Remove poisoning of typed array vector
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-04-04  Filip Pizlo  <fpizlo@apple.com>

        Remove poisoning of typed array vector
        https://bugs.webkit.org/show_bug.cgi?id=184313

        Reviewed by Saam Barati.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/x86.rb:
        * runtime/CagedBarrierPtr.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        (JSC::JSArrayBufferView::finalize):
        (JSC::JSArrayBufferView::neuter):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::vector const):
        (JSC::JSArrayBufferView::offsetOfVector):
        (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
        (JSC::JSArrayBufferView::poisonFor): Deleted.
        (JSC::JSArrayBufferView::Poison::key): Deleted.
        * runtime/JSCPoison.cpp:
        (JSC::initializePoison):
        * runtime/JSCPoison.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.h:

2018-04-03  Filip Pizlo  <fpizlo@apple.com>

        Don't do index masking or poisoning for DirectArguments
        https://bugs.webkit.org/show_bug.cgi?id=184280

        Reviewed by Saam Barati.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
        (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
        * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
        (JSC::DFG::SpeculativeJIT::compilePutToArguments):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
        * heap/SecurityKind.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emitDirectArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::DirectArguments):
        (JSC::DirectArguments::createUninitialized):
        (JSC::DirectArguments::create):
        (JSC::DirectArguments::createByCopying):
        (JSC::DirectArguments::estimatedSize):
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::copyToArguments):
        (JSC::DirectArguments::mappedArgumentsSize):
        * runtime/DirectArguments.h:
        * runtime/JSCPoison.h:
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSSymbolTableObject.h:

2018-04-03  Filip Pizlo  <fpizlo@apple.com>

        JSArray::appendMemcpy seems to be missing a barrier
        https://bugs.webkit.org/show_bug.cgi?id=184290

        Reviewed by Mark Lam.

        If you write to an array that may contain pointers and you didn't just allocate it, then you need to
        barrier right after.

        I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
        obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.

        * runtime/JSArray.cpp:
        (JSC::JSArray::appendMemcpy):

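The barrier rule stated in the entry above, as an added example that is not part of this ChangeLog or of JSC's heap code: a toy generational heap in which an old, rooted array receives a young pointer through a memcpy-style append, once without and once with the post-write barrier. The Cell and Heap types and the scenario function are constructed for illustration.

```cpp
// Added toy model of a generational GC with a remembered set, written to show
// why a bulk pointer copy such as JSArray::appendMemcpy needs a write barrier
// when the destination was not just allocated. It is not JSC's heap code.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <set>
#include <vector>

struct Cell {
    bool isOld = false;          // survived an earlier collection
    bool marked = false;
    std::vector<Cell*> slots;    // pointer-typed element storage
};

class Heap {
public:
    ~Heap() {
        for (Cell* c : cells_) delete c;
        for (Cell* c : reclaimed_) delete c;
    }
    Cell* allocate(bool old) { Cell* c = new Cell; c->isOld = old; cells_.insert(c); return c; }
    void addRoot(Cell* c) { roots_.push_back(c); }
    bool isLive(Cell* c) const { return cells_.count(c) != 0; }

    // Post-write barrier: an old cell that just received pointers may now point
    // into the young generation, so the next eden collection must rescan it.
    void writeBarrier(Cell* owner) { if (owner->isOld) remembered_.insert(owner); }

    // Bulk-copies `count` pointers onto the end of `dst`, as appendMemcpy does with
    // butterfly contents. `barrier` selects whether the barrier runs afterwards.
    void appendMemcpy(Cell* dst, Cell* const* src, size_t count, bool barrier) {
        size_t oldSize = dst->slots.size();
        dst->slots.resize(oldSize + count);
        std::memcpy(dst->slots.data() + oldSize, src, count * sizeof(Cell*));
        if (barrier) writeBarrier(dst);
    }

    // Eden collection: marks from the roots and from remembered old cells only.
    // Old cells outside the remembered set are assumed unchanged since the last
    // full collection, so their slots are not rescanned; that is exactly the
    // assumption a missing barrier breaks. Returns the number of cells reclaimed.
    size_t edenCollect() {
        for (Cell* c : cells_) c->marked = false;
        std::vector<Cell*> work(roots_.begin(), roots_.end());
        work.insert(work.end(), remembered_.begin(), remembered_.end());
        while (!work.empty()) {
            Cell* c = work.back();
            work.pop_back();
            if (c->marked) continue;
            c->marked = true;
            if (c->isOld && !remembered_.count(c)) continue;
            for (Cell* child : c->slots) work.push_back(child);
        }
        size_t reclaimed = 0;
        for (auto it = cells_.begin(); it != cells_.end();) {
            Cell* c = *it;
            if (!c->isOld && !c->marked) {
                reclaimed_.insert(c);     // freed: any pointer to it now dangles
                it = cells_.erase(it);
                ++reclaimed;
            } else {
                c->isOld = true;          // survivors are promoted
                ++it;
            }
        }
        remembered_.clear();
        return reclaimed;
    }

private:
    std::set<Cell*> cells_, reclaimed_, remembered_;
    std::vector<Cell*> roots_;
};

// The scenario from the ChangeLog entry: an old, rooted array receives a young
// cell through appendMemcpy and an eden collection follows. Returns whether the
// young cell is still live, i.e. whether the array's new element is safe to use.
bool youngElementSurvives(bool useBarrier) {
    Heap heap;
    Cell* oldArray = heap.allocate(/*old=*/true);
    heap.addRoot(oldArray);
    Cell* young = heap.allocate(/*old=*/false);
    Cell* src[1] = { young };
    heap.appendMemcpy(oldArray, src, 1, useBarrier);
    heap.edenCollect();
    return heap.isLive(young);
}

int main() {
    std::printf("without barrier: %s\n", youngElementSurvives(false) ? "element survives" : "element freed, dangling pointer");
    std::printf("with barrier:    %s\n", youngElementSurvives(true) ? "element survives" : "element freed, dangling pointer");
    return 0;
}
```
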
2018-04-03  Filip Pizlo  <fpizlo@apple.com>

        GC shouldn't do object distancing
        https://bugs.webkit.org/show_bug.cgi?id=184195

        Reviewed by Saam Barati.

        This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
        to be a small speed-up.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::findBlockForAllocation):
        (JSC::BlockDirectory::addBlock):
        * heap/BlockDirectory.h:
        * heap/CellAttributes.cpp:
        (JSC::CellAttributes::dump const):
        * heap/CellAttributes.h:
        (JSC::CellAttributes::CellAttributes):
        * heap/LocalAllocator.cpp:
        (JSC::LocalAllocator::allocateSlowCase):
        (JSC::LocalAllocator::tryAllocateWithoutCollecting):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
        * heap/SecurityKind.cpp: Removed.
        * heap/SecurityKind.h: Removed.
        * heap/SecurityOriginToken.cpp: Removed.
        * heap/SecurityOriginToken.h: Removed.
        * heap/ThreadLocalCache.cpp:
        (JSC::ThreadLocalCache::create):
        (JSC::ThreadLocalCache::ThreadLocalCache):
        * heap/ThreadLocalCache.h:
        (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
        * runtime/JSDestructibleObjectHeapCellType.cpp:
        (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::threadLocalCache const): Deleted.
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
        (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
        * runtime/JSStringHeapCellType.cpp:
        (JSC::JSStringHeapCellType::JSStringHeapCellType):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
        (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):

2018-04-02  Saam Barati  <sbarati@apple.com>

        bmalloc should compute its own estimate of its footprint
        https://bugs.webkit.org/show_bug.cgi?id=184121

        Reviewed by Filip Pizlo.

        * heap/IsoAlignedMemoryAllocator.cpp:
        (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):

2018-04-02  Mark Lam  <mark.lam@apple.com>

        We should not trash the stack pointer on OSR entry.
        https://bugs.webkit.org/show_bug.cgi?id=184243
        <rdar://problem/39114319>

        Reviewed by Filip Pizlo.

        In the DFG OSR entry path, we momentarily overwrite the stack pointer with
        returnValueGPR2.  returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
        Hence, this assignment is wrong, and it turns out to be unnecessary as well.
        The stack pointer does get corrected later in the thunk (generated by
        osrEntryThunkGenerator()) that we jump to.  This is why we don't see ill effects
        so far.

        This bug only poses an issue if interrupts use the user stack for their stack
        frame (e.g. Linux), and when we do stack alignment tests during debugging.

        The fix is simply to remove the assignment.

        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):

2018-04-02  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
        https://bugs.webkit.org/show_bug.cgi?id=183740

        Reviewed by Yusuke Suzuki.

        In many macro assembler methods with a TrustedImm32 operand, a move imm, immTemp (pseudo)instruction is
        first generated and a register operand variant of the same method is called to generate the rest
        of the code. If the immediate value can fit in 16 bits then we can skip the move instruction and
        generate more efficient code using MIPS instructions with immediate operand.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::slti):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::lshift32):
        (JSC::MacroAssemblerMIPS::xor32):
        (JSC::MacroAssemblerMIPS::branch8):
        (JSC::MacroAssemblerMIPS::compare8):
        (JSC::MacroAssemblerMIPS::branch32):
        (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerMIPS::branchTest32):
        (JSC::MacroAssemblerMIPS::mask8OnTest):
        (JSC::MacroAssemblerMIPS::branchTest8):
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchNeg32):
        (JSC::MacroAssemblerMIPS::compare32):
        (JSC::MacroAssemblerMIPS::test8):

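The immediate-operand decision described in the MIPS entry above, as an added example rather than JSC's own MacroAssemblerMIPS code: a small encoder for xor32 and a less-than compare that emits real MIPS32 instruction words, skipping the move when the immediate fits the 16-bit field, and then executes them on a toy register file. The use of t0 as the immTemp scratch register and the run/eval helpers are assumptions made for illustration; the opcode and funct values are the MIPS32 ones.

```cpp
// Added model of the MIPS macro assembler's TrustedImm32 fast path (not JSC's
// code): real MIPS32 encodings are emitted, then executed on a toy register file
// so the short and long forms can be compared. t0 as scratch is an assumption.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum : uint32_t { OP_SPECIAL = 0x00, OP_ADDIU = 0x09, OP_SLTI = 0x0a, OP_ORI = 0x0d, OP_XORI = 0x0e, OP_LUI = 0x0f };
enum : uint32_t { FUNCT_XOR = 0x26, FUNCT_SLT = 0x2a };
enum : uint32_t { ZERO = 0, T0 = 8, T1 = 9, T2 = 10 };
static const uint32_t immTemp = T0;   // assumed scratch register for materialised constants

// MIPS32 I-type: op[31:26] rs[25:21] rt[20:16] imm[15:0]
static uint32_t iType(uint32_t op, uint32_t rs, uint32_t rt, uint32_t imm) {
    return (op << 26) | (rs << 21) | (rt << 16) | (imm & 0xffffu);
}
// MIPS32 R-type: op=0 rs[25:21] rt[20:16] rd[15:11] shamt=0 funct[5:0]
static uint32_t rType(uint32_t rs, uint32_t rt, uint32_t rd, uint32_t funct) {
    return (rs << 21) | (rt << 16) | (rd << 11) | funct;
}

// Logical immediates (ori/xori/andi) zero-extend their 16-bit field; arithmetic
// and compare immediates (addiu/slti) sign-extend it. Whether a value "fits in
// 16 bits" therefore depends on the instruction that will consume it.
static bool fitsUnsigned16(int32_t imm) { return (static_cast<uint32_t>(imm) >> 16) == 0; }
static bool fitsSigned16(int32_t imm) { return imm >= -32768 && imm <= 32767; }

// move imm, rd: one instruction when the value fits, otherwise lui + ori.
static void emitMove(std::vector<uint32_t>& code, int32_t imm, uint32_t rd) {
    uint32_t u = static_cast<uint32_t>(imm);
    if (fitsSigned16(imm)) { code.push_back(iType(OP_ADDIU, ZERO, rd, u)); return; }
    if (fitsUnsigned16(imm)) { code.push_back(iType(OP_ORI, ZERO, rd, u)); return; }
    code.push_back(iType(OP_LUI, ZERO, rd, u >> 16));
    if (u & 0xffffu) code.push_back(iType(OP_ORI, rd, rd, u));
}

// xor32(TrustedImm32 imm, RegisterID dest): a single xori when the value
// zero-extends, otherwise materialise it and use the register form.
void xor32Imm(std::vector<uint32_t>& code, int32_t imm, uint32_t dest) {
    if (fitsUnsigned16(imm)) { code.push_back(iType(OP_XORI, dest, dest, static_cast<uint32_t>(imm))); return; }
    emitMove(code, imm, immTemp);
    code.push_back(rType(dest, immTemp, dest, FUNCT_XOR));
}

// compare32(LessThan, src, TrustedImm32 imm, dest): slti when the value sign-extends.
void compare32LessThanImm(std::vector<uint32_t>& code, uint32_t src, int32_t imm, uint32_t dest) {
    if (fitsSigned16(imm)) { code.push_back(iType(OP_SLTI, src, dest, static_cast<uint32_t>(imm))); return; }
    emitMove(code, imm, immTemp);
    code.push_back(rType(src, immTemp, dest, FUNCT_SLT));
}

// Just enough of MIPS32 to execute what the encoders above emit.
void run(const std::vector<uint32_t>& code, uint32_t regs[32]) {
    for (uint32_t insn : code) {
        uint32_t op = insn >> 26, rs = (insn >> 21) & 31, rt = (insn >> 16) & 31;
        uint32_t rd = (insn >> 11) & 31, funct = insn & 63, zext = insn & 0xffffu;
        uint32_t sext = static_cast<uint32_t>(static_cast<int32_t>(static_cast<int16_t>(zext)));
        switch (op) {
        case OP_ORI:   regs[rt] = regs[rs] | zext; break;
        case OP_XORI:  regs[rt] = regs[rs] ^ zext; break;
        case OP_LUI:   regs[rt] = zext << 16; break;
        case OP_ADDIU: regs[rt] = regs[rs] + sext; break;
        case OP_SLTI:  regs[rt] = static_cast<int32_t>(regs[rs]) < static_cast<int32_t>(sext); break;
        case OP_SPECIAL:
            if (funct == FUNCT_XOR) regs[rd] = regs[rs] ^ regs[rt];
            if (funct == FUNCT_SLT) regs[rd] = static_cast<int32_t>(regs[rs]) < static_cast<int32_t>(regs[rt]);
            break;
        }
        regs[ZERO] = 0;   // $zero is hard-wired
    }
}

// Encodes and runs dest ^= imm, reporting how many instructions were needed.
uint32_t evalXor(uint32_t value, int32_t imm, size_t* insnCount) {
    std::vector<uint32_t> code;
    uint32_t regs[32] = {0};
    regs[T1] = value;
    xor32Imm(code, imm, T1);
    run(code, regs);
    if (insnCount) *insnCount = code.size();
    return regs[T1];
}

// Encodes and runs dest = (src < imm), reporting how many instructions were needed.
uint32_t evalLessThan(int32_t value, int32_t imm, size_t* insnCount) {
    std::vector<uint32_t> code;
    uint32_t regs[32] = {0};
    regs[T1] = static_cast<uint32_t>(value);
    compare32LessThanImm(code, T1, imm, T2);
    run(code, regs);
    if (insnCount) *insnCount = code.size();
    return regs[T2];
}

int main() {
    size_t n = 0;
    uint32_t r = evalXor(0xdeadbeefu, 0x12345678, &n);
    std::printf("0xdeadbeef ^ 0x12345678 = 0x%08x using %zu instruction(s)\n", r, n);
    return 0;
}
```
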
2018-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] More aggressive removal of duplicate 32bit DFG code
        https://bugs.webkit.org/show_bug.cgi?id=184089

        Reviewed by Saam Barati.

        This patch more aggressively removes duplicate 32bit DFG code
        by leveraging JSValueRegs and meta-programmed callOperation.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValWithThis):
        (JSC::DFG::SpeculativeJIT::compileArithMinMax):
        (JSC::DFG::SpeculativeJIT::compileNewArray):
        (JSC::DFG::SpeculativeJIT::compileCheckCell):
        (JSC::DFG::SpeculativeJIT::compileGetGlobalVariable):
        (JSC::DFG::SpeculativeJIT::compilePutGlobalVariable):
        (JSC::DFG::SpeculativeJIT::compileGetClosureVar):
        (JSC::DFG::SpeculativeJIT::compilePutClosureVar):
        (JSC::DFG::SpeculativeJIT::compileGetByOffset):
        (JSC::DFG::SpeculativeJIT::compilePutByOffset):
        (JSC::DFG::SpeculativeJIT::compileGetExecutable):
        (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
        (JSC::DFG::SpeculativeJIT::compileToThis):
        (JSC::DFG::SpeculativeJIT::compileIdentity):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2018-04-01  Filip Pizlo  <fpizlo@apple.com>

        Raise the for-call inlining threshold to 190 to fix JetStream/richards regression
        https://bugs.webkit.org/show_bug.cgi?id=184228

        Reviewed by Yusuke Suzuki.

        * runtime/Options.h:

2018-03-31  Filip Pizlo  <fpizlo@apple.com>

        JSObject shouldn't do index masking
        https://bugs.webkit.org/show_bug.cgi?id=184194

        Reviewed by Yusuke Suzuki.

        Remove index masking, because it's not the way we'll mitigate Spectre.

        * API/tests/JSObjectGetProxyTargetTest.cpp:
        (testJSObjectGetProxyTarget):
        * b3/B3LowerToAir.cpp:
        * b3/B3Validate.cpp:
        * b3/B3WasmBoundsCheckValue.cpp:
        (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
        (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
        * b3/B3WasmBoundsCheckValue.h:
        (JSC::B3::WasmBoundsCheckValue::bounds const):
        (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): Deleted.
        * b3/testb3.cpp:
        (JSC::B3::testWasmBoundsCheck):
        (JSC::B3::run):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::handleNode):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileNewRegexp):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        (JSC::DFG::SpeculativeJIT::compileNewObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Butterfly.h:
        (JSC::ContiguousData::at const):
        (JSC::ContiguousData::at):
        (JSC::Butterfly::computeIndexingMask const): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::ContiguousData<T>::at const): Deleted.
        (JSC::ContiguousData<T>::at): Deleted.
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSFixedArray.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::createInitialForValueAndSet):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::countElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::getEnumerableLength):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::butterflyOffset):
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::butterflyIndexingMaskOffset): Deleted.
        (JSC::JSObject::butterflyIndexingMask const): Deleted.
        (JSC::JSObject::setButterflyWithIndexingMask): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::load):
        (JSC::Wasm::B3IRGenerator::store):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::updateCachedMemory):
        (JSC::Wasm::Instance::offsetOfCachedMemorySize):
        (JSC::Wasm::Instance::offsetOfCachedIndexingMask): Deleted.
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::grow):
        * wasm/WasmMemory.h:
        (JSC::Wasm::Memory::size const):
        (JSC::Wasm::Memory::offsetOfSize):
        (JSC::Wasm::Memory::indexingMask): Deleted.
        (JSC::Wasm::Memory::offsetOfIndexingMask): Deleted.
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::PinnedRegisterInfo::get):
        (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::PinnedRegisterInfo::toSave const):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):

2018-03-31  Filip Pizlo  <fpizlo@apple.com>

        JSC crash in JIT code with for-of loop and Array/Set iterators
        https://bugs.webkit.org/show_bug.cgi?id=183174

        Reviewed by Saam Barati.

        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.

2018-03-30  Filip Pizlo  <fpizlo@apple.com>

        Strings and Vectors shouldn't do index masking
        https://bugs.webkit.org/show_bug.cgi?id=184193

        Reviewed by Mark Lam.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
        * jit/ThunkGenerators.cpp:
        (JSC::stringCharLoad):

2018-03-30  Mark Lam  <mark.lam@apple.com>

        Add pointer profiling support in baseline JIT and supporting files.
        https://bugs.webkit.org/show_bug.cgi?id=184200
        <rdar://problem/39057300>

        Reviewed by Filip Pizlo.

        1. To simplify pointer profiling support, vmEntryToJavaScript() now always enters
           the code via the arity check entry.
        2. To accommodate (1), all JITCode must now populate their arity check entry code
           pointers as well.  For native code, programs, evals, and modules that don't
           do arity check, we set the normal entry as the arity check entry (though with
           the CodeEntryWithArityCheckPtrTag profile instead).

        * assembler/AbstractMacroAssembler.h:
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::locationOfNearCall):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::readCallTarget):
        (JSC::MacroAssemblerARM64::linkCall):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCaseSnippetParams.cpp:
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addJITAddIC):
        (JSC::CodeBlock::addJITMulIC):
        (JSC::CodeBlock::addJITSubIC):
        (JSC::CodeBlock::addJITNegIC):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addMathIC):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/LLIntCallLinkInfo.h:
        (JSC::LLIntCallLinkInfo::unlink):
        (): Deleted.
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        (JSC::PolymorphicAccess::regenerate):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        * heap/JITStubRoutineSet.h:
        (JSC::JITStubRoutineSet::mark):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::callExceptionFuzz):
        (JSC::AssemblyHelpers::debugCall):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitFunctionPrologue):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::prepareForTailCall):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_negate):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitMathICFast):
        (JSC::JIT::emitMathICSlow):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emit_op_sub):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
        (JSC::DirectJITCode::DirectJITCode):
        (JSC::DirectJITCode::initializeCodeRef):
        (JSC::NativeJITCode::addressForCall):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        (JSC::JITBinaryMathIC::JITBinaryMathIC):
        (JSC::JITUnaryMathIC::JITUnaryMathIC):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::privateCompileHasIndexedProperty):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        (JSC::tryGetByValOptimize):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::appropriateOptimizingPutByIdFunction):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::linkPolymorphicCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/Repatch.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkCallThunkGenerator): Deleted.
        (JSC::linkPolymorphicCallThunkGenerator): Deleted.
        (JSC::virtualThunkFor): Deleted.
        (JSC::nativeForGenerator): Deleted.
        (JSC::nativeCallGenerator): Deleted.
        (JSC::nativeTailCallGenerator): Deleted.
        (JSC::nativeTailCallWithoutSavedTagsGenerator): Deleted.
        (JSC::nativeConstructGenerator): Deleted.
        (JSC::internalFunctionCallGenerator): Deleted.
        (JSC::internalFunctionConstructGenerator): Deleted.
        (JSC::arityFixupGenerator): Deleted.
        (JSC::unreachableGenerator): Deleted.
        (JSC::stringCharLoad): Deleted.
        (JSC::charToString): Deleted.
        (JSC::charCodeAtThunkGenerator): Deleted.
        (JSC::charAtThunkGenerator): Deleted.
        (JSC::fromCharCodeThunkGenerator): Deleted.
        (JSC::clz32ThunkGenerator): Deleted.
        (JSC::sqrtThunkGenerator): Deleted.
        (JSC::floorThunkGenerator): Deleted.
        (JSC::ceilThunkGenerator): Deleted.
        (JSC::truncThunkGenerator): Deleted.
        (JSC::roundThunkGenerator): Deleted.
        (JSC::expThunkGenerator): Deleted.
        (JSC::logThunkGenerator): Deleted.
        (JSC::absThunkGenerator): Deleted.
        (JSC::imulThunkGenerator): Deleted.
        (JSC::randomThunkGenerator): Deleted.
        (JSC::boundThisNoArgsFunctionCallGenerator): Deleted.
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
705         * runtime/ExecutableBase.h:
706         * runtime/NativeExecutable.cpp:
707         (JSC::NativeExecutable::finishCreation):
708         * runtime/NativeFunction.h:
709         (JSC::TaggedNativeFunction::TaggedNativeFunction):
710         (JSC::TaggedNativeFunction::operator NativeFunction):
711         * runtime/PropertySlot.h:
712         (JSC::PropertySlot::setCustom):
713         (JSC::PropertySlot::setCacheableCustom):
714         * runtime/PtrTag.h:
715         * runtime/PutPropertySlot.h:
716         (JSC::PutPropertySlot::setCustomValue):
717         (JSC::PutPropertySlot::setCustomAccessor):
718         * runtime/SamplingProfiler.cpp:
719         (JSC::SamplingProfiler::takeSample):
720         * runtime/VMTraps.cpp:
721         (JSC::SignalContext::SignalContext):
722         (JSC::VMTraps::tryInstallTrapBreakpoints):
723         * tools/SigillCrashAnalyzer.cpp:
724         (JSC::installCrashHandler):
725         * yarr/YarrJIT.cpp:
726         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
727         (JSC::Yarr::YarrGenerator::generateEnter):
728
729 2018-03-30  Devin Rousso  <webkit@devinrousso.com>
730
731         Web Inspector: tint all pixels drawn by shader program when hovering ShaderProgramTreeElement
732         https://bugs.webkit.org/show_bug.cgi?id=175223
733
734         Reviewed by Matt Baker.
735
736         * inspector/protocol/Canvas.json:
737         Add `setShaderProgramHighlighted` command that will cause a blend to be applied to the
738         canvas if the given shader program is active immediately before `drawArrays` or `drawElements`
739         is called. The blend is removed and the previous value is applied once the draw is complete.
740
741 2018-03-30  JF Bastien  <jfbastien@apple.com>
742
743         WebAssembly: support DataView compilation
744         https://bugs.webkit.org/show_bug.cgi?id=183342
745
746         Reviewed by Mark Lam.
747
748         Compiling a module from a DataView was incorrectly dealing with
749         DataView's offset.
750
751         * wasm/WasmModuleParser.cpp:
752         (JSC::Wasm::ModuleParser::parse):
753         * wasm/js/JSWebAssemblyHelpers.h:
754         (JSC::getWasmBufferFromValue):
755         (JSC::createSourceBufferFromValue):
756         * wasm/js/WebAssemblyPrototype.cpp:
757         (JSC::webAssemblyValidateFunc):
758
759 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
760
761         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
762         https://bugs.webkit.org/show_bug.cgi?id=184189
763
764         Reviewed by JF Bastien.
765
766         * bytecompiler/NodesCodegen.cpp:
767         (JSC::ResolveNode::emitBytecode):
768
769 2018-03-30  Mark Lam  <mark.lam@apple.com>
770
771         Add pointer profiling support to Wasm.
772         https://bugs.webkit.org/show_bug.cgi?id=184175
773         <rdar://problem/39027923>
774
775         Reviewed by JF Bastien.
776
777         * runtime/PtrTag.h:
778         * wasm/WasmB3IRGenerator.cpp:
779         (JSC::Wasm::B3IRGenerator::addGrowMemory):
780         (JSC::Wasm::B3IRGenerator::addCall):
781         (JSC::Wasm::B3IRGenerator::addCallIndirect):
782         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
783         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
784         * wasm/WasmBBQPlan.cpp:
785         (JSC::Wasm::BBQPlan::prepare):
786         (JSC::Wasm::BBQPlan::complete):
787         * wasm/WasmBinding.cpp:
788         (JSC::Wasm::wasmToWasm):
789         * wasm/WasmBinding.h:
790         * wasm/WasmFaultSignalHandler.cpp:
791         (JSC::Wasm::trapHandler):
792         * wasm/WasmOMGPlan.cpp:
793         (JSC::Wasm::OMGPlan::work):
794         * wasm/WasmThunks.cpp:
795         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
796         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
797         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
798         * wasm/js/WasmToJS.cpp:
799         (JSC::Wasm::handleBadI64Use):
800         (JSC::Wasm::wasmToJS):
801         * wasm/js/WebAssemblyFunction.cpp:
802         (JSC::callWebAssemblyFunction):
803         * wasm/js/WebAssemblyFunction.h:
804
805 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
806
807         Unreviewed, rolling out r230102.
808
809         Caused assertion failures on JSC bots.
810
811         Reverted changeset:
812
813         "A stack overflow in the parsing of a builtin (called by
814         createExecutable) causes a crash instead of a catchable js
815         exception"
816         https://bugs.webkit.org/show_bug.cgi?id=184074
817         https://trac.webkit.org/changeset/230102
818
819 2018-03-30  Robin Morisset  <rmorisset@apple.com>
820
821         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
822         https://bugs.webkit.org/show_bug.cgi?id=183812
823
824         Reviewed by Keith Miller.
825
826         The fix I landed for https://bugs.webkit.org/show_bug.cgi?id=181027 was flawed: I tried setting the bytecodeIndex for the new block on line 1679 (at the end of inlineCall), but it is going to be reset on line 6612 (in parseCodeBlock).
827         The fix is simply to make the block untargetable by default, and let parseCodeBlock make it targetable afterwards if it is a jump target.
828
829         * dfg/DFGByteCodeParser.cpp:
830         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
831         (JSC::DFG::ByteCodeParser::inlineCall):
832
833 2018-03-30  Robin Morisset  <rmorisset@apple.com>
834
835         A stack overflow in the parsing of a builtin (called by createExecutable) causes a crash instead of a catchable js exception
836         https://bugs.webkit.org/show_bug.cgi?id=184074
837         <rdar://problem/37165897>
838
839         Reviewed by Keith Miller.
840
841         Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place.
842         It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError.
843         Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts.
844         As a result, this patch is grotesquely large, while all it does is add enough plumbing to throw a proper exception in this specific case.
845
846         There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow.
847         If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too.
848
849         Two other minor changes:
850         - I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead.
851         - I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places.
852
853         * JavaScriptCore.xcodeproj/project.pbxproj:
854         * Scripts/builtins/builtins_generate_combined_header.py:
855         (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
856         (ParserError):
857         (generate_section_for_object): Deleted.
858         (generate_externs_for_object): Deleted.
859         (generate_macros_for_object): Deleted.
860         (generate_section_for_code_table_macro): Deleted.
861         (generate_section_for_code_name_macro): Deleted.
862         (generate_section_for_global_private_code_name_macro): Deleted.
863         * Scripts/builtins/builtins_generate_separate_header.py:
864         (generate_secondary_header_includes):
865         * Scripts/builtins/builtins_templates.py:
866         * Sources.txt:
867         * builtins/BuiltinExecutableCreator.cpp: Removed.
868         * builtins/BuiltinExecutableCreator.h: Removed.
869         * builtins/BuiltinExecutables.cpp:
870         (JSC::BuiltinExecutables::createDefaultConstructor):
871         (JSC::BuiltinExecutables::createBuiltinExecutable):
872         (JSC::createBuiltinExecutable):
873         (JSC::BuiltinExecutables::createExecutableOrCrash):
874         (JSC::BuiltinExecutables::createExecutable):
875         * builtins/BuiltinExecutables.h:
876         * bytecompiler/BytecodeGenerator.h:
877         * parser/ParserError.cpp: Added.
878         (JSC::ParserError::toErrorObject):
879         (JSC::ParserError::throwStackOverflowOrOutOfMemory):
880         (WTF::printInternal):
881         * parser/ParserError.h:
882         (JSC::ParserError::toErrorObject): Deleted.
883         (WTF::printInternal): Deleted.
884         * runtime/AsyncIteratorPrototype.cpp:
885         (JSC::AsyncIteratorPrototype::finishCreation):
886         * runtime/FunctionPrototype.cpp:
887         (JSC::FunctionPrototype::addFunctionProperties):
888         * runtime/JSGlobalObject.cpp:
889         (JSC::JSGlobalObject::init):
890         * runtime/JSObject.cpp:
891         (JSC::JSObject::getOwnStaticPropertySlot):
892         (JSC::JSObject::reifyAllStaticProperties):
893         * runtime/JSObject.h:
894         (JSC::JSObject::getOwnNonIndexPropertySlot):
895         (JSC::JSObject::getOwnPropertySlot):
896         (JSC::JSObject::getPropertySlot):
897         * runtime/JSObjectInlines.h:
898         (JSC::JSObject::getNonIndexPropertySlot):
899         * runtime/JSTypedArrayViewPrototype.cpp:
900         (JSC::JSTypedArrayViewPrototype::finishCreation):
901         * runtime/Lookup.cpp:
902         (JSC::reifyStaticAccessor):
903         (JSC::setUpStaticFunctionSlot):
904         * runtime/Lookup.h:
905         (JSC::getStaticPropertySlotFromTable):
906         (JSC::reifyStaticProperty):
907         * runtime/MapPrototype.cpp:
908         (JSC::MapPrototype::finishCreation):
909         * runtime/SetPrototype.cpp:
910         (JSC::SetPrototype::finishCreation):
911         * tools/JSDollarVM.cpp:
912         (JSC::functionCreateBuiltin):
913
914 2018-03-30  Robin Morisset  <rmorisset@apple.com>
915
916         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
917         https://bugs.webkit.org/show_bug.cgi?id=183657
918         <rdar://problem/38464399>
919
920         Reviewed by Keith Miller.
921
922         There was just a missing check in unshiftCountForIndexingType.
923         I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path',
924         and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp).
925         Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk.
926
927         * runtime/ArrayPrototype.cpp:
928         (JSC::unshift):
929         * runtime/JSArray.cpp:
930         (JSC::JSArray::unshiftCountWithAnyIndexingType):
931         * runtime/JSObject.h:
932         (JSC::JSObject::ensureLength):
933
934 2018-03-29  Mark Lam  <mark.lam@apple.com>
935
936         Add some pointer profiling support to B3 and Air.
937         https://bugs.webkit.org/show_bug.cgi?id=184165
938         <rdar://problem/39022125>
939
940         Reviewed by JF Bastien.
941
942         * b3/B3LowerMacros.cpp:
943         * b3/B3LowerMacrosAfterOptimizations.cpp:
944         * b3/B3MathExtras.cpp:
945         * b3/B3ReduceStrength.cpp:
946         * b3/air/AirCCallSpecial.cpp:
947         (JSC::B3::Air::CCallSpecial::generate):
948         * b3/air/AirCCallSpecial.h:
949         * b3/testb3.cpp:
950         (JSC::B3::testCallSimple):
951         (JSC::B3::testCallRare):
952         (JSC::B3::testCallRareLive):
953         (JSC::B3::testCallSimplePure):
954         (JSC::B3::testCallFunctionWithHellaArguments):
955         (JSC::B3::testCallFunctionWithHellaArguments2):
956         (JSC::B3::testCallFunctionWithHellaArguments3):
957         (JSC::B3::testCallSimpleDouble):
958         (JSC::B3::testCallSimpleFloat):
959         (JSC::B3::testCallFunctionWithHellaDoubleArguments):
960         (JSC::B3::testCallFunctionWithHellaFloatArguments):
961         (JSC::B3::testLinearScanWithCalleeOnStack):
962         (JSC::B3::testInterpreter):
963         (JSC::B3::testLICMPure):
964         (JSC::B3::testLICMPureSideExits):
965         (JSC::B3::testLICMPureWritesPinned):
966         (JSC::B3::testLICMPureWrites):
967         (JSC::B3::testLICMReadsLocalState):
968         (JSC::B3::testLICMReadsPinned):
969         (JSC::B3::testLICMReads):
970         (JSC::B3::testLICMPureNotBackwardsDominant):
971         (JSC::B3::testLICMPureFoiledByChild):
972         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
973         (JSC::B3::testLICMExitsSideways):
974         (JSC::B3::testLICMWritesLocalState):
975         (JSC::B3::testLICMWrites):
976         (JSC::B3::testLICMFence):
977         (JSC::B3::testLICMWritesPinned):
978         (JSC::B3::testLICMControlDependent):
979         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
980         (JSC::B3::testLICMControlDependentSideExits):
981         (JSC::B3::testLICMReadsPinnedWritesPinned):
982         (JSC::B3::testLICMReadsWritesDifferentHeaps):
983         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
984         (JSC::B3::testLICMDefaultCall):
985         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
986         * ftl/FTLLowerDFGToB3.cpp:
987         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
988         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
989         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
990         * jit/GPRInfo.h:
991         * runtime/PtrTag.h:
992         * wasm/WasmBinding.cpp:
993         (JSC::Wasm::wasmToWasm):
994
995 2018-03-29  JF Bastien  <jfbastien@apple.com>
996
997         Use Forward.h instead of forward-declaring WTF::String
998         https://bugs.webkit.org/show_bug.cgi?id=184172
999         <rdar://problem/39026146>
1000
1001         Reviewed by Yusuke Suzuki.
1002
1003         As part of #184164 I'm changing WTF::String, and the forward
1004         declarations are just wrong because I'm making it templated. We
1005         should use Forward.h anyways, so do that instead.
1006
1007         * runtime/DateConversion.h:
1008
1009 2018-03-29  Mark Lam  <mark.lam@apple.com>
1010
1011         Use MacroAssemblerCodePtr in Wasm code for code pointers instead of void*.
1012         https://bugs.webkit.org/show_bug.cgi?id=184163
1013         <rdar://problem/39020397>
1014
1015         Reviewed by JF Bastien.
1016
1017         With the use of MacroAssemblerCodePtr, we now get poisoning for Wasm code pointers.
1018
1019         Also renamed some structs, methods, and variable names to be more accurate.
1020         Previously, there was some confusion between a code pointer and the address of a
1021         code pointer (sometimes referred to in the code as a "LoadLocation").  We now name
1022         the LoadLocation variables appropriately to distinguish them from code pointers.
1023
1024         * wasm/WasmB3IRGenerator.cpp:
1025         (JSC::Wasm::B3IRGenerator::addCall):
1026         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1027         * wasm/WasmBinding.cpp:
1028         (JSC::Wasm::wasmToWasm):
1029         * wasm/WasmCodeBlock.cpp:
1030         (JSC::Wasm::CodeBlock::CodeBlock):
1031         * wasm/WasmCodeBlock.h:
1032         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
1033         (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
1034         * wasm/WasmFormat.h:
1035         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction):
1036         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation):
1037         (JSC::Wasm::CallableFunction::CallableFunction): Deleted.
1038         (JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
1039         * wasm/WasmInstance.h:
1040         (JSC::Wasm::Instance::offsetOfWasmEntrypointLoadLocation):
1041         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStub):
1042         (JSC::Wasm::Instance::offsetOfWasmEntrypoint): Deleted.
1043         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
1044         * wasm/WasmOMGPlan.cpp:
1045         (JSC::Wasm::OMGPlan::work):
1046         * wasm/WasmTable.cpp:
1047         (JSC::Wasm::Table::Table):
1048         (JSC::Wasm::Table::grow):
1049         (JSC::Wasm::Table::clearFunction):
1050         (JSC::Wasm::Table::setFunction):
1051         * wasm/WasmTable.h:
1052         (JSC::Wasm::Table::offsetOfFunctions):
1053         * wasm/js/JSWebAssemblyCodeBlock.h:
1054         * wasm/js/JSWebAssemblyInstance.cpp:
1055         (JSC::JSWebAssemblyInstance::finalizeCreation):
1056         (JSC::JSWebAssemblyInstance::create):
1057         * wasm/js/JSWebAssemblyTable.cpp:
1058         (JSC::JSWebAssemblyTable::setFunction):
1059         * wasm/js/WebAssemblyFunction.cpp:
1060         (JSC::WebAssemblyFunction::create):
1061         (JSC::WebAssemblyFunction::WebAssemblyFunction):
1062         * wasm/js/WebAssemblyFunction.h:
1063         * wasm/js/WebAssemblyModuleRecord.cpp:
1064         (JSC::WebAssemblyModuleRecord::link):
1065         (JSC::WebAssemblyModuleRecord::evaluate):
1066         * wasm/js/WebAssemblyWrapperFunction.cpp:
1067         (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
1068         (JSC::WebAssemblyWrapperFunction::create):
1069         * wasm/js/WebAssemblyWrapperFunction.h:
1070
1071 2018-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1072
1073         Remove WTF_EXPORTDATA and JS_EXPORTDATA
1074         https://bugs.webkit.org/show_bug.cgi?id=184170
1075
1076         Reviewed by JF Bastien.
1077
1078         Replace WTF_EXPORTDATA and JS_EXPORTDATA with
1079         WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE respectively.
1080
1081         * heap/WriteBarrierSupport.h:
1082         * jit/ExecutableAllocator.cpp:
1083         * jit/ExecutableAllocator.h:
1084         * runtime/JSCPoison.h:
1085         * runtime/JSCell.h:
1086         * runtime/JSExportMacros.h:
1087         * runtime/JSGlobalObject.h:
1088         * runtime/JSObject.h:
1089         * runtime/Options.h:
1090         * runtime/PropertyDescriptor.h:
1091         * runtime/PropertyMapHashTable.h:
1092         * runtime/SamplingCounter.h:
1093
1094 2018-03-29  Ross Kirsling  <ross.kirsling@sony.com>
1095
1096         MSVC __forceinline slows down JSC release build fivefold after r229391
1097         https://bugs.webkit.org/show_bug.cgi?id=184062
1098
1099         Reviewed by Alex Christensen.
1100
1101         * jit/CCallHelpers.h:
1102         (JSC::CCallHelpers::marshallArgumentRegister):
1103         Exempt MSVC from a single forced inline used within recursive templates.
1104
1105 2018-03-29  Keith Miller  <keith_miller@apple.com>
1106
1107         ArrayMode should not try to get the DFG to think it can convert TypedArrays
1108         https://bugs.webkit.org/show_bug.cgi?id=184137
1109
1110         Reviewed by Saam Barati.
1111
1112         * dfg/DFGArrayMode.cpp:
1113         (JSC::DFG::ArrayMode::fromObserved):
1114
1115 2018-03-29  Commit Queue  <commit-queue@webkit.org>
1116
1117         Unreviewed, rolling out r230062.
1118         https://bugs.webkit.org/show_bug.cgi?id=184128
1119
1120         Broke mac port. web content process crashes while loading any
1121         web page (Requested by rniwa on #webkit).
1122
1123         Reverted changeset:
1124
1125         "MSVC __forceinline slows down JSC release build fivefold
1126         after r229391"
1127         https://bugs.webkit.org/show_bug.cgi?id=184062
1128         https://trac.webkit.org/changeset/230062
1129
1130 2018-03-28  Ross Kirsling  <ross.kirsling@sony.com>
1131
1132         MSVC __forceinline slows down JSC release build fivefold after r229391
1133         https://bugs.webkit.org/show_bug.cgi?id=184062
1134
1135         Reviewed by Alex Christensen.
1136
1137         * jit/CCallHelpers.h:
1138         (JSC::CCallHelpers::marshallArgumentRegister):
1139         Exempt MSVC from a single forced inline used within recursive templates.
1140
1141 2018-03-28  Mark Lam  <mark.lam@apple.com>
1142
1143         Enhance ARM64 probe to support pointer profiling.
1144         https://bugs.webkit.org/show_bug.cgi?id=184069
1145         <rdar://problem/38939879>
1146
1147         Reviewed by JF Bastien.
1148
1149         * assembler/MacroAssemblerARM64.cpp:
1150         (JSC::MacroAssembler::probe):
1151         * assembler/MacroAssemblerX86Common.h:
1152         (JSC::MacroAssemblerX86Common::popPair):
1153         (JSC::MacroAssemblerX86Common::pushPair):
1154         * assembler/testmasm.cpp:
1155         (JSC::testProbeReadsArgumentRegisters):
1156         (JSC::testProbeWritesArgumentRegisters):
1157         * runtime/PtrTag.h:
1158         (JSC::tagForPtr):
1159
1160 2018-03-28  Robin Morisset  <rmorisset@apple.com>
1161
1162         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
1163         https://bugs.webkit.org/show_bug.cgi?id=183894
1164
1165         Reviewed by Saam Barati.
1166
1167         Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
1168
1169         * runtime/JSONObject.cpp:
1170         (JSC::Stringifier::appendStringifiedValue):
1171
1172 2018-03-28  Carlos Garcia Campos  <cgarcia@igalia.com>
1173
1174         [JSC] Move WeakValueRef class to its own file and use it from Objc and GLib
1175         https://bugs.webkit.org/show_bug.cgi?id=184073
1176
1177         Reviewed by Yusuke Suzuki.
1178
1179         We currently have duplicated code in the ObjC and GLib implementations.
1180
1181         * API/JSManagedValue.mm:
1182         (managedValueHandleOwner):
1183         (-[JSManagedValue initWithValue:]):
1184         * API/JSWeakValue.cpp: Added.
1185         (JSC::JSWeakValue::~JSWeakValue):
1186         (JSC::JSWeakValue::clear):
1187         (JSC::JSWeakValue::isClear const):
1188         (JSC::JSWeakValue::setPrimitive):
1189         (JSC::JSWeakValue::setObject):
1190         (JSC::JSWeakValue::setString):
1191         * API/JSWeakValue.h: Added.
1192         (JSC::JSWeakValue::isSet const):
1193         (JSC::JSWeakValue::isPrimitive const):
1194         (JSC::JSWeakValue::isObject const):
1195         (JSC::JSWeakValue::isString const):
1196         (JSC::JSWeakValue::object const):
1197         (JSC::JSWeakValue::primitive const):
1198         (JSC::JSWeakValue::string const):
1199         * API/glib/JSCWeakValue.cpp:
1200         * JavaScriptCore.xcodeproj/project.pbxproj:
1201         * Sources.txt:
1202
1203 2018-03-27  Carlos Garcia Campos  <cgarcia@igalia.com>
1204
1205         [GLIB] Add JSCWeakValue to JavaScriptCore GLib API
1206         https://bugs.webkit.org/show_bug.cgi?id=184041
1207
1208         Reviewed by Michael Catanzaro.
1209
1210         This allows keeping a reference to a JavaScript value without protecting it, and without having a strong
1211         reference to the context. When the value is cleared the JSCWeakValue::cleared signal is emitted and
1212         jsc_weak_value_get_value() will always return nullptr.
1213
1214         * API/glib/JSCWeakValue.cpp: Added.
1215         (WeakValueRef::~WeakValueRef):
1216         (WeakValueRef::clear):
1217         (WeakValueRef::isClear const):
1218         (WeakValueRef::isSet const):
1219         (WeakValueRef::isPrimitive const):
1220         (WeakValueRef::isObject const):
1221         (WeakValueRef::isString const):
1222         (WeakValueRef::setPrimitive):
1223         (WeakValueRef::setObject):
1224         (WeakValueRef::setString):
1225         (WeakValueRef::object const):
1226         (WeakValueRef::primitive const):
1227         (WeakValueRef::string const):
1228         (weakValueHandleOwner):
1229         (jscWeakValueInitialize):
1230         (jscWeakValueSetProperty):
1231         (jscWeakValueDispose):
1232         (jsc_weak_value_class_init):
1233         (jsc_weak_value_new):
1234         (jsc_weak_value_get_value):
1235         * API/glib/JSCWeakValue.h: Added.
1236         * API/glib/docs/jsc-glib-4.0-sections.txt:
1237         * API/glib/docs/jsc-glib-docs.sgml:
1238         * API/glib/jsc.h:
1239         * GLib.cmake:
1240
1241 2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1242
1243         [DFG] Remove unnecessary USE(JSVALUE32_64) / USE(JSVALUE64)
1244         https://bugs.webkit.org/show_bug.cgi?id=181292
1245
1246         Reviewed by Saam Barati.
1247
1248         By using JSValueRegs abstraction, we can simplify DFGSpeculativeJIT.cpp code.
1249
1250         * dfg/DFGSpeculativeJIT.cpp:
1251         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1252         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1253         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1254         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1255         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1256         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
1257         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
1258
1259 2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1260
1261         Add Load16Z for B3 and use it in WebAssembly
1262         https://bugs.webkit.org/show_bug.cgi?id=165884
1263
1264         Reviewed by JF Bastien.
1265
1266         We already support Load16Z in B3. Use it for i32.load16_u / i64.load16_u in WebAssembly.
1267         spec-tests/memory.wast.js already covered this change.
1268
1269         * wasm/WasmB3IRGenerator.cpp:
1270         (JSC::Wasm::B3IRGenerator::emitLoadOp):
1271
1272 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1273
1274         [JSC] Remove repeated iteration of ElementNode
1275         https://bugs.webkit.org/show_bug.cgi?id=183987
1276
1277         Reviewed by Keith Miller.
1278
1279         BytecodeGenerator repeatedly iterates ElementNode to emit the efficient code.
1280         While it is OK for small arrays, this repeated iteration takes much time
1281         if the array is very large. For example, Kraken's initialization code includes a
1282         very large array with numeric literals. This makes bytecode compiling take so long.
1283
1284         This patch carefully removes unnecessary iteration when emitting arrays.
1285         This reduces one of Kraken/imaging-darkroom's bytecode compiling from 13.169856 ms
1286         to 9.988050 ms.
1287
1288         * bytecompiler/BytecodeGenerator.cpp:
1289         (JSC::BytecodeGenerator::emitNewArrayBuffer):
1290         (JSC::BytecodeGenerator::emitNewArray):
1291         * bytecompiler/BytecodeGenerator.h:
1292         * bytecompiler/NodesCodegen.cpp:
1293         (JSC::ArrayNode::emitBytecode):
1294         (JSC::ArrayPatternNode::bindValue const):
1295         (JSC::ArrayPatternNode::emitDirectBinding):
1296
1297 2018-03-26  Ross Kirsling  <ross.kirsling@sony.com>
1298
1299         JIT callOperation() needs to support operations that return SlowPathReturnType differently on Windows.
1300         https://bugs.webkit.org/show_bug.cgi?id=183655
1301
1302         Reviewed by Keith Miller.
1303
1304         * jit/CCallHelpers.h:
1305         (JSC::CCallHelpers::ArgCollection::argCount):
1306         (JSC::CCallHelpers::marshallArgumentRegister):
1307         (JSC::CCallHelpers::setupArgumentsImpl):
1308         On Win64, ensure that argCount always includes GPRs and FPRs and that counting starts from 1 for SlowPathReturnType.
1309
1310         * jit/JIT.h:
1311         (JSC::JIT::callOperation):
1312         (JSC::JIT::is64BitType):
1313         (JSC::JIT::is64BitType<void>):
1314         On Win64, ensure special call is used for SlowPathReturnType.
1315
1316         * jit/JITOperations.h:
1317         Update changed type.
1318
1319 2018-03-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1320
1321         We should have SSE4 detection in the X86 MacroAssembler.
1322         https://bugs.webkit.org/show_bug.cgi?id=165363
1323
1324         Reviewed by JF Bastien.
1325
1326         This patch adds popcnt support to WASM in the x86_64 environment.
1327         To use it, we refactor our CPUID feature detection in MacroAssemblerX86Common.
1328         Our spec-tests already cover popcnt.
1329
1330         * assembler/MacroAssemblerARM64.h:
1331         (JSC::MacroAssemblerARM64::supportsCountPopulation):
1332         * assembler/MacroAssemblerX86Common.cpp:
1333         (JSC::MacroAssemblerX86Common::getCPUID):
1334         (JSC::MacroAssemblerX86Common::getCPUIDEx):
1335         (JSC::MacroAssemblerX86Common::collectCPUFeatures):
1336         * assembler/MacroAssemblerX86Common.h:
1337         (JSC::MacroAssemblerX86Common::countPopulation32):
1338         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
1339         (JSC::MacroAssemblerX86Common::supportsCountPopulation):
1340         (JSC::MacroAssemblerX86Common::supportsAVX):
1341         (JSC::MacroAssemblerX86Common::supportsLZCNT):
1342         (JSC::MacroAssemblerX86Common::supportsBMI1):
1343         (JSC::MacroAssemblerX86Common::isSSE2Present):
1344         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags): Deleted.
1345         * assembler/MacroAssemblerX86_64.h:
1346         (JSC::MacroAssemblerX86_64::countPopulation64):
1347         * assembler/X86Assembler.h:
1348         (JSC::X86Assembler::popcnt_rr):
1349         (JSC::X86Assembler::popcnt_mr):
1350         (JSC::X86Assembler::popcntq_rr):
1351         (JSC::X86Assembler::popcntq_mr):
1352         * wasm/WasmB3IRGenerator.cpp:
1353         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
1354         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
1355
1356 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
1357
1358         DFG should know that CreateThis can be effectful
1359         https://bugs.webkit.org/show_bug.cgi?id=184013
1360
1361         Reviewed by Saam Barati.
1362
1363         As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this
1364         is a proxy.
1365
1366         * dfg/DFGAbstractInterpreterInlines.h:
1367         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1368         * dfg/DFGClobberize.h:
1369         (JSC::DFG::clobberize):
1370
1371 2018-03-25  Saam Barati  <sbarati@apple.com>
1372
1373         Fix typo in JSC option name
1374         https://bugs.webkit.org/show_bug.cgi?id=184001
1375
1376         Reviewed by Mark Lam.
1377
1378         enableJITDebugAssetions => enableJITDebugAssertions.
1379
1380         * assembler/MacroAssembler.cpp:
1381         (JSC::MacroAssembler::jitAssert):
1382         * runtime/Options.h:
1383
1384 2018-03-25  Saam Barati  <sbarati@apple.com>
1385
1386         r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
1387         https://bugs.webkit.org/show_bug.cgi?id=183995
1388
1389         Reviewed by Filip Pizlo.
1390
1391         The removal of this line of code was unintended and happened during some
1392         refactoring Fil was doing. The consequence of removing this line of code
1393         is that m_emptyCursor became a monotonically increasing integer, leading
1394         to the cursor usually being out of bounds of the block range (depending on
1395         what the program is doing). This made the functionality of finding an empty
1396         block to steal almost always fail.
1397
1398         * heap/BlockDirectory.cpp:
1399         (JSC::BlockDirectory::prepareForAllocation):
1400
1401 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1402
1403         [DFG] Introduces fused compare and jump
1404         https://bugs.webkit.org/show_bug.cgi?id=177100
1405
1406         Reviewed by Mark Lam.
1407
1408         This patch introduces op_jeq, op_jneq, op_jstricteq, and op_jnstricteq.
1409         It offers 3 benefits.
1410
1411         1. They are introduced for a purpose similar to that of op_jless etc. It aligns
1412         the op_eq family with the op_jless family.
1413
1414         2. It reduces the size of bytecode to represent the typical code sequence.
1415
1416         3. It offers a way to fuse check and jump in DFG code generation. Since
1417         we previously had MovHint between Branch and CompareEq/CompareStrictEq,
1418         we could not do this optimization. It reduces the machine code size in DFG too.
1419
1420         It slightly improves Octane/boyer.
1421
1422             boyer  6.18038+-0.05002    ^     6.06990+-0.04176       ^ definitely 1.0182x faster
1423
1424         * bytecode/BytecodeDumper.cpp:
1425         (JSC::BytecodeDumper<Block>::dumpBytecode):
1426         * bytecode/BytecodeList.json:
1427         * bytecode/BytecodeUseDef.h:
1428         (JSC::computeUsesForBytecodeOffset):
1429         (JSC::computeDefsForBytecodeOffset):
1430         * bytecode/Opcode.h:
1431         (JSC::isBranch):
1432         * bytecode/PreciseJumpTargetsInlines.h:
1433         (JSC::extractStoredJumpTargetsForBytecodeOffset):
1434         * bytecompiler/BytecodeGenerator.cpp:
1435         (JSC::BytecodeGenerator::emitJumpIfTrue):
1436         (JSC::BytecodeGenerator::emitJumpIfFalse):
1437         * dfg/DFGByteCodeParser.cpp:
1438         (JSC::DFG::ByteCodeParser::parseBlock):
1439         * dfg/DFGCapabilities.cpp:
1440         (JSC::DFG::capabilityLevel):
1441         * dfg/DFGOperations.cpp:
1442         * dfg/DFGOperations.h:
1443         * dfg/DFGSpeculativeJIT.cpp:
1444         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1445         * jit/JIT.cpp:
1446         (JSC::JIT::privateCompileMainPass):
1447         (JSC::JIT::privateCompileSlowCases):
1448         * jit/JIT.h:
1449         * jit/JITOpcodes.cpp:
1450         (JSC::JIT::emit_op_jeq):
1451         (JSC::JIT::emit_op_neq):
1452         (JSC::JIT::emit_op_jneq):
1453         (JSC::JIT::compileOpStrictEq):
1454         (JSC::JIT::emit_op_stricteq):
1455         (JSC::JIT::emit_op_nstricteq):
1456         (JSC::JIT::compileOpStrictEqJump):
1457         (JSC::JIT::emit_op_jstricteq):
1458         (JSC::JIT::emit_op_jnstricteq):
1459         (JSC::JIT::emitSlow_op_jstricteq):
1460         (JSC::JIT::emitSlow_op_jnstricteq):
1461         (JSC::JIT::emitSlow_op_jeq):
1462         (JSC::JIT::emitSlow_op_jneq):
1463         * jit/JITOpcodes32_64.cpp:
1464         (JSC::JIT::emitSlow_op_eq):
1465         (JSC::JIT::emit_op_jeq):
1466         (JSC::JIT::compileOpEqJumpSlow):
1467         (JSC::JIT::emitSlow_op_jeq):
1468         (JSC::JIT::emit_op_jneq):
1469         (JSC::JIT::emitSlow_op_jneq):
1470         (JSC::JIT::compileOpStrictEq):
1471         (JSC::JIT::emit_op_stricteq):
1472         (JSC::JIT::emit_op_nstricteq):
1473         (JSC::JIT::compileOpStrictEqJump):
1474         (JSC::JIT::emit_op_jstricteq):
1475         (JSC::JIT::emit_op_jnstricteq):
1476         (JSC::JIT::emitSlow_op_jstricteq):
1477         (JSC::JIT::emitSlow_op_jnstricteq):
1478         * jit/JITOperations.cpp:
1479         * jit/JITOperations.h:
1480         * llint/LLIntSlowPaths.cpp:
1481         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1482         * llint/LLIntSlowPaths.h:
1483         * llint/LowLevelInterpreter.asm:
1484         * llint/LowLevelInterpreter32_64.asm:
1485         * llint/LowLevelInterpreter64.asm:
1486
1487 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1488
1489         [JSC] Improve constants and add comments for CodeBlockHash
1490         https://bugs.webkit.org/show_bug.cgi?id=183982
1491
1492         Rubber-stamped by Mark Lam.
1493
1494         * bytecode/CodeBlockHash.cpp:
1495         (JSC::CodeBlockHash::CodeBlockHash):
1496         * bytecode/ParseHash.cpp:
1497         (JSC::ParseHash::ParseHash):
1498
1499 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1500
1501         [JSC] Add options to report parsing and bytecode compiling times
1502         https://bugs.webkit.org/show_bug.cgi?id=183982
1503
1504         Reviewed by Mark Lam.
1505
1506         This patch adds reportParseTimes and reportBytecodeCompileTimes options.
1507         When they are enabled, JSC reports times consumed for parsing and bytecode
1508         compiling.
1509
1510         * JavaScriptCore.xcodeproj/project.pbxproj:
1511         * Sources.txt:
1512         * bytecode/ParseHash.cpp: Added.
1513         (JSC::ParseHash::ParseHash):
1514         * bytecode/ParseHash.h: Added.
1515         (JSC::ParseHash::hashForCall const):
1516         (JSC::ParseHash::hashForConstruct const):
1517         * bytecode/UnlinkedFunctionExecutable.cpp:
1518         (JSC::generateUnlinkedFunctionCodeBlock):
1519         * bytecompiler/BytecodeGenerator.h:
1520         (JSC::BytecodeGenerator::generate):
1521         * parser/Parser.h:
1522         (JSC::parse):
1523         * runtime/CodeCache.h:
1524         (JSC::generateUnlinkedCodeBlock):
1525         * runtime/Options.h:
1526
1527 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1528
1529         [JIT] Drop ENABLE_JIT_VERBOSE flag
1530         https://bugs.webkit.org/show_bug.cgi?id=183983
1531
1532         Reviewed by Mark Lam.
1533
1534         Just use JITInternal::verbose value.
1535
1536         * jit/JIT.cpp:
1537         (JSC::JIT::privateCompileMainPass):
1538         (JSC::JIT::privateCompileSlowCases):
1539         (JSC::JIT::link):
1540
1541 2018-03-23  Tim Horton  <timothy_horton@apple.com>
1542
1543         Fix the build with no pasteboard
1544         https://bugs.webkit.org/show_bug.cgi?id=183973
1545
1546         Reviewed by Dan Bernstein.
1547
1548         * Configurations/FeatureDefines.xcconfig:
1549
1550 2018-03-23  Mark Lam  <mark.lam@apple.com>
1551
1552         LLInt TypeArray pointer poisoning should not pick its poison dynamically.
1553         https://bugs.webkit.org/show_bug.cgi?id=183942
1554         <rdar://problem/38798018>
1555
1556         Reviewed by JF Bastien.
1557
1558         1. Move the LLInt TypedArray unpoisoning to just before the array access after
1559            all the branches.
1560         2. Rename FirstArrayType to FirstTypedArrayType to match the symbol in C++ code.
1561         3. Remove a useless instruction in the implementation of emitX86Lea for a global
1562            label.
1563
1564         * llint/LowLevelInterpreter.asm:
1565         * llint/LowLevelInterpreter64.asm:
1566         * offlineasm/x86.rb:
1567
1568 2018-03-23  Mark Lam  <mark.lam@apple.com>
1569
1570         Add more support for pointer profiling.
1571         https://bugs.webkit.org/show_bug.cgi?id=183943
1572         <rdar://problem/38799068>
1573
1574         Reviewed by JF Bastien.
1575
1576         * assembler/ARM64Assembler.h:
1577         (JSC::ARM64Assembler::linkJumpOrCall):
1578         * assembler/AbstractMacroAssembler.h:
1579         (JSC::AbstractMacroAssembler::repatchNearCall):
1580         (JSC::AbstractMacroAssembler::tagReturnAddress):
1581         (JSC::AbstractMacroAssembler::untagReturnAddress):
1582
1583 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1584
1585         [WTF] Add standard containers with FastAllocator specialization
1586         https://bugs.webkit.org/show_bug.cgi?id=183789
1587
1588         Reviewed by Darin Adler.
1589
1590         * b3/air/testair.cpp:
1591         * b3/testb3.cpp:
1592         (JSC::B3::testDoubleLiteralComparison):
1593         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
1594         * dfg/DFGGraph.h:
1595         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1596         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1597         * ftl/FTLLowerDFGToB3.cpp:
1598         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
1599         * runtime/FunctionHasExecutedCache.h:
1600         * runtime/TypeLocationCache.h:
1601
1602 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1603
1604         [FTL] Fix ArrayPush(ArrayStorage)'s abstract heap
1605         https://bugs.webkit.org/show_bug.cgi?id=182960
1606
1607         Reviewed by Saam Barati.
1608
1609         This patch fixes ArrayPush(ArrayStorage)'s abstract heap.
1610         It should always touch ArrayStorage_vector. To unify
1611         vector setting code for the real ArrayStorage_vector and
1612         ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to
1613         annotate this.
1614
1615         * ftl/FTLLowerDFGToB3.cpp:
1616         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
1617
1618 2018-03-23  Zan Dobersek  <zdobersek@igalia.com>
1619
1620         Unreviewed build fix for GCC 4.9 builds.
1621
1622         * assembler/MacroAssemblerCodeRef.h: std::is_trivially_copyable<> isn't
1623         supported in 4.9 libstdc++, so wrap the static assert using it in a
1624         COMPILER_SUPPORTS() macro, and use __is_trivially_copyable() builtin,
1625         as is done in bitwise_cast() in StdLibExtras.h.
1626
1627 2018-03-22  Tim Horton  <timothy_horton@apple.com>
1628
1629         Adopt WK_ALTERNATE_FRAMEWORKS_DIR in WebCore
1630         https://bugs.webkit.org/show_bug.cgi?id=183930
1631         <rdar://problem/38782249>
1632
1633         Reviewed by Dan Bernstein.
1634
1635         * JavaScriptCore.xcodeproj/project.pbxproj:
1636
1637 2018-03-22  Mark Lam  <mark.lam@apple.com>
1638
1639         Add placeholder call and jump MacroAssembler emitters that take PtrTag in a register.
1640         https://bugs.webkit.org/show_bug.cgi?id=183914
1641         <rdar://problem/38763536>
1642
1643         Reviewed by Saam Barati and JF Bastien.
1644
1645         This is in preparation for supporting pointer profiling work.
1646
1647         * assembler/MacroAssemblerARM.h:
1648         (JSC::MacroAssemblerARM::jump):
1649         (JSC::MacroAssemblerARM::call):
1650         * assembler/MacroAssemblerARM64.h:
1651         (JSC::MacroAssemblerARM64::call):
1652         (JSC::MacroAssemblerARM64::jump):
1653         * assembler/MacroAssemblerARMv7.h:
1654         (JSC::MacroAssemblerARMv7::jump):
1655         (JSC::MacroAssemblerARMv7::call):
1656         * assembler/MacroAssemblerMIPS.h:
1657         (JSC::MacroAssemblerMIPS::jump):
1658         (JSC::MacroAssemblerMIPS::call):
1659         * assembler/MacroAssemblerX86.h:
1660         (JSC::MacroAssemblerX86::call):
1661         (JSC::MacroAssemblerX86::jump):
1662         * assembler/MacroAssemblerX86Common.h:
1663         (JSC::MacroAssemblerX86Common::jump):
1664         (JSC::MacroAssemblerX86Common::call):
1665         * assembler/MacroAssemblerX86_64.h:
1666         (JSC::MacroAssemblerX86_64::call):
1667         (JSC::MacroAssemblerX86_64::jump):
1668
1669 2018-03-22  Tim Horton  <timothy_horton@apple.com>
1670
1671         Improve readability of WebCore's OTHER_LDFLAGS
1672         https://bugs.webkit.org/show_bug.cgi?id=183909
1673         <rdar://problem/38760992>
1674
1675         Reviewed by Dan Bernstein.
1676
1677         * Configurations/Base.xcconfig:
1678         * Configurations/FeatureDefines.xcconfig:
1679
1680 2018-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
1681
1682         [ARM] Thumb: Do not decorate bottom bit twice
1683         https://bugs.webkit.org/show_bug.cgi?id=183906
1684
1685         Reviewed by Mark Lam.
1686
1687         Use MacroAssemblerCodePtr::createFromExecutableAddress instead of
1688         MacroAssemblerCodePtr(void*) to avoid decorating the pointer twice as
1689         a thumb pointer.
1690
1691         * jit/Repatch.cpp:
1692         (JSC::linkPolymorphicCall):
1693
1694 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1695
1696         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
1697         https://bugs.webkit.org/show_bug.cgi?id=183559
1698
1699         Reviewed by Mark Lam.
1700
1701         When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forget
1702         to clear NodeMustGenerate for this ToString. It should be cleared since it does not have
1703         any user-observable side effect. This patch clears NodeMustGenerate.
1704
1705         * dfg/DFGConstantFoldingPhase.cpp:
1706         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1707
1708 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1709
1710         [JSC] List up all candidates in DFGCapabilities and FTLCapabilities
1711         https://bugs.webkit.org/show_bug.cgi?id=183897
1712
1713         Reviewed by Mark Lam.
1714
1715         We should not use a `default:` clause here since it accidentally catches
1716         the opcode and DFG nodes which should be optimized. For example,
1717         op_super_sampler_begin and op_super_sampler_end are not listed while
1718         they have DFG and FTL backend.
1719
1720         This patch lists up all candidates in DFGCapabilities and FTLCapabilities.
1721         We also clean up unnecessary checks in FTLCapabilities. Since we
1722         already handle all the possible array types for these nodes (which can
1723         be checked in DFG's code), we do not need to check array types.
1724
1725         We also fix FTLLowerDFGToB3's PutByVal code to use modeForPut.
1726
1727         * dfg/DFGCapabilities.cpp:
1728         (JSC::DFG::capabilityLevel):
1729         * ftl/FTLCapabilities.cpp:
1730         (JSC::FTL::canCompile):
1731         * ftl/FTLLowerDFGToB3.cpp:
1732         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1733
1734 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1735
1736         [JSC] Drop op_put_by_index
1737         https://bugs.webkit.org/show_bug.cgi?id=183899
1738
1739         Reviewed by Mark Lam.
1740
1741         This patch drops op_put_by_index.
1742
1743         1. This functionality can just be covered by direct put_by_val.
1744         2. put_by_index is not well optimized. It just calls a C
1745         function, and it does not have DFG handling.
1746
1747         * bytecode/BytecodeDumper.cpp:
1748         (JSC::BytecodeDumper<Block>::dumpBytecode):
1749         * bytecode/BytecodeList.json:
1750         * bytecode/BytecodeUseDef.h:
1751         (JSC::computeUsesForBytecodeOffset):
1752         (JSC::computeDefsForBytecodeOffset):
1753         * bytecompiler/BytecodeGenerator.cpp:
1754         (JSC::BytecodeGenerator::emitPutByIndex): Deleted.
1755         * bytecompiler/BytecodeGenerator.h:
1756         * bytecompiler/NodesCodegen.cpp:
1757         (JSC::ArrayNode::emitBytecode):
1758         (JSC::ArrayPatternNode::emitDirectBinding):
1759         * jit/JIT.cpp:
1760         (JSC::JIT::privateCompileMainPass):
1761         * jit/JIT.h:
1762         * jit/JITPropertyAccess.cpp:
1763         (JSC::JIT::emit_op_put_by_index): Deleted.
1764         * jit/JITPropertyAccess32_64.cpp:
1765         (JSC::JIT::emit_op_put_by_index): Deleted.
1766         * llint/LLIntSlowPaths.cpp:
1767         * llint/LLIntSlowPaths.h:
1768         * llint/LowLevelInterpreter.asm:
1769
1770 2018-03-22  Michael Saboff  <msaboff@apple.com>
1771
1772         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
1773         https://bugs.webkit.org/show_bug.cgi?id=183901
1774
1775         Reviewed by Keith Miller.
1776
1777         Added write barriers to ensure the reversed contents are properly marked.
1778
1779         * runtime/ArrayPrototype.cpp:
1780         (JSC::arrayProtoFuncReverse):
1781
1782 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
1783
1784         ScopedArguments should do poisoning and index masking
1785         https://bugs.webkit.org/show_bug.cgi?id=183863
1786
1787         Reviewed by Mark Lam.
1788         
1789         This outlines the ScopedArguments overflow storage and adds poisoning.
1790
1791         * bytecode/AccessCase.cpp:
1792         (JSC::AccessCase::generateWithGuard):
1793         * dfg/DFGSpeculativeJIT.cpp:
1794         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1795         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1796         * ftl/FTLAbstractHeapRepository.h:
1797         * ftl/FTLLowerDFGToB3.cpp:
1798         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
1799         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1800         * jit/JITPropertyAccess.cpp:
1801         (JSC::JIT::emitScopedArgumentsGetByVal):
1802         * runtime/JSCPoison.h:
1803         * runtime/ScopedArguments.cpp:
1804         (JSC::ScopedArguments::ScopedArguments):
1805         (JSC::ScopedArguments::createUninitialized):
1806         (JSC::ScopedArguments::visitChildren):
1807         * runtime/ScopedArguments.h:
1808
1809 2018-03-21  Mark Lam  <mark.lam@apple.com>
1810
1811         Refactor the PtrTag list as a macro so that we can auto-generate code that enumerates each PtrTag.
1812         https://bugs.webkit.org/show_bug.cgi?id=183861
1813         <rdar://problem/38716822>
1814
1815         Reviewed by Filip Pizlo.
1816
1817         Also added ptrTagName() to aid debugging.  ptrTagName() is implemented using this
1818         new PtrTag macro list.
1819
1820         * CMakeLists.txt:
1821         * JavaScriptCore.xcodeproj/project.pbxproj:
1822         * Sources.txt:
1823         * runtime/PtrTag.cpp: Added.
1824         (JSC::ptrTagName):
1825         * runtime/PtrTag.h:
1826
1827 2018-03-21  Mark Lam  <mark.lam@apple.com>
1828
1829         Use CodeBlock::instructions()[] and CodeBlock::bytecodeOffset() instead of doing own pointer math.
1830         https://bugs.webkit.org/show_bug.cgi?id=183857
1831         <rdar://problem/38712184>
1832
1833         Reviewed by JF Bastien.
1834
1835         We should avoid doing pointer math with CodeBlock::instructions().begin().
1836         Instead, we should use the operator[] that comes with CodeBlock::instructions()
1837         for computing an Instruction*, and use CodeBlock::bytecodeOffset() for computing
1838         the bytecode offset of a given Instruction*.  These methods will do assertions
1839         which help catch bugs sooner, plus they are more descriptive of the operation
1840         we're trying to do.
1841
1842         * bytecode/BytecodeKills.h:
1843         (JSC::BytecodeKills::operandIsKilled const):
1844         (JSC::BytecodeKills::forEachOperandKilledAt const):
1845         * bytecode/CallLinkStatus.cpp:
1846         (JSC::CallLinkStatus::computeFromLLInt):
1847         * bytecode/CodeBlock.cpp:
1848         (JSC::CodeBlock::dumpBytecode):
1849         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1850         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
1851         * bytecode/GetByIdStatus.cpp:
1852         (JSC::GetByIdStatus::computeFromLLInt):
1853         * bytecode/PutByIdStatus.cpp:
1854         (JSC::PutByIdStatus::computeFromLLInt):
1855         * dfg/DFGByteCodeParser.cpp:
1856         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1857         * dfg/DFGOSRExit.cpp:
1858         (JSC::DFG::reifyInlinedCallFrames):
1859         * dfg/DFGOSRExitCompilerCommon.cpp:
1860         (JSC::DFG::reifyInlinedCallFrames):
1861         * interpreter/CallFrame.cpp:
1862         (JSC::CallFrame::callSiteBitsAsBytecodeOffset const):
1863         (JSC::CallFrame::currentVPC const):
1864         (JSC::CallFrame::setCurrentVPC):
1865         * jit/JITCall.cpp:
1866         (JSC::JIT::compileOpCall):
1867         * jit/JITInlines.h:
1868         (JSC::JIT::updateTopCallFrame):
1869         (JSC::JIT::copiedInstruction):
1870         * jit/JITOpcodes.cpp:
1871         (JSC::JIT::privateCompileHasIndexedProperty):
1872         * jit/JITOpcodes32_64.cpp:
1873         (JSC::JIT::privateCompileHasIndexedProperty):
1874         * jit/JITPropertyAccess.cpp:
1875         (JSC::JIT::privateCompileGetByVal):
1876         (JSC::JIT::privateCompileGetByValWithCachedId):
1877         (JSC::JIT::privateCompilePutByVal):
1878         (JSC::JIT::privateCompilePutByValWithCachedId):
1879         * jit/SlowPathCall.h:
1880         (JSC::JITSlowPathCall::call):
1881         * llint/LLIntSlowPaths.cpp:
1882         (JSC::LLInt::llint_trace_operand):
1883         (JSC::LLInt::llint_trace_value):
1884         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1885         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
1886         (JSC::LLInt::getByVal): Deleted.
1887         (JSC::LLInt::handleHostCall): Deleted.
1888         (JSC::LLInt::setUpCall): Deleted.
1889         (JSC::LLInt::genericCall): Deleted.
1890         (JSC::LLInt::varargsSetup): Deleted.
1891         (JSC::LLInt::llint_throw_stack_overflow_error): Deleted.
1892         (JSC::LLInt::llint_stack_check_at_vm_entry): Deleted.
1893         (JSC::LLInt::llint_write_barrier_slow): Deleted.
1894         (JSC::LLInt::llint_crash): Deleted.
1895         * runtime/SamplingProfiler.cpp:
1896         (JSC::tryGetBytecodeIndex):
1897
1898 2018-03-21  Keith Miller  <keith_miller@apple.com>
1899
1900         btjs should print the bytecode offset in the stack trace for JS frames
1901         https://bugs.webkit.org/show_bug.cgi?id=183856
1902
1903         Reviewed by Filip Pizlo.
1904
1905         * interpreter/CallFrame.cpp:
1906         (JSC::CallFrame::bytecodeOffset):
1907         (JSC::CallFrame::dump):
1908
1909 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
1910
1911         Unreviewed. Fix GTK and WPE debug build after r229798.
1912
1913         Fix a typo in an ASSERT. Also convert several RELEASE_ASSERT to ASSERT that I forgot to do before landing.
1914
1915         * API/glib/JSCCallbackFunction.cpp:
1916         (JSC::JSCCallbackFunction::JSCCallbackFunction):
1917         * API/glib/JSCContext.cpp:
1918         (jscContextSetVirtualMachine):
1919         (jscContextGetJSContext):
1920         (wrapperMap):
1921         (jscContextHandleExceptionIfNeeded):
1922         * API/glib/JSCValue.cpp:
1923         (jscValueCallFunction):
1924         * API/glib/JSCVirtualMachine.cpp:
1925         (addWrapper):
1926         (removeWrapper):
1927         (jscVirtualMachineSetContextGroup):
1928         (jscVirtualMachineAddContext):
1929         (jscVirtualMachineRemoveContext):
1930         * API/glib/JSCWrapperMap.cpp:
1931         (JSC::WrapperMap::gobjectWrapper):
1932         (JSC::WrapperMap::unwrap):
1933         (JSC::WrapperMap::registerClass):
1934         (JSC::WrapperMap::createJSWrappper):
1935         (JSC::WrapperMap::wrappedObject const):
1936
1937 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
1938
1939         [GTK][WPE] JSC bindings not introspectable
1940         https://bugs.webkit.org/show_bug.cgi?id=136989
1941
1942         Reviewed by Michael Catanzaro.
1943
1944         Make it possible to include individual headers when building the WebKit layer.
1945
1946         * API/glib/JSCAutocleanups.h:
1947         * API/glib/JSCClass.h:
1948         * API/glib/JSCContext.h:
1949         * API/glib/JSCException.h:
1950         * API/glib/JSCValue.h:
1951         * API/glib/JSCVersion.h.in:
1952         * API/glib/JSCVirtualMachine.h:
1953
1954 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
1955
1956         [GTK][WPE] Initial implementation of JavaScriptCore glib bindings
1957         https://bugs.webkit.org/show_bug.cgi?id=164061
1958
1959         Reviewed by Michael Catanzaro.
1960
1961         Add initial GLib API for JavaScriptCore.
1962
1963         * API/JSAPIWrapperObject.h:
1964         * API/glib/JSAPIWrapperObjectGLib.cpp: Added.
1965         (jsAPIWrapperObjectHandleOwner):
1966         (JSAPIWrapperObjectHandleOwner::finalize):
1967         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1968         (JSC::JSCallbackObject<JSAPIWrapperObject>::createStructure):
1969         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
1970         (JSC::JSAPIWrapperObject::finishCreation):
1971         (JSC::JSAPIWrapperObject::setWrappedObject):
1972         (JSC::JSAPIWrapperObject::visitChildren):
1973         * API/glib/JSCAutocleanups.h: Added.
1974         * API/glib/JSCCallbackFunction.cpp: Added.
1975         (JSC::callAsFunction):
1976         (JSC::callAsConstructor):
1977         (JSC::JSCCallbackFunction::create):
1978         (JSC::JSCCallbackFunction::JSCCallbackFunction):
1979         (JSC::JSCCallbackFunction::call):
1980         (JSC::JSCCallbackFunction::construct):
1981         (JSC::JSCCallbackFunction::destroy):
1982         * API/glib/JSCCallbackFunction.h: Added.
1983         (JSC::JSCCallbackFunction::createStructure):
1984         (JSC::JSCCallbackFunction::functionCallback):
1985         (JSC::JSCCallbackFunction::constructCallback):
1986         * API/glib/JSCClass.cpp: Added.
1987         (jscClassGetProperty):
1988         (jscClassSetProperty):
1989         (jscClassDispose):
1990         (jscClassConstructed):
1991         (jsc_class_class_init):
1992         (jscClassCreate):
1993         (jscClassGetJSClass):
1994         (jscClassGetOrCreateJSWrapper):
1995         (jscClassInvalidate):
1996         (jsc_class_get_name):
1997         (jsc_class_get_parent):
1998         (jsc_class_add_constructor):
1999         (jsc_class_add_method):
2000         (jsc_class_add_property):
2001         * API/glib/JSCClass.h: Added.
2002         * API/glib/JSCClassPrivate.h: Added.
2003         * API/glib/JSCContext.cpp: Added.
2004         (ExceptionHandler::ExceptionHandler):
2005         (ExceptionHandler::~ExceptionHandler):
2006         (jscContextSetVirtualMachine):
2007         (jscContextGetProperty):
2008         (jscContextSetProperty):
2009         (jscContextConstructed):
2010         (jscContextDispose):
2011         (jsc_context_class_init):
2012         (jscContextGetOrCreate):
2013         (jscContextGetJSContext):
2014         (wrapperMap):
2015         (jscContextGetOrCreateValue):
2016         (jscContextValueDestroyed):
2017         (jscContextGetJSWrapper):
2018         (jscContextGetOrCreateJSWrapper):
2019         (jscContextWrappedObject):
2020         (jscContextPushCallback):
2021         (jscContextPopCallback):
2022         (jscContextGArrayToJSArray):
2023         (jscContextJSArrayToGArray):
2024         (jscContextGValueToJSValue):
2025         (jscContextJSValueToGValue):
2026         (jsc_context_new):
2027         (jsc_context_new_with_virtual_machine):
2028         (jsc_context_get_virtual_machine):
2029         (jsc_context_get_exception):
2030         (jsc_context_throw):
2031         (jsc_context_throw_exception):
2032         (jsc_context_push_exception_handler):
2033         (jsc_context_pop_exception_handler):
2034         (jscContextHandleExceptionIfNeeded):
2035         (jsc_context_get_current):
2036         (jsc_context_evaluate):
2037         (jsc_context_evaluate_with_source_uri):
2038         (jsc_context_set_value):
2039         (jsc_context_get_value):
2040         (jsc_context_register_class):
2041         * API/glib/JSCContext.h: Added.
2042         * API/glib/JSCContextPrivate.h: Added.
2043         * API/glib/JSCDefines.h: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.h.
2044         * API/glib/JSCException.cpp: Added.
2045         (jscExceptionDispose):
2046         (jsc_exception_class_init):
2047         (jscExceptionCreate):
2048         (jscExceptionGetJSValue):
2049         (jscExceptionEnsureProperties):
2050         (jsc_exception_new):
2051         (jsc_exception_get_message):
2052         (jsc_exception_get_line_number):
2053         (jsc_exception_get_source_uri):
2054         * API/glib/JSCException.h: Added.
2055         * API/glib/JSCExceptionPrivate.h: Added.
2056         * API/glib/JSCGLibWrapperObject.h: Added.
2057         (JSC::JSCGLibWrapperObject::JSCGLibWrapperObject):
2058         (JSC::JSCGLibWrapperObject::~JSCGLibWrapperObject):
2059         (JSC::JSCGLibWrapperObject::object const):
2060         * API/glib/JSCValue.cpp: Added.
2061         (jscValueGetProperty):
2062         (jscValueSetProperty):
2063         (jscValueDispose):
2064         (jsc_value_class_init):
2065         (jscValueGetJSValue):
2066         (jscValueCreate):
2067         (jsc_value_get_context):
2068         (jsc_value_new_undefined):
2069         (jsc_value_is_undefined):
2070         (jsc_value_new_null):
2071         (jsc_value_is_null):
2072         (jsc_value_new_number):
2073         (jsc_value_is_number):
2074         (jsc_value_to_double):
2075         (jsc_value_to_int32):
2076         (jsc_value_new_boolean):
2077         (jsc_value_is_boolean):
2078         (jsc_value_to_boolean):
2079         (jsc_value_new_string):
2080         (jsc_value_is_string):
2081         (jsc_value_to_string):
2082         (jsc_value_new_array):
2083         (jsc_value_new_array_from_garray):
2084         (jsc_value_is_array):
2085         (jsc_value_new_object):
2086         (jsc_value_is_object):
2087         (jsc_value_object_is_instance_of):
2088         (jsc_value_object_set_property):
2089         (jsc_value_object_get_property):
2090         (jsc_value_object_set_property_at_index):
2091         (jsc_value_object_get_property_at_index):
2092         (jscValueCallFunction):
2093         (jsc_value_object_invoke_method):
2094         (jsc_value_object_define_property_data):
2095         (jsc_value_object_define_property_accessor):
2096         (jsc_value_new_function):
2097         (jsc_value_is_function):
2098         (jsc_value_function_call):
2099         (jsc_value_is_constructor):
2100         (jsc_value_constructor_call):
2101         * API/glib/JSCValue.h: Added.
2102         * API/glib/JSCValuePrivate.h: Added.
2103         * API/glib/JSCVersion.cpp: Added.
2104         (jsc_get_major_version):
2105         (jsc_get_minor_version):
2106         (jsc_get_micro_version):
2107         * API/glib/JSCVersion.h.in: Added.
2108         * API/glib/JSCVirtualMachine.cpp: Added.
2109         (addWrapper):
2110         (removeWrapper):
2111         (jscVirtualMachineSetContextGroup):
2112         (jscVirtualMachineEnsureContextGroup):
2113         (jscVirtualMachineDispose):
2114         (jsc_virtual_machine_class_init):
2115         (jscVirtualMachineGetOrCreate):
2116         (jscVirtualMachineGetContextGroup):
2117         (jscVirtualMachineAddContext):
2118         (jscVirtualMachineRemoveContext):
2119         (jscVirtualMachineGetContext):
2120         (jsc_virtual_machine_new):
2121         * API/glib/JSCVirtualMachine.h: Added.
2122         * API/glib/JSCVirtualMachinePrivate.h: Added.
2123         * API/glib/JSCWrapperMap.cpp: Added.
2124         (JSC::WrapperMap::WrapperMap):
2125         (JSC::WrapperMap::~WrapperMap):
2126         (JSC::WrapperMap::gobjectWrapper):
2127         (JSC::WrapperMap::unwrap):
2128         (JSC::WrapperMap::registerClass):
2129         (JSC::WrapperMap::createJSWrappper):
2130         (JSC::WrapperMap::jsWrapper const):
2131         (JSC::WrapperMap::wrappedObject const):
2132         * API/glib/JSCWrapperMap.h: Added.
2133         * API/glib/docs/jsc-glib-4.0-sections.txt: Added.
2134         * API/glib/docs/jsc-glib-4.0.types: Added.
2135         * API/glib/docs/jsc-glib-docs.sgml: Added.
2136         * API/glib/jsc.h: Added.
2137         * CMakeLists.txt:
2138         * GLib.cmake: Added.
2139         * JavaScriptCore.gir.in: Removed.
2140         * PlatformGTK.cmake:
2141         * PlatformWPE.cmake:
2142         * heap/Heap.cpp:
2143         (JSC::Heap::releaseDelayedReleasedObjects):
2144         * heap/Heap.h:
2145         * heap/HeapInlines.h:
2146         (JSC::Heap::releaseSoon):
2147         * javascriptcoregtk.pc.in:
2148         * runtime/JSGlobalObject.cpp:
2149         (JSC::JSGlobalObject::init):
2150         (JSC::JSGlobalObject::visitChildren):
2151         (JSC::JSGlobalObject::setWrapperMap):
2152         * runtime/JSGlobalObject.h:
2153         (JSC::JSGlobalObject::glibCallbackFunctionStructure const):
2154         (JSC::JSGlobalObject::glibWrapperObjectStructure const):
2155         (JSC::JSGlobalObject::wrapperMap const):
2156
2157 2018-03-21  Christopher Reid  <chris.reid@sony.com>
2158
2159         Windows 64-bit build fix after r229767
2160         https://bugs.webkit.org/show_bug.cgi?id=183810
2161
2162         Reviewed by Mark Lam.
2163
2164         Removing an extra parameter in the call to m_assember::call.
2165
2166         * assembler/MacroAssemblerX86_64.h:
2167
2168 2018-03-20  Dan Bernstein  <mitz@apple.com>
2169
2170         [Xcode] JSVALUE_MODEL is unused
2171         https://bugs.webkit.org/show_bug.cgi?id=183809
2172
2173         Reviewed by Tim Horton.
2174
2175         * Configurations/JavaScriptCore.xcconfig: Removed the unused definition.
2176
2177 2018-03-20  Tim Horton  <timothy_horton@apple.com>
2178
2179         Update the install name for JavaScriptCore when built with WK_ALTERNATE_FRAMEWORKS_DIR
2180         https://bugs.webkit.org/show_bug.cgi?id=183808
2181         <rdar://problem/38692079>
2182
2183         Reviewed by Dan Bernstein.
2184
2185         * Configurations/JavaScriptCore.xcconfig:
2186
2187 2018-03-20  Tim Horton  <timothy_horton@apple.com>
2188
2189         Enable the minimal simulator feature flag when appropriate
2190         https://bugs.webkit.org/show_bug.cgi?id=183807
2191
2192         Reviewed by Dan Bernstein.
2193
2194         * Configurations/FeatureDefines.xcconfig:
2195
2196 2018-03-20  Saam Barati  <sbarati@apple.com>
2197
2198         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
2199         https://bugs.webkit.org/show_bug.cgi?id=183795
2200         <rdar://problem/38298694>
2201
2202         Reviewed by JF Bastien.
2203
2204         We were just assuming that the constants we were inserting were
2205         always exitOK=true. However, this breaks validation. The exitOK
2206         we emit for the constants in the NewArrayBuffer should respect
2207         the current exit state of the IR we've emitted. This is just IR
2208         bookkeeping since JSConstant is a non-exiting node.
2209
2210         * dfg/DFGArgumentsEliminationPhase.cpp:
2211
2212 2018-03-20  Guillaume Emont  <guijemont@igalia.com>
2213
2214         MIPS+Armv7 builds are broken since r229391
2215         https://bugs.webkit.org/show_bug.cgi?id=183474
2216
2217         Reviewed by Yusuke Suzuki.
2218
2219         Add missing armv7 and mips operations and fix arguments to a call to
2220         operationGetByValCell. This should fix compilation on MIPS and Armv7
2221         (though it does not implement the missing setupArguments stuff in
2222         CCallHelpers).
2223
2224         * assembler/MacroAssembler.h:
2225         * assembler/MacroAssemblerARMv7.h:
2226         (JSC::MacroAssemblerARMv7::swap):
2227         * assembler/MacroAssemblerMIPS.h:
2228         (JSC::MacroAssemblerMIPS::swap):
2229         * dfg/DFGSpeculativeJIT32_64.cpp:
2230         (JSC::DFG::SpeculativeJIT::compile):
2231         * jit/FPRInfo.h:
2232
2233 2018-03-20  Tim Horton  <timothy_horton@apple.com>
2234
2235         Add and adopt WK_PLATFORM_NAME and adjust default feature defines
2236         https://bugs.webkit.org/show_bug.cgi?id=183758
2237         <rdar://problem/38017644>
2238
2239         Reviewed by Dan Bernstein.
2240
2241         * Configurations/FeatureDefines.xcconfig:
2242
2243 2018-03-20  Mark Lam  <mark.lam@apple.com>
2244
2245         Improve FunctionPtr and use it in the JIT CallRecord.
2246         https://bugs.webkit.org/show_bug.cgi?id=183756
2247         <rdar://problem/38641335>
2248
2249         Reviewed by JF Bastien.
2250
2251         1. FunctionPtr holds a C/C++ function pointer by default.  Change its default
2252            PtrTag to reflect that.
2253
2254         2. Delete the FunctionPtr::value() method.  It is effectively a duplicate of
2255            executableAddress().
2256
2257         3. Fix the FunctionPtr constructor that takes arbitrary pointers to be able to
2258            take "any" pointer.  "any" in this case means that the pointer may not be typed
2259            as a C/C++ function to the C++ compiler (due to upstream casting or usage of
2260            void* as a storage type), but it is still expected to be pointing to a C/C++
2261            function.
2262
2263         4. Added a FunctionPtr constructor that takes another FunctionPtr.  This is a
2264            convenience constructor that lets us retag the underlying pointer.  The other
2265            FunctionPtr is still expected to point to a C/C++ function.
2266
2267         5. Added PtrTag assertion placeholder functions to be implemented later.
2268
2269         6. Change the JIT CallRecord to embed a FunctionPtr callee instead of a void*
2270            pointer.  This improves type safety, and assists in getting pointer tagging
2271            right later.
2272
2273         7. Added versions of JIT callOperations methods that will take a PtrTag.
2274            This is preparation for more pointer tagging work later.
2275
2276         * assembler/MacroAssemblerARM.h:
2277         (JSC::MacroAssemblerARM::linkCall):
2278         * assembler/MacroAssemblerARMv7.h:
2279         (JSC::MacroAssemblerARMv7::linkCall):
2280         * assembler/MacroAssemblerCodeRef.h:
2281         (JSC::FunctionPtr::FunctionPtr):
2282         (JSC::FunctionPtr::operator bool const):
2283         (JSC::FunctionPtr::operator! const):
2284         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2285         (JSC::MacroAssemblerCodePtr::retagged const):
2286         (JSC::MacroAssemblerCodeRef::retaggedCode const):
2287         (JSC::FunctionPtr::value const): Deleted.
2288         * assembler/MacroAssemblerMIPS.h:
2289         (JSC::MacroAssemblerMIPS::linkCall):
2290         * assembler/MacroAssemblerX86.h:
2291         (JSC::MacroAssemblerX86::linkCall):
2292         * assembler/MacroAssemblerX86_64.h:
2293         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
2294         (JSC::MacroAssemblerX86_64::linkCall):
2295         * bytecode/AccessCase.cpp:
2296         (JSC::AccessCase::generateImpl):
2297         * ftl/FTLSlowPathCall.cpp:
2298         (JSC::FTL::SlowPathCallContext::makeCall):
2299         * ftl/FTLSlowPathCall.h:
2300         (JSC::FTL::callOperation):
2301         * ftl/FTLThunks.cpp:
2302         (JSC::FTL::osrExitGenerationThunkGenerator):
2303         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
2304         (JSC::FTL::slowPathCallThunkGenerator):
2305         * jit/JIT.cpp:
2306         (JSC::JIT::link):
2307         (JSC::JIT::privateCompileExceptionHandlers):
2308         * jit/JIT.h:
2309         (JSC::CallRecord::CallRecord):
2310         (JSC::JIT::appendCall):
2311         (JSC::JIT::appendCallWithSlowPathReturnType):
2312         (JSC::JIT::callOperation):
2313         (JSC::JIT::callOperationWithProfile):
2314         (JSC::JIT::callOperationWithResult):
2315         (JSC::JIT::callOperationNoExceptionCheck):
2316         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
2317         * jit/JITArithmetic.cpp:
2318         (JSC::JIT::emitMathICFast):
2319         (JSC::JIT::emitMathICSlow):
2320         * jit/JITInlines.h:
2321         (JSC::JIT::emitNakedCall):
2322         (JSC::JIT::emitNakedTailCall):
2323         (JSC::JIT::appendCallWithExceptionCheck):
2324         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
2325         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
2326         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
2327         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
2328         * jit/JITPropertyAccess.cpp:
2329         (JSC::JIT::emitSlow_op_get_by_val):
2330         (JSC::JIT::emitSlow_op_put_by_val):
2331         (JSC::JIT::privateCompileGetByValWithCachedId):
2332         (JSC::JIT::privateCompilePutByVal):
2333         (JSC::JIT::privateCompilePutByValWithCachedId):
2334         * jit/JITPropertyAccess32_64.cpp:
2335         (JSC::JIT::emitSlow_op_put_by_val):
2336         * jit/Repatch.cpp:
2337         (JSC::linkPolymorphicCall):
2338         * jit/SlowPathCall.h:
2339         (JSC::JITSlowPathCall::JITSlowPathCall):
2340         (JSC::JITSlowPathCall::call):
2341         * jit/ThunkGenerators.cpp:
2342         (JSC::nativeForGenerator):
2343         * runtime/PtrTag.h:
2344         (JSC::nextPtrTagID):
2345         (JSC::assertIsCFunctionPtr):
2346         (JSC::assertIsNullOrCFunctionPtr):
2347         (JSC::assertIsNotTagged):
2348         (JSC::assertIsTagged):
2349         (JSC::assertIsNullOrTagged):
2350         (JSC::assertIsTaggedWith):
2351         (JSC::assertIsNullOrTaggedWith):
2352         (JSC::uniquePtrTagID): Deleted.
2353
2354 2018-03-20  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
2355
2356         [MIPS] Optimize generated JIT code for loads/stores
2357         https://bugs.webkit.org/show_bug.cgi?id=183243
2358
2359         Reviewed by Yusuke Suzuki.
2360
2361         JIT generates three MIPS instructions for a load/store from/to an absolute address:
2362
2363           lui adrTmpReg, address >> 16
2364           ori adrTmpReg, address & 0xffff
2365           lw dataReg, 0(adrTmpReg)
2366
2367         Since load/store instructions on MIPS have a 16-bit offset, lower 16 bits of the address can
2368         be encoded into the load/store and ori instruction can be removed:
2369
2370           lui adrTmpReg, (address + 0x8000) >> 16
2371           lw dataReg, (address & 0xffff)(adrTmpReg)
2372
2373         Also, in loads/stores with BaseIndex address, the left shift can be omitted if address.scale is 0.
2374
2375         * assembler/MacroAssemblerMIPS.h:
2376         (JSC::MacroAssemblerMIPS::add32):
2377         (JSC::MacroAssemblerMIPS::add64):
2378         (JSC::MacroAssemblerMIPS::or32):
2379         (JSC::MacroAssemblerMIPS::sub32):
2380         (JSC::MacroAssemblerMIPS::convertibleLoadPtr):
2381         (JSC::MacroAssemblerMIPS::load8):
2382         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
2383         (JSC::MacroAssemblerMIPS::load32):
2384         (JSC::MacroAssemblerMIPS::store8):
2385         (JSC::MacroAssemblerMIPS::store32):
2386         (JSC::MacroAssemblerMIPS::branchTest8):
2387         (JSC::MacroAssemblerMIPS::branchAdd32):
2388         (JSC::MacroAssemblerMIPS::loadDouble):
2389         (JSC::MacroAssemblerMIPS::storeDouble):
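
        The encoding trick described in this entry, worked through as an added example
        (this is not WebKit code and is not part of the ChangeLog): MIPS load/store
        displacements are signed 16-bit values, so when bit 15 of the address is set the
        low half reads as negative. Adding 0x8000 before shifting rounds the lui immediate
        up by one in exactly that case, and the sign-extended displacement brings the sum
        back down to the original address. The struct and function names are hypothetical;
        the naive split is included only to show why the rounding is needed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not WebKit code): models the two-instruction MIPS
 * absolute-address sequence from the ChangeLog entry,
 *   lui adrTmpReg, (address + 0x8000) >> 16
 *   lw  dataReg, (address & 0xffff)(adrTmpReg)
 * and checks that the hardware's sign-extended displacement reconstructs
 * the original address. Names below are hypothetical. */

typedef struct {
    uint16_t luiImm; /* immediate for "lui adrTmpReg, luiImm" */
    int16_t disp;    /* signed displacement for "lw dataReg, disp(adrTmpReg)" */
} MipsAbsAddr;

/* The low 16 bits of the address, interpreted the way the CPU will: as a
 * signed 16-bit displacement. Computed without relying on an out-of-range
 * cast so the result is portable. */
static int16_t lowHalfAsDisp(uint32_t address)
{
    int32_t lo = (int32_t)(address & 0xffffu);
    return (int16_t)(lo < 0x8000 ? lo : lo - 0x10000);
}

/* Corrected form from the entry: round the high half up when bit 15 is set. */
MipsAbsAddr splitAbsolute(uint32_t address)
{
    MipsAbsAddr r;
    r.luiImm = (uint16_t)((address + 0x8000u) >> 16); /* wraps mod 2^32 like the assembler */
    r.disp = lowHalfAsDisp(address);
    return r;
}

/* The tempting but wrong version: plain high half, no rounding. */
MipsAbsAddr splitAbsoluteNaive(uint32_t address)
{
    MipsAbsAddr r;
    r.luiImm = (uint16_t)(address >> 16);
    r.disp = lowHalfAsDisp(address);
    return r;
}

/* What the CPU computes: lui places the immediate in the upper half and
 * zeroes the lower half; the load then adds the sign-extended displacement. */
uint32_t effectiveAddress(MipsAbsAddr a)
{
    uint32_t base = (uint32_t)a.luiImm << 16;
    return base + (uint32_t)(int32_t)a.disp; /* modular, like a 32-bit adder */
}

int roundTrips(uint32_t address)
{
    return effectiveAddress(splitAbsolute(address)) == address;
}

int naiveRoundTrips(uint32_t address)
{
    return effectiveAddress(splitAbsoluteNaive(address)) == address;
}

/* Count addresses in [base, base + count) that fail to round-trip through
 * the corrected encoding. Expected to be 0 for any window. */
uint32_t failuresInWindow(uint32_t base, uint32_t count)
{
    uint32_t failures = 0;
    for (uint32_t i = 0; i < count; i++) {
        if (!roundTrips(base + i))
            failures++;
    }
    return failures;
}

int main(void)
{
    /* Constructed sample addresses: low half below and above 0x8000, plus the
     * top of the address space where the +0x8000 carry wraps the high half to 0. */
    uint32_t samples[] = { 0x12345678u, 0x1234abcdu, 0xffff8000u, 0x00007fffu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        MipsAbsAddr a = splitAbsolute(samples[i]);
        printf("0x%08x -> lui 0x%04x, disp %d (naive form also correct: %s)\n",
               samples[i], a.luiImm, a.disp, naiveRoundTrips(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

        The BaseIndex observation in the entry (dropping the shift when address.scale
        is 0) is independent of this encoding and is not modelled here.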
2390
2391 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2392
2393         [DFG][FTL] Add vectorLengthHint for NewArray
2394         https://bugs.webkit.org/show_bug.cgi?id=183694
2395
2396         Reviewed by Saam Barati.
2397
2398         While the following code is common, it is not so efficient.
2399
2400         var array = [];
2401         for (...) {
2402             ...
2403             array.push(...);
2404         }
2405
2406         The array is always allocated with 0 vector length. And it is eventually grown.
2407
2408         We have ArrayAllocationProfile, and it tells us the vector length hint for
2409         the allocated arrays. This hint is already used for NewArrayBuffer. This patch
2410         extends this support for NewArray DFG node.
2411
2412         This patch improves Kraken/stanford-crypto-aes by 4%.
2413
2414                                       baseline                  patched
2415
2416         stanford-crypto-aes        64.069+-1.352             61.589+-1.274           might be 1.0403x faster
2417
2418         NewArray can be optimized.
2419
2420                                                        baseline                  patched
2421
2422         vector-length-hint-new-array               21.8157+-0.0882     ^     13.1764+-0.0942        ^ definitely 1.6557x faster
2423         vector-length-hint-array-constructor       21.9076+-0.0987     ?     22.1168+-0.4814        ?
2424
2425         * dfg/DFGByteCodeParser.cpp:
2426         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2427         (JSC::DFG::ByteCodeParser::parseBlock):
2428         * dfg/DFGNode.h:
2429         (JSC::DFG::Node::hasVectorLengthHint):
2430         (JSC::DFG::Node::vectorLengthHint):
2431         * dfg/DFGSpeculativeJIT64.cpp:
2432         (JSC::DFG::SpeculativeJIT::compile):
2433         * ftl/FTLLowerDFGToB3.cpp:
2434         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2435
2436 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2437
2438         [DFG][FTL] Make ArraySlice(0) code tight
2439         https://bugs.webkit.org/show_bug.cgi?id=183590
2440
2441         Reviewed by Saam Barati.
2442
2443         This patch tightens ArraySlice code, in particular the startIndex = 0 case.
2444
2445         1. We support array.slice() call. This is a well-used way to clone array.
2446         For example, underscore.js uses this technique.
2447
2448         2. We remove several checks if the given index value is a proven constant.
2449
2450         * dfg/DFGBackwardsPropagationPhase.cpp:
2451         (JSC::DFG::BackwardsPropagationPhase::propagate):
2452         * dfg/DFGByteCodeParser.cpp:
2453         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2454         * dfg/DFGFixupPhase.cpp:
2455         (JSC::DFG::FixupPhase::fixupNode):
2456         * dfg/DFGSpeculativeJIT.cpp:
2457         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
2458         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2459         We can skip some of the checks if the given value is a proven constant.
2460
2461         * ftl/FTLLowerDFGToB3.cpp:
2462         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2463         Change below to belowOrEqual. It does not change the meaning of the code. But it allows us
2464         to fold BelowEqual(0, x) to true.
2465
2466 2018-03-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2467
2468         Drop s_exceptionInstructions static initializer
2469         https://bugs.webkit.org/show_bug.cgi?id=183732
2470
2471         Reviewed by Darin Adler.
2472
2473         Make Instruction constructor constexpr to drop the static constructor
2474         of LLInt::Data::s_exceptionInstructions.
2475
2476         * bytecode/Instruction.h:
2477         (JSC::Instruction::Instruction):
2478
2479 2018-03-19  Dan Bernstein  <mitz@apple.com>
2480
2481         Investigate why __cpu_indicator_init is used
2482         https://bugs.webkit.org/show_bug.cgi?id=183736
2483
2484         Reviewed by Tim Horton.
2485
2486         __cpu_indicator_init, which is a global initializer, was included in JavaScriptCore because
2487         we were passing the -all_load option to the linker, causing it to bring in all members of
2488         every static library being linked in, including the compiler runtime library. We only need
2489         to load all members of WTF. The linker option for doing that is -force_load, and it requires
2490         a path to the library. To support building against libWTF.a built locally as well as against
2491         the copy that is in the SDK, we add a script build phase that places a symbolic link to the
2492         appropriate libWTF.a under the DerivedSources directory, and pass the path to that symlink
2493         to the linker. Also, while cleaning up linker flags, make OTHER_LDFLAGS_HIDE_SYMBOLS less
2494         verbose by eliminating every other -Wl, remove redundant -lobjc (libobjc is already listed
2495         in the Link Binary With Libraries build phase), remove long-unsupported -Y,3, and stop
2496         reexporting libobjc.
2497
2498         * Configurations/JavaScriptCore.xcconfig:
2499         * JavaScriptCore.xcodeproj/project.pbxproj:
2500
2501 2018-03-19  Jiewen Tan  <jiewen_tan@apple.com>
2502
2503         Unreviewed, another quick fix for r229699
2504
2505         Restricts ENABLE_WEB_AUTHN to only macOS and iOS.
2506
2507         * Configurations/FeatureDefines.xcconfig:
2508
2509 2018-03-19  Mark Lam  <mark.lam@apple.com>
2510
2511         FunctionPtr should be passed by value.
2512         https://bugs.webkit.org/show_bug.cgi?id=183746
2513         <rdar://problem/38625311>
2514
2515         Reviewed by JF Bastien.
2516
2517         It's meant to be an encapsulation of a C/C++ function pointer.  There are cases
2518         where we use it to pass JIT compiled code (e.g. the VM thunks/stubs), but they are
2519         treated as if they are C/C++ functions.
2520
2521         Regardless, there's no need to pass it by reference.
2522
2523         * assembler/MacroAssemblerCodeRef.h:
2524         * dfg/DFGJITCompiler.h:
2525         (JSC::DFG::JITCompiler::appendCall):
2526         * dfg/DFGSpeculativeJIT.h:
2527         (JSC::DFG::SpeculativeJIT::appendCall):
2528         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
2529         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
2530         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
2531         * jit/JIT.h:
2532         (JSC::JIT::appendCall):
2533         (JSC::JIT::appendCallWithSlowPathReturnType):
2534         * jit/JITInlines.h:
2535         (JSC::JIT::appendCallWithExceptionCheck):
2536         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
2537         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
2538         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
2539         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
2540
2541 2018-03-15  Ross Kirsling  <ross.kirsling@sony.com>
2542
2543         Fix MSVC run-time check after r229391.
2544         https://bugs.webkit.org/show_bug.cgi?id=183673
2545
2546         Reviewed by Keith Miller.
2547
2548         Replaces attempted fix from r229424/r229432.
2549         Apparently MSVC doesn't like it when a zero-length std::array is defined without explicit braces.
2550
2551         * jit/CCallHelpers.h:
2552         (JSC::CCallHelpers::clampArrayToSize):
2553
2554 2018-03-15  Tim Horton  <timothy_horton@apple.com>
2555
2556         Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in ANGLE
2557         https://bugs.webkit.org/show_bug.cgi?id=183675
2558         <rdar://problem/38515281>
2559
2560         Reviewed by Dan Bernstein.
2561
2562         * JavaScriptCore.xcodeproj/project.pbxproj:
2563         Don't install the JSC alias if we're installing to an alternate location.
2564         This should have been a part of r229637.
2565
2566 2018-03-15  Tim Horton  <timothy_horton@apple.com>
2567
2568         Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in JavaScriptCore
2569         https://bugs.webkit.org/show_bug.cgi?id=183649
2570         <rdar://problem/38480526>
2571
2572         Reviewed by Dan Bernstein.
2573
2574         * Configurations/Base.xcconfig:
2575         * JavaScriptCore.xcodeproj/project.pbxproj:
2576
2577 2018-03-14  Mark Lam  <mark.lam@apple.com>
2578
2579         Enhance the MacroAssembler and LinkBuffer to support pointer profiling.
2580         https://bugs.webkit.org/show_bug.cgi?id=183623
2581         <rdar://problem/38443314>
2582
2583         Reviewed by Michael Saboff.
2584
2585         1. Added a PtrTag argument to indirect call() and indirect jump() MacroAssembler
2586            emitters to support pointer profiling.
2587
2588         2. Also added tagPtr(), untagPtr(), and removePtrTag() placeholder methods.
2589
2590         3. Added a PtrTag to LinkBuffer finalizeCodeWithoutDisassembly() and clients.
2591
2592         4. Updated clients to pass a PtrTag.  For the most part, I just apply NoPtrTag as
2593            a placeholder until we have time to analyze what pointer profile each client
2594            site has later.
2595
2596         5. Apply PtrTags to the YarrJIT.
2597
2598         * assembler/ARM64Assembler.h:
2599         (JSC::ARM64Assembler::linkJumpOrCall):
2600         * assembler/AbstractMacroAssembler.h:
2601         (JSC::AbstractMacroAssembler::getLinkerAddress):
2602         (JSC::AbstractMacroAssembler::tagPtr):
2603         (JSC::AbstractMacroAssembler::untagPtr):
2604         (JSC::AbstractMacroAssembler::removePtrTag):
2605         * assembler/LinkBuffer.cpp:
2606         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
2607         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2608         * assembler/LinkBuffer.h:
2609         (JSC::LinkBuffer::link):
2610         (JSC::LinkBuffer::locationOfNearCall):
2611         (JSC::LinkBuffer::locationOf):
2612         * assembler/MacroAssemblerARM.h:
2613         (JSC::MacroAssemblerARM::jump):
2614         (JSC::MacroAssemblerARM::call):
2615         (JSC::MacroAssemblerARM::readCallTarget):
2616         * assembler/MacroAssemblerARM64.h:
2617         (JSC::MacroAssemblerARM64::call):
2618         (JSC::MacroAssemblerARM64::jump):
2619         (JSC::MacroAssemblerARM64::readCallTarget):
2620         (JSC::MacroAssemblerARM64::linkCall):
2621         * assembler/MacroAssemblerARMv7.h:
2622         (JSC::MacroAssemblerARMv7::jump):
2623         (JSC::MacroAssemblerARMv7::relativeTableJump):
2624         (JSC::MacroAssemblerARMv7::call):
2625         (JSC::MacroAssemblerARMv7::readCallTarget):
2626         * assembler/MacroAssemblerCodeRef.cpp:
2627         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2628         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2629         * assembler/MacroAssemblerCodeRef.h:
2630         (JSC::FunctionPtr::FunctionPtr):
2631         (JSC::FunctionPtr::value const):
2632         (JSC::MacroAssemblerCodePtr:: const):
2633         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2634         (JSC::MacroAssemblerCodeRef::retaggedCode const):
2635         * assembler/MacroAssemblerMIPS.h:
2636         (JSC::MacroAssemblerMIPS::jump):
2637         (JSC::MacroAssemblerMIPS::call):
2638         (JSC::MacroAssemblerMIPS::readCallTarget):
2639         * assembler/MacroAssemblerX86.h:
2640         (JSC::MacroAssemblerX86::call):
2641         (JSC::MacroAssemblerX86::jump):
2642         (JSC::MacroAssemblerX86::readCallTarget):
2643         * assembler/MacroAssemblerX86Common.cpp:
2644         (JSC::MacroAssembler::probe):
2645         * assembler/MacroAssemblerX86Common.h:
2646         (JSC::MacroAssemblerX86Common::jump):
2647         (JSC::MacroAssemblerX86Common::call):
2648         * assembler/MacroAssemblerX86_64.h:
2649         (JSC::MacroAssemblerX86_64::call):
2650         (JSC::MacroAssemblerX86_64::jump):
2651         (JSC::MacroAssemblerX86_64::readCallTarget):
2652         * assembler/testmasm.cpp:
2653         (JSC::compile):
2654         (JSC::invoke):
2655         * b3/B3Compile.cpp:
2656         (JSC::B3::compile):
2657         * b3/B3LowerMacros.cpp:
2658         * b3/air/AirCCallSpecial.cpp:
2659         (JSC::B3::Air::CCallSpecial::generate):
2660         * b3/air/testair.cpp:
2661         * b3/testb3.cpp:
2662         (JSC::B3::invoke):
2663         (JSC::B3::testInterpreter):
2664         (JSC::B3::testEntrySwitchSimple):
2665         (JSC::B3::testEntrySwitchNoEntrySwitch):
2666         (JSC::B3::testEntrySwitchWithCommonPaths):
2667         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
2668         (JSC::B3::testEntrySwitchLoop):
2669         * bytecode/AccessCase.cpp:
2670         (JSC::AccessCase::generateImpl):
2671         * bytecode/AccessCaseSnippetParams.cpp:
2672         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
2673         * bytecode/InlineAccess.cpp:
2674         (JSC::linkCodeInline):
2675         (JSC::InlineAccess::rewireStubAsJump):
2676         * bytecode/PolymorphicAccess.cpp:
2677         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2678         (JSC::PolymorphicAccess::regenerate):
2679         * dfg/DFGJITCompiler.cpp:
2680         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2681         (JSC::DFG::JITCompiler::link):
2682         (JSC::DFG::JITCompiler::compileFunction):
2683         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
2684         * dfg/DFGJITCompiler.h:
2685         (JSC::DFG::JITCompiler::appendCall):
2686         * dfg/DFGJITFinalizer.cpp:
2687         (JSC::DFG::JITFinalizer::finalize):
2688         (JSC::DFG::JITFinalizer::finalizeFunction):
2689         * dfg/DFGOSRExit.cpp:
2690         (JSC::DFG::OSRExit::emitRestoreArguments):
2691         (JSC::DFG::OSRExit::compileOSRExit):
2692         * dfg/DFGOSRExitCompilerCommon.cpp:
2693         (JSC::DFG::handleExitCounts):
2694         (JSC::DFG::osrWriteBarrier):
2695         (JSC::DFG::adjustAndJumpToTarget):
2696         * dfg/DFGSpeculativeJIT.cpp:
2697         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2698         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2699         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
2700         * dfg/DFGSpeculativeJIT64.cpp:
2701         (JSC::DFG::SpeculativeJIT::compile):
2702         * dfg/DFGThunks.cpp:
2703         (JSC::DFG::osrExitThunkGenerator):
2704         (JSC::DFG::osrExitGenerationThunkGenerator):
2705         (JSC::DFG::osrEntryThunkGenerator):
2706         * ftl/FTLCompile.cpp:
2707         (JSC::FTL::compile):
2708         * ftl/FTLJITFinalizer.cpp:
2709         (JSC::FTL::JITFinalizer::finalizeCommon):
2710         * ftl/FTLLazySlowPath.cpp:
2711         (JSC::FTL::LazySlowPath::generate):
2712         * ftl/FTLLink.cpp:
2713         (JSC::FTL::link):
2714         * ftl/FTLLowerDFGToB3.cpp:
2715         (JSC::FTL::DFG::LowerDFGToB3::lower):
2716         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2717         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2718         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2719         * ftl/FTLOSRExitCompiler.cpp:
2720         (JSC::FTL::compileStub):
2721         (JSC::FTL::compileFTLOSRExit):
2722         * ftl/FTLSlowPathCall.cpp:
2723         (JSC::FTL::SlowPathCallContext::makeCall):
2724         * ftl/FTLThunks.cpp:
2725         (JSC::FTL::genericGenerationThunkGenerator):
2726         (JSC::FTL::osrExitGenerationThunkGenerator):
2727         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
2728         (JSC::FTL::slowPathCallThunkGenerator):
2729         * jit/AssemblyHelpers.cpp:
2730         (JSC::AssemblyHelpers::callExceptionFuzz):
2731         (JSC::AssemblyHelpers::debugCall):
2732         * jit/CCallHelpers.cpp:
2733         (JSC::CCallHelpers::ensureShadowChickenPacket):
2734         * jit/CCallHelpers.h:
2735         (JSC::CCallHelpers::jumpToExceptionHandler):
2736         * jit/ExecutableAllocator.cpp:
2737         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2738         * jit/JIT.cpp:
2739         (JSC::JIT::emitEnterOptimizationCheck):
2740         (JSC::JIT::link):
2741         (JSC::JIT::privateCompileExceptionHandlers):
2742         * jit/JIT.h:
2743         (JSC::JIT::appendCall):
2744         * jit/JITMathIC.h:
2745         (JSC::isProfileEmpty):
2746         * jit/JITOpcodes.cpp:
2747         (JSC::JIT::emit_op_catch):
2748         (JSC::JIT::emit_op_switch_imm):
2749         (JSC::JIT::emit_op_switch_char):
2750         (JSC::JIT::emit_op_switch_string):
2751         (JSC::JIT::emitSlow_op_loop_hint):
2752         (JSC::JIT::privateCompileHasIndexedProperty):
2753         * jit/JITOpcodes32_64.cpp:
2754         (JSC::JIT::emit_op_catch):
2755         (JSC::JIT::emit_op_switch_imm):
2756         (JSC::JIT::emit_op_switch_char):
2757         (JSC::JIT::emit_op_switch_string):
2758         (JSC::JIT::privateCompileHasIndexedProperty):
2759         * jit/JITPropertyAccess.cpp:
2760         (JSC::JIT::stringGetByValStubGenerator):
2761         (JSC::JIT::privateCompileGetByVal):
2762         (JSC::JIT::privateCompileGetByValWithCachedId):
2763         (JSC::JIT::privateCompilePutByVal):
2764         (JSC::JIT::privateCompilePutByValWithCachedId):
2765         * jit/JITPropertyAccess32_64.cpp:
2766         (JSC::JIT::stringGetByValStubGenerator):
2767         * jit/JITStubRoutine.h:
2768         * jit/Repatch.cpp:
2769         (JSC::readCallTarget):
2770         (JSC::appropriateOptimizingPutByIdFunction):
2771         (JSC::linkPolymorphicCall):
2772         (JSC::resetPutByID):
2773         * jit/SlowPathCall.h:
2774         (JSC::JITSlowPathCall::call):
2775         * jit/SpecializedThunkJIT.h:
2776         (JSC::SpecializedThunkJIT::finalize):
2777         (JSC::SpecializedThunkJIT::callDoubleToDouble):
2778         * jit/ThunkGenerators.cpp:
2779         (JSC::throwExceptionFromCallSlowPathGenerator):
2780         (JSC::slowPathFor):
2781         (JSC::linkCallThunkGenerator):
2782         (JSC::linkPolymorphicCallThunkGenerator):
2783         (JSC::virtualThunkFor):
2784         (JSC::nativeForGenerator):
2785         (JSC::arityFixupGenerator):
2786         (JSC::unreachableGenerator):
2787         (JSC::boundThisNoArgsFunctionCallGenerator):
2788         * llint/LLIntThunks.cpp:
2789         (JSC::LLInt::generateThunkWithJumpTo):
2790         (JSC::LLInt::functionForCallEntryThunkGenerator):
2791         (JSC::LLInt::functionForConstructEntryThunkGenerator):
2792         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
2793         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
2794         (JSC::LLInt::evalEntryThunkGenerator):
2795         (JSC::LLInt::programEntryThunkGenerator):
2796         (JSC::LLInt::moduleProgramEntryThunkGenerator):
2797         * runtime/PtrTag.h:
2798         * wasm/WasmB3IRGenerator.cpp:
2799         (JSC::Wasm::B3IRGenerator::addCall):
2800         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2801         * wasm/WasmBBQPlan.cpp:
2802         (JSC::Wasm::BBQPlan::complete):
2803         * wasm/WasmBinding.cpp:
2804         (JSC::Wasm::wasmToWasm):
2805         * wasm/WasmOMGPlan.cpp:
2806         (JSC::Wasm::OMGPlan::work):
2807         * wasm/WasmThunks.cpp:
2808         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2809         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2810         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2811         * wasm/js/WasmToJS.cpp:
2812         (JSC::Wasm::handleBadI64Use):
2813         (JSC::Wasm::wasmToJS):
2814         * yarr/YarrJIT.cpp:
2815         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
2816         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
2817         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
2818         (JSC::Yarr::YarrGenerator::generateEnter):
2819         (JSC::Yarr::YarrGenerator::YarrGenerator):
2820         (JSC::Yarr::YarrGenerator::compile):
2821         (JSC::Yarr::jitCompile):
2822         * yarr/YarrJIT.h:
2823         (JSC::Yarr::YarrCodeBlock::execute):
2824
2825 2018-03-14  Caitlin Potter  <caitp@igalia.com>
2826
2827         [JSC] fix order of evaluation for ClassDefinitionEvaluation
2828         https://bugs.webkit.org/show_bug.cgi?id=183523
2829
2830         Reviewed by Keith Miller.
2831
2832         Computed property names need to be evaluated in source order during class
2833         definition evaluation, as it's observable (and specified to work this way).
2834
2835         This change improves compatibility with Chromium.
2836
2837         * bytecompiler/BytecodeGenerator.h:
2838         (JSC::BytecodeGenerator::emitDefineClassElements):
2839         * bytecompiler/NodesCodegen.cpp:
2840         (JSC::PropertyListNode::emitBytecode):
2841         (JSC::ClassExprNode::emitBytecode):
2842         * parser/ASTBuilder.h:
2843         (JSC::ASTBuilder::createClassExpr):
2844         (JSC::ASTBuilder::createGetterOrSetterProperty):
2845         (JSC::ASTBuilder::createProperty):
2846         * parser/NodeConstructors.h:
2847         (JSC::PropertyNode::PropertyNode):
2848         (JSC::ClassExprNode::ClassExprNode):
2849         * parser/Nodes.cpp:
2850         (JSC::PropertyListNode::hasStaticallyNamedProperty):
2851         * parser/Nodes.h:
2852         (JSC::PropertyNode::isClassProperty const):
2853         (JSC::PropertyNode::isStaticClassProperty const):
2854         (JSC::PropertyNode::isInstanceClassProperty const):
2855         * parser/Parser.cpp:
2856         (JSC::Parser<LexerType>::parseClass):
2857         (JSC::Parser<LexerType>::parseProperty):
2858         (JSC::Parser<LexerType>::parseGetterSetter):
2859         * parser/Parser.h:
2860         * parser/SyntaxChecker.h:
2861         (JSC::SyntaxChecker::createClassExpr):
2862         (JSC::SyntaxChecker::createProperty):
2863         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2864
2865 2018-03-14  Keith Miller  <keith_miller@apple.com>
2866
2867         Move jsc CLI breakpoint function to $vm
2868         https://bugs.webkit.org/show_bug.cgi?id=183512
2869
2870         Reviewed by Yusuke Suzuki.
2871
2872         * jsc.cpp:
2873         (GlobalObject::finishCreation):
2874         (functionBreakpoint): Deleted.
2875         * tools/JSDollarVM.cpp:
2876         (JSC::functionBreakpoint):
2877         (JSC::JSDollarVM::finishCreation):
2878
2879 2018-03-14  Tim Horton  <timothy_horton@apple.com>
2880
2881         Fix the build after r229567
2882
2883         * Configurations/FeatureDefines.xcconfig:
2884
2885 2018-03-12  Mark Lam  <mark.lam@apple.com>
2886
2887         Gardening: speculative build fix for WinCairo.
2888         https://bugs.webkit.org/show_bug.cgi?id=183573
2889
2890         Not reviewed.
2891
2892         * runtime/NativeFunction.h:
2893         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2894
2895 2018-03-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2896
2897         Unreviewed, fix obsolete ASSERT
2898         https://bugs.webkit.org/show_bug.cgi?id=183310
2899
2900         Now NewObject can be converted from CallObjectConstructor and CreateThis.
2901
2902         * dfg/DFGNode.h:
2903         (JSC::DFG::Node::convertToNewObject):
2904
2905 2018-03-12  Tim Horton  <timothy_horton@apple.com>
2906
2907         Stop using SDK conditionals to control feature definitions
2908         https://bugs.webkit.org/show_bug.cgi?id=183430
2909         <rdar://problem/38251619>
2910
2911         Reviewed by Dan Bernstein.
2912
2913         * Configurations/FeatureDefines.xcconfig:
2914         * Configurations/WebKitTargetConditionals.xcconfig: Renamed.
2915
2916 2018-03-12  Yoav Weiss  <yoav@yoav.ws>
2917
2918         Runtime flag for link prefetch and remove link subresource.
2919         https://bugs.webkit.org/show_bug.cgi?id=183540
2920
2921         Reviewed by Chris Dumez.
2922
2923         Remove the LINK_PREFETCH build time flag.
2924
2925         * Configurations/FeatureDefines.xcconfig:
2926
2927 2018-03-12  Mark Lam  <mark.lam@apple.com>
2928
2929         Gardening: speculative build fix for Windows.
2930         https://bugs.webkit.org/show_bug.cgi?id=183573
2931
2932         Not reviewed.
2933
2934         * runtime/NativeFunction.h:
2935         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2936
2937 2018-03-12  Mark Lam  <mark.lam@apple.com>
2938
2939         Add another PtrTag.
2940         https://bugs.webkit.org/show_bug.cgi?id=183580
2941         <rdar://problem/38390584>
2942
2943         Reviewed by Keith Miller.
2944
2945         * runtime/PtrTag.h:
2946
2947 2018-03-12  Mark Lam  <mark.lam@apple.com>
2948
2949         Make a NativeFunction into a class to support pointer profiling.
2950         https://bugs.webkit.org/show_bug.cgi?id=183573
2951         <rdar://problem/38384697>
2952
2953         Reviewed by Filip Pizlo.
2954
2955         1. NativeFunction is now a class, and introducing RawNativeFunction and
2956            TaggedNativeFunction.
2957
2958            RawNativeFunction is the raw pointer type (equivalent
2959            to the old definition of NativeFunction).  This is mainly used for underlying
2960            storage inside the NativeFunction class, and also for global data tables that
2961            cannot embed non-trivially constructed objects.
2962
2963            NativeFunction's role is mainly to encapsulate a pointer to a C function that
2964            we pass into the VM.
2965
2966            TaggedNativeFunction encapsulates the tagged version of a pointer to a C
2967            function that we track in the VM.
2968
2969         2. Added a convenience constructor for TrustedImmPtr so that we don't have to
2970            cast function pointers to void* anymore when constructing a TrustedImmPtr.
2971
2972         3. Removed the unused CALL_RETURN macro in CommonSlowPaths.cpp.
2973
2974         4. Added more PtrTag utility functions.
2975
2976         * CMakeLists.txt:
2977         * JavaScriptCore.xcodeproj/project.pbxproj:
2978         * assembler/AbstractMacroAssembler.h:
2979         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
2980         * create_hash_table:
2981         * interpreter/Interpreter.cpp:
2982         (JSC::Interpreter::executeCall):
2983         (JSC::Interpreter::executeConstruct):
2984         * interpreter/InterpreterInlines.h:
2985         (JSC::Interpreter::getOpcodeID):
2986         * jit/JITThunks.cpp:
2987         (JSC::JITThunks::hostFunctionStub):
2988         * jit/JITThunks.h:
2989         * llint/LLIntData.cpp:
2990         (JSC::LLInt::initialize):
2991         * llint/LLIntSlowPaths.cpp:
2992         (JSC::LLInt::setUpCall):
2993         * llint/LowLevelInterpreter.asm:
2994         * llint/LowLevelInterpreter.cpp:
2995         (JSC::CLoop::execute):
2996         * llint/LowLevelInterpreter64.asm:
2997         * offlineasm/ast.rb:
2998         * runtime/CallData.h:
2999         * runtime/CommonSlowPaths.cpp:
3000         * runtime/ConstructData.h:
3001         * runtime/InternalFunction.h:
3002         (JSC::InternalFunction::nativeFunctionFor):
3003         * runtime/JSCell.cpp:
3004         (JSC::JSCell::getCallData):
3005         (JSC::JSCell::getConstructData):
3006         * runtime/JSFunction.h:
3007         * runtime/JSFunctionInlines.h:
3008         (JSC::JSFunction::nativeFunction):
3009         (JSC::JSFunction::nativeConstructor):
3010         (JSC::isHostFunction):
3011         * runtime/Lookup.h:
3012         (JSC::HashTableValue::function const):
3013         (JSC::HashTableValue::accessorGetter const):
3014         (JSC::HashTableValue::accessorSetter const):
3015         (JSC::nonCachingStaticFunctionGetter):
3016         * runtime/NativeExecutable.cpp:
3017         (JSC::NativeExecutable::create):
3018         (JSC::NativeExecutable::NativeExecutable):
3019         * runtime/NativeExecutable.h:
3020         * runtime/NativeFunction.h: Added.
3021         (JSC::NativeFunction::NativeFunction):
3022         (JSC::NativeFunction::operator intptr_t const):
3023         (JSC::NativeFunction::operator bool const):
3024         (JSC::NativeFunction::operator! const):
3025         (JSC::NativeFunction::operator== const):
3026         (JSC::NativeFunction::operator!= const):
3027         (JSC::NativeFunction::operator()):
3028         (JSC::NativeFunction::rawPointer const):
3029         (JSC::NativeFunctionHash::hash):
3030         (JSC::NativeFunctionHash::equal):
3031         (JSC::TaggedNativeFunction::TaggedNativeFunction):
3032         (JSC::TaggedNativeFunction::operator bool const):
3033         (JSC::TaggedNativeFunction::operator! const):
3034         (JSC::TaggedNativeFunction::operator== const):
3035         (JSC::TaggedNativeFunction::operator!= const):
3036         (JSC::TaggedNativeFunction::operator()):
3037         (JSC::TaggedNativeFunction::operator NativeFunction):
3038         (JSC::TaggedNativeFunction::rawPointer const):
3039         (JSC::TaggedNativeFunctionHash::hash):
3040         (JSC::TaggedNativeFunctionHash::equal):
3041         * runtime/PtrTag.h:
3042         (JSC::tagCFunctionPtr):
3043         (JSC::untagCFunctionPtr):
3044         * runtime/VM.h:
3045         (JSC::VM::targetMachinePCForThrowOffset): Deleted.
3046
3047 2018-03-12  Filip Pizlo  <fpizlo@apple.com>
3048
3049         Unreviewed, fix simple goof that was causing 32-bit DFG crashes.
3050
3051         * dfg/DFGSpeculativeJIT.cpp:
3052         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3053
3054 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3055
3056         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
3057         https://bugs.webkit.org/show_bug.cgi?id=183310
3058
3059         Reviewed by Filip Pizlo.
3060
3061         This patch implements CreateThis -> NewObject conversion in AI if the given function is constant.
3062         This contributes to 6% win in Octane/raytrace.
3063
3064                                         baseline                  patched
3065
3066             raytrace       x2       1.19915+-0.01862    ^     1.13156+-0.01589       ^ definitely 1.0597x faster
3067
3068         * dfg/DFGAbstractInterpreterInlines.h:
3069         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3070         * dfg/DFGConstantFoldingPhase.cpp:
3071         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3072
3073 2018-03-11  Wenson Hsieh  <wenson_hsieh@apple.com>
3074
3075         Disable Sigill crash analyzer on watchOS
3076         https://bugs.webkit.org/show_bug.cgi?id=183548
3077         <rdar://problem/38338032>
3078
3079         Reviewed by Mark Lam.
3080
3081         Sigill is not supported on watchOS.
3082
3083         * runtime/Options.cpp:
3084         (JSC::overrideDefaults):
3085
3086 2018-03-09  Filip Pizlo  <fpizlo@apple.com>
3087
3088         Split DirectArguments into JSValueOOB and JSValueStrict parts
3089         https://bugs.webkit.org/show_bug.cgi?id=183458
3090
3091         Reviewed by Yusuke Suzuki.
3092         
3093         Our Spectre plan for JSValue objects is to allow inline JSValue stores and loads guarded by
3094         unmitigated structure checks. This works because objects reachable from JSValues (i.e. JSValue
3095         objects, like String, Symbol, and any descendant of JSObject) will only contain fields that it's OK
3096         to read and write within a Spectre mitigation window. Writes are important, because within the
3097         window, a write could appear to be made speculatively and rolled out later. This means that:
3098         
3099         - JSValue objects cannot have lengths, masks, or anything else inline.
3100         
3101         - JSValue objects cannot have an inline type that is used as part of a Spectre mitigation for a type
3102           check, unless that type is in the form of a poison key.
3103         
3104         This means that the dynamic poisoning that I previously landed for DirectArguments is wrong. It also
3105         means that it's wrong for DirectArguments to have an inline length.
3106         
3107         This changes DirectArguments to use poisoning according to the universal formula:
3108         
3109         - The random accessed portions are out-of-line, pointed to by a poisoned pointer.
3110         
3111         - No inline length.
3112         
3113         Surprisingly, this is perf-neutral. It's probably perf-neutral because our compiler optimizations
3114         amortize whatever cost there was.
3115
3116         * bytecode/AccessCase.cpp:
3117         (JSC::AccessCase::generateWithGuard):
3118         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3119         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
3120         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Added.
3121         (JSC::DFG::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator):
3122         * dfg/DFGSpeculativeJIT.cpp:
3123         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3124         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3125         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3126         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
3127         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
3128         * ftl/FTLAbstractHeapRepository.h:
3129         * ftl/FTLLowerDFGToB3.cpp:
3130         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
3131         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3132         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3133         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
3134         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
3135         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3136         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell):
3137         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
3138         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
3139         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
3140         * heap/SecurityKind.h:
3141         * jit/JITPropertyAccess.cpp:
3142         (JSC::JIT::emit_op_get_from_arguments):
3143         (JSC::JIT::emit_op_put_to_arguments):
3144         (JSC::JIT::emitDirectArgumentsGetByVal):
3145         * jit/JITPropertyAccess32_64.cpp:
3146         (JSC::JIT::emit_op_get_from_arguments):
3147         (JSC::JIT::emit_op_put_to_arguments):
3148         * llint/LowLevelInterpreter.asm:
3149         * llint/LowLevelInterpreter32_64.asm:
3150         * llint/LowLevelInterpreter64.asm:
3151         * runtime/DirectArguments.cpp:
3152         (JSC::DirectArguments::DirectArguments):
3153         (JSC::DirectArguments::createUninitialized):
3154         (JSC::DirectArguments::create):
3155         (JSC::DirectArguments::createByCopying):
3156         (JSC::DirectArguments::estimatedSize):
3157         (JSC::DirectArguments::visitChildren):
3158         (JSC::DirectArguments::overrideThings):
3159         (JSC::DirectArguments::copyToArguments):
3160         (JSC::DirectArguments::mappedArgumentsSize):
3161         * runtime/DirectArguments.h:
3162         * runtime/JSCPoison.h:
3163         * runtime/JSLexicalEnvironment.h:
3164         * runtime/JSSymbolTableObject.h:
3165         * runtime/VM.cpp:
3166         (JSC::VM::VM):
3167         * runtime/VM.h:
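
        The poisoning scheme this entry describes, as an added toy model in C++ that is not JSC's DirectArguments or JSCPoison code (the two type kinds, the two fixed poison keys and every helper name below are assumptions chosen for a reproducible example): the object keeps nothing inline except its type tag and a storage pointer XORed with the key for that type, the length lives only out of line, and decoding the pointer with the key for the wrong type yields an address that no real allocation occupies.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <optional>
#include <utility>
#include <vector>

// Added toy model of the "universal formula" above; not JSC's own code.
// The type kinds and the key values are assumptions for this example.
enum class TypeKind : uint32_t { DirectArguments = 1, OtherObject = 2 };

// One poison key per type kind. Fixed here so the example is reproducible;
// a VM would draw them randomly at startup.
constexpr uintptr_t kPoisonDirectArguments = 0x5a17c3e9b6d24f00ull;
constexpr uintptr_t kPoisonOtherObject     = 0x93d0a5f1e7c6b280ull;

constexpr uintptr_t poisonKeyFor(TypeKind kind)
{
    return kind == TypeKind::DirectArguments ? kPoisonDirectArguments : kPoisonOtherObject;
}

// The randomly indexed part lives out of line. The length is stored only
// here, so a type-confused speculative read of the object finds no length.
struct OutOfLineStorage {
    std::vector<uint64_t> slots;
};

// The inline part: a type tag (what a structure check speculates on) and the
// poisoned storage pointer. No length, no mask, nothing else inline.
struct PoisonedObject {
    TypeKind kind;
    uintptr_t poisonedStorage;
    std::unique_ptr<OutOfLineStorage> owner; // ownership bookkeeping only
};

inline uintptr_t poison(const OutOfLineStorage* p, TypeKind kind)
{
    return reinterpret_cast<uintptr_t>(p) ^ poisonKeyFor(kind);
}

inline uintptr_t unpoison(uintptr_t poisoned, TypeKind assumedKind)
{
    return poisoned ^ poisonKeyFor(assumedKind);
}

PoisonedObject makeObject(TypeKind kind, std::vector<uint64_t> slots)
{
    auto storage = std::make_unique<OutOfLineStorage>();
    storage->slots = std::move(slots);
    PoisonedObject object;
    object.kind = kind;
    object.poisonedStorage = poison(storage.get(), kind);
    object.owner = std::move(storage);
    return object;
}

// Address an access path would compute after a type check that guessed
// `assumedKind`. With the right guess it is the real storage; with a wrong
// guess (a mispredicted check running speculatively) it differs from the real
// pointer by the XOR of the two keys, which sets the top address bits.
uintptr_t decodedStorageAddress(const PoisonedObject& object, TypeKind assumedKind)
{
    return unpoison(object.poisonedStorage, assumedKind);
}

uintptr_t realStorageAddress(const PoisonedObject& object)
{
    return reinterpret_cast<uintptr_t>(object.owner.get());
}

// Architectural get-by-val: the type is known, so decode with the object's own
// key and bounds-check against the out-of-line length.
std::optional<uint64_t> getByVal(const PoisonedObject& object, size_t index)
{
    auto* storage = reinterpret_cast<OutOfLineStorage*>(unpoison(object.poisonedStorage, object.kind));
    if (index >= storage->slots.size())
        return std::nullopt;
    return storage->slots[index];
}
```

        With 64-bit user-space pointers the wrong-key decode sets the top 16 bits to 0xc9c7, a non-canonical address, so a load issued under a mispredicted type check cannot reach attacker-chosen memory through this pointer. The scheme protects only what sits behind the pointer, which is why the entry also moves the length out of line instead of leaving it inline next to the tag.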
3168
3169 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3170
3171         [B3] Above/Below should be strength-reduced for comparison with 0
3172         https://bugs.webkit.org/show_bug.cgi?id=183543
3173
3174         Reviewed by Filip Pizlo.
3175
3176         Above(0, x) and BelowEqual(0, x) can be converted to constants false and true respectively.
3177         This can be seen in ArraySlice(0) case: `Select(Above(0, length), length, 0)` this should
3178         be converted to `0`. This patch adds such a folding to comparisons.
3179
3180         We also fix B3ReduceStrength issue creating an orphan value. If a flipped value is folded to
3181         a constant, we do not insert flipped value and make it an orphan. This issue causes JSC test
3182         failure with this B3Const32/64Value change. With this patch, we create a flipped value only
3183         when we fail to fold it to a constant.
3184
3185         * b3/B3Const32Value.cpp:
3186         (JSC::B3::Const32Value::lessThanConstant const):
3187         (JSC::B3::Const32Value::greaterThanConstant const):
3188         (JSC::B3::Const32Value::lessEqualConstant const):
3189         (JSC::B3::Const32Value::greaterEqualConstant const):
3190         (JSC::B3::Const32Value::aboveConstant const):
3191         (JSC::B3::Const32Value::belowConstant const):
3192         (JSC::B3::Const32Value::aboveEqualConstant const):
3193         (JSC::B3::Const32Value::belowEqualConstant const):
3194         * b3/B3Const64Value.cpp:
3195         (JSC::B3::Const64Value::lessThanConstant const):
3196         (JSC::B3::Const64Value::greaterThanConstant const):
3197         (JSC::B3::Const64Value::lessEqualConstant const):
3198         (JSC::B3::Const64Value::greaterEqualConstant const):
3199         (JSC::B3::Const64Value::aboveConstant const):
3200         (JSC::B3::Const64Value::belowConstant const):
3201         (JSC::B3::Const64Value::aboveEqualConstant const):
3202         (JSC::B3::Const64Value::belowEqualConstant const):
3203         * b3/B3ReduceStrength.cpp:
3204         * b3/testb3.cpp:
3205         (JSC::B3::int64Operands):
3206         (JSC::B3::int32Operands):
3207
3208 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3209
3210         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
3211         https://bugs.webkit.org/show_bug.cgi?id=181848
3212
3213         Reviewed by Sam Weinig.
3214
3215         In r181535, we support `string.match(/nonglobal/)` code. However, `string.match(/global/g)` is not
3216         optimized since it sets `lastIndex` value before performing RegExp operation.
3217
3218         This patch optimizes the above "with a global flag" case by emitting `SetRegExpObjectLastIndex` properly.
3219         RegExpMatchFast is converted to SetRegExpObjectLastIndex and RegExpMatchFastGlobal. The latter node
3220         just holds RegExp (not RegExpObject) cell so that it can offer a chance to make NewRegexp PhantomNewRegexp
3221         in object allocation sinking phase.
3222
3223         Added microbenchmarks show that this patch makes NewRegexp PhantomNewRegexp even if the given RegExp
3224         has a global flag. And it improves the performance.
3225
3226                                       baseline                  patched
3227
3228         regexp-u-global-es5       44.1298+-4.6128     ^     33.7920+-2.0110        ^ definitely 1.3059x faster
3229         regexp-u-global-es6      182.3272+-2.2861     ^    154.3414+-7.6769        ^ definitely 1.1813x faster
3230
3231         * dfg/DFGAbstractInterpreterInlines.h:
3232         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3233         * dfg/DFGClobberize.h:
3234         (JSC::DFG::clobberize):
3235         * dfg/DFGDoesGC.cpp:
3236         (JSC::DFG::doesGC):
3237         * dfg/DFGFixupPhase.cpp:
3238         (JSC::DFG::FixupPhase::fixupNode):
3239         * dfg/DFGMayExit.cpp:
3240         * dfg/DFGNode.cpp:
3241         (JSC::DFG::Node::convertToRegExpMatchFastGlobal):
3242         * dfg/DFGNode.h:
3243         (JSC::DFG::Node::hasHeapPrediction):
3244         (JSC::DFG::Node::hasCellOperand):
3245         * dfg/DFGNodeType.h:
3246         * dfg/DFGOperations.cpp:
3247         * dfg/DFGOperations.h:
3248         * dfg/DFGPredictionPropagationPhase.cpp:
3249         * dfg/DFGSafeToExecute.h:
3250         (JSC::DFG::safeToExecute):
3251         * dfg/DFGSpeculativeJIT.cpp:
3252         (JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal):
3253         * dfg/DFGSpeculativeJIT.h:
3254         * dfg/DFGSpeculativeJIT32_64.cpp:
3255         (JSC::DFG::SpeculativeJIT::compile):
3256         * dfg/DFGSpeculativeJIT64.cpp:
3257         (JSC::DFG::SpeculativeJIT::compile):
3258         * dfg/DFGStrengthReductionPhase.cpp:
3259         (JSC::DFG::StrengthReductionPhase::handleNode):
3260         * ftl/FTLCapabilities.cpp:
3261         (JSC::FTL::canCompile):
3262         * ftl/FTLLowerDFGToB3.cpp:
3263         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3264         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
3265         * runtime/RegExpObject.cpp:
3266         (JSC::collectMatches): Deleted.
3267         * runtime/RegExpObject.h:
3268         * runtime/RegExpObjectInlines.h:
3269         (JSC::RegExpObject::execInline):
3270         (JSC::RegExpObject::matchInline):
3271         (JSC::advanceStringUnicode):
3272         (JSC::collectMatches):
3273         (JSC::RegExpObject::advanceStringUnicode): Deleted.
3274         * runtime/RegExpPrototype.cpp:
3275         (JSC::advanceStringIndex):
3276
3277 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3278
3279         B3::reduceStrength should canonicalize integer comparisons
3280         https://bugs.webkit.org/show_bug.cgi?id=150958
3281
3282         Reviewed by Filip Pizlo.
3283
3284         This patch sorts operands of comparisons by flipping opcode. For example, `Above(0, @2)` is
3285         converted to `Below(@2, 0)`. This sorting is the same as the handleCommutativity rule. Since we
3286         canonicalize comparisons to have constant value at least on the right hand side, we can
3287         remove pattern matchings checking leftImm in B3LowerToAir.
3288
3289         Since this flipping changes the opcode of the value, to do this safely, we just create a
3290         new value which has flipped opcode and swapped operands. If we can fold it to a constant,
3291         we replace m_value with this constant. If we fail to fold it to constant, we replace
3292         m_value with the flipped one.
3293
3294         These comparisons are already handled in testb3.
3295
3296         * b3/B3LowerToAir.cpp:
3297         * b3/B3ReduceStrength.cpp:
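
        The two comparison rules from this entry and from the 2018-03-11 "Above/Below" entry above (flip the opcode so the constant sits on the right; fold unsigned comparisons against 0; materialize the flipped value only when folding fails, so no orphan is left), as an added C++ model that is not B3's own Value, Procedure or reduceStrength code; the opcode set, the arena and the helper names are assumptions made for this example.

```cpp
#include <cstdint>
#include <memory>
#include <optional>
#include <vector>

// Added toy model of comparison strength reduction; not JSC's B3 code.
enum class Opcode { Const, Var,
                    LessThan, GreaterThan, LessEqual, GreaterEqual,   // signed
                    Above, Below, AboveEqual, BelowEqual };            // unsigned

struct Value {
    Opcode opcode;
    int64_t constant = 0;          // meaningful only when opcode == Const
    const Value* lhs = nullptr;    // operands, meaningful only for comparisons
    const Value* rhs = nullptr;
};

// Owns every Value so nothing dangles; stands in for the B3 Procedure.
struct Procedure {
    std::vector<std::unique_ptr<Value>> values;
    Value* add(Value v) { values.push_back(std::make_unique<Value>(v)); return values.back().get(); }
    Value* constant(int64_t c) { return add({Opcode::Const, c}); }
    Value* variable() { return add({Opcode::Var}); }
    Value* compare(Opcode op, const Value* a, const Value* b) { return add({op, 0, a, b}); }
    size_t countOpcode(Opcode op) const {
        size_t n = 0;
        for (const auto& v : values) n += (v->opcode == op);
        return n;
    }
};

bool isComparison(Opcode op) { return op >= Opcode::LessThan; }

// Opcode that gives the same result with the operands swapped.
Opcode flipped(Opcode op) {
    switch (op) {
    case Opcode::LessThan: return Opcode::GreaterThan;
    case Opcode::GreaterThan: return Opcode::LessThan;
    case Opcode::LessEqual: return Opcode::GreaterEqual;
    case Opcode::GreaterEqual: return Opcode::LessEqual;
    case Opcode::Above: return Opcode::Below;
    case Opcode::Below: return Opcode::Above;
    case Opcode::AboveEqual: return Opcode::BelowEqual;
    case Opcode::BelowEqual: return Opcode::AboveEqual;
    default: return op;
    }
}

bool evaluate(Opcode op, int64_t a, int64_t b) {
    uint64_t ua = static_cast<uint64_t>(a), ub = static_cast<uint64_t>(b);
    switch (op) {
    case Opcode::LessThan: return a < b;
    case Opcode::GreaterThan: return a > b;
    case Opcode::LessEqual: return a <= b;
    case Opcode::GreaterEqual: return a >= b;
    case Opcode::Above: return ua > ub;
    case Opcode::Below: return ua < ub;
    case Opcode::AboveEqual: return ua >= ub;
    case Opcode::BelowEqual: return ua <= ub;
    default: return false;
    }
}

// Try to fold `op(lhs, rhsConst)` once the constant is on the right.
std::optional<bool> tryFold(Opcode op, const Value* lhs, int64_t rhsConst) {
    if (lhs->opcode == Opcode::Const)
        return evaluate(op, lhs->constant, rhsConst);
    // Unsigned comparison against 0: nothing is below 0, everything is above-or-equal 0.
    // These are Above(0, x) -> false and BelowEqual(0, x) -> true after flipping.
    if (rhsConst == 0 && op == Opcode::Below) return false;
    if (rhsConst == 0 && op == Opcode::AboveEqual) return true;
    return std::nullopt;
}

// Canonicalize so the constant sits on the right, then fold if possible. The
// flipped value is created only when folding fails, so a fold leaves no orphan.
// Returns the value that should replace `cmp` (or `cmp` itself if unchanged).
Value* reduceComparison(Procedure& proc, Value* cmp) {
    if (!isComparison(cmp->opcode)) return cmp;
    const Value* lhs = cmp->lhs;
    const Value* rhs = cmp->rhs;
    if (rhs->opcode == Opcode::Const) {
        if (auto folded = tryFold(cmp->opcode, lhs, rhs->constant)) return proc.constant(*folded);
        return cmp;
    }
    if (lhs->opcode == Opcode::Const) {
        Opcode flippedOp = flipped(cmp->opcode);
        if (auto folded = tryFold(flippedOp, rhs, lhs->constant)) return proc.constant(*folded);
        return proc.compare(flippedOp, rhs, lhs);   // Above(0, @2) becomes Below(@2, 0)
    }
    return cmp;
}
```

        Because the fold is attempted on the flipped form before any node is allocated, `Above(0, x)` and `BelowEqual(0, x)` reduce straight to constants without a `Below` or `AboveEqual` value ever entering the procedure, which is the orphan-value problem the 2018-03-11 entry fixes.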
3298
3299 2018-03-09  Mark Lam  <mark.lam@apple.com>
3300
3301         offlineasm should reset the Assembler's working state before doing another pass for a new target.
3302         https://bugs.webkit.org/show_bug.cgi?id=183538
3303         <rdar://problem/38325955>
3304
3305         Reviewed by Michael Saboff.
3306
3307         * llint/LowLevelInterpreter.cpp:
3308         * offlineasm/asm.rb:
3309         * offlineasm/cloop.rb:
3310
3311 2018-03-09  Brian Burg  <bburg@apple.com>
3312
3313         Web Inspector: there should only be one way for async backend commands to send failure
3314         https://bugs.webkit.org/show_bug.cgi?id=183524
3315
3316         Reviewed by Timothy Hatcher.
3317
3318         If this is an async command, errors should be reported with BackendDispatcher::CallbackBase::sendFailure.
3319         To avoid mixups, don't include the ErrorString out-parameter in generated async command signatures.
3320         This change only affects interfaces generated for C++ backend dispatchers.
3321
3322         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3323         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
3324         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3325         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3326         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3327
3328 2018-03-09  Mark Lam  <mark.lam@apple.com>
3329
3330         Build fix after r229476.
3331         https://bugs.webkit.org/show_bug.cgi?id=183488
3332
3333         Not reviewed.
3334
3335         * runtime/StackAlignment.h:
3336
3337 2018-03-09  Mark Lam  <mark.lam@apple.com>
3338
3339         [Re-landing] Add support for ARM64E.
3340         https://bugs.webkit.org/show_bug.cgi?id=183398
3341         <rdar://problem/38212621>
3342
3343         Reviewed by Michael Saboff.
3344
3345         * assembler/MacroAssembler.h:
3346         * llint/LLIntOfflineAsmConfig.h:
3347         * llint/LowLevelInterpreter.asm:
3348         * llint/LowLevelInterpreter64.asm:
3349         * offlineasm/backends.rb:
3350
3351 2018-03-09  Mark Lam  <mark.lam@apple.com>
3352
3353         [Re-landing] Prepare LLInt code to support pointer profiling.
3354         https://bugs.webkit.org/show_bug.cgi?id=183387
3355         <rdar://problem/38199678>
3356
3357         Reviewed by JF Bastien.
3358
3359         1. Introduced PtrTag enums for supporting pointer profiling later.
3360
3361         2. Also introduced tagging, untagging, retagging, and tag removal placeholder
3362            template functions for the same purpose.
3363
3364         3. Prepare the offlineasm for supporting pointer profiling later.
3365
3366         4. Tagged some pointers in LLInt asm code.  Currently, these should have no
3367            effect on behavior.
3368
3369         5. Removed returnToThrowForThrownException() because it is not used anywhere.
3370
3371         6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
3372            easier to view and edit these files in Xcode.
3373
3374         * CMakeLists.txt:
3375         * JavaScriptCore.xcodeproj/project.pbxproj:
3376         * bytecode/LLIntCallLinkInfo.h:
3377         (JSC::LLIntCallLinkInfo::unlink):
3378         * llint/LLIntData.cpp:
3379         (JSC::LLInt::initialize):
3380         * llint/LLIntData.h:
3381         * llint/LLIntExceptions.cpp:
3382         (JSC::LLInt::returnToThrowForThrownException): Deleted.
3383         * llint/LLIntExceptions.h:
3384         * llint/LLIntOfflineAsmConfig.h:
3385         * llint/LLIntOffsetsExtractor.cpp:
3386         * llint/LLIntPCRanges.h:
3387         (JSC::LLInt::isLLIntPC):
3388         * llint/LLIntSlowPaths.cpp:
3389         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3390         (JSC::LLInt::handleHostCall):
3391         (JSC::LLInt::setUpCall):
3392         * llint/LowLevelInterpreter.asm:
3393         * llint/LowLevelInterpreter32_64.asm:
3394         * llint/LowLevelInterpreter64.asm:
3395         * offlineasm/ast.rb:
3396         * offlineasm/instructions.rb:
3397         * offlineasm/risc.rb:
3398         * runtime/PtrTag.h: Added.
3399         (JSC::uniquePtrTagID):
3400         (JSC::ptrTag):
3401         (JSC::tagCodePtr):
3402         (JSC::untagCodePtr):
3403         (JSC::retagCodePtr):
3404         (JSC::removeCodePtrTag):
3405
3406 2018-03-09  Mark Lam  <mark.lam@apple.com>
3407
3408         Remove unused LLINT_STATS feature.
3409         https://bugs.webkit.org/show_bug.cgi?id=183522
3410         <rdar://problem/38313139>
3411
3412         Rubber-stamped by Keith Miller.
3413
3414         We haven't used this in a while, and it is one more option that makes offlineasm
3415         build slower.  We can always re-introduce this later if we need it.
3416
3417         * jsc.cpp:
3418         * llint/LLIntCommon.h:
3419         * llint/LLIntData.cpp:
3420         (JSC::LLInt::initialize):
3421         (JSC::LLInt::Data::finalizeStats): Deleted.
3422         (JSC::LLInt::compareStats):