977b5d4aef5c3a2e023129c39da851dae9278405
[WebKit.git] / Source / JavaScriptCore / ChangeLog
1 2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [JSC] Add fast path for Object.assign
4         https://bugs.webkit.org/show_bug.cgi?id=173416
5
6         Reviewed by Mark Lam.
7
8         In Object.assign implementation, we need to ensure that the given key is still an enumerable own key.
9         This seems to be a duplicate lookup. And we want to avoid this. However, we still need to perform this
10         check in the face of Proxy. Proxy can observe that this check is done correctly.
11
12         In almost all the cases, the above check is a duplicate of the subsequent [[Get]] operation.
13         In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
14         If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
15         value by calling `slot.getValue()`.
16
17         This further improves performance of Object.assign.
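The observability the entry relies on can be checked from script. The block below is an added example, not WebKit code: it wraps a constructed source object in a Proxy that logs every trap, runs `Object.assign` over it, and shows that the engine must query the own-property descriptor before each [[Get]] and must skip [[Get]] entirely when the descriptor trap reports the key as absent. The helper names (`makeLoggingProxy`, `observeAssign`, `hiddenKeys`) are this example's own.

```javascript
"use strict";

// Added example: a Proxy that logs the traps Object.assign invokes.
// `hiddenKeys` lists own keys the descriptor trap will report as absent
// (allowed by the Proxy invariants because the target's properties are
// configurable), so Object.assign must skip them without calling [[Get]].
function makeLoggingProxy(target, log, hiddenKeys = []) {
  return new Proxy(target, {
    ownKeys(t) {
      log.push("ownKeys");
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      if (hiddenKeys.includes(key)) return undefined;
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    get(t, key, receiver) {
      log.push(`get:${String(key)}`);
      return Reflect.get(t, key, receiver);
    },
  });
}

// Copies `source` through a logging Proxy and returns the copy plus the
// ordered trap log, which is the spec-mandated sequence the engine must emit.
function observeAssign(source, hiddenKeys = []) {
  const log = [];
  const proxy = makeLoggingProxy(source, log, hiddenKeys);
  const result = Object.assign({}, proxy);
  return { result, log };
}

// Constructed sample input.
const sample = { a: 1, b: 2 };
console.log(observeAssign(sample));
console.log(observeAssign(sample, ["b"]));
```

The second call is the case the duplicate-lookup check exists for: once the descriptor trap hides `b`, a conforming engine never issues `get:b`, which is exactly what a fast path that skipped the check would get wrong.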
18
19                                         baseline                  patched
20
21             object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster
22
23         * runtime/ObjectConstructor.cpp:
24         (JSC::objectConstructorAssign):
25
26 2017-06-16  Michael Saboff  <msaboff@apple.com>
27
28         Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
29         https://bugs.webkit.org/show_bug.cgi?id=173488
30
31         Reviewed by Filip Pizlo.
32
33         ClonedArguments lazily sets its callee and iterator properties and it used its own inline
34         code to initialize its butterfly.  This means that these lazily set properties can have
35         bogus values in those slots.  Instead, let's use the standard Butterfly::tryCreate() method
36         to create the butterfly as it clears out of line properties.
37
38         * runtime/ClonedArguments.cpp:
39         (JSC::ClonedArguments::createEmpty):
40
41 2017-06-16  Mark Lam  <mark.lam@apple.com>
42
43         Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
44         https://bugs.webkit.org/show_bug.cgi?id=173491
45
46         Reviewed by Keith Miller.
47
48         The implementation is based on static data. There's no need to get the
49         interpreter instance. Hence, we can make these methods static and avoid doing
50         unnecessary work to compute the interpreter this pointer.
51
52         Also removed the unused isCallBytecode method.
53
54         * bytecode/BytecodeBasicBlock.cpp:
55         (JSC::BytecodeBasicBlock::computeImpl):
56         * bytecode/BytecodeDumper.cpp:
57         (JSC::BytecodeDumper<Block>::printGetByIdOp):
58         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
59         (JSC::BytecodeDumper<Block>::dumpBytecode):
60         (JSC::BytecodeDumper<Block>::dumpBlock):
61         * bytecode/BytecodeLivenessAnalysis.cpp:
62         (JSC::BytecodeLivenessAnalysis::dumpResults):
63         * bytecode/BytecodeLivenessAnalysisInlines.h:
64         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
65         * bytecode/BytecodeRewriter.cpp:
66         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
67         * bytecode/CallLinkStatus.cpp:
68         (JSC::CallLinkStatus::computeFromLLInt):
69         * bytecode/CodeBlock.cpp:
70         (JSC::CodeBlock::finishCreation):
71         (JSC::CodeBlock::propagateTransitions):
72         (JSC::CodeBlock::finalizeLLIntInlineCaches):
73         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
74         (JSC::CodeBlock::usesOpcode):
75         (JSC::CodeBlock::valueProfileForBytecodeOffset):
76         (JSC::CodeBlock::arithProfileForPC):
77         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
78         * bytecode/PreciseJumpTargets.cpp:
79         (JSC::getJumpTargetsForBytecodeOffset):
80         (JSC::computePreciseJumpTargetsInternal):
81         (JSC::findJumpTargetsForBytecodeOffset):
82         * bytecode/PreciseJumpTargetsInlines.h:
83         (JSC::extractStoredJumpTargetsForBytecodeOffset):
84         * bytecode/UnlinkedCodeBlock.cpp:
85         (JSC::UnlinkedCodeBlock::applyModification):
86         * dfg/DFGByteCodeParser.cpp:
87         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
88         (JSC::DFG::ByteCodeParser::parseBlock):
89         * dfg/DFGCapabilities.cpp:
90         (JSC::DFG::capabilityLevel):
91         * interpreter/Interpreter.cpp:
92         (JSC::Interpreter::Interpreter):
93         (JSC::Interpreter::isOpcode):
94         (): Deleted.
95         * interpreter/Interpreter.h:
96         (JSC::Interpreter::getOpcode): Deleted.
97         (JSC::Interpreter::getOpcodeID): Deleted.
98         (JSC::Interpreter::isCallBytecode): Deleted.
99         * interpreter/InterpreterInlines.h:
100         (JSC::Interpreter::getOpcode):
101         (JSC::Interpreter::getOpcodeID):
102         * jit/JIT.cpp:
103         (JSC::JIT::privateCompileMainPass):
104         (JSC::JIT::privateCompileSlowCases):
105         * jit/JITOpcodes.cpp:
106         (JSC::JIT::emitNewFuncCommon):
107         (JSC::JIT::emitNewFuncExprCommon):
108         * jit/JITPropertyAccess.cpp:
109         (JSC::JIT::emitSlow_op_put_by_val):
110         (JSC::JIT::privateCompilePutByVal):
111         * jit/JITPropertyAccess32_64.cpp:
112         (JSC::JIT::emitSlow_op_put_by_val):
113         * llint/LLIntSlowPaths.cpp:
114         (JSC::LLInt::llint_trace_operand):
115         (JSC::LLInt::llint_trace_value):
116         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
117         * profiler/ProfilerBytecodeSequence.cpp:
118         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
119
120 2017-06-16  Matt Lewis  <jlewis3@apple.com>
121
122         Unreviewed, rolling out r218376.
123
124         The patch causes multiple Layout Test Crashes.
125
126         Reverted changeset:
127
128         "Web Inspector: Instrument 2D/WebGL canvas contexts in the
129         backend"
130         https://bugs.webkit.org/show_bug.cgi?id=172623
131         http://trac.webkit.org/changeset/218376
132
133 2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>
134
135         REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
136         https://bugs.webkit.org/show_bug.cgi?id=173470
137
138         Reviewed by Joseph Pecoraro.
139
140         ConsoleClient::printConsoleMessageWithArguments() incorrectly uses
141         const char* overload of StringBuilder::append() that assumes Latin1
142         encoding, not UTF8.
143
144         * runtime/ConsoleClient.cpp:
145         (JSC::ConsoleClient::printConsoleMessageWithArguments):
146
147 2017-06-15  Mark Lam  <mark.lam@apple.com>
148
149         Add a JSRunLoopTimer registry in VM.
150         https://bugs.webkit.org/show_bug.cgi?id=173429
151         <rdar://problem/31287961>
152
153         Reviewed by Filip Pizlo.
154
155         This way, we can be sure we've got every JSRunLoopTimer instance covered if we
156         need to change their run loop (e.g. when setting to the WebThread's run loop).
157
158         * heap/Heap.cpp:
159         (JSC::Heap::Heap):
160         (JSC::Heap::setRunLoop): Deleted.
161         * heap/Heap.h:
162         (JSC::Heap::runLoop): Deleted.
163         * runtime/JSRunLoopTimer.cpp:
164         (JSC::JSRunLoopTimer::JSRunLoopTimer):
165         (JSC::JSRunLoopTimer::setRunLoop):
166         (JSC::JSRunLoopTimer::~JSRunLoopTimer):
167         * runtime/VM.cpp:
168         (JSC::VM::VM):
169         (JSC::VM::registerRunLoopTimer):
170         (JSC::VM::unregisterRunLoopTimer):
171         (JSC::VM::setRunLoop):
172         * runtime/VM.h:
173         (JSC::VM::runLoop):
174
175 2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>
176
177         [Cocoa] Modernize some internal initializers to use instancetype instead of id
178         https://bugs.webkit.org/show_bug.cgi?id=173112
179
180         Reviewed by Wenson Hsieh.
181
182         * API/JSContextInternal.h:
183         * API/JSWrapperMap.h:
184         * API/JSWrapperMap.mm:
185         (-[JSObjCClassInfo initForClass:]):
186         (-[JSWrapperMap initWithGlobalContextRef:]):
187
188 2017-06-15  Matt Baker  <mattbaker@apple.com>
189
190         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
191         https://bugs.webkit.org/show_bug.cgi?id=172623
192         <rdar://problem/32415986>
193
194         Reviewed by Devin Rousso.
195
196         This patch adds a basic Canvas protocol. It includes Canvas and related
197         types and events for monitoring the lifetime of canvases in the page.
198
199         * CMakeLists.txt:
200         * DerivedSources.make:
201         * inspector/protocol/Canvas.json: Added.
202
203         * inspector/scripts/codegen/generator.py:
204         (Generator.stylized_name_for_enum_value):
205         Add special handling for Canvas.ContextType protocol enumeration,
206         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
207
208 2017-06-15  Keith Miller  <keith_miller@apple.com>
209
210         Add logging to MachineStackMarker to try to diagnose crashes in the wild
211         https://bugs.webkit.org/show_bug.cgi?id=173427
212
213         Reviewed by Mark Lam.
214
215         This patch adds some logging to the MachineStackMarker constructor
216         to help figure out where we are seeing crashes. Since macOS does
217         not support os_log_info my hope is that if we set all the callee
218         save registers before making any calls in the C++ code we can
219         figure out which call is the source of the crash. We also set
220         all the caller save registers before returning in case some
221         weirdness is happening in the Heap constructor.
222
223         This logging should not matter from a performance perspective. We
224         only create MachineStackMarkers when we are creating a new VM,
225         which is already expensive.
226
227         * heap/MachineStackMarker.cpp:
228         (JSC::MachineThreads::MachineThreads):
229
230 2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
231
232         [JSC] Implement Object.assign in C++
233         https://bugs.webkit.org/show_bug.cgi?id=173414
234
235         Reviewed by Saam Barati.
236
237         Implementing Object.assign in JS is not so good compared to the C++ version because:
238
239         1. JS version allocates JS array for object own keys. And we allocate JSString / Symbol for each key.
240         But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells is wasteful.
241
242         2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic.
243         So JS's type profile doesn't help well.
244
245         3. We have a chance to introduce various fast paths for Object.assign in C++.
246
247         This patch moves implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].
248
249         We can see 1.65x improvement in SixSpeed object-assign.es6.
250
251                                     baseline                  patched
252
253         object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster
254
255         [1]: https://bugs.webkit.org/show_bug.cgi?id=173416
256
257         * builtins/ObjectConstructor.js:
258         (entries):
259         (assign): Deleted.
260         * runtime/JSCJSValueInlines.h:
261         (JSC::JSValue::putInline):
262         * runtime/JSCell.h:
263         * runtime/JSCellInlines.h:
264         (JSC::JSCell::putInline):
265         * runtime/JSObject.cpp:
266         (JSC::JSObject::put):
267         * runtime/JSObject.h:
268         * runtime/JSObjectInlines.h:
269         (JSC::JSObject::putInlineForJSObject):
270         (JSC::JSObject::putInline): Deleted.
271         * runtime/ObjectConstructor.cpp:
272         (JSC::objectConstructorAssign):
273
274 2017-06-14  Dan Bernstein  <mitz@apple.com>
275
276         [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
277         https://bugs.webkit.org/show_bug.cgi?id=168578
278
279         Reviewed by Geoff Garen.
280
281         * API/JSWrapperMap.mm:
282         (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
283         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
284         (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
285           it defines conformance to a JSExport-derived protocol and if so, avoid using the
286           superclass as a substitute as we’d normally do.
287
288         * API/ObjcRuntimeExtras.h:
289         (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
290           bail out.
291
292         * API/tests/JSExportTests.mm:
293         (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
294         (runJSExportTests): Run new test.
295
296 2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
297
298         Unreviewed, suppress invalid register allocation validation assertion in 32 bit part 2
299         https://bugs.webkit.org/show_bug.cgi?id=172421
300
301         * dfg/DFGSpeculativeJIT.cpp:
302         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
303
304 2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>
305
306         REGRESSION: 15 new jsc failures in WPE and GTK+
307         https://bugs.webkit.org/show_bug.cgi?id=173349
308
309         Reviewed by JF Bastien.
310
311         Recent changes to generateWasm.py are not accounted for from
312         CMake, which leads to WasmOps.h not being regenerated in partial
313         builds. Make generateWasm.py an additional dependency.
314         * CMakeLists.txt:
315
316 2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>
317
318         Debugger has unexpected effect on program correctness
319         https://bugs.webkit.org/show_bug.cgi?id=172683
320
321         Reviewed by Saam Barati.
322
323         * inspector/InjectedScriptSource.js:
324         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
325         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
326         (BasicCommandLineAPI):
327         Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
328         We still use it for Set / Map iteration which we can eliminate when moving to builtins.
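Why `for..of` over an Array is observable, and what the index-based replacement avoids, can be shown in a few lines. This is an added example and not code from InjectedScriptSource: `withPatchedArrayIterator` temporarily installs a logging `Array.prototype[Symbol.iterator]` (what a page script could do) and restores the original afterwards; the two collectors and the helper names are this example's own.

```javascript
"use strict";

// Added example: installs a logging Array.prototype[Symbol.iterator] for the
// duration of `fn`, restores the original, and returns fn's result plus the
// log of iterator lookups the page-side hook would have seen.
function withPatchedArrayIterator(fn) {
  const original = Array.prototype[Symbol.iterator];
  const log = [];
  Object.defineProperty(Array.prototype, Symbol.iterator, {
    configurable: true, writable: true, enumerable: false,
    value: function () {
      log.push("Array.prototype[Symbol.iterator] called");
      return original.call(this);
    },
  });
  try {
    return { result: fn(), log };
  } finally {
    Object.defineProperty(Array.prototype, Symbol.iterator, {
      configurable: true, writable: true, enumerable: false, value: original,
    });
  }
}

// The pattern the entry removes: for..of goes through the iteration
// protocol, so a hook on Array.prototype[Symbol.iterator] sees every loop.
function collectWithForOf(array) {
  const out = [];
  for (const item of array) out.push(item);
  return out;
}

// Index-based alternative: reads only .length and the elements and never
// consults the iteration protocol, so the hook above is not triggered.
function collectWithIndex(array) {
  const out = [];
  for (let i = 0; i < array.length; ++i) out.push(array[i]);
  return out;
}

// Constructed sample input.
console.log(withPatchedArrayIterator(() => collectWithForOf([1, 2, 3])));
console.log(withPatchedArrayIterator(() => collectWithIndex([1, 2, 3])));
```

The index loop is not immune to every page-side modification (element getters and prototype holes remain reachable), but it closes the iteration-protocol channel the entry is concerned with.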
329
330 2017-06-13  JF Bastien  <jfbastien@apple.com>
331
332         WebAssembly: fix erroneous signature comment
333         https://bugs.webkit.org/show_bug.cgi?id=173334
334
335         Reviewed by Keith Miller.
336
337         * wasm/WasmSignature.h:
338
339 2017-06-13  Michael Saboff  <msaboff@apple.com>
340
341         Refactor AbsenceOfSetter to AbsenceOfSetEffects
342         https://bugs.webkit.org/show_bug.cgi?id=173322
343
344         Reviewed by Filip Pizlo.
345
346         * bytecode/ObjectPropertyCondition.h:
347         (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
348         (JSC::ObjectPropertyCondition::absenceOfSetEffect):
349         (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
350         (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
351         * bytecode/ObjectPropertyConditionSet.cpp:
352         (JSC::generateConditionsForPropertySetterMiss):
353         (JSC::generateConditionsForPropertySetterMissConcurrently):
354         * bytecode/PropertyCondition.cpp:
355         (JSC::PropertyCondition::dumpInContext):
356         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
357         (JSC::PropertyCondition::isStillValid):
358         (WTF::printInternal):
359         * bytecode/PropertyCondition.h:
360         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
361         (JSC::PropertyCondition::absenceOfSetEffect):
362         (JSC::PropertyCondition::hasPrototype):
363         (JSC::PropertyCondition::hash):
364         (JSC::PropertyCondition::operator==):
365         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
366         (JSC::PropertyCondition::absenceOfSetter): Deleted.
367
368 2017-06-13  JF Bastien  <jfbastien@apple.com>
369
370         WebAssembly: import updated spec tests
371         https://bugs.webkit.org/show_bug.cgi?id=173287
372         <rdar://problem/32725975>
373
374         Reviewed by Saam Barati.
375
376         Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
377         with a few modifications so things work.
378
379         Fix a bunch of bugs found through this process, and punt a few tests (which I
380         marked as blocked by this bug).
381
382         Fixes:
383
384         Fix load / store alignment: r216908 erroneously implemented it as bit alignment
385         instead of byte alignment. It was also missing memory-alignment.js despite it
386         being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
387         pass.
388
389         Tables can be imported or in a section. There can be only one, but sections can
390         be empty. An Elements section can exist if there's no Table, as long as it is
391         also empty.
392
393         Memories can be imported or in a section. There can be only one, but sections
394         can be empty. A Data section can exist if there's no Memory, as long as it is
395         also empty.
396
397         Prototypes: stringify without .prototype. in the string.
398
399         WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
400         not a final size, and throws a RangeError on failure, not a TypeError.
401
402         Fix compile / instantiate so they reject the promise if given an argument of the
403         wrong type (instead of failing instantly).
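The two API contracts just described (`Table.prototype.grow` taking a delta and throwing `RangeError` on failure; `compile` rejecting its promise rather than throwing synchronously on a wrong-typed argument) can be checked directly against any engine with WebAssembly support. The block below is an added example, not a WebKit test; the function names and the `initial`/`maximum` values are constructed for illustration.

```javascript
"use strict";

// Added example: exercises Table.prototype.grow and records each step.
// grow(delta) returns the previous length; growing past `maximum` must
// throw a RangeError (not a TypeError) and leave the table unchanged.
function exerciseTableGrow() {
  const table = new WebAssembly.Table({ element: "anyfunc", initial: 1, maximum: 2 });
  const steps = [];
  steps.push({ op: "grow(1)", returned: table.grow(1), length: table.length });
  try {
    table.grow(1); // 2 + 1 exceeds maximum
    steps.push({ op: "grow(1)", returned: "no throw", length: table.length });
  } catch (e) {
    steps.push({ op: "grow(1)", threw: e.constructor.name, length: table.length });
  }
  return steps;
}

// compile() must hand back a rejected promise (TypeError) for a
// non-BufferSource argument instead of throwing before a promise exists.
async function compileWithWrongType(arg) {
  let promise;
  try {
    promise = WebAssembly.compile(arg);
  } catch (e) {
    return { sync: e.constructor.name };
  }
  try {
    await promise;
    return { resolved: true };
  } catch (e) {
    return { rejected: e.constructor.name };
  }
}

console.log(exerciseTableGrow());
compileWithWrongType(42).then((r) => console.log(r));
```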
404
405         Fix async on neuter test.
406
407         Element section shouldn't affect any Table if any of the elements are out of
408         bounds. We need to process it in two passes.
409
410         Segment section shouldn't affect any Data if any of the segments are out of
411         bounds. We need to process it in two passes.
412
413         Empty data segments are valid, but only when there is no memory. Their index
414         still gets validated, and has to be zero.
415
416         Punts:
417
418         Error messages with context, the test seems overly restrictive but this is
419         minor.
420
421         compile/instantiate/validate property descriptors.
422
423         UTF-8 bugs.
424
425         Temporarily disable NaN tests. We need to go back and implement the following
426         semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
427         much as getting all the other tests passing.
428
429         Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
430         no_fold_promote_demote (an interesting corner case which we get wrong). mul by
431         one is (assert_return (invoke \"f64.no_fold_mul_one\" (i64.const
432         0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
433         to qNaN, and promote/demote is (assert_return (invoke \"no_fold_promote_demote\"
434         (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
435         why they're not allowed.
436
437         * wasm/WasmB3IRGenerator.cpp:
438         * wasm/WasmFunctionParser.h:
439         * wasm/WasmModuleParser.cpp:
440         * wasm/WasmModuleParser.h:
441         * wasm/WasmParser.h:
442         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
443         * wasm/generateWasm.py:
444         (memoryLog2Alignment):
445         * wasm/js/JSWebAssemblyTable.cpp:
446         (JSC::JSWebAssemblyTable::grow):
447         * wasm/js/JSWebAssemblyTable.h:
448         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
449         * wasm/js/WebAssemblyInstancePrototype.cpp:
450         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
451         * wasm/js/WebAssemblyMemoryPrototype.cpp:
452         * wasm/js/WebAssemblyModulePrototype.cpp:
453         * wasm/js/WebAssemblyModuleRecord.cpp:
454         (JSC::WebAssemblyModuleRecord::evaluate):
455         * wasm/js/WebAssemblyPrototype.cpp:
456         (JSC::webAssemblyCompileFunc):
457         (JSC::resolve):
458         (JSC::instantiate):
459         (JSC::compileAndInstantiate):
460         (JSC::webAssemblyInstantiateFunc):
461         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
462         * wasm/js/WebAssemblyTablePrototype.cpp:
463         (JSC::webAssemblyTableProtoFuncGrow):
464
465 2017-06-13  Michael Saboff  <msaboff@apple.com>
466
467         DFG doesn't properly handle a property that is changed to read only in a prototype
468         https://bugs.webkit.org/show_bug.cgi?id=173321
469
470         Reviewed by Filip Pizlo.
471
472         We need to check for ReadOnly as well as not being a Setter when checking
473         an AbsenceOfSetter.
474
475         * bytecode/PropertyCondition.cpp:
476         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
477
478 2017-06-13  Daniel Bates  <dabates@apple.com>
479
480         Implement W3C Secure Contexts Draft Specification
481         https://bugs.webkit.org/show_bug.cgi?id=158121
482         <rdar://problem/26012994>
483
484         Reviewed by Brent Fulgham.
485
486         Part 4
487
488         Adds isSecureContext to the list of common identifiers as needed to support
489         toggling its exposure from a runtime enabled feature flag.
490
491         * runtime/CommonIdentifiers.h:
492
493 2017-06-13  Don Olmstead  <don.olmstead@sony.com>
494
495         [JSC] Remove redundant includes in config.h
496         https://bugs.webkit.org/show_bug.cgi?id=173294
497
498         Reviewed by Alex Christensen.
499
500         * config.h:
501
502 2017-06-12  Saam Barati  <sbarati@apple.com>
503
504         We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
505         https://bugs.webkit.org/show_bug.cgi?id=172957
506         <rdar://problem/32602704>
507
508         Reviewed by Filip Pizlo.
509
510         Consider this program:
511         ```
512         block#1:
513         n: GetClosureVar(..., |this|) // this will load empty JSValue()
514         SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell
515         Branch(#2, #3)
516         
517         Block#3:
518         x: GetLocal(locFoo)
519         y: CheckNotEmpty(@x)
520         ```
521         
522         If we claim that a cell check filters out the empty value, we will
523         incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
524         FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.
525         
526         On 64 bit platforms:
527         - Cell use kind *now allows* the empty value to pass through.
528         - CellOrOther use kind *now allows* for the empty value to pass through
529         - NotCell use kind *no longer allows* the empty value to pass through.
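The DFG program in the entry corresponds to a concrete JavaScript shape: a derived-class constructor whose arrow function captures `this` (the closure variable holding the empty value until `super()` runs), a branch, and a later read that must hit the `CheckNotEmpty`. The block below is an added example, not a WebKit regression test: it states the contract a fix must preserve at every tier by running the constructor many times and counting outcomes. The class names and the `callSuperFirst` harness are constructed for illustration.

```javascript
"use strict";

// Added example: the JS-level contract behind CheckNotEmpty. In a derived
// constructor |this| is the empty value until super() runs; an arrow function
// captures it as a closure variable, so reading it before super() must throw
// a ReferenceError no matter how hot (and how optimized) the code is.
class Base {}

class Derived extends Base {
  constructor(callSuperFirst) {
    const readThis = () => this;       // closure over |this|
    if (callSuperFirst) super();       // the branch from the entry's program
    let readResult;
    try {
      readThis();                      // the load that CheckNotEmpty guards
      readResult = "ok";
    } catch (e) {
      readResult = e instanceof ReferenceError ? "ReferenceError" : "other";
    }
    if (!callSuperFirst) super();      // now legal; completes construction
    this.readResult = readResult;
  }
}

// Runs the constructor `iterations` times so the engine tiers it up and
// returns how often each outcome occurred. A correct engine never reports
// "ok" when super() was skipped.
function countOutcomes(callSuperFirst, iterations = 20000) {
  const counts = { ok: 0, ReferenceError: 0, other: 0 };
  for (let i = 0; i < iterations; ++i) {
    counts[new Derived(callSuperFirst).readResult]++;
  }
  return counts;
}

console.log(countOutcomes(true));
console.log(countOutcomes(false));
```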
530
531         * assembler/CPU.h:
532         (JSC::isARMv7IDIVSupported):
533         (JSC::isARM64):
534         (JSC::isX86):
535         (JSC::isX86_64):
536         (JSC::is64Bit):
537         (JSC::is32Bit):
538         (JSC::isMIPS):
539         Make these functions constexpr so we can use them in static variable assignment.
540
541         * bytecode/SpeculatedType.h:
542         * dfg/DFGSpeculativeJIT.cpp:
543         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
544         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
545         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
546         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
547         (JSC::DFG::SpeculativeJIT::speculateCell):
548         (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
549         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
550         (JSC::DFG::SpeculativeJIT::speculateString):
551         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
552         (JSC::DFG::SpeculativeJIT::speculateSymbol):
553         (JSC::DFG::SpeculativeJIT::speculateNotCell):
554         * dfg/DFGSpeculativeJIT32_64.cpp:
555         * dfg/DFGSpeculativeJIT64.cpp:
556         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
557         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
558         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
559         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
560         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
561         * dfg/DFGUseKind.h:
562         (JSC::DFG::typeFilterFor):
563         * ftl/FTLLowerDFGToB3.cpp:
564         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
565         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
566         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
567         (JSC::FTL::DFG::LowerDFGToB3::boolify):
568         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
569         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
570         (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
571         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
572         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
573         (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
574         (JSC::FTL::DFG::LowerDFGToB3::isCell):
575         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
576         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
577         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
578         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
579         (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):
580
581 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
582
583         Unreviewed, suppress invalid register allocation validation assertion in 32 bit
584         https://bugs.webkit.org/show_bug.cgi?id=172421
585
586         * dfg/DFGSpeculativeJIT.cpp:
587         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
588
589 2017-06-12  Oleksandr Skachkov  <gskachkov@gmail.com>
590
591         We incorrectly allow escaped characters in keyword tokens
592         https://bugs.webkit.org/show_bug.cgi?id=171310
593
594         Reviewed by Yusuke Suzuki.
595
596         According to the spec it is not allowed to use escaped characters in
597         keywords. https://tc39.github.io/ecma262/#sec-reserved-words
598         The current patch implements this requirement.
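The boundary the entry enforces (escapes are rejected in keyword positions but still valid in identifiers and in property names, which are IdentifierNames) can be probed against any engine's parser. This is an added example, not the WebKit test for this bug: it feeds constructed source strings to `new Function`, which parses but never executes them, and classifies each outcome. The probe names and the `classifySource`/`classifyAll` helpers are this example's own.

```javascript
"use strict";

// Added example: classify how the host parser treats a source string.
// new Function compiles the text without running it, so the probes only
// exercise the lexer and parser.
function classifySource(source) {
  try {
    new Function(source);
    return "accepted";
  } catch (e) {
    return e instanceof SyntaxError ? "SyntaxError" : "other";
  }
}

// Constructed probes. "\u0069f" is the keyword `if` with an escaped `i`;
// "\u0061bc" is the ordinary identifier `abc` with an escaped `a`.
const PROBES = {
  plainKeyword: "if (true) {}",
  escapedKeyword: "\\u0069f (true) {}",
  escapedKeywordAsBinding: "var \\u0069f = 1;",
  escapedIdentifier: "var \\u0061bc = 1; return abc;",
  escapedKeywordAsPropertyName: "return ({ \\u0069f: 1 }).if;",
};

// Returns a map from probe name to classification.
function classifyAll(probes = PROBES) {
  const out = {};
  for (const name of Object.keys(probes)) out[name] = classifySource(probes[name]);
  return out;
}

console.log(classifyAll());
```

A conforming parser accepts `plainKeyword`, `escapedIdentifier` and `escapedKeywordAsPropertyName` and rejects the two escaped-keyword probes with a SyntaxError; a parser with the pre-patch behaviour would accept all five.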
599
600
601         * parser/Lexer.cpp:
602         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
603         * parser/Parser.cpp:
604         (JSC::Parser<LexerType>::printUnexpectedTokenText):
605         * parser/ParserTokens.h:
606
607 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
608
609         Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64
610         https://bugs.webkit.org/show_bug.cgi?id=172421
611
612         * assembler/MacroAssemblerARM64.h:
613         (JSC::MacroAssemblerARM64::branch64):
614         (JSC::MacroAssemblerARM64::branchPtr):
615
616 2017-06-12  Commit Queue  <commit-queue@webkit.org>
617
618         Unreviewed, rolling out r218093.
619         https://bugs.webkit.org/show_bug.cgi?id=173259
620
621         Break builds (Requested by yusukesuzuki on #webkit).
622
623         Reverted changeset:
624
625         "Unreviewed, build fix for ARM64"
626         https://bugs.webkit.org/show_bug.cgi?id=172421
627         http://trac.webkit.org/changeset/218093
628
629 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
630
631         Unreviewed, build fix for ARM64
632         https://bugs.webkit.org/show_bug.cgi?id=172421
633
634         * dfg/DFGSpeculativeJIT.cpp:
635         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
636
637 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
638
639         [DFG] Add ArrayIndexOf intrinsic
640         https://bugs.webkit.org/show_bug.cgi?id=172421
641
642         Reviewed by Saam Barati.
643
644         This patch introduces ArrayIndexOfIntrinsic for DFG and FTL optimizations.
645         We emit an array check and go to the fast path if the array is Array::Int32, Array::Double
646         or Array::Contiguous. In addition, for the Array::Int32 and Array::Double cases,
647         we have inlined fast paths.
648
649         With updated ARES-6 Babylon,
650
651         Before
652             firstIteration:     45.76 +- 3.87 ms
653             averageWorstCase:   24.41 +- 2.17 ms
654             steadyState:        8.01 +- 0.22 ms
655         After
656             firstIteration:     45.64 +- 4.23 ms
657             averageWorstCase:   23.03 +- 3.34 ms
658             steadyState:        7.33 +- 0.34 ms
659
660         In SixSpeed.
661                                          baseline                  patched
662
663             map-set-lookup.es5      734.4701+-10.4383    ^    102.0968+-2.6357        ^ definitely 7.1939x faster
664             map-set.es5              41.1396+-1.0558     ^     33.1916+-0.7986        ^ definitely 1.2395x faster
665             map-set-object.es5       62.8317+-1.2518     ^     45.6944+-0.8369        ^ definitely 1.3750x faster
666
667         * dfg/DFGAbstractInterpreterInlines.h:
668         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
669         * dfg/DFGByteCodeParser.cpp:
670         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
671         * dfg/DFGClobberize.h:
672         (JSC::DFG::clobberize):
673         * dfg/DFGDoesGC.cpp:
674         (JSC::DFG::doesGC):
675         * dfg/DFGFixupPhase.cpp:
676         (JSC::DFG::FixupPhase::fixupNode):
677         * dfg/DFGNode.h:
678         (JSC::DFG::Node::hasArrayMode):
679         * dfg/DFGNodeType.h:
680         * dfg/DFGOperations.cpp:
681         * dfg/DFGOperations.h:
682         * dfg/DFGPredictionPropagationPhase.cpp:
683         * dfg/DFGSafeToExecute.h:
684         (JSC::DFG::safeToExecute):
685         * dfg/DFGSpeculativeJIT.cpp:
686         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
687         (JSC::DFG::SpeculativeJIT::speculateObject):
688         * dfg/DFGSpeculativeJIT.h:
689         (JSC::DFG::SpeculativeJIT::callOperation):
690         * dfg/DFGSpeculativeJIT32_64.cpp:
691         (JSC::DFG::SpeculativeJIT::compile):
692         * dfg/DFGSpeculativeJIT64.cpp:
693         (JSC::DFG::SpeculativeJIT::compile):
694         (JSC::DFG::SpeculativeJIT::speculateInt32):
695         * ftl/FTLCapabilities.cpp:
696         (JSC::FTL::canCompile):
697         * ftl/FTLLowerDFGToB3.cpp:
698         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
699         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
700         * jit/JITOperations.h:
701         * runtime/ArrayPrototype.cpp:
702         (JSC::ArrayPrototype::finishCreation):
703         * runtime/Intrinsic.cpp:
704         (JSC::intrinsicName):
705         * runtime/Intrinsic.h:
706
707 2017-06-11  Keith Miller  <keith_miller@apple.com>
708
709         TypedArray constructor with string shouldn't throw
710         https://bugs.webkit.org/show_bug.cgi?id=173181
711
712         Reviewed by JF Bastien.
713
714         We should be coercing primitive arguments to numbers in the various
715         TypedArray constructors.
716
717         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
718         (JSC::constructGenericTypedArrayViewWithArguments):
719
720 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
721
722         [WTF] Make ThreadMessage portable
723         https://bugs.webkit.org/show_bug.cgi?id=172073
724
725         Reviewed by Keith Miller.
726
727         * runtime/MachineContext.h:
728         (JSC::MachineContext::stackPointer):
729         * tools/CodeProfiling.cpp:
730         (JSC::profilingTimer):
731
732 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
733
734         [JSC] Shrink Structure size
735         https://bugs.webkit.org/show_bug.cgi?id=173239
736
737         Reviewed by Mark Lam.
738
739         We find that the size of our Structure is slightly enlarged due to paddings.
740         By changing the order of members, we can reduce the size from 120 to 112.
741         This is good because 120 and 112 are categorized into different size classes.
742         For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes.
743         We now save 16 bytes per Structure for free.
744
745         * runtime/ConcurrentJSLock.h:
746         * runtime/Structure.cpp:
747         (JSC::Structure::Structure):
748         * runtime/Structure.h:
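
        The padding argument above, worked through in C as an added example (not code from the WebKit tree): the member names are constructed stand-ins for Structure's fields, an LP64 target with 8-byte pointers is assumed, and the 16-byte size-class rounding is an assumption chosen because it reproduces the 120 to 128 and 112 to 112 figures quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Two orderings of one hypothetical member set (constructed for this example;
 * it is not JSC's real Structure layout). On an LP64 target pointers are 8 bytes
 * and 8-byte aligned, so a 4-byte field that sits alone between two pointers
 * drags in 4 bytes of padding.
 */

/* Original order: two uint32_t fields, each isolated between pointers. */
typedef struct OriginalOrder {
    void*    cell;                 /* offset 0   */
    uint32_t blob;                 /* offset 8,  then 4 bytes of padding */
    void*    globalObject;         /* offset 16  */
    uint32_t transitionCount;      /* offset 24, then 4 bytes of padding */
    void*    prototype;            /* offset 32  */
    uint16_t inlineCapacity;       /* offset 40  */
    uint16_t outOfLineCount;       /* offset 42  */
    uint8_t  flagsA;               /* offset 44  */
    uint8_t  flagsB;               /* offset 45  */
    uint8_t  lock;                 /* offset 46  */
    uint8_t  bitField;             /* offset 47: the six small fields fill one slot */
    void*    previous;             /* offset 48  */
    void*    propertyTable;
    void*    classInfo;
    void*    transitionTable;
    void*    cachedPrototypeChain;
    void*    rareData;
    void*    watchpointSet;
    uint64_t seenProperties;
    void*    constructor;          /* ends at 120 */
} OriginalOrder;

/* Reordered: all 8-byte members first, then the small members packed together. */
typedef struct ReorderedOrder {
    void*    cell;
    void*    globalObject;
    void*    prototype;
    void*    previous;
    void*    propertyTable;
    void*    classInfo;
    void*    transitionTable;
    void*    cachedPrototypeChain;
    void*    rareData;
    void*    watchpointSet;
    uint64_t seenProperties;
    void*    constructor;          /* 12 x 8 = 96 bytes so far */
    uint32_t blob;                 /* offset 96  */
    uint32_t transitionCount;      /* offset 100 */
    uint16_t inlineCapacity;       /* offset 104 */
    uint16_t outOfLineCount;       /* offset 106 */
    uint8_t  flagsA;               /* offset 108 */
    uint8_t  flagsB;
    uint8_t  lock;
    uint8_t  bitField;             /* ends at 112, no padding at all */
} ReorderedOrder;

/* Sum of the raw member sizes, identical for both orders: 12*8 + 2*4 + 2*2 + 4*1. */
enum { kMemberBytes = 12 * 8 + 2 * 4 + 2 * 2 + 4 * 1 };

/* Bytes of padding the compiler inserted = sizeof minus the members themselves. */
size_t paddingBytes(size_t structSize, size_t memberBytes)
{
    return structSize - memberBytes;
}

/* Assumed allocator size classes at 16-byte granularity: 112 -> 112, 120 -> 128. */
size_t sizeClassBytes(size_t bytes)
{
    return (bytes + 15) & ~(size_t)15;
}

/* Memory actually saved per object once size-class rounding is accounted for. */
size_t bytesSavedPerObject(void)
{
    return sizeClassBytes(sizeof(OriginalOrder)) - sizeClassBytes(sizeof(ReorderedOrder));
}

int main(void)
{
    printf("original : sizeof=%zu padding=%zu allocated=%zu\n",
           sizeof(OriginalOrder), paddingBytes(sizeof(OriginalOrder), kMemberBytes),
           sizeClassBytes(sizeof(OriginalOrder)));
    printf("reordered: sizeof=%zu padding=%zu allocated=%zu\n",
           sizeof(ReorderedOrder), paddingBytes(sizeof(ReorderedOrder), kMemberBytes),
           sizeClassBytes(sizeof(ReorderedOrder)));
    printf("saved per object: %zu bytes\n", bytesSavedPerObject());
    return 0;
}
```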
749
750 2017-06-11  Konstantin Tokarev  <annulen@yandex.ru>
751
752         Unreviewed, attempt to fix JSC tests on Win after r217771
753
754         * jsc.cpp:
755         (currentWorkingDirectory): buffer is not NULL-terminated
756
757 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
758
759         [WTF] Add RegisteredSymbolImpl
760         https://bugs.webkit.org/show_bug.cgi?id=173230
761
762         Reviewed by Mark Lam.
763
764         * runtime/SymbolConstructor.cpp:
765         (JSC::symbolConstructorKeyFor):
766
767 2017-06-10  Dan Bernstein  <mitz@apple.com>
768
769         Reverted r218056 because it made the IDE reindex constantly.
770
771         * Configurations/DebugRelease.xcconfig:
772
773 2017-06-10  Dan Bernstein  <mitz@apple.com>
774
775         [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE
776         https://bugs.webkit.org/show_bug.cgi?id=173223
777
778         Reviewed by Sam Weinig.
779
780         The rebuilds were happening due to a difference in the compiler options that the IDE and
781         xcodebuild were specifying. Only the IDE was passing the -index-store-path option. To make
782         xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and
783         specify an appropriate path in CLANG_INDEX_STORE_PATH.
784
785         * Configurations/DebugRelease.xcconfig:
786
787 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
788
789         [JSC] Update RegExp.prototype.[@@search] implementation according to the latest spec
790         https://bugs.webkit.org/show_bug.cgi?id=173227
791
792         Reviewed by Mark Lam.
793
794         The latest spec introduces slight change to RegExp.prototype.[@@search].
795         This patch applies this change. Basically, this change is done in the slow path of
796         the RegExp.prototype[@@search].
797         https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search
798
799         * builtins/RegExpPrototype.js:
800         (search):
801
802 2017-06-09  Chris Dumez  <cdumez@apple.com>
803
804         Update Thread::create() to take in a WTF::Function instead of a std::function
805         https://bugs.webkit.org/show_bug.cgi?id=173175
806
807         Reviewed by Mark Lam.
808
809         * API/tests/CompareAndSwapTest.cpp:
810         (testCompareAndSwap):
811
812 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
813
814         [DFG] Add verboseDFGOSRExit
815         https://bugs.webkit.org/show_bug.cgi?id=173156
816
817         Reviewed by Saam Barati.
818
819         This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit.
820
821         * dfg/DFGOSRExitCompiler.cpp:
822         * runtime/Options.h:
823
824 2017-06-09  Guillaume Emont  <guijemont@igalia.com>
825
826         [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation
827         https://bugs.webkit.org/show_bug.cgi?id=173170
828
829         Reviewed by Yusuke Suzuki.
830
831         MIPS does not build since r217711 because it is missing this
832         implementation. This patch fixes the build.
833
834         * assembler/MacroAssemblerMIPS.h:
835         (JSC::MacroAssemblerMIPS::xor32):
836
837 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
838
839         [JSC] FTL does not require dlfcn
840         https://bugs.webkit.org/show_bug.cgi?id=173143
841
842         Reviewed by Darin Adler.
843
844         We no longer use LLVM library. Thus, dlfcn.h is not necessary.
845         Also, ProcessID is not used in FTLLowerDFGToB3.cpp.
846
847         * ftl/FTLLowerDFGToB3.cpp:
848
849 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
850
851         [DFG] Add --verboseDFGFailure
852         https://bugs.webkit.org/show_bug.cgi?id=173155
853
854         Reviewed by Sam Weinig.
855
856         Similar to verboseFTLFailure, JSC should have verboseDFGFailure flag to show DFG failures quickly.
857
858         * dfg/DFGCapabilities.cpp:
859         (JSC::DFG::verboseCapabilities):
860         (JSC::DFG::debugFail):
861         * runtime/Options.cpp:
862         (JSC::recomputeDependentOptions):
863         * runtime/Options.h:
864
865 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
866
867         [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY
868         https://bugs.webkit.org/show_bug.cgi?id=173147
869
870         Reviewed by JF Bastien.
871
872         Because this value becomes -1 in non-Darwin environments.
873         Thus, we do not need to use OS(DARWIN) here.
874
875         * wasm/WasmMemory.cpp:
876
877 2017-06-09  Daewoong Jang  <daewoong.jang@navercorp.com>
878
879         Reduce compiler warnings
880         https://bugs.webkit.org/show_bug.cgi?id=172078
881
882         Reviewed by Yusuke Suzuki.
883
884         * runtime/IntlDateTimeFormat.h:
885
886 2017-06-08  Joseph Pecoraro  <pecoraro@apple.com>
887
888         [Cocoa] JSWrapperMap leaks for all JSContexts
889         https://bugs.webkit.org/show_bug.cgi?id=173110
890         <rdar://problem/32602198>
891
892         Reviewed by Geoffrey Garen.
893
894         * API/JSContext.mm:
895         (-[JSContext ensureWrapperMap]):
896         Ensure this allocation gets released.
897
898 2017-06-08  Filip Pizlo  <fpizlo@apple.com>
899
900         REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
901         https://bugs.webkit.org/show_bug.cgi?id=161156
902
903         Reviewed by Saam Barati.
904         
905         Since LLInt does not register impure property watchpoints for self property accesses, it
906         shouldn't try to cache accesses that require a watchpoint.
907         
908         This manifested as a flaky failure because the test would fire the watchpoint after we had
909         usually already tiered up. Without concurrent JIT, we would have always tiered up before
910         getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
911         also adds a test that deterministically failed in LLInt without this change; it does so by just
912         running a lot shorter.
913
914         * llint/LLIntSlowPaths.cpp:
915         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
916
917 2017-06-08  Keith Miller  <keith_miller@apple.com>
918
919         WebAssembly: We should only create wrappers for functions that can be exported
920         https://bugs.webkit.org/show_bug.cgi?id=173088
921
922         Reviewed by Saam Barati.
923
924         This patch makes it so we only create wrappers for WebAssembly functions that
925         can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times.
926
927         This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI.
928         Most of the tests were duplicates of ones in the spec-tests directory. The others I
929         have converted to use the normal API.
930
931         * jsc.cpp:
932         (GlobalObject::finishCreation):
933         (valueWithTypeOfWasmValue): Deleted.
934         (box): Deleted.
935         (callWasmFunction): Deleted.
936         (functionTestWasmModuleFunctions): Deleted.
937         * wasm/WasmB3IRGenerator.cpp:
938         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
939         (JSC::Wasm::createJSToWasmWrapper):
940         (JSC::Wasm::parseAndCompile):
941         * wasm/WasmB3IRGenerator.h:
942         * wasm/WasmBBQPlan.cpp:
943         (JSC::Wasm::BBQPlan::prepare):
944         (JSC::Wasm::BBQPlan::compileFunctions):
945         (JSC::Wasm::BBQPlan::complete):
946         * wasm/WasmBBQPlan.h:
947         * wasm/WasmBBQPlanInlines.h:
948         (JSC::Wasm::BBQPlan::initializeCallees):
949         * wasm/WasmCodeBlock.cpp:
950         (JSC::Wasm::CodeBlock::CodeBlock):
951         * wasm/WasmCodeBlock.h:
952         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
953         * wasm/WasmFormat.h:
954         * wasm/WasmOMGPlan.cpp:
955         (JSC::Wasm::OMGPlan::work):
956
957 2017-06-07  JF Bastien  <jfbastien@apple.com>
958
959         WebAssembly: test imports and exports with 16-bit characters
960         https://bugs.webkit.org/show_bug.cgi?id=165977
961         <rdar://problem/29760130>
962
963         Reviewed by Saam Barati.
964
965         Add the missing UTF-8 conversions. Improve import failure error
966         messages, otherwise it's hard to figure out which import is wrong.
967
968         * wasm/js/JSWebAssemblyInstance.cpp:
969         (JSC::JSWebAssemblyInstance::create):
970         * wasm/js/WebAssemblyModuleRecord.cpp:
971         (JSC::WebAssemblyModuleRecord::finishCreation):
972         (JSC::WebAssemblyModuleRecord::link):
973
974 2017-06-07  Devin Rousso  <drousso@apple.com>
975
976         Web Inspector: Add ContextMenu item to log WebSocket object to console
977         https://bugs.webkit.org/show_bug.cgi?id=172878
978
979         Reviewed by Joseph Pecoraro.
980
981         * inspector/protocol/Network.json:
982         Add resolveWebSocket command.
983
984 2017-06-07  Jon Davis  <jond@apple.com>
985
986         Update feature status for features Supported In Preview
987         https://bugs.webkit.org/show_bug.cgi?id=173071
988
989         Reviewed by Darin Adler.
990
991         Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2,
992         User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC.
993
994         * features.json:
995
996 2017-06-07  Saam Barati  <sbarati@apple.com>
997
998         Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141
999         https://bugs.webkit.org/show_bug.cgi?id=172673
1000         <rdar://problem/32250144>
1001
1002         Reviewed by Mark Lam.
1003
1004         This patch simply removes this assertion. It's faulty because it
1005         races with the main thread when doing concurrent compilation.
1006         
1007         Consider a program with:
1008         - a FrozenValue over an object O and Structure S1. S1 starts off as dfgWatchable() being true.
1009         - Structure S2
1010         
1011         The DFG IR is like so:
1012           a: JSConstant(O) // FrozenValue {O, S1}
1013           b: CheckStructure(@a, S2)
1014           c: ToThis(@a)
1015           d: CheckEq(@c, nullConstant)
1016           Branch(@d)
1017         
1018         The AbstractValue for @a will start off as having a finite structure because S1 is dfgWatchable().
1019         When running AI, we'll notice that node @b will OSR exit, so nodes after
1020         @b are unreachable. Later in the compilation, S1 is no longer dfgWatchable().
1021         Now, when running AI, @a will have Top for its structure set. No longer will
1022         we think @b exits.
1023         
1024         The DFG backend asserts that under such a situation, we should have simplified
1025         the CheckEq to false. However, this is a racy thing to assert, since the
1026         transition from dfgWatchable() to !dfgWatchable() can happen right before we
1027         enter the backend. Hence, this assertion is not valid.
1028         
1029         (Note, the generated code for the above program will never actually execute.
1030         Since we noticed S1 as dfgWatchable(), we make the compilation dependent on
1031         S1 not transitioning. S1 transitions, so we won't actually run the code that
1032         gets compiled.)
1033
1034         * dfg/DFGSpeculativeJIT64.cpp:
1035         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1036
1037 2017-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1038
1039         [JSC] has_generic_property never accepts non-String
1040         https://bugs.webkit.org/show_bug.cgi?id=173057
1041
1042         Reviewed by Darin Adler.
1043
1044         We never pass non-String value to has_generic_property bytecode.
1045
1046         * runtime/CommonSlowPaths.cpp:
1047         (JSC::SLOW_PATH_DECL):
1048
1049 2017-06-06  Fujii Hironori  <Hironori.Fujii@sony.com>
1050
1051         [Win][x86-64] Some callee saved registers aren't preserved
1052         https://bugs.webkit.org/show_bug.cgi?id=171266
1053
1054         Reviewed by Saam Barati.
1055
1056         * jit/RegisterSet.cpp:
1057         (JSC::RegisterSet::calleeSaveRegisters): Added edi and esi for X86_64 Windows.
1058
1059 2017-06-06  Mark Lam  <mark.lam@apple.com>
1060
1061         Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
1062         https://bugs.webkit.org/show_bug.cgi?id=173035
1063         <rdar://problem/32554593>
1064
1065         Reviewed by Geoffrey Garen and Filip Pizlo.
1066
1067         Also added and fixed up some assertions.
1068
1069         * runtime/ArrayConventions.h:
1070         * runtime/JSArray.cpp:
1071         (JSC::JSArray::setLength):
1072         * runtime/JSObject.cpp:
1073         (JSC::JSObject::createInitialIndexedStorage):
1074         (JSC::JSObject::ensureLengthSlow):
1075         (JSC::JSObject::reallocateAndShrinkButterfly):
1076         * runtime/JSObject.h:
1077         (JSC::JSObject::ensureLength):
1078         * runtime/RegExpObject.cpp:
1079         (JSC::collectMatches):
1080         * runtime/RegExpPrototype.cpp:
1081         (JSC::regExpProtoFuncSplitFast):
1082
1083 2017-06-06  Saam Barati  <sbarati@apple.com>
1084
1085         Make sure we restore SP when doing calls that could be to JS
1086         https://bugs.webkit.org/show_bug.cgi?id=172946
1087         <rdar://problem/32579026>
1088
1089         Reviewed by JF Bastien.
1090
1091         I was worried that there was a bug where we'd call JS, JS would tail call,
1092         and we'd end up with a bogus SP. However, this bug does not exist since wasm
1093         always calls to JS through a stub, and the stub treats SP as a callee save.
1094         
1095         I wrote a test for this, and also made a note that this is the needed ABI.
1096
1097         * wasm/WasmBinding.cpp:
1098         (JSC::Wasm::wasmToJs):
1099
1100 2017-06-06  Keith Miller  <keith_miller@apple.com>
1101
1102         OMG tier up checks should be a patchpoint
1103         https://bugs.webkit.org/show_bug.cgi?id=172944
1104
1105         Reviewed by Saam Barati.
1106
1107         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
1108         in order to reduce the code generated out of line in each function. We generate a single stub
1109         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
1110
1111         * wasm/WasmB3IRGenerator.cpp:
1112         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1113         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1114         (JSC::Wasm::B3IRGenerator::addLoop):
1115         * wasm/WasmThunks.cpp:
1116         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1117         * wasm/WasmThunks.h:
1118
1119 2017-06-06  Darin Adler  <darin@apple.com>
1120
1121         Cut down use of WTF_ARRAY_LENGTH
1122         https://bugs.webkit.org/show_bug.cgi?id=172997
1123
1124         Reviewed by Chris Dumez.
1125
1126         * parser/Lexer.cpp:
1127         (JSC::singleEscape): Use WTF_ARRAY_LENGTH instead of ARRAY_SIZE.
1128
1129         * runtime/NumberPrototype.cpp:
1130         (JSC::toStringWithRadix): Use std::end instead of WTF_ARRAY_LENGTH.
1131
1132 2017-06-06  Konstantin Tokarev  <annulen@yandex.ru>
1133
1134         Add missing <functional> includes
1135         https://bugs.webkit.org/show_bug.cgi?id=173017
1136
1137         Patch by Thiago Macieira <thiago.macieira@intel.com>
1138         Reviewed by Yusuke Suzuki.
1139
1140         This patch fixes compilation with GCC 7.
1141
1142         * inspector/InspectorBackendDispatcher.h:
1143
1144 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
1145
1146         Unreviewed, fix 32-bit build.
1147
1148         * jit/JITOpcodes.cpp:
1149         (JSC::JIT::emit_op_unreachable):
1150
1151 2017-06-06  Joseph Pecoraro  <pecoraro@apple.com>
1152
1153         Unreviewed rollout r217807. Caused a test to crash.
1154
1155         * heap/HeapSnapshotBuilder.cpp:
1156         (JSC::HeapSnapshotBuilder::buildSnapshot):
1157         (JSC::HeapSnapshotBuilder::json):
1158         (): Deleted.
1159         * heap/HeapSnapshotBuilder.h:
1160         * runtime/JSObject.cpp:
1161         (JSC::JSObject::calculatedClassName):
1162
1163 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
1164
1165         index out of bound in bytecodebasicblock
1166         https://bugs.webkit.org/show_bug.cgi?id=172963
1167
1168         Reviewed by Saam Barati and Mark Lam.
1169         
1170         We were leaving an unterminated basic block when generating CodeForCall for a class
1171         constructor. This was mostly benign since that unterminated block was not reachable, but it
1172         does cause an ASSERT.
1173         
1174         This fixes the issue by appending op_unreachable to that block. I added op_unreachable because
1175         this really is the cleanest and most idiomatic way to solve this problem, so even though it
1176         makes the change bigger it's probably worth it.
1177
1178         * bytecode/BytecodeDumper.cpp:
1179         (JSC::BytecodeDumper<Block>::dumpBytecode):
1180         * bytecode/BytecodeList.json:
1181         * bytecode/BytecodeUseDef.h:
1182         (JSC::computeUsesForBytecodeOffset):
1183         (JSC::computeDefsForBytecodeOffset):
1184         * bytecode/Opcode.h:
1185         (JSC::isTerminal):
1186         * bytecompiler/BytecodeGenerator.cpp:
1187         (JSC::BytecodeGenerator::generate):
1188         (JSC::BytecodeGenerator::emitUnreachable):
1189         * bytecompiler/BytecodeGenerator.h:
1190         * dfg/DFGByteCodeParser.cpp:
1191         (JSC::DFG::ByteCodeParser::parseBlock):
1192         * dfg/DFGCapabilities.cpp:
1193         (JSC::DFG::capabilityLevel):
1194         * ftl/FTLLowerDFGToB3.cpp:
1195         (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
1196         * jit/JIT.cpp:
1197         (JSC::JIT::privateCompileMainPass):
1198         * jit/JIT.h:
1199         * jit/JITOpcodes.cpp:
1200         (JSC::JIT::emit_op_unreachable):
1201         * llint/LowLevelInterpreter.asm:
1202         * runtime/CommonSlowPaths.cpp:
1203         (JSC::SLOW_PATH_DECL):
1204         * runtime/CommonSlowPaths.h:
1205
1206 2017-06-06  Ryan Haddad  <ryanhaddad@apple.com>
1207
1208         Unreviewed, rolling out r217812.
1209
1210         This change caused test failures on arm64.
1211
1212         Reverted changeset:
1213
1214         "OMG tier up checks should be a patchpoint"
1215         https://bugs.webkit.org/show_bug.cgi?id=172944
1216         http://trac.webkit.org/changeset/217812
1217
1218 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
1219
1220         [WPE] Enable remote inspector
1221         https://bugs.webkit.org/show_bug.cgi?id=172971
1222
1223         Reviewed by Žan Doberšek.
1224
1225         We can just build the current glib remote inspector, without adding a frontend implementation and using a
1226         WebKitGTK+ browser as frontend for now.
1227
1228         * PlatformWPE.cmake: Add remote inspector files to compilation.
1229         * inspector/remote/glib/RemoteInspectorUtils.cpp:
1230         (Inspector::backendCommands): Load the inspector resources library.
1231
1232 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
1233
1234         [GLIB] Make remote inspector DBus protocol common to all glib based ports
1235         https://bugs.webkit.org/show_bug.cgi?id=172970
1236
1237         Reviewed by Žan Doberšek.
1238
1239         We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the
1240         idea that other ports could use their own names. However, the protocol is the same, so we could use the same
1241         names and make all glib based ports compatible with each other. This way we could use the GTK+ MiniBrowser to
1242         debug WPE, without having to implement the frontend part in WPE yet.
1243
1244         * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and remove platform ifdefs.
1245         * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto.
1246
1247 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
1248
1249         [GTK] Web Process deadlock when closing the remote inspector frontend
1250         https://bugs.webkit.org/show_bug.cgi?id=172973
1251
1252         Reviewed by Žan Doberšek.
1253
1254         We are taking the remote inspector mutex twice. First close message is received, and receivedCloseMessage()
1255         takes the mutex. Then RemoteConnectionToTarget::close() is called that, when connected, calls
1256         PageDebuggable::disconnect() that ends up calling RemoteInspector::updateTarget() that also takes the remote
1257         inspector mutex. We should release the mutex before calling RemoteConnectionToTarget::close().
1258
1259         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1260         (Inspector::RemoteInspector::receivedCloseMessage):
1261
1262 2017-06-05  Saam Barati  <sbarati@apple.com>
1263
1264         Try to fix features.json by adding an ESNext section.
1265
1266         Unreviewed.
1267
1268         * features.json:
1269
1270 2017-06-05  David Kilzer  <ddkilzer@apple.com>
1271
1272         Follow-up: Update JSC's features.json
1273         https://bugs.webkit.org/show_bug.cgi?id=172942
1274
1275         Rubber-stamped by Jon Davis.
1276
1277         * features.json: Change "Supported in preview" to
1278         "Supported" to try to fix <https://webkit.org/status/>.
1279
1280 2017-06-05  Saam Barati  <sbarati@apple.com>
1281
1282         We don't properly parse init_expr when the opcode is an unexpected opcode
1283         https://bugs.webkit.org/show_bug.cgi?id=172945
1284
1285         Reviewed by JF Bastien.
1286
1287         The bug is a simple typo. It should use the constant
1288         `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF
1289         macro. This failure is already caught by spec tests that fail
1290         on arm64 devices.
1291
1292         * wasm/WasmModuleParser.cpp:
1293
1294 2017-06-05  Keith Miller  <keith_miller@apple.com>
1295
1296         OMG tier up checks should be a patchpoint
1297         https://bugs.webkit.org/show_bug.cgi?id=172944
1298
1299         Reviewed by Saam Barati.
1300
1301         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
1302         in order to reduce the code generated out of line in each function. We generate a single stub
1303         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
1304
1305         * wasm/WasmB3IRGenerator.cpp:
1306         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1307         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1308         (JSC::Wasm::B3IRGenerator::addLoop):
1309         * wasm/WasmThunks.cpp:
1310         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1311         * wasm/WasmThunks.h:
1312
1313 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
1314
1315         Remove unused VM members
1316         https://bugs.webkit.org/show_bug.cgi?id=172941
1317
1318         Reviewed by Mark Lam.
1319
1320         * runtime/HashMapImpl.h:
1321         (JSC::HashMapImpl::selectStructure): Deleted.
1322         * runtime/VM.cpp:
1323         (JSC::VM::VM):
1324         * runtime/VM.h:
1325
1326 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
1327
1328         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1329         https://bugs.webkit.org/show_bug.cgi?id=172848
1330         <rdar://problem/25709212>
1331
1332         Reviewed by Saam Barati.
1333
1334         * heap/HeapSnapshotBuilder.h:
1335         * heap/HeapSnapshotBuilder.cpp:
1336         Update the snapshot version. Change the node's 0 | 1 internal value
1337         to be a 32-bit bit flag. This is nice in that it is both compatible
1338         with the previous snapshot version and the same size. We can use more
1339         flags in the future.
1340
1341         (JSC::HeapSnapshotBuilder::json):
1342         In cases where the classInfo gives us "Object" check for a better
1343         class name by checking (o).__proto__.constructor.name. We avoid this
1344         check in cases where (o).hasOwnProperty("constructor") which is the
1345         case for most Foo.prototype objects. Otherwise this would get the
1346         name of the Foo superclass for the Foo.prototype object.
1347
1348         * runtime/JSObject.cpp:
1349         (JSC::JSObject::calculatedClassName):
1350         Handle some possible edge cases that were not handled before. Such
1351         as a JSObject without a GlobalObject, and an object which doesn't
1352         have a default getPrototype. Try to make the code a little clearer.
1353
1354 2017-06-05  Saam Barati  <sbarati@apple.com>
1355
1356         Update JSC's features.json
1357         https://bugs.webkit.org/show_bug.cgi?id=172942
1358
1359         Rubber stamped by Mark Lam.
1360
1361         * features.json:
1362
1363 2017-06-04  Konstantin Tokarev  <annulen@yandex.ru>
1364
1365         Fix build of Windows-specific code with ICU 59.1
1366         https://bugs.webkit.org/show_bug.cgi?id=172729
1367
1368         Reviewed by Darin Adler.
1369
1370         Fix conversions from WTF::String to wchar_t* and vice versa.
1371
1372         * jsc.cpp:
1373         (currentWorkingDirectory):
1374         (fetchModuleFromLocalFileSystem):
1375         * runtime/DateConversion.cpp:
1376         (JSC::formatDateTime):
1377
1378 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1379
1380         [JSC] Drop unnecessary USE(CF) guard for getenv
1381         https://bugs.webkit.org/show_bug.cgi?id=172903
1382
1383         Reviewed by Sam Weinig.
1384
1385         getenv is not related to USE(CF) and OS(UNIX). It seems that this
1386         ifdef only hits in WinCairo, but WinCairo can use getenv.
1387         Moreover, in VM::VM, we already use getenv without any ifdef guard.
1388
1389         This patch just drops it.
1390
1391         * runtime/VM.cpp:
1392         (JSC::enableAssembler):
1393
1394 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1395
1396         [JSC] Drop OS(DARWIN) for uintptr_t type conflict
1397         https://bugs.webkit.org/show_bug.cgi?id=172904
1398
1399         Reviewed by Sam Weinig.
1400
1401         In non-Darwin environment, uintptr_t may have the same type
1402         as uint64_t. We avoided the compile error by using OS(DARWIN).
1403         But, since it depends on the cstdint implementation rather than the OS, it is flaky.
1404         Instead, we just use template parameter IntegralType.
1405         And we describe the type constraint in a SFINAE manner.
1406
1407         * dfg/DFGOpInfo.h:
1408         (JSC::DFG::OpInfo::OpInfo):
1409
1410 2017-06-03  Csaba Osztrogonác  <ossy@webkit.org>
1411
1412         [ARM] Unreviewed buildfix after r217711.
1413
1414         * assembler/MacroAssemblerARM.h:
1415         (JSC::MacroAssemblerARM::xor32):
1416
1417 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1418
1419         ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export
1420         https://bugs.webkit.org/show_bug.cgi?id=168844
1421
1422         Reviewed by Saam Barati.
1423
1424         As with the exported function declaration, we should set statementDepth = 1 for exported async function declaration.
1425
1426         * parser/Parser.cpp:
1427         (JSC::DepthManager::DepthManager):
1428         (JSC::Parser<LexerType>::parseExportDeclaration):
1429         * parser/Parser.h:
1430         (JSC::Parser::DepthManager::DepthManager): Deleted.
1431         (JSC::Parser::DepthManager::~DepthManager): Deleted.
1432
1433 2017-06-02  Keith Miller  <keith_miller@apple.com>
1434
1435         Defer installing mach breakpoint handler until watchdog is actually called
1436         https://bugs.webkit.org/show_bug.cgi?id=172885
1437
1438         Reviewed by Saam Barati.
1439
1440         Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging.
1441         This hides the issue, so it won't occur as often.
1442
1443         * runtime/VMTraps.cpp:
1444         (JSC::VMTraps::SignalSender::send):
1445         (JSC::VMTraps::VMTraps): Deleted.
1446         * runtime/VMTraps.h:
1447
1448 2017-06-02  Filip Pizlo  <fpizlo@apple.com>
1449
1450         Atomics.load and Atomics.store need to be fully fenced
1451         https://bugs.webkit.org/show_bug.cgi?id=172844
1452
1453         Reviewed by Keith Miller.
1454         
1455         Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and
1456         AtomicXchg(value, ptr) for the store.
1457         
1458         DFG needed no changes because it implements all atomics using a CAS loop.
1459         
1460         AtomicsObject.cpp now uses new Atomic<> API for fully fenced loads and stores.
1461         
1462         Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This
1463         is not correct according to my current understanding of the SAB memory model, which requires
1464         that atomic operations are SC with respect to everything not just other atomics.
1465
1466         * ftl/FTLLowerDFGToB3.cpp:
1467         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
1468         * ftl/FTLOutput.cpp:
1469         (JSC::FTL::Output::atomicWeakCAS):
1470         * ftl/FTLOutput.h:
1471         * runtime/AtomicsObject.cpp:
1472
1473 2017-06-02  Ryan Haddad  <ryanhaddad@apple.com>
1474
1475         Unreviewed, attempt to fix the iOS build after r217711.
1476
1477         * assembler/MacroAssemblerARM64.h:
1478         (JSC::MacroAssemblerARM64::xor32):
1479         (JSC::MacroAssemblerARM64::xor64):
1480
1481 2017-06-01  Filip Pizlo  <fpizlo@apple.com>
1482
1483         GC should use scrambled free-lists
1484         https://bugs.webkit.org/show_bug.cgi?id=172793
1485
1486         Reviewed by Mark Lam.
1487         
1488         Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list.
1489         The linked-list would be threaded through free memory, as is the usual convention.
1490         
1491         This scrambles the next pointers of that free-list. It also scrambles the head pointer, because
1492         this leads to a more natural fast-path structure and saves one register on ARM64.
1493         
1494         The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret
1495         every time they do a sweep-to-pop.
1496         
1497         This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code
1498         quite a bit. Previously, there were four copies of the allocator fast path: two in
1499         MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one
1500         was obviously different-looking, but the other three were almost identical. This moves all of
1501         that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and
1502         AssemblyHelpers.h.
1503         
1504         This appears to be just as fast as our previous allocator.
1505
1506         * JavaScriptCore.xcodeproj/project.pbxproj:
1507         * heap/FreeList.cpp:
1508         (JSC::FreeList::FreeList):
1509         (JSC::FreeList::~FreeList):
1510         (JSC::FreeList::clear):
1511         (JSC::FreeList::initializeList):
1512         (JSC::FreeList::initializeBump):
1513         (JSC::FreeList::contains):
1514         (JSC::FreeList::dump):
1515         * heap/FreeList.h:
1516         (JSC::FreeList::allocationWillFail):
1517         (JSC::FreeList::originalSize):
1518         (JSC::FreeList::addressOfList):
1519         (JSC::FreeList::offsetOfBlock):
1520         (JSC::FreeList::offsetOfList):
1521         (JSC::FreeList::offsetOfIndex):
1522         (JSC::FreeList::offsetOfPayloadEnd):
1523         (JSC::FreeList::offsetOfRemaining):
1524         (JSC::FreeList::offsetOfOriginalSize):
1525         (JSC::FreeList::FreeList): Deleted.
1526         (JSC::FreeList::list): Deleted.
1527         (JSC::FreeList::bump): Deleted.
1528         (JSC::FreeList::operator==): Deleted.
1529         (JSC::FreeList::operator!=): Deleted.
1530         (JSC::FreeList::operator bool): Deleted.
1531         * heap/FreeListInlines.h: Added.
1532         (JSC::FreeList::addFreeCell):
1533         (JSC::FreeList::allocate):
1534         (JSC::FreeList::forEach):
1535         (JSC::FreeList::toOffset):
1536         (JSC::FreeList::fromOffset):
1537         * heap/IncrementalSweeper.cpp:
1538         (JSC::IncrementalSweeper::sweepNextBlock):
1539         * heap/MarkedAllocator.cpp:
1540         (JSC::MarkedAllocator::MarkedAllocator):
1541         (JSC::MarkedAllocator::didConsumeFreeList):
1542         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1543         (JSC::MarkedAllocator::tryAllocateIn):
1544         (JSC::MarkedAllocator::allocateSlowCaseImpl):
1545         (JSC::MarkedAllocator::stopAllocating):
1546         (JSC::MarkedAllocator::prepareForAllocation):
1547         (JSC::MarkedAllocator::resumeAllocating):
1548         (JSC::MarkedAllocator::sweep):
1549         (JSC::MarkedAllocator::setFreeList): Deleted.
1550         * heap/MarkedAllocator.h:
1551         (JSC::MarkedAllocator::freeList):
1552         (JSC::MarkedAllocator::isFreeListedCell): Deleted.
1553         * heap/MarkedAllocatorInlines.h:
1554         (JSC::MarkedAllocator::isFreeListedCell):
1555         (JSC::MarkedAllocator::tryAllocate):
1556         (JSC::MarkedAllocator::allocate):
1557         * heap/MarkedBlock.cpp:
1558         (JSC::MarkedBlock::Handle::stopAllocating):
1559         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1560         (JSC::MarkedBlock::Handle::resumeAllocating):
1561         (JSC::MarkedBlock::Handle::zap):
1562         (JSC::MarkedBlock::Handle::sweep):
1563         (JSC::MarkedBlock::Handle::isFreeListedCell):
1564         (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted.
1565         * heap/MarkedBlock.h:
1566         * heap/MarkedBlockInlines.h:
1567         (JSC::MarkedBlock::Handle::specializedSweep):
1568         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
1569         (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted.
1570         * heap/Subspace.cpp:
1571         (JSC::Subspace::finishSweep):
1572         * heap/Subspace.h:
1573         * jit/AssemblyHelpers.h:
1574         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1575         * runtime/JSDestructibleObjectSubspace.cpp:
1576         (JSC::JSDestructibleObjectSubspace::finishSweep):
1577         * runtime/JSDestructibleObjectSubspace.h:
1578         * runtime/JSSegmentedVariableObjectSubspace.cpp:
1579         (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
1580         * runtime/JSSegmentedVariableObjectSubspace.h:
1581         * runtime/JSStringSubspace.cpp:
1582         (JSC::JSStringSubspace::finishSweep):
1583         * runtime/JSStringSubspace.h:
1584         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
1585         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
1586         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
1587
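The scrambling scheme described in the entry above, modelled as an added JavaScript example over a Uint32Array arena. This is not JSC's FreeList code: the cell size, the END_OF_LIST sentinel, the fixed secret and the corruption scenario are all constructed for the demonstration, and word offsets stand in for pointers. It shows the two properties the design buys: free memory never holds a plaintext link, and a link forged by a stray write that does not know the secret descrambles to a misaligned or out-of-range offset, which the pop detects instead of following.

```javascript
'use strict';
// Added example, not JSC's own code: a pop-style free-list whose next
// pointers and head are XOR-scrambled with a per-allocator secret, modelled
// over a Uint32Array "heap". Word offsets play the role of pointers.

const CELL_WORDS = 4;                 // a cell is 4 x 32-bit words (16 bytes)
const END_OF_LIST = 0xffffffff;       // unscrambled sentinel for "no more cells"

class ScrambledFreeList {
  // `secret` would come from a CSPRNG in a real allocator; it is a parameter
  // here so the example is deterministic.
  constructor(arena, secret) {
    this.arena = arena;
    this.secret = secret >>> 0;
    this.scrambledHead = this.scramble(END_OF_LIST);
  }

  scramble(offset) { return (offset ^ this.secret) >>> 0; }
  descramble(word) { return (word ^ this.secret) >>> 0; }

  // A descrambled link must be the sentinel or a cell-aligned offset inside the
  // arena. A link written without knowledge of the secret descrambles to
  // something else with overwhelming probability.
  validateLink(offset) {
    if (offset === END_OF_LIST) return;
    if (offset % CELL_WORDS !== 0 || offset >= this.arena.length) {
      throw new RangeError(`corrupted free-list link: 0x${offset.toString(16)}`);
    }
  }

  // Sweep-to-pop: thread the free cells through their own memory. A fresh
  // secret is chosen here, as JSC's allocators do on each sweep-to-pop.
  initializeList(freeCellOffsets, newSecret) {
    this.secret = newSecret >>> 0;
    let head = END_OF_LIST;
    for (const offset of freeCellOffsets) {
      this.arena[offset] = this.scramble(head);   // scrambled "next" lives in the cell
      head = offset;
    }
    this.scrambledHead = this.scramble(head);     // the head pointer is scrambled too
  }

  // Pop one cell. Returns null when the list is exhausted (allocationWillFail).
  allocate() {
    const head = this.descramble(this.scrambledHead);
    if (head === END_OF_LIST) return null;
    const next = this.descramble(this.arena[head]);
    this.validateLink(next);                      // a forged link fails here, not later
    this.scrambledHead = this.scramble(next);
    return head;
  }
}

// Drive the allocator on a constructed 8-cell arena and report what happened.
function demo() {
  const arena = new Uint32Array(8 * CELL_WORDS);
  const secret = 0x9e3779b9;                      // constructed, fixed for determinism
  const freeList = new ScrambledFreeList(arena, secret);
  const freeCells = Array.from({ length: 8 }, (_, i) => i * CELL_WORDS);
  freeList.initializeList(freeCells, secret);

  // Free memory never holds a plaintext link: no stored word equals the
  // successor offset it encodes (cell i's successor is freeCells[i - 1]).
  const plaintextLinks = freeCells.filter((off, i) =>
    arena[off] === (i === 0 ? END_OF_LIST : freeCells[i - 1]));

  const popped = [freeList.allocate(), freeList.allocate(), freeList.allocate()];

  // Model a memory-safety bug that writes an unscrambled offset into the link
  // word of the current head cell (offset 16) without knowing the secret.
  arena[16] = 4;
  let detected = false;
  try { freeList.allocate(); } catch (e) { detected = e instanceof RangeError; }

  return { plaintextLinks: plaintextLinks.length, popped, detected };
}
```

The XOR is cheap enough to sit on the allocation fast path, which is why the entry reports no slowdown, and refreshing the secret at each sweep-to-pop limits how long any leaked free-list word stays useful. The alignment check is what turns a corrupted link into an immediate, diagnosable failure rather than a silent allocation of whatever memory the corrupted word happened to point at.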
1588 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1589
1590         [JSC] Use @globalPrivate for concatSlowPath
1591         https://bugs.webkit.org/show_bug.cgi?id=172802
1592
1593         Reviewed by Darin Adler.
1594
1595         Use @globalPrivate instead of manually putting it into JSGlobalObject.
1596
1597         * builtins/ArrayPrototype.js:
1598         (concatSlowPath): Deleted.
1599         * runtime/JSGlobalObject.cpp:
1600         (JSC::JSGlobalObject::init):
1601
1602 2017-06-01  Andy Estes  <aestes@apple.com>
1603
1604         REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake
1605         https://bugs.webkit.org/show_bug.cgi?id=172828
1606
1607         Reviewed by Beth Dakin.
1608
1609         * Configurations/FeatureDefines.xcconfig:
1610
1611 2017-06-01  Keith Miller  <keith_miller@apple.com>
1612
1613         Undo rollout in r217638 with bug fix
1614         https://bugs.webkit.org/show_bug.cgi?id=172824
1615
1616         Unreviewed, reland patch with unused set_state code removed.
1617
1618         * API/tests/ExecutionTimeLimitTest.cpp:
1619         (dispatchTermitateCallback):
1620         (testExecutionTimeLimit):
1621         * runtime/JSLock.cpp:
1622         (JSC::JSLock::didAcquireLock):
1623         * runtime/Options.cpp:
1624         (JSC::overrideDefaults):
1625         (JSC::Options::initialize):
1626         * runtime/Options.h:
1627         * runtime/VMTraps.cpp:
1628         (JSC::SignalContext::SignalContext):
1629         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
1630         (JSC::installSignalHandler):
1631         (JSC::VMTraps::SignalSender::send):
1632         * tools/SigillCrashAnalyzer.cpp:
1633         (JSC::SignalContext::SignalContext):
1634         (JSC::SignalContext::dump):
1635         (JSC::installCrashHandler):
1636         * wasm/WasmBBQPlan.cpp:
1637         (JSC::Wasm::BBQPlan::compileFunctions):
1638         * wasm/WasmFaultSignalHandler.cpp:
1639         (JSC::Wasm::trapHandler):
1640         (JSC::Wasm::enableFastMemory):
1641         * wasm/WasmMachineThreads.cpp:
1642         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1643
1644 2017-06-01  Guillaume Emont  <guijemont@igalia.com>
1645
1646         [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds
1647         https://bugs.webkit.org/show_bug.cgi?id=172800
1648
1649         Reviewed by Saam Barati.
1650
1651         This fixes a static_cast<uint64_t> by making it a cast to int64_t
1652         instead, which looks like the original intent. This fixes the
1653         sampling-profiler tests in JSTests/stress.
1654
1655         * runtime/SamplingProfiler.cpp:
1656         (JSC::SamplingProfiler::timerLoop):
1657
1658 2017-06-01  Tomas Popela  <tpopela@redhat.com>, Mark Lam  <mark.lam@apple.com>
1659
1660         RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians
1661         https://bugs.webkit.org/show_bug.cgi?id=170945
1662
1663         Reviewed by Mark Lam.
1664
1665         Re-define PutByIdFlags as an int32_t enum explicitly because it is
1666         stored as an int32_t value in UnlinkedInstruction.  This prevents
1667         a bug on 64-bit big endian architectures where the word order is
1668         inverted (when we convert the UnlinkedInstruction into a CodeBlock
1669         Instruction), resulting in the PutByIdFlags value not being stored in
1670         the 32-bit word that the rest of the code expects it to be in.
1671
1672         * bytecode/PutByIdFlags.h:
1673
1674 2017-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1675
1676         [JSC] Implement String.prototype.concat in JS builtins
1677         https://bugs.webkit.org/show_bug.cgi?id=172798
1678
1679         Reviewed by Sam Weinig.
1680
1681         Since we have a highly effective + operation for strings,
1682         implementing String.prototype.concat in JS simplifies the
1683         implementation and improves performance by using speculated
1684         types.
1685
1686         Added microbenchmarks show performance improvement.
1687
1688         string-concat-long-convert     1063.2787+-12.9101    ^    109.0855+-2.8083        ^ definitely 9.7472x faster
1689         string-concat-convert          1111.1366+-12.2363    ^     99.3402+-1.9874        ^ definitely 11.1852x faster
1690         string-concat                   131.7377+-3.8359     ^     54.3949+-0.9580        ^ definitely 2.4219x faster
1691         string-concat-long               79.4726+-1.9644     ^     64.6301+-1.4941        ^ definitely 1.2297x faster
1692
1693         * builtins/StringPrototype.js:
1694         (globalPrivate.stringConcatSlowPath):
1695         (concat):
1696         * runtime/StringPrototype.cpp:
1697         (JSC::StringPrototype::finishCreation):
1698         (JSC::stringProtoFuncConcat): Deleted.
1699
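A JavaScript sketch of the approach, added here and not the builtin in builtins/StringPrototype.js: String.prototype.concat written around the + operator, next to a naive version that applies + to each argument directly. The difference is the conversion step. concat applies ToString, which a template literal reproduces exactly, whereas + on an object operand applies ToPrimitive with the default hint and consults valueOf first, so a builtin written in JS has to convert each argument before using +. The functions `concatBuiltinStyle`, `concatNaive` and the test object are constructed for the example.

```javascript
'use strict';
// Added example, not JSC's builtin: String.prototype.concat written in JS
// around the + operator, and a naive variant that shows why each argument
// must go through ToString before + is applied.

function concatBuiltinStyle(thisValue, ...args) {
  // RequireObjectCoercible(this value)
  if (thisValue === null || thisValue === undefined) {
    throw new TypeError('String.prototype.concat requires that |this| not be null or undefined');
  }
  let result = `${thisValue}`;          // ToString(this value); throws on a Symbol like the spec
  for (const arg of args) {
    result = result + `${arg}`;         // ToString(arg) first, then the fast string +
  }
  return result;
}

// Naive variant: + applied to the raw argument. For an object operand, + runs
// ToPrimitive with hint "default", which calls valueOf before toString.
function concatNaive(thisValue, ...args) {
  let result = `${thisValue}`;
  for (const arg of args) result = result + arg;
  return result;
}

// An object whose valueOf and toString disagree exposes the difference.
function compareOnTrickyObject() {
  const tricky = { valueOf() { return 42; }, toString() { return 'str'; } };
  return {
    native: 'a'.concat(tricky),                    // 'astr'
    builtinStyle: concatBuiltinStyle('a', tricky), // 'astr'
    naive: concatNaive('a', tricky),               // 'a42'
  };
}

// Why a template literal rather than String(): String(sym) is special-cased to
// succeed, while ToString(sym), and therefore concat, throws a TypeError.
function symbolBehaviour() {
  const sym = Symbol('s');
  const throwsTypeError = (fn) => {
    try { fn(); return false; } catch (e) { return e instanceof TypeError; }
  };
  return {
    stringFunction: typeof String(sym),                                 // 'string'
    native: throwsTypeError(() => 'a'.concat(sym)),                     // true
    builtinStyle: throwsTypeError(() => concatBuiltinStyle('a', sym)),  // true
  };
}
```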
1700 2017-05-31  Mark Lam  <mark.lam@apple.com>
1701
1702         Remove overrides of visitChildren() that do not add any functionality.
1703         https://bugs.webkit.org/show_bug.cgi?id=172789
1704         <rdar://problem/32500865>
1705
1706         Reviewed by Andreas Kling.
1707
1708         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
1709         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
1710         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1711         * bytecode/UnlinkedProgramCodeBlock.cpp:
1712         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
1713         * bytecode/UnlinkedProgramCodeBlock.h:
1714         * wasm/js/WebAssemblyFunction.cpp:
1715         (JSC::WebAssemblyFunction::visitChildren): Deleted.
1716         * wasm/js/WebAssemblyFunction.h:
1717         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1718         (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted.
1719         * wasm/js/WebAssemblyInstanceConstructor.h:
1720         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1721         (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted.
1722         * wasm/js/WebAssemblyMemoryConstructor.h:
1723         * wasm/js/WebAssemblyModuleConstructor.cpp:
1724         (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted.
1725         * wasm/js/WebAssemblyModuleConstructor.h:
1726         * wasm/js/WebAssemblyTableConstructor.cpp:
1727         (JSC::WebAssemblyTableConstructor::visitChildren): Deleted.
1728         * wasm/js/WebAssemblyTableConstructor.h:
1729
1730 2017-05-31  Commit Queue  <commit-queue@webkit.org>
1731
1732         Unreviewed, rolling out r217611 and r217631.
1733         https://bugs.webkit.org/show_bug.cgi?id=172785
1734
1735         "caused wasm-hashset-many.html to become flaky." (Requested by
1736         keith_miller on #webkit).
1737
1738         Reverted changesets:
1739
1740         "Reland r216808, underlying lldb bug has been fixed."
1741         https://bugs.webkit.org/show_bug.cgi?id=172759
1742         http://trac.webkit.org/changeset/217611
1743
1744         "Use dispatch queues for mach exceptions"
1745         https://bugs.webkit.org/show_bug.cgi?id=172775
1746         http://trac.webkit.org/changeset/217631
1747
1748 2017-05-31  Oleksandr Skachkov  <gskachkov@gmail.com>
1749
1750         Rolling out: Prevent async methods named 'function'
1751         https://bugs.webkit.org/show_bug.cgi?id=172776
1752
1753         Reviewed by Mark Lam.
1754
1755         Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 (r217578) and
1756         https://bugs.webkit.org/show_bug.cgi?id=172598 (r217478).
1757         The PR to the spec was closed, so the changes need to be rolled out. See
1758         https://github.com/tc39/ecma262/pull/884#issuecomment-305212494
1759
1760         * parser/Parser.cpp:
1761         (JSC::Parser<LexerType>::parseClass):
1762         (JSC::Parser<LexerType>::parsePropertyMethod):
1763
1764 2017-05-31  Andy Estes  <aestes@apple.com>
1765
1766         Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number
1767         https://bugs.webkit.org/show_bug.cgi?id=172366
1768
1769         Reviewed by Daniel Bates.
1770
1771         * Configurations/FeatureDefines.xcconfig:
1772
1773 2017-05-31  Keith Miller  <keith_miller@apple.com>
1774
1775         Reland r216808, underlying lldb bug has been fixed.
1776         https://bugs.webkit.org/show_bug.cgi?id=172759
1777
1778
1779         Unreviewed, relanding old patch. See: rdar://problem/31183352
1780
1781         * API/tests/ExecutionTimeLimitTest.cpp:
1782         (dispatchTermitateCallback):
1783         (testExecutionTimeLimit):
1784         * runtime/JSLock.cpp:
1785         (JSC::JSLock::didAcquireLock):
1786         * runtime/Options.cpp:
1787         (JSC::overrideDefaults):
1788         (JSC::Options::initialize):
1789         * runtime/Options.h:
1790         * runtime/VMTraps.cpp:
1791         (JSC::SignalContext::SignalContext):
1792         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
1793         (JSC::installSignalHandler):
1794         (JSC::VMTraps::SignalSender::send):
1795         * tools/SigillCrashAnalyzer.cpp:
1796         (JSC::SignalContext::SignalContext):
1797         (JSC::SignalContext::dump):
1798         (JSC::installCrashHandler):
1799         * wasm/WasmBBQPlan.cpp:
1800         (JSC::Wasm::BBQPlan::compileFunctions):
1801         * wasm/WasmFaultSignalHandler.cpp:
1802         (JSC::Wasm::trapHandler):
1803         (JSC::Wasm::enableFastMemory):
1804         * wasm/WasmMachineThreads.cpp:
1805         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1806
1807 2017-05-31  Keith Miller  <keith_miller@apple.com>
1808
1809         Fix leak in PromiseDeferredTimer
1810         https://bugs.webkit.org/show_bug.cgi?id=172755
1811
1812         Reviewed by JF Bastien.
1813
1814         We were not properly freeing the list of dependencies if we were already tracking the promise before.
1815         This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
1816         where we were already tracking the promise we append the provided dependency list to the existing list.
1817         Since we never bound our rvalue-ref to a non-temporary value we never destructed the Vector, leaking its
1818         contents.
1819
1820         * runtime/PromiseDeferredTimer.cpp:
1821         (JSC::PromiseDeferredTimer::addPendingPromise):
1822
1823 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
1824
1825         Prevent async methods named 'function' in Object literal
1826         https://bugs.webkit.org/show_bug.cgi?id=172660
1827
1828         Reviewed by Saam Barati.
1829
1830         Prevent async methods named 'function' in object literals.
1831         https://github.com/tc39/ecma262/pull/884
1832
1833         * parser/Parser.cpp:
1834         (JSC::Parser<LexerType>::parsePropertyMethod):
1835
1836 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
1837
1838         ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
1839         https://bugs.webkit.org/show_bug.cgi?id=171274
1840
1841         Reviewed by Saam Barati.
1842
1843         This patch allows using async arrow functions within a constructor,
1844         and allows access to `this`. The patch forces a load of `this` from the
1845         virtual scope each time we access `this` in an async arrow function
1846         within a constructor. This is necessary because the async function can be
1847         suspended, `superCall` can be called, and the async function resumed.
1848    
1849         * bytecompiler/BytecodeGenerator.cpp:
1850         (JSC::BytecodeGenerator::emitPutGeneratorFields):
1851         (JSC::BytecodeGenerator::ensureThis):
1852         * bytecompiler/BytecodeGenerator.h:
1853         (JSC::BytecodeGenerator::makeFunction):
1854
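The suspend-then-super() ordering that motivates the reload of `this`, as an added JavaScript example (not JSC code; `Base`, `Derived`, `DerivedTooEarly` and the property names are constructed). The first class shows the case the entry describes: an async arrow created before super() runs up to its first `await` and suspends, super() then binds `this`, and the resumed arrow must observe the initialised object rather than a stale binding. The second class shows the contrasting error when the arrow reads `this` before super() has run.

```javascript
'use strict';
// Added example, not JSC code: why `this` inside an async arrow function
// created in a derived constructor must be re-read after each suspension.

class Base {
  constructor() { this.tag = 'base-initialised'; }
}

class Derived extends Base {
  constructor() {
    // The arrow captures the constructor's `this` binding, which is still in
    // its temporal dead zone here: super() has not run yet.
    const readThisLater = async () => {
      await null;                 // suspend; the constructor continues below
      return this.tag;            // resumed after super(): must see the real `this`
    };
    const pending = readThisLater();   // runs synchronously up to the first await
    super();                           // binds `this` while the arrow is suspended
    this.pending = pending;
  }
}

// Resolves with the tag the suspended arrow observes once it resumes.
function observeThisAfterSuper() {
  return new Derived().pending;
}

// Contrast: reading `this` in the arrow before super() throws a ReferenceError,
// which an async function surfaces as a rejected promise.
class DerivedTooEarly extends Base {
  constructor() {
    const readThisNow = async () => this.tag;   // no await: reads `this` immediately
    const pending = readThisNow();               // rejects with ReferenceError
    super();
    this.pending = pending;
  }
}

// Resolves with the name of the error class the early read produced.
function observeThisBeforeSuper() {
  return new DerivedTooEarly().pending.then(
    () => 'unexpected success',
    (e) => e.constructor.name);
}
```

Both functions return promises because the interesting observation happens after the constructor has returned: the continuation of `readThisLater` runs as a microtask, by which point super() has already bound `this`, which is exactly why a value of `this` cached when the arrow was created would be wrong.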
1855 2017-05-30  Ali Juma  <ajuma@chromium.org>
1856
1857         [CredentialManagement] Incorporate IDL updates from latest spec
1858         https://bugs.webkit.org/show_bug.cgi?id=172011
1859
1860         Reviewed by Daniel Bates.
1861
1862         * runtime/CommonIdentifiers.h:
1863
1864 2017-05-30  Alex Christensen  <achristensen@webkit.org>
1865
1866         Update libwebrtc configuration
1867         https://bugs.webkit.org/show_bug.cgi?id=172727
1868
1869         Reviewed by Geoffrey Garen.
1870
1871         * Configurations/FeatureDefines.xcconfig:
1872
1873 2017-05-28  Dan Bernstein  <mitz@apple.com>
1874
1875         [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES
1876         https://bugs.webkit.org/show_bug.cgi?id=172691
1877
1878         Reviewed by Tim Horton.
1879
1880         * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO.
1881         * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target.
1882
1883 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1884
1885         [JSC] Provide better type information of toLength and tighten bytecode
1886         https://bugs.webkit.org/show_bug.cgi?id=172690
1887
1888         Reviewed by Sam Weinig.
1889
1890         In this patch, we carefully leverage operator + in order to
1891
1892         1. tighten bytecode
1893
1894         operator+ emits the to_number bytecode. What this bytecode does is the same
1895         as a @Number() call. It is more efficient, and it is smaller bytecode
1896         than a @Number() call (load the global variable @Number, set up arguments, and
1897         call it).
1898
1899         2. offer better type prediction data
1900
1901         Now, we have code like
1902
1903             length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0
1904
1905         This is not good because the DFG prediction propagation phase predicts Double
1906         since @MAX_SAFE_INTEGER is a double. But actually it rarely becomes Double.
1907         Usually, the result becomes Int32. This patch leverages to_number in a somewhat
1908         interesting way: to_number has value profiling to offer better type prediction.
1909         This value profiling can offer a chance to change the prediction to Int32 efficiently.
1910         It is a bit tricky. But it is worth doing to speed up our builtin functions,
1911         which should leverage all of JSC's tricky things to be optimized.
1912
1913         Related microbenchmarks show performance improvement.
1914
1915                                                   baseline                  patched
1916
1917             array-prototype-forEach           50.2348+-2.2331           49.7568+-2.3507
1918             array-prototype-map               51.0574+-1.8166           47.9531+-2.1653          might be 1.0647x faster
1919             array-prototype-some              52.3926+-1.8882     ^     48.3632+-2.0852        ^ definitely 1.0833x faster
1920             array-prototype-every             52.7394+-2.0712           50.2896+-2.1480          might be 1.0487x faster
1921             array-prototype-reduce            54.9994+-2.3638           51.8716+-2.6253          might be 1.0603x faster
1922             array-prototype-reduceRight      209.7594+-9.2594     ^     51.5867+-2.5745        ^ definitely 4.0662x faster
1923
1924
1925         * builtins/GlobalOperations.js:
1926         (globalPrivate.toInteger):
1927         (globalPrivate.toLength):
1928
1929 2017-05-28  Sam Weinig  <sam@webkit.org>
1930
1931         [WebIDL] @@iterator should only be accessed once when disambiguating a union type
1932         https://bugs.webkit.org/show_bug.cgi?id=172684
1933
1934         Reviewed by Yusuke Suzuki.
1935
1936         * runtime/IteratorOperations.cpp:
1937         (JSC::iteratorMethod):
1938         (JSC::iteratorForIterable):
1939         * runtime/IteratorOperations.h:
1940         (JSC::forEachInIterable):
1941         Add additional iterator helpers to allow union + sequence conversion code
1942         to check for iterability by getting the iterator method, and iterate using
1943         that method later on.
1944
1945 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1946
1947         Unreviewed, build fix for Windows
1948         https://bugs.webkit.org/show_bug.cgi?id=172413
1949
1950         Optimized jsDynamicCast for JSMap and JSSet will be handled in [1].
1951
1952         [1]: https://bugs.webkit.org/show_bug.cgi?id=172685
1953
1954         * runtime/JSMap.h:
1955         (JSC::isJSMap):
1956         (JSC::jsDynamicCast): Deleted.
1957         (JSC::>): Deleted.
1958         * runtime/JSSet.h:
1959         (JSC::isJSSet):
1960         (JSC::jsDynamicCast): Deleted.
1961         (JSC::>): Deleted.
1962         * runtime/MapConstructor.cpp:
1963         (JSC::constructMap):
1964         * runtime/SetConstructor.cpp:
1965         (JSC::constructSet):
1966
1967 2017-05-28  Mark Lam  <mark.lam@apple.com>
1968
1969         Implement a faster Interpreter::getOpcodeID().
1970         https://bugs.webkit.org/show_bug.cgi?id=172669
1971
1972         Reviewed by Saam Barati.
1973
1974         We can implement Interpreter::getOpcodeID() without a hash table lookup by always
1975         embedding the OpcodeID in the 32-bit word just before the start of the LLInt
1976         handler code that executes each opcode.  getOpcodeID() can therefore just read
1977         the 32-bits before the opcode address to get its OpcodeID.
1978
1979         This is currently only enabled for CPU(X86), CPU(X86_64), CPU(ARM64),
1980         CPU(ARM_THUMB2), and only for OS(DARWIN).  It'll probably just work for linux as
1981         well, but I'll let the Linux folks turn that on after they have verified that it
1982         works on linux too.
1983
1984         I'll also take this opportunity to clean up how we initialize the opcodeIDTable:
1985         1. we only need to initialize it once per process, not once per VM / interpreter
1986            instance.
1987         2. we can initialize it in the Interpreter constructor instead of requiring a
1988            separate call to an initialize() function.
1989
1990         On debug builds, the Interpreter constructor will also verify that getOpcodeID()
1991         is working correctly for each opcode when USE(LLINT_EMBEDDED_OPCODE_ID).
1992
1993         * bytecode/BytecodeList.json:
1994         * generate-bytecode-files:
1995         * interpreter/Interpreter.cpp:
1996         (JSC::Interpreter::Interpreter):
1997         (JSC::Interpreter::opcodeIDTable):
1998         (JSC::Interpreter::initialize): Deleted.
1999         * interpreter/Interpreter.h:
2000         (JSC::Interpreter::getOpcode):
2001         (JSC::Interpreter::getOpcodeID):
2002         * llint/LowLevelInterpreter.cpp:
2003         * runtime/VM.cpp:
2004         (JSC::VM::VM):
2005
2006 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2007
2008         [JSC] Map and Set constructors should have fast path for cloning
2009         https://bugs.webkit.org/show_bug.cgi?id=172413
2010
2011         Reviewed by Saam Barati.
2012
2013         In this patch, we add a fast path for cloning in Set and Map constructors.
2014
2015         In ARES-6 Air, we have code like `new Set(set)` to clone the given set.
2016         At that time, our generic path just iterates the given set object and adds
2017         each element to the newly created one. It is quite slow because we need to follow
2018         the iterator protocol inside C++ and we need to call set.add() repeatedly
2019         while the given set guarantees the elements are unique.
2020
2021         This patch implements a clone() function on JSMap and JSSet. Cloning JSMap
2022         and JSSet is done really fast without invoking any observable JS functions.
2023         To check whether we can use this clone() function in the Set and Map constructors,
2024         we set several watchpoints.
2025
2026         In the case of Set,
2027
2028         1. Set.prototype[Symbol.iterator] is not changed.
2029         2. SetIterator.prototype.next is not changed.
2030         3. Set.prototype.add is not changed.
2031         4. The given Set does not have [Symbol.iterator] function in its instance.
2032         5. The given Set's [[Prototype]] is Set.prototype.
2033         6. Newly created set's [[Prototype]] is Set.prototype.
2034
2035         If the above requirements are met, cloning the given Set is not observable to users.
2036         Thus we can take a fast path.
2037
2038         Currently, we do not integrate this optimization into DFG and FTL,
2039         and we do not optimize other iterables. For example, we can optimize the Set
2040         constructor taking an Int32 Array, and we should optimize generic iterator cases too.
2041         These are planned as part of a separate bug [1].
2042
2043         This change improves ARES-6 Air by 5.3% in steady state.
2044
2045         Baseline:
2046             Running... Air ( 1  to go)
2047             firstIteration:     76.41 +- 15.60 ms
2048             averageWorstCase:   40.63 +- 7.54 ms
2049             steadyState:        9.13 +- 0.51 ms
2050
2051
2052         Patched:
2053             Running... Air ( 1  to go)
2054             firstIteration:     75.00 +- 22.54 ms
2055             averageWorstCase:   39.18 +- 8.45 ms
2056             steadyState:        8.67 +- 0.28 ms
2057
2058         [1]: https://bugs.webkit.org/show_bug.cgi?id=172419
2059
2060         * CMakeLists.txt:
2061         * JavaScriptCore.xcodeproj/project.pbxproj:
2062         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Removed.
2063         * runtime/HashMapImpl.h:
2064         (JSC::HashMapBucket::extractValue):
2065         (JSC::HashMapImpl::finishCreation):
2066         (JSC::HashMapImpl::add):
2067         (JSC::HashMapImpl::setUpHeadAndTail):
2068         (JSC::HashMapImpl::addNormalizedNonExistingForCloning):
2069         (JSC::HashMapImpl::addNormalizedInternal):
2070         * runtime/InternalFunction.cpp:
2071         (JSC::InternalFunction::createSubclassStructureSlow):
2072         (JSC::InternalFunction::createSubclassStructure): Deleted.
2073         * runtime/InternalFunction.h:
2074         (JSC::InternalFunction::createSubclassStructure):
2075         * runtime/JSGlobalObject.cpp:
2076         (JSC::JSGlobalObject::JSGlobalObject):
2077         (JSC::JSGlobalObject::init):
2078         (JSC::JSGlobalObject::visitChildren):
2079         * runtime/JSGlobalObject.h:
2080         (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint):
2081         (JSC::JSGlobalObject::setIteratorProtocolWatchpoint):
2082         (JSC::JSGlobalObject::mapSetWatchpoint):
2083         (JSC::JSGlobalObject::setAddWatchpoint):
2084         (JSC::JSGlobalObject::mapPrototype):
2085         (JSC::JSGlobalObject::jsSetPrototype):
2086         (JSC::JSGlobalObject::setStructure):
2087         * runtime/JSGlobalObjectInlines.h:
2088         (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
2089         (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
2090         (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
2091         (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
2092         * runtime/JSMap.cpp:
2093         (JSC::JSMap::clone):
2094         (JSC::JSMap::canCloneFastAndNonObservable):
2095         * runtime/JSMap.h:
2096         (JSC::jsDynamicCast):
2097         (JSC::>):
2098         (JSC::JSMap::createStructure): Deleted.
2099         (JSC::JSMap::create): Deleted.
2100         (JSC::JSMap::set): Deleted.
2101         (JSC::JSMap::JSMap): Deleted.
2102         * runtime/JSSet.cpp:
2103         (JSC::JSSet::clone):
2104         (JSC::JSSet::canCloneFastAndNonObservable):
2105         * runtime/JSSet.h:
2106         (JSC::jsDynamicCast):
2107         (JSC::>):
2108         (JSC::JSSet::createStructure): Deleted.
2109         (JSC::JSSet::create): Deleted.
2110         (JSC::JSSet::JSSet): Deleted.
2111         * runtime/MapConstructor.cpp:
2112         (JSC::constructMap):
2113         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorAdaptiveWatchpoint.h.
2114         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
2115         * runtime/SetConstructor.cpp:
2116         (JSC::constructSet):
2117
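The six conditions listed in the entry above, modelled in JavaScript as an added example. This is not JSC's watchpoint code: the checker re-reads the built-ins on every call where JSC's watchpoints make the check free, and `pristine.forEach` stands in for the engine's internal table walk in JSMap::clone / JSSet::clone. Beside it, the generic `new Set(iterable)` path is spelled out so it is visible exactly which user-replaceable hooks run, and `demo` breaks conditions 3, 4 and 6 in turn to show that the generic path, not the fast path, is taken and that the replaced hook really does get called. The constructor and function names are constructed for the example.

```javascript
'use strict';
// Added example, not JSC's own code: the six conditions under which cloning a
// Set cannot be observed by user code, checked directly instead of with
// watchpoints, next to the generic path that runs when any of them fails.

const SetIteratorPrototype = Object.getPrototypeOf(new Set()[Symbol.iterator]());

// Snapshot of the pristine built-ins, taken before any user code runs.
const pristine = {
  iterator: Set.prototype[Symbol.iterator],
  next: SetIteratorPrototype.next,
  add: Set.prototype.add,
  forEach: Set.prototype.forEach,   // stand-in for the engine's internal walk
};

// `newTarget` plays the role of new.target: its .prototype becomes the
// clone's [[Prototype]] (condition 6).
function canCloneFastAndNonObservable(source, newTarget) {
  return source instanceof Set
    && Set.prototype[Symbol.iterator] === pristine.iterator             // 1
    && SetIteratorPrototype.next === pristine.next                      // 2
    && Set.prototype.add === pristine.add                               // 3
    && !Object.prototype.hasOwnProperty.call(source, Symbol.iterator)   // 4
    && Object.getPrototypeOf(source) === Set.prototype                  // 5
    && newTarget.prototype === Set.prototype;                           // 6
}

// Generic path: what `new Set(iterable)` does per spec. Every user-replaceable
// hook (the iterator method, next, add) is called, and so is observable.
function cloneGeneric(source, newTarget) {
  const clone = Reflect.construct(Set, [], newTarget);
  const iterator = source[Symbol.iterator]();
  for (let step = iterator.next(); !step.done; step = iterator.next()) {
    clone.add(step.value);
  }
  return clone;
}

// Fast path: copies through the pristine internals only, so no user code runs.
function cloneFast(source) {
  const clone = new Set();
  pristine.forEach.call(source, (v) => pristine.add.call(clone, v));
  return clone;
}

function constructSet(source, newTarget = Set) {
  return canCloneFastAndNonObservable(source, newTarget)
    ? { path: 'fast', set: cloneFast(source) }
    : { path: 'generic', set: cloneGeneric(source, newTarget) };
}

// Break one condition at a time and record which path each case took.
function demo() {
  const original = new Set([1, 2, 3]);
  const clean = constructSet(original);               // all six hold: fast path

  // Condition 3 broken: user code replaces Set.prototype.add and counts calls.
  let observedAdds = 0;
  Set.prototype.add = function (v) { observedAdds++; return pristine.add.call(this, v); };
  const withUserAdd = constructSet(original);         // generic: the hook runs per element
  Set.prototype.add = pristine.add;                   // restore the built-in

  // Condition 4 broken: an own [Symbol.iterator] on the instance itself.
  const tampered = new Set([1]);
  Object.defineProperty(tampered, Symbol.iterator, { value: pristine.iterator });
  const withOwnIterator = constructSet(tampered);

  // Condition 6 broken: a subclass clone must get the subclass prototype.
  class MySet extends Set {}
  const subclass = constructSet(original, MySet);

  return {
    cleanPath: clean.path,
    cleanSize: clean.set.size,
    userAddPath: withUserAdd.path,
    observedAdds,
    ownIteratorPath: withOwnIterator.path,
    subclassPath: subclass.path,
    subclassProtoOk: Object.getPrototypeOf(subclass.set) === MySet.prototype,
  };
}
```

The point the checks make concrete is that a fast path is only sound while the observable surface is untouched: a single replaced prototype method, or one own property shadowing the iterator, is enough that user code could tell the difference, and the engine must then fall back to the spec'd sequence of calls. In JSC the fallback decision is free once the watchpoints are installed; here it costs a handful of property reads per construction.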
2118 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2119
2120         [DOMJIT] Move DOMJIT patchpoint infrastructure out of domjit
2121         https://bugs.webkit.org/show_bug.cgi?id=172260
2122
2123         Reviewed by Filip Pizlo.
2124
2125         DOMJIT::Patchpoint is now used for generalized CheckSubClass. And it becomes mature enough
2126         to be used as a general-purpose injectable compiler over all the JIT tiers.
2127
2128         We extract DOMJIT::Patchpoint to jit/ and rename it JSC::Snippet.
2129
2130         * CMakeLists.txt:
2131         * JavaScriptCore.xcodeproj/project.pbxproj:
2132         * bytecode/AccessCaseSnippetParams.cpp: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.cpp.
2133         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
2134         (JSC::AccessCaseSnippetParams::emitSlowPathCalls):
2135         * bytecode/AccessCaseSnippetParams.h: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.h.
2136         (JSC::AccessCaseSnippetParams::AccessCaseSnippetParams):
2137         * bytecode/GetterSetterAccessCase.cpp:
2138         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2139         * dfg/DFGAbstractInterpreterInlines.h:
2140         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2141         * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::blessCallDOMGetter):
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        * dfg/DFGSnippetParams.cpp: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.cpp.
        * dfg/DFGSnippetParams.h: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
        (JSC::DFG::SnippetParams::SnippetParams):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::allocateTemporaryRegistersForSnippet):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
        (JSC::DFG::allocateTemporaryRegistersForPatchpoint): Deleted.
        * domjit/DOMJITCallDOMGetterSnippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITCallDOMGetterPatchpoint.h.
        (JSC::DOMJIT::CallDOMGetterSnippet::create):
        * domjit/DOMJITGetterSetter.h:
        * domjit/DOMJITSignature.h:
        * domjit/DOMJITValue.h: Removed.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        * ftl/FTLSnippetParams.cpp: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.cpp.
        * ftl/FTLSnippetParams.h: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
        (JSC::FTL::SnippetParams::SnippetParams):
        * jit/Snippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpoint.h.
        (JSC::Snippet::create):
        (JSC::Snippet::setGenerator):
        (JSC::Snippet::generator):
        * jit/SnippetParams.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
        (JSC::SnippetParams::~SnippetParams):
        (JSC::SnippetParams::Value::Value):
        (JSC::SnippetParams::Value::isGPR):
        (JSC::SnippetParams::Value::isFPR):
        (JSC::SnippetParams::Value::isJSValueRegs):
        (JSC::SnippetParams::Value::gpr):
        (JSC::SnippetParams::Value::fpr):
        (JSC::SnippetParams::Value::jsValueRegs):
        (JSC::SnippetParams::Value::reg):
        (JSC::SnippetParams::Value::value):
        (JSC::SnippetParams::SnippetParams):
        * jit/SnippetReg.h: Renamed from Source/JavaScriptCore/domjit/DOMJITReg.h.
        (JSC::SnippetReg::SnippetReg):
        * jit/SnippetSlowPathCalls.h: Renamed from Source/JavaScriptCore/domjit/DOMJITSlowPathCalls.h.
        * jsc.cpp:
        (WTF::DOMJITNode::checkSubClassSnippet):
        (WTF::DOMJITFunctionObject::checkSubClassSnippet):
        (WTF::DOMJITNode::checkSubClassPatchpoint): Deleted.
        (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): Deleted.
        * runtime/ClassInfo.h:

2017-05-26  Keith Miller  <keith_miller@apple.com>

        REGRESSION(r217459): testapi fails in JSExportTest's wrapperForNSObjectisObject().
        https://bugs.webkit.org/show_bug.cgi?id=172654

        Reviewed by Mark Lam.

        The test's intent is to assert that an exception has not been
        thrown (as indicated by the message string), but the test was
        erroneously checking for ! the right condition. This is now fixed.

        * API/tests/JSExportTests.mm:
        (wrapperForNSObjectisObject):

2017-05-26  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: Improve the reliability of automatically pausing in auto-attach
        https://bugs.webkit.org/show_bug.cgi?id=172664
        <rdar://problem/32362933>

        Reviewed by Matt Baker.

        Automatically pause on connection was triggering a pause before the
        frontend may have initialized. Often during frontend initialization
        the frontend may perform an action that clears the pause state requested
        by the developer. This change defers the pause until after the frontend
        has initialized, right before returning to the application's code.

        * inspector/remote/RemoteControllableTarget.h:
        * inspector/remote/RemoteInspectionTarget.h:
        * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
        (Inspector::RemoteConnectionToTarget::setup):
        * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
        (Inspector::RemoteConnectionToTarget::setup):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::pause): Deleted.
        * runtime/JSGlobalObjectDebuggable.h:
        Pass an immediatelyPause boolean on to the controller. Remove
        the current path that invokes a pause before initialization.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        Manage should immediately pause state.

        (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
        (Inspector::JSGlobalObjectInspectorController::pause): Deleted.
        When initialized, trigger a pause if requested.

2017-05-26  Mark Lam  <mark.lam@apple.com>

        Temporarily commenting out a JSExportTest test until webkit.org/b/172654 is fixed.
        https://bugs.webkit.org/show_bug.cgi?id=172655

        Reviewed by Saam Barati.

        * API/tests/JSExportTests.mm:
        (wrapperForNSObjectisObject):

2017-05-26  Mark Lam  <mark.lam@apple.com>

        REGRESSION(216914): testCFStrings encounters an invalid ExecState callee pointer.
        https://bugs.webkit.org/show_bug.cgi?id=172651

        Reviewed by Saam Barati.

        This is because the assertion utility functions used in testCFStrings() expect
        to get the JSGlobalContextRef from the global context variable.  However,
        testCFStrings() creates its own JSGlobalContextRef but does not set the global
        context variable to it.

        The fix is to make testCFStrings() initialize the global context variable properly.

        * API/tests/testapi.c:
        (testCFStrings):

2017-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Give ModuleProgram the same treatment that we did for ProgramCode in bug#167725
        https://bugs.webkit.org/show_bug.cgi?id=167805

        Reviewed by Saam Barati.

        Since ModuleProgramExecutable is executed only once, we can skip compiling
        code unreachable from the current program count. This can skip massive
        initialization code.

        We already do this for global code in bug#167725. This patch extends it to
        module code.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeModuleProgram):
        * interpreter/Interpreter.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::evaluate):
        * runtime/JSModuleRecord.h:
        (JSC::JSModuleRecord::moduleProgramExecutable): Deleted.

2017-05-26  Oleksandr Skachkov  <gskachkov@gmail.com>

        Prevent async methods named 'function'
        https://bugs.webkit.org/show_bug.cgi?id=172598

        Reviewed by Mark Lam.

        Prevent async methods named 'function' in a class.
        Link to the change in the ecma262 specification:
        https://github.com/tc39/ecma262/pull/884

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2017-05-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for GCC

        std::tuple does not have an implicit constructor.
        Thus, we cannot use implicit construction with an initializer brace.
        We should specify the name like `GetInst { }`.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::StructureForInContext::addGetInst):

2017-05-25  Keith Miller  <keith_miller@apple.com>

        Cleanup tests after r217240
        https://bugs.webkit.org/show_bug.cgi?id=172466

        Reviewed by Mark Lam.

        I forgot to make my test an actual test. Also, remove the second call to runJSExportTests().

        * API/tests/JSExportTests.mm:
        (wrapperForNSObjectisObject):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):

2017-05-25  Michael Saboff  <msaboff@apple.com>

        The default setting of Option::criticalGCMemoryThreshold is too high for iOS
        https://bugs.webkit.org/show_bug.cgi?id=172617

        Reviewed by Mark Lam.

        Reducing criticalGCMemoryThreshold to 0.80 eliminated jetsam on iOS devices
        when tested running JetStream.

        * runtime/Options.h:

2017-05-25  Saam Barati  <sbarati@apple.com>

        Our for-in optimization in the bytecode generator does its static analysis incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=172532
        <rdar://problem/32369452>

        Reviewed by Mark Lam.

        Our static analysis for when a for-in induction variable
        is written to tried to do its analysis as we generate
        bytecode. This has issues, since it does not account for
        the dynamic execution path of the program. Let's consider
        a program where our old analysis worked:

        ```
        for (let p in o) {
            o[p]; // We can transform this into a fast get_direct_pname
            p = 20;
            o[p]; // We cannot transform this since p has been changed.
        }
        ```

        However, our static analysis did not account for loops, which exist
        in JavaScript. e.g, it would incorrectly compile this program as:
        ```
        for (let p in o) {
            for (let i = 0; i < 20; ++i) {
                o[p]; // It transforms this to use get_direct_pname even though p will be over-written if we get here from the inner loop back edge!
                p = 20;
                o[p]; // We correctly do not transform this.
            }
        }
        ```

        Because of this flaw, I've made the optimization more conservative.
        We now optimistically emit code for the optimized access. However,
        if a for-in context is *ever* invalidated, before we pop it off
        the stack, we rewrite the program's optimized accesses to no longer
        be optimized. To do this, each context keeps track of its optimized
        accesses.

        This patch also adds a new bytecode, op_nop, which is just a no-op.
        It was helpful to add this because reverting get_direct_pname to get_by_val
        will leave us with an extra instruction word because get_direct_pname
        has a length of 7 where get_by_val has a length of 6. This leaves us with
        an extra slot that we fill with an op_nop.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::popIndexedForInScope):
        (JSC::BytecodeGenerator::popStructureForInScope):
        (JSC::BytecodeGenerator::invalidateForInContextForLocal):
        (JSC::StructureForInContext::pop):
        (JSC::IndexedForInContext::pop):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::StructureForInContext::addGetInst):
        (JSC::IndexedForInContext::addGetInst):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_nop):
        * llint/LowLevelInterpreter.asm:

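        Added example (editor's illustration, not part of the ChangeLog or of WebKit's
        code): the observable semantics that the for-in optimization above has to preserve.
        Each o[p] must read the property named by the current value of p, so on the inner
        loop's back edge the read at the top of the body must see the reassigned name, not
        the key the for-in enumerator handed out. A correct engine (or a correctly
        invalidated get_direct_pname) produces exactly the sequence checked below. The
        sample object and the reassignment value "twenty" are constructed for this example.

```javascript
// Added example, not WebKit code. Mirrors the second snippet in the entry above:
// an inner loop reassigns the for-in induction variable, so the first o[p] in the
// inner loop body reads the enumerated key only on the first inner iteration.
function forInWithInnerLoopReassignment(o) {
  const seen = [];
  for (let p in o) {
    for (let i = 0; i < 2; ++i) {
      seen.push(o[p]);   // i === 0: enumerated key; i === 1: the reassigned key
      p = "twenty";      // constructed reassignment target
      seen.push(o[p]);   // always the reassigned key
    }
  }
  return seen;
}

// Constructed sample: two ordinary keys plus the key p is reassigned to, so the
// reads after reassignment hit a real property rather than undefined.
function checkForInSemantics() {
  const o = { a: 1, b: 2, twenty: 3 };
  const actual = forInWithInnerLoopReassignment(o);
  // Per key: [enumerated read, reassigned read, reassigned read, reassigned read].
  const expected = [1, 3, 3, 3, 2, 3, 3, 3, 3, 3, 3, 3];
  return JSON.stringify(actual) === JSON.stringify(expected);
}
```

        A test of this shape is what exposes the bug described in the entry: an engine
        that keeps the fast enumerated-key access for the first o[p] would return the
        original key's value on every inner iteration instead of the reassigned one.
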
2017-05-25  Mark Lam  <mark.lam@apple.com>

        ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly.
        https://bugs.webkit.org/show_bug.cgi?id=172548
        <rdar://problem/31458393>

        Reviewed by Filip Pizlo.

        Consider the following scenario:

        1. A ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1, watches for
           structure transitions, e.g. structure S2 transitioning to structure S3.
           In this case, O1 would be installed in S2's watchpoint set.
        2. When the structure transition happens, structure S2 will fire watchpoint O1.
        3. O1's handler will normally re-install itself in the watchpoint set of the new
           "transitioned to" structure S3.
        4. "Installation" here requires writing into the StructureRareData SD3 of the new
           structure S3.  If SD3 does not exist yet, the installation process will trigger
           the allocation of StructureRareData SD3.
        5. It is possible that the Structure S1, and StructureRareData SD1 that owns the
           ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1 is no longer reachable
           by the GC, and therefore will be collected soon.
        6. The allocation of SD3 in (4) may trigger the sweeping of the StructureRareData
           SD1.  This, in turn, triggers the deletion of the
           ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1.

        After O1 is deleted in (6) and SD3 is allocated in (4), execution continues in
        AdaptiveInferredPropertyValueWatchpointBase::fire() where O1 gets installed in
        structure S3's watchpoint set.  This is obviously incorrect because O1 is already
        deleted.  The result is that badness happens later when S3's watchpoint set fires
        its watchpoints and accesses the deleted O1.

        The fix is to enhance AdaptiveInferredPropertyValueWatchpointBase::fire() to
        check if "this" is still valid before proceeding to re-install itself or to
        invoke its handleFire() method.

        ObjectToStringAdaptiveInferredPropertyValueWatchpoint (which extends
        AdaptiveInferredPropertyValueWatchpointBase) will override its isValid() method,
        and return false if its owner StructureRareData is no longer reachable by the GC.
        This ensures that it won't be deleted while it's installed to any watchpoint set.

        Additional considerations and notes:
        1. In the above, I talked about the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
           being installed in watchpoint sets.  What actually happens is that
           ObjectToStringAdaptiveInferredPropertyValueWatchpoint has 2 members
           (m_structureWatchpoint and m_propertyWatchpoint) which may be installed in
           watchpoint sets.  The ObjectToStringAdaptiveInferredPropertyValueWatchpoint is
           not itself a Watchpoint object.

           But for brevity, in the above, I refer to the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
           instead of its Watchpoint members.  The description of the issue is still
           accurate given the life-cycle of the Watchpoint members are embedded in the
           enclosing ObjectToStringAdaptiveInferredPropertyValueWatchpoint object, and
           hence, they share the same life-cycle.

        2. The top of AdaptiveInferredPropertyValueWatchpointBase::fire() removes its
           m_structureWatchpoint and m_propertyWatchpoint if they have been added to any
           watchpoint sets.  This is safe to do even if the owner StructureRareData is no
           longer reachable by the GC.

           This is because the only way we can get to AdaptiveInferredPropertyValueWatchpointBase::fire()
           is if its Watchpoint members are still installed in some watchpoint set that
           fired.  This means that the AdaptiveInferredPropertyValueWatchpointBase
           instance has not been deleted yet, because its destructor will automatically
           remove the Watchpoint members from any watchpoint sets.

        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::isValid):
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
        * heap/FreeList.cpp:
        (JSC::FreeList::contains):
        * heap/FreeList.h:
        * heap/HeapCell.h:
        * heap/HeapCellInlines.h:
        (JSC::HeapCell::isLive):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::isFreeListedCell):
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::isFreeListedCell):
        * runtime/StructureRareData.cpp:
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid):

2017-05-23  Saam Barati  <sbarati@apple.com>

        We should not mmap zero bytes for a memory in Wasm
        https://bugs.webkit.org/show_bug.cgi?id=172528
        <rdar://problem/32257076>

        Reviewed by Mark Lam.

        This patch fixes a bug where we would call into mmap with zero bytes
        when creating a slow WasmMemory with zero initial page size. This fix
        is simple: if we don't have any initial bytes, we just call the constructor
        in WasmMemory that's meant to handle this case.

        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::create):

2017-05-23  Brian Burg  <bburg@apple.com>

        REGRESSION(r217051): Automation sessions fail to complete bootstrap
        https://bugs.webkit.org/show_bug.cgi?id=172513
        <rdar://problem/32338354>

        Reviewed by Joseph Pecoraro.

        The changes to be more strict about typechecking messages were too strict.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::receivedSetupMessage):
        WIRAutomatically is an optional key in the setup message. In the relay, this key gets copied
        into an NSDictionary as NSNull if the key isn't present in a forwarded command.
        We need to revert NSNull values to nil, since it's valid to call [nil boolValue] but not
        [[NSNull null] boolValue]. We also need to allow for nil in the typecheck for this key.

2017-05-23  Myles C. Maxfield  <mmaxfield@apple.com>

        Remove dead ENABLE(FONT_LOAD_EVENTS) code
        https://bugs.webkit.org/show_bug.cgi?id=172517

        Rubber-stamped by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2017-05-23  Saam Barati  <sbarati@apple.com>

        CFGSimplificationPhase should not merge a block with itself
        https://bugs.webkit.org/show_bug.cgi?id=172508
        <rdar://problem/28424006>

        Reviewed by Keith Miller.

        CFGSimplificationPhase can run into or create IR that ends up with a
        block that has a Jump to itself, and no other predecessors. It should
        gracefully handle such IR. Before this patch, it would not. The only criterion
        for merging 'block' with 'targetBlock' used to be that 'targetBlock.predecessors.size() == 1'.
        The code is written in such a way that if we merge a block with itself, we
        will infinite loop until we run out of memory.

        Merging a block with itself does not make sense for a few reasons. First,
        we're joining the contents of two blocks. What is the definition of joining
        a block with itself? I suppose we could simply unroll this self loop
        one level, but that would not be wise because this self loop is by definition
        unreachable unless it's the root block in the graph (which I think is
        invalid IR since we'd never generate bytecode that would do this).

        This patch employs an easy fix: we can't merge a block with itself.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::canMergeBlocks):
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::convertToJump):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2017-05-22  Brian Burg  <bburg@apple.com>

        Web Inspector: webkit reload policy should match default behavior
        https://bugs.webkit.org/show_bug.cgi?id=171385
        <rdar://problem/31871515>

        Reviewed by Joseph Pecoraro.

        Add a new option to Page.reload that allows the test harness
        to reload its test page using the old reload behavior.

        The new behavior of revalidating expired cached subresources only
        is the current default, since only the test harness needs the old behavior.

        * inspector/protocol/Page.json:

2017-05-22  Keith Miller  <keith_miller@apple.com>

        [Cocoa] An exported Objective C class’s prototype and constructor don't persist across JSContext deallocation
        https://bugs.webkit.org/show_bug.cgi?id=167708

        Reviewed by Geoffrey Garen.

        This patch moves the Objective C wrapper map to the global object. In order to make this work the JSWrapperMap
        class no longer holds a reference to the JSContext. Instead, the context must be provided when getting a wrapper.

        Also, this patch fixes a "bug" where we would observe changes to the Object property on the global object when
        creating a wrapper for NSObject.

        * API/APICast.h:
        (toJSGlobalObject):
        * API/JSContext.mm:
        (-[JSContext ensureWrapperMap]):
        (-[JSContext initWithVirtualMachine:]):
        (-[JSContext dealloc]):
        (-[JSContext wrapperMap]):
        (-[JSContext initWithGlobalContextRef:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSWrapperMap.h:
        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo initForClass:]):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeInContext:]):
        (-[JSObjCClassInfo wrapperForObject:inContext:]):
        (-[JSObjCClassInfo constructorInContext:]):
        (-[JSObjCClassInfo prototypeInContext:]):
        (-[JSWrapperMap initWithGlobalContextRef:]):
        (-[JSWrapperMap classInfoForClass:]):
        (-[JSWrapperMap jsWrapperForObject:inContext:]):
        (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
        (-[JSObjCClassInfo initWithContext:forClass:]): Deleted.
        (-[JSObjCClassInfo allocateConstructorAndPrototype]): Deleted.
        (-[JSObjCClassInfo wrapperForObject:]): Deleted.
        (-[JSObjCClassInfo constructor]): Deleted.
        (-[JSObjCClassInfo prototype]): Deleted.
        (-[JSWrapperMap initWithContext:]): Deleted.
        (-[JSWrapperMap jsWrapperForObject:]): Deleted.
        (-[JSWrapperMap objcWrapperForJSValueRef:]): Deleted.
        * API/tests/JSExportTests.mm:
        (wrapperLifetimeIsTiedToGlobalObject):
        (runJSExportTests):
        * API/tests/testapi.mm:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::wrapperMap):
        (JSC::JSGlobalObject::setWrapperMap):

2017-05-22  Filip Pizlo  <fpizlo@apple.com>

        FTL stack overflow handling should not assume that B3 never selects callee-saves in the prologue
        https://bugs.webkit.org/show_bug.cgi?id=172455

        Reviewed by Mark Lam.

        The FTL needs to run B3's callee-save register restoration before it runs the exception
        handler's callee-save register restoration.  This exposes B3's callee-save register
        algorithm in AssemblyHelpers so that the FTL can call it.

        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::generate):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower): Fix the bug.
        * heap/Subspace.cpp: Added some debugging support.
        (JSC::Subspace::allocate):
        (JSC::Subspace::tryAllocate):
        (JSC::Subspace::didAllocate):
        * heap/Subspace.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::addressFor):
        (JSC::AssemblyHelpers::emitSave):
        (JSC::AssemblyHelpers::emitRestore):

2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=172216

        Reviewed by Saam Barati.

        This patch adds GetByVal support for ArrayStorage and SlowPutArrayStorage.
        To lower CheckInBounds in FTL, we add a new GetVectorLength op. It only accepts
        ArrayStorage and SlowPutArrayStorage, then it produces vector length.
        CheckInBounds uses this vector length to perform bound checking for ArrayStorage
        and SlowPutArrayStorage.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::permitsBoundsCheckLowering):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        (JSC::FTL::AbstractHeapRepository::forIndexingType):
        (JSC::FTL::AbstractHeapRepository::forArrayType):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetVectorLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitArrayStoragePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitArrayStoragePutByVal):

2017-05-21  Saam Barati  <sbarati@apple.com>

        We incorrectly throw a syntax error when declaring a top level for-loop iteration variable the same as a parameter
        https://bugs.webkit.org/show_bug.cgi?id=171041
        <rdar://problem/32082516>

        Reviewed by Yusuke Suzuki.

        We were treating a for-loop variable declaration potentially as a top
        level statement, e.g, in a program like this:
        ```
        function foo() {
            for (let variable of expr) { }
        }
        ```
        But we should not be. This had the consequence of making this type of program
        throw a syntax error:
        ```
        function foo(arg) {
            for (let arg of expr) { }
        }
        ```
        even though it should not. The fix is simple, we just need to increment the
        statement depth before parsing anything inside the for loop.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):

2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make get_by_val & string "499" to number 499
        https://bugs.webkit.org/show_bug.cgi?id=172225

        Reviewed by Saam Barati.

        Property subscript will be converted by ToString. So JS code is not aware of
        the original type of the subscript value. But our get_by_val can leverage
        information if the given subscript is number. Thus, passing number instead of
        string can improve the performance of get_by_val in all the tiers.

        In this patch, we add BytecodeGenerator::emitNodeForProperty. It attempts to
        convert the given value to Int32 index constant if the given value is a string
        that can be converted to Int32.

        This patch improves SixSpeed map-string.es5 by 9.8x. This accessing form can
        appear in some code like accessing the result of JSON.

            map-string.es5     1640.6738+-110.9182   ^    167.4121+-23.8328       ^ definitely 9.8002x faster

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNodeForProperty):
        (JSC::BytecodeGenerator::emitNodeForLeftHandSideForProperty):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TaggedTemplateNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::PostfixNode::emitBracket):
        (JSC::PrefixNode::emitBracket):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ObjectPatternNode::bindValue):
        (JSC::AssignmentElementNode::bindValue):

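        Added example (editor's illustration, not part of the ChangeLog or of WebKit's
        code): the safety condition behind rewriting a string subscript such as "499"
        into the integer 499, as the entry above describes. Property keys are compared
        after ToString, so the rewrite is only sound when ToString of the integer gives
        back exactly the original string; "0499", "-0" or "4.0" name different
        properties and must be left alone. The helper names, the deliberately naive
        parseInt variant shown for contrast, and the sample object are constructed for
        this example; the real check lives in BytecodeGenerator::emitNodeForProperty,
        whose exact rules are not reproduced here.

```javascript
// Added example, not WebKit code. `canonicalInt32Index` is the editor's model of
// the condition under which a string subscript may become an Int32 constant.

// Returns the non-negative Int32 n with String(n) === s, or null if `s` is not
// the canonical decimal form of such a number (leading zeros, signs, whitespace,
// fractions and out-of-range values are all rejected).
function canonicalInt32Index(s) {
  if (typeof s !== "string" || !/^(0|[1-9][0-9]*)$/.test(s)) return null;
  const n = Number(s);
  if (n > 0x7fffffff) return null;   // not representable as Int32
  return n;                          // String(n) === s holds here
}

// Deliberately wrong variant for contrast: parseInt accepts "0499", "-0", "4.0".
function naiveIndex(s) {
  const n = parseInt(s, 10);
  return Number.isNaN(n) ? null : n;
}

// Reads o[key], going through the integer index when the given strategy says so.
function readVia(indexFn, o, key) {
  const index = indexFn(key);
  return index === null ? o[key] : o[index];
}

// Constructed sample with keys that only differ in their string spelling.
const SAMPLE = { "499": "int-like", "0499": "leading zero", "-0": "negative zero" };

// Compares direct access against both rewrite strategies for a set of subscripts.
function compareRewrites() {
  return ["499", "0499", "-0", "4.0", "abc"].map((key) => ({
    key,
    direct: SAMPLE[key],
    canonical: readVia(canonicalInt32Index, SAMPLE, key),
    naive: readVia(naiveIndex, SAMPLE, key),
  }));
}
```

        Running compareRewrites() shows the canonical strategy agreeing with direct
        access on every key, while the parseInt variant reads "int-like" for "0499"
        and undefined for "-0" (it turns "-0" into the number -0, whose property key
        is "0"): exactly the observable difference a too-eager rewrite would introduce.
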
2789 2017-05-21  Saam Barati  <sbarati@apple.com>
2790
2791         We overwrite the callee save space on the stack when throwing stack overflow from wasm
2792         https://bugs.webkit.org/show_bug.cgi?id=172316
2793
2794         Reviewed by Mark Lam.
2795
2796         When throwing a stack overflow exception, the overflow
2797         thunk would do the following:
2798           move fp, sp
2799           populate argument registers
2800           call C code
2801         
2802         However, the C function is allowed to clobber our spilled
2803         callee saves that live below fp. The reason I did this move is that
2804         when we jump to this code, we've proven that sp is out of bounds on
2805         the stack. So we're not allowed to just use its value or keep growing
2806         the stack from that point. However, this patch revises this approach
2807         to be the same in spirit, but actually correct. We conservatively assume
2808         the B3 function we're coming from could have saved all callee saves.
2809         So we emit code like this now:
2810           add -maxNumCalleeSaveSpace, fp, sp
2811           populate argument registers
2812           call C code
2813         
2814         This ensures our callee saves will not be overwritten. Note
2815         that fp is still in a valid stack range here, since the thing
2816         calling the wasm code did a stack check. Also note that maxNumCalleeSaveSpace
2817         is less than our redzone size, so it's safe to decrement sp by 
2818         this amount.
2819         
2820         The previously added wasm stack overflow test is an instance crash
2821         without this change on arm64. It also appears that this test crashed
2822         on some other x86 devices.
2823
2824         * wasm/WasmThunks.cpp:
2825         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2826
2827 2017-05-20  Chris Dumez  <cdumez@apple.com>
2828
2829         Drop [NoInterfaceObject] from RTCDTMFSender and RTCStatsReport
2830         https://bugs.webkit.org/show_bug.cgi?id=172418
2831
2832         Reviewed by Youenn Fablet.
2833
2834         Add CommonIdentifiers that are now needed.
2835
2836         * runtime/CommonIdentifiers.h:
2837
2838 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2839
2840         Unreviewed, add scope.release() to propertyIsEnumerable functions.
2841         https://bugs.webkit.org/show_bug.cgi?id=172411
2842
2843         * runtime/JSGlobalObjectFunctions.cpp:
2844         (JSC::globalFuncPropertyIsEnumerable):
2845         * runtime/ObjectPrototype.cpp:
2846         (JSC::objectProtoFuncPropertyIsEnumerable):
2847
2848 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2849
2850         [JSC] Drop MapBase
2851         https://bugs.webkit.org/show_bug.cgi?id=172417
2852
2853         Reviewed by Sam Weinig.
2854
2855         MapBase is purely an additional indirection. JSMap and JSSet can directly inherit HashMapImpl.
2856         Thus MapBase is unnecessary. This patch drops it.
2857         It is good because we can eliminate one indirection when accessing the map implementation.
2858         Moreover, we can drop one unnecessary allocation per Map and Set.
2859
2860         * CMakeLists.txt:
2861         * JavaScriptCore.xcodeproj/project.pbxproj:
2862         * dfg/DFGSpeculativeJIT64.cpp:
2863         (JSC::DFG::SpeculativeJIT::compile):
2864         * ftl/FTLAbstractHeapRepository.h:
2865         * ftl/FTLLowerDFGToB3.cpp:
2866         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2867         * runtime/HashMapImpl.cpp:
2868         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
2869         (JSC::getHashMapImplKeyClassInfo): Deleted.
2870         (JSC::getHashMapImplKeyValueClassInfo): Deleted.
2871         * runtime/HashMapImpl.h:
2872         (JSC::HashMapImpl::finishCreation):
2873         (JSC::HashMapImpl::get):
2874         (JSC::HashMapImpl::info): Deleted.
2875         (JSC::HashMapImpl::createStructure): Deleted.
2876         (JSC::HashMapImpl::create): Deleted.
2877         * runtime/JSMap.h:
2878         (JSC::JSMap::set):
2879         (JSC::JSMap::get): Deleted.
2880         * runtime/JSMapIterator.cpp:
2881         (JSC::JSMapIterator::finishCreation):
2882         * runtime/JSSet.h:
2883         (JSC::JSSet::add): Deleted.
2884         * runtime/JSSetIterator.cpp:
2885         (JSC::JSSetIterator::finishCreation):
2886         * runtime/MapBase.cpp: Removed.
2887         * runtime/MapBase.h: Removed.
2888         * runtime/MapPrototype.cpp:
2889         (JSC::mapProtoFuncSize):
2890         * runtime/SetConstructor.cpp:
2891         (JSC::constructSet):
2892         * runtime/SetPrototype.cpp:
2893         (JSC::setProtoFuncSize):
2894         * runtime/VM.cpp:
2895         (JSC::VM::VM):
2896
2897 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2898
2899         [JSC] Speedup Object.assign for slow case by using propertyIsEnumerable
2900         https://bugs.webkit.org/show_bug.cgi?id=172411
2901
2902         Reviewed by Sam Weinig.
2903
2904         We use @Reflect.@getOwnPropertyDescriptor() to check
2905
2906         1. the descriptor exists,
2907         2. and the descriptor.enumerable is true
2908
2909         But Object::propertyIsEnumerable does exactly the same thing without
2910         allocating a new object for property descriptor.
2911
2912         In this patch, we add a new private function @propertyIsEnumerable, and
2913         use it in Object.assign implementation. It does not allocate unnecessary
2914         objects. It is good for GC-pressure and performance.
2915
2916         This patch improves SixSpeed object-assign.es6 by 1.7x. While this patch
2917         does not introduce a fast path for objects that do not have accessors,
2918         and it could speed up things further, this patch can speed up the common
2919         slow path cases that are the current implementation of Object.assign.
2920
2921             object-assign.es6     1103.2487+-21.5602    ^    621.8478+-34.9875       ^ definitely 1.7741x faster
2922
2923         * builtins/BuiltinNames.h:
2924         * builtins/ObjectConstructor.js:
2925         (globalPrivate.enumerableOwnProperties):
2926         (assign):
2927         * runtime/JSGlobalObject.cpp:
2928         (JSC::JSGlobalObject::init):
2929         * runtime/JSGlobalObjectFunctions.cpp:
2930         (JSC::globalFuncPropertyIsEnumerable):
2931         * runtime/JSGlobalObjectFunctions.h:
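
        The check described above, as an added example that is not part of this
        ChangeLog or of JSC's code: a spec-shaped Object.assign in JavaScript whose
        enumerable-own-property re-check uses Object.prototype.propertyIsEnumerable
        (one [[GetOwnProperty]], no descriptor object allocated), plus a tracing Proxy
        that records the ownKeys / getOwnPropertyDescriptor / get trap order and lets
        one key vanish between ownKeys and the re-check. The helper names (specAssign,
        tracingSource, traceAssign) and the {a, b, c} source object are constructed
        for the example.

```javascript
// Added example: a spec-shaped Object.assign (ECMA-262 Object.assign, step 4)
// written out so that each observable step is visible, plus a tracing Proxy
// that records the trap sequence. Hypothetical helpers, not JSC's builtin.

function specAssign(target, ...sources) {
  if (target === null || target === undefined) {
    throw new TypeError('Object.assign: target must be an object');
  }
  const to = Object(target);
  for (const source of sources) {
    if (source === null || source === undefined) continue; // skipped, per spec
    const from = Object(source);
    // [[OwnPropertyKeys]] once up front: on a Proxy this fires the ownKeys trap.
    for (const key of Reflect.ownKeys(from)) {
      // The check the patch is about: key must STILL be an enumerable own
      // property at this point. propertyIsEnumerable performs exactly one
      // [[GetOwnProperty]] (one getOwnPropertyDescriptor trap on a Proxy) and,
      // unlike Reflect.getOwnPropertyDescriptor, allocates no descriptor object.
      if (!Object.prototype.propertyIsEnumerable.call(from, key)) continue;
      const value = from[key];                 // [[Get]]: get trap on a Proxy
      if (!Reflect.set(to, key, value)) {      // Set(to, key, value, true)
        throw new TypeError(`Object.assign: cannot assign ${String(key)}`);
      }
    }
  }
  return to;
}

// Wraps a plain object in a Proxy that logs every trap Object.assign can hit.
// If `dropOnInspect` names a key, the getOwnPropertyDescriptor trap deletes
// that key from the target and reports it as absent: the key was listed by
// ownKeys but is no longer an own property when Object.assign re-checks it.
function tracingSource(obj, log, dropOnInspect) {
  return new Proxy(obj, {
    ownKeys(t) {
      log.push('ownKeys');
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      if (key === dropOnInspect) {
        delete t[key];        // configurable, so reporting "absent" is legal
        return undefined;
      }
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    get(t, key, receiver) {
      log.push(`get:${String(key)}`);
      return Reflect.get(t, key, receiver);
    },
  });
}

// Runs `assignFn({}, proxy)` over a constructed source {a, b, c} and returns
// the trap log plus the resulting object, so the engine's Object.assign and
// specAssign can be compared step for step.
function traceAssign(assignFn, dropOnInspect) {
  const log = [];
  const source = tracingSource({ a: 1, b: 2, c: 3 }, log, dropOnInspect);
  const result = assignFn({}, source);
  return { log, result };
}
```

        traceAssign(Object.assign, 'b') and traceAssign(specAssign, 'b') should yield
        the same trap log (ownKeys, then getOwnPropertyDescriptor and get per key) and
        the same { a: 1, c: 3 } result: key b is inspected but never read, because the
        Proxy made it disappear between ownKeys and the re-check. That is why the
        re-check cannot be skipped whenever the source may be a Proxy.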
2932
2933 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2934
2935         [JSC] Enable testapi on Mac CMake build
2936         https://bugs.webkit.org/show_bug.cgi?id=172354
2937
2938         Reviewed by Alex Christensen.
2939
2940         This patch makes testapi buildable and runnable for Mac CMake port.
2941
2942         * API/tests/DateTests.mm:
2943         (+[DateTests JSDateToNSDateTest]):
2944         (+[DateTests roundTripThroughJSDateTest]):
2945         This test only works with the en_US locale.
2946
2947         * shell/CMakeLists.txt:
2948         * shell/PlatformMac.cmake:
2949         Some of the tests rely on ARC. We enable ARC for those files.
2950
2951         * shell/PlatformWin.cmake:
2952         Clean up.
2953
2954 2017-05-19  Mark Lam  <mark.lam@apple.com>
2955
2956         [Re-landing] DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
2957         https://bugs.webkit.org/show_bug.cgi?id=172383
2958         <rdar://problem/31418651>
2959
2960         Reviewed by Filip Pizlo.
2961
2962         pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
2963         available as a scratch register.  This assumption is wrong if this canTrample
2964         register is used for a silentFill() after an operation that returns a result in
2965         regT0 or regT1.
2966
2967         Turns out the only reason we need the canTrample register is for
2968         SetDoubleConstant.  We can remove the need for this canTrample register by
2969         introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
2970         job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
2971         ARM64.  In so doing, we can simplify the silentFill() code and eliminate the bug.
2972
2973         Update for re-landing: Changed ARM64 to use scratchRegister() as well.
2974         scratchRegister() is the proper way to get the underlying dataMemoryTempRegister()
2975         as a scratch register.
2976
2977         * assembler/MacroAssembler.h:
2978         (JSC::MacroAssembler::moveDouble):
2979         * dfg/DFGArrayifySlowPathGenerator.h:
2980         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2981         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
2982         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2983         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2984         * dfg/DFGSlowPathGenerator.h:
2985         (JSC::DFG::CallSlowPathGenerator::tearDown):
2986         * dfg/DFGSpeculativeJIT.cpp:
2987         (JSC::DFG::SpeculativeJIT::silentFill):
2988         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
2989         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2990         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2991         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
2992         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
2993         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2994         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2995         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2996         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
2997         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2998         * dfg/DFGSpeculativeJIT.h:
2999         (JSC::DFG::SpeculativeJIT::silentFill):
3000         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
3001         (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
3002         (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
3003         * dfg/DFGSpeculativeJIT32_64.cpp:
3004         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
3005         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
3006         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
3007         (JSC::DFG::SpeculativeJIT::emitCall):
3008         (JSC::DFG::SpeculativeJIT::compile):
3009         * dfg/DFGSpeculativeJIT64.cpp:
3010         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
3011         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
3012         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
3013         (JSC::DFG::SpeculativeJIT::emitCall):
3014         (JSC::DFG::SpeculativeJIT::compile):
3015         (JSC::DFG::SpeculativeJIT::convertAnyInt):
3016
3017 2017-05-19  Ryan Haddad  <ryanhaddad@apple.com>
3018
3019         Unreviewed, rolling out r217156.
3020
3021         This change broke the iOS build.
3022
3023         Reverted changeset:
3024
3025         "DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring
3026         result registers."
3027         https://bugs.webkit.org/show_bug.cgi?id=172383
3028         http://trac.webkit.org/changeset/217156
3029
3030 2017-05-19  Mark Lam  <mark.lam@apple.com>
3031
3032         Add missing exception check.
3033         https://bugs.webkit.org/show_bug.cgi?id=172346
3034         <rdar://problem/32289640>
3035
3036         Reviewed by Geoffrey Garen.
3037
3038         * runtime/JSObject.cpp:
3039         (JSC::JSObject::hasInstance):
3040
3041 2017-05-19  Mark Lam  <mark.lam@apple.com>
3042
3043         DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
3044         https://bugs.webkit.org/show_bug.cgi?id=172383
3045         <rdar://problem/31418651>
3046
3047         Reviewed by Filip Pizlo.
3048
3049         pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
3050         available as a scratch register.  This assumption is wrong if this canTrample
3051         register is used for a silentFill() after an operation that returns a result in
3052         regT0 or regT1.
3053
3054         Turns out the only reason we need the canTrample register is for
3055         SetDoubleConstant.  We can remove the need for this canTrample register by
3056         introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
3057         job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
3058         ARM64.  In so doing, we can simplify the silentFill() code and eliminate the bug.
3059
3060         * assembler/MacroAssembler.h:
3061         (JSC::MacroAssembler::moveDouble):
3062         * dfg/DFGArrayifySlowPathGenerator.h:
3063         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
3064         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
3065         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3066         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
3067         * dfg/DFGSlowPathGenerator.h:
3068         (JSC::DFG::CallSlowPathGenerator::tearDown):
3069         * dfg/DFGSpeculativeJIT.cpp:
3070         (JSC::DFG::SpeculativeJIT::silentFill):
3071         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
3072         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3073         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
3074         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
3075         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
3076         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3077         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3078         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3079         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
3080         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
3081         * dfg/DFGSpeculativeJIT.h:
3082         (JSC::DFG::SpeculativeJIT::silentFill):
3083         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
3084         (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
3085         (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
3086         * dfg/DFGSpeculativeJIT32_64.cpp:
3087         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
3088         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
3089         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
3090         (JSC::DFG::SpeculativeJIT::emitCall):
3091         (JSC::DFG::SpeculativeJIT::compile):
3092         * dfg/DFGSpeculativeJIT64.cpp:
3093         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
3094         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
3095         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
3096         (JSC::DFG::SpeculativeJIT::emitCall):
3097         (JSC::DFG::SpeculativeJIT::compile):
3098         (JSC::DFG::SpeculativeJIT::convertAnyInt):
3099
3100 2017-05-19  Filip Pizlo  <fpizlo@apple.com>
3101
3102         Deduplicate some code in arrayProtoPrivateFuncConcatMemcpy
3103         https://bugs.webkit.org/show_bug.cgi?id=172382
3104
3105         Reviewed by Saam Barati.
3106         
3107         This is just a small clean-up - my last patch here created some unnecessary code duplication.
3108
3109         * runtime/ArrayPrototype.cpp:
3110         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3111
3112 2017-05-19  Filip Pizlo  <fpizlo@apple.com>
3113
3114         arrayProtoPrivateFuncConcatMemcpy needs to be down with firstArray being undecided
3115         https://bugs.webkit.org/show_bug.cgi?id=172369
3116
3117         Reviewed by Mark Lam.
3118
3119         * heap/Subspace.cpp: Reshaped the code a bit to aid debugging.
3120         (JSC::Subspace::allocate):
3121         (JSC::Subspace::tryAllocate):
3122         * runtime/ArrayPrototype.cpp:
3123         (JSC::arrayProtoPrivateFuncConcatMemcpy): Fix the bug!
3124         * runtime/ObjectInitializationScope.cpp: Provide even better feedback.
3125         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
3126
3127 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
3128
3129         B3::Value::effects() says that having a fence range implies the fence bit, but on x86_64 we lower loadAcq/storeRel to load/store so the store-before-load fence bit orderings won't be honored
3130         https://bugs.webkit.org/show_bug.cgi?id=172306
3131
3132         Reviewed by Michael Saboff.
3133         
3134         This changes B3 to emit xchg and its variants for fenced stores on x86. This ensures that
3135         fenced stores cannot be reordered around other fenced instructions. Previously, B3 emitted
3136         normal store instructions for fenced stores. That's wrong because then you get reorderings
3137         that are possible in TSO but impossible in SC. Fenced instructions are supposed to be SC
3138         with respect to each other.
3139         
3140         This is imprecise. If you really just wanted a store-release, then every X86 store does this.
3141         But, in B3, fenced stores are ARM-style store-release, meaning that they are fenced with
3142         respect to all other fences. If we ever did want to say that something is a store release in
3143         the traditional sense, then we'd want MemoryValue to have a fence flag. Then, having a fence
3144         range without the fence flag would mean the traditional store-release, which lowers to a
3145         normal store on x86. But to my knowledge, that traditional store-release is only useful for
3146         unlocking spinlocks. We don't use spinlocks in JSC. Adaptive locks require CAS for unlock,
3147         and B3 CAS is plenty fast. I think it's OK to have this small imprecision of giving clients
3148         an ARM-style store-release on x86 using xchg.
3149         
3150         The implication of this change is that the FTL no longer violates the SAB memory model.
3151
3152         * assembler/MacroAssemblerX86Common.h:
3153         (JSC::MacroAssemblerX86Common::xchg8):
3154         (JSC::MacroAssemblerX86Common::xchg16):
3155         (JSC::MacroAssemblerX86Common::xchg32):
3156         (JSC::MacroAssemblerX86Common::loadAcq8): Deleted.
3157         (JSC::MacroAssemblerX86Common::loadAcq8SignedExtendTo32): Deleted.
3158         (JSC::MacroAssemblerX86Common::loadAcq16): Deleted.
3159         (JSC::MacroAssemblerX86Common::loadAcq16SignedExtendTo32): Deleted.
3160         (JSC::MacroAssemblerX86Common::loadAcq32): Deleted.
3161         (JSC::MacroAssemblerX86Common::storeRel8): Deleted.
3162         (JSC::MacroAssemblerX86Common::storeRel16): Deleted.
3163         (JSC::MacroAssemblerX86Common::storeRel32): Deleted.
3164         * assembler/MacroAssemblerX86_64.h:
3165         (JSC::MacroAssemblerX86_64::xchg64):
3166         (JSC::MacroAssemblerX86_64::loadAcq64): Deleted.
3167         (JSC::MacroAssemblerX86_64::storeRel64): Deleted.
3168         * b3/B3LowerToAir.cpp:
3169         (JSC::B3::Air::LowerToAir::ArgPromise::inst):
3170         (JSC::B3::Air::LowerToAir::trappingInst):
3171         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
3172         (JSC::B3::Air::LowerToAir::createStore):
3173         (JSC::B3::Air::LowerToAir::storeOpcode):
3174         (JSC::B3::Air::LowerToAir::appendStore):
3175         (JSC::B3::Air::LowerToAir::append):
3176         (JSC::B3::Air::LowerToAir::appendTrapping):
3177         (JSC::B3::Air::LowerToAir::fillStackmap):
3178         (JSC::B3::Air::LowerToAir::lower):
3179         * b3/air/AirKind.cpp:
3180         (JSC::B3::Air::Kind::dump):
3181         * b3/air/AirKind.h:
3182         (JSC::B3::Air::Kind::Kind):
3183         (JSC::B3::Air::Kind::operator==):
3184         (JSC::B3::Air::Kind::hash):
3185         * b3/air/AirLowerAfterRegAlloc.cpp:
3186         (JSC::B3::Air::lowerAfterRegAlloc):
3187         * b3/air/AirLowerMacros.cpp:
3188         (JSC::B3::Air::lowerMacros):
3189         * b3/air/AirOpcode.opcodes:
3190         * b3/air/AirValidate.cpp:
3191         * b3/air/opcode_generator.rb:
3192         * b3/testb3.cpp:
3193         (JSC::B3::correctSqrt):
3194         (JSC::B3::testSqrtArg):
3195         (JSC::B3::testSqrtImm):
3196         (JSC::B3::testSqrtMem):
3197         (JSC::B3::testSqrtArgWithUselessDoubleConversion):
3198         (JSC::B3::testSqrtArgWithEffectfulDoubleConversion):
3199         (JSC::B3::testStoreRelAddLoadAcq32):
3200         (JSC::B3::testTrappingLoad):
3201         (JSC::B3::testTrappingStore):
3202         (JSC::B3::testTrappingLoadAddStore):
3203         (JSC::B3::testTrappingLoadDCE):
3204
3205 2017-05-19  Don Olmstead  <don.olmstead@am.sony.com>
3206
3207         [JSC] Remove PLATFORM(WIN) references
3208         https://bugs.webkit.org/show_bug.cgi?id=172294
3209
3210         Reviewed by Yusuke Suzuki.
3211
3212         * heap/MachineStackMarker.cpp:
3213         (JSC::MachineThreads::removeThread):
3214         * llint/LLIntOfflineAsmConfig.h:
3215         * runtime/ConfigFile.h:
3216         * runtime/VM.cpp:
3217         (JSC::VM::updateStackLimits):
3218
3219 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3220
3221         [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
3222         https://bugs.webkit.org/show_bug.cgi?id=172098
3223
3224         Reviewed by Saam Barati.
3225
3226         In this patch, we generalize CheckDOM to CheckSubClass.
3227         It can accept any ClassInfo and perform ClassInfo check
3228         in DFG / FTL. Now, we add a new function pointer to ClassInfo,
3229         checkSubClassPatchpoint. It can create DOMJIT patchpoint
3230         for that ClassInfo. It is natural that ClassInfo holds the
3231         way to emit DOMJIT::Patchpoint to perform CheckSubClass
3232         rather than having it in each DOMJIT getter / function
3233         signature annotation.
3234
3235         One problem is that it enlarges the size of ClassInfo.
3236         But this is the best place to put this function pointer.
3237         By doing so, we can add a patchpoint for CheckSubClass
3238         in a non-intrusive manner: WebCore can inject patchpoints
3239         without interacting with JSC.
3240
3241         We still have a way to reduce the size of ClassInfo if
3242         we move ArrayBuffer related methods out to the other places.
3243
3244         This patch touches many files because we add a new function
3245         pointer to ClassInfo. But they are basically mechanical changes.
3246
3247         * API/JSAPIWrapperObject.mm:
3248         * API/JSCallbackConstructor.cpp:
3249         * API/JSCallbackFunction.cpp:
3250         * API/JSCallbackObject.cpp:
3251         * API/ObjCCallbackFunction.mm:
3252         * CMakeLists.txt:
3253         * JavaScriptCore.xcodeproj/project.pbxproj:
3254         * bytecode/CodeBlock.cpp:
3255         * bytecode/DOMJITAccessCasePatchpointParams.h:
3256         (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
3257         * bytecode/EvalCodeBlock.cpp:
3258         * bytecode/FunctionCodeBlock.cpp:
3259         * bytecode/GetterSetterAccessCase.cpp:
3260         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3261         * bytecode/ModuleProgramCodeBlock.cpp:
3262         * bytecode/ProgramCodeBlock.cpp:
3263         * bytecode/UnlinkedCodeBlock.cpp:
3264         * bytecode/UnlinkedEvalCodeBlock.cpp:
3265         * bytecode/UnlinkedFunctionCodeBlock.cpp:
3266         * bytecode/UnlinkedFunctionExecutable.cpp:
3267         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
3268         * bytecode/UnlinkedProgramCodeBlock.cpp:
3269         * debugger/DebuggerScope.cpp:
3270         * dfg/DFGAbstractInterpreterInlines.h:
3271         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3272         * dfg/DFGByteCodeParser.cpp:
3273         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3274         * dfg/DFGClobberize.h:
3275         (JSC::DFG::clobberize):
3276         * dfg/DFGConstantFoldingPhase.cpp:
3277         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3278         * dfg/DFGDOMJITPatchpointParams.h:
3279         (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
3280         * dfg/DFGDoesGC.cpp:
3281         (JSC::DFG::doesGC):
3282         * dfg/DFGFixupPhase.cpp:
3283         (JSC::DFG::FixupPhase::fixupNode):
3284         (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
3285         (JSC::DFG::FixupPhase::fixupCheckSubClass):
3286         (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
3287         * dfg/DFGGraph.cpp:
3288         (JSC::DFG::Graph::dump):
3289         * dfg/DFGNode.h:
3290         (JSC::DFG::Node::hasClassInfo):
3291         (JSC::DFG::Node::classInfo):
3292         (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
3293         (JSC::DFG::Node::checkDOMPatchpoint): Deleted.
3294         * dfg/DFGNodeType.h:
3295         * dfg/DFGPredictionPropagationPhase.cpp:
3296         * dfg/DFGSafeToExecute.h:
3297         (JSC::DFG::safeToExecute):
3298         * dfg/DFGSpeculativeJIT.cpp:
3299         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
3300         (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
3301         * dfg/DFGSpeculativeJIT.h:
3302         (JSC::DFG::SpeculativeJIT::vm):
3303         * dfg/DFGSpeculativeJIT32_64.cpp:
3304         (JSC::DFG::SpeculativeJIT::compile):
3305         * dfg/DFGSpeculativeJIT64.cpp:
3306         (JSC::DFG::SpeculativeJIT::compile):
3307         * domjit/DOMJITGetterSetter.h:
3308         * domjit/DOMJITPatchpointParams.h:
3309         (JSC::DOMJIT::PatchpointParams::PatchpointParams):
3310         (JSC::DOMJIT::PatchpointParams::vm):
3311         * domjit/DOMJITSignature.h:
3312         (JSC::DOMJIT::Signature::Signature):
3313         (JSC::DOMJIT::Signature::checkDOM): Deleted.
3314         * ftl/FTLAbstractHeapRepository.h:
3315         * ftl/FTLCapabilities.cpp:
3316         (JSC::FTL::canCompile):
3317         * ftl/FTLDOMJITPatchpointParams.h:
3318         (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
3319         * ftl/FTLLowerDFGToB3.cpp:
3320         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3321         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3322         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
3323         * inspector/JSInjectedScriptHost.cpp:
3324         * inspector/JSInjectedScriptHostPrototype.cpp:
3325         * inspector/JSJavaScriptCallFrame.cpp:
3326         * inspector/JSJavaScriptCallFramePrototype.cpp:
3327         * jsc.cpp:
3328         (WTF::DOMJITNode::checkSubClassPatchpoint):
3329         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
3330         (WTF::DOMJITFunctionObject::finishCreation):
3331         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
3332         (WTF::DOMJITCheckSubClassObject::createStructure):
3333         (WTF::DOMJITCheckSubClassObject::create):
3334         (WTF::DOMJITCheckSubClassObject::safeFunction):
3335         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
3336         (WTF::DOMJITCheckSubClassObject::finishCreation):
3337         (GlobalObject::finishCreation):
3338         (functionCreateDOMJITCheckSubClassObject):
3339         (WTF::DOMJITNode::checkDOMJITNode): Deleted.
3340         (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
3341         * runtime/AbstractModuleRecord.cpp:
3342         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
3343         * runtime/ArrayConstructor.cpp:
3344         * runtime/ArrayIteratorPrototype.cpp:
3345         * runtime/ArrayPrototype.cpp:
3346         * runtime/AsyncFunctionConstructor.cpp:
3347         * runtime/AsyncFunctionPrototype.cpp:
3348         * runtime/AtomicsObject.cpp:
3349         * runtime/BooleanConstructor.cpp:
3350         * runtime/BooleanObject.cpp:
3351         * runtime/BooleanPrototype.cpp:
3352         * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
3353         (JSC::ClassInfo::dump):
3354         * runtime/ClassInfo.h:
3355         (JSC::ClassInfo::offsetOfParentClass):
3356         * runtime/ClonedArguments.cpp:
3357         * runtime/ConsoleObject.cpp:
3358         * runtime/CustomGetterSetter.cpp:
3359         * runtime/DateConstructor.cpp:
3360         * runtime/DateInstance.cpp:
3361         * runtime/DatePrototype.cpp:
3362         * runtime/DirectArguments.cpp:
3363         * runtime/Error.cpp:
3364         * runtime/ErrorConstructor.cpp:
3365         * runtime/ErrorInstance.cpp:
3366         * runtime/ErrorPrototype.cpp:
3367         * runtime/EvalExecutable.cpp:
3368         * runtime/Exception.cpp:
3369         * runtime/ExceptionHelpers.cpp:
3370         * runtime/ExecutableBase.cpp:
3371         * runtime/FunctionConstructor.cpp:
3372         * runtime/FunctionExecutable.cpp:
3373         * runtime/FunctionPrototype.cpp:
3374         * runtime/FunctionRareData.cpp:
3375         * runtime/GeneratorFunctionConstructor.cpp:
3376         * runtime/GeneratorFunctionPrototype.cpp:
3377         * runtime/GeneratorPrototype.cpp:
3378         * runtime/GetterSetter.cpp:
3379         * runtime/HashMapImpl.cpp:
3380         * runtime/HashMapImpl.h:
3381         * runtime/InferredType.cpp:
3382         (JSC::InferredType::create):
3383         * runtime/InferredTypeTable.cpp:
3384         * runtime/InferredValue.cpp:
3385         * runtime/InspectorInstrumentationObject.cpp:
3386         * runtime/InternalFunction.cpp:
3387         * runtime/IntlCollator.cpp:
3388         * runtime/IntlCollatorConstructor.cpp:
3389         * runtime/IntlCollatorPrototype.cpp:
3390         * runtime/IntlDateTimeFormat.cpp:
3391         * runtime/IntlDateTimeFormatConstructor.cpp:
3392         * runtime/IntlDateTimeFormatPrototype.cpp:
3393         * runtime/IntlNumberFormat.cpp:
3394         * runtime/IntlNumberFormatConstructor.cpp:
3395         * runtime/IntlNumberFormatPrototype.cpp:
3396         * runtime/IntlObject.cpp:
3397         * runtime/IteratorPrototype.cpp:
3398         * runtime/JSAPIValueWrapper.cpp:
3399         * runtime/JSArray.cpp:
3400         * runtime/JSArrayBuffer.cpp:
3401         * runtime/JSArrayBufferConstructor.cpp:
3402         * runtime/JSArrayBufferPrototype.cpp:
3403         * runtime/JSArrayBufferView.cpp:
3404         * runtime/JSAsyncFunction.cpp:
3405         * runtime/JSBoundFunction.cpp:
3406         * runtime/JSCallee.cpp:
3407         * runtime/JSCustomGetterSetterFunction.cpp:
3408         * runtime/JSDataView.cpp:
3409         * runtime/JSDataViewPrototype.cpp:
3410         * runtime/JSEnvironmentRecord.cpp:
3411         * runtime/JSFixedArray.cpp:
3412         * runtime/JSFunction.cpp:
3413         * runtime/JSGeneratorFunction.cpp:
3414         * runtime/JSGlobalLexicalEnvironment.cpp:
3415         * runtime/JSGlobalObject.cpp:
3416         * runtime/JSInternalPromise.cpp:
3417         * runtime/JSInternalPromiseConstructor.cpp:
3418         * runtime/JSInternalPromiseDeferred.cpp:
3419         * runtime/JSInternalPromisePrototype.cpp:
3420         * runtime/JSLexicalEnvironment.cpp:
3421         * runtime/JSMap.cpp:
3422         * runtime/JSMapIterator.cpp:
3423         * runtime/JSModuleEnvironment.cpp:
3424         * runtime/JSModuleLoader.cpp:
3425         * runtime/JSModuleNamespaceObject.cpp:
3426         * runtime/JSModuleRecord.cpp:
3427         * runtime/JSNativeStdFunction.cpp:
3428         * runtime/JSONObject.cpp:
3429         * runtime/JSObject.cpp:
3430         * runtime/JSPromise.cpp:
3431         * runtime/JSPromiseConstructor.cpp:
3432         * runtime/JSPromiseDeferred.cpp:
3433         * runtime/JSPromisePrototype.cpp:
3434         * runtime/JSPropertyNameEnumerator.cpp:
3435         * runtime/JSPropertyNameIterator.cpp:
3436         * runtime/JSProxy.cpp:
3437         * runtime/JSScriptFetcher.cpp:
3438         * runtime/JSSet.cpp:
3439         * runtime/JSSetIterator.cpp:
3440         * runtime/JSSourceCode.cpp:
3441         * runtime/JSString.cpp:
3442         * runtime/JSStringIterator.cpp:
3443         * runtime/JSSymbolTableObject.cpp:
3444         * runtime/JSTemplateRegistryKey.cpp:
3445         * runtime/JSTypedArrayConstructors.cpp:
3446         * runtime/JSTypedArrayPrototypes.cpp:
3447         * runtime/JSTypedArrayViewConstructor.cpp:
3448         * runtime/JSTypedArrays.cpp:
3449         * runtime/JSWeakMap.cpp:
3450         * runtime/JSWeakSet.cpp:
3451         * runtime/JSWithScope.cpp:
3452         * runtime/MapConstructor.cpp:
3453         * runtime/MapIteratorPrototype.cpp:
3454         * runtime/MapPrototype.cpp:
3455         * runtime/MathObject.cpp:
3456         * runtime/ModuleLoaderPrototype.cpp:
3457         * runtime/ModuleProgramExecutable.cpp:
3458         * runtime/NativeErrorConstructor.cpp:
3459         * runtime/NativeExecutable.cpp:
3460         * runtime/NativeStdFunctionCell.cpp:
3461         * runtime/NullGetterFunction.cpp:
3462         * runtime/NullSetterFunction.cpp:
3463         * runtime/NumberConstructor.cpp:
3464         * runtime/NumberObject.cpp:
3465         * runtime/NumberPrototype.cpp:
3466         * runtime/ObjectConstructor.cpp:
3467         * runtime/ObjectPrototype.cpp:
3468         * runtime/ProgramExecutable.cpp:
3469         * runtime/PropertyTable.cpp:
3470         * runtime/ProxyConstructor.cpp:
3471         * runtime/ProxyObject.cpp:
3472         * runtime/ProxyRevoke.cpp:
3473         * runtime/ReflectObject.cpp:
3474         * runtime/RegExp.cpp:
3475         * runtime/RegExpConstructor.cpp:
3476         * runtime/RegExpObject.cpp:
3477         * runtime/RegExpPrototype.cpp:
3478         * runtime/ScopedArguments.cpp:
3479         * runtime/ScopedArgumentsTable.cpp:
3480         * runtime/ScriptExecutable.cpp:
3481         * runtime/SetConstructor.cpp:
3482         * runtime/SetIteratorPrototype.cpp:
3483         * runtime/SetPrototype.cpp:
3484         * runtime/SparseArrayValueMap.cpp:
3485         * runtime/StrictEvalActivation.cpp:
3486         * runtime/StringConstructor.cpp:
3487         * runtime/StringIteratorPrototype.cpp:
3488         * runtime/StringObject.cpp:
3489         * runtime/StringPrototype.cpp:
3490         * runtime/Structure.cpp:
3491         * runtime/StructureChain.cpp:
3492         * runtime/StructureRareData.cpp:
3493         * runtime/Symbol.cpp:
3494         * runtime/SymbolConstructor.cpp:
3495         * runtime/SymbolObject.cpp:
3496         * runtime/SymbolPrototype.cpp:
3497         * runtime/SymbolTable.cpp:
3498         * runtime/WeakMapConstructor.cpp:
3499         * runtime/WeakMapData.cpp:
3500         * runtime/WeakMapPrototype.cpp:
3501         * runtime/WeakSetConstructor.cpp:
3502         * runtime/WeakSetPrototype.cpp:
3503         * testRegExp.cpp:
3504         * tools/JSDollarVM.cpp:
3505         * tools/JSDollarVMPrototype.cpp:
3506         * wasm/JSWebAssembly.cpp:
3507         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3508         * wasm/js/JSWebAssemblyCompileError.cpp:
3509         * wasm/js/JSWebAssemblyInstance.cpp:
3510         * wasm/js/JSWebAssemblyLinkError.cpp:
3511         * wasm/js/JSWebAssemblyMemory.cpp:
3512         * wasm/js/JSWebAssemblyModule.cpp:
3513         * wasm/js/JSWebAssemblyRuntimeError.cpp:
3514         * wasm/js/JSWebAssemblyTable.cpp:
3515         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3516         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
3517         * wasm/js/WebAssemblyFunction.cpp:
3518         * wasm/js/WebAssemblyFunctionBase.cpp:
3519         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3520         * wasm/js/WebAssemblyInstancePrototype.cpp:
3521         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3522         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
3523         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3524         * wasm/js/WebAssemblyMemoryPrototype.cpp:
3525         * wasm/js/WebAssemblyModuleConstructor.cpp:
3526         * wasm/js/WebAssemblyModulePrototype.cpp:
3527         * wasm/js/WebAssemblyModuleRecord.cpp:
3528         * wasm/js/WebAssemblyPrototype.cpp:
3529         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3530         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
3531         * wasm/js/WebAssemblyTableConstructor.cpp:
3532         * wasm/js/WebAssemblyTablePrototype.cpp:
3533         * wasm/js/WebAssemblyToJSCallee.cpp:
3534         * wasm/js/WebAssemblyWrapperFunction.cpp:
3535
3536 2017-05-18  JF Bastien  <jfbastien@apple.com>
3537
3538         WebAssembly: exports is a getter
3539         https://bugs.webkit.org/show_bug.cgi?id=172129
3540
3541         Reviewed by Saam Barati.
3542
3543         As updated here: https://github.com/WebAssembly/design/pull/1062
3544
3545         * wasm/js/JSWebAssemblyInstance.cpp:
3546         (JSC::JSWebAssemblyInstance::finishCreation): don't putDirect here anymore
3547         * wasm/js/JSWebAssemblyInstance.h:
3548         (JSC::JSWebAssemblyInstance::moduleNamespaceObject): add accessor
3549         * wasm/js/WebAssemblyFunctionBase.cpp: squelch causing a warning
3550         * wasm/js/WebAssemblyInstancePrototype.cpp: use LUT
3551         (JSC::getInstance): helper, as in surrounding files
3552         (JSC::webAssemblyInstanceProtoFuncExports): instead of putDirect
3553         * wasm/js/WebAssemblyMemoryPrototype.cpp: pass VM around as for Table
3554         (JSC::getMemory):
3555         (JSC::webAssemblyMemoryProtoFuncGrow):
3556         (JSC::webAssemblyMemoryProtoFuncBuffer):
3557         * wasm/js/WebAssemblyTablePrototype.cpp: static everywhere as with other code
3558         (JSC::webAssemblyTableProtoFuncLength):
3559         (JSC::webAssemblyTableProtoFuncGrow):
3560         (JSC::webAssemblyTableProtoFuncGet):
3561         (JSC::webAssemblyTableProtoFuncSet):
3562
3563 2017-05-18  Saam Barati  <sbarati@apple.com>
3564
3565         Proxy's [[Get]] passes incorrect receiver
3566         https://bugs.webkit.org/show_bug.cgi?id=164849
3567         <rdar://problem/31767058>
3568
3569         Reviewed by Yusuke Suzuki.
3570
3571         * runtime/ProxyObject.cpp:
3572         (JSC::performProxyGet):
3573
3574 2017-05-18  Andy Estes  <aestes@apple.com>
3575
3576         ENABLE(APPLE_PAY_DELEGATE) should be NO on macOS Sierra and earlier
3577         https://bugs.webkit.org/show_bug.cgi?id=172305
3578
3579         Reviewed by Anders Carlsson.
3580
3581         * Configurations/FeatureDefines.xcconfig:
3582
3583 2017-05-18  Saam Barati  <sbarati@apple.com>
3584
3585         We need to destroy worker threads in jsc.cpp
3586         https://bugs.webkit.org/show_bug.cgi?id=170751
3587         <rdar://problem/31800412>
3588
3589         Reviewed by Filip Pizlo.
3590
3591         This patch fixes a bug where a $ agent worker would still
3592         have compilation threads running after the thread the worker
3593         was created on dies. This manifested itself inside DFG AI where
3594         we would notice a string constant is atomic, then the worker
3595         thread would die, destroying its atomic string table, then
3596         we'd notice the same string is no longer atomic, and we'd crash
3597         because we'd fail to see the same speculated type for the same
3598         JSValue.
3599         
3600         This patch makes it so that $ agent workers destroy their VM when
3601         they're done executing. Before a VM gets destroyed, it ensures that
3602         all its compilation threads finish.
3603
3604         * jsc.cpp:
3605         (functionDollarAgentStart):
3606         (runJSC):
3607         (jscmain):
3608
3609 2017-05-18  Michael Saboff  <msaboff@apple.com>
3610
3611         Add FTL whitelist debugging option
3612         https://bugs.webkit.org/show_bug.cgi?id=172321
3613
3614         Reviewed by Saam Barati.
3615
3616         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3617         (JSC::DFG::ensureGlobalFTLWhitelist):
3618         (JSC::DFG::TierUpCheckInjectionPhase::run):
3619         * runtime/Options.h:
3620         * tools/FunctionWhitelist.cpp:
3621         (JSC::FunctionWhitelist::contains):
3622
3623 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
3624
3625         Constructor calls set this too early
3626         https://bugs.webkit.org/show_bug.cgi?id=172302
3627
3628         Reviewed by Saam Barati.
3629         
3630         We were setting this before evaluating the arguments, so this code:
3631         
3632             var x = 42;
3633             new x(x = function() { });
3634         
3635         Would crash because we would pass 42 as this, and create_this would treat it as a cell.
3636         Dereferencing a non-cell is guaranteed to crash.
3637
3638         * bytecompiler/BytecodeGenerator.cpp:
3639         (JSC::BytecodeGenerator::emitConstruct):
3640         * bytecompiler/BytecodeGenerator.h:
3641         * bytecompiler/NodesCodegen.cpp:
3642         (JSC::NewExprNode::emitBytecode):
3643         (JSC::FunctionCallValueNode::emitBytecode):
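
As an added illustration (not code from the patch above), here is the observable `new` evaluation order that this fix restores, written as plain JavaScript that runs in any spec-conforming engine; the function and variable names are constructed for this example:

```javascript
// Added example (not code from the WebKit patch): the order in which `new`
// must evaluate things. Per the spec the callee expression is read first,
// then the argument list, and only then is the receiver (`this`) created.
function calleeReadBeforeArguments() {
  // Same shape as the ChangeLog snippet: x is still 42 when `new x` reads it.
  let x = 42;
  let error = null;
  let constructed = false;
  try {
    // The assignment in the argument list runs after the callee was read,
    // so it cannot rescue the call: 42 is not a constructor.
    new x(x = function () { constructed = true; });
  } catch (e) {
    error = e;
  }
  return {
    threwTypeError: error instanceof TypeError, // 42 is not a constructor
    argumentRan: typeof x === 'function',       // the assignment still happened
    constructed,                                // the new function never ran
  };
}

// `this` is created only after the argument list: an argument that swaps the
// constructor's prototype changes what the freshly created object inherits.
function thisCreatedAfterArguments() {
  function A() {}
  function B() {}
  const obj = new A(A.prototype = B.prototype);
  return Object.getPrototypeOf(obj) === B.prototype;
}
```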
3644
3645 2017-05-18  Saam Barati  <sbarati@apple.com>
3646
3647         WebAssembly: perform stack checks
3648         https://bugs.webkit.org/show_bug.cgi?id=165546
3649         <rdar://problem/29760307>
3650
3651         Reviewed by Filip Pizlo.
3652
3653         This patch adds stack checks to wasm. It implements it by storing the stack
3654         bounds on the Context.
3655         
3656         Stack checking works as normal, except we do a small optimization for terminal
3657         nodes in the call tree (nodes that don't make any calls). These nodes will
3658         only do a stack check if their frame size is beyond 1024 bytes. Otherwise,
3659         it's assumed the parent that called them did their stack check for them.
3660         This is because all things that make calls make sure to do an extra 1024
3661         bytes whenever doing a stack check.
3662         
3663         We also take into account stack size for potential JS calls when doing
3664         stack checks since our JS stubs don't do this on their own. Each frame
3665         will ensure it does a stack check large enough for any potential JS call
3666         stubs it'll execute.
3667         
3668         Surprisingly, this patch is neutral on WasmBench and TitzerBench.
3669
3670         * llint/LLIntData.cpp:
3671         (JSC::LLInt::Data::performAssertions):
3672         * llint/LowLevelInterpreter.asm:
3673         * runtime/Error.cpp:
3674         (JSC::createRangeError):
3675         (JSC::addErrorInfoAndGetBytecodeOffset):
3676         I fixed a bug here where we assumed that the first frame that has line
3677         and column info would be in our stack trace. This is not correct
3678         since we limit our stack trace size. If everything in our limited
3679         size stack trace is Wasm, then we won't have any frames with line
3680         and column info.
3681         * runtime/Error.h:
3682         * runtime/ExceptionHelpers.cpp:
3683         (JSC::createStackOverflowError):
3684         * runtime/ExceptionHelpers.h:
3685         * runtime/JSGlobalObject.cpp:
3686         (JSC::JSGlobalObject::init):
3687         (JSC::JSGlobalObject::visitChildren):
3688         * runtime/JSGlobalObject.h:
3689         (JSC::JSGlobalObject::webAssemblyToJSCalleeStructure):
3690         * runtime/JSType.h:
3691         * runtime/Options.h: I've added a new option that controls
3692         whether or not we use fast TLS for the wasm context.
3693         * runtime/VM.cpp:
3694         (JSC::VM::VM):
3695         * runtime/VM.h:
3696         * wasm/WasmB3IRGenerator.cpp:
3697         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3698         * wasm/WasmBinding.cpp:
3699         (JSC::Wasm::wasmToWasm):
3700         * wasm/WasmContext.cpp:
3701         (JSC::Wasm::loadContext):
3702         (JSC::Wasm::storeContext):
3703         * wasm/WasmContext.h:
3704         (JSC::Wasm::useFastTLSForContext):
3705         * wasm/WasmExceptionType.h:
3706         * wasm/WasmMemoryInformation.h:
3707         (JSC::Wasm::PinnedRegisterInfo::toSave):
3708         * wasm/WasmThunks.cpp:
3709         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3710         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
3711         (JSC::Wasm::Thunks::stub):
3712         * wasm/WasmThunks.h:
3713         * wasm/js/JSWebAssemblyInstance.h:
3714         (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit):
3715         (JSC::JSWebAssemblyInstance::cachedStackLimit):
3716         (JSC::JSWebAssemblyInstance::setCachedStackLimit):
3717         * wasm/js/JSWebAssemblyModule.cpp:
3718         (JSC::JSWebAssemblyModule::finishCreation):
3719         * wasm/js/WebAssemblyFunction.cpp:
3720         (JSC::callWebAssemblyFunction):
3721         * wasm/js/WebAssemblyToJSCallee.cpp: Make this a descendant of object.
3722         This is needed for correctness because we may call into JS,
3723         and then the first JS frame could stack overflow. When it stack
3724         overflows, it rolls back one frame to the wasm->js call stub with
3725         the wasm->js callee. It gets the lexical global object from this
3726         frame, meaning it gets the global object from the callee. Therefore,
3727         we must make it an object since all objects have global objects.
3728         (JSC::WebAssemblyToJSCallee::create):
3729         * wasm/js/WebAssemblyToJSCallee.h:
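
An added model (not JavaScriptCore code) of the stack-check policy this entry describes: callers reserve 1024 bytes of extra slack, terminal frames of at most 1024 bytes skip their own check, and stack for potential JS call stubs is counted in. The frame shapes, stack sizes and the assumption that the JS->wasm entry performs a caller-style check are all constructed for the example:

```javascript
// Added model of the stack-check policy this ChangeLog entry describes; it is
// not JavaScriptCore code. Frame shapes, stack sizes and the entry-check
// assumption are constructed. The stack grows downward and the limit is 0.

// Policy from the entry: every frame that makes calls reserves `callerSlack`
// extra bytes in its check, so a terminal frame (one that makes no calls) of
// at most `leafThreshold` bytes may skip its own check.
const JSC_POLICY = { leafThreshold: 1024, callerSlack: 1024 };

// A frame is { size, callsWasm, jsStubBytes }: bytes it allocates, whether it
// calls other wasm functions, and the stack its potential JS call stubs need.
function isTerminal(frame) {
  return !frame.callsWasm && frame.jsStubBytes === 0;
}

function needsStackCheck(frame, policy) {
  // A leaf that fits in the caller's slack relies on the caller's check.
  return !isTerminal(frame) || frame.size > policy.leafThreshold;
}

function bytesToCheckFor(frame, policy) {
  // Callers reserve slack for a callee that skips its check, plus the stack
  // that any JS call stubs they may run will need.
  if (isTerminal(frame)) return frame.size;
  return frame.size + policy.callerSlack + frame.jsStubBytes;
}

// Run a call chain (outermost frame first) on `stackBytes` of stack. Returns
// 'ok', 'trap@<i>' when frame i's check catches the overflow, or
// 'uncaught@<i>' when frame i runs past the limit with no check (the bad case).
function simulate(chain, stackBytes, policy = JSC_POLICY) {
  // Assumption: the JS->wasm entry stub checks like a caller, so the first
  // wasm frame always starts with at least `callerSlack` bytes available.
  if (stackBytes < policy.callerSlack) return 'trap@entry';
  let sp = stackBytes;
  for (let i = 0; i < chain.length; i++) {
    const frame = chain[i];
    if (needsStackCheck(frame, policy) && sp - bytesToCheckFor(frame, policy) < 0) {
      return `trap@${i}`;
    }
    sp -= frame.size;
    // The frame itself, and any JS stub it runs, must stay above the limit.
    if (sp < 0 || sp - frame.jsStubBytes < 0) return `uncaught@${i}`;
  }
  return 'ok';
}

// Exhaustively try every call chain of up to `depth` frames built from
// `shapes` (only frames that call wasm get callees) against every stack size
// in `stacks`. The policy is sound when no chain ends 'uncaught'.
function policyIsSound(policy, shapes, stacks, depth) {
  let chains = [[]];
  for (let d = 0; d < depth; d++) {
    chains = chains
      .filter((c) => c.length === 0 || c[c.length - 1].callsWasm)
      .flatMap((c) => shapes.map((s) => [...c, s]));
    for (const chain of chains) {
      for (const stack of stacks) {
        if (simulate(chain, stack, policy).startsWith('uncaught')) return false;
      }
    }
  }
  return true;
}

// Constructed frame shapes: leaves at and just over the threshold, a large
// caller, and a caller whose JS stubs need more stack than its own frame.
const SHAPES = [
  { size: 256, callsWasm: false, jsStubBytes: 0 },
  { size: 1024, callsWasm: false, jsStubBytes: 0 },
  { size: 1025, callsWasm: false, jsStubBytes: 0 },
  { size: 4096, callsWasm: true, jsStubBytes: 0 },
  { size: 512, callsWasm: true, jsStubBytes: 2048 },
];
const STACKS = [1000, 1024, 2048, 4096, 4700, 5120, 8192];

// Dropping the caller slack while still letting 1024-byte leaves skip their
// check is the unsafe combination: a small leaf can run past the limit unseen.
const UNSAFE_POLICY = { leafThreshold: 1024, callerSlack: 0 };
```

The exhaustive search is what shows why the two numbers must match: the leaf-skip threshold is only safe while every caller's check reserves at least that much beyond its own frame.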
3730
3731 2017-05-18  Keith Miller  <keith_miller@apple.com>
3732
3733         WebAssembly API: test with neutered inputs
3734         https://bugs.webkit.org/show_bug.cgi?id=163899
3735
3736         Reviewed by JF Bastien.
3737
3738         Add tests to check that we properly throw a type error when
3739         we get a transferred ArrayBuffer. Also, we should make sure
3740         we cannot post message a wasm memory's ArrayBuffer.
3741
3742         * API/JSTypedArray.cpp:
3743         (JSObjectGetArrayBufferBytesPtr):
3744         * runtime/ArrayBuffer.cpp:
3745         (JSC::ArrayBuffer::makeShared):
3746         (JSC::ArrayBuffer::makeWasmMemory):
3747         (JSC::ArrayBuffer::transferTo):
3748         (JSC::ArrayBuffer::neuter):
3749         (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
3750         (JSC::errorMesasgeForTransfer):
3751         * runtime/ArrayBuffer.h:
3752         (JSC::ArrayBuffer::isLocked):
3753         (JSC::ArrayBuffer::isWasmMemory):
3754         * wasm/js/JSWebAssemblyMemory.cpp:
3755         (JSC::JSWebAssemblyMemory::buffer):
3756         (JSC::JSWebAssemblyMemory::grow):
3757
3758 2017-05-18  Joseph Pecoraro  <pecoraro@apple.com>
3759
3760         Remote Inspector: Be stricter about checking message types
3761         https://bugs.webkit.org/show_bug.cgi?id=172259
3762         <rdar://problem/32264839>
3763
3764         Reviewed by Brian Burg.
3765
3766         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3767         (Inspector::RemoteInspector::receivedSetupMessage):
3768         (Inspector::RemoteInspector::receivedDataMessage):
3769         (Inspector::RemoteInspector::receivedDidCloseMessage):
3770         (Inspector::RemoteInspector::receivedIndicateMessage):
3771         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
3772         (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
3773         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
3774         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
3775         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
3776         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
3777         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3778         (Inspector::RemoteInspectorXPCConnection::sendMessage):
3779         Bail if we don't receive the expected types for message data.
3780
3781 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
3782
3783         DFG inlining should be hardened for the no-result case
3784         https://bugs.webkit.org/show_bug.cgi?id=172290
3785
3786         Reviewed by Saam Barati.
3787         
3788         Previously, if we were inlining a setter call, we might have a bad time because the setter's
3789         result register is the invalid VirtualRegister(), and much of the intrinsic handling code
3790         assumes that the result register is valid.
3791         
3792         This doesn't usually cause problems because people don't usually point a setter at something
3793         that we recognize as an intrinsic.
3794         
3795         * CMakeLists.txt:
3796         * JavaScriptCore.xcodeproj/project.pbxproj:
3797         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: Fix a comment.
3798         * dfg/DFGByteCodeParser.cpp: Make RELEASE_ASSERT give accurate stacks. I was getting an absurd stack from the assert I added in DelayedSetLocal.
3799         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): Assert so we catch the problem sooner.
3800         (JSC::DFG::ByteCodeParser::handleIntrinsicCall): Fix the bug.
3801         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): Fix the bug if constant internal functions were setter-inlineable (they ain't, because the bytecode parser doesn't fold GetSetter).
3802         * runtime/Intrinsic.cpp: Added. I needed this to debug.
3803         (JSC::intrinsicName):
3804         (WTF::printInternal):
3805         * runtime/Intrinsic.h:
3806
3807 2017-05-18  Commit Queue  <commit-queue@webkit.org>
3808
3809         Unreviewed, rolling out r217031, r217032, and r217037.
3810         https://bugs.webkit.org/show_bug.cgi?id=172293
3811
3812         cause linking errors in Windows (Requested by yusukesuzuki on
3813         #webkit).
3814
3815         Reverted changesets:
3816
3817         "[JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass"
3818         https://bugs.webkit.org/show_bug.cgi?id=172098
3819         http://trac.webkit.org/changeset/217031
3820
3821         "Unreviewed, rebaseline for newly added ClassInfo"
3822         https://bugs.webkit.org/show_bug.cgi?id=172098
3823         http://trac.webkit.org/changeset/217032
3824
3825         "Unreviewed, fix debug and non-JIT build"
3826         https://bugs.webkit.org/show_bug.cgi?id=172098
3827         http://trac.webkit.org/changeset/217037
3828
3829 2017-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3830
3831         Unreviewed, fix debug and non-JIT build
3832         https://bugs.webkit.org/show_bug.cgi?id=172098
3833
3834         * jsc.cpp:
3835         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
3836
3837 2017-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3838
3839         Unreviewed, rebaseline for newly added ClassInfo
3840         https://bugs.webkit.org/show_bug.cgi?id=172098
3841
3842         * wasm/js/WebAssemblyFunctionBase.cpp:
3843
3844 2017-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3845
3846         [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
3847         https://bugs.webkit.org/show_bug.cgi?id=172098
3848
3849         Reviewed by Saam Barati.
3850
3851         In this patch, we generalize CheckDOM to CheckSubClass.
3852         It can accept any ClassInfo and perform ClassInfo check
3853         in DFG / FTL. Now, we add a new function pointer to ClassInfo,
3854         checkSubClassPatchpoint. It can create DOMJIT patchpoint
3855         for that ClassInfo. It is natural that ClassInfo holds the
3856         way to emit DOMJIT::Patchpoint to perform CheckSubClass
3857         rather than having it in each DOMJIT getter / function
3858         signature annotation.
3859
3860         One problem is that it enlarges the size of ClassInfo.
3861         But this is the best place to put this function pointer.
3862         By doing so, we can add a patchpoint for CheckSubClass
3863         in a non-intrusive manner: WebCore can inject patchpoints
3864         without interactive JSC.
3865
3866         We still have a way to reduce the size of ClassInfo if
3867         we move ArrayBuffer related methods out to the other places.
3868
3869         This patch touches many files because we add a new function
3870         pointer to ClassInfo. But they are basically mechanical changes.
3871
3872         * API/JSAPIWrapperObject.mm:
3873         * API/JSCallbackConstructor.cpp:
3874         * API/JSCallbackFunction.cpp:
3875         * API/JSCallbackObject.cpp:
3876         * API/ObjCCallbackFunction.mm:
3877         * CMakeLists.txt:
3878         * JavaScriptCore.xcodeproj/project.pbxproj:
3879         * bytecode/CodeBlock.cpp:
3880         * bytecode/DOMJITAccessCasePatchpointParams.h:
3881         (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
3882         * bytecode/EvalCodeBlock.cpp:
3883         * bytecode/FunctionCodeBlock.cpp:
3884         * bytecode/GetterSetterAccessCase.cpp:
3885         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3886         * bytecode/ModuleProgramCodeBlock.cpp:
3887         * bytecode/ProgramCodeBlock.cpp:
3888         * bytecode/UnlinkedCodeBlock.cpp:
3889         * bytecode/UnlinkedEvalCodeBlock.cpp:
3890         * bytecode/UnlinkedFunctionCodeBlock.cpp:
3891         * bytecode/UnlinkedFunctionExecutable.cpp:
3892         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
3893         * bytecode/UnlinkedProgramCodeBlock.cpp:
3894         * debugger/DebuggerScope.cpp:
3895         * dfg/DFGAbstractInterpreterInlines.h:
3896         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3897         * dfg/DFGByteCodeParser.cpp:
3898         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3899         * dfg/DFGClobberize.h:
3900         (JSC::DFG::clobberize):
3901         * dfg/DFGConstantFoldingPhase.cpp:
3902         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3903         * dfg/DFGDOMJITPatchpointParams.h:
3904         (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
3905         * dfg/DFGDoesGC.cpp:
3906         (JSC::DFG::doesGC):
3907         * dfg/DFGFixupPhase.cpp:
3908         (JSC::DFG::FixupPhase::fixupNode):
3909         (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
3910         (JSC::DFG::FixupPhase::fixupCheckSubClass):
3911         (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
3912         * dfg/DFGGraph.cpp:
3913         (JSC::DFG::Graph::dump):
3914         * dfg/DFGNode.h:
3915         (JSC::DFG::Node::hasClassInfo):
3916         (JSC::DFG::Node::classInfo):
3917         (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
3918         (JSC::DFG::Node::checkDOMPatchpoint): Deleted.
3919         * dfg/DFGNodeType.h:
3920         * dfg/DFGPredictionPropagationPhase.cpp:
3921         * dfg/DFGSafeToExecute.h:
3922         (JSC::DFG::safeToExecute):
3923         * dfg/DFGSpeculativeJIT.cpp:
3924         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
3925         (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
3926         * dfg/DFGSpeculativeJIT.h:
3927         (JSC::DFG::SpeculativeJIT::vm):
3928         * dfg/DFGSpeculativeJIT32_64.cpp:
3929         (JSC::DFG::SpeculativeJIT::compile):
3930         In DFG, we rename CheckDOM to CheckSubClass. It just holds ClassInfo.
3931         And ClassInfo knows how to perform CheckSubClass efficiently.
3932         If ClassInfo does not have a way to perform CheckSubClass efficiently,
3933         we just perform jsDynamicCast thing in ASM.
3934         * dfg/DFGSpeculativeJIT64.cpp:
3935         (JSC::DFG::SpeculativeJIT::compile):
3936         * domjit/DOMJITGetterSetter.h:
3937         * domjit/DOMJITPatchpointParams.h:
3938         (JSC::DOMJIT::PatchpointParams::PatchpointParams):
3939         (JSC::DOMJIT::PatchpointParams::vm):
3940         * domjit/DOMJITSignature.h:
3941         (JSC::DOMJIT::Signature::Signature):
3942         (JSC::DOMJIT::Signature::checkDOM): Deleted.
3943         * ftl/FTLAbstractHeapRepository.h:
3944         * ftl/FTLCapabilities.cpp:
3945         (JSC::FTL::canCompile):
3946         * ftl/FTLDOMJITPatchpointParams.h:
3947         (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
3948         * ftl/FTLLowerDFGToB3.cpp:
3949         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3950         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3951         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
3952         * inspector/JSInjectedScriptHost.cpp:
3953         * inspector/JSInjectedScriptHostPrototype.cpp:
3954         * inspector/JSJavaScriptCallFrame.cpp:
3955         * inspector/JSJavaScriptCallFramePrototype.cpp:
3956         * jsc.cpp:
3957         (WTF::DOMJITNode::checkSubClassPatchpoint):
3958         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
3959         (WTF::DOMJITFunctionObject::finishCreation):
3960         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
3961         (WTF::DOMJITCheckSubClassObject::createStructure):
3962         (WTF::DOMJITCheckSubClassObject::create):
3963         (WTF::DOMJITCheckSubClassObject::safeFunction):
3964         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
3965         (WTF::DOMJITCheckSubClassObject::finishCreation):
3966         (GlobalObject::finishCreation):
3967         (functionCreateDOMJITCheckSubClassObject):
3968         (WTF::DOMJITNode::checkDOMJITNode): Deleted.
3969         (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
3970         * runtime/AbstractModuleRecord.cpp:
3971         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
3972         * runtime/ArrayConstructor.cpp:
3973         * runtime/ArrayIteratorPrototype.cpp:
3974         * runtime/ArrayPrototype.cpp:
3975         * runtime/AsyncFunctionConstructor.cpp:
3976         * runtime/AsyncFunctionPrototype.cpp:
3977         * runtime/AtomicsObject.cpp:
3978         * runtime/BooleanConstructor.cpp:
3979         * runtime/BooleanObject.cpp:
3980         * runtime/BooleanPrototype.cpp:
3981         * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
3982         (JSC::ClassInfo::dump):
3983         * runtime/ClassInfo.h:
3984         (JSC::ClassInfo::offsetOfParentClass):
3985         * runtime/ClonedArguments.cpp:
3986         * runtime/ConsoleObject.cpp:
3987         * runtime/CustomGetterSetter.cpp:
3988         * runtime/DateConstructor.cpp:
3989         * runtime/DateInstance.cpp:
3990         * runtime/DatePrototype.cpp:
3991         * runtime/DirectArguments.cpp:
3992         * runtime/Error.cpp:
3993         * runtime/ErrorConstructor.cpp:
3994         * runtime/ErrorInstance.cpp:
3995         * runtime/ErrorPrototype.cpp:
3996         * runtime/EvalExecutable.cpp:
3997         * runtime/Exception.cpp:
3998         * runtime/ExceptionHelpers.cpp:
3999         * runtime/ExecutableBase.cpp:
4000         * runtime/FunctionConstructor.cpp:
4001         * runtime/FunctionExecutable.cpp:
4002         * runtime/FunctionPrototype.cpp:
4003         * runtime/FunctionRareData.cpp:
4004         * runtime/GeneratorFunctionConstructor.cpp:
4005         * runtime/GeneratorFunctionPrototype.cpp:
4006         * runtime/GeneratorPrototype.cpp:
4007         * runtime/GetterSetter.cpp:
4008         * runtime/HashMapImpl.cpp:
4009         * runtime/HashMapImpl.h:
4010         * runtime/InferredType.cpp:
4011         (JSC::InferredType::create):
4012         * runtime/InferredTypeTable.cpp:
4013         * runtime/InferredValue.cpp:
4014         * runtime/InspectorInstrumentationObject.cpp:
4015         * runtime/InternalFunction.cpp:
4016         * runtime/IntlCollator.cpp:
4017         * runtime/IntlCollatorConstructor.cpp:
4018         * runtime/IntlCollatorPrototype.cpp:
4019         * runtime/IntlDateTimeFormat.cpp:
4020         * runtime/IntlDateTimeFormatConstructor.cpp:
4021         * runtime/IntlDateTimeFormatPrototype.cpp:
4022         * runtime/IntlNumberFormat.cpp:
4023         * runtime/IntlNumberFormatConstructor.cpp:
4024         * runtime/IntlNumberFormatPrototype.cpp:
4025         * runtime/IntlObject.cpp:
4026         * runtime/IteratorPrototype.cpp:
4027         * runtime/JSAPIValueWrapper.cpp:
4028         * runtime/JSArray.cpp:
4029         * runtime/JSArrayBuffer.cpp:
4030         * runtime/JSArrayBufferConstructor.cpp:
4031         * runtime/JSArrayBufferPrototype.cpp:
4032         * runtime/JSArrayBufferView.cpp:
4033         * runtime/JSAsyncFunction.cpp:
4034         * runtime/JSBoundFunction.cpp:
4035         * runtime/JSCallee.cpp:
4036         * runtime/JSCustomGetterSetterFunction.cpp:
4037         * runtime/JSDataView.cpp:
4038         * runtime/JSDataViewPrototype.cpp:
4039         * runtime/JSEnvironmentRecord.cpp: