abd19f68861d521c2a96ba5a0487c04f55d25256
[WebKit.git] / Source / JavaScriptCore / ChangeLog
1 2017-07-31  Mark Lam  <mark.lam@apple.com>
2
3         Added some UNLIKELYs to operationOptimize().
4         https://bugs.webkit.org/show_bug.cgi?id=174976
5
6         Reviewed by JF Bastien.
7
8         * jit/JITOperations.cpp:
9
10 2017-07-31  Keith Miller  <keith_miller@apple.com>
11
12         Make more things LLInt constexprs
13         https://bugs.webkit.org/show_bug.cgi?id=174994
14
15         Reviewed by Saam Barati.
16
17         This patch makes more const values in the LLInt constexprs.
18         It also deletes all of the no longer necessary static_asserts in
19         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
20
21         * interpreter/ShadowChicken.h:
22         (JSC::ShadowChicken::Packet::tailMarker):
23         * llint/LLIntData.cpp:
24         (JSC::LLInt::Data::performAssertions):
25         * llint/LowLevelInterpreter.asm:
26         * offlineasm/generate_offset_extractor.rb:
27         * offlineasm/parser.rb:
28
29 2017-07-31  Matt Lewis  <jlewis3@apple.com>
30
31         Unreviewed, rolling out r220060.
32
33         This broke our internal builds. Contact reviewer of patch for
34         more information.
35
36         Reverted changeset:
37
38         "Merge WTFThreadData to Thread::current"
39         https://bugs.webkit.org/show_bug.cgi?id=174716
40         http://trac.webkit.org/changeset/220060
41
42 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
43
44         [JSC] Support optional catch binding
45         https://bugs.webkit.org/show_bug.cgi?id=174981
46
47         Reviewed by Saam Barati.
48
49         This patch implements the optional catch binding proposal [1], which is now at stage 3.
50         This proposal adds a new `catch` brace with no error value binding.
51
52             ```
53                 try {
54                     ...
55                 } catch {
56                     ...
57                 }
58             ```
59
60         Sometimes we do not actually need the error value. For example, a function may return a
61         boolean indicating whether it succeeded.
62
63             ```
64             function parse(result) // -> bool
65             {
66                  try {
67                      parseInner(result);
68                  } catch {
69                      return false;
70                  }
71                  return true;
72             }
73             ```
74
75         In the above case, we are not interested in the actual error value. Without this syntax,
76         we always need to introduce a binding for an error value that is just ignored.
77
78         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
79
80         * bytecompiler/NodesCodegen.cpp:
81         (JSC::TryNode::emitBytecode):
82         * parser/Parser.cpp:
83         (JSC::Parser<LexerType>::parseTryStatement):
84
85 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
86
87         Merge WTFThreadData to Thread::current
88         https://bugs.webkit.org/show_bug.cgi?id=174716
89
90         Reviewed by Sam Weinig.
91
92         Use Thread::current() instead.
93
94         * API/JSContext.mm:
95         (+[JSContext currentContext]):
96         (+[JSContext currentThis]):
97         (+[JSContext currentCallee]):
98         (+[JSContext currentArguments]):
99         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
100         (-[JSContext endCallbackWithData:]):
101         * heap/Heap.cpp:
102         (JSC::Heap::requestCollection):
103         * runtime/Completion.cpp:
104         (JSC::checkSyntax):
105         (JSC::checkModuleSyntax):
106         (JSC::evaluate):
107         (JSC::loadAndEvaluateModule):
108         (JSC::loadModule):
109         (JSC::linkAndEvaluateModule):
110         (JSC::importModule):
111         * runtime/Identifier.cpp:
112         (JSC::Identifier::checkCurrentAtomicStringTable):
113         * runtime/InitializeThreading.cpp:
114         (JSC::initializeThreading):
115         * runtime/JSLock.cpp:
116         (JSC::JSLock::didAcquireLock):
117         (JSC::JSLock::willReleaseLock):
118         (JSC::JSLock::dropAllLocks):
119         (JSC::JSLock::grabAllLocks):
120         * runtime/JSLock.h:
121         * runtime/VM.cpp:
122         (JSC::VM::VM):
123         (JSC::VM::updateStackLimits):
124         (JSC::VM::committedStackByteCount):
125         * runtime/VM.h:
126         (JSC::VM::isSafeToRecurse const):
127         * runtime/VMEntryScope.cpp:
128         (JSC::VMEntryScope::VMEntryScope):
129         * runtime/VMInlines.h:
130         (JSC::VM::ensureStackCapacityFor):
131         * yarr/YarrPattern.cpp:
132         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
133
134 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
135
136         [WTF] Introduce Private Symbols
137         https://bugs.webkit.org/show_bug.cgi?id=174935
138
139         Reviewed by Darin Adler.
140
141         Use SymbolImpl::isPrivate().
142
143         * builtins/BuiltinNames.cpp:
144         * builtins/BuiltinNames.h:
145         (JSC::BuiltinNames::isPrivateName): Deleted.
146         * builtins/BuiltinUtils.h:
147         * bytecode/BytecodeIntrinsicRegistry.cpp:
148         (JSC::BytecodeIntrinsicRegistry::lookup):
149         * runtime/CommonIdentifiers.cpp:
150         (JSC::CommonIdentifiers::isPrivateName): Deleted.
151         * runtime/CommonIdentifiers.h:
152         * runtime/ExceptionHelpers.cpp:
153         (JSC::createUndefinedVariableError):
154         * runtime/Identifier.h:
155         (JSC::Identifier::isPrivateName):
156         * runtime/IdentifierInlines.h:
157         (JSC::identifierToSafePublicJSValue):
158         * runtime/ObjectConstructor.cpp:
159         (JSC::objectConstructorAssign):
160         (JSC::defineProperties):
161         (JSC::setIntegrityLevel):
162         (JSC::testIntegrityLevel):
163         (JSC::ownPropertyKeys):
164         * runtime/PrivateName.h:
165         (JSC::PrivateName::PrivateName):
166         * runtime/PropertyName.h:
167         (JSC::PropertyName::isPrivateName):
168         * runtime/ProxyObject.cpp:
169         (JSC::performProxyGet):
170         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
171         (JSC::ProxyObject::performHasProperty):
172         (JSC::ProxyObject::performPut):
173         (JSC::ProxyObject::performDelete):
174         (JSC::ProxyObject::performDefineOwnProperty):
175
176 2017-07-29  Keith Miller  <keith_miller@apple.com>
177
178         LLInt offsets extractor should be able to handle C++ constexprs
179         https://bugs.webkit.org/show_bug.cgi?id=174964
180
181         Reviewed by Saam Barati.
182
183         This patch adds new syntax to the offline asm language. The new keyword,
184         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
185         expression. Additionally, if the value is not an identifier you can wrap it in
186         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
187         which will get converted into:
188         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
189
190         This patch also changes the data format the LLIntOffsetsExtractor
191         binary produces.  Previously, it would produce unsigned values;
192         after this patch every value is an int64_t.  Using an int64_t is
193         useful because it means that we can represent any constant needed.
194         int32_t masks are sign extended, then passed to and converted into a
195         negative literal string in the assembler, so the result will be the
196         constant expected.
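
The two conversions described above, as an added example that is not part of WebKit's offlineasm (the Ruby tooling is not reproduced here). The operand grammar and the `static_cast<int64_t>(...)` wrapper follow the entry; the function names, the exact emitted text and the 32-bit mask handling are this example's assumptions.

```javascript
// Added example (not WebKit's offlineasm): models the two steps the ChangeLog
// describes for the new `constexpr` keyword.
// Step 1: `constexpr <identifier>` or `constexpr (<expression>)` is mapped to a
//         C++ expression wrapped in static_cast<int64_t>(...) for the
//         LLIntOffsetsExtractor binary.
// Step 2: the extractor now emits every value as int64_t, so a mask computed in
//         32 bits (e.g. 0xFFFFFFF0) is sign extended and written as a negative
//         literal for the assembler.

// Parse the operand after `constexpr`: a bare identifier (allowing C++ `::`),
// or a balanced parenthesised expression. Returns the C++ expression text.
function parseConstexprOperand(source) {
  const rest = source.replace(/^\s*constexpr\s+/, "");
  if (rest.length === source.length) throw new SyntaxError("expected constexpr");
  if (rest[0] === "(") {
    let depth = 0;
    for (let i = 0; i < rest.length; i++) {
      if (rest[i] === "(") depth++;
      else if (rest[i] === ")" && --depth === 0) return rest.slice(1, i);
    }
    throw new SyntaxError("unbalanced parentheses in constexpr operand");
  }
  const m = /^[A-Za-z_][A-Za-z0-9_:]*/.exec(rest);
  if (!m) throw new SyntaxError("constexpr expects an identifier or (expression)");
  return m[0];
}

// The C++ statement the offset extractor generator would emit (assumed shape,
// matching the example conversion quoted in the entry).
function emitExtractorExpression(source) {
  return `static_cast<int64_t>(${parseConstexprOperand(source)});`;
}

// Sign extend a 32-bit mask to int64 and render it the way the assembler will
// see it: a negative decimal literal for masks with the top bit set.
function int64LiteralFromInt32Mask(mask32) {
  const asInt32 = BigInt.asIntN(32, BigInt(mask32 >>> 0));
  return asInt32.toString(); // 0xFFFFFFF0 -> "-16"
}
```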
197
198         * llint/LLIntOffsetsExtractor.cpp:
199         (JSC::LLIntOffsetsExtractor::dummy):
200         * llint/LowLevelInterpreter.asm:
201         * llint/LowLevelInterpreter64.asm:
202         * offlineasm/asm.rb:
203         * offlineasm/ast.rb:
204         * offlineasm/generate_offset_extractor.rb:
205         * offlineasm/offsets.rb:
206         * offlineasm/parser.rb:
207         * offlineasm/transform.rb:
208
209 2017-07-28  Matt Baker  <mattbaker@apple.com>
210
211         Web Inspector: capture an async stack trace when web content calls addEventListener
212         https://bugs.webkit.org/show_bug.cgi?id=174739
213         <rdar://problem/33468197>
214
215         Reviewed by Brian Burg.
216
217         Allow debugger agents to perform custom logic when asynchronous stack
218         trace data is cleared. For example, the PageDebuggerAgent would clear
219         its list of registered listeners for which call stacks have been recorded.
220
221         * inspector/agents/InspectorDebuggerAgent.cpp:
222         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
223         * inspector/agents/InspectorDebuggerAgent.h:
224
225 2017-07-28  Mark Lam  <mark.lam@apple.com>
226
227         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
228         https://bugs.webkit.org/show_bug.cgi?id=174948
229         <rdar://problem/33495680>
230
231         Reviewed by Filip Pizlo.
232
233         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
234         owner StructureRareData is already known to be dead (in terms of GC liveness) but
235         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
236         requests to fire this watchpoint.
237
238         If the GC had the chance to sweep the StructureRareData, thereby destructing the
239         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
240         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
241
242         But since the watchpoint hasn't been destructed yet, it still remains on the
243         WatchpointSet and needs to guard against being fired in this state.  The fix is
244         to simply return early if its owner StructureRareData is not live.  This has the
245         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
246         not firing as we would expect.
247
248         This patch also removes some cargo cult copying of watchpoint code which
249         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
250         used.  This patch removes these unnecessary instantiations.
251
252         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
253         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
254         * runtime/StructureRareData.cpp:
255         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
256         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
257
258 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
259
260         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
261         https://bugs.webkit.org/show_bug.cgi?id=174900
262
263         Reviewed by Saam Barati.
264
265         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
266         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
267         The problem is that the transforming phase also checks these pseudo terminals.
268
269             BB1
270             1: ForceOSRExit
271             2: CreateDirectArguments
272
273             BB2
274             3: GetButterfly(@2)
275             4: ForceOSRExit
276
277         In the above case, @2 is not converted to PhantomDirectArguments, but @3 is processed, and the assertion fires.
278
279         In this patch, we do not list candidates after seeing pseudo terminals in basic blocks.
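
A toy model of the failure and the fix, added here as an example and not taken from DFGArgumentsEliminationPhase.cpp. The node ops and the two-block IR are the ones quoted in the entry; the graph representation, the `stopAtPseudoTerminal` switch and the function names are this example's own.

```javascript
// Added example (not JSC code): candidate listing and transform over the IR
// from the entry, showing why listing candidates past a pseudo terminal fires
// the assertion and why stopping at the pseudo terminal avoids it.

const PSEUDO_TERMINALS = new Set(["ForceOSRExit"]);
const CANDIDATE_OPS = new Set(["CreateDirectArguments"]);
const CANDIDATE_USERS = new Set(["GetButterfly"]);

// Constructed IR, transcribed from the entry:
//   BB1: @1 ForceOSRExit, @2 CreateDirectArguments
//   BB2: @3 GetButterfly(@2), @4 ForceOSRExit
const graph = [
  [{ id: 1, op: "ForceOSRExit" }, { id: 2, op: "CreateDirectArguments" }],
  [{ id: 3, op: "GetButterfly", child: 2 }, { id: 4, op: "ForceOSRExit" }],
];

// Candidate listing. Before the fix every CreateDirectArguments in a block was
// a candidate; after the fix the scan stops at the block's first pseudo terminal.
function listCandidates(blocks, stopAtPseudoTerminal) {
  const candidates = new Set();
  for (const block of blocks) {
    for (const node of block) {
      if (stopAtPseudoTerminal && PSEUDO_TERMINALS.has(node.op)) break;
      if (CANDIDATE_OPS.has(node.op)) candidates.add(node.id);
    }
  }
  return candidates;
}

// Transform step (unchanged by the fix): it already stops at pseudo terminals.
// Candidates are converted to Phantom nodes; a user of a candidate asserts that
// its child was converted. Returns a map id -> op after transformation.
function transform(blocks, candidates) {
  const opOf = new Map();
  for (const block of blocks) for (const node of block) opOf.set(node.id, node.op);
  for (const block of blocks) {
    for (const node of block) {
      if (PSEUDO_TERMINALS.has(node.op)) break; // nodes after this are unreachable
      if (candidates.has(node.id)) {
        opOf.set(node.id, "PhantomDirectArguments");
      } else if (CANDIDATE_USERS.has(node.op) && candidates.has(node.child)) {
        const childOp = opOf.get(node.child);
        if (!childOp.startsWith("Phantom"))
          throw new Error(`ASSERTION FAILED: candidate @${node.child} is ${childOp}`);
      }
    }
  }
  return opOf;
}

// fixed === false reproduces the bug report; fixed === true is the patched phase.
function runPhase(blocks, fixed) {
  return transform(blocks, listCandidates(blocks, fixed));
}
```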
280
281         * dfg/DFGArgumentsEliminationPhase.cpp:
282
283 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
284
285         [ES] Add support for finally to Promise
286         https://bugs.webkit.org/show_bug.cgi?id=174503
287
288         Reviewed by Yusuke Suzuki.
289
290         Add support for the `finally` method to Promise according to
291         https://bugs.webkit.org/show_bug.cgi?id=174503
292         Current spec, at stage 3:
293         https://github.com/tc39/proposal-promise-finally
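
A spec-shaped `finally` in plain JavaScript, added here as an example; it is not JSC's builtins/PromisePrototype.js. The helper names `valueThunk`, `thrower`, `getThenFinally` and `getCatchFinally` mirror the functions listed below, but their bodies follow the public proposal text and are this example's own; `promiseFinally` and `speciesConstructor` are constructed names so the engine's built-in method is left untouched.

```javascript
// Added example (not JSC code): Promise.prototype.finally as specified by
// tc39/proposal-promise-finally, written as a free function promiseFinally(p, f).

// SpeciesConstructor(promise, Promise): lets subclasses pick the constructor
// used for the intermediate promise. (IsConstructor checks are omitted here.)
function speciesConstructor(promise, defaultCtor) {
  const C = promise.constructor;
  if (C === undefined) return defaultCtor;
  const S = C[Symbol.species];
  return S === undefined || S === null ? defaultCtor : S;
}

// thenFinally: call onFinally, wait on whatever it returns, then re-yield the
// original fulfillment value. A rejection from onFinally replaces the value.
function getThenFinally(onFinally, C) {
  return function thenFinally(value) {
    const result = onFinally();
    const promise = C.resolve(result); // spec: PromiseResolve(C, result)
    const valueThunk = () => value;
    return promise.then(valueThunk);
  };
}

// catchFinally: same, but re-throw the original rejection reason afterwards.
function getCatchFinally(onFinally, C) {
  return function catchFinally(reason) {
    const result = onFinally();
    const promise = C.resolve(result);
    const thrower = () => { throw reason; };
    return promise.then(thrower);
  };
}

function promiseFinally(promise, onFinally) {
  if (promise === null || typeof promise !== "object")
    throw new TypeError("promiseFinally called on a non-object");
  const C = speciesConstructor(promise, Promise);
  let thenFinally, catchFinally;
  if (typeof onFinally !== "function") {
    // Non-callable onFinally behaves exactly like then(onFinally, onFinally).
    thenFinally = onFinally;
    catchFinally = onFinally;
  } else {
    thenFinally = getThenFinally(onFinally, C);
    catchFinally = getCatchFinally(onFinally, C);
  }
  return promise.then(thenFinally, catchFinally);
}

// Exercise the observable guarantees: value and reason pass through untouched,
// onFinally runs in both cases, and a rejected onFinally result wins over both.
async function demo() {
  const log = [];
  const v = await promiseFinally(Promise.resolve(1), () => { log.push("a"); });
  const r = await promiseFinally(Promise.reject(new Error("boom")), () => { log.push("b"); })
    .catch(e => e.message);
  const w = await promiseFinally(Promise.resolve(3), () => Promise.reject("override"))
    .catch(e => e);
  return { v, r, w, log };
}
```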
294
295         * builtins/PromisePrototype.js:
296         (finally):
297         (const.valueThunk):
298         (globalPrivate.getThenFinally):
299         (const.thrower):
300         (globalPrivate.getCatchFinally):
301         * runtime/JSPromisePrototype.cpp:
302
303 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
304
305         Unreviewed, build fix for CLoop
306         https://bugs.webkit.org/show_bug.cgi?id=171637
307
308         * domjit/DOMJITGetterSetter.h:
309
310 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
311
312         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
313         https://bugs.webkit.org/show_bug.cgi?id=171637
314
315         Reviewed by Darin Adler.
316
317         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
318         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
319
320         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
321         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
322
323         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
324         the op_get_by_id_with_this case yet.
325         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by the CheckStructure leading to the CheckSubClass.
326
327         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs
328         the ClassInfo check.
329
330         * CMakeLists.txt:
331         * JavaScriptCore.xcodeproj/project.pbxproj:
332         * bytecode/AccessCase.cpp:
333         (JSC::AccessCase::generateImpl):
334         * bytecode/GetByIdStatus.cpp:
335         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
336         * bytecode/GetByIdVariant.cpp:
337         (JSC::GetByIdVariant::GetByIdVariant):
338         (JSC::GetByIdVariant::operator=):
339         (JSC::GetByIdVariant::attemptToMerge):
340         (JSC::GetByIdVariant::dumpInContext):
341         * bytecode/GetByIdVariant.h:
342         (JSC::GetByIdVariant::customAccessorGetter):
343         (JSC::GetByIdVariant::domAttribute):
344         (JSC::GetByIdVariant::domJIT): Deleted.
345         * bytecode/GetterSetterAccessCase.cpp:
346         (JSC::GetterSetterAccessCase::create):
347         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
348         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
349         * bytecode/GetterSetterAccessCase.h:
350         (JSC::GetterSetterAccessCase::domAttribute):
351         (JSC::GetterSetterAccessCase::customAccessor):
352         (JSC::GetterSetterAccessCase::domJIT): Deleted.
353         * bytecompiler/BytecodeGenerator.cpp:
354         (JSC::BytecodeGenerator::instantiateLexicalVariables):
355         * create_hash_table:
356         * dfg/DFGAbstractInterpreterInlines.h:
357         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
358         * dfg/DFGByteCodeParser.cpp:
359         (JSC::DFG::blessCallDOMGetter):
360         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
361         (JSC::DFG::ByteCodeParser::handleGetById):
362         * dfg/DFGClobberize.h:
363         (JSC::DFG::clobberize):
364         * dfg/DFGFixupPhase.cpp:
365         (JSC::DFG::FixupPhase::fixupNode):
366         * dfg/DFGNode.h:
367         * dfg/DFGSpeculativeJIT.cpp:
368         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
369         * dfg/DFGSpeculativeJIT.h:
370         (JSC::DFG::SpeculativeJIT::callCustomGetter):
371         * domjit/DOMJITGetterSetter.h:
372         (JSC::DOMJIT::GetterSetter::GetterSetter):
373         (JSC::DOMJIT::GetterSetter::getter):
374         (JSC::DOMJIT::GetterSetter::compiler):
375         (JSC::DOMJIT::GetterSetter::resultType):
376         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
377         (JSC::DOMJIT::GetterSetter::setter): Deleted.
378         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
379         * ftl/FTLLowerDFGToB3.cpp:
380         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
381         * jit/Repatch.cpp:
382         (JSC::tryCacheGetByID):
383         * jsc.cpp:
384         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
385         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
386         (WTF::DOMJITGetter::customGetter):
387         (WTF::DOMJITGetter::finishCreation):
388         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
389         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
390         (WTF::DOMJITGetterComplex::customGetter):
391         (WTF::DOMJITGetterComplex::finishCreation):
392         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
393         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
394         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
395         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
396         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
397         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
398         * runtime/CustomGetterSetter.h:
399         (JSC::CustomGetterSetter::create):
400         (JSC::CustomGetterSetter::setter):
401         (JSC::CustomGetterSetter::CustomGetterSetter):
402         (): Deleted.
403         * runtime/DOMAnnotation.h: Added.
404         (JSC::operator==):
405         (JSC::operator!=):
406         * runtime/DOMAttributeGetterSetter.cpp: Added.
407         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
408         (JSC::isDOMAttributeGetterSetter):
409         * runtime/Error.cpp:
410         (JSC::throwDOMAttributeGetterTypeError):
411         * runtime/Error.h:
412         (JSC::throwVMDOMAttributeGetterTypeError):
413         * runtime/JSCustomGetterSetterFunction.cpp:
414         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
415         * runtime/JSObject.cpp:
416         (JSC::JSObject::putInlineSlow):
417         (JSC::JSObject::deleteProperty):
418         (JSC::JSObject::getOwnStaticPropertySlot):
419         (JSC::JSObject::reifyAllStaticProperties):
420         (JSC::JSObject::fillGetterPropertySlot):
421         (JSC::JSObject::findPropertyHashEntry): Deleted.
422         * runtime/JSObject.h:
423         (JSC::JSObject::getOwnNonIndexPropertySlot):
424         (JSC::JSObject::fillCustomGetterPropertySlot):
425         * runtime/Lookup.cpp:
426         (JSC::setUpStaticFunctionSlot):
427         * runtime/Lookup.h:
428         (JSC::HashTableValue::domJIT):
429         (JSC::getStaticPropertySlotFromTable):
430         (JSC::putEntry):
431         (JSC::lookupPut):
432         (JSC::reifyStaticProperty):
433         (JSC::reifyStaticProperties):
434         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
435         this static property table require.
436
437         * runtime/ProgramExecutable.cpp:
438         (JSC::ProgramExecutable::initializeGlobalProperties):
439         * runtime/PropertyName.h:
440         * runtime/PropertySlot.cpp:
441         (JSC::PropertySlot::customGetter):
442         (JSC::PropertySlot::customAccessorGetter):
443         * runtime/PropertySlot.h:
444         (JSC::PropertySlot::domAttribute):
445         (JSC::PropertySlot::setCustom):
446         (JSC::PropertySlot::setCacheableCustom):
447         (JSC::PropertySlot::getValue):
448         (JSC::PropertySlot::domJIT): Deleted.
449         * runtime/VM.cpp:
450         (JSC::VM::VM):
451         * runtime/VM.h:
452
453 2017-07-26  Devin Rousso  <drousso@apple.com>
454
455         Web Inspector: create protocol for recording Canvas contexts
456         https://bugs.webkit.org/show_bug.cgi?id=174481
457
458         Reviewed by Joseph Pecoraro.
459
460         * inspector/protocol/Canvas.json:
461          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
462          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
463          - Add `recordingFinished` event that is fired once a recording is finished.
464
465         * CMakeLists.txt:
466         * DerivedSources.make:
467         * inspector/protocol/Recording.json: Added.
468          - Add `Type` enum that lists the types of recordings
469          - Add `InitialState` type that contains information about the canvas context at the
470            beginning of the recording.
471          - Add `Frame` type that holds a list of actions that were recorded.
472          - Add `Recording` type as the container object of recording data.
473
474         * inspector/scripts/codegen/generate_js_backend_commands.py:
475         (JSBackendCommandsGenerator.generate_domain):
476         Create an agent for domains with no events or commands.
477
478         * inspector/InspectorValues.h:
479         Make Array `get` public so that values can be retrieved if needed.
480
481 2017-07-26  Brian Burg  <bburg@apple.com>
482
483         Remove WEB_TIMING feature flag
484         https://bugs.webkit.org/show_bug.cgi?id=174795
485
486         Reviewed by Alex Christensen.
487
488         * Configurations/FeatureDefines.xcconfig:
489
490 2017-07-26  Mark Lam  <mark.lam@apple.com>
491
492         Add the ability to change sp and pc to the ARM64 JIT probe.
493         https://bugs.webkit.org/show_bug.cgi?id=174697
494         <rdar://problem/33436965>
495
496         Reviewed by JF Bastien.
497
498         This patch implements the following:
499
500         1. The ARM64 probe now supports modifying the pc and sp.
501
502            However, lr is not preserved when modifying the pc because it is used as the
503            scratch register for the indirect jump. Hence, the probe handler function
504            may not modify both lr and pc in the same probe invocation.
505
506         2. Fix probe tests to use bitwise comparison when comparing double register
507            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
508
509         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
510            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
511            instructions which require 16 byte alignment for their memory access.
512
513         * assembler/MacroAssemblerARM64.cpp:
514         (JSC::arm64ProbeError):
515         (JSC::MacroAssembler::probe):
516         (JSC::arm64ProbeTrampoline): Deleted.
517         * assembler/testmasm.cpp:
518         (JSC::isSpecialGPR):
519         (JSC::testProbeReadsArgumentRegisters):
520         (JSC::testProbeWritesArgumentRegisters):
521         (JSC::testProbePreservesGPRS):
522         (JSC::testProbeModifiesStackPointer):
523         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
524         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
525
526 2017-07-25  JF Bastien  <jfbastien@apple.com>
527
528         WebAssembly: generate smaller binaries
529         https://bugs.webkit.org/show_bug.cgi?id=174818
530
531         Reviewed by Filip Pizlo.
532
533         This patch reduces generated code size for WebAssembly in 2 ways:
534
535         1. Use the ZR register when storing zero on ARM64.
536         2. Synthesize wasm context lazily.
537
538         This leads to a modest size reduction on both x86-64 and ARM64 for
539         large WebAssembly games, without any performance loss on WasmBench
540         and TitzerBench.
541
542         The reason this works is that these games, using Emscripten,
543         generate 100k+ tiny functions, and our JIT allocation granule
544         rounds all allocations up to 32 bytes. There are plenty of other
545         simple gains to be had, I've filed a follow-up bug at
546         webkit.org/b/174819
547
548         We should further avoid the per-function cost of tiering, which
549         represents the bulk of code generated for small functions.
550
551         * assembler/MacroAssemblerARM64.h:
552         (JSC::MacroAssemblerARM64::storeZero64):
553         * assembler/MacroAssemblerX86_64.h:
554         (JSC::MacroAssemblerX86_64::storeZero64):
555         * b3/B3LowerToAir.cpp:
556         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
557         for x86 because it constrains register reuse and codegen in a way
558         that doesn't affect ARM64 because it has a dedicated zero
559         register.
560         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
561         * wasm/WasmB3IRGenerator.cpp:
562         (JSC::Wasm::B3IRGenerator::instanceValue):
563         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
564         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
565         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
566
567 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
568
569         B3 should do LICM
570         https://bugs.webkit.org/show_bug.cgi?id=174750
571
572         Reviewed by Keith Miller and Saam Barati.
573         
574         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
575         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
576         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
577         change templatizes DFG::NaturalLoops so that we can just use it.
578         
579         The LICM phase itself is really simple. We are decently precise with our handling of everything except
580         the relationship between control dependence and side exits.
581         
582         Also added a bunch of tests.
583         
584         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
585         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
586         so it doesn't hurt to have it.
587         
588         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
589         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
590         it's good to have it because LICM is one of those core compiler phases; every compiler has it
591         eventually.
592
593         * CMakeLists.txt:
594         * JavaScriptCore.xcodeproj/project.pbxproj:
595         * b3/B3BackwardsCFG.h: Added.
596         (JSC::B3::BackwardsCFG::BackwardsCFG):
597         * b3/B3BackwardsDominators.h: Added.
598         (JSC::B3::BackwardsDominators::BackwardsDominators):
599         * b3/B3BasicBlock.cpp:
600         (JSC::B3::BasicBlock::appendNonTerminal):
601         * b3/B3Effects.h:
602         * b3/B3EnsureLoopPreHeaders.cpp: Added.
603         (JSC::B3::ensureLoopPreHeaders):
604         * b3/B3EnsureLoopPreHeaders.h: Added.
605         * b3/B3Generate.cpp:
606         (JSC::B3::generateToAir):
607         * b3/B3HoistLoopInvariantValues.cpp: Added.
608         (JSC::B3::hoistLoopInvariantValues):
609         * b3/B3HoistLoopInvariantValues.h: Added.
610         * b3/B3NaturalLoops.h: Added.
611         (JSC::B3::NaturalLoops::NaturalLoops):
612         * b3/B3Procedure.cpp:
613         (JSC::B3::Procedure::invalidateCFG):
614         (JSC::B3::Procedure::naturalLoops):
615         (JSC::B3::Procedure::backwardsCFG):
616         (JSC::B3::Procedure::backwardsDominators):
617         * b3/B3Procedure.h:
618         * b3/testb3.cpp:
619         (JSC::B3::generateLoop):
620         (JSC::B3::makeArrayForLoops):
621         (JSC::B3::generateLoopNotBackwardsDominant):
622         (JSC::B3::oneFunction):
623         (JSC::B3::noOpFunction):
624         (JSC::B3::testLICMPure):
625         (JSC::B3::testLICMPureSideExits):
626         (JSC::B3::testLICMPureWritesPinned):
627         (JSC::B3::testLICMPureWrites):
628         (JSC::B3::testLICMReadsLocalState):
629         (JSC::B3::testLICMReadsPinned):
630         (JSC::B3::testLICMReads):
631         (JSC::B3::testLICMPureNotBackwardsDominant):
632         (JSC::B3::testLICMPureFoiledByChild):
633         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
634         (JSC::B3::testLICMExitsSideways):
635         (JSC::B3::testLICMWritesLocalState):
636         (JSC::B3::testLICMWrites):
637         (JSC::B3::testLICMFence):
638         (JSC::B3::testLICMWritesPinned):
639         (JSC::B3::testLICMControlDependent):
640         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
641         (JSC::B3::testLICMControlDependentSideExits):
642         (JSC::B3::testLICMReadsPinnedWritesPinned):
643         (JSC::B3::testLICMReadsWritesDifferentHeaps):
644         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
645         (JSC::B3::testLICMDefaultCall):
646         (JSC::B3::run):
647         * dfg/DFGBasicBlock.h:
648         * dfg/DFGCFG.h:
649         * dfg/DFGNaturalLoops.cpp: Removed.
650         * dfg/DFGNaturalLoops.h:
651         (JSC::DFG::NaturalLoops::NaturalLoops):
652         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
653         (JSC::DFG::NaturalLoop::header): Deleted.
654         (JSC::DFG::NaturalLoop::size): Deleted.
655         (JSC::DFG::NaturalLoop::at): Deleted.
656         (JSC::DFG::NaturalLoop::operator[]): Deleted.
657         (JSC::DFG::NaturalLoop::contains): Deleted.
658         (JSC::DFG::NaturalLoop::index): Deleted.
659         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
660         (JSC::DFG::NaturalLoop::addBlock): Deleted.
661         (JSC::DFG::NaturalLoops::numLoops): Deleted.
662         (JSC::DFG::NaturalLoops::loop): Deleted.
663         (JSC::DFG::NaturalLoops::headerOf): Deleted.
664         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
665         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
666         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
667         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
668
669 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
670
671         GC should be fine with trading blocks between destructor and non-destructor blocks
672         https://bugs.webkit.org/show_bug.cgi?id=174811
673
674         Reviewed by Mark Lam.
675         
676         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
677         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
678         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
679         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
680         set.
681         
682         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
683         is empty if:
684         
685         A) It has no live objects and it's a non-destructor block, or
686         B) We just allocated it (so it has no destructors even if it's a destructor block), or
687         C) We just stole it from another allocator (so it also has no destructors), or
688         D) We just swept the block and ran all destructors.
689         
690         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
691         block that could be stolen.
692
693         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
694         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
695         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
696         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
697
698         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
699
700         If we tried to enable trading of blocks between allocators without making any changes to how
701         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
702         live objects in order for those bits to be candidates for trading. But if we do that, then our
703         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
704         our destructors won't run and we'll leak memory.
705
706         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
707         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
708         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
709         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
710         are (empty & ~destructible).
711
712         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
713         remove destructor-oriented special-casing of block trading.
714
715         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
716         so this change is more about clean-up than perf. But, this could reduce memory usage in some
717         pathological cases.
718
719         * heap/MarkedAllocator.cpp:
720         (JSC::MarkedAllocator::findEmptyBlockToSteal):
721         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
722         (JSC::MarkedAllocator::endMarking):
723         (JSC::MarkedAllocator::shrink):
724         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
725         * heap/MarkedAllocator.h:
726         * heap/MarkedBlock.cpp:
727         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
728         (JSC::MarkedBlock::Handle::sweep):
729         * heap/MarkedBlockInlines.h:
730         (JSC::MarkedBlock::Handle::specializedSweep):
731         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
732         (JSC::MarkedBlock::Handle::emptyMode):
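
As an added illustration (not JSC's code, and a deliberately simplified model), the following C++ simulation shows the `empty`/`destructible` split this entry describes: `Policy::InferFromEmpty` reproduces the pre-change assumption that an empty block has nothing to destruct, and `Policy::DestructibleBit` the new rule. `Block`, `endMarking`, `sweep`, `stealEmptyBlock` and `shrink` are hypothetical stand-ins for the MarkedAllocator/MarkedBlock functions listed above, and the cell counts are constructed sample values.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Hypothetical model (added here; not JSC's code). `empty` answers "does this
// block hold live objects?"; `destructible` answers "might cells here still
// need their destructors run?". A fresh block (case B) starts empty and
// non-destructible: nothing in it was ever constructed.
struct Block {
    bool hasDestructors = false;  // block belongs to a destructor Subspace
    size_t liveCells = 0;         // cells marking found live
    size_t deadCells = 0;         // cells that died and are not yet swept
    bool empty = true;
    bool destructible = false;
    size_t destructorsRun = 0;
};

// InferFromEmpty: pre-change rule ("empty means nothing to destruct").
// DestructibleBit: the rule this change introduces.
enum class Policy { InferFromEmpty, DestructibleBit };

// End of marking: a block with no live objects becomes `empty` (a trading
// candidate); every surviving destructor block is flagged `destructible`.
void endMarking(std::vector<Block>& blocks) {
    for (Block& b : blocks) {
        b.empty = (b.liveCells == 0);
        if (b.hasDestructors)
            b.destructible = true;
    }
}

// Sweep one block. The old rule skips destructors for an `empty` block, which
// leaks once `empty` is also set on dead destructor blocks. The new rule runs
// them whenever `destructible` is set, then clears the bit (case D).
void sweep(Block& b, Policy policy) {
    bool needsDestructors = (policy == Policy::InferFromEmpty) ? !b.empty : b.destructible;
    if (needsDestructors && b.hasDestructors)
        b.destructorsRun += b.deadCells;
    b.deadCells = 0;
    b.destructible = false;
}

// Case C: stealing an empty block from another allocator. Pending destructors
// run in the donor before hand-over, so the block arrives non-destructible and
// nothing later mistakes its stale bits for cells that need destruction.
Block stealEmptyBlock(std::vector<Block>& donor, size_t index, Policy policy) {
    assert(donor[index].empty);
    sweep(donor[index], policy);
    Block stolen = donor[index];
    donor.erase(donor.begin() + index);
    return stolen;
}

// Shrink: only (empty & ~destructible) blocks may be released.
size_t shrink(std::vector<Block>& blocks) {
    size_t released = 0;
    for (size_t i = 0; i < blocks.size();) {
        if (blocks[i].empty && !blocks[i].destructible) {
            blocks.erase(blocks.begin() + i);
            ++released;
        } else {
            ++i;
        }
    }
    return released;
}

// A destructor block whose objects all died: it is `empty` (so tradeable), but
// its destructors must still run. Returns how many ran under the given policy.
size_t destructorsRunForDeadBlock(Policy policy) {
    std::vector<Block> blocks(1);
    blocks[0].hasDestructors = true;
    blocks[0].deadCells = 7;  // constructed sample value
    endMarking(blocks);
    sweep(blocks[0], policy);
    return blocks[0].destructorsRun;  // 0 under InferFromEmpty, 7 under DestructibleBit
}

// Shrink must keep an empty destructor block until it has been swept.
bool shrinkWaitsForSweep() {
    std::vector<Block> blocks(1);
    blocks[0].hasDestructors = true;
    blocks[0].deadCells = 3;
    endMarking(blocks);
    if (shrink(blocks) != 0)
        return false;  // still destructible: must not be released yet
    sweep(blocks[0], Policy::DestructibleBit);
    return shrink(blocks) == 1 && blocks.empty();
}

// Trading an empty destructor block must not lose its destructors.
bool stealRunsPendingDestructors() {
    std::vector<Block> donor(1);
    donor[0].hasDestructors = true;
    donor[0].deadCells = 5;
    endMarking(donor);
    Block stolen = stealEmptyBlock(donor, 0, Policy::DestructibleBit);
    return donor.empty() && stolen.destructorsRun == 5 && stolen.empty && !stolen.destructible;
}
```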
733
734 2017-07-25  Keith Miller  <keith_miller@apple.com>
735
736         Remove Broken CompareEq constant folding phase.
737         https://bugs.webkit.org/show_bug.cgi?id=174846
738         <rdar://problem/32978808>
739
740         Reviewed by Saam Barati.
741
742         This bug happened when we would get code like the following:
743
744         a: JSConst(Undefined)
745         b: GetLocal(SomeObjectOrUndefined)
746         ...
747         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
748
749         constant folding will turn this into:
750
751         a: JSConst(Undefined)
752         b: GetLocal(SomeObjectOrUndefined)
753         ...
754         c: CompareEq(Check:ObjectOrOther:b, Other:a)
755
756         But the SpeculativeJIT/FTL lowering will fail to check b
757         properly which leads to an assertion failure in the AI.
758
759         I'll follow up with a more robust fix later. For now, I'll remove the
760         case that generates the code. Removing the code appears to be perf
761         neutral.
762
763         * dfg/DFGConstantFoldingPhase.cpp:
764         (JSC::DFG::ConstantFoldingPhase::foldConstants):
765
766 2017-07-25  Matt Baker  <mattbaker@apple.com>
767
768         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
769         https://bugs.webkit.org/show_bug.cgi?id=174738
770
771         Reviewed by Brian Burg.
772
773         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
774         stack traces. This preserves the call type in JSC, makes the range of
775         possible call types explicit, and is safer than passing ints.
776
777         * inspector/agents/InspectorDebuggerAgent.cpp:
778         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
779         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
780         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
781         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
782         * inspector/agents/InspectorDebuggerAgent.h:
783
784 2017-07-25  Mark Lam  <mark.lam@apple.com>
785
786         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
787         https://bugs.webkit.org/show_bug.cgi?id=174809
788         <rdar://problem/33504759>
789
790         Reviewed by Filip Pizlo.
791
792         1. When the probe handler function changes the sp register to point to the
793            region of stack in the middle of the ProbeContext on the stack, there is a
794            bug where the ProbeContext's register values to be restored can be overwritten
795            before they can be restored.  This is now fixed.
796
797         2. Added more robust probe tests for changing the sp register.
798
799         3. Made existing probe tests ensure that probe handlers were actually called.
800
801         4. Added some verification to testProbePreservesGPRS().
802
803         5. Changed all the probe tests to fail early on discovering an error instead of
804            batching till the end of the test.  This helps point a finger to the failing
805            issue earlier.
806
807         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
808         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
809
810         * assembler/MacroAssemblerARM.cpp:
811         * assembler/MacroAssemblerARMv7.cpp:
812         * assembler/MacroAssemblerX86Common.cpp:
813         * assembler/testmasm.cpp:
814         (JSC::testProbeReadsArgumentRegisters):
815         (JSC::testProbeWritesArgumentRegisters):
816         (JSC::testProbePreservesGPRS):
817         (JSC::testProbeModifiesStackPointer):
818         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
819         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
820         (JSC::testProbeModifiesProgramCounter):
821         (JSC::run):
822
823 2017-07-25  Brian Burg  <bburg@apple.com>
824
825         Web Automation: add support for uploading files
826         https://bugs.webkit.org/show_bug.cgi?id=174797
827         <rdar://problem/28485063>
828
829         Reviewed by Joseph Pecoraro.
830
831         * inspector/scripts/generate-inspector-protocol-bindings.py:
832         (generate_from_specification):
833         Start generating frontend dispatcher code if the target framework is 'WebKit'.
834
835         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
836         (CppFrontendDispatcherImplementationGenerator.generate_output):
837         Use a framework include for InspectorFrontendRouter.h since this generated code
838         will be compiled outside of WebCore.framework.
839
840         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
841         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
842         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
843         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
844         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
845         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
846         * inspector/scripts/tests/generic/expected/enum-values.json-result:
847         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
848         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
849         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
850         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
851         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
852         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
853         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
854         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
855         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
856         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
857         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
858         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
859         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
860         Rebaseline code generator tests.
861
862 2017-07-24  Mark Lam  <mark.lam@apple.com>
863
864         Gardening: fixed C Loop build after r219790.
865         https://bugs.webkit.org/show_bug.cgi?id=174696
866
867         Not reviewed.
868
869         * assembler/testmasm.cpp:
870
871 2017-07-23  Mark Lam  <mark.lam@apple.com>
872
873         Create regression tests for the JIT probe.
874         https://bugs.webkit.org/show_bug.cgi?id=174696
875         <rdar://problem/33436922>
876
877         Reviewed by Saam Barati.
878
879         The new testmasm will test the following:
880         1. the probe is able to read the value of CPU registers.
881         2. the probe is able to write the value of CPU registers.
882         3. the probe is able to preserve all CPU registers.
883         4. special case of (2): the probe is able to change the value of the stack pointer.
884         5. special case of (2): the probe is able to change the value of the program counter
885            i.e. the probe can change where the code continues executing upon returning from
886            the probe.
887
888         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
889         because it does not support changing the sp and pc yet.  The ARM64 probe
890         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
891         later.
892
893         * Configurations/ToolExecutable.xcconfig:
894         * JavaScriptCore.xcodeproj/project.pbxproj:
895         * assembler/MacroAssembler.h:
896         (JSC::MacroAssembler::CPUState::pc):
897         (JSC::MacroAssembler::CPUState::fp):
898         (JSC::MacroAssembler::CPUState::sp):
899         (JSC::ProbeContext::pc):
900         (JSC::ProbeContext::fp):
901         (JSC::ProbeContext::sp):
902         * assembler/MacroAssemblerARM64.cpp:
903         (JSC::arm64ProbeTrampoline):
904         * assembler/MacroAssemblerPrinter.cpp:
905         (JSC::Printer::printPCRegister):
906         * assembler/testmasm.cpp: Added.
907         (hiddenTruthBecauseNoReturnIsStupid):
908         (usage):
909         (JSC::nextID):
910         (JSC::isPC):
911         (JSC::isSP):
912         (JSC::isFP):
913         (JSC::compile):
914         (JSC::invoke):
915         (JSC::compileAndRun):
916         (JSC::testSimple):
917         (JSC::testProbeReadsArgumentRegisters):
918         (JSC::testProbeWritesArgumentRegisters):
919         (JSC::testFunctionToTrashRegisters):
920         (JSC::testProbePreservesGPRS):
921         (JSC::testProbeModifiesStackPointer):
922         (JSC::testProbeModifiesProgramCounter):
923         (JSC::run):
924         (run):
925         (main):
926         * b3/air/testair.cpp:
927         (usage):
928         * shell/CMakeLists.txt:
929
930 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
931
932         It should be easy to decide how WebKit yields
933         https://bugs.webkit.org/show_bug.cgi?id=174298
934
935         Reviewed by Saam Barati.
936
937         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
938
939         * heap/Heap.cpp:
940         (JSC::Heap::resumeThePeriphery):
941         * heap/VisitingTimeout.h:
942         * runtime/JSCell.cpp:
943         (JSC::JSCell::lockSlow):
944         (JSC::JSCell::unlockSlow):
945         * runtime/JSCell.h:
946         * runtime/JSCellInlines.h:
947         (JSC::JSCell::lock):
948         (JSC::JSCell::unlock):
949         * runtime/JSLock.cpp:
950         (JSC::JSLock::grabAllLocks):
951         * runtime/SamplingProfiler.cpp:
952
953 2017-07-21  Mark Lam  <mark.lam@apple.com>
954
955         Refactor MASM probe CPUState to use arrays for register storage.
956         https://bugs.webkit.org/show_bug.cgi?id=174694
957
958         Reviewed by Keith Miller.
959
960         Using arrays for register storage in CPUState allows us to do away with the
961         huge switch statements to decode each register id.  We can now simply index into
962         the arrays.
963
964         With this patch, we now:
965
966         1. Remove the need for macros for defining the list of CPU registers.
967            We can go back to simple enums.  This makes the code easier to read.
968
969         2. Make the assembler the authority on register names.
970            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
971            GPRInfo and FPRInfo now forward to the assembler.
972
973         3. Make the assembler the authority on the number of registers of each type.
974
975         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
976            This is inconsistent with how every other CPU architecture implements
977            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
978            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
979
980         * assembler/ARM64Assembler.h:
981         (JSC::ARM64Assembler::numberOfRegisters):
982         (JSC::ARM64Assembler::firstSPRegister):
983         (JSC::ARM64Assembler::lastSPRegister):
984         (JSC::ARM64Assembler::numberOfSPRegisters):
985         (JSC::ARM64Assembler::numberOfFPRegisters):
986         (JSC::ARM64Assembler::gprName):
987         (JSC::ARM64Assembler::sprName):
988         (JSC::ARM64Assembler::fprName):
989         * assembler/ARMAssembler.h:
990         (JSC::ARMAssembler::numberOfRegisters):
991         (JSC::ARMAssembler::firstSPRegister):
992         (JSC::ARMAssembler::lastSPRegister):
993         (JSC::ARMAssembler::numberOfSPRegisters):
994         (JSC::ARMAssembler::numberOfFPRegisters):
995         (JSC::ARMAssembler::gprName):
996         (JSC::ARMAssembler::sprName):
997         (JSC::ARMAssembler::fprName):
998         * assembler/ARMv7Assembler.h:
999         (JSC::ARMv7Assembler::lastRegister):
1000         (JSC::ARMv7Assembler::numberOfRegisters):
1001         (JSC::ARMv7Assembler::firstSPRegister):
1002         (JSC::ARMv7Assembler::lastSPRegister):
1003         (JSC::ARMv7Assembler::numberOfSPRegisters):
1004         (JSC::ARMv7Assembler::numberOfFPRegisters):
1005         (JSC::ARMv7Assembler::gprName):
1006         (JSC::ARMv7Assembler::sprName):
1007         (JSC::ARMv7Assembler::fprName):
1008         * assembler/AbstractMacroAssembler.h:
1009         (JSC::AbstractMacroAssembler::numberOfRegisters):
1010         (JSC::AbstractMacroAssembler::gprName):
1011         (JSC::AbstractMacroAssembler::firstSPRegister):
1012         (JSC::AbstractMacroAssembler::lastSPRegister):
1013         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
1014         (JSC::AbstractMacroAssembler::sprName):
1015         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
1016         (JSC::AbstractMacroAssembler::fprName):
1017         * assembler/MIPSAssembler.h:
1018         (JSC::MIPSAssembler::numberOfRegisters):
1019         (JSC::MIPSAssembler::firstSPRegister):
1020         (JSC::MIPSAssembler::lastSPRegister):
1021         (JSC::MIPSAssembler::numberOfSPRegisters):
1022         (JSC::MIPSAssembler::numberOfFPRegisters):
1023         (JSC::MIPSAssembler::gprName):
1024         (JSC::MIPSAssembler::sprName):
1025         (JSC::MIPSAssembler::fprName):
1026         * assembler/MacroAssembler.h:
1027         (JSC::MacroAssembler::CPUState::gprName):
1028         (JSC::MacroAssembler::CPUState::sprName):
1029         (JSC::MacroAssembler::CPUState::fprName):
1030         (JSC::MacroAssembler::CPUState::gpr):
1031         (JSC::MacroAssembler::CPUState::spr):
1032         (JSC::MacroAssembler::CPUState::fpr):
1033         (JSC::MacroAssembler::CPUState::pc):
1034         (JSC::MacroAssembler::CPUState::fp):
1035         (JSC::MacroAssembler::CPUState::sp):
1036         (JSC::ProbeContext::gpr):
1037         (JSC::ProbeContext::spr):
1038         (JSC::ProbeContext::fpr):
1039         (JSC::ProbeContext::gprName):
1040         (JSC::ProbeContext::sprName):
1041         (JSC::ProbeContext::fprName):
1042         (JSC::MacroAssembler::numberOfRegisters): Deleted.
1043         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
1044         * assembler/MacroAssemblerARM.cpp:
1045         * assembler/MacroAssemblerARM64.cpp:
1046         (JSC::arm64ProbeTrampoline):
1047         * assembler/MacroAssemblerARMv7.cpp:
1048         * assembler/MacroAssemblerPrinter.cpp:
1049         (JSC::Printer::nextID):
1050         (JSC::Printer::printAllRegisters):
1051         (JSC::Printer::printPCRegister):
1052         (JSC::Printer::printRegisterID):
1053         (JSC::Printer::printAddress):
1054         * assembler/MacroAssemblerX86Common.cpp:
1055         * assembler/X86Assembler.h:
1056         (JSC::X86Assembler::numberOfRegisters):
1057         (JSC::X86Assembler::firstSPRegister):
1058         (JSC::X86Assembler::lastSPRegister):
1059         (JSC::X86Assembler::numberOfSPRegisters):
1060         (JSC::X86Assembler::numberOfFPRegisters):
1061         (JSC::X86Assembler::gprName):
1062         (JSC::X86Assembler::sprName):
1063         (JSC::X86Assembler::fprName):
1064         * jit/FPRInfo.h:
1065         (JSC::FPRInfo::debugName):
1066         * jit/GPRInfo.h:
1067         (JSC::GPRInfo::debugName):
1068         * jit/RegisterSet.cpp:
1069         (JSC::RegisterSet::reservedHardwareRegisters):
1070
1071 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1072
1073         [JSC] Introduce static symbols
1074         https://bugs.webkit.org/show_bug.cgi?id=158863
1075
1076         Reviewed by Darin Adler.
1077
1078         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
1079         As a result, we can share the same Symbol values between VMs and threads.
1080         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
1081
1082         * CMakeLists.txt:
1083         * JavaScriptCore.xcodeproj/project.pbxproj:
1084         * builtins/BuiltinNames.cpp: Added.
1085         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
1086
1087         * builtins/BuiltinNames.h:
1088         (JSC::BuiltinNames::BuiltinNames):
1089         * builtins/BuiltinUtils.h:
1090
1091 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1092
1093         [FTL] Arguments elimination is suppressed by unreachable blocks
1094         https://bugs.webkit.org/show_bug.cgi?id=174352
1095
1096         Reviewed by Filip Pizlo.
1097
1098         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
1099         The problem is that the arguments elimination phase checks escaping even when ForceOSRExit precedes.
1100         Since GetById without information can escape arguments if it is specified, non-executed code including
1101         op_get_by_id with arguments can escape arguments.
1102
1103         For example,
1104
1105             function test(flag)
1106             {
1107                 if (flag) {
1108                     // This is not executed, but emits GetById with arguments.
1109                     // It prevents us from eliminating materialization.
1110                     return arguments.length;
1111                 }
1112                 return arguments.length;
1113             }
1114             noInline(test);
1115             while (true)
1116                 test(false);
1117
1118         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
1119         So this GetById exists and escapes arguments.
1120
1121         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
1122         If it is shown, the following GetById does not escape arguments. Compared to performing AI, it is
1123         lightweight. But it catches many of the typical cases where we failed to perform arguments elimination.
1124
1125         * dfg/DFGArgumentsEliminationPhase.cpp:
1126         * dfg/DFGNode.h:
1127         (JSC::DFG::Node::isPseudoTerminal):
1128         * dfg/DFGValidate.cpp:
1129
1130 2017-07-20  Chris Dumez  <cdumez@apple.com>
1131
1132         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
1133         https://bugs.webkit.org/show_bug.cgi?id=174660
1134
1135         Reviewed by Geoffrey Garen.
1136
1137         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
1138         This essentially replaces a branch to figure out if the new size is less or greater than the
1139         current size by an assertion.
1140
1141         * b3/B3BasicBlockUtils.h:
1142         (JSC::B3::clearPredecessors):
1143         * b3/B3InferSwitches.cpp:
1144         * b3/B3LowerToAir.cpp:
1145         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
1146         * b3/B3ReduceStrength.cpp:
1147         * b3/B3SparseCollection.h:
1148         (JSC::B3::SparseCollection::packIndices):
1149         * b3/B3UseCounts.cpp:
1150         (JSC::B3::UseCounts::UseCounts):
1151         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
1152         * b3/air/AirEmitShuffle.cpp:
1153         (JSC::B3::Air::emitShuffle):
1154         * b3/air/AirLowerAfterRegAlloc.cpp:
1155         (JSC::B3::Air::lowerAfterRegAlloc):
1156         * b3/air/AirOptimizeBlockOrder.cpp:
1157         (JSC::B3::Air::optimizeBlockOrder):
1158         * bytecode/Operands.h:
1159         (JSC::Operands::ensureLocals):
1160         * bytecode/PreciseJumpTargets.cpp:
1161         (JSC::computePreciseJumpTargetsInternal):
1162         * dfg/DFGBlockInsertionSet.cpp:
1163         (JSC::DFG::BlockInsertionSet::execute):
1164         * dfg/DFGBlockMapInlines.h:
1165         (JSC::DFG::BlockMap<T>::BlockMap):
1166         * dfg/DFGByteCodeParser.cpp:
1167         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
1168         (JSC::DFG::ByteCodeParser::clearCaches):
1169         * dfg/DFGDisassembler.cpp:
1170         (JSC::DFG::Disassembler::Disassembler):
1171         * dfg/DFGFlowIndexing.cpp:
1172         (JSC::DFG::FlowIndexing::recompute):
1173         * dfg/DFGGraph.cpp:
1174         (JSC::DFG::Graph::registerFrozenValues):
1175         * dfg/DFGInPlaceAbstractState.cpp:
1176         (JSC::DFG::setLiveValues):
1177         * dfg/DFGLICMPhase.cpp:
1178         (JSC::DFG::LICMPhase::run):
1179         * dfg/DFGLivenessAnalysisPhase.cpp:
1180         * dfg/DFGNaturalLoops.cpp:
1181         (JSC::DFG::NaturalLoops::NaturalLoops):
1182         * dfg/DFGStoreBarrierClusteringPhase.cpp:
1183         * ftl/FTLLowerDFGToB3.cpp:
1184         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1185         * heap/CodeBlockSet.cpp:
1186         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1187         * heap/MarkedSpace.cpp:
1188         (JSC::MarkedSpace::sweepLargeAllocations):
1189         * inspector/ContentSearchUtilities.cpp:
1190         (Inspector::ContentSearchUtilities::findMagicComment):
1191         * interpreter/ShadowChicken.cpp:
1192         (JSC::ShadowChicken::update):
1193         * parser/ASTBuilder.h:
1194         (JSC::ASTBuilder::shrinkOperandStackBy):
1195         * parser/Lexer.h:
1196         (JSC::Lexer::setOffset):
1197         * runtime/RegExpInlines.h:
1198         (JSC::RegExp::matchInline):
1199         * runtime/RegExpPrototype.cpp:
1200         (JSC::genericSplit):
1201         * yarr/RegularExpression.cpp:
1202         (JSC::Yarr::RegularExpression::match):
1203
1204 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1205
1206         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
1207         https://bugs.webkit.org/show_bug.cgi?id=174678
1208
1209         Reviewed by Mark Lam.
1210
1211         Use Thread& instead.
1212
1213         * runtime/JSLock.cpp:
1214         (JSC::JSLock::didAcquireLock):
1215
1216 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1217
1218         [WTF] Implement WTF::ThreadGroup
1219         https://bugs.webkit.org/show_bug.cgi?id=174081
1220
1221         Reviewed by Mark Lam.
1222
1223         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
1224         And SamplingProfiler and others interact with WTF::Thread directly.
1225
1226         * API/tests/ExecutionTimeLimitTest.cpp:
1227         * heap/MachineStackMarker.cpp:
1228         (JSC::MachineThreads::MachineThreads):
1229         (JSC::captureStack):
1230         (JSC::MachineThreads::tryCopyOtherThreadStack):
1231         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1232         (JSC::MachineThreads::gatherConservativeRoots):
1233         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
1234         (JSC::ActiveMachineThreadsManager::add): Deleted.
1235         (JSC::ActiveMachineThreadsManager::remove): Deleted.
1236         (JSC::ActiveMachineThreadsManager::contains): Deleted.
1237         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
1238         (JSC::activeMachineThreadsManager): Deleted.
1239         (JSC::MachineThreads::~MachineThreads): Deleted.
1240         (JSC::MachineThreads::addCurrentThread): Deleted.
1241         (): Deleted.
1242         (JSC::MachineThreads::removeThread): Deleted.
1243         (JSC::MachineThreads::removeThreadIfFound): Deleted.
1244         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
1245         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
1246         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
1247         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
1248         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
1249         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
1250         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
1251         * heap/MachineStackMarker.h:
1252         (JSC::MachineThreads::addCurrentThread):
1253         (JSC::MachineThreads::getLock):
1254         (JSC::MachineThreads::threads):
1255         (JSC::MachineThreads::MachineThread::suspend): Deleted.
1256         (JSC::MachineThreads::MachineThread::resume): Deleted.
1257         (JSC::MachineThreads::MachineThread::threadID): Deleted.
1258         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
1259         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
1260         (JSC::MachineThreads::threadsListHead): Deleted.
1261         * runtime/SamplingProfiler.cpp:
1262         (JSC::FrameWalker::isValidFramePointer):
1263         (JSC::SamplingProfiler::SamplingProfiler):
1264         (JSC::SamplingProfiler::takeSample):
1265         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1266         * runtime/SamplingProfiler.h:
1267         * wasm/WasmMachineThreads.cpp:
1268         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1269
1270 2017-07-18  Andy Estes  <aestes@apple.com>
1271
1272         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
1273         https://bugs.webkit.org/show_bug.cgi?id=174631
1274
1275         Reviewed by Tim Horton.
1276
1277         * Configurations/Base.xcconfig:
1278         * b3/B3FoldPathConstants.cpp:
1279         * b3/B3LowerMacros.cpp:
1280         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1281         * dfg/DFGByteCodeParser.cpp:
1282         (JSC::DFG::ByteCodeParser::check):
1283         (JSC::DFG::ByteCodeParser::planLoad):
1284
1285 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1286
1287         WTF::Thread should have the thread's stack bounds.
1288         https://bugs.webkit.org/show_bug.cgi?id=173975
1289
1290         Reviewed by Mark Lam.
1291
1292         There is a site in JSC that tries to walk another thread's stack.
1293         Currently, stack bounds are stored in WTFThreadData which is located
1294         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1295         We work around this situation by holding StackBounds in MachineThread in JSC,
1296         but StackBounds should be put in WTF::Thread instead.
1297
1298         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
1299         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
1300
1301         * heap/MachineStackMarker.cpp:
1302         (JSC::MachineThreads::MachineThread::MachineThread):
1303         (JSC::MachineThreads::MachineThread::captureStack):
1304         * heap/MachineStackMarker.h:
1305         (JSC::MachineThreads::MachineThread::stackBase):
1306         (JSC::MachineThreads::MachineThread::stackEnd):
1307         * runtime/VMTraps.cpp:
1308
1309 2017-07-18  Andy Estes  <aestes@apple.com>
1310
1311         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
1312         https://bugs.webkit.org/show_bug.cgi?id=174631
1313
1314         Reviewed by Sam Weinig.
1315
1316         * Configurations/Base.xcconfig:
1317
1318 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
1319
1320         Web Inspector: Modernize InjectedScriptSource
1321         https://bugs.webkit.org/show_bug.cgi?id=173890
1322
1323         Reviewed by Brian Burg.
1324
1325         * inspector/InjectedScript.h:
1326         Reorder functions to be slightly better.
1327
1328         * inspector/InjectedScriptSource.js:
1329         - Convert to classes named InjectedScript and RemoteObject
1330         - Align InjectedScript's API with the wrapper C++ interfaces
1331         - Move some code to RemoteObject where appropriate (subtype, describe)
1332         - Move some code to helper functions (isPrimitiveValue, isDefined)
1333         - Refactor for readability and modern features
1334         - Remove some unused / unnecessary code
1335
1336 2017-07-18  Mark Lam  <mark.lam@apple.com>
1337
1338         Butterfly storage need not be initialized for indexing type Undecided.
1339         https://bugs.webkit.org/show_bug.cgi?id=174516
1340
1341         Reviewed by Saam Barati.
1342
1343         While it's not incorrect to initialize the butterfly storage when the
1344         indexingType is Undecided, it is inefficient as we'll end up initializing
1345         it again later when we convert the storage to a different indexingType.
1346         Some of our code already skips initializing Undecided butterflies.
1347         This patch makes it the consistent behavior everywhere.
1348
1349         * dfg/DFGSpeculativeJIT.cpp:
1350         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1351         * runtime/JSArray.cpp:
1352         (JSC::JSArray::tryCreateUninitializedRestricted):
1353         * runtime/JSArray.h:
1354         (JSC::JSArray::tryCreate):
1355         * runtime/JSObject.cpp:
1356         (JSC::JSObject::ensureLengthSlow):
1357
1358 2017-07-18  Saam Barati  <sbarati@apple.com>
1359
1360         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
1361         https://bugs.webkit.org/show_bug.cgi?id=174515
1362         <rdar://problem/33358092>
1363
1364         Reviewed by Filip Pizlo.
1365
1366         AirLowerAfterRegAlloc was computing the set of available scratch
1367         registers incorrectly. It was always excluding callee save registers
1368         from the set of live registers. It did not guarantee that live callee save
1369         registers were not in the set of scratch registers that could
1370         get clobbered. That's incorrect as the shuffling code is free
1371         to overwrite whatever is in the scratch register it gets passed.
1372
1373         * b3/air/AirLowerAfterRegAlloc.cpp:
1374         (JSC::B3::Air::lowerAfterRegAlloc):
1375         * b3/testb3.cpp:
1376         (JSC::B3::functionNineArgs):
1377         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
1378         (JSC::B3::run):
1379         * jit/RegisterSet.h:
1380
1381 2017-07-18  Andy Estes  <aestes@apple.com>
1382
1383         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
1384         https://bugs.webkit.org/show_bug.cgi?id=174631
1385
1386         Reviewed by Dan Bernstein.
1387
1388         * Configurations/Base.xcconfig:
1389
1390 2017-07-18  Devin Rousso  <drousso@apple.com>
1391
1392         Web Inspector: Add memoryCost to Inspector Protocol objects
1393         https://bugs.webkit.org/show_bug.cgi?id=174478
1394
1395         Reviewed by Joseph Pecoraro.
1396
1397         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
1398         plus the memoryCost of the data if it is a string.
1399
1400         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
1401
1402         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
1403         key plus the memoryCost of the InspectorValue for each entry.
1404
1405         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
1406
1407         * inspector/InspectorValues.h:
1408         * inspector/InspectorValues.cpp:
1409         (Inspector::InspectorValue::memoryCost):
1410         (Inspector::InspectorObjectBase::memoryCost):
1411         (Inspector::InspectorArrayBase::memoryCost):
1412
1413 2017-07-18  Andy Estes  <aestes@apple.com>
1414
1415         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
1416         https://bugs.webkit.org/show_bug.cgi?id=174631
1417
1418         Reviewed by Darin Adler.
1419
1420         * Configurations/Base.xcconfig:
1421
1422 2017-07-18  Michael Saboff  <msaboff@apple.com>
1423
1424         [JSC] There should be a debug option to dump a compiled RegExp Pattern
1425         https://bugs.webkit.org/show_bug.cgi?id=174601
1426
1427         Reviewed by Alex Christensen.
1428
1429         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
1430         objects after a regular expression has been compiled.
1431
1432         * runtime/Options.h:
1433         * yarr/YarrPattern.cpp:
1434         (JSC::Yarr::YarrPattern::compile):
1435         (JSC::Yarr::indentForNestingLevel):
1436         (JSC::Yarr::dumpUChar32):
1437         (JSC::Yarr::PatternAlternative::dump):
1438         (JSC::Yarr::PatternTerm::dumpQuantifier):
1439         (JSC::Yarr::PatternTerm::dump):
1440         (JSC::Yarr::PatternDisjunction::dump):
1441         (JSC::Yarr::YarrPattern::dumpPattern):
1442         * yarr/YarrPattern.h:
1443         (JSC::Yarr::YarrPattern::global):
1444
1445 2017-07-17  Darin Adler  <darin@apple.com>
1446
1447         Improve use of NeverDestroyed
1448         https://bugs.webkit.org/show_bug.cgi?id=174348
1449
1450         Reviewed by Sam Weinig.
1451
1452         * heap/MachineStackMarker.cpp:
1453         * wasm/WasmMemory.cpp:
1454         Removed unneeded includes of NeverDestroyed.h in files that do not make use
1455         of NeverDestroyed.
1456
1457 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
1458
1459         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
1460         https://bugs.webkit.org/show_bug.cgi?id=174547
1461
1462         Reviewed by Alex Christensen.
1463
1464         * CMakeLists.txt:
1465         * shell/CMakeLists.txt:
1466
1467 2017-07-17  Saam Barati  <sbarati@apple.com>
1468
1469         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
1470         https://bugs.webkit.org/show_bug.cgi?id=174584
1471
1472         Rubber stamped by Keith Miller.
1473
1474         I used it to diagnose a bug. The bug is now fixed. This custom
1475         RELEASE_ASSERT is no longer needed.
1476
1477         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1478
1479 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
1480
1481         -Wformat-truncation warning in ConfigFile.cpp
1482         https://bugs.webkit.org/show_bug.cgi?id=174506
1483
1484         Reviewed by Darin Adler.
1485
1486         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
1487         return ParseError.
1488
1489         * runtime/ConfigFile.cpp:
1490         (JSC::ConfigFile::parse):
1491
1492 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
1493
1494         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
1495         https://bugs.webkit.org/show_bug.cgi?id=174557
1496
1497         Reviewed by Michael Catanzaro.
1498
1499         * CMakeLists.txt:
1500
1501 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1502
1503         [WTF] Use std::unique_ptr for StackTrace
1504         https://bugs.webkit.org/show_bug.cgi?id=174495
1505
1506         Reviewed by Alex Christensen.
1507
1508         * runtime/ExceptionScope.cpp:
1509         (JSC::ExceptionScope::unexpectedExceptionMessage):
1510         * runtime/VM.cpp:
1511         (JSC::VM::throwException):
1512
1513 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1514
1515         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
1516         https://bugs.webkit.org/show_bug.cgi?id=174423
1517
1518         Reviewed by Saam Barati.
1519
1520         * dfg/DFGAvailabilityMap.cpp:
1521         (JSC::DFG::AvailabilityMap::pruneHeap):
1522         (JSC::DFG::AvailabilityMap::pruneByLiveness):
1523
1524 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
1525
1526         Fix compiler warnings when building with GCC 7
1527         https://bugs.webkit.org/show_bug.cgi?id=174463
1528
1529         Reviewed by Darin Adler.
1530
1531         * disassembler/udis86/udis86_decode.c:
1532         (decode_operand):
1533
1534 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
1535
1536         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
1537         https://bugs.webkit.org/show_bug.cgi?id=174467
1538
1539         Reviewed by Saam Barati.
1540
1541         * bytecode/CallLinkInfo.cpp:
1542         (JSC::CallLinkInfo::callTypeFor):
1543
1544 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
1545
1546         Web Inspector: Remove unused and untested Page domain commands
1547         https://bugs.webkit.org/show_bug.cgi?id=174429
1548
1549         Reviewed by Timothy Hatcher.
1550
1551         * inspector/protocol/Page.json:
1552
1553 2017-07-13  Saam Barati  <sbarati@apple.com>
1554
1555         Missing exception check in JSObject::hasInstance
1556         https://bugs.webkit.org/show_bug.cgi?id=174455
1557         <rdar://problem/31384608>
1558
1559         Reviewed by Mark Lam.
1560
1561         * runtime/JSObject.cpp:
1562         (JSC::JSObject::hasInstance):
1563
1564 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
1565
1566         [ESnext] Implement Object Spread
1567         https://bugs.webkit.org/show_bug.cgi?id=167963
1568
1569         Reviewed by Saam Barati.
1570
1571         This patch implements ECMA262 stage 3 Object Spread proposal [1].
1572         It's implemented using CopyDataPropertiesNoExclusions to copy
1573         all enumerable keys from the object being spread. The implementation of
1574         CopyDataPropertiesNoExclusions follows the CopyDataProperties
1575         implementation; however, we don't receive excludedNames as a parameter.
1576
1577         [1] - https://github.com/tc39/proposal-object-rest-spread
1578
1579         * builtins/GlobalOperations.js:
1580         (globalPrivate.copyDataPropertiesNoExclusions):
1581         * bytecompiler/BytecodeGenerator.cpp:
1582         (JSC::BytecodeGenerator::emitLoad):
1583         * bytecompiler/NodesCodegen.cpp:
1584         (JSC::PropertyListNode::emitBytecode):
1585         (JSC::ObjectSpreadExpressionNode::emitBytecode):
1586         * parser/ASTBuilder.h:
1587         (JSC::ASTBuilder::createObjectSpreadExpression):
1588         (JSC::ASTBuilder::createProperty):
1589         * parser/NodeConstructors.h:
1590         (JSC::PropertyNode::PropertyNode):
1591         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
1592         * parser/Nodes.h:
1593         (JSC::ObjectSpreadExpressionNode::expression):
1594         * parser/Parser.cpp:
1595         (JSC::Parser<LexerType>::parseProperty):
1596         * parser/SyntaxChecker.h:
1597         (JSC::SyntaxChecker::createObjectSpreadExpression):
1598         (JSC::SyntaxChecker::createProperty):
1599
1600 2017-07-12  Mark Lam  <mark.lam@apple.com>
1601
1602         Gardening: build fix after r219434.
1603         https://bugs.webkit.org/show_bug.cgi?id=174441
1604
1605         Not reviewed.
1606
1607         Make public some MacroAssembler functions that are needed by the probe implementation.
1608
1609         * assembler/MacroAssemblerARM.h:
1610         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1611         * assembler/MacroAssemblerARMv7.h:
1612         (JSC::MacroAssemblerARMv7::linkCall):
1613
1614 2017-07-12  Mark Lam  <mark.lam@apple.com>
1615
1616         Move Probe code from AbstractMacroAssembler to MacroAssembler.
1617         https://bugs.webkit.org/show_bug.cgi?id=174441
1618
1619         Reviewed by Saam Barati.
1620
1621         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
1622         to MacroAssembler.  There is no code behavior change.
1623
1624         * assembler/AbstractMacroAssembler.h:
1625         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
1626         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
1627         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
1628         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
1629         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
1630         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
1631         * assembler/MacroAssembler.h:
1632         (JSC::MacroAssembler::CPUState::gprName):
1633         (JSC::MacroAssembler::CPUState::fprName):
1634         (JSC::MacroAssembler::CPUState::gpr):
1635         (JSC::MacroAssembler::CPUState::fpr):
1636         * assembler/MacroAssemblerARM.cpp:
1637         (JSC::MacroAssembler::probe):
1638         (JSC::MacroAssemblerARM::probe): Deleted.
1639         * assembler/MacroAssemblerARM.h:
1640         * assembler/MacroAssemblerARM64.cpp:
1641         (JSC::MacroAssembler::probe):
1642         (JSC::MacroAssemblerARM64::probe): Deleted.
1643         * assembler/MacroAssemblerARM64.h:
1644         * assembler/MacroAssemblerARMv7.cpp:
1645         (JSC::MacroAssembler::probe):
1646         (JSC::MacroAssemblerARMv7::probe): Deleted.
1647         * assembler/MacroAssemblerARMv7.h:
1648         * assembler/MacroAssemblerMIPS.h:
1649         * assembler/MacroAssemblerX86Common.cpp:
1650         (JSC::MacroAssembler::probe):
1651         (JSC::MacroAssemblerX86Common::probe): Deleted.
1652         * assembler/MacroAssemblerX86Common.h:
1653
1654 2017-07-12  Saam Barati  <sbarati@apple.com>
1655
1656         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
1657         https://bugs.webkit.org/show_bug.cgi?id=174411
1658         <rdar://problem/31696186>
1659
1660         Reviewed by Mark Lam.
1661
1662         The code for deleting an argument was incorrectly referencing state
1663         when it decided if it should unmap or mark a property as having its
1664         descriptor modified. This patch fixes the bug where if we delete a
1665         property, we would sometimes not unmap an argument when deleting it.
1666
1667         * runtime/GenericArgumentsInlines.h:
1668         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1669         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1670         (JSC::GenericArguments<Type>::deleteProperty):
1671         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1672
1673 2017-07-12  Commit Queue  <commit-queue@webkit.org>
1674
1675         Unreviewed, rolling out r219176.
1676         https://bugs.webkit.org/show_bug.cgi?id=174436
1677
1678         "Can cause infinite recursion on iOS" (Requested by mlam on
1679         #webkit).
1680
1681         Reverted changeset:
1682
1683         "WTF::Thread should have the threads stack bounds."
1684         https://bugs.webkit.org/show_bug.cgi?id=173975
1685         http://trac.webkit.org/changeset/219176
1686
1687 2017-07-12  Matt Lewis  <jlewis3@apple.com>
1688
1689         Unreviewed, rolling out r219401.
1690
1691         This revision rolled out the previous patch, but after talking
1692         with the reviewer, a rebaseline is what was needed. Rolling back in
1693         before rebaseline.
1694
1695         Reverted changeset:
1696
1697         "Unreviewed, rolling out r219379."
1698         https://bugs.webkit.org/show_bug.cgi?id=174400
1699         http://trac.webkit.org/changeset/219401
1700
1701 2017-07-12  Matt Lewis  <jlewis3@apple.com>
1702
1703         Unreviewed, rolling out r219379.
1704
1705         This revision caused a consistent failure in the test
1706         fast/dom/Window/property-access-on-cached-window-after-frame-removed.html.
1708
1709         Reverted changeset:
1710
1711         "Remove NAVIGATOR_HWCONCURRENCY"
1712         https://bugs.webkit.org/show_bug.cgi?id=174400
1713         http://trac.webkit.org/changeset/219379
1714
1715 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
1716
1717         Wrong radix used in Unicode Escape in invalid character error message
1718         https://bugs.webkit.org/show_bug.cgi?id=174419
1719
1720         Reviewed by Alex Christensen.
1721
1722         * parser/Lexer.cpp:
1723         (JSC::Lexer<T>::invalidCharacterMessage):
1724
1725 2017-07-11  Dean Jackson  <dino@apple.com>
1726
1727         Remove NAVIGATOR_HWCONCURRENCY
1728         https://bugs.webkit.org/show_bug.cgi?id=174400
1729
1730         Reviewed by Sam Weinig.
1731
1732         * Configurations/FeatureDefines.xcconfig:
1733
1734 2017-07-11  Dean Jackson  <dino@apple.com>
1735
1736         Rolling out r219372.
1737
1738         * Configurations/FeatureDefines.xcconfig:
1739
1740 2017-07-11  Dean Jackson  <dino@apple.com>
1741
1742         Remove NAVIGATOR_HWCONCURRENCY
1743         https://bugs.webkit.org/show_bug.cgi?id=174400
1744
1745         Reviewed by Sam Weinig.
1746
1747         * Configurations/FeatureDefines.xcconfig:
1748
1749 2017-07-11  Saam Barati  <sbarati@apple.com>
1750
1751         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
1752         https://bugs.webkit.org/show_bug.cgi?id=174397
1753
1754         Rubber stamped by David Kilzer.
1755
1756         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
1757         * wasm/js/WebAssemblyFunctionCell.h: Removed.
1758
1759 2017-07-10  Saam Barati  <sbarati@apple.com>
1760
1761         Allocation sinking phase should consider a CheckStructure that would fail as an escape
1762         https://bugs.webkit.org/show_bug.cgi?id=174321
1763         <rdar://problem/32604963>
1764
1765         Reviewed by Filip Pizlo.
1766
1767         When the allocation sinking phase was generating stores to materialize
1768         objects in a cycle with each other, it would assume that each materialized
1769         object had a valid, non-empty set of structures. This is an OK assumption for
1770         the phase to make because how do you materialize an object with no structure?
1771         
1772         The abstract interpretation part of the phase will model what's in the heap.
1773         However, it would sometimes model that a CheckStructure would fail. The phase
1774         did nothing special for this; it just stored the empty set of structures for
1775         its representation of a particular allocation. However, what the phase proved
1776         in such a scenario is that, had the CheckStructure executed, it would have exited.
1777         
1778         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
1779         This will cause the allocation in question to be materialized just before
1780         the CheckStructure, and then at execution time, the CheckStructure will exit.
1781         
1782         I wasn't able to write a test case for this. However, I was able to reproduce
1783         this crash by manually editing the IR. I've opened a separate bug to help us
1784         create a testing framework for writing tests for hard to reproduce bugs like this:
1785         https://bugs.webkit.org/show_bug.cgi?id=174322
1786
1787         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1788
1789 2017-07-10  Devin Rousso  <drousso@apple.com>
1790
1791         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
1792         https://bugs.webkit.org/show_bug.cgi?id=174279
1793
1794         Reviewed by Matt Baker.
1795
1796         * inspector/protocol/DOM.json:
1797         Add `highlightNodeList` command that will highlight each node in the given list.
1798
1799 2017-07-03  Brian Burg  <bburg@apple.com>
1800
1801         Web Replay: remove some unused code
1802         https://bugs.webkit.org/show_bug.cgi?id=173903
1803
1804         Rubber-stamped by Joseph Pecoraro.
1805
1806         * CMakeLists.txt:
1807         * Configurations/FeatureDefines.xcconfig:
1808         * DerivedSources.make:
1809         * JavaScriptCore.xcodeproj/project.pbxproj:
1810         * inspector/protocol/Replay.json: Removed.
1811         * replay/EmptyInputCursor.h: Removed.
1812         * replay/EncodedValue.cpp: Removed.
1813         * replay/EncodedValue.h: Removed.
1814         * replay/InputCursor.h: Removed.
1815         * replay/JSInputs.json: Removed.
1816         * replay/NondeterministicInput.h: Removed.
1817         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
1818         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
1819         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
1820         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
1821         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
1822         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
1823         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
1824         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
1825         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
1826         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
1827         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
1828         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
1829         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
1830         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
1831         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
1832         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
1833         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
1834         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
1835         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
1836         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
1837         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
1838         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
1839         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
1840         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
1841         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
1842         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
1843         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
1844         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
1845         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
1846         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
1847         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
1848         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
1849         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
1850         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
1851         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
1852         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
1853         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
1854         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
1855         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
1856         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
1857         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
1858         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
1859         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
1860         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
1861         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
1862         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
1863         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
1864         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
1865         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
1866         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
1867         * replay/scripts/tests/generate-input-with-guard.json: Removed.
1868         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
1869         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
1870         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
1871         * runtime/DateConstructor.cpp:
1872         (JSC::constructDate):
1873         (JSC::dateNow):
1874         (JSC::deterministicCurrentTime): Deleted.
1875         * runtime/JSGlobalObject.cpp:
1876         (JSC::JSGlobalObject::JSGlobalObject):
1877         (JSC::JSGlobalObject::setInputCursor): Deleted.
1878         * runtime/JSGlobalObject.h:
1879         (JSC::JSGlobalObject::inputCursor): Deleted.
1880
1881 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
1882
1883         Move make-js-file-arrays.py from WebCore to JavaScriptCore
1884         https://bugs.webkit.org/show_bug.cgi?id=174024
1885
1886         Reviewed by Michael Catanzaro.
1887
1888         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
1889         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
1890         Added command line option to pass the namespace to use instead of using WebCore.
1891
1892         * JavaScriptCore.xcodeproj/project.pbxproj:
1893         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
1894         (main):
1895
1896 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1897
1898         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
1899         https://bugs.webkit.org/show_bug.cgi?id=174296
1900
1901         Reviewed by Mark Lam.
1902
1903         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
1904         It caused a problem in scanning template literals. While template literals normalize
1905         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
1906         To handle this correctly, LineNumberAdder was introduced.
1907
1908         As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
1909         LineNumberAdder. Let's just use shiftLineTerminator() instead.
1910
1911         * parser/Lexer.cpp:
1912         (JSC::Lexer<T>::parseTemplateLiteral):
1913         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
1914         (JSC::LineNumberAdder::clear): Deleted.
1915         (JSC::LineNumberAdder::add): Deleted.
1916
1917 2017-07-09  Dan Bernstein  <mitz@apple.com>
1918
1919         [Xcode] ICU headers aren’t treated as system headers after r219155
1920         https://bugs.webkit.org/show_bug.cgi?id=174299
1921
1922         Reviewed by Sam Weinig.
1923
1924         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
1925           C++ compilers.
1926
1927         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
1928         * runtime/IntlDateTimeFormat.cpp: Ditto.
1929         * runtime/JSGlobalObject.cpp: Ditto.
1930         * runtime/StringPrototype.cpp: Ditto.
1931
1932 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1933
1934         [JSC] Use fastMalloc / fastFree for STL containers
1935         https://bugs.webkit.org/show_bug.cgi?id=174297
1936
1937         Reviewed by Sam Weinig.
1938
1939         In some places, we intentionally use STL containers over WTF containers.
1940         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
1941         because we do not have effective empty / deleted representations in the space of key's value.
1942         But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
1943
1944         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
1945         We specify this allocator as the STL containers' allocator template parameter so they allocate memory from fastMalloc.
1946
1947         This WTF::FastAllocator gives us a chance to use STL containers if it is necessary
1948         without compromising memory allocation throughput.
1949
1950         * dfg/DFGGraph.h:
1951         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1952         * ftl/FTLLowerDFGToB3.cpp:
1953         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
1954         * runtime/FunctionHasExecutedCache.h:
1955         * runtime/TypeLocationCache.h:
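
        The allocator technique described in this entry, as an added example that is not WTF's
        FastAllocator code: a minimal C++ allocator routed through a stand-in fastMalloc/fastFree
        (here plain malloc/free with call counters, constructed for the example) and handed to
        std::unordered_set as its allocator template parameter. The counters let us verify that
        every node and bucket array the container allocates really goes through that path.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <functional>
#include <new>
#include <unordered_set>
#include <vector>

// Stand-in for WTF's fastMalloc/fastFree (constructed for this example):
// plain malloc/free plus counters, so we can observe that the STL container
// below allocates through this path and nothing bypasses it.
static std::size_t g_fastMallocCalls = 0;
static std::size_t g_fastFreeCalls = 0;

static void* fastMalloc(std::size_t size)
{
    void* p = std::malloc(size ? size : 1);
    if (!p)
        throw std::bad_alloc();
    ++g_fastMallocCalls;
    return p;
}

static void fastFree(void* p)
{
    if (!p)
        return;
    ++g_fastFreeCalls;
    std::free(p);
}

// Minimal C++ allocator that routes all storage through fastMalloc/fastFree.
// Modelled on the idea of WTF::FastAllocator; this code is an added example.
template<typename T>
struct FastAllocator {
    using value_type = T;

    FastAllocator() noexcept = default;
    template<typename U> FastAllocator(const FastAllocator<U>&) noexcept { }

    T* allocate(std::size_t n)
    {
        // Refuse byte counts that would overflow n * sizeof(T).
        if (n > static_cast<std::size_t>(-1) / sizeof(T))
            throw std::bad_alloc();
        return static_cast<T*>(fastMalloc(n * sizeof(T)));
    }
    void deallocate(T* p, std::size_t) noexcept { fastFree(p); }
};

template<typename T, typename U>
bool operator==(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return true; }
template<typename T, typename U>
bool operator!=(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return false; }

// An unordered_set whose nodes and bucket array come from fastMalloc. The key
// type (uint64_t) has no spare "empty"/"deleted" sentinel values, which is the
// situation the ChangeLog entry gives for preferring STL containers.
using FastUnorderedSet = std::unordered_set<std::uint64_t, std::hash<std::uint64_t>,
    std::equal_to<std::uint64_t>, FastAllocator<std::uint64_t>>;

struct AllocStats {
    std::size_t mallocs; // fastMalloc calls made while the set was alive
    std::size_t frees;   // fastFree calls made by the time it was destroyed
    std::size_t size;    // number of distinct keys stored
};

// Insert the values into a FastUnorderedSet, destroy it, and report how the
// allocation traffic went through the fastMalloc/fastFree stand-ins.
AllocStats fillSet(const std::vector<std::uint64_t>& values)
{
    std::size_t mallocsBefore = g_fastMallocCalls;
    std::size_t freesBefore = g_fastFreeCalls;
    std::size_t size = 0;
    {
        FastUnorderedSet set;
        for (auto v : values)
            set.insert(v);
        size = set.size();
    } // set destroyed here: nodes and bucket array are returned via fastFree
    return { g_fastMallocCalls - mallocsBefore, g_fastFreeCalls - freesBefore, size };
}
```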
1956
1957 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1958
1959         Drop NOSNIFF compile flag
1960         https://bugs.webkit.org/show_bug.cgi?id=174289
1961
1962         Reviewed by Michael Catanzaro.
1963
1964         * Configurations/FeatureDefines.xcconfig:
1965
1966 2017-07-07  AJ Ringer  <aringer@apple.com>
1967
1968         Lower the max_protection for the separated heap
1969         https://bugs.webkit.org/show_bug.cgi?id=174281
1970
1971         Reviewed by Oliver Hunt.
1972
1973         Switch to vm_protect so we can set maximum page protection.
1974
1975         * jit/ExecutableAllocator.cpp:
1976         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1977         (JSC::ExecutableAllocator::allocate):
1978
1979 2017-07-07  Devin Rousso  <drousso@apple.com>
1980
1981         Web Inspector: Show all elements currently using a given CSS Canvas
1982         https://bugs.webkit.org/show_bug.cgi?id=173965
1983
1984         Reviewed by Joseph Pecoraro.
1985
1986         * inspector/protocol/Canvas.json:
1987          - Add `requestCSSCanvasClientNodes` command for getting the node IDs all nodes using this
1988            canvas via -webkit-canvas.
1989          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
1990            added/removed from the list of -webkit-canvas clients.
1991
1992 2017-07-07  Mark Lam  <mark.lam@apple.com>
1993
1994         \n\r is not the same as \r\n.
1995         https://bugs.webkit.org/show_bug.cgi?id=173053
1996
1997         Reviewed by Keith Miller.
1998
1999         * parser/Lexer.cpp:
2000         (JSC::Lexer<T>::shiftLineTerminator):
2001         (JSC::LineNumberAdder::add):
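
        The line-terminator rule behind this entry and the LineNumberAdder removal above
        (<CR><LF> is one terminator, <LF><CR> is two), as an added example that is not JSC's
        Lexer code: a small scanner over code points that counts terminators and the resulting
        line number. The struct and function names are this example's own.

```cpp
#include <cstddef>
#include <string>

// Result of scanning a source fragment for line terminators.
struct LineScan {
    std::size_t lineNumber;  // 1-based line the scan ends on
    std::size_t terminators; // number of line terminators consumed
};

// Is this a JavaScript LineTerminator code point (LF, CR, LS, PS)?
static bool isLineTerminator(char32_t c)
{
    return c == U'\n' || c == U'\r' || c == 0x2028 || c == 0x2029;
}

// Walk the input as code points and count line terminators the way the
// ChangeLog entries describe: <CR><LF> is a single terminator, but <LF><CR>
// is two, so "\n\r" advances the line number by two while "\r\n" adds one.
LineScan scanLines(const std::u32string& source)
{
    LineScan result { 1, 0 };
    for (std::size_t i = 0; i < source.size(); ++i) {
        char32_t c = source[i];
        if (!isLineTerminator(c))
            continue;
        // Only the CR LF pair is merged; LF followed by CR stays two terminators.
        if (c == U'\r' && i + 1 < source.size() && source[i + 1] == U'\n')
            ++i;
        ++result.terminators;
        ++result.lineNumber;
    }
    return result;
}
```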
2002
2003 2017-07-07  Commit Queue  <commit-queue@webkit.org>
2004
2005         Unreviewed, rolling out r219238, r219239, and r219241.
2006         https://bugs.webkit.org/show_bug.cgi?id=174265
2007
2008         "fast/workers/dedicated-worker-lifecycle.html is flaky"
2009         (Requested by yusukesuzuki on #webkit).
2010
2011         Reverted changesets:
2012
2013         "[WTF] Implement WTF::ThreadGroup"
2014         https://bugs.webkit.org/show_bug.cgi?id=174081
2015         http://trac.webkit.org/changeset/219238
2016
2017         "Unreviewed, build fix after r219238"
2018         https://bugs.webkit.org/show_bug.cgi?id=174081
2019         http://trac.webkit.org/changeset/219239
2020
2021         "Unreviewed, CLoop build fix after r219238"
2022         https://bugs.webkit.org/show_bug.cgi?id=174081
2023         http://trac.webkit.org/changeset/219241
2024
2025 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2026
2027         Unreviewed, CLoop build fix after r219238
2028         https://bugs.webkit.org/show_bug.cgi?id=174081
2029
2030         * heap/MachineStackMarker.cpp:
2031
2032 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2033
2034         [WTF] Implement WTF::ThreadGroup
2035         https://bugs.webkit.org/show_bug.cgi?id=174081
2036
2037         Reviewed by Mark Lam.
2038
2039         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup,
2040         and SamplingProfiler and others interact with WTF::Thread directly.
2041
2042         * API/tests/ExecutionTimeLimitTest.cpp:
2043         * heap/MachineStackMarker.cpp:
2044         (JSC::MachineThreads::MachineThreads):
2045         (JSC::captureStack):
2046         (JSC::MachineThreads::tryCopyOtherThreadStack):
2047         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2048         (JSC::MachineThreads::gatherConservativeRoots):
2049         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2050         (JSC::ActiveMachineThreadsManager::add): Deleted.
2051         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2052         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2053         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2054         (JSC::activeMachineThreadsManager): Deleted.
2055         (JSC::MachineThreads::~MachineThreads): Deleted.
2056         (JSC::MachineThreads::addCurrentThread): Deleted.
2057         (): Deleted.
2058         (JSC::MachineThreads::removeThread): Deleted.
2059         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2060         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2061         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2062         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2063         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2064         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2065         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2066         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2067         * heap/MachineStackMarker.h:
2068         (JSC::MachineThreads::addCurrentThread):
2069         (JSC::MachineThreads::getLock):
2070         (JSC::MachineThreads::threads):
2071         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2072         (JSC::MachineThreads::MachineThread::resume): Deleted.
2073         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2074         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2075         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2076         (JSC::MachineThreads::threadsListHead): Deleted.
2077         * runtime/SamplingProfiler.cpp:
2078         (JSC::FrameWalker::isValidFramePointer):
2079         (JSC::SamplingProfiler::SamplingProfiler):
2080         (JSC::SamplingProfiler::takeSample):
2081         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2082         * runtime/SamplingProfiler.h:
2083         * wasm/WasmMachineThreads.cpp:
2084         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2085
2086 2017-07-06  Saam Barati  <sbarati@apple.com>
2087
2088         We are missing places where we invalidate the for-in context
2089         https://bugs.webkit.org/show_bug.cgi?id=174184
2090
2091         Reviewed by Geoffrey Garen.
2092
2093         * bytecompiler/BytecodeGenerator.cpp:
2094         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2095         * bytecompiler/NodesCodegen.cpp:
2096         (JSC::EmptyLetExpression::emitBytecode):
2097         (JSC::ForInNode::emitLoopHeader):
2098         (JSC::ForOfNode::emitBytecode):
2099         (JSC::BindingNode::bindValue):
2100
2101 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2102
2103         Unreviewed, suppress warnings in GCC environment
2104
2105         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2106         * runtime/IntlCollator.cpp:
2107         * runtime/IntlDateTimeFormat.cpp:
2108         * runtime/JSGlobalObject.cpp:
2109         * runtime/StringPrototype.cpp:
2110
2111 2017-07-05  Saam Barati  <sbarati@apple.com>
2112
2113         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
2114         https://bugs.webkit.org/show_bug.cgi?id=174188
2115         <rdar://problem/30581423>
2116
2117         Reviewed by Mark Lam.
2118
2119         We were calling lowJSValue(edge) when we were speculating the
2120         edge as double. This isn't allowed. We should have been using
2121         lowDouble.
2122         
2123         This patch also adds a new option, called useArrayAllocationProfiling,
2124         which defaults to true. When false, it will make the array allocation
2125         profile not actually sample seen arrays. It'll force the allocation
2126         profile's predicted indexing type to be ArrayWithUndecided. Adding
2127         this option made it trivial to write a test for this bug.
2128
2129         * bytecode/ArrayAllocationProfile.cpp:
2130         (JSC::ArrayAllocationProfile::updateIndexingType):
2131         * ftl/FTLLowerDFGToB3.cpp:
2132         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2133         * runtime/Options.h:
2134
2135 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2136
2137         WTF::Thread should have the threads stack bounds.
2138         https://bugs.webkit.org/show_bug.cgi?id=173975
2139
2140         Reviewed by Keith Miller.
2141
2142         There is a site in JSC that tries to walk another thread's stack.
2143         Currently, stack bounds are stored in WTFThreadData, which is located
2144         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2145         We work around this situation by holding StackBounds in MachineThread in JSC,
2146         but StackBounds should be put in WTF::Thread instead.
2147
2148         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
2149         information is tightly coupled with Thread. Thus putting it in WTF::Thread
2150         is a natural choice.
2151
2152         * heap/MachineStackMarker.cpp:
2153         (JSC::MachineThreads::MachineThread::MachineThread):
2154         (JSC::MachineThreads::MachineThread::captureStack):
2155         * heap/MachineStackMarker.h:
2156         (JSC::MachineThreads::MachineThread::stackBase):
2157         (JSC::MachineThreads::MachineThread::stackEnd):
2158         * runtime/InitializeThreading.cpp:
2159         (JSC::initializeThreading):
2160         * runtime/VM.cpp:
2161         (JSC::VM::VM):
2162         (JSC::VM::updateStackLimits):
2163         (JSC::VM::committedStackByteCount):
2164         * runtime/VM.h:
2165         (JSC::VM::isSafeToRecurse):
2166         * runtime/VMEntryScope.cpp:
2167         (JSC::VMEntryScope::VMEntryScope):
2168         * runtime/VMInlines.h:
2169         (JSC::VM::ensureStackCapacityFor):
2170         * runtime/VMTraps.cpp:
2171         * yarr/YarrPattern.cpp:
2172         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2173
2174 2017-07-05  Keith Miller  <keith_miller@apple.com>
2175
2176         Crashing with information should have an abort reason
2177         https://bugs.webkit.org/show_bug.cgi?id=174185
2178
2179         Reviewed by Saam Barati.
2180
2181         Add crash information for the abstract interpreter and add an enum
2182         value for object allocation sinking.
2183
2184         * assembler/AbortReason.h:
2185         * dfg/DFGAbstractInterpreterInlines.h:
2186         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
2187         * dfg/DFGGraph.cpp:
2188         (JSC::DFG::logDFGAssertionFailure):
2189         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2190
2191 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
2192
2193         Remove copy of ICU headers from WebKit
2194         https://bugs.webkit.org/show_bug.cgi?id=116407
2195
2196         Reviewed by Alex Christensen.
2197
2198         Use WTF's copy of ICU headers.
2199
2200         * Configurations/Base.xcconfig:
2201         * icu/unicode/localpointer.h: Removed.
2202         * icu/unicode/parseerr.h: Removed.
2203         * icu/unicode/platform.h: Removed.
2204         * icu/unicode/ptypes.h: Removed.
2205         * icu/unicode/putil.h: Removed.
2206         * icu/unicode/uchar.h: Removed.
2207         * icu/unicode/ucnv.h: Removed.
2208         * icu/unicode/ucnv_err.h: Removed.
2209         * icu/unicode/ucol.h: Removed.
2210         * icu/unicode/uconfig.h: Removed.
2211         * icu/unicode/ucurr.h: Removed.
2212         * icu/unicode/uenum.h: Removed.
2213         * icu/unicode/uiter.h: Removed.
2214         * icu/unicode/uloc.h: Removed.
2215         * icu/unicode/umachine.h: Removed.
2216         * icu/unicode/unorm.h: Removed.
2217         * icu/unicode/unorm2.h: Removed.
2218         * icu/unicode/urename.h: Removed.
2219         * icu/unicode/uscript.h: Removed.
2220         * icu/unicode/uset.h: Removed.
2221         * icu/unicode/ustring.h: Removed.
2222         * icu/unicode/utf.h: Removed.
2223         * icu/unicode/utf16.h: Removed.
2224         * icu/unicode/utf8.h: Removed.
2225         * icu/unicode/utf_old.h: Removed.
2226         * icu/unicode/utypes.h: Removed.
2227         * icu/unicode/uvernum.h: Removed.
2228         * icu/unicode/uversion.h: Removed.
2229         * runtime/IntlCollator.cpp:
2230         * runtime/IntlDateTimeFormat.cpp:
2231         (JSC::IntlDateTimeFormat::partTypeString):
2232         * runtime/JSGlobalObject.cpp:
2233         * runtime/StringPrototype.cpp:
2234         (JSC::normalize):
2235         (JSC::stringProtoFuncNormalize):
2236
2237 2017-07-05  Devin Rousso  <drousso@apple.com>
2238
2239         Web Inspector: Allow users to log any tracked canvas context
2240         https://bugs.webkit.org/show_bug.cgi?id=173397
2241         <rdar://problem/33111581>
2242
2243         Reviewed by Joseph Pecoraro.
2244
2245         * inspector/protocol/Canvas.json:
2246         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
2247
2248 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
2249
2250         Add WebKitPrivateFrameworkStubs for iOS 11
2251         https://bugs.webkit.org/show_bug.cgi?id=173988
2252
2253         Reviewed by David Kilzer.
2254
2255         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
2256         same directory for private framework stubs.
2257
2258 2017-07-05  JF Bastien  <jfbastien@apple.com>
2259
2260         WebAssembly: implement name section's module name, skip unknown sections
2261         https://bugs.webkit.org/show_bug.cgi?id=172008
2262
2263         Reviewed by Keith Miller.
2264
2265         Parse the WebAssembly module name properly, and skip unknown
2266         sections. This is useful because as toolchains support new types
2267         of names we want to keep displaying the information we know about
2268         and simply ignore new information. That capability was designed
2269         into WebAssembly's name section.
2270
2271         Failure to commit this patch would mean that WebKit won't display
2272         stack trace information, which would make developers sad.
2273
2274         Module names were added here: https://github.com/WebAssembly/design/pull/1055
2275
2276         Note that this patch doesn't do anything with the parsed name! Two
2277         reasons for this: module names aren't supported in binaryen yet,
2278         so I can't write a simple binary test; and using the name is a
2279         slightly riskier change because it requires changing StackVisitor
2280         + StackFrame (where they print "[wasm code]") which requires
2281         figuring out the frame's Module. The latter bit isn't trivial
2282         because we only know wasm frames from their tag bits, and
2283         CodeBlocks are always nullptr.
2284
2285         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
2286
2287         I filed #174098 to use the module name.
2288
2289         * wasm/WasmFormat.h:
2290         (JSC::Wasm::isValidNameType):
2291         * wasm/WasmNameSectionParser.cpp:
2292
2293 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
2294
2295         Cleanup some StringBuilder use
2296         https://bugs.webkit.org/show_bug.cgi?id=174118
2297
2298         Reviewed by Andreas Kling.
2299
2300         * runtime/FunctionConstructor.cpp:
2301         (JSC::constructFunctionSkippingEvalEnabledCheck):
2302         * tools/FunctionOverrides.cpp:
2303         (JSC::parseClause):
2304         * wasm/WasmOMGPlan.cpp:
2305         * wasm/WasmPlan.cpp:
2306         * wasm/WasmValidate.cpp:
2307
2308 2017-07-03  Saam Barati  <sbarati@apple.com>
2309
2310         LayoutTest workers/bomb.html is a Crash
2311         https://bugs.webkit.org/show_bug.cgi?id=167757
2312         <rdar://problem/33086462>
2313
2314         Reviewed by Keith Miller.
2315
2316         VMTraps::SignalSender was accessing VM fields even after
2317         the VM was destroyed. This happened when the SignalSender
2318         thread was in the middle of its work() function while VMTraps
2319         was notified that the VM was shutting down. The VM would proceed
2320         to run its destructor even after the SignalSender thread finished
2321         doing its work. This means that the SignalSender thread was accessing
2322         VM fields even after the VM was destructed (including itself, since it is
2323         transitively owned by the VM). The VM must wait for the SignalSender
2324         thread to shut down before it can continue to destruct itself.
2325
2326         * runtime/VMTraps.cpp:
2327         (JSC::VMTraps::willDestroyVM):
2328
2329 2017-07-03  Saam Barati  <sbarati@apple.com>
2330
2331         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
2332         https://bugs.webkit.org/show_bug.cgi?id=174110
2333
2334         Reviewed by Michael Saboff.
2335
2336         * dfg/DFGByteCodeParser.cpp:
2337         (JSC::DFG::ByteCodeParser::parseBlock):
2338
2339 2017-07-03  Saam Barati  <sbarati@apple.com>
2340
2341         Add a new assertion to object allocation sinking phase
2342         https://bugs.webkit.org/show_bug.cgi?id=174107
2343
2344         Rubber stamped by Filip Pizlo.
2345
2346         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2347
2348 2017-07-03  Commit Queue  <commit-queue@webkit.org>
2349
2350         Unreviewed, rolling out r219060.
2351         https://bugs.webkit.org/show_bug.cgi?id=174108
2352
2353         crashing constantly when initializing UIWebView (Requested by
2354         thorton on #webkit).
2355
2356         Reverted changeset:
2357
2358         "WTF::Thread should have the threads stack bounds."
2359         https://bugs.webkit.org/show_bug.cgi?id=173975
2360         http://trac.webkit.org/changeset/219060
2361
2362 2017-07-03  Matt Lewis  <jlewis3@apple.com>
2363
2364         Unreviewed, rolling out r219103.
2365
2366         Caused multiple build failures.
2367
2368         Reverted changeset:
2369
2370         "Remove copy of ICU headers from WebKit"
2371         https://bugs.webkit.org/show_bug.cgi?id=116407
2372         http://trac.webkit.org/changeset/219103
2373
2374 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
2375
2376         Remove copy of ICU headers from WebKit
2377         https://bugs.webkit.org/show_bug.cgi?id=116407
2378
2379         Reviewed by Alex Christensen.
2380
2381         Use WTF's copy of ICU headers.
2382
2383         * Configurations/Base.xcconfig:
2384         * icu/unicode/localpointer.h: Removed.
2385         * icu/unicode/parseerr.h: Removed.
2386         * icu/unicode/platform.h: Removed.
2387         * icu/unicode/ptypes.h: Removed.
2388         * icu/unicode/putil.h: Removed.
2389         * icu/unicode/uchar.h: Removed.
2390         * icu/unicode/ucnv.h: Removed.
2391         * icu/unicode/ucnv_err.h: Removed.
2392         * icu/unicode/ucol.h: Removed.
2393         * icu/unicode/uconfig.h: Removed.
2394         * icu/unicode/ucurr.h: Removed.
2395         * icu/unicode/uenum.h: Removed.
2396         * icu/unicode/uiter.h: Removed.
2397         * icu/unicode/uloc.h: Removed.
2398         * icu/unicode/umachine.h: Removed.
2399         * icu/unicode/unorm.h: Removed.
2400         * icu/unicode/unorm2.h: Removed.
2401         * icu/unicode/urename.h: Removed.
2402         * icu/unicode/uscript.h: Removed.
2403         * icu/unicode/uset.h: Removed.
2404         * icu/unicode/ustring.h: Removed.
2405         * icu/unicode/utf.h: Removed.
2406         * icu/unicode/utf16.h: Removed.
2407         * icu/unicode/utf8.h: Removed.
2408         * icu/unicode/utf_old.h: Removed.
2409         * icu/unicode/utypes.h: Removed.
2410         * icu/unicode/uvernum.h: Removed.
2411         * icu/unicode/uversion.h: Removed.
2412         * runtime/IntlCollator.cpp:
2413         * runtime/IntlDateTimeFormat.cpp:
2414         * runtime/JSGlobalObject.cpp:
2415         * runtime/StringPrototype.cpp:
2416
2417 2017-07-03  Saam Barati  <sbarati@apple.com>
2418
2419         Add better crash logging for allocation sinking phase
2420         https://bugs.webkit.org/show_bug.cgi?id=174102
2421         <rdar://problem/33112092>
2422
2423         Rubber stamped by Filip Pizlo.
2424
2425         I'm trying to gather better information from crashlogs about why
2426         we're crashing in the allocation sinking phase. I'm adding an allocation
2427         sinking specific RELEASE_ASSERT as well as marking a few functions as
2428         NEVER_INLINE to have the stack traces in the crash trace contain more
2429         actionable information.
2430
2431         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2432
2433 2017-07-03  Sam Weinig  <sam@webkit.org>
2434
2435         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
2436         https://bugs.webkit.org/show_bug.cgi?id=174083
2437
2438         Reviewed by Alex Christensen.
2439
2440         * Configurations/FeatureDefines.xcconfig:
2441         Add ENABLE_NAVIGATOR_STANDALONE.
2442
2443 2017-07-03  Andy Estes  <aestes@apple.com>
2444
2445         [Xcode] Add an experimental setting to build with ccache
2446         https://bugs.webkit.org/show_bug.cgi?id=173875
2447
2448         Reviewed by Tim Horton.
2449
2450         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
2451
2452 2017-07-03  Devin Rousso  <drousso@apple.com>
2453
2454         Web Inspector: Support listing WebGL2 and WebGPU contexts
2455         https://bugs.webkit.org/show_bug.cgi?id=173396
2456
2457         Reviewed by Joseph Pecoraro.
2458
2459         * inspector/protocol/Canvas.json:
2460         * inspector/scripts/codegen/generator.py:
2461         (Generator.stylized_name_for_enum_value):
2462         Add cases for handling new Canvas.ContextType protocol enumerations:
2463          - "webgl2" maps to `WebGL2`
2464          - "webgpu" maps to `WebGPU`
2465
2466 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2467
2468         WTF::Thread should have the threads stack bounds.
2469         https://bugs.webkit.org/show_bug.cgi?id=173975
2470
2471         Reviewed by Mark Lam.
2472
2473         There is a site in JSC that tries to walk another thread's stack.
2474         Currently, stack bounds are stored in WTFThreadData, which is located
2475         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2476         We work around this situation by holding StackBounds in MachineThread in JSC,
2477         but StackBounds should be put in WTF::Thread instead.
2478
2479         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
2480         information is tightly coupled with Thread. Thus putting it in WTF::Thread
2481         is a natural choice.
2482
2483         * heap/MachineStackMarker.cpp:
2484         (JSC::MachineThreads::MachineThread::MachineThread):
2485         (JSC::MachineThreads::MachineThread::captureStack):
2486         * heap/MachineStackMarker.h:
2487         (JSC::MachineThreads::MachineThread::stackBase):
2488         (JSC::MachineThreads::MachineThread::stackEnd):
2489         * runtime/InitializeThreading.cpp:
2490         (JSC::initializeThreading):
2491         * runtime/VM.cpp:
2492         (JSC::VM::VM):
2493         (JSC::VM::updateStackLimits):
2494         (JSC::VM::committedStackByteCount):
2495         * runtime/VM.h:
2496         (JSC::VM::isSafeToRecurse):
2497         * runtime/VMEntryScope.cpp:
2498         (JSC::VMEntryScope::VMEntryScope):
2499         * runtime/VMInlines.h:
2500         (JSC::VM::ensureStackCapacityFor):
2501         * runtime/VMTraps.cpp:
2502         * yarr/YarrPattern.cpp:
2503         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2504
2505 2017-07-01  Dan Bernstein  <mitz@apple.com>
2506
2507         [iOS] Remove code only needed when building for iOS 9.x
2508         https://bugs.webkit.org/show_bug.cgi?id=174068
2509
2510         Reviewed by Tim Horton.
2511
2512         * Configurations/FeatureDefines.xcconfig:
2513         * jit/ExecutableAllocator.cpp:
2514         * runtime/Options.cpp:
2515         (JSC::recomputeDependentOptions):
2516
2517 2017-07-01  Dan Bernstein  <mitz@apple.com>
2518
2519         [macOS] Remove code only needed when building for OS X Yosemite
2520         https://bugs.webkit.org/show_bug.cgi?id=174067
2521
2522         Reviewed by Tim Horton.
2523
2524         * API/WebKitAvailability.h:
2525         * Configurations/Base.xcconfig:
2526         * Configurations/DebugRelease.xcconfig:
2527         * Configurations/FeatureDefines.xcconfig:
2528         * Configurations/Version.xcconfig:
2529
2530 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2531
2532         Unreviewed, build fix for GCC
2533         https://bugs.webkit.org/show_bug.cgi?id=174034
2534
2535         * b3/testb3.cpp:
2536         (JSC::B3::testDoubleLiteralComparison):
2537
2538 2017-06-30  Keith Miller  <keith_miller@apple.com>
2539
2540         Force crashWithInfo to be out of line.
2541         https://bugs.webkit.org/show_bug.cgi?id=174028
2542
2543         Reviewed by Filip Pizlo.
2544
2545         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
2546
2547         * dfg/DFGGraph.cpp:
2548         (JSC::DFG::logDFGAssertionFailure):
2549         (JSC::DFG::Graph::logAssertionFailure):
2550         (JSC::DFG::crash): Deleted.
2551         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
2552         * dfg/DFGGraph.h:
2553
2554 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2555
2556         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
2557         https://bugs.webkit.org/show_bug.cgi?id=174053
2558
2559         Reviewed by Geoffrey Garen.
2560
2561         We already have AbstractMacroAssembler::random() function. Use it instead.
2562
2563         * jit/JIT.cpp:
2564         (JSC::JIT::JIT):
2565         (JSC::JIT::compileWithoutLinking):
2566         * jit/JIT.h:
2567
2568 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2569
2570         [WTF] Drop SymbolRegistry::keyForSymbol
2571         https://bugs.webkit.org/show_bug.cgi?id=174052
2572
2573         Reviewed by Sam Weinig.
2574
2575         * runtime/SymbolConstructor.cpp:
2576         (JSC::symbolConstructorKeyFor):
2577
2578 2017-06-30  Saam Barati  <sbarati@apple.com>
2579
2580         B3ReduceStrength should reduce EqualOrUnordered over const float input
2581         https://bugs.webkit.org/show_bug.cgi?id=174039
2582
2583         Reviewed by Michael Saboff.
2584
2585         We perform this folding for ConstDoubleValue. It is simply
2586         an oversight that we didn't do it for ConstFloatValue.
2587
2588         * b3/B3ConstFloatValue.cpp:
2589         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
2590         * b3/B3ConstFloatValue.h:
2591         * b3/testb3.cpp:
2592         (JSC::B3::testFloatEqualOrUnorderedFolding):
2593         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
2594         (JSC::B3::testFloatEqualOrUnorderedDontFold):
2595         (JSC::B3::run):
2596
2597 2017-06-30  Matt Baker  <mattbaker@apple.com>
2598
2599         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
2600         https://bugs.webkit.org/show_bug.cgi?id=173840
2601         <rdar://problem/30840820>
2602
2603         Reviewed by Joseph Pecoraro.
2604
2605         When truncating an asynchronous stack trace, the parent chain is traversed
2606         until a locked node is found. The path from this node to the root is shared
2607         by more than one stack trace, and cannot be safely modified. Starting at
2608         the first locked node, the path is cloned and becomes a new stack trace tree.
2609
2610         However, the clone operation initialized each new AsyncStackTrace node with
2611         the original node's parent. This would increment the child count of the original
2612         node. When cloning nodes, new nodes should not have their parent set until the
2613         next node up the parent chain is cloned.
2614
2615         * inspector/AsyncStackTrace.cpp:
2616         (Inspector::AsyncStackTrace::truncate):
2617
2618 2017-06-30  Michael Saboff  <msaboff@apple.com>
2619
2620         RegExps anchored with .* with \g flag can return wrong match start for strings with multiple matches
2621         https://bugs.webkit.org/show_bug.cgi?id=174044
2622
2623         Reviewed by Oliver Hunt.
2624
2625         The .* enclosure optimization didn't respect that we can start matching from a non-zero
2626         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
2627         then finding the extent of the match by going back to the beginning of the line and going
2628         forward to the end of the line.  The code that went back to the beginning of the line
2629         checked for an index of 0 instead of comparing the index to the start position.  This start
2630         position is passed as the initial index.
2631
2632         Added another temporary register to the YARR JIT to contain the start position for
2633         platforms that have spare registers.
2634
2635         * yarr/Yarr.h:
2636         * yarr/YarrInterpreter.cpp:
2637         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
2638         (JSC::Yarr::Interpreter::Interpreter):
2639         * yarr/YarrJIT.cpp:
2640         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
2641         (JSC::Yarr::YarrGenerator::compile):
2642         * yarr/YarrPattern.cpp:
2643         (JSC::Yarr::YarrPattern::YarrPattern):
2644         * yarr/YarrPattern.h:
2645         (JSC::Yarr::YarrPattern::reset):
2646
2647 2017-06-30  Saam Barati  <sbarati@apple.com>
2648
2649         B3MoveConstants floatZero() returns the wrong ValueKey
2650         https://bugs.webkit.org/show_bug.cgi?id=174040
2651
2652         Reviewed by Filip Pizlo.
2653
2654         It had a typo where the ValueKey for floatZero() produces a Double
2655         instead of a Float.
2656
2657         * b3/B3MoveConstants.cpp:
2658
2659 2017-06-30  Saam Barati  <sbarati@apple.com>
2660
2661         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
2662         https://bugs.webkit.org/show_bug.cgi?id=174034
2663         <rdar://problem/30793007>
2664
2665         Reviewed by Filip Pizlo.
2666
2667         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
2668         reduce binary operations over double constants into the same binary
2669         operation over the double constants casted to floats. This is clearly
2670         incorrect as these two things will produce different values. For example:
2671         
2672         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
2673         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
2674         c = EqualOrUnordered(@a, @b) // produces 0
2675         
2676         into:
2677         
2678         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
2679         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
2680         c = EqualOrUnordered(@a, @b) // produces 1
2681         
2682         Which produces a different value for @c.
2683
2684         * b3/B3ReduceDoubleToFloat.cpp:
2685         * b3/testb3.cpp:
2686         (JSC::B3::doubleEq):
2687         (JSC::B3::doubleNeq):
2688         (JSC::B3::doubleGt):
2689         (JSC::B3::doubleGte):
2690         (JSC::B3::doubleLt):
2691         (JSC::B3::doubleLte):
2692         (JSC::B3::testDoubleLiteralComparison):
2693         (JSC::B3::run):
2694
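The double-constant comparison from the entry above, carried through in C as an added example (not B3's code): the original EqualOrUnordered over the two doubles yields 0, the same comparison after narrowing both constants to float yields 1. The narrowing_is_exact guard is my own illustration of the property a value-preserving reduction would need, not the fix that landed.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reinterpret a raw 64-bit pattern as a double (bitwise_cast<double> in the entry). */
static double double_from_bits(uint64_t bits)
{
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

/* B3's EqualOrUnordered: true when the operands are equal or either is NaN. */
static bool equal_or_unordered_double(double a, double b)
{
    return a == b || a != a || b != b;
}

static bool equal_or_unordered_float(float a, float b)
{
    return a == b || a != a || b != b;
}

/* The comparison as written in the IR: EqualOrUnordered over the double constants. */
static bool original_compare(uint64_t a_bits, uint64_t b_bits)
{
    return equal_or_unordered_double(double_from_bits(a_bits), double_from_bits(b_bits));
}

/* The incorrect reduction: static_cast<float> both constants, then compare as floats.
   0x8000000000000001 is a negative subnormal (about -4.9e-324); narrowing it to float
   underflows to -0.0f, which compares equal to 0.0f, so the result flips from 0 to 1. */
static bool reduced_compare(uint64_t a_bits, uint64_t b_bits)
{
    float a = (float)double_from_bits(a_bits);
    float b = (float)double_from_bits(b_bits);
    return equal_or_unordered_float(a, b);
}

/* Hypothetical guard (mine, not B3's): narrowing a double constant is only value-preserving
   when widening the float back reproduces the identical bit pattern. NaN is rejected
   outright because payload and signalling bits may not survive the round trip. */
static bool narrowing_is_exact(uint64_t bits)
{
    double d = double_from_bits(bits);
    if (d != d)
        return false;
    double back = (double)(float)d;
    uint64_t back_bits;
    memcpy(&back_bits, &back, sizeof back_bits);
    return back_bits == bits;
}

int main(void)
{
    /* Constructed inputs: the two constants quoted in the entry. */
    uint64_t a = 0x8000000000000001ull;
    uint64_t b = 0x0000000000000000ull;
    printf("EqualOrUnordered over doubles: %d\n", original_compare(a, b)); /* 0 */
    printf("EqualOrUnordered over floats:  %d\n", reduced_compare(a, b));  /* 1 */
    printf("narrowing 0x%016llx exact: %d\n", (unsigned long long)a, narrowing_is_exact(a)); /* 0 */
    return 0;
}
```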
2695 2017-06-29  Jer Noble  <jer.noble@apple.com>
2696
2697         Make Legacy EME API controlled by RuntimeEnabled setting.
2698         https://bugs.webkit.org/show_bug.cgi?id=173994
2699
2700         Reviewed by Sam Weinig.
2701
2702         * Configurations/FeatureDefines.xcconfig:
2703         * runtime/CommonIdentifiers.h:
2704
2705 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
2706
2707         Ran sort-Xcode-project-file.
2708
2709         * JavaScriptCore.xcodeproj/project.pbxproj:
2710
2711 2017-06-30  Matt Lewis  <jlewis3@apple.com>
2712
2713         Unreviewed, rolling out r218992.
2714
2715         The patch broke the iOS device builds.
2716
2717         Reverted changeset:
2718
2719         "DFG_ASSERT should allow stuffing registers before trapping."
2720         https://bugs.webkit.org/show_bug.cgi?id=174005
2721         http://trac.webkit.org/changeset/218992
2722
2723 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
2724
2725         RegExpCachedResult::setInput should reify left and right contexts
2726         https://bugs.webkit.org/show_bug.cgi?id=173818
2727
2728         Reviewed by Keith Miller.
2729         
2730         If you don't reify them in setInput, then when you later try to reify them, you'll end up
2731         using indices into an old input string to create a substring of a new input string. That
2732         never goes well.
2733
2734         * runtime/RegExpCachedResult.cpp:
2735         (JSC::RegExpCachedResult::setInput):
2736
2737 2017-06-30  Keith Miller  <keith_miller@apple.com>
2738
2739         DFG_ASSERT should allow stuffing registers before trapping.
2740         https://bugs.webkit.org/show_bug.cgi?id=174005
2741
2742         Reviewed by Mark Lam.
2743
2744         DFG_ASSERT currently prints error data to stderr before crashing,
2745         which is nice for local development. In the wild, however, we
2746         can't see this information in crash logs. This patch enables
2747         stuffing some of the most useful information from DFG_ASSERTS into
2748         up to five registers right before crashing. The values stuffed
2749         should not impact any logging during local development.
2750
2751         * assembler/AbortReason.h:
2752         * dfg/DFGAbstractInterpreterInlines.h:
2753         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
2754         * dfg/DFGGraph.cpp:
2755         (JSC::DFG::logForCrash):
2756         (JSC::DFG::Graph::logAssertionFailure):
2757         (JSC::DFG::crash): Deleted.
2758         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
2759         * dfg/DFGGraph.h:
2760
2761 2017-06-29  Saam Barati  <sbarati@apple.com>
2762
2763         Calculating postCapacity in unshiftCountSlowCase is wrong
2764         https://bugs.webkit.org/show_bug.cgi?id=173992
2765         <rdar://problem/32283199>
2766
2767         Reviewed by Keith Miller.
2768
2769         This patch fixes a bug inside unshiftCountSlowCase where we would use
2770         more memory than we allocated. The bug was when deciding how much extra
2771         space we have after the vector we've allocated. This area is called the
2772         postCapacity. The largest legal postCapacity value we could use is the
2773         space we allocated minus the space we need:
2774         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
2775         However, the code was calculating the postCapacity as:
2776         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
2777         
2778         where count is how many elements we're appending. Depending on the inputs,
2779         count could be larger than (newStorageCapacity - requiredVectorLength). This
2780         would cause us to use more memory than we actually allocated.
2781
2782         * runtime/JSArray.cpp:
2783         (JSC::JSArray::unshiftCountSlowCase):
2784
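The postCapacity arithmetic from the entry above, modelled in C as an added example (not JSC's JSArray code): with a constructed allocation of 112 slots for 10 existing plus 100 unshifted elements, the max(slack, count) formula claims 98 slots past the end of the allocation, while the largest legal value stays inside it. The storage layout and slot counts are assumptions for illustration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical model of the bookkeeping described in the entry above. An
 * array's vector of `vectorLength` slots lives inside a storage block of
 * `newStorageCapacity` slots; making room for `count` more elements means the
 * vector must grow to requiredVectorLength = vectorLength + count, and whatever
 * is left over in the block may be handed out as postCapacity (spare slots
 * after the vector).
 */

static size_t max_size(size_t a, size_t b) { return a > b ? a : b; }

/* postCapacity as computed before the fix (buggy == true) or as the largest
   legal value, newStorageCapacity - requiredVectorLength (buggy == false).
   The caller must have allocated at least requiredVectorLength slots, so the
   subtraction never wraps. */
static size_t post_capacity(size_t vectorLength, size_t count,
                            size_t newStorageCapacity, bool buggy)
{
    size_t requiredVectorLength = vectorLength + count;
    assert(newStorageCapacity >= requiredVectorLength);
    size_t slack = newStorageCapacity - requiredVectorLength;
    /* The buggy formula takes max(slack, count): whenever count exceeds the
       slack, postCapacity covers slots that were never allocated. */
    return buggy ? max_size(slack, count) : slack;
}

/* Number of slots the resulting layout would touch beyond the allocation
   (0 means the vector plus its postCapacity fits in the block). */
static size_t slots_overrun(size_t vectorLength, size_t count,
                            size_t newStorageCapacity, bool buggy)
{
    size_t used = vectorLength + count
                + post_capacity(vectorLength, count, newStorageCapacity, buggy);
    return used > newStorageCapacity ? used - newStorageCapacity : 0;
}

int main(void)
{
    /* Constructed inputs: 10 existing elements, 100 being unshifted, and an
       allocator that handed back 112 slots, leaving a slack of only 2. */
    printf("buggy overrun: %zu slots\n", slots_overrun(10, 100, 112, true));  /* 98 */
    printf("fixed overrun: %zu slots\n", slots_overrun(10, 100, 112, false)); /* 0 */
    /* With a small count the two formulas agree, which is why the bug could hide. */
    printf("small count, buggy overrun: %zu slots\n", slots_overrun(10, 2, 64, true)); /* 0 */
    return 0;
}
```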
2785 2017-06-29  Commit Queue  <commit-queue@webkit.org>
2786
2787         Unreviewed, rolling out r218512.
2788         https://bugs.webkit.org/show_bug.cgi?id=173981
2789
2790         "It changes the behavior of the JS API's JSEvaluateScript
2791         which breaks TurboTax" (Requested by saamyjoon on #webkit).
2792
2793         Reverted changeset:
2794
2795         "test262: Completion values for control flow do not match the
2796         spec"
2797         https://bugs.webkit.org/show_bug.cgi?id=171265
2798         http://trac.webkit.org/changeset/218512
2799
2800 2017-06-29  JF Bastien  <jfbastien@apple.com>
2801
2802         WebAssembly: disable some APIs under CSP
2803         https://bugs.webkit.org/show_bug.cgi?id=173892
2804         <rdar://problem/32914613>
2805
2806         Reviewed by Daniel Bates.
2807
2808         We should disable parts of WebAssembly under Content Security
2809         Policy as discussed here:
2810
2811         https://github.com/WebAssembly/design/issues/1092
2812
2813         Exactly what should be disabled isn't super clear, so we may as
2814         well be conservative and disable many things if developers already
2815         opted into CSP. It's easy to loosen what we disable later.
2816
2817         This patch disables:
2818         - WebAssembly.Instance
2819         - WebAssembly.instantiate
2820         - WebAssembly.Memory
2821         - WebAssembly.Table
2822
2823         And leaves:
2824         - WebAssembly on the global object
2825         - WebAssembly.Module
2826         - WebAssembly.compile
2827         - WebAssembly.CompileError
2828         - WebAssembly.LinkError
2829
2830         Nothing because currently unimplemented:
2831         - WebAssembly.compileStreaming
2832         - WebAssembly.instantiateStreaming
2833
2834         That way it won't be possible to call WebAssembly-compiled code,
2835         or create memories (which use fancy 4GiB allocations
2836         sometimes). Table isn't really useful on its own, and eventually
2837         we may make them shareable so without more details it seems benign
2838         to disable them (and useless if we don't).
2839
2840         I haven't done anything with postMessage, so you can still
2841         postMessage a WebAssembly.Module cross-CSP, but you can't
2842         instantiate it so it's useless. Because of this I elected to leave
2843         WebAssembly.Module and friends available.
2844
2845         I haven't added any new directives. It's still unsafe-eval. We can
2846         add something else later, but it seems odd to add WebAssembly as
2847         a new capability and tell developers "you should have been using
2848         this directive which we just implemented if you wanted to disable
2849         WebAssembly which didn't exist when you adopted CSP". So IMO we
2850         should keep unsafe-eval as it currently is, add WebAssembly to
2851         what it disables, and later consider having two new directives
2852         which do each individually or something.
2853
2854         In all cases I throw an EvalError *before* other WebAssembly
2855         errors would be produced.
2856
2857         Note that, as for eval, reporting doesn't work and is tracked by
2858         https://webkit.org/b/111869
2859
2860         * runtime/JSGlobalObject.cpp:
2861         (JSC::JSGlobalObject::JSGlobalObject):
2862         * runtime/JSGlobalObject.h:
2863         (JSC::JSGlobalObject::webAssemblyEnabled):
2864         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
2865         (JSC::JSGlobalObject::setWebAssemblyEnabled):
2866         * wasm/js/JSWebAssemblyInstance.cpp:
2867         (JSC::JSWebAssemblyInstance::create):
2868         * wasm/js/JSWebAssemblyMemory.cpp:
2869         (JSC::JSWebAssemblyMemory::create):
2870         * wasm/js/JSWebAssemblyMemory.h:
2871         * wasm/js/JSWebAssemblyTable.cpp:
2872         (JSC::JSWebAssemblyTable::create):
2873         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2874         (JSC::constructJSWebAssemblyMemory):
2875
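An added example, not WebKit code: a defender-side probe for the behaviour the entry above describes. It assumes a browser that implements this patch, where the constructors listed as disabled throw an EvalError before any CompileError or LinkError could be raised; outside a CSP-restricted page (for instance in Node) every probe simply reports 'ok'. The module bytes are constructed.

```javascript
// Added example, not WebKit code: probe which WebAssembly constructors a page may
// still use under its Content Security Policy. With the patch above, a CSP without
// 'unsafe-eval' makes WebAssembly.Instance, instantiate, Memory and Table throw an
// EvalError before any WebAssembly-specific error, while WebAssembly.Module and
// WebAssembly.compile keep working. Classifying by error class lets a site owner
// confirm that instantiation is blocked by policy rather than by a broken module.

// Constructed input: the smallest valid module, the "\0asm" magic plus version 1.
const EMPTY_MODULE = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);
// Constructed input: bytes that are not a module at all, to exercise CompileError.
const NOT_A_MODULE = new Uint8Array([0xde, 0xad, 0xbe, 0xef]);

// Run fn and reduce its outcome to a short label.
function classify(fn) {
  try {
    fn();
    return 'ok';
  } catch (e) {
    if (e instanceof EvalError) return 'blocked-by-csp';   // thrown first under CSP
    if (e instanceof WebAssembly.CompileError) return 'CompileError';
    if (e instanceof WebAssembly.LinkError) return 'LinkError';
    return e && e.name ? e.name : 'unknown';
  }
}

// Probe the constructors the entry lists as disabled and the one it leaves alone.
function probeWebAssembly() {
  if (typeof WebAssembly === 'undefined') return { available: false };
  const module = classify(() => new WebAssembly.Module(EMPTY_MODULE));
  const instance = classify(() => new WebAssembly.Instance(new WebAssembly.Module(EMPTY_MODULE)));
  const memory = classify(() => new WebAssembly.Memory({ initial: 1 }));
  const table = classify(() => new WebAssembly.Table({ initial: 0, element: 'anyfunc' }));
  return { available: true, module, instance, memory, table };
}

// True when the policy does what the entry intends: compiling is still allowed,
// but nothing compiled can be instantiated or given memory.
function cspBlocksExecution(report) {
  return report.available && report.module === 'ok'
    && report.instance === 'blocked-by-csp' && report.memory === 'blocked-by-csp';
}
```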
2876 2017-06-28  Keith Miller  <keith_miller@apple.com>
2877
2878         VMTraps has some races
2879         https://bugs.webkit.org/show_bug.cgi?id=173941
2880
2881         Reviewed by Michael Saboff.
2882
2883         This patch refactors much of the VMTraps API.
2884
2885         On the message sending side:
2886
2887         1) No longer uses the Yarr JIT check to determine if we are in
2888         RegExp code. That was unsound because RegExp JIT code can be run
2889         on compilation threads.  Instead it looks at the current frame's
2890         code block slot and checks if it is valid, which is the same as
2891         what it did for JIT code previously.
2892
2893         2) Only have one signal sender thread; previously, there could be
2894         many at once, which caused some data races. Additionally, the
2895         signal sender thread is an automatic thread so it will deallocate
2896         itself when not in use.
2897
2898         On the VMTraps breakpoint side:
2899
2900         1) We now have a true mapping of whether we hit a breakpoint instead of
2901         a JIT assertion. So the exception handler won't eat JIT assertions
2902         anymore.
2903
2904         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
2905         them instead of every CodeBlock on the stack. This both prevents
2906         us from hitting stale VMTraps breakpoints and also doesn't OSR
2907         codeblocks that otherwise don't need to be jettisoned.
2908
2909         3) The old exception handler could theoretically fail for a couple
2910         of reasons then resume execution with a clobbered instruction
2911         set. This patch will kill the program if the exception handler
2912         would fail.
2913
2914         This patch also refactors some of the jsc.cpp functions to take the
2915         CommandLine options object instead of individual options. Also, there
2916         is a new command line option that makes exceptions due to watchdog
2917         timeouts an acceptable result.
2918
2919         * API/tests/testapi.c:
2920         (main):
2921         * bytecode/CodeBlock.cpp:
2922         (JSC::CodeBlock::installVMTrapBreakpoints):
2923         * dfg/DFGCommonData.cpp:
2924         (JSC::DFG::pcCodeBlockMap):
2925         (JSC::DFG::CommonData::invalidate):
2926         (JSC::DFG::CommonData::~CommonData):
2927         (JSC::DFG::CommonData::installVMTrapBreakpoints):
2928         (JSC::DFG::codeBlockForVMTrapPC):
2929         * dfg/DFGCommonData.h:
2930         * jsc.cpp:
2931         (functionDollarAgentStart):
2932         (checkUncaughtException):
2933         (checkException):
2934         (runWithOptions):
2935         (printUsageStatement):
2936         (CommandLine::parseArguments):
2937         (jscmain):
2938         (runWithScripts): Deleted.
2939         * runtime/JSLock.cpp:
2940         (JSC::JSLock::didAcquireLock):
2941         * runtime/VMTraps.cpp:
2942         (JSC::sanitizedTopCallFrame):
2943         (JSC::VMTraps::tryInstallTrapBreakpoints):
2944         (JSC::VMTraps::willDestroyVM):
2945         (JSC::VMTraps::fireTrap):
2946         (JSC::VMTraps::handleTraps):
2947         (JSC::VMTraps::VMTraps):
2948         (JSC::VMTraps::~VMTraps):
2949         (JSC::findActiveVMAndStackBounds): Deleted.
2950         (JSC::installSignalHandler): Deleted.
2951         (JSC::VMTraps::addSignalSender): Deleted.
2952         (JSC::VMTraps::removeSignalSender): Deleted.
2953         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
2954         (JSC::VMTraps::SignalSender::send): Deleted.
2955         * runtime/VMTraps.h:
2956         (JSC::VMTraps::~VMTraps): Deleted.
2957         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
2958
2959 2017-06-28  Devin Rousso  <drousso@apple.com>
2960
2961         Web Inspector: Instrument active pixel memory used by canvases
2962         https://bugs.webkit.org/show_bug.cgi?id=173087
2963         <rdar://problem/32719261>
2964
2965         Reviewed by Joseph Pecoraro.
2966
2967         * inspector/protocol/Canvas.json:
2968          - Add optional `memoryCost` attribute to the `Canvas` type.
2969          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
2970
2971 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
2972
2973         Web Inspector: Cleanup Protocol JSON files
2974         https://bugs.webkit.org/show_bug.cgi?id=173934
2975
2976         Reviewed by Matt Baker.
2977
2978         * inspector/protocol/ApplicationCache.json:
2979         * inspector/protocol/CSS.json:
2980         * inspector/protocol/Console.json:
2981         * inspector/protocol/DOM.json:
2982         * inspector/protocol/DOMDebugger.json:
2983         * inspector/protocol/Debugger.json:
2984         * inspector/protocol/LayerTree.json:
2985         * inspector/protocol/Network.json:
2986         * inspector/protocol/Page.json:
2987         * inspector/protocol/Runtime.json:
2988         Be more consistent about placement of `description` property.
2989
2990 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
2991
2992         Web Inspector: Remove unused Inspector domain events
2993         https://bugs.webkit.org/show_bug.cgi?id=173905
2994
2995         Reviewed by Matt Baker.
2996
2997         * inspector/protocol/Inspector.json:
2998
2999 2017-06-28  JF Bastien  <jfbastien@apple.com>
3000
3001         Ensure that computed new stack pointer values do not underflow.
3002         https://bugs.webkit.org/show_bug.cgi?id=173700
3003         <rdar://problem/32926032>
3004
3005         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
3006
3007         Patch by Mark Lam, with the following fix:
3008
3009         Re-apply this patch, it originally broke the ARM build because the llint code
3010         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
3011         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
3012         and operands to emit valid code (because the second operand can be SP).
3013
3014         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
3015            m_numCalleeLocals is sane.
3016
3017         2. Added underflow checks in LLInt code and VarargsFrame code.
3018
3019         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
3020            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
3021            Ensure that Options::softReservedZoneSize() is greater than
3022            Options::reservedZoneSize() by at least minimumReservedZoneSize.
3023
3024         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
3025            and only if the max size of the frame is greater than Options::reservedZoneSize().
3026
3027            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
3028            of memory at the bottom (end) of the stack.  This means that, at any time, the
3029            frame pointer must be at least Options::reservedZoneSize() bytes away from the
3030            end of the stack.  Hence, if the max frame size is less than
3031            Options::reservedZoneSize(), there's no way that frame pointer - max
3032            frame size can underflow, and we can elide the underflow check.
3033
3034            Note that we use Options::reservedZoneSize() instead of
3035            Options::softReservedZoneSize() to determine whether we need an underflow check.
3036            This is because the softStackLimit that is used for stack checks can be set
3037            based on Options::reservedZoneSize() during error handling (e.g. when creating
3038            strings for instantiating the Error object).  Hence, the guaranteed minimum of
3039            distance between the frame pointer and the end of the stack is
3040            Options::reservedZoneSize() and not Options::softReservedZoneSize().
3041
3042            Note also that we ensure that Options::reservedZoneSize() is at least
3043            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
3044            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
3045            instead of minimumReservedZoneSize gives us more chances to elide underflow
3046            checks.
3047
3048         * JavaScriptCore.xcodeproj/project.pbxproj:
3049         * bytecompiler/BytecodeGenerator.cpp:
3050         (JSC::BytecodeGenerator::generate):
3051         * dfg/DFGGraph.cpp:
3052         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
3053         * dfg/DFGJITCompiler.cpp:
3054         (JSC::DFG::emitStackOverflowCheck):
3055         (JSC::DFG::JITCompiler::compile):
3056         (JSC::DFG::JITCompiler::compileFunction):
3057         * ftl/FTLLowerDFGToB3.cpp:
3058         (JSC::FTL::DFG::LowerDFGToB3::lower):
3059         * jit/JIT.cpp:
3060         (JSC::JIT::compileWithoutLinking):
3061         * jit/SetupVarargsFrame.cpp:
3062         (JSC::emitSetupVarargsFrameFastCase):
3063         * llint/LLIntSlowPaths.cpp:
3064         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3065         * llint/LowLevelInterpreter.asm:
3066         * llint/LowLevelInterpreter32_64.asm:
3067         * llint/LowLevelInterpreter64.asm:
3068         * runtime/MinimumReservedZoneSize.h: Added.
3069         * runtime/Options.cpp:
3070         (JSC::recomputeDependentOptions):
3071         * runtime/VM.cpp:
3072         (JSC::VM::updateStackLimits):
3073         * wasm/WasmB3IRGenerator.cpp:
3074         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3075         * wasm/js/WebAssemblyFunction.cpp:
3076         (JSC::callWebAssemblyFunction):
3077
3078 2017-06-28  Chris Dumez  <cdumez@apple.com>
3079
3080         Unreviewed, rolling out r218869.
3081
3082         Broke the iOS build
3083
3084         Reverted changeset:
3085
3086         "Ensure that computed new stack pointer values do not
3087         underflow."
3088         https://bugs.webkit.org/show_bug.cgi?id=173700
3089         http://trac.webkit.org/changeset/218869
3090
3091 2017-06-28  Chris Dumez  <cdumez@apple.com>
3092
3093         Unreviewed, rolling out r218873.
3094
3095         Broke the iOS build
3096
3097         Reverted changeset:
3098
3099         "Gardening: CLoop build fix."
3100         https://bugs.webkit.org/show_bug.cgi?id=173700
3101         http://trac.webkit.org/changeset/218873
3102
3103 2017-06-28  Mark Lam  <mark.lam@apple.com>
3104
3105         Gardening: CLoop build fix.
3106         https://bugs.webkit.org/show_bug.cgi?id=173700
3107         <rdar://problem/32926032>
3108
3109         Not reviewed.
3110
3111         * llint/LLIntSlowPaths.cpp:
3112         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3113
3114 2017-06-28  Mark Lam  <mark.lam@apple.com>
3115
3116         Ensure that computed new stack pointer values do not underflow.
3117         https://bugs.webkit.org/show_bug.cgi?id=173700
3118         <rdar://problem/32926032>
3119
3120         Reviewed by Filip Pizlo and Saam Barati.
3121
3122         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
3123            m_numCalleeLocals is sane.
3124
3125         2. Added underflow checks in LLInt code and VarargsFrame code.
3126
3127         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
3128            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
3129            Ensure that Options::softReservedZoneSize() is greater than
3130            Options::reservedZoneSize() by at least minimumReservedZoneSize.
3131
3132         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
3133            and only if the max size of the frame is greater than Options::reservedZoneSize().
3134
3135            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
3136            of memory at the bottom (end) of the stack.  This means that, at any time, the
3137            frame pointer must be at least Options::reservedZoneSize() bytes away from the
3138            end of the stack.  Hence, if the max frame size is less than
3139            Options::reservedZoneSize(), there's no way that frame pointer - max
3140            frame size can underflow, and we can elide the underflow check.
3141
3142            Note that we use Options::reservedZoneSize() instead of
3143            Options::softReservedZoneSize() to determine whether we need an underflow check.
3144            This is because the softStackLimit that is used for stack checks can be set
3145            based on Options::reservedZoneSize() during error handling (e.g. when creating
3146            strings for instantiating the Error object).  Hence, the guaranteed minimum of
3147            distance between the frame pointer and the end of the stack is
3148            Options::reservedZoneSize() and not Options::softReservedZoneSize().
3149
3150            Note also that we ensure that Options::reservedZoneSize() is at least
3151            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
3152            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
3153            instead of minimumReservedZoneSize gives us more chances to elide underflow
3154            checks.
3155
3156         * JavaScriptCore.xcodeproj/project.pbxproj:
3157         * bytecompiler/BytecodeGenerator.cpp:
3158         (JSC::BytecodeGenerator::generate):
3159         * dfg/DFGGraph.cpp:
3160         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
3161         * dfg/DFGJITCompiler.cpp:
3162         (JSC::DFG::JITCompiler::compile):
3163         (JSC::DFG::JITCompiler::compileFunction):
3164         * ftl/FTLLowerDFGToB3.cpp:
3165         (JSC::FTL::DFG::LowerDFGToB3::lower):
3166         * jit/JIT.cpp:
3167         (JSC::JIT::compileWithoutLinking):
3168         * jit/SetupVarargsFrame.cpp:
3169         (JSC::emitSetupVarargsFrameFastCase):
3170         * llint/LLIntSlowPaths.cpp:
3171         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3172         * llint/LowLevelInterpreter.asm:
3173         * llint/LowLevelInterpreter32_64.asm:
3174         * llint/LowLevelInterpreter64.asm:
3175         * runtime/MinimumReservedZoneSize.h: Added.
3176         * runtime/Options.cpp:
3177         (JSC::recomputeDependentOptions):
3178         * runtime/VM.cpp:
3179         (JSC::VM::updateStackLimits):
3180         * wasm/WasmB3IRGenerator.cpp:
3181         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3182         * wasm/js/WebAssemblyFunction.cpp:
3183         (JSC::callWebAssemblyFunction):
3184
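The two entries for bug 173700 above (the original landing and its ARM64 re-apply) describe the same stack check and the same argument for eliding the underflow check. This added example, not JavaScriptCore code, models that check in JavaScript with BigInt arithmetic reduced modulo 2^64; the stack layout, addresses and frame sizes are constructed.

```javascript
// Added example, not JavaScriptCore code: a model of the stack check from the two
// entries for bug 173700 above. Addresses are BigInts reduced modulo 2^64 so that an
// underflow behaves as it would in a machine register. Layout is constructed: the
// stack grows downward, stackEnd is its lowest address, and the VM guarantees
// fp - stackEnd >= reservedZoneSize at all times.
const WORD = 1n << 64n;
const sub64 = (a, b) => (((a - b) % WORD) + WORD) % WORD; // wraps like a 64-bit subtract

// The check before the fix: if maxFrameSize exceeds fp the subtraction wraps to a
// huge value, which compares above the limit and lets an oversized frame through.
function naiveStackCheck(fp, maxFrameSize, softStackLimit) {
  const newSP = sub64(fp, maxFrameSize);
  return newSP >= softStackLimit; // true means "frame fits"
}

// Whether a JIT tier has to emit an underflow check for a frame of this maximum size.
// Because fp >= stackEnd + reservedZoneSize, a frame no larger than reservedZoneSize
// can never make fp - maxFrameSize wrap, so the check is elided (item 4 of the entry).
function needsUnderflowCheck(maxFrameSize, reservedZoneSize) {
  return maxFrameSize > reservedZoneSize;
}

// The fixed check: guard the subtraction only when it could actually underflow.
function fixedStackCheck(fp, maxFrameSize, softStackLimit, reservedZoneSize) {
  if (needsUnderflowCheck(maxFrameSize, reservedZoneSize) && fp < maxFrameSize)
    return false; // fp - maxFrameSize would wrap below zero: report stack overflow
  return sub64(fp, maxFrameSize) >= softStackLimit;
}

// Constructed scenario: a stack mapped at a low address and a frame larger than fp.
const reservedZoneSize = 16n * 1024n;          // minimumReservedZoneSize from the entry
const stackEnd = 0x10000n;                     // lowest usable address of the stack
const softStackLimit = stackEnd + 2n * reservedZoneSize;
const fp = stackEnd + 4n * reservedZoneSize;   // 0x20000: honours the invariant

function demo() {
  const hugeFrame = 0x30000n;    // larger than fp, so fp - hugeFrame wraps
  const normalFrame = 0x10000n;  // no wrap, but does not fit above the soft limit
  const smallFrame = 8n * 1024n; // at most reservedZoneSize: check is elided
  return {
    naiveAcceptsHugeFrame: naiveStackCheck(fp, hugeFrame, softStackLimit),
    fixedRejectsHugeFrame: !fixedStackCheck(fp, hugeFrame, softStackLimit, reservedZoneSize),
    bothRejectNormalOverflow: !naiveStackCheck(fp, normalFrame, softStackLimit)
      && !fixedStackCheck(fp, normalFrame, softStackLimit, reservedZoneSize),
    smallFrameElidesCheck: !needsUnderflowCheck(smallFrame, reservedZoneSize),
    smallFrameFits: fixedStackCheck(fp, smallFrame, softStackLimit, reservedZoneSize),
  };
}
```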
3185 2017-06-27  JF Bastien  <jfbastien@apple.com>
3186
3187         WebAssembly: running out of executable memory should throw OoM
3188         https://bugs.webkit.org/show_bug.cgi?id=171537
3189         <rdar://problem/32963338>
3190
3191         Reviewed by Saam Barati.
3192
3193         Both on first compile with BBQ as well as on tier-up with OMG,
3194         running out of X memory shouldn't cause the entire program to
3195         terminate. An exception will do when compiling initial code (since
3196         we don't have any other fallback at the moment), and refusal to
3197         tier up will do as well (it'll just be slower).
3198
3199         This is useful because programs which generate huge amounts of
3200         code simply look like crashes, which developers report to
3201         us. Getting a JavaScript exception instead is much clearer.
3202
3203         * jit/ExecutableAllocator.cpp:
3204         (JSC::ExecutableAllocator::allocate):
3205         * llint/LLIntSlowPaths.cpp:
3206         (JSC::LLInt::shouldJIT):
3207         * runtime/Options.h:
3208         * wasm/WasmBBQPlan.cpp:
3209         (JSC::Wasm::BBQPlan::prepare):
3210         (JSC::Wasm::BBQPlan::complete):
3211         * wasm/WasmBinding.cpp:
3212         (JSC::Wasm::wasmToJs):
3213         (JSC::Wasm::wasmToWasm):
3214         * wasm/WasmBinding.h:
3215         * wasm/WasmOMGPlan.cpp:
3216         (JSC::Wasm::OMGPlan::work):
3217         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3218         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
3219         * wasm/js/JSWebAssemblyCodeBlock.h:
3220         * wasm/js/JSWebAssemblyInstance.cpp:
3221         (JSC::JSWebAssemblyInstance::finalizeCreation):
3222
3223 2017-06-27  Saam Barati  <sbarati@apple.com>
3224
3225         JITStubRoutine::passesFilter should use isJITPC
3226         https://bugs.webkit.org/show_bug.cgi?id=173906
3227
3228         Reviewed by JF Bastien.
3229
3230         This patch makes JITStubRoutine use the isJITPC abstraction defined
3231         inside ExecutableAllocator.h. Before, JITStubRoutine was using a
3232         hardcoded platform size constant. This means it'd do the wrong thing
3233         if Options::jitMemoryReservationSize() was larger than the defined
3234         constant for that platform. This patch also removes a bunch of
3235         dead code in that file.
3236
3237         * jit/ExecutableAllocator.cpp:
3238         * jit/ExecutableAllocator.h:
3239         * jit/JITStubRoutine.h:
3240         (JSC::JITStubRoutine::passesFilter):
3241         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
3242         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
3243         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
3244
3245 2017-06-27  Saam Barati  <sbarati@apple.com>
3246
3247         Fix some stale comments in Wasm code base
3248         https://bugs.webkit.org/show_bug.cgi?id=173814
3249
3250         Reviewed by Mark Lam.
3251
3252         * wasm/WasmBinding.cpp:
3253         (JSC::Wasm::wasmToJs):
3254         * wasm/WasmOMGPlan.cpp:
3255         (JSC::Wasm::runOMGPlanForIndex):
3256
3257 2017-06-27  Caio Lima  <ticaiolima@gmail.com>
3258
3259         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
3260         https://bugs.webkit.org/show_bug.cgi?id=167962
3261
3262         Reviewed by Saam Barati.
3263
3264         Object Rest/Spread Destructuring proposal is in stage 3[1] and this
3265         patch is a prototype implementation of it. A simple change over the
3266         parser was necessary to support the new '...' token on Object Pattern
3267         destructuring rule. On the bytecode generator side, we changed the
3268         bytecode generated on ObjectPatternNode::bindValue to store in a
3269         set the identifiers of already destructured properties, following spec draft
3270         section[2], and then pass it as excludedNames to CopyDataProperties.
3271         The rest destructuring calls copyDataProperties to perform the
3272         copy of rest properties in rhs.
3273
3274         We also implemented CopyDataProperties as private JS global operation
3275         on builtins/GlobalOperations.js following its specification on [3].
3276         It is implemented using Set object to verify if a property is on
3277         excludedNames to keep this algorithm with O(n + m) complexity, where n
3278         = number of source's own properties and m = excludedNames.length.
3279
3280         In this implementation we aren't using excludeList as constant if
3281         destructuring pattern contains computed property, i.e. we can
3282         just determine the key to be excluded at runtime. If we can define all
3283         identifiers in the pattern at compile time, we then create a
3284         constant JSSet. This approach gives a good performance improvement,
3285         since we allocate the excludeSet just once, reducing GC pressure.
3286
3287         [1] - https://github.com/tc39/proposal-object-rest-spread
3288         [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
3289         [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties
3290
3291         * builtins/BuiltinNames.h:
3292         * builtins/GlobalOperations.js:
3293         (globalPrivate.copyDataProperties):
3294         * bytecode/CodeBlock.cpp:
3295         (JSC::CodeBlock::finishCreation):
3296         * bytecompiler/NodesCodegen.cpp:
3297         (JSC::ObjectPatternNode::bindValue):
3298         * parser/ASTBuilder.h:
3299         (JSC::ASTBuilder::appendObjectPatternEntry):
3300         (JSC::ASTBuilder::appendObjectPatternRestEntry):
3301         (JSC::ASTBuilder::setContainsObjectRestElement):
3302         * parser/Nodes.h:
3303         (JSC::ObjectPatternNode::appendEntry):
3304         (JSC::ObjectPatternNode::setContainsRestElement):
3305         * parser/Parser.cpp:
3306         (JSC::Parser<LexerType>::parseDestructuringPattern):
3307         (JSC::Parser<LexerType>::parseProperty):
3308         * parser/SyntaxChecker.h:
3309         (JSC::SyntaxChecker::operatorStackPop):
3310         * runtime/JSGlobalObject.cpp:
3311         (JSC::JSGlobalObject::init):
3312         * runtime/JSGlobalObject.h:
3313         (JSC::JSGlobalObject::asyncFunctionStructure):
3314         (JSC::JSGlobalObject::setStructure): Deleted.
3315         * runtime/JSGlobalObjectFunctions.cpp:
3316         (JSC::privateToObject):
3317         * runtime/JSGlobalObjectFunctions.h:
3318         * runtime/ObjectConstructor.cpp:
3319         (JSC::ObjectConstructor::finishCreation):
3320         * runtime/SetPrototype.cpp:
3321         (JSC::SetPrototype::finishCreation):
3322
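An added example, not the builtins/GlobalOperations.js code: the CopyDataProperties abstract operation from [3] above written in plain JavaScript, with excludedNames held in a Set as the entry describes, plus the way an object rest pattern feeds it. The sample object, its keys and the helper names are constructed for this example.

```javascript
// Added example, not the builtins/GlobalOperations.js code: CopyDataProperties with
// excludedNames in a Set, so each of the source's own properties costs one O(1)
// lookup and the whole copy stays O(n + m).
function copyDataProperties(target, source, excludedNames) {
  if (source === undefined || source === null) return target; // nothing to copy
  const from = Object(source);                                 // ToObject(source)
  const excluded = excludedNames instanceof Set ? excludedNames : new Set(excludedNames);
  // Reflect.ownKeys follows [[OwnPropertyKeys]]: string keys first, then symbols.
  for (const key of Reflect.ownKeys(from)) {
    if (excluded.has(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc === undefined || !desc.enumerable) continue;      // skip non-enumerable
    // CreateDataProperty: define on the target rather than assign, so no setter on
    // the target's prototype chain can intercept the copy.
    Object.defineProperty(target, key, {
      value: from[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// What `const { a, [k]: b, ...rest } = source` does with the pieces the entry
// describes: the keys already destructured (constant ones could live in a JSSet
// built at compile time, computed ones are only known here at runtime) become
// excludedNames. Keys are normalised the way ToPropertyKey would normalise them.
function destructureWithRest(source, destructuredKeys) {
  const excluded = new Set(destructuredKeys.map((k) => (typeof k === 'symbol' ? k : String(k))));
  return copyDataProperties({}, source, excluded);
}

// Constructed sample: two enumerable string keys, one non-enumerable key, one
// enumerable symbol key and an inherited property that must not be copied.
const tag = Symbol('tag');
const sample = Object.create({ inherited: 'no' }, {
  a: { value: 1, enumerable: true },
  b: { value: 2, enumerable: true },
  hidden: { value: 3, enumerable: false },
  [tag]: { value: 'sym', enumerable: true },
});
```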
3323 2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3324
3325         [JSC] Do not touch VM after notifying Ready in DFG::Worklist
3326         https://bugs.webkit.org/show_bug.cgi?id=173888
3327
3328         Reviewed by Saam Barati.
3329
3330         After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed.
3331         Thus, Plan::vm() can return a destroyed VM. Do not touch it.
3332         This causes occasional SEGV / assertion failures in workers/bomb test.
3333
3334         * dfg/DFGWorklist.cpp:
3335
3336 2017-06-27  Saam Barati  <sbarati@apple.com>
3337
3338         Remove an inaccurate comment inside DFGClobberize.h
3339         https://bugs.webkit.org/show_bug.cgi?id=163874
3340
3341         Reviewed by Filip Pizlo.
3342
3343         The comment said that Clobberize may or may not be sound if run prior to
3344         doing type inference. This is not correct, though. Clobberize *must* be sound
3345         prior to doing type inference since we use it inside the BytecodeParser, which
3346         is the very first thing the DFG does.
3347
3348         * dfg/DFGClobberize.h:
3349         (JSC::DFG::clobberize):
3350
3351 2017-06-27  Saam Barati  <sbarati@apple.com>
3352
3353         Function constructor needs to follow the spec and validate parameters and body independently
3354         https://bugs.webkit.org/show_bug.cgi?id=173303
3355         <rdar://problem/32732526>
3356
3357         Reviewed by Keith Miller.
3358
3359         The Function constructor must check the arguments and body strings
3360         independently for syntax errors. People rely on this specified behavior
3361         to verify that a particular string is a valid function body. We used
3362         to check these strings concatenated together, instead of
3363         independently. For example, this used to be valid: `Function("/*", "*/){")`.
3364         However, we should throw a syntax error here since "(/*)" is not a valid
3365         parameter list, and "*/){" is not a valid body.
3366         
3367         To implement the specified behavior, we check the syntax independently of
3368         both the body and the parameter list. To check that the parameter list has
3369         valid syntax, we check that it is valid if in a function with an empty body.
3370         To check that the body has valid syntax, we check it is valid in a function
3371         with an empty parameter list.
3372
3373         * runtime/FunctionConstructor.cpp:
3374         (JSC::constructFunctionSkippingEvalEnabledCheck):
3375
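An added example, not the FunctionConstructor.cpp code: the independent validation the entry above describes, done with the Function constructor itself, next to a parse of the concatenated text to show why the old approach accepted `Function("/*", "*/){")`. The helper names are constructed; nothing is executed, since the constructor only parses the function it builds.

```javascript
// Added example, not JavaScriptCore code: validate a parameter list and a body
// independently, as the spec requires. The parameter list is parsed inside a function
// with an empty body and the body inside a function with an empty parameter list, so
// neither string can open a comment or bracket that the other one closes.
function isSyntaxError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    if (e instanceof SyntaxError) return true;
    throw e; // anything else is not a parse problem and should surface
  }
}

// Report which of the two strings is invalid on its own.
function validateFunctionParts(params, body) {
  return {
    paramsValid: !isSyntaxError(() => new Function(params, '')),
    bodyValid: !isSyntaxError(() => new Function('', body)),
  };
}

// The pre-fix approach for comparison: parse only the concatenated source text that
// CreateDynamicFunction assembles. A comment opened in params and closed in body makes
// the whole text parse even though each half is garbage on its own.
function concatenatedTextParses(params, body) {
  const text = '(function anonymous(' + params + '\n) {\n' + body + '\n})';
  return !isSyntaxError(() => new Function('return ' + text));
}
```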
3376 2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>
3377
3378         Add missing includes to fix compilation error on FreeBSD
3379         https://bugs.webkit.org/show_bug.cgi?id=172919
3380
3381         Reviewed by Mark Lam.
3382
3383         * API/JSRemoteInspector.h:
3384         * API/tests/GlobalContextWithFinalizerTest.cpp:
3385         * API/tests/TypedArrayCTest.cpp:
3386
3387 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
3388
3389         Web Inspector: Crash generating object preview for ArrayIterator
3390         https://bugs.webkit.org/show_bug.cgi?id=173754
3391         <rdar://problem/32859012>
3392
3393         Reviewed by Saam Barati.
3394
3395         When Inspector generated an object preview for an ArrayIterator instance it made
3396         a "clone" of the original ArrayIterator instance by constructing a new object with
3397         the instance's structure. However, user code could have modified that instance's
3398         structure, such as adding / removing properties. The `return` property had special
3399         meaning, and our clone did not fill that slot. This approach is brittle in that
3400         we weren't satisfying the expectations of an object with a particular Structure,
3401         and the original goal of having Web Inspector peek values of built-in Iterators
3402         was to avoid observable behavior.
3403
3404         This tightens Web Inspector's Iterator preview to only peek values if the
3405         Iterators would actually be non-observable. It also builds an ArrayIterator
3406         clone like a regular object construction.
3407
3408         * inspector/JSInjectedScriptHost.cpp:
3409         (Inspector::cloneArrayIteratorObject):
3410         Build up the Object from scratch with a new ArrayIterator prototype.
3411
3412         (Inspector::JSInjectedScriptHost::iteratorEntries):
3413         Only clone and peek iterators if it would not be observable.
3414         Also update iteration to be more in line with IterationOperations, such as when
3415         we call iteratorClose.
3416
3417         * runtime/JSGlobalObject.cpp:
3418         (JSC::JSGlobalObject::JSGlobalObject):
3419         (JSC::JSGlobalObject::init):
3420         * runtime/JSGlobalObject.h:
3421         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
3422         * runtime/JSGlobalObjectInlines.h:
3423         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
3424         Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
3425
3426         * runtime/JSMap.cpp:
3427         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
3428         (JSC::JSMap::canCloneFastAndNonObservable):
3429         * runtime/JSMap.h:
3430         * runtime/JSSet.cpp:
3431         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
3432         (JSC::JSSet::canCloneFastAndNonObservable):
3433         * runtime/JSSet.h:
3434         Promote isIteratorProtocolFastAndNonObservable to a method.
3435
3436         * runtime/JSObject.cpp:
3437         (JSC::canDoFastPutDirectIndex):
3438         * runtime/JSTypeInfo.h:
3439         (JSC::TypeInfo::isArgumentsType):
3440         Helper to detect if an Object is an Arguments type.
3441
3442 2017-06-26  Saam Barati  <sbarati@apple.com>
3443
3444         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
3445         https://bugs.webkit.org/show_bug.cgi?id=173740
3446
3447         Reviewed by Mark Lam.
3448
3449         The builtin was using for-of iteration to iterate over an internal
3450         list in its algorithm. For-of iteration is observable via user code
3451         in the global object, so this approach was wrong as it would break if
3452         a user changed the Array iteration protocol in some way.
3453
3454         * builtins/RegExpPrototype.js:
3455         (replace):
3456
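An added example, not the RegExpPrototype.js builtin: the observability the entry above describes, shown on a constructed stand-in for a builtin's internal list. The for-of version consults Array.prototype[Symbol.iterator], which page script can replace; the index loop does not. The tampering is confined to one helper that restores the original iterator afterwards.

```javascript
// Added example, not the RegExpPrototype.js builtin: a builtin that walks an internal
// list with for-of leaks that list to user code through Array.prototype[Symbol.iterator]
// and can be made to misbehave; an index loop only performs [[Get]] on the indices.
// Constructed stand-in for the builtin's internal step: join captured substrings.
function joinWithForOf(parts) {
  let out = '';
  for (const p of parts) out += p; // observable: consults parts[Symbol.iterator]
  return out;
}

function joinWithIndexLoop(parts) {
  let out = '';
  for (let i = 0; i < parts.length; i++) out += parts[i]; // only [[Get]] on indices
  return out;
}

// Run fn while Array.prototype[Symbol.iterator] is replaced by an iterator that
// records every element it yields and reverses the order, then restore it so the
// tampering cannot escape this function.
function withTamperedArrayIterator(fn) {
  const original = Array.prototype[Symbol.iterator];
  const seen = [];
  Array.prototype[Symbol.iterator] = function* () {
    for (let i = this.length - 1; i >= 0; i--) {
      seen.push(this[i]);
      yield this[i];
    }
  };
  try {
    return { result: fn(), seen };
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
}

function demo() {
  const parts = ['a', 'b', 'c']; // constructed internal list
  const forOf = withTamperedArrayIterator(() => joinWithForOf(parts));
  const indexed = withTamperedArrayIterator(() => joinWithIndexLoop(parts));
  return { forOf, indexed };
}
```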
3457 2017-06-26  Mark Lam  <mark.lam@apple.com>
3458
3459         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
3460         https://bugs.webkit.org/show_bug.cgi?id=173848
3461
3462         Reviewed by JF Bastien.
3463
3464         This functor only dumps the return VirtualPC.
3465
3466         * interpreter/Interpreter.cpp:
3467         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
3468         (JSC::Interpreter::dumpRegisters):
3469         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
3470         (JSC::DumpRegisterFunctor::operator()): Deleted.
3471
3472 2017-06-26  Saam Barati  <sbarati@apple.com>
3473
3474         Crash in JSC::Lexer<unsigned char>::setCode
3475         https://bugs.webkit.org/show_bug.cgi?id=172754
3476
3477         Reviewed by Mark Lam.
3478
3479         The lexer was asking one of its buffers to reserve initial space that
3480         was O(text size in bytes). For large sources, this would end up causing
3481         the vector to overflow and crash. This patch changes this code to be like
3482         the Lexer's other buffers and to only reserve a small starting buffer.
3483
3484         * parser/Lexer.cpp:
3485         (JSC::Lexer<T>::setCode):
3486
3487 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3488
3489         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
3490         https://bugs.webkit.org/show_bug.cgi?id=173825
3491
3492         Reviewed by Saam Barati.
3493
3494         * jsc.cpp:
3495         (startTimeoutThreadIfNeeded):
3496         (timeoutThreadMain): Deleted.
3497
3498 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
3499
3500         Unreviewed, add missing header for CLoop
3501
3502         * runtime/SymbolTable.cpp:
3503
3504 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
3505
3506         Unreviewed, add missing header includes
3507
3508         * parser/Lexer.h:
3509
3510 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
3511
3512         Remove excessive headers from JavaScriptCore
3513         https://bugs.webkit.org/show_bug.cgi?id=173812
3514
3515         Reviewed by Darin Adler.
3516
3517         * API/APIUtils.h:
3518         * assembler/LinkBuffer.cpp:
3519         * assembler/MacroAssemblerCodeRef.cpp:
3520         * b3/air/AirLiveness.h:
3521         * b3/air/AirLowerAfterRegAlloc.cpp:
3522         * bindings/ScriptValue.cpp:
3523         * bindings/ScriptValue.h:
3524         * bytecode/AccessCase.cpp:
3525         * bytecode/AccessCase.h:
3526         * bytecode/ArrayProfile.h:
3527         * bytecode/BytecodeDumper.h:
3528         * bytecode/BytecodeIntrinsicRegistry.cpp:
3529         * bytecode/BytecodeKills.h:
3530         * bytecode/BytecodeLivenessAnalysis.h:
3531         * bytecode/BytecodeUseDef.h:
3532         * bytecode/CallLinkStatus.h:
3533         * bytecode/CodeBlock.h:
3534         * bytecode/CodeOrigin.h:
3535         * bytecode/ComplexGetStatus.h:
3536         * bytecode/GetByIdStatus.h:
3537         * bytecode/GetByIdVariant.h:
3538         * bytecode/InlineCallFrame.h:
3539         * bytecode/InlineCallFrameSet.h:
3540         * bytecode/Instruction.h:
3541         * bytecode/InternalFunctionAllocationProfile.h:
3542         * bytecode/JumpTable.h:
3543         * bytecode/MethodOfGettingAValueProfile.h:
3544         * bytecode/ObjectPropertyConditionSet.h:
3545         * bytecode/Operands.h:
3546         * bytecode/PolymorphicAccess.h:
3547         * bytecode/PutByIdStatus.h:
3548         * bytecode/SpeculatedType.cpp:
3549         * bytecode/StructureSet.h:
3550         * bytecode/StructureStubInfo.h:
3551         * bytecode/UnlinkedCodeBlock.h:
3552         * bytecode/UnlinkedFunctionExecutable.h:
3553         * bytecode/ValueProfile.h:
3554         * bytecompiler/BytecodeGenerator.cpp:
3555         * bytecompiler/BytecodeGenerator.h:
3556         * bytecompiler/Label.h:
3557         * bytecompiler/StaticPropertyAnalysis.h:
3558         * debugger/DebuggerCallFrame.cpp:
3559         * dfg/DFGAbstractInterpreter.h:
3560         * dfg/DFGAdjacencyList.h:
3561         * dfg/DFGArgumentsUtilities.h:
3562         * dfg/DFGArrayMode.h:
3563         * dfg/DFGArrayifySlowPathGenerator.h:
3564         * dfg/DFGBackwardsPropagationPhase.h:
3565         * dfg/DFGBasicBlock.h:
3566         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
3567         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3568         * dfg/DFGCapabilities.h:
3569         * dfg/DFGCommon.h:
3570         * dfg/DFGCommonData.h:
3571         * dfg/DFGDesiredIdentifiers.h:
3572         * dfg/DFGDesiredWatchpoints.h:
3573         * dfg/DFGDisassembler.cpp:
3574         * dfg/DFGDominators.h:
3575         * dfg/DFGDriver.cpp:
3576         * dfg/DFGDriver.h:
3577         * dfg/DFGEdgeDominates.h:
3578         * dfg/DFGFinalizer.h:
3579         * dfg/DFGGenerationInfo.h:
3580         * dfg/DFGJITCompiler.cpp:
3581         * dfg/DFGJITCompiler.h:
3582         * dfg/DFGJITFinalizer.h:
3583         * dfg/DFGLivenessAnalysisPhase.h:
3584         * dfg/DFGMinifiedNode.h:
3585         * dfg/DFGMultiGetByOffsetData.h:
3586         * dfg/DFGNaturalLoops.cpp:
3587         * dfg/DFGNaturalLoops.h:
3588         * dfg/DFGNode.h:
3589         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
3590         * dfg/DFGOSRExit.h:
3591         * dfg/DFGOSRExitCompilationInfo.h:
3592         * dfg/DFGOSRExitCompiler.cpp:
3593         * dfg/DFGOSRExitCompiler.h:
3594         * dfg/DFGOSRExitJumpPlaceholder.h:
3595         * dfg/DFGOperations.cpp:
3596         * dfg/DFGOperations.h:
3597         * dfg/DFGPlan.h:
3598         * dfg/DFGPreciseLocalClobberize.h:
3599         * dfg/DFGPromotedHeapLocation.h:
3600         * dfg/DFGRegisteredStructure.h:
3601         * dfg/DFGRegisteredStructureSet.h:
3602         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
3603         * dfg/DFGSlowPathGenerator.h:
3604         * dfg/DFGSnippetParams.h:
3605         * dfg/DFGSpeculativeJIT.h:
3606         * dfg/DFGToFTLDeferredCompilationCallback.h:
3607         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
3608         * dfg/DFGValidate.h:
3609         * dfg/DFGValueSource.h:
3610         * dfg/DFGVariableEvent.h:
3611         * dfg/DFGVariableEventStream.h:
3612         * dfg/DFGWorklist.h:
3613         * domjit/DOMJITCallDOMGetterSnippet.h:
3614         * domjit/DOMJITEffect.h:
3615         * ftl/FTLLink.cpp:
3616         * ftl/FTLLowerDFGToB3.cpp:
3617         * ftl/FTLPatchpointExceptionHandle.h:
3618         * heap/AllocatorAttributes.h:
3619         * heap/CodeBlockSet.h:
3620         * heap/DeferGC.h:
3621         * heap/GCSegmentedArray.h:
3622         * heap/Heap.cpp:
3623         * heap/Heap.h:
3624         * heap/IncrementalSweeper.h:
3625         * heap/ListableHandler.h:
3626         * heap/MachineStackMarker.h:
3627         * heap/MarkedAllocator.h:
3628         * heap/MarkedBlock.cpp:
3629         * heap/MarkedBlock.h:
3630         * heap/MarkingConstraint.h:
3631         * heap/SlotVisitor.cpp:
3632         * heap/SlotVisitor.h:
3633         * inspector/ConsoleMessage.cpp:
3634         * inspector/ConsoleMessage.h:
3635         * inspector/InjectedScript.h:
3636         * inspector/InjectedScriptHost.h:
3637         * inspector/InjectedScriptManager.cpp:
3638         * inspector/JSGlobalObjectInspectorController.cpp:
3639         * inspector/JavaScriptCallFrame.h:
3640         * inspector/ScriptCallStack.h:
3641         * inspector/ScriptCallStackFactory.cpp:
3642         * inspector/ScriptDebugServer.h:
3643         * inspector/agents/InspectorConsoleAgent.h:
3644         * inspector/agents/InspectorDebuggerAgent.cpp:
3645         * inspector/agents/InspectorDebuggerAgent.h:
3646         * inspector/agents/InspectorHeapAgent.cpp:
3647         * inspector/agents/InspectorHeapAgent.h:
3648         * inspector/agents/InspectorRuntimeAgent.h:
3649         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3650         * inspector/agents/InspectorScriptProfilerAgent.h:
3651         * inspector/agents/JSGlobalObjectConsoleAgent.h:
3652         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3653         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3654         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3655         * inspector/augmentable/AlternateDispatchableAgent.h:
3656         * interpreter/CLoopStack.h:
3657         * interpreter/CachedCall.h:
3658         * interpreter/CallFrame.h:
3659         * interpreter/Interpreter.cpp:
3660         * interpreter/Interpreter.h:
3661         * jit/AssemblyHelpers.cpp:
3662         * jit/AssemblyHelpers.h:
3663         * jit/CCallHelpers.h:
3664         * jit/CallFrameShuffler.h:
3665         * jit/ExecutableAllocator.h:
3666         * jit/GCAwareJITStubRoutine.h:
3667         * jit/HostCallReturnValue.h:
3668         * jit/ICStats.h:
3669         * jit/JIT.cpp:
3670         * jit/JIT.h:
3671         * jit/JITAddGenerator.h:
3672         * jit/JITCall32_64.cpp:
3673         * jit/JITCode.h:
3674         * jit/JITDisassembler.cpp:
3675         * jit/JITExceptions.cpp:
3676         * jit/JITMathIC.h:
3677         * jit/JITOpcodes.cpp:
3678         * jit/JITOperations.cpp:
3679         * jit/JITOperations.h:
3680         * jit/JITThunks.cpp:
3681         * jit/JITThunks.h:
3682         * jit/JSInterfaceJIT.h:
3683         * jit/PCToCodeOriginMap.h:
3684         * jit/PolymorphicCallStubRoutine.h:
3685         * jit/RegisterSet.h:
3686         * jit/Repatch.h:
3687         * jit/SetupVarargsFrame.h:
3688         * jit/Snippet.h:
3689         * jit/SnippetParams.h:
3690         * jit/ThunkGenerators.h:
3691         * jsc.cpp:
3692         * llint/LLIntCLoop.h:
3693         * llint/LLIntEntrypoint.h:
3694         * llint/LLIntExceptions.h:
3695         * llint/LLIntOfflineAsmConfig.h:
3696         * llint/LLIntSlowPaths.cpp:
3697         * parser/NodeConstructors.h:
3698         * parser/Nodes.cpp:
3699         * parser/Nodes.h:
3700         * parser/Parser.cpp:
3701         * parser/Parser.h:
3702         * parser/ParserTokens.h:
3703         * parser/SourceProviderCacheItem.h:
3704         * profiler/ProfilerBytecodeSequence.h:
3705         * profiler/ProfilerDatabase.cpp:
3706         * profiler/ProfilerDatabase.h:
3707         * profiler/ProfilerOrigin.h:
3708         * profiler/ProfilerOriginStack.h:
3709         * profiler/ProfilerProfiledBytecodes.h:
3710         * profiler/ProfilerUID.h:
3711         * runtime/AbstractModuleRecord.h:
3712         * runtime/ArrayConstructor.h:
3713         * runtime/ArrayConventions.h:
3714         * runtime/ArrayIteratorPrototype.h:
3715         * runtime/ArrayPrototype.h:
3716         * runtime/BasicBlockLocation.h:
3717         * runtime/Butterfly.h:
3718         * runtime/CallData.cpp:
3719         * runtime/CodeCache.h:
3720         * runtime/CommonSlowPaths.cpp:
3721         * runtime/CommonSlowPaths.h:
3722         * runtime/CommonSlowPathsExceptions.cpp:
3723         * runtime/Completion.cpp:
3724         * runtime/ControlFlowProfiler.h:
3725         * runtime/DateInstanceCache.h:
3726         * runtime/ErrorConstructor.h:
3727         * runtime/ErrorInstance.h:
3728         * runtime/ExceptionHelpers.cpp:
3729         * runtime/ExceptionHelpers.h:
3730         * runtime/ExecutableBase.h:
3731         * runtime/FunctionExecutable.h:
3732         * runtime/HasOwnPropertyCache.h:
3733         * runtime/Identifier.h:
3734         * runtime/InternalFunction.h:
3735         * runtime/IntlCollator.cpp:
3736         * runtime/IntlCollatorPrototype.h:
3737         * runtime/IntlDateTimeFormatPrototype.h:
3738         * runtime/IntlNumberFormat.cpp:
3739         * runtime/IntlNumberFormatPrototype.h:
3740         * runtime/IteratorOperations.cpp:
3741         * runtime/JSArray.h:
3742         * runtime/JSArrayBufferPrototype.h:
3743         * runtime/JSCJSValue.h:
3744         * runtime/JSCJSValueInlines.h:
3745         * runtime/JSCell.h:
3746         * runtime/JSFunction.cpp:
3747         * runtime/JSFunction.h:
3748         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3749         * runtime/JSGlobalObject.cpp:
3750         * runtime/JSGlobalObject.h:
3751         * runtime/JSGlobalObjectDebuggable.cpp:
3752         * runtime/JSGlobalObjectDebuggable.h:
3753         * runtime/JSGlobalObjectFunctions.cpp:
3754         * runtime/JSGlobalObjectFunctions.h:
3755         * runtime/JSJob.cpp:
3756         * runtime/JSLock.h:
3757         * runtime/JSModuleLoader.cpp:
3758         * runtime/JSModuleNamespaceObject.h:
3759         * runtime/JSModuleRecord.h:
3760         * runtime/JSObject.cpp:
3761         * runtime/JSObject.h:
3762         * runtime/JSRunLoopTimer.h:
3763         * runtime/JSTemplateRegistryKey.h:
3764         * runtime/JSTypedArrayPrototypes.cpp:
3765         * runtime/JSTypedArrayPrototypes.h:
3766         * runtime/JSTypedArrays.h:
3767         * runtime/LiteralParser.h:
3768         * runtime/MatchResult.h:
3769         * runtime/MemoryStatistics.h:
3770         * runtime/PrivateName.h:
3771         * runtime/PromiseDeferredTimer.h:
3772         * runtime/ProxyObject.h:
3773         * runtime/RegExp.h:
3774         * runtime/SamplingProfiler.cpp:
3775         * runtime/SmallStrings.h:
3776         * runtime/StringPrototype.cpp:
3777         * runtime/StringRecursionChecker.h:
3778         * runtime/Structure.h:
3779         * runtime/SymbolConstructor.h:
3780         * runtime/SymbolPrototype.cpp:
3781         * runtime/SymbolPrototype.h:
3782         * runtime/TypeProfiler.h:
3783         * runtime/TypeProfilerLog.h:
3784         * runtime/TypedArrayType.h:
3785         * runtime/VM.cpp:
3786         * runtime/VM.h:
3787         * runtime/VMEntryScope.h:
3788         * runtime/WeakMapData.h:
3789         * runtime/WriteBarrier.h:
3790         * tools/FunctionOverrides.cpp:
3791         * tools/FunctionOverrides.h:
3792         * wasm/WasmBinding.cpp:
3793         * wasm/js/JSWebAssemblyCodeBlock.h:
3794         * wasm/js/WebAssemblyPrototype.cpp:
3795         * yarr/Yarr.h:
3796         * yarr/YarrJIT.cpp:
3797         * yarr/YarrJIT.h:
3798         * yarr/YarrParser.h:
3799
3800 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3801
3802         [JSC] Clean up Object.entries implementation
3803         https://bugs.webkit.org/show_bug.cgi?id=173759
3804
3805         Reviewed by Sam Weinig.
3806
3807         This patch cleans up Object.entries implementation.
3808         We drop unused private functions. And we merge the
3809         implementation into Object.entries.
3810
3811         It slightly speeds up Object.entries speed.
3812
3813                                      baseline                  patched
3814
3815             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
3816
3817
3818         * builtins/BuiltinNames.h:
3819         * builtins/ObjectConstructor.js:
3820         (entries):
3821         (globalPrivate.enumerableOwnProperties): Deleted.
3822         * runtime/JSGlobalObject.cpp:
3823         (JSC::JSGlobalObject::init):
3824         * runtime/ObjectConstructor.cpp:
3825         (JSC::ownEnumerablePropertyKeys): Deleted.
3826         * runtime/ObjectConstructor.h:
3827
3828 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
3829
3830         Remove Reflect.enumerate
3831         https://bugs.webkit.org/show_bug.cgi?id=173806
3832
3833         Reviewed by Yusuke Suzuki.
3834
3835         * CMakeLists.txt:
3836         * JavaScriptCore.xcodeproj/project.pbxproj:
3837         * inspector/JSInjectedScriptHost.cpp:
3838         (Inspector::JSInjectedScriptHost::subtype):
3839         (Inspector::JSInjectedScriptHost::getInternalProperties):
3840         (Inspector::JSInjectedScriptHost::iteratorEntries):
3841         * runtime/JSGlobalObject.cpp:
3842         (JSC::JSGlobalObject::init):
3843         (JSC::JSGlobalObject::visitChildren):
3844         * runtime/JSPropertyNameIterator.cpp: Removed.
3845         * runtime/JSPropertyNameIterator.h: Removed.
3846         * runtime/ReflectObject.cpp:
3847         (JSC::reflectObjectEnumerate): Deleted.
3848
3849 2017-06-23  Keith Miller  <keith_miller@apple.com>
3850
3851         Switch VMTraps to use halt instructions rather than breakpoint instructions
3852         https://bugs.webkit.org/show_bug.cgi?id=173677
3853         <rdar://problem/32178892>
3854
3855         Reviewed by JF Bastien.
3856
3857         Using the breakpoint instruction for VMTraps caused issues with lldb.
3858         Since we only need some way to stop execution we can, in theory, use
3859         any exceptioning instruction we want. I went with the halt instruction
3860         on X86 since that is the only one byte instruction that does not
3861         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
3862         On ARM we use the data cache clearing instruction with the zero register,
3863         which triggers a segmentation fault.
3864
3865         Also, update the platform code to only use signaling VMTraps
3866         where we have an appropriate instruction (x86 and ARM64).
3867
3868         * API/tests/ExecutionTimeLimitTest.cpp:
3869         (testExecutionTimeLimit):
3870         * assembler/ARM64Assembler.h:
3871         (JSC::ARM64Assembler::replaceWithVMHalt):
3872         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
3873         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
3874         * assembler/ARMAssembler.h:
3875         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
3876         * assembler/ARMv7Assembler.h:
3877         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
3878         * assembler/MIPSAssembler.h:
3879         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
3880         * assembler/MacroAssemblerARM.h:
3881         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
3882         * assembler/MacroAssemblerARM64.h:
3883         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
3884         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
3885         * assembler/MacroAssemblerARMv7.h:
3886         (JSC::MacroAssemblerARMv7::storeFence):
3887         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
3888         * assembler/MacroAssemblerMIPS.h:
3889         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
3890         * assembler/MacroAssemblerX86Common.h:
3891         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
3892         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
3893         * assembler/X86Assembler.h:
3894         (JSC::X86Assembler::replaceWithHlt):
3895         (JSC::X86Assembler::replaceWithInt3): Deleted.
3896         * dfg/DFGJumpReplacement.cpp:
3897         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
3898         * runtime/VMTraps.cpp:
3899         (JSC::SignalContext::SignalContext):
3900         (JSC::installSignalHandler):
3901         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
3902         * wasm/WasmFaultSignalHandler.cpp:
3903         (JSC::Wasm::enableFastMemory):
3904
3905 2017-06-22  Saam Barati  <sbarati@apple.com>
3906
3907         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
3908         https://bugs.webkit.org/show_bug.cgi?id=173743
3909         <rdar://problem/32932536>
3910
3911         Reviewed by Mark Lam.
3912
3913         The code always manually speculates, however, we weren't specifying
3914         ManualOperandSpeculation when creating a JSValueOperand. This would
3915         fire an assertion in JSValueOperand construction for a node like:
3916         Identity(String:@otherNode)
3917         
3918         I spent about 45 minutes trying to craft a test and came up
3919         empty. However, this fixes a debug assertion on an internal
3920         Apple website.
3921
3922         * dfg/DFGSpeculativeJIT32_64.cpp:
3923         (JSC::DFG::SpeculativeJIT::compile):
3924         * dfg/DFGSpeculativeJIT64.cpp:
3925         (JSC::DFG::SpeculativeJIT::compile):
3926
3927 2017-06-22  Saam Barati  <sbarati@apple.com>
3928
3929         ValueRep(DoubleRep(@v)) can not simply convert to @v
3930         https://bugs.webkit.org/show_bug.cgi?id=173687
3931         <rdar://problem/32855563>
3932
3933         Reviewed by Mark Lam.
3934
3935         Consider this IR:
3936          block#x
3937           p: Phi() // int32 and double flows into this phi from various control flow
3938           d: DoubleRep(@p)
3939           some uses of @d here
3940           v: ValueRep(DoubleRepUse:@d)
3941           a: NewArrayWithSize(Int32:@v)
3942           some more nodes here ...
3943         
3944         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
3945         AI proves that the Int32 check will fail. Constant folding phase removes
3946         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
3947         
3948         The IR then looks like this:
3949         block#x
3950           p: Phi() // int32 and double flows into this phi from various control flow
3951           d: DoubleRep(@p)
3952           some uses of @d here
3953           v: ValueRep(DoubleRepUse:@d)
3954           a: NewArrayWithSize(Int32:@v)
3955           Unreachable
3956         
3957         However, there was a strength reduction rule that tries to eliminate redundant
3958         conversions. It used to convert the program to:
3959         block#x
3960           p: Phi() // int32 and double flows into this phi from various control flow
3961           d: DoubleRep(@p)
3962           some uses of @d here
3963           a: NewArrayWithSize(Int32:@p)
3964           Unreachable
3965         
3966         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
3967         and we'll crash. This patch removes this strength reduction rule since it
3968         does not maintain what would have happened if we executed the program before
3969         the rule.
3970         
3971         This rule is also wrong for other types of programs (I'm not sure we'd
3972         actually emit this code, but if such IR were generated, we would previously
3973         optimize it incorrectly):
3974         @a: Constant(JSTrue)
3975         @b: DoubleRep(@a)
3976         @c: ValueRep(@b)
3977         @d: use(@c)
3978         
3979         However, the strength reduction rule would've transformed this into:
3980         @a: Constant(JSTrue)
3981         @d: use(@a)
3982         
3983         And this would be wrong because node @c before the transformation would
3984         have produced the JSValue jsNumber(1.0).
3985         
3986         This patch was neutral in the benchmark run I did.
3987
3988         * dfg/DFGStrengthReductionPhase.cpp:
3989         (JSC::DFG::StrengthReductionPhase::handleNode):
3990
3991 2017-06-22  JF Bastien  <jfbastien@apple.com>
3992
3993         ARM64: doubled executable memory limit from 32MiB to 64MiB
3994         https://bugs.webkit.org/show_bug.cgi?id=173734
3995         <rdar://problem/32932407>
3996
3997         Reviewed by Oliver Hunt.
3998
3999         Some WebAssembly programs stress the amount of memory we have
4000         available, especially when we consider tiering (BBQ never dies,
4001         and is bigger than OMG). Tiering to OMG just piles on more memory,
4002         and we're also competing with JavaScript.
4003
4004         * jit/ExecutableAllocator.h:
4005
4006 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
4007
4008         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
4009         https://bugs.webkit.org/show_bug.cgi?id=173698
4010
4011         Reviewed by Matt Baker.
4012
4013         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
4014         when preparing Inspector pause information is spent generating object previews for
4015         the `thisObject` of each of the call frames. In some cases, this could be more
4016         than 95% of the time generating pause information. In the common case, only one of
4017         these (the top frame) will ever be seen by users. This change avoids eagerly
4018         generating object previews up front and lets the frontend request previews if they
4019         are needed.
4020
4021         This introduces the `Runtime.getPreview` protocol command. This can be used to:
4022
4023             - Get a preview for a RemoteObject that did not have a preview but could.
4024             - Update a preview for a RemoteObject that had a preview.
4025
4026         This patch only uses it for the first case, but the second is valid and may be
4027         something we want to do in the future.
4028
4029         * inspector/protocol/Runtime.json:
4030         A new command to get an up to date preview for an object.
4031
4032         * inspector/InjectedScript.h:
4033         * inspector/InjectedScript.cpp:
4034         (Inspector::InjectedScript::getPreview):
4035         * inspector/agents/InspectorRuntimeAgent.cpp:
4036         (Inspector::InspectorRuntimeAgent::getPreview):
4037         * inspector/agents/InspectorRuntimeAgent.h:
4038         Plumbing for the new command.
4039
4040         * inspector/InjectedScriptSource.js:
4041         (InjectedScript.prototype.getPreview):
4042         Implementation just uses the existing helper.
4043
4044         (InjectedScript.CallFrameProxy):
4045         Do not generate a preview for the `this` object as it may not be shown.
4046         Let the frontend request a preview if it wants or needs one.
4047
4048 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
4049
4050         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
4051         https://bugs.webkit.org/show_bug.cgi?id=173686
4052
4053         Reviewed by Mark Lam.
4054
4055         *&nb