[ESNext][BigInt] Implement support for "==" operation
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-05-09  Caio Lima  <ticaiolima@gmail.com>
2
3         [ESNext][BigInt] Implement support for "==" operation
4         https://bugs.webkit.org/show_bug.cgi?id=184474
5
6         Reviewed by Yusuke Suzuki.
7
8         This patch implements BigInt support for the equals operator,
9         following the spec semantics [1].
10
11         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison
12
13         * runtime/JSBigInt.cpp:
14         (JSC::JSBigInt::parseInt):
15         (JSC::JSBigInt::stringToBigInt):
16         (JSC::JSBigInt::toString):
17         (JSC::JSBigInt::setDigit):
18         (JSC::JSBigInt::equalsToNumber):
19         (JSC::JSBigInt::compareToDouble):
20         * runtime/JSBigInt.h:
21         * runtime/JSCJSValueInlines.h:
22         (JSC::JSValue::equalSlowCaseInline):
23
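Worked example, added here and not part of this ChangeLog or of JSC's JSBigInt: the exact BigInt-versus-double comparison that an `equalsToNumber`/`compareToDouble` pair needs for `bigint == number`. The representation (little-endian base-2^32 limbs), the decimal parser and every function name are this example's own; the only assumption is IEEE-754 doubles with a 53-bit significand. Converting the BigInt to a double first would round 2^53 + 1 to 2^53 and report a false "equal", which is exactly the precision loss the spec's mathematical comparison forbids.

```cpp
// Added example (own representation and names, not JSC's JSBigInt): compare an
// arbitrary-precision integer against an IEEE-754 double without rounding
// either side. Assumes a 53-bit significand (binary64).
#include <cmath>
#include <cstdint>
#include <string>
#include <vector>

enum class Ordering { Less, Equal, Greater, Unordered }; // Unordered: compared against NaN

struct BigInt {
    bool negative = false;
    std::vector<uint32_t> limbs; // magnitude, little-endian base 2^32, no leading zero limbs; empty == 0
};

// Parse an optionally signed decimal string (assumed to contain digits only).
BigInt bigIntFromDecimal(const std::string& text) {
    BigInt result;
    size_t i = 0;
    if (!text.empty() && text[0] == '-') { result.negative = true; i = 1; }
    for (; i < text.size(); ++i) {
        uint64_t carry = static_cast<uint64_t>(text[i] - '0');
        for (uint32_t& limb : result.limbs) {           // result = result * 10 + digit
            uint64_t v = static_cast<uint64_t>(limb) * 10 + carry;
            limb = static_cast<uint32_t>(v);
            carry = v >> 32;
        }
        if (carry) result.limbs.push_back(static_cast<uint32_t>(carry));
    }
    if (result.limbs.empty()) result.negative = false;  // "-0" is just 0
    return result;
}

static Ordering compareMagnitudes(const std::vector<uint32_t>& a, const std::vector<uint32_t>& b) {
    if (a.size() != b.size()) return a.size() < b.size() ? Ordering::Less : Ordering::Greater;
    for (size_t i = a.size(); i-- > 0;)
        if (a[i] != b[i]) return a[i] < b[i] ? Ordering::Less : Ordering::Greater;
    return Ordering::Equal;
}

// Exact magnitude of a finite, integral double as limbs. Such a double is
// significand * 2^exponent with a 53-bit integer significand, so nothing rounds.
static std::vector<uint32_t> magnitudeOfIntegralDouble(double d) {
    std::vector<uint32_t> limbs;
    d = std::fabs(d);
    if (d == 0) return limbs;
    int exponent;
    double fraction = std::frexp(d, &exponent);                                // d = fraction * 2^exponent
    uint64_t significand = static_cast<uint64_t>(std::ldexp(fraction, 53));  // exact 53-bit integer
    int shift = exponent - 53;                                                 // d = significand * 2^shift
    if (shift < 0) { significand >>= -shift; shift = 0; }                     // d integral: dropped bits are zero
    unsigned limbOffset = static_cast<unsigned>(shift) / 32;
    unsigned bitOffset = static_cast<unsigned>(shift) % 32;
    limbs.assign(limbOffset, 0);
    uint64_t low = significand << bitOffset;                                   // low 64 bits of the shifted value
    uint64_t high = bitOffset ? significand >> (64 - bitOffset) : 0;           // bits pushed past bit 63
    limbs.push_back(static_cast<uint32_t>(low));
    limbs.push_back(static_cast<uint32_t>(low >> 32));
    limbs.push_back(static_cast<uint32_t>(high));
    while (!limbs.empty() && limbs.back() == 0) limbs.pop_back();
    return limbs;
}

// Ordering of `value` relative to `d` under the spec's mathematical comparison:
// NaN is unordered, infinities lie beyond every integer, -0.0 is 0.
Ordering compareToDouble(const BigInt& value, double d) {
    if (std::isnan(d)) return Ordering::Unordered;
    if (std::isinf(d)) return d > 0 ? Ordering::Less : Ordering::Greater;
    bool valueNegative = value.negative;
    bool dNegative = d < 0;
    if (value.limbs.empty())
        return d == 0 ? Ordering::Equal : (d > 0 ? Ordering::Less : Ordering::Greater);
    if (valueNegative != dNegative) return valueNegative ? Ordering::Less : Ordering::Greater;
    // Same sign: compare magnitudes against the integral part of d. If those
    // are equal and d still has a fraction, |d| is strictly the larger.
    double truncated = std::trunc(d);
    Ordering magnitude = compareMagnitudes(value.limbs, magnitudeOfIntegralDouble(truncated));
    if (magnitude == Ordering::Equal && truncated != d) magnitude = Ordering::Less;
    if (!valueNegative) return magnitude;
    if (magnitude == Ordering::Less) return Ordering::Greater;
    if (magnitude == Ordering::Greater) return Ordering::Less;
    return Ordering::Equal;
}

// The `==` half of the entry above: true only when the mathematical values
// coincide, never after rounding one side to the other's format.
bool bigIntEqualsNumber(const BigInt& value, double d) {
    return compareToDouble(value, d) == Ordering::Equal;
}

Ordering compareDecimalToDouble(const std::string& decimal, double d) {
    return compareToDouble(bigIntFromDecimal(decimal), d);
}
```

The interesting input is 9007199254740993 (2^53 + 1) against 9007199254740992.0 (2^53): a cast to double would collapse the two, while the limb comparison reports Greater, and the same exactness carries through for values past 2^64 where the double is still an exact power of two.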
24 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
25
26         Speed up AbstractInterpreter::executeEdges
27         https://bugs.webkit.org/show_bug.cgi?id=185457
28
29         Reviewed by Saam Barati.
30
31         This patch started out with the desire to make executeEdges() faster by making filtering faster.
32         However, when I studied the disassembly, I found that there are many opportunities for
33         improvement and I implemented all of them:
34         
35         - Filtering itself now has an inline fast path for when the filtering didn't change the value or
36           for non-cells.
37         
38         - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
39           since fast-forwarding is only interesting for cells and only if we have a clobbered value.
40         
41         - Similarly, edge verification doesn't need to fast-forward in the common case.
42         
43         - A bunch of stuff related to Graph::doToChildren is now inlined properly.
44         
45         - The edge doesn't even have to be considered for execution if it's UntypedUse.
46         
47         That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
48         abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
49         it means proving that the value could either be formatted as a double (with impure NaN values),
50         or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
51         states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
52         make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
53         to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
54         SpecBytecodeNumber (if returning a JSValueRep).
55         
56         But that fix revealed an amazing timeout in
57         stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
58         stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
59         ever realizing that we should jettison something. The problem was with how
60         triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
61         baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
62         
63         This is a 1% improvement in V8Spider-CompileTime.
64
65         * bytecode/ExitKind.cpp:
66         (JSC::exitKindMayJettison):
67         * dfg/DFGAbstractInterpreter.h:
68         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
69         (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
70         * dfg/DFGAbstractInterpreterInlines.h:
71         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
72         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
73         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
74         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
75         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
76         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
77         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
78         * dfg/DFGAbstractValue.cpp:
79         (JSC::DFG::AbstractValue::filterSlow):
80         (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
81         * dfg/DFGAbstractValue.h:
82         (JSC::DFG::AbstractValue::filter):
83         (JSC::DFG::AbstractValue::fastForwardToAndFilter):
84         (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
85         (JSC::DFG::AbstractValue::makeTop):
86         * dfg/DFGAtTailAbstractState.h:
87         (JSC::DFG::AtTailAbstractState::fastForward):
88         (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
89         (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
90         * dfg/DFGGraph.h:
91         (JSC::DFG::Graph::doToChildren):
92         * dfg/DFGInPlaceAbstractState.h:
93         (JSC::DFG::InPlaceAbstractState::fastForward):
94         (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
95         (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
96         * dfg/DFGOSRExit.cpp:
97         (JSC::DFG::OSRExit::executeOSRExit):
98         * dfg/DFGOSRExitCompilerCommon.cpp:
99         (JSC::DFG::handleExitCounts):
100         * dfg/DFGOperations.cpp:
101         * dfg/DFGOperations.h:
102
103 2018-05-09  Saam Barati  <sbarati@apple.com>
104
105         Add JSVirtualMachine SPI to shrink the memory footprint of the VM
106         https://bugs.webkit.org/show_bug.cgi?id=185441
107         <rdar://problem/39999414>
108
109         Reviewed by Keith Miller.
110
111         This patch adds JSVirtualMachine SPI to release as much memory as possible.
112         The SPI does:
113         - Deletes all code caches.
114         - Synchronous GC.
115         - Run the scavenger.
116
117         * API/JSVirtualMachine.mm:
118         (-[JSVirtualMachine shrinkFootprint]):
119         * API/JSVirtualMachinePrivate.h: Added.
120         * API/tests/testapi.mm:
121         (testObjectiveCAPIMain):
122         * JavaScriptCore.xcodeproj/project.pbxproj:
123         * runtime/VM.cpp:
124         (JSC::VM::shrinkFootprint):
125         * runtime/VM.h:
126
127 2018-05-09  Leo Balter  <leonardo.balter@gmail.com>
128
129         [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
130         Error found in the following Test262 tests:
131
132         - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
133         - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
134         - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js
135
136         The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
137         presenting a length > 2**32-1
138         https://bugs.webkit.org/show_bug.cgi?id=185476
139
140         Reviewed by Yusuke Suzuki.
141
142         * runtime/ArrayPrototype.cpp:
143
144 2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>
145
146         [WPE] Build cleanly with GCC 8 and ICU 60
147         https://bugs.webkit.org/show_bug.cgi?id=185462
148
149         Reviewed by Carlos Alberto Lopez Perez.
150
151         * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
152         (jsc_class_add_constructor):
153         (jsc_class_add_method):
154         * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
155         (jsc_value_object_define_property_accessor):
156         (jsc_value_new_function):
157         * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
158         problem with GCC 7 too, but might as well fix it now.
159         * assembler/ProbeContext.h:
160         (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
161         (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
162         * b3/air/AirArg.h:
163         (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
164         * builtins/BuiltinNames.cpp:
165         (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
166         * builtins/BuiltinNames.h:
167         (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
168         * dfg/DFGDoubleFormatState.h:
169         (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
170         * heap/MarkedBlockInlines.h:
171         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
172         * runtime/ConfigFile.cpp:
173         (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake: strncat is called
174         with the wrong length parameter and the result is not null-terminated. Also, silence a
175         -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
176         * runtime/IntlDateTimeFormat.cpp:
177         (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
178         * runtime/JSGlobalObject.cpp:
179         (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
180         (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
181
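A constructed illustration, added here and not the ConfigFile.cpp code the entry refers to, of the length-argument mistake it describes: strncat's third argument bounds the characters appended, not the buffer size, so passing the buffer size lets the copy overrun once the destination already holds text, and a truncating copy that forgets the terminator leaves a string that later reads run off the end of. The helper names are this example's own and the buffer sizes are deliberately tiny so the truncation path is exercised.

```cpp
// Added, constructed example of the bounded-append mistake described in the
// ChangeLog entry above; this is not the ConfigFile.cpp code. Names are this
// example's own.
#include <cstddef>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

// The only safe third argument for strncat(dst, src, n): the characters that
// still fit before the terminator. strncat appends at most n characters and
// THEN writes a NUL, so n = sizeof(dst) overruns as soon as dst holds anything.
size_t strncatLimit(const char* dst, size_t dstSize) {
    size_t used = strlen(dst);                 // precondition: dst is NUL-terminated within dstSize
    return used + 1 >= dstSize ? 0 : dstSize - used - 1;
}

// Append with strncat using that limit. Returns false if src was truncated.
bool appendWithStrncat(char* dst, size_t dstSize, const char* src) {
    size_t room = strncatLimit(dst, dstSize);
    strncat(dst, src, room);
    return strlen(src) <= room;
}

// The same contract without strncat, and tolerant of an unterminated dst:
// memchr bounds the scan, the copy is clamped, and a NUL is always written.
bool appendBounded(char* dst, size_t dstSize, const char* src) {
    if (dstSize == 0) return false;
    const void* terminator = memchr(dst, '\0', dstSize);
    size_t used = terminator ? static_cast<size_t>(static_cast<const char*>(terminator) - dst) : dstSize - 1;
    size_t room = dstSize - used - 1;
    size_t srcLen = strlen(src);
    size_t n = srcLen < room ? srcLen : room;
    memcpy(dst + used, src, n);
    dst[used + n] = '\0';
    return n == srcLen;
}

// Build dir + "/" + name in a buffer of `capacity` bytes with either helper.
// Returns the resulting string and whether the whole path fit.
std::pair<std::string, bool> joinPathDemo(const char* dir, const char* name, size_t capacity, bool useStrncat = false) {
    std::vector<char> buf(capacity, '\0');
    bool (*append)(char*, size_t, const char*) = useStrncat ? appendWithStrncat : appendBounded;
    bool fits = append(buf.data(), capacity, dir);
    fits = append(buf.data(), capacity, "/") && fits;
    fits = append(buf.data(), capacity, name) && fits;
    return { std::string(buf.data()), fits };
}
```

With an 8-byte buffer, "/etc" plus "/" plus "passwd" truncates to "/etc/pa" by either route, stays terminated, and the return value tells the caller that truncation happened, which is the information a PATH_MAX clamp needs to surface rather than silently produce a different path.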
182 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
183
184         [ARMv7] Drop ARMv7 disassembler in favor of capstone
185         https://bugs.webkit.org/show_bug.cgi?id=185423
186
187         Reviewed by Michael Catanzaro.
188
189         This patch removes ARMv7Disassembler in our tree.
190         We already adopted Capstone, and it is already used in ARMv7 JIT environments.
191
192         * CMakeLists.txt:
193         * JavaScriptCore.xcodeproj/project.pbxproj:
194         * Sources.txt:
195         * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
196         * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
197         * disassembler/ARMv7Disassembler.cpp: Removed.
198
199 2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>
200
201         [MIPS] Optimize generated JIT code using r2
202         https://bugs.webkit.org/show_bug.cgi?id=184584
203
204         Reviewed by Yusuke Suzuki.
205
206         EXT and MFHC1 instructions from MIPSR2 are implemented and used where possible.
207         Also, some code size optimizations discovered in the meantime are done.
208
209         * assembler/MIPSAssembler.h:
210         (JSC::MIPSAssembler::ext):
211         (JSC::MIPSAssembler::mfhc1):
212         * assembler/MacroAssemblerMIPS.cpp:
213         * assembler/MacroAssemblerMIPS.h:
214         (JSC::MacroAssemblerMIPS::isPowerOf2):
215         (JSC::MacroAssemblerMIPS::bitPosition):
216         (JSC::MacroAssemblerMIPS::loadAddress):
217         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
218         (JSC::MacroAssemblerMIPS::load8):
219         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
220         (JSC::MacroAssemblerMIPS::load32):
221         (JSC::MacroAssemblerMIPS::load16Unaligned):
222         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
223         (JSC::MacroAssemblerMIPS::load16):
224         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
225         (JSC::MacroAssemblerMIPS::store8):
226         (JSC::MacroAssemblerMIPS::store16):
227         (JSC::MacroAssemblerMIPS::store32):
228         (JSC::MacroAssemblerMIPS::branchTest32):
229         (JSC::MacroAssemblerMIPS::loadFloat):
230         (JSC::MacroAssemblerMIPS::loadDouble):
231         (JSC::MacroAssemblerMIPS::storeFloat):
232         (JSC::MacroAssemblerMIPS::storeDouble):
233
234 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
235
236         [JSC][GTK][JSCONLY] Use capstone disassembler
237         https://bugs.webkit.org/show_bug.cgi?id=185283
238
239         Reviewed by Michael Catanzaro.
240
241         Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler.
242         And use capstone disassembler for MIPS, ARM, and ARMv7 in GTK, WPE, WinCairo and JSCOnly ports.
243
244         And we remove ARM LLVM disassembler.
245
246         Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.
247
248         * CMakeLists.txt:
249         * Sources.txt:
250         * disassembler/ARMLLVMDisassembler.cpp: Removed.
251         * disassembler/CapstoneDisassembler.cpp: Added.
252         (JSC::tryToDisassemble):
253
254 2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>
255
256         [MIPS] Use mfhc1 and mthc1 to fix assembler error
257         https://bugs.webkit.org/show_bug.cgi?id=185464
258
259         Reviewed by Yusuke Suzuki.
260
261         The binutils-assembler started to report failures for copying words between
262         GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
263         of mfc1 and mtc1 for conversion.
264
265         * offlineasm/mips.rb:
266
267 2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>
268
269         [MIPS] Collect callee-saved register using inline assembly
270         https://bugs.webkit.org/show_bug.cgi?id=185428
271
272         Reviewed by Yusuke Suzuki.
273
274         MIPS used setjmp instead of collecting registers with inline assembly like
275         other architectures.
276
277         * heap/RegisterState.h:
278
279 2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>
280
281         [BigInt] Simplifying JSBigInt by using bool addition
282         https://bugs.webkit.org/show_bug.cgi?id=185374
283
284         Reviewed by Alex Christensen.
285
286         Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
287         Just adding the overflow flag to carry/borrow produces setb + add on x86.
288
289         Also we annotate small helper functions and accessors with `inline` so that these functions are not called
290         inside the internalMultiplyAdd loop.
291
292         * runtime/JSBigInt.cpp:
293         (JSC::JSBigInt::isZero):
294         (JSC::JSBigInt::inplaceMultiplyAdd):
295         (JSC::JSBigInt::digitAdd):
296         (JSC::JSBigInt::digitSub):
297         (JSC::JSBigInt::digitMul):
298         (JSC::JSBigInt::digitPow):
299         (JSC::JSBigInt::digitDiv):
300         (JSC::JSBigInt::offsetOfData):
301         (JSC::JSBigInt::dataStorage):
302         (JSC::JSBigInt::digit):
303         (JSC::JSBigInt::setDigit):
304
305 2018-05-08  Michael Saboff  <msaboff@apple.com>
306
307         Replace multiple Watchpoint Set fireAll() methods with templates
308         https://bugs.webkit.org/show_bug.cgi?id=185456
309
310         Reviewed by Saam Barati.
311
312         Refactored to minimize duplicate code.
313
314         * bytecode/Watchpoint.h:
315         (JSC::WatchpointSet::fireAll):
316         (JSC::InlineWatchpointSet::fireAll):
317
318 2018-05-08  Filip Pizlo  <fpizlo@apple.com>
319
320         DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
321         https://bugs.webkit.org/show_bug.cgi?id=185453
322
323         Reviewed by Michael Saboff.
324         
325         Tiny improvement for compile times.
326
327         * dfg/DFGFlowMap.h:
328         (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
329         * dfg/DFGInPlaceAbstractState.cpp:
330         (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.
331
332 2018-05-08  Michael Saboff  <msaboff@apple.com>
333
334         Deferred firing of structure transition watchpoints is racy
335         https://bugs.webkit.org/show_bug.cgi?id=185438
336
337         Reviewed by Saam Barati.
338
339         Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
340         and fire them in the destructor.  When the watchpoints are taken from the
341         original WatchpointSet, that WatchpointSet is marked invalid.
342
343         * bytecode/Watchpoint.cpp:
344         (JSC::WatchpointSet::fireAllSlow):
345         (JSC::WatchpointSet::take):
346         (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
347         (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
348         (JSC::DeferredWatchpointFire::fireAll):
349         (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
350         * bytecode/Watchpoint.h:
351         (JSC::WatchpointSet::fireAll):
352         (JSC::InlineWatchpointSet::fireAll):
353         * runtime/JSObject.cpp:
354         (JSC::JSObject::setPrototypeDirect):
355         (JSC::JSObject::convertToDictionary):
356         * runtime/JSObjectInlines.h:
357         (JSC::JSObject::putDirectInternal):
358         * runtime/Structure.cpp:
359         (JSC::Structure::Structure):
360         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
361         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
362         (JSC::DeferredStructureTransitionWatchpointFire::dump const):
363         (JSC::Structure::didTransitionFromThisStructure const):
364         (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
365         * runtime/Structure.h:
366         (JSC::DeferredStructureTransitionWatchpointFire::structure const):
367
368 2018-05-08  Eric Carlson  <eric.carlson@apple.com>
369
370         Consecutive messages logged as JSON are coalesced
371         https://bugs.webkit.org/show_bug.cgi?id=185432
372
373         Reviewed by Joseph Pecoraro.
374
375         * inspector/ConsoleMessage.cpp:
376         (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.
377
378 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
379
380         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
381         https://bugs.webkit.org/show_bug.cgi?id=185365
382
383         Reviewed by Saam Barati.
384         
385         This patch does three things to improve compile times:
386         
387         - Fixes some inlining goofs.
388         
389         - Adds the ability to measure compile times with run-jsc-benchmarks.
390         
391         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
392           code that clears abstract values. It turns out that constant folding "needed" this, in the
393           sense that this was the only thing protecting it from loading the abstract value of a no-result
394           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
395           Any node that produces a result will explicitly set its abstract value, so this problem can
396           also be guarded by just having constant folding check if the node it wants to fold returns any
397           result.
398         
399         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
400         
401         Rolling back in after fixing cloop build.
402
403         * dfg/DFGAbstractInterpreterInlines.h:
404         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
405         * dfg/DFGAbstractValue.cpp:
406         (JSC::DFG::AbstractValue::set):
407         * dfg/DFGAbstractValue.h:
408         (JSC::DFG::AbstractValue::merge):
409         * dfg/DFGConstantFoldingPhase.cpp:
410         (JSC::DFG::ConstantFoldingPhase::foldConstants):
411         * dfg/DFGGraph.h:
412         (JSC::DFG::Graph::doToChildrenWithNode):
413         (JSC::DFG::Graph::doToChildren):
414         * dfg/DFGInPlaceAbstractState.cpp:
415         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
416         * jit/JIT.cpp:
417         (JSC::JIT::totalCompileTime):
418         * jit/JIT.h:
419         * jsc.cpp:
420         (GlobalObject::finishCreation):
421         (functionTotalCompileTime):
422
423 2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>
424
425         Unreviewed, rolling out r231468.
426
427         Broke the CLoop build
428
429         Reverted changeset:
430
431         "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
432         any abstract values"
433         https://bugs.webkit.org/show_bug.cgi?id=185365
434         https://trac.webkit.org/changeset/231468
435
436 2018-05-07  Daniel Bates  <dabates@apple.com>
437
438         Check X-Frame-Options and CSP frame-ancestors in network process
439         https://bugs.webkit.org/show_bug.cgi?id=185410
440         <rdar://problem/37733934>
441
442         Reviewed by Ryosuke Niwa.
443
444         Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.
445
446         * runtime/ConsoleTypes.h:
447
448 2018-05-07  Saam Barati  <sbarati@apple.com>
449
450         Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
451         https://bugs.webkit.org/show_bug.cgi?id=185329
452         <rdar://problem/39961536>
453
454         Reviewed by Michael Saboff.
455
456         I was made aware of a memory goof inside of JSC where we would inefficiently
457         use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.
458         
459         We did two things badly:
460         1. We used a HashMap instead of a Vector to represent the environment. Having
461         a HashMap is useful when looking things up when generating bytecode, but it's
462         space inefficient. Because UnlinkedFunctionExecutables live a long time because
463         of the code cache, we should have them store this information efficiently
464         inside of a Vector.
465         
466         2. We didn't hash-cons these environments together. If you think about how
467         some programs are structured, hash-consing these together is hugely profitable.
468         Consider some code like this:
469         ```
470         const/let V_1 = ...;
471         const/let V_2 = ...;
472         ...
473         const/let V_n = ...;
474         
475         function f_1() { ... };
476         function f_2() { ... };
477         ...
478         function f_n() { ... };
479         ```
480         
481         Each f_i would store an identical hash map for its parent TDZ variables
482         consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
483         each f_i just holds onto a reference to the environment.
484         
485         I benchmarked this change against an app that made heavy use of the
486         above code pattern and it reduced its peak memory footprint from ~220MB
487         to ~160MB.
488
489         * bytecode/UnlinkedFunctionExecutable.cpp:
490         (JSC::generateUnlinkedFunctionCodeBlock):
491         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
492         * bytecode/UnlinkedFunctionExecutable.h:
493         * parser/VariableEnvironment.cpp:
494         (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
495         (JSC::CompactVariableEnvironment::operator== const):
496         (JSC::CompactVariableEnvironment::toVariableEnvironment const):
497         (JSC::CompactVariableMap::get):
498         (JSC::CompactVariableMap::Handle::~Handle):
499         * parser/VariableEnvironment.h:
500         (JSC::VariableEnvironmentEntry::bits const):
501         (JSC::VariableEnvironmentEntry::operator== const):
502         (JSC::VariableEnvironment::isEverythingCaptured const):
503         (JSC::CompactVariableEnvironment::hash const):
504         (JSC::CompactVariableMapKey::CompactVariableMapKey):
505         (JSC::CompactVariableMapKey::hash):
506         (JSC::CompactVariableMapKey::equal):
507         (JSC::CompactVariableMapKey::makeDeletedValue):
508         (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
509         (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
510         (JSC::CompactVariableMapKey::environment):
511         (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
512         (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
513         (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
514         (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
515         (JSC::CompactVariableMap::Handle::Handle):
516         (JSC::CompactVariableMap::Handle::environment const):
517         (JSC::VariableEnvironment::VariableEnvironment): Deleted.
518         * runtime/VM.cpp:
519         (JSC::VM::VM):
520         * runtime/VM.h:
521
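An added example of the hash-consing described in the entry above, written for this page rather than taken from JSC's CompactVariableMap: environments are canonicalized (sorted, de-duplicated) so that equal sets hash and compare equal, and every function declared after the same block of bindings holds a shared reference to one interned copy instead of its own. The names and the weak-reference lifetime policy are this example's choices.

```cpp
// Added example (not JSC's CompactVariableMap): intern variable environments so
// that n functions sharing the same parent TDZ set share one object.
#include <algorithm>
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

// Compact form: sorted, de-duplicated names. Sorting makes hash and equality
// independent of declaration order, so {V_1, V_2} and {V_2, V_1} intern together.
struct CompactEnvironment {
    std::vector<std::string> names;
    bool operator==(const CompactEnvironment& other) const { return names == other.names; }
};

struct CompactEnvironmentHash {
    size_t operator()(const CompactEnvironment& env) const {
        size_t h = env.names.size();
        for (const auto& name : env.names)
            h ^= std::hash<std::string>()(name) + 0x9e3779b9 + (h << 6) + (h >> 2); // boost-style combine
        return h;
    }
};

class EnvironmentInterner {
public:
    using Handle = std::shared_ptr<const CompactEnvironment>;

    // Returns the interned environment for `names`, creating it on first use.
    Handle get(std::vector<std::string> names) {
        std::sort(names.begin(), names.end());
        names.erase(std::unique(names.begin(), names.end()), names.end());
        CompactEnvironment key{std::move(names)};
        auto it = m_table.find(key);
        if (it != m_table.end()) {
            if (Handle live = it->second.lock()) return live;  // someone still references it
        }
        // The table holds weak references: an environment nobody uses any more
        // is freed when its last Handle dies, so the interner never pins memory.
        Handle fresh = std::make_shared<const CompactEnvironment>(key);
        m_table[key] = fresh;
        return fresh;
    }

    // Number of distinct environments currently alive.
    size_t liveCount() const {
        size_t n = 0;
        for (const auto& entry : m_table)
            if (!entry.second.expired()) ++n;
        return n;
    }

private:
    std::unordered_map<CompactEnvironment, std::weak_ptr<const CompactEnvironment>, CompactEnvironmentHash> m_table;
};

// Simulates functionCount functions declared after the same const/let bindings,
// as in the pattern quoted above. Returns how many distinct environment objects
// they end up holding: 1 with hash-consing, functionCount without it.
size_t distinctEnvironmentsFor(size_t functionCount, const std::vector<std::string>& bindings) {
    EnvironmentInterner interner;
    std::vector<EnvironmentInterner::Handle> perFunction;
    for (size_t i = 0; i < functionCount; ++i)
        perFunction.push_back(interner.get(bindings));
    return interner.liveCount();
}

// Canonicalization check: order and duplicates do not create new entries, a
// different set does.
bool internsIndependentOfOrder() {
    EnvironmentInterner interner;
    auto a = interner.get({"V_1", "V_2", "V_3"});
    auto b = interner.get({"V_3", "V_1", "V_2", "V_1"});
    auto c = interner.get({"V_1", "V_2"});
    return a == b && a != c && interner.liveCount() == 2;
}
```

The lookup cost is one hash of the sorted name list per function, paid at parse time; in exchange the per-function storage drops to a single pointer, which is where the footprint reduction the entry measures comes from.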
522 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
523
524         [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
525         https://bugs.webkit.org/show_bug.cgi?id=185371
526
527         Reviewed by Mark Lam.
528
529         Since MIPS GPRInfo claims it has only 7 registers, some of the DFG code exhausts registers.
530         As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
531         but actually MIPS has many more registers.
532
533         This patch adds $a0 - $a3 to the temporary registers. This is OK since our temporary registers can overlap with
534         argument registers (see ARM, X86 implementations). These registers are caller-save ones, so we do not need to
535         have an extra mechanism.
536
537         Then, we remove several pieces of unnecessary MIPS code from our JIT infrastructure.
538
539         * dfg/DFGByteCodeParser.cpp:
540         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
541         * dfg/DFGFixupPhase.cpp:
542         (JSC::DFG::FixupPhase::fixupNode):
543         * dfg/DFGSpeculativeJIT32_64.cpp:
544         (JSC::DFG::SpeculativeJIT::compile):
545         * jit/CCallHelpers.h:
546         * jit/GPRInfo.h:
547         (JSC::GPRInfo::toRegister):
548         (JSC::GPRInfo::toIndex):
549         * offlineasm/mips.rb:
550
551 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
552
553         DFG AI should have O(1) clobbering
554         https://bugs.webkit.org/show_bug.cgi?id=185287
555
556         Reviewed by Saam Barati.
557         
558         This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
559         would traverse all of the state available to the AI at that time and clobber it.
560         
561         This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.
562         
563         This is a ~1% speed-up for compile times.
564
565         * JavaScriptCore.xcodeproj/project.pbxproj:
566         * Sources.txt:
567         * dfg/DFGAbstractInterpreter.h:
568         (JSC::DFG::AbstractInterpreter::forNode):
569         (JSC::DFG::AbstractInterpreter::setForNode):
570         (JSC::DFG::AbstractInterpreter::clearForNode):
571         (JSC::DFG::AbstractInterpreter::variables): Deleted.
572         * dfg/DFGAbstractInterpreterInlines.h:
573         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
574         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
575         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
576         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
577         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
578         * dfg/DFGAbstractValue.cpp:
579         (JSC::DFG::AbstractValue::fastForwardToSlow):
580         * dfg/DFGAbstractValue.h:
581         (JSC::DFG::AbstractValue::fastForwardTo):
582         (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
583         (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
584         (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
585         * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
586         (JSC::DFG::AbstractValueClobberEpoch::dump const):
587         * dfg/DFGAbstractValueClobberEpoch.h: Added.
588         (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
589         (JSC::DFG::AbstractValueClobberEpoch::first):
590         (JSC::DFG::AbstractValueClobberEpoch::clobber):
591         (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
592         (JSC::DFG::AbstractValueClobberEpoch::operator== const):
593         (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
594         (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
595         (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
596         * dfg/DFGAtTailAbstractState.h:
597         (JSC::DFG::AtTailAbstractState::setForNode):
598         (JSC::DFG::AtTailAbstractState::clearForNode):
599         (JSC::DFG::AtTailAbstractState::numberOfArguments const):
600         (JSC::DFG::AtTailAbstractState::numberOfLocals const):
601         (JSC::DFG::AtTailAbstractState::operand):
602         (JSC::DFG::AtTailAbstractState::local):
603         (JSC::DFG::AtTailAbstractState::argument):
604         (JSC::DFG::AtTailAbstractState::clobberStructures):
605         (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
606         (JSC::DFG::AtTailAbstractState::variables): Deleted.
607         * dfg/DFGCFAPhase.cpp:
608         (JSC::DFG::CFAPhase::performBlockCFA):
609         * dfg/DFGConstantFoldingPhase.cpp:
610         (JSC::DFG::ConstantFoldingPhase::foldConstants):
611         * dfg/DFGFlowMap.h:
612         (JSC::DFG::FlowMap::at):
613         (JSC::DFG::FlowMap::atShadow):
614         (JSC::DFG::FlowMap::at const):
615         (JSC::DFG::FlowMap::atShadow const):
616         * dfg/DFGInPlaceAbstractState.cpp:
617         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
618         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
619         * dfg/DFGInPlaceAbstractState.h:
620         (JSC::DFG::InPlaceAbstractState::forNode):
621         (JSC::DFG::InPlaceAbstractState::setForNode):
622         (JSC::DFG::InPlaceAbstractState::clearForNode):
623         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
624         (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
625         (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
626         (JSC::DFG::InPlaceAbstractState::operand):
627         (JSC::DFG::InPlaceAbstractState::local):
628         (JSC::DFG::InPlaceAbstractState::argument):
629         (JSC::DFG::InPlaceAbstractState::variableAt):
630         (JSC::DFG::InPlaceAbstractState::clobberStructures):
631         (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
632         (JSC::DFG::InPlaceAbstractState::fastForward):
633         (JSC::DFG::InPlaceAbstractState::variables): Deleted.
634         * dfg/DFGSpeculativeJIT64.cpp:
635         (JSC::DFG::SpeculativeJIT::compile):
636         * ftl/FTLLowerDFGToB3.cpp:
637         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
638
639 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
640
641         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
642         https://bugs.webkit.org/show_bug.cgi?id=185365
643
644         Reviewed by Saam Barati.
645         
646         This patch does three things to improve compile times:
647         
648         - Fixes some inlining goofs.
649         
650         - Adds the ability to measure compile times with run-jsc-benchmarks.
651         
652         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
653           code that clears abstract values. It turns out that constant folding "needed" this, in the
654           sense that this was the only thing protecting it from loading the abstract value of a no-result
655           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
656           Any node that produces a result will explicitly set its abstract value, so this problem can
657           also be guarded by just having constant folding check if the node it wants to fold returns any
658           result.
659         
660         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
661
662         * dfg/DFGAbstractInterpreterInlines.h:
663         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
664         * dfg/DFGAbstractValue.cpp:
665         (JSC::DFG::AbstractValue::set):
666         * dfg/DFGAbstractValue.h:
667         (JSC::DFG::AbstractValue::merge):
668         * dfg/DFGConstantFoldingPhase.cpp:
669         (JSC::DFG::ConstantFoldingPhase::foldConstants):
670         * dfg/DFGGraph.h:
671         (JSC::DFG::Graph::doToChildrenWithNode):
672         (JSC::DFG::Graph::doToChildren):
673         * dfg/DFGInPlaceAbstractState.cpp:
674         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
675         * jit/JIT.cpp:
676         (JSC::JIT::totalCompileTime):
677         * jit/JIT.h:
678         * jsc.cpp:
679         (GlobalObject::finishCreation):
680         (functionTotalCompileTime):
681
682 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
683
684         DFG AI doesn't need to merge valuesAtTail - it can just assign them
685         https://bugs.webkit.org/show_bug.cgi?id=185355
686
687         Reviewed by Mark Lam.
688         
689         This is a further attempt to improve compile times. Assigning AbstractValue ought to always
690         be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
691         merging will get the same answer because the value computed this time will be either the same
692         as or more general than the value computed last time. If the value does change for some
693         reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
694         changes, then we have no reason to believe that this new value is less right than the last
695         one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
696         if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.
697
698         * dfg/DFGInPlaceAbstractState.cpp:
699         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
700
701 2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>
702
703         Remove defunct email address
704         https://bugs.webkit.org/show_bug.cgi?id=185396
705
706         Reviewed by Mark Lam.
707
708         The email address thetalecrafter@gmail.com is no longer valid, as the
709         associated google account has been closed. This updates the email
710         address so questions about these Intl contributions go to the right
711         place.
712
713         * builtins/DatePrototype.js:
714         * builtins/NumberPrototype.js:
715         * builtins/StringPrototype.js:
716         * runtime/IntlCollator.cpp:
717         * runtime/IntlCollator.h:
718         * runtime/IntlCollatorConstructor.cpp:
719         * runtime/IntlCollatorConstructor.h:
720         * runtime/IntlCollatorPrototype.cpp:
721         * runtime/IntlCollatorPrototype.h:
722         * runtime/IntlDateTimeFormat.cpp:
723         * runtime/IntlDateTimeFormat.h:
724         * runtime/IntlDateTimeFormatConstructor.cpp:
725         * runtime/IntlDateTimeFormatConstructor.h:
726         * runtime/IntlDateTimeFormatPrototype.cpp:
727         * runtime/IntlDateTimeFormatPrototype.h:
728         * runtime/IntlNumberFormat.cpp:
729         * runtime/IntlNumberFormat.h:
730         * runtime/IntlNumberFormatConstructor.cpp:
731         * runtime/IntlNumberFormatConstructor.h:
732         * runtime/IntlNumberFormatPrototype.cpp:
733         * runtime/IntlNumberFormatPrototype.h:
734         * runtime/IntlObject.cpp:
735         * runtime/IntlObject.h:
736         * runtime/IntlPluralRules.cpp:
737         * runtime/IntlPluralRules.h:
738         * runtime/IntlPluralRulesConstructor.cpp:
739         * runtime/IntlPluralRulesConstructor.h:
740         * runtime/IntlPluralRulesPrototype.cpp:
741         * runtime/IntlPluralRulesPrototype.h:
742
743 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
744
745         [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
746         https://bugs.webkit.org/show_bug.cgi?id=185362
747
748         Reviewed by Sam Weinig.
749
750         "namespace std" may include many names. It can conflict with names defined by our code
751         and by other platform-provided headers. For example, std::byte conflicts with Windows'
752         ::byte.
753         This patch removes "using namespace std;" from JSC and bmalloc.
754
755         * API/JSClassRef.cpp:
756         (OpaqueJSClass::create):
757         * bytecode/Opcode.cpp:
758         * bytecompiler/BytecodeGenerator.cpp:
759         (JSC::BytecodeGenerator::newRegister):
760         * heap/Heap.cpp:
761         (JSC::Heap::updateAllocationLimits):
762         * interpreter/Interpreter.cpp:
763         * jit/JIT.cpp:
764         * parser/Parser.cpp:
765         * runtime/JSArray.cpp:
766         * runtime/JSLexicalEnvironment.cpp:
767         * runtime/JSModuleEnvironment.cpp:
768         * runtime/Structure.cpp:
769         * shell/DLLLauncherMain.cpp:
770         (getStringValue):
771         (applePathFromRegistry):
772         (appleApplicationSupportDirectory):
773         (copyEnvironmentVariable):
774         (prependPath):
775         (fatalError):
776         (directoryExists):
777         (modifyPath):
778         (getLastErrorString):
779         (wWinMain):
780
781 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
782
783         DFG CFA phase should only do clobber asserts in debug
784         https://bugs.webkit.org/show_bug.cgi?id=185354
785
786         Reviewed by Saam Barati.
787         
788         Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
789         unless asserts are enabled.
790
791         * dfg/DFGCFAPhase.cpp:
792         (JSC::DFG::CFAPhase::performBlockCFA):
793
794 2018-05-04  Keith Miller  <keith_miller@apple.com>
795
796         isCacheableArrayLength should return true for undecided arrays
797         https://bugs.webkit.org/show_bug.cgi?id=185309
798
799         Reviewed by Michael Saboff.
800
801         Undecided arrays have butterflies so there is no reason why we
802         should not be able to cache their length.
803
804         * bytecode/InlineAccess.cpp:
805         (JSC::InlineAccess::isCacheableArrayLength):
806
807 2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
808
809         Remove std::random_shuffle
810         https://bugs.webkit.org/show_bug.cgi?id=185292
811
812         Reviewed by Darin Adler.
813
814         std::random_shuffle is deprecated in C++14 and removed in C++17,
815         since std::random_shuffle relies on rand and srand.
816         Use std::shuffle instead.
817
818         * jit/BinarySwitch.cpp:
819         (JSC::RandomNumberGenerator::RandomNumberGenerator):
820         (JSC::RandomNumberGenerator::operator()):
821         (JSC::RandomNumberGenerator::min):
822         (JSC::RandomNumberGenerator::max):
823         (JSC::BinarySwitch::build):
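
As an added example (not JSC code), the shape of the replacement this entry describes: std::shuffle takes its generator as an explicit argument and requires a UniformRandomBitGenerator, the result_type/min/max/operator() interface that the RandomNumberGenerator members listed above provide in BinarySwitch.cpp. The ShuffleGenerator class, its xorshift64* core and the sample case values below are assumptions constructed for this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Adapter in the shape std::shuffle requires of its generator (a
// UniformRandomBitGenerator): result_type, static min()/max(), operator().
// The xorshift64* core is a constructed stand-in for whatever RNG a project
// already has; the point is the interface, not this particular generator.
class ShuffleGenerator {
public:
    using result_type = uint64_t;

    explicit ShuffleGenerator(uint64_t seed)
        : m_state(seed ? seed : 0x9E3779B97F4A7C15ull) // xorshift state must be non-zero
    {
    }

    static constexpr result_type min() { return 0; }
    static constexpr result_type max() { return ~result_type(0); }

    result_type operator()()
    {
        // xorshift64* step; not cryptographic, adequate for an ordering shuffle.
        m_state ^= m_state >> 12;
        m_state ^= m_state << 25;
        m_state ^= m_state >> 27;
        return m_state * 0x2545F4914F6CDD1Dull;
    }

private:
    uint64_t m_state;
};

// std::random_shuffle(begin, end) drew from the process-global rand()/srand()
// state, so any unrelated code calling srand() changed the permutation. With
// std::shuffle the generator is an explicit parameter, and a fixed seed gives
// a reproducible permutation.
std::vector<int> shuffledCopy(const std::vector<int>& input, uint64_t seed)
{
    std::vector<int> out(input);
    ShuffleGenerator generator(seed);
    std::shuffle(out.begin(), out.end(), generator);
    return out;
}

// True when `candidate` is a rearrangement of `original`: nothing lost or duplicated.
bool isPermutationOf(const std::vector<int>& original, const std::vector<int>& candidate)
{
    return original.size() == candidate.size()
        && std::is_permutation(original.begin(), original.end(), candidate.begin());
}

// Constructed sample input: the kind of case values a binary switch orders.
std::vector<int> sampleCases()
{
    return { 3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3 };
}

// Two shuffles with the same seed must agree and must both be permutations
// of the input; this is the property the global rand() state could not give.
bool shuffleIsReproducible(uint64_t seed)
{
    std::vector<int> input = sampleCases();
    std::vector<int> first = shuffledCopy(input, seed);
    std::vector<int> second = shuffledCopy(input, seed);
    return first == second && isPermutationOf(input, first);
}
```

The generator is deliberately not std::random_device or a cryptographic source: the entry's use case is ordering code, where reproducibility for debugging matters more than unpredictability, and the explicit-parameter design lets a caller choose either.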
824
825 2018-05-03  Saam Barati  <sbarati@apple.com>
826
827         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
828         https://bugs.webkit.org/show_bug.cgi?id=185177
829
830         Reviewed by Filip Pizlo.
831
832         This patch teaches the DFG/FTL how to constant fold CreateThis with
833         a known poly proto Structure to NewObject. We do it by emitting a NewObject
834         followed by a PutByOffset for the prototype value.
835         
836         We make it so that ObjectAllocationProfile holds the prototype value.
837         This is sound because JSFunction clears that profile when its 'prototype'
838         field changes.
839         
840         This patch also renames underscoreProtoPrivateName to polyProtoName since
841         that name was nonsensical: it was only used for poly proto.
842         
843         This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
844         regressed that benchmark when I first introduced poly proto.
845
846         * builtins/BuiltinNames.cpp:
847         * builtins/BuiltinNames.h:
848         (JSC::BuiltinNames::BuiltinNames):
849         (JSC::BuiltinNames::polyProtoName const):
850         (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
851         * bytecode/ObjectAllocationProfile.h:
852         (JSC::ObjectAllocationProfile::prototype):
853         (JSC::ObjectAllocationProfile::clear):
854         (JSC::ObjectAllocationProfile::visitAggregate):
855         * bytecode/ObjectAllocationProfileInlines.h:
856         (JSC::ObjectAllocationProfile::initializeProfile):
857         * dfg/DFGAbstractInterpreterInlines.h:
858         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
859         * dfg/DFGByteCodeParser.cpp:
860         (JSC::DFG::ByteCodeParser::parseBlock):
861         * dfg/DFGConstantFoldingPhase.cpp:
862         (JSC::DFG::ConstantFoldingPhase::foldConstants):
863         * dfg/DFGOperations.cpp:
864         * runtime/CommonSlowPaths.cpp:
865         (JSC::SLOW_PATH_DECL):
866         * runtime/FunctionRareData.h:
867         * runtime/Structure.cpp:
868         (JSC::Structure::create):
869
870 2018-05-03  Michael Saboff  <msaboff@apple.com>
871
872         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
873         https://bugs.webkit.org/show_bug.cgi?id=185281
874
875         Reviewed by Saam Barati.
876
877         When we compute bytecode block reachability, we need to take into account blocks
878         containing try/catch.
879
880         * jit/JIT.cpp:
881         (JSC::JIT::privateCompileMainPass):
882
883 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
884
885         ARM: Wrong offset for operand rt in disassembler
886         https://bugs.webkit.org/show_bug.cgi?id=184083
887
888         Reviewed by Yusuke Suzuki.
889
890         * disassembler/ARMv7/ARMv7DOpcode.h:
891         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
892         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
893
894 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
895
896         ARM: Support vstr in disassembler
897         https://bugs.webkit.org/show_bug.cgi?id=184084
898
899         Reviewed by Yusuke Suzuki.
900
901         * disassembler/ARMv7/ARMv7DOpcode.cpp:
902         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
903         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
904         * disassembler/ARMv7/ARMv7DOpcode.h:
905         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
906         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
907         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
908         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
909         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
910         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
911         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
912
913 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
914
915         Invoke ensureArrayStorage for all arguments
916         https://bugs.webkit.org/show_bug.cgi?id=185247
917
918         Reviewed by Yusuke Suzuki.
919
920         ensureArrayStorage was only invoked for the first argument in each loop iteration.
921
922         * jsc.cpp:
923         (functionEnsureArrayStorage):
924
925 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
926
927         Make it easy to log compile times for all optimizing tiers
928         https://bugs.webkit.org/show_bug.cgi?id=185270
929
930         Reviewed by Keith Miller.
931         
932         This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
933         helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
934         it.
935         
936         This should help us reduce compile times by telling us where to look. So far, it looks like
937         CFA is the worst.
938
939         * JavaScriptCore.xcodeproj/project.pbxproj:
940         * Sources.txt:
941         * b3/B3Common.cpp:
942         (JSC::B3::shouldMeasurePhaseTiming): Deleted.
943         * b3/B3Common.h:
944         * b3/B3TimingScope.cpp: Removed.
945         * b3/B3TimingScope.h:
946         (JSC::B3::TimingScope::TimingScope):
947         * dfg/DFGPhase.h:
948         (JSC::DFG::runAndLog):
949         * dfg/DFGPlan.cpp:
950         (JSC::DFG::Plan::compileInThread):
951         * tools/CompilerTimingScope.cpp: Added.
952         (JSC::CompilerTimingScope::CompilerTimingScope):
953         (JSC::CompilerTimingScope::~CompilerTimingScope):
954         * tools/CompilerTimingScope.h: Added.
955         * runtime/Options.cpp:
956         (JSC::recomputeDependentOptions):
957         * runtime/Options.h:
958
959 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
960
961         Strings should not be allocated in a gigacage
962         https://bugs.webkit.org/show_bug.cgi?id=185218
963
964         Reviewed by Saam Barati.
965
966         * runtime/JSBigInt.cpp:
967         (JSC::JSBigInt::toStringGeneric):
968         * runtime/JSString.cpp:
969         (JSC::JSRopeString::resolveRopeToAtomicString const):
970         (JSC::JSRopeString::resolveRope const):
971         * runtime/JSString.h:
972         (JSC::JSString::create):
973         (JSC::JSString::createHasOtherOwner):
974         * runtime/VM.h:
975         (JSC::VM::gigacageAuxiliarySpace):
976
977 2018-05-03  Keith Miller  <keith_miller@apple.com>
978
979         Unreviewed, fix 32-bit profile offset for change in bytecode
980         length of the get_by_id and get_array_length opcodes.
981
982         * llint/LowLevelInterpreter32_64.asm:
983
984 2018-05-03  Michael Saboff  <msaboff@apple.com>
985
986         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
987         https://bugs.webkit.org/show_bug.cgi?id=185231
988
989         Reviewed by Saam Barati.
990
991         We weren't clearing the scratch register cache when switching back and forth between 
992         allowing scratch register usage.  We disallow scratch register usage when we are in
993         code that will freely allocate and use any register.  Such usage can change the
994         contents of scratch registers.  For ARM64, where we cache the contents of scratch
995         registers to reuse some or all of the contained values, we need to invalidate these
996         caches.  We do this when re-enabling scratch register usage, that is when we transition
997         from disallow to allow scratch register usage.
998
999         Added a new Air regression test.
1000
1001         * assembler/AllowMacroScratchRegisterUsage.h:
1002         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
1003         * assembler/AllowMacroScratchRegisterUsageIf.h:
1004         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
1005         * assembler/DisallowMacroScratchRegisterUsage.h:
1006         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
1007         * b3/air/testair.cpp:
1008
1009 2018-05-03  Keith Miller  <keith_miller@apple.com>
1010
1011         Remove the prototype caching for get_by_id in the LLInt
1012         https://bugs.webkit.org/show_bug.cgi?id=185226
1013
1014         Reviewed by Michael Saboff.
1015
1016         There is no evidence that this is actually a speedup and we keep
1017         getting bugs with it. At this point it seems like we should just
1018         remove this code.
1019
1020         * CMakeLists.txt:
1021         * JavaScriptCore.xcodeproj/project.pbxproj:
1022         * Sources.txt:
1023         * bytecode/BytecodeDumper.cpp:
1024         (JSC::BytecodeDumper<Block>::printGetByIdOp):
1025         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
1026         (JSC::BytecodeDumper<Block>::dumpBytecode):
1027         * bytecode/BytecodeList.json:
1028         * bytecode/BytecodeUseDef.h:
1029         (JSC::computeUsesForBytecodeOffset):
1030         (JSC::computeDefsForBytecodeOffset):
1031         * bytecode/CodeBlock.cpp:
1032         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1033         * bytecode/CodeBlock.h:
1034         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
1035         * bytecode/GetByIdStatus.cpp:
1036         (JSC::GetByIdStatus::computeFromLLInt):
1037         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
1038         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
1039         * bytecompiler/BytecodeGenerator.cpp:
1040         (JSC::BytecodeGenerator::emitGetById):
1041         * dfg/DFGByteCodeParser.cpp:
1042         (JSC::DFG::ByteCodeParser::parseBlock):
1043         * dfg/DFGCapabilities.cpp:
1044         (JSC::DFG::capabilityLevel):
1045         * jit/JIT.cpp:
1046         (JSC::JIT::privateCompileMainPass):
1047         (JSC::JIT::privateCompileSlowCases):
1048         * llint/LLIntSlowPaths.cpp:
1049         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1050         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
1051         * llint/LowLevelInterpreter32_64.asm:
1052         * llint/LowLevelInterpreter64.asm:
1053         * runtime/Options.h:
1054
1055 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
1056
1057         Unreviewed, rolling out r231197.
1058
1059         The test added with this change crashes on the 32-bit JSC bot.
1060
1061         Reverted changeset:
1062
1063         "Correctly detect string overflow when using the 'Function'
1064         constructor"
1065         https://bugs.webkit.org/show_bug.cgi?id=184883
1066         https://trac.webkit.org/changeset/231197
1067
1068 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1069
1070         Disable usage of fused multiply-add instructions for JSC with compiler flag
1071         https://bugs.webkit.org/show_bug.cgi?id=184909
1072
1073         Reviewed by Yusuke Suzuki.
1074
1075         Adds -ffp-contract as a compiler flag for building JSC. This ensures that functions
1076         like parseInt() do not return slightly different results depending on whether the
1077         compiler was able to use fused multiply-add instructions or not.
1078
1079         * CMakeLists.txt:
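
An added example, not part of this entry or of JSC, showing the effect -ffp-contract controls. The operands are constructed so that a separately rounded multiply-add and a fused one give different answers; the function names are this example's own.

```cpp
#include <cmath>

// Operands chosen so that a*b is not representable: a*b = 1 - 2^-104 exactly,
// which rounds to 1.0 in double precision.
double operandA() { return 1.0 + std::ldexp(1.0, -52); }
double operandB() { return 1.0 - std::ldexp(1.0, -52); }

// Multiply, then add, with the intermediate forced through memory so the
// compiler cannot contract the two operations into one fused instruction.
// This is the -ffp-contract=off result: a*b rounds to 1.0, then 1.0 + (-1.0) = 0.
double separateMulAdd(double a, double b, double c)
{
    volatile double product = a * b;
    return product + c;
}

// The fused form: a*b + c with a single rounding at the end. The exact
// value -2^-104 survives, so the result is non-zero. A compiler that is
// allowed to contract may turn `a * b + c` into this on FMA hardware.
double fusedMulAdd(double a, double b, double c)
{
    return std::fma(a, b, c);
}

// The value*radix + digit shape that digit-accumulation loops use. Whether
// this line is contracted depends on compiler flags and target, so its
// result is one of the two above; which one is the non-determinism that
// pinning -ffp-contract removes.
double accumulateDigit(double value, double radix, double digit)
{
    return value * radix + digit;
}
```

The volatile store is only there to make the unfused path reproducible in a demonstration; the build-flag approach in the entry is the right fix for a code base, since it applies to every multiply-add without touching source.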
1080
1081 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1082
1083         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
1084         https://bugs.webkit.org/show_bug.cgi?id=185192
1085
1086         compareDouble relies on MacroAssembler::invert function.
1087
1088         * assembler/MacroAssembler.h:
1089         (JSC::MacroAssembler::compareDouble):
1090         * assembler/MacroAssemblerARM.h:
1091         (JSC::MacroAssemblerARM::compareDouble): Deleted.
1092         * assembler/MacroAssemblerARMv7.h:
1093         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
1094         * assembler/MacroAssemblerMIPS.h:
1095         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
1096
1097 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1098
1099         [JSC] Add MacroAssembler::and16 and store16
1100         https://bugs.webkit.org/show_bug.cgi?id=185188
1101
1102         Reviewed by Mark Lam.
1103
1104         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
1105         This patch adds these methods for ARM.
1106
1107         * assembler/MacroAssemblerARM.h:
1108         (JSC::MacroAssemblerARM::and16):
1109         (JSC::MacroAssemblerARM::store16):
1110
1111 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1112
1113         [DFG] Unify compare related code in 32bit and 64bit
1114         https://bugs.webkit.org/show_bug.cgi?id=185189
1115
1116         Reviewed by Mark Lam.
1117
1118         This patch unifies some part of compare related code in 32bit and 64bit
1119         to reduce the size of 32bit specific DFG code.
1120
1121         * dfg/DFGSpeculativeJIT.cpp:
1122         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
1123         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
1124         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1125         * dfg/DFGSpeculativeJIT32_64.cpp:
1126         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
1127         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
1128         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
1129         * dfg/DFGSpeculativeJIT64.cpp:
1130         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
1131         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
1132         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
1133
1134 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1135
1136         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
1137         https://bugs.webkit.org/show_bug.cgi?id=185192
1138
1139         Reviewed by Mark Lam.
1140
1141         Now Object.is starts using compareDouble. So we would like to have an
1142         efficient implementation of compareDouble and compareFloat for the
1143         major architectures, ARM64, X86, and X86_64.
1144
1145         This patch adds compareDouble and compareFloat implementations for
1146         these architectures. And the generic implementation is moved to each
1147         architecture's MacroAssembler implementation.
1148
1149         We also add tests for them in testmasm. To implement this test
1150         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
1151         major architectures.
1152
1153         * assembler/MacroAssembler.h:
1154         (JSC::MacroAssembler::compareDouble): Deleted.
1155         (JSC::MacroAssembler::compareFloat): Deleted.
1156         * assembler/MacroAssemblerARM.h:
1157         (JSC::MacroAssemblerARM::compareDouble):
1158         * assembler/MacroAssemblerARM64.h:
1159         (JSC::MacroAssemblerARM64::compareDouble):
1160         (JSC::MacroAssemblerARM64::compareFloat):
1161         (JSC::MacroAssemblerARM64::loadFloat):
1162         (JSC::MacroAssemblerARM64::floatingPointCompare):
1163         * assembler/MacroAssemblerARMv7.h:
1164         (JSC::MacroAssemblerARMv7::compareDouble):
1165         * assembler/MacroAssemblerMIPS.h:
1166         (JSC::MacroAssemblerMIPS::compareDouble):
1167         * assembler/MacroAssemblerX86Common.h:
1168         (JSC::MacroAssemblerX86Common::loadFloat):
1169         (JSC::MacroAssemblerX86Common::compareDouble):
1170         (JSC::MacroAssemblerX86Common::compareFloat):
1171         (JSC::MacroAssemblerX86Common::floatingPointCompare):
1172         * assembler/X86Assembler.h:
1173         (JSC::X86Assembler::movss_mr):
1174         (JSC::X86Assembler::movss_rm):
1175         * assembler/testmasm.cpp:
1176         (JSC::floatOperands):
1177         (JSC::testCompareFloat):
1178         (JSC::run):
1179
1180 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1181
1182         Unreviewed, fix 32bit DFG code
1183         https://bugs.webkit.org/show_bug.cgi?id=185065
1184
1185         * dfg/DFGSpeculativeJIT.cpp:
1186         (JSC::DFG::SpeculativeJIT::compileSameValue):
1187
1188 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
1189
1190         JSC should know how to cache custom getter accesses on the prototype chain
1191         https://bugs.webkit.org/show_bug.cgi?id=185213
1192
1193         Reviewed by Keith Miller.
1194
1195         This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
1196
1197         * jit/Repatch.cpp:
1198         (JSC::tryCacheGetByID):
1199
1200 2018-05-01  Filip Pizlo  <fpizlo@apple.com>
1201
1202         JSC should be able to cache custom setter calls on the prototype chain
1203         https://bugs.webkit.org/show_bug.cgi?id=185174
1204
1205         Reviewed by Saam Barati.
1206
1207         We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
1208         condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
1209         impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
1210         of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
1211         custom accessors because it won't find the custom property in the structure.
1212
1213         The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
1214
1215         This is a 4x speed-up on assign-custom-setter.js.
1216
1217         * bytecode/AccessCase.cpp:
1218         (JSC::AccessCase::hasAlternateBase const):
1219         (JSC::AccessCase::alternateBase const):
1220         (JSC::AccessCase::generateImpl):
1221         * bytecode/AccessCase.h:
1222         (JSC::AccessCase::alternateBase const): Deleted.
1223         * bytecode/GetterSetterAccessCase.cpp:
1224         (JSC::GetterSetterAccessCase::hasAlternateBase const):
1225         (JSC::GetterSetterAccessCase::alternateBase const):
1226         * bytecode/GetterSetterAccessCase.h:
1227         * bytecode/ObjectPropertyConditionSet.cpp:
1228         (JSC::generateConditionsForPrototypePropertyHitCustom):
1229         * bytecode/ObjectPropertyConditionSet.h:
1230         * jit/Repatch.cpp:
1231         (JSC::tryCacheGetByID):
1232         (JSC::tryCachePutByID):
1233
1234 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
1235
1236         [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
1237         https://bugs.webkit.org/show_bug.cgi?id=185195
1238
1239         Reviewed by Mark Lam.
1240
1241         This implements the given functions for MIPS, such that it builds again.
1242
1243         * assembler/MacroAssemblerMIPS.h:
1244         (JSC::MacroAssemblerMIPS::and16):
1245         (JSC::MacroAssemblerMIPS::store16):
1246
1247 2018-05-02  Rick Waldron  <waldron.rick@gmail.com>
1248
1249         Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
1250         https://bugs.webkit.org/show_bug.cgi?id=185043
1251
1252         Reviewed by Filip Pizlo.
1253
1254         * jsc.cpp:
1255         (GlobalObject::finishCreation):
1256         (functionDollarAgentMonotonicNow):
1257
1258 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
1259
1260         [ARM] Implement and16 and store16 for MacroAssemblerARMv7
1261         https://bugs.webkit.org/show_bug.cgi?id=185196
1262
1263         Reviewed by Mark Lam.
1264
1265         This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.
1266
1267         * assembler/MacroAssemblerARMv7.h:
1268         (JSC::MacroAssemblerARMv7::and16):
1269         (JSC::MacroAssemblerARMv7::store16):
1270
1271 2018-05-02  Robin Morisset  <rmorisset@apple.com>
1272
1273         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
1274         https://bugs.webkit.org/show_bug.cgi?id=183172
1275
1276         Reviewed by Filip Pizlo.
1277
1278         DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
1279         but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.
1280
1281         I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
1282         Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
1283         a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.
1284
1285         * dfg/DFGArgumentsEliminationPhase.cpp:
1286         * dfg/DFGArgumentsUtilities.cpp:
1287         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1288
1289 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1290
1291         Unreviewed, stackPointer signature is different from declaration
1292         https://bugs.webkit.org/show_bug.cgi?id=184790
1293
1294         * runtime/MachineContext.h:
1295         (JSC::MachineContext::stackPointer):
1296
1297 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1298
1299         [JSC] Add SameValue DFG node
1300         https://bugs.webkit.org/show_bug.cgi?id=185065
1301
1302         Reviewed by Saam Barati.
1303
1304         This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
1305         And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
1306         if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
1307         from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
1308         implementations for these SameValue nodes.
1309
1310         This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler",
1311         has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
1312         was broken. This patch fixes these issues and moves compareDouble to MacroAssemblerX86Common, and removes the
1313         generalized compareDouble for the x86 arch to use this specialized efficient version instead. The fixes are
1314         correctly using set32 to zero-extend the result, and setting the initial value of the `dest` register
1315         correctly for the DoubleEqual and DoubleNotEqualOrUnordered cases.
1316
1317         The added microbenchmark shows a performance improvement.
1318
1319             object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster
1320
1321         * assembler/MacroAssembler.h:
1322         * assembler/MacroAssemblerX86Common.h:
1323         (JSC::MacroAssemblerX86Common::compareDouble):
1324         * assembler/MacroAssemblerX86_64.h:
1325         (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
1326         * assembler/testmasm.cpp:
1327         (JSC::doubleOperands):
1328         (JSC::testCompareDouble):
1329         (JSC::run):
1330         * dfg/DFGAbstractInterpreterInlines.h:
1331         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1332         * dfg/DFGByteCodeParser.cpp:
1333         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1334         * dfg/DFGClobberize.h:
1335         (JSC::DFG::clobberize):
1336         * dfg/DFGConstantFoldingPhase.cpp:
1337         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1338         * dfg/DFGDoesGC.cpp:
1339         (JSC::DFG::doesGC):
1340         * dfg/DFGFixupPhase.cpp:
1341         (JSC::DFG::FixupPhase::fixupNode):
1342         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
1343         * dfg/DFGNodeType.h:
1344         * dfg/DFGOperations.cpp:
1345         * dfg/DFGOperations.h:
1346         * dfg/DFGPredictionPropagationPhase.cpp:
1347         * dfg/DFGSafeToExecute.h:
1348         (JSC::DFG::safeToExecute):
1349         * dfg/DFGSpeculativeJIT.cpp:
1350         (JSC::DFG::SpeculativeJIT::compileSameValue):
1351         * dfg/DFGSpeculativeJIT.h:
1352         * dfg/DFGSpeculativeJIT32_64.cpp:
1353         (JSC::DFG::SpeculativeJIT::compile):
1354         * dfg/DFGSpeculativeJIT64.cpp:
1355         (JSC::DFG::SpeculativeJIT::compile):
1356         * dfg/DFGValidate.cpp:
1357         * ftl/FTLCapabilities.cpp:
1358         (JSC::FTL::canCompile):
1359         * ftl/FTLLowerDFGToB3.cpp:
1360         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1361         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
1362         * runtime/Intrinsic.cpp:
1363         (JSC::intrinsicName):
1364         * runtime/Intrinsic.h:
1365         * runtime/ObjectConstructor.cpp:
1366
1367 2018-04-30  Filip Pizlo  <fpizlo@apple.com>
1368
1369         B3::demoteValues should be able to handle patchpoint terminals
1370         https://bugs.webkit.org/show_bug.cgi?id=185151
1371
1372         Reviewed by Saam Barati.
1373         
1374         If we try to demote a patchpoint terminal then prior to this change we would append a Set to
1375         the basic block that the patchpoint terminated. That's wrong because then the terminal is no
1376         longer the last thing in the block.
1377         
1378         Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
1379         really do that because demotion happens as a prerequisite to other transformations.
1380         
1381         One solution might have been to make demoteValues insert a basic block whenever it encounters
1382         this problem. But that would break clients that do CFG analysis before demoteValues and use
1383         the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
1384         also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
1385         so it's not bad to introduce that requirement.
1386         
1387         So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
1388         terminal as if it had multiple successors. This means that a patchpoint terminal's successors
1389         will only have it as their predecessor. Then, demoteValues just prepends the Set to the
1390         successors of the patchpoint terminal.
1391         
1392         This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
1393         a unit test in testb3.
1394
1395         * b3/B3BreakCriticalEdges.cpp:
1396         (JSC::B3::breakCriticalEdges):
1397         * b3/B3BreakCriticalEdges.h:
1398         * b3/B3FixSSA.cpp:
1399         (JSC::B3::demoteValues):
1400         (JSC::B3::fixSSA):
1401         * b3/B3FixSSA.h:
1402         * b3/B3Value.cpp:
1403         (JSC::B3::Value::foldIdentity const):
1404         (JSC::B3::Value::performSubstitution):
1405         * b3/B3Value.h:
1406         * b3/testb3.cpp:
1407         (JSC::B3::testDemotePatchpointTerminal):
1408         (JSC::B3::run):
1409
1410 2018-05-01  Robin Morisset  <rmorisset@apple.com>
1411
1412         Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
1413         https://bugs.webkit.org/show_bug.cgi?id=184772
1414         <rdar://problem/39146327>
1415
1416         Reviewed by Filip Pizlo.
1417
1418         Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
1419         This patch now makes sure that the check correctly detects if there is an integer overflow.
1420
1421         * runtime/JSArray.cpp:
1422         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1423
1424 2018-05-01  Robin Morisset  <rmorisset@apple.com>
1425
1426         Correctly detect string overflow when using the 'Function' constructor
1427         https://bugs.webkit.org/show_bug.cgi?id=184883
1428         <rdar://problem/36320331>
1429
1430         Reviewed by Filip Pizlo.
1431
1432         The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
1433         Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.
1434
1435         I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
1436         In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
1437         I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.
1438
1439         * runtime/FunctionConstructor.cpp:
1440         (JSC::constructFunctionSkippingEvalEnabledCheck):
1441         * runtime/JSONObject.cpp:
1442         (JSC::Stringifier::appendStringifiedValue):
1443
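The two preceding entries (checked length arithmetic in unshiftCountWithAnyIndexingType, and tryAppend returning false instead of crashing on a > 4 GB string) share one pattern: an overflow becomes a result the caller must check rather than a silent wrap or a hard CRASH(). The block below is an added illustration of that pattern written for this page; it is not WTF's CheckedArithmetic or StringBuilder code. The Checked wrapper, newLengthForUnshift, BoundedStringBuilder and buildFunctionSource are this example's own names, and the 4 GB limit is replaced by a caller-supplied limit so the failure path can be exercised with small inputs.

```cpp
#include <cstdint>
#include <limits>
#include <string>
#include <vector>

// Minimal checked-arithmetic wrapper (illustrative, not WTF::Checked).
// Each operation records whether an overflow occurred; the value can
// only be read back through safeGet(), which refuses once that flag is set.
template<typename T>
class Checked {
public:
    explicit Checked(T v) : m_value(v) {}

    Checked& operator+=(T rhs) {
        T out;
        if (__builtin_add_overflow(m_value, rhs, &out))
            m_overflowed = true;
        else
            m_value = out;
        return *this;
    }
    bool hasOverflowed() const { return m_overflowed; }
    // Returns false instead of handing out a wrapped value.
    bool safeGet(T& out) const {
        if (m_overflowed)
            return false;
        out = m_value;
        return true;
    }

private:
    T m_value;
    bool m_overflowed = false;
};

// Length computation for "unshift count elements". Plain unsigned
// arithmetic would wrap silently (0xFFFFFFF0 + 0x10 == 0); this version
// tells the caller. 32-bit lengths match the JS array length limit.
bool newLengthForUnshift(uint32_t length, uint32_t count, uint32_t& newLength) {
    Checked<uint32_t> checked(length);
    checked += count;
    return checked.safeGet(newLength);
}

// A string builder whose append can fail instead of aborting. 'limit'
// stands in for the 4 GB ceiling mentioned in the ChangeLog; it is a
// parameter here so the failure path can be exercised with small inputs.
class BoundedStringBuilder {
public:
    explicit BoundedStringBuilder(uint32_t limit) : m_limit(limit) {}

    // tryAppend contract: returns false and leaves the buffer untouched if
    // the new length would overflow uint32_t or exceed the limit.
    bool tryAppend(const std::string& piece) {
        if (piece.size() > std::numeric_limits<uint32_t>::max())
            return false;
        Checked<uint32_t> newLength(static_cast<uint32_t>(m_buffer.size()));
        newLength += static_cast<uint32_t>(piece.size());
        uint32_t length;
        if (!newLength.safeGet(length) || length > m_limit)
            return false;
        m_buffer.append(piece);
        return true;
    }
    const std::string& str() const { return m_buffer; }

private:
    std::string m_buffer;
    uint32_t m_limit;
};

// How a Function-constructor-like caller uses it: build the source text
// piece by piece and turn a failed append into an error return (the point
// at which a JS exception would be thrown) rather than a crash.
bool buildFunctionSource(const std::vector<std::string>& params,
                         const std::string& body, uint32_t limit,
                         std::string& source) {
    BoundedStringBuilder builder(limit);
    if (!builder.tryAppend("(function anonymous("))
        return false;
    for (size_t i = 0; i < params.size(); ++i) {
        if (i && !builder.tryAppend(","))
            return false;
        if (!builder.tryAppend(params[i]))
            return false;
    }
    if (!builder.tryAppend("\n) {\n") || !builder.tryAppend(body) || !builder.tryAppend("\n})"))
        return false;
    source = builder.str();
    return true;
}
```

The 'before' behaviour the entries describe is the plain unsigned addition that newLengthForUnshift avoids: 0xFFFFFFF0 + 0x10 wraps to 0, which a later allocation or copy would then trust. With __builtin_add_overflow the wrap is detected and surfaced as false, and buildFunctionSource turns any failed append into an error return, which is where the JS exception would be thrown.
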
1444 2018-05-01  Robin Morisset  <rmorisset@apple.com>
1445
1446         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
1447         https://bugs.webkit.org/show_bug.cgi?id=185162
1448
1449         Reviewed by Filip Pizlo.
1450
1451         * runtime/IntlObject.cpp:
1452         (JSC::removeUnicodeLocaleExtension):
1453
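An added example for the edge case named in that title, not the removeUnicodeLocaleExtension code from IntlObject.cpp: stripping the BCP 47 Unicode extension (the subtags from a "u" singleton up to the next singleton) while leaving a tag whose last subtag is a bare "u" untouched. Treating that trailing "u" as a no-op is an assumption drawn from the title; the entry itself gives no further detail.

```cpp
#include <string>
#include <vector>

// Split on '-', keeping empty pieces so malformed input stays visible
// instead of being silently normalised.
static std::vector<std::string> splitSubtags(const std::string& locale) {
    std::vector<std::string> out;
    std::string current;
    for (char c : locale) {
        if (c == '-') {
            out.push_back(current);
            current.clear();
        } else {
            current.push_back(c);
        }
    }
    out.push_back(current);
    return out;
}

// Remove the Unicode ("-u-...") extension from a BCP 47 language tag.
// An extension is a one-character singleton followed by one or more
// subtags of two or more characters; it ends at the next singleton
// (including the private-use "x"). A "u" with no such subtag after it,
// in particular a "u" that is the last subtag, starts no extension and
// is left exactly as it was.
std::string removeUnicodeLocaleExtension(const std::string& locale) {
    std::vector<std::string> subtags = splitSubtags(locale);
    std::vector<std::string> kept;
    size_t i = 0;
    while (i < subtags.size()) {
        const std::string& s = subtags[i];
        bool startsUnicodeExtension = (s == "u" || s == "U")
            && i + 1 < subtags.size()
            && subtags[i + 1].size() >= 2;
        if (!startsUnicodeExtension) {
            kept.push_back(s);
            ++i;
            continue;
        }
        // Skip the singleton and every following extension subtag.
        ++i;
        while (i < subtags.size() && subtags[i].size() >= 2)
            ++i;
    }
    std::string out;
    for (size_t k = 0; k < kept.size(); ++k) {
        if (k)
            out += '-';
        out += kept[k];
    }
    return out;
}
```

Scanning by whole subtags, rather than searching for the substring "-u-" and then indexing past it, is what keeps the trailing-"u" case from reading beyond the end of the string: the singleton only starts an extension if a subtag of length two or more actually follows it.
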
1454 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
1455
1456         Add SetCallee as DFG-Operation
1457         https://bugs.webkit.org/show_bug.cgi?id=184582
1458
1459         Reviewed by Filip Pizlo.
1460
1461         For recursive tail calls, not only the argument count can change but also the
1462         callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
1463         Also update the callee when optimizing a recursive tail call.
1464         Enable recursive tail call optimization also for closures.
1465
1466         * dfg/DFGAbstractInterpreterInlines.h:
1467         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1468         * dfg/DFGByteCodeParser.cpp:
1469         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1470         (JSC::DFG::ByteCodeParser::handleCallVariant):
1471         * dfg/DFGClobberize.h:
1472         (JSC::DFG::clobberize):
1473         * dfg/DFGDoesGC.cpp:
1474         (JSC::DFG::doesGC):
1475         * dfg/DFGFixupPhase.cpp:
1476         (JSC::DFG::FixupPhase::fixupNode):
1477         * dfg/DFGMayExit.cpp:
1478         * dfg/DFGNodeType.h:
1479         * dfg/DFGPredictionPropagationPhase.cpp:
1480         * dfg/DFGSafeToExecute.h:
1481         (JSC::DFG::safeToExecute):
1482         * dfg/DFGSpeculativeJIT.cpp:
1483         (JSC::DFG::SpeculativeJIT::compileSetCallee):
1484         * dfg/DFGSpeculativeJIT.h:
1485         * dfg/DFGSpeculativeJIT32_64.cpp:
1486         (JSC::DFG::SpeculativeJIT::compile):
1487         * dfg/DFGSpeculativeJIT64.cpp:
1488         (JSC::DFG::SpeculativeJIT::compile):
1489         * ftl/FTLCapabilities.cpp:
1490         (JSC::FTL::canCompile):
1491         * ftl/FTLLowerDFGToB3.cpp:
1492         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1493         (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
1494
1495 2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>
1496
1497         WebAssembly: add support for stream APIs - JavaScript API
1498         https://bugs.webkit.org/show_bug.cgi?id=183442
1499
1500         Reviewed by Yusuke Suzuki and JF Bastien.
1501
1502         Add WebAssembly stream API. The current patch only adds the functions
1503         WebAssembly.compileStreaming and WebAssembly.instantiateStreaming but
1504         does not add a streaming implementation. So in the current version it
1505         only waits to load the whole module, then starts to parse.
1506
1507         * CMakeLists.txt:
1508         * Configurations/FeatureDefines.xcconfig:
1509         * DerivedSources.make:
1510         * JavaScriptCore.xcodeproj/project.pbxproj:
1511         * builtins/BuiltinNames.h:
1512         * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
1513         (compileStreaming):
1514         (instantiateStreaming):
1515         * jsc.cpp:
1516         * runtime/JSGlobalObject.cpp:
1517         (JSC::JSGlobalObject::init):
1518         * runtime/JSGlobalObject.h:
1519         * runtime/Options.h:
1520         * runtime/PromiseDeferredTimer.cpp:
1521         (JSC::PromiseDeferredTimer::hasPendingPromise):
1522         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1523         * runtime/PromiseDeferredTimer.h:
1524         * wasm/js/WebAssemblyPrototype.cpp:
1525         (JSC::webAssemblyModuleValidateAsyncInternal):
1526         (JSC::webAssemblyCompileFunc):
1527         (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
1528         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1529         (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
1530         (JSC::webAssemblyCompileStreamingInternal):
1531         (JSC::webAssemblyInstantiateStreamingInternal):
1532         (JSC::WebAssemblyPrototype::create):
1533         (JSC::WebAssemblyPrototype::finishCreation):
1534         * wasm/js/WebAssemblyPrototype.h:
1535
1536 2018-04-30  Saam Barati  <sbarati@apple.com>
1537
1538         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
1539         https://bugs.webkit.org/show_bug.cgi?id=185149
1540         <rdar://problem/39455917>
1541
1542         Reviewed by Filip Pizlo.
1543
1544         The bug was that we were deleting checks that we shouldn't have deleted.
1545         This patch makes a helper inside strength reduction that converts to
1546         a LazyJSConstant while maintaining checks, and switches users of the
1547         node API inside strength reduction to instead call the helper function.
1548         
1549         This patch also fixes a potential bug where StringReplace and
1550         StringReplaceRegExp may not preserve all their checks.
1551
1553         * dfg/DFGStrengthReductionPhase.cpp:
1554         (JSC::DFG::StrengthReductionPhase::handleNode):
1555         (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
1556
1557 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
1558
1559         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
1560         https://bugs.webkit.org/show_bug.cgi?id=185126
1561
1562         Reviewed by Saam Barati.
1563         
1564         This change is just restoring functionality that we've already had for a while. It had been
1565         accidentally broken due to an unrelated CodeBlock refactoring.
1566
1567         * dfg/DFGLICMPhase.cpp:
1568         (JSC::DFG::LICMPhase::attemptHoist):
1569
1570 2018-04-30  Mark Lam  <mark.lam@apple.com>
1571
1572         Apply PtrTags to the MetaAllocator and friends.
1573         https://bugs.webkit.org/show_bug.cgi?id=185110
1574         <rdar://problem/39533895>
1575
1576         Reviewed by Saam Barati.
1577
1578         1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
1579         2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
1580            and add a sanity check to verify that allocated code buffers are within those
1581            bounds.
1582
1583         * assembler/LinkBuffer.cpp:
1584         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
1585         (JSC::LinkBuffer::copyCompactAndLinkCode):
1586         (JSC::LinkBuffer::linkCode):
1587         (JSC::LinkBuffer::allocate):
1588         * assembler/LinkBuffer.h:
1589         (JSC::LinkBuffer::LinkBuffer):
1590         (JSC::LinkBuffer::debugAddress):
1591         (JSC::LinkBuffer::code):
1592         * assembler/MacroAssemblerCodeRef.h:
1593         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1594         * bytecode/InlineAccess.cpp:
1595         (JSC::linkCodeInline):
1596         (JSC::InlineAccess::rewireStubAsJump):
1597         * dfg/DFGJITCode.cpp:
1598         (JSC::DFG::JITCode::findPC):
1599         * ftl/FTLJITCode.cpp:
1600         (JSC::FTL::JITCode::findPC):
1601         * jit/ExecutableAllocator.cpp:
1602         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1603         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1604         (JSC::ExecutableAllocator::allocate):
1605         * jit/ExecutableAllocator.h:
1606         (JSC::isJITPC):
1607         (JSC::performJITMemcpy):
1608         * jit/JIT.cpp:
1609         (JSC::JIT::link):
1610         * jit/JITMathIC.h:
1611         (JSC::isProfileEmpty):
1612         * runtime/JSCPtrTag.h:
1613         * wasm/WasmCallee.cpp:
1614         (JSC::Wasm::Callee::Callee):
1615         * wasm/WasmFaultSignalHandler.cpp:
1616         (JSC::Wasm::trapHandler):
1617
1618 2018-04-30  Keith Miller  <keith_miller@apple.com>
1619
1620         Move the MayBePrototype JSCell header bit to InlineTypeFlags
1621         https://bugs.webkit.org/show_bug.cgi?id=185143
1622
1623         Reviewed by Mark Lam.
1624
1625         * runtime/IndexingType.h:
1626         * runtime/JSCellInlines.h:
1627         (JSC::JSCell::setStructure):
1628         (JSC::JSCell::mayBePrototype const):
1629         (JSC::JSCell::didBecomePrototype):
1630         * runtime/JSTypeInfo.h:
1631         (JSC::TypeInfo::mayBePrototype):
1632         (JSC::TypeInfo::mergeInlineTypeFlags):
1633
1634 2018-04-30  Keith Miller  <keith_miller@apple.com>
1635
1636         Remove unneeded exception check from String.fromCharCode
1637         https://bugs.webkit.org/show_bug.cgi?id=185083
1638
1639         Reviewed by Mark Lam.
1640
1641         * runtime/StringConstructor.cpp:
1642         (JSC::stringFromCharCode):
1643
1644 2018-04-30  Keith Miller  <keith_miller@apple.com>
1645
1646         Move StructureIsImmortal to out of line flags.
1647         https://bugs.webkit.org/show_bug.cgi?id=185101
1648
1649         Reviewed by Saam Barati.
1650
1651         This will free up a bit in the inline flags where we can move the
1652         isPrototype bit to. This will, in turn, free a bit for use in
1653         implementing copy on write butterflies.
1654
1655         Also, this patch removes an assertion from Structure::typeInfo()
1656         that inadvertently makes the function invalid to call while
1657         cleaning up the vm.
1658
1659         * heap/HeapCellType.cpp:
1660         (JSC::DefaultDestroyFunc::operator() const):
1661         * runtime/JSCell.h:
1662         * runtime/JSCellInlines.h:
1663         (JSC::JSCell::callDestructor): Deleted.
1664         * runtime/JSTypeInfo.h:
1665         (JSC::TypeInfo::hasStaticPropertyTable):
1666         (JSC::TypeInfo::structureIsImmortal const):
1667         * runtime/Structure.h:
1668
1669 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1670
1671         [JSC] Remove arity fixup check if the number of parameters is 1
1672         https://bugs.webkit.org/show_bug.cgi?id=183984
1673
1674         Reviewed by Mark Lam.
1675
1676         If the number of parameters is one (|this|), we never hit the arity fixup check.
1677         We do not need to emit arity fixup check code.
1678
1679         * dfg/DFGDriver.cpp:
1680         (JSC::DFG::compileImpl):
1681         * dfg/DFGJITCompiler.cpp:
1682         (JSC::DFG::JITCompiler::compileFunction):
1683         * dfg/DFGJITCompiler.h:
1684         * ftl/FTLLink.cpp:
1685         (JSC::FTL::link):
1686         * jit/JIT.cpp:
1687         (JSC::JIT::compileWithoutLinking):
1688
1689 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1690
1691         Use WordLock instead of std::mutex for Threading
1692         https://bugs.webkit.org/show_bug.cgi?id=185121
1693
1694         Reviewed by Geoffrey Garen.
1695
1696         ThreadGroup starts using WordLock.
1697
1698         * heap/MachineStackMarker.h:
1699         (JSC::MachineThreads::getLock):
1700
1701 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
1702
1703         B3 should run tail duplication at the bitter end
1704         https://bugs.webkit.org/show_bug.cgi?id=185123
1705
1706         Reviewed by Geoffrey Garen.
1707         
1708         Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
1709         everywhere else.
1710         
1711         The goal of this change is to allow us to run path specialization after switch lowering but
1712         before tail duplication.
1713
1714         * b3/B3Generate.cpp:
1715         (JSC::B3::generateToAir):
1716         * runtime/Options.h:
1717
1718 2018-04-29  Commit Queue  <commit-queue@webkit.org>
1719
1720         Unreviewed, rolling out r231137.
1721         https://bugs.webkit.org/show_bug.cgi?id=185118
1722
1723         It is breaking Test262 language/expressions/multiplication
1724         /order-of-evaluation.js (Requested by caiolima on #webkit).
1725
1726         Reverted changeset:
1727
1728         "[ESNext][BigInt] Implement support for "*" operation"
1729         https://bugs.webkit.org/show_bug.cgi?id=183721
1730         https://trac.webkit.org/changeset/231137
1731
1732 2018-04-28  Saam Barati  <sbarati@apple.com>
1733
1734         We don't model regexp effects properly
1735         https://bugs.webkit.org/show_bug.cgi?id=185059
1736         <rdar://problem/39736150>
1737
1738         Reviewed by Filip Pizlo.
1739
1740         RegExp exec/test can have arbitrary effects when toNumbering the lastIndex if
1741         the regexp is global.
1742
1743         * dfg/DFGAbstractInterpreterInlines.h:
1744         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1745         * dfg/DFGClobberize.h:
1746         (JSC::DFG::clobberize):
1747
1748 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
1749
1750         Token misspelled "tocken" in error message string
1751         https://bugs.webkit.org/show_bug.cgi?id=185030
1752
1753         Reviewed by Saam Barati.
1754
1755         * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
1756         (JSC::Parser<LexerType>::Parser):
1757         (JSC::Parser<LexerType>::didFinishParsing):
1758         (JSC::Parser<LexerType>::parseSourceElements):
1759         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1760         (JSC::Parser<LexerType>::parseVariableDeclaration):
1761         (JSC::Parser<LexerType>::parseWhileStatement):
1762         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1763         (JSC::Parser<LexerType>::createBindingPattern):
1764         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
1765         (JSC::Parser<LexerType>::parseObjectRestElement):
1766         (JSC::Parser<LexerType>::parseDestructuringPattern):
1767         (JSC::Parser<LexerType>::parseForStatement):
1768         (JSC::Parser<LexerType>::parseBreakStatement):
1769         (JSC::Parser<LexerType>::parseContinueStatement):
1770         (JSC::Parser<LexerType>::parseThrowStatement):
1771         (JSC::Parser<LexerType>::parseWithStatement):
1772         (JSC::Parser<LexerType>::parseSwitchStatement):
1773         (JSC::Parser<LexerType>::parseSwitchClauses):
1774         (JSC::Parser<LexerType>::parseTryStatement):
1775         (JSC::Parser<LexerType>::parseBlockStatement):
1776         (JSC::Parser<LexerType>::parseFormalParameters):
1777         (JSC::Parser<LexerType>::parseFunctionParameters):
1778         (JSC::Parser<LexerType>::parseFunctionInfo):
1779         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1780         (JSC::Parser<LexerType>::parseExpressionStatement):
1781         (JSC::Parser<LexerType>::parseIfStatement):
1782         (JSC::Parser<LexerType>::parseAssignmentExpression):
1783         (JSC::Parser<LexerType>::parseConditionalExpression):
1784         (JSC::Parser<LexerType>::parseBinaryExpression):
1785         (JSC::Parser<LexerType>::parseObjectLiteral):
1786         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
1787         (JSC::Parser<LexerType>::parseArrayLiteral):
1788         (JSC::Parser<LexerType>::parseArguments):
1789         (JSC::Parser<LexerType>::parseMemberExpression):
1790         (JSC::operatorString):
1791         (JSC::Parser<LexerType>::parseUnaryExpression):
1792         (JSC::Parser<LexerType>::printUnexpectedTokenText):
1793
1794 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
1795
1796         [ESNext][BigInt] Implement support for "*" operation
1797         https://bugs.webkit.org/show_bug.cgi?id=183721
1798
1799         Reviewed by Saam Barati.
1800
1801         Added BigInt support to the times binary operator in LLInt and in
1802         JITOperations profiledMul and unprofiledMul. We are also replacing all
1803         uses of int with unsigned when there are no negative values for
1804         variables.
1805
1806         * dfg/DFGConstantFoldingPhase.cpp:
1807         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1808         * jit/JITOperations.cpp:
1809         * runtime/CommonSlowPaths.cpp:
1810         (JSC::SLOW_PATH_DECL):
1811         * runtime/JSBigInt.cpp:
1812         (JSC::JSBigInt::JSBigInt):
1813         (JSC::JSBigInt::allocationSize):
1814         (JSC::JSBigInt::createWithLength):
1815         (JSC::JSBigInt::toString):
1816         (JSC::JSBigInt::multiply):
1817         (JSC::JSBigInt::digitDiv):
1818         (JSC::JSBigInt::internalMultiplyAdd):
1819         (JSC::JSBigInt::multiplyAccumulate):
1820         (JSC::JSBigInt::equals):
1821         (JSC::JSBigInt::absoluteDivSmall):
1822         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1823         (JSC::JSBigInt::toStringGeneric):
1824         (JSC::JSBigInt::rightTrim):
1825         (JSC::JSBigInt::allocateFor):
1826         (JSC::JSBigInt::parseInt):
1827         (JSC::JSBigInt::digit):
1828         (JSC::JSBigInt::setDigit):
1829         * runtime/JSBigInt.h:
1830         * runtime/Operations.h:
1831         (JSC::jsMul):
1832
1833 2018-04-28  Commit Queue  <commit-queue@webkit.org>
1834
1835         Unreviewed, rolling out r231131.
1836         https://bugs.webkit.org/show_bug.cgi?id=185112
1837
1838         It is breaking Debug build due to unchecked exception
1839         (Requested by caiolima on #webkit).
1840
1841         Reverted changeset:
1842
1843         "[ESNext][BigInt] Implement support for "*" operation"
1844         https://bugs.webkit.org/show_bug.cgi?id=183721
1845         https://trac.webkit.org/changeset/231131
1846
1847 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
1848
1849         [ESNext][BigInt] Implement support for "*" operation
1850         https://bugs.webkit.org/show_bug.cgi?id=183721
1851
1852         Reviewed by Saam Barati.
1853
1854         Added BigInt support to the times binary operator in LLInt and in
1855         JITOperations profiledMul and unprofiledMul. We are also replacing all
1856         uses of int with unsigned when there are no negative values for
1857         variables.
1858
1859         * dfg/DFGConstantFoldingPhase.cpp:
1860         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1861         * jit/JITOperations.cpp:
1862         * runtime/CommonSlowPaths.cpp:
1863         (JSC::SLOW_PATH_DECL):
1864         * runtime/JSBigInt.cpp:
1865         (JSC::JSBigInt::JSBigInt):
1866         (JSC::JSBigInt::allocationSize):
1867         (JSC::JSBigInt::createWithLength):
1868         (JSC::JSBigInt::toString):
1869         (JSC::JSBigInt::multiply):
1870         (JSC::JSBigInt::digitDiv):
1871         (JSC::JSBigInt::internalMultiplyAdd):
1872         (JSC::JSBigInt::multiplyAccumulate):
1873         (JSC::JSBigInt::equals):
1874         (JSC::JSBigInt::absoluteDivSmall):
1875         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1876         (JSC::JSBigInt::toStringGeneric):
1877         (JSC::JSBigInt::rightTrim):
1878         (JSC::JSBigInt::allocateFor):
1879         (JSC::JSBigInt::parseInt):
1880         (JSC::JSBigInt::digit):
1881         (JSC::JSBigInt::setDigit):
1882         * runtime/JSBigInt.h:
1883         * runtime/Operations.h:
1884         (JSC::jsMul):
1885
1886 2018-04-27  JF Bastien  <jfbastien@apple.com>
1887
1888         Make the first 64 bits of JSString look like a double JSValue
1889         https://bugs.webkit.org/show_bug.cgi?id=185081
1890
1891         Reviewed by Filip Pizlo.
1892
1893         We can be clever about how we lay out JSString so that, were it
1894         reinterpreted as a JSValue, it would look like a double.
1895
1896         * assembler/MacroAssemblerX86Common.h:
1897         (JSC::MacroAssemblerX86Common::and16):
1898         * assembler/X86Assembler.h:
1899         (JSC::X86Assembler::andw_mr):
1900         * dfg/DFGSpeculativeJIT.cpp:
1901         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1902         * ftl/FTLLowerDFGToB3.cpp:
1903         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1904         * ftl/FTLOutput.h:
1905         (JSC::FTL::Output::store32As8):
1906         (JSC::FTL::Output::store32As16):
1907         * runtime/JSString.h:
1908         (JSC::JSString::JSString):
1909
1910 2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1911
1912         [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
1913         https://bugs.webkit.org/show_bug.cgi?id=185055
1914
1915         Reviewed by JF Bastien.
1916
1917         This patch is paving the way to emitting the jscvt instruction if possible.
1918         To do that, we need to determine whether the jscvt instruction is supported
1919         by the given CPU.
1920
1921         We add a function collectCPUFeatures, which is responsible for collecting
1922         CPU features if necessary. On Linux, we can use the auxiliary vector to get
1923         the information without parsing /proc/cpuinfo.
1924
1925         Currently, nobody calls this function. It will later be called when we emit
1926         the jscvt instruction. To make that possible, we also need to add
1927         disassembler support.
1928
1929         * assembler/AbstractMacroAssembler.h:
1930         * assembler/MacroAssemblerARM64.cpp:
1931         (JSC::MacroAssemblerARM64::collectCPUFeatures):
1932         * assembler/MacroAssemblerARM64.h:
1933         * assembler/MacroAssemblerX86Common.h:
1934
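An added example, not the MacroAssemblerARM64::collectCPUFeatures code from this patch: reading the AT_HWCAP word of the auxiliary vector with getauxval(3) and decoding the bit that advertises the FJCVTZS (jscvt) instruction. The decoder is separated from the host query so it can be tested with a constructed HWCAP value on any machine; CPUFeatures, cpuFeaturesFromHwcap, collectCPUFeatures and canEmitJSCVT are this example's own names. The fallback bit values match the Linux arm64 uapi hwcap definitions (HWCAP_JSCVT is bit 13) and are only used when the host headers do not provide them.

```cpp
#include <cstdint>

#if defined(__linux__)
#include <sys/auxv.h>   // getauxval, AT_HWCAP (and HWCAP_* on arm64 glibc)
#endif

// Fallbacks so the decoder compiles on hosts whose headers lack these.
// Values are the arm64 Linux uapi hwcap bit positions.
#ifndef HWCAP_FP
#define HWCAP_FP    (1UL << 0)
#endif
#ifndef HWCAP_ASIMD
#define HWCAP_ASIMD (1UL << 1)
#endif
#ifndef HWCAP_JSCVT
#define HWCAP_JSCVT (1UL << 13)
#endif

struct CPUFeatures {
    bool fp = false;     // scalar floating point
    bool asimd = false;  // Advanced SIMD
    bool jscvt = false;  // FJCVTZS: double -> int32 with JS semantics
};

// Pure decoder: turns an AT_HWCAP word into a feature struct. Kept free of
// any system call so it can be tested with a constructed value anywhere.
CPUFeatures cpuFeaturesFromHwcap(unsigned long hwcap) {
    CPUFeatures f;
    f.fp = (hwcap & HWCAP_FP) != 0;
    f.asimd = (hwcap & HWCAP_ASIMD) != 0;
    f.jscvt = (hwcap & HWCAP_JSCVT) != 0;
    return f;
}

// Host query. Only an arm64 Linux kernel fills AT_HWCAP with these bits, so
// other hosts report no features instead of misreading their own hwcap word.
CPUFeatures collectCPUFeatures() {
#if defined(__aarch64__) && defined(__linux__)
    return cpuFeaturesFromHwcap(getauxval(AT_HWCAP));
#else
    return CPUFeatures{};
#endif
}

// The decision an assembler would make: emit FJCVTZS only when advertised,
// otherwise fall back to the slower software conversion sequence.
bool canEmitJSCVT(const CPUFeatures& f) {
    return f.jscvt;
}
```

Reading AT_HWCAP is preferable to parsing /proc/cpuinfo for the reason the entry gives and one more: the kernel fills the auxiliary vector at exec time, so the answer cannot change under the process and does not depend on a file that may be absent or differently formatted in a sandbox.
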
1935 2018-04-26  Filip Pizlo  <fpizlo@apple.com>
1936
1937         Also run foldPathConstants before mussing up SSA
1938         https://bugs.webkit.org/show_bug.cgi?id=185069
1939
1940         Reviewed by Saam Barati.
1941         
1942         This isn't needed now, but will be once I implement the phase in bug 185060.
1943         
1944         This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
1945         Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
1946         be landed separately and measured separately from that phase.
1947         
1948         It's probably nice for sanity to have this and reduceStrength run before tail duplication and
1949         another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
1950         it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
1951         neutral. It all depends on what programs typically look like.
1952
1953         * b3/B3Generate.cpp:
1954         (JSC::B3::generateToAir):
1955
1956 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
1957
1958         Unreviewed, rolling out r231086.
1959
1960         Caused JSC test failures due to an unchecked exception.
1961
1962         Reverted changeset:
1963
1964         "[ESNext][BigInt] Implement support for "*" operation"
1965         https://bugs.webkit.org/show_bug.cgi?id=183721
1966         https://trac.webkit.org/changeset/231086
1967
1968 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
1969
1970         [ESNext][BigInt] Implement support for "*" operation
1971         https://bugs.webkit.org/show_bug.cgi?id=183721
1972
1973         Reviewed by Saam Barati.
1974
1975         Added BigInt support to the times binary operator in LLInt and in
1976         JITOperations profiledMul and unprofiledMul. We are also replacing all
1977         uses of int with unsigned when there are no negative values for
1978         variables.
1979
1980         * dfg/DFGConstantFoldingPhase.cpp:
1981         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1982         * jit/JITOperations.cpp:
1983         * runtime/CommonSlowPaths.cpp:
1984         (JSC::SLOW_PATH_DECL):
1985         * runtime/JSBigInt.cpp:
1986         (JSC::JSBigInt::JSBigInt):
1987         (JSC::JSBigInt::allocationSize):
1988         (JSC::JSBigInt::createWithLength):
1989         (JSC::JSBigInt::toString):
1990         (JSC::JSBigInt::multiply):
1991         (JSC::JSBigInt::digitDiv):
1992         (JSC::JSBigInt::internalMultiplyAdd):
1993         (JSC::JSBigInt::multiplyAccumulate):
1994         (JSC::JSBigInt::equals):
1995         (JSC::JSBigInt::absoluteDivSmall):
1996         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1997         (JSC::JSBigInt::toStringGeneric):
1998         (JSC::JSBigInt::rightTrim):
1999         (JSC::JSBigInt::allocateFor):
2000         (JSC::JSBigInt::parseInt):
2001         (JSC::JSBigInt::digit):
2002         (JSC::JSBigInt::setDigit):
2003         * runtime/JSBigInt.h:
2004         * runtime/Operations.h:
2005         (JSC::jsMul):
2006
2007 2018-04-26  Mark Lam  <mark.lam@apple.com>
2008
2009         Gardening: Speculative build fix for Windows.
2010         https://bugs.webkit.org/show_bug.cgi?id=184976
2011         <rdar://problem/39723901>
2012
2013         Not reviewed.
2014
2015         * runtime/JSCPtrTag.h:
2016
2017 2018-04-26  Mark Lam  <mark.lam@apple.com>
2018
2019         Gardening: Windows build fix.
2020
2021         Not reviewed.
2022
2023         * runtime/Options.cpp:
2024
2025 2018-04-26  Jer Noble  <jer.noble@apple.com>
2026
2027         WK_COCOA_TOUCH all the things.
2028         https://bugs.webkit.org/show_bug.cgi?id=185006
2029         <rdar://problem/39736025>
2030
2031         Reviewed by Tim Horton.
2032
2033         * Configurations/Base.xcconfig:
2034
2035 2018-04-26  Per Arne Vollan  <pvollan@apple.com>
2036
2037         Disable content filtering in minimal simulator mode
2038         https://bugs.webkit.org/show_bug.cgi?id=185027
2039         <rdar://problem/39736091>
2040
2041         Reviewed by Jer Noble.
2042
2043         * Configurations/FeatureDefines.xcconfig:
2044
2045 2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>
2046
2047         [INTL] Implement Intl.PluralRules
2048         https://bugs.webkit.org/show_bug.cgi?id=184312
2049
2050         Reviewed by JF Bastien.
2051
2052         Use UNumberFormat to enforce formatting, and then UPluralRules to find
2053         the correct plural rule for the given number. Relies on ICU v59+ for
2054         resolvedOptions().pluralCategories and trailing 0 detection.
2055         Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.
2056
2057         * CMakeLists.txt:
2058         * Configurations/FeatureDefines.xcconfig:
2059         * DerivedSources.make:
2060         * JavaScriptCore.xcodeproj/project.pbxproj:
2061         * Sources.txt:
2062         * builtins/BuiltinNames.h:
2063         * runtime/BigIntObject.cpp:
2064         (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
2065         * runtime/BigIntObject.h:
2066         * runtime/CommonIdentifiers.h:
2067         * runtime/IntlObject.cpp:
2068         (JSC::IntlObject::finishCreation):
2069         * runtime/IntlObject.h:
2070         * runtime/IntlPluralRules.cpp: Added.
2071         (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
2072         (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
2073         (JSC::UEnumerationDeleter::operator() const):
2074         (JSC::IntlPluralRules::create):
2075         (JSC::IntlPluralRules::createStructure):
2076         (JSC::IntlPluralRules::IntlPluralRules):
2077         (JSC::IntlPluralRules::finishCreation):
2078         (JSC::IntlPluralRules::destroy):
2079         (JSC::IntlPluralRules::visitChildren):
2080         (JSC::IntlPRInternal::localeData):
2081         (JSC::IntlPluralRules::initializePluralRules):
2082         (JSC::IntlPluralRules::resolvedOptions):
2083         (JSC::IntlPluralRules::select):
2084         * runtime/IntlPluralRules.h: Added.
2085         * runtime/IntlPluralRulesConstructor.cpp: Added.
2086         (JSC::IntlPluralRulesConstructor::create):
2087         (JSC::IntlPluralRulesConstructor::createStructure):
2088         (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
2089         (JSC::IntlPluralRulesConstructor::finishCreation):
2090         (JSC::constructIntlPluralRules):
2091         (JSC::callIntlPluralRules):
2092         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
2093         (JSC::IntlPluralRulesConstructor::visitChildren):
2094         * runtime/IntlPluralRulesConstructor.h: Added.
2095         * runtime/IntlPluralRulesPrototype.cpp: Added.
2096         (JSC::IntlPluralRulesPrototype::create):
2097         (JSC::IntlPluralRulesPrototype::createStructure):
2098         (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
2099         (JSC::IntlPluralRulesPrototype::finishCreation):
2100         (JSC::IntlPluralRulesPrototypeFuncSelect):
2101         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
2102         * runtime/IntlPluralRulesPrototype.h: Added.
2103         * runtime/JSGlobalObject.cpp:
2104         (JSC::JSGlobalObject::init):
2105         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2106         * runtime/JSGlobalObject.h:
2107         * runtime/Options.h:
2108         * runtime/RegExpPrototype.cpp: Added inlines header.
2109         * runtime/VM.cpp:
2110         (JSC::VM::VM):
2111         * runtime/VM.h:
2112
2113 2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>
2114
2115         [MIPS] Fix branch offsets in branchNeg32
2116         https://bugs.webkit.org/show_bug.cgi?id=185025
2117
2118         Reviewed by Yusuke Suzuki.
2119
2120         Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.
2121
2122         * assembler/MacroAssemblerMIPS.h:
2123         (JSC::MacroAssemblerMIPS::branchNeg32):
2124
2125 2018-04-25  Robin Morisset  <rmorisset@apple.com>
2126
2127         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
2128         https://bugs.webkit.org/show_bug.cgi?id=184773
2129         <rdar://problem/37773612>
2130
2131         Reviewed by Filip Pizlo.
2132
2133         We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
2134         arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
2135         This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
2136         We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
2137         This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
2138
2139         * ftl/FTLLowerDFGToB3.cpp:
2140         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2141
2142 2018-04-25  Mark Lam  <mark.lam@apple.com>
2143
2144         Push the definition of PtrTag down to the WTF layer.
2145         https://bugs.webkit.org/show_bug.cgi?id=184976
2146         <rdar://problem/39723901>
2147
2148         Reviewed by Saam Barati.
2149
2150         * CMakeLists.txt:
2151         * JavaScriptCore.xcodeproj/project.pbxproj:
2152         * assembler/ARM64Assembler.h:
2153         * assembler/AbstractMacroAssembler.h:
2154         * assembler/MacroAssemblerCodeRef.cpp:
2155         * assembler/MacroAssemblerCodeRef.h:
2156         * b3/B3MathExtras.cpp:
2157         * bytecode/LLIntCallLinkInfo.h:
2158         * disassembler/Disassembler.h:
2159         * ftl/FTLJITCode.cpp:
2160         * interpreter/InterpreterInlines.h:
2161         * jit/ExecutableAllocator.h:
2162         * jit/JITOperations.cpp:
2163         * jit/ThunkGenerator.h:
2164         * jit/ThunkGenerators.h:
2165         * llint/LLIntOffsetsExtractor.cpp:
2166         * llint/LLIntPCRanges.h:
2167         * runtime/JSCPtrTag.h: Added.
2168         * runtime/NativeFunction.h:
2169         * runtime/PtrTag.h: Removed.
2170         * runtime/VMTraps.cpp:
2171
2172 2018-04-25  Keith Miller  <keith_miller@apple.com>
2173
2174         getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
2175         https://bugs.webkit.org/show_bug.cgi?id=184998
2176
2177         Reviewed by Saam Barati.
2178
2179         * runtime/CodeCache.cpp:
2180         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2181
2182 2018-04-25  Keith Miller  <keith_miller@apple.com>
2183
2184         Add missing scope release to functionProtoFuncToString
2185         https://bugs.webkit.org/show_bug.cgi?id=184995
2186
2187         Reviewed by Saam Barati.
2188
2189         * runtime/FunctionPrototype.cpp:
2190         (JSC::functionProtoFuncToString):
2191
2192 2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2193
2194         REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
2195         https://bugs.webkit.org/show_bug.cgi?id=184730
2196
2197         Reviewed by Mark Lam.
2198
2199         Add swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM).
2200         And we now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.
2201
2202         We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with the
2203         ARMv7 implementation.
2204
2205         * assembler/ARMAssembler.h:
2206         * assembler/MacroAssemblerARM.h:
2207         (JSC::MacroAssemblerARM::add32):
2208         (JSC::MacroAssemblerARM::and32):
2209         (JSC::MacroAssemblerARM::lshift32):
2210         (JSC::MacroAssemblerARM::mul32):
2211         (JSC::MacroAssemblerARM::or32):
2212         (JSC::MacroAssemblerARM::rshift32):
2213         (JSC::MacroAssemblerARM::urshift32):
2214         (JSC::MacroAssemblerARM::sub32):
2215         (JSC::MacroAssemblerARM::xor32):
2216         (JSC::MacroAssemblerARM::load8):
2217         (JSC::MacroAssemblerARM::abortWithReason):
2218         (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
2219         (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
2220         (JSC::MacroAssemblerARM::store8):
2221         (JSC::MacroAssemblerARM::store32):
2222         (JSC::MacroAssemblerARM::push):
2223         (JSC::MacroAssemblerARM::swap):
2224         (JSC::MacroAssemblerARM::branch8):
2225         (JSC::MacroAssemblerARM::branchPtr):
2226         (JSC::MacroAssemblerARM::branch32):
2227         (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
2228         (JSC::MacroAssemblerARM::branchTest8):
2229         (JSC::MacroAssemblerARM::branchTest32):
2230         (JSC::MacroAssemblerARM::jump):
2231         (JSC::MacroAssemblerARM::branchAdd32):
2232         (JSC::MacroAssemblerARM::mull32):
2233         (JSC::MacroAssemblerARM::branchMul32):
2234         (JSC::MacroAssemblerARM::patchableBranch32):
2235         (JSC::MacroAssemblerARM::nearCall):
2236         (JSC::MacroAssemblerARM::compare32):
2237         (JSC::MacroAssemblerARM::compare8):
2238         (JSC::MacroAssemblerARM::test32):
2239         (JSC::MacroAssemblerARM::test8):
2240         (JSC::MacroAssemblerARM::add64):
2241         (JSC::MacroAssemblerARM::load32):
2242         (JSC::MacroAssemblerARM::call):
2243         (JSC::MacroAssemblerARM::branchPtrWithPatch):
2244         (JSC::MacroAssemblerARM::branch32WithPatch):
2245         (JSC::MacroAssemblerARM::storePtrWithPatch):
2246         (JSC::MacroAssemblerARM::loadDouble):
2247         (JSC::MacroAssemblerARM::storeDouble):
2248         (JSC::MacroAssemblerARM::addDouble):
2249         (JSC::MacroAssemblerARM::divDouble):
2250         (JSC::MacroAssemblerARM::subDouble):
2251         (JSC::MacroAssemblerARM::mulDouble):
2252         (JSC::MacroAssemblerARM::convertInt32ToDouble):
2253         (JSC::MacroAssemblerARM::branchDouble):
2254         (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
2255         (JSC::MacroAssemblerARM::truncateDoubleToInt32):
2256         (JSC::MacroAssemblerARM::truncateDoubleToUint32):
2257         (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
2258         (JSC::MacroAssemblerARM::branchDoubleNonZero):
2259         (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
2260         (JSC::MacroAssemblerARM::call32):
2261         (JSC::MacroAssemblerARM::internalCompare32):
2262
2263 2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>
2264
2265         [WinCairo] Fix js/regexp-unicode.html crash.
2266         https://bugs.webkit.org/show_bug.cgi?id=184891
2267
2268         Reviewed by Yusuke Suzuki.
2269
2270         On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
2271         RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.
2272
2273         * yarr/YarrJIT.cpp:
2274         (JSC::Yarr::YarrGenerator::generateEnter):
2275         (JSC::Yarr::YarrGenerator::generateReturn):
2276         Unconditionally save and restore RDI on 64-bit Windows.
2277
2278 2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>
2279
2280         [GTK] Miscellaneous build cleanups
2281         https://bugs.webkit.org/show_bug.cgi?id=184399
2282
2283         Reviewed by Žan Doberšek.
2284
2285         * PlatformGTK.cmake:
2286
2287 2018-04-24  Keith Miller  <keith_miller@apple.com>
2288
2289         fromCharCode is missing some exception checks
2290         https://bugs.webkit.org/show_bug.cgi?id=184952
2291
2292         Reviewed by Saam Barati.
2293
2294         I also removed the pointless slow path function and moved it into the
2295         main function.
2296
2297         * runtime/StringConstructor.cpp:
2298         (JSC::stringFromCharCode):
2299         (JSC::stringFromCharCodeSlowCase): Deleted.
2300
2301 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
2302
2303         MultiByOffset should emit one fewer branch in the case that the set of structures is proved already
2304         https://bugs.webkit.org/show_bug.cgi?id=184923
2305
2306         Reviewed by Saam Barati.
2307         
2308         If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
2309         (i.e. we know that the object has one of those structures), then previously we would still emit a
2310         switch with a case per structure along with a default case. That would mean one extra redundant
2311         branch to check that whatever structure we wound up with belongs to the set. In that case, we
2312         were already making the default case be an Oops.
2313         
2314         One possible solution would be to say that the default case being Oops means that B3 doesn't need
2315         to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
2316         be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
2317         seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
2318         trap.
2319         
2320         So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
2321         extra branch.
2322         
2323         This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
2324         it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
2325         read.
2326
2327         * ftl/FTLLowerDFGToB3.cpp:
2328         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
2329         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2330         (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):
2331
2332 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
2333
2334         DFG CSE should know how to decay a MultiGetByOffset
2335         https://bugs.webkit.org/show_bug.cgi?id=159859
2336
2337         Reviewed by Keith Miller.
2338         
2339         This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
2340         clobberize() can report a def() for MultiGetByOffset.
2341         
2342         This is a slight improvement to codegen in splay because splay is a heavy user of
2343         MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
2344         "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
2345         removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
2346         splay's time.
2347
2348         * dfg/DFGClobberize.h:
2349         (JSC::DFG::clobberize):
2350         * dfg/DFGNode.cpp:
2351         (JSC::DFG::Node::remove):
2352         (JSC::DFG::Node::removeWithoutChecks):
2353         (JSC::DFG::Node::replaceWith):
2354         (JSC::DFG::Node::replaceWithWithoutChecks):
2355         * dfg/DFGNode.h:
2356         (JSC::DFG::Node::convertToMultiGetByOffset):
2357         (JSC::DFG::Node::replaceWith): Deleted.
2358         * dfg/DFGNodeType.h:
2359         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2360
2361 2018-04-24  Keith Miller  <keith_miller@apple.com>
2362
2363         Update API docs with information on which run loop the VM will use
2364         https://bugs.webkit.org/show_bug.cgi?id=184900
2365         <rdar://problem/39166054>
2366
2367         Reviewed by Mark Lam.
2368
2369         * API/JSContextRef.h:
2370         * API/JSVirtualMachine.h:
2371
2372 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
2373
2374         $vm.totalGCTime() should be a thing
2375         https://bugs.webkit.org/show_bug.cgi?id=184916
2376
2377         Reviewed by Sam Weinig.
2378         
2379         When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
2380         time spent in GC to determine if the regression is because the GC got slower.
2381         
2382         This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
2383
2384         * heap/Heap.cpp:
2385         (JSC::Heap::runEndPhase):
2386         * heap/Heap.h:
2387         (JSC::Heap::totalGCTime const):
2388         * tools/JSDollarVM.cpp:
2389         (JSC::functionTotalGCTime):
2390         (JSC::JSDollarVM::finishCreation):
2391
2392 2018-04-23  Zalan Bujtas  <zalan@apple.com>
2393
2394         [LayoutFormattingContext] Initial commit.
2395         https://bugs.webkit.org/show_bug.cgi?id=184896
2396
2397         Reviewed by Antti Koivisto.
2398
2399         * Configurations/FeatureDefines.xcconfig:
2400
2401 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
2402
2403         Unreviewed, revert accidental change to verbose flag.
2404
2405         * dfg/DFGByteCodeParser.cpp:
2406
2407 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
2408
2409         Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
2410
2411         Rubber stamped by Saam Barati.
2412         
2413         This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
2414         anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
2415         Seems sensible to just roll it out.
2416
2417         * dfg/DFGByteCodeParser.cpp:
2418         (JSC::DFG::ByteCodeParser::addToGraph):
2419         (JSC::DFG::ByteCodeParser::parse):
2420
2421 2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2422
2423         [JSC] Remove ModuleLoaderPrototype
2424         https://bugs.webkit.org/show_bug.cgi?id=184784
2425
2426         Reviewed by Mark Lam.
2427
2428         When we introduce ModuleLoaderPrototype, ModuleLoader may be created by users and exposed to users.
2429         However, the loader spec is abandoned. So we do not need to have ModuleLoaderPrototype and JSModuleLoader.
2430         This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
2431
2432         * CMakeLists.txt:
2433         * DerivedSources.make:
2434         * JavaScriptCore.xcodeproj/project.pbxproj:
2435         * Sources.txt:
2436         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
2437         * runtime/JSGlobalObject.cpp:
2438         (JSC::JSGlobalObject::init):
2439         (JSC::JSGlobalObject::visitChildren):
2440         * runtime/JSGlobalObject.h:
2441         (JSC::JSGlobalObject::proxyRevokeStructure const):
2442         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
2443         * runtime/JSModuleLoader.cpp:
2444         (JSC::moduleLoaderParseModule):
2445         (JSC::moduleLoaderRequestedModules):
2446         (JSC::moduleLoaderModuleDeclarationInstantiation):
2447         (JSC::moduleLoaderResolve):
2448         (JSC::moduleLoaderResolveSync):
2449         (JSC::moduleLoaderFetch):
2450         (JSC::moduleLoaderGetModuleNamespaceObject):
2451         (JSC::moduleLoaderEvaluate):
2452         * runtime/JSModuleLoader.h:
2453         * runtime/ModuleLoaderPrototype.cpp: Removed.
2454         * runtime/ModuleLoaderPrototype.h: Removed.
2455
2456 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
2457
2458         [GLIB] All API tests fail in debug builds
2459         https://bugs.webkit.org/show_bug.cgi?id=184813
2460
2461         Reviewed by Mark Lam.
2462
2463         This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
2464         JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.
2465
2466         * API/glib/JSCContext.cpp:
2467         (JSCContextExceptionHandler::JSCContextExceptionHandler):
2468         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
2469         (jscContextConstructed):
2470         (ExceptionHandler::ExceptionHandler): Deleted.
2471         (ExceptionHandler::~ExceptionHandler): Deleted.
2472
2473 2018-04-20  Tim Horton  <timothy_horton@apple.com>
2474
2475         Adjust geolocation feature flag
2476         https://bugs.webkit.org/show_bug.cgi?id=184856
2477
2478         Reviewed by Wenson Hsieh.
2479
2480         * Configurations/FeatureDefines.xcconfig:
2481
2482 2018-04-20  Brian Burg  <bburg@apple.com>
2483
2484         Web Inspector: remove some dead code in IdentifiersFactory
2485         https://bugs.webkit.org/show_bug.cgi?id=184839
2486
2487         Reviewed by Timothy Hatcher.
2488
2489         This was never used on non-Chrome ports, so the identifier always has a
2490         prefix of '0.'. We may change this in the future, but for now remove this.
2491         Using a PID for this purpose is problematic anyway.
2492
2493         * inspector/IdentifiersFactory.cpp:
2494         (Inspector::addPrefixToIdentifier):
2495         (Inspector::IdentifiersFactory::createIdentifier):
2496         (Inspector::IdentifiersFactory::requestId):
2497         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
2498         * inspector/IdentifiersFactory.h:
2499
2500 2018-04-20  Mark Lam  <mark.lam@apple.com>
2501
2502         Add the ability to use a hash for setting PtrTag enum values.
2503         https://bugs.webkit.org/show_bug.cgi?id=184852
2504         <rdar://problem/39613891>
2505
2506         Reviewed by Saam Barati.
2507
2508         * runtime/PtrTag.h:
2509
2510 2018-04-20  Mark Lam  <mark.lam@apple.com>
2511
2512         Some JSEntryPtrTags should actually be JSInternalPtrTags.
2513         https://bugs.webkit.org/show_bug.cgi?id=184712
2514         <rdar://problem/39507381>
2515
2516         Reviewed by Michael Saboff.
2517
2518         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
2519         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
2520            only when needed.
2521
2522         * bytecode/AccessCase.cpp:
2523         (JSC::AccessCase::generateImpl):
2524         * bytecode/ByValInfo.h:
2525         (JSC::ByValInfo::ByValInfo):
2526         * bytecode/CallLinkInfo.cpp:
2527         (JSC::CallLinkInfo::callReturnLocation):
2528         (JSC::CallLinkInfo::patchableJump):
2529         (JSC::CallLinkInfo::hotPathBegin):
2530         (JSC::CallLinkInfo::slowPathStart):
2531         * bytecode/CallLinkInfo.h:
2532         (JSC::CallLinkInfo::setCallLocations):
2533         (JSC::CallLinkInfo::hotPathOther):
2534         * bytecode/PolymorphicAccess.cpp:
2535         (JSC::PolymorphicAccess::regenerate):
2536         * bytecode/StructureStubInfo.h:
2537         (JSC::StructureStubInfo::doneLocation):
2538         * dfg/DFGJITCompiler.cpp:
2539         (JSC::DFG::JITCompiler::link):
2540         * dfg/DFGOSRExit.cpp:
2541         (JSC::DFG::reifyInlinedCallFrames):
2542         * ftl/FTLLazySlowPath.cpp:
2543         (JSC::FTL::LazySlowPath::initialize):
2544         * ftl/FTLLazySlowPath.h:
2545         (JSC::FTL::LazySlowPath::done const):
2546         * ftl/FTLLowerDFGToB3.cpp:
2547         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2548         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2549         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2550         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2551         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2552         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2553         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
2554         * jit/JIT.cpp:
2555         (JSC::JIT::link):
2556         * jit/JITExceptions.cpp:
2557         (JSC::genericUnwind):
2558         * jit/JITMathIC.h:
2559         (JSC::isProfileEmpty):
2560         * llint/LLIntData.cpp:
2561         (JSC::LLInt::initialize):
2562         * llint/LLIntData.h:
2563         (JSC::LLInt::getCodePtr):
2564         (JSC::LLInt::getExecutableAddress): Deleted.
2565         * llint/LLIntExceptions.cpp:
2566         (JSC::LLInt::callToThrow):
2567         * llint/LLIntSlowPaths.cpp:
2568         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2569         * wasm/js/WasmToJS.cpp:
2570         (JSC::Wasm::wasmToJS):
2571
2572 2018-04-18  Jer Noble  <jer.noble@apple.com>
2573
2574         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
2575         https://bugs.webkit.org/show_bug.cgi?id=184762
2576
2577         Reviewed by Dan Bernstein.
2578
2579         * Configurations/Base.xcconfig:
2580         * JavaScriptCore.xcodeproj/project.pbxproj:
2581
2582 2018-04-20  Daniel Bates  <dabates@apple.com>
2583
2584         Remove code for compilers that did not support NSDMI for aggregates
2585         https://bugs.webkit.org/show_bug.cgi?id=184599
2586
2587         Reviewed by Per Arne Vollan.
2588
2589         Remove workaround for earlier Visual Studio versions that did not support non-static data
2590         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
2591         and EWS bots to a newer version that supports this feature.
2592
2593         * domjit/DOMJITEffect.h:
2594         (JSC::DOMJIT::Effect::Effect): Deleted.
2595         * runtime/HasOwnPropertyCache.h:
2596         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
2597         * wasm/WasmFormat.h:
2598         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
2599
2600 2018-04-20  Mark Lam  <mark.lam@apple.com>
2601
2602         Build fix for internal builds after r230826.
2603         https://bugs.webkit.org/show_bug.cgi?id=184790
2604         <rdar://problem/39301369>
2605
2606         Not reviewed.
2607
2608         * runtime/Options.cpp:
2609         (JSC::overrideDefaults):
2610         * tools/SigillCrashAnalyzer.cpp:
2611         (JSC::SignalContext::dump):
2612
2613 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
2614
2615         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
2616         https://bugs.webkit.org/show_bug.cgi?id=184254
2617         <rdar://problem/39140200>
2618
2619         Reviewed by Daniel Bates.
2620
2621         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
2622
2623         * runtime/ArrayBuffer.h:
2624         (JSC::ArrayBufferContents::ArrayBufferContents):
2625
2626 2018-04-19  Mark Lam  <mark.lam@apple.com>
2627
2628         Apply pointer profiling to Signal pointers.
2629         https://bugs.webkit.org/show_bug.cgi?id=184790
2630         <rdar://problem/39301369>
2631
2632         Reviewed by Michael Saboff.
2633
2634         1. Change stackPointer, framePointer, and instructionPointer accessors to
2635            be a pair of getter/setter functions.
2636         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
2637            pointer profiling variants of these accessors.
2638         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
2639
2640         * JavaScriptCorePrefix.h:
2641         * runtime/MachineContext.h:
2642         (JSC::MachineContext::stackPointerImpl):
2643         (JSC::MachineContext::stackPointer):
2644         (JSC::MachineContext::setStackPointer):
2645         (JSC::MachineContext::framePointerImpl):
2646         (JSC::MachineContext::framePointer):
2647         (JSC::MachineContext::setFramePointer):
2648         (JSC::MachineContext::instructionPointerImpl):
2649         (JSC::MachineContext::instructionPointer):
2650         (JSC::MachineContext::setInstructionPointer):
2651         (JSC::MachineContext::linkRegisterImpl):
2652         (JSC::MachineContext::linkRegister):
2653         (JSC::MachineContext::setLinkRegister):
2654         * runtime/SamplingProfiler.cpp:
2655         (JSC::SamplingProfiler::takeSample):
2656         * runtime/VMTraps.cpp:
2657         (JSC::SignalContext::SignalContext):
2658         (JSC::VMTraps::tryInstallTrapBreakpoints):
2659         * tools/CodeProfiling.cpp:
2660         (JSC::profilingTimer):
2661         * tools/SigillCrashAnalyzer.cpp:
2662         (JSC::SignalContext::dump):
2663         (JSC::installCrashHandler):
2664         (JSC::SigillCrashAnalyzer::analyze):
2665         * wasm/WasmFaultSignalHandler.cpp:
2666         (JSC::Wasm::trapHandler):
2667
2668 2018-04-19  David Kilzer  <ddkilzer@apple.com>
2669
2670         Enable Objective-C weak references
2671         <https://webkit.org/b/184789>
2672         <rdar://problem/39571716>
2673
2674         Reviewed by Dan Bernstein.
2675
2676         * Configurations/Base.xcconfig:
2677         (CLANG_ENABLE_OBJC_WEAK): Enable.
2678         * Configurations/ToolExecutable.xcconfig:
2679         (CLANG_ENABLE_OBJC_ARC): Simplify.
2680
2681 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2682
2683         The InternalFunction hierarchy should be in IsoSubspaces
2684         https://bugs.webkit.org/show_bug.cgi?id=184721
2685
2686         Reviewed by Saam Barati.
2687         
2688         This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
2689         but subclasses that are the same size as InternalFunction share its subspace. I did this
2690         because the subclasses appear to just override methods, which are called dynamically via the
2691         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
2692         allocate one kind of InternalFunction over another.
2693
2694         * API/JSBase.h:
2695         * API/JSCallbackFunction.h:
2696         * API/ObjCCallbackFunction.h:
2697         (JSC::ObjCCallbackFunction::subspaceFor):
2698         * CMakeLists.txt:
2699         * JavaScriptCore.xcodeproj/project.pbxproj:
2700         * Sources.txt:
2701         * heap/IsoSubspacePerVM.cpp: Added.
2702         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
2703         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
2704         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
2705         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
2706         (JSC::IsoSubspacePerVM::forVM):
2707         * heap/IsoSubspacePerVM.h: Added.
2708         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
2709         * runtime/Error.h:
2710         * runtime/ErrorConstructor.h:
2711         * runtime/InternalFunction.h:
2712         (JSC::InternalFunction::subspaceFor):
2713         * runtime/IntlCollatorConstructor.h:
2714         * runtime/IntlDateTimeFormatConstructor.h:
2715         * runtime/IntlNumberFormatConstructor.h:
2716         * runtime/JSArrayBufferConstructor.h:
2717         * runtime/NativeErrorConstructor.h:
2718         * runtime/ProxyRevoke.h:
2719         * runtime/RegExpConstructor.h:
2720         * runtime/VM.cpp:
2721         (JSC::VM::VM):
2722         * runtime/VM.h:
2723
2724 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2725
2726         Unreviewed, Fix jsc shell
2727         https://bugs.webkit.org/show_bug.cgi?id=184600
2728
2729         WebAssembly module loading does not finish with drainMicrotasks().
2730         So JSNativeStdFunction's capturing variables become invalid.
2731         This patch fixes this issue.
2732
2733         * jsc.cpp:
2734         (functionDollarAgentStart):
2735         (runWithOptions):
2736         (runJSC):
2737         (jscmain):
2738
2739 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
2740
2741         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
2742         https://bugs.webkit.org/show_bug.cgi?id=184725
2743
2744         Reviewed by Mark Lam.
2745
2746         * jit/JIT.h:
2747
2748 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2749
2750         [WebAssembly][Modules] Import tables in wasm modules
2751         https://bugs.webkit.org/show_bug.cgi?id=184738
2752
2753         Reviewed by JF Bastien.
2754
2755         This patch simply allows wasm modules to import tables from wasm modules / js re-exporting.
2756         Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
2757         just works.
2758
2759         * wasm/js/JSWebAssemblyInstance.cpp:
2760         (JSC::JSWebAssemblyInstance::create):
2761         * wasm/js/WebAssemblyModuleRecord.cpp:
2762         (JSC::WebAssemblyModuleRecord::link):
2763
2764 2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>
2765
2766         [ARM] Fix build error and crash after PtrTag change
2767         https://bugs.webkit.org/show_bug.cgi?id=184732
2768
2769         Reviewed by Mark Lam.
2770
2771         Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
2772         MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
2773         twice with ARM-Thumb2.
2774
2775         * assembler/MacroAssemblerCodeRef.h:
2776         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2777         * jit/JITPropertyAccess32_64.cpp:
2778         (JSC::JIT::emitSlow_op_put_by_val):
2779         * jit/Repatch.cpp:
2780         (JSC::linkPolymorphicCall):
2781
2782 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2783
2784         [WebAssembly][Modules] Import globals from wasm modules
2785         https://bugs.webkit.org/show_bug.cgi?id=184736
2786
2787         Reviewed by JF Bastien.
2788
2789         This patch implements a feature importing globals to/from wasm modules.
2790         Since we are not supporting mutable globals now, we can just copy the
2791         global data when importing. Currently we do not support importing/exporting
2792         i64 globals. This will be supported once (1) mutable global bindings are
2793         specified and (2) BigInt based i64 importing/exporting is specified.
2794
2795         * wasm/js/JSWebAssemblyInstance.cpp:
2796         (JSC::JSWebAssemblyInstance::create):
2797         * wasm/js/WebAssemblyModuleRecord.cpp:
2798         (JSC::WebAssemblyModuleRecord::link):
2799
2800 2018-04-18  Tomas Popela  <tpopela@redhat.com>
2801
2802         Unreviewed, fix build on ARM
2803
2804         * assembler/MacroAssemblerARM.h:
2805         (JSC::MacroAssemblerARM::readCallTarget):
2806
2807 2018-04-18  Tomas Popela  <tpopela@redhat.com>
2808
2809         Unreviewed, fix build with GCC
2810
2811         * assembler/LinkBuffer.h:
2812         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2813
2814 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2815
2816         Unreviewed, reland r230697, r230720, and r230724.
2817         https://bugs.webkit.org/show_bug.cgi?id=184600
2818
2819         With CatchScope check.
2820
2821         * JavaScriptCore.xcodeproj/project.pbxproj:
2822         * builtins/ModuleLoaderPrototype.js:
2823         (globalPrivate.newRegistryEntry):
2824         (requestInstantiate):
2825         (link):
2826         * jsc.cpp:
2827         (convertShebangToJSComment):
2828         (fillBufferWithContentsOfFile):
2829         (fetchModuleFromLocalFileSystem):
2830         (GlobalObject::moduleLoaderFetch):
2831         (functionDollarAgentStart):
2832         (checkException):
2833         (runWithOptions):
2834         * parser/NodesAnalyzeModule.cpp:
2835         (JSC::ImportDeclarationNode::analyzeModule):
2836         * parser/SourceProvider.h:
2837         (JSC::WebAssemblySourceProvider::create):
2838         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
2839         * runtime/AbstractModuleRecord.cpp:
2840         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2841         (JSC::AbstractModuleRecord::resolveImport):
2842         (JSC::AbstractModuleRecord::link):
2843         (JSC::AbstractModuleRecord::evaluate):
2844         (JSC::identifierToJSValue): Deleted.
2845         * runtime/AbstractModuleRecord.h:
2846         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
2847         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
2848         * runtime/JSModuleEnvironment.cpp:
2849         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2850         * runtime/JSModuleLoader.cpp:
2851         (JSC::JSModuleLoader::evaluate):
2852         * runtime/JSModuleRecord.cpp:
2853         (JSC::JSModuleRecord::link):
2854         (JSC::JSModuleRecord::instantiateDeclarations):
2855         * runtime/JSModuleRecord.h:
2856         * runtime/ModuleLoaderPrototype.cpp:
2857         (JSC::moduleLoaderPrototypeParseModule):
2858         (JSC::moduleLoaderPrototypeRequestedModules):
2859         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
2860         * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
2861         * wasm/js/JSWebAssemblyHelpers.h:
2862         (JSC::getWasmBufferFromValue):
2863         (JSC::createSourceBufferFromValue):
2864         * wasm/js/JSWebAssemblyInstance.cpp:
2865         (JSC::JSWebAssemblyInstance::finalizeCreation):
2866         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
2867         (JSC::JSWebAssemblyInstance::create):
2868         * wasm/js/JSWebAssemblyInstance.h:
2869         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2870         (JSC::constructJSWebAssemblyInstance):
2871         * wasm/js/WebAssemblyModuleRecord.cpp:
2872         (JSC::WebAssemblyModuleRecord::prepareLink):
2873         (JSC::WebAssemblyModuleRecord::link):
2874         * wasm/js/WebAssemblyModuleRecord.h:
2875         * wasm/js/WebAssemblyPrototype.cpp:
2876         (JSC::resolve):
2877         (JSC::instantiate):
2878         (JSC::compileAndInstantiate):
2879         (JSC::WebAssemblyPrototype::instantiate):
2880         (JSC::webAssemblyInstantiateFunc):
2881         (JSC::webAssemblyValidateFunc):
2882         * wasm/js/WebAssemblyPrototype.h:
2883
2884 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2885
2886         [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
2887         https://bugs.webkit.org/show_bug.cgi?id=184687
2888
2889         Reviewed by Michael Catanzaro.
2890
2891         Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
2892         JSClassDefinition. This is required to implement dynamic properties that can't be added with
2893         jsc_class_add_property() for example to implement something like imports object in seed/gjs.
2894
2895         * API/glib/JSCClass.cpp:
2896         (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
2897         can throw exceptions.
2898         (VTableExceptionHandler::~VTableExceptionHandler):
2899         (getProperty): Iterate the class chain to call get_property function.
2900         (setProperty): Iterate the class chain to call set_property function.
2901         (hasProperty): Iterate the class chain to call has_property function.
2902         (deleteProperty): Iterate the class chain to call delete_property function.
2903         (getPropertyNames): Iterate the class chain to call enumerate_properties function.
2904         (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
2905         jscClassCreate now.
2906         (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
2907         * API/glib/JSCClass.h:
2908         * API/glib/JSCClassPrivate.h:
2909         * API/glib/JSCContext.cpp:
2910         (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
2911         (jsc_context_register_class): Add JSCClassVTable parameter.
2912         * API/glib/JSCContext.h:
2913         * API/glib/JSCContextPrivate.h:
2914         * API/glib/JSCWrapperMap.cpp:
2915         (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
2916         * API/glib/JSCWrapperMap.h:
2917         * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
2918
2919 2018-04-17  Mark Lam  <mark.lam@apple.com>
2920
2921         Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
2922         https://bugs.webkit.org/show_bug.cgi?id=184702
2923         <rdar://problem/35391681>
2924
2925         Reviewed by Filip Pizlo and Saam Barati.
2926
2927         1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
2928            to take a PtrTag template argument.
2929         2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
2930
2931         * assembler/AbstractMacroAssembler.h:
2932         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
2933         (JSC::AbstractMacroAssembler::linkJump):
2934         (JSC::AbstractMacroAssembler::linkPointer):
2935         (JSC::AbstractMacroAssembler::getLinkerAddress):
2936         (JSC::AbstractMacroAssembler::repatchJump):
2937         (JSC::AbstractMacroAssembler::repatchJumpToNop):
2938         (JSC::AbstractMacroAssembler::repatchNearCall):
2939         (JSC::AbstractMacroAssembler::repatchCompact):
2940         (JSC::AbstractMacroAssembler::repatchInt32):
2941         (JSC::AbstractMacroAssembler::repatchPointer):
2942         (JSC::AbstractMacroAssembler::readPointer):
2943         (JSC::AbstractMacroAssembler::replaceWithLoad):
2944         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
2945         * assembler/CodeLocation.h:
2946         (JSC::CodeLocationCommon:: const):
2947         (JSC::CodeLocationCommon::CodeLocationCommon):
2948         (JSC::CodeLocationInstruction::CodeLocationInstruction):
2949         (JSC::CodeLocationLabel::CodeLocationLabel):
2950         (JSC::CodeLocationLabel::retagged):
2951         (JSC::CodeLocationLabel:: const):
2952         (JSC::CodeLocationJump::CodeLocationJump):
2953         (JSC::CodeLocationJump::retagged):
2954         (JSC::CodeLocationCall::CodeLocationCall):
2955         (JSC::CodeLocationCall::retagged):
2956         (JSC::CodeLocationNearCall::CodeLocationNearCall):
2957         (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
2958         (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
2959         (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
2960         (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
2961         (JSC::CodeLocationCommon<tag>::instructionAtOffset):
2962         (JSC::CodeLocationCommon<tag>::labelAtOffset):
2963         (JSC::CodeLocationCommon<tag>::jumpAtOffset):
2964         (JSC::CodeLocationCommon<tag>::callAtOffset):
2965         (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
2966         (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
2967         (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
2968         (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
2969         (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
2970         (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
2971         (JSC::CodeLocationCommon::labelAtOffset): Deleted.
2972         (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
2973         (JSC::CodeLocationCommon::callAtOffset): Deleted.
2974         (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
2975         (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
2976         (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
2977         (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
2978         (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
2979         * assembler/LinkBuffer.cpp:
2980         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
2981         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
2982         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
2983         (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
2984         * assembler/LinkBuffer.h:
2985         (JSC::LinkBuffer::link):
2986         (JSC::LinkBuffer::patch):
2987         (JSC::LinkBuffer::entrypoint):
2988         (JSC::LinkBuffer::locationOf):
2989         (JSC::LinkBuffer::locationOfNearCall):
2990         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
2991         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2992         (JSC::LinkBuffer::trampolineAt):
2993         * assembler/MacroAssemblerARM.h:
2994         (JSC::MacroAssemblerARM::readCallTarget):
2995         (JSC::MacroAssemblerARM::replaceWithJump):
2996         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
2997         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
2998         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
2999         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
3000         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
3001         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
3002         (JSC::MacroAssemblerARM::repatchCall):
3003         (JSC::MacroAssemblerARM::linkCall):
3004         * assembler/MacroAssemblerARM64.h:
3005         (JSC::MacroAssemblerARM64::readCallTarget):
3006         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
3007         (JSC::MacroAssemblerARM64::replaceWithJump):
3008         (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
3009         (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
3010         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
3011         (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
3012         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
3013         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
3014         (JSC::MacroAssemblerARM64::repatchCall):
3015         (JSC::MacroAssemblerARM64::linkCall):
3016         * assembler/MacroAssemblerARMv7.h:
3017         (JSC::MacroAssemblerARMv7::replaceWithJump):
3018         (JSC::MacroAssemblerARMv7::readCallTarget):
3019         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
3020         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
3021         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
3022         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
3023         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
3024         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
3025         (JSC::MacroAssemblerARMv7::repatchCall):
3026         (JSC::MacroAssemblerARMv7::linkCall):
3027         * assembler/MacroAssemblerCodeRef.cpp:
3028         (JSC::MacroAssemblerCodePtrBase::dumpWithName):
3029         (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
3030         (JSC::MacroAssemblerCodeRefBase::disassembly):
3031         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
3032         (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
3033         (JSC::MacroAssemblerCodePtr::dump const): Deleted.
3034         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
3035         (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
3036         (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
3037         (JSC::MacroAssemblerCodeRef::dump const): Deleted.
3038         * assembler/MacroAssemblerCodeRef.h:
3039         (JSC::FunctionPtr::FunctionPtr):
3040         (JSC::FunctionPtr::retagged const):
3041         (JSC::FunctionPtr::retaggedExecutableAddress const):
3042         (JSC::FunctionPtr::operator== const):
3043         (JSC::FunctionPtr::operator!= const):
3044         (JSC::ReturnAddressPtr::ReturnAddressPtr):
3045         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3046         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
3047         (JSC::MacroAssemblerCodePtr::retagged const):
3048         (JSC::MacroAssemblerCodePtr:: const):
3049         (JSC::MacroAssemblerCodePtr::dumpWithName const):
3050         (JSC::MacroAssemblerCodePtr::dump const):
3051         (JSC::MacroAssemblerCodePtrHash::hash):
3052         (JSC::MacroAssemblerCodePtrHash::equal):
3053         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
3054         (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
3055         (JSC::MacroAssemblerCodeRef::code const):
3056         (JSC::MacroAssemblerCodeRef::retaggedCode const):
3057         (JSC::MacroAssemblerCodeRef::retagged const):
3058         (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
3059         (JSC::MacroAssemblerCodeRef::disassembly const):
3060         (JSC::MacroAssemblerCodeRef::dump const):
3061         (JSC::FunctionPtr<tag>::FunctionPtr):
3062         * assembler/MacroAssemblerMIPS.h:
3063         (JSC::MacroAssemblerMIPS::readCallTarget):
3064         (JSC::MacroAssemblerMIPS::replaceWithJump):
3065         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
3066         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
3067         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
3068         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
3069         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
3070         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
3071         (JSC::MacroAssemblerMIPS::repatchCall):
3072         (JSC::MacroAssemblerMIPS::linkCall):
3073         * assembler/MacroAssemblerX86.h:
3074         (JSC::MacroAssemblerX86::readCallTarget):
3075         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
3076         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
3077         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
3078         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
3079         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
3080         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
3081         (JSC::MacroAssemblerX86::repatchCall):
3082         (JSC::MacroAssemblerX86::linkCall):
3083         * assembler/MacroAssemblerX86Common.h:
3084         (JSC::MacroAssemblerX86Common::repatchCompact):
3085         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
3086         (JSC::MacroAssemblerX86Common::replaceWithJump):
3087         * assembler/MacroAssemblerX86_64.h:
3088         (JSC::MacroAssemblerX86_64::readCallTarget):
3089         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
3090         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
3091         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
3092         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
3093         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
3094         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
3095         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
3096         (JSC::MacroAssemblerX86_64::repatchCall):
3097         (JSC::MacroAssemblerX86_64::linkCall):
3098         * assembler/testmasm.cpp:
3099         (JSC::compile):
3100         (JSC::invoke):
3101         (JSC::testProbeModifiesProgramCounter):
3102         * b3/B3Compilation.cpp:
3103         (JSC::B3::Compilation::Compilation):
3104         * b3/B3Compilation.h:
3105         (JSC::B3::Compilation::code const):
3106         (JSC::B3::Compilation::codeRef const):
3107         * b3/B3Compile.cpp:
3108         (JSC::B3::compile):
3109         * b3/B3LowerMacros.cpp:
3110         * b3/air/AirDisassembler.cpp:
3111         (JSC::B3::Air::Disassembler::dump):
3112         * b3/air/testair.cpp:
3113         * b3/testb3.cpp:
3114         (JSC::B3::invoke):
3115         (JSC::B3::testInterpreter):
3116         (JSC::B3::testEntrySwitchSimple):
3117         (JSC::B3::testEntrySwitchNoEntrySwitch):
3118         (JSC::B3::testEntrySwitchWithCommonPaths):
3119         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
3120         (JSC::B3::testEntrySwitchLoop):
3121         * bytecode/AccessCase.cpp:
3122         (JSC::AccessCase::generateImpl):
3123         * bytecode/AccessCaseSnippetParams.cpp:
3124         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
3125         * bytecode/ByValInfo.h:
3126         (JSC::ByValInfo::ByValInfo):
3127         * bytecode/CallLinkInfo.cpp:
3128         (JSC::CallLinkInfo::callReturnLocation):
3129         (JSC::CallLinkInfo::patchableJump):
3130         (JSC::CallLinkInfo::hotPathBegin):
3131         (JSC::CallLinkInfo::slowPathStart):
3132         * bytecode/CallLinkInfo.h:
3133         (JSC::CallLinkInfo::setCallLocations):
3134         (JSC::CallLinkInfo::hotPathOther):
3135         * bytecode/CodeBlock.cpp:
3136         (JSC::CodeBlock::finishCreation):
3137         * bytecode/GetByIdStatus.cpp:
3138         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3139         * bytecode/GetByIdVariant.cpp:
3140         (JSC::GetByIdVariant::GetByIdVariant):
3141         (JSC::GetByIdVariant::dumpInContext const):
3142         * bytecode/GetByIdVariant.h:
3143         (JSC::GetByIdVariant::customAccessorGetter const):
3144         * bytecode/GetterSetterAccessCase.cpp:
3145         (JSC::GetterSetterAccessCase::create):
3146         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3147         (JSC::GetterSetterAccessCase::dumpImpl const):
3148         * bytecode/GetterSetterAccessCase.h:
3149         (JSC::GetterSetterAccessCase::customAccessor const):
3150         (): Deleted.
3151         * bytecode/HandlerInfo.h:
3152         (JSC::HandlerInfo::initialize):
3153         * bytecode/InlineAccess.cpp:
3154         (JSC::linkCodeInline):
3155         (JSC::InlineAccess::rewireStubAsJump):
3156         * bytecode/InlineAccess.h:
3157         * bytecode/JumpTable.h:
3158         (JSC::StringJumpTable::ctiForValue):
3159         (JSC::SimpleJumpTable::ctiForValue):
3160         * bytecode/LLIntCallLinkInfo.h:
3161         (JSC::LLIntCallLinkInfo::unlink):
3162         * bytecode/PolymorphicAccess.cpp:
3163         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
3164         (JSC::PolymorphicAccess::regenerate):
3165         * bytecode/PolymorphicAccess.h:
3166         (JSC::AccessGenerationResult::AccessGenerationResult):
3167         (JSC::AccessGenerationResult::code const):
3168         * bytecode/StructureStubInfo.h:
3169         (JSC::StructureStubInfo::slowPathCallLocation):
3170         (JSC::StructureStubInfo::doneLocation):
3171         (JSC::StructureStubInfo::slowPathStartLocation):
3172         (JSC::StructureStubInfo::patchableJumpForIn):
3173         * dfg/DFGCommonData.h:
3174         (JSC::DFG::CommonData::appendCatchEntrypoint):
3175         * dfg/DFGDisassembler.cpp:
3176         (JSC::DFG::Disassembler::dumpDisassembly):
3177         * dfg/DFGDriver.h:
3178         * dfg/DFGJITCompiler.cpp:
3179         (JSC::DFG::JITCompiler::linkOSRExits):
3180         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3181         (JSC::DFG::JITCompiler::link):
3182         (JSC::DFG::JITCompiler::compileFunction):
3183         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3184         * dfg/DFGJITCompiler.h:
3185         (JSC::DFG::CallLinkRecord::CallLinkRecord):
3186         (JSC::DFG::JITCompiler::appendCall):
3187         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
3188         (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
3189         (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
3190         * dfg/DFGJITFinalizer.cpp:
3191         (JSC::DFG::JITFinalizer::JITFinalizer):
3192         (JSC::DFG::JITFinalizer::finalize):
3193         (JSC::DFG::JITFinalizer::finalizeFunction):
3194         * dfg/DFGJITFinalizer.h:
3195         * dfg/DFGJumpReplacement.h:
3196         (JSC::DFG::JumpReplacement::JumpReplacement):
3197         * dfg/DFGNode.h:
3198         * dfg/DFGOSREntry.cpp:
3199         (JSC::DFG::prepareOSREntry):
3200         (JSC::DFG::prepareCatchOSREntry):
3201         * dfg/DFGOSREntry.h:
3202         (JSC::DFG::prepareOSREntry):
3203         * dfg/DFGOSRExit.cpp:
3204         (JSC::DFG::OSRExit::executeOSRExit):
3205         (JSC::DFG::reifyInlinedCallFrames):
3206         (JSC::DFG::adjustAndJumpToTarget):
3207         (JSC::DFG::OSRExit::codeLocationForRepatch const):
3208         (JSC::DFG::OSRExit::emitRestoreArguments):
3209         (JSC::DFG::OSRExit::compileOSRExit):
3210         * dfg/DFGOSRExit.h:
3211         * dfg/DFGOSRExitCompilerCommon.cpp:
3212         (JSC::DFG::handleExitCounts):
3213         (JSC::DFG::reifyInlinedCallFrames):
3214         (JSC::DFG::osrWriteBarrier):
3215         (JSC::DFG::adjustAndJumpToTarget):
3216         * dfg/DFGOperations.cpp:
3217         * dfg/DFGSlowPathGenerator.h:
3218         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
3219         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
3220         (JSC::DFG::slowPathCall):
3221         * dfg/DFGSpeculativeJIT.cpp:
3222         (JSC::DFG::SpeculativeJIT::compileMathIC):
3223         (JSC::DFG::SpeculativeJIT::compileCallDOM):
3224         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3225         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
3226         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3227         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
3228         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
3229         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
3230         (JSC::DFG::SpeculativeJIT::cachedPutById):
3231         * dfg/DFGSpeculativeJIT.h:
3232         (JSC::DFG::SpeculativeJIT::callOperation):
3233         (JSC::DFG::SpeculativeJIT::appendCall):
3234         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
3235         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
3236         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3237         * dfg/DFGSpeculativeJIT64.cpp:
3238         (JSC::DFG::SpeculativeJIT::cachedGetById):
3239         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3240         (JSC::DFG::SpeculativeJIT::compile):
3241         * dfg/DFGThunks.cpp:
3242         (JSC::DFG::osrExitThunkGenerator):
3243         (JSC::DFG::osrExitGenerationThunkGenerator):
3244         (JSC::DFG::osrEntryThunkGenerator):
3245         * dfg/DFGThunks.h:
3246         * disassembler/ARM64Disassembler.cpp:
3247         (JSC::tryToDisassemble):
3248         * disassembler/ARMv7Disassembler.cpp:
3249         (JSC::tryToDisassemble):
3250         * disassembler/Disassembler.cpp:
3251         (JSC::disassemble):
3252         (JSC::disassembleAsynchronously):
3253         * disassembler/Disassembler.h:
3254         (JSC::tryToDisassemble):
3255         * disassembler/UDis86Disassembler.cpp:
3256         (JSC::tryToDisassembleWithUDis86):
3257         * disassembler/UDis86Disassembler.h:
3258         (JSC::tryToDisassembleWithUDis86):
3259         * disassembler/X86Disassembler.cpp:
3260         (JSC::tryToDisassemble):
3261         * ftl/FTLCompile.cpp:
3262         (JSC::FTL::compile):
3263         * ftl/FTLExceptionTarget.cpp:
3264         (JSC::FTL::ExceptionTarget::label):
3265         (JSC::FTL::ExceptionTarget::jumps):
3266         * ftl/FTLExceptionTarget.h:
3267         * ftl/FTLGeneratedFunction.h:
3268         * ftl/FTLJITCode.cpp:
3269         (JSC::FTL::JITCode::initializeB3Code):
3270         (JSC::FTL::JITCode::initializeAddressForCall):
3271         (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
3272         (JSC::FTL::JITCode::addressForCall):
3273         (JSC::FTL::JITCode::executableAddressAtOffset):
3274         * ftl/FTLJITCode.h:
3275         (JSC::FTL::JITCode::b3Code const):
3276         * ftl/FTLJITFinalizer.cpp:
3277         (JSC::FTL::JITFinalizer::finalizeCommon):
3278         * ftl/FTLLazySlowPath.cpp:
3279         (JSC::FTL::LazySlowPath::initialize):
3280         (JSC::FTL::LazySlowPath::generate):
3281         * ftl/FTLLazySlowPath.h:
3282         (JSC::FTL::LazySlowPath::patchableJump const):
3283         (JSC::FTL::LazySlowPath::done const):
3284         (JSC::FTL::LazySlowPath::stub const):
3285         * ftl/FTLLazySlowPathCall.h:
3286         (JSC::FTL::createLazyCallGenerator):
3287         * ftl/FTLLink.cpp:
3288         (JSC::FTL::link):
3289         * ftl/FTLLowerDFGToB3.cpp:
3290         (JSC::FTL::DFG::LowerDFGToB3::lower):
3291         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3292         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3293         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3294         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3295         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3296         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3297         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
3298         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3299         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3300         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
3301         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3302         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3303         * ftl/FTLOSRExit.cpp:
3304         (JSC::FTL::OSRExit::codeLocationForRepatch const):
3305         * ftl/FTLOSRExit.h:
3306         * ftl/FTLOSRExitCompiler.cpp:
3307         (JSC::FTL::compileStub):
3308         (JSC::FTL::compileFTLOSRExit):
3309         * ftl/FTLOSRExitHandle.cpp:
3310         (JSC::FTL::OSRExitHandle::emitExitThunk):
3311         * ftl/FTLOperations.cpp:
3312         (JSC::FTL::compileFTLLazySlowPath):
3313         * ftl/FTLPatchpointExceptionHandle.cpp:
3314         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3315         * ftl/FTLSlowPathCall.cpp:
3316         (JSC::FTL::SlowPathCallContext::keyWithTarget const):
3317         (JSC::FTL::SlowPathCallContext::makeCall):
3318         * ftl/FTLSlowPathCall.h:
3319         (JSC::FTL::callOperation):
3320         * ftl/FTLSlowPathCallKey.cpp:
3321         (JSC::FTL::SlowPathCallKey::dump const):
3322         * ftl/FTLSlowPathCallKey.h:
3323         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
3324         (JSC::FTL::SlowPathCallKey::callTarget const):
3325         (JSC::FTL::SlowPathCallKey::withCallTarget):
3326         (JSC::FTL::SlowPathCallKey::hash const):
3327         (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
3328         * ftl/FTLState.cpp:
3329         (JSC::FTL::State::State):
3330         * ftl/FTLThunks.cpp:
3331         (JSC::FTL::genericGenerationThunkGenerator):
3332         (JSC::FTL::osrExitGenerationThunkGenerator):
3333         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3334         (JSC::FTL::slowPathCallThunkGenerator):
3335         * ftl/FTLThunks.h:
3336         (JSC::FTL::generateIfNecessary):
3337         (JSC::FTL::keyForThunk):
3338         (JSC::FTL::Thunks::getSlowPathCallThunk):
3339         (JSC::FTL::Thunks::keyForSlowPathCallThunk):
3340         * interpreter/InterpreterInlines.h:
3341         (JSC::Interpreter::getOpcodeID):
3342         * jit/AssemblyHelpers.cpp:
3343         (JSC::AssemblyHelpers::callExceptionFuzz):
3344         (JSC::AssemblyHelpers::emitDumbVirtualCall):
3345         (JSC::AssemblyHelpers::debugCall):
3346         * jit/CCallHelpers.cpp:
3347         (JSC::CCallHelpers::ensureShadowChickenPacket):
3348         * jit/ExecutableAllocator.cpp:
3349         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
3350         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
3351         * jit/ExecutableAllocator.h:
3352         (JSC::performJITMemcpy):
3353         * jit/GCAwareJITStubRoutine.cpp:
3354         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3355         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
3356         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
3357         (JSC::createJITStubRoutine):
3358         * jit/GCAwareJITStubRoutine.h:
3359         (JSC::createJITStubRoutine):
3360         * jit/JIT.cpp:
3361         (JSC::ctiPatchCallByReturnAddress):
3362         (JSC::JIT::compileWithoutLinking):
3363         (JSC::JIT::link):
3364         (JSC::JIT::privateCompileExceptionHandlers):
3365         * jit/JIT.h:
3366         (JSC::CallRecord::CallRecord):
3367         * jit/JITArithmetic.cpp:
3368         (JSC::JIT::emitMathICFast):
3369         (JSC::JIT::emitMathICSlow):
3370         * jit/JITCall.cpp:
3371         (JSC::JIT::compileOpCallSlowCase):
3372         * jit/JITCall32_64.cpp:
3373         (JSC::JIT::compileOpCallSlowCase):
3374         * jit/JITCode.cpp:
3375         (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
3376         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
3377         (JSC::DirectJITCode::DirectJITCode):
3378         (JSC::DirectJITCode::initializeCodeRef):
3379         (JSC::DirectJITCode::addressForCall):
3380         (JSC::NativeJITCode::NativeJITCode):
3381         (JSC::NativeJITCode::initializeCodeRef):
3382         (JSC::NativeJITCode::addressForCall):
3383         * jit/JITCode.h:
3384         * jit/JITCodeMap.h:
3385         (JSC::JITCodeMap::Entry::Entry):
3386         (JSC::JITCodeMap::Entry::codeLocation):
3387         (JSC::JITCodeMap::append):
3388         (JSC::JITCodeMap::find const):
3389         * jit/JITDisassembler.cpp:
3390         (JSC::JITDisassembler::dumpDisassembly):
3391         * jit/JITExceptions.cpp:
3392         (JSC::genericUnwind):
3393         * jit/JITInlineCacheGenerator.cpp:
3394         (JSC::JITByIdGenerator::finalize):