[GLIB] Make remote inspector DBus protocol common to all glib based ports
2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Make remote inspector DBus protocol common to all glib based ports
        https://bugs.webkit.org/show_bug.cgi?id=172970

        Reviewed by Žan Doberšek.

        We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the
        idea that other ports could use their own names. However, the protocol is the same, so we could use the same
        names and make all glib based ports compatible with each other. This way we could use the GTK+ MiniBrowser to
        debug WPE, without having to implement the frontend part in WPE yet.

        * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and remove platform ifdefs.
        * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto.

2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Web Process deadlock when closing the remote inspector frontend
        https://bugs.webkit.org/show_bug.cgi?id=172973

        Reviewed by Žan Doberšek.

        We are taking the remote inspector mutex twice. First close message is received, and receivedCloseMessage()
        takes the mutex. Then RemoteConnectionToTarget::close() is called that, when connected, calls
        PageDebuggable::disconnect() that ends up calling RemoteInspector::updateTarget() that also takes the remote
        inspector mutex. We should release the mutex before calling RemoteConnectionToTarget::close().

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::receivedCloseMessage):

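The double-locking pattern this entry describes, as an added illustration that is not JSC's code: `Inspector`, `Connection` and `OwnerTrackingMutex` are hypothetical stand-ins for RemoteInspector, RemoteConnectionToTarget and the remote inspector mutex, and the re-lock is reported instead of hanging so both shapes can be exercised.

```cpp
#include <memory>
#include <mutex>
#include <thread>

// Mutex wrapper that remembers its owning thread, so a re-lock from the same
// thread can be reported instead of hanging (re-locking a std::mutex from its
// owner is undefined behaviour, in practice a deadlock). Hypothetical helper.
class OwnerTrackingMutex {
public:
    void lock() { m_mutex.lock(); m_owner = std::this_thread::get_id(); }
    void unlock() { m_owner = std::thread::id(); m_mutex.unlock(); }
    bool heldByThisThread() const { return m_owner == std::this_thread::get_id(); }
private:
    std::mutex m_mutex;
    std::thread::id m_owner;   // only read by the owning thread in this demo
};

class Inspector;

struct Connection {
    bool connected = true;
    void close(Inspector&);   // defined below: calls back into the inspector
};

class Inspector {
public:
    void connect() { m_connection = std::make_shared<Connection>(); }

    // Stands in for RemoteInspector::updateTarget(), reached via
    // PageDebuggable::disconnect() while the connection is closing.
    void updateTarget()
    {
        if (m_mutex.heldByThisThread()) {
            m_reentrantLock = true;   // would deadlock on a real std::mutex
            return;
        }
        std::lock_guard<OwnerTrackingMutex> guard(m_mutex);
        ++m_targetUpdates;
    }

    // Buggy shape: the mutex is still held while Connection::close() runs,
    // and close() re-enters updateTarget() on the same thread.
    void receivedCloseMessageBuggy()
    {
        std::lock_guard<OwnerTrackingMutex> guard(m_mutex);
        std::shared_ptr<Connection> connection = std::move(m_connection);
        if (connection)
            connection->close(*this);
    }

    // Fixed shape: detach the connection under the lock, release the lock,
    // then call close(); nothing that can re-enter runs while locked.
    void receivedCloseMessageFixed()
    {
        std::shared_ptr<Connection> connection;
        {
            std::lock_guard<OwnerTrackingMutex> guard(m_mutex);
            connection = std::move(m_connection);
        }
        if (connection)
            connection->close(*this);
    }

    bool reentrantLockAttempted() const { return m_reentrantLock; }
    int targetUpdates() const { return m_targetUpdates; }

private:
    OwnerTrackingMutex m_mutex;
    std::shared_ptr<Connection> m_connection;
    bool m_reentrantLock = false;
    int m_targetUpdates = 0;
};

void Connection::close(Inspector& inspector)
{
    if (!connected)
        return;
    connected = false;
    inspector.updateTarget();   // the re-entrant call that took the lock again
}

// The buggy path attempts to re-take the lock and never updates the target.
bool buggyPathRelocks()
{
    Inspector inspector;
    inspector.connect();
    inspector.receivedCloseMessageBuggy();
    return inspector.reentrantLockAttempted() && inspector.targetUpdates() == 0;
}

// The fixed path completes with exactly one target update and no re-lock.
bool fixedPathCompletes()
{
    Inspector inspector;
    inspector.connect();
    inspector.receivedCloseMessageFixed();
    return !inspector.reentrantLockAttempted() && inspector.targetUpdates() == 1;
}
```
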
2017-06-05  Saam Barati  <sbarati@apple.com>

        Try to fix features.json by adding an ESNext section.

        Unreviewed.

        * features.json:

2017-06-05  David Kilzer  <ddkilzer@apple.com>

        Follow-up: Update JSC's features.json
        https://bugs.webkit.org/show_bug.cgi?id=172942

        Rubber-stamped by Jon Davis.

        * features.json: Change "Supported in preview" to
        "Supported" to try to fix <https://webkit.org/status/>.

2017-06-05  Saam Barati  <sbarati@apple.com>

        We don't properly parse init_expr when the opcode is an unexpected opcode
        https://bugs.webkit.org/show_bug.cgi?id=172945

        Reviewed by JF Bastien.

        The bug is a simple typo. It should use the constant
        `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF
        macro. This failure is already caught by spec tests that fail
        on arm64 devices.

        * wasm/WasmModuleParser.cpp:

2017-06-05  Keith Miller  <keith_miller@apple.com>

        OMG tier up checks should be a patchpoint
        https://bugs.webkit.org/show_bug.cgi?id=172944

        Reviewed by Saam Barati.

        Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
        in order to reduce code generated out of line in each function. We generate a single stub
        that pushes all the callee-saves. This looks like a 5-10% compile time speedup.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
        (JSC::Wasm::B3IRGenerator::addLoop):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        * wasm/WasmThunks.h:

2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused VM members
        https://bugs.webkit.org/show_bug.cgi?id=172941

        Reviewed by Mark Lam.

        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::selectStructure): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Saam Barati.

        * heap/HeapSnapshotBuilder.h:
        * heap/HeapSnapshotBuilder.cpp:
        Update the snapshot version. Change the node's 0 | 1 internal value
        to be a 32-bit bit flag. This is nice in that it is both compatible
        with the previous snapshot version and the same size. We can use more
        flags in the future.

        (JSC::HeapSnapshotBuilder::json):
        In cases where the classInfo gives us "Object" check for a better
        class name by checking (o).__proto__.constructor.name. We avoid this
        check in cases where (o).hasOwnProperty("constructor") which is the
        case for most Foo.prototype objects. Otherwise this would get the
        name of the Foo superclass for the Foo.prototype object.

        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        Handle some possible edge cases that were not handled before, such
        as a JSObject without a GlobalObject, and an object which doesn't
        have a default getPrototype. Try to make the code a little clearer.

2017-06-05  Saam Barati  <sbarati@apple.com>

        Update JSC's features.json
        https://bugs.webkit.org/show_bug.cgi?id=172942

        Rubber stamped by Mark Lam.

        * features.json:

2017-06-04  Konstantin Tokarev  <annulen@yandex.ru>

        Fix build of Windows-specific code with ICU 59.1
        https://bugs.webkit.org/show_bug.cgi?id=172729

        Reviewed by Darin Adler.

        Fix conversions from WTF::String to wchar_t* and vice versa.

        * jsc.cpp:
        (currentWorkingDirectory):
        (fetchModuleFromLocalFileSystem):
        * runtime/DateConversion.cpp:
        (JSC::formatDateTime):

2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop unnecessary USE(CF) guard for getenv
        https://bugs.webkit.org/show_bug.cgi?id=172903

        Reviewed by Sam Weinig.

        getenv is not related to USE(CF) and OS(UNIX). It seems that this
        ifdef only hits in WinCairo, but WinCairo can use getenv.
        Moreover, in VM::VM, we already use getenv without any ifdef guard.

        This patch just drops it.

        * runtime/VM.cpp:
        (JSC::enableAssembler):

2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop OS(DARWIN) for uintptr_t type conflict
        https://bugs.webkit.org/show_bug.cgi?id=172904

        Reviewed by Sam Weinig.

        In non-Darwin environments, uintptr_t may have the same type
        as uint64_t. We avoided the compile error by using OS(DARWIN).
        But, since it depends on the cstdint implementation rather than the OS, it is flaky.
        Instead, we just use the template parameter IntegralType.
        And we describe the type constraint in a SFINAE manner.

        * dfg/DFGOpInfo.h:
        (JSC::DFG::OpInfo::OpInfo):

2017-06-03  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Unreviewed buildfix after r217711.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::xor32):

2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export
        https://bugs.webkit.org/show_bug.cgi?id=168844

        Reviewed by Saam Barati.

        As with the exported function declaration, we should set statementDepth = 1 for exported async function declarations.

        * parser/Parser.cpp:
        (JSC::DepthManager::DepthManager):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        * parser/Parser.h:
        (JSC::Parser::DepthManager::DepthManager): Deleted.
        (JSC::Parser::DepthManager::~DepthManager): Deleted.

2017-06-02  Keith Miller  <keith_miller@apple.com>

        Defer installing mach breakpoint handler until watchdog is actually called
        https://bugs.webkit.org/show_bug.cgi?id=172885

        Reviewed by Saam Barati.

        Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging.
        This hides the issue, so it won't occur as often.

        * runtime/VMTraps.cpp:
        (JSC::VMTraps::SignalSender::send):
        (JSC::VMTraps::VMTraps): Deleted.
        * runtime/VMTraps.h:

2017-06-02  Filip Pizlo  <fpizlo@apple.com>

        Atomics.load and Atomics.store need to be fully fenced
        https://bugs.webkit.org/show_bug.cgi?id=172844

        Reviewed by Keith Miller.

        Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and
        AtomicXchg(value, ptr) for the store.

        DFG needed no changes because it implements all atomics using a CAS loop.

        AtomicsObject.cpp now uses the new Atomic<> API for fully fenced loads and stores.

        Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This
        is not correct according to my current understanding of the SAB memory model, which requires
        that atomic operations are SC with respect to everything, not just other atomics.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::atomicWeakCAS):
        * ftl/FTLOutput.h:
        * runtime/AtomicsObject.cpp:

2017-06-02  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, attempt to fix the iOS build after r217711.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::xor32):
        (JSC::MacroAssemblerARM64::xor64):

2017-06-01  Filip Pizlo  <fpizlo@apple.com>

        GC should use scrambled free-lists
        https://bugs.webkit.org/show_bug.cgi?id=172793

        Reviewed by Mark Lam.

        Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list.
        The linked-list would be threaded through free memory, as is the usual convention.

        This scrambles the next pointers of that free-list. It also scrambles the head pointer, because
        this leads to a more natural fast-path structure and saves one register on ARM64.

        The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret
        every time they do a sweep-to-pop.

        This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code
        quite a bit. Previously, there were four copies of the allocator fast path: two in
        MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one
        was obviously different-looking, but the other three were almost identical. This moves all of
        that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and
        AssemblyHelpers.h.

        This appears to be just as fast as our previous allocator.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/FreeList.cpp:
        (JSC::FreeList::FreeList):
        (JSC::FreeList::~FreeList):
        (JSC::FreeList::clear):
        (JSC::FreeList::initializeList):
        (JSC::FreeList::initializeBump):
        (JSC::FreeList::contains):
        (JSC::FreeList::dump):
        * heap/FreeList.h:
        (JSC::FreeList::allocationWillFail):
        (JSC::FreeList::originalSize):
        (JSC::FreeList::addressOfList):
        (JSC::FreeList::offsetOfBlock):
        (JSC::FreeList::offsetOfList):
        (JSC::FreeList::offsetOfIndex):
        (JSC::FreeList::offsetOfPayloadEnd):
        (JSC::FreeList::offsetOfRemaining):
        (JSC::FreeList::offsetOfOriginalSize):
        (JSC::FreeList::FreeList): Deleted.
        (JSC::FreeList::list): Deleted.
        (JSC::FreeList::bump): Deleted.
        (JSC::FreeList::operator==): Deleted.
        (JSC::FreeList::operator!=): Deleted.
        (JSC::FreeList::operator bool): Deleted.
        * heap/FreeListInlines.h: Added.
        (JSC::FreeList::addFreeCell):
        (JSC::FreeList::allocate):
        (JSC::FreeList::forEach):
        (JSC::FreeList::toOffset):
        (JSC::FreeList::fromOffset):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::sweepNextBlock):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::didConsumeFreeList):
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        (JSC::MarkedAllocator::tryAllocateIn):
        (JSC::MarkedAllocator::allocateSlowCaseImpl):
        (JSC::MarkedAllocator::stopAllocating):
        (JSC::MarkedAllocator::prepareForAllocation):
        (JSC::MarkedAllocator::resumeAllocating):
        (JSC::MarkedAllocator::sweep):
        (JSC::MarkedAllocator::setFreeList): Deleted.
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::freeList):
        (JSC::MarkedAllocator::isFreeListedCell): Deleted.
        * heap/MarkedAllocatorInlines.h:
        (JSC::MarkedAllocator::isFreeListedCell):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocate):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::lastChanceToFinalize):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::Handle::zap):
        (JSC::MarkedBlock::Handle::sweep):
        (JSC::MarkedBlock::Handle::isFreeListedCell):
        (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted.
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
        (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted.
        * heap/Subspace.cpp:
        (JSC::Subspace::finishSweep):
        * heap/Subspace.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
        * runtime/JSDestructibleObjectSubspace.cpp:
        (JSC::JSDestructibleObjectSubspace::finishSweep):
        * runtime/JSDestructibleObjectSubspace.h:
        * runtime/JSSegmentedVariableObjectSubspace.cpp:
        (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
        * runtime/JSSegmentedVariableObjectSubspace.h:
        * runtime/JSStringSubspace.cpp:
        (JSC::JSStringSubspace::finishSweep):
        * runtime/JSStringSubspace.h:
        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
        (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
        * wasm/js/JSWebAssemblyCodeBlockSubspace.h:

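The scrambled pop path this entry describes, as an added illustration that is not JSC's FreeList: `ScrambledFreeList`, its members and the constructed four-cell arena are hypothetical, and the XOR-with-secret scheme plus the fresh secret on every sweep-to-pop follow the entry's description. The checks at the end show why a defender cares: a raw pointer planted in freed memory does not decode under the secret, and a scrambled link captured before a sweep stops decoding after it.

```cpp
#include <cstddef>
#include <cstdint>
#include <random>
#include <vector>

// Hypothetical free-list whose "next" links and head are XOR-scrambled with a
// per-allocator secret, modelled on the entry above (not JSC's FreeList).
class ScrambledFreeList {
public:
    // "Sweep-to-pop": choose a fresh secret, then thread the free-list through
    // the free cells, storing every link scrambled. Walks backwards so
    // freeCells[0] is popped first; the terminator is a scrambled null, i.e.
    // the secret itself, never a literal zero.
    void initializeList(const std::vector<void*>& freeCells)
    {
        chooseNewSecret();
        uintptr_t scrambledNext = scramble(0);
        for (size_t i = freeCells.size(); i-- > 0;) {
            *static_cast<uintptr_t*>(freeCells[i]) = scrambledNext;
            scrambledNext = scramble(reinterpret_cast<uintptr_t>(freeCells[i]));
        }
        m_scrambledHead = scrambledNext;   // the head is scrambled as well
    }

    // Pop fast path: descramble the head, then reload the head from the first
    // word of the popped cell. Returns nullptr when exhausted (the real
    // allocator would then take its slow path and sweep or collect).
    void* allocate()
    {
        uintptr_t head = descramble(m_scrambledHead);
        if (!head)
            return nullptr;
        m_scrambledHead = *reinterpret_cast<uintptr_t*>(head);
        return reinterpret_cast<void*>(head);
    }

    uintptr_t scramble(uintptr_t raw) const { return raw ^ m_secret; }
    uintptr_t descramble(uintptr_t stored) const { return stored ^ m_secret; }

private:
    void chooseNewSecret()
    {
        uintptr_t previous = m_secret;
        std::mt19937_64 generator{std::random_device{}()};
        do {
            m_secret = static_cast<uintptr_t>(generator());
        } while (!m_secret || m_secret == previous);   // zero would not scramble
    }

    uintptr_t m_secret = 0;
    uintptr_t m_scrambledHead = 0;
};

// Constructed arena for the checks below: four 32-byte cells.
constexpr size_t kCellSize = 32;
constexpr size_t kCellCount = 4;
alignas(16) static char g_arena[kCellSize * kCellCount];

static std::vector<void*> arenaCells()
{
    std::vector<void*> cells;
    for (size_t i = 0; i < kCellCount; ++i)
        cells.push_back(g_arena + i * kCellSize);
    return cells;
}

// Cells pop in sweep order, and no stored link equals the raw address of the
// cell it points to.
bool popsInOrderWithScrambledLinks()
{
    ScrambledFreeList list;
    std::vector<void*> cells = arenaCells();
    list.initializeList(cells);
    for (size_t i = 0; i + 1 < cells.size(); ++i) {
        uintptr_t stored = *static_cast<uintptr_t*>(cells[i]);
        if (stored == reinterpret_cast<uintptr_t>(cells[i + 1]))
            return false;
    }
    for (void* cell : cells) {
        if (list.allocate() != cell)
            return false;
    }
    return list.allocate() == nullptr;
}

// A raw pointer planted in a free cell (a stray write into freed memory) does
// not decode to itself under the secret, and a link captured before a new
// sweep-to-pop no longer decodes once the secret has changed.
bool plantedAndStaleLinksDoNotResolve()
{
    ScrambledFreeList list;
    std::vector<void*> cells = arenaCells();
    list.initializeList(cells);
    uintptr_t target = reinterpret_cast<uintptr_t>(cells[3]);
    uintptr_t staleLink = *static_cast<uintptr_t*>(cells[2]);   // old-secret link to cells[3]
    if (list.descramble(target) == target)
        return false;
    list.initializeList(cells);   // new secret for this sweep-to-pop
    return list.descramble(staleLink) != target;
}
```
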
2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use @globalPrivate for concatSlowPath
        https://bugs.webkit.org/show_bug.cgi?id=172802

        Reviewed by Darin Adler.

        Use @globalPrivate instead of manually putting it into JSGlobalObject.

        * builtins/ArrayPrototype.js:
        (concatSlowPath): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2017-06-01  Andy Estes  <aestes@apple.com>

        REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake
        https://bugs.webkit.org/show_bug.cgi?id=172828

        Reviewed by Beth Dakin.

        * Configurations/FeatureDefines.xcconfig:

2017-06-01  Keith Miller  <keith_miller@apple.com>

        Undo rollout in r217638 with bug fix
        https://bugs.webkit.org/show_bug.cgi?id=172824

        Unreviewed, reland patch with unused set_state code removed.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (dispatchTermitateCallback):
        (testExecutionTimeLimit):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/Options.cpp:
        (JSC::overrideDefaults):
        (JSC::Options::initialize):
        * runtime/Options.h:
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
        (JSC::installSignalHandler):
        (JSC::VMTraps::SignalSender::send):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::dump):
        (JSC::installCrashHandler):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        (JSC::Wasm::enableFastMemory):
        * wasm/WasmMachineThreads.cpp:
        (JSC::Wasm::resetInstructionCacheOnAllThreads):

2017-06-01  Guillaume Emont  <guijemont@igalia.com>

        [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds
        https://bugs.webkit.org/show_bug.cgi?id=172800

        Reviewed by Saam Barati.

        This fixes a static_cast<uint64_t> by making it a cast to int64_t
        instead, which looks like the original intent. This fixes the
        sampling-profiler tests in JSTests/stress.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::timerLoop):

2017-06-01  Tomas Popela  <tpopela@redhat.com>, Mark Lam  <mark.lam@apple.com>

        RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians
        https://bugs.webkit.org/show_bug.cgi?id=170945

        Reviewed by Mark Lam.

        Re-define PutByIdFlags as an int32_t enum explicitly because it is
        stored as an int32_t value in UnlinkedInstruction.  This prevents
        a bug on 64-bit big endian architectures where the word order is
        inverted (when we convert the UnlinkedInstruction into a CodeBlock
        Instruction), resulting in the PutByIdFlags value not being stored in
        the 32-bit word that the rest of the code expects it to be in.

        * bytecode/PutByIdFlags.h:

2017-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement String.prototype.concat in JS builtins
        https://bugs.webkit.org/show_bug.cgi?id=172798

        Reviewed by Sam Weinig.

        Since we have highly effective + operation for strings,
        implementing String.prototype.concat in JS simplifies the
        implementation and improves performance by using speculated
        types.

        Added microbenchmarks show performance improvement.

        string-concat-long-convert     1063.2787+-12.9101    ^    109.0855+-2.8083        ^ definitely 9.7472x faster
        string-concat-convert          1111.1366+-12.2363    ^     99.3402+-1.9874        ^ definitely 11.1852x faster
        string-concat                   131.7377+-3.8359     ^     54.3949+-0.9580        ^ definitely 2.4219x faster
        string-concat-long               79.4726+-1.9644     ^     64.6301+-1.4941        ^ definitely 1.2297x faster

        * builtins/StringPrototype.js:
        (globalPrivate.stringConcatSlowPath):
        (concat):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncConcat): Deleted.

2017-05-31  Mark Lam  <mark.lam@apple.com>

        Remove overrides of visitChildren() that do not add any functionality.
        https://bugs.webkit.org/show_bug.cgi?id=172789
        <rdar://problem/32500865>

        Reviewed by Andreas Kling.

        * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
        (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
        * bytecode/UnlinkedModuleProgramCodeBlock.h:
        * bytecode/UnlinkedProgramCodeBlock.cpp:
        (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
        * bytecode/UnlinkedProgramCodeBlock.h:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::visitChildren): Deleted.
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted.
        * wasm/js/WebAssemblyInstanceConstructor.h:
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted.
        * wasm/js/WebAssemblyMemoryConstructor.h:
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted.
        * wasm/js/WebAssemblyModuleConstructor.h:
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::WebAssemblyTableConstructor::visitChildren): Deleted.
        * wasm/js/WebAssemblyTableConstructor.h:

2017-05-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r217611 and r217631.
        https://bugs.webkit.org/show_bug.cgi?id=172785

        "caused wasm-hashset-many.html to become flaky." (Requested by
        keith_miller on #webkit).

        Reverted changesets:

        "Reland r216808, underlying lldb bug has been fixed."
        https://bugs.webkit.org/show_bug.cgi?id=172759
        http://trac.webkit.org/changeset/217611

        "Use dispatch queues for mach exceptions"
        https://bugs.webkit.org/show_bug.cgi?id=172775
        http://trac.webkit.org/changeset/217631

2017-05-31  Oleksandr Skachkov  <gskachkov@gmail.com>

        Rolling out: Prevent async methods named 'function'
        https://bugs.webkit.org/show_bug.cgi?id=172776

        Reviewed by Mark Lam.

        Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578,
        https://bugs.webkit.org/show_bug.cgi?id=172598 r217478
        PR to spec was closed, so changes need to roll out. See
        https://github.com/tc39/ecma262/pull/884#issuecomment-305212494

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parsePropertyMethod):

2017-05-31  Andy Estes  <aestes@apple.com>

        Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number
        https://bugs.webkit.org/show_bug.cgi?id=172366

        Reviewed by Daniel Bates.

        * Configurations/FeatureDefines.xcconfig:

2017-05-31  Keith Miller  <keith_miller@apple.com>

        Reland r216808, underlying lldb bug has been fixed.
        https://bugs.webkit.org/show_bug.cgi?id=172759

        Unreviewed, relanding old patch. See: rdar://problem/31183352

        * API/tests/ExecutionTimeLimitTest.cpp:
        (dispatchTermitateCallback):
        (testExecutionTimeLimit):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/Options.cpp:
        (JSC::overrideDefaults):
        (JSC::Options::initialize):
        * runtime/Options.h:
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
        (JSC::installSignalHandler):
        (JSC::VMTraps::SignalSender::send):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::dump):
        (JSC::installCrashHandler):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        (JSC::Wasm::enableFastMemory):
        * wasm/WasmMachineThreads.cpp:
        (JSC::Wasm::resetInstructionCacheOnAllThreads):

2017-05-31  Keith Miller  <keith_miller@apple.com>

        Fix leak in PromiseDeferredTimer
        https://bugs.webkit.org/show_bug.cgi?id=172755

        Reviewed by JF Bastien.

        We were not properly freeing the list of dependencies if we were already tracking the promise before.
        This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
        where we were already tracking the promise, we append the provided dependency list to the existing list.
        Since we never bound our rvalue-ref to a non-temporary value, we never destructed the Vector, leaking its
        contents.

        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::addPendingPromise):

2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>

        Prevent async methods named 'function' in Object literal
        https://bugs.webkit.org/show_bug.cgi?id=172660

        Reviewed by Saam Barati.

        Prevent async method named 'function' in object.
        https://github.com/tc39/ecma262/pull/884

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePropertyMethod):

2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>

        ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
        https://bugs.webkit.org/show_bug.cgi?id=171274

        Reviewed by Saam Barati.

        The current patch allows using an async arrow function within a constructor,
        and allows accessing `this`. It forces loading `this` from the
        virtual scope each time `this` is accessed in an async arrow function
        within a constructor; this is necessary because the async function can be
        suspended, `superCall` can be called, and the async function resumed.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPutGeneratorFields):
        (JSC::BytecodeGenerator::ensureThis):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):

2017-05-30  Ali Juma  <ajuma@chromium.org>

        [CredentialManagement] Incorporate IDL updates from latest spec
        https://bugs.webkit.org/show_bug.cgi?id=172011

        Reviewed by Daniel Bates.

        * runtime/CommonIdentifiers.h:

2017-05-30  Alex Christensen  <achristensen@webkit.org>

        Update libwebrtc configuration
        https://bugs.webkit.org/show_bug.cgi?id=172727

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:

2017-05-28  Dan Bernstein  <mitz@apple.com>

        [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES
        https://bugs.webkit.org/show_bug.cgi?id=172691

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO.
        * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target.

2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Provide better type information of toLength and tighten bytecode
        https://bugs.webkit.org/show_bug.cgi?id=172690

        Reviewed by Sam Weinig.

        In this patch, we carefully leverage operator + in order to

        1. tighten bytecode

        operator+ emits to_number bytecode. What this bytecode does is the same
        as a @Number() call. It is more efficient, and it is smaller bytecode
        than a @Number() call (load global variable @Number, set up arguments, and
        call it).

        2. offer better type prediction data

        Now, we have code like

            length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0

        This is not good because DFG prediction propagation phase predicts as Double
        since @MAX_SAFE_INTEGER is double. But actually it rarely becomes Double.
        Usually, the result becomes Int32. This patch leverages to_number in a somewhat
        interesting way: to_number has value profiling to offer better type prediction.
        This value profiling can offer a chance to change the prediction to Int32 efficiently.
        It is a bit tricky. But it is worth doing to speed up our builtin functions,
        which should leverage all the JSC's tricky things to be optimized.

        Related microbenchmarks show performance improvement.

                                                  baseline                  patched

            array-prototype-forEach           50.2348+-2.2331           49.7568+-2.3507
            array-prototype-map               51.0574+-1.8166           47.9531+-2.1653          might be 1.0647x faster
            array-prototype-some              52.3926+-1.8882     ^     48.3632+-2.0852        ^ definitely 1.0833x faster
            array-prototype-every             52.7394+-2.0712           50.2896+-2.1480          might be 1.0487x faster
            array-prototype-reduce            54.9994+-2.3638           51.8716+-2.6253          might be 1.0603x faster
            array-prototype-reduceRight      209.7594+-9.2594     ^     51.5867+-2.5745        ^ definitely 4.0662x faster

        * builtins/GlobalOperations.js:
        (globalPrivate.toInteger):
        (globalPrivate.toLength):

2017-05-28  Sam Weinig  <sam@webkit.org>

        [WebIDL] @@iterator should only be accessed once when disambiguating a union type
        https://bugs.webkit.org/show_bug.cgi?id=172684

        Reviewed by Yusuke Suzuki.

        * runtime/IteratorOperations.cpp:
        (JSC::iteratorMethod):
        (JSC::iteratorForIterable):
        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):
        Add additional iterator helpers to allow union + sequence conversion code
        to check for iterability by getting the iterator method, and iterate using
        that method later on.

2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for Windows
        https://bugs.webkit.org/show_bug.cgi?id=172413

        Optimized jsDynamicCast for JSMap and JSSet will be handled in [1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=172685

        * runtime/JSMap.h:
        (JSC::isJSMap):
        (JSC::jsDynamicCast): Deleted.
        (JSC::>): Deleted.
        * runtime/JSSet.h:
        (JSC::isJSSet):
        (JSC::jsDynamicCast): Deleted.
        (JSC::>): Deleted.
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):

736 2017-05-28  Mark Lam  <mark.lam@apple.com>
737
738         Implement a faster Interpreter::getOpcodeID().
739         https://bugs.webkit.org/show_bug.cgi?id=172669
740
741         Reviewed by Saam Barati.
742
743         We can implement Interpreter::getOpcodeID() without a hash table lookup by always
744         embedding the OpcodeID in the 32-bit word just before the start of the LLInt
745         handler code that executes each opcode.  getOpcodeID() can therefore just read
746         the 32-bits before the opcode address to get its OpcodeID.
747
748         This is currently only enabled for CPU(X86), CPU(X86_64), CPU(ARM64),
749         CPU(ARM_THUMB2), and only for OS(DARWIN).  It'll probably just work for Linux as
750         well, but I'll let the Linux folks turn that on after they have verified that it
751         works on Linux too.
752
753         I'll also take this opportunity to clean up how we initialize the opcodeIDTable:
754         1. we only need to initialize it once per process, not once per VM / interpreter
755            instance.
756         2. we can initialize it in the Interpreter constructor instead of requiring a
757            separate call to an initialize() function.
758
759         On debug builds, the Interpreter constructor will also verify that getOpcodeID()
760         is working correctly for each opcode when USE(LLINT_EMBEDDED_OPCODE_ID).
761
762         * bytecode/BytecodeList.json:
763         * generate-bytecode-files:
764         * interpreter/Interpreter.cpp:
765         (JSC::Interpreter::Interpreter):
766         (JSC::Interpreter::opcodeIDTable):
767         (JSC::Interpreter::initialize): Deleted.
768         * interpreter/Interpreter.h:
769         (JSC::Interpreter::getOpcode):
770         (JSC::Interpreter::getOpcodeID):
771         * llint/LowLevelInterpreter.cpp:
772         * runtime/VM.cpp:
773         (JSC::VM::VM):
774
775 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
776
777         [JSC] Map and Set constructors should have fast path for cloning
778         https://bugs.webkit.org/show_bug.cgi?id=172413
779
780         Reviewed by Saam Barati.
781
782         In this patch, we add a fast path for cloning in Set and Map constructors.
783
784         In ARES-6 Air, we have code like `new Set(set)` to clone the given set.
785         At that time, our generic path just iterates the given set object and adds
786         each element to the newly created one. It is quite slow because we need to follow
787         the iterator protocol inside C++ and we need to call set.add() repeatedly
788         while the given set guarantees the elements are unique.
789
790         This patch implements a clone() function for JSMap and JSSet. Cloning a JSMap
791         or JSSet is done really fast without invoking any observable JS functions.
792         To check whether we can use this clone() function in Set and Map constructors,
793         we set several watchpoints.
794
795         In the case of Set,
796
797         1. Set.prototype[Symbol.iterator] is not changed.
798         2. SetIterator.prototype.next is not changed.
799         3. Set.prototype.add is not changed.
800         4. The given Set does not have [Symbol.iterator] function in its instance.
801         5. The given Set's [[Prototype]] is Set.prototype.
802         6. Newly created set's [[Prototype]] is Set.prototype.
803
804         If the above requirements are met, cloning the given Set is not observable to users.
805         Thus we can take a fast path.
806
807         Currently, we do not integrate this optimization into the DFG and FTL,
808         and we do not optimize other iterables. For example, we can optimize the Set
809         constructor taking an Int32 Array, and we should optimize generic iterator cases too.
810         These are planned as part of a separate bug [1].
811
812         This change improves ARES-6 Air by 5.3% in steady state.
813
814         Baseline:
815             Running... Air ( 1  to go)
816             firstIteration:     76.41 +- 15.60 ms
817             averageWorstCase:   40.63 +- 7.54 ms
818             steadyState:        9.13 +- 0.51 ms
819
820
821         Patched:
822             Running... Air ( 1  to go)
823             firstIteration:     75.00 +- 22.54 ms
824             averageWorstCase:   39.18 +- 8.45 ms
825             steadyState:        8.67 +- 0.28 ms
826
827         [1]: https://bugs.webkit.org/show_bug.cgi?id=172419
828
829         * CMakeLists.txt:
830         * JavaScriptCore.xcodeproj/project.pbxproj:
831         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Removed.
832         * runtime/HashMapImpl.h:
833         (JSC::HashMapBucket::extractValue):
834         (JSC::HashMapImpl::finishCreation):
835         (JSC::HashMapImpl::add):
836         (JSC::HashMapImpl::setUpHeadAndTail):
837         (JSC::HashMapImpl::addNormalizedNonExistingForCloning):
838         (JSC::HashMapImpl::addNormalizedInternal):
839         * runtime/InternalFunction.cpp:
840         (JSC::InternalFunction::createSubclassStructureSlow):
841         (JSC::InternalFunction::createSubclassStructure): Deleted.
842         * runtime/InternalFunction.h:
843         (JSC::InternalFunction::createSubclassStructure):
844         * runtime/JSGlobalObject.cpp:
845         (JSC::JSGlobalObject::JSGlobalObject):
846         (JSC::JSGlobalObject::init):
847         (JSC::JSGlobalObject::visitChildren):
848         * runtime/JSGlobalObject.h:
849         (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint):
850         (JSC::JSGlobalObject::setIteratorProtocolWatchpoint):
851         (JSC::JSGlobalObject::mapSetWatchpoint):
852         (JSC::JSGlobalObject::setAddWatchpoint):
853         (JSC::JSGlobalObject::mapPrototype):
854         (JSC::JSGlobalObject::jsSetPrototype):
855         (JSC::JSGlobalObject::setStructure):
856         * runtime/JSGlobalObjectInlines.h:
857         (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
858         (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
859         (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
860         (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
861         * runtime/JSMap.cpp:
862         (JSC::JSMap::clone):
863         (JSC::JSMap::canCloneFastAndNonObservable):
864         * runtime/JSMap.h:
865         (JSC::jsDynamicCast):
866         (JSC::>):
867         (JSC::JSMap::createStructure): Deleted.
868         (JSC::JSMap::create): Deleted.
869         (JSC::JSMap::set): Deleted.
870         (JSC::JSMap::JSMap): Deleted.
871         * runtime/JSSet.cpp:
872         (JSC::JSSet::clone):
873         (JSC::JSSet::canCloneFastAndNonObservable):
874         * runtime/JSSet.h:
875         (JSC::jsDynamicCast):
876         (JSC::>):
877         (JSC::JSSet::createStructure): Deleted.
878         (JSC::JSSet::create): Deleted.
879         (JSC::JSSet::JSSet): Deleted.
880         * runtime/MapConstructor.cpp:
881         (JSC::constructMap):
882         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorAdaptiveWatchpoint.h.
883         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
884         * runtime/SetConstructor.cpp:
885         (JSC::constructSet):
886
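Added example (JavaScript, not WebKit's own code) for the six conditions listed in the entry above: each function below deliberately breaks one of them, clones with `new Set(src)` (or through a subclass constructor), and returns the user hooks that a spec-conforming engine must have run. The constructed source set [1, 2, 3], the hook names pushed into `calls`, and the helper names are all this example's own. If an engine took the clone fast path in any of these cases, the missing entries in `calls` (or the wrong element count) would be the observable difference.

```javascript
// Added example (JavaScript, not WebKit code): each function breaks one of the
// conditions the Set clone fast path watches, runs `new Set(src)` (or a
// subclass constructor), and returns the user hooks that a spec-conforming
// engine must have invoked. The source set [1, 2, 3] and the hook names are
// constructed for this example.

function cloneWithHooks(setup) {
  const calls = [];
  // Build the default source before `setup` patches anything, so its own
  // construction cannot go through a patched hook and pollute `calls`.
  const defaultSrc = new Set([1, 2, 3]);
  const { src = defaultSrc, Ctor = Set, restore = () => {} } = setup(calls);
  let copy;
  try {
    copy = new Ctor(src);
  } finally {
    restore(); // undo prototype patches before anything else iterates
  }
  return { calls, size: copy.size, values: Array.from(copy) };
}

// Baseline: nothing patched, no user code can run, cloning directly is safe.
function cloneUnpatched() {
  return cloneWithHooks(() => ({}));
}

// Condition 1: Set.prototype[Symbol.iterator] replaced.
function cloneWithPatchedPrototypeIterator() {
  return cloneWithHooks((calls) => {
    const original = Set.prototype[Symbol.iterator];
    Set.prototype[Symbol.iterator] = function () {
      calls.push('proto-iterator');
      return original.call(this);
    };
    return { restore: () => { Set.prototype[Symbol.iterator] = original; } };
  });
}

// Condition 2: %SetIteratorPrototype%.next replaced; one call per element
// plus the final { done: true } result.
function cloneWithPatchedIteratorNext() {
  return cloneWithHooks((calls) => {
    const SetIteratorPrototype = Object.getPrototypeOf(new Set().values());
    const original = SetIteratorPrototype.next;
    SetIteratorPrototype.next = function () {
      calls.push('next');
      return original.call(this);
    };
    return { restore: () => { SetIteratorPrototype.next = original; } };
  });
}

// Condition 3: Set.prototype.add replaced. The constructor looks `add` up on
// the new set, so every insertion must go through the patched function.
function cloneWithPatchedAdd() {
  return cloneWithHooks((calls) => {
    const original = Set.prototype.add;
    Set.prototype.add = function (value) {
      calls.push('add');
      return original.call(this, value);
    };
    return { restore: () => { Set.prototype.add = original; } };
  });
}

// Condition 4: an own [Symbol.iterator] on the source instance shadows the
// prototype's and decides what the clone contains.
function cloneWithOwnIterator() {
  return cloneWithHooks((calls) => {
    const src = new Set([1, 2, 3]);
    src[Symbol.iterator] = function* () { calls.push('own-iterator'); yield 42; };
    return { src };
  });
}

// Condition 5: the source's [[Prototype]] is not Set.prototype (a subclass
// that overrides iteration).
function cloneFromSubclassSource() {
  return cloneWithHooks((calls) => {
    class TracingSet extends Set {
      *[Symbol.iterator]() { calls.push('sub-iterator'); yield* this.values(); }
    }
    return { src: new TracingSet([1, 2, 3]) };
  });
}

// Condition 6: the new set's [[Prototype]] is not Set.prototype (constructed
// through a subclass whose `add` is overridden).
function cloneIntoSubclass() {
  return cloneWithHooks((calls) => {
    class LoggingSet extends Set {
      add(value) { calls.push('sub-add'); return super.add(value); }
    }
    return { Ctor: LoggingSet };
  });
}
```

Each patch is undone in `restore()` before the clone is read back, so the returned `values` reflect only the constructor's behaviour; a fast path that skipped any of these hooks would leave `calls` empty where a conforming engine fills it.
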
887 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
888
889         [DOMJIT] Move DOMJIT patchpoint infrastructure out of domjit
890         https://bugs.webkit.org/show_bug.cgi?id=172260
891
892         Reviewed by Filip Pizlo.
893
894         DOMJIT::Patchpoint is now used for the generalized CheckSubClass, and it has become mature enough
895         to be used as a general-purpose injectable compiler over all the JIT tiers.
896
897         We extract DOMJIT::Patchpoint to jit/ and rename it JSC::Snippet.
898
899         * CMakeLists.txt:
900         * JavaScriptCore.xcodeproj/project.pbxproj:
901         * bytecode/AccessCaseSnippetParams.cpp: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.cpp.
902         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
903         (JSC::AccessCaseSnippetParams::emitSlowPathCalls):
904         * bytecode/AccessCaseSnippetParams.h: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.h.
905         (JSC::AccessCaseSnippetParams::AccessCaseSnippetParams):
906         * bytecode/GetterSetterAccessCase.cpp:
907         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
908         * dfg/DFGAbstractInterpreterInlines.h:
909         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
910         * dfg/DFGByteCodeParser.cpp:
911         (JSC::DFG::blessCallDOMGetter):
912         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
913         * dfg/DFGClobberize.h:
914         (JSC::DFG::clobberize):
915         * dfg/DFGFixupPhase.cpp:
916         (JSC::DFG::FixupPhase::fixupNode):
917         * dfg/DFGGraph.h:
918         * dfg/DFGNode.h:
919         * dfg/DFGSnippetParams.cpp: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.cpp.
920         * dfg/DFGSnippetParams.h: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
921         (JSC::DFG::SnippetParams::SnippetParams):
922         * dfg/DFGSpeculativeJIT.cpp:
923         (JSC::DFG::allocateTemporaryRegistersForSnippet):
924         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
925         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
926         (JSC::DFG::allocateTemporaryRegistersForPatchpoint): Deleted.
927         * domjit/DOMJITCallDOMGetterSnippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITCallDOMGetterPatchpoint.h.
928         (JSC::DOMJIT::CallDOMGetterSnippet::create):
929         * domjit/DOMJITGetterSetter.h:
930         * domjit/DOMJITSignature.h:
931         * domjit/DOMJITValue.h: Removed.
932         * ftl/FTLLowerDFGToB3.cpp:
933         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
934         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
935         * ftl/FTLSnippetParams.cpp: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.cpp.
936         * ftl/FTLSnippetParams.h: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
937         (JSC::FTL::SnippetParams::SnippetParams):
938         * jit/Snippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpoint.h.
939         (JSC::Snippet::create):
940         (JSC::Snippet::setGenerator):
941         (JSC::Snippet::generator):
942         * jit/SnippetParams.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
943         (JSC::SnippetParams::~SnippetParams):
944         (JSC::SnippetParams::Value::Value):
945         (JSC::SnippetParams::Value::isGPR):
946         (JSC::SnippetParams::Value::isFPR):
947         (JSC::SnippetParams::Value::isJSValueRegs):
948         (JSC::SnippetParams::Value::gpr):
949         (JSC::SnippetParams::Value::fpr):
950         (JSC::SnippetParams::Value::jsValueRegs):
951         (JSC::SnippetParams::Value::reg):
952         (JSC::SnippetParams::Value::value):
953         (JSC::SnippetParams::SnippetParams):
954         * jit/SnippetReg.h: Renamed from Source/JavaScriptCore/domjit/DOMJITReg.h.
955         (JSC::SnippetReg::SnippetReg):
956         * jit/SnippetSlowPathCalls.h: Renamed from Source/JavaScriptCore/domjit/DOMJITSlowPathCalls.h.
957         * jsc.cpp:
958         (WTF::DOMJITNode::checkSubClassSnippet):
959         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
960         (WTF::DOMJITNode::checkSubClassPatchpoint): Deleted.
961         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): Deleted.
962         * runtime/ClassInfo.h:
963
964 2017-05-26  Keith Miller  <keith_miller@apple.com>
965
966         REGRESSION(r217459): testapi fails in JSExportTest's wrapperForNSObjectisObject().
967         https://bugs.webkit.org/show_bug.cgi?id=172654
968
969         Reviewed by Mark Lam.
970
971         The test's intent is to assert that an exception has not been
972         thrown (as indicated by the message string), but the test was
973         erroneously checking for ! the right condition. This is now fixed.
974
975         * API/tests/JSExportTests.mm:
976         (wrapperForNSObjectisObject):
977
978 2017-05-26  Joseph Pecoraro  <pecoraro@apple.com>
979
980         JSContext Inspector: Improve the reliability of automatically pausing in auto-attach
981         https://bugs.webkit.org/show_bug.cgi?id=172664
982         <rdar://problem/32362933>
983
984         Reviewed by Matt Baker.
985
986         Automatically pause on connection was triggering a pause before the
987         frontend may have initialized. Often during frontend initialization
988         the frontend may perform an action that clears the pause state requested
989         by the developer. This change defers the pause until after the frontend
990         has initialized, right before returning to the application's code.
991
992         * inspector/remote/RemoteControllableTarget.h:
993         * inspector/remote/RemoteInspectionTarget.h:
994         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
995         (Inspector::RemoteConnectionToTarget::setup):
996         * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
997         (Inspector::RemoteConnectionToTarget::setup):
998         * runtime/JSGlobalObjectDebuggable.cpp:
999         (JSC::JSGlobalObjectDebuggable::connect):
1000         (JSC::JSGlobalObjectDebuggable::pause): Deleted.
1001         * runtime/JSGlobalObjectDebuggable.h:
1002         Pass an immediatelyPause boolean on to the controller. Remove
1003         the current path that invokes a pause before initialization.
1004
1005         * inspector/JSGlobalObjectInspectorController.h:
1006         * inspector/JSGlobalObjectInspectorController.cpp:
1007         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1008         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1009         Manage should immediately pause state.
1010
1011         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
1012         (Inspector::JSGlobalObjectInspectorController::pause): Deleted.
1013         When initialized, trigger a pause if requested.
1014
1015 2017-05-26  Mark Lam  <mark.lam@apple.com>
1016
1017         Temporarily commenting out a JSExportTest test until webkit.org/b/172654 is fixed.
1018         https://bugs.webkit.org/show_bug.cgi?id=172655
1019
1020         Reviewed by Saam Barati.
1021
1022         * API/tests/JSExportTests.mm:
1023         (wrapperForNSObjectisObject):
1024
1025 2017-05-26  Mark Lam  <mark.lam@apple.com>
1026
1027         REGRESSION(216914): testCFStrings encounters an invalid ExecState callee pointer.
1028         https://bugs.webkit.org/show_bug.cgi?id=172651
1029
1030         Reviewed by Saam Barati.
1031
1032         This is because the assertion utility functions used in testCFStrings() expect
1033         to get the JSGlobalContextRef from the global context variable.  However,
1034         testCFStrings() creates its own JSGlobalContextRef but does not set the global
1035         context variable to it.
1036
1037         The fix is to make testCFStrings() initialize the global context variable properly.
1038
1039         * API/tests/testapi.c:
1040         (testCFStrings):
1041
1042 2017-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1043
1044         Give ModuleProgram the same treatment that we did for ProgramCode in bug#167725
1045         https://bugs.webkit.org/show_bug.cgi?id=167805
1046
1047         Reviewed by Saam Barati.
1048
1049         Since ModuleProgramExecutable is executed only once, we can skip compiling
1050         code unreachable from the current program count. This can skip massive
1051         initialization code.
1052
1053         We already do this for global code in bug#167725. This patch extends it to
1054         module code.
1055
1056         * interpreter/Interpreter.cpp:
1057         (JSC::Interpreter::executeModuleProgram):
1058         * interpreter/Interpreter.h:
1059         * jit/JIT.cpp:
1060         (JSC::JIT::privateCompileMainPass):
1061         * runtime/JSModuleRecord.cpp:
1062         (JSC::JSModuleRecord::evaluate):
1063         * runtime/JSModuleRecord.h:
1064         (JSC::JSModuleRecord::moduleProgramExecutable): Deleted.
1065
1066 2017-05-26  Oleksandr Skachkov  <gskachkov@gmail.com>
1067
1068         Prevent async methods named 'function'
1069         https://bugs.webkit.org/show_bug.cgi?id=172598
1070
1071         Reviewed by Mark Lam.
1072
1073         Prevent async methods named 'function' in classes.
1074         Link to the change in the ecma262 specification:
1075         https://github.com/tc39/ecma262/pull/884
1076
1077         * parser/Parser.cpp:
1078         (JSC::Parser<LexerType>::parseClass):
1079
1080 2017-05-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1081
1082         Unreviewed, build fix for GCC
1083
1084         std::tuple does not have an implicit constructor.
1085         Thus, we cannot use implicit construction with an initializer brace.
1086         We should specify the name, like `GetInst { }`.
1087
1088         * bytecompiler/BytecodeGenerator.h:
1089         (JSC::StructureForInContext::addGetInst):
1090
1091 2017-05-25  Keith Miller  <keith_miller@apple.com>
1092
1093         Cleanup tests after r217240
1094         https://bugs.webkit.org/show_bug.cgi?id=172466
1095
1096         Reviewed by Mark Lam.
1097
1098         I forgot to make my test an actual test. Also, remove the second call to runJSExportTests().
1099
1100         * API/tests/JSExportTests.mm:
1101         (wrapperForNSObjectisObject):
1102         * API/tests/testapi.mm:
1103         (testObjectiveCAPIMain):
1104
1105 2017-05-25  Michael Saboff  <msaboff@apple.com>
1106
1107         The default setting of Option::criticalGCMemoryThreshold is too high for iOS
1108         https://bugs.webkit.org/show_bug.cgi?id=172617
1109
1110         Reviewed by Mark Lam.
1111
1112         Reducing criticalGCMemoryThreshold to 0.80 eliminated jetsam on iOS devices
1113         when tested running JetStream.
1114
1115         * runtime/Options.h:
1116
1117 2017-05-25  Saam Barati  <sbarati@apple.com>
1118
1119         Our for-in optimization in the bytecode generator does its static analysis incorrectly
1120         https://bugs.webkit.org/show_bug.cgi?id=172532
1121         <rdar://problem/32369452>
1122
1123         Reviewed by Mark Lam.
1124
1125         Our static analysis for when a for-in induction variable
1126         is written to tried to do its analysis as we generate
1127         bytecode. This has issues, since it does not account for
1128         the dynamic execution path of the program. Let's consider
1129         a program where our old analysis worked:
1130         
1131         ```
1132         for (let p in o) {
1133             o[p]; // We can transform this into a fast get_direct_pname
1134             p = 20;
1135             o[p]; // We cannot transform this since p has been changed.
1136         }
1137         ```
1138         
1139         However, our static analysis did not account for loops, which exist
1140         in JavaScript. E.g., it would incorrectly compile this program as:
1141         ```
1142         for (let p in o) {
1143             for (let i = 0; i < 20; ++i) {
1144                 o[p]; // It transforms this to use get_direct_pname even though p will be over-written if we get here from the inner loop back edge!
1145                 p = 20;
1146                 o[p]; // We correctly do not transform this.
1147             } 
1148         }
1149         ```
1150         
1151         Because of this flaw, I've made the optimization more conservative.
1152         We now optimistically emit code for the optimized access. However,
1153         if a for-in context is *ever* invalidated, before we pop it off
1154         the stack, we rewrite the program's optimized accesses to no longer
1155         be optimized. To do this, each context keeps track of its optimized
1156         accesses.
1157         
1158         This patch also adds a new bytecode, op_nop, which is just a no-op.
1159         It was helpful to add this because reverting get_direct_pname to get_by_val
1160         will leave us with an extra instruction word because get_direct_pname
1161         has a length of 7 where get_by_val has a length of 6. This leaves us with
1162         an extra slot that we fill with an op_nop.
1163
1164         * bytecode/BytecodeDumper.cpp:
1165         (JSC::BytecodeDumper<Block>::dumpBytecode):
1166         * bytecode/BytecodeList.json:
1167         * bytecode/BytecodeUseDef.h:
1168         (JSC::computeUsesForBytecodeOffset):
1169         (JSC::computeDefsForBytecodeOffset):
1170         * bytecompiler/BytecodeGenerator.cpp:
1171         (JSC::BytecodeGenerator::emitGetByVal):
1172         (JSC::BytecodeGenerator::popIndexedForInScope):
1173         (JSC::BytecodeGenerator::popStructureForInScope):
1174         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
1175         (JSC::StructureForInContext::pop):
1176         (JSC::IndexedForInContext::pop):
1177         * bytecompiler/BytecodeGenerator.h:
1178         (JSC::StructureForInContext::addGetInst):
1179         (JSC::IndexedForInContext::addGetInst):
1180         * dfg/DFGByteCodeParser.cpp:
1181         (JSC::DFG::ByteCodeParser::parseBlock):
1182         * dfg/DFGCapabilities.cpp:
1183         (JSC::DFG::capabilityLevel):
1184         * jit/JIT.cpp:
1185         (JSC::JIT::privateCompileMainPass):
1186         * jit/JIT.h:
1187         * jit/JITOpcodes.cpp:
1188         (JSC::JIT::emit_op_nop):
1189         * llint/LowLevelInterpreter.asm:
1190
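Added example (JavaScript, not WebKit's own code) that turns the two programs in the entry above into an observable-behaviour check of the kind one would keep as a regression test. The sample object is constructed here: its getters record which property name was actually read, so a get_direct_pname that read by enumeration index instead of by the current value of `p` would show up as the wrong name in the log, not merely as the wrong value. The helper names, the keys and the reassigned value `'c'` are this example's own choices.

```javascript
// Added example (JavaScript, not WebKit code): an observable-behaviour check
// for the for-in miscompile described above. The constructed sample object's
// getters record which property name was actually read, so a get_direct_pname
// that read by enumeration index instead of by the current value of `p` would
// show up as the wrong name in the log, not merely as the wrong value.

function makeTracedObject(keys, log) {
  const o = {};
  for (const key of keys) {
    Object.defineProperty(o, key, {
      enumerable: true,
      get() { log.push(key); return key.toUpperCase(); },
    });
  }
  return o;
}

// Straight-line body: the old analysis handled this correctly. After `p = 'c'`
// every later read in the same iteration must be of property 'c'.
function forInStraightLine(keys) {
  const log = [];
  const o = makeTracedObject(keys, log);
  for (let p in o) {
    o[p]; // eligible for get_direct_pname: p is still the enumerated name
    p = 'c';
    o[p]; // must stay a plain get_by_val: p was reassigned
  }
  return log;
}

// Nested loop: on the inner loop's back edge `p` has already been overwritten,
// so the first read in the inner body must see 'c' from the second inner
// iteration on. That read is the one the old analysis wrongly optimized.
function forInWithInnerLoop(keys, innerIterations) {
  const log = [];
  const o = makeTracedObject(keys, log);
  for (let p in o) {
    for (let i = 0; i < innerIterations; ++i) {
      o[p];
      p = 'c';
      o[p];
    }
  }
  return log;
}

// Reference log derived directly from the language semantics (no for-in
// involved), so forInWithInnerLoop can be compared against it for any key
// list and iteration count on any engine.
function expectedInnerLoopLog(keys, innerIterations) {
  const log = [];
  for (const key of keys) {
    for (let i = 0; i < innerIterations; ++i) {
      log.push(i === 0 ? key : 'c', 'c');
    }
  }
  return log;
}
```

Running both loops with a handful of key lists and iteration counts and comparing against `expectedInnerLoopLog` is enough to catch the back-edge case; a single inner iteration never exercises it, which is exactly why the original analysis looked correct on straight-line bodies.
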
1191 2017-05-25  Mark Lam  <mark.lam@apple.com>
1192
1193         ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly.
1194         https://bugs.webkit.org/show_bug.cgi?id=172548
1195         <rdar://problem/31458393>
1196
1197         Reviewed by Filip Pizlo.
1198
1199         Consider the following scenario:
1200
1201         1. An ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1 watches for
1202            structure transitions, e.g. structure S2 transitioning to structure S3.
1203            In this case, O1 would be installed in S2's watchpoint set.
1204         2. When the structure transition happens, structure S2 will fire watchpoint O1.
1205         3. O1's handler will normally re-install itself in the watchpoint set of the new
1206            "transitioned to" structure S3.
1207         4. "Installation" here requires writing into the StructureRareData SD3 of the new
1208            structure S3.  If SD3 does not exist yet, the installation process will trigger
1209            the allocation of StructureRareData SD3.
1210         5. It is possible that the Structure S1, and StructureRareData SD1 that owns the
1211            ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1 is no longer reachable
1212            by the GC, and therefore will be collected soon.
1213         6. The allocation of SD3 in (4) may trigger the sweeping of the StructureRareData
1214            SD1.  This, in turn, triggers the deletion of the
1215            ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1.
1216
1217         After O1 is deleted in (6) and SD3 is allocated in (4), execution continues in
1218         AdaptiveInferredPropertyValueWatchpointBase::fire() where O1 gets installed in
1219         structure S3's watchpoint set.  This is obviously incorrect because O1 is already
1220         deleted.  The result is that badness happens later when S3's watchpoint set fires
1221         its watchpoints and accesses the deleted O1.
1222
1223         The fix is to enhance AdaptiveInferredPropertyValueWatchpointBase::fire() to
1224         check if "this" is still valid before proceeding to re-install itself or to
1225         invoke its handleFire() method.
1226
1227         ObjectToStringAdaptiveInferredPropertyValueWatchpoint (which extends
1228         AdaptiveInferredPropertyValueWatchpointBase) will override its isValid() method,
1229         and return false if its owner StructureRareData is no longer reachable by the GC.
1230         This ensures that it won't be deleted while it's installed to any watchpoint set.
1231
1232         Additional considerations and notes:
1233         1. In the above, I talked about the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
1234            being installed in watchpoint sets.  What actually happens is that
1235            ObjectToStringAdaptiveInferredPropertyValueWatchpoint has 2 members
1236            (m_structureWatchpoint and m_propertyWatchpoint) which may be installed in
1237            watchpoint sets.  The ObjectToStringAdaptiveInferredPropertyValueWatchpoint is
1238            not itself a Watchpoint object.
1239
1240            But for brevity, in the above, I refer to the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
1241            instead of its Watchpoint members.  The description of the issue is still
1242            accurate given that the Watchpoint members are embedded in the
1243            enclosing ObjectToStringAdaptiveInferredPropertyValueWatchpoint object, and
1244            hence, they share the same life-cycle.
1245
1246         2. The top of AdaptiveInferredPropertyValueWatchpointBase::fire() removes its
1247            m_structureWatchpoint and m_propertyWatchpoint if they have been added to any
1248            watchpoint sets.  This is safe to do even if the owner StructureRareData is no
1249            longer reachable by the GC.
1250
1251            This is because the only way we can get to AdaptiveInferredPropertyValueWatchpointBase::fire()
1252            is if its Watchpoint members are still installed in some watchpoint set that
1253            fired.  This means that the AdaptiveInferredPropertyValueWatchpointBase
1254            instance has not been deleted yet, because its destructor will automatically
1255            remove the Watchpoint members from any watchpoint sets.
1256
1257         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
1258         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
1259         (JSC::AdaptiveInferredPropertyValueWatchpointBase::isValid):
1260         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
1261         * heap/FreeList.cpp:
1262         (JSC::FreeList::contains):
1263         * heap/FreeList.h:
1264         * heap/HeapCell.h:
1265         * heap/HeapCellInlines.h:
1266         (JSC::HeapCell::isLive):
1267         * heap/MarkedAllocator.h:
1268         (JSC::MarkedAllocator::isFreeListedCell):
1269         * heap/MarkedBlock.h:
1270         * heap/MarkedBlockInlines.h:
1271         (JSC::MarkedBlock::Handle::isFreeListedCell):
1272         * runtime/StructureRareData.cpp:
1273         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid):
1274
1275 2017-05-23  Saam Barati  <sbarati@apple.com>
1276
1277         We should not mmap zero bytes for a memory in Wasm
1278         https://bugs.webkit.org/show_bug.cgi?id=172528
1279         <rdar://problem/32257076>
1280
1281         Reviewed by Mark Lam.
1282
1283         This patch fixes a bug where we would call into mmap with zero bytes
1284         when creating a slow WasmMemory with zero initial page size. This fix
1285         is simple: if we don't have any initial bytes, we just call the constructor
1286         in WasmMemory that's meant to handle this case.
1287
1288         * wasm/WasmMemory.cpp:
1289         (JSC::Wasm::Memory::create):
1290
1291 2017-05-23  Brian Burg  <bburg@apple.com>
1292
1293         REGRESSION(r217051): Automation sessions fail to complete bootstrap
1294         https://bugs.webkit.org/show_bug.cgi?id=172513
1295         <rdar://problem/32338354>
1296
1297         Reviewed by Joseph Pecoraro.
1298
1299         The changes to be more strict about typechecking messages were too strict.
1300
1301         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1302         (Inspector::RemoteInspector::receivedSetupMessage):
1303         WIRAutomatically is an optional key in the setup message. In the relay, this key gets copied
1304         into an NSDictionary as NSNull if the key isn't present in a forwarded command.
1305         We need to revert NSNull values to nil, since it's valid to call [nil boolValue] but not
1306         [[NSNull null] boolValue]. We also need to allow for nil in the typecheck for this key.
1307
1308 2017-05-23  Myles C. Maxfield  <mmaxfield@apple.com>
1309
1310         Remove dead ENABLE(FONT_LOAD_EVENTS) code
1311         https://bugs.webkit.org/show_bug.cgi?id=172517
1312
1313         Rubber-stamped by Simon Fraser.
1314
1315         * Configurations/FeatureDefines.xcconfig:
1316
1317 2017-05-23  Saam Barati  <sbarati@apple.com>
1318
1319         CFGSimplificationPhase should not merge a block with itself
1320         https://bugs.webkit.org/show_bug.cgi?id=172508
1321         <rdar://problem/28424006>
1322
1323         Reviewed by Keith Miller.
1324
1325         CFGSimplificationPhase can run into or create IR that ends up with a
1326         block that has a Jump to itself, and no other predecessors. It should
1327         gracefully handle such IR. Before this patch, it would not. The only criterion
1328         for merging 'block' with 'targetBlock' used to be that 'targetBlock.predecessors.size() == 1'.
1329         The code is written in such a way that if we merge a block with itself, we
1330         will infinite loop until we run out of memory.
1331         
1332         Merging a block with itself does not make sense for a few reasons. First,
1333         we're joining the contents of two blocks. What is the definition of joining
1334         a block with itself? I suppose we could simply unroll this self loop
1335         one level, but that would not be wise because this self loop is by definition
1336         unreachable unless it's the root block in the graph (which I think is
1337         invalid IR since we'd never generate bytecode that would do this).
1338         
1339         This patch employs an easy fix: we can't merge a block with itself.
1340
1341         * dfg/DFGCFGSimplificationPhase.cpp:
1342         (JSC::DFG::CFGSimplificationPhase::canMergeBlocks):
1343         (JSC::DFG::CFGSimplificationPhase::run):
1344         (JSC::DFG::CFGSimplificationPhase::convertToJump):
1345         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1346
1347 2017-05-22  Brian Burg  <bburg@apple.com>
1348
1349         Web Inspector: webkit reload policy should match default behavior
1350         https://bugs.webkit.org/show_bug.cgi?id=171385
1351         <rdar://problem/31871515>
1352
1353         Reviewed by Joseph Pecoraro.
1354
1355         Add a new option to Page.reload that allows the test harness
1356         to reload its test page using the old reload behavior.
1357
1358         The new behavior of revalidating expired cached subresources only
1359         is the current default, since only the test harness needs the old behavior.
1360
1361         * inspector/protocol/Page.json:
1362
1363 2017-05-22  Keith Miller  <keith_miller@apple.com>
1364
1365         [Cocoa] An exported Objective C class’s prototype and constructor don't persist across JSContext deallocation
1366         https://bugs.webkit.org/show_bug.cgi?id=167708
1367
1368         Reviewed by Geoffrey Garen.
1369
1370         This patch moves the Objective C wrapper map to the global object. In order to make this work the JSWrapperMap
1371         class no longer holds a reference to the JSContext. Instead, the context must be provided when getting a wrapper.
1372
1373         Also, this patch fixes a "bug" where we would observe changes to the Object property on the global object when
1374         creating a wrapper for NSObject.
1375
1376         * API/APICast.h:
1377         (toJSGlobalObject):
1378         * API/JSContext.mm:
1379         (-[JSContext ensureWrapperMap]):
1380         (-[JSContext initWithVirtualMachine:]):
1381         (-[JSContext dealloc]):
1382         (-[JSContext wrapperMap]):
1383         (-[JSContext initWithGlobalContextRef:]):
1384         (-[JSContext wrapperForObjCObject:]):
1385         (-[JSContext wrapperForJSObject:]):
1386         * API/JSWrapperMap.h:
1387         * API/JSWrapperMap.mm:
1388         (-[JSObjCClassInfo initForClass:]):
1389         (-[JSObjCClassInfo allocateConstructorAndPrototypeInContext:]):
1390         (-[JSObjCClassInfo wrapperForObject:inContext:]):
1391         (-[JSObjCClassInfo constructorInContext:]):
1392         (-[JSObjCClassInfo prototypeInContext:]):
1393         (-[JSWrapperMap initWithGlobalContextRef:]):
1394         (-[JSWrapperMap classInfoForClass:]):
1395         (-[JSWrapperMap jsWrapperForObject:inContext:]):
1396         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
1397         (-[JSObjCClassInfo initWithContext:forClass:]): Deleted.
1398         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Deleted.
1399         (-[JSObjCClassInfo wrapperForObject:]): Deleted.
1400         (-[JSObjCClassInfo constructor]): Deleted.
1401         (-[JSObjCClassInfo prototype]): Deleted.
1402         (-[JSWrapperMap initWithContext:]): Deleted.
1403         (-[JSWrapperMap jsWrapperForObject:]): Deleted.
1404         (-[JSWrapperMap objcWrapperForJSValueRef:]): Deleted.
1405         * API/tests/JSExportTests.mm:
1406         (wrapperLifetimeIsTiedToGlobalObject):
1407         (runJSExportTests):
1408         * API/tests/testapi.mm:
1409         * runtime/JSGlobalObject.h:
1410         (JSC::JSGlobalObject::wrapperMap):
1411         (JSC::JSGlobalObject::setWrapperMap):
1412
1413 2017-05-22  Filip Pizlo  <fpizlo@apple.com>
1414
1415         FTL stack overflow handling should not assume that B3 never selects callee-saves in the prologue
1416         https://bugs.webkit.org/show_bug.cgi?id=172455
1417
1418         Reviewed by Mark Lam.
1419         
1420         The FTL needs to run B3's callee-save register restoration before it runs the exception
1421         handler's callee-save register restoration.  This exposes B3's callee-save register
1422         algorithm in AssemblyHelpers so that the FTL can call it.
1423
1424         * b3/air/AirGenerate.cpp:
1425         (JSC::B3::Air::generate):
1426         * ftl/FTLLowerDFGToB3.cpp:
1427         (JSC::FTL::DFG::LowerDFGToB3::lower): Fix the bug.
1428         * heap/Subspace.cpp: Added some debugging support.
1429         (JSC::Subspace::allocate):
1430         (JSC::Subspace::tryAllocate):
1431         (JSC::Subspace::didAllocate):
1432         * heap/Subspace.h:
1433         * jit/AssemblyHelpers.h:
1434         (JSC::AssemblyHelpers::addressFor):
1435         (JSC::AssemblyHelpers::emitSave):
1436         (JSC::AssemblyHelpers::emitRestore):
1437
1438 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1439
1440         [FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage
1441         https://bugs.webkit.org/show_bug.cgi?id=172216
1442
1443         Reviewed by Saam Barati.
1444
1445         This patch adds GetByVal support for ArrayStorage and SlowPutArrayStorage.
1446         To lower CheckInBounds in FTL, we add a new GetVectorLength op. It only accepts
1447         ArrayStorage and SlowPutArrayStorage, and produces the vector length.
1448         CheckInBounds uses this vector length to perform bound checking for ArrayStorage
1449         and SlowPutArrayStorage.
1450
1451         * dfg/DFGAbstractInterpreterInlines.h:
1452         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1453         * dfg/DFGArrayMode.cpp:
1454         (JSC::DFG::permitsBoundsCheckLowering):
1455         * dfg/DFGClobberize.h:
1456         (JSC::DFG::clobberize):
1457         * dfg/DFGDoesGC.cpp:
1458         (JSC::DFG::doesGC):
1459         * dfg/DFGFixupPhase.cpp:
1460         (JSC::DFG::FixupPhase::fixupNode):
1461         * dfg/DFGHeapLocation.cpp:
1462         (WTF::printInternal):
1463         * dfg/DFGHeapLocation.h:
1464         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1465         * dfg/DFGNode.h:
1466         (JSC::DFG::Node::hasArrayMode):
1467         * dfg/DFGNodeType.h:
1468         * dfg/DFGPredictionPropagationPhase.cpp:
1469         * dfg/DFGSSALoweringPhase.cpp:
1470         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1471         * dfg/DFGSafeToExecute.h:
1472         (JSC::DFG::safeToExecute):
1473         * dfg/DFGSpeculativeJIT32_64.cpp:
1474         (JSC::DFG::SpeculativeJIT::compile):
1475         * dfg/DFGSpeculativeJIT64.cpp:
1476         (JSC::DFG::SpeculativeJIT::compile):
1477         * ftl/FTLAbstractHeapRepository.h:
1478         (JSC::FTL::AbstractHeapRepository::forIndexingType):
1479         (JSC::FTL::AbstractHeapRepository::forArrayType):
1480         * ftl/FTLCapabilities.cpp:
1481         (JSC::FTL::canCompile):
1482         * ftl/FTLLowerDFGToB3.cpp:
1483         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1484         (JSC::FTL::DFG::LowerDFGToB3::compileGetVectorLength):
1485         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1486         * jit/JITPropertyAccess.cpp:
1487         (JSC::JIT::emitArrayStoragePutByVal):
1488         * jit/JITPropertyAccess32_64.cpp:
1489         (JSC::JIT::emitArrayStorageLoad):
1490         (JSC::JIT::emitArrayStoragePutByVal):
1491
1492 2017-05-21  Saam Barati  <sbarati@apple.com>
1493
1494         We incorrectly throw a syntax error when declaring a top level for-loop iteration variable the same as a parameter
1495         https://bugs.webkit.org/show_bug.cgi?id=171041
1496         <rdar://problem/32082516>
1497
1498         Reviewed by Yusuke Suzuki.
1499
1500         We were treating a for-loop variable declaration potentially as a top
1501         level statement, e.g., in a program like this:
1502         ```
1503         function foo() {
1504             for (let variable of expr) { }
1505         }
1506         ```
1507         But we should not be. This had the consequence of making this type of program
1508         throw a syntax error:
1509         ```
1510         function foo(arg) {
1511             for (let arg of expr) { }
1512         }
1513         ```
1514         even though it should not. The fix is simple: we just need to increment the
1515         statement depth before parsing anything inside the for loop.
1516
1517         * parser/Parser.cpp:
1518         (JSC::Parser<LexerType>::parseForStatement):
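
        Added example, not part of the WebKit change above: a Node-style check of the scoping rule the fix
        restores. `new Function` is used only to parse a body with a given parameter name; `expr` and `obj`
        are constructed free identifiers that are never evaluated.

```javascript
// Added example (not WebKit code): how a JS engine treats a `let` declaration
// that reuses a parameter name, depending on whether it sits at the top level
// of the function body or in the head of a for loop.

// Returns true if `body` parses as the body of a function with one parameter
// named `param`, false if the parser rejects it with a SyntaxError.
// new Function only parses here; the body is never executed.
function parsesAsFunctionBody(param, body) {
  try {
    new Function(param, body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The for-of iteration variable lives in the loop's own scope, so declaring
// `arg` there does not conflict with the parameter `arg`. This is the program
// from the bug report, which the parser wrongly rejected. `expr` is a
// constructed free identifier that is only parsed, never evaluated.
function forOfVariableMayShadowParameter() {
  return parsesAsFunctionBody("arg", "for (let arg of expr) { }");
}

// A lexical declaration at the top level of the function body does conflict
// with a parameter of the same name. That is the case where a SyntaxError is
// correct, and what the buggy parser was treating the loop head as.
function topLevelLetConflictsWithParameter() {
  return !parsesAsFunctionBody("arg", "let arg;");
}

// The same scoping rule applies to the classic for statement and to for-in.
function forVariantsMayShadowParameter() {
  return parsesAsFunctionBody("arg", "for (let arg = 0; arg < 1; arg++) { }")
      && parsesAsFunctionBody("arg", "for (let arg in obj) { }");
}

// Run-time view of the same rule: the loop variable shadows the parameter
// only inside the loop body, and the parameter is visible again afterwards.
function shadowingIsScopedToLoop(arg) {
  const seen = [];
  for (let arg of [1, 2]) seen.push(arg);
  seen.push(arg);
  return seen; // [1, 2, <the original arg>]
}
```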
1519
1520 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1521
1522         [JSC] Make get_by_val & string "499" to number 499
1523         https://bugs.webkit.org/show_bug.cgi?id=172225
1524
1525         Reviewed by Saam Barati.
1526
1527         A property subscript will be converted by ToString. So JS code is not aware of
1528         the original type of the subscript value. But our get_by_val can leverage
1529         information if the given subscript is a number. Thus, passing a number instead of a
1530         string can improve the performance of get_by_val in all the tiers.
1531
1532         In this patch, we add BytecodeGenerator::emitNodeForProperty. It attempts to
1533         convert the given value to an Int32 index constant if the given value is a string
1534         that can be converted to Int32.
1535
1536         This patch improves SixSpeed map-string.es5 by 9.8x. This accessing form can
1537         appear in some code like accessing the result of JSON.
1538
1539             map-string.es5     1640.6738+-110.9182   ^    167.4121+-23.8328       ^ definitely 9.8002x faster
1540
1541         * bytecompiler/BytecodeGenerator.h:
1542         (JSC::BytecodeGenerator::emitNodeForProperty):
1543         (JSC::BytecodeGenerator::emitNodeForLeftHandSideForProperty):
1544         * bytecompiler/NodesCodegen.cpp:
1545         (JSC::TaggedTemplateNode::emitBytecode):
1546         (JSC::BracketAccessorNode::emitBytecode):
1547         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
1548         (JSC::FunctionCallBracketNode::emitBytecode):
1549         (JSC::PostfixNode::emitBracket):
1550         (JSC::PrefixNode::emitBracket):
1551         (JSC::AssignBracketNode::emitBytecode):
1552         (JSC::ReadModifyBracketNode::emitBytecode):
1553         (JSC::ForInNode::emitLoopHeader):
1554         (JSC::ForOfNode::emitBytecode):
1555         (JSC::ObjectPatternNode::bindValue):
1556         (JSC::AssignmentElementNode::bindValue):
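
        Added example, not part of the WebKit change above: which string subscripts can be rewritten as
        integer subscripts without changing the property that is accessed. int32IndexFromString is an
        assumed approximation of the check such a rewrite needs, not JSC's emitNodeForProperty; INT32_MAX
        and the sample keys are constructed.

```javascript
// Added example (not WebKit code): a string subscript may only be replaced by
// an integer subscript when the string is exactly what ToString would produce
// for that integer; otherwise the two name different properties.

const INT32_MAX = 2147483647; // constructed constant for this example

// Returns the Int32 value when `s` is the canonical decimal spelling of a
// non-negative Int32 (no sign, no leading zeros, no whitespace, no fraction),
// else null. Assumed approximation of the rewrite condition, not JSC's code.
function int32IndexFromString(s) {
  if (typeof s !== "string" || !/^(0|[1-9][0-9]*)$/.test(s)) return null;
  const n = Number(s);
  if (n > INT32_MAX) return null; // would not fit an Int32 index constant
  return n;
}

// Property keys are strings, so obj[n] and obj[ToString(n)] name the same
// property. The rewrite is transparent exactly when `s` round-trips.
function rewriteIsTransparent(s) {
  const n = int32IndexFromString(s);
  if (n === null) return false;
  const obj = {};
  obj[s] = "via string";
  return obj[n] === "via string" && String(n) === s;
}

// Non-canonical spellings are distinct keys from the number, which is why a
// plain Number(s) conversion would be wrong for them.
function nonCanonicalKeysAreDistinct() {
  const obj = {};
  obj[499] = "number";          // stored under the key "499"
  obj["0499"] = "padded";       // a different key
  obj["499.0"] = "decimal";     // a different key
  obj[" 499"] = "spaced";       // a different key
  return obj["499"] === "number" && Object.keys(obj).length === 4;
}
```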
1557
1558 2017-05-21  Saam Barati  <sbarati@apple.com>
1559
1560         We overwrite the callee save space on the stack when throwing stack overflow from wasm
1561         https://bugs.webkit.org/show_bug.cgi?id=172316
1562
1563         Reviewed by Mark Lam.
1564
1565         When throwing a stack overflow exception, the overflow
1566         thunk would do the following:
1567           move fp, sp
1568           populate argument registers
1569           call C code
1570         
1571         However, the C function is allowed to clobber our spilled
1572         callee saves that live below fp. The reason I did this move is that
1573         when we jump to this code, we've proven that sp is out of bounds on
1574         the stack. So we're not allowed to just use its value or keep growing
1575         the stack from that point. However, this patch revises this approach
1576         to be the same in spirit, but actually correct. We conservatively assume
1577         the B3 function we're coming from could have saved all callee saves.
1578         So we emit code like this now:
1579           add -maxNumCalleeSaveSpace, fp, sp
1580           populate argument registers
1581           call C code
1582         
1583         This ensures our callee saves will not be overwritten. Note
1584         that fp is still in a valid stack range here, since the thing
1585         calling the wasm code did a stack check. Also note that maxNumCalleeSaveSpace
1586         is less than our redzone size, so it's safe to decrement sp by
1587         this amount.
1588         
1589         The previously added wasm stack overflow test is an instant crash
1590         without this change on arm64. It also appears that this test crashed
1591         on some other x86 devices.
1592
1593         * wasm/WasmThunks.cpp:
1594         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1595
1596 2017-05-20  Chris Dumez  <cdumez@apple.com>
1597
1598         Drop [NoInterfaceObject] from RTCDTMFSender and RTCStatsReport
1599         https://bugs.webkit.org/show_bug.cgi?id=172418
1600
1601         Reviewed by Youenn Fablet.
1602
1603         Add CommonIdentifiers that are now needed.
1604
1605         * runtime/CommonIdentifiers.h:
1606
1607 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1608
1609         Unreviewed, add scope.release() to propertyIsEnumerable functions.
1610         https://bugs.webkit.org/show_bug.cgi?id=172411
1611
1612         * runtime/JSGlobalObjectFunctions.cpp:
1613         (JSC::globalFuncPropertyIsEnumerable):
1614         * runtime/ObjectPrototype.cpp:
1615         (JSC::objectProtoFuncPropertyIsEnumerable):
1616
1617 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1618
1619         [JSC] Drop MapBase
1620         https://bugs.webkit.org/show_bug.cgi?id=172417
1621
1622         Reviewed by Sam Weinig.
1623
1624         MapBase is a purely additional indirection. JSMap and JSSet can directly inherit HashMapImpl.
1625         Thus MapBase is unnecessary. This patch drops it.
1626         It is good because we can eliminate one indirection when accessing the map implementation.
1627         Moreover, we can drop one unnecessary allocation per Map and Set.
1628
1629         * CMakeLists.txt:
1630         * JavaScriptCore.xcodeproj/project.pbxproj:
1631         * dfg/DFGSpeculativeJIT64.cpp:
1632         (JSC::DFG::SpeculativeJIT::compile):
1633         * ftl/FTLAbstractHeapRepository.h:
1634         * ftl/FTLLowerDFGToB3.cpp:
1635         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1636         * runtime/HashMapImpl.cpp:
1637         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
1638         (JSC::getHashMapImplKeyClassInfo): Deleted.
1639         (JSC::getHashMapImplKeyValueClassInfo): Deleted.
1640         * runtime/HashMapImpl.h:
1641         (JSC::HashMapImpl::finishCreation):
1642         (JSC::HashMapImpl::get):
1643         (JSC::HashMapImpl::info): Deleted.
1644         (JSC::HashMapImpl::createStructure): Deleted.
1645         (JSC::HashMapImpl::create): Deleted.
1646         * runtime/JSMap.h:
1647         (JSC::JSMap::set):
1648         (JSC::JSMap::get): Deleted.
1649         * runtime/JSMapIterator.cpp:
1650         (JSC::JSMapIterator::finishCreation):
1651         * runtime/JSSet.h:
1652         (JSC::JSSet::add): Deleted.
1653         * runtime/JSSetIterator.cpp:
1654         (JSC::JSSetIterator::finishCreation):
1655         * runtime/MapBase.cpp: Removed.
1656         * runtime/MapBase.h: Removed.
1657         * runtime/MapPrototype.cpp:
1658         (JSC::mapProtoFuncSize):
1659         * runtime/SetConstructor.cpp:
1660         (JSC::constructSet):
1661         * runtime/SetPrototype.cpp:
1662         (JSC::setProtoFuncSize):
1663         * runtime/VM.cpp:
1664         (JSC::VM::VM):
1665
1666 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1667
1668         [JSC] Speedup Object.assign for slow case by using propertyIsEnumerable
1669         https://bugs.webkit.org/show_bug.cgi?id=172411
1670
1671         Reviewed by Sam Weinig.
1672
1673         We use @Reflect.@getOwnPropertyDescriptor() to check
1674
1675         1. the descriptor exists,
1676         2. and the descriptor.enumerable is true
1677
1678         But Object::propertyIsEnumerable does exactly the same thing without
1679         allocating a new object for property descriptor.
1680
1681         In this patch, we add a new private function @propertyIsEnumerable, and
1682         use it in Object.assign implementation. It does not allocate unnecessary
1683         objects. It is good for GC-pressure and performance.
1684
1685         This patch improves SixSpeed object-assign.es6 by 1.7x. While this patch
1686         does not introduce a fast path for objects that do not have accessors,
1687         and it could speed up things further, this patch can speed up the common
1688         slow path cases that are the current implementation of Object.assign.
1689
1690             object-assign.es6     1103.2487+-21.5602    ^    621.8478+-34.9875       ^ definitely 1.7741x faster
1691
1692         * builtins/BuiltinNames.h:
1693         * builtins/ObjectConstructor.js:
1694         (globalPrivate.enumerableOwnProperties):
1695         (assign):
1696         * runtime/JSGlobalObject.cpp:
1697         (JSC::JSGlobalObject::init):
1698         * runtime/JSGlobalObjectFunctions.cpp:
1699         (JSC::globalFuncPropertyIsEnumerable):
1700         * runtime/JSGlobalObjectFunctions.h:
1701
1702 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1703
1704         [JSC] Enable testapi on Mac CMake build
1705         https://bugs.webkit.org/show_bug.cgi?id=172354
1706
1707         Reviewed by Alex Christensen.
1708
1709         This patch makes testapi buildable and runnable for Mac CMake port.
1710
1711         * API/tests/DateTests.mm:
1712         (+[DateTests JSDateToNSDateTest]):
1713         (+[DateTests roundTripThroughJSDateTest]):
1714         This test only works with the en_US locale.
1715
1716         * shell/CMakeLists.txt:
1717         * shell/PlatformMac.cmake:
1718         Some of the tests rely on ARC. We enable ARC for those files.
1719
1720         * shell/PlatformWin.cmake:
1721         Clean up.
1722
1723 2017-05-19  Mark Lam  <mark.lam@apple.com>
1724
1725         [Re-landing] DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
1726         https://bugs.webkit.org/show_bug.cgi?id=172383
1727         <rdar://problem/31418651>
1728
1729         Reviewed by Filip Pizlo.
1730
1731         pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
1732         available as a scratch register.  This assumption is wrong if this canTrample
1733         register is used for a silentFill() after an operation that returns a result in
1734         regT0 or regT1.
1735
1736         Turns out the only reason we need the canTrample register is for
1737         SetDoubleConstant.  We can remove the need for this canTrample register by
1738         introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
1739         job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
1740         ARM64.  In so doing, we can simplify the silentFill() code and eliminate the bug.
1741
1742         Update for re-landing: Changed ARM64 to use scratchRegister() as well.
1743         scratchRegister() is the proper way to get the underlying dataMemoryTempRegister()
1744         as a scratch register.
1745
1746         * assembler/MacroAssembler.h:
1747         (JSC::MacroAssembler::moveDouble):
1748         * dfg/DFGArrayifySlowPathGenerator.h:
1749         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1750         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
1751         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1752         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1753         * dfg/DFGSlowPathGenerator.h:
1754         (JSC::DFG::CallSlowPathGenerator::tearDown):
1755         * dfg/DFGSpeculativeJIT.cpp:
1756         (JSC::DFG::SpeculativeJIT::silentFill):
1757         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
1758         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1759         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1760         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
1761         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
1762         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1763         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1764         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1765         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1766         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1767         * dfg/DFGSpeculativeJIT.h:
1768         (JSC::DFG::SpeculativeJIT::silentFill):
1769         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
1770         (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
1771         (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
1772         * dfg/DFGSpeculativeJIT32_64.cpp:
1773         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1774         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1775         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1776         (JSC::DFG::SpeculativeJIT::emitCall):
1777         (JSC::DFG::SpeculativeJIT::compile):
1778         * dfg/DFGSpeculativeJIT64.cpp:
1779         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1780         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1781         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1782         (JSC::DFG::SpeculativeJIT::emitCall):
1783         (JSC::DFG::SpeculativeJIT::compile):
1784         (JSC::DFG::SpeculativeJIT::convertAnyInt):
1785
1786 2017-05-19  Ryan Haddad  <ryanhaddad@apple.com>
1787
1788         Unreviewed, rolling out r217156.
1789
1790         This change broke the iOS build.
1791
1792         Reverted changeset:
1793
1794         "DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring
1795         result registers."
1796         https://bugs.webkit.org/show_bug.cgi?id=172383
1797         http://trac.webkit.org/changeset/217156
1798
1799 2017-05-19  Mark Lam  <mark.lam@apple.com>
1800
1801         Add missing exception check.
1802         https://bugs.webkit.org/show_bug.cgi?id=172346
1803         <rdar://problem/32289640>
1804
1805         Reviewed by Geoffrey Garen.
1806
1807         * runtime/JSObject.cpp:
1808         (JSC::JSObject::hasInstance):
1809
1810 2017-05-19  Mark Lam  <mark.lam@apple.com>
1811
1812         DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
1813         https://bugs.webkit.org/show_bug.cgi?id=172383
1814         <rdar://problem/31418651>
1815
1816         Reviewed by Filip Pizlo.
1817
1818         pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
1819         available as a scratch register.  This assumption is wrong if this canTrample
1820         register is used for a silentFill() after an operation that returns a result in
1821         regT0 or regT1.
1822
1823         Turns out the only reason we need the canTrample register is for
1824         SetDoubleConstant.  We can remove the need for this canTrample register by
1825         introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
1826         job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
1827         ARM64.  In so doing, we can simplify the silentFill() code and eliminate the bug.
1828
1829         * assembler/MacroAssembler.h:
1830         (JSC::MacroAssembler::moveDouble):
1831         * dfg/DFGArrayifySlowPathGenerator.h:
1832         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1833         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
1834         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1835         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1836         * dfg/DFGSlowPathGenerator.h:
1837         (JSC::DFG::CallSlowPathGenerator::tearDown):
1838         * dfg/DFGSpeculativeJIT.cpp:
1839         (JSC::DFG::SpeculativeJIT::silentFill):
1840         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
1841         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1842         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1843         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
1844         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
1845         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1846         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1847         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1848         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1849         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1850         * dfg/DFGSpeculativeJIT.h:
1851         (JSC::DFG::SpeculativeJIT::silentFill):
1852         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
1853         (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
1854         (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
1855         * dfg/DFGSpeculativeJIT32_64.cpp:
1856         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1857         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1858         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1859         (JSC::DFG::SpeculativeJIT::emitCall):
1860         (JSC::DFG::SpeculativeJIT::compile):
1861         * dfg/DFGSpeculativeJIT64.cpp:
1862         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1863         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1864         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1865         (JSC::DFG::SpeculativeJIT::emitCall):
1866         (JSC::DFG::SpeculativeJIT::compile):
1867         (JSC::DFG::SpeculativeJIT::convertAnyInt):
1868
1869 2017-05-19  Filip Pizlo  <fpizlo@apple.com>
1870
1871         Deduplicate some code in arrayProtoPrivateFuncConcatMemcpy
1872         https://bugs.webkit.org/show_bug.cgi?id=172382
1873
1874         Reviewed by Saam Barati.
1875         
1876         This is just a small clean-up - my last patch here created some unnecessary code duplication.
1877
1878         * runtime/ArrayPrototype.cpp:
1879         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1880
1881 2017-05-19  Filip Pizlo  <fpizlo@apple.com>
1882
1883         arrayProtoPrivateFuncConcatMemcpy needs to be down with firstArray being undecided
1884         https://bugs.webkit.org/show_bug.cgi?id=172369
1885
1886         Reviewed by Mark Lam.
1887
1888         * heap/Subspace.cpp: Reshaped the code a bit to aid debugging.
1889         (JSC::Subspace::allocate):
1890         (JSC::Subspace::tryAllocate):
1891         * runtime/ArrayPrototype.cpp:
1892         (JSC::arrayProtoPrivateFuncConcatMemcpy): Fix the bug!
1893         * runtime/ObjectInitializationScope.cpp: Provide even better feedback.
1894         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
1895
1896 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
1897
1898         B3::Value::effects() says that having a fence range implies the fence bit, but on x86_64 we lower loadAcq/storeRel to load/store so the store-before-load fence bit orderings won't be honored
1899         https://bugs.webkit.org/show_bug.cgi?id=172306
1900
1901         Reviewed by Michael Saboff.
1902         
1903         This changes B3 to emit xchg and its variants for fenced stores on x86. This ensures that
1904         fenced stores cannot be reordered around other fenced instructions. Previously, B3 emitted
1905         normal store instructions for fenced stores. That's wrong because then you get reorderings
1906         that are possible in TSO but impossible in SC. Fenced instructions are supposed to be SC
1907         with respect to each other.
1908         
1909         This is imprecise. If you really just wanted a store-release, then every X86 store does this.
1910         But, in B3, fenced stores are ARM-style store-release, meaning that they are fenced with
1911         respect to all other fences. If we ever did want to say that something is a store release in
1912         the traditional sense, then we'd want MemoryValue to have a fence flag. Then, having a fence
1913         range without the fence flag would mean the traditional store-release, which lowers to a
1914         normal store on x86. But to my knowledge, that traditional store-release is only useful for
1915         unlocking spinlocks. We don't use spinlocks in JSC. Adaptive locks require CAS for unlock,
1916         and B3 CAS is plenty fast. I think it's OK to have this small imprecision of giving clients
1917         an ARM-style store-release on x86 using xchg.
1918         
1919         The implication of this change is that the FTL no longer violates the SAB memory model.
1920
1921         * assembler/MacroAssemblerX86Common.h:
1922         (JSC::MacroAssemblerX86Common::xchg8):
1923         (JSC::MacroAssemblerX86Common::xchg16):
1924         (JSC::MacroAssemblerX86Common::xchg32):
1925         (JSC::MacroAssemblerX86Common::loadAcq8): Deleted.
1926         (JSC::MacroAssemblerX86Common::loadAcq8SignedExtendTo32): Deleted.
1927         (JSC::MacroAssemblerX86Common::loadAcq16): Deleted.
1928         (JSC::MacroAssemblerX86Common::loadAcq16SignedExtendTo32): Deleted.
1929         (JSC::MacroAssemblerX86Common::loadAcq32): Deleted.
1930         (JSC::MacroAssemblerX86Common::storeRel8): Deleted.
1931         (JSC::MacroAssemblerX86Common::storeRel16): Deleted.
1932         (JSC::MacroAssemblerX86Common::storeRel32): Deleted.
1933         * assembler/MacroAssemblerX86_64.h:
1934         (JSC::MacroAssemblerX86_64::xchg64):
1935         (JSC::MacroAssemblerX86_64::loadAcq64): Deleted.
1936         (JSC::MacroAssemblerX86_64::storeRel64): Deleted.
1937         * b3/B3LowerToAir.cpp:
1938         (JSC::B3::Air::LowerToAir::ArgPromise::inst):
1939         (JSC::B3::Air::LowerToAir::trappingInst):
1940         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
1941         (JSC::B3::Air::LowerToAir::createStore):
1942         (JSC::B3::Air::LowerToAir::storeOpcode):
1943         (JSC::B3::Air::LowerToAir::appendStore):
1944         (JSC::B3::Air::LowerToAir::append):
1945         (JSC::B3::Air::LowerToAir::appendTrapping):
1946         (JSC::B3::Air::LowerToAir::fillStackmap):
1947         (JSC::B3::Air::LowerToAir::lower):
1948         * b3/air/AirKind.cpp:
1949         (JSC::B3::Air::Kind::dump):
1950         * b3/air/AirKind.h:
1951         (JSC::B3::Air::Kind::Kind):
1952         (JSC::B3::Air::Kind::operator==):
1953         (JSC::B3::Air::Kind::hash):
1954         * b3/air/AirLowerAfterRegAlloc.cpp:
1955         (JSC::B3::Air::lowerAfterRegAlloc):
1956         * b3/air/AirLowerMacros.cpp:
1957         (JSC::B3::Air::lowerMacros):
1958         * b3/air/AirOpcode.opcodes:
1959         * b3/air/AirValidate.cpp:
1960         * b3/air/opcode_generator.rb:
1961         * b3/testb3.cpp:
1962         (JSC::B3::correctSqrt):
1963         (JSC::B3::testSqrtArg):
1964         (JSC::B3::testSqrtImm):
1965         (JSC::B3::testSqrtMem):
1966         (JSC::B3::testSqrtArgWithUselessDoubleConversion):
1967         (JSC::B3::testSqrtArgWithEffectfulDoubleConversion):
1968         (JSC::B3::testStoreRelAddLoadAcq32):
1969         (JSC::B3::testTrappingLoad):
1970         (JSC::B3::testTrappingStore):
1971         (JSC::B3::testTrappingLoadAddStore):
1972         (JSC::B3::testTrappingLoadDCE):
1973
1974 2017-05-19  Don Olmstead  <don.olmstead@am.sony.com>
1975
1976         [JSC] Remove PLATFORM(WIN) references
1977         https://bugs.webkit.org/show_bug.cgi?id=172294
1978
1979         Reviewed by Yusuke Suzuki.
1980
1981         * heap/MachineStackMarker.cpp:
1982         (JSC::MachineThreads::removeThread):
1983         * llint/LLIntOfflineAsmConfig.h:
1984         * runtime/ConfigFile.h:
1985         * runtime/VM.cpp:
1986         (JSC::VM::updateStackLimits):
1987
1988 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1989
1990         [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
1991         https://bugs.webkit.org/show_bug.cgi?id=172098
1992
1993         Reviewed by Saam Barati.
1994
1995         In this patch, we generalize CheckDOM to CheckSubClass.
1996         It can accept any ClassInfo and perform ClassInfo check
1997         in DFG / FTL. Now, we add a new function pointer to ClassInfo,
1998         checkSubClassPatchpoint. It can create DOMJIT patchpoint
1999         for that ClassInfo. It is natural that ClassInfo holds the
2000         way to emit DOMJIT::Patchpoint to perform CheckSubClass
2001         rather than having it in each DOMJIT getter / function
2002         signature annotation.
2003
2004         One problem is that it enlarges the size of ClassInfo.
2005         But this is the best place to put this function pointer.
2006         By doing so, we can add a patchpoint for CheckSubClass
2007         in a non-intrusive manner: WebCore can inject patchpoints
2008         without interacting with JSC.
2009
2010         We still have a way to reduce the size of ClassInfo if
2011         we move ArrayBuffer related methods out to the other places.
2012
2013         This patch touches many files because we add a new function
2014         pointer to ClassInfo. But they are basically mechanical changes.
2015
2016         * API/JSAPIWrapperObject.mm:
2017         * API/JSCallbackConstructor.cpp:
2018         * API/JSCallbackFunction.cpp:
2019         * API/JSCallbackObject.cpp:
2020         * API/ObjCCallbackFunction.mm:
2021         * CMakeLists.txt:
2022         * JavaScriptCore.xcodeproj/project.pbxproj:
2023         * bytecode/CodeBlock.cpp:
2024         * bytecode/DOMJITAccessCasePatchpointParams.h:
2025         (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
2026         * bytecode/EvalCodeBlock.cpp:
2027         * bytecode/FunctionCodeBlock.cpp:
2028         * bytecode/GetterSetterAccessCase.cpp:
2029         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2030         * bytecode/ModuleProgramCodeBlock.cpp:
2031         * bytecode/ProgramCodeBlock.cpp:
2032         * bytecode/UnlinkedCodeBlock.cpp:
2033         * bytecode/UnlinkedEvalCodeBlock.cpp:
2034         * bytecode/UnlinkedFunctionCodeBlock.cpp:
2035         * bytecode/UnlinkedFunctionExecutable.cpp:
2036         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
2037         * bytecode/UnlinkedProgramCodeBlock.cpp:
2038         * debugger/DebuggerScope.cpp:
2039         * dfg/DFGAbstractInterpreterInlines.h:
2040         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2041         * dfg/DFGByteCodeParser.cpp:
2042         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2043         * dfg/DFGClobberize.h:
2044         (JSC::DFG::clobberize):
2045         * dfg/DFGConstantFoldingPhase.cpp:
2046         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2047         * dfg/DFGDOMJITPatchpointParams.h:
2048         (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
2049         * dfg/DFGDoesGC.cpp:
2050         (JSC::DFG::doesGC):
2051         * dfg/DFGFixupPhase.cpp:
2052         (JSC::DFG::FixupPhase::fixupNode):
2053         (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
2054         (JSC::DFG::FixupPhase::fixupCheckSubClass):
2055         (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
2056         * dfg/DFGGraph.cpp:
2057         (JSC::DFG::Graph::dump):
2058         * dfg/DFGNode.h:
2059         (JSC::DFG::Node::hasClassInfo):
2060         (JSC::DFG::Node::classInfo):
2061         (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
2062         (JSC::DFG::Node::checkDOMPatchpoint): Deleted.
2063         * dfg/DFGNodeType.h:
2064         * dfg/DFGPredictionPropagationPhase.cpp:
2065         * dfg/DFGSafeToExecute.h:
2066         (JSC::DFG::safeToExecute):
2067         * dfg/DFGSpeculativeJIT.cpp:
2068         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2069         (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
2070         * dfg/DFGSpeculativeJIT.h:
2071         (JSC::DFG::SpeculativeJIT::vm):
2072         * dfg/DFGSpeculativeJIT32_64.cpp:
2073         (JSC::DFG::SpeculativeJIT::compile):
2074         * dfg/DFGSpeculativeJIT64.cpp:
2075         (JSC::DFG::SpeculativeJIT::compile):
2076         * domjit/DOMJITGetterSetter.h:
2077         * domjit/DOMJITPatchpointParams.h:
2078         (JSC::DOMJIT::PatchpointParams::PatchpointParams):
2079         (JSC::DOMJIT::PatchpointParams::vm):
2080         * domjit/DOMJITSignature.h:
2081         (JSC::DOMJIT::Signature::Signature):
2082         (JSC::DOMJIT::Signature::checkDOM): Deleted.
2083         * ftl/FTLAbstractHeapRepository.h:
2084         * ftl/FTLCapabilities.cpp:
2085         (JSC::FTL::canCompile):
2086         * ftl/FTLDOMJITPatchpointParams.h:
2087         (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
2088         * ftl/FTLLowerDFGToB3.cpp:
2089         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2090         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2091         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
2092         * inspector/JSInjectedScriptHost.cpp:
2093         * inspector/JSInjectedScriptHostPrototype.cpp:
2094         * inspector/JSJavaScriptCallFrame.cpp:
2095         * inspector/JSJavaScriptCallFramePrototype.cpp:
2096         * jsc.cpp:
2097         (WTF::DOMJITNode::checkSubClassPatchpoint):
2098         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
2099         (WTF::DOMJITFunctionObject::finishCreation):
2100         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2101         (WTF::DOMJITCheckSubClassObject::createStructure):
2102         (WTF::DOMJITCheckSubClassObject::create):
2103         (WTF::DOMJITCheckSubClassObject::safeFunction):
2104         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2105         (WTF::DOMJITCheckSubClassObject::finishCreation):
2106         (GlobalObject::finishCreation):
2107         (functionCreateDOMJITCheckSubClassObject):
2108         (WTF::DOMJITNode::checkDOMJITNode): Deleted.
2109         (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
2110         * runtime/AbstractModuleRecord.cpp:
2111         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2112         * runtime/ArrayConstructor.cpp:
2113         * runtime/ArrayIteratorPrototype.cpp:
2114         * runtime/ArrayPrototype.cpp:
2115         * runtime/AsyncFunctionConstructor.cpp:
2116         * runtime/AsyncFunctionPrototype.cpp:
2117         * runtime/AtomicsObject.cpp:
2118         * runtime/BooleanConstructor.cpp:
2119         * runtime/BooleanObject.cpp:
2120         * runtime/BooleanPrototype.cpp:
2121         * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
2122         (JSC::ClassInfo::dump):
2123         * runtime/ClassInfo.h:
2124         (JSC::ClassInfo::offsetOfParentClass):
2125         * runtime/ClonedArguments.cpp:
2126         * runtime/ConsoleObject.cpp:
2127         * runtime/CustomGetterSetter.cpp:
2128         * runtime/DateConstructor.cpp:
2129         * runtime/DateInstance.cpp:
2130         * runtime/DatePrototype.cpp:
2131         * runtime/DirectArguments.cpp:
2132         * runtime/Error.cpp:
2133         * runtime/ErrorConstructor.cpp:
2134         * runtime/ErrorInstance.cpp:
2135         * runtime/ErrorPrototype.cpp:
2136         * runtime/EvalExecutable.cpp:
2137         * runtime/Exception.cpp:
2138         * runtime/ExceptionHelpers.cpp:
2139         * runtime/ExecutableBase.cpp:
2140         * runtime/FunctionConstructor.cpp:
2141         * runtime/FunctionExecutable.cpp:
2142         * runtime/FunctionPrototype.cpp:
2143         * runtime/FunctionRareData.cpp:
2144         * runtime/GeneratorFunctionConstructor.cpp:
2145         * runtime/GeneratorFunctionPrototype.cpp:
2146         * runtime/GeneratorPrototype.cpp:
2147         * runtime/GetterSetter.cpp:
2148         * runtime/HashMapImpl.cpp:
2149         * runtime/HashMapImpl.h:
2150         * runtime/InferredType.cpp:
2151         (JSC::InferredType::create):
2152         * runtime/InferredTypeTable.cpp:
2153         * runtime/InferredValue.cpp:
2154         * runtime/InspectorInstrumentationObject.cpp:
2155         * runtime/InternalFunction.cpp:
2156         * runtime/IntlCollator.cpp:
2157         * runtime/IntlCollatorConstructor.cpp:
2158         * runtime/IntlCollatorPrototype.cpp:
2159         * runtime/IntlDateTimeFormat.cpp:
2160         * runtime/IntlDateTimeFormatConstructor.cpp:
2161         * runtime/IntlDateTimeFormatPrototype.cpp:
2162         * runtime/IntlNumberFormat.cpp:
2163         * runtime/IntlNumberFormatConstructor.cpp:
2164         * runtime/IntlNumberFormatPrototype.cpp:
2165         * runtime/IntlObject.cpp:
2166         * runtime/IteratorPrototype.cpp:
2167         * runtime/JSAPIValueWrapper.cpp:
2168         * runtime/JSArray.cpp:
2169         * runtime/JSArrayBuffer.cpp:
2170         * runtime/JSArrayBufferConstructor.cpp:
2171         * runtime/JSArrayBufferPrototype.cpp:
2172         * runtime/JSArrayBufferView.cpp:
2173         * runtime/JSAsyncFunction.cpp:
2174         * runtime/JSBoundFunction.cpp:
2175         * runtime/JSCallee.cpp:
2176         * runtime/JSCustomGetterSetterFunction.cpp:
2177         * runtime/JSDataView.cpp:
2178         * runtime/JSDataViewPrototype.cpp:
2179         * runtime/JSEnvironmentRecord.cpp:
2180         * runtime/JSFixedArray.cpp:
2181         * runtime/JSFunction.cpp:
2182         * runtime/JSGeneratorFunction.cpp:
2183         * runtime/JSGlobalLexicalEnvironment.cpp:
2184         * runtime/JSGlobalObject.cpp:
2185         * runtime/JSInternalPromise.cpp:
2186         * runtime/JSInternalPromiseConstructor.cpp:
2187         * runtime/JSInternalPromiseDeferred.cpp:
2188         * runtime/JSInternalPromisePrototype.cpp:
2189         * runtime/JSLexicalEnvironment.cpp:
2190         * runtime/JSMap.cpp:
2191         * runtime/JSMapIterator.cpp:
2192         * runtime/JSModuleEnvironment.cpp:
2193         * runtime/JSModuleLoader.cpp:
2194         * runtime/JSModuleNamespaceObject.cpp:
2195         * runtime/JSModuleRecord.cpp:
2196         * runtime/JSNativeStdFunction.cpp:
2197         * runtime/JSONObject.cpp:
2198         * runtime/JSObject.cpp:
2199         * runtime/JSPromise.cpp:
2200         * runtime/JSPromiseConstructor.cpp:
2201         * runtime/JSPromiseDeferred.cpp:
2202         * runtime/JSPromisePrototype.cpp:
2203         * runtime/JSPropertyNameEnumerator.cpp:
2204         * runtime/JSPropertyNameIterator.cpp:
2205         * runtime/JSProxy.cpp:
2206         * runtime/JSScriptFetcher.cpp:
2207         * runtime/JSSet.cpp:
2208         * runtime/JSSetIterator.cpp:
2209         * runtime/JSSourceCode.cpp:
2210         * runtime/JSString.cpp:
2211         * runtime/JSStringIterator.cpp:
2212         * runtime/JSSymbolTableObject.cpp:
2213         * runtime/JSTemplateRegistryKey.cpp:
2214         * runtime/JSTypedArrayConstructors.cpp:
2215         * runtime/JSTypedArrayPrototypes.cpp:
2216         * runtime/JSTypedArrayViewConstructor.cpp:
2217         * runtime/JSTypedArrays.cpp:
2218         * runtime/JSWeakMap.cpp:
2219         * runtime/JSWeakSet.cpp:
2220         * runtime/JSWithScope.cpp:
2221         * runtime/MapConstructor.cpp:
2222         * runtime/MapIteratorPrototype.cpp:
2223         * runtime/MapPrototype.cpp:
2224         * runtime/MathObject.cpp:
2225         * runtime/ModuleLoaderPrototype.cpp:
2226         * runtime/ModuleProgramExecutable.cpp:
2227         * runtime/NativeErrorConstructor.cpp:
2228         * runtime/NativeExecutable.cpp:
2229         * runtime/NativeStdFunctionCell.cpp:
2230         * runtime/NullGetterFunction.cpp:
2231         * runtime/NullSetterFunction.cpp:
2232         * runtime/NumberConstructor.cpp:
2233         * runtime/NumberObject.cpp:
2234         * runtime/NumberPrototype.cpp:
2235         * runtime/ObjectConstructor.cpp:
2236         * runtime/ObjectPrototype.cpp:
2237         * runtime/ProgramExecutable.cpp:
2238         * runtime/PropertyTable.cpp:
2239         * runtime/ProxyConstructor.cpp:
2240         * runtime/ProxyObject.cpp:
2241         * runtime/ProxyRevoke.cpp:
2242         * runtime/ReflectObject.cpp:
2243         * runtime/RegExp.cpp:
2244         * runtime/RegExpConstructor.cpp:
2245         * runtime/RegExpObject.cpp:
2246         * runtime/RegExpPrototype.cpp:
2247         * runtime/ScopedArguments.cpp:
2248         * runtime/ScopedArgumentsTable.cpp:
2249         * runtime/ScriptExecutable.cpp:
2250         * runtime/SetConstructor.cpp:
2251         * runtime/SetIteratorPrototype.cpp:
2252         * runtime/SetPrototype.cpp:
2253         * runtime/SparseArrayValueMap.cpp:
2254         * runtime/StrictEvalActivation.cpp:
2255         * runtime/StringConstructor.cpp:
2256         * runtime/StringIteratorPrototype.cpp:
2257         * runtime/StringObject.cpp:
2258         * runtime/StringPrototype.cpp:
2259         * runtime/Structure.cpp:
2260         * runtime/StructureChain.cpp:
2261         * runtime/StructureRareData.cpp:
2262         * runtime/Symbol.cpp:
2263         * runtime/SymbolConstructor.cpp:
2264         * runtime/SymbolObject.cpp:
2265         * runtime/SymbolPrototype.cpp:
2266         * runtime/SymbolTable.cpp:
2267         * runtime/WeakMapConstructor.cpp:
2268         * runtime/WeakMapData.cpp:
2269         * runtime/WeakMapPrototype.cpp:
2270         * runtime/WeakSetConstructor.cpp:
2271         * runtime/WeakSetPrototype.cpp:
2272         * testRegExp.cpp:
2273         * tools/JSDollarVM.cpp:
2274         * tools/JSDollarVMPrototype.cpp:
2275         * wasm/JSWebAssembly.cpp:
2276         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2277         * wasm/js/JSWebAssemblyCompileError.cpp:
2278         * wasm/js/JSWebAssemblyInstance.cpp:
2279         * wasm/js/JSWebAssemblyLinkError.cpp:
2280         * wasm/js/JSWebAssemblyMemory.cpp:
2281         * wasm/js/JSWebAssemblyModule.cpp:
2282         * wasm/js/JSWebAssemblyRuntimeError.cpp:
2283         * wasm/js/JSWebAssemblyTable.cpp:
2284         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2285         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
2286         * wasm/js/WebAssemblyFunction.cpp:
2287         * wasm/js/WebAssemblyFunctionBase.cpp:
2288         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2289         * wasm/js/WebAssemblyInstancePrototype.cpp:
2290         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2291         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
2292         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2293         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2294         * wasm/js/WebAssemblyModuleConstructor.cpp:
2295         * wasm/js/WebAssemblyModulePrototype.cpp:
2296         * wasm/js/WebAssemblyModuleRecord.cpp:
2297         * wasm/js/WebAssemblyPrototype.cpp:
2298         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2299         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
2300         * wasm/js/WebAssemblyTableConstructor.cpp:
2301         * wasm/js/WebAssemblyTablePrototype.cpp:
2302         * wasm/js/WebAssemblyToJSCallee.cpp:
2303         * wasm/js/WebAssemblyWrapperFunction.cpp:
2304
2305 2017-05-18  JF Bastien  <jfbastien@apple.com>
2306
2307         WebAssembly: exports is a getter
2308         https://bugs.webkit.org/show_bug.cgi?id=172129
2309
2310         Reviewed by Saam Barati.
2311
2312         As updated here: https://github.com/WebAssembly/design/pull/1062
2313
2314         * wasm/js/JSWebAssemblyInstance.cpp:
2315         (JSC::JSWebAssemblyInstance::finishCreation): don't putDirect here anymore
2316         * wasm/js/JSWebAssemblyInstance.h:
2317         (JSC::JSWebAssemblyInstance::moduleNamespaceObject): add accessor
2318         * wasm/js/WebAssemblyFunctionBase.cpp: squelch causing a warning
2319         * wasm/js/WebAssemblyInstancePrototype.cpp: use LUT
2320         (JSC::getInstance): helper, as in surrounding files
2321         (JSC::webAssemblyInstanceProtoFuncExports): instead of putDirect
2322         * wasm/js/WebAssemblyMemoryPrototype.cpp: pass VM around as for Table
2323         (JSC::getMemory):
2324         (JSC::webAssemblyMemoryProtoFuncGrow):
2325         (JSC::webAssemblyMemoryProtoFuncBuffer):
2326         * wasm/js/WebAssemblyTablePrototype.cpp: static everywhere as with other code
2327         (JSC::webAssemblyTableProtoFuncLength):
2328         (JSC::webAssemblyTableProtoFuncGrow):
2329         (JSC::webAssemblyTableProtoFuncGet):
2330         (JSC::webAssemblyTableProtoFuncSet):
2331
2332 2017-05-18  Saam Barati  <sbarati@apple.com>
2333
2334         Proxy's [[Get]] passes incorrect receiver
2335         https://bugs.webkit.org/show_bug.cgi?id=164849
2336         <rdar://problem/31767058>
2337
2338         Reviewed by Yusuke Suzuki.
2339
2340         * runtime/ProxyObject.cpp:
2341         (JSC::performProxyGet):
2342
2343 2017-05-18  Andy Estes  <aestes@apple.com>
2344
2345         ENABLE(APPLE_PAY_DELEGATE) should be NO on macOS Sierra and earlier
2346         https://bugs.webkit.org/show_bug.cgi?id=172305
2347
2348         Reviewed by Anders Carlsson.
2349
2350         * Configurations/FeatureDefines.xcconfig:
2351
2352 2017-05-18  Saam Barati  <sbarati@apple.com>
2353
2354         We need to destroy worker threads in jsc.cpp
2355         https://bugs.webkit.org/show_bug.cgi?id=170751
2356         <rdar://problem/31800412>
2357
2358         Reviewed by Filip Pizlo.
2359
2360         This patch fixes a bug where a $ agent worker would still
2361         have compilation threads running after the thread the worker
2362         was created on dies. This manifested itself inside DFG AI where
2363         we would notice a string constant is atomic, then the worker
2364         thread would die, destroying its atomic string table, then
2365         we'd notice the same string is no longer atomic, and we'd crash
2366         because we'd fail to see the same speculated type for the same
2367         JSValue.
2368         
2369         This patch makes it so that $ agent workers destroy their VM when
2370         they're done executing. Before a VM gets destroyed, it ensures that
2371         all its compilation threads finish.
2372
2373         * jsc.cpp:
2374         (functionDollarAgentStart):
2375         (runJSC):
2376         (jscmain):
2377
2378 2017-05-18  Michael Saboff  <msaboff@apple.com>
2379
2380         Add FTL whitelist debugging option
2381         https://bugs.webkit.org/show_bug.cgi?id=172321
2382
2383         Reviewed by Saam Barati.
2384
2385         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2386         (JSC::DFG::ensureGlobalFTLWhitelist):
2387         (JSC::DFG::TierUpCheckInjectionPhase::run):
2388         * runtime/Options.h:
2389         * tools/FunctionWhitelist.cpp:
2390         (JSC::FunctionWhitelist::contains):
2391
2392 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
2393
2394         Constructor calls set this too early
2395         https://bugs.webkit.org/show_bug.cgi?id=172302
2396
2397         Reviewed by Saam Barati.
2398         
2399         We were setting this before evaluating the arguments, so this code:
2400         
2401             var x = 42;
2402             new x(x = function() { });
2403         
2404         Would crash because we would pass 42 as this, and create_this would treat it as a cell.
2405         Dereferencing a non-cell is guaranteed to crash.
2406
2407         * bytecompiler/BytecodeGenerator.cpp:
2408         (JSC::BytecodeGenerator::emitConstruct):
2409         * bytecompiler/BytecodeGenerator.h:
2410         * bytecompiler/NodesCodegen.cpp:
2411         (JSC::NewExprNode::emitBytecode):
2412         (JSC::FunctionCallValueNode::emitBytecode):
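The evaluation order the entry above describes, as an added example that is not part of the WebKit ChangeLog or its tests: per the ECMAScript `new` semantics the callee expression is evaluated first, then the argument list, and only then is the callee checked for being a constructor and used to create `this`, so a callee rebound inside the argument list must not affect what gets constructed, and a non-constructor callee yields a TypeError after the arguments' side effects have run. The function and variable names are constructed for this illustration.

```javascript
// Added example (not WebKit code): observing the evaluation order of
// `new callee(args)` so that a regression like the one described above
// (this created from the callee before the arguments are evaluated) is
// visible from plain JavaScript rather than as a crash.

function constructWithReassignedCallee() {
  function Original() { this.tag = 'original'; }
  function Replacement() { this.tag = 'replacement'; }
  let f = Original;
  // The argument expression rebinds f, but the callee was already read:
  // the spec constructs Original, not Replacement.
  const obj = new f(f = Replacement);
  return { constructed: obj.tag, fAfter: f.name };
}

function constructNonConstructorCallee() {
  // The case quoted in the ChangeLog entry: x is 42 when read as the callee.
  let x = 42;
  let argsEvaluated = false;
  let threw = false;
  try {
    // Both arguments are evaluated before the callee is checked, so x is
    // rebound and argsEvaluated is set; then IsConstructor(42) fails and a
    // TypeError is thrown. A correct engine must never treat 42 as an object.
    new x(x = function () {}, argsEvaluated = true);
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { argsEvaluated, threw, xIsFunction: typeof x === 'function' };
}
```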
2413
2414 2017-05-18  Saam Barati  <sbarati@apple.com>
2415
2416         WebAssembly: perform stack checks
2417         https://bugs.webkit.org/show_bug.cgi?id=165546
2418         <rdar://problem/29760307>
2419
2420         Reviewed by Filip Pizlo.
2421
2422         This patch adds stack checks to wasm. It implements it by storing the stack
2423         bounds on the Context.
2424         
2425         Stack checking works as normal, except we do a small optimization for terminal
2426         nodes in the call tree (nodes that don't make any calls). These nodes will
2427         only do a stack check if their frame size is beyond 1024 bytes. Otherwise,
2428         it's assumed the parent that called them did their stack check for them.
2429         This is because all things that make calls make sure to do an extra 1024
2430         bytes whenever doing a stack check.
2431         
2432         We also take into account stack size for potential JS calls when doing
2433         stack checks since our JS stubs don't do this on their own. Each frame
2434         will ensure it does a stack check large enough for any potential JS call
2435         stubs it'll execute.
2436         
2437         Surprisingly, this patch is neutral on WasmBench and TitzerBench.
2438
2439         * llint/LLIntData.cpp:
2440         (JSC::LLInt::Data::performAssertions):
2441         * llint/LowLevelInterpreter.asm:
2442         * runtime/Error.cpp:
2443         (JSC::createRangeError):
2444         (JSC::addErrorInfoAndGetBytecodeOffset):
2445         I fixed a bug here where we assumed that the first frame that has line
2446         and column info would be in our stack trace. This is not correct
2447         since we limit our stack trace size. If everything in our limited
2448         size stack trace is Wasm, then we won't have any frames with line
2449         and column info.
2450         * runtime/Error.h:
2451         * runtime/ExceptionHelpers.cpp:
2452         (JSC::createStackOverflowError):
2453         * runtime/ExceptionHelpers.h:
2454         * runtime/JSGlobalObject.cpp:
2455         (JSC::JSGlobalObject::init):
2456         (JSC::JSGlobalObject::visitChildren):
2457         * runtime/JSGlobalObject.h:
2458         (JSC::JSGlobalObject::webAssemblyToJSCalleeStructure):
2459         * runtime/JSType.h:
2460         * runtime/Options.h: I've added a new option that controls
2461         whether or not we use fast TLS for the wasm context.
2462         * runtime/VM.cpp:
2463         (JSC::VM::VM):
2464         * runtime/VM.h:
2465         * wasm/WasmB3IRGenerator.cpp:
2466         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2467         * wasm/WasmBinding.cpp:
2468         (JSC::Wasm::wasmToWasm):
2469         * wasm/WasmContext.cpp:
2470         (JSC::Wasm::loadContext):
2471         (JSC::Wasm::storeContext):
2472         * wasm/WasmContext.h:
2473         (JSC::Wasm::useFastTLSForContext):
2474         * wasm/WasmExceptionType.h:
2475         * wasm/WasmMemoryInformation.h:
2476         (JSC::Wasm::PinnedRegisterInfo::toSave):
2477         * wasm/WasmThunks.cpp:
2478         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2479         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2480         (JSC::Wasm::Thunks::stub):
2481         * wasm/WasmThunks.h:
2482         * wasm/js/JSWebAssemblyInstance.h:
2483         (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit):
2484         (JSC::JSWebAssemblyInstance::cachedStackLimit):
2485         (JSC::JSWebAssemblyInstance::setCachedStackLimit):
2486         * wasm/js/JSWebAssemblyModule.cpp:
2487         (JSC::JSWebAssemblyModule::finishCreation):
2488         * wasm/js/WebAssemblyFunction.cpp:
2489         (JSC::callWebAssemblyFunction):
2490         * wasm/js/WebAssemblyToJSCallee.cpp: Make this a descendant of object.
2491         This is needed for correctness because we may call into JS,
2492         and then the first JS frame could stack overflow. When it stack
2493         overflows, it rolls back one frame to the wasm->js call stub with
2494         the wasm->js callee. It gets the lexical global object from this
2495         frame, meaning it gets the global object from the callee. Therefore,
2496         we must make it an object since all objects have global objects.
2497         (JSC::WebAssemblyToJSCallee::create):
2498         * wasm/js/WebAssemblyToJSCallee.h:
2499
2500 2017-05-18  Keith Miller  <keith_miller@apple.com>
2501
2502         WebAssembly API: test with neutered inputs
2503         https://bugs.webkit.org/show_bug.cgi?id=163899
2504
2505         Reviewed by JF Bastien.
2506
2507         Add tests to check that we properly throw a type error when
2508         we get a transferred ArrayBuffer. Also, we should make sure
2509         we cannot post message a wasm memory's ArrayBuffer.
2510
2511         * API/JSTypedArray.cpp:
2512         (JSObjectGetArrayBufferBytesPtr):
2513         * runtime/ArrayBuffer.cpp:
2514         (JSC::ArrayBuffer::makeShared):
2515         (JSC::ArrayBuffer::makeWasmMemory):
2516         (JSC::ArrayBuffer::transferTo):
2517         (JSC::ArrayBuffer::neuter):
2518         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
2519         (JSC::errorMesasgeForTransfer):
2520         * runtime/ArrayBuffer.h:
2521         (JSC::ArrayBuffer::isLocked):
2522         (JSC::ArrayBuffer::isWasmMemory):
2523         * wasm/js/JSWebAssemblyMemory.cpp:
2524         (JSC::JSWebAssemblyMemory::buffer):
2525         (JSC::JSWebAssemblyMemory::grow):
2526
2527 2017-05-18  Joseph Pecoraro  <pecoraro@apple.com>
2528
2529         Remote Inspector: Be stricter about checking message types
2530         https://bugs.webkit.org/show_bug.cgi?id=172259
2531         <rdar://problem/32264839>
2532
2533         Reviewed by Brian Burg.
2534
2535         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2536         (Inspector::RemoteInspector::receivedSetupMessage):
2537         (Inspector::RemoteInspector::receivedDataMessage):
2538         (Inspector::RemoteInspector::receivedDidCloseMessage):
2539         (Inspector::RemoteInspector::receivedIndicateMessage):
2540         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
2541         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
2542         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
2543         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
2544         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
2545         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
2546         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2547         (Inspector::RemoteInspectorXPCConnection::sendMessage):
2548         Bail if we don't receive the expected types for message data.
2549
2550 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
2551
2552         DFG inlining should be hardened for the no-result case
2553         https://bugs.webkit.org/show_bug.cgi?id=172290
2554
2555         Reviewed by Saam Barati.
2556         
2557         Previously, if we were inlining a setter call, we might have a bad time because the setter's
2558         result register is the invalid VirtualRegister(), and much of the intrinsic handling code
2559         assumes that the result register is valid.
2560         
2561         This doesn't usually cause problems because people don't usually point a setter at something
2562         that we recognize as an intrinsic.
2563         
2564         * CMakeLists.txt:
2565         * JavaScriptCore.xcodeproj/project.pbxproj:
2566         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: Fix a comment.
2567         * dfg/DFGByteCodeParser.cpp: Make RELEASE_ASSERT give accurate stacks. I was getting an absurd stack from the assert I added in DelayedSetLocal.
2568         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): Assert so we catch the problem sooner.
2569         (JSC::DFG::ByteCodeParser::handleIntrinsicCall): Fix the bug.
2570         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): Fix the bug if constant internal functions were setter-inlineable (they ain't, because the bytecode parser doesn't fold GetSetter).
2571         * runtime/Intrinsic.cpp: Added. I needed this to debug.
2572         (JSC::intrinsicName):
2573         (WTF::printInternal):
2574         * runtime/Intrinsic.h:
2575
2576 2017-05-18  Commit Queue  <commit-queue@webkit.org>
2577
2578         Unreviewed, rolling out r217031, r217032, and r217037.
2579         https://bugs.webkit.org/show_bug.cgi?id=172293
2580
2581         cause linking errors in Windows (Requested by yusukesuzuki on
2582         #webkit).
2583
2584         Reverted changesets:
2585
2586         "[JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass"
2587         https://bugs.webkit.org/show_bug.cgi?id=172098
2588         http://trac.webkit.org/changeset/217031
2589
2590         "Unreviewed, rebaseline for newly added ClassInfo"
2591         https://bugs.webkit.org/show_bug.cgi?id=172098
2592         http://trac.webkit.org/changeset/217032
2593
2594         "Unreviewed, fix debug and non-JIT build"
2595         https://bugs.webkit.org/show_bug.cgi?id=172098
2596         http://trac.webkit.org/changeset/217037
2597
2598 2017-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2599
2600         Unreviewed, fix debug and non-JIT build
2601         https://bugs.webkit.org/show_bug.cgi?id=172098
2602
2603         * jsc.cpp:
2604         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
2605
2606 2017-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2607
2608         Unreviewed, rebaseline for newly added ClassInfo
2609         https://bugs.webkit.org/show_bug.cgi?id=172098
2610
2611         * wasm/js/WebAssemblyFunctionBase.cpp:
2612
2613 2017-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2614
2615         [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
2616         https://bugs.webkit.org/show_bug.cgi?id=172098
2617
2618         Reviewed by Saam Barati.
2619
2620         In this patch, we generalize CheckDOM to CheckSubClass.
2621         It can accept any ClassInfo and perform ClassInfo check
2622         in DFG / FTL. Now, we add a new function pointer to ClassInfo,
2623         checkSubClassPatchpoint. It can create DOMJIT patchpoint
2624         for that ClassInfo. It is natural that ClassInfo holds the
2625         way to emit DOMJIT::Patchpoint to perform CheckSubClass
2626         rather than having it in each DOMJIT getter / function
2627         signature annotation.
2628
2629         One problem is that it enlarges the size of ClassInfo.
2630         But this is the best place to put this function pointer.
2631         By doing so, we can add a patchpoint for CheckSubClass
2632         in a non-intrusive manner: WebCore can inject patchpoints
2633         without interacting with JSC.
2634
2635         We still have a way to reduce the size of ClassInfo if
2636         we move ArrayBuffer related methods out to the other places.
2637
2638         This patch touches many files because we add a new function
2639         pointer to ClassInfo. But they are basically mechanical changes.
2640
2641         * API/JSAPIWrapperObject.mm:
2642         * API/JSCallbackConstructor.cpp:
2643         * API/JSCallbackFunction.cpp:
2644         * API/JSCallbackObject.cpp:
2645         * API/ObjCCallbackFunction.mm:
2646         * CMakeLists.txt:
2647         * JavaScriptCore.xcodeproj/project.pbxproj:
2648         * bytecode/CodeBlock.cpp:
2649         * bytecode/DOMJITAccessCasePatchpointParams.h:
2650         (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
2651         * bytecode/EvalCodeBlock.cpp:
2652         * bytecode/FunctionCodeBlock.cpp:
2653         * bytecode/GetterSetterAccessCase.cpp:
2654         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2655         * bytecode/ModuleProgramCodeBlock.cpp:
2656         * bytecode/ProgramCodeBlock.cpp:
2657         * bytecode/UnlinkedCodeBlock.cpp:
2658         * bytecode/UnlinkedEvalCodeBlock.cpp:
2659         * bytecode/UnlinkedFunctionCodeBlock.cpp:
2660         * bytecode/UnlinkedFunctionExecutable.cpp:
2661         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
2662         * bytecode/UnlinkedProgramCodeBlock.cpp:
2663         * debugger/DebuggerScope.cpp:
2664         * dfg/DFGAbstractInterpreterInlines.h:
2665         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2666         * dfg/DFGByteCodeParser.cpp:
2667         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2668         * dfg/DFGClobberize.h:
2669         (JSC::DFG::clobberize):
2670         * dfg/DFGConstantFoldingPhase.cpp:
2671         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2672         * dfg/DFGDOMJITPatchpointParams.h:
2673         (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
2674         * dfg/DFGDoesGC.cpp:
2675         (JSC::DFG::doesGC):
2676         * dfg/DFGFixupPhase.cpp:
2677         (JSC::DFG::FixupPhase::fixupNode):
2678         (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
2679         (JSC::DFG::FixupPhase::fixupCheckSubClass):
2680         (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
2681         * dfg/DFGGraph.cpp:
2682         (JSC::DFG::Graph::dump):
2683         * dfg/DFGNode.h:
2684         (JSC::DFG::Node::hasClassInfo):
2685         (JSC::DFG::Node::classInfo):
2686         (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
2687         (JSC::DFG::Node::checkDOMPatchpoint): Deleted.
2688         * dfg/DFGNodeType.h:
2689         * dfg/DFGPredictionPropagationPhase.cpp:
2690         * dfg/DFGSafeToExecute.h:
2691         (JSC::DFG::safeToExecute):
2692         * dfg/DFGSpeculativeJIT.cpp:
2693         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2694         (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
2695         * dfg/DFGSpeculativeJIT.h:
2696         (JSC::DFG::SpeculativeJIT::vm):
2697         * dfg/DFGSpeculativeJIT32_64.cpp:
2698         (JSC::DFG::SpeculativeJIT::compile):
2699         In DFG, we rename CheckDOM to CheckSubClass. It just holds ClassInfo.
2700         And ClassInfo knows how to perform CheckSubClass efficiently.
2701         If ClassInfo does not have a way to perform CheckSubClass efficiently,
2702         we just perform jsDynamicCast thing in ASM.
2703         * dfg/DFGSpeculativeJIT64.cpp:
2704         (JSC::DFG::SpeculativeJIT::compile):
2705         * domjit/DOMJITGetterSetter.h:
2706         * domjit/DOMJITPatchpointParams.h:
2707         (JSC::DOMJIT::PatchpointParams::PatchpointParams):
2708         (JSC::DOMJIT::PatchpointParams::vm):
2709         * domjit/DOMJITSignature.h:
2710         (JSC::DOMJIT::Signature::Signature):
2711         (JSC::DOMJIT::Signature::checkDOM): Deleted.
2712         * ftl/FTLAbstractHeapRepository.h:
2713         * ftl/FTLCapabilities.cpp:
2714         (JSC::FTL::canCompile):
2715         * ftl/FTLDOMJITPatchpointParams.h:
2716         (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
2717         * ftl/FTLLowerDFGToB3.cpp:
2718         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2719         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2720         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
2721         * inspector/JSInjectedScriptHost.cpp:
2722         * inspector/JSInjectedScriptHostPrototype.cpp:
2723         * inspector/JSJavaScriptCallFrame.cpp:
2724         * inspector/JSJavaScriptCallFramePrototype.cpp:
2725         * jsc.cpp:
2726         (WTF::DOMJITNode::checkSubClassPatchpoint):
2727         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
2728         (WTF::DOMJITFunctionObject::finishCreation):
2729         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2730         (WTF::DOMJITCheckSubClassObject::createStructure):
2731         (WTF::DOMJITCheckSubClassObject::create):
2732         (WTF::DOMJITCheckSubClassObject::safeFunction):
2733         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2734         (WTF::DOMJITCheckSubClassObject::finishCreation):
2735         (GlobalObject::finishCreation):
2736         (functionCreateDOMJITCheckSubClassObject):
2737         (WTF::DOMJITNode::checkDOMJITNode): Deleted.
2738         (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
2739         * runtime/AbstractModuleRecord.cpp:
2740         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2741         * runtime/ArrayConstructor.cpp:
2742         * runtime/ArrayIteratorPrototype.cpp:
2743         * runtime/ArrayPrototype.cpp:
2744         * runtime/AsyncFunctionConstructor.cpp:
2745         * runtime/AsyncFunctionPrototype.cpp:
2746         * runtime/AtomicsObject.cpp:
2747         * runtime/BooleanConstructor.cpp:
2748         * runtime/BooleanObject.cpp:
2749         * runtime/BooleanPrototype.cpp:
2750         * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
2751         (JSC::ClassInfo::dump):
2752         * runtime/ClassInfo.h:
2753         (JSC::ClassInfo::offsetOfParentClass):
2754         * runtime/ClonedArguments.cpp:
2755         * runtime/ConsoleObject.cpp:
2756         * runtime/CustomGetterSetter.cpp:
2757         * runtime/DateConstructor.cpp:
2758         * runtime/DateInstance.cpp:
2759         * runtime/DatePrototype.cpp:
2760         * runtime/DirectArguments.cpp:
2761         * runtime/Error.cpp:
2762         * runtime/ErrorConstructor.cpp:
2763         * runtime/ErrorInstance.cpp:
2764         * runtime/ErrorPrototype.cpp:
2765         * runtime/EvalExecutable.cpp:
2766         * runtime/Exception.cpp:
2767         * runtime/ExceptionHelpers.cpp:
2768         * runtime/ExecutableBase.cpp:
2769         * runtime/FunctionConstructor.cpp:
2770         * runtime/FunctionExecutable.cpp:
2771         * runtime/FunctionPrototype.cpp:
2772         * runtime/FunctionRareData.cpp:
2773         * runtime/GeneratorFunctionConstructor.cpp:
2774         * runtime/GeneratorFunctionPrototype.cpp:
2775         * runtime/GeneratorPrototype.cpp:
2776         * runtime/GetterSetter.cpp:
2777         * runtime/HashMapImpl.cpp:
2778         * runtime/HashMapImpl.h:
2779         * runtime/InferredType.cpp:
2780         (JSC::InferredType::create):
2781         * runtime/InferredTypeTable.cpp:
2782         * runtime/InferredValue.cpp:
2783         * runtime/InspectorInstrumentationObject.cpp:
2784         * runtime/InternalFunction.cpp:
2785         * runtime/IntlCollator.cpp:
2786         * runtime/IntlCollatorConstructor.cpp:
2787         * runtime/IntlCollatorPrototype.cpp:
2788         * runtime/IntlDateTimeFormat.cpp:
2789         * runtime/IntlDateTimeFormatConstructor.cpp:
2790         * runtime/IntlDateTimeFormatPrototype.cpp:
2791         * runtime/IntlNumberFormat.cpp:
2792         * runtime/IntlNumberFormatConstructor.cpp:
2793         * runtime/IntlNumberFormatPrototype.cpp:
2794         * runtime/IntlObject.cpp:
2795         * runtime/IteratorPrototype.cpp:
2796         * runtime/JSAPIValueWrapper.cpp:
2797         * runtime/JSArray.cpp:
2798         * runtime/JSArrayBuffer.cpp:
2799         * runtime/JSArrayBufferConstructor.cpp:
2800         * runtime/JSArrayBufferPrototype.cpp:
2801         * runtime/JSArrayBufferView.cpp:
2802         * runtime/JSAsyncFunction.cpp:
2803         * runtime/JSBoundFunction.cpp:
2804         * runtime/JSCallee.cpp:
2805         * runtime/JSCustomGetterSetterFunction.cpp:
2806         * runtime/JSDataView.cpp:
2807         * runtime/JSDataViewPrototype.cpp:
2808         * runtime/JSEnvironmentRecord.cpp:
2809         * runtime/JSFixedArray.cpp:
2810         * runtime/JSFunction.cpp:
2811         * runtime/JSGeneratorFunction.cpp:
2812         * runtime/JSGlobalLexicalEnvironment.cpp:
2813         * runtime/JSGlobalObject.cpp:
2814         * runtime/JSInternalPromise.cpp:
2815         * runtime/JSInternalPromiseConstructor.cpp:
2816         * runtime/JSInternalPromiseDeferred.cpp:
2817         * runtime/JSInternalPromisePrototype.cpp:
2818         * runtime/JSLexicalEnvironment.cpp:
2819         * runtime/JSMap.cpp:
2820         * runtime/JSMapIterator.cpp:
2821         * runtime/JSModuleEnvironment.cpp:
2822         * runtime/JSModuleLoader.cpp:
2823         * runtime/JSModuleNamespaceObject.cpp:
2824         * runtime/JSModuleRecord.cpp:
2825         * runtime/JSNativeStdFunction.cpp:
2826         * runtime/JSONObject.cpp:
2827         * runtime/JSObject.cpp:
2828         * runtime/JSPromise.cpp:
2829         * runtime/JSPromiseConstructor.cpp:
2830         * runtime/JSPromiseDeferred.cpp:
2831         * runtime/JSPromisePrototype.cpp:
2832         * runtime/JSPropertyNameEnumerator.cpp:
2833         * runtime/JSPropertyNameIterator.cpp:
2834         * runtime/JSProxy.cpp:
2835         * runtime/JSScriptFetcher.cpp:
2836         * runtime/JSSet.cpp:
2837         * runtime/JSSetIterator.cpp:
2838         * runtime/JSSourceCode.cpp:
2839         * runtime/JSString.cpp:
2840         * runtime/JSStringIterator.cpp:
2841         * runtime/JSSymbolTableObject.cpp:
2842         * runtime/JSTemplateRegistryKey.cpp:
2843         * runtime/JSTypedArrayConstructors.cpp:
2844         * runtime/JSTypedArrayPrototypes.cpp:
2845         * runtime/JSTypedArrayViewConstructor.cpp:
2846         * runtime/JSTypedArrays.cpp:
2847         * runtime/JSWeakMap.cpp:
2848         * runtime/JSWeakSet.cpp:
2849         * runtime/JSWithScope.cpp:
2850         * runtime/MapConstructor.cpp:
2851         * runtime/MapIteratorPrototype.cpp:
2852         * runtime/MapPrototype.cpp:
2853         * runtime/MathObject.cpp:
2854         * runtime/ModuleLoaderPrototype.cpp:
2855         * runtime/ModuleProgramExecutable.cpp:
2856         * runtime/NativeErrorConstructor.cpp:
2857         * runtime/NativeExecutable.cpp:
2858         * runtime/NativeStdFunctionCell.cpp:
2859         * runtime/NullGetterFunction.cpp:
2860         * runtime/NullSetterFunction.cpp:
2861         * runtime/NumberConstructor.cpp:
2862         * runtime/NumberObject.cpp:
2863         * runtime/NumberPrototype.cpp:
2864         * runtime/ObjectConstructor.cpp:
2865         * runtime/ObjectPrototype.cpp:
2866         * runtime/ProgramExecutable.cpp:
2867         * runtime/PropertyTable.cpp:
2868         * runtime/ProxyConstructor.cpp:
2869         * runtime/ProxyObject.cpp:
2870         * runtime/ProxyRevoke.cpp:
2871         * runtime/ReflectObject.cpp:
2872         * runtime/RegExp.cpp:
2873         * runtime/RegExpConstructor.cpp:
2874         * runtime/RegExpObject.cpp:
2875         * runtime/RegExpPrototype.cpp:
2876         * runtime/ScopedArguments.cpp:
2877         * runtime/ScopedArgumentsTable.cpp:
2878         * runtime/ScriptExecutable.cpp:
2879         * runtime/SetConstructor.cpp:
2880         * runtime/SetIteratorPrototype.cpp:
2881         * runtime/SetPrototype.cpp:
2882         * runtime/SparseArrayValueMap.cpp:
2883         * runtime/StrictEvalActivation.cpp:
2884         * runtime/StringConstructor.cpp:
2885         * runtime/StringIteratorPrototype.cpp:
2886         * runtime/StringObject.cpp:
2887         * runtime/StringPrototype.cpp:
2888         * runtime/Structure.cpp:
2889         * runtime/StructureChain.cpp:
2890         * runtime/StructureRareData.cpp:
2891         * runtime/Symbol.cpp:
2892         * runtime/SymbolConstructor.cpp:
2893         * runtime/SymbolObject.cpp:
2894         * runtime/SymbolPrototype.cpp:
2895         * runtime/SymbolTable.cpp:
2896         * runtime/WeakMapConstructor.cpp:
2897         * runtime/WeakMapData.cpp:
2898         * runtime/WeakMapPrototype.cpp:
2899         * runtime/WeakSetConstructor.cpp:
2900         * runtime/WeakSetPrototype.cpp:
2901         * testRegExp.cpp:
2902         * tools/JSDollarVM.cpp:
2903         * tools/JSDollarVMPrototype.cpp:
2904         * wasm/JSWebAssembly.cpp:
2905         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2906         * wasm/js/JSWebAssemblyCompileError.cpp:
2907         * wasm/js/JSWebAssemblyInstance.cpp:
2908         * wasm/js/JSWebAssemblyLinkError.cpp:
2909         * wasm/js/JSWebAssemblyMemory.cpp:
2910         * wasm/js/JSWebAssemblyModule.cpp:
2911         * wasm/js/JSWebAssemblyRuntimeError.cpp:
2912         * wasm/js/JSWebAssemblyTable.cpp:
2913         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2914         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
2915         * wasm/js/WebAssemblyFunction.cpp:
2916         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2917         * wasm/js/WebAssemblyInstancePrototype.cpp:
2918         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2919         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
2920         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2921         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2922         * wasm/js/WebAssemblyModuleConstructor.cpp:
2923         * wasm/js/WebAssemblyModulePrototype.cpp:
2924         * wasm/js/WebAssemblyModuleRecord.cpp:
2925         * wasm/js/WebAssemblyPrototype.cpp:
2926         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2927         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
2928         * wasm/js/WebAssemblyTableConstructor.cpp:
2929         * wasm/js/WebAssemblyTablePrototype.cpp:
2930         * wasm/js/WebAssemblyToJSCallee.cpp:
2931         * wasm/js/WebAssemblyWrapperFunction.cpp:
2932
2933 2017-05-17  Saam Barati  <sbarati@apple.com>
2934
2935         We don't do context switches for Wasm->Wasm call indirect
2936         https://bugs.webkit.org/show_bug.cgi?id=172188
2937         <rdar://problem/32231828>
2938
2939         Reviewed by Keith Miller.
2940
2941         We did not do a context switch when doing an indirect call. 
2942         This is clearly wrong, since the thing we're making an indirect
2943         call to could be from another instance. This patch fixes this
2944         oversight by doing a very simple context switch. I've also opened
2945         a bug to make indirect calls fast: https://bugs.webkit.org/show_bug.cgi?id=172197
2946         since this patch adds yet another branch to the indirect call path.
2947         I've also added tests that either throw or crash before this change.
2948
2949         * CMakeLists.txt:
2950         * JavaScriptCore.xcodeproj/project.pbxproj:
2951         * wasm/WasmB3IRGenerator.cpp:
2952         * wasm/js/JSWebAssemblyTable.h:
2953         (JSC::JSWebAssemblyTable::offsetOfJSFunctions):
2954         * wasm/js/WebAssemblyFunction.cpp:
2955         (JSC::WebAssemblyFunction::visitChildren):
2956         (JSC::WebAssemblyFunction::finishCreation): Deleted.
2957         * wasm/js/WebAssemblyFunction.h:
2958         (JSC::WebAssemblyFunction::instance): Deleted.
2959         (JSC::WebAssemblyFunction::offsetOfInstance): Deleted.
2960         * wasm/js/WebAssemblyFunctionBase.cpp: Added.
2961         (JSC::WebAssemblyFunctionBase::WebAssemblyFunctionBase):
2962         (JSC::WebAssemblyFunctionBase::visitChildren):
2963         (JSC::WebAssemblyFunctionBase::finishCreation):
2964         * wasm/js/WebAssemblyFunctionBase.h: Added.
2965         (JSC::WebAssemblyFunctionBase::instance):
2966         (JSC::WebAssemblyFunctionBase::offsetOfInstance):
2967         * wasm/js/WebAssemblyModuleRecord.cpp:
2968         (JSC::WebAssemblyModuleRecord::link):
2969         (JSC::WebAssemblyModuleRecord::evaluate):
2970         * wasm/js/WebAssemblyWrapperFunction.cpp:
2971         (JSC::WebAssemblyWrapperFunction::create):
2972         (JSC::WebAssemblyWrapperFunction::finishCreation):
2973         (JSC::WebAssemblyWrapperFunction::visitChildren):
2974         * wasm/js/WebAssemblyWrapperFunction.h:
2975
2976 2017-05-17  Filip Pizlo  <fpizlo@apple.com>
2977
2978         JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform
2979         https://bugs.webkit.org/show_bug.cgi?id=172208
2980
2981         Reviewed by Saam Barati.
2982
2983         * dfg/DFGArgumentsEliminationPhase.cpp:
2984
2985 2017-05-17  Don Olmstead  <don.olmstead@am.sony.com>
2986
2987         [Win] Support $vm.getpid()
2988         https://bugs.webkit.org/show_bug.cgi?id=172248
2989
2990         Reviewed by Mark Lam.
2991
2992         * tools/JSDollarVMPrototype.cpp:
2993         (JSC::functionGetPID):
2994         (JSC::JSDollarVMPrototype::finishCreation):
2995
2996 2017-05-17  Michael Saboff  <msaboff@apple.com>
2997
2998         [iOS] The Garbage Collector shouldn't rely on the bmalloc scavenger for up to date memory footprint info
2999         https://bugs.webkit.org/show_bug.cgi?id=172186
3000
3001         Reviewed by Geoffrey Garen.
3002
3003         The calls to bmalloc::api::memoryFootprint() and ::percentAvailableMemoryInUse() now call
3004         the OS to get up to date values.  In overCriticalMemoryThreshold(), we get the current value every
3005         100th call and use a cached value the rest of the time.  When collection is done, we start with
3006         a new overCriticalMemoryThreshold value for the next cycle.
3007
3008         The choice of 1 out of 100 calls was validated by using JetStream and verifying that it didn't impact
3009         performance and still provides timely memory footprint data.  With additional debug logging, I
3010         determined that we call overCriticalMemoryThreshold() over 20,000 times/second running JetStream.
3011         Other logging showed that there were over 1700 calls to overCriticalMemoryThreshold() on average per
3012         GC cycle.  Dividing both of these numbers by 100 seems reasonable.
3013
3014         * heap/Heap.cpp:
3015         (JSC::Heap::overCriticalMemoryThreshold):
3016         (JSC::Heap::updateAllocationLimits):
3017         (JSC::Heap::shouldDoFullCollection):
3018         * heap/Heap.h:
3019
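The sampling scheme described in the entry above (a real footprint query on one call in a hundred, a cached value otherwise, and a fresh start after each collection) is easy to get subtly wrong, so here it is as an added example. This is not Heap.cpp; the footprint source is injected as a callable so the query count is observable, and the critical threshold is an assumed number.

```cpp
#include <cstddef>
#include <functional>
#include <utility>

namespace memsample {

// Added example (not JavaScriptCore's Heap): "query the OS every Nth call,
// reuse the cached value in between". kQueryInterval follows the 1-in-100
// choice in the entry above; the threshold values are assumptions.
class CriticalMemoryCheck {
public:
    static constexpr unsigned kQueryInterval = 100;

    CriticalMemoryCheck(std::function<size_t()> footprintQuery, size_t criticalThreshold)
        : m_query(std::move(footprintQuery)), m_threshold(criticalThreshold) { }

    // Hot path: only every kQueryInterval-th call pays for a real query, the
    // others compare against the cached footprint.
    bool overCriticalMemoryThreshold()
    {
        if (m_callsSinceQuery == 0)
            m_cachedFootprint = m_query();
        m_callsSinceQuery = (m_callsSinceQuery + 1) % kQueryInterval;
        return m_cachedFootprint > m_threshold;
    }

    // End of a collection cycle: adopt the new threshold, take a fresh
    // reading, and restart the sampling window so the next cycle does not
    // inherit a stale cached value.
    void didFinishCollection(size_t newThreshold)
    {
        m_threshold = newThreshold;
        m_cachedFootprint = m_query();
        m_callsSinceQuery = 1;
    }

    size_t cachedFootprint() const { return m_cachedFootprint; }

private:
    std::function<size_t()> m_query;
    size_t m_threshold;
    size_t m_cachedFootprint = 0;
    unsigned m_callsSinceQuery = 0;
};

} // namespace memsample
```

The reset in didFinishCollection is the part worth noticing: without it, the first calls of a new cycle would be judged against a footprint measured before the collection freed memory.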
3020 2017-05-17  Saam Barati  <sbarati@apple.com>
3021
3022         PinnedRegisters should be better modeled in IRC/Briggs
3023         https://bugs.webkit.org/show_bug.cgi?id=171955
3024
3025         Reviewed by Filip Pizlo.
3026
3027         This patch fixes a bug in Briggs/IRC with respect to pinned registers.
3028         Pinned registers were not part of the assignable register file in IRC/Briggs,
3029         and this would lead to an asymmetry because they were modeled in the
3030         interference graph. The bug is that we use registerCount() to move various
3031         Tmps between various lists in the different allocators, and if a Tmp
3032         interfered with a pinned register (usually via a Patchpoint's clobbered set),
3033         we'd have an interference edge modeled in the degree for that Tmp, but the registerCount()
3034         would make us think that this particular Tmp is not assignable. This would
3035         lead us to fail to color a colorable graph. Specifically, this happened in
3036         our various patchpoint tests that stress the register allocator by forcing
3037         the entire register file into arguments for the patchpoint and then doing
3038         interesting things with the result, arguments, etc.
3039         
3040         This patch fixes the bug by coming up with a more natural way to model pinned
3041         registers. Pinned registers are now part of the register file. However,
3042         pinned registers are live at every point in the program (this is a defining
3043         property of a pinned register). In practice, this means that the only Tmps 
3044         that can be assigned to pinned registers are ones that are coalescing
3045         candidates. This means the program has some number of defs for a Tmp T like:
3046         MoveType pinnedReg, T
3047         
3048         Note, if any other defs for T happen, like:
3049         Add32, t1, t2, T
3050         T will have an interference edge with pinnedReg, since pinnedReg is live
3051         at every point in the program. Modeling pinned registers this way allows
3052         IRC/Briggs to have no special casing for them. It treats it like any other
3053         precolored Tmp. This allows us to do coalescing, biased coloring, etc, which
3054         could all lead to a Tmp being assigned to a pinned register.
3055         
3056         Interestingly, we used to have special handling for the frame pointer
3057         register, which in many ways, acts like a pinned register, since FP is
3058         always live, and we wanted it to take place in coalescing. The allocator
3059         had a side-table interference graph with FP. Interestingly, we didn't even
3060         handle this properly everywhere since we could rely on a patchpoint never
3061         claiming to clobber FP (this would be illegal). So the code only handled
3062         the pseudo-pinned register properties of FP in various places. This patch
3063         drops this special casing and pins FP since all pinned registers can take
3064         part in coalescing.
3065
3066         * b3/B3PatchpointSpecial.h:
3067         * b3/B3Procedure.cpp:
3068         (JSC::B3::Procedure::mutableGPRs):
3069         (JSC::B3::Procedure::mutableFPRs):
3070         * b3/B3Procedure.h:
3071         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
3072         * b3/air/AirCode.cpp:
3073         (JSC::B3::Air::Code::Code):
3074         (JSC::B3::Air::Code::pinRegister):
3075         (JSC::B3::Air::Code::mutableGPRs):
3076         (JSC::B3::Air::Code::mutableFPRs):
3077         * b3/air/AirCode.h:
3078         (JSC::B3::Air::Code::pinnedRegisters):
3079         * b3/air/AirSpecial.h:
3080         * b3/air/testair.cpp:
3081         * b3/testb3.cpp:
3082         (JSC::B3::testSimplePatchpointWithOuputClobbersGPArgs):
3083         (JSC::B3::testSpillDefSmallerThanUse):
3084         (JSC::B3::testLateRegister):
3085         (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
3086         (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
3087         (JSC::B3::testMoveConstants):
3088
3089 2017-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3090
3091         [DFG] Constant Folding Phase should convert MakeRope("", String) => Identity(String)
3092         https://bugs.webkit.org/show_bug.cgi?id=172115
3093
3094         Reviewed by Saam Barati.
3095
3096         In Fixup phase, we attempt to fold MakeRope to Identity (or reduce arguments) by dropping
3097         empty strings. However, when we are in Fixup phase, we do not have much information about
3098         constant values.
3099
3100         In ARES-6 Babylon, we find that we can constant-fold MakeRope by using constants figured
3101         out by CFA. Without it, Babylon repeatedly produces rope strings. To fix this, we introduce
3102         MakeRope handling in constant folding phase.
3103
3104         It shows 7.5% performance improvement in ARES-6 Babylon steadyState.
3105
3106             Before:
3107
3108             firstIteration:     50.02 +- 14.56 ms
3109             averageWorstCase:   26.52 +- 4.52 ms
3110             steadyState:        8.15 +- 0.23 ms
3111
3112             After:
3113
3114             firstIteration:     49.08 +- 12.90 ms
3115             averageWorstCase:   25.16 +- 3.82 ms
3116             steadyState:        7.58 +- 0.21 ms
3117
3118         * dfg/DFGAbstractInterpreterInlines.h:
3119         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3120         * dfg/DFGConstantFoldingPhase.cpp:
3121         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3122
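To make the difference between the Fixup-time and constant-folding-time versions of this fold concrete, here is an added example of the MakeRope fold on a toy node graph. It is not DFG code: the node and operand representation are constructed for illustration, and the "proven constants" map stands in for the values CFA has established, which Fixup does not have.

```cpp
#include <map>
#include <optional>
#include <string>
#include <vector>

// Added example, not DFG code: MakeRope with empty-string operands dropped,
// using constants proven by an earlier abstract-interpretation pass.
namespace ropefold {

enum class Op { Constant, Identity, MakeRope, Opaque };

struct Node {
    Op op;
    std::string constant;          // meaningful only when op == Constant
    std::vector<Node*> children;   // MakeRope: 2 or 3 operands; Identity: 1
};

// What CFA proved about non-constant nodes: the string value, if known.
// Fixup runs before this information exists, which is why the fold here
// catches cases Fixup cannot.
using ProvenConstants = std::map<const Node*, std::string>;

inline std::optional<std::string> provenValue(const ProvenConstants& proven, const Node* node)
{
    if (node->op == Op::Constant)
        return node->constant;
    auto it = proven.find(node);
    if (it == proven.end())
        return std::nullopt;
    return it->second;
}

// Folds a MakeRope node in place. Returns true if the node was changed.
inline bool foldMakeRope(Node& node, const ProvenConstants& proven)
{
    if (node.op != Op::MakeRope)
        return false;
    std::vector<Node*> kept;
    for (Node* child : node.children) {
        auto value = provenValue(proven, child);
        if (value && value->empty())
            continue;                        // "" adds nothing to the rope
        kept.push_back(child);
    }
    if (kept.size() == node.children.size())
        return false;                        // nothing to drop
    if (kept.empty()) {
        node.op = Op::Constant;              // every operand was ""
        node.constant.clear();
        node.children.clear();
        return true;
    }
    if (kept.size() == 1) {
        node.op = Op::Identity;              // MakeRope("", s) => Identity(s)
        node.children = kept;
        return true;
    }
    node.children = kept;                    // fewer operands, still a rope
    return true;
}

} // namespace ropefold
```

The second test case below is the one Fixup cannot handle: the empty operand is an opaque node whose value is only known from the proven-constants map.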
3123 2017-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3124
3125         Unreviewed, add Objective C files to CMake Mac port
3126         https://bugs.webkit.org/show_bug.cgi?id=172103
3127
3128         * shell/PlatformMac.cmake: Added.
3129
3130 2017-05-16  JF Bastien  <jfbastien@apple.com>
3131
3132         WebAssembly: enforce size limits
3133         https://bugs.webkit.org/show_bug.cgi?id=165833
3134         <rdar://problem/29760219>
3135
3136         Reviewed by Keith Miller.
3137
3138         Use the same limits as V8.
3139
3140         * JavaScriptCore.xcodeproj/project.pbxproj:
3141         * wasm/WasmLimits.h: Added.
3142         * wasm/WasmModuleParser.cpp:
3143         * wasm/WasmParser.h:
3144         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
3145
3146 2017-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3147
3148         [JSC] Build testapi in non Apple ports
3149         https://bugs.webkit.org/show_bug.cgi?id=172103
3150
3151         Reviewed by Filip Pizlo.
3152
3153         This patch makes JSC testapi buildable in non-Apple ports.
3154         We isolate CF related tests in testapi.c. If we do not use
3155         CF, we include JavaScript.h instead of JavaScriptCore.h.
3156
3157         By running the testapi in Linux, we found that the constraints
3158         test has a bug: If constraint marker runs after WeakRefs
3159         are destroyed, it accesses destroyed WeakRef. This patch
3160         also fixes it.
3161
3162         * API/tests/CurrentThisInsideBlockGetterTest.h:
3163         * API/tests/CustomGlobalObjectClassTest.c:
3164         * API/tests/ExecutionTimeLimitTest.cpp:
3165         * API/tests/FunctionOverridesTest.cpp:
3166         * API/tests/GlobalContextWithFinalizerTest.cpp:
3167         * API/tests/JSObjectGetProxyTargetTest.cpp:
3168         * API/tests/MultithreadedMultiVMExecutionTest.cpp:
3169         * API/tests/PingPongStackOverflowTest.cpp:
3170         * API/tests/TypedArrayCTest.cpp:
3171         * API/tests/testapi.c:
3172         (assertEqualsAsCharactersPtr):
3173         (markingConstraint):
3174         (testMarkingConstraintsAndHeapFinalizers):
3175         (testCFStrings):
3176         (main):
3177         * shell/CMakeLists.txt:
3178
3179 2017-05-16  JF Bastien  <jfbastien@apple.com>
3180
3181         WebAssembly: report Memory usage to GC
3182         https://bugs.webkit.org/show_bug.cgi?id=170690
3183         <rdar://problem/31965310>
3184
3185         Reviewed by Keith Miller.
3186
3187         * wasm/js/JSWebAssemblyMemory.cpp:
3188         (JSC::JSWebAssemblyMemory::grow):
3189         (JSC::JSWebAssemblyMemory::finishCreation):
3190         (JSC::JSWebAssemblyMemory::visitChildren):
3191
3192 2017-05-16  JF Bastien  <jfbastien@apple.com>
3193
3194         WebAssembly: validate load / store alignment
3195         https://bugs.webkit.org/show_bug.cgi?id=168836
3196         <rdar://problem/31965349>
3197
3198         Reviewed by Keith Miller.
3199
3200         * wasm/WasmFunctionParser.h: check the alignment
3201         * wasm/generateWasm.py: generate the log2 alignment helper
3202         (Wasm):
3203         (isSimple):
3204         (memoryLog2Alignment):
3205         * wasm/generateWasmOpsHeader.py:
3206         (memoryLog2AlignmentGenerator):
3207         * wasm/wasm.json: fix formatting
3208
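The two WebAssembly entries above (size limits, and load/store alignment) both validate immediates read from an untrusted module before acting on them, and both read those immediates as LEB128 integers. The following is an added example that serves both entries; it is not JavaScriptCore's WasmParser. The byte reader is constructed for illustration, the string size limit is an assumed placeholder rather than the value the patch adopted, and the opcode table covers the MVP memory instructions.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <optional>
#include <string>
#include <vector>

// Added example (not JavaScriptCore's parser): bounded LEB128 decoding, a
// size limit applied before any allocation, and alignment validation for
// memory instructions.
namespace wasmcheck {

// Assumed limit on the byte length of a module string; a real parser takes
// this from its limits table.
constexpr uint32_t kMaxStringSize = 100000;

struct Reader {
    const std::vector<uint8_t>& bytes;
    size_t offset = 0;

    // varuint32: at most 5 bytes, and the 5th byte may carry only 4 payload bits.
    std::optional<uint32_t> varUInt32()
    {
        uint32_t result = 0;
        for (unsigned shift = 0; shift < 35; shift += 7) {
            if (offset >= bytes.size())
                return std::nullopt;               // truncated input
            uint8_t byte = bytes[offset++];
            if (shift == 28 && (byte & 0x70))
                return std::nullopt;               // value does not fit in 32 bits
            result |= uint32_t(byte & 0x7f) << shift;
            if (!(byte & 0x80))
                return result;
        }
        return std::nullopt;                       // too many continuation bytes
    }

    // Length-prefixed string: the declared length is checked against the
    // limit and the remaining input before a single byte is copied.
    std::optional<std::string> utf8String()
    {
        auto length = varUInt32();
        if (!length || *length > kMaxStringSize)
            return std::nullopt;
        if (*length > bytes.size() - offset)
            return std::nullopt;
        std::string s(bytes.begin() + offset, bytes.begin() + offset + *length);
        offset += *length;
        return s;
    }
};

// log2 of the natural alignment of each MVP load/store opcode; nullopt for
// opcodes that are not memory accesses.
inline std::optional<unsigned> memoryLog2Alignment(uint8_t opcode)
{
    switch (opcode) {
    case 0x2c: case 0x2d: case 0x30: case 0x31: case 0x3a: case 0x3c:            // 8-bit accesses
        return 0;
    case 0x2e: case 0x2f: case 0x32: case 0x33: case 0x3b: case 0x3d:            // 16-bit accesses
        return 1;
    case 0x28: case 0x2a: case 0x34: case 0x35: case 0x36: case 0x38: case 0x3e: // 32-bit accesses
        return 2;
    case 0x29: case 0x2b: case 0x37: case 0x39:                                  // 64-bit accesses
        return 3;
    default:
        return std::nullopt;
    }
}

// Reads "opcode memarg" and checks that the declared alignment does not
// exceed the instruction's natural alignment.
inline bool parseMemoryAccess(Reader& reader)
{
    if (reader.offset >= reader.bytes.size())
        return false;
    uint8_t opcode = reader.bytes[reader.offset++];
    auto natural = memoryLog2Alignment(opcode);
    if (!natural)
        return false;
    auto alignment = reader.varUInt32();
    auto offset = reader.varUInt32();
    if (!alignment || !offset)
        return false;
    return *alignment <= *natural;
}

// Convenience entry points over constructed byte sequences.
inline bool memoryAccessIsValid(std::initializer_list<uint8_t> input)
{
    std::vector<uint8_t> bytes(input);
    Reader reader{bytes};
    return parseMemoryAccess(reader);
}

inline std::optional<std::string> readString(std::initializer_list<uint8_t> input)
{
    std::vector<uint8_t> bytes(input);
    Reader reader{bytes};
    return reader.utf8String();
}

} // namespace wasmcheck
```

The order of checks in utf8String is the point of the size-limit entry: the declared length is rejected before it can drive an allocation, so a module claiming a multi-gigabyte name costs nothing to reject.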
3209 2017-05-15  Mark Lam  <mark.lam@apple.com>
3210
3211         Rolling out r214038 and r213697: Crashes when using computed properties with rest destructuring and object spread.
3212         https://bugs.webkit.org/show_bug.cgi?id=172147
3213
3214         Rubber-stamped by Saam Barati.
3215
3216         I rolled out everything in those 2 patches except for the change to make
3217         CodeBlock::finishCreation() return a bool plus its clients that depend on this.
3218         I made this exception because r214931 relies on this change, and this part of
3219         the change looks correct.
3220
3221         * builtins/BuiltinNames.h:
3222         * builtins/GlobalOperations.js:
3223         (globalPrivate.speciesConstructor):
3224         (globalPrivate.copyDataProperties): Deleted.
3225         * bytecode/CodeBlock.cpp:
3226         (JSC::CodeBlock::finishCreation):
3227         (JSC::CodeBlock::setConstantIdentifierSetRegisters): Deleted.
3228         * bytecode/CodeBlock.h:
3229         * bytecode/UnlinkedCodeBlock.h:
3230         (JSC::UnlinkedCodeBlock::addBitVector):
3231         (JSC::UnlinkedCodeBlock::constantRegisters):
3232         (JSC::UnlinkedCodeBlock::addSetConstant): Deleted.
3233         (JSC::UnlinkedCodeBlock::constantIdentifierSets): Deleted.
3234         * bytecompiler/BytecodeGenerator.cpp:
3235         * bytecompiler/BytecodeGenerator.h:
3236         * bytecompiler/NodesCodegen.cpp:
3237         (JSC::PropertyListNode::emitBytecode):
3238         (JSC::ObjectPatternNode::bindValue):
3239         (JSC::ObjectSpreadExpressionNode::emitBytecode): Deleted.
3240         * parser/ASTBuilder.h:
3241         (JSC::ASTBuilder::createProperty):
3242         (JSC::ASTBuilder::appendObjectPatternEntry):
3243         (JSC::ASTBuilder::createObjectSpreadExpression): Deleted.
3244         (JSC::ASTBuilder::appendObjectPatternRestEntry): Deleted.
3245         (JSC::ASTBuilder::setContainsObjectRestElement): Deleted.
3246         * parser/NodeConstructors.h:
3247         (JSC::PropertyNode::PropertyNode):
3248         (JSC::SpreadExpressionNode::SpreadExpressionNode):
3249         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode): Deleted.
3250         * parser/Nodes.h:
3251         (JSC::ObjectPatternNode::appendEntry):
3252         (JSC::ObjectSpreadExpressionNode::expression): Deleted.
3253         (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
3254         * parser/Parser.cpp:
3255         (JSC::Parser<LexerType>::parseDestructuringPattern):
3256         (JSC::Parser<LexerType>::parseProperty):
3257         * parser/SyntaxChecker.h:
3258         (JSC::SyntaxChecker::createSpreadExpression):
3259         (JSC::SyntaxChecker::createProperty):
3260         (JSC::SyntaxChecker::operatorStackPop):
3261         (JSC::SyntaxChecker::createObjectSpreadExpression): Deleted.
3262         * runtime/ObjectConstructor.cpp:
3263         (JSC::ObjectConstructor::finishCreation):
3264         * runtime/SetPrototype.cpp:
3265         (JSC::SetPrototype::finishCreation):
3266
3267 2017-05-15  David Kilzer  <ddkilzer@apple.com>
3268
3269         JSEnvironmentRecord::allocationSizeForScopeSize() and offsetOfVariable(ScopeOffset) should use checked arithmetic
3270         <https://webkit.org/b/172134>
3271
3272         Reviewed by Saam Barati.
3273
3274         * runtime/JSEnvironmentRecord.h:
3275         (JSC::JSEnvironmentRecord::offsetOfVariable): Change to return
3276         size_t and use checked arithmetic.
3277         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize): Change
3278         to use checked arithmetic.
3279
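As an added illustration of the checked arithmetic the entry above calls for (example code, not JavaScriptCore's JSEnvironmentRecord), the two computations are written below with an explicit overflow check next to the unchecked form. The header and slot sizes are assumed values; the point is that a large scope size must be rejected rather than wrapped into an undersized allocation that later slot writes would overrun.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>

// Added example (not JavaScriptCore's code): a record laid out as a fixed
// header followed by an array of fixed-size variable slots. Both sizes are
// assumptions for illustration.
namespace example {

constexpr size_t kHeaderSize = 16;   // assumed header size
constexpr size_t kSlotSize = 8;      // assumed size of one variable slot

// Byte offset of variable `scopeOffset`, or nullopt if
// kHeaderSize + scopeOffset * kSlotSize would not fit in size_t.
inline std::optional<size_t> offsetOfVariable(size_t scopeOffset)
{
    constexpr size_t maxSlots = (SIZE_MAX - kHeaderSize) / kSlotSize;
    if (scopeOffset > maxSlots)
        return std::nullopt;
    return kHeaderSize + scopeOffset * kSlotSize;
}

// Allocation size for a scope holding `scopeSize` variables: the offset just
// past the last slot, with the same overflow check.
inline std::optional<size_t> allocationSizeForScopeSize(size_t scopeSize)
{
    return offsetOfVariable(scopeSize);
}

// The unchecked form, kept only for comparison: the multiplication wraps and
// a huge scope size yields a tiny allocation.
inline size_t uncheckedAllocationSize(size_t scopeSize)
{
    return kHeaderSize + scopeSize * kSlotSize;
}

} // namespace example
```

A caller that gets nullopt should fail the allocation outright; the unchecked version silently returns a header-sized allocation for a scope the size of the address space.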
3280 2017-05-15  Mark Lam  <mark.lam@apple.com>
3281
3282         WorkerRunLoop::Task::performTask() should check !scriptController->isTerminatingExecution().
3283         https://bugs.webkit.org/show_bug.cgi?id=171775
3284         <rdar://problem/30975761>
3285
3286         Reviewed by Filip Pizlo.
3287
3288         Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
3289         from 25 to 100.  From experience, I found that 25 is sometimes not sufficient
3290         for our debugging needs.
3291
3292         Also added VM::throwingThread() to track which thread an exception was thrown in.
3293         This may be useful if the client is entering the VM from different threads.
3294
3295         * runtime/ExceptionScope.cpp:
3296         (JSC::ExceptionScope::unexpectedExceptionMessage):
3297         * runtime/ExceptionScope.h:
3298         (JSC::ExceptionScope::exception):
3299         (JSC::ExceptionScope::unexpectedExceptionMessage):
3300         * runtime/Options.h:
3301         - Added the unexpectedExceptionStackTraceLimit option.
3302         * runtime/VM.cpp:
3303         (JSC::VM::throwException):
3304         * runtime/VM.h:
3305         (JSC::VM::throwingThread):
3306         (JSC::VM::clearException):
3307
3308 2017-05-13  David Kilzer  <ddkilzer@apple.com>
3309
3310         Unused lambda capture in JSContextGroupAddMarkingConstraint()
3311         <https://webkit.org/b/172084>
3312
3313         Reviewed by Saam Barati.
3314
3315         Fixes the following warning with newer clang:
3316
3317             Source/JavaScriptCore/API/JSMarkingConstraintPrivate.cpp:78:11: error: lambda capture 'vm' is not used [-Werror,-Wunused-lambda-capture]
3318                     [&vm, constraintCallback, userData]
3319                       ^
3320
3321         * API/JSMarkingConstraintPrivate.cpp:
3322         (JSContextGroupAddMarkingConstraint): Remove unused lambda
3323         capture for '&vm'.
3324
3325 2017-05-13  David Kilzer  <ddkilzer@apple.com>
3326
3327         [JSC] config.rb fails when checking some clang versions
3328         <https://webkit.org/b/172082>
3329
3330         Reviewed by Mark Lam.
3331
3332         * offlineasm/config.rb:
3333         - Add support for quad-dotted version of Apple clang (800.0.12.1).
3334         - Add support for checking open source clang version (5.0.0).
3335
3336 2017-05-13  Commit Queue  <commit-queue@webkit.org>
3337
3338         Unreviewed, rolling out r216808.
3339         https://bugs.webkit.org/show_bug.cgi?id=172075
3340
3341         caused lldb to hang when debugging (Requested by smfr on
3342         #webkit).
3343
3344         Reverted changeset:
3345
3346         "Use Mach exceptions instead of signals where possible"
3347         https://bugs.webkit.org/show_bug.cgi?id=171865
3348         http://trac.webkit.org/changeset/216808
3349
3350 2017-05-13  Commit Queue  <commit-queue@webkit.org>
3351
3352         Unreviewed, rolling out r216801.
3353         https://bugs.webkit.org/show_bug.cgi?id=172072
3354
3355         Many memory corruption crashes on worker threads (Requested by
3356         ap on #webkit).
3357
3358         Reverted changeset:
3359
3360         "WorkerRunLoop::Task::performTask() should check
3361         !scriptController->isTerminatingExecution()."
3362         https://bugs.webkit.org/show_bug.cgi?id=171775
3363         http://trac.webkit.org/changeset/216801
3364
3365 2017-05-12  Geoffrey Garen  <ggaren@apple.com>
3366
3367         [JSC] DFG::Node should not have its own allocator
3368         https://bugs.webkit.org/show_bug.cgi?id=160098
3369
3370         Reviewed by Saam Barati.
3371
3372         I just rebased the patch from <http://trac.webkit.org/changeset/203808>.
3373
3374         I ran Octane and JetStream locally on a MacBook Air and I wasn't able to
3375         reproduce a regression. Let's land this again and see what the bots say.
3376
3377         * JavaScriptCore.xcodeproj/project.pbxproj:
3378         * b3/B3SparseCollection.h:
3379         (JSC::B3::SparseCollection::packIndices):
3380         * dfg/DFGAllocator.h: Removed.
3381         * dfg/DFGDriver.cpp:
3382         (JSC::DFG::compileImpl):
3383         * dfg/DFGGraph.cpp:
3384         (JSC::DFG::Graph::Graph):
3385         (JSC::DFG::Graph::~Graph):
3386         (JSC::DFG::Graph::deleteNode):
3387         (JSC::DFG::Graph::packNodeIndices):
3388         (JSC::DFG::Graph::addNodeToMapByIndex): Deleted.
3389         * dfg/DFGGraph.h:
3390         (JSC::DFG::Graph::addNode):
3391         (JSC::DFG::Graph::maxNodeCount):
3392         (JSC::DFG::Graph::nodeAt):
3393         * dfg/DFGLongLivedState.cpp: Removed.
3394         * dfg/DFGLongLivedState.h: Removed.
3395         * dfg/DFGNode.h:
3396         * dfg/DFGNodeAllocator.h:
3397         * dfg/DFGPlan.cpp:
3398         (JSC::DFG::Plan::compileInThread):
3399         (JSC::DFG::Plan::compileInThreadImpl):
3400         * dfg/DFGPlan.h:
3401         * dfg/DFGWorklist.cpp:
3402         * runtime/VM.cpp:
3403         (JSC::VM::VM):
3404         * runtime/VM.h:
3405
3406 2017-05-12  Keith Miller  <keith_miller@apple.com>
3407
3408         Use Mach exceptions instead of signals where possible
3409         https://bugs.webkit.org/show_bug.cgi?id=171865
3410
3411         Reviewed by Mark Lam.
3412
3413         This patch adds some new JSC options. The first is an option that
3414         enables or disables web assembly tier up. The second controls
3415         whether or not we use mach exceptions (where available).
3416
3417         * API/tests/ExecutionTimeLimitTest.cpp:
3418         (dispatchTermitateCallback):
3419         (testExecutionTimeLimit):
3420         * runtime/JSLock.cpp:
3421         (JSC::JSLock::didAcquireLock):
3422         * runtime/Options.cpp:
3423         (JSC::overrideDefaults):
3424         (JSC::Options::initialize):
3425         * runtime/Options.h: