36b35a047b879097b591beae69f489bae809e589
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-03-08  Michael Saboff  <msaboff@apple.com>

        Emit code to zero the stack frame on function entry
        https://bugs.webkit.org/show_bug.cgi?id=183391

        Reviewed by Mark Lam.

        Added code to zero incoming stack frame behind a new JSC option, zeroStackFrame.
        The default setting of the option is off.

        Did some minor refactoring of the YarrJIT stack alignment code.

        * b3/air/AirCode.cpp:
        (JSC::B3::Air::defaultPrologueGenerator):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::clearStackFrame):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * llint/LowLevelInterpreter.asm:
        * runtime/Options.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
        (JSC::Yarr::YarrGenerator::initCallFrame):
        (JSC::Yarr::YarrGenerator::removeCallFrame):

2018-03-08  Keith Miller  <keith_miller@apple.com>

        Unreviewed, another attempt at fixing the Windows build.
        I guess the pragma must be outside the function...

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::clampArrayToSize):

2018-03-08  Keith Miller  <keith_miller@apple.com>

        Unreviewed, one last try at fixing the Windows build before rollout.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::clampArrayToSize):

2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize inherits<T> if T is final type
        https://bugs.webkit.org/show_bug.cgi?id=183435

        Reviewed by Mark Lam.

        If the type T is a final type (`std::is_final<T>::value == true`), there are no
        classes derived from T. It means that `jsDynamicCast<T>` only needs
        to check the given cell's `classInfo(vm)` is `T::info()`.

        This patch adds a new specialization for jsDynamicCast<T> / inherits<T> for a
        final type. And we also add `final` annotations to JS cell types in JSC. This
        offers:

        1. Readability. If the given class is annotated with `final`, we do not need to
        consider the derived classes of T.

        2. Static Checking. If your class is not intended to be used as a base class, attaching
        `final` can ensure this invariant.

        3. Performance. jsDynamicCast<T> and inherits<T> can be optimized and the code size should
        be smaller.

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create): Deleted.
        (JSC::JSCallbackConstructor::classRef const): Deleted.
        (JSC::JSCallbackConstructor::callback const): Deleted.
        (JSC::JSCallbackConstructor::createStructure): Deleted.
        (JSC::JSCallbackConstructor::constructCallback): Deleted.
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure): Deleted.
        (JSC::JSCallbackFunction::functionCallback): Deleted.
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create): Deleted.
        (JSC::JSCallbackObject::destroy): Deleted.
        (JSC::JSCallbackObject::classRef const): Deleted.
        (JSC::JSCallbackObject::getPrivateProperty const): Deleted.
        (JSC::JSCallbackObject::setPrivateProperty): Deleted.
        (JSC::JSCallbackObject::deletePrivateProperty): Deleted.
        (JSC::JSCallbackObject::visitChildren): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/ExecutableToCodeBlockEdge.h:
        (JSC::ExecutableToCodeBlockEdge::subspaceFor): Deleted.
        (JSC::ExecutableToCodeBlockEdge::codeBlock const): Deleted.
        (JSC::ExecutableToCodeBlockEdge::unwrap): Deleted.
        * bytecode/FunctionCodeBlock.h:
        (JSC::FunctionCodeBlock::subspaceFor): Deleted.
        (JSC::FunctionCodeBlock::create): Deleted.
        (JSC::FunctionCodeBlock::createStructure): Deleted.
        (JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
        * debugger/DebuggerScope.h:
        (JSC::DebuggerScope::createStructure): Deleted.
        (JSC::DebuggerScope::iterator::iterator): Deleted.
        (JSC::DebuggerScope::iterator::get): Deleted.
        (JSC::DebuggerScope::iterator::operator++): Deleted.
        (JSC::DebuggerScope::iterator::operator== const): Deleted.
        (JSC::DebuggerScope::iterator::operator!= const): Deleted.
        (JSC::DebuggerScope::isValid const): Deleted.
        (JSC::DebuggerScope::jsScope const): Deleted.
        * inspector/JSInjectedScriptHost.h:
        (Inspector::JSInjectedScriptHost::createStructure): Deleted.
        (Inspector::JSInjectedScriptHost::create): Deleted.
        (Inspector::JSInjectedScriptHost::impl const): Deleted.
        * inspector/JSInjectedScriptHostPrototype.h:
        (Inspector::JSInjectedScriptHostPrototype::create): Deleted.
        (Inspector::JSInjectedScriptHostPrototype::createStructure): Deleted.
        (Inspector::JSInjectedScriptHostPrototype::JSInjectedScriptHostPrototype): Deleted.
        * inspector/JSJavaScriptCallFrame.h:
        (Inspector::JSJavaScriptCallFrame::createStructure): Deleted.
        (Inspector::JSJavaScriptCallFrame::create): Deleted.
        (Inspector::JSJavaScriptCallFrame::impl const): Deleted.
        * inspector/JSJavaScriptCallFramePrototype.h:
        (Inspector::JSJavaScriptCallFramePrototype::create): Deleted.
        (Inspector::JSJavaScriptCallFramePrototype::createStructure): Deleted.
        (Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype): Deleted.
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create): Deleted.
        (JSC::ArrayConstructor::createStructure): Deleted.
        * runtime/ArrayIteratorPrototype.h:
        (JSC::ArrayIteratorPrototype::create): Deleted.
        (JSC::ArrayIteratorPrototype::createStructure): Deleted.
        (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype): Deleted.
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure): Deleted.
        * runtime/AsyncFromSyncIteratorPrototype.h:
        (JSC::AsyncFromSyncIteratorPrototype::createStructure): Deleted.
        * runtime/AsyncFunctionConstructor.h:
        (JSC::AsyncFunctionConstructor::create): Deleted.
        (JSC::AsyncFunctionConstructor::createStructure): Deleted.
        * runtime/AsyncFunctionPrototype.h:
        (JSC::AsyncFunctionPrototype::create): Deleted.
        (JSC::AsyncFunctionPrototype::createStructure): Deleted.
        * runtime/AsyncGeneratorFunctionConstructor.h:
        (JSC::AsyncGeneratorFunctionConstructor::create): Deleted.
        (JSC::AsyncGeneratorFunctionConstructor::createStructure): Deleted.
        * runtime/AsyncGeneratorFunctionPrototype.h:
        (JSC::AsyncGeneratorFunctionPrototype::create): Deleted.
        (JSC::AsyncGeneratorFunctionPrototype::createStructure): Deleted.
        * runtime/AsyncGeneratorPrototype.h:
        (JSC::AsyncGeneratorPrototype::create): Deleted.
        (JSC::AsyncGeneratorPrototype::createStructure): Deleted.
        (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype): Deleted.
        * runtime/AsyncIteratorPrototype.h:
        (JSC::AsyncIteratorPrototype::create): Deleted.
        (JSC::AsyncIteratorPrototype::createStructure): Deleted.
        (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype): Deleted.
        * runtime/AtomicsObject.h:
        * runtime/BigIntConstructor.h:
        (JSC::BigIntConstructor::create): Deleted.
        (JSC::BigIntConstructor::createStructure): Deleted.
        * runtime/BigIntObject.h:
        (JSC::BigIntObject::create): Deleted.
        (JSC::BigIntObject::internalValue const): Deleted.
        (JSC::BigIntObject::createStructure): Deleted.
        * runtime/BigIntPrototype.h:
        (JSC::BigIntPrototype::create): Deleted.
        (JSC::BigIntPrototype::createStructure): Deleted.
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::create): Deleted.
        (JSC::BooleanConstructor::createStructure): Deleted.
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create): Deleted.
        (JSC::BooleanPrototype::createStructure): Deleted.
        * runtime/ConsoleObject.h:
        (JSC::ConsoleObject::create): Deleted.
        (JSC::ConsoleObject::createStructure): Deleted.
        * runtime/DOMAttributeGetterSetter.h:
        (JSC::isDOMAttributeGetterSetter): Deleted.
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create): Deleted.
        (JSC::DateConstructor::createStructure): Deleted.
        * runtime/DateInstance.h:
        (JSC::DateInstance::create): Deleted.
        (JSC::DateInstance::internalNumber const): Deleted.
        (JSC::DateInstance::gregorianDateTime const): Deleted.
        (JSC::DateInstance::gregorianDateTimeUTC const): Deleted.
        (JSC::DateInstance::createStructure): Deleted.
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create): Deleted.
        (JSC::DatePrototype::createStructure): Deleted.
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): Deleted.
        (JSC::StrictModeTypeErrorFunction::create): Deleted.
        (JSC::StrictModeTypeErrorFunction::constructThrowTypeError): Deleted.
        (JSC::StrictModeTypeErrorFunction::callThrowTypeError): Deleted.
        (JSC::StrictModeTypeErrorFunction::createStructure): Deleted.
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create): Deleted.
        (JSC::ErrorConstructor::createStructure): Deleted.
        (JSC::ErrorConstructor::stackTraceLimit const): Deleted.
        * runtime/Exception.h:
        (JSC::Exception::valueOffset): Deleted.
        (JSC::Exception::value const): Deleted.
        (JSC::Exception::stack const): Deleted.
        (JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
        (JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::create): Deleted.
        (JSC::FunctionConstructor::createStructure): Deleted.
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create): Deleted.
        (JSC::FunctionPrototype::createStructure): Deleted.
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::offsetOfObjectAllocationProfile): Deleted.
        (JSC::FunctionRareData::objectAllocationProfile): Deleted.
        (JSC::FunctionRareData::objectAllocationStructure): Deleted.
        (JSC::FunctionRareData::allocationProfileWatchpointSet): Deleted.
        (JSC::FunctionRareData::isObjectAllocationProfileInitialized): Deleted.
        (JSC::FunctionRareData::internalFunctionAllocationStructure): Deleted.
        (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase): Deleted.
        (JSC::FunctionRareData::clearInternalFunctionAllocationProfile): Deleted.
        (JSC::FunctionRareData::getBoundFunctionStructure): Deleted.
        (JSC::FunctionRareData::setBoundFunctionStructure): Deleted.
        (JSC::FunctionRareData::hasReifiedLength const): Deleted.
        (JSC::FunctionRareData::setHasReifiedLength): Deleted.
        (JSC::FunctionRareData::hasReifiedName const): Deleted.
        (JSC::FunctionRareData::setHasReifiedName): Deleted.
        (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const): Deleted.
        (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): Deleted.
        (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint): Deleted.
        * runtime/GeneratorFunctionConstructor.h:
        (JSC::GeneratorFunctionConstructor::create): Deleted.
        (JSC::GeneratorFunctionConstructor::createStructure): Deleted.
        * runtime/GeneratorFunctionPrototype.h:
        (JSC::GeneratorFunctionPrototype::create): Deleted.
        (JSC::GeneratorFunctionPrototype::createStructure): Deleted.
        * runtime/GeneratorPrototype.h:
        (JSC::GeneratorPrototype::create): Deleted.
        (JSC::GeneratorPrototype::createStructure): Deleted.
        (JSC::GeneratorPrototype::GeneratorPrototype): Deleted.
        * runtime/InferredValue.h:
        (JSC::InferredValue::subspaceFor): Deleted.
        (JSC::InferredValue::inferredValue): Deleted.
        (JSC::InferredValue::state const): Deleted.
        (JSC::InferredValue::isStillValid const): Deleted.
        (JSC::InferredValue::hasBeenInvalidated const): Deleted.
        (JSC::InferredValue::add): Deleted.
        (JSC::InferredValue::notifyWrite): Deleted.
        (JSC::InferredValue::invalidate): Deleted.
        * runtime/InspectorInstrumentationObject.h:
        (JSC::InspectorInstrumentationObject::create): Deleted.
        (JSC::InspectorInstrumentationObject::createStructure): Deleted.
        * runtime/IntlCollator.h:
        (JSC::IntlCollator::boundCompare const): Deleted.
        * runtime/IntlCollatorConstructor.h:
        (JSC::IntlCollatorConstructor::collatorStructure const): Deleted.
        * runtime/IntlCollatorPrototype.h:
        * runtime/IntlDateTimeFormat.h:
        (JSC::IntlDateTimeFormat::boundFormat const): Deleted.
        * runtime/IntlDateTimeFormatConstructor.h:
        (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure const): Deleted.
        * runtime/IntlDateTimeFormatPrototype.h:
        * runtime/IntlNumberFormat.h:
        (JSC::IntlNumberFormat::boundFormat const): Deleted.
        * runtime/IntlNumberFormatConstructor.h:
        (JSC::IntlNumberFormatConstructor::numberFormatStructure const): Deleted.
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/IntlObject.h:
        * runtime/IteratorPrototype.h:
        (JSC::IteratorPrototype::create): Deleted.
        (JSC::IteratorPrototype::createStructure): Deleted.
        (JSC::IteratorPrototype::IteratorPrototype): Deleted.
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::value const): Deleted.
        (JSC::JSAPIValueWrapper::createStructure): Deleted.
        (JSC::JSAPIValueWrapper::create): Deleted.
        (JSC::JSAPIValueWrapper::finishCreation): Deleted.
        (JSC::JSAPIValueWrapper::JSAPIValueWrapper): Deleted.
        * runtime/JSArrayBufferConstructor.h:
        (JSC::JSArrayBufferConstructor::sharingMode const): Deleted.
        * runtime/JSArrayBufferPrototype.h:
        * runtime/JSAsyncFunction.h:
        (JSC::JSAsyncFunction::subspaceFor): Deleted.
        (JSC::JSAsyncFunction::allocationSize): Deleted.
        (JSC::JSAsyncFunction::createStructure): Deleted.
        * runtime/JSAsyncGeneratorFunction.h:
        (JSC::JSAsyncGeneratorFunction::subspaceFor): Deleted.
        (JSC::JSAsyncGeneratorFunction::allocationSize): Deleted.
        (JSC::JSAsyncGeneratorFunction::createStructure): Deleted.
        * runtime/JSBigInt.h:
        (JSC::JSBigInt::setSign): Deleted.
        (JSC::JSBigInt::sign const): Deleted.
        (JSC::JSBigInt::setLength): Deleted.
        (JSC::JSBigInt::length const): Deleted.
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::subspaceFor): Deleted.
        (JSC::JSBoundFunction::targetFunction): Deleted.
        (JSC::JSBoundFunction::boundThis): Deleted.
        (JSC::JSBoundFunction::boundArgs): Deleted.
        (JSC::JSBoundFunction::createStructure): Deleted.
        (JSC::JSBoundFunction::offsetOfTargetFunction): Deleted.
        (JSC::JSBoundFunction::offsetOfBoundThis): Deleted.
        * runtime/JSCast.h:
        (JSC::JSCastingHelpers::FinalTypeDispatcher::inheritsGeneric):
        (JSC::JSCastingHelpers::inheritsJSTypeImpl):
        (JSC::JSCastingHelpers::InheritsTraits::inherits):
        (JSC::JSCastingHelpers::inheritsGenericImpl): Deleted.
        * runtime/JSCustomGetterSetterFunction.cpp:
        (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
        * runtime/JSCustomGetterSetterFunction.h:
        (JSC::JSCustomGetterSetterFunction::subspaceFor): Deleted.
        (JSC::JSCustomGetterSetterFunction::createStructure): Deleted.
        (JSC::JSCustomGetterSetterFunction::customGetterSetter const): Deleted.
        (JSC::JSCustomGetterSetterFunction::isSetter const): Deleted.
        (JSC::JSCustomGetterSetterFunction::propertyName const): Deleted.
        * runtime/JSDataView.h:
        (JSC::JSDataView::possiblySharedBuffer const): Deleted.
        (JSC::JSDataView::unsharedBuffer const): Deleted.
        * runtime/JSDataViewPrototype.h:
        * runtime/JSFixedArray.h:
        (JSC::JSFixedArray::createStructure): Deleted.
        (JSC::JSFixedArray::tryCreate): Deleted.
        (JSC::JSFixedArray::create): Deleted.
        (JSC::JSFixedArray::createFromArray): Deleted.
        (JSC::JSFixedArray::get const): Deleted.
        (JSC::JSFixedArray::set): Deleted.
        (JSC::JSFixedArray::buffer): Deleted.
        (JSC::JSFixedArray::buffer const): Deleted.
        (JSC::JSFixedArray::values const): Deleted.
        (JSC::JSFixedArray::size const): Deleted.
        (JSC::JSFixedArray::length const): Deleted.
        (JSC::JSFixedArray::offsetOfSize): Deleted.
        (JSC::JSFixedArray::offsetOfData): Deleted.
        (JSC::JSFixedArray::JSFixedArray): Deleted.
        (JSC::JSFixedArray::allocationSize): Deleted.
        * runtime/JSGeneratorFunction.h:
        (JSC::JSGeneratorFunction::subspaceFor): Deleted.
        (JSC::JSGeneratorFunction::allocationSize): Deleted.
        (JSC::JSGeneratorFunction::createStructure): Deleted.
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::byteLength const): Deleted.
        (JSC::JSGenericTypedArrayView::byteSize const): Deleted.
        (JSC::JSGenericTypedArrayView::typedVector const): Deleted.
        (JSC::JSGenericTypedArrayView::typedVector): Deleted.
        (JSC::JSGenericTypedArrayView::canGetIndexQuickly): Deleted.
        (JSC::JSGenericTypedArrayView::canSetIndexQuickly): Deleted.
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue): Deleted.
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble): Deleted.
        (JSC::JSGenericTypedArrayView::getIndexQuickly): Deleted.
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue): Deleted.
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble): Deleted.
        (JSC::JSGenericTypedArrayView::setIndexQuickly): Deleted.
        (JSC::JSGenericTypedArrayView::setIndex): Deleted.
        (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
        (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion): Deleted.
        (JSC::JSGenericTypedArrayView::sort): Deleted.
        (JSC::JSGenericTypedArrayView::canAccessRangeQuickly): Deleted.
        (JSC::JSGenericTypedArrayView::createStructure): Deleted.
        (JSC::JSGenericTypedArrayView::info): Deleted.
        (JSC::JSGenericTypedArrayView::purifyArray): Deleted.
        (JSC::JSGenericTypedArrayView::sortComparison): Deleted.
        (JSC::JSGenericTypedArrayView::sortFloat): Deleted.
        * runtime/JSGenericTypedArrayViewConstructor.h:
        * runtime/JSGenericTypedArrayViewPrototype.h:
        * runtime/JSInternalPromise.h:
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSInternalPromisePrototype.h:
        * runtime/JSMapIterator.h:
        (JSC::JSMapIterator::createStructure): Deleted.
        (JSC::JSMapIterator::create): Deleted.
        (JSC::JSMapIterator::advanceIter): Deleted.
        (JSC::JSMapIterator::next): Deleted.
        (JSC::JSMapIterator::nextKeyValue): Deleted.
        (JSC::JSMapIterator::kind const): Deleted.
        (JSC::JSMapIterator::iteratedValue const): Deleted.
        (JSC::JSMapIterator::JSMapIterator): Deleted.
        (JSC::JSMapIterator::setIterator): Deleted.
        * runtime/JSModuleLoader.h:
        (JSC::JSModuleLoader::create): Deleted.
        (JSC::JSModuleLoader::createStructure): Deleted.
        * runtime/JSModuleNamespaceObject.h:
        (JSC::isJSModuleNamespaceObject): Deleted.
        * runtime/JSModuleRecord.h:
        (JSC::JSModuleRecord::sourceCode const): Deleted.
        (JSC::JSModuleRecord::declaredVariables const): Deleted.
        (JSC::JSModuleRecord::lexicalVariables const): Deleted.
        * runtime/JSNativeStdFunction.h:
        (JSC::JSNativeStdFunction::subspaceFor): Deleted.
        (JSC::JSNativeStdFunction::createStructure): Deleted.
        (JSC::JSNativeStdFunction::nativeStdFunctionCell): Deleted.
        * runtime/JSONObject.h:
        (JSC::JSONObject::create): Deleted.
        (JSC::JSONObject::createStructure): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::fillCustomGetterPropertySlot):
        * runtime/JSScriptFetchParameters.h:
        (JSC::JSScriptFetchParameters::createStructure): Deleted.
        (JSC::JSScriptFetchParameters::create): Deleted.
        (JSC::JSScriptFetchParameters::parameters const): Deleted.
        (JSC::JSScriptFetchParameters::JSScriptFetchParameters): Deleted.
        * runtime/JSScriptFetcher.h:
        (JSC::JSScriptFetcher::createStructure): Deleted.
        (JSC::JSScriptFetcher::create): Deleted.
        (JSC::JSScriptFetcher::fetcher const): Deleted.
        (JSC::JSScriptFetcher::JSScriptFetcher): Deleted.
        * runtime/JSSetIterator.h:
        (JSC::JSSetIterator::createStructure): Deleted.
        (JSC::JSSetIterator::create): Deleted.
        (JSC::JSSetIterator::advanceIter): Deleted.
        (JSC::JSSetIterator::next): Deleted.
        (JSC::JSSetIterator::kind const): Deleted.
        (JSC::JSSetIterator::iteratedValue const): Deleted.
        (JSC::JSSetIterator::JSSetIterator): Deleted.
        (JSC::JSSetIterator::setIterator): Deleted.
        * runtime/JSSourceCode.h:
        (JSC::JSSourceCode::createStructure): Deleted.
        (JSC::JSSourceCode::create): Deleted.
        (JSC::JSSourceCode::sourceCode const): Deleted.
        (JSC::JSSourceCode::JSSourceCode): Deleted.
        * runtime/JSStringIterator.h:
        (JSC::JSStringIterator::createStructure): Deleted.
        (JSC::JSStringIterator::create): Deleted.
        (JSC::JSStringIterator::JSStringIterator): Deleted.
        * runtime/JSTemplateObjectDescriptor.h:
        (JSC::isTemplateObjectDescriptor): Deleted.
        * runtime/JSTypedArrayViewConstructor.h:
        (JSC::JSTypedArrayViewConstructor::create): Deleted.
        * runtime/JSTypedArrayViewPrototype.h:
        * runtime/MapConstructor.h:
        (JSC::MapConstructor::create): Deleted.
        (JSC::MapConstructor::createStructure): Deleted.
        * runtime/MapIteratorPrototype.h:
        (JSC::MapIteratorPrototype::create): Deleted.
        (JSC::MapIteratorPrototype::createStructure): Deleted.
        (JSC::MapIteratorPrototype::MapIteratorPrototype): Deleted.
        * runtime/MapPrototype.h:
        (JSC::MapPrototype::create): Deleted.
        (JSC::MapPrototype::createStructure): Deleted.
        (JSC::MapPrototype::MapPrototype): Deleted.
        * runtime/MathObject.h:
        (JSC::MathObject::create): Deleted.
        (JSC::MathObject::createStructure): Deleted.
        * runtime/ModuleLoaderPrototype.h:
        (JSC::ModuleLoaderPrototype::create): Deleted.
        (JSC::ModuleLoaderPrototype::createStructure): Deleted.
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::create): Deleted.
        (JSC::NativeErrorConstructor::createStructure): Deleted.
        (JSC::NativeErrorConstructor::errorStructure): Deleted.
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create): Deleted.
        * runtime/NativeStdFunctionCell.h:
        (JSC::NativeStdFunctionCell::createStructure): Deleted.
        (JSC::NativeStdFunctionCell::function const): Deleted.
        * runtime/NullGetterFunction.h:
        (JSC::NullGetterFunction::create): Deleted.
        (JSC::NullGetterFunction::createStructure): Deleted.
        * runtime/NullSetterFunction.h:
        (JSC::NullSetterFunction::create): Deleted.
        (JSC::NullSetterFunction::createStructure): Deleted.
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::create): Deleted.
        (JSC::NumberConstructor::createStructure): Deleted.
        (JSC::NumberConstructor::isIntegerImpl): Deleted.
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create): Deleted.
        (JSC::NumberPrototype::createStructure): Deleted.
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create): Deleted.
        (JSC::ObjectConstructor::createStructure): Deleted.
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure): Deleted.
        * runtime/ProxyConstructor.h:
        (JSC::ProxyConstructor::createStructure): Deleted.
        * runtime/ProxyRevoke.h:
        (JSC::ProxyRevoke::createStructure): Deleted.
        (JSC::ProxyRevoke::proxy): Deleted.
        (JSC::ProxyRevoke::setProxyToNull): Deleted.
        * runtime/ReflectObject.h:
        (JSC::ReflectObject::create): Deleted.
        (JSC::ReflectObject::createStructure): Deleted.
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpConstructorDollar):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create): Deleted.
        (JSC::RegExpConstructor::createStructure): Deleted.
        (JSC::RegExpConstructor::setMultiline): Deleted.
        (JSC::RegExpConstructor::multiline const): Deleted.
        (JSC::RegExpConstructor::setInput): Deleted.
        (JSC::RegExpConstructor::input): Deleted.
        (JSC::RegExpConstructor::offsetOfCachedResult): Deleted.
        (JSC::asRegExpConstructor): Deleted.
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::create): Deleted.
        (JSC::RegExpPrototype::createStructure): Deleted.
        (JSC::RegExpPrototype::emptyRegExp const): Deleted.
        * runtime/SetConstructor.h:
        (JSC::SetConstructor::create): Deleted.
        (JSC::SetConstructor::createStructure): Deleted.
        * runtime/SetIteratorPrototype.h:
        (JSC::SetIteratorPrototype::create): Deleted.
        (JSC::SetIteratorPrototype::createStructure): Deleted.
        (JSC::SetIteratorPrototype::SetIteratorPrototype): Deleted.
        * runtime/SetPrototype.h:
        (JSC::SetPrototype::create): Deleted.
        (JSC::SetPrototype::createStructure): Deleted.
        (JSC::SetPrototype::SetPrototype): Deleted.
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create): Deleted.
        (JSC::StringConstructor::createStructure): Deleted.
        * runtime/StringIteratorPrototype.h:
        (JSC::StringIteratorPrototype::create): Deleted.
        (JSC::StringIteratorPrototype::createStructure): Deleted.
        (JSC::StringIteratorPrototype::StringIteratorPrototype): Deleted.
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure): Deleted.
        * runtime/SymbolConstructor.h:
        (JSC::SymbolConstructor::create): Deleted.
        (JSC::SymbolConstructor::createStructure): Deleted.
        * runtime/SymbolObject.h:
        (JSC::SymbolObject::create): Deleted.
        (JSC::SymbolObject::internalValue const): Deleted.
        (JSC::SymbolObject::createStructure): Deleted.
        * runtime/SymbolPrototype.h:
        (JSC::SymbolPrototype::create): Deleted.
        (JSC::SymbolPrototype::createStructure): Deleted.
        * runtime/WeakMapConstructor.h:
        (JSC::WeakMapConstructor::create): Deleted.
        (JSC::WeakMapConstructor::createStructure): Deleted.
        * runtime/WeakMapPrototype.h:
        (JSC::WeakMapPrototype::create): Deleted.
        (JSC::WeakMapPrototype::createStructure): Deleted.
        (JSC::WeakMapPrototype::WeakMapPrototype): Deleted.
        * runtime/WeakSetConstructor.h:
        (JSC::WeakSetConstructor::create): Deleted.
        (JSC::WeakSetConstructor::createStructure): Deleted.
        * runtime/WeakSetPrototype.h:
        (JSC::WeakSetPrototype::create): Deleted.
        (JSC::WeakSetPrototype::createStructure): Deleted.
        (JSC::WeakSetPrototype::WeakSetPrototype): Deleted.
        * tools/JSDollarVM.h:
        (JSC::JSDollarVM::createStructure): Deleted.
        (JSC::JSDollarVM::create): Deleted.
        (JSC::JSDollarVM::JSDollarVM): Deleted.
        * wasm/js/JSWebAssembly.h:
        * wasm/js/JSWebAssemblyCompileError.h:
        (JSC::JSWebAssemblyCompileError::create): Deleted.
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::instance): Deleted.
        (JSC::JSWebAssemblyInstance::moduleNamespaceObject): Deleted.
        (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee): Deleted.
        (JSC::JSWebAssemblyInstance::memory): Deleted.
        (JSC::JSWebAssemblyInstance::setMemory): Deleted.
        (JSC::JSWebAssemblyInstance::memoryMode): Deleted.
        (JSC::JSWebAssemblyInstance::table): Deleted.
        (JSC::JSWebAssemblyInstance::setTable): Deleted.
        (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): Deleted.
        (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee): Deleted.
        (JSC::JSWebAssemblyInstance::module const): Deleted.
        * wasm/js/JSWebAssemblyLinkError.h:
        (JSC::JSWebAssemblyLinkError::create): Deleted.
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::subspaceFor): Deleted.
        (JSC::JSWebAssemblyMemory::memory): Deleted.
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyRuntimeError.h:
        (JSC::JSWebAssemblyRuntimeError::create): Deleted.
        * wasm/js/JSWebAssemblyTable.h:
        (JSC::JSWebAssemblyTable::isValidLength): Deleted.
        (JSC::JSWebAssemblyTable::maximum const): Deleted.
        (JSC::JSWebAssemblyTable::length const): Deleted.
        (JSC::JSWebAssemblyTable::allocatedLength const): Deleted.
        (JSC::JSWebAssemblyTable::table): Deleted.
        * wasm/js/WebAssemblyCompileErrorConstructor.h:
        * wasm/js/WebAssemblyCompileErrorPrototype.h:
        * wasm/js/WebAssemblyInstanceConstructor.h:
        * wasm/js/WebAssemblyInstancePrototype.h:
        * wasm/js/WebAssemblyLinkErrorConstructor.h:
        * wasm/js/WebAssemblyLinkErrorPrototype.h:
        * wasm/js/WebAssemblyMemoryConstructor.h:
        * wasm/js/WebAssemblyMemoryPrototype.h:
        * wasm/js/WebAssemblyModuleConstructor.h:
        * wasm/js/WebAssemblyModulePrototype.h:
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.h:
        * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
        * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
        * wasm/js/WebAssemblyTableConstructor.h:
        * wasm/js/WebAssemblyTablePrototype.h:

600 2018-03-07  Filip Pizlo  <fpizlo@apple.com>
601
602         Make it possible to randomize register allocation
603         https://bugs.webkit.org/show_bug.cgi?id=183416
604
605         Reviewed by Keith Miller.
606         
607         This is disabled by default for now, because it reveals a regalloc bug in wasm.
608
609         * b3/air/AirCode.cpp:
610         (JSC::B3::Air::Code::Code):
611         * b3/air/AirCode.h:
612         (JSC::B3::Air::Code::weakRandom):
613         * runtime/Options.h:
614
615 2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>
616
617         [JSC] Add inherits<T>(VM&) leveraging JSCast fast path
618         https://bugs.webkit.org/show_bug.cgi?id=183429
619
620         Reviewed by Mark Lam.
621
622         Add new member function, JSCell::inherits<T>(VM&) and JSValue::inherits<T>(VM&).
623         They depend on the jsDynamicCast<T> implementation and leverage the JSType-based fast
624         paths defined in JSCast.h. We extract the checking part as `JSCastingHelpers::inherit`
625         and construct jsDynamicCast and JSCell::inherits based on this.
626
627         And we remove several unnecessary casting functions (asRegExpObject, asDateInstance, etc.).
628         In addition, we add a jsDynamicCast fast path for RegExpObject by using the existing RegExpObjectType.
629
630         We also fix the implementation of jsDynamicCast for JSObject since it uses LastJSCObjectType.
631         The embedder can add their extended object types after that.
632
633         * API/JSObjectRef.cpp:
634         (JSObjectGetPrivateProperty):
635         (JSObjectSetPrivateProperty):
636         (JSObjectDeletePrivateProperty):
637         * API/JSValue.mm:
638         (isDate):
639         (isArray):
640         * API/JSValueRef.cpp:
641         (JSValueIsArray):
642         (JSValueIsDate):
643         (JSValueIsObjectOfClass):
644         * API/JSWeakObjectMapRefPrivate.cpp:
645         * API/JSWrapperMap.mm:
646         (tryUnwrapObjcObject):
647         * API/ObjCCallbackFunction.mm:
648         (tryUnwrapConstructor):
649         * dfg/DFGByteCodeParser.cpp:
650         (JSC::DFG::ByteCodeParser::parseBlock):
651         * dfg/DFGOperations.cpp:
652         * ftl/FTLLowerDFGToB3.cpp:
653         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
654         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
655         * ftl/FTLOperations.cpp:
656         (JSC::FTL::operationMaterializeObjectInOSR):
657         * inspector/JSInjectedScriptHost.cpp:
658         (Inspector::JSInjectedScriptHost::subtype):
659         (Inspector::JSInjectedScriptHost::functionDetails):
660         * inspector/agents/InspectorHeapAgent.cpp:
661         (Inspector::InspectorHeapAgent::getPreview):
662         * interpreter/Interpreter.cpp:
663         (JSC::notifyDebuggerOfUnwinding):
664         * interpreter/ShadowChicken.cpp:
665         (JSC::ShadowChicken::update):
666         * jit/JIT.cpp:
667         (JSC::JIT::privateCompileMainPass):
668         * jit/JITOperations.cpp:
669         (JSC::operationNewFunctionCommon):
670         * jsc.cpp:
671         (checkException):
672         * runtime/BooleanObject.h:
673         (JSC::asBooleanObject): Deleted.
674         * runtime/BooleanPrototype.cpp:
675         (JSC::booleanProtoFuncToString):
676         (JSC::booleanProtoFuncValueOf):
677         * runtime/DateConstructor.cpp:
678         (JSC::constructDate):
679         * runtime/DateInstance.h:
680         (JSC::asDateInstance): Deleted.
681         * runtime/DatePrototype.cpp:
682         (JSC::formateDateInstance):
683         (JSC::dateProtoFuncToISOString):
684         (JSC::dateProtoFuncToLocaleString):
685         (JSC::dateProtoFuncToLocaleDateString):
686         (JSC::dateProtoFuncToLocaleTimeString):
687         (JSC::dateProtoFuncGetTime):
688         (JSC::dateProtoFuncGetFullYear):
689         (JSC::dateProtoFuncGetUTCFullYear):
690         (JSC::dateProtoFuncGetMonth):
691         (JSC::dateProtoFuncGetUTCMonth):
692         (JSC::dateProtoFuncGetDate):
693         (JSC::dateProtoFuncGetUTCDate):
694         (JSC::dateProtoFuncGetDay):
695         (JSC::dateProtoFuncGetUTCDay):
696         (JSC::dateProtoFuncGetHours):
697         (JSC::dateProtoFuncGetUTCHours):
698         (JSC::dateProtoFuncGetMinutes):
699         (JSC::dateProtoFuncGetUTCMinutes):
700         (JSC::dateProtoFuncGetSeconds):
701         (JSC::dateProtoFuncGetUTCSeconds):
702         (JSC::dateProtoFuncGetMilliSeconds):
703         (JSC::dateProtoFuncGetUTCMilliseconds):
704         (JSC::dateProtoFuncGetTimezoneOffset):
705         (JSC::dateProtoFuncSetTime):
706         (JSC::setNewValueFromTimeArgs):
707         (JSC::setNewValueFromDateArgs):
708         (JSC::dateProtoFuncSetYear):
709         (JSC::dateProtoFuncGetYear):
710         * runtime/ExceptionHelpers.cpp:
711         (JSC::isTerminatedExecutionException):
712         * runtime/FunctionPrototype.cpp:
713         (JSC::functionProtoFuncToString):
714         * runtime/InternalFunction.h:
715         (JSC::asInternalFunction):
716         * runtime/JSArray.h:
717         (JSC::asArray):
718         * runtime/JSCJSValue.cpp:
719         (JSC::JSValue::dumpForBacktrace const):
720         * runtime/JSCJSValue.h:
721         * runtime/JSCJSValueInlines.h:
722         (JSC::JSValue::inherits const):
723         * runtime/JSCast.h:
724         (JSC::JSCastingHelpers::inheritsGenericImpl):
725         (JSC::JSCastingHelpers::inheritsJSTypeImpl):
726         (JSC::JSCastingHelpers::InheritsTraits::inherits):
727         (JSC::JSCastingHelpers::inherits):
728         (JSC::jsDynamicCast):
729         (JSC::JSCastingHelpers::jsDynamicCastGenericImpl): Deleted.
730         (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl): Deleted.
731         (JSC::JSCastingHelpers::JSDynamicCastTraits::cast): Deleted.
732         * runtime/JSCell.h:
733         * runtime/JSCellInlines.h:
734         (JSC::JSCell::inherits const):
735         * runtime/JSFunction.cpp:
736         (JSC::RetrieveCallerFunctionFunctor::operator() const):
737         (JSC::JSFunction::callerGetter):
738         (JSC::JSFunction::getOwnNonIndexPropertyNames):
739         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
740         * runtime/JSGlobalObject.cpp:
741         (JSC::enqueueJob):
742         * runtime/JSGlobalObject.h:
743         (JSC::asGlobalObject): Deleted.
744         * runtime/JSInternalPromiseDeferred.cpp:
745         (JSC::JSInternalPromiseDeferred::create):
746         * runtime/JSLexicalEnvironment.h:
747         (JSC::asActivation):
748         * runtime/JSONObject.cpp:
749         (JSC::unwrapBoxedPrimitive):
750         (JSC::Stringifier::Stringifier):
751         (JSC::Walker::walk):
752         * runtime/JSPromise.cpp:
753         (JSC::JSPromise::resolve):
754         * runtime/JSPromiseDeferred.cpp:
755         (JSC::JSPromiseDeferred::create):
756         * runtime/JSType.h:
757         * runtime/ProxyObject.h:
758         (JSC::ProxyObject::create): Deleted.
759         (JSC::ProxyObject::createStructure): Deleted.
760         (JSC::ProxyObject::target const): Deleted.
761         (JSC::ProxyObject::handler const): Deleted.
762         * runtime/RegExpConstructor.cpp:
763         (JSC::constructRegExp):
764         * runtime/RegExpConstructor.h:
765         (JSC::asRegExpConstructor):
766         (JSC::isRegExp):
767         * runtime/RegExpObject.cpp:
768         (JSC::RegExpObject::finishCreation):
769         (JSC::RegExpObject::getOwnPropertySlot):
770         (JSC::RegExpObject::defineOwnProperty):
771         (JSC::regExpObjectSetLastIndexStrict):
772         (JSC::regExpObjectSetLastIndexNonStrict):
773         (JSC::RegExpObject::put):
774         * runtime/RegExpObject.h:
775         (JSC::RegExpObject::create): Deleted.
776         (JSC::RegExpObject::setRegExp): Deleted.
777         (JSC::RegExpObject::regExp const): Deleted.
778         (JSC::RegExpObject::setLastIndex): Deleted.
779         (JSC::RegExpObject::getLastIndex const): Deleted.
780         (JSC::RegExpObject::test): Deleted.
781         (JSC::RegExpObject::testInline): Deleted.
782         (JSC::RegExpObject::createStructure): Deleted.
783         (JSC::RegExpObject::offsetOfRegExp): Deleted.
784         (JSC::RegExpObject::offsetOfLastIndex): Deleted.
785         (JSC::RegExpObject::offsetOfLastIndexIsWritable): Deleted.
786         (JSC::RegExpObject::allocationSize): Deleted.
787         (JSC::asRegExpObject): Deleted.
788         * runtime/RegExpPrototype.cpp:
789         (JSC::regExpProtoFuncTestFast):
790         (JSC::regExpProtoFuncExec):
791         (JSC::regExpProtoFuncMatchFast):
792         (JSC::regExpProtoFuncCompile):
793         (JSC::regExpProtoGetterGlobal):
794         (JSC::regExpProtoGetterIgnoreCase):
795         (JSC::regExpProtoGetterMultiline):
796         (JSC::regExpProtoGetterDotAll):
797         (JSC::regExpProtoGetterSticky):
798         (JSC::regExpProtoGetterUnicode):
799         (JSC::regExpProtoGetterSource):
800         (JSC::regExpProtoFuncSearchFast):
801         (JSC::regExpProtoFuncSplitFast):
802         * runtime/StringObject.h:
803         (JSC::asStringObject): Deleted.
804         * runtime/StringPrototype.cpp:
805         (JSC::replaceUsingRegExpSearch):
806         (JSC::replace):
807         (JSC::stringProtoFuncReplaceUsingRegExp):
808         (JSC::stringProtoFuncToString):
809         * runtime/SymbolPrototype.cpp:
810         (JSC::symbolProtoFuncToString):
811         (JSC::symbolProtoFuncValueOf):
812         * tools/JSDollarVM.cpp:
813         (WTF::customGetValue):
814         (WTF::customSetValue):
815         * wasm/js/JSWebAssemblyHelpers.h:
816         (JSC::isWebAssemblyHostFunction):
817         * wasm/js/WebAssemblyWrapperFunction.cpp:
818         (JSC::WebAssemblyWrapperFunction::create):
819
820 2018-03-07  Tim Horton  <timothy_horton@apple.com>
821
822         Sort and separate FeatureDefines.xcconfig
823         https://bugs.webkit.org/show_bug.cgi?id=183427
824
825         Reviewed by Dan Bernstein.
826
827         * Configurations/FeatureDefines.xcconfig:
828         Sort and split FeatureDefines into paragraphs
829         (to make it easier to sort later).
830
831 2018-03-07  Keith Miller  <keith_miller@apple.com>
832
833         Unreviewed, fix 32-bit build.
834
835         * dfg/DFGSpeculativeJIT.cpp:
836         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
837
838 2018-03-07  Keith Miller  <keith_miller@apple.com>
839
840         Meta-program setupArguments and callOperation
841         https://bugs.webkit.org/show_bug.cgi?id=183263
842
843         Rubber-stamped by Filip Pizlo.
844
845         This patch removes all the custom overrides of callOperation and setupArguments
846         throughout the JITs. In their place there is a new setupArguments that marshalls
847         the arguments into place based on the type of the operation's function pointer.
848         There were a couple of design choices in the implementation of setupArguments:
849
850         1) We assume that no TrustedImm floating point values are passed.
851         2) If ExecState* is the first argument the callFrameRegister should be marshalled implicitly.
852         3) Types should not be implicitly converted (with the exception of DFG::RegisteredStructure -> Structure*)
853
854         The new callOperation/setupArguments do their best to make sure
855         it's hard to call a function with the wrong parameters. They will
856         only try to pattern match if the types match up with the next
857         passed argument. Additionally, the base case should static_assert
858         if the number of inferred arguments does not match the arity of
859         the operation's function pointer.
860
861         * assembler/AbstractMacroAssembler.h:
862         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
863         (JSC::AbstractMacroAssembler::TrustedImmPtr::asPtr):
864         * assembler/MacroAssembler.h:
865         (JSC::MacroAssembler::poke):
866         (JSC::MacroAssembler::move):
867         * assembler/MacroAssemblerARM64.h:
868         (JSC::MacroAssemblerARM64::swap):
869         * assembler/MacroAssemblerX86.h:
870         (JSC::MacroAssemblerX86::storeDouble):
871         * assembler/MacroAssemblerX86Common.h:
872         (JSC::MacroAssemblerX86Common::loadDouble):
873         (JSC::MacroAssemblerX86Common::swap):
874         (JSC::MacroAssemblerX86Common::move):
875         * bytecode/AccessCase.cpp:
876         (JSC::AccessCase::generateImpl):
877         * bytecode/AccessCaseSnippetParams.cpp:
878         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
879         * bytecode/PolymorphicAccess.cpp:
880         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
881         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
882         * dfg/DFGNode.h:
883         * dfg/DFGOSRExit.cpp:
884         (JSC::DFG::OSRExit::emitRestoreArguments):
885         * dfg/DFGOSRExitCompilerCommon.cpp:
886         (JSC::DFG::osrWriteBarrier):
887         * dfg/DFGOperations.cpp:
888         * dfg/DFGOperations.h:
889         * dfg/DFGSlowPathGenerator.h:
890         * dfg/DFGSpeculativeJIT.cpp:
891         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
892         (JSC::DFG::SpeculativeJIT::compileArithMod):
893         (JSC::DFG::SpeculativeJIT::compileArithRounding):
894         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
895         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
896         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
897         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
898         * dfg/DFGSpeculativeJIT.h:
899         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
900         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::operator MacroAssembler::TrustedImm const):
901         (JSC::DFG::SpeculativeJIT::initConstantInfo):
902         (JSC::DFG::SpeculativeJIT::callOperation):
903         (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
904         (JSC::DFG::SpeculativeJIT::callCustomGetter): Deleted.
905         * dfg/DFGSpeculativeJIT32_64.cpp:
906         (JSC::DFG::SpeculativeJIT::cachedGetById):
907         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
908         (JSC::DFG::SpeculativeJIT::cachedPutById):
909         (JSC::DFG::SpeculativeJIT::emitCall):
910         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
911         (JSC::DFG::SpeculativeJIT::compile):
912         * dfg/DFGSpeculativeJIT64.cpp:
913         (JSC::DFG::SpeculativeJIT::emitCall):
914         (JSC::DFG::SpeculativeJIT::compile):
915         * ftl/FTLLowerDFGToB3.cpp:
916         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
917         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
918         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
919         * ftl/FTLOSRExitCompiler.cpp:
920         (JSC::FTL::compileStub):
921         * ftl/FTLSlowPathCall.h:
922         (JSC::FTL::callOperation):
923         * jit/AssemblyHelpers.cpp:
924         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
925         * jit/CCallHelpers.cpp:
926         (JSC::CCallHelpers::ensureShadowChickenPacket):
927         * jit/CCallHelpers.h:
928         (JSC::CCallHelpers::setupArgument):
929         (JSC::CCallHelpers::setupStubArgs):
930         (JSC::CCallHelpers::ArgCollection::ArgCollection):
931         (JSC::CCallHelpers::ArgCollection::pushRegArg):
932         (JSC::CCallHelpers::ArgCollection::addGPRArg):
933         (JSC::CCallHelpers::ArgCollection::addStackArg):
934         (JSC::CCallHelpers::ArgCollection::addPoke):
935         (JSC::CCallHelpers::ArgCollection::argCount):
936         (JSC::CCallHelpers::clampArrayToSize):
937         (JSC::CCallHelpers::pokeForArgument):
938         (JSC::CCallHelpers::marshallArgumentRegister):
939         (JSC::CCallHelpers::setupArgumentsImpl):
940         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
941         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
942         (JSC::CCallHelpers::setupArguments):
943         (JSC::CCallHelpers::prepareForTailCallSlow):
944         (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
945         (JSC::CCallHelpers::resetCallArguments): Deleted.
946         (JSC::CCallHelpers::addCallArgument): Deleted.
947         (JSC::CCallHelpers::setupArgumentsExecState): Deleted.
948         (JSC::CCallHelpers::setupTwoStubArgsGPR): Deleted.
949         (JSC::CCallHelpers::setupThreeStubArgsGPR): Deleted.
950         (JSC::CCallHelpers::setupFourStubArgsGPR): Deleted.
951         (JSC::CCallHelpers::setupFiveStubArgsGPR): Deleted.
952         (JSC::CCallHelpers::setupTwoStubArgsFPR): Deleted.
953         (JSC::CCallHelpers::setupStubArguments): Deleted.
954         (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Deleted.
955         (JSC::CCallHelpers::setupStubArguments134): Deleted.
956         (JSC::CCallHelpers::setupStubArgsGPR): Deleted.
957         * jit/FPRInfo.h:
958         (JSC::toInfoFromReg):
959         * jit/GPRInfo.h:
960         (JSC::JSValueRegs::JSValueRegs):
961         (JSC::toInfoFromReg):
962         * jit/JIT.h:
963         (JSC::JIT::callOperation):
964         (JSC::JIT::callOperationWithProfile):
965         (JSC::JIT::callOperationWithResult):
966         (JSC::JIT::callOperationNoExceptionCheck):
967         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
968         * jit/JITArithmetic.cpp:
969         (JSC::JIT::emitMathICFast):
970         (JSC::JIT::emitMathICSlow):
971         * jit/JITArithmetic32_64.cpp:
972         (JSC::JIT::emit_compareAndJumpSlow):
973         * jit/JITCall32_64.cpp:
974         (JSC::JIT::compileSetupVarargsFrame):
975         * jit/JITInlines.h:
976         (JSC::JIT::callOperation): Deleted.
977         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
978         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
979         * jit/JITOpcodes.cpp:
980         (JSC::JIT::emit_op_new_array_with_size):
981         * jit/JITOpcodes32_64.cpp:
982         (JSC::JIT::emitSlow_op_instanceof):
983         (JSC::JIT::emitSlow_op_instanceof_custom):
984         (JSC::JIT::emit_op_set_function_name):
985         (JSC::JIT::emitSlow_op_eq):
986         (JSC::JIT::emitSlow_op_neq):
987         (JSC::JIT::emit_op_throw):
988         (JSC::JIT::emit_op_switch_imm):
989         (JSC::JIT::emit_op_switch_char):
990         (JSC::JIT::emit_op_switch_string):
991         (JSC::JIT::emitSlow_op_has_indexed_property):
992         * jit/JITOperations.cpp:
993         * jit/JITOperations.h:
994         * jit/JITPropertyAccess.cpp:
995         (JSC::JIT::emitGetByValWithCachedId):
996         (JSC::JIT::emitSlow_op_get_by_id):
997         (JSC::JIT::emitSlow_op_get_by_id_with_this):
998         (JSC::JIT::emitSlow_op_get_from_scope):
999         * jit/JITPropertyAccess32_64.cpp:
1000         (JSC::JIT::emit_op_put_by_index):
1001         (JSC::JIT::emit_op_put_setter_by_id):
1002         (JSC::JIT::emit_op_put_getter_setter_by_id):
1003         (JSC::JIT::emit_op_put_getter_by_val):
1004         (JSC::JIT::emit_op_put_setter_by_val):
1005         (JSC::JIT::emit_op_del_by_id):
1006         (JSC::JIT::emit_op_del_by_val):
1007         (JSC::JIT::emitGetByValWithCachedId):
1008         (JSC::JIT::emitSlow_op_get_by_val):
1009         (JSC::JIT::emitPutByValWithCachedId):
1010         (JSC::JIT::emitSlow_op_put_by_val):
1011         (JSC::JIT::emitSlow_op_try_get_by_id):
1012         (JSC::JIT::emitSlow_op_get_by_id):
1013         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1014         (JSC::JIT::emitSlow_op_put_by_id):
1015         (JSC::JIT::emitSlow_op_get_from_scope):
1016         * jit/RegisterSet.h:
1017         (JSC::RegisterSet::RegisterSet):
1018         * jit/ThunkGenerators.cpp:
1019         (JSC::throwExceptionFromCallSlowPathGenerator):
1020         (JSC::slowPathFor):
1021         * jsc.cpp:
1022         (GlobalObject::finishCreation):
1023         (functionBreakpoint):
1024         * runtime/JSCJSValue.h:
1025         * wasm/js/WasmToJS.cpp:
1026         (JSC::Wasm::wasmToJS):
1027
1028 2018-03-07  Mark Lam  <mark.lam@apple.com>
1029
1030         Rename ProtoCallFrame::arityMissMatch to hasArityMismatch.
1031         https://bugs.webkit.org/show_bug.cgi?id=183414
1032         <rdar://problem/38231678>
1033
1034         Reviewed by Michael Saboff.
1035
1036         * interpreter/ProtoCallFrame.cpp:
1037         (JSC::ProtoCallFrame::init):
1038         * interpreter/ProtoCallFrame.h:
1039
1040 2018-03-07  Mark Lam  <mark.lam@apple.com>
1041
1042         Simplify the variants of FunctionPtr constructors.
1043         https://bugs.webkit.org/show_bug.cgi?id=183399
1044         <rdar://problem/38212980>
1045
1046         Reviewed by Yusuke Suzuki.
1047
1048         * assembler/MacroAssemblerCodeRef.h:
1049         (JSC::FunctionPtr::FunctionPtr):
1050
1051 2018-03-06  Filip Pizlo  <fpizlo@apple.com>
1052
1053         MarkedArgumentsBuffer should allocate from the JSValue Gigacage
1054         https://bugs.webkit.org/show_bug.cgi?id=183377
1055
1056         Reviewed by Michael Saboff.
1057         
1058         That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.
1059
1060         * runtime/ArgList.cpp:
1061         (JSC::MarkedArgumentBuffer::expandCapacity):
1062
1063 2018-03-07  Mark Lam  <mark.lam@apple.com>
1064
1065         Add support for ARM64E.
1066         https://bugs.webkit.org/show_bug.cgi?id=183398
1067         <rdar://problem/38212621>
1068
1069         Reviewed by Michael Saboff.
1070
1071         * assembler/MacroAssembler.h:
1072         * llint/LLIntOfflineAsmConfig.h:
1073         * llint/LowLevelInterpreter.asm:
1074         * llint/LowLevelInterpreter64.asm:
1075         * offlineasm/backends.rb:
1076
1077 2018-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1078
1079         HTML `pattern` attribute should set `u` flag for regular expressions
1080         https://bugs.webkit.org/show_bug.cgi?id=151598
1081
1082         Reviewed by Chris Dumez.
1083
1084         Add UnicodeMode for JSC::Yarr::RegularExpression.
1085
1086         * yarr/RegularExpression.cpp:
1087         (JSC::Yarr::RegularExpression::Private::create):
1088         (JSC::Yarr::RegularExpression::Private::Private):
1089         (JSC::Yarr::RegularExpression::Private::compile):
1090         (JSC::Yarr::RegularExpression::RegularExpression):
1091         * yarr/RegularExpression.h:
1092
1093 2018-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1094
1095         [JSC] Add more JSType based fast path for jsDynamicCast
1096         https://bugs.webkit.org/show_bug.cgi?id=183403
1097
1098         Reviewed by Mark Lam.
1099
1100         We add more JSType-based fast paths for jsDynamicCast. Basically, we add miscellaneous JSTypes which
1101         are used for jsDynamicCast in JSC, arguments types, and scope types.
1102
1103         We also add ClassInfo to JSScope and JSSegmentedVariableObject since they are used with jsDynamicCast.
1104
1105         * jit/JITOperations.cpp:
1106         * llint/LLIntSlowPaths.cpp:
1107         (JSC::LLInt::setUpCall):
1108         * runtime/ClonedArguments.h:
1109         (JSC::ClonedArguments::specialsMaterialized const): Deleted.
1110         * runtime/DirectArguments.h:
1111         (JSC::DirectArguments::subspaceFor): Deleted.
1112         (JSC::DirectArguments::internalLength const): Deleted.
1113         (JSC::DirectArguments::length const): Deleted.
1114         (JSC::DirectArguments::isMappedArgument const): Deleted.
1115         (JSC::DirectArguments::isMappedArgumentInDFG const): Deleted.
1116         (JSC::DirectArguments::getIndexQuickly const): Deleted.
1117         (JSC::DirectArguments::setIndexQuickly): Deleted.
1118         (JSC::DirectArguments::callee): Deleted.
1119         (JSC::DirectArguments::argument): Deleted.
1120         (JSC::DirectArguments::overrodeThings const): Deleted.
1121         (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
1122         (JSC::DirectArguments::setModifiedArgumentDescriptor): Deleted.
1123         (JSC::DirectArguments::isModifiedArgumentDescriptor): Deleted.
1124         (JSC::DirectArguments::offsetOfCallee): Deleted.
1125         (JSC::DirectArguments::offsetOfLength): Deleted.
1126         (JSC::DirectArguments::offsetOfMinCapacity): Deleted.
1127         (JSC::DirectArguments::offsetOfMappedArguments): Deleted.
1128         (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor): Deleted.
1129         (JSC::DirectArguments::storageOffset): Deleted.
1130         (JSC::DirectArguments::offsetOfSlot): Deleted.
1131         (JSC::DirectArguments::allocationSize): Deleted.
1132         (JSC::DirectArguments::storage): Deleted.
1133         * runtime/JSCast.h:
1134         * runtime/JSGlobalLexicalEnvironment.h:
1135         (JSC::JSGlobalLexicalEnvironment::create): Deleted.
1136         (JSC::JSGlobalLexicalEnvironment::isEmpty const): Deleted.
1137         (JSC::JSGlobalLexicalEnvironment::createStructure): Deleted.
1138         (JSC::JSGlobalLexicalEnvironment::JSGlobalLexicalEnvironment): Deleted.
1139         * runtime/JSGlobalObject.cpp:
1140         (JSC::JSGlobalObject::finishCreation):
1141         * runtime/JSMap.h:
1142         (JSC::isJSMap): Deleted.
1143         * runtime/JSModuleEnvironment.h:
1144         (JSC::JSModuleEnvironment::create): Deleted.
1145         (JSC::JSModuleEnvironment::createStructure): Deleted.
1146         (JSC::JSModuleEnvironment::offsetOfModuleRecord): Deleted.
1147         (JSC::JSModuleEnvironment::allocationSize): Deleted.
1148         (JSC::JSModuleEnvironment::moduleRecord): Deleted.
1149         (JSC::JSModuleEnvironment::moduleRecordSlot): Deleted.
1150         * runtime/JSObject.cpp:
1151         (JSC::canDoFastPutDirectIndex):
1152         (JSC::JSObject::defineOwnIndexedProperty):
1153         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1154         * runtime/JSObject.h:
1155         (JSC::JSFinalObject::allocationSize): Deleted.
1156         (JSC::JSFinalObject::typeInfo): Deleted.
1157         (JSC::JSFinalObject::defaultInlineCapacity): Deleted.
1158         (JSC::JSFinalObject::maxInlineCapacity): Deleted.
1159         (JSC::JSFinalObject::createStructure): Deleted.
1160         (JSC::JSFinalObject::finishCreation): Deleted.
1161         (JSC::JSFinalObject::JSFinalObject): Deleted.
1162         (JSC::isJSFinalObject): Deleted.
1163         * runtime/JSScope.cpp:
1164         * runtime/JSScope.h:
1165         * runtime/JSSegmentedVariableObject.cpp:
1166         * runtime/JSSegmentedVariableObject.h:
1167         * runtime/JSSet.h:
1168         (JSC::isJSSet): Deleted.
1169         * runtime/JSType.h:
1170         * runtime/JSWeakMap.h:
1171         (JSC::isJSWeakMap): Deleted.
1172         * runtime/JSWeakSet.h:
1173         (JSC::isJSWeakSet): Deleted.
1174         * runtime/JSWithScope.h:
1175         (JSC::JSWithScope::object): Deleted.
1176         * runtime/MapConstructor.cpp:
1177         (JSC::constructMap):
1178         (JSC::mapPrivateFuncMapBucketHead):
1179         * runtime/MapPrototype.cpp:
1180         (JSC::getMap):
1181         * runtime/NumberObject.cpp:
1182         (JSC::NumberObject::finishCreation):
1183         * runtime/NumberPrototype.cpp:
1184         (JSC::toThisNumber):
1185         (JSC::numberProtoFuncToExponential):
1186         (JSC::numberProtoFuncToFixed):
1187         (JSC::numberProtoFuncToPrecision):
1188         (JSC::numberProtoFuncToString):
1189         (JSC::numberProtoFuncToLocaleString):
1190         (JSC::numberProtoFuncValueOf):
1191         * runtime/ObjectConstructor.cpp:
1192         (JSC::objectConstructorSeal):
1193         (JSC::objectConstructorFreeze):
1194         (JSC::objectConstructorIsSealed):
1195         (JSC::objectConstructorIsFrozen):
1196         * runtime/ProxyObject.cpp:
1197         (JSC::ProxyObject::finishCreation):
1198         * runtime/ScopedArguments.h:
1199         (JSC::ScopedArguments::subspaceFor): Deleted.
1200         (JSC::ScopedArguments::internalLength const): Deleted.
1201         (JSC::ScopedArguments::length const): Deleted.
1202         (JSC::ScopedArguments::isMappedArgument const): Deleted.
1203         (JSC::ScopedArguments::isMappedArgumentInDFG const): Deleted.
1204         (JSC::ScopedArguments::getIndexQuickly const): Deleted.
1205         (JSC::ScopedArguments::setIndexQuickly): Deleted.
1206         (JSC::ScopedArguments::callee): Deleted.
1207         (JSC::ScopedArguments::overrodeThings const): Deleted.
1208         (JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
1209         (JSC::ScopedArguments::setModifiedArgumentDescriptor): Deleted.
1210         (JSC::ScopedArguments::isModifiedArgumentDescriptor): Deleted.
1211         (JSC::ScopedArguments::offsetOfOverrodeThings): Deleted.
1212         (JSC::ScopedArguments::offsetOfTotalLength): Deleted.
1213         (JSC::ScopedArguments::offsetOfTable): Deleted.
1214         (JSC::ScopedArguments::offsetOfScope): Deleted.
1215         (JSC::ScopedArguments::overflowStorageOffset): Deleted.
1216         (JSC::ScopedArguments::allocationSize): Deleted.
1217         (JSC::ScopedArguments::overflowStorage const): Deleted.
1218         * runtime/SetConstructor.cpp:
1219         (JSC::constructSet):
1220         (JSC::setPrivateFuncSetBucketHead):
1221         * runtime/SetPrototype.cpp:
1222         (JSC::getSet):
1223         * runtime/StrictEvalActivation.h:
1224         (JSC::StrictEvalActivation::create): Deleted.
1225         (JSC::StrictEvalActivation::createStructure): Deleted.
1226         * runtime/WeakMapPrototype.cpp:
1227         (JSC::getWeakMap):
1228         * runtime/WeakSetPrototype.cpp:
1229         (JSC::getWeakSet):
1230
1231 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
1232
1233         [ARM] offlineasm: fix indentation in armOpcodeReversedOperands
1234         https://bugs.webkit.org/show_bug.cgi?id=183400
1235
1236         Reviewed by Mark Lam.
1237
1238         * offlineasm/arm.rb:
1239
1240 2018-03-06  Mark Lam  <mark.lam@apple.com>
1241
1242         Prepare LLInt code to support pointer profiling.
1243         https://bugs.webkit.org/show_bug.cgi?id=183387
1244         <rdar://problem/38199678>
1245
1246         Reviewed by JF Bastien.
1247
1248         1. Introduced PtrTag enums for supporting pointer profiling later.
1249
1250         2. Also introduced tagging, untagging, retagging, and tag removal placeholder
1251            template functions for the same purpose.
1252
1253         3. Prepare the offlineasm for supporting pointer profiling later.
1254
1255         4. Tagged some pointers in LLInt asm code.  Currently, these should have no
1256            effect on behavior.
1257
1258         5. Removed returnToThrowForThrownException() because it is not used anywhere.
1259
1260         6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
1261            easier to view and edit these files in Xcode.
1262
1263         * CMakeLists.txt:
1264         * JavaScriptCore.xcodeproj/project.pbxproj:
1265         * bytecode/LLIntCallLinkInfo.h:
1266         (JSC::LLIntCallLinkInfo::unlink):
1267         * llint/LLIntData.cpp:
1268         (JSC::LLInt::initialize):
1269         * llint/LLIntData.h:
1270         * llint/LLIntExceptions.cpp:
1271         (JSC::LLInt::returnToThrowForThrownException): Deleted.
1272         * llint/LLIntExceptions.h:
1273         * llint/LLIntOfflineAsmConfig.h:
1274         * llint/LLIntOffsetsExtractor.cpp:
1275         * llint/LLIntPCRanges.h:
1276         (JSC::LLInt::isLLIntPC):
1277         * llint/LLIntSlowPaths.cpp:
1278         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1279         (JSC::LLInt::handleHostCall):
1280         (JSC::LLInt::setUpCall):
1281         * llint/LowLevelInterpreter.asm:
1282         * llint/LowLevelInterpreter32_64.asm:
1283         * llint/LowLevelInterpreter64.asm:
1284         * offlineasm/ast.rb:
1285         * offlineasm/instructions.rb:
1286         * offlineasm/risc.rb:
1287         * runtime/PtrTag.h: Added.
1288         (JSC::uniquePtrTagID):
1289         (JSC::ptrTag):
1290         (JSC::tagCodePtr):
1291         (JSC::untagCodePtr):
1292         (JSC::retagCodePtr):
1293         (JSC::removeCodePtrTag):
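
        The following block is an added illustration of what tagging, untagging, retagging and tag removal of a code pointer mean; it is not JSC's runtime/PtrTag.h (whose template functions are placeholders at this point in the log) and not ARM pointer authentication. It is a software model with the same four-function interface, assuming a 64-bit target with 48-bit user addresses so that the top 16 bits are free to carry a tag. The tag values, the enum names and the poison encoding are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>

// Added illustration of what tagging, untagging, retagging and tag removal
// of a code pointer mean. It is NOT JSC's runtime/PtrTag.h (whose functions
// are placeholders at this point) and NOT ARM pointer authentication; it is
// a software model with the same interface. Assumption: a 64-bit target with
// 48-bit user addresses, so the top 16 bits are free to carry a tag, which is
// the same unused space hardware PAC stores its signature in.

using PtrTag = uint16_t;

constexpr unsigned tagShift = 48;
constexpr uintptr_t addressMask = (uintptr_t(1) << tagShift) - 1;
constexpr uintptr_t poisonTag = uintptr_t(0xFFFF) << tagShift;

// Hypothetical tags: one per kind of call target, so a pointer tagged for
// one use cannot be presented as another.
enum : PtrTag { NoPtrTag = 0, CFunctionPtrTag = 0x1A2B, JITCodePtrTag = 0x3C4D };

inline PtrTag readTag(uintptr_t ptr) { return PtrTag(ptr >> tagShift); }

// A canonical user pointer has no tag bits set; anything else faults on use.
inline bool isCanonicalUserPointer(uintptr_t ptr) { return (ptr >> tagShift) == 0; }

inline uintptr_t tagCodePtr(uintptr_t ptr, PtrTag tag)
{
    return (ptr & addressMask) | (uintptr_t(tag) << tagShift);
}

// Untagging is the authentication step: the caller states which tag it
// expects. On mismatch the result is poisoned into a non-canonical address
// so a later indirect call faults instead of landing on attacker-chosen code.
inline uintptr_t untagCodePtr(uintptr_t tagged, PtrTag expected)
{
    if (readTag(tagged) != expected)
        return (tagged & addressMask) | poisonTag;
    return tagged & addressMask;
}

// Retagging authenticates with the old tag, then signs for the new use.
inline uintptr_t retagCodePtr(uintptr_t tagged, PtrTag oldTag, PtrTag newTag)
{
    uintptr_t raw = untagCodePtr(tagged, oldTag);
    if (!isCanonicalUserPointer(raw))
        return raw;  // keep the poison; never launder a failed check
    return tagCodePtr(raw, newTag);
}

// Tag removal strips without checking: only for diagnostics (symbolication,
// disassembly), never on a path that will jump to the result.
inline uintptr_t removeCodePtrTag(uintptr_t tagged) { return tagged & addressMask; }

int main()
{
    uintptr_t target = uintptr_t(0x00007f00deadbee0ULL);   // constructed sample address
    uintptr_t jit = tagCodePtr(target, JITCodePtrTag);
    std::printf("tagged:          0x%016llx\n", (unsigned long long)jit);
    std::printf("untag ok:        0x%016llx\n", (unsigned long long)untagCodePtr(jit, JITCodePtrTag));
    std::printf("untag wrong tag: 0x%016llx (canonical=%d)\n",
        (unsigned long long)untagCodePtr(jit, CFunctionPtrTag),
        isCanonicalUserPointer(untagCodePtr(jit, CFunctionPtrTag)));
    return 0;
}
```

        The point of the model is the asymmetry between untagCodePtr and removeCodePtrTag: the former is a check that must fail closed (a wrong tag yields a pointer that cannot be dereferenced), the latter is an unchecked strip that belongs only on diagnostic paths.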
1294
1295 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
1296
1297         [ARM] Assembler warnings: "use of r13 is deprecated"
1298         https://bugs.webkit.org/show_bug.cgi?id=183286
1299
1300         Reviewed by Mark Lam.
1301
1302         Usage of sp/r13 as operand Rm is deprecated on ARM. offlineasm
1303         sometimes generates assembly code that triggers this warning. Prevent
1304         this by simply switching operands.
1305
1306         * offlineasm/arm.rb:
1307
1308 2018-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1309
1310         Unreviewed, fix incorrect assertion after r229309
1311         https://bugs.webkit.org/show_bug.cgi?id=182975
1312
1313         * runtime/TypeProfilerLog.cpp:
1314         (JSC::TypeProfilerLog::TypeProfilerLog):
1315
1316 2018-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1317
1318         Fix std::make_unique / new[] using system malloc
1319         https://bugs.webkit.org/show_bug.cgi?id=182975
1320
1321         Reviewed by JF Bastien.
1322
1323         Use Vector, FAST_ALLOCATED, or UniqueArray instead.
1324
1325         * API/JSStringRefCF.cpp:
1326         (JSStringCreateWithCFString):
1327         * bytecode/BytecodeKills.h:
1328         * bytecode/BytecodeLivenessAnalysis.cpp:
1329         (JSC::BytecodeLivenessAnalysis::computeKills):
1330         * dfg/DFGDisassembler.cpp:
1331         (JSC::DFG::Disassembler::dumpDisassembly):
1332         * jit/PolymorphicCallStubRoutine.cpp:
1333         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1334         * jit/PolymorphicCallStubRoutine.h:
1335         * jit/Repatch.cpp:
1336         (JSC::linkPolymorphicCall):
1337         * jsc.cpp:
1338         (currentWorkingDirectory):
1339         * llint/LLIntData.cpp:
1340         (JSC::LLInt::initialize):
1341         * llint/LLIntData.h:
1342         * runtime/ArgList.h:
1343         * runtime/StructureChain.h:
1344         * runtime/StructureIDTable.cpp:
1345         (JSC::StructureIDTable::StructureIDTable):
1346         (JSC::StructureIDTable::resize):
1347         * runtime/StructureIDTable.h:
1348         * runtime/TypeProfilerLog.cpp:
1349         (JSC::TypeProfilerLog::TypeProfilerLog):
1350         (JSC::TypeProfilerLog::initializeLog): Deleted.
1351         * runtime/TypeProfilerLog.h:
1352         (JSC::TypeProfilerLog::TypeProfilerLog): Deleted.
1353         * runtime/VM.cpp:
1354         (JSC::VM::~VM):
1355         (JSC::VM::acquireRegExpPatternContexBuffer):
1356         * runtime/VM.h:
1357         * testRegExp.cpp:
1358         (runFromFiles):
1359         * tools/HeapVerifier.cpp:
1360         (JSC::HeapVerifier::HeapVerifier):
1361         * tools/HeapVerifier.h:
1362
1363 2018-03-05  Mark Lam  <mark.lam@apple.com>
1364
1365         JITThunk functions should only be called when the JIT is enabled.
1366         https://bugs.webkit.org/show_bug.cgi?id=183351
1367         <rdar://problem/38160091>
1368
1369         Reviewed by Keith Miller.
1370
1371         * jit/JITThunks.cpp:
1372         (JSC::JITThunks::ctiNativeCall):
1373         (JSC::JITThunks::ctiNativeConstruct):
1374         (JSC::JITThunks::ctiInternalFunctionCall):
1375         (JSC::JITThunks::ctiInternalFunctionConstruct):
1376         * runtime/VM.cpp:
1377         (JSC::VM::VM):
1378         (JSC::VM::getCTIInternalFunctionTrampolineFor):
1379
1380 2018-03-05  Mark Lam  <mark.lam@apple.com>
1381
1382         Gardening: build fix.
1383
1384         Not reviewed.
1385
1386         * interpreter/AbstractPC.h:
1387         (JSC::AbstractPC::AbstractPC):
1388
1389 2018-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1390
1391         [JSC] Use WTF::ArithmeticOperations for CLoop overflow operations
1392         https://bugs.webkit.org/show_bug.cgi?id=183324
1393
1394         Reviewed by JF Bastien.
1395
1396         We have WTF::ArithmeticOperations, which provides operations with overflow checking.
1397         This is suitable for CLoop's overflow checking operations. This patch emits
1398         WTF::ArithmeticOperations for CLoop's overflow checking operations, and they are
1399         lowered to optimized code using the CPU's overflow flag.
1400
1401         * offlineasm/cloop.rb:
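
        The following block is an added example, not WTF::ArithmeticOperations itself or the cloop.rb output: it shows the shape of overflow-checked int32 add/sub/mul that a CLoop-style interpreter needs, and why the naive `sum < lhs` check is not a substitute. It assumes GCC or Clang, whose `__builtin_*_overflow` builtins are what a compiler lowers to the CPU's overflow flag; `Checked32`, `interpretAdd` and the double-promoting slow path are hypothetical names chosen for the illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Added example, not WTF::ArithmeticOperations itself: the shape of the
// overflow-checked add/sub/mul that a CLoop-style interpreter needs.
// Assumption: GCC or Clang, which provide __builtin_*_overflow. The builtin
// computes the result in infinite precision and reports whether it fits the
// destination type, and the backend lowers that to the CPU's overflow flag
// (ADD + JO on x86, ADDS + B.VS on ARM64) instead of a widening compare.

struct Checked32 {
    int32_t value;      // meaningful only when overflowed == false
    bool overflowed;    // the "branch on overflow" condition
};

inline Checked32 checkedAdd(int32_t lhs, int32_t rhs)
{
    Checked32 r;
    r.overflowed = __builtin_add_overflow(lhs, rhs, &r.value);
    return r;
}

inline Checked32 checkedSub(int32_t lhs, int32_t rhs)
{
    Checked32 r;
    r.overflowed = __builtin_sub_overflow(lhs, rhs, &r.value);
    return r;
}

inline Checked32 checkedMul(int32_t lhs, int32_t rhs)
{
    Checked32 r;
    r.overflowed = __builtin_mul_overflow(lhs, rhs, &r.value);
    return r;
}

// What the builtins replace. Writing `int32_t sum = lhs + rhs; if (sum < lhs)`
// is not an option: signed overflow is undefined behaviour in C++, so the
// optimizer may assume it never happens and delete the check. Widening to
// int64_t is the portable fallback when the builtins are unavailable.
inline Checked32 checkedAddWidened(int32_t lhs, int32_t rhs)
{
    int64_t wide = static_cast<int64_t>(lhs) + static_cast<int64_t>(rhs);
    if (wide > INT32_MAX || wide < INT32_MIN)
        return { 0, true };
    return { static_cast<int32_t>(wide), false };
}

// Interpreter fast path: stay in int32 unless the flag fires, then take the
// slow path (here: promote to double, which is what JS semantics require).
inline double interpretAdd(int32_t lhs, int32_t rhs, bool& tookSlowPath)
{
    Checked32 r = checkedAdd(lhs, rhs);
    tookSlowPath = r.overflowed;
    if (r.overflowed)
        return static_cast<double>(lhs) + static_cast<double>(rhs);
    return r.value;
}

int main()
{
    bool slow = false;
    std::printf("INT32_MAX + 1 overflows: %d\n", checkedAdd(INT32_MAX, 1).overflowed);
    std::printf("INT32_MIN - 1 overflows: %d\n", checkedSub(INT32_MIN, 1).overflowed);
    std::printf("65536 * 65536 overflows: %d\n", checkedMul(65536, 65536).overflowed);
    std::printf("46340 * 46340 = %d\n", checkedMul(46340, 46340).value);
    std::printf("interpretAdd(INT32_MAX, 1) = %.0f, slow path: %d\n",
        interpretAdd(INT32_MAX, 1, slow), slow);
    return 0;
}
```

        Compile with `-O2` and inspect the assembly to see the `jo`/`b.vs` that replaces the widening arithmetic; the security point is that the check survives optimization because it is expressed to the compiler rather than relying on wrapping behaviour the language does not guarantee.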
1402
1403 2018-03-05  Don Olmstead  <don.olmstead@sony.com>
1404
1405         [CMake] Split JSC header copying into public and private targets
1406         https://bugs.webkit.org/show_bug.cgi?id=183251
1407
1408         Reviewed by Konstantin Tokarev.
1409
1410         * CMakeLists.txt:
1411
1412 2018-03-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1413
1414         [WTF] Move currentCPUTime and sleep(Seconds) to CPUTime.h and Seconds.h respectively
1415         https://bugs.webkit.org/show_bug.cgi?id=183312
1416
1417         Reviewed by Mark Lam.
1418
1419         Remove wtf/CurrentTime.h include pragma.
1420
1421         * API/tests/ExecutionTimeLimitTest.cpp:
1422         (currentCPUTimeAsJSFunctionCallback):
1423         (testExecutionTimeLimit):
1424         * bytecode/SuperSampler.cpp:
1425         * dfg/DFGPlan.cpp:
1426         * heap/BlockDirectory.cpp:
1427         * heap/Heap.cpp:
1428         * heap/IncrementalSweeper.cpp:
1429         * inspector/agents/InspectorConsoleAgent.cpp:
1430         * inspector/agents/InspectorRuntimeAgent.cpp:
1431         * profiler/ProfilerDatabase.cpp:
1432         * runtime/CodeCache.h:
1433         * runtime/JSDateMath.cpp:
1434         * runtime/TypeProfilerLog.cpp:
1435         * runtime/VM.cpp:
1436         * runtime/Watchdog.cpp:
1437         (JSC::Watchdog::shouldTerminate):
1438         (JSC::Watchdog::startTimer):
1439         * testRegExp.cpp:
1440         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1441
1442 2018-03-04  Tim Horton  <timothy_horton@apple.com>
1443
1444         Make !ENABLE(DATA_DETECTION) iOS build actually succeed
1445         https://bugs.webkit.org/show_bug.cgi?id=183283
1446         <rdar://problem/38062148>
1447
1448         Reviewed by Sam Weinig.
1449
1450         * Configurations/FeatureDefines.xcconfig:
1451
1452 2018-03-02  Mark Lam  <mark.lam@apple.com>
1453
1454         Make the LLInt probe work for ARM64.
1455         https://bugs.webkit.org/show_bug.cgi?id=183298
1456         <rdar://problem/38077413>
1457
1458         Reviewed by Filip Pizlo.
1459
1460         * llint/LowLevelInterpreter.asm:
1461
1462 2018-03-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1463
1464         [JSC] Annotate more classes with WTF_MAKE_FAST_ALLOCATED
1465         https://bugs.webkit.org/show_bug.cgi?id=183279
1466
1467         Reviewed by JF Bastien.
1468
1469         * bytecode/BytecodeIntrinsicRegistry.h:
1470         * ftl/FTLThunks.h:
1471         * heap/CodeBlockSet.h:
1472         * heap/GCSegmentedArray.h:
1473         * heap/MachineStackMarker.h:
1474         * heap/MarkingConstraintSet.h:
1475
1476 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1477
1478         Remove monotonicallyIncreasingTime
1479         https://bugs.webkit.org/show_bug.cgi?id=182911
1480
1481         Reviewed by Michael Catanzaro.
1482
1483         * debugger/Debugger.cpp:
1484         (JSC::Debugger::willEvaluateScript):
1485         (JSC::Debugger::didEvaluateScript):
1486         * debugger/Debugger.h:
1487         * debugger/ScriptProfilingScope.h:
1488         * inspector/agents/InspectorDebuggerAgent.cpp:
1489         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
1490         * inspector/agents/InspectorHeapAgent.cpp:
1491         (Inspector::InspectorHeapAgent::snapshot):
1492         (Inspector::InspectorHeapAgent::didGarbageCollect):
1493         (Inspector::InspectorHeapAgent::dispatchGarbageCollectedEvent):
1494         * inspector/agents/InspectorHeapAgent.h:
1495         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1496         (Inspector::InspectorScriptProfilerAgent::startTracking):
1497         (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
1498         (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
1499         (Inspector::InspectorScriptProfilerAgent::addEvent):
1500         (Inspector::buildSamples):
1501         * inspector/agents/InspectorScriptProfilerAgent.h:
1502         * runtime/SamplingProfiler.cpp:
1503         (JSC::SamplingProfiler::takeSample):
1504         * runtime/SamplingProfiler.h:
1505
1506 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1507
1508         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
1509         https://bugs.webkit.org/show_bug.cgi?id=183173
1510
1511         Reviewed by Saam Barati.
1512
1513         The classifier could propagate an error that does not occur at the first token
1514         of the given expression. We should check whether the given token is "async"
1515         instead of asserting it.
1516
1517         * parser/Parser.cpp:
1518         (JSC::Parser<LexerType>::parseAssignmentExpression):
1519
1520 2018-03-01  Saam Barati  <sbarati@apple.com>
1521
1522         We need to clear cached structures when having a bad time
1523         https://bugs.webkit.org/show_bug.cgi?id=183256
1524         <rdar://problem/36245022>
1525
1526         Reviewed by Mark Lam.
1527
1528         This patch makes both InternalFunctionAllocationProfile and the VM's
1529         structure cache having-a-bad-time aware. For InternalFunctionAllocationProfile,
1530         we clear them when they'd produce an object with a bad indexing type.
1531         For the VM's Structure cache, we conservatively clear the entire cache 
1532         since it may be housing Structures with bad indexing types.
1533
1534         * runtime/FunctionRareData.h:
1535         (JSC::FunctionRareData::clearInternalFunctionAllocationProfile):
1536         * runtime/JSGlobalObject.cpp:
1537         (JSC::JSGlobalObject::haveABadTime):
1538         * runtime/StructureCache.h:
1539         (JSC::StructureCache::clear):
1540
1541 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1542
1543         Unreviewed, fix exception check for ExceptionScope
1544         https://bugs.webkit.org/show_bug.cgi?id=183175
1545
1546         * jsc.cpp:
1547         (GlobalObject::moduleLoaderFetch):
1548
1549 2018-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
1550
1551         [ARM] Fix compile error in debug builds by invoking unpoisoned().
1552
1553         Reviewed by Mark Lam.
1554
1555         * assembler/MacroAssemblerCodeRef.h:
1556         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): Fix compile error.
1557         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress()): Ditto.
1558         (JSC::MacroAssemblerCodePtr::dataLocation()): Ditto.
1559         * yarr/YarrInterpreter.cpp:
1560         (JSC::Yarr::ByteCompiler::dumpDisjunction): use %zu for printf'ing size_t.
1561
1562 2018-02-28  JF Bastien  <jfbastien@apple.com>
1563
1564         GC should sweep code block before deleting
1565         https://bugs.webkit.org/show_bug.cgi?id=183229
1566         <rdar://problem/32767615>
1567
1568         Reviewed by Saam Barati, Fil Pizlo.
1569
1570         Stub routines shouldn't get deleted before codeblocks have been
1571         swept, otherwise there's a small race window where the codeblock
1572         thinks it's still reachable.
1573
1574         * heap/Heap.cpp:
1575         (JSC::Heap::deleteUnmarkedCompiledCode):
1576         (JSC::Heap::sweepInFinalize):
1577
1578 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1579
1580         JSC crash with `import("")`
1581         https://bugs.webkit.org/show_bug.cgi?id=183175
1582
1583         Reviewed by Saam Barati.
1584
1585         Add file existence and file type checks for the module loader implementation in jsc.cpp.
1586         This is not safe against TOCTOU, but it is OK since this functionality is used by the
1587         JSC shell (jsc.cpp) for testing purposes.
1588
1589         * jsc.cpp:
1590         (fillBufferWithContentsOfFile):
1591         (fetchModuleFromLocalFileSystem):
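
        The following block is an added example, not the jsc.cpp module loader: it puts the check-then-open pattern the entry calls TOCTOU-prone next to the race-free open-then-fstat form, so the difference is concrete. Both read a module file into a buffer and reject anything that is not a regular file. It assumes a POSIX system; the function names, the temporary-file helper and the sample module text are constructed for the illustration.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Added example, not the jsc.cpp module loader: the check-then-open pattern
// the entry calls TOCTOU-prone, beside the race-free form. Both read a module
// file into a buffer and reject anything that is not a regular file (a
// directory, FIFO or device). Assumption: a POSIX system.

// Racy: stat() inspects the path, fopen() resolves it again. Between the two
// calls another process can replace the path (e.g. with a symlink to a FIFO
// or to a file the loader should never read), so the type check says nothing
// about the file actually opened.
bool loadModuleCheckThenOpen(const std::string& path, std::vector<char>& out)
{
    struct stat st;
    if (stat(path.c_str(), &st) != 0 || !S_ISREG(st.st_mode))
        return false;
    FILE* file = fopen(path.c_str(), "rb");   // may no longer be the file stat() saw
    if (!file)
        return false;
    out.assign(static_cast<size_t>(st.st_size), '\0');
    size_t n = fread(out.data(), 1, out.size(), file);
    fclose(file);
    out.resize(n);
    return true;
}

// Race-free: open first, then ask about the descriptor we actually hold.
// fstat() cannot be redirected, and O_NOFOLLOW refuses a symlink at the final
// path component (it does not protect intermediate components).
bool loadModuleOpenThenCheck(const std::string& path, std::vector<char>& out)
{
    int fd = open(path.c_str(), O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0)
        return false;   // covers import("") too: open("") fails with ENOENT
    struct stat st;
    bool ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode);
    if (ok) {
        out.clear();
        char buf[4096];
        ssize_t n;
        while ((n = read(fd, buf, sizeof buf)) > 0)
            out.insert(out.end(), buf, buf + n);
        ok = (n == 0);   // a read error is a failure, not a truncated module
    }
    close(fd);
    return ok;
}

// Test helper: writes `contents` to a fresh temporary file and returns its
// path ("" on failure). Constructed input for the demonstration.
std::string writeTempModule(const std::string& contents)
{
    char tmpl[] = "/tmp/module-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return "";
    bool ok = write(fd, contents.data(), contents.size()) == static_cast<ssize_t>(contents.size());
    close(fd);
    return ok ? std::string(tmpl) : "";
}

int main()
{
    std::vector<char> buf;
    std::string path = writeTempModule("export default 42;");
    std::printf("regular file:    %d (%zu bytes)\n", loadModuleOpenThenCheck(path, buf), buf.size());
    std::printf("directory:       %d\n", loadModuleOpenThenCheck("/", buf));
    std::printf("empty path:      %d\n", loadModuleOpenThenCheck("", buf));
    std::printf("racy, directory: %d\n", loadModuleCheckThenOpen("/", buf));
    unlink(path.c_str());
    return 0;
}
```

        On a quiet machine both loaders give the same answers, which is exactly why the race is easy to miss in testing; the difference only shows when the path changes between the two system calls, and only the open-then-fstat form is immune to that. For a test shell the racy form is acceptable, as the entry says; for a loader that runs on untrusted input it is not.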
1592
1593 2018-02-27  Keith Miller  <keith_miller@apple.com>
1594
1595         Replace TrustedImmPtr(0) with TrustedImmPtr(nullptr)
1596         https://bugs.webkit.org/show_bug.cgi?id=183195
1597
1598         Reviewed by Mark Lam.
1599
1600         * assembler/AbstractMacroAssembler.h:
1601         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
1602         * assembler/MacroAssembler.h:
1603         (JSC::MacroAssembler::patchableBranchPtr):
1604         (JSC::MacroAssembler::patchableBranchPtrWithPatch):
1605         * assembler/MacroAssemblerARM.h:
1606         (JSC::MacroAssemblerARM::branchPtrWithPatch):
1607         (JSC::MacroAssemblerARM::storePtrWithPatch):
1608         * assembler/MacroAssemblerARM64.h:
1609         (JSC::MacroAssemblerARM64::call):
1610         (JSC::MacroAssemblerARM64::tailRecursiveCall):
1611         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
1612         (JSC::MacroAssemblerARM64::patchableBranchPtrWithPatch):
1613         (JSC::MacroAssemblerARM64::storePtrWithPatch):
1614         * assembler/MacroAssemblerARMv7.h:
1615         (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
1616         (JSC::MacroAssemblerARMv7::patchableBranchPtr):
1617         (JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch):
1618         (JSC::MacroAssemblerARMv7::storePtrWithPatch):
1619         * assembler/MacroAssemblerMIPS.h:
1620         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
1621         (JSC::MacroAssemblerMIPS::storePtrWithPatch):
1622         * assembler/MacroAssemblerX86.h:
1623         (JSC::MacroAssemblerX86::branchPtrWithPatch):
1624         * assembler/MacroAssemblerX86_64.h:
1625         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
1626         (JSC::MacroAssemblerX86_64::call):
1627         (JSC::MacroAssemblerX86_64::tailRecursiveCall):
1628         (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
1629         (JSC::MacroAssemblerX86_64::branchPtrWithPatch):
1630         * bytecode/AccessCase.cpp:
1631         (JSC::AccessCase::generateImpl):
1632         * dfg/DFGSpeculativeJIT.cpp:
1633         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1634         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
1635         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1636         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1637         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1638         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1639         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1640         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1641         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1642         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1643         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1644         * dfg/DFGSpeculativeJIT.h:
1645         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
1646         * dfg/DFGSpeculativeJIT32_64.cpp:
1647         (JSC::DFG::SpeculativeJIT::compile):
1648         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1649         * dfg/DFGSpeculativeJIT64.cpp:
1650         (JSC::DFG::SpeculativeJIT::emitCall):
1651         (JSC::DFG::SpeculativeJIT::compile):
1652         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1653         * dfg/DFGThunks.cpp:
1654         (JSC::DFG::osrExitGenerationThunkGenerator):
1655         * ftl/FTLLowerDFGToB3.cpp:
1656         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1657         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1658         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1659         * ftl/FTLThunks.cpp:
1660         (JSC::FTL::genericGenerationThunkGenerator):
1661         * jit/AssemblyHelpers.cpp:
1662         (JSC::AssemblyHelpers::debugCall):
1663         (JSC::AssemblyHelpers::sanitizeStackInline):
1664         * jit/IntrinsicEmitter.cpp:
1665         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
1666         * jit/JITCall.cpp:
1667         (JSC::JIT::compileOpCall):
1668         * jit/JITCall32_64.cpp:
1669         (JSC::JIT::compileOpCall):
1670         * jit/ScratchRegisterAllocator.cpp:
1671         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
1672         * wasm/js/WasmToJS.cpp:
1673         (JSC::Wasm::wasmToJS):
1674         * yarr/YarrJIT.cpp:
1675         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
1676         (JSC::Yarr::YarrGenerator::storeToFrameWithPatch):
1677         (JSC::Yarr::YarrGenerator::generate):
1678
1679 2018-02-26  Mark Lam  <mark.lam@apple.com>
1680
1681         Modernize FINALIZE_CODE and peer macros to use __VA_ARGS__ arguments.
1682         https://bugs.webkit.org/show_bug.cgi?id=183159
1683         <rdar://problem/37930837>
1684
1685         Reviewed by Keith Miller.
1686
1687         * assembler/LinkBuffer.h:
1688         * assembler/testmasm.cpp:
1689         (JSC::compile):
1690         * b3/B3Compile.cpp:
1691         (JSC::B3::compile):
1692         * b3/air/testair.cpp:
1693         * b3/testb3.cpp:
1694         (JSC::B3::testEntrySwitchSimple):
1695         (JSC::B3::testEntrySwitchNoEntrySwitch):
1696         (JSC::B3::testEntrySwitchWithCommonPaths):
1697         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
1698         (JSC::B3::testEntrySwitchLoop):
1699         * bytecode/InlineAccess.cpp:
1700         (JSC::linkCodeInline):
1701         (JSC::InlineAccess::rewireStubAsJump):
1702         * bytecode/PolymorphicAccess.cpp:
1703         (JSC::PolymorphicAccess::regenerate):
1704         * dfg/DFGJITFinalizer.cpp:
1705         (JSC::DFG::JITFinalizer::finalize):
1706         (JSC::DFG::JITFinalizer::finalizeFunction):
1707         * dfg/DFGOSRExit.cpp:
1708         (JSC::DFG::OSRExit::compileOSRExit):
1709         * dfg/DFGThunks.cpp:
1710         (JSC::DFG::osrExitThunkGenerator):
1711         (JSC::DFG::osrExitGenerationThunkGenerator):
1712         (JSC::DFG::osrEntryThunkGenerator):
1713         * ftl/FTLJITFinalizer.cpp:
1714         (JSC::FTL::JITFinalizer::finalizeCommon):
1715         * ftl/FTLLazySlowPath.cpp:
1716         (JSC::FTL::LazySlowPath::generate):
1717         * ftl/FTLOSRExitCompiler.cpp:
1718         (JSC::FTL::compileStub):
1719         * ftl/FTLThunks.cpp:
1720         (JSC::FTL::genericGenerationThunkGenerator):
1721         (JSC::FTL::slowPathCallThunkGenerator):
1722         * jit/ExecutableAllocator.cpp:
1723         * jit/JIT.cpp:
1724         (JSC::JIT::link):
1725         * jit/JITMathIC.h:
1726         (JSC::isProfileEmpty):
1727         * jit/JITOpcodes.cpp:
1728         (JSC::JIT::privateCompileHasIndexedProperty):
1729         * jit/JITOpcodes32_64.cpp:
1730         (JSC::JIT::privateCompileHasIndexedProperty):
1731         * jit/JITPropertyAccess.cpp:
1732         (JSC::JIT::stringGetByValStubGenerator):
1733         (JSC::JIT::privateCompileGetByVal):
1734         (JSC::JIT::privateCompileGetByValWithCachedId):
1735         (JSC::JIT::privateCompilePutByVal):
1736         (JSC::JIT::privateCompilePutByValWithCachedId):
1737         * jit/JITPropertyAccess32_64.cpp:
1738         (JSC::JIT::stringGetByValStubGenerator):
1739         * jit/JITStubRoutine.h:
1740         * jit/Repatch.cpp:
1741         (JSC::linkPolymorphicCall):
1742         * jit/SpecializedThunkJIT.h:
1743         (JSC::SpecializedThunkJIT::finalize):
1744         * jit/ThunkGenerators.cpp:
1745         (JSC::throwExceptionFromCallSlowPathGenerator):
1746         (JSC::linkCallThunkGenerator):
1747         (JSC::linkPolymorphicCallThunkGenerator):
1748         (JSC::virtualThunkFor):
1749         (JSC::nativeForGenerator):
1750         (JSC::arityFixupGenerator):
1751         (JSC::unreachableGenerator):
1752         (JSC::boundThisNoArgsFunctionCallGenerator):
1753         * llint/LLIntThunks.cpp:
1754         (JSC::LLInt::generateThunkWithJumpTo):
1755         * wasm/WasmBBQPlan.cpp:
1756         (JSC::Wasm::BBQPlan::complete):
1757         * wasm/WasmBinding.cpp:
1758         (JSC::Wasm::wasmToWasm):
1759         * wasm/WasmOMGPlan.cpp:
1760         (JSC::Wasm::OMGPlan::work):
1761         * wasm/WasmThunks.cpp:
1762         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1763         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1764         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1765         * wasm/js/WasmToJS.cpp:
1766         (JSC::Wasm::handleBadI64Use):
1767         (JSC::Wasm::wasmToJS):
1768         * yarr/YarrJIT.cpp:
1769         (JSC::Yarr::YarrGenerator::compile):
1770
1771 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1772
1773         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
1774         https://bugs.webkit.org/show_bug.cgi?id=182965
1775
1776         Reviewed by Saam Barati.
1777
1778         This patch extends FTL coverage for PutByVal by adding ArrayStorage and SlowPutArrayStorage support.
1779         Basically, a large part of the patch is ported from DFG code. Since PutByVal already emits CheckInBounds
1780         for the InBounds case, we do not have an OutOfBounds check for that case.
1781         This is the last change for FTL to support all the types of DFG nodes except for CreateThis.
1782
1783         * dfg/DFGOperations.cpp:
1784         * dfg/DFGOperations.h:
1785         * dfg/DFGSpeculativeJIT.cpp:
1786         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1787         * dfg/DFGSpeculativeJIT64.cpp:
1788         (JSC::DFG::SpeculativeJIT::compile):
1789         * ftl/FTLCapabilities.cpp:
1790         (JSC::FTL::canCompile):
1791         * ftl/FTLLowerDFGToB3.cpp:
1792         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1793         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
1794         For consistency, we use operationPutByValXXX and operationPutByValDirectXXX.
1795         But except for the SlowPutArrayStorage case, it is basically meaningless since
1796         we do not have indexed accessors.
1797
1798 2018-02-26  Saam Barati  <sbarati@apple.com>
1799
1800         validateStackAccess should not validate if the offset is within the stack bounds
1801         https://bugs.webkit.org/show_bug.cgi?id=183067
1802         <rdar://problem/37749988>
1803
1804         Reviewed by Mark Lam.
1805
1806         The validation rule was saying that any load from the stack must be
1807         within the stack bounds of the frame. However, it's natural for a user
1808         of B3 to emit code that may be outside of B3's stack bounds, but guard
1809         such a load with a branch. The FTL does exactly this with GetMyArgumentByVal.
1810         B3 is wrong to assert that this is a static property about all stack loads.
1811
1812         * b3/B3Validate.cpp:
1813
1814 2018-02-23  Saam Barati  <sbarati@apple.com>
1815
1816         Make Number.isInteger an intrinsic
1817         https://bugs.webkit.org/show_bug.cgi?id=183088
1818
1819         Reviewed by JF Bastien.
1820
1821         When profiling the ML subtest in ARES, I noticed it was spending some
1822         time in Number.isInteger. This patch makes that operation an intrinsic
1823         in the DFG/FTL. It might be a speedup by 1% or so on that subtest, but
1824         it's likely not an aggregate speedup on ARES. However, it is definitely
1825         faster than calling into a builtin function, so we might as well have
1826         it as an intrinsic.
1827
1828         * dfg/DFGAbstractInterpreterInlines.h:
1829         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1830         * dfg/DFGByteCodeParser.cpp:
1831         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1832         * dfg/DFGClobberize.h:
1833         (JSC::DFG::clobberize):
1834         * dfg/DFGDoesGC.cpp:
1835         (JSC::DFG::doesGC):
1836         * dfg/DFGFixupPhase.cpp:
1837         (JSC::DFG::FixupPhase::fixupNode):
1838         * dfg/DFGNodeType.h:
1839         * dfg/DFGOperations.cpp:
1840         * dfg/DFGOperations.h:
1841         * dfg/DFGPredictionPropagationPhase.cpp:
1842         * dfg/DFGSafeToExecute.h:
1843         (JSC::DFG::safeToExecute):
1844         * dfg/DFGSpeculativeJIT32_64.cpp:
1845         (JSC::DFG::SpeculativeJIT::compile):
1846         * dfg/DFGSpeculativeJIT64.cpp:
1847         (JSC::DFG::SpeculativeJIT::compile):
1848         * ftl/FTLCapabilities.cpp:
1849         (JSC::FTL::canCompile):
1850         * ftl/FTLLowerDFGToB3.cpp:
1851         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1852         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
1853         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
1854         * runtime/Intrinsic.cpp:
1855         (JSC::intrinsicName):
1856         * runtime/Intrinsic.h:
1857         * runtime/NumberConstructor.cpp:
1858         (JSC::NumberConstructor::finishCreation):
1859         (JSC::numberConstructorFuncIsInteger):
1860         * runtime/NumberConstructor.h:
1861         (JSC::NumberConstructor::isIntegerImpl):
1862
1863 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
1864
1865         WebAssembly: cache memory address / size on instance
1866         https://bugs.webkit.org/show_bug.cgi?id=177305
1867
1868         Reviewed by JF Bastien.
1869
1870         Cache the memory address/size in Wasm::Instance to avoid loading the Wasm::Memory
1871         object during accesses to memory and the memory size property in the JIT.
1872
1873         * wasm/WasmB3IRGenerator.cpp:
1874         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1875         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
1876         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1877         * wasm/WasmBinding.cpp:
1878         (JSC::Wasm::wasmToWasm):
1879         * wasm/WasmInstance.h:
1880         (JSC::Wasm::Instance::cachedMemory const):
1881         (JSC::Wasm::Instance::cachedMemorySize const):
1882         (JSC::Wasm::Instance::createWeakPtr):
1883         (JSC::Wasm::Instance::setMemory):
1884         (JSC::Wasm::Instance::updateCachedMemory):
1885         (JSC::Wasm::Instance::offsetOfCachedMemory):
1886         (JSC::Wasm::Instance::offsetOfCachedMemorySize):
1887         (JSC::Wasm::Instance::offsetOfCachedIndexingMask):
1888         (JSC::Wasm::Instance::allocationSize):
1889         * wasm/WasmMemory.cpp:
1890         (JSC::Wasm::Memory::grow):
1891         (JSC::Wasm::Memory::registerInstance):
1892         * wasm/WasmMemory.h:
1893         (JSC::Wasm::Memory::indexingMask):
1894         * wasm/js/JSToWasm.cpp:
1895         (JSC::Wasm::createJSToWasmWrapper):
1896         * wasm/js/WebAssemblyModuleRecord.cpp:
1897         (JSC::WebAssemblyModuleRecord::evaluate):
1898
1899 2018-02-23  Saam Barati  <sbarati@apple.com>
1900
1901         ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert
1902         https://bugs.webkit.org/show_bug.cgi?id=182982
1903
1904         Reviewed by Yusuke Suzuki.
1905
1906         I don't know why this check was not always an assert. When we see
1907         a GetByOffset on an eliminated allocation, that allocation *must*
1908         be a PhantomClonedArguments. If it weren't, the GetByOffset would
1909         have escaped it. Because this transformation happens by visiting
1910         blocks in pre-order, and by visiting nodes in a block starting from
1911         index zero to index block->size() - 1, we're guaranteed that eliminated
1912         allocations get transformed before users of it, since we visit nodes
1913         in dominator order.
1914
1915         * dfg/DFGArgumentsEliminationPhase.cpp:
1916
1917 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1918
1919         [JSC] Implement $vm.ftlTrue function for FTL testing
1920         https://bugs.webkit.org/show_bug.cgi?id=183071
1921
1922         Reviewed by Mark Lam.
1923
1924         Add $vm.ftlTrue, which becomes true if the caller is compiled in FTL.
1925         This is useful for testing whether the caller function is compiled in FTL.
1926
1927         We also remove the duplicate DFGTrue function in jsc.cpp, since we have $vm.dfgTrue.
1928
1929         * dfg/DFGByteCodeParser.cpp:
1930         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1931         * jsc.cpp:
1932         (GlobalObject::finishCreation):
1933         (functionFalse1):
1934         (functionFalse2): Deleted.
1935         * runtime/Intrinsic.cpp:
1936         (JSC::intrinsicName):
1937         * runtime/Intrinsic.h:
1938         * tools/JSDollarVM.cpp:
1939         (JSC::functionFTLTrue):
1940         (JSC::JSDollarVM::finishCreation):
1941
1942 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1943
1944         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
1945         https://bugs.webkit.org/show_bug.cgi?id=182792
1946
1947         Reviewed by Mark Lam.
1948
1949         This patch adds HasIndexedProperty for ArrayStorage and SlowPutArrayStorage in FTL.
1950         HasIndexedProperty with ArrayStorage frequently causes FTL compilation failures
1951         in web-tooling-benchmarks.
1952
1953         * ftl/FTLCapabilities.cpp:
1954         (JSC::FTL::canCompile):
1955         * ftl/FTLLowerDFGToB3.cpp:
1956         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1957
1958 2018-02-22  Mark Lam  <mark.lam@apple.com>
1959
1960         Refactor MacroAssembler code to improve reuse and extensibility.
1961         https://bugs.webkit.org/show_bug.cgi?id=183054
1962         <rdar://problem/37797337>
1963
1964         Reviewed by Saam Barati.
1965
1966         * assembler/ARM64Assembler.h:
1967         * assembler/MacroAssembler.cpp:
1968         * assembler/MacroAssembler.h:
1969         * assembler/MacroAssemblerARM.h:
1970         * assembler/MacroAssemblerARM64.h:
1971         (JSC::MacroAssemblerARM64::canCompact):
1972         (JSC::MacroAssemblerARM64::computeJumpType):
1973         (JSC::MacroAssemblerARM64::jumpSizeDelta):
1974         (JSC::MacroAssemblerARM64::link):
1975         (JSC::MacroAssemblerARM64::load64):
1976         (JSC::MacroAssemblerARM64::load64WithAddressOffsetPatch):
1977         (JSC::MacroAssemblerARM64::load32):
1978         (JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
1979         (JSC::MacroAssemblerARM64::load16):
1980         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
1981         (JSC::MacroAssemblerARM64::load8):
1982         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
1983         (JSC::MacroAssemblerARM64::store64):
1984         (JSC::MacroAssemblerARM64::store64WithAddressOffsetPatch):
1985         (JSC::MacroAssemblerARM64::store32):
1986         (JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
1987         (JSC::MacroAssemblerARM64::store16):
1988         (JSC::MacroAssemblerARM64::store8):
1989         (JSC::MacroAssemblerARM64::getEffectiveAddress):
1990         (JSC::MacroAssemblerARM64::branchDoubleNonZero):
1991         (JSC::MacroAssemblerARM64::branchDoubleZeroOrNaN):
1992         (JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
1993         (JSC::MacroAssemblerARM64::loadDouble):
1994         (JSC::MacroAssemblerARM64::loadFloat):
1995         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
1996         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
1997         (JSC::MacroAssemblerARM64::storeDouble):
1998         (JSC::MacroAssemblerARM64::storeFloat):
1999         (JSC::MacroAssemblerARM64::call):
2000         (JSC::MacroAssemblerARM64::jump):
2001         (JSC::MacroAssemblerARM64::tailRecursiveCall):
2002         (JSC::MacroAssemblerARM64::setCarry):
2003         (JSC::MacroAssemblerARM64::reemitInitialMoveWithPatch):
2004         (JSC::MacroAssemblerARM64::isBreakpoint):
2005         (JSC::MacroAssemblerARM64::invert):
2006         (JSC::MacroAssemblerARM64::readCallTarget):
2007         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
2008         (JSC::MacroAssemblerARM64::replaceWithJump):
2009         (JSC::MacroAssemblerARM64::maxJumpReplacementSize):
2010         (JSC::MacroAssemblerARM64::patchableJumpSize):
2011         (JSC::MacroAssemblerARM64::repatchCall):
2012         (JSC::MacroAssemblerARM64::makeBranch):
2013         (JSC::MacroAssemblerARM64::makeCompareAndBranch):
2014         (JSC::MacroAssemblerARM64::makeTestBitAndBranch):
2015         (JSC::MacroAssemblerARM64::ARM64Condition):
2016         (JSC::MacroAssemblerARM64::moveWithFixedWidth):
2017         (JSC::MacroAssemblerARM64::load):
2018         (JSC::MacroAssemblerARM64::store):
2019         (JSC::MacroAssemblerARM64::tryLoadWithOffset):
2020         (JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
2021         (JSC::MacroAssemblerARM64::tryStoreWithOffset):
2022         (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
2023         (JSC::MacroAssemblerARM64::linkCall):
2024         * assembler/MacroAssemblerARMv7.h:
2025         * assembler/MacroAssemblerMIPS.h:
2026         * assembler/MacroAssemblerX86Common.h:
2027         * assembler/ProbeStack.h:
2028         - Removed a forward declaration of an obsolete class.
2029
2030 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2031
2032         Remove sleep(double) and sleepMS(double) interfaces
2033         https://bugs.webkit.org/show_bug.cgi?id=183038
2034
2035         Reviewed by Mark Lam.
2036
2037         * bytecode/SuperSampler.cpp:
2038         (JSC::initializeSuperSampler):
2039
2040 2018-02-21  Don Olmstead  <don.olmstead@sony.com>
2041
2042         [CMake] Split declaration of JSC headers into public and private
2043         https://bugs.webkit.org/show_bug.cgi?id=182980
2044
2045         Reviewed by Michael Catanzaro.
2046
2047         * CMakeLists.txt:
2048         * PlatformGTK.cmake:
2049         * PlatformMac.cmake:
2050         * PlatformWPE.cmake:
2051         * PlatformWin.cmake:
2052
2053 2018-02-20  Saam Barati  <sbarati@apple.com>
2054
2055         DFG::VarargsForwardingPhase should eliminate getting argument length
2056         https://bugs.webkit.org/show_bug.cgi?id=182959
2057
2058         Reviewed by Keith Miller.
2059
2060         This patch teaches the DFG VarargsForwardingPhase to not treat
2061         length accesses on Cloned/Direct Arguments objects as escapes.
2062         It teaches this phase to materialize the length in the same
2063         way the ArgumentsEliminationPhase does.
2064         
2065         This is around a 0.5-1% speedup on ARES6 on my iMac. It speeds
2066         up the ML subtest by 2-4%.
2067         
2068         This patch also extends compileGetArgumentCountIncludingThis to take
2069         a parameter that is the inline call frame to load from (in the case
2070         where the inline call frame is a varargs frame). This allows the
2071         emitCodeToGetArgumentsArrayLength helper function to just emit
2072         a GetArgumentCountIncludingThis node instead of a GetLocal. If we
2073         emitted a GetLocal, we'd need to rerun CPS rethreading.
2074
2075         * dfg/DFGArgumentsEliminationPhase.cpp:
2076         * dfg/DFGArgumentsUtilities.cpp:
2077         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2078         * dfg/DFGByteCodeParser.cpp:
2079         (JSC::DFG::ByteCodeParser::getArgumentCount):
2080         * dfg/DFGClobberize.h:
2081         (JSC::DFG::clobberize):
2082         * dfg/DFGNode.h:
2083         (JSC::DFG::Node::argumentsInlineCallFrame):
2084         * dfg/DFGSpeculativeJIT.cpp:
2085         (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
2086         * dfg/DFGVarargsForwardingPhase.cpp:
2087         * ftl/FTLLowerDFGToB3.cpp:
2088         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis):
2089
2090 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2091
2092         [FTL] Support ArrayPush for ArrayStorage
2093         https://bugs.webkit.org/show_bug.cgi?id=182782
2094
2095         Reviewed by Saam Barati.
2096
2097         This patch adds support for ArrayPush(ArrayStorage). We just port ArrayPush(ArrayStorage) in DFG to FTL.
2098
2099         * ftl/FTLAbstractHeapRepository.h:
2100         * ftl/FTLCapabilities.cpp:
2101         (JSC::FTL::canCompile):
2102         * ftl/FTLLowerDFGToB3.cpp:
2103         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
2104
2105 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2106
2107         [FTL] Support ArrayPop for ArrayStorage
2108         https://bugs.webkit.org/show_bug.cgi?id=182783
2109
2110         Reviewed by Saam Barati.
2111
2112         This patch adds ArrayPop(ArrayStorage) support to FTL. We port the implementation in DFG to FTL.
2113
2114         * ftl/FTLAbstractHeapRepository.h:
2115         * ftl/FTLCapabilities.cpp:
2116         (JSC::FTL::canCompile):
2117         * ftl/FTLLowerDFGToB3.cpp:
2118         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
2119
2120 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2121
2122         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
2123         https://bugs.webkit.org/show_bug.cgi?id=182731
2124
2125         Reviewed by Saam Barati.
2126
2127         This patch adds support for Arrayify(ArrayStorage/SlowPutArrayStorage) to FTL.
2128         Due to ArrayifyToStructure and CheckArray changes, necessary changes for
2129         supporting Arrayify in FTL are already done. Just allowing it in FTLCapabilities.cpp
2130         is enough.
2131
2132         We fix FTL's CheckArray logic. Previously, CheckArray(SlowPutArrayStorage) does not pass
2133         ArrayStorage in FTL. But now it passes this as DFG does. Moreover, we fix DFG's CheckArray
2134         where CheckArray(ArrayStorage+NonArray) can pass ArrayStorage+Array.
2135
2136         * dfg/DFGSpeculativeJIT.cpp:
2137         (JSC::DFG::SpeculativeJIT::silentFill):
2138         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2139         * dfg/DFGSpeculativeJIT.h:
2140         * ftl/FTLCapabilities.cpp:
2141         (JSC::FTL::canCompile):
2142         * ftl/FTLLowerDFGToB3.cpp:
2143         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
2144
2145 2018-02-19  Saam Barati  <sbarati@apple.com>
2146
2147         Don't use JSFunction's allocation profile when getting the prototype can be effectful
2148         https://bugs.webkit.org/show_bug.cgi?id=182942
2149         <rdar://problem/37584764>
2150
2151         Reviewed by Mark Lam.
2152
2153         Prior to this patch, the create_this implementation assumed that anything
2154         that is a JSFunction can use the object allocation profile and go down the
2155         fast path to allocate the |this| object. Implied by this approach is that
2156         accessing the 'prototype' property of the incoming function is not an
2157         effectful operation. This is inherent to the ObjectAllocationProfile 
2158         data structure: it caches the prototype field. However, getting the
2159         'prototype' property might be an effectful operation, e.g, it could
2160         be a getter. Many variants of functions in JS have the 'prototype' property
2161         as non-configurable. However, some functions, like bound functions, do not
2162         have the 'prototype' field with these attributes.
2163         
2164         This patch adds the notion of 'canUseAllocationProfile' to JSFunction
2165         and threads it through so that we only go down the fast path and use
2166         the allocation profile when the prototype property is non-configurable.
2167
2168         * bytecompiler/NodesCodegen.cpp:
2169         (JSC::ClassExprNode::emitBytecode):
2170         * dfg/DFGOperations.cpp:
2171         * runtime/CommonSlowPaths.cpp:
2172         (JSC::SLOW_PATH_DECL):
2173         * runtime/JSFunction.cpp:
2174         (JSC::JSFunction::prototypeForConstruction):
2175         (JSC::JSFunction::allocateAndInitializeRareData):
2176         (JSC::JSFunction::initializeRareData):
2177         (JSC::JSFunction::getOwnPropertySlot):
2178         (JSC::JSFunction::canUseAllocationProfileNonInline):
2179         * runtime/JSFunction.h:
2180         (JSC::JSFunction::ensureRareDataAndAllocationProfile):
2181         * runtime/JSFunctionInlines.h:
2182         (JSC::JSFunction::canUseAllocationProfile):
2183
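        An added JavaScript illustration of the hazard described in the entry above (example code, not
        part of the WebKit change or its tests): an ordinary function's 'prototype' is a non-configurable
        data property, so caching it is safe, but a bound function has no own 'prototype', so script can
        install a configurable accessor there, and the engine runs that getter when it derives a new
        object's prototype from such a constructor (here via Reflect.construct with the bound function as
        new.target). The helper names are hypothetical.

```javascript
// Is reading `fn.prototype` guaranteed to be side-effect free?
// True only when the own property exists, is a data property and is
// non-configurable, so it can never later be turned into an accessor.
function prototypeIsStable(fn) {
  const d = Object.getOwnPropertyDescriptor(fn, 'prototype');
  return d !== undefined && 'value' in d && d.configurable === false;
}

function Target() {}

// Ordinary function: `prototype` is a non-configurable data property.
const ordinaryStable = prototypeIsStable(Target); // true

// Bound function: no own `prototype`, so a configurable getter can be added.
const bound = Target.bind(null);
let getterCalls = 0;
Object.defineProperty(bound, 'prototype', {
  get() { getterCalls++; return { tag: 'from-getter' }; },
  configurable: true,
});
const boundStable = prototypeIsStable(bound); // false

// Construct Target with `bound` as new.target: the new object's prototype is
// taken from new.target.prototype, so the getter is observed exactly once.
function constructWithBoundNewTarget() {
  getterCalls = 0;
  const obj = Reflect.construct(Target, [], bound);
  return { calls: getterCalls, tag: Object.getPrototypeOf(obj).tag };
}

// Plain `new bound()` redirects new.target to the bound target function, so
// the getter is never consulted and Target.prototype is used instead.
function constructBoundDirectly() {
  getterCalls = 0;
  const obj = new bound();
  return { calls: getterCalls, usedTargetPrototype: Object.getPrototypeOf(obj) === Target.prototype };
}
```

        The two constructors differ only in where new.target points; an engine that cached the prototype
        for every JSFunction would silently skip the getter in the first case.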
2184 2018-02-19  Saam Barati  <sbarati@apple.com>
2185
2186         Don't mark an array profile out of bounds for the cases where the DFG will convert the access to SaneChain
2187         https://bugs.webkit.org/show_bug.cgi?id=182912
2188         <rdar://problem/37685083>
2189
2190         Reviewed by Keith Miller.
2191
2192         In the baseline JIT and LLInt, when we load a hole from an original array,
2193         with the array prototype chain being normal, we end up marking the ArrayProfile
2194         for that GetByVal as out of bounds. However, the DFG knows exactly how to
2195         optimize this case by returning undefined when loading from a hole. Currently,
2196         it only does this for Contiguous arrays (and sometimes Double arrays).
2197         This patch just makes sure to not mark the ArrayProfile as out of bounds
2198         in this scenario for Contiguous arrays, since the DFG will always optimize
2199         this case.
2200         
2201         However, we should extend this by profiling when a GetByVal loads a hole. By
2202         doing so, we can optimize this for Int32, ArrayStorage, and maybe even Double
2203         arrays. That work will happen in:
2204         https://bugs.webkit.org/show_bug.cgi?id=182940
2205         
2206         This patch is a 30-50% speedup on JetStream's hash-map test. This patch
2207         speeds up JetStream by 1% when testing on my iMac.
2208
2209         * dfg/DFGArrayMode.cpp:
2210         (JSC::DFG::ArrayMode::refine const):
2211         * dfg/DFGFixupPhase.cpp:
2212         (JSC::DFG::FixupPhase::fixupNode):
2213         * jit/JITOperations.cpp:
2214         (JSC::getByVal):
2215         (JSC::canAccessArgumentIndexQuickly): Deleted.
2216         * llint/LLIntSlowPaths.cpp:
2217         (JSC::LLInt::getByVal):
2218         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2219         * llint/LowLevelInterpreter32_64.asm:
2220         * llint/LowLevelInterpreter64.asm:
2221         * runtime/CommonSlowPaths.h:
2222         (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
2223
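        An added JavaScript illustration (example code, not part of the WebKit change) of the condition
        the entry above relies on: a hole read returns undefined only while the array prototype chain is
        "normal", taken here to mean that neither Array.prototype nor Object.prototype carries an own
        integer-indexed property. Once script plants one, the same hole read must walk the chain and
        return that value, which is why a hole load may only be folded to undefined under that invariant.
        The helper names and the "normal chain" check are this example's own simplification.

```javascript
// Read every hole in `arr` (indexes with no own element) and collect the results.
// hasOwnProperty is used rather than `in`, because `in` walks the prototype chain.
function readHoles(arr) {
  const out = [];
  for (let i = 0; i < arr.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(arr, i)) out.push(arr[i]);
  }
  return out;
}

// Simplified "normal chain" test: no own integer-indexed key on Array.prototype
// or Object.prototype, and Array.prototype still inherits from Object.prototype.
function arrayChainIsNormal() {
  const hasIndexedKey = (o) =>
    Reflect.ownKeys(o).some((k) => typeof k === 'string' && /^(0|[1-9]\d*)$/.test(k));
  return !hasIndexedKey(Array.prototype)
    && !hasIndexedKey(Object.prototype)
    && Object.getPrototypeOf(Array.prototype) === Object.prototype;
}

// Run the hole read before and after an indexed property is planted on
// Array.prototype, restoring the prototype afterwards.
function demonstrate() {
  const holey = [1, , , 4]; // constructed sample: holes at indexes 1 and 2
  const before = { normal: arrayChainIsNormal(), holes: readHoles(holey) };

  Object.defineProperty(Array.prototype, '2', {
    value: 'from-prototype', writable: true, enumerable: false, configurable: true,
  });
  let after;
  try {
    after = { normal: arrayChainIsNormal(), holes: readHoles(holey) };
  } finally {
    delete Array.prototype[2]; // put the chain back the way it was
  }
  return { before, after, restored: arrayChainIsNormal() };
}
```

        The array itself is never modified; only the prototype chain changes, yet the second hole read
        yields a different value, so any engine fast path that returns undefined for holes must be
        guarded by a check (or watchpoint) on that chain.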
2224 2018-02-17  Filip Pizlo  <fpizlo@apple.com>
2225
2226         GetArrayMask should support constant folding
2227         https://bugs.webkit.org/show_bug.cgi?id=182907
2228
2229         Reviewed by Saam Barati.
2230         
2231         Implement constant folding for GetArrayMask. This revealed a bug in tryGetFoldableView, where it was
2232         ignoring the result of a jsDynamicCast<>(). This wasn't a bug before because it would have been
2233         impossible for that function to get called with a non-null value if the value was not an array view,
2234         due to type filtering in CheckArray, the fact that CheckArray had to dominate GetArrayLength, and
2235         the fact that the other tryGetFoldableView overload made sure that the array mode was some typed
2236         array.
2237         
2238         This isn't a measurable progression, but it does save a register in the codegen for typed array
2239         accesses. Hopefully these improvements add up.
2240
2241         * assembler/AssemblerBuffer.h:
2242         * dfg/DFGAbstractInterpreterInlines.h:
2243         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2244         * dfg/DFGGraph.cpp:
2245         (JSC::DFG::Graph::tryGetFoldableView):
2246
2247 2018-02-18  Dominik Inführ  <dominik.infuehr@gmail.com>
2248
2249         Offlineasm/MIPS: immediates need to be within 16-bit signed values
2250         https://bugs.webkit.org/show_bug.cgi?id=182890
2251
2252         Reviewed by Michael Catanzaro.
2253
2254         In Sequence.getModifiedListMIPS(), we allow immediate values within
2255         the range -0xffff..0xffff for immediates (addresses and other
2256         immediates), but then in Immediate.mipsOperand() and
2257         Address.mipsOperand() we raise if immediate values are not within
2258         -0x7fff..0x7fff. This is inconsistent, and broke compilation on mips
2259         since r228552 made the VM structure bigger meaning we address values
2260         with bigger offsets in llint. This change restricts the allowed range,
2261         so that a separate load of the value is done for values outside of
2262         that range.
2263
2264         * offlineasm/mips.rb:
2265
2266 2018-02-17  Darin Adler  <darin@apple.com>
2267
2268         Web Inspector: get rid of remaining uses of OptOutput<T>
2269         https://bugs.webkit.org/show_bug.cgi?id=180607
2270
2271         Reviewed by Brian Burg.
2272
2273         * inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
2274         is inside the Inspector namespace already. Also use auto a bit.
2275         * inspector/AsyncStackTrace.h: Ditto.
2276         * inspector/ConsoleMessage.cpp: Ditto.
2277
2278         * inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
2279         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
2280         Vector instead of a unique_ptr<Vector>.
2281         (Inspector::ContentSearchUtilities::lineEndings): Ditto.
2282         (Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
2283         (Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
2284         a Vector for a fixed size array; also got rid of reinterpret_cast.
2285         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
2286         expression here since it's the only place it was used.
2287
2288         * inspector/ContentSearchUtilities.h: Cut down on unneeded includes.
2289
2290         * inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
2291         is inside the Inspector namespace already. Also use auto a bit.
2292
2293         * inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
2294         Removed base template for BindingTraits; we only need the specializations.
2295
2296         * inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
2297         is inside the Inspector namespace already. Also use auto a bit.
2298         * inspector/ScriptCallFrame.h: Ditto.
2299         * inspector/ScriptCallStack.cpp: Ditto.
2300         * inspector/ScriptCallStack.h: Ditto.
2301         * inspector/agents/InspectorConsoleAgent.cpp: Ditto.
2302         * inspector/agents/InspectorConsoleAgent.h: Ditto.
2303
2304         * inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
2305         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& instead of
2306         OptOutput* for out arguments.
2307         * inspector/agents/InspectorDebuggerAgent.h: Ditto.
2308
2309         * inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
2310         (Inspector::InspectorHeapAgent::getPreview): Use std::optional& instead of OptOutput*
2311         for out arguments.
2312         * inspector/agents/InspectorHeapAgent.h: Ditto.
2313
2314         * inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
2315         (Inspector::InspectorRuntimeAgent::parse): Use std::optional& instead of OptOutput*
2316         for out arguments.
2317         (Inspector::InspectorRuntimeAgent::evaluate): Ditto.
2318         (Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
2319         (Inspector::InspectorRuntimeAgent::saveResult): Ditto.
2320         * inspector/agents/InspectorRuntimeAgent.h: Ditto.
2321
2322         * inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
2323         and removed some bogus const.
2324         * inspector/agents/InspectorScriptProfilerAgent.h: Ditto.
2325
2326         * inspector/scripts/codegen/cpp_generator.py:
2327         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
2328         (CppGenerator.cpp_type_for_type_with_name): Ditto.
2329         (CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
2330         Inspector::Protocol::OptOutput*.
2331         (CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
2332         (CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
2333         (CppGenerator.cpp_type_for_stack_out_parameter): Ditto.
2334
2335         * inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
2336         conditional around assertion code which will now compile to nothing if ASSERT is disabled.
2337         Build strings more simply in a few cases.
2338
2339         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2340         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
2341         Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
2342         replaces OptOutput here.
2343         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2344         Pass by reference instead of pointer now.
2345
2346         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2347         Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
2348         if ASSERT is disabled.
2349
2350         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2351         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
2352         the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
2353         (CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.
2354
2355         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2356         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
2357         more simply.
2358
2359         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2360         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2361         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2362         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2363         Rebaselined.
2364
2365 2018-02-16  Matt Lewis  <jlewis3@apple.com>
2366
2367         Unreviewed, rolling out r228318.
2368
2369         The patch that this attempted to fix was rolled out already.
2370
2371         Reverted changeset:
2372
2373         "Fix build on ARMv7 traditional JSCOnly bot after r228306"
2374         https://bugs.webkit.org/show_bug.cgi?id=182563
2375         https://trac.webkit.org/changeset/228318
2376
2377 2018-02-16  Filip Pizlo  <fpizlo@apple.com>
2378
2379         Unreviewed, roll out r228306 (custom memcpy/memset) because the bots say that it was not a
2380         progression.
2381
2382         * assembler/AssemblerBuffer.h:
2383         (JSC::AssemblerBuffer::append):
2384         * heap/LargeAllocation.cpp:
2385         (JSC::LargeAllocation::tryCreate):
2386         * heap/MarkedBlock.cpp:
2387         (JSC::MarkedBlock::Handle::didAddToDirectory):
2388         * runtime/ArrayBuffer.cpp:
2389         (JSC::ArrayBufferContents::tryAllocate):
2390         (JSC::ArrayBufferContents::copyTo):
2391         (JSC::ArrayBuffer::createInternal):
2392         * runtime/ArrayBufferView.h:
2393         (JSC::ArrayBufferView::zeroRangeImpl):
2394         * runtime/ArrayConventions.cpp:
2395         (JSC::clearArrayMemset):
2396         * runtime/ArrayConventions.h:
2397         (JSC::clearArray):
2398         * runtime/ArrayPrototype.cpp:
2399         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2400         * runtime/ButterflyInlines.h:
2401         (JSC::Butterfly::tryCreate):
2402         (JSC::Butterfly::createOrGrowPropertyStorage):
2403         (JSC::Butterfly::growArrayRight):
2404         (JSC::Butterfly::resizeArray):
2405         * runtime/GenericTypedArrayViewInlines.h:
2406         (JSC::GenericTypedArrayView<Adaptor>::create):
2407         * runtime/JSArray.cpp:
2408         (JSC::JSArray::appendMemcpy):
2409         (JSC::JSArray::fastSlice):
2410         * runtime/JSArrayBufferView.cpp:
2411         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2412         * runtime/JSGenericTypedArrayViewInlines.h:
2413         (JSC::JSGenericTypedArrayView<Adaptor>::set):
2414         * runtime/JSObject.cpp:
2415         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2416         (JSC::JSObject::shiftButterflyAfterFlattening):
2417         * runtime/PropertyTable.cpp:
2418         (JSC::PropertyTable::PropertyTable):
2419
2420 2018-02-16  Saam Barati  <sbarati@apple.com>
2421
2422         Fix bugs from r228411
2423         https://bugs.webkit.org/show_bug.cgi?id=182851
2424         <rdar://problem/37577732>
2425
2426         Reviewed by JF Bastien.
2427
2428         There was a bug from r228411 where inside the constant folding phase,
2429         we used an insertCheck method that didn't handle varargs. This would
2430         lead to a crash. When thinking about the fix for that function, I realized
2431         I made a couple of mistakes in r228411. One is probably a security bug, and
2432         the other is a performance bug because it'll prevent CSE for certain flavors
2433         of GetByVal nodes. Both blunders are similar in nature.
2434         
2435         In r228411, I added code in LICM that inserted a CheckVarargs node with children
2436         of another varargs node. However, to construct this new node's children,
2437         I just copied the AdjacencyList. This does a shallow copy. What we needed
2438         was a deep copy. We needed to create a new vararg AdjacencyList that points
2439         to edges that are deep copies of the original varargs children. This patch
2440         fixes this goof in LICM.
2441         
2442         r228411 made it so that PureValue over a varargs node would just compare actual
2443         AdjacencyLists structs. So, if you had two GetByVals that had equal sanitized
2444         children, their actual AdjacencyList structs are *not* bitwise equal, since they'll
2445         have different firstChild values. Instead, we need to do a deep compare of their
2446         adjacency lists. This patch teaches PureValue how to do that.
2447
2448         * dfg/DFGClobberize.h:
2449         (JSC::DFG::clobberize):
2450         * dfg/DFGConstantFoldingPhase.cpp:
2451         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2452         * dfg/DFGGraph.h:
2453         (JSC::DFG::Graph::copyVarargChildren):
2454         * dfg/DFGInsertionSet.h:
2455         (JSC::DFG::InsertionSet::insertCheck):
2456         * dfg/DFGLICMPhase.cpp:
2457         (JSC::DFG::LICMPhase::attemptHoist):
2458         * dfg/DFGPureValue.cpp:
2459         (JSC::DFG::PureValue::dump const):
2460         * dfg/DFGPureValue.h:
2461         (JSC::DFG::PureValue::PureValue):
2462         (JSC::DFG::PureValue::op const):
2463         (JSC::DFG::PureValue::hash const):
2464         (JSC::DFG::PureValue::operator== const):
2465         (JSC::DFG::PureValue::isVarargs const):
2466         (JSC::DFG::PureValue::children const): Deleted.
2467         * dfg/DFGStrengthReductionPhase.cpp:
2468         (JSC::DFG::StrengthReductionPhase::handleNode):
2469         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
2470
2471 2018-02-16  Matt Lewis  <jlewis3@apple.com>
2472
2473         Unreviewed, rolling out r228546.
2474
2475         This caused a consistent crash on all macOS WK2 platforms.
2476
2477         Reverted changeset:
2478
2479         "Web Inspector: get rid of remaining uses of OptOutput<T>"
2480         https://bugs.webkit.org/show_bug.cgi?id=180607
2481         https://trac.webkit.org/changeset/228546
2482
2483 2018-02-16  Fujii Hironori  <Hironori.Fujii@sony.com>
2484
2485         fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
2486         https://bugs.webkit.org/show_bug.cgi?id=172952
2487
2488         Reviewed by Michael Catanzaro.
2489
2490         Null dereference of VM::topCallFrame happens in
2491         Inspector::createScriptCallStackForConsole if the ExecState has no
2492         call frames.
2493
2494         * inspector/ScriptCallStackFactory.cpp:
2495         (Inspector::createScriptCallStack): Do null check of topCallFrame.
2496         (Inspector::createScriptCallStackForConsole): Ditto.
2497
2498 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
2499
2500         Objects that contain dangerous things should be allocated far away from objects that can do OOB
2501         https://bugs.webkit.org/show_bug.cgi?id=182843
2502
2503         Reviewed by Saam Barati.
2504         
2505         To complete our object distancing plan, we need to put objects that can contain unpoisoned data
2506         far away from objects that cannot. Objects referenceable from JSValues cannot contain
2507         unpoisoned data, but auxiliary data can. This further divides auxiliary data that is meant for
2508         storing mostly JSValues from data that is meant for storing anything.
2509         
2510         This is achieved by having three SecurityKinds that are used for MarkedBlock selection and
2511         zeroing sort of the same way SecurityOriginToken already was.
2512         
2513         This change shouldn't make anything slower. If anything, it will be a small speed-up because it
2514         removes some cases of MarkedBlock zeroing since we don't need to zero blocks used for two of
2515         the SecurityKinds.
2516
2517         * Sources.txt:
2518         * bytecode/ObjectAllocationProfileInlines.h:
2519         (JSC::ObjectAllocationProfile::initializeProfile):
2520         * heap/BlockDirectory.cpp:
2521         (JSC::BlockDirectory::addBlock):
2522         * heap/BlockDirectory.h:
2523         * heap/CellAttributes.cpp:
2524         (JSC::CellAttributes::dump const):
2525         * heap/CellAttributes.h:
2526         (JSC::CellAttributes::CellAttributes):
2527         * heap/LocalAllocator.cpp:
2528         (JSC::LocalAllocator::allocateSlowCase):
2529         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
2530         * heap/MarkedBlock.cpp:
2531         (JSC::MarkedBlock::Handle::didAddToDirectory):
2532         (JSC::MarkedBlock::Handle::associateWithOrigin): Deleted.
2533         * heap/MarkedBlock.h:
2534         * heap/SecurityKind.cpp: Added.
2535         (WTF::printInternal):
2536         * heap/SecurityKind.h: Added.
2537         * runtime/JSCellInlines.h:
2538         (JSC::JSCell::subspaceFor):
2539         * runtime/JSDestructibleObjectHeapCellType.cpp:
2540         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
2541         * runtime/JSObject.h:
2542         (JSC::JSObject::subspaceFor):
2543         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
2544         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
2545         * runtime/JSStringHeapCellType.cpp:
2546         (JSC::JSStringHeapCellType::JSStringHeapCellType):
2547         * runtime/Symbol.h:
2548         (JSC::Symbol::subspaceFor):
2549         * runtime/VM.cpp:
2550         (JSC::VM::VM):
2551         * runtime/VM.h:
2552         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
2553         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2554
2555 2018-02-15  Darin Adler  <darin@apple.com>
2556
2557         Web Inspector: get rid of remaining uses of OptOutput<T>
2558         https://bugs.webkit.org/show_bug.cgi?id=180607
2559
2560         Reviewed by Brian Burg.
2561
2562         * inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
2563         is inside the Inspector namespace already. Also use auto a bit.
2564         * inspector/AsyncStackTrace.h: Ditto.
2565         * inspector/ConsoleMessage.cpp: Ditto.
2566
2567         * inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
2568         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
2569         Vector instead of a unique_ptr<Vector>.
2570         (Inspector::ContentSearchUtilities::lineEndings): Ditto.
2571         (Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
2572         (Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
2573         a Vector for a fixed size array; also got rid of reinterpret_cast.
2574         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
2575         expression here since it's the only place it was used.
2576
2577         * inspector/ContentSearchUtilities.h: Cut down on unneeded includes.
2578
2579         * inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
2580         is inside the Inspector namespace already. Also use auto a bit.
2581
2582         * inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
2583         Removed base template for BindingTraits; we only need the specializations.
2584
2585         * inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
2586         is inside the Inspector namespace already. Also use auto a bit.
2587         * inspector/ScriptCallFrame.h: Ditto.
2588         * inspector/ScriptCallStack.cpp: Ditto.
2589         * inspector/ScriptCallStack.h: Ditto.
2590         * inspector/agents/InspectorConsoleAgent.cpp: Ditto.
2591         * inspector/agents/InspectorConsoleAgent.h: Ditto.
2592
2593         * inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
2594         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& instead of
2595         OptOutput* for out arguments.
2596         * inspector/agents/InspectorDebuggerAgent.h: Ditto.
2597
2598         * inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
2599         (Inspector::InspectorHeapAgent::getPreview): Use std::optional& instead of OptOutput*
2600         for out arguments.
2601         * inspector/agents/InspectorHeapAgent.h: Ditto.
2602
2603         * inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
2604         (Inspector::InspectorRuntimeAgent::parse): Use std::optional& instead of OptOutput*
2605         for out arguments.
2606         (Inspector::InspectorRuntimeAgent::evaluate): Ditto.
2607         (Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
2608         (Inspector::InspectorRuntimeAgent::saveResult): Ditto.
2609         * inspector/agents/InspectorRuntimeAgent.h: Ditto.
2610
2611         * inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
2612         and removed some bogus const.
2613         * inspector/agents/InspectorScriptProfilerAgent.h: Ditto.
2614
2615         * inspector/scripts/codegen/cpp_generator.py:
2616         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
2617         (CppGenerator.cpp_type_for_type_with_name): Ditto.
2618         (CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
2619         Inspector::Protocol::OptOutput*.
2620         (CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
2621         (CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
2622         (CppGenerator.cpp_type_for_stack_out_parameter): Ditto.
2623
2624         * inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
2625         conditional around assertion code which will now compile to nothing if ASSERT is disabled.
2626         Build strings more simply in a few cases.
2627
2628         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2629         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
2630         Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
2631         replaces OptOutput here.
2632         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2633         Pass by reference instead of pointer now.
2634
2635         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2636         Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
2637         if ASSERT is disabled.
2638
2639         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2640         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
2641         the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
2642         (CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.
2643
2644         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2645         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
2646         more simply.
2647
2648         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2649         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2650         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2651         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2652         Rebaselined.
2653
2654 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
2655
2656         Unreviewed, roll out r228366 since it did not progress anything.
2657
2658         * heap/Heap.cpp:
2659         (JSC::Heap::finalizeUnconditionalFinalizers):
2660         * runtime/ErrorInstance.cpp:
2661         (JSC::ErrorInstance::visitChildren):
2662         (JSC::ErrorInstance::finalizeUnconditionally): Deleted.
2663         * runtime/ErrorInstance.h:
2664         (JSC::ErrorInstance::stackTrace):
2665         (JSC::ErrorInstance::subspaceFor): Deleted.
2666         * runtime/Exception.cpp:
2667         (JSC::Exception::visitChildren):
2668         (JSC::Exception::finalizeUnconditionally): Deleted.
2669         * runtime/Exception.h:
2670         * runtime/StackFrame.cpp:
2671         (JSC::StackFrame::visitChildren):
2672         (JSC::StackFrame::isFinalizationCandidate): Deleted.
2673         (JSC::StackFrame::finalizeUnconditionally): Deleted.
2674         * runtime/StackFrame.h:
2675         * runtime/VM.cpp:
2676         (JSC::VM::VM):
2677         * runtime/VM.h:
2678
2679 2018-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2680
2681         [JSC] Remove monotonicallyIncreasingTime and currentTime
2682         https://bugs.webkit.org/show_bug.cgi?id=182793
2683
2684         Reviewed by Saam Barati.
2685
2686         We would like to drop monotonicallyIncreasingTime and currentTime from our tree by
2687         replacing them with MonotonicTime and WallTime, which are well-typed alternatives,
2688         compared to double.
2689         This patch removes monotonicallyIncreasingTime and currentTime in JSC.
2690
2691         * b3/testb3.cpp:
2692         (JSC::B3::testComplex):
2693         * dfg/DFGPhase.h:
2694         (JSC::DFG::runAndLog):
2695         * dfg/DFGPlan.cpp:
2696         (JSC::DFG::Plan::compileInThread):
2697         (JSC::DFG::Plan::compileInThreadImpl):
2698         * dfg/DFGPlan.h:
2699         * dynbench.cpp:
2700         (JSC::benchmarkImpl):
2701         * heap/BlockDirectory.cpp:
2702         (JSC::BlockDirectory::isPagedOut):
2703         * heap/BlockDirectory.h:
2704         * heap/FullGCActivityCallback.cpp:
2705         (JSC::FullGCActivityCallback::doCollection):
2706         * heap/Heap.cpp:
2707         (JSC::Heap::isPagedOut):
2708         (JSC::Heap::sweepSynchronously):
2709         * heap/Heap.h:
2710         * heap/MarkedSpace.cpp:
2711         (JSC::MarkedSpace::isPagedOut):
2712         * heap/MarkedSpace.h:
2713         * inspector/agents/InspectorConsoleAgent.cpp:
2714         (Inspector::InspectorConsoleAgent::startTiming):
2715         (Inspector::InspectorConsoleAgent::stopTiming):
2716         * inspector/agents/InspectorConsoleAgent.h:
2717         * inspector/agents/InspectorRuntimeAgent.cpp:
2718         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2719         * jit/JIT.cpp:
2720         (JSC::JIT::compileWithoutLinking):
2721         (JSC::JIT::compileTimeStats):
2722         * jit/JIT.h:
2723         * jsc.cpp:
2724         (StopWatch::start):
2725         (StopWatch::stop):
2726         (StopWatch::getElapsedMS):
2727         (functionPreciseTime):
2728         (runJSC):
2729         * profiler/ProfilerDatabase.cpp:
2730         (JSC::Profiler::Database::logEvent):
2731         * profiler/ProfilerEvent.cpp:
2732         (JSC::Profiler::Event::toJS const):
2733         * profiler/ProfilerEvent.h:
2734         (JSC::Profiler::Event::Event):
2735         (JSC::Profiler::Event::time const):
2736         * runtime/CodeCache.cpp:
2737         (JSC::CodeCacheMap::pruneSlowCase):
2738         * runtime/CodeCache.h:
2739         (JSC::CodeCacheMap::CodeCacheMap):
2740         (JSC::CodeCacheMap::prune):
2741         * runtime/DateConstructor.cpp:
2742         (JSC::callDate):
2743         * runtime/TypeProfilerLog.cpp:
2744         (JSC::TypeProfilerLog::processLogEntries):
2745         * testRegExp.cpp:
2746         (StopWatch::start):
2747         (StopWatch::stop):
2748         (StopWatch::getElapsedMS):
2749
2750 2018-02-14  Keith Miller  <keith_miller@apple.com>
2751
2752         We should be able to jsDynamicCast from JSType when possible
2753         https://bugs.webkit.org/show_bug.cgi?id=182804
2754
2755         Reviewed by Filip Pizlo and Mark Lam.
2756
2757         This patch beefs up jsDynamicCast in some of the cases where we
2758         can use the JSType to quickly determine if a cell is a subclass of
2759         the desired type. Since all JSCells have a range of JSTypes they support,
2760         if there is a range exclusive to a class and all subclasses we can use
2761         that range to quickly determine if the cast should be successful.
2762
2763         Additionally, the JSValue versions of jsCast and jsDynamicCast now
2764         call the JSCell version after checking the value is a cell.
2765
2766         Finally, the casting functions have been moved to a new header,
2767         JSCast.h.
2768
2769         * JavaScriptCore.xcodeproj/project.pbxproj:
2770         * bytecode/CallVariant.h:
2771         * bytecode/CodeBlock.h:
2772         * bytecode/ExecutableToCodeBlockEdge.h:
2773         * bytecode/TrackedReferences.h:
2774         * bytecode/UnlinkedCodeBlock.h:
2775         * bytecode/UnlinkedFunctionExecutable.h:
2776         * dfg/DFGAbstractValue.h:
2777         * dfg/DFGCommonData.h:
2778         * dfg/DFGFrozenValue.h:
2779         * dfg/DFGStructureAbstractValue.h:
2780         * heap/CellContainerInlines.h:
2781         * heap/ConservativeRoots.cpp:
2782         * heap/GCLogging.cpp:
2783         * heap/HeapInlines.h:
2784         * heap/HeapSnapshotBuilder.cpp:
2785         * heap/MarkedBlock.cpp:
2786         * heap/MarkedBlockInlines.h:
2787         * heap/SubspaceInlines.h:
2788         * heap/WeakInlines.h:
2789         * jit/JITOpcodes.cpp:
2790         * jit/JITOpcodes32_64.cpp:
2791         * llint/LLIntOffsetsExtractor.cpp:
2792         * runtime/ArrayBufferNeuteringWatchpoint.h:
2793         * runtime/BigIntPrototype.cpp:
2794         * runtime/ClassInfo.h:
2795         * runtime/CustomGetterSetter.h:
2796         * runtime/FunctionRareData.h:
2797         * runtime/GetterSetter.h:
2798         * runtime/InferredType.h:
2799         * runtime/InferredTypeTable.h:
2800         * runtime/InferredValue.h:
2801         * runtime/InternalFunction.cpp:
2802         (JSC::InternalFunction::finishCreation):
2803         * runtime/JSAPIValueWrapper.h:
2804         * runtime/JSArray.h:
2805         (JSC::JSArray::finishCreation):
2806         * runtime/JSArrayBufferView.cpp:
2807         (JSC::JSArrayBufferView::finishCreation):
2808         * runtime/JSCast.h: Added.
2809         (JSC::jsCast):
2810         (JSC::JSCastingHelpers::jsDynamicCastGenericImpl):
2811         (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl):
2812         (JSC::JSCastingHelpers::JSDynamicCastTraits::cast):
2813         (JSC::jsDynamicCast):
2814         * runtime/JSCell.cpp:
2815         * runtime/JSCell.h:
2816         (JSC::jsCast): Deleted.
2817         (JSC::jsDynamicCast): Deleted.
2818         * runtime/JSCellInlines.h:
2819         * runtime/JSFunction.cpp:
2820         (JSC::JSFunction::finishCreation):
2821         * runtime/JSJob.h:
2822         * runtime/JSObject.h:
2823         (JSC::JSObject::finishCreation):
2824         * runtime/JSPromiseDeferred.h:
2825         * runtime/JSPropertyNameEnumerator.h:
2826         * runtime/NativeStdFunctionCell.h:
2827         * runtime/ScopedArgumentsTable.h:
2828         * runtime/SparseArrayValueMap.h:
2829         * runtime/Structure.h:
2830         * runtime/StructureChain.h:
2831         * runtime/StructureRareData.h:
2832         * tools/CellProfile.h:
2833         * wasm/js/JSWebAssemblyCodeBlock.h:
2834
2835 2018-02-14  Michael Saboff  <msaboff@apple.com>
2836
2837         Crash: triggerOMGTierUpThunkGenerator() doesn't align the stack pointer before calling C++ code
2838         https://bugs.webkit.org/show_bug.cgi?id=182808
2839
2840         Reviewed by Keith Miller.
2841
2842         Set up a proper frame with a prologue and epilogue to align the stack pointer for the rest of the
2843         thunk.
2844
2845         * wasm/WasmThunks.cpp:
2846         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2847
2848 2018-02-14  Saam Barati  <sbarati@apple.com>
2849
2850         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
2851         https://bugs.webkit.org/show_bug.cgi?id=182801
2852
2853         Reviewed by Keith Miller.
2854
2855         VMTraps would sometimes install traps when it paused the JS thread when it
2856         was in C code. This is wrong, as installing traps mallocs, and the JS thread
2857         may have been holding the malloc lock while in C code. This could lead to a
2858         deadlock when C code was holding the malloc lock.
2859         
2860         This patch makes it so that we only install traps when we've proven the PC
2861         is in JIT or LLInt code. If we're in JIT/LLInt code, we are guaranteed that
2862         we're not holding the malloc lock.
2863
2864         * jsc.cpp:
2865         (GlobalObject::finishCreation):
2866         (functionMallocInALoop):
2867         * runtime/VMTraps.cpp:
2868         (JSC::VMTraps::tryInstallTrapBreakpoints):
2869
2870 2018-02-14  Michael Saboff  <msaboff@apple.com>
2871
2872         REGRESSION(225695) : com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::RegExp::match + 630 :: stack overflow
2873         https://bugs.webkit.org/show_bug.cgi?id=182705
2874
2875         Reviewed by Mark Lam.
2876
2877         Moved the pattern context buffer used by YARR JIT'ed code from a stack local to a lazily allocated
2878         buffer on the VM.  Exposed when the buffer is needed to reduce likelihood that we'd allocate it.
2879         Guarded use of the buffer with a lock since the DFG compiler may call into YARR JIT'ed code on a
2880         compilation thread.
2881
2882         * runtime/RegExpInlines.h:
2883         (JSC::RegExp::matchInline):
2884         * runtime/VM.cpp:
2885         (JSC::VM::~VM):
2886         (JSC::VM::acquireRegExpPatternContexBuffer):
2887         (JSC::VM::releaseRegExpPatternContexBuffer):
2888         * runtime/VM.h:
2889         * yarr/YarrJIT.cpp:
2890         (JSC::Yarr::YarrGenerator::generate):
2891         (JSC::Yarr::YarrGenerator::backtrack):
2892         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2893         (JSC::Yarr::YarrGenerator::generateEnter):
2894         (JSC::Yarr::YarrGenerator::generateReturn):
2895         (JSC::Yarr::YarrGenerator::YarrGenerator):
2896         (JSC::Yarr::YarrGenerator::compile):
2897         * yarr/YarrJIT.h:
2898         (JSC::Yarr::YarrCodeBlock::usesPatternContextBuffer):
2899         (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer):
2900
2901 2018-02-13  Saam Barati  <sbarati@apple.com>
2902
2903         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
2904         https://bugs.webkit.org/show_bug.cgi?id=182755
2905         <rdar://problem/37080864>
2906
2907         Reviewed by Keith Miller.
2908
2909         putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted
2910         the object in question to a dictionary indexing mode when the index is less than
2911         the vector length. This makes no sense. If we're defining a getter, setter, or read
2912         only property, we must always enter the dictionary indexing mode irrespective
2913         of the index in relation to the vector length.
2914
2915         * runtime/JSObject.cpp:
2916         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2917
2918 2018-02-13  Saam Barati  <sbarati@apple.com>
2919
2920         Follow-up fix to r228411 for 32-bit builds. I missed a place where we used non vararg getter for child2().
2921
2922         * dfg/DFGSpeculativeJIT32_64.cpp:
2923         (JSC::DFG::SpeculativeJIT::compile):
2924
2925 2018-02-13  Guillaume Emont  <guijemont@igalia.com>
2926
2927         [YarrJIT][ARM] We need to save r8 as it is the initial start register
2928         https://bugs.webkit.org/show_bug.cgi?id=182157
2929
2930         Reviewed by Saam Barati.
2931
2932         Register r8 is the initial start register since r224172, so we need to
2933         save it. We still need to save r6 as well even though it is not the
2934         initial start register any more, since it is used by the
2935         MacroAssembler which we use (we get crashes in some situations if we
2936         don't save r6). This issue was discovered because
2937         stress/regress-174044.js crashes on a Raspberry Pi 2 when compiled in
2938         -O2.
2939
2940         * yarr/YarrJIT.cpp:
2941         (JSC::Yarr::YarrGenerator::generateEnter):
2942         (JSC::Yarr::YarrGenerator::generateReturn):
2943
2944 2018-02-13  Caitlin Potter  <caitp@igalia.com>
2945
2946         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
2947         https://bugs.webkit.org/show_bug.cgi?id=182717
2948
2949         Reviewed by Yusuke Suzuki.
2950
2951         https://github.com/tc39/ecma262/pull/890 imposes a change to template
2952         literals, to allow template callsite arrays to be collected when the
2953         code containing the tagged template call is collected. This spec change
2954         has received consensus and been ratified.
2955
2956         This change eliminates the eternal map associating template contents
2957         with arrays.
2958
2959         * CMakeLists.txt:
2960         * JavaScriptCore.xcodeproj/project.pbxproj:
2961         * Sources.txt:
2962         * bytecode/CodeBlock.cpp:
2963         (JSC::CodeBlock::setConstantRegisters):
2964         * bytecode/DirectEvalCodeCache.cpp:
2965         (JSC::DirectEvalCodeCache::setSlow):
2966         * bytecode/UnlinkedCodeBlock.cpp:
2967         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2968         * bytecode/UnlinkedCodeBlock.h:
2969         (JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
2970         * bytecompiler/BytecodeGenerator.cpp:
2971         (JSC::BytecodeGenerator::addTemplateObjectConstant):
2972         (JSC::BytecodeGenerator::emitGetTemplateObject):
2973         (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
2974         * bytecompiler/BytecodeGenerator.h:
2975         * parser/Parser.cpp:
2976         (JSC::Parser<LexerType>::parseInner):
2977         (JSC::Parser<LexerType>::parseMemberExpression):
2978         * parser/Parser.h:
2979         * parser/ParserModes.h:
2980         * runtime/EvalExecutable.h:
2981         (JSC::EvalExecutable::allowDirectEvalCache const):
2982         * runtime/JSGlobalObject.cpp:
2983         (JSC::JSGlobalObject::JSGlobalObject):
2984         * runtime/JSGlobalObject.h:
2985         (JSC::JSGlobalObject::templateRegistry): Deleted.
2986         * runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
2987         (JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
2988         (JSC::JSTemplateObjectDescriptor::create):
2989         (JSC::JSTemplateObjectDescriptor::destroy):
2990         (JSC::JSTemplateObjectDescriptor::createTemplateObject):
2991         * runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
2992         (JSC::isTemplateObjectDescriptor):
2993         * runtime/JSTemplateRegistryKey.cpp: Removed.
2994         * runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
2995         (JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
2996         * runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
2997         (JSC::TemplateObjectDescriptor::operator== const):
2998         (JSC::TemplateObjectDescriptor::operator!= const):
2999         (JSC::TemplateObjectDescriptor::Hasher::hash):
3000         (JSC::TemplateObjectDescriptor::Hasher::equal):
3001         (JSC::TemplateObjectDescriptor::create):
3002         (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
3003         (JSC::TemplateObjectDescriptor::calculateHash):
3004         * runtime/TemplateRegistry.h: Removed.
3005         * runtime/TemplateRegistryKeyTable.cpp: Removed.
3006         * runtime/TemplateRegistryKeyTable.h: Removed.
3007         * runtime/VM.cpp:
3008         (JSC::VM::VM):
3009         * runtime/VM.h:
3010         (JSC::VM::templateRegistryKeyTable): Deleted.
3011         * runtime/VMEntryScope.cpp:
3116
3117 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3118
3119         Support GetArrayLength on ArrayStorage in the FTL
3120         https://bugs.webkit.org/show_bug.cgi?id=182625
3121
3122         Reviewed by Saam Barati.
3123
3124         This patch adds GetArrayLength and CheckArray + ArrayStorage & SlowPutArrayStorage support for FTL.
3125         The implementation is trivial; just porting one in DFG to FTL.
3126
3127         This fixes several FTL compilation failures in web-tooling-benchmarks while we still need to support
3128         ArrayPush, ArrayPop, Arrayify, and PutByVal.
3129
3130         * dfg/DFGSpeculativeJIT.cpp:
3131         (JSC::DFG::SpeculativeJIT::checkArray):
3132         * ftl/FTLCapabilities.cpp:
3133         (JSC::FTL::canCompile):
3134         * ftl/FTLLowerDFGToB3.cpp:
3135         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
3136         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
3137         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray):
3138
3139 2018-02-10  Filip Pizlo  <fpizlo@apple.com>
3140
3141         Lock down JSFunction
3142         https://bugs.webkit.org/show_bug.cgi?id=182652
3143
3144         Reviewed by Saam Barati.
3145         
3146         This poisons pointers in JSFunction and puts all of the types in the JSFunction hierarchy in
3147         isospaces.
3148         
3149         This is so neutral on JetStream: 0.01% slower with p = 0.969211.
3150
3151         * dfg/DFGSpeculativeJIT.cpp:
3152         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3153         (JSC::DFG::SpeculativeJIT::compileNewFunction):
3154         (JSC::DFG::SpeculativeJIT::compileCreateThis):
3155         * dfg/DFGSpeculativeJIT.h:
3156         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
3157         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
3158         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
3159         * dfg/DFGSpeculativeJIT64.cpp:
3160         (JSC::DFG::SpeculativeJIT::compile):
3161         * ftl/FTLLowerDFGToB3.cpp:
3162         (JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
3163         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3164         (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
3165         (JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer):
3166         * ftl/FTLOutput.h:
3167         (JSC::FTL::Output::weakPointer):
3168         (JSC::FTL::Output::weakPoisonedPointer):
3169         * heap/MarkedSpace.cpp:
3170         * jit/JITOpcodes.cpp:
3171         (JSC::JIT::emit_op_create_this):
3172         * jit/ThunkGenerators.cpp:
3173         (JSC::virtualThunkFor):
3174         (JSC::nativeForGenerator):
3175         (JSC::boundThisNoArgsFunctionCallGenerator):
3176         * llint/LowLevelInterpreter.asm:
3177         * llint/LowLevelInterpreter64.asm:
3178         * runtime/JSAsyncFunction.h:
3179         (JSC::JSAsyncFunction::subspaceFor):
3180         * runtime/JSAsyncGeneratorFunction.h:
3181         (JSC::JSAsyncGeneratorFunction::subspaceFor):
3182         * runtime/JSBoundFunction.h:
3183         (JSC::JSBoundFunction::subspaceFor):
3184         * runtime/JSCPoison.h:
3185         * runtime/JSCustomGetterSetterFunction.h:
3186         (JSC::JSCustomGetterSetterFunction::subspaceFor):
3187         * runtime/JSFunction.h:
3188         (JSC::JSFunction::subspaceFor):
3189         * runtime/JSGeneratorFunction.h:
3190         (JSC::JSGeneratorFunction::subspaceFor):
3191         * runtime/JSNativeStdFunction.h:
3192         (JSC::JSNativeStdFunction::subspaceFor):
3193         * runtime/VM.cpp:
3194         (JSC::VM::VM):
3195         * runtime/VM.h:
3196         * wasm/js/WebAssemblyFunction.h:
3197         * wasm/js/WebAssemblyWrapperFunction.h:
3198
3199 2018-02-12  Saam Barati  <sbarati@apple.com>
3200
3201         Add a GetIndexMask node and make it an input to GetByVal for array and typed array accesses in DFG SSA
3202         https://bugs.webkit.org/show_bug.cgi?id=182633
3203         <rdar://problem/37441037>
3204
3205         Reviewed by Keith Miller.
3206
3207         This patch introduces a GetIndexMask node to DFG SSA. This is an input to
3208         GetByVal for the GetByVal variants that do conservative index masking.
3209         The reason I'm adding this node is I realized there were loads of
3210         the butterfly index mask inside loops that B3 couldn't reason about
3211         because B3 can't arbitrarily hoist loads out of loops if those loops
3212         have side exits (because the side exit might be protecting the safety of the
3213         load). However, for these loops I analyzed, the DFG would be able to hoist
3214         these loads out of loops because it knows about JS semantics to correctly
3215         reason about the safety of hoisting the load.
3216         
3217         This is a 1% speedup on JetStream on Mac and iOS in my testing.
3218         
3219         This patch also adds some infrastructure for eliminating and doing CSE on
3220         varargs nodes. Because this patch makes GetByVal a varargs node, I ran into
3221         issues we never had before. We never had a varargs node that could be CSEd or be
3222         hoisted out of a loop until I made GetByVal varargs. To make it all work,
3223         I added a CheckVarargs node. This is just like Check, but it's varargs.
3224
3225         * dfg/DFGAbstractInterpreterInlines.h:
3226         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3227         * dfg/DFGAdjacencyList.h:
3228         (JSC::DFG::AdjacencyList::AdjacencyList):
3229         * dfg/DFGArgumentsEliminationPhase.cpp:
3230         * dfg/DFGBackwardsPropagationPhase.cpp:
3231         (JSC::DFG::BackwardsPropagationPhase::propagate):
3232         * dfg/DFGBasicBlock.cpp:
3233         (JSC::DFG::BasicBlock::replaceTerminal):
3234         * dfg/DFGBasicBlock.h:
3235         (JSC::DFG::BasicBlock::findTerminal const):
3236         * dfg/DFGBasicBlockInlines.h:
3237         (JSC::DFG::BasicBlock::replaceTerminal):
3238         * dfg/DFGByteCodeParser.cpp:
3239         (JSC::DFG::ByteCodeParser::parseBlock):
3240         * dfg/DFGCFGSimplificationPhase.cpp:
3241         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
3242         * dfg/DFGCPSRethreadingPhase.cpp:
3243         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
3244         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
3245         * dfg/DFGCSEPhase.cpp:
3246         * dfg/DFGCleanUpPhase.cpp:
3247         (JSC::DFG::CleanUpPhase::run):
3248         * dfg/DFGClobberize.h:
3249         (JSC::DFG::clobberize):
3250         * dfg/DFGConstantFoldingPhase.cpp:
3251         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3252         (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
3253         * dfg/DFGDCEPhase.cpp:
3254         (JSC::DFG::DCEPhase::run):
3255         (JSC::DFG::DCEPhase::fixupBlock):
3256         * dfg/DFGDoesGC.cpp:
3257         (JSC::DFG::doesGC):
3258         * dfg/DFGFixupPhase.cpp:
3259         (JSC::DFG::FixupPhase::fixupNode):
3260         (JSC::DFG::FixupPhase::fixupChecksInBlock):
3261         * dfg/DFGHeapLocation.cpp:
3262         (WTF::printInternal):
3263         * dfg/DFGHeapLocation.h:
3264         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3265         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
3266         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
3267         * dfg/DFGLICMPhase.cpp:
3268         (JSC::DFG::LICMPhase::attemptHoist):
3269         * dfg/DFGMayExit.cpp:
3270         * dfg/DFGNode.cpp:
3271         (JSC::DFG::Node::remove):
3272         (JSC::DFG::Node::convertToIdentityOn):
3273         * dfg/DFGNode.h:
3274         (JSC::DFG::Node::replaceWith):
3275         * dfg/DFGNodeType.h:
3276         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3277         * dfg/DFGPredictionPropagationPhase.cpp:
3278         * dfg/DFGPureValue.cpp:
3279         (JSC::DFG::PureValue::dump const):
3280         * dfg/DFGPureValue.h:
3281         (JSC::DFG::PureValue::PureValue):
3282         * dfg/DFGPutStackSinkingPhase.cpp:
3283         * dfg/DFGSSAConversionPhase.cpp:
3284         (JSC::DFG::SSAConversionPhase::run):
3285         * dfg/DFGSSALoweringPhase.cpp:
3286         (JSC::DFG::SSALoweringPhase::handleNode):
3287         * dfg/DFGSafeToExecute.h:
3288         (JSC::DFG::safeToExecute):
3289         * dfg/DFGSpeculativeJIT.cpp:
3290         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3291         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3292         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3293         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3294         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
3295         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
3296         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3297         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3298         * dfg/DFGSpeculativeJIT.h:
3299         * dfg/DFGSpeculativeJIT32_64.cpp:
3300         (JSC::DFG::SpeculativeJIT::compile):
3301         * dfg/DFGSpeculativeJIT64.cpp:
3302         (JSC::DFG::SpeculativeJIT::compile):
3303         * dfg/DFGStoreBarrierClusteringPhase.cpp:
3304         * dfg/DFGValidate.cpp:
3305         * dfg/DFGVarargsForwardingPhase.cpp:
3306         * ftl/FTLCapabilities.cpp:
3307         (JSC::FTL::canCompile):
3308         * ftl/FTLLowerDFGToB3.cpp:
3309         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3310         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask):
3311         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3312         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
3313         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
3314         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
3315
3316 2018-02-12  Mark Lam  <mark.lam@apple.com>
3317
3318         Miscellaneous refactoring of offlineasm.
3319         https://bugs.webkit.org/show_bug.cgi?id=182702
3320         <rdar://problem/37467887>
3321
3322         Reviewed by Filip Pizlo.
3323
3324         1. Refactor out the emission of $asm.comment, $asm.codeOrigin, $asm.annotation,
3325            and $asm.debugAnnotation into a recordMetaData method.  This standardizes how
3326            we emit this metadata and makes all backends do it the same way.
3327
3328         2. Add the ability to include custom offlineasm scripts from WebKitAdditions in
3329            the future.
3330
3331         * offlineasm/arm.rb:
3332         * offlineasm/arm64.rb:
3333         * offlineasm/ast.rb:
3334         * offlineasm/backends.rb:
3335         * offlineasm/cloop.rb:
3336         * offlineasm/config.rb:
3337         * offlineasm/mips.rb:
3338         * offlineasm/risc.rb:
3339         * offlineasm/x86.rb:
3340
3341 2018-02-12  Saam Barati  <sbarati@apple.com>
3342
3343         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
3344         https://bugs.webkit.org/show_bug.cgi?id=182706
3345         <rdar://problem/36833681>
3346
3347         Reviewed by Filip Pizlo.
3348
3349         When we added support for PhantomNewArrayBuffer, we forgot to update
3350         the emitCodeToGetArgumentsArrayLength function to handle PhantomNewArrayBuffer.
3351         This patch adds that support. It's trivial to generate the length for
3352         a PhantomNewArrayBuffer node since it's a constant buffer, with a constant
3353         length.
3354
3355         * dfg/DFGArgumentsUtilities.cpp:
3356         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3357
3358 2018-02-12  Mark Lam  <mark.lam@apple.com>
3359
3360         Add more support for pointer preparations.
3361         https://bugs.webkit.org/show_bug.cgi?id=182703
3362         <rdar://problem/37469451>
3363
3364         Reviewed by Saam Barati.
3365
3366         * llint/LLIntData.h:
3367         (JSC::LLInt::getCodePtr):
3368         * llint/LLIntPCRanges.h:
3369         (JSC::LLInt::isLLIntPC):
3370         * runtime/Options.cpp:
3371         (JSC::recomputeDependentOptions):
3372
3373 2018-02-12  Mark Lam  <mark.lam@apple.com>
3374
3375         Fix missing exception check in RegExpObject::matchGlobal().
3376         https://bugs.webkit.org/show_bug.cgi?id=182701
3377         <rdar://problem/37465865>
3378
3379         Reviewed by Michael Saboff.
3380
3381         This issue was discovered when running JSC tests on an asm LLInt build with
3382         JSC_useJIT=false.
3383
3384         * runtime/RegExpObject.cpp:
3385         (JSC::RegExpObject::matchGlobal):
3386
3387 2018-02-11  Guillaume Emont  <guijemont@igalia.com>
3388
3389         [MIPS] JSC needs to be built with -latomic
3390         https://bugs.webkit.org/show_bug.cgi?id=182610
3391
3392         Reviewed by Žan Doberšek.
3393
3394         Since r228149, on MIPS we need to link with -latomic, because
3395         __atomic_fetch_add_8 is not available as a compiler intrinsic.
3396
3397         * CMakeLists.txt:
3398
3399 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
3400
3401         Don't waste memory for error.stack
3402         https://bugs.webkit.org/show_bug.cgi?id=182656
3403
3404         Reviewed by Saam Barati.
3405         
3406         This makes the StackFrames in ErrorInstance and Exception weak. We simply forget their
3407         contents if we GC.
3408         
3409         This isn't going to happen under normal operation since your callees and code blocks will
3410         still be alive when you ask for .stack.
3411         
3412         Bug 182650 tracks improving this so that it's not lossy. For now, I think it's worth it,
3413         since it is likely to recover 3-5 MB on membuster.
3414
3415         * heap/Heap.cpp:
3416         (JSC::Heap::finalizeUnconditionalFinalizers):
3417         * runtime/ErrorInstance.cpp:
3418         (JSC::ErrorInstance::visitChildren):
3419         (JSC::ErrorInstance::finalizeUnconditionally):
3420         * runtime/ErrorInstance.h:
3421         (JSC::ErrorInstance::subspaceFor):
3422         * runtime/Exception.cpp:
3423         (JSC::Exception::visitChildren):
3424         (JSC::Exception::finalizeUnconditionally):
3425         * runtime/Exception.h:
3426         (JSC::Exception::valueOffset): Deleted.
3427         (JSC::Exception::value const): Deleted.
3428         (JSC::Exception::stack const): Deleted.
3429         (JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
3430         (JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
3431         * runtime/StackFrame.cpp:
3432         (JSC::StackFrame::isFinalizationCandidate):
3433         (JSC::StackFrame::finalizeUnconditionally):
3434         (JSC::StackFrame::visitChildren): Deleted.
3435         * runtime/StackFrame.h:
3436         * runtime/VM.cpp:
3437         (JSC::VM::VM):
3438         * runtime/VM.h:
3439
3440 2018-02-09  Carlos Alberto Lopez Perez  <clopez@igalia.com>
3441
3442         Fix build on ARMv7 traditional JSCOnly bot after r228306
3443         https://bugs.webkit.org/show_bug.cgi?id=182563
3444
3445         Unreviewed build fix.
3446
3447         * assembler/AssemblerBuffer.h:
3448
3449 2018-02-08  Filip Pizlo  <fpizlo@apple.com>
3450
3451         Experiment with alternative implementation of memcpy/memset
3452         https://bugs.webkit.org/show_bug.cgi?id=182563
3453
3454         Reviewed by Michael Saboff and Mark Lam.
3455         
3456         This adopts new fastCopy/fastZeroFill calls for calls to memcpy/memset that do not take a
3457         constant size argument.
3458
3459         * assembler/AssemblerBuffer.h:
3460         (JSC::AssemblerBuffer::append):
3461         * runtime/ArrayBuffer.cpp:
3462         (JSC::ArrayBufferContents::tryAllocate):
3463         (JSC::ArrayBufferContents::copyTo):
3464         (JSC::ArrayBuffer::createInternal):
3465         * runtime/ArrayBufferView.h:
3466         (JSC::ArrayBufferView::zeroRangeImpl):
3467         * runtime/ArrayConventions.cpp:
3468         * runtime/ArrayConventions.h:
3469         (JSC::clearArray):
3470         * runtime/ArrayPrototype.cpp:
3471         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3472         * runtime/ButterflyInlines.h:
3473         (JSC::Butterfly::tryCreate):
3474         (JSC::Butterfly::createOrGrowPropertyStorage):
3475         (JSC::Butterfly::growArrayRight):
3476         (JSC::Butterfly::resizeArray):
3477         * runtime/GenericTypedArrayViewInlines.h:
3478         (JSC::GenericTypedArrayView<Adaptor>::create):
3479         * runtime/JSArray.cpp:
3480         (JSC::JSArray::appendMemcpy):
3481         (JSC::JSArray::fastSlice):
3482         * runtime/JSArrayBufferView.cpp:
3483         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3484         * runtime/JSGenericTypedArrayViewInlines.h:
3485         (JSC::JSGenericTypedArrayView<Adaptor>::set):
3486         * runtime/JSObject.cpp:
3487         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
3488         (JSC::JSObject::shiftButterflyAfterFlattening):
3489         * runtime/PropertyTable.cpp:
3490         (JSC::PropertyTable::PropertyTable):
3491
3492 2018-02-08  Don Olmstead  <don.olmstead@sony.com>
3493
3494         Remove JavaScriptCore/ForwardingHeaders directory
3495         https://bugs.webkit.org/show_bug.cgi?id=182594
3496
3497         Reviewed by Mark Lam.
3498
3499         * CMakeLists.txt:
3500         * ForwardingHeaders/JavaScriptCore/APICast.h: Removed.
3501         * ForwardingHeaders/JavaScriptCore/JSBase.h: Removed.
3502         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Removed.
3503         * ForwardingHeaders/JavaScriptCore/JSContextRef.h: Removed.
3504         * ForwardingHeaders/JavaScriptCore/JSObjectRef.h: Removed.
3505         * ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Removed.
3506         * ForwardingHeaders/JavaScriptCore/JSRetainPtr.h: Removed.
3507         * ForwardingHeaders/JavaScriptCore/JSStringRef.h: Removed.
3508         * ForwardingHeaders/JavaScriptCore/JSStringRefCF.h: Removed.
3509         * ForwardingHeaders/JavaScriptCore/JSTypedArray.h: Removed.
3510         * ForwardingHeaders/JavaScriptCore/JSValueRef.h: Removed.
3511         * ForwardingHeaders/JavaScriptCore/JavaScript.h: Removed.
3512         * ForwardingHeaders/JavaScriptCore/JavaScriptCore.h: Removed.
3513         * ForwardingHeaders/JavaScriptCore/OpaqueJSString.h: Removed.
3514         * ForwardingHeaders/JavaScriptCore/WebKitAvailability.h: Removed.
3515
3516 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3517
3518         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
3519         https://bugs.webkit.org/show_bug.cgi?id=182440
3520
3521         Reviewed by Darin Adler.
3522
3523         This patch implements Array.prototype.flatMap and Array.prototype.flatten
3524         since they are now stage 3 [1].
3525
3526         [1]: https://tc39.github.io/proposal-flatMap/#sec-FlattenIntoArray
3527
3528         * builtins/ArrayPrototype.js:
3529         (filter):
3530         (map):
3531         (globalPrivate.concatSlowPath):
3532         (globalPrivate.arraySpeciesCreate):
3533         (globalPrivate.flattenIntoArray):
3534         (flatten):
3535         (globalPrivate.flattenIntoArrayWithCallback):
3536         We separate flattenIntoArray from flattenIntoArrayWithCallback due to performance reasons.
3537         We carefully keep both functions small to encourage inlining.
3538
3539         (flatMap):
3540         * runtime/ArrayPrototype.cpp:
3541         (JSC::ArrayPrototype::finishCreation):
3542
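        As an added illustration of the algorithm this entry refers to (not the JavaScriptCore
        builtin in builtins/ArrayPrototype.js, and not the author's code), the following plain
        JavaScript models the proposal's FlattenIntoArray abstract operation and builds flatten
        and flatMap on top of it. The function names flattenIntoArray, flatten and flatMap and
        the free-function signatures (array passed explicitly instead of `this`) are assumptions
        of this example; the proposal later renamed flatten to flat.

```javascript
// Added example: a plain-JS model of the TC39 FlattenIntoArray operation that
// Array.prototype.flatten / flatMap are specified in terms of. It is not the
// JavaScriptCore builtin; names and signatures here are this example's own.

// Mirrors ToInteger: NaN -> 0, otherwise truncate towards zero (Infinity stays Infinity).
function toInteger(value) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  return Math.trunc(n);
}

// FlattenIntoArray(target, source, sourceLen, start, depth[, mapper, thisArg]).
// Copies elements of `source` into `target` starting at index `start`,
// descending into nested arrays while `depth` > 0. Holes are skipped
// (the spec's HasProperty check), so sparse sources compact.
// Returns the next free target index.
function flattenIntoArray(target, source, sourceLen, start, depth, mapper, thisArg) {
  let targetIndex = start;
  for (let sourceIndex = 0; sourceIndex < sourceLen; sourceIndex++) {
    if (!(sourceIndex in source)) continue; // hole: skip
    let element = source[sourceIndex];
    if (mapper !== undefined)
      element = mapper.call(thisArg, element, sourceIndex, source);
    if (depth > 0 && Array.isArray(element)) {
      // The recursive call never carries the mapper: it applies at the top level only.
      targetIndex = flattenIntoArray(target, element, element.length, targetIndex, depth - 1);
    } else {
      target[targetIndex] = element;
      targetIndex++;
    }
  }
  return targetIndex;
}

// Array.prototype.flatten(depth = 1): depth undefined means 1; negative or NaN means no descent.
function flatten(array, depth) {
  const depthNum = depth === undefined ? 1 : toInteger(depth);
  const result = [];
  flattenIntoArray(result, array, array.length, 0, depthNum);
  return result;
}

// Array.prototype.flatMap(mapper, thisArg): map, then flatten exactly one level.
function flatMap(array, mapper, thisArg) {
  if (typeof mapper !== 'function')
    throw new TypeError('flatMap requires a callable mapper');
  const result = [];
  flattenIntoArray(result, array, array.length, 0, 1, mapper, thisArg);
  return result;
}

// Constructed sample inputs.
const nested = [1, [2, [3, [4]]]];
console.log(JSON.stringify(flatten(nested)));           // [1,2,[3,[4]]]
console.log(JSON.stringify(flatten(nested, Infinity))); // [1,2,3,4]
console.log(JSON.stringify(flatMap([1, 2, 3], x => [x, x * 10]))); // [1,10,2,20,3,30]
```

        The split the entry describes (flattenIntoArray versus flattenIntoArrayWithCallback) is
        an engine-side optimisation: with the mapper only ever applied at depth 0 of the
        recursion, the no-callback path can be kept small enough to inline, which the single
        function above does not attempt.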
3543 2018-01-13  Darin Adler  <darin@apple.com>
3544
3545         Event improvements
3546         https://bugs.webkit.org/show_bug.cgi?id=179591
3547
3548         Reviewed by Chris Dumez.
3549
3550         Remove all uses of ScriptValue other than in the implementation of ScriptObject.
3551
3552         * bindings/ScriptFunctionCall.cpp: Removed include of ScriptValue.h.
3553
3554         * bindings/ScriptObject.cpp: Removed unused overload of ScriptObject constructor.
3555         * bindings/ScriptObject.h: Ditto.
3556
3557         * bindings/ScriptValue.cpp:
3558         (Deprecated::ScriptValue::~ScriptValue): Deleted.
3559         (Deprecated::ScriptValue::getString const): Deleted.
3560         (Deprecated::ScriptValue::toString const): Deleted.
3561         (Deprecated::ScriptValue::isEqual const): Deleted.
3562         (Deprecated::ScriptValue::isNull const): Deleted.
3563         (Deprecated::ScriptValue::isUndefined const): Deleted.
3564         (Deprecated::ScriptValue::isObject const): Deleted.
3565         (Deprecated::ScriptValue::isFunction const): Deleted.
3566         (Deprecated::ScriptValue::toInspectorValue const): Deleted.
3567         * bindings/ScriptValue.h: Removed many unused functions. Made the rest
3568         protected since this is now used only in ScriptObject.
3569
3570         * inspector/ConsoleMessage.cpp:
3571         (Inspector::ConsoleMessage::addToFrontend): Stop using ScriptValue.
3572         (Inspector::ConsoleMessage::isEqual const): Updated for change to ScriptArguments::isEqual.
3573
3574         * inspector/ScriptArguments.cpp:
3575         (Inspector::ScriptArguments::create): Take a Vector of JSC::Strong, not ScriptValue,
3576         use rvalue reference with move instead of lvalue reference with swap, and take execution
3577         state by reference instead of pointer.
3578         (Inspector::ScriptArguments::createEmpty): Deleted. Can now use create instead.
3579         (Inspector::ScriptArguments::ScriptArguments): Ditto.
3580         (Inspector::ScriptArguments::~ScriptArguments): Deleted.
3581         (Inspector::ScriptArguments::argumentAt const): Updated to use JSC::Strong.
3582         (Inspector::ScriptArguments::getFirstArgumentAsString): Ditto.
3583         (Inspector::ScriptArguments::isEqual const): Ditto. Also changed to use JS internals
3584         instead of calling through the C API.
3585         * inspector/ScriptArguments.h: Updated for the above.
3586
3587         * inspector/ScriptCallStackFactory.cpp:
3588         (Inspector::createScriptArguments): Updated for changes to ScriptArguments.
3589
3590         * inspector/ScriptDebugServer.cpp: Removed include of ScriptValue.h.
3591         * inspector/agents/InspectorAgent.cpp: Ditto.
3592         * inspector/agents/InspectorDebuggerAgent.cpp: Ditto.
3593         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use JSC::Strong instead
3594         of ScriptValue.
3595         (Inspector::InspectorDebuggerAgent::currentCallFrames): Ditto.
3596         * inspector/agents/InspectorDebuggerAgent.h: Ditto.
3597         * runtime/ConsoleClient.cpp:
3598         (JSC::ConsoleClient::printConsoleMessageWithArguments): Ditto.
3599         (JSC::ConsoleClient::clear): Use ScriptArguments::create and pass an empty vector
3600         instead of calling a separate createEmpty function.
3601
3602         * runtime/VM.cpp:
3603         (JSC::VM::createLeaked): Deleted.
3604         * runtime/VM.h: Deleted createLeaked.
3605
3606 2018-02-06  Brian Burg  <bburg@apple.com>
3607
3608         Web Inspector: protocol generator should automatically deduce the correct include style to use
3609         https://bugs.webkit.org/show_bug.cgi?id=182505
3610
3611         Reviewed by Timothy Hatcher.
3612
3613         Currently the generated imports use a mix of system header imports (powered by forwarding headers)
3614         and framework-style includes. Since forwarding headers are going away, this patch stops
3615         using system header includes for headers that are JavaScriptCore private headers. Instead,
3616         use either a relative include or a framework include.
3617
3618         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
3619         (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
3620         (CppAlternateBackendDispatcherHeaderGenerator):
3621         (CppAlternateBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
3622         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3623         (CppBackendDispatcherHeaderGenerator.generate_output):
3624         (CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
3625         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3626         (CppBackendDispatcherImplementationGenerator.generate_output):
3627         (CppBackendDispatcherImplementationGenerator._generate_secondary_header_includes):
3628         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3629         (CppFrontendDispatcherHeaderGenerator.generate_output):
3630         (CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes):
3631         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3632         (CppFrontendDispatcherImplementationGenerator.generate_output):
3633         (CppFrontendDispatcherImplementationGenerator._generate_secondary_header_includes):
3634         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3635         (CppProtocolTypesHeaderGenerator.generate_output):
3636         (CppProtocolTypesHeaderGenerator._generate_secondary_header_includes):
3637         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3638         (CppProtocolTypesImplementationGenerator.generate_output):
3639         (CppProtocolTypesImplementationGenerator._generate_secondary_header_includes):
3640         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
3641         (ObjCBackendDispatcherHeaderGenerator):
3642         Convert existing header lists to the new entries format, which includes the
3643         allowable target frameworks and the relative path to the header.
3644
3645         * inspector/scripts/codegen/generator.py:
3646         (Generator.generate_includes_from_entries):
3647         Copied from the same in the builtins code generator. It still works great.
3648
3649         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3650         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3651         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3652         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3653         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3654         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3655         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3656         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3657         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3658         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3659         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3660         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3661         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3662         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3663         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3664         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3665         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3666         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3667         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3668         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3669         Rebaseline.
3670
3671 2018-02-06  Keith Miller  <keith_miller@apple.com>
3672
3673         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
3674         https://bugs.webkit.org/show_bug.cgi?id=182549
3675         <rdar://problem/36189995>
3676
3677         Reviewed by Saam Barati.
3678
3679         Previously, the llint/baseline caching for put_to_scope and
3680         get_from_scope would cache lexical environments when the
3681         varInjectionWatchpoint had been fired for global properties. Code
3682         in the DFG does not follow this same assumption so we could
3683         potentially return the wrong result. Additionally, the baseline
3684         would write barrier the global object rather than the lexical
3685         environment object. This patch makes it so that we do not cache
3686         anything other than the global object for when the resolve type is
3687         GlobalPropertyWithVarInjectionChecks or GlobalProperty.
3688
3689         * assembler/MacroAssembler.cpp:
3690         (JSC::MacroAssembler::jitAssert):
3691         * assembler/MacroAssembler.h:
3692         * jit/JITPropertyAccess.cpp:
3693         (JSC::JIT::emit_op_get_from_scope):
3694         (JSC::JIT::emit_op_put_to_scope):
3695         * runtime/CommonSlowPaths.h:
3696         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
3697         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
3698         * runtime/Options.h:
3699
3700 2018-01-28  Filip Pizlo  <fpizlo@apple.com>
3701
3702         Global objects should be able to use TLCs to allocate from different blocks from each other
3703         https://bugs.webkit.org/show_bug.cgi?id=182227
3704
3705         Reviewed by JF Bastien.
3706         
3707         This uses TLCs to create at least `minimumDistanceBetweenCellsFromDifferenOrigins` bytes of
3708         distance between objects from different origins, using the following combination of things. For
3709         short, let's refer to that constant as K.
3710         
3711         - Since r227721, LargeAllocation puts K bytes padding at the end of each allocation.
3712         
3713         - Since r227718, MarkedBlock puts at least K bytes in its footer.
3714         
3715         - Since r227617, global objects can have their own TLCs, which make them allocate from a
3716           different set of blocks than other global objects. The TLC of a global object comes into
3717           effect when you enter the VM via that global object.
3718         
3719         - With this change, TLCs and blocks both have security origins. A TLC will only use blocks that
3720           share the same security origin or empty blocks (in which case we zero the block and change
3721           its security origin).
3722         
3723         WebCore determines the TLC-GlobalObject mapping. By default, global objects would simply use
3724         the VM's default TLC. WebCore makes it so that DOM windows (but not worker global objects) get
3725         a TLC based on their document's SecurityOrigin.
3726         
3727         * JavaScriptCore.xcodeproj/project.pbxproj:
3728         * Sources.txt:
3729         * heap/BlockDirectory.cpp:
3730         (JSC::BlockDirectory::findBlockForAllocation):
3731         (JSC::BlockDirectory::prepareForAllocation):
3732         * heap/BlockDirectory.h:
3733         * heap/LocalAllocator.cpp:
3734         (JSC::LocalAllocator::LocalAllocator):
3735         (JSC::LocalAllocator::reset):
3736         (JSC::LocalAllocator::~LocalAllocator):
3737         (JSC::LocalAllocator::allocateSlowCase):
3738         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
3739         * heap/LocalAllocator.h:
3740         (JSC::LocalAllocator::tlc const):
3741         * heap/MarkStackMergingConstraint.cpp:
3742         * heap/MarkStackMergingConstraint.h:
3743         * heap/MarkedBlock.cpp:
3744         (JSC::MarkedBlock::Handle::associateWithOrigin):
3745         * heap/MarkedBlock.h:
3746         (JSC::MarkedBlock::Handle::securityOriginToken const):
3747         * heap/SecurityOriginToken.cpp: Added.
3748         (JSC::uniqueSecurityOriginToken):
3749         * heap/SecurityOriginToken.h: Added.
3750         * heap/ThreadLocalCache.cpp:
3751         (JSC::ThreadLocalCache::create):
3752         (JSC::ThreadLocalCache::ThreadLocalCache):
3753         (JSC::ThreadLocalCache::allocateData):
3754         (JSC::ThreadLocalCache::installSlow):
3755         * heap/ThreadLocalCache.h:
3756         (JSC::ThreadLocalCache::securityOriginToken const):
3757         * heap/ThreadLocalCacheInlines.h:
3758         (JSC::ThreadLocalCache::install):
3759         * runtime/JSGlobalObject.cpp:
3760         (JSC::JSGlobalObject::JSGlobalObject):
3761         (JSC::JSGlobalObject::createThreadLocalCache):
3762         * runtime/JSGlobalObject.h:
3763         (JSC::JSGlobalObject::threadLocalCache):
3764         (JSC::JSGlobalObject::threadLocalCache const): Deleted.
3765         * runtime/VMEntryScope.cpp:
3766         (JSC::VMEntryScope::VMEntryScope):
3767         (JSC::VMEntryScope::~VMEntryScope):
3768         * runtime/VMEntryScope.h:
3769
3770 2018-02-05  Don Olmstead  <don.olmstead@sony.com>
3771
3772         JavaScriptCore files should not be included relatively
3773         https://bugs.webkit.org/show_bug.cgi?id=182452
3774
3775         Reviewed by Keith Miller.
3776
3777         * API/JSCallbackConstructor.h:
3778         * CMakeLists.txt:
3779         * disassembler/ARM64Disassembler.cpp:
3780         * disassembler/ARMv7Disassembler.cpp:
3781         * heap/LockDuringMarking.h:
3782         * inspector/InjectedScriptBase.h:
3783         * inspector/InjectedScriptHost.h:
3784         * inspector/JavaScriptCallFrame.h:
3785         * inspector/ScriptArguments.h:
3786         * inspector/ScriptDebugListener.h:
3787         * inspector/ScriptDebugServer.h:
3788         * inspector/agents/InspectorAgent.h:
3789         * inspector/agents/InspectorConsoleAgent.h:
3790         * inspector/agents/InspectorDebuggerAgent.h:
3791         * inspector/agents/InspectorHeapAgent.h:
3792         * inspector/agents/InspectorRuntimeAgent.h:
3793         * inspector/agents/InspectorScriptProfilerAgent.h:
3794         * runtime/RegExp.h:
3795
3796 2018-02-05  Commit Queue  <commit-queue@webkit.org>
3797
3798         Unreviewed, rolling out r228012.
3799         https://bugs.webkit.org/show_bug.cgi?id=182493
3800
3801         "It regressed ARES-6 by 2-4%" (Requested by saamyjoon on
3802         #webkit).
3803
3804         Reverted changeset:
3805
3806         "[JSC] Clean up ArraySpeciesCreate"
3807         https://bugs.webkit.org/show_bug.cgi?id=182434
3808         https://trac.webkit.org/changeset/228012
3809
3810 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
3811
3812         Rebaseline bindings generator tests after r228032.
3813         https://bugs.webkit.org/show_bug.cgi?id=182445
3814
3815         Unreviewed test gardening.
3816
3817         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
3818
3819 2018-02-02  Saam Barati  <sbarati@apple.com>
3820
3821         Make various DFG_ASSERTs provide more data to WTFCrashWithInfo
3822         https://bugs.webkit.org/show_bug.cgi?id=182453
3823         <rdar://problem/37174236>
3824
3825         Reviewed by JF Bastien and Mark Lam.
3826
3827         * dfg/DFGAbstractInterpreterInlines.h:
3828         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3829         * dfg/DFGArgumentsEliminationPhase.cpp:
3830         * dfg/DFGArgumentsUtilities.cpp:
3831         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3832         * dfg/DFGFixupPhase.cpp:
3833         (JSC::DFG::FixupPhase::fixupChecksInBlock):
3834         * dfg/DFGFlowIndexing.h:
3835         (JSC::DFG::FlowIndexing::shadowIndex const):
3836         * dfg/DFGLICMPhase.cpp:
3837         (JSC::DFG::LICMPhase::run):
3838         (JSC::DFG::LICMPhase::attemptHoist):
3839         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3840         (JSC::DFG::LoopPreHeaderCreationPhase::run):
3841         * dfg/DFGPutStackSinkingPhase.cpp:
3842         * dfg/DFGSpeculativeJIT.cpp:
3843         (JSC::DFG::SpeculativeJIT::compileArithAbs):
3844         (JSC::DFG::SpeculativeJIT::compileArithRounding):
3845         (JSC::DFG::SpeculativeJIT::compileToPrimitive):
3846         * dfg/DFGSpeculativeJIT64.cpp:
3847         (JSC::DFG::SpeculativeJIT::fillJSValue):
3848         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3849         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
3850         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3851         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3852         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3853         (JSC::DFG::SpeculativeJIT::compile):
3854         * dfg/DFGStoreBarrierClusteringPhase.cpp:
3855         * dfg/DFGStoreBarrierInsertionPhase.cpp:
3856         * ftl/FTLLowerDFGToB3.cpp:
3857         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
3858         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
3859         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
3860         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
3861         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
3862         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
3863         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
3864         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
3865         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
3866         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3867         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3868         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
3869         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
3870         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
3871         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
3872         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3873         (JSC::FTL::DFG::LowerDFGToB3::compare):
3874         (JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
3875         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
3876         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
3877         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
3878         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
3879         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
3880         (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
3881
3882 2018-02-02  Don Olmstead  <don.olmstead@sony.com>
3883
3884         JS Builtins should include JavaScriptCore headers directly
3885         https://bugs.webkit.org/show_bug.cgi?id=182445
3886
3887         Reviewed by Yusuke Suzuki.
3888
3889         * Scripts/builtins/builtins_generator.py:
3890         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3891         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3892         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3893         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3894         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3895         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3896
3897 2018-02-02  Saam Barati  <sbarati@apple.com>
3898
3899         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
3900         https://bugs.webkit.org/show_bug.cgi?id=182368
3901         <rdar://problem/36932466>
3902
3903         Reviewed by Mark Lam.
3904
3905         When preserving liveness when inserting Unreachable nodes after ForceOSRExit,
3906         we must add the VariableAccessData to the given argument position. Otherwise,
3907         we may end up with a VariableAccessData that doesn't respect the shouldNeverUnbox bit.
3908         If we end up with such a situation, it can lead to invalid IR after the
3909         arguments elimination phase optimizes a GetByVal to a GetStack.
3910
3911         * dfg/DFGByteCodeParser.cpp:
3912         (JSC::DFG::ByteCodeParser::flushImpl):
3913         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
3914         (JSC::DFG::ByteCodeParser::flush):