da5a42564ecff1b1f39010653032f334cb90e056
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Make DataTransferItemList work with plain text entries
        https://bugs.webkit.org/show_bug.cgi?id=175596

        Reviewed by Wenson Hsieh.

        Added DataTransferItem as a common identifier since it's a runtime enabled feature.

        * runtime/CommonIdentifiers.h:

2017-08-15  Robin Morisset  <rmorisset@apple.com>

        Support the 'with' keyword in FTL
        https://bugs.webkit.org/show_bug.cgi?id=175585

        Reviewed by Saam Barati.

        Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
        and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
        to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
        that takes its parentScope argument first.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPushWithScope):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/Completion.cpp:
        (JSC::evaluateWithScopeExtension):
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::create):
        * runtime/JSWithScope.h:

2017-08-15  Saam Barati  <sbarati@apple.com>

        Make VM::scratchBufferForSize thread safe
        https://bugs.webkit.org/show_bug.cgi?id=175604

        Reviewed by Geoffrey Garen and Mark Lam.

        I want to use the VM::scratchBufferForSize in another patch I'm writing.
        The use case for my other patch is to call it from the compiler thread.
        When reading the code, I saw that this API was not thread safe. This patch
        makes it thread safe. It actually turns out we were calling this API from
        the compiler thread already when we created FTL::State for an FTL OSR entry
        compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
        is now correct with this patch.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::gatherConservativeRoots):
        (JSC::VM::scratchBufferForSize):
        * runtime/VM.h:
        (JSC::VM::scratchBufferForSize): Deleted.

2017-08-15  Keith Miller  <keith_miller@apple.com>

        JSC named bytecode offsets should use references rather than pointers
        https://bugs.webkit.org/show_bug.cgi?id=175601

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):

2017-08-15  Keith Miller  <keith_miller@apple.com>

        Enable named offsets into JSC bytecodes
        https://bugs.webkit.org/show_bug.cgi?id=175561

        Reviewed by Mark Lam.

        This patch adds the ability to add named offsets into JSC's
        bytecodes.  In the bytecode json file, instead of listing a
        length, you can now list a set of names and their types. Each
        opcode with an offsets property will have a struct named after the
        opcode in our C++ naming style. For example,
        op_overrides_has_instance would become OpOverridesHasInstance. The
        struct has the same memory layout as the instruction list has but
        comes with handy named accessors.

        As a first cut I converted the various instanceof bytecodes to use
        named offsets.

        As an example op_overrides_has_instance produces the following struct:

        struct OpOverridesHasInstance {
        public:
            Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
            const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
            int& dst() { return *reinterpret_cast<int*>(&m_dst); }
            const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
            int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
            const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
            int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
            const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }

        private:
            friend class LLIntOffsetsExtractor;
            std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
            std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
            std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
            std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
        };

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * generate-bytecode-files:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

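Added example, not part of this ChangeLog and not WebKit's generated code: a self-contained C++ model of the layout property the entry above relies on. Instruction, Opcode and the opcode number are stand-ins assumed for the example (the real JSC Instruction union has more members). The struct follows the generated shape; what the example adds is the static_assert that pins the struct to the instruction list's length, an emitter that writes the stream positionally, and a check that a write through a named accessor lands in the stream, which is what makes the struct a view rather than a copy.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <type_traits>
#include <vector>

// Stand-ins assumed for this example: a bytecode stream is an array of
// pointer-sized Instruction slots, each holding an opcode id, an integer
// operand or a pointer. Opcode numbers are invented here.
typedef int32_t Opcode;
union Instruction {
    Opcode opcode;
    int operand;
    void* pointer;
};
enum : Opcode { op_overrides_has_instance = 7 }; // assumed opcode number

// Same shape as the generated struct: one aligned_storage slot per field,
// sized like the field but aligned like an Instruction, so every field
// occupies exactly one Instruction slot.
struct OpOverridesHasInstance {
public:
    enum { length = 4 }; // opcode + 3 operands, in Instruction slots

    Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
    const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
    int& dst() { return *reinterpret_cast<int*>(&m_dst); }
    const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
    int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
    const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
    int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
    const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }

private:
    std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
};

// The layout guarantee the accessors depend on: the struct is exactly as
// long as the instruction list it names, so overlaying it on the stream
// reads and writes the same slots that positional code would.
static_assert(sizeof(OpOverridesHasInstance) == OpOverridesHasInstance::length * sizeof(Instruction),
    "named-offset struct must match the instruction list layout");

// Emit the way positional generator code would: opcode, then operands in order.
static std::vector<Instruction> emitOverridesHasInstance(int dst, int constructor, int hasInstanceValue)
{
    std::vector<Instruction> stream(OpOverridesHasInstance::length);
    stream[0].opcode = op_overrides_has_instance;
    stream[1].operand = dst;
    stream[2].operand = constructor;
    stream[3].operand = hasInstanceValue;
    return stream;
}

// Overlay the named struct on a stream position. No copy is made, so writes
// through the accessors land in the stream itself.
static OpOverridesHasInstance& overlayOverridesHasInstance(Instruction* pc)
{
    return *reinterpret_cast<OpOverridesHasInstance*>(pc);
}

// Checks that a write through the named view is visible positionally and
// that the named reads agree with what the emitter wrote.
static bool namedWriteReachesStream()
{
    std::vector<Instruction> stream = emitOverridesHasInstance(3, 5, 9);
    OpOverridesHasInstance& bytecode = overlayOverridesHasInstance(stream.data());
    bytecode.dst() = 11; // writes stream[1].operand
    return stream[1].operand == 11
        && bytecode.opcode() == op_overrides_has_instance
        && bytecode.constructor() == 5
        && bytecode.hasInstanceValue() == 9;
}

int main()
{
    std::vector<Instruction> stream = emitOverridesHasInstance(3, 5, 9);
    const OpOverridesHasInstance& bytecode = overlayOverridesHasInstance(stream.data());
    std::printf("opcode=%d dst=%d constructor=%d hasInstanceValue=%d view-writes-reach-stream=%d\n",
        bytecode.opcode(), bytecode.dst(), bytecode.constructor(), bytecode.hasInstanceValue(),
        namedWriteReachesStream());
    return 0;
}
```

The aligned_storage trick is what keeps sizeof(OpOverridesHasInstance) equal to length * sizeof(Instruction) on both 32-bit and 64-bit targets: each 4-byte field is padded to the alignment of an Instruction, so the fourth slot of the struct is always the fourth slot of the stream.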
2017-08-15  Mark Lam  <mark.lam@apple.com>

        Update testmasm to use new CPUState APIs.
        https://bugs.webkit.org/show_bug.cgi?id=175573

        Reviewed by Keith Miller.

        1. Applied convenience CPUState accessors to minimize casting.
        2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
           messages.
        3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
           casting is (mostly) no longer an issue.
        4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
           to make it clear that we're comparing against the bit values of testWord64(id).
        5. Added a "Completed N tests" message at the end of running all tests.
           This makes it easy to tell at a glance that testmasm completed successfully
           versus when it crashed midway in a test.  The number of tests also serves as
           a quick checksum to confirm that we ran the number of tests we expected.

        * assembler/testmasm.cpp:
        (WTF::printInternal):
        (JSC::testSimple):
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::run):

2017-08-14  Keith Miller  <keith_miller@apple.com>

        Add testing tool to lie to the DFG about profiles
        https://bugs.webkit.org/show_bug.cgi?id=175487

        Reviewed by Saam Barati.

        This patch adds a new bytecode identity_with_profile that lets
        us lie to the DFG about what profiles it has seen as the input to
        another bytecode. Previously, there was no reliable way to force
        a given profile when we tiered up.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitIdWithProfile):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::getForcedPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_identity_with_profile):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_identity_with_profile):
        * llint/LowLevelInterpreter.asm:

2017-08-14  Simon Fraser  <simon.fraser@apple.com>

        Remove Proximity Events and related code
        https://bugs.webkit.org/show_bug.cgi?id=175545

        Reviewed by Daniel Bates.

        No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
        and other related code.

        * Configurations/FeatureDefines.xcconfig:

2017-08-14  Simon Fraser  <simon.fraser@apple.com>

        Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
        https://bugs.webkit.org/show_bug.cgi?id=175504

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2017-08-14  Simon Fraser  <simon.fraser@apple.com>

        Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
        https://bugs.webkit.org/show_bug.cgi?id=175557

        Reviewed by Jon Lee.

        No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.

        * Configurations/FeatureDefines.xcconfig:

2017-08-14  Robin Morisset  <rmorisset@apple.com>

        Support the 'with' keyword in DFG
        https://bugs.webkit.org/show_bug.cgi?id=175470

        Reviewed by Saam Barati.

        Not particularly optimized at the moment, the goal is just to avoid
        the DFG bailing out of any function with this keyword.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2017-08-14  Mark Lam  <mark.lam@apple.com>

        Add some convenience utility accessor methods to MacroAssembler::CPUState.
        https://bugs.webkit.org/show_bug.cgi?id=175549
        <rdar://problem/33884868>

        Reviewed by Saam Barati.

        Previously, in order to read ProbeContext CPUState registers, we used to need to
        do it this way:

            ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
            uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
            void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
            uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));

        With this patch, we can now read them this way instead:

            ExecState* exec = cpu.fp<ExecState*>();
            uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
            void* p = cpu.gpr<void*>(GPRInfo::regT1);
            uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);

        * assembler/MacroAssembler.h:
        (JSC:: const):
        (JSC::MacroAssembler::CPUState::fpr const):
        (JSC::MacroAssembler::CPUState::pc const):
        (JSC::MacroAssembler::CPUState::fp const):
        (JSC::MacroAssembler::CPUState::sp const):
        (JSC::ProbeContext::pc):
        (JSC::ProbeContext::fp):
        (JSC::ProbeContext::sp):

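Added example, not part of this ChangeLog and not the MacroAssembler::CPUState code the entry above changes: a stand-alone C++ sketch of the typed accessor pattern, showing why the three "before" casts differ and how the templates pick the right one. The CPUState, register ids, Frame type and sample register values are constructed for the example (a probe trampoline would have spilled the real ones); the point to take away is that an FPR read as an integer must be a bit cast, because static_cast on the double would convert the value and lose the register's actual bits.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <type_traits>

// Stand-in for a probe's saved register file, assumed for this example: GPRs
// as pointer-sized integers, FPRs as doubles, plus pc/fp/sp, as a probe
// trampoline would have spilled them. Register ids are plain indices here.
typedef uintptr_t CPURegister;
enum GPRID { regT0, regT1, regT2, NumberOfGPRs };
enum FPRID { fpRegT0, fpRegT1, NumberOfFPRs };

// Reinterpret the bits of From as To. This is the memcpy idiom behind
// bitwise_cast: static_cast<uint64_t>(1.5) would yield 1 (a value
// conversion), while a probe wants the raw register bits.
template<typename To, typename From>
static To bitwiseCast(From from)
{
    static_assert(sizeof(To) == sizeof(From), "bitwiseCast needs equal sizes");
    To to;
    std::memcpy(&to, &from, sizeof(To));
    return to;
}

struct CPUState {
    CPURegister gprs[NumberOfGPRs];
    double fprs[NumberOfFPRs];
    void* pcValue;
    void* fpValue;
    void* spValue;

    // Untyped accessors, the "before" style: every caller casts by hand.
    CPURegister gpr(GPRID id) const { return gprs[id]; }
    double fpr(FPRID id) const { return fprs[id]; }

    // Typed accessors, the "after" style. Integral targets narrow by value
    // (the low bits of the register); pointer targets reinterpret.
    template<typename T>
    typename std::enable_if<std::is_integral<T>::value, T>::type gpr(GPRID id) const
    {
        return static_cast<T>(gprs[id]);
    }
    template<typename T>
    typename std::enable_if<std::is_pointer<T>::value, T>::type gpr(GPRID id) const
    {
        return reinterpret_cast<T>(gprs[id]);
    }

    // FPR reads as another type are bit casts, never value conversions; a
    // target of the wrong width fails to compile instead of truncating.
    template<typename T>
    T fpr(FPRID id) const { return bitwiseCast<T>(fprs[id]); }

    template<typename T> T pc() const { return reinterpret_cast<T>(pcValue); }
    template<typename T> T fp() const { return reinterpret_cast<T>(fpValue); }
    template<typename T> T sp() const { return reinterpret_cast<T>(spValue); }
};

// Constructed sample state standing in for what a probe would capture.
struct Frame { int marker; };

static CPUState makeSampleState(Frame* frame)
{
    CPUState cpu;
    std::memset(&cpu, 0, sizeof(cpu));
    cpu.gprs[regT0] = static_cast<CPURegister>(0x100000005ull); // bits above 32 set on 64-bit
    cpu.gprs[regT1] = reinterpret_cast<CPURegister>(frame);
    cpu.fprs[fpRegT0] = 1.5;                                   // bits 0x3FF8000000000000
    cpu.fpValue = frame;
    return cpu;
}

// Reads the state both ways: the typed accessors must agree with the
// hand-cast forms, and a value cast of the FPR must visibly differ from
// its bit cast (that difference is the bug the typed form prevents).
static bool typedAccessorsMatchHandCasts(const CPUState& cpu)
{
    uint32_t lowBitsByHand = static_cast<uint32_t>(cpu.gpr(regT0));
    void* pointerByHand = reinterpret_cast<void*>(cpu.gpr(regT1));
    uint64_t fprBitsByHand = bitwiseCast<uint64_t>(cpu.fpr(fpRegT0));
    bool gprsAgree = cpu.gpr<uint32_t>(regT0) == lowBitsByHand && cpu.gpr<void*>(regT1) == pointerByHand;
    bool fprsAgree = cpu.fpr<uint64_t>(fpRegT0) == fprBitsByHand;
    bool valueCastDiffers = static_cast<uint64_t>(cpu.fpr(fpRegT0)) != fprBitsByHand;
    return gprsAgree && fprsAgree && valueCastDiffers;
}

int main()
{
    Frame frame = { 42 };
    CPUState cpu = makeSampleState(&frame);
    std::printf("regT0 low32=%u fp->marker=%d fpRegT0 bits=0x%llx accessors-consistent=%d\n",
        cpu.gpr<uint32_t>(regT0), cpu.fp<Frame*>()->marker,
        static_cast<unsigned long long>(cpu.fpr<uint64_t>(fpRegT0)), typedAccessorsMatchHandCasts(cpu));
    return 0;
}
```

The enable_if split is the design choice worth copying: a single `template<typename T> T gpr(id)` that did `(T)gprs[id]` would compile for every T but would quietly apply a C-style cast, which is exactly the ambiguity the typed accessors exist to remove.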
2017-08-12  Filip Pizlo  <fpizlo@apple.com>

        Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174921

        Reviewed by Mark Lam.

        Uses CagedUniquePtr<> to cage the ScopeOffset array.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/ScopedArgumentsTable.cpp:
        (JSC::ScopedArgumentsTable::create):
        (JSC::ScopedArgumentsTable::setLength):
        * runtime/ScopedArgumentsTable.h:

2017-08-14  Mark Lam  <mark.lam@apple.com>

        Gardening: fix Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=175446

        Not reviewed.

        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::booleanTrueForAvoidingNoReturnDeclaration):
        (JSC::ctiMasmProbeTrampoline):

2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
        https://bugs.webkit.org/show_bug.cgi?id=175512
        <rdar://problem/33863584>

        Reviewed by Mark Lam.

        * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
        * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.

2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>

        ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
        https://bugs.webkit.org/show_bug.cgi?id=175513

        Reviewed by Mark Lam.

        * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.

2017-08-12  Filip Pizlo  <fpizlo@apple.com>

        FTL's compileGetTypedArrayByteOffset needs to do caging
        https://bugs.webkit.org/show_bug.cgi?id=175366

        Reviewed by Saam Barati.

        While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
        fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
        * runtime/ArrayBuffer.h:
        * runtime/ArrayBufferView.h:
        * runtime/JSArrayBufferView.h:

2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>

        Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
        https://bugs.webkit.org/show_bug.cgi?id=175474
        <rdar://problem/33844628>

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/CommonIdentifiers.h:

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        Caging shouldn't have to use a patchpoint for adding
        https://bugs.webkit.org/show_bug.cgi?id=175483

        Reviewed by Mark Lam.

        Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
        constants and associative operations dictate that you always want to sink constants. For example,
        Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
        typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
        we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
        sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
        reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
        constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
        It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
        hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
        our current constant reassociation heuristics are wrong is caging. So, we can get away with some
        hacks for just stopping B3's reassociation only in this specific case.

        Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
        OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
        the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
        that if we cage the same pointer in two places, both places will compute the same value.

        This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
        if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
        they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
        that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
        up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
        enough scale to warrant new opcodes.)

        This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
        makes the code a bit less ugly.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects const):
        (JSC::B3::Value::key const):
        (JSC::B3::Value::isFree const):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::materialize const):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::opaque):
        * ftl/FTLOutput.h:

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        ScopedArguments overflow storage needs to be in the JSValue gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174923

        Reviewed by Saam Barati.

        ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
        object into the JSValue gigacage.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::subspaceFor):
        (JSC::ScopedArguments::overflowStorage const):

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        JSLexicalEnvironment needs to be in the JSValue gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174922

        Reviewed by Michael Saboff.

        We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
        the only random accesses use pointer caging.

        We don't need to do anything to normal lexical environment accesses.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::subspaceFor):
        (JSC::JSEnvironmentRecord::variables):

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        DirectArguments should be in the JSValue gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174920

        Reviewed by Michael Saboff.

        This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
        indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
        because they always operate on a DirectArguments that is pointed to directly from the stack, they are
        required to use fixed offsets, and you can only store JSValues.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDirectArgumentsGetByVal):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::subspaceFor):
        (JSC::DirectArguments::storage):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add a FIXME.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):

2017-08-10  Sam Weinig  <sam@webkit.org>

        WTF::Function does not allow for reference / non-default constructible return types
        https://bugs.webkit.org/show_bug.cgi?id=175244

        Reviewed by Chris Dumez.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::transferTo):
        Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
        destroy call needed to be a no-op anyway, since the data is being moved.

2017-08-11  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLoop build.
        https://bugs.webkit.org/show_bug.cgi?id=175446
        <rdar://problem/33836545>

        Not reviewed.

        * assembler/MacroAssemblerPrinter.cpp:

2017-08-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should do caging
        https://bugs.webkit.org/show_bug.cgi?id=174918

        Reviewed by Saam Barati.

        Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
        the conditional caging with a watchpoint.

        This might be a 1% SunSpider slow-down, but it's not clear.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

599         (JSC::DFG::SpeculativeJIT::compile):
600
601 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
602
603         Unreviewed, build fix for x86 GTK port
604         https://bugs.webkit.org/show_bug.cgi?id=175446
605
606         Use pushfl/popfl instead of pushfd/popfd.
607
608         * assembler/MacroAssemblerX86Common.cpp:
609
610 2017-08-10  Mark Lam  <mark.lam@apple.com>
611
612         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
613         https://bugs.webkit.org/show_bug.cgi?id=175446
614         <rdar://problem/33836545>
615
616         Reviewed by Saam Barati.
617
618         * assembler/AbstractMacroAssembler.h:
619         * assembler/MacroAssembler.cpp:
620         (JSC::MacroAssembler::probe):
621         * assembler/MacroAssembler.h:
622         * assembler/MacroAssemblerARM.cpp:
623         (JSC::MacroAssembler::probe):
624         * assembler/MacroAssemblerARM.h:
625         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
626         * assembler/MacroAssemblerARM64.cpp:
627         (JSC::MacroAssembler::probe):
628         * assembler/MacroAssemblerARMv7.cpp:
629         (JSC::MacroAssembler::probe):
630         * assembler/MacroAssemblerARMv7.h:
631         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
632         * assembler/MacroAssemblerPrinter.cpp:
633         * assembler/MacroAssemblerPrinter.h:
634         * assembler/MacroAssemblerX86Common.cpp:
635         * assembler/testmasm.cpp:
636         (JSC::isSpecialGPR):
637         (JSC::testProbeModifiesProgramCounter):
638         (JSC::run):
639         * b3/B3LowerToAir.cpp:
640         (JSC::B3::Air::LowerToAir::print):
641         * b3/air/AirPrintSpecial.cpp:
642         * b3/air/AirPrintSpecial.h:
643
644 2017-08-10  Mark Lam  <mark.lam@apple.com>
645
646         Apply the UNLIKELY macro to some unlikely things.
647         https://bugs.webkit.org/show_bug.cgi?id=175440
648         <rdar://problem/33834767>
649
650         Reviewed by Yusuke Suzuki.
651
652         * bytecode/CodeBlock.cpp:
653         (JSC::CodeBlock::~CodeBlock):
654         (JSC::CodeBlock::jettison):
655         * dfg/DFGByteCodeParser.cpp:
656         (JSC::DFG::ByteCodeParser::handleCall):
657         (JSC::DFG::ByteCodeParser::handleVarargsCall):
658         (JSC::DFG::ByteCodeParser::handleGetById):
659         (JSC::DFG::ByteCodeParser::handlePutById):
660         (JSC::DFG::ByteCodeParser::parseBlock):
661         (JSC::DFG::ByteCodeParser::parseCodeBlock):
662         * dfg/DFGJITCompiler.cpp:
663         (JSC::DFG::JITCompiler::JITCompiler):
664         (JSC::DFG::JITCompiler::linkOSRExits):
665         (JSC::DFG::JITCompiler::link):
666         (JSC::DFG::JITCompiler::disassemble):
667         * dfg/DFGJITFinalizer.cpp:
668         (JSC::DFG::JITFinalizer::finalizeCommon):
669         * dfg/DFGOSRExit.cpp:
670         (JSC::DFG::OSRExit::compileOSRExit):
671         * dfg/DFGPlan.cpp:
672         (JSC::DFG::Plan::Plan):
673         * ftl/FTLJITFinalizer.cpp:
674         (JSC::FTL::JITFinalizer::finalizeCommon):
675         * ftl/FTLLink.cpp:
676         (JSC::FTL::link):
677         * ftl/FTLOSRExitCompiler.cpp:
678         (JSC::FTL::compileStub):
679         * jit/JIT.cpp:
680         (JSC::JIT::privateCompileMainPass):
681         (JSC::JIT::compileWithoutLinking):
682         (JSC::JIT::link):
683         * runtime/ScriptExecutable.cpp:
684         (JSC::ScriptExecutable::installCode):
685         * runtime/VM.cpp:
686         (JSC::VM::VM):
687
688 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
689
690         [WTF] ThreadSpecific should not introduce additional indirection
691         https://bugs.webkit.org/show_bug.cgi?id=175187
692
693         Reviewed by Mark Lam.
694
695         * runtime/Identifier.cpp:
696
697 2017-08-10  Tim Horton  <timothy_horton@apple.com>
698
699         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
700         https://bugs.webkit.org/show_bug.cgi?id=175436
701         <rdar://problem/33667497>
702
703         Reviewed by Simon Fraser.
704
705         * interpreter/Interpreter.cpp:
706         (JSC::Interpreter::Interpreter):
707
708 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
709
710         Remove ENABLE_GAMEPAD_DEPRECATED
711         https://bugs.webkit.org/show_bug.cgi?id=175361
712
713         Reviewed by Carlos Garcia Campos.
714
715         * Configurations/FeatureDefines.xcconfig:
716
717 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
718
719         [JSC] Create JSSet constructor that accepts it's size as parameter
720         https://bugs.webkit.org/show_bug.cgi?id=173297
721
722         Reviewed by Saam Barati.
723
724         This patch is adding a new constructor to JSSet that gives its
725         expected initial size. It is important to avoid re-hashing and mutiple
726         allocations when we know the final size of JSSet, such as in
727         CodeBlock::setConstantIdentifierSetRegisters.
728
729         * bytecode/CodeBlock.cpp:
730         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
731         * runtime/HashMapImpl.h:
732         (JSC::HashMapImpl::HashMapImpl):
733         * runtime/JSSet.h:
734
735 2017-08-09  Commit Queue  <commit-queue@webkit.org>
736
737         Unreviewed, rolling out r220466, r220477, and r220487.
738         https://bugs.webkit.org/show_bug.cgi?id=175411
739
740         This change broke existing API tests and follow up fixes did
741         not resolve all the issues. (Requested by ryanhaddad on
742         #webkit).
743
744         Reverted changesets:
745
746         https://bugs.webkit.org/show_bug.cgi?id=175244
747         http://trac.webkit.org/changeset/220466
748
749         "WTF::Function does not allow for reference / non-default
750         constructible return types"
751         https://bugs.webkit.org/show_bug.cgi?id=175244
752         http://trac.webkit.org/changeset/220477
753
754         https://bugs.webkit.org/show_bug.cgi?id=175244
755         http://trac.webkit.org/changeset/220487
756
757 2017-08-09  Caitlin Potter  <caitp@igalia.com>
758
759         Early error on ANY operator before new.target
760         https://bugs.webkit.org/show_bug.cgi?id=157970
761
762         Reviewed by Saam Barati.
763
764         Instead of throwing if any unary operator precedes new.target, only
765         throw if the unary operator updates the reference.
766
767         The following become legal in JSC:
768
769         ```
770         !new.target
771         ~new.target
772         typeof new.target
773         delete new.target
774         void new.target
775         ```
776
777         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode
778
779         * parser/Parser.cpp:
780         (JSC::Parser<LexerType>::parseUnaryExpression):
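
The parse rule described in this entry, as an added example that is not part of the WebKit change: a JavaScript probe that feeds each body to the Function constructor and records which ones the engine rejects with an early SyntaxError. The accepted list is the entry's own; the rejected list (prefix and postfix ++/--) is the "updates the reference" case the entry alludes to. The second function shows the runtime use of `typeof new.target` to tell a [[Construct]] invocation from a plain call. Run under a current Node.js.

```javascript
// Added example, not WebKit code: probe which unary operators an engine
// accepts in front of `new.target`. Each body is handed to the Function
// constructor, so an early error surfaces as a SyntaxError at construction.
const ACCEPTED_BODIES = [
  '!new.target',
  '~new.target',
  'typeof new.target',
  'delete new.target',
  'void new.target',
];
// Update operators would try to write through new.target, which is not a
// valid assignment target, so these must be early errors.
const REJECTED_BODIES = ['++new.target', '--new.target', 'new.target++', 'new.target--'];

function parsesAsFunctionBody(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in this probe, not a parse result
  }
}

// Returns a map from body text to whether it parsed.
function probeNewTargetOperators() {
  const results = {};
  for (const body of [...ACCEPTED_BODIES, ...REJECTED_BODIES]) {
    results[body] = parsesAsFunctionBody(body);
  }
  return results;
}

// Runtime side: `typeof new.target` tells a function whether it was invoked
// via [[Construct]] or [[Call]]. The body returns an object so that `new f()`
// yields that object rather than the freshly allocated `this`.
function typeofNewTargetBothWays() {
  const f = new Function('return { kind: typeof new.target };');
  return { viaNew: new f().kind, viaCall: f().kind };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(probeNewTargetOperators());
  console.log(typeofNewTargetBothWays());
}
```

On a spec-conforming engine every body in ACCEPTED_BODIES parses, every body in REJECTED_BODIES throws SyntaxError, and the runtime probe reports "function" when constructed and "undefined" when called.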
781
782 2017-08-09  Sam Weinig  <sam@webkit.org>
783
784         WTF::Function does not allow for reference / non-default constructible return types
785         https://bugs.webkit.org/show_bug.cgi?id=175244
786
787         Reviewed by Chris Dumez.
788
789         * runtime/ArrayBuffer.cpp:
790         (JSC::ArrayBufferContents::transferTo):
791         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
792         destroy call needed to be a no-op anyway, since the data is being moved.
793
794 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
795
796         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
797         https://bugs.webkit.org/show_bug.cgi?id=175392
798         <rdar://problem/33783207>
799
800         Reviewed by Tim Horton and Megan Gardner.
801
802         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
803
804         * Configurations/FeatureDefines.xcconfig:
805
806 2017-08-09  Robin Morisset  <rmorisset@apple.com>
807
808         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
809         https://bugs.webkit.org/show_bug.cgi?id=175358
810
811         Reviewed by Mark Lam.
812
813         * jit/JITOperations.cpp:
814         * runtime/JSObjectInlines.h:
815         (JSC::JSObject::putInlineForJSObject):
816
817 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
818
819         Unreviewed, rolling out r220457.
820
821         This change introduced API test failures.
822
823         Reverted changeset:
824
825         "WTF::Function does not allow for reference / non-default
826         constructible return types"
827         https://bugs.webkit.org/show_bug.cgi?id=175244
828         http://trac.webkit.org/changeset/220457
829
830 2017-08-09  Sam Weinig  <sam@webkit.org>
831
832         WTF::Function does not allow for reference / non-default constructible return types
833         https://bugs.webkit.org/show_bug.cgi?id=175244
834
835         Reviewed by Chris Dumez.
836
837         * runtime/ArrayBuffer.cpp:
838         (JSC::ArrayBufferContents::transferTo):
839         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
840         destroy call needed to be a no-op anyway, since the data is being moved.
841
842 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
843
844         REGRESSION: 2 test262/test/language/statements/async-function failures
845         https://bugs.webkit.org/show_bug.cgi?id=175334
846
847         Reviewed by Yusuke Suzuki.
848
849         Switch off useAsyncIterator by default
850
851         * runtime/Options.h:
852
853 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
854
855         ICs should do caging
856         https://bugs.webkit.org/show_bug.cgi?id=175295
857
858         Reviewed by Saam Barati.
859         
860         Adds the appropriate cage() calls in our inline caches.
861
862         * bytecode/AccessCase.cpp:
863         (JSC::AccessCase::generateImpl):
864         * bytecode/InlineAccess.cpp:
865         (JSC::InlineAccess::dumpCacheSizesAndCrash):
866         (JSC::InlineAccess::generateSelfPropertyAccess):
867         (JSC::InlineAccess::generateSelfPropertyReplace):
868         (JSC::InlineAccess::generateArrayLength):
869
870 2017-08-08  Devin Rousso  <drousso@apple.com>
871
872         Web Inspector: Canvas: support editing WebGL shaders
873         https://bugs.webkit.org/show_bug.cgi?id=124211
874         <rdar://problem/15448958>
875
876         Reviewed by Matt Baker.
877
878         * inspector/protocol/Canvas.json:
879         Add `updateShader` command that will change the given shader's source to the provided string,
880         recompile, and relink it to its associated program.
881         Drive-by: add description to `requestShaderSource` command.
882
883 2017-08-08  Robin Morisset  <rmorisset@apple.com>
884
885         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
886         https://bugs.webkit.org/show_bug.cgi?id=175347
887
888         Reviewed by Saam Barati.
889
890         This is done by making finishCreation explicitly check for exceptions after setConstantRegisters and setConstantIdentifierSetRegisters.
891         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
892         negligible considering how much more finishCreation does.
893         This fix then caused another issue to appear, as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
894         FunctionCodeBlock::create() and friends, which are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
895
896         * bytecode/CodeBlock.cpp:
897         (JSC::CodeBlock::finishCreation):
898         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
899         (JSC::CodeBlock::setConstantRegisters):
900         * bytecode/CodeBlock.h:
901         * runtime/ScriptExecutable.cpp:
902         (JSC::ScriptExecutable::newCodeBlockFor):
903
904 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
905
906         Unreviewed, fix Ubuntu LTS build
907         https://bugs.webkit.org/show_bug.cgi?id=174490
908
909         * inspector/remote/glib/RemoteInspectorGlib.cpp:
910         * inspector/remote/glib/RemoteInspectorServer.cpp:
911
912 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
913
914         Baseline JIT should do caging
915         https://bugs.webkit.org/show_bug.cgi?id=175037
916
917         Reviewed by Mark Lam.
918         
919         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
920         
921         Also modifies FTL caging to be more defensive when caging is disabled.
922         
923         Relanded with fixed AssemblyHelpers::cageConditionally().
924
925         * bytecode/AccessCase.cpp:
926         (JSC::AccessCase::generateImpl):
927         * bytecode/InlineAccess.cpp:
928         (JSC::InlineAccess::dumpCacheSizesAndCrash):
929         (JSC::InlineAccess::generateSelfPropertyAccess):
930         (JSC::InlineAccess::generateSelfPropertyReplace):
931         (JSC::InlineAccess::generateArrayLength):
932         * ftl/FTLLowerDFGToB3.cpp:
933         (JSC::FTL::DFG::LowerDFGToB3::caged):
934         * jit/AssemblyHelpers.h:
935         (JSC::AssemblyHelpers::cage):
936         (JSC::AssemblyHelpers::cageConditionally):
937         * jit/JITPropertyAccess.cpp:
938         (JSC::JIT::emitDoubleLoad):
939         (JSC::JIT::emitContiguousLoad):
940         (JSC::JIT::emitArrayStorageLoad):
941         (JSC::JIT::emitGenericContiguousPutByVal):
942         (JSC::JIT::emitArrayStoragePutByVal):
943         (JSC::JIT::emit_op_get_from_scope):
944         (JSC::JIT::emit_op_put_to_scope):
945         (JSC::JIT::emitIntTypedArrayGetByVal):
946         (JSC::JIT::emitFloatTypedArrayGetByVal):
947         (JSC::JIT::emitIntTypedArrayPutByVal):
948         (JSC::JIT::emitFloatTypedArrayPutByVal):
949         * jsc.cpp:
950         (jscmain):
951         (primitiveGigacageDisabled): Deleted.
952
953 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
954
955         Unreviewed, rolling out r220368.
956
957         This change caused WK1 tests to exit early with crashes.
958
959         Reverted changeset:
960
961         "Baseline JIT should do caging"
962         https://bugs.webkit.org/show_bug.cgi?id=175037
963         http://trac.webkit.org/changeset/220368
964
965 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
966
967         [CMake] Properly test if compiler supports compiler flags
968         https://bugs.webkit.org/show_bug.cgi?id=174490
969
970         Reviewed by Konstantin Tokarev.
971
972         * API/tests/PingPongStackOverflowTest.cpp:
973         (testPingPongStackOverflow):
974         * API/tests/testapi.c:
975         * b3/testb3.cpp:
976         (JSC::B3::testPatchpointLotsOfLateAnys):
977
978 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
979
980         [Linux] Clear WasmMemory with madvise instead of memset
981         https://bugs.webkit.org/show_bug.cgi?id=175150
982
983         Reviewed by Filip Pizlo.
984
985         On Linux, zeroing pages with memset populates the backing store.
986         Instead, we should use madvise with MADV_DONTNEED. It discards the
987         pages. And if you access these pages again, on-demand zero pages will
988         be shown.
989
990         We also commit grown pages in all OSes.
991
992         * wasm/WasmMemory.cpp:
993         (JSC::Wasm::commitZeroPages):
994         (JSC::Wasm::Memory::create):
995         (JSC::Wasm::Memory::grow):
996
997 2017-08-07  Robin Morisset  <rmorisset@apple.com>
998
999         GetOwnProperty of TypedArray indexed fields is wrongly configurable
1000         https://bugs.webkit.org/show_bug.cgi?id=175307
1001
1002         Reviewed by Saam Barati.
1003
1004         ```
1005         let a = new Uint8Array(10);
1006         let b = Object.getOwnPropertyDescriptor(a, 0);
1007         assert(b.configurable === false);
1008         ```
1009         should not fail, by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p),
1010         which applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances),
1011         which says that typed arrays are integer indexed exotic objects.
1012
1013         * runtime/JSGenericTypedArrayViewInlines.h:
1014         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
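
An added example, not WebKit code, that inspects what a typed array actually reports for indexed properties: the descriptor of an in-range index, the absence of any own property for out-of-range or negative indices, and the refusal of [[DefineOwnProperty]] to grow the view by defining a new element. One caveat for anyone re-running this entry's assertion today: the 2017 specification text cited above required `configurable: false`, but ECMAScript 2021 changed integer-indexed element descriptors to `configurable: true`, so the code below reports that flag rather than asserting on it.

```javascript
// Added example, not WebKit code: report the own-property descriptor a typed
// array exposes for an integer index, plus what happens for indices outside
// [0, length). Nothing here is specific to Uint8Array; the element type only
// changes `value`.
function indexDescriptor(view, index) {
  return Object.getOwnPropertyDescriptor(view, index);
}

function probeTypedArrayIndices(length = 10) {
  const a = new Uint8Array(length);
  a[0] = 0x41; // constructed sample value

  const inRange = indexDescriptor(a, 0);

  // [[DefineOwnProperty]] rejects any index outside the view, so the buffer
  // cannot be grown by defining a new element.
  const definePastEndRejected = Reflect.defineProperty(a, length, { value: 1 }) === false;

  // A non-index string key is an ordinary property and behaves as usual.
  a.tag = 'x';

  return {
    value: inRange.value,
    writable: inRange.writable,
    enumerable: inRange.enumerable,
    // Reported, not asserted: ES2017 specified false, ES2021 changed it to true.
    configurable: inRange.configurable,
    // Out-of-range and negative indices are not own properties at all.
    pastEndIsUndefined: indexDescriptor(a, length) === undefined,
    negativeIsUndefined: indexDescriptor(a, -1) === undefined,
    definePastEndRejected,
    lengthAfter: a.length,
    stringKeyWorks: a.tag === 'x' && a.length === length,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(probeTypedArrayIndices());
}
```

The element descriptor is always writable and enumerable, the view stays exactly `length` elements long whatever is defined on it, and only the `configurable` flag depends on which edition of the specification the engine implements.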
1015
1016 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
1017
1018         Baseline JIT should do caging
1019         https://bugs.webkit.org/show_bug.cgi?id=175037
1020
1021         Reviewed by Mark Lam.
1022         
1023         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
1024         
1025         Also modifies FTL caging to be more defensive when caging is disabled.
1026
1027         * ftl/FTLLowerDFGToB3.cpp:
1028         (JSC::FTL::DFG::LowerDFGToB3::caged):
1029         * jit/AssemblyHelpers.h:
1030         (JSC::AssemblyHelpers::cage):
1031         (JSC::AssemblyHelpers::cageConditionally):
1032         * jit/JITPropertyAccess.cpp:
1033         (JSC::JIT::emitDoubleLoad):
1034         (JSC::JIT::emitContiguousLoad):
1035         (JSC::JIT::emitArrayStorageLoad):
1036         (JSC::JIT::emitGenericContiguousPutByVal):
1037         (JSC::JIT::emitArrayStoragePutByVal):
1038         (JSC::JIT::emit_op_get_from_scope):
1039         (JSC::JIT::emit_op_put_to_scope):
1040         (JSC::JIT::emitIntTypedArrayGetByVal):
1041         (JSC::JIT::emitFloatTypedArrayGetByVal):
1042         (JSC::JIT::emitIntTypedArrayPutByVal):
1043         (JSC::JIT::emitFloatTypedArrayPutByVal):
1044         * jsc.cpp:
1045         (jscmain):
1046         (primitiveGigacageDisabled): Deleted.
1047
1048 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
1049
1050         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
1051         https://bugs.webkit.org/show_bug.cgi?id=174919
1052
1053         Reviewed by Keith Miller.
1054         
1055         This adapts JSC to there being two gigacages.
1056         
1057         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
1058         singletons. I don't think we were gaining anything by making them be singletons.
1059         
1060         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
1061         gigacages. We'll have one of those allocators per cage.
1062         
1063         From there, this change teaches everyone who previously knew about cages that there are two cages.
1064         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
1065         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
1066         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
1067         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
1068         
1069         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
1070         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
1071
1072         * JavaScriptCore.xcodeproj/project.pbxproj:
1073         * bytecode/AccessCase.cpp:
1074         (JSC::AccessCase::generateImpl):
1075         * dfg/DFGSpeculativeJIT.cpp:
1076         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1077         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1078         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1079         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1080         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1081         * ftl/FTLLowerDFGToB3.cpp:
1082         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1083         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1084         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1085         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1086         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1087         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1088         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1089         (JSC::FTL::DFG::LowerDFGToB3::caged):
1090         * heap/FastMallocAlignedMemoryAllocator.cpp:
1091         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
1092         * heap/FastMallocAlignedMemoryAllocator.h:
1093         * heap/GigacageAlignedMemoryAllocator.cpp:
1094         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1095         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1096         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1097         (JSC::GigacageAlignedMemoryAllocator::dump const):
1098         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
1099         * heap/GigacageAlignedMemoryAllocator.h:
1100         * jsc.cpp:
1101         (primitiveGigacageDisabled):
1102         (jscmain):
1103         (gigacageDisabled): Deleted.
1104         * llint/LowLevelInterpreter64.asm:
1105         * runtime/ArrayBuffer.cpp:
1106         (JSC::ArrayBufferContents::tryAllocate):
1107         (JSC::ArrayBuffer::createAdopted):
1108         (JSC::ArrayBuffer::createFromBytes):
1109         * runtime/AuxiliaryBarrier.h:
1110         * runtime/ButterflyInlines.h:
1111         (JSC::Butterfly::createUninitialized):
1112         (JSC::Butterfly::tryCreate):
1113         (JSC::Butterfly::growArrayRight):
1114         * runtime/CagedBarrierPtr.h: Added.
1115         (JSC::CagedBarrierPtr::CagedBarrierPtr):
1116         (JSC::CagedBarrierPtr::clear):
1117         (JSC::CagedBarrierPtr::set):
1118         (JSC::CagedBarrierPtr::get const):
1119         (JSC::CagedBarrierPtr::getMayBeNull const):
1120         (JSC::CagedBarrierPtr::operator== const):
1121         (JSC::CagedBarrierPtr::operator!= const):
1122         (JSC::CagedBarrierPtr::operator bool const):
1123         (JSC::CagedBarrierPtr::setWithoutBarrier):
1124         (JSC::CagedBarrierPtr::operator* const):
1125         (JSC::CagedBarrierPtr::operator-> const):
1126         (JSC::CagedBarrierPtr::operator[] const):
1127         * runtime/DirectArguments.cpp:
1128         (JSC::DirectArguments::overrideThings):
1129         (JSC::DirectArguments::unmapArgument):
1130         * runtime/DirectArguments.h:
1131         (JSC::DirectArguments::isMappedArgument const):
1132         * runtime/GenericArguments.h:
1133         * runtime/GenericArgumentsInlines.h:
1134         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1135         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1136         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1137         * runtime/HashMapImpl.cpp:
1138         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1139         * runtime/HashMapImpl.h:
1140         (JSC::HashMapBuffer::create):
1141         (JSC::HashMapImpl::buffer const):
1142         (JSC::HashMapImpl::rehash):
1143         * runtime/JSArray.cpp:
1144         (JSC::JSArray::tryCreateUninitializedRestricted):
1145         (JSC::JSArray::unshiftCountSlowCase):
1146         (JSC::JSArray::setLength):
1147         (JSC::JSArray::pop):
1148         (JSC::JSArray::push):
1149         (JSC::JSArray::fastSlice):
1150         (JSC::JSArray::shiftCountWithArrayStorage):
1151         (JSC::JSArray::shiftCountWithAnyIndexingType):
1152         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1153         (JSC::JSArray::fillArgList):
1154         (JSC::JSArray::copyToArguments):
1155         * runtime/JSArray.h:
1156         (JSC::JSArray::tryCreate):
1157         * runtime/JSArrayBufferView.cpp:
1158         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1159         (JSC::JSArrayBufferView::finalize):
1160         * runtime/JSLock.cpp:
1161         (JSC::JSLock::didAcquireLock):
1162         * runtime/JSObject.cpp:
1163         (JSC::JSObject::heapSnapshot):
1164         (JSC::JSObject::getOwnPropertySlotByIndex):
1165         (JSC::JSObject::putByIndex):
1166         (JSC::JSObject::enterDictionaryIndexingMode):
1167         (JSC::JSObject::createInitialIndexedStorage):
1168         (JSC::JSObject::createArrayStorage):
1169         (JSC::JSObject::convertUndecidedToInt32):
1170         (JSC::JSObject::convertUndecidedToDouble):
1171         (JSC::JSObject::convertUndecidedToContiguous):
1172         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1173         (JSC::JSObject::convertUndecidedToArrayStorage):
1174         (JSC::JSObject::convertInt32ToDouble):
1175         (JSC::JSObject::convertInt32ToContiguous):
1176         (JSC::JSObject::convertInt32ToArrayStorage):
1177         (JSC::JSObject::convertDoubleToContiguous):
1178         (JSC::JSObject::convertDoubleToArrayStorage):
1179         (JSC::JSObject::convertContiguousToArrayStorage):
1180         (JSC::JSObject::setIndexQuicklyToUndecided):
1181         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1182         (JSC::JSObject::deletePropertyByIndex):
1183         (JSC::JSObject::getOwnPropertyNames):
1184         (JSC::JSObject::putIndexedDescriptor):
1185         (JSC::JSObject::defineOwnIndexedProperty):
1186         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1187         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1188         (JSC::JSObject::getNewVectorLength):
1189         (JSC::JSObject::ensureLengthSlow):
1190         (JSC::JSObject::reallocateAndShrinkButterfly):
1191         (JSC::JSObject::allocateMoreOutOfLineStorage):
1192         (JSC::JSObject::getEnumerableLength):
1193         * runtime/JSObject.h:
1194         (JSC::JSObject::getArrayLength const):
1195         (JSC::JSObject::getVectorLength):
1196         (JSC::JSObject::putDirectIndex):
1197         (JSC::JSObject::canGetIndexQuickly):
1198         (JSC::JSObject::getIndexQuickly):
1199         (JSC::JSObject::tryGetIndexQuickly const):
1200         (JSC::JSObject::canSetIndexQuickly):
1201         (JSC::JSObject::setIndexQuickly):
1202         (JSC::JSObject::initializeIndex):
1203         (JSC::JSObject::initializeIndexWithoutBarrier):
1204         (JSC::JSObject::hasSparseMap):
1205         (JSC::JSObject::inSparseIndexingMode):
1206         (JSC::JSObject::butterfly const):
1207         (JSC::JSObject::butterfly):
1208         (JSC::JSObject::outOfLineStorage const):
1209         (JSC::JSObject::outOfLineStorage):
1210         (JSC::JSObject::ensureInt32):
1211         (JSC::JSObject::ensureDouble):
1212         (JSC::JSObject::ensureContiguous):
1213         (JSC::JSObject::ensureArrayStorage):
1214         (JSC::JSObject::arrayStorage):
1215         (JSC::JSObject::arrayStorageOrNull):
1216         (JSC::JSObject::ensureLength):
1217         * runtime/RegExpMatchesArray.h:
1218         (JSC::tryCreateUninitializedRegExpMatchesArray):
1219         * runtime/VM.cpp:
1220         (JSC::VM::VM):
1221         (JSC::VM::~VM):
1222         (JSC::VM::primitiveGigacageDisabledCallback):
1223         (JSC::VM::primitiveGigacageDisabled):
1224         (JSC::VM::gigacageDisabledCallback): Deleted.
1225         (JSC::VM::gigacageDisabled): Deleted.
1226         * runtime/VM.h:
1227         (JSC::VM::gigacageAuxiliarySpace):
1228         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
1229         (JSC::VM::primitiveGigacageEnabled):
1230         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
1231         (JSC::VM::gigacageEnabled): Deleted.
1232         * wasm/WasmMemory.cpp:
1233         (JSC::Wasm::Memory::create):
1234         (JSC::Wasm::Memory::~Memory):
1235         (JSC::Wasm::Memory::grow):
1236
1237 2017-08-07  Commit Queue  <commit-queue@webkit.org>
1238
1239         Unreviewed, rolling out r220144.
1240         https://bugs.webkit.org/show_bug.cgi?id=175276
1241
1242         "It did not actually speed things up in the way I expected"
1243         (Requested by saamyjoon on #webkit).
1244
1245         Reverted changeset:
1246
1247         "On memory-constrained iOS devices, reduce the rate at which
1248         the JS heap grows before a GC to try to keep more memory
1249         available for the system"
1250         https://bugs.webkit.org/show_bug.cgi?id=175041
1251         http://trac.webkit.org/changeset/220144
1252
1253 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
1254
1255         Unreviewed, rolling out r220299.
1256
1257         This change caused LayoutTest inspector/dom-debugger/dom-
1258         breakpoints.html to fail.
1259
1260         Reverted changeset:
1261
1262         "Web Inspector: capture async stack trace when workers/main
1263         context posts a message"
1264         https://bugs.webkit.org/show_bug.cgi?id=167084
1265         http://trac.webkit.org/changeset/220299
1266
1267 2017-08-07  Brian Burg  <bburg@apple.com>
1268
1269         Remove CANVAS_PATH compilation guard
1270         https://bugs.webkit.org/show_bug.cgi?id=175207
1271
1272         Reviewed by Sam Weinig.
1273
1274         * Configurations/FeatureDefines.xcconfig:
1275
1276 2017-08-07  Keith Miller  <keith_miller@apple.com>
1277
1278         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
1279         https://bugs.webkit.org/show_bug.cgi?id=175256
1280
1281         Reviewed by Saam Barati.
1282
1283         The check in createFromBytes just needed to check that the buffer was not null before
1284         calling isCaged.
1285
1286         * runtime/ArrayBuffer.cpp:
1287         (JSC::ArrayBuffer::createFromBytes):
1288
1289 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
1290
1291         [GTK][WPE] Add API to provide browser information required by automation
1292         https://bugs.webkit.org/show_bug.cgi?id=175130
1293
1294         Reviewed by Brian Burg.
1295
1296         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
1297         get them.
1298
1299         * inspector/remote/RemoteInspector.cpp:
1300         (Inspector::RemoteInspector::updateClientCapabilities): Also update browserName and browserVersion.
1301         * inspector/remote/RemoteInspector.h:
1302         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1303         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
1304         requested to ensure they are updated before StartAutomationSession reply is sent.
1305         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of
1306         StartAutomationSession message.
1307
1308 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1309
1310         Promise resolve and reject function should have length = 1
1311         https://bugs.webkit.org/show_bug.cgi?id=175242
1312
1313         Reviewed by Saam Barati.
1314
1315         Previously we had a separate system for "length" and "name" for builtin functions.
1316         The builtin functions do not use the lazy reifying system. Instead, they have direct
1317         properties when instantiated. While the function created for properties (like
1318         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
1319         these builtin functions are just created by JSFunction::create(). Since this does
1320         not set any values for "length", these functions do not have a "length" property.
1321         So, the resolve and reject functions passed to Promise's executor do not have
1322         a "length" property.
1323
1324         This patch makes builtin functions use the standard lazy reifying system for "length".
1325         So, the "length" property of a builtin function just works as it does for normal
1326         functions.
1327
1328         * runtime/JSFunction.cpp:
1329         (JSC::JSFunction::createBuiltinFunction):
1330         (JSC::JSFunction::getOwnPropertySlot):
1331         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1332         (JSC::JSFunction::put):
1333         (JSC::JSFunction::deleteProperty):
1334         (JSC::JSFunction::defineOwnProperty):
1335         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1336         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
1337         (JSC::JSFunction::reifyLazyLengthIfNeeded):
1338         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1339         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
1340         * runtime/JSFunction.h:
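
The observable consequence of this fix, as an added example that is not part of the WebKit change: capture the resolve and reject functions a Promise passes to its executor and compare the shape of their own "length" property with that of Array.prototype.filter and of an ordinary user-defined function. On an engine that follows the specification all four report an own, non-writable, non-enumerable, configurable "length" of 1; an engine with the bug described above would report no own "length" on resolve and reject at all.

```javascript
// Added example, not WebKit code: capture the resolving functions a Promise
// hands to its executor and describe their own "length" property.
function captureResolvingFunctions() {
  let resolve;
  let reject;
  // The executor runs synchronously, so both are assigned before we return.
  new Promise((res, rej) => {
    resolve = res;
    reject = rej;
  });
  return { resolve, reject };
}

// Describes the own "length" property of fn, or reports that there is none
// (the symptom this entry fixes for resolve/reject).
function lengthShape(fn) {
  const d = Object.getOwnPropertyDescriptor(fn, 'length');
  if (d === undefined) return { own: false };
  return {
    own: true,
    value: d.value,
    writable: d.writable,
    enumerable: d.enumerable,
    configurable: d.configurable,
  };
}

function compareLengths() {
  const { resolve, reject } = captureResolvingFunctions();
  return {
    resolve: lengthShape(resolve),
    reject: lengthShape(reject),
    // A regular built-in with one declared parameter, for comparison.
    filter: lengthShape(Array.prototype.filter),
    // And an ordinary user function with one formal parameter.
    userFunction: lengthShape(function oneArg(x) { return x; }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareLengths());
}
```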
1341
1342 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
1343
1344         [ESNext] Async iteration - Implement Async Generator - parser
1345         https://bugs.webkit.org/show_bug.cgi?id=175210
1346
1347         Reviewed by Yusuke Suzuki.
1348
1349         The current implementation is a draft version of Async Iteration.
1350         Link to spec: https://tc39.github.io/proposal-async-iteration/
1351
1352         This patch implements only the parser part of the async generator.
1353         The runtime part will be in the next patches.
1354
1355         * parser/ASTBuilder.h:
1356         (JSC::ASTBuilder::createFunctionMetadata):
1357         * parser/Parser.cpp:
1358         (JSC::getAsynFunctionBodyParseMode):
1359         (JSC::Parser<LexerType>::parseInner):
1360         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
1361         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1362         (JSC::stringArticleForFunctionMode):
1363         (JSC::stringForFunctionMode):
1364         (JSC::Parser<LexerType>::parseFunctionInfo):
1365         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1366         (JSC::Parser<LexerType>::parseClass):
1367         (JSC::Parser<LexerType>::parseProperty):
1368         (JSC::Parser<LexerType>::parsePropertyMethod):
1369         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
1370         * parser/Parser.h:
1371         (JSC::Scope::setSourceParseMode):
1372         * parser/ParserModes.h:
1373         (JSC::isFunctionParseMode):
1374         (JSC::isAsyncFunctionParseMode):
1375         (JSC::isAsyncArrowFunctionParseMode):
1376         (JSC::isAsyncGeneratorFunctionParseMode):
1377         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
1378         (JSC::isAsyncFunctionWrapperParseMode):
1379         (JSC::isAsyncFunctionBodyParseMode):
1380         (JSC::isGeneratorMethodParseMode):
1381         (JSC::isAsyncMethodParseMode):
1382         (JSC::isAsyncGeneratorMethodParseMode):
1383         (JSC::isMethodParseMode):
1384         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
1385         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
1386
1387 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
1388
1389         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
1390         https://bugs.webkit.org/show_bug.cgi?id=175083
1391
1392         Reviewed by Oliver Hunt.
1393         
1394         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
1395         even if we are using the pop path.
1396         
1397         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
1398         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
1399         the world just because we changed it.
1400         
1401         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
1402         easier to debug leaks.
1403
1404         * bytecode/AccessCase.cpp:
1405         * bytecode/PolymorphicAccess.cpp:
1406         * heap/HeapCell.cpp:
1407         (JSC::HeapCell::isLive):
1408         * heap/HeapCellInlines.h:
1409         (JSC::HeapCell::isLive): Deleted.
1410         * heap/MarkedAllocator.cpp:
1411         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1412         (JSC::MarkedAllocator::endMarking):
1413         * heap/MarkedBlockInlines.h:
1414         (JSC::MarkedBlock::Handle::specializedSweep):
1415         * jit/AssemblyHelpers.cpp:
1416         * jit/Repatch.cpp:
1417         * runtime/TestRunnerUtils.h:
1418         * runtime/VM.cpp:
1419         (JSC::waitForVMDestruction):
1420         (JSC::VM::~VM):
1421
1422 2017-08-05  Mark Lam  <mark.lam@apple.com>
1423
1424         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
1425         https://bugs.webkit.org/show_bug.cgi?id=175228
1426         <rdar://problem/33735737>
1427
1428         Reviewed by Saam Barati.
1429
1430         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
1431         delete OSRExit32_64.cpp.
1432
1433         * CMakeLists.txt:
1434         * JavaScriptCore.xcodeproj/project.pbxproj:
1435         * dfg/DFGOSRExit.cpp:
1436         (JSC::DFG::OSRExit::compileExit):
1437         * dfg/DFGOSRExit32_64.cpp: Removed.
1438         * jit/GPRInfo.h:
1439         (JSC::JSValueSource::payloadGPR const):
1440
1441 2017-08-04  Youenn Fablet  <youenn@apple.com>
1442
1443         [Cache API] Add Cache and CacheStorage IDL definitions
1444         https://bugs.webkit.org/show_bug.cgi?id=175201
1445
1446         Reviewed by Brady Eidson.
1447
1448         * runtime/CommonIdentifiers.h:
1449
1450 2017-08-04  Mark Lam  <mark.lam@apple.com>
1451
1452         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
1453         https://bugs.webkit.org/show_bug.cgi?id=175230
1454         <rdar://problem/33735857>
1455
1456         Reviewed by Saam Barati.
1457
1458         * assembler/testmasm.cpp:
1459         (JSC::testProbeReadsArgumentRegisters):
1460         (JSC::testProbeWritesArgumentRegisters):
1461
1462 2017-08-04  Mark Lam  <mark.lam@apple.com>
1463
1464         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
1465         https://bugs.webkit.org/show_bug.cgi?id=175214
1466         <rdar://problem/33733308>
1467
1468         Rubber-stamped by Michael Saboff.
1469
1470         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
1471         DFGOSRExitCompiler files.
1472
1473         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
1474
1475         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
1476         used by compileOSRExit(), and will be changed to not be a DFG operation function
1477         when we use JIT probes for DFG OSR exits later in
1478         https://bugs.webkit.org/show_bug.cgi?id=175144.
1479
1480         * CMakeLists.txt:
1481         * JavaScriptCore.xcodeproj/project.pbxproj:
1482         * dfg/DFGJITCompiler.cpp:
1483         * dfg/DFGOSRExit.cpp:
1484         (JSC::DFG::OSRExit::emitRestoreArguments):
1485         (JSC::DFG::OSRExit::compileOSRExit):
1486         (JSC::DFG::OSRExit::compileExit):
1487         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
1488         * dfg/DFGOSRExit.h:
1489         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
1490         * dfg/DFGOSRExitCompiler.cpp: Removed.
1491         * dfg/DFGOSRExitCompiler.h: Removed.
1492         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
1493         * dfg/DFGOSRExitCompiler64.cpp: Removed.
1494         * dfg/DFGOperations.cpp:
1495         * dfg/DFGOperations.h:
1496         * dfg/DFGThunks.cpp:
1497
1498 2017-08-04  Matt Baker  <mattbaker@apple.com>
1499
1500         Web Inspector: capture async stack trace when workers/main context posts a message
1501         https://bugs.webkit.org/show_bug.cgi?id=167084
1502         <rdar://problem/30033673>
1503
1504         Reviewed by Brian Burg.
1505
1506         * inspector/agents/InspectorDebuggerAgent.h:
1507         Add `PostMessage` async call type.
1508
1509 2017-08-04  Mark Lam  <mark.lam@apple.com>
1510
1511         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
1512         https://bugs.webkit.org/show_bug.cgi?id=175208
1513         <rdar://problem/33732402>
1514
1515         Reviewed by Saam Barati.
1516
1517         This will minimize the code diff and make it easier to review the patch for
1518         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
1519         steps:
1520
1521         1. Do the code changes to move methods into OSRExit.
1522         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
1523         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
1524
1525         Splitting this refactoring into these 3 steps also makes it easier to review this
1526         patch and understand what is being changed.
1527
1528         * dfg/DFGOSRExit.h:
1529         * dfg/DFGOSRExitCompiler.cpp:
1530         (JSC::DFG::OSRExit::emitRestoreArguments):
1531         (JSC::DFG::OSRExit::compileOSRExit):
1532         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
1533         (): Deleted.
1534         * dfg/DFGOSRExitCompiler.h:
1535         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
1536         (): Deleted.
1537         * dfg/DFGOSRExitCompiler32_64.cpp:
1538         (JSC::DFG::OSRExit::compileExit):
1539         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
1540         * dfg/DFGOSRExitCompiler64.cpp:
1541         (JSC::DFG::OSRExit::compileExit):
1542         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
1543         * dfg/DFGThunks.cpp:
1544         (JSC::DFG::osrExitGenerationThunkGenerator):
1545
1546 2017-08-04  Devin Rousso  <drousso@apple.com>
1547
1548         Web Inspector: add source view for WebGL shader programs
1549         https://bugs.webkit.org/show_bug.cgi?id=138593
1550         <rdar://problem/18936194>
1551
1552         Reviewed by Matt Baker.
1553
1554         * inspector/protocol/Canvas.json:
1555          - Add `ShaderType` enum that contains "vertex" and "fragment".
1556          - Add `requestShaderSource` command that will return the original source code for a given
1557            shader program and shader type.
1558
1559 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
1560
1561         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
1562         https://bugs.webkit.org/show_bug.cgi?id=175141
1563
1564         Reviewed by Mark Lam.
1565         
1566         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
1567         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
1568         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
1569         determined by the AlignedMemoryAllocator object.
1570         
1571         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
1572         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
1573         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
1574         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
1575         they use the same AlignedMemoryAllocator.
1576
1577         * CMakeLists.txt:
1578         * JavaScriptCore.xcodeproj/project.pbxproj:
1579         * heap/AlignedMemoryAllocator.cpp: Added.
1580         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
1581         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
1582         * heap/AlignedMemoryAllocator.h: Added.
1583         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
1584         (JSC::FastMallocAlignedMemoryAllocator::singleton):
1585         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
1586         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
1587         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
1588         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
1589         (JSC::FastMallocAlignedMemoryAllocator::dump const):
1590         * heap/FastMallocAlignedMemoryAllocator.h: Added.
1591         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
1592         (JSC::GigacageAlignedMemoryAllocator::singleton):
1593         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1594         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
1595         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1596         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1597         (JSC::GigacageAlignedMemoryAllocator::dump const):
1598         * heap/GigacageAlignedMemoryAllocator.h: Added.
1599         * heap/GigacageSubspace.cpp: Removed.
1600         * heap/GigacageSubspace.h: Removed.
1601         * heap/LargeAllocation.cpp:
1602         (JSC::LargeAllocation::tryCreate):
1603         (JSC::LargeAllocation::destroy):
1604         * heap/MarkedAllocator.cpp:
1605         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1606         * heap/MarkedBlock.cpp:
1607         (JSC::MarkedBlock::tryCreate):
1608         (JSC::MarkedBlock::Handle::Handle):
1609         (JSC::MarkedBlock::Handle::~Handle):
1610         (JSC::MarkedBlock::Handle::didAddToAllocator):
1611         (JSC::MarkedBlock::Handle::subspace const):
1612         * heap/MarkedBlock.h:
1613         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
1614         (JSC::MarkedBlock::Handle::subspace const): Deleted.
1615         * heap/Subspace.cpp:
1616         (JSC::Subspace::Subspace):
1617         (JSC::Subspace::findEmptyBlockToSteal):
1618         (JSC::Subspace::canTradeBlocksWith): Deleted.
1619         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
1620         (JSC::Subspace::freeAlignedMemory): Deleted.
1621         * heap/Subspace.h:
1622         (JSC::Subspace::name const):
1623         (JSC::Subspace::alignedMemoryAllocator const):
1624         * runtime/JSDestructibleObjectSubspace.cpp:
1625         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
1626         * runtime/JSDestructibleObjectSubspace.h:
1627         * runtime/JSSegmentedVariableObjectSubspace.cpp:
1628         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
1629         * runtime/JSSegmentedVariableObjectSubspace.h:
1630         * runtime/JSStringSubspace.cpp:
1631         (JSC::JSStringSubspace::JSStringSubspace):
1632         * runtime/JSStringSubspace.h:
1633         * runtime/VM.cpp:
1634         (JSC::VM::VM):
1635         * runtime/VM.h:
1636         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
1637         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
1638         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
1639
1640 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
1641
1642         [ESNext] Async iteration - update feature.json
1643         https://bugs.webkit.org/show_bug.cgi?id=175197
1644
1645         Reviewed by Yusuke Suzuki.
1646
1647         Update feature.json to add the status of Async Iteration
1648
1649         * features.json:
1650
1651 2017-08-04  Matt Lewis  <jlewis3@apple.com>
1652
1653         Unreviewed, rolling out r220271.
1654
1655         Rolling out due to Layout Test failing on iOS Simulator.
1656
1657         Reverted changeset:
1658
1659         "Remove STREAMS_API compilation guard"
1660         https://bugs.webkit.org/show_bug.cgi?id=175165
1661         http://trac.webkit.org/changeset/220271
1662
1663 2017-08-04  Youenn Fablet  <youenn@apple.com>
1664
1665         Remove STREAMS_API compilation guard
1666         https://bugs.webkit.org/show_bug.cgi?id=175165
1667
1668         Reviewed by Darin Adler.
1669
1670         * Configurations/FeatureDefines.xcconfig:
1671
1672 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
1673
1674         [EsNext] Async iteration - Add feature flag
1675         https://bugs.webkit.org/show_bug.cgi?id=166694
1676
1677         Reviewed by Yusuke Suzuki.
1678
1679         Add feature flag to JSC to switch on/off Async Iterator
1680
1681         * runtime/Options.h:
1682
1683 2017-08-03  Brian Burg  <bburg@apple.com>
1684
1685         Remove ENABLE(WEB_SOCKET) guards
1686         https://bugs.webkit.org/show_bug.cgi?id=167044
1687
1688         Reviewed by Joseph Pecoraro.
1689
1690         * Configurations/FeatureDefines.xcconfig:
1691
1692 2017-08-03  Youenn Fablet  <youenn@apple.com>
1693
1694         Remove FETCH_API compilation guard
1695         https://bugs.webkit.org/show_bug.cgi?id=175154
1696
1697         Reviewed by Chris Dumez.
1698
1699         * Configurations/FeatureDefines.xcconfig:
1700
1701 2017-08-03  Matt Baker  <mattbaker@apple.com>
1702
1703         Web Inspector: Instrument WebGLProgram created/deleted
1704         https://bugs.webkit.org/show_bug.cgi?id=175059
1705
1706         Reviewed by Devin Rousso.
1707
1708         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
1709
1710         * inspector/protocol/Canvas.json:
1711
1712 2017-08-03  Brady Eidson  <beidson@apple.com>
1713
1714         Add SW IDLs and stub out basic functionality.
1715         https://bugs.webkit.org/show_bug.cgi?id=175115
1716
1717         Reviewed by Chris Dumez.
1718
1719         * Configurations/FeatureDefines.xcconfig:
1720
1721         * runtime/CommonIdentifiers.h:
1722
1723 2017-08-03  Mark Lam  <mark.lam@apple.com>
1724
1725         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
1726         https://bugs.webkit.org/show_bug.cgi?id=175142
1727         <rdar://problem/33704528>
1728
1729         Reviewed by Filip Pizlo.
1730
1731         The convention in the rest of JSC for such methods which return the address of
1732         a field is to name them "addressOf<field name>".  We'll rename
1733         ScratchBuffer::activeLengthPtr to be consistent with this convention.
1734
1735         * dfg/DFGSpeculativeJIT.cpp:
1736         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1737         * dfg/DFGSpeculativeJIT32_64.cpp:
1738         (JSC::DFG::SpeculativeJIT::compile):
1739         * dfg/DFGSpeculativeJIT64.cpp:
1740         (JSC::DFG::SpeculativeJIT::compile):
1741         * dfg/DFGThunks.cpp:
1742         (JSC::DFG::osrExitGenerationThunkGenerator):
1743         * ftl/FTLLowerDFGToB3.cpp:
1744         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
1745         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1746         * ftl/FTLThunks.cpp:
1747         (JSC::FTL::genericGenerationThunkGenerator):
1748         * jit/AssemblyHelpers.cpp:
1749         (JSC::AssemblyHelpers::debugCall):
1750         * jit/ScratchRegisterAllocator.cpp:
1751         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
1752         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
1753         * runtime/VM.h:
1754         (JSC::ScratchBuffer::addressOfActiveLength):
1755         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
1756         * wasm/WasmBinding.cpp:
1757         (JSC::Wasm::wasmToJs):
1758
1759 2017-08-02  Devin Rousso  <drousso@apple.com>
1760
1761         Web Inspector: add stack trace information for each RecordingAction
1762         https://bugs.webkit.org/show_bug.cgi?id=174663
1763
1764         Reviewed by Joseph Pecoraro.
1765
1766         * inspector/ScriptCallFrame.h:
1767         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
1768         with an existing value doesn't require a functor and can use existing code.
1769
1770         * interpreter/StackVisitor.h:
1771         * interpreter/StackVisitor.cpp:
1772         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
1773
1774 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1775
1776         Merge WTFThreadData to Thread::current
1777         https://bugs.webkit.org/show_bug.cgi?id=174716
1778
1779         Reviewed by Mark Lam.
1780
1781         Use Thread::current() instead.
1782
1783         * API/JSContext.mm:
1784         (+[JSContext currentContext]):
1785         (+[JSContext currentThis]):
1786         (+[JSContext currentCallee]):
1787         (+[JSContext currentArguments]):
1788         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
1789         (-[JSContext endCallbackWithData:]):
1790         * heap/Heap.cpp:
1791         (JSC::Heap::requestCollection):
1792         * runtime/Completion.cpp:
1793         (JSC::checkSyntax):
1794         (JSC::checkModuleSyntax):
1795         (JSC::evaluate):
1796         (JSC::loadAndEvaluateModule):
1797         (JSC::loadModule):
1798         (JSC::linkAndEvaluateModule):
1799         (JSC::importModule):
1800         * runtime/Identifier.cpp:
1801         (JSC::Identifier::checkCurrentAtomicStringTable):
1802         * runtime/InitializeThreading.cpp:
1803         (JSC::initializeThreading):
1804         * runtime/JSLock.cpp:
1805         (JSC::JSLock::didAcquireLock):
1806         (JSC::JSLock::willReleaseLock):
1807         (JSC::JSLock::dropAllLocks):
1808         (JSC::JSLock::grabAllLocks):
1809         * runtime/JSLock.h:
1810         * runtime/VM.cpp:
1811         (JSC::VM::VM):
1812         (JSC::VM::updateStackLimits):
1813         (JSC::VM::committedStackByteCount):
1814         * runtime/VM.h:
1815         (JSC::VM::isSafeToRecurse const):
1816         * runtime/VMEntryScope.cpp:
1817         (JSC::VMEntryScope::VMEntryScope):
1818         * runtime/VMInlines.h:
1819         (JSC::VM::ensureStackCapacityFor):
1820         * yarr/YarrPattern.cpp:
1821         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1822
1823 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1824
1825         LLInt should do pointer caging
1826         https://bugs.webkit.org/show_bug.cgi?id=175036
1827
1828         Reviewed by Keith Miller.
1829
1830         Implementing this in the LLInt was challenging because offlineasm did not previously know
1831         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
1832         to be where the Gigacage is enabled right now.
1833
1834         * llint/LLIntOfflineAsmConfig.h:
1835         * llint/LowLevelInterpreter64.asm:
1836         * offlineasm/ast.rb:
1837         * offlineasm/x86.rb:
1838
1839 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1840
1841         Sweeping should only scribble when sweeping to free list
1842         https://bugs.webkit.org/show_bug.cgi?id=175105
1843
1844         Reviewed by Saam Barati.
1845         
1846         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
1847         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
1848         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
1849         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
1850         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
1851         when it doesn't matter anyway because we're building a free list.
1852         
1853         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
1854         zap.
1855
1856         * heap/MarkedBlockInlines.h:
1857         (JSC::MarkedBlock::Handle::specializedSweep):
1858
1859 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1860
1861         All C++ accesses to JSObject::m_butterfly should do caging
1862         https://bugs.webkit.org/show_bug.cgi?id=175039
1863
1864         Reviewed by Keith Miller.
1865         
1866         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
1867         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
1868         outside the gigacage.
1869
1870         * runtime/JSArray.cpp:
1871         (JSC::JSArray::setLength):
1872         (JSC::JSArray::pop):
1873         (JSC::JSArray::push):
1874         (JSC::JSArray::shiftCountWithAnyIndexingType):
1875         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1876         (JSC::JSArray::fillArgList):
1877         (JSC::JSArray::copyToArguments):
1878         * runtime/JSObject.cpp:
1879         (JSC::JSObject::heapSnapshot):
1880         (JSC::JSObject::createInitialIndexedStorage):
1881         (JSC::JSObject::createArrayStorage):
1882         (JSC::JSObject::convertUndecidedToInt32):
1883         (JSC::JSObject::convertUndecidedToDouble):
1884         (JSC::JSObject::convertUndecidedToContiguous):
1885         (JSC::JSObject::convertInt32ToDouble):
1886         (JSC::JSObject::convertInt32ToArrayStorage):
1887         (JSC::JSObject::convertDoubleToContiguous):
1888         (JSC::JSObject::convertDoubleToArrayStorage):
1889         (JSC::JSObject::convertContiguousToArrayStorage):
1890         (JSC::JSObject::defineOwnIndexedProperty):
1891         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1892         (JSC::JSObject::ensureLengthSlow):
1893         (JSC::JSObject::allocateMoreOutOfLineStorage):
1894         * runtime/JSObject.h:
1895         (JSC::JSObject::canGetIndexQuickly):
1896         (JSC::JSObject::getIndexQuickly):
1897         (JSC::JSObject::tryGetIndexQuickly const):
1898         (JSC::JSObject::canSetIndexQuickly):
1899         (JSC::JSObject::setIndexQuickly):
1900         (JSC::JSObject::initializeIndex):
1901         (JSC::JSObject::initializeIndexWithoutBarrier):
1902         (JSC::JSObject::butterfly const):
1903         (JSC::JSObject::butterfly):
1904
1905 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1906
1907         We should be OK with the gigacage being disabled on gmalloc
1908         https://bugs.webkit.org/show_bug.cgi?id=175082
1909
1910         Reviewed by Michael Saboff.
1911
1912         * jsc.cpp:
1913         (jscmain):
1914
1915 2017-08-02  Saam Barati  <sbarati@apple.com>
1916
1917         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
1918         https://bugs.webkit.org/show_bug.cgi?id=175041
1919         <rdar://problem/33659370>
1920
1921         Reviewed by Filip Pizlo.
1922
1923         The testing I have done shows that this new function is a ~10%
1924         progression running JetStream on 1GB iOS devices. I've also tried
1925         this on a few > 1GB iOS devices, and the testing shows this is either neutral
1926         or a regression. Right now, we'll just enable this for <= 1GB devices
1927         since it's a win. In the future, we might want to either look into
1928         tweaking these parameters or coming up with a new function for > 1GB
1929         devices.
1930
1931         * heap/Heap.cpp:
1932         * runtime/Options.h:
1933
1934 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
1935
1936         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
1937         https://bugs.webkit.org/show_bug.cgi?id=174727
1938
1939         Reviewed by Mark Lam.
1940         
1941         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
1942         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
1943         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
1944         
1945         This is neutral on JetStream.
1946
1947         * CMakeLists.txt:
1948         * JavaScriptCore.xcodeproj/project.pbxproj:
1949         * b3/B3InsertionSet.cpp:
1950         (JSC::B3::InsertionSet::execute):
1951         * dfg/DFGAbstractInterpreterInlines.h:
1952         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1953         * dfg/DFGArgumentsEliminationPhase.cpp:
1954         * dfg/DFGClobberize.cpp:
1955         (JSC::DFG::readsOverlap):
1956         * dfg/DFGClobberize.h:
1957         (JSC::DFG::clobberize):
1958         * dfg/DFGDoesGC.cpp:
1959         (JSC::DFG::doesGC):
1960         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
1961         (JSC::DFG::performFixedButterflyAccessUncaging):
1962         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
1963         * dfg/DFGFixupPhase.cpp:
1964         (JSC::DFG::FixupPhase::fixupNode):
1965         * dfg/DFGHeapLocation.cpp:
1966         (WTF::printInternal):
1967         * dfg/DFGHeapLocation.h:
1968         * dfg/DFGNodeType.h:
1969         * dfg/DFGPlan.cpp:
1970         (JSC::DFG::Plan::compileInThreadImpl):
1971         * dfg/DFGPredictionPropagationPhase.cpp:
1972         * dfg/DFGSafeToExecute.h:
1973         (JSC::DFG::safeToExecute):
1974         * dfg/DFGSpeculativeJIT.cpp:
1975         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1976         * dfg/DFGSpeculativeJIT32_64.cpp:
1977         (JSC::DFG::SpeculativeJIT::compile):
1978         * dfg/DFGSpeculativeJIT64.cpp:
1979         (JSC::DFG::SpeculativeJIT::compile):
1980         * dfg/DFGTypeCheckHoistingPhase.cpp:
1981         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1982         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1983         * ftl/FTLCapabilities.cpp:
1984         (JSC::FTL::canCompile):
1985         * ftl/FTLLowerDFGToB3.cpp:
1986         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1987         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1988         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1989         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1990         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1991         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1992         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1993         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1994         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
1995         (JSC::FTL::DFG::LowerDFGToB3::caged):
1996         * heap/GigacageSubspace.cpp: Added.
1997         (JSC::GigacageSubspace::GigacageSubspace):
1998         (JSC::GigacageSubspace::~GigacageSubspace):
1999         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
2000         (JSC::GigacageSubspace::freeAlignedMemory):
2001         (JSC::GigacageSubspace::canTradeBlocksWith):
2002         * heap/GigacageSubspace.h: Added.
2003         * heap/Heap.cpp:
2004         (JSC::Heap::Heap):
2005         (JSC::Heap::lastChanceToFinalize):
2006         (JSC::Heap::finalize):
2007         (JSC::Heap::sweepInFinalize):
2008         (JSC::Heap::updateAllocationLimits):
2009         (JSC::Heap::shouldDoFullCollection):
2010         (JSC::Heap::collectIfNecessaryOrDefer):
2011         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
2012         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
2013         (JSC::Heap::sweepLargeAllocations): Deleted.
2014         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
2015         * heap/Heap.h:
2016         * heap/LargeAllocation.cpp:
2017         (JSC::LargeAllocation::tryCreate):
2018         (JSC::LargeAllocation::destroy):
2019         * heap/MarkedAllocator.cpp:
2020         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2021         (JSC::MarkedAllocator::tryAllocateBlock):
2022         * heap/MarkedBlock.cpp:
2023         (JSC::MarkedBlock::tryCreate):
2024         (JSC::MarkedBlock::Handle::Handle):
2025         (JSC::MarkedBlock::Handle::~Handle):
2026         (JSC::MarkedBlock::Handle::didAddToAllocator):
2027         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2028         * heap/MarkedBlock.h:
2029         (JSC::MarkedBlock::Handle::subspace const):
2030         * heap/MarkedSpace.cpp:
2031         (JSC::MarkedSpace::~MarkedSpace):
2032         (JSC::MarkedSpace::freeMemory):
2033         (JSC::MarkedSpace::prepareForAllocation):
2034         (JSC::MarkedSpace::addMarkedAllocator):
2035         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
2036         * heap/MarkedSpace.h:
2037         (JSC::MarkedSpace::firstAllocator const):
2038         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
2039         * heap/Subspace.cpp:
2040         (JSC::Subspace::Subspace):
2041         (JSC::Subspace::canTradeBlocksWith):
2042         (JSC::Subspace::tryAllocateAlignedMemory):
2043         (JSC::Subspace::freeAlignedMemory):
2044         (JSC::Subspace::prepareForAllocation):
2045         (JSC::Subspace::findEmptyBlockToSteal):
2046         * heap/Subspace.h:
2047         (JSC::Subspace::didCreateFirstAllocator):
2048         * heap/SubspaceInlines.h:
2049         (JSC::Subspace::forEachAllocator):
2050         (JSC::Subspace::forEachMarkedBlock):
2051         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2052         * jit/JITPropertyAccess.cpp:
2053         (JSC::JIT::emitDoubleLoad):
2054         (JSC::JIT::emitContiguousLoad):
2055         (JSC::JIT::emitArrayStorageLoad):
2056         (JSC::JIT::emitGenericContiguousPutByVal):
2057         (JSC::JIT::emitArrayStoragePutByVal):
2058         (JSC::JIT::emit_op_get_from_scope):
2059         (JSC::JIT::emit_op_put_to_scope):
2060         (JSC::JIT::emitIntTypedArrayGetByVal):
2061         (JSC::JIT::emitFloatTypedArrayGetByVal):
2062         (JSC::JIT::emitIntTypedArrayPutByVal):
2063         (JSC::JIT::emitFloatTypedArrayPutByVal):
2064         * jsc.cpp:
2065         (fillBufferWithContentsOfFile):
2066         (functionReadFile):
2067         (gigacageDisabled):
2068         (jscmain):
2069         * llint/LowLevelInterpreter64.asm:
2070         * runtime/ArrayBuffer.cpp:
2071         (JSC::ArrayBufferContents::tryAllocate):
2072         (JSC::ArrayBuffer::createAdopted):
2073         (JSC::ArrayBuffer::createFromBytes):
2074         (JSC::ArrayBuffer::tryCreate):
2075         * runtime/IndexingHeader.h:
2076         * runtime/InitializeThreading.cpp:
2077         (JSC::initializeThreading):
2078         * runtime/JSArrayBuffer.cpp:
2079         * runtime/JSArrayBufferView.cpp:
2080         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2081         (JSC::JSArrayBufferView::finalize):
2082         * runtime/JSLock.cpp:
2083         (JSC::JSLock::didAcquireLock):
2084         * runtime/JSObject.h:
2085         * runtime/Options.cpp:
2086         (JSC::recomputeDependentOptions):
2087         * runtime/Options.h:
2088         * runtime/ScopedArgumentsTable.h:
2089         * runtime/VM.cpp:
2090         (JSC::VM::VM):
2091         (JSC::VM::~VM):
2092         (JSC::VM::gigacageDisabledCallback):
2093         (JSC::VM::gigacageDisabled):
2094         * runtime/VM.h:
2095         (JSC::VM::fireGigacageEnabledIfNecessary):
2096         (JSC::VM::gigacageEnabled):
2097         * wasm/WasmB3IRGenerator.cpp:
2098         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2099         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2100         * wasm/WasmCodeBlock.cpp:
2101         (JSC::Wasm::CodeBlock::isSafeToRun):
2102         * wasm/WasmMemory.cpp:
2103         (JSC::Wasm::makeString):
2104         (JSC::Wasm::Memory::create):
2105         (JSC::Wasm::Memory::~Memory):
2106         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
2107         (JSC::Wasm::Memory::grow):
2108         (JSC::Wasm::Memory::initializePreallocations): Deleted.
2109         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
2110         * wasm/WasmMemory.h:
2111         * wasm/js/JSWebAssemblyInstance.cpp:
2112         (JSC::JSWebAssemblyInstance::create):
2113         * wasm/js/JSWebAssemblyMemory.cpp:
2114         (JSC::JSWebAssemblyMemory::grow):
2115         (JSC::JSWebAssemblyMemory::finishCreation):
2116         * wasm/js/JSWebAssemblyMemory.h:
2117         (JSC::JSWebAssemblyMemory::subspaceFor):
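
        The pointer masking described in this entry and in the "All C++ accesses to
        JSObject::m_butterfly should do caging" entry above, as an added illustration that is not
        WebKit's code: a hypothetical 64 KiB cage stands in for the multi-GB region, Cage,
        CagedPtr, ButterflyLike and the bump allocator are names invented for this example, and
        the out-of-cage buffer is constructed to simulate a pointer field that an attacker has
        rewired. Caging keeps only the pointer's offset within the cage and re-bases it, so an
        in-cage pointer is unchanged while a rewired one is forced back inside the cage and the
        forged data outside is never reached.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Hypothetical stand-in for the Gigacage: a region whose size is a power of two
// and whose base is aligned to that size, so a pointer's offset inside the cage
// is simply ptr & CAGE_MASK. 64 KiB here instead of multiple GB.
static constexpr uintptr_t CAGE_SIZE = uintptr_t(1) << 16;
static constexpr uintptr_t CAGE_MASK = CAGE_SIZE - 1;
static constexpr size_t CAGE_SLACK = 64;  // a caged pointer near the end must stay readable

struct Cage {
    void* raw = nullptr;      // what calloc returned; freed in the destructor
    uint8_t* base = nullptr;  // CAGE_SIZE-aligned start of the cage
    size_t used = 0;          // bump-allocation cursor

    Cage() {
        // Over-allocate (zeroed) and round up so base is aligned without aligned_alloc.
        raw = std::calloc(2 * CAGE_SIZE + CAGE_SLACK, 1);
        uintptr_t r = reinterpret_cast<uintptr_t>(raw);
        base = reinterpret_cast<uint8_t*>((r + CAGE_MASK) & ~CAGE_MASK);
    }
    ~Cage() { std::free(raw); }
    Cage(const Cage&) = delete;
    Cage& operator=(const Cage&) = delete;

    // Minimal bump allocator inside the cage (no freeing; enough for the demo).
    void* allocate(size_t bytes) {
        if (used + bytes > CAGE_SIZE)
            return nullptr;
        void* p = base + used;
        used += bytes;
        return p;
    }

    bool contains(const void* p) const {
        uintptr_t x = reinterpret_cast<uintptr_t>(p);
        uintptr_t b = reinterpret_cast<uintptr_t>(base);
        return x >= b && x < b + CAGE_SIZE;
    }

    // The caging operation: keep only the low bits (offset within the cage) and
    // re-base them on the cage. In-cage pointers come back unchanged; a pointer
    // that has been rewired elsewhere is forced to some address inside the cage.
    template<typename T>
    T* caged(T* ptr) const {
        uintptr_t offset = reinterpret_cast<uintptr_t>(ptr) & CAGE_MASK;
        return reinterpret_cast<T*>(base + offset);
    }
};

// A pointer field stored raw but only ever dereferenced through caging: the
// discipline that routing every m_butterfly access through CagedPtr<> imposes.
template<typename T>
class CagedPtr {
public:
    CagedPtr(const Cage& cage, T* ptr) : m_cage(&cage), m_ptr(ptr) {}
    T* get() const { return m_cage->caged(m_ptr); }
    T* getMayBeNull() const { return m_ptr ? get() : nullptr; }
    T** rawSlot() { return &m_ptr; }  // exposed only to simulate corruption below
private:
    const Cage* m_cage;
    T* m_ptr;
};

struct ButterflyLike {
    uint32_t length;
    uint32_t data[4];
};

// Simulate an attacker rewiring the stored pointer to a buffer outside the cage.
// Returns true if the caged read still lands inside the cage, i.e. the forged
// length placed outside the cage is never observed.
bool cagingDefeatsRewiredPointer() {
    Cage cage;
    auto* bf = static_cast<ButterflyLike*>(cage.allocate(sizeof(ButterflyLike)));
    if (!bf)
        return false;
    bf->length = 4;
    for (uint32_t i = 0; i < 4; ++i)
        bf->data[i] = 0x11111111u * (i + 1);
    CagedPtr<ButterflyLike> field(cage, bf);

    ButterflyLike outside;             // constructed attacker-controlled buffer
    outside.length = 0x7fffffffu;      // a forged length that would permit OOB reads
    std::memset(outside.data, 0xAB, sizeof(outside.data));

    *field.rawSlot() = &outside;       // the corruption: the raw field now points outside

    ButterflyLike* viaCage = field.get();
    return !cage.contains(&outside) && cage.contains(viaCage)
        && viaCage->length != 0x7fffffffu;
}

// Sanity check: an in-cage pointer passes through caging unchanged.
bool cagingIsIdentityInsideCage() {
    Cage cage;
    auto* p = static_cast<uint32_t*>(cage.allocate(sizeof(uint32_t)));
    return p && cage.caged(p) == p;
}
```

        Masking does not detect the corruption; it only bounds its effect. After rewiring, the
        caged read still returns some in-cage address, which is why the real design pairs the
        cage with a zeroed mapping and runway and keeps non-auxiliary objects out of it.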
2118
2119 2017-07-31  Mark Lam  <mark.lam@apple.com>
2120
2121         Added some UNLIKELYs to operationOptimize().
2122         https://bugs.webkit.org/show_bug.cgi?id=174976
2123
2124         Reviewed by JF Bastien.
2125
2126         * jit/JITOperations.cpp:
2127
2128 2017-07-31  Keith Miller  <keith_miller@apple.com>
2129
2130         Make more things LLInt constexprs
2131         https://bugs.webkit.org/show_bug.cgi?id=174994
2132
2133         Reviewed by Saam Barati.
2134
2135         This patch makes more of the const values in the LLInt constexprs.
2136         It also deletes all of the no longer necessary static_asserts in
2137         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
2138
2139         * interpreter/ShadowChicken.h:
2140         (JSC::ShadowChicken::Packet::tailMarker):
2141         * llint/LLIntData.cpp:
2142         (JSC::LLInt::Data::performAssertions):
2143         * llint/LowLevelInterpreter.asm:
2144         * offlineasm/generate_offset_extractor.rb:
2145         * offlineasm/parser.rb:
2146
2147 2017-07-31  Matt Lewis  <jlewis3@apple.com>
2148
2149         Unreviewed, rolling out r220060.
2150
2151         This broke our internal builds. Contact reviewer of patch for
2152         more information.
2153
2154         Reverted changeset:
2155
2156         "Merge WTFThreadData to Thread::current"
2157         https://bugs.webkit.org/show_bug.cgi?id=174716
2158         http://trac.webkit.org/changeset/220060
2159
2160 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2161
2162         [JSC] Support optional catch binding
2163         https://bugs.webkit.org/show_bug.cgi?id=174981
2164
2165         Reviewed by Saam Barati.
2166
        This patch implements the optional catch binding proposal [1], which is now stage 3.
        This proposal adds a new `catch` brace with no error value binding.
2169
2170             ```
2171                 try {
2172                     ...
2173                 } catch {
2174                     ...
2175                 }
2176             ```
2177
        Sometimes we do not actually need the error value. For example, a function may return
        a boolean that indicates whether it succeeded.
2180
2181             ```
2182             function parse(result) // -> bool
2183             {
2184                  try {
2185                      parseInner(result);
2186                  } catch {
2187                      return false;
2188                  }
2189                  return true;
2190             }
2191             ```
2192
2193         In the above case, we are not interested in the actual error value. Without this syntax,
2194         we always need to introduce a binding for an error value that is just ignored.
2195
2196         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
2197
2198         * bytecompiler/NodesCodegen.cpp:
2199         (JSC::TryNode::emitBytecode):
2200         * parser/Parser.cpp:
2201         (JSC::Parser<LexerType>::parseTryStatement):
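
        The following is an added example, not code from WebKit or from the proposal. It uses the
        binding-less `catch` in the situation the entry describes (only success or failure matters)
        and shows how to detect engine support for the syntax, which cannot be done by wrapping the
        new form in an ordinary try/catch because the failure happens at parse time. The function
        names are this example's own.

```javascript
// Added example; not WebKit code. Demonstrates optional catch binding and
// how to feature-detect it.

// Returns true when `text` is well-formed JSON. The only statement in the
// try block is JSON.parse, which throws SyntaxError on bad input, so the
// error value carries nothing we want to keep and the binding is omitted.
function isWellFormedJSON(text) {
  try {
    JSON.parse(text);
  } catch {
    return false;
  }
  return true;
}

// Optional catch binding is syntax: an engine without it rejects the whole
// script at parse time, before any runtime try/catch around a call could
// help. Compiling a constant probe string through the Function constructor
// turns that parse error into a catchable SyntaxError. The detector itself
// must use the old `catch (e)` form, otherwise it would be the statement
// that fails to parse. Function is applied to a fixed literal only; never
// pass it untrusted input.
function supportsOptionalCatchBinding() {
  try {
    new Function("try {} catch {}");
    return true;
  } catch (e) {
    return false;
  }
}
```

        A binding-less `catch` still catches every exception thrown inside the `try`, so keep the
        guarded block to the single call whose failure you actually intend to ignore; otherwise
        programming errors are swallowed along with the expected one.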
2202
2203 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2204
2205         Merge WTFThreadData to Thread::current
2206         https://bugs.webkit.org/show_bug.cgi?id=174716
2207
2208         Reviewed by Sam Weinig.
2209
2210         Use Thread::current() instead.
2211
2212         * API/JSContext.mm:
2213         (+[JSContext currentContext]):
2214         (+[JSContext currentThis]):
2215         (+[JSContext currentCallee]):
2216         (+[JSContext currentArguments]):
2217         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2218         (-[JSContext endCallbackWithData:]):
2219         * heap/Heap.cpp:
2220         (JSC::Heap::requestCollection):
2221         * runtime/Completion.cpp:
2222         (JSC::checkSyntax):
2223         (JSC::checkModuleSyntax):
2224         (JSC::evaluate):
2225         (JSC::loadAndEvaluateModule):
2226         (JSC::loadModule):
2227         (JSC::linkAndEvaluateModule):
2228         (JSC::importModule):
2229         * runtime/Identifier.cpp:
2230         (JSC::Identifier::checkCurrentAtomicStringTable):
2231         * runtime/InitializeThreading.cpp:
2232         (JSC::initializeThreading):
2233         * runtime/JSLock.cpp:
2234         (JSC::JSLock::didAcquireLock):
2235         (JSC::JSLock::willReleaseLock):
2236         (JSC::JSLock::dropAllLocks):
2237         (JSC::JSLock::grabAllLocks):
2238         * runtime/JSLock.h:
2239         * runtime/VM.cpp:
2240         (JSC::VM::VM):
2241         (JSC::VM::updateStackLimits):
2242         (JSC::VM::committedStackByteCount):
2243         * runtime/VM.h:
2244         (JSC::VM::isSafeToRecurse const):
2245         * runtime/VMEntryScope.cpp:
2246         (JSC::VMEntryScope::VMEntryScope):
2247         * runtime/VMInlines.h:
2248         (JSC::VM::ensureStackCapacityFor):
2249         * yarr/YarrPattern.cpp:
2250         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2251
2252 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2253
2254         [WTF] Introduce Private Symbols
2255         https://bugs.webkit.org/show_bug.cgi?id=174935
2256
2257         Reviewed by Darin Adler.
2258
2259         Use SymbolImpl::isPrivate().
2260
2261         * builtins/BuiltinNames.cpp:
2262         * builtins/BuiltinNames.h:
2263         (JSC::BuiltinNames::isPrivateName): Deleted.
2264         * builtins/BuiltinUtils.h:
2265         * bytecode/BytecodeIntrinsicRegistry.cpp:
2266         (JSC::BytecodeIntrinsicRegistry::lookup):
2267         * runtime/CommonIdentifiers.cpp:
2268         (JSC::CommonIdentifiers::isPrivateName): Deleted.
2269         * runtime/CommonIdentifiers.h:
2270         * runtime/ExceptionHelpers.cpp:
2271         (JSC::createUndefinedVariableError):
2272         * runtime/Identifier.h:
2273         (JSC::Identifier::isPrivateName):
2274         * runtime/IdentifierInlines.h:
2275         (JSC::identifierToSafePublicJSValue):
2276         * runtime/ObjectConstructor.cpp:
2277         (JSC::objectConstructorAssign):
2278         (JSC::defineProperties):
2279         (JSC::setIntegrityLevel):
2280         (JSC::testIntegrityLevel):
2281         (JSC::ownPropertyKeys):
2282         * runtime/PrivateName.h:
2283         (JSC::PrivateName::PrivateName):
2284         * runtime/PropertyName.h:
2285         (JSC::PropertyName::isPrivateName):
2286         * runtime/ProxyObject.cpp:
2287         (JSC::performProxyGet):
2288         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2289         (JSC::ProxyObject::performHasProperty):
2290         (JSC::ProxyObject::performPut):
2291         (JSC::ProxyObject::performDelete):
2292         (JSC::ProxyObject::performDefineOwnProperty):
2293
2294 2017-07-29  Keith Miller  <keith_miller@apple.com>
2295
2296         LLInt offsets extractor should be able to handle C++ constexprs
2297         https://bugs.webkit.org/show_bug.cgi?id=174964
2298
2299         Reviewed by Saam Barati.
2300
2301         This patch adds new syntax to the offline asm language. The new keyword,
2302         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
2303         expression. Additionally, if the value is not an identifier you can wrap it in
2304         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
2305         which will get converted into:
2306         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
2307
2308         This patch also changes the data format the LLIntOffsetsExtractor
2309         binary produces.  Previously, it would produce unsigned values,
2310         after this patch every value is an int64_t.  Using an int64_t is
2311         useful because it means that we can represent any constant needed.
        int32_t masks are sign extended and then converted to a
        negative literal string in the assembler so it will be the constant
        expected.
2315
2316         * llint/LLIntOffsetsExtractor.cpp:
2317         (JSC::LLIntOffsetsExtractor::dummy):
2318         * llint/LowLevelInterpreter.asm:
2319         * llint/LowLevelInterpreter64.asm:
2320         * offlineasm/asm.rb:
2321         * offlineasm/ast.rb:
2322         * offlineasm/generate_offset_extractor.rb:
2323         * offlineasm/offsets.rb:
2324         * offlineasm/parser.rb:
2325         * offlineasm/transform.rb:
2326
2327 2017-07-28  Matt Baker  <mattbaker@apple.com>
2328
2329         Web Inspector: capture an async stack trace when web content calls addEventListener
2330         https://bugs.webkit.org/show_bug.cgi?id=174739
2331         <rdar://problem/33468197>
2332
2333         Reviewed by Brian Burg.
2334
2335         Allow debugger agents to perform custom logic when asynchronous stack
2336         trace data is cleared. For example, the PageDebuggerAgent would clear
2337         its list of registered listeners for which call stacks have been recorded.
2338
2339         * inspector/agents/InspectorDebuggerAgent.cpp:
2340         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
2341         * inspector/agents/InspectorDebuggerAgent.h:
2342
2343 2017-07-28  Mark Lam  <mark.lam@apple.com>
2344
2345         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
2346         https://bugs.webkit.org/show_bug.cgi?id=174948
2347         <rdar://problem/33495680>
2348
2349         Reviewed by Filip Pizlo.
2350
2351         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
2352         owner StructureRareData is already known to be dead (in terms of GC liveness) but
2353         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
2354         requests to fire this watchpoint.
2355
2356         If the GC had the chance to sweep the StructureRareData, thereby destructing the
2357         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
2358         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
2359
2360         But since the watchpoint hasn't been destructed yet, it still remains on the
2361         WatchpointSet and needs to guard against being fired in this state.  The fix is
2362         to simply return early if its owner StructureRareData is not live.  This has the
2363         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
2364         not firing as we would expect.
2365
2366         This patch also removes some cargo cult copying of watchpoint code which
2367         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
2368         used.  This patch removes these unnecessary instantiations.
2369
2370         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2371         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2372         * runtime/StructureRareData.cpp:
2373         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2374         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
2375
2376 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2377
2378         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
2379         https://bugs.webkit.org/show_bug.cgi?id=174900
2380
2381         Reviewed by Saam Barati.
2382
        In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
        Instead, we use ForceOSRExit etc. (pseudo terminals) to avoid looking into unreachable nodes.
        The problem is that the transforming phase also checks these pseudo terminals.
2386
2387             BB1
2388             1: ForceOSRExit
2389             2: CreateDirectArguments
2390
2391             BB2
2392             3: GetButterfly(@2)
2393             4: ForceOSRExit
2394
2395         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
2396
        In this patch, we stop listing candidates after seeing pseudo terminals in basic blocks.
2398
2399         * dfg/DFGArgumentsEliminationPhase.cpp:
2400
2401 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
2402
2403         [ES] Add support finally to Promise
2404         https://bugs.webkit.org/show_bug.cgi?id=174503
2405
2406         Reviewed by Yusuke Suzuki.
2407
        Add support for the `finally` method on Promise according to
        https://bugs.webkit.org/show_bug.cgi?id=174503
        Current spec, at STAGE 3:
2411         https://github.com/tc39/proposal-promise-finally
2412
2413         * builtins/PromisePrototype.js:
2414         (finally):
2415         (const.valueThunk):
2416         (globalPrivate.getThenFinally):
2417         (const.thrower):
2418         (globalPrivate.getCatchFinally):
2419         * runtime/JSPromisePrototype.cpp:
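
        The following is an added example, not WebKit's builtins/PromisePrototype.js. It is a
        plain-JavaScript Promise.prototype.finally shaped like the stage 3 proposal, using the
        helper names the entry lists (thenFinally, catchFinally, valueThunk, thrower); the
        function name promiseFinally and the species handling via C.resolve are this example's
        own assumptions.

```javascript
// Added example; not WebKit code. A spec-shaped Promise.prototype.finally.

function promiseFinally(promise, onFinally) {
  if (promise === null || typeof promise !== "object")
    throw new TypeError("Promise.prototype.finally requires that |this| be an object");

  // SpeciesConstructor(promise, %Promise%): a Promise subclass gets its own
  // constructor back, a plain Promise gets %Promise%.
  let C = Promise;
  const ctor = promise.constructor;
  if (ctor !== undefined) {
    if (typeof ctor !== "object" && typeof ctor !== "function")
      throw new TypeError("|this|.constructor is not an object");
    const species = ctor[Symbol.species];
    if (species !== undefined && species !== null) C = species;
  }

  // A non-callable onFinally is passed straight through to then(), as the
  // proposal requires, so the result just mirrors the original promise.
  if (typeof onFinally !== "function")
    return promise.then(onFinally, onFinally);

  // thenFinally: run the callback, wait for whatever it returns, then
  // replay the original fulfilled value. The callback's own return value
  // is discarded unless it rejects.
  const thenFinally = (value) => {
    const result = onFinally();
    const valueThunk = () => value;
    return C.resolve(result).then(valueThunk);
  };

  // catchFinally: same, but re-throw the original rejection reason after
  // the callback's promise (if any) settles.
  const catchFinally = (reason) => {
    const result = onFinally();
    const thrower = () => { throw reason; };
    return C.resolve(result).then(thrower);
  };

  return promise.then(thenFinally, catchFinally);
}

// Install only when the engine lacks it, so a native implementation wins.
if (typeof Promise.prototype.finally !== "function") {
  Object.defineProperty(Promise.prototype, "finally", {
    value: function (onFinally) { return promiseFinally(this, onFinally); },
    writable: true,
    configurable: true,
    enumerable: false,
  });
}
```

        Two behaviours worth keeping in mind when reading or reviewing a finally implementation:
        the callback receives no argument and cannot change a fulfilled value, but a rejection
        thrown (or returned as a rejected promise) from the callback replaces the original outcome;
        and a callback that returns a promise delays settlement of the returned promise until that
        inner promise settles.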
2420
2421 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2422
2423         Unreviewed, build fix for CLoop
2424         https://bugs.webkit.org/show_bug.cgi?id=171637
2425
2426         * domjit/DOMJITGetterSetter.h:
2427
2428 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2429
2430         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
2431         https://bugs.webkit.org/show_bug.cgi?id=171637
2432
2433         Reviewed by Darin Adler.
2434
        Each DOM attribute getter has code to perform the ClassInfo check. But it is largely duplicated and causes code bloat.
        In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.

        We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
        DOMJIT::GetterSetter is nullptr. We support such a CustomAccessorGetter in all the JIT tiers.

        In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
        the op_get_by_id_with_this case yet.
        In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.

        And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds the DOMAnnotation and performs
        the ClassInfo check.
2447
2448         * CMakeLists.txt:
2449         * JavaScriptCore.xcodeproj/project.pbxproj:
2450         * bytecode/AccessCase.cpp:
2451         (JSC::AccessCase::generateImpl):
2452         * bytecode/GetByIdStatus.cpp:
2453         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2454         * bytecode/GetByIdVariant.cpp:
2455         (JSC::GetByIdVariant::GetByIdVariant):
2456         (JSC::GetByIdVariant::operator=):
2457         (JSC::GetByIdVariant::attemptToMerge):
2458         (JSC::GetByIdVariant::dumpInContext):
2459         * bytecode/GetByIdVariant.h:
2460         (JSC::GetByIdVariant::customAccessorGetter):
2461         (JSC::GetByIdVariant::domAttribute):
2462         (JSC::GetByIdVariant::domJIT): Deleted.
2463         * bytecode/GetterSetterAccessCase.cpp:
2464         (JSC::GetterSetterAccessCase::create):
2465         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
2466         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2467         * bytecode/GetterSetterAccessCase.h:
2468         (JSC::GetterSetterAccessCase::domAttribute):
2469         (JSC::GetterSetterAccessCase::customAccessor):
2470         (JSC::GetterSetterAccessCase::domJIT): Deleted.
2471         * bytecompiler/BytecodeGenerator.cpp:
2472         (JSC::BytecodeGenerator::instantiateLexicalVariables):
2473         * create_hash_table:
2474         * dfg/DFGAbstractInterpreterInlines.h:
2475         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2476         * dfg/DFGByteCodeParser.cpp:
2477         (JSC::DFG::blessCallDOMGetter):
2478         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2479         (JSC::DFG::ByteCodeParser::handleGetById):
2480         * dfg/DFGClobberize.h:
2481         (JSC::DFG::clobberize):
2482         * dfg/DFGFixupPhase.cpp:
2483         (JSC::DFG::FixupPhase::fixupNode):
2484         * dfg/DFGNode.h:
2485         * dfg/DFGSpeculativeJIT.cpp:
2486         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2487         * dfg/DFGSpeculativeJIT.h:
2488         (JSC::DFG::SpeculativeJIT::callCustomGetter):
2489         * domjit/DOMJITGetterSetter.h:
2490         (JSC::DOMJIT::GetterSetter::GetterSetter):
2491         (JSC::DOMJIT::GetterSetter::getter):
2492         (JSC::DOMJIT::GetterSetter::compiler):
2493         (JSC::DOMJIT::GetterSetter::resultType):
2494         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
2495         (JSC::DOMJIT::GetterSetter::setter): Deleted.
2496         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
2497         * ftl/FTLLowerDFGToB3.cpp:
2498         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
2499         * jit/Repatch.cpp:
2500         (JSC::tryCacheGetByID):
2501         * jsc.cpp:
2502         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
2503         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2504         (WTF::DOMJITGetter::customGetter):
2505         (WTF::DOMJITGetter::finishCreation):
2506         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
2507         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2508         (WTF::DOMJITGetterComplex::customGetter):
2509         (WTF::DOMJITGetterComplex::finishCreation):
2510         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
2511         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
2512         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
2513         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
2514         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
2515         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
2516         * runtime/CustomGetterSetter.h:
2517         (JSC::CustomGetterSetter::create):
2518         (JSC::CustomGetterSetter::setter):
2519         (JSC::CustomGetterSetter::CustomGetterSetter):
2520         (): Deleted.
2521         * runtime/DOMAnnotation.h: Added.
2522         (JSC::operator==):
2523         (JSC::operator!=):
2524         * runtime/DOMAttributeGetterSetter.cpp: Added.
2525         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
2526         (JSC::isDOMAttributeGetterSetter):
2527         * runtime/Error.cpp:
2528         (JSC::throwDOMAttributeGetterTypeError):
2529         * runtime/Error.h:
2530         (JSC::throwVMDOMAttributeGetterTypeError):
2531         * runtime/JSCustomGetterSetterFunction.cpp:
2532         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
2533         * runtime/JSObject.cpp:
2534         (JSC::JSObject::putInlineSlow):
2535         (JSC::JSObject::deleteProperty):
2536         (JSC::JSObject::getOwnStaticPropertySlot):
2537         (JSC::JSObject::reifyAllStaticProperties):
2538         (JSC::JSObject::fillGetterPropertySlot):
2539         (JSC::JSObject::findPropertyHashEntry): Deleted.
2540         * runtime/JSObject.h:
2541         (JSC::JSObject::getOwnNonIndexPropertySlot):
2542         (JSC::JSObject::fillCustomGetterPropertySlot):
2543         * runtime/Lookup.cpp:
2544         (JSC::setUpStaticFunctionSlot):
2545         * runtime/Lookup.h:
2546         (JSC::HashTableValue::domJIT):
2547         (JSC::getStaticPropertySlotFromTable):
2548         (JSC::putEntry):
2549         (JSC::lookupPut):
2550         (JSC::reifyStaticProperty):
2551         (JSC::reifyStaticProperties):
        Each static property table has a new field ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
        this static property table require.
2554
2555         * runtime/ProgramExecutable.cpp:
2556         (JSC::ProgramExecutable::initializeGlobalProperties):
2557         * runtime/PropertyName.h:
2558         * runtime/PropertySlot.cpp:
2559         (JSC::PropertySlot::customGetter):
2560         (JSC::PropertySlot::customAccessorGetter):
2561         * runtime/PropertySlot.h:
2562         (JSC::PropertySlot::domAttribute):
2563         (JSC::PropertySlot::setCustom):
2564         (JSC::PropertySlot::setCacheableCustom):
2565         (JSC::PropertySlot::getValue):
2566         (JSC::PropertySlot::domJIT): Deleted.
2567         * runtime/VM.cpp:
2568         (JSC::VM::VM):
2569         * runtime/VM.h:
2570
2571 2017-07-26  Devin Rousso  <drousso@apple.com>
2572
2573         Web Inspector: create protocol for recording Canvas contexts
2574         https://bugs.webkit.org/show_bug.cgi?id=174481
2575
2576         Reviewed by Joseph Pecoraro.
2577
2578         * inspector/protocol/Canvas.json:
2579          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
2580          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
2581          - Add `recordingFinished` event that is fired once a recording is finished.
2582
2583         * CMakeLists.txt:
2584         * DerivedSources.make:
2585         * inspector/protocol/Recording.json: Added.
2586          - Add `Type` enum that lists the types of recordings
2587          - Add `InitialState` type that contains information about the canvas context at the
2588            beginning of the recording.
2589          - Add `Frame` type that holds a list of actions that were recorded.
2590          - Add `Recording` type as the container object of recording data.
2591
2592         * inspector/scripts/codegen/generate_js_backend_commands.py:
2593         (JSBackendCommandsGenerator.generate_domain):
2594         Create an agent for domains with no events or commands.
2595
2596         * inspector/InspectorValues.h:
2597         Make Array `get` public so that values can be retrieved if needed.
2598
2599 2017-07-26  Brian Burg  <bburg@apple.com>
2600
2601         Remove WEB_TIMING feature flag
2602         https://bugs.webkit.org/show_bug.cgi?id=174795
2603
2604         Reviewed by Alex Christensen.
2605
2606         * Configurations/FeatureDefines.xcconfig:
2607
2608 2017-07-26  Mark Lam  <mark.lam@apple.com>
2609
2610         Add the ability to change sp and pc to the ARM64 JIT probe.
2611         https://bugs.webkit.org/show_bug.cgi?id=174697
2612         <rdar://problem/33436965>
2613
2614         Reviewed by JF Bastien.
2615
2616         This patch implements the following:
2617
2618         1. The ARM64 probe now supports modifying the pc and sp.
2619
2620            However, lr is not preserved when modifying the pc because it is used as the
2621            scratch register for the indirect jump. Hence, the probe handler function
2622            may not modify both lr and pc in the same probe invocation.
2623
2624         2. Fix probe tests to use bitwise comparison when comparing double register
2625            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
2626
2627         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
2628            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
2629            instructions which require 16 byte alignment for their memory access.
2630
2631         * assembler/MacroAssemblerARM64.cpp:
2632         (JSC::arm64ProbeError):
2633         (JSC::MacroAssembler::probe):
2634         (JSC::arm64ProbeTrampoline): Deleted.
2635         * assembler/testmasm.cpp:
2636         (JSC::isSpecialGPR):
2637         (JSC::testProbeReadsArgumentRegisters):
2638         (JSC::testProbeWritesArgumentRegisters):
2639         (JSC::testProbePreservesGPRS):
2640         (JSC::testProbeModifiesStackPointer):
2641         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
2642         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2643
2644 2017-07-25  JF Bastien  <jfbastien@apple.com>
2645
2646         WebAssembly: generate smaller binaries
2647         https://bugs.webkit.org/show_bug.cgi?id=174818
2648
2649         Reviewed by Filip Pizlo.
2650
2651         This patch reduces generated code size for WebAssembly in 2 ways:
2652
2653         1. Use the ZR register when storing zero on ARM64.
2654         2. Synthesize wasm context lazily.
2655
2656         This leads to a modest size reduction on both x86-64 and ARM64 for
2657         large WebAssembly games, without any performance loss on WasmBench
2658         and TitzerBench.
2659
2660         The reason this works is that these games, using Emscripten,
2661         generate 100k+ tiny functions, and our JIT allocation granule
2662         rounds all allocations up to 32 bytes. There are plenty of other
        simple gains to be had; I've filed a follow-up bug at
2664         webkit.org/b/174819
2665
2666         We should further avoid the per-function cost of tiering, which
2667         represents the bulk of code generated for small functions.
2668
2669         * assembler/MacroAssemblerARM64.h:
2670         (JSC::MacroAssemblerARM64::storeZero64):
2671         * assembler/MacroAssemblerX86_64.h:
2672         (JSC::MacroAssemblerX86_64::storeZero64):
2673         * b3/B3LowerToAir.cpp:
2674         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
2675         for x86 because it constrains register reuse and codegen in a way
2676         that doesn't affect ARM64 because it has a dedicated zero
2677         register.
2678         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
2679         * wasm/WasmB3IRGenerator.cpp:
2680         (JSC::Wasm::B3IRGenerator::instanceValue):
2681         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
2682         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2683         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
2684
2685 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
2686
2687         B3 should do LICM
2688         https://bugs.webkit.org/show_bug.cgi?id=174750
2689
2690         Reviewed by Keith Miller and Saam Barati.
2691         
2692         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
2693         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
2694         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
2695         change templatizes DFG::NaturalLoops so that we can just use it.
2696         
2697         The LICM phase itself is really simple. We are decently precise with our handling of everything except
2698         the relationship between control dependence and side exits.
2699         
2700         Also added a bunch of tests.
2701         
2702         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
2703         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
2704         so it doesn't hurt to have it.
2705         
2706         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
        handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
2708         it's good to have it because LICM is one of those core compiler phases; every compiler has it
2709         eventually.
2710
2711         * CMakeLists.txt:
2712         * JavaScriptCore.xcodeproj/project.pbxproj:
2713         * b3/B3BackwardsCFG.h: Added.
2714         (JSC::B3::BackwardsCFG::BackwardsCFG):
2715         * b3/B3BackwardsDominators.h: Added.
2716         (JSC::B3::BackwardsDominators::BackwardsDominators):
2717         * b3/B3BasicBlock.cpp:
2718         (JSC::B3::BasicBlock::appendNonTerminal):
2719         * b3/B3Effects.h:
2720         * b3/B3EnsureLoopPreHeaders.cpp: Added.
2721         (JSC::B3::ensureLoopPreHeaders):
2722         * b3/B3EnsureLoopPreHeaders.h: Added.
2723         * b3/B3Generate.cpp:
2724         (JSC::B3::generateToAir):
2725         * b3/B3HoistLoopInvariantValues.cpp: Added.
2726         (JSC::B3::hoistLoopInvariantValues):
2727         * b3/B3HoistLoopInvariantValues.h: Added.
2728         * b3/B3NaturalLoops.h: Added.
2729         (JSC::B3::NaturalLoops::NaturalLoops):
2730         * b3/B3Procedure.cpp:
2731         (JSC::B3::Procedure::invalidateCFG):
2732         (JSC::B3::Procedure::naturalLoops):
2733         (JSC::B3::Procedure::backwardsCFG):
2734         (JSC::B3::Procedure::backwardsDominators):
2735         * b3/B3Procedure.h:
2736         * b3/testb3.cpp:
2737         (JSC::B3::generateLoop):
2738         (JSC::B3::makeArrayForLoops):
2739         (JSC::B3::generateLoopNotBackwardsDominant):
2740         (JSC::B3::oneFunction):
2741         (JSC::B3::noOpFunction):
2742         (JSC::B3::testLICMPure):
2743         (JSC::B3::testLICMPureSideExits):
2744         (JSC::B3::testLICMPureWritesPinned):
2745         (JSC::B3::testLICMPureWrites):
2746         (JSC::B3::testLICMReadsLocalState):
2747         (JSC::B3::testLICMReadsPinned):
2748         (JSC::B3::testLICMReads):
2749         (JSC::B3::testLICMPureNotBackwardsDominant):
2750         (JSC::B3::testLICMPureFoiledByChild):
2751         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
2752         (JSC::B3::testLICMExitsSideways):
2753         (JSC::B3::testLICMWritesLocalState):
2754         (JSC::B3::testLICMWrites):
2755         (JSC::B3::testLICMFence):
2756         (JSC::B3::testLICMWritesPinned):
2757         (JSC::B3::testLICMControlDependent):
2758         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
2759         (JSC::B3::testLICMControlDependentSideExits):
2760         (JSC::B3::testLICMReadsPinnedWritesPinned):
2761         (JSC::B3::testLICMReadsWritesDifferentHeaps):
2762         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
2763         (JSC::B3::testLICMDefaultCall):
2764         (JSC::B3::run):
2765         * dfg/DFGBasicBlock.h:
2766         * dfg/DFGCFG.h:
2767         * dfg/DFGNaturalLoops.cpp: Removed.
2768         * dfg/DFGNaturalLoops.h:
2769         (JSC::DFG::NaturalLoops::NaturalLoops):
2770         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
2771         (JSC::DFG::NaturalLoop::header): Deleted.
2772         (JSC::DFG::NaturalLoop::size): Deleted.
2773         (JSC::DFG::NaturalLoop::at): Deleted.
2774         (JSC::DFG::NaturalLoop::operator[]): Deleted.
2775         (JSC::DFG::NaturalLoop::contains): Deleted.
2776         (JSC::DFG::NaturalLoop::index): Deleted.
2777         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
2778         (JSC::DFG::NaturalLoop::addBlock): Deleted.
2779         (JSC::DFG::NaturalLoops::numLoops): Deleted.
2780         (JSC::DFG::NaturalLoops::loop): Deleted.
2781         (JSC::DFG::NaturalLoops::headerOf): Deleted.
2782         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
2783         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
2784         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
2785         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
2786
2787 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
2788
2789         GC should be fine with trading blocks between destructor and non-destructor blocks
2790         https://bugs.webkit.org/show_bug.cgi?id=174811
2791
2792         Reviewed by Mark Lam.
2793         
2794         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
2795         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
2796         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
2797         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
2798         set.
2799         
2800         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
2801         is empty if:
2802         
        A) It has no live objects and it's a non-destructor block, or
2804         B) We just allocated it (so it has no destructors even if it's a destructor block), or
2805         C) We just stole it from another allocator (so it also has no destructors), or
2806         D) We just swept the block and ran all destructors.
2807         
2808         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
2809         block that could be stolen.
2810
2811         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
2812         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
2813         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
2814         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
2815         
2816         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
2817         
2818         If we tried to enable trading of blocks between allocators without making any changes to how
2819         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
2820         live objects in order for those bits to be candidates for trading. But if we do that, then our
2821         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
2822         our destructors won't run and we'll leak memory.
2823         
2824         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
2825         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
2826         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
2827         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
2828         are (empty & ~destructible).
2829         
2830         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
2831         remove destructor-oriented special-casing of block trading.
2832
2833         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
2834         so this change is more about clean-up than perf. But, this could reduce memory usage in some
2835         pathological cases.
2836         
2837         * heap/MarkedAllocator.cpp:
2838         (JSC::MarkedAllocator::findEmptyBlockToSteal):
2839         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2840         (JSC::MarkedAllocator::endMarking):
2841         (JSC::MarkedAllocator::shrink):
2842         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
2843         * heap/MarkedAllocator.h:
2844         * heap/MarkedBlock.cpp:
2845         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2846         (JSC::MarkedBlock::Handle::sweep):
2847         * heap/MarkedBlockInlines.h:
2848         (JSC::MarkedBlock::Handle::specializedSweep):
2849         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
2850         (JSC::MarkedBlock::Handle::emptyMode):
2851
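The `empty` / `destructible` interplay described in this entry, as an added model in C++ that is not JSC code: it simulates one destructor block whose objects all died and one freshly stolen block still holding garbage bits (both constructed inputs) under the old `empty`-only policy, two naive attempts at enabling trading, and the decoupled scheme. The `Policy` enum, `Block`, `Stats` and `simulate()` are invented for the model and only follow the cases (A)-(D) above.

```cpp
#include <cassert>
#include <initializer_list>
#include <vector>

// Hypothetical model of MarkedBlock bookkeeping; not JSC code. All names are invented.
enum class Policy {
    OldEmptyOnly,        // before this change: destructor blocks are never `empty`, so never traded
    NaiveTrading,        // set `empty` on dead destructor blocks, keep the old sweep
    NaiveAlwaysDestruct, // ...and drop the `empty` check in sweep to stop the leak
    Decoupled            // this change: a separate `destructible` bit
};

struct Cell {
    bool initialized = true; // false models garbage bits in a fresh/stolen block (cases B, C)
    bool live = false;       // set by marking
    bool zapped = false;     // set once its destructor has run
};

struct Block {
    bool destructorBlock;
    std::vector<Cell> cells;
    bool empty = false;        // no live objects: a candidate for trading
    bool destructible = false; // dead cells may still have destructors pending
};

struct Stats {
    int destructorsRun = 0;    // destructors executed on real dead objects
    int garbageDestructed = 0; // destructor run over uninitialized memory (a crash in the real GC)
    int leaked = 0;            // dead objects whose destructor never ran
    int tradeable = 0;         // blocks another MarkedAllocator could steal
};

static void runDestructors(Block& b, Stats& s) {
    for (Cell& c : b.cells) {
        if (c.live || c.zapped)
            continue;
        if (c.initialized)
            s.destructorsRun++;
        else
            s.garbageDestructed++; // isZapped cannot tell garbage from a live destructible cell
        c.zapped = true;
    }
}

static void endMarking(Block& b, Policy p) {
    bool anyLive = false;
    for (const Cell& c : b.cells)
        anyLive |= c.live;
    // Case A: under the old policy only non-destructor blocks become empty.
    b.empty = !anyLive && (p != Policy::OldEmptyOnly || !b.destructorBlock);
    if (p == Policy::Decoupled)
        b.destructible = b.destructorBlock; // the GC flags every destructor block it marked
}

static void sweep(Block& b, Policy p, Stats& s) {
    if (!b.destructorBlock)
        return;
    bool skip = (p == Policy::Decoupled) ? !b.destructible
              : (p == Policy::NaiveAlwaysDestruct) ? false
              : b.empty; // old sweep: `empty` also means "nothing to destruct" (cases B-D)
    if (skip)
        return;
    runDestructors(b, s);
    if (p == Policy::Decoupled)
        b.destructible = false; // case D: the block is now (empty & ~destructible)
    else
        b.empty = true;         // case D in the old scheme
}

Stats simulate(Policy p) {
    Stats s;
    // Constructed input: a destructor block whose three objects all died this cycle...
    Block dead{true, std::vector<Cell>(3)};
    // ...and a block just stolen from another allocator, still full of garbage bits (case C).
    Block stolen{true, std::vector<Cell>(2)};
    for (Cell& c : stolen.cells)
        c.initialized = false;
    stolen.empty = true;         // every scheme treats a freshly stolen block as empty
    stolen.destructible = false; // case C clears the new bit

    endMarking(dead, p);
    s.tradeable = dead.empty ? 1 : 0;
    sweep(dead, p, s);
    sweep(stolen, p, s);
    for (const Block* b : {&dead, &stolen})
        for (const Cell& c : b->cells)
            if (c.initialized && !c.live && !c.zapped)
                s.leaked++;
    return s;
}
```

Under `NaiveTrading` the dead destructor block becomes tradeable but its three destructors never run, the leak the entry describes; dropping the `empty` check instead (`NaiveAlwaysDestruct`) runs destructors over the stolen block's garbage bits, the crash the isZapped check cannot prevent. Only `Decoupled` gives a tradeable block with zero leaks and zero garbage destructions, and after its sweep the block is (empty & ~destructible), the state `shrink` looks for.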
2852 2017-07-25  Keith Miller  <keith_miller@apple.com>
2853
2854         Remove Broken CompareEq constant folding phase.
2855         https://bugs.webkit.org/show_bug.cgi?id=174846
2856         <rdar://problem/32978808>
2857
2858         Reviewed by Saam Barati.
2859
2860         This bug happened when we would get code like the following:
2861
2862         a: JSConst(Undefined)
2863         b: GetLocal(SomeObjectOrUndefined)
2864         ...
2865         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
2866
2867         constant folding will turn this into:
2868
2869         a: JSConst(Undefined)
2870         b: GetLocal(SomeObjectOrUndefined)
2871         ...
2872         c: CompareEq(Check:ObjectOrOther:b, Other:a)
2873
2874         But the SpeculativeJIT/FTL lowering will fail to check b
2875         properly which leads to an assertion failure in the AI.
2876
2877         I'll follow up with a more robust fix later. For now, I'll remove the
2878         case that generates the code. Removing the code appears to be perf
2879         neutral.
2880
2881         * dfg/DFGConstantFoldingPhase.cpp:
2882         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2883
2884 2017-07-25  Matt Baker  <mattbaker@apple.com>
2885
2886         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
2887         https://bugs.webkit.org/show_bug.cgi?id=174738
2888
2889         Reviewed by Brian Burg.
2890
2891         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
2892         stack traces. This preserves the call type in JSC, makes the range of
2893         possible call types explicit, and is safer than passing ints.
2894
2895         * inspector/agents/InspectorDebuggerAgent.cpp:
2896         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
2897         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2898         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
2899         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
2900         * inspector/agents/InspectorDebuggerAgent.h:
2901
2902 2017-07-25  Mark Lam  <mark.lam@apple.com>
2903
2904         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
2905         https://bugs.webkit.org/show_bug.cgi?id=174809
2906         <rdar://problem/33504759>
2907
2908         Reviewed by Filip Pizlo.
2909
2910         1. When the probe handler function changes the sp register to point to the
2911            region of stack in the middle of the ProbeContext on the stack, there is a
2912            bug where the ProbeContext's register values to be restored can be over-written
2913            before they can be restored.  This is now fixed.
2914
2915         2. Added more robust probe tests for changing the sp register.
2916
2917         3. Made existing probe tests ensure that probe handlers were actually called.
2918
2919         4. Added some verification to testProbePreservesGPRS().
2920
2921         5. Change all the probe tests to fail early on discovering an error instead of
2922            batching till the end of the test.  This helps point a finger to the failing
2923            issue earlier.
2924
2925         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
2926         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
2927
2928         * assembler/MacroAssemblerARM.cpp:
2929         * assembler/MacroAssemblerARMv7.cpp:
2930         * assembler/MacroAssemblerX86Common.cpp:
2931         * assembler/testmasm.cpp:
2932         (JSC::testProbeReadsArgumentRegisters):
2933         (JSC::testProbeWritesArgumentRegisters):
2934         (JSC::testProbePreservesGPRS):
2935         (JSC::testProbeModifiesStackPointer):
2936         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
2937         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2938         (JSC::testProbeModifiesProgramCounter):
2939         (JSC::run):
2940
2941 2017-07-25  Brian Burg  <bburg@apple.com>
2942
2943         Web Automation: add support for uploading files
2944         https://bugs.webkit.org/show_bug.cgi?id=174797
2945         <rdar://problem/28485063>
2946
2947         Reviewed by Joseph Pecoraro.
2948
2949         * inspector/scripts/generate-inspector-protocol-bindings.py:
2950         (generate_from_specification):
2951         Start generating frontend dispatcher code if the target framework is 'WebKit'.
2952
2953         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2954         (CppFrontendDispatcherImplementationGenerator.generate_output):
2955         Use a framework include for InspectorFrontendRouter.h since this generated code
2956         will be compiled outside of WebCore.framework.
2957
2958         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2959         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2960         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2961         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2962         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2963         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2964         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2965         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2966         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2967         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2968         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2969         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2970         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2971         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2972         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2973         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2974         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2975         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2976         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2977         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2978         Rebaseline code generator tests.
2979
2980 2017-07-24  Mark Lam  <mark.lam@apple.com>
2981
2982         Gardening: fixed C Loop build after r219790.
2983         https://bugs.webkit.org/show_bug.cgi?id=174696
2984
2985         Not reviewed.
2986
2987         * assembler/testmasm.cpp:
2988
2989 2017-07-23  Mark Lam  <mark.lam@apple.com>
2990
2991         Create regression tests for the JIT probe.
2992         https://bugs.webkit.org/show_bug.cgi?id=174696
2993         <rdar://problem/33436922>
2994
2995         Reviewed by Saam Barati.
2996
2997         The new testmasm will test the following:
2998         1. the probe is able to read the value of CPU registers.
2999         2. the probe is able to write the value of CPU registers.
3000         3. the probe is able to preserve all CPU registers.
3001         4. special case of (2): the probe is able to change the value of the stack pointer.
3002         5. special case of (2): the probe is able to change the value of the program counter
3003            i.e. the probe can change where the code continues executing upon returning from
3004            the probe.
3005
3006         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
3007         because it does not support changing the sp and pc yet.  The ARM64 probe
3008         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
3009         later.
3010
3011         * Configurations/ToolExecutable.xcconfig:
3012         * JavaScriptCore.xcodeproj/project.pbxproj:
3013         * assembler/MacroAssembler.h:
3014         (JSC::MacroAssembler::CPUState::pc):
3015         (JSC::MacroAssembler::CPUState::fp):
3016         (JSC::MacroAssembler::CPUState::sp):
3017         (JSC::ProbeContext::pc):
3018         (JSC::ProbeContext::fp):
3019         (JSC::ProbeContext::sp):
3020         * assembler/MacroAssemblerARM64.cpp:
3021         (JSC::arm64ProbeTrampoline):
3022         * assembler/MacroAssemblerPrinter.cpp:
3023         (JSC::Printer::printPCRegister):
3024         * assembler/testmasm.cpp: Added.
3025         (hiddenTruthBecauseNoReturnIsStupid):
3026         (usage):
3027         (JSC::nextID):
3028         (JSC::isPC):
3029         (JSC::isSP):
3030         (JSC::isFP):
3031         (JSC::compile):
3032         (JSC::invoke):
3033         (JSC::compileAndRun):
3034         (JSC::testSimple):
3035         (JSC::testProbeReadsArgumentRegisters):
3036         (JSC::testProbeWritesArgumentRegisters):
3037         (JSC::testFunctionToTrashRegisters):
3038         (JSC::testProbePreservesGPRS):
3039         (JSC::testProbeModifiesStackPointer):
3040         (JSC::testProbeModifiesProgramCounter):
3041         (JSC::run):
3042         (run):
3043         (main):
3044         * b3/air/testair.cpp:
3045         (usage):
3046         * shell/CMakeLists.txt:
3047
3048 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
3049
3050         It should be easy to decide how WebKit yields
3051         https://bugs.webkit.org/show_bug.cgi?id=174298
3052
3053         Reviewed by Saam Barati.
3054         
3055         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
3056
3057         * heap/Heap.cpp:
3058         (JSC::Heap::resumeThePeriphery):
3059         * heap/VisitingTimeout.h:
3060         * runtime/JSCell.cpp:
3061         (JSC::JSCell::lockSlow):
3062         (JSC::JSCell::unlockSlow):
3063         * runtime/JSCell.h:
3064         * runtime/JSCellInlines.h:
3065         (JSC::JSCell::lock):
3066         (JSC::JSCell::unlock):
3067         * runtime/JSLock.cpp:
3068         (JSC::JSLock::grabAllLocks):
3069         * runtime/SamplingProfiler.cpp:
3070
3071 2017-07-21  Mark Lam  <mark.lam@apple.com>
3072
3073         Refactor MASM probe CPUState to use arrays for register storage.
3074         https://bugs.webkit.org/show_bug.cgi?id=174694
3075
3076         Reviewed by Keith Miller.
3077
3078         Using arrays for register storage in CPUState allows us to do away with the
3079         huge switch statements to decode each register id.  We can now simply index into
3080         the arrays.
3081
3082         With this patch, we now:
3083
3084         1. Remove the need for macros for defining the list of CPU registers.
3085            We can go back to simple enums.  This makes the code easier to read.
3086
3087         2. Make the assembler the authority on register names.
3088            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
3089           GPRInfo and FPRInfo now forward to the assembler.
3090
3091         3. Make the assembler the authority on the number of registers of each type.
3092
3093         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
3094            This is inconsistent with how every other CPU architecture implements
3095            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
3096            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
3097
3098         * assembler/ARM64Assembler.h:
3099         (JSC::ARM64Assembler::numberOfRegisters):
3100         (JSC::ARM64Assembler::firstSPRegister):
3101         (JSC::ARM64Assembler::lastSPRegister):
3102         (JSC::ARM64Assembler::numberOfSPRegisters):
3103         (JSC::ARM64Assembler::numberOfFPRegisters):
3104         (JSC::ARM64Assembler::gprName):
3105         (JSC::ARM64Assembler::sprName):
3106         (JSC::ARM64Assembler::fprName):
3107         * assembler/ARMAssembler.h:
3108         (JSC::ARMAssembler::numberOfRegisters):
3109         (JSC::ARMAssembler::firstSPRegister):
3110         (JSC::ARMAssembler::lastSPRegister):
3111         (JSC::ARMAssembler::numberOfSPRegisters):
3112         (JSC::ARMAssembler::numberOfFPRegisters):
3113         (JSC::ARMAssembler::gprName):
3114         (JSC::ARMAssembler::sprName):
3115         (JSC::ARMAssembler::fprName):
3116         * assembler/ARMv7Assembler.h:
3117         (JSC::ARMv7Assembler::lastRegister):
3118         (JSC::ARMv7Assembler::numberOfRegisters):
3119         (JSC::ARMv7Assembler::firstSPRegister):
3120         (JSC::ARMv7Assembler::lastSPRegister):
3121         (JSC::ARMv7Assembler::numberOfSPRegisters):
3122         (JSC::ARMv7Assembler::numberOfFPRegisters):
3123         (JSC::ARMv7Assembler::gprName):
3124         (JSC::ARMv7Assembler::sprName):
3125         (JSC::ARMv7Assembler::fprName):
3126         * assembler/AbstractMacroAssembler.h:
3127         (JSC::AbstractMacroAssembler::numberOfRegisters):
3128         (JSC::AbstractMacroAssembler::gprName):
3129         (JSC::AbstractMacroAssembler::firstSPRegister):
3130         (JSC::AbstractMacroAssembler::lastSPRegister):
3131         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
3132         (JSC::AbstractMacroAssembler::sprName):
3133         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
3134         (JSC::AbstractMacroAssembler::fprName):
3135         * assembler/MIPSAssembler.h:
3136         (JSC::MIPSAssembler::numberOfRegisters):
3137         (JSC::MIPSAssembler::firstSPRegister):
3138         (JSC::MIPSAssembler::lastSPRegister):
3139         (JSC::MIPSAssembler::numberOfSPRegisters):
3140         (JSC::MIPSAssembler::numberOfFPRegisters):
3141         (JSC::MIPSAssembler::gprName):
3142         (JSC::MIPSAssembler::sprName):
3143         (JSC::MIPSAssembler::fprName):
3144         * assembler/MacroAssembler.h:
3145         (JSC::MacroAssembler::CPUState::gprName):
3146         (JSC::MacroAssembler::CPUState::sprName):
3147         (JSC::MacroAssembler::CPUState::fprName):
3148         (JSC::MacroAssembler::CPUState::gpr):
3149         (JSC::MacroAssembler::CPUState::spr):
3150         (JSC::MacroAssembler::CPUState::fpr):
3151         (JSC::MacroAssembler::CPUState::pc):
3152         (JSC::MacroAssembler::CPUState::fp):
3153         (JSC::MacroAssembler::CPUState::sp):
3154         (JSC::ProbeContext::gpr):
3155         (JSC::ProbeContext::spr):
3156         (JSC::ProbeContext::fpr):
3157         (JSC::ProbeContext::gprName):
3158         (JSC::ProbeContext::sprName):
3159         (JSC::ProbeContext::fprName):
3160         (JSC::MacroAssembler::numberOfRegisters): Deleted.
3161         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
3162         * assembler/MacroAssemblerARM.cpp:
3163         * assembler/MacroAssemblerARM64.cpp:
3164         (JSC::arm64ProbeTrampoline):
3165         * assembler/MacroAssemblerARMv7.cpp:
3166         * assembler/MacroAssemblerPrinter.cpp:
3167         (JSC::Printer::nextID):
3168         (JSC::Printer::printAllRegisters):
3169         (JSC::Printer::printPCRegister):
3170         (JSC::Printer::printRegisterID):
3171         (JSC::Printer::printAddress):
3172         * assembler/MacroAssemblerX86Common.cpp:
3173         * assembler/X86Assembler.h:
3174         (JSC::X86Assembler::numberOfRegisters):
3175         (JSC::X86Assembler::firstSPRegister):
3176         (JSC::X86Assembler::lastSPRegister):
3177         (JSC::X86Assembler::numberOfSPRegisters):
3178         (JSC::X86Assembler::numberOfFPRegisters):
3179         (JSC::X86Assembler::gprName):
3180         (JSC::X86Assembler::sprName):
3181         (JSC::X86Assembler::fprName):
3182         * jit/FPRInfo.h:
3183         (JSC::FPRInfo::debugName):
3184         * jit/GPRInfo.h:
3185         (JSC::GPRInfo::debugName):
3186         * jit/RegisterSet.cpp:
3187         (JSC::RegisterSet::reservedHardwareRegisters):
3188
3189 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3190
3191         [JSC] Introduce static symbols
3192         https://bugs.webkit.org/show_bug.cgi?id=158863
3193
3194         Reviewed by Darin Adler.
3195
3196         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
3197         As a result, we can share the same Symbol values between VMs and threads.
3198         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
3199
3200         * CMakeLists.txt:
3201         * JavaScriptCore.xcodeproj/project.pbxproj:
3202         * builtins/BuiltinNames.cpp: Added.
3203         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
3204
3205         * builtins/BuiltinNames.h:
3206         (JSC::BuiltinNames::BuiltinNames):
3207         * builtins/BuiltinUtils.h:
3208
3209 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3210
3211         [FTL] Arguments elimination is suppressed by unreachable blocks
3212         https://bugs.webkit.org/show_bug.cgi?id=174352
3213
3214         Reviewed by Filip Pizlo.
3215
3216         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
3217         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
3218         Since GetById without information can escape arguments if it is specified, non-executed code including
3219         op_get_by_id with arguments can escape arguments.
3220
3221         For example,
3222
3223             function test(flag)
3224             {
3225                 if (flag) {
3226                     // This is not executed, but emits GetById with arguments.
3227                     // It prevents us from eliminating materialization.
3228                     return arguments.length;
3229                 }
3230                 return arguments.length;
3231             }
3232             noInline(test);
3233             while (true)
3234                 test(false);
3235
3236         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
3237         So this GetById exists and escapes arguments.
3238
3239         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
3240         If it is shown, following GetById does not escape arguments. Compared to performing AI, it is
3241         lightweight. But it catches much of typical cases we failed to perform arguments elimination.
3242
3243         * dfg/DFGArgumentsEliminationPhase.cpp:
3244         * dfg/DFGNode.h:
3245         (JSC::DFG::Node::isPseudoTerminal):
3246         * dfg/DFGValidate.cpp:
3247
3248 2017-07-20  Chris Dumez  <cdumez@apple.com>
3249
3250         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
3251         https://bugs.webkit.org/show_bug.cgi?id=174660
3252
3253         Reviewed by Geoffrey Garen.
3254
3255         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
3256         This essentially replaces a branch to figure out if the new size is less or greater than the
3257         current size by an assertion.
3258
3259         * b3/B3BasicBlockUtils.h:
3260         (JSC::B3::clearPredecessors):
3261         * b3/B3InferSwitches.cpp:
3262         * b3/B3LowerToAir.cpp:
3263         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
3264         * b3/B3ReduceStrength.cpp:
3265         * b3/B3SparseCollection.h:
3266         (JSC::B3::SparseCollection::packIndices):
3267         * b3/B3UseCounts.cpp:
3268         (JSC::B3::UseCounts::UseCounts):
3269         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
3270         * b3/air/AirEmitShuffle.cpp:
3271         (JSC::B3::Air::emitShuffle):
3272         * b3/air/AirLowerAfterRegAlloc.cpp:
3273         (JSC::B3::Air::lowerAfterRegAlloc):
3274         * b3/air/AirOptimizeBlockOrder.cpp:
3275         (JSC::B3::Air::optimizeBlockOrder):
3276         * bytecode/Operands.h:
3277         (JSC::Operands::ensureLocals):
3278         * bytecode/PreciseJumpTargets.cpp:
3279         (JSC::computePreciseJumpTargetsInternal):
3280         * dfg/DFGBlockInsertionSet.cpp:
3281         (JSC::DFG::BlockInsertionSet::execute):
3282         * dfg/DFGBlockMapInlines.h:
3283         (JSC::DFG::BlockMap<T>::BlockMap):
3284         * dfg/DFGByteCodeParser.cpp:
3285         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
3286         (JSC::DFG::ByteCodeParser::clearCaches):
3287         * dfg/DFGDisassembler.cpp:
3288         (JSC::DFG::Disassembler::Disassembler):
3289         * dfg/DFGFlowIndexing.cpp:
3290         (JSC::DFG::FlowIndexing::recompute):
3291         * dfg/DFGGraph.cpp:
3292         (JSC::DFG::Graph::registerFrozenValues):
3293         * dfg/DFGInPlaceAbstractState.cpp:
3294         (JSC::DFG::setLiveValues):
3295         * dfg/DFGLICMPhase.cpp:
3296         (JSC::DFG::LICMPhase::run):
3297         * dfg/DFGLivenessAnalysisPhase.cpp:
3298         * dfg/DFGNaturalLoops.cpp:
3299         (JSC::DFG::NaturalLoops::NaturalLoops):
3300         * dfg/DFGStoreBarrierClusteringPhase.cpp:
3301         * ftl/FTLLowerDFGToB3.cpp:
3302         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3303         * heap/CodeBlockSet.cpp:
3304         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
3305         * heap/MarkedSpace.cpp:
3306         (JSC::MarkedSpace::sweepLargeAllocations):
3307         * inspector/ContentSearchUtilities.cpp:
3308         (Inspector::ContentSearchUtilities::findMagicComment):
3309         * interpreter/ShadowChicken.cpp:
3310         (JSC::ShadowChicken::update):
3311         * parser/ASTBuilder.h:
3312         (JSC::ASTBuilder::shrinkOperandStackBy):
3313         * parser/Lexer.h:
3314         (JSC::Lexer::setOffset):
3315         * runtime/RegExpInlines.h:
3316         (JSC::RegExp::matchInline):
3317         * runtime/RegExpPrototype.cpp:
3318         (JSC::genericSplit):
3319         * yarr/RegularExpression.cpp:
3320         (JSC::Yarr::RegularExpression::match):
3321
3322 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3323
3324         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
3325         https://bugs.webkit.org/show_bug.cgi?id=174678
3326
3327         Reviewed by Mark Lam.
3328
3329         Use Thread& instead.
3330
3331         * runtime/JSLock.cpp:
3332         (JSC::JSLock::didAcquireLock):
3333
3334 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3335
3336         [WTF] Implement WTF::ThreadGroup
3337         https://bugs.webkit.org/show_bug.cgi?id=174081
3338
3339         Reviewed by Mark Lam.
3340
3341         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
3342         And SamplingProfiler and others interact with WTF::Thread directly.
3343
3344         * API/tests/ExecutionTimeLimitTest.cpp:
3345         * heap/MachineStackMarker.cpp:
3346         (JSC::MachineThreads::MachineThreads):
3347         (JSC::captureStack):
3348         (JSC::MachineThreads::tryCopyOtherThreadStack):
3349         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3350         (JSC::MachineThreads::gatherConservativeRoots):
3351         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
3352         (JSC::ActiveMachineThreadsManager::add): Deleted.
3353         (JSC::ActiveMachineThreadsManager::remove): Deleted.
3354         (JSC::ActiveMachineThreadsManager::contains): Deleted.
3355         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
3356         (JSC::activeMachineThreadsManager): Deleted.
3357         (JSC::MachineThreads::~MachineThreads): Deleted.
3358         (JSC::MachineThreads::addCurrentThread): Deleted.
3359         (): Deleted.
3360         (JSC::MachineThreads::removeThread): Deleted.
3361         (JSC::MachineThreads::removeThreadIfFound): Deleted.
3362         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
3363         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
3364         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
3365         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
3366         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
3367         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
3368         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
3369         * heap/MachineStackMarker.h:
3370         (JSC::MachineThreads::addCurrentThread):
3371         (JSC::MachineThreads::getLock):
3372         (JSC::MachineThreads::threads):
3373         (JSC::MachineThreads::MachineThread::suspend): Deleted.
3374         (JSC::MachineThreads::MachineThread::resume): Deleted.
3375         (JSC::MachineThreads::MachineThread::threadID): Deleted.
3376         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
3377         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
3378         (JSC::MachineThreads::threadsListHead): Deleted.
3379         * runtime/SamplingProfiler.cpp:
3380         (JSC::FrameWalker::isValidFramePointer):
3381         (JSC::SamplingProfiler::SamplingProfiler):
3382         (JSC::SamplingProfiler::takeSample):
3383         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
3384         * runtime/SamplingProfiler.h:
3385         * wasm/WasmMachineThreads.cpp:
3386         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3387
3388 2017-07-18  Andy Estes  <aestes@apple.com>
3389
3390         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
3391         https://bugs.webkit.org/show_bug.cgi?id=174631
3392
3393         Reviewed by Tim Horton.
3394
3395         * Configurations/Base.xcconfig:
3396         * b3/B3FoldPathConstants.cpp:
3397         * b3/B3LowerMacros.cpp:
3398         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
3399         * dfg/DFGByteCodeParser.cpp:
3400         (JSC::DFG::ByteCodeParser::check):
3401         (JSC::DFG::ByteCodeParser::planLoad):
3402
3403 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3404
3405         WTF::Thread should have the threads stack bounds.
3406         https://bugs.webkit.org/show_bug.cgi?id=173975
3407
3408         Reviewed by Mark Lam.
3409
3410         There is a site in JSC that tries to walk another thread's stack.
3411         Currently, stack bounds are stored in WTFThreadData which is located
3412         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3413         We workaround this situation by holding StackBounds in MachineThread in JSC,
3414         but StackBounds should be put in WTF::Thread instead.
3415
3416         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
3417         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
3418
3419         * heap/MachineStackMarker.cpp:
3420         (JSC::MachineThreads::MachineThread::MachineThread):
3421         (JSC::MachineThreads::MachineThread::captureStack):
3422         * heap/MachineStackMarker.h:
3423         (JSC::MachineThreads::MachineThread::stackBase):
3424         (JSC::MachineThreads::MachineThread::stackEnd):
3425         * runtime/VMTraps.cpp:
3426
3427 2017-07-18  Andy Estes  <aestes@apple.com>
3428
3429         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
3430         https://bugs.webkit.org/show_bug.cgi?id=174631
3431
3432         Reviewed by Sam Weinig.
3433
3434         * Configurations/Base.xcconfig:
3435
3436 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
3437
3438         Web Inspector: Modernize InjectedScriptSource
3439         https://bugs.webkit.org/show_bug.cgi?id=173890
3440
3441         Reviewed by Brian Burg.
3442
3443         * inspector/InjectedScript.h:
3444         Reorder functions to be slightly better.
3445
3446         * inspector/InjectedScriptSource.js:
3447         - Convert to classes named InjectedScript and RemoteObject
3448         - Align InjectedScript's API with the wrapper C++ interfaces
3449         - Move some code to RemoteObject where appropriate (subtype, describe)
3450         - Move some code to helper functions (isPrimitiveValue, isDefined)
3451         - Refactor for readability and modern features
3452         - Remove some unused / unnecessary code
3453
3454 2017-07-18  Mark Lam  <mark.lam@apple.com>
3455
3456         Butterfly storage need not be initialized for indexing type Undecided.
3457         https://bugs.webkit.org/show_bug.cgi?id=174516
3458
3459         Reviewed by Saam Barati.
3460
3461         While it's not incorrect to initialize the butterfly storage when the
3462         indexingType is Undecided, it is inefficient as we'll end up initializing
3463         it again later when we convert the storage to a different indexingType.
3464         Some of our code already skips initializing Undecided butterflies.
3465         This patch makes it the consistent behavior everywhere.
3466
3467         * dfg/DFGSpeculativeJIT.cpp:
3468         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3469         * runtime/JSArray.cpp:
3470         (JSC::JSArray::tryCreateUninitializedRestricted):
3471         * runtime/JSArray.h:
3472         (JSC::JSArray::tryCreate):
3473         * runtime/JSObject.cpp:
3474         (JSC::JSObject::ensureLengthSlow):
3475
3476 2017-07-18  Saam Barati  <sbarati@apple.com>
3477
3478         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
3479         https://bugs.webkit.org/show_bug.cgi?id=174515
3480         <rdar://problem/33358092>
3481
3482         Reviewed by Filip Pizlo.
3483
3484         AirLowerAfterRegAlloc was computing the set of available scratch
3485         registers incorrectly. It was always excluding callee save registers
3486         from the set of live registers. It did not guarantee that live callee save
3487         registers were not in the set of scratch registers that could
3488         get clobbered. That's incorrect as the shuffling code is free
3489         to overwrite whatever is in the scratch register it gets passed.
3490
3491         * b3/air/AirLowerAfterRegAlloc.cpp:
3492         (JSC::B3::Air::lowerAfterRegAlloc):
3493         * b3/testb3.cpp:
3494         (JSC::B3::functionNineArgs):
3495         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
3496         (JSC::B3::run):
3497         * jit/RegisterSet.h:
3498
3499 2017-07-18  Andy Estes  <aestes@apple.com>
3500
3501         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
3502         https://bugs.webkit.org/show_bug.cgi?id=174631
3503
3504         Reviewed by Dan Bernstein.
3505
3506         * Configurations/Base.xcconfig:
3507
3508 2017-07-18  Devin Rousso  <drousso@apple.com>
3509
3510         Web Inspector: Add memoryCost to Inspector Protocol objects
3511         https://bugs.webkit.org/show_bug.cgi?id=174478
3512
3513         Reviewed by Joseph Pecoraro.
3514
3515         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
3516         plus the memoryCost of the data if it is a string.
3517
3518         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
3519
3520         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
3521         key plus the memoryCost of the InspectorValue for each entry.
3522
3523         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
3524
3525         * inspector/InspectorValues.h:
3526         * inspector/InspectorValues.cpp:
3527         (Inspector::InspectorValue::memoryCost):
3528         (Inspector::InspectorObjectBase::memoryCost):
3529         (Inspector::InspectorArrayBase::memoryCost):
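
        The three memoryCost rules above, carried through as an added example; this is not
        the InspectorValue code from the patch. The Value struct, its constructors and the
        one-byte-per-character string cost are assumptions standing in for the real
        Inspector::InspectorValue, Inspector::InspectorObjectBase and InspectorArrayBase
        classes; only the accounting rules come from the entry.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Minimal stand-in for an InspectorValue tree (assumption: not the real class).
struct Value {
    enum class Type { Null, Boolean, Number, String, Array, Object };
    Type type = Type::Null;
    double number = 0;                    // payload when type == Number
    std::string string;                   // payload when type == String
    std::vector<Value> items;             // children when type == Array
    std::vector<std::string> keys;        // keys when type == Object
    std::vector<Value> values;            // values when type == Object, parallel to keys

    static Value makeNumber(double n) { Value v; v.type = Type::Number; v.number = n; return v; }
    static Value makeString(std::string s) { Value v; v.type = Type::String; v.string = std::move(s); return v; }
    static Value makeArray() { Value v; v.type = Type::Array; return v; }
    static Value makeObject() { Value v; v.type = Type::Object; return v; }

    void push(Value item) { items.push_back(std::move(item)); }
    void set(std::string key, Value value)
    {
        keys.push_back(std::move(key));
        values.push_back(std::move(value));
    }
};

// Bytes attributed to a string's character data (assumption: one byte per char).
size_t stringCost(const std::string& s) { return s.size(); }

// Recursive accounting following the three rules from the entry:
//  - scalar/string: sizeof the node, plus the string data if it is a string
//  - array: the sum of the items' memoryCost
//  - object: for each entry, the key's string cost plus the value's memoryCost
size_t memoryCost(const Value& v)
{
    switch (v.type) {
    case Value::Type::Array: {
        size_t total = 0;
        for (const Value& item : v.items)
            total += memoryCost(item);
        return total;
    }
    case Value::Type::Object: {
        size_t total = 0;
        for (size_t i = 0; i < v.keys.size(); ++i)
            total += stringCost(v.keys[i]) + memoryCost(v.values[i]);
        return total;
    }
    case Value::Type::String:
        return sizeof(Value) + stringCost(v.string);
    default:
        return sizeof(Value);
    }
}

// Constructed sample resembling a small protocol message: {"name":"inspector","ids":[1,2,3]}.
Value sampleProtocolObject()
{
    Value ids = Value::makeArray();
    ids.push(Value::makeNumber(1));
    ids.push(Value::makeNumber(2));
    ids.push(Value::makeNumber(3));

    Value message = Value::makeObject();
    message.set("name", Value::makeString("inspector"));
    message.set("ids", std::move(ids));
    return message;
}
```

        For the sample, the cost is the key bytes (4 + 3), the string node (sizeof(Value) + 9)
        and three number nodes (3 * sizeof(Value)): 16 + 4 * sizeof(Value) in total.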
3530
3531 2017-07-18  Andy Estes  <aestes@apple.com>
3532
3533         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
3534         https://bugs.webkit.org/show_bug.cgi?id=174631
3535
3536         Reviewed by Darin Adler.
3537
3538         * Configurations/Base.xcconfig:
3539
3540 2017-07-18  Michael Saboff  <msaboff@apple.com>
3541
3542         [JSC] There should be a debug option to dump a compiled RegExp Pattern
3543         https://bugs.webkit.org/show_bug.cgi?id=174601
3544
3545         Reviewed by Alex Christensen.
3546
3547         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
3548         objects after a regular expression has been compiled.
3549
3550         * runtime/Options.h:
3551         * yarr/YarrPattern.cpp:
3552         (JSC::Yarr::YarrPattern::compile):
3553         (JSC::Yarr::indentForNestingLevel):
3554         (JSC::Yarr::dumpUChar32):
3555         (JSC::Yarr::PatternAlternative::dump):
3556         (JSC::Yarr::PatternTerm::dumpQuantifier):
3557         (JSC::Yarr::PatternTerm::dump):
3558         (JSC::Yarr::PatternDisjunction::dump):
3559         (JSC::Yarr::YarrPattern::dumpPattern):
3560         * yarr/YarrPattern.h:
3561         (JSC::Yarr::YarrPattern::global):
3562
3563 2017-07-17  Darin Adler  <darin@apple.com>
3564
3565         Improve use of NeverDestroyed
3566         https://bugs.webkit.org/show_bug.cgi?id=174348
3567
3568         Reviewed by Sam Weinig.
3569
3570         * heap/MachineStackMarker.cpp:
3571         * wasm/WasmMemory.cpp:
3572         Removed unneeded includes of NeverDestroyed.h in files that do not make use
3573         of NeverDestroyed.
3574
3575 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
3576
3577         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
3578         https://bugs.webkit.org/show_bug.cgi?id=174547
3579
3580         Reviewed by Alex Christensen.
3581
3582         * CMakeLists.txt:
3583         * shell/CMakeLists.txt:
3584
3585 2017-07-17  Saam Barati  <sbarati@apple.com>
3586
3587         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
3588         https://bugs.webkit.org/show_bug.cgi?id=174584
3589
3590         Rubber stamped by Keith Miller.
3591
3592         I used it to diagnose a bug. The bug is now fixed. This custom
3593         RELEASE_ASSERT is no longer needed.
3594
3595         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3596
3597 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
3598
3599         -Wformat-truncation warning in ConfigFile.cpp
3600         https://bugs.webkit.org/show_bug.cgi?id=174506
3601
3602         Reviewed by Darin Adler.
3603
3604         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
3605         return ParseError.
3606
3607         * runtime/ConfigFile.cpp:
3608         (JSC::ConfigFile::parse):
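
        The truncation check described above, written out as an added example; this is not
        the ConfigFile.cpp code from the patch. The function names, the PathStatus enum and the
        16-byte buffer in the test are assumptions; the point carried over is that snprintf's
        return value is the length the full string would have had, so a value at or past the
        buffer size means the path was cut short and must be rejected instead of opened.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Result of composing a path into a fixed-size buffer (assumed names).
enum class PathStatus { Ok, Truncated, FormatError };

// Hardened form: refuse to use the buffer when snprintf reports it did not fit.
PathStatus buildConfigPath(const char* directory, const char* fileName,
                           char* buffer, size_t bufferSize)
{
    int needed = std::snprintf(buffer, bufferSize, "%s/%s", directory, fileName);
    if (needed < 0)
        return PathStatus::FormatError;           // encoding failure inside snprintf
    if (static_cast<size_t>(needed) >= bufferSize)
        return PathStatus::Truncated;             // would not fit: report an error instead
    return PathStatus::Ok;
}

// Convenience wrapper: true only when the whole path fits in bufferSize bytes.
bool fitsInBuffer(const char* directory, const char* fileName, size_t bufferSize)
{
    std::vector<char> buffer(bufferSize);
    return buildConfigPath(directory, fileName, buffer.data(), buffer.size()) == PathStatus::Ok;
}

// Weak form, kept only for contrast: the return value is ignored, so an overlong
// directory silently yields a different, shorter path that would then be opened.
std::string buildConfigPathUnchecked(const char* directory, const char* fileName,
                                     size_t bufferSize)
{
    std::vector<char> buffer(bufferSize);
    std::snprintf(buffer.data(), buffer.size(), "%s/%s", directory, fileName);
    return std::string(buffer.data());
}

int main()
{
    char path[16];                                // deliberately tiny (assumption)
    PathStatus status = buildConfigPath("/usr/local/etc", "jsc.cfg", path, sizeof path);
    std::printf("checked:   %s\n", status == PathStatus::Ok ? path : "truncated, path rejected");
    std::printf("unchecked: %s\n",
                buildConfigPathUnchecked("/usr/local/etc", "jsc.cfg", sizeof path).c_str());
    return 0;
}
```

        With a 16-byte buffer, "/etc/jsc.cfg" fits and is accepted, while
        "/usr/local/etc/jsc.cfg" is rejected by the checked form and silently becomes
        "/usr/local/etc/" in the unchecked one.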
3609
3610 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
3611
3612         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
3613         https://bugs.webkit.org/show_bug.cgi?id=174557
3614
3615         Reviewed by Michael Catanzaro.
3616
3617         * CMakeLists.txt:
3618
3619 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3620
3621         [WTF] Use std::unique_ptr for StackTrace
3622         https://bugs.webkit.org/show_bug.cgi?id=174495
3623
3624         Reviewed by Alex Christensen.
3625
3626         * runtime/ExceptionScope.cpp:
3627         (JSC::ExceptionScope::unexpectedExceptionMessage):
3628         * runtime/VM.cpp:
3629         (JSC::VM::throwException):
3630
3631 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3632
3633         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
3634         https://bugs.webkit.org/show_bug.cgi?id=174423
3635
3636         Reviewed by Saam Barati.
3637
3638         * dfg/DFGAvailabilityMap.cpp:
3639         (JSC::DFG::AvailabilityMap::pruneHeap):
3640         (JSC::DFG::AvailabilityMap::pruneByLiveness):
3641
3642 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
3643
3644         Fix compiler warnings when building with GCC 7
3645         https://bugs.webkit.org/show_bug.cgi?id=174463
3646
3647         Reviewed by Darin Adler.
3648
3649         * disassembler/udis86/udis86_decode.c:
3650         (decode_operand):
3651
3652 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
3653
3654         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
3655         https://bugs.webkit.org/show_bug.cgi?id=174467
3656
3657         Reviewed by Saam Barati.
3658
3659         * bytecode/CallLinkInfo.cpp:
3660         (JSC::CallLinkInfo::callTypeFor):
3661
3662 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
3663
3664         Web Inspector: Remove unused and untested Page domain commands
3665         https://bugs.webkit.org/show_bug.cgi?id=174429
3666
3667         Reviewed by Timothy Hatcher.
3668
3669         * inspector/protocol/Page.json:
3670
3671 2017-07-13  Saam Barati  <sbarati@apple.com>
3672
3673         Missing exception check in JSObject::hasInstance
3674         https://bugs.webkit.org/show_bug.cgi?id=174455
3675         <rdar://problem/31384608>
3676
3677         Reviewed by Mark Lam.
3678
3679         * runtime/JSObject.cpp:
3680         (JSC::JSObject::hasInstance):
3681
3682 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
3683
3684         [ESnext] Implement Object Spread
3685         https://bugs.webkit.org/show_bug.cgi?id=167963
3686
3687         Reviewed by Saam Barati.
3688
3689         This patch implements ECMA262 stage 3 Object Spread proposal [1].
3690         It's implemented using CopyDataPropertiesNoExclusions to copy
3691         all enumerable keys from the object being spread. The implementation of
3692         CopyDataPropertiesNoExclusions follows the CopyDataProperties
3693         implementation; however, we don't receive excludedNames as a parameter.
3694
3695         [1] - https://github.com/tc39/proposal-object-rest-spread
3696
3697         * builtins/GlobalOperations.js:
3698         (globalPrivate.copyDataPropertiesNoExclusions):
3699         * bytecompiler/BytecodeGenerator.cpp:
3700         (JSC::BytecodeGenerator::emitLoad):
3701         * bytecompiler/NodesCodegen.cpp:
3702         (JSC::PropertyListNode::emitBytecode):
3703         (JSC::ObjectSpreadExpressionNode::emitBytecode):
3704         * parser/ASTBuilder.h:
3705         (JSC::ASTBuilder::createObjectSpreadExpression):
3706         (JSC::ASTBuilder::createProperty):
3707         * parser/NodeConstructors.h:
3708         (JSC::PropertyNode::PropertyNode):
3709         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
3710         * parser/Nodes.h:
3711         (JSC::ObjectSpreadExpressionNode::expression):
3712         * parser/Parser.cpp:
3713         (JSC::Parser<LexerType>::parseProperty):
3714         * parser/SyntaxChecker.h:
3715         (JSC::SyntaxChecker::createObjectSpreadExpression):
3716         (JSC::SyntaxChecker::createProperty):
3717
3718 2017-07-12  Mark Lam  <mark.lam@apple.com>
3719
3720         Gardening: build fix after r219434.
3721         https://bugs.webkit.org/show_bug.cgi?id=174441
3722
3723         Not reviewed.
3724
3725         Make public some MacroAssembler functions that are needed by the probe implementation.
3726
3727         * assembler/MacroAssemblerARM.h:
3728         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
3729         * assembler/MacroAssemblerARMv7.h:
3730         (JSC::MacroAssemblerARMv7::linkCall):
3731
3732 2017-07-12  Mark Lam  <mark.lam@apple.com>
3733
3734         Move Probe code from AbstractMacroAssembler to MacroAssembler.
3735         https://bugs.webkit.org/show_bug.cgi?id=174441
3736
3737         Reviewed by Saam Barati.
3738
3739         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
3740         to MacroAssembler.  There is no code behavior change.
3741
3742         * assembler/AbstractMacroAssembler.h:
3743         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
3744         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
3745         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
3746         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
3747         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
3748         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
3749         * assembler/MacroAssembler.h:
3750         (JSC::MacroAssembler::CPUState::gprName):
3751         (JSC::MacroAssembler::CPUState::fprName):
3752         (JSC::MacroAssembler::CPUState::gpr):
3753         (JSC::MacroAssembler::CPUState::fpr):
3754         * assembler/MacroAssemblerARM.cpp:
3755         (JSC::MacroAssembler::probe):
3756         (JSC::MacroAssemblerARM::probe): Deleted.
3757         * assembler/MacroAssemblerARM.h:
3758         * assembler/MacroAssemblerARM64.cpp:
3759         (JSC::MacroAssembler::probe):
3760         (JSC::MacroAssemblerARM64::probe): Deleted.
3761         * assembler/MacroAssemblerARM64.h:
3762         * assembler/MacroAssemblerARMv7.cpp:
3763         (JSC::MacroAssembler::probe):
3764         (JSC::MacroAssemblerARMv7::probe): Deleted.
3765         * assembler/MacroAssemblerARMv7.h:
3766         * assembler/MacroAssemblerMIPS.h:
3767         * assembler/MacroAssemblerX86Common.cpp:
3768         (JSC::MacroAssembler::probe):
3769         (JSC::MacroAssemblerX86Common::probe): Deleted.
3770         * assembler/MacroAssemblerX86Common.h:
3771
3772 2017-07-12  Saam Barati  <sbarati@apple.com>
3773
3774         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
3775         https://bugs.webkit.org/show_bug.cgi?id=174411
3776         <rdar://problem/31696186>
3777
3778         Reviewed by Mark Lam.
3779
3780         The code for deleting an argument was incorrectly referencing state
3781         when it decided if it should unmap or mark a property as having its
3782         descriptor modified. This patch fixes the bug where if we delete a
3783         property, we would sometimes not unmap an argument when deleting it.
3784
3785         * runtime/GenericArgumentsInlines.h:
3786         (JSC::GenericArguments<Type>::getOwnPropertySlot):
3787         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
3788         (JSC::GenericArguments<Type>::deleteProperty):
3789         (JSC::GenericArguments<Type>::deletePropertyByIndex):
3790
3791 2017-07-12  Commit Queue  <commit-queue@webkit.org>
3792
3793         Unreviewed, rolling out r219176.
3794         https://bugs.webkit.org/show_bug.cgi?id=174436
3795
3796         "Can cause infinite recursion on iOS" (Requested by mlam on
3797         #webkit).
3798
3799         Reverted changeset:
3800
3801         "WTF::Thread should have the threads stack bounds."
3802         https://bugs.webkit.org/show_bug.cgi?id=173975
3803         http://trac.webkit.org/changeset/219176
3804
3805 2017-07-12  Matt Lewis  <jlewis3@apple.com>
3806
3807         Unreviewed, rolling out r219401.
3808
3809         This revision rolled out the previous patch, but after talking
3810         with the reviewer, a rebaseline is what was needed. Rolling back in
3811         before rebaseline.
3812
3813         Reverted changeset:
3814
3815         "Unreviewed, rolling out r219379."
3816         https://bugs.webkit.org/show_bug.cgi?id=174400
3817         http://trac.webkit.org/changeset/219401
3818
3819 2017-07-12  Matt Lewis  <jlewis3@apple.com>
3820
3821         Unreviewed, rolling out r219379.
3822
3823         This revision caused a consistent failure in the test
3824         fast/dom/Window/property-access-on-cached-window-after-frame-removed.html.
3826
3827         Reverted changeset:
3828
3829         "Remove NAVIGATOR_HWCONCURRENCY"
3830         https://bugs.webkit.org/show_bug.cgi?id=174400
3831         http://trac.webkit.org/changeset/219379
3832
3833 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
3834
3835         Wrong radix used in Unicode Escape in invalid character error message
3836         https://bugs.webkit.org/show_bug.cgi?id=174419
3837
3838         Reviewed by Alex Christensen.
3839
3840         * parser/Lexer.cpp:
3841         (JSC::Lexer<T>::invalidCharacterMessage):
3842
3843 2017-07-11  Dean Jackson  <dino@apple.com>
3844
3845         Remove NAVIGATOR_HWCONCURRENCY
3846         https://bugs.webkit.org/show_bug.cgi?id=174400
3847
3848         Reviewed by Sam Weinig.
3849
3850         * Configurations/FeatureDefines.xcconfig:
3851
3852 2017-07-11  Dean Jackson  <dino@apple.com>
3853
3854         Rolling out r219372.
3855
3856         * Configurations/FeatureDefines.xcconfig:
3857
3858 2017-07-11  Dean Jackson  <dino@apple.com>
3859
3860         Remove NAVIGATOR_HWCONCURRENCY
3861         https://bugs.webkit.org/show_bug.cgi?id=174400
3862
3863         Reviewed by Sam Weinig.
3864
3865         * Configurations/FeatureDefines.xcconfig:
3866
3867 2017-07-11  Saam Barati  <sbarati@apple.com>
3868
3869         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
3870         https://bugs.webkit.org/show_bug.cgi?id=174397
3871
3872         Rubber stamped by David Kilzer.
3873
3874         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
3875         * wasm/js/WebAssemblyFunctionCell.h: Removed.
3876
3877 2017-07-10  Saam Barati  <sbarati@apple.com>
3878
3879         Allocation sinking phase should consider a CheckStructure that would fail as an escape
3880         https://bugs.webkit.org/show_bug.cgi?id=174321
3881         <rdar://problem/32604963>
3882
3883         Reviewed by Filip Pizlo.
3884
3885         When the allocation sinking phase was generating stores to materialize
3886         objects in a cycle with each other, it would assume that each materialized
3887         object had a valid, non empty, set of structures. This is an OK assumption for
3888         the phase to make because how do you materialize an object with no structure?
3889         
3890         The abstract interpretation part of the phase will model what's in the heap.
3891         However, it would sometimes model that a CheckStructure would fail. The phase
3892         did nothing special for this; it just stored the empty set of structures for
3893         its representation of a particular allocation. However, what the phase proved
3894         in such a scenario is that, had the CheckStructure executed, it would have exited.
3895         
3896         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
3897         This will cause the allocation in question to be materialized just before
3898         the CheckStructure, and then at execution time, the CheckStructure will exit.
3899         
3900         I wasn't able to write a test case for this. However, I was able to reproduce
3901         this crash by manually editing the IR. I've opened a separate bug to help us
3902         create a testing framework for writing tests for hard to reproduce bugs like this:
3903         https://bugs.webkit.org/show_bug.cgi?id=174322
3904
3905         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3906
3907 2017-07-10  Devin Rousso  <drousso@apple.com>
3908
3909         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
3910         https://bugs.webkit.org/show_bug.cgi?id=174279
3911
3912         Reviewed by Matt Baker.
3913
3914         * inspector/protocol/DOM.json:
3915         Add `highlightNodeList` command that will highlight each node in the given list.
3916
3917 2017-07-03  Brian Burg  <bburg@apple.com>
3918
3919         Web Replay: remove some unused code
3920         https://bugs.webkit.org/show_bug.cgi?id=173903
3921
3922         Rubber-stamped by Joseph Pecoraro.
3923
3924         * CMakeLists.txt:
3925         * Configurations/FeatureDefines.xcconfig:
3926         * DerivedSources.make:
3927         * JavaScriptCore.xcodeproj/project.pbxproj:
3928         * inspector/protocol/Replay.json: Removed.
3929         * replay/EmptyInputCursor.h: Removed.
3930         * replay/EncodedValue.cpp: Removed.
3931         * replay/EncodedValue.h: Removed.
3932         * replay/InputCursor.h: Removed.
3933         * replay/JSInputs.json: Removed.
3934         * replay/NondeterministicInput.h: Removed.
3935         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
3936         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
3937         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
3938         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
3939         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
3940         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
3941         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
3942         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
3943         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
3944         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
3945         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
3946         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
3947         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
3948         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
3949         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
3950         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
3951         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
3952         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
3953         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
3954         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
3955         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
3956         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
3957         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
3958         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
3959         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
3960         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
3961         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
3962         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
3963         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
3964         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
3965         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
3966         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
3967         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
3968         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
3969         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
3970         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
3971         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
3972         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
3973         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
3974         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
3975         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.