05e063d66c34c3634d18085cf8f30d91ea1b7405
[WebKit.git] / Source / JavaScriptCore / ChangeLog
2017-05-11  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r216677.

        Patch caused layout test crashes.

        Reverted changeset:

        "WorkerThread::stop() should call
        scheduleExecutionTermination() last."
        https://bugs.webkit.org/show_bug.cgi?id=171775
        http://trac.webkit.org/changeset/216677

2017-05-11  Don Olmstead  <don.olmstead@am.sony.com>

        [CMake] Add HAVE check for regex.h
        https://bugs.webkit.org/show_bug.cgi?id=171950

        Reviewed by Michael Catanzaro.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):

2017-05-11  Filip Pizlo  <fpizlo@apple.com>

        Callers of JSString::unsafeView() should check exceptions
        https://bugs.webkit.org/show_bug.cgi?id=171995

        Reviewed by Mark Lam.

        unsafeView() can throw OOME. So, callers of unsafeView() should check for exceptions before trying
        to access the view.

        Also, I made the functions surrounding unsafeView() take ExecState* not ExecState&, to comply with
        the rest of JSC.

        * dfg/DFGOperations.cpp:
        * jsc.cpp:
        (printInternal):
        (functionDebug):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncJoin):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorFuncCompare):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncJoin):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncParseFloat):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/JSString.cpp:
        (JSC::JSString::getPrimitiveNumber):
        (JSC::JSString::toNumber):
        * runtime/JSString.h:
        (JSC::JSString::getIndex):
        (JSC::JSRopeString::unsafeView):
        (JSC::JSRopeString::viewWithUnderlyingString):
        (JSC::JSString::unsafeView):
        (JSC::JSString::viewWithUnderlyingString):
        * runtime/JSStringJoiner.h:
        (JSC::JSStringJoiner::appendWithoutSideEffects):
        (JSC::JSStringJoiner::append):
        * runtime/ParseInt.h:
        (JSC::toStringView):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncRepeatCharacter):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncNormalize):

2017-05-11  Filip Pizlo  <fpizlo@apple.com>

        Offer SPI to notify clients that GC has happened
        https://bugs.webkit.org/show_bug.cgi?id=171980

        Reviewed by Geoffrey Garen.

        Sometimes when you're programming with weak references, it's most convenient if the GC tells
        you when it finishes. This adds exactly such an API. This API is called at the *flip*: the
        moment when the GC knows for sure which objects are dead and has definitely not allocated any
        new objects or executed any JS code. The finalization part of the flip, which is where this
        callback gets called, runs on the "main" thread - i.e. some thread that is attempting to
        execute JS code and holds the JS lock. This will usually run as a side-effect of some
        allocation or from the runloop.

        This means, for example, that if you implemented a vector of weak references and registered a
        callback to prune the vector of null weak references, then aside from the callback, nobody
        would ever see a null weak reference in the vector.

        * API/JSHeapFinalizerPrivate.cpp: Added.
        (JSContextGroupAddHeapFinalizer):
        (JSContextGroupRemoveHeapFinalizer):
        * API/JSHeapFinalizerPrivate.h: Added.
        * API/tests/testapi.c:
        (heapFinalizer):
        (testMarkingConstraintsAndHeapFinalizers):
        (main):
        (testMarkingConstraints): Deleted.
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::finalize):
        (JSC::Heap::addHeapFinalizerCallback):
        (JSC::Heap::removeHeapFinalizerCallback):
        * heap/Heap.h:
        * heap/HeapFinalizerCallback.cpp: Added.
        (JSC::HeapFinalizerCallback::dump):
        * heap/HeapFinalizerCallback.h: Added.
        (JSC::HeapFinalizerCallback::HeapFinalizerCallback):
        (JSC::HeapFinalizerCallback::operator==):
        (JSC::HeapFinalizerCallback::operator!=):
        (JSC::HeapFinalizerCallback::operator bool):
        (JSC::HeapFinalizerCallback::run):

2017-05-11  Filip Pizlo  <fpizlo@apple.com>

        JSWeakCreate/Retain/Release should take a JSContextGroupRef and not a JSContextRef
        https://bugs.webkit.org/show_bug.cgi?id=171979

        Reviewed by Mark Lam.

        Functions that don't execute arbitrary JS but just need access to the VM should take a
        JSContextGroupRef, not a JSContextRef.

        * API/JSWeakPrivate.cpp:
        (JSWeakCreate):
        (JSWeakRetain):
        (JSWeakRelease):
        * API/JSWeakPrivate.h:
        * API/tests/testapi.c:
        (testMarkingConstraints):

2017-05-11  Mark Lam  <mark.lam@apple.com>

        WorkerThread::stop() should call scheduleExecutionTermination() last.
        https://bugs.webkit.org/show_bug.cgi?id=171775
        <rdar://problem/30975761>

        Reviewed by Geoffrey Garen.

        Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
        from 25 to 100.  From experience, I found that 25 is sometimes not sufficient
        for our debugging needs.

        Also added VM::throwingThread() to track which thread an exception was thrown in.
        This may be useful if the client is entering the VM from different threads.

        * runtime/ExceptionScope.cpp:
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        (JSC::ExceptionScope::releaseAssertIsTerminatedExecutionException):
        * runtime/ExceptionScope.h:
        (JSC::ExceptionScope::exception):
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/VM.h:
        (JSC::VM::throwingThread):
        (JSC::VM::clearException):

2017-05-11  JF Bastien  <jfbastien@apple.com>

        WebAssembly: stop supporting 0xD
        https://bugs.webkit.org/show_bug.cgi?id=168788
        <rdar://problem/31880922>

        Reviewed by Saam Barati.

        Only version 1 is supported by other browsers, and there shouldn't
        be any 0xD binaries in the wild anymore.

        * wasm/WasmModuleParser.cpp:

2017-05-09  Sam Weinig  <sam@webkit.org>

        Remove support for legacy Notifications
        https://bugs.webkit.org/show_bug.cgi?id=171487

        Reviewed by Jon Lee.

        * Configurations/FeatureDefines.xcconfig:
        Remove definition of ENABLE_LEGACY_NOTIFICATIONS.

2017-05-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r216635.
        https://bugs.webkit.org/show_bug.cgi?id=171953

        "Some worker tests are failing". (Requested by mlam on #webkit).

        Reverted changeset:

        "WorkerThread::stop() should call
        scheduleExecutionTermination() last."
        https://bugs.webkit.org/show_bug.cgi?id=171775
        http://trac.webkit.org/changeset/216635

2017-05-10  Mark Lam  <mark.lam@apple.com>

        Crash in JavaScriptCore GC when using JSC on dispatch queues (thread_get_state returns NULL stack pointer).
        https://bugs.webkit.org/show_bug.cgi?id=160337
        <rdar://problem/27611733>

        Not reviewed.

        Updated a comment per Geoff's suggestion.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStack):

2017-05-10  Mark Lam  <mark.lam@apple.com>

        WorkerThread::stop() should call scheduleExecutionTermination() last.
        https://bugs.webkit.org/show_bug.cgi?id=171775
        <rdar://problem/30975761>

        Reviewed by Geoffrey Garen.

        Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
        from 25 to 100.  From experience, I found that 25 is sometimes not sufficient
        for our debugging needs.

        Also added VM::throwingThread() to track which thread an exception was thrown in.
        This may be useful if the client is entering the VM from different threads.

        * runtime/ExceptionScope.cpp:
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        (JSC::ExceptionScope::releaseAssertIsTerminatedExecutionException):
        * runtime/ExceptionScope.h:
        (JSC::ExceptionScope::exception):
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/VM.h:
        (JSC::VM::throwingThread):
        (JSC::VM::clearException):

2017-05-10  Mark Lam  <mark.lam@apple.com>

        Crash in JavaScriptCore GC when using JSC on dispatch queues (thread_get_state returns NULL stack pointer).
        https://bugs.webkit.org/show_bug.cgi?id=160337
        <rdar://problem/27611733>

        Reviewed by Filip Pizlo and Geoffrey Garen.

        This is a workaround for <rdar://problem/27607384>. During thread initialization,
        for some target platforms, thread state is momentarily set to 0 before being
        filled in with the target thread's real register values. As a result, there's
        a race condition that may result in us getting a null stackPointer during a GC scan.
        This issue may manifest with workqueue threads where the OS may choose to recycle
        a thread for an expired task.

        The workaround is simply to indicate that there's nothing to copy and return.
        This is correct because we will only ever observe a null pointer during thread
        initialization. Hence, by definition, there's nothing there that we need to scan
        yet, and therefore, nothing that needs to be copied.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStack):

2017-05-10  JF Bastien  <jfbastien@apple.com>

        WebAssembly: support name section

        https://bugs.webkit.org/show_bug.cgi?id=171263

        Reviewed by Keith Miller.

        The name section is an optional custom section in the WebAssembly
        spec. At least when debugging, developers expect to be able to use
        this section to obtain intelligible stack traces, otherwise we
        just number the wasm functions which is somewhat painful.

        This patch parses this section, dropping its content eagerly on
        error, and if there is a name section then backtraces use their
        value instead of numbers. Otherwise we stick to numbers as before.

        Note that the format of name sections changed in mid-February:
          https://github.com/WebAssembly/design/pull/984
        And binaryen was only updated in early March:
          https://github.com/WebAssembly/binaryen/pull/933

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::Frame::functionName):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::wasmFunctionIndexOrName):
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::functionName):
        * runtime/StackFrame.h:
        (JSC::StackFrame::StackFrame):
        (JSC::StackFrame::wasm):
        * wasm/WasmBBQPlanInlines.h:
        (JSC::Wasm::BBQPlan::initializeCallees):
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        * wasm/WasmCallee.h:
        (JSC::Wasm::Callee::create):
        (JSC::Wasm::Callee::indexOrName):
        * wasm/WasmFormat.cpp:
        (JSC::Wasm::makeString):
        * wasm/WasmFormat.h:
        (JSC::Wasm::isValidExternalKind):
        (JSC::Wasm::isValidNameType):
        (JSC::Wasm::NameSection::get):
        * wasm/WasmIndexOrName.cpp: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp.
        (JSC::Wasm::IndexOrName::IndexOrName):
        (JSC::Wasm::makeString):
        * wasm/WasmIndexOrName.h: Copied from Source/JavaScriptCore/wasm/WasmFormat.cpp.
        * wasm/WasmModuleInformation.h:
        * wasm/WasmModuleParser.cpp:
        * wasm/WasmName.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp.
        * wasm/WasmNameSectionParser.cpp: Added.
        * wasm/WasmNameSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp.
        (JSC::Wasm::NameSectionParser::NameSectionParser):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
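
        Added example (editor's illustration, not JavaScriptCore's parser and not code from
        either ChangeLog entry): a small Python parser for the WebAssembly binary header and
        the "name" custom section in the post-PR-984 subsection layout the entry above refers
        to. It accepts only binary version 1, so a 0xD module from the earlier "stop supporting
        0xD" entry is rejected at the header check, and a malformed name section is dropped
        (empty map) rather than failing the module, mirroring the eager-drop behaviour
        described above. The module bytes are constructed inline; the byte layout follows the
        WebAssembly binary format, not any JSC-specific structure.

```python
import struct

WASM_MAGIC = b"\0asm"
WASM_VERSION = 1  # only binary version 1 is accepted; the legacy 0xD version is rejected


class WasmFormatError(ValueError):
    """Malformed header, section layout or name-section content."""


def read_leb_u32(data, pos):
    """Decode an unsigned LEB128 varuint32 at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(data):
            raise WasmFormatError("truncated LEB128")
        if shift >= 35:  # a varuint32 is at most 5 bytes
            raise WasmFormatError("LEB128 too long")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
    if result > 0xFFFFFFFF:
        raise WasmFormatError("varuint32 overflow")
    return result, pos


def read_bytes(data, pos, n):
    """Return data[pos:pos+n] after checking the slice lies inside data."""
    if n > len(data) - pos:
        raise WasmFormatError("length field points past end of input")
    return data[pos:pos + n], pos + n


def read_name(data, pos):
    """Read a length-prefixed UTF-8 string (varuint32 length + bytes)."""
    length, pos = read_leb_u32(data, pos)
    raw, pos = read_bytes(data, pos, length)
    try:
        return raw.decode("utf-8"), pos
    except UnicodeDecodeError:
        raise WasmFormatError("invalid UTF-8 in name") from None


def iter_sections(module):
    """Validate magic and version, then yield (section_id, payload) per section."""
    if len(module) < 8 or module[:4] != WASM_MAGIC:
        raise WasmFormatError("bad magic or truncated header")
    version = struct.unpack_from("<I", module, 4)[0]
    if version != WASM_VERSION:
        raise WasmFormatError("unsupported binary version 0x%x" % version)
    pos = 8
    while pos < len(module):
        section_id = module[pos]
        size, pos = read_leb_u32(module, pos + 1)
        payload, pos = read_bytes(module, pos, size)
        yield section_id, payload


def parse_function_names(name_payload):
    """Parse subsection 1 (function names) of a name-section payload into {index: name}."""
    names, pos = {}, 0
    while pos < len(name_payload):
        sub_id = name_payload[pos]
        size, pos = read_leb_u32(name_payload, pos + 1)
        sub, pos = read_bytes(name_payload, pos, size)
        if sub_id != 1:
            continue  # module (0) and local (2) name subsections are not needed here
        count, p = read_leb_u32(sub, 0)
        for _ in range(count):
            index, p = read_leb_u32(sub, p)
            name, p = read_name(sub, p)
            names[index] = name
        if p != len(sub):
            raise WasmFormatError("trailing bytes in function-names subsection")
    return names


def function_names(module):
    """{function index: name} from the name section; a bad header or section layout
    raises, but a malformed name section is dropped and {} returned."""
    for section_id, payload in iter_sections(module):
        if section_id != 0:
            continue
        custom_name, pos = read_name(payload, 0)
        if custom_name != "name":
            continue
        try:
            return parse_function_names(payload[pos:])
        except WasmFormatError:
            return {}
    return {}


def is_supported_module(module):
    """True when the header and section layout are acceptable (version 1 only)."""
    try:
        for _ in iter_sections(module):
            pass
        return True
    except WasmFormatError:
        return False


# Constructed sample input (hypothetical module, not taken from any real binary).
def leb_u32(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def section(section_id, payload):  # same id + varuint32 size + payload layout as subsections
    return bytes([section_id]) + leb_u32(len(payload)) + payload


def name_entry(index, name):
    raw = name.encode("utf-8")
    return leb_u32(index) + leb_u32(len(raw)) + raw


def build_sample_module(version=WASM_VERSION, truncate_names=False):
    """One empty func type plus a name section naming functions 0 and 1."""
    type_section = section(1, bytes([1, 0x60, 0, 0]))
    func_names = section(1, leb_u32(2) + name_entry(0, "add") + name_entry(1, "main"))
    if truncate_names:
        func_names = func_names[:-2]  # subsection size now claims more bytes than exist
    name_section = section(0, leb_u32(4) + b"name" + func_names)
    return WASM_MAGIC + struct.pack("<I", version) + type_section + name_section
```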
326
327 2017-05-10  Filip Pizlo  <fpizlo@apple.com>
328
329         Null pointer dereference in WTF::RefPtr<WTF::StringImpl>::operator!() under slow_path_get_direct_pname
330         https://bugs.webkit.org/show_bug.cgi?id=171801
331
332         Reviewed by Michael Saboff.
333         
334         This was a goofy oversight. The for-in optimization relies on the bytecode generator
335         to detect when the loop's index variable gets mutated. We forgot to have the hooks for
336         detecting this in prefix and postfix operations (++i and i++).
337
338         * bytecompiler/NodesCodegen.cpp:
339         (JSC::PostfixNode::emitResolve):
340         (JSC::PrefixNode::emitResolve):
341
342 2017-05-10  Michael Catanzaro  <mcatanzaro@igalia.com>
343
344         [GTK] -Wmissing-field-initializers triggered by RemoteInspectorServer.cpp:128
345         https://bugs.webkit.org/show_bug.cgi?id=171273
346
347         Reviewed by Carlos Garcia Campos.
348
349         * inspector/remote/glib/RemoteInspectorGlib.cpp:
350         * inspector/remote/glib/RemoteInspectorServer.cpp:
351
352 2017-05-10  Adrian Perez de Castro  <aperez@igalia.com>
353
354         Remove some last remnants of the EFL port
355         https://bugs.webkit.org/show_bug.cgi?id=171922
356
357         Reviewed by Antonio Gomes.
358
359         The EFL port is no more.
360
361         * PlatformEfl.cmake: Removed.
362         * shell/PlatformEfl.cmake: Removed.
363
364 2017-05-09  Filip Pizlo  <fpizlo@apple.com>
365
366         JSInjectedScriptHost should get a copy of the boundArgs
367         https://bugs.webkit.org/show_bug.cgi?id=171897
368
369         Reviewed by Joseph Pecoraro.
370         
371         The boundArgs array is very special - it cannot be mutated in any way. So, it makes sense
372         for the inspector to get a copy of it.
373
374         * inspector/JSInjectedScriptHost.cpp:
375         (Inspector::JSInjectedScriptHost::getInternalProperties):
376         * runtime/JSBoundFunction.cpp:
377         (JSC::JSBoundFunction::boundArgsCopy):
378         * runtime/JSBoundFunction.h:
379         (JSC::JSBoundFunction::boundArgs):
380
381 2017-05-09  Mark Lam  <mark.lam@apple.com>
382
383         Unindent some code in Watchdog::shouldTerminate().
384         https://bugs.webkit.org/show_bug.cgi?id=171896
385
386         Rubber stamped by Keith Miller.
387
388         I should have done this before I landed r213107, but I forgot.  Unindenting it now.
389
390         * runtime/Watchdog.cpp:
391         (JSC::Watchdog::shouldTerminate):
392
393 2017-05-09  Michael Saboff  <msaboff@apple.com>
394
395         Cap the number of FTL compilation threads on iOS to 2
396         https://bugs.webkit.org/show_bug.cgi?id=171887
397
398         Reviewed by Filip Pizlo.
399
400         Set an iOS specific max of 2 threads.
401
402         * runtime/Options.h:
403
404 2017-05-09  Filip Pizlo  <fpizlo@apple.com>
405
406         Heap::heap() should behave gracefully for null pointers
407         https://bugs.webkit.org/show_bug.cgi?id=171888
408         <rdar://problem/32005315>
409
410         Reviewed by Mark Lam.
411         
412         Some callers of Heap::heap() can pass a null cell and they will behave gracefully if we
413         return a null Heap. So, let's do that.
414         
415         This fixes a crash and it does not hurt performance. I'm seeing a possible 0.5% regression
416         with 74% probability. That's a neutral result by our usual 95% standard.
417
418         * heap/HeapInlines.h:
419         (JSC::Heap::heap):
420
421 2017-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
422
423         Handle IDLPromise<> properly
424         https://bugs.webkit.org/show_bug.cgi?id=166752
425
426         Reviewed by Youenn Fablet.
427
428         Add JSPromise::resolve static function.
429         This applies `Promise.resolve()` conversion to a given value.
430
431         * runtime/JSGlobalObject.cpp:
432         (JSC::JSGlobalObject::init):
433         (JSC::JSGlobalObject::visitChildren):
434         * runtime/JSGlobalObject.h:
435         (JSC::JSGlobalObject::promiseResolveFunction):
436         * runtime/JSPromise.cpp:
437         (JSC::JSPromise::resolve):
438         * runtime/JSPromise.h:
439
440 2017-05-09  Zan Dobersek  <zdobersek@igalia.com>
441
442         Upstream the WPE port
443         https://bugs.webkit.org/show_bug.cgi?id=171110
444
445         Reviewed by Alex Christensen.
446
447         * PlatformWPE.cmake: Added.
448         * shell/PlatformWPE.cmake: Added.
449
450 2017-05-09  Saam Barati  <sbarati@apple.com>
451
452         CallLinkInfos belonging to Wasm->JS stubs need to be informed when we clearCode() from all Executables
453         https://bugs.webkit.org/show_bug.cgi?id=171707
454         <rdar://problem/31891649>
455
456         Reviewed by Filip Pizlo.
457
458         This patch fixes a bug where a Wasm->JS IC call stub would go stale
459         and point into a CodeBlock no longer owned by any executable. The
460         problematic scenario is this:
461
462         1. We generate the call IC which has a branch on a callee check. This
463            callee owns the Executable in question. If the branch succeeds, it
464            will call code belonging to a particular CodeBlock associated with
465            that Executable.
466
467         2. Heap::deleteAllCodeBlocks is called. This leads the Executable to clear
468            its various CodeBlock references.
469
470         3. Wasm has no idea this happened, so now it has stale ICs that point into
471            code from a CodeBlock no longer belonging to an Executable.
472
473         This patch fixes the bug by informing all JSWebAssemblyCodeBlocks to unlink
474         their CallLinkInfo when Heap::deleteAllCodeBlocks is called.
475
476         We track all JSWebAssemblyCodeBlocks by creating a new subspace for them.
477         This allows us to quickly iterate over the live JSWebAssemblyCodeBlocks in the
478         heap.
479
480         * CMakeLists.txt:
481         * JavaScriptCore.xcodeproj/project.pbxproj:
482         * heap/Heap.cpp:
483         (JSC::Heap::deleteAllCodeBlocks):
484         * heap/Subspace.h:
485         * heap/SubspaceInlines.h:
486         (JSC::Subspace::forEachLiveCell):
487         * runtime/VM.cpp:
488         (JSC::VM::VM):
489         * runtime/VM.h:
490         * wasm/js/JSWebAssemblyCodeBlock.cpp:
491         (JSC::JSWebAssemblyCodeBlock::clearJSCallICs):
492         * wasm/js/JSWebAssemblyCodeBlock.h:
493         (JSC::JSWebAssemblyCodeBlock::createStructure): Deleted.
494         (JSC::JSWebAssemblyCodeBlock::functionImportCount): Deleted.
495         (JSC::JSWebAssemblyCodeBlock::module): Deleted.
496         (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
497         (JSC::JSWebAssemblyCodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
498         (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport): Deleted.
499         (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub): Deleted.
500         (JSC::JSWebAssemblyCodeBlock::codeBlock): Deleted.
501         (JSC::JSWebAssemblyCodeBlock::offsetOfImportStubs): Deleted.
502         (JSC::JSWebAssemblyCodeBlock::allocationSize): Deleted.
503         (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub): Deleted.
504         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Added.
505         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
506         (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace):
507         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
508         (JSC::JSWebAssemblyCodeBlockSubspace::destroy):
509         * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Added.
510
511 2017-05-08  Saam Barati  <sbarati@apple.com>
512
513         testWasmBoundsCheck and testCallFunctionWithHellaArguments is broken in testb3
514         https://bugs.webkit.org/show_bug.cgi?id=171392
515         <rdar://problem/31872222>
516
517         Reviewed by Keith Miller.
518
519         This patch fixes two bugs. The first one is:
520         Inside testb3, we were using the wrong WasmBoundsCheckValue constructor.
521         Everything compiled OK because of implicit casting in C. I've changed one
522         of the constructors to take arguments in a different order so we don't
523         run into this problem again.
524         
525         The second bug was that Air::ShufflePair::inst was assuming that a move
526         from BigImm to its destination is always valid. This is not the case.
527         For example, the store, `Move BigImm, Addr` is not allowed. I refactored
528         the code to be correct by emitting more than one instruction when needeed.
529         
530         When testing my changes, I ran ARM64 testb3 both in debug and
531         release. I ran into many pre-existing failures. I've opened
532         a new bug to fix those here: https://bugs.webkit.org/show_bug.cgi?id=171826
533
534         * b3/B3WasmBoundsCheckValue.cpp:
535         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
536         * b3/B3WasmBoundsCheckValue.h:
537         * b3/air/AirEmitShuffle.cpp:
538         (JSC::B3::Air::ShufflePair::insts):
539         (JSC::B3::Air::ShufflePair::inst): Deleted.
540         * b3/air/AirEmitShuffle.h:
541         * b3/air/AirLowerMacros.cpp:
542         (JSC::B3::Air::lowerMacros):
543         * b3/testb3.cpp:
544         (JSC::B3::testLoadAcq42):
545         (JSC::B3::testStoreRelAddLoadAcq32):
546         (JSC::B3::testStoreRelAddLoadAcq8):
547         (JSC::B3::testStoreRelAddFenceLoadAcq8):
548         (JSC::B3::testStoreRelAddLoadAcq16):
549         (JSC::B3::testStoreRelAddLoadAcq64):
550         (JSC::B3::testSimplePatchpointWithOuputClobbersGPArgs):
551         (JSC::B3::testCheckMul):
552         (JSC::B3::testCheckMulMemory):
553         (JSC::B3::testCheckMul64):
554         (JSC::B3::testCheckMulFold):
555         (JSC::B3::testCheckMulFoldFail):
556         (JSC::B3::testCheckMulArgumentAliasing64):
557         (JSC::B3::testCheckMulArgumentAliasing32):
558         (JSC::B3::testCheckMul64SShr):
559         (JSC::B3::testCallFunctionWithHellaArguments):
560         (JSC::B3::functionWithHellaArguments2):
561         (JSC::B3::testCallFunctionWithHellaArguments2):
562         (JSC::B3::functionWithHellaArguments3):
563         (JSC::B3::testCallFunctionWithHellaArguments3):
564         (JSC::B3::testSpillDefSmallerThanUse):
565         (JSC::B3::testLateRegister):
566         (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
567         (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
568         (JSC::B3::testMoveConstants):
569         (JSC::B3::testAtomicWeakCAS):
570         (JSC::B3::testAtomicStrongCAS):
571         (JSC::B3::testAtomicXchg):
572         (JSC::B3::testWasmBoundsCheck):
573         (JSC::B3::run):
574         * wasm/WasmB3IRGenerator.cpp:
575         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
576
577 2017-05-08  Filip Pizlo  <fpizlo@apple.com>
578
579         Expose a function to get proxy targets
580         https://bugs.webkit.org/show_bug.cgi?id=171797
581         <rdar://problem/32027549>
582
583         Reviewed by Mark Lam.
584         
585         This exposes a new private API function, JSObjectGetProxyTarget(), that gets the target of a
586         proxy. It works with both ProxyObject and JSProxy, but it's primarily intended for use with
587         JSProxy.
588
589         * API/JSObjectRef.cpp:
590         (JSObjectGetProxyTarget):
591         * API/JSObjectRefPrivate.h:
592         * API/tests/JSObjectGetProxyTargetTest.cpp: Added.
593         (testJSObjectGetProxyTarget):
594         * API/tests/JSObjectGetProxyTargetTest.h: Added.
595         * API/tests/testapi.c:
596         (main):
597         * JavaScriptCore.xcodeproj/project.pbxproj:
598         * runtime/ProxyObject.h:
599         * shell/PlatformWin.cmake: 
600
601 2017-05-08  Mark Lam  <mark.lam@apple.com>
602
603         op_throw_static_error's use of its first operand should be reflected in DFG BytecodeUseDef as well.
604         https://bugs.webkit.org/show_bug.cgi?id=171786
605         <rdar://problem/32051023>
606
607         Reviewed by Saam Barati.
608
609         * bytecode/BytecodeDumper.cpp:
610         (JSC::BytecodeDumper<Block>::dumpBytecode):
611         - Fix BytecodeDumper to dump op_throw_static_error correctly.  Previously,
612           it was expecting op1 to always be a constant.  r206870 changed it to take a
613           variable string as well.
614
615         * bytecode/BytecodeUseDef.h:
616         (JSC::computeUsesForBytecodeOffset):
617         - Fix the bug.
618
619         * dfg/DFGByteCodeParser.cpp:
620         (JSC::DFG::ByteCodeParser::parseBlock):
621         - Move the Phantom of op1 after the ThrowStaticError node, because technically,
622           the ThrowStaticError represents op_throw_static_error, and op_throw_static_error
623           uses op1.  In practice, this probably doesn't matter, but let's have the code
624           accurately communicate the behavior we're expecting.
625
626 2017-05-08  JF Bastien  <jfbastien@apple.com>
627
628         WebAssembly: don't just emit extended offset adds for patch
629         https://bugs.webkit.org/show_bug.cgi?id=171799
630
631         Reviewed by Mark Lam.
632
633         It isn't necessary to restrict.
634
635         * b3/air/AirLowerStackArgs.cpp:
636         (JSC::B3::Air::lowerStackArgs):
637
638 2017-05-08  Mark Lam  <mark.lam@apple.com>
639
640         Introduce ExceptionScope::assertNoException() and releaseAssertNoException().
641         https://bugs.webkit.org/show_bug.cgi?id=171776
642
643         Reviewed by Keith Miller.
644
645         Instead of ASSERT(!scope.exception()), we can now do scope.assertNoException().
646         Ditto for RELEASE_ASSERT and scope.releaseAssertNoException().  
647
648         The advantage of using ExceptionScope::assertNoException() and
649         releaseAssertNoException() is that if the assertion fails, these utility
650         functions will print the stack trace for where the unexpected exception is
651         detected as well as where the unexpected exception was thrown from.  This makes
652         it much easier to debug the source of unhandled exceptions.
653
654         * debugger/Debugger.cpp:
655         (JSC::Debugger::pauseIfNeeded):
656         * dfg/DFGOperations.cpp:
657         * interpreter/Interpreter.cpp:
658         (JSC::eval):
659         (JSC::notifyDebuggerOfUnwinding):
660         (JSC::Interpreter::executeProgram):
661         (JSC::Interpreter::executeCall):
662         (JSC::Interpreter::executeConstruct):
663         (JSC::Interpreter::prepareForRepeatCall):
664         (JSC::Interpreter::execute):
665         (JSC::Interpreter::debug):
666         * interpreter/ShadowChicken.cpp:
667         (JSC::ShadowChicken::functionsOnStack):
668         * jsc.cpp:
669         (GlobalObject::moduleLoaderResolve):
670         (GlobalObject::moduleLoaderFetch):
671         (functionGenerateHeapSnapshot):
672         (functionSamplingProfilerStackTraces):
673         (box):
674         (runWithScripts):
675         * runtime/AbstractModuleRecord.cpp:
676         (JSC::AbstractModuleRecord::finishCreation):
677         * runtime/ArrayPrototype.cpp:
678         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
679         * runtime/Completion.cpp:
680         (JSC::rejectPromise):
681         * runtime/ErrorInstance.cpp:
682         (JSC::ErrorInstance::sanitizedToString):
683         * runtime/ExceptionHelpers.cpp:
684         (JSC::createError):
685         * runtime/ExceptionScope.cpp:
686         (JSC::ExceptionScope::unexpectedExceptionMessage):
687         * runtime/ExceptionScope.h:
688         (JSC::ExceptionScope::assertNoException):
689         (JSC::ExceptionScope::releaseAssertNoException):
690         (JSC::ExceptionScope::unexpectedExceptionMessage):
691         * runtime/GenericArgumentsInlines.h:
692         (JSC::GenericArguments<Type>::defineOwnProperty):
693         * runtime/IntlCollator.cpp:
694         (JSC::IntlCollator::createCollator):
695         (JSC::IntlCollator::resolvedOptions):
696         * runtime/IntlDateTimeFormat.cpp:
697         (JSC::IntlDateTimeFormat::resolvedOptions):
698         (JSC::IntlDateTimeFormat::format):
699         * runtime/IntlNumberFormat.cpp:
700         (JSC::IntlNumberFormat::createNumberFormat):
701         (JSC::IntlNumberFormat::resolvedOptions):
702         * runtime/JSCJSValue.cpp:
703         (JSC::JSValue::putToPrimitiveByIndex):
704         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
705         (JSC::genericTypedArrayViewProtoFuncIncludes):
706         (JSC::genericTypedArrayViewProtoFuncIndexOf):
707         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
708         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
709         * runtime/JSGlobalObject.cpp:
710         (JSC::JSGlobalObject::init):
711         * runtime/JSGlobalObjectFunctions.cpp:
712         (JSC::globalFuncHostPromiseRejectionTracker):
713         * runtime/JSModuleEnvironment.cpp:
714         (JSC::JSModuleEnvironment::getOwnPropertySlot):
715         * runtime/JSModuleLoader.cpp:
716         (JSC::JSModuleLoader::finishCreation):
717         * runtime/JSModuleNamespaceObject.cpp:
718         (JSC::JSModuleNamespaceObject::finishCreation):
719         * runtime/JSONObject.cpp:
720         (JSC::Stringifier::toJSON):
721         * runtime/JSObject.cpp:
722         (JSC::JSObject::ordinaryToPrimitive):
723         * runtime/JSPropertyNameEnumerator.h:
724         (JSC::propertyNameEnumerator):
725         * runtime/ObjectConstructor.cpp:
726         (JSC::objectConstructorGetOwnPropertyDescriptors):
727         (JSC::objectConstructorDefineProperty):
728         * runtime/ObjectPrototype.cpp:
729         (JSC::objectProtoFuncHasOwnProperty):
730         * runtime/ProgramExecutable.cpp:
731         (JSC::ProgramExecutable::initializeGlobalProperties):
732         * runtime/ReflectObject.cpp:
733         (JSC::reflectObjectDefineProperty):
734         * runtime/SamplingProfiler.cpp:
735         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
736         * runtime/StringPrototype.cpp:
737         (JSC::stringProtoFuncRepeatCharacter):
738         * runtime/TemplateRegistry.cpp:
739         (JSC::TemplateRegistry::getTemplateObject):
740         * runtime/VM.cpp:
741         (JSC::VM::throwException):
742         * runtime/VM.h:
743         (JSC::VM::nativeStackTraceOfLastThrow):
744         (JSC::VM::clearException):
745         * wasm/WasmB3IRGenerator.cpp:
746         * wasm/js/JSWebAssemblyInstance.cpp:
747         (JSC::JSWebAssemblyInstance::create):
748
749 2017-05-06  Bill Ming  <mbbill@gmail.com>
750
751         Fix 32bit Windows build by giving correct parameters to MASM
752         https://bugs.webkit.org/show_bug.cgi?id=170833
753
754         Reviewed by Alex Christensen.
755
756         * CMakeLists.txt:
757
758 2017-05-06  Oleksandr Skachkov  <gskachkov@gmail.com>
759
760         [ES6] Arrow function. Issue in access to this after eval('super()') within constructor
761         https://bugs.webkit.org/show_bug.cgi?id=171543
762
763         Reviewed by Saam Barati.
764
765         The current patch forces the use of 'this' within an arrow function or eval
766         from the virtual scope each time, instead of using thisRegister.
767
768         * bytecompiler/BytecodeGenerator.cpp:
769         (JSC::BytecodeGenerator::ensureThis):
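
The behaviour this entry fixes can be observed from script. The following is an added example, not JSC code or part of the original ChangeLog; the class names are invented. An arrow function created in a derived constructor must read the constructor's `this` binding at call time, so it sees the instance that super() initialises, also when super() runs through a direct eval, and it must throw a ReferenceError if called before super() has run.

```javascript
// Added example, not JSC code: an arrow function created in a derived
// constructor must read the constructor's `this` binding at call time, so it
// sees the instance that super() initialises, also when super() runs through a
// direct eval. Class names are invented for the example.
class Base {
  constructor() {
    this.tag = "base-initialised";
  }
}

class Derived extends Base {
  constructor(callSuperThroughEval) {
    // Created before super(): captures the `this` binding lexically while it
    // is still uninitialised (temporal dead zone).
    const readThis = () => this;

    let beforeSuper;
    try {
      readThis();
      beforeSuper = "no error";
    } catch (e) {
      beforeSuper = e.constructor.name; // ReferenceError: super() not yet called
    }

    if (callSuperThroughEval) {
      eval("super()"); // direct eval inside a derived constructor may call super()
    } else {
      super();
    }

    // The same arrow must now observe the initialised instance, not a stale
    // register captured at arrow-creation time.
    this.beforeSuper = beforeSuper;
    this.arrowSeesInstance = readThis() === this;
    this.arrowTag = readThis().tag;
  }
}

function probe(callSuperThroughEval) {
  const d = new Derived(callSuperThroughEval);
  return {
    beforeSuper: d.beforeSuper,
    arrowSeesInstance: d.arrowSeesInstance,
    arrowTag: d.arrowTag,
  };
}
```

`probe(true)` exercises the eval('super()') path from the bug report and `probe(false)` the plain super() call; both must report `arrowSeesInstance === true`, and in both the call made before super() must have thrown a ReferenceError.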
770
771 2017-05-05  Keith Miller  <keith_miller@apple.com>
772
773         Put does not properly consult the prototype chain
774         https://bugs.webkit.org/show_bug.cgi?id=171754
775
776         Reviewed by Saam Barati.
777
778         We should do a follow up that cleans up the rest of put. See:
779         https://bugs.webkit.org/show_bug.cgi?id=171759
780
781         * runtime/JSCJSValue.cpp:
782         (JSC::JSValue::putToPrimitive):
783         * runtime/JSObject.cpp:
784         (JSC::JSObject::putInlineSlow):
785         * runtime/JSObjectInlines.h:
786         (JSC::JSObject::canPerformFastPutInline):
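
What "consulting the prototype chain" means for a put is observable from script. The following is an added example, not JSC code or part of the original ChangeLog; the property names are invented. A [[Set]] must walk the prototype chain before creating an own property on the receiver: a non-writable data property or an accessor found on a prototype decides the outcome, and a put on a primitive (the putToPrimitive case above) consults the wrapper prototype the same way.

```javascript
// Added example, not JSC code: [[Set]] (ordinary put) must walk the prototype
// chain before it creates an own property on the receiver. A non-writable data
// property or an accessor found on a prototype decides the outcome, and a put on
// a primitive consults the wrapper prototype the same way. Property names are
// invented for the example.
function putThroughPrototypeChain() {
  "use strict";
  const log = [];
  const proto = {};
  Object.defineProperty(proto, "frozenSlot", { value: 1, writable: false });
  Object.defineProperty(proto, "guarded", {
    get() { return "via-getter"; },
    set(v) { log.push({ receiver: this, v }); },
  });
  const obj = Object.create(proto);
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const results = {};

  // 1. Non-writable data property on the prototype: the strict-mode put throws
  //    and no own property is created on obj.
  try {
    obj.frozenSlot = 2;
    results.frozenSlot = "assigned";
  } catch (e) {
    results.frozenSlot = e.constructor.name;
  }
  results.frozenSlotOwn = hasOwn(obj, "frozenSlot");

  // 2. Accessor on the prototype: the setter runs with obj as its receiver and
  //    again no own property appears.
  obj.guarded = 42;
  results.setterSawObj = log.length === 1 && log[0].receiver === obj && log[0].v === 42;
  results.guardedOwn = hasOwn(obj, "guarded");

  // 3. Name absent from the whole chain: an own data property is created.
  obj.fresh = "x";
  results.freshOwn = hasOwn(obj, "fresh");

  // 4. Primitive receiver: a setter on String.prototype is consulted (and sees
  //    the primitive as `this` in strict code); a property that is absent
  //    cannot be created on a primitive, so strict code throws.
  Object.defineProperty(String.prototype, "sink", {
    configurable: true,
    set(v) { log.push({ receiver: this, v }); },
  });
  try {
    "abc".sink = 7;
    results.primitiveSetter = log.length === 2 && log[1].v === 7 && typeof log[1].receiver === "string";
    "abc".nothingHere = 1;
    results.primitiveCreate = "assigned";
  } catch (e) {
    results.primitiveCreate = e.constructor.name;
  } finally {
    delete String.prototype.sink;
  }
  return results;
}
```

The function runs in strict mode on purpose: in sloppy mode cases 1 and 4 fail silently, which is exactly the kind of behaviour that hides a put fast path that skipped the chain.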
787
788 2017-05-05  JF Bastien  <jfbastien@apple.com>
789
790         WebAssembly: Air::Inst::generate crashes on large binary on A64
791         https://bugs.webkit.org/show_bug.cgi?id=170215
792
793         Reviewed by Filip Pizlo.
794
795         ARM can't encode all offsets in a single instruction. We usually
796         handle this type of detail early, or the macro assembler uses a
797         scratch register to take care of the large immediate. After
798         register allocation we assumed that we would never get large
799         offsets, and asserted this was the case. That was a fine
800         assumption with JavaScript, but WebAssembly ends up generating
801         stack frames which are too big to encode.
802
803         There are two places that needed to be fixed:
804             1. AirGenerate
805             2. AirLowerStackArgs
806
807         We now unconditionally pin the dataTempRegister on ARM64, and use
808         it when immediates don't fit.
809
810         Number 1. is easy: we're just incrementing SP, make sure we can
811         use a scratch register when that happens.
812
813         Number 2. is more complex: not all Inst can receive a stack
814         argument whose base register isn't SP or FP. Specifically,
815         Patchpoints and Stackmaps get very sad because they just want to
816         know the offset value, but when we materialize the offset as
817         follows:
818
819             Move (spill337), (spill201), %r0, @8735
820
821         Becomes (where %r16 is dataTempRegister):
822             Move $1404, %r16, @8736
823             Add64 %sp, %r16, @8736
824             Move (%r16), 2032(%sp), %r0, @8736
825
826         The code currently doesn't see through our little dance. To work
827         around this issue we introduce a new Air Arg kind:
828         ExtendedOffsetAddr. This is the same as a regular Addr, but with
829         an offset which may be too big to encode. Opcodes then declare
830         whether their arguments can handle such inputs, and if so we
831         generate them, otherwise we generate Addr as shown above.
832
833         None of this affects x86 because it can always encode large
834         immediates.
835
836         This patch also drive-by converts some uses of `override` to
837         `final`. It makes the code easier to grok, and maybe helps the
838         optimizer sometimes but really that doesn't matter.
839
840         * assembler/MacroAssembler.h:
841         * assembler/MacroAssemblerARM64.h:
842         * b3/B3CheckSpecial.cpp:
843         (JSC::B3::CheckSpecial::admitsExtendedOffsetAddr):
844         * b3/B3CheckSpecial.h:
845         * b3/B3Common.cpp:
846         (JSC::B3::pinnedExtendedOffsetAddrRegister): keep the CPU-specific
847         pinning information in a cpp file
848         * b3/B3Common.h:
849         * b3/B3PatchpointSpecial.cpp:
850         (JSC::B3::PatchpointSpecial::admitsExtendedOffsetAddr):
851         * b3/B3PatchpointSpecial.h:
852         * b3/B3StackmapSpecial.cpp:
853         (JSC::B3::StackmapSpecial::isArgValidForRep):
854         (JSC::B3::StackmapSpecial::repForArg):
855         * b3/B3StackmapSpecial.h:
856         * b3/air/AirArg.cpp:
857         (JSC::B3::Air::Arg::isStackMemory):
858         (JSC::B3::Air::Arg::jsHash):
859         (JSC::B3::Air::Arg::dump):
860         (WTF::printInternal):
861         (JSC::B3::Air::Arg::stackAddrImpl): Deleted. There was only one
862         use of this (in AirLowerStackArgs) and it was now confusing to
863         split the logic up between these two. Inline the code that used to
864         be here into its one usepoint instead.
865         * b3/air/AirArg.h:
866         (JSC::B3::Air::Arg::extendedOffsetAddr):
867         (JSC::B3::Air::Arg::isExtendedOffsetAddr):
868         (JSC::B3::Air::Arg::isMemory):
869         (JSC::B3::Air::Arg::base):
870         (JSC::B3::Air::Arg::offset):
871         (JSC::B3::Air::Arg::isGP):
872         (JSC::B3::Air::Arg::isFP):
873         (JSC::B3::Air::Arg::isValidForm):
874         (JSC::B3::Air::Arg::forEachTmpFast):
875         (JSC::B3::Air::Arg::forEachTmp):
876         (JSC::B3::Air::Arg::asAddress):
877         (JSC::B3::Air::Arg::stackAddr): Deleted.
878         * b3/air/AirCCallSpecial.cpp:
879         (JSC::B3::Air::CCallSpecial::isValid):
880         (JSC::B3::Air::CCallSpecial::admitsExtendedOffsetAddr):
881         (JSC::B3::Air::CCallSpecial::generate):
882         * b3/air/AirCCallSpecial.h:
883         * b3/air/AirCode.cpp:
884         (JSC::B3::Air::Code::Code):
885         (JSC::B3::Air::Code::pinRegister): Check that the register wasn't
886         pinned before pinning it. It's likely a bug to pin the same
887         register twice.
888         * b3/air/AirCustom.h:
889         (JSC::B3::Air::PatchCustom::admitsExtendedOffsetAddr):
890         (JSC::B3::Air::CCallCustom::admitsExtendedOffsetAddr):
891         (JSC::B3::Air::ShuffleCustom::admitsExtendedOffsetAddr):
892         (JSC::B3::Air::EntrySwitchCustom::admitsExtendedOffsetAddr):
893         (JSC::B3::Air::WasmBoundsCheckCustom::admitsExtendedOffsetAddr):
894         * b3/air/AirGenerate.cpp:
895         (JSC::B3::Air::generate):
896         * b3/air/AirInst.h:
897         * b3/air/AirInstInlines.h:
898         (JSC::B3::Air::Inst::admitsExtendedOffsetAddr):
899         * b3/air/AirLowerStackArgs.cpp:
900         (JSC::B3::Air::lowerStackArgs):
901         * b3/air/AirPrintSpecial.cpp:
902         (JSC::B3::Air::PrintSpecial::admitsExtendedOffsetAddr):
903         (JSC::B3::Air::PrintSpecial::generate):
904         * b3/air/AirPrintSpecial.h:
905         * b3/air/AirSpecial.h:
906         * b3/air/opcode_generator.rb:
907
908 2017-05-05  Oliver Hunt  <oliver@apple.com>
909
910         Move trivial String prototype functions to JS builtins
911         https://bugs.webkit.org/show_bug.cgi?id=171737
912
913         Reviewed by Saam Barati.
914
915         Super simple change to migrate all of the old school
916         html-ifying string operations to builtin JS.
917
918         Core implementation is basically a 1-for-1 match to the spec.
919
920         * builtins/StringPrototype.js:
921         (globalPrivate.createHTML):
922         (anchor):
923         (big):
924         (blink):
925         (bold):
926         (fixed):
927         (fontcolor):
928         (fontsize):
929         (italics):
930         (link):
931         (small):
932         (strike):
933         (sub):
934         (sup):
935         * runtime/StringPrototype.cpp:
936         (JSC::StringPrototype::finishCreation):
937         (JSC::stringProtoFuncBig): Deleted.
938         (JSC::stringProtoFuncSmall): Deleted.
939         (JSC::stringProtoFuncBlink): Deleted.
940         (JSC::stringProtoFuncBold): Deleted.
941         (JSC::stringProtoFuncFixed): Deleted.
942         (JSC::stringProtoFuncItalics): Deleted.
943         (JSC::stringProtoFuncStrike): Deleted.
944         (JSC::stringProtoFuncSub): Deleted.
945         (JSC::stringProtoFuncSup): Deleted.
946         (JSC::stringProtoFuncFontcolor): Deleted.
947         (JSC::stringProtoFuncFontsize): Deleted.
948         (JSC::stringProtoFuncAnchor): Deleted.
949         (JSC::stringProtoFuncLink): Deleted.
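
The spec operation these builtins share, CreateHTML, is small enough to show in full. The following is an added example written against the spec steps; it is not JSC's builtins/StringPrototype.js and the wrapper object is invented for the example. The security-relevant detail is that the only escaping the spec performs is replacing `"` with `&quot;` inside the attribute value: the string body, and any `<` or `&` in the attribute, pass through unchanged, so these methods are not an HTML-escaping facility.

```javascript
// Added example, not JSC's builtin: CreateHTML implemented from the spec steps.
// Only the attribute value has `"` replaced by `&quot;`; the string body is
// emitted verbatim. The htmlMethods wrapper object is invented for the example.
function createHTML(string, tag, attribute, value) {
  // RequireObjectCoercible(this value)
  if (string === undefined || string === null) {
    throw new TypeError("String.prototype HTML method called on null or undefined");
  }
  const S = String(string);
  let p1 = "<" + tag;
  if (attribute !== "") {
    const V = String(value);
    const escapedV = V.replace(/"/g, "&quot;"); // the only escaping step
    p1 += " " + attribute + '="' + escapedV + '"';
  }
  return p1 + ">" + S + "</" + tag + ">";
}

// Thin wrappers with the (tag, attribute) pairs the spec assigns to each method.
const htmlMethods = {
  anchor: (s, name) => createHTML(s, "a", "name", name),
  bold: (s) => createHTML(s, "b", "", ""),
  fontcolor: (s, color) => createHTML(s, "font", "color", color),
  link: (s, url) => createHTML(s, "a", "href", url),
};

// Check the model against the engine's own String.prototype method on the same input.
function matchesBuiltin(s, method, arg) {
  return htmlMethods[method](s, arg) === String.prototype[method].call(s, arg);
}
```

`htmlMethods.link("click", "javascript:alert(1)")` returns the href unchanged, and `htmlMethods.bold("<script>")` wraps the markup as-is; anything that reaches a document through these methods must be escaped by the caller.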
950
951 2017-05-05  Don Olmstead  <don.olmstead@am.sony.com>
952
953         [JSC] Remove export from Intrinsic
954         https://bugs.webkit.org/show_bug.cgi?id=171752
955
956         Reviewed by Alexey Proskuryakov.
957
958         * runtime/Intrinsic.h:
959
960 2017-05-05  Saam Barati  <sbarati@apple.com>
961
962         putDirectIndex does not properly do defineOwnProperty
963         https://bugs.webkit.org/show_bug.cgi?id=171591
964         <rdar://problem/31735695>
965
966         Reviewed by Geoffrey Garen.
967
968         This patch fixes putDirectIndex and its JIT implementations to be
969         compatible with the ES6 spec. I think our code became out of date
970         when we implemented ArraySpeciesCreate since ArraySpeciesCreate may
971         return arbitrary objects. We perform putDirectIndex on that arbitrary
972         object. The behavior we want is as if we performed defineProperty({configurable:true, enumerable:true, writable:true}).
973         However, we weren't doing this. putDirectIndex assumed it could just splat
974         data into any descendant of JSObject's butterfly. For example, this means
975         we'd just splat into the butterfly of a typed array, even though a typed
976         array doesn't use its butterfly to store its indexed properties in the usual
977         way. Also, typed array properties are non-configurable, so this operation
978         should throw. This also means if we saw a ProxyObject, we'd just splat
979         into its butterfly, but this is obviously wrong because ProxyObject should
980         intercept the defineProperty operation.
981         
982         This patch fixes this issue by adding a whitelist of cell types that can
983         go down putDirectIndex's fast path. Anything not in that whitelist will
984         simply call into defineOwnProperty.
985
986         * bytecode/ByValInfo.h:
987         (JSC::jitArrayModePermitsPutDirect):
988         * dfg/DFGArrayMode.cpp:
989         (JSC::DFG::ArrayMode::refine):
990         * jit/JITOperations.cpp:
991         * runtime/ArrayPrototype.cpp:
992         (JSC::arrayProtoFuncSplice):
993         * runtime/ClonedArguments.cpp:
994         (JSC::ClonedArguments::createStructure):
995         * runtime/JSGenericTypedArrayViewInlines.h:
996         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
997         * runtime/JSObject.cpp:
998         (JSC::canDoFastPutDirectIndex):
999         (JSC::JSObject::defineOwnIndexedProperty):
1000         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1001         (JSC::JSObject::putDirectIndexBeyondVectorLength): Deleted.
1002         * runtime/JSObject.h:
1003         (JSC::JSObject::putDirectIndex):
1004         (JSC::JSObject::canSetIndexQuicklyForPutDirect): Deleted.
1005         * runtime/JSType.h:
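
The two cases the entry names, a ProxyObject and a typed array handed back by ArraySpeciesCreate, can be reproduced from script. The following is an added example, not JSC code or part of the original ChangeLog; the class, handler and function names are invented. Each result of Array.prototype.map must be stored with CreateDataPropertyOrThrow, i.e. a defineProperty with {configurable: true, enumerable: true, writable: true}, which a Proxy observes through its defineProperty trap; a fast path that wrote straight into the object's storage would bypass that trap.

```javascript
// Added example, not JSC code: ArraySpeciesCreate lets Array.prototype.map hand
// back whatever the species constructor returns. Each result must then be
// stored with CreateDataPropertyOrThrow, i.e. a defineProperty with
// {configurable: true, enumerable: true, writable: true} that a Proxy observes
// through its defineProperty trap. Class, handler and function names are
// invented for the example.
const trapLog = [];
const observingHandler = {
  defineProperty(target, key, desc) {
    trapLog.push({ key, desc: Object.assign({}, desc) });
    return Reflect.defineProperty(target, key, desc);
  },
  set(target, key, value, receiver) {
    // Never reached for map's results: the spec path defines, it does not [[Set]].
    trapLog.push({ key, viaSet: true });
    return Reflect.set(target, key, value, receiver);
  },
};

class ProxySpeciesArray extends Array {
  static get [Symbol.species]() {
    // The species "constructor" returns an arbitrary object, here a Proxy.
    return function ProxySpecies(length) {
      return new Proxy({}, observingHandler);
    };
  }
}

function mapThroughProxySpecies(values) {
  trapLog.length = 0;
  const src = ProxySpeciesArray.from(values);
  const out = src.map((x) => x * 2);
  return {
    out,
    defineCalls: trapLog.filter((e) => !e.viaSet),
    setCalls: trapLog.filter((e) => e.viaSet),
  };
}

class TypedSpeciesArray extends Array {
  static get [Symbol.species]() {
    return Uint8Array;
  }
}

// Typed-array elements are not ordinary butterfly slots. Under the 2017 spec
// they are non-configurable, so the define must throw a TypeError; later
// editions changed the element descriptor, so an engine may store the values.
function mapThroughTypedSpecies(values) {
  try {
    const out = TypedSpeciesArray.from(values).map((x) => x * 2);
    return { outcome: "stored", isUint8Array: out instanceof Uint8Array, values: Array.from(out) };
  } catch (e) {
    return { outcome: e.constructor.name };
  }
}
```

`mapThroughProxySpecies([1, 2, 3])` must show exactly three defineProperty calls, keyed "0" through "2", each carrying the full data descriptor, and no [[Set]] at all. The typed-array probe is reported rather than fixed, because its required outcome depends on which edition of the spec the engine implements.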
1006
1007 2017-05-05  Guillaume Emont  <guijemont@igalia.com>
1008
1009         [JSC] include JSCInlines.h in ObjectInitializationScope.cpp
1010         https://bugs.webkit.org/show_bug.cgi?id=171744
1011
1012         Reviewed by Mark Lam.
1013
1014         * runtime/ObjectInitializationScope.cpp:
1015
1016
1017 2017-05-05  Carlos Garcia Campos  <cgarcia@igalia.com>
1018
1019         [GTK] Assertion failure in Inspector::RemoteInspector::setRemoteInspectorClient when disposing WebKitWebContext
1020         https://bugs.webkit.org/show_bug.cgi?id=171644
1021
1022         Reviewed by Michael Catanzaro.
1023
1024         Fix the ASSERT that requires the given client to be a valid pointer, since it's valid to pass nullptr to unset the
1025         client. The ASSERT now ensures that the client is either set or unset. I also renamed the function to setClient because
1026         setRemoteInspectorClient is redundant for a class named RemoteInspector, and added a getter too, to check if the
1027         remote inspector has a client.
1028
1029         * inspector/remote/RemoteInspector.cpp:
1030         (Inspector::RemoteInspector::setClient):
1031         * inspector/remote/RemoteInspector.h:
1032
1033 2017-05-04  Commit Queue  <commit-queue@webkit.org>
1034
1035         Unreviewed, rolling out r216206.
1036         https://bugs.webkit.org/show_bug.cgi?id=171714
1037
1038         Multiple LayoutTests crashing in Document::page() (Requested
1039         by ap on #webkit).
1040
1041         Reverted changeset:
1042
1043         "Remove support for legacy Notifications"
1044         https://bugs.webkit.org/show_bug.cgi?id=171487
1045         http://trac.webkit.org/changeset/216206
1046
1047 2017-05-04  Don Olmstead  <don.olmstead@am.sony.com>
1048
1049         [Win] Remove redundant macros that are set in the CMake config
1050         https://bugs.webkit.org/show_bug.cgi?id=171571
1051
1052         Reviewed by Brent Fulgham.
1053
1054         * config.h:
1055
1056 2017-05-04  Mark Lam  <mark.lam@apple.com>
1057
1058         Gardening: Build fix for Windows after r216217.
1059         https://bugs.webkit.org/show_bug.cgi?id=171586
1060
1061         Not reviewed.
1062
1063         * shell/PlatformWin.cmake:
1064
1065 2017-05-04  Filip Pizlo  <fpizlo@apple.com>
1066
1067         JSC::Heap should expose a richer API for requesting GCs
1068         https://bugs.webkit.org/show_bug.cgi?id=171690
1069
1070         Reviewed by Geoffrey Garen.
1071         
1072         I want to stop WebCore from requesting synchronous GCs. But various parts of that work
1073         may cause regressions, so I'd like to land it separately from the functionality that is
1074         needed on the JSC side. This change is mostly a JSC-side refactoring that does not
1075         change behavior. In the future I'll land the behavior changes (i.e. not requesting sync
1076         GCs).
1077         
1078         This change allows you to enumerate over synchronousness, so that we can make all APIs
1079         take synchronousness as an argument. It replaces the collectAllGarbage API with a
1080         collectNow(Synchronousness, GCRequest) API. GCRequest is a new concept, which subsumes
1081         std::optional<CollectionScope> and gives us the ability to register callbacks along
1082         with a GC. So, you can ask for an async GC and get a callback when it's done.
1083         
1084         Also adds ability to request that fastMalloc memory be released after the incremental
1085         sweeper finishes.
1086         
1087         * API/JSBase.cpp:
1088         (JSSynchronousGarbageCollectForDebugging):
1089         * CMakeLists.txt:
1090         * JavaScriptCore.xcodeproj/project.pbxproj:
1091         * heap/FullGCActivityCallback.cpp:
1092         (JSC::FullGCActivityCallback::doCollection):
1093         * heap/FullGCActivityCallback.h:
1094         * heap/GCRequest.cpp: Added.
1095         (JSC::GCRequest::subsumedBy):
1096         (JSC::GCRequest::dump):
1097         * heap/GCRequest.h: Added.
1098         (JSC::GCRequest::GCRequest):
1099         * heap/Heap.cpp:
1100         (JSC::Heap::collect):
1101         (JSC::Heap::collectNow):
1102         (JSC::Heap::collectAsync):
1103         (JSC::Heap::collectSync):
1104         (JSC::Heap::runBeginPhase):
1105         (JSC::Heap::runEndPhase):
1106         (JSC::Heap::requestCollection):
1107         (JSC::Heap::willStartCollection):
1108         (JSC::Heap::sweeper):
1109         (JSC::Heap::collectNowFullIfNotDoneRecently):
1110         (JSC::Heap::shouldDoFullCollection):
1111         (JSC::Heap::collectAllGarbage): Deleted.
1112         (JSC::Heap::collectAllGarbageIfNotDoneRecently): Deleted.
1113         * heap/Heap.h:
1114         * heap/HeapSnapshotBuilder.cpp:
1115         (JSC::HeapSnapshotBuilder::buildSnapshot):
1116         * heap/IncrementalSweeper.cpp:
1117         (JSC::IncrementalSweeper::doSweep):
1118         * heap/IncrementalSweeper.h:
1119         (JSC::IncrementalSweeper::freeFastMallocMemoryAfterSweeping):
1120         * heap/MarkedAllocator.cpp:
1121         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
1122         * heap/MarkedSpace.cpp:
1123         (JSC::MarkedSpace::sweep):
1124         * heap/Synchronousness.cpp: Added.
1125         (WTF::printInternal):
1126         * heap/Synchronousness.h: Added.
1127         * inspector/agents/InspectorHeapAgent.cpp:
1128         (Inspector::InspectorHeapAgent::gc):
1129         * jsc.cpp:
1130         (functionGCAndSweep):
1131         (runJSC):
1132         * tools/JSDollarVMPrototype.cpp:
1133         (JSC::JSDollarVMPrototype::gc):
1134         * wasm/WasmMemory.cpp:
1135
1136 2017-05-04  Mark Lam  <mark.lam@apple.com>
1137
1138         NeverDestroyed<String>(ASCIILiteral(...)) is not thread safe.
1139         https://bugs.webkit.org/show_bug.cgi?id=171586
1140         <rdar://problem/31873190>
1141
1142         Reviewed by Yusuke Suzuki.
1143
1144         JavaScriptCore allows multiple VMs to be instantiated, and each of these should
1145         be able to run concurrently on different threads.  There is code in the VM that
1146         allocates NeverDestroyed<String>(ASCIILiteral(...)) to define immortal strings
1147         meant to be shared by all VMs.
1148
1149         However, NeverDestroyed<String>(ASCIILiteral(...)) is not thread-safe because
1150         each thread will ref and deref the underlying StringImpl.  Since this ref and
1151         deref is not done in a thread-safe way, the NeverDestroyed<String> may get
1152         destroyed due to the ref/deref races.  Additionally, each thread may modify the
1153         StringImpl by setting its hash and also twiddling its flags.
1154
1155         The fix is to use the StaticStringImpl class which is safe for ref/derefing
1156         concurrently from different threads.  StaticStringImpl is also pre-set with a
1157         hash on construction, and its flags are set in such a way as to prevent twiddling
1158         at runtime.  Hence, we will be able to share a NeverDestroyed<String> between
1159         VMs, as long as it is backed by a StaticStringImpl.
1160
1161         An alternative solution would be to change all the uses of NeverDestroyed<String>
1162         to use per-VM strings.  However, this solution is cumbersome, and makes it harder
1163         to allocate the intended shared string.  It also uses more memory and takes more
1164         CPU time because it requires allocating the same string for each VM instance.
1165         The StaticStringImpl solution wins out because it is more efficient and is easier
1166         to use.
1167
1168         The StaticStringImpl solution also can be used in WTF without a layer violation.
1169         See Source/WTF/wtf/text/icu/TextBreakIteratorICU.h for an example.
1170
1171         Also added the MultithreadedMultiVMExecutionTest which runs multiple VMs in
1172         multiple threads, all banging on the BuiltinExecutable's baseConstructorCode
1173         NeverDestroyed<String>.  The test will manifest the issue reliably (before this
1174         fix) if run on an ASAN build.
1175
1176         * API/tests/MultithreadedMultiVMExecutionTest.cpp: Added.
1177         (threadsList):
1178         (startMultithreadedMultiVMExecutionTest):
1179         (finalizeMultithreadedMultiVMExecutionTest):
1180         * API/tests/MultithreadedMultiVMExecutionTest.h: Added.
1181         * API/tests/testapi.c:
1182         (main):
1183         * JavaScriptCore.xcodeproj/project.pbxproj:
1184         * builtins/BuiltinExecutables.cpp:
1185         (JSC::BuiltinExecutables::createDefaultConstructor):
1186         * inspector/agents/InspectorDebuggerAgent.cpp:
1187         (Inspector::objectGroupForBreakpointAction):
1188         * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
1189         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
1190         (JSC::InputTraits<Test::SavedMouseButton>::type):
1191         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
1192         (JSC::InputTraits<Test::SavedMouseButton>::type):
1193         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
1194         (JSC::InputTraits<Test::HandleWheelEvent>::type):
1195         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
1196         (JSC::InputTraits<Test::FormCombo>::type):
1197         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp:
1198         (JSC::InputTraits<Test::GetCurrentTime>::type):
1199         (JSC::InputTraits<Test::SetRandomSeed>::type):
1200         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
1201         (JSC::InputTraits<Test::ArrayOfThings>::type):
1202         (JSC::InputTraits<Test::SavedHistory>::type):
1203         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp:
1204         (JSC::InputTraits<Test::ScalarInput1>::type):
1205         (JSC::InputTraits<Test::ScalarInput2>::type):
1206         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
1207         (JSC::InputTraits<Test::ScalarInput>::type):
1208         (JSC::InputTraits<Test::MapInput>::type):
1209         * runtime/IntlObject.cpp:
1210         (JSC::numberingSystemsForLocale):
1211
1212 2017-05-04  Sam Weinig  <sam@webkit.org>
1213
1214         Remove support for legacy Notifications
1215         https://bugs.webkit.org/show_bug.cgi?id=171487
1216
1217         Reviewed by Jon Lee.
1218
1219         * Configurations/FeatureDefines.xcconfig:
1220         Remove definition of ENABLE_LEGACY_NOTIFICATIONS.
1221
1222 2017-05-04  Konstantin Tokarev  <annulen@yandex.ru>
1223
1224         Fix compilation with ICU 59.1
1225         https://bugs.webkit.org/show_bug.cgi?id=171612
1226
1227         Reviewed by Mark Lam.
1228
1229         ICU 59.1 has broken source compatibility. Now it defines UChar as
1230         char16_t, which does not allow automatic type conversion from unsigned
1231         short in C++ code.
1232
1233         * API/JSStringRef.cpp:
1234         (JSStringCreateWithCharacters):
1235         (JSStringCreateWithCharactersNoCopy):
1236         (JSStringGetCharactersPtr):
1237         * runtime/DateConversion.cpp:
1238         (JSC::formatDateTime):
1239
1240 2017-05-04  Saam Barati  <sbarati@apple.com>
1241
1242         stress/call-apply-exponential-bytecode-size.js.no-llint failing on 32-bit debug for OOM on executable memory
1243         https://bugs.webkit.org/show_bug.cgi?id=171008
1244
1245         Reviewed by Yusuke Suzuki.
1246
1247         This patch lowers the threshold for .call/.apply recursion
1248         in an attempt to emit less code and not impact perf.
1249         We're currently failing tests on x86-32 by running out
1250         of executable memory. If perf gets impacted because of this,
1251         then I'll apply a stricter change just to 32-bit platforms.
1252         However, if this doesn't negatively impact perf, it's all around
1253         better that all platforms emit less bytecode.
1254
1255         * bytecompiler/NodesCodegen.cpp:
1256
1257 2017-05-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1258
1259         [JSC] Math unary functions should be handled by DFG
1260         https://bugs.webkit.org/show_bug.cgi?id=171269
1261
1262         Reviewed by Saam Barati.
1263
1264         ArithSin, ArithCos, and ArithLog are just calling a C runtime function.
1265         While handling them in DFG is not very effective for performance, they
1266         can drop some type checks & value conversions and mark them as pure
1267         operations. It is effective if they are involved in some complex
1268         optimization phase. Actually, ArithLog is effective in kraken.
1269
1270         While a few of the Math functions have DFG nodes, math functions are basically
1271         pure. And a large part of these functions are just calling a C runtime
1272         function. This patch generalizes these nodes in DFG as ArithUnary. And
1273         we annotate many unary math functions with Intrinsics and convert them
1274         to ArithUnary in DFG. It also cleans up duplicate code in ArithSin,
1275         ArithCos, and ArithLog. If your math function has some good DFG / FTL
1276         optimization rather than calling a C runtime function, you should add
1277         a specialized DFG node, like ArithSqrt.
1278
1279         We also create a new namespace JSC::Math. Inside it, we collect math functions.
1280
1281         * dfg/DFGAbstractInterpreterInlines.h:
1282         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1283         * dfg/DFGArithMode.cpp:
1284         (JSC::DFG::arithUnaryFunction):
1285         (JSC::DFG::arithUnaryOperation):
1286         (WTF::printInternal):
1287         * dfg/DFGArithMode.h:
1288         * dfg/DFGBackwardsPropagationPhase.cpp:
1289         (JSC::DFG::BackwardsPropagationPhase::propagate):
1290         * dfg/DFGByteCodeParser.cpp:
1291         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1292         * dfg/DFGClobberize.h:
1293         (JSC::DFG::clobberize):
1294         * dfg/DFGDoesGC.cpp:
1295         (JSC::DFG::doesGC):
1296         * dfg/DFGFixupPhase.cpp:
1297         (JSC::DFG::FixupPhase::fixupNode):
1298         * dfg/DFGGraph.cpp:
1299         (JSC::DFG::Graph::dump):
1300         * dfg/DFGNode.h:
1301         (JSC::DFG::Node::hasArithUnaryType):
1302         (JSC::DFG::Node::arithUnaryType):
1303         * dfg/DFGNodeType.h:
1304         * dfg/DFGOperations.cpp:
1305         * dfg/DFGOperations.h:
1306         * dfg/DFGPredictionPropagationPhase.cpp:
1307         * dfg/DFGSafeToExecute.h:
1308         (JSC::DFG::safeToExecute):
1309         * dfg/DFGSpeculativeJIT.cpp:
1310         (JSC::DFG::SpeculativeJIT::compileArithUnary):
1311         (JSC::DFG::SpeculativeJIT::compileArithCos): Deleted.
1312         (JSC::DFG::SpeculativeJIT::compileArithTan): Deleted.
1313         (JSC::DFG::SpeculativeJIT::compileArithSin): Deleted.
1314         (JSC::DFG::SpeculativeJIT::compileArithLog): Deleted.
1315         * dfg/DFGSpeculativeJIT.h:
1316         * dfg/DFGSpeculativeJIT32_64.cpp:
1317         (JSC::DFG::SpeculativeJIT::compile):
1318         * dfg/DFGSpeculativeJIT64.cpp:
1319         (JSC::DFG::SpeculativeJIT::compile):
1320         * ftl/FTLCapabilities.cpp:
1321         (JSC::FTL::canCompile):
1322         * ftl/FTLLowerDFGToB3.cpp:
1323         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1324         (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary):
1325         (JSC::FTL::DFG::LowerDFGToB3::compileArithSin): Deleted.
1326         (JSC::FTL::DFG::LowerDFGToB3::compileArithCos): Deleted.
1327         (JSC::FTL::DFG::LowerDFGToB3::compileArithTan): Deleted.
1328         (JSC::FTL::DFG::LowerDFGToB3::compileArithLog): Deleted.
1329         * ftl/FTLOutput.cpp:
1330         (JSC::FTL::Output::doubleUnary):
1331         (JSC::FTL::Output::doubleSin): Deleted.
1332         (JSC::FTL::Output::doubleCos): Deleted.
1333         (JSC::FTL::Output::doubleTan): Deleted.
1334         (JSC::FTL::Output::doubleLog): Deleted.
1335         * ftl/FTLOutput.h:
1336         * runtime/Intrinsic.h:
1337         * runtime/MathCommon.cpp:
1338         (JSC::Math::log1p):
1339         * runtime/MathCommon.h:
1340         * runtime/MathObject.cpp:
1341         (JSC::MathObject::finishCreation):
1342         (JSC::mathProtoFuncACos):
1343         (JSC::mathProtoFuncASin):
1344         (JSC::mathProtoFuncATan):
1345         (JSC::mathProtoFuncCos):
1346         (JSC::mathProtoFuncExp):
1347         (JSC::mathProtoFuncLog):
1348         (JSC::mathProtoFuncSin):
1349         (JSC::mathProtoFuncTan):
1350         (JSC::mathProtoFuncACosh):
1351         (JSC::mathProtoFuncASinh):
1352         (JSC::mathProtoFuncATanh):
1353         (JSC::mathProtoFuncCbrt):
1354         (JSC::mathProtoFuncCosh):
1355         (JSC::mathProtoFuncExpm1):
1356         (JSC::mathProtoFuncLog1p):
1357         (JSC::mathProtoFuncLog10):
1358         (JSC::mathProtoFuncLog2):
1359         (JSC::mathProtoFuncSinh):
1360         (JSC::mathProtoFuncTanh):
1361
1362 2017-05-03  Saam Barati  <sbarati@apple.com>
1363
1364         How we build polymorphic cases is wrong when making a call from Wasm
1365         https://bugs.webkit.org/show_bug.cgi?id=171527
1366
1367         Reviewed by JF Bastien.
1368
1369         This patch fixes a bug when we emit a polymorphic call IC from
1370         Wasm. We were incorrectly assuming that if we made a call *from wasm*,
1371         then the thing we are *calling to* does not have a CodeBlock. This
1372         is obviously wrong. This patch fixes the incorrect assumption.
1373         
1374         This patch also does two more things:
1375         1. Add a new option that makes us make calls to JS using a
1376         slow path instead of using a call IC.
1377         2. Fixes a potential GC bug where we didn't populate JSWebAssemblyCodeBlock's
1378         JSWebAssemblyModule pointer.
1379
1380         * jit/Repatch.cpp:
1381         (JSC::linkPolymorphicCall):
1382         * runtime/Options.h:
1383         * wasm/WasmBinding.cpp:
1384         (JSC::Wasm::wasmToJs):
1385         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1386         (JSC::JSWebAssemblyCodeBlock::create):
1387         (JSC::JSWebAssemblyCodeBlock::finishCreation):
1388         * wasm/js/JSWebAssemblyCodeBlock.h:
1389         * wasm/js/JSWebAssemblyInstance.cpp:
1390         (JSC::JSWebAssemblyInstance::finalizeCreation):
1391
1392 2017-05-03  Keith Miller  <keith_miller@apple.com>
1393
1394         Array.prototype.sort should also allow a null comparator
1395         https://bugs.webkit.org/show_bug.cgi?id=171621
1396         <rdar://problem/30757933>
1397
1398         Reviewed by Michael Saboff.
1399
1400         It looks like sort not accepting a null comparator
1401         causes some pages to stop working. Those pages work in
1402         Chrome/Firefox so we should try to match them.
1403
1404         * builtins/ArrayPrototype.js:
1405         (sort):
1406
1407 2017-05-03  Mark Lam  <mark.lam@apple.com>
1408
1409         Use the CLoop for CPU(ARM64E).
1410         https://bugs.webkit.org/show_bug.cgi?id=171620
1411         <rdar://problem/31973027>
1412
1413         Reviewed by Geoffrey Garen.
1414
1415         * llint/LLIntOfflineAsmConfig.h:
1416         * tools/SigillCrashAnalyzer.cpp:
1417         (JSC::SigillCrashAnalyzer::dumpCodeBlock):
1418
1419 2017-05-03  Keith Miller  <keith_miller@apple.com>
1420
1421         Different behaviour with the .sort(callback) method (unlike Firefox & Chrome)
1422         https://bugs.webkit.org/show_bug.cgi?id=47825
1423
1424         Reviewed by Saam Barati.
1425
1426         This patch makes our sort function match the behavior of Firefox
1427         and Chrome when the result of the comparison function is a
1428         boolean. When we first switched to using merge sort, it regressed
1429         JQuery sorting of DOM nodes by 30%. The regression was due to the
1430         fact that JQuery was using compareDocumentPosition to compare the
1431         locations of objects. Since one of the benchmarks would pass a
1432         reverse sorted list to the sort function we would end up walking
1433         the entire DOM to do comparisons. The solution to this was to
1434         merge based on comparison(right, left) rather than
1435         comparison(left, right). Although, in practice this does nothing
1436         since sort could just as easily receive an already sorted list and
1437         we're back in the same spot.
1438
1439         The downside of sorting with comparison(right, left) is that to
1440         maintain stability when sorting, you only want to merge from right
1441         when the comparison function returns a negative value. This is
1442         where the problem with booleans comes in. Since booleans toNumber
1443         false to 0 and true to 1 both values are "equal". This patch fixes
1444         this by special casing boolean return values.
1445
1446
1447         * builtins/ArrayPrototype.js:
1448         (sort.merge):
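
        Added example, not WebKit's builtins/ArrayPrototype.js: a simplified
        re-implementation of the merge step described above, written to show
        why merging on comparator(right, left) breaks for boolean results and
        what special-casing them does. The rule assumed here for the special
        case is "a boolean false means the right element is not after the
        left one, so take it first"; that is this example's reading of the
        entry, not a quote of the patch.

```javascript
// Added example (not WebKit code). Bottom-up merge sort whose merge step
// calls comparator(right, left), as the entry describes, and takes from the
// right run only when the comparator says the right element sorts first.
//
// Merge src[left, leftEnd) and src[leftEnd, rightEnd) into dst[left, rightEnd).
// `handleBooleans` toggles the special case for boolean comparator results.
function merge(dst, src, left, leftEnd, rightEnd, comparator, handleBooleans) {
  let right = leftEnd;
  for (let dstIndex = left; dstIndex < rightEnd; ++dstIndex) {
    if (right < rightEnd) {
      if (left >= leftEnd) {
        dst[dstIndex] = src[right++];
        continue;
      }
      const result = comparator(src[right], src[left]);
      // Without the special case, a boolean result goes through ToNumber:
      // false -> 0 and true -> 1, neither of which is negative, so the right
      // run is never taken and the input comes back unchanged.
      // With it, a comparator like (a, b) => a > b answers "does a sort after
      // b?", so `false` for (right, left) means the right element belongs
      // first. Note that such a comparator cannot express equality, so
      // stability for equal keys is lost under this rule (assumed here).
      const takeRight = handleBooleans && typeof result === "boolean"
        ? !result
        : result < 0;
      if (takeRight) {
        dst[dstIndex] = src[right++];
        continue;
      }
    }
    dst[dstIndex] = src[left++];
  }
}

// Sort a copy of `array`. Returns the sorted copy; the input is untouched.
function mergeSort(array, comparator, handleBooleans) {
  let src = array.slice();
  let dst = new Array(src.length);
  for (let width = 1; width < src.length; width *= 2) {
    for (let start = 0; start < src.length; start += 2 * width) {
      const leftEnd = Math.min(start + width, src.length);
      const rightEnd = Math.min(start + 2 * width, src.length);
      merge(dst, src, start, leftEnd, rightEnd, comparator, handleBooleans);
    }
    [src, dst] = [dst, src];
  }
  return src;
}

const booleanComparator = (a, b) => a > b;
console.log(mergeSort([3, 1, 2], booleanComparator, false)); // [ 3, 1, 2 ] (unsorted)
console.log(mergeSort([3, 1, 2], booleanComparator, true));  // [ 1, 2, 3 ]
```

        A numeric comparator keeps the usual stability guarantee here: equal
        keys are emitted left run first because only a strictly negative
        result takes from the right run.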
1449
1450 2017-05-03  Andy VanWagoner  <thetalecrafter@gmail.com>
1451
1452         [INTL] Support dashed values in unicode locale extensions
1453         https://bugs.webkit.org/show_bug.cgi?id=171480
1454
1455         Reviewed by JF Bastien.
1456
1457         Implements the UnicodeExtensionSubtags operation and updates the ResolveLocale operation to use it.
1458         This fixes locale extensions with values that include '-'. The following calendars work now:
1459         ethiopic-amete-alem
1460         islamic-umalqura
1461         islamic-tbla
1462         islamic-civil
1463         islamic-rgsa
1464
1465         While updating IntlObject, the comments containing spec text were replaced with a single url at the
1466         top of each function pointing to the relevant part of ECMA-402.
1467
1468         * runtime/IntlObject.cpp:
1469         (JSC::unicodeExtensionSubTags): Added.
1470         (JSC::resolveLocale): Updated to latest standard.
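
        Added example, not WebKit's C++ in runtime/IntlObject.cpp: a JavaScript
        transcription of the ECMA-402 UnicodeExtensionSubtags abstract operation
        the entry implements, followed by the lookup step ResolveLocale performs
        on its output. It shows why values containing '-' (islamic-umalqura,
        ethiopic-amete-alem) need the key/type split rather than a plain split
        on '-'. The helper names extensionValue and resolveKeyword and the
        supported-value lists are this example's own.

```javascript
// Added example (not WebKit code). Split a "-u-..." Unicode locale extension
// sequence into subtags following the ECMA-402 UnicodeExtensionSubtags
// algorithm. Keys are exactly two characters; a type value is everything
// between one key and the next, so it may itself contain '-'. Attributes
// (subtags before the first key) are kept as their own entries.
function unicodeExtensionSubtags(extension) {
  const size = extension.length;
  if (size === 0) return [];
  const subtags = [];
  let attribute = true;
  let q = 3; // skip the leading "-u-"
  let p = q; // start of the current subtag
  let t = q; // start of the current type value
  while (q < size) {
    if (extension[q] === "-") {
      if (q - p === 2) {
        // A two-character subtag is a key; flush any pending type value first
        // (p - 1 excludes the '-' that ended the value).
        if (p - t > 1) subtags.push(extension.substring(t, p - 1));
        subtags.push(extension.substring(p, q));
        t = q + 1;
        attribute = false;
      } else if (attribute) {
        subtags.push(extension.substring(p, q));
        t = q + 1;
      }
      p = q + 1;
    }
    q++;
  }
  if (size - p === 2) {
    // The sequence ends with a key; flush the value that preceded it.
    if (p - t > 1) subtags.push(extension.substring(t, p - 1));
    t = p;
  }
  subtags.push(extension.substring(t, size));
  return subtags;
}

// The step of ResolveLocale that consumes the subtags: find `key` and return
// the value after it, "" when the key has no value (the next subtag is itself
// a key), or undefined when the key is absent. Hypothetical helper name.
function extensionValue(subtags, key) {
  const index = subtags.indexOf(key);
  if (index === -1) return undefined;
  const next = subtags[index + 1];
  if (next === undefined || next.length === 2) return "";
  return next;
}

// Resolve one keyword against the values an implementation supports, the way
// ResolveLocale checks a requested "ca" against the locale's calendar list,
// falling back to the first (default) supported value. Hypothetical helper.
function resolveKeyword(extension, key, supportedValues) {
  const value = extensionValue(unicodeExtensionSubtags(extension), key);
  return value !== undefined && supportedValues.includes(value)
    ? value
    : supportedValues[0];
}

// Constructed sample input: a calendar value with a dash plus a numbering system.
console.log(unicodeExtensionSubtags("-u-ca-islamic-umalqura-nu-arab"));
// [ 'ca', 'islamic-umalqura', 'nu', 'arab' ]
```

        A naive extension.split("-") would have produced "islamic" and
        "umalqura" as separate subtags, so the calendar lookup would never
        match the value the locale data actually carries.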
1471
1472 2017-05-02  Don Olmstead  <don.olmstead@am.sony.com>
1473
1474         Build fix after r216078
1475         https://bugs.webkit.org/show_bug.cgi?id=171554
1476
1477         Reviewed by Saam Barati.
1478
1479         * API/tests/testapi.c:
1480
1481 2017-05-02  Filip Pizlo  <fpizlo@apple.com>
1482
1483         Unreviewed, fix pedantic C compilers.
1484
1485         * API/tests/testapi.c:
1486         (markingConstraint):
1487         (testMarkingConstraints):
1488
1489 2017-05-02  Filip Pizlo  <fpizlo@apple.com>
1490
1491         Unreviewed, fix cmake build.
1492
1493         * CMakeLists.txt:
1494
1495 2017-05-02  Filip Pizlo  <fpizlo@apple.com>
1496
1497         JSC C API should expose GC marking constraints and weak references
1498         https://bugs.webkit.org/show_bug.cgi?id=171554
1499
1500         Reviewed by Geoffrey Garen.
1501         
1502         This exposes an API that lets you participate in the GC's fixpoint. You can ask the GC
1503         what is marked and you can tell the GC to mark things. The constraint callback cannot
1504         do a whole lot, but it can query marking state and it can dereference weak references.
1505         
1506         Additionally, this exposes a very simple weak reference API in C.
1507
1508         * API/JSMarkingConstraintPrivate.cpp: Added.
1509         (JSC::isMarked):
1510         (JSC::mark):
1511         (JSContextGroupRegisterMarkingConstraint):
1512         * API/JSMarkingConstraintPrivate.h: Added.
1513         * API/JSWeakPrivate.cpp: Added.
1514         (OpaqueJSWeak::OpaqueJSWeak):
1515         (JSWeakCreate):
1516         (JSWeakRetain):
1517         (JSWeakRelease):
1518         (JSWeakGetObject):
1519         * API/JSWeakPrivate.h: Added.
1520         * API/tests/testapi.c:
1521         (markingConstraint):
1522         (testMarkingConstraints):
1523         (main):
1524         * JavaScriptCore.xcodeproj/project.pbxproj:
1525         * heap/SlotVisitor.h:
1526         * heap/SlotVisitorInlines.h:
1527         (JSC::SlotVisitor::appendHiddenUnbarriered):
1528         (JSC::SlotVisitor::appendHidden):
1529
1530 2017-05-02  Mark Lam  <mark.lam@apple.com>
1531
1532         JSFixedArray::allocationSize() should not allow for allocation failure.
1533         https://bugs.webkit.org/show_bug.cgi?id=171516
1534
1535         Reviewed by Geoffrey Garen.
1536
1537         Since JSFixedArray::createFromArray() now handles allocation failures by throwing
1538         OutOfMemoryErrors, its helper function allocationSize() (which computes the buffer
1539         size to allocate) should also allow for allocation failure on overflow.
1540
1541         This issue is covered by the stress/js-fixed-array-out-of-memory.js test when
1542         run on 32-bit builds.
1543
1544         * runtime/JSFixedArray.h:
1545         (JSC::JSFixedArray::tryCreate):
1546         (JSC::JSFixedArray::allocationSize):
1547
1548 2017-05-01  Zan Dobersek  <zdobersek@igalia.com>
1549
1550         [aarch64][Linux] m_allowScratchRegister assert hit in MacroAssemblerARM64 under B3::Air::CCallSpecial::generate()
1551         https://bugs.webkit.org/show_bug.cgi?id=170672
1552
1553         Reviewed by Filip Pizlo.
1554
1555         In Air::CCallSpecial::admitsStack() we reject admitting the callee argument on
1556         the stack for ARM64 because that can lead to disallowed usage of the scratch
1557         register in MacroAssemblerARM64 when generating a call with an address Arg
1558         in Air::CCallSpecial::generate().
1559
1560         The testLinearScanWithCalleeOnStack test is added to testb3. It reproduces the
1561         original issue by force-spilling everything on the stack and enforcing the use
1562         of the linear scan register allocation by using an optimization level of 1.
1563
1564         * b3/air/AirCCallSpecial.cpp:
1565         (JSC::B3::Air::CCallSpecial::admitsStack):
1566         * b3/testb3.cpp:
1567         (JSC::B3::testLinearScanWithCalleeOnStack):
1568         (JSC::B3::run):
1569
1570 2017-05-01  David Kilzer  <ddkilzer@apple.com>
1571
1572         Stop using sprintf() in JavaScriptCore debugger
1573         <https://webkit.org/b/171512>
1574
1575         Reviewed by Keith Miller.
1576
1577         * disassembler/udis86/udis86.c:
1578         (ud_insn_hex): Switch from sprintf() to snprintf().
1579
1580 2017-04-21  Filip Pizlo  <fpizlo@apple.com>
1581
1582         Air::fixObviousSpills should remove totally redundant instructions
1583         https://bugs.webkit.org/show_bug.cgi?id=171131
1584
1585         Reviewed by Saam Barati.
1586         
1587         This is a modest compile-time-neutral improvement to fixObviousSpills. That phase
1588         builds up a classic alias analysis data structure over spills and registers and then
1589         uses it to remove the most common spill pathologies we encounter. For example, if you
1590         use a spill but the spill is aliased to a register or constant, then we can replace the
1591         use of the spill with a use of the register or constant.
1592         
1593         But that phase was missing perhaps one of the most obvious fixups that its analysis
1594         allows us to do: if any instruction creates an alias we already know about, then the
1595         instruction is redundant. This turned out to be super important for
1596         https://bugs.webkit.org/show_bug.cgi?id=171075. That patch didn't work out, but this
1597         kind of optimization might be a good clean-up for many other kinds of optimizations.
1598
1599         * b3/air/AirFixObviousSpills.cpp:
1600
1601 2017-04-30  Oleksandr Skachkov  <gskachkov@gmail.com>
1602
1603         We initialize functions too early in an eval
1604         https://bugs.webkit.org/show_bug.cgi?id=161099
1605
1606         Reviewed by Saam Barati.
1607
1608         This patch fixes a problem with the scope of a function that is
1609         declared within eval. Before, the scope was set inside Interpreter.cpp and it
1610         was the scope where eval is executed, but in this case the function would not
1611         see let/const variables and classes declared in the eval.
1612         This patch divides declaration and binding into two operations: first, just declare
1613         a variable with the function name, and second, bind the variable to the function with the
1614         correct scope.
1615
1616         * bytecompiler/BytecodeGenerator.cpp:
1617         (JSC::BytecodeGenerator::generate):
1618         (JSC::BytecodeGenerator::BytecodeGenerator):
1619         * bytecompiler/BytecodeGenerator.h:
1620         * interpreter/Interpreter.cpp:
1621         (JSC::Interpreter::execute):
1622
1623 2017-04-30  Oleksandr Skachkov  <gskachkov@gmail.com>
1624
1625         [ES6]. Implement Annex B.3.3 function hoisting rules for eval
1626         https://bugs.webkit.org/show_bug.cgi?id=163208
1627
1628         Reviewed by Saam Barati.
1629
1630         This patch implements Annex B.3.3, which is related to
1631         hoisting of function declarations in eval.
1632         https://tc39.github.io/ecma262/#sec-web-compat-evaldeclarationinstantiation
1633         A function declaration in eval should create a variable with the
1634         function name in the function scope where eval is invoked,
1635         or bind to the variable if it is declared outside of the eval.
1636         If the variable is created, it can be removed by the 'delete a;' command.
1637         If eval is invoked in a block scope that contains a let/const
1638         variable with the same name as the function declaration,
1639         we do not bind. This patch leads to the following behavior:
1640         '''
1641         function foo() {
1642            {
1643              print(boo); // undefined
1644              eval('{ function boo() {}}');
1645              print(boo); // function boo() {}
1646            }
1647            print(boo); // function boo() {}
1648         }
1649
1650         function foobar() {
1651           { 
1652             let boo = 10;
1653             print(boo); // 10;
1654             eval('{ function boo() {}}');
1655             print(boo); // 10;
1656           }
1657           print(boo) // 10
1658         }
1659
1660         function bar() {
1661            {
1662               var boo = 10;
1663               print(boo); // 10
1664               eval('{ function boo() {} }'); 
1665               print(boo); // function boo() {}
1666            }
1667            print(boo); // function boo() {}
1668         }       
1669         
1670         function bas() {
1671             {
1672                  let boo = 10;
1673                  eval(' { function boo() {} } ');
1674                  print(boo); // 10
1675             }
1676             print(boo); // ReferenceError
1677         }
1678         '''
1679
1680         The current implementation relies on the already implemented
1681         'hoist function in sloppy mode' feature, with small changes.
1682         In short, it works in the following way: during hoisting of a function
1683         with name S in eval, we look for the first scope that
1684         contains space for a variable with name S, and if this scope
1685         has var type we bind the function there.
1686
1687         To implement this feature, a new bytecode op was added:
1688         op_resolve_scope_for_hoisting_func_decl_in_eval - gets the variable scope,
1689         or returns undefined if the variable can't be bound there.
1690
1691         There is a corner case, hoisting a function in eval within a catch block,
1692         that is not covered by this patch and will be fixed in
1693         https://bugs.webkit.org/show_bug.cgi?id=168184
1694
1695         * bytecode/BytecodeDumper.cpp:
1696         (JSC::BytecodeDumper<Block>::dumpBytecode):
1697         * bytecode/BytecodeList.json:
1698         * bytecode/BytecodeUseDef.h:
1699         (JSC::computeUsesForBytecodeOffset):
1700         (JSC::computeDefsForBytecodeOffset):
1701         * bytecode/CodeBlock.cpp:
1702         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1703         * bytecode/EvalCodeBlock.h:
1704         (JSC::EvalCodeBlock::functionHoistingCandidate):
1705         (JSC::EvalCodeBlock::numFunctionHoistingCandidates):
1706         * bytecode/UnlinkedEvalCodeBlock.h:
1707         * bytecompiler/BytecodeGenerator.cpp:
1708         (JSC::BytecodeGenerator::BytecodeGenerator):
1709         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
1710         (JSC::BytecodeGenerator::emitResolveScopeForHoistingFuncDeclInEval):
1711         * bytecompiler/BytecodeGenerator.h:
1712         * dfg/DFGAbstractInterpreterInlines.h:
1713         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1714         * dfg/DFGByteCodeParser.cpp:
1715         (JSC::DFG::ByteCodeParser::parseBlock):
1716         * dfg/DFGCapabilities.cpp:
1717         (JSC::DFG::capabilityLevel):
1718         * dfg/DFGClobberize.h:
1719         (JSC::DFG::clobberize):
1720         * dfg/DFGDoesGC.cpp:
1721         (JSC::DFG::doesGC):
1722         * dfg/DFGFixupPhase.cpp:
1723         (JSC::DFG::FixupPhase::fixupNode):
1724         * dfg/DFGNode.h:
1725         (JSC::DFG::Node::hasIdentifier):
1726         * dfg/DFGNodeType.h:
1727         * dfg/DFGOperations.cpp:
1728         * dfg/DFGOperations.h:
1729         * dfg/DFGPredictionPropagationPhase.cpp:
1730         * dfg/DFGSafeToExecute.h:
1731         (JSC::DFG::safeToExecute):
1732         * dfg/DFGSpeculativeJIT.cpp:
1733         (JSC::DFG::SpeculativeJIT::compileResolveScopeForHoistingFuncDeclInEval):
1734         * dfg/DFGSpeculativeJIT.h:
1735         (JSC::DFG::SpeculativeJIT::callOperation):
1736         * dfg/DFGSpeculativeJIT32_64.cpp:
1737         (JSC::DFG::SpeculativeJIT::compile):
1738         * dfg/DFGSpeculativeJIT64.cpp:
1739         (JSC::DFG::SpeculativeJIT::compile):
1740         * ftl/FTLCapabilities.cpp:
1741         (JSC::FTL::canCompile):
1742         * ftl/FTLLowerDFGToB3.cpp:
1743         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1744         (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval):
1745         * interpreter/Interpreter.cpp:
1746         (JSC::Interpreter::execute):
1747         * jit/JIT.cpp:
1748         (JSC::JIT::privateCompileMainPass):
1749         * jit/JIT.h:
1750         * jit/JITOperations.h:
1751         * jit/JITPropertyAccess.cpp:
1752         (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval):
1753         * jit/JITPropertyAccess32_64.cpp:
1754         (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval):
1755         * llint/LowLevelInterpreter.asm:
1756         * parser/Parser.cpp:
1757         (JSC::Parser<LexerType>::parseFunctionDeclarationStatement):
1758         * parser/Parser.h:
1759         (JSC::Scope::getSloppyModeHoistedFunctions):
1760         (JSC::Parser::declareFunction):
1761         * runtime/CommonSlowPaths.cpp:
1762         (JSC::SLOW_PATH_DECL):
1763         * runtime/CommonSlowPaths.h:
1764         * runtime/EvalExecutable.h:
1765         (JSC::EvalExecutable::numFunctionHoistingCandidates):
1766         (JSC::EvalExecutable::numTopLevelFunctionDecls):
1767         (JSC::EvalExecutable::numberOfFunctionDecls): Deleted.
1768         * runtime/JSScope.cpp:
1769         (JSC::JSScope::resolve):
1770         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
1771         * runtime/JSScope.h:
1772
1773 2017-04-29  Oleksandr Skachkov  <gskachkov@gmail.com>
1774
1775         Deep nesting is leading to ReferenceError for hoisted function
1776         https://bugs.webkit.org/show_bug.cgi?id=171456
1777
1778         Reviewed by Yusuke Suzuki.
1779
1780         This patch fixes an error that appears during hoisting of a function
1781         in block scope. The error happens only when some deep scope exists that leads
1782         to growing the scope stack, after which the list of the hoisted candidates is not
1783         copied to the updated scope stack.
1784
1785         * parser/Parser.h:
1786         (JSC::Scope::Scope):
1787
1788 2017-04-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1789
1790         [JSC] LabelScopePtr is not necessary
1791         https://bugs.webkit.org/show_bug.cgi?id=171474
1792
1793         Reviewed by Geoffrey Garen.
1794
1795         Originally, LabelScopePtr was introduced because LabelScopes uses Vector<> instead of SegmentedVector<>.
1796         LabelScopePtr holds a pointer to the vector owner and an index instead of a pointer to the LabelScope directly,
1797         since Vector<> can relocate LabelScopes inside it.
1798         The reason why LabelScopes uses Vector<> instead is that there was code copying this vector. SegmentedVector<>
1799         prohibits copying since it is so costly. So, we used Vector<> here instead of SegmentedVector<>.

1801         But the latest code does not have code copying LabelScopes. Thus, we can apply the same design as Label and
1802         RegisterID: just use SegmentedVector<> and Ref<>/RefPtr<>. This patch removes LabelScopePtr since it is no
1803         longer necessary, and uses SegmentedVector<> for LabelScopes.
1804
1805         * bytecompiler/BytecodeGenerator.cpp:
1806         (JSC::reclaim):
1807         (JSC::BytecodeGenerator::reclaimFreeRegisters):
1808         (JSC::BytecodeGenerator::newLabelScope):
1809         (JSC::BytecodeGenerator::newLabel):
1810         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
1811         (JSC::BytecodeGenerator::breakTarget):
1812         (JSC::BytecodeGenerator::continueTarget):
1813         (JSC::BytecodeGenerator::emitEnumeration):
1814         * bytecompiler/BytecodeGenerator.h:
1815         * bytecompiler/LabelScope.h:
1816         (JSC::LabelScope::LabelScope):
1817         (JSC::LabelScope::breakTarget):
1818         (JSC::LabelScope::continueTarget):
1819         (JSC::LabelScope::type):
1820         (JSC::LabelScope::name):
1821         (JSC::LabelScope::scopeDepth):
1822         (JSC::LabelScope::ref):
1823         (JSC::LabelScope::deref):
1824         (JSC::LabelScope::refCount):
1825         (JSC::LabelScopePtr::LabelScopePtr): Deleted.
1826         (JSC::LabelScopePtr::operator=): Deleted.
1827         (JSC::LabelScopePtr::~LabelScopePtr): Deleted.
1828         (JSC::LabelScopePtr::operator!): Deleted.
1829         (JSC::LabelScopePtr::operator*): Deleted.
1830         (JSC::LabelScopePtr::operator->): Deleted.
1831         (JSC::LabelScopePtr::null): Deleted.
1832         * bytecompiler/NodesCodegen.cpp:
1833         (JSC::DoWhileNode::emitBytecode):
1834         (JSC::WhileNode::emitBytecode):
1835         (JSC::ForNode::emitBytecode):
1836         (JSC::ForInNode::emitBytecode):
1837         (JSC::ContinueNode::trivialTarget):
1838         (JSC::ContinueNode::emitBytecode):
1839         (JSC::BreakNode::trivialTarget):
1840         (JSC::BreakNode::emitBytecode):
1841         (JSC::SwitchNode::emitBytecode):
1842         (JSC::LabelNode::emitBytecode):
1843
1844 2017-04-28  Mark Lam  <mark.lam@apple.com>
1845
1846         Revert instrumentation from https://bugs.webkit.org/show_bug.cgi?id=170086 that is no longer needed.
1847         https://bugs.webkit.org/show_bug.cgi?id=170094
1848
1849         Reviewed by JF Bastien and Keith Miller.
1850
1851         * heap/Heap.cpp:
1852         (JSC::Heap::resumeThePeriphery):
1853
1854 2017-04-27  Andy VanWagoner  <thetalecrafter@gmail.com>
1855
1856         [INTL] Implement the caseFirst option for Intl.Collator
1857         https://bugs.webkit.org/show_bug.cgi?id=158188
1858
1859         Reviewed by Geoffrey Garen.
1860
1861         Implements the caseFirst option and unicode locale extension.
1862         The caseFirst option explicitly determines whether upper or lower case comes first.
1863
1864         * runtime/IntlCollator.cpp:
1865         (JSC::sortLocaleData): Added kf data.
1866         (JSC::searchLocaleData): Added kf data.
1867         (JSC::IntlCollator::initializeCollator): Set caseFirst option.
1868         (JSC::IntlCollator::createCollator): Set new attributes on ICU collator.
1869         (JSC::IntlCollator::caseFirstString): Added.
1870         (JSC::IntlCollator::resolvedOptions): Added caseFirst property.
1871         * runtime/IntlCollator.h:
1872
1873 2017-04-27  Mark Lam  <mark.lam@apple.com>
1874
1875         Fix some RELEASE_ASSERT failures caused by OutOfMemoryErrors.
1876         https://bugs.webkit.org/show_bug.cgi?id=171404
1877         <rdar://problem/31876178>
1878
1879         Reviewed by Saam Barati.
1880
1881         1. Added some tryAllocate() functions in JSCellInlines.h.
1882         2. Consolidated the implementations of allocateCell() template functions into a
1883            single tryAllocateCellHelper() to reduce redundancy and eliminate needing to
1884            copy-paste for variations of allocateCell and tryAllocateCell.
1885         3. Changed JSFixedArray::createFromArray() and constructEmptyArray() to check for
1886            allocation failure and throw an OutOfMemoryError.  It was already possible to
1887            throw errors from these functions for other reasons.  So, their clients are
1888            already ready to handle OOMEs.
1889
1890         * ftl/FTLOperations.cpp:
1891         (JSC::FTL::operationMaterializeObjectInOSR):
1892         * runtime/JSCInlines.h:
1893         * runtime/JSCell.h:
1894         * runtime/JSCellInlines.h:
1895         (JSC::tryAllocateCellHelper):
1896         (JSC::allocateCell):
1897         (JSC::tryAllocateCell):
1898         * runtime/JSFixedArray.h:
1899         (JSC::JSFixedArray::createFromArray):
1900         (JSC::JSFixedArray::tryCreate):
1901         (JSC::JSFixedArray::create): Deleted.
1902         * runtime/JSGlobalObject.h:
1903         (JSC::constructEmptyArray):
1904
1905 2017-04-27  Joseph Pecoraro  <pecoraro@apple.com>
1906
1907         Support for promise rejection events (unhandledrejection)
1908         https://bugs.webkit.org/show_bug.cgi?id=150358
1909         <rdar://problem/28441651>
1910
1911         Reviewed by Saam Barati.
1912
1913         Patch by Joseph Pecoraro and Yusuke Suzuki.
1914
1915         Implement support for promise.[[PromiseIsHandled]] and the
1916         HostPromiseRejectionTracker hook for HTML to track promise rejections:
1917         https://tc39.github.io/ecma262/#sec-host-promise-rejection-tracker
1918         https://html.spec.whatwg.org/multipage/webappapis.html#unhandled-promise-rejections
1919
1920         * builtins/BuiltinNames.h:
1921         New private symbols.
1922
1923         * builtins/PromiseOperations.js:
1924         (globalPrivate.newHandledRejectedPromise):
1925         Utility to create a rejected promise with [[PromiseIsHandled]] to true.
1926
1927         (globalPrivate.rejectPromise):
1928         (globalPrivate.initializePromise):
1929         * builtins/PromisePrototype.js:
1930         (then):
1931         Implement standard behavior of [[PromiseIsHandled]] and the host hook.
1932
1933         * runtime/JSPromise.cpp:
1934         (JSC::JSPromise::isHandled):
1935         * runtime/JSPromise.h:
1936         C++ accessors for the [[PromiseIsHandled]] state.
1937
1938         * bytecode/BytecodeIntrinsicRegistry.cpp:
1939         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1940         * bytecode/BytecodeIntrinsicRegistry.h:
1941         Expose private values for the Reject / Handle enum values in built-ins.
1942
1943         * jsc.cpp:
1944         * runtime/JSGlobalObject.h:
1945         (JSC::JSGlobalObject::promiseResolveFunction):
1946         Add a new GlobalObjectMethodTable hook matching the promise rejection hook.
1947
1948         * runtime/JSGlobalObject.cpp:
1949         (JSC::JSGlobalObject::init):
1950         (JSC::JSGlobalObject::visitChildren):
1951         * runtime/JSGlobalObjectFunctions.cpp:
1952         (JSC::globalFuncHostPromiseRejectionTracker):
1953         * runtime/JSGlobalObjectFunctions.h:
1954         Plumb the builtin hook through to the optional GlobalObjectMethodTable hook.
1955
1956         * inspector/InjectedScriptSource.js:
1957         (InjectedScript.prototype.createFakeValueDescriptor):
1958         Silence possible rejected promises created internally via Web Inspector.
1959
1960 2017-04-27  Saam Barati  <sbarati@apple.com>
1961
1962         B3::FoldPathConstants does not consider the fall through case for Switch
1963         https://bugs.webkit.org/show_bug.cgi?id=171390
1964
1965         Reviewed by Filip Pizlo.
1966
1967         foldPathConstants was not taking into account a Switch's default
1968         case when it tried to constant propagate the switch's operand value.
1969         e.g, we incorrectly transformed this code:
1970         
1971         ```
1972         x = argumentGPR0;
1973         switch (x) {
1974         case 10: return 20;
1975         
1976         case 0:
1977         default: return x == 0;
1978         }
1979         ```
1980         
1981         into:
1982         ```
1983         x = argumentGPR0;
1984         switch (x) {
1985         case 10: return 20;
1986         
1987         case 0:
1988         default: return 1;
1989         }
1990         ```
1991         
1992         Because we didn't take into account the default case, we incorrectly
1993         optimized the code as if case 0's block was only reachable if x is
1994         equal to zero. This is obviously not true, since it's the same block
1995         as the default case.
1996         
1997         This fix ensures that we can run the WebAssembly Tanks demo even when
1998         we set webAssemblyBBQOptimizationLevel=2.
1999
2000         * b3/B3FoldPathConstants.cpp:
2001         * b3/B3SwitchValue.cpp:
2002         (JSC::B3::SwitchValue::fallThrough):
2003         (JSC::B3::SwitchValue::removeCase): Deleted.
2004         * b3/B3SwitchValue.h:
2005         * b3/testb3.cpp:
2006         (JSC::B3::testCallFunctionWithHellaArguments):
2007         (JSC::B3::testSwitchSameCaseAsDefault):
2008         (JSC::B3::testWasmBoundsCheck):
2009         (JSC::B3::run):
2010
2011 2017-04-27  Keith Miller  <keith_miller@apple.com>
2012
2013         WebAssembly: Don't tier up the same function twice
2014         https://bugs.webkit.org/show_bug.cgi?id=171397
2015
2016         Reviewed by Filip Pizlo.
2017
2018         Because we don't CAS the tier up count on function entry/loop backedge, and we use the least significant
        bit to indicate whether or not tier up has already started, we could see the following:

2020         Threads A and B are running; the count in memory is (0):
2021
2022         A: load tier up count (0)
2023         B: load tier up count (0)
2024         A: decrement count to -2 and see we need to check for tier up (0)
2025         A: store -2 to count (-2)
2026         A: exchangeOr(1) to tier up count (-1)
2027         B: decrement count to -2 and see we need to check for tier up (-1)
2028         B: store -2 to count (-2)
2029         B: exchangeOr(1) to tier up count (-1)
2030
2031         This would cause us to tier up the same function twice, which we would rather avoid.
2032
2033         * wasm/WasmB3IRGenerator.cpp:
2034         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2035         * wasm/WasmTierUpCount.h:
2036         (JSC::Wasm::TierUpCount::TierUpCount):
2037         (JSC::Wasm::TierUpCount::loopDecrement):
2038         (JSC::Wasm::TierUpCount::functionEntryDecrement):
2039         (JSC::Wasm::TierUpCount::shouldStartTierUp):
2040
2041 2017-04-27  Keith Miller  <keith_miller@apple.com>
2042
2043         REGRESSION (r215843): ASSERTION FAILED: !m_completionTasks[0].first in  JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast(JSC::VM &)
2044         https://bugs.webkit.org/show_bug.cgi?id=171380
2045
2046         Reviewed by JF Bastien.
2047
2048         This patch fixes the association of VMs to Wasm::Plans. For validation
2049         we want all the completion tasks to be associated with a VM. For BBQ,
2050         we want the main task to not be associated with any VM.
2051
2052         * jsc.cpp:
2053         (functionTestWasmModuleFunctions):
2054         * wasm/WasmBBQPlan.cpp:
2055         (JSC::Wasm::BBQPlan::BBQPlan):
2056         * wasm/WasmBBQPlan.h:
2057         * wasm/WasmCodeBlock.cpp:
2058         (JSC::Wasm::CodeBlock::CodeBlock):
2059         (JSC::Wasm::CodeBlock::compileAsync):
2060         * wasm/WasmCodeBlock.h:
2061         (JSC::Wasm::CodeBlock::create):
2062         * wasm/WasmModule.cpp:
2063         (JSC::Wasm::makeValidationCallback):
2064         (JSC::Wasm::Module::validateSync):
2065         (JSC::Wasm::Module::validateAsync):
2066         (JSC::Wasm::Module::getOrCreateCodeBlock):
2067         (JSC::Wasm::Module::compileSync):
2068         (JSC::Wasm::Module::compileAsync):
2069         * wasm/WasmModule.h:
2070         * wasm/WasmOMGPlan.cpp:
2071         (JSC::Wasm::OMGPlan::OMGPlan):
2072         (JSC::Wasm::runOMGPlanForIndex):
2073         * wasm/WasmOMGPlan.h:
2074         * wasm/WasmPlan.cpp:
2075         (JSC::Wasm::Plan::Plan):
2076         (JSC::Wasm::Plan::runCompletionTasks):
2077         (JSC::Wasm::Plan::addCompletionTask):
2078         (JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast):
2079         * wasm/WasmPlan.h:
2080         (JSC::Wasm::Plan::dontFinalize):
2081         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2082         (JSC::constructJSWebAssemblyInstance):
2083         * wasm/js/WebAssemblyPrototype.cpp:
2084         (JSC::webAssemblyValidateFunc):
2085
2086 2017-04-27  Saam Barati  <sbarati@apple.com>
2087
2088         Restore some caching functionality that got accidentally removed when doing Wasm PIC patches
2089         https://bugs.webkit.org/show_bug.cgi?id=171382
2090
2091         Reviewed by Keith Miller.
2092
2093         When I created Wasm::CodeBlock, I accidentally removed caching
2094         the creation of JSWebAssemblyCodeBlocks. This patch restores it.
2095         It's worth keeping JSWebAssemblyModule's JSWebAssemblyCodeBlock
2096         cache because creating a JSWebAssemblyCodeBlock does non-trivial
2097         work by creating the various IC call stubs.
2098
2099         * wasm/js/JSWebAssemblyCodeBlock.h:
2100         (JSC::JSWebAssemblyCodeBlock::codeBlock):
2101         * wasm/js/JSWebAssemblyInstance.cpp:
2102         (JSC::JSWebAssemblyInstance::finalizeCreation):
2103         (JSC::JSWebAssemblyInstance::create):
2104         * wasm/js/JSWebAssemblyModule.h:
2105
2106 2017-04-27  Mark Lam  <mark.lam@apple.com>
2107
2108         Audit and fix incorrect uses of JSArray::tryCreateForInitializationPrivate().
2109         https://bugs.webkit.org/show_bug.cgi?id=171344
2110         <rdar://problem/31352667>
2111
2112         Reviewed by Filip Pizlo.
2113
2114         JSArray::tryCreateForInitializationPrivate() should only be used in performance
2115         critical paths, and should always be used with care because it creates an
2116         uninitialized object that needs to be initialized by its client before the object
2117         can be released into the system.  Before the object is fully initialized:
2118         a. the client should not re-enter the VM to execute JS code, and
2119         b. GC should not run.
2120
2121         This is because until the object is fully initialized, it is an inconsistent
2122         state that the GC and JS code will not be happy about.
2123
2124         In this patch, we do the following:
2125
2126         1. Renamed JSArray::tryCreateForInitializationPrivate() to
2127            JSArray::tryCreateUninitializedRestricted() because "private" is a bit ambiguous
2128            and can be confused with APIs that are called freely within WebKit but are
2129            not meant for clients of WebKit.  In this case, we intend for use of this API
2130            to be restricted to only a few carefully considered and crafted cases.
2131
2132         2. Introduce the ObjectInitializationScope RAII object which covers the period
2133            when the uninitialized object is created and gets initialized.
2134
2135            ObjectInitializationScope will assert that either the object is created
2136            fully initialized (in the case where the object structure is not an "original"
2137            structure) or if created uninitialized, is fully initialized at the end of
2138            the scope.
2139
2140            If the object is created uninitialized, the ObjectInitializationScope also
2141            ensures that we do not GC nor re-enter the VM to execute JS code.  This is
2142            achieved by enabling DisallowGC and DisallowVMReentry scopes.
2143
2144            tryCreateUninitializedRestricted() and initializeIndex() now require an
2145            ObjectInitializationScope instance.  The ObjectInitializationScope replaces
2146            the VM& argument because it can be used to pass the VM& itself.  This is a
2147            small optimization that makes passing the ObjectInitializationScope free even
2148            on release builds.
2149
2150         3. Factored a DisallowScope out of DisallowGC, and made DisallowGC extend it.
2151            Introduce a DisallowVMReentry class that extends DisallowScope.
2152
2153         4. Fixed a bug found by the ObjectInitializationScope.  The bug is that there are
2154            scenarios where the structure passed to tryCreateUninitializedRestricted()
2155            may not be an "original" structure.  As a result, initializeIndex() would
2156            end up allocating new structures, and therefore trigger a GC.
2157
2158            The fix is to detect that the structure passed to tryCreateUninitializedRestricted()
2159            is not an "original" one, and pre-initialize the array with 0s.
2160
2161            This bug was detected by existing tests. Hence, no new test needed.
2162
2163         5. Replaced all inappropriate uses of tryCreateUninitializedRestricted() with
2164            tryCreate().  Inappropriate uses here mean code that is not in performance
2165            critical paths.
2166
2167            Similarly, replaced accompanying uses of initializeIndex() with putDirectIndex().
2168
2169            This patch is performance neutral (according to the JSC command line benchmarks).
2170
2171         * CMakeLists.txt:
2172         * JavaScriptCore.xcodeproj/project.pbxproj:
2173         * dfg/DFGOperations.cpp:
2174         * ftl/FTLOperations.cpp:
2175         (JSC::FTL::operationMaterializeObjectInOSR):
2176         * heap/DeferGC.cpp:
2177         * heap/DeferGC.h:
2178         (JSC::DisallowGC::DisallowGC):
2179         (JSC::DisallowGC::initialize):
2180         (JSC::DisallowGC::scopeReentryCount):
2181         (JSC::DisallowGC::setScopeReentryCount):
2182         (JSC::DisallowGC::~DisallowGC): Deleted.
2183         (JSC::DisallowGC::isGCDisallowedOnCurrentThread): Deleted.
2184         * heap/GCDeferralContextInlines.h:
2185         (JSC::GCDeferralContext::~GCDeferralContext):
2186         * heap/Heap.cpp:
2187         (JSC::Heap::collectIfNecessaryOrDefer):
2188         * runtime/ArrayPrototype.cpp:
2189         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2190         * runtime/ClonedArguments.cpp:
2191         (JSC::ClonedArguments::createWithInlineFrame):
2192         (JSC::ClonedArguments::createByCopyingFrom):
2193         * runtime/CommonSlowPaths.cpp:
2194         (JSC::SLOW_PATH_DECL):
2195         * runtime/DisallowScope.h: Added.
2196         (JSC::DisallowScope::DisallowScope):
2197         (JSC::DisallowScope::~DisallowScope):
2198         (JSC::DisallowScope::isInEffectOnCurrentThread):
2199         (JSC::DisallowScope::enable):
2200         (JSC::DisallowScope::enterScope):
2201         (JSC::DisallowScope::exitScope):
2202         * runtime/DisallowVMReentry.cpp: Added.
2203         * runtime/DisallowVMReentry.h: Added.
2204         (JSC::DisallowVMReentry::DisallowVMReentry):
2205         (JSC::DisallowVMReentry::initialize):
2206         (JSC::DisallowVMReentry::scopeReentryCount):
2207         (JSC::DisallowVMReentry::setScopeReentryCount):
2208         * runtime/InitializeThreading.cpp:
2209         (JSC::initializeThreading):
2210         * runtime/JSArray.cpp:
2211         (JSC::JSArray::tryCreateUninitializedRestricted):
2212         (JSC::JSArray::fastSlice):
2213         (JSC::JSArray::tryCreateForInitializationPrivate): Deleted.
2214         * runtime/JSArray.h:
2215         (JSC::JSArray::tryCreateUninitializedRestricted):
2216         (JSC::JSArray::tryCreate):
2217         (JSC::constructArray):
2218         (JSC::constructArrayNegativeIndexed):
2219         (JSC::JSArray::tryCreateForInitializationPrivate): Deleted.
2220         (JSC::createArrayButterfly): Deleted.
2221         * runtime/JSCellInlines.h:
2222         (JSC::allocateCell):
2223         * runtime/JSObject.h:
2224         (JSC::JSObject::initializeIndex):
2225         (JSC::JSObject::initializeIndexWithoutBarrier):
2226         * runtime/ObjectInitializationScope.cpp: Added.
2227         (JSC::ObjectInitializationScope::ObjectInitializationScope):
2228         (JSC::ObjectInitializationScope::~ObjectInitializationScope):
2229         (JSC::ObjectInitializationScope::notifyAllocated):
2230         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2231         * runtime/ObjectInitializationScope.h: Added.
2232         (JSC::ObjectInitializationScope::ObjectInitializationScope):
2233         (JSC::ObjectInitializationScope::vm):
2234         (JSC::ObjectInitializationScope::notifyAllocated):
2235         * runtime/Operations.h:
2236         (JSC::isScribbledValue):
2237         (JSC::scribble):
2238         * runtime/RegExpMatchesArray.cpp:
2239         (JSC::createEmptyRegExpMatchesArray):
2240         * runtime/RegExpMatchesArray.h:
2241         (JSC::tryCreateUninitializedRegExpMatchesArray):
2242         (JSC::createRegExpMatchesArray):
2243         * runtime/VMEntryScope.cpp:
2244         (JSC::VMEntryScope::VMEntryScope):
2245
2246 2017-04-27  Carlos Garcia Campos  <cgarcia@igalia.com>
2247
2248         [GTK] Remote inspector should support inspecting targets with previous version of backend commands
2249         https://bugs.webkit.org/show_bug.cgi?id=171267
2250
2251         Reviewed by Michael Catanzaro.
2252
2253         Rename GetTargetList DBus method as SetupInspectorClient since this method is actually called only once by
2254         client right after connecting to the server. The method now receives the client backend commands hash as
2255         argument and returns the contents of the backend commands file in case the hash doesn't match with the local
2256         version.
2257
2258         * PlatformGTK.cmake: Add RemoteInspectorUtils to compilation.
2259         * inspector/remote/glib/RemoteInspectorServer.cpp:
2260         (Inspector::RemoteInspectorServer::setupInspectorClient):
2261         * inspector/remote/glib/RemoteInspectorServer.h:
2262         * inspector/remote/glib/RemoteInspectorUtils.cpp: Added.
2263         (Inspector::backendCommands):
2264         (Inspector::backendCommandsHash):
2265         * inspector/remote/glib/RemoteInspectorUtils.h: Added.
2266
2267 2017-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2268
2269         [JSC] Handle PhantomSpread in LoadVarargs as the same to the others
2270         https://bugs.webkit.org/show_bug.cgi?id=171262
2271
2272         Reviewed by Saam Barati.
2273
2274         This is a follow-up patch to r215720. In that patch, we accidentally
2275         did not apply the same change to LoadVarargs in the argument elimination
2276         phase. This patch just does the same rewriting to handle PhantomSpread
2277         correctly.
2278
2279         * dfg/DFGArgumentsEliminationPhase.cpp:
2280
2281 2017-04-26  Joseph Pecoraro  <pecoraro@apple.com>
2282
2283         Web Inspector: Uint8ClampedArray should be treated like an array, not an object
2284         https://bugs.webkit.org/show_bug.cgi?id=171364
2285         <rdar://problem/10873037>
2286
2287         Reviewed by Sam Weinig.
2288
2289         * inspector/JSInjectedScriptHost.cpp:
2290         (Inspector::JSInjectedScriptHost::subtype):
2291         Treat Uint8ClampedArray (like other Typed Arrays) as an array.
2292
2293 2017-04-26  Saam Barati  <sbarati@apple.com>
2294
2295         Print Wasm function index in stack trace
2296         https://bugs.webkit.org/show_bug.cgi?id=171349
2297
2298         Reviewed by JF Bastien.
2299
2300         This patch prints a Callee's index in the function index
2301         space in Error.stack.
2302
2303         This will lead to stack traces that have lines of text like:
2304         wasm function index: 4@[wasm code]
2305
2306         We don't ascribe indices to everything in wasm. Specifically, the
2307         Wasm->JS call stub callee does not get a name, and neither does
2308         the JS -> Wasm entrypoint.
2309
2310         * interpreter/Interpreter.cpp:
2311         (JSC::GetStackTraceFunctor::operator()):
2312         * interpreter/StackVisitor.cpp:
2313         (JSC::StackVisitor::readNonInlinedFrame):
2314         (JSC::StackVisitor::Frame::functionName):
2315         * interpreter/StackVisitor.h:
2316         (JSC::StackVisitor::Frame::wasmFunctionIndex):
2317         * runtime/StackFrame.cpp:
2318         (JSC::StackFrame::functionName):
2319         * runtime/StackFrame.h:
2320         (JSC::StackFrame::StackFrame):
2321         (JSC::StackFrame::wasm):
2322         (JSC::StackFrame::hasBytecodeOffset):
2323         (JSC::StackFrame::bytecodeOffset):
2324         * wasm/WasmBBQPlanInlines.h:
2325         (JSC::Wasm::BBQPlan::initializeCallees):
2326         * wasm/WasmCallee.cpp:
2327         (JSC::Wasm::Callee::Callee):
2328         * wasm/WasmCallee.h:
2329         (JSC::Wasm::Callee::create):
2330         (JSC::Wasm::Callee::index):
2331         * wasm/WasmOMGPlan.cpp:
2332         (JSC::Wasm::OMGPlan::work):
2333
2334 2017-04-26  Keith Miller  <keith_miller@apple.com>
2335
2336         Follow up to r215843
2337         https://bugs.webkit.org/show_bug.cgi?id=171361
2338
2339         Reviewed by Saam Barati.
2340
2341         This patch fixes some style comments Saam didn't get a chance to
2342         request before I landed: https://bugs.webkit.org/show_bug.cgi?id=170134.
2343
2344         It renames Wasm::CodeBlock::m_wasmEntrypoints to
2345         m_wasmIndirectCallEntrypoints, as well as fixes some copyrights and
2346         indentation.
2347
2348         * wasm/WasmBBQPlan.cpp:
2349         * wasm/WasmCodeBlock.cpp:
2350         (JSC::Wasm::CodeBlock::CodeBlock):
2351         * wasm/WasmCodeBlock.h:
2352         (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace):
2353         * wasm/WasmOMGPlan.cpp:
2354         (JSC::Wasm::OMGPlan::work):
2355         * wasm/WasmTierUpCount.h:
2356         (JSC::Wasm::TierUpCount::TierUpCount):
2357         (JSC::Wasm::TierUpCount::loopDecrement):
2358         (JSC::Wasm::TierUpCount::functionEntryDecrement):
2359         (JSC::Wasm::TierUpCount::shouldStartTierUp):
2360         (JSC::Wasm::TierUpCount::count):
2361
2362 2017-04-26  Saam Barati  <sbarati@apple.com>
2363
2364         ASSERTION FAILED: inIndex != notFound in JSC::invalidParameterInSourceAppender()
2365         https://bugs.webkit.org/show_bug.cgi?id=170924
2366         <rdar://problem/31721052>
2367
2368         Reviewed by Mark Lam.
2369
2370         The error message handler for "in" was searching for the literal
2371         string "in". However, our parser incorrectly allows escaped characters
2372         to be part of keywords. So this is parsed as "in" in JSC: "i\u006E".
2373         It should not be parsed that way. I opened https://bugs.webkit.org/show_bug.cgi?id=171310
2374         to address this issue.
2375         
2376         Regardless, the error message handlers should handle unexpected text gracefully.
2377         All functions that try to augment error messages with the goal of
2378         providing a more textual context for the error message should use
2379         the original error message instead of crashing when they detect
2380         unexpected text.
2381         
2382         This patch also changes the already buggy code that tries to find
2383         the base of a function call. That code would fail for code like this:
2384         "zoo.bar("/abc\)*/");". See https://bugs.webkit.org/show_bug.cgi?id=146304
2385         It would think that the base is "z". However, the algorithm that tries
2386         to find the base can often tell when it fails, and when it does, it should
2387         happily return the approximate text error message instead of thinking
2388         that the base is "z".
2389
2390         * runtime/ExceptionHelpers.cpp:
2391         (JSC::functionCallBase):
2392         (JSC::notAFunctionSourceAppender):
2393         (JSC::invalidParameterInSourceAppender):
2394
2395 2017-04-26  Keith Miller  <keith_miller@apple.com>
2396
2397         WebAssembly: Implement tier up
2398         https://bugs.webkit.org/show_bug.cgi?id=170134
2399
2400         Reviewed by Filip Pizlo.
2401
2402         This patch implements tier up for wasm functions. Unlike with JS
2403         code, wasm code needs to be able to tier up concurrently with the
2404         running code.  Since JS code is synchronous we can always link on
2405         the running thread, wasm, however, can run the same code on more
2406         than one thread. In order to make patching work correctly, we need
2407         to ensure that all patches of callsites are aligned. On ARM we get
2408         this for free since every call is a near call. On X86 we ensure
2409         that the 32-bit relative offset is 32-bit aligned.
2410
2411         This patch also modifies how Wasm::Plan works. Now Plan is an
2412         abstract superclass and there are two subclasses, which
2413         correspond to the different tiers of our wasm engine.  The first,
2414         Build Bytecode Quickly (BBQ) tier, roughly does what the old plan
2415         code did before.  The new tier, Optimized Machine code Generation
2416         (OMG), can be called at any point by BBQ code and compiles exactly
2417         one function. Once an OMGPlan finishes it will link its code
2418         internally then reset the instruction cache of all running wasm
2419         threads via a ThreadMessage. Once the instruction caches have
2420         been reset all the other functions will be patched to call the new
2421         code.
2422
2423         * JavaScriptCore.xcodeproj/project.pbxproj:
2424         * assembler/AbstractMacroAssembler.h:
2425         (JSC::AbstractMacroAssembler::ensureCacheLineSpace):
2426         * assembler/CodeLocation.h:
2427         (JSC::CodeLocationThreadSafeNearCall::CodeLocationThreadSafeNearCall):
2428         * assembler/MacroAssemblerARM64.h:
2429         (JSC::MacroAssemblerARM64::threadSafePatchableNearCall):
2430         * assembler/MacroAssemblerX86Common.h:
2431         (JSC::MacroAssemblerX86Common::threadSafeNearCall):
2432         * assembler/MacroAssemblerX86_64.h:
2433         (JSC::MacroAssemblerX86_64::threadSafePatchableNearCall):
2434         * b3/air/AirEmitShuffle.cpp:
2435         (JSC::B3::Air::ShufflePair::inst):
2436         (JSC::B3::Air::ShufflePair::opcode): Deleted.
2437         * b3/air/AirEmitShuffle.h:
2438         * jsc.cpp:
2439         (functionTestWasmModuleFunctions):
2440         * runtime/JSLock.cpp:
2441         (JSC::JSLock::didAcquireLock):
2442         * runtime/Options.h:
2443         * wasm/WasmB3IRGenerator.cpp:
2444         (JSC::Wasm::B3IRGenerator::materializeWasmContext):
2445         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2446         (JSC::Wasm::B3IRGenerator::constant):
2447         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2448         (JSC::Wasm::B3IRGenerator::addLoop):
2449         (JSC::Wasm::B3IRGenerator::addTopLevel):
2450         (JSC::Wasm::B3IRGenerator::addBlock):
2451         (JSC::Wasm::createJSToWasmWrapper):
2452         (JSC::Wasm::parseAndCompile):
2453         * wasm/WasmB3IRGenerator.h:
2454         * wasm/WasmBBQPlan.cpp: Copied from Source/JavaScriptCore/wasm/WasmPlan.cpp.
2455         (JSC::Wasm::BBQPlan::BBQPlan):
2456         (JSC::Wasm::BBQPlan::stateString):
2457         (JSC::Wasm::BBQPlan::moveToState):
2458         (JSC::Wasm::BBQPlan::parseAndValidateModule):
2459         (JSC::Wasm::BBQPlan::prepare):
2460         (JSC::Wasm::BBQPlan::ThreadCountHolder::ThreadCountHolder):
2461         (JSC::Wasm::BBQPlan::ThreadCountHolder::~ThreadCountHolder):
2462         (JSC::Wasm::BBQPlan::compileFunctions):
2463         (JSC::Wasm::BBQPlan::complete):
2464         (JSC::Wasm::BBQPlan::work):
2465         * wasm/WasmBBQPlan.h: Copied from Source/JavaScriptCore/wasm/WasmPlan.h.
2466         * wasm/WasmBBQPlanInlines.h: Copied from Source/JavaScriptCore/wasm/WasmPlanInlines.h.
2467         (JSC::Wasm::BBQPlan::initializeCallees):
2468         * wasm/WasmBinding.cpp:
2469         (JSC::Wasm::wasmToWasm):
2470         * wasm/WasmCallee.h:
2471         (JSC::Wasm::Callee::entrypoint):
2472         * wasm/WasmCodeBlock.cpp:
2473         (JSC::Wasm::CodeBlock::CodeBlock):
2474         * wasm/WasmCodeBlock.h:
2475         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
2476         (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
2477         (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace):
2478         (JSC::Wasm::CodeBlock::tierUpCount):
2479         (JSC::Wasm::CodeBlock::mode):
2480         * wasm/WasmFormat.h:
2481         (JSC::Wasm::CallableFunction::CallableFunction):
2482         (JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation):
2483         * wasm/WasmMachineThreads.cpp: Copied from Source/JavaScriptCore/wasm/WasmPlanInlines.h.
2484         (JSC::Wasm::wasmThreads):
2485         (JSC::Wasm::startTrackingCurrentThread):
2486         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2487         * wasm/WasmMachineThreads.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.h.
2488         * wasm/WasmModule.cpp:
2489         (JSC::Wasm::makeValidationResult):
2490         (JSC::Wasm::makeValidationCallback):
2491         (JSC::Wasm::Module::validateSync):
2492         (JSC::Wasm::Module::validateAsync):
2493         * wasm/WasmModule.h:
2494         (JSC::Wasm::Module::codeBlockFor):
2495         * wasm/WasmOMGPlan.cpp: Added.
2496         (JSC::Wasm::OMGPlan::OMGPlan):
2497         (JSC::Wasm::OMGPlan::work):
2498         (JSC::Wasm::runOMGPlanForIndex):
2499         * wasm/WasmOMGPlan.h: Copied from Source/JavaScriptCore/wasm/WasmPlanInlines.h.
2500         * wasm/WasmPlan.cpp:
2501         (JSC::Wasm::Plan::Plan):
2502         (JSC::Wasm::Plan::runCompletionTasks):
2503         (JSC::Wasm::Plan::addCompletionTask):
2504         (JSC::Wasm::Plan::waitForCompletion):
2505         (JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast):
2506         (JSC::Wasm::Plan::fail):
2507         (JSC::Wasm::Plan::stateString): Deleted.
2508         (JSC::Wasm::Plan::moveToState): Deleted.
2509         (JSC::Wasm::Plan::parseAndValidateModule): Deleted.
2510         (JSC::Wasm::Plan::prepare): Deleted.
2511         (JSC::Wasm::Plan::ThreadCountHolder::ThreadCountHolder): Deleted.
2512         (JSC::Wasm::Plan::ThreadCountHolder::~ThreadCountHolder): Deleted.
2513         (JSC::Wasm::Plan::compileFunctions): Deleted.
2514         (JSC::Wasm::Plan::complete): Deleted.
2515         * wasm/WasmPlan.h:
2516         (JSC::Wasm::Plan::exports): Deleted.
2517         (JSC::Wasm::Plan::internalFunctionCount): Deleted.
2518         (JSC::Wasm::Plan::takeModuleInformation): Deleted.
2519         (JSC::Wasm::Plan::takeCallLinkInfos): Deleted.
2520         (JSC::Wasm::Plan::takeWasmToWasmExitStubs): Deleted.
2521         (JSC::Wasm::Plan::hasWork): Deleted.
2522         (JSC::Wasm::Plan::hasBeenPrepared): Deleted.
2523         * wasm/WasmTierUpCount.h: Renamed from Source/JavaScriptCore/wasm/WasmPlanInlines.h.
2524         (JSC::Wasm::TierUpCount::TierUpCount):
2525         (JSC::Wasm::TierUpCount::loopDecrement):
2526         (JSC::Wasm::TierUpCount::functionEntryDecrement):
2527         (JSC::Wasm::TierUpCount::shouldStartTierUp):
2528         (JSC::Wasm::TierUpCount::count):
2529         * wasm/WasmWorklist.cpp:
2530         * wasm/WasmWorklist.h:
2531         (JSC::Wasm::Worklist::nextTicket):
2532         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2533         * wasm/js/JSWebAssemblyCodeBlock.h:
2534         (JSC::JSWebAssemblyCodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace):
2535         (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport):
2536         (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace): Deleted.
2537         * wasm/js/JSWebAssemblyTable.cpp:
2538         (JSC::JSWebAssemblyTable::setFunction):
2539         * wasm/js/WebAssemblyFunction.cpp:
2540         (JSC::WebAssemblyFunction::create):
2541         (JSC::WebAssemblyFunction::WebAssemblyFunction):
2542         * wasm/js/WebAssemblyFunction.h:
2543         (JSC::WebAssemblyFunction::signatureIndex):
2544         (JSC::WebAssemblyFunction::wasmEntrypointLoadLocation):
2545         (JSC::WebAssemblyFunction::callableFunction):
2546         (JSC::WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation):
2547         (JSC::WebAssemblyFunction::wasmEntrypoint): Deleted.
2548         (JSC::WebAssemblyFunction::offsetOfWasmEntrypoint): Deleted.
2549         * wasm/js/WebAssemblyModuleRecord.cpp:
2550         (JSC::WebAssemblyModuleRecord::link):
2551         (JSC::WebAssemblyModuleRecord::evaluate):
2552         * wasm/js/WebAssemblyPrototype.cpp:
2553         (JSC::webAssemblyValidateFunc):
2554         * wasm/js/WebAssemblyWrapperFunction.cpp:
2555         (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
2556         (JSC::WebAssemblyWrapperFunction::create):
2557         * wasm/js/WebAssemblyWrapperFunction.h:
2558         (JSC::WebAssemblyWrapperFunction::signatureIndex):
2559         (JSC::WebAssemblyWrapperFunction::wasmEntrypointLoadLocation):
2560         (JSC::WebAssemblyWrapperFunction::callableFunction):
2561         (JSC::WebAssemblyWrapperFunction::wasmEntrypoint): Deleted.
2562
2563 2017-04-26  Caitlin Potter  <caitp@igalia.com>
2564
2565         [JSC] fix RETURN_IF_EXCEPTION() placement in ownPropertyKeys()
2566         https://bugs.webkit.org/show_bug.cgi?id=171330
2567
2568         Reviewed by Mark Lam.
2569
2570         Ensure RETURN_IF_EXCEPTION() following invocation of the
2571         filterPropertyIfNeeded() lambda.
2572
2573         * runtime/ObjectConstructor.cpp:
2574         (JSC::ownPropertyKeys):
2575
2576 2017-04-26  Caitlin Potter  <caitp@igalia.com>
2577
2578         [JSC] Object.keys() must discard property names with no PropertyDescriptor
2579         https://bugs.webkit.org/show_bug.cgi?id=171291
2580
2581         Reviewed by Yusuke Suzuki.
2582
2583         Proxy objects can produce an arbitrary list of property names from the
2584         "ownKeys" trap, however the Object.keys() algorithm is required to
2585         discard names which do not have a PropertyDescriptor. This also
2586         applies to other uses of the EnumerableOwnProperties() algorithm
2587         (https://tc39.github.io/ecma262/#sec-enumerableownproperties)
2588
2589         Related to https://bugs.chromium.org/p/v8/issues/detail?id=6290
2590
2591         * runtime/ObjectConstructor.cpp:
2592         (JSC::ownPropertyKeys):
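
Added example for the entry above (not JSC code and not part of this ChangeLog): a Proxy whose "ownKeys" trap reports names that have no PropertyDescriptor, the spec's EnumerableOwnProperties() algorithm written out in JavaScript, and a comparison against the engine's own Object.keys()/Object.entries(). The names makeLyingProxy, enumerableOwnProperties and checkAgainstEngine are this example's own; all input objects are constructed inline. Runs on Node.js or any ES2015+ engine.

```javascript
// Added example, not JSC code: why Object.keys() has to consult
// [[GetOwnProperty]] for every name an "ownKeys" trap reports.

// A proxy whose ownKeys trap lies: it reports names that do not exist on the
// target, so getOwnPropertyDescriptor() returns undefined for them.
function makeLyingProxy() {
  const target = { a: 1, b: 2 };
  const probed = [];   // names the engine asked for a descriptor for
  const proxy = new Proxy(target, {
    ownKeys() {
      // Allowed by the proxy invariants: the target is extensible and all of
      // its own properties are configurable, so extra names may be reported.
      return ['a', 'b', 'ghost', 'phantom'];
    },
    getOwnPropertyDescriptor(t, name) {
      probed.push(name);
      return Reflect.getOwnPropertyDescriptor(t, name);   // undefined for ghost/phantom
    },
  });
  return { proxy, probed };
}

// EnumerableOwnProperties(O, kind) from ECMA-262, written out in JS.
// kind is 'key', 'value' or 'key+value'; Object.keys(), Object.values() and
// Object.entries() are specified in terms of this algorithm.
function enumerableOwnProperties(obj, kind) {
  const result = [];
  for (const key of Reflect.ownKeys(obj)) {                   // [[OwnPropertyKeys]]
    if (typeof key !== 'string') continue;                    // symbols are skipped
    const desc = Object.getOwnPropertyDescriptor(obj, key);   // [[GetOwnProperty]]
    if (desc === undefined || !desc.enumerable) continue;     // the discarded case
    if (kind === 'key') {
      result.push(key);
    } else {
      const value = obj[key];                                 // [[Get]]
      result.push(kind === 'value' ? value : [key, value]);
    }
  }
  return result;
}

// Compares the engine's built-ins against the spec algorithm on the lying proxy.
// A conforming engine returns only "a" and "b", and must have probed "ghost".
function checkAgainstEngine() {
  const { proxy, probed } = makeLyingProxy();
  return {
    engineKeys: Object.keys(proxy),
    specKeys: enumerableOwnProperties(proxy, 'key'),
    engineEntries: Object.entries(proxy),
    specEntries: enumerableOwnProperties(proxy, 'key+value'),
    probedGhost: probed.includes('ghost'),
  };
}
```

The interesting line is the `desc === undefined` check: a trap may return any list of names, so the only way to know a name is real is to ask for its descriptor, and an engine that skips that step hands the caller keys that do not exist.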
2593
2594 2017-04-25  Andy VanWagoner  <thetalecrafter@gmail.com>
2595
2596         Unhandled enumeration values in IntlDateTimeFormat.cpp
2597         https://bugs.webkit.org/show_bug.cgi?id=171241
2598
2599         Reviewed by JF Bastien.
2600
2601         Added some missing cases of the UDateFormatField to partTypeString,
2602         and made them conditional on the ICU version that added them.
2603         This should remove the warnings that appear on platform builds using the
2604         newer system ICU headers.
2605
2606         * runtime/IntlDateTimeFormat.cpp:
2607         (JSC::IntlDateTimeFormat::partTypeString):
2608
2609 2017-04-25  Commit Queue  <commit-queue@webkit.org>
2610
2611         Unreviewed, rolling out r215476.
2612         https://bugs.webkit.org/show_bug.cgi?id=171304
2613
2614         "It broke JSBench" (Requested by saamyjoon on #webkit).
2615
2616         Reverted changeset:
2617
2618         "[ES6]. Implement Annex B.3.3 function hoisting rules for
2619         eval"
2620         https://bugs.webkit.org/show_bug.cgi?id=163208
2621         http://trac.webkit.org/changeset/215476
2622
2623 2017-04-25  Saam Barati  <sbarati@apple.com>
2624
2625         JSArray::isArrayPrototypeIteratorProtocolFastAndNonObservable is wrong because it does not do the necessary checks on the base object
2626         https://bugs.webkit.org/show_bug.cgi?id=171150
2627         <rdar://problem/31771880>
2628
2629         Reviewed by Sam Weinig.
2630
2631         This patch fixes a huge oversight from the patch that introduced
2632         op_spread/Spread. The original patch did not account for the
2633         base object having Symbol.iterator or getters that could
2634         change the iterator protocol. This patch fixes the oversight both
2635         in the C code, as well as the DFG/FTL backends. We only perform
2636         the memcpy version of spread if we've proven that it's guaranteed
2637         to be side-effect free (no indexed getters), and if the iterator
2638         protocol is guaranteed to be the original protocol. To do this, we
2639         must prove that:
2640         1. The protocol on Array.prototype hasn't changed (this is the same as the
2641         introductory patch for op_spread).
2642         2. The base object's __proto__ is Array.prototype
2643         3. The base object does not have indexed getters
2644         4. The base object does not have Symbol.iterator property.
2645
2646         * dfg/DFGGraph.cpp:
2647         (JSC::DFG::Graph::canDoFastSpread):
2648         * dfg/DFGGraph.h:
2649         * dfg/DFGSpeculativeJIT.cpp:
2650         (JSC::DFG::SpeculativeJIT::compileSpread):
2651         * ftl/FTLLowerDFGToB3.cpp:
2652         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2653         * runtime/JSArray.cpp:
2654         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
2655         * runtime/JSArray.h:
2656         * runtime/JSArrayInlines.h:
2657         (JSC::JSArray::isIteratorProtocolFastAndNonObservable): Deleted.
2658         * runtime/JSGlobalObject.h:
2659         * runtime/JSGlobalObjectInlines.h:
2660         (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
2661         (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable): Deleted.
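
Added example for the entry above (not JSC code and not part of this ChangeLog): a user-land approximation of the four conditions listed, plus constructed arrays that each violate one of them, showing that [...arr] is observable in every such case and so cannot be a plain memcpy. JSC guards condition 1 with watchpoints; here it is approximated by comparing function identities captured at load time. The names spreadIsObservable, makeSamples and withPatchedArrayIterator are this example's own. Runs on Node.js or any ES2015+ engine.

```javascript
// Added example, not JSC code: when is spreading an array observable?

// Snapshot of the "original" iterator protocol, taken when this module loads.
const ORIGINAL_ARRAY_ITERATOR = Array.prototype[Symbol.iterator];
const ARRAY_ITERATOR_PROTOTYPE = Object.getPrototypeOf([][Symbol.iterator]());
const ORIGINAL_ITERATOR_NEXT = ARRAY_ITERATOR_PROTOTYPE.next;

// Condition 1: Array.prototype[Symbol.iterator] and %ArrayIteratorPrototype%.next
// are still the built-ins.
function arrayPrototypeProtocolIsOriginal() {
  return Array.prototype[Symbol.iterator] === ORIGINAL_ARRAY_ITERATOR
      && ARRAY_ITERATOR_PROTOTYPE.next === ORIGINAL_ITERATOR_NEXT;
}

// Condition 3: an own array-index property that is an accessor runs user code
// when the iterator reads arr[i].
function hasOwnIndexedAccessor(arr) {
  for (const key of Object.getOwnPropertyNames(arr)) {
    if (!/^(0|[1-9]\d*)$/.test(key)) continue;   // array indices only
    const desc = Object.getOwnPropertyDescriptor(arr, key);
    if (desc.get !== undefined || desc.set !== undefined) return true;
  }
  return false;
}

// True when [...arr] may run user code or produce something other than a copy
// of the elements; an engine must take the slow path in that case.
function spreadIsObservable(arr) {
  if (!Array.isArray(arr)) return true;
  if (!arrayPrototypeProtocolIsOriginal()) return true;                         // 1
  if (Object.getPrototypeOf(arr) !== Array.prototype) return true;               // 2
  if (hasOwnIndexedAccessor(arr)) return true;                                   // 3
  if (Object.prototype.hasOwnProperty.call(arr, Symbol.iterator)) return true;   // 4
  return false;
}

// Constructed inputs: a plain array and one violation of each of conditions 2-4.
function makeSamples() {
  const plain = [1, 2, 3];

  const ownIterator = [1, 2, 3];
  ownIterator[Symbol.iterator] = function* () { yield 'hijacked'; };   // 4

  const indexedGetter = [1, 2, 3];
  Object.defineProperty(indexedGetter, 1, {                            // 3
    get() { return 'from getter'; }, enumerable: true, configurable: true,
  });

  class MyArray extends Array {}
  const subclass = MyArray.of(1, 2, 3);                                // 2

  return { plain, ownIterator, indexedGetter, subclass };
}

// Runs fn while Array.prototype[Symbol.iterator] is replaced (condition 1),
// then restores it so the rest of the process sees the original protocol.
function withPatchedArrayIterator(fn) {
  const saved = Array.prototype[Symbol.iterator];
  Array.prototype[Symbol.iterator] = function* () { yield 'patched'; };
  try {
    return fn();
  } finally {
    Array.prototype[Symbol.iterator] = saved;
  }
}
```

Note that the first three checks alone are not enough: the ownIterator sample passes conditions 1 to 3 and still yields "hijacked", which is exactly the oversight the entry describes for the base object's own Symbol.iterator.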
2662
2663 2017-04-25  Mark Lam  <mark.lam@apple.com>
2664
2665         Array.prototype.slice() should ensure that end >= begin.
2666         https://bugs.webkit.org/show_bug.cgi?id=170989
2667         <rdar://problem/31705652>
2668
2669         Reviewed by Saam Barati.
2670
2671         * runtime/ArrayPrototype.cpp:
2672         (JSC::arrayProtoFuncSlice):
2673
2674 2017-04-25  Don Olmstead  <don.olmstead@am.sony.com>
2675
2676         [Win] Use Clang's __has_declspec_attribute for export macros
2677         https://bugs.webkit.org/show_bug.cgi?id=171240
2678
2679         Reviewed by Alex Christensen.
2680
2681         * runtime/JSExportMacros.h:
2682
2683 2017-04-25  Saam Barati  <sbarati@apple.com>
2684
2685         Unreviewed. Attempt armv7k build fix after r215720
2686
2687         I think we're just missing an include for the definition of ExecState::r().
2688
2689         * runtime/JSFixedArray.cpp:
2690
2691 2017-04-25  Daniel Bates  <dabates@apple.com>
2692
2693         [Cocoa][Win] Enable the X-Content-Type-Options: nosniff header
2694         https://bugs.webkit.org/show_bug.cgi?id=136452
2695         <rdar://problem/23412620>
2696
2697         Reviewed by Brent Fulgham.
2698
2699         Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.
2700
2701         * Configurations/FeatureDefines.xcconfig:
2702
2703 2017-04-25  Mark Lam  <mark.lam@apple.com>
2704
2705         Local CSE wrongly CSEs array accesses with different result types.
2706         https://bugs.webkit.org/show_bug.cgi?id=170990
2707         <rdar://problem/31705945>
2708
2709         Reviewed by Saam Barati.
2710
2711         The fix is to use different LocationKind enums for the different array
2712         result types.  This makes the HeapLocation values different based on the result
2713         types, and allows CSE to discern between them.
2714
2715         * dfg/DFGCSEPhase.cpp:
2716         * dfg/DFGClobberize.h:
2717         (JSC::DFG::clobberize):
2718         * dfg/DFGHeapLocation.cpp:
2719         (WTF::printInternal):
2720         * dfg/DFGHeapLocation.h:
2721         (JSC::DFG::indexedPropertyLocForResultType):
2722
2723 2017-04-25  Mark Lam  <mark.lam@apple.com>
2724
2725         Make DFG SpeculatedType dumps easier to read.
2726         https://bugs.webkit.org/show_bug.cgi?id=171280
2727
2728         Reviewed by Saam Barati.
2729
2730         Adding a pretty printer to insert |s between each type string and changing the
2731         dumped strings to match the SpeculatedType names case-wise.
2732
2733         * bytecode/SpeculatedType.cpp:
2734         (JSC::PrettyPrinter::PrettyPrinter):
2735         (JSC::PrettyPrinter::print):
2736         (JSC::dumpSpeculation):
2737         * bytecode/SpeculatedType.h:
2738
2739 2017-04-25  JF Bastien  <jfbastien@apple.com>
2740
2741         lowerStackArgs: check Arg::addr.isValidForm when falling back to SP offsets
2742         https://bugs.webkit.org/show_bug.cgi?id=171278
2743
2744         Reviewed by Filip Pizlo.
2745
2746         lowerStackArgs checked that the FP offsets it tries to generate
2747         are valid form, but didn't check that the fallback was valid
2748         form. This led to stackAddr's assertion being dead, and the
2749         MacroAssembler asserting way later on move / add when handed a huge
2750         immediate.
2751
2752         * b3/air/AirArg.cpp:
2753         (JSC::B3::Air::Arg::stackAddrImpl):
2754
2017-04-25  Zan Dobersek  <zdobersek@igalia.com>

        [aarch64] moveConditionally32(), moveConditionallyTest32() should move from/to 64-bit registers
        https://bugs.webkit.org/show_bug.cgi?id=170891

        Reviewed by Saam Barati.

        moveConditionally32() and moveConditionallyTest32() operations in
        MacroAssemblerARM64 properly perform comparisons and tests on 32-bit
        values, but end up performing the moves from and to 32-bit registers.

        Move operations should instead be done on 64-bit registers, just like
        on the X86_64 platform. This is achieved by specifying 64 as the data
        size for the csel instructions.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::moveConditionally32):
        (JSC::MacroAssemblerARM64::moveConditionallyTest32):

2017-04-24  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/language/expressions/object/method-definition/early-errors-object-method-duplicate-parameters.js
        https://bugs.webkit.org/show_bug.cgi?id=171190

        Reviewed by Saam Barati.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
        (JSC::BytecodeGenerator::emitNewFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):
        (JSC::Scope::setSourceParseMode):
        * parser/ParserModes.h:
        (JSC::isFunctionParseMode):
        (JSC::isMethodParseMode):
        (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
        (JSC::isGeneratorParseMode):
        (JSC::isGeneratorWrapperParseMode):
        * runtime/FunctionExecutable.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        Add a new GeneratorWrapperMethodMode parse mode. The other function types
        (async, arrow) already have a FunctionMode and a MethodMode. Give
        generators one as well. This lets isMethodParseMode actually be accurate.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::isArrowFunctionParameters):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::stringForFunctionMode):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        * parser/Parser.h:
        Add a duplicate parameter failure if there are duplicate parameters
        in method syntax.

2017-04-24  Andy VanWagoner  <thetalecrafter@gmail.com>

        Clean up ICU headers
        https://bugs.webkit.org/show_bug.cgi?id=170997

        Reviewed by JF Bastien.

        Update all icu headers to 55.1

        * icu/LICENSE: Update copyright
        * icu/README: Explain ICU headers for OS X better
        * icu/unicode/localpointer.h:
        (LocalPointer::LocalPointer):
        (LocalPointer::adoptInsteadAndCheckErrorCode):
        * icu/unicode/platform.h:
        * icu/unicode/putil.h:
        * icu/unicode/ucal.h:
        * icu/unicode/uchar.h:
        * icu/unicode/ucnv.h:
        * icu/unicode/ucol.h:
        * icu/unicode/uconfig.h:
        * icu/unicode/ucurr.h:
        * icu/unicode/udatpg.h:
        * icu/unicode/udisplaycontext.h:
        * icu/unicode/uformattable.h:
        * icu/unicode/uloc.h:
        * icu/unicode/umachine.h:
        * icu/unicode/unum.h:
        * icu/unicode/unumsys.h:
        * icu/unicode/urename.h:
        * icu/unicode/uscript.h:
        * icu/unicode/uset.h:
        * icu/unicode/ustring.h:
        * icu/unicode/utf8.h:
        * icu/unicode/utypes.h:

2017-04-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use JSFixedArray directly when using call_varargs
        https://bugs.webkit.org/show_bug.cgi?id=171057

        Reviewed by Saam Barati.

        Previously we always emitted new_array_with_spread when calling call(...args).
        But this array is unnecessary if the varargs operation can handle Spread directly.

        This patch implements a peep-hole optimization in the bytecode compiler layer
        to omit new_array_with_spread. This is very simple and effective because this
        peep-hole optimization is quite common when using (...args) style calls and
        this optimization works in all the tiers. While we can implement the phase to
        omit this NewArrayWithSpread in the argument elimination phase, it only works
        for FTL. While such an optimization can work with complex data flow, this
        peep-hole optimization can optimize a common case easily.

        For now, Spread and PhantomSpread can be directly drained by CallVarargs
        and LoadVarargs related operations. We modify DFG and FTL to handle this correctly.

        This shows a six-speed improvement.

            spread.es6                 89.4300+-2.0236     ^     69.6015+-1.7278        ^ definitely 1.2849x faster
            spread-generator.es6      344.7879+-5.9147     ^    331.2712+-6.8610        ^ definitely 1.0408x faster

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        (JSC::loadVarargs):
        * parser/Nodes.h:
        (JSC::ArrayNode::elements):
        * runtime/JSFixedArray.cpp:
        (JSC::JSFixedArray::copyToArguments):
        * runtime/JSFixedArray.h:

2017-04-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Move JSC tools/StackTrace to WTF and unify stack trace dump code
        https://bugs.webkit.org/show_bug.cgi?id=171199

        Reviewed by Mark Lam.

        This patch adds a utility method to produce demangled names with dladdr.
        It fixes several memory leaks because the result of abi::__cxa_demangle()
        needs to be `free`-ed.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::displayName):
        * tools/CellProfile.h:
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::report):
        (JSC::symbolName): Deleted.
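
        Added illustration (not part of this ChangeLog and not WTF's StackTrace code): a
        C++ helper that owns the buffer abi::__cxa_demangle() returns through a free()-based
        deleter, so the allocation is released on every return path, including the
        early return for names that are not mangled. The names demangleSymbol and
        frameDescription are invented for the example and the sample symbols are constructed.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cxxabi.h>
#include <memory>
#include <string>

// abi::__cxa_demangle() hands back a malloc()'d buffer that the caller owns.
// Holding it in a unique_ptr with a free()-based deleter releases it on every
// path, which is the leak class the entry above fixes.
struct FreeDeleter {
    void operator()(void* pointer) const { std::free(pointer); }
};

// Returns the demangled form of a C++ symbol, or the input unchanged when it
// is not a mangled name (status -2) or demangling fails for another reason
// (status -1 allocation failure, -3 invalid argument).
std::string demangleSymbol(const char* mangledName)
{
    int status = 0;
    std::unique_ptr<char, FreeDeleter> demangled(
        abi::__cxa_demangle(mangledName, nullptr, nullptr, &status));
    if (status != 0 || !demangled)
        return mangledName;
    return std::string(demangled.get());
}

// Builds one line of a backtrace dump from a symbol name and an offset, as a
// dladdr()-based dumper would after resolving a return address. Hypothetical
// helper for this example, not the WTF StackTrace API.
std::string frameDescription(const char* rawSymbol, unsigned long offset)
{
    return demangleSymbol(rawSymbol) + " + " + std::to_string(offset);
}

int main()
{
    // Constructed sample symbols: one mangled C++ name, one plain C symbol.
    std::printf("%s\n", frameDescription("_ZN3JSC9CodeBlock3fooEv", 42).c_str());
    std::printf("%s\n", frameDescription("main", 16).c_str());
    return 0;
}
```

        The same wrapper works for any malloc()-returning C API; the point is that the
        demangled string is copied out before the owning pointer goes out of scope.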

2017-04-24  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ObjC RWIProtocol codegen should better handle optional members
        https://bugs.webkit.org/show_bug.cgi?id=171251
        <rdar://problem/31697002>

        Reviewed by Brian Burg.

        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_to_objc_expression_for_member):
        (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
        Always be safe and nil check object property accesses, optional or not.

        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        Rebaselined inspector generator tests.

2017-04-24  Saam Barati  <sbarati@apple.com>

        ASSERTION FAILED: m_table seen with workers/wasm-hashset LayoutTests
        https://bugs.webkit.org/show_bug.cgi?id=171119
        <rdar://problem/31760635>

        Reviewed by Keith Miller.

        The HashSet of timer set notification callbacks can be accessed
        and augmented simultaneously from different threads. e.g., the worker
        thread can augment it while the wasm compilation thread will
        access it. Therefore, accesses must be guarded by a lock.

        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::scheduleTimer):
        (JSC::JSRunLoopTimer::addTimerSetNotification):
        (JSC::JSRunLoopTimer::removeTimerSetNotification):
        * runtime/JSRunLoopTimer.h:
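
        Added illustration (not part of this ChangeLog and not JSRunLoopTimer's code): a
        C++ registry of notification callbacks in which every access to the set is
        guarded by a mutex, plus a two-thread driver that reproduces the add/remove
        versus schedule pattern described above. Class and function names
        (TimerSetNotificationRegistry, stressRegistry, registryRoundTrip) are invented
        for the example; std::mutex stands in for the WTF lock.

```cpp
#include <atomic>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <unordered_set>
#include <vector>

// A set of "timer set" notification callbacks that, as in the entry above,
// is mutated by one thread (a worker registering and unregistering) while
// another (a compilation thread scheduling a timer) reads it. Every access to
// m_callbacks happens with m_lock held; without the lock, concurrent
// insert/erase and iteration are a data race on the hash table.
class TimerSetNotificationRegistry {
public:
    using Callback = std::function<void()>;

    void addTimerSetNotification(std::shared_ptr<Callback> callback)
    {
        std::lock_guard<std::mutex> locker(m_lock);
        m_callbacks.insert(std::move(callback));
    }

    void removeTimerSetNotification(const std::shared_ptr<Callback>& callback)
    {
        std::lock_guard<std::mutex> locker(m_lock);
        m_callbacks.erase(callback);
    }

    // Called when a timer is scheduled. The set is copied under the lock and
    // the callbacks run outside it, so a callback that re-enters the registry
    // cannot deadlock; the shared_ptr copies keep a callback alive even if it
    // is removed concurrently.
    void scheduleTimer()
    {
        std::vector<std::shared_ptr<Callback>> snapshot;
        {
            std::lock_guard<std::mutex> locker(m_lock);
            snapshot.assign(m_callbacks.begin(), m_callbacks.end());
        }
        for (const auto& callback : snapshot)
            (*callback)();
    }

    size_t size()
    {
        std::lock_guard<std::mutex> locker(m_lock);
        return m_callbacks.size();
    }

private:
    std::mutex m_lock;
    std::unordered_set<std::shared_ptr<Callback>> m_callbacks;
};

// Sequential check: registering two callbacks and removing one leaves one.
size_t registryRoundTrip()
{
    TimerSetNotificationRegistry registry;
    auto first = std::make_shared<TimerSetNotificationRegistry::Callback>([] {});
    auto second = std::make_shared<TimerSetNotificationRegistry::Callback>([] {});
    registry.addTimerSetNotification(first);
    registry.addTimerSetNotification(second);
    registry.removeTimerSetNotification(first);
    return registry.size();
}

// Reproduces the two-thread pattern from the entry: one thread adds and
// removes transient callbacks while another keeps scheduling timers. Returns
// how many times the permanently registered callback fired, which must equal
// `iterations`; an unguarded set would instead corrupt or assert.
unsigned stressRegistry(unsigned iterations)
{
    TimerSetNotificationRegistry registry;
    std::atomic<unsigned> fired { 0 };
    auto permanent = std::make_shared<TimerSetNotificationRegistry::Callback>([&] { fired++; });
    registry.addTimerSetNotification(permanent);

    std::thread worker([&] {
        for (unsigned i = 0; i < iterations; ++i) {
            auto transient = std::make_shared<TimerSetNotificationRegistry::Callback>([] {});
            registry.addTimerSetNotification(transient);
            registry.removeTimerSetNotification(transient);
        }
    });
    std::thread compiler([&] {
        for (unsigned i = 0; i < iterations; ++i)
            registry.scheduleTimer();
    });
    worker.join();
    compiler.join();
    return fired.load();
}
```

        Running the stress driver under ThreadSanitizer with the lock_guard lines removed
        is the quickest way to see the race the assertion in the entry was catching.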

2017-04-24  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/language/computed-property-names/class/static/getter-prototype.js
        https://bugs.webkit.org/show_bug.cgi?id=170897

        Reviewed by Saam Barati.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createArguments):
        (JSC::ASTBuilder::createArgumentsList):
        Reorder so all the createProperty methods are grouped together.

        * parser/Parser.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseGetterSetter):
        Refine the conditions for syntax errors for getter/setter
        property names. "prototype" is not allowed as a static
        and "constructor" is not allowed when non-static.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putGetter):
        (JSC::JSObject::putSetter):
        Throw exceptions. These methods are only used by this path
        via op_put_getter_by_val / op_put_setter_by_val.

2017-04-24  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/language/statements/for-of/dstr-array-elem-init-fn-name-arrow.js
        https://bugs.webkit.org/show_bug.cgi?id=171160

        Reviewed by JF Bastien.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::tryInferNameInPattern):
        (JSC::ASTBuilder::tryInferNameInPatternWithIdentifier):
        We supported getting the name from a BindingNode.
        We extend this to support getting the name from a
        ResolveNode inside of an AssignmentElementNode.

        * parser/Nodes.h:
        (JSC::DestructuringPatternNode::isAssignmentElementNode):
        (JSC::AssignmentElementNode::isAssignmentElementNode):
        Make it possible to identify an assignment element node.

2017-04-24  Alex Christensen  <achristensen@webkit.org>

        Reduce copies and allocations in SharedBuffer::append
        https://bugs.webkit.org/show_bug.cgi?id=170956

        Reviewed by Andreas Kling.

        * runtime/ArrayBuffer.h:

2017-04-24  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Switch to use ENABLE_REMOTE_INSPECTOR instead of ENABLE_INSPECTOR_SERVER for the remote inspector
        https://bugs.webkit.org/show_bug.cgi?id=166680

        Reviewed by Michael Catanzaro.

        Add GTK+ port implementation of RemoteInspector.

        * PlatformGTK.cmake:
        * inspector/remote/RemoteConnectionToTarget.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp: Added.
        (Inspector::RemoteConnectionToTarget::RemoteConnectionToTarget):
        (Inspector::RemoteConnectionToTarget::~RemoteConnectionToTarget):
        (Inspector::RemoteConnectionToTarget::setup):
        (Inspector::RemoteConnectionToTarget::sendMessageToTarget):
        (Inspector::RemoteConnectionToTarget::close):
        (Inspector::RemoteConnectionToTarget::targetClosed):
        (Inspector::RemoteConnectionToTarget::targetIdentifier):
        (Inspector::RemoteConnectionToTarget::sendMessageToFrontend):
        * inspector/remote/glib/RemoteInspectorGlib.cpp: Added.
        (Inspector::RemoteInspector::singleton):
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::setupConnection):
        (Inspector::dbusConnectionCallAsyncReadyCallback):
        (Inspector::RemoteInspector::listingForInspectionTarget):
        (Inspector::RemoteInspector::listingForAutomationTarget):
        (Inspector::RemoteInspector::pushListingsNow):
        (Inspector::RemoteInspector::pushListingsSoon):
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
        (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
        (Inspector::RemoteInspector::sendMessageToRemote):
        (Inspector::RemoteInspector::receivedGetTargetListMessage):
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::receivedDataMessage):
        (Inspector::RemoteInspector::receivedCloseMessage):
        (Inspector::RemoteInspector::setup):
        (Inspector::RemoteInspector::sendMessageToTarget):
        (Inspector::RemoteInspector::requestAutomationSession):
        * inspector/remote/glib/RemoteInspectorServer.cpp: Added.
        (Inspector::generateConnectionID):
        (Inspector::RemoteInspectorServer::singleton):
        (Inspector::RemoteInspectorServer::~RemoteInspectorServer):
        (Inspector::RemoteInspectorServer::interfaceInfo):
        (Inspector::RemoteInspectorServer::start):
        (Inspector::RemoteInspectorServer::newConnectionCallback):
        (Inspector::RemoteInspectorServer::connectionClosedCallback):
        (Inspector::RemoteInspectorServer::newConnection):
        (Inspector::dbusConnectionCallAsyncReadyCallback):
        (Inspector::RemoteInspectorServer::setTargetList):
        (Inspector::RemoteInspectorServer::clientConnectionClosedCallback):
        (Inspector::RemoteInspectorServer::getTargetList):
        (Inspector::RemoteInspectorServer::setup):
        (Inspector::RemoteInspectorServer::close):
        (Inspector::RemoteInspectorServer::clientConnectionClosed):
        (Inspector::RemoteInspectorServer::connectionClosed):
        (Inspector::RemoteInspectorServer::sendMessageToBackend):
        (Inspector::RemoteInspectorServer::sendMessageToFrontend):
        (Inspector::RemoteInspectorServer::startAutomationSession):
        * inspector/remote/glib/RemoteInspectorServer.h: Added.
        (Inspector::RemoteInspectorServer::isRunning):

2017-04-24  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/language/expressions/generators/yield-as-label.js
        https://bugs.webkit.org/show_bug.cgi?id=170979

        Reviewed by Saam Barati.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseFormalParameters):
        Converge on "Cannot" instead of "Can't" in error messages.

        (JSC::Parser<LexerType>::parseFunctionInfo):
        Disallow "yield" as the generator function name in function expressions.
        This refers to the difference between Declaration and Expression, where
        only GeneratorExpression explicitly has [+Yield] disallowing yield for
        the generator name:

            GeneratorDeclaration[Yield, Await, Default]:
                function * BindingIdentifier[?Yield, ?Await] ...

            GeneratorExpression:
                function * BindingIdentifier[+Yield, ~Await]opt ...

        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        Disallow "yield" as a label name in strict mode or inside a generator.

        (JSC::Parser<LexerType>::parseProperty):
        Disallow "yield" or any keyword in object literal shorthands.

        * parser/Parser.h:
        (JSC::Parser::getToken):
        (JSC::Parser::isDisallowedIdentifierLet):
        (JSC::Parser::isDisallowedIdentifierYield):
        (JSC::Parser::disallowedIdentifierLetReason):
        (JSC::Parser::disallowedIdentifierYieldReason):
        Follow pattern for improved error messages based on context.

2017-04-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r215674.
        https://bugs.webkit.org/show_bug.cgi?id=171212

        Possible unintended commit. This patch was on the wrong bug.
        (Requested by JoePeck on #webkit).

        Reverted changeset:

        "test262: test262/test/language/expressions/generators/yield-
        as-label.js"
        https://bugs.webkit.org/show_bug.cgi?id=170979
        http://trac.webkit.org/changeset/215674

2017-04-23  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/built-ins/Number/prototype/toPrecision/nan.js
        https://bugs.webkit.org/show_bug.cgi?id=171197

        Reviewed by Saam Barati.

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        Refine the order of operations to match the spec.

2017-04-23  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/language/expressions/generators/yield-as-label.js
        https://bugs.webkit.org/show_bug.cgi?id=170979

        Reviewed by Saam Barati.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseFormalParameters):
        Converge on "Cannot" instead of "Can't" in error messages.

        (JSC::Parser<LexerType>::parseFunctionInfo):
        Disallow "yield" as the generator function name in function expressions.
        This refers to the difference between Declaration and Expression, where
        only GeneratorExpression explicitly has [+Yield] disallowing yield for
        the generator name:

            GeneratorDeclaration[Yield, Await, Default]:
                function * BindingIdentifier[?Yield, ?Await] ...

            GeneratorExpression:
                function * BindingIdentifier[+Yield, ~Await]opt ...

        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        Disallow "yield" as a label name in strict mode or inside a generator.

        (JSC::Parser<LexerType>::parseProperty):
        Disallow "yield" or any keyword in object literal shorthands.

        * parser/Parser.h:
        (JSC::Parser::getToken):
        (JSC::Parser::isDisallowedIdentifierLet):
        (JSC::Parser::isDisallowedIdentifierYield):
        (JSC::Parser::disallowedIdentifierLetReason):
        (JSC::Parser::disallowedIdentifierYieldReason):
        Follow pattern for improved error messages based on context.

2017-04-23  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/built-ins/Number/parseFloat.js
        https://bugs.webkit.org/show_bug.cgi?id=171193

        Reviewed by Yusuke Suzuki.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::parseFloatFunction):
        Expose parseFloat on the global object to be shared with Number constructor.

        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        parseFloat uses the same value as the global parseFloat.

2017-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use DoublyLinkedList for MachineThread
        https://bugs.webkit.org/show_bug.cgi?id=171171

        Reviewed by Mark Lam.

        MachineThread can use WTF::DoublyLinkedList to simplify
        its implementation. We should not use Vector<> etc. since
        we do not want to call allocations during suspending and
        resuming threads.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThreadIfFound):
        (JSC::MachineThreads::MachineThread::MachineThread):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::threadsListHead):
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::isValidFramePointer):
        * runtime/VMTraps.cpp:
        (JSC::findActiveVMAndStackBounds):

2017-04-22  JF Bastien  <jfbastien@apple.com>

        WebAssembly: Module.exports, Module.imports, Module.customSections are wrong
        https://bugs.webkit.org/show_bug.cgi?id=171078

        Reviewed by Saam Barati.

        They're static properties of Module, not instance properties of a module.
        https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymoduleexports

        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::webAssemblyModuleCustomSections):
        (JSC::webAssemblyModuleImports):
        (JSC::webAssemblyModuleExports):
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::webAssemblyModuleProtoCustomSections): Deleted.
        (JSC::webAssemblyModuleProtoImports): Deleted.
        (JSC::webAssemblyModuleProtoExports): Deleted.

2017-04-21  Saam Barati  <sbarati@apple.com>

        SharedArrayBuffer-opt.js fails with Briggs
        https://bugs.webkit.org/show_bug.cgi?id=170948
        <rdar://problem/31740568>

        Reviewed by Michael Saboff.

        The bug was not actually with Briggs, but instead was with
        our X86-64 MacroAssembler. Michael fixed the bug here:
        https://trac.webkit.org/changeset/215618/webkit

        The issue was we weren't adding the REX byte for AtomicXchg8,
        leading to the incorrect encoding for the result register depending
        on which register it was. If you look at this code, you'll see the issue:

          Int32 @38 = AtomicXchg(@59, @64, width = 8, range = 0, fenceRange = 0, ControlDependent|Fence|Writes:0|Reads:0, DFG:@49)
              AtomicXchg8 %rsi, (%rax,%rdx), @38
                  0x2dcb5bc0015e: lock xchg %dh, (%rax,%rdx)
          Int32 @66 = Const32(255, DFG:@49)
          Int32 @67 = BitAnd(@38, $255(@66), DFG:@49)
              ZeroExtend8To32 %rsi, %rax, @67
                  0x2dcb5bc00162: movzx %sil, %eax

        Air thought the result was in the lower 8 bits of %rsi,
        however, the code we emitted stored it in the [8-15] bits
        of %rdx. Since this issue is fixed, I'm turning Briggs back
        on.

        * b3/air/AirAllocateRegistersByGraphColoring.h:
        (JSC::B3::Air::useIRC):
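
        Added illustration (not part of this ChangeLog and not X86Assembler's code): a small
        C++ encoder for "lock xchg r8, (base,index)" (opcode 86 /r) that shows why the
        REX byte matters. In 64-bit mode the reg field values 4..7 name ah/ch/dh/bh when
        no REX prefix is present and spl/bpl/sil/dil when one is, so omitting REX for
        %sil yields the "lock xchg %dh, (%rax,%rdx)" disassembly quoted above. The flag
        byteRegisterAware models the oneByteOp() versus oneByteOp8() distinction in the
        sibling X86Assembler fix; names are invented for the example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Register numbers as the x86-64 encoder sees them: the low 3 bits go into
// ModRM/SIB, bit 3 goes into REX.R / REX.X / REX.B.
enum Reg : uint8_t { rax = 0, rcx, rdx, rbx, rsp, rbp, rsi, rdi,
                     r8, r9, r10, r11, r12, r13, r14, r15 };

// What the CPU calls the 8-bit register selected by `reg`, depending on
// whether a REX prefix was present. Legacy encodings (no REX) map 4..7 to
// the high bytes ah/ch/dh/bh; with REX they mean spl/bpl/sil/dil.
std::string byteRegisterName(Reg reg, bool hasRex)
{
    static const char* legacy[] = { "al", "cl", "dl", "bl", "ah", "ch", "dh", "bh" };
    static const char* withRex[] = { "al", "cl", "dl", "bl", "spl", "bpl", "sil", "dil",
                                     "r8b", "r9b", "r10b", "r11b", "r12b", "r13b", "r14b", "r15b" };
    if (!hasRex)
        return legacy[reg & 7];
    return withRex[reg];
}

// Encodes: lock xchg reg8, (base,index)   (mod=00, SIB, no displacement).
// `base` must not be rbp/r13, which need a displacement byte with mod=00.
// byteRegisterAware=false reproduces the defect in the entry above: REX is
// only emitted for extended registers, so sil/dil/spl/bpl silently become
// dh/bh/ah/ch. byteRegisterAware=true also emits a bare 0x40 REX for 4..7.
std::vector<uint8_t> encodeLockXchg8(Reg reg, Reg base, Reg index, bool byteRegisterAware)
{
    std::vector<uint8_t> bytes;
    bytes.push_back(0xF0); // LOCK prefix

    uint8_t rex = 0x40;
    if (reg >= 8) rex |= 0x04;   // REX.R extends ModRM.reg
    if (index >= 8) rex |= 0x02; // REX.X extends SIB.index
    if (base >= 8) rex |= 0x01;  // REX.B extends SIB.base
    bool needsRex = rex != 0x40 || (byteRegisterAware && reg >= 4 && reg <= 7);
    if (needsRex)
        bytes.push_back(rex);

    bytes.push_back(0x86); // XCHG r/m8, r8
    bytes.push_back(static_cast<uint8_t>(((reg & 7) << 3) | 0x04)); // ModRM: mod=00, rm=100 (SIB)
    bytes.push_back(static_cast<uint8_t>(((index & 7) << 3) | (base & 7))); // SIB: scale=1
    return bytes;
}

// Reports which byte register the encoded instruction actually refers to,
// by checking whether a REX byte precedes the opcode.
std::string decodedSourceRegister(const std::vector<uint8_t>& bytes, Reg intended)
{
    bool hasRex = bytes.size() >= 2 && (bytes[1] & 0xF0) == 0x40;
    return byteRegisterName(intended, hasRex);
}
```

        With byteRegisterAware=false, encodeLockXchg8(rsi, rax, rdx, …) produces
        F0 86 34 10, which a disassembler reads as lock xchg %dh,(%rax,%rdx); with the
        REX-aware path it produces F0 40 86 34 10, the intended %sil operand.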
3278
3279 2017-04-20  Mark Lam  <mark.lam@apple.com>
3280
3281         Refactor MASM probe to allow printing of custom types.
3282         https://bugs.webkit.org/show_bug.cgi?id=171101
3283
3284         Reviewed by JF Bastien.
3285
3286         For example, this allows us to add MASM printing of CodeBlock* and Air::Args.
3287
3288         In general, MASM print can be used like dataLog, except that it generates JITted
3289         code for doing the dataLogging later when the JITted code runs.  MASM print can
3290         print any value type that a specialized Printer template or a setPrinter()
3291         function implemented for that type.
3292
3293         * CMakeLists.txt:
3294         * JavaScriptCore.xcodeproj/project.pbxproj:
3295         * assembler/MacroAssembler.h:
3296
3297         * assembler/MacroAssemblerPrinter.cpp:
3298         (JSC::Printer::printAllRegisters):
3299         (JSC::Printer::printPCRegister):
3300         (JSC::Printer::printRegisterID):
3301         (JSC::Printer::printFPRegisterID):
3302         (JSC::Printer::printAddress):
3303         (JSC::Printer::printMemory):
3304         (JSC::Printer::printCallback):
3305         (JSC::printIndent): Deleted.
3306         (JSC::printCPU): Deleted.
3307         (JSC::printCPURegisters): Deleted.
3308         (JSC::printPC): Deleted.
3309         (JSC::printRegister): Deleted.
3310         (JSC::printMemory): Deleted.
3311         (JSC::MacroAssemblerPrinter::printCallback): Deleted.
3312         * assembler/MacroAssemblerPrinter.h:
3313         (JSC::AllRegisters::AllRegisters):
3314         (JSC::Printer::Printer<AllRegisters>::Printer):
3315         (JSC::Printer::Printer<PCRegister>::Printer):
3316         (JSC::Printer::Printer<MacroAssembler::RegisterID>::Printer):
3317         (JSC::Printer::Printer<MacroAssembler::FPRegisterID>::Printer):
3318         (JSC::Printer::Printer<MacroAssembler::Address>::Printer):
3319         (JSC::Printer::Printer<Memory>::Printer):
3320         (JSC::Printer::Printer<MemWord<IntType>>::Printer):
3321         (JSC::MacroAssembler::print):
3322         (JSC::MacroAssemblerPrinter::print): Deleted.
3323         (JSC::MacroAssemblerPrinter::PrintArg::PrintArg): Deleted.
3324         (JSC::MacroAssemblerPrinter::appendPrintArg): Deleted.
3325         - Refactored to move the underlying PrintRecord (and associated data structures)
3326           out to Printer.cpp/h.
3327         - MacroAssemblerPrinter.cpp/h now only add custom Printers for MASM types like
3328           RegisterID and Memory.  It also defines the implementation of
3329           MacroAssembler::print().
3330
3331           As before, JIT code that wishes to use MacroAssembler::print() needs to
3332           #include "MacroAssemblerPrinter.h".
3333
3334         - Also added the ability to specify an optional indentation (in number of chars)
3335           when MASM printing AllRegisters.  This is useful because AllRegisters prints
3336           a block of data unlike other printers which print inline.
3337
3338         * assembler/Printer.cpp: Added.
3339         (JSC::Printer::printConstCharString):
3340         (JSC::Printer::printIntptr):
3341         (JSC::Printer::printUintptr):
3342         (JSC::Printer::printPointer):
3343         (JSC::Printer::setPrinter):
3344         * assembler/Printer.h: Added.
3345         (JSC::Printer::Context::Context):
3346         (JSC::Printer::PrintRecord::PrintRecord):
3347         (JSC::Printer::appendPrinter):
3348         (JSC::Printer::makePrintRecordList):
3349         (JSC::Printer::Printer<RawPointer>::Printer):
3350         (JSC::Printer::setPrinter):
3351         (JSC::Printer::Printer::Printer):
3352         - Data structures for creating a list of PrintRecords.  Classes which wish to
3353           add custom support for MASM printing can #include "Printer.h" and implement
3354           either:
3355           1. a specialized Printer template, or
3356           2. a setPrinter() function.
3357
3358           See Printer<Reg> and Printer<B3::Air::Tmp> in AirPrintSpecial.h for examples of
3359           (1).  See CodeBlock's setPrinter() for an example of (2).
3360
3361         * b3/B3LowerToAir.cpp:
3362         (JSC::B3::Air::LowerToAir::print):
3363         * b3/air/AirPrintSpecial.cpp: Added.
3364         (JSC::B3::Air::PrintSpecial::PrintSpecial):
3365         (JSC::B3::Air::PrintSpecial::~PrintSpecial):
3366         (JSC::B3::Air::PrintSpecial::forEachArg):
3367         (JSC::B3::Air::PrintSpecial::isValid):
3368         (JSC::B3::Air::PrintSpecial::admitsStack):
3369         (JSC::B3::Air::PrintSpecial::reportUsedRegisters):
3370         (JSC::B3::Air::PrintSpecial::generate):
3371         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
3372         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
3373         (JSC::B3::Air::PrintSpecial::dumpImpl):
3374         (JSC::B3::Air::PrintSpecial::deepDumpImpl):
3375         (JSC::Printer::printAirArg):
3376         * b3/air/AirPrintSpecial.h: Added.
3377         (JSC::Printer::appendAirArg):
3378         (JSC::Printer::appendAirArgs):
3379         (JSC::Printer::Printer<B3::Air::Tmp>::Printer):
3380         (JSC::Printer::Printer<Reg>::Printer):
3381         - Add the print() operation for use in LowerToAir.  print() will emit a
3382           PrintSpecial that will ultimately emit a MASM print to print what we want.
3383         - LowerToAir's print() adds the ability to print Air::Args.
3384         - Unlike in the baseline JIT and the DFG, LowerToAir's print() can perturb the
3385           usage of registers.  This is because PrintSpecial is a patch point, and it
3386           prevents certain optimizations.  If not used carefully, an attempt to print()
3387           an Arg by taking a Tmp, can force the B3 Value into a Tmp earlier than it would
3388           otherwise do so.  So, use LowerToAir's print() with care.
3389
3390         * bytecode/CodeBlock.cpp:
3391         (JSC::setPrinter):
3392         - Now we can MASM print CodeBlock*.
3393         (WTF::printInternal):
3394         - Now we can dataLog CodeBlock* (including null CodeBlock pointers).
3395
3396         * bytecode/CodeBlock.h:
3397
3398         * runtime/VM.cpp:
3399         (JSC::VM::throwException):
3400         - Use the new ability to dataLog CodeBlock*.  No need to do an explicit null
3401           check before printing anymore.
3402
3403 2017-04-21  Keith Miller  <keith_miller@apple.com>
3404
3405         Unreviewed, rolling out r215634.
3406
3407         underlying build issues should have been fixed
3408
3409         Reverted changeset:
3410
3411         "Unreviewed, rolling out r215620 and r215623."
3412         https://bugs.webkit.org/show_bug.cgi?id=171139
3413         http://trac.webkit.org/changeset/215634
3414
3415 2017-04-21  Commit Queue  <commit-queue@webkit.org>
3416
3417         Unreviewed, rolling out r215620 and r215623.
3418         https://bugs.webkit.org/show_bug.cgi?id=171139
3419
3420         broke arm64 build (Requested by keith_miller on #webkit).
3421
3422         Reverted changesets:
3423
3424         "Add signaling API"
3425         https://bugs.webkit.org/show_bug.cgi?id=170976
3426         http://trac.webkit.org/changeset/215620
3427
3428         "Unreviewed, fix Cloop build."
3429         http://trac.webkit.org/changeset/215623
3430
3431 2017-04-21  Keith Miller  <keith_miller@apple.com>
3432
3433         Remove LL/SC from Atomics
3434         https://bugs.webkit.org/show_bug.cgi?id=171141
3435
3436         Reviewed by Saam Barati.
3437
3438         Adding load link and store conditionally was not an actual progression
3439         and the existing code is causing problems for users of Atomics. So let's
3440         get rid of it.
3441
3442         * heap/LargeAllocation.h:
3443         (JSC::LargeAllocation::testAndSetMarked):
3444         * heap/MarkedBlock.h:
3445         (JSC::MarkedBlock::testAndSetMarked):
3446         * heap/SlotVisitor.cpp:
3447         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3448
3449 2017-04-21  Keith Miller  <keith_miller@apple.com>
3450
3451         Unreviewed, fix Cloop build.
3452
3453         * jit/ExecutableAllocator.h:
3454         (JSC::isJITPC):
3455
3456 2017-04-20  Keith Miller  <keith_miller@apple.com>
3457
3458         Add signaling API
3459         https://bugs.webkit.org/show_bug.cgi?id=170976
3460
3461         Reviewed by Filip Pizlo.
3462
3463         Update various uses of sigaction to use the new signaling API.
3464         Also switch VMTraps to use the thread message system instead of
3465         rolling its own.
3466
3467         * jit/ExecutableAllocator.h:
3468         (JSC::isJITPC):
3469         * runtime/VMTraps.cpp:
3470         (JSC::installSignalHandler):
3471         (JSC::VMTraps::VMTraps):
3472         (JSC::VMTraps::SignalSender::send):
3473         (JSC::handleSigusr1): Deleted.
3474         (JSC::handleSigtrap): Deleted.
3475         (JSC::installSignalHandlers): Deleted.
3476         * runtime/VMTraps.h:
3477         * tools/SigillCrashAnalyzer.cpp:
3478         (JSC::installCrashHandler):
3479         (JSC::handleCrash): Deleted.
3480         * wasm/WasmFaultSignalHandler.cpp:
3481         (JSC::Wasm::trapHandler):
3482         (JSC::Wasm::enableFastMemory):
3483
3484 2017-04-21  Michael Saboff  <msaboff@apple.com>
3485
3486         X86-64 Assembler doesn't handle xchg with byte register src
3487         https://bugs.webkit.org/show_bug.cgi?id=171118
3488
3489         Reviewed by Saam Barati.
3490
3491         * assembler/X86Assembler.h:
3492         (JSC::X86Assembler::xchgb_rm): Use oneByteOp8() since these are 8 bit opcodes.
3493
3494 2017-04-21  Andy VanWagoner  <thetalecrafter@gmail.com>
3495
3496         [INTL] Implement Intl.DateTimeFormat.prototype.formatToParts
3497         https://bugs.webkit.org/show_bug.cgi?id=169458
3498
3499         Reviewed by JF Bastien.
3500
3501         Use udat_formatForFields to iterate through the parts of a formatted date string.
3502         Make formatToParts and related functions dependent on ICU version >= 55.
3503
3504         * icu/unicode/udat.h: Update to 55.1.
3505         * icu/unicode/ufieldpositer.h: Added from 55.1.
3506         * icu/unicode/uvernum.h: Update to 55.1
3507         * runtime/IntlDateTimeFormat.cpp:
3508         (JSC::IntlDateTimeFormat::partTypeString): Convert UDateFormatField to string.
3509         (JSC::IntlDateTimeFormat::formatToParts): Return parts of formatted date string.
3510         * runtime/IntlDateTimeFormat.h:
3511         * runtime/IntlDateTimeFormatPrototype.cpp:
3512         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts): Add prototype function formatToParts.
3513
3514 2017-04-20  Konstantin Tokarev  <annulen@yandex.ru>
3515
3516         [cmake] Define FORWARDING_HEADERS_DIR in WebKitFS and use it everywhere
3517         https://bugs.webkit.org/show_bug.cgi?id=171071
3518
3519         Reviewed by Michael Catanzaro.
3520
3521         The "${DERIVED_SOURCES_DIR}/ForwardingHeaders" path occurs very often in the
3522         build system files. The GTK-specific FORWARDING_HEADERS_DIR variable should
3523         be available for all ports.
3524
3525         * CMakeLists.txt:
3526         * PlatformWin.cmake:
3527
3528 2017-04-20  Konstantin Tokarev  <annulen@yandex.ru>
3529
3530         Remove unused lambda captures
3531         https://bugs.webkit.org/show_bug.cgi?id=171098
3532
3533         Reviewed by Yusuke Suzuki.
3534
3535         * bytecompiler/NodesCodegen.cpp:
3536         (JSC::ArrayNode::emitBytecode):
3537         * ftl/FTLState.cpp:
3538         (JSC::FTL::State::State):
3539         * wasm/WasmB3IRGenerator.cpp:
3540
3541 2017-04-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3542
3543         [JSC][FTL] FTL should support Arrayify
3544         https://bugs.webkit.org/show_bug.cgi?id=169596
3545
3546         Reviewed by Saam Barati.
3547
3548         This patch simply expands the coverage of FTL by supporting Arrayify.
3549         While ArrayifyToStructure is already supported, Arrayify is not supported
3550         in FTL. While supporting Arrayify in FTL itself does not offer much of a
3551         performance difference from DFG's, the lack of FTL support for Arrayify
3552         prevents us from applying FTL to code that includes Arrayify.
3553
3554         * dfg/DFGArrayMode.cpp:
3555         (JSC::DFG::toIndexingShape):
3556         * dfg/DFGSpeculativeJIT.cpp:
3557         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
3558         * ftl/FTLCapabilities.cpp:
3559         (JSC::FTL::canCompile):
3560         * ftl/FTLLowerDFGToB3.cpp:
3561         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3562         (JSC::FTL::DFG::LowerDFGToB3::compileArrayify):
3563         (JSC::FTL::DFG::LowerDFGToB3::compileCheckArray):
3564         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
3565         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray):
3566         (JSC::FTL::DFG::LowerDFGToB3::compileArrayifyToStructure): Deleted.
3567         (JSC::FTL::DFG::LowerDFGToB3::isArrayType): Deleted.
3568
3569 2017-04-20  Mark Lam  <mark.lam@apple.com>
3570
3571         virtualThunkFor() needs to materialize its tagMaskRegister for tail calls.
3572         https://bugs.webkit.org/show_bug.cgi?id=171079
3573         <rdar://problem/31684756>
3574
3575         Reviewed by Saam Barati.
3576
3577         This is needed because tail calls would restore callee saved registers (and
3578         therefore, potentially clobber the tag registers) before jumping to the thunk.
3579
3580         * jit/ThunkGenerators.cpp:
3581         (JSC::virtualThunkFor):
3582
3583 2017-04-20  Mark Lam  <mark.lam@apple.com>
3584
3585         Build fix after r215592.
3586         https://bugs.webkit.org/show_bug.cgi?id=171088
3587
3588         Not reviewed.
3589
3590         * assembler/MacroAssemblerPrinter.h:
3591
3592 2017-04-20  Mark Lam  <mark.lam@apple.com>
3593
3594         Update the MASM probe to only take 1 arg instead of 2 (in addition to the callback function).
3595         https://bugs.webkit.org/show_bug.cgi?id=171088
3596
3597         Reviewed by Michael Saboff and Saam Barati.
3598
3599         Experience shows that we never use the 2nd arg.  So, let's remove it to reduce
3600         the footprint at each probe site.
3601
3602         Also fix the MacroAssembler::print() function so that it is a no-op when
3603         !ENABLE(MASM_PROBE).  This will allow us to have print() statements in JIT code
3604         without a lot of #if ENABLE(MASM_PROBE)s later.
3605
3606         * assembler/AbstractMacroAssembler.h:
3607         * assembler/MacroAssembler.cpp:
3608         (JSC::stdFunctionCallback):
3609         (JSC::MacroAssembler::probe):
3610         * assembler/MacroAssembler.h:
3611         * assembler/MacroAssemblerARM.cpp:
3612         (JSC::MacroAssemblerARM::probe):
3613         * assembler/MacroAssemblerARM.h:
3614         * assembler/MacroAssemblerARM64.cpp:
3615         (JSC::MacroAssemblerARM64::probe):
3616         * assembler/MacroAssemblerARM64.h:
3617         * assembler/MacroAssemblerARMv7.cpp:
3618         (JSC::MacroAssemblerARMv7::probe):
3619         * assembler/MacroAssemblerARMv7.h:
3620         * assembler/MacroAssemblerPrinter.cpp:
3621         (JSC::MacroAssemblerPrinter::printCallback):
3622         * assembler/MacroAssemblerPrinter.h:
3623         (JSC::MacroAssemblerPrinter::print):
3624         (JSC::MacroAssembler::print):
3625         * assembler/MacroAssemblerX86Common.cpp:
3626         (JSC::MacroAssemblerX86Common::probe):
3627         * assembler/MacroAssemblerX86Common.h:
3628
3629 2017-04-20  Matt Baker  <mattbaker@apple.com>
3630
3631         Web Inspector: Add regular expression support to XHR breakpoints
3632         https://bugs.webkit.org/show_bug.cgi?id=170099
3633         <rdar://problem/31558082>
3634
3635         Reviewed by Joseph Pecoraro.
3636
3637         * inspector/protocol/DOMDebugger.json:
3638         New optional `isRegex` parameter denotes whether `url` contains
3639         a regular expression.
3640
3641 2017-04-15  Filip Pizlo  <fpizlo@apple.com>
3642
3643         Optimize SharedArrayBuffer in the DFG+FTL
3644         https://bugs.webkit.org/show_bug.cgi?id=164108
3645
3646         Reviewed by Saam Barati.
3647         
3648         This adds atomics intrinsics to the DFG and wires them through to the DFG and FTL backends. This
3649         was super easy in the FTL since B3 already has comprehensive atomic intrinsics, which are more
3650         powerful than what we need right now. In the DFG backend, I went with an easy-to-write
3651         implementation that just reduces everything to a weak CAS loop. It's very inefficient with
3652         registers (it needs ~8) but it's the DFG backend, so it's not obvious how much we care.
3653         
3654         To make the rare cases easy to handle, I refactored AtomicsObject.cpp so that the operations for
3655         the slow paths can share code with the native functions.
3656         
3657         This also fixes register handling in the X86 implementations of CAS, in the case that
3658         expectedAndResult is not %rax. This also fixes the ARM64 implementation of branchWeakCAS.
3659         
3660         I adapted the CascadeLock from WTF/benchmarks/ToyLocks.h as a microbenchmark of lock performance.
3661         This benchmark performs 2.5x faster, in both the contended and uncontended case, thanks to this
3662         change. It's still about 3x slower than native. I investigated this only a bit. I suspect that
3663         the story will be different in asm.js code, which will get constant-folding of the typed array
3664         backing store by virtue of how it uses lexically scoped variables as pointers to the heap arrays.
3665         It's worth noting that the native lock I was comparing against, the very nicely-tuned
3666         CascadeLock, is at the very high end of lock throughput under virtually all conditions
3667         (uncontended, microcontended, held for a long time). I also compared to WTF::Lock and others, and
3668         the only ones that performed better in this microbenchmark were spinlocks. I don't recommend
3669         using those. So, when I say this is 3x slower than native, I really mean that it's 3x slower than
3670         the fastest native lock that I have in my arsenal.
3671         
3672         Also worth noting is that I experimented with exposing Atomics.yield(), which uses sched_yield,
3673         as a way of testing if adding a yield loop to the JS cascadeLock would help. It does not help. I
3674         did not investigate why.
3675
3676         * assembler/AbstractMacroAssembler.h:
3677         (JSC::AbstractMacroAssembler::JumpList::append):
3678         * assembler/CPU.h:
3679         (JSC::is64Bit):
3680         (JSC::is32Bit):
3681         * b3/B3Common.h:
3682         (JSC::B3::is64Bit): Deleted.
3683         (JSC::B3::is32Bit): Deleted.
3684         * b3/B3LowerToAir.cpp:
3685         (JSC::B3::Air::LowerToAir::appendTrapping):
3686         (JSC::B3::Air::LowerToAir::appendCAS):
3687         (JSC::B3::Air::LowerToAir::appendGeneralAtomic):
3688         * dfg/DFGAbstractInterpreterInlines.h:
3689         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3690         * dfg/DFGByteCodeParser.cpp:
3691         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3692         * dfg/DFGClobberize.h:
3693         (JSC::DFG::clobberize):
3694         * dfg/DFGDoesGC.cpp:
3695         (JSC::DFG::doesGC):
3696         * dfg/DFGFixupPhase.cpp:
3697         (JSC::DFG::FixupPhase::fixupNode):
3698         * dfg/DFGNode.h:
3699         (JSC::DFG::Node::hasHeapPrediction):
3700         (JSC::DFG::Node::hasArrayMode):
3701         * dfg/DFGNodeType.h:
3702         (JSC::DFG::isAtomicsIntrinsic):
3703         (JSC::DFG::numExtraAtomicsArgs):
3704         * dfg/DFGPredictionPropagationPhase.cpp:
3705         * dfg/DFGSSALoweringPhase.cpp:
3706         (JSC::DFG::SSALoweringPhase::handleNode):
3707         * dfg/DFGSafeToExecute.h:
3708         (JSC::DFG::safeToExecute):
3709         * dfg/DFGSpeculativeJIT.cpp:
3710         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
3711         (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
3712         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3713         (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
3714         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3715         * dfg/DFGSpeculativeJIT.h:
3716         (JSC::DFG::SpeculativeJIT::callOperation):
3717         * dfg/DFGSpeculativeJIT32_64.cpp:
3718         (JSC::DFG::SpeculativeJIT::compile):
3719         * dfg/DFGSpeculativeJIT64.cpp:
3720         (JSC::DFG::SpeculativeJIT::compile):
3721         * ftl/FTLAbstractHeapRepository.cpp:
3722         (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
3723         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
3724         * ftl/FTLAbstractHeapRepository.h:
3725         * ftl/FTLCapabilities.cpp:
3726         (JSC::FTL::canCompile):
3727         * ftl/FTLLowerDFGToB3.cpp:
3728         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3729         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
3730         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree):
3731         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3732         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
3733         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
3734         (JSC::FTL::DFG::LowerDFGToB3::loadFromIntTypedArray):
3735         (JSC::FTL::DFG::LowerDFGToB3::storeType):
3736         (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):
3737         (JSC::FTL::DFG::LowerDFGToB3::getIntTypedArrayStoreOperand):
3738         (JSC::FTL::DFG::LowerDFGToB3::vmCall):
3739         * ftl/FTLOutput.cpp:
3740         (JSC::FTL::Output::store):
3741         (JSC::FTL::Output::store32As8):
3742         (JSC::FTL::Output::store32As16):
3743         (JSC::FTL::Output::atomicXchgAdd):
3744         (JSC::FTL::Output::atomicXchgAnd):
3745         (JSC::FTL::Output::atomicXchgOr):
3746         (JSC::FTL::Output::atomicXchgSub):
3747         (JSC::FTL::Output::atomicXchgXor):
3748         (JSC::FTL::Output::atomicXchg):
3749         (JSC::FTL::Output::atomicStrongCAS):
3750         * ftl/FTLOutput.h:
3751         (JSC::FTL::Output::store32):
3752         (JSC::FTL::Output::store64):
3753         (JSC::FTL::Output::storePtr):
3754         (JSC::FTL::Output::storeFloat):
3755         (JSC::FTL::Output::storeDouble):
3756         * jit/JITOperations.h:
3757         * runtime/AtomicsObject.cpp:
3758         (JSC::atomicsFuncAdd):
3759         (JSC::atomicsFuncAnd):
3760         (JSC::atomicsFuncCompareExchange):
3761         (JSC::atomicsFuncExchange):
3762         (JSC::atomicsFuncIsLockFree):
3763         (JSC::atomicsFuncLoad):
3764         (JSC::atomicsFuncOr):
3765         (JSC::atomicsFuncStore):
3766         (JSC::atomicsFuncSub):
3767         (JSC::atomicsFuncWait):
3768         (JSC::atomicsFuncWake):
3769         (JSC::atomicsFuncXor):
3770         (JSC::operationAtomicsAdd):
3771         (JSC::operationAtomicsAnd):
3772         (JSC::operationAtomicsCompareExchange):
3773         (JSC::operationAtomicsExchange):
3774         (JSC::operationAtomicsIsLockFree):
3775         (JSC::operationAtomicsLoad):
3776         (JSC::operationAtomicsOr):
3777         (JSC::operationAtomicsStore):
3778         (JSC::operationAtomicsSub):
3779         (JSC::operationAtomicsXor):
3780         * runtime/AtomicsObject.h:
3781
3782 2017-04-19  Youenn Fablet  <youenn@apple.com>
3783
3784         [Mac] Allow customizing H264 encoder
3785         https://bugs.webkit.org/show_bug.cgi?id=170829
3786
3787         Reviewed by Alex Christensen.
3788
3789         * Configurations/FeatureDefines.xcconfig:
3790
3791 2017-04-19  Michael Saboff  <msaboff@apple.com>
3792
3793         Tune GC related JSC options for iOS
3794         https://bugs.webkit.org/show_bug.cgi?id=171019
3795
3796         Reviewed by Mark Lam.
3797
3798         Always set these GC options on iOS.
3799
3800         * runtime/Options.cpp:
3801         (JSC::overrideDefaults):
3802
3803 2017-04-19  JF Bastien  <jfbastien@apple.com>
3804
3805         WebAssembly: fast memory cleanups
3806         https://bugs.webkit.org/show_bug.cgi?id=170909
3807
3808         Reviewed by Saam Barati.
3809
3810         * b3/B3LowerToAir.cpp: correct comment, and make wasm-independent
3811         (JSC::B3::Air::LowerToAir::lower):
3812         * b3/B3Procedure.h:
3813         * b3/B3Validate.cpp:
3814         * b3/B3Value.cpp:
3815         (JSC::B3::Value::effects):
3816         * b3/B3WasmBoundsCheckValue.cpp: have the creator pass in a
3817         maximum, so we don't have to know so much about wasm here
3818         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
3819         (JSC::B3::WasmBoundsCheckValue::cloneImpl):
3820         (JSC::B3::WasmBoundsCheckValue::dumpMeta):
3821         * b3/B3WasmBoundsCheckValue.h:
3822         (JSC::B3::WasmBoundsCheckValue::boundsType):
3823         (JSC::B3::WasmBoundsCheckValue::bounds):
3824         * b3/air/AirCode.h:
3825         * b3/air/AirCustom.h:
3826         (JSC::B3::Air::WasmBoundsCheckCustom::generate):
3827         * b3/testb3.cpp:
3828         (JSC::B3::testWasmBoundsCheck):
3829         * wasm/WasmB3IRGenerator.cpp:
3830         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3831         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
3832         (JSC::Wasm::createJSToWasmWrapper): remove dead code
3833         * wasm/WasmMemory.cpp: don't GC if no memory could possibly be freed
3834         (JSC::Wasm::Memory::initializePreallocations): verbose-only code,
3835         and copy-pasta bug
3836
3837 2017-04-19  Mark Lam  <mark.lam@apple.com>
3838
3839         B3StackmapSpecial should handle when stackmap values are not recoverable from a Def'ed arg.
3840         https://bugs.webkit.org/show_bug.cgi?id=170973
3841         <rdar://problem/30318657>
3842
3843         Reviewed by Filip Pizlo.
3844
3845         In the event of an arithmetic overflow on a binary sub instruction (where the
3846         result register is the same as one of the operand registers), the CheckSub FTL
3847         operation will try to recover the original value in the clobbered result register.
3848
3849         This recovery is done by adding the other operand value to the result register.
3850         However, this recovery method only works if the width of the original value in
3851         the result register is less than or equal to the width of the expected result.  If the
3852         width of the original operand value (e.g. a JSInt32) is wider than the result
3853         (e.g. a machine Int32), then the sub operation would have zero-extended the
3854         result and cleared the upper 32 bits of the result register.  Recovery by adding
3855         back the other operand will not restore the JSValue tag in the upper word.
3856
3857         This poses a problem if the stackmap value for the operand relies on that same
3858         clobbered register.
3859
3860         The fix is to detect this potential scenario (i.e. width of the Def's arg < width
3861         of a stackmap value).  If this condition is detected, we'll declare the stackmap
3862         value to be LateColdUse to ensure that the register allocator gives it a
3863         different register if needed so that it's not dependent on the clobbered register.
3864
3865         * b3/B3CheckSpecial.cpp:
3866         (JSC::B3::CheckSpecial::forEachArg):
3867         * b3/B3PatchpointSpecial.cpp:
3868         (JSC::B3::PatchpointSpecial::forEachArg):
3869         * b3/B3StackmapSpecial.cpp:
3870         (JSC::B3::StackmapSpecial::forEachArgImpl):
3871         * b3/B3StackmapSpecial.h:
3872
3873 2017-04-19  JF Bastien  <jfbastien@apple.com>
3874
3875         Unreviewed, rolling out r215520.
3876
3877         Broke Debian 8
3878
3879         Reverted changeset:
3880
3881         "[INTL] Implement Intl.DateTimeFormat.prototype.formatToParts"
3882         https://bugs.webkit.org/show_bug.cgi?id=169458
3883         http://trac.webkit.org/changeset/215520
3884
3885 2017-04-19  JF Bastien  <jfbastien@apple.com>
3886
3887         WebAssembly: limit slow memories
3888         https://bugs.webkit.org/show_bug.cgi?id=170825
3889
3890         Reviewed by Saam Barati.
3891
3892         We limit the number of fast memories, partly because of ASLR. The
3893         code then falls back to slow memories. It first tries to virtually
3894         allocate any declared maximum (and in there, physically the
3895         initial), and if that fails it tries to physically allocate the
3896         initial without any extra.
3897
3898         This can still be used to cause a bunch of virtual
3899         allocation. This patch imposes a soft limit on slow memories as
3900         well. The total virtual maximum for slow memories is set at the
3901         same (theoretical) value as that for fast memories.
3902
3903         Anything exceeding that limit causes allocation/grow to fail.
3904
3905         * wasm/WasmMemory.cpp:
3906
3907 2017-04-19  JF Bastien  <jfbastien@apple.com>
3908
3909         Cannot compile JavaScriptCore/runtime/VMTraps.cpp on FreeBSD because std::pair has a non-trivial copy constructor
3910         https://bugs.webkit.org/show_bug.cgi?id=170875
3911
3912         Reviewed by Mark Lam.
3913
3914         WTF::ExpectedDetail::ConstexprBase doesn't have a user-defined
3915         copy constructor, and its implicitly-defined copy constructor is
3916         deleted because the default std::pair implementation on FreeBSD
3917         has a non-trivial copy constructor. /usr/include/c++/v1/__config
3918         says _LIBCPP_TRIVIAL_PAIR_COPY_CTOR is disabled in order to keep
3919         ABI compatibility:
3920         https://svnweb.freebsd.org/changeset/base/261801.
3921
3922         That's a huge bummer, and I'm not a fan of broken stdlibs, but in
3923         this case it's pretty nice to have a custom named type anyways and
3924         costs nothing.
3925
3926         * runtime/VMTraps.cpp:
3927         (JSC::findActiveVMAndStackBounds):
3928         (JSC::handleSigusr1):
3929         (JSC::handleSigtrap):
3930
3931 2017-04-19  Andy VanWagoner  <thetalecrafter@gmail.com>
3932
3933         [INTL] Implement Intl.DateTimeFormat.prototype.formatToParts
3934         https://bugs.webkit.org/show_bug.cgi?id=169458
3935
3936         Reviewed by JF Bastien.
3937
3938         Use udat_formatForFields to iterate through the parts of a formatted date string.
3939
3940         * icu/unicode/udat.h: Update to 55.1.
3941         * icu/unicode/ufieldpositer.h: Added from 55.1.
3942         * runtime/IntlDateTimeFormat.cpp:
3943         (JSC::IntlDateTimeFormat::partTypeString): Convert UDateFormatField to string.
3944         (JSC::IntlDateTimeFormat::formatToParts): Return parts of formatted date string.
3945         * runtime/IntlDateTimeFormat.h:
3946         * runtime/IntlDateTimeFormatPrototype.cpp:
3947         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts): Add prototype function formatToParts.
3948
3949 2017-04-19  JF Bastien  <jfbastien@apple.com>
3950
3951         WebAssembly: don't expose any WebAssembly JS object if JIT is off
3952         https://bugs.webkit.org/show_bug.cgi?id=170782
3953
3954         Reviewed by Saam Barati.
3955
3956         It's unexpected that we expose the global WebAssembly object if no
3957         JIT is present because it can't be used to compile or
3958         instantiate. Other APIs such as Memory should also be inaccessible
3959         in those circumstances.
3960
3961         Also ensure that we don't pre-allocate fast memories if
3962         WebAssembly won't be used, and don't mark our intention to use a
3963         fast TLS slot for WebAssembly.
3964
3965         * runtime/Options.cpp:
3966         (JSC::recomputeDependentOptions):
3967
3968 2017-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3969
3970         r211670 broke double to int conversion.
3971         https://bugs.webkit.org/show_bug.cgi?id=170961
3972
3973         Reviewed by Mark Lam.
3974
3975         In this patch, we take the template parameter approach.
3976         While it reduces duplicate code, it effectively produces
3977         optimized code for operationToInt32SensibleSlow,
3978         and fixes the kraken pbkdf2 regression on Linux.
3979
3980         This patch also fixes undefined behavior by changing
3981         int32_t to uint32_t. If exp is 31, missingOne is 1 << 31,
3982         INT32_MIN. Thus missingOne - 1 will cause int32_t overflow,
3983         which is undefined behavior.
3984
3985         * runtime/MathCommon.cpp:
3986         (JSC::operationToInt32SensibleSlow):
3987         * runtime/MathCommon.h:
3988         (JSC::toInt32Internal):
3989         (JSC::toInt32):
3990
3991 2017-04-18  Mark Lam  <mark.lam@apple.com>
3992
3993         r211670 broke double to int conversion.
3994         https://bugs.webkit.org/show_bug.cgi?id=170961
3995         <rdar://problem/31687696>
3996
3997         Reviewed by Yusuke Suzuki.
3998
3999         This is because operationToInt32SensibleSlow() assumes that left shifts of greater
4000         than 31 bits on a 31-bit value will produce a 0.  However, the spec says that
4001         "if the value of the right operand is negative or is greater or equal to the
4002         number of bits in the promoted left operand, the behavior is undefined."
4003         See http://en.cppreference.com/w/cpp/language/operator_arithmetic#Bitwise_shift_operators.
4004
4005         This patch fixes this by restoring the check to prevent a shift of greater than
4006         31 bits.  It also consolidates the optimization in operationToInt32SensibleSlow()
4007         back into toInt32() so that we don't have 2 copies of the same code with only a
4008         slight variation.
4009
4010         JSC benchmarks shows that performance is neutral with this patch.
4011
4012         * dfg/DFGSpeculativeJIT.cpp:
4013         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
4014         * ftl/FTLLowerDFGToB3.cpp:
4015         (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
4016         * runtime/MathCommon.cpp:
4017         (JSC::operationToInt32SensibleSlow): Deleted.
4018         * runtime/MathCommon.h:
4019         (JSC::toInt32):
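        As an added example (not JSC's code, and not part of either r211670 entry above): an
        ECMAScript ToInt32 for doubles written along the lines those two entries describe,
        selecting the low 32 bits of the integer part from the IEEE-754 exponent and mantissa
        and reinserting the implicit leading one, with the two C++ pitfalls they name designed
        out: no shift count ever reaches the operand width, and the "missing one" bit is formed
        as uint32_t so that exp == 31 cannot overflow. The function names, the fmod-based
        reference implementation, and the sample values are this example's own.

```cpp
// Added example (not JSC's code): a spec-faithful ECMAScript ToInt32 for doubles
// using the exponent/mantissa path described in the r211670 entries, with no
// shift count >= the operand width and the implicit "missing one" bit formed in
// unsigned arithmetic, so exp == 31 is safe.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>

// Reinterpret a 32-bit pattern as two's complement without relying on
// implementation-defined narrowing (pre-C++20).
int32_t wrapToInt32(uint32_t u)
{
    if (u <= 0x7fffffffu)
        return static_cast<int32_t>(u);
    return static_cast<int32_t>(u - 0x80000000u) - 0x7fffffff - 1;
}

// Reference ToInt32 straight from the spec: truncate toward zero, reduce
// modulo 2^32 into [0, 2^32), then wrap into the signed range.
int32_t toInt32Reference(double number)
{
    if (!std::isfinite(number))
        return 0;
    double modulo = std::fmod(std::trunc(number), 4294967296.0); // fmod is exact
    if (modulo < 0)
        modulo += 4294967296.0;
    return wrapToInt32(static_cast<uint32_t>(modulo));
}

// Fast ToInt32: the common in-range case is a plain truncating cast; the
// out-of-range case picks the low 32 bits of the integer part straight out of
// the IEEE-754 encoding instead of doing floating-point modulo.
int32_t toInt32Fast(double number)
{
    // In range (and therefore not NaN): the cast truncates toward zero, which is ToInt32.
    if (number >= -2147483648.0 && number <= 2147483647.0)
        return static_cast<int32_t>(number);

    uint64_t bits;
    std::memcpy(&bits, &number, sizeof bits);
    int exp = static_cast<int>((bits >> 52) & 0x7ff) - 0x3ff;

    // exp < 0: |number| < 1, integer part is 0.  exp > 83: the value is a multiple
    // of 2^(exp-52) >= 2^32, so its low 32 bits are zero.  NaN and +/-Inf (exp == 1024)
    // land here as well.
    if (exp < 0 || exp > 83)
        return 0;

    // 52 stored fraction bits; the integer part is (2^52 | fraction) scaled by 2^(exp-52).
    uint64_t fraction = bits & ((uint64_t(1) << 52) - 1);
    // Shift counts are at most 31 (left) or 52 (right): never >= 64 on a uint64_t.
    uint64_t integerPart = exp >= 52 ? fraction << (exp - 52) : fraction >> (52 - exp);
    uint32_t low = static_cast<uint32_t>(integerPart);

    // The implicit leading 1 sits at bit `exp` of the integer part and only matters
    // when exp < 32.  uint32_t is the point: for exp == 31 this is 0x80000000 with
    // no signed overflow anywhere (the entries above describe the int32_t version).
    if (exp < 32)
        low |= uint32_t(1) << exp;

    // Negative input: negate modulo 2^32 (two's complement), then wrap.
    if (bits >> 63)
        low = 0u - low;
    return wrapToInt32(low);
}

// Cross-check the fast path against the reference on the boundaries that matter:
// exp == 31 (2^31 <= |x| < 2^32), exp just above 52, exp > 83, and non-finite input.
// Sample values are constructed for this example.  Returns true when all agree.
bool fastPathMatchesReference()
{
    const double samples[] = {
        0.0, -0.0, 3.7, -3.7, 2147483647.0, 2147483647.5, -2147483648.0, -2147483648.5,
        2147483648.0, 2147483648.5, 4294967295.7, 4294967296.0, -3000000000.0,
        9007199254740994.0, 1e20, 1e84, -1e300,
        std::numeric_limits<double>::quiet_NaN(),
        std::numeric_limits<double>::infinity(),
        -std::numeric_limits<double>::infinity(),
    };
    for (double x : samples) {
        if (toInt32Fast(x) != toInt32Reference(x))
            return false;
    }
    return true;
}

int main()
{
    bool ok = fastPathMatchesReference();
    std::printf("fast path matches reference: %s\n", ok ? "yes" : "no");
    std::printf("ToInt32(2147483648.5) = %d\n", toInt32Fast(2147483648.5));
    return ok ? 0 : 1;
}
```

        The exp == 31 case is the one the first entry calls out: 2147483648.5 has its
        implicit one at bit 31, so an int32_t missingOne would be INT32_MIN and
        missingOne - 1 would overflow; in uint32_t it is simply 0x80000000, and the
        result wraps to INT32_MIN as the spec requires.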
4020
4021 2017-04-18  Oleksandr Skachkov  <gskachkov@gmail.com>
4022
4023         [ES6]. Implement Annex B.3.3 function hoisting rules for eval
4024         https://bugs.webkit.org/show_bug.cgi?id=163208
4025
4026         Reviewed by Saam Barati.
4027
4028         This patch implements Annex B.3.3, which is related to
4029         hoisting of function declarations in eval.
4030         https://tc39.github.io/ecma262/#sec-web-compat-evaldeclarationinstantiation
4031         A function declaration in eval should create a variable with the
4032         function name in the function scope where eval is invoked,
4033         or bind to the variable if it is declared outside of the eval.
4034         If the variable is created it can be removed by the 'delete a;' command.
4035         If eval is invoked in a block scope that contains a let/const
4036         variable with the same name as the function declaration