Unreviewed attempt to fix Windows build.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-09-03  Chris Dumez  <cdumez@apple.com>

        Unreviewed attempt to fix Windows build.

        * runtime/JSGlobalObjectFunctions.cpp:

2017-09-03  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r221552.

        Broke the build

        Reverted changeset:

        "[WTF] Add C++03 allocator interface for GCC < 6"
        https://bugs.webkit.org/show_bug.cgi?id=176301
        http://trac.webkit.org/changeset/221552

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Add C++03 allocator interface for GCC < 6
        https://bugs.webkit.org/show_bug.cgi?id=176301

        Reviewed by Darin Adler.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clean up BytecodeLivenessAnalysis
        https://bugs.webkit.org/show_bug.cgi?id=176295

        Reviewed by Saam Barati.

        Previously, computeDefsForBytecodeOffset was a bit customizable.
        This was used for the try-catch handler's liveness analysis. But after
        the careful generatorification implementation, it is no longer necessary.
        This patch drops this customizability.

        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
        (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::computeKills):
        (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
        (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        (JSC::BytecodeLivenessPropagation::stepOverInstruction):
        (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
        (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
        (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
        (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction): Deleted.
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset): Deleted.
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock): Deleted.
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset): Deleted.
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint): Deleted.

2017-09-03  Sam Weinig  <sam@webkit.org>

        Remove CanvasProxy
        https://bugs.webkit.org/show_bug.cgi?id=176288

        Reviewed by Yusuke Suzuki.

        CanvasProxy does not appear to be in any current HTML spec
        and was disabled and unimplemented in our tree. Time to
        get rid of it.

        * Configurations/FeatureDefines.xcconfig:

2017-09-02  Oliver Hunt  <oliver@apple.com>

        Need an API to get the global context from JSObjectRef
        https://bugs.webkit.org/show_bug.cgi?id=176291

        Reviewed by Saam Barati.

        Very simple additional API, starting off as SPI on principle.

        * API/JSObjectRef.cpp:
        (JSObjectGetGlobalContext):
        * API/JSObjectRefPrivate.h:
        * API/tests/testapi.c:
        (main):

2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Relax arity requirement
        https://bugs.webkit.org/show_bug.cgi?id=175523

        Reviewed by Saam Barati.

        Our DFG pipeline gives up inlining when the arity of the target function is greater than the number of arguments.
        This effectively prevents us from inlining and optimizing functions that take some optional arguments in the
        pre-ES6 style.

        This patch removes the above restriction by performing the arity fixup in DFG.

        SixSpeed shows improvement when we can inline arity-mismatched functions. (For example, calling generator.next()).

                                       baseline                  patched

        defaults.es5             1232.1226+-20.6775    ^    442.3326+-26.1883       ^ definitely 2.7855x faster
        rest.es6                    5.3406+-0.8588     ^      3.5812+-0.5388        ^ definitely 1.4913x faster
        spread-generator.es6      320.9107+-12.4808         310.4295+-12.0047         might be 1.0338x faster
        generator.es6             318.3514+-9.6023     ^    286.4974+-12.6203       ^ definitely 1.1112x faster

        * bytecode/InlineCallFrame.cpp:
        (JSC::InlineCallFrame::dumpInContext const):
        * bytecode/InlineCallFrame.h:
        (JSC::InlineCallFrame::InlineCallFrame):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::argumentsInvolveStackSlot):
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::getArgumentCount):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::validateReferences):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::isLiveInBytecode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::emitRestoreArguments):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitGetLength):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
        (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readInlinedFrame):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::argumentsStart):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createWithInlineFrame):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::numberOfExtraSlots):
        (JSC::CommonSlowPaths::numberOfStackPaddingSlots):
        (JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots):
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/StackAlignment.h:
        (JSC::stackAlignmentBytes):
        (JSC::stackAlignmentRegisters):

2017-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] FTL allocation for async Function is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=176214

        Reviewed by Saam Barati.

        In FTL, allocating an async function / async generator function was incorrectly using
        JSFunction logic. While it is not observable right now, since sizeof(JSFunction) == sizeof(JSAsyncFunction),
        it is still a bug.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):

2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix "name" and "length" of Proxy revoke function
        https://bugs.webkit.org/show_bug.cgi?id=176155

        Reviewed by Mark Lam.

        ProxyRevoke's length should be configurable, and it does not have
        its own name. We add a NameVisibility enum to InternalFunction to
        control the visibility of the name.

        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        * runtime/ProxyRevoke.cpp:
        (JSC::ProxyRevoke::finishCreation):

2017-08-31  Saam Barati  <sbarati@apple.com>

        Throwing an exception in the DFG/FTL should not cause a jettison
        https://bugs.webkit.org/show_bug.cgi?id=176060
        <rdar://problem/34143348>

        Reviewed by Keith Miller.

        Throwing an exception is not something that should be a jettison-able
        OSR exit. We used to count Throw/ThrowStaticError towards our OSR exit
        counts which could cause a CodeBlock to jettison and recompile. This
        was dumb. Throwing an exception is not a reason to jettison and
        recompile in the way that a speculation failure is. This patch
        treats Throw/ThrowStaticError as true terminals in DFG IR.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isTerminal):
        (JSC::DFG::Node::isPseudoTerminal):
        (JSC::DFG::Node::errorType):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileThrow):
        (JSC::DFG::SpeculativeJIT::compileThrowStaticError):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
        (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
        * jit/JITOperations.h:

2017-08-31  Saam Barati  <sbarati@apple.com>

        Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
        https://bugs.webkit.org/show_bug.cgi?id=176206

        Reviewed by Keith Miller.

        Mark fixed the main issue in Graph::methodOfGettingAValueProfileFor in r208560
        when he fixed it from overwriting invalid parts of the ArithProfile when the
        currentNode and the operandNode are from the same bytecode. However, the
        mechanism used to determine same bytecode was comparing NodeOrigin. That's
        slightly wrong. We need to compare semantic origin, since two NodeOrigins can
        have the same semantic origin, but differ only in exitOK. For example,
        in the below IR, the DoubleRep and the Phi have the same semantic
        origin, but different NodeOrigins.

        43 Phi(JS|PureInt, NonBoolInt32|NonIntAsdouble, W:SideState, bc#63, ExitInvalid)
        58 ExitOK(MustGen, W:SideState, bc#63)
        51 DoubleRep(Check:Number:Kill:@43, Double|PureInt, BytecodeDouble, Exits, bc#63)
        54 ArithNegate(DoubleRep:Kill:@51<Double>, Double|UseAsOther|MayHaveDoubleResult, AnyIntAsDouble|NonIntAsdouble, NotSet, Exits, bc#63)

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):

2017-08-31  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Make USE_CF conditional within Windows
        https://bugs.webkit.org/show_bug.cgi?id=176173

        Reviewed by Alex Christensen.

        * PlatformWin.cmake:

2017-08-31  Saam Barati  <sbarati@apple.com>

        useSeparatedWXHeap should never be true when not on iOS
        https://bugs.webkit.org/show_bug.cgi?id=176190

        Reviewed by JF Bastien.

        If you set useSeparatedWXHeap to true on X86_64, and launch the jsc shell,
        the process insta-crashes. Let's silently ignore that option and set it
        to false when not on iOS.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2017-08-31  Filip Pizlo  <fpizlo@apple.com>

        Fix debug crashes.

        Rubber stamped by Mark Lam.

        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):

2017-08-31  Filip Pizlo  <fpizlo@apple.com>

        All of the different ArrayBuffer::data's should be CagedPtr<>
        https://bugs.webkit.org/show_bug.cgi?id=175515

        Reviewed by Michael Saboff.

        This straightforwardly implements what the title says.

        * runtime/ArrayBuffer.cpp:
        (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
        (JSC::ArrayBufferContents::destroy):
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBufferContents::makeShared):
        (JSC::ArrayBufferContents::copyTo):
        (JSC::ArrayBuffer::createFromBytes):
        (JSC::ArrayBuffer::transferTo):
        * runtime/ArrayBuffer.h:
        (JSC::SharedArrayBufferContents::data const):
        (JSC::ArrayBufferContents::data const):
        (JSC::ArrayBuffer::data):
        (JSC::ArrayBuffer::data const):
        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::baseAddress const):
        * runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr<Gigacage::Foo, void> is valid.
        * runtime/DataView.h:
        (JSC::DataView::get):
        (JSC::DataView::set):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::ConstructionContext::vector const):
        (JSC::JSArrayBufferView::vector const):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):

2017-08-22  Filip Pizlo  <fpizlo@apple.com>

        Strings need to be in some kind of gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174924

        Reviewed by Oliver Hunt.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):
        (JSC::JSRopeString::resolveRope const):
        * runtime/JSString.h:
        (JSC::JSString::create):
        (JSC::JSString::createHasOtherOwner):
        * runtime/JSStringBuilder.h:
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):

2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use reifying system for "name" property of builtin JSFunction
        https://bugs.webkit.org/show_bug.cgi?id=175260

        Reviewed by Saam Barati.

        Currently, builtin JSFunction uses a direct property for "name", which is different
        from the usual JSFunction. The usual JSFunction uses the reifying system for "name". We would like
        to apply this reifying mechanism to builtin JSFunction to simplify the code and drop
        JSFunction::createBuiltinFunction.

        We would like to store the "correct" name in FunctionExecutable. For example,
        we would like to store a name like "get [Symbol.species]" in FunctionExecutable
        instead of specifying the name when creating the JSFunction. To do so, we add new
        annotations, @getter and @overriddenName. When @getter is specified, the name of
        the function becomes "get xxx". And when @overriddenName="xxx" is specified,
        the name of the function becomes "xxx".

        We also treat @xxx as anonymous builtin functions, which cannot be achieved in
        current JS without privilege.

        * Scripts/builtins/builtins_generate_combined_header.py:
        (generate_section_for_code_table_macro):
        * Scripts/builtins/builtins_generate_combined_implementation.py:
        (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_separate_header.py:
        (generate_section_for_code_table_macro):
        * Scripts/builtins/builtins_generate_separate_implementation.py:
        (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_model.py:
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
        (overriddenName.string_appeared_here.match):
        (intrinsic.RegExpTestIntrinsic.test):
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
        (overriddenName.string_appeared_here.match):
        (intrinsic.RegExpTestIntrinsic.test):
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * builtins/AsyncIteratorPrototype.js:
        (symbolAsyncIteratorGetter): Deleted.
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        * builtins/BuiltinExecutables.h:
        * builtins/BuiltinNames.h:
        * builtins/FunctionPrototype.js:
        (symbolHasInstance): Deleted.
        * builtins/GlobalOperations.js:
        (globalPrivate.speciesGetter): Deleted.
        * builtins/IteratorPrototype.js:
        (symbolIteratorGetter): Deleted.
        * builtins/PromiseConstructor.js:
        (all.newResolveElement.return.resolve):
        (all.newResolveElement):
        (all):
        * builtins/PromiseOperations.js:
        (globalPrivate.newPromiseCapability.executor):
        (globalPrivate.newPromiseCapability):
        (globalPrivate.createResolvingFunctions.resolve):
        (globalPrivate.createResolvingFunctions.reject):
        (globalPrivate.createResolvingFunctions):
        * builtins/RegExpPrototype.js:
        (match): Deleted.
        (replace): Deleted.
        (search): Deleted.
        (split): Deleted.
        * jsc.cpp:
        (functionCreateBuiltin):
        * runtime/AsyncIteratorPrototype.cpp:
        (JSC::AsyncIteratorPrototype::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        (JSC::JSFunction::createBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectBuiltinFunction):
        (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):

2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r221327.

        This change caused test262 failures.

        Reverted changeset:

        "[JSC] Use reifying system for "name" property of builtin
        JSFunction"
        https://bugs.webkit.org/show_bug.cgi?id=175260
        http://trac.webkit.org/changeset/221327

2017-08-30  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r221384.

        This patch caused multiple 32-bit JSC test failures.

        Reverted changeset:

        "Strings need to be in some kind of gigacage"
        https://bugs.webkit.org/show_bug.cgi?id=174924
        http://trac.webkit.org/changeset/221384

2017-08-30  Saam Barati  <sbarati@apple.com>

        semicolon is being interpreted as an = in the LiteralParser
        https://bugs.webkit.org/show_bug.cgi?id=176114

        Reviewed by Oliver Hunt.

        When lexing a semicolon in the LiteralParser, we were properly
        setting the TokenType on the current token, however, we were
        *returning* the wrong TokenType. The lex function both returns
        the TokenType and sets it on the current token. Semicolon was
        setting the TokenType to semicolon, but returning the TokenType
        for '='. This caused programs like `x;123` to be interpreted as
        `x=123`.

        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::next):

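The lexer defect described in the entry above, reproduced in an added illustration that is not JavaScriptCore's code: a toy lexer for a tiny identifier / `=` / `;` / number language whose `lex()` both records a token type on the current token and returns one, exactly the two-channel interface the entry describes. The `Lexer`, `Tok`, `parseProgram` and `lexerIsConsistent` names, the `buggy` switch and the sample inputs are all constructed here; in `buggy` mode `;` stores `Semicolon` but returns the type for `=`, so a parser that trusts the return value reads `x;123` as an assignment, while the corrected mode rejects it as trailing input. `lexerIsConsistent` is the invariant check a reviewer would want in the test suite: every returned type must equal the stored one.

```javascript
// Added illustration (not JavaScriptCore code) of the LiteralParser defect:
// lex() stores a TokenType on the current token AND returns one, and the two
// must agree. In "buggy" mode ';' stores Semicolon but returns Assign.
const Tok = Object.freeze({
  Identifier: 'Identifier', Number: 'Number', Semicolon: 'Semicolon',
  Assign: 'Assign', EOF: 'EOF', Error: 'Error',
});

class Lexer {
  constructor(src, { buggy = false } = {}) {
    this.src = src;
    this.pos = 0;
    this.buggy = buggy; // constructed switch: reproduce the defect or not
    this.current = { type: Tok.Error, value: null }; // the "current token"
  }

  // Returns the TokenType and also records it on this.current.
  lex() {
    const s = this.src;
    while (this.pos < s.length && /\s/.test(s[this.pos])) this.pos++;
    if (this.pos >= s.length) return this.emit(Tok.EOF, null);
    const c = s[this.pos];
    if (c === ';') {
      this.pos++;
      this.current = { type: Tok.Semicolon, value: ';' };
      // Stored type is right; the buggy return value is the one for '='.
      return this.buggy ? Tok.Assign : Tok.Semicolon;
    }
    if (c === '=') { this.pos++; return this.emit(Tok.Assign, '='); }
    if (/[0-9]/.test(c)) {
      const start = this.pos;
      while (this.pos < s.length && /[0-9]/.test(s[this.pos])) this.pos++;
      return this.emit(Tok.Number, Number(s.slice(start, this.pos)));
    }
    if (/[A-Za-z_$]/.test(c)) {
      const start = this.pos;
      while (this.pos < s.length && /[A-Za-z0-9_$]/.test(s[this.pos])) this.pos++;
      return this.emit(Tok.Identifier, s.slice(start, this.pos));
    }
    this.pos++;
    return this.emit(Tok.Error, c);
  }

  emit(type, value) {
    this.current = { type, value };
    return type;
  }
}

// Grammar: Identifier ('=' Number)? ';'? EOF. The parser consumes the type
// lex() RETURNS, as any caller naturally would.
function parseProgram(src, opts) {
  const lx = new Lexer(src, opts);
  if (lx.lex() !== Tok.Identifier) return { ok: false, reason: 'expected identifier' };
  const name = lx.current.value;
  let t = lx.lex();
  let result;
  if (t === Tok.Assign) {
    if (lx.lex() !== Tok.Number) return { ok: false, reason: 'expected number after =' };
    result = { ok: true, kind: 'assignment', name, value: lx.current.value };
    t = lx.lex();
  } else {
    result = { ok: true, kind: 'expression', name };
  }
  if (t === Tok.Semicolon) t = lx.lex();
  if (t !== Tok.EOF) return { ok: false, reason: 'trailing input' };
  return result;
}

// The invariant check that catches this class of bug: every value lex()
// returns must equal the type it stored on the current token.
function lexerIsConsistent(src, opts) {
  const lx = new Lexer(src, opts);
  for (;;) {
    const returned = lx.lex();
    if (returned !== lx.current.type) return false;
    if (returned === Tok.EOF || returned === Tok.Error) return true;
  }
}

console.log(parseProgram('x;123', { buggy: true })); // misparsed as x = 123
console.log(parseProgram('x;123'));                  // rejected: trailing input
```

Running `lexerIsConsistent` over every fixture in a parser's test corpus is cheap and would have flagged the mismatch the moment the `;` case returned the wrong type, independently of whether any particular program happened to exercise it.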
2017-08-22  Filip Pizlo  <fpizlo@apple.com>

        Strings need to be in some kind of gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174924

        Reviewed by Oliver Hunt.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):
        (JSC::JSRopeString::resolveRope const):
        * runtime/JSString.h:
        (JSC::JSString::create):
        (JSC::JSString::createHasOtherOwner):
        * runtime/JSStringBuilder.h:
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):

2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - Implement async iteration statement: for-await-of
        https://bugs.webkit.org/show_bug.cgi?id=166698

        Reviewed by Yusuke Suzuki.

        Implementation of the for-await-of statement.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorNext):
        * bytecompiler/BytecodeGenerator.h:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createForOfLoop):
        * parser/NodeConstructors.h:
        (JSC::ForOfNode::ForOfNode):
        * parser/Nodes.h:
        (JSC::ForOfNode::isForAwait const):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):
        * parser/Parser.h:
        (JSC::Scope::setSourceParseMode):
        (JSC::Scope::setIsFunction):
        (JSC::Scope::setIsAsyncGeneratorFunction):
        (JSC::Scope::setIsAsyncGeneratorFunctionBody):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createForOfLoop):

2017-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r221317.
        https://bugs.webkit.org/show_bug.cgi?id=176090

        "It broke a testing mode because we will never FTL compile a
        function that repeatedly throws" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "Throwing an exception in the DFG/FTL should not be a
        jettison-able OSR exit"
        https://bugs.webkit.org/show_bug.cgi?id=176060
        http://trac.webkit.org/changeset/221317

2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped)
        https://bugs.webkit.org/show_bug.cgi?id=175895

        Reviewed by Saam Barati.

        We have `bucket === @sentinelMapBucket` code in builtins. Since @sentinelMapBucket and bucket
        are MapBucket cells (SpecCellOther), we do not have any good fixup for CompareStrictEq.
        But rather than introducing a special fixup edge (like NonStringCellUse), converting
        CompareStrictEq(Untyped, Untyped) to CompareEqPtr is simpler.
        In the constant folding phase, we convert CompareStrictEq(Untyped, Untyped) to CompareEqPtr(Untyped)
        if one of the children is a constant non-String cell.

        This slightly optimizes map/set iteration.

        set-for-each          4.5064+-0.3072     ^      3.2862+-0.2098        ^ definitely 1.3713x faster
        large-map-iteration  56.2583+-1.6640           53.6798+-2.0097          might be 1.0480x faster
        set-for-of            8.8058+-0.5953     ^      7.5832+-0.3805        ^ definitely 1.1612x faster
        map-for-each          4.2633+-0.2694     ^      3.3967+-0.3013        ^ definitely 1.2551x faster
        map-for-of           13.1556+-0.5707           12.4911+-0.6004          might be 1.0532x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToCompareEqPtr):

2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use reifying system for "name" property of builtin JSFunction
        https://bugs.webkit.org/show_bug.cgi?id=175260

        Reviewed by Saam Barati.

        Currently, builtin JSFunction uses a direct property for "name", which is different
        from the usual JSFunction. The usual JSFunction uses the reifying system for "name". We would like
        to apply this reifying mechanism to builtin JSFunction to simplify the code and drop
        JSFunction::createBuiltinFunction.

        We would like to store the "correct" name in FunctionExecutable. For example,
        we would like to store a name like "get [Symbol.species]" in FunctionExecutable
        instead of specifying the name when creating the JSFunction. To do so, we add new
        annotations, @getter and @overriddenName. When @getter is specified, the name of
        the function becomes "get xxx". And when @overriddenName="xxx" is specified,
        the name of the function becomes "xxx".

        * Scripts/builtins/builtins_generate_combined_header.py:
        (generate_section_for_code_table_macro):
        * Scripts/builtins/builtins_generate_combined_implementation.py:
        (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_separate_header.py:
        (generate_section_for_code_table_macro):
        * Scripts/builtins/builtins_generate_separate_implementation.py:
        (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_model.py:
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
        (overriddenName.string_appeared_here.match):
        (intrinsic.RegExpTestIntrinsic.test):
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
        (overriddenName.string_appeared_here.match):
        (intrinsic.RegExpTestIntrinsic.test):
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        * builtins/BuiltinExecutables.h:
        * builtins/FunctionPrototype.js:
        (symbolHasInstance): Deleted.
        * builtins/GlobalOperations.js:
        (globalPrivate.speciesGetter): Deleted.
        * builtins/IteratorPrototype.js:
        (symbolIteratorGetter): Deleted.
        * builtins/RegExpPrototype.js:
        (match): Deleted.
        (replace): Deleted.
        (search): Deleted.
        (split): Deleted.
        * jsc.cpp:
        (functionCreateBuiltin):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        (JSC::JSFunction::createBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectBuiltinFunction):
        (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):

698 2017-08-29  Saam Barati  <sbarati@apple.com>
699
700         Throwing an exception in the DFG/FTL should not be a jettison-able OSR exit
701         https://bugs.webkit.org/show_bug.cgi?id=176060
702
703         Reviewed by Michael Saboff.
704
705         OSR exiting when we throw an exception is expected behavior. We should
706         not count these exits towards our jettison OSR exit threshold.
707
708         * bytecode/ExitKind.cpp:
709         (JSC::exitKindToString):
710         (JSC::exitKindMayJettison):
711         * bytecode/ExitKind.h:
712         * dfg/DFGSpeculativeJIT32_64.cpp:
713         (JSC::DFG::SpeculativeJIT::compile):
714         * dfg/DFGSpeculativeJIT64.cpp:
715         (JSC::DFG::SpeculativeJIT::compile):
716         * ftl/FTLLowerDFGToB3.cpp:
717         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
718
719 2017-08-29  Chris Dumez  <cdumez@apple.com>
720
721         Add initial support for dataTransferItem.webkitGetAsEntry()
722         https://bugs.webkit.org/show_bug.cgi?id=176038
723         <rdar://problem/34121095>
724
725         Reviewed by Wenson Hsieh.
726
727         Add CommonIdentifier needed by [EnabledAtRuntime].
728
729         * runtime/CommonIdentifiers.h:
730
731 2017-08-27  Devin Rousso  <webkit@devinrousso.com>
732
733         Web Inspector: Record actions performed on WebGLRenderingContext
734         https://bugs.webkit.org/show_bug.cgi?id=174483
735         <rdar://problem/34040722>
736
737         Reviewed by Matt Baker.
738
739         * inspector/protocol/Recording.json:
740         * inspector/scripts/codegen/generator.py:
741         Add type and mapping for WebGL: "canvas-webgl" => CanvasWebGL
742
743 2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
744
745         Unreviewed, suppress warnings in GTK port
746
747         The "block" variable hides the argument variable.
748
749         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
750         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
751
752 2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
753
754         Merge WeakMapData into JSWeakMap and JSWeakSet
755         https://bugs.webkit.org/show_bug.cgi?id=143919
756
757         Reviewed by Darin Adler.
758
759         This patch changes WeakMapData from JSCell to JSDestructibleObject,
760         renaming it to WeakMapBase, and JSWeakMap and JSWeakSet simply inherit
761         it instead of separately allocating WeakMapData. This reduces memory
762         consumption and allocation times.
763
764         Also, this patch optimizes sizeof(DeadKeyCleaner) a bit by dropping the m_target
765         field. Since this class is always embedded in WeakMapBase, we can calculate
766         the WeakMapBase address from the address of DeadKeyCleaner.
767
768         This patch does not include the optimization changing WeakMapData to Set
769         for JSWeakSet.
770
771         * CMakeLists.txt:
772         * JavaScriptCore.xcodeproj/project.pbxproj:
773         * inspector/JSInjectedScriptHost.cpp:
774         (Inspector::JSInjectedScriptHost::weakMapSize):
775         (Inspector::JSInjectedScriptHost::weakMapEntries):
776         (Inspector::JSInjectedScriptHost::weakSetSize):
777         (Inspector::JSInjectedScriptHost::weakSetEntries):
778         * runtime/JSWeakMap.cpp:
779         (JSC::JSWeakMap::finishCreation): Deleted.
780         (JSC::JSWeakMap::visitChildren): Deleted.
781         * runtime/JSWeakMap.h:
782         (JSC::JSWeakMap::createStructure): Deleted.
783         (JSC::JSWeakMap::create): Deleted.
784         (JSC::JSWeakMap::weakMapData): Deleted.
785         (JSC::JSWeakMap::JSWeakMap): Deleted.
786         * runtime/JSWeakSet.cpp:
787         (JSC::JSWeakSet::finishCreation): Deleted.
788         (JSC::JSWeakSet::visitChildren): Deleted.
789         * runtime/JSWeakSet.h:
790         (JSC::JSWeakSet::createStructure): Deleted.
791         (JSC::JSWeakSet::create): Deleted.
792         (JSC::JSWeakSet::weakMapData): Deleted.
793         (JSC::JSWeakSet::JSWeakSet): Deleted.
794         * runtime/VM.cpp:
795         (JSC::VM::VM):
796         * runtime/VM.h:
797         * runtime/WeakMapBase.cpp: Renamed from Source/JavaScriptCore/runtime/WeakMapData.cpp.
798         (JSC::WeakMapBase::WeakMapBase):
799         (JSC::WeakMapBase::destroy):
800         (JSC::WeakMapBase::estimatedSize):
801         (JSC::WeakMapBase::visitChildren):
802         (JSC::WeakMapBase::set):
803         (JSC::WeakMapBase::get):
804         (JSC::WeakMapBase::remove):
805         (JSC::WeakMapBase::contains):
806         (JSC::WeakMapBase::clear):
807         (JSC::WeakMapBase::DeadKeyCleaner::target):
808         (JSC::WeakMapBase::DeadKeyCleaner::visitWeakReferences):
809         (JSC::WeakMapBase::DeadKeyCleaner::finalizeUnconditionally):
810         * runtime/WeakMapBase.h: Renamed from Source/JavaScriptCore/runtime/WeakMapData.h.
811         (JSC::WeakMapBase::size const):
812         * runtime/WeakMapPrototype.cpp:
813         (JSC::getWeakMap):
814         (JSC::protoFuncWeakMapDelete):
815         (JSC::protoFuncWeakMapGet):
816         (JSC::protoFuncWeakMapHas):
817         (JSC::protoFuncWeakMapSet):
818         (JSC::getWeakMapData): Deleted.
819         * runtime/WeakSetPrototype.cpp:
820         (JSC::getWeakSet):
821         (JSC::protoFuncWeakSetDelete):
822         (JSC::protoFuncWeakSetHas):
823         (JSC::protoFuncWeakSetAdd):
824         (JSC::getWeakMapData): Deleted.
825
826 2017-08-25  Daniel Bates  <dabates@apple.com>
827
828         Demarcate code added due to lack of NSDMI for aggregates
829         https://bugs.webkit.org/show_bug.cgi?id=175990
830
831         Reviewed by Andy Estes.
832
833         * domjit/DOMJITEffect.h:
834         (JSC::DOMJIT::Effect::Effect):
835         (JSC::DOMJIT::Effect::forWrite):
836         (JSC::DOMJIT::Effect::forRead):
837         (JSC::DOMJIT::Effect::forReadWrite):
838         (JSC::DOMJIT::Effect::forPure):
839         (JSC::DOMJIT::Effect::forDef):
840         * runtime/HasOwnPropertyCache.h:
841         (JSC::HasOwnPropertyCache::Entry::Entry):
842         (JSC::HasOwnPropertyCache::Entry::operator=): Deleted.
843         * wasm/WasmFormat.h: Modernize some of the code while I am here. Also
844         make some comments read well.
845         (JSC::Wasm::CallableFunction::CallableFunction):
846         * wasm/js/WebAssemblyFunction.cpp:
847         (JSC::WebAssemblyFunction::WebAssemblyFunction):
848         * wasm/js/WebAssemblyWrapperFunction.cpp:
849         (JSC::WebAssemblyWrapperFunction::create):
850
851 2017-08-25  Saam Barati  <sbarati@apple.com>
852
853         Unreviewed. Fix 32-bit after r221196
854
855         * jit/JITOpcodes32_64.cpp:
856         (JSC::JIT::emit_op_catch):
857
858 2017-08-25  Chris Dumez  <cdumez@apple.com>
859
860         Land stubs for File and Directory Entries API interfaces
861         https://bugs.webkit.org/show_bug.cgi?id=175993
862         <rdar://problem/34087477>
863
864         Reviewed by Ryosuke Niwa.
865
866         Add CommonIdentifiers needed for [EnabledAtRuntime].
867
868         * runtime/CommonIdentifiers.h:
869
870 2017-08-25  Brian Burg  <bburg@apple.com>
871
872         Web Automation: add capabilities to control ICE candidate filtering and insecure media capture
873         https://bugs.webkit.org/show_bug.cgi?id=175563
874         <rdar://problem/33734492>
875
876         Reviewed by Joseph Pecoraro.
877
878         Add macros for new capability protocol string names. Let's use a reverse
879         domain name notification for these capabilities so we know whether they are
880         intended for a particular client/port or any WebKit client, and what feature they
881         are related to (i.e., webrtc).
882
883         * inspector/remote/RemoteInspectorConstants.h:
884
885 2017-08-24  Brian Burg  <bburg@apple.com>
886
887         Web Automation: use automation session configurations to propagate per-session settings
888         https://bugs.webkit.org/show_bug.cgi?id=175562
889         <rdar://problem/30853362>
890
891         Reviewed by Joseph Pecoraro.
892
893         Add a Cocoa-specific code path to forward capabilities when requesting
894         a new session from the remote inspector (i.e., automation) client.
895
896         If other ports want to use this, then we can convert Cocoa types to WebKit types later.
897
898         * inspector/remote/RemoteInspector.h:
899         * inspector/remote/RemoteInspectorConstants.h:
900         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
901         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
902
903 2017-08-25  Saam Barati  <sbarati@apple.com>
904
905         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
906         https://bugs.webkit.org/show_bug.cgi?id=175893
907
908         Reviewed by Mark Lam.
909
910         * dfg/DFGJITCode.cpp:
911         (JSC::DFG::JITCode::finalizeOSREntrypoints):
912         * dfg/DFGJITCode.h:
913         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
914         * dfg/DFGSpeculativeJIT.cpp:
915         (JSC::DFG::SpeculativeJIT::linkOSREntries):
916
917 2017-08-25  Saam Barati  <sbarati@apple.com>
918
919         Support compiling catch in the DFG
920         https://bugs.webkit.org/show_bug.cgi?id=174590
921         <rdar://problem/34047845>
922
923         Reviewed by Filip Pizlo.
924
925         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
926         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
927         
928         To implement catch in the DFG, this patch introduces the concept of multiple
929         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
930         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
931         patch contains many straight forward changes generalizing the code to handle more than
932         one entrypoint.
933         
934         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
935         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
936         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
937         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
938         and SSANaturalLoops vs CPSNaturalLoops.
939         
940         The way we compile the catch entrypoint is by bootstrapping the state
941         of the program by loading all live bytecode locals from a buffer. The OSR
942         entry code will store all live values into that buffer before jumping to
943         the entrypoint. The OSR entry code is also responsible for performing type
944         proofs of the arguments before doing an OSR entry. If there is a type
945         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
946         each catch entrypoint knows the argument type proofs it must perform to enter
947         into the DFG. Currently, all entrypoints' arguments flush format are unified
948         via ArgumentPosition, but this is just an implementation detail. The code is
949         written more generally to assume that each entrypoint may perform its own distinct
950         proof.
951         
952         op_catch now performs value profiling for all live bytecode locals in the
953         LLInt and baseline JIT. This information is then fed into the DFG via the
954         ExtractCatchLocal node in the prediction propagation phase.
955         
956         This patch also changes how we generate op_catch in bytecode. All op_catches
957         are now split out at the end of the program in bytecode. This ensures that
958         no op_catch is inside a try block. This is needed to ensure correctness in
959         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
960         before SetLocals inside a try block. If an op_catch were in a try block, this
961         would cause the phase to insert a Flush before one of the state bootstrapping
962         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
963         its own at the end of a bytecode stream seemed like the most elegant solution since
964         it better represents that we treat op_catch as an entrypoint. This is true
965         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
966         via normal control flow. Because op_catch cannot throw, this will not break
967         any previous semantics of op_catch. Logically, it'd be valid to split try
968         blocks around any non-throwing bytecode operation.
969
970         * CMakeLists.txt:
971         * JavaScriptCore.xcodeproj/project.pbxproj:
972         * bytecode/BytecodeDumper.cpp:
973         (JSC::BytecodeDumper<Block>::dumpBytecode):
974         * bytecode/BytecodeList.json:
975         * bytecode/BytecodeUseDef.h:
976         (JSC::computeUsesForBytecodeOffset):
977         * bytecode/CodeBlock.cpp:
978         (JSC::CodeBlock::finishCreation):
979         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
980         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
981         (JSC::CodeBlock::validate):
982         * bytecode/CodeBlock.h:
983         * bytecode/ValueProfile.h:
984         (JSC::ValueProfile::ValueProfile):
985         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
986         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
987         (JSC::ValueProfileAndOperandBuffer::forEach):
988         * bytecompiler/BytecodeGenerator.cpp:
989         (JSC::BytecodeGenerator::generate):
990         (JSC::BytecodeGenerator::BytecodeGenerator):
991         (JSC::BytecodeGenerator::emitCatch):
992         (JSC::BytecodeGenerator::emitEnumeration):
993         * bytecompiler/BytecodeGenerator.h:
994         * bytecompiler/NodesCodegen.cpp:
995         (JSC::TryNode::emitBytecode):
996         * dfg/DFGAbstractInterpreterInlines.h:
997         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
998         * dfg/DFGBackwardsCFG.h:
999         (JSC::DFG::BackwardsCFG::BackwardsCFG):
1000         * dfg/DFGBasicBlock.cpp:
1001         (JSC::DFG::BasicBlock::BasicBlock):
1002         * dfg/DFGBasicBlock.h:
1003         (JSC::DFG::BasicBlock::findTerminal const):
1004         * dfg/DFGByteCodeParser.cpp:
1005         (JSC::DFG::ByteCodeParser::setDirect):
1006         (JSC::DFG::ByteCodeParser::flush):
1007         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
1008         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
1009         (JSC::DFG::ByteCodeParser::parseBlock):
1010         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1011         (JSC::DFG::ByteCodeParser::parse):
1012         * dfg/DFGCFG.h:
1013         (JSC::DFG::CFG::root):
1014         (JSC::DFG::CFG::roots):
1015         (JSC::DFG::CPSCFG::CPSCFG):
1016         (JSC::DFG::selectCFG):
1017         * dfg/DFGCPSRethreadingPhase.cpp:
1018         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
1019         * dfg/DFGCSEPhase.cpp:
1020         * dfg/DFGClobberize.h:
1021         (JSC::DFG::clobberize):
1022         * dfg/DFGControlEquivalenceAnalysis.h:
1023         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
1024         * dfg/DFGDCEPhase.cpp:
1025         (JSC::DFG::DCEPhase::run):
1026         * dfg/DFGDisassembler.cpp:
1027         (JSC::DFG::Disassembler::createDumpList):
1028         * dfg/DFGDoesGC.cpp:
1029         (JSC::DFG::doesGC):
1030         * dfg/DFGDominators.h:
1031         (JSC::DFG::Dominators::Dominators):
1032         (JSC::DFG::ensureDominatorsForCFG):
1033         * dfg/DFGEdgeDominates.h:
1034         (JSC::DFG::EdgeDominates::EdgeDominates):
1035         (JSC::DFG::EdgeDominates::operator()):
1036         * dfg/DFGFixupPhase.cpp:
1037         (JSC::DFG::FixupPhase::fixupNode):
1038         (JSC::DFG::FixupPhase::fixupChecksInBlock):
1039         * dfg/DFGFlushFormat.h:
1040         * dfg/DFGGraph.cpp:
1041         (JSC::DFG::Graph::Graph):
1042         (JSC::DFG::unboxLoopNode):
1043         (JSC::DFG::Graph::dumpBlockHeader):
1044         (JSC::DFG::Graph::dump):
1045         (JSC::DFG::Graph::determineReachability):
1046         (JSC::DFG::Graph::invalidateCFG):
1047         (JSC::DFG::Graph::blocksInPreOrder):
1048         (JSC::DFG::Graph::blocksInPostOrder):
1049         (JSC::DFG::Graph::ensureCPSDominators):
1050         (JSC::DFG::Graph::ensureSSADominators):
1051         (JSC::DFG::Graph::ensureCPSNaturalLoops):
1052         (JSC::DFG::Graph::ensureSSANaturalLoops):
1053         (JSC::DFG::Graph::ensureBackwardsCFG):
1054         (JSC::DFG::Graph::ensureBackwardsDominators):
1055         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
1056         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1057         (JSC::DFG::Graph::clearCPSCFGData):
1058         (JSC::DFG::Graph::ensureDominators): Deleted.
1059         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
1060         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
1061         * dfg/DFGGraph.h:
1062         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
1063         (JSC::DFG::Graph::isEntrypoint const):
1064         * dfg/DFGInPlaceAbstractState.cpp:
1065         (JSC::DFG::InPlaceAbstractState::initialize):
1066         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
1067         * dfg/DFGJITCode.cpp:
1068         (JSC::DFG::JITCode::shrinkToFit):
1069         * dfg/DFGJITCode.h:
1070         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
1071         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
1072         (JSC::DFG::JITCode::appendCatchEntrypoint):
1073         * dfg/DFGJITCompiler.cpp:
1074         (JSC::DFG::JITCompiler::compile):
1075         (JSC::DFG::JITCompiler::compileFunction):
1076         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1077         (JSC::DFG::JITCompiler::noticeOSREntry):
1078         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
1079         * dfg/DFGJITCompiler.h:
1080         * dfg/DFGLICMPhase.cpp:
1081         (JSC::DFG::LICMPhase::run):
1082         (JSC::DFG::LICMPhase::attemptHoist):
1083         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1084         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
1085         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
1086         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1087         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
1088         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
1089         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
1090         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1091         (JSC::DFG::createPreHeader):
1092         (JSC::DFG::LoopPreHeaderCreationPhase::run):
1093         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1094         (JSC::DFG::MaximalFlushInsertionPhase::run):
1095         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1096         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1097         * dfg/DFGMayExit.cpp:
1098         * dfg/DFGNaturalLoops.h:
1099         (JSC::DFG::NaturalLoops::NaturalLoops):
1100         * dfg/DFGNode.h:
1101         (JSC::DFG::Node::isSwitch const):
1102         (JSC::DFG::Node::successor):
1103         (JSC::DFG::Node::catchOSREntryIndex const):
1104         (JSC::DFG::Node::catchLocalPrediction):
1105         (JSC::DFG::Node::isSwitch): Deleted.
1106         * dfg/DFGNodeType.h:
1107         * dfg/DFGOSREntry.cpp:
1108         (JSC::DFG::prepareCatchOSREntry):
1109         * dfg/DFGOSREntry.h:
1110         * dfg/DFGOSREntrypointCreationPhase.cpp:
1111         (JSC::DFG::OSREntrypointCreationPhase::run):
1112         * dfg/DFGOSRExitCompilerCommon.cpp:
1113         (JSC::DFG::handleExitCounts):
1114         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1115         * dfg/DFGPlan.cpp:
1116         (JSC::DFG::Plan::compileInThreadImpl):
1117         * dfg/DFGPrePostNumbering.cpp:
1118         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
1119         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
1120         (WTF::printInternal): Deleted.
1121         * dfg/DFGPrePostNumbering.h:
1122         (): Deleted.
1123         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
1124         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
1125         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
1126         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
1127         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
1128         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
1129         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
1130         * dfg/DFGPredictionInjectionPhase.cpp:
1131         (JSC::DFG::PredictionInjectionPhase::run):
1132         * dfg/DFGPredictionPropagationPhase.cpp:
1133         * dfg/DFGPutStackSinkingPhase.cpp:
1134         * dfg/DFGSSACalculator.cpp:
1135         (JSC::DFG::SSACalculator::nonLocalReachingDef):
1136         (JSC::DFG::SSACalculator::reachingDefAtTail):
1137         * dfg/DFGSSACalculator.h:
1138         (JSC::DFG::SSACalculator::computePhis):
1139         * dfg/DFGSSAConversionPhase.cpp:
1140         (JSC::DFG::SSAConversionPhase::run):
1141         (JSC::DFG::performSSAConversion):
1142         * dfg/DFGSafeToExecute.h:
1143         (JSC::DFG::safeToExecute):
1144         * dfg/DFGSpeculativeJIT.cpp:
1145         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1146         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1147         (JSC::DFG::SpeculativeJIT::createOSREntries):
1148         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1149         * dfg/DFGSpeculativeJIT32_64.cpp:
1150         (JSC::DFG::SpeculativeJIT::compile):
1151         * dfg/DFGSpeculativeJIT64.cpp:
1152         (JSC::DFG::SpeculativeJIT::compile):
1153         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
1154         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
1155         * dfg/DFGStrengthReductionPhase.cpp:
1156         (JSC::DFG::StrengthReductionPhase::handleNode):
1157         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1158         (JSC::DFG::TierUpCheckInjectionPhase::run):
1159         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
1160         * dfg/DFGTypeCheckHoistingPhase.cpp:
1161         (JSC::DFG::TypeCheckHoistingPhase::run):
1162         * dfg/DFGValidate.cpp:
1163         * ftl/FTLLink.cpp:
1164         (JSC::FTL::link):
1165         * ftl/FTLLowerDFGToB3.cpp:
1166         (JSC::FTL::DFG::LowerDFGToB3::lower):
1167         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
1168         (JSC::FTL::DFG::LowerDFGToB3::isValid):
1169         * jit/JIT.h:
1170         * jit/JITInlines.h:
1171         (JSC::JIT::callOperation):
1172         * jit/JITOpcodes.cpp:
1173         (JSC::JIT::emit_op_catch):
1174         * jit/JITOpcodes32_64.cpp:
1175         (JSC::JIT::emit_op_catch):
1176         * jit/JITOperations.cpp:
1177         * jit/JITOperations.h:
1178         * llint/LLIntSlowPaths.cpp:
1179         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1180         * llint/LLIntSlowPaths.h:
1181         * llint/LowLevelInterpreter32_64.asm:
1182         * llint/LowLevelInterpreter64.asm:
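
        A toy model of the CPSCFG fake-root idea from the entry above, added here as an
        illustration and not taken from JSC; the block names, FAKE_ROOT and the sample
        graph are constructed for the example:

```javascript
// Added example, not JSC code: a toy model of the CPSCFG idea described in the
// entry above. A graph with several entrypoints (the normal root plus each
// op_catch entry) gets a synthetic root whose successors are the real
// entrypoints, so an ordinary single-root dominator algorithm works unchanged.

const FAKE_ROOT = "__fake_root__"; // hypothetical name, not a JSC identifier

// blocks: Map of block name -> array of successor names.
// entrypoints: block names at which control flow may start.
function buildCPSCFG(blocks, entrypoints) {
  const succ = new Map(blocks);
  succ.set(FAKE_ROOT, [...entrypoints]);
  return { root: FAKE_ROOT, succ };
}

// Iterative dataflow dominators: Dom(n) = {n} U intersection of Dom(p) over
// predecessors p, evaluated in reverse post-order from the root to a fixpoint.
// Blocks not reachable from the root are ignored, exactly as a single-root
// algorithm would ignore an op_catch block that has no normal-flow predecessor.
function computeDominators({ root, succ }) {
  const preds = new Map([...succ.keys()].map(n => [n, []]));
  for (const [n, ss] of succ) for (const s of ss) preds.get(s).push(n);

  const visited = new Set();
  const post = [];
  (function dfs(n) {
    visited.add(n);
    for (const s of succ.get(n)) if (!visited.has(s)) dfs(s);
    post.push(n);
  })(root);
  const rpo = post.reverse(); // only blocks reachable from the root

  const dom = new Map(rpo.map(n => [n, n === root ? new Set([root]) : new Set(rpo)]));
  for (let changed = true; changed;) {
    changed = false;
    for (const n of rpo) {
      if (n === root) continue;
      let inter = null;
      for (const p of preds.get(n)) {
        if (!dom.has(p)) continue; // unreachable predecessor, skip it
        const d = dom.get(p);
        inter = inter === null ? new Set(d) : new Set([...inter].filter(x => d.has(x)));
      }
      inter.add(n);
      if (inter.size !== dom.get(n).size) { dom.set(n, inter); changed = true; }
    }
  }
  return dom;
}

function dominates(dom, a, b) { return dom.has(b) && dom.get(b).has(a); }

// Constructed sample: an entry block, a self-loop, an exit, and a catch block
// that is reached only by the exception path (no normal-flow predecessor).
const SAMPLE_BLOCKS = new Map([
  ["entry", ["loop"]],
  ["loop", ["loop", "exit"]],
  ["exit", []],
  ["catch", ["exit"]],
]);

// Single-root view (the old Graph::block(0) assumption): "catch" is unreachable,
// so "entry" wrongly appears to dominate "exit".
function sampleSingleRootDominators() {
  return computeDominators({ root: "entry", succ: SAMPLE_BLOCKS });
}

// CPSCFG view: the fake root reaches both entrypoints, so "exit" is dominated
// only by the fake root and itself.
function sampleCPSDominators() {
  return computeDominators(buildCPSCFG(SAMPLE_BLOCKS, ["entry", "catch"]));
}
```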
1183
1184 2017-08-25  Keith Miller  <keith_miller@apple.com>
1185
1186         Explore increasing max JSString::m_length to UINT_MAX.
1187         https://bugs.webkit.org/show_bug.cgi?id=163955
1188         <rdar://problem/32001499>
1189
1190         Reviewed by JF Bastien.
1191
1192         This can cause us to release assert on some code paths. I don't
1193         see a reason to maintain this restriction.
1194
1195         * runtime/JSString.h:
1196         (JSC::JSString::length const):
1197         (JSC::JSString::setLength):
1198         (JSC::JSString::isValidLength): Deleted.
1199         * runtime/JSStringBuilder.h:
1200         (JSC::jsMakeNontrivialString):
1201
1202 2017-08-24  Commit Queue  <commit-queue@webkit.org>
1203
1204         Unreviewed, rolling out r221119, r221124, and r221143.
1205         https://bugs.webkit.org/show_bug.cgi?id=175973
1206
1207         "I think it regressed JSBench by 20%" (Requested by saamyjoon
1208         on #webkit).
1209
1210         Reverted changesets:
1211
1212         "Support compiling catch in the DFG"
1213         https://bugs.webkit.org/show_bug.cgi?id=174590
1214         http://trac.webkit.org/changeset/221119
1215
1216         "Unreviewed, build fix in GTK port"
1217         https://bugs.webkit.org/show_bug.cgi?id=174590
1218         http://trac.webkit.org/changeset/221124
1219
1220         "DFG::JITCode::osrEntry should get sorted since we perform a
1221         binary search on it"
1222         https://bugs.webkit.org/show_bug.cgi?id=175893
1223         http://trac.webkit.org/changeset/221143
1224
1225 2017-08-24  Michael Saboff  <msaboff@apple.com>
1226
1227         Enable moving fixed character class terms after fixed character terms for BMP only character classes
1228         https://bugs.webkit.org/show_bug.cgi?id=175958
1229
1230         Reviewed by Saam Barati.
1231
1232         Currently we don't perform the reordering optimization of fixed character terms that
1233         follow fixed character class terms for Unicode patterns.
1234
1235         This change allows that reordering when the character class contains only BMP
1236         characters.
1237
1238         This fix is covered by existing tests.
1239
1240         * yarr/YarrJIT.cpp:
1241         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1242
1243 2017-08-24  Michael Saboff  <msaboff@apple.com>
1244
1245         Add support for RegExp "dotAll" flag
1246         https://bugs.webkit.org/show_bug.cgi?id=175924
1247
1248         Reviewed by Keith Miller.
1249
1250         The dotAll RegExp flag, 's', changes . to match any character including line terminators.
1251         Added the "dotAll" identifier as well as RegExp.prototype.dotAll getter.
1252         Added a new any character CharacterClass that is used to match . terms in a dotAll flags
1253         RegExp.  In the YARR pattern and parsing code, changed the NewlineClassID, which was only
1254         used for '.' processing, to DotClassID.  The selection of which builtin character class
1255         that DotClassID resolves to when generating the pattern is conditional on the dotAll flag.
1256         This NewlineClassID to DotClassID refactoring includes the atomBuiltInCharacterClass() in
1257         the WebCore content extensions code in the PatternParser class.
1258
1259         As an optimization, the Yarr JIT actually doesn't perform match checks against the builtin
1260         any character CharacterClass, it merely reads the character.  There is another optimization
1261         in our DotStart enclosure processing where a non-capturing regular expression in the form
1262         of .*<expression.*, with options beginning ^ and/or trailing $, match the contained
1263         expression and then look for the extents of the surrounding .*'s.  When used with the
1264         dotAll flag, that processing always results with the beginning of the string and the end
1265         of the string.  Therefore we short circuit finding the beginning and end of the line
1266         or string with dotAll patterns.
1267
1268         * bytecode/BytecodeDumper.cpp:
1269         (JSC::regexpToSourceString):
1270         * runtime/CommonIdentifiers.h:
1271         * runtime/RegExp.cpp:
1272         (JSC::regExpFlags):
1273         (JSC::RegExpFunctionalTestCollector::outputOneTest):
1274         * runtime/RegExp.h:
1275         * runtime/RegExpKey.h:
1276         * runtime/RegExpPrototype.cpp:
1277         (JSC::RegExpPrototype::finishCreation):
1278         (JSC::flagsString):
1279         (JSC::regExpProtoGetterDotAll):
1280         * yarr/YarrInterpreter.cpp:
1281         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
1282         * yarr/YarrInterpreter.h:
1283         (JSC::Yarr::BytecodePattern::dotAll const):
1284         * yarr/YarrJIT.cpp:
1285         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1286         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1287         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1288         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1289         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1290         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1291         * yarr/YarrParser.h:
1292         (JSC::Yarr::Parser::parseTokens):
1293         * yarr/YarrPattern.cpp:
1294         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
1295         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
1296         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
1297         (JSC::Yarr::YarrPattern::YarrPattern):
1298         (JSC::Yarr::PatternTerm::dump):
1299         (JSC::Yarr::anycharCreate):
1300         * yarr/YarrPattern.h:
1301         (JSC::Yarr::YarrPattern::reset):
1302         (JSC::Yarr::YarrPattern::anyCharacterClass):
1303         (JSC::Yarr::YarrPattern::dotAll const):
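
        The observable behaviour described in the entry above, as an added example in plain
        JavaScript (not JSC or YARR code); the sample input strings are constructed:

```javascript
// Added example, not JSC code: checks the dotAll ('s') flag behaviour described
// in the entry above from script, using only standard RegExp APIs.

// Without dotAll, '.' refuses every line terminator; with 's' it accepts all of them.
function dotMatchesLineTerminators(flags) {
  const terminators = ["\n", "\r", "\u2028", "\u2029"];
  return terminators.every(t => new RegExp("^.$", flags).test(t));
}

// RegExp.prototype.flags lists 's' in canonical order and the dotAll getter
// reflects whether the flag was given.
function describeFlags(source, flags) {
  const re = new RegExp(source, flags);
  return { flags: re.flags, dotAll: re.dotAll };
}

// The .*<expression>.* "dot-star enclosure" case from the entry: without 's'
// the match is bounded by the enclosing line; with 's' it spans the whole input.
function dotStarEnclosure(input, inner, dotAll) {
  const re = new RegExp(`.*${inner}.*`, dotAll ? "s" : "");
  const m = re.exec(input);
  return m ? m[0] : null;
}

// Constructed sample input with line terminators around the interesting term.
const SAMPLE_INPUT = "line one\nkey=value\nline three";
```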
1304
1305 2017-08-23  Filip Pizlo  <fpizlo@apple.com>
1306
1307         Reduce Gigacage sizes
1308         https://bugs.webkit.org/show_bug.cgi?id=175920
1309
1310         Reviewed by Mark Lam.
1311
1312         Teach all of the code generators to use the right gigacage masks.
1313
1314         Also teach Wasm that it has much less memory for signaling memories. With 32GB, we have room for 7 signaling memories. But if
1315         we actually did that, then we'd have no memory left for anything else. So, this caps us at 4 signaling memories.
1316
1317         * ftl/FTLLowerDFGToB3.cpp:
1318         (JSC::FTL::DFG::LowerDFGToB3::caged):
1319         * jit/AssemblyHelpers.h:
1320         (JSC::AssemblyHelpers::cage):
1321         (JSC::AssemblyHelpers::cageConditionally):
1322         * llint/LowLevelInterpreter64.asm:
1323         * runtime/Options.h:
1324
1325 2017-08-24  Saam Barati  <sbarati@apple.com>
1326
1327         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
1328         https://bugs.webkit.org/show_bug.cgi?id=175893
1329
1330         Reviewed by Mark Lam.
1331
1332         * dfg/DFGJITCode.cpp:
1333         (JSC::DFG::JITCode::finalizeOSREntrypoints):
1334         * dfg/DFGJITCode.h:
1335         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
1336         * dfg/DFGSpeculativeJIT.cpp:
1337         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1338
1339 2017-08-23  Keith Miller  <keith_miller@apple.com>
1340
1341         Fix Titzer bench on iOS.
1342         https://bugs.webkit.org/show_bug.cgi?id=175917
1343
1344         Reviewed by Ryosuke Niwa.
1345
1346         Currently, Titzer bench doesn't run on iOS since the benchmark
1347         allocates lots of physical pages that it never actually writes
1348         to. We limited the total number of wasm physical pages to the RAM
1349         size of the phone, which caused us to fail a memory
1350         allocation. This patch changes it so we will allocate up to 3x the RAM
1351         size, which seems to fix the problem.
1352
1353         * wasm/WasmMemory.cpp:
1354
1355 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1356
1357         Unreviewed, fix for test262
1358         https://bugs.webkit.org/show_bug.cgi?id=175915
1359
1360         * runtime/MapPrototype.cpp:
1361         (JSC::MapPrototype::finishCreation):
1362         * runtime/SetPrototype.cpp:
1363         (JSC::SetPrototype::finishCreation):
1364
1365 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1366
1367         Unreviewed, build fix in GTK port
1368         https://bugs.webkit.org/show_bug.cgi?id=174590
1369
1370         * bytecompiler/BytecodeGenerator.cpp:
1371         (JSC::BytecodeGenerator::emitCatch):
1372         * bytecompiler/BytecodeGenerator.h:
1373
1374 2017-08-23  Saam Barati  <sbarati@apple.com>
1375
1376         Support compiling catch in the DFG
1377         https://bugs.webkit.org/show_bug.cgi?id=174590
1378
1379         Reviewed by Filip Pizlo.
1380
1381         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
1382         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
1383         
1384         To implement catch in the DFG, this patch introduces the concept of multiple
1385         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
1386         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
1387         patch contains many straightforward changes generalizing the code to handle more than
1388         one entrypoint.
1389         
1390         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
1391         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
1392         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
1393         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
1394         and SSANaturalLoops vs CPSNaturalLoops.
1395         
1396         The way we compile the catch entrypoint is by bootstrapping the state
1397         of the program by loading all live bytecode locals from a buffer. The OSR
1398         entry code will store all live values into that buffer before jumping to
1399         the entrypoint. The OSR entry code is also responsible for performing type
1400         proofs of the arguments before doing an OSR entry. If there is a type
1401         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
1402         each catch entrypoint knows the argument type proofs it must perform to enter
1403         into the DFG. Currently, all entrypoints' argument flush formats are unified
1404         via ArgumentPosition, but this is just an implementation detail. The code is
1405         written more generally to assume that each entrypoint may perform its own distinct
1406         proof.
1407         
1408         op_catch now performs value profiling for all live bytecode locals in the
1409         LLInt and baseline JIT. This information is then fed into the DFG via the
1410         ExtractCatchLocal node in the prediction propagation phase.
1411         
1412         This patch also changes how we generate op_catch in bytecode. All op_catches
1413         are now split out at the end of the program in bytecode. This ensures that
1414         no op_catch is inside a try block. This is needed to ensure correctness in
1415         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
1416         before SetLocals inside a try block. If an op_catch were in a try block, this
1417         would cause the phase to insert a Flush before one of the state bootstrapping
1418         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
1419         its own at the end of a bytecode stream seemed like the most elegant solution since
1420         it better represents that we treat op_catch as an entrypoint. This is true
1421         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
1422         via normal control flow. Because op_catch cannot throw, this will not break
1423         any previous semantics of op_catch. Logically, it'd be valid to split try
1424         blocks around any non-throwing bytecode operation.
1425
1426         * CMakeLists.txt:
1427         * JavaScriptCore.xcodeproj/project.pbxproj:
1428         * bytecode/BytecodeDumper.cpp:
1429         (JSC::BytecodeDumper<Block>::dumpBytecode):
1430         * bytecode/BytecodeList.json:
1431         * bytecode/BytecodeUseDef.h:
1432         (JSC::computeUsesForBytecodeOffset):
1433         * bytecode/CodeBlock.cpp:
1434         (JSC::CodeBlock::finishCreation):
1435         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1436         (JSC::CodeBlock::validate):
1437         * bytecode/CodeBlock.h:
1438         * bytecode/ValueProfile.h:
1439         (JSC::ValueProfile::ValueProfile):
1440         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
1441         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
1442         (JSC::ValueProfileAndOperandBuffer::forEach):
1443         * bytecompiler/BytecodeGenerator.cpp:
1444         (JSC::BytecodeGenerator::generate):
1445         (JSC::BytecodeGenerator::BytecodeGenerator):
1446         (JSC::BytecodeGenerator::emitCatch):
1447         (JSC::BytecodeGenerator::emitEnumeration):
1448         * bytecompiler/BytecodeGenerator.h:
1449         * bytecompiler/NodesCodegen.cpp:
1450         (JSC::TryNode::emitBytecode):
1451         * dfg/DFGAbstractInterpreterInlines.h:
1452         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1453         * dfg/DFGBackwardsCFG.h:
1454         (JSC::DFG::BackwardsCFG::BackwardsCFG):
1455         * dfg/DFGBasicBlock.cpp:
1456         (JSC::DFG::BasicBlock::BasicBlock):
1457         * dfg/DFGBasicBlock.h:
1458         (JSC::DFG::BasicBlock::findTerminal const):
1459         * dfg/DFGByteCodeParser.cpp:
1460         (JSC::DFG::ByteCodeParser::setDirect):
1461         (JSC::DFG::ByteCodeParser::flush):
1462         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
1463         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
1464         (JSC::DFG::ByteCodeParser::parseBlock):
1465         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1466         (JSC::DFG::ByteCodeParser::parse):
1467         * dfg/DFGCFG.h:
1468         (JSC::DFG::CFG::root):
1469         (JSC::DFG::CFG::roots):
1470         (JSC::DFG::CPSCFG::CPSCFG):
1471         (JSC::DFG::selectCFG):
1472         * dfg/DFGCPSRethreadingPhase.cpp:
1473         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
1474         * dfg/DFGCSEPhase.cpp:
1475         * dfg/DFGClobberize.h:
1476         (JSC::DFG::clobberize):
1477         * dfg/DFGControlEquivalenceAnalysis.h:
1478         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
1479         * dfg/DFGDCEPhase.cpp:
1480         (JSC::DFG::DCEPhase::run):
1481         * dfg/DFGDisassembler.cpp:
1482         (JSC::DFG::Disassembler::createDumpList):
1483         * dfg/DFGDoesGC.cpp:
1484         (JSC::DFG::doesGC):
1485         * dfg/DFGDominators.h:
1486         (JSC::DFG::Dominators::Dominators):
1487         (JSC::DFG::ensureDominatorsForCFG):
1488         * dfg/DFGEdgeDominates.h:
1489         (JSC::DFG::EdgeDominates::EdgeDominates):
1490         (JSC::DFG::EdgeDominates::operator()):
1491         * dfg/DFGFixupPhase.cpp:
1492         (JSC::DFG::FixupPhase::fixupNode):
1493         (JSC::DFG::FixupPhase::fixupChecksInBlock):
1494         * dfg/DFGFlushFormat.h:
1495         * dfg/DFGGraph.cpp:
1496         (JSC::DFG::Graph::Graph):
1497         (JSC::DFG::unboxLoopNode):
1498         (JSC::DFG::Graph::dumpBlockHeader):
1499         (JSC::DFG::Graph::dump):
1500         (JSC::DFG::Graph::determineReachability):
1501         (JSC::DFG::Graph::invalidateCFG):
1502         (JSC::DFG::Graph::blocksInPreOrder):
1503         (JSC::DFG::Graph::blocksInPostOrder):
1504         (JSC::DFG::Graph::ensureCPSDominators):
1505         (JSC::DFG::Graph::ensureSSADominators):
1506         (JSC::DFG::Graph::ensureCPSNaturalLoops):
1507         (JSC::DFG::Graph::ensureSSANaturalLoops):
1508         (JSC::DFG::Graph::ensureBackwardsCFG):
1509         (JSC::DFG::Graph::ensureBackwardsDominators):
1510         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
1511         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1512         (JSC::DFG::Graph::clearCPSCFGData):
1513         (JSC::DFG::Graph::ensureDominators): Deleted.
1514         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
1515         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
1516         * dfg/DFGGraph.h:
1517         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
1518         (JSC::DFG::Graph::isEntrypoint const):
1519         * dfg/DFGInPlaceAbstractState.cpp:
1520         (JSC::DFG::InPlaceAbstractState::initialize):
1521         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
1522         * dfg/DFGJITCode.cpp:
1523         (JSC::DFG::JITCode::shrinkToFit):
1524         * dfg/DFGJITCode.h:
1525         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
1526         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
1527         (JSC::DFG::JITCode::appendCatchEntrypoint):
1528         * dfg/DFGJITCompiler.cpp:
1529         (JSC::DFG::JITCompiler::compile):
1530         (JSC::DFG::JITCompiler::compileFunction):
1531         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1532         (JSC::DFG::JITCompiler::noticeOSREntry):
1533         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
1534         * dfg/DFGJITCompiler.h:
1535         * dfg/DFGLICMPhase.cpp:
1536         (JSC::DFG::LICMPhase::run):
1537         (JSC::DFG::LICMPhase::attemptHoist):
1538         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1539         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
1540         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
1541         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1542         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
1543         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
1544         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
1545         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1546         (JSC::DFG::createPreHeader):
1547         (JSC::DFG::LoopPreHeaderCreationPhase::run):
1548         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1549         (JSC::DFG::MaximalFlushInsertionPhase::run):
1550         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1551         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1552         * dfg/DFGMayExit.cpp:
1553         * dfg/DFGNaturalLoops.h:
1554         (JSC::DFG::NaturalLoops::NaturalLoops):
1555         * dfg/DFGNode.h:
1556         (JSC::DFG::Node::isSwitch const):
1557         (JSC::DFG::Node::successor):
1558         (JSC::DFG::Node::catchOSREntryIndex const):
1559         (JSC::DFG::Node::catchLocalPrediction):
1560         (JSC::DFG::Node::isSwitch): Deleted.
1561         * dfg/DFGNodeType.h:
1562         * dfg/DFGOSREntry.cpp:
1563         (JSC::DFG::prepareCatchOSREntry):
1564         * dfg/DFGOSREntry.h:
1565         * dfg/DFGOSREntrypointCreationPhase.cpp:
1566         (JSC::DFG::OSREntrypointCreationPhase::run):
1567         * dfg/DFGOSRExitCompilerCommon.cpp:
1568         (JSC::DFG::handleExitCounts):
1569         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1570         * dfg/DFGPlan.cpp:
1571         (JSC::DFG::Plan::compileInThreadImpl):
1572         * dfg/DFGPrePostNumbering.cpp:
1573         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
1574         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
1575         (WTF::printInternal): Deleted.
1576         * dfg/DFGPrePostNumbering.h:
1577         (): Deleted.
1578         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
1579         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
1580         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
1581         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
1582         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
1583         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
1584         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
1585         * dfg/DFGPredictionInjectionPhase.cpp:
1586         (JSC::DFG::PredictionInjectionPhase::run):
1587         * dfg/DFGPredictionPropagationPhase.cpp:
1588         * dfg/DFGPutStackSinkingPhase.cpp:
1589         * dfg/DFGSSACalculator.cpp:
1590         (JSC::DFG::SSACalculator::nonLocalReachingDef):
1591         (JSC::DFG::SSACalculator::reachingDefAtTail):
1592         * dfg/DFGSSACalculator.h:
1593         (JSC::DFG::SSACalculator::computePhis):
1594         * dfg/DFGSSAConversionPhase.cpp:
1595         (JSC::DFG::SSAConversionPhase::run):
1596         (JSC::DFG::performSSAConversion):
1597         * dfg/DFGSafeToExecute.h:
1598         (JSC::DFG::safeToExecute):
1599         * dfg/DFGSpeculativeJIT.cpp:
1600         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1601         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1602         (JSC::DFG::SpeculativeJIT::createOSREntries):
1603         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1604         * dfg/DFGSpeculativeJIT32_64.cpp:
1605         (JSC::DFG::SpeculativeJIT::compile):
1606         * dfg/DFGSpeculativeJIT64.cpp:
1607         (JSC::DFG::SpeculativeJIT::compile):
1608         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
1609         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
1610         * dfg/DFGStrengthReductionPhase.cpp:
1611         (JSC::DFG::StrengthReductionPhase::handleNode):
1612         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1613         (JSC::DFG::TierUpCheckInjectionPhase::run):
1614         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
1615         * dfg/DFGTypeCheckHoistingPhase.cpp:
1616         (JSC::DFG::TypeCheckHoistingPhase::run):
1617         * dfg/DFGValidate.cpp:
1618         * ftl/FTLLink.cpp:
1619         (JSC::FTL::link):
1620         * ftl/FTLLowerDFGToB3.cpp:
1621         (JSC::FTL::DFG::LowerDFGToB3::lower):
1622         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
1623         (JSC::FTL::DFG::LowerDFGToB3::isValid):
1624         * jit/JIT.h:
1625         * jit/JITInlines.h:
1626         (JSC::JIT::callOperation):
1627         * jit/JITOpcodes.cpp:
1628         (JSC::JIT::emit_op_catch):
1629         * jit/JITOpcodes32_64.cpp:
1630         (JSC::JIT::emit_op_catch):
1631         * jit/JITOperations.cpp:
1632         * jit/JITOperations.h:
1633         * llint/LLIntSlowPaths.cpp:
1634         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1635         * llint/LLIntSlowPaths.h:
1636         * llint/LowLevelInterpreter32_64.asm:
1637         * llint/LowLevelInterpreter64.asm:
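
As an added illustration of the CPSCFG idea described in this entry (not WebKit code; the ToyGraph type, the block numbering and the dominator routine are this example's own stand-ins for DFG::Graph and DFG::CFG): a fake root with an edge to every entrypoint lets a plain single-root dominator computation handle an op_catch entrypoint unchanged, and it also shows why phases that assumed block 0 dominates everything had to be generalized.

```cpp
#include <algorithm>
#include <cstddef>
#include <iterator>
#include <set>
#include <vector>

// Toy CFG for this example (hypothetical; DFG::Graph / DFG::CFG are not
// reproduced): block index -> successor indices, plus the entrypoint list.
struct ToyGraph {
    std::vector<std::vector<std::size_t>> successors;
    std::vector<std::size_t> roots; // block 0 plus every op_catch entrypoint
};

// Classic iterative dominator dataflow for a graph with exactly one root:
//   dom(root) = {root};  dom(b) = {b} U (intersection of dom(p) over reachable preds p)
// Result: result[b] sorted ascending; empty means b is unreachable from root.
static std::vector<std::vector<std::size_t>>
computeDominators(const std::vector<std::vector<std::size_t>>& succ, std::size_t root)
{
    const std::size_t n = succ.size();
    std::vector<std::vector<std::size_t>> preds(n);
    for (std::size_t b = 0; b < n; ++b)
        for (std::size_t s : succ[b])
            preds[s].push_back(b);

    // Blocks reachable from the root; anything else gets no dominators at all.
    std::set<std::size_t> all { root };
    for (std::vector<std::size_t> work { root }; !work.empty();) {
        std::size_t b = work.back();
        work.pop_back();
        for (std::size_t s : succ[b])
            if (all.insert(s).second)
                work.push_back(s);
    }

    std::vector<std::set<std::size_t>> dom(n);
    for (std::size_t b : all)
        dom[b] = (b == root) ? std::set<std::size_t> { root } : all;

    for (bool changed = true; changed;) {
        changed = false;
        for (std::size_t b : all) {
            if (b == root)
                continue;
            std::set<std::size_t> meet = all;
            for (std::size_t p : preds[b]) {
                if (!all.count(p))
                    continue; // an edge from an unreachable block contributes nothing
                std::set<std::size_t> tmp;
                std::set_intersection(meet.begin(), meet.end(), dom[p].begin(), dom[p].end(),
                    std::inserter(tmp, tmp.begin()));
                meet.swap(tmp);
            }
            meet.insert(b);
            if (meet != dom[b]) {
                dom[b] = meet;
                changed = true;
            }
        }
    }

    std::vector<std::vector<std::size_t>> result(n);
    for (std::size_t b = 0; b < n; ++b)
        result[b].assign(dom[b].begin(), dom[b].end());
    return result;
}

// SSACFG view (the pre-patch assumption): block 0 is the only root, so an
// op_catch block has no predecessor and looks unreachable to every analysis.
std::vector<std::vector<std::size_t>> ssaDominators(const ToyGraph& g)
{
    return computeDominators(g.successors, 0);
}

// CPSCFG view: append a fake root with an edge to every entrypoint, run the
// unchanged algorithm, then strip the fake root out of the answer.
std::vector<std::vector<std::size_t>> cpsDominators(const ToyGraph& g)
{
    std::vector<std::vector<std::size_t>> succ = g.successors;
    const std::size_t fakeRoot = succ.size();
    succ.push_back(g.roots);
    std::vector<std::vector<std::size_t>> dom = computeDominators(succ, fakeRoot);
    dom.pop_back();
    for (std::vector<std::size_t>& d : dom)
        d.erase(std::remove(d.begin(), d.end(), fakeRoot), d.end());
    return dom;
}

// Constructed sample: 0 = function entry, 1 = try body, 2 = code after the
// try/catch, 3 = op_catch entrypoint (entered only on exception; no normal
// edge leads to it), with 3 -> 2.
ToyGraph sampleGraph()
{
    ToyGraph g;
    g.successors = { { 1 }, { 2 }, { }, { 2 } };
    g.roots = { 0, 3 };
    return g;
}
```

With block 3 treated as an entrypoint, block 2 is no longer dominated by block 0 at all, which is the kind of assumption the phases listed in this entry had to stop making.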
1638
1639 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1640
1641         Unreviewed, debug build fix
1642         https://bugs.webkit.org/show_bug.cgi?id=174355
1643
1644         * ftl/FTLLowerDFGToB3.cpp:
1645         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1646
1647 2017-08-23  Michael Saboff  <msaboff@apple.com>
1648
1649         REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137
1650         https://bugs.webkit.org/show_bug.cgi?id=175903
1651
1652         Reviewed by Saam Barati.
1653
1654         In generateCharacterClassGreedy we were incrementing the "count" register before checking
1655         for the end of the input string.  The at-end-of-input check is the final check before
1656         knowing that the current character matched.  In this case, the end of input check
1657         indicates that we ran out of prechecked characters and therefore should fail the match of
1658         the current character.  The backtracking code uses the value in the "count" register as
1659         the number of characters that successfully matched, which shouldn't include the current
1660         character.  Therefore we need to move the incrementing of "count" to after the
1661         at-end-of-input check.
1662
1663         Through code inspection of the expectations of other backtracking code, I determined that 
1664         the non-greedy character class matching code had a similar issue.  I fixed that as well
1665         and added a new test case.
1666
1667         * yarr/YarrJIT.cpp:
1668         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1669         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1670
1671 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1672
1673         [JSC] Optimize Map iteration with intrinsic
1674         https://bugs.webkit.org/show_bug.cgi?id=174355
1675
1676         Reviewed by Saam Barati.
1677
1678         This patch optimizes Map/Set iteration by taking an approach similar to Array iteration.
1679         We create a simple iterator object instead of JSMapIterator and JSSetIterator, and we
1680         directly handle Map/Set buckets in JS builtins. We carefully create mapIteratorNext and
1681         setIteratorNext functions which should be inlined. This leads to a significant performance boost
1682         when they are inlined in for-of iteration.
1683
1684         This patch changes how the DFG and FTL handle MapBucket if the bucket is not found.
1685         Previously, we used nullptr for that, and the DFG and FTL specially handled this nullptr as a bucket.
1686         Instead, this patch introduces sentinel buckets. They are marked as deleted, and not linked
1687         to any hash maps, and their key and value fields are filled with Undefined. By returning this
1688         sentinel bucket instead of returning nullptr, we simplify the DFG and FTL's LoadXXXFromMapBucket
1689         code.
1690
1691         We still keep JSMapIterator and JSSetIterator because they are useful to serialize Map and Set
1692         in WebCore. So they are not used in user-observable JS. We change them from JS objects to JS cells.
1693
1694         Existing microbenchmarks show performance improvements.
1695
1696         large-map-iteration                           164.1622+-4.1618     ^     56.6284+-1.5355        ^ definitely 2.8989x faster
1697         set-for-of                                     15.4369+-1.0631     ^      9.2955+-0.5979        ^ definitely 1.6607x faster
1698         map-for-each                                    7.5889+-0.5792     ^      6.3011+-0.4816        ^ definitely 1.2044x faster
1699         map-for-of                                     32.3904+-1.3003     ^     12.6907+-0.6118        ^ definitely 2.5523x faster
1700         map-rehash                                     13.9275+-0.9187     ^     11.5367+-0.6430        ^ definitely 1.2072x faster
1701
1702         * CMakeLists.txt:
1703         * DerivedSources.make:
1704         * builtins/ArrayPrototype.js:
1705         (globalPrivate.createArrayIterator):
1706         * builtins/BuiltinNames.h:
1707         * builtins/MapIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
1708         (globalPrivate.mapIteratorNext):
1709         (next):
1710         * builtins/MapPrototype.js:
1711         (globalPrivate.createMapIterator):
1712         (values):
1713         (keys):
1714         (entries):
1715         (forEach):
1716         * builtins/SetIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
1717         (globalPrivate.setIteratorNext):
1718         (next):
1719         * builtins/SetPrototype.js:
1720         (globalPrivate.createSetIterator):
1721         (values):
1722         (entries):
1723         (forEach):
1724         * bytecode/BytecodeIntrinsicRegistry.cpp:
1725         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1726         * bytecode/BytecodeIntrinsicRegistry.h:
1727         * bytecode/SpeculatedType.h:
1728         * dfg/DFGAbstractInterpreterInlines.h:
1729         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1730         * dfg/DFGByteCodeParser.cpp:
1731         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1732         * dfg/DFGClobberize.h:
1733         (JSC::DFG::clobberize):
1734         * dfg/DFGDoesGC.cpp:
1735         (JSC::DFG::doesGC):
1736         * dfg/DFGFixupPhase.cpp:
1737         (JSC::DFG::FixupPhase::fixupNode):
1738         * dfg/DFGHeapLocation.cpp:
1739         (WTF::printInternal):
1740         * dfg/DFGHeapLocation.h:
1741         * dfg/DFGNode.h:
1742         (JSC::DFG::Node::hasHeapPrediction):
1743         (JSC::DFG::Node::hasBucketOwnerType):
1744         (JSC::DFG::Node::bucketOwnerType):
1745         (JSC::DFG::Node::OpInfoWrapper::as const):
1746         * dfg/DFGNodeType.h:
1747         * dfg/DFGOperations.cpp:
1748         * dfg/DFGPredictionPropagationPhase.cpp:
1749         * dfg/DFGSafeToExecute.h:
1750         (JSC::DFG::safeToExecute):
1751         * dfg/DFGSpeculativeJIT.cpp:
1752         (JSC::DFG::SpeculativeJIT::compileGetMapBucketHead):
1753         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1754         (JSC::DFG::SpeculativeJIT::compileLoadKeyFromMapBucket):
1755         (JSC::DFG::SpeculativeJIT::compileLoadValueFromMapBucket):
1756         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr): Deleted.
1757         * dfg/DFGSpeculativeJIT.h:
1758         * dfg/DFGSpeculativeJIT32_64.cpp:
1759         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
1760         (JSC::DFG::SpeculativeJIT::compile):
1761         * dfg/DFGSpeculativeJIT64.cpp:
1762         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
1763         (JSC::DFG::SpeculativeJIT::compile):
1764         * ftl/FTLAbstractHeapRepository.h:
1765         * ftl/FTLCapabilities.cpp:
1766         (JSC::FTL::canCompile):
1767         * ftl/FTLLowerDFGToB3.cpp:
1768         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1769         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1770         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketHead):
1771         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1772         (JSC::FTL::DFG::LowerDFGToB3::compileLoadValueFromMapBucket):
1773         (JSC::FTL::DFG::LowerDFGToB3::compileLoadKeyFromMapBucket):
1774         (JSC::FTL::DFG::LowerDFGToB3::setStorage):
1775         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket): Deleted.
1776         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket): Deleted.
1777         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket): Deleted.
1778         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket): Deleted.
1779         * inspector/JSInjectedScriptHost.cpp:
1780         (Inspector::JSInjectedScriptHost::subtype):
1781         (Inspector::JSInjectedScriptHost::getInternalProperties):
1782         (Inspector::cloneMapIteratorObject):
1783         (Inspector::cloneSetIteratorObject):
1784         (Inspector::JSInjectedScriptHost::iteratorEntries):
1785         * runtime/HashMapImpl.h:
1786         (JSC::HashMapBucket::createSentinel):
1787         (JSC::HashMapBucket::offsetOfNext):
1788         (JSC::HashMapBucket::offsetOfDeleted):
1789         (JSC::HashMapImpl::offsetOfHead):
1790         * runtime/Intrinsic.cpp:
1791         (JSC::intrinsicName):
1792         * runtime/Intrinsic.h:
1793         * runtime/JSGlobalObject.cpp:
1794         (JSC::JSGlobalObject::init):
1795         * runtime/JSGlobalObject.h:
1796         * runtime/JSMap.h:
1797         * runtime/JSMapIterator.cpp:
1798         (JSC::JSMapIterator::clone): Deleted.
1799         * runtime/JSMapIterator.h:
1800         (JSC::JSMapIterator::iteratedValue const):
1801         * runtime/JSSet.h:
1802         * runtime/JSSetIterator.cpp:
1803         (JSC::JSSetIterator::clone): Deleted.
1804         * runtime/JSSetIterator.h:
1805         (JSC::JSSetIterator::iteratedValue const):
1806         * runtime/MapConstructor.cpp:
1807         (JSC::mapPrivateFuncMapBucketHead):
1808         (JSC::mapPrivateFuncMapBucketNext):
1809         (JSC::mapPrivateFuncMapBucketKey):
1810         (JSC::mapPrivateFuncMapBucketValue):
1811         * runtime/MapConstructor.h:
1812         * runtime/MapIteratorPrototype.cpp:
1813         (JSC::MapIteratorPrototype::finishCreation):
1814         (JSC::MapIteratorPrototypeFuncNext): Deleted.
1815         * runtime/MapPrototype.cpp:
1816         (JSC::MapPrototype::finishCreation):
1817         (JSC::mapProtoFuncValues): Deleted.
1818         (JSC::mapProtoFuncEntries): Deleted.
1819         (JSC::mapProtoFuncKeys): Deleted.
1820         (JSC::privateFuncMapIterator): Deleted.
1821         (JSC::privateFuncMapIteratorNext): Deleted.
1822         * runtime/MapPrototype.h:
1823         * runtime/SetConstructor.cpp:
1824         (JSC::setPrivateFuncSetBucketHead):
1825         (JSC::setPrivateFuncSetBucketNext):
1826         (JSC::setPrivateFuncSetBucketKey):
1827         * runtime/SetConstructor.h:
1828         * runtime/SetIteratorPrototype.cpp:
1829         (JSC::SetIteratorPrototype::finishCreation):
1830         (JSC::SetIteratorPrototypeFuncNext): Deleted.
1831         * runtime/SetPrototype.cpp:
1832         (JSC::SetPrototype::finishCreation):
1833         (JSC::setProtoFuncSize):
1834         (JSC::setProtoFuncValues): Deleted.
1835         (JSC::setProtoFuncEntries): Deleted.
1836         (JSC::privateFuncSetIterator): Deleted.
1837         (JSC::privateFuncSetIteratorNext): Deleted.
1838         * runtime/SetPrototype.h:
1839         * runtime/VM.cpp:
1840         (JSC::VM::VM):
1841         * runtime/VM.h:
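
As an added model of the sentinel-bucket scheme described in this entry (not JSC code; ToyMap, Bucket, Value and the function names are this example's own stand-ins for the HashMapImpl bucket chain and the MapBucketHead / MapBucketNext private functions listed above): returning a deleted, unlinked sentinel instead of nullptr lets the iterator step load key and value unconditionally and decide "done" with a single flag test, even when entries are removed mid-iteration.

```cpp
#include <utility>
#include <vector>

// Toy model of the bucket chain (hypothetical types for this example;
// JSC::HashMapBucket / HashMapImpl are not reproduced).
struct Value {
    bool isUndefined;
    int number;
};
constexpr Value undefinedValue { true, 0 };
struct Bucket {
    Value key;
    Value value;
    bool deleted; // removed entries stay linked so in-flight iterators can skip them
    Bucket* next;
};

// The sentinel: flagged deleted, never linked into any map, key and value Undefined.
// Handing it back instead of nullptr means every consumer can load key/value
// unconditionally and decide "done" with one flag test.
Bucket* sentinelBucket()
{
    static Bucket sentinel { undefinedValue, undefinedValue, true, nullptr };
    return &sentinel;
}

struct ToyMap {
    Bucket head { undefinedValue, undefinedValue, true, nullptr }; // dummy head, never yielded
    Bucket* tail = &head;
    std::vector<Bucket*> owned;
    ~ToyMap() { for (Bucket* b : owned) delete b; }

    Bucket* find(int key)
    {
        for (Bucket* b = head.next; b; b = b->next)
            if (!b->deleted && b->key.number == key)
                return b;
        return nullptr;
    }

    void set(int key, int value)
    {
        if (Bucket* b = find(key)) {
            b->value = { false, value };
            return;
        }
        Bucket* b = new Bucket { { false, key }, { false, value }, false, nullptr };
        tail->next = b;
        tail = b;
        owned.push_back(b);
    }

    bool remove(int key)
    {
        Bucket* b = find(key);
        if (!b)
            return false;
        b->deleted = true; // logically removed, physically still in the chain
        b->key = b->value = undefinedValue;
        return true;
    }
};

// Model counterparts of the MapBucketHead / MapBucketNext private functions.
Bucket* mapBucketHead(ToyMap& map) { return &map.head; }

// Skip deleted buckets; at the end of the chain return the sentinel, never nullptr.
Bucket* mapBucketNext(Bucket* bucket)
{
    for (Bucket* b = bucket->next; b; b = b->next)
        if (!b->deleted)
            return b;
    return sentinelBucket();
}

// One step of a builtin like mapIteratorNext: "done" is just the deleted flag,
// which, among the buckets mapBucketNext can return, is set only on the sentinel.
struct IterResult { bool done; Value key; Value value; };
IterResult mapIteratorNext(Bucket*& cursor)
{
    cursor = mapBucketNext(cursor);
    return { cursor->deleted, cursor->key, cursor->value };
}

// Constructed sample: insert three entries, delete the middle one, then drain
// the map the way a for-of loop would. Returns the surviving (key, value) pairs.
std::vector<std::pair<int, int>> sampleEntries()
{
    ToyMap map;
    map.set(1, 10);
    map.set(2, 20);
    map.set(3, 30);
    map.remove(2);
    std::vector<std::pair<int, int>> out;
    for (Bucket* cursor = mapBucketHead(map);;) {
        IterResult r = mapIteratorNext(cursor);
        if (r.done)
            break;
        out.emplace_back(r.key.number, r.value.number);
    }
    return out;
}
```

Because the sentinel's own next pointer is null, stepping from the sentinel yields the sentinel again, so an exhausted iterator keeps reporting done without any special case.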
1842
1843 2017-08-23  David Kilzer  <ddkilzer@apple.com>
1844
1845         Fix -Wcast-qual warnings in JavaScriptCore with new clang compiler
1846         <https://webkit.org/b/175889>
1847         <rdar://problem/33667497>
1848
1849         Reviewed by Mark Lam.
1850
1851         * API/ObjCCallbackFunction.mm:
1852         (JSC::objCCallbackFunctionCallAsConstructor): Use
1853         const_cast<JSObjectRef>() since JSValueRef is const while
1854         JSObjectRef is not.
1855         * API/tests/CurrentThisInsideBlockGetterTest.mm:
1856         (+[JSValue valueWithConstructorDescriptor:inContext:]): Use
1857         const_cast<void*>() since JSObjectMake() takes a void*, but
1858         CFBridgingRetain() returns const void*.
1859
1860 2017-08-23  Robin Morisset  <rmorisset@apple.com>
1861
1862         Make GetDynamicVar propagate heap predictions instead of saying HeapTop
1863         https://bugs.webkit.org/show_bug.cgi?id=175738
1864
1865         Reviewed by Saam Barati.
1866
1867         The heap prediction always ends up in m_opInfo2. But GetDynamicVar was already storing getPutInfo in there.
1868         So we move that one into m_opInfo. We can do this because it is 32-bit, and the already present identifierNumber
1869         is also 32-bit, so we can pack both in m_opInfo (which is 64 bits).
1870
1871         * dfg/DFGByteCodeParser.cpp:
1872         (JSC::DFG::makeDynamicVarOpInfo):
1873         (JSC::DFG::ByteCodeParser::parseBlock):
1874         * dfg/DFGNode.h:
1875         (JSC::DFG::Node::getPutInfo):
1876         (JSC::DFG::Node::hasHeapPrediction):
1877         * dfg/DFGPredictionPropagationPhase.cpp:
1878
1879 2017-08-23  Skachkov Oleksandr  <gskachkov@gmail.com>
1880
1881         [ESNext] Async iteration - Implement Async Generator - runtime
1882         https://bugs.webkit.org/show_bug.cgi?id=175240
1883
1884         Reviewed by Yusuke Suzuki.
1885
1886         The current implementation is a draft version of Async Iteration.
1887         Link to the spec: https://tc39.github.io/proposal-async-iteration/
1888        
1889         To implement async generators, new states were added that show the reason why an async generator was suspended:
1890         # yield - return a promise with the result
1891         # await - wait until the promise is resolved and then continue
1892        
1893         The main difference between an async function and an async generator is that
1894         an async function returns a promise, but an async generator returns an
1895         object with methods (next, throw and return) that return a promise that
1896         can be resolved with a pair of properties, value and done.
1897         Async generator functions are similar to generator functions, with the following differences:
1898         # When called, async generator functions return an object, an async generator,
1899         whose methods (next, throw, and return) return promises for { value, done },
1900         instead of directly returning { value, done }.
1901         This automatically makes the returned async generator objects async iterators.
1902         # await expressions and for-await-of statements are allowed.
1903         # The behavior of yield* is modified to support
1904           delegation to sync and async iterables
1905
1906         * CMakeLists.txt:
1907         * DerivedSources.make:
1908         * JavaScriptCore.xcodeproj/project.pbxproj:
1909         * builtins/AsyncFromSyncIteratorPrototype.js: Added.
1910         (next.try):
1911         (next):
1912         (return.try):
1913         (return):
1914         (throw.try):
1915         (throw):
1916         (globalPrivate.createAsyncFromSyncIterator):
1917         (globalPrivate.AsyncFromSyncIteratorConstructor):
1918         * builtins/AsyncGeneratorPrototype.js: Added.
1919         (globalPrivate.createAsyncGeneratorQueue):
1920         (globalPrivate.asyncGeneratorQueueIsEmpty):
1921         (globalPrivate.asyncGeneratorQueueCreateItem):
1922         (globalPrivate.asyncGeneratorQueueEnqueue):
1923         (globalPrivate.asyncGeneratorQueueDequeue):
1924         (globalPrivate.asyncGeneratorQueueGetFirstValue):
1925         (globalPrivate.asyncGeneratorDequeue):
1926         (globalPrivate.isExecutionState):
1927         (globalPrivate.isSuspendYieldState):
1928         (globalPrivate.asyncGeneratorReject):
1929         (globalPrivate.asyncGeneratorResolve):
1930         (asyncGeneratorYieldAwaited):
1931         (globalPrivate.asyncGeneratorYield):
1932         (const.onRejected):
1933         (globalPrivate.awaitValue):
1934         (const.onFulfilled):
1935         (globalPrivate.doAsyncGeneratorBodyCall):
1936         (globalPrivate.asyncGeneratorResumeNext.):
1937         (globalPrivate.asyncGeneratorResumeNext):
1938         (globalPrivate.asyncGeneratorEnqueue):
1939         (next):
1940         (return):
1941         (throw):
1942         * builtins/AsyncIteratorPrototype.js: Added.
1943         (symbolAsyncIteratorGetter):
1944         * builtins/BuiltinNames.h:
1945         * bytecode/BytecodeDumper.cpp:
1946         (JSC::BytecodeDumper<Block>::dumpBytecode):
1947         * bytecode/BytecodeIntrinsicRegistry.cpp:
1948         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1949         * bytecode/BytecodeIntrinsicRegistry.h:
1950         * bytecode/BytecodeList.json:
1951         * bytecode/BytecodeUseDef.h:
1952         (JSC::computeUsesForBytecodeOffset):
1953         (JSC::computeDefsForBytecodeOffset):
1954         * bytecompiler/BytecodeGenerator.cpp:
1955         (JSC::BytecodeGenerator::BytecodeGenerator):
1956         (JSC::BytecodeGenerator::emitCreateAsyncGeneratorQueue):
1957         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
1958         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
1959         (JSC::BytecodeGenerator::emitNewFunction):
1960         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
1961         (JSC::BytecodeGenerator::emitIteratorClose):
1962         (JSC::BytecodeGenerator::emitYieldPoint):
1963         (JSC::BytecodeGenerator::emitYield):
1964         (JSC::BytecodeGenerator::emitCallIterator):
1965         (JSC::BytecodeGenerator::emitAwait):
1966         (JSC::BytecodeGenerator::emitGetIterator):
1967         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1968         (JSC::BytecodeGenerator::emitDelegateYield):
1969         * bytecompiler/BytecodeGenerator.h:
1970         * bytecompiler/NodesCodegen.cpp:
1971         (JSC::ReturnNode::emitBytecode):
1972         (JSC::FunctionNode::emitBytecode):
1973         (JSC::YieldExprNode::emitBytecode):
1974         (JSC::AwaitExprNode::emitBytecode):
1975         * dfg/DFGAbstractInterpreterInlines.h:
1976         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1977         * dfg/DFGByteCodeParser.cpp:
1978         (JSC::DFG::ByteCodeParser::parseBlock):
1979         * dfg/DFGCapabilities.cpp:
1980         (JSC::DFG::capabilityLevel):
1981         * dfg/DFGClobberize.h:
1982         (JSC::DFG::clobberize):
1983         * dfg/DFGClobbersExitState.cpp:
1984         (JSC::DFG::clobbersExitState):
1985         * dfg/DFGDoesGC.cpp:
1986         (JSC::DFG::doesGC):
1987         * dfg/DFGFixupPhase.cpp:
1988         (JSC::DFG::FixupPhase::fixupNode):
1989         * dfg/DFGMayExit.cpp:
1990         * dfg/DFGNode.h:
1991         (JSC::DFG::Node::convertToPhantomNewFunction):
1992         (JSC::DFG::Node::convertToPhantomNewAsyncGeneratorFunction):
1993         (JSC::DFG::Node::hasCellOperand):
1994         (JSC::DFG::Node::isFunctionAllocation):
1995         (JSC::DFG::Node::isPhantomFunctionAllocation):
1996         (JSC::DFG::Node::isPhantomAllocation):
1997         * dfg/DFGNodeType.h:
1998         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1999         * dfg/DFGPredictionPropagationPhase.cpp:
2000         * dfg/DFGSafeToExecute.h:
2001         (JSC::DFG::safeToExecute):
2002         * dfg/DFGSpeculativeJIT.cpp:
2003         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2004         * dfg/DFGSpeculativeJIT32_64.cpp:
2005         (JSC::DFG::SpeculativeJIT::compile):
2006         * dfg/DFGSpeculativeJIT64.cpp:
2007         (JSC::DFG::SpeculativeJIT::compile):
2008         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2009         * dfg/DFGValidate.cpp:
2010         * ftl/FTLCapabilities.cpp:
2011         (JSC::FTL::canCompile):
2012         * ftl/FTLLowerDFGToB3.cpp:
2013         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2014         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2015         * ftl/FTLOperations.cpp:
2016         (JSC::FTL::operationPopulateObjectInOSR):
2017         (JSC::FTL::operationMaterializeObjectInOSR):
2018         * jit/JIT.cpp:
2019         (JSC::JIT::privateCompileMainPass):
2020         * jit/JIT.h:
2021         * jit/JITOpcodes.cpp:
2022         (JSC::JIT::emitNewFuncCommon):
2023         (JSC::JIT::emit_op_new_async_generator_func):
2024         (JSC::JIT::emit_op_new_async_func):
2025         (JSC::JIT::emitNewFuncExprCommon):
2026         (JSC::JIT::emit_op_new_async_generator_func_exp):
2027         * jit/JITOperations.cpp:
2028         * jit/JITOperations.h:
2029         * llint/LLIntSlowPaths.cpp:
2030         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2031         * llint/LLIntSlowPaths.h:
2032         * llint/LowLevelInterpreter.asm:
2033         * parser/ASTBuilder.h:
2034         (JSC::ASTBuilder::createFunctionMetadata):
2035         * runtime/AsyncFromSyncIteratorPrototype.cpp: Added.
2036         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2037         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2038         (JSC::AsyncFromSyncIteratorPrototype::create):
2039         * runtime/AsyncFromSyncIteratorPrototype.h: Added.
2040         (JSC::AsyncFromSyncIteratorPrototype::createStructure):
2041         * runtime/AsyncGeneratorFunctionConstructor.cpp: Added.
2042         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
2043         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
2044         (JSC::callAsyncGeneratorFunctionConstructor):
2045         (JSC::constructAsyncGeneratorFunctionConstructor):
2046         (JSC::AsyncGeneratorFunctionConstructor::getCallData):
2047         (JSC::AsyncGeneratorFunctionConstructor::getConstructData):
2048         * runtime/AsyncGeneratorFunctionConstructor.h: Added.
2049         (JSC::AsyncGeneratorFunctionConstructor::create):
2050         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
2051         * runtime/AsyncGeneratorFunctionPrototype.cpp: Added.
2052         (JSC::AsyncGeneratorFunctionPrototype::AsyncGeneratorFunctionPrototype):
2053         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
2054         * runtime/AsyncGeneratorFunctionPrototype.h: Added.
2055         (JSC::AsyncGeneratorFunctionPrototype::create):
2056         (JSC::AsyncGeneratorFunctionPrototype::createStructure):
2057         * runtime/AsyncGeneratorPrototype.cpp: Added.
2058         (JSC::AsyncGeneratorPrototype::finishCreation):
2059         * runtime/AsyncGeneratorPrototype.h: Added.
2060         (JSC::AsyncGeneratorPrototype::create):
2061         (JSC::AsyncGeneratorPrototype::createStructure):
2062         (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype):
2063         * runtime/AsyncIteratorPrototype.cpp: Added.
2064         (JSC::AsyncIteratorPrototype::finishCreation):
2065         * runtime/AsyncIteratorPrototype.h: Added.
2066         (JSC::AsyncIteratorPrototype::create):
2067         (JSC::AsyncIteratorPrototype::createStructure):
2068         (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype):
2069         * runtime/CommonIdentifiers.h:
2070         * runtime/FunctionConstructor.cpp:
2071         (JSC::constructFunctionSkippingEvalEnabledCheck):
2072         * runtime/FunctionConstructor.h:
2073         * runtime/FunctionExecutable.h:
2074         * runtime/JSAsyncGeneratorFunction.cpp: Added.
2075         (JSC::JSAsyncGeneratorFunction::JSAsyncGeneratorFunction):
2076         (JSC::JSAsyncGeneratorFunction::createImpl):
2077         (JSC::JSAsyncGeneratorFunction::create):
2078         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
2079         * runtime/JSAsyncGeneratorFunction.h: Added.
2080         (JSC::JSAsyncGeneratorFunction::allocationSize):
2081         (JSC::JSAsyncGeneratorFunction::createStructure):
2082         * runtime/JSFunction.cpp:
2083         (JSC::JSFunction::getOwnPropertySlot):
2084         * runtime/JSGlobalObject.cpp:
2085         (JSC::JSGlobalObject::init):
2086         (JSC::JSGlobalObject::visitChildren):
2087         * runtime/JSGlobalObject.h:
2088         (JSC::JSGlobalObject::asyncIteratorPrototype const):
2089         (JSC::JSGlobalObject::asyncGeneratorPrototype const):
2090         (JSC::JSGlobalObject::asyncGeneratorFunctionPrototype const):
2091         (JSC::JSGlobalObject::asyncGeneratorFunctionStructure const):
2092         * runtime/Options.h:
2093
2094 2017-08-22  Michael Saboff  <msaboff@apple.com>
2095
2096         Implement Unicode RegExp support in the YARR JIT
2097         https://bugs.webkit.org/show_bug.cgi?id=174646
2098
2099         Reviewed by Filip Pizlo.
2100
2101         This support is only implemented for 64 bit platforms.  It wouldn't be too hard to add support
2102         for 32 bit platforms with a reasonable number of spare registers.  This code slightly refactors
2103         register usage to reduce the number of callee save registers used for non-Unicode expressions.
2104         For Unicode expressions, there are several more registers used to store constant values for
2105         processing surrogate pairs as well as discerning whether a character belongs to the Basic
2106         Multilingual Plane (BMP) or one of the Supplemental Planes.
2107
2108         This implements JIT support for Unicode expressions very similar to how the interpreter works.
2109         Just like in the interpreter, backtracking code uses more space on the stack to save positions.
2110         Moved the BackTrackInfo* structs to YarrPattern as separate functions.  Added xxxIndex()
2111         functions to each of these to simplify how the JIT code reads and writes the structure fields.
2112
2113         Given that reading surrogate pairs and transforming them into a single code point takes a
2114         little processing, the code that implements reading a Unicode character is implemented as a
2115         leaf function added to the end of the JIT'ed code.  The calling convention for
2116         "tryReadUnicodeCharacterHelper()" is non-standard given that the rest of the code assumes
2117         that argument values stay in argument registers for most of the generated code.
2118         That helper takes the starting character address in one register, regUnicodeInputAndTrail,
2119         and uses another dedicated temporary register, regUnicodeTemp.  The result is typically
2120         returned in regT0.  If another return register is requested, we'll create an inline copy of
2121         that function.
2122
2123         Added a new flag to CharacterClass to signify if a class has non-BMP characters.  This flag
2124         is used in optimizeAlternative() where we swap the order of a fixed character class term with
2125         a fixed character term that immediately follows it.  Since the non-BMP character class may
2126         increment "index" when matching, that must be done first before trying to match a fixed
2127         character term later in the string.
2128
2129         Given the usefulness of the LEA instruction on X86 to create a single pointer value from a
2130         base with index and offset, which the YARR JIT uses heavily, I added a new macroAssembler
2131         function, getEffectiveAddress64(), with an ARM64 implementation.  It just calls x86Lea64()
2132         on X86-64.  Also added an ImplicitAddress version of load16Unaligned().
2133
2134         (JSC::MacroAssemblerARM64::load16Unaligned):
2135         (JSC::MacroAssemblerARM64::getEffectiveAddress64):
2136         * assembler/MacroAssemblerX86Common.h:
2137         (JSC::MacroAssemblerX86Common::load16Unaligned):
2138         (JSC::MacroAssemblerX86Common::load16):
2139         * assembler/MacroAssemblerX86_64.h:
2140         (JSC::MacroAssemblerX86_64::getEffectiveAddress64):
2141         * create_regex_tables:
2142         * runtime/RegExp.cpp:
2143         (JSC::RegExp::compile):
2144         * yarr/YarrInterpreter.cpp:
2145         * yarr/YarrJIT.cpp:
2146         (JSC::Yarr::YarrGenerator::optimizeAlternative):
2147         (JSC::Yarr::YarrGenerator::matchCharacterClass):
2148         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
2149         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
2150         (JSC::Yarr::YarrGenerator::readCharacter):
2151         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
2152         (JSC::Yarr::YarrGenerator::matchAssertionWordchar):
2153         (JSC::Yarr::YarrGenerator::generateAssertionWordBoundary):
2154         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
2155         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
2156         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
2157         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterGreedy):
2158         (JSC::Yarr::YarrGenerator::generatePatternCharacterNonGreedy):
2159         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
2160         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2161         (JSC::Yarr::YarrGenerator::backtrackCharacterClassOnce):
2162         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2163         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2164         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
2165         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
2166         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2167         (JSC::Yarr::YarrGenerator::generate):
2168         (JSC::Yarr::YarrGenerator::backtrack):
2169         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
2170         (JSC::Yarr::YarrGenerator::generateEnter):
2171         (JSC::Yarr::YarrGenerator::generateReturn):
2172         (JSC::Yarr::YarrGenerator::YarrGenerator):
2173         (JSC::Yarr::YarrGenerator::compile):
2174         * yarr/YarrJIT.h:
2175         * yarr/YarrPattern.cpp:
2176         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2177         (JSC::Yarr::CharacterClassConstructor::reset):
2178         (JSC::Yarr::CharacterClassConstructor::charClass):
2179         (JSC::Yarr::CharacterClassConstructor::addSorted):
2180         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2181         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
2182         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
2183         * yarr/YarrPattern.h:
2184         (JSC::Yarr::CharacterClass::CharacterClass):
2185         (JSC::Yarr::BackTrackInfoPatternCharacter::beginIndex):
2186         (JSC::Yarr::BackTrackInfoPatternCharacter::matchAmountIndex):
2187         (JSC::Yarr::BackTrackInfoCharacterClass::beginIndex):
2188         (JSC::Yarr::BackTrackInfoCharacterClass::matchAmountIndex):
2189         (JSC::Yarr::BackTrackInfoBackReference::beginIndex):
2190         (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):
2191         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
2192         (JSC::Yarr::BackTrackInfoParentheticalAssertion::beginIndex):
2193         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
2194         (JSC::Yarr::BackTrackInfoParenthesesTerminal::beginIndex):
2195
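As an added example (not code from the WebKit patch) illustrating two points of the entry above: a leaf helper that reads one code point from UTF-16 input, combining a surrogate pair and doing the end-of-input check before the trail unit is touched, and the reason optimizeAlternative() may only swap a character class term with the fixed character that follows it when the class has no non-BMP characters. The single-range class type, the function names and the sample inputs are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* UTF-16 surrogate ranges. */
#define LEAD_MIN  0xD800u
#define LEAD_MAX  0xDBFFu
#define TRAIL_MIN 0xDC00u
#define TRAIL_MAX 0xDFFFu

static bool is_lead_surrogate(uint16_t u)  { return u >= LEAD_MIN && u <= LEAD_MAX; }
static bool is_trail_surrogate(uint16_t u) { return u >= TRAIL_MIN && u <= TRAIL_MAX; }

/* Read one code point from the UTF-16 string `str` (`length` code units)
 * starting at `index`. Returns the number of code units consumed: 2 for a
 * lead+trail surrogate pair, 1 otherwise, 0 at end of input. A lone surrogate
 * is returned as its own value, which is what /u regular expressions expect.
 * (Constructed stand-in for the JIT's tryReadUnicodeCharacterHelper.) */
size_t try_read_unicode_char(const uint16_t *str, size_t length, size_t index,
                             uint32_t *code_point)
{
    if (index >= length)
        return 0;
    uint32_t lead = str[index];
    /* `index + 1 < length` is tested before the trail unit is read, so a lead
     * surrogate that is the last unit of the input never causes a read past
     * the end of the buffer. */
    if (is_lead_surrogate((uint16_t)lead) && index + 1 < length
        && is_trail_surrogate(str[index + 1])) {
        uint32_t trail = str[index + 1];
        *code_point = 0x10000u + ((lead - LEAD_MIN) << 10) + (trail - TRAIL_MIN);
        return 2;
    }
    *code_point = lead;
    return 1;
}

/* One inclusive code-point range standing in for a CharacterClass term. */
typedef struct {
    uint32_t lo;
    uint32_t hi;
} char_class;

/* The flag the ChangeLog adds to CharacterClass: does the class contain any
 * character outside the Basic Multilingual Plane? */
bool class_has_non_bmp(const char_class *cls)
{
    return cls->hi > 0xFFFFu;
}

/* The check optimizeAlternative() needs before swapping a fixed class term
 * with the fixed character term that follows it. */
bool can_swap_class_and_literal(const char_class *cls)
{
    return !class_has_non_bmp(cls);
}

/* Match the two-term pattern "[cls]literal" at `index`.
 * literal_first == false: pattern order; the class consumes 1 or 2 code units
 *   and the literal is checked at the updated index.
 * literal_first == true:  the reordered form, which checks the cheap literal
 *   at index + 1 first and so assumes the class consumed exactly one unit.
 * Returns the index just past the match, or -1 if there is no match. */
long match_class_then_literal(const uint16_t *str, size_t length, size_t index,
                              const char_class *cls, uint16_t literal,
                              bool literal_first)
{
    uint32_t cp;
    size_t consumed;
    if (literal_first) {
        if (index + 1 >= length || str[index + 1] != literal)
            return -1;
        consumed = try_read_unicode_char(str, length, index, &cp);
        if (consumed == 0 || cp < cls->lo || cp > cls->hi)
            return -1;
        /* The literal was matched at index + 1 regardless of `consumed`:
         * correct for BMP classes, wrong when the class ate a surrogate pair. */
        return (long)(index + 2);
    }
    consumed = try_read_unicode_char(str, length, index, &cp);
    if (consumed == 0 || cp < cls->lo || cp > cls->hi)
        return -1;
    size_t next = index + consumed;
    if (next >= length || str[next] != literal)
        return -1;
    return (long)(next + 1);
}
```

With the constructed input U+1F600 followed by 'a' and a class covering U+1F600..U+1F64F, pattern order matches and the reordered form does not, which is why the swap is gated on the non-BMP flag.
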
2196 2017-08-22  Per Arne Vollan  <pvollan@apple.com>
2197
2198         Implement 64-bit MacroAssembler::probe support for Windows.
2199         https://bugs.webkit.org/show_bug.cgi?id=175724
2200
2201         Reviewed by Mark Lam.
2202
2203         This is needed to enable the DFG. MSVC no longer supports inline assembly
2204         for 64-bit, which means we have to put the code in an asm file.
2205
2206         * assembler/MacroAssemblerX86Common.cpp:
2207         (JSC::booleanTrueForAvoidingNoReturnDeclaration): Deleted.
2208         * jit/JITStubsMSVC64.asm:
2209
2210 2017-08-22  Devin Rousso  <webkit@devinrousso.com>
2211
2212         Web Inspector: provide way for ShaderPrograms to be enabled/disabled
2213         https://bugs.webkit.org/show_bug.cgi?id=175400
2214
2215         Reviewed by Matt Baker.
2216
2217         * inspector/protocol/Canvas.json:
2218         Add `setShaderProgramDisabled` command that sets the `disabled` flag on the given shader
2219         program to the supplied boolean value. If this value is true, calls to `drawArrays` and
2220         `drawElements` when that program is in use will have no effect.
2221
2222 2017-08-22  Keith Miller  <keith_miller@apple.com>
2223
2224         Unreviewed, fix windows build... for realz.
2225
2226         * CMakeLists.txt:
2227
2228 2017-08-22  Saam Barati  <sbarati@apple.com>
2229
2230         We are using valueProfileForBytecodeOffset when there may not be a value profile
2231         https://bugs.webkit.org/show_bug.cgi?id=175812
2232
2233         Reviewed by Michael Saboff.
2234
2235         This patch uses the type system to aid the code around CodeBlock's ValueProfile
2236         accessor methods. valueProfileForBytecodeOffset used to return ValueProfile*,
2237         so there were callers of this that thought it could return nullptr when there
2238         was no such ValueProfile. This was not the case, it always returned a non-null
2239         pointer. This patch changes valueProfileForBytecodeOffset to return ValueProfile&
2240         and adds a new tryGetValueProfileForBytecodeOffset method that returns ValueProfile*
2241         and does the right thing if there is no such ValueProfile.
2242         
2243         This patch also changes the other ValueProfile accessors on CodeBlock to
2244         return ValueProfile& instead of ValueProfile*. Some callers handled the null
2245         case unnecessarily, and using the type system to specify the result can't be
2246         null removes these useless branches.
2247
2248         * bytecode/CodeBlock.cpp:
2249         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2250         (JSC::CodeBlock::dumpValueProfiles):
2251         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
2252         (JSC::CodeBlock::valueProfileForBytecodeOffset):
2253         (JSC::CodeBlock::validate):
2254         * bytecode/CodeBlock.h:
2255         (JSC::CodeBlock::valueProfileForArgument):
2256         (JSC::CodeBlock::valueProfile):
2257         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
2258         (JSC::CodeBlock::getFromAllValueProfiles):
2259         * dfg/DFGByteCodeParser.cpp:
2260         (JSC::DFG::ByteCodeParser::handleInlining):
2261         * dfg/DFGGraph.cpp:
2262         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2263         * dfg/DFGPredictionInjectionPhase.cpp:
2264         (JSC::DFG::PredictionInjectionPhase::run):
2265         * jit/JIT.h:
2266         * jit/JITInlines.h:
2267         (JSC::JIT::emitValueProfilingSite):
2268         * profiler/ProfilerBytecodeSequence.cpp:
2269         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
2270         * tools/HeapVerifier.cpp:
2271         (JSC::HeapVerifier::validateJSCell):
2272
2273 2017-08-22  Keith Miller  <keith_miller@apple.com>
2274
2275         Unreviewed, fix windows build... maybe.
2276
2277         * CMakeLists.txt:
2278
2279 2017-08-22  Keith Miller  <keith_miller@apple.com>
2280
2281         Unreviewed, fix cloop build.
2282
2283         * JavaScriptCore.xcodeproj/project.pbxproj:
2284
2285 2017-08-22  Per Arne Vollan  <pvollan@apple.com>
2286
2287         [Win][Release] Crash when running testmasm executable.
2288         https://bugs.webkit.org/show_bug.cgi?id=175772
2289
2290         Reviewed by Mark Lam.
2291
2292         We need to save and restore the modified registers in case one or more registers are callee saved
2293         on the relevant platforms.
2294
2295         * assembler/testmasm.cpp:
2296         (JSC::testProbeReadsArgumentRegisters):
2297         (JSC::testProbeWritesArgumentRegisters):
2298
2299 2017-08-21  Mark Lam  <mark.lam@apple.com>
2300
2301         Change probe code to use static_assert instead of COMPILE_ASSERT.
2302         https://bugs.webkit.org/show_bug.cgi?id=175762
2303
2304         Reviewed by JF Bastien.
2305
2306         * assembler/MacroAssemblerARM.cpp:
2307         * assembler/MacroAssemblerARM64.cpp:
2308         (JSC::MacroAssembler::probe): Deleted.
2309         * assembler/MacroAssemblerARMv7.cpp:
2310         * assembler/MacroAssemblerX86Common.cpp:
2311
2312 2017-08-21  Keith Miller  <keith_miller@apple.com>
2313
2314         Make generate_offset_extractor.rb architectures argument more robust
2315         https://bugs.webkit.org/show_bug.cgi?id=175809
2316
2317         Reviewed by Joseph Pecoraro.
2318
2319         It turns out that some of our builders pass their architectures as
2320         space separated lists.  I decided to just make the splitting of
2321         our list robust to any reasonable combination of spaces and
2322         commas.
2323
2324         * offlineasm/generate_offset_extractor.rb:
2325
2326 2017-08-21  Keith Miller  <keith_miller@apple.com>
2327
2328         Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
2329         https://bugs.webkit.org/show_bug.cgi?id=175690
2330
2331         Reviewed by Michael Saboff.
2332
2333         This should reduce some of the time we spend building offline asm
2334         in our builds (except for linux since they already did this).
2335
2336         * CMakeLists.txt:
2337         * JavaScriptCore.xcodeproj/project.pbxproj:
2338         * offlineasm/backends.rb:
2339         * offlineasm/generate_offset_extractor.rb:
2340
2341 2017-08-20  Mark Lam  <mark.lam@apple.com>
2342
2343         Gardening: fix CLoop build.
2344         https://bugs.webkit.org/show_bug.cgi?id=175688
2345         <rdar://problem/33436870>
2346
2347         Not reviewed.
2348
2349         Make these files dependent on ENABLE(MASM_PROBE).
2350
2351         * assembler/ProbeContext.cpp:
2352         * assembler/ProbeContext.h:
2353         * assembler/ProbeStack.cpp:
2354         * assembler/ProbeStack.h:
2355
2356 2017-08-20  Mark Lam  <mark.lam@apple.com>
2357
2358         Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
2359         https://bugs.webkit.org/show_bug.cgi?id=175688
2360         <rdar://problem/33436870>
2361
2362         Reviewed by JF Bastien.
2363
2364         With this patch, the clients of the MacroAssembler::probe() can now change
2365         stack values without having to worry about whether there is enough room in the
2366         current stack frame for it or not.  This is done using the Probe::Context's stack
2367         member like so:
2368
2369             jit.probe([] (Probe::Context& context) {
2370                 auto cpu = context.cpu;
2371                 auto stack = context.stack();
2372                 uintptr_t* currentSP = cpu.sp<uintptr_t*>();
2373
2374                 // Get a value at the current stack pointer location.
2375                 auto value = stack.get<uintptr_t>(currentSP);
2376
2377                 // Set a value above the current stack pointer (within current frame).
2378                 stack.set<uintptr_t>(currentSP + 10, value);
2379
2380                 // Set a value below the current stack pointer (out of current frame).
2381                 stack.set<uintptr_t>(currentSP - 10, value);
2382
2383                 // Set the new stack pointer.
2384                 cpu.sp() = currentSP - 20;
2385             });
2386
2387         What happens behind the scene:
2388
2389         1. the generated JIT probe code will now call Probe::executeProbe(), and
2390            Probe::executeProbe() will in turn call the client's probe function.
2391
2392            Probe::executeProbe() receives the Probe::State on the machine stack passed
2393            to it by the probe trampoline.  Probe::executeProbe() will instantiate a
2394            Probe::Context to be passed to the client's probe function.  The client will
2395            no longer see the Probe::State directly.
2396
2397         2. The Probe::Context comes with a Probe::Stack which serves as a manager of
2398            stack pages.  Currently, each page is 1K in size.
2399            Probe::Context::stack() returns a reference to an instance of Probe::Stack.
2400
2401         3. Invoking get() or set() on Probe::Stack with an address will lead to the
2402            following:
2403
2404            a. the address will be decoded to a baseAddress that points to the 1K page
2405               that contains that address.
2406
2407            b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
2408               If so, go to step (f).  Else, continue with step (c).
2409
2410            c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
2411               for that specified baseAddress to this mirror page.
2412
2413            d. the mirror page will be added to the ProbeStack's m_pages HashMap,
2414               keyed on the baseAddress.
2415
2416            e. the ProbeStack will also cache the last baseAddress and its corresponding
2417               mirror page in use.  With memory accesses tending to be localized, this
2418               will save us from having to look up the page in the HashMap.
2419
2420            f. get() will map the requested address to a physical address in the mirror
2421               page, and return the value at that location.
2422
2423            g. set() will map the requested address to a physical address in the mirror
2424               page, and set the value at that location in the mirror page.
2425
2426               set() will also set a dirty bit corresponding to the "cache line" that
2427               was modified in the mirror page.
2428
2429         4. When the client's probe function returns, Probe::executeProbe() will check if
2430            there are stack changes that need to be applied.  If stack changes are needed:
2431
2432            a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
2433               space is available to flush the dirty stack pages.  It will also register a
2434               flushStackDirtyPages callback function in the Probe::State.  Thereafter,
2435               Probe::executeProbe() returns to the probe trampoline.
2436
2437            b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
2438               a safe place if needed, and then calls the flushStackDirtyPages callback
2439               if needed.
2440
2441            c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
2442               HashMap and flushes all dirty "cache lines" to the machine stack.
2443               Thereafter, flushStackDirtyPages() returns to the probe trampoline.
2444
2445            d. lastly, the probe trampoline will restore all register values and return
2446               to the pc set in the Probe::State.
2447
2448         To make this patch work, I also had to do the following work:
2449
2450         5. Refactor MacroAssembler::CPUState into Probe::CPUState.
2451            Mainly, this means moving the code over to ProbeContext.h.
2452            I also added some convenience accessor methods for spr registers. 
2453
2454            Moved Probe::Context over to its own file ProbeContext.h/cpp.
2455
2456         6. Fix all probe trampolines to pass the address of Probe::executeProbe in
2457            addition to the client's probe function and arg.
2458
2459            I also took this opportunity to optimize the generated JIT probe code to
2460            minimize the amount of memory stores needed. 
2461
2462         7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
2463            either lr or pc (or neither), but not both in the same probe invocation.
2464            The ARM64 probe trampoline used to have to check for this invariant in the
2465            assembly trampoline code.  With the introduction of Probe::executeProbe(),
2466            we can now do it there and simplify the trampoline.
2467
2468         8. Fix a bug in the old ARM64 probe trampoline for the case where the client
2469            changes lr.  That code path never worked before, but has now been fixed.
2470
2471         9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
2472            MacroAssemblerARMv7.
2473
2474            We can now use move() with TrustedImmPtr, and it does the same thing but in a
2475            more generic way.
2476
2477        10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
2478            the same semantics as movs (according to the Thumb spec).  This means these
2479            instructions may trash the APSR flags before we have a chance to preserve them.
2480
2481            This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
2482            early on.  This entails adding support for the mrs instruction in the
2483            ARMv7Assembler.
2484
2485        11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
2486            the easy way.
2487
2488            Also fixed testmasm tests which check flag registers to only compare the
2489            portions that are modifiable by the client i.e. some masking is applied.
2490
2491         This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.
2492
2493         * CMakeLists.txt:
2494         * JavaScriptCore.xcodeproj/project.pbxproj:
2495         * assembler/ARMv7Assembler.h:
2496         (JSC::ARMv7Assembler::mrs):
2497         * assembler/AbstractMacroAssembler.h:
2498         * assembler/MacroAssembler.cpp:
2499         (JSC::stdFunctionCallback):
2500         (JSC::MacroAssembler::probe):
2501         * assembler/MacroAssembler.h:
2502         (JSC::MacroAssembler::CPUState::gprName): Deleted.
2503         (JSC::MacroAssembler::CPUState::sprName): Deleted.
2504         (JSC::MacroAssembler::CPUState::fprName): Deleted.
2505         (JSC::MacroAssembler::CPUState::gpr): Deleted.
2506         (JSC::MacroAssembler::CPUState::spr): Deleted.
2507         (JSC::MacroAssembler::CPUState::fpr): Deleted.
2508         (JSC:: const): Deleted.
2509         (JSC::MacroAssembler::CPUState::fpr const): Deleted.
2510         (JSC::MacroAssembler::CPUState::pc): Deleted.
2511         (JSC::MacroAssembler::CPUState::fp): Deleted.
2512         (JSC::MacroAssembler::CPUState::sp): Deleted.
2513         (JSC::MacroAssembler::CPUState::pc const): Deleted.
2514         (JSC::MacroAssembler::CPUState::fp const): Deleted.
2515         (JSC::MacroAssembler::CPUState::sp const): Deleted.
2516         (JSC::Probe::State::gpr): Deleted.
2517         (JSC::Probe::State::spr): Deleted.
2518         (JSC::Probe::State::fpr): Deleted.
2519         (JSC::Probe::State::gprName): Deleted.
2520         (JSC::Probe::State::sprName): Deleted.
2521         (JSC::Probe::State::fprName): Deleted.
2522         (JSC::Probe::State::pc): Deleted.
2523         (JSC::Probe::State::fp): Deleted.
2524         (JSC::Probe::State::sp): Deleted.
2525         * assembler/MacroAssemblerARM.cpp:
2526         (JSC::MacroAssembler::probe):
2527         * assembler/MacroAssemblerARM.h:
2528         (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
2529         * assembler/MacroAssemblerARM64.cpp:
2530         (JSC::MacroAssembler::probe):
2531         (JSC::arm64ProbeError): Deleted.
2532         * assembler/MacroAssemblerARMv7.cpp:
2533         (JSC::MacroAssembler::probe):
2534         * assembler/MacroAssemblerARMv7.h:
2535         (JSC::MacroAssemblerARMv7::armV7Condition):
2536         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
2537         * assembler/MacroAssemblerPrinter.cpp:
2538         (JSC::Printer::printCallback):
2539         * assembler/MacroAssemblerPrinter.h:
2540         * assembler/MacroAssemblerX86Common.cpp:
2541         (JSC::ctiMasmProbeTrampoline):
2542         (JSC::MacroAssembler::probe):
2543         * assembler/Printer.h:
2544         (JSC::Printer::Context::Context):
2545         * assembler/ProbeContext.cpp: Added.
2546         (JSC::Probe::executeProbe):
2547         (JSC::Probe::handleProbeStackInitialization):
2548         (JSC::Probe::probeStateForContext):
2549         * assembler/ProbeContext.h: Added.
2550         (JSC::Probe::CPUState::gprName):
2551         (JSC::Probe::CPUState::sprName):
2552         (JSC::Probe::CPUState::fprName):
2553         (JSC::Probe::CPUState::gpr):
2554         (JSC::Probe::CPUState::spr):
2555         (JSC::Probe::CPUState::fpr):
2556         (JSC::Probe:: const):
2557         (JSC::Probe::CPUState::fpr const):
2558         (JSC::Probe::CPUState::pc):
2559         (JSC::Probe::CPUState::fp):
2560         (JSC::Probe::CPUState::sp):
2561         (JSC::Probe::CPUState::pc const):
2562         (JSC::Probe::CPUState::fp const):
2563         (JSC::Probe::CPUState::sp const):
2564         (JSC::Probe::Context::Context):
2565         (JSC::Probe::Context::gpr):
2566         (JSC::Probe::Context::spr):
2567         (JSC::Probe::Context::fpr):
2568         (JSC::Probe::Context::gprName):
2569         (JSC::Probe::Context::sprName):
2570         (JSC::Probe::Context::fprName):
2571         (JSC::Probe::Context::pc):
2572         (JSC::Probe::Context::fp):
2573         (JSC::Probe::Context::sp):
2574         (JSC::Probe::Context::stack):
2575         (JSC::Probe::Context::hasWritesToFlush):
2576         (JSC::Probe::Context::releaseStack):
2577         * assembler/ProbeStack.cpp: Added.
2578         (JSC::Probe::Page::Page):
2579         (JSC::Probe::Page::flushWrites):
2580         (JSC::Probe::Stack::Stack):
2581         (JSC::Probe::Stack::hasWritesToFlush):
2582         (JSC::Probe::Stack::flushWrites):
2583         (JSC::Probe::Stack::ensurePageFor):
2584         * assembler/ProbeStack.h: Added.
2585         (JSC::Probe::Page::baseAddressFor):
2586         (JSC::Probe::Page::chunkAddressFor):
2587         (JSC::Probe::Page::baseAddress):
2588         (JSC::Probe::Page::get):
2589         (JSC::Probe::Page::set):
2590         (JSC::Probe::Page::hasWritesToFlush const):
2591         (JSC::Probe::Page::flushWritesIfNeeded):
2592         (JSC::Probe::Page::dirtyBitFor):
2593         (JSC::Probe::Page::physicalAddressFor):
2594         (JSC::Probe::Stack::Stack):
2595         (JSC::Probe::Stack::lowWatermark):
2596         (JSC::Probe::Stack::get):
2597         (JSC::Probe::Stack::set):
2598         (JSC::Probe::Stack::newStackPointer const):
2599         (JSC::Probe::Stack::setNewStackPointer):
2600         (JSC::Probe::Stack::isValid):
2601         (JSC::Probe::Stack::pageFor):
2602         * assembler/testmasm.cpp:
2603         (JSC::testProbeReadsArgumentRegisters):
2604         (JSC::testProbeWritesArgumentRegisters):
2605         (JSC::testProbePreservesGPRS):
2606         (JSC::testProbeModifiesStackPointer):
2607         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
2608         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2609         (JSC::testProbeModifiesProgramCounter):
2610         (JSC::testProbeModifiesStackValues):
2611         (JSC::run):
2612         (): Deleted.
2613         (JSC::fillStack): Deleted.
2614         (JSC::testProbeModifiesStackWithCallback): Deleted.
2615
2616 2017-08-19  Andy Estes  <aestes@apple.com>
2617
2618         [Payment Request] Add interface stubs
2619         https://bugs.webkit.org/show_bug.cgi?id=175730
2620
2621         Reviewed by Youenn Fablet.
2622
2623         * runtime/CommonIdentifiers.h:
2624
2625 2017-08-18  Per Arne Vollan  <pvollan@apple.com>
2626
2627         Implement 32-bit MacroAssembler::probe support for Windows.
2628         https://bugs.webkit.org/show_bug.cgi?id=175449
2629
2630         Reviewed by Mark Lam.
2631
2632         This is needed to enable the DFG.
2633
2634         * assembler/MacroAssemblerX86Common.cpp:
2635         * assembler/testmasm.cpp:
2636         (JSC::run):
2637         (dllLauncherEntryPoint):
2638         * shell/CMakeLists.txt:
2639         * shell/PlatformWin.cmake:
2640
2641 2017-08-18  Mark Lam  <mark.lam@apple.com>
2642
2643         Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
2644         https://bugs.webkit.org/show_bug.cgi?id=175725
2645         <rdar://problem/33965477>
2646
2647         Rubber-stamped by JF Bastien.
2648
2649         This is purely a refactoring patch (in preparation for the introduction of a
2650         Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
2651         later).  This patch does not change any semantics / behavior.
2652
2653         * assembler/AbstractMacroAssembler.h:
2654         * assembler/MacroAssembler.cpp:
2655         (JSC::stdFunctionCallback):
2656         (JSC::MacroAssembler::probe):
2657         * assembler/MacroAssembler.h:
2658         (JSC::ProbeContext::gpr): Deleted.
2659         (JSC::ProbeContext::spr): Deleted.
2660         (JSC::ProbeContext::fpr): Deleted.
2661         (JSC::ProbeContext::gprName): Deleted.
2662         (JSC::ProbeContext::sprName): Deleted.
2663         (JSC::ProbeContext::fprName): Deleted.
2664         (JSC::ProbeContext::pc): Deleted.
2665         (JSC::ProbeContext::fp): Deleted.
2666         (JSC::ProbeContext::sp): Deleted.
2667         * assembler/MacroAssemblerARM.cpp:
2668         (JSC::MacroAssembler::probe):
2669         * assembler/MacroAssemblerARM.h:
2670         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2671         * assembler/MacroAssemblerARM64.cpp:
2672         (JSC::arm64ProbeError):
2673         (JSC::MacroAssembler::probe):
2674         * assembler/MacroAssemblerARMv7.cpp:
2675         (JSC::MacroAssembler::probe):
2676         * assembler/MacroAssemblerARMv7.h:
2677         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
2678         * assembler/MacroAssemblerPrinter.cpp:
2679         (JSC::Printer::printCallback):
2680         * assembler/MacroAssemblerPrinter.h:
2681         * assembler/MacroAssemblerX86Common.cpp:
2682         (JSC::MacroAssembler::probe):
2683         * assembler/Printer.h:
2684         (JSC::Printer::Context::Context):
2685         * assembler/testmasm.cpp:
2686         (JSC::testProbeReadsArgumentRegisters):
2687         (JSC::testProbeWritesArgumentRegisters):
2688         (JSC::testProbePreservesGPRS):
2689         (JSC::testProbeModifiesStackPointer):
2690         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
2691         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2692         (JSC::testProbeModifiesProgramCounter):
2693         (JSC::fillStack):
2694         (JSC::testProbeModifiesStackWithCallback):
2695         (JSC::run):
2696         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.
2697
2698 2017-08-17  JF Bastien  <jfbastien@apple.com>
2699
2700         WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
2701         https://bugs.webkit.org/show_bug.cgi?id=175693
2702         <rdar://problem/33952443>
2703
2704         Reviewed by Saam Barati.
2705
2706         64-bit constants in an unreachable context were being decoded as
2707         32-bit constants. This is pretty benign because unreachable code
2708         shouldn't occur often. The effect is that 64-bit constants which
2709         can't be encoded as 32-bit constants would cause the binary to be
2710         rejected.
2711
2712         At the same time, 32-bit integer constants should be decoded as signed.
2713
2714         * wasm/WasmFunctionParser.h:
2715         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
2716
2717 2017-08-17  Robin Morisset  <rmorisset@apple.com>
2718
2719         Teach DFGFixupPhase.cpp that the current scope is always a cell
2720         https://bugs.webkit.org/show_bug.cgi?id=175610
2721
2722         Reviewed by Keith Miller.
2723
2724         Also teach it that the argument to with can usually be speculated to be an object,
2725         since toObject() is called on it.
2726
2727         * dfg/DFGFixupPhase.cpp:
2728         (JSC::DFG::FixupPhase::fixupNode):
2729         * dfg/DFGSpeculativeJIT.cpp:
2730         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2731         * dfg/DFGSpeculativeJIT.h:
2732         (JSC::DFG::SpeculativeJIT::callOperation):
2733         * ftl/FTLLowerDFGToB3.cpp:
2734         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
2735         * jit/JITOperations.cpp:
2736         * jit/JITOperations.h:
2737
2738 2017-08-17  Matt Baker  <mattbaker@apple.com>
2739
2740         Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
2741         https://bugs.webkit.org/show_bug.cgi?id=175644
2742
2743         Reviewed by Brian Burg.
2744
2745         * inspector/agents/InspectorScriptProfilerAgent.h:
2746
2747 2017-08-17  Mark Lam  <mark.lam@apple.com>
2748
2749         Only use 16 VFP registers if !CPU(ARM_NEON).
2750         https://bugs.webkit.org/show_bug.cgi?id=175514
2751
2752         Reviewed by JF Bastien.
2753
2754         Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
2755         says that there are only 16 128-bit NEON registers.  This change is merely to
2756         correct the code documentation of these registers.  The FPQuadRegisterID are
2757         currently unused.
2758
2759         * assembler/ARMAssembler.h:
2760         (JSC::ARMAssembler::lastFPRegister):
2761         (JSC::ARMAssembler::fprName):
2762         * assembler/ARMv7Assembler.h:
2763         (JSC::ARMv7Assembler::lastFPRegister):
2764         (JSC::ARMv7Assembler::fprName):
2765         * assembler/MacroAssemblerARM.cpp:
2766         * assembler/MacroAssemblerARMv7.cpp:
2767
2768 2017-08-17  Andreas Kling  <akling@apple.com>
2769
2770         Disable CSS regions at compile time
2771         https://bugs.webkit.org/show_bug.cgi?id=175630
2772
2773         Reviewed by Antti Koivisto.
2774
2775         * Configurations/FeatureDefines.xcconfig:
2776
2777 2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>
2778
2779         [WPE][GTK] Ensure proper casting of data in gvariants
2780         https://bugs.webkit.org/show_bug.cgi?id=175667
2781
2782         Reviewed by Michael Catanzaro.
2783
2784         g_variant_new requires data to have the correct width for their types, using
2785         casting if necessary. Some data of type `unsigned` were being saved to `guint64`
2786         types without explicit casting, leading to undefined behavior in some platforms.
2787
2788         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2789         (Inspector::RemoteInspector::listingForInspectionTarget const):
2790         (Inspector::RemoteInspector::listingForAutomationTarget const):
2791         (Inspector::RemoteInspector::sendMessageToRemote):
2792
2793 2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2794
2795         [JSC] Avoid code bloating for iteration if block does not have "break"
2796         https://bugs.webkit.org/show_bug.cgi?id=173228
2797
2798         Reviewed by Keith Miller.
2799
2800         Currently, we always emit code for the break path when emitting for-of iteration.
2801         But we can know whether this break path can be used when emitting the bytecode.
2802
2803         This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
2804         the break label may be bound. We emit the break path only when it returns
2805         true. This reduces bytecode bloating when using for-of iteration.
2806
2807         * bytecompiler/BytecodeGenerator.cpp:
2808         (JSC::Label::setLocation):
2809         (JSC::BytecodeGenerator::newLabel):
2810         (JSC::BytecodeGenerator::emitLabel):
2811         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
2812         (JSC::BytecodeGenerator::breakTarget):
2813         (JSC::BytecodeGenerator::continueTarget):
2814         (JSC::BytecodeGenerator::emitEnumeration):
2815         * bytecompiler/BytecodeGenerator.h:
2816         * bytecompiler/Label.h:
2817         (JSC::Label::bind const):
2818         (JSC::Label::hasOneRef const):
2819         (JSC::Label::isBound const):
2820         (JSC::Label::Label): Deleted.
2821         * bytecompiler/LabelScope.h:
2822         (JSC::LabelScope::hasOneRef const):
2823         (JSC::LabelScope::breakTargetMayBeBound const):
2824         * bytecompiler/NodesCodegen.cpp:
2825         (JSC::ContinueNode::trivialTarget):
2826         (JSC::ContinueNode::emitBytecode):
2827         (JSC::BreakNode::trivialTarget):
2828         (JSC::BreakNode::emitBytecode):
2829
2830 2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>
2831
2832         ARM build fix after r220807 and r220834.
2833         https://bugs.webkit.org/show_bug.cgi?id=175617
2834
2835         Unreviewed typo fix.
2836
2837         * assembler/MacroAssemblerARM.cpp:
2838
2839 2017-08-17  Mark Lam  <mark.lam@apple.com>
2840
2841         Gardening: build fix for ARM_TRADITIONAL after r220807.
2842         https://bugs.webkit.org/show_bug.cgi?id=175617
2843
2844         Not reviewed.
2845
2846         * assembler/MacroAssemblerARM.cpp:
2847
2848 2017-08-16  Mark Lam  <mark.lam@apple.com>
2849
2850         Add back the ability to disable MASM_PROBE from the build.
2851         https://bugs.webkit.org/show_bug.cgi?id=175656
2852         <rdar://problem/33933720>
2853
2854         Reviewed by Yusuke Suzuki.
2855
2856         This is needed for ports that the existing MASM_PROBE implementation doesn't work
2857         well with, e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
2858         default if !ENABLE(MASM_PROBE).
2859
2860         * assembler/AbstractMacroAssembler.h:
2861         * assembler/MacroAssembler.cpp:
2862         * assembler/MacroAssembler.h:
2863         * assembler/MacroAssemblerARM.cpp:
2864         * assembler/MacroAssemblerARM64.cpp:
2865         * assembler/MacroAssemblerARMv7.cpp:
2866         * assembler/MacroAssemblerPrinter.cpp:
2867         * assembler/MacroAssemblerPrinter.h:
2868         * assembler/MacroAssemblerX86Common.cpp:
2869         * assembler/testmasm.cpp:
2870         (JSC::run):
2871         * b3/B3LowerToAir.cpp:
2872         * b3/air/AirPrintSpecial.cpp:
2873         * b3/air/AirPrintSpecial.h:
2874
2875 2017-08-16  Dan Bernstein  <mitz@apple.com>
2876
2877         [Cocoa] Older-iOS install name symbols are being exported on other platforms
2878         https://bugs.webkit.org/show_bug.cgi?id=175654
2879
2880         Reviewed by Tim Horton.
2881
2882         * API/JSBase.cpp: Define the symbols only when targeting iOS.
2883
2884 2017-08-16  Matt Baker  <mattbaker@apple.com>
2885
2886         Web Inspector: capture async stack trace when workers/main context posts a message
2887         https://bugs.webkit.org/show_bug.cgi?id=167084
2888         <rdar://problem/30033673>
2889
2890         Reviewed by Brian Burg.
2891
2892         * inspector/agents/InspectorDebuggerAgent.h:
2893         Add `PostMessage` async call type.
2894
2895 2017-08-16  Mark Lam  <mark.lam@apple.com>
2896
2897         Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
2898         https://bugs.webkit.org/show_bug.cgi?id=175617
2899         <rdar://problem/33912104>
2900
2901         Reviewed by JF Bastien.
2902
2903         This patch adds a new feature to MacroAssembler::probe() where the probe function
2904         can provide a ProbeFunction callback to fill in stack values after the stack
2905         pointer has been adjusted.  The probe function can use this feature as follows:
2906
2907         1. Set the new sp value in the ProbeContext's CPUState.
2908
2909         2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
2910            which will do the work of filling in the stack values after the probe
2911            trampoline has adjusted the machine stack pointer.
2912
2913         3. Set the ProbeContext's initializeStackArgs to any value that the client wants
2914            to pass to the initializeStackFunction callback.
2915
2916         4. Return from the probe function.
2917
2918         Upon returning from the probe function, the probe trampoline will adjust the
2919         stack pointer based on the sp value in CPUState.  If initializeStackFunction
2920         is not set, the probe trampoline will restore registers and return to its caller.
2921
2922         If initializeStackFunction is set, the trampoline will move the ProbeContext
2923         beyond the range of the stack pointer i.e. it will place the new ProbeContext at
2924         an address lower than where CPUState.sp() points.  This ensures that the
2925         ProbeContext will not be trashed by the initializeStackFunction when it writes to
2926         the stack.  Then, the trampoline will call back to the initializeStackFunction
2927         ProbeFunction to let it fill in the stack values as desired.  The
2928         initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
2929         the new location.
2930
2931         initializeStackFunction may now write to the stack at addresses greater or
2932         equal to CPUState.sp(), but not below that.  initializeStackFunction is also
2933         not allowed to change CPUState.sp().  If the initializeStackFunction does not
2934         abide by these rules, then behavior is undefined, and bad things may happen.
2935
2936         For future reference, some implementation details that this patch needed to
2937         be mindful of:
2938
2939         1. When the probe trampoline allocates stack space for the ProbeContext, it
2940            should include OUT_SIZE as well.  This ensures that it doesn't have to move
2941            the ProbeContext on exit if the probe function didn't change the sp.
2942
2943         2. If the trampoline has to move the ProbeContext, it needs to point the machine
2944            sp to new ProbeContext first before copying over the ProbeContext data.  This
2945            protects the new ProbeContext from possibly being trashed by interrupts.
2946
2947         3. When computing the new address of ProbeContext to move to, we need to make
2948            sure that it is properly aligned in accordance with stack ABI requirements
2949            (just like we did when we allocated the ProbeContext on entry to the
2950            probe trampoline).
2951
2952         4. When copying the ProbeContext to its new location, the trampoline should
2953            always copy words from low addresses to high addresses.  This is because if
2954            we're moving the ProbeContext, we'll always be moving it to a lower address.
2955
2956         * assembler/MacroAssembler.h:
2957         * assembler/MacroAssemblerARM.cpp:
2958         * assembler/MacroAssemblerARM64.cpp:
2959         * assembler/MacroAssemblerARMv7.cpp:
2960         * assembler/MacroAssemblerX86Common.cpp:
2961         * assembler/testmasm.cpp:
2962         (JSC::testProbePreservesGPRS):
2963         (JSC::testProbeModifiesStackPointer):
2964         (JSC::fillStack):
2965         (JSC::testProbeModifiesStackWithCallback):
2966         (JSC::run):
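Added illustration, not code from this patch or from JavaScriptCore: a small C++ model of the relocation rules listed above (point sp at the new context first, align it, copy words from low to high) and of the contract that initializeStackFunction only writes at or above CPUState.sp(). The stack, the 8-word context layout, the 16-byte alignment and every name here (SimStack, relocatedContextAddress, moveContextLowToHigh, initializeStackWrite) are hypothetical stand-ins chosen for the example; the overlap case it constructs is exactly the one that makes the copy direction matter.

```cpp
#include <array>
#include <cassert>
#include <cstddef>
#include <cstdint>

// Simulated machine stack: 64 8-byte words. "Addresses" are byte offsets into
// this array (hypothetical model, not the real probe trampoline).
constexpr size_t kWordSize = 8;
constexpr size_t kStackWords = 64;
using SimStack = std::array<uint64_t, kStackWords>;

// Simplified probe context: 8 words. Word 0 stands for CPUState.sp(), the rest
// stand in for saved registers. 16-byte alignment is assumed for the example.
constexpr size_t kContextWords = 8;
constexpr size_t kContextBytes = kContextWords * kWordSize;
constexpr size_t kStackAlignment = 16;

static uint64_t& wordAt(SimStack& stack, size_t byteAddr) {
    assert(byteAddr % kWordSize == 0 && byteAddr / kWordSize < kStackWords);
    return stack[byteAddr / kWordSize];
}

// Where the trampoline moves the context: just below the requested sp, aligned
// down so the new location still satisfies the stack ABI (point 3).
constexpr size_t relocatedContextAddress(size_t requestedSp) {
    return (requestedSp - kContextBytes) & ~(kStackAlignment - 1);
}

// Copy word by word from low to high addresses (point 4). The destination is
// always lower than the source, so every word is read before the slot it lives
// in can be overwritten; an overlapping move is therefore safe.
static void moveContextLowToHigh(SimStack& stack, size_t from, size_t to) {
    assert(to < from);
    for (size_t i = 0; i < kContextWords; ++i)
        wordAt(stack, to + i * kWordSize) = wordAt(stack, from + i * kWordSize);
}

// The same move done high to low: wrong when the ranges overlap, because a low
// source word has already been clobbered by the time it is read.
static void moveContextHighToLow(SimStack& stack, size_t from, size_t to) {
    for (size_t i = kContextWords; i-- > 0;)
        wordAt(stack, to + i * kWordSize) = wordAt(stack, from + i * kWordSize);
}

// The rule the entry states for initializeStackFunction, made checkable: writes
// must land at or above CPUState.sp(). Returns false instead of touching the
// stack when a write would reach the region holding the moved context.
static bool initializeStackWrite(SimStack& stack, size_t requestedSp, size_t addr, uint64_t value) {
    if (addr < requestedSp)
        return false;
    wordAt(stack, addr) = value;
    return true;
}

// Runs the "probe returns with a changed sp" scenario and reports whether the
// relocated context still holds the original values afterwards.
static bool relocateAndVerify(bool lowToHigh) {
    SimStack stack{};
    const size_t oldContext = 32 * kWordSize;            // context saved at byte 256
    for (size_t i = 0; i < kContextWords; ++i)           // recognisable filler values
        wordAt(stack, oldContext + i * kWordSize) = 0x1000 + i;

    // Probe function asks for an sp two words inside the old context, so the new
    // home of the context (bytes 208..271) overlaps the old one (bytes 256..319).
    const size_t requestedSp = oldContext + 2 * kWordSize;
    wordAt(stack, oldContext) = requestedSp;              // the CPUState.sp() word
    const size_t newContext = relocatedContextAddress(requestedSp);
    assert(newContext < requestedSp && newContext % kStackAlignment == 0);

    // Point 2: the machine sp would be set to newContext here, before the copy,
    // so an interrupt cannot land on the words being written.
    if (lowToHigh)
        moveContextLowToHigh(stack, oldContext, newContext);
    else
        moveContextHighToLow(stack, oldContext, newContext);

    // initializeStackFunction fills slots at and above requestedSp; a write one
    // word below it would hit the moved context and must be refused.
    bool intact = initializeStackWrite(stack, requestedSp, requestedSp, 0xABCD)
        && initializeStackWrite(stack, requestedSp, requestedSp + kWordSize, 0xABCE)
        && !initializeStackWrite(stack, requestedSp, requestedSp - kWordSize, 0xDEAD);

    intact = intact && wordAt(stack, newContext) == requestedSp;
    for (size_t i = 1; i < kContextWords; ++i)
        intact = intact && wordAt(stack, newContext + i * kWordSize) == 0x1000 + i;
    return intact;
}
```

relocateAndVerify(true) returns true; relocateAndVerify(false) returns false because the two overlapping words are read after they were overwritten, which is the corruption the low-to-high rule exists to prevent.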
2967
2968 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
2969
2970         Fix JSCOnly ARM buildbots after r220047 and r220184
2971         https://bugs.webkit.org/show_bug.cgi?id=174993
2972
2973         Reviewed by Carlos Alberto Lopez Perez.
2974
2975         * CMakeLists.txt: Generate only one backend on Linux to save build time.
2976
2977 2017-08-16  Andy Estes  <aestes@apple.com>
2978
2979         [Payment Request] Add an ENABLE flag and an experimental feature preference
2980         https://bugs.webkit.org/show_bug.cgi?id=175622
2981
2982         Reviewed by Tim Horton.
2983
2984         * Configurations/FeatureDefines.xcconfig:
2985
2986 2017-08-15  Robin Morisset  <rmorisset@apple.com>
2987
2988         We are too conservative about the effects of PushWithScope
2989         https://bugs.webkit.org/show_bug.cgi?id=175584
2990
2991         Reviewed by Saam Barati.
2992
2993         PushWithScope converts its argument to an object (this can throw a type error,
2994         but has no other observable effect), and allocates a new scope, that it then
2995         makes the new current scope. We were a bit too
2996         conservative in saying that it clobbers the world.
2997
2998         * dfg/DFGAbstractInterpreterInlines.h:
2999         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3000         * dfg/DFGClobberize.h:
3001         (JSC::DFG::clobberize):
3002         * dfg/DFGDoesGC.cpp:
3003         (JSC::DFG::doesGC):
3004
3005 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
3006
3007         Make DataTransferItemList work with plain text entries
3008         https://bugs.webkit.org/show_bug.cgi?id=175596
3009
3010         Reviewed by Wenson Hsieh.
3011
3012         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
3013
3014         * runtime/CommonIdentifiers.h:
3015
3016 2017-08-15  Robin Morisset  <rmorisset@apple.com>
3017
3018         Support the 'with' keyword in FTL
3019         https://bugs.webkit.org/show_bug.cgi?id=175585
3020
3021         Reviewed by Saam Barati.
3022
3023         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
3024         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
3025         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
3026         that takes its parentScope argument first.
3027
3028         * bytecompiler/BytecodeGenerator.cpp:
3029         (JSC::BytecodeGenerator::emitPushWithScope):
3030         * debugger/DebuggerCallFrame.cpp:
3031         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
3032         * dfg/DFGByteCodeParser.cpp:
3033         (JSC::DFG::ByteCodeParser::parseBlock):
3034         * dfg/DFGFixupPhase.cpp:
3035         (JSC::DFG::FixupPhase::fixupNode):
3036         * dfg/DFGSpeculativeJIT.cpp:
3037         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
3038         * ftl/FTLCapabilities.cpp:
3039         (JSC::FTL::canCompile):
3040         * ftl/FTLLowerDFGToB3.cpp:
3041         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3042         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
3043         * jit/JITOperations.cpp:
3044         * runtime/CommonSlowPaths.cpp:
3045         (JSC::SLOW_PATH_DECL):
3046         * runtime/Completion.cpp:
3047         (JSC::evaluateWithScopeExtension):
3048         * runtime/JSWithScope.cpp:
3049         (JSC::JSWithScope::create):
3050         * runtime/JSWithScope.h:
3051
3052 2017-08-15  Saam Barati  <sbarati@apple.com>
3053
3054         Make VM::scratchBufferForSize thread safe
3055         https://bugs.webkit.org/show_bug.cgi?id=175604
3056
3057         Reviewed by Geoffrey Garen and Mark Lam.
3058
3059         I want to use the VM::scratchBufferForSize in another patch I'm writing.
3060         The use case for my other patch is to call it from the compiler thread.
3061         When reading the code, I saw that this API was not thread safe. This patch
3062         makes it thread safe. It actually turns out we were calling this API from
3063         the compiler thread already when we created FTL::State for an FTL OSR entry
3064         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
3065         is now correct with this patch.
3066
3067         * runtime/VM.cpp:
3068         (JSC::VM::VM):
3069         (JSC::VM::~VM):
3070         (JSC::VM::gatherConservativeRoots):
3071         (JSC::VM::scratchBufferForSize):
3072         * runtime/VM.h:
3073         (JSC::VM::scratchBufferForSize): Deleted.
3074
3075 2017-08-15  Keith Miller  <keith_miller@apple.com>
3076
3077         JSC named bytecode offsets should use references rather than pointers
3078         https://bugs.webkit.org/show_bug.cgi?id=175601
3079
3080         Reviewed by Saam Barati.
3081
3082         * dfg/DFGByteCodeParser.cpp:
3083         (JSC::DFG::ByteCodeParser::parseBlock):
3084         * jit/JITOpcodes.cpp:
3085         (JSC::JIT::emit_op_overrides_has_instance):
3086         (JSC::JIT::emit_op_instanceof):
3087         (JSC::JIT::emitSlow_op_instanceof):
3088         (JSC::JIT::emitSlow_op_instanceof_custom):
3089         * jit/JITOpcodes32_64.cpp:
3090         (JSC::JIT::emit_op_overrides_has_instance):
3091         (JSC::JIT::emit_op_instanceof):
3092         (JSC::JIT::emitSlow_op_instanceof):
3093         (JSC::JIT::emitSlow_op_instanceof_custom):
3094
3095 2017-08-15  Keith Miller  <keith_miller@apple.com>
3096
3097         Enable named offsets into JSC bytecodes
3098         https://bugs.webkit.org/show_bug.cgi?id=175561
3099
3100         Reviewed by Mark Lam.
3101
3102         This patch adds the ability to add named offsets into JSC's
3103         bytecodes.  In the bytecode json file, instead of listing a
3104         length, you can now list a set of names and their types. Each
3105         opcode with an offsets property will have a struct named after the
3106         opcode in our C++ naming style. For example,
3107         op_overrides_has_instance would become OpOverridesHasInstance. The
3108         struct has the same memory layout as the instruction list has but
3109         comes with handy named accessors.
3110
3111         As a first cut I converted the various instanceof bytecodes to use
3112         named offsets.
3113
3114         As an example op_overrides_has_instance produces the following struct:
3115
3116         struct OpOverridesHasInstance {
3117         public:
3118             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
3119             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
3120             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
3121             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
3122             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
3123             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
3124             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
3125             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
3126
3127         private:
3128             friend class LLIntOffsetsExtractor;
3129             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
3130             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
3131             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
3132             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
3133         };
3134
3135         * CMakeLists.txt:
3136         * DerivedSources.make:
3137         * JavaScriptCore.xcodeproj/project.pbxproj:
3138         * bytecode/BytecodeList.json:
3139         * dfg/DFGByteCodeParser.cpp:
3140         (JSC::DFG::ByteCodeParser::parseBlock):
3141         * generate-bytecode-files:
3142         * jit/JITOpcodes.cpp:
3143         (JSC::JIT::emit_op_overrides_has_instance):
3144         (JSC::JIT::emit_op_instanceof):
3145         (JSC::JIT::emitSlow_op_instanceof):
3146         (JSC::JIT::emitSlow_op_instanceof_custom):
3147         * jit/JITOpcodes32_64.cpp:
3148         (JSC::JIT::emit_op_overrides_has_instance):
3149         (JSC::JIT::emit_op_instanceof):
3150         (JSC::JIT::emitSlow_op_instanceof):
3151         (JSC::JIT::emitSlow_op_instanceof_custom):
3152         * llint/LLIntOffsetsExtractor.cpp:
3153         * llint/LowLevelInterpreter.asm:
3154         * llint/LowLevelInterpreter32_64.asm:
3155         * llint/LowLevelInterpreter64.asm:
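Added example, not the output of the project's generator nor code from this patch: a stand-alone C++ check that a struct built the way the entry describes really has the same memory layout as the instruction slots it overlays. The Instruction union, the Opcode typedef, the tag used as the opcode value and the encode/decode helpers are hypothetical stand-ins; the accessor pattern in OpOverridesHasInstance follows the struct shown above.

```cpp
#include <cassert>
#include <cstddef>
#include <type_traits>

// Stand-in for one JSC instruction slot: a pointer-sized word that holds either
// an opcode or an operand (hypothetical simplification for this example).
using Opcode = const void*;
union Instruction {
    Opcode opcode;
    int operand;
};

// Hypothetical opcode identity so slot 0 has something to hold.
static const int kOpOverridesHasInstanceTag = 0;
static const Opcode op_overrides_has_instance = &kOpOverridesHasInstanceTag;

// Named-offset view in the style of the generated struct: each field is sized
// for its type but aligned to a whole Instruction, so every field occupies
// exactly one slot and the struct can be overlaid on the bytecode stream.
struct OpOverridesHasInstance {
public:
    Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
    const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
    int& dst() { return *reinterpret_cast<int*>(&m_dst); }
    const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
    int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
    const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
    int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
    const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }

private:
    std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
};

// The property the entry relies on: four named fields, four instruction slots.
static_assert(sizeof(OpOverridesHasInstance) == 4 * sizeof(Instruction),
    "named-offset struct must match the instruction list layout");
static_assert(alignof(OpOverridesHasInstance) == alignof(Instruction),
    "named-offset struct must be placeable at any instruction slot");

struct OverridesHasInstanceOperands {
    int dst;
    int constructor;
    int hasInstanceValue;
};

// Writes one op_overrides_has_instance into a raw stream the way a generator
// would: opcode word followed by three operand words.
static void encodeOverridesHasInstance(Instruction* pc, int dst, int constructor, int hasInstanceValue) {
    pc[0].opcode = op_overrides_has_instance;
    pc[1].operand = dst;
    pc[2].operand = constructor;
    pc[3].operand = hasInstanceValue;
}

// Reads it back through the named-offset view instead of magic indices.
static OverridesHasInstanceOperands decodeOverridesHasInstance(const Instruction* pc) {
    const auto& op = *reinterpret_cast<const OpOverridesHasInstance*>(pc);
    assert(op.opcode() == op_overrides_has_instance);
    return { op.dst(), op.constructor(), op.hasInstanceValue() };
}

// True when the view and the raw slot reads agree for the given operands.
static bool namedOffsetsMatchRawLayout(int dst, int constructor, int hasInstanceValue) {
    Instruction stream[4];
    encodeOverridesHasInstance(stream, dst, constructor, hasInstanceValue);
    OverridesHasInstanceOperands ops = decodeOverridesHasInstance(stream);
    return ops.dst == stream[1].operand
        && ops.constructor == stream[2].operand
        && ops.hasInstanceValue == stream[3].operand
        && ops.dst == dst && ops.constructor == constructor && ops.hasInstanceValue == hasInstanceValue;
}
```

The two static_asserts are the part worth keeping near any hand-written view of this kind: if a field type ever grows past one slot, or the alignment argument is dropped, the struct silently stops lining up with the stream and every accessor reads the wrong operand.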
3156
3157 2017-08-15  Mark Lam  <mark.lam@apple.com>
3158
3159         Update testmasm to use new CPUState APIs.
3160         https://bugs.webkit.org/show_bug.cgi?id=175573
3161
3162         Reviewed by Keith Miller.
3163
3164         1. Applied convenience CPUState accessors to minimize casting.
3165         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
3166            messages.
3167         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
3168            casting is (mostly) no longer an issue.
3169         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
3170            to make it clear that we're comparing against the bit values of testWord64(id).
3171         5. Added a "Completed N tests" message at the end of running all tests.
3172            This makes it easy to tell at a glance that testmasm completed successfully
3173            versus when it crashed midway in a test.  The number of tests also serves as
3174            a quick checksum to confirm that we ran the number of tests we expected.
3175
3176         * assembler/testmasm.cpp:
3177         (WTF::printInternal):
3178         (JSC::testSimple):
3179         (JSC::testProbeReadsArgumentRegisters):
3180         (JSC::testProbeWritesArgumentRegisters):
3181         (JSC::testProbePreservesGPRS):
3182         (JSC::testProbeModifiesStackPointer):
3183         (JSC::testProbeModifiesProgramCounter):
3184         (JSC::run):
3185
3186 2017-08-14  Keith Miller  <keith_miller@apple.com>
3187
3188         Add testing tool to lie to the DFG about profiles
3189         https://bugs.webkit.org/show_bug.cgi?id=175487
3190
3191         Reviewed by Saam Barati.
3192
3193         This patch adds a new bytecode identity_with_profile that lets
3194         us lie to the DFG about what profiles it has seen as the input to
3195         another bytecode. Previously, there was no reliable way to force
3196         a given profile when we tiered up.
3197
3198         * bytecode/BytecodeDumper.cpp:
3199         (JSC::BytecodeDumper<Block>::dumpBytecode):
3200         * bytecode/BytecodeIntrinsicRegistry.h:
3201         * bytecode/BytecodeList.json:
3202         * bytecode/BytecodeUseDef.h:
3203         (JSC::computeUsesForBytecodeOffset):
3204         (JSC::computeDefsForBytecodeOffset):
3205         * bytecode/SpeculatedType.cpp:
3206         (JSC::speculationFromString):
3207         * bytecode/SpeculatedType.h:
3208         * bytecompiler/BytecodeGenerator.cpp:
3209         (JSC::BytecodeGenerator::emitIdWithProfile):
3210         * bytecompiler/BytecodeGenerator.h:
3211         * bytecompiler/NodesCodegen.cpp:
3212         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
3213         * dfg/DFGAbstractInterpreterInlines.h:
3214         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3215         * dfg/DFGByteCodeParser.cpp:
3216         (JSC::DFG::ByteCodeParser::parseBlock):
3217         * dfg/DFGCapabilities.cpp:
3218         (JSC::DFG::capabilityLevel):
3219         * dfg/DFGClobberize.h:
3220         (JSC::DFG::clobberize):
3221         * dfg/DFGDoesGC.cpp:
3222         (JSC::DFG::doesGC):
3223         * dfg/DFGFixupPhase.cpp:
3224         (JSC::DFG::FixupPhase::fixupNode):
3225         * dfg/DFGMayExit.cpp:
3226         * dfg/DFGNode.h:
3227         (JSC::DFG::Node::getForcedPrediction):
3228         * dfg/DFGNodeType.h:
3229         * dfg/DFGPredictionPropagationPhase.cpp:
3230         * dfg/DFGSafeToExecute.h:
3231         (JSC::DFG::safeToExecute):
3232         * dfg/DFGSpeculativeJIT32_64.cpp:
3233         (JSC::DFG::SpeculativeJIT::compile):
3234         * dfg/DFGSpeculativeJIT64.cpp:
3235         (JSC::DFG::SpeculativeJIT::compile):
3236         * dfg/DFGValidate.cpp:
3237         * jit/JIT.cpp:
3238         (JSC::JIT::privateCompileMainPass):
3239         * jit/JIT.h:
3240         * jit/JITOpcodes.cpp:
3241         (JSC::JIT::emit_op_identity_with_profile):
3242         * jit/JITOpcodes32_64.cpp:
3243         (JSC::JIT::emit_op_identity_with_profile):
3244         * llint/LowLevelInterpreter.asm:
3245
3246 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
3247
3248         Remove Proximity Events and related code
3249         https://bugs.webkit.org/show_bug.cgi?id=175545
3250
3251         Reviewed by Daniel Bates.
3252
3253         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
3254         and other related code.
3255
3256         * Configurations/FeatureDefines.xcconfig:
3257
3258 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
3259
3260         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
3261         https://bugs.webkit.org/show_bug.cgi?id=175504
3262
3263         Reviewed by Sam Weinig.
3264
3265         * Configurations/FeatureDefines.xcconfig:
3266
3267 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
3268
3269         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
3270         https://bugs.webkit.org/show_bug.cgi?id=175557
3271
3272         Reviewed by Jon Lee.
3273
3274         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
3275
3276         * Configurations/FeatureDefines.xcconfig:
3277
3278 2017-08-14  Robin Morisset  <rmorisset@apple.com>
3279
3280         Support the 'with' keyword in DFG
3281         https://bugs.webkit.org/show_bug.cgi?id=175470
3282
3283         Reviewed by Saam Barati.
3284
3285         Not particularly optimized at the moment, the goal is just to avoid
3286         the DFG bailing out of any function with this keyword.
3287
3288         * dfg/DFGAbstractInterpreterInlines.h:
3289         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3290         * dfg/DFGByteCodeParser.cpp:
3291         (JSC::DFG::ByteCodeParser::parseBlock):
3292         * dfg/DFGCapabilities.cpp:
3293         (JSC::DFG::capabilityLevel):
3294         * dfg/DFGClobberize.h:
3295         (JSC::DFG::clobberize):
3296         * dfg/DFGDoesGC.cpp:
3297         (JSC::DFG::doesGC):
3298         * dfg/DFGFixupPhase.cpp:
3299         (JSC::DFG::FixupPhase::fixupNode):
3300         * dfg/DFGNodeType.h:
3301         * dfg/DFGPredictionPropagationPhase.cpp:
3302         * dfg/DFGSafeToExecute.h:
3303         (JSC::DFG::safeToExecute):
3304         * dfg/DFGSpeculativeJIT.cpp:
3305         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
3306         * dfg/DFGSpeculativeJIT.h:
3307         (JSC::DFG::SpeculativeJIT::callOperation):
3308         * dfg/DFGSpeculativeJIT32_64.cpp:
3309         (JSC::DFG::SpeculativeJIT::compile):
3310         * dfg/DFGSpeculativeJIT64.cpp:
3311         (JSC::DFG::SpeculativeJIT::compile):
3312         * jit/JITOperations.cpp:
3313         * jit/JITOperations.h:
3314
3315 2017-08-14  Mark Lam  <mark.lam@apple.com>
3316
3317         Add some convenience utility accessor methods to MacroAssembler::CPUState.
3318         https://bugs.webkit.org/show_bug.cgi?id=175549
3319         <rdar://problem/33884868>
3320
3321         Reviewed by Saam Barati.
3322
3323         Previously, in order to read ProbeContext CPUState registers, we used to need to
3324         do it this way:
3325
3326             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
3327             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
3328             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
3329             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
3330
3331         With this patch, we can now read them this way instead:
3332
3333             ExecState* exec = cpu.fp<ExecState*>();
3334             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
3335             void* p = cpu.gpr<void*>(GPRInfo::regT1);