Demarcate code added due to lack of NSDMI for aggregates
[WebKit.git] / Source / JavaScriptCore / ChangeLog
1 2017-08-25  Daniel Bates  <dabates@apple.com>
2
3         Demarcate code added due to lack of NSDMI for aggregates
4         https://bugs.webkit.org/show_bug.cgi?id=175990
5
6         Reviewed by Andy Estes.
7
8         * domjit/DOMJITEffect.h:
9         (JSC::DOMJIT::Effect::Effect):
10         (JSC::DOMJIT::Effect::forWrite):
11         (JSC::DOMJIT::Effect::forRead):
12         (JSC::DOMJIT::Effect::forReadWrite):
13         (JSC::DOMJIT::Effect::forPure):
14         (JSC::DOMJIT::Effect::forDef):
15         * runtime/HasOwnPropertyCache.h:
16         (JSC::HasOwnPropertyCache::Entry::Entry):
17         (JSC::HasOwnPropertyCache::Entry::operator=): Deleted.
18         * wasm/WasmFormat.h: Modernize some of the code while I am here. Also
19         make some comments read well.
20         (JSC::Wasm::CallableFunction::CallableFunction):
21         * wasm/js/WebAssemblyFunction.cpp:
22         (JSC::WebAssemblyFunction::WebAssemblyFunction):
23         * wasm/js/WebAssemblyWrapperFunction.cpp:
24         (JSC::WebAssemblyWrapperFunction::create):
25
26 2017-08-25  Saam Barati  <sbarati@apple.com>
27
28         Unreviewed. Fix 32-bit after r221196
29
30         * jit/JITOpcodes32_64.cpp:
31         (JSC::JIT::emit_op_catch):
32
33 2017-08-25  Chris Dumez  <cdumez@apple.com>
34
35         Land stubs for File and Directory Entries API interfaces
36         https://bugs.webkit.org/show_bug.cgi?id=175993
37         <rdar://problem/34087477>
38
39         Reviewed by Ryosuke Niwa.
40
41         Add CommonIdentifiers needed for [EnabledAtRuntime].
42
43         * runtime/CommonIdentifiers.h:
44
45 2017-08-25  Brian Burg  <bburg@apple.com>
46
47         Web Automation: add capabilities to control ICE candidate filtering and insecure media capture
48         https://bugs.webkit.org/show_bug.cgi?id=175563
49         <rdar://problem/33734492>
50
51         Reviewed by Joseph Pecoraro.
52
53         Add macros for new capability protocol string names. Let's use a reverse
54         domain name notation for these capabilities so we know whether they are
55         intended for a particular client/port or any WebKit client, and what feature they
56         are related to (i.e., webrtc).
57
58         * inspector/remote/RemoteInspectorConstants.h:
59
60 2017-08-24  Brian Burg  <bburg@apple.com>
61
62         Web Automation: use automation session configurations to propagate per-session settings
63         https://bugs.webkit.org/show_bug.cgi?id=175562
64         <rdar://problem/30853362>
65
66         Reviewed by Joseph Pecoraro.
67
68         Add a Cocoa-specific code path to forward capabilities when requesting
69         a new session from the remote inspector (i.e., automation) client.
70
71         If other ports want to use this, then we can convert Cocoa types to WebKit types later.
72
73         * inspector/remote/RemoteInspector.h:
74         * inspector/remote/RemoteInspectorConstants.h:
75         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
76         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
77
78 2017-08-25  Saam Barati  <sbarati@apple.com>
79
80         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
81         https://bugs.webkit.org/show_bug.cgi?id=175893
82
83         Reviewed by Mark Lam.
84
85         * dfg/DFGJITCode.cpp:
86         (JSC::DFG::JITCode::finalizeOSREntrypoints):
87         * dfg/DFGJITCode.h:
88         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
89         * dfg/DFGSpeculativeJIT.cpp:
90         (JSC::DFG::SpeculativeJIT::linkOSREntries):
91
92 2017-08-25  Saam Barati  <sbarati@apple.com>
93
94         Support compiling catch in the DFG
95         https://bugs.webkit.org/show_bug.cgi?id=174590
96         <rdar://problem/34047845>
97
98         Reviewed by Filip Pizlo.
99
100         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
101         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
102         
103         To implement catch in the DFG, this patch introduces the concept of multiple
104         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
105         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
106         patch contains many straightforward changes generalizing the code to handle more than
107         one entrypoint.
108         
109         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
110         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
111         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
112         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
113         and SSANaturalLoops vs CPSNaturalLoops.
114         
115         The way we compile the catch entrypoint is by bootstrapping the state
116         of the program by loading all live bytecode locals from a buffer. The OSR
117         entry code will store all live values into that buffer before jumping to
118         the entrypoint. The OSR entry code is also responsible for performing type
119         proofs of the arguments before doing an OSR entry. If there is a type
120         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
121         each catch entrypoint knows the argument type proofs it must perform to enter
122         into the DFG. Currently, all entrypoints' argument flush formats are unified
123         via ArgumentPosition, but this is just an implementation detail. The code is
124         written more generally to assume that each entrypoint may perform its own distinct
125         proof.
126         
127         op_catch now performs value profiling for all live bytecode locals in the
128         LLInt and baseline JIT. This information is then fed into the DFG via the
129         ExtractCatchLocal node in the prediction propagation phase.
130         
131         This patch also changes how we generate op_catch in bytecode. All op_catches
132         are now split out at the end of the program in bytecode. This ensures that
133         no op_catch is inside a try block. This is needed to ensure correctness in
134         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
135         before SetLocals inside a try block. If an op_catch were in a try block, this
136         would cause the phase to insert a Flush before one of the state bootstrapping
137         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
138         its own at the end of a bytecode stream seemed like the most elegant solution since
139         it better represents that we treat op_catch as an entrypoint. This is true
140         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
141         via normal control flow. Because op_catch cannot throw, this will not break
142         any previous semantics of op_catch. Logically, it'd be valid to split try
143         blocks around any non-throwing bytecode operation.
144
145         * CMakeLists.txt:
146         * JavaScriptCore.xcodeproj/project.pbxproj:
147         * bytecode/BytecodeDumper.cpp:
148         (JSC::BytecodeDumper<Block>::dumpBytecode):
149         * bytecode/BytecodeList.json:
150         * bytecode/BytecodeUseDef.h:
151         (JSC::computeUsesForBytecodeOffset):
152         * bytecode/CodeBlock.cpp:
153         (JSC::CodeBlock::finishCreation):
154         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
155         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
156         (JSC::CodeBlock::validate):
157         * bytecode/CodeBlock.h:
158         * bytecode/ValueProfile.h:
159         (JSC::ValueProfile::ValueProfile):
160         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
161         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
162         (JSC::ValueProfileAndOperandBuffer::forEach):
163         * bytecompiler/BytecodeGenerator.cpp:
164         (JSC::BytecodeGenerator::generate):
165         (JSC::BytecodeGenerator::BytecodeGenerator):
166         (JSC::BytecodeGenerator::emitCatch):
167         (JSC::BytecodeGenerator::emitEnumeration):
168         * bytecompiler/BytecodeGenerator.h:
169         * bytecompiler/NodesCodegen.cpp:
170         (JSC::TryNode::emitBytecode):
171         * dfg/DFGAbstractInterpreterInlines.h:
172         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
173         * dfg/DFGBackwardsCFG.h:
174         (JSC::DFG::BackwardsCFG::BackwardsCFG):
175         * dfg/DFGBasicBlock.cpp:
176         (JSC::DFG::BasicBlock::BasicBlock):
177         * dfg/DFGBasicBlock.h:
178         (JSC::DFG::BasicBlock::findTerminal const):
179         * dfg/DFGByteCodeParser.cpp:
180         (JSC::DFG::ByteCodeParser::setDirect):
181         (JSC::DFG::ByteCodeParser::flush):
182         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
183         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
184         (JSC::DFG::ByteCodeParser::parseBlock):
185         (JSC::DFG::ByteCodeParser::parseCodeBlock):
186         (JSC::DFG::ByteCodeParser::parse):
187         * dfg/DFGCFG.h:
188         (JSC::DFG::CFG::root):
189         (JSC::DFG::CFG::roots):
190         (JSC::DFG::CPSCFG::CPSCFG):
191         (JSC::DFG::selectCFG):
192         * dfg/DFGCPSRethreadingPhase.cpp:
193         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
194         * dfg/DFGCSEPhase.cpp:
195         * dfg/DFGClobberize.h:
196         (JSC::DFG::clobberize):
197         * dfg/DFGControlEquivalenceAnalysis.h:
198         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
199         * dfg/DFGDCEPhase.cpp:
200         (JSC::DFG::DCEPhase::run):
201         * dfg/DFGDisassembler.cpp:
202         (JSC::DFG::Disassembler::createDumpList):
203         * dfg/DFGDoesGC.cpp:
204         (JSC::DFG::doesGC):
205         * dfg/DFGDominators.h:
206         (JSC::DFG::Dominators::Dominators):
207         (JSC::DFG::ensureDominatorsForCFG):
208         * dfg/DFGEdgeDominates.h:
209         (JSC::DFG::EdgeDominates::EdgeDominates):
210         (JSC::DFG::EdgeDominates::operator()):
211         * dfg/DFGFixupPhase.cpp:
212         (JSC::DFG::FixupPhase::fixupNode):
213         (JSC::DFG::FixupPhase::fixupChecksInBlock):
214         * dfg/DFGFlushFormat.h:
215         * dfg/DFGGraph.cpp:
216         (JSC::DFG::Graph::Graph):
217         (JSC::DFG::unboxLoopNode):
218         (JSC::DFG::Graph::dumpBlockHeader):
219         (JSC::DFG::Graph::dump):
220         (JSC::DFG::Graph::determineReachability):
221         (JSC::DFG::Graph::invalidateCFG):
222         (JSC::DFG::Graph::blocksInPreOrder):
223         (JSC::DFG::Graph::blocksInPostOrder):
224         (JSC::DFG::Graph::ensureCPSDominators):
225         (JSC::DFG::Graph::ensureSSADominators):
226         (JSC::DFG::Graph::ensureCPSNaturalLoops):
227         (JSC::DFG::Graph::ensureSSANaturalLoops):
228         (JSC::DFG::Graph::ensureBackwardsCFG):
229         (JSC::DFG::Graph::ensureBackwardsDominators):
230         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
231         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
232         (JSC::DFG::Graph::clearCPSCFGData):
233         (JSC::DFG::Graph::ensureDominators): Deleted.
234         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
235         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
236         * dfg/DFGGraph.h:
237         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
238         (JSC::DFG::Graph::isEntrypoint const):
239         * dfg/DFGInPlaceAbstractState.cpp:
240         (JSC::DFG::InPlaceAbstractState::initialize):
241         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
242         * dfg/DFGJITCode.cpp:
243         (JSC::DFG::JITCode::shrinkToFit):
244         * dfg/DFGJITCode.h:
245         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
246         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
247         (JSC::DFG::JITCode::appendCatchEntrypoint):
248         * dfg/DFGJITCompiler.cpp:
249         (JSC::DFG::JITCompiler::compile):
250         (JSC::DFG::JITCompiler::compileFunction):
251         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
252         (JSC::DFG::JITCompiler::noticeOSREntry):
253         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
254         * dfg/DFGJITCompiler.h:
255         * dfg/DFGLICMPhase.cpp:
256         (JSC::DFG::LICMPhase::run):
257         (JSC::DFG::LICMPhase::attemptHoist):
258         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
259         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
260         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
261         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
262         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
263         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
264         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
265         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
266         (JSC::DFG::createPreHeader):
267         (JSC::DFG::LoopPreHeaderCreationPhase::run):
268         * dfg/DFGMaximalFlushInsertionPhase.cpp:
269         (JSC::DFG::MaximalFlushInsertionPhase::run):
270         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
271         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
272         * dfg/DFGMayExit.cpp:
273         * dfg/DFGNaturalLoops.h:
274         (JSC::DFG::NaturalLoops::NaturalLoops):
275         * dfg/DFGNode.h:
276         (JSC::DFG::Node::isSwitch const):
277         (JSC::DFG::Node::successor):
278         (JSC::DFG::Node::catchOSREntryIndex const):
279         (JSC::DFG::Node::catchLocalPrediction):
280         (JSC::DFG::Node::isSwitch): Deleted.
281         * dfg/DFGNodeType.h:
282         * dfg/DFGOSREntry.cpp:
283         (JSC::DFG::prepareCatchOSREntry):
284         * dfg/DFGOSREntry.h:
285         * dfg/DFGOSREntrypointCreationPhase.cpp:
286         (JSC::DFG::OSREntrypointCreationPhase::run):
287         * dfg/DFGOSRExitCompilerCommon.cpp:
288         (JSC::DFG::handleExitCounts):
289         * dfg/DFGObjectAllocationSinkingPhase.cpp:
290         * dfg/DFGPlan.cpp:
291         (JSC::DFG::Plan::compileInThreadImpl):
292         * dfg/DFGPrePostNumbering.cpp:
293         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
294         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
295         (WTF::printInternal): Deleted.
296         * dfg/DFGPrePostNumbering.h:
297         (): Deleted.
298         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
299         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
300         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
301         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
302         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
303         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
304         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
305         * dfg/DFGPredictionInjectionPhase.cpp:
306         (JSC::DFG::PredictionInjectionPhase::run):
307         * dfg/DFGPredictionPropagationPhase.cpp:
308         * dfg/DFGPutStackSinkingPhase.cpp:
309         * dfg/DFGSSACalculator.cpp:
310         (JSC::DFG::SSACalculator::nonLocalReachingDef):
311         (JSC::DFG::SSACalculator::reachingDefAtTail):
312         * dfg/DFGSSACalculator.h:
313         (JSC::DFG::SSACalculator::computePhis):
314         * dfg/DFGSSAConversionPhase.cpp:
315         (JSC::DFG::SSAConversionPhase::run):
316         (JSC::DFG::performSSAConversion):
317         * dfg/DFGSafeToExecute.h:
318         (JSC::DFG::safeToExecute):
319         * dfg/DFGSpeculativeJIT.cpp:
320         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
321         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
322         (JSC::DFG::SpeculativeJIT::createOSREntries):
323         (JSC::DFG::SpeculativeJIT::linkOSREntries):
324         * dfg/DFGSpeculativeJIT32_64.cpp:
325         (JSC::DFG::SpeculativeJIT::compile):
326         * dfg/DFGSpeculativeJIT64.cpp:
327         (JSC::DFG::SpeculativeJIT::compile):
328         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
329         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
330         * dfg/DFGStrengthReductionPhase.cpp:
331         (JSC::DFG::StrengthReductionPhase::handleNode):
332         * dfg/DFGTierUpCheckInjectionPhase.cpp:
333         (JSC::DFG::TierUpCheckInjectionPhase::run):
334         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
335         * dfg/DFGTypeCheckHoistingPhase.cpp:
336         (JSC::DFG::TypeCheckHoistingPhase::run):
337         * dfg/DFGValidate.cpp:
338         * ftl/FTLLink.cpp:
339         (JSC::FTL::link):
340         * ftl/FTLLowerDFGToB3.cpp:
341         (JSC::FTL::DFG::LowerDFGToB3::lower):
342         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
343         (JSC::FTL::DFG::LowerDFGToB3::isValid):
344         * jit/JIT.h:
345         * jit/JITInlines.h:
346         (JSC::JIT::callOperation):
347         * jit/JITOpcodes.cpp:
348         (JSC::JIT::emit_op_catch):
349         * jit/JITOpcodes32_64.cpp:
350         (JSC::JIT::emit_op_catch):
351         * jit/JITOperations.cpp:
352         * jit/JITOperations.h:
353         * llint/LLIntSlowPaths.cpp:
354         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
355         * llint/LLIntSlowPaths.h:
356         * llint/LowLevelInterpreter32_64.asm:
357         * llint/LowLevelInterpreter64.asm:
358
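        The fake-root idea the entry above describes (CPSCFG: a synthetic root with an
        outgoing edge to every entrypoint, so graph algorithms written for a single root
        apply unchanged), as an added JavaScript example that is not JavaScriptCore's
        code and not part of the ChangeLog: a small CFG with a normal entry and a catch
        entry, a textbook iterative dominator computation that assumes one root, and a
        wrapper that synthesizes the root. The block names, the edges and the name
        fakeRoot are constructed for illustration.

```javascript
// Added example, not JavaScriptCore code. Toy CFG: A is the normal entry,
// C is a catch entry (reached only via exception dispatch), D is a join
// block reached from both paths. All names and edges are constructed.
const BLOCKS = ["A", "B", "C", "D"];
const SUCC = new Map([
  ["A", ["B"]],
  ["B", ["D"]],
  ["C", ["D"]],
  ["D", []],
]);

// Iterative dominator computation over the blocks reachable from `root`.
// Returns Map<block, Set<dominators>>; blocks unreachable from `root` are
// absent, exactly as a single-root algorithm would leave them.
function computeDominators(blocks, succ, root) {
  const preds = new Map(blocks.map((b) => [b, []]));
  for (const b of blocks) {
    for (const s of succ.get(b) || []) preds.get(s).push(b);
  }
  // Reverse postorder from the root so forward edges are processed first.
  const seen = new Set();
  const postorder = [];
  const dfs = (b) => {
    if (seen.has(b)) return;
    seen.add(b);
    for (const s of succ.get(b) || []) dfs(s);
    postorder.push(b);
  };
  dfs(root);
  const rpo = postorder.slice().reverse();
  const dom = new Map();
  for (const b of rpo) dom.set(b, b === root ? new Set([root]) : new Set(rpo));
  let changed = true;
  while (changed) {
    changed = false;
    for (const b of rpo) {
      if (b === root) continue;
      // dom(b) = {b} ∪ intersection of dom(p) over reachable predecessors p.
      let meet = null;
      for (const p of preds.get(b)) {
        if (!dom.has(p)) continue; // predecessor unreachable from this root
        meet = meet === null
          ? new Set(dom.get(p))
          : new Set([...meet].filter((x) => dom.get(p).has(x)));
      }
      const next = meet === null ? new Set() : meet;
      next.add(b);
      const cur = dom.get(b);
      if (next.size !== cur.size || [...next].some((x) => !cur.has(x))) {
        dom.set(b, next);
        changed = true;
      }
    }
  }
  return dom;
}

// CPSCFG-style wrapper: synthesize a root with an edge to every entrypoint
// so the single-root algorithm above covers all entrypoints unchanged.
const FAKE_ROOT = "fakeRoot"; // constructed name, not JSC's
function dominatorsWithFakeRoot(blocks, succ, entrypoints) {
  const allBlocks = [FAKE_ROOT, ...blocks];
  const allSucc = new Map(succ);
  allSucc.set(FAKE_ROOT, [...entrypoints]);
  return computeDominators(allBlocks, allSucc, FAKE_ROOT);
}

// Single root A: C is never visited and D looks dominated by A and B.
const singleRoot = computeDominators(BLOCKS, SUCC, "A");
// Fake root over both entrypoints: D is dominated only by itself and the root.
const multiEntry = dominatorsWithFakeRoot(BLOCKS, SUCC, ["A", "C"]);
```

        With only A as the root, the catch block C is invisible and the join block D
        appears to be dominated by A and B; that is the wrong conclusion a phase would
        draw if it treated Graph::block(0) as the sole root. Through the fake root, D is
        dominated by nothing but itself and the synthetic root, which is the correct
        answer once both entrypoints count.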
359 2017-08-25  Keith Miller  <keith_miller@apple.com>
360
361         Explore increasing max JSString::m_length to UINT_MAX.
362         https://bugs.webkit.org/show_bug.cgi?id=163955
363         <rdar://problem/32001499>
364
365         Reviewed by JF Bastien.
366
367         This can cause us to release assert on some code paths. I don't
368         see a reason to maintain this restriction.
369
370         * runtime/JSString.h:
371         (JSC::JSString::length const):
372         (JSC::JSString::setLength):
373         (JSC::JSString::isValidLength): Deleted.
374         * runtime/JSStringBuilder.h:
375         (JSC::jsMakeNontrivialString):
376
377 2017-08-24  Commit Queue  <commit-queue@webkit.org>
378
379         Unreviewed, rolling out r221119, r221124, and r221143.
380         https://bugs.webkit.org/show_bug.cgi?id=175973
381
382         "I think it regressed JSBench by 20%" (Requested by saamyjoon
383         on #webkit).
384
385         Reverted changesets:
386
387         "Support compiling catch in the DFG"
388         https://bugs.webkit.org/show_bug.cgi?id=174590
389         http://trac.webkit.org/changeset/221119
390
391         "Unreviewed, build fix in GTK port"
392         https://bugs.webkit.org/show_bug.cgi?id=174590
393         http://trac.webkit.org/changeset/221124
394
395         "DFG::JITCode::osrEntry should get sorted since we perform a
396         binary search on it"
397         https://bugs.webkit.org/show_bug.cgi?id=175893
398         http://trac.webkit.org/changeset/221143
399
400 2017-08-24  Michael Saboff  <msaboff@apple.com>
401
402         Enable moving fixed character class terms after fixed character terms for BMP only character classes
403         https://bugs.webkit.org/show_bug.cgi?id=175958
404
405         Reviewed by Saam Barati.
406
407         Currently we don't perform the reordering optimization of fixed character terms that
408         follow fixed character class terms for Unicode patterns.
409
410         This change allows that reordering when the character class contains only BMP
411         characters.
412
413         This fix is covered by existing tests.
414
415         * yarr/YarrJIT.cpp:
416         (JSC::Yarr::YarrGenerator::optimizeAlternative):
417
418 2017-08-24  Michael Saboff  <msaboff@apple.com>
419
420         Add support for RegExp "dotAll" flag
421         https://bugs.webkit.org/show_bug.cgi?id=175924
422
423         Reviewed by Keith Miller.
424
425         The dotAll RegExp flag, 's', changes . to match any character including line terminators.
426         Added the "dotAll" identifier as well as the RegExp.prototype.dotAll getter.
427         Added a new any-character CharacterClass that is used to match . terms in a dotAll-flagged
428         RegExp.  In the YARR pattern and parsing code, changed the NewlineClassID, which was only
429         used for '.' processing, to DotClassID.  The selection of which builtin character class
430         that DotClassID resolves to when generating the pattern is conditional on the dotAll flag.
431         This NewlineClassID to DotClassID refactoring includes the atomBuiltInCharacterClass() in
432         the WebCore content extensions code in the PatternParser class.
433
434         As an optimization, the Yarr JIT actually doesn't perform match checks against the builtin
435         any character CharacterClass, it merely reads the character.  There is another optimization
436         in our DotStart enclosure processing where a non-capturing regular expression in the form
437         of .*<expression>.*, with optional leading ^ and/or trailing $, match the contained
438         expression and then look for the extents of the surrounding .*'s.  When used with the
439         dotAll flag, that processing always results in the beginning of the string and the end
440         of the string.  Therefore we short-circuit finding the beginning and end of the line
441         or string with dotAll patterns.
442
443         * bytecode/BytecodeDumper.cpp:
444         (JSC::regexpToSourceString):
445         * runtime/CommonIdentifiers.h:
446         * runtime/RegExp.cpp:
447         (JSC::regExpFlags):
448         (JSC::RegExpFunctionalTestCollector::outputOneTest):
449         * runtime/RegExp.h:
450         * runtime/RegExpKey.h:
451         * runtime/RegExpPrototype.cpp:
452         (JSC::RegExpPrototype::finishCreation):
453         (JSC::flagsString):
454         (JSC::regExpProtoGetterDotAll):
455         * yarr/YarrInterpreter.cpp:
456         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
457         * yarr/YarrInterpreter.h:
458         (JSC::Yarr::BytecodePattern::dotAll const):
459         * yarr/YarrJIT.cpp:
460         (JSC::Yarr::YarrGenerator::optimizeAlternative):
461         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
462         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
463         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
464         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
465         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
466         * yarr/YarrParser.h:
467         (JSC::Yarr::Parser::parseTokens):
468         * yarr/YarrPattern.cpp:
469         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
470         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
471         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
472         (JSC::Yarr::YarrPattern::YarrPattern):
473         (JSC::Yarr::PatternTerm::dump):
474         (JSC::Yarr::anycharCreate):
475         * yarr/YarrPattern.h:
476         (JSC::Yarr::YarrPattern::reset):
477         (JSC::Yarr::YarrPattern::anyCharacterClass):
478         (JSC::Yarr::YarrPattern::dotAll const):
479
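        The behaviour the entry above describes, as an added example that is not part of the
        ChangeLog and not JavaScriptCore's own code: it observes the 's' flag and the
        RegExp.prototype.dotAll getter from script, and shows why a dotAll pattern of the form
        .*<expression>.* always spans the whole input rather than one line. The helper names
        and the sample input are constructed.

```javascript
// Added example, not JavaScriptCore code. Exercises the 's' (dotAll) flag
// from script. Helper names and sample input are constructed.

// ECMAScript line terminators: LF, CR, LINE SEPARATOR, PARAGRAPH SEPARATOR.
const LINE_TERMINATORS = ["\n", "\r", "\u2028", "\u2029"];

// For a given flags string, return which line terminators '.' matches.
// Without 's' this is empty; with 's' it is all four.
function dotMatchesTerminators(flags) {
  const re = new RegExp("^.$", flags);
  return LINE_TERMINATORS.filter((ch) => re.test(ch));
}

// Read back the dotAll getter and the canonical flags string.
function describeRegExp(re) {
  return { dotAll: re.dotAll, flags: re.flags, source: re.source };
}

// Run a .*<inner>.* pattern with and without dotAll on multi-line input and
// return the matched extents. Without 's', '.' stops at line terminators so
// the match is confined to one line; with 's' it spans the entire string.
function extentWithAndWithoutDotAll(input, inner) {
  const withoutS = new RegExp(".*" + inner + ".*");
  const withS = new RegExp(".*" + inner + ".*", "s");
  const a = withoutS.exec(input);
  const b = withS.exec(input);
  return { withoutS: a ? a[0] : null, withS: b ? b[0] : null };
}

// Constructed sample input: three lines, the target on the middle one.
const SAMPLE = "line1\nfoo bar\nline3";
const SAMPLE_EXTENTS = extentWithAndWithoutDotAll(SAMPLE, "bar");
```

        The extents on the sample input show the short-circuit the entry mentions: with
        dotAll, the surrounding .*'s always reach the beginning and the end of the string,
        so there is no line boundary left to search for.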
480 2017-08-23  Filip Pizlo  <fpizlo@apple.com>
481
482         Reduce Gigacage sizes
483         https://bugs.webkit.org/show_bug.cgi?id=175920
484
485         Reviewed by Mark Lam.
486
487         Teach all of the code generators to use the right gigacage masks.
488
489         Also teach Wasm that it has much less memory for signaling memories. With 32GB, we have room for 7 signaling memories. But if
490         we actually did that, then we'd have no memory left for anything else. So, this caps us at 4 signaling memories.
491
492         * ftl/FTLLowerDFGToB3.cpp:
493         (JSC::FTL::DFG::LowerDFGToB3::caged):
494         * jit/AssemblyHelpers.h:
495         (JSC::AssemblyHelpers::cage):
496         (JSC::AssemblyHelpers::cageConditionally):
497         * llint/LowLevelInterpreter64.asm:
498         * runtime/Options.h:
499
500 2017-08-24  Saam Barati  <sbarati@apple.com>
501
502         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
503         https://bugs.webkit.org/show_bug.cgi?id=175893
504
505         Reviewed by Mark Lam.
506
507         * dfg/DFGJITCode.cpp:
508         (JSC::DFG::JITCode::finalizeOSREntrypoints):
509         * dfg/DFGJITCode.h:
510         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
511         * dfg/DFGSpeculativeJIT.cpp:
512         (JSC::DFG::SpeculativeJIT::linkOSREntries):
513
514 2017-08-23  Keith Miller  <keith_miller@apple.com>
515
516         Fix Titzer bench on iOS.
517         https://bugs.webkit.org/show_bug.cgi?id=175917
518
519         Reviewed by Ryosuke Niwa.
520
521         Currently, Titzer bench doesn't run on iOS since the benchmark
522         allocates lots of physical pages that it never actually writes
523         to. We limited the total number of wasm physical pages to the RAM
524         size of the phone, which caused us to fail a memory
525         allocation. This patch changes it so we will allocate up to 3x RAM
526         size, which seems to fix the problem.
527
528         * wasm/WasmMemory.cpp:
529
530 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
531
532         Unreviewed, fix for test262
533         https://bugs.webkit.org/show_bug.cgi?id=175915
534
535         * runtime/MapPrototype.cpp:
536         (JSC::MapPrototype::finishCreation):
537         * runtime/SetPrototype.cpp:
538         (JSC::SetPrototype::finishCreation):
539
540 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
541
542         Unreviewed, build fix in GTK port
543         https://bugs.webkit.org/show_bug.cgi?id=174590
544
545         * bytecompiler/BytecodeGenerator.cpp:
546         (JSC::BytecodeGenerator::emitCatch):
547         * bytecompiler/BytecodeGenerator.h:
548
549 2017-08-23  Saam Barati  <sbarati@apple.com>
550
551         Support compiling catch in the DFG
552         https://bugs.webkit.org/show_bug.cgi?id=174590
553
554         Reviewed by Filip Pizlo.
555
556         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
557         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
558         
559         To implement catch in the DFG, this patch introduces the concept of multiple
560         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
561         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
562         patch contains many straightforward changes generalizing the code to handle more than
563         one entrypoint.
564         
565         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
566         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
567         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
568         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
569         and SSANaturalLoops vs CPSNaturalLoops.
570         
571         The way we compile the catch entrypoint is by bootstrapping the state
572         of the program by loading all live bytecode locals from a buffer. The OSR
573         entry code will store all live values into that buffer before jumping to
574         the entrypoint. The OSR entry code is also responsible for performing type
575         proofs of the arguments before doing an OSR entry. If there is a type
576         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
577         each catch entrypoint knows the argument type proofs it must perform to enter
578         into the DFG. Currently, all entrypoints' argument flush formats are unified
579         via ArgumentPosition, but this is just an implementation detail. The code is
580         written more generally to assume that each entrypoint may perform its own distinct
581         proof.
582         
583         op_catch now performs value profiling for all live bytecode locals in the
584         LLInt and baseline JIT. This information is then fed into the DFG via the
585         ExtractCatchLocal node in the prediction propagation phase.
586         
587         This patch also changes how we generate op_catch in bytecode. All op_catches
588         are now split out at the end of the program in bytecode. This ensures that
589         no op_catch is inside a try block. This is needed to ensure correctness in
590         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
591         before SetLocals inside a try block. If an op_catch were in a try block, this
592         would cause the phase to insert a Flush before one of the state bootstrapping
593         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
594         its own at the end of a bytecode stream seemed like the most elegant solution since
595         it better represents that we treat op_catch as an entrypoint. This is true
596         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
597         via normal control flow. Because op_catch cannot throw, this will not break
598         any previous semantics of op_catch. Logically, it'd be valid to split try
599         blocks around any non-throwing bytecode operation.
600
601         * CMakeLists.txt:
602         * JavaScriptCore.xcodeproj/project.pbxproj:
603         * bytecode/BytecodeDumper.cpp:
604         (JSC::BytecodeDumper<Block>::dumpBytecode):
605         * bytecode/BytecodeList.json:
606         * bytecode/BytecodeUseDef.h:
607         (JSC::computeUsesForBytecodeOffset):
608         * bytecode/CodeBlock.cpp:
609         (JSC::CodeBlock::finishCreation):
610         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
611         (JSC::CodeBlock::validate):
612         * bytecode/CodeBlock.h:
613         * bytecode/ValueProfile.h:
614         (JSC::ValueProfile::ValueProfile):
615         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
616         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
617         (JSC::ValueProfileAndOperandBuffer::forEach):
618         * bytecompiler/BytecodeGenerator.cpp:
619         (JSC::BytecodeGenerator::generate):
620         (JSC::BytecodeGenerator::BytecodeGenerator):
621         (JSC::BytecodeGenerator::emitCatch):
622         (JSC::BytecodeGenerator::emitEnumeration):
623         * bytecompiler/BytecodeGenerator.h:
624         * bytecompiler/NodesCodegen.cpp:
625         (JSC::TryNode::emitBytecode):
626         * dfg/DFGAbstractInterpreterInlines.h:
627         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
628         * dfg/DFGBackwardsCFG.h:
629         (JSC::DFG::BackwardsCFG::BackwardsCFG):
630         * dfg/DFGBasicBlock.cpp:
631         (JSC::DFG::BasicBlock::BasicBlock):
632         * dfg/DFGBasicBlock.h:
633         (JSC::DFG::BasicBlock::findTerminal const):
634         * dfg/DFGByteCodeParser.cpp:
635         (JSC::DFG::ByteCodeParser::setDirect):
636         (JSC::DFG::ByteCodeParser::flush):
637         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
638         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
639         (JSC::DFG::ByteCodeParser::parseBlock):
640         (JSC::DFG::ByteCodeParser::parseCodeBlock):
641         (JSC::DFG::ByteCodeParser::parse):
642         * dfg/DFGCFG.h:
643         (JSC::DFG::CFG::root):
644         (JSC::DFG::CFG::roots):
645         (JSC::DFG::CPSCFG::CPSCFG):
646         (JSC::DFG::selectCFG):
647         * dfg/DFGCPSRethreadingPhase.cpp:
648         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
649         * dfg/DFGCSEPhase.cpp:
650         * dfg/DFGClobberize.h:
651         (JSC::DFG::clobberize):
652         * dfg/DFGControlEquivalenceAnalysis.h:
653         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
654         * dfg/DFGDCEPhase.cpp:
655         (JSC::DFG::DCEPhase::run):
656         * dfg/DFGDisassembler.cpp:
657         (JSC::DFG::Disassembler::createDumpList):
658         * dfg/DFGDoesGC.cpp:
659         (JSC::DFG::doesGC):
660         * dfg/DFGDominators.h:
661         (JSC::DFG::Dominators::Dominators):
662         (JSC::DFG::ensureDominatorsForCFG):
663         * dfg/DFGEdgeDominates.h:
664         (JSC::DFG::EdgeDominates::EdgeDominates):
665         (JSC::DFG::EdgeDominates::operator()):
666         * dfg/DFGFixupPhase.cpp:
667         (JSC::DFG::FixupPhase::fixupNode):
668         (JSC::DFG::FixupPhase::fixupChecksInBlock):
669         * dfg/DFGFlushFormat.h:
670         * dfg/DFGGraph.cpp:
671         (JSC::DFG::Graph::Graph):
672         (JSC::DFG::unboxLoopNode):
673         (JSC::DFG::Graph::dumpBlockHeader):
674         (JSC::DFG::Graph::dump):
675         (JSC::DFG::Graph::determineReachability):
676         (JSC::DFG::Graph::invalidateCFG):
677         (JSC::DFG::Graph::blocksInPreOrder):
678         (JSC::DFG::Graph::blocksInPostOrder):
679         (JSC::DFG::Graph::ensureCPSDominators):
680         (JSC::DFG::Graph::ensureSSADominators):
681         (JSC::DFG::Graph::ensureCPSNaturalLoops):
682         (JSC::DFG::Graph::ensureSSANaturalLoops):
683         (JSC::DFG::Graph::ensureBackwardsCFG):
684         (JSC::DFG::Graph::ensureBackwardsDominators):
685         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
686         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
687         (JSC::DFG::Graph::clearCPSCFGData):
688         (JSC::DFG::Graph::ensureDominators): Deleted.
689         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
690         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
691         * dfg/DFGGraph.h:
692         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
693         (JSC::DFG::Graph::isEntrypoint const):
694         * dfg/DFGInPlaceAbstractState.cpp:
695         (JSC::DFG::InPlaceAbstractState::initialize):
696         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
697         * dfg/DFGJITCode.cpp:
698         (JSC::DFG::JITCode::shrinkToFit):
699         * dfg/DFGJITCode.h:
700         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
701         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
702         (JSC::DFG::JITCode::appendCatchEntrypoint):
703         * dfg/DFGJITCompiler.cpp:
704         (JSC::DFG::JITCompiler::compile):
705         (JSC::DFG::JITCompiler::compileFunction):
706         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
707         (JSC::DFG::JITCompiler::noticeOSREntry):
708         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
709         * dfg/DFGJITCompiler.h:
710         * dfg/DFGLICMPhase.cpp:
711         (JSC::DFG::LICMPhase::run):
712         (JSC::DFG::LICMPhase::attemptHoist):
713         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
714         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
715         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
716         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
717         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
718         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
719         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
720         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
721         (JSC::DFG::createPreHeader):
722         (JSC::DFG::LoopPreHeaderCreationPhase::run):
723         * dfg/DFGMaximalFlushInsertionPhase.cpp:
724         (JSC::DFG::MaximalFlushInsertionPhase::run):
725         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
726         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
727         * dfg/DFGMayExit.cpp:
728         * dfg/DFGNaturalLoops.h:
729         (JSC::DFG::NaturalLoops::NaturalLoops):
730         * dfg/DFGNode.h:
731         (JSC::DFG::Node::isSwitch const):
732         (JSC::DFG::Node::successor):
733         (JSC::DFG::Node::catchOSREntryIndex const):
734         (JSC::DFG::Node::catchLocalPrediction):
735         (JSC::DFG::Node::isSwitch): Deleted.
736         * dfg/DFGNodeType.h:
737         * dfg/DFGOSREntry.cpp:
738         (JSC::DFG::prepareCatchOSREntry):
739         * dfg/DFGOSREntry.h:
740         * dfg/DFGOSREntrypointCreationPhase.cpp:
741         (JSC::DFG::OSREntrypointCreationPhase::run):
742         * dfg/DFGOSRExitCompilerCommon.cpp:
743         (JSC::DFG::handleExitCounts):
744         * dfg/DFGObjectAllocationSinkingPhase.cpp:
745         * dfg/DFGPlan.cpp:
746         (JSC::DFG::Plan::compileInThreadImpl):
747         * dfg/DFGPrePostNumbering.cpp:
748         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
749         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
750         (WTF::printInternal): Deleted.
751         * dfg/DFGPrePostNumbering.h:
752         (): Deleted.
753         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
754         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
755         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
756         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
757         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
758         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
759         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
760         * dfg/DFGPredictionInjectionPhase.cpp:
761         (JSC::DFG::PredictionInjectionPhase::run):
762         * dfg/DFGPredictionPropagationPhase.cpp:
763         * dfg/DFGPutStackSinkingPhase.cpp:
764         * dfg/DFGSSACalculator.cpp:
765         (JSC::DFG::SSACalculator::nonLocalReachingDef):
766         (JSC::DFG::SSACalculator::reachingDefAtTail):
767         * dfg/DFGSSACalculator.h:
768         (JSC::DFG::SSACalculator::computePhis):
769         * dfg/DFGSSAConversionPhase.cpp:
770         (JSC::DFG::SSAConversionPhase::run):
771         (JSC::DFG::performSSAConversion):
772         * dfg/DFGSafeToExecute.h:
773         (JSC::DFG::safeToExecute):
774         * dfg/DFGSpeculativeJIT.cpp:
775         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
776         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
777         (JSC::DFG::SpeculativeJIT::createOSREntries):
778         (JSC::DFG::SpeculativeJIT::linkOSREntries):
779         * dfg/DFGSpeculativeJIT32_64.cpp:
780         (JSC::DFG::SpeculativeJIT::compile):
781         * dfg/DFGSpeculativeJIT64.cpp:
782         (JSC::DFG::SpeculativeJIT::compile):
783         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
784         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
785         * dfg/DFGStrengthReductionPhase.cpp:
786         (JSC::DFG::StrengthReductionPhase::handleNode):
787         * dfg/DFGTierUpCheckInjectionPhase.cpp:
788         (JSC::DFG::TierUpCheckInjectionPhase::run):
789         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
790         * dfg/DFGTypeCheckHoistingPhase.cpp:
791         (JSC::DFG::TypeCheckHoistingPhase::run):
792         * dfg/DFGValidate.cpp:
793         * ftl/FTLLink.cpp:
794         (JSC::FTL::link):
795         * ftl/FTLLowerDFGToB3.cpp:
796         (JSC::FTL::DFG::LowerDFGToB3::lower):
797         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
798         (JSC::FTL::DFG::LowerDFGToB3::isValid):
799         * jit/JIT.h:
800         * jit/JITInlines.h:
801         (JSC::JIT::callOperation):
802         * jit/JITOpcodes.cpp:
803         (JSC::JIT::emit_op_catch):
804         * jit/JITOpcodes32_64.cpp:
805         (JSC::JIT::emit_op_catch):
806         * jit/JITOperations.cpp:
807         * jit/JITOperations.h:
808         * llint/LLIntSlowPaths.cpp:
809         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
810         * llint/LLIntSlowPaths.h:
811         * llint/LowLevelInterpreter32_64.asm:
812         * llint/LowLevelInterpreter64.asm:
813
814 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
815
816         Unreviewed, debug build fix
817         https://bugs.webkit.org/show_bug.cgi?id=174355
818
819         * ftl/FTLLowerDFGToB3.cpp:
820         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
821
822 2017-08-23  Michael Saboff  <msaboff@apple.com>
823
824         REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137
825         https://bugs.webkit.org/show_bug.cgi?id=175903
826
827         Reviewed by Saam Barati.
828
829         In generateCharacterClassGreedy we were incrementing the "count" register before checking
830         for the end of the input string.  The at-end-of-input check is the final check before
831         knowing that the current character matched.  In this case, the end-of-input check
832         indicates that we ran out of prechecked characters and therefore should fail the match of
833         the current character.  The backtracking code uses the value in the "count" register as
834         the number of characters that successfully matched, which shouldn't include the current
835         character.  Therefore we need to move the incrementing of "count" to after the
836         at-end-of-input check.
837
838         Through code inspection of the expectations of other backtracking code, I determined that
839         the non-greedy character class matching code had a similar issue.  I fixed that as well
840         and added a new test case.
841
842         * yarr/YarrJIT.cpp:
843         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
844         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
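
        The following is an added illustration, not code from WebKit or from this patch: a small
        JavaScript model of the greedy character-class loop and the backtracking that follows it,
        showing why the "count" register may only be incremented after the at-end-of-input check.
        The matcher, its function names (greedyClassMatch, matchGreedyClassThenLiteral, demo) and
        the sample inputs are all constructed for the illustration; Yarr's real code is JIT-generated
        from yarr/YarrJIT.cpp and is not reproduced here.

```javascript
// Added example, not JavaScriptCore code: a JavaScript model of the greedy
// character-class loop and the backtracking that follows it, as described in
// the entry above. `count` plays the role of Yarr's "count" register: the
// number of characters the class has matched so far. All function and
// parameter names here are invented for the illustration.

// Greedy loop. Every check that can reject the current character, with the
// at-end-of-input check last of all, runs before `count` is incremented, so
// `count` never includes a character that did not actually match.
function greedyClassMatch(input, start, isInClass, maxCount) {
  let count = 0;
  let index = start;
  while (count < maxCount) {
    if (index >= input.length) break;               // at end of input: this character fails
    if (!isInClass(input.charCodeAt(index))) break;  // not in the class: this character fails
    count++;                                        // only now has the character matched
    index++;
  }
  return { count, index };
}

// Backtracking relies on count === index - start. It gives matched characters
// back one at a time until the continuation succeeds or nothing is left. If
// `count` were one too large (incremented before the end-of-input check), the
// last step would move `index` before `start`, i.e. outside the characters
// the loop was allowed to examine.
function matchGreedyClassThenLiteral(input, start, isInClass, minCount, maxCount, literal) {
  let { count, index } = greedyClassMatch(input, start, isInClass, maxCount);
  if (count !== index - start) throw new Error("count must equal the number of matched characters");
  for (;;) {
    // Continuation: one literal character after the class.
    if (index < input.length && input[index] === literal) {
      return { matched: true, classCount: count, end: index + 1 };
    }
    if (count === minCount) return { matched: false };
    count--;                                        // give back one matched character
    index--;
  }
}

const isLower = (c) => c >= 0x61 && c <= 0x7a;       // [a-z]

// Constructed inputs. "xyza" against the equivalent of /^[a-z]*a/: the class
// greedily eats the whole string, the literal fails at end of input, and one
// backtrack step lands on the final "a".
function demo() {
  return {
    backtrackOnce: matchGreedyClassThenLiteral("xyza", 0, isLower, 0, Infinity, "a"),
    noMatch: matchGreedyClassThenLiteral("xyz", 0, isLower, 0, Infinity, "a"),
    bounded: matchGreedyClassThenLiteral("aaaa", 0, isLower, 0, 2, "a"), // like /^[a-z]{0,2}a/
  };
}
```

        With count kept equal to the number of characters consumed, giving characters back during
        backtracking stops exactly at the starting position; the invariant check at the top of
        matchGreedyClassThenLiteral is where a count that already includes the unmatched current
        character would be caught.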
845
846 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
847
848         [JSC] Optimize Map iteration with intrinsic
849         https://bugs.webkit.org/show_bug.cgi?id=174355
850
851         Reviewed by Saam Barati.
852
853         This patch optimizes Map/Set iteration by taking an approach similar to Array iteration.
854         We create a simple iterator object instead of JSMapIterator and JSSetIterator, and we
855         directly handle Map/Set buckets in JS builtins. We carefully create mapIteratorNext and
856         setIteratorNext functions which should be inlined. This leads to a significant performance
857         boost when they are inlined in for-of iteration.
858
859         This patch changes how the DFG and FTL handle a MapBucket if the bucket is not found.
860         Previously, we used nullptr for that, and the DFG and FTL specially handled this nullptr as a bucket.
861         Instead, this patch introduces sentinel buckets. They are marked as deleted and are not linked
862         to any hash map, and their key and value fields are filled with Undefined. By returning this
863         sentinel bucket instead of returning nullptr, we simplify the DFG's and FTL's LoadXXXFromMapBucket
864         code.
865
866         We still keep JSMapIterator and JSSetIterator because they are useful for serializing Map and Set
867         in WebCore. So they are not used in user-observable JS. We change them from JS objects to JS cells.
868
869         Existing microbenchmarks show performance improvements.
870
871         large-map-iteration                           164.1622+-4.1618     ^     56.6284+-1.5355        ^ definitely 2.8989x faster
872         set-for-of                                     15.4369+-1.0631     ^      9.2955+-0.5979        ^ definitely 1.6607x faster
873         map-for-each                                    7.5889+-0.5792     ^      6.3011+-0.4816        ^ definitely 1.2044x faster
874         map-for-of                                     32.3904+-1.3003     ^     12.6907+-0.6118        ^ definitely 2.5523x faster
875         map-rehash                                     13.9275+-0.9187     ^     11.5367+-0.6430        ^ definitely 1.2072x faster
876
877         * CMakeLists.txt:
878         * DerivedSources.make:
879         * builtins/ArrayPrototype.js:
880         (globalPrivate.createArrayIterator):
881         * builtins/BuiltinNames.h:
882         * builtins/MapIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
883         (globalPrivate.mapIteratorNext):
884         (next):
885         * builtins/MapPrototype.js:
886         (globalPrivate.createMapIterator):
887         (values):
888         (keys):
889         (entries):
890         (forEach):
891         * builtins/SetIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
892         (globalPrivate.setIteratorNext):
893         (next):
894         * builtins/SetPrototype.js:
895         (globalPrivate.createSetIterator):
896         (values):
897         (entries):
898         (forEach):
899         * bytecode/BytecodeIntrinsicRegistry.cpp:
900         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
901         * bytecode/BytecodeIntrinsicRegistry.h:
902         * bytecode/SpeculatedType.h:
903         * dfg/DFGAbstractInterpreterInlines.h:
904         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
905         * dfg/DFGByteCodeParser.cpp:
906         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
907         * dfg/DFGClobberize.h:
908         (JSC::DFG::clobberize):
909         * dfg/DFGDoesGC.cpp:
910         (JSC::DFG::doesGC):
911         * dfg/DFGFixupPhase.cpp:
912         (JSC::DFG::FixupPhase::fixupNode):
913         * dfg/DFGHeapLocation.cpp:
914         (WTF::printInternal):
915         * dfg/DFGHeapLocation.h:
916         * dfg/DFGNode.h:
917         (JSC::DFG::Node::hasHeapPrediction):
918         (JSC::DFG::Node::hasBucketOwnerType):
919         (JSC::DFG::Node::bucketOwnerType):
920         (JSC::DFG::Node::OpInfoWrapper::as const):
921         * dfg/DFGNodeType.h:
922         * dfg/DFGOperations.cpp:
923         * dfg/DFGPredictionPropagationPhase.cpp:
924         * dfg/DFGSafeToExecute.h:
925         (JSC::DFG::safeToExecute):
926         * dfg/DFGSpeculativeJIT.cpp:
927         (JSC::DFG::SpeculativeJIT::compileGetMapBucketHead):
928         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
929         (JSC::DFG::SpeculativeJIT::compileLoadKeyFromMapBucket):
930         (JSC::DFG::SpeculativeJIT::compileLoadValueFromMapBucket):
931         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr): Deleted.
932         * dfg/DFGSpeculativeJIT.h:
933         * dfg/DFGSpeculativeJIT32_64.cpp:
934         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
935         (JSC::DFG::SpeculativeJIT::compile):
936         * dfg/DFGSpeculativeJIT64.cpp:
937         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
938         (JSC::DFG::SpeculativeJIT::compile):
939         * ftl/FTLAbstractHeapRepository.h:
940         * ftl/FTLCapabilities.cpp:
941         (JSC::FTL::canCompile):
942         * ftl/FTLLowerDFGToB3.cpp:
943         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
944         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
945         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketHead):
946         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
947         (JSC::FTL::DFG::LowerDFGToB3::compileLoadValueFromMapBucket):
948         (JSC::FTL::DFG::LowerDFGToB3::compileLoadKeyFromMapBucket):
949         (JSC::FTL::DFG::LowerDFGToB3::setStorage):
950         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket): Deleted.
951         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket): Deleted.
952         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket): Deleted.
953         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket): Deleted.
954         * inspector/JSInjectedScriptHost.cpp:
955         (Inspector::JSInjectedScriptHost::subtype):
956         (Inspector::JSInjectedScriptHost::getInternalProperties):
957         (Inspector::cloneMapIteratorObject):
958         (Inspector::cloneSetIteratorObject):
959         (Inspector::JSInjectedScriptHost::iteratorEntries):
960         * runtime/HashMapImpl.h:
961         (JSC::HashMapBucket::createSentinel):
962         (JSC::HashMapBucket::offsetOfNext):
963         (JSC::HashMapBucket::offsetOfDeleted):
964         (JSC::HashMapImpl::offsetOfHead):
965         * runtime/Intrinsic.cpp:
966         (JSC::intrinsicName):
967         * runtime/Intrinsic.h:
968         * runtime/JSGlobalObject.cpp:
969         (JSC::JSGlobalObject::init):
970         * runtime/JSGlobalObject.h:
971         * runtime/JSMap.h:
972         * runtime/JSMapIterator.cpp:
973         (JSC::JSMapIterator::clone): Deleted.
974         * runtime/JSMapIterator.h:
975         (JSC::JSMapIterator::iteratedValue const):
976         * runtime/JSSet.h:
977         * runtime/JSSetIterator.cpp:
978         (JSC::JSSetIterator::clone): Deleted.
979         * runtime/JSSetIterator.h:
980         (JSC::JSSetIterator::iteratedValue const):
981         * runtime/MapConstructor.cpp:
982         (JSC::mapPrivateFuncMapBucketHead):
983         (JSC::mapPrivateFuncMapBucketNext):
984         (JSC::mapPrivateFuncMapBucketKey):
985         (JSC::mapPrivateFuncMapBucketValue):
986         * runtime/MapConstructor.h:
987         * runtime/MapIteratorPrototype.cpp:
988         (JSC::MapIteratorPrototype::finishCreation):
989         (JSC::MapIteratorPrototypeFuncNext): Deleted.
990         * runtime/MapPrototype.cpp:
991         (JSC::MapPrototype::finishCreation):
992         (JSC::mapProtoFuncValues): Deleted.
993         (JSC::mapProtoFuncEntries): Deleted.
994         (JSC::mapProtoFuncKeys): Deleted.
995         (JSC::privateFuncMapIterator): Deleted.
996         (JSC::privateFuncMapIteratorNext): Deleted.
997         * runtime/MapPrototype.h:
998         * runtime/SetConstructor.cpp:
999         (JSC::setPrivateFuncSetBucketHead):
1000         (JSC::setPrivateFuncSetBucketNext):
1001         (JSC::setPrivateFuncSetBucketKey):
1002         * runtime/SetConstructor.h:
1003         * runtime/SetIteratorPrototype.cpp:
1004         (JSC::SetIteratorPrototype::finishCreation):
1005         (JSC::SetIteratorPrototypeFuncNext): Deleted.
1006         * runtime/SetPrototype.cpp:
1007         (JSC::SetPrototype::finishCreation):
1008         (JSC::setProtoFuncSize):
1009         (JSC::setProtoFuncValues): Deleted.
1010         (JSC::setProtoFuncEntries): Deleted.
1011         (JSC::privateFuncSetIterator): Deleted.
1012         (JSC::privateFuncSetIteratorNext): Deleted.
1013         * runtime/SetPrototype.h:
1014         * runtime/VM.cpp:
1015         (JSC::VM::VM):
1016         * runtime/VM.h:
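
        The following is an added illustration, not code from WebKit or from this patch: a JavaScript
        model of the bucket chain and the sentinel bucket described above. Buckets are plain objects
        here, a JS Map stands in for the hash table, and the names (SentinelBucket, OrderedHashMap,
        bucketNext, makeMapIterator, demo) are invented; JSC's buckets are C++ objects reached from the
        builtins through private intrinsics.

```javascript
// Added example, not JavaScriptCore code: a JavaScript model of the bucket
// chain and the sentinel bucket described in the entry above. In JSC the
// buckets are C++ objects reached from the builtins through private
// intrinsics; here they are plain objects, and every name (SentinelBucket,
// OrderedHashMap, bucketNext, makeMapIterator) is invented for the
// illustration.

// The sentinel: marked deleted, linked to nothing, key and value undefined.
// It is a real bucket, so a caller may load key/value from it without a null
// check; testing `deleted` is enough to know the walk is over.
const SentinelBucket = Object.freeze({ key: undefined, value: undefined, deleted: true, next: null });

class OrderedHashMap {
  constructor() {
    this.head = { key: undefined, value: undefined, deleted: true, next: null }; // dummy head
    this.tail = this.head;
    this.lookup = new Map(); // stand-in for the hash table: key -> bucket
  }
  set(key, value) {
    const existing = this.lookup.get(key);
    if (existing) { existing.value = value; return this; }
    const bucket = { key, value, deleted: false, next: null };
    this.tail.next = bucket;
    this.tail = bucket;
    this.lookup.set(key, bucket);
    return this;
  }
  delete(key) {
    const bucket = this.lookup.get(key);
    if (!bucket) return false;
    // Mark, do not unlink: a suspended iterator may still point at this bucket.
    bucket.deleted = true;
    bucket.key = bucket.value = undefined;
    this.lookup.delete(key);
    return true;
  }
  // Counterpart of bucketNext: the next live bucket, or the sentinel.
  static bucketNext(bucket) {
    for (let b = bucket.next; b !== null; b = b.next) {
      if (!b.deleted) return b;
    }
    return SentinelBucket;
  }
}

// Counterpart of the mapIteratorNext builtin: advance, and report done when
// the sentinel comes back. There is no nullptr special case anywhere.
function makeMapIterator(map) {
  let bucket = map.head;
  return {
    next() {
      bucket = OrderedHashMap.bucketNext(bucket);
      if (bucket.deleted) return { value: undefined, done: true }; // the sentinel
      return { value: [bucket.key, bucket.value], done: false };
    },
    [Symbol.iterator]() { return this; },
  };
}

// Constructed scenario: delete the entry the iterator is resting on, then add
// one, while iteration is suspended.
function demo() {
  const m = new OrderedHashMap().set("a", 1).set("b", 2).set("c", 3);
  const it = makeMapIterator(m);
  const first = it.next().value;  // ["a", 1]
  const second = it.next().value; // ["b", 2]; the iterator now rests on "b"
  m.delete("b");
  m.set("d", 4);
  const rest = [...it];           // [["c", 3], ["d", 4]]
  return { first, second, rest, doneStaysDone: it.next().done };
}
```

        Once the walk has reached the sentinel, bucketNext keeps returning it, so repeated next()
        calls stay done without any extra state; deleted buckets keep their next pointer, which is
        what lets an iterator resting on a deleted entry continue safely.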
1017
1018 2017-08-23  David Kilzer  <ddkilzer@apple.com>
1019
1020         Fix -Wcast-qual warnings in JavaScriptCore with new clang compiler
1021         <https://webkit.org/b/175889>
1022         <rdar://problem/33667497>
1023
1024         Reviewed by Mark Lam.
1025
1026         * API/ObjCCallbackFunction.mm:
1027         (JSC::objCCallbackFunctionCallAsConstructor): Use
1028         const_cast<JSObjectRef>() since JSValueRef is const while
1029         JSObjectRef is not.
1030         * API/tests/CurrentThisInsideBlockGetterTest.mm:
1031         (+[JSValue valueWithConstructorDescriptor:inContext:]): Use
1032         const_cast<void*>() since JSObjectMake() takes a void*, but
1033         CFBridgingRetain() returns const void*.
1034
1035 2017-08-23  Robin Morisset  <rmorisset@apple.com>
1036
1037         Make GetDynamicVar propagate heap predictions instead of saying HeapTop
1038         https://bugs.webkit.org/show_bug.cgi?id=175738
1039
1040         Reviewed by Saam Barati.
1041
1042         The heap prediction always ends up in m_opInfo2. But GetDynamicVar was already storing getPutInfo in there.
1043         So we move that one into m_opInfo. We can do this because it is 32-bit, and the already present identifierNumber
1044         is also 32-bit, so we can pack both into m_opInfo (which is 64 bits).
1045
1046         * dfg/DFGByteCodeParser.cpp:
1047         (JSC::DFG::makeDynamicVarOpInfo):
1048         (JSC::DFG::ByteCodeParser::parseBlock):
1049         * dfg/DFGNode.h:
1050         (JSC::DFG::Node::getPutInfo):
1051         (JSC::DFG::Node::hasHeapPrediction):
1052         * dfg/DFGPredictionPropagationPhase.cpp:
1053
1054 2017-08-23  Skachkov Oleksandr  <gskachkov@gmail.com>
1055
1056         [ESNext] Async iteration - Implement Async Generator - runtime
1057         https://bugs.webkit.org/show_bug.cgi?id=175240
1058
1059         Reviewed by Yusuke Suzuki.
1060
1061         The current implementation is a draft version of Async Iteration.
1062         Link to spec: https://tc39.github.io/proposal-async-iteration/
1063
1064         To implement async generators, new states were added that show the reason why an async generator was suspended:
1065         # yield - return a promise with the result
1066         # await - wait until the promise is resolved and then continue
1067
1068         The main difference between an async function and an async generator is that
1069         an async function returns a promise but an async generator returns an
1070         object with methods (next, throw and return) that return a promise that
1071         can be resolved with a pair of properties, value and done.
1072         Async generator functions are similar to generator functions, with the following differences:
1073         # When called, async generator functions return an object, an async generator,
1074         whose methods (next, throw, and return) return promises for { value, done },
1075         instead of directly returning { value, done }.
1076         This automatically makes the returned async generator objects async iterators.
1077         # await expressions and for-await-of statements are allowed.
1078         # The behavior of yield* is modified to support
1079           delegation to sync and async iterables.
1080
1081         * CMakeLists.txt:
1082         * DerivedSources.make:
1083         * JavaScriptCore.xcodeproj/project.pbxproj:
1084         * builtins/AsyncFromSyncIteratorPrototype.js: Added.
1085         (next.try):
1086         (next):
1087         (return.try):
1088         (return):
1089         (throw.try):
1090         (throw):
1091         (globalPrivate.createAsyncFromSyncIterator):
1092         (globalPrivate.AsyncFromSyncIteratorConstructor):
1093         * builtins/AsyncGeneratorPrototype.js: Added.
1094         (globalPrivate.createAsyncGeneratorQueue):
1095         (globalPrivate.asyncGeneratorQueueIsEmpty):
1096         (globalPrivate.asyncGeneratorQueueCreateItem):
1097         (globalPrivate.asyncGeneratorQueueEnqueue):
1098         (globalPrivate.asyncGeneratorQueueDequeue):
1099         (globalPrivate.asyncGeneratorQueueGetFirstValue):
1100         (globalPrivate.asyncGeneratorDequeue):
1101         (globalPrivate.isExecutionState):
1102         (globalPrivate.isSuspendYieldState):
1103         (globalPrivate.asyncGeneratorReject):
1104         (globalPrivate.asyncGeneratorResolve):
1105         (asyncGeneratorYieldAwaited):
1106         (globalPrivate.asyncGeneratorYield):
1107         (const.onRejected):
1108         (globalPrivate.awaitValue):
1109         (const.onFulfilled):
1110         (globalPrivate.doAsyncGeneratorBodyCall):
1111         (globalPrivate.asyncGeneratorResumeNext.):
1112         (globalPrivate.asyncGeneratorResumeNext):
1113         (globalPrivate.asyncGeneratorEnqueue):
1114         (next):
1115         (return):
1116         (throw):
1117         * builtins/AsyncIteratorPrototype.js: Added.
1118         (symbolAsyncIteratorGetter):
1119         * builtins/BuiltinNames.h:
1120         * bytecode/BytecodeDumper.cpp:
1121         (JSC::BytecodeDumper<Block>::dumpBytecode):
1122         * bytecode/BytecodeIntrinsicRegistry.cpp:
1123         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1124         * bytecode/BytecodeIntrinsicRegistry.h:
1125         * bytecode/BytecodeList.json:
1126         * bytecode/BytecodeUseDef.h:
1127         (JSC::computeUsesForBytecodeOffset):
1128         (JSC::computeDefsForBytecodeOffset):
1129         * bytecompiler/BytecodeGenerator.cpp:
1130         (JSC::BytecodeGenerator::BytecodeGenerator):
1131         (JSC::BytecodeGenerator::emitCreateAsyncGeneratorQueue):
1132         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
1133         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
1134         (JSC::BytecodeGenerator::emitNewFunction):
1135         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
1136         (JSC::BytecodeGenerator::emitIteratorClose):
1137         (JSC::BytecodeGenerator::emitYieldPoint):
1138         (JSC::BytecodeGenerator::emitYield):
1139         (JSC::BytecodeGenerator::emitCallIterator):
1140         (JSC::BytecodeGenerator::emitAwait):
1141         (JSC::BytecodeGenerator::emitGetIterator):
1142         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1143         (JSC::BytecodeGenerator::emitDelegateYield):
1144         * bytecompiler/BytecodeGenerator.h:
1145         * bytecompiler/NodesCodegen.cpp:
1146         (JSC::ReturnNode::emitBytecode):
1147         (JSC::FunctionNode::emitBytecode):
1148         (JSC::YieldExprNode::emitBytecode):
1149         (JSC::AwaitExprNode::emitBytecode):
1150         * dfg/DFGAbstractInterpreterInlines.h:
1151         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1152         * dfg/DFGByteCodeParser.cpp:
1153         (JSC::DFG::ByteCodeParser::parseBlock):
1154         * dfg/DFGCapabilities.cpp:
1155         (JSC::DFG::capabilityLevel):
1156         * dfg/DFGClobberize.h:
1157         (JSC::DFG::clobberize):
1158         * dfg/DFGClobbersExitState.cpp:
1159         (JSC::DFG::clobbersExitState):
1160         * dfg/DFGDoesGC.cpp:
1161         (JSC::DFG::doesGC):
1162         * dfg/DFGFixupPhase.cpp:
1163         (JSC::DFG::FixupPhase::fixupNode):
1164         * dfg/DFGMayExit.cpp:
1165         * dfg/DFGNode.h:
1166         (JSC::DFG::Node::convertToPhantomNewFunction):
1167         (JSC::DFG::Node::convertToPhantomNewAsyncGeneratorFunction):
1168         (JSC::DFG::Node::hasCellOperand):
1169         (JSC::DFG::Node::isFunctionAllocation):
1170         (JSC::DFG::Node::isPhantomFunctionAllocation):
1171         (JSC::DFG::Node::isPhantomAllocation):
1172         * dfg/DFGNodeType.h:
1173         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1174         * dfg/DFGPredictionPropagationPhase.cpp:
1175         * dfg/DFGSafeToExecute.h:
1176         (JSC::DFG::safeToExecute):
1177         * dfg/DFGSpeculativeJIT.cpp:
1178         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1179         * dfg/DFGSpeculativeJIT32_64.cpp:
1180         (JSC::DFG::SpeculativeJIT::compile):
1181         * dfg/DFGSpeculativeJIT64.cpp:
1182         (JSC::DFG::SpeculativeJIT::compile):
1183         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1184         * dfg/DFGValidate.cpp:
1185         * ftl/FTLCapabilities.cpp:
1186         (JSC::FTL::canCompile):
1187         * ftl/FTLLowerDFGToB3.cpp:
1188         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1189         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1190         * ftl/FTLOperations.cpp:
1191         (JSC::FTL::operationPopulateObjectInOSR):
1192         (JSC::FTL::operationMaterializeObjectInOSR):
1193         * jit/JIT.cpp:
1194         (JSC::JIT::privateCompileMainPass):
1195         * jit/JIT.h:
1196         * jit/JITOpcodes.cpp:
1197         (JSC::JIT::emitNewFuncCommon):
1198         (JSC::JIT::emit_op_new_async_generator_func):
1199         (JSC::JIT::emit_op_new_async_func):
1200         (JSC::JIT::emitNewFuncExprCommon):
1201         (JSC::JIT::emit_op_new_async_generator_func_exp):
1202         * jit/JITOperations.cpp:
1203         * jit/JITOperations.h:
1204         * llint/LLIntSlowPaths.cpp:
1205         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1206         * llint/LLIntSlowPaths.h:
1207         * llint/LowLevelInterpreter.asm:
1208         * parser/ASTBuilder.h:
1209         (JSC::ASTBuilder::createFunctionMetadata):
1210         * runtime/AsyncFromSyncIteratorPrototype.cpp: Added.
1211         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
1212         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
1213         (JSC::AsyncFromSyncIteratorPrototype::create):
1214         * runtime/AsyncFromSyncIteratorPrototype.h: Added.
1215         (JSC::AsyncFromSyncIteratorPrototype::createStructure):
1216         * runtime/AsyncGeneratorFunctionConstructor.cpp: Added.
1217         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
1218         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
1219         (JSC::callAsyncGeneratorFunctionConstructor):
1220         (JSC::constructAsyncGeneratorFunctionConstructor):
1221         (JSC::AsyncGeneratorFunctionConstructor::getCallData):
1222         (JSC::AsyncGeneratorFunctionConstructor::getConstructData):
1223         * runtime/AsyncGeneratorFunctionConstructor.h: Added.
1224         (JSC::AsyncGeneratorFunctionConstructor::create):
1225         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
1226         * runtime/AsyncGeneratorFunctionPrototype.cpp: Added.
1227         (JSC::AsyncGeneratorFunctionPrototype::AsyncGeneratorFunctionPrototype):
1228         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
1229         * runtime/AsyncGeneratorFunctionPrototype.h: Added.
1230         (JSC::AsyncGeneratorFunctionPrototype::create):
1231         (JSC::AsyncGeneratorFunctionPrototype::createStructure):
1232         * runtime/AsyncGeneratorPrototype.cpp: Added.
1233         (JSC::AsyncGeneratorPrototype::finishCreation):
1234         * runtime/AsyncGeneratorPrototype.h: Added.
1235         (JSC::AsyncGeneratorPrototype::create):
1236         (JSC::AsyncGeneratorPrototype::createStructure):
1237         (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype):
1238         * runtime/AsyncIteratorPrototype.cpp: Added.
1239         (JSC::AsyncIteratorPrototype::finishCreation):
1240         * runtime/AsyncIteratorPrototype.h: Added.
1241         (JSC::AsyncIteratorPrototype::create):
1242         (JSC::AsyncIteratorPrototype::createStructure):
1243         (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype):
1244         * runtime/CommonIdentifiers.h:
1245         * runtime/FunctionConstructor.cpp:
1246         (JSC::constructFunctionSkippingEvalEnabledCheck):
1247         * runtime/FunctionConstructor.h:
1248         * runtime/FunctionExecutable.h:
1249         * runtime/JSAsyncGeneratorFunction.cpp: Added.
1250         (JSC::JSAsyncGeneratorFunction::JSAsyncGeneratorFunction):
1251         (JSC::JSAsyncGeneratorFunction::createImpl):
1252         (JSC::JSAsyncGeneratorFunction::create):
1253         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1254         * runtime/JSAsyncGeneratorFunction.h: Added.
1255         (JSC::JSAsyncGeneratorFunction::allocationSize):
1256         (JSC::JSAsyncGeneratorFunction::createStructure):
1257         * runtime/JSFunction.cpp:
1258         (JSC::JSFunction::getOwnPropertySlot):
1259         * runtime/JSGlobalObject.cpp:
1260         (JSC::JSGlobalObject::init):
1261         (JSC::JSGlobalObject::visitChildren):
1262         * runtime/JSGlobalObject.h:
1263         (JSC::JSGlobalObject::asyncIteratorPrototype const):
1264         (JSC::JSGlobalObject::asyncGeneratorPrototype const):
1265         (JSC::JSGlobalObject::asyncGeneratorFunctionPrototype const):
1266         (JSC::JSGlobalObject::asyncGeneratorFunctionStructure const):
1267         * runtime/Options.h:
1268
1269 2017-08-22  Michael Saboff  <msaboff@apple.com>
1270
1271         Implement Unicode RegExp support in the YARR JIT
1272         https://bugs.webkit.org/show_bug.cgi?id=174646
1273
1274         Reviewed by Filip Pizlo.
1275
1276         This support is only implemented for 64 bit platforms.  It wouldn't be too hard to add support
1277         for 32 bit platforms with a reasonable number of spare registers.  This code slightly refactors
1278         register usage to reduce the number of callee save registers used for non-Unicode expressions.
1279         For Unicode expressions, there are several more registers used to store constant values for
1280         processing surrogate pairs as well as discerning whether a character belongs to the Basic
1281         Multilingual Plane (BMP) or one of the Supplemental Planes.
1282
1283         This implements JIT support for Unicode expressions very similar to how the interpreter works.
1284         Just like in the interpreter, backtracking code uses more space on the stack to save positions.
1285         Moved the BackTrackInfo* structs to YarrPattern as separate functions.  Added xxxIndex()
1286         functions to each of these to simplify how the JIT code reads and writes the structure fields.
1287
1288         Given that reading surrogate pairs and transforming them into a single code point takes a
1289         little processing, the code that implements reading a Unicode character is implemented as a
1290         leaf function added to the end of the JIT'ed code.  The calling convention for
1291         "tryReadUnicodeCharacterHelper()" is non-standard given that the rest of the code assumes
1292         that argument values stay in argument registers for most of the generated code.
1293         That helper takes the starting character address in one register, regUnicodeInputAndTrail,
1294         and uses another dedicated temporary register, regUnicodeTemp.  The result is typically
1295         returned in regT0.  If another return register is requested, we'll create an inline copy of
1296         that function.
1297
1298         Added a new flag to CharacterClass to signify if a class has non-BMP characters.  This flag
1299         is used in optimizeAlternative() where we swap the order of a fixed character class term with
1300         a fixed character term that immediately follows it.  Since the non-BMP character class may
1301         increment "index" when matching, that must be done first before trying to match a fixed
1302         character term later in the string.
1303
1304         Given the usefulness of the LEA instruction on X86 to create a single pointer value from a
1305         base with index and offset, which the YARR JIT uses heavily, I added a new macroAssembler
1306         function, getEffectiveAddress64(), with an ARM64 implementation.  It just calls x86Lea64()
1307         on X86-64.  Also added an ImplicitAddress version of load16Unaligned().
1308
1309         (JSC::MacroAssemblerARM64::load16Unaligned):
1310         (JSC::MacroAssemblerARM64::getEffectiveAddress64):
1311         * assembler/MacroAssemblerX86Common.h:
1312         (JSC::MacroAssemblerX86Common::load16Unaligned):
1313         (JSC::MacroAssemblerX86Common::load16):
1314         * assembler/MacroAssemblerX86_64.h:
1315         (JSC::MacroAssemblerX86_64::getEffectiveAddress64):
1316         * create_regex_tables:
1317         * runtime/RegExp.cpp:
1318         (JSC::RegExp::compile):
1319         * yarr/YarrInterpreter.cpp:
1320         * yarr/YarrJIT.cpp:
1321         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1322         (JSC::Yarr::YarrGenerator::matchCharacterClass):
1323         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1324         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
1325         (JSC::Yarr::YarrGenerator::readCharacter):
1326         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
1327         (JSC::Yarr::YarrGenerator::matchAssertionWordchar):
1328         (JSC::Yarr::YarrGenerator::generateAssertionWordBoundary):
1329         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1330         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
1331         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
1332         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterGreedy):
1333         (JSC::Yarr::YarrGenerator::generatePatternCharacterNonGreedy):
1334         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
1335         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1336         (JSC::Yarr::YarrGenerator::backtrackCharacterClassOnce):
1337         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1338         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1339         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
1340         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
1341         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1342         (JSC::Yarr::YarrGenerator::generate):
1343         (JSC::Yarr::YarrGenerator::backtrack):
1344         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
1345         (JSC::Yarr::YarrGenerator::generateEnter):
1346         (JSC::Yarr::YarrGenerator::generateReturn):
1347         (JSC::Yarr::YarrGenerator::YarrGenerator):
1348         (JSC::Yarr::YarrGenerator::compile):
1349         * yarr/YarrJIT.h:
1350         * yarr/YarrPattern.cpp:
1351         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1352         (JSC::Yarr::CharacterClassConstructor::reset):
1353         (JSC::Yarr::CharacterClassConstructor::charClass):
1354         (JSC::Yarr::CharacterClassConstructor::addSorted):
1355         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1356         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
1357         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
1358         * yarr/YarrPattern.h:
1359         (JSC::Yarr::CharacterClass::CharacterClass):
1360         (JSC::Yarr::BackTrackInfoPatternCharacter::beginIndex):
1361         (JSC::Yarr::BackTrackInfoPatternCharacter::matchAmountIndex):
1362         (JSC::Yarr::BackTrackInfoCharacterClass::beginIndex):
1363         (JSC::Yarr::BackTrackInfoCharacterClass::matchAmountIndex):
1364         (JSC::Yarr::BackTrackInfoBackReference::beginIndex):
1365         (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):
1366         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
1367         (JSC::Yarr::BackTrackInfoParentheticalAssertion::beginIndex):
1368         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
1369         (JSC::Yarr::BackTrackInfoParenthesesTerminal::beginIndex):
1370
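The Unicode read and the class-ordering rule described in the entry above, as an added model (not YARR's code): a UTF-16 read that consumes one or two code units, and a character class carrying the non-BMP flag that decides whether the fixed-character term may be tested first. All names are assumptions; the sample input is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Read one code point from UTF-16 input at `index` and advance `index` by the
// number of code units consumed: two for a valid surrogate pair, otherwise one
// (a lone surrogate is returned unchanged).
uint32_t tryReadUnicodeChar(const std::vector<uint16_t>& input, size_t& index)
{
    uint32_t lead = input[index++];
    if (lead >= 0xD800 && lead <= 0xDBFF && index < input.size()) {
        uint32_t trail = input[index];
        if (trail >= 0xDC00 && trail <= 0xDFFF) {
            ++index;
            return 0x10000 + ((lead - 0xD800) << 10) + (trail - 0xDC00);
        }
    }
    return lead;
}

bool isNonBMP(uint32_t codePoint) { return codePoint > 0xFFFF; }

// Minimal character class: inclusive code-point ranges plus the flag that tells
// the alternative optimizer the class may consume two code units.
struct CharacterClass {
    std::vector<std::pair<uint32_t, uint32_t>> ranges;
    bool hasNonBMPCharacters = false;

    void addRange(uint32_t lo, uint32_t hi)
    {
        ranges.emplace_back(lo, hi);
        if (isNonBMP(hi))
            hasNonBMPCharacters = true;
    }
    bool contains(uint32_t c) const
    {
        for (const auto& r : ranges)
            if (c >= r.first && c <= r.second)
                return true;
        return false;
    }
};

// Match "<class><fixedChar>" at `index` with the class term first: the position
// of the fixed character is known only after the class has advanced `index`.
bool matchClassThenChar(const CharacterClass& cls, uint16_t fixedChar,
                        const std::vector<uint16_t>& input, size_t index)
{
    if (index >= input.size())
        return false;
    uint32_t c = tryReadUnicodeChar(input, index);
    if (!cls.contains(c))
        return false;
    return index < input.size() && input[index] == fixedChar;
}

// The swapped order that is only valid for BMP-only classes: test the cheap
// fixed character first, assuming the class consumes exactly one unit. With a
// non-BMP class this compares against the trail surrogate instead.
bool matchCharThenClassAssumingBMP(const CharacterClass& cls, uint16_t fixedChar,
                                   const std::vector<uint16_t>& input, size_t index)
{
    if (index + 1 >= input.size() || input[index + 1] != fixedChar)
        return false;
    uint32_t c = tryReadUnicodeChar(input, index);
    return cls.contains(c);
}

// The decision the new flag drives: swapping is safe only for BMP-only classes.
bool canSwapClassAndFixedChar(const CharacterClass& cls) { return !cls.hasNonBMPCharacters; }

// Constructed input: U+1F600 (surrogate pair D83D DE00) followed by 'a'.
static const std::vector<uint16_t> sampleInput = { 0xD83D, 0xDE00, 0x0061 };

// Constructed class covering the (non-BMP) Emoticons block.
CharacterClass emojiClass()
{
    CharacterClass cls;
    cls.addRange(0x1F600, 0x1F64F);
    return cls;
}

uint32_t readAt(const std::vector<uint16_t>& input, size_t index)
{
    return tryReadUnicodeChar(input, index);
}

size_t unitsConsumedAt(const std::vector<uint16_t>& input, size_t index)
{
    size_t start = index;
    tryReadUnicodeChar(input, index);
    return index - start;
}
```
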
1371 2017-08-22  Per Arne Vollan  <pvollan@apple.com>
1372
1373         Implement 64-bit MacroAssembler::probe support for Windows.
1374         https://bugs.webkit.org/show_bug.cgi?id=175724
1375
1376         Reviewed by Mark Lam.
1377
1378         This is needed to enable the DFG. MSVC no longer supports inline assembly
1379         for 64-bit, which means we have to put the code in an asm file.
1380
1381         * assembler/MacroAssemblerX86Common.cpp:
1382         (JSC::booleanTrueForAvoidingNoReturnDeclaration): Deleted.
1383         * jit/JITStubsMSVC64.asm:
1384
1385 2017-08-22  Devin Rousso  <webkit@devinrousso.com>
1386
1387         Web Inspector: provide way for ShaderPrograms to be enabled/disabled
1388         https://bugs.webkit.org/show_bug.cgi?id=175400
1389
1390         Reviewed by Matt Baker.
1391
1392         * inspector/protocol/Canvas.json:
1393         Add `setShaderProgramDisabled` command that sets the `disabled` flag on the given shader
1394         program to the supplied boolean value. If this value is true, calls to `drawArrays` and
1395         `drawElements` when that program is in use will have no effect.
1396
1397 2017-08-22  Keith Miller  <keith_miller@apple.com>
1398
1399         Unreviewed, fix Windows build... for realz.
1400
1401         * CMakeLists.txt:
1402
1403 2017-08-22  Saam Barati  <sbarati@apple.com>
1404
1405         We are using valueProfileForBytecodeOffset when there may not be a value profile
1406         https://bugs.webkit.org/show_bug.cgi?id=175812
1407
1408         Reviewed by Michael Saboff.
1409
1410         This patch uses the type system to aid the code around CodeBlock's ValueProfile
1411         accessor methods. valueProfileForBytecodeOffset used to return ValueProfile*,
1412         so there were callers of this that thought it could return nullptr when there
1413         was no such ValueProfile. This was not the case, it always returned a non-null
1414         pointer. This patch changes valueProfileForBytecodeOffset to return ValueProfile&
1415         and adds a new tryGetValueProfileForBytecodeOffset method that returns ValueProfile*
1416         and does the right thing if there is no such ValueProfile.
1417
1418         This patch also changes the other ValueProfile accessors on CodeBlock to
1419         return ValueProfile& instead of ValueProfile*. Some callers handled the null
1420         case unnecessarily, and using the type system to specify the result can't be
1421         null removes these useless branches.
1422
1423         * bytecode/CodeBlock.cpp:
1424         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1425         (JSC::CodeBlock::dumpValueProfiles):
1426         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1427         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1428         (JSC::CodeBlock::validate):
1429         * bytecode/CodeBlock.h:
1430         (JSC::CodeBlock::valueProfileForArgument):
1431         (JSC::CodeBlock::valueProfile):
1432         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
1433         (JSC::CodeBlock::getFromAllValueProfiles):
1434         * dfg/DFGByteCodeParser.cpp:
1435         (JSC::DFG::ByteCodeParser::handleInlining):
1436         * dfg/DFGGraph.cpp:
1437         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1438         * dfg/DFGPredictionInjectionPhase.cpp:
1439         (JSC::DFG::PredictionInjectionPhase::run):
1440         * jit/JIT.h:
1441         * jit/JITInlines.h:
1442         (JSC::JIT::emitValueProfilingSite):
1443         * profiler/ProfilerBytecodeSequence.cpp:
1444         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1445         * tools/HeapVerifier.cpp:
1446         (JSC::HeapVerifier::validateJSCell):
1447
1448 2017-08-22  Keith Miller  <keith_miller@apple.com>
1449
1450         Unreviewed, fix Windows build... maybe.
1451
1452         * CMakeLists.txt:
1453
1454 2017-08-22  Keith Miller  <keith_miller@apple.com>
1455
1456         Unreviewed, fix cloop build.
1457
1458         * JavaScriptCore.xcodeproj/project.pbxproj:
1459
1460 2017-08-22  Per Arne Vollan  <pvollan@apple.com>
1461
1462         [Win][Release] Crash when running testmasm executable.
1463         https://bugs.webkit.org/show_bug.cgi?id=175772
1464
1465         Reviewed by Mark Lam.
1466
1467         We need to save and restore the modified registers in case one or more registers are callee saved
1468         on the relevant platforms.
1469
1470         * assembler/testmasm.cpp:
1471         (JSC::testProbeReadsArgumentRegisters):
1472         (JSC::testProbeWritesArgumentRegisters):
1473
1474 2017-08-21  Mark Lam  <mark.lam@apple.com>
1475
1476         Change probe code to use static_assert instead of COMPILE_ASSERT.
1477         https://bugs.webkit.org/show_bug.cgi?id=175762
1478
1479         Reviewed by JF Bastien.
1480
1481         * assembler/MacroAssemblerARM.cpp:
1482         * assembler/MacroAssemblerARM64.cpp:
1483         (JSC::MacroAssembler::probe): Deleted.
1484         * assembler/MacroAssemblerARMv7.cpp:
1485         * assembler/MacroAssemblerX86Common.cpp:
1486
1487 2017-08-21  Keith Miller  <keith_miller@apple.com>
1488
1489         Make generate_offset_extractor.rb architectures argument more robust
1490         https://bugs.webkit.org/show_bug.cgi?id=175809
1491
1492         Reviewed by Joseph Pecoraro.
1493
1494         It turns out that some of our builders pass their architectures as
1495         space separated lists.  I decided to just make the splitting of
1496         our list robust to any reasonable combination of spaces and
1497         commas.
1498
1499         * offlineasm/generate_offset_extractor.rb:
1500
1501 2017-08-21  Keith Miller  <keith_miller@apple.com>
1502
1503         Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
1504         https://bugs.webkit.org/show_bug.cgi?id=175690
1505
1506         Reviewed by Michael Saboff.
1507
1508         This should reduce some of the time we spend building offline asm
1509         in our builds (except for linux since they already did this).
1510
1511         * CMakeLists.txt:
1512         * JavaScriptCore.xcodeproj/project.pbxproj:
1513         * offlineasm/backends.rb:
1514         * offlineasm/generate_offset_extractor.rb:
1515
1516 2017-08-20  Mark Lam  <mark.lam@apple.com>
1517
1518         Gardening: fix CLoop build.
1519         https://bugs.webkit.org/show_bug.cgi?id=175688
1520         <rdar://problem/33436870>
1521
1522         Not reviewed.
1523
1524         Make these files dependent on ENABLE(MASM_PROBE).
1525
1526         * assembler/ProbeContext.cpp:
1527         * assembler/ProbeContext.h:
1528         * assembler/ProbeStack.cpp:
1529         * assembler/ProbeStack.h:
1530
1531 2017-08-20  Mark Lam  <mark.lam@apple.com>
1532
1533         Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
1534         https://bugs.webkit.org/show_bug.cgi?id=175688
1535         <rdar://problem/33436870>
1536
1537         Reviewed by JF Bastien.
1538
1539         With this patch, the clients of the MacroAssembler::probe() can now change
1540         stack values without having to worry about whether there is enough room in the
1541         current stack frame for it or not.  This is done using the Probe::Context's stack
1542         member like so:
1543
1544             jit.probe([] (Probe::Context& context) {
1545                 auto cpu = context.cpu;
1546                 auto stack = context.stack();
1547                 uintptr_t* currentSP = cpu.sp<uintptr_t*>();
1548
1549                 // Get a value at the current stack pointer location.
1550                 auto value = stack.get<uintptr_t>(currentSP);
1551
1552                 // Set a value above the current stack pointer (within current frame).
1553                 stack.set<uintptr_t>(currentSP + 10, value);
1554
1555                 // Set a value below the current stack pointer (out of current frame).
1556                 stack.set<uintptr_t>(currentSP - 10, value);
1557
1558                 // Set the new stack pointer.
1559                 cpu.sp() = currentSP - 20;
1560             });
1561
1562         What happens behind the scene:
1563
1564         1. the generated JIT probe code will now call Probe::executeProbe(), and
1565            Probe::executeProbe() will in turn call the client's probe function.
1566
1567            Probe::executeProbe() receives the Probe::State on the machine stack passed
1568            to it by the probe trampoline.  Probe::executeProbe() will instantiate a
1569            Probe::Context to be passed to the client's probe function.  The client will
1570            no longer see the Probe::State directly.
1571
1572         2. The Probe::Context comes with a Probe::Stack which serves as a manager of
1573            stack pages.  Currently, each page is 1K in size.
1574            Probe::Context::stack() returns a reference to an instance of Probe::Stack.
1575
1576         3. Invoking get() or set() on Probe::Stack with an address will lead to the
1577            following:
1578
1579            a. the address will be decoded to a baseAddress that points to the 1K page
1580               that contains that address.
1581
1582            b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
1583               If so, go to step (f).  Else, continue with step (c).
1584
1585            c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
1586               for that specified baseAddress to this mirror page.
1587
1588            d. the mirror page will be added to the ProbeStack's m_pages HashMap,
1589               keyed on the baseAddress.
1590
1591            e. the ProbeStack will also cache the last baseAddress and its corresponding
1592               mirror page in use.  With memory accesses tending to be localized, this
1593               will save us from having to look up the page in the HashMap.
1594
1595            f. get() will map the requested address to a physical address in the mirror
1596               page, and return the value at that location.
1597
1598            g. set() will map the requested address to a physical address in the mirror
1599               page, and set the value at that location in the mirror page.
1600
1601               set() will also set a dirty bit corresponding to the "cache line" that
1602               was modified in the mirror page.
1603
1604         4. When the client's probe function returns, Probe::executeProbe() will check if
1605            there are stack changes that need to be applied.  If stack changes are needed:
1606
1607            a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
1608               space is available to flush the dirty stack pages.  It will also register a
1609               flushStackDirtyPages callback function in the Probe::State.  Thereafter,
1610               Probe::executeProbe() returns to the probe trampoline.
1611
1612            b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
1613               a safe place if needed, and then calls the flushStackDirtyPages callback
1614               if needed.
1615
1616            c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
1617               HashMap and flushes all dirty "cache lines" to the machine stack.
1618               Thereafter, flushStackDirtyPages() returns to the probe trampoline.
1619
1620            d. lastly, the probe trampoline will restore all register values and return
1621               to the pc set in the Probe::State.
1622
1623         To make this patch work, I also had to do the following work:
1624
1625         5. Refactor MacroAssembler::CPUState into Probe::CPUState.
1626            Mainly, this means moving the code over to ProbeContext.h.
1627            I also added some convenience accessor methods for spr registers.
1628
1629            Moved Probe::Context over to its own file ProbeContext.h/cpp.
1630
1631         6. Fix all probe trampolines to pass the address of Probe::executeProbe in
1632            addition to the client's probe function and arg.
1633
1634            I also took this opportunity to optimize the generated JIT probe code to
1635            minimize the amount of memory stores needed.
1636
1637         7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
1638            either lr or pc (or neither), but not both in the same probe invocation.
1639            The ARM64 probe trampoline used to have to check for this invariant in the
1640            assembly trampoline code.  With the introduction of Probe::executeProbe(),
1641            we can now do it there and simplify the trampoline.
1642
1643         8. Fix a bug in the old ARM64 probe trampoline for the case where the client
1644            changes lr.  That code path never worked before, but has now been fixed.
1645
1646         9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
1647            MacroAssemblerARMv7.
1648
1649            We can now use move() with TrustedImmPtr, and it does the same thing but in a
1650            more generic way.
1651
1652        10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
1653            the same semantics as movs (according to the Thumb spec).  This means these
1654            instructions may trash the APSR flags before we have a chance to preserve them.
1655
1656            This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
1657            early on.  This entails adding support for the mrs instruction in the
1658            ARMv7Assembler.
1659
1660        11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
1661            the easy way.
1662
1663            Also fixed testmasm tests which check flag registers to only compare the
1664            portions that are modifiable by the client, i.e. some masking is applied.
1665
1666         This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.
1667
1668         * CMakeLists.txt:
1669         * JavaScriptCore.xcodeproj/project.pbxproj:
1670         * assembler/ARMv7Assembler.h:
1671         (JSC::ARMv7Assembler::mrs):
1672         * assembler/AbstractMacroAssembler.h:
1673         * assembler/MacroAssembler.cpp:
1674         (JSC::stdFunctionCallback):
1675         (JSC::MacroAssembler::probe):
1676         * assembler/MacroAssembler.h:
1677         (JSC::MacroAssembler::CPUState::gprName): Deleted.
1678         (JSC::MacroAssembler::CPUState::sprName): Deleted.
1679         (JSC::MacroAssembler::CPUState::fprName): Deleted.
1680         (JSC::MacroAssembler::CPUState::gpr): Deleted.
1681         (JSC::MacroAssembler::CPUState::spr): Deleted.
1682         (JSC::MacroAssembler::CPUState::fpr): Deleted.
1683         (JSC:: const): Deleted.
1684         (JSC::MacroAssembler::CPUState::fpr const): Deleted.
1685         (JSC::MacroAssembler::CPUState::pc): Deleted.
1686         (JSC::MacroAssembler::CPUState::fp): Deleted.
1687         (JSC::MacroAssembler::CPUState::sp): Deleted.
1688         (JSC::MacroAssembler::CPUState::pc const): Deleted.
1689         (JSC::MacroAssembler::CPUState::fp const): Deleted.
1690         (JSC::MacroAssembler::CPUState::sp const): Deleted.
1691         (JSC::Probe::State::gpr): Deleted.
1692         (JSC::Probe::State::spr): Deleted.
1693         (JSC::Probe::State::fpr): Deleted.
1694         (JSC::Probe::State::gprName): Deleted.
1695         (JSC::Probe::State::sprName): Deleted.
1696         (JSC::Probe::State::fprName): Deleted.
1697         (JSC::Probe::State::pc): Deleted.
1698         (JSC::Probe::State::fp): Deleted.
1699         (JSC::Probe::State::sp): Deleted.
1700         * assembler/MacroAssemblerARM.cpp:
1701         (JSC::MacroAssembler::probe):
1702         * assembler/MacroAssemblerARM.h:
1703         (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
1704         * assembler/MacroAssemblerARM64.cpp:
1705         (JSC::MacroAssembler::probe):
1706         (JSC::arm64ProbeError): Deleted.
1707         * assembler/MacroAssemblerARMv7.cpp:
1708         (JSC::MacroAssembler::probe):
1709         * assembler/MacroAssemblerARMv7.h:
1710         (JSC::MacroAssemblerARMv7::armV7Condition):
1711         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
1712         * assembler/MacroAssemblerPrinter.cpp:
1713         (JSC::Printer::printCallback):
1714         * assembler/MacroAssemblerPrinter.h:
1715         * assembler/MacroAssemblerX86Common.cpp:
1716         (JSC::ctiMasmProbeTrampoline):
1717         (JSC::MacroAssembler::probe):
1718         * assembler/Printer.h:
1719         (JSC::Printer::Context::Context):
1720         * assembler/ProbeContext.cpp: Added.
1721         (JSC::Probe::executeProbe):
1722         (JSC::Probe::handleProbeStackInitialization):
1723         (JSC::Probe::probeStateForContext):
1724         * assembler/ProbeContext.h: Added.
1725         (JSC::Probe::CPUState::gprName):
1726         (JSC::Probe::CPUState::sprName):
1727         (JSC::Probe::CPUState::fprName):
1728         (JSC::Probe::CPUState::gpr):
1729         (JSC::Probe::CPUState::spr):
1730         (JSC::Probe::CPUState::fpr):
1731         (JSC::Probe:: const):
1732         (JSC::Probe::CPUState::fpr const):
1733         (JSC::Probe::CPUState::pc):
1734         (JSC::Probe::CPUState::fp):
1735         (JSC::Probe::CPUState::sp):
1736         (JSC::Probe::CPUState::pc const):
1737         (JSC::Probe::CPUState::fp const):
1738         (JSC::Probe::CPUState::sp const):
1739         (JSC::Probe::Context::Context):
1740         (JSC::Probe::Context::gpr):
1741         (JSC::Probe::Context::spr):
1742         (JSC::Probe::Context::fpr):
1743         (JSC::Probe::Context::gprName):
1744         (JSC::Probe::Context::sprName):
1745         (JSC::Probe::Context::fprName):
1746         (JSC::Probe::Context::pc):
1747         (JSC::Probe::Context::fp):
1748         (JSC::Probe::Context::sp):
1749         (JSC::Probe::Context::stack):
1750         (JSC::Probe::Context::hasWritesToFlush):
1751         (JSC::Probe::Context::releaseStack):
1752         * assembler/ProbeStack.cpp: Added.
1753         (JSC::Probe::Page::Page):
1754         (JSC::Probe::Page::flushWrites):
1755         (JSC::Probe::Stack::Stack):
1756         (JSC::Probe::Stack::hasWritesToFlush):
1757         (JSC::Probe::Stack::flushWrites):
1758         (JSC::Probe::Stack::ensurePageFor):
1759         * assembler/ProbeStack.h: Added.
1760         (JSC::Probe::Page::baseAddressFor):
1761         (JSC::Probe::Page::chunkAddressFor):
1762         (JSC::Probe::Page::baseAddress):
1763         (JSC::Probe::Page::get):
1764         (JSC::Probe::Page::set):
1765         (JSC::Probe::Page::hasWritesToFlush const):
1766         (JSC::Probe::Page::flushWritesIfNeeded):
1767         (JSC::Probe::Page::dirtyBitFor):
1768         (JSC::Probe::Page::physicalAddressFor):
1769         (JSC::Probe::Stack::Stack):
1770         (JSC::Probe::Stack::lowWatermark):
1771         (JSC::Probe::Stack::get):
1772         (JSC::Probe::Stack::set):
1773         (JSC::Probe::Stack::newStackPointer const):
1774         (JSC::Probe::Stack::setNewStackPointer):
1775         (JSC::Probe::Stack::isValid):
1776         (JSC::Probe::Stack::pageFor):
1777         * assembler/testmasm.cpp:
1778         (JSC::testProbeReadsArgumentRegisters):
1779         (JSC::testProbeWritesArgumentRegisters):
1780         (JSC::testProbePreservesGPRS):
1781         (JSC::testProbeModifiesStackPointer):
1782         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
1783         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1784         (JSC::testProbeModifiesProgramCounter):
1785         (JSC::testProbeModifiesStackValues):
1786         (JSC::run):
1787         (): Deleted.
1788         (JSC::fillStack): Deleted.
1789         (JSC::testProbeModifiesStackWithCallback): Deleted.
1790
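The mirror-page scheme in steps 3 and 4 of the entry above, as an added model that is not JavaScriptCore's code: pages are copied lazily on first access, get()/set() are redirected to the mirror, set() marks a dirty "cache line", and flushWrites() copies only dirty lines back. The 1K page size is from the ChangeLog; the 64-byte line, the single-entry page cache and all names are assumptions, and the machine stack is a constructed, page-aligned array.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <map>
#include <memory>

namespace ProbeModel {

constexpr size_t pageSize = 1024;
constexpr size_t chunkSize = 64;                     // one dirty bit per chunk
constexpr size_t chunksPerPage = pageSize / chunkSize;

// Mirror of one machine-stack page plus a dirty bit per chunk (steps c, f, g).
class Page {
public:
    static uintptr_t baseAddressFor(uintptr_t addr) { return addr & ~uintptr_t(pageSize - 1); }

    explicit Page(uintptr_t base) : m_base(base)
    {
        memcpy(m_mirror, reinterpret_cast<const void*>(base), pageSize); // step (c)
    }
    uintptr_t baseAddress() const { return m_base; }

    template<typename T> T get(uintptr_t addr)
    {
        T value;
        memcpy(&value, physicalAddressFor(addr), sizeof(T));
        return value;
    }
    template<typename T> void set(uintptr_t addr, T value)
    {
        memcpy(physicalAddressFor(addr), &value, sizeof(T));
        m_dirty |= dirtyBitFor(addr);                 // remember which chunk changed
    }
    bool hasWritesToFlush() const { return m_dirty != 0; }

    // Copy only the dirty chunks back to the machine stack; returns bytes written.
    size_t flushWrites()
    {
        size_t written = 0;
        for (size_t i = 0; i < chunksPerPage; ++i) {
            if (!(m_dirty & (uint32_t(1) << i)))
                continue;
            memcpy(reinterpret_cast<void*>(m_base + i * chunkSize), m_mirror + i * chunkSize, chunkSize);
            written += chunkSize;
        }
        m_dirty = 0;
        return written;
    }

private:
    // Assumes naturally aligned accesses, so a value never straddles two chunks.
    uint32_t dirtyBitFor(uintptr_t addr) const { return uint32_t(1) << ((addr - m_base) / chunkSize); }
    uint8_t* physicalAddressFor(uintptr_t addr) { return m_mirror + (addr - m_base); }

    uintptr_t m_base;
    uint32_t m_dirty = 0;
    uint8_t m_mirror[pageSize];
};

// Pages keyed on base address, plus the last-used page as a cache (steps b, d, e).
class Stack {
public:
    template<typename T> T get(const void* p)
    {
        uintptr_t addr = reinterpret_cast<uintptr_t>(p);
        return pageFor(addr).get<T>(addr);
    }
    template<typename T> void set(void* p, T value)
    {
        uintptr_t addr = reinterpret_cast<uintptr_t>(p);
        pageFor(addr).set<T>(addr, value);
    }
    size_t flushWrites()
    {
        size_t written = 0;
        for (auto& entry : m_pages)
            written += entry.second->flushWrites();
        return written;
    }
    size_t pageCount() const { return m_pages.size(); }

private:
    Page& pageFor(uintptr_t addr)
    {
        uintptr_t base = Page::baseAddressFor(addr);
        if (m_lastPage && m_lastPage->baseAddress() == base)
            return *m_lastPage;                       // step (e): cached page
        auto& slot = m_pages[base];
        if (!slot)
            slot.reset(new Page(base));               // steps (c)/(d): mirror and register
        m_lastPage = slot.get();
        return *m_lastPage;
    }
    std::map<uintptr_t, std::unique_ptr<Page>> m_pages;
    Page* m_lastPage = nullptr;
};

// Constructed stand-in for the machine stack, page-aligned like real stack pages.
alignas(pageSize) static uint8_t machineStack[4 * pageSize];

// Replay the client sequence from the ChangeLog (read at sp, write inside and
// below the frame) and return the bytes flushWrites() copied back, or 0 if the
// mirror semantics were violated.
size_t runProbeScenario()
{
    memset(machineStack, 0, sizeof(machineStack));
    uintptr_t* sp = reinterpret_cast<uintptr_t*>(machineStack + 2 * pageSize);
    *sp = 0x1234;

    Stack stack;
    uintptr_t value = stack.get<uintptr_t>(sp);
    stack.set<uintptr_t>(sp + 10, value);             // same page as sp
    stack.set<uintptr_t>(sp - 10, value);             // the page below sp
    if (sp[10] != 0 || sp[-10] != 0 || stack.pageCount() != 2)
        return 0;                                     // writes are not visible before the flush
    size_t flushed = stack.flushWrites();
    if (sp[10] != value || sp[-10] != value)
        return 0;                                     // now they are
    return flushed;                                   // two pages, one dirty chunk each
}

} // namespace ProbeModel
```
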
1791 2017-08-19  Andy Estes  <aestes@apple.com>
1792
1793         [Payment Request] Add interface stubs
1794         https://bugs.webkit.org/show_bug.cgi?id=175730
1795
1796         Reviewed by Youenn Fablet.
1797
1798         * runtime/CommonIdentifiers.h:
1799
1800 2017-08-18  Per Arne Vollan  <pvollan@apple.com>
1801
1802         Implement 32-bit MacroAssembler::probe support for Windows.
1803         https://bugs.webkit.org/show_bug.cgi?id=175449
1804
1805         Reviewed by Mark Lam.
1806
1807         This is needed to enable the DFG.
1808
1809         * assembler/MacroAssemblerX86Common.cpp:
1810         * assembler/testmasm.cpp:
1811         (JSC::run):
1812         (dllLauncherEntryPoint):
1813         * shell/CMakeLists.txt:
1814         * shell/PlatformWin.cmake:
1815
1816 2017-08-18  Mark Lam  <mark.lam@apple.com>
1817
1818         Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
1819         https://bugs.webkit.org/show_bug.cgi?id=175725
1820         <rdar://problem/33965477>
1821
1822         Rubber-stamped by JF Bastien.
1823
1824         This is purely a refactoring patch (in preparation for the introduction of a
1825         Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
1826         later).  This patch does not change any semantics / behavior.
1827
1828         * assembler/AbstractMacroAssembler.h:
1829         * assembler/MacroAssembler.cpp:
1830         (JSC::stdFunctionCallback):
1831         (JSC::MacroAssembler::probe):
1832         * assembler/MacroAssembler.h:
1833         (JSC::ProbeContext::gpr): Deleted.
1834         (JSC::ProbeContext::spr): Deleted.
1835         (JSC::ProbeContext::fpr): Deleted.
1836         (JSC::ProbeContext::gprName): Deleted.
1837         (JSC::ProbeContext::sprName): Deleted.
1838         (JSC::ProbeContext::fprName): Deleted.
1839         (JSC::ProbeContext::pc): Deleted.
1840         (JSC::ProbeContext::fp): Deleted.
1841         (JSC::ProbeContext::sp): Deleted.
1842         * assembler/MacroAssemblerARM.cpp:
1843         (JSC::MacroAssembler::probe):
1844         * assembler/MacroAssemblerARM.h:
1845         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1846         * assembler/MacroAssemblerARM64.cpp:
1847         (JSC::arm64ProbeError):
1848         (JSC::MacroAssembler::probe):
1849         * assembler/MacroAssemblerARMv7.cpp:
1850         (JSC::MacroAssembler::probe):
1851         * assembler/MacroAssemblerARMv7.h:
1852         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
1853         * assembler/MacroAssemblerPrinter.cpp:
1854         (JSC::Printer::printCallback):
1855         * assembler/MacroAssemblerPrinter.h:
1856         * assembler/MacroAssemblerX86Common.cpp:
1857         (JSC::MacroAssembler::probe):
1858         * assembler/Printer.h:
1859         (JSC::Printer::Context::Context):
1860         * assembler/testmasm.cpp:
1861         (JSC::testProbeReadsArgumentRegisters):
1862         (JSC::testProbeWritesArgumentRegisters):
1863         (JSC::testProbePreservesGPRS):
1864         (JSC::testProbeModifiesStackPointer):
1865         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
1866         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1867         (JSC::testProbeModifiesProgramCounter):
1868         (JSC::fillStack):
1869         (JSC::testProbeModifiesStackWithCallback):
1870         (JSC::run):
1871         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.
1872
1873 2017-08-17  JF Bastien  <jfbastien@apple.com>
1874
1875         WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
1876         https://bugs.webkit.org/show_bug.cgi?id=175693
1877         <rdar://problem/33952443>
1878
1879         Reviewed by Saam Barati.
1880
1881         64-bit constants in an unreachable context were being decoded as
1882         32-bit constants. This is pretty benign because unreachable code
1883         shouldn't occur often. The effect is that 64-bit constants which
1884         can't be encoded as 32-bit constants would cause the binary to be
1885         rejected.
1886
1887         At the same time, 32-bit integer constants should be decoded as signed.
1888
1889         * wasm/WasmFunctionParser.h:
1890         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
1891
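The two decoding mistakes named in the entry above, shown with an added signed LEB128 codec (the varint encoding WebAssembly uses for i32.const and i64.const immediates); this is illustrative code, not WebKit's WasmFunctionParser, and all names are assumptions. Decoding a 64-bit constant with the 32-bit routine rejects values outside the 32-bit range, and the 32-bit routine must sign-extend from the final group.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Decode a signed LEB128 value of `bits` (32 or 64) starting at `offset`.
// Returns false on truncation, on too many bytes, or when the result is out of
// range for the requested width.
bool decodeSignedVarint(const std::vector<uint8_t>& in, size_t& offset, unsigned bits, int64_t& out)
{
    const size_t maxBytes = (bits + 6) / 7;           // 5 for 32-bit, 10 for 64-bit
    uint64_t result = 0;
    unsigned shift = 0;
    uint8_t byte = 0;
    for (size_t count = 0; ; ++count) {
        if (offset >= in.size() || count >= maxBytes)
            return false;
        byte = in[offset++];
        result |= uint64_t(byte & 0x7f) << shift;
        shift += 7;
        if (!(byte & 0x80))
            break;
    }
    // Sign-extend from bit 6 of the last group; an unsigned decode skips this.
    if (shift < 64 && (byte & 0x40))
        result |= ~uint64_t(0) << shift;
    int64_t value = static_cast<int64_t>(result);
    if (bits == 32 && (value < INT32_MIN || value > INT32_MAX))
        return false;                                 // a 64-bit constant that does not fit
    out = value;
    return true;
}

// Encode as signed LEB128.
std::vector<uint8_t> encodeSignedVarint(int64_t value)
{
    std::vector<uint8_t> out;
    bool more = true;
    while (more) {
        uint8_t byte = value & 0x7f;
        value >>= 7;                                  // arithmetic shift keeps the sign
        more = !((value == 0 && !(byte & 0x40)) || (value == -1 && (byte & 0x40)));
        if (more)
            byte |= 0x80;
        out.push_back(byte);
    }
    return out;
}

// Encode `value`, then decode it with the `bits`-wide routine; true only when
// the decode succeeds, consumes every byte and reproduces `value`.
bool roundTrips(int64_t value, unsigned bits)
{
    std::vector<uint8_t> bytes = encodeSignedVarint(value);
    size_t offset = 0;
    int64_t decoded = 0;
    return decodeSignedVarint(bytes, offset, bits, decoded) && offset == bytes.size() && decoded == value;
}

// Decode constructed raw bytes and compare with an expected value.
bool decodesTo(const std::vector<uint8_t>& bytes, unsigned bits, int64_t expected)
{
    size_t offset = 0;
    int64_t decoded = 0;
    return decodeSignedVarint(bytes, offset, bits, decoded) && decoded == expected;
}
```
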
1892 2017-08-17  Robin Morisset  <rmorisset@apple.com>
1893
1894         Teach DFGFixupPhase.cpp that the current scope is always a cell
1895         https://bugs.webkit.org/show_bug.cgi?id=175610
1896
1897         Reviewed by Keith Miller.
1898
1899         Also teach it that the argument to with can usually be speculated to be an object,
1900         since toObject() is called on it.
1901
1902         * dfg/DFGFixupPhase.cpp:
1903         (JSC::DFG::FixupPhase::fixupNode):
1904         * dfg/DFGSpeculativeJIT.cpp:
1905         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
1906         * dfg/DFGSpeculativeJIT.h:
1907         (JSC::DFG::SpeculativeJIT::callOperation):
1908         * ftl/FTLLowerDFGToB3.cpp:
1909         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
1910         * jit/JITOperations.cpp:
1911         * jit/JITOperations.h:
1912
1913 2017-08-17  Matt Baker  <mattbaker@apple.com>
1914
1915         Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
1916         https://bugs.webkit.org/show_bug.cgi?id=175644
1917
1918         Reviewed by Brian Burg.
1919
1920         * inspector/agents/InspectorScriptProfilerAgent.h:
1921
1922 2017-08-17  Mark Lam  <mark.lam@apple.com>
1923
1924         Only use 16 VFP registers if !CPU(ARM_NEON).
1925         https://bugs.webkit.org/show_bug.cgi?id=175514
1926
1927         Reviewed by JF Bastien.
1928
1929         Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
1930         says that there are only 16 128-bit NEON registers.  This change is merely to
1931         correct the code documentation of these registers.  The FPQuadRegisterIDs are
1932         currently unused.
1933
1934         * assembler/ARMAssembler.h:
1935         (JSC::ARMAssembler::lastFPRegister):
1936         (JSC::ARMAssembler::fprName):
1937         * assembler/ARMv7Assembler.h:
1938         (JSC::ARMv7Assembler::lastFPRegister):
1939         (JSC::ARMv7Assembler::fprName):
1940         * assembler/MacroAssemblerARM.cpp:
1941         * assembler/MacroAssemblerARMv7.cpp:
1942
1943 2017-08-17  Andreas Kling  <akling@apple.com>
1944
1945         Disable CSS regions at compile time
1946         https://bugs.webkit.org/show_bug.cgi?id=175630
1947
1948         Reviewed by Antti Koivisto.
1949
1950         * Configurations/FeatureDefines.xcconfig:
1951
1952 2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>
1953
1954         [WPE][GTK] Ensure proper casting of data in gvariants
1955         https://bugs.webkit.org/show_bug.cgi?id=175667
1956
1957         Reviewed by Michael Catanzaro.
1958
1959         g_variant_new requires data to have the correct width for their types, using
1960         casting if necessary. Some data of type `unsigned` were being saved to `guint64`
1961         types without explicit casting, leading to undefined behavior in some platforms.
1962
1963         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1964         (Inspector::RemoteInspector::listingForInspectionTarget const):
1965         (Inspector::RemoteInspector::listingForAutomationTarget const):
1966         (Inspector::RemoteInspector::sendMessageToRemote):
1967
1968 2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1969
1970         [JSC] Avoid code bloating for iteration if block does not have "break"
1971         https://bugs.webkit.org/show_bug.cgi?id=173228
1972
1973         Reviewed by Keith Miller.
1974
1975         Currently, we always emit code for the break path when emitting for-of iteration.
1976         But we can know that this break path can be used when emitting the bytecode.
1977
1978         This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
1979         the break label may be bound. We emit a break path only when it returns
1980         true. This reduces bytecode bloating when using for-of iteration.
1981
1982         * bytecompiler/BytecodeGenerator.cpp:
1983         (JSC::Label::setLocation):
1984         (JSC::BytecodeGenerator::newLabel):
1985         (JSC::BytecodeGenerator::emitLabel):
1986         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
1987         (JSC::BytecodeGenerator::breakTarget):
1988         (JSC::BytecodeGenerator::continueTarget):
1989         (JSC::BytecodeGenerator::emitEnumeration):
1990         * bytecompiler/BytecodeGenerator.h:
1991         * bytecompiler/Label.h:
1992         (JSC::Label::bind const):
1993         (JSC::Label::hasOneRef const):
1994         (JSC::Label::isBound const):
1995         (JSC::Label::Label): Deleted.
1996         * bytecompiler/LabelScope.h:
1997         (JSC::LabelScope::hasOneRef const):
1998         (JSC::LabelScope::breakTargetMayBeBound const):
1999         * bytecompiler/NodesCodegen.cpp:
2000         (JSC::ContinueNode::trivialTarget):
2001         (JSC::ContinueNode::emitBytecode):
2002         (JSC::BreakNode::trivialTarget):
2003         (JSC::BreakNode::emitBytecode):
2004
2005 2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>
2006
2007         ARM build fix after r220807 and r220834.
2008         https://bugs.webkit.org/show_bug.cgi?id=175617
2009
2010         Unreviewed typo fix.
2011
2012         * assembler/MacroAssemblerARM.cpp:
2013
2014 2017-08-17  Mark Lam  <mark.lam@apple.com>
2015
2016         Gardening: build fix for ARM_TRADITIONAL after r220807.
2017         https://bugs.webkit.org/show_bug.cgi?id=175617
2018
2019         Not reviewed.
2020
2021         * assembler/MacroAssemblerARM.cpp:
2022
2023 2017-08-16  Mark Lam  <mark.lam@apple.com>
2024
2025         Add back the ability to disable MASM_PROBE from the build.
2026         https://bugs.webkit.org/show_bug.cgi?id=175656
2027         <rdar://problem/33933720>
2028
2029         Reviewed by Yusuke Suzuki.
2030
2031         This is needed for ports that the existing MASM_PROBE implementation doesn't work
2032         well with, e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
2033         default if !ENABLE(MASM_PROBE).
2034
2035         * assembler/AbstractMacroAssembler.h:
2036         * assembler/MacroAssembler.cpp:
2037         * assembler/MacroAssembler.h:
2038         * assembler/MacroAssemblerARM.cpp:
2039         * assembler/MacroAssemblerARM64.cpp:
2040         * assembler/MacroAssemblerARMv7.cpp:
2041         * assembler/MacroAssemblerPrinter.cpp:
2042         * assembler/MacroAssemblerPrinter.h:
2043         * assembler/MacroAssemblerX86Common.cpp:
2044         * assembler/testmasm.cpp:
2045         (JSC::run):
2046         * b3/B3LowerToAir.cpp:
2047         * b3/air/AirPrintSpecial.cpp:
2048         * b3/air/AirPrintSpecial.h:
2049
2050 2017-08-16  Dan Bernstein  <mitz@apple.com>
2051
2052         [Cocoa] Older-iOS install name symbols are being exported on other platforms
2053         https://bugs.webkit.org/show_bug.cgi?id=175654
2054
2055         Reviewed by Tim Horton.
2056
2057         * API/JSBase.cpp: Define the symbols only when targeting iOS.
2058
2059 2017-08-16  Matt Baker  <mattbaker@apple.com>
2060
2061         Web Inspector: capture async stack trace when workers/main context posts a message
2062         https://bugs.webkit.org/show_bug.cgi?id=167084
2063         <rdar://problem/30033673>
2064
2065         Reviewed by Brian Burg.
2066
2067         * inspector/agents/InspectorDebuggerAgent.h:
2068         Add `PostMessage` async call type.
2069
2070 2017-08-16  Mark Lam  <mark.lam@apple.com>
2071
2072         Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
2073         https://bugs.webkit.org/show_bug.cgi?id=175617
2074         <rdar://problem/33912104>
2075
2076         Reviewed by JF Bastien.
2077
2078         This patch adds a new feature to MacroAssembler::probe() where the probe function
2079         can provide a ProbeFunction callback to fill in stack values after the stack
2080         pointer has been adjusted.  The probe function can use this feature as follows:
2081
2082         1. Set the new sp value in the ProbeContext's CPUState.
2083
2084         2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
2085            which will do the work of filling in the stack values after the probe
2086            trampoline has adjusted the machine stack pointer.
2087
2088         3. Set the ProbeContext's initializeStackArgs to any value that the client wants
2089            to pass to the initializeStackFunction callback.
2090
2091         4. Return from the probe function.
2092
2093         Upon returning from the probe function, the probe trampoline will adjust the
2094         stack pointer based on the sp value in CPUState.  If initializeStackFunction
2095         is not set, the probe trampoline will restore registers and return to its caller.
2096
2097         If initializeStackFunction is set, the trampoline will move the ProbeContext
2098         beyond the range of the stack pointer i.e. it will place the new ProbeContext at
2099         an address lower than where CPUState.sp() points.  This ensures that the
2100         ProbeContext will not be trashed by the initializeStackFunction when it writes to
2101         the stack.  Then, the trampoline will call back to the initializeStackFunction
2102         ProbeFunction to let it fill in the stack values as desired.  The
2103         initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
2104         the new location.
2105
2106         initializeStackFunction may now write to the stack at addresses greater or
2107         equal to CPUState.sp(), but not below that.  initializeStackFunction is also
2108         not allowed to change CPUState.sp().  If the initializeStackFunction does not
2109         abide by these rules, then behavior is undefined, and bad things may happen.
2110
2111         For future reference, some implementation details that this patch needed to
2112         be mindful of:
2113
2114         1. When the probe trampoline allocates stack space for the ProbeContext, it
2115            should include OUT_SIZE as well.  This ensures that it doesn't have to move
2116            the ProbeContext on exit if the probe function didn't change the sp.
2117
2118         2. If the trampoline has to move the ProbeContext, it needs to point the machine
2119            sp to new ProbeContext first before copying over the ProbeContext data.  This
2120            protects the new ProbeContext from possibly being trashed by interrupts.
2121
2122         3. When computing the new address of ProbeContext to move to, we need to make
2123            sure that it is properly aligned in accordance with stack ABI requirements
2124            (just like we did when we allocated the ProbeContext on entry to the
2125            probe trampoline).
2126
2127         4. When copying the ProbeContext to its new location, the trampoline should
2128            always copy words from low addresses to high addresses.  This is because if
2129            we're moving the ProbeContext, we'll always be moving it to a lower address.
2130
2131         * assembler/MacroAssembler.h:
2132         * assembler/MacroAssemblerARM.cpp:
2133         * assembler/MacroAssemblerARM64.cpp:
2134         * assembler/MacroAssemblerARMv7.cpp:
2135         * assembler/MacroAssemblerX86Common.cpp:
2136         * assembler/testmasm.cpp:
2137         (JSC::testProbePreservesGPRS):
2138         (JSC::testProbeModifiesStackPointer):
2139         (JSC::fillStack):
2140         (JSC::testProbeModifiesStackWithCallback):
2141         (JSC::run):
2142
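The four client steps and the four implementation notes above, modelled in host C++ as an added example (not WebKit's trampoline, which is hand-written per architecture): the machine stack is a byte array, ProbeContext, CPUState and initializeStackFunction follow the names in the entry, and the struct layout, the 16-byte alignment, the OUT_SIZE stand-in, the register count and the sample probe are assumed values chosen for illustration. The sample probe lowers sp by 64 bytes, which overlaps the context's first home, so the model shows why the context has to be moved below the new sp before the callback runs and why the copy goes from low to high addresses.

```cpp
#include <cassert>
#include <cstdint>
#include <cstring>
#include <new>
#include <vector>

// Added example, not WebKit code: a host-side model of the probe trampoline contract.
// The machine stack is a byte array; sp points into it and grows down. Names follow the
// entry; the layout, kStackAlignment, kOutSize and the sample probe are assumed values.

struct ProbeContext;
using ProbeFunction = void (*)(ProbeContext*);
struct CPUState { uint8_t* sp = nullptr; uint64_t gpr[4] = {}; };   // sp plus a few registers
struct ProbeContext {
    CPUState cpu;
    ProbeFunction initializeStackFunction = nullptr;
    void* initializeStackArgs = nullptr;
};
constexpr size_t kStackAlignment = 16;   // assumed stack ABI alignment
constexpr size_t kOutSize = 32;          // stands in for OUT_SIZE

static uint8_t* alignDown(uint8_t* p, size_t alignment)
{
    return reinterpret_cast<uint8_t*>(reinterpret_cast<uintptr_t>(p) & ~uintptr_t(alignment - 1));
}

// Item 4: copy words low to high. The destination is always the lower address, so a
// forward copy never clobbers unread source words even if the two ranges overlap.
static void copyWordsLowToHigh(uint8_t* dst, const uint8_t* src, size_t words)
{
    for (size_t i = 0; i < words; ++i) {
        uint64_t w;
        memcpy(&w, src + i * 8, 8);
        memcpy(dst + i * 8, &w, 8);
    }
}

// Model of the trampoline: places a ProbeContext below entrySP, runs `probe`, honours a
// changed cpu.sp, and calls initializeStackFunction only once the context is out of the way.
CPUState runProbe(uint8_t* entrySP, ProbeFunction probe, const uint64_t (&entryGPRs)[4])
{
    // Items 1 and 3: reserve ProbeContext plus OUT_SIZE below sp, ABI-aligned.
    uint8_t* contextAddr = alignDown(entrySP - sizeof(ProbeContext) - kOutSize, kStackAlignment);
    ProbeContext* context = new (contextAddr) ProbeContext;
    context->cpu.sp = entrySP;
    memcpy(context->cpu.gpr, entryGPRs, sizeof(context->cpu.gpr));
    probe(context);   // client steps 1-4 happen in here
    uint8_t* newSP = context->cpu.sp;
    if (!context->initializeStackFunction)
        return context->cpu;   // nothing to fill in: restore registers and return
    // Move the context below the new sp so the callback's writes cannot reach it.
    uint8_t* movedAddr = alignDown(newSP - sizeof(ProbeContext) - kOutSize, kStackAlignment);
    if (movedAddr < contextAddr) {
        // Item 2: the real trampoline points the machine sp at movedAddr before this copy
        // so an interrupt cannot land on the new home; the model keeps the same order.
        copyWordsLowToHigh(movedAddr, contextAddr, (sizeof(ProbeContext) + 7) / 8);
        context = reinterpret_cast<ProbeContext*>(movedAddr);
    }
    // The callback gets the moved context; it may write at or above cpu.sp, never below.
    context->initializeStackFunction(context);
    assert(context->cpu.sp == newSP && "initializeStackFunction must not change sp");
    return context->cpu;   // registers are restored from the moved context
}

constexpr size_t kFrameBytes = 64;                    // sample probe's new frame
constexpr uint64_t kPattern = 0x5ca1ab1e00000000ull;  // constructed fill pattern

// Callback installed by the sample probe: fills [sp, sp + words * 8) with the pattern.
static void fillStack(ProbeContext* context)
{
    size_t words = reinterpret_cast<uintptr_t>(context->initializeStackArgs);
    for (size_t i = 0; i < words; ++i) {
        uint64_t w = kPattern | i;
        memcpy(context->cpu.sp + i * 8, &w, 8);
    }
}

static void sampleProbe(ProbeContext* context)   // the four client steps from the entry
{
    context->cpu.sp -= kFrameBytes;                                           // 1
    context->initializeStackFunction = fillStack;                             // 2
    context->initializeStackArgs = reinterpret_cast<void*>(kFrameBytes / 8);  // 3
}                                                                             // 4

struct DemoResult { bool spLowered; bool stackFilled; bool gprsPreserved; };

// Runs the sample probe on a constructed 1 KiB stack; the 64-byte frame overlaps the
// context's first home, which is exactly why the trampoline has to move it.
DemoResult demoProbeWithCallback()
{
    std::vector<uint8_t> stack(1024);
    uint8_t* entrySP = alignDown(stack.data() + stack.size(), kStackAlignment);
    const uint64_t gprs[4] = { 11, 22, 33, 44 };
    CPUState out = runProbe(entrySP, sampleProbe, gprs);
    DemoResult r { out.sp == entrySP - kFrameBytes, true, memcmp(out.gpr, gprs, sizeof(gprs)) == 0 };
    for (size_t i = 0; i < kFrameBytes / 8; ++i) {
        uint64_t w;
        memcpy(&w, out.sp + i * 8, 8);
        r.stackFilled = r.stackFilled && w == (kPattern | i);
    }
    return r;
}
```

With the numbers assumed here the first context sits at entrySP - 96 and the probe's frame covers [entrySP - 64, entrySP), so without the move the callback would overwrite the saved registers; after the move the context sits at entrySP - 160, below everything the callback touches, and the registers the trampoline restores are the ones the probe saw.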
2143 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
2144
2145         Fix JSCOnly ARM buildbots after r220047 and r220184
2146         https://bugs.webkit.org/show_bug.cgi?id=174993
2147
2148         Reviewed by Carlos Alberto Lopez Perez.
2149
2150         * CMakeLists.txt: Generate only one backend on Linux to save build time.
2151
2152 2017-08-16  Andy Estes  <aestes@apple.com>
2153
2154         [Payment Request] Add an ENABLE flag and an experimental feature preference
2155         https://bugs.webkit.org/show_bug.cgi?id=175622
2156
2157         Reviewed by Tim Horton.
2158
2159         * Configurations/FeatureDefines.xcconfig:
2160
2161 2017-08-15  Robin Morisset  <rmorisset@apple.com>
2162
2163         We are too conservative about the effects of PushWithScope
2164         https://bugs.webkit.org/show_bug.cgi?id=175584
2165
2166         Reviewed by Saam Barati.
2167
2168         PushWithScope converts its argument to an object (this can throw a type error,
2169         but has no other observable effect), and allocates a new scope, that it then
2170         makes the new current scope. We were a bit too
2171         conservative in saying that it clobbers the world.
2172
2173         * dfg/DFGAbstractInterpreterInlines.h:
2174         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2175         * dfg/DFGClobberize.h:
2176         (JSC::DFG::clobberize):
2177         * dfg/DFGDoesGC.cpp:
2178         (JSC::DFG::doesGC):
2179
2180 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
2181
2182         Make DataTransferItemList work with plain text entries
2183         https://bugs.webkit.org/show_bug.cgi?id=175596
2184
2185         Reviewed by Wenson Hsieh.
2186
2187         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
2188
2189         * runtime/CommonIdentifiers.h:
2190
2191 2017-08-15  Robin Morisset  <rmorisset@apple.com>
2192
2193         Support the 'with' keyword in FTL
2194         https://bugs.webkit.org/show_bug.cgi?id=175585
2195
2196         Reviewed by Saam Barati.
2197
2198         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
2199         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
2200         to the other at a different step which was quite confusing. I picked this order for consistency with CreateActivation
2201         that takes its parentScope argument first.
2202
2203         * bytecompiler/BytecodeGenerator.cpp:
2204         (JSC::BytecodeGenerator::emitPushWithScope):
2205         * debugger/DebuggerCallFrame.cpp:
2206         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
2207         * dfg/DFGByteCodeParser.cpp:
2208         (JSC::DFG::ByteCodeParser::parseBlock):
2209         * dfg/DFGFixupPhase.cpp:
2210         (JSC::DFG::FixupPhase::fixupNode):
2211         * dfg/DFGSpeculativeJIT.cpp:
2212         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2213         * ftl/FTLCapabilities.cpp:
2214         (JSC::FTL::canCompile):
2215         * ftl/FTLLowerDFGToB3.cpp:
2216         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2217         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
2218         * jit/JITOperations.cpp:
2219         * runtime/CommonSlowPaths.cpp:
2220         (JSC::SLOW_PATH_DECL):
2221         * runtime/Completion.cpp:
2222         (JSC::evaluateWithScopeExtension):
2223         * runtime/JSWithScope.cpp:
2224         (JSC::JSWithScope::create):
2225         * runtime/JSWithScope.h:
2226
2227 2017-08-15  Saam Barati  <sbarati@apple.com>
2228
2229         Make VM::scratchBufferForSize thread safe
2230         https://bugs.webkit.org/show_bug.cgi?id=175604
2231
2232         Reviewed by Geoffrey Garen and Mark Lam.
2233
2234         I want to use the VM::scratchBufferForSize in another patch I'm writing.
2235         The use case for my other patch is to call it from the compiler thread.
2236         When reading the code, I saw that this API was not thread safe. This patch
2237         makes it thread safe. It actually turns out we were calling this API from
2238         the compiler thread already when we created FTL::State for an FTL OSR entry
2239         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
2240         is now correct with this patch.
2241
2242         * runtime/VM.cpp:
2243         (JSC::VM::VM):
2244         (JSC::VM::~VM):
2245         (JSC::VM::gatherConservativeRoots):
2246         (JSC::VM::scratchBufferForSize):
2247         * runtime/VM.h:
2248         (JSC::VM::scratchBufferForSize): Deleted.
2249
2250 2017-08-15  Keith Miller  <keith_miller@apple.com>
2251
2252         JSC named bytecode offsets should use references rather than pointers
2253         https://bugs.webkit.org/show_bug.cgi?id=175601
2254
2255         Reviewed by Saam Barati.
2256
2257         * dfg/DFGByteCodeParser.cpp:
2258         (JSC::DFG::ByteCodeParser::parseBlock):
2259         * jit/JITOpcodes.cpp:
2260         (JSC::JIT::emit_op_overrides_has_instance):
2261         (JSC::JIT::emit_op_instanceof):
2262         (JSC::JIT::emitSlow_op_instanceof):
2263         (JSC::JIT::emitSlow_op_instanceof_custom):
2264         * jit/JITOpcodes32_64.cpp:
2265         (JSC::JIT::emit_op_overrides_has_instance):
2266         (JSC::JIT::emit_op_instanceof):
2267         (JSC::JIT::emitSlow_op_instanceof):
2268         (JSC::JIT::emitSlow_op_instanceof_custom):
2269
2270 2017-08-15  Keith Miller  <keith_miller@apple.com>
2271
2272         Enable named offsets into JSC bytecodes
2273         https://bugs.webkit.org/show_bug.cgi?id=175561
2274
2275         Reviewed by Mark Lam.
2276
2277         This patch adds the ability to add named offsets into JSC's
2278         bytecodes.  In the bytecode json file, instead of listing a
2279         length, you can now list a set of names and their types. Each
2280         opcode with an offsets property will have a struct named after the
2281         opcode in our C++ naming style. For example,
2282         op_overrides_has_instance would become OpOverridesHasInstance. The
2283         struct has the same memory layout as the instruction list has but
2284         comes with handy named accessors.
2285
2286         As a first cut I converted the various instanceof bytecodes to use
2287         named offsets.
2288
2289         As an example op_overrides_has_instance produces the following struct:
2290
2291         struct OpOverridesHasInstance {
2292         public:
2293             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
2294             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
2295             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
2296             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
2297             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
2298             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
2299             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
2300             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
2301
2302         private:
2303             friend class LLIntOffsetsExtractor;
2304             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
2305             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
2306             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
2307             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
2308         };
2309
2310         * CMakeLists.txt:
2311         * DerivedSources.make:
2312         * JavaScriptCore.xcodeproj/project.pbxproj:
2313         * bytecode/BytecodeList.json:
2314         * dfg/DFGByteCodeParser.cpp:
2315         (JSC::DFG::ByteCodeParser::parseBlock):
2316         * generate-bytecode-files:
2317         * jit/JITOpcodes.cpp:
2318         (JSC::JIT::emit_op_overrides_has_instance):
2319         (JSC::JIT::emit_op_instanceof):
2320         (JSC::JIT::emitSlow_op_instanceof):
2321         (JSC::JIT::emitSlow_op_instanceof_custom):
2322         * jit/JITOpcodes32_64.cpp:
2323         (JSC::JIT::emit_op_overrides_has_instance):
2324         (JSC::JIT::emit_op_instanceof):
2325         (JSC::JIT::emitSlow_op_instanceof):
2326         (JSC::JIT::emitSlow_op_instanceof_custom):
2327         * llint/LLIntOffsetsExtractor.cpp:
2328         * llint/LowLevelInterpreter.asm:
2329         * llint/LowLevelInterpreter32_64.asm:
2330         * llint/LowLevelInterpreter64.asm:
2331
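The generated struct quoted above, made stand-alone as an added example (not WebKit's generated code): Opcode and Instruction are minimal stand-ins constructed for illustration, and the static_asserts and the two round-trip functions are the layout checks one would want a generator for such structs to emit, showing that the struct overlays four consecutive instruction-stream words in both directions.

```cpp
#include <cstdint>
#include <type_traits>

// Added example, not WebKit code: the generated OpOverridesHasInstance struct from the
// entry, made stand-alone with minimal stand-ins for JSC's Opcode and Instruction so
// the layout claim (one Instruction word per operand) can be checked and exercised.

enum Opcode : uint32_t { op_enter = 0, op_overrides_has_instance = 0x2a };   // constructed values

union Instruction {              // one word of the bytecode stream
    Opcode opcode;
    int operand;
    void* pointer;               // keeps the word pointer-sized, as in JSC
};

struct OpOverridesHasInstance {
public:
    Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
    const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
    int& dst() { return *reinterpret_cast<int*>(&m_dst); }
    const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
    int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
    const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
    int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
    const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }

private:
    // Each operand gets storage padded and aligned to a full Instruction word.
    std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
};

// Layout checks a generator for these structs should emit alongside them.
static_assert(std::is_standard_layout<OpOverridesHasInstance>::value, "overlay must be standard-layout");
static_assert(sizeof(OpOverridesHasInstance) == 4 * sizeof(Instruction), "one word per operand");
static_assert(alignof(OpOverridesHasInstance) == alignof(Instruction), "same alignment as the stream");

struct Operands { int dst; int constructor; int hasInstanceValue; };

// Writes the instruction as raw stream words, then reads it back through the named view.
Operands roundTrip(int dst, int constructor, int hasInstanceValue)
{
    Instruction stream[4] = {};
    stream[0].opcode = op_overrides_has_instance;
    stream[1].operand = dst;
    stream[2].operand = constructor;
    stream[3].operand = hasInstanceValue;
    const auto* view = reinterpret_cast<const OpOverridesHasInstance*>(stream);
    if (view->opcode() != op_overrides_has_instance)
        return { -1, -1, -1 };   // would indicate a layout mismatch
    return { view->dst(), view->constructor(), view->hasInstanceValue() };
}

// The reverse direction: a write through the accessor lands in the raw stream word.
int writeThroughView(int newDst)
{
    Instruction stream[4] = {};
    auto* view = reinterpret_cast<OpOverridesHasInstance*>(stream);
    view->opcode() = op_overrides_has_instance;
    view->dst() = newDst;
    return stream[1].operand;
}
```

The second aligned_storage parameter is what makes the overlay work: each 4-byte operand is padded up to the pointer-sized Instruction word, so the struct's size is exactly the instruction's length and the accessors hit the same words the interpreter reads.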
2332 2017-08-15  Mark Lam  <mark.lam@apple.com>
2333
2334         Update testmasm to use new CPUState APIs.
2335         https://bugs.webkit.org/show_bug.cgi?id=175573
2336
2337         Reviewed by Keith Miller.
2338
2339         1. Applied convenience CPUState accessors to minimize casting.
2340         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
2341            messages.
2342         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
2343            casting is (mostly) no longer an issue.
2344         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
2345            to make it clear that we're comparing against the bit values of testWord64(id).
2346         5. Added a "Completed N tests" message at the end of running all tests.
2347            This makes it easy to tell at a glance that testmasm completed successfully
2348            versus when it crashed midway in a test.  The number of tests also serves as
2349            a quick checksum to confirm that we ran the number of tests we expected.
2350
2351         * assembler/testmasm.cpp:
2352         (WTF::printInternal):
2353         (JSC::testSimple):
2354         (JSC::testProbeReadsArgumentRegisters):
2355         (JSC::testProbeWritesArgumentRegisters):
2356         (JSC::testProbePreservesGPRS):
2357         (JSC::testProbeModifiesStackPointer):
2358         (JSC::testProbeModifiesProgramCounter):
2359         (JSC::run):
2360
2361 2017-08-14  Keith Miller  <keith_miller@apple.com>
2362
2363         Add testing tool to lie to the DFG about profiles
2364         https://bugs.webkit.org/show_bug.cgi?id=175487
2365
2366         Reviewed by Saam Barati.
2367
2368         This patch adds a new bytecode identity_with_profile that lets
2369         us lie to the DFG about what profiles it has seen as the input to
2370         another bytecode. Previously, there was no reliable way to force
2371         a given profile when we tiered up.
2372
2373         * bytecode/BytecodeDumper.cpp:
2374         (JSC::BytecodeDumper<Block>::dumpBytecode):
2375         * bytecode/BytecodeIntrinsicRegistry.h:
2376         * bytecode/BytecodeList.json:
2377         * bytecode/BytecodeUseDef.h:
2378         (JSC::computeUsesForBytecodeOffset):
2379         (JSC::computeDefsForBytecodeOffset):
2380         * bytecode/SpeculatedType.cpp:
2381         (JSC::speculationFromString):
2382         * bytecode/SpeculatedType.h:
2383         * bytecompiler/BytecodeGenerator.cpp:
2384         (JSC::BytecodeGenerator::emitIdWithProfile):
2385         * bytecompiler/BytecodeGenerator.h:
2386         * bytecompiler/NodesCodegen.cpp:
2387         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
2388         * dfg/DFGAbstractInterpreterInlines.h:
2389         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2390         * dfg/DFGByteCodeParser.cpp:
2391         (JSC::DFG::ByteCodeParser::parseBlock):
2392         * dfg/DFGCapabilities.cpp:
2393         (JSC::DFG::capabilityLevel):
2394         * dfg/DFGClobberize.h:
2395         (JSC::DFG::clobberize):
2396         * dfg/DFGDoesGC.cpp:
2397         (JSC::DFG::doesGC):
2398         * dfg/DFGFixupPhase.cpp:
2399         (JSC::DFG::FixupPhase::fixupNode):
2400         * dfg/DFGMayExit.cpp:
2401         * dfg/DFGNode.h:
2402         (JSC::DFG::Node::getForcedPrediction):
2403         * dfg/DFGNodeType.h:
2404         * dfg/DFGPredictionPropagationPhase.cpp:
2405         * dfg/DFGSafeToExecute.h:
2406         (JSC::DFG::safeToExecute):
2407         * dfg/DFGSpeculativeJIT32_64.cpp:
2408         (JSC::DFG::SpeculativeJIT::compile):
2409         * dfg/DFGSpeculativeJIT64.cpp:
2410         (JSC::DFG::SpeculativeJIT::compile):
2411         * dfg/DFGValidate.cpp:
2412         * jit/JIT.cpp:
2413         (JSC::JIT::privateCompileMainPass):
2414         * jit/JIT.h:
2415         * jit/JITOpcodes.cpp:
2416         (JSC::JIT::emit_op_identity_with_profile):
2417         * jit/JITOpcodes32_64.cpp:
2418         (JSC::JIT::emit_op_identity_with_profile):
2419         * llint/LowLevelInterpreter.asm:
2420
2421 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
2422
2423         Remove Proximity Events and related code
2424         https://bugs.webkit.org/show_bug.cgi?id=175545
2425
2426         Reviewed by Daniel Bates.
2427
2428         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
2429         and other related code.
2430
2431         * Configurations/FeatureDefines.xcconfig:
2432
2433 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
2434
2435         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
2436         https://bugs.webkit.org/show_bug.cgi?id=175504
2437
2438         Reviewed by Sam Weinig.
2439
2440         * Configurations/FeatureDefines.xcconfig:
2441
2442 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
2443
2444         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
2445         https://bugs.webkit.org/show_bug.cgi?id=175557
2446
2447         Reviewed by Jon Lee.
2448
2449         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
2450
2451         * Configurations/FeatureDefines.xcconfig:
2452
2453 2017-08-14  Robin Morisset  <rmorisset@apple.com>
2454
2455         Support the 'with' keyword in DFG
2456         https://bugs.webkit.org/show_bug.cgi?id=175470
2457
2458         Reviewed by Saam Barati.
2459
2460         Not particularly optimized at the moment, the goal is just to avoid
2461         the DFG bailing out of any function with this keyword.
2462
2463         * dfg/DFGAbstractInterpreterInlines.h:
2464         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2465         * dfg/DFGByteCodeParser.cpp:
2466         (JSC::DFG::ByteCodeParser::parseBlock):
2467         * dfg/DFGCapabilities.cpp:
2468         (JSC::DFG::capabilityLevel):
2469         * dfg/DFGClobberize.h:
2470         (JSC::DFG::clobberize):
2471         * dfg/DFGDoesGC.cpp:
2472         (JSC::DFG::doesGC):
2473         * dfg/DFGFixupPhase.cpp:
2474         (JSC::DFG::FixupPhase::fixupNode):
2475         * dfg/DFGNodeType.h:
2476         * dfg/DFGPredictionPropagationPhase.cpp:
2477         * dfg/DFGSafeToExecute.h:
2478         (JSC::DFG::safeToExecute):
2479         * dfg/DFGSpeculativeJIT.cpp:
2480         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2481         * dfg/DFGSpeculativeJIT.h:
2482         (JSC::DFG::SpeculativeJIT::callOperation):
2483         * dfg/DFGSpeculativeJIT32_64.cpp:
2484         (JSC::DFG::SpeculativeJIT::compile):
2485         * dfg/DFGSpeculativeJIT64.cpp:
2486         (JSC::DFG::SpeculativeJIT::compile):
2487         * jit/JITOperations.cpp:
2488         * jit/JITOperations.h:
2489
2490 2017-08-14  Mark Lam  <mark.lam@apple.com>
2491
2492         Add some convenience utility accessor methods to MacroAssembler::CPUState.
2493         https://bugs.webkit.org/show_bug.cgi?id=175549
2494         <rdar://problem/33884868>
2495
2496         Reviewed by Saam Barati.
2497
2498         Previously, in order to read ProbeContext CPUState registers, we used to need to
2499         do it this way:
2500
2501             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
2502             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
2503             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
2504             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
2505
2506         With this patch, we can now read them this way instead:
2507         
2508             ExecState* exec = cpu.fp<ExecState*>();
2509             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
2510             void* p = cpu.gpr<void*>(GPRInfo::regT1);
2511             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
2512
2513         * assembler/MacroAssembler.h:
2514         (JSC:: const):
2515         (JSC::MacroAssembler::CPUState::fpr const):
2516         (JSC::MacroAssembler::CPUState::pc const):
2517         (JSC::MacroAssembler::CPUState::fp const):
2518         (JSC::MacroAssembler::CPUState::sp const):
2519         (JSC::ProbeContext::pc):
2520         (JSC::ProbeContext::fp):
2521         (JSC::ProbeContext::sp):
2522
2523 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
2524
2525         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
2526         https://bugs.webkit.org/show_bug.cgi?id=174921
2527
2528         Reviewed by Mark Lam.
2529         
2530         Uses CagedUniquePtr<> to cage the ScopeOffset array.
2531
2532         * dfg/DFGSpeculativeJIT.cpp:
2533         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2534         * ftl/FTLLowerDFGToB3.cpp:
2535         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2536         * jit/JITPropertyAccess.cpp:
2537         (JSC::JIT::emitScopedArgumentsGetByVal):
2538         * runtime/ScopedArgumentsTable.cpp:
2539         (JSC::ScopedArgumentsTable::create):
2540         (JSC::ScopedArgumentsTable::setLength):
2541         * runtime/ScopedArgumentsTable.h:
2542
2543 2017-08-14  Mark Lam  <mark.lam@apple.com>
2544
2545         Gardening: fix Windows build.
2546         https://bugs.webkit.org/show_bug.cgi?id=175446
2547
2548         Not reviewed.
2549
2550         * assembler/MacroAssemblerX86Common.cpp:
2551         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
2552         (JSC::ctiMasmProbeTrampoline):
2553
2554 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
2555
2556         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
2557         https://bugs.webkit.org/show_bug.cgi?id=175512
2558         <rdar://problem/33863584>
2559
2560         Reviewed by Mark Lam.
2561
2562         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
2563         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
2564
2565 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
2566
2567         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
2568         https://bugs.webkit.org/show_bug.cgi?id=175513
2569
2570         Reviewed by Mark Lam.
2571
2572         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
2573
2574 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
2575
2576         FTL's compileGetTypedArrayByteOffset needs to do caging
2577         https://bugs.webkit.org/show_bug.cgi?id=175366
2578
2579         Reviewed by Saam Barati.
2580         
2581         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
2582         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
2583
2584         * dfg/DFGSpeculativeJIT.cpp:
2585         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2586         * ftl/FTLLowerDFGToB3.cpp:
2587         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
2588         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
2589         * runtime/ArrayBuffer.h:
2590         * runtime/ArrayBufferView.h:
2591         * runtime/JSArrayBufferView.h:
2592
2593 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
2594
2595         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
2596         https://bugs.webkit.org/show_bug.cgi?id=175474
2597         <rdar://problem/33844628>
2598
2599         Reviewed by Wenson Hsieh.
2600
2601         * Configurations/FeatureDefines.xcconfig:
2602         * runtime/CommonIdentifiers.h:
2603
2604 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2605
2606         Caging shouldn't have to use a patchpoint for adding
2607         https://bugs.webkit.org/show_bug.cgi?id=175483
2608
2609         Reviewed by Mark Lam.
2610
2611         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
2612         constants and associative operations dictate that you always want to sink constants. For example,
2613         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
2614         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
2615         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
2616         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
2617         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
2618         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
2619         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
2620         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
2621         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
2622         hacks for just stopping B3's reassociation only in this specific case.
2623         
2624         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
2625         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
2626         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
2627         that if we cage the same pointer in two places, both places will compute the same value.
2628         
2629         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
2630         if it were Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
2631         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
2632         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
2633         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
2634         enough scale to warrant new opcodes.)
2635         
2636         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
2637         makes the code a bit less ugly.
2638
2639         * b3/B3LowerToAir.cpp:
2640         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
2641         (JSC::B3::Air::LowerToAir::lower):
2642         * b3/B3Opcode.cpp:
2643         (WTF::printInternal):
2644         * b3/B3Opcode.h:
2645         * b3/B3ReduceStrength.cpp:
2646         * b3/B3Validate.cpp:
2647         * b3/B3Value.cpp:
2648         (JSC::B3::Value::effects const):
2649         (JSC::B3::Value::key const):
2650         (JSC::B3::Value::isFree const):
2651         (JSC::B3::Value::typeFor):
2652         * b3/B3Value.h:
2653         * b3/B3ValueKey.cpp:
2654         (JSC::B3::ValueKey::materialize const):
2655         * ftl/FTLLowerDFGToB3.cpp:
2656         (JSC::FTL::DFG::LowerDFGToB3::caged):
2657         * ftl/FTLOutput.cpp:
2658         (JSC::FTL::Output::opaque):
2659         * ftl/FTLOutput.h:
2660
2661 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2662
2663         ScopedArguments overflow storage needs to be in the JSValue gigacage
2664         https://bugs.webkit.org/show_bug.cgi?id=174923
2665
2666         Reviewed by Saam Barati.
2667         
2668         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
2669         object into the JSValue gigacage.
2670
2671         * dfg/DFGSpeculativeJIT.cpp:
2672         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2673         * ftl/FTLLowerDFGToB3.cpp:
2674         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2675         * jit/JITPropertyAccess.cpp:
2676         (JSC::JIT::emitScopedArgumentsGetByVal):
2677         * runtime/ScopedArguments.h:
2678         (JSC::ScopedArguments::subspaceFor):
2679         (JSC::ScopedArguments::overflowStorage const):
2680
2681 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2682
2683         JSLexicalEnvironment needs to be in the JSValue gigacage
2684         https://bugs.webkit.org/show_bug.cgi?id=174922
2685
2686         Reviewed by Michael Saboff.
2687         
2688         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
2689         the only random accesses use pointer caging.
2690         
2691         We don't need to do anything to normal lexical environment accesses.
2692
2693         * dfg/DFGSpeculativeJIT.cpp:
2694         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2695         * ftl/FTLLowerDFGToB3.cpp:
2696         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2697         * runtime/JSEnvironmentRecord.h:
2698         (JSC::JSEnvironmentRecord::subspaceFor):
2699         (JSC::JSEnvironmentRecord::variables):
2700
2701 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2702
2703         DirectArguments should be in the JSValue gigacage
2704         https://bugs.webkit.org/show_bug.cgi?id=174920
2705
2706         Reviewed by Michael Saboff.
2707         
2708         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
2709         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
2710         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
2711         required to use fixed offsets, and you can only store JSValues.
2712
2713         * dfg/DFGSpeculativeJIT.cpp:
2714         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2715         * ftl/FTLLowerDFGToB3.cpp:
2716         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2717         * jit/JITPropertyAccess.cpp:
2718         (JSC::JIT::emitDirectArgumentsGetByVal):
2719         * runtime/DirectArguments.h:
2720         (JSC::DirectArguments::subspaceFor):
2721         (JSC::DirectArguments::storage):
2722         * runtime/VM.cpp:
2723         (JSC::VM::VM):
2724         * runtime/VM.h:
2725
2726 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2727
2728         Unreviewed, add a FIXME.
2729
2730         * ftl/FTLLowerDFGToB3.cpp:
2731         (JSC::FTL::DFG::LowerDFGToB3::caged):
2732
2733 2017-08-10  Sam Weinig  <sam@webkit.org>
2734
2735         WTF::Function does not allow for reference / non-default constructible return types
2736         https://bugs.webkit.org/show_bug.cgi?id=175244
2737
2738         Reviewed by Chris Dumez.
2739
2740         * runtime/ArrayBuffer.cpp:
2741         (JSC::ArrayBufferContents::transferTo):
2742         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
2743         destroy call needed to be a no-op anyway, since the data is being moved.
2744
2745 2017-08-11  Mark Lam  <mark.lam@apple.com>
2746
2747         Gardening: fix CLoop build.
2748         https://bugs.webkit.org/show_bug.cgi?id=175446
2749         <rdar://problem/33836545>
2750
2751         Not reviewed.
2752
2753         * assembler/MacroAssemblerPrinter.cpp:
2754
2755 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
2756
2757         DFG should do caging
2758         https://bugs.webkit.org/show_bug.cgi?id=174918
2759
2760         Reviewed by Saam Barati.
2761         
2762         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
2763         the conditional caging with a watchpoint.
2764         
2765         This might be a 1% SunSpider slow-down, but it's not clear.
2766
2767         * dfg/DFGSpeculativeJIT.cpp:
2768         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
2769         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2770         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2771         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2772         (JSC::DFG::SpeculativeJIT::compileSpread):
2773         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2774         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2775         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2776         * dfg/DFGSpeculativeJIT.h:
2777         * dfg/DFGSpeculativeJIT64.cpp:
2778         (JSC::DFG::SpeculativeJIT::compile):
2779
2780 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2781
2782         Unreviewed, build fix for x86 GTK port
2783         https://bugs.webkit.org/show_bug.cgi?id=175446
2784
2785         Use pushfl/popfl instead of pushfd/popfd.
2786
2787         * assembler/MacroAssemblerX86Common.cpp:
2788
2789 2017-08-10  Mark Lam  <mark.lam@apple.com>
2790
2791         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
2792         https://bugs.webkit.org/show_bug.cgi?id=175446
2793         <rdar://problem/33836545>
2794
2795         Reviewed by Saam Barati.
2796
2797         * assembler/AbstractMacroAssembler.h:
2798         * assembler/MacroAssembler.cpp:
2799         (JSC::MacroAssembler::probe):
2800         * assembler/MacroAssembler.h:
2801         * assembler/MacroAssemblerARM.cpp:
2802         (JSC::MacroAssembler::probe):
2803         * assembler/MacroAssemblerARM.h:
2804         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2805         * assembler/MacroAssemblerARM64.cpp:
2806         (JSC::MacroAssembler::probe):
2807         * assembler/MacroAssemblerARMv7.cpp:
2808         (JSC::MacroAssembler::probe):
2809         * assembler/MacroAssemblerARMv7.h:
2810         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
2811         * assembler/MacroAssemblerPrinter.cpp:
2812         * assembler/MacroAssemblerPrinter.h:
2813         * assembler/MacroAssemblerX86Common.cpp:
2814         * assembler/testmasm.cpp:
2815         (JSC::isSpecialGPR):
2816         (JSC::testProbeModifiesProgramCounter):
2817         (JSC::run):
2818         * b3/B3LowerToAir.cpp:
2819         (JSC::B3::Air::LowerToAir::print):
2820         * b3/air/AirPrintSpecial.cpp:
2821         * b3/air/AirPrintSpecial.h:
2822
2823 2017-08-10  Mark Lam  <mark.lam@apple.com>
2824
2825         Apply the UNLIKELY macro to some unlikely things.
2826         https://bugs.webkit.org/show_bug.cgi?id=175440
2827         <rdar://problem/33834767>
2828
2829         Reviewed by Yusuke Suzuki.
2830
2831         * bytecode/CodeBlock.cpp:
2832         (JSC::CodeBlock::~CodeBlock):
2833         (JSC::CodeBlock::jettison):
2834         * dfg/DFGByteCodeParser.cpp:
2835         (JSC::DFG::ByteCodeParser::handleCall):
2836         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2837         (JSC::DFG::ByteCodeParser::handleGetById):
2838         (JSC::DFG::ByteCodeParser::handlePutById):
2839         (JSC::DFG::ByteCodeParser::parseBlock):
2840         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2841         * dfg/DFGJITCompiler.cpp:
2842         (JSC::DFG::JITCompiler::JITCompiler):
2843         (JSC::DFG::JITCompiler::linkOSRExits):
2844         (JSC::DFG::JITCompiler::link):
2845         (JSC::DFG::JITCompiler::disassemble):
2846         * dfg/DFGJITFinalizer.cpp:
2847         (JSC::DFG::JITFinalizer::finalizeCommon):
2848         * dfg/DFGOSRExit.cpp:
2849         (JSC::DFG::OSRExit::compileOSRExit):
2850         * dfg/DFGPlan.cpp:
2851         (JSC::DFG::Plan::Plan):
2852         * ftl/FTLJITFinalizer.cpp:
2853         (JSC::FTL::JITFinalizer::finalizeCommon):
2854         * ftl/FTLLink.cpp:
2855         (JSC::FTL::link):
2856         * ftl/FTLOSRExitCompiler.cpp:
2857         (JSC::FTL::compileStub):
2858         * jit/JIT.cpp:
2859         (JSC::JIT::privateCompileMainPass):
2860         (JSC::JIT::compileWithoutLinking):
2861         (JSC::JIT::link):
2862         * runtime/ScriptExecutable.cpp:
2863         (JSC::ScriptExecutable::installCode):
2864         * runtime/VM.cpp:
2865         (JSC::VM::VM):
2866
2867 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2868
2869         [WTF] ThreadSpecific should not introduce additional indirection
2870         https://bugs.webkit.org/show_bug.cgi?id=175187
2871
2872         Reviewed by Mark Lam.
2873
2874         * runtime/Identifier.cpp:
2875
2876 2017-08-10  Tim Horton  <timothy_horton@apple.com>
2877
2878         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
2879         https://bugs.webkit.org/show_bug.cgi?id=175436
2880         <rdar://problem/33667497>
2881
2882         Reviewed by Simon Fraser.
2883
2884         * interpreter/Interpreter.cpp:
2885         (JSC::Interpreter::Interpreter):
2886
2887 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
2888
2889         Remove ENABLE_GAMEPAD_DEPRECATED
2890         https://bugs.webkit.org/show_bug.cgi?id=175361
2891
2892         Reviewed by Carlos Garcia Campos.
2893
2894         * Configurations/FeatureDefines.xcconfig:
2895
2896 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
2897
2898         [JSC] Create JSSet constructor that accepts its size as parameter
2899         https://bugs.webkit.org/show_bug.cgi?id=173297
2900
2901         Reviewed by Saam Barati.
2902
2903         This patch is adding a new constructor to JSSet that gives its
2904         expected initial size. It is important to avoid re-hashing and multiple
2905         allocations when we know the final size of JSSet, such as in
2906         CodeBlock::setConstantIdentifierSetRegisters.
2907
2908         * bytecode/CodeBlock.cpp:
2909         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
2910         * runtime/HashMapImpl.h:
2911         (JSC::HashMapImpl::HashMapImpl):
2912         * runtime/JSSet.h:
2913
2914 2017-08-09  Commit Queue  <commit-queue@webkit.org>
2915
2916         Unreviewed, rolling out r220466, r220477, and r220487.
2917         https://bugs.webkit.org/show_bug.cgi?id=175411
2918
2919         This change broke existing API tests and follow up fixes did
2920         not resolve all the issues. (Requested by ryanhaddad on
2921         #webkit).
2922
2923         Reverted changesets:
2924
2925         https://bugs.webkit.org/show_bug.cgi?id=175244
2926         http://trac.webkit.org/changeset/220466
2927
2928         "WTF::Function does not allow for reference / non-default
2929         constructible return types"
2930         https://bugs.webkit.org/show_bug.cgi?id=175244
2931         http://trac.webkit.org/changeset/220477
2932
2933         https://bugs.webkit.org/show_bug.cgi?id=175244
2934         http://trac.webkit.org/changeset/220487
2935
2936 2017-08-09  Caitlin Potter  <caitp@igalia.com>
2937
2938         Early error on ANY operator before new.target
2939         https://bugs.webkit.org/show_bug.cgi?id=157970
2940
2941         Reviewed by Saam Barati.
2942
2943         Instead of throwing if any unary operator precedes new.target, only
2944         throw if the unary operator updates the reference.
2945
2946         The following become legal in JSC:
2947
2948         ```
2949         !new.target
2950         ~new.target
2951         typeof new.target
2952         delete new.target
2953         void new.target
2954         ```
2955
2956         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.
2957
2958         * parser/Parser.cpp:
2959         (JSC::Parser<LexerType>::parseUnaryExpression):
2960
2961 2017-08-09  Sam Weinig  <sam@webkit.org>
2962
2963         WTF::Function does not allow for reference / non-default constructible return types
2964         https://bugs.webkit.org/show_bug.cgi?id=175244
2965
2966         Reviewed by Chris Dumez.
2967
2968         * runtime/ArrayBuffer.cpp:
2969         (JSC::ArrayBufferContents::transferTo):
2970         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
2971         destroy call needed to be a no-op anyway, since the data is being moved.
2972
2973 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
2974
2975         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
2976         https://bugs.webkit.org/show_bug.cgi?id=175392
2977         <rdar://problem/33783207>
2978
2979         Reviewed by Tim Horton and Megan Gardner.
2980
2981         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
2982
2983         * Configurations/FeatureDefines.xcconfig:
2984
2985 2017-08-09  Robin Morisset  <rmorisset@apple.com>
2986
2987         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
2988         https://bugs.webkit.org/show_bug.cgi?id=175358
2989
2990         Reviewed by Mark Lam.
2991
2992         * jit/JITOperations.cpp:
2993         * runtime/JSObjectInlines.h:
2994         (JSC::JSObject::putInlineForJSObject):
2995
2996 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
2997
2998         Unreviewed, rolling out r220457.
2999
3000         This change introduced API test failures.
3001
3002         Reverted changeset:
3003
3004         "WTF::Function does not allow for reference / non-default
3005         constructible return types"
3006         https://bugs.webkit.org/show_bug.cgi?id=175244
3007         http://trac.webkit.org/changeset/220457
3008
3009 2017-08-09  Sam Weinig  <sam@webkit.org>
3010
3011         WTF::Function does not allow for reference / non-default constructible return types
3012         https://bugs.webkit.org/show_bug.cgi?id=175244
3013
3014         Reviewed by Chris Dumez.
3015
3016         * runtime/ArrayBuffer.cpp:
3017         (JSC::ArrayBufferContents::transferTo):
3018         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
3019         destroy call needed to be a no-op anyway, since the data is being moved.
3020
3021 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3022
3023         REGRESSION: 2 test262/test/language/statements/async-function failures
3024         https://bugs.webkit.org/show_bug.cgi?id=175334
3025
3026         Reviewed by Yusuke Suzuki.
3027
3028         Switch off useAsyncIterator by default
3029
3030         * runtime/Options.h:
3031
3032 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
3033
3034         ICs should do caging
3035         https://bugs.webkit.org/show_bug.cgi?id=175295
3036
3037         Reviewed by Saam Barati.
3038         
3039         Adds the appropriate cage() calls in our inline caches.
3040
3041         * bytecode/AccessCase.cpp:
3042         (JSC::AccessCase::generateImpl):
3043         * bytecode/InlineAccess.cpp:
3044         (JSC::InlineAccess::dumpCacheSizesAndCrash):
3045         (JSC::InlineAccess::generateSelfPropertyAccess):
3046         (JSC::InlineAccess::generateSelfPropertyReplace):
3047         (JSC::InlineAccess::generateArrayLength):
3048
3049 2017-08-08  Devin Rousso  <drousso@apple.com>
3050
3051         Web Inspector: Canvas: support editing WebGL shaders
3052         https://bugs.webkit.org/show_bug.cgi?id=124211
3053         <rdar://problem/15448958>
3054
3055         Reviewed by Matt Baker.
3056
3057         * inspector/protocol/Canvas.json:
3058         Add `updateShader` command that will change the given shader's source to the provided string,
3059         recompile, and relink it to its associated program.
3060         Drive-by: add description to `requestShaderSource` command.
3061
3062 2017-08-08  Robin Morisset  <rmorisset@apple.com>
3063
3064         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
3065         https://bugs.webkit.org/show_bug.cgi?id=175347
3066
3067         Reviewed by Saam Barati.
3068
3069         This is done by making finishCreation explicitly check for exceptions after setConstantRegisters and setConstantIdentifierSetRegisters.
3070         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
3071         negligible considering how much more finishCreation does.
3072         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
3073         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
3074
3075         * bytecode/CodeBlock.cpp:
3076         (JSC::CodeBlock::finishCreation):
3077         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
3078         (JSC::CodeBlock::setConstantRegisters):
3079         * bytecode/CodeBlock.h:
3080         * runtime/ScriptExecutable.cpp:
3081         (JSC::ScriptExecutable::newCodeBlockFor):
3082
3083 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
3084
3085         Unreviewed, fix Ubuntu LTS build
3086         https://bugs.webkit.org/show_bug.cgi?id=174490
3087
3088         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3089         * inspector/remote/glib/RemoteInspectorServer.cpp:
3090
3091 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
3092
3093         Baseline JIT should do caging
3094         https://bugs.webkit.org/show_bug.cgi?id=175037
3095
3096         Reviewed by Mark Lam.
3097         
3098         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
3099         
3100         Also modifies FTL caging to be more defensive when caging is disabled.
3101         
3102         Relanded with fixed AssemblyHelpers::cageConditionally().
3103
3104         * bytecode/AccessCase.cpp:
3105         (JSC::AccessCase::generateImpl):
3106         * bytecode/InlineAccess.cpp:
3107         (JSC::InlineAccess::dumpCacheSizesAndCrash):
3108         (JSC::InlineAccess::generateSelfPropertyAccess):
3109         (JSC::InlineAccess::generateSelfPropertyReplace):
3110         (JSC::InlineAccess::generateArrayLength):
3111         * ftl/FTLLowerDFGToB3.cpp:
3112         (JSC::FTL::DFG::LowerDFGToB3::caged):
3113         * jit/AssemblyHelpers.h:
3114         (JSC::AssemblyHelpers::cage):
3115         (JSC::AssemblyHelpers::cageConditionally):
3116         * jit/JITPropertyAccess.cpp:
3117         (JSC::JIT::emitDoubleLoad):
3118         (JSC::JIT::emitContiguousLoad):
3119         (JSC::JIT::emitArrayStorageLoad):
3120         (JSC::JIT::emitGenericContiguousPutByVal):
3121         (JSC::JIT::emitArrayStoragePutByVal):
3122         (JSC::JIT::emit_op_get_from_scope):
3123         (JSC::JIT::emit_op_put_to_scope):
3124         (JSC::JIT::emitIntTypedArrayGetByVal):
3125         (JSC::JIT::emitFloatTypedArrayGetByVal):
3126         (JSC::JIT::emitIntTypedArrayPutByVal):
3127         (JSC::JIT::emitFloatTypedArrayPutByVal):
3128         * jsc.cpp:
3129         (jscmain):
3130         (primitiveGigacageDisabled): Deleted.
3131
3132 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
3133
3134         Unreviewed, rolling out r220368.
3135
3136         This change caused WK1 tests to exit early with crashes.
3137
3138         Reverted changeset:
3139
3140         "Baseline JIT should do caging"
3141         https://bugs.webkit.org/show_bug.cgi?id=175037
3142         http://trac.webkit.org/changeset/220368
3143
3144 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
3145
3146         [CMake] Properly test if compiler supports compiler flags
3147         https://bugs.webkit.org/show_bug.cgi?id=174490
3148
3149         Reviewed by Konstantin Tokarev.
3150
3151         * API/tests/PingPongStackOverflowTest.cpp:
3152         (testPingPongStackOverflow):
3153         * API/tests/testapi.c:
3154         * b3/testb3.cpp:
3155         (JSC::B3::testPatchpointLotsOfLateAnys):
3156
3157 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3158
3159         [Linux] Clear WasmMemory with madvise instead of memset
3160         https://bugs.webkit.org/show_bug.cgi?id=175150
3161
3162         Reviewed by Filip Pizlo.
3163
3164         On Linux, zeroing pages with memset populates the backing store.
3165         Instead, we should use madvise with MADV_DONTNEED, which discards
3166         the pages. If those pages are accessed again, on-demand zero pages
3167         are returned.
3168
3169         We also commit grown pages in all OSes.
3170
3171         * wasm/WasmMemory.cpp:
3172         (JSC::Wasm::commitZeroPages):
3173         (JSC::Wasm::Memory::create):
3174         (JSC::Wasm::Memory::grow):
3175
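The zeroing strategy described in the WasmMemory entry above, as an added example that is not WebKit's code: commitZeroPages() releases a page-aligned range of a private anonymous mapping with MADV_DONTNEED on Linux and falls back to memset elsewhere (or when madvise cannot be used), growExposesOnlyZeroes() models a Memory::grow that must hand wasm code only zero bytes, and residentPages() uses mincore to show the "populates backing store" difference. The function names, the page counts and the 0xAB fill pattern are constructed for illustration; WebKit's own commitZeroPages signature and its OSAllocator plumbing are not reproduced.

```cpp
#include <sys/mman.h>
#include <unistd.h>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Added example modelling the entry above; not WebKit code.
static size_t pageSize()
{
    long sz = sysconf(_SC_PAGESIZE);
    return sz > 0 ? static_cast<size_t>(sz) : 4096;
}

// Zero [ptr, ptr + len). On Linux a page-aligned range of a MAP_PRIVATE |
// MAP_ANONYMOUS mapping is dropped with MADV_DONTNEED: nothing is written and
// the next touch gets a zero-fill-on-demand page, so no backing store is
// populated. Elsewhere, for an unaligned range, or if madvise refuses (e.g.
// mlock'ed memory), memset does the job. Returns true when madvise was used.
// Caveat: on shared or file-backed memory MADV_DONTNEED does not zero, so the
// caller must only pass private anonymous ranges.
bool commitZeroPages(void* ptr, size_t len)
{
#if defined(__linux__)
    size_t page = pageSize();
    bool aligned = reinterpret_cast<uintptr_t>(ptr) % page == 0 && len % page == 0;
    if (aligned && madvise(ptr, len, MADV_DONTNEED) == 0)
        return true;
#endif
    std::memset(ptr, 0, len);
    return false;
}

bool rangeIsZero(const void* ptr, size_t len)
{
    const unsigned char* p = static_cast<const unsigned char*>(ptr);
    for (size_t i = 0; i < len; ++i) {
        if (p[i])
            return false;
    }
    return true;
}

// Pages of [ptr, ptr + len) resident in RAM (Linux only; 0 elsewhere). After
// memset every page is resident; after MADV_DONTNEED none is.
size_t residentPages(void* ptr, size_t len)
{
#if defined(__linux__)
    size_t page = pageSize();
    std::vector<unsigned char> vec((len + page - 1) / page);
    if (mincore(ptr, len, vec.data()) != 0)
        return 0;
    size_t n = 0;
    for (unsigned char v : vec)
        n += v & 1;
    return n;
#else
    (void)ptr; (void)len;
    return 0;
#endif
}

// Model of Memory::grow: usedPages of a reservedPages reservation are in use
// and dirty (constructed 0xAB contents stand in for stale data); growing by
// deltaPages must expose only zero bytes, or wasm code could read whatever
// those pages last held. Returns true when the grown range reads as zero and
// the old range is untouched.
bool growExposesOnlyZeroes(size_t reservedPages, size_t usedPages, size_t deltaPages)
{
    size_t page = pageSize();
    if (usedPages + deltaPages > reservedPages)
        return false;
    size_t reserved = reservedPages * page;
    void* base = mmap(nullptr, reserved, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return false;
    unsigned char* bytes = static_cast<unsigned char*>(base);
    std::memset(bytes, 0xAB, reserved);
    unsigned char* grown = bytes + usedPages * page;
    commitZeroPages(grown, deltaPages * page);
    bool ok = rangeIsZero(grown, deltaPages * page)
        && (usedPages == 0 || bytes[usedPages * page - 1] == 0xAB);
    munmap(base, reserved);
    return ok;
}

int main()
{
    size_t len = 64 * pageSize();
    void* p = mmap(nullptr, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 1;
    std::memset(p, 0, len);
    std::printf("resident after memset:  %zu pages\n", residentPages(p, len));
    bool viaMadvise = commitZeroPages(p, len);
    std::printf("resident after %s: %zu pages\n", viaMadvise ? "madvise" : "memset ", residentPages(p, len));
    munmap(p, len);
    return growExposesOnlyZeroes(16, 4, 8) ? 0 : 1;
}
```

On Linux the program reports all 64 pages resident after the memset and none after the madvise, which is the whole point of the entry; on other systems both numbers are 0 and the memset path is taken, matching "we also commit grown pages in all OSes".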
3176 2017-08-07  Robin Morisset  <rmorisset@apple.com>
3177
3178         GetOwnProperty of TypedArray indexed fields is wrongly configurable
3179         https://bugs.webkit.org/show_bug.cgi?id=175307
3180
3181         Reviewed by Saam Barati.
3182
3183         ```
3184         let a = new Uint8Array(10);
3185         let b = Object.getOwnPropertyDescriptor(a, 0);
3186         assert(b.configurable === false);
3187         ```
3188         should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
3189         that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
3190         that says that typed arrays are integer indexed exotic objects.
3191
3192         * runtime/JSGenericTypedArrayViewInlines.h:
3193         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
3194
3195 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
3196
3197         Baseline JIT should do caging
3198         https://bugs.webkit.org/show_bug.cgi?id=175037
3199
3200         Reviewed by Mark Lam.
3201         
3202         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
3203         
3204         Also modifies FTL caging to be more defensive when caging is disabled.
3205
3206         * ftl/FTLLowerDFGToB3.cpp:
3207         (JSC::FTL::DFG::LowerDFGToB3::caged):
3208         * jit/AssemblyHelpers.h:
3209         (JSC::AssemblyHelpers::cage):
3210         (JSC::AssemblyHelpers::cageConditionally):
3211         * jit/JITPropertyAccess.cpp:
3212         (JSC::JIT::emitDoubleLoad):
3213         (JSC::JIT::emitContiguousLoad):
3214         (JSC::JIT::emitArrayStorageLoad):
3215         (JSC::JIT::emitGenericContiguousPutByVal):
3216         (JSC::JIT::emitArrayStoragePutByVal):
3217         (JSC::JIT::emit_op_get_from_scope):
3218         (JSC::JIT::emit_op_put_to_scope):
3219         (JSC::JIT::emitIntTypedArrayGetByVal):
3220         (JSC::JIT::emitFloatTypedArrayGetByVal):
3221         (JSC::JIT::emitIntTypedArrayPutByVal):
3222         (JSC::JIT::emitFloatTypedArrayPutByVal):
3223         * jsc.cpp:
3224         (jscmain):
3225         (primitiveGigacageDisabled): Deleted.
3226
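The pointer caging that the entries above keep referring to, as an added example that is not JavaScriptCore's code: it covers both the Add(ptr, largeConstant) of the Opaque entry (the base-pointer addition below) and the cage / cageConditionally pair of the "Baseline JIT should do caging" entry. The struct Cage, the functions cage(), cageConditionally(), isInsideCage(), makeCage(), destroyCage() and corruptedPointerStaysInside(), and the 1 MiB cage size are hypothetical and chosen for illustration; the real Gigacage reservation geometry and the watchpoint JSC uses to learn that a cage was disabled are not reproduced.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Hypothetical model of Gigacage-style pointer caging; not JavaScriptCore code.
// One instance per cage kind (the log splits Primitive and JSValue).
struct Cage {
    uintptr_t basePtr = 0; // start of the reservation; 0 models a disabled cage
    uintptr_t size = 0;    // power of two; basePtr is aligned to size
    uintptr_t mask() const { return size - 1; }
};

// Unconditional caging, i.e. Add(basePtr, BitAnd(ptr, mask)): whatever value
// ptr holds, the result lies in [basePtr, basePtr + size). For a pointer that
// is already inside the cage the operation is the identity.
inline uintptr_t cage(const Cage& c, uintptr_t ptr)
{
    return c.basePtr + (ptr & c.mask());
}

// Conditional caging: a disabled cage leaves the pointer untouched. Code that
// bakes the "disabled" assumption into JIT output has to guard it (JSC uses a
// watchpoint for that); this model just re-reads basePtr.
inline uintptr_t cageConditionally(const Cage& c, uintptr_t ptr)
{
    return c.basePtr ? cage(c, ptr) : ptr;
}

inline bool isInsideCage(const Cage& c, uintptr_t ptr)
{
    return ptr >= c.basePtr && ptr < c.basePtr + c.size;
}

// Reserve a real (toy-sized) cage: a size-aligned, zero-filled block, so that
// basePtr has no low bits set and the mask arithmetic above is exact.
bool makeCage(Cage& c, uintptr_t size)
{
    void* p = nullptr;
    if (!size || (size & (size - 1)) || posix_memalign(&p, size, size) != 0)
        return false;
    std::memset(p, 0, size);
    c.basePtr = reinterpret_cast<uintptr_t>(p);
    c.size = size;
    return true;
}

void destroyCage(Cage& c)
{
    std::free(reinterpret_cast<void*>(c.basePtr));
    c = Cage();
}

// Scenario: a storage pointer kept inside the cage is overwritten with an
// attacker-chosen value far outside it. Caging before the load turns the wild
// read into a read of (zeroed) cage memory. Returns true when the caged
// pointer is inside the cage, the raw one is not, and an honest in-cage
// pointer passes through unchanged. Assumes a 64-bit address space.
bool corruptedPointerStaysInside()
{
    Cage c;
    if (!makeCage(c, uintptr_t(1) << 20)) // 1 MiB toy cage; real ones are GiB-sized
        return false;
    uintptr_t storage = c.basePtr + 4096;
    uintptr_t corrupted = storage + (uintptr_t(1) << 40);
    bool caged = isInsideCage(c, cage(c, corrupted));
    bool rawEscapes = !isInsideCage(c, corrupted);
    bool identity = cage(c, storage) == storage;
    unsigned char byte = *reinterpret_cast<volatile unsigned char*>(cage(c, corrupted));
    destroyCage(c);
    return caged && rawEscapes && identity && byte == 0;
}

int main()
{
    return corruptedPointerStaysInside() ? 0 : 1;
}
```

Two properties worth keeping in mind when reading the JIT entries: cage() maps a null pointer to basePtr, a valid-looking address inside the cage, so a pointer that may legitimately be null must be null-checked before it is caged (the FTL entry above lists a separate cagedMayBeNull helper); and caging only bounds where a load lands, it does not detect the corruption, so the forged pointer above reads zeroed cage memory silently rather than faulting.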
3227 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
3228
3229         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
3230         https://bugs.webkit.org/show_bug.cgi?id=174919
3231
3232         Reviewed by Keith Miller.
3233         
3234         This adapts JSC to there being two gigacages.
3235         
3236         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
3237         singletons. I don't think we were gaining anything by making them be singletons.
3238         
3239         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
3240         gigacages. We'll have one of those allocators per cage.
3241         
3242         From there, this change teaches everyone who previously knew about cages that there are two cages.
3243         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
3244         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
3245         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
3246         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
3247         
3248         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
3249         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
3250
3251         * JavaScriptCore.xcodeproj/project.pbxproj:
3252         * bytecode/AccessCase.cpp:
3253         (JSC::AccessCase::generateImpl):
3254         * dfg/DFGSpeculativeJIT.cpp:
3255         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3256         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3257         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3258         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
3259         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
3260         * ftl/FTLLowerDFGToB3.cpp:
3261         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
3262         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3263         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3264         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
3265         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3266         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3267         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3268         (JSC::FTL::DFG::LowerDFGToB3::caged):
3269         * heap/FastMallocAlignedMemoryAllocator.cpp:
3270         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
3271         * heap/FastMallocAlignedMemoryAllocator.h:
3272         * heap/GigacageAlignedMemoryAllocator.cpp:
3273         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
3274         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
3275         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
3276         (JSC::GigacageAlignedMemoryAllocator::dump const):
3277         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
3278         * heap/GigacageAlignedMemoryAllocator.h:
3279         * jsc.cpp:
3280         (primitiveGigacageDisabled):
3281         (jscmain):
3282         (gigacageDisabled): Deleted.
3283         * llint/LowLevelInterpreter64.asm:
3284         * runtime/ArrayBuffer.cpp:
3285         (JSC::ArrayBufferContents::tryAllocate):
3286         (JSC::ArrayBuffer::createAdopted):
3287         (JSC::ArrayBuffer::createFromBytes):
3288         * runtime/AuxiliaryBarrier.h:
3289         * runtime/ButterflyInlines.h:
3290         (JSC::Butterfly::createUninitialized):
3291         (JSC::Butterfly::tryCreate):
3292         (JSC::Butterfly::growArrayRight):
3293         * runtime/CagedBarrierPtr.h: Added.
3294         (JSC::CagedBarrierPtr::CagedBarrierPtr):
3295         (JSC::CagedBarrierPtr::clear):
3296         (JSC::CagedBarrierPtr::set):
3297         (JSC::CagedBarrierPtr::get const):
3298         (JSC::CagedBarrierPtr::getMayBeNull const):
3299         (JSC::CagedBarrierPtr::operator== const):
3300         (JSC::CagedBarrierPtr::operator!= const):
3301         (JSC::CagedBarrierPtr::operator bool const):
3302         (JSC::CagedBarrierPtr::setWithoutBarrier):
3303         (JSC::CagedBarrierPtr::operator* const):
3304         (JSC::CagedBarrierPtr::operator-> const):
3305         (JSC::CagedBarrierPtr::operator[] const):
3306         * runtime/DirectArguments.cpp:
3307         (JSC::DirectArguments::overrideThings):
3308         (JSC::DirectArguments::unmapArgument):
3309         * runtime/DirectArguments.h:
3310         (JSC::DirectArguments::isMappedArgument const):
3311         * runtime/GenericArguments.h:
3312         * runtime/GenericArgumentsInlines.h:
3313         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
3314         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
3315         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
3316         * runtime/HashMapImpl.cpp:
3317         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
3318         * runtime/HashMapImpl.h:
3319         (JSC::HashMapBuffer::create):
3320         (JSC::HashMapImpl::buffer const):
3321         (JSC::HashMapImpl::rehash):
3322         * runtime/JSArray.cpp:
3323         (JSC::JSArray::tryCreateUninitializedRestricted):
3324         (JSC::JSArray::unshiftCountSlowCase):
3325         (JSC::JSArray::setLength):
3326         (JSC::JSArray::pop):
3327         (JSC::JSArray::push):
3328         (JSC::JSArray::fastSlice):
3329         (JSC::JSArray::shiftCountWithArrayStorage):
3330         (JSC::JSArray::shiftCountWithAnyIndexingType):
3331         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3332         (JSC::JSArray::fillArgList):
3333         (JSC::JSArray::copyToArguments):
3334         * runtime/JSArray.h:
3335         (JSC::JSArray::tryCreate):
3336         * runtime/JSArrayBufferView.cpp:
3337         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3338         (JSC::JSArrayBufferView::finalize):
3339         * runtime/JSLock.cpp:
3340         (JSC::JSLock::didAcquireLock):
3341         * runtime/JSObject.cpp:
3342         (JSC::JSObject::heapSnapshot):
3343         (JSC::JSObject::getOwnPropertySlotByIndex):
3344         (JSC::JSObject::putByIndex):
3345         (JSC::JSObject::enterDictionaryIndexingMode):
3346         (JSC::JSObject::createInitialIndexedStorage):
3347         (JSC::JSObject::createArrayStorage):
3348         (JSC::JSObject::convertUndecidedToInt32):
3349         (JSC::JSObject::convertUndecidedToDouble):
3350         (JSC::JSObject::convertUndecidedToContiguous):
3351         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
3352         (JSC::JSObject::convertUndecidedToArrayStorage):
3353         (JSC::JSObject::convertInt32ToDouble):
3354         (JSC::JSObject::convertInt32ToContiguous):
3355         (JSC::JSObject::convertInt32ToArrayStorage):
3356         (JSC::JSObject::convertDoubleToContiguous):
3357         (JSC::JSObject::convertDoubleToArrayStorage):
3358         (JSC::JSObject::convertContiguousToArrayStorage):
3359         (JSC::JSObject::setIndexQuicklyToUndecided):
3360         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
3361         (JSC::JSObject::deletePropertyByIndex):
3362         (JSC::JSObject::getOwnPropertyNames):
3363         (JSC::JSObject::putIndexedDescriptor):
3364         (JSC::JSObject::defineOwnIndexedProperty):
3365         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3366         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3367         (JSC::JSObject::getNewVectorLength):
3368         (JSC::JSObject::ensureLengthSlow):
3369         (JSC::JSObject::reallocateAndShrinkButterfly):
3370         (JSC::JSObject::allocateMoreOutOfLineStorage):
3371         (JSC::JSObject::getEnumerableLength):
3372         * runtime/JSObject.h:
3373         (JSC::JSObject::getArrayLength const):
3374         (JSC::JSObject::getVectorLength):
3375         (JSC::JSObject::putDirectIndex):
3376         (JSC::JSObject::canGetIndexQuickly):
3377         (JSC::JSObject::getIndexQuickly):
3378         (JSC::JSObject::tryGetIndexQuickly const):
3379         (JSC::JSObject::canSetIndexQuickly):
3380         (JSC::JSObject::setIndexQuickly):
3381         (JSC::JSObject::initializeIndex):
3382         (JSC::JSObject::initializeIndexWithoutBarrier):
3383         (JSC::JSObject::hasSparseMap):
3384         (JSC::JSObject::inSparseIndexingMode):
3385         (JSC::JSObject::butterfly const):
3386         (JSC::JSObject::butterfly):
3387         (JSC::JSObject::outOfLineStorage const):
3388         (JSC::JSObject::outOfLineStorage):
3389         (JSC::JSObject::ensureInt32):
3390         (JSC::JSObject::ensureDouble):
3391         (JSC::JSObject::ensureContiguous):
3392         (JSC::JSObject::ensureArrayStorage):
3393         (JSC::JSObject::arrayStorage):
3394         (JSC::JSObject::arrayStorageOrNull):
3395         (JSC::JSObject::ensureLength):
3396         * runtime/RegExpMatchesArray.h:
3397         (JSC::tryCreateUninitializedRegExpMatchesArray):
3398         * runtime/VM.cpp:
3399         (JSC::VM::VM):
3400         (JSC::VM::~VM):
3401         (JSC::VM::primitiveGigacageDisabledCallback):
3402         (JSC::VM::primitiveGigacageDisabled):
3403         (JSC::VM::gigacageDisabledCallback): Deleted.
3404         (JSC::VM::gigacageDisabled): Deleted.
3405         * runtime/VM.h:
3406         (JSC::VM::gigacageAuxiliarySpace):
3407         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
3408         (JSC::VM::primitiveGigacageEnabled):
3409         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
3410         (JSC::VM::gigacageEnabled): Deleted.
3411         * wasm/WasmMemory.cpp:
3412         (JSC::Wasm::Memory::create):
3413         (JSC::Wasm::Memory::~Memory):
3414         (JSC::Wasm::Memory::grow):
3415
3416 2017-08-07  Commit Queue  <commit-queue@webkit.org>
3417
3418         Unreviewed, rolling out r220144.