[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Remove std::random_shuffle
        https://bugs.webkit.org/show_bug.cgi?id=185292

        Reviewed by Darin Adler.

        std::random_shuffle is deprecated in C++14 and removed in C++17,
        since std::random_shuffle relies on rand and srand.
        Use std::shuffle instead.

        * jit/BinarySwitch.cpp:
        (JSC::RandomNumberGenerator::RandomNumberGenerator):
        (JSC::RandomNumberGenerator::operator()):
        (JSC::RandomNumberGenerator::min):
        (JSC::RandomNumberGenerator::max):
        (JSC::BinarySwitch::build):

2018-05-03  Saam Barati  <sbarati@apple.com>

        Don't prevent CreateThis being folded to NewObject when the structure is poly proto
        https://bugs.webkit.org/show_bug.cgi?id=185177

        Reviewed by Filip Pizlo.

        This patch teaches the DFG/FTL how to constant fold CreateThis with
        a known poly proto Structure to NewObject. We do it by emitting a NewObject
        followed by a PutByOffset for the prototype value.
        
        We make it so that ObjectAllocationProfile holds the prototype value.
        This is sound because JSFunction clears that profile when its 'prototype'
        field changes.
        
        This patch also renames underscoreProtoPrivateName to polyProtoName since
        that name was nonsensical: it was only used for poly proto.
        
        This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
        regressed that benchmark when I first introduced poly proto.

        * builtins/BuiltinNames.cpp:
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        (JSC::BuiltinNames::polyProtoName const):
        (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::prototype):
        (JSC::ObjectAllocationProfile::clear):
        (JSC::ObjectAllocationProfile::visitAggregate):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/FunctionRareData.h:
        * runtime/Structure.cpp:
        (JSC::Structure::create):

2018-05-03  Michael Saboff  <msaboff@apple.com>

        OSR entry pruning of Program Bytecodes doesn't take into account try/catch
        https://bugs.webkit.org/show_bug.cgi?id=185281

        Reviewed by Saam Barati.

        When we compute bytecode block reachability, we need to take into account blocks
        containing try/catch.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):

2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>

        ARM: Wrong offset for operand rt in disassembler
        https://bugs.webkit.org/show_bug.cgi?id=184083

        Reviewed by Yusuke Suzuki.

        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):

2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>

        ARM: Support vstr in disassembler
        https://bugs.webkit.org/show_bug.cgi?id=184084

        Reviewed by Yusuke Suzuki.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.

2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>

        Invoke ensureArrayStorage for all arguments
        https://bugs.webkit.org/show_bug.cgi?id=185247

        Reviewed by Yusuke Suzuki.

        ensureArrayStorage was only invoked for first argument in each loop iteration.

        * jsc.cpp:
        (functionEnsureArrayStorage):

2018-05-03  Filip Pizlo  <fpizlo@apple.com>

        Make it easy to log compile times for all optimizing tiers
        https://bugs.webkit.org/show_bug.cgi?id=185270

        Reviewed by Keith Miller.
        
        This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
        helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
        it.
        
        This should help us reduce compile times by telling us where to look. So, far, it looks like
        CFA is the worst.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Common.cpp:
        (JSC::B3::shouldMeasurePhaseTiming): Deleted.
        * b3/B3Common.h:
        * b3/B3TimingScope.cpp: Removed.
        * b3/B3TimingScope.h:
        (JSC::B3::TimingScope::TimingScope):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * tools/CompilerTimingScope.cpp: Added.
        (JSC::CompilerTimingScope::CompilerTimingScope):
        (JSC::CompilerTimingScope::~CompilerTimingScope):
        * tools/CompilerTimingScope.h: Added.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2018-05-03  Filip Pizlo  <fpizlo@apple.com>

        Strings should not be allocated in a gigacage
        https://bugs.webkit.org/show_bug.cgi?id=185218

        Reviewed by Saam Barati.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::toStringGeneric):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):
        (JSC::JSRopeString::resolveRope const):
        * runtime/JSString.h:
        (JSC::JSString::create):
        (JSC::JSString::createHasOtherOwner):
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):

2018-05-03  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix 32-bit profile offset for change in bytecode
        length of the get_by_id and get_array_length opcodes.

        * llint/LowLevelInterpreter32_64.asm:

2018-05-03  Michael Saboff  <msaboff@apple.com>

        WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
        https://bugs.webkit.org/show_bug.cgi?id=185231

        Reviewed by Saam Barati.

        We weren't clearing the scratch register cache when switching back and forth between 
        allowing scratch register usage.  We disallow scratch register usage when we are in
        code that will freely allocate and use any register.  Such usage can change the
        contents of scratch registers.  For ARM64, where we cache the contents of scratch
        registers to reuse some or all of the contained values, we need to invalidate these
        caches.  We do this when re-enabling scratch register usage, that is when we transition
        from disallow to allow scratch register usage.

        Added a new Air regression test.

        * assembler/AllowMacroScratchRegisterUsage.h:
        (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
        * assembler/AllowMacroScratchRegisterUsageIf.h:
        (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
        * assembler/DisallowMacroScratchRegisterUsage.h:
        (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
        * b3/air/testair.cpp:

2018-05-03  Keith Miller  <keith_miller@apple.com>

        Remove the prototype caching for get_by_id in the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=185226

        Reviewed by Michael Saboff.

        There is no evidence that this is actually a speedup and we keep
        getting bugs with it. At this point it seems like we should just
        remove this code.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdOp):
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetById):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Options.h:

2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231197.

        The test added with this change crashes on the 32-bit JSC bot.

        Reverted changeset:

        "Correctly detect string overflow when using the 'Function'
        constructor"
        https://bugs.webkit.org/show_bug.cgi?id=184883
        https://trac.webkit.org/changeset/231197

2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>

        Disable usage of fused multiply-add instructions for JSC with compiler flag
        https://bugs.webkit.org/show_bug.cgi?id=184909

        Reviewed by Yusuke Suzuki.

        Adds -ffp-contract as compiler flag for building JSC. This ensures that functions
        like parseInt() do not return slightly different results depending on whether the
        compiler was able to use fused multiply-add instructions or not.

        * CMakeLists.txt:

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix build failure in ARM, ARMv7 and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=185192

        compareDouble relies on MacroAssembler::invert function.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::compareDouble):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::compareDouble): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::compareDouble): Deleted.

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add MacroAssembler::and16 and store16
        https://bugs.webkit.org/show_bug.cgi?id=185188

        Reviewed by Mark Lam.

        r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
        This patch adds these methods for ARM.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::and16):
        (JSC::MacroAssemblerARM::store16):

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Unify compare related code in 32bit and 64bit
        https://bugs.webkit.org/show_bug.cgi?id=185189

        Reviewed by Mark Lam.

        This patch unifies some part of compare related code in 32bit and 64bit
        to reduce the size of 32bit specific DFG code.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32Compare):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
        (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
        (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
        https://bugs.webkit.org/show_bug.cgi?id=185192

        Reviewed by Mark Lam.

        Now Object.is starts using compareDouble. So we would like to have
        efficient implementation for compareDouble and compareFloat for
        major architectures, ARM64, X86, and X86_64.

        This patch adds compareDouble and compareFloat implementations for
        these architectures. And generic implementation is moved to each
        architecture's MacroAssembler implementation.

        We also add tests for them in testmasm. To implement this test
        easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
        major architectures.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::compareDouble): Deleted.
        (JSC::MacroAssembler::compareFloat): Deleted.
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::compareDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::compareDouble):
        (JSC::MacroAssemblerARM64::compareFloat):
        (JSC::MacroAssemblerARM64::loadFloat):
        (JSC::MacroAssemblerARM64::floatingPointCompare):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::compareDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::compareDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::loadFloat):
        (JSC::MacroAssemblerX86Common::compareDouble):
        (JSC::MacroAssemblerX86Common::compareFloat):
        (JSC::MacroAssemblerX86Common::floatingPointCompare):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movss_mr):
        (JSC::X86Assembler::movss_rm):
        * assembler/testmasm.cpp:
        (JSC::floatOperands):
        (JSC::testCompareFloat):
        (JSC::run):

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix 32bit DFG code
        https://bugs.webkit.org/show_bug.cgi?id=185065

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSameValue):

2018-05-02  Filip Pizlo  <fpizlo@apple.com>

        JSC should know how to cache custom getter accesses on the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=185213

        Reviewed by Keith Miller.

        This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2018-05-01  Filip Pizlo  <fpizlo@apple.com>

        JSC should be able to cache custom setter calls on the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=185174

        Reviewed by Saam Barati.

        We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
        condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
        impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
        of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
        custom accessors because it won't find the custom property in the structure.

        The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().

        This is a 4x speed-up on assign-custom-setter.js.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::hasAlternateBase const):
        (JSC::AccessCase::alternateBase const):
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCase.h:
        (JSC::AccessCase::alternateBase const): Deleted.
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::hasAlternateBase const):
        (JSC::GetterSetterAccessCase::alternateBase const):
        * bytecode/GetterSetterAccessCase.h:
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        * bytecode/ObjectPropertyConditionSet.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):

2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
        https://bugs.webkit.org/show_bug.cgi?id=185195

        Reviewed by Mark Lam.

        This implements the given function for MIPS, such that it builds again.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::and16):
        (JSC::MacroAssemblerMIPS::store16):

2018-05-02  Rick Waldron  <waldron.rick@gmail.com>

        Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
        https://bugs.webkit.org/show_bug.cgi?id=185043

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDollarAgentMonotonicNow):

2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Implement and16 and store16 for MacroAssemblerARMv7
        https://bugs.webkit.org/show_bug.cgi?id=185196

        Reviewed by Mark Lam.

        This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::and16):
        (JSC::MacroAssemblerARMv7::store16):

2018-05-02  Robin Morisset  <rmorisset@apple.com>

        emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
        https://bugs.webkit.org/show_bug.cgi?id=183172

        Reviewed by Filip Pizlo.

        DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
        but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.

        I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
        Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
        a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, stackPointer signature is different from declaration
        https://bugs.webkit.org/show_bug.cgi?id=184790

        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointer):

2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add SameValue DFG node
        https://bugs.webkit.org/show_bug.cgi?id=185065

        Reviewed by Saam Barati.

        This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
        And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
        if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
        from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
        implementations for these SameValue nodes.

        This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler"
        has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
        was broken. This patch fixes issues and move compareDouble to MacroAssemblerX86Common, and remove a
        generalized compareDouble for x86 arch to use this specialized efficient version instead. The fixes are
        correctly using set32 to zero-extending the result, and setting the initial value of `dest` register
        correctly for DoubleEqual and DoubleNotEqualOrUnordered cases.

        Added microbenchmark shows performance improvement.

            object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::compareDouble):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
        * assembler/testmasm.cpp:
        (JSC::doubleOperands):
        (JSC::testCompareDouble):
        (JSC::run):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSameValue):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/ObjectConstructor.cpp:

2018-04-30  Filip Pizlo  <fpizlo@apple.com>

        B3::demoteValues should be able to handle patchpoint terminals
        https://bugs.webkit.org/show_bug.cgi?id=185151

        Reviewed by Saam Barati.
        
        If we try to demote a patchpoint terminal then prior to this change we would append a Set to
        the basic block that the patchpoint terminated. That's wrong because then the terminal is no
        longer the last thing in the block.
        
        Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
        really do that because demotion happens as a prerequisite to other transformations.
        
        One solution might have been to make demoteValues insert a basic block whenever it encounters
        this problem. But that would break clients that do CFG analysis before demoteValues and use
        the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
        also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
        so it's not bad to introduce that requirement.
        
        So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
        terminal as if it had multiple successors. This means that a patchpoint terminal's successors
        will only have it as their predecessor. Then, demoteValues just prepends the Set to the
        successors of the patchpoint terminal.
        
        This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
        a unit test in testb3.

        * b3/B3BreakCriticalEdges.cpp:
        (JSC::B3::breakCriticalEdges):
        * b3/B3BreakCriticalEdges.h:
        * b3/B3FixSSA.cpp:
        (JSC::B3::demoteValues):
        (JSC::B3::fixSSA):
        * b3/B3FixSSA.h:
        * b3/B3Value.cpp:
        (JSC::B3::Value::foldIdentity const):
        (JSC::B3::Value::performSubstitution):
        * b3/B3Value.h:
        * b3/testb3.cpp:
        (JSC::B3::testDemotePatchpointTerminal):
        (JSC::B3::run):

2018-05-01  Robin Morisset  <rmorisset@apple.com>

        Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
        https://bugs.webkit.org/show_bug.cgi?id=184772
        <rdar://problem/39146327>

        Reviewed by Filip Pizlo.

        Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399), where a check was missing.
        This patch now makes sure that the check correctly detects if there is an integer overflow.

        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountWithAnyIndexingType):

2018-05-01  Robin Morisset  <rmorisset@apple.com>

        Correctly detect string overflow when using the 'Function' constructor
        https://bugs.webkit.org/show_bug.cgi?id=184883
        <rdar://problem/36320331>

        Reviewed by Filip Pizlo.

        The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
        Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.

        I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
        In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
        I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):

2018-05-01  Robin Morisset  <rmorisset@apple.com>

        IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
        https://bugs.webkit.org/show_bug.cgi?id=185162

        Reviewed by Filip Pizlo.

        * runtime/IntlObject.cpp:
        (JSC::removeUnicodeLocaleExtension):

2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>

        Add SetCallee as DFG-Operation
        https://bugs.webkit.org/show_bug.cgi?id=184582

        Reviewed by Filip Pizlo.

        For recursive tail calls not only the argument count can change but also the
        callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
        Also update the callee when optimizing a recursive tail call.
        Enable recursive tail call optimization also for closures.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::handleCallVariant):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetCallee):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):

2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>

        WebAssembly: add support for stream APIs - JavaScript API
        https://bugs.webkit.org/show_bug.cgi?id=183442

        Reviewed by Yusuke Suzuki and JF Bastien.

        Add WebAssembly stream API. Current patch only add functions
        WebAssembly.compileStreaming and WebAssembly.instantiateStreaming but,
        does not add streaming way of the implementation. So in current version it
        only wait for load whole module, than start to parse.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.h:
        * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
        (compileStreaming):
        (instantiateStreaming):
        * jsc.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::hasPendingPromise):
        (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
        * runtime/PromiseDeferredTimer.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyModuleValidateAsyncInternal):
        (JSC::webAssemblyCompileFunc):
        (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
        (JSC::webAssemblyModuleInstantinateAsyncInternal):
        (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
        (JSC::webAssemblyCompileStreamingInternal):
        (JSC::webAssemblyInstantiateStreamingInternal):
        (JSC::WebAssemblyPrototype::create):
        (JSC::WebAssemblyPrototype::finishCreation):
        * wasm/js/WebAssemblyPrototype.h:

2018-04-30  Saam Barati  <sbarati@apple.com>

        ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=185149
        <rdar://problem/39455917>

        Reviewed by Filip Pizlo.

        The bug was that we were deleting checks that we shouldn't have deleted.
        This patch makes a helper inside strength reduction that converts to
        a LazyJSConstant while maintaining checks, and switches users of the
        node API inside strength reduction to instead call the helper function.
        
        This patch also fixes a potential bug where StringReplace and
        StringReplaceRegExp may not preserve all their checks.


        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        LICM shouldn't hoist nodes if hoisted nodes exited in that code block
        https://bugs.webkit.org/show_bug.cgi?id=185126

        Reviewed by Saam Barati.
        
        This change is just restoring functionality that we've already had for a while. It had been
        accidentally broken due to an unrelated CodeBlock refactoring.

        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):

2018-04-30  Mark Lam  <mark.lam@apple.com>

        Apply PtrTags to the MetaAllocator and friends.
        https://bugs.webkit.org/show_bug.cgi?id=185110
        <rdar://problem/39533895>

        Reviewed by Saam Barati.

        1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
        2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
           and add a sanity check to verify that allocated code buffers are within those
           bounds.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::debugAddress):
        (JSC::LinkBuffer::code):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::findPC):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        (JSC::isJITPC):
        (JSC::performJITMemcpy):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * runtime/JSCPtrTag.h:
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move the MayBePrototype JSCell header bit to InlineTypeFlags
        https://bugs.webkit.org/show_bug.cgi?id=185143

        Reviewed by Mark Lam.

        * runtime/IndexingType.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        (JSC::JSCell::mayBePrototype const):
        (JSC::JSCell::didBecomePrototype):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::mayBePrototype):
        (JSC::TypeInfo::mergeInlineTypeFlags):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Remove unneeded exception check from String.fromCharCode
        https://bugs.webkit.org/show_bug.cgi?id=185083

        Reviewed by Mark Lam.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move StructureIsImmortal to out of line flags.
        https://bugs.webkit.org/show_bug.cgi?id=185101

        Reviewed by Saam Barati.

        This will free up a bit in the inline flags where we can move the
        isPrototype bit to. This will, in turn, free a bit for use in
        implementing copy on write butterflies.

        Also, this patch removes an assertion from Structure::typeInfo()
        that inadvertently makes the function invalid to call while
        cleaning up the vm.

        * heap/HeapCellType.cpp:
        (JSC::DefaultDestroyFunc::operator() const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::callDestructor): Deleted.
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasStaticPropertyTable):
        (JSC::TypeInfo::structureIsImmortal const):
        * runtime/Structure.h:

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove arity fixup check if the number of parameters is 1
        https://bugs.webkit.org/show_bug.cgi?id=183984

        Reviewed by Mark Lam.

        If the number of parameters is one (|this|), we never hit arity fixup check.
        We do not need to emit arity fixup check code.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use WordLock instead of std::mutex for Threading
        https://bugs.webkit.org/show_bug.cgi?id=185121

        Reviewed by Geoffrey Garen.

        ThreadGroup starts using WordLock.

        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::getLock):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        B3 should run tail duplication at the bitter end
        https://bugs.webkit.org/show_bug.cgi?id=185123

        Reviewed by Geoffrey Garen.
        
        Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
        everywhere else.
        
        The goal of this change is to allow us to run path specialization after switch lowering but
        before tail duplication.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * runtime/Options.h:

2018-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231137.
        https://bugs.webkit.org/show_bug.cgi?id=185118

        It is breaking Test262 language/expressions/multiplication
        /order-of-evaluation.js (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231137

2018-04-28  Saam Barati  <sbarati@apple.com>

        We don't model regexp effects properly
        https://bugs.webkit.org/show_bug.cgi?id=185059
        <rdar://problem/39736150>

        Reviewed by Filip Pizlo.

        RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
        the regexp is global.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-04-28  Rick Waldron  <waldron.rick@gmail.com>

        Token misspelled "tocken" in error message string
        https://bugs.webkit.org/show_bug.cgi?id=185030

        Reviewed by Saam Barati.

        * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
        (JSC::Parser<LexerType>::parseObjectRestElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseBreakStatement):
        (JSC::Parser<LexerType>::parseContinueStatement):
        (JSC::Parser<LexerType>::parseThrowStatement):
        (JSC::Parser<LexerType>::parseWithStatement):
        (JSC::Parser<LexerType>::parseSwitchStatement):
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseTryStatement):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseExpressionStatement):
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseConditionalExpression):
        (JSC::Parser<LexerType>::parseBinaryExpression):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseArrayLiteral):
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::operatorString):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):

2018-04-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support into times binary operator into LLInt and on
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int to unsigned when there is no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231131.
        https://bugs.webkit.org/show_bug.cgi?id=185112

        It is breaking Debug build due to unchecked exception
        (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231131

2018-04-27  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support into times binary operator into LLInt and on
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int to unsigned when there is no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-27  JF Bastien  <jfbastien@apple.com>

        Make the first 64 bits of JSString look like a double JSValue
        https://bugs.webkit.org/show_bug.cgi?id=185081

        Reviewed by Filip Pizlo.

        We can be clever about how we lay out JSString so that, were it
        reinterpreted as a JSValue, it would look like a double.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and16):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andw_mr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        * runtime/JSString.h:
        (JSC::JSString::JSString):

2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
        https://bugs.webkit.org/show_bug.cgi?id=185055

        Reviewed by JF Bastien.

        This patch is paving the way to emitting jscvt instruction if possible.
        To do that, we need to determine jscvt instruction is supported in the
        given CPU.

        We add a function collectCPUFeatures, which is responsible to collect
        CPU features if necessary. In Linux, we can use auxiliary vector to get
        the information without parsing /proc/cpuinfo.

        Currently, nobody calls this function. It is later called when we emit
        jscvt instruction. To make it possible, we also need to add disassembler
        support too.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerX86Common.h:

2018-04-26  Filip Pizlo  <fpizlo@apple.com>

        Also run foldPathConstants before mussing up SSA
        https://bugs.webkit.org/show_bug.cgi?id=185069

        Reviewed by Saam Barati.
        
        This isn't needed now, but will be once I implement the phase in bug 185060.
        
        This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
        Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
        be landed separately and measured separately from that phase.
        
        It's probably nice for sanity to have this and reduceStrength run before tail duplication and
        another round of reduceStrength, since that make for something that is closer to a fixpoint. But
        it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
        neutral. It all depends on what programs typically look like.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):

2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231086.

        Caused JSC test failures due to an unchecked exception.

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231086

2018-04-26  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support into times binary operator into LLInt and on
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int to unsigned when there is no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Speculative build fix for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Not reviewed.

        * runtime/JSCPtrTag.h:

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Windows build fix.

        Not reviewed.

        * runtime/Options.cpp:

2018-04-26  Jer Noble  <jer.noble@apple.com>

        WK_COCOA_TOUCH all the things.
        https://bugs.webkit.org/show_bug.cgi?id=185006
        <rdar://problem/39736025>

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:

2018-04-26  Per Arne Vollan  <pvollan@apple.com>

        Disable content filtering in minimal simulator mode
        https://bugs.webkit.org/show_bug.cgi?id=185027
        <rdar://problem/39736091>

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Intl.PluralRules
        https://bugs.webkit.org/show_bug.cgi?id=184312

        Reviewed by JF Bastien.

        Use UNumberFormat to enforce formatting, and then UPluralRules to find
        the correct plural rule for the given number. Relies on ICU v59+ for
        resolvedOptions().pluralCategories and trailing 0 detection.
        Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.h:
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
        * runtime/BigIntObject.h:
        * runtime/CommonIdentifiers.h:
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp: Added.
        (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
        (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
        (JSC::UEnumerationDeleter::operator() const):
        (JSC::IntlPluralRules::create):
        (JSC::IntlPluralRules::createStructure):
        (JSC::IntlPluralRules::IntlPluralRules):
        (JSC::IntlPluralRules::finishCreation):
        (JSC::IntlPluralRules::destroy):
        (JSC::IntlPluralRules::visitChildren):
        (JSC::IntlPRInternal::localeData):
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h: Added.
        * runtime/IntlPluralRulesConstructor.cpp: Added.
        (JSC::IntlPluralRulesConstructor::create):
        (JSC::IntlPluralRulesConstructor::createStructure):
        (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
        (JSC::IntlPluralRulesConstructor::finishCreation):
        (JSC::constructIntlPluralRules):
        (JSC::callIntlPluralRules):
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        (JSC::IntlPluralRulesConstructor::visitChildren):
        * runtime/IntlPluralRulesConstructor.h: Added.
        * runtime/IntlPluralRulesPrototype.cpp: Added.
        (JSC::IntlPluralRulesPrototype::create):
        (JSC::IntlPluralRulesPrototype::createStructure):
        (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
        (JSC::IntlPluralRulesPrototype::finishCreation):
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/IntlPluralRulesPrototype.h: Added.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/RegExpPrototype.cpp: Added inlines header.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Fix branch offsets in branchNeg32
        https://bugs.webkit.org/show_bug.cgi?id=185025

        Reviewed by Yusuke Suzuki.

        Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchNeg32):

2018-04-25  Robin Morisset  <rmorisset@apple.com>

        In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
        https://bugs.webkit.org/show_bug.cgi?id=184773
        <rdar://problem/37773612>

        Reviewed by Filip Pizlo.

        We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
        arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
        This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
        We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
        This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):

2018-04-25  Mark Lam  <mark.lam@apple.com>

        Push the definition of PtrTag down to the WTF layer.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerCodeRef.cpp:
        * assembler/MacroAssemblerCodeRef.h:
        * b3/B3MathExtras.cpp:
        * bytecode/LLIntCallLinkInfo.h:
        * disassembler/Disassembler.h:
        * ftl/FTLJITCode.cpp:
        * interpreter/InterpreterInlines.h:
        * jit/ExecutableAllocator.h:
        * jit/JITOperations.cpp:
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntPCRanges.h:
        * runtime/JSCPtrTag.h: Added.
        * runtime/NativeFunction.h:
        * runtime/PtrTag.h: Removed.
        * runtime/VMTraps.cpp:

2018-04-25  Keith Miller  <keith_miller@apple.com>

        getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
        https://bugs.webkit.org/show_bug.cgi?id=184998

        Reviewed by Saam Barati.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-04-25  Keith Miller  <keith_miller@apple.com>

        Add missing scope release to functionProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=184995

        Reviewed by Saam Barati.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
        https://bugs.webkit.org/show_bug.cgi?id=184730

        Reviewed by Mark Lam.

        Add swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM).
        And we now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.

        We also change swap(RegisterID, RegisterID) implementation to use moves and temporaries simply. This is aligned to
        ARMv7 implementation.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (JSC::MacroAssemblerARM::and32):
        (JSC::MacroAssemblerARM::lshift32):
        (JSC::MacroAssemblerARM::mul32):
        (JSC::MacroAssemblerARM::or32):
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::xor32):
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::abortWithReason):
        (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::push):
        (JSC::MacroAssemblerARM::swap):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branchPtr):
        (JSC::MacroAssemblerARM::branch32):
        (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARM::branchTest8):
        (JSC::MacroAssemblerARM::branchTest32):
        (JSC::MacroAssemblerARM::jump):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::mull32):
        (JSC::MacroAssemblerARM::branchMul32):
        (JSC::MacroAssemblerARM::patchableBranch32):
        (JSC::MacroAssemblerARM::nearCall):
        (JSC::MacroAssemblerARM::compare32):
        (JSC::MacroAssemblerARM::compare8):
        (JSC::MacroAssemblerARM::test32):
        (JSC::MacroAssemblerARM::test8):
        (JSC::MacroAssemblerARM::add64):
        (JSC::MacroAssemblerARM::load32):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::branch32WithPatch):
        (JSC::MacroAssemblerARM::storePtrWithPatch):
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        (JSC::MacroAssemblerARM::addDouble):
        (JSC::MacroAssemblerARM::divDouble):
        (JSC::MacroAssemblerARM::subDouble):
        (JSC::MacroAssemblerARM::mulDouble):
        (JSC::MacroAssemblerARM::convertInt32ToDouble):
        (JSC::MacroAssemblerARM::branchDouble):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToUint32):
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM::branchDoubleNonZero):
        (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARM::call32):
        (JSC::MacroAssemblerARM::internalCompare32):

2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>

        [WinCairo] Fix js/regexp-unicode.html crash.
        https://bugs.webkit.org/show_bug.cgi?id=184891

        Reviewed by Yusuke Suzuki.

        On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
        RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        Unconditionally save and restore RDI on 64-bit Windows.

2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>

        [GTK] Miscellaneous build cleanups
        https://bugs.webkit.org/show_bug.cgi?id=184399

        Reviewed by Žan Doberšek.

        * PlatformGTK.cmake:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        fromCharCode is missing some exception checks
        https://bugs.webkit.org/show_bug.cgi?id=184952

        Reviewed by Saam Barati.

        I also removed the pointless slow path function and moved it into the
        main function.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromCharCodeSlowCase): Deleted.

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
        https://bugs.webkit.org/show_bug.cgi?id=184923

        Reviewed by Saam Barati.
        
        If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
        (i.e. we know that the object has one of those structures), then previously we would still emit a
        switch with a case per structure along with a default case. That would mean one extra redundant
        branch to check that whatever structure we wound up with belongs to the set. In that case, we
        were already making the default case be an Oops.
        
        One possible solution would be to say that the default case being Oops means that B3 doesn't need
        to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
        be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
        seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
        trap.
        
        So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
        extra branch.
        
        This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
        it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
        read.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should know how to decay a MultiGetByOffset
        https://bugs.webkit.org/show_bug.cgi?id=159859

        Reviewed by Keith Miller.
        
        This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
        clobberize() can report a def() for MultiGetByOffset.
        
        This is a slight improvement to codegen in splay because splay is a heavy user of
        MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
        "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
        removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
        splay's time.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::remove):
        (JSC::DFG::Node::removeWithoutChecks):
        (JSC::DFG::Node::replaceWith):
        (JSC::DFG::Node::replaceWithWithoutChecks):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::replaceWith): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        Update API docs with information on which run loop the VM will use
        https://bugs.webkit.org/show_bug.cgi?id=184900
        <rdar://problem/39166054>

        Reviewed by Mark Lam.

        * API/JSContextRef.h:
        * API/JSVirtualMachine.h:

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        $vm.totalGCTime() should be a thing
        https://bugs.webkit.org/show_bug.cgi?id=184916

        Reviewed by Sam Weinig.
        
        When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
        time spent in GC to determine if the regression is because the GC got slower.
        
        This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.

        * heap/Heap.cpp:
        (JSC::Heap::runEndPhase):
        * heap/Heap.h:
        (JSC::Heap::totalGCTime const):
        * tools/JSDollarVM.cpp:
        (JSC::functionTotalGCTime):
        (JSC::JSDollarVM::finishCreation):

2018-04-23  Zalan Bujtas  <zalan@apple.com>

        [LayoutFormattingContext] Initial commit.
        https://bugs.webkit.org/show_bug.cgi?id=184896

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2018-04-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert accidental change to verbose flag.

        * dfg/DFGByteCodeParser.cpp:

2018-04-23  Filip Pizlo  <fpizlo@apple.com>

        Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.

        Rubber stamped by Saam Barati.
        
        This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
        anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
        Seems sensible to just roll it out.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parse):

2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove ModuleLoaderPrototype
        https://bugs.webkit.org/show_bug.cgi?id=184784

        Reviewed by Mark Lam.

        When we introduce ModuleLoaderPrototype, ModuleLoader may be created by users and exposed to users.
        However, the loader spec is abandoned. So we do not need to have ModuleLoaderPrototype and JSModuleLoader.
        This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::proxyRevokeStructure const):
        (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
        * runtime/JSModuleLoader.cpp:
        (JSC::moduleLoaderParseModule):
        (JSC::moduleLoaderRequestedModules):
        (JSC::moduleLoaderModuleDeclarationInstantiation):
        (JSC::moduleLoaderResolve):
        (JSC::moduleLoaderResolveSync):
        (JSC::moduleLoaderFetch):
        (JSC::moduleLoaderGetModuleNamespaceObject):
        (JSC::moduleLoaderEvaluate):
        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp: Removed.
        * runtime/ModuleLoaderPrototype.h: Removed.

2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] All API tests fail in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=184813

        Reviewed by Mark Lam.

        This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
        JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.

        * API/glib/JSCContext.cpp:
        (JSCContextExceptionHandler::JSCContextExceptionHandler):
        (JSCContextExceptionHandler::~JSCContextExceptionHandler):
        (jscContextConstructed):
        (ExceptionHandler::ExceptionHandler): Deleted.
        (ExceptionHandler::~ExceptionHandler): Deleted.

2018-04-20  Tim Horton  <timothy_horton@apple.com>

        Adjust geolocation feature flag
        https://bugs.webkit.org/show_bug.cgi?id=184856

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:

2018-04-20  Brian Burg  <bburg@apple.com>

        Web Inspector: remove some dead code in IdentifiersFactory
        https://bugs.webkit.org/show_bug.cgi?id=184839

        Reviewed by Timothy Hatcher.

        This was never used on non-Chrome ports, so the identifier always has a
        prefix of '0.'. We may change this in the future, but for now remove this.
        Using a PID for this purpose is problematic anyway.

        * inspector/IdentifiersFactory.cpp:
        (Inspector::addPrefixToIdentifier):
        (Inspector::IdentifiersFactory::createIdentifier):
        (Inspector::IdentifiersFactory::requestId):
        (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
        * inspector/IdentifiersFactory.h:

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Add the ability to use a hash for setting PtrTag enum values.
        https://bugs.webkit.org/show_bug.cgi?id=184852
        <rdar://problem/39613891>

        Reviewed by Saam Barati.

        * runtime/PtrTag.h:

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Some JSEntryPtrTags should actually be JSInternalPtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184712
        <rdar://problem/39507381>

        Reviewed by Michael Saboff.

        1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
        2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
           only when needed.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callReturnLocation):
        (JSC::CallLinkInfo::patchableJump):
        (JSC::CallLinkInfo::hotPathBegin):
        (JSC::CallLinkInfo::slowPathStart):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setCallLocations):
        (JSC::CallLinkInfo::hotPathOther):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::doneLocation):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::initialize):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::done const):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr):
        (JSC::LLInt::getExecutableAddress): Deleted.
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2018-04-18  Jer Noble  <jer.noble@apple.com>

        Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
        https://bugs.webkit.org/show_bug.cgi?id=184762

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-04-20  Daniel Bates  <dabates@apple.com>

        Remove code for compilers that did not support NSDMI for aggregates
        https://bugs.webkit.org/show_bug.cgi?id=184599

        Reviewed by Per Arne Vollan.

        Remove workaround for earlier Visual Studio versions that did not support non-static data
        member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
        and EWS bots to a newer version that supports this feature.

        * domjit/DOMJITEffect.h:
        (JSC::DOMJIT::Effect::Effect): Deleted.
        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
        * wasm/WasmFormat.h:
        (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Build fix for internal builds after r230826.
        https://bugs.webkit.org/show_bug.cgi?id=184790
        <rdar://problem/39301369>

        Not reviewed.

        * runtime/Options.cpp:
        (JSC::overrideDefaults):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::dump):

2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>

        REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
        https://bugs.webkit.org/show_bug.cgi?id=184254
        <rdar://problem/39140200>

        Reviewed by Daniel Bates.

        Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.

        * runtime/ArrayBuffer.h:
        (JSC::ArrayBufferContents::ArrayBufferContents):

2018-04-19  Mark Lam  <mark.lam@apple.com>

        Apply pointer profiling to Signal pointers.
        https://bugs.webkit.org/show_bug.cgi?id=184790
        <rdar://problem/39301369>

        Reviewed by Michael Saboff.

        1. Change stackPointer, framePointer, and instructionPointer accessors to
           be a pair of getter/setter functions.
        2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of a
           a pointer profiling variants of these accessors.
        3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).

        * JavaScriptCorePrefix.h:
        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointerImpl):
        (JSC::MachineContext::stackPointer):
        (JSC::MachineContext::setStackPointer):
        (JSC::MachineContext::framePointerImpl):
        (JSC::MachineContext::framePointer):
        (JSC::MachineContext::setFramePointer):
        (JSC::MachineContext::instructionPointerImpl):
        (JSC::MachineContext::instructionPointer):
        (JSC::MachineContext::setInstructionPointer):
        (JSC::MachineContext::linkRegisterImpl):
        (JSC::MachineContext::linkRegister):
        (JSC::MachineContext::setLinkRegister):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::takeSample):
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::VMTraps::tryInstallTrapBreakpoints):
        * tools/CodeProfiling.cpp:
        (JSC::profilingTimer):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::dump):
        (JSC::installCrashHandler):
        (JSC::SigillCrashAnalyzer::analyze):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-04-19  David Kilzer  <ddkilzer@apple.com>

        Enable Objective-C weak references
        <https://webkit.org/b/184789>
        <rdar://problem/39571716>

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        (CLANG_ENABLE_OBJC_WEAK): Enable.
        * Configurations/ToolExecutable.xcconfig:
        (CLANG_ENABLE_OBJC_ARC): Simplify.

2018-04-17  Filip Pizlo  <fpizlo@apple.com>

        The InternalFunction hierarchy should be in IsoSubspaces
        https://bugs.webkit.org/show_bug.cgi?id=184721

        Reviewed by Saam Barati.
        
        This moves InternalFunction into a IsoSubspace. It also moves all subclasses into IsoSubspaces,
        but subclasses that are the same size as InternalFunction share its subspace. I did this
        because the subclasses appear to just override methods, which are called dynamically via the
        structure or class of the object. So, I don't see a type confusion risk if UAF is used to
        allocate one kind of InternalFunction over another.

        * API/JSBase.h:
        * API/JSCallbackFunction.h:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::subspaceFor):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/IsoSubspacePerVM.cpp: Added.
        (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
        (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
        (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
        (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
        (JSC::IsoSubspacePerVM::forVM):
        * heap/IsoSubspacePerVM.h: Added.
        (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
        * runtime/Error.h:
        * runtime/ErrorConstructor.h:
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::subspaceFor):
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/JSArrayBufferConstructor.h:
        * runtime/NativeErrorConstructor.h:
        * runtime/ProxyRevoke.h:
        * runtime/RegExpConstructor.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, Fix jsc shell
        https://bugs.webkit.org/show_bug.cgi?id=184600

        WebAssembly module loading does not finish with drainMicrotasks().
        So JSNativeStdFunction's capturing variables become invalid.
        This patch fixes this issue.

        * jsc.cpp:
        (functionDollarAgentStart):
        (runWithOptions):
        (runJSC):
        (jscmain):

2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>

        REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
        https://bugs.webkit.org/show_bug.cgi?id=184725

        Reviewed by Mark Lam.

        * jit/JIT.h:

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Import tables in wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184738

        Reviewed by JF Bastien.

        This patch simply allows wasm modules to import table from wasm modules / js re-exporting.
        Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
        just works.

        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix build error and crash after PtrTag change
        https://bugs.webkit.org/show_bug.cgi?id=184732

        Reviewed by Mark Lam.

        Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
        MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
        twice with ARM-Thumb2.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Import globals from wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184736

        Reviewed by JF Bastien.

        This patch implements a feature importing globals to/from wasm modules.
        Since we are not supporting mutable globals now, we can just copy the
        global data when importing. Currently we do not support importing/exporting
        i64 globals. This will be supported once (1) mutable global bindings are
        specified and (2) BigInt based i64 importing/exporting is specified.

        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2018-04-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, fix build on ARM

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):

2018-04-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, fix build with GCC

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, reland r230697, r230720, and r230724.
        https://bugs.webkit.org/show_bug.cgi?id=184600

        With CatchScope check.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ModuleLoaderPrototype.js:
        (globalPrivate.newRegistryEntry):
        (requestInstantiate):
        (link):
        * jsc.cpp:
        (convertShebangToJSComment):
        (fillBufferWithContentsOfFile):
        (fetchModuleFromLocalFileSystem):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarAgentStart):
        (checkException):
        (runWithOptions):
        * parser/NodesAnalyzeModule.cpp:
        (JSC::ImportDeclarationNode::analyzeModule):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        (JSC::AbstractModuleRecord::resolveImport):
        (JSC::AbstractModuleRecord::link):
        (JSC::AbstractModuleRecord::evaluate):
        (JSC::identifierToJSValue): Deleted.
        * runtime/AbstractModuleRecord.h:
        (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
        (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::evaluate):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSModuleRecord.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
        * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        (JSC::createSourceBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::prepareLink):
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::WebAssemblyPrototype::instantiate):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        * wasm/js/WebAssemblyPrototype.h:

2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
        https://bugs.webkit.org/show_bug.cgi?id=184687

        Reviewed by Michael Catanzaro.

        Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implmentations for
        JSClassDefinition. This is required to implement dynamic properties that can't be added with
        jsc_class_add_property() for example to implement something like imports object in seed/gjs.

        * API/glib/JSCClass.cpp:
        (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
        can throw exceptions.
        (VTableExceptionHandler::~VTableExceptionHandler):
        (getProperty): Iterate the class chain to call get_property function.
        (setProperty): Iterate the class chain to call set_property function.
        (hasProperty): Iterate the class chain to call has_property function.
        (deleteProperty): Iterate the class chain to call delete_property function.
        (getPropertyNames): Iterate the class chain to call enumerate_properties function.
        (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
        jscClassCreate now.
        (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
        * API/glib/JSCClass.h:
        * API/glib/JSCClassPrivate.h:
        * API/glib/JSCContext.cpp:
        (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
        (jsc_context_register_class): Add JSCClassVTable parameter.
        * API/glib/JSCContext.h:
        * API/glib/JSCContextPrivate.h:
        * API/glib/JSCWrapperMap.cpp:
        (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
        * API/glib/JSCWrapperMap.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.

2018-04-17  Mark Lam  <mark.lam@apple.com>

        Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184702
        <rdar://problem/35391681>

        Reviewed by Filip Pizlo and Saam Barati.

        1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
           to take a PtrTag template argument.
        2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
        (JSC::AbstractMacroAssembler::linkJump):
        (JSC::AbstractMacroAssembler::linkPointer):
        (JSC::AbstractMacroAssembler::getLinkerAddress):
        (JSC::AbstractMacroAssembler::repatchJump):
        (JSC::AbstractMacroAssembler::repatchJumpToNop):
        (JSC::AbstractMacroAssembler::repatchNearCall):
        (JSC::AbstractMacroAssembler::repatchCompact):
        (JSC::AbstractMacroAssembler::repatchInt32):
        (JSC::AbstractMacroAssembler::repatchPointer):
        (JSC::AbstractMacroAssembler::readPointer):
        (JSC::AbstractMacroAssembler::replaceWithLoad):
        (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
        * assembler/CodeLocation.h:
        (JSC::CodeLocationCommon:: const):
        (JSC::CodeLocationCommon::CodeLocationCommon):
        (JSC::CodeLocationInstruction::CodeLocationInstruction):
        (JSC::CodeLocationLabel::CodeLocationLabel):
        (JSC::CodeLocationLabel::retagged):
        (JSC::CodeLocationLabel:: const):
        (JSC::CodeLocationJump::CodeLocationJump):
        (JSC::CodeLocationJump::retagged):
        (JSC::CodeLocationCall::CodeLocationCall):
        (JSC::CodeLocationCall::retagged):
        (JSC::CodeLocationNearCall::CodeLocationNearCall):
        (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
        (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
        (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
        (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
        (JSC::CodeLocationCommon<tag>::instructionAtOffset):
        (JSC::CodeLocationCommon<tag>::labelAtOffset):
        (JSC::CodeLocationCommon<tag>::jumpAtOffset):
        (JSC::CodeLocationCommon<tag>::callAtOffset):
        (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
        (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
        (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
        (JSC::CodeLocationCommon::labelAtOffset): Deleted.
        (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
        (JSC::CodeLocationCommon::callAtOffset): Deleted.
        (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
        (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
        (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        (JSC::LinkBuffer::patch):
        (JSC::LinkBuffer::entrypoint):
        (JSC::LinkBuffer::locationOf):
        (JSC::LinkBuffer::locationOfNearCall):
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        (JSC::LinkBuffer::trampolineAt):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):
        (JSC::MacroAssemblerARM::replaceWithJump):
        (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM::repatchCall):
        (JSC::MacroAssemblerARM::linkCall):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::readCallTarget):
        (JSC::MacroAssemblerARM64::replaceWithVMHalt):
        (JSC::MacroAssemblerARM64::replaceWithJump):
        (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::repatchCall):
        (JSC::MacroAssemblerARM64::linkCall):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::replaceWithJump):
        (JSC::MacroAssemblerARMv7::readCallTarget):
        (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::repatchCall):
        (JSC::MacroAssemblerARMv7::linkCall):
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtrBase::dumpWithName):
        (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
        (JSC::MacroAssemblerCodeRefBase::disassembly):
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
        (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
        (JSC::MacroAssemblerCodePtr::dump const): Deleted.
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
        (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
        (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
        (JSC::MacroAssemblerCodeRef::dump const): Deleted.
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
        (JSC::FunctionPtr::retagged const):
        (JSC::FunctionPtr::retaggedExecutableAddress const):
        (JSC::FunctionPtr::operator== const):
        (JSC::FunctionPtr::operator!= const):
        (JSC::ReturnAddressPtr::ReturnAddressPtr):
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
        (JSC::MacroAssemblerCodePtr::retagged const):
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodePtr::dumpWithName const):
        (JSC::MacroAssemblerCodePtr::dump const):
        (JSC::MacroAssemblerCodePtrHash::hash):
        (JSC::MacroAssemblerCodePtrHash::equal):
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
        (JSC::MacroAssemblerCodeRef::code const):
        (JSC::MacroAssemblerCodeRef::retaggedCode const):
        (JSC::MacroAssemblerCodeRef::retagged const):
        (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
        (JSC::MacroAssemblerCodeRef::disassembly const):
        (JSC::MacroAssemblerCodeRef::dump const):
        (JSC::FunctionPtr<tag>::FunctionPtr):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::readCallTarget):
        (JSC::MacroAssemblerMIPS::replaceWithJump):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::repatchCall):
        (JSC::MacroAssemblerMIPS::linkCall):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::readCallTarget):
        (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86::repatchCall):
        (JSC::MacroAssemblerX86::linkCall):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::repatchCompact):
        (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
        (JSC::MacroAssemblerX86Common::replaceWithJump):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::readCallTarget):
        (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::repatchCall):
        (JSC::MacroAssemblerX86_64::linkCall):
        * assembler/testmasm.cpp:
        (JSC::compile):
        (JSC::invoke):
        (JSC::testProbeModifiesProgramCounter):
        * b3/B3Compilation.cpp:
        (JSC::B3::Compilation::Compilation):
        * b3/B3Compilation.h:
        (JSC::B3::Compilation::code const):
        (JSC::B3::Compilation::codeRef const):
        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/B3LowerMacros.cpp:
        * b3/air/AirDisassembler.cpp:
        (JSC::B3::Air::Disassembler::dump):
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::invoke):
        (JSC::B3::testInterpreter):
        (JSC::B3::testEntrySwitchSimple):
        (JSC::B3::testEntrySwitchNoEntrySwitch):
        (JSC::B3::testEntrySwitchWithCommonPaths):
        (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
        (JSC::B3::testEntrySwitchLoop):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCaseSnippetParams.cpp:
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callReturnLocation):
        (JSC::CallLinkInfo::patchableJump):
        (JSC::CallLinkInfo::hotPathBegin):
        (JSC::CallLinkInfo::slowPathStart):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setCallLocations):
        (JSC::CallLinkInfo::hotPathOther):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::dumpInContext const):
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::customAccessorGetter const):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::create):
        (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
        (JSC::GetterSetterAccessCase::dumpImpl const):
        * bytecode/GetterSetterAccessCase.h:
        (JSC::GetterSetterAccessCase::customAccessor const):
        (): Deleted.
        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfo::initialize):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/InlineAccess.h:
        * bytecode/JumpTable.h:
        (JSC::StringJumpTable::ctiForValue):
        (JSC::SimpleJumpTable::ctiForValue):
        * bytecode/LLIntCallLinkInfo.h:
        (JSC::LLIntCallLinkInfo::unlink):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationResult::AccessGenerationResult):
        (JSC::AccessGenerationResult::code const):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::slowPathCallLocation):
        (JSC::StructureStubInfo::doneLocation):
        (JSC::StructureStubInfo::slowPathStartLocation):
        (JSC::StructureStubInfo::patchableJumpForIn):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::appendCatchEntrypoint):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpDisassembly):
        * dfg/DFGDriver.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::CallLinkRecord::CallLinkRecord):
        (JSC::DFG::JITCompiler::appendCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
        (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::JITFinalizer):
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGJumpReplacement.h:
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGOSREntry.h:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::OSRExit::codeLocationForRepatch const):
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
        (JSC::DFG::slowPathCall):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::appendCall):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * dfg/DFGThunks.h:
        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/ARMv7Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/Disassembler.cpp:
        (JSC::disassemble):
        (JSC::disassembleAsynchronously):
        * disassembler/Disassembler.h:
        (JSC::tryToDisassemble):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/UDis86Disassembler.h:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/X86Disassembler.cpp:
        (JSC::tryToDisassemble):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLExceptionTarget.cpp:
        (JSC::FTL::ExceptionTarget::label):
        (JSC::FTL::ExceptionTarget::jumps):
        * ftl/FTLExceptionTarget.h:
        * ftl/FTLGeneratedFunction.h:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::initializeB3Code):
        (JSC::FTL::JITCode::initializeAddressForCall):
        (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
        (JSC::FTL::JITCode::addressForCall):
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLJITCode.h:
        (JSC::FTL::JITCode::b3Code const):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::initialize):
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::patchableJump const):
        (JSC::FTL::LazySlowPath::done const):
        (JSC::FTL::LazySlowPath::stub const):
        * ftl/FTLLazySlowPathCall.h:
        (JSC::FTL::createLazyCallGenerator):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::codeLocationForRepatch const):
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::compileFTLLazySlowPath):
        * ftl/FTLPatchpointExceptionHandle.cpp:
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::SlowPathCallContext::keyWithTarget const):
        (JSC::FTL::SlowPathCallContext::makeCall):
        * ftl/FTLSlowPathCall.h:
        (JSC::FTL::callOperation):
        * ftl/FTLSlowPathCallKey.cpp:
        (JSC::FTL::SlowPathCallKey::dump const):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
        (JSC::FTL::SlowPathCallKey::callTarget const):
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        (JSC::FTL::SlowPathCallKey::hash const):
        (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::lazySlowPathGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::generateIfNecessary):
        (JSC::FTL::keyForThunk):
        (JSC::FTL::Thunks::getSlowPathCallThunk):
        (JSC::FTL::Thunks::keyForSlowPathCallThunk):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::getOpcodeID):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::callExceptionFuzz):
        (JSC::AssemblyHelpers::emitDumbVirtualCall):
        (JSC::AssemblyHelpers::debugCall):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h:
        (JSC::createJITStubRoutine):
        * jit/JIT.cpp:
        (JSC::ctiPatchCallByReturnAddress):
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        (JSC::CallRecord::CallRecord):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitMathICFast):
        (JSC::JIT::emitMathICSlow):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCode.cpp:
        (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
        (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
        (JSC::DirectJITCode::DirectJITCode):
        (JSC::DirectJITCode::initializeCodeRef):
        (JSC::DirectJITCode::addressForCall):
        (JSC::NativeJITCode::NativeJITCode):
        (JSC::NativeJITCode::initializeCodeRef):
        (JSC::NativeJITCode::addressForCall):
        * jit/JITCode.h:
        * jit/JITCodeMap.h:
        (JSC::JITCodeMap::Entry::Entry):
        (JSC::JITCodeMap::Entry::codeLocation):
        (JSC::JITCodeMap::append):
        (JSC::JITCodeMap::find const):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpDisassembly):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::finalize):
        * jit/JITInlines.h:
        (JSC::JIT::emitNakedCall):
        (JSC::JIT::emitNakedTailCall):
        (JSC::JIT::appendCallWithExceptionCheck):
        (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
        (JSC::JIT::appendCallWithCallFrameRollbackOnException):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::privateCompileHasIndexedProperty):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::JITStubRoutine):
        (JSC::JITStubRoutine::createSelfManagedRoutine):
        (JSC::JITStubRoutine::code const):
        (JSC::JITStubRoutine::asCodePtr):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        (JSC::JITThunks::ctiNativeTailCall):
        (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
        (JSC::JITThunks::ctiInternalFunctionCall):
        (JSC::JITThunks::ctiInternalFunctionConstruct):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::existingCTIStub):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        * jit/PCToCodeOriginMap.cpp:
        (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
        * jit/PCToCodeOriginMap.h:
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        * jit/PolymorphicCallStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryCacheIn):
        (JSC::repatchIn):
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::linkDirectFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/Repatch.h:
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::nativeCallGenerator):
        (JSC::nativeTailCallGenerator):
        (JSC::nativeTailCallWithoutSavedTagsGenerator):
        (JSC::nativeConstructGenerator):
        (JSC::internalFunctionCallGenerator):
        (JSC::internalFunctionConstructGenerator):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::clz32ThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::truncThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::imulThunkGenerator):
        (JSC::randomThunkGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * jit/ThunkGenerators.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getExecutableAddress):
        (JSC::LLInt::getCodePtr):
        (JSC::LLInt::getCodeRef):
        (JSC::LLInt::getCodeFunctionPtr):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * llint/LLIntThunks.cpp:
        (JSC::vmEntryToWasm):
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        (JSC::LLInt::moduleProgramEntryThunkGenerator):
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::addOSRExitSite):
        * profiler/ProfilerCompilation.h:
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS const):
        * profiler/ProfilerOSRExitSite.h:
        (JSC::Profiler::OSRExitSite::OSRExitSite):
        (JSC::Profiler::OSRExitSite::codeAddress const):
        (JSC::Profiler::OSRExitSite:: const): Deleted.
        * runtime/ExecutableBase.cpp:
        (JSC::ExecutableBase::clearCode):
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::entrypointFor):
        * runtime/NativeExecutable.cpp:
        (JSC::NativeExecutable::finishCreation):
        * runtime/NativeFunction.h:
        (JSC::TaggedNativeFunction::TaggedNativeFunction):
        (JSC::TaggedNativeFunction::operator NativeFunction):
        * runtime/PtrTag.h:
        (JSC::tagCodePtr):
        (JSC::untagCodePtr):
        (JSC::retagCodePtr):
        (JSC::tagCFunctionPtr):
        (JSC::untagCFunctionPtr):
        (JSC::nextPtrTagID): Deleted.
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setCustomValue):
        (JSC::PutPropertySlot::setCustomAccessor):
        (JSC::PutPropertySlot::customSetter const):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/VM.cpp:
        (JSC::VM::getHostFunction):
        (JSC::VM::getCTIInternalFunctionTrampolineFor):
        * runtime/VM.h:
        (JSC::VM::getCTIStub):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
        (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlan.h:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmBinding.h:
        * wasm/WasmCallee.h:
        (JSC::Wasm::Callee::entrypoint const):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
        * wasm/WasmCodeBlock.h:
        (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        * wasm/WasmFormat.h:
        * wasm/WasmInstance.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        (JSC::Wasm::Thunks::stub):
        (JSC::Wasm::Thunks::existingStub):
        * wasm/WasmThunks.h:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * wasm/js/WasmToJS.h:
        * wasm/js/WebAssemblyFunction.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
        (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::set8BitCode):
        (JSC::Yarr::YarrCodeBlock::set16BitCode):
        (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::execute):
        (JSC::Yarr::YarrCodeBlock::clear):

2018-04-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r230697, r230720, and r230724.
        https://bugs.webkit.org/show_bug.cgi?id=184717

        These caused multiple failures on the Test262 testers.
        (Requested by mlewis13 on #webkit).

        Reverted changesets:

        "[WebAssembly][Modules] Prototype wasm import"
        https://bugs.webkit.org/show_bug.cgi?id=184600
        https://trac.webkit.org/changeset/230697

        "[WebAssembly][Modules] Implement function import from wasm
        modules"
        https://bugs.webkit.org/show_bug.cgi?id=184689
        https://trac.webkit.org/changeset/230720

        "[JSC] Rename runWebAssembly to runWebAssemblySuite"
        https://bugs.webkit.org/show_bug.cgi?id=184703
        https://trac.webkit.org/changeset/230724

2018-04-17  JF Bastien  <jfbastien@apple.com>

        A put is not an ExistingProperty put when we transition a structure because of an attributes change
        https://bugs.webkit.org/show_bug.cgi?id=184706
        <rdar://problem/38871451>

        Reviewed by Saam Barati.

        When putting a property on a structure and the slot is a different
        type, the slot can't be said to have already been existing.

        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):

2018-04-17  Filip Pizlo  <fpizlo@apple.com>

        JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
        https://bugs.webkit.org/show_bug.cgi?id=184705

        Reviewed by Michael Saboff.
        
        My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
        while testing an unrelated patch, a concurrent GC thread crashed inside
        JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
        because a typed array became wasteful concurrently to the GC. So, visitChildren() read one
        mode and another vector.
        
        The fix is to lock inside visitChildren and anyone who changes those fields.
        
        I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
        this.

        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::neuter):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):

2018-04-16  Filip Pizlo  <fpizlo@apple.com>

        PutStackSinkingPhase should know that KillStack means ConflictingFlush
        https://bugs.webkit.org/show_bug.cgi?id=184672

        Reviewed by Michael Saboff.

        We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
        KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
        archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
        intentional - I don't know.

        Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
        doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
        the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
        KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailabiity uses ConflictingFlush. I think
        that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
        specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
        could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
        KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
        inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
        have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
        values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
        value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.

        This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
        them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
        its stack slot for the purpose of clobberize.

        * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
        * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
        * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
        (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):

2018-04-17  Filip Pizlo  <fpizlo@apple.com>

        JSWebAssemblyCodeBlock should be in an IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=184704

        Reviewed by Mark Lam.
        
        Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
        CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
        shortcircuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
        protection.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/js/JSWebAssemblyCodeBlock.h:

2018-04-17  Jer Noble  <jer.noble@apple.com>

        Only enable useSeparatedWXHeap on ARM64.
        https://bugs.webkit.org/show_bug.cgi?id=184697

        Reviewed by Saam Barati.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Implement function import from wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184689

        Reviewed by JF Bastien.

        This patch implements function import from wasm modules. We move function importing part
        from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
        is because linking these functions requires that all the dependent modules are created.
        While we want to move all the linking functionality from JSWebAssemblyInstance to
        WebAssemblyModuleRecord::link, we do not that in this patch.  In this patch, we move only
        function importing part because efficient compilation of WebAssembly needs to know
        the type of WebAssemblyMemory (signaling or bound checking). This needs to know imported
        or attached WebAssembly memory object. So we cannot defer this linking to
        WebAssemblyModuleRecord::link now.

        The largest difference from JS module linking is that WebAssembly module linking links
        function from the module by snapshotting. When you have a cyclic module graph like this,

        -> JS1 (export "fun") -> Wasm1 (import "fun from JS1) -+
            ^                                                  |
            +--------------------------------------------------+

        we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
        is described in [1], and tested in this patch.

        [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (functionDollarAgentStart):
        (checkException):
        (runWithOptions):
        Small fixes for wasm module loading.

        * parser/NodesAnalyzeModule.cpp:
        (JSC::ImportDeclarationNode::analyzeModule):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::resolveImport):
        (JSC::AbstractModuleRecord::link):
        * runtime/AbstractModuleRecord.h:
        (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
        (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
        Now, wasm modules can have import which is named "*". So this function does not work.
        Since wasm modules never have namespace importing, we check this in JS's module analyzer.

        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::instantiateDeclarations):
        * wasm/WasmCreationMode.h: Added.
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::WebAssemblyPrototype::instantiate):
        (JSC::webAssemblyInstantiateFunc):

2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>

        Implement setupArgumentsImpl for ARM and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=183786

        Reviewed by Yusuke Suzuki.

        Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling convention. Added
        numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
        registers used for 64-bit values on 32-bit architectures. numCrossSources
        keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::moveDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::moveDouble):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupStubCrossArgs):
        (JSC::CCallHelpers::ArgCollection::ArgCollection):
        (JSC::CCallHelpers::ArgCollection::pushRegArg):
        (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
        (JSC::CCallHelpers::ArgCollection::addGPRArg):
        (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
        (JSC::CCallHelpers::ArgCollection::addStackArg):
        (JSC::CCallHelpers::ArgCollection::addPoke):
        (JSC::CCallHelpers::ArgCollection::argCount):
        (JSC::CCallHelpers::calculatePokeOffset):
        (JSC::CCallHelpers::pokeForArgument):
        (JSC::CCallHelpers::stackAligned):
        (JSC::CCallHelpers::marshallArgumentRegister):
        (JSC::CCallHelpers::setupArgumentsImpl):
        (JSC::CCallHelpers::pokeArgumentsAligned):
        (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
        (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
        (JSC::CCallHelpers::setupArguments):
        * jit/FPRInfo.h:
        (JSC::FPRInfo::toArgumentRegister):

2018-04-17  Saam Barati  <sbarati@apple.com>

        Add system trace points for process launch and for initializeWebProcess
        https://bugs.webkit.org/show_bug.cgi?id=184669

        Reviewed by Simon Fraser.

        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):

2018-04-17  Jer Noble  <jer.noble@apple.com>

        Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
        https://bugs.webkit.org/show_bug.cgi?id=184602

        Reviewed by Beth Dakin.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to clear JSCContext uncaught exception
        https://bugs.webkit.org/show_bug.cgi?id=184685

        Reviewed by Žan Doberšek.

        Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.

        * API/glib/JSCContext.cpp:
        (jsc_context_clear_exception):
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to query, delete and enumerate properties
        https://bugs.webkit.org/show_bug.cgi?id=184647

        Reviewed by Michael Catanzaro.

        Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().

        * API/glib/JSCValue.cpp:
        (jsc_value_object_has_property):
        (jsc_value_object_delete_property):
        (jsc_value_object_enumerate_properties):
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Prototype wasm import
        https://bugs.webkit.org/show_bug.cgi?id=184600

        Reviewed by JF Bastien.

        This patch is an initial attempt to implement Wasm loading in module pipeline.
        Currently,

        1. We only support Wasm loading in the JSC shell. Once loading mechanism is specified
           in whatwg HTML, we should integrate this into WebCore.

        2. We only support exporting values from Wasm. Wasm module cannot import anything from
           the other modules now.

        When loading a file, JSC shell checks wasm magic. If the wasm magic is found, JSC shell
        loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and
        module loader pipeline just handles it as the same to JS. When parsing a module, we
        checks the type of JSSourceCode. If the source code is Wasm source code, we create a
        WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
        AbstractModuleRecord and Wasm module is instantiated, linked, and evaluated.

        * builtins/ModuleLoaderPrototype.js:
        (globalPrivate.newRegistryEntry):
        (requestInstantiate):
        (link):
        * jsc.cpp:
        (convertShebangToJSComment):
        (fillBufferWithContentsOfFile):
        (fetchModuleFromLocalFileSystem):
        (GlobalObject::moduleLoaderFetch):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        (JSC::AbstractModuleRecord::link):
        (JSC::AbstractModuleRecord::evaluate):
        (JSC::identifierToJSValue): Deleted.
        * runtime/AbstractModuleRecord.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::evaluate):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSModuleRecord.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        (JSC::createSourceBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::prepareLink):
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::WebAssemblyPrototype::instantiate):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        * wasm/js/WebAssemblyPrototype.h:

2018-04-14  Filip Pizlo  <fpizlo@apple.com>

        Function.prototype.caller shouldn't return generator bodies
        https://bugs.webkit.org/show_bug.cgi?id=184630

        Reviewed by Yusuke Suzuki.
        
        Function.prototype.caller no longer returns generator bodies. Those are meant to be
        private.
        
        Also added some builtin debugging tools so that it's easier to do the investigation that I
        did.

        * builtins/BuiltinNames.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::callerGetter):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncBuiltinDescribe):
        * runtime/JSGlobalObjectFunctions.h:

2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove duplicate 32bit ProfileType implementation
        https://bugs.webkit.org/show_bug.cgi?id=184536

        Reviewed by Saam Barati.

        This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileProfileType):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfUndefined):
        (JSC::AssemblyHelpers::branchIfNull):

2018-04-12  Mark Lam  <mark.lam@apple.com>

        Consolidate some PtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184552
        <rdar://problem/39389404>

        Reviewed by Filip Pizlo.

        Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
        Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::repatchNearCall):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::readCallTarget):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::readCallTarget):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::readCallTarget):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::readCallTarget):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitDumbVirtualCall):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCode.cpp:
        (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
        (JSC::NativeJITCode::addressForCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitNakedCall):
        (JSC::JIT::emitNakedTailCall):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::linkPolymorphicCall):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        (JSC::LLInt::moduleProgramEntryThunkGenerator):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/NativeExecutable.cpp:
        (JSC::NativeExecutable::finishCreation):
        * runtime/NativeFunction.h:
        (JSC::TaggedNativeFunction::TaggedNativeFunction):
        (JSC::TaggedNativeFunction::operator NativeFunction):
        * runtime/PtrTag.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunction.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE] Move libWPEWebInspectorResources.so to pkglibdir
        https://bugs.webkit.org/show_bug.cgi?id=184379

        Reviewed by Žan Doberšek.

        Load the module from the new location.

        * PlatformWPE.cmake:
        * inspector/remote/glib/RemoteInspectorUtils.cpp:
        (Inspector::backendCommands):

2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove compileBigIntEquality in DFG 32bit
        https://bugs.webkit.org/show_bug.cgi?id=184535

        Reviewed by Saam Barati.

        We can have the unified implementation for compileBigIntEquality.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.

2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE] Improve include hierarchy
        https://bugs.webkit.org/show_bug.cgi?id=184376

        Reviewed by Žan Doberšek.

        Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
        /usr/include/wpe-0.1/WPE/jsc.

        * PlatformWPE.cmake:

2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Handle strings containing null characters
        https://bugs.webkit.org/show_bug.cgi?id=184450

        Reviewed by Michael Catanzaro.

        We should be able to evaluate scripts containing null characters and to handle strings that contains them
        too. In JavaScript strings are not null-terminated, they can contain null characters. This patch adds a length
        parameter to jsc_context_valuate() to pass the script length (or -1 if it's null terminated), and new functions
        jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
        contain null characters.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create): Add a create constructor that takes the String.
        * API/OpaqueJSString.h:
        (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
        * API/glib/JSCContext.cpp:
        (jsc_context_evaluate): Add length parameter.
        (jsc_context_evaluate_with_source_uri): Ditto.
        * API/glib/JSCContext.h:
        * API/glib/JSCValue.cpp:
        (jsc_value_new_string_from_bytes):
        (jsc_value_to_string):
        (jsc_value_to_string_as_bytes):
        (jsc_value_object_is_instance_of): Pass length to evaluate.
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
        https://bugs.webkit.org/show_bug.cgi?id=184500

        Reviewed by Mark Lam.

        Instead of passing JSValue::JSCellTag to callOperation meta-program to convert
        JSCell GPR to EncodedJSValue in 32bit code, we add CallHelpers::CellValue.
        It is a wrapper for GPRReg, like TrustedImmPtr for pointer value. When poking
        CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
        poke held GPR. The benefit from this CellValue is that we can use the same code
        for 32bit and 64bit. This patch removes several ifdefs.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::CellValue::CellValue):
        (JSC::CCallHelpers::CellValue::gpr const):
        (JSC::CCallHelpers::setupArgumentsImpl):

2018-04-11  Mark Lam  <mark.lam@apple.com>

        [Build fix] Replace CompactJITCodeMap with JITCodeMap.
        https://bugs.webkit.org/show_bug.cgi?id=184512
        <rdar://problem/35391728>

        Not reviewed.

        * bytecode/CodeBlock.h:
        * jit/JITCodeMap.h:

2018-04-11  Mark Lam  <mark.lam@apple.com>

        Replace CompactJITCodeMap with JITCodeMap.
        https://bugs.webkit.org/show_bug.cgi?id=184512
        <rdar://problem/35391728>

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setJITCodeMap):
        (JSC::CodeBlock::jitCodeMap const):
        (JSC::CodeBlock::jitCodeMap): Deleted.
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/CompactJITCodeMap.h: Removed.
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITCodeMap.h: Added.
        (JSC::JITCodeMap::Entry::Entry):
        (JSC::JITCodeMap::Entry::bytecodeIndex const):
        (JSC::JITCodeMap::Entry::codeLocation):
        (JSC::JITCodeMap::append):
        (JSC::JITCodeMap::finish):
        (JSC::JITCodeMap::find const):
        (JSC::JITCodeMap::operator bool const):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove CompareSlowPathGenerator
        https://bugs.webkit.org/show_bug.cgi?id=184492

        Reviewed by Mark Lam.

        Now CompareSlowPathGenerator is just calling a specified function.
        This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.

        We also remove some of unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
        introducing a new constructor for GPRTemporary.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCompareSlowPathGenerator.h: Removed.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
        (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
        (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
        (JSC::DFG::SpeculativeJIT::compileIsObject):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):

2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for 32bit
        https://bugs.webkit.org/show_bug.cgi?id=184236

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):

2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove duplicate 32bit code more
        https://bugs.webkit.org/show_bug.cgi?id=184236

        Reviewed by Mark Lam.

        Remove duplicate 32bit code more aggressively part 2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCompareSlowPathGenerator.h: Added.
        (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
        Drop boxing part. Use unblessedBooleanResult in DFGSpeculativeJIT side instead.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
        (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
        (JSC::DFG::SpeculativeJIT::compileIsObject):
        (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
        (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
        (JSC::DFG::SpeculativeJIT::compilePutById):
        (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
        (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
        (): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        operationHasIndexedPropertyByInt starts returning unblessed boolean with size_t.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::loadValue):
        (JSC::AssemblyHelpers::selectScratchGPR):
        (JSC::AssemblyHelpers::constructRegisterSet):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::setAny):
        Clean up selectScratchGPR code to pass JSValueRegs.

2018-04-10  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Add support for BigInt in SpeculatedType
        https://bugs.webkit.org/show_bug.cgi?id=182470

        Reviewed by Saam Barati.

        This patch introduces the SpecBigInt type to DFG to enable BigInt
        speculation into DFG and FTL.

        With SpecBigInt introduction, we can then specialize "===" operations
        to BigInts. As we are doing for some cells, we first check if operands
        are pointing to the same JSCell, and if it is false, we
        fallback to "operationCompareStrictEqCell". The idea in further
        patches is to implement BigInt equality check directly in
        assembly.

        We are also adding support for BigInt constant folding into
        TypeOf operation.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromStructure):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        (JSC::isBigIntSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToThis):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        * dfg/DFGInferredTypeCheck.cpp:
        (JSC::DFG::insertInferredTypeCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBigInt):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateBigInt):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
        (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::branchIfNotType):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfBigInt):
        (JSC::AssemblyHelpers::branchIfNotBigInt):
        * runtime/InferredType.cpp:
        (JSC::InferredType::Descriptor::forValue):
        (JSC::InferredType::Descriptor::putByIdFlags const):
        (JSC::InferredType::Descriptor::merge):
        (WTF::printInternal):
        * runtime/InferredType.h:
        * runtime/JSBigInt.h:

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop build.

        * dfg/DFGAbstractInterpreterClobberState.cpp:

2018-04-10  Mark Lam  <mark.lam@apple.com>

        Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
        https://bugs.webkit.org/show_bug.cgi?id=184464
        <rdar://problem/39323947>

        Reviewed by Saam Barati.

        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassToIndex):

2018-04-09  Filip Pizlo  <fpizlo@apple.com>

        DFG AI and clobberize should agree with each other
        https://bugs.webkit.org/show_bug.cgi?id=184440

        Reviewed by Saam Barati.
        
        One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
        agree with each other. That's what this patch does: it adds an assertion that AI's structure
        state tracking must be equivalent to JSCell_structureID being clobbered.
        
        One subtlety is that AI sometimes folds away structure clobbering using information that
        clobberize doesn't have. So, we track this wuth special kinds of AI states (FoldedClobber and
        ObservedTransitions).
        
        This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
        clobberize missing a write(Heap).
        
        This also makes some cases more precise in order to appease the assertion. Making things more
        precise might make things faster, but I didn't measure it because that wasn't the goal.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGAbstractInterpreterClobberState.h: Added.
        (JSC::DFG::mergeClobberStates):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::setClobberState):
        (JSC::DFG::AtTailAbstractState::mergeClobberState):
        (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGClobberSet.cpp:
        (JSC::DFG::writeSet):
        * dfg/DFGClobberSet.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::clobberState const):
        (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
        (JSC::DFG::InPlaceAbstractState::didClobber const):
        (JSC::DFG::InPlaceAbstractState::setClobberState):
        (JSC::DFG::InPlaceAbstractState::mergeClobberState):
        (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
        https://bugs.webkit.org/show_bug.cgi?id=184460
        <rdar://problem/37610966>

        Reviewed by Mark Lam.

        * bytecode/ExecutableToCodeBlockEdge.cpp:
        (JSC::ExecutableToCodeBlockEdge::visitChildren):

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
        https://bugs.webkit.org/show_bug.cgi?id=184455

        Reviewed by Michael Saboff.
        
        LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
        says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
        (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
        the thing being hoisted does have effects, then we get a crash.
        
        In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
        ComapreEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
        would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
        effectful.
        
        Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
        clobberize to also think that CompareEq(Untyped:, _) is effectful.
        
        This fixes the whole situation by teaching both clobberize and AI that the only effectful form
        of CompareEq is ComapreEq(Untyped:, Untyped:).

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-04-09  Filip Pizlo  <fpizlo@apple.com>

        Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
        https://bugs.webkit.org/show_bug.cgi?id=184372

        Reviewed by Saam Barati.
        
        We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
        have already proved, using techniques that are more precise than AI, that the edge has type
        Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
        because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
        other than a check - so we think we can call those just because we should have already
        bailed. It's better to think of them as the result of folding a check. Therefore, we should
        only do it if there had been a check to begin with.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce @putByIdDirectPrivate
        https://bugs.webkit.org/show_bug.cgi?id=184400

        Reviewed by Saam Barati.

        This patch adds @putByIdDirectPrivate() to use it for builtin JS.
        @getByIdDirectPrivate and @putByIdDirectPrivate are pair of intrinsics
        accessing to ECMAScript internal fields.

        This change removes accidental [[Put]] operation to an object whose [[Prototype]]
        has internal fields (not direct properties). By using @getByIdDirectPrivate() and
        @putByIdDirectPrivate(), we strongly keep the semantics of the ECMAScript internal
        fields that accessing to the internal fields does not traverse prototype chains.

        * builtins/ArrayIteratorPrototype.js:
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/ArrayPrototype.js:
        (globalPrivate.createArrayIterator):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (asyncGeneratorYieldAwaited):
        (globalPrivate.asyncGeneratorYield):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorResumeNext):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        * builtins/MapIteratorPrototype.js:
        (globalPrivate.mapIteratorNext):
        * builtins/MapPrototype.js:
        (globalPrivate.createMapIterator):
        * builtins/ModuleLoaderPrototype.js:
        (forceFulfillPromise):
        * builtins/PromiseOperations.js:
        (globalPrivate.newHandledRejectedPromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        (globalPrivate.initializePromise):
        * builtins/PromisePrototype.js:
        (then):
        * builtins/SetIteratorPrototype.js:
        (globalPrivate.setIteratorNext):
        * builtins/SetPrototype.js:
        (globalPrivate.createSetIterator):
        * builtins/StringIteratorPrototype.js:
        (next):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):

2018-04-09  Mark Lam  <mark.lam@apple.com>

        Decorate method table entries to support pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=184430
        <rdar://problem/39296190>

        Reviewed by Saam Barati.

        * runtime/ClassInfo.h:

2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE] Don't install JSC C API headers
        https://bugs.webkit.org/show_bug.cgi?id=184375

        Reviewed by Žan Doberšek.

        None of the functions declared in these headers are exported in WPE. Use the new jsc API
        instead.

        * PlatformWPE.cmake:

2018-04-08  Mark Lam  <mark.lam@apple.com>

        Add pointer profiling to the FTL and supporting code.
        https://bugs.webkit.org/show_bug.cgi?id=184395
        <rdar://problem/39264019>

        Reviewed by Michael Saboff and Filip Pizlo.

        * assembler/CodeLocation.h:
        (JSC::CodeLocationLabel::retagged):
        (JSC::CodeLocationJump::retagged):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::locationOf):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLExceptionTarget.cpp:
        (JSC::FTL::ExceptionTarget::label):
        (JSC::FTL::ExceptionTarget::jumps):
        * ftl/FTLExceptionTarget.h:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::~LazySlowPath):
        (JSC::FTL::LazySlowPath::initialize):
        (JSC::FTL::LazySlowPath::generate):
        (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
        * ftl/FTLLazySlowPath.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::compileFTLLazySlowPath):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::callWithoutSideEffects):