Implement 64-bit MacroAssembler::probe support for Windows.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-22  Per Arne Vollan  <pvollan@apple.com>

        Implement 64-bit MacroAssembler::probe support for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=175724

        Reviewed by Mark Lam.

        This is needed to enable the DFG. MSVC no longer supports inline assembly
        for 64-bit, which means we have to put the code in an asm file.

        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::booleanTrueForAvoidingNoReturnDeclaration): Deleted.
        * jit/JITStubsMSVC64.asm:

2017-08-22  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: provide way for ShaderPrograms to be enabled/disabled
        https://bugs.webkit.org/show_bug.cgi?id=175400

        Reviewed by Matt Baker.

        * inspector/protocol/Canvas.json:
        Add `setShaderProgramDisabled` command that sets the `disabled` flag on the given shader
        program to the supplied boolean value. If this value is true, calls to `drawArrays` and
        `drawElements` when that program is in use will have no effect.

2017-08-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix windows build... for realz.

        * CMakeLists.txt:

2017-08-22  Saam Barati  <sbarati@apple.com>

        We are using valueProfileForBytecodeOffset when there may not be a value profile
        https://bugs.webkit.org/show_bug.cgi?id=175812

        Reviewed by Michael Saboff.

        This patch uses the type system to aid the code around CodeBlock's ValueProfile
        accessor methods. valueProfileForBytecodeOffset used to return ValueProfile*,
        so there were callers of this that thought it could return nullptr when there
        was no such ValueProfile. This was not the case, it always returned a non-null
        pointer. This patch changes valueProfileForBytecodeOffset to return ValueProfile&
        and adds a new tryGetValueProfileForBytecodeOffset method that returns ValueProfile*
        and does the right thing if there is no such ValueProfile.

        This patch also changes the other ValueProfile accessors on CodeBlock to
        return ValueProfile& instead of ValueProfile*. Some callers handled the null
        case unnecessarily, and using the type system to specify the result can't be
        null removes these useless branches.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::dumpValueProfiles):
        (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::validate):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfileForArgument):
        (JSC::CodeBlock::valueProfile):
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        (JSC::CodeBlock::getFromAllValueProfiles):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitValueProfilingSite):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::validateJSCell):

2017-08-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix windows build... maybe.

        * CMakeLists.txt:

2017-08-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix cloop build.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-08-22  Per Arne Vollan  <pvollan@apple.com>

        [Win][Release] Crash when running testmasm executable.
        https://bugs.webkit.org/show_bug.cgi?id=175772

        Reviewed by Mark Lam.

        We need to save and restore the modified registers in case one or more registers are callee saved
        on the relevant platforms.

        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):

2017-08-21  Mark Lam  <mark.lam@apple.com>

        Change probe code to use static_assert instead of COMPILE_ASSERT.
        https://bugs.webkit.org/show_bug.cgi?id=175762

        Reviewed by JF Bastien.

        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerX86Common.cpp:

2017-08-21  Keith Miller  <keith_miller@apple.com>

        Make generate_offset_extractor.rb architectures argument more robust
        https://bugs.webkit.org/show_bug.cgi?id=175809

        Reviewed by Joseph Pecoraro.

        It turns out that some of our builders pass their architectures as
        space separated lists.  I decided to just make the splitting of
        our list robust to any reasonable combination of spaces and
        commas.

        * offlineasm/generate_offset_extractor.rb:

2017-08-21  Keith Miller  <keith_miller@apple.com>

        Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
        https://bugs.webkit.org/show_bug.cgi?id=175690

        Reviewed by Michael Saboff.

        This should reduce some of the time we spend building offline asm
        in our builds (except for linux since they already did this).

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * offlineasm/backends.rb:
        * offlineasm/generate_offset_extractor.rb:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLoop build.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Not reviewed.

        Make these files dependent on ENABLE(MASM_PROBE).

        * assembler/ProbeContext.cpp:
        * assembler/ProbeContext.h:
        * assembler/ProbeStack.cpp:
        * assembler/ProbeStack.h:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Reviewed by JF Bastien.

        With this patch, the clients of the MacroAssembler::probe() can now change
        stack values without having to worry about whether there is enough room in the
        current stack frame for it or not.  This is done using the Probe::Context's stack
        member like so:

            jit.probe([] (Probe::Context& context) {
                auto cpu = context.cpu;
                auto stack = context.stack();
                uintptr_t* currentSP = cpu.sp<uintptr_t*>();

                // Get a value at the current stack pointer location.
                auto value = stack.get<uintptr_t>(currentSP);

                // Set a value above the current stack pointer (within current frame).
                stack.set<uintptr_t>(currentSP + 10, value);

                // Set a value below the current stack pointer (out of current frame).
                stack.set<uintptr_t>(currentSP - 10, value);

                // Set the new stack pointer.
                cpu.sp() = currentSP - 20;
            });

        What happens behind the scenes:

        1. the generated JIT probe code will now call Probe::executeProbe(), and
           Probe::executeProbe() will in turn call the client's probe function.

           Probe::executeProbe() receives the Probe::State on the machine stack passed
           to it by the probe trampoline.  Probe::executeProbe() will instantiate a
           Probe::Context to be passed to the client's probe function.  The client will
           no longer see the Probe::State directly.

        2. The Probe::Context comes with a Probe::Stack which serves as a manager of
           stack pages.  Currently, each page is 1K in size.
           Probe::Context::stack() returns a reference to an instance of Probe::Stack.

        3. Invoking get() or set() on Probe::Stack with an address will lead to the
           following:

           a. the address will be decoded to a baseAddress that points to the 1K page
              that contains that address.

           b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
              If so, go to step (f).  Else, continue with step (c).

           c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
              for that specified baseAddress to this mirror page.

           d. the mirror page will be added to the ProbeStack's m_pages HashMap,
              keyed on the baseAddress.

           e. the ProbeStack will also cache the last baseAddress and its corresponding
              mirror page in use.  With memory accesses tending to be localized, this
              will save us from having to look up the page in the HashMap.

           f. get() will map the requested address to a physical address in the mirror
              page, and return the value at that location.

           g. set() will map the requested address to a physical address in the mirror
              page, and set the value at that location in the mirror page.

              set() will also set a dirty bit corresponding to the "cache line" that
              was modified in the mirror page.

        4. When the client's probe function returns, Probe::executeProbe() will check if
           there are stack changes that need to be applied.  If stack changes are needed:

           a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
              space is available to flush the dirty stack pages.  It will also register a
              flushStackDirtyPages callback function in the Probe::State.  Thereafter,
              Probe::executeProbe() returns to the probe trampoline.

           b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
              a safe place if needed, and then calls the flushStackDirtyPages callback
              if needed.

           c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
              HashMap and flushes all dirty "cache lines" to the machine stack.
              Thereafter, flushStackDirtyPages() returns to the probe trampoline.

           d. lastly, the probe trampoline will restore all register values and return
              to the pc set in the Probe::State.

        To make this patch work, I also had to do the following work:

        5. Refactor MacroAssembler::CPUState into Probe::CPUState.
           Mainly, this means moving the code over to ProbeContext.h.
           I also added some convenience accessor methods for spr registers.

           Moved Probe::Context over to its own file ProbeContext.h/cpp.

        6. Fix all probe trampolines to pass the address of Probe::executeProbe in
           addition to the client's probe function and arg.

           I also took this opportunity to optimize the generated JIT probe code to
           minimize the amount of memory stores needed.

        7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
           either lr or pc (or neither), but not both in the same probe invocation.
           The ARM64 probe trampoline used to have to check for this invariant in the
           assembly trampoline code.  With the introduction of Probe::executeProbe(),
           we can now do it there and simplify the trampoline.

        8. Fix a bug in the old ARM64 probe trampoline for the case where the client
           changes lr.  That code path never worked before, but has now been fixed.

        9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
           MacroAssemblerARMv7.

           We can now use move() with TrustedImmPtr, and it does the same thing but in a
           more generic way.

       10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
           the same semantics as movs (according to the Thumb spec).  This means these
           instructions may trash the APSR flags before we have a chance to preserve them.

           This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
           early on.  This entails adding support for the mrs instruction in the
           ARMv7Assembler.

       11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
           the easy way.

           Also fixed testmasm tests which check flag registers to only compare the
           portions that are modifiable by the client i.e. some masking is applied.

        This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::mrs):
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName): Deleted.
        (JSC::MacroAssembler::CPUState::sprName): Deleted.
        (JSC::MacroAssembler::CPUState::fprName): Deleted.
        (JSC::MacroAssembler::CPUState::gpr): Deleted.
        (JSC::MacroAssembler::CPUState::spr): Deleted.
        (JSC::MacroAssembler::CPUState::fpr): Deleted.
        (JSC:: const): Deleted.
        (JSC::MacroAssembler::CPUState::fpr const): Deleted.
        (JSC::MacroAssembler::CPUState::pc): Deleted.
        (JSC::MacroAssembler::CPUState::fp): Deleted.
        (JSC::MacroAssembler::CPUState::sp): Deleted.
        (JSC::MacroAssembler::CPUState::pc const): Deleted.
        (JSC::MacroAssembler::CPUState::fp const): Deleted.
        (JSC::MacroAssembler::CPUState::sp const): Deleted.
        (JSC::Probe::State::gpr): Deleted.
        (JSC::Probe::State::spr): Deleted.
        (JSC::Probe::State::fpr): Deleted.
        (JSC::Probe::State::gprName): Deleted.
        (JSC::Probe::State::sprName): Deleted.
        (JSC::Probe::State::fprName): Deleted.
        (JSC::Probe::State::pc): Deleted.
        (JSC::Probe::State::fp): Deleted.
        (JSC::Probe::State::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::arm64ProbeError): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::armV7Condition):
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::ctiMasmProbeTrampoline):
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/ProbeContext.cpp: Added.
        (JSC::Probe::executeProbe):
        (JSC::Probe::handleProbeStackInitialization):
        (JSC::Probe::probeStateForContext):
        * assembler/ProbeContext.h: Added.
        (JSC::Probe::CPUState::gprName):
        (JSC::Probe::CPUState::sprName):
        (JSC::Probe::CPUState::fprName):
        (JSC::Probe::CPUState::gpr):
        (JSC::Probe::CPUState::spr):
        (JSC::Probe::CPUState::fpr):
        (JSC::Probe:: const):
        (JSC::Probe::CPUState::fpr const):
        (JSC::Probe::CPUState::pc):
        (JSC::Probe::CPUState::fp):
        (JSC::Probe::CPUState::sp):
        (JSC::Probe::CPUState::pc const):
        (JSC::Probe::CPUState::fp const):
        (JSC::Probe::CPUState::sp const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::Context::stack):
        (JSC::Probe::Context::hasWritesToFlush):
        (JSC::Probe::Context::releaseStack):
        * assembler/ProbeStack.cpp: Added.
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::hasWritesToFlush):
        (JSC::Probe::Stack::flushWrites):
        (JSC::Probe::Stack::ensurePageFor):
        * assembler/ProbeStack.h: Added.
        (JSC::Probe::Page::baseAddressFor):
        (JSC::Probe::Page::chunkAddressFor):
        (JSC::Probe::Page::baseAddress):
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::hasWritesToFlush const):
        (JSC::Probe::Page::flushWritesIfNeeded):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        (JSC::Probe::Stack::newStackPointer const):
        (JSC::Probe::Stack::setNewStackPointer):
        (JSC::Probe::Stack::isValid):
        (JSC::Probe::Stack::pageFor):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::testProbeModifiesStackValues):
        (JSC::run):
        (): Deleted.
        (JSC::fillStack): Deleted.
        (JSC::testProbeModifiesStackWithCallback): Deleted.
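
        As an added illustration of the mirror-page mechanism in steps 1 through 4 of the entry above (editor's example, not code from the WebKit patch): a self-contained C++ model of Probe::Stack with 1K mirror pages, per-"cache line" dirty bits, a last-page cache in front of the HashMap, and a flush-back, replaying the entry's usage snippet against a constructed buffer that stands in for the machine stack. The 64-byte chunk size, the `ProbeDemo` namespace, `fakeMachineStack`, `DemoResult` and `runDemo` are assumptions; only the class and method names follow the entry's file list.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <unordered_map>

// Added, simplified model of the Probe::Stack write-back cache described above; it is not
// JSC's code. Pages are 1K as stated; the 64-byte "cache line" size and all demo names are assumed.
namespace ProbeDemo {
constexpr size_t pageSize = 1024;
constexpr size_t chunkSize = 64;                       // assumed dirty-bit granularity
constexpr size_t chunksPerPage = pageSize / chunkSize; // 16 dirty bits per page
class Page {
public:
    // Steps (c)/(d): malloc a mirror page and memcpy the machine page into it.
    explicit Page(uintptr_t base) : m_base(base), m_mirror(new uint8_t[pageSize]), m_dirty(0)
    { std::memcpy(m_mirror.get(), reinterpret_cast<const void*>(base), pageSize); }
    // Step (a): decode an address to the base of the 1K page containing it.
    static uintptr_t baseAddressFor(uintptr_t address) { return address & ~uintptr_t(pageSize - 1); }
    // Step (f): reads come from the mirror, so they observe earlier set() calls.
    template<typename T> T get(uintptr_t address) const
    { T value; std::memcpy(&value, physicalAddressFor(address), sizeof(T)); return value; }
    // Step (g): writes land in the mirror and set the dirty bit of every chunk they touch.
    // Assumption: a value never straddles a page boundary.
    template<typename T> void set(uintptr_t address, T value)
    {
        std::memcpy(physicalAddressFor(address), &value, sizeof(T));
        m_dirty |= dirtyBitFor(address) | dirtyBitFor(address + sizeof(T) - 1);
    }
    // Step 4(c): copy only the dirty chunks back to the machine stack; returns how many.
    unsigned flushWrites()
    {
        unsigned flushed = 0;
        for (size_t chunk = 0; chunk < chunksPerPage; ++chunk) {
            if (!(m_dirty & (uint32_t(1) << chunk)))
                continue;
            size_t offset = chunk * chunkSize;
            std::memcpy(reinterpret_cast<void*>(m_base + offset), m_mirror.get() + offset, chunkSize);
            ++flushed;
        }
        m_dirty = 0;
        return flushed;
    }
private:
    uint32_t dirtyBitFor(uintptr_t address) const { return uint32_t(1) << ((address - m_base) / chunkSize); }
    uint8_t* physicalAddressFor(uintptr_t address) const { return m_mirror.get() + (address - m_base); }
    uintptr_t m_base;
    std::unique_ptr<uint8_t[]> m_mirror;
    uint32_t m_dirty;
};
class Stack {
public:
    template<typename T> T get(uintptr_t address) { return pageFor(address).get<T>(address); }
    template<typename T> void set(uintptr_t address, T value) { pageFor(address).set<T>(address, value); }
    size_t pageCount() const { return m_pages.size(); }
    unsigned flushWrites()
    { unsigned n = 0; for (auto& entry : m_pages) n += entry.second->flushWrites(); return n; }
private:
    // Steps (b), (d), (e): the last page used is checked before the HashMap lookup.
    Page& pageFor(uintptr_t address)
    {
        uintptr_t base = Page::baseAddressFor(address);
        if (m_lastPage && m_lastBase == base)
            return *m_lastPage;
        auto it = m_pages.find(base);
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::make_unique<Page>(base)).first;
        m_lastBase = base;
        m_lastPage = it->second.get();
        return *m_lastPage;
    }
    std::unordered_map<uintptr_t, std::unique_ptr<Page>> m_pages;
    uintptr_t m_lastBase = 0;
    Page* m_lastPage = nullptr;
};
} // namespace ProbeDemo

// Constructed stand-in for the machine stack (two 1K-aligned pages) and a replay of the
// entry's usage snippet against it: read at sp, write above and below sp, then flush.
alignas(ProbeDemo::pageSize) static uint8_t fakeMachineStack[2 * ProbeDemo::pageSize];
struct DemoResult { uintptr_t original, readBack, machineBeforeFlush, machineAfterFlush; size_t pagesTouched; unsigned chunksFlushed; };
DemoResult runDemo()
{
    for (size_t i = 0; i < sizeof(fakeMachineStack); ++i) fakeMachineStack[i] = uint8_t(i); // recognisable pattern
    uintptr_t* sp = reinterpret_cast<uintptr_t*>(fakeMachineStack + ProbeDemo::pageSize);   // sp at a page boundary
    auto addr = [](uintptr_t* p) { return reinterpret_cast<uintptr_t>(p); };
    ProbeDemo::Stack stack;
    DemoResult r{};
    r.original = stack.get<uintptr_t>(addr(sp));
    stack.set<uintptr_t>(addr(sp + 10), r.original); // above sp: same page as sp
    stack.set<uintptr_t>(addr(sp - 10), r.original); // below sp: a second page gets mirrored
    r.readBack = stack.get<uintptr_t>(addr(sp - 10)); // visible through the mirror before any flush
    std::memcpy(&r.machineBeforeFlush, sp - 10, sizeof(uintptr_t)); // machine stack still untouched
    r.pagesTouched = stack.pageCount();
    r.chunksFlushed = stack.flushWrites(); // only the two dirtied 64-byte chunks are written back
    std::memcpy(&r.machineAfterFlush, sp - 10, sizeof(uintptr_t));
    return r;
}
```

The point to observe is that the write below sp is visible to a later get() but does not reach the underlying buffer until flushWrites(), and that only the two dirtied chunks (one per touched page) are copied back.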

2017-08-19  Andy Estes  <aestes@apple.com>

        [Payment Request] Add interface stubs
        https://bugs.webkit.org/show_bug.cgi?id=175730

        Reviewed by Youenn Fablet.

        * runtime/CommonIdentifiers.h:

2017-08-18  Per Arne Vollan  <pvollan@apple.com>

        Implement 32-bit MacroAssembler::probe support for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=175449

        Reviewed by Mark Lam.

        This is needed to enable the DFG.

        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        (dllLauncherEntryPoint):
        * shell/CMakeLists.txt:
        * shell/PlatformWin.cmake:

2017-08-18  Mark Lam  <mark.lam@apple.com>

        Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
        https://bugs.webkit.org/show_bug.cgi?id=175725
        <rdar://problem/33965477>

        Rubber-stamped by JF Bastien.

        This is purely a refactoring patch (in preparation for the introduction of a
        Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
        later).  This patch does not change any semantics / behavior.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::ProbeContext::gpr): Deleted.
        (JSC::ProbeContext::spr): Deleted.
        (JSC::ProbeContext::fpr): Deleted.
        (JSC::ProbeContext::gprName): Deleted.
        (JSC::ProbeContext::sprName): Deleted.
        (JSC::ProbeContext::fprName): Deleted.
        (JSC::ProbeContext::pc): Deleted.
        (JSC::ProbeContext::fp): Deleted.
        (JSC::ProbeContext::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeError):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):
        (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.

2017-08-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
        https://bugs.webkit.org/show_bug.cgi?id=175693
        <rdar://problem/33952443>

        Reviewed by Saam Barati.

        64-bit constants in an unreachable context were being decoded as
        32-bit constants. This is pretty benign because unreachable code
        shouldn't occur often. The effect is that 64-bit constants which
        can't be encoded as 32-bit constants would cause the binary to be
        rejected.

        At the same time, 32-bit integer constants should be decoded as signed.

        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

2017-08-17  Robin Morisset  <rmorisset@apple.com>

        Teach DFGFixupPhase.cpp that the current scope is always a cell
        https://bugs.webkit.org/show_bug.cgi?id=175610

        Reviewed by Keith Miller.

        Also teach it that the argument to with can usually be speculated to be an object,
        since toObject() is called on it.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2017-08-17  Matt Baker  <mattbaker@apple.com>

        Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
        https://bugs.webkit.org/show_bug.cgi?id=175644

        Reviewed by Brian Burg.

        * inspector/agents/InspectorScriptProfilerAgent.h:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Only use 16 VFP registers if !CPU(ARM_NEON).
        https://bugs.webkit.org/show_bug.cgi?id=175514

        Reviewed by JF Bastien.

        Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
        says that there are only 16 128-bit NEON registers.  This change is merely to
        correct the code documentation of these registers.  The FPQuadRegisterID are
        currently unused.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::lastFPRegister):
        (JSC::ARMAssembler::fprName):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::lastFPRegister):
        (JSC::ARMv7Assembler::fprName):
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARMv7.cpp:

2017-08-17  Andreas Kling  <akling@apple.com>

        Disable CSS regions at compile time
        https://bugs.webkit.org/show_bug.cgi?id=175630

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>

        [WPE][GTK] Ensure proper casting of data in gvariants
        https://bugs.webkit.org/show_bug.cgi?id=175667

        Reviewed by Michael Catanzaro.

        g_variant_new requires data to have the correct width for their types, using
        casting if necessary. Some data of type `unsigned` were being saved to `guint64`
        types without explicit casting, leading to undefined behavior on some platforms.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::listingForInspectionTarget const):
        (Inspector::RemoteInspector::listingForAutomationTarget const):
        (Inspector::RemoteInspector::sendMessageToRemote):

2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Avoid code bloating for iteration if block does not have "break"
        https://bugs.webkit.org/show_bug.cgi?id=173228

        Reviewed by Keith Miller.

604
605         Currently, we always emit code for breaked path when emitting for-of iteration.
606         But we can know that this breaked path can be used when emitting the bytecode.
607
608         This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
609         the break label may be bound. We emit a breaked path only when it returns
610         true. This reduces bytecode bloating when using for-of iteration.
611
612         * bytecompiler/BytecodeGenerator.cpp:
613         (JSC::Label::setLocation):
614         (JSC::BytecodeGenerator::newLabel):
615         (JSC::BytecodeGenerator::emitLabel):
616         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
617         (JSC::BytecodeGenerator::breakTarget):
618         (JSC::BytecodeGenerator::continueTarget):
619         (JSC::BytecodeGenerator::emitEnumeration):
620         * bytecompiler/BytecodeGenerator.h:
621         * bytecompiler/Label.h:
622         (JSC::Label::bind const):
623         (JSC::Label::hasOneRef const):
624         (JSC::Label::isBound const):
625         (JSC::Label::Label): Deleted.
626         * bytecompiler/LabelScope.h:
627         (JSC::LabelScope::hasOneRef const):
628         (JSC::LabelScope::breakTargetMayBeBound const):
629         * bytecompiler/NodesCodegen.cpp:
630         (JSC::ContinueNode::trivialTarget):
631         (JSC::ContinueNode::emitBytecode):
632         (JSC::BreakNode::trivialTarget):
633         (JSC::BreakNode::emitBytecode):
634
635 2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>
636
637         ARM build fix after r220807 and r220834.
638         https://bugs.webkit.org/show_bug.cgi?id=175617
639
640         Unreviewed typo fix.
641
642         * assembler/MacroAssemblerARM.cpp:
643
644 2017-08-17  Mark Lam  <mark.lam@apple.com>
645
646         Gardening: build fix for ARM_TRADITIONAL after r220807.
647         https://bugs.webkit.org/show_bug.cgi?id=175617
648
649         Not reviewed.
650
651         * assembler/MacroAssemblerARM.cpp:
652
653 2017-08-16  Mark Lam  <mark.lam@apple.com>
654
655         Add back the ability to disable MASM_PROBE from the build.
656         https://bugs.webkit.org/show_bug.cgi?id=175656
657         <rdar://problem/33933720>
658
659         Reviewed by Yusuke Suzuki.
660
661         This is needed for ports that the existing MASM_PROBE implementation doesn't work
662         well with e.g. GTK with ARM_THUMB2.  Note that if the DFG_JIT will be disabled by
663         default if !ENABLE(MASM_PROBE).
664
665         * assembler/AbstractMacroAssembler.h:
666         * assembler/MacroAssembler.cpp:
667         * assembler/MacroAssembler.h:
668         * assembler/MacroAssemblerARM.cpp:
669         * assembler/MacroAssemblerARM64.cpp:
670         * assembler/MacroAssemblerARMv7.cpp:
671         * assembler/MacroAssemblerPrinter.cpp:
672         * assembler/MacroAssemblerPrinter.h:
673         * assembler/MacroAssemblerX86Common.cpp:
674         * assembler/testmasm.cpp:
675         (JSC::run):
676         * b3/B3LowerToAir.cpp:
677         * b3/air/AirPrintSpecial.cpp:
678         * b3/air/AirPrintSpecial.h:
679
680 2017-08-16  Dan Bernstein  <mitz@apple.com>
681
682         [Cocoa] Older-iOS install name symbols are being exported on other platforms
683         https://bugs.webkit.org/show_bug.cgi?id=175654
684
685         Reviewed by Tim Horton.
686
687         * API/JSBase.cpp: Define the symbols only when targeting iOS.
688
689 2017-08-16  Matt Baker  <mattbaker@apple.com>
690
691         Web Inspector: capture async stack trace when workers/main context posts a message
692         https://bugs.webkit.org/show_bug.cgi?id=167084
693         <rdar://problem/30033673>
694
695         Reviewed by Brian Burg.
696
697         * inspector/agents/InspectorDebuggerAgent.h:
698         Add `PostMessage` async call type.
699
700 2017-08-16  Mark Lam  <mark.lam@apple.com>
701
702         Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
703         https://bugs.webkit.org/show_bug.cgi?id=175617
704         <rdar://problem/33912104>
705
706         Reviewed by JF Bastien.
707
708         This patch adds a new feature to MacroAssembler::probe() where the probe function
709         can provide a ProbeFunction callback to fill in stack values after the stack
710         pointer has been adjusted.  The probe function can use this feature as follows:
711
712         1. Set the new sp value in the ProbeContext's CPUState.
713
714         2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
715            which will do the work of filling in the stack values after the probe
716            trampoline has adjusted the machine stack pointer.
717
718         3. Set the ProbeContext's initializeStackArgs to any value that the client wants
719            to pass to the initializeStackFunction callback.
720
721         4. Return from the probe function.
722
723         Upon returning from the probe function, the probe trampoline will adjust
724         the stack pointer based on the sp value in CPUState.  If initializeStackFunction
725         is not set, the probe trampoline will restore registers and return to its caller.
726
727         If initializeStackFunction is set, the trampoline will move the ProbeContext
728         beyond the range of the stack pointer i.e. it will place the new ProbeContext at
729         an address lower than where CPUState.sp() points.  This ensures that the
730         ProbeContext will not be trashed by the initializeStackFunction when it writes to
731         the stack.  Then, the trampoline will call back to the initializeStackFunction
732         ProbeFunction to let it fill in the stack values as desired.  The
733         initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
734         the new location.
735
736         initializeStackFunction may now write to the stack at addresses greater or
737         equal to CPUState.sp(), but not below that.  initializeStackFunction is also
738         not allowed to change CPUState.sp().  If the initializeStackFunction does not
739         abide by these rules, then behavior is undefined, and bad things may happen.
740
741         For future reference, some implementation details that this patch needed to
742         be mindful of:
743
744         1. When the probe trampoline allocates stack space for the ProbeContext, it
745            should include OUT_SIZE as well.  This ensures that it doesn't have to move
746            the ProbeContext on exit if the probe function didn't change the sp.
747
748         2. If the trampoline has to move the ProbeContext, it needs to point the machine
749            sp to new ProbeContext first before copying over the ProbeContext data.  This
750            protects the new ProbeContext from possibly being trashed by interrupts.
751
752         3. When computing the new address of ProbeContext to move to, we need to make
753            sure that it is properly aligned in accordance with stack ABI requirements
754            (just like we did when we allocated the ProbeContext on entry to the
755            probe trampoline).
756
757         4. When copying the ProbeContext to its new location, the trampoline should
758            always copy words from low addresses to high addresses.  This is because if
759            we're moving the ProbeContext, we'll always be moving it to a lower address.
760
761         * assembler/MacroAssembler.h:
762         * assembler/MacroAssemblerARM.cpp:
763         * assembler/MacroAssemblerARM64.cpp:
764         * assembler/MacroAssemblerARMv7.cpp:
765         * assembler/MacroAssemblerX86Common.cpp:
766         * assembler/testmasm.cpp:
767         (JSC::testProbePreservesGPRS):
768         (JSC::testProbeModifiesStackPointer):
769         (JSC::fillStack):
770         (JSC::testProbeModifiesStackWithCallback):
771         (JSC::run):
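
The relocation rules in implementation details 2 to 4 above, as an added example that is not JSC's trampoline code: a constructed stand-in context (FakeProbeContext, assumed field names) is moved below the sp the probe function asked for, at an assumed 16-byte ABI alignment, and the copy direction is compared. Because the new location is always lower, only a low-to-high word copy survives an overlap between the old and new ranges.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for JSC's ProbeContext; the field names are assumed
// for this example and only the relocation logic is modelled.
struct FakeProbeContext {
    uint64_t gpr[4];   // a few saved "registers"
    uint64_t sp;       // the new sp value the probe function wrote into CPUState
    uint64_t tag;      // marker used to detect corruption
};

static constexpr size_t kWords = sizeof(FakeProbeContext) / sizeof(uint64_t);
static constexpr uintptr_t kStackAlignment = 16; // assumed ABI stack alignment

// Item 3: the moved context must sit wholly below the new sp and be aligned
// exactly as it was when the trampoline allocated it on entry.
static FakeProbeContext* relocationTarget(uintptr_t newSp)
{
    uintptr_t target = (newSp - sizeof(FakeProbeContext)) & ~(kStackAlignment - 1);
    return reinterpret_cast<FakeProbeContext*>(target);
}

// Move ctx below the sp it requested. Item 4: the copy must run from low to
// high addresses because the destination is always lower than the source.
// The high-to-low direction is kept here only to show what goes wrong.
static FakeProbeContext* relocate(FakeProbeContext* ctx, uintptr_t& machineSp, bool lowToHigh)
{
    FakeProbeContext* dst = relocationTarget(ctx->sp);
    // Item 2: point the (simulated) machine sp at the new context *before*
    // copying, so an interrupt arriving mid-copy cannot land on top of it.
    machineSp = reinterpret_cast<uintptr_t>(dst);

    uint64_t* d = reinterpret_cast<uint64_t*>(dst);
    const uint64_t* s = reinterpret_cast<const uint64_t*>(ctx);
    if (lowToHigh) {
        for (size_t i = 0; i < kWords; ++i)
            d[i] = s[i];   // every source word is read before its slot can be overwritten
    } else {
        for (size_t i = kWords; i-- > 0;)
            d[i] = s[i];   // overwrites low source words before they are read
    }
    return dst;
}

struct RelocationResult {
    bool fieldsIntact;   // all fields survived the move
    bool belowNewSp;     // context ends at or below the requested sp
    bool aligned;        // context start obeys kStackAlignment
    bool spPointsAtNew;  // machine sp was redirected to the moved context
};

// Constructed scenario: a 1 KiB "machine stack"; the context lives at an
// aligned slot and the probe function asked for an sp 16 bytes *inside* it,
// so the old and new ranges overlap (new start = old start - 32 bytes).
static RelocationResult runRelocation(bool lowToHigh)
{
    alignas(16) uint64_t stack[128] = {};
    FakeProbeContext* ctx = reinterpret_cast<FakeProbeContext*>(&stack[64]);
    const uint64_t expected[4] = { 0x11, 0x22, 0x33, 0x44 };
    for (size_t i = 0; i < 4; ++i)
        ctx->gpr[i] = expected[i];
    const uintptr_t newSp = reinterpret_cast<uintptr_t>(ctx) + 16;
    ctx->sp = newSp;
    ctx->tag = 0xC0FFEE;

    uintptr_t machineSp = reinterpret_cast<uintptr_t>(ctx);
    FakeProbeContext* moved = relocate(ctx, machineSp, lowToHigh);

    RelocationResult r;
    r.fieldsIntact = moved->sp == newSp && moved->tag == 0xC0FFEE;
    for (size_t i = 0; i < 4; ++i)
        r.fieldsIntact = r.fieldsIntact && moved->gpr[i] == expected[i];
    const uintptr_t start = reinterpret_cast<uintptr_t>(moved);
    r.belowNewSp = start + sizeof(FakeProbeContext) <= newSp;
    r.aligned = (start % kStackAlignment) == 0;
    r.spPointsAtNew = machineSp == start;
    return r;
}

int main()
{
    RelocationResult good = runRelocation(true);
    RelocationResult bad = runRelocation(false);
    std::printf("low-to-high copy intact=%d, high-to-low copy intact=%d\n",
                good.fieldsIntact, bad.fieldsIntact);
    return (good.fieldsIntact && !bad.fieldsIntact) ? 0 : 1;
}
```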
772
773 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
774
775         Fix JSCOnly ARM buildbots after r220047 and r220184
776         https://bugs.webkit.org/show_bug.cgi?id=174993
777
778         Reviewed by Carlos Alberto Lopez Perez.
779
780         * CMakeLists.txt: Generate only one backend on Linux to save build time.
781
782 2017-08-16  Andy Estes  <aestes@apple.com>
783
784         [Payment Request] Add an ENABLE flag and an experimental feature preference
785         https://bugs.webkit.org/show_bug.cgi?id=175622
786
787         Reviewed by Tim Horton.
788
789         * Configurations/FeatureDefines.xcconfig:
790
791 2017-08-15  Robin Morisset  <rmorisset@apple.com>
792
793         We are too conservative about the effects of PushWithScope
794         https://bugs.webkit.org/show_bug.cgi?id=175584
795
796         Reviewed by Saam Barati.
797
798         PushWithScope converts its argument to an object (this can throw a type error,
799         but has no other observable effect), and allocates a new scope, that it then
800         makes the new current scope. We were a bit too
801         conservative in saying that it clobbers the world.
802
803         * dfg/DFGAbstractInterpreterInlines.h:
804         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
805         * dfg/DFGClobberize.h:
806         (JSC::DFG::clobberize):
807         * dfg/DFGDoesGC.cpp:
808         (JSC::DFG::doesGC):
809
810 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
811
812         Make DataTransferItemList work with plain text entries
813         https://bugs.webkit.org/show_bug.cgi?id=175596
814
815         Reviewed by Wenson Hsieh.
816
817         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
818
819         * runtime/CommonIdentifiers.h:
820
821 2017-08-15  Robin Morisset  <rmorisset@apple.com>
822
823         Support the 'with' keyword in FTL
824         https://bugs.webkit.org/show_bug.cgi?id=175585
825
826         Reviewed by Saam Barati.
827
828         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
829         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
830         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
831         that takes its parentScope argument first.
832
833         * bytecompiler/BytecodeGenerator.cpp:
834         (JSC::BytecodeGenerator::emitPushWithScope):
835         * debugger/DebuggerCallFrame.cpp:
836         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
837         * dfg/DFGByteCodeParser.cpp:
838         (JSC::DFG::ByteCodeParser::parseBlock):
839         * dfg/DFGFixupPhase.cpp:
840         (JSC::DFG::FixupPhase::fixupNode):
841         * dfg/DFGSpeculativeJIT.cpp:
842         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
843         * ftl/FTLCapabilities.cpp:
844         (JSC::FTL::canCompile):
845         * ftl/FTLLowerDFGToB3.cpp:
846         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
847         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
848         * jit/JITOperations.cpp:
849         * runtime/CommonSlowPaths.cpp:
850         (JSC::SLOW_PATH_DECL):
851         * runtime/Completion.cpp:
852         (JSC::evaluateWithScopeExtension):
853         * runtime/JSWithScope.cpp:
854         (JSC::JSWithScope::create):
855         * runtime/JSWithScope.h:
856
857 2017-08-15  Saam Barati  <sbarati@apple.com>
858
859         Make VM::scratchBufferForSize thread safe
860         https://bugs.webkit.org/show_bug.cgi?id=175604
861
862         Reviewed by Geoffrey Garen and Mark Lam.
863
864         I want to use the VM::scratchBufferForSize in another patch I'm writing.
865         The use case for my other patch is to call it from the compiler thread.
866         When reading the code, I saw that this API was not thread safe. This patch
867         makes it thread safe. It actually turns out we were calling this API from
868         the compiler thread already when we created FTL::State for an FTL OSR entry
869         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
870         is now correct with this patch.
871
872         * runtime/VM.cpp:
873         (JSC::VM::VM):
874         (JSC::VM::~VM):
875         (JSC::VM::gatherConservativeRoots):
876         (JSC::VM::scratchBufferForSize):
877         * runtime/VM.h:
878         (JSC::VM::scratchBufferForSize): Deleted.
879
880 2017-08-15  Keith Miller  <keith_miller@apple.com>
881
882         JSC named bytecode offsets should use references rather than pointers
883         https://bugs.webkit.org/show_bug.cgi?id=175601
884
885         Reviewed by Saam Barati.
886
887         * dfg/DFGByteCodeParser.cpp:
888         (JSC::DFG::ByteCodeParser::parseBlock):
889         * jit/JITOpcodes.cpp:
890         (JSC::JIT::emit_op_overrides_has_instance):
891         (JSC::JIT::emit_op_instanceof):
892         (JSC::JIT::emitSlow_op_instanceof):
893         (JSC::JIT::emitSlow_op_instanceof_custom):
894         * jit/JITOpcodes32_64.cpp:
895         (JSC::JIT::emit_op_overrides_has_instance):
896         (JSC::JIT::emit_op_instanceof):
897         (JSC::JIT::emitSlow_op_instanceof):
898         (JSC::JIT::emitSlow_op_instanceof_custom):
899
900 2017-08-15  Keith Miller  <keith_miller@apple.com>
901
902         Enable named offsets into JSC bytecodes
903         https://bugs.webkit.org/show_bug.cgi?id=175561
904
905         Reviewed by Mark Lam.
906
907         This patch adds the ability to add named offsets into JSC's
908         bytecodes.  In the bytecode json file, instead of listing a
909         length, you can now list a set of names and their types. Each
910         opcode with an offsets property will have a struct named after the
911         opcode in our C++ naming style. For example,
912         op_overrides_has_instance would become OpOverridesHasInstance. The
913         struct has the same memory layout as the instruction list but
914         comes with handy named accessors.
915
916         As a first cut I converted the various instanceof bytecodes to use
917         named offsets.
918
919         As an example op_overrides_has_instance produces the following struct:
920
921         struct OpOverridesHasInstance {
922         public:
923             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
924             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
925             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
926             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
927             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
928             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
929             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
930             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
931
932         private:
933             friend class LLIntOffsetsExtractor;
934             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
935             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
936             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
937             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
938         };
939
940         * CMakeLists.txt:
941         * DerivedSources.make:
942         * JavaScriptCore.xcodeproj/project.pbxproj:
943         * bytecode/BytecodeList.json:
944         * dfg/DFGByteCodeParser.cpp:
945         (JSC::DFG::ByteCodeParser::parseBlock):
946         * generate-bytecode-files:
947         * jit/JITOpcodes.cpp:
948         (JSC::JIT::emit_op_overrides_has_instance):
949         (JSC::JIT::emit_op_instanceof):
950         (JSC::JIT::emitSlow_op_instanceof):
951         (JSC::JIT::emitSlow_op_instanceof_custom):
952         * jit/JITOpcodes32_64.cpp:
953         (JSC::JIT::emit_op_overrides_has_instance):
954         (JSC::JIT::emit_op_instanceof):
955         (JSC::JIT::emitSlow_op_instanceof):
956         (JSC::JIT::emitSlow_op_instanceof_custom):
957         * llint/LLIntOffsetsExtractor.cpp:
958         * llint/LowLevelInterpreter.asm:
959         * llint/LowLevelInterpreter32_64.asm:
960         * llint/LowLevelInterpreter64.asm:
961
962 2017-08-15  Mark Lam  <mark.lam@apple.com>
963
964         Update testmasm to use new CPUState APIs.
965         https://bugs.webkit.org/show_bug.cgi?id=175573
966
967         Reviewed by Keith Miller.
968
969         1. Applied convenience CPUState accessors to minimize casting.
970         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
971            messages.
972         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
973            casting is (mostly) no longer an issue.
974         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
975            to make it clear that we're comparing against the bit values of testWord64(id).
976         5. Added a "Completed N tests" message at the end of running all tests.
977            This makes it easy to tell at a glance that testmasm completed successfully
978            versus when it crashed midway in a test.  The number of tests also serves as
979            a quick checksum to confirm that we ran the number of tests we expected.
980
981         * assembler/testmasm.cpp:
982         (WTF::printInternal):
983         (JSC::testSimple):
984         (JSC::testProbeReadsArgumentRegisters):
985         (JSC::testProbeWritesArgumentRegisters):
986         (JSC::testProbePreservesGPRS):
987         (JSC::testProbeModifiesStackPointer):
988         (JSC::testProbeModifiesProgramCounter):
989         (JSC::run):
990
991 2017-08-14  Keith Miller  <keith_miller@apple.com>
992
993         Add testing tool to lie to the DFG about profiles
994         https://bugs.webkit.org/show_bug.cgi?id=175487
995
996         Reviewed by Saam Barati.
997
998         This patch adds a new bytecode identity_with_profile that lets
999         us lie to the DFG about what profiles it has seen as the input to
1000         another bytecode. Previously, there was no reliable way to force
1001         a given profile when we tiered up.
1002
1003         * bytecode/BytecodeDumper.cpp:
1004         (JSC::BytecodeDumper<Block>::dumpBytecode):
1005         * bytecode/BytecodeIntrinsicRegistry.h:
1006         * bytecode/BytecodeList.json:
1007         * bytecode/BytecodeUseDef.h:
1008         (JSC::computeUsesForBytecodeOffset):
1009         (JSC::computeDefsForBytecodeOffset):
1010         * bytecode/SpeculatedType.cpp:
1011         (JSC::speculationFromString):
1012         * bytecode/SpeculatedType.h:
1013         * bytecompiler/BytecodeGenerator.cpp:
1014         (JSC::BytecodeGenerator::emitIdWithProfile):
1015         * bytecompiler/BytecodeGenerator.h:
1016         * bytecompiler/NodesCodegen.cpp:
1017         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
1018         * dfg/DFGAbstractInterpreterInlines.h:
1019         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1020         * dfg/DFGByteCodeParser.cpp:
1021         (JSC::DFG::ByteCodeParser::parseBlock):
1022         * dfg/DFGCapabilities.cpp:
1023         (JSC::DFG::capabilityLevel):
1024         * dfg/DFGClobberize.h:
1025         (JSC::DFG::clobberize):
1026         * dfg/DFGDoesGC.cpp:
1027         (JSC::DFG::doesGC):
1028         * dfg/DFGFixupPhase.cpp:
1029         (JSC::DFG::FixupPhase::fixupNode):
1030         * dfg/DFGMayExit.cpp:
1031         * dfg/DFGNode.h:
1032         (JSC::DFG::Node::getForcedPrediction):
1033         * dfg/DFGNodeType.h:
1034         * dfg/DFGPredictionPropagationPhase.cpp:
1035         * dfg/DFGSafeToExecute.h:
1036         (JSC::DFG::safeToExecute):
1037         * dfg/DFGSpeculativeJIT32_64.cpp:
1038         (JSC::DFG::SpeculativeJIT::compile):
1039         * dfg/DFGSpeculativeJIT64.cpp:
1040         (JSC::DFG::SpeculativeJIT::compile):
1041         * dfg/DFGValidate.cpp:
1042         * jit/JIT.cpp:
1043         (JSC::JIT::privateCompileMainPass):
1044         * jit/JIT.h:
1045         * jit/JITOpcodes.cpp:
1046         (JSC::JIT::emit_op_identity_with_profile):
1047         * jit/JITOpcodes32_64.cpp:
1048         (JSC::JIT::emit_op_identity_with_profile):
1049         * llint/LowLevelInterpreter.asm:
1050
1051 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
1052
1053         Remove Proximity Events and related code
1054         https://bugs.webkit.org/show_bug.cgi?id=175545
1055
1056         Reviewed by Daniel Bates.
1057
1058         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
1059         and other related code.
1060
1061         * Configurations/FeatureDefines.xcconfig:
1062
1063 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
1064
1065         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
1066         https://bugs.webkit.org/show_bug.cgi?id=175504
1067
1068         Reviewed by Sam Weinig.
1069
1070         * Configurations/FeatureDefines.xcconfig:
1071
1072 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
1073
1074         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
1075         https://bugs.webkit.org/show_bug.cgi?id=175557
1076
1077         Reviewed by Jon Lee.
1078
1079         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
1080
1081         * Configurations/FeatureDefines.xcconfig:
1082
1083 2017-08-14  Robin Morisset  <rmorisset@apple.com>
1084
1085         Support the 'with' keyword in DFG
1086         https://bugs.webkit.org/show_bug.cgi?id=175470
1087
1088         Reviewed by Saam Barati.
1089
1090         Not particularly optimized at the moment, the goal is just to avoid
1091         the DFG bailing out of any function with this keyword.
1092
1093         * dfg/DFGAbstractInterpreterInlines.h:
1094         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1095         * dfg/DFGByteCodeParser.cpp:
1096         (JSC::DFG::ByteCodeParser::parseBlock):
1097         * dfg/DFGCapabilities.cpp:
1098         (JSC::DFG::capabilityLevel):
1099         * dfg/DFGClobberize.h:
1100         (JSC::DFG::clobberize):
1101         * dfg/DFGDoesGC.cpp:
1102         (JSC::DFG::doesGC):
1103         * dfg/DFGFixupPhase.cpp:
1104         (JSC::DFG::FixupPhase::fixupNode):
1105         * dfg/DFGNodeType.h:
1106         * dfg/DFGPredictionPropagationPhase.cpp:
1107         * dfg/DFGSafeToExecute.h:
1108         (JSC::DFG::safeToExecute):
1109         * dfg/DFGSpeculativeJIT.cpp:
1110         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
1111         * dfg/DFGSpeculativeJIT.h:
1112         (JSC::DFG::SpeculativeJIT::callOperation):
1113         * dfg/DFGSpeculativeJIT32_64.cpp:
1114         (JSC::DFG::SpeculativeJIT::compile):
1115         * dfg/DFGSpeculativeJIT64.cpp:
1116         (JSC::DFG::SpeculativeJIT::compile):
1117         * jit/JITOperations.cpp:
1118         * jit/JITOperations.h:
1119
1120 2017-08-14  Mark Lam  <mark.lam@apple.com>
1121
1122         Add some convenience utility accessor methods to MacroAssembler::CPUState.
1123         https://bugs.webkit.org/show_bug.cgi?id=175549
1124         <rdar://problem/33884868>
1125
1126         Reviewed by Saam Barati.
1127
1128         Previously, in order to read ProbeContext CPUState registers, we used to need to
1129         do it this way:
1130
1131             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
1132             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
1133             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
1134             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
1135
1136         With this patch, we can now read them this way instead:
1137         
1138             ExecState* exec = cpu.fp<ExecState*>();
1139             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
1140             void* p = cpu.gpr<void*>(GPRInfo::regT1);
1141             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
1142
1143         * assembler/MacroAssembler.h:
1144         (JSC:: const):
1145         (JSC::MacroAssembler::CPUState::fpr const):
1146         (JSC::MacroAssembler::CPUState::pc const):
1147         (JSC::MacroAssembler::CPUState::fp const):
1148         (JSC::MacroAssembler::CPUState::sp const):
1149         (JSC::ProbeContext::pc):
1150         (JSC::ProbeContext::fp):
1151         (JSC::ProbeContext::sp):
1152
1153 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1154
1155         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
1156         https://bugs.webkit.org/show_bug.cgi?id=174921
1157
1158         Reviewed by Mark Lam.
1159         
1160         Uses CagedUniquePtr<> to cage the ScopeOffset array.
1161
1162         * dfg/DFGSpeculativeJIT.cpp:
1163         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1164         * ftl/FTLLowerDFGToB3.cpp:
1165         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1166         * jit/JITPropertyAccess.cpp:
1167         (JSC::JIT::emitScopedArgumentsGetByVal):
1168         * runtime/ScopedArgumentsTable.cpp:
1169         (JSC::ScopedArgumentsTable::create):
1170         (JSC::ScopedArgumentsTable::setLength):
1171         * runtime/ScopedArgumentsTable.h:
1172
1173 2017-08-14  Mark Lam  <mark.lam@apple.com>
1174
1175         Gardening: fix Windows build.
1176         https://bugs.webkit.org/show_bug.cgi?id=175446
1177
1178         Not reviewed.
1179
1180         * assembler/MacroAssemblerX86Common.cpp:
1181         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
1182         (JSC::ctiMasmProbeTrampoline):
1183
1184 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1185
1186         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
1187         https://bugs.webkit.org/show_bug.cgi?id=175512
1188         <rdar://problem/33863584>
1189
1190         Reviewed by Mark Lam.
1191
1192         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
1193         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
1194
1195 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1196
1197         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
1198         https://bugs.webkit.org/show_bug.cgi?id=175513
1199
1200         Reviewed by Mark Lam.
1201
1202         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
1203
1204 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1205
1206         FTL's compileGetTypedArrayByteOffset needs to do caging
1207         https://bugs.webkit.org/show_bug.cgi?id=175366
1208
1209         Reviewed by Saam Barati.
1210         
1211         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
1212         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
1213
1214         * dfg/DFGSpeculativeJIT.cpp:
1215         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1216         * ftl/FTLLowerDFGToB3.cpp:
1217         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1218         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
1219         * runtime/ArrayBuffer.h:
1220         * runtime/ArrayBufferView.h:
1221         * runtime/JSArrayBufferView.h:
1222
1223 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
1224
1225         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
1226         https://bugs.webkit.org/show_bug.cgi?id=175474
1227         <rdar://problem/33844628>
1228
1229         Reviewed by Wenson Hsieh.
1230
1231         * Configurations/FeatureDefines.xcconfig:
1232         * runtime/CommonIdentifiers.h:
1233
1234 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1235
1236         Caging shouldn't have to use a patchpoint for adding
1237         https://bugs.webkit.org/show_bug.cgi?id=175483
1238
1239         Reviewed by Mark Lam.
1240
1241         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
1242         constants and associative operations dictate that you always want to sink constants. For example,
1243         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
1244         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
1245         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
1246         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
1247         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
1248         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
1249         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
1250         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
1251         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
1252         hacks for just stopping B3's reassociation only in this specific case.
1253         
1254         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
1255         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
1256         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
1257         that if we cage the same pointer in two places, both places will compute the same value.
1258         
1259         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
1260         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
1261         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
1262         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
1263         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
1264         enough scale to warrant new opcodes.)
1265         
1266         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
1267         makes the code a bit less ugly.
1268
1269         * b3/B3LowerToAir.cpp:
1270         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1271         (JSC::B3::Air::LowerToAir::lower):
1272         * b3/B3Opcode.cpp:
1273         (WTF::printInternal):
1274         * b3/B3Opcode.h:
1275         * b3/B3ReduceStrength.cpp:
1276         * b3/B3Validate.cpp:
1277         * b3/B3Value.cpp:
1278         (JSC::B3::Value::effects const):
1279         (JSC::B3::Value::key const):
1280         (JSC::B3::Value::isFree const):
1281         (JSC::B3::Value::typeFor):
1282         * b3/B3Value.h:
1283         * b3/B3ValueKey.cpp:
1284         (JSC::B3::ValueKey::materialize const):
1285         * ftl/FTLLowerDFGToB3.cpp:
1286         (JSC::FTL::DFG::LowerDFGToB3::caged):
1287         * ftl/FTLOutput.cpp:
1288         (JSC::FTL::Output::opaque):
1289         * ftl/FTLOutput.h:
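
The reassociation problem and the Opaque fix, as an added example that is not B3's code: a toy value graph (assumed types Graph and Value) applies the constant-sinking rule Add(Add(a, c), b) -> Add(Add(a, b), c), treats Opaque as an unknown pure idempotent op, and lowers Opaque as Identity at the end. Wrapping the cage constant in Opaque is an assumption about how caged() uses it; the large constant is constructed, not a real gigacage base.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Toy value graph assumed for this example; it models only the behaviour the
// entry describes, not B3's real data structures.
enum class Op { Const, Arg, Add, Opaque };

struct Value {
    Op op;
    int64_t imm = 0;       // Const payload
    std::string name;      // Arg name
    Value* a = nullptr;    // first child (Add lhs, Opaque operand)
    Value* b = nullptr;    // second child (Add rhs)
};

struct Graph {
    std::vector<std::unique_ptr<Value>> pool;
    Value* make(Value v) { pool.push_back(std::make_unique<Value>(std::move(v))); return pool.back().get(); }
    Value* constant(int64_t imm) { return make({ Op::Const, imm, "", nullptr, nullptr }); }
    Value* arg(std::string name) { return make({ Op::Arg, 0, std::move(name), nullptr, nullptr }); }
    Value* add(Value* a, Value* b) { return make({ Op::Add, 0, "", a, b }); }
    Value* opaque(Value* a) { return make({ Op::Opaque, 0, "", a, nullptr }); }
};

// The heuristic the entry describes: Add(Add(a, c), b) becomes Add(Add(a, b), c)
// when c is a constant, sinking the constant toward its use. Opaque(x) is an
// unknown pure idempotent op: Opaque(Opaque(x)) folds to Opaque(x), but nothing
// here knows Opaque(x) == x, so an Opaque-wrapped constant is never sunk.
static Value* reduceStrength(Graph& g, Value* v)
{
    if (v->a) v->a = reduceStrength(g, v->a);
    if (v->b) v->b = reduceStrength(g, v->b);
    if (v->op == Op::Opaque && v->a->op == Op::Opaque)
        return v->a;
    if (v->op == Op::Add && v->a->op == Op::Add && v->a->b->op == Op::Const && v->b->op != Op::Const)
        return g.add(g.add(v->a->a, v->b), v->a->b);
    return v;
}

// LowerToAir's view: Opaque is Identity, so it simply disappears here.
static Value* lowerOpaque(Value* v)
{
    if (v->a) v->a = lowerOpaque(v->a);
    if (v->b) v->b = lowerOpaque(v->b);
    return v->op == Op::Opaque ? v->a : v;
}

static std::string dump(const Value* v)
{
    switch (v->op) {
    case Op::Const: return std::to_string(v->imm);
    case Op::Arg: return v->name;
    case Op::Add: return "Add(" + dump(v->a) + ", " + dump(v->b) + ")";
    case Op::Opaque: return "Opaque(" + dump(v->a) + ")";
    }
    return "?";
}

// Caging as Add(ptr, largeConstant), then indexing the caged pointer. With
// useOpaque the constant is hidden from reassociation; with lowered the graph
// is shown as LowerToAir would see it.
static std::string cagedAccess(bool useOpaque, bool lowered)
{
    Graph g;
    Value* cageBase = g.constant(0x4000000000);   // constructed, 2^38
    if (useOpaque) cageBase = g.opaque(cageBase);
    Value* caged = g.add(g.arg("ptr"), cageBase);
    Value* root = g.add(caged, g.arg("index"));
    root = reduceStrength(g, root);
    if (lowered) root = lowerOpaque(root);
    return dump(root);
}

// Idempotence: Opaque(Opaque(x)) reduces to Opaque(x).
static std::string foldDoubleOpaque()
{
    Graph g;
    return dump(reduceStrength(g, g.opaque(g.opaque(g.arg("x")))));
}

int main()
{
    std::printf("plain:   %s\n", cagedAccess(false, false).c_str());   // constant sunk past the cage add
    std::printf("opaque:  %s\n", cagedAccess(true, false).c_str());    // cage add kept intact
    std::printf("lowered: %s\n", cagedAccess(true, true).c_str());     // what Air finally computes
    return 0;
}
```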
1290
1291 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1292
1293         ScopedArguments overflow storage needs to be in the JSValue gigacage
1294         https://bugs.webkit.org/show_bug.cgi?id=174923
1295
1296         Reviewed by Saam Barati.
1297         
1298         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
1299         object into the JSValue gigacage.
1300
1301         * dfg/DFGSpeculativeJIT.cpp:
1302         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1303         * ftl/FTLLowerDFGToB3.cpp:
1304         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1305         * jit/JITPropertyAccess.cpp:
1306         (JSC::JIT::emitScopedArgumentsGetByVal):
1307         * runtime/ScopedArguments.h:
1308         (JSC::ScopedArguments::subspaceFor):
1309         (JSC::ScopedArguments::overflowStorage const):
1310
1311 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1312
1313         JSLexicalEnvironment needs to be in the JSValue gigacage
1314         https://bugs.webkit.org/show_bug.cgi?id=174922
1315
1316         Reviewed by Michael Saboff.
1317         
1318         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
1319         the only random accesses use pointer caging.
1320         
1321         We don't need to do anything to normal lexical environment accesses.
1322
1323         * dfg/DFGSpeculativeJIT.cpp:
1324         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1325         * ftl/FTLLowerDFGToB3.cpp:
1326         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1327         * runtime/JSEnvironmentRecord.h:
1328         (JSC::JSEnvironmentRecord::subspaceFor):
1329         (JSC::JSEnvironmentRecord::variables):
1330
1331 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1332
1333         DirectArguments should be in the JSValue gigacage
1334         https://bugs.webkit.org/show_bug.cgi?id=174920
1335
1336         Reviewed by Michael Saboff.
1337         
1338         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
1339         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
1340         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
1341         required to use fixed offsets, and you can only store JSValues.
1342
1343         * dfg/DFGSpeculativeJIT.cpp:
1344         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1345         * ftl/FTLLowerDFGToB3.cpp:
1346         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1347         * jit/JITPropertyAccess.cpp:
1348         (JSC::JIT::emitDirectArgumentsGetByVal):
1349         * runtime/DirectArguments.h:
1350         (JSC::DirectArguments::subspaceFor):
1351         (JSC::DirectArguments::storage):
1352         * runtime/VM.cpp:
1353         (JSC::VM::VM):
1354         * runtime/VM.h:
1355
1356 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1357
1358         Unreviewed, add a FIXME.
1359
1360         * ftl/FTLLowerDFGToB3.cpp:
1361         (JSC::FTL::DFG::LowerDFGToB3::caged):
1362
1363 2017-08-10  Sam Weinig  <sam@webkit.org>
1364
1365         WTF::Function does not allow for reference / non-default constructible return types
1366         https://bugs.webkit.org/show_bug.cgi?id=175244
1367
1368         Reviewed by Chris Dumez.
1369
1370         * runtime/ArrayBuffer.cpp:
1371         (JSC::ArrayBufferContents::transferTo):
1372         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1373         destroy call needed to be a no-op anyway, since the data is being moved.
1374
1375 2017-08-11  Mark Lam  <mark.lam@apple.com>
1376
1377         Gardening: fix CLoop build.
1378         https://bugs.webkit.org/show_bug.cgi?id=175446
1379         <rdar://problem/33836545>
1380
1381         Not reviewed.
1382
1383         * assembler/MacroAssemblerPrinter.cpp:
1384
1385 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1386
1387         DFG should do caging
1388         https://bugs.webkit.org/show_bug.cgi?id=174918
1389
1390         Reviewed by Saam Barati.
1391         
1392         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
1393         the conditional caging with a watchpoint.
1394         
1395         This might be a 1% SunSpider slow-down, but it's not clear.
1396
1397         * dfg/DFGSpeculativeJIT.cpp:
1398         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1399         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1400         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1401         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1402         (JSC::DFG::SpeculativeJIT::compileSpread):
1403         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1404         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1405         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1406         * dfg/DFGSpeculativeJIT.h:
1407         * dfg/DFGSpeculativeJIT64.cpp:
1408         (JSC::DFG::SpeculativeJIT::compile):
1409
1410 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1411
1412         Unreviewed, build fix for x86 GTK port
1413         https://bugs.webkit.org/show_bug.cgi?id=175446
1414
1415         Use pushfl/popfl instead of pushfd/popfd.
1416
1417         * assembler/MacroAssemblerX86Common.cpp:
1418
1419 2017-08-10  Mark Lam  <mark.lam@apple.com>
1420
1421         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
1422         https://bugs.webkit.org/show_bug.cgi?id=175446
1423         <rdar://problem/33836545>
1424
1425         Reviewed by Saam Barati.
1426
1427         * assembler/AbstractMacroAssembler.h:
1428         * assembler/MacroAssembler.cpp:
1429         (JSC::MacroAssembler::probe):
1430         * assembler/MacroAssembler.h:
1431         * assembler/MacroAssemblerARM.cpp:
1432         (JSC::MacroAssembler::probe):
1433         * assembler/MacroAssemblerARM.h:
1434         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1435         * assembler/MacroAssemblerARM64.cpp:
1436         (JSC::MacroAssembler::probe):
1437         * assembler/MacroAssemblerARMv7.cpp:
1438         (JSC::MacroAssembler::probe):
1439         * assembler/MacroAssemblerARMv7.h:
1440         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
1441         * assembler/MacroAssemblerPrinter.cpp:
1442         * assembler/MacroAssemblerPrinter.h:
1443         * assembler/MacroAssemblerX86Common.cpp:
1444         * assembler/testmasm.cpp:
1445         (JSC::isSpecialGPR):
1446         (JSC::testProbeModifiesProgramCounter):
1447         (JSC::run):
1448         * b3/B3LowerToAir.cpp:
1449         (JSC::B3::Air::LowerToAir::print):
1450         * b3/air/AirPrintSpecial.cpp:
1451         * b3/air/AirPrintSpecial.h:
1452
1453 2017-08-10  Mark Lam  <mark.lam@apple.com>
1454
1455         Apply the UNLIKELY macro to some unlikely things.
1456         https://bugs.webkit.org/show_bug.cgi?id=175440
1457         <rdar://problem/33834767>
1458
1459         Reviewed by Yusuke Suzuki.
1460
1461         * bytecode/CodeBlock.cpp:
1462         (JSC::CodeBlock::~CodeBlock):
1463         (JSC::CodeBlock::jettison):
1464         * dfg/DFGByteCodeParser.cpp:
1465         (JSC::DFG::ByteCodeParser::handleCall):
1466         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1467         (JSC::DFG::ByteCodeParser::handleGetById):
1468         (JSC::DFG::ByteCodeParser::handlePutById):
1469         (JSC::DFG::ByteCodeParser::parseBlock):
1470         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1471         * dfg/DFGJITCompiler.cpp:
1472         (JSC::DFG::JITCompiler::JITCompiler):
1473         (JSC::DFG::JITCompiler::linkOSRExits):
1474         (JSC::DFG::JITCompiler::link):
1475         (JSC::DFG::JITCompiler::disassemble):
1476         * dfg/DFGJITFinalizer.cpp:
1477         (JSC::DFG::JITFinalizer::finalizeCommon):
1478         * dfg/DFGOSRExit.cpp:
1479         (JSC::DFG::OSRExit::compileOSRExit):
1480         * dfg/DFGPlan.cpp:
1481         (JSC::DFG::Plan::Plan):
1482         * ftl/FTLJITFinalizer.cpp:
1483         (JSC::FTL::JITFinalizer::finalizeCommon):
1484         * ftl/FTLLink.cpp:
1485         (JSC::FTL::link):
1486         * ftl/FTLOSRExitCompiler.cpp:
1487         (JSC::FTL::compileStub):
1488         * jit/JIT.cpp:
1489         (JSC::JIT::privateCompileMainPass):
1490         (JSC::JIT::compileWithoutLinking):
1491         (JSC::JIT::link):
1492         * runtime/ScriptExecutable.cpp:
1493         (JSC::ScriptExecutable::installCode):
1494         * runtime/VM.cpp:
1495         (JSC::VM::VM):
1496
1497 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1498
1499         [WTF] ThreadSpecific should not introduce additional indirection
1500         https://bugs.webkit.org/show_bug.cgi?id=175187
1501
1502         Reviewed by Mark Lam.
1503
1504         * runtime/Identifier.cpp:
1505
1506 2017-08-10  Tim Horton  <timothy_horton@apple.com>
1507
1508         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
1509         https://bugs.webkit.org/show_bug.cgi?id=175436
1510         <rdar://problem/33667497>
1511
1512         Reviewed by Simon Fraser.
1513
1514         * interpreter/Interpreter.cpp:
1515         (JSC::Interpreter::Interpreter):
1516
1517 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
1518
1519         Remove ENABLE_GAMEPAD_DEPRECATED
1520         https://bugs.webkit.org/show_bug.cgi?id=175361
1521
1522         Reviewed by Carlos Garcia Campos.
1523
1524         * Configurations/FeatureDefines.xcconfig:
1525
1526 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
1527
1528         [JSC] Create JSSet constructor that accepts its size as parameter
1529         https://bugs.webkit.org/show_bug.cgi?id=173297
1530
1531         Reviewed by Saam Barati.
1532
1533         This patch is adding a new constructor to JSSet that gives its
1534         expected initial size. It is important to avoid re-hashing and multiple
1535         allocations when we know the final size of JSSet, such as in
1536         CodeBlock::setConstantIdentifierSetRegisters.
1537
1538         * bytecode/CodeBlock.cpp:
1539         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1540         * runtime/HashMapImpl.h:
1541         (JSC::HashMapImpl::HashMapImpl):
1542         * runtime/JSSet.h:
1543
1544 2017-08-09  Commit Queue  <commit-queue@webkit.org>
1545
1546         Unreviewed, rolling out r220466, r220477, and r220487.
1547         https://bugs.webkit.org/show_bug.cgi?id=175411
1548
1549         This change broke existing API tests and follow up fixes did
1550         not resolve all the issues. (Requested by ryanhaddad on
1551         #webkit).
1552
1553         Reverted changesets:
1554
1555         https://bugs.webkit.org/show_bug.cgi?id=175244
1556         http://trac.webkit.org/changeset/220466
1557
1558         "WTF::Function does not allow for reference / non-default
1559         constructible return types"
1560         https://bugs.webkit.org/show_bug.cgi?id=175244
1561         http://trac.webkit.org/changeset/220477
1562
1563         https://bugs.webkit.org/show_bug.cgi?id=175244
1564         http://trac.webkit.org/changeset/220487
1565
1566 2017-08-09  Caitlin Potter  <caitp@igalia.com>
1567
1568         Early error on ANY operator before new.target
1569         https://bugs.webkit.org/show_bug.cgi?id=157970
1570
1571         Reviewed by Saam Barati.
1572
1573         Instead of throwing if any unary operator precedes new.target, only
1574         throw if the unary operator updates the reference.
1575
1576         The following become legal in JSC:
1577
1578         ```
1579         !new.target
1580         ~new.target
1581         typeof new.target
1582         delete new.target
1583         void new.target
1584         ```
1585
1586         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode
1587
1588         * parser/Parser.cpp:
1589         (JSC::Parser<LexerType>::parseUnaryExpression):
1590
1591 2017-08-09  Sam Weinig  <sam@webkit.org>
1592
1593         WTF::Function does not allow for reference / non-default constructible return types
1594         https://bugs.webkit.org/show_bug.cgi?id=175244
1595
1596         Reviewed by Chris Dumez.
1597
1598         * runtime/ArrayBuffer.cpp:
1599         (JSC::ArrayBufferContents::transferTo):
1600         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1601         destroy call needed to be a no-op anyway, since the data is being moved.
1602
1603 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
1604
1605         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
1606         https://bugs.webkit.org/show_bug.cgi?id=175392
1607         <rdar://problem/33783207>
1608
1609         Reviewed by Tim Horton and Megan Gardner.
1610
1611         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
1612
1613         * Configurations/FeatureDefines.xcconfig:
1614
1615 2017-08-09  Robin Morisset  <rmorisset@apple.com>
1616
1617         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
1618         https://bugs.webkit.org/show_bug.cgi?id=175358
1619
1620         Reviewed by Mark Lam.
1621
1622         * jit/JITOperations.cpp:
1623         * runtime/JSObjectInlines.h:
1624         (JSC::JSObject::putInlineForJSObject):
1625
1626 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
1627
1628         Unreviewed, rolling out r220457.
1629
1630         This change introduced API test failures.
1631
1632         Reverted changeset:
1633
1634         "WTF::Function does not allow for reference / non-default
1635         constructible return types"
1636         https://bugs.webkit.org/show_bug.cgi?id=175244
1637         http://trac.webkit.org/changeset/220457
1638
1639 2017-08-09  Sam Weinig  <sam@webkit.org>
1640
1641         WTF::Function does not allow for reference / non-default constructible return types
1642         https://bugs.webkit.org/show_bug.cgi?id=175244
1643
1644         Reviewed by Chris Dumez.
1645
1646         * runtime/ArrayBuffer.cpp:
1647         (JSC::ArrayBufferContents::transferTo):
1648         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1649         destroy call needed to be a no-op anyway, since the data is being moved.
1650
1651 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
1652
1653         REGRESSION: 2 test262/test/language/statements/async-function failures
1654         https://bugs.webkit.org/show_bug.cgi?id=175334
1655
1656         Reviewed by Yusuke Suzuki.
1657
1658         Switch off useAsyncIterator by default
1659
1660         * runtime/Options.h:
1661
1662 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1663
1664         ICs should do caging
1665         https://bugs.webkit.org/show_bug.cgi?id=175295
1666
1667         Reviewed by Saam Barati.
1668         
1669         Adds the appropriate cage() calls in our inline caches.
1670
1671         * bytecode/AccessCase.cpp:
1672         (JSC::AccessCase::generateImpl):
1673         * bytecode/InlineAccess.cpp:
1674         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1675         (JSC::InlineAccess::generateSelfPropertyAccess):
1676         (JSC::InlineAccess::generateSelfPropertyReplace):
1677         (JSC::InlineAccess::generateArrayLength):
1678
1679 2017-08-08  Devin Rousso  <drousso@apple.com>
1680
1681         Web Inspector: Canvas: support editing WebGL shaders
1682         https://bugs.webkit.org/show_bug.cgi?id=124211
1683         <rdar://problem/15448958>
1684
1685         Reviewed by Matt Baker.
1686
1687         * inspector/protocol/Canvas.json:
1688         Add `updateShader` command that will change the given shader's source to the provided string,
1689         recompile, and relink it to its associated program.
1690         Drive-by: add description to `requestShaderSource` command.
1691
1692 2017-08-08  Robin Morisset  <rmorisset@apple.com>
1693
1694         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
1695         https://bugs.webkit.org/show_bug.cgi?id=175347
1696
1697         Reviewed by Saam Barati.
1698
1699         This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
1700         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
1701         negligible considering how much more finishCreation does.
1702         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
1703         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
1704
1705         * bytecode/CodeBlock.cpp:
1706         (JSC::CodeBlock::finishCreation):
1707         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1708         (JSC::CodeBlock::setConstantRegisters):
1709         * bytecode/CodeBlock.h:
1710         * runtime/ScriptExecutable.cpp:
1711         (JSC::ScriptExecutable::newCodeBlockFor):
1712
1713 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1714
1715         Unreviewed, fix Ubuntu LTS build
1716         https://bugs.webkit.org/show_bug.cgi?id=174490
1717
1718         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1719         * inspector/remote/glib/RemoteInspectorServer.cpp:
1720
1721 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1722
1723         Baseline JIT should do caging
1724         https://bugs.webkit.org/show_bug.cgi?id=175037
1725
1726         Reviewed by Mark Lam.
1727         
1728         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
1729         
1730         Also modifies FTL caging to be more defensive when caging is disabled.
1731         
1732         Relanded with fixed AssemblyHelpers::cageConditionally().
1733
1734         * bytecode/AccessCase.cpp:
1735         (JSC::AccessCase::generateImpl):
1736         * bytecode/InlineAccess.cpp:
1737         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1738         (JSC::InlineAccess::generateSelfPropertyAccess):
1739         (JSC::InlineAccess::generateSelfPropertyReplace):
1740         (JSC::InlineAccess::generateArrayLength):
1741         * ftl/FTLLowerDFGToB3.cpp:
1742         (JSC::FTL::DFG::LowerDFGToB3::caged):
1743         * jit/AssemblyHelpers.h:
1744         (JSC::AssemblyHelpers::cage):
1745         (JSC::AssemblyHelpers::cageConditionally):
1746         * jit/JITPropertyAccess.cpp:
1747         (JSC::JIT::emitDoubleLoad):
1748         (JSC::JIT::emitContiguousLoad):
1749         (JSC::JIT::emitArrayStorageLoad):
1750         (JSC::JIT::emitGenericContiguousPutByVal):
1751         (JSC::JIT::emitArrayStoragePutByVal):
1752         (JSC::JIT::emit_op_get_from_scope):
1753         (JSC::JIT::emit_op_put_to_scope):
1754         (JSC::JIT::emitIntTypedArrayGetByVal):
1755         (JSC::JIT::emitFloatTypedArrayGetByVal):
1756         (JSC::JIT::emitIntTypedArrayPutByVal):
1757         (JSC::JIT::emitFloatTypedArrayPutByVal):
1758         * jsc.cpp:
1759         (jscmain):
1760         (primitiveGigacageDisabled): Deleted.
1761
1762 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
1763
1764         Unreviewed, rolling out r220368.
1765
1766         This change caused WK1 tests to exit early with crashes.
1767
1768         Reverted changeset:
1769
1770         "Baseline JIT should do caging"
1771         https://bugs.webkit.org/show_bug.cgi?id=175037
1772         http://trac.webkit.org/changeset/220368
1773
1774 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1775
1776         [CMake] Properly test if compiler supports compiler flags
1777         https://bugs.webkit.org/show_bug.cgi?id=174490
1778
1779         Reviewed by Konstantin Tokarev.
1780
1781         * API/tests/PingPongStackOverflowTest.cpp:
1782         (testPingPongStackOverflow):
1783         * API/tests/testapi.c:
1784         * b3/testb3.cpp:
1785         (JSC::B3::testPatchpointLotsOfLateAnys):
1786
1787 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1788
1789         [Linux] Clear WasmMemory with madvise instead of memset
1790         https://bugs.webkit.org/show_bug.cgi?id=175150
1791
1792         Reviewed by Filip Pizlo.
1793
1794         On Linux, zeroing pages with memset populates the backing store.
1795         Instead, we should use madvise with MADV_DONTNEED. It discards
1796         pages, and if you access these pages, on-demand zero pages will
1797         be shown.
1798
1799         We also commit grown pages in all OSes.
1800
1801         * wasm/WasmMemory.cpp:
1802         (JSC::Wasm::commitZeroPages):
1803         (JSC::Wasm::Memory::create):
1804         (JSC::Wasm::Memory::grow):
1805
1806 2017-08-07  Robin Morisset  <rmorisset@apple.com>
1807
1808         GetOwnProperty of TypedArray indexed fields is wrongly configurable
1809         https://bugs.webkit.org/show_bug.cgi?id=175307
1810
1811         Reviewed by Saam Barati.
1812
1813         ```
1814         let a = new Uint8Array(10);
1815         let b = Object.getOwnPropertyDescriptor(a, 0);
1816         assert(b.configurable === false);
1817         ```
1818         should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p)
1819         that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
1820         that says that typed arrays are integer indexed exotic objects.
1821
1822         * runtime/JSGenericTypedArrayViewInlines.h:
1823         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1824
1825 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
1826
1827         Baseline JIT should do caging
1828         https://bugs.webkit.org/show_bug.cgi?id=175037
1829
1830         Reviewed by Mark Lam.
1831         
1832         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
1833         
1834         Also modifies FTL caging to be more defensive when caging is disabled.
1835
1836         * ftl/FTLLowerDFGToB3.cpp:
1837         (JSC::FTL::DFG::LowerDFGToB3::caged):
1838         * jit/AssemblyHelpers.h:
1839         (JSC::AssemblyHelpers::cage):
1840         (JSC::AssemblyHelpers::cageConditionally):
1841         * jit/JITPropertyAccess.cpp:
1842         (JSC::JIT::emitDoubleLoad):
1843         (JSC::JIT::emitContiguousLoad):
1844         (JSC::JIT::emitArrayStorageLoad):
1845         (JSC::JIT::emitGenericContiguousPutByVal):
1846         (JSC::JIT::emitArrayStoragePutByVal):
1847         (JSC::JIT::emit_op_get_from_scope):
1848         (JSC::JIT::emit_op_put_to_scope):
1849         (JSC::JIT::emitIntTypedArrayGetByVal):
1850         (JSC::JIT::emitFloatTypedArrayGetByVal):
1851         (JSC::JIT::emitIntTypedArrayPutByVal):
1852         (JSC::JIT::emitFloatTypedArrayPutByVal):
1853         * jsc.cpp:
1854         (jscmain):
1855         (primitiveGigacageDisabled): Deleted.
1856
1857 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
1858
1859         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
1860         https://bugs.webkit.org/show_bug.cgi?id=174919
1861
1862         Reviewed by Keith Miller.
1863         
1864         This adapts JSC to there being two gigacages.
1865         
1866         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
1867         singletons. I don't think we were gaining anything by making them be singletons.
1868         
1869         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
1870         gigacages. We'll have one of those allocators per cage.
1871         
1872         From there, this change teaches everyone who previously knew about cages that there are two cages.
1873         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
1874         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
1875         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
1876         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
1877         
1878         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
1879         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
1880
1881         * JavaScriptCore.xcodeproj/project.pbxproj:
1882         * bytecode/AccessCase.cpp:
1883         (JSC::AccessCase::generateImpl):
1884         * dfg/DFGSpeculativeJIT.cpp:
1885         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1886         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1887         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1888         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1889         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1890         * ftl/FTLLowerDFGToB3.cpp:
1891         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1892         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1893         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1894         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1895         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1896         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1897         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1898         (JSC::FTL::DFG::LowerDFGToB3::caged):
1899         * heap/FastMallocAlignedMemoryAllocator.cpp:
1900         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
1901         * heap/FastMallocAlignedMemoryAllocator.h:
1902         * heap/GigacageAlignedMemoryAllocator.cpp:
1903         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1904         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1905         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1906         (JSC::GigacageAlignedMemoryAllocator::dump const):
1907         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
1908         * heap/GigacageAlignedMemoryAllocator.h:
1909         * jsc.cpp:
1910         (primitiveGigacageDisabled):
1911         (jscmain):
1912         (gigacageDisabled): Deleted.
1913         * llint/LowLevelInterpreter64.asm:
1914         * runtime/ArrayBuffer.cpp:
1915         (JSC::ArrayBufferContents::tryAllocate):
1916         (JSC::ArrayBuffer::createAdopted):
1917         (JSC::ArrayBuffer::createFromBytes):
1918         * runtime/AuxiliaryBarrier.h:
1919         * runtime/ButterflyInlines.h:
1920         (JSC::Butterfly::createUninitialized):
1921         (JSC::Butterfly::tryCreate):
1922         (JSC::Butterfly::growArrayRight):
1923         * runtime/CagedBarrierPtr.h: Added.
1924         (JSC::CagedBarrierPtr::CagedBarrierPtr):
1925         (JSC::CagedBarrierPtr::clear):
1926         (JSC::CagedBarrierPtr::set):
1927         (JSC::CagedBarrierPtr::get const):
1928         (JSC::CagedBarrierPtr::getMayBeNull const):
1929         (JSC::CagedBarrierPtr::operator== const):
1930         (JSC::CagedBarrierPtr::operator!= const):
1931         (JSC::CagedBarrierPtr::operator bool const):
1932         (JSC::CagedBarrierPtr::setWithoutBarrier):
1933         (JSC::CagedBarrierPtr::operator* const):
1934         (JSC::CagedBarrierPtr::operator-> const):
1935         (JSC::CagedBarrierPtr::operator[] const):
1936         * runtime/DirectArguments.cpp:
1937         (JSC::DirectArguments::overrideThings):
1938         (JSC::DirectArguments::unmapArgument):
1939         * runtime/DirectArguments.h:
1940         (JSC::DirectArguments::isMappedArgument const):
1941         * runtime/GenericArguments.h:
1942         * runtime/GenericArgumentsInlines.h:
1943         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1944         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1945         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1946         * runtime/HashMapImpl.cpp:
1947         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1948         * runtime/HashMapImpl.h:
1949         (JSC::HashMapBuffer::create):
1950         (JSC::HashMapImpl::buffer const):
1951         (JSC::HashMapImpl::rehash):
1952         * runtime/JSArray.cpp:
1953         (JSC::JSArray::tryCreateUninitializedRestricted):
1954         (JSC::JSArray::unshiftCountSlowCase):
1955         (JSC::JSArray::setLength):
1956         (JSC::JSArray::pop):
1957         (JSC::JSArray::push):
1958         (JSC::JSArray::fastSlice):
1959         (JSC::JSArray::shiftCountWithArrayStorage):
1960         (JSC::JSArray::shiftCountWithAnyIndexingType):
1961         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1962         (JSC::JSArray::fillArgList):
1963         (JSC::JSArray::copyToArguments):
1964         * runtime/JSArray.h:
1965         (JSC::JSArray::tryCreate):
1966         * runtime/JSArrayBufferView.cpp:
1967         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1968         (JSC::JSArrayBufferView::finalize):
1969         * runtime/JSLock.cpp:
1970         (JSC::JSLock::didAcquireLock):
1971         * runtime/JSObject.cpp:
1972         (JSC::JSObject::heapSnapshot):
1973         (JSC::JSObject::getOwnPropertySlotByIndex):
1974         (JSC::JSObject::putByIndex):
1975         (JSC::JSObject::enterDictionaryIndexingMode):
1976         (JSC::JSObject::createInitialIndexedStorage):
1977         (JSC::JSObject::createArrayStorage):
1978         (JSC::JSObject::convertUndecidedToInt32):
1979         (JSC::JSObject::convertUndecidedToDouble):
1980         (JSC::JSObject::convertUndecidedToContiguous):
1981         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1982         (JSC::JSObject::convertUndecidedToArrayStorage):
1983         (JSC::JSObject::convertInt32ToDouble):
1984         (JSC::JSObject::convertInt32ToContiguous):
1985         (JSC::JSObject::convertInt32ToArrayStorage):
1986         (JSC::JSObject::convertDoubleToContiguous):
1987         (JSC::JSObject::convertDoubleToArrayStorage):
1988         (JSC::JSObject::convertContiguousToArrayStorage):
1989         (JSC::JSObject::setIndexQuicklyToUndecided):
1990         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1991         (JSC::JSObject::deletePropertyByIndex):
1992         (JSC::JSObject::getOwnPropertyNames):
1993         (JSC::JSObject::putIndexedDescriptor):
1994         (JSC::JSObject::defineOwnIndexedProperty):
1995         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1996         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1997         (JSC::JSObject::getNewVectorLength):
1998         (JSC::JSObject::ensureLengthSlow):
1999         (JSC::JSObject::reallocateAndShrinkButterfly):
2000         (JSC::JSObject::allocateMoreOutOfLineStorage):
2001         (JSC::JSObject::getEnumerableLength):
2002         * runtime/JSObject.h:
2003         (JSC::JSObject::getArrayLength const):
2004         (JSC::JSObject::getVectorLength):
2005         (JSC::JSObject::putDirectIndex):
2006         (JSC::JSObject::canGetIndexQuickly):
2007         (JSC::JSObject::getIndexQuickly):
2008         (JSC::JSObject::tryGetIndexQuickly const):
2009         (JSC::JSObject::canSetIndexQuickly):
2010         (JSC::JSObject::setIndexQuickly):
2011         (JSC::JSObject::initializeIndex):
2012         (JSC::JSObject::initializeIndexWithoutBarrier):
2013         (JSC::JSObject::hasSparseMap):
2014         (JSC::JSObject::inSparseIndexingMode):
2015         (JSC::JSObject::butterfly const):
2016         (JSC::JSObject::butterfly):
2017         (JSC::JSObject::outOfLineStorage const):
2018         (JSC::JSObject::outOfLineStorage):
2019         (JSC::JSObject::ensureInt32):
2020         (JSC::JSObject::ensureDouble):
2021         (JSC::JSObject::ensureContiguous):
2022         (JSC::JSObject::ensureArrayStorage):
2023         (JSC::JSObject::arrayStorage):
2024         (JSC::JSObject::arrayStorageOrNull):
2025         (JSC::JSObject::ensureLength):
2026         * runtime/RegExpMatchesArray.h:
2027         (JSC::tryCreateUninitializedRegExpMatchesArray):
2028         * runtime/VM.cpp:
2029         (JSC::VM::VM):
2030         (JSC::VM::~VM):
2031         (JSC::VM::primitiveGigacageDisabledCallback):
2032         (JSC::VM::primitiveGigacageDisabled):
2033         (JSC::VM::gigacageDisabledCallback): Deleted.
2034         (JSC::VM::gigacageDisabled): Deleted.
2035         * runtime/VM.h:
2036         (JSC::VM::gigacageAuxiliarySpace):
2037         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
2038         (JSC::VM::primitiveGigacageEnabled):
2039         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
2040         (JSC::VM::gigacageEnabled): Deleted.
2041         * wasm/WasmMemory.cpp:
2042         (JSC::Wasm::Memory::create):
2043         (JSC::Wasm::Memory::~Memory):
2044         (JSC::Wasm::Memory::grow):
2045
2046 2017-08-07  Commit Queue  <commit-queue@webkit.org>
2047
2048         Unreviewed, rolling out r220144.
2049         https://bugs.webkit.org/show_bug.cgi?id=175276
2050
2051         "It did not actually speed things up in the way I expected"
2052         (Requested by saamyjoon on #webkit).
2053
2054         Reverted changeset:
2055
2056         "On memory-constrained iOS devices, reduce the rate at which
2057         the JS heap grows before a GC to try to keep more memory
2058         available for the system"
2059         https://bugs.webkit.org/show_bug.cgi?id=175041
2060         http://trac.webkit.org/changeset/220144
2061
2062 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
2063
2064         Unreviewed, rolling out r220299.
2065
2066         This change caused LayoutTest inspector/dom-debugger/dom-
2067         breakpoints.html to fail.
2068
2069         Reverted changeset:
2070
2071         "Web Inspector: capture async stack trace when workers/main
2072         context posts a message"
2073         https://bugs.webkit.org/show_bug.cgi?id=167084
2074         http://trac.webkit.org/changeset/220299
2075
2076 2017-08-07  Brian Burg  <bburg@apple.com>
2077
2078         Remove CANVAS_PATH compilation guard
2079         https://bugs.webkit.org/show_bug.cgi?id=175207
2080
2081         Reviewed by Sam Weinig.
2082
2083         * Configurations/FeatureDefines.xcconfig:
2084
2085 2017-08-07  Keith Miller  <keith_miller@apple.com>
2086
2087         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
2088         https://bugs.webkit.org/show_bug.cgi?id=175256
2089
2090         Reviewed by Saam Barati.
2091
2092         The check in createFromBytes just needed to check that the buffer was not null before
2093         calling isCaged.
2094
2095         * runtime/ArrayBuffer.cpp:
2096         (JSC::ArrayBuffer::createFromBytes):
2097
2098 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
2099
2100         [GTK][WPE] Add API to provide browser information required by automation
2101         https://bugs.webkit.org/show_bug.cgi?id=175130
2102
2103         Reviewed by Brian Burg.
2104
2105         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
2106         get them.
2107
2108         * inspector/remote/RemoteInspector.cpp:
2109         (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
2110         * inspector/remote/RemoteInspector.h:
2111         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2112         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
2113         requested to ensure they are updated before StartAutomationSession reply is sent.
2114         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of
2115         StartAutomationSession message.
2116
2117 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2118
2119         Promise resolve and reject function should have length = 1
2120         https://bugs.webkit.org/show_bug.cgi?id=175242
2121
2122         Reviewed by Saam Barati.
2123
2124         Previously we had a separate system for "length" and "name" for builtin functions.
2125         The builtin functions do not use the lazy reifying system. Instead, they have direct
2126         properties when instantiated. While the function created for properties (like
2127         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
2128         these builtin functions are just created by JSFunction::create(). Since it does
2129         not set any values for "length", these functions do not have a "length" property.
2130         So, the resolve and reject functions passed to Promise's executor do not have a
2131         "length" property.
2132
2133         This patch makes builtin functions use the standard lazy reifying system for "length".
2134         So, the "length" property of a builtin function just works as it does for normal
2135         functions.
2136
2137         * runtime/JSFunction.cpp:
2138         (JSC::JSFunction::createBuiltinFunction):
2139         (JSC::JSFunction::getOwnPropertySlot):
2140         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2141         (JSC::JSFunction::put):
2142         (JSC::JSFunction::deleteProperty):
2143         (JSC::JSFunction::defineOwnProperty):
2144         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2145         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2146         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2147         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2148         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
2149         * runtime/JSFunction.h:
2150
2151 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
2152
2153         [ESNext] Async iteration - Implement Async Generator - parser
2154         https://bugs.webkit.org/show_bug.cgi?id=175210
2155
2156         Reviewed by Yusuke Suzuki.
2157
2158         The current implementation is a draft version of Async Iteration.
2159         Link to spec: https://tc39.github.io/proposal-async-iteration/
2160
2161         The current patch implements only the parser part of the Async generator.
2162         The runtime part will be in the next patches.
2163
2164         * parser/ASTBuilder.h:
2165         (JSC::ASTBuilder::createFunctionMetadata):
2166         * parser/Parser.cpp:
2167         (JSC::getAsynFunctionBodyParseMode):
2168         (JSC::Parser<LexerType>::parseInner):
2169         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2170         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2171         (JSC::stringArticleForFunctionMode):
2172         (JSC::stringForFunctionMode):
2173         (JSC::Parser<LexerType>::parseFunctionInfo):
2174         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2175         (JSC::Parser<LexerType>::parseClass):
2176         (JSC::Parser<LexerType>::parseProperty):
2177         (JSC::Parser<LexerType>::parsePropertyMethod):
2178         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2179         * parser/Parser.h:
2180         (JSC::Scope::setSourceParseMode):
2181         * parser/ParserModes.h:
2182         (JSC::isFunctionParseMode):
2183         (JSC::isAsyncFunctionParseMode):
2184         (JSC::isAsyncArrowFunctionParseMode):
2185         (JSC::isAsyncGeneratorFunctionParseMode):
2186         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
2187         (JSC::isAsyncFunctionWrapperParseMode):
2188         (JSC::isAsyncFunctionBodyParseMode):
2189         (JSC::isGeneratorMethodParseMode):
2190         (JSC::isAsyncMethodParseMode):
2191         (JSC::isAsyncGeneratorMethodParseMode):
2192         (JSC::isMethodParseMode):
2193         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
2194         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
2195
2196 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
2197
2198         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
2199         https://bugs.webkit.org/show_bug.cgi?id=175083
2200
2201         Reviewed by Oliver Hunt.
2202         
2203         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
2204         even if we are using the pop path.
2205         
2206         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
2207         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
2208         the world just because we changed it.
2209         
2210         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
2211         easier to debug leaks.
2212
2213         * bytecode/AccessCase.cpp:
2214         * bytecode/PolymorphicAccess.cpp:
2215         * heap/HeapCell.cpp:
2216         (JSC::HeapCell::isLive):
2217         * heap/HeapCellInlines.h:
2218         (JSC::HeapCell::isLive): Deleted.
2219         * heap/MarkedAllocator.cpp:
2220         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2221         (JSC::MarkedAllocator::endMarking):
2222         * heap/MarkedBlockInlines.h:
2223         (JSC::MarkedBlock::Handle::specializedSweep):
2224         * jit/AssemblyHelpers.cpp:
2225         * jit/Repatch.cpp:
2226         * runtime/TestRunnerUtils.h:
2227         * runtime/VM.cpp:
2228         (JSC::waitForVMDestruction):
2229         (JSC::VM::~VM):
2230
2231 2017-08-05  Mark Lam  <mark.lam@apple.com>
2232
2233         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
2234         https://bugs.webkit.org/show_bug.cgi?id=175228
2235         <rdar://problem/33735737>
2236
2237         Reviewed by Saam Barati.
2238
2239         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
2240         delete OSRExit32_64.cpp.
2241
2242         * CMakeLists.txt:
2243         * JavaScriptCore.xcodeproj/project.pbxproj:
2244         * dfg/DFGOSRExit.cpp:
2245         (JSC::DFG::OSRExit::compileExit):
2246         * dfg/DFGOSRExit32_64.cpp: Removed.
2247         * jit/GPRInfo.h:
2248         (JSC::JSValueSource::payloadGPR const):
2249
2250 2017-08-04  Youenn Fablet  <youenn@apple.com>
2251
2252         [Cache API] Add Cache and CacheStorage IDL definitions
2253         https://bugs.webkit.org/show_bug.cgi?id=175201
2254
2255         Reviewed by Brady Eidson.
2256
2257         * runtime/CommonIdentifiers.h:
2258
2259 2017-08-04  Mark Lam  <mark.lam@apple.com>
2260
2261         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
2262         https://bugs.webkit.org/show_bug.cgi?id=175230
2263         <rdar://problem/33735857>
2264
2265         Reviewed by Saam Barati.
2266
2267         * assembler/testmasm.cpp:
2268         (JSC::testProbeReadsArgumentRegisters):
2269         (JSC::testProbeWritesArgumentRegisters):
2270
2271 2017-08-04  Mark Lam  <mark.lam@apple.com>
2272
2273         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
2274         https://bugs.webkit.org/show_bug.cgi?id=175214
2275         <rdar://problem/33733308>
2276
2277         Rubber-stamped by Michael Saboff.
2278
2279         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
2280         DFGOSRExitCompiler files.
2281
2282         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
2283
2284         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
2285         used by compileOSRExit(), and will be changed to not be a DFG operation function
2286         when we use JIT probes for DFG OSR exits later in
2287         https://bugs.webkit.org/show_bug.cgi?id=175144.
2288
2289         * CMakeLists.txt:
2290         * JavaScriptCore.xcodeproj/project.pbxproj:
2291         * dfg/DFGJITCompiler.cpp:
2292         * dfg/DFGOSRExit.cpp:
2293         (JSC::DFG::OSRExit::emitRestoreArguments):
2294         (JSC::DFG::OSRExit::compileOSRExit):
2295         (JSC::DFG::OSRExit::compileExit):
2296         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2297         * dfg/DFGOSRExit.h:
2298         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
2299         * dfg/DFGOSRExitCompiler.cpp: Removed.
2300         * dfg/DFGOSRExitCompiler.h: Removed.
2301         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
2302         * dfg/DFGOSRExitCompiler64.cpp: Removed.
2303         * dfg/DFGOperations.cpp:
2304         * dfg/DFGOperations.h:
2305         * dfg/DFGThunks.cpp:
2306
2307 2017-08-04  Matt Baker  <mattbaker@apple.com>
2308
2309         Web Inspector: capture async stack trace when workers/main context posts a message
2310         https://bugs.webkit.org/show_bug.cgi?id=167084
2311         <rdar://problem/30033673>
2312
2313         Reviewed by Brian Burg.
2314
2315         * inspector/agents/InspectorDebuggerAgent.h:
2316         Add `PostMessage` async call type.
2317
2318 2017-08-04  Mark Lam  <mark.lam@apple.com>
2319
2320         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
2321         https://bugs.webkit.org/show_bug.cgi?id=175208
2322         <rdar://problem/33732402>
2323
2324         Reviewed by Saam Barati.
2325
2326         This will minimize the code diff and make it easier to review the patch for
2327         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
2328         steps:
2329
2330         1. Do the code changes to move methods into OSRExit.
2331         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
2332         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
2333
2334         Splitting this refactoring into these 3 steps also makes it easier to review this
2335         patch and understand what is being changed.
2336
2337         * dfg/DFGOSRExit.h:
2338         * dfg/DFGOSRExitCompiler.cpp:
2339         (JSC::DFG::OSRExit::emitRestoreArguments):
2340         (JSC::DFG::OSRExit::compileOSRExit):
2341         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
2342         (): Deleted.
2343         * dfg/DFGOSRExitCompiler.h:
2344         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
2345         (): Deleted.
2346         * dfg/DFGOSRExitCompiler32_64.cpp:
2347         (JSC::DFG::OSRExit::compileExit):
2348         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2349         * dfg/DFGOSRExitCompiler64.cpp:
2350         (JSC::DFG::OSRExit::compileExit):
2351         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2352         * dfg/DFGThunks.cpp:
2353         (JSC::DFG::osrExitGenerationThunkGenerator):
2354
2355 2017-08-04  Devin Rousso  <drousso@apple.com>
2356
2357         Web Inspector: add source view for WebGL shader programs
2358         https://bugs.webkit.org/show_bug.cgi?id=138593
2359         <rdar://problem/18936194>
2360
2361         Reviewed by Matt Baker.
2362
2363         * inspector/protocol/Canvas.json:
2364          - Add `ShaderType` enum that contains "vertex" and "fragment".
2365          - Add `requestShaderSource` command that will return the original source code for a given
2366            shader program and shader type.
2367
2368 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
2369
2370         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
2371         https://bugs.webkit.org/show_bug.cgi?id=175141
2372
2373         Reviewed by Mark Lam.
2374         
2375         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
2376         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
2377         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
2378         determined by the AlignedMemoryAllocator object.
2379         
2380         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
2381         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
2382         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
2383         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
2384         they use the same AlignedMemoryAllocator.
2385
2386         * CMakeLists.txt:
2387         * JavaScriptCore.xcodeproj/project.pbxproj:
2388         * heap/AlignedMemoryAllocator.cpp: Added.
2389         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
2390         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
2391         * heap/AlignedMemoryAllocator.h: Added.
2392         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
2393         (JSC::FastMallocAlignedMemoryAllocator::singleton):
2394         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
2395         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
2396         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
2397         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
2398         (JSC::FastMallocAlignedMemoryAllocator::dump const):
2399         * heap/FastMallocAlignedMemoryAllocator.h: Added.
2400         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
2401         (JSC::GigacageAlignedMemoryAllocator::singleton):
2402         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
2403         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
2404         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
2405         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
2406         (JSC::GigacageAlignedMemoryAllocator::dump const):
2407         * heap/GigacageAlignedMemoryAllocator.h: Added.
2408         * heap/GigacageSubspace.cpp: Removed.
2409         * heap/GigacageSubspace.h: Removed.
2410         * heap/LargeAllocation.cpp:
2411         (JSC::LargeAllocation::tryCreate):
2412         (JSC::LargeAllocation::destroy):
2413         * heap/MarkedAllocator.cpp:
2414         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2415         * heap/MarkedBlock.cpp:
2416         (JSC::MarkedBlock::tryCreate):
2417         (JSC::MarkedBlock::Handle::Handle):
2418         (JSC::MarkedBlock::Handle::~Handle):
2419         (JSC::MarkedBlock::Handle::didAddToAllocator):
2420         (JSC::MarkedBlock::Handle::subspace const):
2421         * heap/MarkedBlock.h:
2422         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
2423         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2424         * heap/Subspace.cpp:
2425         (JSC::Subspace::Subspace):
2426         (JSC::Subspace::findEmptyBlockToSteal):
2427         (JSC::Subspace::canTradeBlocksWith): Deleted.
2428         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
2429         (JSC::Subspace::freeAlignedMemory): Deleted.
2430         * heap/Subspace.h:
2431         (JSC::Subspace::name const):
2432         (JSC::Subspace::alignedMemoryAllocator const):
2433         * runtime/JSDestructibleObjectSubspace.cpp:
2434         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
2435         * runtime/JSDestructibleObjectSubspace.h:
2436         * runtime/JSSegmentedVariableObjectSubspace.cpp:
2437         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
2438         * runtime/JSSegmentedVariableObjectSubspace.h:
2439         * runtime/JSStringSubspace.cpp:
2440         (JSC::JSStringSubspace::JSStringSubspace):
2441         * runtime/JSStringSubspace.h:
2442         * runtime/VM.cpp:
2443         (JSC::VM::VM):
2444         * runtime/VM.h:
2445         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
2446         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
2447         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
2448
2449 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2450
2451         [ESNext] Async iteration - update feature.json
2452         https://bugs.webkit.org/show_bug.cgi?id=175197
2453
2454         Reviewed by Yusuke Suzuki.
2455
2456         Update feature.json to add the status of Async Iteration
2457
2458         * features.json:
2459
2460 2017-08-04  Matt Lewis  <jlewis3@apple.com>
2461
2462         Unreviewed, rolling out r220271.
2463
2464         Rolling out due to Layout Test failing on iOS Simulator.
2465
2466         Reverted changeset:
2467
2468         "Remove STREAMS_API compilation guard"
2469         https://bugs.webkit.org/show_bug.cgi?id=175165
2470         http://trac.webkit.org/changeset/220271
2471
2472 2017-08-04  Youenn Fablet  <youenn@apple.com>
2473
2474         Remove STREAMS_API compilation guard
2475         https://bugs.webkit.org/show_bug.cgi?id=175165
2476
2477         Reviewed by Darin Adler.
2478
2479         * Configurations/FeatureDefines.xcconfig:
2480
2481 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2482
2483         [EsNext] Async iteration - Add feature flag
2484         https://bugs.webkit.org/show_bug.cgi?id=166694
2485
2486         Reviewed by Yusuke Suzuki.
2487
2488         Add a feature flag to JSC to switch Async Iterator on/off
2489
2490         * runtime/Options.h:
2491
2492 2017-08-03  Brian Burg  <bburg@apple.com>
2493
2494         Remove ENABLE(WEB_SOCKET) guards
2495         https://bugs.webkit.org/show_bug.cgi?id=167044
2496
2497         Reviewed by Joseph Pecoraro.
2498
2499         * Configurations/FeatureDefines.xcconfig:
2500
2501 2017-08-03  Youenn Fablet  <youenn@apple.com>
2502
2503         Remove FETCH_API compilation guard
2504         https://bugs.webkit.org/show_bug.cgi?id=175154
2505
2506         Reviewed by Chris Dumez.
2507
2508         * Configurations/FeatureDefines.xcconfig:
2509
2510 2017-08-03  Matt Baker  <mattbaker@apple.com>
2511
2512         Web Inspector: Instrument WebGLProgram created/deleted
2513         https://bugs.webkit.org/show_bug.cgi?id=175059
2514
2515         Reviewed by Devin Rousso.
2516
2517         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
2518
2519         * inspector/protocol/Canvas.json:
2520
2521 2017-08-03  Brady Eidson  <beidson@apple.com>
2522
2523         Add SW IDLs and stub out basic functionality.
2524         https://bugs.webkit.org/show_bug.cgi?id=175115
2525
2526         Reviewed by Chris Dumez.
2527
2528         * Configurations/FeatureDefines.xcconfig:
2529
2530         * runtime/CommonIdentifiers.h:
2531
2532 2017-08-03  Mark Lam  <mark.lam@apple.com>
2533
2534         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
2535         https://bugs.webkit.org/show_bug.cgi?id=175142
2536         <rdar://problem/33704528>
2537
2538         Reviewed by Filip Pizlo.
2539
2540         The convention in the rest of JSC for such methods which return the address of
2541         a field is to name them "addressOf<field name>".  We'll rename
2542         ScratchBuffer::activeLengthPtr to be consistent with this convention.
2543
2544         * dfg/DFGSpeculativeJIT.cpp:
2545         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2546         * dfg/DFGSpeculativeJIT32_64.cpp:
2547         (JSC::DFG::SpeculativeJIT::compile):
2548         * dfg/DFGSpeculativeJIT64.cpp:
2549         (JSC::DFG::SpeculativeJIT::compile):
2550         * dfg/DFGThunks.cpp:
2551         (JSC::DFG::osrExitGenerationThunkGenerator):
2552         * ftl/FTLLowerDFGToB3.cpp:
2553         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2554         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2555         * ftl/FTLThunks.cpp:
2556         (JSC::FTL::genericGenerationThunkGenerator):
2557         * jit/AssemblyHelpers.cpp:
2558         (JSC::AssemblyHelpers::debugCall):
2559         * jit/ScratchRegisterAllocator.cpp:
2560         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2561         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2562         * runtime/VM.h:
2563         (JSC::ScratchBuffer::addressOfActiveLength):
2564         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
2565         * wasm/WasmBinding.cpp:
2566         (JSC::Wasm::wasmToJs):
2567
2568 2017-08-02  Devin Rousso  <drousso@apple.com>
2569
2570         Web Inspector: add stack trace information for each RecordingAction
2571         https://bugs.webkit.org/show_bug.cgi?id=174663
2572
2573         Reviewed by Joseph Pecoraro.
2574
2575         * inspector/ScriptCallFrame.h:
2576         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
2577         with an existing value doesn't require a functor and can use existing code.
2578
2579         * interpreter/StackVisitor.h:
2580         * interpreter/StackVisitor.cpp:
2581         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
2582
2583 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2584
2585         Merge WTFThreadData to Thread::current
2586         https://bugs.webkit.org/show_bug.cgi?id=174716
2587
2588         Reviewed by Mark Lam.
2589
2590         Use Thread::current() instead.
2591
2592         * API/JSContext.mm:
2593         (+[JSContext currentContext]):
2594         (+[JSContext currentThis]):
2595         (+[JSContext currentCallee]):
2596         (+[JSContext currentArguments]):
2597         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2598         (-[JSContext endCallbackWithData:]):
2599         * heap/Heap.cpp:
2600         (JSC::Heap::requestCollection):
2601         * runtime/Completion.cpp:
2602         (JSC::checkSyntax):
2603         (JSC::checkModuleSyntax):
2604         (JSC::evaluate):
2605         (JSC::loadAndEvaluateModule):
2606         (JSC::loadModule):
2607         (JSC::linkAndEvaluateModule):
2608         (JSC::importModule):
2609         * runtime/Identifier.cpp:
2610         (JSC::Identifier::checkCurrentAtomicStringTable):
2611         * runtime/InitializeThreading.cpp:
2612         (JSC::initializeThreading):
2613         * runtime/JSLock.cpp:
2614         (JSC::JSLock::didAcquireLock):
2615         (JSC::JSLock::willReleaseLock):
2616         (JSC::JSLock::dropAllLocks):
2617         (JSC::JSLock::grabAllLocks):
2618         * runtime/JSLock.h:
2619         * runtime/VM.cpp:
2620         (JSC::VM::VM):
2621         (JSC::VM::updateStackLimits):
2622         (JSC::VM::committedStackByteCount):
2623         * runtime/VM.h:
2624         (JSC::VM::isSafeToRecurse const):
2625         * runtime/VMEntryScope.cpp:
2626         (JSC::VMEntryScope::VMEntryScope):
2627         * runtime/VMInlines.h:
2628         (JSC::VM::ensureStackCapacityFor):
2629         * yarr/YarrPattern.cpp:
2630         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2631
2632 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2633
2634         LLInt should do pointer caging
2635         https://bugs.webkit.org/show_bug.cgi?id=175036
2636
2637         Reviewed by Keith Miller.
2638
2639         Implementing this in the LLInt was challenging because offlineasm did not previously know
2640         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
2641         to be where the Gigacage is enabled right now.
2642
2643         * llint/LLIntOfflineAsmConfig.h:
2644         * llint/LowLevelInterpreter64.asm:
2645         * offlineasm/ast.rb:
2646         * offlineasm/x86.rb:
2647
2648 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2649
2650         Sweeping should only scribble when sweeping to free list
2651         https://bugs.webkit.org/show_bug.cgi?id=175105
2652
2653         Reviewed by Saam Barati.
2654         
2655         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
2656         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
2657         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
2658         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
2659         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
2660         when it doesn't matter anyway because we're building a free list.
2661         
2662         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
2663         zap.
2664
2665         * heap/MarkedBlockInlines.h:
2666         (JSC::MarkedBlock::Handle::specializedSweep):
2667
2668 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2669
2670         All C++ accesses to JSObject::m_butterfly should do caging
2671         https://bugs.webkit.org/show_bug.cgi?id=175039
2672
2673         Reviewed by Keith Miller.
2674         
2675         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
2676         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
2677         outside the gigacage.
2678
2679         * runtime/JSArray.cpp:
2680         (JSC::JSArray::setLength):
2681         (JSC::JSArray::pop):
2682         (JSC::JSArray::push):
2683         (JSC::JSArray::shiftCountWithAnyIndexingType):
2684         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2685         (JSC::JSArray::fillArgList):
2686         (JSC::JSArray::copyToArguments):
2687         * runtime/JSObject.cpp:
2688         (JSC::JSObject::heapSnapshot):
2689         (JSC::JSObject::createInitialIndexedStorage):
2690         (JSC::JSObject::createArrayStorage):
2691         (JSC::JSObject::convertUndecidedToInt32):
2692         (JSC::JSObject::convertUndecidedToDouble):
2693         (JSC::JSObject::convertUndecidedToContiguous):
2694         (JSC::JSObject::convertInt32ToDouble):
2695         (JSC::JSObject::convertInt32ToArrayStorage):
2696         (JSC::JSObject::convertDoubleToContiguous):
2697         (JSC::JSObject::convertDoubleToArrayStorage):
2698         (JSC::JSObject::convertContiguousToArrayStorage):
2699         (JSC::JSObject::defineOwnIndexedProperty):
2700         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2701         (JSC::JSObject::ensureLengthSlow):
2702         (JSC::JSObject::allocateMoreOutOfLineStorage):
2703         * runtime/JSObject.h:
2704         (JSC::JSObject::canGetIndexQuickly):
2705         (JSC::JSObject::getIndexQuickly):
2706         (JSC::JSObject::tryGetIndexQuickly const):
2707         (JSC::JSObject::canSetIndexQuickly):
2708         (JSC::JSObject::setIndexQuickly):
2709         (JSC::JSObject::initializeIndex):
2710         (JSC::JSObject::initializeIndexWithoutBarrier):
2711         (JSC::JSObject::butterfly const):
2712         (JSC::JSObject::butterfly):
2713
2714 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2715
2716         We should be OK with the gigacage being disabled on gmalloc
2717         https://bugs.webkit.org/show_bug.cgi?id=175082
2718
2719         Reviewed by Michael Saboff.
2720
2721         * jsc.cpp:
2722         (jscmain):
2723
2724 2017-08-02  Saam Barati  <sbarati@apple.com>
2725
2726         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
2727         https://bugs.webkit.org/show_bug.cgi?id=175041
2728         <rdar://problem/33659370>
2729
2730         Reviewed by Filip Pizlo.
2731
2732         The testing I have done shows that this new function is a ~10%
2733         progression running JetStream on 1GB iOS devices. I've also tried
2734         this on a few > 1GB iOS devices, and the testing shows this is either neutral
2735         or a regression. Right now, we'll just enable this for <= 1GB devices
2736         since it's a win. In the future, we might want to either look into
2737         tweaking these parameters or coming up with a new function for > 1GB
2738         devices.
2739
2740         * heap/Heap.cpp:
2741         * runtime/Options.h:
2742
2743 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
2744
2745         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
2746         https://bugs.webkit.org/show_bug.cgi?id=174727
2747
2748         Reviewed by Mark Lam.
2749         
2750         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
2751         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
2752         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
2753         
2754         This is neutral on JetStream.
2755
2756         * CMakeLists.txt:
2757         * JavaScriptCore.xcodeproj/project.pbxproj:
2758         * b3/B3InsertionSet.cpp:
2759         (JSC::B3::InsertionSet::execute):
2760         * dfg/DFGAbstractInterpreterInlines.h:
2761         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2762         * dfg/DFGArgumentsEliminationPhase.cpp:
2763         * dfg/DFGClobberize.cpp:
2764         (JSC::DFG::readsOverlap):
2765         * dfg/DFGClobberize.h:
2766         (JSC::DFG::clobberize):
2767         * dfg/DFGDoesGC.cpp:
2768         (JSC::DFG::doesGC):
2769         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
2770         (JSC::DFG::performFixedButterflyAccessUncaging):
2771         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
2772         * dfg/DFGFixupPhase.cpp:
2773         (JSC::DFG::FixupPhase::fixupNode):
2774         * dfg/DFGHeapLocation.cpp:
2775         (WTF::printInternal):
2776         * dfg/DFGHeapLocation.h:
2777         * dfg/DFGNodeType.h:
2778         * dfg/DFGPlan.cpp:
2779         (JSC::DFG::Plan::compileInThreadImpl):
2780         * dfg/DFGPredictionPropagationPhase.cpp:
2781         * dfg/DFGSafeToExecute.h:
2782         (JSC::DFG::safeToExecute):
2783         * dfg/DFGSpeculativeJIT.cpp:
2784         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2785         * dfg/DFGSpeculativeJIT32_64.cpp:
2786         (JSC::DFG::SpeculativeJIT::compile):
2787         * dfg/DFGSpeculativeJIT64.cpp:
2788         (JSC::DFG::SpeculativeJIT::compile):
2789         * dfg/DFGTypeCheckHoistingPhase.cpp:
2790         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2791         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2792         * ftl/FTLCapabilities.cpp:
2793         (JSC::FTL::canCompile):
2794         * ftl/FTLLowerDFGToB3.cpp:
2795         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2796         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2797         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2798         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2799         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2800         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2801         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2802         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2803         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
2804         (JSC::FTL::DFG::LowerDFGToB3::caged):
2805         * heap/GigacageSubspace.cpp: Added.
2806         (JSC::GigacageSubspace::GigacageSubspace):
2807         (JSC::GigacageSubspace::~GigacageSubspace):
2808         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
2809         (JSC::GigacageSubspace::freeAlignedMemory):
2810         (JSC::GigacageSubspace::canTradeBlocksWith):
2811         * heap/GigacageSubspace.h: Added.
2812         * heap/Heap.cpp:
2813         (JSC::Heap::Heap):
2814         (JSC::Heap::lastChanceToFinalize):
2815         (JSC::Heap::finalize):
2816         (JSC::Heap::sweepInFinalize):
2817         (JSC::Heap::updateAllocationLimits):
2818         (JSC::Heap::shouldDoFullCollection):
2819         (JSC::Heap::collectIfNecessaryOrDefer):
2820         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
2821         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
2822         (JSC::Heap::sweepLargeAllocations): Deleted.
2823         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
2824         * heap/Heap.h:
2825         * heap/LargeAllocation.cpp:
2826         (JSC::LargeAllocation::tryCreate):
2827         (JSC::LargeAllocation::destroy):
2828         * heap/MarkedAllocator.cpp:
2829         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2830         (JSC::MarkedAllocator::tryAllocateBlock):
2831         * heap/MarkedBlock.cpp:
2832         (JSC::MarkedBlock::tryCreate):
2833         (JSC::MarkedBlock::Handle::Handle):
2834         (JSC::MarkedBlock::Handle::~Handle):
2835         (JSC::MarkedBlock::Handle::didAddToAllocator):
2836         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2837         * heap/MarkedBlock.h:
2838         (JSC::MarkedBlock::Handle::subspace const):
2839         * heap/MarkedSpace.cpp:
2840         (JSC::MarkedSpace::~MarkedSpace):
2841         (JSC::MarkedSpace::freeMemory):
2842         (JSC::MarkedSpace::prepareForAllocation):
2843         (JSC::MarkedSpace::addMarkedAllocator):
2844         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
2845         * heap/MarkedSpace.h:
2846         (JSC::MarkedSpace::firstAllocator const):
2847         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
2848         * heap/Subspace.cpp:
2849         (JSC::Subspace::Subspace):
2850         (JSC::Subspace::canTradeBlocksWith):
2851         (JSC::Subspace::tryAllocateAlignedMemory):
2852         (JSC::Subspace::freeAlignedMemory):
2853         (JSC::Subspace::prepareForAllocation):
2854         (JSC::Subspace::findEmptyBlockToSteal):
2855         * heap/Subspace.h:
2856         (JSC::Subspace::didCreateFirstAllocator):
2857         * heap/SubspaceInlines.h:
2858         (JSC::Subspace::forEachAllocator):
2859         (JSC::Subspace::forEachMarkedBlock):
2860         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2861         * jit/JITPropertyAccess.cpp:
2862         (JSC::JIT::emitDoubleLoad):
2863         (JSC::JIT::emitContiguousLoad):
2864         (JSC::JIT::emitArrayStorageLoad):
2865         (JSC::JIT::emitGenericContiguousPutByVal):
2866         (JSC::JIT::emitArrayStoragePutByVal):
2867         (JSC::JIT::emit_op_get_from_scope):
2868         (JSC::JIT::emit_op_put_to_scope):
2869         (JSC::JIT::emitIntTypedArrayGetByVal):
2870         (JSC::JIT::emitFloatTypedArrayGetByVal):
2871         (JSC::JIT::emitIntTypedArrayPutByVal):
2872         (JSC::JIT::emitFloatTypedArrayPutByVal):
2873         * jsc.cpp:
2874         (fillBufferWithContentsOfFile):
2875         (functionReadFile):
2876         (gigacageDisabled):
2877         (jscmain):
2878         * llint/LowLevelInterpreter64.asm:
2879         * runtime/ArrayBuffer.cpp:
2880         (JSC::ArrayBufferContents::tryAllocate):
2881         (JSC::ArrayBuffer::createAdopted):
2882         (JSC::ArrayBuffer::createFromBytes):
2883         (JSC::ArrayBuffer::tryCreate):
2884         * runtime/IndexingHeader.h:
2885         * runtime/InitializeThreading.cpp:
2886         (JSC::initializeThreading):
2887         * runtime/JSArrayBuffer.cpp:
2888         * runtime/JSArrayBufferView.cpp:
2889         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2890         (JSC::JSArrayBufferView::finalize):
2891         * runtime/JSLock.cpp:
2892         (JSC::JSLock::didAcquireLock):
2893         * runtime/JSObject.h:
2894         * runtime/Options.cpp:
2895         (JSC::recomputeDependentOptions):
2896         * runtime/Options.h:
2897         * runtime/ScopedArgumentsTable.h:
2898         * runtime/VM.cpp:
2899         (JSC::VM::VM):
2900         (JSC::VM::~VM):
2901         (JSC::VM::gigacageDisabledCallback):
2902         (JSC::VM::gigacageDisabled):
2903         * runtime/VM.h:
2904         (JSC::VM::fireGigacageEnabledIfNecessary):
2905         (JSC::VM::gigacageEnabled):
2906         * wasm/WasmB3IRGenerator.cpp:
2907         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2908         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2909         * wasm/WasmCodeBlock.cpp:
2910         (JSC::Wasm::CodeBlock::isSafeToRun):
2911         * wasm/WasmMemory.cpp:
2912         (JSC::Wasm::makeString):
2913         (JSC::Wasm::Memory::create):
2914         (JSC::Wasm::Memory::~Memory):
2915         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
2916         (JSC::Wasm::Memory::grow):
2917         (JSC::Wasm::Memory::initializePreallocations): Deleted.
2918         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
2919         * wasm/WasmMemory.h:
2920         * wasm/js/JSWebAssemblyInstance.cpp:
2921         (JSC::JSWebAssemblyInstance::create):
2922         * wasm/js/JSWebAssemblyMemory.cpp:
2923         (JSC::JSWebAssemblyMemory::grow):
2924         (JSC::JSWebAssemblyMemory::finishCreation):
2925         * wasm/js/JSWebAssemblyMemory.h:
2926         (JSC::JSWebAssemblyMemory::subspaceFor):
2927
2928 2017-07-31  Mark Lam  <mark.lam@apple.com>
2929
2930         Added some UNLIKELYs to operationOptimize().
2931         https://bugs.webkit.org/show_bug.cgi?id=174976
2932
2933         Reviewed by JF Bastien.
2934
2935         * jit/JITOperations.cpp:
2936
2937 2017-07-31  Keith Miller  <keith_miller@apple.com>
2938
2939         Make more things LLInt constexprs
2940         https://bugs.webkit.org/show_bug.cgi?id=174994
2941
2942         Reviewed by Saam Barati.
2943
2944         This patch makes more of the const values in the LLInt constexprs.
2945         It also deletes all of the no longer necessary static_asserts in
2946         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
2947
2948         * interpreter/ShadowChicken.h:
2949         (JSC::ShadowChicken::Packet::tailMarker):
2950         * llint/LLIntData.cpp:
2951         (JSC::LLInt::Data::performAssertions):
2952         * llint/LowLevelInterpreter.asm:
2953         * offlineasm/generate_offset_extractor.rb:
2954         * offlineasm/parser.rb:
2955
2956 2017-07-31  Matt Lewis  <jlewis3@apple.com>
2957
2958         Unreviewed, rolling out r220060.
2959
2960         This broke our internal builds. Contact reviewer of patch for
2961         more information.
2962
2963         Reverted changeset:
2964
2965         "Merge WTFThreadData to Thread::current"
2966         https://bugs.webkit.org/show_bug.cgi?id=174716
2967         http://trac.webkit.org/changeset/220060
2968
2969 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2970
2971         [JSC] Support optional catch binding
2972         https://bugs.webkit.org/show_bug.cgi?id=174981
2973
2974         Reviewed by Saam Barati.
2975
2976         This patch implements the optional catch binding proposal [1], which is now stage 3.
2977         This proposal adds a new `catch` brace with no error value binding.
2978
2979             ```
2980                 try {
2981                     ...
2982                 } catch {
2983                     ...
2984                 }
2985             ```
2986
2987         Sometimes we do not actually need to get the error value. For example, a function may return
2988         a boolean that indicates whether the function succeeded.
2989
2990             ```
2991             function parse(result) // -> bool
2992             {
2993                  try {
2994                      parseInner(result);
2995                  } catch {
2996                      return false;
2997                  }
2998                  return true;
2999             }
3000             ```
3001
3002         In the above case, we are not interested in the actual error value. Without this syntax,
3003         we always need to introduce a binding for an error value that is just ignored.
3004
3005         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
3006
3007         * bytecompiler/NodesCodegen.cpp:
3008         (JSC::TryNode::emitBytecode):
3009         * parser/Parser.cpp:
3010         (JSC::Parser<LexerType>::parseTryStatement):
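
The syntax described in this entry, exercised in plain JavaScript as an added example (not code from the WebKit change itself). `tryParseJSON`, `tryParseJSONOld` and `tryParseJSONWithCleanup` are names constructed here; they use `JSON.parse` as the operation that may throw.

```javascript
// Added example, not part of the WebKit change: optional catch binding in use.
// All function names here are constructed for illustration.

// Old style: the binding is introduced only to be ignored.
function tryParseJSONOld(text) {
    try {
        JSON.parse(text);
    } catch (unusedError) {
        return false;
    }
    return true;
}

// New style: `catch` with no binding, as this entry adds to the parser.
// Note that with no binding there is nothing to rethrow or log, so this form
// is only appropriate when the error value really is irrelevant.
function tryParseJSON(text) {
    try {
        JSON.parse(text);
    } catch {
        return false;
    }
    return true;
}

// The binding-less catch composes with finally exactly as the bound form does:
// the cleanup step runs whether or not parsing threw.
function tryParseJSONWithCleanup(text, log) {
    try {
        JSON.parse(text);
        return true;
    } catch {
        return false;
    } finally {
        log.push("cleanup");
    }
}
```

The two parse helpers behave identically; the only difference is that the second does not declare a name that nothing reads. Engines without this proposal reject the bare `catch {` at parse time, so the whole script fails to load rather than failing at the call site.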
3011
3012 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3013
3014         Merge WTFThreadData to Thread::current
3015         https://bugs.webkit.org/show_bug.cgi?id=174716
3016
3017         Reviewed by Sam Weinig.
3018
3019         Use Thread::current() instead.
3020
3021         * API/JSContext.mm:
3022         (+[JSContext currentContext]):
3023         (+[JSContext currentThis]):
3024         (+[JSContext currentCallee]):
3025         (+[JSContext currentArguments]):
3026         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
3027         (-[JSContext endCallbackWithData:]):
3028         * heap/Heap.cpp:
3029         (JSC::Heap::requestCollection):
3030         * runtime/Completion.cpp:
3031         (JSC::checkSyntax):
3032         (JSC::checkModuleSyntax):
3033         (JSC::evaluate):
3034         (JSC::loadAndEvaluateModule):
3035         (JSC::loadModule):
3036         (JSC::linkAndEvaluateModule):
3037         (JSC::importModule):
3038         * runtime/Identifier.cpp:
3039         (JSC::Identifier::checkCurrentAtomicStringTable):
3040         * runtime/InitializeThreading.cpp:
3041         (JSC::initializeThreading):
3042         * runtime/JSLock.cpp:
3043         (JSC::JSLock::didAcquireLock):
3044         (JSC::JSLock::willReleaseLock):
3045         (JSC::JSLock::dropAllLocks):
3046         (JSC::JSLock::grabAllLocks):
3047         * runtime/JSLock.h:
3048         * runtime/VM.cpp:
3049         (JSC::VM::VM):
3050         (JSC::VM::updateStackLimits):
3051         (JSC::VM::committedStackByteCount):
3052         * runtime/VM.h:
3053         (JSC::VM::isSafeToRecurse const):
3054         * runtime/VMEntryScope.cpp:
3055         (JSC::VMEntryScope::VMEntryScope):
3056         * runtime/VMInlines.h:
3057         (JSC::VM::ensureStackCapacityFor):
3058         * yarr/YarrPattern.cpp:
3059         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
3060
3061 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3062
3063         [WTF] Introduce Private Symbols
3064         https://bugs.webkit.org/show_bug.cgi?id=174935
3065
3066         Reviewed by Darin Adler.
3067
3068         Use SymbolImpl::isPrivate().
3069
3070         * builtins/BuiltinNames.cpp:
3071         * builtins/BuiltinNames.h:
3072         (JSC::BuiltinNames::isPrivateName): Deleted.
3073         * builtins/BuiltinUtils.h:
3074         * bytecode/BytecodeIntrinsicRegistry.cpp:
3075         (JSC::BytecodeIntrinsicRegistry::lookup):
3076         * runtime/CommonIdentifiers.cpp:
3077         (JSC::CommonIdentifiers::isPrivateName): Deleted.
3078         * runtime/CommonIdentifiers.h:
3079         * runtime/ExceptionHelpers.cpp:
3080         (JSC::createUndefinedVariableError):
3081         * runtime/Identifier.h:
3082         (JSC::Identifier::isPrivateName):
3083         * runtime/IdentifierInlines.h:
3084         (JSC::identifierToSafePublicJSValue):
3085         * runtime/ObjectConstructor.cpp:
3086         (JSC::objectConstructorAssign):
3087         (JSC::defineProperties):
3088         (JSC::setIntegrityLevel):
3089         (JSC::testIntegrityLevel):
3090         (JSC::ownPropertyKeys):
3091         * runtime/PrivateName.h:
3092         (JSC::PrivateName::PrivateName):
3093         * runtime/PropertyName.h:
3094         (JSC::PropertyName::isPrivateName):
3095         * runtime/ProxyObject.cpp:
3096         (JSC::performProxyGet):
3097         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3098         (JSC::ProxyObject::performHasProperty):
3099         (JSC::ProxyObject::performPut):
3100         (JSC::ProxyObject::performDelete):
3101         (JSC::ProxyObject::performDefineOwnProperty):
3102
3103 2017-07-29  Keith Miller  <keith_miller@apple.com>
3104
3105         LLInt offsets extractor should be able to handle C++ constexprs
3106         https://bugs.webkit.org/show_bug.cgi?id=174964
3107
3108         Reviewed by Saam Barati.
3109
3110         This patch adds new syntax to the offline asm language. The new keyword,
3111         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
3112         expression. Additionally, if the value is not an identifier, you can wrap it in
3113         parentheses, e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
3114         which will get converted into:
3115         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
3116
3117         This patch also changes the data format the LLIntOffsetsExtractor
3118         binary produces.  Previously, it would produce unsigned values;
3119         after this patch every value is an int64_t.  Using an int64_t is
3120         useful because it means that we can represent any constant needed.
3121         int32_t masks are sign extended, then passed on and converted to a
3122         negative literal string in the assembler so they will be the constant
3123         expected.
3124
3125         * llint/LLIntOffsetsExtractor.cpp:
3126         (JSC::LLIntOffsetsExtractor::dummy):
3127         * llint/LowLevelInterpreter.asm:
3128         * llint/LowLevelInterpreter64.asm:
3129         * offlineasm/asm.rb:
3130         * offlineasm/ast.rb:
3131         * offlineasm/generate_offset_extractor.rb:
3132         * offlineasm/offsets.rb:
3133         * offlineasm/parser.rb:
3134         * offlineasm/transform.rb:
3135
3136 2017-07-28  Matt Baker  <mattbaker@apple.com>
3137
3138         Web Inspector: capture an async stack trace when web content calls addEventListener
3139         https://bugs.webkit.org/show_bug.cgi?id=174739
3140         <rdar://problem/33468197>
3141
3142         Reviewed by Brian Burg.
3143
3144         Allow debugger agents to perform custom logic when asynchronous stack
3145         trace data is cleared. For example, the PageDebuggerAgent would clear
3146         its list of registered listeners for which call stacks have been recorded.
3147
3148         * inspector/agents/InspectorDebuggerAgent.cpp:
3149         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
3150         * inspector/agents/InspectorDebuggerAgent.h:
3151
3152 2017-07-28  Mark Lam  <mark.lam@apple.com>
3153
3154         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
3155         https://bugs.webkit.org/show_bug.cgi?id=174948
3156         <rdar://problem/33495680>
3157
3158         Reviewed by Filip Pizlo.
3159
3160         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
3161         owner StructureRareData is already known to be dead (in terms of GC liveness) but
3162         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
3163         requests to fire this watchpoint.
3164
3165         If the GC had the chance to sweep the StructureRareData, thereby destructing the
3166         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
3167         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
3168
3169         But since the watchpoint hasn't been destructed yet, it still remains on the
3170         WatchpointSet and needs to guard against being fired in this state.  The fix is
3171         to simply return early if its owner StructureRareData is not live.  This has the
3172         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
3173         not firing as we would expect.
3174
3175         This patch also removes some cargo cult copying of watchpoint code which
3176         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
3177         used.  This patch removes these unnecessary instantiations.
3178
3179         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3180         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3181         * runtime/StructureRareData.cpp:
3182         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3183         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3184
3185 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3186
3187         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
3188         https://bugs.webkit.org/show_bug.cgi?id=174900
3189
3190         Reviewed by Saam Barati.
3191
3192         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
3193         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
3194         The problem is that even the transforming phase also checks these pseudo terminals.
3195
3196             BB1
3197             1: ForceOSRExit
3198             2: CreateDirectArguments
3199
3200             BB2
3201             3: GetButterfly(@2)
3202             4: ForceOSRExit
3203
3204         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed, and the assertion fires.
3205
3206         In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
3207
3208         * dfg/DFGArgumentsEliminationPhase.cpp:
3209
3210 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
3211
3212         [ES] Add support finally to Promise
3213         https://bugs.webkit.org/show_bug.cgi?id=174503
3214
3215         Reviewed by Yusuke Suzuki.
3216
3217         Add support for the `finally` method to Promise according
3218         to https://bugs.webkit.org/show_bug.cgi?id=174503.
3219         The current spec is at STAGE 3:
3220         https://github.com/tc39/proposal-promise-finally
3221
3222         * builtins/PromisePrototype.js:
3223         (finally):
3224         (const.valueThunk):
3225         (globalPrivate.getThenFinally):
3226         (const.thrower):
3227         (globalPrivate.getCatchFinally):
3228         * runtime/JSPromisePrototype.cpp:
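
The semantics this entry implements, modelled in plain JavaScript as an added example (it is not the builtin from PromisePrototype.js). The model follows the thenFinally/valueThunk and catchFinally/thrower structure that the entry's function list names; `promiseFinally` and `runFinallyCases` are names constructed here, and the second one runs the same cases against any `finally` implementation so the model can be compared with the native method.

```javascript
// Added example, not WebKit's builtin: a plain-JS model of Promise.prototype.finally
// as specified by the TC39 proposal. Names here are constructed for illustration.
function promiseFinally(promise, onFinally) {
    // A non-callable onFinally is passed straight through, as then() would do.
    if (typeof onFinally !== "function")
        return promise.then(onFinally, onFinally);

    const thenFinally = (value) => {
        const result = onFinally();
        // valueThunk: once onFinally's result settles, re-emit the original value.
        return Promise.resolve(result).then(() => value);
    };
    const catchFinally = (reason) => {
        const result = onFinally();
        // thrower: once onFinally's result settles, rethrow the original reason.
        return Promise.resolve(result).then(() => { throw reason; });
    };
    // then() turns a synchronous throw inside onFinally into a rejection,
    // so an exception from the cleanup replaces the original outcome.
    return promise.then(thenFinally, catchFinally);
}

// Runs the cases worth checking for any finally implementation:
// fulfillment and rejection pass through untouched, a promise-returning
// onFinally delays settlement, and an onFinally that throws replaces the outcome.
// finallyImpl(promise, onFinally) lets the same cases run against the native method.
async function runFinallyCases(finallyImpl) {
    const log = [];

    const value = await finallyImpl(Promise.resolve(42), () => { log.push("after-fulfill"); });

    let reason;
    try {
        await finallyImpl(Promise.reject(new Error("boom")), () => { log.push("after-reject"); });
    } catch (e) {
        reason = e.message;
    }

    const delayed = await finallyImpl(Promise.resolve("ok"), () =>
        new Promise((resolve) => setTimeout(() => { log.push("after-delay"); resolve("ignored"); }, 5)));

    let overridden;
    try {
        await finallyImpl(Promise.resolve(1), () => { throw new Error("cleanup failed"); });
    } catch (e) {
        overridden = e.message;
    }

    return { value, reason, delayed, overridden, log };
}
```

Two points the model makes visible: `onFinally` receives no argument and its return value is discarded (only its settlement timing matters), and a rejection from `onFinally` wins over both a fulfilled value and the original rejection, so cleanup code that can itself fail will mask the error it was cleaning up after.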
3229
3230 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3231
3232         Unreviewed, build fix for CLoop
3233         https://bugs.webkit.org/show_bug.cgi?id=171637
3234
3235         * domjit/DOMJITGetterSetter.h:
3236
3237 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3238
3239         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
3240         https://bugs.webkit.org/show_bug.cgi?id=171637
3241
3242         Reviewed by Darin Adler.
3243
3244         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
3245         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
3246
3247         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
3248         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
3249
3250         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
3251         the op_get_by_id_with_this case yet.
3252         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
3253
3254         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
3255         ClassInfo check.
3256
3257         * CMakeLists.txt:
3258         * JavaScriptCore.xcodeproj/project.pbxproj:
3259         * bytecode/AccessCase.cpp:
3260         (JSC::AccessCase::generateImpl):
3261         * bytecode/GetByIdStatus.cpp:
3262         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3263         * bytecode/GetByIdVariant.cpp:
3264         (JSC::GetByIdVariant::GetByIdVariant):
3265         (JSC::GetByIdVariant::operator=):
3266         (JSC::GetByIdVariant::attemptToMerge):
3267         (JSC::GetByIdVariant::dumpInContext):
3268         * bytecode/GetByIdVariant.h:
3269         (JSC::GetByIdVariant::customAccessorGetter):
3270         (JSC::GetByIdVariant::domAttribute):
3271         (JSC::GetByIdVariant::domJIT): Deleted.
3272         * bytecode/GetterSetterAccessCase.cpp:
3273         (JSC::GetterSetterAccessCase::create):
3274         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3275         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3276         * bytecode/GetterSetterAccessCase.h:
3277         (JSC::GetterSetterAccessCase::domAttribute):
3278         (JSC::GetterSetterAccessCase::customAccessor):
3279         (JSC::GetterSetterAccessCase::domJIT): Deleted.
3280         * bytecompiler/BytecodeGenerator.cpp:
3281         (JSC::BytecodeGenerator::instantiateLexicalVariables):
3282         * create_hash_table:
3283         * dfg/DFGAbstractInterpreterInlines.h:
3284         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3285         * dfg/DFGByteCodeParser.cpp:
3286         (JSC::DFG::blessCallDOMGetter):
3287         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3288         (JSC::DFG::ByteCodeParser::handleGetById):
3289         * dfg/DFGClobberize.h:
3290         (JSC::DFG::clobberize):
3291         * dfg/DFGFixupPhase.cpp:
3292         (JSC::DFG::FixupPhase::fixupNode):
3293         * dfg/DFGNode.h:
3294         * dfg/DFGSpeculativeJIT.cpp:
3295         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3296         * dfg/DFGSpeculativeJIT.h:
3297         (JSC::DFG::SpeculativeJIT::callCustomGetter):
3298         * domjit/DOMJITGetterSetter.h:
3299         (JSC::DOMJIT::GetterSetter::GetterSetter):
3300         (JSC::DOMJIT::GetterSetter::getter):
3301         (JSC::DOMJIT::GetterSetter::compiler):
3302         (JSC::DOMJIT::GetterSetter::resultType):
3303         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
3304         (JSC::DOMJIT::GetterSetter::setter): Deleted.
3305         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
3306         * ftl/FTLLowerDFGToB3.cpp:
3307         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3308         * jit/Repatch.cpp:
3309         (JSC::tryCacheGetByID):
3310         * jsc.cpp:
3311         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
3312         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3313         (WTF::DOMJITGetter::customGetter):
3314         (WTF::DOMJITGetter::finishCreation):
3315         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
3316         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3317         (WTF::DOMJITGetterComplex::customGetter):
3318         (WTF::DOMJITGetterComplex::finishCreation):
3319         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3320         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
3321         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
3322         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3323         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
3324         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
3325         * runtime/CustomGetterSetter.h:
3326         (JSC::CustomGetterSetter::create):
3327         (JSC::CustomGetterSetter::setter):
3328         (JSC::CustomGetterSetter::CustomGetterSetter):
3329         (): Deleted.
3330         * runtime/DOMAnnotation.h: Added.
3331         (JSC::operator==):
3332         (JSC::operator!=):
3333         * runtime/DOMAttributeGetterSetter.cpp: Added.
3334         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
3335         (JSC::isDOMAttributeGetterSetter):
3336         * runtime/Error.cpp:
3337         (JSC::throwDOMAttributeGetterTypeError):
3338         * runtime/Error.h:
3339         (JSC::throwVMDOMAttributeGetterTypeError):
3340         * runtime/JSCustomGetterSetterFunction.cpp:
3341         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
3342         * runtime/JSObject.cpp:
3343         (JSC::JSObject::putInlineSlow):
3344         (JSC::JSObject::deleteProperty):
3345         (JSC::JSObject::getOwnStaticPropertySlot):
3346         (JSC::JSObject::reifyAllStaticProperties):
3347         (JSC::JSObject::fillGetterPropertySlot):
3348         (JSC::JSObject::findPropertyHashEntry): Deleted.
3349         * runtime/JSObject.h:
3350         (JSC::JSObject::getOwnNonIndexPropertySlot):
3351         (JSC::JSObject::fillCustomGetterPropertySlot):
3352         * runtime/Lookup.cpp:
3353         (JSC::setUpStaticFunctionSlot):
3354         * runtime/Lookup.h:
3355         (JSC::HashTableValue::domJIT):
3356         (JSC::getStaticPropertySlotFromTable):
3357         (JSC::putEntry):
3358         (JSC::lookupPut):
3359         (JSC::reifyStaticProperty):
3360         (JSC::reifyStaticProperties):
3361         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
3362         this static property table require.
3363
3364         * runtime/ProgramExecutable.cpp:
3365         (JSC::ProgramExecutable::initializeGlobalProperties):
3366         * runtime/PropertyName.h:
3367         * runtime/PropertySlot.cpp:
3368         (JSC::PropertySlot::customGetter):
3369         (JSC::PropertySlot::customAccessorGetter):
3370         * runtime/PropertySlot.h:
3371         (JSC::PropertySlot::domAttribute):
3372         (JSC::PropertySlot::setCustom):
3373         (JSC::PropertySlot::setCacheableCustom):
3374         (JSC::PropertySlot::getValue):
3375         (JSC::PropertySlot::domJIT): Deleted.
3376         * runtime/VM.cpp:
3377         (JSC::VM::VM):
3378         * runtime/VM.h:
3379
3380 2017-07-26  Devin Rousso  <drousso@apple.com>
3381
3382         Web Inspector: create protocol for recording Canvas contexts
3383         https://bugs.webkit.org/show_bug.cgi?id=174481
3384
3385         Reviewed by Joseph Pecoraro.
3386
3387         * inspector/protocol/Canvas.json:
3388          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
3389          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
3390          - Add `recordingFinished` event that is fired once a recording is finished.
3391
3392         * CMakeLists.txt:
3393         * DerivedSources.make:
3394         * inspector/protocol/Recording.json: Added.
3395          - Add `Type` enum that lists the types of recordings.
3396          - Add `InitialState` type that contains information about the canvas context at the
3397            beginning of the recording.
3398          - Add `Frame` type that holds a list of actions that were recorded.
3399          - Add `Recording` type as the container object of recording data.
3400
3401         * inspector/scripts/codegen/generate_js_backend_commands.py:
3402