[MIPS] Optimize generated JIT code for loads/stores
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-03-20  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
2
3         [MIPS] Optimize generated JIT code for loads/stores
4         https://bugs.webkit.org/show_bug.cgi?id=183243
5
6         Reviewed by Yusuke Suzuki.
7
8         JIT generates three MIPS instructions for a load/store from/to an absolute address:
9
10           lui adrTmpReg, address >> 16
11           ori adrTmpReg, address & 0xffff
12           lw dataReg, 0(adrTmpReg)
13
14         Since load/store instructions on MIPS have a 16-bit offset, the lower 16 bits of the address can
15         be encoded into the load/store and the ori instruction can be removed:
16
17           lui adrTmpReg, (address + 0x8000) >> 16
18           lw dataReg, (address & 0xffff)(adrTmpReg)
19
20         Also, in loads/stores with BaseIndex address, the left shift can be omitted if address.scale is 0.
21
22         * assembler/MacroAssemblerMIPS.h:
23         (JSC::MacroAssemblerMIPS::add32):
24         (JSC::MacroAssemblerMIPS::add64):
25         (JSC::MacroAssemblerMIPS::or32):
26         (JSC::MacroAssemblerMIPS::sub32):
27         (JSC::MacroAssemblerMIPS::convertibleLoadPtr):
28         (JSC::MacroAssemblerMIPS::load8):
29         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
30         (JSC::MacroAssemblerMIPS::load32):
31         (JSC::MacroAssemblerMIPS::store8):
32         (JSC::MacroAssemblerMIPS::store32):
33         (JSC::MacroAssemblerMIPS::branchTest8):
34         (JSC::MacroAssemblerMIPS::branchAdd32):
35         (JSC::MacroAssemblerMIPS::loadDouble):
36         (JSC::MacroAssemblerMIPS::storeDouble):
37
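The rewrite above depends on one detail of the MIPS encoding: the 16-bit displacement in lw/sw is sign-extended, so whenever bit 15 of the address is set the displacement is negative and the upper half loaded by lui has to be rounded up, which is what the +0x8000 does. The following is an added example, not code from the WebKit change or from JavaScriptCore; it models the address arithmetic of both instruction sequences in plain C++ so the edge cases can be checked on any host. All function and type names are invented for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>

// Added example, not JavaScriptCore code. Models how a MIPS lw/sw forms its
// effective address: base register + sign-extended 16-bit immediate.

struct LuiOffsetPair {
    uint16_t luiImm;  // immediate for: lui adrTmpReg, luiImm
    int16_t offset;   // signed displacement for: lw dataReg, offset(adrTmpReg)
};

// The two-instruction form from the change: round the upper half up by 0x8000,
// then reuse the raw low 16 bits as the (signed) displacement.
LuiOffsetPair encodeAbsoluteAddress(uint32_t address)
{
    LuiOffsetPair p;
    p.luiImm = static_cast<uint16_t>((address + 0x8000u) >> 16);
    // Values >= 0x8000 become negative here; that is intended (modular on gcc/clang).
    p.offset = static_cast<int16_t>(address & 0xffffu);
    return p;
}

// What the hardware computes for that pair: lui fills bits 31..16, and the
// load sign-extends the 16-bit displacement before adding it.
uint32_t effectiveAddress(LuiOffsetPair p)
{
    uint32_t base = static_cast<uint32_t>(p.luiImm) << 16;
    return base + static_cast<uint32_t>(static_cast<int32_t>(p.offset));
}

// The old three-instruction sequence for comparison: ori with the raw low half
// and a zero displacement. No sign issue, but one extra instruction.
uint32_t effectiveAddressOldSequence(uint32_t address)
{
    uint32_t base = (address >> 16) << 16;  // lui adrTmpReg, address >> 16
    base |= address & 0xffffu;              // ori adrTmpReg, address & 0xffff
    return base + 0;                        // lw dataReg, 0(adrTmpReg)
}

// The bug the +0x8000 avoids: with the plain upper half, every address whose
// bit 15 is set resolves 64 KiB too low.
uint32_t effectiveAddressWithoutRounding(uint32_t address)
{
    LuiOffsetPair p;
    p.luiImm = static_cast<uint16_t>(address >> 16);
    p.offset = static_cast<int16_t>(address & 0xffffu);
    return effectiveAddress(p);
}

bool encodingRoundTrips(uint32_t address)
{
    return effectiveAddress(encodeAbsoluteAddress(address)) == address;
}

// Sweep a window of addresses (covers the bit-15 boundary and 32-bit wraparound).
bool encodingRoundTripsInRange(uint32_t first, uint32_t count)
{
    for (uint32_t i = 0; i < count; ++i) {
        if (!encodingRoundTrips(first + i))
            return false;
    }
    return true;
}

int main()
{
    const uint32_t samples[] = { 0x00000000u, 0x00007fffu, 0x00008000u, 0x1234ffffu,
                                 0x12348000u, 0xffff8000u, 0xffffffffu };
    for (uint32_t a : samples) {
        LuiOffsetPair p = encodeAbsoluteAddress(a);
        std::printf("%08x -> lui 0x%04x, offset %6d -> %08x  (unrounded would give %08x)\n",
                    a, p.luiImm, p.offset, effectiveAddress(p), effectiveAddressWithoutRounding(a));
    }
    return 0;
}
```

For 0x12348000 the rounded form emits lui 0x1235 with offset -32768, which lands exactly on 0x12348000; without the rounding the same address would be read from 0x12338000. The wraparound cases (0xffff8000, 0xffffffff) also round-trip because the +0x8000 carry is discarded in 32-bit arithmetic and the negative displacement wraps back.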
38 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
39
40         [DFG][FTL] Add vectorLengthHint for NewArray
41         https://bugs.webkit.org/show_bug.cgi?id=183694
42
43         Reviewed by Saam Barati.
44
45         While the following code is common, it is not so efficient.
46
47         var array = [];
48         for (...) {
49             ...
50             array.push(...);
51         }
52
53         The array is always allocated with 0 vector length, and it is eventually grown.
54
55         We have ArrayAllocationProfile, and it tells us the vector length hint for
56         the allocated arrays. This hint is already used for NewArrayBuffer. This patch
57         extends this support to the NewArray DFG node.
58
59         This patch improves Kraken/stanford-crypto-aes by 4%.
60
61                                       baseline                  patched
62
63         stanford-crypto-aes        64.069+-1.352             61.589+-1.274           might be 1.0403x faster
64
65         NewArray can be optimized.
66
67                                                        baseline                  patched
68
69         vector-length-hint-new-array               21.8157+-0.0882     ^     13.1764+-0.0942        ^ definitely 1.6557x faster
70         vector-length-hint-array-constructor       21.9076+-0.0987     ?     22.1168+-0.4814        ?
71
72         * dfg/DFGByteCodeParser.cpp:
73         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
74         (JSC::DFG::ByteCodeParser::parseBlock):
75         * dfg/DFGNode.h:
76         (JSC::DFG::Node::hasVectorLengthHint):
77         (JSC::DFG::Node::vectorLengthHint):
78         * dfg/DFGSpeculativeJIT64.cpp:
79         (JSC::DFG::SpeculativeJIT::compile):
80         * ftl/FTLLowerDFGToB3.cpp:
81         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
82
83 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
84
85         [DFG][FTL] Make ArraySlice(0) code tight
86         https://bugs.webkit.org/show_bug.cgi?id=183590
87
88         Reviewed by Saam Barati.
89
90         This patch tightens ArraySlice code, in particular, startIndex = 0 case.
91
92         1. We support array.slice() call. This is a well-used way to clone array.
93         For example, underscore.js uses this technique.
94
95         2. We remove several checks if the given index value is a proven constant.
96
97         * dfg/DFGBackwardsPropagationPhase.cpp:
98         (JSC::DFG::BackwardsPropagationPhase::propagate):
99         * dfg/DFGByteCodeParser.cpp:
100         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
101         * dfg/DFGFixupPhase.cpp:
102         (JSC::DFG::FixupPhase::fixupNode):
103         * dfg/DFGSpeculativeJIT.cpp:
104         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
105         (JSC::DFG::SpeculativeJIT::compileArraySlice):
106         We can skip some of the checks if the given value is a proven constant.
107
108         * ftl/FTLLowerDFGToB3.cpp:
109         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
110         Change below to belowOrEqual. It does not change meaning in the code. But it allows us
111         to fold BelowEqual(0, x) to true.
112
113 2018-03-19  Yusuke Suzuki  <utatane.tea@gmail.com>
114
115         Drop s_exceptionInstructions static initializer
116         https://bugs.webkit.org/show_bug.cgi?id=183732
117
118         Reviewed by Darin Adler.
119
120         Make Instruction constructor constexpr to drop the static constructor
121         of LLInt::Data::s_exceptionInstructions.
122
123         * bytecode/Instruction.h:
124         (JSC::Instruction::Instruction):
125
126 2018-03-19  Dan Bernstein  <mitz@apple.com>
127
128         Investigate why __cpu_indicator_init is used
129         https://bugs.webkit.org/show_bug.cgi?id=183736
130
131         Reviewed by Tim Horton.
132
133         __cpu_indicator_init, which is a global initializer, was included in JavaScriptCore because
134         we were passing the -all_load option to the linker, causing it to bring in all members of
135         every static library being linked in, including the compiler runtime library. We only need
136         to load all members of WTF. The linker option for doing that is -force_load, and it requires
137         a path to the library. To support building against libWTF.a built locally as well as against
138         the copy that is in the SDK, we add a script build phase that places a symbolic link to the
139         appropriate libWTF.a under the DerivedSources directory, and pass the path to that symlink
140         to the linker. Also, while cleaning up linker flags, make OTHER_LDFLAGS_HIDE_SYMBOLS less
141         verbose by eliminating every other -Wl, remove redundant -lobjc (libobjc is already listed
142         in the Link Binary With Libraries build phase), remove long-unsupported -Y,3, and stop
143         reexporting libobjc.
144
145         * Configurations/JavaScriptCore.xcconfig:
146         * JavaScriptCore.xcodeproj/project.pbxproj:
147
148 2018-03-19  Jiewen Tan  <jiewen_tan@apple.com>
149
150         Unreviewed, another quick fix for r229699
151
152         Restricts ENABLE_WEB_AUTHN to only macOS and iOS.
153
154         * Configurations/FeatureDefines.xcconfig:
155
156 2018-03-19  Mark Lam  <mark.lam@apple.com>
157
158         FunctionPtr should be passed by value.
159         https://bugs.webkit.org/show_bug.cgi?id=183746
160         <rdar://problem/38625311>
161
162         Reviewed by JF Bastien.
163
164         It's meant to be an encapsulation of a C/C++ function pointer.  There are cases
165         where we use it to pass JIT compiled code (e.g. the VM thunks/stubs), but they are
166         treated as if they are C/C++ functions.
167
168         Regardless, there's no need to pass it by reference.
169
170         * assembler/MacroAssemblerCodeRef.h:
171         * dfg/DFGJITCompiler.h:
172         (JSC::DFG::JITCompiler::appendCall):
173         * dfg/DFGSpeculativeJIT.h:
174         (JSC::DFG::SpeculativeJIT::appendCall):
175         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
176         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
177         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
178         * jit/JIT.h:
179         (JSC::JIT::appendCall):
180         (JSC::JIT::appendCallWithSlowPathReturnType):
181         * jit/JITInlines.h:
182         (JSC::JIT::appendCallWithExceptionCheck):
183         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
184         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
185         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
186         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
187
188 2018-03-15  Ross Kirsling  <ross.kirsling@sony.com>
189
190         Fix MSVC run-time check after r229391.
191         https://bugs.webkit.org/show_bug.cgi?id=183673
192
193         Reviewed by Keith Miller.
194
195         Replaces attempted fix from r229424/r229432.
196         Apparently MSVC doesn't like it when a zero-length std::array is defined without explicit braces.
197
198         * jit/CCallHelpers.h:
199         (JSC::CCallHelpers::clampArrayToSize):
200
201 2018-03-15  Tim Horton  <timothy_horton@apple.com>
202
203         Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in ANGLE
204         https://bugs.webkit.org/show_bug.cgi?id=183675
205         <rdar://problem/38515281>
206
207         Reviewed by Dan Bernstein.
208
209         * JavaScriptCore.xcodeproj/project.pbxproj:
210         Don't install the JSC alias if we're installing to an alternate location.
211         This should have been a part of r229637.
212
213 2018-03-15  Tim Horton  <timothy_horton@apple.com>
214
215         Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in JavaScriptCore
216         https://bugs.webkit.org/show_bug.cgi?id=183649
217         <rdar://problem/38480526>
218
219         Reviewed by Dan Bernstein.
220
221         * Configurations/Base.xcconfig:
222         * JavaScriptCore.xcodeproj/project.pbxproj:
223
224 2018-03-14  Mark Lam  <mark.lam@apple.com>
225
226         Enhance the MacroAssembler and LinkBuffer to support pointer profiling.
227         https://bugs.webkit.org/show_bug.cgi?id=183623
228         <rdar://problem/38443314>
229
230         Reviewed by Michael Saboff.
231
232         1. Added a PtrTag argument to indirect call() and indirect jump() MacroAssembler
233            emitters to support pointer profiling.
234
235         2. Also added tagPtr(), untagPtr(), and removePtrTag() placeholder methods.
236
237         3. Added a PtrTag to LinkBuffer finalizeCodeWithoutDisassembly() and clients.
238
239         4. Updated clients to pass a PtrTag.  For the most part, I just apply NoPtrTag as
240            a placeholder until we have time to analyze what pointer profile each client
241            site has later.
242
243         5. Apply PtrTags to the YarrJIT.
244
245         * assembler/ARM64Assembler.h:
246         (JSC::ARM64Assembler::linkJumpOrCall):
247         * assembler/AbstractMacroAssembler.h:
248         (JSC::AbstractMacroAssembler::getLinkerAddress):
249         (JSC::AbstractMacroAssembler::tagPtr):
250         (JSC::AbstractMacroAssembler::untagPtr):
251         (JSC::AbstractMacroAssembler::removePtrTag):
252         * assembler/LinkBuffer.cpp:
253         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
254         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
255         * assembler/LinkBuffer.h:
256         (JSC::LinkBuffer::link):
257         (JSC::LinkBuffer::locationOfNearCall):
258         (JSC::LinkBuffer::locationOf):
259         * assembler/MacroAssemblerARM.h:
260         (JSC::MacroAssemblerARM::jump):
261         (JSC::MacroAssemblerARM::call):
262         (JSC::MacroAssemblerARM::readCallTarget):
263         * assembler/MacroAssemblerARM64.h:
264         (JSC::MacroAssemblerARM64::call):
265         (JSC::MacroAssemblerARM64::jump):
266         (JSC::MacroAssemblerARM64::readCallTarget):
267         (JSC::MacroAssemblerARM64::linkCall):
268         * assembler/MacroAssemblerARMv7.h:
269         (JSC::MacroAssemblerARMv7::jump):
270         (JSC::MacroAssemblerARMv7::relativeTableJump):
271         (JSC::MacroAssemblerARMv7::call):
272         (JSC::MacroAssemblerARMv7::readCallTarget):
273         * assembler/MacroAssemblerCodeRef.cpp:
274         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
275         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
276         * assembler/MacroAssemblerCodeRef.h:
277         (JSC::FunctionPtr::FunctionPtr):
278         (JSC::FunctionPtr::value const):
279         (JSC::MacroAssemblerCodePtr:: const):
280         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
281         (JSC::MacroAssemblerCodeRef::retaggedCode const):
282         * assembler/MacroAssemblerMIPS.h:
283         (JSC::MacroAssemblerMIPS::jump):
284         (JSC::MacroAssemblerMIPS::call):
285         (JSC::MacroAssemblerMIPS::readCallTarget):
286         * assembler/MacroAssemblerX86.h:
287         (JSC::MacroAssemblerX86::call):
288         (JSC::MacroAssemblerX86::jump):
289         (JSC::MacroAssemblerX86::readCallTarget):
290         * assembler/MacroAssemblerX86Common.cpp:
291         (JSC::MacroAssembler::probe):
292         * assembler/MacroAssemblerX86Common.h:
293         (JSC::MacroAssemblerX86Common::jump):
294         (JSC::MacroAssemblerX86Common::call):
295         * assembler/MacroAssemblerX86_64.h:
296         (JSC::MacroAssemblerX86_64::call):
297         (JSC::MacroAssemblerX86_64::jump):
298         (JSC::MacroAssemblerX86_64::readCallTarget):
299         * assembler/testmasm.cpp:
300         (JSC::compile):
301         (JSC::invoke):
302         * b3/B3Compile.cpp:
303         (JSC::B3::compile):
304         * b3/B3LowerMacros.cpp:
305         * b3/air/AirCCallSpecial.cpp:
306         (JSC::B3::Air::CCallSpecial::generate):
307         * b3/air/testair.cpp:
308         * b3/testb3.cpp:
309         (JSC::B3::invoke):
310         (JSC::B3::testInterpreter):
311         (JSC::B3::testEntrySwitchSimple):
312         (JSC::B3::testEntrySwitchNoEntrySwitch):
313         (JSC::B3::testEntrySwitchWithCommonPaths):
314         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
315         (JSC::B3::testEntrySwitchLoop):
316         * bytecode/AccessCase.cpp:
317         (JSC::AccessCase::generateImpl):
318         * bytecode/AccessCaseSnippetParams.cpp:
319         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
320         * bytecode/InlineAccess.cpp:
321         (JSC::linkCodeInline):
322         (JSC::InlineAccess::rewireStubAsJump):
323         * bytecode/PolymorphicAccess.cpp:
324         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
325         (JSC::PolymorphicAccess::regenerate):
326         * dfg/DFGJITCompiler.cpp:
327         (JSC::DFG::JITCompiler::compileExceptionHandlers):
328         (JSC::DFG::JITCompiler::link):
329         (JSC::DFG::JITCompiler::compileFunction):
330         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
331         * dfg/DFGJITCompiler.h:
332         (JSC::DFG::JITCompiler::appendCall):
333         * dfg/DFGJITFinalizer.cpp:
334         (JSC::DFG::JITFinalizer::finalize):
335         (JSC::DFG::JITFinalizer::finalizeFunction):
336         * dfg/DFGOSRExit.cpp:
337         (JSC::DFG::OSRExit::emitRestoreArguments):
338         (JSC::DFG::OSRExit::compileOSRExit):
339         * dfg/DFGOSRExitCompilerCommon.cpp:
340         (JSC::DFG::handleExitCounts):
341         (JSC::DFG::osrWriteBarrier):
342         (JSC::DFG::adjustAndJumpToTarget):
343         * dfg/DFGSpeculativeJIT.cpp:
344         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
345         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
346         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
347         * dfg/DFGSpeculativeJIT64.cpp:
348         (JSC::DFG::SpeculativeJIT::compile):
349         * dfg/DFGThunks.cpp:
350         (JSC::DFG::osrExitThunkGenerator):
351         (JSC::DFG::osrExitGenerationThunkGenerator):
352         (JSC::DFG::osrEntryThunkGenerator):
353         * ftl/FTLCompile.cpp:
354         (JSC::FTL::compile):
355         * ftl/FTLJITFinalizer.cpp:
356         (JSC::FTL::JITFinalizer::finalizeCommon):
357         * ftl/FTLLazySlowPath.cpp:
358         (JSC::FTL::LazySlowPath::generate):
359         * ftl/FTLLink.cpp:
360         (JSC::FTL::link):
361         * ftl/FTLLowerDFGToB3.cpp:
362         (JSC::FTL::DFG::LowerDFGToB3::lower):
363         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
364         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
365         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
366         * ftl/FTLOSRExitCompiler.cpp:
367         (JSC::FTL::compileStub):
368         (JSC::FTL::compileFTLOSRExit):
369         * ftl/FTLSlowPathCall.cpp:
370         (JSC::FTL::SlowPathCallContext::makeCall):
371         * ftl/FTLThunks.cpp:
372         (JSC::FTL::genericGenerationThunkGenerator):
373         (JSC::FTL::osrExitGenerationThunkGenerator):
374         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
375         (JSC::FTL::slowPathCallThunkGenerator):
376         * jit/AssemblyHelpers.cpp:
377         (JSC::AssemblyHelpers::callExceptionFuzz):
378         (JSC::AssemblyHelpers::debugCall):
379         * jit/CCallHelpers.cpp:
380         (JSC::CCallHelpers::ensureShadowChickenPacket):
381         * jit/CCallHelpers.h:
382         (JSC::CCallHelpers::jumpToExceptionHandler):
383         * jit/ExecutableAllocator.cpp:
384         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
385         * jit/JIT.cpp:
386         (JSC::JIT::emitEnterOptimizationCheck):
387         (JSC::JIT::link):
388         (JSC::JIT::privateCompileExceptionHandlers):
389         * jit/JIT.h:
390         (JSC::JIT::appendCall):
391         * jit/JITMathIC.h:
392         (JSC::isProfileEmpty):
393         * jit/JITOpcodes.cpp:
394         (JSC::JIT::emit_op_catch):
395         (JSC::JIT::emit_op_switch_imm):
396         (JSC::JIT::emit_op_switch_char):
397         (JSC::JIT::emit_op_switch_string):
398         (JSC::JIT::emitSlow_op_loop_hint):
399         (JSC::JIT::privateCompileHasIndexedProperty):
400         * jit/JITOpcodes32_64.cpp:
401         (JSC::JIT::emit_op_catch):
402         (JSC::JIT::emit_op_switch_imm):
403         (JSC::JIT::emit_op_switch_char):
404         (JSC::JIT::emit_op_switch_string):
405         (JSC::JIT::privateCompileHasIndexedProperty):
406         * jit/JITPropertyAccess.cpp:
407         (JSC::JIT::stringGetByValStubGenerator):
408         (JSC::JIT::privateCompileGetByVal):
409         (JSC::JIT::privateCompileGetByValWithCachedId):
410         (JSC::JIT::privateCompilePutByVal):
411         (JSC::JIT::privateCompilePutByValWithCachedId):
412         * jit/JITPropertyAccess32_64.cpp:
413         (JSC::JIT::stringGetByValStubGenerator):
414         * jit/JITStubRoutine.h:
415         * jit/Repatch.cpp:
416         (JSC::readCallTarget):
417         (JSC::appropriateOptimizingPutByIdFunction):
418         (JSC::linkPolymorphicCall):
419         (JSC::resetPutByID):
420         * jit/SlowPathCall.h:
421         (JSC::JITSlowPathCall::call):
422         * jit/SpecializedThunkJIT.h:
423         (JSC::SpecializedThunkJIT::finalize):
424         (JSC::SpecializedThunkJIT::callDoubleToDouble):
425         * jit/ThunkGenerators.cpp:
426         (JSC::throwExceptionFromCallSlowPathGenerator):
427         (JSC::slowPathFor):
428         (JSC::linkCallThunkGenerator):
429         (JSC::linkPolymorphicCallThunkGenerator):
430         (JSC::virtualThunkFor):
431         (JSC::nativeForGenerator):
432         (JSC::arityFixupGenerator):
433         (JSC::unreachableGenerator):
434         (JSC::boundThisNoArgsFunctionCallGenerator):
435         * llint/LLIntThunks.cpp:
436         (JSC::LLInt::generateThunkWithJumpTo):
437         (JSC::LLInt::functionForCallEntryThunkGenerator):
438         (JSC::LLInt::functionForConstructEntryThunkGenerator):
439         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
440         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
441         (JSC::LLInt::evalEntryThunkGenerator):
442         (JSC::LLInt::programEntryThunkGenerator):
443         (JSC::LLInt::moduleProgramEntryThunkGenerator):
444         * runtime/PtrTag.h:
445         * wasm/WasmB3IRGenerator.cpp:
446         (JSC::Wasm::B3IRGenerator::addCall):
447         (JSC::Wasm::B3IRGenerator::addCallIndirect):
448         * wasm/WasmBBQPlan.cpp:
449         (JSC::Wasm::BBQPlan::complete):
450         * wasm/WasmBinding.cpp:
451         (JSC::Wasm::wasmToWasm):
452         * wasm/WasmOMGPlan.cpp:
453         (JSC::Wasm::OMGPlan::work):
454         * wasm/WasmThunks.cpp:
455         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
456         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
457         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
458         * wasm/js/WasmToJS.cpp:
459         (JSC::Wasm::handleBadI64Use):
460         (JSC::Wasm::wasmToJS):
461         * yarr/YarrJIT.cpp:
462         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
463         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
464         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
465         (JSC::Yarr::YarrGenerator::generateEnter):
466         (JSC::Yarr::YarrGenerator::YarrGenerator):
467         (JSC::Yarr::YarrGenerator::compile):
468         (JSC::Yarr::jitCompile):
469         * yarr/YarrJIT.h:
470         (JSC::Yarr::YarrCodeBlock::execute):
471
472 2018-03-14  Caitlin Potter  <caitp@igalia.com>
473
474         [JSC] fix order of evaluation for ClassDefinitionEvaluation
475         https://bugs.webkit.org/show_bug.cgi?id=183523
476
477         Reviewed by Keith Miller.
478
479         Computed property names need to be evaluated in source order during class
480         definition evaluation, as it's observable (and specified to work this way).
481
482         This change improves compatibility with Chromium.
483
484         * bytecompiler/BytecodeGenerator.h:
485         (JSC::BytecodeGenerator::emitDefineClassElements):
486         * bytecompiler/NodesCodegen.cpp:
487         (JSC::PropertyListNode::emitBytecode):
488         (JSC::ClassExprNode::emitBytecode):
489         * parser/ASTBuilder.h:
490         (JSC::ASTBuilder::createClassExpr):
491         (JSC::ASTBuilder::createGetterOrSetterProperty):
492         (JSC::ASTBuilder::createProperty):
493         * parser/NodeConstructors.h:
494         (JSC::PropertyNode::PropertyNode):
495         (JSC::ClassExprNode::ClassExprNode):
496         * parser/Nodes.cpp:
497         (JSC::PropertyListNode::hasStaticallyNamedProperty):
498         * parser/Nodes.h:
499         (JSC::PropertyNode::isClassProperty const):
500         (JSC::PropertyNode::isStaticClassProperty const):
501         (JSC::PropertyNode::isInstanceClassProperty const):
502         * parser/Parser.cpp:
503         (JSC::Parser<LexerType>::parseClass):
504         (JSC::Parser<LexerType>::parseProperty):
505         (JSC::Parser<LexerType>::parseGetterSetter):
506         * parser/Parser.h:
507         * parser/SyntaxChecker.h:
508         (JSC::SyntaxChecker::createClassExpr):
509         (JSC::SyntaxChecker::createProperty):
510         (JSC::SyntaxChecker::createGetterOrSetterProperty):
511
512 2018-03-14  Keith Miller  <keith_miller@apple.com>
513
514         Move jsc CLI breakpoint function to $vm
515         https://bugs.webkit.org/show_bug.cgi?id=183512
516
517         Reviewed by Yusuke Suzuki.
518
519         * jsc.cpp:
520         (GlobalObject::finishCreation):
521         (functionBreakpoint): Deleted.
522         * tools/JSDollarVM.cpp:
523         (JSC::functionBreakpoint):
524         (JSC::JSDollarVM::finishCreation):
525
526 2018-03-14  Tim Horton  <timothy_horton@apple.com>
527
528         Fix the build after r229567
529
530         * Configurations/FeatureDefines.xcconfig:
531
532 2018-03-12  Mark Lam  <mark.lam@apple.com>
533
534         Gardening: speculative build fix for WinCairo.
535         https://bugs.webkit.org/show_bug.cgi?id=183573
536
537         Not reviewed.
538
539         * runtime/NativeFunction.h:
540         (JSC::TaggedNativeFunction::TaggedNativeFunction):
541
542 2018-03-12  Yusuke Suzuki  <utatane.tea@gmail.com>
543
544         Unreviewed, fix obsolete ASSERT
545         https://bugs.webkit.org/show_bug.cgi?id=183310
546
547         Now NewObject can be converted from CallObjectConstructor and CreateThis.
548
549         * dfg/DFGNode.h:
550         (JSC::DFG::Node::convertToNewObject):
551
552 2018-03-12  Tim Horton  <timothy_horton@apple.com>
553
554         Stop using SDK conditionals to control feature definitions
555         https://bugs.webkit.org/show_bug.cgi?id=183430
556         <rdar://problem/38251619>
557
558         Reviewed by Dan Bernstein.
559
560         * Configurations/FeatureDefines.xcconfig:
561         * Configurations/WebKitTargetConditionals.xcconfig: Renamed.
562
563 2018-03-12  Yoav Weiss  <yoav@yoav.ws>
564
565         Runtime flag for link prefetch and remove link subresource.
566         https://bugs.webkit.org/show_bug.cgi?id=183540
567
568         Reviewed by Chris Dumez.
569
570         Remove the LINK_PREFETCH build time flag.
571
572         * Configurations/FeatureDefines.xcconfig:
573
574 2018-03-12  Mark Lam  <mark.lam@apple.com>
575
576         Gardening: speculative build fix for Windows.
577         https://bugs.webkit.org/show_bug.cgi?id=183573
578
579         Not reviewed.
580
581         * runtime/NativeFunction.h:
582         (JSC::TaggedNativeFunction::TaggedNativeFunction):
583
584 2018-03-12  Mark Lam  <mark.lam@apple.com>
585
586         Add another PtrTag.
587         https://bugs.webkit.org/show_bug.cgi?id=183580
588         <rdar://problem/38390584>
589
590         Reviewed by Keith Miller.
591
592         * runtime/PtrTag.h:
593
594 2018-03-12  Mark Lam  <mark.lam@apple.com>
595
596         Make a NativeFunction into a class to support pointer profiling.
597         https://bugs.webkit.org/show_bug.cgi?id=183573
598         <rdar://problem/38384697>
599
600         Reviewed by Filip Pizlo.
601
602         1. NativeFunction is now a class, and introducing RawNativeFunction and
603            TaggedNativeFunction.
604
605            RawNativeFunction is the raw pointer type (equivalent
606            to the old definition of NativeFunction).  This is mainly used for underlying
607            storage inside the NativeFunction class, and also for global data tables that
608            cannot embed non-trivially constructed objects.
609
610            NativeFunction's role is mainly to encapsulate a pointer to a C function that
611            we pass into the VM.
612
613            TaggedNativeFunction encapsulates the tagged version of a pointer to a C
614            function that we track in the VM.
615
616         2. Added a convenience constructor for TrustedImmPtr so that we don't have to
617            cast function pointers to void* anymore when constructing a TrustedImmPtr.
618
619         3. Removed the unused CALL_RETURN macro in CommonSlowPaths.cpp.
620
621         4. Added more PtrTag utility functions.
622
623         * CMakeLists.txt:
624         * JavaScriptCore.xcodeproj/project.pbxproj:
625         * assembler/AbstractMacroAssembler.h:
626         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
627         * create_hash_table:
628         * interpreter/Interpreter.cpp:
629         (JSC::Interpreter::executeCall):
630         (JSC::Interpreter::executeConstruct):
631         * interpreter/InterpreterInlines.h:
632         (JSC::Interpreter::getOpcodeID):
633         * jit/JITThunks.cpp:
634         (JSC::JITThunks::hostFunctionStub):
635         * jit/JITThunks.h:
636         * llint/LLIntData.cpp:
637         (JSC::LLInt::initialize):
638         * llint/LLIntSlowPaths.cpp:
639         (JSC::LLInt::setUpCall):
640         * llint/LowLevelInterpreter.asm:
641         * llint/LowLevelInterpreter.cpp:
642         (JSC::CLoop::execute):
643         * llint/LowLevelInterpreter64.asm:
644         * offlineasm/ast.rb:
645         * runtime/CallData.h:
646         * runtime/CommonSlowPaths.cpp:
647         * runtime/ConstructData.h:
648         * runtime/InternalFunction.h:
649         (JSC::InternalFunction::nativeFunctionFor):
650         * runtime/JSCell.cpp:
651         (JSC::JSCell::getCallData):
652         (JSC::JSCell::getConstructData):
653         * runtime/JSFunction.h:
654         * runtime/JSFunctionInlines.h:
655         (JSC::JSFunction::nativeFunction):
656         (JSC::JSFunction::nativeConstructor):
657         (JSC::isHostFunction):
658         * runtime/Lookup.h:
659         (JSC::HashTableValue::function const):
660         (JSC::HashTableValue::accessorGetter const):
661         (JSC::HashTableValue::accessorSetter const):
662         (JSC::nonCachingStaticFunctionGetter):
663         * runtime/NativeExecutable.cpp:
664         (JSC::NativeExecutable::create):
665         (JSC::NativeExecutable::NativeExecutable):
666         * runtime/NativeExecutable.h:
667         * runtime/NativeFunction.h: Added.
668         (JSC::NativeFunction::NativeFunction):
669         (JSC::NativeFunction::operator intptr_t const):
670         (JSC::NativeFunction::operator bool const):
671         (JSC::NativeFunction::operator! const):
672         (JSC::NativeFunction::operator== const):
673         (JSC::NativeFunction::operator!= const):
674         (JSC::NativeFunction::operator()):
675         (JSC::NativeFunction::rawPointer const):
676         (JSC::NativeFunctionHash::hash):
677         (JSC::NativeFunctionHash::equal):
678         (JSC::TaggedNativeFunction::TaggedNativeFunction):
679         (JSC::TaggedNativeFunction::operator bool const):
680         (JSC::TaggedNativeFunction::operator! const):
681         (JSC::TaggedNativeFunction::operator== const):
682         (JSC::TaggedNativeFunction::operator!= const):
683         (JSC::TaggedNativeFunction::operator()):
684         (JSC::TaggedNativeFunction::operator NativeFunction):
685         (JSC::TaggedNativeFunction::rawPointer const):
686         (JSC::TaggedNativeFunctionHash::hash):
687         (JSC::TaggedNativeFunctionHash::equal):
688         * runtime/PtrTag.h:
689         (JSC::tagCFunctionPtr):
690         (JSC::untagCFunctionPtr):
691         * runtime/VM.h:
692         (JSC::VM::targetMachinePCForThrowOffset): Deleted.
693
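The two pointer-profiling entries above (the MacroAssembler/LinkBuffer PtrTag plumbing, and the NativeFunction/TaggedNativeFunction split) introduce tag/untag steps that are still placeholders at this point in the tree. The following is an added example, not JavaScriptCore's PtrTag.h or NativeFunction.h: a software stand-in for what a TaggedNativeFunction-style wrapper does around a C function pointer, so the check a call site has to make is visible. On arm64e the CPU computes and verifies the authentication code in the pointer's unused high bits; here a keyed hash plays that role. The tag names, the secret, the 48-bit address assumption and every identifier are invented for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>

// Added example: a software emulation of the tag/untag step around a native
// function pointer. Not JavaScriptCore code; names and constants are invented.

static_assert(sizeof(void (*)()) == 8, "the demo assumes 64-bit code pointers");

// One tag per kind of call the VM makes through the pointer (hypothetical).
enum class PtrTagDemo : uint64_t { NativeCall = 1, NativeConstruct = 2, HostCodePtr = 3 };

using RawNativeFunctionDemo = int64_t (*)(int64_t);

// Assumption: code addresses fit in 48 bits (Linux x86-64/arm64 defaults),
// leaving bits 48..63 free for a 16-bit authentication code.
constexpr unsigned kAuthShift = 48;
constexpr uint64_t kAddrMask = (uint64_t(1) << kAuthShift) - 1;

// Per-process secret; a real implementation gets it from CPU key registers.
// Fixed here so the demo is deterministic.
constexpr uint64_t kDemoSecret = 0x243f6a8885a308d3ull;

// splitmix64 finalizer, used as a keyed 16-bit MAC over (address, tag).
static uint64_t mix64(uint64_t x)
{
    x += 0x9e3779b97f4a7c15ull;
    x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9ull;
    x = (x ^ (x >> 27)) * 0x94d049bb133111ebull;
    return x ^ (x >> 31);
}

static uint64_t authCode(uint64_t address, PtrTagDemo tag)
{
    return mix64(address ^ kDemoSecret ^ (uint64_t(tag) << 56)) >> kAuthShift;
}

class TaggedNativeFunctionDemo {
public:
    TaggedNativeFunctionDemo(RawNativeFunctionDemo fn, PtrTagDemo tag)
    {
        uint64_t raw = reinterpret_cast<uint64_t>(fn);
        m_valid = (raw & ~kAddrMask) == 0;  // high bits must be free for the code
        m_tagged = m_valid ? (raw | (authCode(raw, tag) << kAuthShift)) : 0;
    }

    // Recomputes the code for the tag the call site expects. A mismatch yields
    // nullptr rather than a callable pointer; the call site must check this
    // before jumping, which is the whole point of tagging.
    RawNativeFunctionDemo untag(PtrTagDemo expectedTag) const
    {
        if (!m_valid)
            return nullptr;
        uint64_t raw = m_tagged & kAddrMask;
        if ((m_tagged >> kAuthShift) != authCode(raw, expectedTag))
            return nullptr;
        return reinterpret_cast<RawNativeFunctionDemo>(raw);
    }

    uint64_t taggedBits() const { return m_tagged; }

private:
    uint64_t m_tagged;
    bool m_valid;
};

static int64_t squareDemo(int64_t x) { return x * x; }

static TaggedNativeFunctionDemo makeTaggedSquare()
{
    return TaggedNativeFunctionDemo(&squareDemo, PtrTagDemo::NativeCall);
}

// Calls squareDemo through the wrapper with the tag the caller believes is
// right; -1 means the tag did not authenticate and nothing was called.
static int64_t squareViaTag(PtrTagDemo tag, int64_t arg)
{
    RawNativeFunctionDemo fn = makeTaggedSquare().untag(tag);
    if (!fn)
        return -1;
    return fn(arg);
}

int main()
{
    std::printf("NativeCall tag:      %lld\n", (long long)squareViaTag(PtrTagDemo::NativeCall, 7));
    std::printf("NativeConstruct tag: %lld\n", (long long)squareViaTag(PtrTagDemo::NativeConstruct, 7));
    return 0;
}
```

The stored value is not a usable code pointer until it is untagged with the tag the call site was compiled for; untagging with any other tag fails the 16-bit check (a wrong tag collides with probability 2^-16 in this toy, which is also the order of the real arm64e code width). This is why the entries above thread a PtrTag through every indirect call() and jump() emitter and through LinkBuffer: the tag has to be known at both the tagging and the untagging site.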
694 2018-03-12  Filip Pizlo  <fpizlo@apple.com>
695
696         Unreviewed, fix simple goof that was causing 32-bit DFG crashes.
697
698         * dfg/DFGSpeculativeJIT.cpp:
699         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
700
701 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
702
703         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
704         https://bugs.webkit.org/show_bug.cgi?id=183310
705
706         Reviewed by Filip Pizlo.
707
708         This patch implements CreateThis -> NewObject conversion in AI if the given function is constant.
709         This contributes to a 6% win in Octane/raytrace.
710
711                                         baseline                  patched
712
713             raytrace       x2       1.19915+-0.01862    ^     1.13156+-0.01589       ^ definitely 1.0597x faster
714
715         * dfg/DFGAbstractInterpreterInlines.h:
716         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
717         * dfg/DFGConstantFoldingPhase.cpp:
718         (JSC::DFG::ConstantFoldingPhase::foldConstants):
719
720 2018-03-11  Wenson Hsieh  <wenson_hsieh@apple.com>
721
722         Disable Sigill crash analyzer on watchOS
723         https://bugs.webkit.org/show_bug.cgi?id=183548
724         <rdar://problem/38338032>
725
726         Reviewed by Mark Lam.
727
728         Sigill is not supported on watchOS.
729
730         * runtime/Options.cpp:
731         (JSC::overrideDefaults):
732
733 2018-03-09  Filip Pizlo  <fpizlo@apple.com>
734
735         Split DirectArguments into JSValueOOB and JSValueStrict parts
736         https://bugs.webkit.org/show_bug.cgi?id=183458
737
738         Reviewed by Yusuke Suzuki.
739         
740         Our Spectre plan for JSValue objects is to allow inline JSValue stores and loads guarded by
741         unmitigated structure checks. This works because objects reachable from JSValues (i.e. JSValue
742         objects, like String, Symbol, and any descendant of JSObject) will only contain fields that it's OK
743         to read and write within a Spectre mitigation window. Writes are important, because within the
744         window, a write could appear to be made speculatively and rolled out later. This means that:
745         
746         - JSValue objects cannot have lengths, masks, or anything else inline.
747         
748         - JSValue objects cannot have an inline type that is used as part of a Spectre mitigation for a type
749           check, unless that type is in the form of a poison key.
750         
751         This means that the dynamic poisoning that I previously landed for DirectArguments is wrong. It also
752         means that it's wrong for DirectArguments to have an inline length.
753         
754         This changes DirectArguments to use poisoning according to the universal formula:
755         
756         - The random accessed portions are out-of-line, pointed to by a poisoned pointer.
757         
758         - No inline length.
759         
760         Surprisingly, this is perf-neutral. It's probably perf-neutral because our compiler optimizations
761         amortize whatever cost there was.
762
763         * bytecode/AccessCase.cpp:
764         (JSC::AccessCase::generateWithGuard):
765         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
766         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
767         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Added.
768         (JSC::DFG::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator):
769         * dfg/DFGSpeculativeJIT.cpp:
770         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
771         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
772         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
773         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
774         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
775         * ftl/FTLAbstractHeapRepository.h:
776         * ftl/FTLLowerDFGToB3.cpp:
777         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
778         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
779         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
780         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
781         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
782         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
783         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell):
784         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
785         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
786         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
787         * heap/SecurityKind.h:
788         * jit/JITPropertyAccess.cpp:
789         (JSC::JIT::emit_op_get_from_arguments):
790         (JSC::JIT::emit_op_put_to_arguments):
791         (JSC::JIT::emitDirectArgumentsGetByVal):
792         * jit/JITPropertyAccess32_64.cpp:
793         (JSC::JIT::emit_op_get_from_arguments):
794         (JSC::JIT::emit_op_put_to_arguments):
795         * llint/LowLevelInterpreter.asm:
796         * llint/LowLevelInterpreter32_64.asm:
797         * llint/LowLevelInterpreter64.asm:
798         * runtime/DirectArguments.cpp:
799         (JSC::DirectArguments::DirectArguments):
800         (JSC::DirectArguments::createUninitialized):
801         (JSC::DirectArguments::create):
802         (JSC::DirectArguments::createByCopying):
803         (JSC::DirectArguments::estimatedSize):
804         (JSC::DirectArguments::visitChildren):
805         (JSC::DirectArguments::overrideThings):
806         (JSC::DirectArguments::copyToArguments):
807         (JSC::DirectArguments::mappedArgumentsSize):
808         * runtime/DirectArguments.h:
809         * runtime/JSCPoison.h:
810         * runtime/JSLexicalEnvironment.h:
811         * runtime/JSSymbolTableObject.h:
812         * runtime/VM.cpp:
813         (JSC::VM::VM):
814         * runtime/VM.h:
815
816 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
817
818         [B3] Above/Below should be strength-reduced for comparison with 0
819         https://bugs.webkit.org/show_bug.cgi?id=183543
820
821         Reviewed by Filip Pizlo.
822
823         Above(0, x) and BelowEqual(0, x) can be converted to the constants false and true respectively.
824         This can be seen in the ArraySlice(0) case: `Select(Above(0, length), length, 0)` should
825         be converted to `0`. This patch adds such folding to comparisons.
826
827         We also fix a B3ReduceStrength issue that creates an orphan value. If a flipped value is folded to
828         a constant, we do not insert the flipped value, and it becomes an orphan. This issue causes JSC test
829         failures with this B3Const32/64Value change. With this patch, we create a flipped value only
830         when we fail to fold it to a constant.
831
832         * b3/B3Const32Value.cpp:
833         (JSC::B3::Const32Value::lessThanConstant const):
834         (JSC::B3::Const32Value::greaterThanConstant const):
835         (JSC::B3::Const32Value::lessEqualConstant const):
836         (JSC::B3::Const32Value::greaterEqualConstant const):
837         (JSC::B3::Const32Value::aboveConstant const):
838         (JSC::B3::Const32Value::belowConstant const):
839         (JSC::B3::Const32Value::aboveEqualConstant const):
840         (JSC::B3::Const32Value::belowEqualConstant const):
841         * b3/B3Const64Value.cpp:
842         (JSC::B3::Const64Value::lessThanConstant const):
843         (JSC::B3::Const64Value::greaterThanConstant const):
844         (JSC::B3::Const64Value::lessEqualConstant const):
845         (JSC::B3::Const64Value::greaterEqualConstant const):
846         (JSC::B3::Const64Value::aboveConstant const):
847         (JSC::B3::Const64Value::belowConstant const):
848         (JSC::B3::Const64Value::aboveEqualConstant const):
849         (JSC::B3::Const64Value::belowEqualConstant const):
850         * b3/B3ReduceStrength.cpp:
851         * b3/testb3.cpp:
852         (JSC::B3::int64Operands):
853         (JSC::B3::int32Operands):
854
855 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
856
857         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
858         https://bugs.webkit.org/show_bug.cgi?id=181848
859
860         Reviewed by Sam Weinig.
861
862         In r181535, we added support for `string.match(/nonglobal/)` code. However, `string.match(/global/g)` is not
863         optimized since it sets the `lastIndex` value before performing the RegExp operation.
864
865         This patch optimizes the above "with a global flag" case by emitting `SetRegExpObjectLastIndex` properly.
866         RegExpMatchFast is converted to SetRegExpObjectLastIndex and RegExpMatchFastGlobal. The latter node
867         just holds RegExp (not RegExpObject) cell so that it can offer a chance to make NewRegexp PhantomNewRegexp
868         in object allocation sinking phase.
869
870         The added microbenchmarks show that this patch makes NewRegexp PhantomNewRegexp even if the given RegExp
871         has a global flag, and it improves performance.
872
873                                       baseline                  patched
874
875         regexp-u-global-es5       44.1298+-4.6128     ^     33.7920+-2.0110        ^ definitely 1.3059x faster
876         regexp-u-global-es6      182.3272+-2.2861     ^    154.3414+-7.6769        ^ definitely 1.1813x faster
877
878         * dfg/DFGAbstractInterpreterInlines.h:
879         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
880         * dfg/DFGClobberize.h:
881         (JSC::DFG::clobberize):
882         * dfg/DFGDoesGC.cpp:
883         (JSC::DFG::doesGC):
884         * dfg/DFGFixupPhase.cpp:
885         (JSC::DFG::FixupPhase::fixupNode):
886         * dfg/DFGMayExit.cpp:
887         * dfg/DFGNode.cpp:
888         (JSC::DFG::Node::convertToRegExpMatchFastGlobal):
889         * dfg/DFGNode.h:
890         (JSC::DFG::Node::hasHeapPrediction):
891         (JSC::DFG::Node::hasCellOperand):
892         * dfg/DFGNodeType.h:
893         * dfg/DFGOperations.cpp:
894         * dfg/DFGOperations.h:
895         * dfg/DFGPredictionPropagationPhase.cpp:
896         * dfg/DFGSafeToExecute.h:
897         (JSC::DFG::safeToExecute):
898         * dfg/DFGSpeculativeJIT.cpp:
899         (JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal):
900         * dfg/DFGSpeculativeJIT.h:
901         * dfg/DFGSpeculativeJIT32_64.cpp:
902         (JSC::DFG::SpeculativeJIT::compile):
903         * dfg/DFGSpeculativeJIT64.cpp:
904         (JSC::DFG::SpeculativeJIT::compile):
905         * dfg/DFGStrengthReductionPhase.cpp:
906         (JSC::DFG::StrengthReductionPhase::handleNode):
907         * ftl/FTLCapabilities.cpp:
908         (JSC::FTL::canCompile):
909         * ftl/FTLLowerDFGToB3.cpp:
910         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
911         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
912         * runtime/RegExpObject.cpp:
913         (JSC::collectMatches): Deleted.
914         * runtime/RegExpObject.h:
915         * runtime/RegExpObjectInlines.h:
916         (JSC::RegExpObject::execInline):
917         (JSC::RegExpObject::matchInline):
918         (JSC::advanceStringUnicode):
919         (JSC::collectMatches):
920         (JSC::RegExpObject::advanceStringUnicode): Deleted.
921         * runtime/RegExpPrototype.cpp:
922         (JSC::advanceStringIndex):
923
924 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
925
926         B3::reduceStrength should canonicalize integer comparisons
927         https://bugs.webkit.org/show_bug.cgi?id=150958
928
929         Reviewed by Filip Pizlo.
930
931         This patch sorts the operands of comparisons by flipping the opcode. For example, `Above(0, @2)` is
932         converted to `Below(@2, 0)`. This sorting is the same as the handleCommutativity rule. Since we
933         canonicalize comparisons to have the constant value at least on the right hand side, we can
934         remove the pattern matching that checks leftImm in B3LowerToAir.
935
936         Since this flipping changes the opcode of the value, to achieve it safely we just create a
937         new value which has the flipped opcode and swapped operands. If we can fold it to a constant,
938         we replace m_value with this constant. If we fail to fold it to a constant, we replace
939         m_value with the flipped one.
940
941         These comparisons are already handled in testb3.
942
943         * b3/B3LowerToAir.cpp:
944         * b3/B3ReduceStrength.cpp:
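
        Added example (not JavaScriptCore's own code): a miniature C++ model of the comparison canonicalization described in this entry and of the Above(0, x) / BelowEqual(0, x) folding with its orphan fix from the 2018-03-11 B3 entry above. It assumes a toy `Value`/`Arena` IR standing in for B3's Value and Procedure, and it goes beyond the page by also folding the symmetric UINT32_MAX cases.

```cpp
// Added example, not JavaScriptCore code: a toy model of B3's comparison
// canonicalization (constant moved to the right by flipping the opcode) and of
// Const32Value-style folding of Above(0, x) / BelowEqual(0, x).
#include <cstdint>
#include <memory>
#include <optional>
#include <vector>

enum class Opcode {
    Const32, Var,
    LessThan, GreaterThan, LessEqual, GreaterEqual,   // signed compares
    Above, Below, AboveEqual, BelowEqual              // unsigned compares
};

struct Value {
    Opcode opcode;
    int32_t constant = 0;   // only meaningful when opcode == Const32
    Value* lhs = nullptr;   // comparison operands (null for Const32/Var)
    Value* rhs = nullptr;
    bool isConstant() const { return opcode == Opcode::Const32; }
};

// Stands in for B3::Procedure as the owner of every Value. Counting its entries
// is how the test checks that no orphan flipped value is ever created.
struct Arena {
    std::vector<std::unique_ptr<Value>> values;
    Value* make(Value v) { values.push_back(std::make_unique<Value>(v)); return values.back().get(); }
    Value* const32(int32_t c) { Value v{Opcode::Const32}; v.constant = c; return make(v); }
    Value* var() { return make(Value{Opcode::Var}); }
    Value* compare(Opcode op, Value* a, Value* b) { Value v{op}; v.lhs = a; v.rhs = b; return make(v); }
};

// Swapping the operands of a comparison requires swapping the opcode as well.
static Opcode flippedOpcode(Opcode op) {
    switch (op) {
    case Opcode::LessThan:     return Opcode::GreaterThan;
    case Opcode::GreaterThan:  return Opcode::LessThan;
    case Opcode::LessEqual:    return Opcode::GreaterEqual;
    case Opcode::GreaterEqual: return Opcode::LessEqual;
    case Opcode::Above:        return Opcode::Below;
    case Opcode::Below:        return Opcode::Above;
    case Opcode::AboveEqual:   return Opcode::BelowEqual;
    case Opcode::BelowEqual:   return Opcode::AboveEqual;
    default:                   return op;
    }
}

// Mirrors Const32Value::aboveConstant & co.: the LEFT operand is the constant c.
// Returns the folded boolean, or nullopt when the comparison cannot be folded.
static std::optional<bool> foldConstantLeft(Opcode op, int32_t c, const Value* other) {
    const uint32_t uc = static_cast<uint32_t>(c);
    if (other->isConstant()) {
        const int32_t o = other->constant;
        const uint32_t uo = static_cast<uint32_t>(o);
        switch (op) {
        case Opcode::LessThan:     return c < o;
        case Opcode::GreaterThan:  return c > o;
        case Opcode::LessEqual:    return c <= o;
        case Opcode::GreaterEqual: return c >= o;
        case Opcode::Above:        return uc > uo;
        case Opcode::Below:        return uc < uo;
        case Opcode::AboveEqual:   return uc >= uo;
        case Opcode::BelowEqual:   return uc <= uo;
        default:                   return std::nullopt;
        }
    }
    // Only the left side is known: the unsigned range limits still decide these.
    // The 0 cases are the ones from the ChangeLog; the UINT32_MAX cases are the
    // symmetric extension added in this example.
    switch (op) {
    case Opcode::Above:      if (uc == 0) return false; break;          // 0 >u x never holds
    case Opcode::BelowEqual: if (uc == 0) return true;  break;          // 0 <=u x always holds
    case Opcode::Below:      if (uc == UINT32_MAX) return false; break; // MAX <u x never holds
    case Opcode::AboveEqual: if (uc == UINT32_MAX) return true;  break; // MAX >=u x always holds
    default: break;
    }
    return std::nullopt;
}

struct ReduceResult {
    Value* replacement; // what m_value is replaced with (cmp itself if unchanged)
    bool folded;        // replaced by a constant
    bool flipped;       // replaced by a newly created flipped comparison
};

// The reduceStrength step: a comparison with a constant on the left either folds
// to a constant or is replaced by a new value with flipped opcode and swapped
// operands. The flipped value is created only when folding fails, so no orphan.
static ReduceResult reduceComparison(Arena& arena, Value* cmp) {
    if (!cmp->lhs || !cmp->lhs->isConstant())
        return {cmp, false, false};
    if (std::optional<bool> folded = foldConstantLeft(cmp->opcode, cmp->lhs->constant, cmp->rhs))
        return {arena.const32(*folded ? 1 : 0), true, false};
    Value* flippedValue = arena.compare(flippedOpcode(cmp->opcode), cmp->rhs, cmp->lhs);
    return {flippedValue, false, true};
}
```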
945
946 2018-03-09  Mark Lam  <mark.lam@apple.com>
947
948         offlineasm should reset the Assembler's working state before doing another pass for a new target.
949         https://bugs.webkit.org/show_bug.cgi?id=183538
950         <rdar://problem/38325955>
951
952         Reviewed by Michael Saboff.
953
954         * llint/LowLevelInterpreter.cpp:
955         * offlineasm/asm.rb:
956         * offlineasm/cloop.rb:
957
958 2018-03-09  Brian Burg  <bburg@apple.com>
959
960         Web Inspector: there should only be one way for async backend commands to send failure
961         https://bugs.webkit.org/show_bug.cgi?id=183524
962
963         Reviewed by Timothy Hatcher.
964
965         If this is an async command, errors should be reported with BackendDispatcher::CallbackBase::sendFailure.
966         To avoid mixups, don't include the ErrorString out-parameter in generated async command signatures.
967         This change only affects interfaces generated for C++ backend dispatchers.
968
969         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
970         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
971         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
972         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
973         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
974
975 2018-03-09  Mark Lam  <mark.lam@apple.com>
976
977         Build fix after r229476.
978         https://bugs.webkit.org/show_bug.cgi?id=183488
979
980         Not reviewed.
981
982         * runtime/StackAlignment.h:
983
984 2018-03-09  Mark Lam  <mark.lam@apple.com>
985
986         [Re-landing] Add support for ARM64E.
987         https://bugs.webkit.org/show_bug.cgi?id=183398
988         <rdar://problem/38212621>
989
990         Reviewed by Michael Saboff.
991
992         * assembler/MacroAssembler.h:
993         * llint/LLIntOfflineAsmConfig.h:
994         * llint/LowLevelInterpreter.asm:
995         * llint/LowLevelInterpreter64.asm:
996         * offlineasm/backends.rb:
997
998 2018-03-09  Mark Lam  <mark.lam@apple.com>
999
1000         [Re-landing] Prepare LLInt code to support pointer profiling.
1001         https://bugs.webkit.org/show_bug.cgi?id=183387
1002         <rdar://problem/38199678>
1003
1004         Reviewed by JF Bastien.
1005
1006         1. Introduced PtrTag enums for supporting pointer profiling later.
1007
1008         2. Also introduced tagging, untagging, retagging, and tag removal placeholder
1009            template functions for the same purpose.
1010
1011         3. Prepare the offlineasm for supporting pointer profiling later.
1012
1013         4. Tagged some pointers in LLInt asm code.  Currently, these should have no
1014            effect on behavior.
1015
1016         5. Removed returnToThrowForThrownException() because it is not used anywhere.
1017
1018         6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
1019            easier to view and edit these files in Xcode.
1020
1021         * CMakeLists.txt:
1022         * JavaScriptCore.xcodeproj/project.pbxproj:
1023         * bytecode/LLIntCallLinkInfo.h:
1024         (JSC::LLIntCallLinkInfo::unlink):
1025         * llint/LLIntData.cpp:
1026         (JSC::LLInt::initialize):
1027         * llint/LLIntData.h:
1028         * llint/LLIntExceptions.cpp:
1029         (JSC::LLInt::returnToThrowForThrownException): Deleted.
1030         * llint/LLIntExceptions.h:
1031         * llint/LLIntOfflineAsmConfig.h:
1032         * llint/LLIntOffsetsExtractor.cpp:
1033         * llint/LLIntPCRanges.h:
1034         (JSC::LLInt::isLLIntPC):
1035         * llint/LLIntSlowPaths.cpp:
1036         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1037         (JSC::LLInt::handleHostCall):
1038         (JSC::LLInt::setUpCall):
1039         * llint/LowLevelInterpreter.asm:
1040         * llint/LowLevelInterpreter32_64.asm:
1041         * llint/LowLevelInterpreter64.asm:
1042         * offlineasm/ast.rb:
1043         * offlineasm/instructions.rb:
1044         * offlineasm/risc.rb:
1045         * runtime/PtrTag.h: Added.
1046         (JSC::uniquePtrTagID):
1047         (JSC::ptrTag):
1048         (JSC::tagCodePtr):
1049         (JSC::untagCodePtr):
1050         (JSC::retagCodePtr):
1051         (JSC::removeCodePtrTag):
1052
1053 2018-03-09  Mark Lam  <mark.lam@apple.com>
1054
1055         Remove unused LLINT_STATS feature.
1056         https://bugs.webkit.org/show_bug.cgi?id=183522
1057         <rdar://problem/38313139>
1058
1059         Rubber-stamped by Keith Miller.
1060
1061         We haven't used this in a while, and it is one more option that makes offlineasm
1062         build slower.  We can always re-introduce this later if we need it.
1063
1064         * jsc.cpp:
1065         * llint/LLIntCommon.h:
1066         * llint/LLIntData.cpp:
1067         (JSC::LLInt::initialize):
1068         (JSC::LLInt::Data::finalizeStats): Deleted.
1069         (JSC::LLInt::compareStats): Deleted.
1070         (JSC::LLInt::Data::dumpStats): Deleted.
1071         (JSC::LLInt::Data::ensureStats): Deleted.
1072         (JSC::LLInt::Data::loadStats): Deleted.
1073         (JSC::LLInt::Data::resetStats): Deleted.
1074         (JSC::LLInt::Data::saveStats): Deleted.
1075         * llint/LLIntData.h:
1076         (): Deleted.
1077         (JSC::LLInt::Data::opcodeStats): Deleted.
1078         * llint/LLIntOfflineAsmConfig.h:
1079         * llint/LLIntSlowPaths.cpp:
1080         * llint/LLIntSlowPaths.h:
1081         * llint/LowLevelInterpreter.asm:
1082         * llint/LowLevelInterpreter32_64.asm:
1083         * llint/LowLevelInterpreter64.asm:
1084         * runtime/Options.cpp:
1085         (JSC::Options::isAvailable):
1086         (JSC::recomputeDependentOptions):
1087         * runtime/Options.h:
1088         * runtime/TestRunnerUtils.cpp:
1089         (JSC::finalizeStatsAtEndOfTesting):
1090
1091 2018-03-09  Michael Saboff  <msaboff@apple.com>
1092
1093         Relanding "testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64"
1094         https://bugs.webkit.org/show_bug.cgi?id=183488
1095
1096         It applied and built just fine locally.
1097
1098         * assembler/testmasm.cpp:
1099         (JSC::testBranchTruncateDoubleToInt32):
1100
1101 2018-03-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1102
1103         Unreviewed, remove WebAssemblyFunctionType
1104         https://bugs.webkit.org/show_bug.cgi?id=183429
1105
1106         Drop WebAssemblyFunctionType since it is no longer used. This breaks the
1107         JSCast assumption that all the derived classes of JSFunction use
1108         JSFunctionType. We also add an ASSERT to JSFunction::finishCreation.
1109
1110         * runtime/JSFunction.cpp:
1111         (JSC::JSFunction::finishCreation):
1112         * runtime/JSType.h:
1113         * wasm/js/WebAssemblyFunction.cpp:
1114         (JSC::WebAssemblyFunction::createStructure):
1115         * wasm/js/WebAssemblyFunction.h:
1116
1117 2018-03-09  Ryan Haddad  <ryanhaddad@apple.com>
1118
1119         Unreviewed, rolling out r229446.
1120
1121         This change relies on changes that have been rolled out.
1122
1123         Reverted changeset:
1124
1125         "testmasm crashes in testBranchTruncateDoubleToInt32() on
1126         ARM64"
1127         https://bugs.webkit.org/show_bug.cgi?id=183488
1128         https://trac.webkit.org/changeset/229446
1129
1130 2018-03-08  Chris Dumez  <cdumez@apple.com>
1131
1132         Safari not handling undefined global variables with same name as element Id correctly.
1133         https://bugs.webkit.org/show_bug.cgi?id=183087
1134         <rdar://problem/37927596>
1135
1136         Reviewed by Ryosuke Niwa.
1137
1138         Global variables (var foo;) should not be hidden by:
1139         - Named properties
1140         - Properties on the prototype chain
1141
1142         Therefore, we now have JSGlobalObject::addVar() call JSGlobalObject::addGlobalVar()
1143         if !hasOwnProperty() instead of !hasProperty.
1144
1145         This aligns our behavior with Chrome and Firefox.
1146
1147         * runtime/JSGlobalObject.h:
1148         (JSC::JSGlobalObject::addVar):
1149
1150 2018-03-08  Commit Queue  <commit-queue@webkit.org>
1151
1152         Unreviewed, rolling out r229354 and r229364.
1153         https://bugs.webkit.org/show_bug.cgi?id=183492
1154
1155         Breaks internal builds (Requested by ryanhaddad on #webkit).
1156
1157         Reverted changesets:
1158
1159         "Prepare LLInt code to support pointer profiling."
1160         https://bugs.webkit.org/show_bug.cgi?id=183387
1161         https://trac.webkit.org/changeset/229354
1162
1163         "Add support for ARM64E."
1164         https://bugs.webkit.org/show_bug.cgi?id=183398
1165         https://trac.webkit.org/changeset/229364
1166
1167 2018-03-08  Michael Saboff  <msaboff@apple.com>
1168
1169         testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64
1170         https://bugs.webkit.org/show_bug.cgi?id=183488
1171
1172         Reviewed by Mark Lam.
1173
1174         Using stackAlignmentBytes() will keep the stack properly aligned.
1175
1176         * assembler/testmasm.cpp:
1177         (JSC::testBranchTruncateDoubleToInt32):
1178
1179 2018-03-08  Michael Saboff  <msaboff@apple.com>
1180
1181         Emit code to zero the stack frame on function entry
1182         https://bugs.webkit.org/show_bug.cgi?id=183391
1183
1184         Reviewed by Mark Lam.
1185
1186         Added code to zero the incoming stack frame behind a new JSC option, zeroStackFrame.
1187         The default setting of the option is off.
1188
1189         Did some minor refactoring of the YarrJIT stack alignment code.
1190
1191         * b3/air/AirCode.cpp:
1192         (JSC::B3::Air::defaultPrologueGenerator):
1193         * dfg/DFGJITCompiler.cpp:
1194         (JSC::DFG::JITCompiler::compile):
1195         (JSC::DFG::JITCompiler::compileFunction):
1196         * dfg/DFGSpeculativeJIT.cpp:
1197         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1198         * dfg/DFGThunks.cpp:
1199         (JSC::DFG::osrEntryThunkGenerator):
1200         * ftl/FTLLowerDFGToB3.cpp:
1201         (JSC::FTL::DFG::LowerDFGToB3::lower):
1202         * jit/AssemblyHelpers.h:
1203         (JSC::AssemblyHelpers::clearStackFrame):
1204         * jit/JIT.cpp:
1205         (JSC::JIT::compileWithoutLinking):
1206         * llint/LowLevelInterpreter.asm:
1207         * runtime/Options.h:
1208         * yarr/YarrJIT.cpp:
1209         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
1210         (JSC::Yarr::YarrGenerator::initCallFrame):
1211         (JSC::Yarr::YarrGenerator::removeCallFrame):
1212
1213 2018-03-08  Keith Miller  <keith_miller@apple.com>
1214
1215         Unreviewed, another attempt at fixing the Windows build.
1216         I guess the pragma must be outside the function...
1217
1218         * jit/CCallHelpers.h:
1219         (JSC::CCallHelpers::clampArrayToSize):
1220
1221 2018-03-08  Keith Miller  <keith_miller@apple.com>
1222
1223         Unreviewed, one last try at fixing the Windows build before rollout.
1224
1225         * jit/CCallHelpers.h:
1226         (JSC::CCallHelpers::clampArrayToSize):
1227
1228 2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1229
1230         [JSC] Optimize inherits<T> if T is final type
1231         https://bugs.webkit.org/show_bug.cgi?id=183435
1232
1233         Reviewed by Mark Lam.
1234
1235         If the type T is a final type (`std::is_final<T>::value == true`), there are no
1236         classes derived from T. It means that `jsDynamicCast<T>` only needs
1237         to check that the given cell's `classInfo(vm)` is `T::info()`.
1238
1239         This patch adds a new specialization of jsDynamicCast<T> / inherits<T> for a
1240         final type. We also add `final` annotations to JS cell types in JSC. This
1241         offers:
1242
1243         1. Readability. If the given class is annotated with `final`, we do not need to
1244         consider the derived classes of T.
1245
1246         2. Static checking. If your class is not intended to be used as a base class, attaching
1247         `final` ensures this invariant.
1248
1249         3. Performance. jsDynamicCast<T> and inherits<T> can be optimized and the code size should
1250         be smaller.
1251
1252         * API/JSCallbackConstructor.h:
1253         (JSC::JSCallbackConstructor::create): Deleted.
1254         (JSC::JSCallbackConstructor::classRef const): Deleted.
1255         (JSC::JSCallbackConstructor::callback const): Deleted.
1256         (JSC::JSCallbackConstructor::createStructure): Deleted.
1257         (JSC::JSCallbackConstructor::constructCallback): Deleted.
1258         * API/JSCallbackFunction.h:
1259         (JSC::JSCallbackFunction::createStructure): Deleted.
1260         (JSC::JSCallbackFunction::functionCallback): Deleted.
1261         * API/JSCallbackObject.h:
1262         (JSC::JSCallbackObject::create): Deleted.
1263         (JSC::JSCallbackObject::destroy): Deleted.
1264         (JSC::JSCallbackObject::classRef const): Deleted.
1265         (JSC::JSCallbackObject::getPrivateProperty const): Deleted.
1266         (JSC::JSCallbackObject::setPrivateProperty): Deleted.
1267         (JSC::JSCallbackObject::deletePrivateProperty): Deleted.
1268         (JSC::JSCallbackObject::visitChildren): Deleted.
1269         * bytecode/CodeBlock.cpp:
1270         (JSC::CodeBlock::setConstantRegisters):
1271         * bytecode/ExecutableToCodeBlockEdge.h:
1272         (JSC::ExecutableToCodeBlockEdge::subspaceFor): Deleted.
1273         (JSC::ExecutableToCodeBlockEdge::codeBlock const): Deleted.
1274         (JSC::ExecutableToCodeBlockEdge::unwrap): Deleted.
1275         * bytecode/FunctionCodeBlock.h:
1276         (JSC::FunctionCodeBlock::subspaceFor): Deleted.
1277         (JSC::FunctionCodeBlock::create): Deleted.
1278         (JSC::FunctionCodeBlock::createStructure): Deleted.
1279         (JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
1280         * debugger/DebuggerScope.h:
1281         (JSC::DebuggerScope::createStructure): Deleted.
1282         (JSC::DebuggerScope::iterator::iterator): Deleted.
1283         (JSC::DebuggerScope::iterator::get): Deleted.
1284         (JSC::DebuggerScope::iterator::operator++): Deleted.
1285         (JSC::DebuggerScope::iterator::operator== const): Deleted.
1286         (JSC::DebuggerScope::iterator::operator!= const): Deleted.
1287         (JSC::DebuggerScope::isValid const): Deleted.
1288         (JSC::DebuggerScope::jsScope const): Deleted.
1289         * inspector/JSInjectedScriptHost.h:
1290         (Inspector::JSInjectedScriptHost::createStructure): Deleted.
1291         (Inspector::JSInjectedScriptHost::create): Deleted.
1292         (Inspector::JSInjectedScriptHost::impl const): Deleted.
1293         * inspector/JSInjectedScriptHostPrototype.h:
1294         (Inspector::JSInjectedScriptHostPrototype::create): Deleted.
1295         (Inspector::JSInjectedScriptHostPrototype::createStructure): Deleted.
1296         (Inspector::JSInjectedScriptHostPrototype::JSInjectedScriptHostPrototype): Deleted.
1297         * inspector/JSJavaScriptCallFrame.h:
1298         (Inspector::JSJavaScriptCallFrame::createStructure): Deleted.
1299         (Inspector::JSJavaScriptCallFrame::create): Deleted.
1300         (Inspector::JSJavaScriptCallFrame::impl const): Deleted.
1301         * inspector/JSJavaScriptCallFramePrototype.h:
1302         (Inspector::JSJavaScriptCallFramePrototype::create): Deleted.
1303         (Inspector::JSJavaScriptCallFramePrototype::createStructure): Deleted.
1304         (Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype): Deleted.
1305         * jit/Repatch.cpp:
1306         (JSC::tryCacheGetByID):
1307         * runtime/ArrayConstructor.h:
1308         (JSC::ArrayConstructor::create): Deleted.
1309         (JSC::ArrayConstructor::createStructure): Deleted.
1310         * runtime/ArrayIteratorPrototype.h:
1311         (JSC::ArrayIteratorPrototype::create): Deleted.
1312         (JSC::ArrayIteratorPrototype::createStructure): Deleted.
1313         (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype): Deleted.
1314         * runtime/ArrayPrototype.h:
1315         (JSC::ArrayPrototype::createStructure): Deleted.
1316         * runtime/AsyncFromSyncIteratorPrototype.h:
1317         (JSC::AsyncFromSyncIteratorPrototype::createStructure): Deleted.
1318         * runtime/AsyncFunctionConstructor.h:
1319         (JSC::AsyncFunctionConstructor::create): Deleted.
1320         (JSC::AsyncFunctionConstructor::createStructure): Deleted.
1321         * runtime/AsyncFunctionPrototype.h:
1322         (JSC::AsyncFunctionPrototype::create): Deleted.
1323         (JSC::AsyncFunctionPrototype::createStructure): Deleted.
1324         * runtime/AsyncGeneratorFunctionConstructor.h:
1325         (JSC::AsyncGeneratorFunctionConstructor::create): Deleted.
1326         (JSC::AsyncGeneratorFunctionConstructor::createStructure): Deleted.
1327         * runtime/AsyncGeneratorFunctionPrototype.h:
1328         (JSC::AsyncGeneratorFunctionPrototype::create): Deleted.
1329         (JSC::AsyncGeneratorFunctionPrototype::createStructure): Deleted.
1330         * runtime/AsyncGeneratorPrototype.h:
1331         (JSC::AsyncGeneratorPrototype::create): Deleted.
1332         (JSC::AsyncGeneratorPrototype::createStructure): Deleted.
1333         (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype): Deleted.
1334         * runtime/AsyncIteratorPrototype.h:
1335         (JSC::AsyncIteratorPrototype::create): Deleted.
1336         (JSC::AsyncIteratorPrototype::createStructure): Deleted.
1337         (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype): Deleted.
1338         * runtime/AtomicsObject.h:
1339         * runtime/BigIntConstructor.h:
1340         (JSC::BigIntConstructor::create): Deleted.
1341         (JSC::BigIntConstructor::createStructure): Deleted.
1342         * runtime/BigIntObject.h:
1343         (JSC::BigIntObject::create): Deleted.
1344         (JSC::BigIntObject::internalValue const): Deleted.
1345         (JSC::BigIntObject::createStructure): Deleted.
1346         * runtime/BigIntPrototype.h:
1347         (JSC::BigIntPrototype::create): Deleted.
1348         (JSC::BigIntPrototype::createStructure): Deleted.
1349         * runtime/BooleanConstructor.h:
1350         (JSC::BooleanConstructor::create): Deleted.
1351         (JSC::BooleanConstructor::createStructure): Deleted.
1352         * runtime/BooleanPrototype.h:
1353         (JSC::BooleanPrototype::create): Deleted.
1354         (JSC::BooleanPrototype::createStructure): Deleted.
1355         * runtime/ConsoleObject.h:
1356         (JSC::ConsoleObject::create): Deleted.
1357         (JSC::ConsoleObject::createStructure): Deleted.
1358         * runtime/DOMAttributeGetterSetter.h:
1359         (JSC::isDOMAttributeGetterSetter): Deleted.
1360         * runtime/DateConstructor.h:
1361         (JSC::DateConstructor::create): Deleted.
1362         (JSC::DateConstructor::createStructure): Deleted.
1363         * runtime/DateInstance.h:
1364         (JSC::DateInstance::create): Deleted.
1365         (JSC::DateInstance::internalNumber const): Deleted.
1366         (JSC::DateInstance::gregorianDateTime const): Deleted.
1367         (JSC::DateInstance::gregorianDateTimeUTC const): Deleted.
1368         (JSC::DateInstance::createStructure): Deleted.
1369         * runtime/DatePrototype.h:
1370         (JSC::DatePrototype::create): Deleted.
1371         (JSC::DatePrototype::createStructure): Deleted.
1372         * runtime/Error.h:
1373         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): Deleted.
1374         (JSC::StrictModeTypeErrorFunction::create): Deleted.
1375         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError): Deleted.
1376         (JSC::StrictModeTypeErrorFunction::callThrowTypeError): Deleted.
1377         (JSC::StrictModeTypeErrorFunction::createStructure): Deleted.
1378         * runtime/ErrorConstructor.h:
1379         (JSC::ErrorConstructor::create): Deleted.
1380         (JSC::ErrorConstructor::createStructure): Deleted.
1381         (JSC::ErrorConstructor::stackTraceLimit const): Deleted.
1382         * runtime/Exception.h:
1383         (JSC::Exception::valueOffset): Deleted.
1384         (JSC::Exception::value const): Deleted.
1385         (JSC::Exception::stack const): Deleted.
1386         (JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
1387         (JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
1388         * runtime/FunctionConstructor.h:
1389         (JSC::FunctionConstructor::create): Deleted.
1390         (JSC::FunctionConstructor::createStructure): Deleted.
1391         * runtime/FunctionPrototype.h:
1392         (JSC::FunctionPrototype::create): Deleted.
1393         (JSC::FunctionPrototype::createStructure): Deleted.
1394         * runtime/FunctionRareData.h:
1395         (JSC::FunctionRareData::offsetOfObjectAllocationProfile): Deleted.
1396         (JSC::FunctionRareData::objectAllocationProfile): Deleted.
1397         (JSC::FunctionRareData::objectAllocationStructure): Deleted.
1398         (JSC::FunctionRareData::allocationProfileWatchpointSet): Deleted.
1399         (JSC::FunctionRareData::isObjectAllocationProfileInitialized): Deleted.
1400         (JSC::FunctionRareData::internalFunctionAllocationStructure): Deleted.
1401         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase): Deleted.
1402         (JSC::FunctionRareData::clearInternalFunctionAllocationProfile): Deleted.
1403         (JSC::FunctionRareData::getBoundFunctionStructure): Deleted.
1404         (JSC::FunctionRareData::setBoundFunctionStructure): Deleted.
1405         (JSC::FunctionRareData::hasReifiedLength const): Deleted.
1406         (JSC::FunctionRareData::setHasReifiedLength): Deleted.
1407         (JSC::FunctionRareData::hasReifiedName const): Deleted.
1408         (JSC::FunctionRareData::setHasReifiedName): Deleted.
1409         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const): Deleted.
1410         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): Deleted.
1411         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint): Deleted.
1412         * runtime/GeneratorFunctionConstructor.h:
1413         (JSC::GeneratorFunctionConstructor::create): Deleted.
1414         (JSC::GeneratorFunctionConstructor::createStructure): Deleted.
1415         * runtime/GeneratorFunctionPrototype.h:
1416         (JSC::GeneratorFunctionPrototype::create): Deleted.
1417         (JSC::GeneratorFunctionPrototype::createStructure): Deleted.
1418         * runtime/GeneratorPrototype.h:
1419         (JSC::GeneratorPrototype::create): Deleted.
1420         (JSC::GeneratorPrototype::createStructure): Deleted.
1421         (JSC::GeneratorPrototype::GeneratorPrototype): Deleted.
1422         * runtime/InferredValue.h:
1423         (JSC::InferredValue::subspaceFor): Deleted.
1424         (JSC::InferredValue::inferredValue): Deleted.
1425         (JSC::InferredValue::state const): Deleted.
1426         (JSC::InferredValue::isStillValid const): Deleted.
1427         (JSC::InferredValue::hasBeenInvalidated const): Deleted.
1428         (JSC::InferredValue::add): Deleted.
1429         (JSC::InferredValue::notifyWrite): Deleted.
1430         (JSC::InferredValue::invalidate): Deleted.
1431         * runtime/InspectorInstrumentationObject.h:
1432         (JSC::InspectorInstrumentationObject::create): Deleted.
1433         (JSC::InspectorInstrumentationObject::createStructure): Deleted.
1434         * runtime/IntlCollator.h:
1435         (JSC::IntlCollator::boundCompare const): Deleted.
1436         * runtime/IntlCollatorConstructor.h:
1437         (JSC::IntlCollatorConstructor::collatorStructure const): Deleted.
1438         * runtime/IntlCollatorPrototype.h:
1439         * runtime/IntlDateTimeFormat.h:
1440         (JSC::IntlDateTimeFormat::boundFormat const): Deleted.
1441         * runtime/IntlDateTimeFormatConstructor.h:
1442         (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure const): Deleted.
1443         * runtime/IntlDateTimeFormatPrototype.h:
1444         * runtime/IntlNumberFormat.h:
1445         (JSC::IntlNumberFormat::boundFormat const): Deleted.
1446         * runtime/IntlNumberFormatConstructor.h:
1447         (JSC::IntlNumberFormatConstructor::numberFormatStructure const): Deleted.
1448         * runtime/IntlNumberFormatPrototype.h:
1449         * runtime/IntlObject.h:
1450         * runtime/IteratorPrototype.h:
1451         (JSC::IteratorPrototype::create): Deleted.
1452         (JSC::IteratorPrototype::createStructure): Deleted.
1453         (JSC::IteratorPrototype::IteratorPrototype): Deleted.
1454         * runtime/JSAPIValueWrapper.h:
1455         (JSC::JSAPIValueWrapper::value const): Deleted.
1456         (JSC::JSAPIValueWrapper::createStructure): Deleted.
1457         (JSC::JSAPIValueWrapper::create): Deleted.
1458         (JSC::JSAPIValueWrapper::finishCreation): Deleted.
1459         (JSC::JSAPIValueWrapper::JSAPIValueWrapper): Deleted.
1460         * runtime/JSArrayBufferConstructor.h:
1461         (JSC::JSArrayBufferConstructor::sharingMode const): Deleted.
1462         * runtime/JSArrayBufferPrototype.h:
1463         * runtime/JSAsyncFunction.h:
1464         (JSC::JSAsyncFunction::subspaceFor): Deleted.
1465         (JSC::JSAsyncFunction::allocationSize): Deleted.
1466         (JSC::JSAsyncFunction::createStructure): Deleted.
1467         * runtime/JSAsyncGeneratorFunction.h:
1468         (JSC::JSAsyncGeneratorFunction::subspaceFor): Deleted.
1469         (JSC::JSAsyncGeneratorFunction::allocationSize): Deleted.
1470         (JSC::JSAsyncGeneratorFunction::createStructure): Deleted.
1471         * runtime/JSBigInt.h:
1472         (JSC::JSBigInt::setSign): Deleted.
1473         (JSC::JSBigInt::sign const): Deleted.
1474         (JSC::JSBigInt::setLength): Deleted.
1475         (JSC::JSBigInt::length const): Deleted.
1476         * runtime/JSBoundFunction.h:
1477         (JSC::JSBoundFunction::subspaceFor): Deleted.
1478         (JSC::JSBoundFunction::targetFunction): Deleted.
1479         (JSC::JSBoundFunction::boundThis): Deleted.
1480         (JSC::JSBoundFunction::boundArgs): Deleted.
1481         (JSC::JSBoundFunction::createStructure): Deleted.
1482         (JSC::JSBoundFunction::offsetOfTargetFunction): Deleted.
1483         (JSC::JSBoundFunction::offsetOfBoundThis): Deleted.
1484         * runtime/JSCast.h:
1485         (JSC::JSCastingHelpers::FinalTypeDispatcher::inheritsGeneric):
1486         (JSC::JSCastingHelpers::inheritsJSTypeImpl):
1487         (JSC::JSCastingHelpers::InheritsTraits::inherits):
1488         (JSC::JSCastingHelpers::inheritsGenericImpl): Deleted.
1489         * runtime/JSCustomGetterSetterFunction.cpp:
1490         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1491         * runtime/JSCustomGetterSetterFunction.h:
1492         (JSC::JSCustomGetterSetterFunction::subspaceFor): Deleted.
1493         (JSC::JSCustomGetterSetterFunction::createStructure): Deleted.
1494         (JSC::JSCustomGetterSetterFunction::customGetterSetter const): Deleted.
1495         (JSC::JSCustomGetterSetterFunction::isSetter const): Deleted.
1496         (JSC::JSCustomGetterSetterFunction::propertyName const): Deleted.
1497         * runtime/JSDataView.h:
1498         (JSC::JSDataView::possiblySharedBuffer const): Deleted.
1499         (JSC::JSDataView::unsharedBuffer const): Deleted.
1500         * runtime/JSDataViewPrototype.h:
1501         * runtime/JSFixedArray.h:
1502         (JSC::JSFixedArray::createStructure): Deleted.
1503         (JSC::JSFixedArray::tryCreate): Deleted.
1504         (JSC::JSFixedArray::create): Deleted.
1505         (JSC::JSFixedArray::createFromArray): Deleted.
1506         (JSC::JSFixedArray::get const): Deleted.
1507         (JSC::JSFixedArray::set): Deleted.
1508         (JSC::JSFixedArray::buffer): Deleted.
1509         (JSC::JSFixedArray::buffer const): Deleted.
1510         (JSC::JSFixedArray::values const): Deleted.
1511         (JSC::JSFixedArray::size const): Deleted.
1512         (JSC::JSFixedArray::length const): Deleted.
1513         (JSC::JSFixedArray::offsetOfSize): Deleted.
1514         (JSC::JSFixedArray::offsetOfData): Deleted.
1515         (JSC::JSFixedArray::JSFixedArray): Deleted.
1516         (JSC::JSFixedArray::allocationSize): Deleted.
1517         * runtime/JSGeneratorFunction.h:
1518         (JSC::JSGeneratorFunction::subspaceFor): Deleted.
1519         (JSC::JSGeneratorFunction::allocationSize): Deleted.
1520         (JSC::JSGeneratorFunction::createStructure): Deleted.
1521         * runtime/JSGenericTypedArrayView.h:
1522         (JSC::JSGenericTypedArrayView::byteLength const): Deleted.
1523         (JSC::JSGenericTypedArrayView::byteSize const): Deleted.
1524         (JSC::JSGenericTypedArrayView::typedVector const): Deleted.
1525         (JSC::JSGenericTypedArrayView::typedVector): Deleted.
1526         (JSC::JSGenericTypedArrayView::canGetIndexQuickly): Deleted.
1527         (JSC::JSGenericTypedArrayView::canSetIndexQuickly): Deleted.
1528         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue): Deleted.
1529         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble): Deleted.
1530         (JSC::JSGenericTypedArrayView::getIndexQuickly): Deleted.
1531         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue): Deleted.
1532         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble): Deleted.
1533         (JSC::JSGenericTypedArrayView::setIndexQuickly): Deleted.
1534         (JSC::JSGenericTypedArrayView::setIndex): Deleted.
1535         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
1536         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion): Deleted.
1537         (JSC::JSGenericTypedArrayView::sort): Deleted.
1538         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly): Deleted.
1539         (JSC::JSGenericTypedArrayView::createStructure): Deleted.
1540         (JSC::JSGenericTypedArrayView::info): Deleted.
1541         (JSC::JSGenericTypedArrayView::purifyArray): Deleted.
1542         (JSC::JSGenericTypedArrayView::sortComparison): Deleted.
1543         (JSC::JSGenericTypedArrayView::sortFloat): Deleted.
1544         * runtime/JSGenericTypedArrayViewConstructor.h:
1545         * runtime/JSGenericTypedArrayViewPrototype.h:
1546         * runtime/JSInternalPromise.h:
1547         * runtime/JSInternalPromiseConstructor.h:
1548         * runtime/JSInternalPromisePrototype.h:
1549         * runtime/JSMapIterator.h:
1550         (JSC::JSMapIterator::createStructure): Deleted.
1551         (JSC::JSMapIterator::create): Deleted.
1552         (JSC::JSMapIterator::advanceIter): Deleted.
1553         (JSC::JSMapIterator::next): Deleted.
1554         (JSC::JSMapIterator::nextKeyValue): Deleted.
1555         (JSC::JSMapIterator::kind const): Deleted.
1556         (JSC::JSMapIterator::iteratedValue const): Deleted.
1557         (JSC::JSMapIterator::JSMapIterator): Deleted.
1558         (JSC::JSMapIterator::setIterator): Deleted.
1559         * runtime/JSModuleLoader.h:
1560         (JSC::JSModuleLoader::create): Deleted.
1561         (JSC::JSModuleLoader::createStructure): Deleted.
1562         * runtime/JSModuleNamespaceObject.h:
1563         (JSC::isJSModuleNamespaceObject): Deleted.
1564         * runtime/JSModuleRecord.h:
1565         (JSC::JSModuleRecord::sourceCode const): Deleted.
1566         (JSC::JSModuleRecord::declaredVariables const): Deleted.
1567         (JSC::JSModuleRecord::lexicalVariables const): Deleted.
1568         * runtime/JSNativeStdFunction.h:
1569         (JSC::JSNativeStdFunction::subspaceFor): Deleted.
1570         (JSC::JSNativeStdFunction::createStructure): Deleted.
1571         (JSC::JSNativeStdFunction::nativeStdFunctionCell): Deleted.
1572         * runtime/JSONObject.h:
1573         (JSC::JSONObject::create): Deleted.
1574         (JSC::JSONObject::createStructure): Deleted.
1575         * runtime/JSObject.h:
1576         (JSC::JSObject::fillCustomGetterPropertySlot):
1577         * runtime/JSScriptFetchParameters.h:
1578         (JSC::JSScriptFetchParameters::createStructure): Deleted.
1579         (JSC::JSScriptFetchParameters::create): Deleted.
1580         (JSC::JSScriptFetchParameters::parameters const): Deleted.
1581         (JSC::JSScriptFetchParameters::JSScriptFetchParameters): Deleted.
1582         * runtime/JSScriptFetcher.h:
1583         (JSC::JSScriptFetcher::createStructure): Deleted.
1584         (JSC::JSScriptFetcher::create): Deleted.
1585         (JSC::JSScriptFetcher::fetcher const): Deleted.
1586         (JSC::JSScriptFetcher::JSScriptFetcher): Deleted.
1587         * runtime/JSSetIterator.h:
1588         (JSC::JSSetIterator::createStructure): Deleted.
1589         (JSC::JSSetIterator::create): Deleted.
1590         (JSC::JSSetIterator::advanceIter): Deleted.
1591         (JSC::JSSetIterator::next): Deleted.
1592         (JSC::JSSetIterator::kind const): Deleted.
1593         (JSC::JSSetIterator::iteratedValue const): Deleted.
1594         (JSC::JSSetIterator::JSSetIterator): Deleted.
1595         (JSC::JSSetIterator::setIterator): Deleted.
1596         * runtime/JSSourceCode.h:
1597         (JSC::JSSourceCode::createStructure): Deleted.
1598         (JSC::JSSourceCode::create): Deleted.
1599         (JSC::JSSourceCode::sourceCode const): Deleted.
1600         (JSC::JSSourceCode::JSSourceCode): Deleted.
1601         * runtime/JSStringIterator.h:
1602         (JSC::JSStringIterator::createStructure): Deleted.
1603         (JSC::JSStringIterator::create): Deleted.
1604         (JSC::JSStringIterator::JSStringIterator): Deleted.
1605         * runtime/JSTemplateObjectDescriptor.h:
1606         (JSC::isTemplateObjectDescriptor): Deleted.
1607         * runtime/JSTypedArrayViewConstructor.h:
1608         (JSC::JSTypedArrayViewConstructor::create): Deleted.
1609         * runtime/JSTypedArrayViewPrototype.h:
1610         * runtime/MapConstructor.h:
1611         (JSC::MapConstructor::create): Deleted.
1612         (JSC::MapConstructor::createStructure): Deleted.
1613         * runtime/MapIteratorPrototype.h:
1614         (JSC::MapIteratorPrototype::create): Deleted.
1615         (JSC::MapIteratorPrototype::createStructure): Deleted.
1616         (JSC::MapIteratorPrototype::MapIteratorPrototype): Deleted.
1617         * runtime/MapPrototype.h:
1618         (JSC::MapPrototype::create): Deleted.
1619         (JSC::MapPrototype::createStructure): Deleted.
1620         (JSC::MapPrototype::MapPrototype): Deleted.
1621         * runtime/MathObject.h:
1622         (JSC::MathObject::create): Deleted.
1623         (JSC::MathObject::createStructure): Deleted.
1624         * runtime/ModuleLoaderPrototype.h:
1625         (JSC::ModuleLoaderPrototype::create): Deleted.
1626         (JSC::ModuleLoaderPrototype::createStructure): Deleted.
1627         * runtime/NativeErrorConstructor.h:
1628         (JSC::NativeErrorConstructor::create): Deleted.
1629         (JSC::NativeErrorConstructor::createStructure): Deleted.
1630         (JSC::NativeErrorConstructor::errorStructure): Deleted.
1631         * runtime/NativeErrorPrototype.h:
1632         (JSC::NativeErrorPrototype::create): Deleted.
1633         * runtime/NativeStdFunctionCell.h:
1634         (JSC::NativeStdFunctionCell::createStructure): Deleted.
1635         (JSC::NativeStdFunctionCell::function const): Deleted.
1636         * runtime/NullGetterFunction.h:
1637         (JSC::NullGetterFunction::create): Deleted.
1638         (JSC::NullGetterFunction::createStructure): Deleted.
1639         * runtime/NullSetterFunction.h:
1640         (JSC::NullSetterFunction::create): Deleted.
1641         (JSC::NullSetterFunction::createStructure): Deleted.
1642         * runtime/NumberConstructor.h:
1643         (JSC::NumberConstructor::create): Deleted.
1644         (JSC::NumberConstructor::createStructure): Deleted.
1645         (JSC::NumberConstructor::isIntegerImpl): Deleted.
1646         * runtime/NumberPrototype.h:
1647         (JSC::NumberPrototype::create): Deleted.
1648         (JSC::NumberPrototype::createStructure): Deleted.
1649         * runtime/ObjectConstructor.h:
1650         (JSC::ObjectConstructor::create): Deleted.
1651         (JSC::ObjectConstructor::createStructure): Deleted.
1652         * runtime/ObjectPrototype.h:
1653         (JSC::ObjectPrototype::createStructure): Deleted.
1654         * runtime/ProxyConstructor.h:
1655         (JSC::ProxyConstructor::createStructure): Deleted.
1656         * runtime/ProxyRevoke.h:
1657         (JSC::ProxyRevoke::createStructure): Deleted.
1658         (JSC::ProxyRevoke::proxy): Deleted.
1659         (JSC::ProxyRevoke::setProxyToNull): Deleted.
1660         * runtime/ReflectObject.h:
1661         (JSC::ReflectObject::create): Deleted.
1662         (JSC::ReflectObject::createStructure): Deleted.
1663         * runtime/RegExpConstructor.cpp:
1664         (JSC::regExpConstructorDollar):
1665         (JSC::regExpConstructorInput):
1666         (JSC::regExpConstructorMultiline):
1667         (JSC::regExpConstructorLastMatch):
1668         (JSC::regExpConstructorLastParen):
1669         (JSC::regExpConstructorLeftContext):
1670         (JSC::regExpConstructorRightContext):
1671         * runtime/RegExpConstructor.h:
1672         (JSC::RegExpConstructor::create): Deleted.
1673         (JSC::RegExpConstructor::createStructure): Deleted.
1674         (JSC::RegExpConstructor::setMultiline): Deleted.
1675         (JSC::RegExpConstructor::multiline const): Deleted.
1676         (JSC::RegExpConstructor::setInput): Deleted.
1677         (JSC::RegExpConstructor::input): Deleted.
1678         (JSC::RegExpConstructor::offsetOfCachedResult): Deleted.
1679         (JSC::asRegExpConstructor): Deleted.
1680         * runtime/RegExpPrototype.h:
1681         (JSC::RegExpPrototype::create): Deleted.
1682         (JSC::RegExpPrototype::createStructure): Deleted.
1683         (JSC::RegExpPrototype::emptyRegExp const): Deleted.
1684         * runtime/SetConstructor.h:
1685         (JSC::SetConstructor::create): Deleted.
1686         (JSC::SetConstructor::createStructure): Deleted.
1687         * runtime/SetIteratorPrototype.h:
1688         (JSC::SetIteratorPrototype::create): Deleted.
1689         (JSC::SetIteratorPrototype::createStructure): Deleted.
1690         (JSC::SetIteratorPrototype::SetIteratorPrototype): Deleted.
1691         * runtime/SetPrototype.h:
1692         (JSC::SetPrototype::create): Deleted.
1693         (JSC::SetPrototype::createStructure): Deleted.
1694         (JSC::SetPrototype::SetPrototype): Deleted.
1695         * runtime/StringConstructor.h:
1696         (JSC::StringConstructor::create): Deleted.
1697         (JSC::StringConstructor::createStructure): Deleted.
1698         * runtime/StringIteratorPrototype.h:
1699         (JSC::StringIteratorPrototype::create): Deleted.
1700         (JSC::StringIteratorPrototype::createStructure): Deleted.
1701         (JSC::StringIteratorPrototype::StringIteratorPrototype): Deleted.
1702         * runtime/StringPrototype.h:
1703         (JSC::StringPrototype::createStructure): Deleted.
1704         * runtime/SymbolConstructor.h:
1705         (JSC::SymbolConstructor::create): Deleted.
1706         (JSC::SymbolConstructor::createStructure): Deleted.
1707         * runtime/SymbolObject.h:
1708         (JSC::SymbolObject::create): Deleted.
1709         (JSC::SymbolObject::internalValue const): Deleted.
1710         (JSC::SymbolObject::createStructure): Deleted.
1711         * runtime/SymbolPrototype.h:
1712         (JSC::SymbolPrototype::create): Deleted.
1713         (JSC::SymbolPrototype::createStructure): Deleted.
1714         * runtime/WeakMapConstructor.h:
1715         (JSC::WeakMapConstructor::create): Deleted.
1716         (JSC::WeakMapConstructor::createStructure): Deleted.
1717         * runtime/WeakMapPrototype.h:
1718         (JSC::WeakMapPrototype::create): Deleted.
1719         (JSC::WeakMapPrototype::createStructure): Deleted.
1720         (JSC::WeakMapPrototype::WeakMapPrototype): Deleted.
1721         * runtime/WeakSetConstructor.h:
1722         (JSC::WeakSetConstructor::create): Deleted.
1723         (JSC::WeakSetConstructor::createStructure): Deleted.
1724         * runtime/WeakSetPrototype.h:
1725         (JSC::WeakSetPrototype::create): Deleted.
1726         (JSC::WeakSetPrototype::createStructure): Deleted.
1727         (JSC::WeakSetPrototype::WeakSetPrototype): Deleted.
1728         * tools/JSDollarVM.h:
1729         (JSC::JSDollarVM::createStructure): Deleted.
1730         (JSC::JSDollarVM::create): Deleted.
1731         (JSC::JSDollarVM::JSDollarVM): Deleted.
1732         * wasm/js/JSWebAssembly.h:
1733         * wasm/js/JSWebAssemblyCompileError.h:
1734         (JSC::JSWebAssemblyCompileError::create): Deleted.
1735         * wasm/js/JSWebAssemblyInstance.h:
1736         (JSC::JSWebAssemblyInstance::instance): Deleted.
1737         (JSC::JSWebAssemblyInstance::moduleNamespaceObject): Deleted.
1738         (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee): Deleted.
1739         (JSC::JSWebAssemblyInstance::memory): Deleted.
1740         (JSC::JSWebAssemblyInstance::setMemory): Deleted.
1741         (JSC::JSWebAssemblyInstance::memoryMode): Deleted.
1742         (JSC::JSWebAssemblyInstance::table): Deleted.
1743         (JSC::JSWebAssemblyInstance::setTable): Deleted.
1744         (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): Deleted.
1745         (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee): Deleted.
1746         (JSC::JSWebAssemblyInstance::module const): Deleted.
1747         * wasm/js/JSWebAssemblyLinkError.h:
1748         (JSC::JSWebAssemblyLinkError::create): Deleted.
1749         * wasm/js/JSWebAssemblyMemory.h:
1750         (JSC::JSWebAssemblyMemory::subspaceFor): Deleted.
1751         (JSC::JSWebAssemblyMemory::memory): Deleted.
1752         * wasm/js/JSWebAssemblyModule.h:
1753         * wasm/js/JSWebAssemblyRuntimeError.h:
1754         (JSC::JSWebAssemblyRuntimeError::create): Deleted.
1755         * wasm/js/JSWebAssemblyTable.h:
1756         (JSC::JSWebAssemblyTable::isValidLength): Deleted.
1757         (JSC::JSWebAssemblyTable::maximum const): Deleted.
1758         (JSC::JSWebAssemblyTable::length const): Deleted.
1759         (JSC::JSWebAssemblyTable::allocatedLength const): Deleted.
1760         (JSC::JSWebAssemblyTable::table): Deleted.
1761         * wasm/js/WebAssemblyCompileErrorConstructor.h:
1762         * wasm/js/WebAssemblyCompileErrorPrototype.h:
1763         * wasm/js/WebAssemblyInstanceConstructor.h:
1764         * wasm/js/WebAssemblyInstancePrototype.h:
1765         * wasm/js/WebAssemblyLinkErrorConstructor.h:
1766         * wasm/js/WebAssemblyLinkErrorPrototype.h:
1767         * wasm/js/WebAssemblyMemoryConstructor.h:
1768         * wasm/js/WebAssemblyMemoryPrototype.h:
1769         * wasm/js/WebAssemblyModuleConstructor.h:
1770         * wasm/js/WebAssemblyModulePrototype.h:
1771         * wasm/js/WebAssemblyModuleRecord.h:
1772         * wasm/js/WebAssemblyPrototype.h:
1773         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
1774         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
1775         * wasm/js/WebAssemblyTableConstructor.h:
1776         * wasm/js/WebAssemblyTablePrototype.h:
1777
1778 2018-03-07  Filip Pizlo  <fpizlo@apple.com>
1779
1780         Make it possible to randomize register allocation
1781         https://bugs.webkit.org/show_bug.cgi?id=183416
1782
1783         Reviewed by Keith Miller.
1784         
1785         This is disabled by default for now, because it reveals a regalloc bug in wasm.
1786
1787         * b3/air/AirCode.cpp:
1788         (JSC::B3::Air::Code::Code):
1789         * b3/air/AirCode.h:
1790         (JSC::B3::Air::Code::weakRandom):
1791         * runtime/Options.h:
1792
1793 2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1794
1795         [JSC] Add inherits<T>(VM&) leveraging JSCast fast path
1796         https://bugs.webkit.org/show_bug.cgi?id=183429
1797
1798         Reviewed by Mark Lam.
1799
        Add new member functions, JSCell::inherits<T>(VM&) and JSValue::inherits<T>(VM&).
        They depend on the jsDynamicCast<T> implementation and leverage the JSType-based fast
        paths defined in JSCast.h. We extract the checking part as `JSCastingHelpers::inherit`
        and construct jsDynamicCast and JSCell::inherits on top of it.
1804
        We also remove several unnecessary casting functions (asRegExpObject, asDateInstance etc.).
        In addition, we add a jsDynamicCast fast path for RegExpObject by using the existing RegExpObjectType.
1807
        We also fix the implementation of jsDynamicCast for JSObject since it uses LastJSCObjectType.
        Embedders can add their extended object types after that.
1810
1811         * API/JSObjectRef.cpp:
1812         (JSObjectGetPrivateProperty):
1813         (JSObjectSetPrivateProperty):
1814         (JSObjectDeletePrivateProperty):
1815         * API/JSValue.mm:
1816         (isDate):
1817         (isArray):
1818         * API/JSValueRef.cpp:
1819         (JSValueIsArray):
1820         (JSValueIsDate):
1821         (JSValueIsObjectOfClass):
1822         * API/JSWeakObjectMapRefPrivate.cpp:
1823         * API/JSWrapperMap.mm:
1824         (tryUnwrapObjcObject):
1825         * API/ObjCCallbackFunction.mm:
1826         (tryUnwrapConstructor):
1827         * dfg/DFGByteCodeParser.cpp:
1828         (JSC::DFG::ByteCodeParser::parseBlock):
1829         * dfg/DFGOperations.cpp:
1830         * ftl/FTLLowerDFGToB3.cpp:
1831         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
1832         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1833         * ftl/FTLOperations.cpp:
1834         (JSC::FTL::operationMaterializeObjectInOSR):
1835         * inspector/JSInjectedScriptHost.cpp:
1836         (Inspector::JSInjectedScriptHost::subtype):
1837         (Inspector::JSInjectedScriptHost::functionDetails):
1838         * inspector/agents/InspectorHeapAgent.cpp:
1839         (Inspector::InspectorHeapAgent::getPreview):
1840         * interpreter/Interpreter.cpp:
1841         (JSC::notifyDebuggerOfUnwinding):
1842         * interpreter/ShadowChicken.cpp:
1843         (JSC::ShadowChicken::update):
1844         * jit/JIT.cpp:
1845         (JSC::JIT::privateCompileMainPass):
1846         * jit/JITOperations.cpp:
1847         (JSC::operationNewFunctionCommon):
1848         * jsc.cpp:
1849         (checkException):
1850         * runtime/BooleanObject.h:
1851         (JSC::asBooleanObject): Deleted.
1852         * runtime/BooleanPrototype.cpp:
1853         (JSC::booleanProtoFuncToString):
1854         (JSC::booleanProtoFuncValueOf):
1855         * runtime/DateConstructor.cpp:
1856         (JSC::constructDate):
1857         * runtime/DateInstance.h:
1858         (JSC::asDateInstance): Deleted.
1859         * runtime/DatePrototype.cpp:
1860         (JSC::formateDateInstance):
1861         (JSC::dateProtoFuncToISOString):
1862         (JSC::dateProtoFuncToLocaleString):
1863         (JSC::dateProtoFuncToLocaleDateString):
1864         (JSC::dateProtoFuncToLocaleTimeString):
1865         (JSC::dateProtoFuncGetTime):
1866         (JSC::dateProtoFuncGetFullYear):
1867         (JSC::dateProtoFuncGetUTCFullYear):
1868         (JSC::dateProtoFuncGetMonth):
1869         (JSC::dateProtoFuncGetUTCMonth):
1870         (JSC::dateProtoFuncGetDate):
1871         (JSC::dateProtoFuncGetUTCDate):
1872         (JSC::dateProtoFuncGetDay):
1873         (JSC::dateProtoFuncGetUTCDay):
1874         (JSC::dateProtoFuncGetHours):
1875         (JSC::dateProtoFuncGetUTCHours):
1876         (JSC::dateProtoFuncGetMinutes):
1877         (JSC::dateProtoFuncGetUTCMinutes):
1878         (JSC::dateProtoFuncGetSeconds):
1879         (JSC::dateProtoFuncGetUTCSeconds):
1880         (JSC::dateProtoFuncGetMilliSeconds):
1881         (JSC::dateProtoFuncGetUTCMilliseconds):
1882         (JSC::dateProtoFuncGetTimezoneOffset):
1883         (JSC::dateProtoFuncSetTime):
1884         (JSC::setNewValueFromTimeArgs):
1885         (JSC::setNewValueFromDateArgs):
1886         (JSC::dateProtoFuncSetYear):
1887         (JSC::dateProtoFuncGetYear):
1888         * runtime/ExceptionHelpers.cpp:
1889         (JSC::isTerminatedExecutionException):
1890         * runtime/FunctionPrototype.cpp:
1891         (JSC::functionProtoFuncToString):
1892         * runtime/InternalFunction.h:
1893         (JSC::asInternalFunction):
1894         * runtime/JSArray.h:
1895         (JSC::asArray):
1896         * runtime/JSCJSValue.cpp:
1897         (JSC::JSValue::dumpForBacktrace const):
1898         * runtime/JSCJSValue.h:
1899         * runtime/JSCJSValueInlines.h:
1900         (JSC::JSValue::inherits const):
1901         * runtime/JSCast.h:
1902         (JSC::JSCastingHelpers::inheritsGenericImpl):
1903         (JSC::JSCastingHelpers::inheritsJSTypeImpl):
1904         (JSC::JSCastingHelpers::InheritsTraits::inherits):
1905         (JSC::JSCastingHelpers::inherits):
1906         (JSC::jsDynamicCast):
1907         (JSC::JSCastingHelpers::jsDynamicCastGenericImpl): Deleted.
1908         (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl): Deleted.
1909         (JSC::JSCastingHelpers::JSDynamicCastTraits::cast): Deleted.
1910         * runtime/JSCell.h:
1911         * runtime/JSCellInlines.h:
1912         (JSC::JSCell::inherits const):
1913         * runtime/JSFunction.cpp:
1914         (JSC::RetrieveCallerFunctionFunctor::operator() const):
1915         (JSC::JSFunction::callerGetter):
1916         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1917         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1918         * runtime/JSGlobalObject.cpp:
1919         (JSC::enqueueJob):
1920         * runtime/JSGlobalObject.h:
1921         (JSC::asGlobalObject): Deleted.
1922         * runtime/JSInternalPromiseDeferred.cpp:
1923         (JSC::JSInternalPromiseDeferred::create):
1924         * runtime/JSLexicalEnvironment.h:
1925         (JSC::asActivation):
1926         * runtime/JSONObject.cpp:
1927         (JSC::unwrapBoxedPrimitive):
1928         (JSC::Stringifier::Stringifier):
1929         (JSC::Walker::walk):
1930         * runtime/JSPromise.cpp:
1931         (JSC::JSPromise::resolve):
1932         * runtime/JSPromiseDeferred.cpp:
1933         (JSC::JSPromiseDeferred::create):
1934         * runtime/JSType.h:
1935         * runtime/ProxyObject.h:
1936         (JSC::ProxyObject::create): Deleted.
1937         (JSC::ProxyObject::createStructure): Deleted.
1938         (JSC::ProxyObject::target const): Deleted.
1939         (JSC::ProxyObject::handler const): Deleted.
1940         * runtime/RegExpConstructor.cpp:
1941         (JSC::constructRegExp):
1942         * runtime/RegExpConstructor.h:
1943         (JSC::asRegExpConstructor):
1944         (JSC::isRegExp):
1945         * runtime/RegExpObject.cpp:
1946         (JSC::RegExpObject::finishCreation):
1947         (JSC::RegExpObject::getOwnPropertySlot):
1948         (JSC::RegExpObject::defineOwnProperty):
1949         (JSC::regExpObjectSetLastIndexStrict):
1950         (JSC::regExpObjectSetLastIndexNonStrict):
1951         (JSC::RegExpObject::put):
1952         * runtime/RegExpObject.h:
1953         (JSC::RegExpObject::create): Deleted.
1954         (JSC::RegExpObject::setRegExp): Deleted.
1955         (JSC::RegExpObject::regExp const): Deleted.
1956         (JSC::RegExpObject::setLastIndex): Deleted.
1957         (JSC::RegExpObject::getLastIndex const): Deleted.
1958         (JSC::RegExpObject::test): Deleted.
1959         (JSC::RegExpObject::testInline): Deleted.
1960         (JSC::RegExpObject::createStructure): Deleted.
1961         (JSC::RegExpObject::offsetOfRegExp): Deleted.
1962         (JSC::RegExpObject::offsetOfLastIndex): Deleted.
1963         (JSC::RegExpObject::offsetOfLastIndexIsWritable): Deleted.
1964         (JSC::RegExpObject::allocationSize): Deleted.
1965         (JSC::asRegExpObject): Deleted.
1966         * runtime/RegExpPrototype.cpp:
1967         (JSC::regExpProtoFuncTestFast):
1968         (JSC::regExpProtoFuncExec):
1969         (JSC::regExpProtoFuncMatchFast):
1970         (JSC::regExpProtoFuncCompile):
1971         (JSC::regExpProtoGetterGlobal):
1972         (JSC::regExpProtoGetterIgnoreCase):
1973         (JSC::regExpProtoGetterMultiline):
1974         (JSC::regExpProtoGetterDotAll):
1975         (JSC::regExpProtoGetterSticky):
1976         (JSC::regExpProtoGetterUnicode):
1977         (JSC::regExpProtoGetterSource):
1978         (JSC::regExpProtoFuncSearchFast):
1979         (JSC::regExpProtoFuncSplitFast):
1980         * runtime/StringObject.h:
1981         (JSC::asStringObject): Deleted.
1982         * runtime/StringPrototype.cpp:
1983         (JSC::replaceUsingRegExpSearch):
1984         (JSC::replace):
1985         (JSC::stringProtoFuncReplaceUsingRegExp):
1986         (JSC::stringProtoFuncToString):
1987         * runtime/SymbolPrototype.cpp:
1988         (JSC::symbolProtoFuncToString):
1989         (JSC::symbolProtoFuncValueOf):
1990         * tools/JSDollarVM.cpp:
1991         (WTF::customGetValue):
1992         (WTF::customSetValue):
1993         * wasm/js/JSWebAssemblyHelpers.h:
1994         (JSC::isWebAssemblyHostFunction):
1995         * wasm/js/WebAssemblyWrapperFunction.cpp:
1996         (JSC::WebAssemblyWrapperFunction::create):
1997
1998 2018-03-07  Tim Horton  <timothy_horton@apple.com>
1999
2000         Sort and separate FeatureDefines.xcconfig
2001         https://bugs.webkit.org/show_bug.cgi?id=183427
2002
2003         Reviewed by Dan Bernstein.
2004
2005         * Configurations/FeatureDefines.xcconfig:
2006         Sort and split FeatureDefines into paragraphs
2007         (to make it easier to sort later).
2008
2009 2018-03-07  Keith Miller  <keith_miller@apple.com>
2010
2011         Unreviewed, fix 32-bit build.
2012
2013         * dfg/DFGSpeculativeJIT.cpp:
2014         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2015
2016 2018-03-07  Keith Miller  <keith_miller@apple.com>
2017
2018         Meta-program setupArguments and callOperation
2019         https://bugs.webkit.org/show_bug.cgi?id=183263
2020
2021         Rubber-stamped by Filip Pizlo.
2022
2023         This patch removes all the custom overrides of callOperation and setupArguments
2024         throughout the JITs. In their place there is a new setupArguments that marshalls
2025         the arguments into place based on the type of the operation's function pointer.
2026         There were a couple of design choices in the implementation of setupArguments:
2027
2028         1) We assume that no TrustedImm floating point values are passed.
2029         2) If ExecState* is the first argument the callFrameRegister should be marshalled implicitly.
2030         3) Types should not be implicitly converted (with the exception of DFG::RegisteredStructure -> Structure*)
2031
2032         The new callOperation/setupArguments do their best to make sure
2033         it's hard to call a function with the wrong parameters. They will
2034         only try to pattern match if the types match up with the next
2035         passed argument. Additionally, the base case should static_assert
2036         if the number of inferred arguments does not match the arity of
2037         the operation's function pointer.
2038
2039         * assembler/AbstractMacroAssembler.h:
2040         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
2041         (JSC::AbstractMacroAssembler::TrustedImmPtr::asPtr):
2042         * assembler/MacroAssembler.h:
2043         (JSC::MacroAssembler::poke):
2044         (JSC::MacroAssembler::move):
2045         * assembler/MacroAssemblerARM64.h:
2046         (JSC::MacroAssemblerARM64::swap):
2047         * assembler/MacroAssemblerX86.h:
2048         (JSC::MacroAssemblerX86::storeDouble):
2049         * assembler/MacroAssemblerX86Common.h:
2050         (JSC::MacroAssemblerX86Common::loadDouble):
2051         (JSC::MacroAssemblerX86Common::swap):
2052         (JSC::MacroAssemblerX86Common::move):
2053         * bytecode/AccessCase.cpp:
2054         (JSC::AccessCase::generateImpl):
2055         * bytecode/AccessCaseSnippetParams.cpp:
2056         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
2057         * bytecode/PolymorphicAccess.cpp:
2058         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2059         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2060         * dfg/DFGNode.h:
2061         * dfg/DFGOSRExit.cpp:
2062         (JSC::DFG::OSRExit::emitRestoreArguments):
2063         * dfg/DFGOSRExitCompilerCommon.cpp:
2064         (JSC::DFG::osrWriteBarrier):
2065         * dfg/DFGOperations.cpp:
2066         * dfg/DFGOperations.h:
2067         * dfg/DFGSlowPathGenerator.h:
2068         * dfg/DFGSpeculativeJIT.cpp:
2069         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
2070         (JSC::DFG::SpeculativeJIT::compileArithMod):
2071         (JSC::DFG::SpeculativeJIT::compileArithRounding):
2072         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
2073         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2074         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2075         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
2076         * dfg/DFGSpeculativeJIT.h:
2077         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
2078         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::operator MacroAssembler::TrustedImm const):
2079         (JSC::DFG::SpeculativeJIT::initConstantInfo):
2080         (JSC::DFG::SpeculativeJIT::callOperation):
2081         (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
2082         (JSC::DFG::SpeculativeJIT::callCustomGetter): Deleted.
2083         * dfg/DFGSpeculativeJIT32_64.cpp:
2084         (JSC::DFG::SpeculativeJIT::cachedGetById):
2085         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2086         (JSC::DFG::SpeculativeJIT::cachedPutById):
2087         (JSC::DFG::SpeculativeJIT::emitCall):
2088         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2089         (JSC::DFG::SpeculativeJIT::compile):
2090         * dfg/DFGSpeculativeJIT64.cpp:
2091         (JSC::DFG::SpeculativeJIT::emitCall):
2092         (JSC::DFG::SpeculativeJIT::compile):
2093         * ftl/FTLLowerDFGToB3.cpp:
2094         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2095         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2096         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2097         * ftl/FTLOSRExitCompiler.cpp:
2098         (JSC::FTL::compileStub):
2099         * ftl/FTLSlowPathCall.h:
2100         (JSC::FTL::callOperation):
2101         * jit/AssemblyHelpers.cpp:
2102         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2103         * jit/CCallHelpers.cpp:
2104         (JSC::CCallHelpers::ensureShadowChickenPacket):
2105         * jit/CCallHelpers.h:
2106         (JSC::CCallHelpers::setupArgument):
2107         (JSC::CCallHelpers::setupStubArgs):
2108         (JSC::CCallHelpers::ArgCollection::ArgCollection):
2109         (JSC::CCallHelpers::ArgCollection::pushRegArg):
2110         (JSC::CCallHelpers::ArgCollection::addGPRArg):
2111         (JSC::CCallHelpers::ArgCollection::addStackArg):
2112         (JSC::CCallHelpers::ArgCollection::addPoke):
2113         (JSC::CCallHelpers::ArgCollection::argCount):
2114         (JSC::CCallHelpers::clampArrayToSize):
2115         (JSC::CCallHelpers::pokeForArgument):
2116         (JSC::CCallHelpers::marshallArgumentRegister):
2117         (JSC::CCallHelpers::setupArgumentsImpl):
2118         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
2119         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
2120         (JSC::CCallHelpers::setupArguments):
2121         (JSC::CCallHelpers::prepareForTailCallSlow):
2122         (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
2123         (JSC::CCallHelpers::resetCallArguments): Deleted.
2124         (JSC::CCallHelpers::addCallArgument): Deleted.
2125         (JSC::CCallHelpers::setupArgumentsExecState): Deleted.
2126         (JSC::CCallHelpers::setupTwoStubArgsGPR): Deleted.
2127         (JSC::CCallHelpers::setupThreeStubArgsGPR): Deleted.
2128         (JSC::CCallHelpers::setupFourStubArgsGPR): Deleted.
2129         (JSC::CCallHelpers::setupFiveStubArgsGPR): Deleted.
2130         (JSC::CCallHelpers::setupTwoStubArgsFPR): Deleted.
2131         (JSC::CCallHelpers::setupStubArguments): Deleted.
2132         (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Deleted.
2133         (JSC::CCallHelpers::setupStubArguments134): Deleted.
2134         (JSC::CCallHelpers::setupStubArgsGPR): Deleted.
2135         * jit/FPRInfo.h:
2136         (JSC::toInfoFromReg):
2137         * jit/GPRInfo.h:
2138         (JSC::JSValueRegs::JSValueRegs):
2139         (JSC::toInfoFromReg):
2140         * jit/JIT.h:
2141         (JSC::JIT::callOperation):
2142         (JSC::JIT::callOperationWithProfile):
2143         (JSC::JIT::callOperationWithResult):
2144         (JSC::JIT::callOperationNoExceptionCheck):
2145         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
2146         * jit/JITArithmetic.cpp:
2147         (JSC::JIT::emitMathICFast):
2148         (JSC::JIT::emitMathICSlow):
2149         * jit/JITArithmetic32_64.cpp:
2150         (JSC::JIT::emit_compareAndJumpSlow):
2151         * jit/JITCall32_64.cpp:
2152         (JSC::JIT::compileSetupVarargsFrame):
2153         * jit/JITInlines.h:
2154         (JSC::JIT::callOperation): Deleted.
2155         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
2156         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
2157         * jit/JITOpcodes.cpp:
2158         (JSC::JIT::emit_op_new_array_with_size):
2159         * jit/JITOpcodes32_64.cpp:
2160         (JSC::JIT::emitSlow_op_instanceof):
2161         (JSC::JIT::emitSlow_op_instanceof_custom):
2162         (JSC::JIT::emit_op_set_function_name):
2163         (JSC::JIT::emitSlow_op_eq):
2164         (JSC::JIT::emitSlow_op_neq):
2165         (JSC::JIT::emit_op_throw):
2166         (JSC::JIT::emit_op_switch_imm):
2167         (JSC::JIT::emit_op_switch_char):
2168         (JSC::JIT::emit_op_switch_string):
2169         (JSC::JIT::emitSlow_op_has_indexed_property):
2170         * jit/JITOperations.cpp:
2171         * jit/JITOperations.h:
2172         * jit/JITPropertyAccess.cpp:
2173         (JSC::JIT::emitGetByValWithCachedId):
2174         (JSC::JIT::emitSlow_op_get_by_id):
2175         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2176         (JSC::JIT::emitSlow_op_get_from_scope):
2177         * jit/JITPropertyAccess32_64.cpp:
2178         (JSC::JIT::emit_op_put_by_index):
2179         (JSC::JIT::emit_op_put_setter_by_id):
2180         (JSC::JIT::emit_op_put_getter_setter_by_id):
2181         (JSC::JIT::emit_op_put_getter_by_val):
2182         (JSC::JIT::emit_op_put_setter_by_val):
2183         (JSC::JIT::emit_op_del_by_id):
2184         (JSC::JIT::emit_op_del_by_val):
2185         (JSC::JIT::emitGetByValWithCachedId):
2186         (JSC::JIT::emitSlow_op_get_by_val):
2187         (JSC::JIT::emitPutByValWithCachedId):
2188         (JSC::JIT::emitSlow_op_put_by_val):
2189         (JSC::JIT::emitSlow_op_try_get_by_id):
2190         (JSC::JIT::emitSlow_op_get_by_id):
2191         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2192         (JSC::JIT::emitSlow_op_put_by_id):
2193         (JSC::JIT::emitSlow_op_get_from_scope):
2194         * jit/RegisterSet.h:
2195         (JSC::RegisterSet::RegisterSet):
2196         * jit/ThunkGenerators.cpp:
2197         (JSC::throwExceptionFromCallSlowPathGenerator):
2198         (JSC::slowPathFor):
2199         * jsc.cpp:
2200         (GlobalObject::finishCreation):
2201         (functionBreakpoint):
2202         * runtime/JSCJSValue.h:
2203         * wasm/js/WasmToJS.cpp:
2204         (JSC::Wasm::wasmToJS):
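
        Added illustration of the type-directed marshalling this entry describes; it is not JavaScriptCore's code. The operation's function-pointer type decides how each argument is placed, a leading ExecState* parameter is filled implicitly from the call-frame register, floating point immediates are rejected, and a wrong argument count fails at compile time. The type names (ExecState, GPRReg, TrustedImm32, TrustedImmPtr, RegisteredStructure), the four-register ABI and the argumentGPR/stack naming are stand-ins assumed here.

```cpp
// Miniature, type-directed setupArguments (illustration only, not JSC's code).
#include <cstddef>
#include <cstdint>
#include <string>
#include <tuple>
#include <type_traits>
#include <vector>

struct ExecState;                                        // opaque stand-in
struct Structure;                                        // opaque stand-in
struct RegisteredStructure { Structure* structure; };    // stand-in for DFG::RegisteredStructure

struct GPRReg { std::string name; };                     // a register is just its name here
struct TrustedImm32 { int32_t value; };
template <typename T> struct TrustedImmPtr { T* value; };

// One move the assembler would emit: destination (register or stack slot) and source.
struct MoveRecord { std::string dst; std::string src; };

struct ArgCollection {
    std::vector<MoveRecord> moves;
    size_t count = 0;
    // Assumed ABI: four argument registers, then stack slots (pokes).
    void add(const std::string& src) {
        std::string dst = count < 4 ? "argumentGPR" + std::to_string(count)
                                    : "stack[" + std::to_string(count - 4) + "]";
        moves.push_back({dst, src});
        ++count;
    }
};

// Parameter list and arity of a function pointer type.
template <typename F> struct FunctionTraits;
template <typename R, typename... Params>
struct FunctionTraits<R (*)(Params...)> {
    static constexpr size_t arity = sizeof...(Params);
    using Tuple = std::tuple<Params...>;
};

// Parameter type at index I, or void past the end (so the static_asserts stay readable).
template <typename Tuple, size_t I, bool InRange = (I < std::tuple_size<Tuple>::value)>
struct ParamAt { using type = typename std::tuple_element<I, Tuple>::type; };
template <typename Tuple, size_t I>
struct ParamAt<Tuple, I, false> { using type = void; };

// Each argument kind is pattern matched against the parameter type the operation expects.
template <typename Expected>
void marshalOne(ArgCollection& c, GPRReg reg) {
    static_assert(std::is_integral<Expected>::value || std::is_pointer<Expected>::value,
                  "a GPR can only supply an integral or pointer parameter");
    c.add(reg.name);
}
template <typename Expected>
void marshalOne(ArgCollection& c, TrustedImm32 imm) {
    static_assert(std::is_integral<Expected>::value && sizeof(Expected) <= sizeof(int32_t),
                  "TrustedImm32 only matches an integral parameter of at most 32 bits");
    c.add("#" + std::to_string(imm.value));
}
// Design choice 3: no implicit conversion, except RegisteredStructure -> Structure*.
template <typename Expected>
void marshalOne(ArgCollection& c, TrustedImmPtr<RegisteredStructure> ptr) {
    static_assert(std::is_same<Expected, Structure*>::value,
                  "RegisteredStructure only converts to Structure*");
    c.add("#" + std::to_string(reinterpret_cast<uintptr_t>(ptr.value->structure)));
}
template <typename Expected, typename T>
void marshalOne(ArgCollection& c, TrustedImmPtr<T> ptr) {
    static_assert(std::is_same<Expected, T*>::value, "pointer immediate does not match the parameter type");
    c.add("#" + std::to_string(reinterpret_cast<uintptr_t>(ptr.value)));
}

// Base case: every parameter must have been consumed, otherwise the arity is wrong.
template <typename Op, size_t Index>
void setupArgumentsImpl(ArgCollection&) {
    static_assert(Index == FunctionTraits<Op>::arity, "argument count does not match the operation's arity");
}
template <typename Op, size_t Index, typename Arg, typename... Rest>
void setupArgumentsImpl(ArgCollection& c, Arg arg, Rest... rest) {
    static_assert(Index < FunctionTraits<Op>::arity, "more arguments than the operation takes");
    static_assert(!std::is_floating_point<Arg>::value, "design choice 1: no floating point immediates");
    using Expected = typename ParamAt<typename FunctionTraits<Op>::Tuple, Index>::type;
    marshalOne<Expected>(c, arg);
    setupArgumentsImpl<Op, Index + 1>(c, rest...);
}

// Entry point. Design choice 2: if the operation takes ExecState* first, the call-frame
// register is marshalled implicitly and the caller's arguments start at parameter 1.
template <typename Op, typename... Args>
ArgCollection setupArguments(Args... args) {
    ArgCollection c;
    using First = typename ParamAt<typename FunctionTraits<Op>::Tuple, 0>::type;
    constexpr bool takesExecState = std::is_same<First, ExecState*>::value;
    if (takesExecState)
        c.add("callFrameRegister");
    setupArgumentsImpl<Op, takesExecState ? 1 : 0>(c, args...);
    return c;
}

// Worked cases (hypothetical operation signatures).
ArgCollection exampleAdd() {
    using AddOp = int64_t (*)(ExecState*, int32_t, void*);
    return setupArguments<AddOp>(GPRReg{"t0"}, TrustedImmPtr<void>{nullptr});
}
ArgCollection exampleNewObject(RegisteredStructure& rs) {
    using NewObjectOp = void (*)(ExecState*, Structure*);
    return setupArguments<NewObjectOp>(TrustedImmPtr<RegisteredStructure>{&rs});
}
ArgCollection exampleStackArgs() {
    using FiveOp = int (*)(int, int, int, int, int);   // no ExecState*, fifth argument spills to the stack
    return setupArguments<FiveOp>(GPRReg{"t0"}, GPRReg{"t1"}, TrustedImm32{7}, GPRReg{"t2"}, TrustedImm32{-1});
}
```

Passing a double, a mismatched pointer type, or one argument too many to setupArguments fails at compile time, which is the property the entry's static_assert is meant to give.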
2205
2206 2018-03-07  Mark Lam  <mark.lam@apple.com>
2207
2208         Rename ProtoCallFrame::arityMissMatch to hasArityMismatch.
2209         https://bugs.webkit.org/show_bug.cgi?id=183414
2210         <rdar://problem/38231678>
2211
2212         Reviewed by Michael Saboff.
2213
2214         * interpreter/ProtoCallFrame.cpp:
2215         (JSC::ProtoCallFrame::init):
2216         * interpreter/ProtoCallFrame.h:
2217
2218 2018-03-07  Mark Lam  <mark.lam@apple.com>
2219
2220         Simplify the variants of FunctionPtr constructors.
2221         https://bugs.webkit.org/show_bug.cgi?id=183399
2222         <rdar://problem/38212980>
2223
2224         Reviewed by Yusuke Suzuki.
2225
2226         * assembler/MacroAssemblerCodeRef.h:
2227         (JSC::FunctionPtr::FunctionPtr):
2228
2229 2018-03-06  Filip Pizlo  <fpizlo@apple.com>
2230
2231         MarkedArgumentsBuffer should allocate from the JSValue Gigacage
2232         https://bugs.webkit.org/show_bug.cgi?id=183377
2233
2234         Reviewed by Michael Saboff.
2235         
2236         That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.
2237
2238         * runtime/ArgList.cpp:
2239         (JSC::MarkedArgumentBuffer::expandCapacity):
2240
2241 2018-03-07  Mark Lam  <mark.lam@apple.com>
2242
2243         Add support for ARM64E.
2244         https://bugs.webkit.org/show_bug.cgi?id=183398
2245         <rdar://problem/38212621>
2246
2247         Reviewed by Michael Saboff.
2248
2249         * assembler/MacroAssembler.h:
2250         * llint/LLIntOfflineAsmConfig.h:
2251         * llint/LowLevelInterpreter.asm:
2252         * llint/LowLevelInterpreter64.asm:
2253         * offlineasm/backends.rb:
2254
2255 2018-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2256
2257         HTML `pattern` attribute should set `u` flag for regular expressions
2258         https://bugs.webkit.org/show_bug.cgi?id=151598
2259
2260         Reviewed by Chris Dumez.
2261
2262         Add UnicodeMode for JSC::Yarr::RegularExpression.
2263
2264         * yarr/RegularExpression.cpp:
2265         (JSC::Yarr::RegularExpression::Private::create):
2266         (JSC::Yarr::RegularExpression::Private::Private):
2267         (JSC::Yarr::RegularExpression::Private::compile):
2268         (JSC::Yarr::RegularExpression::RegularExpression):
2269         * yarr/RegularExpression.h:
2270
2271 2018-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2272
2273         [JSC] Add more JSType based fast path for jsDynamicCast
2274         https://bugs.webkit.org/show_bug.cgi?id=183403
2275
2276         Reviewed by Mark Lam.
2277
2278         We add more JSType-based fast paths for jsDynamicCast. Basically, we add miscellaneous JSTypes which
2279         are used for jsDynamicCast in JSC, arguments types, and scope types.
2280
2281         We also add ClassInfo to JSScope and JSSegmentedVariableObject since they are used with jsDynamicCast.
2282
2283         * jit/JITOperations.cpp:
2284         * llint/LLIntSlowPaths.cpp:
2285         (JSC::LLInt::setUpCall):
2286         * runtime/ClonedArguments.h:
2287         (JSC::ClonedArguments::specialsMaterialized const): Deleted.
2288         * runtime/DirectArguments.h:
2289         (JSC::DirectArguments::subspaceFor): Deleted.
2290         (JSC::DirectArguments::internalLength const): Deleted.
2291         (JSC::DirectArguments::length const): Deleted.
2292         (JSC::DirectArguments::isMappedArgument const): Deleted.
2293         (JSC::DirectArguments::isMappedArgumentInDFG const): Deleted.
2294         (JSC::DirectArguments::getIndexQuickly const): Deleted.
2295         (JSC::DirectArguments::setIndexQuickly): Deleted.
2296         (JSC::DirectArguments::callee): Deleted.
2297         (JSC::DirectArguments::argument): Deleted.
2298         (JSC::DirectArguments::overrodeThings const): Deleted.
2299         (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
2300         (JSC::DirectArguments::setModifiedArgumentDescriptor): Deleted.
2301         (JSC::DirectArguments::isModifiedArgumentDescriptor): Deleted.
2302         (JSC::DirectArguments::offsetOfCallee): Deleted.
2303         (JSC::DirectArguments::offsetOfLength): Deleted.
2304         (JSC::DirectArguments::offsetOfMinCapacity): Deleted.
2305         (JSC::DirectArguments::offsetOfMappedArguments): Deleted.
2306         (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor): Deleted.
2307         (JSC::DirectArguments::storageOffset): Deleted.
2308         (JSC::DirectArguments::offsetOfSlot): Deleted.
2309         (JSC::DirectArguments::allocationSize): Deleted.
2310         (JSC::DirectArguments::storage): Deleted.
2311         * runtime/JSCast.h:
2312         * runtime/JSGlobalLexicalEnvironment.h:
2313         (JSC::JSGlobalLexicalEnvironment::create): Deleted.
2314         (JSC::JSGlobalLexicalEnvironment::isEmpty const): Deleted.
2315         (JSC::JSGlobalLexicalEnvironment::createStructure): Deleted.
2316         (JSC::JSGlobalLexicalEnvironment::JSGlobalLexicalEnvironment): Deleted.
2317         * runtime/JSGlobalObject.cpp:
2318         (JSC::JSGlobalObject::finishCreation):
2319         * runtime/JSMap.h:
2320         (JSC::isJSMap): Deleted.
2321         * runtime/JSModuleEnvironment.h:
2322         (JSC::JSModuleEnvironment::create): Deleted.
2323         (JSC::JSModuleEnvironment::createStructure): Deleted.
2324         (JSC::JSModuleEnvironment::offsetOfModuleRecord): Deleted.
2325         (JSC::JSModuleEnvironment::allocationSize): Deleted.
2326         (JSC::JSModuleEnvironment::moduleRecord): Deleted.
2327         (JSC::JSModuleEnvironment::moduleRecordSlot): Deleted.
2328         * runtime/JSObject.cpp:
2329         (JSC::canDoFastPutDirectIndex):
2330         (JSC::JSObject::defineOwnIndexedProperty):
2331         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2332         * runtime/JSObject.h:
2333         (JSC::JSFinalObject::allocationSize): Deleted.
2334         (JSC::JSFinalObject::typeInfo): Deleted.
2335         (JSC::JSFinalObject::defaultInlineCapacity): Deleted.
2336         (JSC::JSFinalObject::maxInlineCapacity): Deleted.
2337         (JSC::JSFinalObject::createStructure): Deleted.
2338         (JSC::JSFinalObject::finishCreation): Deleted.
2339         (JSC::JSFinalObject::JSFinalObject): Deleted.
2340         (JSC::isJSFinalObject): Deleted.
2341         * runtime/JSScope.cpp:
2342         * runtime/JSScope.h:
2343         * runtime/JSSegmentedVariableObject.cpp:
2344         * runtime/JSSegmentedVariableObject.h:
2345         * runtime/JSSet.h:
2346         (JSC::isJSSet): Deleted.
2347         * runtime/JSType.h:
2348         * runtime/JSWeakMap.h:
2349         (JSC::isJSWeakMap): Deleted.
2350         * runtime/JSWeakSet.h:
2351         (JSC::isJSWeakSet): Deleted.
2352         * runtime/JSWithScope.h:
2353         (JSC::JSWithScope::object): Deleted.
2354         * runtime/MapConstructor.cpp:
2355         (JSC::constructMap):
2356         (JSC::mapPrivateFuncMapBucketHead):
2357         * runtime/MapPrototype.cpp:
2358         (JSC::getMap):
2359         * runtime/NumberObject.cpp:
2360         (JSC::NumberObject::finishCreation):
2361         * runtime/NumberPrototype.cpp:
2362         (JSC::toThisNumber):
2363         (JSC::numberProtoFuncToExponential):
2364         (JSC::numberProtoFuncToFixed):
2365         (JSC::numberProtoFuncToPrecision):
2366         (JSC::numberProtoFuncToString):
2367         (JSC::numberProtoFuncToLocaleString):
2368         (JSC::numberProtoFuncValueOf):
2369         * runtime/ObjectConstructor.cpp:
2370         (JSC::objectConstructorSeal):
2371         (JSC::objectConstructorFreeze):
2372         (JSC::objectConstructorIsSealed):
2373         (JSC::objectConstructorIsFrozen):
2374         * runtime/ProxyObject.cpp:
2375         (JSC::ProxyObject::finishCreation):
2376         * runtime/ScopedArguments.h:
2377         (JSC::ScopedArguments::subspaceFor): Deleted.
2378         (JSC::ScopedArguments::internalLength const): Deleted.
2379         (JSC::ScopedArguments::length const): Deleted.
2380         (JSC::ScopedArguments::isMappedArgument const): Deleted.
2381         (JSC::ScopedArguments::isMappedArgumentInDFG const): Deleted.
2382         (JSC::ScopedArguments::getIndexQuickly const): Deleted.
2383         (JSC::ScopedArguments::setIndexQuickly): Deleted.
2384         (JSC::ScopedArguments::callee): Deleted.
2385         (JSC::ScopedArguments::overrodeThings const): Deleted.
2386         (JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
2387         (JSC::ScopedArguments::setModifiedArgumentDescriptor): Deleted.
2388         (JSC::ScopedArguments::isModifiedArgumentDescriptor): Deleted.
2389         (JSC::ScopedArguments::offsetOfOverrodeThings): Deleted.
2390         (JSC::ScopedArguments::offsetOfTotalLength): Deleted.
2391         (JSC::ScopedArguments::offsetOfTable): Deleted.
2392         (JSC::ScopedArguments::offsetOfScope): Deleted.
2393         (JSC::ScopedArguments::overflowStorageOffset): Deleted.
2394         (JSC::ScopedArguments::allocationSize): Deleted.
2395         (JSC::ScopedArguments::overflowStorage const): Deleted.
2396         * runtime/SetConstructor.cpp:
2397         (JSC::constructSet):
2398         (JSC::setPrivateFuncSetBucketHead):
2399         * runtime/SetPrototype.cpp:
2400         (JSC::getSet):
2401         * runtime/StrictEvalActivation.h:
2402         (JSC::StrictEvalActivation::create): Deleted.
2403         (JSC::StrictEvalActivation::createStructure): Deleted.
2404         * runtime/WeakMapPrototype.cpp:
2405         (JSC::getWeakMap):
2406         * runtime/WeakSetPrototype.cpp:
2407         (JSC::getWeakSet):
2408
2409 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
2410
2411         [ARM] offlineasm: fix indentation in armOpcodeReversedOperands
2412         https://bugs.webkit.org/show_bug.cgi?id=183400
2413
2414         Reviewed by Mark Lam.
2415
2416         * offlineasm/arm.rb:
2417
2418 2018-03-06  Mark Lam  <mark.lam@apple.com>
2419
2420         Prepare LLInt code to support pointer profiling.
2421         https://bugs.webkit.org/show_bug.cgi?id=183387
2422         <rdar://problem/38199678>
2423
2424         Reviewed by JF Bastien.
2425
2426         1. Introduced PtrTag enums for supporting pointer profiling later.
2427
2428         2. Also introduced tagging, untagging, retagging, and tag removal placeholder
2429            template functions for the same purpose.
2430
2431         3. Prepare the offlineasm for supporting pointer profiling later.
2432
2433         4. Tagged some pointers in LLInt asm code.  Currently, these should have no
2434            effect on behavior.
2435
2436         5. Removed returnToThrowForThrownException() because it is not used anywhere.
2437
2438         6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
2439            easier to view and edit these files in Xcode.
2440
2441         * CMakeLists.txt:
2442         * JavaScriptCore.xcodeproj/project.pbxproj:
2443         * bytecode/LLIntCallLinkInfo.h:
2444         (JSC::LLIntCallLinkInfo::unlink):
2445         * llint/LLIntData.cpp:
2446         (JSC::LLInt::initialize):
2447         * llint/LLIntData.h:
2448         * llint/LLIntExceptions.cpp:
2449         (JSC::LLInt::returnToThrowForThrownException): Deleted.
2450         * llint/LLIntExceptions.h:
2451         * llint/LLIntOfflineAsmConfig.h:
2452         * llint/LLIntOffsetsExtractor.cpp:
2453         * llint/LLIntPCRanges.h:
2454         (JSC::LLInt::isLLIntPC):
2455         * llint/LLIntSlowPaths.cpp:
2456         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2457         (JSC::LLInt::handleHostCall):
2458         (JSC::LLInt::setUpCall):
2459         * llint/LowLevelInterpreter.asm:
2460         * llint/LowLevelInterpreter32_64.asm:
2461         * llint/LowLevelInterpreter64.asm:
2462         * offlineasm/ast.rb:
2463         * offlineasm/instructions.rb:
2464         * offlineasm/risc.rb:
2465         * runtime/PtrTag.h: Added.
2466         (JSC::uniquePtrTagID):
2467         (JSC::ptrTag):
2468         (JSC::tagCodePtr):
2469         (JSC::untagCodePtr):
2470         (JSC::retagCodePtr):
2471         (JSC::removeCodePtrTag):
2472
2473 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
2474
2475         [ARM] Assembler warnings: "use of r13 is deprecated"
2476         https://bugs.webkit.org/show_bug.cgi?id=183286
2477
2478         Reviewed by Mark Lam.
2479
2480         Usage of sp/r13 as operand Rm is deprecated on ARM. offlineasm
2481         sometimes generates assembly code that triggers this warning. Prevent
2482         this by simply switching operands.
2483
2484         * offlineasm/arm.rb:
2485
2486 2018-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2487
2488         Unreviewed, fix incorrect assertion after r229309
2489         https://bugs.webkit.org/show_bug.cgi?id=182975
2490
2491         * runtime/TypeProfilerLog.cpp:
2492         (JSC::TypeProfilerLog::TypeProfilerLog):
2493
2494 2018-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2495
2496         Fix std::make_unique / new[] using system malloc
2497         https://bugs.webkit.org/show_bug.cgi?id=182975
2498
2499         Reviewed by JF Bastien.
2500
2501         Use Vector, FAST_ALLOCATED, or UniqueArray instead.
2502
2503         * API/JSStringRefCF.cpp:
2504         (JSStringCreateWithCFString):
2505         * bytecode/BytecodeKills.h:
2506         * bytecode/BytecodeLivenessAnalysis.cpp:
2507         (JSC::BytecodeLivenessAnalysis::computeKills):
2508         * dfg/DFGDisassembler.cpp:
2509         (JSC::DFG::Disassembler::dumpDisassembly):
2510         * jit/PolymorphicCallStubRoutine.cpp:
2511         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2512         * jit/PolymorphicCallStubRoutine.h:
2513         * jit/Repatch.cpp:
2514         (JSC::linkPolymorphicCall):
2515         * jsc.cpp:
2516         (currentWorkingDirectory):
2517         * llint/LLIntData.cpp:
2518         (JSC::LLInt::initialize):
2519         * llint/LLIntData.h:
2520         * runtime/ArgList.h:
2521         * runtime/StructureChain.h:
2522         * runtime/StructureIDTable.cpp:
2523         (JSC::StructureIDTable::StructureIDTable):
2524         (JSC::StructureIDTable::resize):
2525         * runtime/StructureIDTable.h:
2526         * runtime/TypeProfilerLog.cpp:
2527         (JSC::TypeProfilerLog::TypeProfilerLog):
2528         (JSC::TypeProfilerLog::initializeLog): Deleted.
2529         * runtime/TypeProfilerLog.h:
2530         (JSC::TypeProfilerLog::TypeProfilerLog): Deleted.
2531         * runtime/VM.cpp:
2532         (JSC::VM::~VM):
2533         (JSC::VM::acquireRegExpPatternContexBuffer):
2534         * runtime/VM.h:
2535         * testRegExp.cpp:
2536         (runFromFiles):
2537         * tools/HeapVerifier.cpp:
2538         (JSC::HeapVerifier::HeapVerifier):
2539         * tools/HeapVerifier.h:
2540
2541 2018-03-05  Mark Lam  <mark.lam@apple.com>
2542
2543         JITThunk functions should only be called when the JIT is enabled.
2544         https://bugs.webkit.org/show_bug.cgi?id=183351
2545         <rdar://problem/38160091>
2546
2547         Reviewed by Keith Miller.
2548
2549         * jit/JITThunks.cpp:
2550         (JSC::JITThunks::ctiNativeCall):
2551         (JSC::JITThunks::ctiNativeConstruct):
2552         (JSC::JITThunks::ctiInternalFunctionCall):
2553         (JSC::JITThunks::ctiInternalFunctionConstruct):
2554         * runtime/VM.cpp:
2555         (JSC::VM::VM):
2556         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2557
2558 2018-03-05  Mark Lam  <mark.lam@apple.com>
2559
2560         Gardening: build fix.
2561
2562         Not reviewed.
2563
2564         * interpreter/AbstractPC.h:
2565         (JSC::AbstractPC::AbstractPC):
2566
2567 2018-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2568
2569         [JSC] Use WTF::ArithmeticOperations for CLoop overflow operations
2570         https://bugs.webkit.org/show_bug.cgi?id=183324
2571
2572         Reviewed by JF Bastien.
2573
2574         We have WTF::ArithmeticOperations which has operations with overflow checking.
2575         This is suitable for CLoop's overflow checking operations. This patch emits
2576         WTF::ArithmeticOperations for CLoop's overflow checking operations, and it is
2577         lowered to optimized code using the CPU's overflow flag.
2578
2579         * offlineasm/cloop.rb:
2580
2581 2018-03-05  Don Olmstead  <don.olmstead@sony.com>
2582
2583         [CMake] Split JSC header copying into public and private targets
2584         https://bugs.webkit.org/show_bug.cgi?id=183251
2585
2586         Reviewed by Konstantin Tokarev.
2587
2588         * CMakeLists.txt:
2589
2590 2018-03-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2591
2592         [WTF] Move currentCPUTime and sleep(Seconds) to CPUTime.h and Seconds.h respectively
2593         https://bugs.webkit.org/show_bug.cgi?id=183312
2594
2595         Reviewed by Mark Lam.
2596
2597         Remove wtf/CurrentTime.h include pragma.
2598
2599         * API/tests/ExecutionTimeLimitTest.cpp:
2600         (currentCPUTimeAsJSFunctionCallback):
2601         (testExecutionTimeLimit):
2602         * bytecode/SuperSampler.cpp:
2603         * dfg/DFGPlan.cpp:
2604         * heap/BlockDirectory.cpp:
2605         * heap/Heap.cpp:
2606         * heap/IncrementalSweeper.cpp:
2607         * inspector/agents/InspectorConsoleAgent.cpp:
2608         * inspector/agents/InspectorRuntimeAgent.cpp:
2609         * profiler/ProfilerDatabase.cpp:
2610         * runtime/CodeCache.h:
2611         * runtime/JSDateMath.cpp:
2612         * runtime/TypeProfilerLog.cpp:
2613         * runtime/VM.cpp:
2614         * runtime/Watchdog.cpp:
2615         (JSC::Watchdog::shouldTerminate):
2616         (JSC::Watchdog::startTimer):
2617         * testRegExp.cpp:
2618         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2619
2620 2018-03-04  Tim Horton  <timothy_horton@apple.com>
2621
2622         Make !ENABLE(DATA_DETECTION) iOS build actually succeed
2623         https://bugs.webkit.org/show_bug.cgi?id=183283
2624         <rdar://problem/38062148>
2625
2626         Reviewed by Sam Weinig.
2627
2628         * Configurations/FeatureDefines.xcconfig:
2629
2630 2018-03-02  Mark Lam  <mark.lam@apple.com>
2631
2632         Make the LLInt probe work for ARM64.
2633         https://bugs.webkit.org/show_bug.cgi?id=183298
2634         <rdar://problem/38077413>
2635
2636         Reviewed by Filip Pizlo.
2637
2638         * llint/LowLevelInterpreter.asm:
2639
2640 2018-03-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2641
2642         [JSC] Annotate more classes with WTF_MAKE_FAST_ALLOCATED
2643         https://bugs.webkit.org/show_bug.cgi?id=183279
2644
2645         Reviewed by JF Bastien.
2646
2647         * bytecode/BytecodeIntrinsicRegistry.h:
2648         * ftl/FTLThunks.h:
2649         * heap/CodeBlockSet.h:
2650         * heap/GCSegmentedArray.h:
2651         * heap/MachineStackMarker.h:
2652         * heap/MarkingConstraintSet.h:
2653
2654 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2655
2656         Remove monotonicallyIncreasingTime
2657         https://bugs.webkit.org/show_bug.cgi?id=182911
2658
2659         Reviewed by Michael Catanzaro.
2660
2661         * debugger/Debugger.cpp:
2662         (JSC::Debugger::willEvaluateScript):
2663         (JSC::Debugger::didEvaluateScript):
2664         * debugger/Debugger.h:
2665         * debugger/ScriptProfilingScope.h:
2666         * inspector/agents/InspectorDebuggerAgent.cpp:
2667         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2668         * inspector/agents/InspectorHeapAgent.cpp:
2669         (Inspector::InspectorHeapAgent::snapshot):
2670         (Inspector::InspectorHeapAgent::didGarbageCollect):
2671         (Inspector::InspectorHeapAgent::dispatchGarbageCollectedEvent):
2672         * inspector/agents/InspectorHeapAgent.h:
2673         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2674         (Inspector::InspectorScriptProfilerAgent::startTracking):
2675         (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
2676         (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
2677         (Inspector::InspectorScriptProfilerAgent::addEvent):
2678         (Inspector::buildSamples):
2679         * inspector/agents/InspectorScriptProfilerAgent.h:
2680         * runtime/SamplingProfiler.cpp:
2681         (JSC::SamplingProfiler::takeSample):
2682         * runtime/SamplingProfiler.h:
2683
2684 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2685
2686         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
2687         https://bugs.webkit.org/show_bug.cgi?id=183173
2688
2689         Reviewed by Saam Barati.
2690
2691         Classifier could propagate an error which does not occur at the first token
2692         of the given expression. We should check whether the given token is "async"
2693         instead of assertion.
2694
2695         * parser/Parser.cpp:
2696         (JSC::Parser<LexerType>::parseAssignmentExpression):
2697
2698 2018-03-01  Saam Barati  <sbarati@apple.com>
2699
2700         We need to clear cached structures when having a bad time
2701         https://bugs.webkit.org/show_bug.cgi?id=183256
2702         <rdar://problem/36245022>
2703
2704         Reviewed by Mark Lam.
2705
2706         This patch makes both InternalFunctionAllocationProfile and the VM's
2707         structure cache having-a-bad-time aware. For InternalFunctionAllocationProfile,
2708         we clear them when they'd produce an object with a bad indexing type.
2709         For the VM's Structure cache, we conservatively clear the entire cache 
2710         since it may be housing Structures with bad indexing types.
2711
2712         * runtime/FunctionRareData.h:
2713         (JSC::FunctionRareData::clearInternalFunctionAllocationProfile):
2714         * runtime/JSGlobalObject.cpp:
2715         (JSC::JSGlobalObject::haveABadTime):
2716         * runtime/StructureCache.h:
2717         (JSC::StructureCache::clear):
2718
2719 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2720
2721         Unreviewed, fix exception check for ExceptionScope
2722         https://bugs.webkit.org/show_bug.cgi?id=183175
2723
2724         * jsc.cpp:
2725         (GlobalObject::moduleLoaderFetch):
2726
2727 2018-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
2728
2729         [ARM] Fix compile error in debug builds by invoking unpoisoned().
2730
2731         Reviewed by Mark Lam.
2732
2733         * assembler/MacroAssemblerCodeRef.h:
2734         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): Fix compile error.
2735         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress()): Ditto.
2736         (JSC::MacroAssemblerCodePtr::dataLocation()): Ditto.
2737         * yarr/YarrInterpreter.cpp:
2738         (JSC::Yarr::ByteCompiler::dumpDisjunction): use %zu for printf'ing size_t.
2739
2740 2018-02-28  JF Bastien  <jfbastien@apple.com>
2741
2742         GC should sweep code block before deleting
2743         https://bugs.webkit.org/show_bug.cgi?id=183229
2744         <rdar://problem/32767615>
2745
2746         Reviewed by Saam Barati, Fil Pizlo.
2747
2748         Stub routines shouldn't get deleted before codeblocks have been
2749         swept, otherwise there's a small race window where the codeblock
2750         thinks it's still reachable.
2751
2752         * heap/Heap.cpp:
2753         (JSC::Heap::deleteUnmarkedCompiledCode):
2754         (JSC::Heap::sweepInFinalize):
2755
2756 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2757
2758         JSC crash with `import("")`
2759         https://bugs.webkit.org/show_bug.cgi?id=183175
2760
2761         Reviewed by Saam Barati.
2762
2763         Add file existence and file type check for module loader implementation in jsc.cpp.
2764         This is not safe for TOCTOU, but it is OK since this functionality is used for the
2765         JSC shell (jsc.cpp): testing purpose.
2766
2767         * jsc.cpp:
2768         (fillBufferWithContentsOfFile):
2769         (fetchModuleFromLocalFileSystem):
2770
2771 2018-02-27  Keith Miller  <keith_miller@apple.com>
2772
2773         Replace TrustedImmPtr(0) with TrustedImmPtr(nullptr)
2774         https://bugs.webkit.org/show_bug.cgi?id=183195
2775
2776         Reviewed by Mark Lam.
2777
2778         * assembler/AbstractMacroAssembler.h:
2779         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
2780         * assembler/MacroAssembler.h:
2781         (JSC::MacroAssembler::patchableBranchPtr):
2782         (JSC::MacroAssembler::patchableBranchPtrWithPatch):
2783         * assembler/MacroAssemblerARM.h:
2784         (JSC::MacroAssemblerARM::branchPtrWithPatch):
2785         (JSC::MacroAssemblerARM::storePtrWithPatch):
2786         * assembler/MacroAssemblerARM64.h:
2787         (JSC::MacroAssemblerARM64::call):
2788         (JSC::MacroAssemblerARM64::tailRecursiveCall):
2789         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
2790         (JSC::MacroAssemblerARM64::patchableBranchPtrWithPatch):
2791         (JSC::MacroAssemblerARM64::storePtrWithPatch):
2792         * assembler/MacroAssemblerARMv7.h:
2793         (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
2794         (JSC::MacroAssemblerARMv7::patchableBranchPtr):
2795         (JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch):
2796         (JSC::MacroAssemblerARMv7::storePtrWithPatch):
2797         * assembler/MacroAssemblerMIPS.h:
2798         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
2799         (JSC::MacroAssemblerMIPS::storePtrWithPatch):
2800         * assembler/MacroAssemblerX86.h:
2801         (JSC::MacroAssemblerX86::branchPtrWithPatch):
2802         * assembler/MacroAssemblerX86_64.h:
2803         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
2804         (JSC::MacroAssemblerX86_64::call):
2805         (JSC::MacroAssemblerX86_64::tailRecursiveCall):
2806         (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
2807         (JSC::MacroAssemblerX86_64::branchPtrWithPatch):
2808         * bytecode/AccessCase.cpp:
2809         (JSC::AccessCase::generateImpl):
2810         * dfg/DFGSpeculativeJIT.cpp:
2811         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2812         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
2813         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2814         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2815         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2816         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2817         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2818         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2819         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2820         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2821         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
2822         * dfg/DFGSpeculativeJIT.h:
2823         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
2824         * dfg/DFGSpeculativeJIT32_64.cpp:
2825         (JSC::DFG::SpeculativeJIT::compile):
2826         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2827         * dfg/DFGSpeculativeJIT64.cpp:
2828         (JSC::DFG::SpeculativeJIT::emitCall):
2829         (JSC::DFG::SpeculativeJIT::compile):
2830         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2831         * dfg/DFGThunks.cpp:
2832         (JSC::DFG::osrExitGenerationThunkGenerator):
2833         * ftl/FTLLowerDFGToB3.cpp:
2834         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2835         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2836         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2837         * ftl/FTLThunks.cpp:
2838         (JSC::FTL::genericGenerationThunkGenerator):
2839         * jit/AssemblyHelpers.cpp:
2840         (JSC::AssemblyHelpers::debugCall):
2841         (JSC::AssemblyHelpers::sanitizeStackInline):
2842         * jit/IntrinsicEmitter.cpp:
2843         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
2844         * jit/JITCall.cpp:
2845         (JSC::JIT::compileOpCall):
2846         * jit/JITCall32_64.cpp:
2847         (JSC::JIT::compileOpCall):
2848         * jit/ScratchRegisterAllocator.cpp:
2849         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2850         * wasm/js/WasmToJS.cpp:
2851         (JSC::Wasm::wasmToJS):
2852         * yarr/YarrJIT.cpp:
2853         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
2854         (JSC::Yarr::YarrGenerator::storeToFrameWithPatch):
2855         (JSC::Yarr::YarrGenerator::generate):
2856
2857 2018-02-26  Mark Lam  <mark.lam@apple.com>
2858
2859         Modernize FINALIZE_CODE and peer macros to use __VA_ARGS__ arguments.
2860         https://bugs.webkit.org/show_bug.cgi?id=183159
2861         <rdar://problem/37930837>
2862
2863         Reviewed by Keith Miller.
2864
2865         * assembler/LinkBuffer.h:
2866         * assembler/testmasm.cpp:
2867         (JSC::compile):
2868         * b3/B3Compile.cpp:
2869         (JSC::B3::compile):
2870         * b3/air/testair.cpp:
2871         * b3/testb3.cpp:
2872         (JSC::B3::testEntrySwitchSimple):
2873         (JSC::B3::testEntrySwitchNoEntrySwitch):
2874         (JSC::B3::testEntrySwitchWithCommonPaths):
2875         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
2876         (JSC::B3::testEntrySwitchLoop):
2877         * bytecode/InlineAccess.cpp:
2878         (JSC::linkCodeInline):
2879         (JSC::InlineAccess::rewireStubAsJump):
2880         * bytecode/PolymorphicAccess.cpp:
2881         (JSC::PolymorphicAccess::regenerate):
2882         * dfg/DFGJITFinalizer.cpp:
2883         (JSC::DFG::JITFinalizer::finalize):
2884         (JSC::DFG::JITFinalizer::finalizeFunction):
2885         * dfg/DFGOSRExit.cpp:
2886         (JSC::DFG::OSRExit::compileOSRExit):
2887         * dfg/DFGThunks.cpp:
2888         (JSC::DFG::osrExitThunkGenerator):
2889         (JSC::DFG::osrExitGenerationThunkGenerator):
2890         (JSC::DFG::osrEntryThunkGenerator):
2891         * ftl/FTLJITFinalizer.cpp:
2892         (JSC::FTL::JITFinalizer::finalizeCommon):
2893         * ftl/FTLLazySlowPath.cpp:
2894         (JSC::FTL::LazySlowPath::generate):
2895         * ftl/FTLOSRExitCompiler.cpp:
2896         (JSC::FTL::compileStub):
2897         * ftl/FTLThunks.cpp:
2898         (JSC::FTL::genericGenerationThunkGenerator):
2899         (JSC::FTL::slowPathCallThunkGenerator):
2900         * jit/ExecutableAllocator.cpp:
2901         * jit/JIT.cpp:
2902         (JSC::JIT::link):
2903         * jit/JITMathIC.h:
2904         (JSC::isProfileEmpty):
2905         * jit/JITOpcodes.cpp:
2906         (JSC::JIT::privateCompileHasIndexedProperty):
2907         * jit/JITOpcodes32_64.cpp:
2908         (JSC::JIT::privateCompileHasIndexedProperty):
2909         * jit/JITPropertyAccess.cpp:
2910         (JSC::JIT::stringGetByValStubGenerator):
2911         (JSC::JIT::privateCompileGetByVal):
2912         (JSC::JIT::privateCompileGetByValWithCachedId):
2913         (JSC::JIT::privateCompilePutByVal):
2914         (JSC::JIT::privateCompilePutByValWithCachedId):
2915         * jit/JITPropertyAccess32_64.cpp:
2916         (JSC::JIT::stringGetByValStubGenerator):
2917         * jit/JITStubRoutine.h:
2918         * jit/Repatch.cpp:
2919         (JSC::linkPolymorphicCall):
2920         * jit/SpecializedThunkJIT.h:
2921         (JSC::SpecializedThunkJIT::finalize):
2922         * jit/ThunkGenerators.cpp:
2923         (JSC::throwExceptionFromCallSlowPathGenerator):
2924         (JSC::linkCallThunkGenerator):
2925         (JSC::linkPolymorphicCallThunkGenerator):
2926         (JSC::virtualThunkFor):
2927         (JSC::nativeForGenerator):
2928         (JSC::arityFixupGenerator):
2929         (JSC::unreachableGenerator):
2930         (JSC::boundThisNoArgsFunctionCallGenerator):
2931         * llint/LLIntThunks.cpp:
2932         (JSC::LLInt::generateThunkWithJumpTo):
2933         * wasm/WasmBBQPlan.cpp:
2934         (JSC::Wasm::BBQPlan::complete):
2935         * wasm/WasmBinding.cpp:
2936         (JSC::Wasm::wasmToWasm):
2937         * wasm/WasmOMGPlan.cpp:
2938         (JSC::Wasm::OMGPlan::work):
2939         * wasm/WasmThunks.cpp:
2940         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2941         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2942         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2943         * wasm/js/WasmToJS.cpp:
2944         (JSC::Wasm::handleBadI64Use):
2945         (JSC::Wasm::wasmToJS):
2946         * yarr/YarrJIT.cpp:
2947         (JSC::Yarr::YarrGenerator::compile):
2948
2949 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2950
2951         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
2952         https://bugs.webkit.org/show_bug.cgi?id=182965
2953
2954         Reviewed by Saam Barati.
2955
2956         This patch extends FTL coverage for PutByVal by adding ArrayStorage and SlowPutArrayStorage support.
2957         Basically, a large part of the patch is ported from DFG code. Since PutByVal already emits CheckInBounds
2958         for the InBounds case, we do not have an OutOfBounds check for that case.
2959         This is the last change for FTL to support all the types of DFG nodes except for CreateThis.
2960
2961         * dfg/DFGOperations.cpp:
2962         * dfg/DFGOperations.h:
2963         * dfg/DFGSpeculativeJIT.cpp:
2964         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2965         * dfg/DFGSpeculativeJIT64.cpp:
2966         (JSC::DFG::SpeculativeJIT::compile):
2967         * ftl/FTLCapabilities.cpp:
2968         (JSC::FTL::canCompile):
2969         * ftl/FTLLowerDFGToB3.cpp:
2970         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2971         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
2972         For consistency, we use operationPutByValXXX and operationPutByValDirectXXX.
2973         But except for the SlowPutArrayStorage case, it is basically meaningless since
2974         we do not have indexed accessors.
2975
2976 2018-02-26  Saam Barati  <sbarati@apple.com>
2977
2978         validateStackAccess should not validate if the offset is within the stack bounds
2979         https://bugs.webkit.org/show_bug.cgi?id=183067
2980         <rdar://problem/37749988>
2981
2982         Reviewed by Mark Lam.
2983
2984         The validation rule was saying that any load from the stack must be
2985         within the stack bounds of the frame. However, it's natural for a user
2986         of B3 to emit code that may be outside of B3's stack bounds, but guard
2987         such a load with a branch. The FTL does exactly this with GetMyArgumentByVal.
2988         B3 is wrong to assert that this is a static property about all stack loads.
2989
2990         * b3/B3Validate.cpp:
2991
2992 2018-02-23  Saam Barati  <sbarati@apple.com>
2993
2994         Make Number.isInteger an intrinsic
2995         https://bugs.webkit.org/show_bug.cgi?id=183088
2996
2997         Reviewed by JF Bastien.
2998
2999         When profiling the ML subtest in ARES, I noticed it was spending some
3000         time in Number.isInteger. This patch makes that operation an intrinsic
3001         in the DFG/FTL. It might be a speedup by 1% or so on that subtest, but
3002         it's likely not an aggregate speedup on ARES. However, it is definitely
3003         faster than calling into a builtin function, so we might as well have
3004         it as an intrinsic.
3005
3006         * dfg/DFGAbstractInterpreterInlines.h:
3007         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3008         * dfg/DFGByteCodeParser.cpp:
3009         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3010         * dfg/DFGClobberize.h:
3011         (JSC::DFG::clobberize):
3012         * dfg/DFGDoesGC.cpp:
3013         (JSC::DFG::doesGC):
3014         * dfg/DFGFixupPhase.cpp:
3015         (JSC::DFG::FixupPhase::fixupNode):
3016         * dfg/DFGNodeType.h:
3017         * dfg/DFGOperations.cpp:
3018         * dfg/DFGOperations.h:
3019         * dfg/DFGPredictionPropagationPhase.cpp:
3020         * dfg/DFGSafeToExecute.h:
3021         (JSC::DFG::safeToExecute):
3022         * dfg/DFGSpeculativeJIT32_64.cpp:
3023         (JSC::DFG::SpeculativeJIT::compile):
3024         * dfg/DFGSpeculativeJIT64.cpp:
3025         (JSC::DFG::SpeculativeJIT::compile):
3026         * ftl/FTLCapabilities.cpp:
3027         (JSC::FTL::canCompile):
3028         * ftl/FTLLowerDFGToB3.cpp:
3029         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3030         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
3031         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
3032         * runtime/Intrinsic.cpp:
3033         (JSC::intrinsicName):
3034         * runtime/Intrinsic.h:
3035         * runtime/NumberConstructor.cpp:
3036         (JSC::NumberConstructor::finishCreation):
3037         (JSC::numberConstructorFuncIsInteger):
3038         * runtime/NumberConstructor.h:
3039         (JSC::NumberConstructor::isIntegerImpl):
3040
3041 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
3042
3043         WebAssembly: cache memory address / size on instance
3044         https://bugs.webkit.org/show_bug.cgi?id=177305
3045
3046         Reviewed by JF Bastien.
3047
3048         Cache memory address/size in Wasm::Instance to avoid loading the Wasm::Memory
3049         object during access to memory and the memory size property in the JIT.
3050
3051         * wasm/WasmB3IRGenerator.cpp:
3052         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
3053         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
3054         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3055         * wasm/WasmBinding.cpp:
3056         (JSC::Wasm::wasmToWasm):
3057         * wasm/WasmInstance.h:
3058         (JSC::Wasm::Instance::cachedMemory const):
3059         (JSC::Wasm::Instance::cachedMemorySize const):
3060         (JSC::Wasm::Instance::createWeakPtr):
3061         (JSC::Wasm::Instance::setMemory):
3062         (JSC::Wasm::Instance::updateCachedMemory):
3063         (JSC::Wasm::Instance::offsetOfCachedMemory):
3064         (JSC::Wasm::Instance::offsetOfCachedMemorySize):
3065         (JSC::Wasm::Instance::offsetOfCachedIndexingMask):
3066         (JSC::Wasm::Instance::allocationSize):
3067         * wasm/WasmMemory.cpp:
3068         (JSC::Wasm::Memory::grow):
3069         (JSC::Wasm::Memory::registerInstance):
3070         * wasm/WasmMemory.h:
3071         (JSC::Wasm::Memory::indexingMask):
3072         * wasm/js/JSToWasm.cpp:
3073         (JSC::Wasm::createJSToWasmWrapper):
3074         * wasm/js/WebAssemblyModuleRecord.cpp:
3075         (JSC::WebAssemblyModuleRecord::evaluate):
3076
3077 2018-02-23  Saam Barati  <sbarati@apple.com>
3078
3079         ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert
3080         https://bugs.webkit.org/show_bug.cgi?id=182982
3081
3082         Reviewed by Yusuke Suzuki.
3083
3084         I don't know why this check was not always an assert. When we see
3085         a GetByOffset on an eliminated allocation, that allocation *must*
3086         be a PhantomClonedArguments. If it weren't, the GetByOffset would
3087         have escaped it. Because this transformation happens by visiting
3088         blocks in pre-order, and by visiting nodes in a block starting from
3089         index zero to index block->size() - 1, we're guaranteed that eliminated
3090         allocations get transformed before users of it, since we visit nodes
3091         in dominator order.
3092
3093         * dfg/DFGArgumentsEliminationPhase.cpp:
3094
3095 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3096
3097         [JSC] Implement $vm.ftlTrue function for FTL testing
3098         https://bugs.webkit.org/show_bug.cgi?id=183071
3099
3100         Reviewed by Mark Lam.
3101
3102         Add $vm.ftlTrue, which becomes true if the caller is compiled in FTL.
3103         This is useful for testing whether the caller function is compiled in FTL.
3104
3105         We also remove the duplicate DFGTrue function in jsc.cpp. We have $vm.dfgTrue.
3106
3107         * dfg/DFGByteCodeParser.cpp:
3108         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3109         * jsc.cpp:
3110         (GlobalObject::finishCreation):
3111         (functionFalse1):
3112         (functionFalse2): Deleted.
3113         * runtime/Intrinsic.cpp:
3114         (JSC::intrinsicName):
3115         * runtime/Intrinsic.h:
3116         * tools/JSDollarVM.cpp:
3117         (JSC::functionFTLTrue):
3118         (JSC::JSDollarVM::finishCreation):
3119
3120 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3121
3122         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
3123         https://bugs.webkit.org/show_bug.cgi?id=182792
3124
3125         Reviewed by Mark Lam.
3126
3127         This patch adds HasIndexedProperty for ArrayStorage and SlowPutArrayStorage in FTL.
3128         HasIndexedProperty with ArrayStorage frequently causes FTL compilation failures
3129         in web-tooling-benchmarks.
3130
3131         * ftl/FTLCapabilities.cpp:
3132         (JSC::FTL::canCompile):
3133         * ftl/FTLLowerDFGToB3.cpp:
3134         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
3135
3136 2018-02-22  Mark Lam  <mark.lam@apple.com>
3137
3138         Refactor MacroAssembler code to improve reuse and extensibility.
3139         https://bugs.webkit.org/show_bug.cgi?id=183054
3140         <rdar://problem/37797337>
3141
3142         Reviewed by Saam Barati.
3143
3144         * assembler/ARM64Assembler.h:
3145         * assembler/MacroAssembler.cpp:
3146         * assembler/MacroAssembler.h:
3147         * assembler/MacroAssemblerARM.h:
3148         * assembler/MacroAssemblerARM64.h:
3149         (JSC::MacroAssemblerARM64::canCompact):
3150         (JSC::MacroAssemblerARM64::computeJumpType):
3151         (JSC::MacroAssemblerARM64::jumpSizeDelta):
3152         (JSC::MacroAssemblerARM64::link):
3153         (JSC::MacroAssemblerARM64::load64):
3154         (JSC::MacroAssemblerARM64::load64WithAddressOffsetPatch):
3155         (JSC::MacroAssemblerARM64::load32):
3156         (JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
3157         (JSC::MacroAssemblerARM64::load16):
3158         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
3159         (JSC::MacroAssemblerARM64::load8):
3160         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
3161         (JSC::MacroAssemblerARM64::store64):
3162         (JSC::MacroAssemblerARM64::store64WithAddressOffsetPatch):
3163         (JSC::MacroAssemblerARM64::store32):
3164         (JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
3165         (JSC::MacroAssemblerARM64::store16):
3166         (JSC::MacroAssemblerARM64::store8):
3167         (JSC::MacroAssemblerARM64::getEffectiveAddress):
3168         (JSC::MacroAssemblerARM64::branchDoubleNonZero):
3169         (JSC::MacroAssemblerARM64::branchDoubleZeroOrNaN):
3170         (JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
3171         (JSC::MacroAssemblerARM64::loadDouble):
3172         (JSC::MacroAssemblerARM64::loadFloat):
3173         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
3174         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
3175         (JSC::MacroAssemblerARM64::storeDouble):
3176         (JSC::MacroAssemblerARM64::storeFloat):
3177         (JSC::MacroAssemblerARM64::call):
3178         (JSC::MacroAssemblerARM64::jump):
3179         (JSC::MacroAssemblerARM64::tailRecursiveCall):
3180         (JSC::MacroAssemblerARM64::setCarry):
3181         (JSC::MacroAssemblerARM64::reemitInitialMoveWithPatch):
3182         (JSC::MacroAssemblerARM64::isBreakpoint):
3183         (JSC::MacroAssemblerARM64::invert):
3184         (JSC::MacroAssemblerARM64::readCallTarget):
3185         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
3186         (JSC::MacroAssemblerARM64::replaceWithJump):
3187         (JSC::MacroAssemblerARM64::maxJumpReplacementSize):
3188         (JSC::MacroAssemblerARM64::patchableJumpSize):
3189         (JSC::MacroAssemblerARM64::repatchCall):
3190         (JSC::MacroAssemblerARM64::makeBranch):
3191         (JSC::MacroAssemblerARM64::makeCompareAndBranch):
3192         (JSC::MacroAssemblerARM64::makeTestBitAndBranch):
3193         (JSC::MacroAssemblerARM64::ARM64Condition):
3194         (JSC::MacroAssemblerARM64::moveWithFixedWidth):
3195         (JSC::MacroAssemblerARM64::load):
3196         (JSC::MacroAssemblerARM64::store):
3197         (JSC::MacroAssemblerARM64::tryLoadWithOffset):
3198         (JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
3199         (JSC::MacroAssemblerARM64::tryStoreWithOffset):
3200         (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
3201         (JSC::MacroAssemblerARM64::linkCall):
3202         * assembler/MacroAssemblerARMv7.h:
3203         * assembler/MacroAssemblerMIPS.h:
3204         * assembler/MacroAssemblerX86Common.h:
3205         * assembler/ProbeStack.h:
3206         - Removed a forward declaration of an obsolete class.
3207
3208 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3209
3210         Remove sleep(double) and sleepMS(double) interfaces
3211         https://bugs.webkit.org/show_bug.cgi?id=183038
3212
3213         Reviewed by Mark Lam.
3214
3215         * bytecode/SuperSampler.cpp:
3216         (JSC::initializeSuperSampler):
3217
3218 2018-02-21  Don Olmstead  <don.olmstead@sony.com>
3219
3220         [CMake] Split declaration of JSC headers into public and private
3221         https://bugs.webkit.org/show_bug.cgi?id=182980
3222
3223         Reviewed by Michael Catanzaro.
3224
3225         * CMakeLists.txt:
3226         * PlatformGTK.cmake:
3227         * PlatformMac.cmake:
3228         * PlatformWPE.cmake:
3229         * PlatformWin.cmake:
3230
3231 2018-02-20  Saam Barati  <sbarati@apple.com>
3232
3233         DFG::VarargsForwardingPhase should eliminate getting argument length
3234         https://bugs.webkit.org/show_bug.cgi?id=182959
3235
3236         Reviewed by Keith Miller.
3237
3238         This patch teaches the DFG VarargsForwardingPhase to not treat
3239         length accesses on Cloned/Direct Arguments objects as escapes.
3240         It teaches this phase to materialize the length in the same
3241         way the ArgumentsEliminationPhase does.
3242         
3243         This is around a 0.5-1% speedup on ARES6 on my iMac. It speeds
3244         up the ML subtest by 2-4%.
3245         
3246         This patch also extends compileGetArgumentCountIncludingThis to take
3247         a parameter that is the inline call frame to load from (in the case
3248         where the inline call frame is a varargs frame). This allows the
3249         emitCodeToGetArgumentsArrayLength helper function to just emit
3250         a GetArgumentCountIncludingThis node instead of a GetLocal. If we
3251         emitted a GetLocal, we'd need to rerun CPS rethreading.
3252
3253         * dfg/DFGArgumentsEliminationPhase.cpp:
3254         * dfg/DFGArgumentsUtilities.cpp:
3255         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3256         * dfg/DFGByteCodeParser.cpp:
3257         (JSC::DFG::ByteCodeParser::getArgumentCount):
3258         * dfg/DFGClobberize.h:
3259         (JSC::DFG::clobberize):
3260         * dfg/DFGNode.h:
3261         (JSC::DFG::Node::argumentsInlineCallFrame):
3262         * dfg/DFGSpeculativeJIT.cpp:
3263         (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
3264         * dfg/DFGVarargsForwardingPhase.cpp:
3265         * ftl/FTLLowerDFGToB3.cpp:
3266         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis):
3267
3268 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3269
3270         [FTL] Support ArrayPush for ArrayStorage
3271         https://bugs.webkit.org/show_bug.cgi?id=182782
3272
3273         Reviewed by Saam Barati.
3274
3275         This patch adds support for ArrayPush(ArrayStorage). We just port ArrayPush(ArrayStorage) in DFG to FTL.
3276
3277         * ftl/FTLAbstractHeapRepository.h:
3278         * ftl/FTLCapabilities.cpp:
3279         (JSC::FTL::canCompile):
3280         * ftl/FTLLowerDFGToB3.cpp:
3281         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
3282
3283 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3284
3285         [FTL] Support ArrayPop for ArrayStorage
3286         https://bugs.webkit.org/show_bug.cgi?id=182783
3287
3288         Reviewed by Saam Barati.
3289
3290         This patch adds ArrayPop(ArrayStorage) support to FTL. We port the implementation in DFG to FTL.
3291
3292         * ftl/FTLAbstractHeapRepository.h:
3293         * ftl/FTLCapabilities.cpp:
3294         (JSC::FTL::canCompile):
3295         * ftl/FTLLowerDFGToB3.cpp:
3296         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
3297
3298 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3299
3300         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
3301         https://bugs.webkit.org/show_bug.cgi?id=182731
3302
3303         Reviewed by Saam Barati.
3304
3305         This patch adds support for Arrayify(ArrayStorage/SlowPutArrayStorage) to FTL.
3306         Due to ArrayifyToStructure and CheckArray changes, necessary changes for
3307         supporting Arrayify in FTL are already done. Just allowing it in FTLCapabilities.cpp
3308         is enough.
3309
3310         We fix FTL's CheckArray logic. Previously, CheckArray(SlowPutArrayStorage) did not pass
3311         ArrayStorage in FTL. But now it passes this as DFG does. Moreover, we fix DFG's CheckArray
3312         where CheckArray(ArrayStorage+NonArray) can pass ArrayStorage+Array.
3313
3314         * dfg/DFGSpeculativeJIT.cpp:
3315         (JSC::DFG::SpeculativeJIT::silentFill):
3316         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
3317         * dfg/DFGSpeculativeJIT.h:
3318         * ftl/FTLCapabilities.cpp:
3319         (JSC::FTL::canCompile):
3320         * ftl/FTLLowerDFGToB3.cpp:
3321         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
3322
3323 2018-02-19  Saam Barati  <sbarati@apple.com>
3324
3325         Don't use JSFunction's allocation profile when getting the prototype can be effectful
3326         https://bugs.webkit.org/show_bug.cgi?id=182942
3327         <rdar://problem/37584764>
3328
3329         Reviewed by Mark Lam.
3330
3331         Prior to this patch, the create_this implementation assumed that anything
3332         that is a JSFunction can use the object allocation profile and go down the
3333         fast path to allocate the |this| object. Implied by this approach is that
3334         accessing the 'prototype' property of the incoming function is not an
3335         effectful operation. This is inherent to the ObjectAllocationProfile 
3336         data structure: it caches the prototype field. However, getting the
3337         'prototype' property might be an effectful operation, e.g., it could
3338         be a getter. Many variants of functions in JS have the 'prototype' property
3339         as non-configurable. However, some functions, like bound functions, do not
3340         have the 'prototype' field with these attributes.
3341         
3342         This patch adds the notion of 'canUseAllocationProfile' to JSFunction
3343         and threads it through so that we only go down the fast path and use
3344         the allocation profile when the prototype property is non-configurable.
3345
3346         * bytecompiler/NodesCodegen.cpp:
3347         (JSC::ClassExprNode::emitBytecode):
3348         * dfg/DFGOperations.cpp:
3349         * runtime/CommonSlowPaths.cpp:
3350         (JSC::SLOW_PATH_DECL):
3351         * runtime/JSFunction.cpp:
3352         (JSC::JSFunction::prototypeForConstruction):
3353         (JSC::JSFunction::allocateAndInitializeRareData):
3354         (JSC::JSFunction::initializeRareData):
3355         (JSC::JSFunction::getOwnPropertySlot):
3356         (JSC::JSFunction::canUseAllocationProfileNonInline):
3357         * runtime/JSFunction.h:
3358         (JSC::JSFunction::ensureRareDataAndAllocationProfile):
3359         * runtime/JSFunctionInlines.h:
3360         (JSC::JSFunction::canUseAllocationProfile):
3361
3362 2018-02-19  Saam Barati  <sbarati@apple.com>
3363
3364         Don't mark an array profile out of bounds for the cases where the DFG will convert the access to SaneChain
3365         https://bugs.webkit.org/show_bug.cgi?id=182912
3366         <rdar://problem/37685083>
3367
3368         Reviewed by Keith Miller.
3369
3370         In the baseline JIT and LLInt, when we load a hole from an original array,
3371         with the array prototype chain being normal, we end up marking the ArrayProfile
3372         for that GetByVal as out of bounds. However, the DFG knows exactly how to
3373         optimize this case by returning undefined when loading from a hole. Currently,
3374         it only does this for Contiguous arrays (and sometimes Double arrays).
3375         This patch just makes sure to not mark the ArrayProfile as out of bounds
3376         in this scenario for Contiguous arrays, since the DFG will always optimize
3377         this case.
3378         
3379         However, we should extend this by profiling when a GetByVal loads a hole. By
3380         doing so, we can optimize this for Int32, ArrayStorage, and maybe even Double
3381         arrays. That work will happen in:
3382         https://bugs.webkit.org/show_bug.cgi?id=182940
3383         
3384         This patch is a 30-50% speedup on JetStream's hash-map test. This patch
3385         speeds up JetStream by 1% when testing on my iMac.
3386
3387         * dfg/DFGArrayMode.cpp:
3388         (JSC::DFG::ArrayMode::refine const):
3389         * dfg/DFGFixupPhase.cpp:
3390         (JSC::DFG::FixupPhase::fixupNode):
3391         * jit/JITOperations.cpp:
3392         (JSC::getByVal):