Fix crashes due to mishandling custom sections.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-02-01  Keith Miller  <keith_miller@apple.com>
2
3         Fix crashes due to mishandling custom sections.
4         https://bugs.webkit.org/show_bug.cgi?id=182404
5         <rdar://problem/36935863>
6
7         Reviewed by Saam Barati.
8
9         This also cleans up some of our validation code. We also
10         mistakenly allowed unknown (different from custom sections with
11         id: 0) section ids.
12
13         * wasm/WasmModuleParser.cpp:
14         (JSC::Wasm::ModuleParser::parse):
15         * wasm/WasmModuleParser.h:
16         * wasm/WasmSections.h:
17         (JSC::Wasm::isKnownSection):
18         (JSC::Wasm::decodeSection):
19         (JSC::Wasm::validateOrder):
20         (JSC::Wasm::makeString):
21         (JSC::Wasm::isValidSection): Deleted.
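
As an added illustration of the validation this entry describes (not WebKit's code: the names isKnownSection and validateOrder are borrowed from the file list above, but their bodies, the byte-level decoder and the section-id numbering, taken from the WebAssembly MVP binary format, are this example's own assumptions), a C++ validator that rejects unknown section ids while still allowing custom sections anywhere in the module:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Illustrative validator for the section sequence of a WebAssembly module;
// not WebKit's code. Ids follow the MVP binary format: 0 is the custom
// section, 1..11 are the known sections in their mandatory order.
enum class Section : unsigned {
    Custom = 0, Type = 1, Import = 2, Function = 3, Table = 4, Memory = 5,
    Global = 6, Export = 7, Start = 8, Element = 9, Code = 10, Data = 11,
};
constexpr unsigned lastKnownSectionId = static_cast<unsigned>(Section::Data);

// Custom (id 0) is known but unordered; any id above Data is unknown.
bool isKnownSection(unsigned id) { return id <= lastKnownSectionId; }

// Known sections must appear in strictly increasing id order, at most once
// each; custom sections may appear anywhere, any number of times.
bool validateOrder(Section previous, Section next)
{
    if (next == Section::Custom) return true;
    return static_cast<unsigned>(next) > static_cast<unsigned>(previous);
}

// Decode an unsigned LEB128 value; returns false on truncation or on an
// encoding longer than the five bytes a 32-bit value can need.
bool parseVarUInt32(const std::vector<uint8_t>& bytes, size_t& offset, uint32_t& result)
{
    result = 0;
    for (unsigned shift = 0; shift < 32; shift += 7) {
        if (offset >= bytes.size()) return false;
        uint8_t byte = bytes[offset++];
        result |= static_cast<uint32_t>(byte & 0x7f) << shift;
        if (!(byte & 0x80)) return true;
    }
    return false;
}

// Walk the sections that follow the 8-byte magic/version header. Each section
// is [id byte][varuint32 payload length][payload]. Returns false on an unknown
// id, an ordering violation, or a payload that runs past the end of the input.
bool validateSections(const std::vector<uint8_t>& body)
{
    size_t offset = 0;
    Section previous = Section::Custom;
    while (offset < body.size()) {
        unsigned id = body[offset++];
        if (!isKnownSection(id)) return false; // the case previously let through
        Section current = static_cast<Section>(id);
        if (!validateOrder(previous, current)) return false;
        uint32_t length = 0;
        if (!parseVarUInt32(body, offset, length)) return false;
        if (length > body.size() - offset) return false; // payload truncated
        offset += length; // payload contents are irrelevant to this check
        if (current != Section::Custom) previous = current;
    }
    return true;
}
```

The unknown-id check runs before anything else consumes the id, so an id above the known range never reaches the order check or any per-section dispatch; the length check likewise bounds the skip before the offset moves.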
22
23 2018-02-01  Michael Catanzaro  <mcatanzaro@igalia.com>
24
25         -Wreturn-type warning in DFGObjectAllocationSinkingPhase.cpp
26         https://bugs.webkit.org/show_bug.cgi?id=182389
27
28         Reviewed by Yusuke Suzuki.
29
30         Fix the warning.
31
32         As a bonus, remove a couple of unreachable breaks for good measure.
33
34         * dfg/DFGObjectAllocationSinkingPhase.cpp:
35
36 2018-02-01  Chris Dumez  <cdumez@apple.com>
37
38         Queue a microtask when a waitUntil() promise is settled
39         https://bugs.webkit.org/show_bug.cgi?id=182372
40         <rdar://problem/37101019>
41
42         Reviewed by Mark Lam.
43
44         Export a symbol so it can be used in WebCore.
45
46         * runtime/JSGlobalObject.h:
47
48 2018-01-31  Don Olmstead  <don.olmstead@sony.com>
49
50         [CMake] Make JavaScriptCore headers copies
51         https://bugs.webkit.org/show_bug.cgi?id=182303
52
53         Reviewed by Alex Christensen.
54
55         * CMakeLists.txt:
56         * PlatformGTK.cmake:
57         * PlatformJSCOnly.cmake:
58         * PlatformMac.cmake:
59         * PlatformWPE.cmake:
60         * PlatformWin.cmake:
61         * shell/CMakeLists.txt:
62         * shell/PlatformWin.cmake:
63
64 2018-01-31  Saam Barati  <sbarati@apple.com>
65
66         Replace tryLargeMemalignVirtual with tryLargeZeroedMemalignVirtual and use it to allocate large zeroed memory in Wasm
67         https://bugs.webkit.org/show_bug.cgi?id=182064
68         <rdar://problem/36840132>
69
70         Reviewed by Geoffrey Garen.
71
72         This patch switches WebAssembly Memory to always use bmalloc's
73         zeroed virtual allocation API. This makes it so that we don't
74         dirty the memory to zero it. It's a huge compile time speedup
75         on WasmBench on iOS.
76
77         * wasm/WasmMemory.cpp:
78         (JSC::Wasm::Memory::create):
79         (JSC::Wasm::Memory::~Memory):
80         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
81         (JSC::Wasm::Memory::grow):
82         (JSC::Wasm::commitZeroPages): Deleted.
83
84 2018-01-31  Mark Lam  <mark.lam@apple.com>
85
86         Build fix for CLoop after r227874.
87         https://bugs.webkit.org/show_bug.cgi?id=182155
88         <rdar://problem/36286266>
89
90         Not reviewed.
91
92         Just needed support for lea of a LabelReference in cloop.rb (just like those
93         added for arm64.rb and x86.rb).
94
95         * offlineasm/cloop.rb:
96
97 2018-01-31  Keith Miller  <keith_miller@apple.com>
98
99         Canonicalize acquiring the JSCell lock.
100         https://bugs.webkit.org/show_bug.cgi?id=182320
101
102         Reviewed by Michael Saboff.
103
104         It's currently kinda annoying to figure out where
105         we acquire a JSCell's lock. This patch adds a
106         helper to make it easier to grep...
107
108         * bytecode/UnlinkedCodeBlock.cpp:
109         (JSC::UnlinkedCodeBlock::visitChildren):
110         (JSC::UnlinkedCodeBlock::setInstructions):
111         (JSC::UnlinkedCodeBlock::shrinkToFit):
112         * runtime/ErrorInstance.cpp:
113         (JSC::ErrorInstance::finishCreation):
114         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
115         (JSC::ErrorInstance::visitChildren):
116         * runtime/JSArray.cpp:
117         (JSC::JSArray::shiftCountWithArrayStorage):
118         (JSC::JSArray::unshiftCountWithArrayStorage):
119         * runtime/JSCell.h:
120         (JSC::JSCell::cellLock):
121         * runtime/JSObject.cpp:
122         (JSC::JSObject::visitButterflyImpl):
123         (JSC::JSObject::convertContiguousToArrayStorage):
124         * runtime/JSPropertyNameEnumerator.cpp:
125         (JSC::JSPropertyNameEnumerator::visitChildren):
126         * runtime/SparseArrayValueMap.cpp:
127         (JSC::SparseArrayValueMap::add):
128         (JSC::SparseArrayValueMap::remove):
129         (JSC::SparseArrayValueMap::visitChildren):
130
131 2018-01-31  Saam Barati  <sbarati@apple.com>
132
133         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
134         https://bugs.webkit.org/show_bug.cgi?id=182074
135         <rdar://problem/36846261>
136
137         Reviewed by Mark Lam.
138
139         This patch teaches the JSONP evaluator about the global lexical environment.
140         Before, it was using the global object as the global scope, but that's wrong.
141         The global lexical environment is the first node in the global scope chain.
142
143         * interpreter/Interpreter.cpp:
144         (JSC::Interpreter::executeProgram):
145         * jsc.cpp:
146         (GlobalObject::finishCreation):
147         (shellSupportsRichSourceInfo):
148         (functionDisableRichSourceInfo):
149         * runtime/LiteralParser.cpp:
150         (JSC::LiteralParser<CharType>::tryJSONPParse):
151         * runtime/LiteralParser.h:
152
153 2018-01-31  Saam Barati  <sbarati@apple.com>
154
155         clean up pushToSaveImmediateWithoutTouchingRegisters a bit
156         https://bugs.webkit.org/show_bug.cgi?id=181774
157
158         Reviewed by JF Bastien.
159
160         This function on ARM64 was considering what to do with the scratch
161         register. And conditionally invalidated what was in it. This is not
162         relevant though, since the function always recovers what was in that
163         register. This patch just switches it to using dataTempRegister
164         directly and updates the comment to describe why it can do so safely.
165
166         * assembler/MacroAssemblerARM64.h:
167         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
168
169 2018-01-30  Mark Lam  <mark.lam@apple.com>
170
171         Apply poisoning to TypedArray vector pointers.
172         https://bugs.webkit.org/show_bug.cgi?id=182155
173         <rdar://problem/36286266>
174
175         Reviewed by JF Bastien.
176
177         The TypedArray's vector pointer is now poisoned.  The poison value is chosen based
178         on a TypedArray's jsType.  The JSType must be between FirstTypedArrayType and
179         LastTypedArrayType.  At runtime, we enforce that the index is well-behaved by
180         masking it against TypedArrayPoisonIndexMask.  TypedArrayPoisonIndexMask (16) is
181         the number of TypedArray types (10) rounded up to the next power of 2.
182         Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that we
183         can use index masking on the index, and be guaranteed that the masked index will
184         be within bounds of the poisons array.
185
186         1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not
187            do any unnecessary work if the TypedArray vector is null.
188
189            FTL's cagedMayBeNull() is no longer needed because it is only used by
190            compileGetTypedArrayByteOffset(), and we need to enhance it to handle unpoisoning
191            in a TypedArray specific way.  So, might as well do the work inline in
192            compileGetTypedArrayByteOffset() instead.
193
194         2. Removed an unnecessary null-check in DFGSpeculativeJIT's compileNewTypedArrayWithSize()
195            because there's already a null check above it that ensures that sizeGPR is
196            never null.
197
198         3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before the
199            loading of the vector for unpoisoning and uncaging.  We don't need the vector
200            if the length is 0.
201
202         Implementation notes on the need to null check the TypedArray vector:
203
204         1. DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not need a
205            m_poisonedVector null check because the function is a null check.
206
207         2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a
208            m_poisonedVector null check because it is followed by a call to
209            cageTypedArrayStorage() which assumes that storageReg cannot be null.
210
211         3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a
212            m_poisonedVector null check.
213
214         4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector null
215            check because the poisoning code is preceded by a sizeGPR null check, which
216            ensures that the storageGPR (vector to be poisoned) is not null.
217
218         5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector null
219            check because it is followed by a call to caged() which assumes that the
220            vector cannot be null.
221
222         6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null check.
223
224         7. FTL's compileNewTypedArray() does not need a vector null check because the
225            poisoning code is preceded by a size null check, which ensures that the
226            storage (vector to be poisoned) is not null.
227
228         8. FTL's speculateTypedArrayIsNotNeutered() does not need a
229            m_poisonedVector null check because the function is a null check.
230
231         9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s TypedArrayByteOffsetIntrinsic
232            case needs a null check so that it does not try to unpoison a null vector.
233
234         10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because
235             we already do a length check even before loading the vector.
236
237         11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check because
238             we already do a length check even before loading the vector.
239
240         12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because
241             we already do a length check even before loading the vector.
242
243         13. JIT::emitFloatTypedArrayPutByVal() does not need a vector null check because
244             we already do a length check even before loading the vector.
245
246         14. LLInt's loadTypedArrayCaged() does not need a vector null check because its
247             client will do a TypedArray length check before calling it.
248
249         * dfg/DFGFixupPhase.cpp:
250         (JSC::DFG::FixupPhase::checkArray):
251         * dfg/DFGNode.h:
252         (JSC::DFG::Node::hasArrayMode):
253         * dfg/DFGSpeculativeJIT.cpp:
254         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
255         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
256         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
257         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
258         * ftl/FTLAbstractHeapRepository.h:
259         * ftl/FTLLowerDFGToB3.cpp:
260         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
261         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
262         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
263         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
264         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted.
265         * jit/IntrinsicEmitter.cpp:
266         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
267         * jit/JITPropertyAccess.cpp:
268         (JSC::JIT::emitIntTypedArrayGetByVal):
269         (JSC::JIT::emitFloatTypedArrayGetByVal):
270         (JSC::JIT::emitIntTypedArrayPutByVal):
271         (JSC::JIT::emitFloatTypedArrayPutByVal):
272         * llint/LowLevelInterpreter.asm:
273         * llint/LowLevelInterpreter64.asm:
274         * offlineasm/arm64.rb:
275         * offlineasm/x86.rb:
276         * runtime/CagedBarrierPtr.h:
277         * runtime/JSArrayBufferView.cpp:
278         (JSC::JSArrayBufferView::JSArrayBufferView):
279         (JSC::JSArrayBufferView::finalize):
280         (JSC::JSArrayBufferView::neuter):
281         * runtime/JSArrayBufferView.h:
282         (JSC::JSArrayBufferView::vector const):
283         (JSC::JSArrayBufferView::offsetOfPoisonedVector):
284         (JSC::JSArrayBufferView::poisonFor):
285         (JSC::JSArrayBufferView::Poison::key):
286         (JSC::JSArrayBufferView::offsetOfVector): Deleted.
287         * runtime/JSCPoison.cpp:
288         (JSC::initializePoison):
289         * runtime/JSCPoison.h:
290         * runtime/JSGenericTypedArrayViewInlines.h:
291         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
292         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
293         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
294         * runtime/JSObject.h:
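
An added model of the poisoning scheme this entry describes, not WebKit's code: the JSType numbering, the poison values and the function names below are constructed for illustration. It shows the index masking that keeps the poison-table lookup in bounds for any jsType, and why the unpoison step needs a null check first (assuming, as the implementation notes above imply, that a null vector is stored as plain 0):

```cpp
#include <cstddef>
#include <cstdint>

// Illustrative model of type-keyed pointer poisoning with index masking; not
// WebKit's code. The JSType numbering and the poison values are constructed.
constexpr unsigned FirstTypedArrayType = 20;     // assumed numbering
constexpr unsigned NumberOfTypedArrayTypes = 10; // the count the ChangeLog cites
constexpr unsigned LastTypedArrayType = FirstTypedArrayType + NumberOfTypedArrayTypes - 1;

// Round the type count up to a power of two so that (index & (mask - 1)) is
// always a valid index into the poisons array, whatever index was computed.
constexpr unsigned roundUpToPowerOfTwo(unsigned n)
{
    unsigned p = 1;
    while (p < n) p <<= 1;
    return p;
}
constexpr unsigned TypedArrayPoisonIndexMask = roundUpToPowerOfTwo(NumberOfTypedArrayTypes); // 16

uintptr_t g_typedArrayPoisons[TypedArrayPoisonIndexMask];

// Fill the poisons table with constructed, distinct, non-zero values (a real
// runtime would draw them from a CSPRNG at startup).
void initializePoisons()
{
    uint64_t state = 0x9e3779b97f4a7c15ull;
    for (unsigned i = 0; i < TypedArrayPoisonIndexMask; ++i) {
        state ^= state << 13; state ^= state >> 7; state ^= state << 17; // xorshift64
        g_typedArrayPoisons[i] = static_cast<uintptr_t>(state) | 1;     // never zero
    }
}

// A jsType outside [First, Last] still maps inside the table: the mask bounds it.
unsigned poisonIndexFor(unsigned jsType)
{
    return (jsType - FirstTypedArrayType) & (TypedArrayPoisonIndexMask - 1);
}
uintptr_t poisonFor(unsigned jsType) { return g_typedArrayPoisons[poisonIndexFor(jsType)]; }

// Poisoning and unpoisoning are the same XOR with the type-specific key; a
// pointer unpoisoned with another type's key is garbage, not a usable address.
uintptr_t poisonVector(const void* vector, unsigned jsType)
{
    return reinterpret_cast<uintptr_t>(vector) ^ poisonFor(jsType);
}

// What JIT-emitted code does: an unconditional XOR. Fed a null stored as 0,
// it yields the poison itself, a non-null garbage address.
const void* unpoisonUnchecked(uintptr_t poisoned, unsigned jsType)
{
    return reinterpret_cast<const void*>(poisoned ^ poisonFor(jsType));
}

// The null check that has to precede unpoisoning (item 9 above).
const void* unpoisonChecked(uintptr_t poisoned, unsigned jsType)
{
    if (!poisoned) return nullptr;
    return unpoisonUnchecked(poisoned, jsType);
}
```

Masking the index (rather than bounds-checking it with a branch) is what makes the lookup safe even when the type byte was read speculatively: no value of jsType can produce an out-of-bounds read of the poisons table.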
295
296 2018-01-30  Fujii Hironori  <Hironori.Fujii@sony.com>
297
298         [Win] Warning fix.
299         https://bugs.webkit.org/show_bug.cgi?id=177007
300
301         Reviewed by Yusuke Suzuki.
302
303         * interpreter/StackVisitor.cpp:
304         (JSC::StackVisitor::Frame::dump const):
305         Changed the type of locationRawBits from unsigned to uintptr_t.
306         * runtime/IntlNumberFormat.cpp:
307         (JSC::IntlNumberFormat::createNumberFormat):
308         Initialize 'style' to avoid potentially uninitialized local variable warning.
309
310 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
311
312         [JSC] Implement trimStart and trimEnd
313         https://bugs.webkit.org/show_bug.cgi?id=182233
314
315         Reviewed by Mark Lam.
316
317         String.prototype.{trimStart,trimEnd} are now stage 3[1].
318         String.prototype.{trimLeft,trimRight} are aliases of these functions.
319
320         We rename these functions to trimStart and trimEnd, and put them as
321         trimLeft and trimRight too.
322
323         [1]: https://tc39.github.io/proposal-string-left-right-trim/
324
325         * runtime/StringPrototype.cpp:
326         (JSC::StringPrototype::finishCreation):
327         (JSC::trimString):
328         (JSC::stringProtoFuncTrim):
329         (JSC::stringProtoFuncTrimStart):
330         (JSC::stringProtoFuncTrimEnd):
331         (JSC::stringProtoFuncTrimLeft): Deleted.
332         (JSC::stringProtoFuncTrimRight): Deleted.
333
334 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
335
336         [JSC] Relax line terminators in String to make JSON subset of JS
337         https://bugs.webkit.org/show_bug.cgi?id=182232
338
339         Reviewed by Keith Miller.
340
341         "Subsume JSON" spec is now stage 3[1]. Before this spec change,
342         JSON can accept \u2028 / \u2029 in strings while JS cannot.
343         It accidentally made JSON a non-subset of JS.
344
345         Now we extend our JS strings to accept \u2028 / \u2029 to make JSON a
346         subset of JS in this spec change.
347
348         [1]: https://github.com/tc39/proposal-json-superset
349
350         * parser/Lexer.cpp:
351         (JSC::Lexer<T>::parseStringSlowCase):
352
353 2018-01-29  Jiewen Tan  <jiewen_tan@apple.com>
354
355         [WebAuthN] Add a compile-time feature flag
356         https://bugs.webkit.org/show_bug.cgi?id=182211
357         <rdar://problem/36936365>
358
359         Reviewed by Brent Fulgham.
360
361         * Configurations/FeatureDefines.xcconfig:
362
363 2018-01-29  Michael Saboff  <msaboff@apple.com>
364
365         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
366         https://bugs.webkit.org/show_bug.cgi?id=182249
367
368         Reviewed by Keith Miller.
369
370         Changed clobberize() handling of CompareEq, et al. to properly handle comparisons between
371         Untyped and Object values when compared against built in types.  Such comparisons can
372         invoke toNumber() or other methods.
373
374         * dfg/DFGClobberize.h:
375         (JSC::DFG::clobberize):
376
377 2018-01-29  Matt Lewis  <jlewis3@apple.com>
378
379         Unreviewed, rolling out r227725.
380
381         This caused internal failures.
382
383         Reverted changeset:
384
385         "JSC Sampling Profiler: Detect tester and testee when sampling
386         in RegExp JIT"
387         https://bugs.webkit.org/show_bug.cgi?id=152729
388         https://trac.webkit.org/changeset/227725
389
390 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
391
392         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
393         https://bugs.webkit.org/show_bug.cgi?id=152729
394
395         Reviewed by Saam Barati.
396
397         This patch extends SamplingProfiler to recognize JIT RegExp execution. We record
398         executing RegExp in VM so that SamplingProfiler can detect it. This is better
399         than the previous VM::isExecutingInRegExpJIT flag approach since
400
401         1. isExecutingInRegExpJIT is set after starting to execute JIT RegExp code. Thus,
402         if we suspend the thread just before executing this flag, or just after clearing
403         this flag, SamplingProfiler gets an invalid frame, and frame validation fails. We
404         should set such a flag before and after executing JIT RegExp code.
405
406         2. This removes the VM dependency from YarrJIT, which is not an essential one.
407
408         We add an ExecutionContext enum to RegExp::matchInline so as not to mark execution if it
409         is done in a non-JS thread.
410
411         * bytecode/BytecodeDumper.cpp:
412         (JSC::regexpName):
413         (JSC::BytecodeDumper<Block>::dumpRegExps):
414         (JSC::regexpToSourceString): Deleted.
415         * heap/Heap.cpp:
416         (JSC::Heap::addCoreConstraints):
417         * runtime/RegExp.cpp:
418         (JSC::RegExp::compile):
419         (JSC::RegExp::match):
420         (JSC::RegExp::matchConcurrently):
421         (JSC::RegExp::compileMatchOnly):
422         (JSC::RegExp::toSourceString const):
423         * runtime/RegExp.h:
424         * runtime/RegExpInlines.h:
425         (JSC::RegExp::matchInline):
426         * runtime/RegExpMatchesArray.h:
427         (JSC::createRegExpMatchesArray):
428         * runtime/SamplingProfiler.cpp:
429         (JSC::SamplingProfiler::SamplingProfiler):
430         (JSC::SamplingProfiler::timerLoop):
431         (JSC::SamplingProfiler::takeSample):
432         (JSC::SamplingProfiler::processUnverifiedStackTraces):
433         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
434         (JSC::SamplingProfiler::StackFrame::displayName):
435         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
436         (JSC::SamplingProfiler::StackFrame::functionStartLine):
437         (JSC::SamplingProfiler::StackFrame::functionStartColumn):
438         (JSC::SamplingProfiler::StackFrame::sourceID):
439         (JSC::SamplingProfiler::StackFrame::url):
440         (WTF::printInternal):
441         (JSC::SamplingProfiler::~SamplingProfiler): Deleted.
442         * runtime/SamplingProfiler.h:
443         * runtime/VM.h:
444         * yarr/YarrJIT.cpp:
445         (JSC::Yarr::YarrGenerator::generateEnter):
446         (JSC::Yarr::YarrGenerator::generateReturn):
447         (JSC::Yarr::YarrGenerator::YarrGenerator):
448         (JSC::Yarr::jitCompile):
449         * yarr/YarrJIT.h:
450
451 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
452
453         [DFG][FTL] WeakMap#set should have DFG node
454         https://bugs.webkit.org/show_bug.cgi?id=180015
455
456         Reviewed by Saam Barati.
457
458         This patch adds WeakMapSet and WeakSetAdd DFG nodes to handle them efficiently in DFG and FTL.
459         We also define CSE rules for them. Now, WeakMapSet and WeakSetAdd can offer the results of
460         the subsequent WeakMapGet if CSE allows.
461
462         * dfg/DFGAbstractInterpreterInlines.h:
463         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
464         * dfg/DFGByteCodeParser.cpp:
465         (JSC::DFG::ByteCodeParser::addVarArgChild):
466         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
467         * dfg/DFGClobberize.h:
468         (JSC::DFG::clobberize):
469         * dfg/DFGDoesGC.cpp:
470         (JSC::DFG::doesGC):
471         WeakMap operations do not cause GC.
472
473         * dfg/DFGFixupPhase.cpp:
474         (JSC::DFG::FixupPhase::fixupNode):
475         * dfg/DFGNodeType.h:
476         * dfg/DFGOperations.cpp:
477         * dfg/DFGOperations.h:
478         * dfg/DFGPredictionPropagationPhase.cpp:
479         * dfg/DFGSafeToExecute.h:
480         (JSC::DFG::safeToExecute):
481         * dfg/DFGSpeculativeJIT.cpp:
482         (JSC::DFG::SpeculativeJIT::compileWeakSetAdd):
483         (JSC::DFG::SpeculativeJIT::compileWeakMapSet):
484         * dfg/DFGSpeculativeJIT.h:
485         (JSC::DFG::SpeculativeJIT::callOperation):
486         * dfg/DFGSpeculativeJIT32_64.cpp:
487         (JSC::DFG::SpeculativeJIT::compile):
488         * dfg/DFGSpeculativeJIT64.cpp:
489         (JSC::DFG::SpeculativeJIT::compile):
490         * ftl/FTLCapabilities.cpp:
491         (JSC::FTL::canCompile):
492         * ftl/FTLLowerDFGToB3.cpp:
493         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
494         (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd):
495         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet):
496         * jit/JITOperations.h:
497         * runtime/Intrinsic.cpp:
498         (JSC::intrinsicName):
499         * runtime/Intrinsic.h:
500         * runtime/WeakMapPrototype.cpp:
501         (JSC::WeakMapPrototype::finishCreation):
502         * runtime/WeakSetPrototype.cpp:
503         (JSC::WeakSetPrototype::finishCreation):
504
505 2018-01-28  Filip Pizlo  <fpizlo@apple.com>
506
507         LargeAllocation should do the same distancing as MarkedBlock
508         https://bugs.webkit.org/show_bug.cgi?id=182226
509
510         Reviewed by Saam Barati.
511
512         This makes LargeAllocation do the same exact distancing that MarkedBlock promises to do.
513         
514         To make that possible, this patch first makes MarkedBlock know exactly how much distancing it
515         is doing:
516         
517         - I've rationalized the payloadSize calculation. In particular, I made MarkedSpace use the
518           calculation done in MarkedBlock. MarkedSpace used to do the math a different way. This
519           keeps the old way just for a static_assert.
520         
521         - The promised amount of distancing is now codified in HeapCell.h as
522           minimumDistanceBetweenCellsFromDifferentOrigins. We assert that the footer size is at least
523           as big as this. I didn't want to just use footer size for this constant because then, if
524           you increased the size of the footer, you'd also add padding to every large allocation.
525         
526         Then this patch just adds minimumDistanceBetweenCellsFromDifferentOrigins to each large
527         allocation. It also zeroes that slice of memory to prevent any information leaks that way.
528         
529         This is perf neutral. Large allocations start out at ~8000 bytes. The amount of padding is
530         ~300 bytes. That's 3.75% space overhead for objects that are ~8000 bytes, zero overhead for
531         smaller objects, and diminishing overhead for larger objects. We allocate very few large
532         objects, so we shouldn't have any real space overhead from this.
533
534         * heap/HeapCell.h:
535         * heap/LargeAllocation.cpp:
536         (JSC::LargeAllocation::tryCreate):
537         * heap/MarkedBlock.h:
538         * heap/MarkedSpace.h:
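
An added model of the padded large allocation this entry describes, not WebKit's code; the 300-byte distance, the struct and the function names are this example's assumptions. It places the cell after a zeroed slice of the chosen size and computes the space overhead the entry quotes:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Illustrative model of a large allocation that pads every cell by a fixed
// distance; not WebKit's code. The distance is constructed to match the
// ~300 bytes the ChangeLog cites.
constexpr size_t minimumDistanceBetweenCellsFromDifferentOrigins = 300; // assumed

struct LargeAllocationModel {
    void* base = nullptr;    // what the underlying allocator returned
    void* cell = nullptr;    // the pointer handed out to the mutator
    size_t cellSize = 0;
};

// Allocate size + distance, zero the leading slice so it cannot leak whatever
// the allocator left there, and hand out a cell that starts after the slice.
bool tryCreate(size_t size, LargeAllocationModel& out)
{
    size_t total = size + minimumDistanceBetweenCellsFromDifferentOrigins;
    if (total < size) return false; // size_t overflow
    void* base = std::malloc(total);
    if (!base) return false;
    std::memset(base, 0, minimumDistanceBetweenCellsFromDifferentOrigins);
    out.base = base;
    out.cell = static_cast<char*>(base) + minimumDistanceBetweenCellsFromDifferentOrigins;
    out.cellSize = size;
    return true;
}

void destroy(LargeAllocationModel& allocation)
{
    std::free(allocation.base);
    allocation.base = allocation.cell = nullptr;
    allocation.cellSize = 0;
}

// Space cost of the padding relative to the cell size, as a percentage
// (300 / 8000 gives the 3.75% the entry quotes).
double paddingOverheadPercent(size_t cellSize)
{
    return 100.0 * minimumDistanceBetweenCellsFromDifferentOrigins / cellSize;
}

// Verify the slice in front of the cell was actually cleared.
bool paddingIsZeroed(const LargeAllocationModel& allocation)
{
    const unsigned char* p = static_cast<const unsigned char*>(allocation.base);
    for (size_t i = 0; i < minimumDistanceBetweenCellsFromDifferentOrigins; ++i)
        if (p[i]) return false;
    return true;
}
```

Only the padding is cleared here; the cell itself is left for the mutator to initialize, which is why the zeroing cost stays bounded by the distance constant rather than growing with the allocation.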
539
540 2018-01-27  Filip Pizlo  <fpizlo@apple.com>
541
542         Make MarkedBlock::Footer bigger
543         https://bugs.webkit.org/show_bug.cgi?id=182220
544
545         Reviewed by JF Bastien.
546         
547         This makes the block footer larger by moving the newlyAllocated bits from the handle into
548         the footer.
549         
550         It used to be profitable to put anything we could into the handle because that would free up
551         payload space inside the block. But now that we want to use the footer for padding, it's
552         profitable to put GC state information - especially data that is used by the GC itself and so
553         is not useful for a Spectre attack - into the footer to increase object distancing.
554
555         * heap/CellContainer.cpp:
556         (JSC::CellContainer::isNewlyAllocated const):
557         * heap/IsoCellSet.cpp:
558         (JSC::IsoCellSet::sweepToFreeList):
559         * heap/MarkedBlock.cpp:
560         (JSC::MarkedBlock::Handle::Handle):
561         (JSC::MarkedBlock::Footer::Footer):
562         (JSC::MarkedBlock::Handle::stopAllocating):
563         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
564         (JSC::MarkedBlock::Handle::resumeAllocating):
565         (JSC::MarkedBlock::aboutToMarkSlow):
566         (JSC::MarkedBlock::resetAllocated):
567         (JSC::MarkedBlock::Handle::resetAllocated): Deleted.
568         * heap/MarkedBlock.h:
569         (JSC::MarkedBlock::newlyAllocatedVersion const):
570         (JSC::MarkedBlock::isNewlyAllocated):
571         (JSC::MarkedBlock::setNewlyAllocated):
572         (JSC::MarkedBlock::clearNewlyAllocated):
573         (JSC::MarkedBlock::newlyAllocated const):
574         (JSC::MarkedBlock::Handle::newlyAllocatedVersion const): Deleted.
575         (JSC::MarkedBlock::Handle::isNewlyAllocated): Deleted.
576         (JSC::MarkedBlock::Handle::setNewlyAllocated): Deleted.
577         (JSC::MarkedBlock::Handle::clearNewlyAllocated): Deleted.
578         (JSC::MarkedBlock::Handle::newlyAllocated const): Deleted.
579         * heap/MarkedBlockInlines.h:
580         (JSC::MarkedBlock::isNewlyAllocatedStale const):
581         (JSC::MarkedBlock::hasAnyNewlyAllocated):
582         (JSC::MarkedBlock::Handle::isLive):
583         (JSC::MarkedBlock::Handle::specializedSweep):
584         (JSC::MarkedBlock::Handle::newlyAllocatedMode):
585         (JSC::MarkedBlock::Handle::isNewlyAllocatedStale const): Deleted.
586         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated): Deleted.
587         * heap/MarkedSpace.cpp:
588         (JSC::MarkedSpace::endMarking):
589         * heap/SlotVisitor.cpp:
590         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
591
592 2018-01-27  Filip Pizlo  <fpizlo@apple.com>
593
594         MarkedBlock should have a footer instead of a header
595         https://bugs.webkit.org/show_bug.cgi?id=182217
596
597         Reviewed by JF Bastien.
598         
599         This moves the MarkedBlock's meta-data from the header to the footer. This doesn't really
600         change anything except for some compile-time constants, so it should not affect performance.
601         
602         This change is to help protect against Spectre attacks on structure checks, which allow for
603         small-offset out-of-bounds access. By putting the meta-data at the end of the block, small
604         OOBs will only get to other objects in the same block or the block footer. The block footer
605         is not super interesting. So, if we combine this with the TLC change (r227617), this means we
606         can use blocks as the mechanism of achieving distance between objects from different origins.
607         We just need to avoid ever putting objects from different origins in the same block. That's
608         what bug 181636 is about.
609         
610         * heap/BlockDirectory.cpp:
611         (JSC::blockHeaderSize): Deleted.
612         (JSC::BlockDirectory::blockSizeForBytes): Deleted.
613         * heap/BlockDirectory.h:
614         * heap/HeapUtil.h:
615         (JSC::HeapUtil::findGCObjectPointersForMarking):
616         * heap/MarkedBlock.cpp:
617         (JSC::MarkedBlock::MarkedBlock):
618         (JSC::MarkedBlock::~MarkedBlock):
619         (JSC::MarkedBlock::Footer::Footer):
620         (JSC::MarkedBlock::Footer::~Footer):
621         (JSC::MarkedBlock::Handle::stopAllocating):
622         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
623         (JSC::MarkedBlock::Handle::resumeAllocating):
624         (JSC::MarkedBlock::aboutToMarkSlow):
625         (JSC::MarkedBlock::resetMarks):
626         (JSC::MarkedBlock::assertMarksNotStale):
627         (JSC::MarkedBlock::Handle::didConsumeFreeList):
628         (JSC::MarkedBlock::markCount):
629         (JSC::MarkedBlock::clearHasAnyMarked):
630         (JSC::MarkedBlock::Handle::didAddToDirectory):
631         (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
632         (JSC::MarkedBlock::Handle::sweep):
633         * heap/MarkedBlock.h:
634         (JSC::MarkedBlock::markingVersion const):
635         (JSC::MarkedBlock::lock):
636         (JSC::MarkedBlock::subspace const):
637         (JSC::MarkedBlock::footer):
638         (JSC::MarkedBlock::footer const):
639         (JSC::MarkedBlock::handle):
640         (JSC::MarkedBlock::handle const):
641         (JSC::MarkedBlock::Handle::blockFooter):
642         (JSC::MarkedBlock::isAtomAligned):
643         (JSC::MarkedBlock::Handle::cellAlign):
644         (JSC::MarkedBlock::blockFor):
645         (JSC::MarkedBlock::vm const):
646         (JSC::MarkedBlock::weakSet):
647         (JSC::MarkedBlock::cellSize):
648         (JSC::MarkedBlock::attributes const):
649         (JSC::MarkedBlock::atomNumber):
650         (JSC::MarkedBlock::areMarksStale):
651         (JSC::MarkedBlock::aboutToMark):
652         (JSC::MarkedBlock::isMarkedRaw):
653         (JSC::MarkedBlock::isMarked):
654         (JSC::MarkedBlock::testAndSetMarked):
655         (JSC::MarkedBlock::marks const):
656         (JSC::MarkedBlock::isAtom):
657         (JSC::MarkedBlock::Handle::forEachCell):
658         (JSC::MarkedBlock::hasAnyMarked const):
659         (JSC::MarkedBlock::noteMarked):
660         (WTF::MarkedBlockHash::hash):
661         (JSC::MarkedBlock::firstAtom): Deleted.
662         * heap/MarkedBlockInlines.h:
663         (JSC::MarkedBlock::marksConveyLivenessDuringMarking):
664         (JSC::MarkedBlock::Handle::isLive):
665         (JSC::MarkedBlock::Handle::specializedSweep):
666         (JSC::MarkedBlock::Handle::forEachLiveCell):
667         (JSC::MarkedBlock::Handle::forEachDeadCell):
668         (JSC::MarkedBlock::Handle::forEachMarkedCell):
669         * heap/MarkedSpace.cpp:
670         * heap/MarkedSpace.h:
671         * llint/LowLevelInterpreter.asm:
672         * llint/LowLevelInterpreter32_64.asm:
673         * llint/LowLevelInterpreter64.asm:
674
675 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
676
677         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
678         https://bugs.webkit.org/show_bug.cgi?id=182213
679
680         Reviewed by Mark Lam.
681
682         toStringWithRadixInternal is originally used for the slow path if the given value is larger than radix or negative.
683         As a result, it does not accept 0 correctly, and produces an empty string. Since DFGStrengthReductionPhase uses
684         this function, it accidentally converts NumberToStringWithValidRadixConstant(0, radix) to an empty string.
685         This patch fixes toStringWithRadixInternal to accept 0. This change fixes twitch.tv's issue.
686
687         We also add a careful cast to avoid `-INT32_MIN`. It does not produce an incorrect value on x86 in practice,
688         but it is UB, and a compiler may assume that the given value is never INT32_MIN and could perform an incorrect optimization.
689
690         * runtime/NumberPrototype.cpp:
691         (JSC::toStringWithRadixInternal):
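Added example (not JavaScriptCore's code; function names are invented): a radix conversion for int32_t that shows the two fixes this entry describes, next to the defective loop shape it replaces.

```cpp
#include <cassert>
#include <cstdint>
#include <string>

// Added example, not JavaScriptCore's code: a radix conversion for int32_t showing
// the two fixes described in the entry above. Names here are invented.
//
//  1. 0 must yield "0". A loop shaped "while (value) { ... }" emits no digit for
//     0 and returns "", which is how NumberToStringWithValidRadixConstant(0, radix)
//     ended up folded to an empty string.
//  2. Negating INT32_MIN as a signed int32_t is undefined behaviour. Casting to
//     uint32_t first and negating in unsigned arithmetic is well defined and gives
//     the magnitude 2^31 exactly.
static std::string toStringWithRadixFixed(int32_t value, int32_t radix)
{
    assert(radix >= 2 && radix <= 36);
    static const char digits[] = "0123456789abcdefghijklmnopqrstuvwxyz";

    // Fix 2: compute the magnitude in unsigned arithmetic (0u - x wraps, no UB).
    const bool negative = value < 0;
    uint32_t magnitude = static_cast<uint32_t>(value);
    if (negative)
        magnitude = 0u - magnitude;

    // Worst case: '-' plus 32 binary digits.
    char buffer[33];
    char* const end = buffer + sizeof(buffer);
    char* p = end;

    // Fix 1: do/while emits at least one digit, so 0 becomes "0".
    do {
        *--p = digits[magnitude % static_cast<uint32_t>(radix)];
        magnitude /= static_cast<uint32_t>(radix);
    } while (magnitude);

    if (negative)
        *--p = '-';
    return std::string(p, end);
}

// The defective shape the entry describes, kept only for contrast: it returns ""
// for 0 because the loop body never runs. (Deliberately reproduces that bug.)
static std::string toStringWithRadixBuggy(int32_t value, int32_t radix)
{
    static const char digits[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    uint32_t magnitude = value < 0 ? 0u - static_cast<uint32_t>(value) : static_cast<uint32_t>(value);
    std::string out;
    while (magnitude) {
        out.insert(out.begin(), digits[magnitude % static_cast<uint32_t>(radix)]);
        magnitude /= static_cast<uint32_t>(radix);
    }
    if (value < 0)
        out.insert(out.begin(), '-');
    return out;
}
```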
692
693 2018-01-26  Saam Barati  <sbarati@apple.com>
694
695         Fix emitAllocateWithNonNullAllocator to work on arm
696         https://bugs.webkit.org/show_bug.cgi?id=182187
697         <rdar://problem/36906550>
698
699         Reviewed by Filip Pizlo.
700
701         This patch unifies the x86 and ARM paths in emitAllocateWithNonNullAllocator
702         and makes it so that emitAllocateWithNonNullAllocator uses the macro scratch
703         register on ARM.
704
705         * ftl/FTLLowerDFGToB3.cpp:
706         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
707         * jit/AssemblyHelpers.cpp:
708         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
709
710 2018-01-26  Joseph Pecoraro  <pecoraro@apple.com>
711
712         Rebaselining builtin generator tests after r227685.
713
714         Unreviewed.
715
716         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
717         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
718         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
719         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
720         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
721         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
722         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
723         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
724         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
725         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
726         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
727         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
728         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
729         It used to be that the builtins generator was minifying by default. That was an accident
730         and we now only minify on Release builds. The generator tests are now getting the
731         default unminified output behavior so they need to update their expectations
732         for some extra whitespace.
733
734 2018-01-26  Mark Lam  <mark.lam@apple.com>
735
736         We should only append ParserArenaDeletable pointers to ParserArena::m_deletableObjects.
737         https://bugs.webkit.org/show_bug.cgi?id=182180
738         <rdar://problem/36460697>
739
740         Reviewed by Michael Saboff.
741
742         Some parser Node subclasses extend ParserArenaDeletable via multiple inheritance,
743         but not as the Node's first base class.  ParserArena::m_deletableObjects is
744         expecting pointers to objects of the shape of ParserArenaDeletable.  We ensure
745         this by allocating the Node subclass, and casting it to ParserArenaDeletable to
746         get the correct pointer to append to ParserArena::m_deletableObjects.
747
748         To simplify things, we introduce a JSC_MAKE_PARSER_ARENA_DELETABLE_ALLOCATED
749         (analogous to WTF_MAKE_FAST_ALLOCATED) for use in Node subclasses that extend
750         ParserArenaDeletable.
751
752         * parser/NodeConstructors.h:
753         (JSC::ParserArenaDeletable::operator new):
754         * parser/Nodes.h:
755         * parser/ParserArena.h:
756         (JSC::ParserArena::allocateDeletable):
757
758 2018-01-26  Joseph Pecoraro  <pecoraro@apple.com>
759
760         JavaScriptCore builtins should be partially minified in Release builds not Debug builds
761         https://bugs.webkit.org/show_bug.cgi?id=182165
762
763         Reviewed by Keith Miller.
764
765         * Scripts/builtins/builtins_model.py:
766         (BuiltinFunction.fromString):
767         Apply minifications on Release builds instead of Debug builds.
768         Also eliminate leading whitespace.
769
770 2018-01-26  Filip Pizlo  <fpizlo@apple.com>
771
772         Disable TLS-based TLCs
773         https://bugs.webkit.org/show_bug.cgi?id=182175
774
775         Reviewed by Saam Barati.
776
777         Check for the new USE(FAST_TLS_FOR_TLC) flag instead of just ENABLE(FAST_TLS_JIT).
778
779         * heap/BlockDirectory.cpp:
780         (JSC::BlockDirectory::~BlockDirectory):
781         * heap/BlockDirectory.h:
782         * heap/ThreadLocalCache.cpp:
783         (JSC::ThreadLocalCache::installSlow):
784         (JSC::ThreadLocalCache::installData):
785         * heap/ThreadLocalCache.h:
786         * heap/ThreadLocalCacheInlines.h:
787         (JSC::ThreadLocalCache::getImpl):
788         * jit/AssemblyHelpers.cpp:
789         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
790         * runtime/VM.cpp:
791         (JSC::VM::~VM):
792         * runtime/VM.h:
793
794 2018-01-25  Yusuke Suzuki  <utatane.tea@gmail.com>
795
796         imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/errorhandling.html crashes
797         https://bugs.webkit.org/show_bug.cgi?id=181980
798
799         Reviewed by Ryosuke Niwa.
800
801         We accidentally failed to propagate the errored promise in the instantiate and satisfy phases if entry.{instantiate,satisfy}
802         promises are set. Since we just returned `entry`, it becomes a succeeded promise even if the dependent fetch, instantiate,
803         and satisfy promises have failed. This patch fixes error propagation by returning `entry.instantiate` and `entry.satisfy`
804         correctly.
805
806         * builtins/ModuleLoaderPrototype.js:
807         (requestInstantiate):
808         (requestSatisfy):
809
810 2018-01-25  Mark Lam  <mark.lam@apple.com>
811
812         Gardening: fix 32-bit build after r227643.
813         https://bugs.webkit.org/show_bug.cgi?id=182086
814
815         Not reviewed.
816
817         * jit/AssemblyHelpers.cpp:
818         (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
819
820 2018-01-24  Filip Pizlo  <fpizlo@apple.com>
821
822         DirectArguments should protect itself using dynamic poisoning and precise index masking
823         https://bugs.webkit.org/show_bug.cgi?id=182086
824
825         Reviewed by Saam Barati.
826         
827         This implements dynamic poisoning and precise index masking in DirectArguments, using the
828         helpers from <wtf/MathExtras.h> and helpers in AssemblyHelpers and FTL::LowerDFGToB3.
829         
830         We use dynamic poisoning for DirectArguments since this object did not have any additional
831         indirection inside it that could have been poisoned. So, we use the xor of the expected type
832         and the actual type as an additional input into the pointer.
833         
834         We use precise index masking for bounds checks, because it's not worth doing index masking
835         unless we know that precise index masking is too slow.
836
837         * assembler/MacroAssembler.h:
838         (JSC::MacroAssembler::lshiftPtr):
839         (JSC::MacroAssembler::rshiftPtr):
840         * dfg/DFGSpeculativeJIT.cpp:
841         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
842         * ftl/FTLLowerDFGToB3.cpp:
843         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
844         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
845         (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask64):
846         (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask32):
847         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
848         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
849         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
850         * jit/AssemblyHelpers.cpp:
851         (JSC::AssemblyHelpers::emitPreciseIndexMask32):
852         (JSC::AssemblyHelpers::emitDynamicPoison):
853         (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
854         (JSC::AssemblyHelpers::emitDynamicPoisonOnType):
855         * jit/AssemblyHelpers.h:
856         * jit/JITPropertyAccess.cpp:
857         (JSC::JIT::emitDirectArgumentsGetByVal):
858         * runtime/DirectArguments.h:
859         (JSC::DirectArguments::getIndexQuickly const):
860         (JSC::DirectArguments::setIndexQuickly):
861         (JSC::DirectArguments::argument):
862         * runtime/GenericArgumentsInlines.h:
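Added example (not JavaScriptCore's code): the two hardening primitives this entry names, precise index masking and dynamic poisoning, applied to an invented ToyArguments object. The struct, the type tag value, the 40-bit shift and a 64-bit pointer size are assumptions of this illustration.

```cpp
#include <cstdint>
#include <cstring>

// Added example, not JavaScriptCore's code. Names, the type tag value, the shift
// amount and a 64-bit uintptr_t are assumptions made for this illustration.

// Precise index masking. Returns all-ones when index < length and all-zeros
// otherwise, without a branch. Index and length are 32-bit (as JS array indices
// are), so the 64-bit difference cannot wrap and its sign bit is exact.
// Assumes arithmetic right shift of a negative int64_t (guaranteed since C++20).
static inline uint64_t preciseIndexMask64(uint32_t index, uint32_t length)
{
    int64_t difference = static_cast<int64_t>(index) - static_cast<int64_t>(length);
    return static_cast<uint64_t>(difference >> 63);
}

// Dynamic poisoning. The architectural type check still runs before the load;
// this additionally folds (expectedType ^ actualType) into the base pointer. When
// the object really has the expected type the XOR is zero and the pointer is
// unchanged. When it does not (e.g. on a mispredicted path not yet squashed),
// the difference lands in the high bits, so the access targets a non-canonical
// address instead of reading type-confused memory.
static inline uintptr_t dynamicPoison(uintptr_t base, uint8_t expectedType, uint8_t actualType)
{
    uintptr_t delta = static_cast<uintptr_t>(expectedType ^ actualType) << 40; // shift: assumption
    return base ^ delta;
}

struct ToyArguments {
    uint8_t type;        // runtime type tag
    uint32_t length;     // number of valid slots
    int32_t slots[8];    // argument storage
};

static const uint8_t kToyArgumentsType = 0x2a; // constructed tag value

// Checked read. The two ifs decide the architectural result; the mask and poison
// only bound what the load can touch if it executes before those checks resolve.
static bool getIndexHardened(const ToyArguments* object, uint32_t index, int32_t& out)
{
    if (object->type != kToyArgumentsType)
        return false;
    if (index >= object->length)
        return false;

    uint64_t mask = preciseIndexMask64(index, object->length);
    uint32_t maskedIndex = static_cast<uint32_t>(index & mask);
    uintptr_t base = dynamicPoison(reinterpret_cast<uintptr_t>(object->slots),
                                   kToyArgumentsType, object->type);
    out = reinterpret_cast<const int32_t*>(base)[maskedIndex];
    return true;
}

// Constructed sample object: three live slots holding 10, 20, 30.
static ToyArguments makeSample()
{
    ToyArguments a;
    std::memset(&a, 0, sizeof(a));
    a.type = kToyArgumentsType;
    a.length = 3;
    a.slots[0] = 10; a.slots[1] = 20; a.slots[2] = 30;
    return a;
}

// Returns the slot value at index, or -1 when the hardened read refuses.
static int32_t readSample(uint32_t index)
{
    ToyArguments a = makeSample();
    int32_t value = 0;
    return getIndexHardened(&a, index, value) ? value : -1;
}

// True when an object carrying the wrong type tag is refused by the type check.
static bool sampleWithWrongTypeIsRefused()
{
    ToyArguments a = makeSample();
    a.type = static_cast<uint8_t>(kToyArgumentsType ^ 0x01); // wrong tag
    int32_t value = 0;
    return !getIndexHardened(&a, 0, value);
}
```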
863
864 2018-01-25  Mark Lam  <mark.lam@apple.com>
865
866         Rename some local vars from type to typedArrayType for greater clarity.
867         https://bugs.webkit.org/show_bug.cgi?id=182148
868         <rdar://problem/36882310>
869
870         Reviewed by Saam Barati.
871
872         * dfg/DFGSpeculativeJIT.cpp:
873         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
874         * ftl/FTLLowerDFGToB3.cpp:
875         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
876
877 2018-01-25  Filip Pizlo  <fpizlo@apple.com>
878
879         JSC GC should support TLCs (thread local caches)
880         https://bugs.webkit.org/show_bug.cgi?id=181559
881
882         Reviewed by Mark Lam and Saam Barati.
883         
884         This is a big step towards object distancing by site origin. This patch implements TLCs, or
885         thread-local caches, which allow each thread to allocate from its own free lists. It also
886         means that any given thread can context-switch TLCs. This will allow us to do separate
887         allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
888         will allow us to have a hard distancing constraint between objects from different origins.
889         
890         In this new design, every "size class" is represented as a BlockDirectory (formerly known as
891         MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
892         aligned memory allocator (which roughly represents which cage you came out of), and anyone
893         using the same allocator can share those blocks - but so long as they are in that
894         BlockDirectory, they will have the size and type of that directory. Previously, each
895         BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
896         LocalAllocators, each of which has a FreeList.
897         
898         To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
899         BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
900         call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
901         starts by figuring out what Allocator it wants (often we have this information at JIT time).
902         Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
903         Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
904         offsets as opposed to indices to make it easy to do the math on each allocation (if
905         LocalAllocator had a weird size then every allocation would have to do an imul).
906         
907         This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
908         unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
909         geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
910         something there, but it's not significant according to our threshold).
911         
912         Relanding after fixing ARM64 bug in AssemblyHelpers::emitAllocateWithNonNullAllocator(). That
913         function needs to be careful to avoid using the scratch register because the FTL will call it
914         in disallow-scratch-register mode.
915
916         * JavaScriptCore.xcodeproj/project.pbxproj:
917         * Sources.txt:
918         * b3/B3LowerToAir.cpp:
919         * b3/B3PatchpointSpecial.cpp:
920         (JSC::B3::PatchpointSpecial::admitsStack):
921         * b3/B3StackmapSpecial.cpp:
922         (JSC::B3::StackmapSpecial::forEachArgImpl):
923         (JSC::B3::StackmapSpecial::isArgValidForRep):
924         * b3/B3StackmapValue.cpp:
925         (JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
926         * b3/B3StackmapValue.h:
927         * b3/B3Validate.cpp:
928         * b3/B3ValueRep.cpp:
929         (JSC::B3::ValueRep::addUsedRegistersTo const):
930         (JSC::B3::ValueRep::dump const):
931         (WTF::printInternal):
932         * b3/B3ValueRep.h:
933         (JSC::B3::ValueRep::ValueRep):
934         * bytecode/AccessCase.cpp:
935         (JSC::AccessCase::generateImpl):
936         * bytecode/ObjectAllocationProfile.h:
937         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
938         (JSC::ObjectAllocationProfile::clear):
939         * bytecode/ObjectAllocationProfileInlines.h:
940         (JSC::ObjectAllocationProfile::initializeProfile):
941         * dfg/DFGSpeculativeJIT.cpp:
942         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
943         (JSC::DFG::SpeculativeJIT::compileMakeRope):
944         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
945         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
946         (JSC::DFG::SpeculativeJIT::compileCreateThis):
947         (JSC::DFG::SpeculativeJIT::compileNewObject):
948         * dfg/DFGSpeculativeJIT.h:
949         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
950         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
951         * ftl/FTLAbstractHeapRepository.h:
952         * ftl/FTLLowerDFGToB3.cpp:
953         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
954         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
955         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
956         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
957         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
958         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
959         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
960         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
961         * heap/Allocator.cpp: Added.
962         (JSC::Allocator::cellSize const):
963         * heap/Allocator.h: Added.
964         (JSC::Allocator::Allocator):
965         (JSC::Allocator::offset const):
966         (JSC::Allocator::operator== const):
967         (JSC::Allocator::operator!= const):
968         (JSC::Allocator::operator bool const):
969         * heap/AllocatorInlines.h: Added.
970         (JSC::Allocator::allocate const):
971         (JSC::Allocator::tryAllocate const):
972         * heap/BlockDirectory.cpp:
973         (JSC::BlockDirectory::BlockDirectory):
974         (JSC::BlockDirectory::findBlockForAllocation):
975         (JSC::BlockDirectory::stopAllocating):
976         (JSC::BlockDirectory::prepareForAllocation):
977         (JSC::BlockDirectory::stopAllocatingForGood):
978         (JSC::BlockDirectory::resumeAllocating):
979         (JSC::BlockDirectory::endMarking):
980         (JSC::BlockDirectory::isFreeListedCell):
981         (JSC::BlockDirectory::didConsumeFreeList): Deleted.
982         (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
983         (JSC::BlockDirectory::allocateIn): Deleted.
984         (JSC::BlockDirectory::tryAllocateIn): Deleted.
985         (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
986         (JSC::BlockDirectory::allocateSlowCase): Deleted.
987         * heap/BlockDirectory.h:
988         (JSC::BlockDirectory::cellKind const):
989         (JSC::BlockDirectory::allocator const):
990         (JSC::BlockDirectory::freeList const): Deleted.
991         (JSC::BlockDirectory::offsetOfFreeList): Deleted.
992         (JSC::BlockDirectory::offsetOfCellSize): Deleted.
993         * heap/BlockDirectoryInlines.h:
994         (JSC::BlockDirectory::isFreeListedCell const): Deleted.
995         (JSC::BlockDirectory::allocate): Deleted.
996         * heap/CompleteSubspace.cpp:
997         (JSC::CompleteSubspace::CompleteSubspace):
998         (JSC::CompleteSubspace::allocatorFor):
999         (JSC::CompleteSubspace::allocate):
1000         (JSC::CompleteSubspace::allocateNonVirtual):
1001         (JSC::CompleteSubspace::allocatorForSlow):
1002         (JSC::CompleteSubspace::allocateSlow):
1003         (JSC::CompleteSubspace::tryAllocateSlow):
1004         * heap/CompleteSubspace.h:
1005         (JSC::CompleteSubspace::allocatorForSizeStep):
1006         (JSC::CompleteSubspace::allocatorForNonVirtual):
1007         * heap/FreeList.h:
1008         * heap/GCDeferralContext.h:
1009         * heap/Heap.cpp:
1010         (JSC::Heap::Heap):
1011         (JSC::Heap::lastChanceToFinalize):
1012         * heap/Heap.h:
1013         (JSC::Heap::threadLocalCacheLayout):
1014         * heap/IsoCellSet.h:
1015         * heap/IsoSubspace.cpp:
1016         (JSC::IsoSubspace::IsoSubspace):
1017         (JSC::IsoSubspace::allocatorFor):
1018         (JSC::IsoSubspace::allocate):
1019         (JSC::IsoSubspace::allocateNonVirtual):
1020         * heap/IsoSubspace.h:
1021         (JSC::IsoSubspace::allocatorForNonVirtual):
1022         * heap/LocalAllocator.cpp: Added.
1023         (JSC::LocalAllocator::LocalAllocator):
1024         (JSC::LocalAllocator::reset):
1025         (JSC::LocalAllocator::~LocalAllocator):
1026         (JSC::LocalAllocator::stopAllocating):
1027         (JSC::LocalAllocator::resumeAllocating):
1028         (JSC::LocalAllocator::prepareForAllocation):
1029         (JSC::LocalAllocator::stopAllocatingForGood):
1030         (JSC::LocalAllocator::allocateSlowCase):
1031         (JSC::LocalAllocator::didConsumeFreeList):
1032         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
1033         (JSC::LocalAllocator::allocateIn):
1034         (JSC::LocalAllocator::tryAllocateIn):
1035         (JSC::LocalAllocator::doTestCollectionsIfNeeded):
1036         (JSC::LocalAllocator::isFreeListedCell const):
1037         * heap/LocalAllocator.h: Added.
1038         (JSC::LocalAllocator::offsetOfFreeList):
1039         (JSC::LocalAllocator::offsetOfCellSize):
1040         * heap/LocalAllocatorInlines.h: Added.
1041         (JSC::LocalAllocator::allocate):
1042         * heap/MarkedSpace.cpp:
1043         (JSC::MarkedSpace::stopAllocatingForGood):
1044         * heap/MarkedSpace.h:
1045         * heap/SlotVisitor.cpp:
1046         * heap/SlotVisitor.h:
1047         * heap/Subspace.h:
1048         * heap/ThreadLocalCache.cpp: Added.
1049         (JSC::ThreadLocalCache::create):
1050         (JSC::ThreadLocalCache::ThreadLocalCache):
1051         (JSC::ThreadLocalCache::~ThreadLocalCache):
1052         (JSC::ThreadLocalCache::allocateData):
1053         (JSC::ThreadLocalCache::destroyData):
1054         (JSC::ThreadLocalCache::installSlow):
1055         (JSC::ThreadLocalCache::installData):
1056         (JSC::ThreadLocalCache::allocatorSlow):
1057         (JSC::ThreadLocalCache::destructor):
1058         * heap/ThreadLocalCache.h: Added.
1059         (JSC::ThreadLocalCache::offsetOfSize):
1060         (JSC::ThreadLocalCache::offsetOfFirstAllocator):
1061         * heap/ThreadLocalCacheInlines.h: Added.
1062         (JSC::ThreadLocalCache::getImpl):
1063         (JSC::ThreadLocalCache::get):
1064         (JSC::ThreadLocalCache::install):
1065         (JSC::ThreadLocalCache::allocator):
1066         (JSC::ThreadLocalCache::tryGetAllocator):
1067         * heap/ThreadLocalCacheLayout.cpp: Added.
1068         (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
1069         (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
1070         (JSC::ThreadLocalCacheLayout::allocateOffset):
1071         (JSC::ThreadLocalCacheLayout::snapshot):
1072         (JSC::ThreadLocalCacheLayout::directory):
1073         * heap/ThreadLocalCacheLayout.h: Added.
1074         * jit/AssemblyHelpers.cpp:
1075         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1076         (JSC::AssemblyHelpers::emitAllocate):
1077         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1078         * jit/AssemblyHelpers.h:
1079         (JSC::AssemblyHelpers::vm):
1080         (JSC::AssemblyHelpers::emitAllocateJSCell):
1081         (JSC::AssemblyHelpers::emitAllocateJSObject):
1082         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1083         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
1084         (JSC::AssemblyHelpers::emitAllocate): Deleted.
1085         (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
1086         * jit/JITOpcodes.cpp:
1087         (JSC::JIT::emit_op_new_object):
1088         (JSC::JIT::emit_op_create_this):
1089         * jit/JITOpcodes32_64.cpp:
1090         (JSC::JIT::emit_op_new_object):
1091         (JSC::JIT::emit_op_create_this):
1092         * runtime/ButterflyInlines.h:
1093         (JSC::Butterfly::createUninitialized):
1094         (JSC::Butterfly::tryCreate):
1095         (JSC::Butterfly::growArrayRight):
1096         * runtime/DirectArguments.cpp:
1097         (JSC::DirectArguments::overrideThings):
1098         * runtime/GenericArgumentsInlines.h:
1099         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1100         * runtime/HashMapImpl.h:
1101         (JSC::HashMapBuffer::create):
1102         * runtime/JSArray.cpp:
1103         (JSC::JSArray::tryCreateUninitializedRestricted):
1104         (JSC::JSArray::unshiftCountSlowCase):
1105         * runtime/JSArray.h:
1106         (JSC::JSArray::tryCreate):
1107         * runtime/JSArrayBufferView.cpp:
1108         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1109         * runtime/JSCellInlines.h:
1110         (JSC::tryAllocateCellHelper):
1111         * runtime/JSGlobalObject.cpp:
1112         (JSC::JSGlobalObject::JSGlobalObject):
1113         * runtime/JSGlobalObject.h:
1114         (JSC::JSGlobalObject::threadLocalCache const):
1115         * runtime/JSLock.cpp:
1116         (JSC::JSLock::didAcquireLock):
1117         * runtime/Options.h:
1118         * runtime/RegExpMatchesArray.h:
1119         (JSC::tryCreateUninitializedRegExpMatchesArray):
1120         * runtime/VM.cpp:
1121         (JSC::VM::VM):
1122         * runtime/VM.h:
1123         * runtime/VMEntryScope.cpp:
1124         (JSC::VMEntryScope::VMEntryScope):
1125
1126 2018-01-25  Commit Queue  <commit-queue@webkit.org>
1127
1128         Unreviewed, rolling out r227592.
1129         https://bugs.webkit.org/show_bug.cgi?id=182110
1130
1131         it made ARM64 (Linux and iOS) crash (Requested by pizlo-mbp on
1132         #webkit).
1133
1134         Reverted changeset:
1135
1136         "JSC GC should support TLCs (thread local caches)"
1137         https://bugs.webkit.org/show_bug.cgi?id=181559
1138         https://trac.webkit.org/changeset/227592
1139
1140 2018-01-25  Alejandro G. Castro  <alex@igalia.com>
1141
1142         undefined reference to 'JSC::B3::BasicBlock::fallThrough() const
1143         https://bugs.webkit.org/show_bug.cgi?id=180637
1144
1145         Reviewed by Michael Catanzaro.
1146
1147         We need to make sure the implementation of the inline functions is
1148         compiled when we compile the code using the function, now that the
1149         compilation is divided, or we could end up with undefined symbols
1150         when the declaration is not inlined, at least with some compilers
1151         and with optimizations (-O2) enabled.
1152
1153         * b3/B3SwitchValue.cpp: replace the include.
1154
1155 2018-01-20  Filip Pizlo  <fpizlo@apple.com>
1156
1157         JSC GC should support TLCs (thread local caches)
1158         https://bugs.webkit.org/show_bug.cgi?id=181559
1159
1160         Reviewed by Mark Lam and Saam Barati.
1161         
1162         This is a big step towards object distancing by site origin. This patch implements TLCs, or
1163         thread-local caches, which allow each thread to allocate from its own free lists. It also
1164         means that any given thread can context-switch TLCs. This will allow us to do separate
1165         allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
1166         will allow us to have a hard distancing constraint between objects from different origins.
1167         
1168         In this new design, every "size class" is represented as a BlockDirectory (formerly known as
1169         MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
1170         aligned memory allocator (which roughly represents which cage you came out of), and anyone
1171         using the same allocator can share those blocks - but so long as they are in that
1172         BlockDirectory, they will have the size and type of that directory. Previously, each
1173         BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
1174         LocalAllocators, each of which has a FreeList.
1175         
1176         To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
1177         BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
1178         call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
1179         starts by figuring out what Allocator it wants (often we have this information at JIT time).
1180         Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
1181         Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
1182         offsets as opposed to indices to make it easy to do the math on each allocation (if
1183         LocalAllocator had a weird size then every allocation would have to do an imul).
1184         
1185         This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
1186         unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
1187         geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
1188         something there, but it's not significant according to our threshold).
1189
1190         * JavaScriptCore.xcodeproj/project.pbxproj:
1191         * Sources.txt:
1192         * b3/B3LowerToAir.cpp:
1193         * b3/B3PatchpointSpecial.cpp:
1194         (JSC::B3::PatchpointSpecial::admitsStack):
1195         * b3/B3StackmapSpecial.cpp:
1196         (JSC::B3::StackmapSpecial::forEachArgImpl):
1197         (JSC::B3::StackmapSpecial::isArgValidForRep):
1198         * b3/B3StackmapValue.cpp:
1199         (JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
1200         * b3/B3StackmapValue.h:
1201         * b3/B3Validate.cpp:
1202         * b3/B3ValueRep.cpp:
1203         (JSC::B3::ValueRep::addUsedRegistersTo const):
1204         (JSC::B3::ValueRep::dump const):
1205         (WTF::printInternal):
1206         * b3/B3ValueRep.h:
1207         (JSC::B3::ValueRep::ValueRep):
1208         * bytecode/AccessCase.cpp:
1209         (JSC::AccessCase::generateImpl):
1210         * bytecode/ObjectAllocationProfile.h:
1211         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
1212         (JSC::ObjectAllocationProfile::clear):
1213         * bytecode/ObjectAllocationProfileInlines.h:
1214         (JSC::ObjectAllocationProfile::initializeProfile):
1215         * dfg/DFGSpeculativeJIT.cpp:
1216         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1217         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1218         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1219         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1220         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1221         (JSC::DFG::SpeculativeJIT::compileNewObject):
1222         * dfg/DFGSpeculativeJIT.h:
1223         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1224         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1225         * ftl/FTLAbstractHeapRepository.h:
1226         * ftl/FTLLowerDFGToB3.cpp:
1227         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1228         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1229         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1230         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
1231         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1232         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1233         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1234         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1235         * heap/Allocator.cpp: Added.
1236         (JSC::Allocator::cellSize const):
1237         * heap/Allocator.h: Added.
1238         (JSC::Allocator::Allocator):
1239         (JSC::Allocator::offset const):
1240         (JSC::Allocator::operator== const):
1241         (JSC::Allocator::operator!= const):
1242         (JSC::Allocator::operator bool const):
1243         * heap/AllocatorInlines.h: Added.
1244         (JSC::Allocator::allocate const):
1245         (JSC::Allocator::tryAllocate const):
1246         * heap/BlockDirectory.cpp:
1247         (JSC::BlockDirectory::BlockDirectory):
1248         (JSC::BlockDirectory::findBlockForAllocation):
1249         (JSC::BlockDirectory::stopAllocating):
1250         (JSC::BlockDirectory::prepareForAllocation):
1251         (JSC::BlockDirectory::stopAllocatingForGood):
1252         (JSC::BlockDirectory::resumeAllocating):
1253         (JSC::BlockDirectory::endMarking):
1254         (JSC::BlockDirectory::isFreeListedCell):
1255         (JSC::BlockDirectory::didConsumeFreeList): Deleted.
1256         (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
1257         (JSC::BlockDirectory::allocateIn): Deleted.
1258         (JSC::BlockDirectory::tryAllocateIn): Deleted.
1259         (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
1260         (JSC::BlockDirectory::allocateSlowCase): Deleted.
1261         * heap/BlockDirectory.h:
1262         (JSC::BlockDirectory::cellKind const):
1263         (JSC::BlockDirectory::allocator const):
1264         (JSC::BlockDirectory::freeList const): Deleted.
1265         (JSC::BlockDirectory::offsetOfFreeList): Deleted.
1266         (JSC::BlockDirectory::offsetOfCellSize): Deleted.
1267         * heap/BlockDirectoryInlines.h:
1268         (JSC::BlockDirectory::isFreeListedCell const): Deleted.
1269         (JSC::BlockDirectory::allocate): Deleted.
1270         * heap/CompleteSubspace.cpp:
1271         (JSC::CompleteSubspace::CompleteSubspace):
1272         (JSC::CompleteSubspace::allocatorFor):
1273         (JSC::CompleteSubspace::allocate):
1274         (JSC::CompleteSubspace::allocateNonVirtual):
1275         (JSC::CompleteSubspace::allocatorForSlow):
1276         (JSC::CompleteSubspace::allocateSlow):
1277         (JSC::CompleteSubspace::tryAllocateSlow):
1278         * heap/CompleteSubspace.h:
1279         (JSC::CompleteSubspace::allocatorForSizeStep):
1280         (JSC::CompleteSubspace::allocatorForNonVirtual):
1281         * heap/FreeList.h:
1282         * heap/GCDeferralContext.h:
1283         * heap/Heap.cpp:
1284         (JSC::Heap::Heap):
1285         (JSC::Heap::lastChanceToFinalize):
1286         * heap/Heap.h:
1287         (JSC::Heap::threadLocalCacheLayout):
1288         * heap/IsoCellSet.h:
1289         * heap/IsoSubspace.cpp:
1290         (JSC::IsoSubspace::IsoSubspace):
1291         (JSC::IsoSubspace::allocatorFor):
1292         (JSC::IsoSubspace::allocate):
1293         (JSC::IsoSubspace::allocateNonVirtual):
1294         * heap/IsoSubspace.h:
1295         (JSC::IsoSubspace::allocatorForNonVirtual):
1296         * heap/LocalAllocator.cpp: Added.
1297         (JSC::LocalAllocator::LocalAllocator):
1298         (JSC::LocalAllocator::reset):
1299         (JSC::LocalAllocator::~LocalAllocator):
1300         (JSC::LocalAllocator::stopAllocating):
1301         (JSC::LocalAllocator::resumeAllocating):
1302         (JSC::LocalAllocator::prepareForAllocation):
1303         (JSC::LocalAllocator::stopAllocatingForGood):
1304         (JSC::LocalAllocator::allocateSlowCase):
1305         (JSC::LocalAllocator::didConsumeFreeList):
1306         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
1307         (JSC::LocalAllocator::allocateIn):
1308         (JSC::LocalAllocator::tryAllocateIn):
1309         (JSC::LocalAllocator::doTestCollectionsIfNeeded):
1310         (JSC::LocalAllocator::isFreeListedCell const):
1311         * heap/LocalAllocator.h: Added.
1312         (JSC::LocalAllocator::offsetOfFreeList):
1313         (JSC::LocalAllocator::offsetOfCellSize):
1314         * heap/LocalAllocatorInlines.h: Added.
1315         (JSC::LocalAllocator::allocate):
1316         * heap/MarkedSpace.cpp:
1317         (JSC::MarkedSpace::stopAllocatingForGood):
1318         * heap/MarkedSpace.h:
1319         * heap/SlotVisitor.cpp:
1320         * heap/SlotVisitor.h:
1321         * heap/Subspace.h:
1322         * heap/ThreadLocalCache.cpp: Added.
1323         (JSC::ThreadLocalCache::create):
1324         (JSC::ThreadLocalCache::ThreadLocalCache):
1325         (JSC::ThreadLocalCache::~ThreadLocalCache):
1326         (JSC::ThreadLocalCache::allocateData):
1327         (JSC::ThreadLocalCache::destroyData):
1328         (JSC::ThreadLocalCache::installSlow):
1329         (JSC::ThreadLocalCache::installData):
1330         (JSC::ThreadLocalCache::allocatorSlow):
1331         (JSC::ThreadLocalCache::destructor):
1332         * heap/ThreadLocalCache.h: Added.
1333         (JSC::ThreadLocalCache::offsetOfSize):
1334         (JSC::ThreadLocalCache::offsetOfFirstAllocator):
1335         * heap/ThreadLocalCacheInlines.h: Added.
1336         (JSC::ThreadLocalCache::getImpl):
1337         (JSC::ThreadLocalCache::get):
1338         (JSC::ThreadLocalCache::install):
1339         (JSC::ThreadLocalCache::allocator):
1340         (JSC::ThreadLocalCache::tryGetAllocator):
1341         * heap/ThreadLocalCacheLayout.cpp: Added.
1342         (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
1343         (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
1344         (JSC::ThreadLocalCacheLayout::allocateOffset):
1345         (JSC::ThreadLocalCacheLayout::snapshot):
1346         (JSC::ThreadLocalCacheLayout::directory):
1347         * heap/ThreadLocalCacheLayout.h: Added.
1348         * jit/AssemblyHelpers.cpp:
1349         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1350         (JSC::AssemblyHelpers::emitAllocate):
1351         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1352         * jit/AssemblyHelpers.h:
1353         (JSC::AssemblyHelpers::vm):
1354         (JSC::AssemblyHelpers::emitAllocateJSCell):
1355         (JSC::AssemblyHelpers::emitAllocateJSObject):
1356         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1357         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
1358         (JSC::AssemblyHelpers::emitAllocate): Deleted.
1359         (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
1360         * jit/JITOpcodes.cpp:
1361         (JSC::JIT::emit_op_new_object):
1362         (JSC::JIT::emit_op_create_this):
1363         * jit/JITOpcodes32_64.cpp:
1364         (JSC::JIT::emit_op_new_object):
1365         (JSC::JIT::emit_op_create_this):
1366         * runtime/ButterflyInlines.h:
1367         (JSC::Butterfly::createUninitialized):
1368         (JSC::Butterfly::tryCreate):
1369         (JSC::Butterfly::growArrayRight):
1370         * runtime/DirectArguments.cpp:
1371         (JSC::DirectArguments::overrideThings):
1372         * runtime/GenericArgumentsInlines.h:
1373         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1374         * runtime/HashMapImpl.h:
1375         (JSC::HashMapBuffer::create):
1376         * runtime/JSArray.cpp:
1377         (JSC::JSArray::tryCreateUninitializedRestricted):
1378         (JSC::JSArray::unshiftCountSlowCase):
1379         * runtime/JSArray.h:
1380         (JSC::JSArray::tryCreate):
1381         * runtime/JSArrayBufferView.cpp:
1382         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1383         * runtime/JSCellInlines.h:
1384         (JSC::tryAllocateCellHelper):
1385         * runtime/JSGlobalObject.cpp:
1386         (JSC::JSGlobalObject::JSGlobalObject):
1387         * runtime/JSGlobalObject.h:
1388         (JSC::JSGlobalObject::threadLocalCache const):
1389         * runtime/JSLock.cpp:
1390         (JSC::JSLock::didAcquireLock):
1391         * runtime/Options.h:
1392         * runtime/RegExpMatchesArray.h:
1393         (JSC::tryCreateUninitializedRegExpMatchesArray):
1394         * runtime/VM.cpp:
1395         (JSC::VM::VM):
1396         * runtime/VM.h:
1397         * runtime/VMEntryScope.cpp:
1398         (JSC::VMEntryScope::VMEntryScope):
1399
1400 2018-01-24  Joseph Pecoraro  <pecoraro@apple.com>
1401
1402         Web Inspector: Simplify update-LegacyInspectorBackendCommands.rb
1403         https://bugs.webkit.org/show_bug.cgi?id=182067
1404
1405         Reviewed by Brian Burg.
1406
1407         * inspector/scripts/codegen/models.py:
1408         (Framework.fromString):
1409         (Frameworks):
1410         * inspector/scripts/generate-inspector-protocol-bindings.py:
1411         (generate_from_specification):
1412         Allow framework WebInspectorUI to generate just the backend commands files.
1413
1414 2018-01-23  Mark Lam  <mark.lam@apple.com>
1415
1416         Update Poisoned pointers to take a Poison class instead of a uintptr_t&.
1417         https://bugs.webkit.org/show_bug.cgi?id=182017
1418         <rdar://problem/36795513>
1419
1420         Reviewed by Filip Pizlo and JF Bastien.
1421
1422         Removed the POISON() macro.  Now that we have Poison types, we can just use
1423         the Poison type instead and make the code a bit nicer to read.
1424
1425         * API/JSAPIWrapperObject.h:
1426         * API/JSCallbackFunction.h:
1427         * API/JSCallbackObject.h:
1428         * b3/B3LowerMacros.cpp:
1429         * b3/testb3.cpp:
1430         (JSC::B3::testInterpreter):
1431         * bytecode/CodeBlock.h:
1432         (JSC::CodeBlock::instructions):
1433         (JSC::CodeBlock::instructions const):
1434         * dfg/DFGOSRExitCompilerCommon.h:
1435         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
1436         * dfg/DFGSpeculativeJIT.cpp:
1437         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1438         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1439         * ftl/FTLLowerDFGToB3.cpp:
1440         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1441         * jit/JIT.h:
1442         * jit/ThunkGenerators.cpp:
1443         (JSC::virtualThunkFor):
1444         (JSC::nativeForGenerator):
1445         (JSC::boundThisNoArgsFunctionCallGenerator):
1446         * parser/UnlinkedSourceCode.h:
1447         * runtime/ArrayPrototype.h:
1448         * runtime/CustomGetterSetter.h:
1449         * runtime/DateInstance.h:
1450         * runtime/InternalFunction.h:
1451         * runtime/JSArrayBuffer.h:
1452         * runtime/JSCPoison.cpp:
1453         (JSC::initializePoison):
1454         * runtime/JSCPoison.h:
1455         * runtime/JSGlobalObject.h:
1456         * runtime/JSScriptFetchParameters.h:
1457         * runtime/JSScriptFetcher.h:
1458         * runtime/NativeExecutable.h:
1459         * runtime/StructureTransitionTable.h:
1460         * runtime/WriteBarrier.h:
1461         (JSC::WriteBarrier::poison): Deleted.
1462         * wasm/js/JSToWasm.cpp:
1463         (JSC::Wasm::createJSToWasmWrapper):
1464         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1465         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1466         * wasm/js/JSWebAssemblyCodeBlock.h:
1467         * wasm/js/JSWebAssemblyInstance.h:
1468         (JSC::JSWebAssemblyInstance::poison):
1469         * wasm/js/JSWebAssemblyMemory.h:
1470         * wasm/js/JSWebAssemblyModule.h:
1471         * wasm/js/JSWebAssemblyTable.h:
1472         * wasm/js/WasmToJS.cpp:
1473         (JSC::Wasm::handleBadI64Use):
1474         (JSC::Wasm::wasmToJS):
1475         * wasm/js/WebAssemblyFunctionBase.h:
1476         * wasm/js/WebAssemblyModuleRecord.h:
1477         * wasm/js/WebAssemblyToJSCallee.h:
1478         * wasm/js/WebAssemblyWrapperFunction.h:
1479
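Editorial illustration, added here and not part of this ChangeLog or of JSC's own code: the pointer-poisoning scheme that the Poison classes in the entry above encapsulate, reduced to a small C++ sketch. A Poisoned pointer is stored XORed with a per-Poison secret key, so a raw heap value read or forged by an attacker is not a usable pointer, and bits decoded under the wrong Poison type do not yield the original object. `PoisonKey`, `Poisoned`, `Payload` and the key generation below are assumptions of this sketch, not JSC's actual classes.

```cpp
#include <cstdint>
#include <random>

// One secret key per Poison type, generated once. Assumed shape for this
// sketch: a class with a static key() accessor, standing in for the Poison
// classes the entry refers to.
template<int Tag>
struct PoisonKey {
    static uintptr_t key()
    {
        static const uintptr_t k = generate();
        return k;
    }
private:
    static uintptr_t generate()
    {
        std::random_device rd;
        std::mt19937_64 rng(rd());
        uintptr_t k = static_cast<uintptr_t>(rng());
        // A zero key would make poisoning a no-op; never allow it.
        return k ? k : static_cast<uintptr_t>(0x5a5a5a5a5a5a5a5aULL);
    }
};
using ExamplePoison = PoisonKey<1>;
using OtherPoison = PoisonKey<2>;

// Stores T* XORed with Poison::key(). Null stays null so the usual
// "is it set" checks still work on the raw field.
template<typename Poison, typename T>
class Poisoned {
public:
    Poisoned() = default;
    explicit Poisoned(T* ptr)
        : m_bits(ptr ? reinterpret_cast<uintptr_t>(ptr) ^ Poison::key() : 0)
    {
    }

    T* unpoisoned() const { return decode(m_bits, Poison::key()); }
    uintptr_t bits() const { return m_bits; }

    // What a reader using a different Poison (a type confusion, or code an
    // attacker redirected) obtains from the same stored bits.
    template<typename WrongPoison>
    T* unpoisonedWith() const { return decode(m_bits, WrongPoison::key()); }

private:
    static T* decode(uintptr_t bits, uintptr_t key)
    {
        return bits ? reinterpret_cast<T*>(bits ^ key) : nullptr;
    }
    uintptr_t m_bits { 0 };
};

struct Payload { int value; };

// The stored bits are not the raw address, yet decoding with the right
// Poison returns the original pointer.
bool roundTripsUnderCorrectPoison()
{
    Payload payload { 42 };
    Poisoned<ExamplePoison, Payload> stored(&payload);
    return stored.unpoisoned() == &payload
        && stored.unpoisoned()->value == 42
        && stored.bits() != reinterpret_cast<uintptr_t>(&payload);
}

// Decoding under another Poison yields a different, useless pointer.
bool wrongPoisonDoesNotDecode()
{
    Payload payload { 7 };
    Poisoned<ExamplePoison, Payload> stored(&payload);
    return stored.unpoisonedWith<OtherPoison>() != &payload;
}

bool nullStaysNull()
{
    Poisoned<ExamplePoison, Payload> empty;
    return empty.bits() == 0 && empty.unpoisoned() == nullptr;
}
```

Binding the key to a type rather than passing a `uintptr_t&` around is what lets the compiler check that a field poisoned with one Poison is only ever unpoisoned with the same one; the XOR itself costs one instruction on each load.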
1480 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1481
1482         Unreviewed, suppress GCC warnings
1483         https://bugs.webkit.org/show_bug.cgi?id=181976
1484
1485         * runtime/TypedArrayType.h:
1486
1487 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1488
1489         [YARR] Add diagnosis for YarrJIT failures
1490         https://bugs.webkit.org/show_bug.cgi?id=181927
1491
1492         Reviewed by Sam Weinig.
1493
1494         It is nice if we can see the reason why YarrJIT fails to compile a given pattern.
1495         This patch introduces Yarr::JITFailureReason and dumps messages if Options::dumpCompiledRegExpPatterns is specified.
1496
1497         * runtime/RegExp.cpp:
1498         (JSC::RegExp::compile):
1499         (JSC::RegExp::compileMatchOnly):
1500         * yarr/YarrJIT.cpp:
1501         (JSC::Yarr::YarrGenerator::generateTerm):
1502         (JSC::Yarr::YarrGenerator::backtrackTerm):
1503         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1504         (JSC::Yarr::YarrGenerator::YarrGenerator):
1505         (JSC::Yarr::YarrGenerator::compile):
1506         (JSC::Yarr::dumpCompileFailure):
1507         (JSC::Yarr::jitCompile):
1508         * yarr/YarrJIT.h:
1509         (JSC::Yarr::YarrCodeBlock::setFallBack):
1510         (JSC::Yarr::YarrCodeBlock::fallBack):
1511         (JSC::Yarr::YarrCodeBlock::clear):
1512         (JSC::Yarr::YarrCodeBlock::YarrCodeBlock): Deleted.
1513         (JSC::Yarr::YarrCodeBlock::~YarrCodeBlock): Deleted.
1514         (JSC::Yarr::YarrCodeBlock::isFallBack): Deleted.
1515
1516 2018-01-23  Alex Christensen  <achristensen@webkit.org>
1517
1518         Remove pre-Sierra-OS-specific code in WTF and JavaScriptCore
1519         https://bugs.webkit.org/show_bug.cgi?id=182028
1520
1521         Reviewed by Keith Miller.
1522
1523         * inspector/remote/cocoa/RemoteInspectorXPCConnection.h:
1524         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
1525         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1526
1527 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1528
1529         Use precise index masking for FTL GetByArgumentByVal
1530         https://bugs.webkit.org/show_bug.cgi?id=182006
1531
1532         Reviewed by Keith Miller.
1533         
1534         This protects against speculative out-of-bounds access on arguments[index].
1535         
1536         Making this work right involved fixing a possible overflow situation with
1537         numberOfArgumentsToSkip.
1538
1539         * dfg/DFGByteCodeParser.cpp:
1540         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
1541         * dfg/DFGGraph.cpp:
1542         (JSC::DFG::Graph::dump):
1543         * dfg/DFGNode.h:
1544         (JSC::DFG::Node::hasNumberOfArgumentsToSkip):
1545         (JSC::DFG::Node::numberOfArgumentsToSkip):
1546         * dfg/DFGStackLayoutPhase.cpp:
1547         (JSC::DFG::StackLayoutPhase::run):
1548         * ftl/FTLLowerDFGToB3.cpp:
1549         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
1550
1551 2018-01-23  David Kilzer  <ddkilzer@apple.com>
1552
1553         Follow-up for: oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
1554         <https://webkit.org/b/181871>
1555         <rdar://problem/36669691>
1556
1557         Address feedback for this change.
1558
1559         * CMakeLists.txt: Change "SYSTEM PUBLIC" to "SYSTEM PRIVATE" per
1560         feedback from Konstantin Tokarev.
1561
1562 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1563
1564         Rollout r219636
1565         https://bugs.webkit.org/show_bug.cgi?id=181997
1566         <rdar://problem/35883022>
1567
1568         Unreviewed, as it is a rollout.
1569
1570         * dfg/DFGSpeculativeJIT.cpp:
1571         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1572         * runtime/JSArray.cpp:
1573         (JSC::JSArray::tryCreateUninitializedRestricted):
1574         * runtime/JSArray.h:
1575         (JSC::JSArray::tryCreate):
1576         * runtime/JSObject.cpp:
1577         (JSC::JSObject::ensureLengthSlow):
1578
1579 2018-01-23  Mark Lam  <mark.lam@apple.com>
1580
1581         Re-arrange TypedArray JSTypes to match the order of the TypedArrayType enum list.
1582         https://bugs.webkit.org/show_bug.cgi?id=181976
1583         <rdar://problem/36766936>
1584
1585         Reviewed by Filip Pizlo.
1586
1587         1. The order of TypedArray JSTypes now matches the order of the TypedArrayType enum
1588            list.  I also added static asserts in TypedArrayType.h to enforce this.
1589
1590            Also redefined FOR_EACH_TYPED_ARRAY_TYPE() in terms of
1591
1592         2. Define 4 new values:
1593            a. FirstTypedArrayType
1594            b. LastTypedArrayType
1595            c. NumberOfTypedArrayTypesExcludingDataView
1596            d. NumberOfTypedArrayTypes
1597
1598            Use these everywhere where we iterate or bisect the TypedArray JSTypes.
1599
1600         3. Removed NUMBER_OF_TYPED_ARRAY_TYPES, and use NumberOfTypedArrayTypes instead.
1601
1602         4. Simplify the code that converts between TypedArrayType and JSType.
1603
1604            Changed typedArrayTypeForType() to be the mirror image of typeForTypedArrayType().
1605            Previously, typedArrayTypeForType() converts DataViewType to NotTypedArray
1606            instead of TypeDataView.  Now, it converts to TypeDataView.
1607
1608            This does not result in any change of behavior because typedArrayTypeForType()
1609            is only called in Structure::hasIndexingHeader(), and its result is passed to
1610            isTypedView(), which handles TypeDataView correctly.
1611
1612         5. Also fixed a bug in SpeculativeJIT::compileGetTypedArrayByteOffset().
1613            If the vector is null, we can skip the rest of the checks.  While the current
1614            code does not result in incorrect behavior, it is inefficient, and communicates
1615            wrong information to the reader i.e. implying that there's something in the
1616            dataGPR when there's not.  The dataGPR should also be null in this case.
1617
1618         * dfg/DFGByteCodeParser.cpp:
1619         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1620         * dfg/DFGSpeculativeJIT.cpp:
1621         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
1622         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1623         * ftl/FTLLowerDFGToB3.cpp:
1624         (JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):
1625         * ftl/FTLOSRExit.cpp:
1626         * llint/LowLevelInterpreter.asm:
1627         * llint/LowLevelInterpreter64.asm:
1628         * runtime/JSGlobalObject.cpp:
1629         (JSC::JSGlobalObject::visitChildren):
1630         * runtime/JSType.h:
1631         * runtime/TypedArrayType.cpp:
1632         (JSC::typeForTypedArrayType): Deleted.
1633         * runtime/TypedArrayType.h:
1634         (JSC::typedArrayTypeForType):
1635         (JSC::typeForTypedArrayType):
1636
1637 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1638
1639         DFG should always flush `this`
1640         https://bugs.webkit.org/show_bug.cgi?id=181999
1641
1642         Reviewed by Saam Barati and Mark Lam.
1643         
1644         This is going to make it possible to use precise index masking for arguments-on-the-stack
1645         accesses with an index adjusted so that 0 is this. Without this change, we would have no way
1646         of masking when the argument count is 0, unless we padded the argument area so that there was
1647         always an argument slot after `this` and it was always initialized.
1648         
1649         This is neutral on all benchmarks.
1650
1651         * dfg/DFGByteCodeParser.cpp:
1652         (JSC::DFG::ByteCodeParser::flushImpl):
1653         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
1654         (JSC::DFG::ByteCodeParser::flush):
1655         (JSC::DFG::ByteCodeParser::flushForTerminal):
1656         (JSC::DFG::ByteCodeParser::parse):
1657         (JSC::DFG::flushImpl): Deleted.
1658         (JSC::DFG::flushForTerminalImpl): Deleted.
1659         * dfg/DFGPreciseLocalClobberize.h:
1660         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1661
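Editorial illustration, added here and not part of this ChangeLog or of JSC; it serves both this entry and the "Use precise index masking for FTL GetByArgumentByVal" entry above. The frame layout (`ArgumentArea`, with slot 0 holding `this`) and the function names are assumptions of the sketch. It contrasts the older power-of-two mask, which still lets a speculative read go past the end when the bound is not a power of two, with a precise mask derived from the bounds comparison itself, and shows why slot 0 must always hold an initialised `this`: that is where an out-of-bounds index is redirected when the mask is zero, including for a call with zero arguments. The slot arithmetic is done in 64 bits so an adjusted index cannot wrap to zero, the kind of overflow the index-masking entry mentions.

```cpp
#include <cstdint>
#include <vector>

// Assumed frame shape for this illustration (not JSC's real CallFrame):
// slot 0 always holds `this`, slots 1..argumentCount hold the arguments, so
// the index the JIT masks is adjusted so that 0 means `this`.
struct ArgumentArea {
    std::vector<uint64_t> slots; // slots[0] is `this`
    uint64_t argumentCount() const { return slots.size() - 1; }
};

// Precise mask: all ones when slot < bound, all zeros otherwise. It is built
// from the comparison result (a data dependency, lowered to setcc/cmov), not
// from a branch, so a mispredicted bounds check cannot let a speculative load
// escape the argument area. A C++ optimizer may fold this after an explicit
// range check; a JIT emits it deliberately.
static inline uint64_t preciseIndexMask(uint64_t slot, uint64_t bound)
{
    return 0ull - static_cast<uint64_t>(slot < bound);
}

// The older, imprecise mask: bound rounded up to a power of two, minus one.
// Cheap to compute once per frame, but when the bound is not a power of two a
// speculative read can still land up to 2x past the end.
static inline uint64_t powerOfTwoIndexMask(uint64_t bound)
{
    uint64_t mask = 1;
    while (mask < bound)
        mask <<= 1;
    return mask - 1;
}

// Slot a speculative load would touch under each masking scheme.
uint64_t preciselyMaskedSlot(const ArgumentArea& frame, uint32_t index)
{
    uint64_t slot = static_cast<uint64_t>(index) + 1; // 64-bit: cannot wrap to 0
    uint64_t bound = frame.argumentCount() + 1;       // `this` + arguments
    return slot & preciseIndexMask(slot, bound);
}

uint64_t powerOfTwoMaskedSlot(const ArgumentArea& frame, uint32_t index)
{
    uint64_t slot = static_cast<uint64_t>(index) + 1;
    return slot & powerOfTwoIndexMask(frame.argumentCount() + 1);
}

// arguments[index] as JS sees it. The architectural bounds check decides the
// result; the masked load is what stays safe while that check is being
// speculated past. A zero mask redirects the load to slot 0, so `this` must
// exist and be initialised in every frame, even one with zero arguments.
uint64_t getArgumentByVal(const ArgumentArea& frame, uint32_t index, bool& outOfBounds)
{
    uint64_t slot = static_cast<uint64_t>(index) + 1;
    uint64_t bound = frame.argumentCount() + 1;
    outOfBounds = slot >= bound;
    if (outOfBounds)
        return 0; // JS would produce undefined here
    return frame.slots[slot & preciseIndexMask(slot, bound)];
}
```

With four arguments the bound is 5 (one `this` slot plus four), the power-of-two mask is 7, and an index of 5 adjusts to slot 6: the imprecise mask leaves it at 6, past the end, while the precise mask sends it to slot 0.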
1662 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1663
1664         JSC should use a speculation fence on VM entry/exit
1665         https://bugs.webkit.org/show_bug.cgi?id=181991
1666
1667         Reviewed by JF Bastien and Mark Lam.
1668         
1669         This adds a WTF::speculationFence on VM entry and exit.
1670         
1671         For a microbenchmark that just calls a native function (supplied via an Objective-C block) in a
1672         tight loop from JS, this is a 0% regression on x86 and an 11% regression on ARM64.
1673         
1674         * runtime/JSLock.cpp:
1675         (JSC::JSLock::didAcquireLock):
1676         (JSC::JSLock::willReleaseLock):
1677
1678 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1679
1680         [JSC] JIT requires sizeof(bool) == 1
1681         https://bugs.webkit.org/show_bug.cgi?id=181150
1682
1683         Reviewed by Saam Barati.
1684
1685         LLInt and JIT assume that sizeof(bool) == 1. But it is implementation-dependent in the C++ spec.
1686         Since this is a mandatory requirement in JSC, we add a static_assert to ensure this.
1687
1688         * runtime/InitializeThreading.cpp:
1689
1690 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1691
1692         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1693         https://bugs.webkit.org/show_bug.cgi?id=181739
1694         <rdar://problem/36627662>
1695
1696         Reviewed by Saam Barati.
1697
1698         When calling a function, its number of arguments is set on the stack. When we turn a recursive tail call
1699         into a jump, we should update that stack slot as there is no guarantee that the function was originally
1700         called with the same number of arguments. Forgetting to do this is observable through 'arguments.length'.
1701
1702         It required adding a new DFG node: 'SetArgumentCountIncludingThis', that takes an unsigned int
1703         as its first OpInfo field, and stores it to the stack at the right place.
1704
1705         We must be a bit careful in where we put this new node, as it ClobbersExit.
1706         We must also fix DFGArgumentsEliminationPhase and DFGPutStackSinkingPhase as they assumed that any node that writes to the stack must write to either an argument or a local.
1707
1708         * dfg/DFGAbstractInterpreterInlines.h:
1709         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1710         * dfg/DFGArgumentsEliminationPhase.cpp:
1711         * dfg/DFGByteCodeParser.cpp:
1712         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1713         * dfg/DFGClobberize.h:
1714         (JSC::DFG::clobberize):
1715         * dfg/DFGDoesGC.cpp:
1716         (JSC::DFG::doesGC):
1717         * dfg/DFGFixupPhase.cpp:
1718         (JSC::DFG::FixupPhase::fixupNode):
1719         * dfg/DFGMayExit.cpp:
1720         * dfg/DFGNode.h:
1721         (JSC::DFG::Node::argumentCountIncludingThis):
1722         * dfg/DFGNodeType.h:
1723         * dfg/DFGPredictionPropagationPhase.cpp:
1724         * dfg/DFGPutStackSinkingPhase.cpp:
1725         * dfg/DFGSafeToExecute.h:
1726         (JSC::DFG::safeToExecute):
1727         * dfg/DFGSpeculativeJIT.cpp:
1728         (JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis):
1729         * dfg/DFGSpeculativeJIT.h:
1730         * dfg/DFGSpeculativeJIT32_64.cpp:
1731         (JSC::DFG::SpeculativeJIT::compile):
1732         * dfg/DFGSpeculativeJIT64.cpp:
1733         (JSC::DFG::SpeculativeJIT::compile):
1734         * ftl/FTLCapabilities.cpp:
1735         (JSC::FTL::canCompile):
1736         * ftl/FTLLowerDFGToB3.cpp:
1737         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1738         (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis):
1739
1740 2018-01-22  Michael Saboff  <msaboff@apple.com>
1741
1742         DFG abstract interpreter needs to properly model effects of some Math ops
1743         https://bugs.webkit.org/show_bug.cgi?id=181886
1744
1745         Reviewed by Saam Barati.
1746
1747         Reviewed the processing of the various ArithXXX and CompareXXX and found that
1748         several nodes don't handle UntypedUse.  Added clobberWorld() for those cases.
1749
1750         * dfg/DFGAbstractInterpreter.h:
1751         * dfg/DFGAbstractInterpreterInlines.h:
1752         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1753         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1754
1755 2018-01-21  Wenson Hsieh  <wenson_hsieh@apple.com>
1756
1757         Add a new feature flag for EXTRA_ZOOM_MODE and reintroduce AdditionalFeatureDefines.h
1758         https://bugs.webkit.org/show_bug.cgi?id=181918
1759
1760         Reviewed by Tim Horton.
1761
1762         Add EXTRA_ZOOM_MODE to FeatureDefines.xcconfig (off by default).
1763
1764         * Configurations/FeatureDefines.xcconfig:
1765
1766 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1767
1768         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1769         https://bugs.webkit.org/show_bug.cgi?id=181182
1770
1771         Reviewed by Darin Adler.
1772
1773         Casting double to integer is undefined behavior when the truncation
1774         results in a value that doesn't fit into the integer size,
1775         according to the C++ spec [1]. Thus, we are changing bigIntProtoFuncToString and
1776         numberProtoFuncToString to remove this source of undefined
1777         behavior.
1778
1779         [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
1780
1781         * runtime/BigIntPrototype.cpp:
1782         (JSC::bigIntProtoFuncToString):
1783         * runtime/NumberPrototype.cpp:
1784         (JSC::numberProtoFuncToString):
1785         (JSC::extractToStringRadixArgument):
1786         (JSC::extractRadixFromArgs): Deleted.
1787         * runtime/NumberPrototype.h:
1788
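Editorial illustration, added here and not JSC's code: the undefined-behaviour pattern this entry describes, next to a hardened version. `RadixArgument`, `extractRadixByCasting` and `extractToStringRadix` are names assumed for this sketch; the hardened function loosely mirrors the ECMAScript radix handling of Number.prototype.toString (undefined means 10, and any value whose integer part lies outside [2, 36] is a RangeError).

```cpp
#include <cmath>
#include <cstdint>

// The argument as the runtime sees it: either `undefined` or a double.
// Constructed stand-in for a JSValue in this illustration.
struct RadixArgument {
    bool isUndefined;
    double number;
};

static RadixArgument undefinedRadix() { return { true, 0.0 }; }
static RadixArgument radixOf(double d) { return { false, d }; }

// The pattern being replaced: truncate by casting, then range-check the int.
// If `number` is NaN, +/-Infinity or outside int32_t's range, the cast itself
// is undefined behaviour (C++ [conv.fpint]); on x86 it happens to yield
// INT32_MIN so the check "works", on other targets it may saturate or trap.
// Kept only for contrast; do not call it with such inputs.
bool extractRadixByCasting(RadixArgument arg, int32_t& radix)
{
    if (arg.isUndefined) {
        radix = 10;
        return true;
    }
    int32_t value = static_cast<int32_t>(arg.number); // UB when out of range
    if (value < 2 || value > 36)
        return false;
    radix = value;
    return true;
}

// Hardened shape: do ToInteger and the range check in the double domain and
// convert only once the value is known to fit. NaN compares false against
// everything, so it is rejected explicitly (ToInteger(NaN) is 0, out of range).
bool extractToStringRadix(RadixArgument arg, int32_t& radix)
{
    if (arg.isUndefined) {
        radix = 10;
        return true;
    }
    double d = arg.number;
    if (std::isnan(d))
        return false;
    double truncated = std::trunc(d); // ToInteger; +/-Infinity map to themselves
    if (truncated < 2.0 || truncated > 36.0)
        return false; // RangeError in JS
    radix = static_cast<int32_t>(truncated); // provably within [2, 36] here
    return true;
}
```

The same ordering applies to every double-to-integer conversion fed by script-controlled values: compare in the floating-point domain first, and cast only values that the comparison has already bounded.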
1789 2018-01-19  Saam Barati  <sbarati@apple.com>
1790
1791         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1792         https://bugs.webkit.org/show_bug.cgi?id=181877
1793         <rdar://problem/36630552>
1794
1795         Reviewed by Mark Lam.
1796
1797         Before this patch, we used to assert that op_negate's result ArithProfile
1798         only produces numbers. It's logically true that negate only produces a number.
1799         However, the DFG may incorrectly pick this ArithProfile when doing OSR exit
1800         profiling. So we'll end up profiling something that's likely the input to
1801         negate. This patch removes the assert. We cede to the fact that Graph::methodOfGettingAValueProfileFor
1802         is entirely heuristic based, potentially leading to profiling results being imprecise.
1803
1804         * dfg/DFGByteCodeParser.cpp:
1805         (JSC::DFG::ByteCodeParser::makeSafe):
1806
1807 2018-01-19  David Kilzer  <ddkilzer@apple.com>
1808
1809         oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
1810         <https://webkit.org/b/181871>
1811
1812         Rubber-stamped by JF Bastien.
1813
1814         * CMakeLists.txt: Add ICU header search path to
1815         LLIntOffsetsExtractor target by reusing
1816         JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES.
1817
1818 2018-01-19  Saam Barati  <sbarati@apple.com>
1819
1820         Spread's effects are modeled incorrectly both in AI and in Clobberize
1821         https://bugs.webkit.org/show_bug.cgi?id=181867
1822         <rdar://problem/36290415>
1823
1824         Reviewed by Michael Saboff.
1825
1826         * dfg/DFGAbstractInterpreterInlines.h:
1827         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1828         * dfg/DFGClobberize.h:
1829         (JSC::DFG::clobberize):
1830
1831 2018-01-19  Keith Miller  <keith_miller@apple.com>
1832
1833         HaveInternalSDK includes should be "#include?"
1834         https://bugs.webkit.org/show_bug.cgi?id=179670
1835
1836         Reviewed by Dan Bernstein.
1837
1838         * Configurations/Base.xcconfig:
1839
1840 2018-01-18  JF Bastien  <jfbastien@apple.com>
1841
1842         Set the minimum executable allocator size properly
1843         https://bugs.webkit.org/show_bug.cgi?id=181816
1844         <rdar://problem/36635533>
1845
1846         Reviewed by Saam Barati.
1847
1848         The executable allocator expects at least two page sizes' worth of
1849         allocation in certain conditions, and that causes some tests to
1850         now fail because they ask for less. Set that minimum correctly. We
1851         were already rounding up to a page size, so having a minimum of 2
1852         page sizes is fine.
1853
1854         * jit/ExecutableAllocator.cpp:
1855         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1856
1857 2018-01-18  Michael Saboff  <msaboff@apple.com>
1858
1859         Unreviewed build fix for Windows
1860
1861         * interpreter/FrameTracers.h:
1862         (JSC::assertStackPointerIsAligned): Can't use gcc style inlined assembly
1863         on Windows.
1864
1865 2018-01-18  Mark Lam  <mark.lam@apple.com>
1866
1867         Poisons should be initialized after Options are initialized.
1868         https://bugs.webkit.org/show_bug.cgi?id=181807
1869         <rdar://problem/36629138>
1870
1871         Reviewed by Keith Miller.
1872
1873         This is because poison initialization may depend on options.
1874
1875         * runtime/InitializeThreading.cpp:
1876         (JSC::initializeThreading):
1877
1878 2018-01-18  Dan Bernstein  <mitz@apple.com>
1879
1880         [Xcode] Streamline and future-proof target-macOS-version-dependent build setting definitions
1881         https://bugs.webkit.org/show_bug.cgi?id=181803
1882
1883         Reviewed by Tim Horton.
1884
1885         * Configurations/Base.xcconfig: Updated.
1886         * Configurations/DebugRelease.xcconfig: Ditto.
1887         * Configurations/FeatureDefines.xcconfig: Adopted macOSTargetConditionals helpers.
1888         * Configurations/Version.xcconfig: Updated.
1889         * Configurations/macOSTargetConditionals.xcconfig: Added. Defines helper build settings
1890           useful for defining settings that depend on the target macOS version.
1891
1892 2018-01-18  Michael Saboff  <msaboff@apple.com>
1893
1894         REGRESSION (r226068): [X86] Crash in JavaScriptCore ShadowChicken when handling exceptions
1895         https://bugs.webkit.org/show_bug.cgi?id=181802
1896
1897         Reviewed by Filip Pizlo.
1898
1899         There were a few places where the stack isn't properly aligned for X86 when we call into C++ code.
1900         Two places are where we call into exception handling code, the LLInt and from nativeForGenerator.
1901         The other place was when we call into the operationOSRWriteBarrier().
1902
1903         Added an assert check that the stack is aligned on X86 platforms in the native call tracing code.
1904         This helped find the other cases beyond the original problem.
1905
1906         * dfg/DFGOSRExitCompilerCommon.cpp:
1907         (JSC::DFG::osrWriteBarrier):
1908         * interpreter/FrameTracers.h:
1909         (JSC::assertStackPointerIsAligned):
1910         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1911         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
1912         * jit/ThunkGenerators.cpp:
1913         (JSC::nativeForGenerator):
1914         * llint/LowLevelInterpreter32_64.asm:
1915
1916 2018-01-18  Commit Queue  <commit-queue@webkit.org>
1917
1918         Unreviewed, rolling out r227096.
1919         https://bugs.webkit.org/show_bug.cgi?id=181788
1920
1921         "it caused a 15% octane regression" (Requested by saamyjoon on
1922         #webkit).
1923
1924         Reverted changeset:
1925
1926         "Support MultiGetByOffset in the DFG"
1927         https://bugs.webkit.org/show_bug.cgi?id=181466
1928         https://trac.webkit.org/changeset/227096
1929
1930 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1931
1932         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1933         https://bugs.webkit.org/show_bug.cgi?id=181535
1934
1935         Reviewed by Saam Barati.
1936
1937         When executing code like `string.match(/regexp/)`, a `/regexp/` object is created every time we execute this code.
1938         However, the user rarely cares about this `/regexp/` object. Typically, it is soon discarded even if it has `lastIndex`
1939         information. So we should not create a RegExpObject for this typical case.
1940
1941         This patch introduces PhantomNewRegexp. We convert NewRegexp node to PhantomNewRegexp in Object Allocation Sinking (OAS)
1942         phase. We should do this analysis in OAS phase since we track modifications to `lastIndex` in the OAS phase. Even if
1943         `lastIndex` is modified, it may not be read by users. So we have a chance to drop this NewRegexp because we carefully model
1944         SetRegExpObjectLastIndex and GetRegExpObjectLastIndex in OAS phase.
1945
1946         This patch is a first attempt to drop NewRegexp. So we start optimizing it with a simple step: we first drop RegExps that are
1947         non-global and non-sticky. We can later extend this optimization to RegExps with the global flag. But this is not included
1948         in this patch.
1949
1950         We convert RegExpExec to RegExpExecNonGlobalOrSticky if we find that the given RegExpObject's RegExp is not global/sticky
1951         flagged. Since we do not need to touch `lastIndex` property in this case, RegExpExecNonGlobalOrSticky just takes RegExp
1952         instead of RegExpObject. This offers the chance to make NewRegExp unused.
1953
1954         We also convert RegExpMatchFast to RegExpExecNonGlobalOrSticky if its RegExpObject's RegExp is non-global and non-sticky,
1955         since they are the same behavior.
1956
1957         The above optimization completely removes NewRegexp in SixSpeed's regexp-u.{es5,es6}. The resulting execution time is
1958         roughly the pure execution time of our Yarr implementation.
1959
1960                                      baseline                  patched
1961
1962             regex-u.es5          34.8557+-0.5963     ^      6.1507+-0.5526        ^ definitely 5.6670x faster
1963             regex-u.es6          89.1919+-3.3851     ^     32.0917+-0.4260        ^ definitely 2.7793x faster
1964
1965         This patch does not change Octane/RegExp much since it heavily uses String.prototype.replace, which is not handled in
1966         this patch right now. We should support StringReplace node in subsequent patches.
1967
1968         * dfg/DFGAbstractInterpreterInlines.h:
1969         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1970         * dfg/DFGByteCodeParser.cpp:
1971         (JSC::DFG::ByteCodeParser::parseBlock):
1972         * dfg/DFGClobberize.h:
1973         (JSC::DFG::clobberize):
1974         * dfg/DFGClobbersExitState.cpp:
1975         (JSC::DFG::clobbersExitState):
1976         * dfg/DFGDoesGC.cpp:
1977         (JSC::DFG::doesGC):
1978         * dfg/DFGFixupPhase.cpp:
1979         (JSC::DFG::FixupPhase::fixupNode):
1980         * dfg/DFGGraph.cpp:
1981         (JSC::DFG::Graph::dump):
1982         * dfg/DFGMayExit.cpp:
1983         * dfg/DFGNode.cpp:
1984         (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky):
1985         * dfg/DFGNode.h:
1986         (JSC::DFG::Node::convertToPhantomNewRegexp):
1987         (JSC::DFG::Node::convertToSetRegExpObjectLastIndex):
1988         (JSC::DFG::Node::hasHeapPrediction):
1989         (JSC::DFG::Node::hasCellOperand):
1990         (JSC::DFG::Node::isPhantomAllocation):
1991         (JSC::DFG::Node::hasIgnoreLastIndexIsWritable):
1992         (JSC::DFG::Node::ignoreLastIndexIsWritable):
1993         * dfg/DFGNodeType.h:
1994         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1995         * dfg/DFGOperations.cpp:
1996         * dfg/DFGOperations.h:
1997         * dfg/DFGPredictionPropagationPhase.cpp:
1998         * dfg/DFGPromotedHeapLocation.cpp:
1999         (WTF::printInternal):
2000         * dfg/DFGPromotedHeapLocation.h:
2001         (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization const):
2002         * dfg/DFGSafeToExecute.h:
2003         (JSC::DFG::safeToExecute):
2004         * dfg/DFGSpeculativeJIT.cpp:
2005         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2006         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2007         (JSC::DFG::SpeculativeJIT::compileRegExpExecNonGlobalOrSticky):
2008         * dfg/DFGSpeculativeJIT.h:
2009         (JSC::DFG::SpeculativeJIT::callOperation):
2010         * dfg/DFGSpeculativeJIT32_64.cpp:
2011         (JSC::DFG::SpeculativeJIT::compile):
2012         * dfg/DFGSpeculativeJIT64.cpp:
2013         (JSC::DFG::SpeculativeJIT::compile):
2014         * dfg/DFGStrengthReductionPhase.cpp:
2015         (JSC::DFG::StrengthReductionPhase::handleNode):
2016         * dfg/DFGValidate.cpp:
2017         * ftl/FTLCapabilities.cpp:
2018         (JSC::FTL::canCompile):
2019         * ftl/FTLLowerDFGToB3.cpp:
2020         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2021         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky):
2022         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2023         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2024         * ftl/FTLOperations.cpp:
2025         (JSC::FTL::operationPopulateObjectInOSR):
2026         (JSC::FTL::operationMaterializeObjectInOSR):
2027         * jit/JITOperations.h:
2028         * runtime/RegExpObject.h:
2029         (JSC::RegExpObject::create):
2030
2031 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2032
2033         [FTL] Remove unused helper functions to convert node to PutHint
2034         https://bugs.webkit.org/show_bug.cgi?id=181775
2035
2036         Reviewed by Saam Barati.
2037
2038         We are using PromotedHeapLocation::createHint. So they are not necessary.
2039
2040         * dfg/DFGNode.cpp:
2041         (JSC::DFG::Node::convertToPutHint): Deleted.
2042         (JSC::DFG::Node::convertToPutStructureHint): Deleted.
2043         (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
2044         (JSC::DFG::Node::convertToPutClosureVarHint): Deleted.
2045         * dfg/DFGNode.h:
2046
2047 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2048
2049         Unreviewed, suppress warnings on GCC
2050
2051         Since `length` and `p` are always positive or zero,
2052         static_cast<unsigned>() does what we want.
2053
2054         * runtime/JSBigInt.cpp:
2055         (JSC::JSBigInt::parseInt):
2056
2057 2018-01-17  Saam Barati  <sbarati@apple.com>
2058
2059         Disable Atomics when SharedArrayBuffer isn’t enabled
2060         https://bugs.webkit.org/show_bug.cgi?id=181572
2061         <rdar://problem/36553206>
2062
2063         Reviewed by Michael Saboff.
2064
2065         * runtime/JSGlobalObject.cpp:
2066         (JSC::JSGlobalObject::init):
2067         (JSC::createAtomicsProperty): Deleted.
2068
2069 2018-01-17  Saam Barati  <sbarati@apple.com>
2070
2071         Support MultiGetByOffset in the DFG
2072         https://bugs.webkit.org/show_bug.cgi?id=181466
2073
2074         Reviewed by Keith Miller.
2075
2076         This seems to benefit Speedometer in my local testing. It seems like this
2077         might be around a 0.5% improvement.
2078
2079         * dfg/DFGAbstractInterpreterInlines.h:
2080         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2081         * dfg/DFGByteCodeParser.cpp:
2082         (JSC::DFG::ByteCodeParser::handleGetById):
2083         * dfg/DFGConstantFoldingPhase.cpp:
2084         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2085         * dfg/DFGGraph.h:
2086         (JSC::DFG::Graph::supportsMultiGetByOffset):
2087         * dfg/DFGSpeculativeJIT64.cpp:
2088         (JSC::DFG::SpeculativeJIT::compile):
2089
2090 2018-01-17  Saam Barati  <sbarati@apple.com>
2091
2092         DFG::Node::convertToConstant needs to clear the varargs flags
2093         https://bugs.webkit.org/show_bug.cgi?id=181697
2094         <rdar://problem/36497332>
2095
2096         Reviewed by Yusuke Suzuki.
2097
2098         * dfg/DFGNode.h:
2099         (JSC::DFG::Node::convertToConstant):
2100
2101 2018-01-16  JF Bastien  <jfbastien@apple.com>
2102
2103         Allow dangerous disabling of poison
2104         https://bugs.webkit.org/show_bug.cgi?id=181685
2105         <rdar://problem/36546265>
2106
2107         Reviewed by Keith Miller.
2108
2109         Some tools such as leak detectors and such like to look at real
2110         pointers, and poisoned ones confuse them. Add a JSC option to
2111         disable poisoning, but log to the console when this is done.
2112
2113         * runtime/JSCPoison.cpp:
2114         (JSC::initializePoison):
2115         * runtime/Options.h:
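An added example of the mechanism this entry is about, written for this page and not taken from JavaScriptCore's `Poisoned<>` / `POISON()` code: a pointer field stored as address XOR a process-wide key, plus a startup switch that sets the key to zero (and logs that it did so) so that leak detectors and similar tools see plain addresses again. The `PoisonExample` namespace, the `PoisonedPtr` class and the choice of forcing the key's top bit are assumptions of this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

// Added example, not JavaScriptCore's Poisoned<> or POISON() implementation.
// It shows the idea behind pointer poisoning and why a "disable poisoning"
// switch helps tools that scan memory for real addresses.
namespace PoisonExample {

// Process-wide poison key. Zero means "poisoning disabled": the stored bits
// are then the plain address, which a leak detector can recognise.
static uintptr_t g_poisonKey = 0;

// Pick the key once at startup. When `disable` is set, log loudly (as the
// entry describes) so a build with poisoning off is never shipped by accident.
void initializePoison(bool disable)
{
    if (disable) {
        g_poisonKey = 0;
        std::fprintf(stderr, "WARNING: pointer poisoning disabled; pointers are stored in the clear\n");
        return;
    }
    std::random_device seed;
    std::mt19937_64 rng(seed());
    uintptr_t key = static_cast<uintptr_t>(rng());
    // Force the top bit so the key is never zero and a poisoned value is not a
    // canonical user-space address: dereferencing it by mistake faults instead
    // of reading through a corrupted pointer. (Design choice of this example,
    // assumed rather than taken from JSC.)
    key |= static_cast<uintptr_t>(1) << (sizeof(uintptr_t) * 8 - 1);
    g_poisonKey = key;
}

// A pointer field whose in-memory representation is address XOR key.
template<typename T>
class PoisonedPtr {
public:
    PoisonedPtr() : m_bits(0) { }
    explicit PoisonedPtr(T* ptr) { set(ptr); }

    void set(T* ptr)
    {
        // Keep null as all-zero bits so a zero-initialised field reads back as null.
        m_bits = ptr ? (reinterpret_cast<uintptr_t>(ptr) ^ g_poisonKey) : 0;
    }

    T* get() const
    {
        return m_bits ? reinterpret_cast<T*>(m_bits ^ g_poisonKey) : nullptr;
    }

    // What a memory scanner sees when it reads this field.
    uintptr_t rawBits() const { return m_bits; }

private:
    uintptr_t m_bits;
};

struct DemoResult {
    bool roundTrips;    // get() returns the pointer that was stored
    bool addressHidden; // stored bits differ from the real address
};

// Store a pointer with poisoning on or off and report what a scanner would see.
DemoResult demo(bool disablePoison)
{
    initializePoison(disablePoison);
    int value = 42;
    PoisonedPtr<int> field(&value);
    DemoResult r;
    r.roundTrips = field.get() == &value && *field.get() == 42;
    r.addressHidden = field.rawBits() != reinterpret_cast<uintptr_t>(&value);
    return r;
}

// A default-constructed field must read back as null whatever the key is.
bool nullStaysNull()
{
    PoisonedPtr<int> field;
    return field.get() == nullptr && field.rawBits() == 0;
}

} // namespace PoisonExample

int main()
{
    PoisonExample::DemoResult on = PoisonExample::demo(false);
    PoisonExample::DemoResult off = PoisonExample::demo(true);
    std::printf("poisoning on:  round-trips=%d hidden=%d\n", on.roundTrips, on.addressHidden);
    std::printf("poisoning off: round-trips=%d hidden=%d\n", off.roundTrips, off.addressHidden);
    return 0;
}
```

With poisoning on, `demo(false)` reports that `get()` still returns the stored pointer while the raw field bits differ from the address; with the switch set, `demo(true)` reports the raw bits equal to the address, which is exactly what a leak detector needs and why the option is logged rather than silent.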
2116
2117 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
2118
2119         Unreviewed, rolling out r226937.
2120
2121         Tests added with this change are failing due to a missing
2122         exception check.
2123
2124         Reverted changeset:
2125
2126         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
2127         double to int32_t"
2128         https://bugs.webkit.org/show_bug.cgi?id=181182
2129         https://trac.webkit.org/changeset/226937
2130
2131 2018-01-16  Michael Catanzaro  <mcatanzaro@igalia.com>
2132
2133         Test programs should only be built in developer mode
2134         https://bugs.webkit.org/show_bug.cgi?id=181653
2135
2136         Reviewed by Carlos Garcia Campos.
2137
2138         Build test programs only in developer mode, and fix code style.
2139
2140         * shell/CMakeLists.txt:
2141
2142 2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2143
2144         Improve use of ExportMacros
2145         https://bugs.webkit.org/show_bug.cgi?id=181652
2146
2147         Reviewed by Konstantin Tokarev.
2148
2149         * API/JSBase.h: Update a comment.
2150         * inspector/InspectorBackendDispatcher.h: Use a better, yet equivalent, WTF macro.
2151         * runtime/JSExportMacros.h: Simplify the #defines in this file.
2152
2153 2018-01-15  JF Bastien  <jfbastien@apple.com>
2154
2155         Remove makePoisonedUnique
2156         https://bugs.webkit.org/show_bug.cgi?id=181630
2157         <rdar://problem/36498623>
2158
2159         Reviewed by Mark Lam.
2160
2161         I added a conversion from std::unique_ptr, so we can just use
2162         std::make_unique and it'll auto-poison when converted.
2163
2164         * bytecode/CodeBlock.h:
2165         (JSC::CodeBlock::makePoisonedUnique): Deleted.
2166         * runtime/JSGlobalObject.cpp:
2167         (JSC::JSGlobalObject::init):
2168         * runtime/JSGlobalObject.h:
2169         (JSC::JSGlobalObject::makePoisonedUnique): Deleted.
2170
2171 2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2172
2173         REGRESSION(r226266): [GTK] RELEASE_ASSERT(reservedZoneSize >= minimumReservedZoneSize) in JSC::VM::updateStackLimits
2174         https://bugs.webkit.org/show_bug.cgi?id=181438
2175         <rdar://problem/36376724>
2176
2177         Reviewed by Carlos Garcia Campos.
2178
2179         Roll out the functional changes of r226266. We'll keep the minor CMake library type setting
2180         cleanup, but we have to switch back to building JSC only as a shared library, and we have to
2181         get rid of the version script.
2182
2183         * PlatformGTK.cmake:
2184         * javascriptcoregtk-symbols.map: Removed.
2185
2186 2018-01-14  Saam Barati  <sbarati@apple.com>
2187
2188         Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build.
2189
2190         * bytecode/CallLinkStatus.cpp:
2191         (JSC::CallLinkStatus::computeFromLLInt):
2192         (JSC::CallLinkStatus::computeExitSiteData):
2193
2194 2018-01-13  Mark Lam  <mark.lam@apple.com>
2195
2196         Replace all use of ConstExprPoisoned with Poisoned.
2197         https://bugs.webkit.org/show_bug.cgi?id=181542
2198         <rdar://problem/36442138>
2199
2200         Reviewed by JF Bastien.
2201
2202         1. All JSC poisons are now defined in JSCPoison.h.
2203
2204         2. Change all clients to use the new poison values via the POISON() macro.
2205
2206         3. The LLInt code has been updated to handle CodeBlock poison.  Some of this code
2207            uses the t5 temp register, which is not available on the Windows port.
2208            Fortunately, we don't currently do poisoning on the Windows port yet.  So,
2209            it will just work for now.
2210
2211            When poisoning is enabled for the Windows port, this LLInt code will need a
2212            Windows specific implementation to work around its lack of a t5 register.
2213
2214         * API/JSAPIWrapperObject.h:
2215         * API/JSCallbackFunction.h:
2216         * API/JSCallbackObject.h:
2217         * JavaScriptCore.xcodeproj/project.pbxproj:
2218         * Sources.txt:
2219         * assembler/MacroAssemblerCodeRef.h:
2220         (JSC::MacroAssemblerCodePtr::emptyValue):
2221         (JSC::MacroAssemblerCodePtr::deletedValue):
2222         * b3/B3LowerMacros.cpp:
2223         * b3/testb3.cpp:
2224         (JSC::B3::testInterpreter):
2225         * bytecode/CodeBlock.h:
2226         (JSC::CodeBlock::instructions):
2227         (JSC::CodeBlock::instructions const):
2228         (JSC::CodeBlock::makePoisonedUnique):
2229         * dfg/DFGOSRExitCompilerCommon.h:
2230         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
2231         * dfg/DFGSpeculativeJIT.cpp:
2232         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2233         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2234         * ftl/FTLLowerDFGToB3.cpp:
2235         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2236         * jit/JIT.h:
2237         * jit/ThunkGenerators.cpp:
2238         (JSC::virtualThunkFor):
2239         (JSC::nativeForGenerator):
2240         (JSC::boundThisNoArgsFunctionCallGenerator):
2241         * llint/LowLevelInterpreter.asm:
2242         * llint/LowLevelInterpreter32_64.asm:
2243         * llint/LowLevelInterpreter64.asm:
2244         * parser/UnlinkedSourceCode.h:
2245         * runtime/ArrayPrototype.h:
2246         * runtime/CustomGetterSetter.h:
2247         * runtime/DateInstance.h:
2248         * runtime/InternalFunction.h:
2249         * runtime/JSArrayBuffer.h:
2250         * runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
2251         (JSC::initializePoison):
2252         * runtime/JSCPoison.h:
2253         (): Deleted.
2254         * runtime/JSCPoisonedPtr.cpp: Removed.
2255         * runtime/JSCPoisonedPtr.h: Removed.
2256         * runtime/JSGlobalObject.h:
2257         (JSC::JSGlobalObject::makePoisonedUnique):
2258         * runtime/JSScriptFetchParameters.h:
2259         * runtime/JSScriptFetcher.h:
2260         * runtime/NativeExecutable.h:
2261         * runtime/StructureTransitionTable.h:
2262         (JSC::StructureTransitionTable::map const):
2263         (JSC::StructureTransitionTable::weakImpl const):
2264         * runtime/WriteBarrier.h:
2265         (JSC::WriteBarrier::poison):
2266         * wasm/js/JSToWasm.cpp:
2267         (JSC::Wasm::createJSToWasmWrapper):
2268         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2269         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2270         * wasm/js/JSWebAssemblyCodeBlock.h:
2271         * wasm/js/JSWebAssemblyInstance.h:
2272         * wasm/js/JSWebAssemblyMemory.h:
2273         * wasm/js/JSWebAssemblyModule.h:
2274         * wasm/js/JSWebAssemblyTable.h:
2275         * wasm/js/WasmToJS.cpp:
2276         (JSC::Wasm::handleBadI64Use):
2277         (JSC::Wasm::wasmToJS):
2278         * wasm/js/WebAssemblyFunctionBase.h:
2279         * wasm/js/WebAssemblyModuleRecord.h:
2280         * wasm/js/WebAssemblyToJSCallee.h:
2281         * wasm/js/WebAssemblyWrapperFunction.h:
2282
2283 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
2284
2285         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
2286         https://bugs.webkit.org/show_bug.cgi?id=181182
2287
2288         Reviewed by Darin Adler.
2289
2290         Casting a double to an integer is undefined behavior when the truncation
2291         results in a value that doesn't fit into the integer type, according to the C++
2292         spec[1]. Thus, we are changing bigIntProtoFuncToString and
2293         numberProtoFuncToString to remove this source of undefined behavior.
2294
2295         [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
2296
2297         * runtime/BigIntPrototype.cpp:
2298         (JSC::bigIntProtoFuncToString):
2299         * runtime/NumberPrototype.cpp:
2300         (JSC::numberProtoFuncToString):
2301         (JSC::extractRadixFromArgs): Deleted.
2302         (JSC::extractToStringRadixArgument): Added.
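An added example of the range check this entry calls for, written for this page and not the patched `extractToStringRadixArgument` from JavaScriptCore: the double is tested against `int32_t`'s bounds (and for NaN/infinity) while it is still a double, and the cast happens only once it is known to be in range. The helper names `safeDoubleToInt32`, `extractRadix`, `truncatesTo` and `isConvertible`, and the `RadixResult` type, are assumptions of this example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Added example, not the patched JSC function. It shows the range check that
// has to happen *before* a double is cast to int32_t.

// Convert `value` to int32_t by truncation, refusing NaN, infinities and
// anything whose truncated value lies outside int32_t's range. Returns false
// (leaving `out` untouched) when the cast would be undefined behaviour.
bool safeDoubleToInt32(double value, int32_t& out)
{
    if (std::isnan(value) || std::isinf(value))
        return false;
    double truncated = std::trunc(value);
    // Both int32_t bounds are exactly representable as doubles, so compare in
    // double space; the cast happens only once we know it is in range.
    if (truncated < static_cast<double>(std::numeric_limits<int32_t>::min())
        || truncated > static_cast<double>(std::numeric_limits<int32_t>::max()))
        return false;
    out = static_cast<int32_t>(truncated);
    return true;
}

// Yes/no wrappers for callers that only need the verdict.
bool isConvertible(double value)
{
    int32_t out = 0;
    return safeDoubleToInt32(value, out);
}

bool truncatesTo(double value, int32_t expected)
{
    int32_t out = 0;
    return safeDoubleToInt32(value, out) && out == expected;
}

// Outcome of reading a toString(radix) argument. A JavaScript engine would
// throw a RangeError for the second case; here it is only reported.
enum class RadixStatus { Valid, RangeError };

struct RadixResult {
    RadixStatus status;
    int32_t radix; // meaningful only when status == RadixStatus::Valid
};

// Hypothetical helper modelled on the problem in the entry: an absent
// (undefined) argument means radix 10; otherwise the number must truncate to
// a value in [2, 36]. Casting first and range-checking afterwards, the pattern
// the entry describes, is already undefined behaviour for e.g. 1e300 before
// any [2, 36] check runs.
RadixResult extractRadix(bool hasArgument, double argument)
{
    RadixResult result = { RadixStatus::Valid, 10 };
    if (!hasArgument)
        return result;
    int32_t radix = 0;
    if (!safeDoubleToInt32(argument, radix) || radix < 2 || radix > 36) {
        result.status = RadixStatus::RangeError;
        result.radix = 0;
        return result;
    }
    result.radix = radix;
    return result;
}

int main()
{
    // Constructed sample arguments, including values that do not fit int32_t.
    const double samples[] = { 16.0, 36.9, 1.0, 1e300, -2147483648.0, 2147483648.0 };
    for (double sample : samples) {
        RadixResult r = extractRadix(true, sample);
        std::printf("%g -> %s\n", sample,
            r.status == RadixStatus::Valid ? "valid" : "RangeError");
    }
    return 0;
}
```

The point of comparing in double space is that `2147483648.0` is one past `INT32_MAX` and `1e300` is astronomically past it, yet neither can be detected after the cast, because by then the program is already in undefined-behaviour territory; the check must see the double.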
2303
2304 2018-01-12  Saam Barati  <sbarati@apple.com>
2305
2306         Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock
2307         https://bugs.webkit.org/show_bug.cgi?id=181545
2308
2309         Reviewed by Michael Saboff.
2310
2311         This patch follows the theme of putting optimization profiling information on
2312         UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data.
2313         This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock
2314         pulled from the code cache, making better compilation decisions, usually
2315         resulting in fewer exits, and fewer recompilations.
2316         
2317         This is a 1% Speedometer progression in my testing.
2318
2319         * bytecode/BytecodeDumper.cpp:
2320         (JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
2321         * bytecode/CallLinkStatus.cpp:
2322         (JSC::CallLinkStatus::computeFromLLInt):
2323         (JSC::CallLinkStatus::computeFor):
2324         (JSC::CallLinkStatus::computeExitSiteData):
2325         (JSC::CallLinkStatus::computeDFGStatuses):
2326         * bytecode/CallLinkStatus.h:
2327         * bytecode/CodeBlock.h:
2328         (JSC::CodeBlock::addFrequentExitSite): Deleted.
2329         (JSC::CodeBlock::hasExitSite const): Deleted.
2330         (JSC::CodeBlock::exitProfile): Deleted.
2331         * bytecode/DFGExitProfile.cpp:
2332         (JSC::DFG::ExitProfile::add):
2333         (JSC::DFG::QueryableExitProfile::initialize):
2334         * bytecode/DFGExitProfile.h:
2335         (JSC::DFG::ExitProfile::hasExitSite const):
2336         * bytecode/GetByIdStatus.cpp:
2337         (JSC::GetByIdStatus::hasExitSite):
2338         (JSC::GetByIdStatus::computeFor):
2339         (JSC::GetByIdStatus::computeForStubInfo):
2340         * bytecode/GetByIdStatus.h:
2341         * bytecode/PutByIdStatus.cpp:
2342         (JSC::PutByIdStatus::hasExitSite):
2343         (JSC::PutByIdStatus::computeFor):
2344         (JSC::PutByIdStatus::computeForStubInfo):
2345         * bytecode/PutByIdStatus.h:
2346         * bytecode/UnlinkedCodeBlock.cpp:
2347         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
2348         * bytecode/UnlinkedCodeBlock.h:
2349         (JSC::UnlinkedCodeBlock::hasExitSite const):
2350         (JSC::UnlinkedCodeBlock::hasExitSite):
2351         (JSC::UnlinkedCodeBlock::exitProfile):
2352         * dfg/DFGByteCodeParser.cpp:
2353         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2354         * dfg/DFGGraph.h:
2355         (JSC::DFG::Graph::hasGlobalExitSite):
2356         (JSC::DFG::Graph::hasExitSite):
2357         * dfg/DFGLICMPhase.cpp:
2358         (JSC::DFG::LICMPhase::attemptHoist):
2359         * dfg/DFGOSRExitBase.cpp:
2360         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2361
2362 2018-01-12  JF Bastien  <jfbastien@apple.com>
2363
2364         PoisonedWriteBarrier
2365         https://bugs.webkit.org/show_bug.cgi?id=181599
2366         <rdar://problem/36474351>
2367
2368         Reviewed by Mark Lam.
2369
2370         Allow poisoning of WriteBarrier objects, and use this for
2371         WebAssembly because it is perf-neutral, at least on WasmBench on
2372         my MBP. If it indeed is perf-neutral according to the bots, start
2373         using it in more performance-sensitive places.
2374
2375         * heap/HandleTypes.h:
2376         * heap/SlotVisitor.h:
2377         * heap/SlotVisitorInlines.h:
2378         (JSC::SlotVisitor::append):
2379         (JSC::SlotVisitor::appendHidden):
2380         * runtime/JSCJSValue.h:
2381         * runtime/JSCPoison.h:
2382         * runtime/Structure.h:
2383         * runtime/StructureInlines.h:
2384         (JSC::Structure::setPrototypeWithoutTransition):
2385         (JSC::Structure::setGlobalObject):
2386         (JSC::Structure::setPreviousID):
2387         * runtime/WriteBarrier.h:
2388         (JSC::WriteBarrierBase::copyFrom):
2389         (JSC::WriteBarrierBase::get const):
2390         (JSC::WriteBarrierBase::operator* const):
2391         (JSC::WriteBarrierBase::operator-> const):
2392         (JSC::WriteBarrierBase::clear):
2393         (JSC::WriteBarrierBase::slot):
2394         (JSC::WriteBarrierBase::operator bool const):
2395         (JSC::WriteBarrierBase::setWithoutWriteBarrier):
2396         (JSC::WriteBarrierBase::unvalidatedGet const):
2397         (JSC::operator==):
2398         * runtime/WriteBarrierInlines.h:
2399         (JSC::Traits>::set):
2400         (JSC::Traits>::setMayBeNull):
2401         (JSC::Traits>::setEarlyValue):
2402         (JSC::DumbValueTraits<Unknown>>::set):
2403         * wasm/WasmInstance.h:
2404         * wasm/js/JSWebAssemblyInstance.cpp:
2405         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
2406         (JSC::JSWebAssemblyInstance::finishCreation):
2407         (JSC::JSWebAssemblyInstance::visitChildren):
2408         (JSC::JSWebAssemblyInstance::create):
2409         * wasm/js/JSWebAssemblyInstance.h:
2410         (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee):
2411         * wasm/js/JSWebAssemblyMemory.h:
2412         * wasm/js/JSWebAssemblyModule.h:
2413         * wasm/js/JSWebAssemblyTable.cpp:
2414         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
2415         (JSC::JSWebAssemblyTable::grow):
2416         (JSC::JSWebAssemblyTable::clearFunction):
2417         * wasm/js/JSWebAssemblyTable.h:
2418         * wasm/js/WasmToJS.cpp:
2419         (JSC::Wasm::materializeImportJSCell):
2420         (JSC::Wasm::handleBadI64Use):
2421         (JSC::Wasm::wasmToJS):
2422         * wasm/js/WebAssemblyFunctionBase.h:
2423         * wasm/js/WebAssemblyModuleRecord.cpp:
2424         (JSC::WebAssemblyModuleRecord::link):
2425         (JSC::WebAssemblyModuleRecord::evaluate):
2426         * wasm/js/WebAssemblyModuleRecord.h:
2427         * wasm/js/WebAssemblyToJSCallee.h:
2428         * wasm/js/WebAssemblyWrapperFunction.h:
2429
2430 2018-01-12  Saam Barati  <sbarati@apple.com>
2431
2432         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
2433         https://bugs.webkit.org/show_bug.cgi?id=181177
2434         <rdar://problem/36205704>
2435
2436         Reviewed by Yusuke Suzuki.
2437
2438         The semantics of CheckStructure are such that it does not allow the empty value to flow through it.
2439         However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't
2440         have semantic consequences when validation is turned off. However, with validation on, this trips up
2441         our OSR exit machinery that says when an exit is allowed to happen.
2442         
2443         Consider the following IR:
2444         
2445         a: GetClosureVar // Or any other node that produces BytecodeTop
2446         ...
2447         c: CheckStructure(Cell:@a, {s2})
2448         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2449         
2450         In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this:
2451         a: GetClosureVar
2452         e: CheckStructureOrEmpty(@a, {s1})
2453         ...
2454         f: CheckStructureOrEmpty(@a, {s2})
2455         c: CheckStructure(Cell:@a, {s2})
2456         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2457         
2458         This will cause constant folding to change the IR to:
2459         a: GetClosureVar
2460         e: CheckStructureOrEmpty(@a, {s1})
2461         ...
2462         f: CheckStructureOrEmpty(@a, {s2})
2463         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2464         
2465         Our mayExit analysis determines that the PutByOffset should not exit. Note
2466         that AI will determine the only value the PutByOffset can see in @a is 
2467         the empty value. Because KnownCell filters SpecCell and not SpecCellCheck,
2468         when lowering the PutByOffset, we reach a contradiction in AI and emit
2469         an OSR exit. However, because mayExit said we couldn't exit, we assert.
2470         
2471         Note that if we did not run the TypeCheckHoistingPhase on this IR, AI
2472         would have determined we would OSR exit at the second CheckStructure.
2473         
2474         This patch makes it so constant folding produces the following IR:
2475         a: GetClosureVar
2476         e: CheckStructureOrEmpty(@a, {s1})
2477         g: AssertNotEmpty(@a)
2478         ...
2479         f: CheckStructureOrEmpty(@a, {s2})
2480         h: AssertNotEmpty(@a)
2481         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2482         
2483         This modification will cause AI to know we will OSR exit before even reaching
2484         the PutByOffset. Note that in the original IR, the GetClosureVar won't
2485         actually produce the TDZ value. If it did, bytecode would have caused us
2486         to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's
2487         why this bug is about IR bookkeeping and not an actual error in IR analysis.
2488         This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be
2489         more congruous with CheckStructure's semantics of crashing on the empty value
2490         as input (on 64 bit platforms).
2491
2492         * dfg/DFGAbstractInterpreterInlines.h:
2493         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2494         * dfg/DFGClobberize.h:
2495         (JSC::DFG::clobberize):
2496         * dfg/DFGConstantFoldingPhase.cpp:
2497         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2498         * dfg/DFGDoesGC.cpp:
2499         (JSC::DFG::doesGC):
2500         * dfg/DFGFixupPhase.cpp:
2501         (JSC::DFG::FixupPhase::fixupNode):
2502         * dfg/DFGNodeType.h:
2503         * dfg/DFGPredictionPropagationPhase.cpp:
2504         * dfg/DFGSafeToExecute.h:
2505         (JSC::DFG::safeToExecute):
2506         * dfg/DFGSpeculativeJIT32_64.cpp:
2507         (JSC::DFG::SpeculativeJIT::compile):
2508         * dfg/DFGSpeculativeJIT64.cpp:
2509         (JSC::DFG::SpeculativeJIT::compile):
2510         * ftl/FTLCapabilities.cpp:
2511         (JSC::FTL::canCompile):
2512         * ftl/FTLLowerDFGToB3.cpp:
2513         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2514         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2515
2516 2018-01-12  Joseph Pecoraro  <pecoraro@apple.com>
2517
2518         Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent
2519         https://bugs.webkit.org/show_bug.cgi?id=181579
2520         <rdar://problem/36193759>
2521
2522         Reviewed by Brian Burg.
2523
2524         * inspector/agents/InspectorConsoleAgent.h:
2525         * inspector/agents/InspectorConsoleAgent.cpp:
2526         (Inspector::InspectorConsoleAgent::clearMessages):
2527         (Inspector::InspectorConsoleAgent::addConsoleMessage):
2528         Switch from a raw pointer to m_consoleMessages.last().
2529         Also move the expiration check into the if block since it can only
2530         happen inside here when the number of console messages changes.
2531
2532         (Inspector::InspectorConsoleAgent::discardValues):
2533         Also clear the expired message count when messages are cleared.
2534
2535 2018-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2536
2537         [JSC] Create parallel SlotVisitors apriori
2538         https://bugs.webkit.org/show_bug.cgi?id=180907
2539
2540         Reviewed by Saam Barati.
2541
2542         The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
2543         If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically.
2544         Then we do not need to grab locks while iterating all the SlotVisitors.
2545
2546         In addition, we do not need to consider the case that the number of SlotVisitors increases
2547         after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
2548         does not increase any more.
2549
2550         * heap/Heap.cpp:
2551         (JSC::Heap::Heap):
2552         (JSC::Heap::runBeginPhase):
2553         * heap/Heap.h:
2554         * heap/HeapInlines.h:
2555         (JSC::Heap::forEachSlotVisitor):
2556         (JSC::Heap::numberOfSlotVisitors): Deleted.
2557         * heap/MarkingConstraintSolver.cpp:
2558         (JSC::MarkingConstraintSolver::didVisitSomething const):
2559
2560 2018-01-12  Saam Barati  <sbarati@apple.com>
2561
2562         Each variant of a polymorphic inlined call should be exitOK at the top of the block
2563         https://bugs.webkit.org/show_bug.cgi?id=181562
2564         <rdar://problem/36445624>
2565
2566         Reviewed by Yusuke Suzuki.
2567
2568         Before this patch, the very first block in the switch for polymorphic call
2569         inlining will have exitOK at the top. The others are not guaranteed to.
2570         That was just a bug. They're all exitOK at the top. This will lead to crashes
2571         in FixupPhase because we won't have a node in a block that has ExitOK, so
2572         when we fixup various type checks, we assert out.
2573
2574         * dfg/DFGByteCodeParser.cpp:
2575         (JSC::DFG::ByteCodeParser::handleInlining):
2576
2577 2018-01-11  Keith Miller  <keith_miller@apple.com>
2578
2579         Rename ENABLE_ASYNC_ITERATION to ENABLE_JS_ASYNC_ITERATION
2580         https://bugs.webkit.org/show_bug.cgi?id=181573
2581
2582         Reviewed by Simon Fraser.
2583
2584         * Configurations/FeatureDefines.xcconfig:
2585         * runtime/Options.h:
2586
2587 2018-01-11  Michael Saboff  <msaboff@apple.com>
2588
2589         REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters
2590         https://bugs.webkit.org/show_bug.cgi?id=181570
2591
2592         Reviewed by Keith Miller.
2593
2594         * assembler/MacroAssemblerARM64.h:
2595         (JSC::MacroAssemblerARM64::abortWithReason):
2596         Reverting these functions to use dataTempRegister and memoryTempRegister as they are
2597         JIT release asserts that will crash the program.
2598
2599         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
2600         Changed this so that it invalidates any cached dataTmpRegister contents if temp register
2601         caching is enabled.
2602
2603 2018-01-11  Filip Pizlo  <fpizlo@apple.com>
2604
2605         Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes
2606         https://bugs.webkit.org/show_bug.cgi?id=181543
2607
2608         Rubber stamped by Michael Saboff.
2609         
2610         In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't
2611         really have anything to do with allocation anymore. The allocation will be done by something
2612         in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a
2613         place to find blocks (a "block directory").
2614
2615         Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the
2616         attributes of the HeapCellType. So let's call them CellAttributes.
2617
2618         * JavaScriptCore.xcodeproj/project.pbxproj:
2619         * Sources.txt:
2620         * bytecode/AccessCase.cpp:
2621         (JSC::AccessCase::generateImpl):
2622         * bytecode/ObjectAllocationProfile.h:
2623         * bytecode/ObjectAllocationProfileInlines.h:
2624         (JSC::ObjectAllocationProfile::initializeProfile):
2625         * dfg/DFGSpeculativeJIT.cpp:
2626         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2627         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2628         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2629         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2630         (JSC::DFG::SpeculativeJIT::compileNewObject):
2631         * dfg/DFGSpeculativeJIT.h:
2632         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2633         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2634         * ftl/FTLAbstractHeapRepository.h:
2635         * ftl/FTLLowerDFGToB3.cpp:
2636         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2637         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2638         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2639         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2640         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2641         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2642         * heap/AlignedMemoryAllocator.cpp:
2643         (JSC::AlignedMemoryAllocator::registerDirectory):
2644         (JSC::AlignedMemoryAllocator::registerAllocator): Deleted.
2645         * heap/AlignedMemoryAllocator.h:
2646         (JSC::AlignedMemoryAllocator::firstDirectory const):
2647         (JSC::AlignedMemoryAllocator::firstAllocator const): Deleted.
2648         * heap/AllocatorAttributes.cpp: Removed.
2649         * heap/AllocatorAttributes.h: Removed.
2650         * heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp.
2651         (JSC::BlockDirectory::BlockDirectory):
2652         (JSC::BlockDirectory::setSubspace):
2653         (JSC::BlockDirectory::isPagedOut):
2654         (JSC::BlockDirectory::findEmptyBlockToSteal):
2655         (JSC::BlockDirectory::didConsumeFreeList):
2656         (JSC::BlockDirectory::tryAllocateWithoutCollecting):
2657         (JSC::BlockDirectory::allocateIn):
2658         (JSC::BlockDirectory::tryAllocateIn):
2659         (JSC::BlockDirectory::doTestCollectionsIfNeeded):
2660         (JSC::BlockDirectory::allocateSlowCase):
2661         (JSC::BlockDirectory::blockSizeForBytes):
2662         (JSC::BlockDirectory::tryAllocateBlock):
2663         (JSC::BlockDirectory::addBlock):
2664         (JSC::BlockDirectory::removeBlock):
2665         (JSC::BlockDirectory::stopAllocating):
2666         (JSC::BlockDirectory::prepareForAllocation):
2667         (JSC::BlockDirectory::lastChanceToFinalize):
2668         (JSC::BlockDirectory::resumeAllocating):
2669         (JSC::BlockDirectory::beginMarkingForFullCollection):
2670         (JSC::BlockDirectory::endMarking):
2671         (JSC::BlockDirectory::snapshotUnsweptForEdenCollection):
2672         (JSC::BlockDirectory::snapshotUnsweptForFullCollection):
2673         (JSC::BlockDirectory::findBlockToSweep):
2674         (JSC::BlockDirectory::sweep):
2675         (JSC::BlockDirectory::shrink):
2676         (JSC::BlockDirectory::assertNoUnswept):
2677         (JSC::BlockDirectory::parallelNotEmptyBlockSource):
2678         (JSC::BlockDirectory::dump const):
2679         (JSC::BlockDirectory::dumpBits):
2680         (JSC::BlockDirectory::markedSpace const):
2681         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
2682         (JSC::MarkedAllocator::setSubspace): Deleted.
2683         (JSC::MarkedAllocator::isPagedOut): Deleted.
2684         (JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted.
2685         (JSC::MarkedAllocator::didConsumeFreeList): Deleted.
2686         (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
2687         (JSC::MarkedAllocator::allocateIn): Deleted.
2688         (JSC::MarkedAllocator::tryAllocateIn): Deleted.
2689         (JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted.
2690         (JSC::MarkedAllocator::allocateSlowCase): Deleted.
2691         (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
2692         (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
2693         (JSC::MarkedAllocator::addBlock): Deleted.
2694         (JSC::MarkedAllocator::removeBlock): Deleted.
2695         (JSC::MarkedAllocator::stopAllocating): Deleted.
2696         (JSC::MarkedAllocator::prepareForAllocation): Deleted.
2697         (JSC::MarkedAllocator::lastChanceToFinalize): Deleted.
2698         (JSC::MarkedAllocator::resumeAllocating): Deleted.
2699         (JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted.
2700         (JSC::MarkedAllocator::endMarking): Deleted.
2701         (JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted.
2702         (JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted.
2703         (JSC::MarkedAllocator::findBlockToSweep): Deleted.
2704         (JSC::MarkedAllocator::sweep): Deleted.
2705         (JSC::MarkedAllocator::shrink): Deleted.
2706         (JSC::MarkedAllocator::assertNoUnswept): Deleted.
2707         (JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted.
2708         (JSC::MarkedAllocator::dump const): Deleted.
2709         (JSC::MarkedAllocator::dumpBits): Deleted.
2710         (JSC::MarkedAllocator::markedSpace const): Deleted.
2711         * heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h.
2712         (JSC::BlockDirectory::attributes const):
2713         (JSC::BlockDirectory::forEachBitVector):
2714         (JSC::BlockDirectory::forEachBitVectorWithName):
2715         (JSC::BlockDirectory::nextDirectory const):
2716         (JSC::BlockDirectory::nextDirectoryInSubspace const):
2717         (JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const):
2718         (JSC::BlockDirectory::setNextDirectory):
2719         (JSC::BlockDirectory::setNextDirectoryInSubspace):
2720         (JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator):
2721         (JSC::BlockDirectory::offsetOfFreeList):
2722         (JSC::BlockDirectory::offsetOfCellSize):
2723         (JSC::MarkedAllocator::cellSize const): Deleted.
2724         (JSC::MarkedAllocator::attributes const): Deleted.
2725         (JSC::MarkedAllocator::needsDestruction const): Deleted.
2726         (JSC::MarkedAllocator::destruction const): Deleted.
2727         (JSC::MarkedAllocator::cellKind const): Deleted.
2728         (JSC::MarkedAllocator::heap): Deleted.
2729         (JSC::MarkedAllocator::bitvectorLock): Deleted.
2730         (JSC::MarkedAllocator::forEachBitVector): Deleted.
2731         (JSC::MarkedAllocator::forEachBitVectorWithName): Deleted.
2732         (JSC::MarkedAllocator::nextAllocator const): Deleted.
2733         (JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted.
2734         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted.
2735         (JSC::MarkedAllocator::setNextAllocator): Deleted.
2736         (JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted.
2737         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted.
2738         (JSC::MarkedAllocator::subspace const): Deleted.
2739         (JSC::MarkedAllocator::freeList const): Deleted.
2740         (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
2741         (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
2742         * heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h.
2743         (JSC::BlockDirectory::isFreeListedCell const):
2744         (JSC::BlockDirectory::allocate):
2745         (JSC::BlockDirectory::forEachBlock):
2746         (JSC::BlockDirectory::forEachNotEmptyBlock):
2747         (JSC::MarkedAllocator::isFreeListedCell const): Deleted.
2748         (JSC::MarkedAllocator::allocate): Deleted.
2749         (JSC::MarkedAllocator::forEachBlock): Deleted.
2750         (JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted.
2751         * heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp.
2752         (JSC::CellAttributes::dump const):
2753         (JSC::AllocatorAttributes::dump const): Deleted.
2754         * heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h.
2755         (JSC::CellAttributes::CellAttributes):
2756         (JSC::AllocatorAttributes::AllocatorAttributes): Deleted.
2757         * heap/CompleteSubspace.cpp:
2758         (JSC::CompleteSubspace::allocatorFor):
2759         (JSC::CompleteSubspace::allocateNonVirtual):
2760         (JSC::CompleteSubspace::allocatorForSlow):
2761         (JSC::CompleteSubspace::tryAllocateSlow):
2762         * heap/CompleteSubspace.h:
2763         (JSC::CompleteSubspace::allocatorForSizeStep):
2764         (JSC::CompleteSubspace::allocatorForNonVirtual):
2765         * heap/GCDeferralContext.h:
2766         * heap/Heap.cpp:
2767         (JSC::Heap::updateAllocationLimits):
2768         * heap/Heap.h:
2769         * heap/HeapCell.h:
2770         * heap/HeapCellInlines.h:
2771         (JSC::HeapCell::cellAttributes const):
2772         (JSC::HeapCell::destructionMode const):
2773         (JSC::HeapCell::cellKind const):
2774         (JSC::HeapCell::allocatorAttributes const): Deleted.
2775         * heap/HeapCellType.cpp:
2776         (JSC::HeapCellType::HeapCellType):
2777         * heap/HeapCellType.h:
2778         (JSC::HeapCellType::attributes const):
2779         * heap/IncrementalSweeper.cpp:
2780         (JSC::IncrementalSweeper::IncrementalSweeper):
2781         (JSC::IncrementalSweeper::sweepNextBlock):
2782         (JSC::IncrementalSweeper::startSweeping):
2783         (JSC::IncrementalSweeper::stopSweeping):
2784         * heap/IncrementalSweeper.h:
2785         * heap/IsoCellSet.cpp:
2786         (JSC::IsoCellSet::IsoCellSet):
2787         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
2788         (JSC::IsoCellSet::addSlow):
2789         (JSC::IsoCellSet::didRemoveBlock):
2790         (JSC::IsoCellSet::sweepToFreeList):
2791         * heap/IsoCellSetInlines.h:
2792         (JSC::IsoCellSet::forEachMarkedCell):
2793         (JSC::IsoCellSet::forEachLiveCell):
2794         * heap/IsoSubspace.cpp:
2795         (JSC::IsoSubspace::IsoSubspace):
2796         (JSC::IsoSubspace::allocatorFor):
2797         (JSC::IsoSubspace::allocateNonVirtual):
2798         * heap/IsoSubspace.h:
2799         (JSC::IsoSubspace::allocatorForNonVirtual):
2800         * heap/LargeAllocation.h:
2801         (JSC::LargeAllocation::attributes const):
2802         * heap/MarkedAllocator.cpp: Removed.
2803         * heap/MarkedAllocator.h: Removed.
2804         * heap/MarkedAllocatorInlines.h: Removed.
2805         * heap/MarkedBlock.cpp:
2806         (JSC::MarkedBlock::Handle::~Handle):
2807         (JSC::MarkedBlock::Handle::setIsFreeListed):
2808         (JSC::MarkedBlock::Handle::stopAllocating):
2809         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2810         (JSC::MarkedBlock::Handle::resumeAllocating):
2811         (JSC::MarkedBlock::aboutToMarkSlow):
2812         (JSC::MarkedBlock::Handle::didConsumeFreeList):
2813         (JSC::MarkedBlock::noteMarkedSlow):
2814         (JSC::MarkedBlock::Handle::removeFromDirectory):
2815         (JSC::MarkedBlock::Handle::didAddToDirectory):
2816         (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
2817         (JSC::MarkedBlock::Handle::dumpState):
2818         (JSC::MarkedBlock::Handle::subspace const):
2819         (JSC::MarkedBlock::Handle::sweep):
2820         (JSC::MarkedBlock::Handle::isFreeListedCell const):
2821         (JSC::MarkedBlock::Handle::removeFromAllocator): Deleted.
2822         (JSC::MarkedBlock::Handle::didAddToAllocator): Deleted.
2823         (JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted.
2824         * heap/MarkedBlock.h:
2825         (JSC::MarkedBlock::Handle::directory const):
2826         (JSC::MarkedBlock::Handle::attributes const):
2827         (JSC::MarkedBlock::attributes const):
2828         (JSC::MarkedBlock::Handle::allocator const): Deleted.
2829         * heap/MarkedBlockInlines.h:
2830         (JSC::MarkedBlock::Handle::isAllocated):
2831         (JSC::MarkedBlock::Handle::isLive):
2832         (JSC::MarkedBlock::Handle::specializedSweep):
2833         (JSC::MarkedBlock::Handle::isEmpty):
2834         * heap/MarkedSpace.cpp:
2835         (JSC::MarkedSpace::lastChanceToFinalize):
2836         (JSC::MarkedSpace::sweep):
2837         (JSC::MarkedSpace::stopAllocating):
2838         (JSC::MarkedSpace::resumeAllocating):
2839         (JSC::MarkedSpace::isPagedOut):
2840         (JSC::MarkedSpace::freeBlock):
2841         (JSC::MarkedSpace::shrink):
2842         (JSC::MarkedSpace::beginMarking):
2843         (JSC::MarkedSpace::endMarking):
2844         (JSC::MarkedSpace::snapshotUnswept):
2845         (JSC::MarkedSpace::assertNoUnswept):
2846         (JSC::MarkedSpace::dumpBits):
2847         (JSC::MarkedSpace::addBlockDirectory):
2848         (JSC::MarkedSpace::addMarkedAllocator): Deleted.
2849         * heap/MarkedSpace.h:
2850         (JSC::MarkedSpace::firstDirectory const):
2851         (JSC::MarkedSpace::directoryLock):
2852         (JSC::MarkedSpace::forEachBlock):
2853         (JSC::MarkedSpace::forEachDirectory):
2854         (JSC::MarkedSpace::firstAllocator const): Deleted.
2855         (JSC::MarkedSpace::allocatorLock): Deleted.
2856         (JSC::MarkedSpace::forEachAllocator): Deleted.
2857         * heap/MarkedSpaceInlines.h:
2858         * heap/Subspace.cpp:
2859         (JSC::Subspace::initialize):
2860         (JSC::Subspace::prepareForAllocation):
2861         (JSC::Subspace::findEmptyBlockToSteal):
2862         (JSC::Subspace::parallelDirectorySource):
2863         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
2864         (JSC::Subspace::sweep):
2865         (JSC::Subspace::parallelAllocatorSource): Deleted.
2866         * heap/Subspace.h:
2867         (JSC::Subspace::attributes const):
2868         (JSC::Subspace::didCreateFirstDirectory):
2869         (JSC::Subspace::didCreateFirstAllocator): Deleted.
2870         * heap/SubspaceInlines.h:
2871         (JSC::Subspace::forEachDirectory):
2872         (JSC::Subspace::forEachMarkedBlock):
2873         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2874         (JSC::Subspace::forEachAllocator): Deleted.
2875         * jit/AssemblyHelpers.h:
2876         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2877         (JSC::AssemblyHelpers::emitAllocate):
2878         (JSC::AssemblyHelpers::emitAllocateJSCell):
2879         (JSC::AssemblyHelpers::emitAllocateJSObject):
2880         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2881         * jit/JIT.h:
2882         * jit/JITOpcodes.cpp:
2883         (JSC::JIT::emit_op_new_object):
2884         * jit/JITOpcodes32_64.cpp:
2885         (JSC::JIT::emit_op_new_object):
2886         * runtime/JSDestructibleObjectHeapCellType.cpp:
2887         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
2888         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
2889         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
2890         * runtime/JSStringHeapCellType.cpp:
2891         (JSC::JSStringHeapCellType::JSStringHeapCellType):
2892         * runtime/VM.cpp:
2893         (JSC::VM::VM):
2894         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
2895         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2896
2897 2018-01-11  Saam Barati  <sbarati@apple.com>
2898
2899         When inserting Unreachable in byte code parser we need to flush all the right things
2900         https://bugs.webkit.org/show_bug.cgi?id=181509
2901         <rdar://problem/36423110>
2902
2903         Reviewed by Mark Lam.
2904
2905         I added code in r226655 that had its own mechanism for preserving liveness when
2906         inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
2907         liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
2908         I got some of these values wrong, which was leading to a crash when recovering the
2909         callee value from an inlined frame. Instead of making the same mistake and repeating
2910         similar code again, this patch refactors this logic to be shared with the other
2911         liveness preservation code in the DFG bytecode parser. This is what I should have
2912         done in my initial patch.
2913
2914         * bytecode/InlineCallFrame.h:
2915         (JSC::remapOperand):
2916         * dfg/DFGByteCodeParser.cpp:
2917         (JSC::DFG::flushImpl):
2918         (JSC::DFG::flushForTerminalImpl):
2919         (JSC::DFG::ByteCodeParser::flush):
2920         (JSC::DFG::ByteCodeParser::flushForTerminal):
2921         (JSC::DFG::ByteCodeParser::parse):
2922
2923 2018-01-11  Saam Barati  <sbarati@apple.com>
2924
2925         JITMathIC code in the FTL is wrong when code gets duplicated
2926         https://bugs.webkit.org/show_bug.cgi?id=181525
2927         <rdar://problem/36351993>
2928
2929         Reviewed by Michael Saboff and Keith Miller.
2930
2931         B3/Air may duplicate code for various reasons. Patchpoint generators inside
2932         FTLLower must be aware that they can be called multiple times because of this.
2933         The patchpoint for math ICs was not aware of this, and shared state amongst
2934         all invocations of the patchpoint's generator. This patch fixes this bug so
2935         that each invocation of the patchpoint's generator gets a unique math IC.
2936
2937         * bytecode/CodeBlock.h:
2938         (JSC::CodeBlock::addMathIC):
2939         * ftl/FTLLowerDFGToB3.cpp:
2940         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2941         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
2942         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
2943         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2944         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
2945         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2946         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
2947         * jit/JITMathIC.h:
2948         (JSC::isProfileEmpty):
2949
2950 2018-01-11  Michael Saboff  <msaboff@apple.com>
2951
2952         Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister
2953         https://bugs.webkit.org/show_bug.cgi?id=181512
2954
2955         Reviewed by Saam Barati.
2956
2957         * assembler/MacroAssemblerARM64.h:
2958         (JSC::MacroAssemblerARM64::abortWithReason):
2959         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
2960         All current uses of dataTempRegister in these functions are safe, but it makes sense to
2961         fix them in case they might be used elsewhere.
2962
2963 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
2964
2965         CodeBlocks should be in IsoSubspaces
2966         https://bugs.webkit.org/show_bug.cgi?id=180884
2967
2968         Reviewed by Saam Barati.
2969         
2970         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
2971         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
2972         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
2973         
2974         - Code block sweeping is now just eager sweeping. This means that it automatically takes
2975           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
2976           its eden set for.
2977         
2978         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
2979           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
2980           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
2981           longer has to clear the set of weakly visited code blocks. This also means that
2982           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
2983           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
2984           has IsoCellSets to tell us which edges have output constraints (what we used to call
2985           CodeBlock's weak reference harvester) and which have unconditional finalizers.
2986         
2987         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
2988         
2989         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
2990           handle requests from the sampler, debugger, and other facilities. They may want to ask
2991           if some pointer corresponds to a CodeBlock during stages of execution during which the
2992           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
2993           There is no way that the GC's isLive could tell us whether a CodeBlock that had already been
2994           allocated has now been fully constructed.
2995         
2996         Rolling this back in because it was rolled out by mistake. There was a flaky crash that was
2997         happening before and after this change, but we misread the revision numbers at first and
2998         thought that this was the cause.
2999         
3000         * JavaScriptCore.xcodeproj/project.pbxproj:
3001         * Sources.txt:
3002         * bytecode/CodeBlock.cpp:
3003         (JSC::CodeBlock::CodeBlock):
3004         (JSC::CodeBlock::finishCreation):
3005         (JSC::CodeBlock::finishCreationCommon):
3006         (JSC::CodeBlock::~CodeBlock):
3007         (JSC::CodeBlock::visitChildren):
3008         (JSC::CodeBlock::propagateTransitions):
3009         (JSC::CodeBlock::determineLiveness):
3010         (JSC::CodeBlock::finalizeUnconditionally):
3011         (JSC::CodeBlock::stronglyVisitStrongReferences):
3012         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
3013         (JSC::CodeBlock::installVMTrapBreakpoints):
3014         (JSC::CodeBlock::dumpMathICStats):
3015         (JSC::CodeBlock::visitWeakly): Deleted.
3016         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
3017         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
3018         * bytecode/CodeBlock.h:
3019         (JSC::CodeBlock::subspaceFor):
3020         (JSC::CodeBlock::ownerEdge const):
3021         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
3022         * bytecode/EvalCodeBlock.h:
3023         (JSC::EvalCodeBlock::create): Deleted.
3024         (JSC::EvalCodeBlock::createStructure): Deleted.
3025         (JSC::EvalCodeBlock::variable): Deleted.
3026         (JSC::EvalCodeBlock::numVariables): Deleted.
3027         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
3028         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
3029         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
3030         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
3031         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
3032         (JSC::ExecutableToCodeBlockEdge::createStructure):
3033         (JSC::ExecutableToCodeBlockEdge::create):
3034         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3035         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
3036         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
3037         (JSC::ExecutableToCodeBlockEdge::activate):
3038         (JSC::ExecutableToCodeBlockEdge::deactivate):
3039         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
3040         (JSC::ExecutableToCodeBlockEdge::wrap):
3041         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
3042         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
3043         (JSC::ExecutableToCodeBlockEdge::runConstraint):
3044         * bytecode/ExecutableToCodeBlockEdge.h: Added.
3045         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
3046         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
3047         (JSC::ExecutableToCodeBlockEdge::unwrap):
3048         * bytecode/FunctionCodeBlock.h:
3049         (JSC::FunctionCodeBlock::subspaceFor):
3050         (JSC::FunctionCodeBlock::createStructure):
3051         * bytecode/ModuleProgramCodeBlock.h:
3052         (JSC::ModuleProgramCodeBlock::create): Deleted.
3053         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
3054         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
3055         * bytecode/ProgramCodeBlock.h:
3056         (JSC::ProgramCodeBlock::create): Deleted.
3057         (JSC::ProgramCodeBlock::createStructure): Deleted.
3058         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
3059         * debugger/Debugger.cpp:
3060         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
3061         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
3062         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
3063         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
3064         * heap/CodeBlockSet.cpp:
3065         (JSC::CodeBlockSet::contains):
3066         (JSC::CodeBlockSet::dump const):
3067         (JSC::CodeBlockSet::add):
3068         (JSC::CodeBlockSet::remove):
3069         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
3070         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
3071         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
3072         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
3073         * heap/CodeBlockSet.h:
3074         * heap/CodeBlockSetInlines.h:
3075         (JSC::CodeBlockSet::iterate):
3076         (JSC::CodeBlockSet::iterateViaSubspaces):
3077         * heap/ConservativeRoots.cpp:
3078         (JSC::ConservativeRoots::genericAddPointer):
3079         (JSC::DummyMarkHook::markKnownJSCell):
3080         (JSC::CompositeMarkHook::mark):
3081         (JSC::CompositeMarkHook::markKnownJSCell):
3082         * heap/ConservativeRoots.h:
3083         * heap/Heap.cpp:
3084         (JSC::Heap::lastChanceToFinalize):
3085         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
3086         (JSC::Heap::finalizeUnconditionalFinalizers):
3087         (JSC::Heap::beginMarking):
3088         (JSC::Heap::deleteUnmarkedCompiledCode):
3089         (JSC::Heap::sweepInFinalize):
3090         (JSC::Heap::forEachCodeBlockImpl):
3091         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
3092         (JSC::Heap::addCoreConstraints):
3093         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
3094         * heap/Heap.h:
3095         * heap/HeapCell.h:
3096         * heap/HeapCellInlines.h:
3097         (JSC::HeapCell::subspace const):
3098         * heap/HeapInlines.h:
3099         (JSC::Heap::forEachCodeBlock):
3100         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
3101         * heap/HeapUtil.h:
3102         (JSC::HeapUtil::findGCObjectPointersForMarking):
3103         * heap/IsoCellSet.cpp:
3104         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
3105         * heap/IsoCellSet.h:
3106         * heap/IsoCellSetInlines.h:
3107         (JSC::IsoCellSet::forEachMarkedCellInParallel):
3108         (JSC::IsoCellSet::forEachLiveCell):
3109         * heap/LargeAllocation.h:
3110         (JSC::LargeAllocation::subspace const):
3111         * heap/MarkStackMergingConstraint.cpp:
3112         (JSC::MarkStackMergingConstraint::executeImpl):
3113         * heap/MarkStackMergingConstraint.h:
3114         * heap/MarkedAllocator.cpp:
3115         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
3116         * heap/MarkedBlock.cpp:
3117         (JSC::MarkedBlock::Handle::didAddToAllocator):
3118         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
3119         * heap/MarkedBlock.h:
3120         (JSC::MarkedBlock::subspace const):
3121         * heap/MarkedBlockInlines.h:
3122         (JSC::MarkedBlock::Handle::forEachLiveCell):
3123         * heap/MarkedSpaceInlines.h:
3124         (JSC::MarkedSpace::forEachLiveCell):
3125         * heap/MarkingConstraint.cpp:
3126         (JSC::MarkingConstraint::execute):
3127         (JSC::MarkingConstraint::doParallelWork):
3128         (JSC::MarkingConstraint::finishParallelWork): Deleted.
3129         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
3130         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
3131         * heap/MarkingConstraint.h:
3132         * heap/MarkingConstraintSet.cpp:
3133         (JSC::MarkingConstraintSet::add):
3134         * heap/MarkingConstraintSet.h:
3135         (JSC::MarkingConstraintSet::add):
3136         * heap/MarkingConstraintSolver.cpp:
3137         (JSC::MarkingConstraintSolver::execute):
3138         (JSC::MarkingConstraintSolver::addParallelTask):
3139         (JSC::MarkingConstraintSolver::runExecutionThread):
3140         (JSC::MarkingConstraintSolver::didExecute): Deleted.
3141         * heap/MarkingConstraintSolver.h:
3142         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
3143         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
3144         * heap/SimpleMarkingConstraint.cpp:
3145         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3146         (JSC::SimpleMarkingConstraint::executeImpl):
3147         * heap/SimpleMarkingConstraint.h:
3148         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3149         * heap/SlotVisitor.cpp:
3150         (JSC::SlotVisitor::addParallelConstraintTask):
3151         * heap/SlotVisitor.h:
3152         * heap/Subspace.cpp:
3153         (JSC::Subspace::sweep):
3154         * heap/Subspace.h:
3155         * heap/SubspaceInlines.h:
3156         (JSC::Subspace::forEachLiveCell):
3157         * llint/LowLevelInterpreter.asm:
3158         * runtime/EvalExecutable.cpp:
3159         (JSC::EvalExecutable::visitChildren):
3160         * runtime/EvalExecutable.h:
3161         (JSC::EvalExecutable::codeBlock):
3162         * runtime/FunctionExecutable.cpp:
3163         (JSC::FunctionExecutable::baselineCodeBlockFor):
3164         (JSC::FunctionExecutable::visitChildren):
3165         * runtime/FunctionExecutable.h:
3166         * runtime/JSType.h:
3167         * runtime/ModuleProgramExecutable.cpp:
3168         (JSC::ModuleProgramExecutable::visitChildren):
3169         * runtime/ModuleProgramExecutable.h:
3170         * runtime/ProgramExecutable.cpp:
3171         (JSC::ProgramExecutable::visitChildren):
3172         * runtime/ProgramExecutable.h:
3173         * runtime/ScriptExecutable.cpp:
3174         (JSC::ScriptExecutable::installCode):
3175         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
3176         * runtime/VM.cpp:
3177         (JSC::VM::VM):
3178         * runtime/VM.h:
3179         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
3180         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
3181         (JSC::VM::forEachCodeBlockSpace):
3182         * runtime/VMTraps.cpp:
3183         (JSC::VMTraps::handleTraps):
3184         * tools/VMInspector.cpp:
3185         (JSC::VMInspector::codeBlockForMachinePC):
3186         (JSC::VMInspector::isValidCodeBlock):
3187
3188 2018-01-11  Michael Saboff  <msaboff@apple.com>
3189
3190         Add a DOM gadget for Spectre testing
3191         https://bugs.webkit.org/show_bug.cgi?id=181351
3192
3193         Reviewed by Ryosuke Niwa.
3194
3195         * runtime/Options.h:
3196
3197 2018-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3198
3199         [DFG][FTL] regExpMatchFast should be handled
3200         https://bugs.webkit.org/show_bug.cgi?id=180988
3201
3202         Reviewed by Mark Lam.
3203
3204         RegExp.prototype.@@match has a fast path, @regExpMatchFast. This patch annotates this function
3205         with RegExpMatchFastIntrinsic, and introduces RegExpMatch DFG node. This paves the way to
3206         make NewRegexp PhantomNewRegexp if it is not used except for setting/getting its lastIndex property.
3207
3208         To improve RegExp.prototype.@@match's performance more, we make this builtin function small by moving
3209         the slow path part to the `@matchSlow()` private function.
3210
3211         It improves SixSpeed regex-u.{es5,es6} considerably, since they stress String.prototype.match, which calls
3212         this regExpMatchFast function.
3213
3214                                  baseline                  patched
3215
3216         regex-u.es5          55.3835+-6.3002     ^     36.2431+-2.0797        ^ definitely 1.5281x faster
3217         regex-u.es6         110.4624+-6.2896     ^     94.1012+-7.2433        ^ definitely 1.1739x faster
3218
3219         * builtins/RegExpPrototype.js:
3220         (globalPrivate.matchSlow):
3221         (overriddenName.string_appeared_here.match):
3222         * dfg/DFGAbstractInterpreterInlines.h:
3223         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3224         * dfg/DFGByteCodeParser.cpp:
3225         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3226         * dfg/DFGClobberize.h:
3227         (JSC::DFG::clobberize):
3228         * dfg/DFGDoesGC.cpp:
3229         (JSC::DFG::doesGC):
3230         * dfg/DFGFixupPhase.cpp:
3231         (JSC::DFG::FixupPhase::fixupNode):
3232         * dfg/DFGNode.h:
3233         (JSC::DFG::Node::hasHeapPrediction):
3234         * dfg/DFGNodeType.h:
3235         * dfg/DFGOperations.cpp:
3236         * dfg/DFGOperations.h:
3237         * dfg/DFGPredictionPropagationPhase.cpp:
3238         * dfg/DFGSafeToExecute.h:
3239         (JSC::DFG::safeToExecute):
3240         * dfg/DFGSpeculativeJIT.cpp:
3241         (JSC::DFG::SpeculativeJIT::compileRegExpMatch):
3242         * dfg/DFGSpeculativeJIT.h:
3243         * dfg/DFGSpeculativeJIT32_64.cpp:
3244         (JSC::DFG::SpeculativeJIT::compile):
3245         * dfg/DFGSpeculativeJIT64.cpp:
3246         (JSC::DFG::SpeculativeJIT::compile):
3247         * ftl/FTLCapabilities.cpp:
3248         (JSC::FTL::canCompile):
3249         * ftl/FTLLowerDFGToB3.cpp:
3250         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3251         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatch):
3252         * runtime/Intrinsic.cpp:
3253         (JSC::intrinsicName):
3254         * runtime/Intrinsic.h:
3255         * runtime/JSGlobalObject.cpp:
3256         (JSC::JSGlobalObject::init):
3257         * runtime/RegExpPrototype.cpp:
3258         (JSC::regExpProtoFuncMatchFast):
3259
3260 2018-01-11  Saam Barati  <sbarati@apple.com>
3261
3262         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
3263         https://bugs.webkit.org/show_bug.cgi?id=181508
3264
3265         Reviewed by Yusuke Suzuki.
3266
3267         Our for-in caching would cache structure chains that had prototypes with
3268         indexed properties. Clearly this is wrong. This caching breaks when a prototype
3269         adds new indexed properties. We would continue to enumerate the old cached
3270         state of properties, and not include the new indexed properties.
3271         
3272         The old code used to prevent caching only if the base structure had
3273         indexed properties. This patch extends it to prevent caching if the
3274         base, or any structure in the prototype chain, has indexed properties.
3275
3276         * runtime/Structure.cpp:
3277         (JSC::Structure::canCachePropertyNameEnumerator const):
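
        The behaviour this entry describes can be checked from script with
        the following regression-style test (an added example, not WebKit's
        own test code). It assumes that repeatedly enumerating an object is
        enough to let an engine populate its property-name-enumerator cache;
        the iteration count is a constructed guess, not a value from the patch.

```javascript
// Added example, not part of WebKit: exercise the for-in cache invalidation
// case from r181508's description. An engine that cached the structure chain
// while the prototype had no indexed properties must still report an indexed
// property added to the prototype afterwards.
function forInKeys(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

function checkPrototypeIndexedPropertyVisible(iterations = 1000) {
  const proto = { p: 1 };
  const obj = Object.create(proto);
  obj.own = 2;

  // Warm-up: enumerate many times so a JIT has a chance to cache the
  // structure chain for `obj` (iteration count is an assumption).
  for (let i = 0; i < iterations; i++) forInKeys(obj);
  const before = forInKeys(obj);

  // Mutate the prototype by adding an indexed property. This is exactly
  // the case the old cache mishandled: the cached enumeration state did
  // not include the new indexed key.
  proto[0] = "indexed";
  const after = forInKeys(obj);

  // Per spec ordering: own keys first ("own"), then the prototype's
  // integer keys ascending ("0"), then its string keys ("p").
  return { before, after, sawNewIndex: after.includes("0") };
}

// Stand-alone run: prints the two enumerations and whether the new
// prototype index was seen (a correct engine reports true).
if (typeof require !== "undefined" && require.main === module) {
  console.log(checkPrototypeIndexedPropertyVisible());
}
```

        A correct engine yields before = own,p and after = own,0,p; an engine
        with the stale cache would omit the "0" from the second enumeration.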
3278
3279 2018-01-10  JF Bastien  <jfbastien@apple.com>
3280
3281         Poison small JSObject derivatives which only contain pointers
3282         https://bugs.webkit.org/show_bug.cgi?id=181483
3283         <rdar://problem/36407127>
3284
3285         Reviewed by Mark Lam.
3286
3287         I wrote a script that finds interesting things to poison or
3288         generally harden. These stood out because they derive from
3289         JSObject and only contain a few pointer or pointer-like fields,
3290         and could therefore just be poisoned. This also requires some
3291         template "improvements" to our poisoning machinery. Worth noting
3292         is that I'm making PoisonedUniquePtr move-assignable and
3293         move-constructible from unique_ptr, which makes it a better
3294         drop-in replacement because we don't need to use
3295         makePoisonedUniquePtr. This means function-locals can be
3296         unique_ptr and get the nice RAII pattern, and once the function is
3297         done you can just move to the class' PoisonedUniquePtr without
3298         worrying.
3299
3300         * API/JSAPIWrapperObject.h:
3301         (JSC::JSAPIWrapperObject::wrappedObject):
3302         * API/JSAPIWrapperObject.mm:
3303         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
3304         * API/JSCallbackObject.h:
3305         * runtime/ArrayPrototype.h:
3306         * runtime/DateInstance.h:
3307         * runtime/JSArrayBuffer.cpp:
3308         (JSC::JSArrayBuffer::finishCreation):
3309         (JSC::JSArrayBuffer::isShared const):
3310         (JSC::JSArrayBuffer::sharingMode const):
3311         * runtime/JSArrayBuffer.h:
3312         * runtime/JSCPoison.h:
3313
3314 2018-01-10  Commit Queue  <commit-queue@webkit.org>
3315
3316         Unreviewed, rolling out r226667 and r226673.
3317         https://bugs.webkit.org/show_bug.cgi?id=181488
3318
3319         This caused a flaky crash. (Requested by mlewis13 on #webkit).
3320
3321         Reverted changesets:
3322
3323         "CodeBlocks should be in IsoSubspaces"
3324         https://bugs.webkit.org/show_bug.cgi?id=180884
3325         https://trac.webkit.org/changeset/226667
3326
3327         "REGRESSION (r226667): CodeBlocks should be in IsoSubspaces"
3328         https://bugs.webkit.org/show_bug.cgi?id=180884
3329         https://trac.webkit.org/changeset/226673
3330
3331 2018-01-09  David Kilzer  <ddkilzer@apple.com>
3332
3333         REGRESSION (r226667): CodeBlocks should be in IsoSubspaces
3334         <https://bugs.webkit.org/show_bug.cgi?id=180884>
3335
3336         Fixes the following build error:
3337
3338             heap/Heap.cpp:2708:10: error: lambda capture 'this' is not used [-Werror,-Wunused-lambda-capture]
3339
3340         * heap/Heap.cpp:
3341         (JSC::Heap::addCoreConstraints): Remove 'this' from lambda to
3342         fix the build.
3343
3344 2018-01-09  Keith Miller  <keith_miller@apple.com>
3345
3346         and32 with an Address source on ARM64 did not invalidate dataTempRegister
3347         https://bugs.webkit.org/show_bug.cgi?id=181467