373c82068e25fa4acfc7a50b7ce1baa412dda6fd
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-02-01  Michael Catanzaro  <mcatanzaro@igalia.com>

        -Wreturn-type warning in DFGObjectAllocationSinkingPhase.cpp
        https://bugs.webkit.org/show_bug.cgi?id=182389

        Reviewed by Yusuke Suzuki.

        Fix the warning.

        As a bonus, remove a couple of unreachable breaks for good measure.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:
13
14 2018-02-01  Chris Dumez  <cdumez@apple.com>
15
16         Queue a microtask when a waitUntil() promise is settled
17         https://bugs.webkit.org/show_bug.cgi?id=182372
18         <rdar://problem/37101019>
19
20         Reviewed by Mark Lam.
21
22         Export a symbol so it can be used in WebCore.
23
24         * runtime/JSGlobalObject.h:
25
26 2018-01-31  Don Olmstead  <don.olmstead@sony.com>
27
28         [CMake] Make JavaScriptCore headers copies
29         https://bugs.webkit.org/show_bug.cgi?id=182303
30
31         Reviewed by Alex Christensen.
32
33         * CMakeLists.txt:
34         * PlatformGTK.cmake:
35         * PlatformJSCOnly.cmake:
36         * PlatformMac.cmake:
37         * PlatformWPE.cmake:
38         * PlatformWin.cmake:
39         * shell/CMakeLists.txt:
40         * shell/PlatformWin.cmake:
41
42 2018-01-31  Saam Barati  <sbarati@apple.com>
43
44         Replace tryLargeMemalignVirtual with tryLargeZeroedMemalignVirtual and use it to allocate large zeroed memory in Wasm
45         https://bugs.webkit.org/show_bug.cgi?id=182064
46         <rdar://problem/36840132>
47
48         Reviewed by Geoffrey Garen.
49
50         This patch switches WebAssembly Memory to always use bmalloc's
51         zeroed virtual allocation API. This makes it so that we don't
52         dirty the memory to zero it. It's a huge compile time speedup
53         on WasmBench on iOS.
54
55         * wasm/WasmMemory.cpp:
56         (JSC::Wasm::Memory::create):
57         (JSC::Wasm::Memory::~Memory):
58         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
59         (JSC::Wasm::Memory::grow):
60         (JSC::Wasm::commitZeroPages): Deleted.
61
62 2018-01-31  Mark Lam  <mark.lam@apple.com>
63
64         Build fix for CLoop after r227874.
65         https://bugs.webkit.org/show_bug.cgi?id=182155
66         <rdar://problem/36286266>
67
68         Not reviewed.
69
70         Just needed support for lea of a LabelReference in cloop.rb (just like those
71         added for arm64.rb and x86.rb).
72
73         * offlineasm/cloop.rb:
74
75 2018-01-31  Keith Miller  <keith_miller@apple.com>
76
77         Canonicalize aquiring the JSCell lock.
78         https://bugs.webkit.org/show_bug.cgi?id=182320
79
80         Reviewed by Michael Saboff.
81
82         It's currently kinda annoying to figure out where
83         we aquire the a JSCell's lock. This patch adds a
84         helper to make it easier to grep...
85
86         * bytecode/UnlinkedCodeBlock.cpp:
87         (JSC::UnlinkedCodeBlock::visitChildren):
88         (JSC::UnlinkedCodeBlock::setInstructions):
89         (JSC::UnlinkedCodeBlock::shrinkToFit):
90         * runtime/ErrorInstance.cpp:
91         (JSC::ErrorInstance::finishCreation):
92         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
93         (JSC::ErrorInstance::visitChildren):
94         * runtime/JSArray.cpp:
95         (JSC::JSArray::shiftCountWithArrayStorage):
96         (JSC::JSArray::unshiftCountWithArrayStorage):
97         * runtime/JSCell.h:
98         (JSC::JSCell::cellLock):
99         * runtime/JSObject.cpp:
100         (JSC::JSObject::visitButterflyImpl):
101         (JSC::JSObject::convertContiguousToArrayStorage):
102         * runtime/JSPropertyNameEnumerator.cpp:
103         (JSC::JSPropertyNameEnumerator::visitChildren):
104         * runtime/SparseArrayValueMap.cpp:
105         (JSC::SparseArrayValueMap::add):
106         (JSC::SparseArrayValueMap::remove):
107         (JSC::SparseArrayValueMap::visitChildren):
108
109 2018-01-31  Saam Barati  <sbarati@apple.com>
110
111         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
112         https://bugs.webkit.org/show_bug.cgi?id=182074
113         <rdar://problem/36846261>
114
115         Reviewed by Mark Lam.
116
117         This patch teaches the JSONP evaluator about the global lexical environment.
118         Before, it was using the global object as the global scope, but that's wrong.
119         The global lexical environment is the first node in the global scope chain.
120
121         * interpreter/Interpreter.cpp:
122         (JSC::Interpreter::executeProgram):
123         * jsc.cpp:
124         (GlobalObject::finishCreation):
125         (shellSupportsRichSourceInfo):
126         (functionDisableRichSourceInfo):
127         * runtime/LiteralParser.cpp:
128         (JSC::LiteralParser<CharType>::tryJSONPParse):
129         * runtime/LiteralParser.h:
130
131 2018-01-31  Saam Barati  <sbarati@apple.com>
132
133         clean up pushToSaveImmediateWithoutTouchingRegisters a bit
134         https://bugs.webkit.org/show_bug.cgi?id=181774
135
136         Reviewed by JF Bastien.
137
138         This function on ARM64 was considering what to do with the scratch
139         register. And conditionally invalidated what was in it. This is not
140         relevant though, since the function always recovers what was in that
141         register. This patch just switches it to using dataTempRegister
142         directly and updates the comment to describe why it can do so safely.
143
144         * assembler/MacroAssemblerARM64.h:
145         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
146
147 2018-01-30  Mark Lam  <mark.lam@apple.com>
148
149         Apply poisoning to TypedArray vector pointers.
150         https://bugs.webkit.org/show_bug.cgi?id=182155
151         <rdar://problem/36286266>
152
153         Reviewed by JF Bastien.
154
155         The TypeArray's vector pointer is now poisoned.  The poison value is chosen based
156         on a TypeArray's jsType.  The JSType must be between FirstTypedArrayType and
157         LastTypedArrayType.  At runtime, we enforce that the index is well-behaved by
158         masking it against TypedArrayPoisonIndexMask.  TypedArrayPoisonIndexMask (16) is
159         the number of TypedArray types (10) rounded up to the next power of 2.
160         Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that we
161         can use index masking on the index, and be guaranteed that the masked index will
162         be within bounds of the poisons array.
163
164         1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not
165            do any unnecessary work if the TypedArray vector is null.
166
167            FTL's cagedMayBeNull() is no longer needed because it is only used by
168            compileGetTypedArrayByteOffset(), and we need to enhance it to handle unpoisoning
169            in a TypedArray specific way.  So, might as well do the work inline in
170            compileGetTypedArrayByteOffset() instead.
171
172         2. Removed an unnecessary null-check in DFGSpeculativeJIT's compileNewTypedArrayWithSize()
173            because there's already a null check above it that ensures that sizeGPR is
174            never null.
175
176         3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before the
177            loading of the vector for unpoisoning and uncaging.  We don't need the vector
178            if the length is 0.
179
180         Implementation notes on the need to null check the TypeArray vector:
181
182         1. DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not need a
183            m_poisonedVector null check because the function is a null check.
184
185         2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a
186            m_poisonedVector null check because it is followed by a call to
187            cageTypedArrayStorage() which assumes that storageReg cannot be null.
188
189         3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a
190            m_poisonedVector null check.
191
192         4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector null
193            check because the poisoning code is preceded by a sizeGPR null check, which
194            ensures that the storageGPR (vector to be poisoned) is not null.
195
196         5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector null
197            check because it is followed by a call to caged() which assumes that the
198            vector cannot be null.
199
200         6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null check.
201
202         7. FTL's compileNewTypedArray() does not need a vector null check because the
203            poisoning code is preceded by a size null check, which ensures that the
204            storage (vector to be poisoned) is not null.
205
206         8. FTL's speculateTypedArrayIsNotNeutered() does not need a
207            m_poisonedVector null check because the function is a null check.
208
209         9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s TypedArrayByteOffsetIntrinsic
210            case needs a null check so that it does not try to unpoison a null vector.
211
212         10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because
213             we already do a length check even before loading the vector.
214
215         11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check because
216             we already do a length check even before loading the vector.
217
218         12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because
219             we already do a length check even before loading the vector.
220
221         13. JIT::emitFloatTypedArrayPutByVal() does not need a vector null check because
222             we already do a length check even before loading the vector.
223
224         14. LLInt's loadTypedArrayCaged() does not need a vector null check because its
225             client will do a TypedArray length check before calling it.
226
227         * dfg/DFGFixupPhase.cpp:
228         (JSC::DFG::FixupPhase::checkArray):
229         * dfg/DFGNode.h:
230         (JSC::DFG::Node::hasArrayMode):
231         * dfg/DFGSpeculativeJIT.cpp:
232         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
233         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
234         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
235         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
236         * ftl/FTLAbstractHeapRepository.h:
237         * ftl/FTLLowerDFGToB3.cpp:
238         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
239         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
240         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
241         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
242         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted.
243         * jit/IntrinsicEmitter.cpp:
244         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
245         * jit/JITPropertyAccess.cpp:
246         (JSC::JIT::emitIntTypedArrayGetByVal):
247         (JSC::JIT::emitFloatTypedArrayGetByVal):
248         (JSC::JIT::emitIntTypedArrayPutByVal):
249         (JSC::JIT::emitFloatTypedArrayPutByVal):
250         * llint/LowLevelInterpreter.asm:
251         * llint/LowLevelInterpreter64.asm:
252         * offlineasm/arm64.rb:
253         * offlineasm/x86.rb:
254         * runtime/CagedBarrierPtr.h:
255         * runtime/JSArrayBufferView.cpp:
256         (JSC::JSArrayBufferView::JSArrayBufferView):
257         (JSC::JSArrayBufferView::finalize):
258         (JSC::JSArrayBufferView::neuter):
259         * runtime/JSArrayBufferView.h:
260         (JSC::JSArrayBufferView::vector const):
261         (JSC::JSArrayBufferView::offsetOfPoisonedVector):
262         (JSC::JSArrayBufferView::poisonFor):
263         (JSC::JSArrayBufferView::Poison::key):
264         (JSC::JSArrayBufferView::offsetOfVector): Deleted.
265         * runtime/JSCPoison.cpp:
266         (JSC::initializePoison):
267         * runtime/JSCPoison.h:
268         * runtime/JSGenericTypedArrayViewInlines.h:
269         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
270         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
271         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
272         * runtime/JSObject.h:
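
The index-masked poison selection described in the entry above, as an added illustration that is not JavaScriptCore's code: the JSType values, the table fill and the helper names are constructed here, and the index is masked with the table size minus one so that any jsType, valid or not, lands inside the 16-entry table. It also shows why a null vector needs its own check and why reading a vector back with the wrong type's poison does not yield a usable pointer.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

// Added illustration of type-keyed pointer poisoning with index masking.
// NOT JavaScriptCore's code: JSType values, table fill and helper names are
// constructed here; the mask is the table size minus one (0xF).

// Hypothetical JSType layout: ten TypedArray types in one contiguous range.
enum JSType : uint8_t {
    ObjectType = 20,                                       // a non-TypedArray type (constructed)
    Int8ArrayType = 30, Uint8ArrayType, Uint8ClampedArrayType, Int16ArrayType, Uint16ArrayType,
    Int32ArrayType, Uint32ArrayType, Float32ArrayType, Float64ArrayType, DataViewType,
};
constexpr JSType FirstTypedArrayType = Int8ArrayType;
constexpr JSType LastTypedArrayType = DataViewType;
constexpr unsigned NumberOfTypedArrayTypes = LastTypedArrayType - FirstTypedArrayType + 1; // 10

constexpr unsigned roundUpToPowerOfTwo(unsigned n)
{
    unsigned p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

// 10 types round up to a 16-entry table; masking with 0xF keeps every index in range.
constexpr unsigned TypedArrayPoisonTableSize = roundUpToPowerOfTwo(NumberOfTypedArrayTypes);
constexpr unsigned TypedArrayPoisonIndexMask = TypedArrayPoisonTableSize - 1;
static_assert(TypedArrayPoisonTableSize == 16, "ten TypedArray types round up to 16 slots");

static uintptr_t g_typedArrayPoisons[TypedArrayPoisonTableSize];

// Fill the table with non-zero pseudo-random poisons (a real runtime would draw
// them from a CSPRNG at process start). Returns true once every slot is set.
bool initializeTypedArrayPoisons(uint64_t seed)
{
    std::mt19937_64 rng(seed);
    for (uintptr_t& poison : g_typedArrayPoisons) {
        do {
            poison = static_cast<uintptr_t>(rng());
        } while (!poison);
    }
    return true;
}

// Bounded by construction: whatever `type` holds (even a mis-speculated or
// corrupted jsType), the masked index selects one of the 16 table entries.
inline unsigned poisonIndexFor(JSType type)
{
    return (static_cast<unsigned>(type) - FirstTypedArrayType) & TypedArrayPoisonIndexMask;
}

inline uintptr_t poisonFor(JSType type)
{
    return g_typedArrayPoisons[poisonIndexFor(type)];
}

// The vector pointer is stored XORed with its type's poison. Null is stored as
// 0 rather than poisoned, which is why the entry above tracks exactly where a
// null check must precede unpoisoning.
inline uintptr_t poisonVector(const void* vector, JSType type)
{
    if (!vector)
        return 0;
    return reinterpret_cast<uintptr_t>(vector) ^ poisonFor(type);
}

inline void* unpoisonVector(uintptr_t poisoned, JSType type)
{
    if (!poisoned)
        return nullptr;
    return reinterpret_cast<void*>(poisoned ^ poisonFor(type));
}

// True when a vector stored under `storedAs` reads back intact under `readAs`.
// Reading with another type's poison yields garbage bits, not a usable pointer.
bool roundTrips(JSType storedAs, JSType readAs)
{
    static unsigned char backingStore[64]; // constructed sample vector
    uintptr_t poisoned = poisonVector(backingStore, storedAs);
    return unpoisonVector(poisoned, readAs) == static_cast<void*>(backingStore);
}

int main()
{
    initializeTypedArrayPoisons(0x5eed);
    std::printf("index(Int8)=%u index(DataView)=%u index(Object)=%u\n",
                poisonIndexFor(Int8ArrayType), poisonIndexFor(DataViewType), poisonIndexFor(ObjectType));
    std::printf("same-type round trip: %d, cross-type round trip: %d\n",
                roundTrips(Int8ArrayType, Int8ArrayType), roundTrips(Int8ArrayType, Float64ArrayType));
    return 0;
}
```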

2018-01-30  Fujii Hironori  <Hironori.Fujii@sony.com>

        [Win] Warning fix.
        https://bugs.webkit.org/show_bug.cgi?id=177007

        Reviewed by Yusuke Suzuki.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::dump const):
        Changed the type of locationRawBits from unsigned to uintptr_t.
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::createNumberFormat):
        Initialize 'style' to avoid potentially uninitialized local variable warning.

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement trimStart and trimEnd
        https://bugs.webkit.org/show_bug.cgi?id=182233

        Reviewed by Mark Lam.

        String.prototype.{trimStart,trimEnd} are now stage 3[1].
        String.prototype.{trimLeft,trimRight} are aliases of these functions.

        We rename these functions to trimStart and trimEnd, and put them as
        trimLeft and trimRight too.

        [1]: https://tc39.github.io/proposal-string-left-right-trim/

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::trimString):
        (JSC::stringProtoFuncTrim):
        (JSC::stringProtoFuncTrimStart):
        (JSC::stringProtoFuncTrimEnd):
        (JSC::stringProtoFuncTrimLeft): Deleted.
        (JSC::stringProtoFuncTrimRight): Deleted.

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Relax line terminators in String to make JSON subset of JS
        https://bugs.webkit.org/show_bug.cgi?id=182232

        Reviewed by Keith Miller.

        The "Subsume JSON" spec is now stage 3[1]. Before this spec change,
        JSON could accept \u2028 / \u2029 in strings while JS could not.
        This accidentally made JSON not a subset of JS.

        Now we extend our JS strings to accept \u2028 / \u2029 to make JSON
        a subset of JS, per this spec change.

        [1]: https://github.com/tc39/proposal-json-superset

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseStringSlowCase):

2018-01-29  Jiewen Tan  <jiewen_tan@apple.com>

        [WebAuthN] Add a compile-time feature flag
        https://bugs.webkit.org/show_bug.cgi?id=182211
        <rdar://problem/36936365>

        Reviewed by Brent Fulgham.

        * Configurations/FeatureDefines.xcconfig:

2018-01-29  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
        https://bugs.webkit.org/show_bug.cgi?id=182249

        Reviewed by Keith Miller.

        Changed clobberize() handling of CompareEq, et al to properly handle comparisons between
        Untyped and Object values when compared against built-in types.  Such comparisons can
        invoke toNumber() or other methods.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-01-29  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r227725.

        This caused internal failures.

        Reverted changeset:

        "JSC Sampling Profiler: Detect tester and testee when sampling
        in RegExp JIT"
        https://bugs.webkit.org/show_bug.cgi?id=152729
        https://trac.webkit.org/changeset/227725

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
        https://bugs.webkit.org/show_bug.cgi?id=152729

        Reviewed by Saam Barati.

        This patch extends SamplingProfiler to recognize JIT RegExp execution. We record
        the executing RegExp in the VM so that SamplingProfiler can detect it. This is better
        than the previous VM::isExecutingInRegExpJIT flag approach since

        1. isExecutingInRegExpJIT is set after we start executing JIT RegExp code. Thus,
        if we suspend the thread just before setting this flag, or just after clearing
        this flag, SamplingProfiler gets an invalid frame, and frame validation fails. We
        should set such a flag before and after executing JIT RegExp code.

        2. This removes the VM dependency from YarrJIT, which is not an essential one.

        We add an ExecutionContext enum to RegExp::matchInline so as not to mark execution
        if it is done in a non-JS thread.

        * bytecode/BytecodeDumper.cpp:
        (JSC::regexpName):
        (JSC::BytecodeDumper<Block>::dumpRegExps):
        (JSC::regexpToSourceString): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        (JSC::RegExp::matchConcurrently):
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::toSourceString const):
        * runtime/RegExp.h:
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * runtime/RegExpMatchesArray.h:
        (JSC::createRegExpMatchesArray):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::timerLoop):
        (JSC::SamplingProfiler::takeSample):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::StackFrame::nameFromCallee):
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        (JSC::SamplingProfiler::StackFrame::functionStartLine):
        (JSC::SamplingProfiler::StackFrame::functionStartColumn):
        (JSC::SamplingProfiler::StackFrame::sourceID):
        (JSC::SamplingProfiler::StackFrame::url):
        (WTF::printInternal):
        (JSC::SamplingProfiler::~SamplingProfiler): Deleted.
        * runtime/SamplingProfiler.h:
        * runtime/VM.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::jitCompile):
        * yarr/YarrJIT.h:

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] WeakMap#set should have DFG node
        https://bugs.webkit.org/show_bug.cgi?id=180015

        Reviewed by Saam Barati.

        This patch adds WeakMapSet and WeakSetAdd DFG nodes to handle them efficiently in DFG and FTL.
        We also define CSE rules for them. Now, WeakMapSet and WeakSetAdd can offer the results of
        the subsequent WeakMapGet if CSE allows.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        WeakMap operations do not cause GC.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileWeakSetAdd):
        (JSC::DFG::SpeculativeJIT::compileWeakMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet):
        * jit/JITOperations.h:
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):

2018-01-28  Filip Pizlo  <fpizlo@apple.com>

        LargeAllocation should do the same distancing as MarkedBlock
        https://bugs.webkit.org/show_bug.cgi?id=182226

        Reviewed by Saam Barati.

        This makes LargeAllocation do the same exact distancing that MarkedBlock promises to do.

        To make that possible, this patch first makes MarkedBlock know exactly how much distancing it
        is doing:

        - I've rationalized the payloadSize calculation. In particular, I made MarkedSpace use the
          calculation done in MarkedBlock. MarkedSpace used to do the math a different way. This
          keeps the old way just for a static_assert.

        - The promised amount of distancing is now codified in HeapCell.h as
          minimumDistanceBetweenCellsFromDifferentOrigins. We assert that the footer size is at least
          as big as this. I didn't want to just use footer size for this constant because then, if
          you increased the size of the footer, you'd also add padding to every large allocation.

        Then this patch just adds minimumDistanceBetweenCellsFromDifferentOrigins to each large
        allocation. It also zeroes that slice of memory to prevent any information leaks that way.

        This is perf neutral. Large allocations start out at ~8000 bytes. The amount of padding is
        ~300 bytes. That's 3.75% space overhead for objects that are ~8000 bytes, zero overhead for
        smaller objects, and diminishing overhead for larger objects. We allocate very few large
        objects, so we shouldn't have any real space overhead from this.

        * heap/HeapCell.h:
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.h:

2018-01-27  Filip Pizlo  <fpizlo@apple.com>

        Make MarkedBlock::Footer bigger
        https://bugs.webkit.org/show_bug.cgi?id=182220

        Reviewed by JF Bastien.

        This makes the block footer larger by moving the newlyAllocated bits from the handle into
        the footer.

        It used to be profitable to put anything we could into the handle because that would free up
        payload space inside the block. But now that we want to use the footer for padding, it's
        profitable to put GC state information - especially data that is used by the GC itself and so
        is not useful for a Spectre attack - into the footer to increase object distancing.

        * heap/CellContainer.cpp:
        (JSC::CellContainer::isNewlyAllocated const):
        * heap/IsoCellSet.cpp:
        (JSC::IsoCellSet::sweepToFreeList):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Footer::Footer):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::lastChanceToFinalize):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::resetAllocated):
        (JSC::MarkedBlock::Handle::resetAllocated): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::newlyAllocatedVersion const):
        (JSC::MarkedBlock::isNewlyAllocated):
        (JSC::MarkedBlock::setNewlyAllocated):
        (JSC::MarkedBlock::clearNewlyAllocated):
        (JSC::MarkedBlock::newlyAllocated const):
        (JSC::MarkedBlock::Handle::newlyAllocatedVersion const): Deleted.
        (JSC::MarkedBlock::Handle::isNewlyAllocated): Deleted.
        (JSC::MarkedBlock::Handle::setNewlyAllocated): Deleted.
        (JSC::MarkedBlock::Handle::clearNewlyAllocated): Deleted.
        (JSC::MarkedBlock::Handle::newlyAllocated const): Deleted.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::isNewlyAllocatedStale const):
        (JSC::MarkedBlock::hasAnyNewlyAllocated):
        (JSC::MarkedBlock::Handle::isLive):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::newlyAllocatedMode):
        (JSC::MarkedBlock::Handle::isNewlyAllocatedStale const): Deleted.
        (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::endMarking):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):

2018-01-27  Filip Pizlo  <fpizlo@apple.com>

        MarkedBlock should have a footer instead of a header
        https://bugs.webkit.org/show_bug.cgi?id=182217

        Reviewed by JF Bastien.

        This moves the MarkedBlock's meta-data from the header to the footer. This doesn't really
        change anything except for some compile-time constants, so it should not affect performance.

        This change is to help protect against Spectre attacks on structure checks, which allow for
        small-offset out-of-bounds access. By putting the meta-data at the end of the block, small
        OOBs will only get to other objects in the same block or the block footer. The block footer
        is not super interesting. So, if we combine this with the TLC change (r227617), this means we
        can use blocks as the mechanism of achieving distance between objects from different origins.
        We just need to avoid ever putting objects from different origins in the same block. That's
        what bug 181636 is about.

        * heap/BlockDirectory.cpp:
        (JSC::blockHeaderSize): Deleted.
        (JSC::BlockDirectory::blockSizeForBytes): Deleted.
        * heap/BlockDirectory.h:
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::~MarkedBlock):
        (JSC::MarkedBlock::Footer::Footer):
        (JSC::MarkedBlock::Footer::~Footer):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::lastChanceToFinalize):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::resetMarks):
        (JSC::MarkedBlock::assertMarksNotStale):
        (JSC::MarkedBlock::Handle::didConsumeFreeList):
        (JSC::MarkedBlock::markCount):
        (JSC::MarkedBlock::clearHasAnyMarked):
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
        (JSC::MarkedBlock::Handle::sweep):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::markingVersion const):
        (JSC::MarkedBlock::lock):
        (JSC::MarkedBlock::subspace const):
        (JSC::MarkedBlock::footer):
        (JSC::MarkedBlock::footer const):
        (JSC::MarkedBlock::handle):
        (JSC::MarkedBlock::handle const):
        (JSC::MarkedBlock::Handle::blockFooter):
        (JSC::MarkedBlock::isAtomAligned):
        (JSC::MarkedBlock::Handle::cellAlign):
        (JSC::MarkedBlock::blockFor):
        (JSC::MarkedBlock::vm const):
        (JSC::MarkedBlock::weakSet):
        (JSC::MarkedBlock::cellSize):
        (JSC::MarkedBlock::attributes const):
        (JSC::MarkedBlock::atomNumber):
        (JSC::MarkedBlock::areMarksStale):
        (JSC::MarkedBlock::aboutToMark):
        (JSC::MarkedBlock::isMarkedRaw):
        (JSC::MarkedBlock::isMarked):
        (JSC::MarkedBlock::testAndSetMarked):
        (JSC::MarkedBlock::marks const):
        (JSC::MarkedBlock::isAtom):
        (JSC::MarkedBlock::Handle::forEachCell):
        (JSC::MarkedBlock::hasAnyMarked const):
        (JSC::MarkedBlock::noteMarked):
        (WTF::MarkedBlockHash::hash):
        (JSC::MarkedBlock::firstAtom): Deleted.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::marksConveyLivenessDuringMarking):
        (JSC::MarkedBlock::Handle::isLive):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::forEachLiveCell):
        (JSC::MarkedBlock::Handle::forEachDeadCell):
        (JSC::MarkedBlock::Handle::forEachMarkedCell):
        * heap/MarkedSpace.cpp:
        * heap/MarkedSpace.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
        https://bugs.webkit.org/show_bug.cgi?id=182213

        Reviewed by Mark Lam.

        toStringWithRadixInternal is originally used for the slow path if the given value is larger than radix or negative.
        As a result, it does not accept 0 correctly, and produces an empty string. Since DFGStrengthReductionPhase uses
        this function, it accidentally converts NumberToStringWithValidRadixConstant(0, radix) to an empty string.
        This patch fixes toStringWithRadixInternal to accept 0. This change fixes twitch.tv's issue.

        We also add a careful cast to avoid `-INT32_MIN`. It does not produce an incorrect value on x86 in practice,
        but it is UB, and a compiler may assume that the given value is never INT32_MIN and could do an incorrect optimization.

        * runtime/NumberPrototype.cpp:
        (JSC::toStringWithRadixInternal):
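
The two defects this entry describes, shown side by side as an added illustration that is not JSC's toStringWithRadixInternal: the function names and digit table are constructed here, and the radix is assumed to have been validated to 2..36 already (the "ValidRadixConstant" in the node name).

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <string>

// Added illustration, NOT JavaScriptCore's toStringWithRadixInternal.
// Both functions handle the "slow path" inputs the entry describes (negative
// values or values >= radix) and assume the radix was validated by the caller.
static const char kDigits[] = "0123456789abcdefghijklmnopqrstuvwxyz";

// Shape of the defect: `while (magnitude)` emits no digit at all for 0, so a
// strength-reduced NumberToStringWithValidRadixConstant(0, radix) became "".
// Negating INT32_MIN as int32_t is signed overflow, i.e. undefined behaviour,
// so a compiler may assume it never happens and optimise on that basis.
std::string toStringWithRadixBuggy(int32_t value, unsigned radix)
{
    assert(radix >= 2 && radix <= 36);
    bool negative = value < 0;
    int32_t magnitude = negative ? -value : value; // UB when value == INT32_MIN
    std::string out;
    while (magnitude) {
        out.insert(out.begin(), kDigits[magnitude % radix]);
        magnitude /= radix;
    }
    return negative ? "-" + out : out;             // "" when value == 0
}

// Fixed shape: the magnitude is computed in uint32_t, where wraparound is
// well-defined (INT32_MIN becomes exactly 2^31), and a do/while guarantees
// at least one digit so 0 yields "0".
std::string toStringWithRadixFixed(int32_t value, unsigned radix)
{
    assert(radix >= 2 && radix <= 36);
    bool negative = value < 0;
    uint32_t magnitude = negative ? 0u - static_cast<uint32_t>(value)
                                  : static_cast<uint32_t>(value);
    std::string out;
    do {
        out.insert(out.begin(), kDigits[magnitude % radix]);
        magnitude /= radix;
    } while (magnitude);
    return negative ? "-" + out : out;
}

int main()
{
    std::printf("0 in base 10: buggy=\"%s\" fixed=\"%s\"\n",
                toStringWithRadixBuggy(0, 10).c_str(), toStringWithRadixFixed(0, 10).c_str());
    std::printf("INT32_MIN in base 16: fixed=%s\n", toStringWithRadixFixed(INT32_MIN, 16).c_str());
    return 0;
}
```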

2018-01-26  Saam Barati  <sbarati@apple.com>

        Fix emitAllocateWithNonNullAllocator to work on arm
        https://bugs.webkit.org/show_bug.cgi?id=182187
        <rdar://problem/36906550>

        Reviewed by Filip Pizlo.

        This patch unifies the x86 and ARM paths in emitAllocateWithNonNullAllocator
        and makes it so that emitAllocateWithNonNullAllocator uses the macro scratch
        register on ARM.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
687
688 2018-01-26  Joseph Pecoraro  <pecoraro@apple.com>
689
690         Rebaselining builtin generator tests after r227685.
691
692         Unreviewed.
693
694         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
695         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
696         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
697         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
698         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
699         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
700         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
701         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
702         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
703         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
704         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
705         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
706         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
707         It used to be that the builtins generator was minifying by default. That was an accident
708         and we now only minify on Release builds. The generator tests are now getting the
709         default unminified output behavior so they need to update their expectations
710         for some extra whitespace.
711
712 2018-01-26  Mark Lam  <mark.lam@apple.com>
713
714         We should only append ParserArenaDeletable pointers to ParserArena::m_deletableObjects.
715         https://bugs.webkit.org/show_bug.cgi?id=182180
716         <rdar://problem/36460697>
717
718         Reviewed by Michael Saboff.
719
720         Some parser Node subclasses extend ParserArenaDeletable via multiple inheritance,
721         but not as the Node's first base class.  ParserArena::m_deletableObjects is
722         expecting pointers to objects of the shape of ParserArenaDeletable.  We ensure
723         this by allocating the Node subclass, and casting it to ParserArenaDeletable to
724         get the correct pointer to append to ParserArena::m_deletableObjects.
725
726         To simplify things, we introduce a JSC_MAKE_PARSER_ARENA_DELETABLE_ALLOCATED 
727         (analogous to WTF_MAKE_FAST_ALLOCATED) for use in Node subclasses that extend
728         ParserArenaDeletable.
729
730         * parser/NodeConstructors.h:
731         (JSC::ParserArenaDeletable::operator new):
732         * parser/Nodes.h:
733         * parser/ParserArena.h:
734         (JSC::ParserArena::allocateDeletable):
735
736 2018-01-26  Joseph Pecoraro  <pecoraro@apple.com>
737
738         JavaScriptCore builtins should be partially minified in Release builds not Debug builds
739         https://bugs.webkit.org/show_bug.cgi?id=182165
740
741         Reviewed by Keith Miller.
742
743         * Scripts/builtins/builtins_model.py:
744         (BuiltinFunction.fromString):
745         Apply minifications on Release builds instead of Debug builds.
746         Also eliminate leading whitespace.
747
748 2018-01-26  Filip Pizlo  <fpizlo@apple.com>
749
750         Disable TLS-based TLCs
751         https://bugs.webkit.org/show_bug.cgi?id=182175
752
753         Reviewed by Saam Barati.
754
755         Check for the new USE(FAST_TLS_FOR_TLC) flag instead of just ENABLE(FAST_TLS_JIT).
756
757         * heap/BlockDirectory.cpp:
758         (JSC::BlockDirectory::~BlockDirectory):
759         * heap/BlockDirectory.h:
760         * heap/ThreadLocalCache.cpp:
761         (JSC::ThreadLocalCache::installSlow):
762         (JSC::ThreadLocalCache::installData):
763         * heap/ThreadLocalCache.h:
764         * heap/ThreadLocalCacheInlines.h:
765         (JSC::ThreadLocalCache::getImpl):
766         * jit/AssemblyHelpers.cpp:
767         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
768         * runtime/VM.cpp:
769         (JSC::VM::~VM):
770         * runtime/VM.h:
771
772 2018-01-25  Yusuke Suzuki  <utatane.tea@gmail.com>
773
774         imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/errorhandling.html crashes
775         https://bugs.webkit.org/show_bug.cgi?id=181980
776
777         Reviewed by Ryosuke Niwa.
778
779         We accidentally failed to propagate errored promise in instantiate and satisfy phase if entry.{instantiate,satisfy}
780         promises are set. Since we just returned `entry`, it becomes succeeded promise even if the dependent fetch, instantiate,
781         and satisfy promises are failed. This patch fixes error propagation by returning `entry.instantiate` and `entry.satisfy`
782         correctly.
783
784         * builtins/ModuleLoaderPrototype.js:
785         (requestInstantiate):
786         (requestSatisfy):
787
788 2018-01-25  Mark Lam  <mark.lam@apple.com>
789
790         Gardening: fix 32-bit build after r227643.
791         https://bugs.webkit.org/show_bug.cgi?id=182086
792
793         Not reviewed.
794
795         * jit/AssemblyHelpers.cpp:
796         (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
797
798 2018-01-24  Filip Pizlo  <fpizlo@apple.com>
799
800         DirectArguments should protect itself using dynamic poisoning and precise index masking
801         https://bugs.webkit.org/show_bug.cgi?id=182086
802
803         Reviewed by Saam Barati.
804         
805         This implements dynamic poisoning and precise index masking in DirectArguments, using the
806         helpers from <wtf/MathExtras.h> and helpers in AssemblyHelpers and FTL::LowerDFGToB3.
807         
808         We use dynamic poisoning for DirectArguments since this object did not have any additional
809         indirection inside it that could have been poisoned. So, we use the xor of the expected type
810         and the actual type as an additional input into the pointer.
811         
812         We use precise index masking for bounds checks, because it's not worth doing index masking
813         unless we know that precise index masking is too slow.
814
815         * assembler/MacroAssembler.h:
816         (JSC::MacroAssembler::lshiftPtr):
817         (JSC::MacroAssembler::rshiftPtr):
818         * dfg/DFGSpeculativeJIT.cpp:
819         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
820         * ftl/FTLLowerDFGToB3.cpp:
821         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
822         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
823         (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask64):
824         (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask32):
825         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
826         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
827         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
828         * jit/AssemblyHelpers.cpp:
829         (JSC::AssemblyHelpers::emitPreciseIndexMask32):
830         (JSC::AssemblyHelpers::emitDynamicPoison):
831         (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
832         (JSC::AssemblyHelpers::emitDynamicPoisonOnType):
833         * jit/AssemblyHelpers.h:
834         * jit/JITPropertyAccess.cpp:
835         (JSC::JIT::emitDirectArgumentsGetByVal):
836         * runtime/DirectArguments.h:
837         (JSC::DirectArguments::getIndexQuickly const):
838         (JSC::DirectArguments::setIndexQuickly):
839         (JSC::DirectArguments::argument):
840         * runtime/GenericArgumentsInlines.h:
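
        As an added example (not JSC's code), the two primitives this entry relies on, written out in plain C++ so the arithmetic is visible; the 40-bit shift used for poisoning is an assumption chosen to push any type mismatch into the non-canonical high bits of a 64-bit address:

```cpp
#include <cstdint>

// Constructed example, not JSC's code: precise index masking and dynamic
// poisoning as plain arithmetic. The shift amount (40) is an assumption.

// Precise index masking: all ones when index < length, all zeros otherwise, and
// no data-dependent branch. Both operands are 32-bit, so their 64-bit difference
// is negative exactly when index < length; an arithmetic shift smears the sign
// bit across the whole word.
uint64_t preciseIndexMask(uint32_t index, uint32_t length)
{
    int64_t diff = static_cast<int64_t>(index) - static_cast<int64_t>(length);
    return static_cast<uint64_t>(diff >> 63);
}

// Dynamic poisoning: the XOR of the expected and actual cell type is folded into
// the base pointer. When the types agree it is 0 and the pointer is untouched;
// any disagreement lands in the high bits, so a load through the result cannot
// reach a mapped location even if the type check itself was mispredicted.
uintptr_t dynamicPoison(uintptr_t base, uint8_t expectedType, uint8_t actualType)
{
    uint64_t poison = static_cast<uint64_t>(expectedType ^ actualType) << 40;
    return base + static_cast<uintptr_t>(poison);
}

// Stand-in for a DirectArguments-like cell with inline argument slots.
struct ArgumentsCell {
    uint8_t type;
    uint32_t length;
    uint64_t slots[4];
};

// Bounds-checked element read in the style described above. The branch is still
// there for correctness, but the load only ever uses index & mask, so a
// mispredicted in-bounds path reads slots[0] rather than slots[index].
bool getIndexMasked(const ArgumentsCell& cell, uint32_t index, uint64_t* out)
{
    if (index >= cell.length)
        return false;
    uint32_t masked = index & static_cast<uint32_t>(preciseIndexMask(index, cell.length));
    *out = cell.slots[masked];
    return true;
}
```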
841
842 2018-01-25  Mark Lam  <mark.lam@apple.com>
843
844         Rename some local vars from type to typedArrayType for greater clarity.
845         https://bugs.webkit.org/show_bug.cgi?id=182148
846         <rdar://problem/36882310>
847
848         Reviewed by Saam Barati.
849
850         * dfg/DFGSpeculativeJIT.cpp:
851         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
852         * ftl/FTLLowerDFGToB3.cpp:
853         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
854
855 2018-01-25  Filip Pizlo  <fpizlo@apple.com>
856
857         JSC GC should support TLCs (thread local caches)
858         https://bugs.webkit.org/show_bug.cgi?id=181559
859
860         Reviewed by Mark Lam and Saam Barati.
861         
862         This is a big step towards object distancing by site origin. This patch implements TLCs, or
863         thread-local caches, which allow each thread to allocate from its own free lists. It also
864         means that any given thread can context-switch TLCs. This will allow us to do separate
865         allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
866         will allow us to have a hard distancing constraint between objects from different origins.
867         
868         In this new design, every "size class" is represented as a BlockDirectory (formerly known as
869         MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
870         aligned memory allocator (which roughly represents which cage you came out of), and anyone
871         using the same allocator can share those blocks - but so long as they are in that
872         BlockDirectory, they will have the size and type of that directory. Previously, each
873         BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
874         LocalAllocators, each of which has a FreeList.
875         
876         To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
877         BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
878         call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
879         starts by figuring out what Allocator it wants (often we have this information at JIT time).
880         Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
881         Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
882         offsets as opposed to indices to make it easy to do the math on each allocation (if
883         LocalAllocator had a weird size then every allocation would have to do an imul).
884         
885         This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
886         unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
887         geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
888         something there, but it's not significant according to our threshold).
889         
890         Relanding after fixing ARM64 bug in AssemblyHelpers::emitAllocateWithNonNullAllocator(). That
891         function needs to be careful to avoid using the scratch register because the FTL will call it
892         in disallow-scratch-register mode.
893
894         * JavaScriptCore.xcodeproj/project.pbxproj:
895         * Sources.txt:
896         * b3/B3LowerToAir.cpp:
897         * b3/B3PatchpointSpecial.cpp:
898         (JSC::B3::PatchpointSpecial::admitsStack):
899         * b3/B3StackmapSpecial.cpp:
900         (JSC::B3::StackmapSpecial::forEachArgImpl):
901         (JSC::B3::StackmapSpecial::isArgValidForRep):
902         * b3/B3StackmapValue.cpp:
903         (JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
904         * b3/B3StackmapValue.h:
905         * b3/B3Validate.cpp:
906         * b3/B3ValueRep.cpp:
907         (JSC::B3::ValueRep::addUsedRegistersTo const):
908         (JSC::B3::ValueRep::dump const):
909         (WTF::printInternal):
910         * b3/B3ValueRep.h:
911         (JSC::B3::ValueRep::ValueRep):
912         * bytecode/AccessCase.cpp:
913         (JSC::AccessCase::generateImpl):
914         * bytecode/ObjectAllocationProfile.h:
915         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
916         (JSC::ObjectAllocationProfile::clear):
917         * bytecode/ObjectAllocationProfileInlines.h:
918         (JSC::ObjectAllocationProfile::initializeProfile):
919         * dfg/DFGSpeculativeJIT.cpp:
920         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
921         (JSC::DFG::SpeculativeJIT::compileMakeRope):
922         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
923         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
924         (JSC::DFG::SpeculativeJIT::compileCreateThis):
925         (JSC::DFG::SpeculativeJIT::compileNewObject):
926         * dfg/DFGSpeculativeJIT.h:
927         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
928         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
929         * ftl/FTLAbstractHeapRepository.h:
930         * ftl/FTLLowerDFGToB3.cpp:
931         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
932         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
933         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
934         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
935         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
936         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
937         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
938         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
939         * heap/Allocator.cpp: Added.
940         (JSC::Allocator::cellSize const):
941         * heap/Allocator.h: Added.
942         (JSC::Allocator::Allocator):
943         (JSC::Allocator::offset const):
944         (JSC::Allocator::operator== const):
945         (JSC::Allocator::operator!= const):
946         (JSC::Allocator::operator bool const):
947         * heap/AllocatorInlines.h: Added.
948         (JSC::Allocator::allocate const):
949         (JSC::Allocator::tryAllocate const):
950         * heap/BlockDirectory.cpp:
951         (JSC::BlockDirectory::BlockDirectory):
952         (JSC::BlockDirectory::findBlockForAllocation):
953         (JSC::BlockDirectory::stopAllocating):
954         (JSC::BlockDirectory::prepareForAllocation):
955         (JSC::BlockDirectory::stopAllocatingForGood):
956         (JSC::BlockDirectory::resumeAllocating):
957         (JSC::BlockDirectory::endMarking):
958         (JSC::BlockDirectory::isFreeListedCell):
959         (JSC::BlockDirectory::didConsumeFreeList): Deleted.
960         (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
961         (JSC::BlockDirectory::allocateIn): Deleted.
962         (JSC::BlockDirectory::tryAllocateIn): Deleted.
963         (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
964         (JSC::BlockDirectory::allocateSlowCase): Deleted.
965         * heap/BlockDirectory.h:
966         (JSC::BlockDirectory::cellKind const):
967         (JSC::BlockDirectory::allocator const):
968         (JSC::BlockDirectory::freeList const): Deleted.
969         (JSC::BlockDirectory::offsetOfFreeList): Deleted.
970         (JSC::BlockDirectory::offsetOfCellSize): Deleted.
971         * heap/BlockDirectoryInlines.h:
972         (JSC::BlockDirectory::isFreeListedCell const): Deleted.
973         (JSC::BlockDirectory::allocate): Deleted.
974         * heap/CompleteSubspace.cpp:
975         (JSC::CompleteSubspace::CompleteSubspace):
976         (JSC::CompleteSubspace::allocatorFor):
977         (JSC::CompleteSubspace::allocate):
978         (JSC::CompleteSubspace::allocateNonVirtual):
979         (JSC::CompleteSubspace::allocatorForSlow):
980         (JSC::CompleteSubspace::allocateSlow):
981         (JSC::CompleteSubspace::tryAllocateSlow):
982         * heap/CompleteSubspace.h:
983         (JSC::CompleteSubspace::allocatorForSizeStep):
984         (JSC::CompleteSubspace::allocatorForNonVirtual):
985         * heap/FreeList.h:
986         * heap/GCDeferralContext.h:
987         * heap/Heap.cpp:
988         (JSC::Heap::Heap):
989         (JSC::Heap::lastChanceToFinalize):
990         * heap/Heap.h:
991         (JSC::Heap::threadLocalCacheLayout):
992         * heap/IsoCellSet.h:
993         * heap/IsoSubspace.cpp:
994         (JSC::IsoSubspace::IsoSubspace):
995         (JSC::IsoSubspace::allocatorFor):
996         (JSC::IsoSubspace::allocate):
997         (JSC::IsoSubspace::allocateNonVirtual):
998         * heap/IsoSubspace.h:
999         (JSC::IsoSubspace::allocatorForNonVirtual):
1000         * heap/LocalAllocator.cpp: Added.
1001         (JSC::LocalAllocator::LocalAllocator):
1002         (JSC::LocalAllocator::reset):
1003         (JSC::LocalAllocator::~LocalAllocator):
1004         (JSC::LocalAllocator::stopAllocating):
1005         (JSC::LocalAllocator::resumeAllocating):
1006         (JSC::LocalAllocator::prepareForAllocation):
1007         (JSC::LocalAllocator::stopAllocatingForGood):
1008         (JSC::LocalAllocator::allocateSlowCase):
1009         (JSC::LocalAllocator::didConsumeFreeList):
1010         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
1011         (JSC::LocalAllocator::allocateIn):
1012         (JSC::LocalAllocator::tryAllocateIn):
1013         (JSC::LocalAllocator::doTestCollectionsIfNeeded):
1014         (JSC::LocalAllocator::isFreeListedCell const):
1015         * heap/LocalAllocator.h: Added.
1016         (JSC::LocalAllocator::offsetOfFreeList):
1017         (JSC::LocalAllocator::offsetOfCellSize):
1018         * heap/LocalAllocatorInlines.h: Added.
1019         (JSC::LocalAllocator::allocate):
1020         * heap/MarkedSpace.cpp:
1021         (JSC::MarkedSpace::stopAllocatingForGood):
1022         * heap/MarkedSpace.h:
1023         * heap/SlotVisitor.cpp:
1024         * heap/SlotVisitor.h:
1025         * heap/Subspace.h:
1026         * heap/ThreadLocalCache.cpp: Added.
1027         (JSC::ThreadLocalCache::create):
1028         (JSC::ThreadLocalCache::ThreadLocalCache):
1029         (JSC::ThreadLocalCache::~ThreadLocalCache):
1030         (JSC::ThreadLocalCache::allocateData):
1031         (JSC::ThreadLocalCache::destroyData):
1032         (JSC::ThreadLocalCache::installSlow):
1033         (JSC::ThreadLocalCache::installData):
1034         (JSC::ThreadLocalCache::allocatorSlow):
1035         (JSC::ThreadLocalCache::destructor):
1036         * heap/ThreadLocalCache.h: Added.
1037         (JSC::ThreadLocalCache::offsetOfSize):
1038         (JSC::ThreadLocalCache::offsetOfFirstAllocator):
1039         * heap/ThreadLocalCacheInlines.h: Added.
1040         (JSC::ThreadLocalCache::getImpl):
1041         (JSC::ThreadLocalCache::get):
1042         (JSC::ThreadLocalCache::install):
1043         (JSC::ThreadLocalCache::allocator):
1044         (JSC::ThreadLocalCache::tryGetAllocator):
1045         * heap/ThreadLocalCacheLayout.cpp: Added.
1046         (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
1047         (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
1048         (JSC::ThreadLocalCacheLayout::allocateOffset):
1049         (JSC::ThreadLocalCacheLayout::snapshot):
1050         (JSC::ThreadLocalCacheLayout::directory):
1051         * heap/ThreadLocalCacheLayout.h: Added.
1052         * jit/AssemblyHelpers.cpp:
1053         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1054         (JSC::AssemblyHelpers::emitAllocate):
1055         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1056         * jit/AssemblyHelpers.h:
1057         (JSC::AssemblyHelpers::vm):
1058         (JSC::AssemblyHelpers::emitAllocateJSCell):
1059         (JSC::AssemblyHelpers::emitAllocateJSObject):
1060         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1061         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
1062         (JSC::AssemblyHelpers::emitAllocate): Deleted.
1063         (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
1064         * jit/JITOpcodes.cpp:
1065         (JSC::JIT::emit_op_new_object):
1066         (JSC::JIT::emit_op_create_this):
1067         * jit/JITOpcodes32_64.cpp:
1068         (JSC::JIT::emit_op_new_object):
1069         (JSC::JIT::emit_op_create_this):
1070         * runtime/ButterflyInlines.h:
1071         (JSC::Butterfly::createUninitialized):
1072         (JSC::Butterfly::tryCreate):
1073         (JSC::Butterfly::growArrayRight):
1074         * runtime/DirectArguments.cpp:
1075         (JSC::DirectArguments::overrideThings):
1076         * runtime/GenericArgumentsInlines.h:
1077         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1078         * runtime/HashMapImpl.h:
1079         (JSC::HashMapBuffer::create):
1080         * runtime/JSArray.cpp:
1081         (JSC::JSArray::tryCreateUninitializedRestricted):
1082         (JSC::JSArray::unshiftCountSlowCase):
1083         * runtime/JSArray.h:
1084         (JSC::JSArray::tryCreate):
1085         * runtime/JSArrayBufferView.cpp:
1086         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1087         * runtime/JSCellInlines.h:
1088         (JSC::tryAllocateCellHelper):
1089         * runtime/JSGlobalObject.cpp:
1090         (JSC::JSGlobalObject::JSGlobalObject):
1091         * runtime/JSGlobalObject.h:
1092         (JSC::JSGlobalObject::threadLocalCache const):
1093         * runtime/JSLock.cpp:
1094         (JSC::JSLock::didAcquireLock):
1095         * runtime/Options.h:
1096         * runtime/RegExpMatchesArray.h:
1097         (JSC::tryCreateUninitializedRegExpMatchesArray):
1098         * runtime/VM.cpp:
1099         (JSC::VM::VM):
1100         * runtime/VM.h:
1101         * runtime/VMEntryScope.cpp:
1102         (JSC::VMEntryScope::VMEntryScope):
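
        As an added example (not JSC's code), a constructed model of the allocation path described in this entry and repeated in the original r227592 entry below: a BlockDirectory per size class, a LocalAllocator per directory in each thread's cache, and an Allocator that is only a byte offset into that cache. Block size and layout rule are assumptions:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <vector>

// Constructed model, not JSC's code, of the TLC allocation path described above.

constexpr size_t kBlockSize = 1024; // assumption: tiny blocks keep the model readable

struct FreeCell { FreeCell* next; }; // a free cell's first word links the free list

struct BlockDirectory;

// The per-thread free list for one size class.
struct LocalAllocator {
    FreeCell* freeListHead = nullptr;
    BlockDirectory* directory = nullptr;
};

// POD handle: where this size class's LocalAllocator sits inside a cache.
struct Allocator { uint32_t offset; };

// The size class itself; it owns every block any thread has carved up.
struct BlockDirectory {
    BlockDirectory(uint32_t size, Allocator handle) : cellSize(size), allocator(handle) {}
    ~BlockDirectory() { for (void* block : blocks) std::free(block); }
    uint32_t cellSize;
    Allocator allocator;
    std::vector<void*> blocks;
};

// LocalAllocators laid out back to back, so base + offset reaches one of them
// with an add rather than an index multiply.
struct ThreadLocalCache {
    explicit ThreadLocalCache(const std::vector<BlockDirectory*>& directories)
        : data(directories.size())
    {
        for (size_t i = 0; i < directories.size(); ++i)
            data[i].directory = directories[i];
    }
    std::vector<LocalAllocator> data;
};

// Stand-in for the fast TLS slot: the cache this thread currently allocates from.
static thread_local ThreadLocalCache* currentCache = nullptr;

void installThreadLocalCache(ThreadLocalCache* cache) { currentCache = cache; }

// Layout rule (assumption): directory i gets byte offset i * sizeof(LocalAllocator).
Allocator allocatorForDirectoryIndex(size_t index)
{
    return Allocator { static_cast<uint32_t>(index * sizeof(LocalAllocator)) };
}

static LocalAllocator& localAllocatorFor(Allocator allocator)
{
    char* base = reinterpret_cast<char*>(currentCache->data.data());
    return *reinterpret_cast<LocalAllocator*>(base + allocator.offset);
}

// Slow path: take a fresh block from the directory and thread all of its cells
// onto this thread's free list, lowest address first.
static void refill(LocalAllocator& local)
{
    BlockDirectory& directory = *local.directory;
    void* block = std::malloc(kBlockSize);
    directory.blocks.push_back(block);
    char* base = static_cast<char*>(block);
    FreeCell* head = nullptr;
    for (size_t i = kBlockSize / directory.cellSize; i-- > 0;) {
        FreeCell* cell = reinterpret_cast<FreeCell*>(base + i * directory.cellSize);
        cell->next = head;
        head = cell;
    }
    local.freeListHead = head;
}

// Fast path: pop from the installed cache's free list; refill only when empty.
void* allocate(Allocator allocator)
{
    if (!currentCache)
        return nullptr; // no cache installed on this thread
    LocalAllocator& local = localAllocatorFor(allocator);
    if (!local.freeListHead)
        refill(local);
    FreeCell* cell = local.freeListHead;
    local.freeListHead = cell->next;
    return cell;
}
```

Installing a second cache on the same thread gives it fresh free lists, so its first allocation pulls a new block from the directory; that is the context-switch the entry describes.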
1103
1104 2018-01-25  Commit Queue  <commit-queue@webkit.org>
1105
1106         Unreviewed, rolling out r227592.
1107         https://bugs.webkit.org/show_bug.cgi?id=182110
1108
1109         it made ARM64 (Linux and iOS) crash (Requested by pizlo-mbp on
1110         #webkit).
1111
1112         Reverted changeset:
1113
1114         "JSC GC should support TLCs (thread local caches)"
1115         https://bugs.webkit.org/show_bug.cgi?id=181559
1116         https://trac.webkit.org/changeset/227592
1117
1118 2018-01-25  Alejandro G. Castro  <alex@igalia.com>
1119
1120         undefined reference to 'JSC::B3::BasicBlock::fallThrough() const'
1121         https://bugs.webkit.org/show_bug.cgi?id=180637
1122
1123         Reviewed by Michael Catanzaro.
1124
1125         We need to make sure the implementation of the inline functions is
1126         compiled when we compile the code using the function, now that the
1127         compilation is divided, or we could end up with undefined symbols
1128         when the declaration is not inlined, at least with some compilers
1129         and optimizations enabled -O2.
1130
1131         * b3/B3SwitchValue.cpp: replace the include.
1132
1133 2018-01-20  Filip Pizlo  <fpizlo@apple.com>
1134
1135         JSC GC should support TLCs (thread local caches)
1136         https://bugs.webkit.org/show_bug.cgi?id=181559
1137
1138         Reviewed by Mark Lam and Saam Barati.
1139         
1140         This is a big step towards object distancing by site origin. This patch implements TLCs, or
1141         thread-local caches, which allow each thread to allocate from its own free lists. It also
1142         means that any given thread can context-switch TLCs. This will allow us to do separate
1143         allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
1144         will allow us to have a hard distancing constraint between objects from different origins.
1145         
1146         In this new design, every "size class" is represented as a BlockDirectory (formerly known as
1147         MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
1148         aligned memory allocator (which roughly represents which cage you came out of), and anyone
1149         using the same allocator can share those blocks - but so long as they are in that
1150         BlockDirectory, they will have the size and type of that directory. Previously, each
1151         BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
1152         LocalAllocators, each of which has a FreeList.
1153         
1154         To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
1155         BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
1156         call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
1157         starts by figuring out what Allocator it wants (often we have this information at JIT time).
1158         Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
1159         Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
1160         offsets as opposed to indices to make it easy to do the math on each allocation (if
1161         LocalAllocator had a weird size then every allocation would have to do an imul).
1162         
1163         This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
1164         unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
1165         geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
1166         something there, but it's not significant according to our threshold).
1167
1168         * JavaScriptCore.xcodeproj/project.pbxproj:
1169         * Sources.txt:
1170         * b3/B3LowerToAir.cpp:
1171         * b3/B3PatchpointSpecial.cpp:
1172         (JSC::B3::PatchpointSpecial::admitsStack):
1173         * b3/B3StackmapSpecial.cpp:
1174         (JSC::B3::StackmapSpecial::forEachArgImpl):
1175         (JSC::B3::StackmapSpecial::isArgValidForRep):
1176         * b3/B3StackmapValue.cpp:
1177         (JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
1178         * b3/B3StackmapValue.h:
1179         * b3/B3Validate.cpp:
1180         * b3/B3ValueRep.cpp:
1181         (JSC::B3::ValueRep::addUsedRegistersTo const):
1182         (JSC::B3::ValueRep::dump const):
1183         (WTF::printInternal):
1184         * b3/B3ValueRep.h:
1185         (JSC::B3::ValueRep::ValueRep):
1186         * bytecode/AccessCase.cpp:
1187         (JSC::AccessCase::generateImpl):
1188         * bytecode/ObjectAllocationProfile.h:
1189         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
1190         (JSC::ObjectAllocationProfile::clear):
1191         * bytecode/ObjectAllocationProfileInlines.h:
1192         (JSC::ObjectAllocationProfile::initializeProfile):
1193         * dfg/DFGSpeculativeJIT.cpp:
1194         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1195         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1196         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1197         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1198         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1199         (JSC::DFG::SpeculativeJIT::compileNewObject):
1200         * dfg/DFGSpeculativeJIT.h:
1201         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1202         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1203         * ftl/FTLAbstractHeapRepository.h:
1204         * ftl/FTLLowerDFGToB3.cpp:
1205         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1206         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1207         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1208         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
1209         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1210         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1211         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1212         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1213         * heap/Allocator.cpp: Added.
1214         (JSC::Allocator::cellSize const):
1215         * heap/Allocator.h: Added.
1216         (JSC::Allocator::Allocator):
1217         (JSC::Allocator::offset const):
1218         (JSC::Allocator::operator== const):
1219         (JSC::Allocator::operator!= const):
1220         (JSC::Allocator::operator bool const):
1221         * heap/AllocatorInlines.h: Added.
1222         (JSC::Allocator::allocate const):
1223         (JSC::Allocator::tryAllocate const):
1224         * heap/BlockDirectory.cpp:
1225         (JSC::BlockDirectory::BlockDirectory):
1226         (JSC::BlockDirectory::findBlockForAllocation):
1227         (JSC::BlockDirectory::stopAllocating):
1228         (JSC::BlockDirectory::prepareForAllocation):
1229         (JSC::BlockDirectory::stopAllocatingForGood):
1230         (JSC::BlockDirectory::resumeAllocating):
1231         (JSC::BlockDirectory::endMarking):
1232         (JSC::BlockDirectory::isFreeListedCell):
1233         (JSC::BlockDirectory::didConsumeFreeList): Deleted.
1234         (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
1235         (JSC::BlockDirectory::allocateIn): Deleted.
1236         (JSC::BlockDirectory::tryAllocateIn): Deleted.
1237         (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
1238         (JSC::BlockDirectory::allocateSlowCase): Deleted.
1239         * heap/BlockDirectory.h:
1240         (JSC::BlockDirectory::cellKind const):
1241         (JSC::BlockDirectory::allocator const):
1242         (JSC::BlockDirectory::freeList const): Deleted.
1243         (JSC::BlockDirectory::offsetOfFreeList): Deleted.
1244         (JSC::BlockDirectory::offsetOfCellSize): Deleted.
1245         * heap/BlockDirectoryInlines.h:
1246         (JSC::BlockDirectory::isFreeListedCell const): Deleted.
1247         (JSC::BlockDirectory::allocate): Deleted.
1248         * heap/CompleteSubspace.cpp:
1249         (JSC::CompleteSubspace::CompleteSubspace):
1250         (JSC::CompleteSubspace::allocatorFor):
1251         (JSC::CompleteSubspace::allocate):
1252         (JSC::CompleteSubspace::allocateNonVirtual):
1253         (JSC::CompleteSubspace::allocatorForSlow):
1254         (JSC::CompleteSubspace::allocateSlow):
1255         (JSC::CompleteSubspace::tryAllocateSlow):
1256         * heap/CompleteSubspace.h:
1257         (JSC::CompleteSubspace::allocatorForSizeStep):
1258         (JSC::CompleteSubspace::allocatorForNonVirtual):
1259         * heap/FreeList.h:
1260         * heap/GCDeferralContext.h:
1261         * heap/Heap.cpp:
1262         (JSC::Heap::Heap):
1263         (JSC::Heap::lastChanceToFinalize):
1264         * heap/Heap.h:
1265         (JSC::Heap::threadLocalCacheLayout):
1266         * heap/IsoCellSet.h:
1267         * heap/IsoSubspace.cpp:
1268         (JSC::IsoSubspace::IsoSubspace):
1269         (JSC::IsoSubspace::allocatorFor):
1270         (JSC::IsoSubspace::allocate):
1271         (JSC::IsoSubspace::allocateNonVirtual):
1272         * heap/IsoSubspace.h:
1273         (JSC::IsoSubspace::allocatorForNonVirtual):
1274         * heap/LocalAllocator.cpp: Added.
1275         (JSC::LocalAllocator::LocalAllocator):
1276         (JSC::LocalAllocator::reset):
1277         (JSC::LocalAllocator::~LocalAllocator):
1278         (JSC::LocalAllocator::stopAllocating):
1279         (JSC::LocalAllocator::resumeAllocating):
1280         (JSC::LocalAllocator::prepareForAllocation):
1281         (JSC::LocalAllocator::stopAllocatingForGood):
1282         (JSC::LocalAllocator::allocateSlowCase):
1283         (JSC::LocalAllocator::didConsumeFreeList):
1284         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
1285         (JSC::LocalAllocator::allocateIn):
1286         (JSC::LocalAllocator::tryAllocateIn):
1287         (JSC::LocalAllocator::doTestCollectionsIfNeeded):
1288         (JSC::LocalAllocator::isFreeListedCell const):
1289         * heap/LocalAllocator.h: Added.
1290         (JSC::LocalAllocator::offsetOfFreeList):
1291         (JSC::LocalAllocator::offsetOfCellSize):
1292         * heap/LocalAllocatorInlines.h: Added.
1293         (JSC::LocalAllocator::allocate):
1294         * heap/MarkedSpace.cpp:
1295         (JSC::MarkedSpace::stopAllocatingForGood):
1296         * heap/MarkedSpace.h:
1297         * heap/SlotVisitor.cpp:
1298         * heap/SlotVisitor.h:
1299         * heap/Subspace.h:
1300         * heap/ThreadLocalCache.cpp: Added.
1301         (JSC::ThreadLocalCache::create):
1302         (JSC::ThreadLocalCache::ThreadLocalCache):
1303         (JSC::ThreadLocalCache::~ThreadLocalCache):
1304         (JSC::ThreadLocalCache::allocateData):
1305         (JSC::ThreadLocalCache::destroyData):
1306         (JSC::ThreadLocalCache::installSlow):
1307         (JSC::ThreadLocalCache::installData):
1308         (JSC::ThreadLocalCache::allocatorSlow):
1309         (JSC::ThreadLocalCache::destructor):
1310         * heap/ThreadLocalCache.h: Added.
1311         (JSC::ThreadLocalCache::offsetOfSize):
1312         (JSC::ThreadLocalCache::offsetOfFirstAllocator):
1313         * heap/ThreadLocalCacheInlines.h: Added.
1314         (JSC::ThreadLocalCache::getImpl):
1315         (JSC::ThreadLocalCache::get):
1316         (JSC::ThreadLocalCache::install):
1317         (JSC::ThreadLocalCache::allocator):
1318         (JSC::ThreadLocalCache::tryGetAllocator):
1319         * heap/ThreadLocalCacheLayout.cpp: Added.
1320         (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
1321         (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
1322         (JSC::ThreadLocalCacheLayout::allocateOffset):
1323         (JSC::ThreadLocalCacheLayout::snapshot):
1324         (JSC::ThreadLocalCacheLayout::directory):
1325         * heap/ThreadLocalCacheLayout.h: Added.
1326         * jit/AssemblyHelpers.cpp:
1327         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1328         (JSC::AssemblyHelpers::emitAllocate):
1329         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1330         * jit/AssemblyHelpers.h:
1331         (JSC::AssemblyHelpers::vm):
1332         (JSC::AssemblyHelpers::emitAllocateJSCell):
1333         (JSC::AssemblyHelpers::emitAllocateJSObject):
1334         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1335         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
1336         (JSC::AssemblyHelpers::emitAllocate): Deleted.
1337         (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
1338         * jit/JITOpcodes.cpp:
1339         (JSC::JIT::emit_op_new_object):
1340         (JSC::JIT::emit_op_create_this):
1341         * jit/JITOpcodes32_64.cpp:
1342         (JSC::JIT::emit_op_new_object):
1343         (JSC::JIT::emit_op_create_this):
1344         * runtime/ButterflyInlines.h:
1345         (JSC::Butterfly::createUninitialized):
1346         (JSC::Butterfly::tryCreate):
1347         (JSC::Butterfly::growArrayRight):
1348         * runtime/DirectArguments.cpp:
1349         (JSC::DirectArguments::overrideThings):
1350         * runtime/GenericArgumentsInlines.h:
1351         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1352         * runtime/HashMapImpl.h:
1353         (JSC::HashMapBuffer::create):
1354         * runtime/JSArray.cpp:
1355         (JSC::JSArray::tryCreateUninitializedRestricted):
1356         (JSC::JSArray::unshiftCountSlowCase):
1357         * runtime/JSArray.h:
1358         (JSC::JSArray::tryCreate):
1359         * runtime/JSArrayBufferView.cpp:
1360         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1361         * runtime/JSCellInlines.h:
1362         (JSC::tryAllocateCellHelper):
1363         * runtime/JSGlobalObject.cpp:
1364         (JSC::JSGlobalObject::JSGlobalObject):
1365         * runtime/JSGlobalObject.h:
1366         (JSC::JSGlobalObject::threadLocalCache const):
1367         * runtime/JSLock.cpp:
1368         (JSC::JSLock::didAcquireLock):
1369         * runtime/Options.h:
1370         * runtime/RegExpMatchesArray.h:
1371         (JSC::tryCreateUninitializedRegExpMatchesArray):
1372         * runtime/VM.cpp:
1373         (JSC::VM::VM):
1374         * runtime/VM.h:
1375         * runtime/VMEntryScope.cpp:
1376         (JSC::VMEntryScope::VMEntryScope):
1377
1378 2018-01-24  Joseph Pecoraro  <pecoraro@apple.com>
1379
1380         Web Inspector: Simplify update-LegacyInspectorBackendCommands.rb
1381         https://bugs.webkit.org/show_bug.cgi?id=182067
1382
1383         Reviewed by Brian Burg.
1384
1385         * inspector/scripts/codegen/models.py:
1386         (Framework.fromString):
1387         (Frameworks):
1388         * inspector/scripts/generate-inspector-protocol-bindings.py:
1389         (generate_from_specification):
1390         Allow framework WebInspectorUI to generate just the backend commands files.
1391
1392 2018-01-23  Mark Lam  <mark.lam@apple.com>
1393
1394         Update Poisoned pointers to take a Poison class instead of a uintptr_t&.
1395         https://bugs.webkit.org/show_bug.cgi?id=182017
1396         <rdar://problem/36795513>
1397
1398         Reviewed by Filip Pizlo and JF Bastien.
1399
1400         Removed the POISON() macro.  Now that we have Poison types, we can just use the
1401         Poison type instead and make the code a bit nicer to read.
1402
1403         * API/JSAPIWrapperObject.h:
1404         * API/JSCallbackFunction.h:
1405         * API/JSCallbackObject.h:
1406         * b3/B3LowerMacros.cpp:
1407         * b3/testb3.cpp:
1408         (JSC::B3::testInterpreter):
1409         * bytecode/CodeBlock.h:
1410         (JSC::CodeBlock::instructions):
1411         (JSC::CodeBlock::instructions const):
1412         * dfg/DFGOSRExitCompilerCommon.h:
1413         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
1414         * dfg/DFGSpeculativeJIT.cpp:
1415         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1416         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1417         * ftl/FTLLowerDFGToB3.cpp:
1418         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1419         * jit/JIT.h:
1420         * jit/ThunkGenerators.cpp:
1421         (JSC::virtualThunkFor):
1422         (JSC::nativeForGenerator):
1423         (JSC::boundThisNoArgsFunctionCallGenerator):
1424         * parser/UnlinkedSourceCode.h:
1425         * runtime/ArrayPrototype.h:
1426         * runtime/CustomGetterSetter.h:
1427         * runtime/DateInstance.h:
1428         * runtime/InternalFunction.h:
1429         * runtime/JSArrayBuffer.h:
1430         * runtime/JSCPoison.cpp:
1431         (JSC::initializePoison):
1432         * runtime/JSCPoison.h:
1433         * runtime/JSGlobalObject.h:
1434         * runtime/JSScriptFetchParameters.h:
1435         * runtime/JSScriptFetcher.h:
1436         * runtime/NativeExecutable.h:
1437         * runtime/StructureTransitionTable.h:
1438         * runtime/WriteBarrier.h:
1439         (JSC::WriteBarrier::poison): Deleted.
1440         * wasm/js/JSToWasm.cpp:
1441         (JSC::Wasm::createJSToWasmWrapper):
1442         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1443         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1444         * wasm/js/JSWebAssemblyCodeBlock.h:
1445         * wasm/js/JSWebAssemblyInstance.h:
1446         (JSC::JSWebAssemblyInstance::poison):
1447         * wasm/js/JSWebAssemblyMemory.h:
1448         * wasm/js/JSWebAssemblyModule.h:
1449         * wasm/js/JSWebAssemblyTable.h:
1450         * wasm/js/WasmToJS.cpp:
1451         (JSC::Wasm::handleBadI64Use):
1452         (JSC::Wasm::wasmToJS):
1453         * wasm/js/WebAssemblyFunctionBase.h:
1454         * wasm/js/WebAssemblyModuleRecord.h:
1455         * wasm/js/WebAssemblyToJSCallee.h:
1456         * wasm/js/WebAssemblyWrapperFunction.h:
1457
1458 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1459
1460         Unreviewed, suppress GCC warnings
1461         https://bugs.webkit.org/show_bug.cgi?id=181976
1462
1463         * runtime/TypedArrayType.h:
1464
1465 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1466
1467         [YARR] Add diagnosis for YarrJIT failures
1468         https://bugs.webkit.org/show_bug.cgi?id=181927
1469
1470         Reviewed by Sam Weinig.
1471
1472         It is nice if we can see the reason why YarrJIT fails to compile a given pattern.
1473         This patch introduces Yarr::JITFailureReason and dumps messages if Options::dumpCompiledRegExpPatterns is specified.
1474
1475         * runtime/RegExp.cpp:
1476         (JSC::RegExp::compile):
1477         (JSC::RegExp::compileMatchOnly):
1478         * yarr/YarrJIT.cpp:
1479         (JSC::Yarr::YarrGenerator::generateTerm):
1480         (JSC::Yarr::YarrGenerator::backtrackTerm):
1481         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1482         (JSC::Yarr::YarrGenerator::YarrGenerator):
1483         (JSC::Yarr::YarrGenerator::compile):
1484         (JSC::Yarr::dumpCompileFailure):
1485         (JSC::Yarr::jitCompile):
1486         * yarr/YarrJIT.h:
1487         (JSC::Yarr::YarrCodeBlock::setFallBack):
1488         (JSC::Yarr::YarrCodeBlock::fallBack):
1489         (JSC::Yarr::YarrCodeBlock::clear):
1490         (JSC::Yarr::YarrCodeBlock::YarrCodeBlock): Deleted.
1491         (JSC::Yarr::YarrCodeBlock::~YarrCodeBlock): Deleted.
1492         (JSC::Yarr::YarrCodeBlock::isFallBack): Deleted.
1493
1494 2018-01-23  Alex Christensen  <achristensen@webkit.org>
1495
1496         Remove pre-Sierra-OS-specific code in WTF and JavaScriptCore
1497         https://bugs.webkit.org/show_bug.cgi?id=182028
1498
1499         Reviewed by Keith Miller.
1500
1501         * inspector/remote/cocoa/RemoteInspectorXPCConnection.h:
1502         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
1503         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1504
1505 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1506
1507         Use precise index masking for FTL GetByArgumentByVal
1508         https://bugs.webkit.org/show_bug.cgi?id=182006
1509
1510         Reviewed by Keith Miller.
1511         
1512         This protects speculative out-of-bounds on arguments[index].
1513         
1514         Making this work right involved fixing a possible overflow situation with
1515         numberOfArgumentsToSkip.
1516
1517         * dfg/DFGByteCodeParser.cpp:
1518         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
1519         * dfg/DFGGraph.cpp:
1520         (JSC::DFG::Graph::dump):
1521         * dfg/DFGNode.h:
1522         (JSC::DFG::Node::hasNumberOfArgumentsToSkip):
1523         (JSC::DFG::Node::numberOfArgumentsToSkip):
1524         * dfg/DFGStackLayoutPhase.cpp:
1525         (JSC::DFG::StackLayoutPhase::run):
1526         * ftl/FTLLowerDFGToB3.cpp:
1527         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
1528
1529 2018-01-23  David Kilzer  <ddkilzer@apple.com>
1530
1531         Follow-up for: oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
1532         <https://webkit.org/b/181871>
1533         <rdar://problem/36669691>
1534
1535         Address feedback for this change.
1536
1537         * CMakeLists.txt: Change "SYSTEM PUBLIC" to "SYSTEM PRIVATE" per
1538         feedback from Konstantin Tokarev.
1539
1540 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1541
1542         Rollout r219636
1543         https://bugs.webkit.org/show_bug.cgi?id=181997
1544         <rdar://problem/35883022>
1545
1546         Unreviewed, as it is a rollout.
1547
1548         * dfg/DFGSpeculativeJIT.cpp:
1549         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1550         * runtime/JSArray.cpp:
1551         (JSC::JSArray::tryCreateUninitializedRestricted):
1552         * runtime/JSArray.h:
1553         (JSC::JSArray::tryCreate):
1554         * runtime/JSObject.cpp:
1555         (JSC::JSObject::ensureLengthSlow):
1556
1557 2018-01-23  Mark Lam  <mark.lam@apple.com>
1558
1559         Re-arrange TypedArray JSTypes to match the order of the TypedArrayType enum list.
1560         https://bugs.webkit.org/show_bug.cgi?id=181976
1561         <rdar://problem/36766936>
1562
1563         Reviewed by Filip Pizlo.
1564
1565         1. The order of TypedArray JSTypes now matches the order of the TypedArrayType enum
1566            list.  I also added static asserts in TypedArrayType.h to enforce this.
1567
1568            Also redefined FOR_EACH_TYPED_ARRAY_TYPE() in terms of
1569
1570         2. Define 4 new values:
1571            a. FirstTypedArrayType
1572            b. LastTypedArrayType
1573            c. NumberOfTypedArrayTypesExcludingDataView
1574            d. NumberOfTypedArrayTypes
1575
1576            Use these everywhere where we iterate or bisect the TypedArray JSTypes.
1577
1578         3. Removed NUMBER_OF_TYPED_ARRAY_TYPES, and use NumberOfTypedArrayTypes instead.
1579
1580         4. Simplify the code that converts between TypedArrayType and JSType.
1581
1582            Changed typedArrayTypeForType() to be the mirror image of typeForTypedArrayType().
1583            Previously, typedArrayTypeForType() converts DataViewType to NotTypedArray
1584            instead of TypeDataView.  Now, it converts to TypeDataView.
1585
1586            This does not result in any change of behavior because typedArrayTypeForType()
1587            is only called in Structure::hasIndexingHeader(), and its result is passed to
1588            isTypedView(), which handles TypeDataView correctly.
1589
1590         5. Also fixed a bug in SpeculativeJIT::compileGetTypedArrayByteOffset().
1591            If the vector is null, we can skip the rest of the checks.  While the current
1592            code does not result in incorrect behavior, it is inefficient, and communicates
1593            wrong information to the reader, i.e. implying that there's something in the
1594            dataGPR when there's not.  The dataGPR should also be null in this case.
1595
1596         * dfg/DFGByteCodeParser.cpp:
1597         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1598         * dfg/DFGSpeculativeJIT.cpp:
1599         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
1600         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1601         * ftl/FTLLowerDFGToB3.cpp:
1602         (JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):
1603         * ftl/FTLOSRExit.cpp:
1604         * llint/LowLevelInterpreter.asm:
1605         * llint/LowLevelInterpreter64.asm:
1606         * runtime/JSGlobalObject.cpp:
1607         (JSC::JSGlobalObject::visitChildren):
1608         * runtime/JSType.h:
1609         * runtime/TypedArrayType.cpp:
1610         (JSC::typeForTypedArrayType): Deleted.
1611         * runtime/TypedArrayType.h:
1612         (JSC::typedArrayTypeForType):
1613         (JSC::typeForTypedArrayType):
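
        Added illustration of the pattern this entry describes (keeping two enums in the
        same order, enforcing it with static asserts, and converting between them with
        mirror-image functions). This is not JavaScriptCore's actual TypedArrayType.h: the
        enum members, their values, and the ObjectType fallback are constructed for the
        example; only the names FirstTypedArrayType, LastTypedArrayType,
        NumberOfTypedArrayTypes, NumberOfTypedArrayTypesExcludingDataView,
        typeForTypedArrayType and typedArrayTypeForType are taken from the entry.

```cpp
// Added illustration, not JavaScriptCore's actual definitions: a constructed
// subset of TypedArrayType and JSType whose orders must stay in lockstep,
// with static_asserts enforcing that and mirror-image conversion functions.
// Member names and numeric values are assumptions for the example.
#include <cstdint>
#include <cstdio>

enum TypedArrayType : uint8_t {
    NotTypedArray,
    TypeInt8,
    TypeUint8,
    TypeInt32,
    TypeFloat64,
    TypeDataView,
};

// Assumed JSType layout: the typed-array types are contiguous, in the same
// order as TypedArrayType, with DataView last.
enum JSType : uint8_t {
    ObjectType = 20,
    Int8ArrayType,
    Uint8ArrayType,
    Int32ArrayType,
    Float64ArrayType,
    DataViewType,
};

// The four values the entry introduces, derived from the enum rather than
// hard-coded, so they cannot drift from it.
constexpr JSType FirstTypedArrayType = Int8ArrayType;
constexpr JSType LastTypedArrayType = DataViewType;
constexpr unsigned NumberOfTypedArrayTypes = LastTypedArrayType - FirstTypedArrayType + 1;
constexpr unsigned NumberOfTypedArrayTypesExcludingDataView = NumberOfTypedArrayTypes - 1;

// TypedArrayType -> JSType: a pure offset once the orders match.
constexpr JSType typeForTypedArrayType(TypedArrayType type)
{
    return type == NotTypedArray
        ? ObjectType // no dedicated JSType; an assumption for the illustration
        : static_cast<JSType>(FirstTypedArrayType + (type - TypeInt8));
}

// JSType -> TypedArrayType, the mirror image: DataViewType maps to TypeDataView,
// anything outside [FirstTypedArrayType, LastTypedArrayType] to NotTypedArray.
constexpr TypedArrayType typedArrayTypeForType(JSType type)
{
    return (type < FirstTypedArrayType || type > LastTypedArrayType)
        ? NotTypedArray
        : static_cast<TypedArrayType>(TypeInt8 + (type - FirstTypedArrayType));
}

// Compile-time enforcement: every typed-array member of the two enums must sit
// at the same offset from its enum's first typed-array member.
static_assert(TypeUint8 - TypeInt8 == Uint8ArrayType - Int8ArrayType, "Uint8 order mismatch");
static_assert(TypeInt32 - TypeInt8 == Int32ArrayType - Int8ArrayType, "Int32 order mismatch");
static_assert(TypeFloat64 - TypeInt8 == Float64ArrayType - Int8ArrayType, "Float64 order mismatch");
static_assert(TypeDataView - TypeInt8 == DataViewType - Int8ArrayType, "DataView order mismatch");
static_assert(typedArrayTypeForType(DataViewType) == TypeDataView, "DataView must round-trip");

// Runtime check that the two conversions really are inverses over the range.
bool conversionsAreMirrorImages()
{
    for (unsigned i = 0; i < NumberOfTypedArrayTypes; ++i) {
        TypedArrayType type = static_cast<TypedArrayType>(TypeInt8 + i);
        if (typedArrayTypeForType(typeForTypedArrayType(type)) != type)
            return false;
    }
    return typedArrayTypeForType(ObjectType) == NotTypedArray;
}

int main()
{
    std::printf("typed array types: %u (excluding DataView: %u), mirror images: %s\n",
        NumberOfTypedArrayTypes, NumberOfTypedArrayTypesExcludingDataView,
        conversionsAreMirrorImages() ? "yes" : "no");
    return 0;
}
```

        Reordering either enum without the other breaks the build at the static_asserts
        instead of silently misclassifying a cell type at runtime, which is the point of
        enforcing the order rather than documenting it.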
1614
1615 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1616
1617         DFG should always flush `this`
1618         https://bugs.webkit.org/show_bug.cgi?id=181999
1619
1620         Reviewed by Saam Barati and Mark Lam.
1621         
1622         This is going to make it possible to use precise index masking for arguments-on-the-stack
1623         accesses with an index adjusted so that 0 is this. Without this change, we would have no way
1624         of masking when the argument count is 0, unless we padded the argument area so that there was
1625         always an argument slot after `this` and it was always initialized.
1626         
1627         This is neutral on all benchmarks.
1628
1629         * dfg/DFGByteCodeParser.cpp:
1630         (JSC::DFG::ByteCodeParser::flushImpl):
1631         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
1632         (JSC::DFG::ByteCodeParser::flush):
1633         (JSC::DFG::ByteCodeParser::flushForTerminal):
1634         (JSC::DFG::ByteCodeParser::parse):
1635         (JSC::DFG::flushImpl): Deleted.
1636         (JSC::DFG::flushForTerminalImpl): Deleted.
1637         * dfg/DFGPreciseLocalClobberize.h:
1638         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1639
1640 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1641
1642         JSC should use a speculation fence on VM entry/exit
1643         https://bugs.webkit.org/show_bug.cgi?id=181991
1644
1645         Reviewed by JF Bastien and Mark Lam.
1646         
1647         This adds a WTF::speculationFence on VM entry and exit.
1648         
1649         On a microbenchmark that just calls a native function (supplied via an Objective-C block) in a
1650         tight loop from JS, this is a 0% regression on x86 and an 11% regression on ARM64.
1651         
1652         * runtime/JSLock.cpp:
1653         (JSC::JSLock::didAcquireLock):
1654         (JSC::JSLock::willReleaseLock):
1655
1656 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1657
1658         [JSC] JIT requires sizeof(bool) == 1
1659         https://bugs.webkit.org/show_bug.cgi?id=181150
1660
1661         Reviewed by Saam Barati.
1662
1663         LLInt and JIT assume that sizeof(bool) == 1. But it is implementation-dependent in the C++ spec.
1664         Since this is a mandatory requirement in JSC, we add a static_assert to ensure this.
1665
1666         * runtime/InitializeThreading.cpp:
1667
1668 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1669
1670         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1671         https://bugs.webkit.org/show_bug.cgi?id=181739
1672         <rdar://problem/36627662>
1673
1674         Reviewed by Saam Barati.
1675
1676         When calling a function, its number of arguments is set on the stack. When we turn a recursive tail call
1677         into a jump, we should update that stack slot as there is no guarantee that the function was originally
1678         called with the same number of arguments. Forgetting to do this is observable through 'arguments.length'.
1679
1680         It required adding a new DFG node: 'SetArgumentCountIncludingThis', that takes an unsigned int
1681         as its first OpInfo field, and stores it to the stack at the right place.
1682
1683         We must be a bit careful in where we put this new node, as it ClobbersExit.
1684         We must also fix DFGArgumentsEliminationPhase and DFGPutStackSinkingPhase as they assumed that any node that writes to the stack must write to either an argument or a local.
1685
1686         * dfg/DFGAbstractInterpreterInlines.h:
1687         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1688         * dfg/DFGArgumentsEliminationPhase.cpp:
1689         * dfg/DFGByteCodeParser.cpp:
1690         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1691         * dfg/DFGClobberize.h:
1692         (JSC::DFG::clobberize):
1693         * dfg/DFGDoesGC.cpp:
1694         (JSC::DFG::doesGC):
1695         * dfg/DFGFixupPhase.cpp:
1696         (JSC::DFG::FixupPhase::fixupNode):
1697         * dfg/DFGMayExit.cpp:
1698         * dfg/DFGNode.h:
1699         (JSC::DFG::Node::argumentCountIncludingThis):
1700         * dfg/DFGNodeType.h:
1701         * dfg/DFGPredictionPropagationPhase.cpp:
1702         * dfg/DFGPutStackSinkingPhase.cpp:
1703         * dfg/DFGSafeToExecute.h:
1704         (JSC::DFG::safeToExecute):
1705         * dfg/DFGSpeculativeJIT.cpp:
1706         (JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis):
1707         * dfg/DFGSpeculativeJIT.h:
1708         * dfg/DFGSpeculativeJIT32_64.cpp:
1709         (JSC::DFG::SpeculativeJIT::compile):
1710         * dfg/DFGSpeculativeJIT64.cpp:
1711         (JSC::DFG::SpeculativeJIT::compile):
1712         * ftl/FTLCapabilities.cpp:
1713         (JSC::FTL::canCompile):
1714         * ftl/FTLLowerDFGToB3.cpp:
1715         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1716         (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis):
1717
1718 2018-01-22  Michael Saboff  <msaboff@apple.com>
1719
1720         DFG abstract interpreter needs to properly model effects of some Math ops
1721         https://bugs.webkit.org/show_bug.cgi?id=181886
1722
1723         Reviewed by Saam Barati.
1724
1725         Reviewed the processing of the various ArithXXX and CompareXXX and found that
1726         several nodes don't handle UntypedUse.  Added clobberWorld() for those cases.
1727
1728         * dfg/DFGAbstractInterpreter.h:
1729         * dfg/DFGAbstractInterpreterInlines.h:
1730         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1731         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1732
1733 2018-01-21  Wenson Hsieh  <wenson_hsieh@apple.com>
1734
1735         Add a new feature flag for EXTRA_ZOOM_MODE and reintroduce AdditionalFeatureDefines.h
1736         https://bugs.webkit.org/show_bug.cgi?id=181918
1737
1738         Reviewed by Tim Horton.
1739
1740         Add EXTRA_ZOOM_MODE to FeatureDefines.xcconfig (off by default).
1741
1742         * Configurations/FeatureDefines.xcconfig:
1743
1744 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1745
1746         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1747         https://bugs.webkit.org/show_bug.cgi?id=181182
1748
1749         Reviewed by Darin Adler.
1750
1751         Casting double to integer is undefined behavior when the truncation
1752         results in a value that doesn't fit into the integer size,
1753         according to the C++ spec [1]. Thus, we are changing bigIntProtoFuncToString and
1754         numberProtoFuncToString to remove these sources of undefined
1755         behavior.
1756
1757         [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
1758
1759         * runtime/BigIntPrototype.cpp:
1760         (JSC::bigIntProtoFuncToString):
1761         * runtime/NumberPrototype.cpp:
1762         (JSC::numberProtoFuncToString):
1763         (JSC::extractToStringRadixArgument):
1764         (JSC::extractRadixFromArgs): Deleted.
1765         * runtime/NumberPrototype.h:
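
        Added example of the defensive pattern this entry applies: convert a double to
        int32_t only after proving the truncated value is in range, so the cast is never
        the undefined behaviour described above. This is not JavaScriptCore's code; the
        radix range [2, 36] is Number.prototype.toString's, and how JSC's
        extractToStringRadixArgument actually handles its argument is assumed, not
        copied. The generic truncateToInt32 check goes beyond the radix case to any
        double-to-int32 conversion.

```cpp
// Added illustration (not JavaScriptCore's code): convert a double to int32_t
// only after proving the truncated value fits, so the cast is never undefined
// behaviour. The radix range [2, 36] is Number.prototype.toString's; how JSC's
// extractToStringRadixArgument handles the argument is assumed, not copied.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Truncate toward zero (as ECMAScript ToInteger does) and store the result in
// `out` only if it is representable as int32_t. NaN must be rejected explicitly:
// every comparison with NaN is false, so the range test alone would let it
// through to the cast.
bool truncateToInt32(double d, int32_t& out)
{
    if (std::isnan(d))
        return false;
    double truncated = std::trunc(d); // +/-infinity stay infinite and fail the range test
    // Both int32_t bounds are exactly representable as doubles.
    if (truncated < static_cast<double>(std::numeric_limits<int32_t>::min())
        || truncated > static_cast<double>(std::numeric_limits<int32_t>::max()))
        return false;
    out = static_cast<int32_t>(truncated); // provably in range, so well defined
    return true;
}

// Probe for the generic check: would static_cast<int32_t>(d) be well defined?
bool fitsInt32AfterTruncation(double d)
{
    int32_t unused = 0;
    return truncateToInt32(d, unused);
}

// Returns the toString radix in [2, 36], or -1 when the argument is not a valid
// radix (NaN, infinite, or out of range after truncation). The unsafe pattern
// the entry removes was a direct static_cast<int32_t>(d) before any range check.
int32_t extractToStringRadix(double d)
{
    int32_t radix = 0;
    if (!truncateToInt32(d, radix))
        return -1;
    if (radix < 2 || radix > 36)
        return -1;
    return radix;
}

int main()
{
    // Constructed inputs covering the edge cases.
    const double samples[] = { 16.9, 2.0, 1.9, 37.0, 1e10, -1e300,
        std::numeric_limits<double>::quiet_NaN(), std::numeric_limits<double>::infinity() };
    for (double d : samples)
        std::printf("%g -> radix %d, fits int32: %s\n", d, extractToStringRadix(d),
            fitsInt32AfterTruncation(d) ? "yes" : "no");
    return 0;
}
```

        The order of checks matters: the NaN test comes first because NaN fails every
        comparison, and the range comparison is done in double precision before the
        cast, never on the already-converted integer.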
1766
1767 2018-01-19  Saam Barati  <sbarati@apple.com>
1768
1769         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1770         https://bugs.webkit.org/show_bug.cgi?id=181877
1771         <rdar://problem/36630552>
1772
1773         Reviewed by Mark Lam.
1774
1775         Before this patch, we used to assert that op_negate's result ArithProfile
1776         only produces number. It's logically true that negate only produces a number.
1777         However, the DFG may incorrectly pick this ArithProfile when doing OSR exit
1778         profiling. So we'll end up profiling something that's likely the input to
1779         negate. This patch removes the assert. We cede to the fact that Graph::methodOfGettingAValueProfileFor
1780         is entirely heuristic based, potentially leading to profiling results being imprecise.
1781
1782         * dfg/DFGByteCodeParser.cpp:
1783         (JSC::DFG::ByteCodeParser::makeSafe):
1784
1785 2018-01-19  David Kilzer  <ddkilzer@apple.com>
1786
1787         oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
1788         <https://webkit.org/b/181871>
1789
1790         Rubber-stamped by JF Bastien.
1791
1792         * CMakeLists.txt: Add ICU header search path to
1793         LLIntOffsetsExtractor target by reusing
1794         JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES.
1795
1796 2018-01-19  Saam Barati  <sbarati@apple.com>
1797
1798         Spread's effects are modeled incorrectly both in AI and in Clobberize
1799         https://bugs.webkit.org/show_bug.cgi?id=181867
1800         <rdar://problem/36290415>
1801
1802         Reviewed by Michael Saboff.
1803
1804         * dfg/DFGAbstractInterpreterInlines.h:
1805         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1806         * dfg/DFGClobberize.h:
1807         (JSC::DFG::clobberize):
1808
1809 2018-01-19  Keith Miller  <keith_miller@apple.com>
1810
1811         HaveInternalSDK includes should be "#include?"
1812         https://bugs.webkit.org/show_bug.cgi?id=179670
1813
1814         Reviewed by Dan Bernstein.
1815
1816         * Configurations/Base.xcconfig:
1817
1818 2018-01-18  JF Bastien  <jfbastien@apple.com>
1819
1820         Set the minimum executable allocator size properly
1821         https://bugs.webkit.org/show_bug.cgi?id=181816
1822         <rdar://problem/36635533>
1823
1824         Reviewed by Saam Barati.
1825
1826         Executable allocator expects at least two page sizes' worth of
1827         allocation in certain conditions, and that causes some tests to
1828         now fail because they ask for less. Set that minimum correctly. We
1829         were already rounding up to a page size, so having a minimum of 2
1830         page sizes is fine.
1831
1832         * jit/ExecutableAllocator.cpp:
1833         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1834
1835 2018-01-18  Michael Saboff  <msaboff@apple.com>
1836
1837         Unreviewed build fix for Windows
1838
1839         * interpreter/FrameTracers.h:
1840         (JSC::assertStackPointerIsAligned): Can't use gcc style inlined assembly
1841         on Windows.
1842
1843 2018-01-18  Mark Lam  <mark.lam@apple.com>
1844
1845         Poisons should be initialized after Options are initialized.
1846         https://bugs.webkit.org/show_bug.cgi?id=181807
1847         <rdar://problem/36629138>
1848
1849         Reviewed by Keith Miller.
1850
1851         This is because poison initialization may depend on options.
1852
1853         * runtime/InitializeThreading.cpp:
1854         (JSC::initializeThreading):
1855
1856 2018-01-18  Dan Bernstein  <mitz@apple.com>
1857
1858         [Xcode] Streamline and future-proof target-macOS-version-dependent build setting definitions
1859         https://bugs.webkit.org/show_bug.cgi?id=181803
1860
1861         Reviewed by Tim Horton.
1862
1863         * Configurations/Base.xcconfig: Updated.
1864         * Configurations/DebugRelease.xcconfig: Ditto.
1865         * Configurations/FeatureDefines.xcconfig: Adopted macOSTargetConditionals helpers.
1866         * Configurations/Version.xcconfig: Updated.
1867         * Configurations/macOSTargetConditionals.xcconfig: Added. Defines helper build settings
1868           useful for defining settings that depend on the target macOS version.
1869
1870 2018-01-18  Michael Saboff  <msaboff@apple.com>
1871
1872         REGRESSION (r226068): [X86] Crash in JavaScriptCore ShadowChicken when handling exceptions
1873         https://bugs.webkit.org/show_bug.cgi?id=181802
1874
1875         Reviewed by Filip Pizlo.
1876
1877         There were a few places where the stack isn't properly aligned for X86 when we call into C++ code.
1878         Two places are where we call into exception handling code, the LLInt and from nativeForGenerator.
1879         The other place was when we call into the operationOSRWriteBarrier().
1880
1881         Added an assert check that the stack is aligned on X86 platforms in the native call tracing code.
1882         This helped find the other cases beyond the original problem.
1883
1884         * dfg/DFGOSRExitCompilerCommon.cpp:
1885         (JSC::DFG::osrWriteBarrier):
1886         * interpreter/FrameTracers.h:
1887         (JSC::assertStackPointerIsAligned):
1888         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1889         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
1890         * jit/ThunkGenerators.cpp:
1891         (JSC::nativeForGenerator):
1892         * llint/LowLevelInterpreter32_64.asm:
1893
1894 2018-01-18  Commit Queue  <commit-queue@webkit.org>
1895
1896         Unreviewed, rolling out r227096.
1897         https://bugs.webkit.org/show_bug.cgi?id=181788
1898
1899         "it caused a 15% octane regression" (Requested by saamyjoon on
1900         #webkit).
1901
1902         Reverted changeset:
1903
1904         "Support MultiGetByOffset in the DFG"
1905         https://bugs.webkit.org/show_bug.cgi?id=181466
1906         https://trac.webkit.org/changeset/227096
1907
1908 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1909
1910         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1911         https://bugs.webkit.org/show_bug.cgi?id=181535
1912
1913         Reviewed by Saam Barati.
1914
1915         When executing code like `string.match(/regexp/)`, a `/regexp/` object is created every time we execute this code.
1916         However, the user rarely cares about this `/regexp/` object. Typically, it is soon discarded even if it has `lastIndex`
1917         information. So we should not create RegExpObject for this typical case.
1918
1919         This patch introduces PhantomNewRegexp. We convert NewRegexp node to PhantomNewRegexp in Object Allocation Sinking (OAS)
1920         phase. We should do this analysis in OAS phase since we track modifications to `lastIndex` in the OAS phase. Even if
1921         `lastIndex` is modified, it may not be read by users. So we have a chance to drop this NewRegexp because we carefully model
1922         SetRegExpObjectLastIndex and GetRegExpObjectLastIndex in OAS phase.
1923
1924         This patch is a first attempt to drop NewRegexp. So we start optimizing it with the simple step: we first drop RegExps that are
1925         non-global and non-sticky. We can later extend this optimization for RegExp with global flag. But this is not included
1926         in this patch.
1927
1928         We convert RegExpExec to RegExpExecNonGlobalOrSticky if we find that the given RegExpObject's RegExp is not global/sticky
1929         flagged. Since we do not need to touch `lastIndex` property in this case, RegExpExecNonGlobalOrSticky just takes RegExp
1930         instead of RegExpObject. This offers the chance to make NewRegExp unused.
1931
1932         We also convert RegExpMatchFast to RegExpExecNonGlobalOrSticky if its RegExpObject's RegExp is non-global and non-sticky,
1933         since they have the same behavior.
1934
1935         The above optimization completely removes NewRegexp in SixSpeed's regexp-u.{es5,es6}. The resulting execution time is
1936         roughly the pure execution time of our Yarr implementation.
1937
1938                                      baseline                  patched
1939
1940             regex-u.es5          34.8557+-0.5963     ^      6.1507+-0.5526        ^ definitely 5.6670x faster
1941             regex-u.es6          89.1919+-3.3851     ^     32.0917+-0.4260        ^ definitely 2.7793x faster
1942
1943         This patch does not change Octane/RegExp so much since it heavily uses String.prototype.replace, which is not handled in
1944         this patch right now. We should support StringReplace node in subsequent patches.
1945
1946         * dfg/DFGAbstractInterpreterInlines.h:
1947         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1948         * dfg/DFGByteCodeParser.cpp:
1949         (JSC::DFG::ByteCodeParser::parseBlock):
1950         * dfg/DFGClobberize.h:
1951         (JSC::DFG::clobberize):
1952         * dfg/DFGClobbersExitState.cpp:
1953         (JSC::DFG::clobbersExitState):
1954         * dfg/DFGDoesGC.cpp:
1955         (JSC::DFG::doesGC):
1956         * dfg/DFGFixupPhase.cpp:
1957         (JSC::DFG::FixupPhase::fixupNode):
1958         * dfg/DFGGraph.cpp:
1959         (JSC::DFG::Graph::dump):
1960         * dfg/DFGMayExit.cpp:
1961         * dfg/DFGNode.cpp:
1962         (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky):
1963         * dfg/DFGNode.h:
1964         (JSC::DFG::Node::convertToPhantomNewRegexp):
1965         (JSC::DFG::Node::convertToSetRegExpObjectLastIndex):
1966         (JSC::DFG::Node::hasHeapPrediction):
1967         (JSC::DFG::Node::hasCellOperand):
1968         (JSC::DFG::Node::isPhantomAllocation):
1969         (JSC::DFG::Node::hasIgnoreLastIndexIsWritable):
1970         (JSC::DFG::Node::ignoreLastIndexIsWritable):
1971         * dfg/DFGNodeType.h:
1972         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1973         * dfg/DFGOperations.cpp:
1974         * dfg/DFGOperations.h:
1975         * dfg/DFGPredictionPropagationPhase.cpp:
1976         * dfg/DFGPromotedHeapLocation.cpp:
1977         (WTF::printInternal):
1978         * dfg/DFGPromotedHeapLocation.h:
1979         (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization const):
1980         * dfg/DFGSafeToExecute.h:
1981         (JSC::DFG::safeToExecute):
1982         * dfg/DFGSpeculativeJIT.cpp:
1983         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
1984         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
1985         (JSC::DFG::SpeculativeJIT::compileRegExpExecNonGlobalOrSticky):
1986         * dfg/DFGSpeculativeJIT.h:
1987         (JSC::DFG::SpeculativeJIT::callOperation):
1988         * dfg/DFGSpeculativeJIT32_64.cpp:
1989         (JSC::DFG::SpeculativeJIT::compile):
1990         * dfg/DFGSpeculativeJIT64.cpp:
1991         (JSC::DFG::SpeculativeJIT::compile):
1992         * dfg/DFGStrengthReductionPhase.cpp:
1993         (JSC::DFG::StrengthReductionPhase::handleNode):
1994         * dfg/DFGValidate.cpp:
1995         * ftl/FTLCapabilities.cpp:
1996         (JSC::FTL::canCompile):
1997         * ftl/FTLLowerDFGToB3.cpp:
1998         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1999         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky):
2000         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2001         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2002         * ftl/FTLOperations.cpp:
2003         (JSC::FTL::operationPopulateObjectInOSR):
2004         (JSC::FTL::operationMaterializeObjectInOSR):
2005         * jit/JITOperations.h:
2006         * runtime/RegExpObject.h:
2007         (JSC::RegExpObject::create):
2008
2009 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2010
2011         [FTL] Remove unused helper functions to convert node to PutHint
2012         https://bugs.webkit.org/show_bug.cgi?id=181775
2013
2014         Reviewed by Saam Barati.
2015
2016         We are using PromotedHeapLocation::createHint. So they are not necessary.
2017
2018         * dfg/DFGNode.cpp:
2019         (JSC::DFG::Node::convertToPutHint): Deleted.
2020         (JSC::DFG::Node::convertToPutStructureHint): Deleted.
2021         (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
2022         (JSC::DFG::Node::convertToPutClosureVarHint): Deleted.
2023         * dfg/DFGNode.h:
2024
2025 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2026
2027         Unreviewed, suppress warnings on GCC
2028
2029         Since `length` and `p` are always positive or zero,
2030         static_cast<unsigned>() does what we want.
2031
2032         * runtime/JSBigInt.cpp:
2033         (JSC::JSBigInt::parseInt):
2034
2035 2018-01-17  Saam Barati  <sbarati@apple.com>
2036
2037         Disable Atomics when SharedArrayBuffer isn’t enabled
2038         https://bugs.webkit.org/show_bug.cgi?id=181572
2039         <rdar://problem/36553206>
2040
2041         Reviewed by Michael Saboff.
2042
2043         * runtime/JSGlobalObject.cpp:
2044         (JSC::JSGlobalObject::init):
2045         (JSC::createAtomicsProperty): Deleted.
2046
2047 2018-01-17  Saam Barati  <sbarati@apple.com>
2048
2049         Support MultiGetByOffset in the DFG
2050         https://bugs.webkit.org/show_bug.cgi?id=181466
2051
2052         Reviewed by Keith Miller.
2053
2054         This seems to benefit Speedometer in my local testing. It seems like this
2055         might be around a 0.5% improvement.
2056
2057         * dfg/DFGAbstractInterpreterInlines.h:
2058         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2059         * dfg/DFGByteCodeParser.cpp:
2060         (JSC::DFG::ByteCodeParser::handleGetById):
2061         * dfg/DFGConstantFoldingPhase.cpp:
2062         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2063         * dfg/DFGGraph.h:
2064         (JSC::DFG::Graph::supportsMultiGetByOffset):
2065         * dfg/DFGSpeculativeJIT64.cpp:
2066         (JSC::DFG::SpeculativeJIT::compile):
2067
2068 2018-01-17  Saam Barati  <sbarati@apple.com>
2069
2070         DFG::Node::convertToConstant needs to clear the varargs flags
2071         https://bugs.webkit.org/show_bug.cgi?id=181697
2072         <rdar://problem/36497332>
2073
2074         Reviewed by Yusuke Suzuki.
2075
2076         * dfg/DFGNode.h:
2077         (JSC::DFG::Node::convertToConstant):
2078
2079 2018-01-16  JF Bastien  <jfbastien@apple.com>
2080
2081         Allow dangerous disabling of poison
2082         https://bugs.webkit.org/show_bug.cgi?id=181685
2083         <rdar://problem/36546265>
2084
2085         Reviewed by Keith Miller.
2086
2087         Some tools such as leak detectors and such like to look at real
2088         pointers, and poisoned ones confuse them. Add a JSC option to
2089         disable poisoning, but log to the console when this is done.
2090
2091         * runtime/JSCPoison.cpp:
2092         (JSC::initializePoison):
2093         * runtime/Options.h:
2094
2095 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
2096
2097         Unreviewed, rolling out r226937.
2098
2099         Tests added with this change are failing due to a missing
2100         exception check.
2101
2102         Reverted changeset:
2103
2104         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
2105         double to int32_t"
2106         https://bugs.webkit.org/show_bug.cgi?id=181182
2107         https://trac.webkit.org/changeset/226937
2108
2109 2018-01-16  Michael Catanzaro  <mcatanzaro@igalia.com>
2110
2111         Test programs should only be built in developer mode
2112         https://bugs.webkit.org/show_bug.cgi?id=181653
2113
2114         Reviewed by Carlos Garcia Campos.
2115
2116         Build test programs only in developer mode, and fix code style.
2117
2118         * shell/CMakeLists.txt:
2119
2120 2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2121
2122         Improve use of ExportMacros
2123         https://bugs.webkit.org/show_bug.cgi?id=181652
2124
2125         Reviewed by Konstantin Tokarev.
2126
2127         * API/JSBase.h: Update a comment.
2128         * inspector/InspectorBackendDispatcher.h: Use a better, yet equivalent, WTF macro.
2129         * runtime/JSExportMacros.h: Simplify the #defines in this file.
2130
2131 2018-01-15  JF Bastien  <jfbastien@apple.com>
2132
2133         Remove makePoisonedUnique
2134         https://bugs.webkit.org/show_bug.cgi?id=181630
2135         <rdar://problem/36498623>
2136
2137         Reviewed by Mark Lam.
2138
2139         I added a conversion from std::unique_ptr, so we can just use
2140         std::make_unique and it'll auto-poison when converted.
2141
2142         * bytecode/CodeBlock.h:
2143         (JSC::CodeBlock::makePoisonedUnique): Deleted.
2144         * runtime/JSGlobalObject.cpp:
2145         (JSC::JSGlobalObject::init):
2146         * runtime/JSGlobalObject.h:
2147         (JSC::JSGlobalObject::makePoisonedUnique): Deleted.
2148
2149 2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2150
2151         REGRESSION(r226266): [GTK] RELEASE_ASSERT(reservedZoneSize >= minimumReservedZoneSize) in JSC::VM::updateStackLimits
2152         https://bugs.webkit.org/show_bug.cgi?id=181438
2153         <rdar://problem/36376724>
2154
2155         Reviewed by Carlos Garcia Campos.
2156
2157         Roll out the functional changes of r226266. We'll keep the minor CMake library type setting
2158         cleanup, but we have to switch back to building JSC only as a shared library, and we have to
2159         get rid of the version script.
2160
2161         * PlatformGTK.cmake:
2162         * javascriptcoregtk-symbols.map: Removed.
2163
2164 2018-01-14  Saam Barati  <sbarati@apple.com>
2165
2166         Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build.
2167
2168         * bytecode/CallLinkStatus.cpp:
2169         (JSC::CallLinkStatus::computeFromLLInt):
2170         (JSC::CallLinkStatus::computeExitSiteData):
2171
2172 2018-01-13  Mark Lam  <mark.lam@apple.com>
2173
2174         Replace all use of ConstExprPoisoned with Poisoned.
2175         https://bugs.webkit.org/show_bug.cgi?id=181542
2176         <rdar://problem/36442138>
2177
2178         Reviewed by JF Bastien.
2179
2180         1. All JSC poisons are now defined in JSCPoison.h.
2181
2182         2. Change all clients to use the new poison values via the POISON() macro.
2183
2184         3. The LLInt code has been updated to handle CodeBlock poison.  Some of this code
2185            uses the t5 temp register, which is not available on the Windows port.
2186            Fortunately, we don't currently do poisoning on the Windows port yet.  So,
2187            it will just work for now.
2188
2189            When poisoning is enabled for the Windows port, this LLInt code will need a
2190            Windows-specific implementation to work around its lack of a t5 register.
2191
2192         * API/JSAPIWrapperObject.h:
2193         * API/JSCallbackFunction.h:
2194         * API/JSCallbackObject.h:
2195         * JavaScriptCore.xcodeproj/project.pbxproj:
2196         * Sources.txt:
2197         * assembler/MacroAssemblerCodeRef.h:
2198         (JSC::MacroAssemblerCodePtr::emptyValue):
2199         (JSC::MacroAssemblerCodePtr::deletedValue):
2200         * b3/B3LowerMacros.cpp:
2201         * b3/testb3.cpp:
2202         (JSC::B3::testInterpreter):
2203         * bytecode/CodeBlock.h:
2204         (JSC::CodeBlock::instructions):
2205         (JSC::CodeBlock::instructions const):
2206         (JSC::CodeBlock::makePoisonedUnique):
2207         * dfg/DFGOSRExitCompilerCommon.h:
2208         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
2209         * dfg/DFGSpeculativeJIT.cpp:
2210         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2211         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2212         * ftl/FTLLowerDFGToB3.cpp:
2213         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2214         * jit/JIT.h:
2215         * jit/ThunkGenerators.cpp:
2216         (JSC::virtualThunkFor):
2217         (JSC::nativeForGenerator):
2218         (JSC::boundThisNoArgsFunctionCallGenerator):
2219         * llint/LowLevelInterpreter.asm:
2220         * llint/LowLevelInterpreter32_64.asm:
2221         * llint/LowLevelInterpreter64.asm:
2222         * parser/UnlinkedSourceCode.h:
2223         * runtime/ArrayPrototype.h:
2224         * runtime/CustomGetterSetter.h:
2225         * runtime/DateInstance.h:
2226         * runtime/InternalFunction.h:
2227         * runtime/JSArrayBuffer.h:
2228         * runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
2229         (JSC::initializePoison):
2230         * runtime/JSCPoison.h:
2231         (): Deleted.
2232         * runtime/JSCPoisonedPtr.cpp: Removed.
2233         * runtime/JSCPoisonedPtr.h: Removed.
2234         * runtime/JSGlobalObject.h:
2235         (JSC::JSGlobalObject::makePoisonedUnique):
2236         * runtime/JSScriptFetchParameters.h:
2237         * runtime/JSScriptFetcher.h:
2238         * runtime/NativeExecutable.h:
2239         * runtime/StructureTransitionTable.h:
2240         (JSC::StructureTransitionTable::map const):
2241         (JSC::StructureTransitionTable::weakImpl const):
2242         * runtime/WriteBarrier.h:
2243         (JSC::WriteBarrier::poison):
2244         * wasm/js/JSToWasm.cpp:
2245         (JSC::Wasm::createJSToWasmWrapper):
2246         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2247         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2248         * wasm/js/JSWebAssemblyCodeBlock.h:
2249         * wasm/js/JSWebAssemblyInstance.h:
2250         * wasm/js/JSWebAssemblyMemory.h:
2251         * wasm/js/JSWebAssemblyModule.h:
2252         * wasm/js/JSWebAssemblyTable.h:
2253         * wasm/js/WasmToJS.cpp:
2254         (JSC::Wasm::handleBadI64Use):
2255         (JSC::Wasm::wasmToJS):
2256         * wasm/js/WebAssemblyFunctionBase.h:
2257         * wasm/js/WebAssemblyModuleRecord.h:
2258         * wasm/js/WebAssemblyToJSCallee.h:
2259         * wasm/js/WebAssemblyWrapperFunction.h:
2260
2261 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
2262
2263         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
2264         https://bugs.webkit.org/show_bug.cgi?id=181182
2265
2266         Reviewed by Darin Adler.
2267
2268         Casting a double to an integer is undefined behavior when the truncation
2269         results in a value that doesn't fit into the integer type, according to the C++
2270         spec[1]. Thus, we are changing bigIntProtoFuncToString and
2271         numberProtoFuncToString to remove these sources of undefined behavior.
2272
2273         [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
2274
2275         * runtime/BigIntPrototype.cpp:
2276         (JSC::bigIntProtoFuncToString):
2277         * runtime/NumberPrototype.cpp:
2278         (JSC::numberProtoFuncToString):
2279         (JSC::extractRadixFromArgs): Deleted.
2280         (JSC::extractToStringRadixArgument): Added.
2281
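        The entry above describes the hazard but not the shape of the fix. The following is an added example, not
        JSC's code: the helper names truncateToInt32IfRepresentable and safeRadixFromDouble are hypothetical and only
        mirror the idea behind extractToStringRadixArgument, which is to check the range before the cast rather than after it.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <optional>

// Added example, not JSC's code. Function names are hypothetical.
//
// The unsafe shape the entry describes looks like this:
//
//     int32_t radix = static_cast<int32_t>(value); // UB when trunc(value) does not fit in int32_t
//     if (radix < 2 || radix > 36)
//         throwRangeError(...);
//
// The range check runs after the cast, so for inputs such as 1e300, NaN or
// Infinity the undefined behavior has already happened before the check.

// Truncates `value` toward zero and converts it to int32_t only when the
// truncated result is representable. NaN and +/-Infinity yield nullopt:
// every comparison with NaN is false, and Infinity is out of range.
std::optional<int32_t> truncateToInt32IfRepresentable(double value)
{
    double truncated = std::trunc(value);
    // Both int32_t bounds are exactly representable as doubles, and comparing
    // doubles is always well defined, unlike the out-of-range cast.
    const double low = static_cast<double>(std::numeric_limits<int32_t>::min());
    const double high = static_cast<double>(std::numeric_limits<int32_t>::max());
    if (!(truncated >= low && truncated <= high))
        return std::nullopt;
    return static_cast<int32_t>(truncated); // in range, so the cast is well defined
}

// Radix extraction in the spirit of Number.prototype.toString(radix): the
// argument is first converted to an integer (ToInteger truncates), and the
// result must lie in [2, 36]. Returning nullopt stands in for throwing a
// RangeError; the caller decides how to report it.
std::optional<int32_t> safeRadixFromDouble(double value)
{
    std::optional<int32_t> integer = truncateToInt32IfRepresentable(value);
    if (!integer || *integer < 2 || *integer > 36)
        return std::nullopt;
    return integer;
}
```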
2282 2018-01-12  Saam Barati  <sbarati@apple.com>
2283
2284         Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock
2285         https://bugs.webkit.org/show_bug.cgi?id=181545
2286
2287         Reviewed by Michael Saboff.
2288
2289         This patch follows the theme of putting optimization profiling information on
2290         UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data.
2291         This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock
2292         pulled from the code cache, making better compilation decisions, usually
2293         resulting in fewer exits, and fewer recompilations.
2294         
2295         This is a 1% Speedometer progression in my testing.
2296
2297         * bytecode/BytecodeDumper.cpp:
2298         (JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
2299         * bytecode/CallLinkStatus.cpp:
2300         (JSC::CallLinkStatus::computeFromLLInt):
2301         (JSC::CallLinkStatus::computeFor):
2302         (JSC::CallLinkStatus::computeExitSiteData):
2303         (JSC::CallLinkStatus::computeDFGStatuses):
2304         * bytecode/CallLinkStatus.h:
2305         * bytecode/CodeBlock.h:
2306         (JSC::CodeBlock::addFrequentExitSite): Deleted.
2307         (JSC::CodeBlock::hasExitSite const): Deleted.
2308         (JSC::CodeBlock::exitProfile): Deleted.
2309         * bytecode/DFGExitProfile.cpp:
2310         (JSC::DFG::ExitProfile::add):
2311         (JSC::DFG::QueryableExitProfile::initialize):
2312         * bytecode/DFGExitProfile.h:
2313         (JSC::DFG::ExitProfile::hasExitSite const):
2314         * bytecode/GetByIdStatus.cpp:
2315         (JSC::GetByIdStatus::hasExitSite):
2316         (JSC::GetByIdStatus::computeFor):
2317         (JSC::GetByIdStatus::computeForStubInfo):
2318         * bytecode/GetByIdStatus.h:
2319         * bytecode/PutByIdStatus.cpp:
2320         (JSC::PutByIdStatus::hasExitSite):
2321         (JSC::PutByIdStatus::computeFor):
2322         (JSC::PutByIdStatus::computeForStubInfo):
2323         * bytecode/PutByIdStatus.h:
2324         * bytecode/UnlinkedCodeBlock.cpp:
2325         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
2326         * bytecode/UnlinkedCodeBlock.h:
2327         (JSC::UnlinkedCodeBlock::hasExitSite const):
2328         (JSC::UnlinkedCodeBlock::hasExitSite):
2329         (JSC::UnlinkedCodeBlock::exitProfile):
2330         * dfg/DFGByteCodeParser.cpp:
2331         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2332         * dfg/DFGGraph.h:
2333         (JSC::DFG::Graph::hasGlobalExitSite):
2334         (JSC::DFG::Graph::hasExitSite):
2335         * dfg/DFGLICMPhase.cpp:
2336         (JSC::DFG::LICMPhase::attemptHoist):
2337         * dfg/DFGOSRExitBase.cpp:
2338         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2339
2340 2018-01-12  JF Bastien  <jfbastien@apple.com>
2341
2342         PoisonedWriteBarrier
2343         https://bugs.webkit.org/show_bug.cgi?id=181599
2344         <rdar://problem/36474351>
2345
2346         Reviewed by Mark Lam.
2347
2348         Allow poisoning of WriteBarrier objects, and use this for
2349         WebAssembly because it is perf-neutral, at least on WasmBench on
2350         my MBP. If it indeed is perf-neutral according to the bots, start
2351         using it in more performance-sensitive places.
2352
2353         * heap/HandleTypes.h:
2354         * heap/SlotVisitor.h:
2355         * heap/SlotVisitorInlines.h:
2356         (JSC::SlotVisitor::append):
2357         (JSC::SlotVisitor::appendHidden):
2358         * runtime/JSCJSValue.h:
2359         * runtime/JSCPoison.h:
2360         * runtime/Structure.h:
2361         * runtime/StructureInlines.h:
2362         (JSC::Structure::setPrototypeWithoutTransition):
2363         (JSC::Structure::setGlobalObject):
2364         (JSC::Structure::setPreviousID):
2365         * runtime/WriteBarrier.h:
2366         (JSC::WriteBarrierBase::copyFrom):
2367         (JSC::WriteBarrierBase::get const):
2368         (JSC::WriteBarrierBase::operator* const):
2369         (JSC::WriteBarrierBase::operator-> const):
2370         (JSC::WriteBarrierBase::clear):
2371         (JSC::WriteBarrierBase::slot):
2372         (JSC::WriteBarrierBase::operator bool const):
2373         (JSC::WriteBarrierBase::setWithoutWriteBarrier):
2374         (JSC::WriteBarrierBase::unvalidatedGet const):
2375         (JSC::operator==):
2376         * runtime/WriteBarrierInlines.h:
2377         (JSC::Traits>::set):
2378         (JSC::Traits>::setMayBeNull):
2379         (JSC::Traits>::setEarlyValue):
2380         (JSC::DumbValueTraits<Unknown>>::set):
2381         * wasm/WasmInstance.h:
2382         * wasm/js/JSWebAssemblyInstance.cpp:
2383         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
2384         (JSC::JSWebAssemblyInstance::finishCreation):
2385         (JSC::JSWebAssemblyInstance::visitChildren):
2386         (JSC::JSWebAssemblyInstance::create):
2387         * wasm/js/JSWebAssemblyInstance.h:
2388         (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee):
2389         * wasm/js/JSWebAssemblyMemory.h:
2390         * wasm/js/JSWebAssemblyModule.h:
2391         * wasm/js/JSWebAssemblyTable.cpp:
2392         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
2393         (JSC::JSWebAssemblyTable::grow):
2394         (JSC::JSWebAssemblyTable::clearFunction):
2395         * wasm/js/JSWebAssemblyTable.h:
2396         * wasm/js/WasmToJS.cpp:
2397         (JSC::Wasm::materializeImportJSCell):
2398         (JSC::Wasm::handleBadI64Use):
2399         (JSC::Wasm::wasmToJS):
2400         * wasm/js/WebAssemblyFunctionBase.h:
2401         * wasm/js/WebAssemblyModuleRecord.cpp:
2402         (JSC::WebAssemblyModuleRecord::link):
2403         (JSC::WebAssemblyModuleRecord::evaluate):
2404         * wasm/js/WebAssemblyModuleRecord.h:
2405         * wasm/js/WebAssemblyToJSCallee.h:
2406         * wasm/js/WebAssemblyWrapperFunction.h:
2407
2408 2018-01-12  Saam Barati  <sbarati@apple.com>
2409
2410         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
2411         https://bugs.webkit.org/show_bug.cgi?id=181177
2412         <rdar://problem/36205704>
2413
2414         Reviewed by Yusuke Suzuki.
2415
2416         The semantics of CheckStructure are such that it does not allow the empty value to flow through it.
2417         However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't
2418         have semantic consequences when validation is turned off. However, with validation on, this trips up
2419         our OSR exit machinery that says when an exit is allowed to happen.
2420         
2421         Consider the following IR:
2422         
2423         a: GetClosureVar // Or any other node that produces BytecodeTop
2424         ...
2425         c: CheckStructure(Cell:@a, {s2})
2426         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2427         
2428         In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this:
2429         a: GetClosureVar
2430         e: CheckStructureOrEmpty(@a, {s1})
2431         ...
2432         f: CheckStructureOrEmpty(@a, {s2})
2433         c: CheckStructure(Cell:@a, {s2})
2434         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2435         
2436         This will cause constant folding to change the IR to:
2437         a: GetClosureVar
2438         e: CheckStructureOrEmpty(@a, {s1})
2439         ...
2440         f: CheckStructureOrEmpty(@a, {s2})
2441         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2442         
2443         Our mayExit analysis determines that the PutByOffset should not exit. Note
2444         that AI will determine the only value the PutByOffset can see in @a is 
2445         the empty value. Because KnownCell filters SpecCell and not SpecCellCheck,
2446         when lowering the PutByOffset, we reach a contradiction in AI and emit
2447         an OSR exit. However, because mayExit said we couldn't exit, we assert.
2448         
2449         Note that if we did not run the TypeCheckHoistingPhase on this IR, AI
2450         would have determined we would OSR exit at the second CheckStructure.
2451         
2452         This patch makes it so constant folding produces the following IR:
2453         a: GetClosureVar
2454         e: CheckStructureOrEmpty(@a, {s1})
2455         g: AssertNotEmpty(@a)
2456         ...
2457         f: CheckStructureOrEmpty(@a, {s2})
2458         h: AssertNotEmpty(@a)
2459         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2460         
2461         This modification will cause AI to know we will OSR exit before even reaching
2462         the PutByOffset. Note that in the original IR, the GetClosureVar won't
2463         actually produce the TDZ value. If it did, bytecode would have caused us
2464         to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's
2465         why this bug is about IR bookkeeping and not an actual error in IR analysis.
2466         This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be
2467         more congruous with CheckStructure's semantics of crashing on the empty value
2468         as input (on 64 bit platforms).
2469
2470         * dfg/DFGAbstractInterpreterInlines.h:
2471         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2472         * dfg/DFGClobberize.h:
2473         (JSC::DFG::clobberize):
2474         * dfg/DFGConstantFoldingPhase.cpp:
2475         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2476         * dfg/DFGDoesGC.cpp:
2477         (JSC::DFG::doesGC):
2478         * dfg/DFGFixupPhase.cpp:
2479         (JSC::DFG::FixupPhase::fixupNode):
2480         * dfg/DFGNodeType.h:
2481         * dfg/DFGPredictionPropagationPhase.cpp:
2482         * dfg/DFGSafeToExecute.h:
2483         (JSC::DFG::safeToExecute):
2484         * dfg/DFGSpeculativeJIT32_64.cpp:
2485         (JSC::DFG::SpeculativeJIT::compile):
2486         * dfg/DFGSpeculativeJIT64.cpp:
2487         (JSC::DFG::SpeculativeJIT::compile):
2488         * ftl/FTLCapabilities.cpp:
2489         (JSC::FTL::canCompile):
2490         * ftl/FTLLowerDFGToB3.cpp:
2491         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2492         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2493
2494 2018-01-12  Joseph Pecoraro  <pecoraro@apple.com>
2495
2496         Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent
2497         https://bugs.webkit.org/show_bug.cgi?id=181579
2498         <rdar://problem/36193759>
2499
2500         Reviewed by Brian Burg.
2501
2502         * inspector/agents/InspectorConsoleAgent.h:
2503         * inspector/agents/InspectorConsoleAgent.cpp:
2504         (Inspector::InspectorConsoleAgent::clearMessages):
2505         (Inspector::InspectorConsoleAgent::addConsoleMessage):
2506         Switch from a raw pointer to m_consoleMessages.last().
2507         Also move the expiration check into the if block since it can only
2508         happen inside here when the number of console messages changes.
2509
2510         (Inspector::InspectorConsoleAgent::discardValues):
2511         Also clear the expired message count when messages are cleared.
2512
2513 2018-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2514
2515         [JSC] Create parallel SlotVisitors a priori
2516         https://bugs.webkit.org/show_bug.cgi?id=180907
2517
2518         Reviewed by Saam Barati.
2519
2520         The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
2521         If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
2522         Then we do not need to grab locks while iterating over all the SlotVisitors.
2523
2524         In addition, we do not need to consider the case where the number of SlotVisitors increases
2525         after setting up VisitCounters in MarkingConstraintSolver, since the number of SlotVisitors
2526         no longer increases.
2527
2528         * heap/Heap.cpp:
2529         (JSC::Heap::Heap):
2530         (JSC::Heap::runBeginPhase):
2531         * heap/Heap.h:
2532         * heap/HeapInlines.h:
2533         (JSC::Heap::forEachSlotVisitor):
2534         (JSC::Heap::numberOfSlotVisitors): Deleted.
2535         * heap/MarkingConstraintSolver.cpp:
2536         (JSC::MarkingConstraintSolver::didVisitSomething const):
2537
2538 2018-01-12  Saam Barati  <sbarati@apple.com>
2539
2540         Each variant of a polymorphic inlined call should be exitOK at the top of the block
2541         https://bugs.webkit.org/show_bug.cgi?id=181562
2542         <rdar://problem/36445624>
2543
2544         Reviewed by Yusuke Suzuki.
2545
2546         Before this patch, the very first block in the switch for polymorphic call
2547         inlining will have exitOK at the top. The others are not guaranteed to.
2548         That was just a bug. They're all exitOK at the top. This will lead to crashes
2549         in FixupPhase because we won't have a node in a block that has ExitOK, so
2550         when we fixup various type checks, we assert out.
2551
2552         * dfg/DFGByteCodeParser.cpp:
2553         (JSC::DFG::ByteCodeParser::handleInlining):
2554
2555 2018-01-11  Keith Miller  <keith_miller@apple.com>
2556
2557         Rename ENABLE_ASYNC_ITERATION to ENABLE_JS_ASYNC_ITERATION
2558         https://bugs.webkit.org/show_bug.cgi?id=181573
2559
2560         Reviewed by Simon Fraser.
2561
2562         * Configurations/FeatureDefines.xcconfig:
2563         * runtime/Options.h:
2564
2565 2018-01-11  Michael Saboff  <msaboff@apple.com>
2566
2567         REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters
2568         https://bugs.webkit.org/show_bug.cgi?id=181570
2569
2570         Reviewed by Keith Miller.
2571
2572         * assembler/MacroAssemblerARM64.h:
2573         (JSC::MacroAssemblerARM64::abortWithReason):
2574         Reverting these functions to use dataTempRegister and memoryTempRegister as they are
2575         JIT release asserts that will crash the program.
2576
2577         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
2578         Changed this so that it invalidates any cached dataTmpRegister contents if temp register
2579         caching is enabled.
2580
2581 2018-01-11  Filip Pizlo  <fpizlo@apple.com>
2582
2583         Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes
2584         https://bugs.webkit.org/show_bug.cgi?id=181543
2585
2586         Rubber stamped by Michael Saboff.
2587         
2588         In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't
2589         really have anything to do with allocation anymore. The allocation will be done by something
2590         in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a
2591         place to find blocks (a "block directory").
2592
2593         Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the
2594         attributes of the HeapCellType. So let's call them CellAttributes.
2595
2596         * JavaScriptCore.xcodeproj/project.pbxproj:
2597         * Sources.txt:
2598         * bytecode/AccessCase.cpp:
2599         (JSC::AccessCase::generateImpl):
2600         * bytecode/ObjectAllocationProfile.h:
2601         * bytecode/ObjectAllocationProfileInlines.h:
2602         (JSC::ObjectAllocationProfile::initializeProfile):
2603         * dfg/DFGSpeculativeJIT.cpp:
2604         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2605         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2606         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2607         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2608         (JSC::DFG::SpeculativeJIT::compileNewObject):
2609         * dfg/DFGSpeculativeJIT.h:
2610         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2611         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2612         * ftl/FTLAbstractHeapRepository.h:
2613         * ftl/FTLLowerDFGToB3.cpp:
2614         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2615         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2616         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2617         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2618         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2619         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2620         * heap/AlignedMemoryAllocator.cpp:
2621         (JSC::AlignedMemoryAllocator::registerDirectory):
2622         (JSC::AlignedMemoryAllocator::registerAllocator): Deleted.
2623         * heap/AlignedMemoryAllocator.h:
2624         (JSC::AlignedMemoryAllocator::firstDirectory const):
2625         (JSC::AlignedMemoryAllocator::firstAllocator const): Deleted.
2626         * heap/AllocatorAttributes.cpp: Removed.
2627         * heap/AllocatorAttributes.h: Removed.
2628         * heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp.
2629         (JSC::BlockDirectory::BlockDirectory):
2630         (JSC::BlockDirectory::setSubspace):
2631         (JSC::BlockDirectory::isPagedOut):
2632         (JSC::BlockDirectory::findEmptyBlockToSteal):
2633         (JSC::BlockDirectory::didConsumeFreeList):
2634         (JSC::BlockDirectory::tryAllocateWithoutCollecting):
2635         (JSC::BlockDirectory::allocateIn):
2636         (JSC::BlockDirectory::tryAllocateIn):
2637         (JSC::BlockDirectory::doTestCollectionsIfNeeded):
2638         (JSC::BlockDirectory::allocateSlowCase):
2639         (JSC::BlockDirectory::blockSizeForBytes):
2640         (JSC::BlockDirectory::tryAllocateBlock):
2641         (JSC::BlockDirectory::addBlock):
2642         (JSC::BlockDirectory::removeBlock):
2643         (JSC::BlockDirectory::stopAllocating):
2644         (JSC::BlockDirectory::prepareForAllocation):
2645         (JSC::BlockDirectory::lastChanceToFinalize):
2646         (JSC::BlockDirectory::resumeAllocating):
2647         (JSC::BlockDirectory::beginMarkingForFullCollection):
2648         (JSC::BlockDirectory::endMarking):
2649         (JSC::BlockDirectory::snapshotUnsweptForEdenCollection):
2650         (JSC::BlockDirectory::snapshotUnsweptForFullCollection):
2651         (JSC::BlockDirectory::findBlockToSweep):
2652         (JSC::BlockDirectory::sweep):
2653         (JSC::BlockDirectory::shrink):
2654         (JSC::BlockDirectory::assertNoUnswept):
2655         (JSC::BlockDirectory::parallelNotEmptyBlockSource):
2656         (JSC::BlockDirectory::dump const):
2657         (JSC::BlockDirectory::dumpBits):
2658         (JSC::BlockDirectory::markedSpace const):
2659         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
2660         (JSC::MarkedAllocator::setSubspace): Deleted.
2661         (JSC::MarkedAllocator::isPagedOut): Deleted.
2662         (JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted.
2663         (JSC::MarkedAllocator::didConsumeFreeList): Deleted.
2664         (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
2665         (JSC::MarkedAllocator::allocateIn): Deleted.
2666         (JSC::MarkedAllocator::tryAllocateIn): Deleted.
2667         (JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted.
2668         (JSC::MarkedAllocator::allocateSlowCase): Deleted.
2669         (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
2670         (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
2671         (JSC::MarkedAllocator::addBlock): Deleted.
2672         (JSC::MarkedAllocator::removeBlock): Deleted.
2673         (JSC::MarkedAllocator::stopAllocating): Deleted.
2674         (JSC::MarkedAllocator::prepareForAllocation): Deleted.
2675         (JSC::MarkedAllocator::lastChanceToFinalize): Deleted.
2676         (JSC::MarkedAllocator::resumeAllocating): Deleted.
2677         (JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted.
2678         (JSC::MarkedAllocator::endMarking): Deleted.
2679         (JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted.
2680         (JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted.
2681         (JSC::MarkedAllocator::findBlockToSweep): Deleted.
2682         (JSC::MarkedAllocator::sweep): Deleted.
2683         (JSC::MarkedAllocator::shrink): Deleted.
2684         (JSC::MarkedAllocator::assertNoUnswept): Deleted.
2685         (JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted.
2686         (JSC::MarkedAllocator::dump const): Deleted.
2687         (JSC::MarkedAllocator::dumpBits): Deleted.
2688         (JSC::MarkedAllocator::markedSpace const): Deleted.
2689         * heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h.
2690         (JSC::BlockDirectory::attributes const):
2691         (JSC::BlockDirectory::forEachBitVector):
2692         (JSC::BlockDirectory::forEachBitVectorWithName):
2693         (JSC::BlockDirectory::nextDirectory const):
2694         (JSC::BlockDirectory::nextDirectoryInSubspace const):
2695         (JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const):
2696         (JSC::BlockDirectory::setNextDirectory):
2697         (JSC::BlockDirectory::setNextDirectoryInSubspace):
2698         (JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator):
2699         (JSC::BlockDirectory::offsetOfFreeList):
2700         (JSC::BlockDirectory::offsetOfCellSize):
2701         (JSC::MarkedAllocator::cellSize const): Deleted.
2702         (JSC::MarkedAllocator::attributes const): Deleted.
2703         (JSC::MarkedAllocator::needsDestruction const): Deleted.
2704         (JSC::MarkedAllocator::destruction const): Deleted.
2705         (JSC::MarkedAllocator::cellKind const): Deleted.
2706         (JSC::MarkedAllocator::heap): Deleted.
2707         (JSC::MarkedAllocator::bitvectorLock): Deleted.
2708         (JSC::MarkedAllocator::forEachBitVector): Deleted.
2709         (JSC::MarkedAllocator::forEachBitVectorWithName): Deleted.
2710         (JSC::MarkedAllocator::nextAllocator const): Deleted.
2711         (JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted.
2712         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted.
2713         (JSC::MarkedAllocator::setNextAllocator): Deleted.
2714         (JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted.
2715         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted.
2716         (JSC::MarkedAllocator::subspace const): Deleted.
2717         (JSC::MarkedAllocator::freeList const): Deleted.
2718         (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
2719         (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
2720         * heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h.
2721         (JSC::BlockDirectory::isFreeListedCell const):
2722         (JSC::BlockDirectory::allocate):
2723         (JSC::BlockDirectory::forEachBlock):
2724         (JSC::BlockDirectory::forEachNotEmptyBlock):
2725         (JSC::MarkedAllocator::isFreeListedCell const): Deleted.
2726         (JSC::MarkedAllocator::allocate): Deleted.
2727         (JSC::MarkedAllocator::forEachBlock): Deleted.
2728         (JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted.
2729         * heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp.
2730         (JSC::CellAttributes::dump const):
2731         (JSC::AllocatorAttributes::dump const): Deleted.
2732         * heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h.
2733         (JSC::CellAttributes::CellAttributes):
2734         (JSC::AllocatorAttributes::AllocatorAttributes): Deleted.
2735         * heap/CompleteSubspace.cpp:
2736         (JSC::CompleteSubspace::allocatorFor):
2737         (JSC::CompleteSubspace::allocateNonVirtual):
2738         (JSC::CompleteSubspace::allocatorForSlow):
2739         (JSC::CompleteSubspace::tryAllocateSlow):
2740         * heap/CompleteSubspace.h:
2741         (JSC::CompleteSubspace::allocatorForSizeStep):
2742         (JSC::CompleteSubspace::allocatorForNonVirtual):
2743         * heap/GCDeferralContext.h:
2744         * heap/Heap.cpp:
2745         (JSC::Heap::updateAllocationLimits):
2746         * heap/Heap.h:
2747         * heap/HeapCell.h:
2748         * heap/HeapCellInlines.h:
2749         (JSC::HeapCell::cellAttributes const):
2750         (JSC::HeapCell::destructionMode const):
2751         (JSC::HeapCell::cellKind const):
2752         (JSC::HeapCell::allocatorAttributes const): Deleted.
2753         * heap/HeapCellType.cpp:
2754         (JSC::HeapCellType::HeapCellType):
2755         * heap/HeapCellType.h:
2756         (JSC::HeapCellType::attributes const):
2757         * heap/IncrementalSweeper.cpp:
2758         (JSC::IncrementalSweeper::IncrementalSweeper):
2759         (JSC::IncrementalSweeper::sweepNextBlock):
2760         (JSC::IncrementalSweeper::startSweeping):
2761         (JSC::IncrementalSweeper::stopSweeping):
2762         * heap/IncrementalSweeper.h:
2763         * heap/IsoCellSet.cpp:
2764         (JSC::IsoCellSet::IsoCellSet):
2765         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
2766         (JSC::IsoCellSet::addSlow):
2767         (JSC::IsoCellSet::didRemoveBlock):
2768         (JSC::IsoCellSet::sweepToFreeList):
2769         * heap/IsoCellSetInlines.h:
2770         (JSC::IsoCellSet::forEachMarkedCell):
2771         (JSC::IsoCellSet::forEachLiveCell):
2772         * heap/IsoSubspace.cpp:
2773         (JSC::IsoSubspace::IsoSubspace):
2774         (JSC::IsoSubspace::allocatorFor):
2775         (JSC::IsoSubspace::allocateNonVirtual):
2776         * heap/IsoSubspace.h:
2777         (JSC::IsoSubspace::allocatorForNonVirtual):
2778         * heap/LargeAllocation.h:
2779         (JSC::LargeAllocation::attributes const):
2780         * heap/MarkedAllocator.cpp: Removed.
2781         * heap/MarkedAllocator.h: Removed.
2782         * heap/MarkedAllocatorInlines.h: Removed.
2783         * heap/MarkedBlock.cpp:
2784         (JSC::MarkedBlock::Handle::~Handle):
2785         (JSC::MarkedBlock::Handle::setIsFreeListed):
2786         (JSC::MarkedBlock::Handle::stopAllocating):
2787         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2788         (JSC::MarkedBlock::Handle::resumeAllocating):
2789         (JSC::MarkedBlock::aboutToMarkSlow):
2790         (JSC::MarkedBlock::Handle::didConsumeFreeList):
2791         (JSC::MarkedBlock::noteMarkedSlow):
2792         (JSC::MarkedBlock::Handle::removeFromDirectory):
2793         (JSC::MarkedBlock::Handle::didAddToDirectory):
2794         (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
2795         (JSC::MarkedBlock::Handle::dumpState):
2796         (JSC::MarkedBlock::Handle::subspace const):
2797         (JSC::MarkedBlock::Handle::sweep):
2798         (JSC::MarkedBlock::Handle::isFreeListedCell const):
2799         (JSC::MarkedBlock::Handle::removeFromAllocator): Deleted.
2800         (JSC::MarkedBlock::Handle::didAddToAllocator): Deleted.
2801         (JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted.
2802         * heap/MarkedBlock.h:
2803         (JSC::MarkedBlock::Handle::directory const):
2804         (JSC::MarkedBlock::Handle::attributes const):
2805         (JSC::MarkedBlock::attributes const):
2806         (JSC::MarkedBlock::Handle::allocator const): Deleted.
2807         * heap/MarkedBlockInlines.h:
2808         (JSC::MarkedBlock::Handle::isAllocated):
2809         (JSC::MarkedBlock::Handle::isLive):
2810         (JSC::MarkedBlock::Handle::specializedSweep):
2811         (JSC::MarkedBlock::Handle::isEmpty):
2812         * heap/MarkedSpace.cpp:
2813         (JSC::MarkedSpace::lastChanceToFinalize):
2814         (JSC::MarkedSpace::sweep):
2815         (JSC::MarkedSpace::stopAllocating):
2816         (JSC::MarkedSpace::resumeAllocating):
2817         (JSC::MarkedSpace::isPagedOut):
2818         (JSC::MarkedSpace::freeBlock):
2819         (JSC::MarkedSpace::shrink):
2820         (JSC::MarkedSpace::beginMarking):
2821         (JSC::MarkedSpace::endMarking):
2822         (JSC::MarkedSpace::snapshotUnswept):
2823         (JSC::MarkedSpace::assertNoUnswept):
2824         (JSC::MarkedSpace::dumpBits):
2825         (JSC::MarkedSpace::addBlockDirectory):
2826         (JSC::MarkedSpace::addMarkedAllocator): Deleted.
2827         * heap/MarkedSpace.h:
2828         (JSC::MarkedSpace::firstDirectory const):
2829         (JSC::MarkedSpace::directoryLock):
2830         (JSC::MarkedSpace::forEachBlock):
2831         (JSC::MarkedSpace::forEachDirectory):
2832         (JSC::MarkedSpace::firstAllocator const): Deleted.
2833         (JSC::MarkedSpace::allocatorLock): Deleted.
2834         (JSC::MarkedSpace::forEachAllocator): Deleted.
2835         * heap/MarkedSpaceInlines.h:
2836         * heap/Subspace.cpp:
2837         (JSC::Subspace::initialize):
2838         (JSC::Subspace::prepareForAllocation):
2839         (JSC::Subspace::findEmptyBlockToSteal):
2840         (JSC::Subspace::parallelDirectorySource):
2841         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
2842         (JSC::Subspace::sweep):
2843         (JSC::Subspace::parallelAllocatorSource): Deleted.
2844         * heap/Subspace.h:
2845         (JSC::Subspace::attributes const):
2846         (JSC::Subspace::didCreateFirstDirectory):
2847         (JSC::Subspace::didCreateFirstAllocator): Deleted.
2848         * heap/SubspaceInlines.h:
2849         (JSC::Subspace::forEachDirectory):
2850         (JSC::Subspace::forEachMarkedBlock):
2851         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2852         (JSC::Subspace::forEachAllocator): Deleted.
2853         * jit/AssemblyHelpers.h:
2854         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2855         (JSC::AssemblyHelpers::emitAllocate):
2856         (JSC::AssemblyHelpers::emitAllocateJSCell):
2857         (JSC::AssemblyHelpers::emitAllocateJSObject):
2858         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2859         * jit/JIT.h:
2860         * jit/JITOpcodes.cpp:
2861         (JSC::JIT::emit_op_new_object):
2862         * jit/JITOpcodes32_64.cpp:
2863         (JSC::JIT::emit_op_new_object):
2864         * runtime/JSDestructibleObjectHeapCellType.cpp:
2865         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
2866         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
2867         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
2868         * runtime/JSStringHeapCellType.cpp:
2869         (JSC::JSStringHeapCellType::JSStringHeapCellType):
2870         * runtime/VM.cpp:
2871         (JSC::VM::VM):
2872         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
2873         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2874
2875 2018-01-11  Saam Barati  <sbarati@apple.com>
2876
2877         When inserting Unreachable in byte code parser we need to flush all the right things
2878         https://bugs.webkit.org/show_bug.cgi?id=181509
2879         <rdar://problem/36423110>
2880
2881         Reviewed by Mark Lam.
2882
2883         I added code in r226655 that had its own mechanism for preserving liveness when
2884         inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
2885         liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
2886         I got some of these values wrong, which was leading to a crash when recovering the
2887         callee value from an inlined frame. Instead of making the same mistake and repeating
2888         similar code again, this patch refactors this logic to be shared with the other
2889         liveness preservation code in the DFG bytecode parser. This is what I should have
2890         done in my initial patch.
2891
2892         * bytecode/InlineCallFrame.h:
2893         (JSC::remapOperand):
2894         * dfg/DFGByteCodeParser.cpp:
2895         (JSC::DFG::flushImpl):
2896         (JSC::DFG::flushForTerminalImpl):
2897         (JSC::DFG::ByteCodeParser::flush):
2898         (JSC::DFG::ByteCodeParser::flushForTerminal):
2899         (JSC::DFG::ByteCodeParser::parse):
2900
2901 2018-01-11  Saam Barati  <sbarati@apple.com>
2902
2903         JITMathIC code in the FTL is wrong when code gets duplicated
2904         https://bugs.webkit.org/show_bug.cgi?id=181525
2905         <rdar://problem/36351993>
2906
2907         Reviewed by Michael Saboff and Keith Miller.
2908
2909         B3/Air may duplicate code for various reasons. Patchpoint generators inside
2910         FTLLower must be aware that they can be called multiple times because of this.
2911         The patchpoint for math ICs was not aware of this, and shared state amongst
2912         all invocations of the patchpoint's generator. This patch fixes this bug so
2913         that each invocation of the patchpoint's generator gets a unique math IC.
2914
2915         * bytecode/CodeBlock.h:
2916         (JSC::CodeBlock::addMathIC):
2917         * ftl/FTLLowerDFGToB3.cpp:
2918         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2919         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
2920         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
2921         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2922         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
2923         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2924         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
2925         * jit/JITMathIC.h:
2926         (JSC::isProfileEmpty):
2927
2928 2018-01-11  Michael Saboff  <msaboff@apple.com>
2929
2930         Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister
2931         https://bugs.webkit.org/show_bug.cgi?id=181512
2932
2933         Reviewed by Saam Barati.
2934
2935         * assembler/MacroAssemblerARM64.h:
2936         (JSC::MacroAssemblerARM64::abortWithReason):
2937         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
2938         All current uses of dataTempRegister in these functions are safe, but it makes sense to
2939         fix them in case they might be used elsewhere.
2940
2941 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
2942
2943         CodeBlocks should be in IsoSubspaces
2944         https://bugs.webkit.org/show_bug.cgi?id=180884
2945
2946         Reviewed by Saam Barati.
2947         
2948         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
2949         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
2950         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
2951         
2952         - Code block sweeping is now just eager sweeping. This means that it automatically takes
2953           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
2954           its eden set for.
2955         
2956         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
2957           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
2958           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
2959           longer has to clear the set of weakly visited code blocks. This also means that
2960           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
2961           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
2962           has IsoCellSets to tell us which edges have output constraints (what we used to call
2963           CodeBlock's weak reference harvester) and which have unconditional finalizers.
2964         
2965         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
2966         
2967         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
2968           handle requests from the sampler, debugger, and other facilities. They may want to ask
2969           if some pointer corresponds to a CodeBlock during stages of execution during which the
2970           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
2971           There is no way that the GC's isLive could tell us whether a CodeBlock that had already been
2972           allocated has now been fully constructed.
2973         
2974         Rolling this back in because it was rolled out by mistake. There was a flaky crash that was
2975         happening before and after this change, but we misread the revision numbers at first and
2976         thought that this was the cause.
2977         
2978         * JavaScriptCore.xcodeproj/project.pbxproj:
2979         * Sources.txt:
2980         * bytecode/CodeBlock.cpp:
2981         (JSC::CodeBlock::CodeBlock):
2982         (JSC::CodeBlock::finishCreation):
2983         (JSC::CodeBlock::finishCreationCommon):
2984         (JSC::CodeBlock::~CodeBlock):
2985         (JSC::CodeBlock::visitChildren):
2986         (JSC::CodeBlock::propagateTransitions):
2987         (JSC::CodeBlock::determineLiveness):
2988         (JSC::CodeBlock::finalizeUnconditionally):
2989         (JSC::CodeBlock::stronglyVisitStrongReferences):
2990         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
2991         (JSC::CodeBlock::installVMTrapBreakpoints):
2992         (JSC::CodeBlock::dumpMathICStats):
2993         (JSC::CodeBlock::visitWeakly): Deleted.
2994         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
2995         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
2996         * bytecode/CodeBlock.h:
2997         (JSC::CodeBlock::subspaceFor):
2998         (JSC::CodeBlock::ownerEdge const):
2999         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
3000         * bytecode/EvalCodeBlock.h:
3001         (JSC::EvalCodeBlock::create): Deleted.
3002         (JSC::EvalCodeBlock::createStructure): Deleted.
3003         (JSC::EvalCodeBlock::variable): Deleted.
3004         (JSC::EvalCodeBlock::numVariables): Deleted.
3005         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
3006         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
3007         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
3008         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
3009         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
3010         (JSC::ExecutableToCodeBlockEdge::createStructure):
3011         (JSC::ExecutableToCodeBlockEdge::create):
3012         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3013         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
3014         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
3015         (JSC::ExecutableToCodeBlockEdge::activate):
3016         (JSC::ExecutableToCodeBlockEdge::deactivate):
3017         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
3018         (JSC::ExecutableToCodeBlockEdge::wrap):
3019         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
3020         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
3021         (JSC::ExecutableToCodeBlockEdge::runConstraint):
3022         * bytecode/ExecutableToCodeBlockEdge.h: Added.
3023         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
3024         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
3025         (JSC::ExecutableToCodeBlockEdge::unwrap):
3026         * bytecode/FunctionCodeBlock.h:
3027         (JSC::FunctionCodeBlock::subspaceFor):
3028         (JSC::FunctionCodeBlock::createStructure):
3029         * bytecode/ModuleProgramCodeBlock.h:
3030         (JSC::ModuleProgramCodeBlock::create): Deleted.
3031         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
3032         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
3033         * bytecode/ProgramCodeBlock.h:
3034         (JSC::ProgramCodeBlock::create): Deleted.
3035         (JSC::ProgramCodeBlock::createStructure): Deleted.
3036         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
3037         * debugger/Debugger.cpp:
3038         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
3039         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
3040         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
3041         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
3042         * heap/CodeBlockSet.cpp:
3043         (JSC::CodeBlockSet::contains):
3044         (JSC::CodeBlockSet::dump const):
3045         (JSC::CodeBlockSet::add):
3046         (JSC::CodeBlockSet::remove):
3047         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
3048         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
3049         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
3050         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
3051         * heap/CodeBlockSet.h:
3052         * heap/CodeBlockSetInlines.h:
3053         (JSC::CodeBlockSet::iterate):
3054         (JSC::CodeBlockSet::iterateViaSubspaces):
3055         * heap/ConservativeRoots.cpp:
3056         (JSC::ConservativeRoots::genericAddPointer):
3057         (JSC::DummyMarkHook::markKnownJSCell):
3058         (JSC::CompositeMarkHook::mark):
3059         (JSC::CompositeMarkHook::markKnownJSCell):
3060         * heap/ConservativeRoots.h:
3061         * heap/Heap.cpp:
3062         (JSC::Heap::lastChanceToFinalize):
3063         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
3064         (JSC::Heap::finalizeUnconditionalFinalizers):
3065         (JSC::Heap::beginMarking):
3066         (JSC::Heap::deleteUnmarkedCompiledCode):
3067         (JSC::Heap::sweepInFinalize):
3068         (JSC::Heap::forEachCodeBlockImpl):
3069         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
3070         (JSC::Heap::addCoreConstraints):
3071         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
3072         * heap/Heap.h:
3073         * heap/HeapCell.h:
3074         * heap/HeapCellInlines.h:
3075         (JSC::HeapCell::subspace const):
3076         * heap/HeapInlines.h:
3077         (JSC::Heap::forEachCodeBlock):
3078         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
3079         * heap/HeapUtil.h:
3080         (JSC::HeapUtil::findGCObjectPointersForMarking):
3081         * heap/IsoCellSet.cpp:
3082         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
3083         * heap/IsoCellSet.h:
3084         * heap/IsoCellSetInlines.h:
3085         (JSC::IsoCellSet::forEachMarkedCellInParallel):
3086         (JSC::IsoCellSet::forEachLiveCell):
3087         * heap/LargeAllocation.h:
3088         (JSC::LargeAllocation::subspace const):
3089         * heap/MarkStackMergingConstraint.cpp:
3090         (JSC::MarkStackMergingConstraint::executeImpl):
3091         * heap/MarkStackMergingConstraint.h:
3092         * heap/MarkedAllocator.cpp:
3093         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
3094         * heap/MarkedBlock.cpp:
3095         (JSC::MarkedBlock::Handle::didAddToAllocator):
3096         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
3097         * heap/MarkedBlock.h:
3098         (JSC::MarkedBlock::subspace const):
3099         * heap/MarkedBlockInlines.h:
3100         (JSC::MarkedBlock::Handle::forEachLiveCell):
3101         * heap/MarkedSpaceInlines.h:
3102         (JSC::MarkedSpace::forEachLiveCell):
3103         * heap/MarkingConstraint.cpp:
3104         (JSC::MarkingConstraint::execute):
3105         (JSC::MarkingConstraint::doParallelWork):
3106         (JSC::MarkingConstraint::finishParallelWork): Deleted.
3107         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
3108         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
3109         * heap/MarkingConstraint.h:
3110         * heap/MarkingConstraintSet.cpp:
3111         (JSC::MarkingConstraintSet::add):
3112         * heap/MarkingConstraintSet.h:
3113         (JSC::MarkingConstraintSet::add):
3114         * heap/MarkingConstraintSolver.cpp:
3115         (JSC::MarkingConstraintSolver::execute):
3116         (JSC::MarkingConstraintSolver::addParallelTask):
3117         (JSC::MarkingConstraintSolver::runExecutionThread):
3118         (JSC::MarkingConstraintSolver::didExecute): Deleted.
3119         * heap/MarkingConstraintSolver.h:
3120         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
3121         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
3122         * heap/SimpleMarkingConstraint.cpp:
3123         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3124         (JSC::SimpleMarkingConstraint::executeImpl):
3125         * heap/SimpleMarkingConstraint.h:
3126         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3127         * heap/SlotVisitor.cpp:
3128         (JSC::SlotVisitor::addParallelConstraintTask):
3129         * heap/SlotVisitor.h:
3130         * heap/Subspace.cpp:
3131         (JSC::Subspace::sweep):
3132         * heap/Subspace.h:
3133         * heap/SubspaceInlines.h:
3134         (JSC::Subspace::forEachLiveCell):
3135         * llint/LowLevelInterpreter.asm:
3136         * runtime/EvalExecutable.cpp:
3137         (JSC::EvalExecutable::visitChildren):
3138         * runtime/EvalExecutable.h:
3139         (JSC::EvalExecutable::codeBlock):
3140         * runtime/FunctionExecutable.cpp:
3141         (JSC::FunctionExecutable::baselineCodeBlockFor):
3142         (JSC::FunctionExecutable::visitChildren):
3143         * runtime/FunctionExecutable.h:
3144         * runtime/JSType.h:
3145         * runtime/ModuleProgramExecutable.cpp:
3146         (JSC::ModuleProgramExecutable::visitChildren):
3147         * runtime/ModuleProgramExecutable.h:
3148         * runtime/ProgramExecutable.cpp:
3149         (JSC::ProgramExecutable::visitChildren):
3150         * runtime/ProgramExecutable.h:
3151         * runtime/ScriptExecutable.cpp:
3152         (JSC::ScriptExecutable::installCode):
3153         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
3154         * runtime/VM.cpp:
3155         (JSC::VM::VM):
3156         * runtime/VM.h:
3157         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
3158         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
3159         (JSC::VM::forEachCodeBlockSpace):
3160         * runtime/VMTraps.cpp:
3161         (JSC::VMTraps::handleTraps):
3162         * tools/VMInspector.cpp:
3163         (JSC::VMInspector::codeBlockForMachinePC):
3164         (JSC::VMInspector::isValidCodeBlock):
3165
3166 2018-01-11  Michael Saboff  <msaboff@apple.com>
3167
3168         Add a DOM gadget for Spectre testing
3169         https://bugs.webkit.org/show_bug.cgi?id=181351
3170
3171         Reviewed by Ryosuke Niwa.
3172
3173         * runtime/Options.h:
3174
3175 2018-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3176
3177         [DFG][FTL] regExpMatchFast should be handled
3178         https://bugs.webkit.org/show_bug.cgi?id=180988
3179
3180         Reviewed by Mark Lam.
3181
3182         RegExp.prototype.@@match has a fast path, @regExpMatchFast. This patch annotates this function
3183         with RegExpMatchFastIntrinsic, and introduces a RegExpMatch DFG node. This paves the way to
3184         make NewRegexp PhantomNewRegexp if it is not used except for setting/getting its lastIndex property.
3185
3186         To improve RegExp.prototype.@@match's performance more, we make this builtin function small by moving the
3187         slow path part to the `@matchSlow()` private function.
3188
3189         It largely improves SixSpeed regex-u.{es5,es6}, since they stress String.prototype.match, which calls
3190         this regExpMatchFast function.
3191
3192                                  baseline                  patched
3193
3194         regex-u.es5          55.3835+-6.3002     ^     36.2431+-2.0797        ^ definitely 1.5281x faster
3195         regex-u.es6         110.4624+-6.2896     ^     94.1012+-7.2433        ^ definitely 1.1739x faster
3196
3197         * builtins/RegExpPrototype.js:
3198         (globalPrivate.matchSlow):
3199         (overriddenName.string_appeared_here.match):
3200         * dfg/DFGAbstractInterpreterInlines.h:
3201         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3202         * dfg/DFGByteCodeParser.cpp:
3203         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3204         * dfg/DFGClobberize.h:
3205         (JSC::DFG::clobberize):
3206         * dfg/DFGDoesGC.cpp:
3207         (JSC::DFG::doesGC):
3208         * dfg/DFGFixupPhase.cpp:
3209         (JSC::DFG::FixupPhase::fixupNode):
3210         * dfg/DFGNode.h:
3211         (JSC::DFG::Node::hasHeapPrediction):
3212         * dfg/DFGNodeType.h:
3213         * dfg/DFGOperations.cpp:
3214         * dfg/DFGOperations.h:
3215         * dfg/DFGPredictionPropagationPhase.cpp:
3216         * dfg/DFGSafeToExecute.h:
3217         (JSC::DFG::safeToExecute):
3218         * dfg/DFGSpeculativeJIT.cpp:
3219         (JSC::DFG::SpeculativeJIT::compileRegExpMatch):
3220         * dfg/DFGSpeculativeJIT.h:
3221         * dfg/DFGSpeculativeJIT32_64.cpp:
3222         (JSC::DFG::SpeculativeJIT::compile):
3223         * dfg/DFGSpeculativeJIT64.cpp:
3224         (JSC::DFG::SpeculativeJIT::compile):
3225         * ftl/FTLCapabilities.cpp:
3226         (JSC::FTL::canCompile):
3227         * ftl/FTLLowerDFGToB3.cpp:
3228         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3229         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatch):
3230         * runtime/Intrinsic.cpp:
3231         (JSC::intrinsicName):
3232         * runtime/Intrinsic.h:
3233         * runtime/JSGlobalObject.cpp:
3234         (JSC::JSGlobalObject::init):
3235         * runtime/RegExpPrototype.cpp:
3236         (JSC::regExpProtoFuncMatchFast):
3237
3238 2018-01-11  Saam Barati  <sbarati@apple.com>
3239
3240         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
3241         https://bugs.webkit.org/show_bug.cgi?id=181508
3242
3243         Reviewed by Yusuke Suzuki.
3244
3245         Our for-in caching would cache structure chains that had prototypes with
3246         indexed properties. Clearly this is wrong. This caching breaks when a prototype
3247         adds new indexed properties. We would continue to enumerate the old cached
3248         state of properties, and not include the new indexed properties.
3249         
3250         The old code used to prevent caching only if the base structure had
3251         indexed properties. This patch extends it to prevent caching if the
3252         base, or any structure in the prototype chain, has indexed properties.
3253
3254         * runtime/Structure.cpp:
3255         (JSC::Structure::canCachePropertyNameEnumerator const):
3256
3257 2018-01-10  JF Bastien  <jfbastien@apple.com>
3258
3259         Poison small JSObject derivatives which only contain pointers
3260         https://bugs.webkit.org/show_bug.cgi?id=181483
3261         <rdar://problem/36407127>
3262
3263         Reviewed by Mark Lam.
3264
3265         I wrote a script that finds interesting things to poison or
3266         generally harden. These stood out because they derive from
3267         JSObject and only contain a few pointer or pointer-like fields,
3268         and could therefore just be poisoned. This also requires some
3269         template "improvements" to our poisoning machinery. Worth noting
3270         is that I'm making PoisonedUniquePtr move-assignable and
3271         move-constructible from unique_ptr, which makes it a better
3272         drop-in replacement because we don't need to use
3273         makePoisonedUniquePtr. This means function-locals can be
3274         unique_ptr and get the nice RAII pattern, and once the function is
3275         done you can just move to the class' PoisonedUniquePtr without
3276         worrying.
3277
3278         * API/JSAPIWrapperObject.h:
3279         (JSC::JSAPIWrapperObject::wrappedObject):
3280         * API/JSAPIWrapperObject.mm:
3281         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
3282         * API/JSCallbackObject.h:
3283         * runtime/ArrayPrototype.h:
3284         * runtime/DateInstance.h:
3285         * runtime/JSArrayBuffer.cpp:
3286         (JSC::JSArrayBuffer::finishCreation):
3287         (JSC::JSArrayBuffer::isShared const):
3288         (JSC::JSArrayBuffer::sharingMode const):
3289         * runtime/JSArrayBuffer.h:
3290         * runtime/JSCPoison.h:
3291
3292 2018-01-10  Commit Queue  <commit-queue@webkit.org>
3293
3294         Unreviewed, rolling out r226667 and r226673.
3295         https://bugs.webkit.org/show_bug.cgi?id=181488
3296
3297         This caused a flaky crash. (Requested by mlewis13 on #webkit).
3298
3299         Reverted changesets:
3300
3301         "CodeBlocks should be in IsoSubspaces"
3302         https://bugs.webkit.org/show_bug.cgi?id=180884
3303         https://trac.webkit.org/changeset/226667
3304
3305         "REGRESSION (r226667): CodeBlocks should be in IsoSubspaces"
3306         https://bugs.webkit.org/show_bug.cgi?id=180884
3307         https://trac.webkit.org/changeset/226673
3308
3309 2018-01-09  David Kilzer  <ddkilzer@apple.com>
3310
3311         REGRESSION (r226667): CodeBlocks should be in IsoSubspaces
3312         <https://bugs.webkit.org/show_bug.cgi?id=180884>
3313
3314         Fixes the following build error:
3315
3316             heap/Heap.cpp:2708:10: error: lambda capture 'this' is not used [-Werror,-Wunused-lambda-capture]
3317
3318         * heap/Heap.cpp:
3319         (JSC::Heap::addCoreConstraints): Remove 'this' from lambda to
3320         fix the build.
3321
3322 2018-01-09  Keith Miller  <keith_miller@apple.com>
3323
3324         and32 with an Address source on ARM64 did not invalidate dataTempRegister
3325         https://bugs.webkit.org/show_bug.cgi?id=181467
3326
3327         Reviewed by Michael Saboff.
3328
3329         * assembler/MacroAssemblerARM64.h:
3330         (JSC::MacroAssemblerARM64::and32):
3331
3332 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
3333
3334         CodeBlocks should be in IsoSubspaces
3335         https://bugs.webkit.org/show_bug.cgi?id=180884
3336
3337         Reviewed by Saam Barati.
3338         
3339         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
3340         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
3341         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
3342         
3343         - Code block sweeping is now just eager sweeping. This means that it automatically takes
3344           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
3345           its eden set for.
3346         
3347         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
3348           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
3349           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
3350           longer has to clear the set of weakly visited code blocks. This also means that
3351           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
3352           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
3353           has IsoCellSets to tell us which edges have output constraints (what we used to call
3354           CodeBlock's weak reference harvester) and which have unconditional finalizers.
3355         
3356         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
3357         
3358         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
3359           handle requests from the sampler, debugger, and other facilities. They may want to ask
3360           if some pointer corresponds to a CodeBlock during stages of execution during which the
3361           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
3362           There is no way that the GC's isLive could tell us whether a CodeBlock that had already been
3363           allocated has now been fully constructed.
3364         
3365         * JavaScriptCore.xcodeproj/project.pbxproj:
3366         * Sources.txt:
3367         * bytecode/CodeBlock.cpp:
3368         (JSC::CodeBlock::CodeBlock):
3369         (JSC::CodeBlock::finishCreation):
3370         (JSC::CodeBlock::finishCreationCommon):
3371         (JSC::CodeBlock::~CodeBlock):
3372         (JSC::CodeBlock::visitChildren):
3373         (JSC::CodeBlock::propagateTransitions):
3374         (JSC::CodeBlock::determineLiveness):
3375         (JSC::CodeBlock::finalizeUnconditionally):
3376         (JSC::CodeBlock::stronglyVisitStrongReferences):
3377         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
3378         (JSC::CodeBlock::installVMTrapBreakpoints):
3379         (JSC::CodeBlock::dumpMathICStats):
3380         (JSC::CodeBlock::visitWeakly): Deleted.
3381         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
3382         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
3383         * bytecode/CodeBlock.h:
3384         (JSC::CodeBlock::subspaceFor):
3385         (JSC::CodeBlock::ownerEdge const):
3386         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
3387         * bytecode/EvalCodeBlock.h:
3388         (JSC::EvalCodeBlock::create): Deleted.
3389         (JSC::EvalCodeBlock::createStructure): Deleted.
3390         (JSC::EvalCodeBlock::variable): Deleted.
3391         (JSC::EvalCodeBlock::numVariables): Deleted.
3392         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
3393         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
3394         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
3395         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
3396         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
3397         (JSC::ExecutableToCodeBlockEdge::createStructure):
3398         (JSC::ExecutableToCodeBlockEdge::create):
3399         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3400         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
3401         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
3402         (JSC::ExecutableToCodeBlockEdge::activate):
3403         (JSC::ExecutableToCodeBlockEdge::deactivate):
3404         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
3405         (JSC::ExecutableToCodeBlockEdge::wrap):
3406         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
3407         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
3408         (JSC::ExecutableToCodeBlockEdge::runConstraint):
3409         * bytecode/ExecutableToCodeBlockEdge.h: Added.
3410         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
3411         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
3412         (JSC::ExecutableToCodeBlockEdge::unwrap):
3413         * bytecode/FunctionCodeBlock.h:
3414         (JSC::FunctionCodeBlock::subspaceFor):
3415         (JSC::FunctionCodeBlock::createStructure):
3416         * bytecode/ModuleProgramCodeBlock.h:
3417         (JSC::ModuleProgramCodeBlock::create): Deleted.
3418         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
3419         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
3420         * bytecode/ProgramCodeBlock.h:
3421         (JSC::ProgramCodeBlock::create): Deleted.
3422         (JSC::ProgramCodeBlock::createStructure): Deleted.
3423         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
3424         * debugger/Debugger.cpp:
3425         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
3426         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
3427         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
3428         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
3429         * heap/CodeBlockSet.cpp:
3430         (JSC::CodeBlockSet::contains):
3431         (JSC::CodeBlockSet::dump const):
3432         (JSC::CodeBlockSet::add):
3433         (JSC::CodeBlockSet::remove):
3434         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
3435         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
3436         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
3437         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
3438         * heap/CodeBlockSet.h:
3439         * heap/CodeBlockSetInlines.h:
3440         (JSC::CodeBlockSet::iterate):
3441         (JSC::CodeBlockSet::iterateViaSubspaces):
3442         * heap/ConservativeRoots.cpp:
3443         (JSC::ConservativeRoots::genericAddPointer):
3444         (JSC::DummyMarkHook::markKnownJSCell):
3445         (JSC::CompositeMarkHook::mark):
3446         (JSC::CompositeMarkHook::markKnownJSCell):
3447         * heap/ConservativeRoots.h:
3448         * heap/Heap.cpp:
3449         (JSC::Heap::lastChanceToFinalize):
3450         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
3451         (JSC::Heap::finalizeUnconditionalFinalizers):
3452         (JSC::Heap::beginMarking):
3453         (JSC::Heap::deleteUnmarkedCompiledCode):
3454         (JSC::Heap::sweepInFinalize):
3455         (JSC::Heap::forEachCodeBlockImpl):
3456         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
3457         (JSC::Heap::addCoreConstraints):
3458         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
3459         * heap/Heap.h:
3460         * heap/HeapCell.h:
3461         * heap/HeapCellInlines.h:
3462         (JSC::HeapCell::subspace const):
3463         * heap/HeapInlines.h:
3464         (JSC::Heap::forEachCodeBlock):
3465         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
3466         * heap/HeapUtil.h:
3467         (JSC::HeapUtil::findGCObjectPointersForMarking):
3468         * heap/IsoCellSet.cpp:
3469         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
3470         * heap/IsoCellSet.h:
3471         * heap/IsoCellSetInlines.h:
3472         (JSC::IsoCellSet::forEachMarkedCellInParallel):
3473         (JSC::IsoCellSet::forEachLiveCell):
3474         * heap/LargeAllocation.h:
3475         (JSC::LargeAllocation::subspace const):
3476         * heap/MarkStackMergingConstraint.cpp:
3477         (JSC::MarkStackMergingConstraint::executeImpl):
3478         * heap/MarkStackMergingConstraint.h:
3479         * heap/MarkedAllocator.cpp:
3480         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
3481         * heap/MarkedBlock.cpp:
3482         (JSC::MarkedBlock::Handle::didAddToAllocator):
3483         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
3484         * heap/MarkedBlock.h:
3485         (JSC::MarkedBlock::subspace const):
3486         * heap/MarkedBlockInlines.h:
3487         (JSC::MarkedBlock::Handle::forEachLiveCell):
3488         * heap/MarkedSpaceInlines.h:
3489         (JSC::MarkedSpace::forEachLiveCell):
3490         * heap/MarkingConstraint.cpp:
3491         (JSC::MarkingConstraint::execute):
3492         (JSC::MarkingConstraint::doParallelWork):
3493         (JSC::MarkingConstraint::finishParallelWork): Deleted.
3494         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
3495         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
3496         * heap/MarkingConstraint.h:
3497         * heap/MarkingConstraintSet.cpp:
3498         (JSC::MarkingConstraintSet::add):
3499         * heap/MarkingConstraintSet.h:
3500         (JSC::MarkingConstraintSet::add):
3501         * heap/MarkingConstraintSolver.cpp:
3502         (JSC::MarkingConstraintSolver::execute):
3503         (JSC::MarkingConstraintSolver::addParallelTask):
3504         (JSC::MarkingConstraintSolver::runExecutionThread):
3505         (JSC::MarkingConstraintSolver::didExecute): Deleted.
3506         * heap/MarkingConstraintSolver.h:
3507         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
3508         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
3509         * heap/SimpleMarkingConstraint.cpp:
3510         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3511         (JSC::SimpleMarkingConstraint::executeImpl):
3512         * heap/SimpleMarkingConstraint.h:
3513         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3514         * heap/SlotVisitor.cpp:
3515         (JSC::SlotVisitor::addParallelConstraintTask):
3516         * heap/SlotVisitor.h:
3517         * heap/Subspace.cpp:
3518         (JSC::Subspace::sweep):
3519         * heap/Subspace.h:
3520         * heap/SubspaceInlines.h:
3521         (JSC::Subspace::forEachLiveCell):
3522         * llint/LowLevelInterpreter.asm:
3523         * runtime/EvalExecutable.cpp:
3524         (JSC::EvalExecutable::visitChildren):
3525         * runtime/EvalExecutable.h:
3526         (JSC::EvalExecutable::codeBlock):
3527         * runtime/FunctionExecutable.cpp:
3528         (JSC::FunctionExecutable::baselineCodeBlockFor):
3529         (JSC::FunctionExecutable::visitChildren):
3530         * runtime/FunctionExecutable.h:
3531         * runtime/JSType.h:
3532         * runtime/ModuleProgramExecutable.cpp:
3533         (JSC::ModuleProgramExecutable::visitChildren):
3534         * runtime/ModuleProgramExecutable.h:
3535         * runtime/ProgramExecutable.cpp:
3536         (JSC::ProgramExecutable::visitChildren):
3537         * runtime/ProgramExecutable.h:
3538         * runtime/ScriptExecutable.cpp:
3539         (JSC::ScriptExecutable::installCode):
3540         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
3541         * runtime/VM.cpp:
3542         (JSC::VM::VM):
3543         * runtime/VM.h:
3544         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
3545         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
3546         (JSC::VM::forEachCodeBlockSpace):
3547         * runtime/VMTraps.cpp:
3548         (JSC::VMTraps::handleTraps):
3549         * tools/VMInspector.cpp:
3550         (JSC::VMInspector::codeBlockForMachinePC):
3551         (JSC::VMInspector::isValidCodeBlock):
3552
3553 2018-01-09  Michael Saboff  <msaboff@apple.com>
3554
3555         Unreviewed, rolling out r226600 and r226603
3556         https://bugs.webkit.org/show_bug.cgi?id=181351
3557
3558         Add a DOM gadget for Spectre testing
3559
3560         * runtime/Options.h:
3561
3562 2018-01-09  Saam Barati  <sbarati@apple.com>
3563
3564         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
3565         https://bugs.webkit.org/show_bug.cgi?id=181409
3566
3567         Reviewed by Keith Miller.
3568
3569         When I was looking at profiler data for Speedometer, I noticed that one of
3570         the hottest functions in Speedometer is around 1100 bytecode operations long.
3571         Only about 100 of those bytecode ops ever execute. However, we ended up
3572         spending a lot of time compiling basic blocks that never executed. We often
3573         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
3574         This is the case when such a node never executes.
3575         
3576         This patch makes it so that anytime a block has a ForceOSRExit, we replace its
3577         terminal node with an Unreachable node (and remove all nodes after the
3578         ForceOSRExit). This will cut down on graph size when such a block dominates
3579         other blocks in the CFG. This allows us to get rid of huge chunks of the CFG
3580         in certain programs. When doing this transformation, we also insert
3581         Flushes/PhantomLocals to ensure we can recover values that are bytecode
3582         live-in to the ForceOSRExit.
3583         
3584         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
3585         does not get rid of all the CFG that it could. If we decide it's worth
3586         it, we could use additional inputs into this mechanism. For example, we could
3587         profile if a basic block ever executes inside the LLInt/Baseline, and
3588         remove parts of the CFG based on that.
3589         
3590         When running Speedometer with the concurrent JIT turned off, this patch
3591         improves DFG/FTL compile times by around 5%.
3592
3593         * dfg/DFGByteCodeParser.cpp:
3594         (JSC::DFG::ByteCodeParser::addToGraph):
3595         (JSC::DFG::ByteCodeParser::parse):
3596
3597 2018-01-09  Mark Lam  <mark.lam@apple.com>
3598
3599         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
3600         https://bugs.webkit.org/show_bug.cgi?id=181388
3601         <rdar://problem/36349351>
3602
3603         Reviewed by Saam Barati.
3604
3605         When there are duplicate setters or getters, we may end up overwriting a getter
3606         with a setter, or vice versa.  This patch adds tracking for getters/setters that
3607         have been overwritten with duplicates and ignores them.
3608
3609         * bytecompiler/NodesCodegen.cpp:
3610         (JSC::PropertyListNode::emitBytecode):
3611         * parser/NodeConstructors.h:
3612         (JSC::PropertyNode::PropertyNode):
3613         * parser/Nodes.h:
3614         (JSC::PropertyNode::isOverriddenByDuplicate const):
3615         (JSC::PropertyNode::setIsOverriddenByDuplicate):
3616
3617 2018-01-08  Zan Dobersek  <zdobersek@igalia.com>
3618
3619         REGRESSION(r225913): about 30 JSC test failures on ARMv7
3620         https://bugs.webkit.org/show_bug.cgi?id=181162
3621         <rdar://problem/36261349>
3622
3623         Unreviewed follow-up to r226298. Enable the fast case in
3624         DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform,
3625         assuming in good faith that enough GP registers are available on any
3626         such configuration. The accompanying comment is adjusted to describe
3627         this assumption.
3628
3629         * dfg/DFGSpeculativeJIT.cpp:
3630         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3631
3632 2018-01-08  JF Bastien  <jfbastien@apple.com>
3633
3634         WebAssembly: mask indexed accesses to Table
3635         https://bugs.webkit.org/show_bug.cgi?id=181412
3636         <rdar://problem/36363236>
3637
3638         Reviewed by Saam Barati.
3639
3640         WebAssembly Table indexed accesses are user-controlled and
3641         bounds-checked. Force allocations of Table data to be a
3642         power-of-two, and explicitly mask accesses after bounds-check
3643         branches.
3644
3645         Rename misleading usage of "size" when "length" of a Table was
3646         intended.
3647
3648         Rename the Spectre option from "disable" to "enable".
3649
3650         * dfg/DFGSpeculativeJIT.cpp:
3651         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3652         * ftl/FTLLowerDFGToB3.cpp:
3653         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
3654         * jit/JIT.cpp:
3655         (JSC::JIT::JIT):
3656         * runtime/Options.h:
3657         * wasm/WasmB3IRGenerator.cpp:
3658         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
3659         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3660         * wasm/WasmTable.cpp:
3661         (JSC::Wasm::Table::allocatedLength):
3662         (JSC::Wasm::Table::setLength):
3663         (JSC::Wasm::Table::create):
3664         (JSC::Wasm::Table::Table):
3665         (JSC::Wasm::Table::grow):
3666         (JSC::Wasm::Table::clearFunction):
3667         (JSC::Wasm::Table::setFunction):
3668         * wasm/WasmTable.h:
3669         (JSC::Wasm::Table::length const):
3670         (JSC::Wasm::Table::offsetOfLength):
3671         (JSC::Wasm::Table::offsetOfMask):
3672         (JSC::Wasm::Table::mask const):
3673         (JSC::Wasm::Table::isValidLength):
3674         * wasm/js/JSWebAssemblyInstance.cpp:
3675         (JSC::JSWebAssemblyInstance::create):
3676         * wasm/js/JSWebAssemblyTable.cpp:
3677         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
3678         (JSC::JSWebAssemblyTable::visitChildren):
3679         (JSC::JSWebAssemblyTable::grow):
3680         (JSC::JSWebAssemblyTable::getFunction):
3681         (JSC::JSWebAssemblyTable::clearFunction):
3682         (JSC::JSWebAssemblyTable::setFunction):
3683         * wasm/js/JSWebAssemblyTable.h:
3684         (JSC::JSWebAssemblyTable::isValidLength):
3685         (JSC::JSWebAssemblyTable::length const):
3686         (JSC::JSWebAssemblyTable::allocatedLength const):
3687         * wasm/js/WebAssemblyModuleRecord.cpp:
3688         (JSC::WebAssemblyModuleRecord::evaluate):
3689         * wasm/js/WebAssemblyTablePrototype.cpp:
3690         (JSC::webAssemblyTableProtoFuncLength):
3691         (JSC::webAssemblyTableProtoFuncGrow):
3692         (JSC::webAssemblyTableProtoFuncGet):
3693         (JSC::webAssemblyTableProtoFuncSet):
3694
3695 2018-01-08  Michael Saboff  <msaboff@apple.com>
3696
3697         Add a DOM gadget for Spectre testing
3698         https://bugs.webkit.org/show_bug.cgi?id=181351
3699
3700         Reviewed by Michael Saboff.
3701
3702         Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
3703         Spectre mitigations.
3704
3705         * runtime/Options.h:
3706
3707 2018-01-08  Mark Lam  <mark.lam@apple.com>
3708
3709         Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
3710         https://bugs.webkit.org/show_bug.cgi?id=181403
3711         <rdar://problem/36359789>
3712
3713         Rubber-stamped by JF Bastien.
3714
3715         * bytecode/CodeBlock.cpp:
3716         (JSC::CodeBlock::CodeBlock):
3717         (JSC::CodeBlock::~CodeBlock):
3718         (JSC::CodeBlock::setConstantRegisters):
3719         (JSC::CodeBlock::propagateTransitions):
3720         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3721         (JSC::CodeBlock::jettison):
3722         (JSC::CodeBlock::predictedMachineCodeSize):
3723         * bytecode/CodeBlock.h:
3724         (JSC::CodeBlock::vm const):
3725         (JSC::CodeBlock::addConstant):
3726         (JSC::CodeBlock::heap const):
3727         (JSC::CodeBlock::replaceConstant):
3728         * llint/LowLevelInterpreter.asm:
3729         * llint/LowLevelInterpreter32_64.asm:
3730         * llint/LowLevelInterpreter64.asm:
3731
3732 2018-01-07  Mark Lam  <mark.lam@apple.com>
3733
3734         Apply poisoning to more pointers in JSC.
3735         https://bugs.webkit.org/show_bug.cgi?id=181096
3736         <rdar://problem/36182970>
3737
3738         Reviewed by JF Bastien.
3739
3740         * assembler/MacroAssembler.h:
3741         (JSC::MacroAssembler::xorPtr):
3742         * assembler/MacroAssemblerARM64.h:
3743         (JSC::MacroAssemblerARM64::xor64):
3744         * assembler/MacroAssemblerX86_64.h:
3745         (JSC::MacroAssemblerX86_64::xor64):
3746         - Add xorPtr implementation.
3747
3748         * bytecode/CodeBlock.cpp:
3749         (JSC::CodeBlock::inferredName const):
3750         (JSC::CodeBlock::CodeBlock):
3751         (JSC::CodeBlock::finishCreation):
3752         (JSC::CodeBlock::~CodeBlock):
3753         (JSC::CodeBlock::setConstantRegisters):
3754         (JSC::CodeBlock::visitWeakly):
3755         (JSC::CodeBlock::visitChildren):
3756         (JSC::CodeBlock::propagateTransitions):
3757         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
3758         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3759         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
3760         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
3761         (JSC::CodeBlock::jettison):
3762         (JSC::CodeBlock::predictedMachineCodeSize):
3763         (JSC::CodeBlock::findPC):
3764         * bytecode/CodeBlock.h:
3765         (JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
3766         (JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
3767         (JSC::CodeBlock::stubInfoBegin):
3768         (JSC::CodeBlock::stubInfoEnd):
3769         (JSC::CodeBlock::callLinkInfosBegin):
3770         (JSC::CodeBlock::callLinkInfosEnd):
3771         (JSC::CodeBlock::instructions):
3772         (JSC::CodeBlock::instructions const):
3773         (JSC::CodeBlock::vm const):
3774         * dfg/DFGOSRExitCompilerCommon.h:
3775         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
3776         * jit/JIT.h:
3777         * llint/LLIntOfflineAsmConfig.h:
3778         * llint/LowLevelInterpreter.asm:
3779         * llint/LowLevelInterpreter64.asm:
3780         * parser/UnlinkedSourceCode.h:
3781         * runtime/JSCPoison.h:
3782         * runtime/JSGlobalObject.cpp:
3783         (JSC::JSGlobalObject::init):
3784         * runtime/JSGlobalObject.h:
3785         * runtime/JSScriptFetchParameters.h:
3786         * runtime/JSScriptFetcher.h:
3787         * runtime/StructureTransitionTable.h:
3788         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3789         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
3790         (JSC::JSWebAssemblyCodeBlock::visitChildren):
3791         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
3792         * wasm/js/JSWebAssemblyCodeBlock.h:
3793
3794 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3795
3796         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
3797         https://bugs.webkit.org/show_bug.cgi?id=181321
3798
3799         Reviewed by Saam Barati.
3800
3801         According to ECMA262 16.2[1], functions created using the bind method must not have
3802         "caller" and "arguments" own properties.
3803
3804         [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions
3805
3806         * runtime/JSBoundFunction.cpp:
3807         (JSC::JSBoundFunction::finishCreation):
3808
3809 2018-01-05  JF Bastien  <jfbastien@apple.com>
3810
3811         WebAssembly: poison JS object's secrets
3812         https://bugs.webkit.org/show_bug.cgi?id=181339
3813         <rdar://problem/36325001>
3814
3815         Reviewed by Mark Lam.
3816
3817         Separating WebAssembly's JS objects from their non-JS
3818         implementation means that all interesting information lives
3819         outside of the JS object itself. This patch poisons each JS
3820         object's pointer to non-JS implementation using the poisoning
3821         mechanism and a unique key per JS object type origin.
3822
3823         * runtime/JSCPoison.h:
3824         * wasm/js/JSToWasm.cpp:
3825         (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
3826         object in a stack slot when fast TLS is disabled. This requires
3827         that we unpoison the Wasm::Instance.
3828         * wasm/js/JSWebAssemblyCodeBlock.h:
3829         * wasm/js/JSWebAssemblyInstance.h:
3830         (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
3831         be explicit that the pointer is poisoned.
3832         * wasm/js/JSWebAssemblyMemory.h:
3833         * wasm/js/JSWebAssemblyModule.h:
3834         * wasm/js/JSWebAssemblyTable.h:
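
The three poisoning entries above (PoisonedUniquePtr for small JSObject derivatives, "Apply poisoning to more pointers in JSC", and the WebAssembly JS-object secrets) all rely on the same mechanism: a pointer field is stored XORed with a key chosen per owning type, so the word in memory is not a usable address, and a value poisoned for one type does not unpoison correctly under another type's key. The following is an added C++ illustration of that scheme, not JavaScriptCore's own code; the class names, the two constant keys, and the Payload type are constructed for the example, and the owning variant shows the move-from-unique_ptr convenience the first entry describes.

```cpp
// Added example (not JavaScriptCore code): pointer poisoning with a per-type key.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <utility>

namespace example {

// Constructed demo keys. Their top bits are set so a poisoned word, if ever used
// as an address by mistake, is not a canonical user-space pointer on 64-bit.
// A real runtime would derive keys from a random source at startup.
constexpr uintptr_t kInstanceKey = 0xC0DE5A5A1D00DCCAull;
constexpr uintptr_t kMemoryKey   = 0xBADC0DE5EA70C0DEull;

// Non-owning poisoned pointer: the only word stored is (address XOR key).
template<uintptr_t key, typename T>
class Poisoned {
public:
    Poisoned() = default;
    Poisoned(T* ptr) : m_bits(poison(ptr)) { }

    T* unpoisoned() const { return unpoison(m_bits); }
    T* operator->() const { return unpoisoned(); }
    uintptr_t bits() const { return m_bits; } // raw stored word, for inspection

    static uintptr_t poison(T* ptr) { return ptr ? reinterpret_cast<uintptr_t>(ptr) ^ key : 0; }
    static T* unpoison(uintptr_t bits) { return bits ? reinterpret_cast<T*>(bits ^ key) : nullptr; }

private:
    uintptr_t m_bits { 0 };
};

// Owning variant, like std::unique_ptr but with the stored pointer poisoned.
// It is move-constructible and move-assignable from std::unique_ptr, so a
// function can build with a plain unique_ptr (RAII on early return) and hand
// ownership over to the class member when it is done.
template<uintptr_t key, typename T>
class PoisonedUniquePtr {
public:
    PoisonedUniquePtr() = default;
    PoisonedUniquePtr(std::unique_ptr<T>&& ptr) : m_ptr(ptr.release()) { }
    PoisonedUniquePtr(PoisonedUniquePtr&& other) : m_ptr(other.release()) { }
    PoisonedUniquePtr& operator=(std::unique_ptr<T>&& ptr) { reset(ptr.release()); return *this; }
    PoisonedUniquePtr& operator=(PoisonedUniquePtr&& other)
    {
        if (this != &other)
            reset(other.release());
        return *this;
    }
    PoisonedUniquePtr(const PoisonedUniquePtr&) = delete;
    PoisonedUniquePtr& operator=(const PoisonedUniquePtr&) = delete;
    ~PoisonedUniquePtr() { delete get(); }

    T* get() const { return m_ptr.unpoisoned(); }
    T* operator->() const { return get(); }
    T* release() { T* raw = get(); m_ptr = Poisoned<key, T>(); return raw; }
    void reset(T* raw = nullptr) { T* old = get(); m_ptr = Poisoned<key, T>(raw); delete old; }
    uintptr_t bits() const { return m_ptr.bits(); }

private:
    Poisoned<key, T> m_ptr;
};

struct Payload { int value; }; // constructed stand-in for a non-JS implementation object

// The word stored in memory is not the address, but unpoisoning recovers it.
inline bool storedBitsHideAddress()
{
    Payload p { 1 };
    Poisoned<kInstanceKey, Payload> poisoned(&p);
    return poisoned.bits() != reinterpret_cast<uintptr_t>(&p) && poisoned.unpoisoned() == &p;
}

// A value poisoned under one type's key does not unpoison to the right
// address under another type's key: the key ties the pointer to its origin.
inline bool wrongKeyDoesNotRecoverAddress()
{
    Payload p { 2 };
    uintptr_t bits = Poisoned<kInstanceKey, Payload>::poison(&p);
    return Poisoned<kMemoryKey, Payload>::unpoison(bits) != &p;
}

// Ownership moves from a local unique_ptr into the poisoned member; the
// unique_ptr is left empty and the object stays reachable through the member.
inline int moveFromUniquePtr()
{
    auto local = std::make_unique<Payload>(Payload { 7 });
    PoisonedUniquePtr<kInstanceKey, Payload> owner(std::move(local));
    if (local)
        return -1;
    return owner->value;
}

} // namespace example

int main()
{
    std::printf("hidden=%d wrongKey=%d moved=%d\n", example::storedBitsHideAddress(),
        example::wrongKeyDoesNotRecoverAddress(), example::moveFromUniquePtr());
    return 0;
}
```

The point of the per-type key is the second check: even if a poisoned word leaks or is overwritten, it only decodes to a valid address under the key of the class that stored it, which is why the WebAssembly entry gives each JS object type its own key.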
3835
3836 2018-01-05  Michael Saboff  <msaboff@apple.com>
3837
3838         Add ability to disable indexed property masking for testing
3839         https://bugs.webkit.org/show_bug.cgi?id=181350
3840
3841         Reviewed by Keith Miller.
3842
3843         Made the masking of indexed properties runtime controllable via a new JSC::Option
3844         named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.
3845
3846         The new option has a generic name as it will probably be used to disable future mitigations.
3847
3848         * dfg/DFGSpeculativeJIT.cpp:
3849         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3850         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
3851         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3852         * dfg/DFGSpeculativeJIT.h:
3853         * dfg/DFGSpeculativeJIT64.cpp:
3854         (JSC::DFG::SpeculativeJIT::compile):
3855         * ftl/FTLLowerDFGToB3.cpp:
3856         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
3857         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
3858         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
3859         * jit/JIT.cpp:
3860         (JSC::JIT::JIT):
3861         * jit/JIT.h:
3862         * jit/JITPropertyAccess.cpp:
3863         (JSC::JIT::emitDoubleLoad):
3864         (JSC::JIT::emitContiguousLoad):
3865         (JSC::JIT::emitArrayStorageLoad):
3866         * runtime/Options.h:
3867         * wasm/WasmB3IRGenerator.cpp:
3868         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
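
The entries on Table index masking ("WebAssembly: mask indexed accesses to Table"), on the option that switches indexed-property masking off for testing, and on index masking for TypedArrays and Wasm bounds checks (further down this log) describe one pattern: allocate a power-of-two backing store, bounds-check the user-controlled index, and then also AND it with (allocatedLength - 1) so that a speculatively executed access past a mispredicted branch still lands inside the allocation. The following added C++ example, which is not JavaScriptCore code, shows that pattern as a small table; MaskedTable, roundUpToPowerOfTwo and maskedIndexStaysInside are names constructed for the example.

```cpp
// Added example (not JavaScriptCore code): bounds check plus index masking over a
// power-of-two allocation, the shape of the Spectre mitigation described above.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

namespace example {

// Smallest power of two >= n (n >= 1).
inline size_t roundUpToPowerOfTwo(size_t n)
{
    size_t p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

template<typename T>
class MaskedTable {
public:
    explicit MaskedTable(size_t length)
        : m_length(length)
    {
        reallocate(length);
    }

    size_t length() const { return m_length; }            // logical length
    size_t allocatedLength() const { return m_storage.size(); } // always a power of two
    size_t mask() const { return m_mask; }                // allocatedLength - 1

    // Architectural safety comes from the bounds check. The mask is the
    // mitigation: if the CPU speculates past a mispredicted branch, the index
    // it uses has still been reduced modulo the allocation size, so the
    // speculative load cannot reach memory outside m_storage.
    std::optional<T> get(size_t index) const
    {
        if (index >= m_length)
            return std::nullopt;
        return m_storage[index & m_mask];
    }

    bool set(size_t index, T value)
    {
        if (index >= m_length)
            return false;
        m_storage[index & m_mask] = value;
        return true;
    }

    // Growing keeps the invariant: the allocation is always a power of two
    // that is >= the logical length, so the mask is always valid.
    void grow(size_t delta)
    {
        size_t newLength = m_length + delta;
        if (newLength > allocatedLength())
            reallocate(newLength);
        m_length = newLength;
    }

private:
    void reallocate(size_t minimumLength)
    {
        size_t allocated = roundUpToPowerOfTwo(minimumLength ? minimumLength : 1);
        m_storage.resize(allocated); // existing elements are preserved
        m_mask = allocated - 1;
    }

    size_t m_length;
    size_t m_mask { 0 };
    std::vector<T> m_storage;
};

// Whatever index is fed in, the masked value stays inside the allocation.
inline bool maskedIndexStaysInside(size_t index, size_t allocatedLength)
{
    return (index & (allocatedLength - 1)) < allocatedLength;
}

} // namespace example

int main()
{
    example::MaskedTable<int> table(5);
    table.set(3, 42);
    std::printf("length=%zu allocated=%zu mask=%#zx\n",
        table.length(), table.allocatedLength(), table.mask());
    std::printf("get(3)=%d, get(5) in bounds? %s\n",
        *table.get(3), table.get(5) ? "yes" : "no");
    return 0;
}
```

In the JITs the mask is emitted in machine code immediately after the bounds-check branch, which is what the runtime option in the entry above switches off; this C++ shows the invariant (allocation is a power of two, mask is allocation minus one) that makes the single AND sufficient.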
3869
3870 2018-01-05  Michael Saboff  <msaboff@apple.com>
3871
3872         Allow JSC Config Files to set Restricted Options
3873         https://bugs.webkit.org/show_bug.cgi?id=181352
3874
3875         Reviewed by Mark Lam.
3876
3877         * runtime/ConfigFile.cpp:
3878         (JSC::ConfigFile::parse):
3879
3880 2018-01-04  Keith Miller  <keith_miller@apple.com>
3881
3882         TypedArrays and Wasm should use index masking.
3883         https://bugs.webkit.org/show_bug.cgi?id=181313
3884
3885         Reviewed by Michael Saboff.
3886
3887         We should have index masking for our TypedArray code in the
3888         DFG/FTL and for Wasm when doing bounds checking. Index masking for
3889         Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
3890         WasmBoundsCheckValues we don't need to worry about combining a
3891         bounds check for a load and a store. I went with fusing the
3892         pointer masking in the WasmBoundsCheckValue since it should reduce
3893         additional compiler overhead.
3894
3895         * b3/B3LowerToAir.cpp:
3896         * b3/B3Validate.cpp:
3897         * b3/B3WasmBoundsCheckValue.cpp:
3898         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
3899         (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
3900         * b3/B3WasmBoundsCheckValue.h: