1428fe02ecc829d30ff9d366cc26362d1831856e
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-03-30  JF Bastien  <jfbastien@apple.com>
2
3         WebAssembly: support DataView compilation
4         https://bugs.webkit.org/show_bug.cgi?id=183342
5
6         Reviewed by Mark Lam.
7
8         Compiling a module from a DataView was incorrectly dealing with
9         DataView's offset.
10
11         * wasm/WasmModuleParser.cpp:
12         (JSC::Wasm::ModuleParser::parse):
13         * wasm/js/JSWebAssemblyHelpers.h:
14         (JSC::getWasmBufferFromValue):
15         (JSC::createSourceBufferFromValue):
16         * wasm/js/WebAssemblyPrototype.cpp:
17         (JSC::webAssemblyValidateFunc):
18
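The entry above fixes how the compile path handles a DataView's byteOffset. The following is an added example, not WebKit code, that models the same bug class in a small C++ helper: a view is a (buffer, byteOffset, byteLength) triple, and the parser must receive exactly that window, not the bytes from the start of the backing buffer. The struct and function names, the sample buffer, and the illustrative limit are assumptions for the example; the magic/version bytes are those of the WebAssembly binary format.

```cpp
// Added example (not WebKit code): extracting the bytes a DataView actually
// covers before handing them to a WebAssembly module parser. The bug class
// described above is ignoring DataView.byteOffset and reading from the start
// of the underlying ArrayBuffer instead. Names are illustrative.
#include <cstddef>
#include <cstdint>
#include <vector>

// Mirrors the JS-visible DataView triple (buffer, byteOffset, byteLength).
struct ViewRef {
    const std::vector<uint8_t>* buffer;
    size_t byteOffset;
    size_t byteLength;
};

// Copies exactly the view's window out of the backing buffer. Returns false if
// the window does not fit; the check is ordered so offset + length cannot wrap.
bool bytesFromView(const ViewRef& view, std::vector<uint8_t>& out)
{
    const std::vector<uint8_t>& buf = *view.buffer;
    if (view.byteOffset > buf.size() || view.byteLength > buf.size() - view.byteOffset)
        return false;
    out.assign(buf.begin() + view.byteOffset, buf.begin() + view.byteOffset + view.byteLength);
    return true;
}

// The buggy variant the ChangeLog entry describes: the offset is ignored.
bool bytesFromViewIgnoringOffset(const ViewRef& view, std::vector<uint8_t>& out)
{
    const std::vector<uint8_t>& buf = *view.buffer;
    if (view.byteLength > buf.size())
        return false;
    out.assign(buf.begin(), buf.begin() + view.byteLength);
    return true;
}

// Minimal wasm header check: magic "\0asm" followed by version 1 (little-endian).
bool hasWasmHeader(const std::vector<uint8_t>& bytes)
{
    static const uint8_t header[8] = { 0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00 };
    if (bytes.size() < sizeof(header))
        return false;
    for (size_t i = 0; i < sizeof(header); ++i) {
        if (bytes[i] != header[i])
            return false;
    }
    return true;
}

// Constructed sample: 4 bytes of unrelated padding, then a wasm header, then a
// trailing byte that lies outside the view.
std::vector<uint8_t> sampleBuffer()
{
    return { 0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00, 0xFF };
}

// True when the offset-aware extraction yields a valid header and the
// offset-ignoring one does not, for the sample above.
bool demonstrateOffsetBug()
{
    std::vector<uint8_t> buf = sampleBuffer();
    ViewRef view { &buf, 4, 8 };
    std::vector<uint8_t> good, bad;
    return bytesFromView(view, good) && hasWasmHeader(good)
        && bytesFromViewIgnoringOffset(view, bad) && !hasWasmHeader(bad);
}
```

The ordering of the two comparisons in bytesFromView matters: checking byteOffset against the buffer size first makes the subtraction safe, so a hostile byteLength cannot wrap the sum back into range.
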
19 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
20
21         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
22         https://bugs.webkit.org/show_bug.cgi?id=184189
23
24         Reviewed by JF Bastien.
25
26         * bytecompiler/NodesCodegen.cpp:
27         (JSC::ResolveNode::emitBytecode):
28
29 2018-03-30  Mark Lam  <mark.lam@apple.com>
30
31         Add pointer profiling support to Wasm.
32         https://bugs.webkit.org/show_bug.cgi?id=184175
33         <rdar://problem/39027923>
34
35         Reviewed by JF Bastien.
36
37         * runtime/PtrTag.h:
38         * wasm/WasmB3IRGenerator.cpp:
39         (JSC::Wasm::B3IRGenerator::addGrowMemory):
40         (JSC::Wasm::B3IRGenerator::addCall):
41         (JSC::Wasm::B3IRGenerator::addCallIndirect):
42         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
43         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
44         * wasm/WasmBBQPlan.cpp:
45         (JSC::Wasm::BBQPlan::prepare):
46         (JSC::Wasm::BBQPlan::complete):
47         * wasm/WasmBinding.cpp:
48         (JSC::Wasm::wasmToWasm):
49         * wasm/WasmBinding.h:
50         * wasm/WasmFaultSignalHandler.cpp:
51         (JSC::Wasm::trapHandler):
52         * wasm/WasmOMGPlan.cpp:
53         (JSC::Wasm::OMGPlan::work):
54         * wasm/WasmThunks.cpp:
55         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
56         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
57         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
58         * wasm/js/WasmToJS.cpp:
59         (JSC::Wasm::handleBadI64Use):
60         (JSC::Wasm::wasmToJS):
61         * wasm/js/WebAssemblyFunction.cpp:
62         (JSC::callWebAssemblyFunction):
63         * wasm/js/WebAssemblyFunction.h:
64
65 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
66
67         Unreviewed, rolling out r230102.
68
69         Caused assertion failures on JSC bots.
70
71         Reverted changeset:
72
73         "A stack overflow in the parsing of a builtin (called by
74         createExecutable) causes a crash instead of a catchable js
75         exception"
76         https://bugs.webkit.org/show_bug.cgi?id=184074
77         https://trac.webkit.org/changeset/230102
78
79 2018-03-30  Robin Morisset  <rmorisset@apple.com>
80
81         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
82         https://bugs.webkit.org/show_bug.cgi?id=183812
83
84         Reviewed by Keith Miller.
85
86         The fix I landed for https://bugs.webkit.org/show_bug.cgi?id=181027 was flawed: I tried setting the bytecodeIndex for the new block on line 1679 (at the end of inlineCall), but it is going to be reset on line 6612 (in parseCodeBlock).
87         The fix is simply to make the block untargetable by default, and let parseCodeBlock make it targetable afterwards if it is a jump target.
88
89         * dfg/DFGByteCodeParser.cpp:
90         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
91         (JSC::DFG::ByteCodeParser::inlineCall):
92
93 2018-03-30  Robin Morisset  <rmorisset@apple.com>
94
95         A stack overflow in the parsing of a builtin (called by createExecutable) causes a crash instead of a catchable js exception
96         https://bugs.webkit.org/show_bug.cgi?id=184074
97         <rdar://problem/37165897>
98
99         Reviewed by Keith Miller.
100
101         Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place.
102         It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError.
103         Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts.
104         As a result, this patch is grotesquely large, while all it does is adding enough plumbing to throw a proper exception in this specific case.
105
106         There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow.
107         If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too.
108
109         Two other minor changes:
110         - I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead.
111         - I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places.
112
113         * JavaScriptCore.xcodeproj/project.pbxproj:
114         * Scripts/builtins/builtins_generate_combined_header.py:
115         (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
116         (ParserError):
117         (generate_section_for_object): Deleted.
118         (generate_externs_for_object): Deleted.
119         (generate_macros_for_object): Deleted.
120         (generate_section_for_code_table_macro): Deleted.
121         (generate_section_for_code_name_macro): Deleted.
122         (generate_section_for_global_private_code_name_macro): Deleted.
123         * Scripts/builtins/builtins_generate_separate_header.py:
124         (generate_secondary_header_includes):
125         * Scripts/builtins/builtins_templates.py:
126         * Sources.txt:
127         * builtins/BuiltinExecutableCreator.cpp: Removed.
128         * builtins/BuiltinExecutableCreator.h: Removed.
129         * builtins/BuiltinExecutables.cpp:
130         (JSC::BuiltinExecutables::createDefaultConstructor):
131         (JSC::BuiltinExecutables::createBuiltinExecutable):
132         (JSC::createBuiltinExecutable):
133         (JSC::BuiltinExecutables::createExecutableOrCrash):
134         (JSC::BuiltinExecutables::createExecutable):
135         * builtins/BuiltinExecutables.h:
136         * bytecompiler/BytecodeGenerator.h:
137         * parser/ParserError.cpp: Added.
138         (JSC::ParserError::toErrorObject):
139         (JSC::ParserError::throwStackOverflowOrOutOfMemory):
140         (WTF::printInternal):
141         * parser/ParserError.h:
142         (JSC::ParserError::toErrorObject): Deleted.
143         (WTF::printInternal): Deleted.
144         * runtime/AsyncIteratorPrototype.cpp:
145         (JSC::AsyncIteratorPrototype::finishCreation):
146         * runtime/FunctionPrototype.cpp:
147         (JSC::FunctionPrototype::addFunctionProperties):
148         * runtime/JSGlobalObject.cpp:
149         (JSC::JSGlobalObject::init):
150         * runtime/JSObject.cpp:
151         (JSC::JSObject::getOwnStaticPropertySlot):
152         (JSC::JSObject::reifyAllStaticProperties):
153         * runtime/JSObject.h:
154         (JSC::JSObject::getOwnNonIndexPropertySlot):
155         (JSC::JSObject::getOwnPropertySlot):
156         (JSC::JSObject::getPropertySlot):
157         * runtime/JSObjectInlines.h:
158         (JSC::JSObject::getNonIndexPropertySlot):
159         * runtime/JSTypedArrayViewPrototype.cpp:
160         (JSC::JSTypedArrayViewPrototype::finishCreation):
161         * runtime/Lookup.cpp:
162         (JSC::reifyStaticAccessor):
163         (JSC::setUpStaticFunctionSlot):
164         * runtime/Lookup.h:
165         (JSC::getStaticPropertySlotFromTable):
166         (JSC::reifyStaticProperty):
167         * runtime/MapPrototype.cpp:
168         (JSC::MapPrototype::finishCreation):
169         * runtime/SetPrototype.cpp:
170         (JSC::SetPrototype::finishCreation):
171         * tools/JSDollarVM.cpp:
172         (JSC::functionCreateBuiltin):
173
174 2018-03-30  Robin Morisset  <rmorisset@apple.com>
175
176         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
177         https://bugs.webkit.org/show_bug.cgi?id=183657
178         <rdar://problem/38464399>
179
180         Reviewed by Keith Miller.
181
182         There was just a missing check in unshiftCountForIndexingType.
183         I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path',
184         and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp).
185         Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk.
186
187         * runtime/ArrayPrototype.cpp:
188         (JSC::unshift):
189         * runtime/JSArray.cpp:
190         (JSC::JSArray::unshiftCountWithAnyIndexingType):
191         * runtime/JSObject.h:
192         (JSC::JSObject::ensureLength):
193
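The entry above describes a fast path that grew an array past MAX_STORAGE_VECTOR_LENGTH because one check was missing. The following is an added example, not WebKit code, showing that check on a small array model: the fast-path unshift rejects any request whose resulting length would exceed the limit (computed so the addition cannot overflow), and the growth routine keeps a release-mode check as a last line of defence. ToyArray, kMaxStorageVectorLength (a small illustrative limit, not JSC's constant) and RELEASE_CHECK are assumptions for the example.

```cpp
// Added example (not WebKit code): the bounds check that the entry above says
// was missing from the unshift fast path, shown on a small array model.
// kMaxStorageVectorLength is an illustrative limit, not JSC's real constant.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <vector>

static const size_t kMaxStorageVectorLength = 16;

// Stand-in for a release assert: crashes loudly instead of continuing past an
// invariant violation, which is what the entry made ensureLength do.
#define RELEASE_CHECK(cond) do { if (!(cond)) std::abort(); } while (0)

struct ToyArray {
    std::vector<int32_t> storage;   // dense backing storage
    size_t length = 0;

    // Grows storage so that `newLength` elements fit. Callers must already have
    // rejected lengths beyond the limit; the check here is the last line of defence.
    void ensureLength(size_t newLength)
    {
        RELEASE_CHECK(newLength <= kMaxStorageVectorLength);
        if (storage.size() < newLength)
            storage.resize(newLength, 0);
    }

    // Fast-path unshift of `count` holes at `startIndex`. Returns false when the
    // request is refused, including any length that would exceed the limit;
    // the comparison is written so length + count is never computed unchecked.
    bool unshiftCount(size_t startIndex, size_t count)
    {
        if (startIndex > length)
            return false;
        if (count > kMaxStorageVectorLength - length)   // length + count would exceed the limit
            return false;
        size_t oldLength = length;
        ensureLength(oldLength + count);
        // Move the tail up by `count`, back to front so nothing is overwritten early.
        for (size_t i = oldLength; i > startIndex; --i)
            storage[i - 1 + count] = storage[i - 1];
        for (size_t i = 0; i < count; ++i)
            storage[startIndex + i] = 0;
        length = oldLength + count;
        return true;
    }
};

// Constructed scenario: an array holding 1..10.
ToyArray makeSample()
{
    ToyArray a;
    for (int32_t v = 1; v <= 10; ++v) {
        a.storage.push_back(v);
        ++a.length;
    }
    return a;
}

// Value at index i after unshifting `count` holes at the front of the sample,
// or -1 when the fast path refused the request.
int32_t valueAfterUnshift(size_t count, size_t i)
{
    ToyArray a = makeSample();
    if (!a.unshiftCount(0, count))
        return -1;
    return a.storage[i];
}
```

Without the `count > kMaxStorageVectorLength - length` line, a large count would reach ensureLength, and with only a debug assert there the write loop would run past the backing storage in release builds; that is the out-of-bounds access the entry refers to.
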
194 2018-03-29  Mark Lam  <mark.lam@apple.com>
195
196         Add some pointer profiling support to B3 and Air.
197         https://bugs.webkit.org/show_bug.cgi?id=184165
198         <rdar://problem/39022125>
199
200         Reviewed by JF Bastien.
201
202         * b3/B3LowerMacros.cpp:
203         * b3/B3LowerMacrosAfterOptimizations.cpp:
204         * b3/B3MathExtras.cpp:
205         * b3/B3ReduceStrength.cpp:
206         * b3/air/AirCCallSpecial.cpp:
207         (JSC::B3::Air::CCallSpecial::generate):
208         * b3/air/AirCCallSpecial.h:
209         * b3/testb3.cpp:
210         (JSC::B3::testCallSimple):
211         (JSC::B3::testCallRare):
212         (JSC::B3::testCallRareLive):
213         (JSC::B3::testCallSimplePure):
214         (JSC::B3::testCallFunctionWithHellaArguments):
215         (JSC::B3::testCallFunctionWithHellaArguments2):
216         (JSC::B3::testCallFunctionWithHellaArguments3):
217         (JSC::B3::testCallSimpleDouble):
218         (JSC::B3::testCallSimpleFloat):
219         (JSC::B3::testCallFunctionWithHellaDoubleArguments):
220         (JSC::B3::testCallFunctionWithHellaFloatArguments):
221         (JSC::B3::testLinearScanWithCalleeOnStack):
222         (JSC::B3::testInterpreter):
223         (JSC::B3::testLICMPure):
224         (JSC::B3::testLICMPureSideExits):
225         (JSC::B3::testLICMPureWritesPinned):
226         (JSC::B3::testLICMPureWrites):
227         (JSC::B3::testLICMReadsLocalState):
228         (JSC::B3::testLICMReadsPinned):
229         (JSC::B3::testLICMReads):
230         (JSC::B3::testLICMPureNotBackwardsDominant):
231         (JSC::B3::testLICMPureFoiledByChild):
232         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
233         (JSC::B3::testLICMExitsSideways):
234         (JSC::B3::testLICMWritesLocalState):
235         (JSC::B3::testLICMWrites):
236         (JSC::B3::testLICMFence):
237         (JSC::B3::testLICMWritesPinned):
238         (JSC::B3::testLICMControlDependent):
239         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
240         (JSC::B3::testLICMControlDependentSideExits):
241         (JSC::B3::testLICMReadsPinnedWritesPinned):
242         (JSC::B3::testLICMReadsWritesDifferentHeaps):
243         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
244         (JSC::B3::testLICMDefaultCall):
245         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
246         * ftl/FTLLowerDFGToB3.cpp:
247         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
248         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
249         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
250         * jit/GPRInfo.h:
251         * runtime/PtrTag.h:
252         * wasm/WasmBinding.cpp:
253         (JSC::Wasm::wasmToWasm):
254
255 2018-03-29  JF Bastien  <jfbastien@apple.com>
256
257         Use Forward.h instead of forward-declaring WTF::String
258         https://bugs.webkit.org/show_bug.cgi?id=184172
259         <rdar://problem/39026146>
260
261         Reviewed by Yusuke Suzuki.
262
263         As part of #184164 I'm changing WTF::String, and the forward
264         declarations are just wrong because I'm making it templated. We
265         should use Forward.h anyways, so do that instead.
266
267         * runtime/DateConversion.h:
268
269 2018-03-29  Mark Lam  <mark.lam@apple.com>
270
271         Use MacroAssemblerCodePtr in Wasm code for code pointers instead of void*.
272         https://bugs.webkit.org/show_bug.cgi?id=184163
273         <rdar://problem/39020397>
274
275         Reviewed by JF Bastien.
276
277         With the use of MacroAssemblerCodePtr, we now get poisoning for Wasm code pointers.
278
279         Also renamed some structs, methods, and variable names to be more accurate.
280         Previously, there was some confusion between a code pointer and the address of a
281         code pointer (sometimes referred to in the code as a "LoadLocation").  We now name
282         the LoadLocation variables appropriately to distinguish them from code pointers.
283
284         * wasm/WasmB3IRGenerator.cpp:
285         (JSC::Wasm::B3IRGenerator::addCall):
286         (JSC::Wasm::B3IRGenerator::addCallIndirect):
287         * wasm/WasmBinding.cpp:
288         (JSC::Wasm::wasmToWasm):
289         * wasm/WasmCodeBlock.cpp:
290         (JSC::Wasm::CodeBlock::CodeBlock):
291         * wasm/WasmCodeBlock.h:
292         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
293         (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
294         * wasm/WasmFormat.h:
295         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction):
296         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation):
297         (JSC::Wasm::CallableFunction::CallableFunction): Deleted.
298         (JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
299         * wasm/WasmInstance.h:
300         (JSC::Wasm::Instance::offsetOfWasmEntrypointLoadLocation):
301         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStub):
302         (JSC::Wasm::Instance::offsetOfWasmEntrypoint): Deleted.
303         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
304         * wasm/WasmOMGPlan.cpp:
305         (JSC::Wasm::OMGPlan::work):
306         * wasm/WasmTable.cpp:
307         (JSC::Wasm::Table::Table):
308         (JSC::Wasm::Table::grow):
309         (JSC::Wasm::Table::clearFunction):
310         (JSC::Wasm::Table::setFunction):
311         * wasm/WasmTable.h:
312         (JSC::Wasm::Table::offsetOfFunctions):
313         * wasm/js/JSWebAssemblyCodeBlock.h:
314         * wasm/js/JSWebAssemblyInstance.cpp:
315         (JSC::JSWebAssemblyInstance::finalizeCreation):
316         (JSC::JSWebAssemblyInstance::create):
317         * wasm/js/JSWebAssemblyTable.cpp:
318         (JSC::JSWebAssemblyTable::setFunction):
319         * wasm/js/WebAssemblyFunction.cpp:
320         (JSC::WebAssemblyFunction::create):
321         (JSC::WebAssemblyFunction::WebAssemblyFunction):
322         * wasm/js/WebAssemblyFunction.h:
323         * wasm/js/WebAssemblyModuleRecord.cpp:
324         (JSC::WebAssemblyModuleRecord::link):
325         (JSC::WebAssemblyModuleRecord::evaluate):
326         * wasm/js/WebAssemblyWrapperFunction.cpp:
327         (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
328         (JSC::WebAssemblyWrapperFunction::create):
329         * wasm/js/WebAssemblyWrapperFunction.h:
330
331 2018-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>
332
333         Remove WTF_EXPORTDATA and JS_EXPORTDATA
334         https://bugs.webkit.org/show_bug.cgi?id=184170
335
336         Reviewed by JF Bastien.
337
338         Replace WTF_EXPORTDATA and JS_EXPORTDATA with
339         WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE respectively.
340
341         * heap/WriteBarrierSupport.h:
342         * jit/ExecutableAllocator.cpp:
343         * jit/ExecutableAllocator.h:
344         * runtime/JSCPoison.h:
345         * runtime/JSCell.h:
346         * runtime/JSExportMacros.h:
347         * runtime/JSGlobalObject.h:
348         * runtime/JSObject.h:
349         * runtime/Options.h:
350         * runtime/PropertyDescriptor.h:
351         * runtime/PropertyMapHashTable.h:
352         * runtime/SamplingCounter.h:
353
354 2018-03-29  Ross Kirsling  <ross.kirsling@sony.com>
355
356         MSVC __forceinline slows down JSC release build fivefold after r229391
357         https://bugs.webkit.org/show_bug.cgi?id=184062
358
359         Reviewed by Alex Christensen.
360
361         * jit/CCallHelpers.h:
362         (JSC::CCallHelpers::marshallArgumentRegister):
363         Exempt MSVC from a single forced inline used within recursive templates.
364
365 2018-03-29  Keith Miller  <keith_miller@apple.com>
366
367         ArrayMode should not try to get the DFG to think it can convert TypedArrays
368         https://bugs.webkit.org/show_bug.cgi?id=184137
369
370         Reviewed by Saam Barati.
371
372         * dfg/DFGArrayMode.cpp:
373         (JSC::DFG::ArrayMode::fromObserved):
374
375 2018-03-29  Commit Queue  <commit-queue@webkit.org>
376
377         Unreviewed, rolling out r230062.
378         https://bugs.webkit.org/show_bug.cgi?id=184128
379
380         Broke mac port. web content process crashes while loading any
381         web page (Requested by rniwa on #webkit).
382
383         Reverted changeset:
384
385         "MSVC __forceinline slows down JSC release build fivefold
386         after r229391"
387         https://bugs.webkit.org/show_bug.cgi?id=184062
388         https://trac.webkit.org/changeset/230062
389
390 2018-03-28  Ross Kirsling  <ross.kirsling@sony.com>
391
392         MSVC __forceinline slows down JSC release build fivefold after r229391
393         https://bugs.webkit.org/show_bug.cgi?id=184062
394
395         Reviewed by Alex Christensen.
396
397         * jit/CCallHelpers.h:
398         (JSC::CCallHelpers::marshallArgumentRegister):
399         Exempt MSVC from a single forced inline used within recursive templates.
400
401 2018-03-28  Mark Lam  <mark.lam@apple.com>
402
403         Enhance ARM64 probe to support pointer profiling.
404         https://bugs.webkit.org/show_bug.cgi?id=184069
405         <rdar://problem/38939879>
406
407         Reviewed by JF Bastien.
408
409         * assembler/MacroAssemblerARM64.cpp:
410         (JSC::MacroAssembler::probe):
411         * assembler/MacroAssemblerX86Common.h:
412         (JSC::MacroAssemblerX86Common::popPair):
413         (JSC::MacroAssemblerX86Common::pushPair):
414         * assembler/testmasm.cpp:
415         (JSC::testProbeReadsArgumentRegisters):
416         (JSC::testProbeWritesArgumentRegisters):
417         * runtime/PtrTag.h:
418         (JSC::tagForPtr):
419
420 2018-03-28  Robin Morisset  <rmorisset@apple.com>
421
422         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
423         https://bugs.webkit.org/show_bug.cgi?id=183894
424
425         Reviewed by Saam Barati.
426
427         Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
428
429         * runtime/JSONObject.cpp:
430         (JSC::Stringifier::appendStringifiedValue):
431
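The entry above changes a JSON stringifier so that a string too large to handle makes the whole operation fail instead of quietly stopping. The following is an added example, not WebKit code, of that pattern: the appender sizes its output with checked arithmetic before writing, returns false on overflow, and the caller propagates that result and discards its partial output. kMaxStringLength (an illustrative budget), appendRaw and stringifyStringArray are assumptions for the example.

```cpp
// Added example (not WebKit code): a quoted-JSON-string appender that reports
// a length overflow to its caller instead of silently stopping, and a caller
// that propagates that failure. kMaxStringLength is an illustrative budget.
#include <cstddef>
#include <string>
#include <vector>

static const size_t kMaxStringLength = 64;

// Number of output bytes one input byte expands to after JSON escaping.
static size_t escapedWidth(unsigned char c)
{
    switch (c) {
    case '"': case '\\': case '\n': case '\r': case '\t': return 2;
    default: return c < 0x20 ? 6 : 1;   // "\u00XX" for other control characters
    }
}

// Appends `in` as a quoted JSON string. Returns false, leaving `out` untouched,
// if the result would exceed the budget. The size is computed first with
// checked arithmetic, so neither the count nor the buffer can wrap.
bool appendQuotedJSONString(std::string& out, const std::string& in)
{
    if (out.size() > kMaxStringLength)
        return false;
    size_t remaining = kMaxStringLength - out.size();
    size_t needed = 2;                        // the surrounding quotes
    if (needed > remaining)
        return false;
    for (unsigned char c : in) {
        size_t w = escapedWidth(c);
        if (w > remaining - needed)           // needed + w would exceed the budget
            return false;
        needed += w;
    }
    // Second pass: emit, now known to fit.
    static const char hex[] = "0123456789abcdef";
    out.push_back('"');
    for (unsigned char c : in) {
        switch (c) {
        case '"':  out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\n': out += "\\n"; break;
        case '\r': out += "\\r"; break;
        case '\t': out += "\\t"; break;
        default:
            if (c < 0x20) {
                out += "\\u00";
                out.push_back(hex[c >> 4]);
                out.push_back(hex[c & 0xF]);
            } else
                out.push_back(static_cast<char>(c));
        }
    }
    out.push_back('"');
    return true;
}

// Appends one structural character under the same budget.
static bool appendRaw(std::string& out, char c)
{
    if (out.size() >= kMaxStringLength)
        return false;
    out.push_back(c);
    return true;
}

// Stand-in for the stringifier's caller: serialises a list of strings as a JSON
// array and fails the whole operation on the first overflow, rather than
// returning a truncated document.
bool stringifyStringArray(const std::vector<std::string>& values, std::string& out)
{
    out.clear();
    if (!appendRaw(out, '['))
        return false;
    for (size_t i = 0; i < values.size(); ++i) {
        if (i && !appendRaw(out, ','))
            break;
        if (!appendQuotedJSONString(out, values[i]))
            break;
        if (i + 1 == values.size() && appendRaw(out, ']'))
            return true;
    }
    out.clear();   // propagate: the caller sees failure, not partial JSON
    return false;
}
```

Returning `false` from every level is the whole point: a stringifier that stops appending but still returns success hands its caller a syntactically broken document with no indication that anything went wrong.
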
432 2018-03-28  Carlos Garcia Campos  <cgarcia@igalia.com>
433
434         [JSC] Move WeakValueRef class to its own file and use it from Objc and GLib
435         https://bugs.webkit.org/show_bug.cgi?id=184073
436
437         Reviewed by Yusuke Suzuki.
438
439         We currently have duplicated code in the ObjC and GLib implementations.
440
441         * API/JSManagedValue.mm:
442         (managedValueHandleOwner):
443         (-[JSManagedValue initWithValue:]):
444         * API/JSWeakValue.cpp: Added.
445         (JSC::JSWeakValue::~JSWeakValue):
446         (JSC::JSWeakValue::clear):
447         (JSC::JSWeakValue::isClear const):
448         (JSC::JSWeakValue::setPrimitive):
449         (JSC::JSWeakValue::setObject):
450         (JSC::JSWeakValue::setString):
451         * API/JSWeakValue.h: Added.
452         (JSC::JSWeakValue::isSet const):
453         (JSC::JSWeakValue::isPrimitive const):
454         (JSC::JSWeakValue::isObject const):
455         (JSC::JSWeakValue::isString const):
456         (JSC::JSWeakValue::object const):
457         (JSC::JSWeakValue::primitive const):
458         (JSC::JSWeakValue::string const):
459         * API/glib/JSCWeakValue.cpp:
460         * JavaScriptCore.xcodeproj/project.pbxproj:
461         * Sources.txt:
462
463 2018-03-27  Carlos Garcia Campos  <cgarcia@igalia.com>
464
465         [GLIB] Add JSCWeakValue to JavaScriptCore GLib API
466         https://bugs.webkit.org/show_bug.cgi?id=184041
467
468         Reviewed by Michael Catanzaro.
469
470         This allows keeping a reference to a JavaScript value without protecting it, and without holding a strong
471         reference to the context. When the value is cleared the JSCWeakValue::cleared signal is emitted and
472         jsc_weak_value_get_value() will always return nullptr.
473
474         * API/glib/JSCWeakValue.cpp: Added.
475         (WeakValueRef::~WeakValueRef):
476         (WeakValueRef::clear):
477         (WeakValueRef::isClear const):
478         (WeakValueRef::isSet const):
479         (WeakValueRef::isPrimitive const):
480         (WeakValueRef::isObject const):
481         (WeakValueRef::isString const):
482         (WeakValueRef::setPrimitive):
483         (WeakValueRef::setObject):
484         (WeakValueRef::setString):
485         (WeakValueRef::object const):
486         (WeakValueRef::primitive const):
487         (WeakValueRef::string const):
488         (weakValueHandleOwner):
489         (jscWeakValueInitialize):
490         (jscWeakValueSetProperty):
491         (jscWeakValueDispose):
492         (jsc_weak_value_class_init):
493         (jsc_weak_value_new):
494         (jsc_weak_value_get_value):
495         * API/glib/JSCWeakValue.h: Added.
496         * API/glib/docs/jsc-glib-4.0-sections.txt:
497         * API/glib/docs/jsc-glib-docs.sgml:
498         * API/glib/jsc.h:
499         * GLib.cmake:
500
501 2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
502
503         [DFG] Remove unnecessary USE(JSVALUE32_64) / USE(JSVALUE64)
504         https://bugs.webkit.org/show_bug.cgi?id=181292
505
506         Reviewed by Saam Barati.
507
508         By using JSValueRegs abstraction, we can simplify DFGSpeculativeJIT.cpp code.
509
510         * dfg/DFGSpeculativeJIT.cpp:
511         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
512         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
513         (JSC::DFG::SpeculativeJIT::compileCreateRest):
514         (JSC::DFG::SpeculativeJIT::compileArraySlice):
515         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
516         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
517         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
518
519 2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
520
521         Add Load16Z for B3 and use it in WebAssembly
522         https://bugs.webkit.org/show_bug.cgi?id=165884
523
524         Reviewed by JF Bastien.
525
526         We already support Load16Z in B3. Use it for i32.load16_u / i64.load16_u in WebAssembly.
527         spec-tests/memory.wast.js already covered this change.
528
529         * wasm/WasmB3IRGenerator.cpp:
530         (JSC::Wasm::B3IRGenerator::emitLoadOp):
531
532 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
533
534         [JSC] Remove repeated iteration of ElementNode
535         https://bugs.webkit.org/show_bug.cgi?id=183987
536
537         Reviewed by Keith Miller.
538
539         BytecodeGenerator repeatedly iterates ElementNode to emit efficient code.
540         While it is OK for small arrays, this repeated iteration takes a long time
541         if the array is very large. For example, Kraken's initialization code includes a
542         very large array of numeric literals. This makes bytecode compilation take a long time.
543
544         This patch carefully removes unnecessary iteration when emitting arrays.
545         This reduces one of Kraken/imaging-darkroom's bytecode compiling from 13.169856 ms
546         to 9.988050 ms.
547
548         * bytecompiler/BytecodeGenerator.cpp:
549         (JSC::BytecodeGenerator::emitNewArrayBuffer):
550         (JSC::BytecodeGenerator::emitNewArray):
551         * bytecompiler/BytecodeGenerator.h:
552         * bytecompiler/NodesCodegen.cpp:
553         (JSC::ArrayNode::emitBytecode):
554         (JSC::ArrayPatternNode::bindValue const):
555         (JSC::ArrayPatternNode::emitDirectBinding):
556
557 2018-03-26  Ross Kirsling  <ross.kirsling@sony.com>
558
559         JIT callOperation() needs to support operations that return SlowPathReturnType differently on Windows.
560         https://bugs.webkit.org/show_bug.cgi?id=183655
561
562         Reviewed by Keith Miller.
563
564         * jit/CCallHelpers.h:
565         (JSC::CCallHelpers::ArgCollection::argCount):
566         (JSC::CCallHelpers::marshallArgumentRegister):
567         (JSC::CCallHelpers::setupArgumentsImpl):
568         On Win64, ensure that argCount always includes GPRs and FPRs and that counting starts from 1 for SlowPathReturnType.
569
570         * jit/JIT.h:
571         (JSC::JIT::callOperation):
572         (JSC::JIT::is64BitType):
573         (JSC::JIT::is64BitType<void>):
574         On Win64, ensure special call is used for SlowPathReturnType.
575
576         * jit/JITOperations.h:
577         Update changed type.
578
579 2018-03-26  Yusuke Suzuki  <utatane.tea@gmail.com>
580
581         We should have SSE4 detection in the X86 MacroAssembler.
582         https://bugs.webkit.org/show_bug.cgi?id=165363
583
584         Reviewed by JF Bastien.
585
586         This patch adds popcnt support to WASM in the x86_64 environment.
587         To use it, we refactor our CPUID feature detection in MacroAssemblerX86Common.
588         Our spec-tests already cover popcnt.
589
590         * assembler/MacroAssemblerARM64.h:
591         (JSC::MacroAssemblerARM64::supportsCountPopulation):
592         * assembler/MacroAssemblerX86Common.cpp:
593         (JSC::MacroAssemblerX86Common::getCPUID):
594         (JSC::MacroAssemblerX86Common::getCPUIDEx):
595         (JSC::MacroAssemblerX86Common::collectCPUFeatures):
596         * assembler/MacroAssemblerX86Common.h:
597         (JSC::MacroAssemblerX86Common::countPopulation32):
598         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
599         (JSC::MacroAssemblerX86Common::supportsCountPopulation):
600         (JSC::MacroAssemblerX86Common::supportsAVX):
601         (JSC::MacroAssemblerX86Common::supportsLZCNT):
602         (JSC::MacroAssemblerX86Common::supportsBMI1):
603         (JSC::MacroAssemblerX86Common::isSSE2Present):
604         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags): Deleted.
605         * assembler/MacroAssemblerX86_64.h:
606         (JSC::MacroAssemblerX86_64::countPopulation64):
607         * assembler/X86Assembler.h:
608         (JSC::X86Assembler::popcnt_rr):
609         (JSC::X86Assembler::popcnt_mr):
610         (JSC::X86Assembler::popcntq_rr):
611         (JSC::X86Assembler::popcntq_mr):
612         * wasm/WasmB3IRGenerator.cpp:
613         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
614         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
615
616 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
617
618         DFG should know that CreateThis can be effectful
619         https://bugs.webkit.org/show_bug.cgi?id=184013
620
621         Reviewed by Saam Barati.
622
623         As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this
624         is a proxy.
625
626         * dfg/DFGAbstractInterpreterInlines.h:
627         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
628         * dfg/DFGClobberize.h:
629         (JSC::DFG::clobberize):
630
631 2018-03-25  Saam Barati  <sbarati@apple.com>
632
633         Fix typo in JSC option name
634         https://bugs.webkit.org/show_bug.cgi?id=184001
635
636         Reviewed by Mark Lam.
637
638         enableJITDebugAssetions => enableJITDebugAssertions.
639
640         * assembler/MacroAssembler.cpp:
641         (JSC::MacroAssembler::jitAssert):
642         * runtime/Options.h:
643
644 2018-03-25  Saam Barati  <sbarati@apple.com>
645
646         r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
647         https://bugs.webkit.org/show_bug.cgi?id=183995
648
649         Reviewed by Filip Pizlo.
650
651         The removal of this line of code was unintended and happened during some
652         refactoring Fil was doing. The consequence of removing this line of code
653         is that m_emptyCursor became a monotonically increasing integer, leading
654         to the cursor usually being out of bounds of the block range (depending on
655         what the program is doing). This made the functionality of finding an empty
656         block to steal almost always fail.
657
658         * heap/BlockDirectory.cpp:
659         (JSC::BlockDirectory::prepareForAllocation):
660
661 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
662
663         [DFG] Introduces fused compare and jump
664         https://bugs.webkit.org/show_bug.cgi?id=177100
665
666         Reviewed by Mark Lam.
667
668         This patch introduces op_jeq, op_jneq, op_jstricteq, and op_jnstricteq.
669         It offers three benefits.
670
671         1. They are introduced for the same purpose as op_jless etc. It aligns
672         the op_eq family with the op_jless family.
673
674         2. It reduces the size of the bytecode needed to represent the typical code sequence.
675
676         3. It offers a way to fuse the check and the jump in DFG code generation. Since
677         we previously had a MovHint between Branch and CompareEq/CompareStrictEq,
678         we could not do this optimization. It reduces the machine code size in DFG too.
679
680         It slightly improves Octane/boyer.
681
682             boyer  6.18038+-0.05002    ^     6.06990+-0.04176       ^ definitely 1.0182x faster
683
684         * bytecode/BytecodeDumper.cpp:
685         (JSC::BytecodeDumper<Block>::dumpBytecode):
686         * bytecode/BytecodeList.json:
687         * bytecode/BytecodeUseDef.h:
688         (JSC::computeUsesForBytecodeOffset):
689         (JSC::computeDefsForBytecodeOffset):
690         * bytecode/Opcode.h:
691         (JSC::isBranch):
692         * bytecode/PreciseJumpTargetsInlines.h:
693         (JSC::extractStoredJumpTargetsForBytecodeOffset):
694         * bytecompiler/BytecodeGenerator.cpp:
695         (JSC::BytecodeGenerator::emitJumpIfTrue):
696         (JSC::BytecodeGenerator::emitJumpIfFalse):
697         * dfg/DFGByteCodeParser.cpp:
698         (JSC::DFG::ByteCodeParser::parseBlock):
699         * dfg/DFGCapabilities.cpp:
700         (JSC::DFG::capabilityLevel):
701         * dfg/DFGOperations.cpp:
702         * dfg/DFGOperations.h:
703         * dfg/DFGSpeculativeJIT.cpp:
704         (JSC::DFG::SpeculativeJIT::compileStrictEq):
705         * jit/JIT.cpp:
706         (JSC::JIT::privateCompileMainPass):
707         (JSC::JIT::privateCompileSlowCases):
708         * jit/JIT.h:
709         * jit/JITOpcodes.cpp:
710         (JSC::JIT::emit_op_jeq):
711         (JSC::JIT::emit_op_neq):
712         (JSC::JIT::emit_op_jneq):
713         (JSC::JIT::compileOpStrictEq):
714         (JSC::JIT::emit_op_stricteq):
715         (JSC::JIT::emit_op_nstricteq):
716         (JSC::JIT::compileOpStrictEqJump):
717         (JSC::JIT::emit_op_jstricteq):
718         (JSC::JIT::emit_op_jnstricteq):
719         (JSC::JIT::emitSlow_op_jstricteq):
720         (JSC::JIT::emitSlow_op_jnstricteq):
721         (JSC::JIT::emitSlow_op_jeq):
722         (JSC::JIT::emitSlow_op_jneq):
723         * jit/JITOpcodes32_64.cpp:
724         (JSC::JIT::emitSlow_op_eq):
725         (JSC::JIT::emit_op_jeq):
726         (JSC::JIT::compileOpEqJumpSlow):
727         (JSC::JIT::emitSlow_op_jeq):
728         (JSC::JIT::emit_op_jneq):
729         (JSC::JIT::emitSlow_op_jneq):
730         (JSC::JIT::compileOpStrictEq):
731         (JSC::JIT::emit_op_stricteq):
732         (JSC::JIT::emit_op_nstricteq):
733         (JSC::JIT::compileOpStrictEqJump):
734         (JSC::JIT::emit_op_jstricteq):
735         (JSC::JIT::emit_op_jnstricteq):
736         (JSC::JIT::emitSlow_op_jstricteq):
737         (JSC::JIT::emitSlow_op_jnstricteq):
738         * jit/JITOperations.cpp:
739         * jit/JITOperations.h:
740         * llint/LLIntSlowPaths.cpp:
741         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
742         * llint/LLIntSlowPaths.h:
743         * llint/LowLevelInterpreter.asm:
744         * llint/LowLevelInterpreter32_64.asm:
745         * llint/LowLevelInterpreter64.asm:
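
The size reduction and the removal of the intermediate compare result that the entry above describes can be seen in a toy register machine. This is an added example, not JSC's bytecode or code from the patch: the opcodes (OpEq, OpJTrue, OpJEq, ...) and the operand layout are hypothetical, chosen only to mirror the unfused `op_eq` + `op_jtrue` sequence against a fused `op_jeq`.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical register-machine bytecode (not JSC's BytecodeList.json): each
// instruction is an opcode word followed by its operand words.
enum Op : int32_t {
    OpLoadConst, // dst, constant
    OpEq,        // dst, lhs, rhs       (dst = lhs == rhs)
    OpJTrue,     // cond, offset        (relative jump if cond is truthy)
    OpJEq,       // lhs, rhs, offset    (fused compare-and-branch)
    OpAddConst,  // dst, src, constant
    OpJmp,       // offset
    OpRet,       // src
};

// Relative jump with a signed offset; pc stays a size_t.
static size_t jumpTarget(size_t pc, int32_t offset) {
    return static_cast<size_t>(static_cast<int64_t>(pc) + offset);
}

// Runs a program until OpRet and returns the returned register's value.
static int64_t run(const std::vector<int32_t>& code) {
    int64_t regs[8] = {0};
    size_t pc = 0;
    for (size_t steps = 0; pc < code.size(); ++steps) {
        if (steps > 100000)
            throw std::runtime_error("step limit exceeded");
        switch (code[pc]) {
        case OpLoadConst: regs[code[pc + 1]] = code[pc + 2]; pc += 3; break;
        case OpEq: regs[code[pc + 1]] = (regs[code[pc + 2]] == regs[code[pc + 3]]); pc += 4; break;
        case OpJTrue: pc = regs[code[pc + 1]] ? jumpTarget(pc, code[pc + 2]) : pc + 3; break;
        case OpJEq: pc = (regs[code[pc + 1]] == regs[code[pc + 2]]) ? jumpTarget(pc, code[pc + 3]) : pc + 4; break;
        case OpAddConst: regs[code[pc + 1]] = regs[code[pc + 2]] + code[pc + 3]; pc += 4; break;
        case OpJmp: pc = jumpTarget(pc, code[pc + 1]); break;
        case OpRet: return regs[code[pc + 1]];
        default: throw std::runtime_error("bad opcode");
        }
    }
    throw std::runtime_error("fell off the end of the program");
}

// Both programs count r0 from 0 up to r1 (5): loop { if (r0 == r1) break; r0 += 1; } return r0;
// Unfused form: a separate OpEq materializes the comparison into r2, then OpJTrue tests r2.
static std::vector<int32_t> unfusedProgram() {
    return {
        OpLoadConst, 0, 0,    // pc 0:  r0 = 0
        OpLoadConst, 1, 5,    // pc 3:  r1 = 5
        OpEq, 2, 0, 1,        // pc 6:  r2 = (r0 == r1)
        OpJTrue, 2, 9,        // pc 10: if (r2) goto 19
        OpAddConst, 0, 0, 1,  // pc 13: r0 = r0 + 1
        OpJmp, -11,           // pc 17: goto 6
        OpRet, 0,             // pc 19: return r0
    };
}

// Fused form: OpJEq compares and branches in one instruction, so the
// temporary r2 and one opcode word disappear from the loop body.
static std::vector<int32_t> fusedProgram() {
    return {
        OpLoadConst, 0, 0,    // pc 0:  r0 = 0
        OpLoadConst, 1, 5,    // pc 3:  r1 = 5
        OpJEq, 0, 1, 10,      // pc 6:  if (r0 == r1) goto 16
        OpAddConst, 0, 0, 1,  // pc 10: r0 = r0 + 1
        OpJmp, -8,            // pc 14: goto 6
        OpRet, 0,             // pc 16: return r0
    };
}

int main() {
    // Same result, 21 words versus 18 words of bytecode.
    return (run(unfusedProgram()) == run(fusedProgram())
            && fusedProgram().size() < unfusedProgram().size()) ? 0 : 1;
}
```

The interesting part for an optimizing tier is not only the three words saved: in the fused form there is no compare result living in a register between the compare and the branch, which is exactly the gap the entry's MovHint sat in.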
746
747 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
748
749         [JSC] Improve constants and add comments for CodeBlockHash
750         https://bugs.webkit.org/show_bug.cgi?id=183982
751
752         Rubber-stamped by Mark Lam.
753
754         * bytecode/CodeBlockHash.cpp:
755         (JSC::CodeBlockHash::CodeBlockHash):
756         * bytecode/ParseHash.cpp:
757         (JSC::ParseHash::ParseHash):
758
759 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
760
761         [JSC] Add options to report parsing and bytecode compiling times
762         https://bugs.webkit.org/show_bug.cgi?id=183982
763
764         Reviewed by Mark Lam.
765
766         This patch adds reportParseTimes and reportBytecodeCompileTimes options.
767         When they are enabled, JSC reports times consumed for parsing and bytecode
768         compiling.
769
770         * JavaScriptCore.xcodeproj/project.pbxproj:
771         * Sources.txt:
772         * bytecode/ParseHash.cpp: Added.
773         (JSC::ParseHash::ParseHash):
774         * bytecode/ParseHash.h: Added.
775         (JSC::ParseHash::hashForCall const):
776         (JSC::ParseHash::hashForConstruct const):
777         * bytecode/UnlinkedFunctionExecutable.cpp:
778         (JSC::generateUnlinkedFunctionCodeBlock):
779         * bytecompiler/BytecodeGenerator.h:
780         (JSC::BytecodeGenerator::generate):
781         * parser/Parser.h:
782         (JSC::parse):
783         * runtime/CodeCache.h:
784         (JSC::generateUnlinkedCodeBlock):
785         * runtime/Options.h:
786
787 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
788
789         [JIT] Drop ENABLE_JIT_VERBOSE flag
790         https://bugs.webkit.org/show_bug.cgi?id=183983
791
792         Reviewed by Mark Lam.
793
794         Just use JITInternal::verbose value.
795
796         * jit/JIT.cpp:
797         (JSC::JIT::privateCompileMainPass):
798         (JSC::JIT::privateCompileSlowCases):
799         (JSC::JIT::link):
800
801 2018-03-23  Tim Horton  <timothy_horton@apple.com>
802
803         Fix the build with no pasteboard
804         https://bugs.webkit.org/show_bug.cgi?id=183973
805
806         Reviewed by Dan Bernstein.
807
808         * Configurations/FeatureDefines.xcconfig:
809
810 2018-03-23  Mark Lam  <mark.lam@apple.com>
811
812         LLInt TypeArray pointer poisoning should not pick its poison dynamically.
813         https://bugs.webkit.org/show_bug.cgi?id=183942
814         <rdar://problem/38798018>
815
816         Reviewed by JF Bastien.
817
818         1. Move the LLInt TypedArray unpoisoning to just before the array access after
819            all the branches.
820         2. Renamed FirstArrayType to FirstTypedArrayType to match the symbol in C++ code.
821         3. Remove a useless instruction in the implementation of emitX86Lea for a global
822            label.
823
824         * llint/LowLevelInterpreter.asm:
825         * llint/LowLevelInterpreter64.asm:
826         * offlineasm/x86.rb:
827
828 2018-03-23  Mark Lam  <mark.lam@apple.com>
829
830         Add more support for pointer profiling.
831         https://bugs.webkit.org/show_bug.cgi?id=183943
832         <rdar://problem/38799068>
833
834         Reviewed by JF Bastien.
835
836         * assembler/ARM64Assembler.h:
837         (JSC::ARM64Assembler::linkJumpOrCall):
838         * assembler/AbstractMacroAssembler.h:
839         (JSC::AbstractMacroAssembler::repatchNearCall):
840         (JSC::AbstractMacroAssembler::tagReturnAddress):
841         (JSC::AbstractMacroAssembler::untagReturnAddress):
842
843 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
844
845         [WTF] Add standard containers with FastAllocator specialization
846         https://bugs.webkit.org/show_bug.cgi?id=183789
847
848         Reviewed by Darin Adler.
849
850         * b3/air/testair.cpp:
851         * b3/testb3.cpp:
852         (JSC::B3::testDoubleLiteralComparison):
853         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
854         * dfg/DFGGraph.h:
855         * dfg/DFGIntegerCheckCombiningPhase.cpp:
856         * dfg/DFGObjectAllocationSinkingPhase.cpp:
857         * ftl/FTLLowerDFGToB3.cpp:
858         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
859         * runtime/FunctionHasExecutedCache.h:
860         * runtime/TypeLocationCache.h:
861
862 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
863
864         [FTL] Fix ArrayPush(ArrayStorage)'s abstract heap
865         https://bugs.webkit.org/show_bug.cgi?id=182960
866
867         Reviewed by Saam Barati.
868
869         This patch fixes ArrayPush(ArrayStorage)'s abstract heap.
870         It should always touch ArrayStorage_vector. To unify
871         vector setting code for the real ArrayStorage_vector and
872         ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to
873         annotate this.
874
875         * ftl/FTLLowerDFGToB3.cpp:
876         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
877
878 2018-03-23  Zan Dobersek  <zdobersek@igalia.com>
879
880         Unreviewed build fix for GCC 4.9 builds.
881
882         * assembler/MacroAssemblerCodeRef.h: std::is_trivially_copyable<> isn't
883         supported in 4.9 libstdc++, so wrap the static assert using it in a
884         COMPILER_SUPPORTS() macro, and use __is_trivially_copyable() builtin,
885         as is done in bitwise_cast() in StdLibExtras.h.
886
887 2018-03-22  Tim Horton  <timothy_horton@apple.com>
888
889         Adopt WK_ALTERNATE_FRAMEWORKS_DIR in WebCore
890         https://bugs.webkit.org/show_bug.cgi?id=183930
891         <rdar://problem/38782249>
892
893         Reviewed by Dan Bernstein.
894
895         * JavaScriptCore.xcodeproj/project.pbxproj:
896
897 2018-03-22  Mark Lam  <mark.lam@apple.com>
898
899         Add placeholder call and jump MacroAssembler emitters that take PtrTag in a register.
900         https://bugs.webkit.org/show_bug.cgi?id=183914
901         <rdar://problem/38763536>
902
903         Reviewed by Saam Barati and JF Bastien.
904
905         This is in preparation for supporting pointer profiling work.
906
907         * assembler/MacroAssemblerARM.h:
908         (JSC::MacroAssemblerARM::jump):
909         (JSC::MacroAssemblerARM::call):
910         * assembler/MacroAssemblerARM64.h:
911         (JSC::MacroAssemblerARM64::call):
912         (JSC::MacroAssemblerARM64::jump):
913         * assembler/MacroAssemblerARMv7.h:
914         (JSC::MacroAssemblerARMv7::jump):
915         (JSC::MacroAssemblerARMv7::call):
916         * assembler/MacroAssemblerMIPS.h:
917         (JSC::MacroAssemblerMIPS::jump):
918         (JSC::MacroAssemblerMIPS::call):
919         * assembler/MacroAssemblerX86.h:
920         (JSC::MacroAssemblerX86::call):
921         (JSC::MacroAssemblerX86::jump):
922         * assembler/MacroAssemblerX86Common.h:
923         (JSC::MacroAssemblerX86Common::jump):
924         (JSC::MacroAssemblerX86Common::call):
925         * assembler/MacroAssemblerX86_64.h:
926         (JSC::MacroAssemblerX86_64::call):
927         (JSC::MacroAssemblerX86_64::jump):
928
929 2018-03-22  Tim Horton  <timothy_horton@apple.com>
930
931         Improve readability of WebCore's OTHER_LDFLAGS
932         https://bugs.webkit.org/show_bug.cgi?id=183909
933         <rdar://problem/38760992>
934
935         Reviewed by Dan Bernstein.
936
937         * Configurations/Base.xcconfig:
938         * Configurations/FeatureDefines.xcconfig:
939
940 2018-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
941
942         [ARM] Thumb: Do not decorate bottom bit twice
943         https://bugs.webkit.org/show_bug.cgi?id=183906
944
945         Reviewed by Mark Lam.
946
947         Use MacroAssemblerCodePtr::createFromExecutableAddress instead of
948         MacroAssemblerCodePtr(void*) to avoid decorating the pointer twice as
949         a thumb pointer.
950
951         * jit/Repatch.cpp:
952         (JSC::linkPolymorphicCall):
953
954 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
955
956         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
957         https://bugs.webkit.org/show_bug.cgi?id=183559
958
959         Reviewed by Mark Lam.
960
961         When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forget
962         to clear NodeMustGenerate for this ToString. It should be cleared since it does not have
963         any user-observable side effect. This patch clears NodeMustGenerate.
964
965         * dfg/DFGConstantFoldingPhase.cpp:
966         (JSC::DFG::ConstantFoldingPhase::foldConstants):
967
968 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
969
970         [JSC] List up all candidates in DFGCapabilities and FTLCapabilities
971         https://bugs.webkit.org/show_bug.cgi?id=183897
972
973         Reviewed by Mark Lam.
974
975         We should not use a `default:` clause here since it accidentally catches
976         opcodes and DFG nodes which should be optimized. For example,
977         op_super_sampler_begin and op_super_sampler_end are not listed while
978         they have DFG and FTL backends.
979
980         This patch lists up all candidates in DFGCapabilities and FTLCapabilities.
981         We also clean up unnecessary checks in FTLCapabilities. Since we
982         already handle all the possible array types for these nodes (which can
983         be checked in DFG's code), we do not need to check array types.
984
985         We also fix FTLLowerDFGToB3's PutByVal code to use modeForPut.
986
987         * dfg/DFGCapabilities.cpp:
988         (JSC::DFG::capabilityLevel):
989         * ftl/FTLCapabilities.cpp:
990         (JSC::FTL::canCompile):
991         * ftl/FTLLowerDFGToB3.cpp:
992         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
993
994 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
995
996         [JSC] Drop op_put_by_index
997         https://bugs.webkit.org/show_bug.cgi?id=183899
998
999         Reviewed by Mark Lam.
1000
1001         This patch drops op_put_by_index.
1002
1003         1. This functionality can be just covered by direct put_by_val.
1004         2. put_by_index is not well optimized. It is just calling a C
1005         function. And it does not have DFG handling.
1006
1007         * bytecode/BytecodeDumper.cpp:
1008         (JSC::BytecodeDumper<Block>::dumpBytecode):
1009         * bytecode/BytecodeList.json:
1010         * bytecode/BytecodeUseDef.h:
1011         (JSC::computeUsesForBytecodeOffset):
1012         (JSC::computeDefsForBytecodeOffset):
1013         * bytecompiler/BytecodeGenerator.cpp:
1014         (JSC::BytecodeGenerator::emitPutByIndex): Deleted.
1015         * bytecompiler/BytecodeGenerator.h:
1016         * bytecompiler/NodesCodegen.cpp:
1017         (JSC::ArrayNode::emitBytecode):
1018         (JSC::ArrayPatternNode::emitDirectBinding):
1019         * jit/JIT.cpp:
1020         (JSC::JIT::privateCompileMainPass):
1021         * jit/JIT.h:
1022         * jit/JITPropertyAccess.cpp:
1023         (JSC::JIT::emit_op_put_by_index): Deleted.
1024         * jit/JITPropertyAccess32_64.cpp:
1025         (JSC::JIT::emit_op_put_by_index): Deleted.
1026         * llint/LLIntSlowPaths.cpp:
1027         * llint/LLIntSlowPaths.h:
1028         * llint/LowLevelInterpreter.asm:
1029
1030 2018-03-22  Michael Saboff  <msaboff@apple.com>
1031
1032         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
1033         https://bugs.webkit.org/show_bug.cgi?id=183901
1034
1035         Reviewed by Keith Miller.
1036
1037         Added write barriers to ensure the reversed contents are properly marked.
1038
1039         * runtime/ArrayPrototype.cpp:
1040         (JSC::arrayProtoFuncReverse):
1041
1042 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
1043
1044         ScopedArguments should do poisoning and index masking
1045         https://bugs.webkit.org/show_bug.cgi?id=183863
1046
1047         Reviewed by Mark Lam.
1048         
1049         This outlines the ScopedArguments overflow storage and adds poisoning.
1050
1051         * bytecode/AccessCase.cpp:
1052         (JSC::AccessCase::generateWithGuard):
1053         * dfg/DFGSpeculativeJIT.cpp:
1054         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1055         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1056         * ftl/FTLAbstractHeapRepository.h:
1057         * ftl/FTLLowerDFGToB3.cpp:
1058         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
1059         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1060         * jit/JITPropertyAccess.cpp:
1061         (JSC::JIT::emitScopedArgumentsGetByVal):
1062         * runtime/JSCPoison.h:
1063         * runtime/ScopedArguments.cpp:
1064         (JSC::ScopedArguments::ScopedArguments):
1065         (JSC::ScopedArguments::createUninitialized):
1066         (JSC::ScopedArguments::visitChildren):
1067         * runtime/ScopedArguments.h:
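
The two mitigations named in the entry above, pointer poisoning for the out-of-line storage and index masking on the read path, are shown below in a self-contained form. This is an added example and not JSC's ScopedArguments code: the poison constant, the `OverflowStorage` struct, `computeIndexMask` and the helper names are all constructed for illustration, and the mask computation is a generic power-of-two mask rather than the project's own.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Constructed sample poison. A real engine derives a distinct, randomized
// poison per pointer type at startup, so a pointer read through the wrong
// type (or without unpoisoning) decodes to garbage instead of a usable address.
static const uintptr_t kOverflowStoragePoison = 0x5a5a00a5a5c3d2e1ull; // hypothetical value

static uintptr_t poison(const void* p) { return reinterpret_cast<uintptr_t>(p) ^ kOverflowStoragePoison; }
static void* unpoison(uintptr_t v) { return reinterpret_cast<void*>(v ^ kOverflowStoragePoison); }

// Smallest all-ones mask that covers every valid index 0 .. length-1.
// Masking an index with it cannot enlarge a valid index and confines any
// other index to below the next power of two, bounding speculative reads.
static uint32_t computeIndexMask(uint32_t length) {
    if (length == 0)
        return 0;
    uint32_t mask = 1;
    while (mask < length - 1)
        mask = (mask << 1) | 1;
    return mask;
}

static uint32_t maskIndex(uint32_t index, uint32_t mask) { return index & mask; }

// Out-of-line ("outlined") storage for arguments that do not fit inline.
struct OverflowStorage {
    uint32_t length;
    uint32_t indexMask;
    uintptr_t poisonedValues; // int64_t* XORed with the poison; never stored raw
};

static OverflowStorage makeOverflowStorage(const int64_t* values, uint32_t length) {
    int64_t* copy = static_cast<int64_t*>(std::malloc(sizeof(int64_t) * (length ? length : 1)));
    std::memcpy(copy, values, sizeof(int64_t) * length);
    return OverflowStorage{ length, computeIndexMask(length), poison(copy) };
}

static void freeOverflowStorage(OverflowStorage& s) {
    std::free(unpoison(s.poisonedValues));
    s.poisonedValues = 0;
    s.length = 0;
}

// Bounds-checked read. The architectural check rejects bad indexes; the mask
// additionally clamps the index on a transiently mispredicted path, and the
// storage pointer is only usable after unpoisoning with the matching poison.
static bool tryGetArgument(const OverflowStorage& s, uint32_t index, int64_t& out) {
    if (index >= s.length)
        return false;
    const int64_t* values = static_cast<const int64_t*>(unpoison(s.poisonedValues));
    out = values[maskIndex(index, s.indexMask)];
    return true;
}

// Round-trip check used by main() and the tests: constructed sample data.
static bool selfCheck() {
    const int64_t sample[] = { 10, 20, 30 };
    OverflowStorage s = makeOverflowStorage(sample, 3);
    int64_t out = 0;
    bool ok = tryGetArgument(s, 2, out) && out == 30;
    ok = ok && !tryGetArgument(s, 3, out);            // out of bounds is rejected
    ok = ok && s.indexMask == 3;                        // indexes 0..2 fit in two bits
    ok = ok && s.poisonedValues != reinterpret_cast<uintptr_t>(unpoison(s.poisonedValues));
    freeOverflowStorage(s);
    return ok;
}

int main() {
    return selfCheck() ? 0 : 1;
}
```

Note that the mask does not replace the bounds check: for a length of 5 the mask is 7, so a masked index of 6 still passes the mask and must be rejected by the comparison; the mask only limits how far a speculatively executed read can reach.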
1068
1069 2018-03-21  Mark Lam  <mark.lam@apple.com>
1070
1071         Refactor the PtrTag list as a macro so that we can auto-generate code that enumerates each PtrTag.
1072         https://bugs.webkit.org/show_bug.cgi?id=183861
1073         <rdar://problem/38716822>
1074
1075         Reviewed by Filip Pizlo.
1076
1077         Also added ptrTagName() to aid debugging.  ptrTagName() is implemented using this
1078         new PtrTag macro list.
1079
1080         * CMakeLists.txt:
1081         * JavaScriptCore.xcodeproj/project.pbxproj:
1082         * Sources.txt:
1083         * runtime/PtrTag.cpp: Added.
1084         (JSC::ptrTagName):
1085         * runtime/PtrTag.h:
1086
1087 2018-03-21  Mark Lam  <mark.lam@apple.com>
1088
1089         Use CodeBlock::instructions()[] and CodeBlock::bytecodeOffset() instead of doing own pointer math.
1090         https://bugs.webkit.org/show_bug.cgi?id=183857
1091         <rdar://problem/38712184>
1092
1093         Reviewed by JF Bastien.
1094
1095         We should avoid doing pointer math with CodeBlock::instructions().begin().
1096         Instead, we should use the operator[] that comes with CodeBlock::instructions()
1097         for computing an Instruction*, and use CodeBlock::bytecodeOffset() for computing
1098         the bytecode offset of a given Instruction*.  These methods will do assertions
1099         which helps catch bugs sooner, plus they are more descriptive of the operation
1100         we're trying to do.
1101
1102         * bytecode/BytecodeKills.h:
1103         (JSC::BytecodeKills::operandIsKilled const):
1104         (JSC::BytecodeKills::forEachOperandKilledAt const):
1105         * bytecode/CallLinkStatus.cpp:
1106         (JSC::CallLinkStatus::computeFromLLInt):
1107         * bytecode/CodeBlock.cpp:
1108         (JSC::CodeBlock::dumpBytecode):
1109         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1110         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
1111         * bytecode/GetByIdStatus.cpp:
1112         (JSC::GetByIdStatus::computeFromLLInt):
1113         * bytecode/PutByIdStatus.cpp:
1114         (JSC::PutByIdStatus::computeFromLLInt):
1115         * dfg/DFGByteCodeParser.cpp:
1116         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1117         * dfg/DFGOSRExit.cpp:
1118         (JSC::DFG::reifyInlinedCallFrames):
1119         * dfg/DFGOSRExitCompilerCommon.cpp:
1120         (JSC::DFG::reifyInlinedCallFrames):
1121         * interpreter/CallFrame.cpp:
1122         (JSC::CallFrame::callSiteBitsAsBytecodeOffset const):
1123         (JSC::CallFrame::currentVPC const):
1124         (JSC::CallFrame::setCurrentVPC):
1125         * jit/JITCall.cpp:
1126         (JSC::JIT::compileOpCall):
1127         * jit/JITInlines.h:
1128         (JSC::JIT::updateTopCallFrame):
1129         (JSC::JIT::copiedInstruction):
1130         * jit/JITOpcodes.cpp:
1131         (JSC::JIT::privateCompileHasIndexedProperty):
1132         * jit/JITOpcodes32_64.cpp:
1133         (JSC::JIT::privateCompileHasIndexedProperty):
1134         * jit/JITPropertyAccess.cpp:
1135         (JSC::JIT::privateCompileGetByVal):
1136         (JSC::JIT::privateCompileGetByValWithCachedId):
1137         (JSC::JIT::privateCompilePutByVal):
1138         (JSC::JIT::privateCompilePutByValWithCachedId):
1139         * jit/SlowPathCall.h:
1140         (JSC::JITSlowPathCall::call):
1141         * llint/LLIntSlowPaths.cpp:
1142         (JSC::LLInt::llint_trace_operand):
1143         (JSC::LLInt::llint_trace_value):
1144         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1145         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
1146         (JSC::LLInt::getByVal): Deleted.
1147         (JSC::LLInt::handleHostCall): Deleted.
1148         (JSC::LLInt::setUpCall): Deleted.
1149         (JSC::LLInt::genericCall): Deleted.
1150         (JSC::LLInt::varargsSetup): Deleted.
1151         (JSC::LLInt::llint_throw_stack_overflow_error): Deleted.
1152         (JSC::LLInt::llint_stack_check_at_vm_entry): Deleted.
1153         (JSC::LLInt::llint_write_barrier_slow): Deleted.
1154         (JSC::LLInt::llint_crash): Deleted.
1155         * runtime/SamplingProfiler.cpp:
1156         (JSC::tryGetBytecodeIndex):
1157
1158 2018-03-21  Keith Miller  <keith_miller@apple.com>
1159
1160         btjs should print the bytecode offset in the stack trace for JS frames
1161         https://bugs.webkit.org/show_bug.cgi?id=183856
1162
1163         Reviewed by Filip Pizlo.
1164
1165         * interpreter/CallFrame.cpp:
1166         (JSC::CallFrame::bytecodeOffset):
1167         (JSC::CallFrame::dump):
1168
1169 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
1170
1171         Unreviewed. Fix GTK and WPE debug build after r229798.
1172
1173         Fix a typo in an ASSERT. Also convert several RELEASE_ASSERT to ASSERT that I forgot to do before landing.
1174
1175         * API/glib/JSCCallbackFunction.cpp:
1176         (JSC::JSCCallbackFunction::JSCCallbackFunction):
1177         * API/glib/JSCContext.cpp:
1178         (jscContextSetVirtualMachine):
1179         (jscContextGetJSContext):
1180         (wrapperMap):
1181         (jscContextHandleExceptionIfNeeded):
1182         * API/glib/JSCValue.cpp:
1183         (jscValueCallFunction):
1184         * API/glib/JSCVirtualMachine.cpp:
1185         (addWrapper):
1186         (removeWrapper):
1187         (jscVirtualMachineSetContextGroup):
1188         (jscVirtualMachineAddContext):
1189         (jscVirtualMachineRemoveContext):
1190         * API/glib/JSCWrapperMap.cpp:
1191         (JSC::WrapperMap::gobjectWrapper):
1192         (JSC::WrapperMap::unwrap):
1193         (JSC::WrapperMap::registerClass):
1194         (JSC::WrapperMap::createJSWrappper):
1195         (JSC::WrapperMap::wrappedObject const):
1196
1197 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
1198
1199         [GTK][WPE] JSC bindings not introspectable
1200         https://bugs.webkit.org/show_bug.cgi?id=136989
1201
1202         Reviewed by Michael Catanzaro.
1203
1204         Make it possible to include individual headers when building WebKit layer.
1205
1206         * API/glib/JSCAutocleanups.h:
1207         * API/glib/JSCClass.h:
1208         * API/glib/JSCContext.h:
1209         * API/glib/JSCException.h:
1210         * API/glib/JSCValue.h:
1211         * API/glib/JSCVersion.h.in:
1212         * API/glib/JSCVirtualMachine.h:
1213
1214 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
1215
1216         [GTK][WPE] Initial implementation of JavaScriptCore glib bindings
1217         https://bugs.webkit.org/show_bug.cgi?id=164061
1218
1219         Reviewed by Michael Catanzaro.
1220
1221         Add initial GLib API for JavaScriptCore.
1222
1223         * API/JSAPIWrapperObject.h:
1224         * API/glib/JSAPIWrapperObjectGLib.cpp: Added.
1225         (jsAPIWrapperObjectHandleOwner):
1226         (JSAPIWrapperObjectHandleOwner::finalize):
1227         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1228         (JSC::JSCallbackObject<JSAPIWrapperObject>::createStructure):
1229         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
1230         (JSC::JSAPIWrapperObject::finishCreation):
1231         (JSC::JSAPIWrapperObject::setWrappedObject):
1232         (JSC::JSAPIWrapperObject::visitChildren):
1233         * API/glib/JSCAutocleanups.h: Added.
1234         * API/glib/JSCCallbackFunction.cpp: Added.
1235         (JSC::callAsFunction):
1236         (JSC::callAsConstructor):
1237         (JSC::JSCCallbackFunction::create):
1238         (JSC::JSCCallbackFunction::JSCCallbackFunction):
1239         (JSC::JSCCallbackFunction::call):
1240         (JSC::JSCCallbackFunction::construct):
1241         (JSC::JSCCallbackFunction::destroy):
1242         * API/glib/JSCCallbackFunction.h: Added.
1243         (JSC::JSCCallbackFunction::createStructure):
1244         (JSC::JSCCallbackFunction::functionCallback):
1245         (JSC::JSCCallbackFunction::constructCallback):
1246         * API/glib/JSCClass.cpp: Added.
1247         (jscClassGetProperty):
1248         (jscClassSetProperty):
1249         (jscClassDispose):
1250         (jscClassConstructed):
1251         (jsc_class_class_init):
1252         (jscClassCreate):
1253         (jscClassGetJSClass):
1254         (jscClassGetOrCreateJSWrapper):
1255         (jscClassInvalidate):
1256         (jsc_class_get_name):
1257         (jsc_class_get_parent):
1258         (jsc_class_add_constructor):
1259         (jsc_class_add_method):
1260         (jsc_class_add_property):
1261         * API/glib/JSCClass.h: Added.
1262         * API/glib/JSCClassPrivate.h: Added.
1263         * API/glib/JSCContext.cpp: Added.
1264         (ExceptionHandler::ExceptionHandler):
1265         (ExceptionHandler::~ExceptionHandler):
1266         (jscContextSetVirtualMachine):
1267         (jscContextGetProperty):
1268         (jscContextSetProperty):
1269         (jscContextConstructed):
1270         (jscContextDispose):
1271         (jsc_context_class_init):
1272         (jscContextGetOrCreate):
1273         (jscContextGetJSContext):
1274         (wrapperMap):
1275         (jscContextGetOrCreateValue):
1276         (jscContextValueDestroyed):
1277         (jscContextGetJSWrapper):
1278         (jscContextGetOrCreateJSWrapper):
1279         (jscContextWrappedObject):
1280         (jscContextPushCallback):
1281         (jscContextPopCallback):
1282         (jscContextGArrayToJSArray):
1283         (jscContextJSArrayToGArray):
1284         (jscContextGValueToJSValue):
1285         (jscContextJSValueToGValue):
1286         (jsc_context_new):
1287         (jsc_context_new_with_virtual_machine):
1288         (jsc_context_get_virtual_machine):
1289         (jsc_context_get_exception):
1290         (jsc_context_throw):
1291         (jsc_context_throw_exception):
1292         (jsc_context_push_exception_handler):
1293         (jsc_context_pop_exception_handler):
1294         (jscContextHandleExceptionIfNeeded):
1295         (jsc_context_get_current):
1296         (jsc_context_evaluate):
1297         (jsc_context_evaluate_with_source_uri):
1298         (jsc_context_set_value):
1299         (jsc_context_get_value):
1300         (jsc_context_register_class):
1301         * API/glib/JSCContext.h: Added.
1302         * API/glib/JSCContextPrivate.h: Added.
1303         * API/glib/JSCDefines.h: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.h.
1304         * API/glib/JSCException.cpp: Added.
1305         (jscExceptionDispose):
1306         (jsc_exception_class_init):
1307         (jscExceptionCreate):
1308         (jscExceptionGetJSValue):
1309         (jscExceptionEnsureProperties):
1310         (jsc_exception_new):
1311         (jsc_exception_get_message):
1312         (jsc_exception_get_line_number):
1313         (jsc_exception_get_source_uri):
1314         * API/glib/JSCException.h: Added.
1315         * API/glib/JSCExceptionPrivate.h: Added.
1316         * API/glib/JSCGLibWrapperObject.h: Added.
1317         (JSC::JSCGLibWrapperObject::JSCGLibWrapperObject):
1318         (JSC::JSCGLibWrapperObject::~JSCGLibWrapperObject):
1319         (JSC::JSCGLibWrapperObject::object const):
1320         * API/glib/JSCValue.cpp: Added.
1321         (jscValueGetProperty):
1322         (jscValueSetProperty):
1323         (jscValueDispose):
1324         (jsc_value_class_init):
1325         (jscValueGetJSValue):
1326         (jscValueCreate):
1327         (jsc_value_get_context):
1328         (jsc_value_new_undefined):
1329         (jsc_value_is_undefined):
1330         (jsc_value_new_null):
1331         (jsc_value_is_null):
1332         (jsc_value_new_number):
1333         (jsc_value_is_number):
1334         (jsc_value_to_double):
1335         (jsc_value_to_int32):
1336         (jsc_value_new_boolean):
1337         (jsc_value_is_boolean):
1338         (jsc_value_to_boolean):
1339         (jsc_value_new_string):
1340         (jsc_value_is_string):
1341         (jsc_value_to_string):
1342         (jsc_value_new_array):
1343         (jsc_value_new_array_from_garray):
1344         (jsc_value_is_array):
1345         (jsc_value_new_object):
1346         (jsc_value_is_object):
1347         (jsc_value_object_is_instance_of):
1348         (jsc_value_object_set_property):
1349         (jsc_value_object_get_property):
1350         (jsc_value_object_set_property_at_index):
1351         (jsc_value_object_get_property_at_index):
1352         (jscValueCallFunction):
1353         (jsc_value_object_invoke_method):
1354         (jsc_value_object_define_property_data):
1355         (jsc_value_object_define_property_accessor):
1356         (jsc_value_new_function):
1357         (jsc_value_is_function):
1358         (jsc_value_function_call):
1359         (jsc_value_is_constructor):
1360         (jsc_value_constructor_call):
1361         * API/glib/JSCValue.h: Added.
1362         * API/glib/JSCValuePrivate.h: Added.
1363         * API/glib/JSCVersion.cpp: Added.
1364         (jsc_get_major_version):
1365         (jsc_get_minor_version):
1366         (jsc_get_micro_version):
1367         * API/glib/JSCVersion.h.in: Added.
1368         * API/glib/JSCVirtualMachine.cpp: Added.
1369         (addWrapper):
1370         (removeWrapper):
1371         (jscVirtualMachineSetContextGroup):
1372         (jscVirtualMachineEnsureContextGroup):
1373         (jscVirtualMachineDispose):
1374         (jsc_virtual_machine_class_init):
1375         (jscVirtualMachineGetOrCreate):
1376         (jscVirtualMachineGetContextGroup):
1377         (jscVirtualMachineAddContext):
1378         (jscVirtualMachineRemoveContext):
1379         (jscVirtualMachineGetContext):
1380         (jsc_virtual_machine_new):
1381         * API/glib/JSCVirtualMachine.h: Added.
1382         * API/glib/JSCVirtualMachinePrivate.h: Added.
1383         * API/glib/JSCWrapperMap.cpp: Added.
1384         (JSC::WrapperMap::WrapperMap):
1385         (JSC::WrapperMap::~WrapperMap):
1386         (JSC::WrapperMap::gobjectWrapper):
1387         (JSC::WrapperMap::unwrap):
1388         (JSC::WrapperMap::registerClass):
1389         (JSC::WrapperMap::createJSWrappper):
1390         (JSC::WrapperMap::jsWrapper const):
1391         (JSC::WrapperMap::wrappedObject const):
1392         * API/glib/JSCWrapperMap.h: Added.
1393         * API/glib/docs/jsc-glib-4.0-sections.txt: Added.
1394         * API/glib/docs/jsc-glib-4.0.types: Added.
1395         * API/glib/docs/jsc-glib-docs.sgml: Added.
1396         * API/glib/jsc.h: Added.
1397         * CMakeLists.txt:
1398         * GLib.cmake: Added.
1399         * JavaScriptCore.gir.in: Removed.
1400         * PlatformGTK.cmake:
1401         * PlatformWPE.cmake:
1402         * heap/Heap.cpp:
1403         (JSC::Heap::releaseDelayedReleasedObjects):
1404         * heap/Heap.h:
1405         * heap/HeapInlines.h:
1406         (JSC::Heap::releaseSoon):
1407         * javascriptcoregtk.pc.in:
1408         * runtime/JSGlobalObject.cpp:
1409         (JSC::JSGlobalObject::init):
1410         (JSC::JSGlobalObject::visitChildren):
1411         (JSC::JSGlobalObject::setWrapperMap):
1412         * runtime/JSGlobalObject.h:
1413         (JSC::JSGlobalObject::glibCallbackFunctionStructure const):
1414         (JSC::JSGlobalObject::glibWrapperObjectStructure const):
1415         (JSC::JSGlobalObject::wrapperMap const):
1416
1417 2018-03-21  Christopher Reid  <chris.reid@sony.com>
1418
1419         Windows 64-bit build fix after r229767
1420         https://bugs.webkit.org/show_bug.cgi?id=183810
1421
1422         Reviewed by Mark Lam.
1423
1424         Removing an extra parameter in the call to m_assember::call.
1425
1426         * assembler/MacroAssemblerX86_64.h:
1427
1428 2018-03-20  Dan Bernstein  <mitz@apple.com>
1429
1430         [Xcode] JSVALUE_MODEL is unused
1431         https://bugs.webkit.org/show_bug.cgi?id=183809
1432
1433         Reviewed by Tim Horton.
1434
1435         * Configurations/JavaScriptCore.xcconfig: Removed the unused definition.
1436
1437 2018-03-20  Tim Horton  <timothy_horton@apple.com>
1438
1439         Update the install name for JavaScriptCore when built with WK_ALTERNATE_FRAMEWORKS_DIR
1440         https://bugs.webkit.org/show_bug.cgi?id=183808
1441         <rdar://problem/38692079>
1442
1443         Reviewed by Dan Bernstein.
1444
1445         * Configurations/JavaScriptCore.xcconfig:
1446
1447 2018-03-20  Tim Horton  <timothy_horton@apple.com>
1448
1449         Enable the minimal simulator feature flag when appropriate
1450         https://bugs.webkit.org/show_bug.cgi?id=183807
1451
1452         Reviewed by Dan Bernstein.
1453
1454         * Configurations/FeatureDefines.xcconfig:
1455
1456 2018-03-20  Saam Barati  <sbarati@apple.com>
1457
1458         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
1459         https://bugs.webkit.org/show_bug.cgi?id=183795
1460         <rdar://problem/38298694>
1461
1462         Reviewed by JF Bastien.
1463
1464         We were just assuming that the constants we were inserting were
1465         always exitOK=true. However, this breaks validation. The exitOK
1466         we emit for the constants in the NewArrayBuffer should respect
1467         the current exit state of the IR we've emitted. This is just IR
1468         bookkeeping since JSConstant is a non-exiting node.
1469
1470         * dfg/DFGArgumentsEliminationPhase.cpp:
1471
1472 2018-03-20  Guillaume Emont  <guijemont@igalia.com>
1473
1474         MIPS+Armv7 builds are broken since r229391
1475         https://bugs.webkit.org/show_bug.cgi?id=183474
1476
1477         Reviewed by Yusuke Suzuki.
1478
1479         Add missing armv7 and mips operations and fix arguments to a call to
1480         operationGetByValCell. This should fix compilation on MIPS and Armv7
1481         (though it does not implement the missing setupArguments stuff in
1482         CCallHelpers).
1483
1484         * assembler/MacroAssembler.h:
1485         * assembler/MacroAssemblerARMv7.h:
1486         (JSC::MacroAssemblerARMv7::swap):
1487         * assembler/MacroAssemblerMIPS.h:
1488         (JSC::MacroAssemblerMIPS::swap):
1489         * dfg/DFGSpeculativeJIT32_64.cpp:
1490         (JSC::DFG::SpeculativeJIT::compile):
1491         * jit/FPRInfo.h:
1492
1493 2018-03-20  Tim Horton  <timothy_horton@apple.com>
1494
1495         Add and adopt WK_PLATFORM_NAME and adjust default feature defines
1496         https://bugs.webkit.org/show_bug.cgi?id=183758
1497         <rdar://problem/38017644>
1498
1499         Reviewed by Dan Bernstein.
1500
1501         * Configurations/FeatureDefines.xcconfig:
1502
1503 2018-03-20  Mark Lam  <mark.lam@apple.com>
1504
1505         Improve FunctionPtr and use it in the JIT CallRecord.
1506         https://bugs.webkit.org/show_bug.cgi?id=183756
1507         <rdar://problem/38641335>
1508
1509         Reviewed by JF Bastien.
1510
1511         1. FunctionPtr holds a C/C++ function pointer by default.  Change its default
1512            PtrTag to reflect that.
1513
1514         2. Delete the FunctionPtr::value() method.  It is effectively a duplicate of
1515            executableAddress().
1516
1517         3. Fix the FunctionPtr constructor that takes arbitrary pointers to be able to
1518            take "any" pointer.  "any" in this case means that the pointer may not be typed
1519            as a C/C++ function to the C++ compiler (due to upstream casting or usage of
1520            void* as a storage type), but it is still expected to be pointing to a C/C++
1521            function.
1522
1523         4. Added a FunctionPtr constructor that takes another FunctionPtr.  This is a
1524            convenience constructor that lets us retag the underlying pointer.  The other
1525            FunctionPtr is still expected to point to a C/C++ function.
1526
1527         5. Added PtrTag assertion placeholder functions to be implemented later.
1528
1529         6. Change the JIT CallRecord to embed a FunctionPtr callee instead of a void*
1530            pointer.  This improves type safety, and assists in getting pointer tagging
1531            right later.
1532
1533         7. Added versions of JIT callOperations methods that will take a PtrTag.
1534            This is preparation for more pointer tagging work later.
1535
1536         * assembler/MacroAssemblerARM.h:
1537         (JSC::MacroAssemblerARM::linkCall):
1538         * assembler/MacroAssemblerARMv7.h:
1539         (JSC::MacroAssemblerARMv7::linkCall):
1540         * assembler/MacroAssemblerCodeRef.h:
1541         (JSC::FunctionPtr::FunctionPtr):
1542         (JSC::FunctionPtr::operator bool const):
1543         (JSC::FunctionPtr::operator! const):
1544         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1545         (JSC::MacroAssemblerCodePtr::retagged const):
1546         (JSC::MacroAssemblerCodeRef::retaggedCode const):
1547         (JSC::FunctionPtr::value const): Deleted.
1548         * assembler/MacroAssemblerMIPS.h:
1549         (JSC::MacroAssemblerMIPS::linkCall):
1550         * assembler/MacroAssemblerX86.h:
1551         (JSC::MacroAssemblerX86::linkCall):
1552         * assembler/MacroAssemblerX86_64.h:
1553         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
1554         (JSC::MacroAssemblerX86_64::linkCall):
1555         * bytecode/AccessCase.cpp:
1556         (JSC::AccessCase::generateImpl):
1557         * ftl/FTLSlowPathCall.cpp:
1558         (JSC::FTL::SlowPathCallContext::makeCall):
1559         * ftl/FTLSlowPathCall.h:
1560         (JSC::FTL::callOperation):
1561         * ftl/FTLThunks.cpp:
1562         (JSC::FTL::osrExitGenerationThunkGenerator):
1563         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1564         (JSC::FTL::slowPathCallThunkGenerator):
1565         * jit/JIT.cpp:
1566         (JSC::JIT::link):
1567         (JSC::JIT::privateCompileExceptionHandlers):
1568         * jit/JIT.h:
1569         (JSC::CallRecord::CallRecord):
1570         (JSC::JIT::appendCall):
1571         (JSC::JIT::appendCallWithSlowPathReturnType):
1572         (JSC::JIT::callOperation):
1573         (JSC::JIT::callOperationWithProfile):
1574         (JSC::JIT::callOperationWithResult):
1575         (JSC::JIT::callOperationNoExceptionCheck):
1576         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
1577         * jit/JITArithmetic.cpp:
1578         (JSC::JIT::emitMathICFast):
1579         (JSC::JIT::emitMathICSlow):
1580         * jit/JITInlines.h:
1581         (JSC::JIT::emitNakedCall):
1582         (JSC::JIT::emitNakedTailCall):
1583         (JSC::JIT::appendCallWithExceptionCheck):
1584         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
1585         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1586         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1587         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1588         * jit/JITPropertyAccess.cpp:
1589         (JSC::JIT::emitSlow_op_get_by_val):
1590         (JSC::JIT::emitSlow_op_put_by_val):
1591         (JSC::JIT::privateCompileGetByValWithCachedId):
1592         (JSC::JIT::privateCompilePutByVal):
1593         (JSC::JIT::privateCompilePutByValWithCachedId):
1594         * jit/JITPropertyAccess32_64.cpp:
1595         (JSC::JIT::emitSlow_op_put_by_val):
1596         * jit/Repatch.cpp:
1597         (JSC::linkPolymorphicCall):
1598         * jit/SlowPathCall.h:
1599         (JSC::JITSlowPathCall::JITSlowPathCall):
1600         (JSC::JITSlowPathCall::call):
1601         * jit/ThunkGenerators.cpp:
1602         (JSC::nativeForGenerator):
1603         * runtime/PtrTag.h:
1604         (JSC::nextPtrTagID):
1605         (JSC::assertIsCFunctionPtr):
1606         (JSC::assertIsNullOrCFunctionPtr):
1607         (JSC::assertIsNotTagged):
1608         (JSC::assertIsTagged):
1609         (JSC::assertIsNullOrTagged):
1610         (JSC::assertIsTaggedWith):
1611         (JSC::assertIsNullOrTaggedWith):
1612         (JSC::uniquePtrTagID): Deleted.
1613
1614 2018-03-20  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1615
1616         [MIPS] Optimize generated JIT code for loads/stores
1617         https://bugs.webkit.org/show_bug.cgi?id=183243
1618
1619         Reviewed by Yusuke Suzuki.
1620
1621         The JIT generates three MIPS instructions for a load/store from/to an absolute address:
1622
1623           lui adrTmpReg, address >> 16
1624           ori adrTmpReg, address & 0xffff
1625           lw dataReg, 0(adrTmpReg)
1626
1627         Since load/store instructions on MIPS have a 16-bit offset, the lower 16 bits of the address can
1628         be encoded into the load/store and the ori instruction can be removed:
1629
1630           lui adrTmpReg, (address + 0x8000) >> 16
1631           lw dataReg, (address & 0xffff)(adrTmpReg)
1632
1633         Also, in loads/stores with BaseIndex address, the left shift can be omitted if address.scale is 0.
1634
1635         * assembler/MacroAssemblerMIPS.h:
1636         (JSC::MacroAssemblerMIPS::add32):
1637         (JSC::MacroAssemblerMIPS::add64):
1638         (JSC::MacroAssemblerMIPS::or32):
1639         (JSC::MacroAssemblerMIPS::sub32):
1640         (JSC::MacroAssemblerMIPS::convertibleLoadPtr):
1641         (JSC::MacroAssemblerMIPS::load8):
1642         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1643         (JSC::MacroAssemblerMIPS::load32):
1644         (JSC::MacroAssemblerMIPS::store8):
1645         (JSC::MacroAssemblerMIPS::store32):
1646         (JSC::MacroAssemblerMIPS::branchTest8):
1647         (JSC::MacroAssemblerMIPS::branchAdd32):
1648         (JSC::MacroAssemblerMIPS::loadDouble):
1649         (JSC::MacroAssemblerMIPS::storeDouble):
1650
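Worked illustration of the lui/lw address split described in the entry above. This is an added example, not JavaScriptCore code and not the MacroAssemblerMIPS implementation: it models a 32-bit MIPS absolute address as a lui immediate plus a sign-extended 16-bit displacement, and contrasts the naive split (address >> 16, address & 0xffff) with the biased (address + 0x8000) >> 16 split from the patch. The struct and function names are the example's own.

```cpp
#include <cstdint>

// Added example, not JavaScriptCore code: a model of MIPS absolute addressing
// via "lui rt, hi" followed by "lw rd, lo(rt)". Addresses are 32-bit (o32).
struct SplitAddress {
    uint16_t hi;  // immediate for lui: rt = hi << 16
    int16_t lo;   // displacement for lw/sw; the hardware sign-extends it
};

// Naive split: hi = address >> 16, lo = address & 0xffff. The old sequence
// sidestepped the sign-extension problem by using ori (which zero-extends)
// and a zero displacement; once the low half moves into the displacement,
// this split is wrong whenever bit 15 of the address is set.
inline SplitAddress splitNaive(uint32_t address)
{
    return { uint16_t(address >> 16), int16_t(address & 0xffffu) };
}

// Split from the patch: bias by 0x8000 before taking the upper half, so that
// the sign-extended low half brings the effective address back to `address`.
inline SplitAddress splitBiased(uint32_t address)
{
    return { uint16_t((address + 0x8000u) >> 16), int16_t(address & 0xffffu) };
}

// Effective address the CPU computes for "lui rt, hi; lw rd, lo(rt)":
// base = hi << 16, then add the sign-extended displacement modulo 2^32.
inline uint32_t effectiveAddress(SplitAddress s)
{
    uint32_t base = uint32_t(s.hi) << 16;
    return base + uint32_t(int32_t(s.lo));
}

using SplitFn = SplitAddress (*)(uint32_t);

inline bool roundTrips(uint32_t address, SplitFn split)
{
    return effectiveAddress(split(address)) == address;
}

// Exhaustively check every address in one 64 KiB page, so that both the
// "low half < 0x8000" and "low half >= 0x8000" cases are exercised.
inline bool pageRoundTrips(uint32_t pageBase, SplitFn split)
{
    for (uint32_t low = 0; low < 0x10000u; ++low) {
        if (!roundTrips((pageBase & 0xffff0000u) | low, split))
            return false;
    }
    return true;
}
```

The naive split silently lands 64 KiB below the intended address whenever bit 15 is set (0x12348000 becomes 0x12338000), which for emitted JIT code means a load or store against the wrong memory rather than a visible crash; the exhaustive page check is the kind of test worth keeping next to any hand-rolled immediate encoding.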
1651 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1652
1653         [DFG][FTL] Add vectorLengthHint for NewArray
1654         https://bugs.webkit.org/show_bug.cgi?id=183694
1655
1656         Reviewed by Saam Barati.
1657
1658         While the following code is common, it is not so efficient.
1659
1660         var array = [];
1661         for (...) {
1662             ...
1663             array.push(...);
1664         }
1665
1666         The array is always allocated with 0 vector length, and it is eventually grown.
1667
1668         We have ArrayAllocationProfile, and it tells us the vector length hint for
1669         the allocated arrays. This hint is already used for NewArrayBuffer. This patch
1670         extends this support for NewArray DFG node.
1671
1672         This patch improves Kraken/stanford-crypto-aes by 4%.
1673
1674                                       baseline                  patched
1675
1676         stanford-crypto-aes        64.069+-1.352             61.589+-1.274           might be 1.0403x faster
1677
1678         NewArray can be optimized.
1679
1680                                                        baseline                  patched
1681
1682         vector-length-hint-new-array               21.8157+-0.0882     ^     13.1764+-0.0942        ^ definitely 1.6557x faster
1683         vector-length-hint-array-constructor       21.9076+-0.0987     ?     22.1168+-0.4814        ?
1684
1685         * dfg/DFGByteCodeParser.cpp:
1686         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1687         (JSC::DFG::ByteCodeParser::parseBlock):
1688         * dfg/DFGNode.h:
1689         (JSC::DFG::Node::hasVectorLengthHint):
1690         (JSC::DFG::Node::vectorLengthHint):
1691         * dfg/DFGSpeculativeJIT64.cpp:
1692         (JSC::DFG::SpeculativeJIT::compile):
1693         * ftl/FTLLowerDFGToB3.cpp:
1694         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
1695
1696 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1697
1698         [DFG][FTL] Make ArraySlice(0) code tight
1699         https://bugs.webkit.org/show_bug.cgi?id=183590
1700
1701         Reviewed by Saam Barati.
1702
1703         This patch tightens ArraySlice code, in particular, startIndex = 0 case.
1704
1705         1. We support the array.slice() call. This is a well-used way to clone an array.
1706         For example, underscore.js uses this technique.
1707
1708         2. We remove several checks if the given index value is a proven constant.
1709
1710         * dfg/DFGBackwardsPropagationPhase.cpp:
1711         (JSC::DFG::BackwardsPropagationPhase::propagate):
1712         * dfg/DFGByteCodeParser.cpp:
1713         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1714         * dfg/DFGFixupPhase.cpp:
1715         (JSC::DFG::FixupPhase::fixupNode):
1716         * dfg/DFGSpeculativeJIT.cpp:
1717         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
1718         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1719         We can skip some of the checks if the given value is a proven constant.
1720
1721         * ftl/FTLLowerDFGToB3.cpp:
1722         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1723         Change below to belowOrEqual. It does not change meaning in the code. But it allows us
1724         to fold BelowEqual(0, x) to true.
1725
1726 2018-03-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1727
1728         Drop s_exceptionInstructions static initializer
1729         https://bugs.webkit.org/show_bug.cgi?id=183732
1730
1731         Reviewed by Darin Adler.
1732
1733         Make Instruction constructor constexpr to drop the static constructor
1734         of LLInt::Data::s_exceptionInstructions.
1735
1736         * bytecode/Instruction.h:
1737         (JSC::Instruction::Instruction):
1738
1739 2018-03-19  Dan Bernstein  <mitz@apple.com>
1740
1741         Investigate why __cpu_indicator_init is used
1742         https://bugs.webkit.org/show_bug.cgi?id=183736
1743
1744         Reviewed by Tim Horton.
1745
1746         __cpu_indicator_init, which is a global initializer, was included in JavaScriptCore because
1747         we were passing the -all_load option to the linker, causing it to bring in all members of
1748         every static library being linked in, including the compiler runtime library. We only need
1749         to load all members of WTF. The linker option for doing that is -force_load, and it requires
1750         a path to the library. To support building against libWTF.a built locally as well as against
1751         the copy that is in the SDK, we add a script build phase that places a symbolic link to the
1752         appropriate libWTF.a under the DerivedSources directory, and pass the path to that symlink
1753         to the linker. Also, while cleaning up linker flags, make OTHER_LDFLAGS_HIDE_SYMBOLS less
1754         verbose by eliminating every other -Wl, remove redundant -lobjc (libobjc is already listed
1755         in the Link Binary With Libraries build phase), remove long-unsupported -Y,3, and stop
1756         reexporting libobjc.
1757
1758         * Configurations/JavaScriptCore.xcconfig:
1759         * JavaScriptCore.xcodeproj/project.pbxproj:
1760
1761 2018-03-19  Jiewen Tan  <jiewen_tan@apple.com>
1762
1763         Unreviewed, another quick fix for r229699
1764
1765         Restricts ENABLE_WEB_AUTHN to only macOS and iOS.
1766
1767         * Configurations/FeatureDefines.xcconfig:
1768
1769 2018-03-19  Mark Lam  <mark.lam@apple.com>
1770
1771         FunctionPtr should be passed by value.
1772         https://bugs.webkit.org/show_bug.cgi?id=183746
1773         <rdar://problem/38625311>
1774
1775         Reviewed by JF Bastien.
1776
1777         It's meant to be an encapsulation of a C/C++ function pointer.  There are cases
1778         where we use it to pass JIT compiled code (e.g. the VM thunks/stubs), but they are
1779         treated as if they are C/C++ functions.
1780
1781         Regardless, there's no need to pass it by reference.
1782
1783         * assembler/MacroAssemblerCodeRef.h:
1784         * dfg/DFGJITCompiler.h:
1785         (JSC::DFG::JITCompiler::appendCall):
1786         * dfg/DFGSpeculativeJIT.h:
1787         (JSC::DFG::SpeculativeJIT::appendCall):
1788         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1789         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1790         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1791         * jit/JIT.h:
1792         (JSC::JIT::appendCall):
1793         (JSC::JIT::appendCallWithSlowPathReturnType):
1794         * jit/JITInlines.h:
1795         (JSC::JIT::appendCallWithExceptionCheck):
1796         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
1797         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1798         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1799         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1800
1801 2018-03-15  Ross Kirsling  <ross.kirsling@sony.com>
1802
1803         Fix MSVC run-time check after r229391.
1804         https://bugs.webkit.org/show_bug.cgi?id=183673
1805
1806         Reviewed by Keith Miller.
1807
1808         Replaces attempted fix from r229424/r229432.
1809         Apparently MSVC doesn't like it when a zero-length std::array is defined without explicit braces.
1810
1811         * jit/CCallHelpers.h:
1812         (JSC::CCallHelpers::clampArrayToSize):
1813
1814 2018-03-15  Tim Horton  <timothy_horton@apple.com>
1815
1816         Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in ANGLE
1817         https://bugs.webkit.org/show_bug.cgi?id=183675
1818         <rdar://problem/38515281>
1819
1820         Reviewed by Dan Bernstein.
1821
1822         * JavaScriptCore.xcodeproj/project.pbxproj:
1823         Don't install the JSC alias if we're installing to an alternate location.
1824         This should have been a part of r229637.
1825
1826 2018-03-15  Tim Horton  <timothy_horton@apple.com>
1827
1828         Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in JavaScriptCore
1829         https://bugs.webkit.org/show_bug.cgi?id=183649
1830         <rdar://problem/38480526>
1831
1832         Reviewed by Dan Bernstein.
1833
1834         * Configurations/Base.xcconfig:
1835         * JavaScriptCore.xcodeproj/project.pbxproj:
1836
1837 2018-03-14  Mark Lam  <mark.lam@apple.com>
1838
1839         Enhance the MacroAssembler and LinkBuffer to support pointer profiling.
1840         https://bugs.webkit.org/show_bug.cgi?id=183623
1841         <rdar://problem/38443314>
1842
1843         Reviewed by Michael Saboff.
1844
1845         1. Added a PtrTag argument to indirect call() and indirect jump() MacroAssembler
1846            emitters to support pointer profiling.
1847
1848         2. Also added tagPtr(), untagPtr(), and removePtrTag() placeholder methods.
1849
1850         3. Added a PtrTag to LinkBuffer finalizeCodeWithoutDisassembly() and clients.
1851
1852         4. Updated clients to pass a PtrTag.  For the most part, I just apply NoPtrTag as
1853            a placeholder until we have time to analyze what pointer profile each client
1854            site has later.
1855
1856         5. Apply PtrTags to the YarrJIT.
1857
1858         * assembler/ARM64Assembler.h:
1859         (JSC::ARM64Assembler::linkJumpOrCall):
1860         * assembler/AbstractMacroAssembler.h:
1861         (JSC::AbstractMacroAssembler::getLinkerAddress):
1862         (JSC::AbstractMacroAssembler::tagPtr):
1863         (JSC::AbstractMacroAssembler::untagPtr):
1864         (JSC::AbstractMacroAssembler::removePtrTag):
1865         * assembler/LinkBuffer.cpp:
1866         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1867         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1868         * assembler/LinkBuffer.h:
1869         (JSC::LinkBuffer::link):
1870         (JSC::LinkBuffer::locationOfNearCall):
1871         (JSC::LinkBuffer::locationOf):
1872         * assembler/MacroAssemblerARM.h:
1873         (JSC::MacroAssemblerARM::jump):
1874         (JSC::MacroAssemblerARM::call):
1875         (JSC::MacroAssemblerARM::readCallTarget):
1876         * assembler/MacroAssemblerARM64.h:
1877         (JSC::MacroAssemblerARM64::call):
1878         (JSC::MacroAssemblerARM64::jump):
1879         (JSC::MacroAssemblerARM64::readCallTarget):
1880         (JSC::MacroAssemblerARM64::linkCall):
1881         * assembler/MacroAssemblerARMv7.h:
1882         (JSC::MacroAssemblerARMv7::jump):
1883         (JSC::MacroAssemblerARMv7::relativeTableJump):
1884         (JSC::MacroAssemblerARMv7::call):
1885         (JSC::MacroAssemblerARMv7::readCallTarget):
1886         * assembler/MacroAssemblerCodeRef.cpp:
1887         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
1888         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
1889         * assembler/MacroAssemblerCodeRef.h:
1890         (JSC::FunctionPtr::FunctionPtr):
1891         (JSC::FunctionPtr::value const):
1892         (JSC::MacroAssemblerCodePtr:: const):
1893         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1894         (JSC::MacroAssemblerCodeRef::retaggedCode const):
1895         * assembler/MacroAssemblerMIPS.h:
1896         (JSC::MacroAssemblerMIPS::jump):
1897         (JSC::MacroAssemblerMIPS::call):
1898         (JSC::MacroAssemblerMIPS::readCallTarget):
1899         * assembler/MacroAssemblerX86.h:
1900         (JSC::MacroAssemblerX86::call):
1901         (JSC::MacroAssemblerX86::jump):
1902         (JSC::MacroAssemblerX86::readCallTarget):
1903         * assembler/MacroAssemblerX86Common.cpp:
1904         (JSC::MacroAssembler::probe):
1905         * assembler/MacroAssemblerX86Common.h:
1906         (JSC::MacroAssemblerX86Common::jump):
1907         (JSC::MacroAssemblerX86Common::call):
1908         * assembler/MacroAssemblerX86_64.h:
1909         (JSC::MacroAssemblerX86_64::call):
1910         (JSC::MacroAssemblerX86_64::jump):
1911         (JSC::MacroAssemblerX86_64::readCallTarget):
1912         * assembler/testmasm.cpp:
1913         (JSC::compile):
1914         (JSC::invoke):
1915         * b3/B3Compile.cpp:
1916         (JSC::B3::compile):
1917         * b3/B3LowerMacros.cpp:
1918         * b3/air/AirCCallSpecial.cpp:
1919         (JSC::B3::Air::CCallSpecial::generate):
1920         * b3/air/testair.cpp:
1921         * b3/testb3.cpp:
1922         (JSC::B3::invoke):
1923         (JSC::B3::testInterpreter):
1924         (JSC::B3::testEntrySwitchSimple):
1925         (JSC::B3::testEntrySwitchNoEntrySwitch):
1926         (JSC::B3::testEntrySwitchWithCommonPaths):
1927         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
1928         (JSC::B3::testEntrySwitchLoop):
1929         * bytecode/AccessCase.cpp:
1930         (JSC::AccessCase::generateImpl):
1931         * bytecode/AccessCaseSnippetParams.cpp:
1932         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1933         * bytecode/InlineAccess.cpp:
1934         (JSC::linkCodeInline):
1935         (JSC::InlineAccess::rewireStubAsJump):
1936         * bytecode/PolymorphicAccess.cpp:
1937         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1938         (JSC::PolymorphicAccess::regenerate):
1939         * dfg/DFGJITCompiler.cpp:
1940         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1941         (JSC::DFG::JITCompiler::link):
1942         (JSC::DFG::JITCompiler::compileFunction):
1943         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1944         * dfg/DFGJITCompiler.h:
1945         (JSC::DFG::JITCompiler::appendCall):
1946         * dfg/DFGJITFinalizer.cpp:
1947         (JSC::DFG::JITFinalizer::finalize):
1948         (JSC::DFG::JITFinalizer::finalizeFunction):
1949         * dfg/DFGOSRExit.cpp:
1950         (JSC::DFG::OSRExit::emitRestoreArguments):
1951         (JSC::DFG::OSRExit::compileOSRExit):
1952         * dfg/DFGOSRExitCompilerCommon.cpp:
1953         (JSC::DFG::handleExitCounts):
1954         (JSC::DFG::osrWriteBarrier):
1955         (JSC::DFG::adjustAndJumpToTarget):
1956         * dfg/DFGSpeculativeJIT.cpp:
1957         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1958         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1959         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1960         * dfg/DFGSpeculativeJIT64.cpp:
1961         (JSC::DFG::SpeculativeJIT::compile):
1962         * dfg/DFGThunks.cpp:
1963         (JSC::DFG::osrExitThunkGenerator):
1964         (JSC::DFG::osrExitGenerationThunkGenerator):
1965         (JSC::DFG::osrEntryThunkGenerator):
1966         * ftl/FTLCompile.cpp:
1967         (JSC::FTL::compile):
1968         * ftl/FTLJITFinalizer.cpp:
1969         (JSC::FTL::JITFinalizer::finalizeCommon):
1970         * ftl/FTLLazySlowPath.cpp:
1971         (JSC::FTL::LazySlowPath::generate):
1972         * ftl/FTLLink.cpp:
1973         (JSC::FTL::link):
1974         * ftl/FTLLowerDFGToB3.cpp:
1975         (JSC::FTL::DFG::LowerDFGToB3::lower):
1976         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1977         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1978         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1979         * ftl/FTLOSRExitCompiler.cpp:
1980         (JSC::FTL::compileStub):
1981         (JSC::FTL::compileFTLOSRExit):
1982         * ftl/FTLSlowPathCall.cpp:
1983         (JSC::FTL::SlowPathCallContext::makeCall):
1984         * ftl/FTLThunks.cpp:
1985         (JSC::FTL::genericGenerationThunkGenerator):
1986         (JSC::FTL::osrExitGenerationThunkGenerator):
1987         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1988         (JSC::FTL::slowPathCallThunkGenerator):
1989         * jit/AssemblyHelpers.cpp:
1990         (JSC::AssemblyHelpers::callExceptionFuzz):
1991         (JSC::AssemblyHelpers::debugCall):
1992         * jit/CCallHelpers.cpp:
1993         (JSC::CCallHelpers::ensureShadowChickenPacket):
1994         * jit/CCallHelpers.h:
1995         (JSC::CCallHelpers::jumpToExceptionHandler):
1996         * jit/ExecutableAllocator.cpp:
1997         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1998         * jit/JIT.cpp:
1999         (JSC::JIT::emitEnterOptimizationCheck):
2000         (JSC::JIT::link):
2001         (JSC::JIT::privateCompileExceptionHandlers):
2002         * jit/JIT.h:
2003         (JSC::JIT::appendCall):
2004         * jit/JITMathIC.h:
2005         (JSC::isProfileEmpty):
2006         * jit/JITOpcodes.cpp:
2007         (JSC::JIT::emit_op_catch):
2008         (JSC::JIT::emit_op_switch_imm):
2009         (JSC::JIT::emit_op_switch_char):
2010         (JSC::JIT::emit_op_switch_string):
2011         (JSC::JIT::emitSlow_op_loop_hint):
2012         (JSC::JIT::privateCompileHasIndexedProperty):
2013         * jit/JITOpcodes32_64.cpp:
2014         (JSC::JIT::emit_op_catch):
2015         (JSC::JIT::emit_op_switch_imm):
2016         (JSC::JIT::emit_op_switch_char):
2017         (JSC::JIT::emit_op_switch_string):
2018         (JSC::JIT::privateCompileHasIndexedProperty):
2019         * jit/JITPropertyAccess.cpp:
2020         (JSC::JIT::stringGetByValStubGenerator):
2021         (JSC::JIT::privateCompileGetByVal):
2022         (JSC::JIT::privateCompileGetByValWithCachedId):
2023         (JSC::JIT::privateCompilePutByVal):
2024         (JSC::JIT::privateCompilePutByValWithCachedId):
2025         * jit/JITPropertyAccess32_64.cpp:
2026         (JSC::JIT::stringGetByValStubGenerator):
2027         * jit/JITStubRoutine.h:
2028         * jit/Repatch.cpp:
2029         (JSC::readCallTarget):
2030         (JSC::appropriateOptimizingPutByIdFunction):
2031         (JSC::linkPolymorphicCall):
2032         (JSC::resetPutByID):
2033         * jit/SlowPathCall.h:
2034         (JSC::JITSlowPathCall::call):
2035         * jit/SpecializedThunkJIT.h:
2036         (JSC::SpecializedThunkJIT::finalize):
2037         (JSC::SpecializedThunkJIT::callDoubleToDouble):
2038         * jit/ThunkGenerators.cpp:
2039         (JSC::throwExceptionFromCallSlowPathGenerator):
2040         (JSC::slowPathFor):
2041         (JSC::linkCallThunkGenerator):
2042         (JSC::linkPolymorphicCallThunkGenerator):
2043         (JSC::virtualThunkFor):
2044         (JSC::nativeForGenerator):
2045         (JSC::arityFixupGenerator):
2046         (JSC::unreachableGenerator):
2047         (JSC::boundThisNoArgsFunctionCallGenerator):
2048         * llint/LLIntThunks.cpp:
2049         (JSC::LLInt::generateThunkWithJumpTo):
2050         (JSC::LLInt::functionForCallEntryThunkGenerator):
2051         (JSC::LLInt::functionForConstructEntryThunkGenerator):
2052         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
2053         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
2054         (JSC::LLInt::evalEntryThunkGenerator):
2055         (JSC::LLInt::programEntryThunkGenerator):
2056         (JSC::LLInt::moduleProgramEntryThunkGenerator):
2057         * runtime/PtrTag.h:
2058         * wasm/WasmB3IRGenerator.cpp:
2059         (JSC::Wasm::B3IRGenerator::addCall):
2060         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2061         * wasm/WasmBBQPlan.cpp:
2062         (JSC::Wasm::BBQPlan::complete):
2063         * wasm/WasmBinding.cpp:
2064         (JSC::Wasm::wasmToWasm):
2065         * wasm/WasmOMGPlan.cpp:
2066         (JSC::Wasm::OMGPlan::work):
2067         * wasm/WasmThunks.cpp:
2068         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2069         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2070         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2071         * wasm/js/WasmToJS.cpp:
2072         (JSC::Wasm::handleBadI64Use):
2073         (JSC::Wasm::wasmToJS):
2074         * yarr/YarrJIT.cpp:
2075         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
2076         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
2077         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
2078         (JSC::Yarr::YarrGenerator::generateEnter):
2079         (JSC::Yarr::YarrGenerator::YarrGenerator):
2080         (JSC::Yarr::YarrGenerator::compile):
2081         (JSC::Yarr::jitCompile):
2082         * yarr/YarrJIT.h:
2083         (JSC::Yarr::YarrCodeBlock::execute):
2084
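The PtrTag functions named in the "Improve FunctionPtr" and "Enhance the MacroAssembler and LinkBuffer to support pointer profiling" entries above (tagPtr, untagPtr, removePtrTag, the assertIsTaggedWith family, and retagged FunctionPtr/MacroAssemblerCodePtr) are placeholders on this page, so their real encoding is not shown here. What follows is an added example, not JavaScriptCore code: a toy model of what such a scheme checks, namely that a pointer can only be untagged, retagged or called through by code that presents the tag it was created with. Assumptions made for the example: 64-bit pointers whose top 16 bits are clear (user-space code on 48-bit-VA x86-64 or AArch64), the tag stored in those bits, and made-up tag names and values.

```cpp
#include <cstdint>

// Added example, not JavaScriptCore code: a toy model of pointer tagging for
// function pointers. The encoding is an assumption made for the example: the
// tag occupies the top 16 bits of a 64-bit pointer, which user-space code on
// 48-bit-VA x86-64/AArch64 leaves clear. Tag names and values are made up.
static_assert(sizeof(uintptr_t) == 8, "this model assumes 64-bit pointers");

using PtrTag = uint16_t;
constexpr PtrTag NoPtrTag = 0;
constexpr PtrTag CFunctionPtrTag = 0x1a2b; // hypothetical tag for C/C++ functions
constexpr PtrTag JITCodePtrTag = 0x3c4d;   // hypothetical tag for JIT-compiled code

constexpr unsigned kTagShift = 48;
constexpr uintptr_t kAddrMask = (uintptr_t(1) << kTagShift) - 1;

inline PtrTag tagOf(uintptr_t p) { return PtrTag(p >> kTagShift); }
inline bool isNotTagged(uintptr_t p) { return tagOf(p) == NoPtrTag; }
inline bool isTaggedWith(uintptr_t p, PtrTag tag) { return tagOf(p) == tag; }

// Attach a tag to an untagged pointer. Refuses (returns 0) to tag a value
// that already carries a tag, so a tag can never be silently overwritten.
inline uintptr_t tagPtr(uintptr_t raw, PtrTag tag)
{
    if (!isNotTagged(raw))
        return 0;
    return raw | (uintptr_t(tag) << kTagShift);
}

// Strip the tag only if it is the expected one. A mismatch means the caller
// believes the pointer is something it is not (the type confusion that
// tag assertions are meant to catch), so fail closed.
inline bool untagPtr(uintptr_t tagged, PtrTag expected, uintptr_t* rawOut)
{
    if (!isTaggedWith(tagged, expected))
        return false;
    *rawOut = tagged & kAddrMask;
    return true;
}

// Retagging is untag-with-old-tag followed by tag-with-new-tag; there is no
// way to change the tag without proving knowledge of the current one.
inline bool retagPtr(uintptr_t tagged, PtrTag from, PtrTag to, uintptr_t* out)
{
    uintptr_t raw = 0;
    if (!untagPtr(tagged, from, &raw))
        return false;
    *out = tagPtr(raw, to);
    return true;
}

// FunctionPtr-like wrapper for an int(int) C function: the stored word is
// always tagged, and calling through it requires presenting the tag.
class TaggedFunctionPtr {
public:
    using Fn = int (*)(int);

    TaggedFunctionPtr(Fn fn, PtrTag tag)
        : m_value(tagPtr(reinterpret_cast<uintptr_t>(fn), tag))
    {
    }

    // Returns false, without calling anything, when the tag does not match.
    bool call(PtrTag expected, int arg, int* result) const
    {
        uintptr_t raw = 0;
        if (!untagPtr(m_value, expected, &raw))
            return false;
        *result = reinterpret_cast<Fn>(raw)(arg);
        return true;
    }

private:
    uintptr_t m_value;
};

// Sample target (constructed for the example).
inline int square(int x) { return x * x; }

// Call square(7) through a tagged pointer, presenting `expected` as the tag.
// Returns the result, or -1 if the call was refused.
inline int callSquareWithTag(PtrTag expected)
{
    TaggedFunctionPtr fp(&square, CFunctionPtrTag);
    int result = -1;
    return fp.call(expected, 7, &result) ? result : -1;
}

// Retag a C-function pointer as JIT code and make sure only the new tag
// unlocks it, and that the raw address survives the round trip.
inline bool retagRoundTrips()
{
    uintptr_t raw = reinterpret_cast<uintptr_t>(&square);
    uintptr_t tagged = tagPtr(raw, CFunctionPtrTag);
    uintptr_t retagged = 0, back = 0, scratch = 0;
    return retagPtr(tagged, CFunctionPtrTag, JITCodePtrTag, &retagged)
        && isTaggedWith(retagged, JITCodePtrTag)
        && !untagPtr(retagged, CFunctionPtrTag, &scratch)
        && untagPtr(retagged, JITCodePtrTag, &back)
        && back == raw;
}
```

The model fails closed (untagPtr and call return false) instead of asserting, so a wrong-tag call is refused rather than executed; the point it makes is the one behind replacing void* with a tagged FunctionPtr in CallRecord: once every indirect target carries a tag, a pointer that was type-confused upstream (a JIT stub passed where a C function was expected, or vice versa) is rejected at the call site rather than trusted.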
2085 2018-03-14  Caitlin Potter  <caitp@igalia.com>
2086
2087         [JSC] fix order of evaluation for ClassDefinitionEvaluation
2088         https://bugs.webkit.org/show_bug.cgi?id=183523
2089
2090         Reviewed by Keith Miller.
2091
2092         Computed property names need to be evaluated in source order during class
2093         definition evaluation, as it's observable (and specified to work this way).
2094
2095         This change improves compatibility with Chromium.
2096
2097         * bytecompiler/BytecodeGenerator.h:
2098         (JSC::BytecodeGenerator::emitDefineClassElements):
2099         * bytecompiler/NodesCodegen.cpp:
2100         (JSC::PropertyListNode::emitBytecode):
2101         (JSC::ClassExprNode::emitBytecode):
2102         * parser/ASTBuilder.h:
2103         (JSC::ASTBuilder::createClassExpr):
2104         (JSC::ASTBuilder::createGetterOrSetterProperty):
2105         (JSC::ASTBuilder::createProperty):
2106         * parser/NodeConstructors.h:
2107         (JSC::PropertyNode::PropertyNode):
2108         (JSC::ClassExprNode::ClassExprNode):
2109         * parser/Nodes.cpp:
2110         (JSC::PropertyListNode::hasStaticallyNamedProperty):
2111         * parser/Nodes.h:
2112         (JSC::PropertyNode::isClassProperty const):
2113         (JSC::PropertyNode::isStaticClassProperty const):
2114         (JSC::PropertyNode::isInstanceClassProperty const):
2115         * parser/Parser.cpp:
2116         (JSC::Parser<LexerType>::parseClass):
2117         (JSC::Parser<LexerType>::parseProperty):
2118         (JSC::Parser<LexerType>::parseGetterSetter):
2119         * parser/Parser.h:
2120         * parser/SyntaxChecker.h:
2121         (JSC::SyntaxChecker::createClassExpr):
2122         (JSC::SyntaxChecker::createProperty):
2123         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2124
2125 2018-03-14  Keith Miller  <keith_miller@apple.com>
2126
2127         Move jsc CLI breakpoint function to $vm
2128         https://bugs.webkit.org/show_bug.cgi?id=183512
2129
2130         Reviewed by Yusuke Suzuki.
2131
2132         * jsc.cpp:
2133         (GlobalObject::finishCreation):
2134         (functionBreakpoint): Deleted.
2135         * tools/JSDollarVM.cpp:
2136         (JSC::functionBreakpoint):
2137         (JSC::JSDollarVM::finishCreation):
2138
2139 2018-03-14  Tim Horton  <timothy_horton@apple.com>
2140
2141         Fix the build after r229567
2142
2143         * Configurations/FeatureDefines.xcconfig:
2144
2145 2018-03-12  Mark Lam  <mark.lam@apple.com>
2146
2147         Gardening: speculative build fix for WinCairo.
2148         https://bugs.webkit.org/show_bug.cgi?id=183573
2149
2150         Not reviewed.
2151
2152         * runtime/NativeFunction.h:
2153         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2154
2155 2018-03-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2156
2157         Unreviewed, fix obsolete ASSERT
2158         https://bugs.webkit.org/show_bug.cgi?id=183310
2159
2160         Now NewObject can be converted from CallObjectConstructor and CreateThis.
2161
2162         * dfg/DFGNode.h:
2163         (JSC::DFG::Node::convertToNewObject):
2164
2165 2018-03-12  Tim Horton  <timothy_horton@apple.com>
2166
2167         Stop using SDK conditionals to control feature definitions
2168         https://bugs.webkit.org/show_bug.cgi?id=183430
2169         <rdar://problem/38251619>
2170
2171         Reviewed by Dan Bernstein.
2172
2173         * Configurations/FeatureDefines.xcconfig:
2174         * Configurations/WebKitTargetConditionals.xcconfig: Renamed.
2175
2176 2018-03-12  Yoav Weiss  <yoav@yoav.ws>
2177
2178         Runtime flag for link prefetch and remove link subresource.
2179         https://bugs.webkit.org/show_bug.cgi?id=183540
2180
2181         Reviewed by Chris Dumez.
2182
2183         Remove the LINK_PREFETCH build time flag.
2184
2185         * Configurations/FeatureDefines.xcconfig:
2186
2187 2018-03-12  Mark Lam  <mark.lam@apple.com>
2188
2189         Gardening: speculative build fix for Windows.
2190         https://bugs.webkit.org/show_bug.cgi?id=183573
2191
2192         Not reviewed.
2193
2194         * runtime/NativeFunction.h:
2195         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2196
2197 2018-03-12  Mark Lam  <mark.lam@apple.com>
2198
2199         Add another PtrTag.
2200         https://bugs.webkit.org/show_bug.cgi?id=183580
2201         <rdar://problem/38390584>
2202
2203         Reviewed by Keith Miller.
2204
2205         * runtime/PtrTag.h:
2206
2207 2018-03-12  Mark Lam  <mark.lam@apple.com>
2208
2209         Make a NativeFunction into a class to support pointer profiling.
2210         https://bugs.webkit.org/show_bug.cgi?id=183573
2211         <rdar://problem/38384697>
2212
2213         Reviewed by Filip Pizlo.
2214
2215         1. NativeFunction is now a class, and we introduce RawNativeFunction and
2216            TaggedNativeFunction.
2217
2218            RawNativeFunction is the raw pointer type (equivalent
2219            to the old definition of NativeFunction).  This is mainly used for underlying
2220            storage inside the NativeFunction class, and also for global data tables that
2221            cannot embed non-trivially constructed objects.
2222
2223            NativeFunction's role is mainly to encapsulate a pointer to a C function that
2224            we pass into the VM.
2225
2226            TaggedNativeFunction encapsulates the tagged version of a pointer to a C
2227            function that we track in the VM.
2228
2229         2. Added a convenience constructor for TrustedImmPtr so that we don't have to
2230            cast function pointers to void* anymore when constructing a TrustedImmPtr.
2231
2232         3. Removed the unused CALL_RETURN macro in CommonSlowPaths.cpp.
2233
2234         4. Added more PtrTag utility functions.
2235
2236         * CMakeLists.txt:
2237         * JavaScriptCore.xcodeproj/project.pbxproj:
2238         * assembler/AbstractMacroAssembler.h:
2239         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
2240         * create_hash_table:
2241         * interpreter/Interpreter.cpp:
2242         (JSC::Interpreter::executeCall):
2243         (JSC::Interpreter::executeConstruct):
2244         * interpreter/InterpreterInlines.h:
2245         (JSC::Interpreter::getOpcodeID):
2246         * jit/JITThunks.cpp:
2247         (JSC::JITThunks::hostFunctionStub):
2248         * jit/JITThunks.h:
2249         * llint/LLIntData.cpp:
2250         (JSC::LLInt::initialize):
2251         * llint/LLIntSlowPaths.cpp:
2252         (JSC::LLInt::setUpCall):
2253         * llint/LowLevelInterpreter.asm:
2254         * llint/LowLevelInterpreter.cpp:
2255         (JSC::CLoop::execute):
2256         * llint/LowLevelInterpreter64.asm:
2257         * offlineasm/ast.rb:
2258         * runtime/CallData.h:
2259         * runtime/CommonSlowPaths.cpp:
2260         * runtime/ConstructData.h:
2261         * runtime/InternalFunction.h:
2262         (JSC::InternalFunction::nativeFunctionFor):
2263         * runtime/JSCell.cpp:
2264         (JSC::JSCell::getCallData):
2265         (JSC::JSCell::getConstructData):
2266         * runtime/JSFunction.h:
2267         * runtime/JSFunctionInlines.h:
2268         (JSC::JSFunction::nativeFunction):
2269         (JSC::JSFunction::nativeConstructor):
2270         (JSC::isHostFunction):
2271         * runtime/Lookup.h:
2272         (JSC::HashTableValue::function const):
2273         (JSC::HashTableValue::accessorGetter const):
2274         (JSC::HashTableValue::accessorSetter const):
2275         (JSC::nonCachingStaticFunctionGetter):
2276         * runtime/NativeExecutable.cpp:
2277         (JSC::NativeExecutable::create):
2278         (JSC::NativeExecutable::NativeExecutable):
2279         * runtime/NativeExecutable.h:
2280         * runtime/NativeFunction.h: Added.
2281         (JSC::NativeFunction::NativeFunction):
2282         (JSC::NativeFunction::operator intptr_t const):
2283         (JSC::NativeFunction::operator bool const):
2284         (JSC::NativeFunction::operator! const):
2285         (JSC::NativeFunction::operator== const):
2286         (JSC::NativeFunction::operator!= const):
2287         (JSC::NativeFunction::operator()):
2288         (JSC::NativeFunction::rawPointer const):
2289         (JSC::NativeFunctionHash::hash):
2290         (JSC::NativeFunctionHash::equal):
2291         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2292         (JSC::TaggedNativeFunction::operator bool const):
2293         (JSC::TaggedNativeFunction::operator! const):
2294         (JSC::TaggedNativeFunction::operator== const):
2295         (JSC::TaggedNativeFunction::operator!= const):
2296         (JSC::TaggedNativeFunction::operator()):
2297         (JSC::TaggedNativeFunction::operator NativeFunction):
2298         (JSC::TaggedNativeFunction::rawPointer const):
2299         (JSC::TaggedNativeFunctionHash::hash):
2300         (JSC::TaggedNativeFunctionHash::equal):
2301         * runtime/PtrTag.h:
2302         (JSC::tagCFunctionPtr):
2303         (JSC::untagCFunctionPtr):
2304         * runtime/VM.h:
2305         (JSC::VM::targetMachinePCForThrowOffset): Deleted.
2306
2307 2018-03-12  Filip Pizlo  <fpizlo@apple.com>
2308
2309         Unreviewed, fix simple goof that was causing 32-bit DFG crashes.
2310
2311         * dfg/DFGSpeculativeJIT.cpp:
2312         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2313
2314 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2315
2316         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
2317         https://bugs.webkit.org/show_bug.cgi?id=183310
2318
2319         Reviewed by Filip Pizlo.
2320
2321         This patch implements CreateThis -> NewObject conversion in AI if the given function is constant.
2322         This contributes to 6% win in Octane/raytrace.
2323
2324                                         baseline                  patched
2325
2326             raytrace       x2       1.19915+-0.01862    ^     1.13156+-0.01589       ^ definitely 1.0597x faster
2327
2328         * dfg/DFGAbstractInterpreterInlines.h:
2329         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2330         * dfg/DFGConstantFoldingPhase.cpp:
2331         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2332
2333 2018-03-11  Wenson Hsieh  <wenson_hsieh@apple.com>
2334
2335         Disable Sigill crash analyzer on watchOS
2336         https://bugs.webkit.org/show_bug.cgi?id=183548
2337         <rdar://problem/38338032>
2338
2339         Reviewed by Mark Lam.
2340
2341         Sigill is not supported on watchOS.
2342
2343         * runtime/Options.cpp:
2344         (JSC::overrideDefaults):
2345
2346 2018-03-09  Filip Pizlo  <fpizlo@apple.com>
2347
2348         Split DirectArguments into JSValueOOB and JSValueStrict parts
2349         https://bugs.webkit.org/show_bug.cgi?id=183458
2350
2351         Reviewed by Yusuke Suzuki.
2352         
2353         Our Spectre plan for JSValue objects is to allow inline JSValue stores and loads guarded by
2354         unmitigated structure checks. This works because objects reachable from JSValues (i.e. JSValue
2355         objects, like String, Symbol, and any descendant of JSObject) will only contain fields that it's OK
2356         to read and write within a Spectre mitigation window. Writes are important, because within the
2357         window, a write could appear to be made speculatively and rolled out later. This means that:
2358         
2359         - JSValue objects cannot have lengths, masks, or anything else inline.
2360         
2361         - JSValue objects cannot have an inline type that is used as part of a Spectre mitigation for a type
2362           check, unless that type is in the form of a poison key.
2363         
2364         This means that the dynamic poisoning that I previously landed for DirectArguments is wrong. It also
2365         means that it's wrong for DirectArguments to have an inline length.
2366         
2367         This changes DirectArguments to use poisoning according to the universal formula:
2368         
2369         - The randomly accessed portions are out-of-line, pointed to by a poisoned pointer.
2370         
2371         - No inline length.
2372         
2373         Surprisingly, this is perf-neutral. It's probably perf-neutral because our compiler optimizations
2374         amortize whatever cost there was.
2375
2376         * bytecode/AccessCase.cpp:
2377         (JSC::AccessCase::generateWithGuard):
2378         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2379         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
2380         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Added.
2381         (JSC::DFG::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator):
2382         * dfg/DFGSpeculativeJIT.cpp:
2383         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2384         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2385         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2386         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
2387         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
2388         * ftl/FTLAbstractHeapRepository.h:
2389         * ftl/FTLLowerDFGToB3.cpp:
2390         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
2391         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2392         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2393         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
2394         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
2395         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2396         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell):
2397         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
2398         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
2399         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
2400         * heap/SecurityKind.h:
2401         * jit/JITPropertyAccess.cpp:
2402         (JSC::JIT::emit_op_get_from_arguments):
2403         (JSC::JIT::emit_op_put_to_arguments):
2404         (JSC::JIT::emitDirectArgumentsGetByVal):
2405         * jit/JITPropertyAccess32_64.cpp:
2406         (JSC::JIT::emit_op_get_from_arguments):
2407         (JSC::JIT::emit_op_put_to_arguments):
2408         * llint/LowLevelInterpreter.asm:
2409         * llint/LowLevelInterpreter32_64.asm:
2410         * llint/LowLevelInterpreter64.asm:
2411         * runtime/DirectArguments.cpp:
2412         (JSC::DirectArguments::DirectArguments):
2413         (JSC::DirectArguments::createUninitialized):
2414         (JSC::DirectArguments::create):
2415         (JSC::DirectArguments::createByCopying):
2416         (JSC::DirectArguments::estimatedSize):
2417         (JSC::DirectArguments::visitChildren):
2418         (JSC::DirectArguments::overrideThings):
2419         (JSC::DirectArguments::copyToArguments):
2420         (JSC::DirectArguments::mappedArgumentsSize):
2421         * runtime/DirectArguments.h:
2422         * runtime/JSCPoison.h:
2423         * runtime/JSLexicalEnvironment.h:
2424         * runtime/JSSymbolTableObject.h:
2425         * runtime/VM.cpp:
2426         (JSC::VM::VM):
2427         * runtime/VM.h:
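
        As an added example that is not part of the entry above or of JSC's own code, the
        following sketches the layout rule the entry states for JSValue-reachable objects:
        nothing inline but a poisoned pointer, with the length and the indexed slots out-of-line.
        The poison is modelled as an XOR with a per-type key, and every name here (DirectArguments,
        ArgumentsStorage, poison, unpoison, the key constants) is an assumption for illustration,
        not JSC's implementation.

```cpp
// Added example, not JSC code: the layout the entry above calls the universal
// formula. The JSValue-reachable object holds only a poisoned pointer inline;
// the length and the indexed slots live out-of-line. The poison is modelled
// as an XOR with a per-type key (an assumption for illustration).
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

using JSValue = uint64_t; // stand-in for the real JSValue (assumption)

// Per-type poison keys. A real VM would draw these at random per process;
// these constants are constructed so that the example is deterministic.
static const uintptr_t kDirectArgumentsPoison = 0x5a3c9e1f7b2d4680ull;
static const uintptr_t kOtherTypePoison = 0x1f0e2d3c4b5a6978ull;

template <typename T>
static uintptr_t poison(const T* p, uintptr_t key) {
    return reinterpret_cast<uintptr_t>(p) ^ key;
}

template <typename T>
static T* unpoison(uintptr_t bits, uintptr_t key) {
    return reinterpret_cast<T*>(bits ^ key);
}

// Out-of-line storage: the length is slots.size(), kept next to the slots it
// bounds, never inline in the JSValue-reachable object.
struct ArgumentsStorage {
    std::vector<JSValue> slots;
};

// The JSValue-reachable object: no inline length, no raw pointer, no mask.
struct DirectArguments {
    uintptr_t poisonedStorage;

    const ArgumentsStorage* storage() const {
        return unpoison<ArgumentsStorage>(poisonedStorage, kDirectArgumentsPoison);
    }
    size_t length() const { return storage()->slots.size(); }
    // Bounds-checked read against the out-of-line length.
    bool get(size_t index, JSValue& out) const {
        const ArgumentsStorage* s = storage();
        if (index >= s->slots.size())
            return false;
        out = s->slots[index];
        return true;
    }
};

static DirectArguments makeDirectArguments(const ArgumentsStorage* storage) {
    DirectArguments args;
    args.poisonedStorage = poison(storage, kDirectArgumentsPoison);
    return args;
}

// What a type-confused reader gets: unpoisoning with another type's key does
// not yield the storage pointer. With a high-entropy key the result is not even
// a canonical address, so a speculative dereference through it cannot land on
// attacker-chosen memory.
static bool wrongKeyRecoversStorage(const DirectArguments& args, const ArgumentsStorage* real) {
    return unpoison<ArgumentsStorage>(args.poisonedStorage, kOtherTypePoison) == real;
}

int main() {
    ArgumentsStorage storage{std::vector<JSValue>{10, 20, 30}};
    DirectArguments args = makeDirectArguments(&storage);
    JSValue v = 0;
    assert(args.length() == 3);
    assert(args.get(1, v) && v == 20);
    assert(!args.get(3, v)); // rejected by the out-of-line length
    assert(!wrongKeyRecoversStorage(args, &storage));
    std::cout << "ok\n";
    return 0;
}
```

        The inline part of DirectArguments carries nothing a speculative read could turn into a
        bound or an address; the only way to reach the slots is through the type's own poison key.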
2428
2429 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2430
2431         [B3] Above/Below should be strength-reduced for comparison with 0
2432         https://bugs.webkit.org/show_bug.cgi?id=183543
2433
2434         Reviewed by Filip Pizlo.
2435
2436         Above(0, x) and BelowEqual(0, x) can be converted to the constants false and true respectively.
2437         This can be seen in the ArraySlice(0) case: `Select(Above(0, length), length, 0)` should
2438         be converted to `0`. This patch adds such folding to comparisons.
2439
2440         We also fix a B3ReduceStrength issue that created an orphan value. If a flipped value is folded to
2441         a constant, we do not insert the flipped value, which makes it an orphan. This issue caused JSC test
2442         failures with this B3Const32/64Value change. With this patch, we create a flipped value only
2443         when we fail to fold it to a constant.
2444
2445         * b3/B3Const32Value.cpp:
2446         (JSC::B3::Const32Value::lessThanConstant const):
2447         (JSC::B3::Const32Value::greaterThanConstant const):
2448         (JSC::B3::Const32Value::lessEqualConstant const):
2449         (JSC::B3::Const32Value::greaterEqualConstant const):
2450         (JSC::B3::Const32Value::aboveConstant const):
2451         (JSC::B3::Const32Value::belowConstant const):
2452         (JSC::B3::Const32Value::aboveEqualConstant const):
2453         (JSC::B3::Const32Value::belowEqualConstant const):
2454         * b3/B3Const64Value.cpp:
2455         (JSC::B3::Const64Value::lessThanConstant const):
2456         (JSC::B3::Const64Value::greaterThanConstant const):
2457         (JSC::B3::Const64Value::lessEqualConstant const):
2458         (JSC::B3::Const64Value::greaterEqualConstant const):
2459         (JSC::B3::Const64Value::aboveConstant const):
2460         (JSC::B3::Const64Value::belowConstant const):
2461         (JSC::B3::Const64Value::aboveEqualConstant const):
2462         (JSC::B3::Const64Value::belowEqualConstant const):
2463         * b3/B3ReduceStrength.cpp:
2464         * b3/testb3.cpp:
2465         (JSC::B3::int64Operands):
2466         (JSC::B3::int32Operands):
2467
2468 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2469
2470         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
2471         https://bugs.webkit.org/show_bug.cgi?id=181848
2472
2473         Reviewed by Sam Weinig.
2474
2475         In r181535, we added support for `string.match(/nonglobal/)`. However, `string.match(/global/g)` is not
2476         optimized since it sets the `lastIndex` value before performing the RegExp operation.
2477
2478         This patch optimizes the above "with a global flag" case by emitting `SetRegExpObjectLastIndex` properly.
2479         RegExpMatchFast is converted to SetRegExpObjectLastIndex and RegExpMatchFastGlobal. The latter node
2480         just holds RegExp (not RegExpObject) cell so that it can offer a chance to make NewRegexp PhantomNewRegexp
2481         in object allocation sinking phase.
2482
2483         The added microbenchmarks show that this patch makes NewRegexp PhantomNewRegexp even if the given RegExp
2484         has a global flag, and that it improves performance.
2485
2486                                       baseline                  patched
2487
2488         regexp-u-global-es5       44.1298+-4.6128     ^     33.7920+-2.0110        ^ definitely 1.3059x faster
2489         regexp-u-global-es6      182.3272+-2.2861     ^    154.3414+-7.6769        ^ definitely 1.1813x faster
2490
2491         * dfg/DFGAbstractInterpreterInlines.h:
2492         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2493         * dfg/DFGClobberize.h:
2494         (JSC::DFG::clobberize):
2495         * dfg/DFGDoesGC.cpp:
2496         (JSC::DFG::doesGC):
2497         * dfg/DFGFixupPhase.cpp:
2498         (JSC::DFG::FixupPhase::fixupNode):
2499         * dfg/DFGMayExit.cpp:
2500         * dfg/DFGNode.cpp:
2501         (JSC::DFG::Node::convertToRegExpMatchFastGlobal):
2502         * dfg/DFGNode.h:
2503         (JSC::DFG::Node::hasHeapPrediction):
2504         (JSC::DFG::Node::hasCellOperand):
2505         * dfg/DFGNodeType.h:
2506         * dfg/DFGOperations.cpp:
2507         * dfg/DFGOperations.h:
2508         * dfg/DFGPredictionPropagationPhase.cpp:
2509         * dfg/DFGSafeToExecute.h:
2510         (JSC::DFG::safeToExecute):
2511         * dfg/DFGSpeculativeJIT.cpp:
2512         (JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal):
2513         * dfg/DFGSpeculativeJIT.h:
2514         * dfg/DFGSpeculativeJIT32_64.cpp:
2515         (JSC::DFG::SpeculativeJIT::compile):
2516         * dfg/DFGSpeculativeJIT64.cpp:
2517         (JSC::DFG::SpeculativeJIT::compile):
2518         * dfg/DFGStrengthReductionPhase.cpp:
2519         (JSC::DFG::StrengthReductionPhase::handleNode):
2520         * ftl/FTLCapabilities.cpp:
2521         (JSC::FTL::canCompile):
2522         * ftl/FTLLowerDFGToB3.cpp:
2523         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2524         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
2525         * runtime/RegExpObject.cpp:
2526         (JSC::collectMatches): Deleted.
2527         * runtime/RegExpObject.h:
2528         * runtime/RegExpObjectInlines.h:
2529         (JSC::RegExpObject::execInline):
2530         (JSC::RegExpObject::matchInline):
2531         (JSC::advanceStringUnicode):
2532         (JSC::collectMatches):
2533         (JSC::RegExpObject::advanceStringUnicode): Deleted.
2534         * runtime/RegExpPrototype.cpp:
2535         (JSC::advanceStringIndex):
2536
2537 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2538
2539         B3::reduceStrength should canonicalize integer comparisons
2540         https://bugs.webkit.org/show_bug.cgi?id=150958
2541
2542         Reviewed by Filip Pizlo.
2543
2544         This patch sorts the operands of comparisons by flipping the opcode. For example, `Above(0, @2)` is
2545         converted to `Below(@2, 0)`. This sorting follows the same rule as handleCommutativity. Since we
2546         canonicalize comparisons so that a constant value is at least on the right-hand side, we can
2547         remove the pattern matching that checks leftImm in B3LowerToAir.
2548
2549         Since this flipping changes the opcode of the value, to do this safely we just create a
2550         new value with the flipped opcode and swapped operands. If we can fold it to a constant,
2551         we replace m_value with this constant. If we fail to fold it to a constant, we replace
2552         m_value with the flipped one.
2553
2554         These comparisons are already handled in testb3.
2555
2556         * b3/B3LowerToAir.cpp:
2557         * b3/B3ReduceStrength.cpp:
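
        The two B3 entries above (Above/Below strength reduction for comparisons with 0, and
        canonicalizing integer comparisons) describe the same pair of rules. The following is an
        added example, not JSC code: a toy comparison IR, with hypothetical names (Value, Opcode,
        reduce, foldAgainstZero), that flips a left-hand constant to the right, folds two-constant
        comparisons, folds Below(x, 0) and AboveEqual(x, 0), and materializes the flipped
        comparison only when folding fails.

```cpp
// Added example, not JSC code: a toy version of the two B3 reduceStrength
// rules described in the two B3 entries above, over a tiny comparison IR.
// All names here (Value, Opcode, reduce, ...) are hypothetical.
#include <cassert>
#include <cstdint>
#include <iostream>
#include <utility>

enum class Opcode { Const, Var, Above, Below, AboveEqual, BelowEqual };

// A node: Const carries `constant`; comparisons carry lhs/rhs (unsigned compare).
struct Value {
    Opcode op;
    uint64_t constant;
    const Value* lhs;
    const Value* rhs;
};

static Value makeConst(uint64_t c) { return Value{Opcode::Const, c, nullptr, nullptr}; }
static Value makeVar() { return Value{Opcode::Var, 0, nullptr, nullptr}; }
static Value makeCompare(Opcode op, const Value* a, const Value* b) { return Value{op, 0, a, b}; }

static bool isComparison(Opcode op) {
    return op == Opcode::Above || op == Opcode::Below
        || op == Opcode::AboveEqual || op == Opcode::BelowEqual;
}

// Swapping the operands of a comparison changes its opcode:
// Above(a, b) is the same predicate as Below(b, a), likewise for the Equal forms.
static Opcode flipped(Opcode op) {
    switch (op) {
    case Opcode::Above: return Opcode::Below;
    case Opcode::Below: return Opcode::Above;
    case Opcode::AboveEqual: return Opcode::BelowEqual;
    case Opcode::BelowEqual: return Opcode::AboveEqual;
    default: return op;
    }
}

struct Fold { bool known; bool value; };

// Both operands constant: evaluate the unsigned comparison outright.
static Fold foldTwoConstants(Opcode op, uint64_t a, uint64_t b) {
    switch (op) {
    case Opcode::Above: return Fold{true, a > b};
    case Opcode::Below: return Fold{true, a < b};
    case Opcode::AboveEqual: return Fold{true, a >= b};
    case Opcode::BelowEqual: return Fold{true, a <= b};
    default: return Fold{false, false};
    }
}

// Bound rule, stated after canonicalization (constant on the right):
// Below(x, 0) is never true and AboveEqual(x, 0) is always true for unsigned x.
// These are the canonical forms of Above(0, x) and BelowEqual(0, x).
static Fold foldAgainstZero(Opcode op, const Value* rhs) {
    if (rhs->op != Opcode::Const || rhs->constant != 0)
        return Fold{false, false};
    if (op == Opcode::Below) return Fold{true, false};
    if (op == Opcode::AboveEqual) return Fold{true, true};
    return Fold{false, false};
}

// Reduce one comparison node. Returns Const(0/1) when it folds, otherwise the
// canonicalized comparison. The flipped comparison is only materialized when
// folding fails, which is the orphan-value fix the first entry describes.
static Value reduce(const Value& v) {
    if (!isComparison(v.op))
        return v;
    Opcode op = v.op;
    const Value* lhs = v.lhs;
    const Value* rhs = v.rhs;
    // Canonicalize: a constant on the left moves right by flipping the opcode.
    if (lhs->op == Opcode::Const && rhs->op != Opcode::Const) {
        op = flipped(op);
        std::swap(lhs, rhs);
    }
    if (lhs->op == Opcode::Const && rhs->op == Opcode::Const) {
        Fold f = foldTwoConstants(op, lhs->constant, rhs->constant);
        return makeConst(f.value ? 1 : 0);
    }
    Fold f = foldAgainstZero(op, rhs);
    if (f.known)
        return makeConst(f.value ? 1 : 0);
    return makeCompare(op, lhs, rhs);
}

int main() {
    Value length = makeVar();
    Value zero = makeConst(0);
    // The ArraySlice(0) case from the entry: Above(0, length) folds to false.
    Value r = reduce(makeCompare(Opcode::Above, &zero, &length));
    assert(r.op == Opcode::Const && r.constant == 0);
    // A non-foldable comparison is only canonicalized: Above(5, x) becomes Below(x, 5).
    Value five = makeConst(5);
    Value c = reduce(makeCompare(Opcode::Above, &five, &length));
    assert(c.op == Opcode::Below && c.lhs == &length && c.rhs == &five);
    std::cout << "ok\n";
    return 0;
}
```

        Because the canonical form always has the constant on the right, a lowering pass only has
        to pattern-match a right-hand immediate, which is the B3LowerToAir simplification the
        second entry mentions.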
2558
2559 2018-03-09  Mark Lam  <mark.lam@apple.com>
2560
2561         offlineasm should reset the Assembler's working state before doing another pass for a new target.
2562         https://bugs.webkit.org/show_bug.cgi?id=183538
2563         <rdar://problem/38325955>
2564
2565         Reviewed by Michael Saboff.
2566
2567         * llint/LowLevelInterpreter.cpp:
2568         * offlineasm/asm.rb:
2569         * offlineasm/cloop.rb:
2570
2571 2018-03-09  Brian Burg  <bburg@apple.com>
2572
2573         Web Inspector: there should only be one way for async backend commands to send failure
2574         https://bugs.webkit.org/show_bug.cgi?id=183524
2575
2576         Reviewed by Timothy Hatcher.
2577
2578         If this is an async command, errors should be reported with BackendDispatcher::CallbackBase::sendFailure.
2579         To avoid mixups, don't include the ErrorString out-parameter in generated async command signatures.
2580         This change only affects interfaces generated for C++ backend dispatchers.
2581
2582         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2583         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
2584         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2585         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2586         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2587
2588 2018-03-09  Mark Lam  <mark.lam@apple.com>
2589
2590         Build fix after r229476.
2591         https://bugs.webkit.org/show_bug.cgi?id=183488
2592
2593         Not reviewed.
2594
2595         * runtime/StackAlignment.h:
2596
2597 2018-03-09  Mark Lam  <mark.lam@apple.com>
2598
2599         [Re-landing] Add support for ARM64E.
2600         https://bugs.webkit.org/show_bug.cgi?id=183398
2601         <rdar://problem/38212621>
2602
2603         Reviewed by Michael Saboff.
2604
2605         * assembler/MacroAssembler.h:
2606         * llint/LLIntOfflineAsmConfig.h:
2607         * llint/LowLevelInterpreter.asm:
2608         * llint/LowLevelInterpreter64.asm:
2609         * offlineasm/backends.rb:
2610
2611 2018-03-09  Mark Lam  <mark.lam@apple.com>
2612
2613         [Re-landing] Prepare LLInt code to support pointer profiling.
2614         https://bugs.webkit.org/show_bug.cgi?id=183387
2615         <rdar://problem/38199678>
2616
2617         Reviewed by JF Bastien.
2618
2619         1. Introduced PtrTag enums for supporting pointer profiling later.
2620
2621         2. Also introduced tagging, untagging, retagging, and tag removal placeholder
2622            template functions for the same purpose.
2623
2624         3. Prepare the offlineasm for supporting pointer profiling later.
2625
2626         4. Tagged some pointers in LLInt asm code.  Currently, these should have no
2627            effect on behavior.
2628
2629         5. Removed returnToThrowForThrownException() because it is not used anywhere.
2630
2631         6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
2632            easier to view and edit these files in Xcode.
2633
2634         * CMakeLists.txt:
2635         * JavaScriptCore.xcodeproj/project.pbxproj:
2636         * bytecode/LLIntCallLinkInfo.h:
2637         (JSC::LLIntCallLinkInfo::unlink):
2638         * llint/LLIntData.cpp:
2639         (JSC::LLInt::initialize):
2640         * llint/LLIntData.h:
2641         * llint/LLIntExceptions.cpp:
2642         (JSC::LLInt::returnToThrowForThrownException): Deleted.
2643         * llint/LLIntExceptions.h:
2644         * llint/LLIntOfflineAsmConfig.h:
2645         * llint/LLIntOffsetsExtractor.cpp:
2646         * llint/LLIntPCRanges.h:
2647         (JSC::LLInt::isLLIntPC):
2648         * llint/LLIntSlowPaths.cpp:
2649         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2650         (JSC::LLInt::handleHostCall):
2651         (JSC::LLInt::setUpCall):
2652         * llint/LowLevelInterpreter.asm:
2653         * llint/LowLevelInterpreter32_64.asm:
2654         * llint/LowLevelInterpreter64.asm:
2655         * offlineasm/ast.rb:
2656         * offlineasm/instructions.rb:
2657         * offlineasm/risc.rb:
2658         * runtime/PtrTag.h: Added.
2659         (JSC::uniquePtrTagID):
2660         (JSC::ptrTag):
2661         (JSC::tagCodePtr):
2662         (JSC::untagCodePtr):
2663         (JSC::retagCodePtr):
2664         (JSC::removeCodePtrTag):
2665
2666 2018-03-09  Mark Lam  <mark.lam@apple.com>
2667
2668         Remove unused LLINT_STATS feature.
2669         https://bugs.webkit.org/show_bug.cgi?id=183522
2670         <rdar://problem/38313139>
2671
2672         Rubber-stamped by Keith Miller.
2673
2674         We haven't used this in a while, and it is one more option that makes offlineasm
2675         build slower.  We can always re-introduce this later if we need it.
2676
2677         * jsc.cpp:
2678         * llint/LLIntCommon.h:
2679         * llint/LLIntData.cpp:
2680         (JSC::LLInt::initialize):
2681         (JSC::LLInt::Data::finalizeStats): Deleted.
2682         (JSC::LLInt::compareStats): Deleted.
2683         (JSC::LLInt::Data::dumpStats): Deleted.
2684         (JSC::LLInt::Data::ensureStats): Deleted.
2685         (JSC::LLInt::Data::loadStats): Deleted.
2686         (JSC::LLInt::Data::resetStats): Deleted.
2687         (JSC::LLInt::Data::saveStats): Deleted.
2688         * llint/LLIntData.h:
2689         (): Deleted.
2690         (JSC::LLInt::Data::opcodeStats): Deleted.
2691         * llint/LLIntOfflineAsmConfig.h:
2692         * llint/LLIntSlowPaths.cpp:
2693         * llint/LLIntSlowPaths.h:
2694         * llint/LowLevelInterpreter.asm:
2695         * llint/LowLevelInterpreter32_64.asm:
2696         * llint/LowLevelInterpreter64.asm:
2697         * runtime/Options.cpp:
2698         (JSC::Options::isAvailable):
2699         (JSC::recomputeDependentOptions):
2700         * runtime/Options.h:
2701         * runtime/TestRunnerUtils.cpp:
2702         (JSC::finalizeStatsAtEndOfTesting):
2703
2704 2018-03-09  Michael Saboff  <msaboff@apple.com>
2705
2706         Relanding "testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64"
2707         https://bugs.webkit.org/show_bug.cgi?id=183488
2708
2709         It applied and built just fine locally.
2710
2711         * assembler/testmasm.cpp:
2712         (JSC::testBranchTruncateDoubleToInt32):
2713
2714 2018-03-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2715
2716         Unreviewed, remove WebAssemblyFunctionType
2717         https://bugs.webkit.org/show_bug.cgi?id=183429
2718
2719         Drop WebAssemblyFunctionType since it is no longer used. This breaks the
2720         JSCast assumption that all the derived classes of JSFunction use
2721         JSFunctionType. We also add an ASSERT to JSFunction::finishCreation.
2722
2723         * runtime/JSFunction.cpp:
2724         (JSC::JSFunction::finishCreation):
2725         * runtime/JSType.h:
2726         * wasm/js/WebAssemblyFunction.cpp:
2727         (JSC::WebAssemblyFunction::createStructure):
2728         * wasm/js/WebAssemblyFunction.h:
2729
2730 2018-03-09  Ryan Haddad  <ryanhaddad@apple.com>
2731
2732         Unreviewed, rolling out r229446.
2733
2734         This change relies on changes that have been rolled out.
2735
2736         Reverted changeset:
2737
2738         "testmasm crashes in testBranchTruncateDoubleToInt32() on
2739         ARM64"
2740         https://bugs.webkit.org/show_bug.cgi?id=183488
2741         https://trac.webkit.org/changeset/229446
2742
2743 2018-03-08  Chris Dumez  <cdumez@apple.com>
2744
2745         Safari not handling undefined global variables with same name as element Id correctly.
2746         https://bugs.webkit.org/show_bug.cgi?id=183087
2747         <rdar://problem/37927596>
2748
2749         Reviewed by Ryosuke Niwa.
2750
2751         Global variables (var foo;) should not be hidden by:
2752         - Named properties
2753         - Properties on the prototype chain
2754
2755         Therefore, we now have JSGlobalObject::addVar() call JSGlobalObject::addGlobalVar()
2756         if !hasOwnProperty() instead of !hasProperty.
2757
2758         This aligns our behavior with Chrome and Firefox.
2759
2760         * runtime/JSGlobalObject.h:
2761         (JSC::JSGlobalObject::addVar):
2762
2763 2018-03-08  Commit Queue  <commit-queue@webkit.org>
2764
2765         Unreviewed, rolling out r229354 and r229364.
2766         https://bugs.webkit.org/show_bug.cgi?id=183492
2767
2768         Breaks internal builds (Requested by ryanhaddad on #webkit).
2769
2770         Reverted changesets:
2771
2772         "Prepare LLInt code to support pointer profiling."
2773         https://bugs.webkit.org/show_bug.cgi?id=183387
2774         https://trac.webkit.org/changeset/229354
2775
2776         "Add support for ARM64E."
2777         https://bugs.webkit.org/show_bug.cgi?id=183398
2778         https://trac.webkit.org/changeset/229364
2779
2780 2018-03-08  Michael Saboff  <msaboff@apple.com>
2781
2782         testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64
2783         https://bugs.webkit.org/show_bug.cgi?id=183488
2784
2785         Reviewed by Mark Lam.
2786
2787         Using stackAlignmentBytes() will keep the stack properly aligned.
2788
2789         * assembler/testmasm.cpp:
2790         (JSC::testBranchTruncateDoubleToInt32):
2791
2792 2018-03-08  Michael Saboff  <msaboff@apple.com>
2793
2794         Emit code to zero the stack frame on function entry
2795         https://bugs.webkit.org/show_bug.cgi?id=183391
2796
2797         Reviewed by Mark Lam.
2798
2799         Added code to zero incoming stack frame behind a new JSC option, zeroStackFrame.
2800         The default setting of the option is off.
2801
2802         Did some minor refactoring of the YarrJIT stack alignment code.
2803
2804         * b3/air/AirCode.cpp:
2805         (JSC::B3::Air::defaultPrologueGenerator):
2806         * dfg/DFGJITCompiler.cpp:
2807         (JSC::DFG::JITCompiler::compile):
2808         (JSC::DFG::JITCompiler::compileFunction):
2809         * dfg/DFGSpeculativeJIT.cpp:
2810         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2811         * dfg/DFGThunks.cpp:
2812         (JSC::DFG::osrEntryThunkGenerator):
2813         * ftl/FTLLowerDFGToB3.cpp:
2814         (JSC::FTL::DFG::LowerDFGToB3::lower):
2815         * jit/AssemblyHelpers.h:
2816         (JSC::AssemblyHelpers::clearStackFrame):
2817         * jit/JIT.cpp:
2818         (JSC::JIT::compileWithoutLinking):
2819         * llint/LowLevelInterpreter.asm:
2820         * runtime/Options.h:
2821         * yarr/YarrJIT.cpp:
2822         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
2823         (JSC::Yarr::YarrGenerator::initCallFrame):
2824         (JSC::Yarr::YarrGenerator::removeCallFrame):
2825
2826 2018-03-08  Keith Miller  <keith_miller@apple.com>
2827
2828         Unreviewed, another attempt at fixing the Windows build.
2829         I guess the pragma must be outside the function...
2830
2831         * jit/CCallHelpers.h:
2832         (JSC::CCallHelpers::clampArrayToSize):
2833
2834 2018-03-08  Keith Miller  <keith_miller@apple.com>
2835
2836         Unreviewed, one last try at fixing the windows build before rollout.
2837
2838         * jit/CCallHelpers.h:
2839         (JSC::CCallHelpers::clampArrayToSize):
2840
2841 2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2842
2843         [JSC] Optimize inherits<T> if T is final type
2844         https://bugs.webkit.org/show_bug.cgi?id=183435
2845
2846         Reviewed by Mark Lam.
2847
2848         If the type T is a final type (`std::is_final<T>::value == true`), there are no
2849         classes derived from T. This means that `jsDynamicCast<T>` only needs
2850         to check that the given cell's `classInfo(vm)` is `T::info()`.
2851
2852         This patch adds a new specialization of jsDynamicCast<T> / inherits<T> for
2853         final types. We also add `final` annotations to JS cell types in JSC. This
2854         offers:
2855
2856         1. Readability. If the given class is annotated with `final`, we do not need to
2857         consider the derived classes of T.
2858
2859         2. Static Checking. If your class is not intended to be used as a base class, attaching
2860         `final` can ensure this invariant.
2861
2862         3. Performance. jsDynamicCast<T> and inherits<T> can be optimized and the code size should
2863         be smaller.
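
        An added example, not JSC's implementation, of the specialization this entry describes,
        over a toy ClassInfo chain: inherits<T> does a single pointer compare when T is final and
        walks the parent chain otherwise. The names (ClassInfo, Cell, Object, DebuggerScope,
        inherits, dynamicCast, exactMatchOnly) are hypothetical stand-ins for the JSC ones.

```cpp
// Added example, not JSC code: the final-type fast path the entry describes,
// over a toy ClassInfo chain. ClassInfo, Cell, Object, DebuggerScope,
// inherits and dynamicCast are hypothetical stand-ins for the JSC names.
#include <cassert>
#include <iostream>
#include <type_traits>

// Each class has a static ClassInfo; the parentClass links form the chain that
// the generic inherits<T>() has to walk.
struct ClassInfo {
    const char* className;
    const ClassInfo* parentClass;

    bool isSubClassOf(const ClassInfo* other) const {
        for (const ClassInfo* c = this; c; c = c->parentClass) {
            if (c == other)
                return true;
        }
        return false;
    }
};

struct Cell {
    explicit Cell(const ClassInfo* ci) : m_classInfo(ci) {}
    const ClassInfo* classInfo() const { return m_classInfo; }
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
private:
    const ClassInfo* m_classInfo;
};
const ClassInfo Cell::s_info = { "Cell", nullptr };

struct Object : Cell {
    Object() : Cell(&s_info) {}
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
protected:
    explicit Object(const ClassInfo* ci) : Cell(ci) {}
};
const ClassInfo Object::s_info = { "Object", &Cell::s_info };

// Marked final: nothing derives from it, so an exact ClassInfo match is a
// complete answer.
struct DebuggerScope final : Object {
    DebuggerScope() : Object(&s_info) {}
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
};
const ClassInfo DebuggerScope::s_info = { "DebuggerScope", &Object::s_info };

// Fast path: one pointer compare, no walk. Only correct when T is final.
template <typename T>
static bool exactMatchOnly(const Cell* cell) {
    return cell->classInfo() == T::info();
}

// Tag dispatch on std::is_final<T> (C++14) selects the path.
template <typename T>
static bool inheritsImpl(const Cell* cell, std::true_type /* T is final */) {
    return exactMatchOnly<T>(cell);
}
template <typename T>
static bool inheritsImpl(const Cell* cell, std::false_type /* T may have subclasses */) {
    return cell->classInfo()->isSubClassOf(T::info());
}
template <typename T>
static bool inherits(const Cell* cell) {
    return inheritsImpl<T>(cell, std::integral_constant<bool, std::is_final<T>::value>());
}

template <typename T>
static T* dynamicCast(Cell* cell) {
    return (cell && inherits<T>(cell)) ? static_cast<T*>(cell) : nullptr;
}

int main() {
    DebuggerScope scope;
    Object object;
    assert(inherits<DebuggerScope>(&scope));   // final: exact match
    assert(!inherits<DebuggerScope>(&object));
    assert(inherits<Object>(&scope));          // non-final: walks the chain
    assert(!exactMatchOnly<Object>(&scope));   // why the fast path needs `final`
    assert(dynamicCast<DebuggerScope>(&object) == nullptr);
    assert(dynamicCast<DebuggerScope>(&scope) == &scope);
    std::cout << "ok\n";
    return 0;
}
```

        The `exactMatchOnly<Object>` check on a DebuggerScope shows the trap the `final` gate
        avoids: applying the one-compare path to a class that has subclasses would report a valid
        subclass instance as not inheriting.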
2864
2865         * API/JSCallbackConstructor.h:
2866         (JSC::JSCallbackConstructor::create): Deleted.
2867         (JSC::JSCallbackConstructor::classRef const): Deleted.
2868         (JSC::JSCallbackConstructor::callback const): Deleted.
2869         (JSC::JSCallbackConstructor::createStructure): Deleted.
2870         (JSC::JSCallbackConstructor::constructCallback): Deleted.
2871         * API/JSCallbackFunction.h:
2872         (JSC::JSCallbackFunction::createStructure): Deleted.
2873         (JSC::JSCallbackFunction::functionCallback): Deleted.
2874         * API/JSCallbackObject.h:
2875         (JSC::JSCallbackObject::create): Deleted.
2876         (JSC::JSCallbackObject::destroy): Deleted.
2877         (JSC::JSCallbackObject::classRef const): Deleted.
2878         (JSC::JSCallbackObject::getPrivateProperty const): Deleted.
2879         (JSC::JSCallbackObject::setPrivateProperty): Deleted.
2880         (JSC::JSCallbackObject::deletePrivateProperty): Deleted.
2881         (JSC::JSCallbackObject::visitChildren): Deleted.
2882         * bytecode/CodeBlock.cpp:
2883         (JSC::CodeBlock::setConstantRegisters):
2884         * bytecode/ExecutableToCodeBlockEdge.h:
2885         (JSC::ExecutableToCodeBlockEdge::subspaceFor): Deleted.
2886         (JSC::ExecutableToCodeBlockEdge::codeBlock const): Deleted.
2887         (JSC::ExecutableToCodeBlockEdge::unwrap): Deleted.
2888         * bytecode/FunctionCodeBlock.h:
2889         (JSC::FunctionCodeBlock::subspaceFor): Deleted.
2890         (JSC::FunctionCodeBlock::create): Deleted.
2891         (JSC::FunctionCodeBlock::createStructure): Deleted.
2892         (JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
2893         * debugger/DebuggerScope.h:
2894         (JSC::DebuggerScope::createStructure): Deleted.
2895         (JSC::DebuggerScope::iterator::iterator): Deleted.
2896         (JSC::DebuggerScope::iterator::get): Deleted.
2897         (JSC::DebuggerScope::iterator::operator++): Deleted.
2898         (JSC::DebuggerScope::iterator::operator== const): Deleted.
2899         (JSC::DebuggerScope::iterator::operator!= const): Deleted.
2900         (JSC::DebuggerScope::isValid const): Deleted.
2901         (JSC::DebuggerScope::jsScope const): Deleted.
2902         * inspector/JSInjectedScriptHost.h:
2903         (Inspector::JSInjectedScriptHost::createStructure): Deleted.
2904         (Inspector::JSInjectedScriptHost::create): Deleted.
2905         (Inspector::JSInjectedScriptHost::impl const): Deleted.
2906         * inspector/JSInjectedScriptHostPrototype.h:
2907         (Inspector::JSInjectedScriptHostPrototype::create): Deleted.
2908         (Inspector::JSInjectedScriptHostPrototype::createStructure): Deleted.
2909         (Inspector::JSInjectedScriptHostPrototype::JSInjectedScriptHostPrototype): Deleted.
2910         * inspector/JSJavaScriptCallFrame.h:
2911         (Inspector::JSJavaScriptCallFrame::createStructure): Deleted.
2912         (Inspector::JSJavaScriptCallFrame::create): Deleted.
2913         (Inspector::JSJavaScriptCallFrame::impl const): Deleted.
2914         * inspector/JSJavaScriptCallFramePrototype.h:
2915         (Inspector::JSJavaScriptCallFramePrototype::create): Deleted.
2916         (Inspector::JSJavaScriptCallFramePrototype::createStructure): Deleted.
2917         (Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype): Deleted.
2918         * jit/Repatch.cpp:
2919         (JSC::tryCacheGetByID):
2920         * runtime/ArrayConstructor.h:
2921         (JSC::ArrayConstructor::create): Deleted.
2922         (JSC::ArrayConstructor::createStructure): Deleted.
2923         * runtime/ArrayIteratorPrototype.h:
2924         (JSC::ArrayIteratorPrototype::create): Deleted.
2925         (JSC::ArrayIteratorPrototype::createStructure): Deleted.
2926         (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype): Deleted.
2927         * runtime/ArrayPrototype.h:
2928         (JSC::ArrayPrototype::createStructure): Deleted.
2929         * runtime/AsyncFromSyncIteratorPrototype.h:
2930         (JSC::AsyncFromSyncIteratorPrototype::createStructure): Deleted.
2931         * runtime/AsyncFunctionConstructor.h:
2932         (JSC::AsyncFunctionConstructor::create): Deleted.
2933         (JSC::AsyncFunctionConstructor::createStructure): Deleted.
2934         * runtime/AsyncFunctionPrototype.h:
2935         (JSC::AsyncFunctionPrototype::create): Deleted.
2936         (JSC::AsyncFunctionPrototype::createStructure): Deleted.
2937         * runtime/AsyncGeneratorFunctionConstructor.h:
2938         (JSC::AsyncGeneratorFunctionConstructor::create): Deleted.
2939         (JSC::AsyncGeneratorFunctionConstructor::createStructure): Deleted.
2940         * runtime/AsyncGeneratorFunctionPrototype.h:
2941         (JSC::AsyncGeneratorFunctionPrototype::create): Deleted.
2942         (JSC::AsyncGeneratorFunctionPrototype::createStructure): Deleted.
2943         * runtime/AsyncGeneratorPrototype.h:
2944         (JSC::AsyncGeneratorPrototype::create): Deleted.
2945         (JSC::AsyncGeneratorPrototype::createStructure): Deleted.
2946         (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype): Deleted.
2947         * runtime/AsyncIteratorPrototype.h:
2948         (JSC::AsyncIteratorPrototype::create): Deleted.
2949         (JSC::AsyncIteratorPrototype::createStructure): Deleted.
2950         (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype): Deleted.
2951         * runtime/AtomicsObject.h:
2952         * runtime/BigIntConstructor.h:
2953         (JSC::BigIntConstructor::create): Deleted.
2954         (JSC::BigIntConstructor::createStructure): Deleted.
2955         * runtime/BigIntObject.h:
2956         (JSC::BigIntObject::create): Deleted.
2957         (JSC::BigIntObject::internalValue const): Deleted.
2958         (JSC::BigIntObject::createStructure): Deleted.
2959         * runtime/BigIntPrototype.h:
2960         (JSC::BigIntPrototype::create): Deleted.
2961         (JSC::BigIntPrototype::createStructure): Deleted.
2962         * runtime/BooleanConstructor.h:
2963         (JSC::BooleanConstructor::create): Deleted.
2964         (JSC::BooleanConstructor::createStructure): Deleted.
2965         * runtime/BooleanPrototype.h:
2966         (JSC::BooleanPrototype::create): Deleted.
2967         (JSC::BooleanPrototype::createStructure): Deleted.
2968         * runtime/ConsoleObject.h:
2969         (JSC::ConsoleObject::create): Deleted.
2970         (JSC::ConsoleObject::createStructure): Deleted.
2971         * runtime/DOMAttributeGetterSetter.h:
2972         (JSC::isDOMAttributeGetterSetter): Deleted.
2973         * runtime/DateConstructor.h:
2974         (JSC::DateConstructor::create): Deleted.
2975         (JSC::DateConstructor::createStructure): Deleted.
2976         * runtime/DateInstance.h:
2977         (JSC::DateInstance::create): Deleted.
2978         (JSC::DateInstance::internalNumber const): Deleted.
2979         (JSC::DateInstance::gregorianDateTime const): Deleted.
2980         (JSC::DateInstance::gregorianDateTimeUTC const): Deleted.
2981         (JSC::DateInstance::createStructure): Deleted.
2982         * runtime/DatePrototype.h:
2983         (JSC::DatePrototype::create): Deleted.
2984         (JSC::DatePrototype::createStructure): Deleted.
2985         * runtime/Error.h:
2986         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): Deleted.
2987         (JSC::StrictModeTypeErrorFunction::create): Deleted.
2988         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError): Deleted.
2989         (JSC::StrictModeTypeErrorFunction::callThrowTypeError): Deleted.
2990         (JSC::StrictModeTypeErrorFunction::createStructure): Deleted.
2991         * runtime/ErrorConstructor.h:
2992         (JSC::ErrorConstructor::create): Deleted.
2993         (JSC::ErrorConstructor::createStructure): Deleted.
2994         (JSC::ErrorConstructor::stackTraceLimit const): Deleted.
2995         * runtime/Exception.h:
2996         (JSC::Exception::valueOffset): Deleted.
2997         (JSC::Exception::value const): Deleted.
2998         (JSC::Exception::stack const): Deleted.
2999         (JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
3000         (JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
3001         * runtime/FunctionConstructor.h:
3002         (JSC::FunctionConstructor::create): Deleted.
3003         (JSC::FunctionConstructor::createStructure): Deleted.
3004         * runtime/FunctionPrototype.h:
3005         (JSC::FunctionPrototype::create): Deleted.
3006         (JSC::FunctionPrototype::createStructure): Deleted.
3007         * runtime/FunctionRareData.h:
3008         (JSC::FunctionRareData::offsetOfObjectAllocationProfile): Deleted.
3009         (JSC::FunctionRareData::objectAllocationProfile): Deleted.
3010         (JSC::FunctionRareData::objectAllocationStructure): Deleted.
3011         (JSC::FunctionRareData::allocationProfileWatchpointSet): Deleted.
3012         (JSC::FunctionRareData::isObjectAllocationProfileInitialized): Deleted.
3013         (JSC::FunctionRareData::internalFunctionAllocationStructure): Deleted.
3014         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase): Deleted.
3015         (JSC::FunctionRareData::clearInternalFunctionAllocationProfile): Deleted.
3016         (JSC::FunctionRareData::getBoundFunctionStructure): Deleted.
3017         (JSC::FunctionRareData::setBoundFunctionStructure): Deleted.
3018         (JSC::FunctionRareData::hasReifiedLength const): Deleted.
3019         (JSC::FunctionRareData::setHasReifiedLength): Deleted.
3020         (JSC::FunctionRareData::hasReifiedName const): Deleted.
3021         (JSC::FunctionRareData::setHasReifiedName): Deleted.
3022         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const): Deleted.
3023         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): Deleted.
3024         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint): Deleted.
3025         * runtime/GeneratorFunctionConstructor.h:
3026         (JSC::GeneratorFunctionConstructor::create): Deleted.
3027         (JSC::GeneratorFunctionConstructor::createStructure): Deleted.
3028         * runtime/GeneratorFunctionPrototype.h:
3029         (JSC::GeneratorFunctionPrototype::create): Deleted.
3030         (JSC::GeneratorFunctionPrototype::createStructure): Deleted.
3031         * runtime/GeneratorPrototype.h:
3032         (JSC::GeneratorPrototype::create): Deleted.
3033         (JSC::GeneratorPrototype::createStructure): Deleted.
3034         (JSC::GeneratorPrototype::GeneratorPrototype): Deleted.
3035         * runtime/InferredValue.h:
3036         (JSC::InferredValue::subspaceFor): Deleted.
3037         (JSC::InferredValue::inferredValue): Deleted.
3038         (JSC::InferredValue::state const): Deleted.
3039         (JSC::InferredValue::isStillValid const): Deleted.
3040         (JSC::InferredValue::hasBeenInvalidated const): Deleted.
3041         (JSC::InferredValue::add): Deleted.
3042         (JSC::InferredValue::notifyWrite): Deleted.
3043         (JSC::InferredValue::invalidate): Deleted.
3044         * runtime/InspectorInstrumentationObject.h:
3045         (JSC::InspectorInstrumentationObject::create): Deleted.
3046         (JSC::InspectorInstrumentationObject::createStructure): Deleted.
3047         * runtime/IntlCollator.h:
3048         (JSC::IntlCollator::boundCompare const): Deleted.
3049         * runtime/IntlCollatorConstructor.h:
3050         (JSC::IntlCollatorConstructor::collatorStructure const): Deleted.
3051         * runtime/IntlCollatorPrototype.h:
3052         * runtime/IntlDateTimeFormat.h:
3053         (JSC::IntlDateTimeFormat::boundFormat const): Deleted.
3054         * runtime/IntlDateTimeFormatConstructor.h:
3055         (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure const): Deleted.
3056         * runtime/IntlDateTimeFormatPrototype.h:
3057         * runtime/IntlNumberFormat.h:
3058         (JSC::IntlNumberFormat::boundFormat const): Deleted.
3059         * runtime/IntlNumberFormatConstructor.h:
3060         (JSC::IntlNumberFormatConstructor::numberFormatStructure const): Deleted.
3061         * runtime/IntlNumberFormatPrototype.h:
3062         * runtime/IntlObject.h:
3063         * runtime/IteratorPrototype.h:
3064         (JSC::IteratorPrototype::create): Deleted.
3065         (JSC::IteratorPrototype::createStructure): Deleted.
3066         (JSC::IteratorPrototype::IteratorPrototype): Deleted.
3067         * runtime/JSAPIValueWrapper.h:
3068         (JSC::JSAPIValueWrapper::value const): Deleted.
3069         (JSC::JSAPIValueWrapper::createStructure): Deleted.
3070         (JSC::JSAPIValueWrapper::create): Deleted.
3071         (JSC::JSAPIValueWrapper::finishCreation): Deleted.
3072         (JSC::JSAPIValueWrapper::JSAPIValueWrapper): Deleted.
3073         * runtime/JSArrayBufferConstructor.h:
3074         (JSC::JSArrayBufferConstructor::sharingMode const): Deleted.
3075         * runtime/JSArrayBufferPrototype.h:
3076         * runtime/JSAsyncFunction.h:
3077         (JSC::JSAsyncFunction::subspaceFor): Deleted.
3078         (JSC::JSAsyncFunction::allocationSize): Deleted.
3079         (JSC::JSAsyncFunction::createStructure): Deleted.
3080         * runtime/JSAsyncGeneratorFunction.h:
3081         (JSC::JSAsyncGeneratorFunction::subspaceFor): Deleted.
3082         (JSC::JSAsyncGeneratorFunction::allocationSize): Deleted.
3083         (JSC::JSAsyncGeneratorFunction::createStructure): Deleted.
3084         * runtime/JSBigInt.h:
3085         (JSC::JSBigInt::setSign): Deleted.
3086         (JSC::JSBigInt::sign const): Deleted.
3087         (JSC::JSBigInt::setLength): Deleted.
3088         (JSC::JSBigInt::length const): Deleted.
3089         * runtime/JSBoundFunction.h:
3090         (JSC::JSBoundFunction::subspaceFor): Deleted.
3091         (JSC::JSBoundFunction::targetFunction): Deleted.
3092         (JSC::JSBoundFunction::boundThis): Deleted.
3093         (JSC::JSBoundFunction::boundArgs): Deleted.
3094         (JSC::JSBoundFunction::createStructure): Deleted.
3095         (JSC::JSBoundFunction::offsetOfTargetFunction): Deleted.
3096         (JSC::JSBoundFunction::offsetOfBoundThis): Deleted.
3097         * runtime/JSCast.h:
3098         (JSC::JSCastingHelpers::FinalTypeDispatcher::inheritsGeneric):
3099         (JSC::JSCastingHelpers::inheritsJSTypeImpl):
3100         (JSC::JSCastingHelpers::InheritsTraits::inherits):
3101         (JSC::JSCastingHelpers::inheritsGenericImpl): Deleted.
3102         * runtime/JSCustomGetterSetterFunction.cpp:
3103         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
3104         * runtime/JSCustomGetterSetterFunction.h:
3105         (JSC::JSCustomGetterSetterFunction::subspaceFor): Deleted.
3106         (JSC::JSCustomGetterSetterFunction::createStructure): Deleted.
3107         (JSC::JSCustomGetterSetterFunction::customGetterSetter const): Deleted.
3108         (JSC::JSCustomGetterSetterFunction::isSetter const): Deleted.
3109         (JSC::JSCustomGetterSetterFunction::propertyName const): Deleted.
3110         * runtime/JSDataView.h:
3111         (JSC::JSDataView::possiblySharedBuffer const): Deleted.
3112         (JSC::JSDataView::unsharedBuffer const): Deleted.
3113         * runtime/JSDataViewPrototype.h:
3114         * runtime/JSFixedArray.h:
3115         (JSC::JSFixedArray::createStructure): Deleted.
3116         (JSC::JSFixedArray::tryCreate): Deleted.
3117         (JSC::JSFixedArray::create): Deleted.
3118         (JSC::JSFixedArray::createFromArray): Deleted.
3119         (JSC::JSFixedArray::get const): Deleted.
3120         (JSC::JSFixedArray::set): Deleted.
3121         (JSC::JSFixedArray::buffer): Deleted.
3122         (JSC::JSFixedArray::buffer const): Deleted.
3123         (JSC::JSFixedArray::values const): Deleted.
3124         (JSC::JSFixedArray::size const): Deleted.
3125         (JSC::JSFixedArray::length const): Deleted.
3126         (JSC::JSFixedArray::offsetOfSize): Deleted.
3127         (JSC::JSFixedArray::offsetOfData): Deleted.
3128         (JSC::JSFixedArray::JSFixedArray): Deleted.
3129         (JSC::JSFixedArray::allocationSize): Deleted.
3130         * runtime/JSGeneratorFunction.h:
3131         (JSC::JSGeneratorFunction::subspaceFor): Deleted.
3132         (JSC::JSGeneratorFunction::allocationSize): Deleted.
3133         (JSC::JSGeneratorFunction::createStructure): Deleted.
3134         * runtime/JSGenericTypedArrayView.h:
3135         (JSC::JSGenericTypedArrayView::byteLength const): Deleted.
3136         (JSC::JSGenericTypedArrayView::byteSize const): Deleted.
3137         (JSC::JSGenericTypedArrayView::typedVector const): Deleted.
3138         (JSC::JSGenericTypedArrayView::typedVector): Deleted.
3139         (JSC::JSGenericTypedArrayView::canGetIndexQuickly): Deleted.
3140         (JSC::JSGenericTypedArrayView::canSetIndexQuickly): Deleted.
3141         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue): Deleted.
3142         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble): Deleted.
3143         (JSC::JSGenericTypedArrayView::getIndexQuickly): Deleted.
3144         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue): Deleted.
3145         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble): Deleted.
3146         (JSC::JSGenericTypedArrayView::setIndexQuickly): Deleted.
3147         (JSC::JSGenericTypedArrayView::setIndex): Deleted.
3148         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
3149         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion): Deleted.
3150         (JSC::JSGenericTypedArrayView::sort): Deleted.
3151         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly): Deleted.
3152         (JSC::JSGenericTypedArrayView::createStructure): Deleted.
3153         (JSC::JSGenericTypedArrayView::info): Deleted.
3154         (JSC::JSGenericTypedArrayView::purifyArray): Deleted.
3155         (JSC::JSGenericTypedArrayView::sortComparison): Deleted.
3156         (JSC::JSGenericTypedArrayView::sortFloat): Deleted.
3157         * runtime/JSGenericTypedArrayViewConstructor.h:
3158         * runtime/JSGenericTypedArrayViewPrototype.h:
3159         * runtime/JSInternalPromise.h:
3160         * runtime/JSInternalPromiseConstructor.h:
3161         * runtime/JSInternalPromisePrototype.h:
3162         * runtime/JSMapIterator.h:
3163         (JSC::JSMapIterator::createStructure): Deleted.
3164         (JSC::JSMapIterator::create): Deleted.
3165         (JSC::JSMapIterator::advanceIter): Deleted.
3166         (JSC::JSMapIterator::next): Deleted.
3167         (JSC::JSMapIterator::nextKeyValue): Deleted.
3168         (JSC::JSMapIterator::kind const): Deleted.
3169         (JSC::JSMapIterator::iteratedValue const): Deleted.
3170         (JSC::JSMapIterator::JSMapIterator): Deleted.
3171         (JSC::JSMapIterator::setIterator): Deleted.
3172         * runtime/JSModuleLoader.h:
3173         (JSC::JSModuleLoader::create): Deleted.
3174         (JSC::JSModuleLoader::createStructure): Deleted.
3175         * runtime/JSModuleNamespaceObject.h:
3176         (JSC::isJSModuleNamespaceObject): Deleted.
3177         * runtime/JSModuleRecord.h:
3178         (JSC::JSModuleRecord::sourceCode const): Deleted.
3179         (JSC::JSModuleRecord::declaredVariables const): Deleted.
3180         (JSC::JSModuleRecord::lexicalVariables const): Deleted.
3181         * runtime/JSNativeStdFunction.h:
3182         (JSC::JSNativeStdFunction::subspaceFor): Deleted.
3183         (JSC::JSNativeStdFunction::createStructure): Deleted.
3184         (JSC::JSNativeStdFunction::nativeStdFunctionCell): Deleted.
3185         * runtime/JSONObject.h:
3186         (JSC::JSONObject::create): Deleted.
3187         (JSC::JSONObject::createStructure): Deleted.
3188         * runtime/JSObject.h:
3189         (JSC::JSObject::fillCustomGetterPropertySlot):
3190         * runtime/JSScriptFetchParameters.h:
3191         (JSC::JSScriptFetchParameters::createStructure): Deleted.
3192         (JSC::JSScriptFetchParameters::create): Deleted.
3193         (JSC::JSScriptFetchParameters::parameters const): Deleted.
3194         (JSC::JSScriptFetchParameters::JSScriptFetchParameters): Deleted.
3195         * runtime/JSScriptFetcher.h:
3196         (JSC::JSScriptFetcher::createStructure): Deleted.
3197         (JSC::JSScriptFetcher::create): Deleted.
3198         (JSC::JSScriptFetcher::fetcher const): Deleted.
3199         (JSC::JSScriptFetcher::JSScriptFetcher): Deleted.
3200         * runtime/JSSetIterator.h:
3201         (JSC::JSSetIterator::createStructure): Deleted.
3202         (JSC::JSSetIterator::create): Deleted.
3203         (JSC::JSSetIterator::advanceIter): Deleted.
3204         (JSC::JSSetIterator::next): Deleted.
3205         (JSC::JSSetIterator::kind const): Deleted.
3206         (JSC::JSSetIterator::iteratedValue const): Deleted.
3207         (JSC::JSSetIterator::JSSetIterator): Deleted.
3208         (JSC::JSSetIterator::setIterator): Deleted.
3209         * runtime/JSSourceCode.h:
3210         (JSC::JSSourceCode::createStructure): Deleted.
3211         (JSC::JSSourceCode::create): Deleted.
3212         (JSC::JSSourceCode::sourceCode const): Deleted.
3213         (JSC::JSSourceCode::JSSourceCode): Deleted.
3214         * runtime/JSStringIterator.h:
3215         (JSC::JSStringIterator::createStructure): Deleted.
3216         (JSC::JSStringIterator::create): Deleted.
3217         (JSC::JSStringIterator::JSStringIterator): Deleted.
3218         * runtime/JSTemplateObjectDescriptor.h:
3219         (JSC::isTemplateObjectDescriptor): Deleted.
3220         * runtime/JSTypedArrayViewConstructor.h:
3221         (JSC::JSTypedArrayViewConstructor::create): Deleted.
3222         * runtime/JSTypedArrayViewPrototype.h:
3223         * runtime/MapConstructor.h:
3224         (JSC::MapConstructor::create): Deleted.
3225         (JSC::MapConstructor::createStructure): Deleted.
3226         * runtime/MapIteratorPrototype.h:
3227         (JSC::MapIteratorPrototype::create): Deleted.
3228         (JSC::MapIteratorPrototype::createStructure): Deleted.
3229         (JSC::MapIteratorPrototype::MapIteratorPrototype): Deleted.
3230         * runtime/MapPrototype.h:
3231         (JSC::MapPrototype::create): Deleted.
3232         (JSC::MapPrototype::createStructure): Deleted.
3233         (JSC::MapPrototype::MapPrototype): Deleted.
3234         * runtime/MathObject.h:
3235         (JSC::MathObject::create): Deleted.
3236         (JSC::MathObject::createStructure): Deleted.
3237         * runtime/ModuleLoaderPrototype.h:
3238         (JSC::ModuleLoaderPrototype::create): Deleted.
3239         (JSC::ModuleLoaderPrototype::createStructure): Deleted.
3240         * runtime/NativeErrorConstructor.h:
3241         (JSC::NativeErrorConstructor::create): Deleted.
3242         (JSC::NativeErrorConstructor::createStructure): Deleted.
3243         (JSC::NativeErrorConstructor::errorStructure): Deleted.
3244         * runtime/NativeErrorPrototype.h:
3245         (JSC::NativeErrorPrototype::create): Deleted.
3246         * runtime/NativeStdFunctionCell.h:
3247         (JSC::NativeStdFunctionCell::createStructure): Deleted.
3248         (JSC::NativeStdFunctionCell::function const): Deleted.
3249         * runtime/NullGetterFunction.h:
3250         (JSC::NullGetterFunction::create): Deleted.
3251         (JSC::NullGetterFunction::createStructure): Deleted.
3252         * runtime/NullSetterFunction.h:
3253         (JSC::NullSetterFunction::create): Deleted.
3254         (JSC::NullSetterFunction::createStructure): Deleted.
3255         * runtime/NumberConstructor.h:
3256         (JSC::NumberConstructor::create): Deleted.
3257         (JSC::NumberConstructor::createStructure): Deleted.
3258         (JSC::NumberConstructor::isIntegerImpl): Deleted.
3259         * runtime/NumberPrototype.h:
3260         (JSC::NumberPrototype::create): Deleted.
3261         (JSC::NumberPrototype::createStructure): Deleted.
3262         * runtime/ObjectConstructor.h:
3263         (JSC::ObjectConstructor::create): Deleted.
3264         (JSC::ObjectConstructor::createStructure): Deleted.
3265         * runtime/ObjectPrototype.h:
3266         (JSC::ObjectPrototype::createStructure): Deleted.
3267         * runtime/ProxyConstructor.h:
3268         (JSC::ProxyConstructor::createStructure): Deleted.
3269         * runtime/ProxyRevoke.h:
3270         (JSC::ProxyRevoke::createStructure): Deleted.
3271         (JSC::ProxyRevoke::proxy): Deleted.
3272         (JSC::ProxyRevoke::setProxyToNull): Deleted.
3273         * runtime/ReflectObject.h:
3274         (JSC::ReflectObject::create): Deleted.
3275         (JSC::ReflectObject::createStructure): Deleted.
3276         * runtime/RegExpConstructor.cpp:
3277         (JSC::regExpConstructorDollar):
3278         (JSC::regExpConstructorInput):
3279         (JSC::regExpConstructorMultiline):
3280         (JSC::regExpConstructorLastMatch):
3281         (JSC::regExpConstructorLastParen):
3282         (JSC::regExpConstructorLeftContext):
3283         (JSC::regExpConstructorRightContext):
3284         * runtime/RegExpConstructor.h:
3285         (JSC::RegExpConstructor::create): Deleted.
3286         (JSC::RegExpConstructor::createStructure): Deleted.
3287         (JSC::RegExpConstructor::setMultiline): Deleted.
3288         (JSC::RegExpConstructor::multiline const): Deleted.
3289         (JSC::RegExpConstructor::setInput): Deleted.
3290         (JSC::RegExpConstructor::input): Deleted.
3291         (JSC::RegExpConstructor::offsetOfCachedResult): Deleted.
3292         (JSC::asRegExpConstructor): Deleted.
3293         * runtime/RegExpPrototype.h:
3294         (JSC::RegExpPrototype::create): Deleted.
3295         (JSC::RegExpPrototype::createStructure): Deleted.
3296         (JSC::RegExpPrototype::emptyRegExp const): Deleted.
3297         * runtime/SetConstructor.h:
3298         (JSC::SetConstructor::create): Deleted.
3299         (JSC::SetConstructor::createStructure): Deleted.
3300         * runtime/SetIteratorPrototype.h:
3301         (JSC::SetIteratorPrototype::create): Deleted.
3302         (JSC::SetIteratorPrototype::createStructure): Deleted.
3303         (JSC::SetIteratorPrototype::SetIteratorPrototype): Deleted.
3304         * runtime/SetPrototype.h:
3305         (JSC::SetPrototype::create): Deleted.
3306         (JSC::SetPrototype::createStructure): Deleted.
3307         (JSC::SetPrototype::SetPrototype): Deleted.
3308         * runtime/StringConstructor.h:
3309         (JSC::StringConstructor::create): Deleted.
3310         (JSC::StringConstructor::createStructure): Deleted.
3311         * runtime/StringIteratorPrototype.h:
3312         (JSC::StringIteratorPrototype::create): Deleted.
3313         (JSC::StringIteratorPrototype::createStructure): Deleted.
3314         (JSC::StringIteratorPrototype::StringIteratorPrototype): Deleted.
3315         * runtime/StringPrototype.h:
3316         (JSC::StringPrototype::createStructure): Deleted.
3317         * runtime/SymbolConstructor.h:
3318         (JSC::SymbolConstructor::create): Deleted.
3319         (JSC::SymbolConstructor::createStructure): Deleted.
3320         * runtime/SymbolObject.h:
3321         (JSC::SymbolObject::create): Deleted.
3322         (JSC::SymbolObject::internalValue const): Deleted.
3323         (JSC::SymbolObject::createStructure): Deleted.
3324         * runtime/SymbolPrototype.h:
3325         (JSC::SymbolPrototype::create): Deleted.
3326         (JSC::SymbolPrototype::createStructure): Deleted.
3327         * runtime/WeakMapConstructor.h:
3328         (JSC::WeakMapConstructor::create): Deleted.
3329         (JSC::WeakMapConstructor::createStructure): Deleted.
3330         * runtime/WeakMapPrototype.h:
3331         (JSC::WeakMapPrototype::create): Deleted.
3332         (JSC::WeakMapPrototype::createStructure): Deleted.
3333         (JSC::WeakMapPrototype::WeakMapPrototype): Deleted.
3334         * runtime/WeakSetConstructor.h:
3335         (JSC::WeakSetConstructor::create): Deleted.
3336         (JSC::WeakSetConstructor::createStructure): Deleted.
3337         * runtime/WeakSetPrototype.h:
3338         (JSC::WeakSetPrototype::create): Deleted.
3339         (JSC::WeakSetPrototype::createStructure): Deleted.
3340         (JSC::WeakSetPrototype::WeakSetPrototype): Deleted.
3341         * tools/JSDollarVM.h:
3342         (JSC::JSDollarVM::createStructure): Deleted.
3343         (JSC::JSDollarVM::create): Deleted.
3344         (JSC::JSDollarVM::JSDollarVM): Deleted.
3345         * wasm/js/JSWebAssembly.h:
3346         * wasm/js/JSWebAssemblyCompileError.h:
3347         (JSC::JSWebAssemblyCompileError::create): Deleted.
3348         * wasm/js/JSWebAssemblyInstance.h:
3349         (JSC::JSWebAssemblyInstance::instance): Deleted.
3350         (JSC::JSWebAssemblyInstance::moduleNamespaceObject): Deleted.
3351         (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee): Deleted.
3352         (JSC::JSWebAssemblyInstance::memory): Deleted.
3353         (JSC::JSWebAssemblyInstance::setMemory): Deleted.
3354         (JSC::JSWebAssemblyInstance::memoryMode): Deleted.
3355         (JSC::JSWebAssemblyInstance::table): Deleted.
3356         (JSC::JSWebAssemblyInstance::setTable): Deleted.
3357         (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): Deleted.
3358         (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee): Deleted.
3359         (JSC::JSWebAssemblyInstance::module const): Deleted.
3360         * wasm/js/JSWebAssemblyLinkError.h:
3361         (JSC::JSWebAssemblyLinkError::create): Deleted.
3362         * wasm/js/JSWebAssemblyMemory.h:
3363         (JSC::JSWebAssemblyMemory::subspaceFor): Deleted.
3364         (JSC::JSWebAssemblyMemory::memory): Deleted.
3365         * wasm/js/JSWebAssemblyModule.h:
3366         * wasm/js/JSWebAssemblyRuntimeError.h:
3367         (JSC::JSWebAssemblyRuntimeError::create): Deleted.
3368         * wasm/js/JSWebAssemblyTable.h:
3369         (JSC::JSWebAssemblyTable::isValidLength): Deleted.
3370         (JSC::JSWebAssemblyTable::maximum const): Deleted.
3371         (JSC::JSWebAssemblyTable::length const): Deleted.
3372         (JSC::JSWebAssemblyTable::allocatedLength const): Deleted.
3373         (JSC::JSWebAssemblyTable::table): Deleted.
3374         * wasm/js/WebAssemblyCompileErrorConstructor.h:
3375         * wasm/js/WebAssemblyCompileErrorPrototype.h:
3376         * wasm/js/WebAssemblyInstanceConstructor.h:
3377         * wasm/js/WebAssemblyInstancePrototype.h:
3378         * wasm/js/WebAssemblyLinkErrorConstructor.h:
3379         * wasm/js/WebAssemblyLinkErrorPrototype.h:
3380         * wasm/js/WebAssemblyMemoryConstructor.h:
3381         * wasm/js/WebAssemblyMemoryPrototype.h:
3382         * wasm/js/WebAssemblyModuleConstructor.h:
3383         * wasm/js/WebAssemblyModulePrototype.h:
3384         * wasm/js/WebAssemblyModuleRecord.h:
3385         * wasm/js/WebAssemblyPrototype.h:
3386         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
3387         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
3388         * wasm/js/WebAssemblyTableConstructor.h:
3389         * wasm/js/WebAssemblyTablePrototype.h:
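
        As an added example (not this patch's or JavaScriptCore's own code), the fast path this entry describes, modeled in plain C++ with hypothetical ClassInfo, Cell, FinalTypeDispatcher and dynamicCast stand-ins: when T is final the check collapses to one pointer compare, otherwise the parent chain has to be walked.

```cpp
// Added illustration, not JavaScriptCore's own code: a reduced model of the ClassInfo
// parent chain and of a jsDynamicCast<T> that needs only one pointer compare when T is final.
#include <type_traits>

// Hypothetical stand-in for JSC::ClassInfo: each class records its parent's info.
struct ClassInfo {
    const char* className;
    const ClassInfo* parentClass;
};

// Hypothetical stand-in for JSC::JSCell: every cell carries a ClassInfo pointer.
struct Cell {
    explicit Cell(const ClassInfo* info) : m_classInfo(info) { }
    const ClassInfo* classInfo() const { return m_classInfo; }
    const ClassInfo* m_classInfo;
};

// Generic check, the only correct one when T may have subclasses: walk the parent
// chain until T::info() is found or the chain ends. (Dispatcher name is hypothetical.)
template<typename T, bool isFinal>
struct FinalTypeDispatcher {
    static bool inherits(const Cell* cell)
    {
        for (const ClassInfo* info = cell->classInfo(); info; info = info->parentClass) {
            if (info == T::info())
                return true;
        }
        return false;
    }
};

// Final-type specialization: nothing derives from T, so the only cell that can
// satisfy inherits<T> is one whose classInfo() is exactly T::info().
template<typename T>
struct FinalTypeDispatcher<T, true> {
    static bool inherits(const Cell* cell) { return cell->classInfo() == T::info(); }
};

template<typename T>
bool inherits(const Cell* cell)
{
    return FinalTypeDispatcher<T, std::is_final<T>::value>::inherits(cell);
}

template<typename T>
T* dynamicCast(Cell* cell)
{
    if (!cell)
        return nullptr;
    return inherits<T>(cell) ? static_cast<T*>(cell) : nullptr;
}

// Constructed sample hierarchy: Object <- Function <- BoundFunction (final),
// and DateInstance (final) directly under Object.
struct Object : Cell {
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
    Object(const ClassInfo* info = &s_info) : Cell(info) { }
};
const ClassInfo Object::s_info = { "Object", nullptr };

struct Function : Object {
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
    Function(const ClassInfo* info = &s_info) : Object(info) { }
};
const ClassInfo Function::s_info = { "Function", &Object::s_info };

struct BoundFunction final : Function {
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
    BoundFunction() : Function(&s_info) { }
};
const ClassInfo BoundFunction::s_info = { "BoundFunction", &Function::s_info };

struct DateInstance final : Object {
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
    DateInstance() : Object(&s_info) { }
};
const ClassInfo DateInstance::s_info = { "DateInstance", &Object::s_info };

// Exercises both paths; returns true only if every expectation holds.
bool runChecks()
{
    Function function;
    BoundFunction bound;
    DateInstance date;
    bool ok = true;
    // Final fast path: an exact classInfo() match is the only way to pass.
    ok = ok && dynamicCast<BoundFunction>(&bound) == &bound;
    ok = ok && dynamicCast<BoundFunction>(&function) == nullptr;
    ok = ok && dynamicCast<DateInstance>(&date) == &date;
    // Generic path: subclasses still pass, unrelated classes and null do not.
    ok = ok && dynamicCast<Function>(&bound) == &bound;
    ok = ok && dynamicCast<Object>(&date) == &date;
    ok = ok && dynamicCast<Function>(&date) == nullptr;
    ok = ok && dynamicCast<Object>(nullptr) == nullptr;
    return ok;
}
```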
3390
3391 2018-03-07  Filip Pizlo  <fpizlo@apple.com>
3392
3393         Make it possible to randomize register allocation
3394         https://bugs.webkit.org/show_bug.cgi?id=183416
3395
3396         Reviewed by Keith Miller.
3397         
3398         This is disabled by default for now, because it reveals a regalloc bug in wasm.
3399
3400         * b3/air/AirCode.cpp:
3401         (JSC::B3::Air::Code::Code):
3402         * b3/air/AirCode.h:
3403         (JSC::B3::Air::Code::weakRandom):
3404         * runtime/Options.h:
3405
3406 2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3407
3408         [JSC] Add inherits<T>(VM&) leveraging JSCast fast path
3409         https://bugs.webkit.org/show_bug.cgi?id=183429
3410
3411         Reviewed by Mark Lam.
3412
3413         Add new member functions, JSCell::inherits<T>(VM&) and JSValue::inherits<T>(VM&).
3414         They depend on the jsDynamicCast<T> implementation and leverage the JSType-based fast
3415         paths defined in JSCast.h. We extract the checking part as `JSCastingHelpers::inherit`
3416         and construct jsDynamicCast and JSCell::inherits based on this.
3417
3418         And we remove several unnecessary casting functions (asRegExpObject, asDateInstance etc.).
3419         In addition, we add jsDynamicCast fast path for RegExpObject by using existing RegExpObjectType.
3420
3421         We also fix the implementation of jsDynamicCast for JSObject since it uses LastJSCObjectType.
3422         The embedder can add their extended object types after that.
3423
3424         * API/JSObjectRef.cpp:
3425         (JSObjectGetPrivateProperty):
3426         (JSObjectSetPrivateProperty):
3427         (JSObjectDeletePrivateProperty):
3428         * API/JSValue.mm:
3429         (isDate):
3430         (isArray):
3431         * API/JSValueRef.cpp:
3432         (JSValueIsArray):
3433         (JSValueIsDate):
3434         (JSValueIsObjectOfClass):
3435         * API/JSWeakObjectMapRefPrivate.cpp:
3436         * API/JSWrapperMap.mm:
3437         (tryUnwrapObjcObject):
3438         * API/ObjCCallbackFunction.mm:
3439         (tryUnwrapConstructor):
3440         * dfg/DFGByteCodeParser.cpp:
3441         (JSC::DFG::ByteCodeParser::parseBlock):
3442         * dfg/DFGOperations.cpp:
3443         * ftl/FTLLowerDFGToB3.cpp:
3444         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
3445         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
3446         * ftl/FTLOperations.cpp:
3447         (JSC::FTL::operationMaterializeObjectInOSR):
3448         * inspector/JSInjectedScriptHost.cpp:
3449         (Inspector::JSInjectedScriptHost::subtype):
3450         (Inspector::JSInjectedScriptHost::functionDetails):
3451         * inspector/agents/InspectorHeapAgent.cpp:
3452         (Inspector::InspectorHeapAgent::getPreview):
3453         * interpreter/Interpreter.cpp:
3454         (JSC::notifyDebuggerOfUnwinding):
3455         * interpreter/ShadowChicken.cpp:
3456         (JSC::ShadowChicken::update):
3457         * jit/JIT.cpp:
3458         (JSC::JIT::privateCompileMainPass):
3459         * jit/JITOperations.cpp:
3460         (JSC::operationNewFunctionCommon):
3461         * jsc.cpp:
3462         (checkException):
3463         * runtime/BooleanObject.h:
3464         (JSC::asBooleanObject): Deleted.
3465         * runtime/BooleanPrototype.cpp:
3466         (JSC::booleanProtoFuncToString):
3467         (JSC::booleanProtoFuncValueOf):
3468         * runtime/DateConstructor.cpp:
3469         (JSC::constructDate):
3470         * runtime/DateInstance.h:
3471         (JSC::asDateInstance): Deleted.
3472         * runtime/DatePrototype.cpp:
3473         (JSC::formateDateInstance):
3474         (JSC::dateProtoFuncToISOString):
3475         (JSC::dateProtoFuncToLocaleString):
3476         (JSC::dateProtoFuncToLocaleDateString):
3477         (JSC::dateProtoFuncToLocaleTimeString):
3478         (JSC::dateProtoFuncGetTime):
3479         (JSC::dateProtoFuncGetFullYear):
3480         (JSC::dateProtoFuncGetUTCFullYear):
3481         (JSC::dateProtoFuncGetMonth):
3482         (JSC::dateProtoFuncGetUTCMonth):
3483         (JSC::dateProtoFuncGetDate):
3484         (JSC::dateProtoFuncGetUTCDate):
3485         (JSC::dateProtoFuncGetDay):
3486         (JSC::dateProtoFuncGetUTCDay):
3487         (JSC::dateProtoFuncGetHours):
3488         (JSC::dateProtoFuncGetUTCHours):
3489         (JSC::dateProtoFuncGetMinutes):
3490         (JSC::dateProtoFuncGetUTCMinutes):
3491         (JSC::dateProtoFuncGetSeconds):
3492         (JSC::dateProtoFuncGetUTCSeconds):
3493         (JSC::dateProtoFuncGetMilliSeconds):
3494         (JSC::dateProtoFuncGetUTCMilliseconds):
3495         (JSC::dateProtoFuncGetTimezoneOffset):
3496         (JSC::dateProtoFuncSetTime):
3497         (JSC::setNewValueFromTimeArgs):
3498         (JSC::setNewValueFromDateArgs):
3499         (JSC::dateProtoFuncSetYear):
3500         (JSC::dateProtoFuncGetYear):
3501         * runtime/ExceptionHelpers.cpp:
3502         (JSC::isTerminatedExecutionException):
3503         * runtime/FunctionPrototype.cpp:
3504         (JSC::functionProtoFuncToString):
3505         * runtime/InternalFunction.h:
3506         (JSC::asInternalFunction):
3507         * runtime/JSArray.h:
3508         (JSC::asArray):
3509         * runtime/JSCJSValue.cpp:
3510         (JSC::JSValue::dumpForBacktrace const):
3511         * runtime/JSCJSValue.h:
3512         * runtime/JSCJSValueInlines.h:
3513         (JSC::JSValue::inherits const):
3514         * runtime/JSCast.h:
3515         (JSC::JSCastingHelpers::inheritsGenericImpl):
3516         (JSC::JSCastingHelpers::inheritsJSTypeImpl):
3517         (JSC::JSCastingHelpers::InheritsTraits::inherits):
3518         (JSC::JSCastingHelpers::inherits):
3519         (JSC::jsDynamicCast):
3520         (JSC::JSCastingHelpers::jsDynamicCastGenericImpl): Deleted.
3521         (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl): Deleted.
3522         (JSC::JSCastingHelpers::JSDynamicCastTraits::cast): Deleted.
3523         * runtime/JSCell.h:
3524         * runtime/JSCellInlines.h:
3525         (JSC::JSCell::inherits const):
3526         * runtime/JSFunction.cpp:
3527         (JSC::RetrieveCallerFunctionFunctor::operator() const):
3528         (JSC::JSFunction::callerGetter):
3529         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3530         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
3531         * runtime/JSGlobalObject.cpp:
3532         (JSC::enqueueJob):
3533         * runtime/JSGlobalObject.h:
3534         (JSC::asGlobalObject): Deleted.
3535         * runtime/JSInternalPromiseDeferred.cpp:
3536         (JSC::JSInternalPromiseDeferred::create):
3537         * runtime/JSLexicalEnvironment.h:
3538         (JSC::asActivation):
3539         * runtime/JSONObject.cpp:
3540         (JSC::unwrapBoxedPrimitive):
3541         (JSC::Stringifier::Stringifier):
3542         (JSC::Walker::walk):
3543         * runtime/JSPromise.cpp:
3544         (JSC::JSPromise::resolve):
3545         * runtime/JSPromiseDeferred.cpp:
3546         (JSC::JSPromiseDeferred::create):
3547         * runtime/JSType.h:
3548         * runtime/ProxyObject.h:
3549         (JSC::ProxyObject::create): Deleted.
3550         (JSC::ProxyObject::createStructure): Deleted.
3551         (JSC::ProxyObject::target const): Deleted.
3552         (JSC::ProxyObject::handler const): Deleted.
3553         * runtime/RegExpConstructor.cpp:
3554         (JSC::constructRegExp):
3555         * runtime/RegExpConstructor.h:
3556         (JSC::asRegExpConstructor):
3557         (JSC::isRegExp):
3558         * runtime/RegExpObject.cpp:
3559         (JSC::RegExpObject::finishCreation):
3560         (JSC::RegExpObject::getOwnPropertySlot):
3561         (JSC::RegExpObject::defineOwnProperty):
3562         (JSC::regExpObjectSetLastIndexStrict):
3563         (JSC::regExpObjectSetLastIndexNonStrict):
3564         (JSC::RegExpObject::put):
3565         * runtime/RegExpObject.h:
3566         (JSC::RegExpObject::create): Deleted.
3567         (JSC::RegExpObject::setRegExp): Deleted.
3568         (JSC::RegExpObject::regExp const): Deleted.
3569         (JSC::RegExpObject::setLastIndex): Deleted.
3570         (JSC::RegExpObject::getLastIndex const): Deleted.
3571         (JSC::RegExpObject::test): Deleted.
3572         (JSC::RegExpObject::testInline): Deleted.
3573         (JSC::RegExpObject::createStructure): Deleted.
3574         (JSC::RegExpObject::offsetOfRegExp): Deleted.
3575         (JSC::RegExpObject::offsetOfLastIndex): Deleted.
3576         (JSC::RegExpObject::offsetOfLastIndexIsWritable): Deleted.
3577         (JSC::RegExpObject::allocationSize): Deleted.
3578         (JSC::asRegExpObject): Deleted.
3579         * runtime/RegExpPrototype.cpp:
3580         (JSC::regExpProtoFuncTestFast):
3581         (JSC::regExpProtoFuncExec):
3582         (JSC::regExpProtoFuncMatchFast):
3583         (JSC::regExpProtoFuncCompile):
3584         (JSC::regExpProtoGetterGlobal):
3585         (JSC::regExpProtoGetterIgnoreCase):
3586         (JSC::regExpProtoGetterMultiline):
3587         (JSC::regExpProtoGetterDotAll):
3588         (JSC::regExpProtoGetterSticky):
3589         (JSC::regExpProtoGetterUnicode):
3590         (JSC::regExpProtoGetterSource):
3591         (JSC::regExpProtoFuncSearchFast):
3592         (JSC::regExpProtoFuncSplitFast):
3593         * runtime/StringObject.h:
3594         (JSC::asStringObject): Deleted.
3595         * runtime/StringPrototype.cpp:
3596         (JSC::replaceUsingRegExpSearch):
3597         (JSC::replace):
3598         (JSC::stringProtoFuncReplaceUsingRegExp):
3599         (JSC::stringProtoFuncToString):
3600         * runtime/SymbolPrototype.cpp:
3601         (JSC::symbolProtoFuncToString):
3602         (JSC::symbolProtoFuncValueOf):
3603         * tools/JSDollarVM.cpp:
3604         (WTF::customGetValue):
3605         (WTF::customSetValue):
3606         * wasm/js/JSWebAssemblyHelpers.h:
3607         (JSC::isWebAssemblyHostFunction):
3608         * wasm/js/WebAssemblyWrapperFunction.cpp:
3609         (JSC::WebAssemblyWrapperFunction::create):
3610
3611 2018-03-07  Tim Horton  <timothy_horton@apple.com>
3612
3613         Sort and separate FeatureDefines.xcconfig
3614         https://bugs.webkit.org/show_bug.cgi?id=183427
3615
3616         Reviewed by Dan Bernstein.
3617
3618         * Configurations/FeatureDefines.xcconfig:
3619         Sort and split FeatureDefines into paragraphs
3620         (to make it easier to sort later).
3621
3622 2018-03-07  Keith Miller  <keith_miller@apple.com>
3623
3624         Unreviewed, fix 32-bit build.
3625
3626         * dfg/DFGSpeculativeJIT.cpp:
3627         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3628
3629 2018-03-07  Keith Miller  <keith_miller@apple.com>
3630
3631         Meta-program setupArguments and callOperation
3632         https://bugs.webkit.org/show_bug.cgi?id=183263
3633
3634         Rubber-stamped by Filip Pizlo.
3635
3636         This patch removes all the custom overrides of callOperation and setupArguments
3637         throughout the JITs. In their place there is a new setupArguments that marshalls
3638         the arguments into place based on the type of the operation's function pointer.
3639         There were a couple of design choices in the implementation of setupArguments:
3640
3641         1) We assume that no TrustedImm floating point values are passed.
3642         2) If ExecState* is the first argument the callFrameRegister should be marshalled implicitly.
3643         3) Types should not be implicitly converted (with the exception of DFG::RegisteredStructure -> Structure*)
3644
3645         The new callOperation/setupArguments do their best to make sure
3646         it's hard to call a function with the wrong parameters. They will
3647         only try to pattern match if the types match up with the next
3648         passed argument. Additionally, the base case should static_assert
3649         if the number of inferred arguments does not match the arity of
3650         the operation's function pointer.
3651
3652         * assembler/AbstractMacroAssembler.h:
3653         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
3654         (JSC::AbstractMacroAssembler::TrustedImmPtr::asPtr):
3655         * assembler/MacroAssembler.h:
3656         (JSC::MacroAssembler::poke):
3657         (JSC::MacroAssembler::move):
3658         * assembler/MacroAssemblerARM64.h:
3659         (JSC::MacroAssemblerARM64::swap):
3660         * assembler/MacroAssemblerX86.h:
3661         (JSC::MacroAssemblerX86::storeDouble):
3662         * assembler/MacroAssemblerX86Common.h:
3663         (JSC::MacroAssemblerX86Common::loadDouble):
3664         (JSC::MacroAssemblerX86Common::swap):
3665         (JSC::MacroAssemblerX86Common::move):
3666         * bytecode/AccessCase.cpp:
3667         (JSC::AccessCase::generateImpl):
3668         * bytecode/AccessCaseSnippetParams.cpp:
3669         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
3670         * bytecode/PolymorphicAccess.cpp:
3671         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
3672         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
3673         * dfg/DFGNode.h:
3674         * dfg/DFGOSRExit.cpp:
3675         (JSC::DFG::OSRExit::emitRestoreArguments):
3676         * dfg/DFGOSRExitCompilerCommon.cpp:
3677         (JSC::DFG::osrWriteBarrier):
3678         * dfg/DFGOperations.cpp:
3679         * dfg/DFGOperations.h:
3680         * dfg/DFGSlowPathGenerator.h:
3681         * dfg/DFGSpeculativeJIT.cpp:
3682         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
3683         (JSC::DFG::SpeculativeJIT::compileArithMod):
3684         (JSC::DFG::SpeculativeJIT::compileArithRounding):
3685         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
3686         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
3687         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3688         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
3689         * dfg/DFGSpeculativeJIT.h:
3690         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
3691         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::operator MacroAssembler::TrustedImm const):
3692         (JSC::DFG::SpeculativeJIT::initConstantInfo):
3693         (JSC::DFG::SpeculativeJIT::callOperation):
3694         (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
3695         (JSC::DFG::SpeculativeJIT::callCustomGetter): Deleted.
3696         * dfg/DFGSpeculativeJIT32_64.cpp:
3697         (JSC::DFG::SpeculativeJIT::cachedGetById):
3698         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3699         (JSC::DFG::SpeculativeJIT::cachedPutById):
3700         (JSC::DFG::SpeculativeJIT::emitCall):
3701         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
3702         (JSC::DFG::SpeculativeJIT::compile):
3703         * dfg/DFGSpeculativeJIT64.cpp:
3704         (JSC::DFG::SpeculativeJIT::emitCall):
3705         (JSC::DFG::SpeculativeJIT::compile):
3706         * ftl/FTLLowerDFGToB3.cpp:
3707         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3708         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3709         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3710         * ftl/FTLOSRExitCompiler.cpp:
3711         (JSC::FTL::compileStub):
3712         * ftl/FTLSlowPathCall.h:
3713         (JSC::FTL::callOperation):
3714         * jit/AssemblyHelpers.cpp:
3715         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
3716         * jit/CCallHelpers.cpp:
3717         (JSC::CCallHelpers::ensureShadowChickenPacket):
3718         * jit/CCallHelpers.h:
3719         (JSC::CCallHelpers::setupArgument):
3720         (JSC::CCallHelpers::setupStubArgs):
3721         (JSC::CCallHelpers::ArgCollection::ArgCollection):
3722         (JSC::CCallHelpers::ArgCollection::pushRegArg):
3723         (JSC::CCallHelpers::ArgCollection::addGPRArg):
3724         (JSC::CCallHelpers::ArgCollection::addStackArg):
3725         (JSC::CCallHelpers::ArgCollection::addPoke):
3726         (JSC::CCallHelpers::ArgCollection::argCount):
3727         (JSC::CCallHelpers::clampArrayToSize):
3728         (JSC::CCallHelpers::pokeForArgument):
3729         (JSC::CCallHelpers::marshallArgumentRegister):
3730         (JSC::CCallHelpers::setupArgumentsImpl):
3731         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
3732         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
3733         (JSC::CCallHelpers::setupArguments):
3734         (JSC::CCallHelpers::prepareForTailCallSlow):
3735         (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
3736         (JSC::CCallHelpers::resetCallArguments): Deleted.
3737         (JSC::CCallHelpers::addCallArgument): Deleted.
3738         (JSC::CCallHelpers::setupArgumentsExecState): Deleted.
3739         (JSC::CCallHelpers::setupTwoStubArgsGPR): Deleted.
3740         (JSC::CCallHelpers::setupThreeStubArgsGPR): Deleted.
3741         (JSC::CCallHelpers::setupFourStubArgsGPR): Deleted.
3742         (JSC::CCallHelpers::setupFiveStubArgsGPR): Deleted.
3743         (JSC::CCallHelpers::setupTwoStubArgsFPR): Deleted.
3744         (JSC::CCallHelpers::setupStubArguments): Deleted.
3745         (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Deleted.
3746         (JSC::CCallHelpers::setupStubArguments134): Deleted.
3747         (JSC::CCallHelpers::setupStubArgsGPR): Deleted.
3748         * jit/FPRInfo.h:
3749         (JSC::toInfoFromReg):
3750         * jit/GPRInfo.h:
3751         (JSC::JSValueRegs::JSValueRegs):
3752         (JSC::toInfoFromReg):
3753         * jit/JIT.h:
3754         (JSC::JIT::callOperation):
3755         (JSC::JIT::callOperationWithProfile):
3756         (JSC::JIT::callOperationWithResult):
3757         (JSC::JIT::callOperationNoExceptionCheck):
3758         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
3759         * jit/JITArithmetic.cpp:
3760         (JSC::JIT::emitMathICFast):
3761         (JSC::JIT::emitMathICSlow):
3762         * jit/JITArithmetic32_64.cpp:
3763         (JSC::JIT::emit_compareAndJumpSlow):
3764         * jit/JITCall32_64.cpp:
3765         (JSC::JIT::compileSetupVarargsFrame):
3766         * jit/JITInlines.h:
3767         (JSC::JIT::callOperation): Deleted.
3768         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
3769         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
3770         * jit/JITOpcodes.cpp:
3771         (JSC::JIT::emit_op_new_array_with_size):
3772         * jit/JITOpcodes32_64.cpp:
3773         (JSC::JIT::emitSlow_op_instanceof):
3774         (JSC::JIT::emitSlow_op_instanceof_custom):
3775         (JSC::JIT::emit_op_set_function_name):
3776         (JSC::JIT::emitSlow_op_eq):
3777         (JSC::JIT::emitSlow_op_neq):
3778         (JSC::JIT::emit_op_throw):
3779         (JSC::JIT::emit_op_switch_imm):
3780         (JSC::JIT::emit_op_switch_char):
3781         (JSC::JIT::emit_op_switch_string):
3782         (JSC::JIT::emitSlow_op_has_indexed_property):
3783         * jit/JITOperations.cpp:
3784         * jit/JITOperations.h:
3785         * jit/JITPropertyAccess.cpp:
3786         (JSC::JIT::emitGetByValWithCachedId):
3787         (JSC::JIT::emitSlow_op_get_by_id):
3788         (JSC::JIT::emitSlow_op_get_by_id_with_this):
3789         (JSC::JIT::emitSlow_op_get_from_scope):
3790         * jit/JITPropertyAccess32_64.cpp:
3791         (JSC::JIT::emit_op_put_by_index):
3792         (JSC::JIT::emit_op_put_setter_by_id):
3793         (JSC::JIT::emit_op_put_getter_setter_by_id):
3794         (JSC::JIT::emit_op_put_getter_by_val):
3795         (JSC::JIT::emit_op_put_setter_by_val):
3796         (JSC::JIT::emit_op_del_by_id):
3797         (JSC::JIT::emit_op_del_by_val):
3798         (JSC::JIT::emitGetByValWithCachedId):
3799         (JSC::JIT::emitSlow_op_get_by_val):
3800         (JSC::JIT::emitPutByValWithCachedId):
3801         (JSC::JIT::emitSlow_op_put_by_val):
3802         (JSC::JIT::emitSlow_op_try_get_by_id):
3803         (JSC::JIT::emitSlow_op_get_by_id):
3804         (JSC::JIT::emitSlow_op_get_by_id_with_this):
3805         (JSC::JIT::emitSlow_op_put_by_id):
3806         (JSC::JIT::emitSlow_op_get_from_scope):
3807         * jit/RegisterSet.h:
3808         (JSC::RegisterSet::RegisterSet):
3809         * jit/ThunkGenerators.cpp:
3810         (JSC::throwExceptionFromCallSlowPathGenerator):
3811         (JSC::slowPathFor):
3812         * jsc.cpp:
3813         (GlobalObject::finishCreation):
3814         (functionBreakpoint):
3815         * runtime/JSCJSValue.h:
3816         * wasm/js/WasmToJS.cpp:
3817         (JSC::Wasm::wasmToJS):
3818
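A toy model of the type-driven setupArguments design described in the entry above, added here as an illustration; it is not WebKit's code, and ExecState, Structure, RegisteredStructure, GPRReg, TrustedImm32, TrustedImmPtr and callFrameRegister are simplified stand-ins for the JSC types. Parameter types are deduced from the operation's function-pointer type, each passed argument is matched against the next parameter, and an arity or kind mismatch is a static_assert instead of a silently wrong call.

```cpp
#include <cstdint>
#include <type_traits>
#include <vector>

struct ExecState; struct Structure;               // opaque stand-ins for the JSC types
struct RegisteredStructure { Structure* ptr; };  // stands in for DFG::RegisteredStructure
struct GPRReg { int id; };                       // value lives in a machine register
struct TrustedImm32 { int32_t value; };          // immediate integer (no FP immediates: choice 1)
struct TrustedImmPtr { const void* value; };     // immediate pointer
constexpr GPRReg callFrameRegister { 99 };       // hypothetical register number
// One marshalled argument: where the callee's parameter value comes from.
struct Slot {
    enum Kind { FromRegister, FromImm32, FromImmPtr } kind;
    int reg;            // valid for FromRegister
    std::intptr_t imm;  // valid for the immediate kinds
};
struct ArgCollection {
    std::vector<Slot> slots;
    void addRegister(GPRReg r) { slots.push_back({ Slot::FromRegister, r.id, 0 }); }
    void addImm32(TrustedImm32 i) { slots.push_back({ Slot::FromImm32, -1, i.value }); }
    void addImmPtr(TrustedImmPtr p) { slots.push_back({ Slot::FromImmPtr, -1, reinterpret_cast<std::intptr_t>(p.value) }); }
};
template<typename... Ts> struct TypeList {};
template<typename> inline constexpr bool dependentFalse = false;

// Base cases: parameter list and argument list must run out together, or the arity is wrong.
template<typename... Args>
void marshalImpl(ArgCollection&, TypeList<>, Args...) { static_assert(sizeof...(Args) == 0, "too many arguments for the operation"); }
template<typename P, typename... Params>
void marshalImpl(ArgCollection&, TypeList<P, Params...>) { static_assert(dependentFalse<P>, "too few arguments for the operation"); }

// Recursive case: the argument kind must fit the next parameter type; the only implicit
// conversion allowed is RegisteredStructure -> Structure* (choice 3).
template<typename P, typename... Params, typename Arg, typename... Args>
void marshalImpl(ArgCollection& c, TypeList<P, Params...>, Arg arg, Args... rest)
{
    if constexpr (std::is_same_v<Arg, GPRReg>) {
        static_assert(std::is_integral_v<P> || std::is_pointer_v<P>, "register passed for a non-scalar parameter");
        c.addRegister(arg);
    } else if constexpr (std::is_same_v<Arg, TrustedImm32>) {
        static_assert(std::is_integral_v<P>, "TrustedImm32 passed for a non-integral parameter");
        c.addImm32(arg);
    } else if constexpr (std::is_same_v<Arg, TrustedImmPtr>) {
        static_assert(std::is_pointer_v<P>, "TrustedImmPtr passed for a non-pointer parameter");
        c.addImmPtr(arg);
    } else if constexpr (std::is_same_v<Arg, RegisteredStructure>) {
        static_assert(std::is_same_v<P, Structure*>, "RegisteredStructure only converts to Structure*");
        c.addImmPtr(TrustedImmPtr { arg.ptr });
    } else {
        static_assert(dependentFalse<Arg>, "unsupported argument kind");
    }
    marshalImpl(c, TypeList<Params...>{}, rest...);
}

// Choice 2: a leading ExecState* parameter is filled from callFrameRegister implicitly.
template<typename... Params, typename... Args>
void startMarshal(ArgCollection& c, TypeList<ExecState*, Params...>, Args... args)
{
    c.addRegister(callFrameRegister);
    marshalImpl(c, TypeList<Params...>{}, args...);
}
template<typename... Params, typename... Args>
void startMarshal(ArgCollection& c, TypeList<Params...>, Args... args) { marshalImpl(c, TypeList<Params...>{}, args...); }

// Parameter types are taken from the operation's function-pointer type, nothing else.
template<typename R, typename... Params, typename... Args>
ArgCollection setupArguments(R (*)(Params...), Args... args)
{
    ArgCollection c;
    startMarshal(c, TypeList<Params...>{}, args...);
    return c;
}

// Constructed sample operations; only their signatures matter here.
int64_t operationAdd(ExecState*, int64_t a, int32_t b) { return a + b; }
void operationSetStructure(ExecState*, Structure*, const void*) {}

// ExecState* implicit, a register for int64_t, an immediate for int32_t: three slots.
std::vector<Slot> marshalAddExample() { return setupArguments(operationAdd, GPRReg { 3 }, TrustedImm32 { 42 }).slots; }

// RegisteredStructure converts to Structure*; the address is constructed and never dereferenced.
std::vector<Slot> marshalStructureExample()
{
    Structure* fake = reinterpret_cast<Structure*>(0x1000);
    return setupArguments(operationSetStructure, RegisteredStructure { fake }, GPRReg { 7 }).slots;
}
// Rejected at compile time, which is the point of the design:
//   setupArguments(operationAdd, GPRReg { 3 });                                  // too few arguments
//   setupArguments(operationAdd, TrustedImmPtr { nullptr }, TrustedImm32 { 1 });  // pointer for int64_t
```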
3819 2018-03-07  Mark Lam  <mark.lam@apple.com>
3820
3821         Rename ProtoCallFrame::arityMissMatch to hasArityMismatch.
3822         https://bugs.webkit.org/show_bug.cgi?id=183414
3823         <rdar://problem/38231678>
3824
3825         Reviewed by Michael Saboff.
3826
3827         * interpreter/ProtoCallFrame.cpp:
3828         (JSC::ProtoCallFrame::init):
3829         * interpreter/ProtoCallFrame.h:
3830
3831 2018-03-07  Mark Lam  <mark.lam@apple.com>
3832
3833         Simplify the variants of FunctionPtr constructors.
3834         https://bugs.webkit.org/show_bug.cgi?id=183399
3835         <rdar://problem/38212980>
3836
3837         Reviewed by Yusuke Suzuki.
3838
3839         * assembler/MacroAssemblerCodeRef.h:
3840         (JSC::FunctionPtr::FunctionPtr):
3841
3842 2018-03-06  Filip Pizlo  <fpizlo@apple.com>
3843
3844         MarkedArgumentsBuffer should allocate from the JSValue Gigacage
3845         https://bugs.webkit.org/show_bug.cgi?id=183377
3846
3847         Reviewed by Michael Saboff.
3848         
3849         That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.
3850
3851         * runtime/ArgList.cpp:
3852         (JSC::MarkedArgumentBuffer::expandCapacity):
3853
3854 2018-03-07  Mark Lam  <mark.lam@apple.com>
3855
3856         Add support for ARM64E.
3857         https://bugs.webkit.org/show_bug.cgi?id=183398
3858         <rdar://problem/38212621>
3859
3860         Reviewed by Michael Saboff.
3861
3862         * assembler/MacroAssembler.h:
3863         * llint/LLIntOfflineAsmConfig.h:
3864         * llint/LowLevelInterpreter.asm:
3865         * llint/LowLevelInterpreter64.asm:
3866         * offlineasm/backends.rb:
3867
3868 2018-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3869
3870         HTML `pattern` attribute should set `u` flag for regular expressions
3871         https://bugs.webkit.org/show_bug.cgi?id=151598
3872
3873         Reviewed by Chris Dumez.
3874
3875         Add UnicodeMode for JSC::Yarr::RegularExpression.
3876
3877         * yarr/RegularExpression.cpp:
3878         (JSC::Yarr::RegularExpression::Private::create):
3879         (JSC::Yarr::RegularExpression::Private::Private):
3880         (JSC::Yarr::RegularExpression::Private::compile):
3881         (JSC::Yarr::RegularExpression::RegularExpression):
3882         * yarr/RegularExpression.h:
3883
3884 2018-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3885
3886         [JSC] Add more JSType based fast path for jsDynamicCast
3887         https://bugs.webkit.org/show_bug.cgi?id=183403
3888
3889         Reviewed by Mark Lam.
3890
3891         We add more JSType-based fast paths for jsDynamicCast. Basically, we add miscellaneous JSTypes which
3892         are used for jsDynamicCast in JSC, arguments types, and scope types.
3893
3894         We also add ClassInfo to JSScope and JSSegmentedVariableObject since they are used with jsDynamicCast.
3895
3896         * jit/JITOperations.cpp:
3897         * llint/LLIntSlowPaths.cpp:
3898         (JSC::LLInt::setUpCall):
3899         * runtime/ClonedArguments.h:
3900         (JSC::ClonedArguments::specialsMaterialized const): Deleted.
3901         * runtime/DirectArguments.h:
3902         (JSC::DirectArguments::subspaceFor): Deleted.
3903         (JSC::DirectArguments::internalLength const): Deleted.
3904         (JSC::DirectArguments::length const): Deleted.
3905         (JSC::DirectArguments::isMappedArgument const): Deleted.
3906         (JSC::DirectArguments::isMappedArgumentInDFG const): Deleted.
3907         (JSC::DirectArguments::getIndexQuickly const): Deleted.
3908         (JSC::DirectArguments::setIndexQuickly): Deleted.
3909         (JSC::DirectArguments::callee): Deleted.
3910         (JSC::DirectArguments::argument): Deleted.
3911         (JSC::DirectArguments::overrodeThings const): Deleted.
3912         (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
3913         (JSC::DirectArguments::setModifiedArgumentDescriptor): Deleted.
3914         (JSC::DirectArguments::isModifiedArgumentDescriptor): Deleted.
3915         (JSC::DirectArguments::offsetOfCallee): Deleted.
3916         (JSC::DirectArguments::offsetOfLength): Deleted.
3917         (JSC::DirectArguments::offsetOfMinCapacity): Deleted.
3918         (JSC::DirectArguments::offsetOfMappedArguments): Deleted.
3919         (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor): Deleted.
3920         (JSC::DirectArguments::storageOffset): Deleted.
3921         (JSC::DirectArguments::offsetOfSlot): Deleted.
3922         (JSC::DirectArguments::allocationSize): Deleted.
3923         (JSC::DirectArguments::storage): Deleted.
3924         * runtime/JSCast.h:
3925         * runtime/JSGlobalLexicalEnvironment.h:
3926         (JSC::JSGlobalLexicalEnvironment::create): Deleted.
3927         (JSC::JSGlobalLexicalEnvironment::isEmpty const): Deleted.
3928         (JSC::JSGlobalLexicalEnvironment::createStructure): Deleted.
3929         (JSC::JSGlobalLexicalEnvironment::JSGlobalLexicalEnvironment): Deleted.
3930         * runtime/JSGlobalObject.cpp:
3931         (JSC::JSGlobalObject::finishCreation):
3932         * runtime/JSMap.h:
3933         (JSC::isJSMap): Deleted.
3934         * runtime/JSModuleEnvironment.h:
3935         (JSC::JSModuleEnvironment::create): Deleted.
3936         (JSC::JSModuleEnvironment::createStructure): Deleted.
3937         (JSC::JSModuleEnvironment::offsetOfModuleRecord): Deleted.
3938         (JSC::JSModuleEnvironment::allocationSize): Deleted.
3939         (JSC::JSModuleEnvironment::moduleRecord): Deleted.
3940         (JSC::JSModuleEnvironment::moduleRecordSlot): Deleted.
3941         * runtime/JSObject.cpp:
3942         (JSC::canDoFastPutDirectIndex):
3943         (JSC::JSObject::defineOwnIndexedProperty):
3944         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3945         * runtime/JSObject.h:
3946         (JSC::JSFinalObject::allocationSize): Deleted.
3947         (JSC::JSFinalObject::typeInfo): Deleted.
3948         (JSC::JSFinalObject::defaultInlineCapacity): Deleted.
3949         (JSC::JSFinalObject::maxInlineCapacity): Deleted.
3950         (JSC::JSFinalObject::createStructure): Deleted.
3951         (JSC::JSFinalObject::finishCreation): Deleted.
3952         (JSC::JSFinalObject::JSFinalObject): Deleted.
3953         (JSC::isJSFinalObject): Deleted.
3954         * runtime/JSScope.cpp:
3955         * runtime/JSScope.h:
3956         * runtime/JSSegmentedVariableObject.cpp:
3957         * runtime/JSSegmentedVariableObject.h:
3958         * runtime/JSSet.h:
3959         (JSC::isJSSet): Deleted.
3960         * runtime/JSType.h:
3961         * runtime/JSWeakMap.h:
3962         (JSC::isJSWeakMap): Deleted.
3963         * runtime/JSWeakSet.h:
3964         (JSC::isJSWeakSet): Deleted.
3965         * runtime/JSWithScope.h:
3966         (JSC::JSWithScope::object): Deleted.
3967         * runtime/MapConstructor.cpp:
3968         (JSC::constructMap):
3969         (JSC::mapPrivateFuncMapBucketHead):
3970         * runtime/MapPrototype.cpp:
3971         (JSC::getMap):
3972         * runtime/NumberObject.cpp:
3973         (JSC::NumberObject::finishCreation):
3974         * runtime/NumberPrototype.cpp:
3975         (JSC::toThisNumber):
3976         (JSC::numberProtoFuncToExponential):
3977         (JSC::numberProtoFuncToFixed):
3978         (JSC::numberProtoFuncToPrecision):
3979         (JSC::numberProtoFuncToString):