[WebKit.git] / Source / JavaScriptCore / ChangeLog
2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
        https://bugs.webkit.org/show_bug.cgi?id=174678

        Reviewed by Mark Lam.

        Use Thread& instead.

        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Implement WTF::ThreadGroup
        https://bugs.webkit.org/show_bug.cgi?id=174081

        Reviewed by Mark Lam.

        A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
        And SamplingProfiler and others interact with WTF::Thread directly.

        * API/tests/ExecutionTimeLimitTest.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::captureStack):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::MachineThreads::gatherConservativeRoots):
        (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
        (JSC::ActiveMachineThreadsManager::add): Deleted.
        (JSC::ActiveMachineThreadsManager::remove): Deleted.
        (JSC::ActiveMachineThreadsManager::contains): Deleted.
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
        (JSC::activeMachineThreadsManager): Deleted.
        (JSC::MachineThreads::~MachineThreads): Deleted.
        (JSC::MachineThreads::addCurrentThread): Deleted.
        (): Deleted.
        (JSC::MachineThreads::removeThread): Deleted.
        (JSC::MachineThreads::removeThreadIfFound): Deleted.
        (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
        (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
        (JSC::MachineThreads::MachineThread::captureStack): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::getLock):
        (JSC::MachineThreads::threads):
        (JSC::MachineThreads::MachineThread::suspend): Deleted.
        (JSC::MachineThreads::MachineThread::resume): Deleted.
        (JSC::MachineThreads::MachineThread::threadID): Deleted.
        (JSC::MachineThreads::MachineThread::stackBase): Deleted.
        (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
        (JSC::MachineThreads::threadsListHead): Deleted.
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::isValidFramePointer):
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::takeSample):
        (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
        * runtime/SamplingProfiler.h:
        * wasm/WasmMachineThreads.cpp:
        (JSC::Wasm::resetInstructionCacheOnAllThreads):

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:
        * b3/B3FoldPathConstants.cpp:
        * b3/B3LowerMacros.cpp:
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::check):
        (JSC::DFG::ByteCodeParser::planLoad):

2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF::Thread should have the threads stack bounds.
        https://bugs.webkit.org/show_bug.cgi?id=173975

        Reviewed by Mark Lam.

        There is a site in JSC that tries to walk another thread's stack.
        Currently, stack bounds are stored in WTFThreadData which is located
        in TLS. Thus, only the thread itself can access its own WTFThreadData.
        We work around this situation by holding StackBounds in MachineThread in JSC,
        but StackBounds should be put in WTF::Thread instead.

        This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
        coupled with Thread. Thus putting it in WTF::Thread is the natural choice.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThread::MachineThread):
        (JSC::MachineThreads::MachineThread::captureStack):
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::MachineThread::stackBase):
        (JSC::MachineThreads::MachineThread::stackEnd):
        * runtime/VMTraps.cpp:

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig:

2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Modernize InjectedScriptSource
        https://bugs.webkit.org/show_bug.cgi?id=173890

        Reviewed by Brian Burg.

        * inspector/InjectedScript.h:
        Reorder functions to be slightly better.

        * inspector/InjectedScriptSource.js:
        - Convert to classes named InjectedScript and RemoteObject
        - Align InjectedScript's API with the wrapper C++ interfaces
        - Move some code to RemoteObject where appropriate (subtype, describe)
        - Move some code to helper functions (isPrimitiveValue, isDefined)
        - Refactor for readability and modern features
        - Remove some unused / unnecessary code

2017-07-18  Mark Lam  <mark.lam@apple.com>

        Butterfly storage need not be initialized for indexing type Undecided.
        https://bugs.webkit.org/show_bug.cgi?id=174516

        Reviewed by Saam Barati.

        While it's not incorrect to initialize the butterfly storage when the
        indexingType is Undecided, it is inefficient as we'll end up initializing
        it again later when we convert the storage to a different indexingType.
        Some of our code already skips initializing Undecided butterflies.
        This patch makes it the consistent behavior everywhere.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):

2017-07-18  Saam Barati  <sbarati@apple.com>

        AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
        https://bugs.webkit.org/show_bug.cgi?id=174515
        <rdar://problem/33358092>

        Reviewed by Filip Pizlo.

        AirLowerAfterRegAlloc was computing the set of available scratch
        registers incorrectly. It was always excluding callee save registers
        from the set of live registers. It did not guarantee that live callee save
        registers were not in the set of scratch registers that could
        get clobbered. That's incorrect as the shuffling code is free
        to overwrite whatever is in the scratch register it gets passed.

        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/testb3.cpp:
        (JSC::B3::functionNineArgs):
        (JSC::B3::testShuffleDoesntTrashCalleeSaves):
        (JSC::B3::run):
        * jit/RegisterSet.h:

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2017-07-18  Devin Rousso  <drousso@apple.com>

        Web Inspector: Add memoryCost to Inspector Protocol objects
        https://bugs.webkit.org/show_bug.cgi?id=174478

        Reviewed by Joseph Pecoraro.

        For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
        plus the memoryCost of the data if it is a string.

        For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.

        For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
        key plus the memoryCost of the InspectorValue for each entry.

        Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp

        * inspector/InspectorValues.h:
        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::memoryCost):
        (Inspector::InspectorObjectBase::memoryCost):
        (Inspector::InspectorArrayBase::memoryCost):

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig:

2017-07-18  Michael Saboff  <msaboff@apple.com>

        [JSC] There should be a debug option to dump a compiled RegExp Pattern
        https://bugs.webkit.org/show_bug.cgi?id=174601

        Reviewed by Alex Christensen.

        Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
        objects after a regular expression has been compiled.

        * runtime/Options.h:
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::indentForNestingLevel):
        (JSC::Yarr::dumpUChar32):
        (JSC::Yarr::PatternAlternative::dump):
        (JSC::Yarr::PatternTerm::dumpQuantifier):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::PatternDisjunction::dump):
        (JSC::Yarr::YarrPattern::dumpPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::global):

2017-07-17  Darin Adler  <darin@apple.com>

        Improve use of NeverDestroyed
        https://bugs.webkit.org/show_bug.cgi?id=174348

        Reviewed by Sam Weinig.

        * heap/MachineStackMarker.cpp:
        * wasm/WasmMemory.cpp:
        Removed unneeded includes of NeverDestroyed.h in files that do not make use
        of NeverDestroyed.

2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>

        [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
        https://bugs.webkit.org/show_bug.cgi?id=174547

        Reviewed by Alex Christensen.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:

2017-07-17  Saam Barati  <sbarati@apple.com>

        Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
        https://bugs.webkit.org/show_bug.cgi?id=174584

        Rubber stamped by Keith Miller.

        I used it to diagnose a bug. The bug is now fixed. This custom
        RELEASE_ASSERT is no longer needed.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>

        -Wformat-truncation warning in ConfigFile.cpp
        https://bugs.webkit.org/show_bug.cgi?id=174506

        Reviewed by Darin Adler.

        Check if the JSC config filename would be truncated due to exceeding max path length. If so,
        return ParseError.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):

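The entry above fixes a -Wformat-truncation warning by refusing a config path that would not fit in its fixed-size buffer. The following is an added example, not the code from runtime/ConfigFile.cpp: it shows the snprintf return-value check that the warning is about, with an unchecked variant beside it so the silent truncation is visible. kMaxPathLength (deliberately tiny so the truncation case is easy to trigger), BuildResult, PathBuild and the function names are assumptions made for the example; JSC's real buffer is sized by the platform path limit and reports the failure as ParseError.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

namespace ConfigPathExample {

// Assumed for the example: a small limit so a long directory name triggers truncation.
// Real code would size this from PATH_MAX / MAX_PATH.
constexpr std::size_t kMaxPathLength = 64;

enum class BuildResult { Ok, Truncated, EncodingError };

struct PathBuild {
    BuildResult result;
    std::string path; // empty unless result == Ok
};

// Hardened form: snprintf returns the number of characters the full output would
// need (excluding the NUL). A value >= the buffer size means the buffer was cut,
// so the caller must treat the path as unusable instead of opening a wrong file.
PathBuild buildConfigPath(const std::string& directory, const std::string& fileName)
{
    char buffer[kMaxPathLength];
    int needed = std::snprintf(buffer, sizeof(buffer), "%s/%s", directory.c_str(), fileName.c_str());
    if (needed < 0)
        return { BuildResult::EncodingError, std::string() };
    if (static_cast<std::size_t>(needed) >= sizeof(buffer))
        return { BuildResult::Truncated, std::string() };
    return { BuildResult::Ok, std::string(buffer) };
}

// "Before" form for contrast: ignores the return value, so a too-long directory
// silently yields a different (shorter) path than the one that was requested.
std::string buildConfigPathUnchecked(const std::string& directory, const std::string& fileName)
{
    char buffer[kMaxPathLength];
    std::snprintf(buffer, sizeof(buffer), "%s/%s", directory.c_str(), fileName.c_str());
    return std::string(buffer);
}

} // namespace ConfigPathExample

int main()
{
    using namespace ConfigPathExample;
    // Constructed inputs: one that fits and one 60-character directory name that cannot.
    PathBuild ok = buildConfigPath("/etc/jsc", "config.txt");
    PathBuild cut = buildConfigPath(std::string(60, 'a'), "config.txt");
    std::printf("ok: result=%d path=%s\n", static_cast<int>(ok.result), ok.path.c_str());
    std::printf("cut: result=%d (unchecked would have used %zu chars)\n",
        static_cast<int>(cut.result), buildConfigPathUnchecked(std::string(60, 'a'), "config.txt").size());
    return 0;
}
```

The check is the whole fix: the compiler warning only tells you snprintf may truncate, and the return value is the one place that tells you whether it did.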
2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>

        [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
        https://bugs.webkit.org/show_bug.cgi?id=174557

        Reviewed by Michael Catanzaro.

        * CMakeLists.txt:

2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Use std::unique_ptr for StackTrace
        https://bugs.webkit.org/show_bug.cgi?id=174495

        Reviewed by Alex Christensen.

        * runtime/ExceptionScope.cpp:
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        * runtime/VM.cpp:
        (JSC::VM::throwException):

2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
        https://bugs.webkit.org/show_bug.cgi?id=174423

        Reviewed by Saam Barati.

        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::pruneHeap):
        (JSC::DFG::AvailabilityMap::pruneByLiveness):

2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>

        Fix compiler warnings when building with GCC 7
        https://bugs.webkit.org/show_bug.cgi?id=174463

        Reviewed by Darin Adler.

        * disassembler/udis86/udis86_decode.c:
        (decode_operand):

2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>

        Incorrect assertion in JSC::CallLinkInfo::callTypeFor
        https://bugs.webkit.org/show_bug.cgi?id=174467

        Reviewed by Saam Barati.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callTypeFor):

2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused and untested Page domain commands
        https://bugs.webkit.org/show_bug.cgi?id=174429

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Page.json:

2017-07-13  Saam Barati  <sbarati@apple.com>

        Missing exception check in JSObject::hasInstance
        https://bugs.webkit.org/show_bug.cgi?id=174455
        <rdar://problem/31384608>

        Reviewed by Mark Lam.

        * runtime/JSObject.cpp:
        (JSC::JSObject::hasInstance):

2017-07-13  Caio Lima  <ticaiolima@gmail.com>

        [ESnext] Implement Object Spread
        https://bugs.webkit.org/show_bug.cgi?id=167963

        Reviewed by Saam Barati.

        This patch implements ECMA262 stage 3 Object Spread proposal [1].
        It's implemented using CopyDataPropertiesNoExclusions to copy
        all enumerable keys from the object being spread. The implementation of
        CopyDataPropertiesNoExclusions follows the CopyDataProperties
        implementation, however we don't receive excludedNames as parameter.

        [1] - https://github.com/tc39/proposal-object-rest-spread

        * builtins/GlobalOperations.js:
        (globalPrivate.copyDataPropertiesNoExclusions):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        (JSC::ObjectSpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createObjectSpreadExpression):
        (JSC::ASTBuilder::createProperty):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ObjectSpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createObjectSpreadExpression):
        (JSC::SyntaxChecker::createProperty):

2017-07-12  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix after r219434.
        https://bugs.webkit.org/show_bug.cgi?id=174441

        Not reviewed.

        Make public some MacroAssembler functions that are needed by the probe implementation.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::linkCall):

2017-07-12  Mark Lam  <mark.lam@apple.com>

        Move Probe code from AbstractMacroAssembler to MacroAssembler.
        https://bugs.webkit.org/show_bug.cgi?id=174441

        Reviewed by Saam Barati.

        This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
        to MacroAssembler.  There is no code behavior change.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
        (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
        (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
        (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
        (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
        (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName):
        (JSC::MacroAssembler::CPUState::fprName):
        (JSC::MacroAssembler::CPUState::gpr):
        (JSC::MacroAssembler::CPUState::fpr):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::MacroAssemblerARM::probe): Deleted.
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::MacroAssemblerARM64::probe): Deleted.
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::MacroAssemblerARMv7::probe): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerMIPS.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::MacroAssemblerX86Common::probe): Deleted.
        * assembler/MacroAssemblerX86Common.h:

2017-07-12  Saam Barati  <sbarati@apple.com>

        GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
        https://bugs.webkit.org/show_bug.cgi?id=174411
        <rdar://problem/31696186>

        Reviewed by Mark Lam.

        The code for deleting an argument was incorrectly referencing state
        when it decided if it should unmap or mark a property as having its
        descriptor modified. This patch fixes the bug where if we delete a
        property, we would sometimes not unmap an argument when deleting it.

        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::deletePropertyByIndex):

2017-07-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r219176.
        https://bugs.webkit.org/show_bug.cgi?id=174436

        "Can cause infinite recursion on iOS" (Requested by mlam on
        #webkit).

        Reverted changeset:

        "WTF::Thread should have the threads stack bounds."
        https://bugs.webkit.org/show_bug.cgi?id=173975
        http://trac.webkit.org/changeset/219176

2017-07-12  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r219401.

        This revision rolled out the previous patch, but after talking
        with the reviewer, a rebaseline is what was needed. Rolling back in
        before rebaseline.

        Reverted changeset:

        "Unreviewed, rolling out r219379."
        https://bugs.webkit.org/show_bug.cgi?id=174400
        http://trac.webkit.org/changeset/219401

2017-07-12  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r219379.

        This revision caused a consistent failure in the test
        fast/dom/Window/property-access-on-cached-window-after-frame-
        removed.html.

        Reverted changeset:

        "Remove NAVIGATOR_HWCONCURRENCY"
        https://bugs.webkit.org/show_bug.cgi?id=174400
        http://trac.webkit.org/changeset/219379

2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>

        Wrong radix used in Unicode Escape in invalid character error message
        https://bugs.webkit.org/show_bug.cgi?id=174419

        Reviewed by Alex Christensen.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage):

2017-07-11  Dean Jackson  <dino@apple.com>

        Remove NAVIGATOR_HWCONCURRENCY
        https://bugs.webkit.org/show_bug.cgi?id=174400

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2017-07-11  Dean Jackson  <dino@apple.com>

        Rolling out r219372.

        * Configurations/FeatureDefines.xcconfig:

2017-07-11  Dean Jackson  <dino@apple.com>

        Remove NAVIGATOR_HWCONCURRENCY
        https://bugs.webkit.org/show_bug.cgi?id=174400

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2017-07-11  Saam Barati  <sbarati@apple.com>

        remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
        https://bugs.webkit.org/show_bug.cgi?id=174397

        Rubber stamped by David Kilzer.

        * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
        * wasm/js/WebAssemblyFunctionCell.h: Removed.

2017-07-10  Saam Barati  <sbarati@apple.com>

        Allocation sinking phase should consider a CheckStructure that would fail as an escape
        https://bugs.webkit.org/show_bug.cgi?id=174321
        <rdar://problem/32604963>

        Reviewed by Filip Pizlo.

        When the allocation sinking phase was generating stores to materialize
        objects in a cycle with each other, it would assume that each materialized
        object had a valid, non empty, set of structures. This is an OK assumption for
        the phase to make because how do you materialize an object with no structure?

        The abstract interpretation part of the phase will model what's in the heap.
        However, it would sometimes model that a CheckStructure would fail. The phase
        did nothing special for this; it just stored the empty set of structures for
        its representation of a particular allocation. However, what the phase proved
        in such a scenario is that, had the CheckStructure executed, it would have exited.

        This patch treats such CheckStructures and MultiGetByOffsets as escape points.
        This will cause the allocation in question to be materialized just before
        the CheckStructure, and then at execution time, the CheckStructure will exit.

        I wasn't able to write a test case for this. However, I was able to reproduce
        this crash by manually editing the IR. I've opened a separate bug to help us
        create a testing framework for writing tests for hard to reproduce bugs like this:
        https://bugs.webkit.org/show_bug.cgi?id=174322

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-07-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
        https://bugs.webkit.org/show_bug.cgi?id=174279

        Reviewed by Matt Baker.

        * inspector/protocol/DOM.json:
        Add `highlightNodeList` command that will highlight each node in the given list.

2017-07-03  Brian Burg  <bburg@apple.com>

        Web Replay: remove some unused code
        https://bugs.webkit.org/show_bug.cgi?id=173903

        Rubber-stamped by Joseph Pecoraro.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/protocol/Replay.json: Removed.
        * replay/EmptyInputCursor.h: Removed.
        * replay/EncodedValue.cpp: Removed.
        * replay/EncodedValue.h: Removed.
        * replay/InputCursor.h: Removed.
        * replay/JSInputs.json: Removed.
        * replay/NondeterministicInput.h: Removed.
        * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
        * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
        * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
        * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
        * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
        * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
        * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
        * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
        * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
        * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
        * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
        * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
        * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
        * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
        * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
        * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
        * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
        * replay/scripts/tests/generate-enum-with-guard.json: Removed.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
        * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
        * replay/scripts/tests/generate-input-with-guard.json: Removed.
        * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
        * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
        * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::dateNow):
        (JSC::deterministicCurrentTime): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::setInputCursor): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inputCursor): Deleted.

2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>

        Move make-js-file-arrays.py from WebCore to JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=174024

        Reviewed by Michael Catanzaro.

        It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
        specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
        Added command line option to pass the namespace to use instead of using WebCore.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
        (main):

2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
        https://bugs.webkit.org/show_bug.cgi?id=174296

        Reviewed by Mark Lam.

        Previously, we treated <LF><CR> as one line terminator. So we increased the line number by one.
        It caused a problem in scanning template literals. While template literals normalize
        <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
        To handle it correctly, LineNumberAdder was introduced.

        As of r219263, <LF><CR> is counted as two line terminators. So we no longer need
        LineNumberAdder. Let's just use shiftLineTerminator() instead.
707
708         * parser/Lexer.cpp:
709         (JSC::Lexer<T>::parseTemplateLiteral):
710         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
711         (JSC::LineNumberAdder::clear): Deleted.
712         (JSC::LineNumberAdder::add): Deleted.
713
714 2017-07-09  Dan Bernstein  <mitz@apple.com>
715
716         [Xcode] ICU headers aren’t treated as system headers after r219155
717         https://bugs.webkit.org/show_bug.cgi?id=174299
718
719         Reviewed by Sam Weinig.
720
721         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
722           C++ compilers.
723
724         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
725         * runtime/IntlDateTimeFormat.cpp: Ditto.
726         * runtime/JSGlobalObject.cpp: Ditto.
727         * runtime/StringPrototype.cpp: Ditto.
728
729 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
730
731         [JSC] Use fastMalloc / fastFree for STL containers
732         https://bugs.webkit.org/show_bug.cgi?id=174297
733
734         Reviewed by Sam Weinig.
735
736         In some places, we intentionally use STL containers over WTF containers.
737         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
738         because we do not have effective empty / deleted representations in the space of key's value.
739         But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
740
741         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
742         We specify this allocator to STL containers' template parameter to allocate memory from fastMalloc.
743
744         This WTF::FastAllocator gives us a chance to use STL containers if it is necessary
745         without compromising memory allocation throughput.
746
747         * dfg/DFGGraph.h:
748         * dfg/DFGIntegerCheckCombiningPhase.cpp:
749         * ftl/FTLLowerDFGToB3.cpp:
750         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
751         * runtime/FunctionHasExecutedCache.h:
752         * runtime/TypeLocationCache.h:
753
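As an added illustration of the allocator approach described above (this is not WTF's FastAllocator; fastMalloc and fastFree here are stand-ins over malloc/free that count their calls so the routing can be verified), a minimal C++ allocator plugged into STL containers through their allocator template parameter:

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>
#include <unordered_map>
#include <unordered_set>

// Stand-ins for the engine allocator (assumption, not WTF's implementation):
// a thin wrapper over malloc/free that also counts calls so a test can prove
// the container really routed its memory through them.
static size_t g_fastMallocCalls = 0;
static size_t g_fastFreeCalls = 0;

void* fastMalloc(size_t size)
{
    void* p = std::malloc(size);
    if (!p)
        throw std::bad_alloc();
    ++g_fastMallocCalls;
    return p;
}

void fastFree(void* p)
{
    if (p)
        ++g_fastFreeCalls;
    std::free(p);
}

// Minimal C++11 allocator: value_type, allocate, deallocate, a converting
// constructor (node-based containers rebind to their internal node type),
// and equality (any two FastAllocators are interchangeable).
template<typename T>
struct FastAllocator {
    using value_type = T;

    FastAllocator() = default;
    template<typename U> FastAllocator(const FastAllocator<U>&) {}

    T* allocate(size_t n)
    {
        if (n > static_cast<size_t>(-1) / sizeof(T))
            throw std::bad_array_new_length(); // overflow guard before multiplying
        return static_cast<T*>(fastMalloc(n * sizeof(T)));
    }
    void deallocate(T* p, size_t) { fastFree(p); }
};

template<typename T, typename U>
bool operator==(const FastAllocator<T>&, const FastAllocator<U>&) { return true; }
template<typename T, typename U>
bool operator!=(const FastAllocator<T>&, const FastAllocator<U>&) { return false; }

// Aliases in the spirit of the call sites listed in the entry: STL containers
// whose nodes and bucket arrays all come from fastMalloc.
template<typename Key>
using FastUnorderedSet = std::unordered_set<Key, std::hash<Key>, std::equal_to<Key>, FastAllocator<Key>>;
template<typename Key, typename Value>
using FastUnorderedMap = std::unordered_map<Key, Value, std::hash<Key>, std::equal_to<Key>,
                                            FastAllocator<std::pair<const Key, Value>>>;

// Populate a set and report how many fastMalloc calls the work took.
size_t fastMallocCallsForSet(size_t count)
{
    size_t before = g_fastMallocCalls;
    FastUnorderedSet<int> set;
    for (size_t i = 0; i < count; ++i)
        set.insert(static_cast<int>(i));
    return g_fastMallocCalls - before;
}

// Build and destroy a map, confirming every allocation went back to fastFree.
bool allAllocationsReleased(size_t count)
{
    size_t mallocBefore = g_fastMallocCalls, freeBefore = g_fastFreeCalls;
    {
        FastUnorderedMap<int, int> map;
        for (size_t i = 0; i < count; ++i)
            map.emplace(static_cast<int>(i), static_cast<int>(i * 2));
    }
    return g_fastMallocCalls > mallocBefore
        && g_fastMallocCalls - mallocBefore == g_fastFreeCalls - freeBefore;
}
```
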
754 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
755
756         Drop NOSNIFF compile flag
757         https://bugs.webkit.org/show_bug.cgi?id=174289
758
759         Reviewed by Michael Catanzaro.
760
761         * Configurations/FeatureDefines.xcconfig:
762
763 2017-07-07  AJ Ringer  <aringer@apple.com>
764
765         Lower the max_protection for the separated heap
766         https://bugs.webkit.org/show_bug.cgi?id=174281
767
768         Reviewed by Oliver Hunt.
769
770         Switch to vm_protect so we can set maximum page protection.
771
772         * jit/ExecutableAllocator.cpp:
773         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
774         (JSC::ExecutableAllocator::allocate):
775
776 2017-07-07  Devin Rousso  <drousso@apple.com>
777
778         Web Inspector: Show all elements currently using a given CSS Canvas
779         https://bugs.webkit.org/show_bug.cgi?id=173965
780
781         Reviewed by Joseph Pecoraro.
782
783         * inspector/protocol/Canvas.json:
784          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
785            canvas via -webkit-canvas.
786          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
787            added/removed from the list of -webkit-canvas clients.
788
789 2017-07-07  Mark Lam  <mark.lam@apple.com>
790
791         \n\r is not the same as \r\n.
792         https://bugs.webkit.org/show_bug.cgi?id=173053
793
794         Reviewed by Keith Miller.
795
796         * parser/Lexer.cpp:
797         (JSC::Lexer<T>::shiftLineTerminator):
798         (JSC::LineNumberAdder::add):
799
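An added example (not JavaScriptCore's lexer) covering both this entry and the LineNumberAdder removal in r219263 above: with <CR><LF> counted as one terminator and <LF><CR> as two, the line count of a template literal's source agrees with the count of its normalized text, so no separate adjustment is needed. Only <CR> and <LF> are handled; U+2028/U+2029 are left out for brevity.

```cpp
#include <cstddef>
#include <string>

// Length in source characters of the line terminator starting at src[i],
// or 0 if src[i] is not a terminator. <CR><LF> is one terminator;
// <LF><CR> is two (each half returns 1 on its own turn).
static size_t lineTerminatorLength(const std::string& src, size_t i)
{
    if (src[i] == '\r' && i + 1 < src.size() && src[i + 1] == '\n')
        return 2;
    if (src[i] == '\r' || src[i] == '\n')
        return 1;
    return 0;
}

// One increment per terminator: "a\r\nb" spans 2 lines, "a\n\rb" spans 3.
size_t countLines(const std::string& src)
{
    size_t lines = 1;
    for (size_t i = 0; i < src.size();) {
        size_t n = lineTerminatorLength(src, i);
        if (n) {
            ++lines;
            i += n;
        } else
            ++i;
    }
    return lines;
}

// Template-literal normalization: <CR><LF> and lone <CR> become <LF>, so
// <LF><CR> becomes <LF><LF>. Because the lexer now also treats <LF><CR> as
// two terminators, the two views agree on line numbers.
std::string normalizeTemplateLineTerminators(const std::string& src)
{
    std::string out;
    for (size_t i = 0; i < src.size();) {
        size_t n = lineTerminatorLength(src, i);
        if (n) {
            out += '\n';
            i += n;
        } else
            out += src[i++];
    }
    return out;
}

// The invariant that made LineNumberAdder unnecessary.
bool lineCountsAgree(const std::string& src)
{
    return countLines(src) == countLines(normalizeTemplateLineTerminators(src));
}
```
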
800 2017-07-07  Commit Queue  <commit-queue@webkit.org>
801
802         Unreviewed, rolling out r219238, r219239, and r219241.
803         https://bugs.webkit.org/show_bug.cgi?id=174265
804
805         "fast/workers/dedicated-worker-lifecycle.html is flaky"
806         (Requested by yusukesuzuki on #webkit).
807
808         Reverted changesets:
809
810         "[WTF] Implement WTF::ThreadGroup"
811         https://bugs.webkit.org/show_bug.cgi?id=174081
812         http://trac.webkit.org/changeset/219238
813
814         "Unreviewed, build fix after r219238"
815         https://bugs.webkit.org/show_bug.cgi?id=174081
816         http://trac.webkit.org/changeset/219239
817
818         "Unreviewed, CLoop build fix after r219238"
819         https://bugs.webkit.org/show_bug.cgi?id=174081
820         http://trac.webkit.org/changeset/219241
821
822 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
823
824         Unreviewed, CLoop build fix after r219238
825         https://bugs.webkit.org/show_bug.cgi?id=174081
826
827         * heap/MachineStackMarker.cpp:
828
829 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
830
831         [WTF] Implement WTF::ThreadGroup
832         https://bugs.webkit.org/show_bug.cgi?id=174081
833
834         Reviewed by Mark Lam.
835
836         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
837         And SamplingProfiler and others interact with WTF::Thread directly.
838
839         * API/tests/ExecutionTimeLimitTest.cpp:
840         * heap/MachineStackMarker.cpp:
841         (JSC::MachineThreads::MachineThreads):
842         (JSC::captureStack):
843         (JSC::MachineThreads::tryCopyOtherThreadStack):
844         (JSC::MachineThreads::tryCopyOtherThreadStacks):
845         (JSC::MachineThreads::gatherConservativeRoots):
846         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
847         (JSC::ActiveMachineThreadsManager::add): Deleted.
848         (JSC::ActiveMachineThreadsManager::remove): Deleted.
849         (JSC::ActiveMachineThreadsManager::contains): Deleted.
850         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
851         (JSC::activeMachineThreadsManager): Deleted.
852         (JSC::MachineThreads::~MachineThreads): Deleted.
853         (JSC::MachineThreads::addCurrentThread): Deleted.
854         (): Deleted.
855         (JSC::MachineThreads::removeThread): Deleted.
856         (JSC::MachineThreads::removeThreadIfFound): Deleted.
857         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
858         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
859         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
860         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
861         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
862         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
863         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
864         * heap/MachineStackMarker.h:
865         (JSC::MachineThreads::addCurrentThread):
866         (JSC::MachineThreads::getLock):
867         (JSC::MachineThreads::threads):
868         (JSC::MachineThreads::MachineThread::suspend): Deleted.
869         (JSC::MachineThreads::MachineThread::resume): Deleted.
870         (JSC::MachineThreads::MachineThread::threadID): Deleted.
871         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
872         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
873         (JSC::MachineThreads::threadsListHead): Deleted.
874         * runtime/SamplingProfiler.cpp:
875         (JSC::FrameWalker::isValidFramePointer):
876         (JSC::SamplingProfiler::SamplingProfiler):
877         (JSC::SamplingProfiler::takeSample):
878         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
879         * runtime/SamplingProfiler.h:
880         * wasm/WasmMachineThreads.cpp:
881         (JSC::Wasm::resetInstructionCacheOnAllThreads):
882
883 2017-07-06  Saam Barati  <sbarati@apple.com>
884
885         We are missing places where we invalidate the for-in context
886         https://bugs.webkit.org/show_bug.cgi?id=174184
887
888         Reviewed by Geoffrey Garen.
889
890         * bytecompiler/BytecodeGenerator.cpp:
891         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
892         * bytecompiler/NodesCodegen.cpp:
893         (JSC::EmptyLetExpression::emitBytecode):
894         (JSC::ForInNode::emitLoopHeader):
895         (JSC::ForOfNode::emitBytecode):
896         (JSC::BindingNode::bindValue):
897
898 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
899
900         Unreviewed, suppress warnings in GCC environment
901
902         * dfg/DFGObjectAllocationSinkingPhase.cpp:
903         * runtime/IntlCollator.cpp:
904         * runtime/IntlDateTimeFormat.cpp:
905         * runtime/JSGlobalObject.cpp:
906         * runtime/StringPrototype.cpp:
907
908 2017-07-05  Saam Barati  <sbarati@apple.com>
909
910         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
911         https://bugs.webkit.org/show_bug.cgi?id=174188
912         <rdar://problem/30581423>
913
914         Reviewed by Mark Lam.
915
916         We were calling lowJSValue(edge) when we were speculating the
917         edge as double. This isn't allowed. We should have been using
918         lowDouble.
919         
920         This patch also adds a new option, called useArrayAllocationProfiling,
921         which defaults to true. When false, it will make the array allocation
922         profile not actually sample seen arrays. It'll force the allocation
923         profile's predicted indexing type to be ArrayWithUndecided. Adding
924         this option made it trivial to write a test for this bug.
925
926         * bytecode/ArrayAllocationProfile.cpp:
927         (JSC::ArrayAllocationProfile::updateIndexingType):
928         * ftl/FTLLowerDFGToB3.cpp:
929         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
930         * runtime/Options.h:
931
932 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
933
934         WTF::Thread should have the thread's stack bounds.
935         https://bugs.webkit.org/show_bug.cgi?id=173975
936
937         Reviewed by Keith Miller.
938
939         There is a site in JSC that tries to walk another thread's stack.
940         Currently, stack bounds are stored in WTFThreadData which is located
941         in TLS. Thus, only the thread itself can access its own WTFThreadData.
942         We work around this situation by holding StackBounds in MachineThread in JSC,
943         but StackBounds should be put in WTF::Thread instead.
944
945         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
946         information is tightly coupled with Thread. Thus putting it in WTF::Thread
947         is a natural choice.
948
949         * heap/MachineStackMarker.cpp:
950         (JSC::MachineThreads::MachineThread::MachineThread):
951         (JSC::MachineThreads::MachineThread::captureStack):
952         * heap/MachineStackMarker.h:
953         (JSC::MachineThreads::MachineThread::stackBase):
954         (JSC::MachineThreads::MachineThread::stackEnd):
955         * runtime/InitializeThreading.cpp:
956         (JSC::initializeThreading):
957         * runtime/VM.cpp:
958         (JSC::VM::VM):
959         (JSC::VM::updateStackLimits):
960         (JSC::VM::committedStackByteCount):
961         * runtime/VM.h:
962         (JSC::VM::isSafeToRecurse):
963         * runtime/VMEntryScope.cpp:
964         (JSC::VMEntryScope::VMEntryScope):
965         * runtime/VMInlines.h:
966         (JSC::VM::ensureStackCapacityFor):
967         * runtime/VMTraps.cpp:
968         * yarr/YarrPattern.cpp:
969         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
970
971 2017-07-05  Keith Miller  <keith_miller@apple.com>
972
973         Crashing with information should have an abort reason
974         https://bugs.webkit.org/show_bug.cgi?id=174185
975
976         Reviewed by Saam Barati.
977
978         Add crash information for the abstract interpreter and add an enum
979         value for object allocation sinking.
980
981         * assembler/AbortReason.h:
982         * dfg/DFGAbstractInterpreterInlines.h:
983         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
984         * dfg/DFGGraph.cpp:
985         (JSC::DFG::logDFGAssertionFailure):
986         * dfg/DFGObjectAllocationSinkingPhase.cpp:
987
988 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
989
990         Remove copy of ICU headers from WebKit
991         https://bugs.webkit.org/show_bug.cgi?id=116407
992
993         Reviewed by Alex Christensen.
994
995         Use WTF's copy of ICU headers.
996
997         * Configurations/Base.xcconfig:
998         * icu/unicode/localpointer.h: Removed.
999         * icu/unicode/parseerr.h: Removed.
1000         * icu/unicode/platform.h: Removed.
1001         * icu/unicode/ptypes.h: Removed.
1002         * icu/unicode/putil.h: Removed.
1003         * icu/unicode/uchar.h: Removed.
1004         * icu/unicode/ucnv.h: Removed.
1005         * icu/unicode/ucnv_err.h: Removed.
1006         * icu/unicode/ucol.h: Removed.
1007         * icu/unicode/uconfig.h: Removed.
1008         * icu/unicode/ucurr.h: Removed.
1009         * icu/unicode/uenum.h: Removed.
1010         * icu/unicode/uiter.h: Removed.
1011         * icu/unicode/uloc.h: Removed.
1012         * icu/unicode/umachine.h: Removed.
1013         * icu/unicode/unorm.h: Removed.
1014         * icu/unicode/unorm2.h: Removed.
1015         * icu/unicode/urename.h: Removed.
1016         * icu/unicode/uscript.h: Removed.
1017         * icu/unicode/uset.h: Removed.
1018         * icu/unicode/ustring.h: Removed.
1019         * icu/unicode/utf.h: Removed.
1020         * icu/unicode/utf16.h: Removed.
1021         * icu/unicode/utf8.h: Removed.
1022         * icu/unicode/utf_old.h: Removed.
1023         * icu/unicode/utypes.h: Removed.
1024         * icu/unicode/uvernum.h: Removed.
1025         * icu/unicode/uversion.h: Removed.
1026         * runtime/IntlCollator.cpp:
1027         * runtime/IntlDateTimeFormat.cpp:
1028         (JSC::IntlDateTimeFormat::partTypeString):
1029         * runtime/JSGlobalObject.cpp:
1030         * runtime/StringPrototype.cpp:
1031         (JSC::normalize):
1032         (JSC::stringProtoFuncNormalize):
1033
1034 2017-07-05  Devin Rousso  <drousso@apple.com>
1035
1036         Web Inspector: Allow users to log any tracked canvas context
1037         https://bugs.webkit.org/show_bug.cgi?id=173397
1038         <rdar://problem/33111581>
1039
1040         Reviewed by Joseph Pecoraro.
1041
1042         * inspector/protocol/Canvas.json:
1043         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
1044
1045 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
1046
1047         Add WebKitPrivateFrameworkStubs for iOS 11
1048         https://bugs.webkit.org/show_bug.cgi?id=173988
1049
1050         Reviewed by David Kilzer.
1051
1052         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
1053         same directory for private framework stubs.
1054
1055 2017-07-05  JF Bastien  <jfbastien@apple.com>
1056
1057         WebAssembly: implement name section's module name, skip unknown sections
1058         https://bugs.webkit.org/show_bug.cgi?id=172008
1059
1060         Reviewed by Keith Miller.
1061
1062         Parse the WebAssembly module name properly, and skip unknown
1063         sections. This is useful because as toolchains support new types
1064         of names we want to keep displaying the information we know about
1065         and simply ignore new information. That capability was designed
1066         into WebAssembly's name section.
1067
1068         Failure to commit this patch would mean that WebKit won't display
1069         stack trace information, which would make developers sad.
1070
1071         Module names were added here: https://github.com/WebAssembly/design/pull/1055
1072
1073         Note that this patch doesn't do anything with the parsed name! Two
1074         reasons for this: module names aren't supported in binaryen yet,
1075         so I can't write a simple binary test; and using the name is a
1076         slightly riskier change because it requires changing StackVisitor
1077         + StackFrame (where they print "[wasm code]") which requires
1078         figuring out the frame's Module. The latter bit isn't trivial
1079         because we only know wasm frames from their tag bits, and
1080         CodeBlocks are always nullptr.
1081
1082         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
1083
1084         I filed #174098 to use the module name.
1085
1086         * wasm/WasmFormat.h:
1087         (JSC::Wasm::isValidNameType):
1088         * wasm/WasmNameSectionParser.cpp:
1089
1090 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
1091
1092         Cleanup some StringBuilder use
1093         https://bugs.webkit.org/show_bug.cgi?id=174118
1094
1095         Reviewed by Andreas Kling.
1096
1097         * runtime/FunctionConstructor.cpp:
1098         (JSC::constructFunctionSkippingEvalEnabledCheck):
1099         * tools/FunctionOverrides.cpp:
1100         (JSC::parseClause):
1101         * wasm/WasmOMGPlan.cpp:
1102         * wasm/WasmPlan.cpp:
1103         * wasm/WasmValidate.cpp:
1104
1105 2017-07-03  Saam Barati  <sbarati@apple.com>
1106
1107         LayoutTest workers/bomb.html is a Crash
1108         https://bugs.webkit.org/show_bug.cgi?id=167757
1109         <rdar://problem/33086462>
1110
1111         Reviewed by Keith Miller.
1112
1113         VMTraps::SignalSender was accessing VM fields even after
1114         the VM was destroyed. This happened when the SignalSender
1115         thread was in the middle of its work() function while VMTraps
1116         was notified that the VM was shutting down. The VM would proceed
1117         to run its destructor even after the SignalSender thread finished
1118         doing its work. This means that the SignalSender thread was accessing
1119         VM fields even after the VM was destructed (including itself, since it is
1120         transitively owned by the VM). The VM must wait for the SignalSender
1121         thread to shutdown before it can continue to destruct itself.
1122
1123         * runtime/VMTraps.cpp:
1124         (JSC::VMTraps::willDestroyVM):
1125
1126 2017-07-03  Saam Barati  <sbarati@apple.com>
1127
1128         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
1129         https://bugs.webkit.org/show_bug.cgi?id=174110
1130
1131         Reviewed by Michael Saboff.
1132
1133         * dfg/DFGByteCodeParser.cpp:
1134         (JSC::DFG::ByteCodeParser::parseBlock):
1135
1136 2017-07-03  Saam Barati  <sbarati@apple.com>
1137
1138         Add a new assertion to object allocation sinking phase
1139         https://bugs.webkit.org/show_bug.cgi?id=174107
1140
1141         Rubber stamped by Filip Pizlo.
1142
1143         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1144
1145 2017-07-03  Commit Queue  <commit-queue@webkit.org>
1146
1147         Unreviewed, rolling out r219060.
1148         https://bugs.webkit.org/show_bug.cgi?id=174108
1149
1150         crashing constantly when initializing UIWebView (Requested by
1151         thorton on #webkit).
1152
1153         Reverted changeset:
1154
1155         "WTF::Thread should have the thread's stack bounds."
1156         https://bugs.webkit.org/show_bug.cgi?id=173975
1157         http://trac.webkit.org/changeset/219060
1158
1159 2017-07-03  Matt Lewis  <jlewis3@apple.com>
1160
1161         Unreviewed, rolling out r219103.
1162
1163         Caused multiple build failures.
1164
1165         Reverted changeset:
1166
1167         "Remove copy of ICU headers from WebKit"
1168         https://bugs.webkit.org/show_bug.cgi?id=116407
1169         http://trac.webkit.org/changeset/219103
1170
1171 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
1172
1173         Remove copy of ICU headers from WebKit
1174         https://bugs.webkit.org/show_bug.cgi?id=116407
1175
1176         Reviewed by Alex Christensen.
1177
1178         Use WTF's copy of ICU headers.
1179
1180         * Configurations/Base.xcconfig:
1181         * icu/unicode/localpointer.h: Removed.
1182         * icu/unicode/parseerr.h: Removed.
1183         * icu/unicode/platform.h: Removed.
1184         * icu/unicode/ptypes.h: Removed.
1185         * icu/unicode/putil.h: Removed.
1186         * icu/unicode/uchar.h: Removed.
1187         * icu/unicode/ucnv.h: Removed.
1188         * icu/unicode/ucnv_err.h: Removed.
1189         * icu/unicode/ucol.h: Removed.
1190         * icu/unicode/uconfig.h: Removed.
1191         * icu/unicode/ucurr.h: Removed.
1192         * icu/unicode/uenum.h: Removed.
1193         * icu/unicode/uiter.h: Removed.
1194         * icu/unicode/uloc.h: Removed.
1195         * icu/unicode/umachine.h: Removed.
1196         * icu/unicode/unorm.h: Removed.
1197         * icu/unicode/unorm2.h: Removed.
1198         * icu/unicode/urename.h: Removed.
1199         * icu/unicode/uscript.h: Removed.
1200         * icu/unicode/uset.h: Removed.
1201         * icu/unicode/ustring.h: Removed.
1202         * icu/unicode/utf.h: Removed.
1203         * icu/unicode/utf16.h: Removed.
1204         * icu/unicode/utf8.h: Removed.
1205         * icu/unicode/utf_old.h: Removed.
1206         * icu/unicode/utypes.h: Removed.
1207         * icu/unicode/uvernum.h: Removed.
1208         * icu/unicode/uversion.h: Removed.
1209         * runtime/IntlCollator.cpp:
1210         * runtime/IntlDateTimeFormat.cpp:
1211         * runtime/JSGlobalObject.cpp:
1212         * runtime/StringPrototype.cpp:
1213
1214 2017-07-03  Saam Barati  <sbarati@apple.com>
1215
1216         Add better crash logging for allocation sinking phase
1217         https://bugs.webkit.org/show_bug.cgi?id=174102
1218         <rdar://problem/33112092>
1219
1220         Rubber stamped by Filip Pizlo.
1221
1222         I'm trying to gather better information from crashlogs about why
1223         we're crashing in the allocation sinking phase. I'm adding an allocation
1224         sinking specific RELEASE_ASSERT as well as marking a few functions as
1225         NEVER_INLINE to have the stack traces in the crash trace contain more
1226         actionable information.
1227
1228         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1229
1230 2017-07-03  Sam Weinig  <sam@webkit.org>
1231
1232         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
1233         https://bugs.webkit.org/show_bug.cgi?id=174083
1234
1235         Reviewed by Alex Christensen.
1236
1237         * Configurations/FeatureDefines.xcconfig:
1238         Add ENABLE_NAVIGATOR_STANDALONE.
1239
1240 2017-07-03  Andy Estes  <aestes@apple.com>
1241
1242         [Xcode] Add an experimental setting to build with ccache
1243         https://bugs.webkit.org/show_bug.cgi?id=173875
1244
1245         Reviewed by Tim Horton.
1246
1247         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
1248
1249 2017-07-03  Devin Rousso  <drousso@apple.com>
1250
1251         Web Inspector: Support listing WebGL2 and WebGPU contexts
1252         https://bugs.webkit.org/show_bug.cgi?id=173396
1253
1254         Reviewed by Joseph Pecoraro.
1255
1256         * inspector/protocol/Canvas.json:
1257         * inspector/scripts/codegen/generator.py:
1258         (Generator.stylized_name_for_enum_value):
1259         Add cases for handling new Canvas.ContextType protocol enumerations:
1260          - "webgl2" maps to `WebGL2`
1261          - "webgpu" maps to `WebGPU`
1262
1263 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1264
1265         WTF::Thread should have the thread's stack bounds.
1266         https://bugs.webkit.org/show_bug.cgi?id=173975
1267
1268         Reviewed by Mark Lam.
1269
1270         There is a site in JSC that tries to walk another thread's stack.
1271         Currently, stack bounds are stored in WTFThreadData which is located
1272         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1273         We work around this situation by holding StackBounds in MachineThread in JSC,
1274         but StackBounds should be put in WTF::Thread instead.
1275
1276         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
1277         information is tightly coupled with Thread. Thus putting it in WTF::Thread
1278         is a natural choice.
1279
1280         * heap/MachineStackMarker.cpp:
1281         (JSC::MachineThreads::MachineThread::MachineThread):
1282         (JSC::MachineThreads::MachineThread::captureStack):
1283         * heap/MachineStackMarker.h:
1284         (JSC::MachineThreads::MachineThread::stackBase):
1285         (JSC::MachineThreads::MachineThread::stackEnd):
1286         * runtime/InitializeThreading.cpp:
1287         (JSC::initializeThreading):
1288         * runtime/VM.cpp:
1289         (JSC::VM::VM):
1290         (JSC::VM::updateStackLimits):
1291         (JSC::VM::committedStackByteCount):
1292         * runtime/VM.h:
1293         (JSC::VM::isSafeToRecurse):
1294         * runtime/VMEntryScope.cpp:
1295         (JSC::VMEntryScope::VMEntryScope):
1296         * runtime/VMInlines.h:
1297         (JSC::VM::ensureStackCapacityFor):
1298         * runtime/VMTraps.cpp:
1299         * yarr/YarrPattern.cpp:
1300         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1301
1302 2017-07-01  Dan Bernstein  <mitz@apple.com>
1303
1304         [iOS] Remove code only needed when building for iOS 9.x
1305         https://bugs.webkit.org/show_bug.cgi?id=174068
1306
1307         Reviewed by Tim Horton.
1308
1309         * Configurations/FeatureDefines.xcconfig:
1310         * jit/ExecutableAllocator.cpp:
1311         * runtime/Options.cpp:
1312         (JSC::recomputeDependentOptions):
1313
1314 2017-07-01  Dan Bernstein  <mitz@apple.com>
1315
1316         [macOS] Remove code only needed when building for OS X Yosemite
1317         https://bugs.webkit.org/show_bug.cgi?id=174067
1318
1319         Reviewed by Tim Horton.
1320
1321         * API/WebKitAvailability.h:
1322         * Configurations/Base.xcconfig:
1323         * Configurations/DebugRelease.xcconfig:
1324         * Configurations/FeatureDefines.xcconfig:
1325         * Configurations/Version.xcconfig:
1326
1327 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1328
1329         Unreviewed, build fix for GCC
1330         https://bugs.webkit.org/show_bug.cgi?id=174034
1331
1332         * b3/testb3.cpp:
1333         (JSC::B3::testDoubleLiteralComparison):
1334
1335 2017-06-30  Keith Miller  <keith_miller@apple.com>
1336
1337         Force crashWithInfo to be out of line.
1338         https://bugs.webkit.org/show_bug.cgi?id=174028
1339
1340         Reviewed by Filip Pizlo.
1341
1342         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
1343
1344         * dfg/DFGGraph.cpp:
1345         (JSC::DFG::logDFGAssertionFailure):
1346         (JSC::DFG::Graph::logAssertionFailure):
1347         (JSC::DFG::crash): Deleted.
1348         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
1349         * dfg/DFGGraph.h:
1350
1351 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1352
1353         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
1354         https://bugs.webkit.org/show_bug.cgi?id=174053
1355
1356         Reviewed by Geoffrey Garen.
1357
1358         We already have AbstractMacroAssembler::random() function. Use it instead.
1359
1360         * jit/JIT.cpp:
1361         (JSC::JIT::JIT):
1362         (JSC::JIT::compileWithoutLinking):
1363         * jit/JIT.h:
1364
1365 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1366
1367         [WTF] Drop SymbolRegistry::keyForSymbol
1368         https://bugs.webkit.org/show_bug.cgi?id=174052
1369
1370         Reviewed by Sam Weinig.
1371
1372         * runtime/SymbolConstructor.cpp:
1373         (JSC::symbolConstructorKeyFor):
1374
1375 2017-06-30  Saam Barati  <sbarati@apple.com>
1376
1377         B3ReduceStrength should reduce EqualOrUnordered over const float input
1378         https://bugs.webkit.org/show_bug.cgi?id=174039
1379
1380         Reviewed by Michael Saboff.
1381
1382         We perform this folding for ConstDoubleValue. It is simply
1383         an oversight that we didn't do it for ConstFloatValue.
1384
1385         * b3/B3ConstFloatValue.cpp:
1386         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
1387         * b3/B3ConstFloatValue.h:
1388         * b3/testb3.cpp:
1389         (JSC::B3::testFloatEqualOrUnorderedFolding):
1390         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
1391         (JSC::B3::testFloatEqualOrUnorderedDontFold):
1392         (JSC::B3::run):
1393
1394 2017-06-30  Matt Baker  <mattbaker@apple.com>
1395
1396         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
1397         https://bugs.webkit.org/show_bug.cgi?id=173840
1398         <rdar://problem/30840820>
1399
1400         Reviewed by Joseph Pecoraro.
1401
1402         When truncating an asynchronous stack trace, the parent chain is traversed
1403         until a locked node is found. The path from this node to the root is shared
1404         by more than one stack trace, and cannot be safely modified. Starting at
1405         the first locked node, the path is cloned and becomes a new stack trace tree.
1406
1407         However, the clone operation initialized each new AsyncStackTrace node with
1408         the original node's parent. This would increment the child count of the original
1409         node. When cloning nodes, new nodes should not have their parent set until the
1410         next node up the parent chain is cloned.
1411
1412         * inspector/AsyncStackTrace.cpp:
1413         (Inspector::AsyncStackTrace::truncate):
1414
1415 2017-06-30  Michael Saboff  <msaboff@apple.com>
1416
1417         RegExps anchored with .* with \g flag can return wrong match start for strings with multiple matches
1418         https://bugs.webkit.org/show_bug.cgi?id=174044
1419
1420         Reviewed by Oliver Hunt.
1421
1422         The .* enclosure optimization didn't respect that we can start matching from a non-zero
1423         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
1424         then finding the extent of the match by going back to the beginning of the line and going
1425         forward to the end of the line.  The code that went back to the beginning of the line
1426         checked for an index of 0 instead of comparing the index to the start position.  This start
1427         position is passed as the initial index.
1428
1429         Added another temporary register to the YARR JIT to contain the start position for
1430         platforms that have spare registers.
1431
1432         * yarr/Yarr.h:
1433         * yarr/YarrInterpreter.cpp:
1434         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
1435         (JSC::Yarr::Interpreter::Interpreter):
1436         * yarr/YarrJIT.cpp:
1437         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1438         (JSC::Yarr::YarrGenerator::compile):
1439         * yarr/YarrPattern.cpp:
1440         (JSC::Yarr::YarrPattern::YarrPattern):
1441         * yarr/YarrPattern.h:
1442         (JSC::Yarr::YarrPattern::reset):
1443
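An added model of the .* enclosure extent computation described above (not YARR's code): the enclosed term is located first, then the match is widened to the surrounding line. The backward walk must stop at the start position as well as at a line terminator; startIndex here plays the role of the initial index a /g RegExp resumes from, and the term is assumed to contain no line terminators.

```cpp
#include <cstddef>
#include <string>

struct MatchRange {
    size_t start;
    size_t end;
    bool matched;
};

static bool isLineTerminator(char c)
{
    return c == '\n' || c == '\r';
}

// Widen from the term position to the line extent. With stopAtStartIndex
// false the backward walk only stops at index 0 or a terminator, which is the
// defect the entry describes; with it true the walk also stops at startIndex.
static MatchRange dotStarEnclosure(const std::string& s, size_t startIndex,
                                   const std::string& term, bool stopAtStartIndex)
{
    size_t at = s.find(term, startIndex);
    if (at == std::string::npos)
        return { 0, 0, false };

    // Leading .* : walk back to the line start, but never before startIndex.
    size_t floor = stopAtStartIndex ? startIndex : 0;
    size_t begin = at;
    while (begin > floor && !isLineTerminator(s[begin - 1]))
        --begin;

    // Trailing .* : walk forward to the end of the line.
    size_t end = at + term.size();
    while (end < s.size() && !isLineTerminator(s[end]))
        ++end;

    return { begin, end, true };
}

// Behaviour before the fix: the match start is reported too early whenever
// matching resumed mid-line.
MatchRange buggyEnclosure(const std::string& s, size_t startIndex, const std::string& term)
{
    return dotStarEnclosure(s, startIndex, term, false);
}

// Behaviour after the fix: the start position bounds the backward walk.
MatchRange fixedEnclosure(const std::string& s, size_t startIndex, const std::string& term)
{
    return dotStarEnclosure(s, startIndex, term, true);
}
```
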
1444 2017-06-30  Saam Barati  <sbarati@apple.com>
1445
1446         B3MoveConstants floatZero() returns the wrong ValueKey
1447         https://bugs.webkit.org/show_bug.cgi?id=174040
1448
1449         Reviewed by Filip Pizlo.
1450
1451         It had a typo where the ValueKey for floatZero() produces a Double
1452         instead of a Float.
1453
1454         * b3/B3MoveConstants.cpp:
1455
1456 2017-06-30  Saam Barati  <sbarati@apple.com>
1457
1458         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
1459         https://bugs.webkit.org/show_bug.cgi?id=174034
1460         <rdar://problem/30793007>
1461
1462         Reviewed by Filip Pizlo.
1463
1464         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
1465         reduce binary operations over double constants into the same binary
1466         operation over the double constants casted to floats. This is clearly
1467         incorrect as these two things will produce different values. For example:
1468         
1469         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
1470         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
1471         c = EqualOrUnordered(@a, @b) // produces 0
1472         
1473         into:
1474         
1475         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
1476         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
1477         c = EqualOrUnordered(@a, @b) // produces 1
1478         
1479         Which produces a different value for @c.
1480
1481         * b3/B3ReduceDoubleToFloat.cpp:
1482         * b3/testb3.cpp:
1483         (JSC::B3::doubleEq):
1484         (JSC::B3::doubleNeq):
1485         (JSC::B3::doubleGt):
1486         (JSC::B3::doubleGte):
1487         (JSC::B3::doubleLt):
1488         (JSC::B3::doubleLte):
1489         (JSC::B3::testDoubleLiteralComparison):
1490         (JSC::B3::run):
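
An added example (not WebKit's B3 code) that reproduces the entry's constants in plain C++: the comparison is evaluated over the double constants and over their float-narrowed forms, and a round-trip guard is shown as one conservative way to decide when a double constant can be narrowed; the guard is an assumption for illustration, not the actual fix.

```cpp
// Added example, not WebKit's B3 code: the comparison from the entry above,
// evaluated over the double constants and over their float-narrowed forms.
#include <cfloat>
#include <cmath>
#include <cstdint>
#include <cstring>

// bitwise_cast<double>(bits): reinterpret the 64-bit pattern as a double.
static double doubleFromBits(uint64_t bits)
{
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

static uint64_t bitsFromDouble(double d)
{
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits;
}

// B3's EqualOrUnordered: 1 if a == b or either operand is NaN, else 0.
template<typename T>
static int equalOrUnordered(T a, T b)
{
    return (a == b || std::isnan(a) || std::isnan(b)) ? 1 : 0;
}

// The IR as written: EqualOrUnordered over the DoubleConst operands.
int compareAsDoubles(uint64_t aBits, uint64_t bBits)
{
    return equalOrUnordered(doubleFromBits(aBits), doubleFromBits(bBits));
}

// The IR after the unsound reduction: operands rewritten to
// FloatConst(static_cast<float>(...)) and compared as floats.
int compareAfterFloatReduction(uint64_t aBits, uint64_t bBits)
{
    float a = static_cast<float>(doubleFromBits(aBits));
    float b = static_cast<float>(doubleFromBits(bBits));
    return equalOrUnordered(a, b);
}

// A conservative guard (an assumption for illustration, not the actual B3
// fix): a double constant may be narrowed only if double -> float -> double
// returns the identical bit pattern. 0x8000000000000001 (-2^-1074) fails
// because it rounds to -0.0f; 1.0 and 0.0 pass.
bool constantSurvivesFloatNarrowing(uint64_t bits)
{
    double d = doubleFromBits(bits);
    if (std::isfinite(d) && std::fabs(d) > static_cast<double>(FLT_MAX))
        return false; // outside float range; narrowing is not representable
    double roundTrip = static_cast<double>(static_cast<float>(d));
    return bitsFromDouble(roundTrip) == bits;
}

int main()
{
    const uint64_t a = 0x8000000000000001ull; // smallest negative subnormal double
    const uint64_t b = 0x0000000000000000ull; // +0.0
    // doubles: -2^-1074 != 0.0 gives 0; floats: -0.0f == 0.0f gives 1
    bool reproduced = compareAsDoubles(a, b) == 0 && compareAfterFloatReduction(a, b) == 1;
    return reproduced ? 0 : 1;
}
```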
1491
1492 2017-06-29  Jer Noble  <jer.noble@apple.com>
1493
1494         Make Legacy EME API controlled by RuntimeEnabled setting.
1495         https://bugs.webkit.org/show_bug.cgi?id=173994
1496
1497         Reviewed by Sam Weinig.
1498
1499         * Configurations/FeatureDefines.xcconfig:
1500         * runtime/CommonIdentifiers.h:
1501
1502 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
1503
1504         Ran sort-Xcode-project-file.
1505
1506         * JavaScriptCore.xcodeproj/project.pbxproj:
1507
1508 2017-06-30  Matt Lewis  <jlewis3@apple.com>
1509
1510         Unreviewed, rolling out r218992.
1511
1512         The patch broke the iOS device builds.
1513
1514         Reverted changeset:
1515
1516         "DFG_ASSERT should allow stuffing registers before trapping."
1517         https://bugs.webkit.org/show_bug.cgi?id=174005
1518         http://trac.webkit.org/changeset/218992
1519
1520 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
1521
1522         RegExpCachedResult::setInput should reify left and right contexts
1523         https://bugs.webkit.org/show_bug.cgi?id=173818
1524
1525         Reviewed by Keith Miller.
1526         
1527         If you don't reify them in setInput, then when you later try to reify them, you'll end up
1528         using indices into an old input string to create a substring of a new input string. That
1529         never goes well.
1530
1531         * runtime/RegExpCachedResult.cpp:
1532         (JSC::RegExpCachedResult::setInput):
1533
1534 2017-06-30  Keith Miller  <keith_miller@apple.com>
1535
1536         DFG_ASSERT should allow stuffing registers before trapping.
1537         https://bugs.webkit.org/show_bug.cgi?id=174005
1538
1539         Reviewed by Mark Lam.
1540
1541         DFG_ASSERT currently prints error data to stderr before crashing,
1542         which is nice for local development. In the wild, however, we
1543         can't see this information in crash logs. This patch enables
1544         stuffing some of the most useful information from DFG_ASSERTS into
1545         up to five registers right before crashing. The values stuffed
1546         should not impact any logging during local development.
1547
1548         * assembler/AbortReason.h:
1549         * dfg/DFGAbstractInterpreterInlines.h:
1550         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1551         * dfg/DFGGraph.cpp:
1552         (JSC::DFG::logForCrash):
1553         (JSC::DFG::Graph::logAssertionFailure):
1554         (JSC::DFG::crash): Deleted.
1555         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
1556         * dfg/DFGGraph.h:
1557
1558 2017-06-29  Saam Barati  <sbarati@apple.com>
1559
1560         Calculating postCapacity in unshiftCountSlowCase is wrong
1561         https://bugs.webkit.org/show_bug.cgi?id=173992
1562         <rdar://problem/32283199>
1563
1564         Reviewed by Keith Miller.
1565
1566         This patch fixes a bug inside unshiftCountSlowCase where we would use
1567         more memory than we allocated. The bug was when deciding how much extra
1568         space we have after the vector we've allocated. This area is called the
1569         postCapacity. The largest legal postCapacity value we could use is the
1570         space we allocated minus the space we need:
1571         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
1572         However, the code was calculating the postCapacity as:
1573         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
1574         
1575         where count is how many elements we're appending. Depending on the inputs,
1576         count could be larger than (newStorageCapacity - requiredVectorLength). This
1577         would cause us to use more memory than we actually allocated.
1578
1579         * runtime/JSArray.cpp:
1580         (JSC::JSArray::unshiftCountSlowCase):
1581
1582 2017-06-29  Commit Queue  <commit-queue@webkit.org>
1583
1584         Unreviewed, rolling out r218512.
1585         https://bugs.webkit.org/show_bug.cgi?id=173981
1586
1587         "It changes the behavior of the JS API's JSEvaluateScript
1588         which breaks TurboTax" (Requested by saamyjoon on #webkit).
1589
1590         Reverted changeset:
1591
1592         "test262: Completion values for control flow do not match the
1593         spec"
1594         https://bugs.webkit.org/show_bug.cgi?id=171265
1595         http://trac.webkit.org/changeset/218512
1596
1597 2017-06-29  JF Bastien  <jfbastien@apple.com>
1598
1599         WebAssembly: disable some APIs under CSP
1600         https://bugs.webkit.org/show_bug.cgi?id=173892
1601         <rdar://problem/32914613>
1602
1603         Reviewed by Daniel Bates.
1604
1605         We should disable parts of WebAssembly under Content Security
1606         Policy as discussed here:
1607
1608         https://github.com/WebAssembly/design/issues/1092
1609
1610         Exactly what should be disabled isn't super clear, so we may as
1611         well be conservative and disable many things if developers already
1612         opted into CSP. It's easy to loosen what we disable later.
1613
1614         This patch disables:
1615         - WebAssembly.Instance
1616         - WebAssembly.instantiate
1617         - WebAssembly.Memory
1618         - WebAssembly.Table
1619
1620         And leaves:
1621         - WebAssembly on the global object
1622         - WebAssembly.Module
1623         - WebAssembly.compile
1624         - WebAssembly.CompileError
1625         - WebAssembly.LinkError
1626
1627         Nothing, because currently unimplemented:
1628         - WebAssembly.compileStreaming
1629         - WebAssembly.instantiateStreaming
1630
1631         That way it won't be possible to call WebAssembly-compiled code,
1632         or create memories (which use fancy 4GiB allocations
1633         sometimes). Table isn't really useful on its own, and eventually
1634         we may make them shareable so without more details it seems benign
1635         to disable them (and useless if we don't).
1636
1637         I haven't done anything with postMessage, so you can still
1638         postMessage a WebAssembly.Module cross-CSP, but you can't
1639         instantiate it so it's useless. Because of this I elected to leave
1640         WebAssembly.Module and friends available.
1641
1642         I haven't added any new directives. It's still unsafe-eval. We can
1643         add something else later, but it seems odd to add WebAssembly as
1644         a new capability and tell developers "you should have been using
1645         this directive which we just implemented if you wanted to disable
1646         WebAssembly which didn't exist when you adopted CSP". So IMO we
1647         should keep unsafe-eval as it currently is, add WebAssembly to
1648         what it disables, and later consider having two new directives
1649         which do each individually or something.
1650
1651         In all cases I throw an EvalError *before* other WebAssembly
1652         errors would be produced.
1653
1654         Note that, as for eval, reporting doesn't work and is tracked by
1655         https://webkit.org/b/111869
1656
1657         * runtime/JSGlobalObject.cpp:
1658         (JSC::JSGlobalObject::JSGlobalObject):
1659         * runtime/JSGlobalObject.h:
1660         (JSC::JSGlobalObject::webAssemblyEnabled):
1661         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
1662         (JSC::JSGlobalObject::setWebAssemblyEnabled):
1663         * wasm/js/JSWebAssemblyInstance.cpp:
1664         (JSC::JSWebAssemblyInstance::create):
1665         * wasm/js/JSWebAssemblyMemory.cpp:
1666         (JSC::JSWebAssemblyMemory::create):
1667         * wasm/js/JSWebAssemblyMemory.h:
1668         * wasm/js/JSWebAssemblyTable.cpp:
1669         (JSC::JSWebAssemblyTable::create):
1670         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1671         (JSC::constructJSWebAssemblyMemory):
1672
1673 2017-06-28  Keith Miller  <keith_miller@apple.com>
1674
1675         VMTraps has some races
1676         https://bugs.webkit.org/show_bug.cgi?id=173941
1677
1678         Reviewed by Michael Saboff.
1679
1680         This patch refactors much of the VMTraps API.
1681
1682         On the message sending side:
1683
1684         1) No longer uses the Yarr JIT check to determine if we are in
1685         RegExp code. That was unsound because RegExp JIT code can be run
1686         on compilation threads.  Instead it looks at the current frame's
1687         code block slot and checks if it is valid, which is the same as
1688         what it did for JIT code previously.
1689
1690         2) Only have one signal sender thread. Previously, there could be
1691         many at once, which caused some data races. Additionally, the
1692         signal sender thread is an automatic thread so it will deallocate
1693         itself when not in use.
1694
1695         On the VMTraps breakpoint side:
1696
1697         1) We now have a true mapping of whether we hit a breakpoint instead of
1698         a JIT assertion. So the exception handler won't eat JIT assertions
1699         anymore.
1700
1701         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
1702         them instead of every CodeBlock on the stack. This both prevents
1703         us from hitting stale VMTraps breakpoints and also doesn't OSR
1704         codeblocks that otherwise don't need to be jettisoned.
1705
1706         3) The old exception handler could theoretically fail for a couple
1707         of reasons then resume execution with a clobbered instruction
1708         set. This patch will kill the program if the exception handler
1709         would fail.
1710
1711         This patch also refactors some of the jsc.cpp functions to take the
1712         CommandLine options object instead of individual options. Also, there
1713         is a new command line option that makes exceptions due to watchdog
1714         timeouts an acceptable result.
1715
1716         * API/tests/testapi.c:
1717         (main):
1718         * bytecode/CodeBlock.cpp:
1719         (JSC::CodeBlock::installVMTrapBreakpoints):
1720         * dfg/DFGCommonData.cpp:
1721         (JSC::DFG::pcCodeBlockMap):
1722         (JSC::DFG::CommonData::invalidate):
1723         (JSC::DFG::CommonData::~CommonData):
1724         (JSC::DFG::CommonData::installVMTrapBreakpoints):
1725         (JSC::DFG::codeBlockForVMTrapPC):
1726         * dfg/DFGCommonData.h:
1727         * jsc.cpp:
1728         (functionDollarAgentStart):
1729         (checkUncaughtException):
1730         (checkException):
1731         (runWithOptions):
1732         (printUsageStatement):
1733         (CommandLine::parseArguments):
1734         (jscmain):
1735         (runWithScripts): Deleted.
1736         * runtime/JSLock.cpp:
1737         (JSC::JSLock::didAcquireLock):
1738         * runtime/VMTraps.cpp:
1739         (JSC::sanitizedTopCallFrame):
1740         (JSC::VMTraps::tryInstallTrapBreakpoints):
1741         (JSC::VMTraps::willDestroyVM):
1742         (JSC::VMTraps::fireTrap):
1743         (JSC::VMTraps::handleTraps):
1744         (JSC::VMTraps::VMTraps):
1745         (JSC::VMTraps::~VMTraps):
1746         (JSC::findActiveVMAndStackBounds): Deleted.
1747         (JSC::installSignalHandler): Deleted.
1748         (JSC::VMTraps::addSignalSender): Deleted.
1749         (JSC::VMTraps::removeSignalSender): Deleted.
1750         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
1751         (JSC::VMTraps::SignalSender::send): Deleted.
1752         * runtime/VMTraps.h:
1753         (JSC::VMTraps::~VMTraps): Deleted.
1754         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
1755
1756 2017-06-28  Devin Rousso  <drousso@apple.com>
1757
1758         Web Inspector: Instrument active pixel memory used by canvases
1759         https://bugs.webkit.org/show_bug.cgi?id=173087
1760         <rdar://problem/32719261>
1761
1762         Reviewed by Joseph Pecoraro.
1763
1764         * inspector/protocol/Canvas.json:
1765          - Add optional `memoryCost` attribute to the `Canvas` type.
1766          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
1767
1768 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
1769
1770         Web Inspector: Cleanup Protocol JSON files
1771         https://bugs.webkit.org/show_bug.cgi?id=173934
1772
1773         Reviewed by Matt Baker.
1774
1775         * inspector/protocol/ApplicationCache.json:
1776         * inspector/protocol/CSS.json:
1777         * inspector/protocol/Console.json:
1778         * inspector/protocol/DOM.json:
1779         * inspector/protocol/DOMDebugger.json:
1780         * inspector/protocol/Debugger.json:
1781         * inspector/protocol/LayerTree.json:
1782         * inspector/protocol/Network.json:
1783         * inspector/protocol/Page.json:
1784         * inspector/protocol/Runtime.json:
1785         Be more consistent about placement of `description` property.
1786
1787 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
1788
1789         Web Inspector: Remove unused Inspector domain events
1790         https://bugs.webkit.org/show_bug.cgi?id=173905
1791
1792         Reviewed by Matt Baker.
1793
1794         * inspector/protocol/Inspector.json:
1795
1796 2017-06-28  JF Bastien  <jfbastien@apple.com>
1797
1798         Ensure that computed new stack pointer values do not underflow.
1799         https://bugs.webkit.org/show_bug.cgi?id=173700
1800         <rdar://problem/32926032>
1801
1802         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
1803
1804         Patch by Mark Lam, with the following fix:
1805
1806         Re-apply this patch, it originally broke the ARM build because the llint code
1807         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
1808         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
1809         and operands to emit valid code (because the second operand can be SP).
1810
1811         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
1812            m_numCalleeLocals is sane.
1813
1814         2. Added underflow checks in LLInt code and VarargsFrame code.
1815
1816         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
1817            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
1818            Ensure that Options::softReservedZoneSize() is at least greater than
1819            Options::reservedZoneSize() by minimumReservedZoneSize.
1820
1821         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
1822            and only if the max size of the frame is greater than Options::reservedZoneSize().
1823
1824            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
1825            of memory at the bottom (end) of the stack.  This means that, at any time, the
1826            frame pointer must be at least Options::reservedZoneSize() bytes away from the
1827            end of the stack.  Hence, if the max frame size is less than
1828            Options::reservedZoneSize(), there's no way that frame pointer - max
1829            frame size can underflow, and we can elide the underflow check.
1830
1831            Note that we use Options::reservedZoneSize() instead of
1832            Options::softReservedZoneSize() for determining whether we need an underflow check.
1833            This is because the softStackLimit that is used for stack checks can be set
1834            based on Options::reservedZoneSize() during error handling (e.g. when creating
1835            strings for instantiating the Error object).  Hence, the guaranteed minimum
1836            distance between the frame pointer and the end of the stack is
1837            Options::reservedZoneSize() and not Options::softReservedZoneSize().
1838
1839            Note also that we ensure that Options::reservedZoneSize() is at least
1840            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
1841            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
1842            instead of minimumReservedZoneSize gives us more chances to elide underflow
1843            checks.
1844
1845         * JavaScriptCore.xcodeproj/project.pbxproj:
1846         * bytecompiler/BytecodeGenerator.cpp:
1847         (JSC::BytecodeGenerator::generate):
1848         * dfg/DFGGraph.cpp:
1849         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
1850         * dfg/DFGJITCompiler.cpp:
1851         (JSC::DFG::emitStackOverflowCheck):
1852         (JSC::DFG::JITCompiler::compile):
1853         (JSC::DFG::JITCompiler::compileFunction):
1854         * ftl/FTLLowerDFGToB3.cpp:
1855         (JSC::FTL::DFG::LowerDFGToB3::lower):
1856         * jit/JIT.cpp:
1857         (JSC::JIT::compileWithoutLinking):
1858         * jit/SetupVarargsFrame.cpp:
1859         (JSC::emitSetupVarargsFrameFastCase):
1860         * llint/LLIntSlowPaths.cpp:
1861         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1862         * llint/LowLevelInterpreter.asm:
1863         * llint/LowLevelInterpreter32_64.asm:
1864         * llint/LowLevelInterpreter64.asm:
1865         * runtime/MinimumReservedZoneSize.h: Added.
1866         * runtime/Options.cpp:
1867         (JSC::recomputeDependentOptions):
1868         * runtime/VM.cpp:
1869         (JSC::VM::updateStackLimits):
1870         * wasm/WasmB3IRGenerator.cpp:
1871         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1872         * wasm/js/WebAssemblyFunction.cpp:
1873         (JSC::callWebAssemblyFunction):
1874
1875 2017-06-28  Chris Dumez  <cdumez@apple.com>
1876
1877         Unreviewed, rolling out r218869.
1878
1879         Broke the iOS build
1880
1881         Reverted changeset:
1882
1883         "Ensure that computed new stack pointer values do not
1884         underflow."
1885         https://bugs.webkit.org/show_bug.cgi?id=173700
1886         http://trac.webkit.org/changeset/218869
1887
1888 2017-06-28  Chris Dumez  <cdumez@apple.com>
1889
1890         Unreviewed, rolling out r218873.
1891
1892         Broke the iOS build
1893
1894         Reverted changeset:
1895
1896         "Gardening: CLoop build fix."
1897         https://bugs.webkit.org/show_bug.cgi?id=173700
1898         http://trac.webkit.org/changeset/218873
1899
1900 2017-06-28  Mark Lam  <mark.lam@apple.com>
1901
1902         Gardening: CLoop build fix.
1903         https://bugs.webkit.org/show_bug.cgi?id=173700
1904         <rdar://problem/32926032>
1905
1906         Not reviewed.
1907
1908         * llint/LLIntSlowPaths.cpp:
1909         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1910
1911 2017-06-28  Mark Lam  <mark.lam@apple.com>
1912
1913         Ensure that computed new stack pointer values do not underflow.
1914         https://bugs.webkit.org/show_bug.cgi?id=173700
1915         <rdar://problem/32926032>
1916
1917         Reviewed by Filip Pizlo and Saam Barati.
1918
1919         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
1920            m_numCalleeLocals is sane.
1921
1922         2. Added underflow checks in LLInt code and VarargsFrame code.
1923
1924         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
1925            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
1926            Ensure that Options::softReservedZoneSize() is at least greater than
1927            Options::reservedZoneSize() by minimumReservedZoneSize.
1928
1929         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
1930            and only if the max size of the frame is greater than Options::reservedZoneSize().
1931
1932            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
1933            of memory at the bottom (end) of the stack.  This means that, at any time, the
1934            frame pointer must be at least Options::reservedZoneSize() bytes away from the
1935            end of the stack.  Hence, if the max frame size is less than
1936            Options::reservedZoneSize(), there's no way that frame pointer - max
1937            frame size can underflow, and we can elide the underflow check.
1938
1939            Note that we use Options::reservedZoneSize() instead of
1940            Options::softReservedZoneSize() for determining whether we need an underflow check.
1941            This is because the softStackLimit that is used for stack checks can be set
1942            based on Options::reservedZoneSize() during error handling (e.g. when creating
1943            strings for instantiating the Error object).  Hence, the guaranteed minimum
1944            distance between the frame pointer and the end of the stack is
1945            Options::reservedZoneSize() and not Options::softReservedZoneSize().
1946
1947            Note also that we ensure that Options::reservedZoneSize() is at least
1948            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
1949            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
1950            instead of minimumReservedZoneSize gives us more chances to elide underflow
1951            checks.
1952
1953         * JavaScriptCore.xcodeproj/project.pbxproj:
1954         * bytecompiler/BytecodeGenerator.cpp:
1955         (JSC::BytecodeGenerator::generate):
1956         * dfg/DFGGraph.cpp:
1957         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
1958         * dfg/DFGJITCompiler.cpp:
1959         (JSC::DFG::JITCompiler::compile):
1960         (JSC::DFG::JITCompiler::compileFunction):
1961         * ftl/FTLLowerDFGToB3.cpp:
1962         (JSC::FTL::DFG::LowerDFGToB3::lower):
1963         * jit/JIT.cpp:
1964         (JSC::JIT::compileWithoutLinking):
1965         * jit/SetupVarargsFrame.cpp:
1966         (JSC::emitSetupVarargsFrameFastCase):
1967         * llint/LLIntSlowPaths.cpp:
1968         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1969         * llint/LowLevelInterpreter.asm:
1970         * llint/LowLevelInterpreter32_64.asm:
1971         * llint/LowLevelInterpreter64.asm:
1972         * runtime/MinimumReservedZoneSize.h: Added.
1973         * runtime/Options.cpp:
1974         (JSC::recomputeDependentOptions):
1975         * runtime/VM.cpp:
1976         (JSC::VM::updateStackLimits):
1977         * wasm/WasmB3IRGenerator.cpp:
1978         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1979         * wasm/js/WebAssemblyFunction.cpp:
1980         (JSC::callWebAssemblyFunction):
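
An added example (not JSC's code) for this entry and its re-landed copy above, modelling items 3 and 4 in plain C++: the reserved-zone invariants, the "emit the underflow guard only when the frame can exceed the reserved zone" rule, and why a stack check without that guard admits an oversized frame. Option values, the scenario addresses and the exact shape of the checks are assumptions for illustration.

```cpp
// Added example, not JSC's code: a model of the reserved-zone invariants and
// of the JIT stack check with and without the underflow guard. Option values
// and the exact shape of the checks are assumptions for illustration.
#include <cstddef>
#include <cstdint>

// The hardcoded floor from item 3 of the entry.
constexpr size_t minimumReservedZoneSize = 16 * 1024;

struct StackOptions {
    size_t reservedZoneSize;
    size_t softReservedZoneSize;
};

// Item 3: reservedZoneSize is at least 16K, and softReservedZoneSize exceeds
// reservedZoneSize by at least another 16K.
StackOptions recomputeDependentOptions(StackOptions o)
{
    if (o.reservedZoneSize < minimumReservedZoneSize)
        o.reservedZoneSize = minimumReservedZoneSize;
    if (o.softReservedZoneSize < o.reservedZoneSize + minimumReservedZoneSize)
        o.softReservedZoneSize = o.reservedZoneSize + minimumReservedZoneSize;
    return o;
}

// Item 4: every live frame pointer sits at least reservedZoneSize bytes above
// the end of the stack, so fp - maxFrameSize can only wrap past zero when the
// frame is larger than that zone. The guard is emitted exactly in that case.
bool needsUnderflowCheck(size_t maxFrameSize, const StackOptions& o)
{
    return maxFrameSize > o.reservedZoneSize;
}

// Pre-fix shape: unsigned subtraction wraps, and a wrapped "new SP" is a huge
// address that trivially passes the limit comparison, so an oversized frame
// is admitted.
bool stackCheckWithoutUnderflowGuard(uintptr_t framePointer, size_t maxFrameSize, uintptr_t softStackLimit)
{
    uintptr_t newStackPointer = framePointer - maxFrameSize; // may wrap
    return newStackPointer >= softStackLimit;
}

// Post-fix shape: reject the frame if the subtraction would underflow (only
// tested when needsUnderflowCheck says it can happen), then compare as before.
bool stackCheckWithUnderflowGuard(uintptr_t framePointer, size_t maxFrameSize, uintptr_t softStackLimit, const StackOptions& o)
{
    if (needsUnderflowCheck(maxFrameSize, o) && framePointer < maxFrameSize)
        return false; // new SP would underflow
    return framePointer - maxFrameSize >= softStackLimit;
}

int main()
{
    StackOptions o = recomputeDependentOptions({ 4096, 8192 });
    // Constructed scenario: a frame pointer close to address zero and a frame
    // larger than the reserved zone. The unguarded check admits it; the
    // guarded check rejects it.
    const uintptr_t fp = 0x1000;
    const size_t bigFrame = 128 * 1024;
    const uintptr_t limit = 0x800;
    bool bugReproduced = stackCheckWithoutUnderflowGuard(fp, bigFrame, limit);
    bool fixed = !stackCheckWithUnderflowGuard(fp, bigFrame, limit, o);
    return (bugReproduced && fixed) ? 0 : 1;
}
```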
1981
1982 2017-06-27  JF Bastien  <jfbastien@apple.com>
1983
1984         WebAssembly: running out of executable memory should throw OoM
1985         https://bugs.webkit.org/show_bug.cgi?id=171537
1986         <rdar://problem/32963338>
1987
1988         Reviewed by Saam Barati.
1989
1990         Both on first compile with BBQ as well as on tier-up with OMG,
1991         running out of X memory shouldn't cause the entire program to
1992         terminate. An exception will do when compiling initial code (since
1993         we don't have any other fallback at the moment), and refusal to
1994         tier up will do as well (it'll just be slower).
1995
1996         This is useful because programs which generate huge amounts of
1997         code simply look like crashes, which developers report to
1998         us. Getting a JavaScript exception instead is much clearer.
1999
2000         * jit/ExecutableAllocator.cpp:
2001         (JSC::ExecutableAllocator::allocate):
2002         * llint/LLIntSlowPaths.cpp:
2003         (JSC::LLInt::shouldJIT):
2004         * runtime/Options.h:
2005         * wasm/WasmBBQPlan.cpp:
2006         (JSC::Wasm::BBQPlan::prepare):
2007         (JSC::Wasm::BBQPlan::complete):
2008         * wasm/WasmBinding.cpp:
2009         (JSC::Wasm::wasmToJs):
2010         (JSC::Wasm::wasmToWasm):
2011         * wasm/WasmBinding.h:
2012         * wasm/WasmOMGPlan.cpp:
2013         (JSC::Wasm::OMGPlan::work):
2014         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2015         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2016         * wasm/js/JSWebAssemblyCodeBlock.h:
2017         * wasm/js/JSWebAssemblyInstance.cpp:
2018         (JSC::JSWebAssemblyInstance::finalizeCreation):
2019
2020 2017-06-27  Saam Barati  <sbarati@apple.com>
2021
2022         JITStubRoutine::passesFilter should use isJITPC
2023         https://bugs.webkit.org/show_bug.cgi?id=173906
2024
2025         Reviewed by JF Bastien.
2026
2027         This patch makes JITStubRoutine use the isJITPC abstraction defined
2028         inside ExecutableAllocator.h. Before, JITStubRoutine was using a
2029         hardcoded platform size constant. This means it'd do the wrong thing
2030         if Options::jitMemoryReservationSize() was larger than the defined
2031         constant for that platform. This patch also removes a bunch of
2032         dead code in that file.
2033
2034         * jit/ExecutableAllocator.cpp:
2035         * jit/ExecutableAllocator.h:
2036         * jit/JITStubRoutine.h:
2037         (JSC::JITStubRoutine::passesFilter):
2038         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
2039         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
2040         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
2041
2042 2017-06-27  Saam Barati  <sbarati@apple.com>
2043
2044         Fix some stale comments in Wasm code base
2045         https://bugs.webkit.org/show_bug.cgi?id=173814
2046
2047         Reviewed by Mark Lam.
2048
2049         * wasm/WasmBinding.cpp:
2050         (JSC::Wasm::wasmToJs):
2051         * wasm/WasmOMGPlan.cpp:
2052         (JSC::Wasm::runOMGPlanForIndex):
2053
2054 2017-06-27  Caio Lima  <ticaiolima@gmail.com>
2055
2056         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
2057         https://bugs.webkit.org/show_bug.cgi?id=167962
2058
2059         Reviewed by Saam Barati.
2060
2061         Object Rest/Spread Destructuring proposal is in stage 3[1] and this
2062         patch is a prototype implementation of it. A simple change over the
2063         parser was necessary to support the new '...' token on Object Pattern
2064         destructuring rule. On the bytecode generator side, we changed the
2065         bytecode generated on ObjectPatternNode::bindValue to store in a
2066         set the identifiers of already destructured properties, following spec draft
2067         section[2], and then pass it as excludedNames to CopyDataProperties.
2068         The rest destructuring calls copyDataProperties to perform the
2069         copy of rest properties in rhs.
2070
2071         We also implemented CopyDataProperties as private JS global operation
2072         on builtins/GlobalOperations.js following its specification on [3].
2073         It is implemented using Set object to verify if a property is on
2074         excludedNames to keep this algorithm with O(n + m) complexity, where n
2075         = number of source's own properties and m = excludedNames.length.
2076
2077         In this implementation we aren't using excludeList as constant if the
2078         destructuring pattern contains a computed property, i.e. we can
2079         just determine the key to be excluded at runtime. If we can define all
2080         identifiers in the pattern in compile time, we then create a
2081         constant JSSet. This approach gives a good performance improvement,
2082         since we allocate the excludeSet just once, reducing GC pressure.
2083
2084         [1] - https://github.com/tc39/proposal-object-rest-spread
2085         [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
2086         [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties
2087
2088         * builtins/BuiltinNames.h:
2089         * builtins/GlobalOperations.js:
2090         (globalPrivate.copyDataProperties):
2091         * bytecode/CodeBlock.cpp:
2092         (JSC::CodeBlock::finishCreation):
2093         * bytecompiler/NodesCodegen.cpp:
2094         (JSC::ObjectPatternNode::bindValue):
2095         * parser/ASTBuilder.h:
2096         (JSC::ASTBuilder::appendObjectPatternEntry):
2097         (JSC::ASTBuilder::appendObjectPatternRestEntry):
2098         (JSC::ASTBuilder::setContainsObjectRestElement):
2099         * parser/Nodes.h:
2100         (JSC::ObjectPatternNode::appendEntry):
2101         (JSC::ObjectPatternNode::setContainsRestElement):
2102         * parser/Parser.cpp:
2103         (JSC::Parser<LexerType>::parseDestructuringPattern):
2104         (JSC::Parser<LexerType>::parseProperty):
2105         * parser/SyntaxChecker.h:
2106         (JSC::SyntaxChecker::operatorStackPop):
2107         * runtime/JSGlobalObject.cpp:
2108         (JSC::JSGlobalObject::init):
2109         * runtime/JSGlobalObject.h:
2110         (JSC::JSGlobalObject::asyncFunctionStructure):
2111         (JSC::JSGlobalObject::setStructure): Deleted.
2112         * runtime/JSGlobalObjectFunctions.cpp:
2113         (JSC::privateToObject):
2114         * runtime/JSGlobalObjectFunctions.h:
2115         * runtime/ObjectConstructor.cpp:
2116         (JSC::ObjectConstructor::finishCreation):
2117         * runtime/SetPrototype.cpp:
2118         (JSC::SetPrototype::finishCreation):
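
An added example (not JSC's builtins/GlobalOperations.js) of the CopyDataProperties shape this entry describes, in plain C++: excludedNames held in a hash set so the copy costs O(n + m), with statically known names inserted up front and a computed key added at runtime. The object model (a vector of name/value pairs) is a toy stand-in and an assumption for illustration.

```cpp
// Added example, not JSC's builtins/GlobalOperations.js: CopyDataProperties
// with excludedNames held in a hash set, giving the O(n + m) cost the entry
// describes. The object model is a toy stand-in for illustration.
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>

// A source object's own enumerable properties in enumeration order.
using Property = std::pair<std::string, int>;
using Properties = std::vector<Property>;

// The excludeSet: built once when every excluded name is known at compile
// time (the entry's constant JSSet), extended at runtime for computed keys.
using ExcludeSet = std::unordered_set<std::string>;

ExcludeSet makeExcludeSet(const std::vector<std::string>& excludedNames)
{
    return ExcludeSet(excludedNames.begin(), excludedNames.end());
}

// CopyDataProperties(target, source, excludedNames): one hash lookup per own
// property of source, so n properties against m excluded names cost O(n + m)
// rather than the O(n * m) of scanning a list for each property.
Properties copyDataProperties(Properties target, const Properties& source, const ExcludeSet& excluded)
{
    for (const Property& p : source) {
        if (excluded.count(p.first))
            continue;
        target.push_back(p);
    }
    return target;
}

// `const { a, b, [computedKey]: c, ...rest } = source;` : the statically known
// names are in the set up front, a computed key is inserted once it has been
// evaluated, and rest receives every own property that is not excluded.
Properties objectRest(const Properties& source,
                      const std::vector<std::string>& staticNames,
                      const std::vector<std::string>& computedKeys = {})
{
    ExcludeSet excluded = makeExcludeSet(staticNames);
    for (const std::string& key : computedKeys)
        excluded.insert(key);
    return copyDataProperties(Properties{}, source, excluded);
}
```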
2119
2120 2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2121
2122         [JSC] Do not touch VM after notifying Ready in DFG::Worklist
2123         https://bugs.webkit.org/show_bug.cgi?id=173888
2124
2125         Reviewed by Saam Barati.
2126
2127         After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed.
2128         Thus, Plan::vm() can return a destroyed VM. Do not touch it.
2129         This causes occasional SEGV / assertion failures in workers/bomb test.
2130
2131         * dfg/DFGWorklist.cpp:
2132
2133 2017-06-27  Saam Barati  <sbarati@apple.com>
2134
2135         Remove an inaccurate comment inside DFGClobberize.h
2136         https://bugs.webkit.org/show_bug.cgi?id=163874
2137
2138         Reviewed by Filip Pizlo.
2139
2140         The comment said that Clobberize may or may not be sound if run prior to
2141         doing type inference. This is not correct, though. Clobberize *must* be sound
2142         prior to doing type inference since we use it inside the BytecodeParser, which
2143         is the very first thing the DFG does.
2144
2145         * dfg/DFGClobberize.h:
2146         (JSC::DFG::clobberize):
2147
2148 2017-06-27  Saam Barati  <sbarati@apple.com>
2149
2150         Function constructor needs to follow the spec and validate parameters and body independently
2151         https://bugs.webkit.org/show_bug.cgi?id=173303
2152         <rdar://problem/32732526>
2153
2154         Reviewed by Keith Miller.
2155
2156         The Function constructor must check the arguments and body strings
2157         independently for syntax errors. People rely on this specified behavior
2158         to verify that a particular string is a valid function body. We used
2159         to check these strings concatenated together, instead of
2160         independently. For example, this used to be valid: `Function("/*", "*/){")`.
2161         However, we should throw a syntax error here since "(/*)" is not a valid
2162         parameter list, and "*/){" is not a valid body.
2163         
2164         To implement the specified behavior, we check the syntax independently of
2165         both the body and the parameter list. To check that the parameter list has
2166         valid syntax, we check that it is valid if in a function with an empty body.
2167         To check that the body has valid syntax, we check it is valid in a function
2168         with an empty parameter list.
2169
2170         * runtime/FunctionConstructor.cpp:
2171         (JSC::constructFunctionSkippingEvalEnabledCheck):
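        The two-step validation this entry describes, as an added JavaScript example (not JSC's code): `naiveCheck` models the old behaviour of parsing only the concatenated source, while `specCheck` parses the parameter list and the body independently before building the combination. The wrapper shape follows the spec's `function anonymous(` … `\n) {\n` … `\n}` layout; the helper names are ours, and the engine's own `new Function` is used purely as a parser.

```javascript
// Added example, not WebKit code. Helper names are ours.

// Assemble the source the way Function(params, body) is specified to:
// the parameter list and the body are joined around "\n) {\n".
function assembleSource(params, body) {
  return "(function anonymous(" + params + "\n) {\n" + body + "\n})";
}

// Parse `source` without executing it. `new Function` compiles its body but
// never runs it, and the body here is only a parenthesized function
// expression, so nothing would happen even if it did run.
function parses(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The old behaviour: only the joined string is checked, so a comment opened
// in the parameter list and closed in the body can hide "){" from the parser.
function naiveCheck(params, body) {
  return parses(assembleSource(params, body));
}

// The specified behaviour: the parameter list must be valid in a function
// with an empty body, the body must be valid in a function with an empty
// parameter list, and only then is the combination parsed.
function specCheck(params, body) {
  if (!parses(assembleSource(params, ""))) return "bad parameters";
  if (!parses(assembleSource("", body))) return "bad body";
  if (!parses(assembleSource(params, body))) return "bad combination";
  return "ok";
}

// Constructed cases. The first is the one from the entry above: the naive
// check accepts it, the independent check rejects the parameter list.
const cases = [
  ["/*", "*/){"],
  ["x", "*/"],
  ["a, b", "return a + b;"],
];
for (const [params, body] of cases) {
  console.log(JSON.stringify([params, body]),
    "naive:", naiveCheck(params, body), "spec:", specCheck(params, body));
}
```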
2172
2173 2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>
2174
2175         Add missing includes to fix compilation error on FreeBSD
2176         https://bugs.webkit.org/show_bug.cgi?id=172919
2177
2178         Reviewed by Mark Lam.
2179
2180         * API/JSRemoteInspector.h:
2181         * API/tests/GlobalContextWithFinalizerTest.cpp:
2182         * API/tests/TypedArrayCTest.cpp:
2183
2184 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
2185
2186         Web Inspector: Crash generating object preview for ArrayIterator
2187         https://bugs.webkit.org/show_bug.cgi?id=173754
2188         <rdar://problem/32859012>
2189
2190         Reviewed by Saam Barati.
2191
2192         When Inspector generates an object preview for an ArrayIterator instance it made
2193         a "clone" of the original ArrayIterator instance by constructing a new object with
2194         the instance's structure. However, user code could have modified that instance's
2195         structure, such as adding / removing properties. The `return` property had special
2196         meaning, and our clone did not fill that slot. This approach is brittle in that
2197         we weren't satisfying the expectations of an object with a particular Structure,
2198         and the original goal of having Web Inspector peek values of built-in Iterators
2199         was to avoid observable behavior.
2200
2201         This tightens Web Inspector's Iterator preview to only peek values if the
2202         Iterators would actually be non-observable. It also builds an ArrayIterator
2203         clone like a regular object construction.
2204
2205         * inspector/JSInjectedScriptHost.cpp:
2206         (Inspector::cloneArrayIteratorObject):
2207         Build up the Object from scratch with a new ArrayIterator prototype.
2208
2209         (Inspector::JSInjectedScriptHost::iteratorEntries):
2210         Only clone and peek iterators if it would not be observable.
2211         Also update iteration to be more in line with IterationOperations, such as when
2212         we call iteratorClose.
2213
2214         * runtime/JSGlobalObject.cpp:
2215         (JSC::JSGlobalObject::JSGlobalObject):
2216         (JSC::JSGlobalObject::init):
2217         * runtime/JSGlobalObject.h:
2218         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
2219         * runtime/JSGlobalObjectInlines.h:
2220         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
2221         Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
2222
2223         * runtime/JSMap.cpp:
2224         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2225         (JSC::JSMap::canCloneFastAndNonObservable):
2226         * runtime/JSMap.h:
2227         * runtime/JSSet.cpp:
2228         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2229         (JSC::JSSet::canCloneFastAndNonObservable):
2230         * runtime/JSSet.h:
2231         Promote isIteratorProtocolFastAndNonObservable to a method.
2232
2233         * runtime/JSObject.cpp:
2234         (JSC::canDoFastPutDirectIndex):
2235         * runtime/JSTypeInfo.h:
2236         (JSC::TypeInfo::isArgumentsType):
2237         Helper to detect if an Object is an Arguments type.
2238
2239 2017-06-26  Saam Barati  <sbarati@apple.com>
2240
2241         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
2242         https://bugs.webkit.org/show_bug.cgi?id=173740
2243
2244         Reviewed by Mark Lam.
2245
2246         The builtin was using for-of iteration to iterate over an internal
2247         list in its algorithm. For-of iteration is observable via user code
2248         in the global object, so this approach was wrong as it would break if
2249         a user changed the Array iteration protocol in some way.
2250
2251         * builtins/RegExpPrototype.js:
2252         (replace):
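        The "only peek if iteration is non-observable" decision from the Web Inspector entry above, and the reason the RegExpPrototype.js entry avoids for-of, as an added JavaScript example (not WebKit code): JSC answers this question with watchpoints on the iterator protocol; here we snapshot the pristine protocol members when the module loads (assumed untouched at that point) and refuse to peek if anything has changed since. The helper names are ours.

```javascript
// Added example, not WebKit code. Helper names are ours.

const ArrayIteratorPrototype = Object.getPrototypeOf([][Symbol.iterator]());

// Snapshot taken at load time (assumed pristine). Anything that differs
// later means user code has patched the protocol, so iterating would run it.
const pristine = Object.freeze({
  arrayProto: Array.prototype,
  arrayIterator: Array.prototype[Symbol.iterator],
  iteratorNext: ArrayIteratorPrototype.next,
});

// True only if iterating `arr` with for-of would run no user code.
// Caveat: a Proxy around an array passes Array.isArray, and the property
// lookups below would invoke its traps; userland cannot inspect the object
// type the way the engine can.
function arrayIterationIsNonObservable(arr) {
  if (!Array.isArray(arr)) return false;
  // An own Symbol.iterator on the instance overrides the prototype's.
  if (Object.prototype.hasOwnProperty.call(arr, Symbol.iterator)) return false;
  // A subclass or swapped prototype could hook iteration as well.
  if (Object.getPrototypeOf(arr) !== pristine.arrayProto) return false;
  if (Array.prototype[Symbol.iterator] !== pristine.arrayIterator) return false;
  if (ArrayIteratorPrototype.next !== pristine.iteratorNext) return false;
  return true;
}

// Peek at the values without touching the iteration protocol: read own
// property descriptors rather than calling Symbol.iterator or next().
// Returns null whenever peeking would be observable, which is the decision
// the Inspector entry describes.
function peekArrayValues(arr) {
  if (!arrayIterationIsNonObservable(arr)) return null;
  const out = [];
  for (let i = 0; i < arr.length; i++) {
    const d = Object.getOwnPropertyDescriptor(arr, i);
    // A hole (prototype lookup) or an accessor (getter) would run user code.
    if (!d || !("value" in d)) return null;
    out.push(d.value);
  }
  return out;
}

console.log(peekArrayValues([1, 2, 3])); // [1, 2, 3]
console.log(peekArrayValues([1, , 3]));  // null: the hole is observable
```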
2253
2254 2017-06-26  Mark Lam  <mark.lam@apple.com>
2255
2256         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
2257         https://bugs.webkit.org/show_bug.cgi?id=173848
2258
2259         Reviewed by JF Bastien.
2260
2261         This functor only dumps the return VirtualPC.
2262
2263         * interpreter/Interpreter.cpp:
2264         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
2265         (JSC::Interpreter::dumpRegisters):
2266         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
2267         (JSC::DumpRegisterFunctor::operator()): Deleted.
2268
2269 2017-06-26  Saam Barati  <sbarati@apple.com>
2270
2271         Crash in JSC::Lexer<unsigned char>::setCode
2272         https://bugs.webkit.org/show_bug.cgi?id=172754
2273
2274         Reviewed by Mark Lam.
2275
2276         The lexer was asking one of its buffers to reserve initial space that
2277         was O(text size in bytes). For large sources, this would end up causing
2278         the vector to overflow and crash. This patch changes this code to be like
2279         the Lexer's other buffers and to only reserve a small starting buffer.
2280
2281         * parser/Lexer.cpp:
2282         (JSC::Lexer<T>::setCode):
2283
2284 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2285
2286         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
2287         https://bugs.webkit.org/show_bug.cgi?id=173825
2288
2289         Reviewed by Saam Barati.
2290
2291         * jsc.cpp:
2292         (startTimeoutThreadIfNeeded):
2293         (timeoutThreadMain): Deleted.
2294
2295 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2296
2297         Unreviewed, add missing header for CLoop
2298
2299         * runtime/SymbolTable.cpp:
2300
2301 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2302
2303         Unreviewed, add missing header includes
2304
2305         * parser/Lexer.h:
2306
2307 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
2308
2309         Remove excessive headers from JavaScriptCore
2310         https://bugs.webkit.org/show_bug.cgi?id=173812
2311
2312         Reviewed by Darin Adler.
2313
2314         * API/APIUtils.h:
2315         * assembler/LinkBuffer.cpp:
2316         * assembler/MacroAssemblerCodeRef.cpp:
2317         * b3/air/AirLiveness.h:
2318         * b3/air/AirLowerAfterRegAlloc.cpp:
2319         * bindings/ScriptValue.cpp:
2320         * bindings/ScriptValue.h:
2321         * bytecode/AccessCase.cpp:
2322         * bytecode/AccessCase.h:
2323         * bytecode/ArrayProfile.h:
2324         * bytecode/BytecodeDumper.h:
2325         * bytecode/BytecodeIntrinsicRegistry.cpp:
2326         * bytecode/BytecodeKills.h:
2327         * bytecode/BytecodeLivenessAnalysis.h:
2328         * bytecode/BytecodeUseDef.h:
2329         * bytecode/CallLinkStatus.h:
2330         * bytecode/CodeBlock.h:
2331         * bytecode/CodeOrigin.h:
2332         * bytecode/ComplexGetStatus.h:
2333         * bytecode/GetByIdStatus.h:
2334         * bytecode/GetByIdVariant.h:
2335         * bytecode/InlineCallFrame.h:
2336         * bytecode/InlineCallFrameSet.h:
2337         * bytecode/Instruction.h:
2338         * bytecode/InternalFunctionAllocationProfile.h:
2339         * bytecode/JumpTable.h:
2340         * bytecode/MethodOfGettingAValueProfile.h:
2341         * bytecode/ObjectPropertyConditionSet.h:
2342         * bytecode/Operands.h:
2343         * bytecode/PolymorphicAccess.h:
2344         * bytecode/PutByIdStatus.h:
2345         * bytecode/SpeculatedType.cpp:
2346         * bytecode/StructureSet.h:
2347         * bytecode/StructureStubInfo.h:
2348         * bytecode/UnlinkedCodeBlock.h:
2349         * bytecode/UnlinkedFunctionExecutable.h:
2350         * bytecode/ValueProfile.h:
2351         * bytecompiler/BytecodeGenerator.cpp:
2352         * bytecompiler/BytecodeGenerator.h:
2353         * bytecompiler/Label.h:
2354         * bytecompiler/StaticPropertyAnalysis.h:
2355         * debugger/DebuggerCallFrame.cpp:
2356         * dfg/DFGAbstractInterpreter.h:
2357         * dfg/DFGAdjacencyList.h:
2358         * dfg/DFGArgumentsUtilities.h:
2359         * dfg/DFGArrayMode.h:
2360         * dfg/DFGArrayifySlowPathGenerator.h:
2361         * dfg/DFGBackwardsPropagationPhase.h:
2362         * dfg/DFGBasicBlock.h:
2363         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2364         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2365         * dfg/DFGCapabilities.h:
2366         * dfg/DFGCommon.h:
2367         * dfg/DFGCommonData.h:
2368         * dfg/DFGDesiredIdentifiers.h:
2369         * dfg/DFGDesiredWatchpoints.h:
2370         * dfg/DFGDisassembler.cpp:
2371         * dfg/DFGDominators.h:
2372         * dfg/DFGDriver.cpp:
2373         * dfg/DFGDriver.h:
2374         * dfg/DFGEdgeDominates.h:
2375         * dfg/DFGFinalizer.h:
2376         * dfg/DFGGenerationInfo.h:
2377         * dfg/DFGJITCompiler.cpp:
2378         * dfg/DFGJITCompiler.h:
2379         * dfg/DFGJITFinalizer.h:
2380         * dfg/DFGLivenessAnalysisPhase.h:
2381         * dfg/DFGMinifiedNode.h:
2382         * dfg/DFGMultiGetByOffsetData.h:
2383         * dfg/DFGNaturalLoops.cpp:
2384         * dfg/DFGNaturalLoops.h:
2385         * dfg/DFGNode.h:
2386         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2387         * dfg/DFGOSRExit.h:
2388         * dfg/DFGOSRExitCompilationInfo.h:
2389         * dfg/DFGOSRExitCompiler.cpp:
2390         * dfg/DFGOSRExitCompiler.h:
2391         * dfg/DFGOSRExitJumpPlaceholder.h:
2392         * dfg/DFGOperations.cpp:
2393         * dfg/DFGOperations.h:
2394         * dfg/DFGPlan.h:
2395         * dfg/DFGPreciseLocalClobberize.h:
2396         * dfg/DFGPromotedHeapLocation.h:
2397         * dfg/DFGRegisteredStructure.h:
2398         * dfg/DFGRegisteredStructureSet.h:
2399         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2400         * dfg/DFGSlowPathGenerator.h:
2401         * dfg/DFGSnippetParams.h:
2402         * dfg/DFGSpeculativeJIT.h:
2403         * dfg/DFGToFTLDeferredCompilationCallback.h:
2404         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
2405         * dfg/DFGValidate.h:
2406         * dfg/DFGValueSource.h:
2407         * dfg/DFGVariableEvent.h:
2408         * dfg/DFGVariableEventStream.h:
2409         * dfg/DFGWorklist.h:
2410         * domjit/DOMJITCallDOMGetterSnippet.h:
2411         * domjit/DOMJITEffect.h:
2412         * ftl/FTLLink.cpp:
2413         * ftl/FTLLowerDFGToB3.cpp:
2414         * ftl/FTLPatchpointExceptionHandle.h:
2415         * heap/AllocatorAttributes.h:
2416         * heap/CodeBlockSet.h:
2417         * heap/DeferGC.h:
2418         * heap/GCSegmentedArray.h:
2419         * heap/Heap.cpp:
2420         * heap/Heap.h:
2421         * heap/IncrementalSweeper.h:
2422         * heap/ListableHandler.h:
2423         * heap/MachineStackMarker.h:
2424         * heap/MarkedAllocator.h:
2425         * heap/MarkedBlock.cpp:
2426         * heap/MarkedBlock.h:
2427         * heap/MarkingConstraint.h:
2428         * heap/SlotVisitor.cpp:
2429         * heap/SlotVisitor.h:
2430         * inspector/ConsoleMessage.cpp:
2431         * inspector/ConsoleMessage.h:
2432         * inspector/InjectedScript.h:
2433         * inspector/InjectedScriptHost.h:
2434         * inspector/InjectedScriptManager.cpp:
2435         * inspector/JSGlobalObjectInspectorController.cpp:
2436         * inspector/JavaScriptCallFrame.h:
2437         * inspector/ScriptCallStack.h:
2438         * inspector/ScriptCallStackFactory.cpp:
2439         * inspector/ScriptDebugServer.h:
2440         * inspector/agents/InspectorConsoleAgent.h:
2441         * inspector/agents/InspectorDebuggerAgent.cpp:
2442         * inspector/agents/InspectorDebuggerAgent.h:
2443         * inspector/agents/InspectorHeapAgent.cpp:
2444         * inspector/agents/InspectorHeapAgent.h:
2445         * inspector/agents/InspectorRuntimeAgent.h:
2446         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2447         * inspector/agents/InspectorScriptProfilerAgent.h:
2448         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2449         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2450         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2451         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2452         * inspector/augmentable/AlternateDispatchableAgent.h:
2453         * interpreter/CLoopStack.h:
2454         * interpreter/CachedCall.h:
2455         * interpreter/CallFrame.h:
2456         * interpreter/Interpreter.cpp:
2457         * interpreter/Interpreter.h:
2458         * jit/AssemblyHelpers.cpp:
2459         * jit/AssemblyHelpers.h:
2460         * jit/CCallHelpers.h:
2461         * jit/CallFrameShuffler.h:
2462         * jit/ExecutableAllocator.h:
2463         * jit/GCAwareJITStubRoutine.h:
2464         * jit/HostCallReturnValue.h:
2465         * jit/ICStats.h:
2466         * jit/JIT.cpp:
2467         * jit/JIT.h:
2468         * jit/JITAddGenerator.h:
2469         * jit/JITCall32_64.cpp:
2470         * jit/JITCode.h:
2471         * jit/JITDisassembler.cpp:
2472         * jit/JITExceptions.cpp:
2473         * jit/JITMathIC.h:
2474         * jit/JITOpcodes.cpp:
2475         * jit/JITOperations.cpp:
2476         * jit/JITOperations.h:
2477         * jit/JITThunks.cpp:
2478         * jit/JITThunks.h:
2479         * jit/JSInterfaceJIT.h:
2480         * jit/PCToCodeOriginMap.h:
2481         * jit/PolymorphicCallStubRoutine.h:
2482         * jit/RegisterSet.h:
2483         * jit/Repatch.h:
2484         * jit/SetupVarargsFrame.h:
2485         * jit/Snippet.h:
2486         * jit/SnippetParams.h:
2487         * jit/ThunkGenerators.h:
2488         * jsc.cpp:
2489         * llint/LLIntCLoop.h:
2490         * llint/LLIntEntrypoint.h:
2491         * llint/LLIntExceptions.h:
2492         * llint/LLIntOfflineAsmConfig.h:
2493         * llint/LLIntSlowPaths.cpp:
2494         * parser/NodeConstructors.h:
2495         * parser/Nodes.cpp:
2496         * parser/Nodes.h:
2497         * parser/Parser.cpp:
2498         * parser/Parser.h:
2499         * parser/ParserTokens.h:
2500         * parser/SourceProviderCacheItem.h:
2501         * profiler/ProfilerBytecodeSequence.h:
2502         * profiler/ProfilerDatabase.cpp:
2503         * profiler/ProfilerDatabase.h:
2504         * profiler/ProfilerOrigin.h:
2505         * profiler/ProfilerOriginStack.h:
2506         * profiler/ProfilerProfiledBytecodes.h:
2507         * profiler/ProfilerUID.h:
2508         * runtime/AbstractModuleRecord.h:
2509         * runtime/ArrayConstructor.h:
2510         * runtime/ArrayConventions.h:
2511         * runtime/ArrayIteratorPrototype.h:
2512         * runtime/ArrayPrototype.h:
2513         * runtime/BasicBlockLocation.h:
2514         * runtime/Butterfly.h:
2515         * runtime/CallData.cpp:
2516         * runtime/CodeCache.h:
2517         * runtime/CommonSlowPaths.cpp:
2518         * runtime/CommonSlowPaths.h:
2519         * runtime/CommonSlowPathsExceptions.cpp:
2520         * runtime/Completion.cpp:
2521         * runtime/ControlFlowProfiler.h:
2522         * runtime/DateInstanceCache.h:
2523         * runtime/ErrorConstructor.h:
2524         * runtime/ErrorInstance.h:
2525         * runtime/ExceptionHelpers.cpp:
2526         * runtime/ExceptionHelpers.h:
2527         * runtime/ExecutableBase.h:
2528         * runtime/FunctionExecutable.h:
2529         * runtime/HasOwnPropertyCache.h:
2530         * runtime/Identifier.h:
2531         * runtime/InternalFunction.h:
2532         * runtime/IntlCollator.cpp:
2533         * runtime/IntlCollatorPrototype.h:
2534         * runtime/IntlDateTimeFormatPrototype.h:
2535         * runtime/IntlNumberFormat.cpp:
2536         * runtime/IntlNumberFormatPrototype.h:
2537         * runtime/IteratorOperations.cpp:
2538         * runtime/JSArray.h:
2539         * runtime/JSArrayBufferPrototype.h:
2540         * runtime/JSCJSValue.h:
2541         * runtime/JSCJSValueInlines.h:
2542         * runtime/JSCell.h:
2543         * runtime/JSFunction.cpp:
2544         * runtime/JSFunction.h:
2545         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2546         * runtime/JSGlobalObject.cpp:
2547         * runtime/JSGlobalObject.h:
2548         * runtime/JSGlobalObjectDebuggable.cpp:
2549         * runtime/JSGlobalObjectDebuggable.h:
2550         * runtime/JSGlobalObjectFunctions.cpp:
2551         * runtime/JSGlobalObjectFunctions.h:
2552         * runtime/JSJob.cpp:
2553         * runtime/JSLock.h:
2554         * runtime/JSModuleLoader.cpp:
2555         * runtime/JSModuleNamespaceObject.h:
2556         * runtime/JSModuleRecord.h:
2557         * runtime/JSObject.cpp:
2558         * runtime/JSObject.h:
2559         * runtime/JSRunLoopTimer.h:
2560         * runtime/JSTemplateRegistryKey.h:
2561         * runtime/JSTypedArrayPrototypes.cpp:
2562         * runtime/JSTypedArrayPrototypes.h:
2563         * runtime/JSTypedArrays.h:
2564         * runtime/LiteralParser.h:
2565         * runtime/MatchResult.h:
2566         * runtime/MemoryStatistics.h:
2567         * runtime/PrivateName.h:
2568         * runtime/PromiseDeferredTimer.h:
2569         * runtime/ProxyObject.h:
2570         * runtime/RegExp.h:
2571         * runtime/SamplingProfiler.cpp:
2572         * runtime/SmallStrings.h:
2573         * runtime/StringPrototype.cpp:
2574         * runtime/StringRecursionChecker.h:
2575         * runtime/Structure.h:
2576         * runtime/SymbolConstructor.h:
2577         * runtime/SymbolPrototype.cpp:
2578         * runtime/SymbolPrototype.h:
2579         * runtime/TypeProfiler.h:
2580         * runtime/TypeProfilerLog.h:
2581         * runtime/TypedArrayType.h:
2582         * runtime/VM.cpp:
2583         * runtime/VM.h:
2584         * runtime/VMEntryScope.h:
2585         * runtime/WeakMapData.h:
2586         * runtime/WriteBarrier.h:
2587         * tools/FunctionOverrides.cpp:
2588         * tools/FunctionOverrides.h:
2589         * wasm/WasmBinding.cpp:
2590         * wasm/js/JSWebAssemblyCodeBlock.h:
2591         * wasm/js/WebAssemblyPrototype.cpp:
2592         * yarr/Yarr.h:
2593         * yarr/YarrJIT.cpp:
2594         * yarr/YarrJIT.h:
2595         * yarr/YarrParser.h:
2596
2597 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2598
2599         [JSC] Clean up Object.entries implementation
2600         https://bugs.webkit.org/show_bug.cgi?id=173759
2601
2602         Reviewed by Sam Weinig.
2603
2604         This patch cleans up Object.entries implementation.
2605         We drop unused private functions. And we merge the
2606         implementation into Object.entries.
2607
2608         It slightly speeds up Object.entries speed.
2609
2610                                      baseline                  patched
2611
2612             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
2613
2614
2615         * builtins/BuiltinNames.h:
2616         * builtins/ObjectConstructor.js:
2617         (entries):
2618         (globalPrivate.enumerableOwnProperties): Deleted.
2619         * runtime/JSGlobalObject.cpp:
2620         (JSC::JSGlobalObject::init):
2621         * runtime/ObjectConstructor.cpp:
2622         (JSC::ownEnumerablePropertyKeys): Deleted.
2623         * runtime/ObjectConstructor.h:
2624
2625 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
2626
2627         Remove Reflect.enumerate
2628         https://bugs.webkit.org/show_bug.cgi?id=173806
2629
2630         Reviewed by Yusuke Suzuki.
2631
2632         * CMakeLists.txt:
2633         * JavaScriptCore.xcodeproj/project.pbxproj:
2634         * inspector/JSInjectedScriptHost.cpp:
2635         (Inspector::JSInjectedScriptHost::subtype):
2636         (Inspector::JSInjectedScriptHost::getInternalProperties):
2637         (Inspector::JSInjectedScriptHost::iteratorEntries):
2638         * runtime/JSGlobalObject.cpp:
2639         (JSC::JSGlobalObject::init):
2640         (JSC::JSGlobalObject::visitChildren):
2641         * runtime/JSPropertyNameIterator.cpp: Removed.
2642         * runtime/JSPropertyNameIterator.h: Removed.
2643         * runtime/ReflectObject.cpp:
2644         (JSC::reflectObjectEnumerate): Deleted.
2645
2646 2017-06-23  Keith Miller  <keith_miller@apple.com>
2647
2648         Switch VMTraps to use halt instructions rather than breakpoint instructions
2649         https://bugs.webkit.org/show_bug.cgi?id=173677
2650         <rdar://problem/32178892>
2651
2652         Reviewed by JF Bastien.
2653
2654         Using the breakpoint instruction for VMTraps caused issues with lldb.
2655         Since we only need some way to stop execution we can, in theory, use
2656         any exceptioning instruction we want. I went with the halt instruction
2657         on X86 since that is the only one byte instruction that does not
2658         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
2659         On ARM we use the data cache clearing instruction with the zero register,
2660         which triggers a segmentation fault.
2661
2662         Also, update the platform code to only use signaling VMTraps
2663         where we have an appropriate instruction (x86 and ARM64).
2664
2665         * API/tests/ExecutionTimeLimitTest.cpp:
2666         (testExecutionTimeLimit):
2667         * assembler/ARM64Assembler.h:
2668         (JSC::ARM64Assembler::replaceWithVMHalt):
2669         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
2670         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
2671         * assembler/ARMAssembler.h:
2672         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
2673         * assembler/ARMv7Assembler.h:
2674         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
2675         * assembler/MIPSAssembler.h:
2676         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
2677         * assembler/MacroAssemblerARM.h:
2678         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
2679         * assembler/MacroAssemblerARM64.h:
2680         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
2681         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
2682         * assembler/MacroAssemblerARMv7.h:
2683         (JSC::MacroAssemblerARMv7::storeFence):
2684         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
2685         * assembler/MacroAssemblerMIPS.h:
2686         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
2687         * assembler/MacroAssemblerX86Common.h:
2688         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
2689         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
2690         * assembler/X86Assembler.h:
2691         (JSC::X86Assembler::replaceWithHlt):
2692         (JSC::X86Assembler::replaceWithInt3): Deleted.
2693         * dfg/DFGJumpReplacement.cpp:
2694         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
2695         * runtime/VMTraps.cpp:
2696         (JSC::SignalContext::SignalContext):
2697         (JSC::installSignalHandler):
2698         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
2699         * wasm/WasmFaultSignalHandler.cpp:
2700         (JSC::Wasm::enableFastMemory):
2701
2702 2017-06-22  Saam Barati  <sbarati@apple.com>
2703
2704         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
2705         https://bugs.webkit.org/show_bug.cgi?id=173743
2706         <rdar://problem/32932536>
2707
2708         Reviewed by Mark Lam.
2709
2710         The code always manually speculates, however, we weren't specifying
2711         ManualOperandSpeculation when creating a JSValueOperand. This would
2712         fire an assertion in JSValueOperand construction for a node like:
2713         Identity(String:@otherNode)
2714         
2715         I spent about 45 minutes trying to craft a test and came up
2716         empty. However, this fixes a debug assertion on an internal
2717         Apple website.
2718
2719         * dfg/DFGSpeculativeJIT32_64.cpp:
2720         (JSC::DFG::SpeculativeJIT::compile):
2721         * dfg/DFGSpeculativeJIT64.cpp:
2722         (JSC::DFG::SpeculativeJIT::compile):
2723
2724 2017-06-22  Saam Barati  <sbarati@apple.com>
2725
2726         ValueRep(DoubleRep(@v)) can not simply convert to @v
2727         https://bugs.webkit.org/show_bug.cgi?id=173687
2728         <rdar://problem/32855563>
2729
2730         Reviewed by Mark Lam.
2731
2732         Consider this IR:
2733          block#x
2734           p: Phi() // int32 and double flows into this phi from various control flow
2735           d: DoubleRep(@p)
2736           some uses of @d here
2737           v: ValueRep(DoubleRepUse:@d)
2738           a: NewArrayWithSize(Int32:@v)
2739           some more nodes here ...
2740         
2741         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
2742         AI proves that the Int32 check will fail. Constant folding phase removes
2743         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
2744         
2745         The IR then looks like this:
2746         block#x
2747           p: Phi() // int32 and double flows into this phi from various control flow
2748           d: DoubleRep(@p)
2749           some uses of @d here
2750           v: ValueRep(DoubleRepUse:@d)
2751           a: NewArrayWithSize(Int32:@v)
2752           Unreachable
2753         
2754         However, there was a strength reduction rule that tries to eliminate redundant
2755         conversions. It used to convert the program to:
2756         block#x
2757           p: Phi() // int32 and double flows into this phi from various control flow
2758           d: DoubleRep(@p)
2759           some uses of @d here
2760           a: NewArrayWithSize(Int32:@p)
2761           Unreachable
2762         
2763         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
2764         and we'll crash. This patch removes this strength reduction rule since it
2765         does not maintain what would have happened if we executed the program before
2766         the rule.
2767         
2768         This rule is also wrong for other types of programs (I'm not sure we'd
2769         actually emit this code, but if such IR were generated, we would previously
2770         optimize it incorrectly):
2771         @a: Constant(JSTrue)
2772         @b: DoubleRep(@a)
2773         @c: ValueRep(@b)
2774         @d: use(@c)
2775         
2776         However, the strength reduction rule would've transformed this into:
2777         @a: Constant(JSTrue)
2778         @d: use(@a)
2779         
2780         And this would be wrong because node @c before the transformation would
2781         have produced the JSValue jsNumber(1.0).
2782         
2783         This patch was neutral in the benchmark run I did.
2784
2785         * dfg/DFGStrengthReductionPhase.cpp:
2786         (JSC::DFG::StrengthReductionPhase::handleNode):
2787
2788 2017-06-22  JF Bastien  <jfbastien@apple.com>
2789
2790         ARM64: doubled executable memory limit from 32MiB to 64MiB
2791         https://bugs.webkit.org/show_bug.cgi?id=173734
2792         <rdar://problem/32932407>
2793
2794         Reviewed by Oliver Hunt.
2795
2796         Some WebAssembly programs stress the amount of memory we have
2797         available, especially when we consider tiering (BBQ never dies,
2798         and is bigger than OMG). Tiering to OMG just piles on more memory,
2799         and we're also competing with JavaScript.
2800
2801         * jit/ExecutableAllocator.h:
2802
2803 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
2804
2805         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
2806         https://bugs.webkit.org/show_bug.cgi?id=173698
2807
2808         Reviewed by Matt Baker.
2809
2810         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
2811         when preparing Inspector pause information is spent generating object previews for
2812         the `thisObject` of each of the call frames. In some cases, this could be more
2813         than 95% of the time generating pause information. In the common case, only one of
2814         these (the top frame) will ever be seen by users. This change avoids eagerly
2815         generating object previews up front and lets the frontend request previews if they
2816         are needed.
2817
2818         This introduces the `Runtime.getPreview` protocol command. This can be used to:
2819
2820             - Get a preview for a RemoteObject that did not have a preview but could.
2821             - Update a preview for a RemoteObject that had a preview.
2822
2823         This patch only uses it for the first case, but the second is valid and may be
2824         something we want to do in the future.
2825
2826         * inspector/protocol/Runtime.json:
2827         A new command to get an up-to-date preview for an object.
2828
2829         * inspector/InjectedScript.h:
2830         * inspector/InjectedScript.cpp:
2831         (Inspector::InjectedScript::getPreview):
2832         * inspector/agents/InspectorRuntimeAgent.cpp:
2833         (Inspector::InspectorRuntimeAgent::getPreview):
2834         * inspector/agents/InspectorRuntimeAgent.h:
2835         Plumbing for the new command.
2836
2837         * inspector/InjectedScriptSource.js:
2838         (InjectedScript.prototype.getPreview):
2839         Implementation just uses the existing helper.
2840
2841         (InjectedScript.CallFrameProxy):
2842         Do not generate a preview for the this object as it may not be shown.
2843         Let the frontend request a preview if it wants or needs one.
2844
2845 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
2846
2847         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
2848         https://bugs.webkit.org/show_bug.cgi?id=173686
2849
2850         Reviewed by Mark Lam.
2851
2852         * inspector/InjectedScript.cpp:
2853         (Inspector::InjectedScript::functionDetails):
2854         * inspector/InjectedScriptSource.js:
2855         (InjectedScript.prototype.functionDetails):
2856         * inspector/JSInjectedScriptHost.cpp:
2857         (Inspector::JSInjectedScriptHost::functionDetails):
2858
2859 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2860
2861         [JSC] Object.values should be implemented in C++
2862         https://bugs.webkit.org/show_bug.cgi?id=173703
2863
2864         Reviewed by Sam Weinig.
2865
2866         As with Object.assign, Object.values() is also inherently polymorphic.
2867         And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
2868         result is costly.
2869
2870         In this patch, we implement Object.values() in C++. It can avoid above allocations.
2871         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
2872         non-observable JSObject::get() calls.
2873
2874         This improves performance by 2.49x. And also now Object.values() beats
2875         Object.keys(object).map(key => object[key]) implementation.
2876
2877                                              baseline                  patched
2878
2879             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
2880             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
2881
2882         * builtins/ObjectConstructor.js:
2883         (values): Deleted.
2884         * runtime/ObjectConstructor.cpp:
2885         (JSC::objectConstructorValues):
2886
2887 2017-06-21  Saam Barati  <sbarati@apple.com>
2888
2889         ArrayPrototype.map builtin declares a var it does not use
2890         https://bugs.webkit.org/show_bug.cgi?id=173685
2891
2892         Reviewed by Keith Miller.
2893
2894         * builtins/ArrayPrototype.js:
2895         (map):
2896
2897 2017-06-21  Saam Barati  <sbarati@apple.com>
2898
2899         eval virtual call is incorrect in the baseline JIT
2900         https://bugs.webkit.org/show_bug.cgi?id=173587
2901         <rdar://problem/32867897>
2902
2903         Reviewed by Michael Saboff.
2904
2905         When making a virtual call for call_eval, e.g., when the thing
2906         we're calling isn't actually eval, we end up calling the caller
2907         instead of the callee. This is clearly wrong. The code ends up
2908         issuing a load for the Callee in the callers frame instead of
2909         the callee we're calling. The fix is simple, we just need to
2910         load the real callee. Only the 32-bit baseline JIT had this bug.
2911
2912         * jit/JITCall32_64.cpp:
2913         (JSC::JIT::compileCallEvalSlowCase):
2914
2915 2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>
2916
2917         Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
2918         https://bugs.webkit.org/show_bug.cgi?id=172432
2919         <rdar://problem/29870873>
2920
2921         Reviewed by Saam Barati.
2922
2923         Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
2924         We will proceed to improve debugging of these cases in the follow-up bugs.
2925
2926         * debugger/Debugger.cpp:
2927         (JSC::Debugger::exception):
2928         Ignore pausing on these errors.
2929
2930         * runtime/ErrorInstance.h:
2931         (JSC::ErrorInstance::setStackOverflowError):
2932         (JSC::ErrorInstance::isStackOverflowError):
2933         (JSC::ErrorInstance::setOutOfMemoryError):
2934         (JSC::ErrorInstance::isOutOfMemoryError):
2935         * runtime/ExceptionHelpers.cpp:
2936         (JSC::createStackOverflowError):
2937         * runtime/Error.cpp:
2938         (JSC::createOutOfMemoryError):
2939         Mark these kinds of errors.
2940
2941 2017-06-21  Saam Barati  <sbarati@apple.com>
2942
2943         Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
2944         https://bugs.webkit.org/show_bug.cgi?id=173609
2945
2946         Reviewed by Keith Miller.
2947
2948         This patch makes many of the IC generating functions require a locker as
2949         a parameter. We do this in other places in JSC to indicate that
2950         a particular API is only valid while a particular lock is held.
2951         This is the case when generating ICs. This patch just makes it
2952         explicit in the IC generating interface.
2953
2954         * bytecode/PolymorphicAccess.cpp:
2955         (JSC::PolymorphicAccess::addCases):
2956         (JSC::PolymorphicAccess::addCase):
2957         (JSC::PolymorphicAccess::commit):
2958         (JSC::PolymorphicAccess::regenerate):
2959         * bytecode/PolymorphicAccess.h:
2960         * bytecode/StructureStubInfo.cpp:
2961         (JSC::StructureStubInfo::addAccessCase):
2962         (JSC::StructureStubInfo::initStub): Deleted.
2963         * bytecode/StructureStubInfo.h:
2964         * jit/Repatch.cpp:
2965         (JSC::tryCacheGetByID):
2966         (JSC::repatchGetByID):
2967         (JSC::tryCachePutByID):
2968         (JSC::repatchPutByID):
2969         (JSC::tryRepatchIn):
2970         (JSC::repatchIn):
2971
2972 2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>
2973
2974         Disable font variations on macOS Sierra and iOS 10
2975         https://bugs.webkit.org/show_bug.cgi?id=173618
2976         <rdar://problem/32879164>
2977
2978         Reviewed by Jon Lee.
2979
2980         * Configurations/FeatureDefines.xcconfig:
2981
2982 2017-06-20  Keith Miller  <keith_miller@apple.com>
2983
2984         Fix leak of ModuleInformations in BBQPlan constructors.
2985         https://bugs.webkit.org/show_bug.cgi?id=173577
2986
2987         Reviewed by Saam Barati.
2988
2989         This patch fixes a leak in the BBQPlan constructors. Previously,
2990         the plans were calling makeRef on the newly constructed objects.
2991         This patch fixes the issue and uses adoptRef instead. Additionally,
2992         an old, incorrect, attempt to fix the leak is removed.
2993
2994         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
2995         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
2996         * jit/JITWorklist.cpp:
2997         (JSC::JITWorklist::Thread::Thread):
2998         * runtime/PromiseDeferredTimer.cpp:
2999         (JSC::PromiseDeferredTimer::addPendingPromise):
3000         * runtime/VM.cpp:
3001         (JSC::VM::VM):
3002         * wasm/WasmBBQPlan.cpp:
3003         (JSC::Wasm::BBQPlan::BBQPlan):
3004         * wasm/WasmPlan.cpp:
3005         (JSC::Wasm::Plan::Plan):
3006
3007 2017-06-20  Devin Rousso  <drousso@apple.com>
3008
3009         Web Inspector: Send context attributes for tracked canvases
3010         https://bugs.webkit.org/show_bug.cgi?id=173327
3011
3012         Reviewed by Joseph Pecoraro.
3013
3014         * inspector/protocol/Canvas.json:
3015         Add ContextAttributes object type that is optionally used for WebGL canvases.
3016
3017 2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>
3018
3019         Remove excessive include directives from WTF
3020         https://bugs.webkit.org/show_bug.cgi?id=173553
3021
3022         Reviewed by Saam Barati.
3023
3024         * profiler/ProfilerDatabase.cpp: Added missing include directive.
3025         * runtime/SamplingProfiler.cpp: Ditto.
3026
3027 2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>
3028
3029         Revert changes in bug#160417 about extending `null` not being a derived class
3030         https://bugs.webkit.org/show_bug.cgi?id=169293
3031
3032         Reviewed by Saam Barati.
3033
3034         Reverted changes in bug#160417 about extending `null` not being a derived class
3035         according to changes in spec:
3036         https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2
3037
3038         * builtins/BuiltinNames.h:
3039         * bytecompiler/BytecodeGenerator.cpp:
3040         (JSC::BytecodeGenerator::BytecodeGenerator):
3041         (JSC::BytecodeGenerator::emitReturn):
3042         * bytecompiler/NodesCodegen.cpp:
3043         (JSC::ClassExprNode::emitBytecode):
3044
3045 2017-06-20  Saam Barati  <sbarati@apple.com>
3046
3047         repatchIn needs to lock the CodeBlock's lock
3048         https://bugs.webkit.org/show_bug.cgi?id=173573
3049
3050         Reviewed by Yusuke Suzuki.
3051
3052         CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
3053         lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
3054         an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
3055         with the marking thread. repatchIn was not grabbing the lock. I haven't been
3056         able to get it to crash, but this is needed for the same reasons that get and put IC
3057         regeneration grab the lock.
3058
3059         * jit/Repatch.cpp:
3060         (JSC::repatchIn):
3061
3062 2017-06-19  Devin Rousso  <drousso@apple.com>
3063
3064         Web Inspector: create canvas content view and details sidebar panel
3065         https://bugs.webkit.org/show_bug.cgi?id=138941
3066         <rdar://problem/19051672>
3067
3068         Reviewed by Joseph Pecoraro.
3069
3070         * inspector/protocol/Canvas.json:
3071          - Add an optional `nodeId` attribute to the `Canvas` type.
3072          - Add `requestNode` command for getting the node id of the backing canvas element.
3073          - Add `requestContent` command for getting the current image content of the canvas.
3074
3075 2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3076
3077         Unreviewed, build fix for ARM
3078
3079         * assembler/MacroAssemblerARM.h:
3080         (JSC::MacroAssemblerARM::internalCompare32):
3081
3082 2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3083
3084         [DFG] More ArrayIndexOf fixups for various types
3085         https://bugs.webkit.org/show_bug.cgi?id=173176
3086
3087         Reviewed by Saam Barati.
3088
3089         This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.
3090
3091         1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array
3092         never contains the given search value.
3093
3094         2. We support Symbol and Other specialization additionally. In particular, Other is
3095         useful because null/undefined can be used as a sentinel value.
3096
3097         One interesting thing is that Array.prototype.indexOf does not consider holes as
3098         undefineds. Thus,
3099
3100             var array = [,,,,,,,];
3101             array.indexOf(undefined); // => -1
3102
3103         This can be trivially achieved in JSC because Empty and Undefined are different values.
3104
3105         * dfg/DFGFixupPhase.cpp:
3106         (JSC::DFG::FixupPhase::fixupNode):
3107         (JSC::DFG::FixupPhase::fixupArrayIndexOf):
3108         * dfg/DFGSpeculativeJIT.cpp:
3109         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
3110         (JSC::DFG::SpeculativeJIT::speculateOther):
3111         * dfg/DFGSpeculativeJIT.h:
3112         * ftl/FTLLowerDFGToB3.cpp:
3113         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
3114
3115 2017-06-19  Caio Lima  <ticaiolima@gmail.com>
3116
3117         [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
3118         https://bugs.webkit.org/show_bug.cgi?id=172972
3119
3120         Reviewed by Mark Lam.
3121
3122         We are changing internalCompare32 implementation in ARM
3123         MacroAssembler to emit "cmp" when the "right.value" is 0.
3124         It is generating wrong comparison cases, since the
3125         semantics of cmn is opposite of cmp[1]. One case that it's breaking is
3126         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", which ends up
3127         resulting in the following assembly code:
3128
3129         ```
3130         cmn $r0, #0
3131         bhi <address>
3132         ```
3133
3134         However, as cmn is similar to "adds", it will never take the branch
3135         when $r0 > 0. In that case, the correct opcode is "cmp". With this
3136         patch we will fix current broken tests that use
3137         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
3138         such as ForwardVarargs, Spread and GetRestLength.
3139
3140         [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html
3141
3142         * assembler/MacroAssemblerARM.h:
3143         (JSC::MacroAssemblerARM::internalCompare32):
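        As an added illustration of the cmp/cmn difference described above (not WebKit's code), the following models the ARM NZCV flags produced by CMP (Rn - imm) and CMN (Rn + imm) and the unsigned Above (HI) condition; the only assumption is the standard ARM flag semantics cited in [1].

```javascript
// Added example (not WebKit's code): a model of the ARM NZCV flags set by
// CMP (Rn - imm) and CMN (Rn + imm) and of the unsigned Above condition (HI),
// showing why "cmn r, #0" cannot stand in for "cmp r, #0".
const TWO32 = 0x100000000;

function flagsCmp(rn, imm) {
  rn >>>= 0;
  imm >>>= 0;
  const result = (rn - imm) >>> 0;
  return {
    n: (result >>> 31) === 1,
    z: result === 0,
    c: rn >= imm, // CMP: carry set means "no borrow"
    v: ((rn ^ imm) & (rn ^ result) & 0x80000000) !== 0, // signed subtract overflow
  };
}

function flagsCmn(rn, imm) {
  rn >>>= 0;
  imm >>>= 0;
  const wide = rn + imm; // exact in a double (< 2^33)
  const result = wide >>> 0;
  return {
    n: (result >>> 31) === 1,
    z: result === 0,
    c: wide >= TWO32, // CMN: carry set only on a real carry out of bit 31
    v: (~(rn ^ imm) & (rn ^ result) & 0x80000000) !== 0, // signed add overflow
  };
}

// HI ("Above", unsigned >): C set and Z clear.
function above(flags) {
  return flags.c && !flags.z;
}

// What branch32(Above, gpr, TrustedImm32(0)) evaluates to with each opcode.
// With cmn, adding 0 never produces a carry, so HI is never taken.
function aboveZero(rn, useCmn) {
  return above(useCmn ? flagsCmn(rn, 0) : flagsCmp(rn, 0));
}

// The rewrite an assembler relies on: "cmn r, #imm" equals "cmp r, #-imm" in
// all four flags, except when imm is 0 (-0 is still 0, and the carry differs).
function cmnMatchesNegatedCmp(rn, imm) {
  const a = flagsCmn(rn, imm);
  const b = flagsCmp(rn, (-imm) >>> 0);
  return a.n === b.n && a.z === b.z && a.c === b.c && a.v === b.v;
}
```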
3144
3145 2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>
3146
3147         test262: Completion values for control flow do not match the spec
3148         https://bugs.webkit.org/show_bug.cgi?id=171265
3149
3150         Reviewed by Saam Barati.
3151
3152         * bytecompiler/BytecodeGenerator.h:
3153         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
3154         When we care about having proper completion values (global code
3155         in programs, modules, and eval) insert undefined results for
3156         control flow statements.
3157
3158         * bytecompiler/NodesCodegen.cpp:
3159         (JSC::SourceElements::emitBytecode):
3160         Reduce writing a default `undefined` value to the completion result to
3161         only once before the last statement we know will produce a value.
3162
3163         (JSC::IfElseNode::emitBytecode):
3164         (JSC::WithNode::emitBytecode):
3165         (JSC::WhileNode::emitBytecode):
3166         (JSC::ForNode::emitBytecode):
3167         (JSC::ForInNode::emitBytecode):
3168         (JSC::ForOfNode::emitBytecode):
3169         (JSC::SwitchNode::emitBytecode):
3170         Insert an undefined to handle cases where code may break out of an
3171         if/else or with statement (break/continue).
3172
3173         (JSC::TryNode::emitBytecode):
3174         Same handling for break cases. Also, finally block statement completion
3175         values are always ignored for the try statement result.
3176
3177         (JSC::ClassDeclNode::emitBytecode):
3178         Class declarations, like function declarations, produce an empty result.
3179
3180         * parser/Nodes.cpp:
3181         (JSC::SourceElements::lastStatement):
3182         (JSC::SourceElements::hasCompletionValue):
3183         (JSC::SourceElements::hasEarlyBreakOrContinue):
3184         (JSC::BlockNode::lastStatement):
3185         (JSC::BlockNode::singleStatement):
3186         (JSC::BlockNode::hasCompletionValue):
3187         (JSC::BlockNode::hasEarlyBreakOrContinue):
3188         (JSC::ScopeNode::singleStatement):
3189         (JSC::ScopeNode::hasCompletionValue):
3190         (JSC::ScopeNode::hasEarlyBreakOrContinue):
3191         The only non-trivial cases need to loop through their list of statements
3192         to determine if this has a completion value or not. Likewise for
3193         determining if there is an early break / continue, meaning a break or
3194         continue statement with no preceding statement that has a completion value.
3195
3196         * parser/Nodes.h:
3197         (JSC::StatementNode::next):
3198         (JSC::StatementNode::hasCompletionValue):
3199         Helper to check if a statement node produces a completion value or not.
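        As an added example (not WebKit's code), the completion values this entry implements can be observed through indirect eval, which runs its argument as global code and returns the program's completion value; the function name inside the last sample is a constructed placeholder.

```javascript
// Added example (not WebKit's code): observe spec completion values for the
// statement kinds this entry covers. Indirect eval runs the text as global
// code, where completion values are meaningful.
function completionValue(source) {
  return (0, eval)(source); // indirect eval: global code, sloppy mode
}

function completionSamples() {
  return {
    // A control-flow statement whose body never runs still yields undefined,
    // replacing the earlier "1" (the "insert undefined" cases above).
    ifNotTaken: completionValue("1; if (false) {}"),
    whileNotEntered: completionValue("1; while (false) {}"),
    // The finally block's value is ignored; the try block's value is kept.
    tryFinally: completionValue("1; try { 2; } finally { 3; }"),
    // A break carries the value produced before it out of the loop.
    doWhileBreak: completionValue("1; do { 2; break; } while (false)"),
    // Declarations produce an empty completion, so the earlier "1" survives.
    functionDecl: completionValue("1; function addedExampleFn() {}"),
  };
}
```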
3200
3201 2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>
3202
3203         Missing <functional> includes make builds fail with GCC 7.x
3204         https://bugs.webkit.org/show_bug.cgi?id=173544
3205
3206         Unreviewed gardening.
3207
3208         Fix compilation with GCC 7.
3209
3210         * API/tests/CompareAndSwapTest.cpp:
3211         * runtime/VMEntryScope.h:
3212
3213 2017-06-17  Keith Miller  <keith_miller@apple.com>
3214
3215         ArrayBuffer constructor needs to create subclass structures before its buffer
3216         https://bugs.webkit.org/show_bug.cgi?id=173510
3217
3218         Reviewed by Yusuke Suzuki.
3219
3220         * runtime/JSArrayBufferConstructor.cpp:
3221         (JSC::constructArrayBuffer):
3222
3223 2017-06-17  Keith Miller  <keith_miller@apple.com>
3224
3225         ArrayPrototype methods should use JSValue::toLength for non-Arrays.
3226         https://bugs.webkit.org/show_bug.cgi?id=173506
3227
3228         Reviewed by Ryosuke Niwa.
3229
3230         This patch changes the result of unshift if old length +
3231         unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
3232         the getLength function, which was always incorrect to use, has
3233         been removed. Additionally, some cases where we were using a
3234         constant for (2 ** 53) - 1 have been replaced with
3235         maxSafeInteger().
3236
3237         * interpreter/Interpreter.cpp:
3238         (JSC::sizeOfVarargs):
3239         * runtime/ArrayPrototype.cpp:
3240         (JSC::arrayProtoFuncToLocaleString):
3241         (JSC::arrayProtoFuncPop):
3242         (JSC::arrayProtoFuncPush):
3243         (JSC::arrayProtoFuncReverse):
3244         (JSC::arrayProtoFuncShift):
3245         (JSC::arrayProtoFuncSlice):
3246         (JSC::arrayProtoFuncSplice):
3247         (JSC::arrayProtoFuncUnShift):
3248         (JSC::arrayProtoFuncIndexOf):
3249         (JSC::arrayProtoFuncLastIndexOf):
3250         * runtime/JSArrayInlines.h:
3251         (JSC::getLength): Deleted.
3252         * runtime/JSCJSValue.cpp:
3253         (JSC::JSValue::toLength):
3254         * runtime/NumberConstructor.cpp:
3255         (JSC::numberConstructorFuncIsSafeInteger):
3256
3257 2017-06-16  Matt Baker  <mattbaker@apple.com>
3258
3259         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
3260         https://bugs.webkit.org/show_bug.cgi?id=172623
3261         <rdar://problem/32415986>
3262
3263         Reviewed by Devin Rousso and Joseph Pecoraro.
3264
3265         This patch adds a basic Canvas protocol. It includes Canvas and related
3266         types and events for monitoring the lifetime of canvases in the page.
3267
3268         * CMakeLists.txt:
3269         * DerivedSources.make:
3270         * inspector/protocol/Canvas.json: Added.
3271
3272         * inspector/scripts/codegen/generator.py:
3273         (Generator.stylized_name_for_enum_value):
3274         Add special handling for Canvas.ContextType protocol enumeration,
3275         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
3276
3277 2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>
3278
3279         [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
3280         https://bugs.webkit.org/show_bug.cgi?id=173366
3281         <rdar://problem/32767014>
3282
3283         Reviewed by Tim Horton.
3284
3285         Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.
3286
3287         * Configurations/FeatureDefines.xcconfig:
3288
3289 2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3290
3291         [JSC] Add fast path for Object.assign
3292         https://bugs.webkit.org/show_bug.cgi?id=173416
3293
3294         Reviewed by Mark Lam.
3295
3296         In Object.assign implementation, we need to ensure that given key is still enumerable own key.
3297         This seems like a duplicate lookup, and we want to avoid it. However, we still need to perform this
3298         check in the face of Proxy. Proxy can observe that this check is done correctly.
3299
3300         In almost all the cases, the above check is duplicate to the subsequent [[Get]] operation.
3301         In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
3302         If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
3303         value by calling `slot.getValue()`.
3304
3305         This further improves performance of Object.assign.
3306
3307                                         baseline                  patched
3308
3309             object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster
3310
3311         * runtime/ObjectConstructor.cpp:
3312         (JSC::objectConstructorAssign):
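        As an added example (not WebKit's code) for this entry and the Object.values entry above, the Proxy trace below makes the two observable steps visible: the enumerable-own-key check ([[GetOwnProperty]]) and the value read ([[Get]]) for each key. The source objects and trap log are constructed sample data.

```javascript
// Added example (not WebKit's code): make the two observable steps behind
// Object.values() and Object.assign() visible with a Proxy. An engine may
// only collapse "check the key is still an enumerable own property" and
// "read its value" into one lookup when the source is an ordinary object;
// a Proxy (an opaque object) sees every step, so the order must be kept.
function traceSource(run) {
  const log = [];
  const source = { a: 1, b: 2 }; // constructed sample source object
  const proxy = new Proxy(source, {
    ownKeys(t) {
      log.push("ownKeys");
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    get(t, key, receiver) {
      log.push(`get:${String(key)}`);
      return Reflect.get(t, key, receiver);
    },
  });
  const result = run(proxy);
  return { log, result };
}

// Both built-ins perform: ownKeys, then per key [[GetOwnProperty]] (the
// enumerability check) followed by [[Get]] (the value read).
function traceObjectValues() {
  return traceSource((p) => Object.values(p));
}
function traceObjectAssign() {
  return traceSource((p) => Object.assign({}, p));
}

// Why the re-check cannot simply be dropped even for ordinary objects: the
// getter run by [[Get]] for "a" removes "b" before its turn, and "b" is then
// skipped because its [[GetOwnProperty]] comes back undefined.
function assignWithMutatingGetter() {
  const source = {
    get a() {
      delete this.b;
      return 1;
    },
    b: 2,
  };
  return Object.keys(Object.assign({}, source)); // ["a"]
}
```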
3313
3314 2017-06-16  Michael Saboff  <msaboff@apple.com>
3315
3316         Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
3317         https://bugs.webkit.org/show_bug.cgi?id=173488
3318
3319         Reviewed by Filip Pizlo.
3320
3321         ClonedArguments lazily sets its callee and iterator properties and it used its own inline
3322         code to initialize its butterfly.  This means that these lazily set properties can have
3323         bogus values in those slots.  Instead, let's use the standard Butterfly::tryCreate() method
3324         to create the butterfly as it clears out-of-line properties.
3325
3326         * runtime/ClonedArguments.cpp:
3327         (JSC::ClonedArguments::createEmpty):
3328
3329 2017-06-16  Mark Lam  <mark.lam@apple.com>
3330
3331         Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
3332         https://bugs.webkit.org/show_bug.cgi?id=173491
3333
3334         Reviewed by Keith Miller.
3335
3336         The implementations are based on static data. There's no need to get the
3337         interpreter instance. Hence, we can make these methods static and avoid doing
3338         unnecessary work to compute the interpreter this pointer.
3339
3340         Also removed the unused isCallBytecode method.
3341
3342         * bytecode/BytecodeBasicBlock.cpp:
3343         (JSC::BytecodeBasicBlock::computeImpl):
3344         * bytecode/BytecodeDumper.cpp:
3345         (JSC::BytecodeDumper<Block>::printGetByIdOp):
3346         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
3347         (JSC::BytecodeDumper<Block>::dumpBytecode):
3348         (JSC::BytecodeDumper<Block>::dumpBlock):
3349         * bytecode/BytecodeLivenessAnalysis.cpp:
3350         (JSC::BytecodeLivenessAnalysis::dumpResults):
3351         * bytecode/BytecodeLivenessAnalysisInlines.h:
3352         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
3353         * bytecode/BytecodeRewriter.cpp:
3354         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
3355         * bytecode/CallLinkStatus.cpp:
3356         (JSC::CallLinkStatus::computeFromLLInt):
3357         * bytecode/CodeBlock.cpp:
3358         (JSC::CodeBlock::finishCreation):
3359         (JSC::CodeBlock::propagateTransitions):
3360         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3361         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
3362         (JSC::CodeBlock::usesOpcode):
3363         (JSC::CodeBlock::valueProfileForBytecodeOffset):
3364         (JSC::CodeBlock::arithProfileForPC):
3365         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3366         * bytecode/PreciseJumpTargets.cpp:
3367         (JSC::getJumpTargetsForBytecodeOffset):
3368         (JSC::computePreciseJumpTargetsInternal):
3369         (JSC::findJumpTargetsForBytecodeOffset):
3370         * bytecode/PreciseJumpTargetsInlines.h:
3371         (JSC::extractStoredJumpTargetsForBytecodeOffset):
3372         * bytecode/UnlinkedCodeBlock.cpp:
3373         (JSC::UnlinkedCodeBlock::applyModification):
3374         * dfg/DFGByteCodeParser.cpp:
3375         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3376         (JSC::DFG::ByteCodeParser::parseBlock):
3377         * dfg/DFGCapabilities.cpp:
3378         (JSC::DFG::capabilityLevel):
3379         * interpreter/Interpreter.cpp:
3380         (JSC::Interpreter::Interpreter):
3381         (JSC::Interpreter::isOpcode):
3382         (): Deleted.
3383         * interpreter/Interpreter.h:
3384         (JSC::Interpreter::getOpcode): Deleted.
3385         (JSC::Interpreter::getOpcodeID): Deleted.
3386         (JSC::Interpreter::isCallBytecode): Deleted.
3387         * interpreter/InterpreterInlines.h:
3388         (JSC::Interpreter::getOpcode):
3389         (JSC::Interpreter::getOpcodeID):
3390         * jit/JIT.cpp:
3391         (JSC::JIT::privateCompileMainPass):
3392         (JSC::JIT::privateCompileSlowCases):
3393         * jit/JITOpcodes.cpp:
3394         (JSC::JIT::emitNewFuncCommon):
3395         (JSC::JIT::emitNewFuncExprCommon):
3396         * jit/JITPropertyAccess.cpp:
3397         (JSC::JIT::emitSlow_op_put_by_val):
3398         (JSC::JIT::privateCompilePutByVal):
3399         * jit/JITPropertyAccess32_64.cpp:
3400         (JSC::JIT::emitSlow_op_put_by_val):
3401         * llint/LLIntSlowPaths.cpp:
3402         (JSC::LLInt::llint_trace_operand):
3403         (JSC::LLInt::llint_trace_value):
3404         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3405         * profiler/ProfilerBytecodeSequence.cpp:
3406         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
3407
3408 2017-06-16  Matt Lewis  <jlewis3@apple.com>
3409
3410         Unreviewed, rolling out r218376.
3411
3412         The patch causes multiple Layout Test crashes.
3413
3414         Reverted changeset:
3415
3416         "Web Inspector: Instrument 2D/WebGL canvas contexts in the
3417         backend"
3418         https://bugs.webkit.org/show_bug.cgi?id=172623
3419         http://trac.webkit.org/changeset/218376
3420
3421 2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>
3422
3423         REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
3424         https://bugs.webkit.org/show_bug.cgi?id=173470
3425
3426         Reviewed by Joseph Pecoraro.
3427
3428         ConsoleClient::printConsoleMessageWithArguments() incorrectly uses
3429         const char* overload of StringBuilder::append() that assumes Latin1
3430         encoding, not UTF8.
3431
3432         * runtime/ConsoleClient.cpp:
3433         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3434
3435 2017-06-15  Mark Lam  <mark.lam@apple.com>
3436
3437         Add a JSRunLoopTimer registry in VM.
3438         https://bugs.webkit.org/show_bug.cgi?id=173429
3439         <rdar://problem/31287961>
3440
3441         Reviewed by Filip Pizlo.
3442
3443         This way, we can be sure we've got every JSRunLoopTimer instance covered if we
3444         need to change their run loop (e.g. when setting to the WebThread's run loop).
3445
3446         * heap/Heap.cpp:
3447         (JSC::Heap::Heap):
3448         (JSC::Heap::setRunLoop): Deleted.
3449         * heap/Heap.h:
3450         (JSC::Heap::runLoop): Deleted.
3451         * runtime/JSRunLoopTimer.cpp:
3452         (JSC::JSRunLoopTimer::JSRunLoopTimer):
3453         (JSC::JSRunLoopTimer::setRunLoop):
3454         (JSC::JSRunLoopTimer::~JSRunLoopTimer):
3455         * runtime/VM.cpp:
3456         (JSC::VM::VM):
3457         (JSC::VM::registerRunLoopTimer):
3458         (JSC::VM::unregisterRunLoopTimer):
3459         (JSC::VM::setRunLoop):
3460         * runtime/VM.h:
3461         (JSC::VM::runLoop):
3462
3463 2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>
3464
3465         [Cocoa] Modernize some internal initializers to use instancetype instead of id
3466         https://bugs.webkit.org/show_bug.cgi?id=173112
3467
3468         Reviewed by Wenson Hsieh.
3469
3470         * API/JSContextInternal.h:
3471         * API/JSWrapperMap.h:
3472         * API/JSWrapperMap.mm:
3473         (-[JSObjCClassInfo initForClass:]):
3474         (-[JSWrapperMap initWithGlobalContextRef:]):
3475
3476 2017-06-15  Matt Baker  <mattbaker@apple.com>
3477
3478         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
3479         https://bugs.webkit.org/show_bug.cgi?id=172623
3480         <rdar://problem/32415986>
3481
3482         Reviewed by Devin Rousso.
3483
3484         This patch adds a basic Canvas protocol. It includes Canvas and related
3485         types and events for monitoring the lifetime of canvases in the page.
3486
3487         * CMakeLists.txt: