cc244a1b607358788a1e4625bc7c89beb54073d1
[WebKit.git] / Source / JavaScriptCore / ChangeLog
2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Support optional catch binding
        https://bugs.webkit.org/show_bug.cgi?id=174981

        Reviewed by Saam Barati.

        This patch implements the optional catch binding proposal [1], which is now stage 3.
        This proposal adds a new `catch` brace with no error value binding.

            ```
                try {
                    ...
                } catch {
                    ...
                }
            ```

        Sometimes we do not actually need the error value. For example, a function may return
        a boolean indicating whether it succeeded.

            ```
            function parse(result) // -> bool
            {
                 try {
                     parseInner(result);
                 } catch {
                     return false;
                 }
                 return true;
            }
            ```

        In the above case, we are not interested in the actual error value. Without this syntax,
        we always need to introduce a binding for an error value that is just ignored.

        [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/

        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseTryStatement):

2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge WTFThreadData to Thread::current
        https://bugs.webkit.org/show_bug.cgi?id=174716

        Reviewed by Sam Weinig.

        Use Thread::current() instead.

        * API/JSContext.mm:
        (+[JSContext currentContext]):
        (+[JSContext currentThis]):
        (+[JSContext currentCallee]):
        (+[JSContext currentArguments]):
        (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
        (-[JSContext endCallbackWithData:]):
        * heap/Heap.cpp:
        (JSC::Heap::requestCollection):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::checkModuleSyntax):
        (JSC::evaluate):
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        (JSC::importModule):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimits):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse const):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):

2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Introduce Private Symbols
        https://bugs.webkit.org/show_bug.cgi?id=174935

        Reviewed by Darin Adler.

        Use SymbolImpl::isPrivate().

        * builtins/BuiltinNames.cpp:
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::isPrivateName): Deleted.
        * builtins/BuiltinUtils.h:
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::isPrivateName): Deleted.
        * runtime/CommonIdentifiers.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/Identifier.h:
        (JSC::Identifier::isPrivateName):
        * runtime/IdentifierInlines.h:
        (JSC::identifierToSafePublicJSValue):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):
        (JSC::defineProperties):
        (JSC::setIntegrityLevel):
        (JSC::testIntegrityLevel):
        (JSC::ownPropertyKeys):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyName.h:
        (JSC::PropertyName::isPrivateName):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performDefineOwnProperty):

2017-07-29  Keith Miller  <keith_miller@apple.com>

        LLInt offsets extractor should be able to handle C++ constexprs
        https://bugs.webkit.org/show_bug.cgi?id=174964

        Reviewed by Saam Barati.

        This patch adds new syntax to the offline asm language. The new keyword,
        constexpr, takes the subsequent identifier and maps it to a C++ constexpr
        expression. Additionally, if the value is not an identifier you can wrap it in
        parentheses, e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
        which will get converted into:
        static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));

        This patch also changes the data format the LLIntOffsetsExtractor
        binary produces.  Previously, it would produce unsigned values;
        after this patch every value is an int64_t.  Using an int64_t is
        useful because it means that we can represent any constant needed.
        int32_t masks are sign extended, then passed on and converted to a
        negative literal string in the assembler so it will be the constant
        expected.

        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/offsets.rb:
        * offlineasm/parser.rb:
        * offlineasm/transform.rb:

2017-07-28  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture an async stack trace when web content calls addEventListener
        https://bugs.webkit.org/show_bug.cgi?id=174739
        <rdar://problem/33468197>

        Reviewed by Brian Burg.

        Allow debugger agents to perform custom logic when asynchronous stack
        trace data is cleared. For example, the PageDebuggerAgent would clear
        its list of registered listeners for which call stacks have been recorded.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
        * inspector/agents/InspectorDebuggerAgent.h:

2017-07-28  Mark Lam  <mark.lam@apple.com>

        ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
        https://bugs.webkit.org/show_bug.cgi?id=174948
        <rdar://problem/33495680>

        Reviewed by Filip Pizlo.

        ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
        owner StructureRareData is already known to be dead (in terms of GC liveness) but
        hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
        requests to fire this watchpoint.

        If the GC had the chance to sweep the StructureRareData, thereby destructing the
        ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
        itself from the WatchpointSet it was on.  Hence, it would not have been fired.

        But since the watchpoint hasn't been destructed yet, it still remains on the
        WatchpointSet and needs to guard against being fired in this state.  The fix is
        to simply return early if its owner StructureRareData is not live.  This has the
        effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
        not firing as we would expect.

        This patch also removes some cargo cult copying of watchpoint code which
        instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
        used.  This patch removes these unnecessary instantiations.

        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
        * runtime/StructureRareData.cpp:
        (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):

2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
        https://bugs.webkit.org/show_bug.cgi?id=174900

        Reviewed by Saam Barati.

        In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
        Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
        The problem is that the transforming phase also needs to check these pseudo terminals.

            BB1
            1: ForceOSRExit
            2: CreateDirectArguments

            BB2
            3: GetButterfly(@2)
            4: ForceOSRExit

        In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.

        In this patch, we stop listing candidates after seeing pseudo terminals in basic blocks.

        * dfg/DFGArgumentsEliminationPhase.cpp:

2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ES] Add support finally to Promise
        https://bugs.webkit.org/show_bug.cgi?id=174503

        Reviewed by Yusuke Suzuki.

        Add support for the `finally` method on Promise according
        to https://bugs.webkit.org/show_bug.cgi?id=174503.
        The current spec is at STAGE 3:
        https://github.com/tc39/proposal-promise-finally

        * builtins/PromisePrototype.js:
        (finally):
        (const.valueThunk):
        (globalPrivate.getThenFinally):
        (const.thrower):
        (globalPrivate.getCatchFinally):
        * runtime/JSPromisePrototype.cpp:
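
        As an added illustration that is not part of this ChangeLog entry nor of JSC's builtins/PromisePrototype.js, the following standalone JavaScript models the `finally` semantics of the stage 3 proposal referenced above, using helpers named after the ones listed in the entry (valueThunk, thrower, getThenFinally, getCatchFinally). `promiseFinally` and `outcomeOf` are this example's own names, and it simplifies the spec by using `promise.constructor` where the proposal performs a species constructor lookup.

```javascript
// Reference model of Promise.prototype.finally from the TC39 proposal
// (https://github.com/tc39/proposal-promise-finally). Added example written
// for this page; it is not JSC's builtin, but the helper names mirror the
// ones the ChangeLog entry lists so the structure can be compared.

// Returns a function that ignores its argument and yields the captured value.
function valueThunk(value) {
  return () => value;
}

// Returns a function that ignores its argument and rethrows the captured reason.
function thrower(reason) {
  return () => { throw reason; };
}

// Fulfillment handler: run onFinally (with no argument), wait for whatever it
// returns, then pass the original fulfillment value through unchanged.
function getThenFinally(onFinally, C) {
  return (value) => {
    const result = onFinally();
    return C.resolve(result).then(valueThunk(value));
  };
}

// Rejection handler: run onFinally, wait for it, then rethrow the original reason.
// If onFinally itself rejects, that rejection wins because the chain stops there.
function getCatchFinally(onFinally, C) {
  return (reason) => {
    const result = onFinally();
    return C.resolve(result).then(thrower(reason));
  };
}

// Model of promise.finally(onFinally). Kept as a plain function so it does not
// shadow the native method of the engine running this file.
function promiseFinally(promise, onFinally) {
  if (typeof onFinally !== 'function') {
    // Spec: a non-callable onFinally is handed to then() as-is, which treats it
    // as an identity handler, so the outcome simply passes through.
    return promise.then(onFinally, onFinally);
  }
  // Simplification (assumption of this example): the spec uses SpeciesConstructor.
  const C = promise.constructor;
  return promise.then(getThenFinally(onFinally, C), getCatchFinally(onFinally, C));
}

// Settles a promise and reports the outcome as a plain object.
async function outcomeOf(promise) {
  try {
    return { status: 'fulfilled', value: await promise };
  } catch (reason) {
    return { status: 'rejected', reason };
  }
}

// Exercises the behaviours the proposal specifies, on constructed inputs.
async function demonstrateFinally() {
  const log = [];
  const record = (label) => () => { log.push(label); };

  // 1. The value passes through; onFinally is invoked with no argument.
  let seenArgs;
  const r1 = await outcomeOf(promiseFinally(Promise.resolve(42),
    (...args) => { seenArgs = args; }));

  // 2. A rejection reason passes through, but onFinally still runs.
  const r2 = await outcomeOf(promiseFinally(Promise.reject(new Error('boom')),
    record('cleanup-2')));

  // 3. If onFinally rejects, that rejection replaces the original (fulfilled) outcome.
  const r3 = await outcomeOf(promiseFinally(Promise.resolve('ok'),
    () => Promise.reject(new Error('cleanup failed'))));

  // 4. A pending promise from onFinally delays settlement; its value is discarded.
  const r4 = await outcomeOf(promiseFinally(Promise.resolve('kept'),
    () => new Promise((res) => setTimeout(() => res('discarded'), 5))));

  return { r1, seenArgs, r2, r3, r4, log };
}
```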
261
262 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
263
264         Unreviewed, build fix for CLoop
265         https://bugs.webkit.org/show_bug.cgi?id=171637
266
267         * domjit/DOMJITGetterSetter.h:
268
269 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
270
271         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
272         https://bugs.webkit.org/show_bug.cgi?id=171637
273
274         Reviewed by Darin Adler.
275
276         Each DOM attribute getter has the code to perform ClassInfo check. But it is largely duplicate and causes code bloating.
277         In this patch, we move ClassInfo check from WebCore to JSC and reduce code size.
278
279         We introduce DOMAnnotation which has ClassInfo* and DOMJIT::GetterSetter*. If the getter is not DOMJIT getter, this
280         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
281
282         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
283         op_get_by_id_with_this case yet.
284         In DFG and FTL, we emit CheckSubClass node. Which is typically removed by CheckStructure leading to CheckSubClass.
285
286         And we add DOMAttributeGetterSetter, which is derived class of CustomGetterSetter. It holds DOMAnnotation and perform
287         ClassInfo check.
288
289         * CMakeLists.txt:
290         * JavaScriptCore.xcodeproj/project.pbxproj:
291         * bytecode/AccessCase.cpp:
292         (JSC::AccessCase::generateImpl):
293         * bytecode/GetByIdStatus.cpp:
294         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
295         * bytecode/GetByIdVariant.cpp:
296         (JSC::GetByIdVariant::GetByIdVariant):
297         (JSC::GetByIdVariant::operator=):
298         (JSC::GetByIdVariant::attemptToMerge):
299         (JSC::GetByIdVariant::dumpInContext):
300         * bytecode/GetByIdVariant.h:
301         (JSC::GetByIdVariant::customAccessorGetter):
302         (JSC::GetByIdVariant::domAttribute):
303         (JSC::GetByIdVariant::domJIT): Deleted.
304         * bytecode/GetterSetterAccessCase.cpp:
305         (JSC::GetterSetterAccessCase::create):
306         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
307         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
308         * bytecode/GetterSetterAccessCase.h:
309         (JSC::GetterSetterAccessCase::domAttribute):
310         (JSC::GetterSetterAccessCase::customAccessor):
311         (JSC::GetterSetterAccessCase::domJIT): Deleted.
312         * bytecompiler/BytecodeGenerator.cpp:
313         (JSC::BytecodeGenerator::instantiateLexicalVariables):
314         * create_hash_table:
315         * dfg/DFGAbstractInterpreterInlines.h:
316         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
317         * dfg/DFGByteCodeParser.cpp:
318         (JSC::DFG::blessCallDOMGetter):
319         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
320         (JSC::DFG::ByteCodeParser::handleGetById):
321         * dfg/DFGClobberize.h:
322         (JSC::DFG::clobberize):
323         * dfg/DFGFixupPhase.cpp:
324         (JSC::DFG::FixupPhase::fixupNode):
325         * dfg/DFGNode.h:
326         * dfg/DFGSpeculativeJIT.cpp:
327         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
328         * dfg/DFGSpeculativeJIT.h:
329         (JSC::DFG::SpeculativeJIT::callCustomGetter):
330         * domjit/DOMJITGetterSetter.h:
331         (JSC::DOMJIT::GetterSetter::GetterSetter):
332         (JSC::DOMJIT::GetterSetter::getter):
333         (JSC::DOMJIT::GetterSetter::compiler):
334         (JSC::DOMJIT::GetterSetter::resultType):
335         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
336         (JSC::DOMJIT::GetterSetter::setter): Deleted.
337         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
338         * ftl/FTLLowerDFGToB3.cpp:
339         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
340         * jit/Repatch.cpp:
341         (JSC::tryCacheGetByID):
342         * jsc.cpp:
343         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
344         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
345         (WTF::DOMJITGetter::customGetter):
346         (WTF::DOMJITGetter::finishCreation):
347         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
348         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
349         (WTF::DOMJITGetterComplex::customGetter):
350         (WTF::DOMJITGetterComplex::finishCreation):
351         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
352         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
353         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
354         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
355         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
356         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
357         * runtime/CustomGetterSetter.h:
358         (JSC::CustomGetterSetter::create):
359         (JSC::CustomGetterSetter::setter):
360         (JSC::CustomGetterSetter::CustomGetterSetter):
361         (): Deleted.
362         * runtime/DOMAnnotation.h: Added.
363         (JSC::operator==):
364         (JSC::operator!=):
365         * runtime/DOMAttributeGetterSetter.cpp: Added.
366         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
367         (JSC::isDOMAttributeGetterSetter):
368         * runtime/Error.cpp:
369         (JSC::throwDOMAttributeGetterTypeError):
370         * runtime/Error.h:
371         (JSC::throwVMDOMAttributeGetterTypeError):
372         * runtime/JSCustomGetterSetterFunction.cpp:
373         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
374         * runtime/JSObject.cpp:
375         (JSC::JSObject::putInlineSlow):
376         (JSC::JSObject::deleteProperty):
377         (JSC::JSObject::getOwnStaticPropertySlot):
378         (JSC::JSObject::reifyAllStaticProperties):
379         (JSC::JSObject::fillGetterPropertySlot):
380         (JSC::JSObject::findPropertyHashEntry): Deleted.
381         * runtime/JSObject.h:
382         (JSC::JSObject::getOwnNonIndexPropertySlot):
383         (JSC::JSObject::fillCustomGetterPropertySlot):
384         * runtime/Lookup.cpp:
385         (JSC::setUpStaticFunctionSlot):
386         * runtime/Lookup.h:
387         (JSC::HashTableValue::domJIT):
388         (JSC::getStaticPropertySlotFromTable):
389         (JSC::putEntry):
390         (JSC::lookupPut):
391         (JSC::reifyStaticProperty):
392         (JSC::reifyStaticProperties):
393         Each static property table has a new field ClassInfo*. It indicates that which ClassInfo check DOMAttribute registered in
394         this static property table requires.
395
396         * runtime/ProgramExecutable.cpp:
397         (JSC::ProgramExecutable::initializeGlobalProperties):
398         * runtime/PropertyName.h:
399         * runtime/PropertySlot.cpp:
400         (JSC::PropertySlot::customGetter):
401         (JSC::PropertySlot::customAccessorGetter):
402         * runtime/PropertySlot.h:
403         (JSC::PropertySlot::domAttribute):
404         (JSC::PropertySlot::setCustom):
405         (JSC::PropertySlot::setCacheableCustom):
406         (JSC::PropertySlot::getValue):
407         (JSC::PropertySlot::domJIT): Deleted.
408         * runtime/VM.cpp:
409         (JSC::VM::VM):
410         * runtime/VM.h:
411
412 2017-07-26  Devin Rousso  <drousso@apple.com>
413
414         Web Inspector: create protocol for recording Canvas contexts
415         https://bugs.webkit.org/show_bug.cgi?id=174481
416
417         Reviewed by Joseph Pecoraro.
418
419         * inspector/protocol/Canvas.json:
420          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
421          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
422          - Add `recordingFinished` event that is fired once a recording is finished.
423
424         * CMakeLists.txt:
425         * DerivedSources.make:
426         * inspector/protocol/Recording.json: Added.
427          - Add `Type` enum that lists the types of recordings
428          - Add `InitialState` type that contains information about the canvas context at the
429            beginning of the recording.
430          - Add `Frame` type that holds a list of actions that were recorded.
431          - Add `Recording` type as the container object of recording data.
432
433         * inspector/scripts/codegen/generate_js_backend_commands.py:
434         (JSBackendCommandsGenerator.generate_domain):
435         Create an agent for domains with no events or commands.
436
437         * inspector/InspectorValues.h:
438         Make Array `get` public so that values can be retrieved if needed.
439
440 2017-07-26  Brian Burg  <bburg@apple.com>
441
442         Remove WEB_TIMING feature flag
443         https://bugs.webkit.org/show_bug.cgi?id=174795
444
445         Reviewed by Alex Christensen.
446
447         * Configurations/FeatureDefines.xcconfig:
448
449 2017-07-26  Mark Lam  <mark.lam@apple.com>
450
451         Add the ability to change sp and pc to the ARM64 JIT probe.
452         https://bugs.webkit.org/show_bug.cgi?id=174697
453         <rdar://problem/33436965>
454
455         Reviewed by JF Bastien.
456
457         This patch implements the following:
458
459         1. The ARM64 probe now supports modifying the pc and sp.
460
461            However, lr is not preserved when modifying the pc because it is used as the
462            scratch register for the indirect jump. Hence, the probe handler function
463            may not modify both lr and pc in the same probe invocation.
464
465         2. Fix probe tests to use bitwise comparison when comparing double register
466            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
467
468         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
469            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
470            instructions which require 16 byte alignment for their memory access.
471
472         * assembler/MacroAssemblerARM64.cpp:
473         (JSC::arm64ProbeError):
474         (JSC::MacroAssembler::probe):
475         (JSC::arm64ProbeTrampoline): Deleted.
476         * assembler/testmasm.cpp:
477         (JSC::isSpecialGPR):
478         (JSC::testProbeReadsArgumentRegisters):
479         (JSC::testProbeWritesArgumentRegisters):
480         (JSC::testProbePreservesGPRS):
481         (JSC::testProbeModifiesStackPointer):
482         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
483         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
484
485 2017-07-25  JF Bastien  <jfbastien@apple.com>
486
487         WebAssembly: generate smaller binaries
488         https://bugs.webkit.org/show_bug.cgi?id=174818
489
490         Reviewed by Filip Pizlo.
491
492         This patch reduces generated code size for WebAssembly in 2 ways:
493
494         1. Use the ZR register when storing zero on ARM64.
495         2. Synthesize wasm context lazily.
496
497         This leads to a modest size reduction on both x86-64 and ARM64 for
498         large WebAssembly games, without any performance loss on WasmBench
499         and TitzerBench.
500
501         The reason this works is that these games, using Emscripten,
502         generate 100k+ tiny functions, and our JIT allocation granule
503         rounds all allocations up to 32 bytes. There are plenty of other
504         simple gains to be had, I've filed a follow-up bug at
505         webkit.org/b/174819
506
507         We should further avoid the per-function cost of tiering, which
508         represents the bulk of code generated for small functions.
509
510         * assembler/MacroAssemblerARM64.h:
511         (JSC::MacroAssemblerARM64::storeZero64):
512         * assembler/MacroAssemblerX86_64.h:
513         (JSC::MacroAssemblerX86_64::storeZero64):
514         * b3/B3LowerToAir.cpp:
515         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
516         for x86 because it constrains register reuse and codegen in a way
517         that doesn't affect ARM64 because it has a dedicated zero
518         register.
519         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
520         * wasm/WasmB3IRGenerator.cpp:
521         (JSC::Wasm::B3IRGenerator::instanceValue):
522         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
523         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
524         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
525
526 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
527
528         B3 should do LICM
529         https://bugs.webkit.org/show_bug.cgi?id=174750
530
531         Reviewed by Keith Miller and Saam Barati.
532         
533         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
534         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
535         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
536         change templatizes DFG::NaturalLoops so that we can just use it.
537         
538         The LICM phase itself is really simple. We are decently precise with our handling of everything except
539         the relationship between control dependence and side exits.
540         
541         Also added a bunch of tests.
542         
543         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
544         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
545         so it doesn't hurt to have it.
546         
547         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
548         handle the problem I had, so I ended up not needed it - but by then I had already written it. I think
549         it's good to have it because LICM is one of those core compiler phases; every compiler has it
550         eventually.
551
552         * CMakeLists.txt:
553         * JavaScriptCore.xcodeproj/project.pbxproj:
554         * b3/B3BackwardsCFG.h: Added.
555         (JSC::B3::BackwardsCFG::BackwardsCFG):
556         * b3/B3BackwardsDominators.h: Added.
557         (JSC::B3::BackwardsDominators::BackwardsDominators):
558         * b3/B3BasicBlock.cpp:
559         (JSC::B3::BasicBlock::appendNonTerminal):
560         * b3/B3Effects.h:
561         * b3/B3EnsureLoopPreHeaders.cpp: Added.
562         (JSC::B3::ensureLoopPreHeaders):
563         * b3/B3EnsureLoopPreHeaders.h: Added.
564         * b3/B3Generate.cpp:
565         (JSC::B3::generateToAir):
566         * b3/B3HoistLoopInvariantValues.cpp: Added.
567         (JSC::B3::hoistLoopInvariantValues):
568         * b3/B3HoistLoopInvariantValues.h: Added.
569         * b3/B3NaturalLoops.h: Added.
570         (JSC::B3::NaturalLoops::NaturalLoops):
571         * b3/B3Procedure.cpp:
572         (JSC::B3::Procedure::invalidateCFG):
573         (JSC::B3::Procedure::naturalLoops):
574         (JSC::B3::Procedure::backwardsCFG):
575         (JSC::B3::Procedure::backwardsDominators):
576         * b3/B3Procedure.h:
577         * b3/testb3.cpp:
578         (JSC::B3::generateLoop):
579         (JSC::B3::makeArrayForLoops):
580         (JSC::B3::generateLoopNotBackwardsDominant):
581         (JSC::B3::oneFunction):
582         (JSC::B3::noOpFunction):
583         (JSC::B3::testLICMPure):
584         (JSC::B3::testLICMPureSideExits):
585         (JSC::B3::testLICMPureWritesPinned):
586         (JSC::B3::testLICMPureWrites):
587         (JSC::B3::testLICMReadsLocalState):
588         (JSC::B3::testLICMReadsPinned):
589         (JSC::B3::testLICMReads):
590         (JSC::B3::testLICMPureNotBackwardsDominant):
591         (JSC::B3::testLICMPureFoiledByChild):
592         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
593         (JSC::B3::testLICMExitsSideways):
594         (JSC::B3::testLICMWritesLocalState):
595         (JSC::B3::testLICMWrites):
596         (JSC::B3::testLICMFence):
597         (JSC::B3::testLICMWritesPinned):
598         (JSC::B3::testLICMControlDependent):
599         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
600         (JSC::B3::testLICMControlDependentSideExits):
601         (JSC::B3::testLICMReadsPinnedWritesPinned):
602         (JSC::B3::testLICMReadsWritesDifferentHeaps):
603         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
604         (JSC::B3::testLICMDefaultCall):
605         (JSC::B3::run):
606         * dfg/DFGBasicBlock.h:
607         * dfg/DFGCFG.h:
608         * dfg/DFGNaturalLoops.cpp: Removed.
609         * dfg/DFGNaturalLoops.h:
610         (JSC::DFG::NaturalLoops::NaturalLoops):
611         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
612         (JSC::DFG::NaturalLoop::header): Deleted.
613         (JSC::DFG::NaturalLoop::size): Deleted.
614         (JSC::DFG::NaturalLoop::at): Deleted.
615         (JSC::DFG::NaturalLoop::operator[]): Deleted.
616         (JSC::DFG::NaturalLoop::contains): Deleted.
617         (JSC::DFG::NaturalLoop::index): Deleted.
618         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
619         (JSC::DFG::NaturalLoop::addBlock): Deleted.
620         (JSC::DFG::NaturalLoops::numLoops): Deleted.
621         (JSC::DFG::NaturalLoops::loop): Deleted.
622         (JSC::DFG::NaturalLoops::headerOf): Deleted.
623         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
624         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
625         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
626         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
627
628 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
629
630         GC should be fine with trading blocks between destructor and non-destructor blocks
631         https://bugs.webkit.org/show_bug.cgi?id=174811
632
633         Reviewed by Mark Lam.
634         
635         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
636         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
637         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
638         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
639         set.
640         
641         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
642         is empty if:
643         
644         A) It has no live objects and its a non-destructor block, or
645         B) We just allocated it (so it has no destructors even if it's a destructor block), or
646         C) We just stole it from another allocator (so it also has no destructors), or
647         D) We just swept the block and ran all destructors.
648         
649         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
650         block that could be stolen.
651
652         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
653         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
654         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
655         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
656         
657         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
658         
659         If we tried to enable trading of blocks between allocators without making any changes to how
660         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
661         live objects in order for those bits to be candidates for trading. But if we do that, then our
662         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
663         our destructors won't run and we'll leak memory.
664         
665         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
666         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
667         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
668         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
669         are (empty & ~destructible).
670         
671         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
672         remove destructor-oriented special-casing of block trading.
673
674         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
675         so this change is more about clean-up than perf. But, this could reduce memory usage in some
676         pathological cases.
677         
678         * heap/MarkedAllocator.cpp:
679         (JSC::MarkedAllocator::findEmptyBlockToSteal):
680         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
681         (JSC::MarkedAllocator::endMarking):
682         (JSC::MarkedAllocator::shrink):
683         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
684         * heap/MarkedAllocator.h:
685         * heap/MarkedBlock.cpp:
686         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
687         (JSC::MarkedBlock::Handle::sweep):
688         * heap/MarkedBlockInlines.h:
689         (JSC::MarkedBlock::Handle::specializedSweep):
690         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
691         (JSC::MarkedBlock::Handle::emptyMode):
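
        A toy model of the `empty` / `destructible` bookkeeping described in this entry, written as an added illustration rather than JSC's own MarkedBlock code; the struct fields, the `sweepOld`/`sweepNew` split and the scenario functions are hypothetical names. It shows why flagging every block with no live objects as `empty` under the old policy skips destructors (case A turned into a leak), and how the separate `destructible` bit handles cases (B) and (D).

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Hypothetical model of one block's bookkeeping; not JSC's API.
struct Block {
    bool hasDestructors = false; // destructor block: dead cells need finalization
    bool garbageBits = false;    // mark bits are uninitialized (cases B and C)
    size_t deadCells = 0;        // cells a sweep would finalize (garbage if garbageBits)
    size_t liveCells = 0;        // cells marked live by the last GC
    bool empty = false;          // "no live objects": candidate for trading / shrink
    bool destructible = false;   // "may hold cells whose destructors have not run"
};

struct Stats {
    size_t destructorsRun = 0;    // finalizers actually executed
    size_t garbageDestructed = 0; // finalizers run on garbage bits (a crash in practice)
};

static void runDestructors(Block& b, Stats& s) {
    if (b.garbageBits)
        s.garbageDestructed += b.deadCells;
    else
        s.destructorsRun += b.deadCells;
    b.deadCells = 0;
    b.garbageBits = false;
}

// --- Old policy: `empty` doubles as "nothing to destruct" -------------------

// Case (B): a fresh block has garbage bits, so it had to be flagged empty.
Block allocateFreshOld() {
    Block b; b.hasDestructors = true; b.garbageBits = true; b.deadCells = 5; b.empty = true;
    return b;
}
// Trading enabled "without changing how `empty` works": every block with no live
// objects is flagged empty so another allocator could steal it.
void endMarkingOldWithTrading(Block& b) { b.empty = (b.liveCells == 0); }
void sweepOld(Block& b, Stats& s) {
    if (b.empty) return;                    // read as "no destructors to run"
    if (b.hasDestructors) runDestructors(b, s);
}

// --- New policy: `destructible` answers the destructor question ------------

Block allocateFreshNew() {                  // case (B): empty and not destructible
    Block b; b.hasDestructors = true; b.garbageBits = true; b.deadCells = 5;
    b.empty = true; b.destructible = false;
    return b;
}
// The GC flags every block destructible at the end of marking; `empty` only
// records whether live objects remain.
void endMarkingNew(Block& b) { b.empty = (b.liveCells == 0); b.destructible = true; }
void sweepNew(Block& b, Stats& s) {
    if (b.destructible && b.hasDestructors) runDestructors(b, s);
    b.destructible = false;                 // case (D): swept, nothing pending
}
// Shrink releases exactly the blocks that are (empty & ~destructible).
size_t shrinkNew(std::vector<Block>& blocks) {
    size_t released = 0;
    std::vector<Block> kept;
    for (const Block& b : blocks) {
        if (b.empty && !b.destructible) ++released; else kept.push_back(b);
    }
    blocks.swap(kept);
    return released;
}

// Scenario: a destructor block whose three cells all died in the last GC.
size_t destructorsRunAfterGC(bool newPolicy) {
    Block b; b.hasDestructors = true; b.deadCells = 3;
    Stats s;
    if (newPolicy) { endMarkingNew(b); sweepNew(b, s); }
    else { endMarkingOldWithTrading(b); sweepOld(b, s); }
    return s.destructorsRun;                // old: 0 (the cells leak), new: 3
}
// Scenario: a freshly allocated block is swept; neither policy may touch garbage.
size_t garbageDestructedOnFreshBlock(bool newPolicy) {
    Stats s;
    if (newPolicy) { Block b = allocateFreshNew(); sweepNew(b, s); }
    else { Block b = allocateFreshOld(); sweepOld(b, s); }
    return s.garbageDestructed;             // 0 under both
}
// Scenario: shrink after a GC left one dead block swept and another not yet swept.
size_t blocksReleasedByShrink() {
    Block swept; swept.hasDestructors = true; swept.deadCells = 2;
    Block unswept; unswept.hasDestructors = true; unswept.deadCells = 2;
    Stats s;
    endMarkingNew(swept); endMarkingNew(unswept);
    sweepNew(swept, s);
    std::vector<Block> blocks{swept, unswept};
    return shrinkNew(blocks);               // 1: the unswept block is still destructible
}

int main() {
    assert(destructorsRunAfterGC(false) == 0);
    assert(destructorsRunAfterGC(true) == 3);
    assert(garbageDestructedOnFreshBlock(false) == 0);
    assert(garbageDestructedOnFreshBlock(true) == 0);
    assert(blocksReleasedByShrink() == 1);
    return 0;
}
```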
692
693 2017-07-25  Keith Miller  <keith_miller@apple.com>
694
695         Remove Broken CompareEq constant folding phase.
696         https://bugs.webkit.org/show_bug.cgi?id=174846
697         <rdar://problem/32978808>
698
699         Reviewed by Saam Barati.
700
701         This bug happened when we would get code like the following:
702
703         a: JSConst(Undefined)
704         b: GetLocal(SomeObjectOrUndefined)
705         ...
706         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
707
708         constant folding will turn this into:
709
710         a: JSConst(Undefined)
711         b: GetLocal(SomeObjectOrUndefined)
712         ...
713         c: CompareEq(Check:ObjectOrOther:b, Other:a)
714
715         But the SpeculativeJIT/FTL lowering will fail to check b
716         properly which leads to an assertion failure in the AI.
717
718         I'll follow up with a more robust fix later. For now, I'll remove the
719         case that generates the code. Removing the code appears to be perf
720         neutral.
721
722         * dfg/DFGConstantFoldingPhase.cpp:
723         (JSC::DFG::ConstantFoldingPhase::foldConstants):
724
725 2017-07-25  Matt Baker  <mattbaker@apple.com>
726
727         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
728         https://bugs.webkit.org/show_bug.cgi?id=174738
729
730         Reviewed by Brian Burg.
731
732         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
733         stack traces. This preserves the call type in JSC, makes the range of
734         possible call types explicit, and is safer than passing ints.
735
736         * inspector/agents/InspectorDebuggerAgent.cpp:
737         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
738         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
739         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
740         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
741         * inspector/agents/InspectorDebuggerAgent.h:
742
743 2017-07-25  Mark Lam  <mark.lam@apple.com>
744
745         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
746         https://bugs.webkit.org/show_bug.cgi?id=174809
747         <rdar://problem/33504759>
748
749         Reviewed by Filip Pizlo.
750
751         1. When the probe handler function changes the sp register to point to the
752            region of stack in the middle of the ProbeContext on the stack, there is a
753            bug where the ProbeContext's register values to be restored can be over-written
754            before they can be restored.  This is now fixed.
755
756         2. Added more robust probe tests for changing the sp register.
757
758         3. Made existing probe tests ensure that probe handlers were actually called.
759
760         4. Added some verification to testProbePreservesGPRS().
761
762         5. Change all the probe tests to fail early on discovering an error instead of
763            batching till the end of the test.  This helps point a finger to the failing
764            issue earlier.
765
766         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
767         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
768
769         * assembler/MacroAssemblerARM.cpp:
770         * assembler/MacroAssemblerARMv7.cpp:
771         * assembler/MacroAssemblerX86Common.cpp:
772         * assembler/testmasm.cpp:
773         (JSC::testProbeReadsArgumentRegisters):
774         (JSC::testProbeWritesArgumentRegisters):
775         (JSC::testProbePreservesGPRS):
776         (JSC::testProbeModifiesStackPointer):
777         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
778         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
779         (JSC::testProbeModifiesProgramCounter):
780         (JSC::run):
781
782 2017-07-25  Brian Burg  <bburg@apple.com>
783
784         Web Automation: add support for uploading files
785         https://bugs.webkit.org/show_bug.cgi?id=174797
786         <rdar://problem/28485063>
787
788         Reviewed by Joseph Pecoraro.
789
790         * inspector/scripts/generate-inspector-protocol-bindings.py:
791         (generate_from_specification):
792         Start generating frontend dispatcher code if the target framework is 'WebKit'.
793
794         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
795         (CppFrontendDispatcherImplementationGenerator.generate_output):
796         Use a framework include for InspectorFrontendRouter.h since this generated code
797         will be compiled outside of WebCore.framework.
798
799         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
800         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
801         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
802         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
803         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
804         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
805         * inspector/scripts/tests/generic/expected/enum-values.json-result:
806         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
807         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
808         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
809         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
810         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
811         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
812         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
813         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
814         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
815         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
816         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
817         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
818         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
819         Rebaseline code generator tests.
820
821 2017-07-24  Mark Lam  <mark.lam@apple.com>
822
823         Gardening: fixed C Loop build after r219790.
824         https://bugs.webkit.org/show_bug.cgi?id=174696
825
826         Not reviewed.
827
828         * assembler/testmasm.cpp:
829
830 2017-07-23  Mark Lam  <mark.lam@apple.com>
831
832         Create regression tests for the JIT probe.
833         https://bugs.webkit.org/show_bug.cgi?id=174696
834         <rdar://problem/33436922>
835
836         Reviewed by Saam Barati.
837
838         The new testmasm will test the following:
839         1. the probe is able to read the value of CPU registers.
840         2. the probe is able to write the value of CPU registers.
841         3. the probe is able to preserve all CPU registers.
842         4. special case of (2): the probe is able to change the value of the stack pointer.
843         5. special case of (2): the probe is able to change the value of the program counter
844            i.e. the probe can change where the code continues executing upon returning from
845            the probe.
846
847         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
848         because it does not support changing the sp and pc yet.  The ARM64 probe
849         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
850         later.
851
852         * Configurations/ToolExecutable.xcconfig:
853         * JavaScriptCore.xcodeproj/project.pbxproj:
854         * assembler/MacroAssembler.h:
855         (JSC::MacroAssembler::CPUState::pc):
856         (JSC::MacroAssembler::CPUState::fp):
857         (JSC::MacroAssembler::CPUState::sp):
858         (JSC::ProbeContext::pc):
859         (JSC::ProbeContext::fp):
860         (JSC::ProbeContext::sp):
861         * assembler/MacroAssemblerARM64.cpp:
862         (JSC::arm64ProbeTrampoline):
863         * assembler/MacroAssemblerPrinter.cpp:
864         (JSC::Printer::printPCRegister):
865         * assembler/testmasm.cpp: Added.
866         (hiddenTruthBecauseNoReturnIsStupid):
867         (usage):
868         (JSC::nextID):
869         (JSC::isPC):
870         (JSC::isSP):
871         (JSC::isFP):
872         (JSC::compile):
873         (JSC::invoke):
874         (JSC::compileAndRun):
875         (JSC::testSimple):
876         (JSC::testProbeReadsArgumentRegisters):
877         (JSC::testProbeWritesArgumentRegisters):
878         (JSC::testFunctionToTrashRegisters):
879         (JSC::testProbePreservesGPRS):
880         (JSC::testProbeModifiesStackPointer):
881         (JSC::testProbeModifiesProgramCounter):
882         (JSC::run):
883         (run):
884         (main):
885         * b3/air/testair.cpp:
886         (usage):
887         * shell/CMakeLists.txt:
888
889 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
890
891         It should be easy to decide how WebKit yields
892         https://bugs.webkit.org/show_bug.cgi?id=174298
893
894         Reviewed by Saam Barati.
895         
896         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
897
898         * heap/Heap.cpp:
899         (JSC::Heap::resumeThePeriphery):
900         * heap/VisitingTimeout.h:
901         * runtime/JSCell.cpp:
902         (JSC::JSCell::lockSlow):
903         (JSC::JSCell::unlockSlow):
904         * runtime/JSCell.h:
905         * runtime/JSCellInlines.h:
906         (JSC::JSCell::lock):
907         (JSC::JSCell::unlock):
908         * runtime/JSLock.cpp:
909         (JSC::JSLock::grabAllLocks):
910         * runtime/SamplingProfiler.cpp:
911
912 2017-07-21  Mark Lam  <mark.lam@apple.com>
913
914         Refactor MASM probe CPUState to use arrays for register storage.
915         https://bugs.webkit.org/show_bug.cgi?id=174694
916
917         Reviewed by Keith Miller.
918
919         Using arrays for register storage in CPUState allows us to do away with the
920         huge switch statements to decode each register id.  We can now simply index into
921         the arrays.
922
923         With this patch, we now:
924
925         1. Remove the need for macros for defining the list of CPU registers.
926            We can go back to simple enums.  This makes the code easier to read.
927
928         2. Make the assembler the authority on register names.
929            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
930            GPRInfo and FPRInfo now forward to the assembler.
931
932         3. Make the assembler the authority on the number of registers of each type.
933
934         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
935            This is inconsistent with how every other CPU architecture implements
936            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
937            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
938
939         * assembler/ARM64Assembler.h:
940         (JSC::ARM64Assembler::numberOfRegisters):
941         (JSC::ARM64Assembler::firstSPRegister):
942         (JSC::ARM64Assembler::lastSPRegister):
943         (JSC::ARM64Assembler::numberOfSPRegisters):
944         (JSC::ARM64Assembler::numberOfFPRegisters):
945         (JSC::ARM64Assembler::gprName):
946         (JSC::ARM64Assembler::sprName):
947         (JSC::ARM64Assembler::fprName):
948         * assembler/ARMAssembler.h:
949         (JSC::ARMAssembler::numberOfRegisters):
950         (JSC::ARMAssembler::firstSPRegister):
951         (JSC::ARMAssembler::lastSPRegister):
952         (JSC::ARMAssembler::numberOfSPRegisters):
953         (JSC::ARMAssembler::numberOfFPRegisters):
954         (JSC::ARMAssembler::gprName):
955         (JSC::ARMAssembler::sprName):
956         (JSC::ARMAssembler::fprName):
957         * assembler/ARMv7Assembler.h:
958         (JSC::ARMv7Assembler::lastRegister):
959         (JSC::ARMv7Assembler::numberOfRegisters):
960         (JSC::ARMv7Assembler::firstSPRegister):
961         (JSC::ARMv7Assembler::lastSPRegister):
962         (JSC::ARMv7Assembler::numberOfSPRegisters):
963         (JSC::ARMv7Assembler::numberOfFPRegisters):
964         (JSC::ARMv7Assembler::gprName):
965         (JSC::ARMv7Assembler::sprName):
966         (JSC::ARMv7Assembler::fprName):
967         * assembler/AbstractMacroAssembler.h:
968         (JSC::AbstractMacroAssembler::numberOfRegisters):
969         (JSC::AbstractMacroAssembler::gprName):
970         (JSC::AbstractMacroAssembler::firstSPRegister):
971         (JSC::AbstractMacroAssembler::lastSPRegister):
972         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
973         (JSC::AbstractMacroAssembler::sprName):
974         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
975         (JSC::AbstractMacroAssembler::fprName):
976         * assembler/MIPSAssembler.h:
977         (JSC::MIPSAssembler::numberOfRegisters):
978         (JSC::MIPSAssembler::firstSPRegister):
979         (JSC::MIPSAssembler::lastSPRegister):
980         (JSC::MIPSAssembler::numberOfSPRegisters):
981         (JSC::MIPSAssembler::numberOfFPRegisters):
982         (JSC::MIPSAssembler::gprName):
983         (JSC::MIPSAssembler::sprName):
984         (JSC::MIPSAssembler::fprName):
985         * assembler/MacroAssembler.h:
986         (JSC::MacroAssembler::CPUState::gprName):
987         (JSC::MacroAssembler::CPUState::sprName):
988         (JSC::MacroAssembler::CPUState::fprName):
989         (JSC::MacroAssembler::CPUState::gpr):
990         (JSC::MacroAssembler::CPUState::spr):
991         (JSC::MacroAssembler::CPUState::fpr):
992         (JSC::MacroAssembler::CPUState::pc):
993         (JSC::MacroAssembler::CPUState::fp):
994         (JSC::MacroAssembler::CPUState::sp):
995         (JSC::ProbeContext::gpr):
996         (JSC::ProbeContext::spr):
997         (JSC::ProbeContext::fpr):
998         (JSC::ProbeContext::gprName):
999         (JSC::ProbeContext::sprName):
1000         (JSC::ProbeContext::fprName):
1001         (JSC::MacroAssembler::numberOfRegisters): Deleted.
1002         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
1003         * assembler/MacroAssemblerARM.cpp:
1004         * assembler/MacroAssemblerARM64.cpp:
1005         (JSC::arm64ProbeTrampoline):
1006         * assembler/MacroAssemblerARMv7.cpp:
1007         * assembler/MacroAssemblerPrinter.cpp:
1008         (JSC::Printer::nextID):
1009         (JSC::Printer::printAllRegisters):
1010         (JSC::Printer::printPCRegister):
1011         (JSC::Printer::printRegisterID):
1012         (JSC::Printer::printAddress):
1013         * assembler/MacroAssemblerX86Common.cpp:
1014         * assembler/X86Assembler.h:
1015         (JSC::X86Assembler::numberOfRegisters):
1016         (JSC::X86Assembler::firstSPRegister):
1017         (JSC::X86Assembler::lastSPRegister):
1018         (JSC::X86Assembler::numberOfSPRegisters):
1019         (JSC::X86Assembler::numberOfFPRegisters):
1020         (JSC::X86Assembler::gprName):
1021         (JSC::X86Assembler::sprName):
1022         (JSC::X86Assembler::fprName):
1023         * jit/FPRInfo.h:
1024         (JSC::FPRInfo::debugName):
1025         * jit/GPRInfo.h:
1026         (JSC::GPRInfo::debugName):
1027         * jit/RegisterSet.cpp:
1028         (JSC::RegisterSet::reservedHardwareRegisters):
1029
1030 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1031
1032         [JSC] Introduce static symbols
1033         https://bugs.webkit.org/show_bug.cgi?id=158863
1034
1035         Reviewed by Darin Adler.
1036
1037         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
1038         As a result, we can share the same Symbol values between VMs and threads.
1039         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
1040
1041         * CMakeLists.txt:
1042         * JavaScriptCore.xcodeproj/project.pbxproj:
1043         * builtins/BuiltinNames.cpp: Added.
1044         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
1045
1046         * builtins/BuiltinNames.h:
1047         (JSC::BuiltinNames::BuiltinNames):
1048         * builtins/BuiltinUtils.h:
1049
1050 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1051
1052         [FTL] Arguments elimination is suppressed by unreachable blocks
1053         https://bugs.webkit.org/show_bug.cgi?id=174352
1054
1055         Reviewed by Filip Pizlo.
1056
1057         If we do not execute `op_get_by_id`, our value profiling tells us it is unpredictable and DFG emits ForceOSRExit.
1058         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
1059         Since GetById without information can escape arguments if it is specified, non-executed code including
1060         op_get_by_id with arguments can escape arguments.
1061
1062         For example,
1063
1064             function test(flag)
1065             {
1066                 if (flag) {
1067                     // This is not executed, but emits GetById with arguments.
1068                     // It prevents us from eliminating materialization.
1069                     return arguments.length;
1070                 }
1071                 return arguments.length;
1072             }
1073             noInline(test);
1074             while (true)
1075                 test(false);
1076
1077         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
1078         So this GetById exists and escapes arguments.
1079
1080         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
1081         If one is present, the following GetById does not escape arguments. Compared to performing AI, it is
1082         lightweight, but it catches many of the typical cases in which we failed to perform arguments elimination.
1083
1084         * dfg/DFGArgumentsEliminationPhase.cpp:
1085         * dfg/DFGNode.h:
1086         (JSC::DFG::Node::isPseudoTerminal):
1087         * dfg/DFGValidate.cpp:
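
        A small escape-analysis model of the check this entry describes, added here as an illustration and not taken from DFGArgumentsEliminationPhase; the `Op` kinds, `Node` layout and function names are hypothetical. It encodes the `test(flag)` function above as constructed blocks and contrasts the pre-patch walk (every `GetById` on `arguments` is an escape) with the patched one (nodes after a pseudo-terminal such as ForceOSRExit are never reached, so they are ignored).

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Hypothetical subset of DFG node kinds; names are illustrative only.
enum class Op { CreateArguments, GetArgumentLength, GetById, ForceOSRExit, Return };

struct Node {
    Op op;
    bool usesArguments = false;  // the operand is the `arguments` object
};
using BasicBlock = std::vector<Node>;

// A pseudo-terminal never hands control to the nodes after it in its block
// (here: the ForceOSRExit emitted for the never-executed branch).
bool isPseudoTerminal(const Node& n) { return n.op == Op::ForceOSRExit; }

// Does `arguments` escape in this block? A GetById whose operand is `arguments`
// counts as an escape because the property access could be arbitrary.
// skipAfterPseudoTerminal == false reproduces the pre-patch behaviour.
bool blockEscapesArguments(const BasicBlock& block, bool skipAfterPseudoTerminal) {
    for (const Node& n : block) {
        if (skipAfterPseudoTerminal && isPseudoTerminal(n))
            return false;            // nothing after this node ever runs
        if (n.op == Op::GetById && n.usesArguments)
            return true;
    }
    return false;
}

bool canEliminateArguments(const std::vector<BasicBlock>& graph, bool patched) {
    for (const BasicBlock& b : graph)
        if (blockEscapesArguments(b, patched)) return false;
    return true;
}

// The entry's test(flag) as constructed blocks: the `if (flag)` body never ran,
// so its op_get_by_id became ForceOSRExit followed by an unreachable GetById;
// the executed path uses the non-escaping length access.
std::vector<BasicBlock> pageExampleGraph() {
    BasicBlock entry{{Op::CreateArguments}};
    BasicBlock coldBranch{{Op::ForceOSRExit}, {Op::GetById, true}, {Op::Return}};
    BasicBlock hotBranch{{Op::GetArgumentLength, true}, {Op::Return}};
    return {entry, coldBranch, hotBranch};
}

int main() {
    std::vector<BasicBlock> g = pageExampleGraph();
    assert(!canEliminateArguments(g, false)); // before: the cold GetById blocks elimination
    assert(canEliminateArguments(g, true));   // after: nodes past ForceOSRExit are ignored
    return 0;
}
```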
1088
1089 2017-07-20  Chris Dumez  <cdumez@apple.com>
1090
1091         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
1092         https://bugs.webkit.org/show_bug.cgi?id=174660
1093
1094         Reviewed by Geoffrey Garen.
1095
1096         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
1097         This essentially replaces a branch to figure out if the new size is less or greater than the
1098         current size with an assertion.
1099
1100         * b3/B3BasicBlockUtils.h:
1101         (JSC::B3::clearPredecessors):
1102         * b3/B3InferSwitches.cpp:
1103         * b3/B3LowerToAir.cpp:
1104         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
1105         * b3/B3ReduceStrength.cpp:
1106         * b3/B3SparseCollection.h:
1107         (JSC::B3::SparseCollection::packIndices):
1108         * b3/B3UseCounts.cpp:
1109         (JSC::B3::UseCounts::UseCounts):
1110         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
1111         * b3/air/AirEmitShuffle.cpp:
1112         (JSC::B3::Air::emitShuffle):
1113         * b3/air/AirLowerAfterRegAlloc.cpp:
1114         (JSC::B3::Air::lowerAfterRegAlloc):
1115         * b3/air/AirOptimizeBlockOrder.cpp:
1116         (JSC::B3::Air::optimizeBlockOrder):
1117         * bytecode/Operands.h:
1118         (JSC::Operands::ensureLocals):
1119         * bytecode/PreciseJumpTargets.cpp:
1120         (JSC::computePreciseJumpTargetsInternal):
1121         * dfg/DFGBlockInsertionSet.cpp:
1122         (JSC::DFG::BlockInsertionSet::execute):
1123         * dfg/DFGBlockMapInlines.h:
1124         (JSC::DFG::BlockMap<T>::BlockMap):
1125         * dfg/DFGByteCodeParser.cpp:
1126         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
1127         (JSC::DFG::ByteCodeParser::clearCaches):
1128         * dfg/DFGDisassembler.cpp:
1129         (JSC::DFG::Disassembler::Disassembler):
1130         * dfg/DFGFlowIndexing.cpp:
1131         (JSC::DFG::FlowIndexing::recompute):
1132         * dfg/DFGGraph.cpp:
1133         (JSC::DFG::Graph::registerFrozenValues):
1134         * dfg/DFGInPlaceAbstractState.cpp:
1135         (JSC::DFG::setLiveValues):
1136         * dfg/DFGLICMPhase.cpp:
1137         (JSC::DFG::LICMPhase::run):
1138         * dfg/DFGLivenessAnalysisPhase.cpp:
1139         * dfg/DFGNaturalLoops.cpp:
1140         (JSC::DFG::NaturalLoops::NaturalLoops):
1141         * dfg/DFGStoreBarrierClusteringPhase.cpp:
1142         * ftl/FTLLowerDFGToB3.cpp:
1143         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1144         * heap/CodeBlockSet.cpp:
1145         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1146         * heap/MarkedSpace.cpp:
1147         (JSC::MarkedSpace::sweepLargeAllocations):
1148         * inspector/ContentSearchUtilities.cpp:
1149         (Inspector::ContentSearchUtilities::findMagicComment):
1150         * interpreter/ShadowChicken.cpp:
1151         (JSC::ShadowChicken::update):
1152         * parser/ASTBuilder.h:
1153         (JSC::ASTBuilder::shrinkOperandStackBy):
1154         * parser/Lexer.h:
1155         (JSC::Lexer::setOffset):
1156         * runtime/RegExpInlines.h:
1157         (JSC::RegExp::matchInline):
1158         * runtime/RegExpPrototype.cpp:
1159         (JSC::genericSplit):
1160         * yarr/RegularExpression.cpp:
1161         (JSC::Yarr::RegularExpression::match):
1162
1163 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1164
1165         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
1166         https://bugs.webkit.org/show_bug.cgi?id=174678
1167
1168         Reviewed by Mark Lam.
1169
1170         Use Thread& instead.
1171
1172         * runtime/JSLock.cpp:
1173         (JSC::JSLock::didAcquireLock):
1174
1175 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1176
1177         [WTF] Implement WTF::ThreadGroup
1178         https://bugs.webkit.org/show_bug.cgi?id=174081
1179
1180         Reviewed by Mark Lam.
1181
1182         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
1183         And SamplingProfiler and others interact with WTF::Thread directly.
1184
1185         * API/tests/ExecutionTimeLimitTest.cpp:
1186         * heap/MachineStackMarker.cpp:
1187         (JSC::MachineThreads::MachineThreads):
1188         (JSC::captureStack):
1189         (JSC::MachineThreads::tryCopyOtherThreadStack):
1190         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1191         (JSC::MachineThreads::gatherConservativeRoots):
1192         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
1193         (JSC::ActiveMachineThreadsManager::add): Deleted.
1194         (JSC::ActiveMachineThreadsManager::remove): Deleted.
1195         (JSC::ActiveMachineThreadsManager::contains): Deleted.
1196         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
1197         (JSC::activeMachineThreadsManager): Deleted.
1198         (JSC::MachineThreads::~MachineThreads): Deleted.
1199         (JSC::MachineThreads::addCurrentThread): Deleted.
1200         (): Deleted.
1201         (JSC::MachineThreads::removeThread): Deleted.
1202         (JSC::MachineThreads::removeThreadIfFound): Deleted.
1203         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
1204         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
1205         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
1206         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
1207         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
1208         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
1209         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
1210         * heap/MachineStackMarker.h:
1211         (JSC::MachineThreads::addCurrentThread):
1212         (JSC::MachineThreads::getLock):
1213         (JSC::MachineThreads::threads):
1214         (JSC::MachineThreads::MachineThread::suspend): Deleted.
1215         (JSC::MachineThreads::MachineThread::resume): Deleted.
1216         (JSC::MachineThreads::MachineThread::threadID): Deleted.
1217         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
1218         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
1219         (JSC::MachineThreads::threadsListHead): Deleted.
1220         * runtime/SamplingProfiler.cpp:
1221         (JSC::FrameWalker::isValidFramePointer):
1222         (JSC::SamplingProfiler::SamplingProfiler):
1223         (JSC::SamplingProfiler::takeSample):
1224         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1225         * runtime/SamplingProfiler.h:
1226         * wasm/WasmMachineThreads.cpp:
1227         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1228
1229 2017-07-18  Andy Estes  <aestes@apple.com>
1230
1231         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
1232         https://bugs.webkit.org/show_bug.cgi?id=174631
1233
1234         Reviewed by Tim Horton.
1235
1236         * Configurations/Base.xcconfig:
1237         * b3/B3FoldPathConstants.cpp:
1238         * b3/B3LowerMacros.cpp:
1239         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1240         * dfg/DFGByteCodeParser.cpp:
1241         (JSC::DFG::ByteCodeParser::check):
1242         (JSC::DFG::ByteCodeParser::planLoad):
1243
1244 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1245
1246         WTF::Thread should have the thread's stack bounds.
1247         https://bugs.webkit.org/show_bug.cgi?id=173975
1248
1249         Reviewed by Mark Lam.
1250
1251         There is a site in JSC that tries to walk another thread's stack.
1252         Currently, stack bounds are stored in WTFThreadData which is located
1253         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1254         We work around this situation by holding StackBounds in MachineThread in JSC,
1255         but StackBounds should be put in WTF::Thread instead.
1256
1257         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
1258         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
1259
1260         * heap/MachineStackMarker.cpp:
1261         (JSC::MachineThreads::MachineThread::MachineThread):
1262         (JSC::MachineThreads::MachineThread::captureStack):
1263         * heap/MachineStackMarker.h:
1264         (JSC::MachineThreads::MachineThread::stackBase):
1265         (JSC::MachineThreads::MachineThread::stackEnd):
1266         * runtime/VMTraps.cpp:
1267
1268 2017-07-18  Andy Estes  <aestes@apple.com>
1269
1270         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
1271         https://bugs.webkit.org/show_bug.cgi?id=174631
1272
1273         Reviewed by Sam Weinig.
1274
1275         * Configurations/Base.xcconfig:
1276
1277 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
1278
1279         Web Inspector: Modernize InjectedScriptSource
1280         https://bugs.webkit.org/show_bug.cgi?id=173890
1281
1282         Reviewed by Brian Burg.
1283
1284         * inspector/InjectedScript.h:
1285         Reorder functions to be slightly better.
1286
1287         * inspector/InjectedScriptSource.js:
1288         - Convert to classes named InjectedScript and RemoteObject
1289         - Align InjectedScript's API with the wrapper C++ interfaces
1290         - Move some code to RemoteObject where appropriate (subtype, describe)
1291         - Move some code to helper functions (isPrimitiveValue, isDefined)
1292         - Refactor for readability and modern features
1293         - Remove some unused / unnecessary code
1294
1295 2017-07-18  Mark Lam  <mark.lam@apple.com>
1296
1297         Butterfly storage need not be initialized for indexing type Undecided.
1298         https://bugs.webkit.org/show_bug.cgi?id=174516
1299
1300         Reviewed by Saam Barati.
1301
1302         While it's not incorrect to initialize the butterfly storage when the
1303         indexingType is Undecided, it is inefficient as we'll end up initializing
1304         it again later when we convert the storage to a different indexingType.
1305         Some of our code already skips initializing Undecided butterflies.
1306         This patch makes it the consistent behavior everywhere.
1307
1308         * dfg/DFGSpeculativeJIT.cpp:
1309         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1310         * runtime/JSArray.cpp:
1311         (JSC::JSArray::tryCreateUninitializedRestricted):
1312         * runtime/JSArray.h:
1313         (JSC::JSArray::tryCreate):
1314         * runtime/JSObject.cpp:
1315         (JSC::JSObject::ensureLengthSlow):
1316
1317 2017-07-18  Saam Barati  <sbarati@apple.com>
1318
1319         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
1320         https://bugs.webkit.org/show_bug.cgi?id=174515
1321         <rdar://problem/33358092>
1322
1323         Reviewed by Filip Pizlo.
1324
1325         AirLowerAfterRegAlloc was computing the set of available scratch
1326         registers incorrectly. It was always excluding callee save registers
1327         from the set of live registers. It did not guarantee that live callee save
1328         registers were not in the set of scratch registers that could
1329         get clobbered. That's incorrect as the shuffling code is free
1330         to overwrite whatever is in the scratch register it gets passed.
1331
1332         * b3/air/AirLowerAfterRegAlloc.cpp:
1333         (JSC::B3::Air::lowerAfterRegAlloc):
1334         * b3/testb3.cpp:
1335         (JSC::B3::functionNineArgs):
1336         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
1337         (JSC::B3::run):
1338         * jit/RegisterSet.h:
1339
1340 2017-07-18  Andy Estes  <aestes@apple.com>
1341
1342         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
1343         https://bugs.webkit.org/show_bug.cgi?id=174631
1344
1345         Reviewed by Dan Bernstein.
1346
1347         * Configurations/Base.xcconfig:
1348
1349 2017-07-18  Devin Rousso  <drousso@apple.com>
1350
1351         Web Inspector: Add memoryCost to Inspector Protocol objects
1352         https://bugs.webkit.org/show_bug.cgi?id=174478
1353
1354         Reviewed by Joseph Pecoraro.
1355
1356         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
1357         plus the memoryCost of the data if it is a string.
1358
1359         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
1360
1361         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
1362         key plus the memoryCost of the InspectorValue for each entry.
1363
1364         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
1365
1366         * inspector/InspectorValues.h:
1367         * inspector/InspectorValues.cpp:
1368         (Inspector::InspectorValue::memoryCost):
1369         (Inspector::InspectorObjectBase::memoryCost):
1370         (Inspector::InspectorArrayBase::memoryCost):
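
        The three memoryCost rules stated in this entry, carried through on a small value tree as an added example; this is not JSC's InspectorValue code, and the Value struct, the make* helpers and the memoryCost function below are constructed stand-ins that follow the rules exactly as worded (container nodes contribute only their children's cost):

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for the Inspector value tree (not JSC's InspectorValue):
// a node is a scalar, a string, an array of nodes, or an object keyed by strings.
struct Value {
    enum class Type { Scalar, String, Array, Object };
    Type type = Type::Scalar;
    std::string string;                                    // payload for Type::String
    std::vector<std::shared_ptr<Value>> items;             // children for Type::Array
    std::map<std::string, std::shared_ptr<Value>> entries; // key/value pairs for Type::Object
};

using ValuePtr = std::shared_ptr<Value>;

ValuePtr makeScalar() { return std::make_shared<Value>(); }
ValuePtr makeString(std::string s) {
    auto v = std::make_shared<Value>();
    v->type = Value::Type::String;
    v->string = std::move(s);
    return v;
}
ValuePtr makeArray(std::vector<ValuePtr> items) {
    auto v = std::make_shared<Value>();
    v->type = Value::Type::Array;
    v->items = std::move(items);
    return v;
}
ValuePtr makeObject(std::map<std::string, ValuePtr> entries) {
    auto v = std::make_shared<Value>();
    v->type = Value::Type::Object;
    v->entries = std::move(entries);
    return v;
}

// Rules as worded in the entry above:
//  - non-array, non-object: sizeof the node, plus the string bytes it owns;
//  - array: the sum of the memoryCost of every item;
//  - object: per entry, the key's bytes plus the memoryCost of the value.
std::size_t memoryCost(const Value& value) {
    switch (value.type) {
    case Value::Type::Array: {
        std::size_t total = 0;
        for (const auto& item : value.items)
            total += memoryCost(*item);
        return total;
    }
    case Value::Type::Object: {
        std::size_t total = 0;
        for (const auto& entry : value.entries)
            total += entry.first.size() + memoryCost(*entry.second);
        return total;
    }
    case Value::Type::String:
        return sizeof(Value) + value.string.size();
    case Value::Type::Scalar:
    default:
        return sizeof(Value);
    }
}
```

        Because the recursion is driven by the tree shape, a deeply nested or very wide inspector payload is accounted for item by item, which is exactly what a memory budget for protocol objects needs.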
1371
1372 2017-07-18  Andy Estes  <aestes@apple.com>
1373
1374         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
1375         https://bugs.webkit.org/show_bug.cgi?id=174631
1376
1377         Reviewed by Darin Adler.
1378
1379         * Configurations/Base.xcconfig:
1380
1381 2017-07-18  Michael Saboff  <msaboff@apple.com>
1382
1383         [JSC] There should be a debug option to dump a compiled RegExp Pattern
1384         https://bugs.webkit.org/show_bug.cgi?id=174601
1385
1386         Reviewed by Alex Christensen.
1387
1388         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
1389         objects after a regular expression has been compiled.
1390
1391         * runtime/Options.h:
1392         * yarr/YarrPattern.cpp:
1393         (JSC::Yarr::YarrPattern::compile):
1394         (JSC::Yarr::indentForNestingLevel):
1395         (JSC::Yarr::dumpUChar32):
1396         (JSC::Yarr::PatternAlternative::dump):
1397         (JSC::Yarr::PatternTerm::dumpQuantifier):
1398         (JSC::Yarr::PatternTerm::dump):
1399         (JSC::Yarr::PatternDisjunction::dump):
1400         (JSC::Yarr::YarrPattern::dumpPattern):
1401         * yarr/YarrPattern.h:
1402         (JSC::Yarr::YarrPattern::global):
1403
1404 2017-07-17  Darin Adler  <darin@apple.com>
1405
1406         Improve use of NeverDestroyed
1407         https://bugs.webkit.org/show_bug.cgi?id=174348
1408
1409         Reviewed by Sam Weinig.
1410
1411         * heap/MachineStackMarker.cpp:
1412         * wasm/WasmMemory.cpp:
1413         Removed unneeded includes of NeverDestroyed.h in files that do not make use
1414         of NeverDestroyed.
1415
1416 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
1417
1418         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
1419         https://bugs.webkit.org/show_bug.cgi?id=174547
1420
1421         Reviewed by Alex Christensen.
1422
1423         * CMakeLists.txt:
1424         * shell/CMakeLists.txt:
1425
1426 2017-07-17  Saam Barati  <sbarati@apple.com>
1427
1428         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
1429         https://bugs.webkit.org/show_bug.cgi?id=174584
1430
1431         Rubber stamped by Keith Miller.
1432
1433         I used it to diagnose a bug. The bug is now fixed. This custom
1434         RELEASE_ASSERT is no longer needed.
1435
1436         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1437
1438 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
1439
1440         -Wformat-truncation warning in ConfigFile.cpp
1441         https://bugs.webkit.org/show_bug.cgi?id=174506
1442
1443         Reviewed by Darin Adler.
1444
1445         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
1446         return ParseError.
1447
1448         * runtime/ConfigFile.cpp:
1449         (JSC::ConfigFile::parse):
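
        The truncation check this entry describes, as an added example (not JSC's ConfigFile.cpp; the ConfigStatus enum, the buildConfigPath name and the 64-byte limit are constructed for illustration). snprintf returns the length the full string would have needed, so comparing that value against the buffer size detects truncation before the shortened path is ever used:

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Constructed stand-in for the parse status named in the entry; not JSC's own type.
enum class ConfigStatus { Ok, ParseError };

// Joins a directory and a file name into a caller-sized buffer (a PATH_MAX-like
// limit) and reports ParseError instead of silently continuing with a truncated
// path. snprintf returns the number of characters the untruncated result would
// have had, so a value >= outPathSize means the buffer was too small.
ConfigStatus buildConfigPath(const char* directory, const char* fileName,
                             char* outPath, std::size_t outPathSize) {
    int needed = std::snprintf(outPath, outPathSize, "%s/%s", directory, fileName);
    if (needed < 0 || static_cast<std::size_t>(needed) >= outPathSize) {
        outPath[0] = '\0'; // never hand a half-written path back to the caller
        return ConfigStatus::ParseError;
    }
    return ConfigStatus::Ok;
}

// Test helper: returns the joined path, or an empty string when the join failed.
std::string joinedOrEmpty(const std::string& dir, const std::string& file, std::size_t limit) {
    char buffer[64];
    if (limit > sizeof(buffer))
        limit = sizeof(buffer);
    if (buildConfigPath(dir.c_str(), file.c_str(), buffer, limit) != ConfigStatus::Ok)
        return std::string();
    return std::string(buffer);
}
```

        The point of the check is ordering: the return value is inspected before the buffer is treated as a valid path, and the buffer is cleared on failure so a caller cannot open a file under an accidentally shortened name.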
1450
1451 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
1452
1453         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
1454         https://bugs.webkit.org/show_bug.cgi?id=174557
1455
1456         Reviewed by Michael Catanzaro.
1457
1458         * CMakeLists.txt:
1459
1460 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1461
1462         [WTF] Use std::unique_ptr for StackTrace
1463         https://bugs.webkit.org/show_bug.cgi?id=174495
1464
1465         Reviewed by Alex Christensen.
1466
1467         * runtime/ExceptionScope.cpp:
1468         (JSC::ExceptionScope::unexpectedExceptionMessage):
1469         * runtime/VM.cpp:
1470         (JSC::VM::throwException):
1471
1472 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1473
1474         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
1475         https://bugs.webkit.org/show_bug.cgi?id=174423
1476
1477         Reviewed by Saam Barati.
1478
1479         * dfg/DFGAvailabilityMap.cpp:
1480         (JSC::DFG::AvailabilityMap::pruneHeap):
1481         (JSC::DFG::AvailabilityMap::pruneByLiveness):
1482
1483 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
1484
1485         Fix compiler warnings when building with GCC 7
1486         https://bugs.webkit.org/show_bug.cgi?id=174463
1487
1488         Reviewed by Darin Adler.
1489
1490         * disassembler/udis86/udis86_decode.c:
1491         (decode_operand):
1492
1493 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
1494
1495         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
1496         https://bugs.webkit.org/show_bug.cgi?id=174467
1497
1498         Reviewed by Saam Barati.
1499
1500         * bytecode/CallLinkInfo.cpp:
1501         (JSC::CallLinkInfo::callTypeFor):
1502
1503 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
1504
1505         Web Inspector: Remove unused and untested Page domain commands
1506         https://bugs.webkit.org/show_bug.cgi?id=174429
1507
1508         Reviewed by Timothy Hatcher.
1509
1510         * inspector/protocol/Page.json:
1511
1512 2017-07-13  Saam Barati  <sbarati@apple.com>
1513
1514         Missing exception check in JSObject::hasInstance
1515         https://bugs.webkit.org/show_bug.cgi?id=174455
1516         <rdar://problem/31384608>
1517
1518         Reviewed by Mark Lam.
1519
1520         * runtime/JSObject.cpp:
1521         (JSC::JSObject::hasInstance):
1522
1523 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
1524
1525         [ESnext] Implement Object Spread
1526         https://bugs.webkit.org/show_bug.cgi?id=167963
1527
1528         Reviewed by Saam Barati.
1529
1530         This patch implements ECMA262 stage 3 Object Spread proposal [1].
1531         It's implemented using CopyDataPropertiesNoExclusions to copy
1532         all enumerable keys from the object being spread. The implementation of
1533         CopyDataPropertiesNoExclusions follows the CopyDataProperties
1534         implementation; however, we don't receive excludedNames as a parameter.
1535
1536         [1] - https://github.com/tc39/proposal-object-rest-spread
1537
1538         * builtins/GlobalOperations.js:
1539         (globalPrivate.copyDataPropertiesNoExclusions):
1540         * bytecompiler/BytecodeGenerator.cpp:
1541         (JSC::BytecodeGenerator::emitLoad):
1542         * bytecompiler/NodesCodegen.cpp:
1543         (JSC::PropertyListNode::emitBytecode):
1544         (JSC::ObjectSpreadExpressionNode::emitBytecode):
1545         * parser/ASTBuilder.h:
1546         (JSC::ASTBuilder::createObjectSpreadExpression):
1547         (JSC::ASTBuilder::createProperty):
1548         * parser/NodeConstructors.h:
1549         (JSC::PropertyNode::PropertyNode):
1550         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
1551         * parser/Nodes.h:
1552         (JSC::ObjectSpreadExpressionNode::expression):
1553         * parser/Parser.cpp:
1554         (JSC::Parser<LexerType>::parseProperty):
1555         * parser/SyntaxChecker.h:
1556         (JSC::SyntaxChecker::createObjectSpreadExpression):
1557         (JSC::SyntaxChecker::createProperty):
1558
1559 2017-07-12  Mark Lam  <mark.lam@apple.com>
1560
1561         Gardening: build fix after r219434.
1562         https://bugs.webkit.org/show_bug.cgi?id=174441
1563
1564         Not reviewed.
1565
1566         Make public some MacroAssembler functions that are needed by the probe implementation.
1567
1568         * assembler/MacroAssemblerARM.h:
1569         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1570         * assembler/MacroAssemblerARMv7.h:
1571         (JSC::MacroAssemblerARMv7::linkCall):
1572
1573 2017-07-12  Mark Lam  <mark.lam@apple.com>
1574
1575         Move Probe code from AbstractMacroAssembler to MacroAssembler.
1576         https://bugs.webkit.org/show_bug.cgi?id=174441
1577
1578         Reviewed by Saam Barati.
1579
1580         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
1581         to MacroAssembler.  There is no code behavior change.
1582
1583         * assembler/AbstractMacroAssembler.h:
1584         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
1585         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
1586         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
1587         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
1588         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
1589         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
1590         * assembler/MacroAssembler.h:
1591         (JSC::MacroAssembler::CPUState::gprName):
1592         (JSC::MacroAssembler::CPUState::fprName):
1593         (JSC::MacroAssembler::CPUState::gpr):
1594         (JSC::MacroAssembler::CPUState::fpr):
1595         * assembler/MacroAssemblerARM.cpp:
1596         (JSC::MacroAssembler::probe):
1597         (JSC::MacroAssemblerARM::probe): Deleted.
1598         * assembler/MacroAssemblerARM.h:
1599         * assembler/MacroAssemblerARM64.cpp:
1600         (JSC::MacroAssembler::probe):
1601         (JSC::MacroAssemblerARM64::probe): Deleted.
1602         * assembler/MacroAssemblerARM64.h:
1603         * assembler/MacroAssemblerARMv7.cpp:
1604         (JSC::MacroAssembler::probe):
1605         (JSC::MacroAssemblerARMv7::probe): Deleted.
1606         * assembler/MacroAssemblerARMv7.h:
1607         * assembler/MacroAssemblerMIPS.h:
1608         * assembler/MacroAssemblerX86Common.cpp:
1609         (JSC::MacroAssembler::probe):
1610         (JSC::MacroAssemblerX86Common::probe): Deleted.
1611         * assembler/MacroAssemblerX86Common.h:
1612
1613 2017-07-12  Saam Barati  <sbarati@apple.com>
1614
1615         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
1616         https://bugs.webkit.org/show_bug.cgi?id=174411
1617         <rdar://problem/31696186>
1618
1619         Reviewed by Mark Lam.
1620
1621         The code for deleting an argument was incorrectly referencing state
1622         when it decided if it should unmap or mark a property as having its
1623         descriptor modified. This patch fixes the bug where if we delete a
1624         property, we would sometimes not unmap an argument when deleting it.
1625
1626         * runtime/GenericArgumentsInlines.h:
1627         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1628         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1629         (JSC::GenericArguments<Type>::deleteProperty):
1630         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1631
1632 2017-07-12  Commit Queue  <commit-queue@webkit.org>
1633
1634         Unreviewed, rolling out r219176.
1635         https://bugs.webkit.org/show_bug.cgi?id=174436
1636
1637         "Can cause infinite recursion on iOS" (Requested by mlam on
1638         #webkit).
1639
1640         Reverted changeset:
1641
1642         "WTF::Thread should have the threads stack bounds."
1643         https://bugs.webkit.org/show_bug.cgi?id=173975
1644         http://trac.webkit.org/changeset/219176
1645
1646 2017-07-12  Matt Lewis  <jlewis3@apple.com>
1647
1648         Unreviewed, rolling out r219401.
1649
1650         This revision rolled out the previous patch, but after talking
1651         with reviewer, a rebaseline is what was needed. Rolling back in
1652         before rebaseline.
1653
1654         Reverted changeset:
1655
1656         "Unreviewed, rolling out r219379."
1657         https://bugs.webkit.org/show_bug.cgi?id=174400
1658         http://trac.webkit.org/changeset/219401
1659
1660 2017-07-12  Matt Lewis  <jlewis3@apple.com>
1661
1662         Unreviewed, rolling out r219379.
1663
1664         This revision caused a consistent failure in the test
1665         fast/dom/Window/property-access-on-cached-window-after-frame-removed.html.
1667
1668         Reverted changeset:
1669
1670         "Remove NAVIGATOR_HWCONCURRENCY"
1671         https://bugs.webkit.org/show_bug.cgi?id=174400
1672         http://trac.webkit.org/changeset/219379
1673
1674 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
1675
1676         Wrong radix used in Unicode Escape in invalid character error message
1677         https://bugs.webkit.org/show_bug.cgi?id=174419
1678
1679         Reviewed by Alex Christensen.
1680
1681         * parser/Lexer.cpp:
1682         (JSC::Lexer<T>::invalidCharacterMessage):
1683
1684 2017-07-11  Dean Jackson  <dino@apple.com>
1685
1686         Remove NAVIGATOR_HWCONCURRENCY
1687         https://bugs.webkit.org/show_bug.cgi?id=174400
1688
1689         Reviewed by Sam Weinig.
1690
1691         * Configurations/FeatureDefines.xcconfig:
1692
1693 2017-07-11  Dean Jackson  <dino@apple.com>
1694
1695         Rolling out r219372.
1696
1697         * Configurations/FeatureDefines.xcconfig:
1698
1699 2017-07-11  Dean Jackson  <dino@apple.com>
1700
1701         Remove NAVIGATOR_HWCONCURRENCY
1702         https://bugs.webkit.org/show_bug.cgi?id=174400
1703
1704         Reviewed by Sam Weinig.
1705
1706         * Configurations/FeatureDefines.xcconfig:
1707
1708 2017-07-11  Saam Barati  <sbarati@apple.com>
1709
1710         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
1711         https://bugs.webkit.org/show_bug.cgi?id=174397
1712
1713         Rubber stamped by David Kilzer.
1714
1715         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
1716         * wasm/js/WebAssemblyFunctionCell.h: Removed.
1717
1718 2017-07-10  Saam Barati  <sbarati@apple.com>
1719
1720         Allocation sinking phase should consider a CheckStructure that would fail as an escape
1721         https://bugs.webkit.org/show_bug.cgi?id=174321
1722         <rdar://problem/32604963>
1723
1724         Reviewed by Filip Pizlo.
1725
1726         When the allocation sinking phase was generating stores to materialize
1727         objects in a cycle with each other, it would assume that each materialized
1728         object had a valid, non empty, set of structures. This is an OK assumption for
1729         the phase to make because how do you materialize an object with no structure?
1730         
1731         The abstract interpretation part of the phase will model what's in the heap.
1732         However, it would sometimes model that a CheckStructure would fail. The phase
1733         did nothing special for this; it just stored the empty set of structures for
1734         its representation of a particular allocation. However, what the phase proved
1735         in such a scenario is that, had the CheckStructure executed, it would have exited.
1736         
1737         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
1738         This will cause the allocation in question to be materialized just before
1739         the CheckStructure, and then at execution time, the CheckStructure will exit.
1740         
1741         I wasn't able to write a test case for this. However, I was able to reproduce
1742         this crash by manually editing the IR. I've opened a separate bug to help us
1743         create a testing framework for writing tests for hard to reproduce bugs like this:
1744         https://bugs.webkit.org/show_bug.cgi?id=174322
1745
1746         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1747
1748 2017-07-10  Devin Rousso  <drousso@apple.com>
1749
1750         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
1751         https://bugs.webkit.org/show_bug.cgi?id=174279
1752
1753         Reviewed by Matt Baker.
1754
1755         * inspector/protocol/DOM.json:
1756         Add `highlightNodeList` command that will highlight each node in the given list.
1757
1758 2017-07-03  Brian Burg  <bburg@apple.com>
1759
1760         Web Replay: remove some unused code
1761         https://bugs.webkit.org/show_bug.cgi?id=173903
1762
1763         Rubber-stamped by Joseph Pecoraro.
1764
1765         * CMakeLists.txt:
1766         * Configurations/FeatureDefines.xcconfig:
1767         * DerivedSources.make:
1768         * JavaScriptCore.xcodeproj/project.pbxproj:
1769         * inspector/protocol/Replay.json: Removed.
1770         * replay/EmptyInputCursor.h: Removed.
1771         * replay/EncodedValue.cpp: Removed.
1772         * replay/EncodedValue.h: Removed.
1773         * replay/InputCursor.h: Removed.
1774         * replay/JSInputs.json: Removed.
1775         * replay/NondeterministicInput.h: Removed.
1776         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
1777         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
1778         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
1779         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
1780         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
1781         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
1782         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
1783         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
1784         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
1785         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
1786         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
1787         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
1788         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
1789         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
1790         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
1791         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
1792         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
1793         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
1794         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
1795         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
1796         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
1797         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
1798         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
1799         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
1800         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
1801         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
1802         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
1803         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
1804         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
1805         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
1806         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
1807         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
1808         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
1809         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
1810         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
1811         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
1812         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
1813         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
1814         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
1815         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
1816         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
1817         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
1818         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
1819         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
1820         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
1821         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
1822         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
1823         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
1824         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
1825         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
1826         * replay/scripts/tests/generate-input-with-guard.json: Removed.
1827         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
1828         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
1829         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
1830         * runtime/DateConstructor.cpp:
1831         (JSC::constructDate):
1832         (JSC::dateNow):
1833         (JSC::deterministicCurrentTime): Deleted.
1834         * runtime/JSGlobalObject.cpp:
1835         (JSC::JSGlobalObject::JSGlobalObject):
1836         (JSC::JSGlobalObject::setInputCursor): Deleted.
1837         * runtime/JSGlobalObject.h:
1838         (JSC::JSGlobalObject::inputCursor): Deleted.
1839
1840 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
1841
1842         Move make-js-file-arrays.py from WebCore to JavaScriptCore
1843         https://bugs.webkit.org/show_bug.cgi?id=174024
1844
1845         Reviewed by Michael Catanzaro.
1846
1847         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
1848         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
1849         Added command line option to pass the namespace to use instead of using WebCore.
1850
1851         * JavaScriptCore.xcodeproj/project.pbxproj:
1852         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
1853         (main):
1854
1855 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1856
1857         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
1858         https://bugs.webkit.org/show_bug.cgi?id=174296
1859
1860         Reviewed by Mark Lam.
1861
1862         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
1863         It caused a problem in scanning template literals. While template literals normalize
1864         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
1865         To handle it correctly, LineNumberAdder was introduced.
1866
1867         As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
1868         LineNumberAdder. Let's just use shiftLineTerminator() instead.
1869
1870         * parser/Lexer.cpp:
1871         (JSC::Lexer<T>::parseTemplateLiteral):
1872         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
1873         (JSC::LineNumberAdder::clear): Deleted.
1874         (JSC::LineNumberAdder::add): Deleted.
1875
1876 2017-07-09  Dan Bernstein  <mitz@apple.com>
1877
1878         [Xcode] ICU headers aren’t treated as system headers after r219155
1879         https://bugs.webkit.org/show_bug.cgi?id=174299
1880
1881         Reviewed by Sam Weinig.
1882
1883         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
1884           C++ compilers.
1885
1886         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
1887         * runtime/IntlDateTimeFormat.cpp: Ditto.
1888         * runtime/JSGlobalObject.cpp: Ditto.
1889         * runtime/StringPrototype.cpp: Ditto.
1890
1891 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1892
1893         [JSC] Use fastMalloc / fastFree for STL containers
1894         https://bugs.webkit.org/show_bug.cgi?id=174297
1895
1896         Reviewed by Sam Weinig.
1897
1898         In some places, we intentionally use STL containers over WTF containers.
1899         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
1900         because we do not have effective empty / deleted representations in the key's value space.
1901         But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
1902
1903         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
1904         We specify this allocator as the STL containers' allocator template parameter so that they allocate memory from fastMalloc.
1905
1906         This WTF::FastAllocator gives us a chance to use STL containers when necessary
1907         without compromising memory allocation throughput.
1908
1909         * dfg/DFGGraph.h:
1910         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1911         * ftl/FTLLowerDFGToB3.cpp:
1912         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
1913         * runtime/FunctionHasExecutedCache.h:
1914         * runtime/TypeLocationCache.h:
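
        How an allocator template parameter redirects an STL container's memory, as an added example rather than WTF's own FastAllocator: CountingAllocator below is a constructed, minimal C++ allocator that routes every allocate/deallocate through countingMalloc/countingFree, which stand in for fastMalloc/fastFree and count their calls so the redirection is observable.

```cpp
#include <cstddef>
#include <cstdlib>
#include <functional>
#include <new>
#include <unordered_map>
#include <utility>

// Constructed stand-ins for fastMalloc / fastFree: real malloc/free plus call
// counters, so a test can prove the container never touched the default allocator path.
static std::size_t g_allocCalls = 0;
static std::size_t g_freeCalls = 0;

static void* countingMalloc(std::size_t bytes) {
    ++g_allocCalls;
    void* p = std::malloc(bytes);
    if (!p)
        throw std::bad_alloc();
    return p;
}

static void countingFree(void* p) {
    ++g_freeCalls;
    std::free(p);
}

// Minimal allocator satisfying the C++ Allocator requirements: value_type,
// allocate/deallocate, a converting constructor (containers rebind it to their
// node types) and equality, which lets every instance release another's memory.
template<typename T>
struct CountingAllocator {
    using value_type = T;

    CountingAllocator() noexcept = default;
    template<typename U>
    CountingAllocator(const CountingAllocator<U>&) noexcept {}

    T* allocate(std::size_t n) {
        if (n > static_cast<std::size_t>(-1) / sizeof(T))
            throw std::bad_alloc(); // overflow guard before multiplying
        return static_cast<T*>(countingMalloc(n * sizeof(T)));
    }
    void deallocate(T* p, std::size_t) noexcept { countingFree(p); }
};

template<typename T, typename U>
bool operator==(const CountingAllocator<T>&, const CountingAllocator<U>&) noexcept { return true; }
template<typename T, typename U>
bool operator!=(const CountingAllocator<T>&, const CountingAllocator<U>&) noexcept { return false; }

// The allocator is the last template parameter of std::unordered_map; the hash
// and equality parameters have to be spelled out to reach it.
template<typename K, typename V>
using CountingUnorderedMap = std::unordered_map<K, V, std::hash<K>, std::equal_to<K>,
                                                CountingAllocator<std::pair<const K, V>>>;

// Builds and destroys a map of `count` entries and returns how many allocations
// went through the custom allocator while doing so.
std::size_t allocationsForMapOfSize(std::size_t count) {
    std::size_t before = g_allocCalls;
    {
        CountingUnorderedMap<int, int> map;
        for (std::size_t i = 0; i < count; ++i)
            map.emplace(static_cast<int>(i), static_cast<int>(i * i));
    } // map destroyed here; every node and bucket array goes back through countingFree
    return g_allocCalls - before;
}

bool allAllocationsFreed() { return g_allocCalls == g_freeCalls; }
```

        Each inserted node costs at least one allocation, so a 100-entry map drives at least 100 calls through the custom path, and once the map goes out of scope the free counter matches the allocation counter.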
1915
1916 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1917
1918         Drop NOSNIFF compile flag
1919         https://bugs.webkit.org/show_bug.cgi?id=174289
1920
1921         Reviewed by Michael Catanzaro.
1922
1923         * Configurations/FeatureDefines.xcconfig:
1924
1925 2017-07-07  AJ Ringer  <aringer@apple.com>
1926
1927         Lower the max_protection for the separated heap
1928         https://bugs.webkit.org/show_bug.cgi?id=174281
1929
1930         Reviewed by Oliver Hunt.
1931
1932         Switch to vm_protect so we can set maximum page protection.
1933
1934         * jit/ExecutableAllocator.cpp:
1935         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1936         (JSC::ExecutableAllocator::allocate):
1937
1938 2017-07-07  Devin Rousso  <drousso@apple.com>
1939
1940         Web Inspector: Show all elements currently using a given CSS Canvas
1941         https://bugs.webkit.org/show_bug.cgi?id=173965
1942
1943         Reviewed by Joseph Pecoraro.
1944
1945         * inspector/protocol/Canvas.json:
1946          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
1947            canvas via -webkit-canvas.
1948          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
1949            added/removed from the list of -webkit-canvas clients.
1950
1951 2017-07-07  Mark Lam  <mark.lam@apple.com>
1952
1953         \n\r is not the same as \r\n.
1954         https://bugs.webkit.org/show_bug.cgi?id=173053
1955
1956         Reviewed by Keith Miller.
1957
1958         * parser/Lexer.cpp:
1959         (JSC::Lexer<T>::shiftLineTerminator):
1960         (JSC::LineNumberAdder::add):
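
        The line-terminator rule behind this entry and the LineNumberAdder removal above (<CR><LF> is one terminator, <LF><CR> is two), shown as an added example; this is not JSC's Lexer, and scanLineTerminators, LineScan and lineNumberAtEnd are constructed names. The scan works on byte strings, so U+2028 and U+2029 are left out:

```cpp
#include <cstddef>
#include <string>

// Result of one pass over the source: how many terminators were consumed and
// where the final line starts. Constructed for this example, not JSC's types.
struct LineScan {
    std::size_t lineCount;     // number of line terminators seen
    std::size_t lastLineStart; // byte offset at which the final line begins
};

// Mirrors the rule from the two entries: a <CR> swallows an immediately
// following <LF> into the same terminator, but a <LF> never swallows a <CR>,
// so "\n\r" advances the line number twice while "\r\n" advances it once.
LineScan scanLineTerminators(const std::string& source) {
    LineScan result{0, 0};
    std::size_t i = 0;
    while (i < source.size()) {
        char c = source[i];
        if (c == '\r') {
            // <CR> optionally followed by <LF> forms one terminator.
            i += (i + 1 < source.size() && source[i + 1] == '\n') ? 2 : 1;
            ++result.lineCount;
            result.lastLineStart = i;
        } else if (c == '\n') {
            // A bare <LF>; a <CR> that follows is handled as its own terminator next pass.
            ++i;
            ++result.lineCount;
            result.lastLineStart = i;
        } else {
            ++i;
        }
    }
    return result;
}

// 1-based line number the scanner would report at the end of `source`.
std::size_t lineNumberAtEnd(const std::string& source) {
    return 1 + scanLineTerminators(source).lineCount;
}
```

        Getting this wrong shifts every subsequent line number, which is why the earlier entry could drop LineNumberAdder once the lexer stopped merging <LF><CR>: with the two-terminator rule, template literal normalization of <LF><CR> to <LF><LF> no longer disagrees with the line count.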
1961
1962 2017-07-07  Commit Queue  <commit-queue@webkit.org>
1963
1964         Unreviewed, rolling out r219238, r219239, and r219241.
1965         https://bugs.webkit.org/show_bug.cgi?id=174265
1966
1967         "fast/workers/dedicated-worker-lifecycle.html is flaky"
1968         (Requested by yusukesuzuki on #webkit).
1969
1970         Reverted changesets:
1971
1972         "[WTF] Implement WTF::ThreadGroup"
1973         https://bugs.webkit.org/show_bug.cgi?id=174081
1974         http://trac.webkit.org/changeset/219238
1975
1976         "Unreviewed, build fix after r219238"
1977         https://bugs.webkit.org/show_bug.cgi?id=174081
1978         http://trac.webkit.org/changeset/219239
1979
1980         "Unreviewed, CLoop build fix after r219238"
1981         https://bugs.webkit.org/show_bug.cgi?id=174081
1982         http://trac.webkit.org/changeset/219241
1983
1984 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1985
1986         Unreviewed, CLoop build fix after r219238
1987         https://bugs.webkit.org/show_bug.cgi?id=174081
1988
1989         * heap/MachineStackMarker.cpp:
1990
1991 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1992
1993         [WTF] Implement WTF::ThreadGroup
1994         https://bugs.webkit.org/show_bug.cgi?id=174081
1995
1996         Reviewed by Mark Lam.
1997
1998         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
1999         And SamplingProfiler and others interact with WTF::Thread directly.
2000
2001         * API/tests/ExecutionTimeLimitTest.cpp:
2002         * heap/MachineStackMarker.cpp:
2003         (JSC::MachineThreads::MachineThreads):
2004         (JSC::captureStack):
2005         (JSC::MachineThreads::tryCopyOtherThreadStack):
2006         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2007         (JSC::MachineThreads::gatherConservativeRoots):
2008         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2009         (JSC::ActiveMachineThreadsManager::add): Deleted.
2010         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2011         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2012         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2013         (JSC::activeMachineThreadsManager): Deleted.
2014         (JSC::MachineThreads::~MachineThreads): Deleted.
2015         (JSC::MachineThreads::addCurrentThread): Deleted.
2016         (): Deleted.
2017         (JSC::MachineThreads::removeThread): Deleted.
2018         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2019         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2020         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2021         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2022         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2023         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2024         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2025         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2026         * heap/MachineStackMarker.h:
2027         (JSC::MachineThreads::addCurrentThread):
2028         (JSC::MachineThreads::getLock):
2029         (JSC::MachineThreads::threads):
2030         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2031         (JSC::MachineThreads::MachineThread::resume): Deleted.
2032         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2033         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2034         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2035         (JSC::MachineThreads::threadsListHead): Deleted.
2036         * runtime/SamplingProfiler.cpp:
2037         (JSC::FrameWalker::isValidFramePointer):
2038         (JSC::SamplingProfiler::SamplingProfiler):
2039         (JSC::SamplingProfiler::takeSample):
2040         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2041         * runtime/SamplingProfiler.h:
2042         * wasm/WasmMachineThreads.cpp:
2043         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2044
2045 2017-07-06  Saam Barati  <sbarati@apple.com>
2046
2047         We are missing places where we invalidate the for-in context
2048         https://bugs.webkit.org/show_bug.cgi?id=174184
2049
2050         Reviewed by Geoffrey Garen.
2051
2052         * bytecompiler/BytecodeGenerator.cpp:
2053         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2054         * bytecompiler/NodesCodegen.cpp:
2055         (JSC::EmptyLetExpression::emitBytecode):
2056         (JSC::ForInNode::emitLoopHeader):
2057         (JSC::ForOfNode::emitBytecode):
2058         (JSC::BindingNode::bindValue):
2059
2060 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2061
2062         Unreviewed, suppress warnings in GCC environment
2063
2064         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2065         * runtime/IntlCollator.cpp:
2066         * runtime/IntlDateTimeFormat.cpp:
2067         * runtime/JSGlobalObject.cpp:
2068         * runtime/StringPrototype.cpp:
2069
2070 2017-07-05  Saam Barati  <sbarati@apple.com>
2071
2072         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
2073         https://bugs.webkit.org/show_bug.cgi?id=174188
2074         <rdar://problem/30581423>
2075
2076         Reviewed by Mark Lam.
2077
2078         We were calling lowJSValue(edge) when we were speculating the
2079         edge as double. This isn't allowed. We should have been using
2080         lowDouble.
2081         
2082         This patch also adds a new option, called useArrayAllocationProfiling,
2083         which defaults to true. When false, it will make the array allocation
2084         profile not actually sample seen arrays. It'll force the allocation
2085         profile's predicted indexing type to be ArrayWithUndecided. Adding
2086         this option made it trivial to write a test for this bug.
2087
2088         * bytecode/ArrayAllocationProfile.cpp:
2089         (JSC::ArrayAllocationProfile::updateIndexingType):
2090         * ftl/FTLLowerDFGToB3.cpp:
2091         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2092         * runtime/Options.h:
2093
2094 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2095
2096         WTF::Thread should have the threads stack bounds.
2097         https://bugs.webkit.org/show_bug.cgi?id=173975
2098
2099         Reviewed by Keith Miller.
2100
2101         There is a site in JSC that tries to walk another thread's stack.
2102         Currently, stack bounds are stored in WTFThreadData which is located
2103         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2104         We work around this situation by holding StackBounds in MachineThread in JSC,
2105         but StackBounds should be put in WTF::Thread instead.
2106
2107         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
2108         information is tightly coupled with Thread. Thus putting it in WTF::Thread
2109         is a natural choice.
2110
2111         * heap/MachineStackMarker.cpp:
2112         (JSC::MachineThreads::MachineThread::MachineThread):
2113         (JSC::MachineThreads::MachineThread::captureStack):
2114         * heap/MachineStackMarker.h:
2115         (JSC::MachineThreads::MachineThread::stackBase):
2116         (JSC::MachineThreads::MachineThread::stackEnd):
2117         * runtime/InitializeThreading.cpp:
2118         (JSC::initializeThreading):
2119         * runtime/VM.cpp:
2120         (JSC::VM::VM):
2121         (JSC::VM::updateStackLimits):
2122         (JSC::VM::committedStackByteCount):
2123         * runtime/VM.h:
2124         (JSC::VM::isSafeToRecurse):
2125         * runtime/VMEntryScope.cpp:
2126         (JSC::VMEntryScope::VMEntryScope):
2127         * runtime/VMInlines.h:
2128         (JSC::VM::ensureStackCapacityFor):
2129         * runtime/VMTraps.cpp:
2130         * yarr/YarrPattern.cpp:
2131         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2132
2133 2017-07-05  Keith Miller  <keith_miller@apple.com>
2134
2135         Crashing with information should have an abort reason
2136         https://bugs.webkit.org/show_bug.cgi?id=174185
2137
2138         Reviewed by Saam Barati.
2139
2140         Add crash information for the abstract interpreter and add an enum
2141         value for object allocation sinking.
2142
2143         * assembler/AbortReason.h:
2144         * dfg/DFGAbstractInterpreterInlines.h:
2145         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
2146         * dfg/DFGGraph.cpp:
2147         (JSC::DFG::logDFGAssertionFailure):
2148         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2149
2150 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
2151
2152         Remove copy of ICU headers from WebKit
2153         https://bugs.webkit.org/show_bug.cgi?id=116407
2154
2155         Reviewed by Alex Christensen.
2156
2157         Use WTF's copy of ICU headers.
2158
2159         * Configurations/Base.xcconfig:
2160         * icu/unicode/localpointer.h: Removed.
2161         * icu/unicode/parseerr.h: Removed.
2162         * icu/unicode/platform.h: Removed.
2163         * icu/unicode/ptypes.h: Removed.
2164         * icu/unicode/putil.h: Removed.
2165         * icu/unicode/uchar.h: Removed.
2166         * icu/unicode/ucnv.h: Removed.
2167         * icu/unicode/ucnv_err.h: Removed.
2168         * icu/unicode/ucol.h: Removed.
2169         * icu/unicode/uconfig.h: Removed.
2170         * icu/unicode/ucurr.h: Removed.
2171         * icu/unicode/uenum.h: Removed.
2172         * icu/unicode/uiter.h: Removed.
2173         * icu/unicode/uloc.h: Removed.
2174         * icu/unicode/umachine.h: Removed.
2175         * icu/unicode/unorm.h: Removed.
2176         * icu/unicode/unorm2.h: Removed.
2177         * icu/unicode/urename.h: Removed.
2178         * icu/unicode/uscript.h: Removed.
2179         * icu/unicode/uset.h: Removed.
2180         * icu/unicode/ustring.h: Removed.
2181         * icu/unicode/utf.h: Removed.
2182         * icu/unicode/utf16.h: Removed.
2183         * icu/unicode/utf8.h: Removed.
2184         * icu/unicode/utf_old.h: Removed.
2185         * icu/unicode/utypes.h: Removed.
2186         * icu/unicode/uvernum.h: Removed.
2187         * icu/unicode/uversion.h: Removed.
2188         * runtime/IntlCollator.cpp:
2189         * runtime/IntlDateTimeFormat.cpp:
2190         (JSC::IntlDateTimeFormat::partTypeString):
2191         * runtime/JSGlobalObject.cpp:
2192         * runtime/StringPrototype.cpp:
2193         (JSC::normalize):
2194         (JSC::stringProtoFuncNormalize):
2195
2196 2017-07-05  Devin Rousso  <drousso@apple.com>
2197
2198         Web Inspector: Allow users to log any tracked canvas context
2199         https://bugs.webkit.org/show_bug.cgi?id=173397
2200         <rdar://problem/33111581>
2201
2202         Reviewed by Joseph Pecoraro.
2203
2204         * inspector/protocol/Canvas.json:
2205         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
2206
2207 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
2208
2209         Add WebKitPrivateFrameworkStubs for iOS 11
2210         https://bugs.webkit.org/show_bug.cgi?id=173988
2211
2212         Reviewed by David Kilzer.
2213
2214         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
2215         same directory for private framework stubs.
2216
2217 2017-07-05  JF Bastien  <jfbastien@apple.com>
2218
2219         WebAssembly: implement name section's module name, skip unknown sections
2220         https://bugs.webkit.org/show_bug.cgi?id=172008
2221
2222         Reviewed by Keith Miller.
2223
2224         Parse the WebAssembly module name properly, and skip unknown
2225         sections. This is useful because as toolchains support new types
2226         of names we want to keep displaying the information we know about
2227         and simply ignore new information. That capability was designed
2228         into WebAssembly's name section.
2229
2230         Failure to commit this patch would mean that WebKit won't display
2231         stack trace information, which would make developers sad.
2232
2233         Module names were added here: https://github.com/WebAssembly/design/pull/1055
2234
2235         Note that this patch doesn't do anything with the parsed name! Two
2236         reasons for this: module names aren't supported in binaryen yet,
2237         so I can't write a simple binary test; and using the name is a
2238         slightly riskier change because it requires changing StackVisitor
2239         + StackFrame (where they print "[wasm code]") which requires
2240         figuring out the frame's Module. The latter bit isn't trivial
2241         because we only know wasm frames from their tag bits, and
2242         CodeBlocks are always nullptr.
2243
2244         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
2245
2246         I filed #174098 to use the module name.
2247
2248         * wasm/WasmFormat.h:
2249         (JSC::Wasm::isValidNameType):
2250         * wasm/WasmNameSectionParser.cpp:
2251
2252 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
2253
2254         Cleanup some StringBuilder use
2255         https://bugs.webkit.org/show_bug.cgi?id=174118
2256
2257         Reviewed by Andreas Kling.
2258
2259         * runtime/FunctionConstructor.cpp:
2260         (JSC::constructFunctionSkippingEvalEnabledCheck):
2261         * tools/FunctionOverrides.cpp:
2262         (JSC::parseClause):
2263         * wasm/WasmOMGPlan.cpp:
2264         * wasm/WasmPlan.cpp:
2265         * wasm/WasmValidate.cpp:
2266
2267 2017-07-03  Saam Barati  <sbarati@apple.com>
2268
2269         LayoutTest workers/bomb.html is a Crash
2270         https://bugs.webkit.org/show_bug.cgi?id=167757
2271         <rdar://problem/33086462>
2272
2273         Reviewed by Keith Miller.
2274
2275         VMTraps::SignalSender was accessing VM fields even after
2276         the VM was destroyed. This happened when the SignalSender
2277         thread was in the middle of its work() function while VMTraps
2278         was notified that the VM was shutting down. The VM would proceed
2279         to run its destructor even after the SignalSender thread finished
2280         doing its work. This means that the SignalSender thread was accessing
2281         VM fields even after the VM was destructed (including itself, since it is
2282         transitively owned by the VM). The VM must wait for the SignalSender
2283         thread to shutdown before it can continue to destruct itself.
2284
2285         * runtime/VMTraps.cpp:
2286         (JSC::VMTraps::willDestroyVM):
2287
2288 2017-07-03  Saam Barati  <sbarati@apple.com>
2289
2290         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
2291         https://bugs.webkit.org/show_bug.cgi?id=174110
2292
2293         Reviewed by Michael Saboff.
2294
2295         * dfg/DFGByteCodeParser.cpp:
2296         (JSC::DFG::ByteCodeParser::parseBlock):
2297
2298 2017-07-03  Saam Barati  <sbarati@apple.com>
2299
2300         Add a new assertion to object allocation sinking phase
2301         https://bugs.webkit.org/show_bug.cgi?id=174107
2302
2303         Rubber stamped by Filip Pizlo.
2304
2305         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2306
2307 2017-07-03  Commit Queue  <commit-queue@webkit.org>
2308
2309         Unreviewed, rolling out r219060.
2310         https://bugs.webkit.org/show_bug.cgi?id=174108
2311
2312         crashing constantly when initializing UIWebView (Requested by
2313         thorton on #webkit).
2314
2315         Reverted changeset:
2316
2317         "WTF::Thread should have the threads stack bounds."
2318         https://bugs.webkit.org/show_bug.cgi?id=173975
2319         http://trac.webkit.org/changeset/219060
2320
2321 2017-07-03  Matt Lewis  <jlewis3@apple.com>
2322
2323         Unreviewed, rolling out r219103.
2324
2325         Caused multiple build failures.
2326
2327         Reverted changeset:
2328
2329         "Remove copy of ICU headers from WebKit"
2330         https://bugs.webkit.org/show_bug.cgi?id=116407
2331         http://trac.webkit.org/changeset/219103
2332
2333 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
2334
2335         Remove copy of ICU headers from WebKit
2336         https://bugs.webkit.org/show_bug.cgi?id=116407
2337
2338         Reviewed by Alex Christensen.
2339
2340         Use WTF's copy of ICU headers.
2341
2342         * Configurations/Base.xcconfig:
2343         * icu/unicode/localpointer.h: Removed.
2344         * icu/unicode/parseerr.h: Removed.
2345         * icu/unicode/platform.h: Removed.
2346         * icu/unicode/ptypes.h: Removed.
2347         * icu/unicode/putil.h: Removed.
2348         * icu/unicode/uchar.h: Removed.
2349         * icu/unicode/ucnv.h: Removed.
2350         * icu/unicode/ucnv_err.h: Removed.
2351         * icu/unicode/ucol.h: Removed.
2352         * icu/unicode/uconfig.h: Removed.
2353         * icu/unicode/ucurr.h: Removed.
2354         * icu/unicode/uenum.h: Removed.
2355         * icu/unicode/uiter.h: Removed.
2356         * icu/unicode/uloc.h: Removed.
2357         * icu/unicode/umachine.h: Removed.
2358         * icu/unicode/unorm.h: Removed.
2359         * icu/unicode/unorm2.h: Removed.
2360         * icu/unicode/urename.h: Removed.
2361         * icu/unicode/uscript.h: Removed.
2362         * icu/unicode/uset.h: Removed.
2363         * icu/unicode/ustring.h: Removed.
2364         * icu/unicode/utf.h: Removed.
2365         * icu/unicode/utf16.h: Removed.
2366         * icu/unicode/utf8.h: Removed.
2367         * icu/unicode/utf_old.h: Removed.
2368         * icu/unicode/utypes.h: Removed.
2369         * icu/unicode/uvernum.h: Removed.
2370         * icu/unicode/uversion.h: Removed.
2371         * runtime/IntlCollator.cpp:
2372         * runtime/IntlDateTimeFormat.cpp:
2373         * runtime/JSGlobalObject.cpp:
2374         * runtime/StringPrototype.cpp:
2375
2376 2017-07-03  Saam Barati  <sbarati@apple.com>
2377
2378         Add better crash logging for allocation sinking phase
2379         https://bugs.webkit.org/show_bug.cgi?id=174102
2380         <rdar://problem/33112092>
2381
2382         Rubber stamped by Filip Pizlo.
2383
2384         I'm trying to gather better information from crashlogs about why
2385         we're crashing in the allocation sinking phase. I'm adding an allocation
2386         sinking-specific RELEASE_ASSERT as well as marking a few functions as
2387         NEVER_INLINE to have the stack traces in the crash trace contain more
2388         actionable information.
2389
2390         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2391
2392 2017-07-03  Sam Weinig  <sam@webkit.org>
2393
2394         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
2395         https://bugs.webkit.org/show_bug.cgi?id=174083
2396
2397         Reviewed by Alex Christensen.
2398
2399         * Configurations/FeatureDefines.xcconfig:
2400         Add ENABLE_NAVIGATOR_STANDALONE.
2401
2402 2017-07-03  Andy Estes  <aestes@apple.com>
2403
2404         [Xcode] Add an experimental setting to build with ccache
2405         https://bugs.webkit.org/show_bug.cgi?id=173875
2406
2407         Reviewed by Tim Horton.
2408
2409         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
2410
2411 2017-07-03  Devin Rousso  <drousso@apple.com>
2412
2413         Web Inspector: Support listing WebGL2 and WebGPU contexts
2414         https://bugs.webkit.org/show_bug.cgi?id=173396
2415
2416         Reviewed by Joseph Pecoraro.
2417
2418         * inspector/protocol/Canvas.json:
2419         * inspector/scripts/codegen/generator.py:
2420         (Generator.stylized_name_for_enum_value):
2421         Add cases for handling new Canvas.ContextType protocol enumerations:
2422          - "webgl2" maps to `WebGL2`
2423          - "webgpu" maps to `WebGPU`
2424
2425 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2426
2427         WTF::Thread should have the threads stack bounds.
2428         https://bugs.webkit.org/show_bug.cgi?id=173975
2429
2430         Reviewed by Mark Lam.
2431
2432         There is a site in JSC that tries to walk another thread's stack.
2433         Currently, stack bounds are stored in WTFThreadData which is located
2434         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2435         We work around this situation by holding StackBounds in MachineThread in JSC,
2436         but StackBounds should be put in WTF::Thread instead.
2437
2438         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
2439         information is tightly coupled with Thread. Thus putting it in WTF::Thread
2440         is a natural choice.
2441
2442         * heap/MachineStackMarker.cpp:
2443         (JSC::MachineThreads::MachineThread::MachineThread):
2444         (JSC::MachineThreads::MachineThread::captureStack):
2445         * heap/MachineStackMarker.h:
2446         (JSC::MachineThreads::MachineThread::stackBase):
2447         (JSC::MachineThreads::MachineThread::stackEnd):
2448         * runtime/InitializeThreading.cpp:
2449         (JSC::initializeThreading):
2450         * runtime/VM.cpp:
2451         (JSC::VM::VM):
2452         (JSC::VM::updateStackLimits):
2453         (JSC::VM::committedStackByteCount):
2454         * runtime/VM.h:
2455         (JSC::VM::isSafeToRecurse):
2456         * runtime/VMEntryScope.cpp:
2457         (JSC::VMEntryScope::VMEntryScope):
2458         * runtime/VMInlines.h:
2459         (JSC::VM::ensureStackCapacityFor):
2460         * runtime/VMTraps.cpp:
2461         * yarr/YarrPattern.cpp:
2462         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2463
2464 2017-07-01  Dan Bernstein  <mitz@apple.com>
2465
2466         [iOS] Remove code only needed when building for iOS 9.x
2467         https://bugs.webkit.org/show_bug.cgi?id=174068
2468
2469         Reviewed by Tim Horton.
2470
2471         * Configurations/FeatureDefines.xcconfig:
2472         * jit/ExecutableAllocator.cpp:
2473         * runtime/Options.cpp:
2474         (JSC::recomputeDependentOptions):
2475
2476 2017-07-01  Dan Bernstein  <mitz@apple.com>
2477
2478         [macOS] Remove code only needed when building for OS X Yosemite
2479         https://bugs.webkit.org/show_bug.cgi?id=174067
2480
2481         Reviewed by Tim Horton.
2482
2483         * API/WebKitAvailability.h:
2484         * Configurations/Base.xcconfig:
2485         * Configurations/DebugRelease.xcconfig:
2486         * Configurations/FeatureDefines.xcconfig:
2487         * Configurations/Version.xcconfig:
2488
2489 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2490
2491         Unreviewed, build fix for GCC
2492         https://bugs.webkit.org/show_bug.cgi?id=174034
2493
2494         * b3/testb3.cpp:
2495         (JSC::B3::testDoubleLiteralComparison):
2496
2497 2017-06-30  Keith Miller  <keith_miller@apple.com>
2498
2499         Force crashWithInfo to be out of line.
2500         https://bugs.webkit.org/show_bug.cgi?id=174028
2501
2502         Reviewed by Filip Pizlo.
2503
2504         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
2505
2506         * dfg/DFGGraph.cpp:
2507         (JSC::DFG::logDFGAssertionFailure):
2508         (JSC::DFG::Graph::logAssertionFailure):
2509         (JSC::DFG::crash): Deleted.
2510         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
2511         * dfg/DFGGraph.h:
2512
2513 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2514
2515         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
2516         https://bugs.webkit.org/show_bug.cgi?id=174053
2517
2518         Reviewed by Geoffrey Garen.
2519
2520         We already have AbstractMacroAssembler::random() function. Use it instead.
2521
2522         * jit/JIT.cpp:
2523         (JSC::JIT::JIT):
2524         (JSC::JIT::compileWithoutLinking):
2525         * jit/JIT.h:
2526
2527 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2528
2529         [WTF] Drop SymbolRegistry::keyForSymbol
2530         https://bugs.webkit.org/show_bug.cgi?id=174052
2531
2532         Reviewed by Sam Weinig.
2533
2534         * runtime/SymbolConstructor.cpp:
2535         (JSC::symbolConstructorKeyFor):
2536
2537 2017-06-30  Saam Barati  <sbarati@apple.com>
2538
2539         B3ReduceStrength should reduce EqualOrUnordered over const float input
2540         https://bugs.webkit.org/show_bug.cgi?id=174039
2541
2542         Reviewed by Michael Saboff.
2543
2544         We perform this folding for ConstDoubleValue. It is simply
2545         an oversight that we didn't do it for ConstFloatValue.
2546
2547         * b3/B3ConstFloatValue.cpp:
2548         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
2549         * b3/B3ConstFloatValue.h:
2550         * b3/testb3.cpp:
2551         (JSC::B3::testFloatEqualOrUnorderedFolding):
2552         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
2553         (JSC::B3::testFloatEqualOrUnorderedDontFold):
2554         (JSC::B3::run):
2555
2556 2017-06-30  Matt Baker  <mattbaker@apple.com>
2557
2558         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
2559         https://bugs.webkit.org/show_bug.cgi?id=173840
2560         <rdar://problem/30840820>
2561
2562         Reviewed by Joseph Pecoraro.
2563
2564         When truncating an asynchronous stack trace, the parent chain is traversed
2565         until a locked node is found. The path from this node to the root is shared
2566         by more than one stack trace, and cannot be safely modified. Starting at
2567         the first locked node, the path is cloned and becomes a new stack trace tree.
2568
2569         However, the clone operation initialized each new AsyncStackTrace node with
2570         the original node's parent. This would increment the child count of the original
2571         node. When cloning nodes, new nodes should not have their parent set until the
2572         next node up the parent chain is cloned.
2573
2574         * inspector/AsyncStackTrace.cpp:
2575         (Inspector::AsyncStackTrace::truncate):
2576
2577 2017-06-30  Michael Saboff  <msaboff@apple.com>
2578
2579         RegExps anchored with .* with \g flag can return wrong match start for strings with multiple matches
2580         https://bugs.webkit.org/show_bug.cgi?id=174044
2581
2582         Reviewed by Oliver Hunt.
2583
2584         The .* enclosure optimization didn't respect that we can start matching from a non-zero
2585         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
2586         then finding the extent of the match by going back to the beginning of the line and going
2587         forward to the end of the line.  The code that went back to the beginning of the line
2588         checked for an index of 0 instead of comparing the index to the start position.  This start
2589         position is passed as the initial index.
2590
2591         Added another temporary register to the YARR JIT to contain the start position for
2592         platforms that have spare registers.
2593
2594         * yarr/Yarr.h:
2595         * yarr/YarrInterpreter.cpp:
2596         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
2597         (JSC::Yarr::Interpreter::Interpreter):
2598         * yarr/YarrJIT.cpp:
2599         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
2600         (JSC::Yarr::YarrGenerator::compile):
2601         * yarr/YarrPattern.cpp:
2602         (JSC::Yarr::YarrPattern::YarrPattern):
2603         * yarr/YarrPattern.h:
2604         (JSC::Yarr::YarrPattern::reset):
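
A simplified model of the .* enclosure extent computation described in the entry above, added here as an illustration and not YARR's own code. The term is a plain literal, `startIndex` stands in for the start position the entry mentions (assumed here to be where a global RegExp's lastIndex points), and the buggy variant walks back to index 0 as the entry describes.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

struct Match {
    bool found;
    size_t begin; // index of the first matched character
    size_t end;   // one past the last matched character
};

// JavaScript line terminators that '.' does not match (constructed subset).
static bool isLineTerminator(char c)
{
    return c == '\n' || c == '\r';
}

// Model of the ".* enclosure" fast path for /.*<term>.*/ with a literal term:
// find <term> at or after startIndex, then widen the match to the enclosing
// line. With respectStartIndex == false the backward walk stops only at
// index 0 or a line terminator, which is the bug the entry describes.
static Match dotStarEnclosure(const std::string& subject, const std::string& term,
                              size_t startIndex, bool respectStartIndex)
{
    size_t pos = subject.find(term, startIndex);
    if (pos == std::string::npos)
        return { false, 0, 0 };

    size_t lowerBound = respectStartIndex ? startIndex : 0;
    size_t begin = pos;
    while (begin > lowerBound && !isLineTerminator(subject[begin - 1]))
        --begin;

    size_t end = pos + term.size();
    while (end < subject.size() && !isLineTerminator(subject[end]))
        ++end;

    return { true, begin, end };
}

// Reported match start for a search that begins mid-line, or npos if no match.
static size_t matchStart(const std::string& subject, const std::string& term,
                         size_t startIndex, bool fixed)
{
    Match m = dotStarEnclosure(subject, term, startIndex, fixed);
    return m.found ? m.begin : std::string::npos;
}

int main()
{
    // Constructed subject: 'Z' is the term; the search begins at index 3,
    // which is inside the line rather than at its start.
    const std::string subject = "ab cZ de";
    std::printf("buggy start: %zu\n", matchStart(subject, "Z", 3, false)); // 0
    std::printf("fixed start: %zu\n", matchStart(subject, "Z", 3, true));  // 3
    return 0;
}
```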
2605
2606 2017-06-30  Saam Barati  <sbarati@apple.com>
2607
2608         B3MoveConstants floatZero() returns the wrong ValueKey
2609         https://bugs.webkit.org/show_bug.cgi?id=174040
2610
2611         Reviewed by Filip Pizlo.
2612
2613         It had a typo where the ValueKey for floatZero() produces a Double
2614         instead of a Float.
2615
2616         * b3/B3MoveConstants.cpp:
2617
2618 2017-06-30  Saam Barati  <sbarati@apple.com>
2619
2620         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
2621         https://bugs.webkit.org/show_bug.cgi?id=174034
2622         <rdar://problem/30793007>
2623
2624         Reviewed by Filip Pizlo.
2625
2626         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
2627         reduce binary operations over double constants into the same binary
2628         operation over the double constants cast to floats. This is clearly
2629         incorrect as these two things will produce different values. For example:
2630         
2631         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
2632         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
2633         c = EqualOrUnordered(@a, @b) // produces 0
2634         
2635         into:
2636         
2637         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
2638         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
2639         c = EqualOrUnordered(@a, @b) // produces 1
2640         
2641         Which produces a different value for @c.
2642
2643         * b3/B3ReduceDoubleToFloat.cpp:
2644         * b3/testb3.cpp:
2645         (JSC::B3::doubleEq):
2646         (JSC::B3::doubleNeq):
2647         (JSC::B3::doubleGt):
2648         (JSC::B3::doubleGte):
2649         (JSC::B3::doubleLt):
2650         (JSC::B3::doubleLte):
2651         (JSC::B3::testDoubleLiteralComparison):
2652         (JSC::B3::run):
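
The miscompile described in the entry above, carried through in plain C++ as an added example (not B3's own code): the same EqualOrUnordered comparison evaluated over the two double constants and over their float-narrowed counterparts. The round-trip guard at the end is an assumed soundness check for this illustration, not the fix the patch actually applied.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// bitwise_cast<double>(uint64_t) as written in the entry: reinterpret the
// 64 bits as an IEEE-754 double without any numeric conversion.
static double bitwiseCastToDouble(uint64_t bits)
{
    static_assert(sizeof(double) == sizeof(uint64_t), "double must be 64-bit");
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// B3's EqualOrUnordered semantics: true when a == b or either side is NaN.
static bool equalOrUnordered(double a, double b)
{
    return a == b || std::isnan(a) || std::isnan(b);
}

static bool equalOrUnorderedFloat(float a, float b)
{
    return a == b || std::isnan(a) || std::isnan(b);
}

// The original program: EqualOrUnordered over the two double constants.
static bool compareAsDoubles(uint64_t aBits, uint64_t bBits)
{
    return equalOrUnordered(bitwiseCastToDouble(aBits), bitwiseCastToDouble(bBits));
}

// What the buggy reduction produced: the same comparison after narrowing each
// constant to float. Narrowing is lossy, so the result can change.
static bool compareAfterFloatReduction(uint64_t aBits, uint64_t bBits)
{
    float a = static_cast<float>(bitwiseCastToDouble(aBits));
    float b = static_cast<float>(bitwiseCastToDouble(bBits));
    return equalOrUnorderedFloat(a, b);
}

// Assumed guard for this illustration: a constant may only be narrowed when it
// survives a round trip through float unchanged. NaN is accepted because it
// stays unordered at either width.
static bool isExactlyRepresentableAsFloat(double d)
{
    if (std::isnan(d))
        return true;
    return static_cast<double>(static_cast<float>(d)) == d;
}

static bool canFoldThroughFloat(uint64_t aBits, uint64_t bBits)
{
    return isExactlyRepresentableAsFloat(bitwiseCastToDouble(aBits))
        && isExactlyRepresentableAsFloat(bitwiseCastToDouble(bBits));
}

int main()
{
    // The constants from the entry: the smallest negative subnormal double
    // versus +0.0. As doubles they differ; narrowed to float both become zero.
    const uint64_t a = 0x8000000000000001ull;
    const uint64_t b = 0x0000000000000000ull;
    std::printf("as doubles:   %d\n", compareAsDoubles(a, b));           // 0
    std::printf("after reduce: %d\n", compareAfterFloatReduction(a, b)); // 1
    std::printf("safe to fold: %d\n", canFoldThroughFloat(a, b));        // 0
    return 0;
}
```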
2653
2654 2017-06-29  Jer Noble  <jer.noble@apple.com>
2655
2656         Make Legacy EME API controlled by RuntimeEnabled setting.
2657         https://bugs.webkit.org/show_bug.cgi?id=173994
2658
2659         Reviewed by Sam Weinig.
2660
2661         * Configurations/FeatureDefines.xcconfig:
2662         * runtime/CommonIdentifiers.h:
2663
2664 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
2665
2666         Ran sort-Xcode-project-file.
2667
2668         * JavaScriptCore.xcodeproj/project.pbxproj:
2669
2670 2017-06-30  Matt Lewis  <jlewis3@apple.com>
2671
2672         Unreviewed, rolling out r218992.
2673
2674         The patch broke the iOS device builds.
2675
2676         Reverted changeset:
2677
2678         "DFG_ASSERT should allow stuffing registers before trapping."
2679         https://bugs.webkit.org/show_bug.cgi?id=174005
2680         http://trac.webkit.org/changeset/218992
2681
2682 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
2683
2684         RegExpCachedResult::setInput should reify left and right contexts
2685         https://bugs.webkit.org/show_bug.cgi?id=173818
2686
2687         Reviewed by Keith Miller.
2688         
2689         If you don't reify them in setInput, then when you later try to reify them, you'll end up
2690         using indices into an old input string to create a substring of a new input string. That
2691         never goes well.
2692
2693         * runtime/RegExpCachedResult.cpp:
2694         (JSC::RegExpCachedResult::setInput):
2695
2696 2017-06-30  Keith Miller  <keith_miller@apple.com>
2697
2698         DFG_ASSERT should allow stuffing registers before trapping.
2699         https://bugs.webkit.org/show_bug.cgi?id=174005
2700
2701         Reviewed by Mark Lam.
2702
2703         DFG_ASSERT currently prints error data to stderr before crashing,
2704         which is nice for local development. In the wild, however, we
2705         can't see this information in crash logs. This patch enables
2706         stuffing some of the most useful information from DFG_ASSERTS into
2707         up to five registers right before crashing. The values stuffed
2708         should not impact any logging during local development.
2709
2710         * assembler/AbortReason.h:
2711         * dfg/DFGAbstractInterpreterInlines.h:
2712         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
2713         * dfg/DFGGraph.cpp:
2714         (JSC::DFG::logForCrash):
2715         (JSC::DFG::Graph::logAssertionFailure):
2716         (JSC::DFG::crash): Deleted.
2717         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
2718         * dfg/DFGGraph.h:
2719
2720 2017-06-29  Saam Barati  <sbarati@apple.com>
2721
2722         Calculating postCapacity in unshiftCountSlowCase is wrong
2723         https://bugs.webkit.org/show_bug.cgi?id=173992
2724         <rdar://problem/32283199>
2725
2726         Reviewed by Keith Miller.
2727
2728         This patch fixes a bug inside unshiftCountSlowCase where we would use
2729         more memory than we allocated. The bug was when deciding how much extra
2730         space we have after the vector we've allocated. This area is called the
2731         postCapacity. The largest legal postCapacity value we could use is the
2732         space we allocated minus the space we need:
2733         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
2734         However, the code was calculating the postCapacity as:
2735         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
2736         
2737         where count is how many elements we're appending. Depending on the inputs,
2738         count could be larger than (newStorageCapacity - requiredVectorLength). This
2739         would cause us to use more memory than we actually allocated.
2740
2741         * runtime/JSArray.cpp:
2742         (JSC::JSArray::unshiftCountSlowCase):
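
The postCapacity sizing from the entry above as an added C++ model (not JSArray's own code): the formula the entry identifies as wrong next to the largest legal value it states, plus the bound a reviewer would assert. The struct and function names are assumptions for illustration; the exact expression JSC adopted in the fix is not shown on the page.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>

// The three quantities the entry reasons about. Precondition assumed here:
// requiredVectorLength <= newStorageCapacity (the allocation covers the need).
struct UnshiftSizing {
    size_t newStorageCapacity;   // slots actually allocated for the new storage
    size_t requiredVectorLength; // slots the array needs after prepending
    size_t count;                // elements being prepended
};

// The formula the entry calls out: max() can select count, which may exceed
// the spare slots left after requiredVectorLength.
static size_t buggyPostCapacity(const UnshiftSizing& s)
{
    return std::max(s.newStorageCapacity - s.requiredVectorLength, s.count);
}

// The largest legal value stated in the entry: allocated minus needed.
static size_t largestLegalPostCapacity(const UnshiftSizing& s)
{
    return s.newStorageCapacity - s.requiredVectorLength;
}

// Invariant to assert after sizing: the vector plus its post-capacity must stay
// inside the allocation. A false result means the array believes it owns slots
// past the end of the block, so later writes there corrupt the heap.
static bool fitsInAllocation(const UnshiftSizing& s, size_t postCapacity)
{
    return postCapacity <= s.newStorageCapacity - s.requiredVectorLength;
}

int main()
{
    // Constructed sizes: 16 slots allocated, 12 needed, 8 elements prepended.
    const UnshiftSizing s = { 16, 12, 8 };
    const size_t buggy = buggyPostCapacity(s);        // 8: over-claims 4 slots
    const size_t legal = largestLegalPostCapacity(s); // 4
    std::printf("buggy postCapacity %zu fits: %d\n", buggy, fitsInAllocation(s, buggy)); // 0
    std::printf("legal postCapacity %zu fits: %d\n", legal, fitsInAllocation(s, legal)); // 1
    return 0;
}
```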
2743
2744 2017-06-29  Commit Queue  <commit-queue@webkit.org>
2745
2746         Unreviewed, rolling out r218512.
2747         https://bugs.webkit.org/show_bug.cgi?id=173981
2748
2749         "It changes the behavior of the JS API's JSEvaluateScript
2750         which breaks TurboTax" (Requested by saamyjoon on #webkit).
2751
2752         Reverted changeset:
2753
2754         "test262: Completion values for control flow do not match the
2755         spec"
2756         https://bugs.webkit.org/show_bug.cgi?id=171265
2757         http://trac.webkit.org/changeset/218512
2758
2759 2017-06-29  JF Bastien  <jfbastien@apple.com>
2760
2761         WebAssembly: disable some APIs under CSP
2762         https://bugs.webkit.org/show_bug.cgi?id=173892
2763         <rdar://problem/32914613>
2764
2765         Reviewed by Daniel Bates.
2766
2767         We should disable parts of WebAssembly under Content Security
2768         Policy as discussed here:
2769
2770         https://github.com/WebAssembly/design/issues/1092
2771
2772         Exactly what should be disabled isn't super clear, so we may as
2773         well be conservative and disable many things if developers already
2774         opted into CSP. It's easy to loosen what we disable later.
2775
2776         This patch disables:
2777         - WebAssembly.Instance
2778         - WebAssembly.instantiate
2779         - WebAssembly.Memory
2780         - WebAssembly.Table
2781
2782         And leaves:
2783         - WebAssembly on the global object
2784         - WebAssembly.Module
2785         - WebAssembly.compile
2786         - WebAssembly.CompileError
2787         - WebAssembly.LinkError
2788
2789         Nothing, because currently unimplemented:
2790         - WebAssembly.compileStreaming
2791         - WebAssembly.instantiateStreaming
2792
2793         That way it won't be possible to call WebAssembly-compiled code,
2794         or create memories (which use fancy 4GiB allocations
2795         sometimes). Table isn't really useful on its own, and eventually
2796         we may make them shareable so without more details it seems benign
2797         to disable them (and useless if we don't).
2798
2799         I haven't done anything with postMessage, so you can still
2800         postMessage a WebAssembly.Module cross-CSP, but you can't
2801         instantiate it so it's useless. Because of this I elected to leave
2802         WebAssembly.Module and friends available.
2803
2804         I haven't added any new directives. It's still unsafe-eval. We can
2805         add something else later, but it seems odd to add a WebAssembly as
2806         a new capability and tell developers "you should have been using
2807         this directive which we just implemented if you wanted to disable
2808         WebAssembly which didn't exist when you adopted CSP". So IMO we
2809         should keep unsafe-eval as it currently is, add WebAssembly to
2810         what it disables, and later consider having two new directives
2811         which do each individually or something.
2812
2813         In all cases I throw an EvalError *before* other WebAssembly
2814         errors would be produced.
2815
2816         Note that, as for eval, reporting doesn't work and is tracked by
2817         https://webkit.org/b/111869
2818
2819         * runtime/JSGlobalObject.cpp:
2820         (JSC::JSGlobalObject::JSGlobalObject):
2821         * runtime/JSGlobalObject.h:
2822         (JSC::JSGlobalObject::webAssemblyEnabled):
2823         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
2824         (JSC::JSGlobalObject::setWebAssemblyEnabled):
2825         * wasm/js/JSWebAssemblyInstance.cpp:
2826         (JSC::JSWebAssemblyInstance::create):
2827         * wasm/js/JSWebAssemblyMemory.cpp:
2828         (JSC::JSWebAssemblyMemory::create):
2829         * wasm/js/JSWebAssemblyMemory.h:
2830         * wasm/js/JSWebAssemblyTable.cpp:
2831         (JSC::JSWebAssemblyTable::create):
2832         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2833         (JSC::constructJSWebAssemblyMemory):
2834
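Added example (not WebKit's code) for the entry above: a feature probe that tells which of the listed WebAssembly entry points a Content Security Policy without unsafe-eval has switched off, relying on the described behaviour that a disabled entry point throws an EvalError before any other WebAssembly error. The `cspRestrictedStub` stand-in is an assumption used only to exercise the blocked path outside a browser; the promise-based instantiate() is left out because a rejection cannot be classified synchronously.

```javascript
// Added example, not WebKit's code: probe which WebAssembly entry points a
// Content Security Policy without 'unsafe-eval' has switched off. Per the
// ChangeLog entry, a disabled entry point throws an EvalError before any
// other WebAssembly error is produced; the others keep working.

// Constructed input: the smallest valid module (magic "\0asm" + version 1,
// no sections). It compiles and instantiates without imports.
const EMPTY_MODULE_BYTES = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

// Run one probe and classify its outcome. Only EvalError counts as a CSP
// refusal; CompileError, LinkError, RangeError etc. mean WebAssembly itself
// ran and rejected the input, which is a different problem.
function classify(probe) {
  try {
    probe();
    return "available";
  } catch (e) {
    if (e instanceof EvalError) return "blocked-by-csp";
    return "error:" + (e && e.constructor ? e.constructor.name : String(e));
  }
}

// Probe the synchronous constructors the ChangeLog lists. `wa` defaults to the
// real global; a stand-in can be passed (see cspRestrictedStub) so the blocked
// path can be exercised outside a browser.
function probeWebAssembly(wa = globalThis.WebAssembly) {
  return {
    Module: classify(() => new wa.Module(EMPTY_MODULE_BYTES)),                    // left enabled
    Instance: classify(() => new wa.Instance(new wa.Module(EMPTY_MODULE_BYTES))), // disabled
    Memory: classify(() => new wa.Memory({ initial: 1 })),                        // disabled
    Table: classify(() => new wa.Table({ element: "anyfunc", initial: 0 })),      // disabled
  };
}

// The practical question for a page: can compiled code actually be run here?
// Compiling alone is not enough (a Module can still be postMessaged around
// but never instantiated), so require Instance and Memory.
function canRunWasm(results) {
  return results.Instance === "available" && results.Memory === "available";
}

// Hypothetical stand-in (an assumption, not the engine): behaves like the
// patched engine under CSP. Module is untouched; the disabled constructors
// throw EvalError before doing anything else.
function cspRestrictedStub(real, message = "WebAssembly disabled by Content Security Policy") {
  function blocked() { throw new EvalError(message); }
  return { Module: real.Module, Instance: blocked, Memory: blocked, Table: blocked };
}
```
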
2835 2017-06-28  Keith Miller  <keith_miller@apple.com>
2836
2837         VMTraps has some races
2838         https://bugs.webkit.org/show_bug.cgi?id=173941
2839
2840         Reviewed by Michael Saboff.
2841
2842         This patch refactors much of the VMTraps API.
2843
2844         On the message sending side:
2845
2846         1) No longer uses the Yarr JIT check to determine if we are in
2847         RegExp code. That was unsound because RegExp JIT code can be run
2848         on compilation threads.  Instead it looks at the current frame's
2849         code block slot and checks if it is valid, which is the same as
2850         what it did for JIT code previously.
2851
2852         2) Only have one signal sender thread. Previously, there could be
2853         many at once, which caused some data races. Additionally, the
2854         signal sender thread is an automatic thread so it will deallocate
2855         itself when not in use.
2856
2857         On the VMTraps breakpoint side:
2858
2859         1) We now have a true mapping of if we hit a breakpoint instead of
2860         a JIT assertion. So the exception handler won't eat JIT assertions
2861         anymore.
2862
2863         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
2864         them instead of every CodeBlock on the stack. This both prevents
2865         us from hitting stale VMTraps breakpoints and also doesn't OSR
2866         codeblocks that otherwise don't need to be jettisoned.
2867
2868         3) The old exception handler could theoretically fail for a couple
2869         of reasons then resume execution with a clobbered instruction
2870         set. This patch will kill the program if the exception handler
2871         would fail.
2872
2873         This patch also refactors some of the jsc.cpp functions to take the
2874         CommandLine options object instead of individual options. Also, there
2875         is a new command line option that makes exceptions due to watchdog
2876         timeouts an acceptable result.
2877
2878         * API/tests/testapi.c:
2879         (main):
2880         * bytecode/CodeBlock.cpp:
2881         (JSC::CodeBlock::installVMTrapBreakpoints):
2882         * dfg/DFGCommonData.cpp:
2883         (JSC::DFG::pcCodeBlockMap):
2884         (JSC::DFG::CommonData::invalidate):
2885         (JSC::DFG::CommonData::~CommonData):
2886         (JSC::DFG::CommonData::installVMTrapBreakpoints):
2887         (JSC::DFG::codeBlockForVMTrapPC):
2888         * dfg/DFGCommonData.h:
2889         * jsc.cpp:
2890         (functionDollarAgentStart):
2891         (checkUncaughtException):
2892         (checkException):
2893         (runWithOptions):
2894         (printUsageStatement):
2895         (CommandLine::parseArguments):
2896         (jscmain):
2897         (runWithScripts): Deleted.
2898         * runtime/JSLock.cpp:
2899         (JSC::JSLock::didAcquireLock):
2900         * runtime/VMTraps.cpp:
2901         (JSC::sanitizedTopCallFrame):
2902         (JSC::VMTraps::tryInstallTrapBreakpoints):
2903         (JSC::VMTraps::willDestroyVM):
2904         (JSC::VMTraps::fireTrap):
2905         (JSC::VMTraps::handleTraps):
2906         (JSC::VMTraps::VMTraps):
2907         (JSC::VMTraps::~VMTraps):
2908         (JSC::findActiveVMAndStackBounds): Deleted.
2909         (JSC::installSignalHandler): Deleted.
2910         (JSC::VMTraps::addSignalSender): Deleted.
2911         (JSC::VMTraps::removeSignalSender): Deleted.
2912         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
2913         (JSC::VMTraps::SignalSender::send): Deleted.
2914         * runtime/VMTraps.h:
2915         (JSC::VMTraps::~VMTraps): Deleted.
2916         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
2917
2918 2017-06-28  Devin Rousso  <drousso@apple.com>
2919
2920         Web Inspector: Instrument active pixel memory used by canvases
2921         https://bugs.webkit.org/show_bug.cgi?id=173087
2922         <rdar://problem/32719261>
2923
2924         Reviewed by Joseph Pecoraro.
2925
2926         * inspector/protocol/Canvas.json:
2927          - Add optional `memoryCost` attribute to the `Canvas` type.
2928          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
2929
2930 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
2931
2932         Web Inspector: Cleanup Protocol JSON files
2933         https://bugs.webkit.org/show_bug.cgi?id=173934
2934
2935         Reviewed by Matt Baker.
2936
2937         * inspector/protocol/ApplicationCache.json:
2938         * inspector/protocol/CSS.json:
2939         * inspector/protocol/Console.json:
2940         * inspector/protocol/DOM.json:
2941         * inspector/protocol/DOMDebugger.json:
2942         * inspector/protocol/Debugger.json:
2943         * inspector/protocol/LayerTree.json:
2944         * inspector/protocol/Network.json:
2945         * inspector/protocol/Page.json:
2946         * inspector/protocol/Runtime.json:
2947         Be more consistent about placement of `description` property.
2948
2949 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
2950
2951         Web Inspector: Remove unused Inspector domain events
2952         https://bugs.webkit.org/show_bug.cgi?id=173905
2953
2954         Reviewed by Matt Baker.
2955
2956         * inspector/protocol/Inspector.json:
2957
2958 2017-06-28  JF Bastien  <jfbastien@apple.com>
2959
2960         Ensure that computed new stack pointer values do not underflow.
2961         https://bugs.webkit.org/show_bug.cgi?id=173700
2962         <rdar://problem/32926032>
2963
2964         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
2965
2966         Patch by Mark Lam, with the following fix:
2967
2968         Re-apply this patch, it originally broke the ARM build because the llint code
2969         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
2970         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
2971         and operands to emit valid code (because the second operand can be SP).
2972
2973         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
2974            m_numCalleeLocals is sane.
2975
2976         2. Added underflow checks in LLInt code and VarargsFrame code.
2977
2978         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
2979            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
2980            Ensure that Options::softReservedZoneSize() is at least greater than
2981            Options::reservedZoneSize() by minimumReservedZoneSize.
2982
2983         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
2984            and only if the max size of the frame is greater than Options::reservedZoneSize().
2985
2986            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
2987            of memory at the bottom (end) of the stack.  This means that, at any time, the
2988            frame pointer must be at least Options::reservedZoneSize() bytes away from the
2989            end of the stack.  Hence, if the max frame size is less than
2990            Options::reservedZoneSize(), there's no way that frame pointer - max
2991            frame size can underflow, and we can elide the underflow check.
2992
2993            Note that we use Options::reservedZoneSize() instead of
2994            Options::softReservedZoneSize() for determining if we need an underflow check.
2995            This is because the softStackLimit that is used for stack checks can be set
2996            based on Options::reservedZoneSize() during error handling (e.g. when creating
2997            strings for instantiating the Error object).  Hence, the guaranteed minimum of
2998            distance between the frame pointer and the end of the stack is
2999            Options::reservedZoneSize() and not Options::softReservedZoneSize().
3000
3001            Note also that we ensure that Options::reservedZoneSize() is at least
3002            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
3003            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
3004            instead of minimumReservedZoneSize gives us more chances to elide underflow
3005            checks.
3006
3007         * JavaScriptCore.xcodeproj/project.pbxproj:
3008         * bytecompiler/BytecodeGenerator.cpp:
3009         (JSC::BytecodeGenerator::generate):
3010         * dfg/DFGGraph.cpp:
3011         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
3012         * dfg/DFGJITCompiler.cpp:
3013         (JSC::DFG::emitStackOverflowCheck):
3014         (JSC::DFG::JITCompiler::compile):
3015         (JSC::DFG::JITCompiler::compileFunction):
3016         * ftl/FTLLowerDFGToB3.cpp:
3017         (JSC::FTL::DFG::LowerDFGToB3::lower):
3018         * jit/JIT.cpp:
3019         (JSC::JIT::compileWithoutLinking):
3020         * jit/SetupVarargsFrame.cpp:
3021         (JSC::emitSetupVarargsFrameFastCase):
3022         * llint/LLIntSlowPaths.cpp:
3023         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3024         * llint/LowLevelInterpreter.asm:
3025         * llint/LowLevelInterpreter32_64.asm:
3026         * llint/LowLevelInterpreter64.asm:
3027         * runtime/MinimumReservedZoneSize.h: Added.
3028         * runtime/Options.cpp:
3029         (JSC::recomputeDependentOptions):
3030         * runtime/VM.cpp:
3031         (JSC::VM::updateStackLimits):
3032         * wasm/WasmB3IRGenerator.cpp:
3033         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3034         * wasm/js/WebAssemblyFunction.cpp:
3035         (JSC::callWebAssemblyFunction):
3036
3037 2017-06-28  Chris Dumez  <cdumez@apple.com>
3038
3039         Unreviewed, rolling out r218869.
3040
3041         Broke the iOS build
3042
3043         Reverted changeset:
3044
3045         "Ensure that computed new stack pointer values do not
3046         underflow."
3047         https://bugs.webkit.org/show_bug.cgi?id=173700
3048         http://trac.webkit.org/changeset/218869
3049
3050 2017-06-28  Chris Dumez  <cdumez@apple.com>
3051
3052         Unreviewed, rolling out r218873.
3053
3054         Broke the iOS build
3055
3056         Reverted changeset:
3057
3058         "Gardening: CLoop build fix."
3059         https://bugs.webkit.org/show_bug.cgi?id=173700
3060         http://trac.webkit.org/changeset/218873
3061
3062 2017-06-28  Mark Lam  <mark.lam@apple.com>
3063
3064         Gardening: CLoop build fix.
3065         https://bugs.webkit.org/show_bug.cgi?id=173700
3066         <rdar://problem/32926032>
3067
3068         Not reviewed.
3069
3070         * llint/LLIntSlowPaths.cpp:
3071         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3072
3073 2017-06-28  Mark Lam  <mark.lam@apple.com>
3074
3075         Ensure that computed new stack pointer values do not underflow.
3076         https://bugs.webkit.org/show_bug.cgi?id=173700
3077         <rdar://problem/32926032>
3078
3079         Reviewed by Filip Pizlo and Saam Barati.
3080
3081         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
3082            m_numCalleeLocals is sane.
3083
3084         2. Added underflow checks in LLInt code and VarargsFrame code.
3085
3086         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
3087            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
3088            Ensure that Options::softReservedZoneSize() is at least greater than
3089            Options::reservedZoneSize() by minimumReservedZoneSize.
3090
3091         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
3092            and only if the max size of the frame is greater than Options::reservedZoneSize().
3093
3094            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
3095            of memory at the bottom (end) of the stack.  This means that, at any time, the
3096            frame pointer must be at least Options::reservedZoneSize() bytes away from the
3097            end of the stack.  Hence, if the max frame size is less than
3098            Options::reservedZoneSize(), there's no way that frame pointer - max
3099            frame size can underflow, and we can elide the underflow check.
3100
3101            Note that we use Options::reservedZoneSize() instead of
3102            Options::softReservedZoneSize() for determining if we need an underflow check.
3103            This is because the softStackLimit that is used for stack checks can be set
3104            based on Options::reservedZoneSize() during error handling (e.g. when creating
3105            strings for instantiating the Error object).  Hence, the guaranteed minimum of
3106            distance between the frame pointer and the end of the stack is
3107            Options::reservedZoneSize() and not Options::softReservedZoneSize().
3108
3109            Note also that we ensure that Options::reservedZoneSize() is at least
3110            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
3111            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
3112            instead of minimumReservedZoneSize gives us more chances to elide underflow
3113            checks.
3114
3115         * JavaScriptCore.xcodeproj/project.pbxproj:
3116         * bytecompiler/BytecodeGenerator.cpp:
3117         (JSC::BytecodeGenerator::generate):
3118         * dfg/DFGGraph.cpp:
3119         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
3120         * dfg/DFGJITCompiler.cpp:
3121         (JSC::DFG::JITCompiler::compile):
3122         (JSC::DFG::JITCompiler::compileFunction):
3123         * ftl/FTLLowerDFGToB3.cpp:
3124         (JSC::FTL::DFG::LowerDFGToB3::lower):
3125         * jit/JIT.cpp:
3126         (JSC::JIT::compileWithoutLinking):
3127         * jit/SetupVarargsFrame.cpp:
3128         (JSC::emitSetupVarargsFrameFastCase):
3129         * llint/LLIntSlowPaths.cpp:
3130         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3131         * llint/LowLevelInterpreter.asm:
3132         * llint/LowLevelInterpreter32_64.asm:
3133         * llint/LowLevelInterpreter64.asm:
3134         * runtime/MinimumReservedZoneSize.h: Added.
3135         * runtime/Options.cpp:
3136         (JSC::recomputeDependentOptions):
3137         * runtime/VM.cpp:
3138         (JSC::VM::updateStackLimits):
3139         * wasm/WasmB3IRGenerator.cpp:
3140         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3141         * wasm/js/WebAssemblyFunction.cpp:
3142         (JSC::callWebAssemblyFunction):
3143
3144 2017-06-27  JF Bastien  <jfbastien@apple.com>
3145
3146         WebAssembly: running out of executable memory should throw OoM
3147         https://bugs.webkit.org/show_bug.cgi?id=171537
3148         <rdar://problem/32963338>
3149
3150         Reviewed by Saam Barati.
3151
3152         Both on first compile with BBQ as well as on tier-up with OMG,
3153         running out of X memory shouldn't cause the entire program to
3154         terminate. An exception will do when compiling initial code (since
3155         we don't have any other fallback at the moment), and refusal to
3156         tier up will do as well (it'll just be slower).
3157
3158         This is useful because programs which generate huge amounts of
3159         code simply look like crashes, which developers report to
3160         us. Getting a JavaScript exception instead is much clearer.
3161
3162         * jit/ExecutableAllocator.cpp:
3163         (JSC::ExecutableAllocator::allocate):
3164         * llint/LLIntSlowPaths.cpp:
3165         (JSC::LLInt::shouldJIT):
3166         * runtime/Options.h:
3167         * wasm/WasmBBQPlan.cpp:
3168         (JSC::Wasm::BBQPlan::prepare):
3169         (JSC::Wasm::BBQPlan::complete):
3170         * wasm/WasmBinding.cpp:
3171         (JSC::Wasm::wasmToJs):
3172         (JSC::Wasm::wasmToWasm):
3173         * wasm/WasmBinding.h:
3174         * wasm/WasmOMGPlan.cpp:
3175         (JSC::Wasm::OMGPlan::work):
3176         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3177         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
3178         * wasm/js/JSWebAssemblyCodeBlock.h:
3179         * wasm/js/JSWebAssemblyInstance.cpp:
3180         (JSC::JSWebAssemblyInstance::finalizeCreation):
3181
3182 2017-06-27  Saam Barati  <sbarati@apple.com>
3183
3184         JITStubRoutine::passesFilter should use isJITPC
3185         https://bugs.webkit.org/show_bug.cgi?id=173906
3186
3187         Reviewed by JF Bastien.
3188
3189         This patch makes JITStubRoutine use the isJITPC abstraction defined
3190         inside ExecutableAllocator.h. Before, JITStubRoutine was using a
3191         hardcoded platform size constant. This means it'd do the wrong thing
3192         if Options::jitMemoryReservationSize() was larger than the defined
3193         constant for that platform. This patch also removes a bunch of
3194         dead code in that file.
3195
3196         * jit/ExecutableAllocator.cpp:
3197         * jit/ExecutableAllocator.h:
3198         * jit/JITStubRoutine.h:
3199         (JSC::JITStubRoutine::passesFilter):
3200         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
3201         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
3202         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
3203
3204 2017-06-27  Saam Barati  <sbarati@apple.com>
3205
3206         Fix some stale comments in Wasm code base
3207         https://bugs.webkit.org/show_bug.cgi?id=173814
3208
3209         Reviewed by Mark Lam.
3210
3211         * wasm/WasmBinding.cpp:
3212         (JSC::Wasm::wasmToJs):
3213         * wasm/WasmOMGPlan.cpp:
3214         (JSC::Wasm::runOMGPlanForIndex):
3215
3216 2017-06-27  Caio Lima  <ticaiolima@gmail.com>
3217
3218         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
3219         https://bugs.webkit.org/show_bug.cgi?id=167962
3220
3221         Reviewed by Saam Barati.
3222
3223         Object Rest/Spread Destructuring proposal is in stage 3[1] and this
3224         patch is a prototype implementation of it. A simple change over the
3225         parser was necessary to support the new '...' token on Object Pattern
3226         destructuring rule. On the bytecode generator side, we changed the
3227         bytecode generated on ObjectPatternNode::bindValue to store in a
3228         set the identifiers of already destructured properties, following spec draft
3229         section[2], and then pass it as excludedNames to CopyDataProperties.
3230         The rest destructuring calls copyDataProperties to perform the
3231         copy of rest properties in rhs.
3232
3233         We also implemented CopyDataProperties as private JS global operation
3234         on builtins/GlobalOperations.js following its specification on [3].
3235         It is implemented using Set object to verify if a property is on
3236         excludedNames to keep this algorithm with O(n + m) complexity, where n
3237         = number of source's own properties and m = excludedNames.length.
3238
3239         In this implementation we aren't using excludeList as a constant if the
3240         destructuring pattern contains a computed property, i.e. we can
3241         just determine the key to be excluded at runtime. If we can define all
3242         identifiers in the pattern at compile time, we then create a
3243         constant JSSet. This approach gives a good performance improvement,
3244         since we allocate the excludeSet just once, reducing GC pressure.
3245
3246         [1] - https://github.com/tc39/proposal-object-rest-spread
3247         [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
3248         [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties
3249
3250         * builtins/BuiltinNames.h:
3251         * builtins/GlobalOperations.js:
3252         (globalPrivate.copyDataProperties):
3253         * bytecode/CodeBlock.cpp:
3254         (JSC::CodeBlock::finishCreation):
3255         * bytecompiler/NodesCodegen.cpp:
3256         (JSC::ObjectPatternNode::bindValue):
3257         * parser/ASTBuilder.h:
3258         (JSC::ASTBuilder::appendObjectPatternEntry):
3259         (JSC::ASTBuilder::appendObjectPatternRestEntry):
3260         (JSC::ASTBuilder::setContainsObjectRestElement):
3261         * parser/Nodes.h:
3262         (JSC::ObjectPatternNode::appendEntry):
3263         (JSC::ObjectPatternNode::setContainsRestElement):
3264         * parser/Parser.cpp:
3265         (JSC::Parser<LexerType>::parseDestructuringPattern):
3266         (JSC::Parser<LexerType>::parseProperty):
3267         * parser/SyntaxChecker.h:
3268         (JSC::SyntaxChecker::operatorStackPop):
3269         * runtime/JSGlobalObject.cpp:
3270         (JSC::JSGlobalObject::init):
3271         * runtime/JSGlobalObject.h:
3272         (JSC::JSGlobalObject::asyncFunctionStructure):
3273         (JSC::JSGlobalObject::setStructure): Deleted.
3274         * runtime/JSGlobalObjectFunctions.cpp:
3275         (JSC::privateToObject):
3276         * runtime/JSGlobalObjectFunctions.h:
3277         * runtime/ObjectConstructor.cpp:
3278         (JSC::ObjectConstructor::finishCreation):
3279         * runtime/SetPrototype.cpp:
3280         (JSC::SetPrototype::finishCreation):
3281
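Added example (not WebKit's builtin) for the entry above: the CopyDataProperties(target, source, excludedNames) operation as the entry describes it, with the excluded names kept in a Set so each own property costs one lookup, plus the rest-destructuring desugaring that distinguishes the statically known names (a constant set) from a computed key only known at runtime. `objectRest` and `toPropertyKey` are names chosen here, not the project's.

```javascript
// Added example, not WebKit's builtins/GlobalOperations.js: CopyDataProperties
// with the excluded names held in a Set (O(n + m): n own properties of the
// source, m excluded names), and the object-rest desugaring built on it.

// Property keys are strings or symbols; numbers written in a pattern become strings.
function toPropertyKey(k) {
  return typeof k === "symbol" ? k : String(k);
}

// CopyDataProperties(target, source, excludedNames):
//  - null/undefined source is a no-op
//  - only own, enumerable properties are copied (string keys, then symbols)
//  - copied with CreateDataProperty semantics: a fresh data property on the
//    target, never a call into a setter found on the target's prototype chain
function copyDataProperties(target, source, excludedNames) {
  if (source === undefined || source === null) return target;
  const from = Object(source);
  const excluded = excludedNames instanceof Set
    ? excludedNames
    : new Set(Array.from(excludedNames, toPropertyKey));
  for (const key of Reflect.ownKeys(from)) {          // OwnPropertyKeys order
    if (excluded.has(key)) continue;
    const desc = Reflect.getOwnPropertyDescriptor(from, key);
    if (!desc || !desc.enumerable) continue;
    const value = from[key];                           // Get(from, key): getters on the source do run
    Object.defineProperty(target, key, {               // CreateDataProperty
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// What `const { a, [expr]: v, ...rest } = src` amounts to. `staticNames` are the
// identifiers known when the pattern is compiled (the constant set the entry
// mentions); `computedKeys` are the values `expr` produced at runtime and are
// added to the set only then.
function objectRest(src, staticNames, computedKeys = []) {
  const excluded = new Set(staticNames.map(toPropertyKey));   // constant in the fast case
  for (const k of computedKeys) excluded.add(toPropertyKey(k)); // runtime-only keys
  return copyDataProperties({}, src, excluded);
}
```
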
3282 2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3283
3284         [JSC] Do not touch VM after notifying Ready in DFG::Worklist
3285         https://bugs.webkit.org/show_bug.cgi?id=173888
3286
3287         Reviewed by Saam Barati.
3288
3289         After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed.
3290         Thus, Plan::vm() can return a destroyed VM. Do not touch it.
3291         This causes occasional SEGV / assertion failures in workers/bomb test.
3292
3293         * dfg/DFGWorklist.cpp:
3294
3295 2017-06-27  Saam Barati  <sbarati@apple.com>
3296
3297         Remove an inaccurate comment inside DFGClobberize.h
3298         https://bugs.webkit.org/show_bug.cgi?id=163874
3299
3300         Reviewed by Filip Pizlo.
3301
3302         The comment said that Clobberize may or may not be sound if run prior to
3303         doing type inference. This is not correct, though. Clobberize *must* be sound
3304         prior to doing type inference since we use it inside the BytecodeParser, which
3305         is the very first thing the DFG does.
3306
3307         * dfg/DFGClobberize.h:
3308         (JSC::DFG::clobberize):
3309
3310 2017-06-27  Saam Barati  <sbarati@apple.com>
3311
3312         Function constructor needs to follow the spec and validate parameters and body independently
3313         https://bugs.webkit.org/show_bug.cgi?id=173303
3314         <rdar://problem/32732526>
3315
3316         Reviewed by Keith Miller.
3317
3318         The Function constructor must check the arguments and body strings
3319         independently for syntax errors. People rely on this specified behavior
3320         to verify that a particular string is a valid function body. We used
3321         to check these strings concatenated together, instead of
3322         independently. For example, this used to be valid: `Function("/*", "*/){")`.
3323         However, we should throw a syntax error here since "(/*)" is not a valid
3324         parameter list, and "*/){" is not a valid body.
3325         
3326         To implement the specified behavior, we check the syntax independently of
3327         both the body and the parameter list. To check that the parameter list has
3328         valid syntax, we check that it is valid if in a function with an empty body.
3329         To check that the body has valid syntax, we check it is valid in a function
3330         with an empty parameter list.
3331
3332         * runtime/FunctionConstructor.cpp:
3333         (JSC::constructFunctionSkippingEvalEnabledCheck):
3334
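Added example (not WebKit's code) for the entry above: a checker that validates a Function() parameter list and body independently, exactly as the entry describes the engine now doing it (parameters inside a function with an empty body, body inside a function with an empty parameter list), so that fragments like the `"/*"` / `"*/){"` pair are rejected instead of being accepted once concatenated. `checkFunctionSource` and `isValidFunctionSource` are names chosen here.

```javascript
// Added example, not WebKit's runtime/FunctionConstructor.cpp: validate the two
// halves passed to Function() separately, the way the entry describes.
// Returns a list of problems; an empty list means both halves parse on their own.
function checkFunctionSource(params, body) {
  const problems = [];
  try {
    new Function(params, "");            // parameter list with an empty body
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;   // only syntax errors are verdicts
    problems.push("parameters: " + e.message);
  }
  try {
    new Function("", body);              // body with an empty parameter list
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    problems.push("body: " + e.message);
  }
  return problems;
}

// Convenience wrapper: true only when both halves are independently valid,
// which is the property people rely on to test whether a string is a valid body.
function isValidFunctionSource(params, body) {
  return checkFunctionSource(params, body).length === 0;
}
```
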
3335 2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>
3336
3337         Add missing includes to fix compilation error on FreeBSD
3338         https://bugs.webkit.org/show_bug.cgi?id=172919
3339
3340         Reviewed by Mark Lam.
3341
3342         * API/JSRemoteInspector.h:
3343         * API/tests/GlobalContextWithFinalizerTest.cpp:
3344         * API/tests/TypedArrayCTest.cpp:
3345
3346 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
3347
3348         Web Inspector: Crash generating object preview for ArrayIterator
3349         https://bugs.webkit.org/show_bug.cgi?id=173754
3350         <rdar://problem/32859012>
3351
3352         Reviewed by Saam Barati.
3353
3354         When Inspector generates an object preview for an ArrayIterator instance it made
3355         a "clone" of the original ArrayIterator instance by constructing a new object with
3356         the instance's structure. However, user code could have modified that instance's
3357         structure, such as adding / removing properties. The `return` property had special
3358         meaning, and our clone did not fill that slot. This approach is brittle in that
3359         we weren't satisfying the expectations of an object with a particular Structure,
3360         and the original goal of having Web Inspector peek values of built-in Iterators
3361         was to avoid observable behavior.
3362
3363         This tightens Web Inspector's Iterator preview to only peek values if the
3364         Iterators would actually be non-observable. It also builds an ArrayIterator
3365         clone like a regular object construction.
3366
3367         * inspector/JSInjectedScriptHost.cpp:
3368         (Inspector::cloneArrayIteratorObject):
3369         Build up the Object from scratch with a new ArrayIterator prototype.
3370
3371         (Inspector::JSInjectedScriptHost::iteratorEntries):
3372         Only clone and peek iterators if it would not be observable.
3373         Also update iteration to be more in line with IterationOperations, such as when
3374         we call iteratorClose.
3375
3376         * runtime/JSGlobalObject.cpp:
3377         (JSC::JSGlobalObject::JSGlobalObject):
3378         (JSC::JSGlobalObject::init):
3379         * runtime/JSGlobalObject.h:
3380         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
3381         * runtime/JSGlobalObjectInlines.h:
3382         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
3383         Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
3384
3385         * runtime/JSMap.cpp:
3386         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
3387         (JSC::JSMap::canCloneFastAndNonObservable):
3388         * runtime/JSMap.h:
3389         * runtime/JSSet.cpp:
3390         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
3391         (JSC::JSSet::canCloneFastAndNonObservable):
3392         * runtime/JSSet.h:
3393         Promote isIteratorProtocolFastAndNonObservable to a method.
3394
3395         * runtime/JSObject.cpp:
3396         (JSC::canDoFastPutDirectIndex):
3397         * runtime/JSTypeInfo.h:
3398         (JSC::TypeInfo::isArgumentsType):
3399         Helper to detect if an Object is an Arguments type.
3400
3401 2017-06-26  Saam Barati  <sbarati@apple.com>
3402
3403         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
3404         https://bugs.webkit.org/show_bug.cgi?id=173740
3405
3406         Reviewed by Mark Lam.
3407
3408         The builtin was using for-of iteration to iterate over an internal
3409         list in its algorithm. For-of iteration is observable via user code
3410         in the global object, so this approach was wrong as it would break if
3411         a user changed the Array iteration protocol in some way.
3412
3413         * builtins/RegExpPrototype.js:
3414         (replace):
3415
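Added example (not WebKit's code) serving both the ArrayIterator preview entry and the RegExpPrototype.js entry above: it shows why a builtin must not walk an internal list with for-of (the walk goes through Array.prototype[Symbol.iterator], which page script can replace, while indexed access does not), and a load-time snapshot check in the spirit of the isIteratorProtocolFastAndNonObservable idea that decides whether array iteration is still non-observable before peeking. The helper names and the "X" stand-in iterator are constructed here.

```javascript
// Added example, not WebKit's code: observable vs. non-observable walks over
// an internal list, and a check for whether the array iteration protocol is
// still pristine.

// Uses the iteration protocol: the builtin's result now depends on whatever
// Array.prototype[Symbol.iterator] currently is.
function joinWithForOf(list) {
  let out = "";
  for (const item of list) out += item;
  return out;
}

// Indexed access never consults the iteration protocol, so user code cannot
// change what this function sees. This is the fix shape the RegExp entry applies.
function joinByIndex(list) {
  let out = "";
  for (let i = 0; i < list.length; i++) out += list[i];
  return out;
}

// Snapshot the pristine protocol when this module loads (the engine does this
// with watchpoints). Later, anything that wants to peek an iterator can ask
// whether doing so would still be non-observable.
const PRISTINE = {
  arrayIterator: Array.prototype[Symbol.iterator],
  next: Object.getPrototypeOf([][Symbol.iterator]()).next,
};
function isArrayIterationNonObservable() {
  return Array.prototype[Symbol.iterator] === PRISTINE.arrayIterator
    && Object.getPrototypeOf([][Symbol.iterator]()).next === PRISTINE.next;
}

// Run `fn` while Array.prototype[Symbol.iterator] is replaced by a constructed
// iterator that yields "X" for every element, then restore the original.
// This simulates page script having changed the protocol.
function withTamperedArrayIterator(fn) {
  const original = Array.prototype[Symbol.iterator];
  Array.prototype[Symbol.iterator] = function* () {
    for (let i = 0; i < this.length; i++) yield "X";
  };
  try {
    return fn();
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
}
```
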
3416 2017-06-26  Mark Lam  <mark.lam@apple.com>
3417
3418         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
3419         https://bugs.webkit.org/show_bug.cgi?id=173848
3420
3421         Reviewed by JF Bastien.
3422
3423         This functor only dumps the return VirtualPC.
3424
3425         * interpreter/Interpreter.cpp:
3426         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
3427         (JSC::Interpreter::dumpRegisters):
3428         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
3429         (JSC::DumpRegisterFunctor::operator()): Deleted.
3430
3431 2017-06-26  Saam Barati  <sbarati@apple.com>
3432
3433         Crash in JSC::Lexer<unsigned char>::setCode
3434         https://bugs.webkit.org/show_bug.cgi?id=172754
3435
3436         Reviewed by Mark Lam.
3437
3438         The lexer was asking one of its buffers to reserve initial space that
3439         was O(text size in bytes). For large sources, this would end up causing
3440         the vector to overflow and crash. This patch changes this code to be like
3441         the Lexer's other buffers and to only reserve a small starting buffer.
3442
3443         * parser/Lexer.cpp:
3444         (JSC::Lexer<T>::setCode):
3445
3446 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3447
3448         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
3449         https://bugs.webkit.org/show_bug.cgi?id=173825
3450
3451         Reviewed by Saam Barati.
3452
3453         * jsc.cpp:
3454         (startTimeoutThreadIfNeeded):
3455         (timeoutThreadMain): Deleted.
3456
3457 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
3458
3459         Unreviewed, add missing header for CLoop
3460
3461         * runtime/SymbolTable.cpp:
3462
3463 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
3464
3465         Unreviewed, add missing header includes
3466
3467         * parser/Lexer.h:
3468
3469 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
3470
3471         Remove excessive headers from JavaScriptCore
3472         https://bugs.webkit.org/show_bug.cgi?id=173812
3473
3474         Reviewed by Darin Adler.
3475
3476         * API/APIUtils.h:
3477         * assembler/LinkBuffer.cpp:
3478         * assembler/MacroAssemblerCodeRef.cpp:
3479         * b3/air/AirLiveness.h:
3480         * b3/air/AirLowerAfterRegAlloc.cpp:
3481         * bindings/ScriptValue.cpp:
3482         * bindings/ScriptValue.h:
3483         * bytecode/AccessCase.cpp:
3484         * bytecode/AccessCase.h:
3485         * bytecode/ArrayProfile.h:
3486         * bytecode/BytecodeDumper.h:
3487         * bytecode/BytecodeIntrinsicRegistry.cpp:
3488         * bytecode/BytecodeKills.h:
3489         * bytecode/BytecodeLivenessAnalysis.h:
3490         * bytecode/BytecodeUseDef.h:
3491         * bytecode/CallLinkStatus.h:
3492         * bytecode/CodeBlock.h:
3493         * bytecode/CodeOrigin.h:
3494         * bytecode/ComplexGetStatus.h:
3495         * bytecode/GetByIdStatus.h:
3496         * bytecode/GetByIdVariant.h:
3497         * bytecode/InlineCallFrame.h:
3498         * bytecode/InlineCallFrameSet.h:
3499         * bytecode/Instruction.h:
3500         * bytecode/InternalFunctionAllocationProfile.h:
3501         * bytecode/JumpTable.h:
3502         * bytecode/MethodOfGettingAValueProfile.h:
3503         * bytecode/ObjectPropertyConditionSet.h:
3504         * bytecode/Operands.h:
3505         * bytecode/PolymorphicAccess.h:
3506         * bytecode/PutByIdStatus.h:
3507         * bytecode/SpeculatedType.cpp:
3508         * bytecode/StructureSet.h:
3509         * bytecode/StructureStubInfo.h:
3510         * bytecode/UnlinkedCodeBlock.h:
3511         * bytecode/UnlinkedFunctionExecutable.h:
3512         * bytecode/ValueProfile.h:
3513         * bytecompiler/BytecodeGenerator.cpp:
3514         * bytecompiler/BytecodeGenerator.h:
3515         * bytecompiler/Label.h:
3516         * bytecompiler/StaticPropertyAnalysis.h:
3517         * debugger/DebuggerCallFrame.cpp:
3518         * dfg/DFGAbstractInterpreter.h:
3519         * dfg/DFGAdjacencyList.h:
3520         * dfg/DFGArgumentsUtilities.h:
3521         * dfg/DFGArrayMode.h:
3522         * dfg/DFGArrayifySlowPathGenerator.h:
3523         * dfg/DFGBackwardsPropagationPhase.h:
3524         * dfg/DFGBasicBlock.h:
3525         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
3526         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3527         * dfg/DFGCapabilities.h:
3528         * dfg/DFGCommon.h:
3529         * dfg/DFGCommonData.h:
3530         * dfg/DFGDesiredIdentifiers.h:
3531         * dfg/DFGDesiredWatchpoints.h:
3532         * dfg/DFGDisassembler.cpp:
3533         * dfg/DFGDominators.h:
3534         * dfg/DFGDriver.cpp:
3535         * dfg/DFGDriver.h:
3536         * dfg/DFGEdgeDominates.h:
3537         * dfg/DFGFinalizer.h:
3538         * dfg/DFGGenerationInfo.h:
3539         * dfg/DFGJITCompiler.cpp:
3540         * dfg/DFGJITCompiler.h:
3541         * dfg/DFGJITFinalizer.h:
3542         * dfg/DFGLivenessAnalysisPhase.h:
3543         * dfg/DFGMinifiedNode.h:
3544         * dfg/DFGMultiGetByOffsetData.h:
3545         * dfg/DFGNaturalLoops.cpp:
3546         * dfg/DFGNaturalLoops.h:
3547         * dfg/DFGNode.h:
3548         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
3549         * dfg/DFGOSRExit.h:
3550         * dfg/DFGOSRExitCompilationInfo.h:
3551         * dfg/DFGOSRExitCompiler.cpp:
3552         * dfg/DFGOSRExitCompiler.h:
3553         * dfg/DFGOSRExitJumpPlaceholder.h:
3554         * dfg/DFGOperations.cpp:
3555         * dfg/DFGOperations.h:
3556         * dfg/DFGPlan.h:
3557         * dfg/DFGPreciseLocalClobberize.h:
3558         * dfg/DFGPromotedHeapLocation.h:
3559         * dfg/DFGRegisteredStructure.h:
3560         * dfg/DFGRegisteredStructureSet.h:
3561         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
3562         * dfg/DFGSlowPathGenerator.h:
3563         * dfg/DFGSnippetParams.h:
3564         * dfg/DFGSpeculativeJIT.h:
3565         * dfg/DFGToFTLDeferredCompilationCallback.h:
3566         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
3567         * dfg/DFGValidate.h:
3568         * dfg/DFGValueSource.h:
3569         * dfg/DFGVariableEvent.h:
3570         * dfg/DFGVariableEventStream.h:
3571         * dfg/DFGWorklist.h:
3572         * domjit/DOMJITCallDOMGetterSnippet.h:
3573         * domjit/DOMJITEffect.h:
3574         * ftl/FTLLink.cpp:
3575         * ftl/FTLLowerDFGToB3.cpp:
3576         * ftl/FTLPatchpointExceptionHandle.h:
3577         * heap/AllocatorAttributes.h:
3578         * heap/CodeBlockSet.h:
3579         * heap/DeferGC.h:
3580         * heap/GCSegmentedArray.h:
3581         * heap/Heap.cpp:
3582         * heap/Heap.h:
3583         * heap/IncrementalSweeper.h:
3584         * heap/ListableHandler.h:
3585         * heap/MachineStackMarker.h:
3586         * heap/MarkedAllocator.h:
3587         * heap/MarkedBlock.cpp:
3588         * heap/MarkedBlock.h:
3589         * heap/MarkingConstraint.h:
3590         * heap/SlotVisitor.cpp:
3591         * heap/SlotVisitor.h:
3592         * inspector/ConsoleMessage.cpp:
3593         * inspector/ConsoleMessage.h:
3594         * inspector/InjectedScript.h:
3595         * inspector/InjectedScriptHost.h:
3596         * inspector/InjectedScriptManager.cpp:
3597         * inspector/JSGlobalObjectInspectorController.cpp:
3598         * inspector/JavaScriptCallFrame.h:
3599         * inspector/ScriptCallStack.h:
3600         * inspector/ScriptCallStackFactory.cpp:
3601         * inspector/ScriptDebugServer.h:
3602         * inspector/agents/InspectorConsoleAgent.h:
3603         * inspector/agents/InspectorDebuggerAgent.cpp:
3604         * inspector/agents/InspectorDebuggerAgent.h:
3605         * inspector/agents/InspectorHeapAgent.cpp:
3606         * inspector/agents/InspectorHeapAgent.h:
3607         * inspector/agents/InspectorRuntimeAgent.h:
3608         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3609         * inspector/agents/InspectorScriptProfilerAgent.h:
3610         * inspector/agents/JSGlobalObjectConsoleAgent.h:
3611         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3612         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3613         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3614         * inspector/augmentable/AlternateDispatchableAgent.h:
3615         * interpreter/CLoopStack.h:
3616         * interpreter/CachedCall.h:
3617         * interpreter/CallFrame.h:
3618         * interpreter/Interpreter.cpp:
3619         * interpreter/Interpreter.h:
3620         * jit/AssemblyHelpers.cpp:
3621         * jit/AssemblyHelpers.h:
3622         * jit/CCallHelpers.h:
3623         * jit/CallFrameShuffler.h:
3624         * jit/ExecutableAllocator.h:
3625         * jit/GCAwareJITStubRoutine.h:
3626         * jit/HostCallReturnValue.h:
3627         * jit/ICStats.h:
3628         * jit/JIT.cpp:
3629         * jit/JIT.h:
3630         * jit/JITAddGenerator.h:
3631         * jit/JITCall32_64.cpp:
3632         * jit/JITCode.h:
3633         * jit/JITDisassembler.cpp:
3634         * jit/JITExceptions.cpp:
3635         * jit/JITMathIC.h:
3636         * jit/JITOpcodes.cpp:
3637         * jit/JITOperations.cpp:
3638         * jit/JITOperations.h:
3639         * jit/JITThunks.cpp:
3640         * jit/JITThunks.h:
3641         * jit/JSInterfaceJIT.h:
3642         * jit/PCToCodeOriginMap.h:
3643         * jit/PolymorphicCallStubRoutine.h:
3644         * jit/RegisterSet.h:
3645         * jit/Repatch.h:
3646         * jit/SetupVarargsFrame.h:
3647         * jit/Snippet.h:
3648         * jit/SnippetParams.h:
3649         * jit/ThunkGenerators.h:
3650         * jsc.cpp:
3651         * llint/LLIntCLoop.h:
3652         * llint/LLIntEntrypoint.h:
3653         * llint/LLIntExceptions.h:
3654         * llint/LLIntOfflineAsmConfig.h:
3655         * llint/LLIntSlowPaths.cpp:
3656         * parser/NodeConstructors.h:
3657         * parser/Nodes.cpp:
3658         * parser/Nodes.h:
3659         * parser/Parser.cpp:
3660         * parser/Parser.h:
3661         * parser/ParserTokens.h:
3662         * parser/SourceProviderCacheItem.h:
3663         * profiler/ProfilerBytecodeSequence.h:
3664         * profiler/ProfilerDatabase.cpp:
3665         * profiler/ProfilerDatabase.h:
3666         * profiler/ProfilerOrigin.h:
3667         * profiler/ProfilerOriginStack.h:
3668         * profiler/ProfilerProfiledBytecodes.h:
3669         * profiler/ProfilerUID.h:
3670         * runtime/AbstractModuleRecord.h:
3671         * runtime/ArrayConstructor.h:
3672         * runtime/ArrayConventions.h:
3673         * runtime/ArrayIteratorPrototype.h:
3674         * runtime/ArrayPrototype.h:
3675         * runtime/BasicBlockLocation.h:
3676         * runtime/Butterfly.h:
3677         * runtime/CallData.cpp:
3678         * runtime/CodeCache.h:
3679         * runtime/CommonSlowPaths.cpp:
3680         * runtime/CommonSlowPaths.h:
3681         * runtime/CommonSlowPathsExceptions.cpp:
3682         * runtime/Completion.cpp:
3683         * runtime/ControlFlowProfiler.h:
3684         * runtime/DateInstanceCache.h:
3685         * runtime/ErrorConstructor.h:
3686         * runtime/ErrorInstance.h:
3687         * runtime/ExceptionHelpers.cpp:
3688         * runtime/ExceptionHelpers.h:
3689         * runtime/ExecutableBase.h:
3690         * runtime/FunctionExecutable.h:
3691         * runtime/HasOwnPropertyCache.h:
3692         * runtime/Identifier.h:
3693         * runtime/InternalFunction.h:
3694         * runtime/IntlCollator.cpp:
3695         * runtime/IntlCollatorPrototype.h:
3696         * runtime/IntlDateTimeFormatPrototype.h:
3697         * runtime/IntlNumberFormat.cpp:
3698         * runtime/IntlNumberFormatPrototype.h:
3699         * runtime/IteratorOperations.cpp:
3700         * runtime/JSArray.h:
3701         * runtime/JSArrayBufferPrototype.h:
3702         * runtime/JSCJSValue.h:
3703         * runtime/JSCJSValueInlines.h:
3704         * runtime/JSCell.h:
3705         * runtime/JSFunction.cpp:
3706         * runtime/JSFunction.h:
3707         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3708         * runtime/JSGlobalObject.cpp:
3709         * runtime/JSGlobalObject.h:
3710         * runtime/JSGlobalObjectDebuggable.cpp:
3711         * runtime/JSGlobalObjectDebuggable.h:
3712         * runtime/JSGlobalObjectFunctions.cpp:
3713         * runtime/JSGlobalObjectFunctions.h:
3714         * runtime/JSJob.cpp:
3715         * runtime/JSLock.h:
3716         * runtime/JSModuleLoader.cpp:
3717         * runtime/JSModuleNamespaceObject.h:
3718         * runtime/JSModuleRecord.h:
3719         * runtime/JSObject.cpp:
3720         * runtime/JSObject.h:
3721         * runtime/JSRunLoopTimer.h:
3722         * runtime/JSTemplateRegistryKey.h:
3723         * runtime/JSTypedArrayPrototypes.cpp:
3724         * runtime/JSTypedArrayPrototypes.h:
3725         * runtime/JSTypedArrays.h:
3726         * runtime/LiteralParser.h:
3727         * runtime/MatchResult.h:
3728         * runtime/MemoryStatistics.h:
3729         * runtime/PrivateName.h:
3730         * runtime/PromiseDeferredTimer.h:
3731         * runtime/ProxyObject.h:
3732         * runtime/RegExp.h:
3733         * runtime/SamplingProfiler.cpp:
3734         * runtime/SmallStrings.h:
3735         * runtime/StringPrototype.cpp:
3736         * runtime/StringRecursionChecker.h:
3737         * runtime/Structure.h:
3738         * runtime/SymbolConstructor.h:
3739         * runtime/SymbolPrototype.cpp:
3740         * runtime/SymbolPrototype.h:
3741         * runtime/TypeProfiler.h:
3742         * runtime/TypeProfilerLog.h:
3743         * runtime/TypedArrayType.h:
3744         * runtime/VM.cpp:
3745         * runtime/VM.h:
3746         * runtime/VMEntryScope.h:
3747         * runtime/WeakMapData.h:
3748         * runtime/WriteBarrier.h:
3749         * tools/FunctionOverrides.cpp:
3750         * tools/FunctionOverrides.h:
3751         * wasm/WasmBinding.cpp:
3752         * wasm/js/JSWebAssemblyCodeBlock.h:
3753         * wasm/js/WebAssemblyPrototype.cpp:
3754         * yarr/Yarr.h:
3755         * yarr/YarrJIT.cpp:
3756         * yarr/YarrJIT.h:
3757         * yarr/YarrParser.h:
3758
3759 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3760
3761         [JSC] Clean up Object.entries implementation
3762         https://bugs.webkit.org/show_bug.cgi?id=173759
3763
3764         Reviewed by Sam Weinig.
3765
3766         This patch cleans up Object.entries implementation.
3767         We drop unused private functions. And we merge the
3768         implementation into Object.entries.
3769
3770         It slightly speeds up Object.entries.
3771
3772                                      baseline                  patched
3773
3774             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
3775
3776
3777         * builtins/BuiltinNames.h:
3778         * builtins/ObjectConstructor.js:
3779         (entries):
3780         (globalPrivate.enumerableOwnProperties): Deleted.
3781         * runtime/JSGlobalObject.cpp:
3782         (JSC::JSGlobalObject::init):
3783         * runtime/ObjectConstructor.cpp:
3784         (JSC::ownEnumerablePropertyKeys): Deleted.
3785         * runtime/ObjectConstructor.h:
3786
3787 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
3788
3789         Remove Reflect.enumerate
3790         https://bugs.webkit.org/show_bug.cgi?id=173806
3791
3792         Reviewed by Yusuke Suzuki.
3793
3794         * CMakeLists.txt:
3795         * JavaScriptCore.xcodeproj/project.pbxproj:
3796         * inspector/JSInjectedScriptHost.cpp:
3797         (Inspector::JSInjectedScriptHost::subtype):
3798         (Inspector::JSInjectedScriptHost::getInternalProperties):
3799         (Inspector::JSInjectedScriptHost::iteratorEntries):
3800         * runtime/JSGlobalObject.cpp:
3801         (JSC::JSGlobalObject::init):
3802         (JSC::JSGlobalObject::visitChildren):
3803         * runtime/JSPropertyNameIterator.cpp: Removed.
3804         * runtime/JSPropertyNameIterator.h: Removed.
3805         * runtime/ReflectObject.cpp:
3806         (JSC::reflectObjectEnumerate): Deleted.
3807
3808 2017-06-23  Keith Miller  <keith_miller@apple.com>
3809
3810         Switch VMTraps to use halt instructions rather than breakpoint instructions
3811         https://bugs.webkit.org/show_bug.cgi?id=173677
3812         <rdar://problem/32178892>
3813
3814         Reviewed by JF Bastien.
3815
3816         Using the breakpoint instruction for VMTraps caused issues with lldb.
3817         Since we only need some way to stop execution we can, in theory, use
3818         any exceptioning instruction we want. I went with the halt instruction
3819         on X86 since that is the only one byte instruction that does not
3820         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
3821         On ARM we use the data cache clearing instruction with the zero register,
3822         which triggers a segmentation fault.
3823
3824         Also, update the platform code to only use signaling VMTraps
3825         where we have an appropriate instruction (x86 and ARM64).
3826
3827         * API/tests/ExecutionTimeLimitTest.cpp:
3828         (testExecutionTimeLimit):
3829         * assembler/ARM64Assembler.h:
3830         (JSC::ARM64Assembler::replaceWithVMHalt):
3831         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
3832         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
3833         * assembler/ARMAssembler.h:
3834         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
3835         * assembler/ARMv7Assembler.h:
3836         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
3837         * assembler/MIPSAssembler.h:
3838         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
3839         * assembler/MacroAssemblerARM.h:
3840         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
3841         * assembler/MacroAssemblerARM64.h:
3842         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
3843         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
3844         * assembler/MacroAssemblerARMv7.h:
3845         (JSC::MacroAssemblerARMv7::storeFence):
3846         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
3847         * assembler/MacroAssemblerMIPS.h:
3848         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
3849         * assembler/MacroAssemblerX86Common.h:
3850         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
3851         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
3852         * assembler/X86Assembler.h:
3853         (JSC::X86Assembler::replaceWithHlt):
3854         (JSC::X86Assembler::replaceWithInt3): Deleted.
3855         * dfg/DFGJumpReplacement.cpp:
3856         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
3857         * runtime/VMTraps.cpp:
3858         (JSC::SignalContext::SignalContext):
3859         (JSC::installSignalHandler):
3860         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
3861         * wasm/WasmFaultSignalHandler.cpp:
3862         (JSC::Wasm::enableFastMemory):
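
        As an added illustration of the trap-instruction choice described in this
        entry (example code written for this page, not JavaScriptCore's own), the
        probe below executes a breakpoint instruction and then a halt-style
        instruction from user mode with a temporary handler installed, and reports
        which POSIX signal each one raised. It assumes Linux-style signal delivery
        (the entry notes that on Darwin the breakpoint case surfaces as
        EXC_BREAKPOINT) and inline assembly for x86 or AArch64; the raise() fallbacks
        for other architectures and all function names are the example's own.

```c
/* Added example (not JavaScriptCore code): which POSIX signal does a
 * breakpoint instruction raise versus a halt-style instruction when executed
 * from user mode? Assumes a POSIX system; inline asm covers x86 and AArch64,
 * other architectures fall back to raise() so the file still runs. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf recover_point;
static volatile sig_atomic_t caught_signal;

/* Record the signal and unwind out of the faulting instruction. Returning
 * normally from a SIGSEGV handler would re-execute the halt and loop forever. */
static void record_and_unwind(int signo)
{
    caught_signal = signo;
    siglongjmp(recover_point, 1);
}

/* The kind of instruction VMTraps used before this change: a debugger breakpoint. */
static void breakpoint_instruction(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("int3");
#elif defined(__aarch64__)
    __asm__ volatile("brk #0");
#else
    raise(SIGTRAP); /* assumption: stand-in where no inline asm is provided here */
#endif
}

/* The kind of instruction VMTraps uses after this change: privileged hlt on x86,
 * DC ZVA through the zero register (a store to address 0) on ARM64. */
static void halt_instruction(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("hlt");
#elif defined(__aarch64__)
    __asm__ volatile("dc zva, xzr");
#else
    raise(SIGSEGV); /* assumption: stand-in where no inline asm is provided here */
#endif
}

/* Install temporary handlers, run one trap, and return the signal number it
 * raised (0 if none). The previous handlers are restored before returning. */
static int signal_raised_by(void (*trap)(void))
{
    static const int watched[] = { SIGSEGV, SIGBUS, SIGILL, SIGTRAP };
    struct sigaction previous[sizeof watched / sizeof watched[0]];
    struct sigaction sa;
    size_t i;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = record_and_unwind;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER; /* we never return normally, so do not leave it blocked */
    for (i = 0; i < sizeof watched / sizeof watched[0]; i++)
        sigaction(watched[i], &sa, &previous[i]);

    caught_signal = 0;
    if (sigsetjmp(recover_point, 1) == 0)
        trap();

    for (i = 0; i < sizeof watched / sizeof watched[0]; i++)
        sigaction(watched[i], &previous[i], NULL);
    return caught_signal;
}

int signal_for_breakpoint(void) { return signal_raised_by(breakpoint_instruction); }
int signal_for_halt(void)       { return signal_raised_by(halt_instruction); }

/* The property the change relies on: the halt-style trap still stops the
 * thread, but an attached debugger does not see it as a breakpoint. */
int halt_avoids_breakpoint_signal(void)
{
    int signo = signal_for_halt();
    return signo != 0 && signo != SIGTRAP;
}

int main(void)
{
    printf("breakpoint instruction -> signal %d (SIGTRAP is %d)\n",
           signal_for_breakpoint(), SIGTRAP);
    printf("halt instruction       -> signal %d (SIGSEGV is %d)\n",
           signal_for_halt(), SIGSEGV);
    return 0;
}
```

        On x86-64 Linux the first probe reports SIGTRAP and the second SIGSEGV (the
        privileged hlt raises a general-protection fault); on AArch64 the brk reports
        SIGTRAP and the DC ZVA store to address 0 reports SIGSEGV. This is the
        distinction the change exploits: a signal handler can stop JIT code on either
        instruction, but only the breakpoint instruction collides with a debugger.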
3863
3864 2017-06-22  Saam Barati  <sbarati@apple.com>
3865
3866         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
3867         https://bugs.webkit.org/show_bug.cgi?id=173743
3868         <rdar://problem/32932536>
3869
3870         Reviewed by Mark Lam.
3871
3872         The code always manually speculates, however, we weren't specifying
3873         ManualOperandSpeculation when creating a JSValueOperand. This would
3874         fire an assertion in JSValueOperand construction for a node like:
3875         Identity(String:@otherNode)
3876         
3877         I spent about 45 minutes trying to craft a test and came up
3878         empty. However, this fixes a debug assertion on an internal
3879         Apple website.
3880
3881         * dfg/DFGSpeculativeJIT32_64.cpp:
3882         (JSC::DFG::SpeculativeJIT::compile):
3883         * dfg/DFGSpeculativeJIT64.cpp:
3884         (JSC::DFG::SpeculativeJIT::compile):
3885
3886 2017-06-22  Saam Barati  <sbarati@apple.com>
3887
3888         ValueRep(DoubleRep(@v)) can not simply convert to @v
3889         https://bugs.webkit.org/show_bug.cgi?id=173687
3890         <rdar://problem/32855563>
3891
3892         Reviewed by Mark Lam.
3893
3894         Consider this IR:
3895          block#x
3896           p: Phi() // int32 and double flows into this phi from various control flow
3897           d: DoubleRep(@p)
3898           some uses of @d here
3899           v: ValueRep(DoubleRepUse:@d)
3900           a: NewArrayWithSize(Int32:@v)
3901           some more nodes here ...
3902         
3903         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
3904         AI proves that the Int32 check will fail. Constant folding phase removes
3905         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
3906         
3907         The IR then looks like this:
3908         block#x
3909           p: Phi() // int32 and double flows into this phi from various control flow
3910           d: DoubleRep(@p)
3911           some uses of @d here
3912           v: ValueRep(DoubleRepUse:@d)
3913           a: NewArrayWithSize(Int32:@v)
3914           Unreachable
3915         
3916         However, there was a strength reduction rule that tries to eliminate
3917         conversions. It used to convert the program to:
3918         block#x
3919           p: Phi() // int32 and double flows into this phi from various control flow
3920           d: DoubleRep(@p)
3921           some uses of @d here
3922           a: NewArrayWithSize(Int32:@p)
3923           Unreachable
3924         
3925         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
3926         and we'll crash. This patch removes this strength reduction rule since it
3927         does not maintain what would have happened if we executed the program before
3928         the rule.
3929         
3930         This rule is also wrong for other types of programs (I'm not sure we'd
3931         actually emit this code, but if such IR were generated, we would previously
3932         optimize it incorrectly):
3933         @a: Constant(JSTrue)
3934         @b: DoubleRep(@a)
3935         @c: ValueRep(@b)
3936         @d: use(@c)
3937         
3938         However, the strength reduction rule would've transformed this into:
3939         @a: Constant(JSTrue)
3940         @d: use(@a)
3941         
3942         And this would be wrong because node @c before the transformation would
3943         have produced the JSValue jsNumber(1.0).
3944         
3945         This patch was neutral in the benchmark run I did.
3946
3947         * dfg/DFGStrengthReductionPhase.cpp:
3948         (JSC::DFG::StrengthReductionPhase::handleNode):
3949
3950 2017-06-22  JF Bastien  <jfbastien@apple.com>
3951
3952         ARM64: doubled executable memory limit from 32MiB to 64MiB
3953         https://bugs.webkit.org/show_bug.cgi?id=173734
3954         <rdar://problem/32932407>
3955
3956         Reviewed by Oliver Hunt.
3957
3958         Some WebAssembly programs stress the amount of memory we have
3959         available, especially when we consider tiering (BBQ never dies,
3960         and is bigger than OMG). Tiering to OMG just piles on more memory,
3961         and we're also competing with JavaScript.
3962
3963         * jit/ExecutableAllocator.h:
3964
3965 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
3966
3967         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
3968         https://bugs.webkit.org/show_bug.cgi?id=173698
3969
3970         Reviewed by Matt Baker.
3971
3972         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
3973         when preparing Inspector pause information is spent generating object previews for
3974         the `thisObject` of each of the call frames. In some cases, this could be more
3975         than 95% of the time generating pause information. In the common case, only one of
3976         these (the top frame) will ever be seen by users. This change avoids eagerly
3977         generating object previews up front and lets the frontend request previews if they
3978         are needed.
3979
3980         This introduces the `Runtime.getPreview` protocol command. This can be used to:
3981
3982             - Get a preview for a RemoteObject that did not have a preview but could.
3983             - Update a preview for a RemoteObject that had a preview.
3984
3985         This patch only uses it for the first case, but the second is valid and may be
3986         something we want to do in the future.
3987
3988         * inspector/protocol/Runtime.json:
3989         A new command to get an up to date preview for an object.
3990
3991         * inspector/InjectedScript.h:
3992         * inspector/InjectedScript.cpp:
3993         (Inspector::InjectedScript::getPreview):
3994         * inspector/agents/InspectorRuntimeAgent.cpp:
3995         (Inspector::InspectorRuntimeAgent::getPreview):
3996         * inspector/agents/InspectorRuntimeAgent.h:
3997         Plumbing for the new command.
3998
3999         * inspector/InjectedScriptSource.js:
4000         (InjectedScript.prototype.getPreview):
4001         Implementation just uses the existing helper.
4002
4003         (InjectedScript.CallFrameProxy):
4004         Do not generate a preview for the this object as it may not be shown.
4005         Let the frontend request a preview if it wants or needs one.
4006
4007 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
4008
4009         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
4010         https://bugs.webkit.org/show_bug.cgi?id=173686
4011
4012         Reviewed by Mark Lam.
4013
4014         * inspector/InjectedScript.cpp:
4015         (Inspector::InjectedScript::functionDetails):
4016         * inspector/InjectedScriptSource.js:
4017         (InjectedScript.prototype.functionDetails):
4018         * inspector/JSInjectedScriptHost.cpp:
4019         (Inspector::JSInjectedScriptHost::functionDetails):
4020
4021 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
4022
4023         [JSC] Object.values should be implemented in C++
4024         https://bugs.webkit.org/show_bug.cgi?id=173703
4025
4026         Reviewed by Sam Weinig.
4027
4028         As with Object.assign, Object.values() is also inherently polymorphic.
4029         And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
4030         result is costly.
4031
4032         In this patch, we implement Object.values() in C++. It can avoid above allocations.
4033         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
4034         non-observable JSObject::get() calls.
4035
4036         This improves performance by 2.49x. And also now Object.values() beats
4037         Object.keys(object).map(key => object[key]) implementation.
4038
4039                                              baseline                  patched
4040
4041             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
4042             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
4043
4044         * builtins/ObjectConstructor.js:
4045         (values): Deleted.
4046         * runtime/ObjectConstructor.cpp:
4047         (JSC::objectConstructorValues):
4048
4049 2017-06-21  Saam Barati  <sbarati@apple.com>
4050