Web Inspector: REGRESSION (r220233): Check for null pointer passed to WebGLRenderingC...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-04  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r220271.

        Rolling out due to Layout Test failing on iOS Simulator.

        Reverted changeset:

        "Remove STREAMS_API compilation guard"
        https://bugs.webkit.org/show_bug.cgi?id=175165
        http://trac.webkit.org/changeset/220271

2017-08-04  Youenn Fablet  <youenn@apple.com>

        Remove STREAMS_API compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175165

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>

        [EsNext] Async iteration - Add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=166694

        Reviewed by Yusuke Suzuki.

        Add feature flag to JSC to switch on/off Async Iterator

        * runtime/Options.h:

2017-08-03  Brian Burg  <bburg@apple.com>

        Remove ENABLE(WEB_SOCKET) guards
        https://bugs.webkit.org/show_bug.cgi?id=167044

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig:

2017-08-03  Youenn Fablet  <youenn@apple.com>

        Remove FETCH_API compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175154

        Reviewed by Chris Dumez.

        * Configurations/FeatureDefines.xcconfig:

2017-08-03  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Instrument WebGLProgram created/deleted
        https://bugs.webkit.org/show_bug.cgi?id=175059

        Reviewed by Devin Rousso.

        Extend the Canvas protocol with types/events for tracking WebGLPrograms.

        * inspector/protocol/Canvas.json:

2017-08-03  Brady Eidson  <beidson@apple.com>

        Add SW IDLs and stub out basic functionality.
        https://bugs.webkit.org/show_bug.cgi?id=175115

        Reviewed by Chris Dumez.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/CommonIdentifiers.h:

2017-08-03  Mark Lam  <mark.lam@apple.com>

        Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
        https://bugs.webkit.org/show_bug.cgi?id=175142
        <rdar://problem/33704528>

        Reviewed by Filip Pizlo.

        The convention in the rest of JSC for such methods which return the address of
        a field is to name them "addressOf<field name>".  We'll rename
        ScratchBuffer::activeLengthPtr to be consistent with this convention.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * runtime/VM.h:
        (JSC::ScratchBuffer::addressOfActiveLength):
        (JSC::ScratchBuffer::activeLengthPtr): Deleted.
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):

2017-08-02  Devin Rousso  <drousso@apple.com>

        Web Inspector: add stack trace information for each RecordingAction
        https://bugs.webkit.org/show_bug.cgi?id=174663

        Reviewed by Joseph Pecoraro.

        * inspector/ScriptCallFrame.h:
        Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
        with an existing value doesn't require a functor and can use existing code.

        * interpreter/StackVisitor.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.

2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge WTFThreadData to Thread::current
        https://bugs.webkit.org/show_bug.cgi?id=174716

        Reviewed by Mark Lam.

        Use Thread::current() instead.

        * API/JSContext.mm:
        (+[JSContext currentContext]):
        (+[JSContext currentThis]):
        (+[JSContext currentCallee]):
        (+[JSContext currentArguments]):
        (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
        (-[JSContext endCallbackWithData:]):
        * heap/Heap.cpp:
        (JSC::Heap::requestCollection):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::checkModuleSyntax):
        (JSC::evaluate):
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        (JSC::importModule):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimits):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse const):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        LLInt should do pointer caging
        https://bugs.webkit.org/show_bug.cgi?id=175036

        Reviewed by Keith Miller.

        Implementing this in the LLInt was challenging because offlineasm did not previously know
        how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
        to be where the Gigacage is enabled right now.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * offlineasm/x86.rb:

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        Sweeping should only scribble when sweeping to free list
        https://bugs.webkit.org/show_bug.cgi?id=175105

        Reviewed by Saam Barati.

        I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
        can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
        zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
        didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
        path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
        when it doesn't matter anyway because we're building a free list.

        This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
        zap.

        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        All C++ accesses to JSObject::m_butterfly should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175039

        Reviewed by Keith Miller.

        Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
        This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
        outside the gigacage.

        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSObject.cpp:
        (JSC::JSObject::heapSnapshot):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::butterfly const):
        (JSC::JSObject::butterfly):

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        We should be OK with the gigacage being disabled on gmalloc
        https://bugs.webkit.org/show_bug.cgi?id=175082

        Reviewed by Michael Saboff.

        * jsc.cpp:
        (jscmain):

2017-08-02  Saam Barati  <sbarati@apple.com>

        On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
        https://bugs.webkit.org/show_bug.cgi?id=175041
        <rdar://problem/33659370>

        Reviewed by Filip Pizlo.

        The testing I have done shows that this new function is a ~10%
        progression running JetStream on 1GB iOS devices. I've also tried
        this on a few > 1GB iOS devices, and the testing shows this is either neutral
        or a regression. Right now, we'll just enable this for <= 1GB devices
        since it's a win. In the future, we might want to either look into
        tweaking these parameters or coming up with a new function for > 1GB
        devices.

        * heap/Heap.cpp:
        * runtime/Options.h:

2017-08-01  Filip Pizlo  <fpizlo@apple.com>

        Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
        https://bugs.webkit.org/show_bug.cgi?id=174727

        Reviewed by Mark Lam.

        This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
        one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
        themselves. Basically, we do masking to ensure that the pointer points into the gigacage.

        This is neutral on JetStream.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3InsertionSet.cpp:
        (JSC::B3::InsertionSet::execute):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::readsOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
        (JSC::DFG::performFixedButterflyAccessUncaging):
        * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * heap/GigacageSubspace.cpp: Added.
        (JSC::GigacageSubspace::GigacageSubspace):
        (JSC::GigacageSubspace::~GigacageSubspace):
        (JSC::GigacageSubspace::tryAllocateAlignedMemory):
        (JSC::GigacageSubspace::freeAlignedMemory):
        (JSC::GigacageSubspace::canTradeBlocksWith):
        * heap/GigacageSubspace.h: Added.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::finalize):
        (JSC::Heap::sweepInFinalize):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::shouldDoFullCollection):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
        (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
        (JSC::Heap::sweepLargeAllocations): Deleted.
        (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
        * heap/Heap.h:
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        (JSC::LargeAllocation::destroy):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        (JSC::MarkedAllocator::tryAllocateBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::tryCreate):
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Handle::~Handle):
        (JSC::MarkedBlock::Handle::didAddToAllocator):
        (JSC::MarkedBlock::Handle::subspace const): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::subspace const):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::~MarkedSpace):
        (JSC::MarkedSpace::freeMemory):
        (JSC::MarkedSpace::prepareForAllocation):
        (JSC::MarkedSpace::addMarkedAllocator):
        (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::firstAllocator const):
        (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::canTradeBlocksWith):
        (JSC::Subspace::tryAllocateAlignedMemory):
        (JSC::Subspace::freeAlignedMemory):
        (JSC::Subspace::prepareForAllocation):
        (JSC::Subspace::findEmptyBlockToSteal):
        * heap/Subspace.h:
        (JSC::Subspace::didCreateFirstAllocator):
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachAllocator):
        (JSC::Subspace::forEachMarkedBlock):
        (JSC::Subspace::forEachNotEmptyMarkedBlock):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (fillBufferWithContentsOfFile):
        (functionReadFile):
        (gigacageDisabled):
        (jscmain):
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBuffer::createAdopted):
        (JSC::ArrayBuffer::createFromBytes):
        (JSC::ArrayBuffer::tryCreate):
        * runtime/IndexingHeader.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finalize):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/JSObject.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/ScopedArgumentsTable.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::gigacageDisabledCallback):
        (JSC::VM::gigacageDisabled):
        * runtime/VM.h:
        (JSC::VM::fireGigacageEnabledIfNecessary):
        (JSC::VM::gigacageEnabled):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::isSafeToRun):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::makeString):
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::~Memory):
        (JSC::Wasm::Memory::addressIsInActiveFastMemory):
        (JSC::Wasm::Memory::grow):
        (JSC::Wasm::Memory::initializePreallocations): Deleted.
        (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
        * wasm/WasmMemory.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::grow):
        (JSC::JSWebAssemblyMemory::finishCreation):
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::subspaceFor):

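The pointer caging that the three Gigacage entries above describe (the LLInt caging, the CagedPtr<> butterfly accesses, and the FTL "masking to ensure that the pointer points into the gigacage") reduced to its core in C. This is an added illustration, not WebKit's or bmalloc's code: the cage size, the mask, the toy object and the helper names are assumptions chosen for the demo.

```c
/* Pointer caging in miniature. A "cage" is one region of memory aligned to
 * its own (power-of-two) size. Every pointer that is supposed to refer to
 * cage memory is rebased through caged() before use, so a pointer field
 * that has been corrupted to point elsewhere can only ever reach memory
 * inside the cage. Added example; not WebKit code. */
#define _POSIX_C_SOURCE 200112L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed cage for the demo: 64 KiB instead of the real multi-GB region.
 * The size must be a power of two so that (bits & CAGE_MASK) is always a
 * valid offset into the cage. */
#define CAGE_SIZE ((size_t)1 << 16)
#define CAGE_MASK ((uintptr_t)CAGE_SIZE - 1)

static uint8_t *g_cage_base = NULL;

/* Reserve the cage aligned to its size. The alignment is what allows the
 * mask to be applied directly to the pointer bits: for an in-cage pointer
 * the low bits are exactly its offset from the base. Returns 0 on success. */
int cage_init(void) {
    if (g_cage_base)
        return 0;
    void *p = NULL;
    if (posix_memalign(&p, CAGE_SIZE, CAGE_SIZE) != 0)
        return -1;
    memset(p, 0, CAGE_SIZE);
    g_cage_base = (uint8_t *)p;
    return 0;
}

/* True if ptr lies inside the cage. */
int cage_contains(const void *ptr) {
    uintptr_t p = (uintptr_t)ptr, b = (uintptr_t)g_cage_base;
    return p >= b && p < b + CAGE_SIZE;
}

/* The caging step: keep only the low bits of the pointer and add them to the
 * cage base. An in-cage pointer comes back unchanged; any other pointer is
 * forced to some address inside the cage. Note that, as in this demo, NULL
 * maps to the cage base rather than staying NULL. */
void *caged(const void *ptr) {
    return g_cage_base + ((uintptr_t)ptr & CAGE_MASK);
}

/* Toy stand-in for an object whose out-of-line storage (the "butterfly")
 * lives in the cage and is reached through a pointer field that an attacker
 * might try to rewire. */
typedef struct {
    void *butterfly;
} toy_object;

/* Read element `index` of the object's storage through the caged pointer,
 * never through the raw field. Caging bounds the base pointer only; the
 * index itself is still a separate check that callers must perform. */
uint32_t toy_read_index(const toy_object *obj, size_t index) {
    const uint32_t *storage = (const uint32_t *)caged(obj->butterfly);
    return storage[index];
}

int main(void) {
    if (cage_init() != 0)
        return 1;
    uint32_t *inside = (uint32_t *)(g_cage_base + 256);
    inside[3] = 0x1234u;
    uint32_t stack_buf[4] = {9, 9, 9, 9};         /* outside the cage */

    toy_object good = { inside };
    toy_object rewired = { stack_buf };             /* simulated corruption */
    printf("in-cage pointer unchanged: %d\n", caged(inside) == (void *)inside);
    printf("rewired pointer forced into cage: %d\n",
           cage_contains(caged(rewired.butterfly)));
    printf("good.read[3] = 0x%x\n", toy_read_index(&good, 3));
    return 0;
}
```
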
2017-07-31  Mark Lam  <mark.lam@apple.com>

        Added some UNLIKELYs to operationOptimize().
        https://bugs.webkit.org/show_bug.cgi?id=174976

        Reviewed by JF Bastien.

        * jit/JITOperations.cpp:

2017-07-31  Keith Miller  <keith_miller@apple.com>

        Make more things LLInt constexprs
        https://bugs.webkit.org/show_bug.cgi?id=174994

        Reviewed by Saam Barati.

        This patch makes more const values in the LLInt constexprs.
        It also deletes all of the no longer necessary static_asserts in
        LLIntData.cpp. Finally, it fixes a typo in parser.rb.

        * interpreter/ShadowChicken.h:
        (JSC::ShadowChicken::Packet::tailMarker):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/parser.rb:

2017-07-31  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r220060.

        This broke our internal builds. Contact reviewer of patch for
        more information.

        Reverted changeset:

        "Merge WTFThreadData to Thread::current"
        https://bugs.webkit.org/show_bug.cgi?id=174716
        http://trac.webkit.org/changeset/220060

2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Support optional catch binding
        https://bugs.webkit.org/show_bug.cgi?id=174981

        Reviewed by Saam Barati.

        This patch implements the optional catch binding proposal [1], which is now stage 3.
        This proposal adds a new `catch` brace with no error value binding.

            ```
                try {
                    ...
                } catch {
                    ...
                }
            ```

        Sometimes we do not actually need the error value. For example, a function may return
        a boolean that indicates whether it succeeded.

            ```
            function parse(result) // -> bool
            {
                 try {
                     parseInner(result);
                 } catch {
                     return false;
                 }
                 return true;
            }
            ```

        In the above case, we are not interested in the actual error value. Without this syntax,
        we always need to introduce a binding for an error value that is just ignored.

        [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/

        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseTryStatement):

2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge WTFThreadData to Thread::current
        https://bugs.webkit.org/show_bug.cgi?id=174716

        Reviewed by Sam Weinig.

        Use Thread::current() instead.

        * API/JSContext.mm:
        (+[JSContext currentContext]):
        (+[JSContext currentThis]):
        (+[JSContext currentCallee]):
        (+[JSContext currentArguments]):
        (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
        (-[JSContext endCallbackWithData:]):
        * heap/Heap.cpp:
        (JSC::Heap::requestCollection):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::checkModuleSyntax):
        (JSC::evaluate):
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        (JSC::importModule):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimits):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse const):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):

2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Introduce Private Symbols
        https://bugs.webkit.org/show_bug.cgi?id=174935

        Reviewed by Darin Adler.

        Use SymbolImpl::isPrivate().

        * builtins/BuiltinNames.cpp:
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::isPrivateName): Deleted.
        * builtins/BuiltinUtils.h:
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::isPrivateName): Deleted.
        * runtime/CommonIdentifiers.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/Identifier.h:
        (JSC::Identifier::isPrivateName):
        * runtime/IdentifierInlines.h:
        (JSC::identifierToSafePublicJSValue):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):
        (JSC::defineProperties):
        (JSC::setIntegrityLevel):
        (JSC::testIntegrityLevel):
        (JSC::ownPropertyKeys):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyName.h:
        (JSC::PropertyName::isPrivateName):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performDefineOwnProperty):

2017-07-29  Keith Miller  <keith_miller@apple.com>

        LLInt offsets extractor should be able to handle C++ constexprs
        https://bugs.webkit.org/show_bug.cgi?id=174964

        Reviewed by Saam Barati.

        This patch adds new syntax to the offline asm language. The new keyword,
        constexpr, takes the subsequent identifier and maps it to a C++ constexpr
        expression. Additionally, if the value is not an identifier you can wrap it in
        parentheses, e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
        which will get converted into:
        static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));

        This patch also changes the data format the LLIntOffsetsExtractor
        binary produces.  Previously, it would produce unsigned values;
        after this patch every value is an int64_t.  Using an int64_t is
        useful because it means that we can represent any constant needed.
        int32_t masks are sign extended, then passed on and converted to a
        negative literal string in the assembler, so it will be the constant
        expected.

        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/offsets.rb:
        * offlineasm/parser.rb:
        * offlineasm/transform.rb:

2017-07-28  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture an async stack trace when web content calls addEventListener
        https://bugs.webkit.org/show_bug.cgi?id=174739
        <rdar://problem/33468197>

        Reviewed by Brian Burg.

        Allow debugger agents to perform custom logic when asynchronous stack
        trace data is cleared. For example, the PageDebuggerAgent would clear
        its list of registered listeners for which call stacks have been recorded.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
        * inspector/agents/InspectorDebuggerAgent.h:

2017-07-28  Mark Lam  <mark.lam@apple.com>

        ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
        https://bugs.webkit.org/show_bug.cgi?id=174948
        <rdar://problem/33495680>

        Reviewed by Filip Pizlo.

        ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
        owner StructureRareData is already known to be dead (in terms of GC liveness) but
        hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
        requests to fire this watchpoint.

        If the GC had the chance to sweep the StructureRareData, thereby destructing the
        ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
        itself from the WatchpointSet it was on.  Hence, it would not have been fired.

        But since the watchpoint hasn't been destructed yet, it still remains on the
        WatchpointSet and needs to guard against being fired in this state.  The fix is
        to simply return early if its owner StructureRareData is not live.  This has the
        effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
        not firing as we would expect.

        This patch also removes some cargo cult copying of watchpoint code which
        instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
        used.  This patch removes these unnecessary instantiations.

        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
        * runtime/StructureRareData.cpp:
        (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):

2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
        https://bugs.webkit.org/show_bug.cgi?id=174900

        Reviewed by Saam Barati.

733         In the arguments elimination phase, due to high cost of AI, we intentionally do not run AI.
734         Instead, we use ForceOSRExit etc. (pseudo terminals) not to look into unreachable nodes.
735         The problem is that even transforming phase also checks this pseudo terminals.
736
737             BB1
738             1: ForceOSRExit
739             2: CreateDirectArguments
740
741             BB2
742             3: GetButterfly(@2)
743             4: ForceOSRExit
744
745         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
746
747         In this patch, we stop listing candidates after seeing pseudo terminals in basic blocks.
748
749         * dfg/DFGArgumentsEliminationPhase.cpp:
750
751 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
752
753         [ES] Add support finally to Promise
754         https://bugs.webkit.org/show_bug.cgi?id=174503
755
756         Reviewed by Yusuke Suzuki.
757
758         Add support for the `finally` method to Promise according
759         to https://bugs.webkit.org/show_bug.cgi?id=174503
760         Current spec is at STAGE 3:
761         https://github.com/tc39/proposal-promise-finally
762
763         * builtins/PromisePrototype.js:
764         (finally):
765         (const.valueThunk):
766         (globalPrivate.getThenFinally):
767         (const.thrower):
768         (globalPrivate.getCatchFinally):
769         * runtime/JSPromisePrototype.cpp:
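
        Added example, not code from the WebKit builtins listed above: a plain JavaScript model of the
        proposal's `finally` built from the same pieces the entry names (a then-side handler that re-yields
        the original value through a value thunk, and a catch-side handler that re-throws through a thrower).
        The function names `makeFinally`, `promiseFinally` and `demo` are this example's own. The driver shows
        what a reviewer of such a builtin checks: the fulfilled value passes through unchanged and the
        callback's return value is ignored, a rejection reason is preserved, a throw from the callback
        overrides the original outcome, a non-callable callback is passed straight through, and a promise
        returned by the callback delays settlement without changing the result.

```javascript
// Added example, not WebKit's builtins/PromisePrototype.js: a self-hosted model of
// Promise.prototype.finally following the TC39 proposal. The local names
// (thenFinally, catchFinally, valueThunk, thrower) echo the entry's function list,
// but this is independent code written for illustration.
function makeFinally(onFinally) {
  // Fulfilment path: run the callback, wait for its result to settle (if it is a
  // promise), then re-yield the ORIGINAL value, discarding the callback's result.
  const thenFinally = (value) => {
    const result = onFinally();            // a throw here rejects the derived promise
    const valueThunk = () => value;
    return Promise.resolve(result).then(valueThunk);
  };
  // Rejection path: run the callback, wait for its result, then re-throw the
  // ORIGINAL reason so the rejection is observed downstream unchanged.
  const catchFinally = (reason) => {
    const result = onFinally();
    const thrower = () => { throw reason; };
    return Promise.resolve(result).then(thrower);
  };
  return { thenFinally, catchFinally };
}

// Equivalent of promise.finally(onFinally), written as a free function.
function promiseFinally(promise, onFinally) {
  // Per the proposal, a non-callable argument is handed to then() as-is, which
  // makes finally(undefined) behave like a pass-through.
  if (typeof onFinally !== 'function')
    return promise.then(onFinally, onFinally);
  const { thenFinally, catchFinally } = makeFinally(onFinally);
  return promise.then(thenFinally, catchFinally);
}

// Driver: exercises the observable cases and returns them in an object (rather
// than printing) so the outcomes can be asserted on.
async function demo() {
  const log = [];
  const out = {};

  // 1. Fulfilled value passes through; the callback's return value (99) is ignored.
  out.passThrough = await promiseFinally(Promise.resolve(42),
    () => { log.push('a'); return 99; });

  // 2. Rejection reason is preserved.
  try {
    await promiseFinally(Promise.reject(new Error('boom')), () => { log.push('b'); });
    out.rejectPreserved = null;
  } catch (e) {
    out.rejectPreserved = e.message;
  }

  // 3. A throw from the callback overrides the original (fulfilled) outcome.
  try {
    await promiseFinally(Promise.resolve(1),
      () => { log.push('c'); throw new Error('override'); });
    out.override = null;
  } catch (e) {
    out.override = e.message;
  }

  // 4. Non-callable callback: plain pass-through.
  out.nonCallable = await promiseFinally(Promise.resolve(7), undefined);

  // 5. Callback returning a pending promise delays settlement but the original
  //    value still comes out the other side.
  out.delayed = await promiseFinally(Promise.resolve('v'),
    () => new Promise((resolve) => setTimeout(resolve, 5)));

  out.log = log.join('');
  return out;
}

// Stand-alone run: show the collected outcomes.
demo().then((out) => console.log(out));
```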
770
771 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
772
773         Unreviewed, build fix for CLoop
774         https://bugs.webkit.org/show_bug.cgi?id=171637
775
776         * domjit/DOMJITGetterSetter.h:
777
778 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
779
780         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
781         https://bugs.webkit.org/show_bug.cgi?id=171637
782
783         Reviewed by Darin Adler.
784
785         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
786         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
787
788         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
789         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
790
791         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for the
792         op_get_by_id_with_this case yet.
793         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
794
795         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
796         ClassInfo check.
797
798         * CMakeLists.txt:
799         * JavaScriptCore.xcodeproj/project.pbxproj:
800         * bytecode/AccessCase.cpp:
801         (JSC::AccessCase::generateImpl):
802         * bytecode/GetByIdStatus.cpp:
803         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
804         * bytecode/GetByIdVariant.cpp:
805         (JSC::GetByIdVariant::GetByIdVariant):
806         (JSC::GetByIdVariant::operator=):
807         (JSC::GetByIdVariant::attemptToMerge):
808         (JSC::GetByIdVariant::dumpInContext):
809         * bytecode/GetByIdVariant.h:
810         (JSC::GetByIdVariant::customAccessorGetter):
811         (JSC::GetByIdVariant::domAttribute):
812         (JSC::GetByIdVariant::domJIT): Deleted.
813         * bytecode/GetterSetterAccessCase.cpp:
814         (JSC::GetterSetterAccessCase::create):
815         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
816         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
817         * bytecode/GetterSetterAccessCase.h:
818         (JSC::GetterSetterAccessCase::domAttribute):
819         (JSC::GetterSetterAccessCase::customAccessor):
820         (JSC::GetterSetterAccessCase::domJIT): Deleted.
821         * bytecompiler/BytecodeGenerator.cpp:
822         (JSC::BytecodeGenerator::instantiateLexicalVariables):
823         * create_hash_table:
824         * dfg/DFGAbstractInterpreterInlines.h:
825         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
826         * dfg/DFGByteCodeParser.cpp:
827         (JSC::DFG::blessCallDOMGetter):
828         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
829         (JSC::DFG::ByteCodeParser::handleGetById):
830         * dfg/DFGClobberize.h:
831         (JSC::DFG::clobberize):
832         * dfg/DFGFixupPhase.cpp:
833         (JSC::DFG::FixupPhase::fixupNode):
834         * dfg/DFGNode.h:
835         * dfg/DFGSpeculativeJIT.cpp:
836         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
837         * dfg/DFGSpeculativeJIT.h:
838         (JSC::DFG::SpeculativeJIT::callCustomGetter):
839         * domjit/DOMJITGetterSetter.h:
840         (JSC::DOMJIT::GetterSetter::GetterSetter):
841         (JSC::DOMJIT::GetterSetter::getter):
842         (JSC::DOMJIT::GetterSetter::compiler):
843         (JSC::DOMJIT::GetterSetter::resultType):
844         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
845         (JSC::DOMJIT::GetterSetter::setter): Deleted.
846         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
847         * ftl/FTLLowerDFGToB3.cpp:
848         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
849         * jit/Repatch.cpp:
850         (JSC::tryCacheGetByID):
851         * jsc.cpp:
852         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
853         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
854         (WTF::DOMJITGetter::customGetter):
855         (WTF::DOMJITGetter::finishCreation):
856         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
857         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
858         (WTF::DOMJITGetterComplex::customGetter):
859         (WTF::DOMJITGetterComplex::finishCreation):
860         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
861         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
862         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
863         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
864         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
865         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
866         * runtime/CustomGetterSetter.h:
867         (JSC::CustomGetterSetter::create):
868         (JSC::CustomGetterSetter::setter):
869         (JSC::CustomGetterSetter::CustomGetterSetter):
870         (): Deleted.
871         * runtime/DOMAnnotation.h: Added.
872         (JSC::operator==):
873         (JSC::operator!=):
874         * runtime/DOMAttributeGetterSetter.cpp: Added.
875         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
876         (JSC::isDOMAttributeGetterSetter):
877         * runtime/Error.cpp:
878         (JSC::throwDOMAttributeGetterTypeError):
879         * runtime/Error.h:
880         (JSC::throwVMDOMAttributeGetterTypeError):
881         * runtime/JSCustomGetterSetterFunction.cpp:
882         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
883         * runtime/JSObject.cpp:
884         (JSC::JSObject::putInlineSlow):
885         (JSC::JSObject::deleteProperty):
886         (JSC::JSObject::getOwnStaticPropertySlot):
887         (JSC::JSObject::reifyAllStaticProperties):
888         (JSC::JSObject::fillGetterPropertySlot):
889         (JSC::JSObject::findPropertyHashEntry): Deleted.
890         * runtime/JSObject.h:
891         (JSC::JSObject::getOwnNonIndexPropertySlot):
892         (JSC::JSObject::fillCustomGetterPropertySlot):
893         * runtime/Lookup.cpp:
894         (JSC::setUpStaticFunctionSlot):
895         * runtime/Lookup.h:
896         (JSC::HashTableValue::domJIT):
897         (JSC::getStaticPropertySlotFromTable):
898         (JSC::putEntry):
899         (JSC::lookupPut):
900         (JSC::reifyStaticProperty):
901         (JSC::reifyStaticProperties):
902         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
903         this static property table require.
904
905         * runtime/ProgramExecutable.cpp:
906         (JSC::ProgramExecutable::initializeGlobalProperties):
907         * runtime/PropertyName.h:
908         * runtime/PropertySlot.cpp:
909         (JSC::PropertySlot::customGetter):
910         (JSC::PropertySlot::customAccessorGetter):
911         * runtime/PropertySlot.h:
912         (JSC::PropertySlot::domAttribute):
913         (JSC::PropertySlot::setCustom):
914         (JSC::PropertySlot::setCacheableCustom):
915         (JSC::PropertySlot::getValue):
916         (JSC::PropertySlot::domJIT): Deleted.
917         * runtime/VM.cpp:
918         (JSC::VM::VM):
919         * runtime/VM.h:
920
921 2017-07-26  Devin Rousso  <drousso@apple.com>
922
923         Web Inspector: create protocol for recording Canvas contexts
924         https://bugs.webkit.org/show_bug.cgi?id=174481
925
926         Reviewed by Joseph Pecoraro.
927
928         * inspector/protocol/Canvas.json:
929          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
930          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
931          - Add `recordingFinished` event that is fired once a recording is finished.
932
933         * CMakeLists.txt:
934         * DerivedSources.make:
935         * inspector/protocol/Recording.json: Added.
936          - Add `Type` enum that lists the types of recordings.
937          - Add `InitialState` type that contains information about the canvas context at the
938            beginning of the recording.
939          - Add `Frame` type that holds a list of actions that were recorded.
940          - Add `Recording` type as the container object of recording data.
941
942         * inspector/scripts/codegen/generate_js_backend_commands.py:
943         (JSBackendCommandsGenerator.generate_domain):
944         Create an agent for domains with no events or commands.
945
946         * inspector/InspectorValues.h:
947         Make Array `get` public so that values can be retrieved if needed.
948
949 2017-07-26  Brian Burg  <bburg@apple.com>
950
951         Remove WEB_TIMING feature flag
952         https://bugs.webkit.org/show_bug.cgi?id=174795
953
954         Reviewed by Alex Christensen.
955
956         * Configurations/FeatureDefines.xcconfig:
957
958 2017-07-26  Mark Lam  <mark.lam@apple.com>
959
960         Add the ability to change sp and pc to the ARM64 JIT probe.
961         https://bugs.webkit.org/show_bug.cgi?id=174697
962         <rdar://problem/33436965>
963
964         Reviewed by JF Bastien.
965
966         This patch implements the following:
967
968         1. The ARM64 probe now supports modifying the pc and sp.
969
970            However, lr is not preserved when modifying the pc because it is used as the
971            scratch register for the indirect jump. Hence, the probe handler function
972            may not modify both lr and pc in the same probe invocation.
973
974         2. Fix probe tests to use bitwise comparison when comparing double register
975            values. Otherwise, equivalent NaN values will be interpreted as not equivalent.
976
977         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
978            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
979            instructions which require 16 byte alignment for their memory access.
980
981         * assembler/MacroAssemblerARM64.cpp:
982         (JSC::arm64ProbeError):
983         (JSC::MacroAssembler::probe):
984         (JSC::arm64ProbeTrampoline): Deleted.
985         * assembler/testmasm.cpp:
986         (JSC::isSpecialGPR):
987         (JSC::testProbeReadsArgumentRegisters):
988         (JSC::testProbeWritesArgumentRegisters):
989         (JSC::testProbePreservesGPRS):
990         (JSC::testProbeModifiesStackPointer):
991         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
992         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
993
994 2017-07-25  JF Bastien  <jfbastien@apple.com>
995
996         WebAssembly: generate smaller binaries
997         https://bugs.webkit.org/show_bug.cgi?id=174818
998
999         Reviewed by Filip Pizlo.
1000
1001         This patch reduces generated code size for WebAssembly in 2 ways:
1002
1003         1. Use the ZR register when storing zero on ARM64.
1004         2. Synthesize wasm context lazily.
1005
1006         This leads to a modest size reduction on both x86-64 and ARM64 for
1007         large WebAssembly games, without any performance loss on WasmBench
1008         and TitzerBench.
1009
1010         The reason this works is that these games, using Emscripten,
1011         generate 100k+ tiny functions, and our JIT allocation granule
1012         rounds all allocations up to 32 bytes. There are plenty of other
1013         simple gains to be had, I've filed a follow-up bug at
1014         webkit.org/b/174819
1015
1016         We should further avoid the per-function cost of tiering, which
1017         represents the bulk of code generated for small functions.
1018
1019         * assembler/MacroAssemblerARM64.h:
1020         (JSC::MacroAssemblerARM64::storeZero64):
1021         * assembler/MacroAssemblerX86_64.h:
1022         (JSC::MacroAssemblerX86_64::storeZero64):
1023         * b3/B3LowerToAir.cpp:
1024         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
1025         for x86 because it constrains register reuse and codegen in a way
1026         that doesn't affect ARM64 because it has a dedicated zero
1027         register.
1028         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
1029         * wasm/WasmB3IRGenerator.cpp:
1030         (JSC::Wasm::B3IRGenerator::instanceValue):
1031         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1032         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1033         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
1034
1035 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
1036
1037         B3 should do LICM
1038         https://bugs.webkit.org/show_bug.cgi?id=174750
1039
1040         Reviewed by Keith Miller and Saam Barati.
1041         
1042         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
1043         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
1044         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
1045         change templatizes DFG::NaturalLoops so that we can just use it.
1046         
1047         The LICM phase itself is really simple. We are decently precise with our handling of everything except
1048         the relationship between control dependence and side exits.
1049         
1050         Also added a bunch of tests.
1051         
1052         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
1053         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
1054         so it doesn't hurt to have it.
1055         
1056         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
1057         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
1058         it's good to have it because LICM is one of those core compiler phases; every compiler has it
1059         eventually.
1060
1061         * CMakeLists.txt:
1062         * JavaScriptCore.xcodeproj/project.pbxproj:
1063         * b3/B3BackwardsCFG.h: Added.
1064         (JSC::B3::BackwardsCFG::BackwardsCFG):
1065         * b3/B3BackwardsDominators.h: Added.
1066         (JSC::B3::BackwardsDominators::BackwardsDominators):
1067         * b3/B3BasicBlock.cpp:
1068         (JSC::B3::BasicBlock::appendNonTerminal):
1069         * b3/B3Effects.h:
1070         * b3/B3EnsureLoopPreHeaders.cpp: Added.
1071         (JSC::B3::ensureLoopPreHeaders):
1072         * b3/B3EnsureLoopPreHeaders.h: Added.
1073         * b3/B3Generate.cpp:
1074         (JSC::B3::generateToAir):
1075         * b3/B3HoistLoopInvariantValues.cpp: Added.
1076         (JSC::B3::hoistLoopInvariantValues):
1077         * b3/B3HoistLoopInvariantValues.h: Added.
1078         * b3/B3NaturalLoops.h: Added.
1079         (JSC::B3::NaturalLoops::NaturalLoops):
1080         * b3/B3Procedure.cpp:
1081         (JSC::B3::Procedure::invalidateCFG):
1082         (JSC::B3::Procedure::naturalLoops):
1083         (JSC::B3::Procedure::backwardsCFG):
1084         (JSC::B3::Procedure::backwardsDominators):
1085         * b3/B3Procedure.h:
1086         * b3/testb3.cpp:
1087         (JSC::B3::generateLoop):
1088         (JSC::B3::makeArrayForLoops):
1089         (JSC::B3::generateLoopNotBackwardsDominant):
1090         (JSC::B3::oneFunction):
1091         (JSC::B3::noOpFunction):
1092         (JSC::B3::testLICMPure):
1093         (JSC::B3::testLICMPureSideExits):
1094         (JSC::B3::testLICMPureWritesPinned):
1095         (JSC::B3::testLICMPureWrites):
1096         (JSC::B3::testLICMReadsLocalState):
1097         (JSC::B3::testLICMReadsPinned):
1098         (JSC::B3::testLICMReads):
1099         (JSC::B3::testLICMPureNotBackwardsDominant):
1100         (JSC::B3::testLICMPureFoiledByChild):
1101         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1102         (JSC::B3::testLICMExitsSideways):
1103         (JSC::B3::testLICMWritesLocalState):
1104         (JSC::B3::testLICMWrites):
1105         (JSC::B3::testLICMFence):
1106         (JSC::B3::testLICMWritesPinned):
1107         (JSC::B3::testLICMControlDependent):
1108         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1109         (JSC::B3::testLICMControlDependentSideExits):
1110         (JSC::B3::testLICMReadsPinnedWritesPinned):
1111         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1112         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1113         (JSC::B3::testLICMDefaultCall):
1114         (JSC::B3::run):
1115         * dfg/DFGBasicBlock.h:
1116         * dfg/DFGCFG.h:
1117         * dfg/DFGNaturalLoops.cpp: Removed.
1118         * dfg/DFGNaturalLoops.h:
1119         (JSC::DFG::NaturalLoops::NaturalLoops):
1120         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
1121         (JSC::DFG::NaturalLoop::header): Deleted.
1122         (JSC::DFG::NaturalLoop::size): Deleted.
1123         (JSC::DFG::NaturalLoop::at): Deleted.
1124         (JSC::DFG::NaturalLoop::operator[]): Deleted.
1125         (JSC::DFG::NaturalLoop::contains): Deleted.
1126         (JSC::DFG::NaturalLoop::index): Deleted.
1127         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
1128         (JSC::DFG::NaturalLoop::addBlock): Deleted.
1129         (JSC::DFG::NaturalLoops::numLoops): Deleted.
1130         (JSC::DFG::NaturalLoops::loop): Deleted.
1131         (JSC::DFG::NaturalLoops::headerOf): Deleted.
1132         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
1133         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
1134         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
1135         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
1136
1137 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
1138
1139         GC should be fine with trading blocks between destructor and non-destructor blocks
1140         https://bugs.webkit.org/show_bug.cgi?id=174811
1141
1142         Reviewed by Mark Lam.
1143         
1144         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
1145         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
1146         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
1147         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
1148         set.
1149         
1150         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
1151         is empty if:
1152         
1153         A) It has no live objects and it's a non-destructor block, or
1154         B) We just allocated it (so it has no destructors even if it's a destructor block), or
1155         C) We just stole it from another allocator (so it also has no destructors), or
1156         D) We just swept the block and ran all destructors.
1157         
1158         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
1159         block that could be stolen.
1160
1161         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
1162         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
1163         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
1164         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
1165         
1166         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
1167         
1168         If we tried to enable trading of blocks between allocators without making any changes to how
1169         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
1170         live objects in order for those bits to be candidates for trading. But if we do that, then our
1171         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
1172         our destructors won't run and we'll leak memory.
1173         
1174         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
1175         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
1176         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
1177         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
1178         are (empty & ~destructible).
1179         
1180         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
1181         remove destructor-oriented special-casing of block trading.
1182
1183         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
1184         so this change is more about clean-up than perf. But, this could reduce memory usage in some
1185         pathological cases.
1186         
1187         * heap/MarkedAllocator.cpp:
1188         (JSC::MarkedAllocator::findEmptyBlockToSteal):
1189         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1190         (JSC::MarkedAllocator::endMarking):
1191         (JSC::MarkedAllocator::shrink):
1192         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
1193         * heap/MarkedAllocator.h:
1194         * heap/MarkedBlock.cpp:
1195         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1196         (JSC::MarkedBlock::Handle::sweep):
1197         * heap/MarkedBlockInlines.h:
1198         (JSC::MarkedBlock::Handle::specializedSweep):
1199         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
1200         (JSC::MarkedBlock::Handle::emptyMode):
1201
1202 2017-07-25  Keith Miller  <keith_miller@apple.com>
1203
1204         Remove Broken CompareEq constant folding phase.
1205         https://bugs.webkit.org/show_bug.cgi?id=174846
1206         <rdar://problem/32978808>
1207
1208         Reviewed by Saam Barati.
1209
1210         This bug happened when we would get code like the following:
1211
1212         a: JSConst(Undefined)
1213         b: GetLocal(SomeObjectOrUndefined)
1214         ...
1215         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
1216
1217         constant folding will turn this into:
1218
1219         a: JSConst(Undefined)
1220         b: GetLocal(SomeObjectOrUndefined)
1221         ...
1222         c: CompareEq(Check:ObjectOrOther:b, Other:a)
1223
1224         But the SpeculativeJIT/FTL lowering will fail to check b
1225         properly which leads to an assertion failure in the AI.
1226
1227         I'll follow up with a more robust fix later. For now, I'll remove the
1228         case that generates the code. Removing the code appears to be perf
1229         neutral.
1230
1231         * dfg/DFGConstantFoldingPhase.cpp:
1232         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1233
1234 2017-07-25  Matt Baker  <mattbaker@apple.com>
1235
1236         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
1237         https://bugs.webkit.org/show_bug.cgi?id=174738
1238
1239         Reviewed by Brian Burg.
1240
1241         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
1242         stack traces. This preserves the call type in JSC, makes the range of
1243         possible call types explicit, and is safer than passing ints.
1244
1245         * inspector/agents/InspectorDebuggerAgent.cpp:
1246         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
1247         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1248         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
1249         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
1250         * inspector/agents/InspectorDebuggerAgent.h:
1251
1252 2017-07-25  Mark Lam  <mark.lam@apple.com>
1253
1254         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
1255         https://bugs.webkit.org/show_bug.cgi?id=174809
1256         <rdar://problem/33504759>
1257
1258         Reviewed by Filip Pizlo.
1259
1260         1. When the probe handler function changes the sp register to point to the
1261            region of stack in the middle of the ProbeContext on the stack, there is a
1262            bug where the ProbeContext's register values to be restored can be over-written
1263            before they can be restored.  This is now fixed.
1264
1265         2. Added more robust probe tests for changing the sp register.
1266
1267         3. Made existing probe tests ensure that probe handlers were actually called.
1268
1269         4. Added some verification to testProbePreservesGPRS().
1270
1271         5. Change all the probe tests to fail early on discovering an error instead of
1272            batching till the end of the test.  This helps point a finger to the failing
1273            issue earlier.
1274
1275         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
1276         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
1277
1278         * assembler/MacroAssemblerARM.cpp:
1279         * assembler/MacroAssemblerARMv7.cpp:
1280         * assembler/MacroAssemblerX86Common.cpp:
1281         * assembler/testmasm.cpp:
1282         (JSC::testProbeReadsArgumentRegisters):
1283         (JSC::testProbeWritesArgumentRegisters):
1284         (JSC::testProbePreservesGPRS):
1285         (JSC::testProbeModifiesStackPointer):
1286         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1287         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1288         (JSC::testProbeModifiesProgramCounter):
1289         (JSC::run):
1290
1291 2017-07-25  Brian Burg  <bburg@apple.com>
1292
1293         Web Automation: add support for uploading files
1294         https://bugs.webkit.org/show_bug.cgi?id=174797
1295         <rdar://problem/28485063>
1296
1297         Reviewed by Joseph Pecoraro.
1298
1299         * inspector/scripts/generate-inspector-protocol-bindings.py:
1300         (generate_from_specification):
1301         Start generating frontend dispatcher code if the target framework is 'WebKit'.
1302
1303         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1304         (CppFrontendDispatcherImplementationGenerator.generate_output):
1305         Use a framework include for InspectorFrontendRouter.h since this generated code
1306         will be compiled outside of WebCore.framework.
1307
1308         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1309         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1310         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1311         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1312         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1313         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1314         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1315         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1316         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1317         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1318         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1319         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1320         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1321         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1322         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1323         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1324         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1325         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1326         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1327         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1328         Rebaseline code generator tests.
1329
1330 2017-07-24  Mark Lam  <mark.lam@apple.com>
1331
1332         Gardening: fixed C Loop build after r219790.
1333         https://bugs.webkit.org/show_bug.cgi?id=174696
1334
1335         Not reviewed.
1336
1337         * assembler/testmasm.cpp:
1338
1339 2017-07-23  Mark Lam  <mark.lam@apple.com>
1340
1341         Create regression tests for the JIT probe.
1342         https://bugs.webkit.org/show_bug.cgi?id=174696
1343         <rdar://problem/33436922>
1344
1345         Reviewed by Saam Barati.
1346
1347         The new testmasm will test the following:
1348         1. the probe is able to read the value of CPU registers.
1349         2. the probe is able to write the value of CPU registers.
1350         3. the probe is able to preserve all CPU registers.
1351         4. special case of (2): the probe is able to change the value of the stack pointer.
1352         5. special case of (2): the probe is able to change the value of the program counter
1353            i.e. the probe can change where the code continues executing upon returning from
1354            the probe.
1355
1356         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
1357         because it does not support changing the sp and pc yet.  The ARM64 probe
1358         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
1359         later.
1360
1361         * Configurations/ToolExecutable.xcconfig:
1362         * JavaScriptCore.xcodeproj/project.pbxproj:
1363         * assembler/MacroAssembler.h:
1364         (JSC::MacroAssembler::CPUState::pc):
1365         (JSC::MacroAssembler::CPUState::fp):
1366         (JSC::MacroAssembler::CPUState::sp):
1367         (JSC::ProbeContext::pc):
1368         (JSC::ProbeContext::fp):
1369         (JSC::ProbeContext::sp):
1370         * assembler/MacroAssemblerARM64.cpp:
1371         (JSC::arm64ProbeTrampoline):
1372         * assembler/MacroAssemblerPrinter.cpp:
1373         (JSC::Printer::printPCRegister):
1374         * assembler/testmasm.cpp: Added.
1375         (hiddenTruthBecauseNoReturnIsStupid):
1376         (usage):
1377         (JSC::nextID):
1378         (JSC::isPC):
1379         (JSC::isSP):
1380         (JSC::isFP):
1381         (JSC::compile):
1382         (JSC::invoke):
1383         (JSC::compileAndRun):
1384         (JSC::testSimple):
1385         (JSC::testProbeReadsArgumentRegisters):
1386         (JSC::testProbeWritesArgumentRegisters):
1387         (JSC::testFunctionToTrashRegisters):
1388         (JSC::testProbePreservesGPRS):
1389         (JSC::testProbeModifiesStackPointer):
1390         (JSC::testProbeModifiesProgramCounter):
1391         (JSC::run):
1392         (run):
1393         (main):
1394         * b3/air/testair.cpp:
1395         (usage):
1396         * shell/CMakeLists.txt:
1397
1398 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
1399
1400         It should be easy to decide how WebKit yields
1401         https://bugs.webkit.org/show_bug.cgi?id=174298
1402
1403         Reviewed by Saam Barati.
1404         
1405         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
1406
1407         * heap/Heap.cpp:
1408         (JSC::Heap::resumeThePeriphery):
1409         * heap/VisitingTimeout.h:
1410         * runtime/JSCell.cpp:
1411         (JSC::JSCell::lockSlow):
1412         (JSC::JSCell::unlockSlow):
1413         * runtime/JSCell.h:
1414         * runtime/JSCellInlines.h:
1415         (JSC::JSCell::lock):
1416         (JSC::JSCell::unlock):
1417         * runtime/JSLock.cpp:
1418         (JSC::JSLock::grabAllLocks):
1419         * runtime/SamplingProfiler.cpp:
1420
1421 2017-07-21  Mark Lam  <mark.lam@apple.com>
1422
1423         Refactor MASM probe CPUState to use arrays for register storage.
1424         https://bugs.webkit.org/show_bug.cgi?id=174694
1425
1426         Reviewed by Keith Miller.
1427
1428         Using arrays for register storage in CPUState allows us to do away with the
1429         huge switch statements to decode each register id.  We can now simply index into
1430         the arrays.
1431
1432         With this patch, we now:
1433
1434         1. Remove the need for macros for defining the list of CPU registers.
1435            We can go back to simple enums.  This makes the code easier to read.
1436
1437         2. Make the assembler the authority on register names.
1438            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
1439            GPRInfo and FPRInfo now forward to the assembler.
1440
1441         3. Make the assembler the authority on the number of registers of each type.
1442
1443         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
1444            This is inconsistent with how every other CPU architecture implements
1445            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
1446            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
1447
1448         * assembler/ARM64Assembler.h:
1449         (JSC::ARM64Assembler::numberOfRegisters):
1450         (JSC::ARM64Assembler::firstSPRegister):
1451         (JSC::ARM64Assembler::lastSPRegister):
1452         (JSC::ARM64Assembler::numberOfSPRegisters):
1453         (JSC::ARM64Assembler::numberOfFPRegisters):
1454         (JSC::ARM64Assembler::gprName):
1455         (JSC::ARM64Assembler::sprName):
1456         (JSC::ARM64Assembler::fprName):
1457         * assembler/ARMAssembler.h:
1458         (JSC::ARMAssembler::numberOfRegisters):
1459         (JSC::ARMAssembler::firstSPRegister):
1460         (JSC::ARMAssembler::lastSPRegister):
1461         (JSC::ARMAssembler::numberOfSPRegisters):
1462         (JSC::ARMAssembler::numberOfFPRegisters):
1463         (JSC::ARMAssembler::gprName):
1464         (JSC::ARMAssembler::sprName):
1465         (JSC::ARMAssembler::fprName):
1466         * assembler/ARMv7Assembler.h:
1467         (JSC::ARMv7Assembler::lastRegister):
1468         (JSC::ARMv7Assembler::numberOfRegisters):
1469         (JSC::ARMv7Assembler::firstSPRegister):
1470         (JSC::ARMv7Assembler::lastSPRegister):
1471         (JSC::ARMv7Assembler::numberOfSPRegisters):
1472         (JSC::ARMv7Assembler::numberOfFPRegisters):
1473         (JSC::ARMv7Assembler::gprName):
1474         (JSC::ARMv7Assembler::sprName):
1475         (JSC::ARMv7Assembler::fprName):
1476         * assembler/AbstractMacroAssembler.h:
1477         (JSC::AbstractMacroAssembler::numberOfRegisters):
1478         (JSC::AbstractMacroAssembler::gprName):
1479         (JSC::AbstractMacroAssembler::firstSPRegister):
1480         (JSC::AbstractMacroAssembler::lastSPRegister):
1481         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
1482         (JSC::AbstractMacroAssembler::sprName):
1483         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
1484         (JSC::AbstractMacroAssembler::fprName):
1485         * assembler/MIPSAssembler.h:
1486         (JSC::MIPSAssembler::numberOfRegisters):
1487         (JSC::MIPSAssembler::firstSPRegister):
1488         (JSC::MIPSAssembler::lastSPRegister):
1489         (JSC::MIPSAssembler::numberOfSPRegisters):
1490         (JSC::MIPSAssembler::numberOfFPRegisters):
1491         (JSC::MIPSAssembler::gprName):
1492         (JSC::MIPSAssembler::sprName):
1493         (JSC::MIPSAssembler::fprName):
1494         * assembler/MacroAssembler.h:
1495         (JSC::MacroAssembler::CPUState::gprName):
1496         (JSC::MacroAssembler::CPUState::sprName):
1497         (JSC::MacroAssembler::CPUState::fprName):
1498         (JSC::MacroAssembler::CPUState::gpr):
1499         (JSC::MacroAssembler::CPUState::spr):
1500         (JSC::MacroAssembler::CPUState::fpr):
1501         (JSC::MacroAssembler::CPUState::pc):
1502         (JSC::MacroAssembler::CPUState::fp):
1503         (JSC::MacroAssembler::CPUState::sp):
1504         (JSC::ProbeContext::gpr):
1505         (JSC::ProbeContext::spr):
1506         (JSC::ProbeContext::fpr):
1507         (JSC::ProbeContext::gprName):
1508         (JSC::ProbeContext::sprName):
1509         (JSC::ProbeContext::fprName):
1510         (JSC::MacroAssembler::numberOfRegisters): Deleted.
1511         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
1512         * assembler/MacroAssemblerARM.cpp:
1513         * assembler/MacroAssemblerARM64.cpp:
1514         (JSC::arm64ProbeTrampoline):
1515         * assembler/MacroAssemblerARMv7.cpp:
1516         * assembler/MacroAssemblerPrinter.cpp:
1517         (JSC::Printer::nextID):
1518         (JSC::Printer::printAllRegisters):
1519         (JSC::Printer::printPCRegister):
1520         (JSC::Printer::printRegisterID):
1521         (JSC::Printer::printAddress):
1522         * assembler/MacroAssemblerX86Common.cpp:
1523         * assembler/X86Assembler.h:
1524         (JSC::X86Assembler::numberOfRegisters):
1525         (JSC::X86Assembler::firstSPRegister):
1526         (JSC::X86Assembler::lastSPRegister):
1527         (JSC::X86Assembler::numberOfSPRegisters):
1528         (JSC::X86Assembler::numberOfFPRegisters):
1529         (JSC::X86Assembler::gprName):
1530         (JSC::X86Assembler::sprName):
1531         (JSC::X86Assembler::fprName):
1532         * jit/FPRInfo.h:
1533         (JSC::FPRInfo::debugName):
1534         * jit/GPRInfo.h:
1535         (JSC::GPRInfo::debugName):
1536         * jit/RegisterSet.cpp:
1537         (JSC::RegisterSet::reservedHardwareRegisters):
1538
1539 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1540
1541         [JSC] Introduce static symbols
1542         https://bugs.webkit.org/show_bug.cgi?id=158863
1543
1544         Reviewed by Darin Adler.
1545
1546         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
1547         As a result, we can share the same Symbol values between VMs and threads.
1548         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
1549
1550         * CMakeLists.txt:
1551         * JavaScriptCore.xcodeproj/project.pbxproj:
1552         * builtins/BuiltinNames.cpp: Added.
1553         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
1554
1555         * builtins/BuiltinNames.h:
1556         (JSC::BuiltinNames::BuiltinNames):
1557         * builtins/BuiltinUtils.h:
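
Added example (not code from the ChangeLog or from WebKit): a compile-time string hash feeding an immutable symbol table, to show why the constexpr hash deliberately overflows and why such a table can be shared between VMs and threads without runtime allocation. FNV-1a is an assumed stand-in for WTF's hasher, StaticSymbol and findStaticSymbol are hypothetical names, and the symbol names in the table are illustrative.

```cpp
#include <cstdint>
#include <string_view>

// FNV-1a (32-bit), an assumed stand-in for WTF's string hasher; JSC's real
// hash differs. The multiply wraps modulo 2^32: unsigned overflow is well
// defined in C++, and that wraparound is the "intentional" integral constant
// overflow MSVC's C4307 warns about when the hash is folded at compile time.
constexpr uint32_t staticHash(std::string_view s)
{
    uint32_t h = 2166136261u;
    for (char c : s) {
        h ^= static_cast<unsigned char>(c);
        h *= 16777619u;
    }
    return h;
}

// A symbol whose name and hash are both compile-time constants. Because it is
// immutable and lives in static storage, any VM or thread can refer to it
// without allocating anything at runtime (hypothetical stand-in for
// StaticSymbolImpl).
struct StaticSymbol {
    std::string_view name;
    uint32_t hash;
};

constexpr StaticSymbol makeStaticSymbol(std::string_view name)
{
    return { name, staticHash(name) };
}

// Constructed private-name table; the entries are illustrative, not the set
// JSC registers.
constexpr StaticSymbol builtinSymbols[] = {
    makeStaticSymbol("iterator"),
    makeStaticSymbol("asyncIterator"),
    makeStaticSymbol("hasInstance"),
    makeStaticSymbol("toPrimitive"),
};

// Lookup compares the cheap hash first and the characters only on a match.
constexpr const StaticSymbol* findStaticSymbol(std::string_view name)
{
    const uint32_t h = staticHash(name);
    for (const StaticSymbol& symbol : builtinSymbols) {
        if (symbol.hash == h && symbol.name == name)
            return &symbol;
    }
    return nullptr;
}

// Both the table and the lookup fold at compile time.
static_assert(findStaticSymbol("iterator") != nullptr);
static_assert(findStaticSymbol("iterator")->hash == staticHash("iterator"));
static_assert(findStaticSymbol("notASymbol") == nullptr);
```

The static_asserts are the point: if the hash could not be evaluated as a constant expression (for instance because signed arithmetic overflowed, which is undefined), the build would fail rather than silently fall back to runtime hashing.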
1558
1559 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1560
1561         [FTL] Arguments elimination is suppressed by unreachable blocks
1562         https://bugs.webkit.org/show_bug.cgi?id=174352
1563
1564         Reviewed by Filip Pizlo.
1565
1566         If we do not execute `op_get_by_id`, our value profiling tells us it is unpredictable and DFG emits ForceOSRExit.
1567         The problem is that the arguments elimination phase checks escaping even when ForceOSRExit precedes.
1568         Since GetById without information can escape arguments if it is specified, non-executed code including
1569         op_get_by_id with arguments can escape arguments.
1570
1571         For example,
1572
1573             function test(flag)
1574             {
1575                 if (flag) {
1576                     // This is not executed, but emits GetById with arguments.
1577                     // It prevents us from eliminating materialization.
1578                     return arguments.length;
1579                 }
1580                 return arguments.length;
1581             }
1582             noInline(test);
1583             while (true)
1584                 test(false);
1585
1586         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
1587         So this GetById exists and escapes arguments.
1588
1589         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
1590         If it is shown, following GetById does not escape arguments. Compared to performing AI, it is
1591         lightweight. But it catches much of typical cases we failed to perform arguments elimination.
1592
1593         * dfg/DFGArgumentsEliminationPhase.cpp:
1594         * dfg/DFGNode.h:
1595         (JSC::DFG::Node::isPseudoTerminal):
1596         * dfg/DFGValidate.cpp:
1597
1598 2017-07-20  Chris Dumez  <cdumez@apple.com>
1599
1600         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
1601         https://bugs.webkit.org/show_bug.cgi?id=174660
1602
1603         Reviewed by Geoffrey Garen.
1604
1605         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
1606         This essentially replaces a branch to figure out if the new size is less than or greater than the
1607         current size with an assertion.
1608
1609         * b3/B3BasicBlockUtils.h:
1610         (JSC::B3::clearPredecessors):
1611         * b3/B3InferSwitches.cpp:
1612         * b3/B3LowerToAir.cpp:
1613         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
1614         * b3/B3ReduceStrength.cpp:
1615         * b3/B3SparseCollection.h:
1616         (JSC::B3::SparseCollection::packIndices):
1617         * b3/B3UseCounts.cpp:
1618         (JSC::B3::UseCounts::UseCounts):
1619         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
1620         * b3/air/AirEmitShuffle.cpp:
1621         (JSC::B3::Air::emitShuffle):
1622         * b3/air/AirLowerAfterRegAlloc.cpp:
1623         (JSC::B3::Air::lowerAfterRegAlloc):
1624         * b3/air/AirOptimizeBlockOrder.cpp:
1625         (JSC::B3::Air::optimizeBlockOrder):
1626         * bytecode/Operands.h:
1627         (JSC::Operands::ensureLocals):
1628         * bytecode/PreciseJumpTargets.cpp:
1629         (JSC::computePreciseJumpTargetsInternal):
1630         * dfg/DFGBlockInsertionSet.cpp:
1631         (JSC::DFG::BlockInsertionSet::execute):
1632         * dfg/DFGBlockMapInlines.h:
1633         (JSC::DFG::BlockMap<T>::BlockMap):
1634         * dfg/DFGByteCodeParser.cpp:
1635         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
1636         (JSC::DFG::ByteCodeParser::clearCaches):
1637         * dfg/DFGDisassembler.cpp:
1638         (JSC::DFG::Disassembler::Disassembler):
1639         * dfg/DFGFlowIndexing.cpp:
1640         (JSC::DFG::FlowIndexing::recompute):
1641         * dfg/DFGGraph.cpp:
1642         (JSC::DFG::Graph::registerFrozenValues):
1643         * dfg/DFGInPlaceAbstractState.cpp:
1644         (JSC::DFG::setLiveValues):
1645         * dfg/DFGLICMPhase.cpp:
1646         (JSC::DFG::LICMPhase::run):
1647         * dfg/DFGLivenessAnalysisPhase.cpp:
1648         * dfg/DFGNaturalLoops.cpp:
1649         (JSC::DFG::NaturalLoops::NaturalLoops):
1650         * dfg/DFGStoreBarrierClusteringPhase.cpp:
1651         * ftl/FTLLowerDFGToB3.cpp:
1652         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1653         * heap/CodeBlockSet.cpp:
1654         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1655         * heap/MarkedSpace.cpp:
1656         (JSC::MarkedSpace::sweepLargeAllocations):
1657         * inspector/ContentSearchUtilities.cpp:
1658         (Inspector::ContentSearchUtilities::findMagicComment):
1659         * interpreter/ShadowChicken.cpp:
1660         (JSC::ShadowChicken::update):
1661         * parser/ASTBuilder.h:
1662         (JSC::ASTBuilder::shrinkOperandStackBy):
1663         * parser/Lexer.h:
1664         (JSC::Lexer::setOffset):
1665         * runtime/RegExpInlines.h:
1666         (JSC::RegExp::matchInline):
1667         * runtime/RegExpPrototype.cpp:
1668         (JSC::genericSplit):
1669         * yarr/RegularExpression.cpp:
1670         (JSC::Yarr::RegularExpression::match):
1671
1672 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1673
1674         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
1675         https://bugs.webkit.org/show_bug.cgi?id=174678
1676
1677         Reviewed by Mark Lam.
1678
1679         Use Thread& instead.
1680
1681         * runtime/JSLock.cpp:
1682         (JSC::JSLock::didAcquireLock):
1683
1684 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1685
1686         [WTF] Implement WTF::ThreadGroup
1687         https://bugs.webkit.org/show_bug.cgi?id=174081
1688
1689         Reviewed by Mark Lam.
1690
1691         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
1692         And SamplingProfiler and others interact with WTF::Thread directly.
1693
1694         * API/tests/ExecutionTimeLimitTest.cpp:
1695         * heap/MachineStackMarker.cpp:
1696         (JSC::MachineThreads::MachineThreads):
1697         (JSC::captureStack):
1698         (JSC::MachineThreads::tryCopyOtherThreadStack):
1699         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1700         (JSC::MachineThreads::gatherConservativeRoots):
1701         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
1702         (JSC::ActiveMachineThreadsManager::add): Deleted.
1703         (JSC::ActiveMachineThreadsManager::remove): Deleted.
1704         (JSC::ActiveMachineThreadsManager::contains): Deleted.
1705         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
1706         (JSC::activeMachineThreadsManager): Deleted.
1707         (JSC::MachineThreads::~MachineThreads): Deleted.
1708         (JSC::MachineThreads::addCurrentThread): Deleted.
1709         (): Deleted.
1710         (JSC::MachineThreads::removeThread): Deleted.
1711         (JSC::MachineThreads::removeThreadIfFound): Deleted.
1712         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
1713         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
1714         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
1715         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
1716         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
1717         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
1718         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
1719         * heap/MachineStackMarker.h:
1720         (JSC::MachineThreads::addCurrentThread):
1721         (JSC::MachineThreads::getLock):
1722         (JSC::MachineThreads::threads):
1723         (JSC::MachineThreads::MachineThread::suspend): Deleted.
1724         (JSC::MachineThreads::MachineThread::resume): Deleted.
1725         (JSC::MachineThreads::MachineThread::threadID): Deleted.
1726         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
1727         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
1728         (JSC::MachineThreads::threadsListHead): Deleted.
1729         * runtime/SamplingProfiler.cpp:
1730         (JSC::FrameWalker::isValidFramePointer):
1731         (JSC::SamplingProfiler::SamplingProfiler):
1732         (JSC::SamplingProfiler::takeSample):
1733         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1734         * runtime/SamplingProfiler.h:
1735         * wasm/WasmMachineThreads.cpp:
1736         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1737
1738 2017-07-18  Andy Estes  <aestes@apple.com>
1739
1740         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
1741         https://bugs.webkit.org/show_bug.cgi?id=174631
1742
1743         Reviewed by Tim Horton.
1744
1745         * Configurations/Base.xcconfig:
1746         * b3/B3FoldPathConstants.cpp:
1747         * b3/B3LowerMacros.cpp:
1748         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1749         * dfg/DFGByteCodeParser.cpp:
1750         (JSC::DFG::ByteCodeParser::check):
1751         (JSC::DFG::ByteCodeParser::planLoad):
1752
1753 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1754
1755         WTF::Thread should have the threads stack bounds.
1756         https://bugs.webkit.org/show_bug.cgi?id=173975
1757
1758         Reviewed by Mark Lam.
1759
1760         There is a site in JSC that tries to walk another thread's stack.
1761         Currently, stack bounds are stored in WTFThreadData which is located
1762         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1763         We workaround this situation by holding StackBounds in MachineThread in JSC,
1764         but StackBounds should be put in WTF::Thread instead.
1765
1766         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
1767         coupled with Thread. Thus, putting it in WTF::Thread is a natural choice.
1768
1769         * heap/MachineStackMarker.cpp:
1770         (JSC::MachineThreads::MachineThread::MachineThread):
1771         (JSC::MachineThreads::MachineThread::captureStack):
1772         * heap/MachineStackMarker.h:
1773         (JSC::MachineThreads::MachineThread::stackBase):
1774         (JSC::MachineThreads::MachineThread::stackEnd):
1775         * runtime/VMTraps.cpp:
1776
1777 2017-07-18  Andy Estes  <aestes@apple.com>
1778
1779         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
1780         https://bugs.webkit.org/show_bug.cgi?id=174631
1781
1782         Reviewed by Sam Weinig.
1783
1784         * Configurations/Base.xcconfig:
1785
1786 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
1787
1788         Web Inspector: Modernize InjectedScriptSource
1789         https://bugs.webkit.org/show_bug.cgi?id=173890
1790
1791         Reviewed by Brian Burg.
1792
1793         * inspector/InjectedScript.h:
1794         Reorder functions to be slightly better.
1795
1796         * inspector/InjectedScriptSource.js:
1797         - Convert to classes named InjectedScript and RemoteObject
1798         - Align InjectedScript's API with the wrapper C++ interfaces
1799         - Move some code to RemoteObject where appropriate (subtype, describe)
1800         - Move some code to helper functions (isPrimitiveValue, isDefined)
1801         - Refactor for readability and modern features
1802         - Remove some unused / unnecessary code
1803
1804 2017-07-18  Mark Lam  <mark.lam@apple.com>
1805
1806         Butterfly storage need not be initialized for indexing type Undecided.
1807         https://bugs.webkit.org/show_bug.cgi?id=174516
1808
1809         Reviewed by Saam Barati.
1810
1811         While it's not incorrect to initialize the butterfly storage when the
1812         indexingType is Undecided, it is inefficient as we'll end up initializing
1813         it again later when we convert the storage to a different indexingType.
1814         Some of our code already skips initializing Undecided butterflies.
1815         This patch makes it the consistent behavior everywhere.
1816
1817         * dfg/DFGSpeculativeJIT.cpp:
1818         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1819         * runtime/JSArray.cpp:
1820         (JSC::JSArray::tryCreateUninitializedRestricted):
1821         * runtime/JSArray.h:
1822         (JSC::JSArray::tryCreate):
1823         * runtime/JSObject.cpp:
1824         (JSC::JSObject::ensureLengthSlow):
1825
1826 2017-07-18  Saam Barati  <sbarati@apple.com>
1827
1828         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
1829         https://bugs.webkit.org/show_bug.cgi?id=174515
1830         <rdar://problem/33358092>
1831
1832         Reviewed by Filip Pizlo.
1833
1834         AirLowerAfterRegAlloc was computing the set of available scratch
1835         registers incorrectly. It was always excluding callee save registers
1836         from the set of live registers. It did not guarantee that live callee save
1837         registers were not in the set of scratch registers that could
1838         get clobbered. That's incorrect as the shuffling code is free
1839         to overwrite whatever is in the scratch register it gets passed.
1840
1841         * b3/air/AirLowerAfterRegAlloc.cpp:
1842         (JSC::B3::Air::lowerAfterRegAlloc):
1843         * b3/testb3.cpp:
1844         (JSC::B3::functionNineArgs):
1845         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
1846         (JSC::B3::run):
1847         * jit/RegisterSet.h:
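
Added example (not code from the ChangeLog or from WebKit): a toy model of the scratch-register computation described above, with the pre-fix and post-fix versions side by side. The register names, RegSet type and function names are assumptions; Air's real RegisterSet is richer, and this model ignores which callee-saves the function's prologue actually saves.

```cpp
#include <bitset>
#include <cstddef>
#include <initializer_list>

// Toy x86_64-style register file (assumption: a simplified model, not Air's
// RegisterSet). rbx and r12-r15 are callee-save, the rest are caller-save.
enum Reg { rax, rcx, rdx, rbx, rsi, rdi, r8, r9, r10, r11, r12, r13, r14, r15, numRegs };
using RegSet = std::bitset<numRegs>;

RegSet allRegisters() { RegSet s; s.set(); return s; }

RegSet calleeSaveRegisters()
{
    RegSet s;
    for (Reg r : { rbx, r12, r13, r14, r15 })
        s.set(r);
    return s;
}

// Before the fix: callee-saves were dropped from the live set unconditionally,
// so a callee-save that is live across the shuffle could be picked as scratch
// and overwritten by the shuffle code.
RegSet scratchRegistersBuggy(const RegSet& liveAcrossShuffle, const RegSet& usedByShuffle)
{
    RegSet live = liveAcrossShuffle & ~calleeSaveRegisters();
    return allRegisters() & ~live & ~usedByShuffle;
}

// After the fix: every register that is live across the shuffle is excluded,
// whether or not it is callee-save.
RegSet scratchRegistersFixed(const RegSet& liveAcrossShuffle, const RegSet& usedByShuffle)
{
    return allRegisters() & ~liveAcrossShuffle & ~usedByShuffle;
}

// True if any candidate scratch register still holds a live value, i.e. the
// shuffle would be free to destroy state the rest of the function relies on.
bool scratchClobbersLiveValue(const RegSet& scratch, const RegSet& liveAcrossShuffle)
{
    return (scratch & liveAcrossShuffle).any();
}
```

The check in scratchClobbersLiveValue is the invariant the real fix restores: the scratch set must be disjoint from the live set, and callee-save status says nothing about liveness.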
1848
1849 2017-07-18  Andy Estes  <aestes@apple.com>
1850
1851         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
1852         https://bugs.webkit.org/show_bug.cgi?id=174631
1853
1854         Reviewed by Dan Bernstein.
1855
1856         * Configurations/Base.xcconfig:
1857
1858 2017-07-18  Devin Rousso  <drousso@apple.com>
1859
1860         Web Inspector: Add memoryCost to Inspector Protocol objects
1861         https://bugs.webkit.org/show_bug.cgi?id=174478
1862
1863         Reviewed by Joseph Pecoraro.
1864
1865         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
1866         plus the memoryCost of the data if it is a string.
1867
1868         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
1869
1870         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
1871         key plus the memoryCost of the InspectorValue for each entry.
1872
1873         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
1874
1875         * inspector/InspectorValues.h:
1876         * inspector/InspectorValues.cpp:
1877         (Inspector::InspectorValue::memoryCost):
1878         (Inspector::InspectorObjectBase::memoryCost):
1879         (Inspector::InspectorArrayBase::memoryCost):
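
Added example (not code from the ChangeLog or from WebKit): the memoryCost rules described above implemented over a small JSON-like value tree. Value, Array, Object and the make* helpers are hypothetical stand-ins for InspectorValue and its subclasses; stringCost is an assumed stand-in for WTF's string size accounting; every value, containers included, is assumed to count its own object.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <variant>
#include <vector>

// Hypothetical stand-in for Inspector::InspectorValue and its array/object
// subclasses; the names here are assumptions for this example, not JSC's.
struct Value;
using ValuePtr = std::shared_ptr<Value>;
using Array = std::vector<ValuePtr>;
using Object = std::vector<std::pair<std::string, ValuePtr>>;

struct Value {
    std::variant<std::monostate, bool, double, std::string, Array, Object> data;

    // Assumed stand-in for WTF::String::sizeInBytes(): the string object plus
    // one byte per character (8-bit strings only in this example).
    static size_t stringCost(const std::string& s) { return sizeof(std::string) + s.size(); }

    // Every value pays for its own object; strings add their character data,
    // arrays add each item, objects add each key string and each value.
    size_t memoryCost() const
    {
        size_t cost = sizeof(Value);
        if (auto* s = std::get_if<std::string>(&data))
            cost += stringCost(*s);
        else if (auto* a = std::get_if<Array>(&data)) {
            for (const auto& item : *a)
                cost += item->memoryCost();
        } else if (auto* o = std::get_if<Object>(&data)) {
            for (const auto& [key, value] : *o)
                cost += stringCost(key) + value->memoryCost();
        }
        return cost;
    }
};

// Small constructors so trees can be written inline.
inline ValuePtr makeNull() { return std::make_shared<Value>(); }
inline ValuePtr makeString(std::string s) { return std::make_shared<Value>(Value{std::move(s)}); }
inline ValuePtr makeArray(Array a) { return std::make_shared<Value>(Value{std::move(a)}); }
inline ValuePtr makeObject(Object o) { return std::make_shared<Value>(Value{std::move(o)}); }

int main()
{
    // Constructed sample: {"name": "probe", "tags": ["jit", "masm"]}
    Array tags { makeString("jit"), makeString("masm") };
    Object fields;
    fields.emplace_back("name", makeString("probe"));
    fields.emplace_back("tags", makeArray(std::move(tags)));
    ValuePtr root = makeObject(std::move(fields));
    std::printf("memoryCost = %zu bytes\n", root->memoryCost());
    return 0;
}
```

The recursion bottoms out at scalars, so the cost of a tree is exactly the sum over its nodes; that is what makes the figure usable for budgeting protocol messages without walking the tree twice.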
1880
1881 2017-07-18  Andy Estes  <aestes@apple.com>
1882
1883         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
1884         https://bugs.webkit.org/show_bug.cgi?id=174631
1885
1886         Reviewed by Darin Adler.
1887
1888         * Configurations/Base.xcconfig:
1889
1890 2017-07-18  Michael Saboff  <msaboff@apple.com>
1891
1892         [JSC] There should be a debug option to dump a compiled RegExp Pattern
1893         https://bugs.webkit.org/show_bug.cgi?id=174601
1894
1895         Reviewed by Alex Christensen.
1896
1897         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
1898         objects after a regular expression has been compiled.
1899
1900         * runtime/Options.h:
1901         * yarr/YarrPattern.cpp:
1902         (JSC::Yarr::YarrPattern::compile):
1903         (JSC::Yarr::indentForNestingLevel):
1904         (JSC::Yarr::dumpUChar32):
1905         (JSC::Yarr::PatternAlternative::dump):
1906         (JSC::Yarr::PatternTerm::dumpQuantifier):
1907         (JSC::Yarr::PatternTerm::dump):
1908         (JSC::Yarr::PatternDisjunction::dump):
1909         (JSC::Yarr::YarrPattern::dumpPattern):
1910         * yarr/YarrPattern.h:
1911         (JSC::Yarr::YarrPattern::global):
1912
1913 2017-07-17  Darin Adler  <darin@apple.com>
1914
1915         Improve use of NeverDestroyed
1916         https://bugs.webkit.org/show_bug.cgi?id=174348
1917
1918         Reviewed by Sam Weinig.
1919
1920         * heap/MachineStackMarker.cpp:
1921         * wasm/WasmMemory.cpp:
1922         Removed unneeded includes of NeverDestroyed.h in files that do not make use
1923         of NeverDestroyed.
1924
1925 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
1926
1927         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
1928         https://bugs.webkit.org/show_bug.cgi?id=174547
1929
1930         Reviewed by Alex Christensen.
1931
1932         * CMakeLists.txt:
1933         * shell/CMakeLists.txt:
1934
1935 2017-07-17  Saam Barati  <sbarati@apple.com>
1936
1937         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
1938         https://bugs.webkit.org/show_bug.cgi?id=174584
1939
1940         Rubber stamped by Keith Miller.
1941
1942         I used it to diagnose a bug. The bug is now fixed. This custom
1943         RELEASE_ASSERT is no longer needed.
1944
1945         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1946
1947 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
1948
1949         -Wformat-truncation warning in ConfigFile.cpp
1950         https://bugs.webkit.org/show_bug.cgi?id=174506
1951
1952         Reviewed by Darin Adler.
1953
1954         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
1955         return ParseError.
1956
1957         * runtime/ConfigFile.cpp:
1958         (JSC::ConfigFile::parse):
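
Added example (not code from the ChangeLog or from WebKit): the truncation check described above, written against snprintf's return value. buildConfigFilePath, ParseResult and the default directory and file name are assumptions; only the idea of refusing to continue when the joined path would exceed the fixed buffer is taken from the entry.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

#ifndef PATH_MAX
#define PATH_MAX 4096 // assumption: fallback when <climits> does not define it
#endif

// Result codes for this example (assumption: JSC's ConfigFile::parse() has its
// own result enum).
enum class ParseResult { Ok, PathTooLong, EncodingError };

// Joins a directory and a file name into a fixed-size buffer. snprintf always
// NUL-terminates, but it returns the length it *wanted* to write, so a return
// value >= the buffer size means the path was silently cut off. Treating that
// as an error avoids opening a different file than the one configured.
ParseResult buildConfigFilePath(const char* directory, const char* fileName, char* out, size_t outSize)
{
    int needed = std::snprintf(out, outSize, "%s/%s", directory, fileName);
    if (needed < 0)
        return ParseResult::EncodingError;
    if (static_cast<size_t>(needed) >= outSize)
        return ParseResult::PathTooLong; // would be truncated: refuse to continue
    return ParseResult::Ok;
}

int main(int argc, char** argv)
{
    const char* directory = argc > 1 ? argv[1] : "/etc/jsc"; // constructed defaults
    const char* fileName = argc > 2 ? argv[2] : "jsc.config";
    char path[PATH_MAX];
    switch (buildConfigFilePath(directory, fileName, path, sizeof(path))) {
    case ParseResult::Ok:
        std::printf("config path: %s\n", path);
        return 0;
    case ParseResult::PathTooLong:
        std::fprintf(stderr, "config path exceeds %d bytes, refusing to parse\n", PATH_MAX);
        return 1;
    case ParseResult::EncodingError:
        std::fprintf(stderr, "could not format config path\n");
        return 1;
    }
    return 1;
}
```

The comparison is `>=`, not `>`: a return value equal to the buffer size means the terminating NUL displaced the last character, which is already a truncated path.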
1959
1960 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
1961
1962         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
1963         https://bugs.webkit.org/show_bug.cgi?id=174557
1964
1965         Reviewed by Michael Catanzaro.
1966
1967         * CMakeLists.txt:
1968
1969 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1970
1971         [WTF] Use std::unique_ptr for StackTrace
1972         https://bugs.webkit.org/show_bug.cgi?id=174495
1973
1974         Reviewed by Alex Christensen.
1975
1976         * runtime/ExceptionScope.cpp:
1977         (JSC::ExceptionScope::unexpectedExceptionMessage):
1978         * runtime/VM.cpp:
1979         (JSC::VM::throwException):
1980
1981 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1982
1983         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
1984         https://bugs.webkit.org/show_bug.cgi?id=174423
1985
1986         Reviewed by Saam Barati.
1987
1988         * dfg/DFGAvailabilityMap.cpp:
1989         (JSC::DFG::AvailabilityMap::pruneHeap):
1990         (JSC::DFG::AvailabilityMap::pruneByLiveness):
1991
1992 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
1993
1994         Fix compiler warnings when building with GCC 7
1995         https://bugs.webkit.org/show_bug.cgi?id=174463
1996
1997         Reviewed by Darin Adler.
1998
1999         * disassembler/udis86/udis86_decode.c:
2000         (decode_operand):
2001
2002 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2003
2004         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
2005         https://bugs.webkit.org/show_bug.cgi?id=174467
2006
2007         Reviewed by Saam Barati.
2008
2009         * bytecode/CallLinkInfo.cpp:
2010         (JSC::CallLinkInfo::callTypeFor):
2011
2012 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
2013
2014         Web Inspector: Remove unused and untested Page domain commands
2015         https://bugs.webkit.org/show_bug.cgi?id=174429
2016
2017         Reviewed by Timothy Hatcher.
2018
2019         * inspector/protocol/Page.json:
2020
2021 2017-07-13  Saam Barati  <sbarati@apple.com>
2022
2023         Missing exception check in JSObject::hasInstance
2024         https://bugs.webkit.org/show_bug.cgi?id=174455
2025         <rdar://problem/31384608>
2026
2027         Reviewed by Mark Lam.
2028
2029         * runtime/JSObject.cpp:
2030         (JSC::JSObject::hasInstance):
2031
2032 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
2033
2034         [ESnext] Implement Object Spread
2035         https://bugs.webkit.org/show_bug.cgi?id=167963
2036
2037         Reviewed by Saam Barati.
2038
2039         This patch implements ECMA262 stage 3 Object Spread proposal [1].
2040         It's implemented using CopyDataPropertiesNoExclusions to copy
2041         all enumerable keys from the object being spread. The implementation of
2042         CopyDataPropertiesNoExclusions follows the CopyDataProperties
2043         implementation, however we don't receive excludedNames as parameter.
2044
2045         [1] - https://github.com/tc39/proposal-object-rest-spread
2046
2047         * builtins/GlobalOperations.js:
2048         (globalPrivate.copyDataPropertiesNoExclusions):
2049         * bytecompiler/BytecodeGenerator.cpp:
2050         (JSC::BytecodeGenerator::emitLoad):
2051         * bytecompiler/NodesCodegen.cpp:
2052         (JSC::PropertyListNode::emitBytecode):
2053         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2054         * parser/ASTBuilder.h:
2055         (JSC::ASTBuilder::createObjectSpreadExpression):
2056         (JSC::ASTBuilder::createProperty):
2057         * parser/NodeConstructors.h:
2058         (JSC::PropertyNode::PropertyNode):
2059         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
2060         * parser/Nodes.h:
2061         (JSC::ObjectSpreadExpressionNode::expression):
2062         * parser/Parser.cpp:
2063         (JSC::Parser<LexerType>::parseProperty):
2064         * parser/SyntaxChecker.h:
2065         (JSC::SyntaxChecker::createObjectSpreadExpression):
2066         (JSC::SyntaxChecker::createProperty):
2067
2068 2017-07-12  Mark Lam  <mark.lam@apple.com>
2069
2070         Gardening: build fix after r219434.
2071         https://bugs.webkit.org/show_bug.cgi?id=174441
2072
2073         Not reviewed.
2074
2075         Make public some MacroAssembler functions that are needed by the probe implementation.
2076
2077         * assembler/MacroAssemblerARM.h:
2078         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2079         * assembler/MacroAssemblerARMv7.h:
2080         (JSC::MacroAssemblerARMv7::linkCall):
2081
2082 2017-07-12  Mark Lam  <mark.lam@apple.com>
2083
2084         Move Probe code from AbstractMacroAssembler to MacroAssembler.
2085         https://bugs.webkit.org/show_bug.cgi?id=174441
2086
2087         Reviewed by Saam Barati.
2088
2089         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
2090         to MacroAssembler.  There is no code behavior change.
2091
2092         * assembler/AbstractMacroAssembler.h:
2093         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
2094         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
2095         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
2096         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
2097         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
2098         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
2099         * assembler/MacroAssembler.h:
2100         (JSC::MacroAssembler::CPUState::gprName):
2101         (JSC::MacroAssembler::CPUState::fprName):
2102         (JSC::MacroAssembler::CPUState::gpr):
2103         (JSC::MacroAssembler::CPUState::fpr):
2104         * assembler/MacroAssemblerARM.cpp:
2105         (JSC::MacroAssembler::probe):
2106         (JSC::MacroAssemblerARM::probe): Deleted.
2107         * assembler/MacroAssemblerARM.h:
2108         * assembler/MacroAssemblerARM64.cpp:
2109         (JSC::MacroAssembler::probe):
2110         (JSC::MacroAssemblerARM64::probe): Deleted.
2111         * assembler/MacroAssemblerARM64.h:
2112         * assembler/MacroAssemblerARMv7.cpp:
2113         (JSC::MacroAssembler::probe):
2114         (JSC::MacroAssemblerARMv7::probe): Deleted.
2115         * assembler/MacroAssemblerARMv7.h:
2116         * assembler/MacroAssemblerMIPS.h:
2117         * assembler/MacroAssemblerX86Common.cpp:
2118         (JSC::MacroAssembler::probe):
2119         (JSC::MacroAssemblerX86Common::probe): Deleted.
2120         * assembler/MacroAssemblerX86Common.h:
2121
2122 2017-07-12  Saam Barati  <sbarati@apple.com>
2123
2124         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
2125         https://bugs.webkit.org/show_bug.cgi?id=174411
2126         <rdar://problem/31696186>
2127
2128         Reviewed by Mark Lam.
2129
2130         The code for deleting an argument was incorrectly referencing state
2131         when it decided if it should unmap or mark a property as having its
2132         descriptor modified. This patch fixes the bug where if we delete a
2133         property, we would sometimes not unmap an argument when deleting it.
2134
2135         * runtime/GenericArgumentsInlines.h:
2136         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2137         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2138         (JSC::GenericArguments<Type>::deleteProperty):
2139         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2140
2141 2017-07-12  Commit Queue  <commit-queue@webkit.org>
2142
2143         Unreviewed, rolling out r219176.
2144         https://bugs.webkit.org/show_bug.cgi?id=174436
2145
2146         "Can cause infinite recursion on iOS" (Requested by mlam on
2147         #webkit).
2148
2149         Reverted changeset:
2150
2151         "WTF::Thread should have the threads stack bounds."
2152         https://bugs.webkit.org/show_bug.cgi?id=173975
2153         http://trac.webkit.org/changeset/219176
2154
2155 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2156
2157         Unreviewed, rolling out r219401.
2158
2159         This revision rolled out the previous patch, but after talking
2160         with the reviewer, a rebaseline is what was needed. Rolling back in
2161         before rebaseline.
2162
2163         Reverted changeset:
2164
2165         "Unreviewed, rolling out r219379."
2166         https://bugs.webkit.org/show_bug.cgi?id=174400
2167         http://trac.webkit.org/changeset/219401
2168
2169 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2170
2171         Unreviewed, rolling out r219379.
2172
2173         This revision caused a consistent failure in the test
2174         fast/dom/Window/property-access-on-cached-window-after-frame-
2175         removed.html.
2176
2177         Reverted changeset:
2178
2179         "Remove NAVIGATOR_HWCONCURRENCY"
2180         https://bugs.webkit.org/show_bug.cgi?id=174400
2181         http://trac.webkit.org/changeset/219379
2182
2183 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
2184
2185         Wrong radix used in Unicode Escape in invalid character error message
2186         https://bugs.webkit.org/show_bug.cgi?id=174419
2187
2188         Reviewed by Alex Christensen.
2189
2190         * parser/Lexer.cpp:
2191         (JSC::Lexer<T>::invalidCharacterMessage):
2192
2193 2017-07-11  Dean Jackson  <dino@apple.com>
2194
2195         Remove NAVIGATOR_HWCONCURRENCY
2196         https://bugs.webkit.org/show_bug.cgi?id=174400
2197
2198         Reviewed by Sam Weinig.
2199
2200         * Configurations/FeatureDefines.xcconfig:
2201
2202 2017-07-11  Dean Jackson  <dino@apple.com>
2203
2204         Rolling out r219372.
2205
2206         * Configurations/FeatureDefines.xcconfig:
2207
2208 2017-07-11  Dean Jackson  <dino@apple.com>
2209
2210         Remove NAVIGATOR_HWCONCURRENCY
2211         https://bugs.webkit.org/show_bug.cgi?id=174400
2212
2213         Reviewed by Sam Weinig.
2214
2215         * Configurations/FeatureDefines.xcconfig:
2216
2217 2017-07-11  Saam Barati  <sbarati@apple.com>
2218
2219         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
2220         https://bugs.webkit.org/show_bug.cgi?id=174397
2221
2222         Rubber stamped by David Kilzer.
2223
2224         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
2225         * wasm/js/WebAssemblyFunctionCell.h: Removed.
2226
2227 2017-07-10  Saam Barati  <sbarati@apple.com>
2228
2229         Allocation sinking phase should consider a CheckStructure that would fail as an escape
2230         https://bugs.webkit.org/show_bug.cgi?id=174321
2231         <rdar://problem/32604963>
2232
2233         Reviewed by Filip Pizlo.
2234
2235         When the allocation sinking phase was generating stores to materialize
2236         objects in a cycle with each other, it would assume that each materialized
2237         object had a valid, non empty, set of structures. This is an OK assumption for
2238         the phase to make because how do you materialize an object with no structure?
2239         
2240         The abstract interpretation part of the phase will model what's in the heap.
2241         However, it would sometimes model that a CheckStructure would fail. The phase
2242         did nothing special for this; it just stored the empty set of structures for
2243         its representation of a particular allocation. However, what the phase proved
2244         in such a scenario is that, had the CheckStructure executed, it would have exited.
2245         
2246         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
2247         This will cause the allocation in question to be materialized just before
2248         the CheckStructure, and then at execution time, the CheckStructure will exit.
2249         
2250         I wasn't able to write a test case for this. However, I was able to reproduce
2251         this crash by manually editing the IR. I've opened a separate bug to help us
2252         create a testing framework for writing tests for hard to reproduce bugs like this:
2253         https://bugs.webkit.org/show_bug.cgi?id=174322
2254
2255         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2256
2257 2017-07-10  Devin Rousso  <drousso@apple.com>
2258
2259         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
2260         https://bugs.webkit.org/show_bug.cgi?id=174279
2261
2262         Reviewed by Matt Baker.
2263
2264         * inspector/protocol/DOM.json:
2265         Add `highlightNodeList` command that will highlight each node in the given list.
2266
2267 2017-07-03  Brian Burg  <bburg@apple.com>
2268
2269         Web Replay: remove some unused code
2270         https://bugs.webkit.org/show_bug.cgi?id=173903
2271
2272         Rubber-stamped by Joseph Pecoraro.
2273
2274         * CMakeLists.txt:
2275         * Configurations/FeatureDefines.xcconfig:
2276         * DerivedSources.make:
2277         * JavaScriptCore.xcodeproj/project.pbxproj:
2278         * inspector/protocol/Replay.json: Removed.
2279         * replay/EmptyInputCursor.h: Removed.
2280         * replay/EncodedValue.cpp: Removed.
2281         * replay/EncodedValue.h: Removed.
2282         * replay/InputCursor.h: Removed.
2283         * replay/JSInputs.json: Removed.
2284         * replay/NondeterministicInput.h: Removed.
2285         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
2286         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
2287         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
2288         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
2289         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
2290         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
2291         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
2292         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
2293         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
2294         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
2295         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
2296         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
2297         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
2298         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
2299         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
2300         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
2301         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
2302         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
2303         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
2304         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
2305         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
2306         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
2307         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
2308         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
2309         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
2310         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
2311         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
2312         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
2313         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
2314         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
2315         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
2316         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
2317         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
2318         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
2319         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
2320         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
2321         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
2322         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
2323         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
2324         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
2325         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
2326         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
2327         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
2328         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
2329         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
2330         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
2331         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
2332         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
2333         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
2334         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
2335         * replay/scripts/tests/generate-input-with-guard.json: Removed.
2336         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
2337         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
2338         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
2339         * runtime/DateConstructor.cpp:
2340         (JSC::constructDate):
2341         (JSC::dateNow):
2342         (JSC::deterministicCurrentTime): Deleted.
2343         * runtime/JSGlobalObject.cpp:
2344         (JSC::JSGlobalObject::JSGlobalObject):
2345         (JSC::JSGlobalObject::setInputCursor): Deleted.
2346         * runtime/JSGlobalObject.h:
2347         (JSC::JSGlobalObject::inputCursor): Deleted.
2348
2349 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
2350
2351         Move make-js-file-arrays.py from WebCore to JavaScriptCore
2352         https://bugs.webkit.org/show_bug.cgi?id=174024
2353
2354         Reviewed by Michael Catanzaro.
2355
2356         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
2357         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
2358         Added command line option to pass the namespace to use instead of using WebCore.
2359
2360         * JavaScriptCore.xcodeproj/project.pbxproj:
2361         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
2362         (main):
2363
2364 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2365
2366         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
2367         https://bugs.webkit.org/show_bug.cgi?id=174296
2368
2369         Reviewed by Mark Lam.
2370
2371         Previously, we treated <LF><CR> as one line terminator. So we increased the line number by one.
2372         It caused a problem in scanning template literals. While template literals normalize
2373         <LF><CR> to <LF><LF>, we still needed to increase line number by only one.
2374         To handle it correctly, LineNumberAdder is introduced.
2375
2376         As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
2377         LineNumberAdder. Let's just use shiftLineTerminator() instead.
2378
2379         * parser/Lexer.cpp:
2380         (JSC::Lexer<T>::parseTemplateLiteral):
2381         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
2382         (JSC::LineNumberAdder::clear): Deleted.
2383         (JSC::LineNumberAdder::add): Deleted.
2384
2385 2017-07-09  Dan Bernstein  <mitz@apple.com>
2386
2387         [Xcode] ICU headers aren’t treated as system headers after r219155
2388         https://bugs.webkit.org/show_bug.cgi?id=174299
2389
2390         Reviewed by Sam Weinig.
2391
2392         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
2393           C++ compilers.
2394
2395         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
2396         * runtime/IntlDateTimeFormat.cpp: Ditto.
2397         * runtime/JSGlobalObject.cpp: Ditto.
2398         * runtime/StringPrototype.cpp: Ditto.
2399
2400 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2401
2402         [JSC] Use fastMalloc / fastFree for STL containers
2403         https://bugs.webkit.org/show_bug.cgi?id=174297
2404
2405         Reviewed by Sam Weinig.
2406
2407         In some places, we intentionally use STL containers over WTF containers.
2408         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
2409         because we do not have effective empty / deleted representations in the space of key's value.
2410         But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
2411
2412         We introduce WTF::FastAllocator. This is C++ allocator implementation using fastMalloc and fastFree.
2413         We specify this allocator to STL containers' template parameter to allocate memory from fastMalloc.
2414
2415         This WTF::FastAllocator gives us a chance to use STL containers if it is necessary
2416         without compromising memory allocation throughput.
2417
2418         * dfg/DFGGraph.h:
2419         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2420         * ftl/FTLLowerDFGToB3.cpp:
2421         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
2422         * runtime/FunctionHasExecutedCache.h:
2423         * runtime/TypeLocationCache.h:
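
        As an added illustration of the allocator-as-template-parameter approach the entry above describes (example code, not JavaScriptCore's or WTF's own implementation): a minimal C++11 allocator is plugged into std::unordered_set, std::unordered_map and std::vector. The fastMalloc/fastFree used here are counting stand-ins over the C allocator, and the FastUnorderedSet/FastUnorderedMap/FastVector aliases and exerciseFastContainers() are assumptions made for this example; the counters let the example check that every byte of container storage really went through the custom allocator and was released through it again.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <functional>
#include <new>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <utility>
#include <vector>

// Stand-ins for WTF::fastMalloc / WTF::fastFree (assumption for this example:
// they wrap the C allocator and count calls so routing can be verified).
static std::size_t g_fastMallocCalls = 0;
static std::size_t g_fastFreeCalls = 0;

void* fastMalloc(std::size_t size)
{
    ++g_fastMallocCalls;
    void* p = std::malloc(size ? size : 1);
    if (!p)
        throw std::bad_alloc();
    return p;
}

void fastFree(void* p)
{
    if (!p)
        return;
    ++g_fastFreeCalls;
    std::free(p);
}

// Minimal C++11 allocator: value_type, allocate and deallocate are all that is
// required; std::allocator_traits supplies rebind, construct and destroy.
template<typename T>
struct FastAllocator {
    using value_type = T;

    FastAllocator() noexcept = default;
    template<typename U>
    FastAllocator(const FastAllocator<U>&) noexcept { } // lets containers rebind to their node types

    T* allocate(std::size_t n)
    {
        if (n > SIZE_MAX / sizeof(T))
            throw std::bad_array_new_length();
        return static_cast<T*>(fastMalloc(n * sizeof(T)));
    }

    void deallocate(T* p, std::size_t) noexcept { fastFree(p); }
};

// The allocator is stateless, so any instance may free memory from any other.
template<typename T, typename U>
bool operator==(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return true; }
template<typename T, typename U>
bool operator!=(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return false; }

// Aliases that pass the allocator as the containers' allocator template parameter.
template<typename Key, typename Hash = std::hash<Key>, typename Eq = std::equal_to<Key>>
using FastUnorderedSet = std::unordered_set<Key, Hash, Eq, FastAllocator<Key>>;

template<typename Key, typename Value, typename Hash = std::hash<Key>, typename Eq = std::equal_to<Key>>
using FastUnorderedMap = std::unordered_map<Key, Value, Hash, Eq, FastAllocator<std::pair<const Key, Value>>>;

template<typename T>
using FastVector = std::vector<T, FastAllocator<T>>;

struct AllocStats {
    std::size_t mallocs;
    std::size_t frees;
    bool balanced; // every fastMalloc matched by a fastFree once the containers are gone
};

// Exercise the three containers and report how their storage was allocated.
AllocStats exerciseFastContainers()
{
    std::size_t m0 = g_fastMallocCalls;
    std::size_t f0 = g_fastFreeCalls;
    {
        FastUnorderedSet<int> set;
        for (int i = 0; i < 100; ++i)
            set.insert(i); // one node allocation per insert, plus bucket arrays on rehash

        // The std::string keys still use std::allocator; only the map's own
        // nodes and bucket array go through fastMalloc.
        FastUnorderedMap<std::string, int> map;
        map["alpha"] = 1;
        map["beta"] = 2;

        FastVector<double> values(64, 0.5);
        values.push_back(1.0); // forces a reallocation through the allocator
    }
    std::size_t mallocs = g_fastMallocCalls - m0;
    std::size_t frees = g_fastFreeCalls - f0;
    return { mallocs, frees, mallocs > 0 && mallocs == frees };
}

int main()
{
    AllocStats stats = exerciseFastContainers();
    return stats.balanced ? 0 : 1;
}
```

        The converting constructor is the part most often forgotten: unordered containers never allocate Key objects directly, they rebind the allocator to an internal node type and to a bucket-pointer type, and without that constructor the rebind fails to compile.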
2424
2425 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2426
2427         Drop NOSNIFF compile flag
2428         https://bugs.webkit.org/show_bug.cgi?id=174289
2429
2430         Reviewed by Michael Catanzaro.
2431
2432         * Configurations/FeatureDefines.xcconfig:
2433
2434 2017-07-07  AJ Ringer  <aringer@apple.com>
2435
2436         Lower the max_protection for the separated heap
2437         https://bugs.webkit.org/show_bug.cgi?id=174281
2438
2439         Reviewed by Oliver Hunt.
2440
2441         Switch to vm_protect so we can set maximum page protection.
2442
2443         * jit/ExecutableAllocator.cpp:
2444         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2445         (JSC::ExecutableAllocator::allocate):
2446
2447 2017-07-07  Devin Rousso  <drousso@apple.com>
2448
2449         Web Inspector: Show all elements currently using a given CSS Canvas
2450         https://bugs.webkit.org/show_bug.cgi?id=173965
2451
2452         Reviewed by Joseph Pecoraro.
2453
2454         * inspector/protocol/Canvas.json:
2455          - Add `requestCSSCanvasClientNodes` command for getting the node IDs all nodes using this
2456            canvas via -webkit-canvas.
2457          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
2458            added/removed from the list of -webkit-canvas clients.
2459
2460 2017-07-07  Mark Lam  <mark.lam@apple.com>
2461
2462         \n\r is not the same as \r\n.
2463         https://bugs.webkit.org/show_bug.cgi?id=173053
2464
2465         Reviewed by Keith Miller.
2466
2467         * parser/Lexer.cpp:
2468         (JSC::Lexer<T>::shiftLineTerminator):
2469         (JSC::LineNumberAdder::add):
2470
2471 2017-07-07  Commit Queue  <commit-queue@webkit.org>
2472
2473         Unreviewed, rolling out r219238, r219239, and r219241.
2474         https://bugs.webkit.org/show_bug.cgi?id=174265
2475
2476         "fast/workers/dedicated-worker-lifecycle.html is flaky"
2477         (Requested by yusukesuzuki on #webkit).
2478
2479         Reverted changesets:
2480
2481         "[WTF] Implement WTF::ThreadGroup"
2482         https://bugs.webkit.org/show_bug.cgi?id=174081
2483         http://trac.webkit.org/changeset/219238
2484
2485         "Unreviewed, build fix after r219238"
2486         https://bugs.webkit.org/show_bug.cgi?id=174081
2487         http://trac.webkit.org/changeset/219239
2488
2489         "Unreviewed, CLoop build fix after r219238"
2490         https://bugs.webkit.org/show_bug.cgi?id=174081
2491         http://trac.webkit.org/changeset/219241
2492
2493 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2494
2495         Unreviewed, CLoop build fix after r219238
2496         https://bugs.webkit.org/show_bug.cgi?id=174081
2497
2498         * heap/MachineStackMarker.cpp:
2499
2500 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2501
2502         [WTF] Implement WTF::ThreadGroup
2503         https://bugs.webkit.org/show_bug.cgi?id=174081
2504
2505         Reviewed by Mark Lam.
2506
2507         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
2508         And SamplingProfiler and others interact with WTF::Thread directly.
2509
2510         * API/tests/ExecutionTimeLimitTest.cpp:
2511         * heap/MachineStackMarker.cpp:
2512         (JSC::MachineThreads::MachineThreads):
2513         (JSC::captureStack):
2514         (JSC::MachineThreads::tryCopyOtherThreadStack):
2515         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2516         (JSC::MachineThreads::gatherConservativeRoots):
2517         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2518         (JSC::ActiveMachineThreadsManager::add): Deleted.
2519         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2520         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2521         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2522         (JSC::activeMachineThreadsManager): Deleted.
2523         (JSC::MachineThreads::~MachineThreads): Deleted.
2524         (JSC::MachineThreads::addCurrentThread): Deleted.
2525         (): Deleted.
2526         (JSC::MachineThreads::removeThread): Deleted.
2527         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2528         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2529         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2530         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2531         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2532         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2533         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2534         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2535         * heap/MachineStackMarker.h:
2536         (JSC::MachineThreads::addCurrentThread):
2537         (JSC::MachineThreads::getLock):
2538         (JSC::MachineThreads::threads):
2539         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2540         (JSC::MachineThreads::MachineThread::resume): Deleted.
2541         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2542         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2543         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2544         (JSC::MachineThreads::threadsListHead): Deleted.
2545         * runtime/SamplingProfiler.cpp:
2546         (JSC::FrameWalker::isValidFramePointer):
2547         (JSC::SamplingProfiler::SamplingProfiler):
2548         (JSC::SamplingProfiler::takeSample):
2549         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2550         * runtime/SamplingProfiler.h:
2551         * wasm/WasmMachineThreads.cpp:
2552         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2553
2554 2017-07-06  Saam Barati  <sbarati@apple.com>
2555
2556         We are missing places where we invalidate the for-in context
2557         https://bugs.webkit.org/show_bug.cgi?id=174184
2558
2559         Reviewed by Geoffrey Garen.
2560
2561         * bytecompiler/BytecodeGenerator.cpp:
2562         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2563         * bytecompiler/NodesCodegen.cpp:
2564         (JSC::EmptyLetExpression::emitBytecode):
2565         (JSC::ForInNode::emitLoopHeader):
2566         (JSC::ForOfNode::emitBytecode):
2567         (JSC::BindingNode::bindValue):
2568
2569 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2570
2571         Unreviewed, suppress warnings in GCC environment
2572
2573         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2574         * runtime/IntlCollator.cpp:
2575         * runtime/IntlDateTimeFormat.cpp:
2576         * runtime/JSGlobalObject.cpp:
2577         * runtime/StringPrototype.cpp:
2578
2579 2017-07-05  Saam Barati  <sbarati@apple.com>
2580
2581         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
2582         https://bugs.webkit.org/show_bug.cgi?id=174188
2583         <rdar://problem/30581423>
2584
2585         Reviewed by Mark Lam.
2586
2587         We were calling lowJSValue(edge) when we were speculating the
2588         edge as double. This isn't allowed. We should have been using
2589         lowDouble.
2590         
2591         This patch also adds a new option, called useArrayAllocationProfiling,
2592         which defaults to true. When false, it will make the array allocation
2593         profile not actually sample seen arrays. It'll force the allocation
2594         profile's predicted indexing type to be ArrayWithUndecided. Adding
2595         this option made it trivial to write a test for this bug.
2596
2597         * bytecode/ArrayAllocationProfile.cpp:
2598         (JSC::ArrayAllocationProfile::updateIndexingType):
2599         * ftl/FTLLowerDFGToB3.cpp:
2600         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2601         * runtime/Options.h:
2602
2603 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2604
2605         WTF::Thread should have the threads stack bounds.
2606         https://bugs.webkit.org/show_bug.cgi?id=173975
2607
2608         Reviewed by Keith Miller.
2609
2610         There is a site in JSC that tries to walk another thread's stack.
2611         Currently, stack bounds are stored in WTFThreadData which is located
2612         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2613         We workaround this situation by holding StackBounds in MachineThread in JSC,
2614         but StackBounds should be put in WTF::Thread instead.
2615
2616         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
2617         information is tightly coupled with Thread. Thus putting it in WTF::Thread
2618         is a natural choice.
2619
2620         * heap/MachineStackMarker.cpp:
2621         (JSC::MachineThreads::MachineThread::MachineThread):
2622         (JSC::MachineThreads::MachineThread::captureStack):
2623         * heap/MachineStackMarker.h:
2624         (JSC::MachineThreads::MachineThread::stackBase):
2625         (JSC::MachineThreads::MachineThread::stackEnd):
2626         * runtime/InitializeThreading.cpp:
2627         (JSC::initializeThreading):
2628         * runtime/VM.cpp:
2629         (JSC::VM::VM):
2630         (JSC::VM::updateStackLimits):
2631         (JSC::VM::committedStackByteCount):
2632         * runtime/VM.h:
2633         (JSC::VM::isSafeToRecurse):
2634         * runtime/VMEntryScope.cpp:
2635         (JSC::VMEntryScope::VMEntryScope):
2636         * runtime/VMInlines.h:
2637         (JSC::VM::ensureStackCapacityFor):
2638         * runtime/VMTraps.cpp:
2639         * yarr/YarrPattern.cpp:
2640         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2641
2642 2017-07-05  Keith Miller  <keith_miller@apple.com>
2643
2644         Crashing with information should have an abort reason
2645         https://bugs.webkit.org/show_bug.cgi?id=174185
2646
2647         Reviewed by Saam Barati.
2648
2649         Add crash information for the abstract interpreter and add an enum
2650         value for object allocation sinking.
2651
2652         * assembler/AbortReason.h:
2653         * dfg/DFGAbstractInterpreterInlines.h:
2654         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
2655         * dfg/DFGGraph.cpp:
2656         (JSC::DFG::logDFGAssertionFailure):
2657         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2658
2659 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
2660
2661         Remove copy of ICU headers from WebKit
2662         https://bugs.webkit.org/show_bug.cgi?id=116407
2663
2664         Reviewed by Alex Christensen.
2665
2666         Use WTF's copy of ICU headers.
2667
2668         * Configurations/Base.xcconfig:
2669         * icu/unicode/localpointer.h: Removed.
2670         * icu/unicode/parseerr.h: Removed.
2671         * icu/unicode/platform.h: Removed.
2672         * icu/unicode/ptypes.h: Removed.
2673         * icu/unicode/putil.h: Removed.
2674         * icu/unicode/uchar.h: Removed.
2675         * icu/unicode/ucnv.h: Removed.
2676         * icu/unicode/ucnv_err.h: Removed.
2677         * icu/unicode/ucol.h: Removed.
2678         * icu/unicode/uconfig.h: Removed.
2679         * icu/unicode/ucurr.h: Removed.
2680         * icu/unicode/uenum.h: Removed.
2681         * icu/unicode/uiter.h: Removed.
2682         * icu/unicode/uloc.h: Removed.
2683         * icu/unicode/umachine.h: Removed.
2684         * icu/unicode/unorm.h: Removed.
2685         * icu/unicode/unorm2.h: Removed.
2686         * icu/unicode/urename.h: Removed.
2687         * icu/unicode/uscript.h: Removed.
2688         * icu/unicode/uset.h: Removed.
2689         * icu/unicode/ustring.h: Removed.
2690         * icu/unicode/utf.h: Removed.
2691         * icu/unicode/utf16.h: Removed.
2692         * icu/unicode/utf8.h: Removed.
2693         * icu/unicode/utf_old.h: Removed.
2694         * icu/unicode/utypes.h: Removed.
2695         * icu/unicode/uvernum.h: Removed.
2696         * icu/unicode/uversion.h: Removed.
2697         * runtime/IntlCollator.cpp:
2698         * runtime/IntlDateTimeFormat.cpp:
2699         (JSC::IntlDateTimeFormat::partTypeString):
2700         * runtime/JSGlobalObject.cpp:
2701         * runtime/StringPrototype.cpp:
2702         (JSC::normalize):
2703         (JSC::stringProtoFuncNormalize):
2704
2705 2017-07-05  Devin Rousso  <drousso@apple.com>
2706
2707         Web Inspector: Allow users to log any tracked canvas context
2708         https://bugs.webkit.org/show_bug.cgi?id=173397
2709         <rdar://problem/33111581>
2710
2711         Reviewed by Joseph Pecoraro.
2712
2713         * inspector/protocol/Canvas.json:
2714         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
2715
2716 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
2717
2718         Add WebKitPrivateFrameworkStubs for iOS 11
2719         https://bugs.webkit.org/show_bug.cgi?id=173988
2720
2721         Reviewed by David Kilzer.
2722
2723         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
2724         same directory for private framework stubs.
2725
2726 2017-07-05  JF Bastien  <jfbastien@apple.com>
2727
2728         WebAssembly: implement name section's module name, skip unknown sections
2729         https://bugs.webkit.org/show_bug.cgi?id=172008
2730
2731         Reviewed by Keith Miller.
2732
2733         Parse the WebAssembly module name properly, and skip unknown
2734         sections. This is useful because as toolchains support new types
2735         of names we want to keep displaying the information we know about
2736         and simply ignore new information. That capability was designed
2737         into WebAssembly's name section.
2738
2739         Failure to commit this patch would mean that WebKit won't display
2740         stack trace information, which would make developers sad.
2741
2742         Module names were added here: https://github.com/WebAssembly/design/pull/1055
2743
2744         Note that this patch doesn't do anything with the parsed name! Two
2745         reasons for this: module names aren't supported in binaryen yet,
2746         so I can't write a simple binary test; and using the name is a
2747         slightly riskier change because it requires changing StackVisitor
2748         + StackFrame (where they print "[wasm code]") which requires
2749         figuring out the frame's Module. The latter bit isn't trivial
2750         because we only know wasm frames from their tag bits, and
2751         CodeBlocks are always nullptr.
2752
2753         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
2754
2755         I filed #174098 to use the module name.
2756
2757         * wasm/WasmFormat.h:
2758         (JSC::Wasm::isValidNameType):
2759         * wasm/WasmNameSectionParser.cpp:
2760
2761 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
2762
2763         Cleanup some StringBuilder use
2764         https://bugs.webkit.org/show_bug.cgi?id=174118
2765
2766         Reviewed by Andreas Kling.
2767
2768         * runtime/FunctionConstructor.cpp:
2769         (JSC::constructFunctionSkippingEvalEnabledCheck):
2770         * tools/FunctionOverrides.cpp:
2771         (JSC::parseClause):
2772         * wasm/WasmOMGPlan.cpp:
2773         * wasm/WasmPlan.cpp:
2774         * wasm/WasmValidate.cpp:
2775
2776 2017-07-03  Saam Barati  <sbarati@apple.com>
2777
2778         LayoutTest workers/bomb.html is a Crash
2779         https://bugs.webkit.org/show_bug.cgi?id=167757
2780         <rdar://problem/33086462>
2781
2782         Reviewed by Keith Miller.
2783
2784         VMTraps::SignalSender was accessing VM fields even after
2785         the VM was destroyed. This happened when the SignalSender
2786         thread was in the middle of its work() function while VMTraps
2787         was notified that the VM was shutting down. The VM would proceed
2788         to run its destructor even after the SignalSender thread finished
2789         doing its work. This means that the SignalSender thread was accessing
2790         VM fields even after the VM was destructed (including itself, since it is
2791         transitively owned by the VM). The VM must wait for the SignalSender
2792         thread to shutdown before it can continue to destruct itself.
2793
2794         * runtime/VMTraps.cpp:
2795         (JSC::VMTraps::willDestroyVM):
2796
2797 2017-07-03  Saam Barati  <sbarati@apple.com>
2798
2799         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
2800         https://bugs.webkit.org/show_bug.cgi?id=174110
2801
2802         Reviewed by Michael Saboff.
2803
2804         * dfg/DFGByteCodeParser.cpp:
2805         (JSC::DFG::ByteCodeParser::parseBlock):
2806
2807 2017-07-03  Saam Barati  <sbarati@apple.com>
2808
2809         Add a new assertion to object allocation sinking phase
2810         https://bugs.webkit.org/show_bug.cgi?id=174107
2811
2812         Rubber stamped by Filip Pizlo.
2813
2814         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2815
2816 2017-07-03  Commit Queue  <commit-queue@webkit.org>
2817
2818         Unreviewed, rolling out r219060.
2819         https://bugs.webkit.org/show_bug.cgi?id=174108
2820
2821         crashing constantly when initializing UIWebView (Requested by
2822         thorton on #webkit).
2823
2824         Reverted changeset:
2825
2826         "WTF::Thread should have the threads stack bounds."
2827         https://bugs.webkit.org/show_bug.cgi?id=173975
2828         http://trac.webkit.org/changeset/219060
2829
2830 2017-07-03  Matt Lewis  <jlewis3@apple.com>
2831
2832         Unreviewed, rolling out r219103.
2833
2834         Caused multiple build failures.
2835
2836         Reverted changeset:
2837
2838         "Remove copy of ICU headers from WebKit"
2839         https://bugs.webkit.org/show_bug.cgi?id=116407
2840         http://trac.webkit.org/changeset/219103
2841
2842 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
2843
2844         Remove copy of ICU headers from WebKit
2845         https://bugs.webkit.org/show_bug.cgi?id=116407
2846
2847         Reviewed by Alex Christensen.
2848
2849         Use WTF's copy of ICU headers.
2850
2851         * Configurations/Base.xcconfig:
2852         * icu/unicode/localpointer.h: Removed.
2853         * icu/unicode/parseerr.h: Removed.
2854         * icu/unicode/platform.h: Removed.
2855         * icu/unicode/ptypes.h: Removed.
2856         * icu/unicode/putil.h: Removed.
2857         * icu/unicode/uchar.h: Removed.
2858         * icu/unicode/ucnv.h: Removed.
2859         * icu/unicode/ucnv_err.h: Removed.
2860         * icu/unicode/ucol.h: Removed.
2861         * icu/unicode/uconfig.h: Removed.
2862         * icu/unicode/ucurr.h: Removed.
2863         * icu/unicode/uenum.h: Removed.
2864         * icu/unicode/uiter.h: Removed.
2865         * icu/unicode/uloc.h: Removed.
2866         * icu/unicode/umachine.h: Removed.
2867         * icu/unicode/unorm.h: Removed.
2868         * icu/unicode/unorm2.h: Removed.
2869         * icu/unicode/urename.h: Removed.
2870         * icu/unicode/uscript.h: Removed.
2871         * icu/unicode/uset.h: Removed.
2872         * icu/unicode/ustring.h: Removed.
2873         * icu/unicode/utf.h: Removed.
2874         * icu/unicode/utf16.h: Removed.
2875         * icu/unicode/utf8.h: Removed.
2876         * icu/unicode/utf_old.h: Removed.
2877         * icu/unicode/utypes.h: Removed.
2878         * icu/unicode/uvernum.h: Removed.
2879         * icu/unicode/uversion.h: Removed.
2880         * runtime/IntlCollator.cpp:
2881         * runtime/IntlDateTimeFormat.cpp:
2882         * runtime/JSGlobalObject.cpp:
2883         * runtime/StringPrototype.cpp:
2884
2885 2017-07-03  Saam Barati  <sbarati@apple.com>
2886
2887         Add better crash logging for allocation sinking phase
2888         https://bugs.webkit.org/show_bug.cgi?id=174102
2889         <rdar://problem/33112092>
2890
2891         Rubber stamped by Filip Pizlo.
2892
2893         I'm trying to gather better information from crashlogs about why
2894         we're crashing in the allocation sinking phase. I'm adding an allocation
2895         sinking specific RELEASE_ASSERT as well as marking a few functions as
2896         NEVER_INLINE to have the stack traces in the crash trace contain more
2897         actionable information.
2898
2899         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2900
2901 2017-07-03  Sam Weinig  <sam@webkit.org>
2902
2903         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
2904         https://bugs.webkit.org/show_bug.cgi?id=174083
2905
2906         Reviewed by Alex Christensen.
2907
2908         * Configurations/FeatureDefines.xcconfig:
2909         Add ENABLE_NAVIGATOR_STANDALONE.
2910
2911 2017-07-03  Andy Estes  <aestes@apple.com>
2912
2913         [Xcode] Add an experimental setting to build with ccache
2914         https://bugs.webkit.org/show_bug.cgi?id=173875
2915
2916         Reviewed by Tim Horton.
2917
2918         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
2919
2920 2017-07-03  Devin Rousso  <drousso@apple.com>
2921
2922         Web Inspector: Support listing WebGL2 and WebGPU contexts
2923         https://bugs.webkit.org/show_bug.cgi?id=173396
2924
2925         Reviewed by Joseph Pecoraro.
2926
2927         * inspector/protocol/Canvas.json:
2928         * inspector/scripts/codegen/generator.py:
2929         (Generator.stylized_name_for_enum_value):
2930         Add cases for handling new Canvas.ContextType protocol enumerations:
2931          - "webgl2" maps to `WebGL2`
2932          - "webgpu" maps to `WebGPU`
2933
2934 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2935
2936         WTF::Thread should have the threads stack bounds.
2937         https://bugs.webkit.org/show_bug.cgi?id=173975
2938
2939         Reviewed by Mark Lam.
2940
2941         There is a site in JSC that tries to walk another thread's stack.
2942         Currently, stack bounds are stored in WTFThreadData which is located
2943         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2944         We workaround this situation by holding StackBounds in MachineThread in JSC,
2945         but StackBounds should be put in WTF::Thread instead.
2946
2947         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
2948         information is tightly coupled with Thread. Thus putting it in WTF::Thread
2949         is a natural choice.
2950
2951         * heap/MachineStackMarker.cpp:
2952         (JSC::MachineThreads::MachineThread::MachineThread):
2953         (JSC::MachineThreads::MachineThread::captureStack):
2954         * heap/MachineStackMarker.h:
2955         (JSC::MachineThreads::MachineThread::stackBase):
2956         (JSC::MachineThreads::MachineThread::stackEnd):
2957         * runtime/InitializeThreading.cpp:
2958         (JSC::initializeThreading):
2959         * runtime/VM.cpp:
2960         (JSC::VM::VM):
2961         (JSC::VM::updateStackLimits):
2962         (JSC::VM::committedStackByteCount):
2963         * runtime/VM.h:
2964         (JSC::VM::isSafeToRecurse):
2965         * runtime/VMEntryScope.cpp:
2966         (JSC::VMEntryScope::VMEntryScope):
2967         * runtime/VMInlines.h:
2968         (JSC::VM::ensureStackCapacityFor):
2969         * runtime/VMTraps.cpp:
2970         * yarr/YarrPattern.cpp:
2971         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2972
2973 2017-07-01  Dan Bernstein  <mitz@apple.com>
2974
2975         [iOS] Remove code only needed when building for iOS 9.x
2976         https://bugs.webkit.org/show_bug.cgi?id=174068
2977
2978         Reviewed by Tim Horton.
2979
2980         * Configurations/FeatureDefines.xcconfig:
2981         * jit/ExecutableAllocator.cpp:
2982         * runtime/Options.cpp:
2983         (JSC::recomputeDependentOptions):
2984
2985 2017-07-01  Dan Bernstein  <mitz@apple.com>
2986
2987         [macOS] Remove code only needed when building for OS X Yosemite
2988         https://bugs.webkit.org/show_bug.cgi?id=174067
2989
2990         Reviewed by Tim Horton.
2991
2992         * API/WebKitAvailability.h:
2993         * Configurations/Base.xcconfig:
2994         * Configurations/DebugRelease.xcconfig:
2995         * Configurations/FeatureDefines.xcconfig:
2996         * Configurations/Version.xcconfig:
2997
2998 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2999
3000         Unreviewed, build fix for GCC
3001         https://bugs.webkit.org/show_bug.cgi?id=174034
3002
3003         * b3/testb3.cpp:
3004         (JSC::B3::testDoubleLiteralComparison):
3005
3006 2017-06-30  Keith Miller  <keith_miller@apple.com>
3007
3008         Force crashWithInfo to be out of line.
3009         https://bugs.webkit.org/show_bug.cgi?id=174028
3010
3011         Reviewed by Filip Pizlo.
3012
3013         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
3014
3015         * dfg/DFGGraph.cpp:
3016         (JSC::DFG::logDFGAssertionFailure):
3017         (JSC::DFG::Graph::logAssertionFailure):
3018         (JSC::DFG::crash): Deleted.
3019         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
3020         * dfg/DFGGraph.h:
3021
3022 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3023
3024         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
3025         https://bugs.webkit.org/show_bug.cgi?id=174053
3026
3027         Reviewed by Geoffrey Garen.
3028
3029         We already have AbstractMacroAssembler::random() function. Use it instead.
3030
3031         * jit/JIT.cpp:
3032         (JSC::JIT::JIT):
3033         (JSC::JIT::compileWithoutLinking):
3034         * jit/JIT.h:
3035
3036 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3037
3038         [WTF] Drop SymbolRegistry::keyForSymbol
3039         https://bugs.webkit.org/show_bug.cgi?id=174052
3040
3041         Reviewed by Sam Weinig.
3042
3043         * runtime/SymbolConstructor.cpp:
3044         (JSC::symbolConstructorKeyFor):
3045
3046 2017-06-30  Saam Barati  <sbarati@apple.com>
3047
3048         B3ReduceStrength should reduce EqualOrUnordered over const float input
3049         https://bugs.webkit.org/show_bug.cgi?id=174039
3050
3051         Reviewed by Michael Saboff.
3052
3053         We perform this folding for ConstDoubleValue. It is simply
3054         an oversight that we didn't do it for ConstFloatValue.
3055
3056         * b3/B3ConstFloatValue.cpp:
3057         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
3058         * b3/B3ConstFloatValue.h:
3059         * b3/testb3.cpp:
3060         (JSC::B3::testFloatEqualOrUnorderedFolding):
3061         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
3062         (JSC::B3::testFloatEqualOrUnorderedDontFold):
3063         (JSC::B3::run):
3064
3065 2017-06-30  Matt Baker  <mattbaker@apple.com>
3066
3067         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
3068         https://bugs.webkit.org/show_bug.cgi?id=173840
3069         <rdar://problem/30840820>
3070
3071         Reviewed by Joseph Pecoraro.
3072
3073         When truncating an asynchronous stack trace, the parent chain is traversed
3074         until a locked node is found. The path from this node to the root is shared
3075         by more than one stack trace, and cannot be safely modified. Starting at
3076         the first locked node, the path is cloned and becomes a new stack trace tree.
3077
3078         However, the clone operation initialized each new AsyncStackTrace node with
3079         the original node's parent. This would increment the child count of the original
3080         node. When cloning nodes, new nodes should not have their parent set until the
3081         next node up the parent chain is cloned.
3082
3083         * inspector/AsyncStackTrace.cpp:
3084         (Inspector::AsyncStackTrace::truncate):
3085
3086 2017-06-30  Michael Saboff  <msaboff@apple.com>
3087
3088         RegExps anchored with .* with the /g flag can return the wrong match start for strings with multiple matches
3089         https://bugs.webkit.org/show_bug.cgi?id=174044
3090
3091         Reviewed by Oliver Hunt.
3092
3093         The .* enclosure optimization didn't respect that we can start matching from a non-zero
3094         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
3095         then finding the extent of the match by going back to the beginning of the line and going
3096         forward to the end of the line.  The code that went back to the beginning of the line
3097         checked for an index of 0 instead of comparing the index to the start position.  This start
3098         position is passed as the initial index.
3099
3100         Added another temporary register to the YARR JIT to contain the start position for
3101         platforms that have spare registers.
3102
3103         * yarr/Yarr.h:
3104         * yarr/YarrInterpreter.cpp:
3105         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
3106         (JSC::Yarr::Interpreter::Interpreter):
3107         * yarr/YarrJIT.cpp:
3108         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
3109         (JSC::Yarr::YarrGenerator::compile):
3110         * yarr/YarrPattern.cpp:
3111         (JSC::Yarr::YarrPattern::YarrPattern):
3112         * yarr/YarrPattern.h:
3113         (JSC::Yarr::YarrPattern::reset):
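
        The following is an added example, not YARR code: a small JavaScript model of the .* enclosure fast path for patterns of the form /.*<term>.*/ (no s flag, so . stops at a newline). The model locates the term, then widens left to the start of the line and right to its end; the `respectStart` switch reproduces the bug described above, where the leftward walk stopped at index 0 instead of at the position the search started from. The `term` argument is assumed to be a plain literal (no regex metacharacters), and the search start is driven through `lastIndex` as a g-flag loop would do.

```javascript
// Model of YARR's .* enclosure optimization for /.*<term>.*/ (example code,
// not the engine's). `respectStart === false` reproduces the bug: the walk
// back to the beginning of the line ignored the start index.
function dotStarEnclosure(input, term, start, respectStart) {
  const hit = input.indexOf(term, start);   // first <term> at or after start
  if (hit < 0) return null;
  const floor = respectStart ? start : 0;   // bug: floor was always 0
  let begin = hit;
  while (begin > floor && input[begin - 1] !== '\n') begin--;   // back to line start
  let end = hit + term.length;
  while (end < input.length && input[end] !== '\n') end++;      // forward to line end
  return { index: begin, match: input.slice(begin, end) };
}

// Reference answer from the engine itself, searching from `start` via lastIndex.
function nativeFrom(input, term, start) {
  const re = new RegExp('.*' + term + '.*', 'g');
  re.lastIndex = start;
  const m = re.exec(input);
  return m ? { index: m.index, match: m[0] } : null;
}

// Iterate over all matches the way a g-flag loop does, using the model.
function allMatches(input, term, respectStart) {
  const out = [];
  let start = 0;
  for (;;) {
    const m = dotStarEnclosure(input, term, start, respectStart);
    if (!m) break;
    out.push(m);
    start = m.index + Math.max(m.match.length, 1);   // advance past the match
  }
  return out;
}
```

With the input "0a2a" (constructed) and a start index of 2, the correct model and the engine both report the match "2a" at index 2; the buggy variant walks back to index 0 and reports "0a2a", which is exactly the wrong match start the entry describes. When the start sits at the beginning of a line the two variants agree, which is why the bug only shows up on strings with more than one match.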
3114
3115 2017-06-30  Saam Barati  <sbarati@apple.com>
3116
3117         B3MoveConstants floatZero() returns the wrong ValueKey
3118         https://bugs.webkit.org/show_bug.cgi?id=174040
3119
3120         Reviewed by Filip Pizlo.
3121
3122         It had a typo where the ValueKey for floatZero() produces a Double
3123         instead of a Float.
3124
3125         * b3/B3MoveConstants.cpp:
3126
3127 2017-06-30  Saam Barati  <sbarati@apple.com>
3128
3129         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
3130         https://bugs.webkit.org/show_bug.cgi?id=174034
3131         <rdar://problem/30793007>
3132
3133         Reviewed by Filip Pizlo.
3134
3135         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
3136         reduce binary operations over double constants into the same binary
3137         operation over the double constants casted to floats. This is clearly
3138         incorrect as these two things will produce different values. For example:
3139         
3140         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
3141         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
3142         c = EqualOrUnordered(@a, @b) // produces 0
3143         
3144         into:
3145         
3146         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
3147         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
3148         c = EqualOrUnordered(@a, @b) // produces 1
3149         
3150         Which produces a different value for @c.
3151
3152         * b3/B3ReduceDoubleToFloat.cpp:
3153         * b3/testb3.cpp:
3154         (JSC::B3::doubleEq):
3155         (JSC::B3::doubleNeq):
3156         (JSC::B3::doubleGt):
3157         (JSC::B3::doubleGte):
3158         (JSC::B3::doubleLt):
3159         (JSC::B3::doubleLte):
3160         (JSC::B3::testDoubleLiteralComparison):
3161         (JSC::B3::run):
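
        The following is an added example, not JSC code: it reproduces the unsound fold described above using JavaScript numbers (IEEE doubles) for the double constants and `Math.fround` for the cast to float, and then shows a guard under which folding would be safe. The guard (`canFoldComparison`) is this example's own sufficient condition, not the patch's fix; the bit patterns are the ones from the entry.

```javascript
// Example code (not JSC's): why comparing float-cast constants is not the
// same as comparing the double constants.

// bitwise_cast<double>(uint64): build a double from its 64-bit pattern.
function doubleFromBits(bits) {
  const view = new DataView(new ArrayBuffer(8));
  view.setBigUint64(0, BigInt.asUintN(64, bits), true);
  return view.getFloat64(0, true);
}

// B3's EqualOrUnordered(a, b): true when a == b or either side is NaN.
// IEEE equality treats -0 and +0 as equal, as === does.
function equalOrUnordered(a, b) {
  return a === b || Number.isNaN(a) || Number.isNaN(b);
}

// The reduction B3ReduceDoubleToFloat performed: the same comparison over
// the operands cast to float.
function foldedEqualOrUnordered(a, b) {
  return equalOrUnordered(Math.fround(a), Math.fround(b));
}

// True when the fold preserves the comparison result for this pair.
function foldPreservesResult(a, b) {
  return equalOrUnordered(a, b) === foldedEqualOrUnordered(a, b);
}

// This example's guard (not the patch's): a constant that survives the float
// round trip compares identically as a float, so if both do, the fold is safe.
function exactlyRepresentableAsFloat(x) {
  return Number.isNaN(x) || Object.is(Math.fround(x), x);
}

function canFoldComparison(a, b) {
  return exactlyRepresentableAsFloat(a) && exactlyRepresentableAsFloat(b);
}

// The ChangeLog's counterexample: the smallest negative subnormal double vs +0.
// Cast to float, the subnormal underflows to -0, which compares equal to +0.
const A = doubleFromBits(0x8000000000000001n);
const B = doubleFromBits(0x0000000000000000n);
```

For the pair (A, B), `equalOrUnordered` returns false while `foldedEqualOrUnordered` returns true, matching the 0 vs 1 in the entry; `canFoldComparison` rejects the pair because A does not survive the float round trip, whereas constants such as 1.5 and -2 pass and fold safely.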
3162
3163 2017-06-29  Jer Noble  <jer.noble@apple.com>
3164
3165         Make Legacy EME API controlled by RuntimeEnabled setting.
3166         https://bugs.webkit.org/show_bug.cgi?id=173994
3167
3168         Reviewed by Sam Weinig.
3169
3170         * Configurations/FeatureDefines.xcconfig:
3171         * runtime/CommonIdentifiers.h:
3172
3173 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
3174
3175         Ran sort-Xcode-project-file.
3176
3177         * JavaScriptCore.xcodeproj/project.pbxproj:
3178
3179 2017-06-30  Matt Lewis  <jlewis3@apple.com>
3180
3181         Unreviewed, rolling out r218992.
3182
3183         The patch broke the iOS device builds.
3184
3185         Reverted changeset:
3186
3187         "DFG_ASSERT should allow stuffing registers before trapping."
3188         https://bugs.webkit.org/show_bug.cgi?id=174005
3189         http://trac.webkit.org/changeset/218992
3190
3191 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
3192
3193         RegExpCachedResult::setInput should reify left and right contexts
3194         https://bugs.webkit.org/show_bug.cgi?id=173818
3195
3196         Reviewed by Keith Miller.
3197         
3198         If you don't reify them in setInput, then when you later try to reify them, you'll end up
3199         using indices into an old input string to create a substring of a new input string. That
3200         never goes well.
3201
3202         * runtime/RegExpCachedResult.cpp:
3203         (JSC::RegExpCachedResult::setInput):
3204
3205 2017-06-30  Keith Miller  <keith_miller@apple.com>
3206
3207         DFG_ASSERT should allow stuffing registers before trapping.
3208         https://bugs.webkit.org/show_bug.cgi?id=174005
3209
3210         Reviewed by Mark Lam.
3211
3212         DFG_ASSERT currently prints error data to stderr before crashing,
3213         which is nice for local development. In the wild, however, we
3214         can't see this information in crash logs. This patch enables
3215         stuffing some of the most useful information from DFG_ASSERTS into
3216         up to five registers right before crashing. The values stuffed
3217         should not impact any logging during local development.
3218
3219         * assembler/AbortReason.h:
3220         * dfg/DFGAbstractInterpreterInlines.h:
3221         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3222         * dfg/DFGGraph.cpp:
3223         (JSC::DFG::logForCrash):
3224         (JSC::DFG::Graph::logAssertionFailure):
3225         (JSC::DFG::crash): Deleted.
3226         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
3227         * dfg/DFGGraph.h:
3228
3229 2017-06-29  Saam Barati  <sbarati@apple.com>
3230
3231         Calculating postCapacity in unshiftCountSlowCase is wrong
3232         https://bugs.webkit.org/show_bug.cgi?id=173992
3233         <rdar://problem/32283199>
3234
3235         Reviewed by Keith Miller.
3236
3237         This patch fixes a bug inside unshiftCountSlowCase where we would use
3238         more memory than we allocated. The bug was when deciding how much extra
3239         space we have after the vector we've allocated. This area is called the
3240         postCapacity. The largest legal postCapacity value we could use is the
3241         space we allocated minus the space we need:
3242         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
3243         However, the code was calculating the postCapacity as:
3244         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
3245         
3246         where count is how many elements we're appending. Depending on the inputs,
3247         count could be larger than (newStorageCapacity - requiredVectorLength). This
3248         would cause us to use more memory than we actually allocated.
3249
3250         * runtime/JSArray.cpp:
3251         (JSC::JSArray::unshiftCountSlowCase):
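
        The following is an added example, not JSC code: it models the postCapacity computation from the entry over a simulated backing store so the overrun becomes a countable out-of-bounds index instead of silent memory corruption. The layout assumed here is simplified to [preCapacity][vector][postCapacity] with newVectorLength = requiredVectorLength + postCapacity; the clamp used for the fixed variant is this example's choice, since the entry states only the largest legal value.

```javascript
// Example code (not JSC's): buggy vs. bounded postCapacity selection.
function choosePostCapacity(newStorageCapacity, requiredVectorLength, count, fixed) {
  const largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
  // Buggy: max() can pick `count`, which may exceed what was allocated.
  // Fixed (example's clamp): never exceed largestPossiblePostCapacity.
  return fixed
    ? Math.min(largestPossiblePostCapacity, count)
    : Math.max(largestPossiblePostCapacity, count);
}

// Fill the vector inside a store of exactly newStorageCapacity slots and
// count the writes that would land outside the allocation.
function simulateUnshift(newStorageCapacity, requiredVectorLength, count, fixed) {
  const postCapacity = choosePostCapacity(newStorageCapacity, requiredVectorLength, count, fixed);
  const newVectorLength = requiredVectorLength + postCapacity;
  // In C++ this subtraction is unsigned and would wrap to a huge value;
  // here a negative preCapacity simply means the layout does not fit.
  const preCapacity = newStorageCapacity - newVectorLength;
  const store = new Array(newStorageCapacity).fill(null);
  let outOfBounds = 0;
  for (let i = 0; i < newVectorLength; i++) {
    const slot = preCapacity + i;
    if (slot < 0 || slot >= store.length) outOfBounds++;
    else store[slot] = i;
  }
  return { postCapacity, newVectorLength, preCapacity, outOfBounds };
}
```

With 16 slots allocated, 12 required and count = 8 (constructed inputs), the buggy selection takes postCapacity = 8, needs 20 slots and writes 4 past the allocation; the bounded selection takes 4 and fits exactly. When the allocation is generous (32 slots) both variants fit, which is why the bug depends on the inputs.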
3252
3253 2017-06-29  Commit Queue  <commit-queue@webkit.org>
3254
3255         Unreviewed, rolling out r218512.
3256         https://bugs.webkit.org/show_bug.cgi?id=173981
3257
3258         "It changes the behavior of the JS API's JSEvaluateScript
3259         which breaks TurboTax" (Requested by saamyjoon on #webkit).
3260
3261         Reverted changeset:
3262
3263         "test262: Completion values for control flow do not match the
3264         spec"
3265         https://bugs.webkit.org/show_bug.cgi?id=171265
3266         http://trac.webkit.org/changeset/218512
3267
3268 2017-06-29  JF Bastien  <jfbastien@apple.com>
3269
3270         WebAssembly: disable some APIs under CSP
3271         https://bugs.webkit.org/show_bug.cgi?id=173892
3272         <rdar://problem/32914613>
3273
3274         Reviewed by Daniel Bates.
3275
3276         We should disable parts of WebAssembly under Content Security
3277         Policy as discussed here:
3278
3279         https://github.com/WebAssembly/design/issues/1092
3280
3281         Exactly what should be disabled isn't super clear, so we may as
3282         well be conservative and disable many things if developers already
3283         opted into CSP. It's easy to loosen what we disable later.
3284
3285         This patch disables:
3286         - WebAssembly.Instance
3287         - WebAssembly.instantiate
3288         - WebAssembly.Memory
3289         - WebAssembly.Table
3290
3291         And leaves:
3292         - WebAssembly on the global object
3293         - WebAssembly.Module
3294         - WebAssembly.compile
3295         - WebAssembly.CompileError
3296         - WebAssembly.LinkError
3297
3298         Nothing, because currently unimplemented:
3299         - WebAssembly.compileStreaming
3300         - WebAssembly.instantiateStreaming
3301
3302         That way it won't be possible to call WebAssembly-compiled code,
3303         or create memories (which use fancy 4GiB allocations
3304         sometimes). Table isn't really useful on its own, and eventually
3305         we may make them shareable so without more details it seems benign
3306         to disable them (and useless if we don't).
3307
3308         I haven't done anything with postMessage, so you can still
3309         postMessage a WebAssembly.Module cross-CSP, but you can't
3310         instantiate it so it's useless. Because of this I elected to leave
3311         WebAssembly.Module and friends available.
3312
3313         I haven't added any new directives. It's still unsafe-eval. We can
3314         add something else later, but it seems odd to add a WebAssembly as
3315         a new capability and tell developers "you should have been using
3316         this directive which we just implemented if you wanted to disable
3317         WebAssembly which didn't exist when you adopted CSP". So IMO we
3318         should keep unsafe-eval as it currently is, add WebAssembly to
3319         what it disables, and later consider having two new directives
3320         which do each individually or something.
3321
3322         In all cases I throw an EvalError *before* other WebAssembly
3323         errors would be produced.
3324
3325         Note that, as for eval, reporting doesn't work and is tracked by
3326         https://webkit.org/b/111869
3327
3328         * runtime/JSGlobalObject.cpp:
3329         (JSC::JSGlobalObject::JSGlobalObject):
3330         * runtime/JSGlobalObject.h:
3331         (JSC::JSGlobalObject::webAssemblyEnabled):
3332         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
3333         (JSC::JSGlobalObject::setWebAssemblyEnabled):
3334         * wasm/js/JSWebAssemblyInstance.cpp:
3335         (JSC::JSWebAssemblyInstance::create):
3336         * wasm/js/JSWebAssemblyMemory.cpp:
3337         (JSC::JSWebAssemblyMemory::create):
3338         * wasm/js/JSWebAssemblyMemory.h:
3339         * wasm/js/JSWebAssemblyTable.cpp:
3340         (JSC::JSWebAssemblyTable::create):
3341         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3342         (JSC::constructJSWebAssemblyMemory):
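
        The following is an added example, not WebKit code: a probe that reports which WebAssembly entry points the current realm permits and tells a policy block (the EvalError thrown by the change above) apart from ordinary WebAssembly failures such as CompileError, plus a caller that falls back to plain JS only on a policy block. The module bytes are constructed here and export a single `add(i32, i32)` function. Run without a CSP (for instance in Node) everything reports 'allowed'; in WebKit under a CSP without unsafe-eval, Module and compile stay allowed while Instance, Memory and Table report 'blocked-by-policy'.

```javascript
// Example code (not WebKit's). Constructed module: exports add(i32, i32) -> i32.
const ADD_MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                    // "\0asm", version 1
  0x01, 0x07, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,              // type 0: (i32, i32) -> i32
  0x03, 0x02, 0x01, 0x00,                                            // func 0 has type 0
  0x07, 0x07, 0x01, 0x03, 0x61, 0x64, 0x64, 0x00, 0x00,              // export "add" = func 0
  0x0a, 0x09, 0x01, 0x07, 0x00, 0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b,  // local.get 0, local.get 1, i32.add
]);

// Run fn and classify the outcome: EvalError is the policy signal, anything
// else is a genuine WebAssembly error (CompileError, LinkError, RangeError...).
function classify(fn) {
  try {
    fn();
    return 'allowed';
  } catch (e) {
    return e instanceof EvalError ? 'blocked-by-policy' : 'error:' + e.constructor.name;
  }
}

// Probe each constructor the entry lists as blocked or left alone.
function probeWebAssemblyPolicy() {
  const results = {
    Module: classify(() => new WebAssembly.Module(ADD_MODULE)),
    Memory: classify(() => new WebAssembly.Memory({ initial: 1 })),
    Table: classify(() => new WebAssembly.Table({ initial: 0, element: 'anyfunc' })),
  };
  if (results.Module === 'allowed') {
    const module = new WebAssembly.Module(ADD_MODULE);   // compiling stays allowed
    results.Instance = classify(() => new WebAssembly.Instance(module, {}));
  } else {
    results.Instance = 'skipped';
  }
  return results;
}

// Use wasm when the realm allows it; fall back to JS only on a policy block,
// and let real wasm failures surface to the caller.
function addWithFallback(a, b) {
  try {
    const instance = new WebAssembly.Instance(new WebAssembly.Module(ADD_MODULE), {});
    return { usedWasm: true, value: instance.exports.add(a, b) };
  } catch (e) {
    if (!(e instanceof EvalError)) throw e;
    return { usedWasm: false, value: (a + b) | 0 };
  }
}
```

Because WebAssembly.Module is still constructible under the policy, a page can keep compiling (or receive a Module via postMessage, as the entry notes) but learns at instantiation time that the policy forbids running it; catching only EvalError there keeps genuine CompileError/LinkError failures visible instead of silently masking them behind the fallback.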
3343
3344 2017-06-28  Keith Miller  <keith_miller@apple.com>
3345
3346         VMTraps has some races
3347         https://bugs.webkit.org/show_bug.cgi?id=173941
3348
3349         Reviewed by Michael Saboff.
3350
3351         This patch refactors much of the VMTraps API.
3352
3353         On the message sending side:
3354
3355         1) No longer uses the Yarr JIT check to determine if we are in
3356         RegExp code. That was unsound because RegExp JIT code can be run
3357         on compilation threads.  Instead it looks at the current frame's
3358         code block slot and checks if it is valid, which is the same as
3359         what it did for JIT code previously.
3360
3361         2) Only have one signal sender thread, previously, there could be
3362         many at once, which caused some data races. Additionally, the
3363         signal sender thread is an automatic thread so it will deallocate
3364         itself when not in use.
3365
3366         On the VMTraps breakpoint side:
3367
3368         1) We now have a true mapping of whether we hit a breakpoint instead of
3369         a JIT assertion. So the exception handler won't eat JIT assertions
3370         anymore.
3371
3372         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
3373         them instead of every CodeBlock on the stack. This both prevents
3374         us from hitting stale VMTraps breakpoints and also doesn't OSR
3375         codeblocks that otherwise don't need to be jettisoned.
3376
3377         3) The old exception handler could theoretically fail for a couple
3378         of reasons then resume execution with a clobbered instruction
3379         set. This patch will kill the program if the exception handler
3380         would fail.
3381
3382         This patch also refactors some of the jsc.cpp functions to take the
3383         CommandLine options object instead of individual options. Also, there
3384         is a new command line option that makes exceptions due to watchdog
3385         timeouts an acceptable result.
3386
3387         * API/tests/testapi.c:
3388         (main):
3389         * bytecode/CodeBlock.cpp:
3390         (JSC::CodeBlock::installVMTrapBreakpoints):
3391         * dfg/DFGCommonData.cpp:
3392         (JSC::DFG::pcCodeBlockMap):
3393         (JSC::DFG::CommonData::invalidate):
3394         (JSC::DFG::CommonData::~CommonData):
3395         (JSC::DFG::CommonData::installVMTrapBreakpoints):
3396         (JSC::DFG::codeBlockForVMTrapPC):
3397         * dfg/DFGCommonData.h:
3398         * jsc.cpp:
3399         (functionDollarAgentStart):
3400         (checkUncaughtException):
3401         (checkException):
3402         (runWithOptions):
3403         (printUsageStatement):
3404         (CommandLine::parseArguments):
3405         (jscmain):
3406         (runWithScripts): Deleted.
3407         * runtime/JSLock.cpp:
3408         (JSC::JSLock::didAcquireLock):