Make LegacyCustomProtocolManager optional for network process
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>

        Make LegacyCustomProtocolManager optional for network process
        https://bugs.webkit.org/show_bug.cgi?id=176230

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove easy toRemove & map.remove() use in OAS phase
        https://bugs.webkit.org/show_bug.cgi?id=180208

        Reviewed by Mark Lam.

        In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
        to optimize this common pattern. This patch only modifies apparent ones.
        But we can apply this refactoring further to the OAS phase in the future.

        One thing we should be careful about is that the predicate of removeIf should not
        touch the set it is removing from. In this patch, we apply this change to (1) the
        apparently correct ones and (2) things in the DFG OAS phase, since it is very slow.

        * b3/B3MoveConstants.cpp:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
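As an added illustration (not code from WebKit or from this patch), the two patterns the entry above contrasts, written against std::unordered_map with a hypothetical removeIf helper standing in for WTF::HashMap::removeIf, plus the snapshot approach for a predicate that would otherwise need to consult the set being pruned (the hazard the rollout entry below names). The sample data is constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <unordered_map>
#include <unordered_set>
#include <vector>

// Hypothetical stand-in for HashMap::removeIf (added example, not WebKit code):
// erase every entry for which predicate(entry) is true, in one pass.
template<typename Map, typename Predicate>
std::size_t removeIf(Map& map, Predicate predicate)
{
    std::size_t removed = 0;
    for (auto it = map.begin(); it != map.end();) {
        if (predicate(*it)) {
            it = map.erase(it); // erase() hands back the next valid iterator
            ++removed;
        } else
            ++it;
    }
    return removed;
}

// Constructed sample data: node id -> remaining use count.
using UseCountMap = std::unordered_map<int, int>;

UseCountMap sampleMap()
{
    return { { 1, 0 }, { 2, 3 }, { 3, 0 }, { 4, 1 }, { 5, 0 } };
}

// "Before": gather keys into a toRemove vector, then erase them in a second loop.
std::size_t dropUnusedTwoPass(UseCountMap& map)
{
    std::vector<int> toRemove;
    for (const auto& entry : map) {
        if (!entry.second)
            toRemove.push_back(entry.first);
    }
    for (int key : toRemove)
        map.erase(key);
    return toRemove.size();
}

// "After": one pass with removeIf. The predicate looks only at the entry it is
// handed, never at the map, which is the condition the entry spells out.
std::size_t dropUnusedRemoveIf(UseCountMap& map)
{
    return removeIf(map, [](const UseCountMap::value_type& entry) {
        return !entry.second;
    });
}

// When the decision for one entry depends on other entries (constructed rule:
// drop an unused node only if node id + 1 also exists), do not read the map
// from inside the predicate while removeIf is walking it; snapshot what the
// predicate needs first and let it consult the snapshot instead.
std::size_t dropUnusedWithSnapshot(UseCountMap& map)
{
    std::unordered_set<int> idsBefore;
    for (const auto& entry : map)
        idsBefore.insert(entry.first);
    return removeIf(map, [&idsBefore](const UseCountMap::value_type& entry) {
        return !entry.second && idsBefore.count(entry.first + 1);
    });
}

int main()
{
    UseCountMap a = sampleMap(), b = sampleMap(), c = sampleMap();
    std::printf("two-pass removed %zu, removeIf removed %zu, snapshot removed %zu\n",
        dropUnusedTwoPass(a), dropUnusedRemoveIf(b), dropUnusedWithSnapshot(c));
    return 0;
}
```

The first two functions remove the same three entries; the third keeps node 5 because node 6 never existed. With std::unordered_map a plain lookup inside the predicate would not invalidate the iterator, but an insert or erase through the map would, and the rule stated in the entry is stricter still (the predicate must not touch the set at all), which the snapshot satisfies.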

2017-11-30  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r225362.
        https://bugs.webkit.org/show_bug.cgi?id=180225

        removeIf predicate function can touch the remove target set
        (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Remove easy toRemove & map.remove() use"
        https://bugs.webkit.org/show_bug.cgi?id=180208
        https://trac.webkit.org/changeset/225362

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use AllocatorIfExists for MaterializeNewObject
        https://bugs.webkit.org/show_bug.cgi?id=180189

        Reviewed by Filip Pizlo.

        I don't think anyone guarantees this allocator exists at this phase,
        and a nullptr allocator just works here. We change AllocatorForMode
        to AllocatorIfExists to accept nullptr for the allocator.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):

2017-11-30  Mark Lam  <mark.lam@apple.com>

        Let's scramble MacroAssemblerCodePtr values.
        https://bugs.webkit.org/show_bug.cgi?id=180169
        <rdar://problem/35758340>

        Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.

        1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.

        2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
           template argument type that will be used to cast the result.  This makes the
           client code that uses these functions a little less verbose.

        3. Change the code base in general to minimize passing void* code pointers around.
           We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
           at the last moment when we need the underlying code pointer.

        4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
           default.  I'm leaving them in because they are instrumental in finding bugs
           where not all MacroAssemblerCodePtr values were scrambled as expected.
           I expect them to be useful in the near future as we add more scrambling.

        5. Also disable the casting operator on MacroAssemblerCodePtr (except for
           explicit casts to a boolean).  This ensures that clients will always explicitly
           use scrambledBits() or executableAddress() to get a value based on which value
           they actually need.

        6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
           This was helpful when debugging tests that ran multiple VMs concurrently on
           different threads.

        MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
        CLoop).  It is not yet supported on 32-bit and Windows because we don't
        currently have a way to read a global variable from their LLInt code.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
        (JSC::AbstractMacroAssembler::linkPointer):
        * assembler/CodeLocation.h:
        (JSC::CodeLocationCommon::instructionAtOffset):
        (JSC::CodeLocationCommon::labelAtOffset):
        (JSC::CodeLocationCommon::jumpAtOffset):
        (JSC::CodeLocationCommon::callAtOffset):
        (JSC::CodeLocationCommon::nearCallAtOffset):
        (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
        (JSC::CodeLocationCommon::dataLabel32AtOffset):
        (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
        (JSC::CodeLocationCommon::convertibleLoadAtOffset):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        (JSC::LinkBuffer::patch):
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtr::initialize):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
        (JSC::FunctionPtr::value const):
        (JSC::FunctionPtr::executableAddress const):
        (JSC::ReturnAddressPtr::ReturnAddressPtr):
        (JSC::ReturnAddressPtr::value const):
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
        (JSC::MacroAssemblerCodePtr::scrambledPtr const):
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodePtr::operator! const):
        (JSC::MacroAssemblerCodePtr::operator bool const):
        (JSC::MacroAssemblerCodePtr::operator== const):
        (JSC::MacroAssemblerCodePtr::hash const):
        (JSC::MacroAssemblerCodePtr::emptyValue):
        (JSC::MacroAssemblerCodePtr::deletedValue):
        (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
        (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
        * b3/B3LowerMacros.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testInterpreter):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpDisassembly):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        * dfg/DFGSpeculativeJIT.h:
        * disassembler/Disassembler.cpp:
        (JSC::disassemble):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::getOpcodeID):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitMathICFast):
        (JSC::JIT::emitMathICSlow):
        * jit/JITCode.cpp:
        (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
        (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
        (JSC::JITCodeWithCodeRef::offsetOf):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpDisassembly):
        * jit/PCToCodeOriginMap.cpp:
        (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
        * jit/Repatch.cpp:
        (JSC::ftlThunkAwareRepatchCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/cloop.rb:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmCallee.h:
        (JSC::Wasm::Callee::entrypoint const):
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::CodeBlock):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::create):
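As an added example (not WebKit's ScrambledPtr or MacroAssemblerCodePtr, whose internals this entry does not show), a toy code-pointer wrapper built on the points listed above: the object holds only scrambled bits (assumed scheme: XOR with a random per-process key), callers descramble explicitly through a templated executableAddress<T>(), only an explicit bool conversion exists, and a paranoid check in the spirit of the disabled asserts verifies that what is stored never equals the raw address. The g_demoTarget global is a constructed stand-in for a code address.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

// Per-process secret used to scramble pointers. Assumed scheme for this
// example: a random 64-bit key chosen once, forced odd so that no aligned
// (even) address can ever scramble to the null representation 0.
inline uintptr_t scramblingKey()
{
    static const uintptr_t key = [] {
        std::random_device rd;
        uint64_t k = (static_cast<uint64_t>(rd()) << 32) | rd();
        k |= 1;
        return static_cast<uintptr_t>(k);
    }();
    return key;
}

// Toy MacroAssemblerCodePtr: the raw address never sits in the object, only
// the scrambled bits do, and callers descramble at the point of use.
class ScrambledCodePtr {
public:
    ScrambledCodePtr() = default;
    explicit ScrambledCodePtr(void* ptr) : m_scrambledBits(scramble(ptr)) { }

    // The template parameter picks the pointee type, so call sites need no cast.
    template<typename T> T* executableAddress() const
    {
        return reinterpret_cast<T*>(descramble(m_scrambledBits));
    }

    uintptr_t scrambledBits() const { return m_scrambledBits; }

    // Only an explicit bool conversion; no implicit conversion to a raw pointer.
    explicit operator bool() const { return !!m_scrambledBits; }
    bool operator==(const ScrambledCodePtr& other) const { return m_scrambledBits == other.m_scrambledBits; }

private:
    // Null stays 0 so emptiness checks work without descrambling.
    static uintptr_t scramble(void* ptr)
    {
        uintptr_t raw = reinterpret_cast<uintptr_t>(ptr);
        return raw ? raw ^ scramblingKey() : 0;
    }
    static void* descramble(uintptr_t bits)
    {
        return bits ? reinterpret_cast<void*>(bits ^ scramblingKey()) : nullptr;
    }

    uintptr_t m_scrambledBits { 0 };
};

// Paranoid check: a stored non-null value must differ from the raw address it
// came from, and a null pointer must be stored as 0.
bool isScrambled(const ScrambledCodePtr& ptr, void* raw)
{
    uintptr_t rawBits = reinterpret_cast<uintptr_t>(raw);
    return rawBits ? ptr.scrambledBits() != rawBits : ptr.scrambledBits() == 0;
}

// Constructed stand-in for a code address: a plain global we can point at.
int g_demoTarget = 42;

ScrambledCodePtr demoCodePtr()
{
    return ScrambledCodePtr(&g_demoTarget);
}

int main()
{
    ScrambledCodePtr ptr = demoCodePtr();
    std::printf("stored 0x%llx for raw %p, descrambled value %d\n",
        static_cast<unsigned long long>(ptr.scrambledBits()),
        static_cast<void*>(&g_demoTarget), *ptr.executableAddress<int>());
    return ptr.executableAddress<int>() == &g_demoTarget ? 0 : 1;
}
```

Comparison and hashing can work on the scrambled bits directly, as the entry's operator== and hash do; only a real dereference or jump needs the descrambled address, which is why the raw value should be recovered as late as possible.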

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove easy toRemove & map.remove() use
        https://bugs.webkit.org/show_bug.cgi?id=180208

        Reviewed by Mark Lam.

        In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
        to optimize this common pattern. This patch only modifies apparent ones.
        But we can apply this refactoring further to the OAS phase in the future.

        * b3/B3MoveConstants.cpp:
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::SignatureInformation::tryCleanup):

2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use getEffectiveAddress more in JSC
        https://bugs.webkit.org/show_bug.cgi?id=180154

        Reviewed by Mark Lam.

        We can use MacroAssembler::getEffectiveAddress for stack height calculation.
        And we also add a MacroAssembler::negPtr(src, dest) variation.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::negPtr):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::neg32):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::neg32):
        (JSC::MacroAssemblerARM64::neg64):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::neg32):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::neg32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::neg32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::neg64):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetVarargsFrame):

2017-11-30  Mark Lam  <mark.lam@apple.com>

        jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
        https://bugs.webkit.org/show_bug.cgi?id=180219
        <rdar://problem/35696536>

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (functionFlashHeapAccess):

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
        https://bugs.webkit.org/show_bug.cgi?id=180190

        Reviewed by Mark Lam.

        If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
        path by calling operationHasIndexedProperty. The problem is that
        operationHasIndexedProperty does not account for a negative index: the negative
        index was used as a uint32 array index.

        In this patch we add a path for the negative index in operationHasIndexedProperty,
        and rename it to operationHasIndexedPropertyByInt to make the intention clear.
        We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
        since it is only used in DFG and FTL.

        While fixing this bug, we found that our op_in does not record OutOfBound feedback.
        This causes repeated OSR exits and significantly regresses performance. We opened
        a bug to track this issue [1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=180192

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
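As an added example (not WebKit code; the real operations work on JSObject and the DFG, which this entry does not show), the signed/unsigned mix-up the entry above describes, modelled on a constructed toy object with dense indexed storage plus named properties: the "before" function converts the int32 index straight to uint32, so -1 becomes 4294967295 and the named-property path is never taken; the "after" function routes negative indices to that path first.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <unordered_map>
#include <vector>

// Constructed toy model of an array-like object: dense indexed storage plus
// named (string-keyed) properties, which is where a key such as "-1" lives.
struct ToyArray {
    std::vector<double> indexed;
    std::unordered_map<std::string, double> named;
};

// Indexed lookup taking an unsigned index, like the original operation.
bool hasIndexedPropertyByUint(const ToyArray& object, uint32_t index)
{
    return index < object.indexed.size();
}

// Named lookup: the path a negative index has to take.
bool hasNamedProperty(const ToyArray& object, int32_t key)
{
    return object.named.count(std::to_string(key)) != 0;
}

// "Before": the int32 from the DFG node is converted to uint32, so a negative
// index turns into a huge one and the named-property path is skipped.
bool hasPropertyBuggy(const ToyArray& object, int32_t index)
{
    return hasIndexedPropertyByUint(object, static_cast<uint32_t>(index));
}

// "After": an explicit negative-index path, then the unsigned indexed lookup.
bool hasPropertyByInt(const ToyArray& object, int32_t index)
{
    if (index < 0)
        return hasNamedProperty(object, index);
    return hasIndexedPropertyByUint(object, static_cast<uint32_t>(index));
}

// Constructed sample: three elements plus a property named "-1",
// the shape `object[-1] = 99` would produce in JS.
ToyArray sampleObject()
{
    ToyArray object;
    object.indexed = { 10.0, 20.0, 30.0 };
    object.named["-1"] = 99.0;
    return object;
}

int main()
{
    ToyArray object = sampleObject();
    std::printf("-1 as uint32: %u\n", static_cast<uint32_t>(-1));
    std::printf("buggy: %d, fixed: %d\n", hasPropertyBuggy(object, -1), hasPropertyByInt(object, -1));
    return hasPropertyByInt(object, -1) ? 0 : 1;
}
```

For non-negative indices both functions agree, which is why the defect only shows up on the negative slow path the entry names.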

2017-11-30  Michael Saboff  <msaboff@apple.com>

        Allow JSC command line tool to accept UTF8
        https://bugs.webkit.org/show_bug.cgi?id=180205

        Reviewed by Keith Miller.

        This unifies the UTF8 handling of interactive mode with that of source files.

        * jsc.cpp:
        (runInteractive):

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
        https://bugs.webkit.org/show_bug.cgi?id=180185

        Reviewed by Carlos Garcia Campos.

        After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
        But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
        can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
        And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated. But the MakeRope
        DFG node can be emitted if we see that an untaken path includes String + String code.

        This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
        As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
        I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
        original code used before r225314.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):

2017-11-28  Filip Pizlo  <fpizlo@apple.com>

        CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
        https://bugs.webkit.org/show_bug.cgi?id=180108

        Reviewed by Saam Barati.

        This was creating a vector of things to remove and then removing them. I think I remember writing
        this code, and I did that because at the time we did not have removeAllMatching, which is
        definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
        obvious improvement before I did more fundamental things to this code.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):

2017-11-29  Filip Pizlo  <fpizlo@apple.com>

        GC should support isoheaps
        https://bugs.webkit.org/show_bug.cgi?id=179288

        Reviewed by Saam Barati.

        This expands the power of the Subspace API in JSC:

        - Everything associated with describing the types of objects is now part of the HeapCellType class.
          We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
          HeapCellType; these are orthogonal things.

        - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
          any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
          special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
          pages but releases the physical pages as part of the respective allocator's scavenging policy
          (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
          IsoSubspace).

        So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
        for more things.

        This does not have any effect on JetStream (0.18% faster with p = 0.69).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        * heap/AlignedMemoryAllocator.cpp:
        (JSC::AlignedMemoryAllocator::registerAllocator):
        (JSC::AlignedMemoryAllocator::registerSubspace):
        * heap/AlignedMemoryAllocator.h:
        (JSC::AlignedMemoryAllocator::firstAllocator const):
        * heap/AllocationFailureMode.h: Added.
        * heap/CompleteSubspace.cpp: Added.
        (JSC::CompleteSubspace::CompleteSubspace):
        (JSC::CompleteSubspace::~CompleteSubspace):
        (JSC::CompleteSubspace::allocatorFor):
        (JSC::CompleteSubspace::allocate):
        (JSC::CompleteSubspace::allocateNonVirtual):
        (JSC::CompleteSubspace::allocatorForSlow):
        (JSC::CompleteSubspace::allocateSlow):
        (JSC::CompleteSubspace::tryAllocateSlow):
        * heap/CompleteSubspace.h: Added.
        (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForNonVirtual):
        * heap/HeapCellType.cpp: Added.
        (JSC::HeapCellType::HeapCellType):
        (JSC::HeapCellType::~HeapCellType):
        (JSC::HeapCellType::finishSweep):
        (JSC::HeapCellType::destroy):
        * heap/HeapCellType.h: Added.
        (JSC::HeapCellType::attributes const):
        * heap/IsoAlignedMemoryAllocator.cpp: Added.
        (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::dump const):
        * heap/IsoAlignedMemoryAllocator.h: Added.
        * heap/IsoSubspace.cpp: Added.
        (JSC::IsoSubspace::IsoSubspace):
        (JSC::IsoSubspace::~IsoSubspace):
        (JSC::IsoSubspace::allocatorFor):
        (JSC::IsoSubspace::allocatorForNonVirtual):
        (JSC::IsoSubspace::allocate):
        (JSC::IsoSubspace::allocateNonVirtual):
        * heap/IsoSubspace.h: Added.
        (JSC::IsoSubspace::size const):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::setSubspace):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
        (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
        (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
        * heap/MarkedAllocatorInlines.h:
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::tryAllocate): Deleted.
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
        (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addMarkedAllocator):
        * heap/MarkedSpace.h:
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::initialize):
        (JSC::Subspace::finishSweep):
        (JSC::Subspace::destroy):
        (JSC::Subspace::prepareForAllocation):
        (JSC::Subspace::findEmptyBlockToSteal):
        (): Deleted.
        (JSC::Subspace::allocate): Deleted.
        (JSC::Subspace::tryAllocate): Deleted.
        (JSC::Subspace::allocatorForSlow): Deleted.
        (JSC::Subspace::allocateSlow): Deleted.
        (JSC::Subspace::tryAllocateSlow): Deleted.
        (JSC::Subspace::didAllocate): Deleted.
        * heap/Subspace.h:
        (JSC::Subspace::heapCellType const):
        (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
        (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
        (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
        (JSC::Subspace::allocatorForSizeStep): Deleted.
        (JSC::Subspace::tryAllocatorFor): Deleted.
        (JSC::Subspace::allocatorFor): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::growArrayRight):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::subspaceFor):
        * runtime/DirectEvalExecutable.h:
        * runtime/EvalExecutable.h:
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::subspaceFor):
        * runtime/FunctionExecutable.h:
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBuffer::create):
        * runtime/IndirectEvalExecutable.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSCell.h:
        (JSC::subspaceFor):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::subspaceFor):
        (JSC::tryAllocateCellHelper):
        (JSC::allocateCell):
        (JSC::tryAllocateCell):
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::subspaceFor):
        * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
        (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
        (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
        (JSC::JSDestructibleObjectHeapCellType::finishSweep):
        (JSC::JSDestructibleObjectHeapCellType::destroy):
        (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
        (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
        (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
        (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
        * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
        * runtime/JSDestructibleObjectSubspace.cpp: Removed.
        * runtime/JSDestructibleObjectSubspace.h: Removed.
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::subspaceFor):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
        (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
        (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
        (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
        (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
        * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
        * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
        * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
        * runtime/JSString.h:
        (JSC::JSString::subspaceFor):
        * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
        (JSC::JSStringHeapCellType::JSStringHeapCellType):
        (JSC::JSStringHeapCellType::~JSStringHeapCellType):
        (JSC::JSStringHeapCellType::finishSweep):
        (JSC::JSStringHeapCellType::destroy):
        (JSC::JSStringSubspace::JSStringSubspace): Deleted.
        (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
        (JSC::JSStringSubspace::finishSweep): Deleted.
        (JSC::JSStringSubspace::destroy): Deleted.
        * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
        * runtime/JSStringSubspace.cpp: Removed.
        * runtime/JSStringSubspace.h: Removed.
        * runtime/ModuleProgramExecutable.h:
        * runtime/NativeExecutable.h:
        * runtime/ProgramExecutable.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::subspaceFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
        (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
        (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
        * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::subspaceFor):

2017-11-29  Saam Barati  <sbarati@apple.com>

        Remove pointer caging for double arrays
        https://bugs.webkit.org/show_bug.cgi?id=180163

        Reviewed by Mark Lam.

        This patch removes pointer caging from double arrays. Like
        my previous removals of pointer caging, this is a security vs
        performance tradeoff. We believe that butterflies being allocated
        in the cage and with a 32GB runway gives us enough security that
        pointer caging the butterfly just for double arrays does not add
        enough security benefit for the performance hit it incurs.

        This patch also removes the GetButterflyWithoutCaging node and
        the FixedButterflyAccessUncaging phase. The node is no longer needed
        because now all GetButterfly nodes are not caged. The phase is removed
        since we no longer have two nodes.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
        * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        * runtime/Butterfly.h:
        (JSC::Butterfly::pointer):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::caged): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
652
653 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
654
655         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
656         https://bugs.webkit.org/show_bug.cgi?id=175447
657
658         Reviewed by Carlos Alberto Lopez Perez.
659
660         This patch allows DFG JIT to be enabled on MIPS platforms.
661
662         * Sources.txt:
663         * assembler/MIPSAssembler.h:
664         (JSC::MIPSAssembler::lastSPRegister):
665         (JSC::MIPSAssembler::numberOfSPRegisters):
666         (JSC::MIPSAssembler::sprName):
667         * assembler/MacroAssemblerMIPS.cpp: Added.
668         (JSC::MacroAssembler::probe):
669         * assembler/ProbeContext.cpp:
670         (JSC::Probe::executeProbe):
671         * assembler/ProbeContext.h:
672         (JSC::Probe::CPUState::pc):
673         * assembler/testmasm.cpp:
674         (JSC::isSpecialGPR):
675         (JSC::testProbePreservesGPRS):
676         (JSC::testProbeModifiesStackPointer):
677         (JSC::testProbeModifiesStackValues):
678
679 2017-11-29  Matt Lewis  <jlewis3@apple.com>
680
681         Unreviewed, rolling out r225286.
682
683         The source files within this patch have been marked as
684         executable.
685
686         Reverted changeset:
687
688         "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
689         https://bugs.webkit.org/show_bug.cgi?id=175447
690         https://trac.webkit.org/changeset/225286
691
692 2017-11-29  Alex Christensen  <achristensen@webkit.org>
693
694         Fix Mac CMake build.
695
696         * PlatformMac.cmake:
697
698 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
699
700         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
701         https://bugs.webkit.org/show_bug.cgi?id=175447
702
703         Reviewed by Carlos Alberto Lopez Perez.
704
705         This patch allows DFG JIT to be enabled on MIPS platforms.
706
707         * Sources.txt:
708         * assembler/MIPSAssembler.h:
709         (JSC::MIPSAssembler::lastSPRegister):
710         (JSC::MIPSAssembler::numberOfSPRegisters):
711         (JSC::MIPSAssembler::sprName):
712         * assembler/MacroAssemblerMIPS.cpp: Added.
713         (JSC::MacroAssembler::probe):
714         * assembler/ProbeContext.cpp:
715         (JSC::Probe::executeProbe):
716         * assembler/ProbeContext.h:
717         (JSC::Probe::CPUState::pc):
718         * assembler/testmasm.cpp:
719         (JSC::isSpecialGPR):
720         (JSC::testProbePreservesGPRS):
721         (JSC::testProbeModifiesStackPointer):
722         (JSC::testProbeModifiesStackValues):
723
724 2017-11-28  JF Bastien  <jfbastien@apple.com>
725
726         Strict and sloppy functions shouldn't share structure
727         https://bugs.webkit.org/show_bug.cgi?id=180103
728         <rdar://problem/35667847>
729
730         Reviewed by Saam Barati.
731
732         Sloppy and strict functions don't act the same when it comes to
733         arguments, caller, and callee. Sharing a structure means that
734         anything that is cached gets shared, and that's incorrect.
735
736         * dfg/DFGAbstractInterpreterInlines.h:
737         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
738         * dfg/DFGSpeculativeJIT.cpp:
739         (JSC::DFG::SpeculativeJIT::compileNewFunction):
740         * ftl/FTLLowerDFGToB3.cpp:
741         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
742         * runtime/FunctionConstructor.cpp:
743         (JSC::constructFunctionSkippingEvalEnabledCheck):
744         * runtime/JSFunction.cpp:
745         (JSC::JSFunction::create): the second ::create is always strict
746         because it applies to native functions.
747         * runtime/JSFunctionInlines.h:
748         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
749         * runtime/JSGlobalObject.cpp:
750         (JSC::JSGlobalObject::init):
751         (JSC::JSGlobalObject::visitChildren):
752         * runtime/JSGlobalObject.h:
753         (JSC::JSGlobalObject::strictFunctionStructure const):
754         (JSC::JSGlobalObject::sloppyFunctionStructure const):
755         (JSC::JSGlobalObject::nativeStdFunctionStructure const):
756         (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
757         (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.
758
759 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
760
761         [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
762         https://bugs.webkit.org/show_bug.cgi?id=180070
763
764         Reviewed by Saam Barati.
765
766         This patch adds getEffectiveAddress on all JIT platforms.
767         This is an abstracted version of x86 lea.
768
769         We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.
770
771         * assembler/MacroAssemblerARM.h:
772         (JSC::MacroAssemblerARM::getEffectiveAddress):
773         * assembler/MacroAssemblerARM64.h:
774         (JSC::MacroAssemblerARM64::getEffectiveAddress):
775         (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
776         * assembler/MacroAssemblerARMv7.h:
777         (JSC::MacroAssemblerARMv7::getEffectiveAddress):
778         * assembler/MacroAssemblerMIPS.h:
779         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
780         * assembler/MacroAssemblerX86.h:
781         (JSC::MacroAssemblerX86::getEffectiveAddress):
782         * assembler/MacroAssemblerX86_64.h:
783         (JSC::MacroAssemblerX86_64::getEffectiveAddress):
784         (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
785         * assembler/testmasm.cpp:
786         (JSC::testGetEffectiveAddress):
787         (JSC::run):
788         * dfg/DFGSpeculativeJIT.cpp:
789         (JSC::DFG::SpeculativeJIT::compileArrayPush):
790         * yarr/YarrJIT.cpp:
791         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
792         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
793
794 2017-11-29  Robin Morisset  <rmorisset@apple.com>
795
796         The recursive tail call optimisation is wrong on closures
797         https://bugs.webkit.org/show_bug.cgi?id=179835
798
799         Reviewed by Saam Barati.
800
801         The problem is that we only check the executable of the callee, not whatever variables might have been captured.
802         As a stopgap measure this patch just does not do the optimisation for closures.
803
804         * dfg/DFGByteCodeParser.cpp:
805         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
806
807 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
808
809         Web Inspector: Cleanup Inspector classes be more consistent about using fast malloc / noncopyable
810         https://bugs.webkit.org/show_bug.cgi?id=180119
811
812         Reviewed by Devin Rousso.
813
814         * inspector/InjectedScriptManager.h:
815         * inspector/JSGlobalObjectScriptDebugServer.h:
816         * inspector/agents/InspectorHeapAgent.h:
817         * inspector/agents/InspectorRuntimeAgent.h:
818         * inspector/agents/InspectorScriptProfilerAgent.h:
819         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
820
821 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
822
823         ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
824         https://bugs.webkit.org/show_bug.cgi?id=179642
825         <rdar://problem/35517704>
826
827         Reviewed by Brian Burg.
828
829         * inspector/protocol/Network.json:
830         Expose the NetworkAgent for a Service Worker inspector.
831
832 2017-11-28  Brian Burg  <bburg@apple.com>
833
834         [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
835         https://bugs.webkit.org/show_bug.cgi?id=179696
836
837         Reviewed by Timothy Hatcher.
838
839         * inspector/scripts/codegen/generate_objc_header.py:
840         (ObjCHeaderGenerator._generate_type_interface):
841         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
842         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
843         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
844         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
845         * inspector/scripts/codegen/objc_generator.py:
846         (ObjCGenerator.protocol_type_for_raw_name):
847         (ObjCGenerator.objc_protocol_export_expression_for_variable):
848         (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
849         (ObjCGenerator.objc_protocol_import_expression_for_variable):
850         (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
851         (ObjCGenerator.objc_to_protocol_expression_for_member.is):
852         (ObjCGenerator.objc_to_protocol_expression_for_member):
853         (ObjCGenerator.protocol_to_objc_expression_for_member.is):
854         (ObjCGenerator.protocol_to_objc_expression_for_member):
855         (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
856         (ObjCGenerator.objc_setter_method_for_member_internal):
857         (ObjCGenerator.objc_getter_method_for_member_internal):
858         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
859         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
860         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
861         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
862         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
863         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
864         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
865         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
866         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
867         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
868
869 2017-11-27  JF Bastien  <jfbastien@apple.com>
870
871         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
872         https://bugs.webkit.org/show_bug.cgi?id=180051
873         <rdar://problem/35614371>
874
875         Reviewed by Saam Barati.
876
877         Checking for int32 isn't sufficient when uint32 is expected
878         afterwards. While we're here, also use Checked<>.
879
880         * dfg/DFGAbstractInterpreterInlines.h:
881         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
882
883 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
884
885         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
886         https://bugs.webkit.org/show_bug.cgi?id=173793
887
888         Reviewed by Joseph Pecoraro.
889
890         Based on patch by Brian Burg.
891
892         * JavaScriptCore.xcodeproj/project.pbxproj:
893         * Sources.txt:
894         * bindings/ScriptValue.cpp:
895         (Inspector::jsToInspectorValue):
896         (Inspector::toInspectorValue):
897         (Deprecated::ScriptValue::toInspectorValue const):
898         * bindings/ScriptValue.h:
899         * inspector/AsyncStackTrace.cpp:
900         * inspector/ConsoleMessage.cpp:
901         * inspector/ContentSearchUtilities.cpp:
902         * inspector/DeprecatedInspectorValues.cpp: Added.
903         * inspector/DeprecatedInspectorValues.h: Added.
904         Keep the old symbols around in JavaScriptCore so that builds with the
905         public iOS SDK continue to work. These older SDKs include a version of
906         WebInspector.framework that expects to find InspectorArray and other
907         symbols in JavaScriptCore.framework.
908
909         * inspector/InjectedScript.cpp:
910         (Inspector::InjectedScript::getFunctionDetails):
911         (Inspector::InjectedScript::functionDetails):
912         (Inspector::InjectedScript::getPreview):
913         (Inspector::InjectedScript::getProperties):
914         (Inspector::InjectedScript::getDisplayableProperties):
915         (Inspector::InjectedScript::getInternalProperties):
916         (Inspector::InjectedScript::getCollectionEntries):
917         (Inspector::InjectedScript::saveResult):
918         (Inspector::InjectedScript::wrapCallFrames const):
919         (Inspector::InjectedScript::wrapObject const):
920         (Inspector::InjectedScript::wrapTable const):
921         (Inspector::InjectedScript::previewValue const):
922         (Inspector::InjectedScript::setExceptionValue):
923         (Inspector::InjectedScript::clearExceptionValue):
924         (Inspector::InjectedScript::inspectObject):
925         (Inspector::InjectedScript::releaseObject):
926         * inspector/InjectedScriptBase.cpp:
927         (Inspector::InjectedScriptBase::makeCall):
928         (Inspector::InjectedScriptBase::makeEvalCall):
929         * inspector/InjectedScriptBase.h:
930         * inspector/InjectedScriptManager.cpp:
931         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
932         * inspector/InspectorBackendDispatcher.cpp:
933         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
934         (Inspector::BackendDispatcher::dispatch):
935         (Inspector::BackendDispatcher::sendResponse):
936         (Inspector::BackendDispatcher::sendPendingErrors):
937         (Inspector::BackendDispatcher::getPropertyValue):
938         (Inspector::castToInteger):
939         (Inspector::castToNumber):
940         (Inspector::BackendDispatcher::getInteger):
941         (Inspector::BackendDispatcher::getDouble):
942         (Inspector::BackendDispatcher::getString):
943         (Inspector::BackendDispatcher::getBoolean):
944         (Inspector::BackendDispatcher::getObject):
945         (Inspector::BackendDispatcher::getArray):
946         (Inspector::BackendDispatcher::getValue):
947         * inspector/InspectorBackendDispatcher.h:
948         We need to keep around the sendResponse() variant with a parameter that
949         has the InspectorObject type, as older WebInspector.framework versions
950         expect this symbol to exist. Introduce a variant with arity 3 that can
951         be used in TOT so as to avoid having two methods with the same name, arity, and
952         different parameter types.
953
954         When system WebInspector.framework is updated, we can remove the legacy
955         method variant that uses the InspectorObject type. At that point, we can
956         transition TOT to use the 2-arity variant, and delete the 3-arity variant
957         when system WebInspector.framework is updated once more to use the 2-arity one.
958
959         * inspector/InspectorProtocolTypes.h:
960         (Inspector::Protocol::Array::openAccessors):
961         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
962         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
963         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
964         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
965         * inspector/ScriptCallFrame.cpp:
966         * inspector/ScriptCallStack.cpp:
967         * inspector/agents/InspectorAgent.cpp:
968         (Inspector::InspectorAgent::inspect):
969         * inspector/agents/InspectorAgent.h:
970         * inspector/agents/InspectorDebuggerAgent.cpp:
971         (Inspector::buildAssertPauseReason):
972         (Inspector::buildCSPViolationPauseReason):
973         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
974         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
975         (Inspector::buildObjectForBreakpointCookie):
976         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
977         (Inspector::parseLocation):
978         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
979         (Inspector::InspectorDebuggerAgent::setBreakpoint):
980         (Inspector::InspectorDebuggerAgent::continueToLocation):
981         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
982         (Inspector::InspectorDebuggerAgent::didParseSource):
983         (Inspector::InspectorDebuggerAgent::breakProgram):
984         * inspector/agents/InspectorDebuggerAgent.h:
985         * inspector/agents/InspectorRuntimeAgent.cpp:
986         (Inspector::InspectorRuntimeAgent::callFunctionOn):
987         (Inspector::InspectorRuntimeAgent::saveResult):
988         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
989         * inspector/agents/InspectorRuntimeAgent.h:
990         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
991         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
992         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
993         (CppBackendDispatcherImplementationGenerator.generate_output):
994         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
995         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
996         (CppFrontendDispatcherHeaderGenerator.generate_output):
997         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
998         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
999         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1000         (_generate_unchecked_setter_for_member):
1001         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1002         (CppProtocolTypesImplementationGenerator):
1003         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1004         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1005         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1006         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1007         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1008         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1009         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1010         * inspector/scripts/codegen/generate_objc_internal_header.py:
1011         (ObjCInternalHeaderGenerator.generate_output):
1012         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1013         (ObjCProtocolTypesImplementationGenerator.generate_output):
1014         * inspector/scripts/codegen/generator.py:
1015         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1016         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1017         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1018         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1019         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1020         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1021         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1022         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1023         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1024         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1025         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1026         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1027         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1028         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1029         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1030         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1031         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1032         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1033         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1034         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1035
1036 2017-11-28  Robin Morisset  <rmorisset@apple.com>
1037
1038         Support recursive tail call optimization for polymorphic calls
1039         https://bugs.webkit.org/show_bug.cgi?id=178390
1040
1041         Reviewed by Saam Barati.
1042
1043         Comes with a large but fairly simple refactoring: the inlining paths for varargs and non-varargs calls now converge a lot later,
1044         eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
1045
1046         Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
1047
1048         * dfg/DFGByteCodeParser.cpp:
1049         (JSC::DFG::ByteCodeParser::handleCall):
1050         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1051         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1052         (JSC::DFG::ByteCodeParser::inlineCall):
1053         (JSC::DFG::ByteCodeParser::handleCallVariant):
1054         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1055         (JSC::DFG::ByteCodeParser::getInliningBalance):
1056         (JSC::DFG::ByteCodeParser::handleInlining):
1057         (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
1058
1059 2017-11-27  Saam Barati  <sbarati@apple.com>
1060
1061         Spread can escape when CreateRest does not
1062         https://bugs.webkit.org/show_bug.cgi?id=180057
1063         <rdar://problem/35676119>
1064
1065         Reviewed by JF Bastien.
1066
1067         We previously did not handle Spread(PhantomCreateRest) only because I did not
1068         think it was possible to generate this IR. I was wrong. We can generate
1069         such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
1070         This IR is rare to generate since we normally don't PutStack(Spread) because
1071         the SetLocal almost always gets eliminated because of how our bytecode generates
1072         op_spread. However, there exists a test case showing it is possible. Supporting
1073         this IR pattern in FTLLower is trivial. This patch implements it and rewrites
1074         the Validation rule for Spread.
1075
1076         * dfg/DFGOperations.cpp:
1077         * dfg/DFGOperations.h:
1078         * dfg/DFGValidate.cpp:
1079         * ftl/FTLLowerDFGToB3.cpp:
1080         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1081         * runtime/JSFixedArray.h:
1082         (JSC::JSFixedArray::tryCreate):
1083
1084 2017-11-27  Don Olmstead  <don.olmstead@sony.com>
1085
1086         [CMake][Win] Conditionally select DLL CRT or static CRT
1087         https://bugs.webkit.org/show_bug.cgi?id=170594
1088
1089         Reviewed by Alex Christensen.
1090
1091         * shell/PlatformWin.cmake:
1092
1093 2017-11-27  Saam Barati  <sbarati@apple.com>
1094
1095         Having a bad time watchpoint firing during compilation revealed a racy assertion
1096         https://bugs.webkit.org/show_bug.cgi?id=180048
1097         <rdar://problem/35700009>
1098
1099         Reviewed by Mark Lam.
1100
1101         While a DFG compilation is watching the having a bad time watchpoint, it was
1102         asserting that the rest parameter structure has indexing type ArrayWithContiguous.
1103         However, if the having a bad time watchpoint fires during the compilation,
1104         this particular structure will no longer have ArrayWithContiguous indexing type.
1105         This patch fixes this racy assertion to be aware that the watchpoint may fire
1106         during compilation.
1107
1108         * dfg/DFGSpeculativeJIT.cpp:
1109         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1110         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1111
1112 2017-11-27  Tim Horton  <timothy_horton@apple.com>
1113
1114         One too many zeroes in macOS version number in FeatureDefines
1115         https://bugs.webkit.org/show_bug.cgi?id=180011
1116
1117         Reviewed by Dan Bernstein.
1118
1119         * Configurations/FeatureDefines.xcconfig:
1120
1121 2017-11-27  Robin Morisset  <rmorisset@apple.com>
1122
1123         Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
1124         https://bugs.webkit.org/show_bug.cgi?id=179821
1125
1126         Reviewed by Saam Barati.
1127
1128         * dfg/DFGSafeToExecute.h:
1129         (JSC::DFG::safeToExecute):
1130
1131 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1132
1133         [DFG] Add NormalizeMapKey DFG IR
1134         https://bugs.webkit.org/show_bug.cgi?id=179912
1135
1136         Reviewed by Saam Barati.
1137
1138         This patch introduces the NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
1139         By separating this from MapHash and Map/Set related operations, we can perform CSE on it, and we
1140         do not need to call normalizeMapKey conservatively in DFG operations.
1141         This can reduce the slow path cases in Untyped GetMapBucket since we can normalize keys in DFG/FTL.
1142
1143         * dfg/DFGAbstractInterpreterInlines.h:
1144         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1145         * dfg/DFGByteCodeParser.cpp:
1146         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1147         * dfg/DFGClobberize.h:
1148         (JSC::DFG::clobberize):
1149         * dfg/DFGDoesGC.cpp:
1150         (JSC::DFG::doesGC):
1151         * dfg/DFGFixupPhase.cpp:
1152         (JSC::DFG::FixupPhase::fixupNode):
1153         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
1154         * dfg/DFGNodeType.h:
1155         * dfg/DFGOperations.cpp:
1156         * dfg/DFGPredictionPropagationPhase.cpp:
1157         * dfg/DFGSafeToExecute.h:
1158         (JSC::DFG::safeToExecute):
1159         * dfg/DFGSpeculativeJIT.cpp:
1160         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1161         * dfg/DFGSpeculativeJIT.h:
1162         * dfg/DFGSpeculativeJIT32_64.cpp:
1163         (JSC::DFG::SpeculativeJIT::compile):
1164         * dfg/DFGSpeculativeJIT64.cpp:
1165         (JSC::DFG::SpeculativeJIT::compile):
1166         * ftl/FTLCapabilities.cpp:
1167         (JSC::FTL::canCompile):
1168         * ftl/FTLLowerDFGToB3.cpp:
1169         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1170         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1171         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
1172         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1173         * runtime/HashMapImpl.h:
1174
1175 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1176
1177         [FTL] Support DeleteById and DeleteByVal
1178         https://bugs.webkit.org/show_bug.cgi?id=180022
1179
1180         Reviewed by Saam Barati.
1181
1182         We should increase the coverage of FTL. Even if the code includes DeleteById,
1183         it does not mean that the remaining part of the code should not be optimized in FTL.
1184         Right now, even CallEval and `with` scope are handled in FTL.
1185
1186         This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
1187         code including them.
1188
1189         * ftl/FTLCapabilities.cpp:
1190         (JSC::FTL::canCompile):
1191         * ftl/FTLLowerDFGToB3.cpp:
1192         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1193         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
1194         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
1195
1196 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1197
1198         [DFG] Introduce {Set,Map,WeakMap}Fields
1199         https://bugs.webkit.org/show_bug.cgi?id=179925
1200
1201         Reviewed by Saam Barati.
1202
1203         SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
1204         writes read-only MiscFields, which are used by various nodes, and makes optimization
1205         conservative.
1206
1207         We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
1208
1209         * dfg/DFGAbstractHeap.h:
1210         * dfg/DFGByteCodeParser.cpp:
1211         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1212         * dfg/DFGClobberize.h:
1213         (JSC::DFG::clobberize):
1214         * dfg/DFGHeapLocation.cpp:
1215         (WTF::printInternal):
1216         * dfg/DFGHeapLocation.h:
1217         * dfg/DFGNode.h:
1218         (JSC::DFG::Node::hasBucketOwnerType):
1219
1220 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1221
1222         [JSC] Remove JSStringBuilder
1223         https://bugs.webkit.org/show_bug.cgi?id=180016
1224
1225         Reviewed by Saam Barati.
1226
1227         JSStringBuilder is replaced with WTF::StringBuilder.
1228         This patch removes the remaining uses and drops JSStringBuilder.
1229
1230         * JavaScriptCore.xcodeproj/project.pbxproj:
1231         * runtime/ArrayPrototype.cpp:
1232         * runtime/AsyncFunctionPrototype.cpp:
1233         * runtime/AsyncGeneratorFunctionPrototype.cpp:
1234         * runtime/ErrorPrototype.cpp:
1235         * runtime/FunctionPrototype.cpp:
1236         * runtime/GeneratorFunctionPrototype.cpp:
1237         * runtime/JSGlobalObjectFunctions.cpp:
1238         (JSC::decode):
1239         (JSC::globalFuncEscape):
1240         * runtime/JSStringBuilder.h: Removed.
1241         * runtime/JSStringInlines.h:
1242         (JSC::jsMakeNontrivialString):
1243         * runtime/RegExpPrototype.cpp:
1244         * runtime/StringPrototype.cpp:
1245
1246 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1247
1248         [DFG] Remove GetLocalUnlinked
1249         https://bugs.webkit.org/show_bug.cgi?id=180017
1250
1251         Reviewed by Saam Barati.
1252
1253         Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
1254         This patch just removes it.
1255
1256         * dfg/DFGAbstractInterpreterInlines.h:
1257         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1258         * dfg/DFGClobberize.h:
1259         (JSC::DFG::clobberize):
1260         * dfg/DFGCommon.h:
1261         * dfg/DFGDoesGC.cpp:
1262         (JSC::DFG::doesGC):
1263         * dfg/DFGFixupPhase.cpp:
1264         (JSC::DFG::FixupPhase::fixupNode):
1265         * dfg/DFGGraph.cpp:
1266         (JSC::DFG::Graph::dump):
1267         * dfg/DFGNode.h:
1268         (JSC::DFG::Node::hasUnlinkedLocal):
1269         (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
1270         (JSC::DFG::Node::convertToGetLocal): Deleted.
1271         (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
1272         (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
1273         (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
1274         * dfg/DFGNodeType.h:
1275         * dfg/DFGPredictionPropagationPhase.cpp:
1276         * dfg/DFGSafeToExecute.h:
1277         (JSC::DFG::safeToExecute):
1278         * dfg/DFGSpeculativeJIT32_64.cpp:
1279         (JSC::DFG::SpeculativeJIT::compile):
1280         * dfg/DFGSpeculativeJIT64.cpp:
1281         (JSC::DFG::SpeculativeJIT::compile):
1282         * dfg/DFGStackLayoutPhase.cpp:
1283         (JSC::DFG::StackLayoutPhase::run):
1284         * dfg/DFGValidate.cpp:
1285
1286 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1287
1288         Make ArgList::data() private again when we can remove callWasmFunction().
1289         https://bugs.webkit.org/show_bug.cgi?id=168582
1290
1291         Reviewed by JF Bastien.
1292
1293         Make ArgList::data() private since we already removed callWasmFunction.
1294
1295         * runtime/ArgList.h:
1296
1297 2016-08-05  Darin Adler  <darin@apple.com>
1298
1299         Fix some minor problems in the StringImpl header
1300         https://bugs.webkit.org/show_bug.cgi?id=160630
1301
1302         Reviewed by Brent Fulgham.
1303
1304         * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
1305         Yarr namespacing since we use "using namespace" in this file.
1306
1307 2017-11-24  Mark Lam  <mark.lam@apple.com>
1308
1309         Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
1310         https://bugs.webkit.org/show_bug.cgi?id=179936
1311         <rdar://problem/35623998>
1312
1313         Reviewed by Saam Barati.
1314
1315         This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
1316         See https://bugs.webkit.org/show_bug.cgi?id=179684.
1317
1318         Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
1319         was allocating stack space to stash arguments (to be forwarded) and new frame
1320         info.  The location of this new stash space happens to lie beyond the top of frame
1321         of the tail call caller frame.  After stashing the arguments, the code proceeded
1322         to load the callee codeBlock.  This triggered an allocation, which in turn,
1323         triggered stack sanitization.  The CLoop stack sanitizer was relying on
1324         frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
1325         that turned out to be inadequate.  As a result, part of the stashed data was
1326         zeroed out, and subsequently led to a crash.
1327
1328         This bug does not affect JIT builds (i.e. the ASM LLint) for 2 reasons:
1329         1. JIT builds do stack sanitization in the LLInt code itself (different from the
1330            CLoop implementation), and the sanitizer there is aware of the true top of
1331            stack value (i.e. the stack pointer).
1332         2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
1333            parallel stack is one condition necessary for reproducing this issue.
1334
1335         The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
1336         every time before it calls out to native C++ code.  This also brings the CLoop's
1337         behavior closer to hardware behavior where we can know where the stack pointer
1338         is after calling from JS back into native C++ code, which makes it easier to
1339         reason about correctness.
1340
1341         Also simplified the various stack boundary calculations (removed the +1 and -1
1342         adjustments).  The CLoopStack bounds are now:
1343
1344             reservationTop(): the lowest reserved address that can be within stack bounds.
1345             m_commitTop: the lowest address within stack bounds that has been committed.
1346             lowAddress() aka m_end: the lowest stack address that JS code can use.
1347             m_lastStackPointer: cache of the last m_currentStackPointer value.
1348             m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
1349             highAddress(): the highest address just beyond the bounds of the stack.
1350
1351         Also deleted some unneeded code.
1352
1353         * interpreter/CLoopStack.cpp:
1354         (JSC::CLoopStack::CLoopStack):
1355         (JSC::CLoopStack::gatherConservativeRoots):
1356         (JSC::CLoopStack::sanitizeStack):
1357         (JSC::CLoopStack::setSoftReservedZoneSize):
1358         * interpreter/CLoopStack.h:
1359         (JSC::CLoopStack::setCurrentStackPointer):
1360         (JSC::CLoopStack::lowAddress const):
1361
1362         (JSC::CLoopStack::baseOfStack const): Deleted.
1363         - Not needed after we simplified the code and removed all the +1/-1 adjustments.
1364           Now, it has the exact same value as highAddress() and can be removed.
1365
1366         * interpreter/CLoopStackInlines.h:
1367         (JSC::CLoopStack::ensureCapacityFor):
1368         (JSC::CLoopStack::currentStackPointer):
1369         (JSC::CLoopStack::setCLoopStackLimit):
1370
1371         (JSC::CLoopStack::topOfFrameFor): Deleted.
1372         - Not needed.
1373
1374         (JSC::CLoopStack::topOfStack): Deleted.
1375         - Supplanted by currentStackPointer().
1376
1377         (JSC::CLoopStack::shrink): Deleted.
1378         - This is unused.
1379
1380         * llint/LowLevelInterpreter.cpp:
1381         (JSC::CLoop::execute):
1382         - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
1383           upon exiting the interpreter loop.
1384
1385         * offlineasm/cloop.rb:
1386         - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
1387           call from JS into C++ code.
1388
1389         * tools/VMInspector.h:
1390         - Added some default argument values. These were being used while debugging this
1391           issue.
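
The failure mode this entry describes, as an added example that is not WebKit code: a model of the CLoop's downward-growing parallel stack with a sanitizer that zeroes the region between the last recorded stack pointer and whatever bound it is handed. ModelStack, stashBelowFrame and tailCallScenario are illustrative names; slot index 0 stands for lowAddress() and the end of the vector for highAddress().

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

struct ModelStack {
    std::vector<uint64_t> slots;  // index 0 plays lowAddress(), slots.size() plays highAddress()
    size_t topOfFrame;            // lowest slot the current call frame claims (frame->topOfFrame())
    size_t currentStackPointer;   // lowest slot actually in use, stashes included (m_currentStackPointer)
    size_t lastStackPointer;      // where the previous sanitization stopped (m_lastStackPointer)

    explicit ModelStack(size_t n)
        : slots(n, 0xAAAAAAAAAAAAAAAAull), topOfFrame(n), currentStackPointer(n), lastStackPointer(0) {}

    // Pushing a frame moves both the frame boundary and the stack pointer down.
    void pushFrame(size_t n) { topOfFrame -= n; currentStackPointer = topOfFrame; }

    // op_tail_call_forward_arguments stashes the forwarded arguments below the
    // frame boundary: only the stack pointer moves, topOfFrame still describes
    // the caller frame and no longer bounds the live data.
    void stashBelowFrame(const std::vector<uint64_t>& args) {
        currentStackPointer -= args.size();
        std::copy(args.begin(), args.end(), slots.begin() + currentStackPointer);
    }

    // Sanitizer: zero the region that was in use before and is believed free now,
    // i.e. [lastStackPointer, bound). `bound` is whatever the caller takes to be
    // the lowest live slot; the bug was passing topOfFrame here.
    void sanitize(size_t bound) {
        if (lastStackPointer < bound)
            std::fill(slots.begin() + lastStackPointer, slots.begin() + bound, 0);
        lastStackPointer = bound;
    }

    std::vector<uint64_t> stash(size_t n) const {
        return std::vector<uint64_t>(slots.begin() + currentStackPointer,
                                     slots.begin() + currentStackPointer + n);
    }
};

// Replay the sequence from the bug: push a frame, stash forwarded arguments
// below it, then let an allocation trigger sanitization. With useStackPointer
// false the sanitizer trusts topOfFrame (the bug); with true it trusts the
// recorded stack pointer (the fix). Returns what the stash looks like afterwards.
std::vector<uint64_t> tailCallScenario(bool useStackPointer) {
    ModelStack stack(64);   // lastStackPointer starts at 0: pretend an earlier, deeper
                            // call chain dirtied the whole stack, so there is work to do
    stack.pushFrame(8);
    const std::vector<uint64_t> forwarded = {0x11, 0x22, 0x33};
    stack.stashBelowFrame(forwarded);
    stack.sanitize(useStackPointer ? stack.currentStackPointer : stack.topOfFrame);
    return stack.stash(forwarded.size());
}

int main() {
    const std::vector<uint64_t> expected = {0x11, 0x22, 0x33};
    bool fixWorks = tailCallScenario(true) == expected;
    bool bugReproduces = tailCallScenario(false) == std::vector<uint64_t>(3, 0);
    return (fixWorks && bugReproduces) ? 0 : 1;
}
```

Passing topOfFrame wipes the stash that sits below the frame; passing the recorded stack pointer leaves it intact. The general point for any stack scrubber is that its bound has to come from the actual allocation point, not from a data structure that can lag behind it.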
1392
1393 2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1394
1395         [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
1396         https://bugs.webkit.org/show_bug.cgi?id=179923
1397
1398         Reviewed by Darin Adler.
1399
1400         We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
1401         So we can use it as the marker for a deleted bucket.
1402
1403         This patch uses the empty key as the deleted flag and drops the m_deleted field of HashMapBucket.
1404         It shrinks the size of HashMapBucket considerably.
1405
1406         * dfg/DFGSpeculativeJIT.cpp:
1407         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1408         * ftl/FTLAbstractHeapRepository.h:
1409         * ftl/FTLLowerDFGToB3.cpp:
1410         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1411         * runtime/HashMapImpl.h:
1412         (JSC::HashMapBucket::createSentinel):
1413         We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
1414         While the sentinel's deleted flag becomes false since its key is set, it is not a problem since the deleted
1415         flag of the sentinel bucket is not used.
1416
1417         (JSC::HashMapBucket::HashMapBucket):
1418         (JSC::HashMapBucket::deleted const):
1419         (JSC::HashMapBucket::makeDeleted):
1420         (JSC::HashMapImpl::remove):
1421         (JSC::HashMapImpl::clear):
1422         (JSC::HashMapImpl::setUpHeadAndTail):
1423         (JSC::HashMapImpl::addNormalizedInternal):
1424         (JSC::HashMapBucket::setDeleted): Deleted.
1425         (JSC::HashMapBucket::offsetOfDeleted): Deleted.
1426         (): Deleted.
1427
1428 2017-11-24  Mark Lam  <mark.lam@apple.com>
1429
1430         Move unsafe jsc shell test functions to the $vm object.
1431         https://bugs.webkit.org/show_bug.cgi?id=179980
1432
1433         Reviewed by Yusuke Suzuki.
1434
1435         Also removed setElementRoot() which was not used.
1436
1437         * jsc.cpp:
1438         (GlobalObject::finishCreation):
1439         (WTF::Element::Element): Deleted.
1440         (WTF::Element::root const): Deleted.
1441         (WTF::Element::setRoot): Deleted.
1442         (WTF::Element::create): Deleted.
1443         (WTF::Element::visitChildren): Deleted.
1444         (WTF::Element::createStructure): Deleted.
1445         (WTF::Root::Root): Deleted.
1446         (WTF::Root::element): Deleted.
1447         (WTF::Root::setElement): Deleted.
1448         (WTF::Root::create): Deleted.
1449         (WTF::Root::createStructure): Deleted.
1450         (WTF::Root::visitChildren): Deleted.
1451         (WTF::ImpureGetter::ImpureGetter): Deleted.
1452         (WTF::ImpureGetter::createStructure): Deleted.
1453         (WTF::ImpureGetter::create): Deleted.
1454         (WTF::ImpureGetter::finishCreation): Deleted.
1455         (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
1456         (WTF::ImpureGetter::visitChildren): Deleted.
1457         (WTF::ImpureGetter::setDelegate): Deleted.
1458         (WTF::CustomGetter::CustomGetter): Deleted.
1459         (WTF::CustomGetter::createStructure): Deleted.
1460         (WTF::CustomGetter::create): Deleted.
1461         (WTF::CustomGetter::getOwnPropertySlot): Deleted.
1462         (WTF::CustomGetter::customGetter): Deleted.
1463         (WTF::CustomGetter::customGetterAcessor): Deleted.
1464         (WTF::RuntimeArray::create): Deleted.
1465         (WTF::RuntimeArray::~RuntimeArray): Deleted.
1466         (WTF::RuntimeArray::destroy): Deleted.
1467         (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
1468         (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
1469         (WTF::RuntimeArray::put): Deleted.
1470         (WTF::RuntimeArray::deleteProperty): Deleted.
1471         (WTF::RuntimeArray::getLength const): Deleted.
1472         (WTF::RuntimeArray::createPrototype): Deleted.
1473         (WTF::RuntimeArray::createStructure): Deleted.
1474         (WTF::RuntimeArray::finishCreation): Deleted.
1475         (WTF::RuntimeArray::RuntimeArray): Deleted.
1476         (WTF::RuntimeArray::lengthGetter): Deleted.
1477         (WTF::SimpleObject::SimpleObject): Deleted.
1478         (WTF::SimpleObject::create): Deleted.
1479         (WTF::SimpleObject::visitChildren): Deleted.
1480         (WTF::SimpleObject::createStructure): Deleted.
1481         (WTF::SimpleObject::hiddenValue): Deleted.
1482         (WTF::SimpleObject::setHiddenValue): Deleted.
1483         (WTF::DOMJITNode::DOMJITNode): Deleted.
1484         (WTF::DOMJITNode::createStructure): Deleted.
1485         (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
1486         (WTF::DOMJITNode::create): Deleted.
1487         (WTF::DOMJITNode::value const): Deleted.
1488         (WTF::DOMJITNode::offsetOfValue): Deleted.
1489         (WTF::DOMJITGetter::DOMJITGetter): Deleted.
1490         (WTF::DOMJITGetter::createStructure): Deleted.
1491         (WTF::DOMJITGetter::create): Deleted.
1492         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
1493         (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
1494         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
1495         (WTF::DOMJITGetter::customGetter): Deleted.
1496         (WTF::DOMJITGetter::finishCreation): Deleted.
1497         (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
1498         (WTF::DOMJITGetterComplex::createStructure): Deleted.
1499         (WTF::DOMJITGetterComplex::create): Deleted.
1500         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
1501         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
1502         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
1503         (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
1504         (WTF::DOMJITGetterComplex::customGetter): Deleted.
1505         (WTF::DOMJITGetterComplex::finishCreation): Deleted.
1506         (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
1507         (WTF::DOMJITFunctionObject::createStructure): Deleted.
1508         (WTF::DOMJITFunctionObject::create): Deleted.
1509         (WTF::DOMJITFunctionObject::safeFunction): Deleted.
1510         (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
1511         (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
1512         (WTF::DOMJITFunctionObject::finishCreation): Deleted.
1513         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
1514         (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
1515         (WTF::DOMJITCheckSubClassObject::create): Deleted.
1516         (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
1517         (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
1518         (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
1519         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
1520         (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
1521         (WTF::DOMJITGetterBaseJSObject::create): Deleted.
1522         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
1523         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
1524         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
1525         (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
1526         (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
1527         (WTF::Element::handleOwner): Deleted.
1528         (WTF::Element::finishCreation): Deleted.
1529         (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
1530         (JSTestCustomGetterSetter::create): Deleted.
1531         (JSTestCustomGetterSetter::createStructure): Deleted.
1532         (customGetAccessor): Deleted.
1533         (customGetValue): Deleted.
1534         (customSetAccessor): Deleted.
1535         (customSetValue): Deleted.
1536         (JSTestCustomGetterSetter::finishCreation): Deleted.
1537         (GlobalObject::addConstructableFunction): Deleted.
1538         (functionCreateRoot): Deleted.
1539         (functionCreateElement): Deleted.
1540         (functionGetElement): Deleted.
1541         (functionSetElementRoot): Deleted.
1542         (functionCreateSimpleObject): Deleted.
1543         (functionGetHiddenValue): Deleted.
1544         (functionSetHiddenValue): Deleted.
1545         (functionCreateProxy): Deleted.
1546         (functionCreateRuntimeArray): Deleted.
1547         (functionCreateImpureGetter): Deleted.
1548         (functionCreateCustomGetterObject): Deleted.
1549         (functionCreateDOMJITNodeObject): Deleted.
1550         (functionCreateDOMJITGetterObject): Deleted.
1551         (functionCreateDOMJITGetterComplexObject): Deleted.
1552         (functionCreateDOMJITFunctionObject): Deleted.
1553         (functionCreateDOMJITCheckSubClassObject): Deleted.
1554         (functionCreateDOMJITGetterBaseJSObject): Deleted.
1555         (functionSetImpureGetterDelegate): Deleted.
1556         (functionGetGetterSetter): Deleted.
1557         (functionShadowChickenFunctionsOnStack): Deleted.
1558         (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
1559         (functionGlobalObjectForObject): Deleted.
1560         (functionLoadGetterFromGetterSetter): Deleted.
1561         (functionCreateCustomTestGetterSetter): Deleted.
1562         (functionAbort): Deleted.
1563         (functionFindTypeForExpression): Deleted.
1564         (functionReturnTypeFor): Deleted.
1565         (functionDumpBasicBlockExecutionRanges): Deleted.
1566         (functionHasBasicBlockExecuted): Deleted.
1567         (functionBasicBlockExecutionCount): Deleted.
1568         (functionEnableExceptionFuzz): Deleted.
1569         (functionCreateBuiltin): Deleted.
1570         * runtime/JSGlobalObject.cpp:
1571         (JSC::JSGlobalObject::init):
1572         * tools/JSDollarVM.cpp:
1573         (WTF::Element::Element):
1574         (WTF::Element::root const):
1575         (WTF::Element::setRoot):
1576         (WTF::Element::create):
1577         (WTF::Element::visitChildren):
1578         (WTF::Element::createStructure):
1579         (WTF::Root::Root):
1580         (WTF::Root::element):
1581         (WTF::Root::setElement):
1582         (WTF::Root::create):
1583         (WTF::Root::createStructure):
1584         (WTF::Root::visitChildren):
1585         (WTF::SimpleObject::SimpleObject):
1586         (WTF::SimpleObject::create):
1587         (WTF::SimpleObject::visitChildren):
1588         (WTF::SimpleObject::createStructure):
1589         (WTF::SimpleObject::hiddenValue):
1590         (WTF::SimpleObject::setHiddenValue):
1591         (WTF::ImpureGetter::ImpureGetter):
1592         (WTF::ImpureGetter::createStructure):
1593         (WTF::ImpureGetter::create):
1594         (WTF::ImpureGetter::finishCreation):
1595         (WTF::ImpureGetter::getOwnPropertySlot):
1596         (WTF::ImpureGetter::visitChildren):
1597         (WTF::ImpureGetter::setDelegate):
1598         (WTF::CustomGetter::CustomGetter):
1599         (WTF::CustomGetter::createStructure):
1600         (WTF::CustomGetter::create):
1601         (WTF::CustomGetter::getOwnPropertySlot):
1602         (WTF::CustomGetter::customGetter):
1603         (WTF::CustomGetter::customGetterAcessor):
1604         (WTF::RuntimeArray::create):
1605         (WTF::RuntimeArray::~RuntimeArray):
1606         (WTF::RuntimeArray::destroy):
1607         (WTF::RuntimeArray::getOwnPropertySlot):
1608         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
1609         (WTF::RuntimeArray::put):
1610         (WTF::RuntimeArray::deleteProperty):
1611         (WTF::RuntimeArray::getLength const):
1612         (WTF::RuntimeArray::createPrototype):
1613         (WTF::RuntimeArray::createStructure):
1614         (WTF::RuntimeArray::finishCreation):
1615         (WTF::RuntimeArray::RuntimeArray):
1616         (WTF::RuntimeArray::lengthGetter):
1617         (WTF::DOMJITNode::DOMJITNode):
1618         (WTF::DOMJITNode::createStructure):
1619         (WTF::DOMJITNode::checkSubClassSnippet):
1620         (WTF::DOMJITNode::create):
1621         (WTF::DOMJITNode::value const):
1622         (WTF::DOMJITNode::offsetOfValue):
1623         (WTF::DOMJITGetter::DOMJITGetter):
1624         (WTF::DOMJITGetter::createStructure):
1625         (WTF::DOMJITGetter::create):
1626         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1627         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
1628         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1629         (WTF::DOMJITGetter::customGetter):
1630         (WTF::DOMJITGetter::finishCreation):
1631         (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
1632         (WTF::DOMJITGetterComplex::createStructure):
1633         (WTF::DOMJITGetterComplex::create):
1634         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1635         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
1636         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1637         (WTF::DOMJITGetterComplex::functionEnableException):
1638         (WTF::DOMJITGetterComplex::customGetter):
1639         (WTF::DOMJITGetterComplex::finishCreation):
1640         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
1641         (WTF::DOMJITFunctionObject::createStructure):
1642         (WTF::DOMJITFunctionObject::create):
1643         (WTF::DOMJITFunctionObject::safeFunction):
1644         (WTF::DOMJITFunctionObject::unsafeFunction):
1645         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
1646         (WTF::DOMJITFunctionObject::finishCreation):
1647         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
1648         (WTF::DOMJITCheckSubClassObject::createStructure):
1649         (WTF::DOMJITCheckSubClassObject::create):
1650         (WTF::DOMJITCheckSubClassObject::safeFunction):
1651         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
1652         (WTF::DOMJITCheckSubClassObject::finishCreation):
1653         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
1654         (WTF::DOMJITGetterBaseJSObject::createStructure):
1655         (WTF::DOMJITGetterBaseJSObject::create):
1656         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
1657         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
1658         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
1659         (WTF::DOMJITGetterBaseJSObject::customGetter):
1660         (WTF::DOMJITGetterBaseJSObject::finishCreation):
1661         (WTF::Message::releaseContents):
1662         (WTF::Message::index const):
1663         (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
1664         (WTF::JSTestCustomGetterSetter::create):
1665         (WTF::JSTestCustomGetterSetter::createStructure):
1666         (WTF::customGetAccessor):
1667         (WTF::customGetValue):
1668         (WTF::customSetAccessor):
1669         (WTF::customSetValue):
1670         (WTF::JSTestCustomGetterSetter::finishCreation):
1671         (WTF::Element::handleOwner):
1672         (WTF::Element::finishCreation):
1673         (JSC::functionCrash):
1674         (JSC::functionCreateProxy):
1675         (JSC::functionCreateRuntimeArray):
1676         (JSC::functionCreateImpureGetter):
1677         (JSC::functionCreateCustomGetterObject):
1678         (JSC::functionCreateDOMJITNodeObject):
1679         (JSC::functionCreateDOMJITGetterObject):
1680         (JSC::functionCreateDOMJITGetterComplexObject):
1681         (JSC::functionCreateDOMJITFunctionObject):
1682         (JSC::functionCreateDOMJITCheckSubClassObject):
1683         (JSC::functionCreateDOMJITGetterBaseJSObject):
1684         (JSC::functionSetImpureGetterDelegate):
1685         (JSC::functionCreateBuiltin):
1686         (JSC::functionCreateRoot):
1687         (JSC::functionCreateElement):
1688         (JSC::functionGetElement):
1689         (JSC::functionCreateSimpleObject):
1690         (JSC::functionGetHiddenValue):
1691         (JSC::functionSetHiddenValue):
1692         (JSC::functionShadowChickenFunctionsOnStack):
1693         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
1694         (JSC::functionFindTypeForExpression):
1695         (JSC::functionReturnTypeFor):
1696         (JSC::functionDumpBasicBlockExecutionRanges):
1697         (JSC::functionHasBasicBlockExecuted):
1698         (JSC::functionBasicBlockExecutionCount):
1699         (JSC::functionEnableExceptionFuzz):
1700         (JSC::functionGlobalObjectForObject):
1701         (JSC::functionGetGetterSetter):
1702         (JSC::functionLoadGetterFromGetterSetter):
1703         (JSC::functionCreateCustomTestGetterSetter):
1704         (JSC::JSDollarVM::finishCreation):
1705         (JSC::JSDollarVM::addFunction):
1706         (JSC::JSDollarVM::addConstructibleFunction):
1707         * tools/JSDollarVM.h:
1708         (JSC::JSDollarVM::create):
1709
1710 2017-11-23  Simon Fraser  <simon.fraser@apple.com>
1711
1712         Minor ArrayBufferView cleanup
1713         https://bugs.webkit.org/show_bug.cgi?id=179966
1714
1715         Reviewed by Darin Adler.
1716         
1717         Use void* for data pointers when we don't need to do offset math. Use const for
1718         source pointers.
1719         
1720         Prefer uint8_t* to char*.
1721         
1722         Add comments noting that the assertions should not be made release assertions
1723         as recommended by the style checker, since the point is to avoid the virtual byteLength()
1724         call in release.
1725
1726         * runtime/ArrayBufferView.h:
1727         (JSC::ArrayBufferView::setImpl):
1728         (JSC::ArrayBufferView::setRangeImpl):
1729         (JSC::ArrayBufferView::getRangeImpl):
1730         (JSC::ArrayBufferView::zeroRangeImpl):
1731
1732 2017-11-23  Darin Adler  <darin@apple.com>
1733
1734         Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
1735         https://bugs.webkit.org/show_bug.cgi?id=179907
1736
1737         Reviewed by Sam Weinig.
1738
1739         * inspector/agents/InspectorDebuggerAgent.cpp:
1740         (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
1741         defaults to that.
1742
1743         * runtime/StringPrototype.cpp:
1744         (JSC::stringIncludesImpl): Use String::find since there is no overload of
1745         String::contains that takes a start offset now that we removed the one that took a
1746         caseSensitive boolean. We can add one later if we like, but this should do for now.
1747
1748         * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
1749         the StringImpl.h header because it is only used here.
1750
1751 2017-11-22  Simon Fraser  <simon.fraser@apple.com>
1752
1753         Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
1754         because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
1755         
1756         Also name the argument to zeroRange() to 'count' since it's an item count.
1757
1758         * runtime/GenericTypedArrayView.h:
1759         (JSC::GenericTypedArrayView::zeroRange):
1760         (JSC::GenericTypedArrayView::getRange):
1761
1762 2017-11-21  Simon Fraser  <simon.fraser@apple.com>
1763
1764         Allow for more efficient use of GenericTypedArrayView
1765         https://bugs.webkit.org/show_bug.cgi?id=179899
1766
1767         Reviewed by Sam Weinig.
1768         
1769         Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
1770         under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
1771         in a length.
1772
1773         Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
1774         byteLength() calls.
1775         
1776         Renamed 'dataLength' to 'count' in setRange() to be clearer.
1777         
1778         Added setNative() for callers who don't need clamping of doubles.
1779
1780         * runtime/ArrayBufferView.h:
1781         (JSC::ArrayBufferView::setRangeImpl):
1782         (JSC::ArrayBufferView::getRangeImpl):
1783         * runtime/GenericTypedArrayView.h:
1784         (JSC::GenericTypedArrayView::setRange):
1785         (JSC::GenericTypedArrayView::setNative const):
1786         (JSC::GenericTypedArrayView::getRange):
1787         (JSC::GenericTypedArrayView::checkInboundData const):
1788         (JSC::GenericTypedArrayView::internalByteLength const):
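
The shape this entry describes, as an added example that is not WebKit's code: a minimal typed-array view whose element count is fixed and non-virtual, with a single bounds check in front of each raw memcpy. The names View, checkInboundData, setRange, getRange and zeroRange follow the entry, but the bodies are illustrative; the subtraction form of the check is the detail worth copying.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

template <typename T>
class View {
public:
    explicit View(size_t length) : data_(length, T()) {}
    size_t length() const { return data_.size(); }   // one non-virtual source of truth

    // True iff [offset, offset + count) lies within the view. Written as a
    // subtraction so that a huge `count` cannot wrap the sum and pass the check.
    bool checkInboundData(size_t offset, size_t count) const {
        return offset <= data_.size() && count <= data_.size() - offset;
    }

    // Copy `count` elements from `src` into the view starting at `offset`.
    bool setRange(const T* src, size_t count, size_t offset) {
        if (!checkInboundData(offset, count)) return false;
        if (count) std::memcpy(data_.data() + offset, src, count * sizeof(T));
        return true;
    }
    // Copy `count` elements out of the view starting at `offset`.
    bool getRange(T* dst, size_t count, size_t offset) const {
        if (!checkInboundData(offset, count)) return false;
        if (count) std::memcpy(dst, data_.data() + offset, count * sizeof(T));
        return true;
    }
    // Zero `count` elements starting at `offset`.
    bool zeroRange(size_t offset, size_t count) {
        if (!checkInboundData(offset, count)) return false;
        if (count) std::memset(data_.data() + offset, 0, count * sizeof(T));
        return true;
    }
    T at(size_t i) const { return data_.at(i); }

private:
    std::vector<T> data_;
};

// Write 4 bytes at the very end of a 16-byte view, then ask for one byte past it:
// the first succeeds, the second is rejected before any memcpy runs.
bool demoLastFourBytes() {
    View<uint8_t> v(16);
    const uint8_t src[4] = {1, 2, 3, 4};
    return v.setRange(src, 4, 12) && !v.setRange(src, 4, 13) && v.at(15) == 4;
}
```

Because `count <= length - offset` is evaluated only after `offset <= length` has held, neither expression can wrap; the naive `offset + count <= length` would accept a count near SIZE_MAX.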
1789
1790 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1791
1792         [DFG][FTL] Support MapSet / SetAdd intrinsics
1793         https://bugs.webkit.org/show_bug.cgi?id=179858
1794
1795         Reviewed by Saam Barati.
1796
1797         Map.prototype.set and Set.prototype.add use the MapHash value anyway.
1798         By handling them as MapSet and SetAdd DFG nodes and decoupling
1799         MapSet and SetAdd nodes from MapHash DFG node, we have a chance to
1800         remove duplicate MapHash calculation for the same key.
1801
1802         One story is *set-if-not-exists*.
1803
1804             if (!map.has(key))
1805                 map.set(key, value);
1806
1807         In the above code, both `has` and `set` require hash value for `key`.
1808         If we can change `set` to the series of DFG nodes:
1809
1810             1: MapHash(key)
1811             2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)
1812
1813         we can remove duplicate @1 produced by `has` operation.
1814
1815         This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively.
1816
1817                                          baseline                  patched
1818
1819             map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
1820             map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster
1821
1822         Microbenchmarks
1823
1824             map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster
1825
1826         * dfg/DFGAbstractInterpreterInlines.h:
1827         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1828         * dfg/DFGByteCodeParser.cpp:
1829         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1830         * dfg/DFGClobberize.h:
1831         (JSC::DFG::clobberize):
1832         * dfg/DFGDoesGC.cpp:
1833         (JSC::DFG::doesGC):
1834         * dfg/DFGFixupPhase.cpp:
1835         (JSC::DFG::FixupPhase::fixupNode):
1836         * dfg/DFGNodeType.h:
1837         * dfg/DFGOperations.cpp:
1838         * dfg/DFGOperations.h:
1839         * dfg/DFGPredictionPropagationPhase.cpp:
1840         * dfg/DFGSafeToExecute.h:
1841         (JSC::DFG::safeToExecute):
1842         * dfg/DFGSpeculativeJIT.cpp:
1843         (JSC::DFG::SpeculativeJIT::compileSetAdd):
1844         (JSC::DFG::SpeculativeJIT::compileMapSet):
1845         * dfg/DFGSpeculativeJIT.h:
1846         (JSC::DFG::SpeculativeJIT::callOperation):
1847         * dfg/DFGSpeculativeJIT32_64.cpp:
1848         (JSC::DFG::SpeculativeJIT::compile):
1849         * dfg/DFGSpeculativeJIT64.cpp:
1850         (JSC::DFG::SpeculativeJIT::compile):
1851         * ftl/FTLCapabilities.cpp:
1852         (JSC::FTL::canCompile):
1853         * ftl/FTLLowerDFGToB3.cpp:
1854         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1855         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
1856         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
1857         * jit/JITOperations.h:
1858         * runtime/HashMapImpl.h:
1859         (JSC::HashMapImpl::addNormalized):
1860         (JSC::HashMapImpl::addNormalizedInternal):
1861         * runtime/Intrinsic.cpp:
1862         (JSC::intrinsicName):
1863         * runtime/Intrinsic.h:
1864         * runtime/MapPrototype.cpp:
1865         (JSC::MapPrototype::finishCreation):
1866         * runtime/SetPrototype.cpp:
1867         (JSC::SetPrototype::finishCreation):
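
The mechanisms from this entry and from the HashMapBucket entry of 2017-11-24 (empty key as the deleted mark, sentinels of (undefined, undefined), and one hash shared by `has` and `set`), as a single added example that is not WebKit code. Value, Bucket, MapModel and mapHash are illustrative stand-ins for JSValue, HashMapBucket, HashMapImpl and MapHash; the table is fixed-size and never rehashes, which a real implementation must do.

```cpp
#include <cstdint>
#include <memory>
#include <vector>

// Stand-in for JSValue: the Empty encoding never reaches script, so it can mean "deleted".
struct Value {
    enum Kind : uint8_t { Empty, Undefined, Int };
    Kind kind; int64_t i;
    Value() : kind(Empty), i(0) {}
    Value(Kind k, int64_t v) : kind(k), i(v) {}
    static Value undefined() { return Value(Undefined, 0); }
    static Value fromInt(int64_t v) { return Value(Int, v); }
    bool isEmpty() const { return kind == Empty; }
    bool operator==(const Value& o) const { return kind == o.kind && i == o.i; }
};

// Stand-in for MapHash: computed once per key and passed into has/add/remove.
uint32_t mapHash(const Value& v) {
    uint64_t x = (static_cast<uint64_t>(v.kind) << 56) ^ static_cast<uint64_t>(v.i);
    x ^= x >> 33; x *= 0xff51afd7ed558ccdull; x ^= x >> 33;
    return static_cast<uint32_t>(x);
}

struct Bucket {
    Value key, value;                                // key.isEmpty() is the deleted mark; no m_deleted field
    Bucket* prev = nullptr; Bucket* next = nullptr;  // doubly linked chain in insertion order
    bool deleted() const { return key.isEmpty(); }
    void makeDeleted() { key = Value(); value = Value(); }
};

class MapModel {
public:
    explicit MapModel(size_t capacity = 64) : table_(capacity, nullptr) {
        // Sentinels hold (undefined, undefined): code that loads a sentinel's key must not see "deleted".
        head_.key = head_.value = tail_.key = tail_.value = Value::undefined();
        head_.next = &tail_; tail_.prev = &head_;
    }
    bool has(const Value& key, uint32_t hash) const { return find(key, hash) != nullptr; }

    // addNormalized analogue: the hash is an input, never recomputed. True only when a new key goes in.
    bool addNormalized(const Value& key, const Value& value, uint32_t hash) {
        if (key.isEmpty()) return false;                          // would read back as deleted
        if (Bucket* b = find(key, hash)) { b->value = value; return false; }
        size_t cap = table_.size();
        for (size_t n = 0, idx = hash % cap; n < cap; ++n, idx = (idx + 1) % cap) {
            if (table_[idx] && !table_[idx]->deleted()) continue;  // live bucket, keep probing
            auto b = std::make_unique<Bucket>();
            b->key = key; b->value = value;
            b->prev = tail_.prev; b->next = &tail_;                // append to the chain
            tail_.prev->next = b.get(); tail_.prev = b.get();
            table_[idx] = b.get();                                 // empty slot or reused tombstone
            storage_.push_back(std::move(b));
            ++keyCount_; return true;
        }
        return false;   // table full; a real implementation rehashes here
    }

    // Removal only rewrites the key; the bucket stays in the chain so iterators can step over it.
    bool remove(const Value& key, uint32_t hash) {
        Bucket* b = find(key, hash);
        if (!b) return false;
        b->makeDeleted(); --keyCount_; return true;
    }

    // The set-if-not-exists pattern: one MapHash shared by has() and set().
    bool setIfAbsent(const Value& key, const Value& value) {
        uint32_t h = mapHash(key);
        return !has(key, h) && addNormalized(key, value, h);
    }

    // GetMapBucketNext analogue: walk the chain, skipping buckets whose key is Empty.
    std::vector<int64_t> keysInOrder() const {
        std::vector<int64_t> out;
        for (Bucket* b = head_.next; b != &tail_; b = b->next)
            if (!b->deleted()) out.push_back(b->key.i);
        return out;
    }

private:
    // Linear probing; a slot holding a deleted bucket is a tombstone to probe past.
    Bucket* find(const Value& key, uint32_t hash) const {
        size_t cap = table_.size();
        for (size_t n = 0, idx = hash % cap; n < cap; ++n, idx = (idx + 1) % cap) {
            Bucket* b = table_[idx];
            if (!b) return nullptr;
            if (!b->deleted() && b->key == key) return b;
        }
        return nullptr;
    }
    Bucket head_, tail_;
    std::vector<Bucket*> table_;
    std::vector<std::unique_ptr<Bucket>> storage_;
    size_t keyCount_ = 0;
};

// Add 1 and 2, re-add 1 (a no-op), delete 1, add 1 again: the chain then reads {2, 1}.
std::vector<int64_t> scenarioKeyOrder() {
    MapModel m;
    m.setIfAbsent(Value::fromInt(1), Value::fromInt(10)); m.setIfAbsent(Value::fromInt(2), Value::fromInt(20));
    m.setIfAbsent(Value::fromInt(1), Value::fromInt(99));  // present: not overwritten
    m.remove(Value::fromInt(1), mapHash(Value::fromInt(1)));
    m.setIfAbsent(Value::fromInt(1), Value::fromInt(11));  // probes past the tombstone
    return m.keysInOrder();
}
```

The invariant that makes the trick safe is the guard in addNormalized: nothing script-reachable may ever store an Empty key, or a live entry would be indistinguishable from a deleted one.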
1868
1869 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1870
1871         [JSC] Allow poly proto for intrinsic getters
1872         https://bugs.webkit.org/show_bug.cgi?id=179550
1873
1874         Reviewed by Saam Barati.
1875
1876         This patch allows intrinsic getters to accept poly proto.
1877         We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
1878         poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
1879         code for poly proto case.
1880
1881         * bytecode/IntrinsicGetterAccessCase.cpp:
1882         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
1883         (JSC::IntrinsicGetterAccessCase::create):
1884         * bytecode/IntrinsicGetterAccessCase.h:
1885         * jit/IntrinsicEmitter.cpp:
1886         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
1887         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
1888         * jit/Repatch.cpp:
1889         (JSC::tryCacheGetByID):
1890
1891 2017-11-20  Don Olmstead  <don.olmstead@sony.com>
1892
1893         Detect __declspec within JSBase.h
1894         https://bugs.webkit.org/show_bug.cgi?id=179892
1895
1896         Reviewed by Darin Adler.
1897
1898         * API/JSBase.h:
1899
1900 2017-11-19  Tim Horton  <timothy_horton@apple.com>
1901
1902         Remove unused TOUCH_ICON_LOADING feature flag
1903         https://bugs.webkit.org/show_bug.cgi?id=179873
1904
1905         Reviewed by Simon Fraser.
1906
1907         * Configurations/FeatureDefines.xcconfig:
1908
1909 2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1910
1911         Add CPU(UNKNOWN) to cover all the unknown CPU types
1912         https://bugs.webkit.org/show_bug.cgi?id=179243
1913
1914         Reviewed by JF Bastien.
1915
1916         * CMakeLists.txt:
1917
1918 2017-11-19  Tim Horton  <timothy_horton@apple.com>
1919
1920         Remove unused LEGACY_VENDOR_PREFIXES feature flag
1921         https://bugs.webkit.org/show_bug.cgi?id=179872
1922
1923         Reviewed by Darin Adler.
1924
1925         * Configurations/FeatureDefines.xcconfig:
1926
1927 2017-11-18  Tim Horton  <timothy_horton@apple.com>
1928
1929         Fix typos in closing ENABLE() comments
1930         https://bugs.webkit.org/show_bug.cgi?id=179869
1931
1932         Unreviewed.
1933
1934         * wasm/WasmMemory.h:
1935         * wasm/WasmMemoryMode.h:
1936
1937 2017-11-17  JF Bastien  <jfbastien@apple.com>
1938
1939         NFC update ClassInfo to C++14
1940         https://bugs.webkit.org/show_bug.cgi?id=179783
1941
1942         Reviewed by Mark Lam.
1943
1944         Forked from #179734, use `using` instead of `typedef`. It's easier
1945         to read.
1946
1947         * runtime/ClassInfo.h:
1948
1949 2017-11-17  JF Bastien  <jfbastien@apple.com>
1950
1951         WebAssembly JS API: throw when a promise can't be created
1952         https://bugs.webkit.org/show_bug.cgi?id=179826
1953         <rdar://problem/35455813>
1954
1955         Reviewed by Mark Lam.
1956
1957         Failure *in* a promise causes rejection, but failure to create a
1958         promise (because of stack overflow) isn't really spec'd (as with all
1959         stack things in JS). This applies to WebAssembly.compile and
1960         WebAssembly.instantiate.
1961
1962         Dan's current proposal says:
1963
1964             https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
1965
1966             Whenever a stack overflow occurs in WebAssembly code, the same
1967             class of exception is thrown as for a stack overflow in
1968             JavaScript. The particular exception here is
1969             implementation-defined in both cases.
1970
1971             Note: ECMAScript doesn’t specify any sort of behavior on stack
1972             overflow; implementations have been observed to throw RangeError,
1973             InternalError or Error. Any is valid here.
1974
1975         This is for general stack overflow within WebAssembly, not
1976         specifically for promise creation within JavaScript, but it seems
1977         like a stack overflow in promise creation should follow the same
1978         rule instead of, say, swallowing the overflow and returning
1979         undefined.
1980
1981         * wasm/js/WebAssemblyPrototype.cpp:
1982         (JSC::webAssemblyCompileFunc):
1983         (JSC::webAssemblyInstantiateFunc):
1984
1985 2017-11-16  Daniel Bates  <dabates@apple.com>
1986
1987         Add feature define for alternative presentation button element
1988         https://bugs.webkit.org/show_bug.cgi?id=179692
1989         Part of <rdar://problem/34917108>
1990
1991         Reviewed by Andy Estes.
1992
1993         Only enabled on Cocoa platforms by default.
1994
1995         * Configurations/FeatureDefines.xcconfig:
1996
1997 2017-11-16  Saam Barati  <sbarati@apple.com>
1998
1999         Fix a bug with cpuid in the FTL.
2000
2001         Rubber stamped by Mark Lam.
2002
2003         Before uploading the previous patch, I tried to condense the code. I
2004         accidentally removed a crucial line saying that CPUID clobbers various
2005         registers.
2006
2007         * ftl/FTLLowerDFGToB3.cpp:
2008         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2009
2010 2017-11-16  Saam Barati  <sbarati@apple.com>
2011
2012         Add some X86 intrinsics to $vm to help with some perf testing
2013         https://bugs.webkit.org/show_bug.cgi?id=179693
2014
2015         Reviewed by Mark Lam.
2016
2017         I've been doing some local perf testing of various ideas and have
2018         had these come in handy. I'm going to land them in dollarVM to prevent
2019         having to add them to my local build every time I do perf testing.
2020
2021         * assembler/MacroAssemblerX86Common.h:
2022         (JSC::MacroAssemblerX86Common::mfence):
2023         (JSC::MacroAssemblerX86Common::rdtsc):
2024         (JSC::MacroAssemblerX86Common::pause):
2025         (JSC::MacroAssemblerX86Common::cpuid):
2026         * assembler/X86Assembler.h:
2027         (JSC::X86Assembler::rdtsc):
2028         (JSC::X86Assembler::pause):
2029         (JSC::X86Assembler::cpuid):
2030         * dfg/DFGAbstractInterpreterInlines.h:
2031         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2032         * dfg/DFGByteCodeParser.cpp:
2033         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2034         * dfg/DFGClobberize.h:
2035         (JSC::DFG::clobberize):
2036         * dfg/DFGDoesGC.cpp:
2037         (JSC::DFG::doesGC):
2038         * dfg/DFGFixupPhase.cpp:
2039         (JSC::DFG::FixupPhase::fixupNode):
2040         * dfg/DFGGraph.cpp:
2041         (JSC::DFG::Graph::dump):
2042         * dfg/DFGNode.h:
2043         (JSC::DFG::Node::intrinsic):
2044         * dfg/DFGNodeType.h:
2045         * dfg/DFGPredictionPropagationPhase.cpp:
2046         * dfg/DFGSafeToExecute.h:
2047         (JSC::DFG::safeToExecute):
2048         * dfg/DFGSpeculativeJIT32_64.cpp:
2049         (JSC::DFG::SpeculativeJIT::compile):
2050         * dfg/DFGSpeculativeJIT64.cpp:
2051         (JSC::DFG::SpeculativeJIT::compile):
2052         * dfg/DFGValidate.cpp:
2053         * ftl/FTLCapabilities.cpp:
2054         (JSC::FTL::canCompile):
2055         * ftl/FTLLowerDFGToB3.cpp:
2056         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2057         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2058         * runtime/Intrinsic.cpp:
2059         (JSC::intrinsicName):
2060         * runtime/Intrinsic.h:
2061         * tools/JSDollarVM.cpp:
2062         (JSC::functionCpuMfence):
2063         (JSC::functionCpuRdtsc):
2064         (JSC::functionCpuCpuid):
2065         (JSC::functionCpuPause):
2066         (JSC::functionCpuClflush):
2067         (JSC::JSDollarVM::finishCreation):
2068
2069 2017-11-16  JF Bastien  <jfbastien@apple.com>
2070
2071         It should be easier to reify lazy property names
2072         https://bugs.webkit.org/show_bug.cgi?id=179734
2073         <rdar://problem/35492521>
2074
2075         Reviewed by Keith Miller.
2076
2077         We reify lazy property names in a few different ways, each
2078         specific to the JSCell implementation, in put() instead of having
2079         a special function to do reification. Let's make that simpler.
2080
2081         This patch makes it easier to reify property names in a uniform
2082         manner, and does so in JSFunction. As a follow up I'll use the
2083         same mechanics for:
2084
2085         ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
2086         ErrorConstructor  stackTraceLimit
2087         ErrorInstance     line, column, sourceURL, stack
2088         GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
2089         GetterSetter      RELEASE_ASSERT_NOT_REACHED()
2090         JSArray           length
2091         RegExpObject      lastIndex
2092         StringObject      length
2093
2094         * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
2095         * runtime/JSCell.cpp:
2096         (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
2097         * runtime/JSCell.h:
2098         * runtime/JSFunction.cpp: `name` and `length` can be reified.
2099         (JSC::JSFunction::reifyPropertyNameIfNeeded):
2100         (JSC::JSFunction::put):
2101         (JSC::JSFunction::reifyLength):
2102         (JSC::JSFunction::reifyName):
2103         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2104         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2105         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2106         (JSC::JSFunction::reifyLazyNameIfNeeded):
2107         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2108         * runtime/JSFunction.h:
2109         (JSC::JSFunction::isLazy):
2110         (JSC::JSFunction::isReified):
2111         * runtime/JSObjectInlines.h:
2112         (JSC::JSObject::putDirectInternal): do the reification here.
2113
2114 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2115
2116         Provide a runtime option for disabling the optimization of recursive tail calls
2117         https://bugs.webkit.org/show_bug.cgi?id=179765
2118
2119         Reviewed by Mark Lam.
2120
2121         * bytecode/PreciseJumpTargets.cpp:
2122         (JSC::getJumpTargetsForBytecodeOffset):
2123         * bytecompiler/BytecodeGenerator.cpp:
2124         (JSC::BytecodeGenerator::emitEnter):
2125         * dfg/DFGByteCodeParser.cpp:
2126         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2127         * runtime/Options.h:
2128
2129 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2130
2131         Fix null pointer dereference in bytecodeDumper
2132         https://bugs.webkit.org/show_bug.cgi?id=179764
2133
2134         Reviewed by Mark Lam.
2135
2136         The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
2137
2138         * bytecode/BytecodeDumper.cpp:
2139         (JSC::BytecodeDumper<Block>::printCallOp):
2140
2141 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2142
2143         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2144         https://bugs.webkit.org/show_bug.cgi?id=179763
2145         <rdar://problem/35550513>
2146
2147         Reviewed by Keith Miller.
2148
2149         Fix null pointer dereference caused by an eliminated tdz_check
2150
2151         The problem was that when doing an OSR entry in the DFG while |this| was null
2152         (because super() had not yet been called in the constructor of this
2153         subclass), it would be marked as non-null, and the tdz_check eliminated.
2154
2155         * dfg/DFGInPlaceAbstractState.cpp:
2156         (JSC::DFG::InPlaceAbstractState::initialize):
2157
2158 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
2159
2160         Unreviewed, rolling out r224863.
2161
2162         Introduced LayoutTest crashes on iOS Simulator.
2163
2164         Reverted changeset:
2165
2166         "Move JSONValues to WTF and convert uses of InspectorValues.h
2167         to JSONValues.h"
2168         https://bugs.webkit.org/show_bug.cgi?id=173793
2169         https://trac.webkit.org/changeset/224863
2170
2171 2017-11-14  Mark Lam  <mark.lam@apple.com>
2172
2173         Gardening: CLoop build fix after r224862.
2174         https://bugs.webkit.org/show_bug.cgi?id=179699
2175
2176         Not reviewed.
2177
2178         * bytecode/CodeBlock.h:
2179         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2180
2181 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
2182
2183         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
2184         https://bugs.webkit.org/show_bug.cgi?id=173793
2185
2186         Reviewed by Brian Burg.
2187
2188         Based on patch by Brian Burg.
2189
2190         * JavaScriptCore.xcodeproj/project.pbxproj:
2191         * Sources.txt:
2192         * bindings/ScriptValue.cpp:
2193         (Inspector::jsToInspectorValue):
2194         (Inspector::toInspectorValue):
2195         (Deprecated::ScriptValue::toInspectorValue const):
2196         * bindings/ScriptValue.h:
2197         * inspector/AsyncStackTrace.cpp:
2198         * inspector/ConsoleMessage.cpp:
2199         * inspector/ContentSearchUtilities.cpp:
2200         * inspector/InjectedScript.cpp:
2201         (Inspector::InjectedScript::getFunctionDetails):
2202         (Inspector::InjectedScript::functionDetails):
2203         (Inspector::InjectedScript::getPreview):
2204         (Inspector::InjectedScript::getProperties):
2205         (Inspector::InjectedScript::getDisplayableProperties):
2206         (Inspector::InjectedScript::getInternalProperties):
2207         (Inspector::InjectedScript::getCollectionEntries):
2208         (Inspector::InjectedScript::saveResult):
2209         (Inspector::InjectedScript::wrapCallFrames const):
2210         (Inspector::InjectedScript::wrapObject const):
2211         (Inspector::InjectedScript::wrapTable const):
2212         (Inspector::InjectedScript::previewValue const):
2213         (Inspector::InjectedScript::setExceptionValue):
2214         (Inspector::InjectedScript::clearExceptionValue):
2215         (Inspector::InjectedScript::inspectObject):
2216         (Inspector::InjectedScript::releaseObject):
2217         * inspector/InjectedScriptBase.cpp:
2218         (Inspector::InjectedScriptBase::makeCall):
2219         (Inspector::InjectedScriptBase::makeEvalCall):
2220         * inspector/InjectedScriptBase.h:
2221         * inspector/InjectedScriptManager.cpp:
2222         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2223         * inspector/InspectorBackendDispatcher.cpp:
2224         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
2225         (Inspector::BackendDispatcher::dispatch):
2226         (Inspector::BackendDispatcher::sendResponse):
2227         (Inspector::BackendDispatcher::sendPendingErrors):
2228         (Inspector::BackendDispatcher::getPropertyValue):
2229         (Inspector::castToInteger):
2230         (Inspector::castToNumber):
2231         (Inspector::BackendDispatcher::getInteger):
2232         (Inspector::BackendDispatcher::getDouble):
2233         (Inspector::BackendDispatcher::getString):
2234         (Inspector::BackendDispatcher::getBoolean):
2235         (Inspector::BackendDispatcher::getObject):
2236         (Inspector::BackendDispatcher::getArray):
2237         (Inspector::BackendDispatcher::getValue):
2238         * inspector/InspectorBackendDispatcher.h:
2239         * inspector/InspectorProtocolTypes.h:
2240         (Inspector::Protocol::Array::openAccessors):
2241         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
2242         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
2243         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
2244         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
2245         * inspector/ScriptCallFrame.cpp:
2246         * inspector/ScriptCallStack.cpp:
2247         * inspector/agents/InspectorAgent.cpp:
2248         (Inspector::InspectorAgent::inspect):
2249         * inspector/agents/InspectorAgent.h:
2250         * inspector/agents/InspectorDebuggerAgent.cpp:
2251         (Inspector::buildAssertPauseReason):
2252         (Inspector::buildCSPViolationPauseReason):
2253         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
2254         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
2255         (Inspector::buildObjectForBreakpointCookie):
2256         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
2257         (Inspector::parseLocation):
2258         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2259         (Inspector::InspectorDebuggerAgent::setBreakpoint):
2260         (Inspector::InspectorDebuggerAgent::continueToLocation):
2261         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2262         (Inspector::InspectorDebuggerAgent::didParseSource):
2263         (Inspector::InspectorDebuggerAgent::breakProgram):
2264         * inspector/agents/InspectorDebuggerAgent.h:
2265         * inspector/agents/InspectorRuntimeAgent.cpp:
2266         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2267         (Inspector::InspectorRuntimeAgent::saveResult):
2268         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2269         * inspector/agents/InspectorRuntimeAgent.h:
2270         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2271         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2272         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2273         (CppBackendDispatcherImplementationGenerator.generate_output):
2274         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2275         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2276         (CppFrontendDispatcherHeaderGenerator.generate_output):
2277         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2278         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2279         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2280         (_generate_unchecked_setter_for_member):
2281         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2282         (CppProtocolTypesImplementationGenerator):
2283         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2284         (ObjCBackendDispatcherImplementationGenerator.generate_output):
2285         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2286         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2287         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2288         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2289         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
2290         * inspector/scripts/codegen/generate_objc_internal_header.py:
2291         (ObjCInternalHeaderGenerator.generate_output):
2292         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2293         (ObjCProtocolTypesImplementationGenerator.generate_output):
2294         * inspector/scripts/codegen/generator.py:
2295         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2296         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2297         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2298         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2299         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2300         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2301         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2302         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2303         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2304         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2305         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2306         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2307         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2308         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2309         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2310         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2311         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2312         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2313         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2314         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2315
2316 2017-11-14  Mark Lam  <mark.lam@apple.com>
2317
2318         Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
2319         https://bugs.webkit.org/show_bug.cgi?id=179699
2320         <rdar://problem/35462346>
2321
2322         Reviewed by Michael Saboff.
2323
2324         * interpreter/Interpreter.cpp:
2325         (JSC::Interpreter::dumpRegisters):
2326         - Need to skip the callee-saved registers.
2327
2328 2017-11-14  Guillaume Emont  <guijemont@igalia.com>
2329
2330         REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
2331         https://bugs.webkit.org/show_bug.cgi?id=179563
2332
2333         Reviewed by Carlos Alberto Lopez Perez.
2334
2335         When run with BranchIfTruncateSuccessful,
2336         branchTruncateDoubleToInt32() should set the destination register
2337         before branching.
2338         This change also removes branchTruncateDoubleToUInt32() as it is
2339         deprecated (see r160205), merges branchOnTruncateResult() into
2340         branchTruncateDoubleToInt32() and adds test cases in testmasm.
2341
2342         * assembler/MacroAssemblerMIPS.h:
2343         (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
2344         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
2345         Properly set dest before branching.
2346         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
2347         * assembler/testmasm.cpp:
2348         (JSC::testBranchTruncateDoubleToInt32):
2349         (JSC::run):
2350         Add tests for branchTruncateDoubleToInt32().
2351
2352 2017-11-14  Daniel Bates  <dabates@apple.com>
2353
2354         Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
2355         for feature defines
2356
2357         Following r195498 and r201917 the Visual Studio property files for feature defines have
2358         moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
2359         Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
2360         files.
2361
2362         * Configurations/FeatureDefines.xcconfig:
2363
2364 2017-11-14  Mark Lam  <mark.lam@apple.com>
2365
2366         Remove JSDollarVMPrototype.
2367         https://bugs.webkit.org/show_bug.cgi?id=179685
2368
2369         Reviewed by Saam Barati.
2370
2371         1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
2372
2373            This allows us to call these functions during lldb debugging sessions using
2374            VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
2375            VMInspector provides VM debugging utility methods.  It doesn't make sense to
2376            have a JSDollarVMPrototype object provide these methods.
2377
2378            Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
2379
2380         2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
2381
2382            JSDollarVM is a special object used only for debugging purposes.  There's no
2383            gain in requiring its methods to be stored in a prototype object other than to
2384            conform to typical JS convention.  We can remove this complexity.
2385
2386         * JavaScriptCore.xcodeproj/project.pbxproj:
2387         * Sources.txt:
2388         * runtime/JSGlobalObject.cpp:
2389         (JSC::JSGlobalObject::init):
2390         * tools/JSDollarVM.cpp:
2391         (JSC::JSDollarVM::addFunction):
2392         (JSC::functionCrash):
2393         (JSC::functionDFGTrue):
2394         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2395         (JSC::CallerFrameJITTypeFunctor::operator() const):
2396         (JSC::CallerFrameJITTypeFunctor::jitType):
2397         (JSC::functionLLintTrue):
2398         (JSC::functionJITTrue):
2399         (JSC::functionGC):
2400         (JSC::functionEdenGC):
2401         (JSC::functionCodeBlockForFrame):
2402         (JSC::codeBlockFromArg):
2403         (JSC::functionCodeBlockFor):
2404         (JSC::functionPrintSourceFor):
2405         (JSC::functionPrintBytecodeFor):
2406         (JSC::functionPrint):
2407         (JSC::functionPrintCallFrame):
2408         (JSC::functionPrintStack):
2409         (JSC::functionValue):
2410         (JSC::functionGetPID):
2411         (JSC::JSDollarVM::finishCreation):
2412         * tools/JSDollarVM.h:
2413         (JSC::JSDollarVM::create):
2414         * tools/JSDollarVMPrototype.cpp: Removed.
2415         * tools/JSDollarVMPrototype.h: Removed.
2416         * tools/VMInspector.cpp:
2417         (JSC::VMInspector::currentThreadOwnsJSLock):
2418         (JSC::ensureCurrentThreadOwnsJSLock):
2419         (JSC::VMInspector::gc):
2420         (JSC::VMInspector::edenGC):
2421         (JSC::VMInspector::isInHeap):
2422         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
2423         (JSC::CellAddressCheckFunctor::operator() const):
2424         (JSC::VMInspector::isValidCell):
2425         (JSC::VMInspector::isValidCodeBlock):
2426         (JSC::VMInspector::codeBlockForFrame):
2427         (JSC::PrintFrameFunctor::PrintFrameFunctor):
2428         (JSC::PrintFrameFunctor::operator() const):
2429         (JSC::VMInspector::printCallFrame):
2430         (JSC::VMInspector::printStack):
2431         (JSC::VMInspector::printValue):
2432         * tools/VMInspector.h:
2433
2434 2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>
2435
2436         Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
2437         https://bugs.webkit.org/show_bug.cgi?id=179640
2438         <rdar://problem/35517361>
2439
2440         Reviewed by Devin Rousso.
2441
2442         * CMakeLists.txt:
2443         * DerivedSources.make:
2444         Gate the ServiceWorker domain on the ENABLE feature flag.
2445
2446         * inspector/protocol/ServiceWorker.json: Added.
2447         New domain to be made available inside of a ServiceWorker target.
2448
2449 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2450
2451         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2452         https://bugs.webkit.org/show_bug.cgi?id=179594
2453
2454         Reviewed by Saam Barati.
2455
2456         Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
2457         If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
2458         `arguments[i]` accesses if i is in bounds, and (2) encourage arguments elimination phase
2459         to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
2460         PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
2461
2462         This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
2463         accept this type, and emit optimized code compared to Array::Generic case.
2464
2465         We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) exit as
2466         OutOfBounds instead of ExoticObjectMode.
2467
2468         This change significantly improves SixSpeed rest.es5 since it uses OOB access.
2469         Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
2470
2471             rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster
2472
2473         * dfg/DFGArgumentsEliminationPhase.cpp:
2474         * dfg/DFGArrayMode.cpp:
2475         (JSC::DFG::ArrayMode::refine const):
2476         * dfg/DFGClobberize.h:
2477         (JSC::DFG::clobberize):
2478         * dfg/DFGSpeculativeJIT.cpp:
2479         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2480         * ftl/FTLLowerDFGToB3.cpp:
2481         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2482         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2483
2484 2017-11-14  Saam Barati  <sbarati@apple.com>
2485
2486         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2487         https://bugs.webkit.org/show_bug.cgi?id=179639
2488         <rdar://problem/35513018>
2489
2490         Reviewed by JF Bastien.
2491
2492         Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
2493         walk the stack for ShadowChicken (and maybe other things). We weren't updating
2494         topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
2495         use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
2496         this bug by giving Wasm::Instance a lambda that is called when we need to store
2497         the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
2498         Currently, JSWebAssemblyInstance passes in a lambda that stores to
2499         VM.topCallFrame.
2500
2501         * wasm/WasmB3IRGenerator.cpp:
2502         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2503         * wasm/WasmInstance.cpp:
2504         (JSC::Wasm::Instance::Instance):
2505         (JSC::Wasm::Instance::create):
2506         * wasm/WasmInstance.h:
2507         (JSC::Wasm::Instance::storeTopCallFrame):
2508         * wasm/js/JSWebAssemblyInstance.cpp:
2509         (JSC::JSWebAssemblyInstance::create):
2510         * wasm/js/JSWebAssemblyInstance.h:
2511         * wasm/js/WasmToJS.cpp:
2512         (JSC::Wasm::wasmToJSException):
2513         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2514         (JSC::constructJSWebAssemblyInstance):
2515         * wasm/js/WebAssemblyPrototype.cpp:
2516         (JSC::instantiate):
2517
2518 2017-11-13  Saam Barati  <sbarati@apple.com>
2519
2520         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
2521         https://bugs.webkit.org/show_bug.cgi?id=179203
2522
2523         Reviewed by Yusuke Suzuki.
2524
2525         This patch only removes the pointer caging for the types described in the title.
2526         These types still allocate out of the gigacage. This is just a cost vs. benefit
2527         tradeoff of performance vs. security.
2528
2529         * dfg/DFGSpeculativeJIT.cpp:
2530         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2531         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2532         * ftl/FTLLowerDFGToB3.cpp:
2533         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2534         * jit/JITPropertyAccess.cpp:
2535         (JSC::JIT::emitDirectArgumentsGetByVal):
2536         (JSC::JIT::emitScopedArgumentsGetByVal):
2537         * runtime/DirectArguments.h:
2538         (JSC::DirectArguments::storage):
2539         * runtime/HashMapImpl.cpp:
2540         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2541         * runtime/HashMapImpl.h:
2542         * runtime/JSLexicalEnvironment.h:
2543         (JSC::JSLexicalEnvironment::variables):
2544         * runtime/ScopedArguments.h:
2545         (JSC::ScopedArguments::overflowStorage const):
2546
2547 2017-11-08  Keith Miller  <keith_miller@apple.com>
2548
2549         Async iteration should only fetch the next method once and add feature flag
2550         https://bugs.webkit.org/show_bug.cgi?id=179451
2551
2552         Reviewed by Geoffrey Garen.
2553
2554         Add feature flag for Async iteration. Also, change async iteration to match
2555         the expected behavior of the proposal.
2556
2557         * Configurations/FeatureDefines.xcconfig:
2558         * builtins/AsyncFromSyncIteratorPrototype.js:
2559         (globalPrivate.createAsyncFromSyncIterator):
2560         (globalPrivate.AsyncFromSyncIteratorConstructor):
2561         * builtins/BuiltinNames.h:
2562         * bytecompiler/BytecodeGenerator.cpp:
2563         (JSC::BytecodeGenerator::emitGetAsyncIterator):
2564         * runtime/Options.h:
2565
2566 2017-11-13  Mark Lam  <mark.lam@apple.com>
2567
2568         Add more overflow check book-keeping for MarkedArgumentBuffer.
2569         https://bugs.webkit.org/show_bug.cgi?id=179634
2570         <rdar://problem/35492517>
2571
2572         Reviewed by Saam Barati.
2573
2574         * runtime/ArgList.h:
2575         (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
2576         * runtime/JSJob.cpp:
2577         (JSC::JSJobMicrotask::run):
2578         * runtime/ObjectConstructor.cpp:
2579         (JSC::defineProperties):
2580         * runtime/ReflectObject.cpp:
2581         (JSC::reflectObjectConstruct):
2582
2583 2017-11-13  Guillaume Emont  <guijemont@igalia.com>
2584
2585         [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
2586         https://bugs.webkit.org/show_bug.cgi?id=179542
2587
2588         Reviewed by Alex Christensen.
2589
2590         * assembler/MacroAssemblerARM.h:
2591         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
2592
2593 2017-11-13  Mark Lam  <mark.lam@apple.com>
2594
2595         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2596         https://bugs.webkit.org/show_bug.cgi?id=179619
2597         <rdar://problem/35492518>
2598
2599         Reviewed by Saam Barati.
2600
2601         * jsc.cpp:
2602         (functionLoadGetterFromGetterSetter):
2603
2604 2017-11-12  Darin Adler  <darin@apple.com>
2605
2606         More is<> and downcast<>, less static_cast<>
2607         https://bugs.webkit.org/show_bug.cgi?id=179600
2608
2609         Reviewed by Chris Dumez.
2610
2611         * runtime/JSString.h:
2612         (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
2613         (JSC::jsSubstringOfResolved): Ditto.
2614
2615 2017-11-12  Mark Lam  <mark.lam@apple.com>
2616
2617         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2618         https://bugs.webkit.org/show_bug.cgi?id=179562
2619         <rdar://problem/35467022>
2620
2621         Reviewed by Saam Barati.
2622
2623         * dfg/DFGFixupPhase.cpp:
2624         (JSC::DFG::FixupPhase::fixupNode):
2625         * dfg/DFGOperations.cpp:
2626         * dfg/DFGSafeToExecute.h:
2627         (JSC::DFG::SafeToExecuteEdge::operator()):
2628         * dfg/DFGSpeculativeJIT.cpp:
2629         (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
2630         (JSC::DFG::SpeculativeJIT::speculate):
2631         * dfg/DFGSpeculativeJIT.h:
2632         * dfg/DFGUseKind.cpp:
2633         (WTF::printInternal):
2634         * dfg/DFGUseKind.h:
2635         (JSC::DFG::typeFilterFor):
2636         * ftl/FTLCapabilities.cpp:
2637         (JSC::FTL::canCompile):
2638         * ftl/FTLLowerDFGToB3.cpp:
2639         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2640         (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
2641
2642 2017-11-11  Devin Rousso  <webkit@devinrousso.com>
2643
2644         Web Inspector: Canvas tab: show detailed status during canvas recording
2645         https://bugs.webkit.org/show_bug.cgi?id=178185
2646         <rdar://problem/34939862>
2647
2648         Reviewed by Brian Burg.
2649
2650         * inspector/protocol/Canvas.json:
2651         Add a `recordingProgress` event that is sent to the frontend that contains all the frame
2652         payloads since the last Canvas.recordingProgress event and the current buffer usage.
2653
2654         * inspector/protocol/Recording.json:
2655         Remove the required `frames` parameter from the Recording protocol object, as they will be
2656         sent in batches via the Canvas.recordingProgress event.
2657
2658 2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>
2659
2660         Web Inspector: Make http status codes be "integer" instead of "number" in protocol
2661         https://bugs.webkit.org/show_bug.cgi?id=179543
2662
2663         Reviewed by Antoine Quint.
2664
2665         * inspector/protocol/Network.json:
2666         Use a better type for the status code.
2667
2668 2017-11-10  Robin Morisset  <rmorisset@apple.com>
2669
2670         The memory consumption of DFG::BasicBlock can be easily reduced a bit
2671         https://bugs.webkit.org/show_bug.cgi?id=179528
2672
2673         Reviewed by Saam Barati.
2674
2675         A few changes here:
2676         - Reordering some fields of DFG::BasicBlock to reduce padding
2677         - Making the enum fields that are glorified booleans fit into a u8
2678         - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
2679           This change works because we never increase the number of arguments after allocating an Operands object.
2680           It lets us avoid one extra capacity field and one extra pointer field per Operands,
2681           and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
2682           Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
2683           we have a chance to avoid an allocation.
2684         - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
2685
2686         * bytecode/Operands.h:
2687         (JSC::Operands::Operands):
2688         (JSC::Operands::numberOfArguments const):
2689         (JSC::Operands::numberOfLocals const):
2690         (JSC::Operands::argument):
2691         (JSC::Operands::argument const):
2692         (JSC::Operands::local):
2693         (JSC::Operands::local const):
2694         (JSC::Operands::ensureLocals):
2695         (JSC::Operands::setLocal):
2696         (JSC::Operands::getLocal):
2697         (JSC::Operands::setArgumentFirstTime):
2698         (JSC::Operands::setLocalFirstTime):
2699         (JSC::Operands::operand):
2700         (JSC::Operands::setOperand):
2701         (JSC::Operands::size const):
2702         (JSC::Operands::at const):
2703         (JSC::Operands::at):
2704         (JSC::Operands::isArgument const):
2705         (JSC::Operands::isVariable const):
2706         (JSC::Operands::virtualRegisterForIndex const):
2707         (JSC::Operands::fill):
2708         (JSC::Operands::operator== const):
2709         (JSC::Operands::argumentForIndex const): Deleted.
2710         (JSC::Operands::variableForIndex const): Deleted.
2711         (JSC::Operands::indexForOperand const): Deleted.
2712         * dfg/DFGBasicBlock.cpp:
2713         (JSC::DFG::BasicBlock::BasicBlock):
2714         * dfg/DFGBasicBlock.h:
2715         * dfg/DFGBranchDirection.h:
2716         * dfg/DFGStructureClobberState.h:
2717
2718 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2719
2720         [JSC] Retry module fetching if previous request fails
2721         https://bugs.webkit.org/show_bug.cgi?id=178168
2722
2723         Reviewed by Saam Barati.
2724
2725         According to the latest spec, the failed fetching operation can be retried if it is requested again.
2726         For example,
2727
2728             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
2729             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
2730
2731         When performing the first module fetching, the integrity check fails, and the load of this module fails.
2732         But when loading the second module, we do not use the cached failure result from the first module loading.
2733         We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
2734         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
2735
2736         Interestingly, the fetching result and instantiation result will be cached if they succeed. This is because we would
2737         like to cache modules based on their URLs. As a result,
2738
2739             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
2740             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
2741
2742         In the above case, the first loading succeeds. And the second loading also succeeds since the successful fetching and
2743         instantiation are cached in the module pipeline.
2744
2745         This patch implements the above semantics. Previously, our module pipeline always cached the result. If the fetching
2746         failed, all the subsequent fetching for the same URL failed even if we had different integrity values. We retry fetching
2747         if the previous one fails. As an overview of our change,
2748
2749         1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
2750            be unified. But if the currently executing one fails, other attempts should retry fetching.
2751
2752         2. Instantiation should be cached if fetching succeeds.
2753
2754         3. Satisfying should be cached if it succeeds.
2755
2756         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
2757
2758         * builtins/ModuleLoaderPrototype.js:
2759         (requestFetch):
2760         (requestInstantiate):
2761         (requestSatisfy):
2762         (link):
2763         (loadModule):
2764         * runtime/JSGlobalObject.cpp:
2765         (JSC::JSGlobalObject::init):
2766
2767 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
2768
2769         Web Inspector: support undo/redo of insertAdjacentHTML
2770         https://bugs.webkit.org/show_bug.cgi?id=179283
2771
2772         Reviewed by Joseph Pecoraro.
2773
2774         * inspector/protocol/DOM.json:
2775         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
2776         on the given node.
2777
2778 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
2779
2780         Web Inspector: Make domain availability a list of types instead of a single type
2781         https://bugs.webkit.org/show_bug.cgi?id=179457
2782
2783         Reviewed by Brian Burg.
2784
2785         * inspector/scripts/codegen/generate_js_backend_commands.py:
2786         (JSBackendCommandsGenerator.generate_domain):
2787         Update output of `InspectorBackend.activateDomain` to include the list.
2788
2789         * inspector/scripts/codegen/models.py:
2790         (Protocol.parse_domain):
2791         Parse `availability` as a list and include a new supported value of "service-worker".
2792
2793         * inspector/protocol/ApplicationCache.json:
2794         * inspector/protocol/CSS.json:
2795         * inspector/protocol/Canvas.json:
2796         * inspector/protocol/DOM.json:
2797         * inspector/protocol/DOMDebugger.json:
2798         * inspector/protocol/DOMStorage.json:
2799         * inspector/protocol/Database.json:
2800         * inspector/protocol/IndexedDB.json:
2801         * inspector/protocol/LayerTree.json:
2802         * inspector/protocol/Memory.json:
2803         * inspector/protocol/Network.json:
2804         * inspector/protocol/Page.json:
2805         * inspector/protocol/Timeline.json:
2806         * inspector/protocol/Worker.json:
2807         Update `availability` to be a list.
2808
2809         * inspector/scripts/tests/generic/domain-availability.json:
2810         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2811         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
2812         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
2813         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
2814         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
2815         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
2816         Update tests to include a test for the type and an invalid value.
2817
2818 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2819
2820         [JSC][JIT] Clean up SlowPathCall stubs
2821         https://bugs.webkit.org/show_bug.cgi?id=179247
2822
2823         Reviewed by Saam Barati.
2824
2825         We have a bunch of duplicate functions that just call a slow path function.
2826         This patch cleans up the above duplication.
2827
2828         * jit/JIT.cpp:
2829         (JSC::JIT::emitSlowCaseCall):
2830         (JSC::JIT::privateCompileSlowCases):
2831         * jit/JIT.h:
2832         * jit/JITArithmetic.cpp:
2833         (JSC::JIT::emitSlow_op_unsigned): Deleted.
2834         (JSC::JIT::emitSlow_op_inc): Deleted.
2835         (JSC::JIT::emitSlow_op_dec): Deleted.
2836         (JSC::JIT::emitSlow_op_bitand): Deleted.
2837         (JSC::JIT::emitSlow_op_bitor): Deleted.
2838         (JSC::JIT::emitSlow_op_bitxor): Deleted.
2839         (JSC::JIT::emitSlow_op_lshift): Deleted.
2840         (JSC::JIT::emitSlow_op_rshift): Deleted.
2841         (JSC::JIT::emitSlow_op_urshift): Deleted.
2842         (JSC::JIT::emitSlow_op_div): Deleted.
2843         * jit/JITArithmetic32_64.cpp:
2844         (JSC::JIT::emitSlow_op_unsigned): Deleted.
2845         (JSC::JIT::emitSlow_op_inc): Deleted.
2846         (JSC::JIT::emitSlow_op_dec): Deleted.
2847         * jit/JITOpcodes.cpp:
2848         (JSC::JIT::emitSlow_op_create_this): Deleted.
2849         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
2850         (JSC::JIT::emitSlow_op_to_this): Deleted.
2851         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
2852         (JSC::JIT::emitSlow_op_not): Deleted.
2853         (JSC::JIT::emitSlow_op_stricteq): Deleted.
2854         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
2855         (JSC::JIT::emitSlow_op_to_number): Deleted.
2856         (JSC::JIT::emitSlow_op_to_string): Deleted.
2857         (JSC::JIT::emitSlow_op_to_object): Deleted.
2858         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
2859         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
2860         * jit/JITOpcodes32_64.cpp:
2861         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
2862         (JSC::JIT::emitSlow_op_not): Deleted.
2863         (JSC::JIT::emitSlow_op_stricteq): Deleted.
2864         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
2865         (JSC::JIT::emitSlow_op_to_number): Deleted.
2866         (JSC::JIT::emitSlow_op_to_string): Deleted.
2867         (JSC::JIT::emitSlow_op_to_object): Deleted.
2868         (JSC::JIT::emitSlow_op_create_this): Deleted.
2869         (JSC::JIT::emitSlow_op_to_this): Deleted.
2870         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
2871         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
2872         * jit/JITPropertyAccess.cpp:
2873         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
2874         * jit/JITPropertyAccess32_64.cpp:
2875         (JSC::JIT::emit_op_resolve_scope):
2876         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
2877         * jit/SlowPathCall.h:
2878         (JSC::JITSlowPathCall::JITSlowPathCall):
2879         * runtime/CommonSlowPaths.cpp:
2880         (JSC::SLOW_PATH_DECL):
2881         * runtime/CommonSlowPaths.h:
2882
2883 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
2884
2885         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
2886         https://bugs.webkit.org/show_bug.cgi?id=179446
2887
2888         Reviewed by Žan Doberšek.
2889
2890         The trunc.w.d mips instruction should give a 0x7fffffff result when
2891         the source value is Infinity, NaN, or rounds to an integer outside the
2892         range -2^31 to 2^31 -1. This is what branchTruncateDoubleToInt32() and
2893         branchTruncateDoubleToUInt32() have been relying on. It turns out that
2894         this assumption is not true on some CPUs, including on the ci20 on
2895         which we run the testbot (we get 0x80000000 instead). We should use the
2896         invalid operation cause bit instead to check whether the source value
2897         could be properly truncated. This requires the addition of the cfc1
2898         instruction, as well as the special registers that can be used with it
2899         (control registers of CP1).
2900
2901         * assembler/MIPSAssembler.h:
2902         (JSC::MIPSAssembler::firstSPRegister):
2903         (JSC::MIPSAssembler::lastSPRegister):
2904         (JSC::MIPSAssembler::numberOfSPRegisters):
2905         (JSC::MIPSAssembler::sprName):
2906         Added control registers of CP1.
2907         (JSC::MIPSAssembler::cfc1):
2908         Added.
2909         * assembler/MacroAssemblerMIPS.h:
2910         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
2911         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
2912         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
2913         Use fcsr to check if the value could be properly truncated.
2914
2915 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
2916
2917         HTMLMediaElement should not use element fullscreen on iOS
2918         https://bugs.webkit.org/show_bug.cgi?id=179418
2919         rdar://problem/35409277
2920
2921         Reviewed by Eric Carlson.
2922
2923         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
2924
2925         * Configurations/FeatureDefines.xcconfig:
2926
2927 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
2928
2929         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
2930         https://bugs.webkit.org/show_bug.cgi?id=179276
2931
2932         Reviewed by Andy Estes.
2933
2934         * inspector/InjectedScriptHost.h:
2935         * inspector/JSInjectedScriptHost.cpp:
2936         (Inspector::JSInjectedScriptHost::getInternalProperties):
2937         Call through to virtual implementation so that WebCore can provide custom
2938         internal properties for Web / DOM objects.
2939
2940 2017-11-08  Saam Barati  <sbarati@apple.com>
2941
2942         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2943         https://bugs.webkit.org/show_bug.cgi?id=177792
2944
2945         Reviewed by Yusuke Suzuki.
2946
2947         Before this patch, if a JSFunction's rare data initialized its allocation profile
2948         before its backing Executable's poly proto watchpoint was invalidated, that
2949         JSFunction would continue to allocate non-poly proto objects until its allocation
2950         profile was cleared (which essentially never happens in practice). This patch
2951         improves on this pathology. A JSFunction's rare data will now watch the poly
2952         proto watchpoint if it's still valid and clear its allocation profile when we
2953         detect that we should go poly proto.
2954
2955         * bytecode/ObjectAllocationProfile.h:
2956         * bytecode/ObjectAllocationProfileInlines.h:
2957         (JSC::ObjectAllocationProfile::initializeProfile):
2958         * runtime/FunctionRareData.cpp:
2959         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2960         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
2961         * runtime/FunctionRareData.h:
2962         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
2963         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
2964         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
2965
2966 2017-11-08  Keith Miller  <keith_miller@apple.com>
2967
2968         Add super sampler begin and end bytecodes.
2969         https://bugs.webkit.org/show_bug.cgi?id=179376
2970
2971         Reviewed by Filip Pizlo.
2972
2973         This patch adds a way to measure a narrow range of bytecodes for
2974         performance. This is done using the same infrastructure as the
2975         super sampler. I also added a class that helps do the bytecode
2976         checking with RAII. One problem with the current way this is done
2977         is that we don't handle decrementing early exits, either from
2978         branches or exceptions. So, when using this API, users need to
2979         ensure that there are no early exits or that those exits don't
2980         occur in the measured code.
2981
2982         * JavaScriptCore.xcodeproj/project.pbxproj:
2983         * bytecode/BytecodeDumper.cpp:
2984         (JSC::BytecodeDumper<Block>::dumpBytecode):
2985         * bytecode/BytecodeList.json:
2986         * bytecode/BytecodeUseDef.h:
2987         (JSC::computeUsesForBytecodeOffset):
2988         (JSC::computeDefsForBytecodeOffset):
2989         * bytecompiler/BytecodeGenerator.cpp:
2990         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
2991         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
2992         * bytecompiler/BytecodeGenerator.h:
2993         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
2994         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
2995         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
2996         * dfg/DFGAbstractInterpreterInlines.h:
2997         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2998         * dfg/DFGByteCodeParser.cpp:
2999         (JSC::DFG::ByteCodeParser::parseBlock):
3000         * dfg/DFGClobberize.h:
3001         (JSC::DFG::clobberize):
3002         * dfg/DFGClobbersExitState.cpp:
3003         (JSC::DFG::clobbersExitState):
3004         * dfg/DFGDoesGC.cpp:
3005         (JSC::DFG::doesGC):
3006         * dfg/DFGFixupPhase.cpp:
3007         (JSC::DFG::FixupPhase::fixupNode):
3008         * dfg/DFGMayExit.cpp:
3009         * dfg/DFGNodeType.h:
3010         * dfg/DFGPredictionPropagationPhase.cpp:
3011         * dfg/DFGSafeToExecute.h:
3012         (JSC::DFG::safeToExecute):
3013         * dfg/DFGSpeculativeJIT.cpp:
3014         * dfg/DFGSpeculativeJIT32_64.cpp:
3015         (JSC::DFG::SpeculativeJIT::compile):
3016         * dfg/DFGSpeculativeJIT64.cpp:
3017         (JSC::DFG::SpeculativeJIT::compile):
3018         * ftl/FTLCapabilities.cpp:
3019         (JSC::FTL::canCompile):
3020         * ftl/FTLLowerDFGToB3.cpp:
3021         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3022         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
3023         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
3024         * jit/JIT.cpp:
3025         (JSC::JIT::privateCompileMainPass):
3026         * jit/JIT.h:
3027         * jit/JITOpcodes.cpp:
3028         (JSC::JIT::emit_op_super_sampler_begin):
3029         (JSC::JIT::emit_op_super_sampler_end):
3030         * llint/LLIntSlowPaths.cpp:
3031         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3032         * llint/LLIntSlowPaths.h:
3033         * llint/LowLevelInterpreter.asm:
3034
3035 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3036
3037         Turn recursive tail calls into loops
3038         https://bugs.webkit.org/show_bug.cgi?id=176601
3039
3040         Reviewed by Saam Barati.
3041
3042         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3043
3044         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
3045         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
3046         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
3047         We do this part through modifying the computation of the jump targets.
3048         Importantly, we only do this splitting for functions that have tail calls.
3049         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
3050
3051         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
3052         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
3053
3054         * bytecode/CodeBlock.h:
3055         (JSC::CodeBlock::hasTailCalls const):
3056         * bytecode/PreciseJumpTargets.cpp:
3057         (JSC::getJumpTargetsForBytecodeOffset):
3058         (JSC::computePreciseJumpTargetsInternal):
3059         * bytecode/UnlinkedCodeBlock.cpp:
3060         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3061         * bytecode/UnlinkedCodeBlock.h:
3062         (JSC::UnlinkedCodeBlock::hasTailCalls const):
3063         (JSC::UnlinkedCodeBlock::setHasTailCalls):
3064         * bytecompiler/BytecodeGenerator.cpp:
3065         (JSC::BytecodeGenerator::emitEnter):
3066         (JSC::BytecodeGenerator::emitCallInTailPosition):
3067         * dfg/DFGByteCodeParser.cpp:
3068         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
3069         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
3070         (JSC::DFG::ByteCodeParser::handleCall):
3071         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3072         (JSC::DFG::ByteCodeParser::parseBlock):
3073         (JSC::DFG::ByteCodeParser::parse):
3074
3075 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
3076
3077         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
3078         https://bugs.webkit.org/show_bug.cgi?id=179407
3079
3080         Reviewed by Matt Baker.
3081
3082         * inspector/protocol/Page.json:
3083         Remove unused protocol type.
3084
3085 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
3086
3087         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
3088         https://bugs.webkit.org/show_bug.cgi?id=173619
3089
3090         Reviewed by Alex Christensen and Brian Burg.
3091
3092         Eventually all classes used for our JSON-RPC message passing should be outside
3093         of the Inspector namespace since the protocol is used outside of Inspector code.
3094         This will also allow us to unify the primitive JSON types with parametric types
3095         like Inspector::Protocol::Array<T> and other protocol-related types which don't
3096         need to be in the Inspector namespace.
3097
3098         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
3099         patches, other clients will move to use JSON::Value and friends. When all uses are
3100         changed, the actual implementation will be renamed. This patch just focuses on the typedef
3101         and making changes in generated protocol code.
3102
3103         Original patch by Brian Burg, rebased and updated by me.
3104
3105         * inspector/InspectorValues.cpp:
3106         * inspector/InspectorValues.h:
3107         * inspector/scripts/codegen/cpp_generator.py:
3108         (CppGenerator.cpp_protocol_type_for_type):
3109         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
3110         (CppGenerator.cpp_type_for_type_with_name):
3111         (CppGenerator.cpp_type_for_stack_in_parameter):
3112         * inspector/scripts/codegen/cpp_generator_templates.py:
3113         (void):
3114         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3115         (_generate_class_for_object_declaration):
3116         (_generate_forward_declarations_for_binding_traits):
3117         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3118         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
3119         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
3120         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3121         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3122         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3123         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3124         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3125         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3126         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3127         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3128         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3129         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3130         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3131         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3132         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3133         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3134
3135 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
3136
3137         Get rid of unsightly hex numbers from unified build object files
3138         https://bugs.webkit.org/show_bug.cgi?id=179410
3139
3140         Reviewed by Saam Barati.
3141
3142         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
3143
3144 2017-11-07  Saam Barati  <sbarati@apple.com>
3145
3146         Only cage double butterfly accesses
3147         https://bugs.webkit.org/show_bug.cgi?id=179202
3148
3149         Reviewed by Mark Lam.
3150
3151         This patch removes caging from all butterfly accesses except double loads/stores.
3152         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
3153         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
3154         by caging. The other load/stores we are no longer caging to get back performance on
3155         various benchmarks.
3156
3157         * bytecode/AccessCase.cpp:
3158         (JSC::AccessCase::generateImpl):
3159         * bytecode/InlineAccess.cpp:
3160         (JSC::InlineAccess::dumpCacheSizesAndCrash):
3161         (JSC::InlineAccess::generateSelfPropertyAccess):
3162         (JSC::InlineAccess::generateSelfPropertyReplace):
3163         (JSC::InlineAccess::generateArrayLength):
3164         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
3165         * dfg/DFGSpeculativeJIT.cpp:
3166         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3167         (JSC::DFG::SpeculativeJIT::compileSpread):
3168         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3169         * dfg/DFGSpeculativeJIT64.cpp:
3170         (JSC::DFG::SpeculativeJIT::compile):
3171         * ftl/FTLLowerDFGToB3.cpp:
3172         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
3173         * jit/JITPropertyAccess.cpp:
3174         (JSC::JIT::emitContiguousLoad):
3175         (JSC::JIT::emitArrayStorageLoad):
3176         (JSC::JIT::emitGenericContiguousPutByVal):
3177         (JSC::JIT::emitArrayStoragePutByVal):
3178         (JSC::JIT::emit_op_get_from_scope):
3179         (JSC::JIT::emit_op_put_to_scope):
3180         * llint/LowLevelInterpreter64.asm:
3181         * runtime/AuxiliaryBarrier.h:
3182         (JSC::AuxiliaryBarrier::operator-> const):
3183         * runtime/Butterfly.h:
3184         (JSC::Butterfly::caged):
3185         (JSC::Butterfly::contiguousDouble):
3186         * runtime/JSArray.cpp:
3187         (JSC::JSArray::setLength):
3188         (JSC::JSArray::pop):
3189         (JSC::JSArray::shiftCountWithAnyIndexingType):
3190         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3191         (JSC::JSArray::fillArgList):
3192         (JSC::JSArray::copyToArguments):
3193         * runtime/JSArrayInlines.h:
3194         (JSC::JSArray::pushInline):
3195         * runtime/JSObject.cpp:
3196         (JSC::JSObject::heapSnapshot):
3197         (JSC::JSObject::createInitialIndexedStorage):
3198         (JSC::JSObject::createArrayStorage):
3199         (JSC::JSObject::convertUndecidedToInt32):
3200         (JSC::JSObject::ensureLengthSlow):
3201         (JSC::JSObject::reallocateAndShrinkButterfly):
3202         (JSC::JSObject::allocateMoreOutOfLineStorage):
3203         * runtime/JSObject.h:
3204         (JSC::JSObject::canGetIndexQuickly):
3205         (JSC::JSObject::getIndexQuickly):
3206         (JSC::JSObject::tryGetIndexQuickly const):
3207         (JSC::JSObject::canSetIndexQuickly):
3208         (JSC::JSObject::butterfly const):
3209         (JSC::JSObject::butterfly):
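
        The following is an added illustration of the caging that the entry above keeps for
        double accesses; it is example code, not WebKit's Gigacage implementation. The cage
        base and size, the offset-and-mask scheme, and the helper names (cage_start, caged,
        butterfly_store_double, butterfly_load_double) are assumptions for the demo. It shows
        why a corrupted butterfly pointer, once routed through the cage, can no longer address
        memory outside the region, and why a double store is the access worth protecting: it
        writes whatever 64-bit pattern the script supplied. Caging bounds the base pointer
        only; the element index still needs its own range check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy cage (an assumption for this demo, not WebKit's Gigacage layout): a
 * CAGE_SIZE-byte, CAGE_SIZE-aligned region. Every butterfly pointer is routed
 * through caged() before use, which pins it inside the region. */
#define CAGE_SIZE ((uintptr_t)1 << 16)
#define CAGE_MASK (CAGE_SIZE - 1)

static unsigned char cage_storage[2 * CAGE_SIZE];

/* Return the cage base: the static buffer aligned up to CAGE_SIZE. */
static unsigned char *cage_start(void) {
    uintptr_t raw = (uintptr_t)cage_storage;
    return (unsigned char *)((raw + CAGE_MASK) & ~CAGE_MASK);
}

/* Offset-and-mask caging: keep only the low bits (the position inside the
 * cage) and rebase them onto cage_start(). A pointer already inside the cage
 * maps to itself; any other value is redirected into the cage. */
static void *caged(const void *p) {
    return cage_start() + ((uintptr_t)p & CAGE_MASK);
}

static int in_cage(const void *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)cage_start();
    return a >= base && a < base + CAGE_SIZE;
}

/* Double-typed butterfly access. A double store writes whatever 64-bit
 * pattern the caller supplies, which is why this access stays caged in the
 * patch above. The index is assumed to have been bounds-checked already. */
static void butterfly_store_double(double *butterfly, size_t index, double value) {
    ((double *)caged(butterfly))[index] = value;
}

static double butterfly_load_double(const double *butterfly, size_t index) {
    return ((const double *)caged(butterfly))[index];
}

/* Simulate a butterfly pointer overwritten with an attacker-chosen value
 * (constructed input) and confirm the access lands inside the cage. */
static int corrupted_pointer_is_confined(void) {
    double *bogus = (double *)(uintptr_t)0x4141414141414140ULL;
    butterfly_store_double(bogus, 0, 1.5);
    return in_cage(caged(bogus)) && butterfly_load_double(bogus, 0) == 1.5;
}
```

        The mask-and-rebase form is what makes the cage cheap enough to sit on every access:
        an AND and an ADD on the pointer, which is also exactly the cost the patch above
        removes from the non-double paths.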
3210
3211 2017-11-07  Mark Lam  <mark.lam@apple.com>
3212
3213         Introduce a default RegisterSet constructor so that we can use { } notation.
3214         https://bugs.webkit.org/show_bug.cgi?id=179389
3215
3216         Reviewed by Saam Barati.
3217
3218         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
3219         does not add any code documentation value.
3220
3221         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
3222         * b3/air/AirCode.cpp:
3223         (JSC::B3::Air::Code::setRegsInPriorityOrder):
3224         * b3/air/AirPrintSpecial.cpp:
3225         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
3226         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
3227         * b3/air/testair.cpp:
3228         * bytecode/PolymorphicAccess.h:
3229         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
3230         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
3231         * dfg/DFGJITCode.cpp:
3232         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3233         * ftl/FTLJITCode.cpp:
3234         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3235         * jit/JITCode.cpp:
3236         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3237         * jit/RegisterSet.cpp:
3238         (JSC::RegisterSet::reservedHardwareRegisters):
3239         (JSC::RegisterSet::runtimeRegisters):
3240         (JSC::RegisterSet::macroScratchRegisters):
3241         * jit/RegisterSet.h:
3242         (JSC::RegisterSet::RegisterSet):
3243         * wasm/WasmB3IRGenerator.cpp:
3244         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
3245
3246 2017-11-07  Mark Lam  <mark.lam@apple.com>
3247
3248         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
3249         https://bugs.webkit.org/show_bug.cgi?id=179355
3250         <rdar://problem/35263053>
3251
3252         Reviewed by Saam Barati.
3253
3254         In the Transition case in AccessCase::generateImpl(), we were restoring registers
3255         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
3256         where we previously stashed the reallocated butterfly.  If the generated code is
3257         under heavy register pressure, scratchGPR could have been from the set of preserved
3258         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
3259         As a result, the restoration would trash the butterfly result we stored there.
3260         This patch fixes the issue by excluding the scratchGPR in the restoration.
3261
3262         * bytecode/AccessCase.cpp:
3263         (JSC::AccessCase::generateImpl):
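
        The following is an added model of the register-pressure bug the entry above fixes;
        it is example code, not JSC's AccessCase or RegisterSet. The register count, the
        scratch register number, the fake butterfly value and the helper names
        (preserve_live_registers, restore_live_registers, transition_result) are assumptions.
        It reproduces the failure: when scratchGPR is among the preserved registers, an
        unexcluded restore overwrites the reallocated butterfly stashed there, and excluding
        it from the restore keeps the result intact.

```c
#include <stdint.h>
#include <string.h>

/* Model of the transition case (example code; the register count, scratch
 * register number and fake butterfly value are assumptions). */
#define NUM_GPRS 8
#define SCRATCH_GPR 5
#define FAKE_BUTTERFLY 0xB0DEULL

typedef struct { uint64_t gpr[NUM_GPRS]; } RegisterFile;

typedef struct {
    uint64_t saved[NUM_GPRS];
    uint32_t live_mask;   /* bit i set: gpr[i] was spilled before the call */
} SavedRegisters;

/* Spill every live register to the stack before a slow-path call. */
static void preserve_live_registers(const RegisterFile *rf, uint32_t live_mask, SavedRegisters *out) {
    memset(out, 0, sizeof *out);
    out->live_mask = live_mask;
    for (unsigned i = 0; i < NUM_GPRS; i++)
        if (live_mask & (1u << i))
            out->saved[i] = rf->gpr[i];
}

/* Reload the spilled registers, skipping any register in exclude_mask. */
static void restore_live_registers(RegisterFile *rf, const SavedRegisters *s, uint32_t exclude_mask) {
    for (unsigned i = 0; i < NUM_GPRS; i++)
        if ((s->live_mask & ~exclude_mask) & (1u << i))
            rf->gpr[i] = s->saved[i];
}

/* Stand-in for the call that reallocates the butterfly. */
static uint64_t reallocate_butterfly(void) { return FAKE_BUTTERFLY; }

/* The transition sequence: spill, call, stash the result in scratchGPR,
 * restore. Returns what scratchGPR holds afterwards. exclude_scratch == 0 is
 * the pre-patch behaviour; exclude_scratch == 1 is the fix. */
static uint64_t transition_result(uint32_t live_mask, int exclude_scratch) {
    RegisterFile rf;
    for (unsigned i = 0; i < NUM_GPRS; i++)
        rf.gpr[i] = 0x1000 + i;                  /* constructed pre-call values */
    SavedRegisters saved;
    preserve_live_registers(&rf, live_mask, &saved);
    rf.gpr[SCRATCH_GPR] = reallocate_butterfly();
    restore_live_registers(&rf, &saved, exclude_scratch ? (1u << SCRATCH_GPR) : 0u);
    return rf.gpr[SCRATCH_GPR];
}
```

        With a small live set the scratch register is never spilled and both variants agree,
        which is why the bug only shows up under heavy register pressure; with every register
        live, the unexcluded restore hands back the stale pre-call value instead of the new
        butterfly.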
3264
3265 2017-11-06  Robin Morisset  <rmorisset@apple.com>
3266
3267         CodeBlock::usesOpcode() is dead code
3268         https://bugs.webkit.org/show_bug.cgi?id=179316
3269
3270         Reviewed by Yusuke Suzuki.
3271
3272         Remove CodeBlock::usesOpcode, which is dead code.
3273
3274         * bytecode/CodeBlock.cpp:
3275         * bytecode/CodeBlock.h:
3276
3277 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3278
3279         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3280         https://bugs.webkit.org/show_bug.cgi?id=144458
3281
3282         Reviewed by Saam Barati.
3283
3284         Previously, only JSFunction was handled by CallLinkInfo's caching mechanism. This means that
3285         InternalFunction calls are not cached and they always go to the slow path. This is not good because
3286
3287         1. We need to query getCallData/getConstructData every time in the slow path.
3288         2. CallLinkInfo tells nothing in the higher tier JITs.
3289
3290         This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
3291         to hold pointers to the functions for call and construct. We have new stubs that can call/construct
3292         InternalFunction. And we return this code pointer as the result of the setup call to use the CallLinkInfo mechanism.
3293
3294         This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
3295         for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
3296         case where DFGByteCodeParser figures out an InternalFunction constant, we cannot attempt to emit DFG
3297         nodes for these InternalFunctions since CallLinkInfo tells us nothing.
3298
3299         Attached microbenchmarks show performance improvement.
3300
3301                                                            baseline                  patched
3302
3303         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
3304         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
3305         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
3306         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
3307
3308         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
3309
3310         * API/JSCallbackFunction.cpp:
3311         (JSC::JSCallbackFunction::JSCallbackFunction):
3312         (JSC::JSCallbackFunction::getCallData): Deleted.
3313         * API/JSCallbackFunction.h:
3314         (JSC::JSCallbackFunction::createStructure):
3315         * API/ObjCCallbackFunction.h:
3316         (JSC::ObjCCallbackFunction::createStructure):
3317         * API/ObjCCallbackFunction.mm:
3318         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
3319         (JSC::ObjCCallbackFunction::getCallData): Deleted.
3320         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
3321         * bytecode/BytecodeDumper.cpp:
3322         (JSC::BytecodeDumper<Block>::printCallOp):
3323         * bytecode/BytecodeList.json:
3324         * bytecode/CallLinkInfo.cpp:
3325         (JSC::CallLinkInfo::setCallee):
3326         (JSC::CallLinkInfo::callee):
3327         (JSC::CallLinkInfo::setLastSeenCallee):
3328         (JSC::CallLinkInfo::lastSeenCallee):
3329         (JSC::CallLinkInfo::visitWeak):
3330         * bytecode/CallLinkInfo.h:
3331         * bytecode/CallLinkStatus.cpp:
3332         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3333         * bytecode/LLIntCallLinkInfo.h:
3334         * jit/JITOperations.cpp:
3335         * jit/JITThunks.cpp:
3336         (JSC::JITThunks::ctiInternalFunctionCall):
3337         (JSC::JITThunks::ctiInternalFunctionConstruct):
3338         * jit/JITThunks.h:
3339         * jit/Repatch.cpp:
3340         (JSC::linkFor):
3341         (JSC::linkPolymorphicCall):
3342         * jit/Repatch.h:
3343         * jit/ThunkGenerators.cpp:
3344         (JSC::virtualThunkFor):
3345         (JSC::nativeFor