429bd8bed350b1efa159a9ec010000e0d60cbe11
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-09  Filip Pizlo  <fpizlo@apple.com>

        Speed up AbstractInterpreter::executeEdges
        https://bugs.webkit.org/show_bug.cgi?id=185457

        Reviewed by Saam Barati.

        This patch started out with the desire to make executeEdges() faster by making filtering faster.
        However, when I studied the disassembly, I found that there are many opportunities for
        improvement and I implemented all of them:

        - Filtering itself now has an inline fast path for when the filtering didn't change the value or
          for non-cells.

        - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
          since fast-forwarding is only interesting for cells and only if we have a clobbered value.

        - Similarly, edge verification doesn't need to fast-forward in the common case.

        - A bunch of stuff related to Graph::doToChildren is now inlined properly.

        - The edge doesn't even have to be considered for execution if it's UntypedUse.

        That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
        abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
        it means proving that the value could either be formatted as a double (with impure NaN values),
        or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
        states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
        make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
        to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
        SpecBytecodeNumber (if returning a JSValueRep).

        But that fix revealed an amazing timeout in
        stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
        stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
        ever realizing that we should jettison something. The problem was with how
        triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
        baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.

        This is a 1% improvement in V8Spider-CompileTime.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindMayJettison):
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
        (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
        (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::filterSlow):
        (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::fastForwardToAndFilter):
        (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
        (JSC::DFG::AbstractValue::makeTop):
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::fastForward):
        (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
        (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::fastForward):
        (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
        (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:

2018-05-09  Saam Barati  <sbarati@apple.com>

        Add JSVirtualMachine SPI to shrink the memory footprint of the VM
        https://bugs.webkit.org/show_bug.cgi?id=185441
        <rdar://problem/39999414>

        Reviewed by Keith Miller.

        This patch adds JSVirtualMachine SPI to release as much memory as possible.
        The SPI does the following:
        - Deletes all code caches.
        - Runs a synchronous GC.
        - Runs the scavenger.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine shrinkFootprint]):
        * API/JSVirtualMachinePrivate.h: Added.
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/VM.cpp:
        (JSC::VM::shrinkFootprint):
        * runtime/VM.h:

2018-05-09  Leo Balter  <leonardo.balter@gmail.com>

        [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
        Error found in the following Test262 tests:

        - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
        - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
        - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js

        The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
        presenting a length > 2**32-1
        https://bugs.webkit.org/show_bug.cgi?id=185476

        Reviewed by Yusuke Suzuki.

        * runtime/ArrayPrototype.cpp:

2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE] Build cleanly with GCC 8 and ICU 60
        https://bugs.webkit.org/show_bug.cgi?id=185462

        Reviewed by Carlos Alberto Lopez Perez.

        * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
        (jsc_class_add_constructor):
        (jsc_class_add_method):
        * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
        (jsc_value_object_define_property_accessor):
        (jsc_value_new_function):
        * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
        problem with GCC 7 too, but might as well fix it now.
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
        (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
        * builtins/BuiltinNames.cpp:
        (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
        * dfg/DFGDoubleFormatState.h:
        (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake: strncat is called
        with the wrong length parameter and the result is not null-terminated. Also, silence a
        -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
        (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.

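Added example, not code from WebKit or from the ConfigFile.cpp change above: the strncat mistake that entry describes (a length argument that ignores what is already in the buffer, so the call can overrun it or leave it unterminated), beside a bounded append that reserves the terminator and reports truncation. The buffer size and the path strings are constructed for the illustration.

```cpp
// Added example (not JavaScriptCore code): the strncat misuse pattern described
// above, beside a bounded append that always leaves the buffer NUL-terminated.
#include <cstddef>
#include <cstdio>
#include <cstring>

// Hypothetical fixed-size path buffer (stands in for a PATH_MAX-sized array).
constexpr size_t kBufSize = 16;

// The mistake: strncat's third argument bounds how many characters are
// APPENDED, not the total size of dst. Passing sizeof(dst) therefore lets
// strncat write strlen(dst) + min(strlen(src), n) + 1 bytes, which overruns
// dst as soon as the concatenation no longer fits. This helper only computes
// that byte count so the overrun can be shown without performing it.
size_t bytesStrncatWouldWrite(const char* dst, const char* src, size_t n) {
    size_t srcLen = strlen(src);
    size_t copied = srcLen < n ? srcLen : n;
    return strlen(dst) + copied + 1;   // the +1 is the terminator strncat adds
}

// The fix: pass the space that is actually left, minus one byte for the NUL,
// and tell the caller whether src was truncated so it can reject the path
// instead of silently using a different one.
bool appendBounded(char* dst, size_t dstSize, const char* src) {
    size_t used = 0;
    while (used < dstSize && dst[used] != '\0')
        ++used;
    if (used == dstSize)                // dst itself was unterminated: do not touch it
        return false;
    size_t room = dstSize - used - 1;   // characters we may add, NUL excluded
    strncat(dst, src, room);            // writes at most room chars plus the NUL
    return strlen(src) <= room;         // false means the result was truncated
}

int main() {
    char path[kBufSize] = "/usr/local";
    bool fit = appendBounded(path, sizeof(path), "/bin");
    printf("%s (fit: %d)\n", path, fit);
    fit = appendBounded(path, sizeof(path), "/jsc");
    printf("%s (fit: %d, length %zu of %zu)\n", path, fit, strlen(path), sizeof(path));
    printf("naive strncat(dst, src, sizeof dst) would write %zu bytes into %zu\n",
           bytesStrncatWouldWrite("/usr/local/bin", "/jsc", sizeof(path)), sizeof(path));
    return 0;
}
```

The truncating branch is the one -Wstringop-truncation complains about; the point is that truncation must be a decision the caller sees (here the false return), never a side effect of a miscounted length.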
2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ARMv7] Drop ARMv7 disassembler in favor of capstone
        https://bugs.webkit.org/show_bug.cgi?id=185423

        Reviewed by Michael Catanzaro.

        This patch removes ARMv7Disassembler in our tree.
        We already adopted Capstone, and it is already used in ARMv7 JIT environments.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
        * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
        * disassembler/ARMv7Disassembler.cpp: Removed.

2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>

        [MIPS] Optimize generated JIT code using r2
        https://bugs.webkit.org/show_bug.cgi?id=184584

        Reviewed by Yusuke Suzuki.

        EXT and MFHC1 instructions from MIPSR2 are implemented and used where possible.
        Also, some code size optimizations that were discovered in the meantime were done.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::ext):
        (JSC::MIPSAssembler::mfhc1):
        * assembler/MacroAssemblerMIPS.cpp:
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::isPowerOf2):
        (JSC::MacroAssemblerMIPS::bitPosition):
        (JSC::MacroAssemblerMIPS::loadAddress):
        (JSC::MacroAssemblerMIPS::getEffectiveAddress):
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load32):
        (JSC::MacroAssemblerMIPS::load16Unaligned):
        (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
        (JSC::MacroAssemblerMIPS::load16):
        (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::store8):
        (JSC::MacroAssemblerMIPS::store16):
        (JSC::MacroAssemblerMIPS::store32):
        (JSC::MacroAssemblerMIPS::branchTest32):
        (JSC::MacroAssemblerMIPS::loadFloat):
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeFloat):
        (JSC::MacroAssemblerMIPS::storeDouble):

2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][GTK][JSCONLY] Use capstone disassembler
        https://bugs.webkit.org/show_bug.cgi?id=185283

        Reviewed by Michael Catanzaro.

        Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler,
        and use it for MIPS, ARM, and ARMv7 in the GTK, WPE, WinCairo and JSCOnly ports.

        And we remove the ARM LLVM disassembler.

        Capstone is licensed under 3-clause BSD, which is acceptable in the WebKit tree.

        * CMakeLists.txt:
        * Sources.txt:
        * disassembler/ARMLLVMDisassembler.cpp: Removed.
        * disassembler/CapstoneDisassembler.cpp: Added.
        (JSC::tryToDisassemble):

2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Use mfhc1 and mthc1 to fix assembler error
        https://bugs.webkit.org/show_bug.cgi?id=185464

        Reviewed by Yusuke Suzuki.

        The binutils-assembler started to report failures for copying words between
        GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
        of mfc1 and mtc1 for conversion.

        * offlineasm/mips.rb:

2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Collect callee-saved register using inline assembly
        https://bugs.webkit.org/show_bug.cgi?id=185428

        Reviewed by Yusuke Suzuki.

        MIPS used setjmp instead of collecting registers with inline assembly like
        other architectures.

        * heap/RegisterState.h:

2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [BigInt] Simplifying JSBigInt by using bool addition
        https://bugs.webkit.org/show_bug.cgi?id=185374

        Reviewed by Alex Christensen.

        Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
        Just adding the overflow flag to the carry/borrow produces setb + add on x86.

        Also we annotate small helper functions and accessors with `inline` so that these functions
        are not called inside the internalMultiplyAdd loop.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::isZero):
        (JSC::JSBigInt::inplaceMultiplyAdd):
        (JSC::JSBigInt::digitAdd):
        (JSC::JSBigInt::digitSub):
        (JSC::JSBigInt::digitMul):
        (JSC::JSBigInt::digitPow):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::offsetOfData):
        (JSC::JSBigInt::dataStorage):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):

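Added example, not the JSBigInt code: what "adding the overflow flag to the carry/borrow" looks like when written with the GCC/Clang overflow builtins, which is the form the compiler lowers to add/adc (or setb + add) without a double-width TWO_DIGIT type, plus the multi-limb loops that consume the flag. The 64-bit limb type, the little-endian vector-of-limbs representation and the function names are assumptions for the illustration.

```cpp
// Added example (not JSBigInt's code): single-limb add/sub with a bool
// carry/borrow, using the compiler's overflow builtins instead of a
// double-width TWO_DIGIT type, plus the multi-limb loops that use them.
#include <cstdint>
#include <cstdio>
#include <vector>

using Digit = uint64_t;   // assumption: 64-bit limbs, least significant first

// sum = a + b + carry; carry is replaced by the carry-out. At most one of the
// two additions can overflow for a single-bit carry-in, so OR-ing is exact.
inline Digit digitAdd(Digit a, Digit b, bool& carry) {
    Digit sum;
    bool c1 = __builtin_add_overflow(a, b, &sum);
    bool c2 = __builtin_add_overflow(sum, static_cast<Digit>(carry), &sum);
    carry = c1 || c2;
    return sum;
}

// diff = a - b - borrow; borrow is replaced by the borrow-out.
inline Digit digitSub(Digit a, Digit b, bool& borrow) {
    Digit diff;
    bool b1 = __builtin_sub_overflow(a, b, &diff);
    bool b2 = __builtin_sub_overflow(diff, static_cast<Digit>(borrow), &diff);
    borrow = b1 || b2;
    return diff;
}

// x + y on magnitudes; grows by one limb if the final carry is set.
std::vector<Digit> addMagnitudes(const std::vector<Digit>& x, const std::vector<Digit>& y) {
    const std::vector<Digit>& longer = x.size() >= y.size() ? x : y;
    const std::vector<Digit>& shorter = x.size() >= y.size() ? y : x;
    std::vector<Digit> result(longer.size());
    bool carry = false;
    for (size_t i = 0; i < longer.size(); ++i) {
        Digit yi = i < shorter.size() ? shorter[i] : 0;
        result[i] = digitAdd(longer[i], yi, carry);
    }
    if (carry)
        result.push_back(1);
    return result;
}

// x - y on magnitudes. A borrow out of the top limb means y > x: the result
// would have wrapped, so it is discarded and false is returned rather than
// handing a bogus magnitude to the caller. Leading zero limbs are trimmed.
bool subMagnitudes(const std::vector<Digit>& x, const std::vector<Digit>& y, std::vector<Digit>& out) {
    size_t n = x.size() > y.size() ? x.size() : y.size();
    out.assign(n, 0);
    bool borrow = false;
    for (size_t i = 0; i < n; ++i) {
        Digit xi = i < x.size() ? x[i] : 0;
        Digit yi = i < y.size() ? y[i] : 0;
        out[i] = digitSub(xi, yi, borrow);
    }
    if (borrow) {
        out.clear();
        return false;
    }
    while (out.size() > 1 && out.back() == 0)
        out.pop_back();
    return true;
}

int main() {
    // (2^64 - 1) + 1 = 2^64, which needs a second limb.
    std::vector<Digit> sum = addMagnitudes({~Digit(0)}, {1});
    for (size_t i = sum.size(); i-- > 0;)
        printf("%016llx ", static_cast<unsigned long long>(sum[i]));
    printf("\n");
    std::vector<Digit> diff;
    bool ok = subMagnitudes({0, 1}, {1}, diff);   // 2^64 - 1
    printf("ok=%d %016llx\n", ok, static_cast<unsigned long long>(diff[0]));
    return 0;
}
```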
2018-05-08  Michael Saboff  <msaboff@apple.com>

        Replace multiple Watchpoint Set fireAll() methods with templates
        https://bugs.webkit.org/show_bug.cgi?id=185456

        Reviewed by Saam Barati.

        Refactored to minimize duplicate code.

        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::fireAll):
        (JSC::InlineWatchpointSet::fireAll):

2018-05-08  Filip Pizlo  <fpizlo@apple.com>

        DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
        https://bugs.webkit.org/show_bug.cgi?id=185453

        Reviewed by Michael Saboff.

        Tiny improvement for compile times.

        * dfg/DFGFlowMap.h:
        (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.

2018-05-08  Michael Saboff  <msaboff@apple.com>

        Deferred firing of structure transition watchpoints is racy
        https://bugs.webkit.org/show_bug.cgi?id=185438

        Reviewed by Saam Barati.

        Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
        and fire them in the destructor.  When the watchpoints are taken from the
        original WatchpointSet, that WatchpointSet is marked invalid.

        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::fireAllSlow):
        (JSC::WatchpointSet::take):
        (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
        (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
        (JSC::DeferredWatchpointFire::fireAll):
        (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::fireAll):
        (JSC::InlineWatchpointSet::fireAll):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::convertToDictionary):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
        (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
        (JSC::DeferredStructureTransitionWatchpointFire::dump const):
        (JSC::Structure::didTransitionFromThisStructure const):
        (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
        * runtime/Structure.h:
        (JSC::DeferredStructureTransitionWatchpointFire::structure const):

2018-05-08  Eric Carlson  <eric.carlson@apple.com>

        Consecutive messages logged as JSON are coalesced
        https://bugs.webkit.org/show_bug.cgi?id=185432

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.

2018-05-06  Filip Pizlo  <fpizlo@apple.com>

        InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
        https://bugs.webkit.org/show_bug.cgi?id=185365

        Reviewed by Saam Barati.

        This patch does three things to improve compile times:

        - Fixes some inlining goofs.

        - Adds the ability to measure compile times with run-jsc-benchmarks.

        - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
          code that clears abstract values. It turns out that only constant folding "needed" this, in the
          sense that this was the only thing protecting it from loading the abstract value of a no-result
          node and then concluding that because it had a non-empty m_value, it could be constant-folded.
          Any node that produces a result will explicitly set its abstract value, so this problem can
          also be guarded by just having constant folding check if the node it wants to fold returns any
          result.

        Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.

        Rolling back in after fixing cloop build.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::merge):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::doToChildrenWithNode):
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        * jit/JIT.cpp:
        (JSC::JIT::totalCompileTime):
        * jit/JIT.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionTotalCompileTime):

2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231468.

        Broke the CLoop build

        Reverted changeset:

        "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
        any abstract values"
        https://bugs.webkit.org/show_bug.cgi?id=185365
        https://trac.webkit.org/changeset/231468

2018-05-07  Daniel Bates  <dabates@apple.com>

        Check X-Frame-Options and CSP frame-ancestors in network process
        https://bugs.webkit.org/show_bug.cgi?id=185410
        <rdar://problem/37733934>

        Reviewed by Ryosuke Niwa.

        Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.

        * runtime/ConsoleTypes.h:

2018-05-07  Saam Barati  <sbarati@apple.com>

        Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
        https://bugs.webkit.org/show_bug.cgi?id=185329
        <rdar://problem/39961536>

        Reviewed by Michael Saboff.

        I was made aware of a memory goof inside of JSC where we would inefficiently
        use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.

        We did two things badly:
        1. We used a HashMap instead of a Vector to represent the environment. Having
        a HashMap is useful when looking things up when generating bytecode, but it's
        space inefficient. Because UnlinkedFunctionExecutables live a long time due to
        the code cache, we should have them store this information efficiently
        inside of a Vector.

        2. We didn't hash-cons these environments together. If you think about how
        some programs are structured, hash-consing these together is hugely profitable.
        Consider some code like this:
        ```
        const/let V_1 = ...;
        const/let V_2 = ...;
        ...
        const/let V_n = ...;

        function f_1() { ... };
        function f_2() { ... };
        ...
        function f_n() { ... };
        ```

        Each f_i would store an identical hash map for its parent TDZ variables
        consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
        each f_i just holds onto a reference to the environment.

        I benchmarked this change against an app that made heavy use of the
        above code pattern and it reduced its peak memory footprint from ~220MB
        to ~160MB.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/VariableEnvironment.cpp:
        (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
        (JSC::CompactVariableEnvironment::operator== const):
        (JSC::CompactVariableEnvironment::toVariableEnvironment const):
        (JSC::CompactVariableMap::get):
        (JSC::CompactVariableMap::Handle::~Handle):
        * parser/VariableEnvironment.h:
        (JSC::VariableEnvironmentEntry::bits const):
        (JSC::VariableEnvironmentEntry::operator== const):
        (JSC::VariableEnvironment::isEverythingCaptured const):
        (JSC::CompactVariableEnvironment::hash const):
        (JSC::CompactVariableMapKey::CompactVariableMapKey):
        (JSC::CompactVariableMapKey::hash):
        (JSC::CompactVariableMapKey::equal):
        (JSC::CompactVariableMapKey::makeDeletedValue):
        (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
        (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
        (JSC::CompactVariableMapKey::environment):
        (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
        (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
        (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
        (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
        (JSC::CompactVariableMap::Handle::Handle):
        (JSC::CompactVariableMap::Handle::environment const):
        (JSC::VariableEnvironment::VariableEnvironment): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

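Added example, not the CompactVariableMap from the patch above: hash-consing of environments in a small interning table. Each distinct environment is stored once, every holder gets a shared handle to it, and the entry is dropped when the last handle dies, which is the property that lets n nested functions share one environment instead of n copies. The variable names, the flag bits and the pointer-keyed table are constructed for the illustration; handles must not outlive the map that issued them.

```cpp
// Added example (not JSC's CompactVariableMap): hash-consing environments so
// that every function with the same parent scope shares one stored copy.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// A compact, immutable environment: sorted variable names plus per-variable
// flag bits (e.g. isCaptured, isConst), kept in the same order as the names.
struct CompactEnvironment {
    std::vector<std::string> names;
    std::vector<uint8_t> bits;

    bool operator==(const CompactEnvironment& other) const {
        return names == other.names && bits == other.bits;
    }
};

struct EnvironmentHash {
    size_t operator()(const CompactEnvironment& env) const {
        size_t h = env.names.size();
        for (size_t i = 0; i < env.names.size(); ++i) {
            h ^= std::hash<std::string>{}(env.names[i]) + 0x9e3779b97f4a7c15ULL + (h << 6) + (h >> 2);
            h ^= env.bits[i] + (h << 6) + (h >> 2);
        }
        return h;
    }
};

// The table is keyed by pointer so the stored environment is the key; hashing
// and equality look through the pointer at the contents.
struct PtrHash {
    size_t operator()(const CompactEnvironment* e) const { return EnvironmentHash{}(*e); }
};
struct PtrEqual {
    bool operator()(const CompactEnvironment* a, const CompactEnvironment* b) const { return *a == *b; }
};

class CompactEnvironmentMap {
public:
    using Handle = std::shared_ptr<const CompactEnvironment>;

    // Intern an environment: returns the existing handle if an equal one is
    // stored, otherwise stores it. Entry order does not matter.
    Handle get(std::vector<std::pair<std::string, uint8_t>> entries) {
        std::sort(entries.begin(), entries.end());
        CompactEnvironment key;
        for (auto& e : entries) {
            key.names.push_back(e.first);
            key.bits.push_back(e.second);
        }
        auto it = m_table.find(&key);
        if (it != m_table.end())
            return it->second.lock();   // shared with every earlier caller
        auto* stored = new CompactEnvironment(std::move(key));
        // The deleter runs when the last handle goes away and removes the
        // entry, so the table never holds an environment nobody references.
        // Assumption: the map outlives all handles (it is owned by the VM).
        Handle handle(stored, [this](const CompactEnvironment* p) {
            m_table.erase(p);
            delete p;
        });
        m_table.emplace(stored, handle);
        return handle;
    }

    size_t size() const { return m_table.size(); }

private:
    std::unordered_map<const CompactEnvironment*, std::weak_ptr<const CompactEnvironment>, PtrHash, PtrEqual> m_table;
};

int main() {
    CompactEnvironmentMap map;
    std::vector<CompactEnvironmentMap::Handle> functions;
    // n functions declared in the same scope: n handles, one stored environment.
    for (int i = 0; i < 1000; ++i)
        functions.push_back(map.get({{"V_1", 1}, {"V_2", 1}, {"V_3", 0}}));
    printf("%zu handles, %zu distinct environment(s) stored\n", functions.size(), map.size());
    functions.clear();
    printf("after release: %zu stored\n", map.size());
    return 0;
}
```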
2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
        https://bugs.webkit.org/show_bug.cgi?id=185371

        Reviewed by Mark Lam.

        Since MIPS GPRInfo claims it has only 7 registers, some of the DFG code exhausts registers.
        As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
        but actually MIPS has many more registers.

        This patch adds $a0 - $a3 to the temporary registers. This is OK since our temporary registers can overlap with
        argument registers (see the ARM and X86 implementations). These registers are caller-save ones, so we do not need
        an extra mechanism.

        Then, we remove several unnecessary pieces of MIPS code in our JIT infrastructure.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * offlineasm/mips.rb:

2018-05-05  Filip Pizlo  <fpizlo@apple.com>

        DFG AI should have O(1) clobbering
        https://bugs.webkit.org/show_bug.cgi?id=185287

        Reviewed by Saam Barati.

        This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
        would traverse all of the state available to the AI at that time and clobber it.

        This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.

        This is a ~1% speed-up for compile times.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::forNode):
        (JSC::DFG::AbstractInterpreter::setForNode):
        (JSC::DFG::AbstractInterpreter::clearForNode):
        (JSC::DFG::AbstractInterpreter::variables): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fastForwardToSlow):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::fastForwardTo):
        (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
        (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
        (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
        * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
        (JSC::DFG::AbstractValueClobberEpoch::dump const):
        * dfg/DFGAbstractValueClobberEpoch.h: Added.
        (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
        (JSC::DFG::AbstractValueClobberEpoch::first):
        (JSC::DFG::AbstractValueClobberEpoch::clobber):
        (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
        (JSC::DFG::AbstractValueClobberEpoch::operator== const):
        (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
        (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
        (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::setForNode):
        (JSC::DFG::AtTailAbstractState::clearForNode):
        (JSC::DFG::AtTailAbstractState::numberOfArguments const):
        (JSC::DFG::AtTailAbstractState::numberOfLocals const):
        (JSC::DFG::AtTailAbstractState::operand):
        (JSC::DFG::AtTailAbstractState::local):
        (JSC::DFG::AtTailAbstractState::argument):
        (JSC::DFG::AtTailAbstractState::clobberStructures):
        (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
        (JSC::DFG::AtTailAbstractState::variables): Deleted.
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFlowMap.h:
        (JSC::DFG::FlowMap::at):
        (JSC::DFG::FlowMap::atShadow):
        (JSC::DFG::FlowMap::at const):
        (JSC::DFG::FlowMap::atShadow const):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::forNode):
        (JSC::DFG::InPlaceAbstractState::setForNode):
        (JSC::DFG::InPlaceAbstractState::clearForNode):
        (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
        (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
        (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
        (JSC::DFG::InPlaceAbstractState::operand):
        (JSC::DFG::InPlaceAbstractState::local):
        (JSC::DFG::InPlaceAbstractState::argument):
        (JSC::DFG::InPlaceAbstractState::variableAt):
        (JSC::DFG::InPlaceAbstractState::clobberStructures):
        (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
        (JSC::DFG::InPlaceAbstractState::fastForward):
        (JSC::DFG::InPlaceAbstractState::variables): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):

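Added example, a simplified model rather than JSC's AbstractValueClobberEpoch: O(1) clobbering through an epoch counter, where clobberWorld() only bumps the epoch and each value catches up lazily the next time it is read. The invalidation-point half of the real epoch is left out, and the node indices, structure ids and the fast-forward counter are constructed for the illustration.

```cpp
// Added example (a simplified model, not JSC's AbstractValueClobberEpoch):
// epoch-based clobbering. clobberWorld() is O(1); values notice the clobber
// lazily when they are next read through the state.
#include <cstdint>
#include <cstdio>
#include <set>
#include <vector>

struct AbstractValue {
    std::set<int> structures;          // structure ids proven for this value
    bool structuresClobbered = false;  // true: an effect may have changed them
    uint32_t epoch = 0;                // state epoch this value last observed

    // Catch the value up with the state's epoch. Work happens only on the first
    // read after a clobber; the clobbered bit is set only for values that
    // actually carry a structure proof, since an empty set has nothing to lose.
    void fastForwardTo(uint32_t currentEpoch, size_t& fastForwards) {
        if (epoch == currentEpoch)
            return;
        ++fastForwards;
        if (!structures.empty())
            structuresClobbered = true;
        epoch = currentEpoch;
    }
};

class AbstractState {
public:
    explicit AbstractState(size_t nodeCount) : m_values(nodeCount) {}

    // Before: walk every tracked value and clobber it, O(number of values).
    // After: bump the epoch; each value reconciles itself when it is next read.
    void clobberWorld() { ++m_epoch; }

    // Writing a value stamps it with the current epoch: it is a fresh proof
    // that postdates any earlier clobber, so no fast-forward is needed.
    void setForNode(size_t index, AbstractValue value) {
        value.epoch = m_epoch;
        m_values[index] = value;
    }

    // Reading fast-forwards the stored value before handing it out, so callers
    // never see a structure set that a clobber has silently invalidated.
    AbstractValue& forNode(size_t index) {
        m_values[index].fastForwardTo(m_epoch, m_fastForwards);
        return m_values[index];
    }

    uint32_t epoch() const { return m_epoch; }
    size_t fastForwards() const { return m_fastForwards; }

private:
    uint32_t m_epoch = 0;
    size_t m_fastForwards = 0;         // how many lazy updates actually ran
    std::vector<AbstractValue> m_values;
};

int main() {
    AbstractState state(1000);
    AbstractValue v;
    v.structures = {7, 9};
    for (size_t i = 0; i < 1000; ++i)
        state.setForNode(i, v);
    state.clobberWorld();              // touches none of the 1000 values
    printf("after clobberWorld: fast-forwards run = %zu\n", state.fastForwards());
    bool clobbered = state.forNode(42).structuresClobbered;
    printf("node 42 clobbered = %d, fast-forwards run = %zu\n", clobbered, state.fastForwards());
    return 0;
}
```

The cost moves from the clobber to the reads, and only to reads that happen: values the interpreter never looks at again after the clobber are never touched, which is where the compile-time win comes from.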
2018-05-06  Filip Pizlo  <fpizlo@apple.com>

        InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
        https://bugs.webkit.org/show_bug.cgi?id=185365

        Reviewed by Saam Barati.

        This patch does three things to improve compile times:

        - Fixes some inlining goofs.

        - Adds the ability to measure compile times with run-jsc-benchmarks.

        - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
          code that clears abstract values. It turns out that only constant folding "needed" this, in the
          sense that this was the only thing protecting it from loading the abstract value of a no-result
          node and then concluding that because it had a non-empty m_value, it could be constant-folded.
          Any node that produces a result will explicitly set its abstract value, so this problem can
          also be guarded by just having constant folding check if the node it wants to fold returns any
          result.

        Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::merge):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::doToChildrenWithNode):
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        * jit/JIT.cpp:
        (JSC::JIT::totalCompileTime):
        * jit/JIT.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionTotalCompileTime):

659 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
660
661         DFG AI doesn't need to merge valuesAtTail - it can just assign them
662         https://bugs.webkit.org/show_bug.cgi?id=185355
663
664         Reviewed by Mark Lam.
665         
666         This is a further attempt to improve compile times. Assigning AbstractValue ought to always
667         be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
668         merging will get the same answer because the value computed this time will be either the same
669         as or more general than the value computed last time. If the value does change for some
670         reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
671         changes, then we have no reason to believe that this new value is less right than the last
672         one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
673         if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.
674
675         * dfg/DFGInPlaceAbstractState.cpp:
676         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
677
678 2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>
679
680         Remove defunct email address
681         https://bugs.webkit.org/show_bug.cgi?id=185396
682
683         Reviewed by Mark Lam.
684
685         The email address thetalecrafter@gmail.com is no longer valid, as the
686         associated google account has been closed. This updates the email
687         address so questions about these Intl contributions go to the right
688         place.
689
690         * builtins/DatePrototype.js:
691         * builtins/NumberPrototype.js:
692         * builtins/StringPrototype.js:
693         * runtime/IntlCollator.cpp:
694         * runtime/IntlCollator.h:
695         * runtime/IntlCollatorConstructor.cpp:
696         * runtime/IntlCollatorConstructor.h:
697         * runtime/IntlCollatorPrototype.cpp:
698         * runtime/IntlCollatorPrototype.h:
699         * runtime/IntlDateTimeFormat.cpp:
700         * runtime/IntlDateTimeFormat.h:
701         * runtime/IntlDateTimeFormatConstructor.cpp:
702         * runtime/IntlDateTimeFormatConstructor.h:
703         * runtime/IntlDateTimeFormatPrototype.cpp:
704         * runtime/IntlDateTimeFormatPrototype.h:
705         * runtime/IntlNumberFormat.cpp:
706         * runtime/IntlNumberFormat.h:
707         * runtime/IntlNumberFormatConstructor.cpp:
708         * runtime/IntlNumberFormatConstructor.h:
709         * runtime/IntlNumberFormatPrototype.cpp:
710         * runtime/IntlNumberFormatPrototype.h:
711         * runtime/IntlObject.cpp:
712         * runtime/IntlObject.h:
713         * runtime/IntlPluralRules.cpp:
714         * runtime/IntlPluralRules.h:
715         * runtime/IntlPluralRulesConstructor.cpp:
716         * runtime/IntlPluralRulesConstructor.h:
717         * runtime/IntlPluralRulesPrototype.cpp:
718         * runtime/IntlPluralRulesPrototype.h:
719
720 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
721
722         [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
723         https://bugs.webkit.org/show_bug.cgi?id=185362
724
725         Reviewed by Sam Weinig.
726
727         "namespace std" may include many names. It can conflict with names defined by our code
728         and by other platform-provided headers. For example, std::byte conflicts with Windows'
729         ::byte.
730         This patch removes "using namespace std;" from JSC and bmalloc.
731
732         * API/JSClassRef.cpp:
733         (OpaqueJSClass::create):
734         * bytecode/Opcode.cpp:
735         * bytecompiler/BytecodeGenerator.cpp:
736         (JSC::BytecodeGenerator::newRegister):
737         * heap/Heap.cpp:
738         (JSC::Heap::updateAllocationLimits):
739         * interpreter/Interpreter.cpp:
740         * jit/JIT.cpp:
741         * parser/Parser.cpp:
742         * runtime/JSArray.cpp:
743         * runtime/JSLexicalEnvironment.cpp:
744         * runtime/JSModuleEnvironment.cpp:
745         * runtime/Structure.cpp:
746         * shell/DLLLauncherMain.cpp:
747         (getStringValue):
748         (applePathFromRegistry):
749         (appleApplicationSupportDirectory):
750         (copyEnvironmentVariable):
751         (prependPath):
752         (fatalError):
753         (directoryExists):
754         (modifyPath):
755         (getLastErrorString):
756         (wWinMain):
757
758 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
759
760         DFG CFA phase should only do clobber asserts in debug
761         https://bugs.webkit.org/show_bug.cgi?id=185354
762
763         Reviewed by Saam Barati.
764         
765         Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
766         unless asserts are enabled.
767
768         * dfg/DFGCFAPhase.cpp:
769         (JSC::DFG::CFAPhase::performBlockCFA):
770
771 2018-05-04  Keith Miller  <keith_miller@apple.com>
772
773         isCacheableArrayLength should return true for undecided arrays
774         https://bugs.webkit.org/show_bug.cgi?id=185309
775
776         Reviewed by Michael Saboff.
777
778         Undecided arrays have butterflies so there is no reason why we
779         should not be able to cache their length.
780
781         * bytecode/InlineAccess.cpp:
782         (JSC::InlineAccess::isCacheableArrayLength):
783
784 2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
785
786         Remove std::random_shuffle
787         https://bugs.webkit.org/show_bug.cgi?id=185292
788
789         Reviewed by Darin Adler.
790
791         std::random_shuffle is deprecated in C++14 and removed in C++17,
792         since std::random_shuffle relies on rand and srand.
793         Use std::shuffle instead.
794
795         * jit/BinarySwitch.cpp:
796         (JSC::RandomNumberGenerator::RandomNumberGenerator):
797         (JSC::RandomNumberGenerator::operator()):
798         (JSC::RandomNumberGenerator::min):
799         (JSC::RandomNumberGenerator::max):
800         (JSC::BinarySwitch::build):
801
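As an added illustration (not JSC's code), this is the shape of the adapter the entry describes: a class exposing result_type, min(), max() and operator() so that std::shuffle draws from the engine's own random source rather than the global rand()/srand() state that std::random_shuffle depended on. The ToyRandom xorshift core is a constructed stand-in for WeakRandom, and every name here is hypothetical.

```cpp
// Added example, not WebKit code: adapting a custom random source to the
// UniformRandomBitGenerator requirements that std::shuffle expects.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-in for the engine's own random source. Deterministic
// for a given seed and not cryptographic, which is all a switch-case
// shuffle needs.
class ToyRandom {
public:
    explicit ToyRandom(uint64_t seed)
        : m_state(seed ? seed : 0x9E3779B97F4A7C15ull) // xorshift state must be nonzero
    {
    }

    uint64_t next()
    {
        // xorshift64* step.
        m_state ^= m_state >> 12;
        m_state ^= m_state << 25;
        m_state ^= m_state >> 27;
        return m_state * 0x2545F4914F6CDD1Dull;
    }

private:
    uint64_t m_state;
};

// The adapter: std::shuffle only needs result_type, min(), max() and
// operator(). Unlike std::random_shuffle, nothing here touches rand() or
// srand(), so the permutation is fully determined by the generator passed in.
class RandomNumberGenerator {
public:
    using result_type = uint64_t;

    explicit RandomNumberGenerator(ToyRandom& random)
        : m_random(random)
    {
    }

    result_type operator()() { return m_random.next(); }
    static constexpr result_type min() { return 0; }
    static constexpr result_type max() { return UINT64_MAX; }

private:
    ToyRandom& m_random;
};

// Shuffle a copy of `cases` with a generator seeded by `seed` and return it.
std::vector<int> shuffleCases(const std::vector<int>& cases, uint64_t seed)
{
    std::vector<int> shuffled = cases;
    ToyRandom random(seed);
    RandomNumberGenerator generator(random);
    std::shuffle(shuffled.begin(), shuffled.end(), generator);
    return shuffled;
}

// True when `shuffled` contains exactly the elements of `original`.
bool isPermutation(const std::vector<int>& original, const std::vector<int>& shuffled)
{
    return std::is_permutation(original.begin(), original.end(), shuffled.begin(), shuffled.end());
}

int main()
{
    std::vector<int> cases = { 1, 2, 3, 4, 5, 6, 7, 8 };
    std::vector<int> shuffled = shuffleCases(cases, 42);
    for (int value : shuffled)
        std::printf("%d ", value);
    std::printf("\npermutation: %s\n", isPermutation(cases, shuffled) ? "yes" : "no");
    return 0;
}
```
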
802 2018-05-03  Saam Barati  <sbarati@apple.com>
803
804         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
805         https://bugs.webkit.org/show_bug.cgi?id=185177
806
807         Reviewed by Filip Pizlo.
808
809         This patch teaches the DFG/FTL how to constant fold CreateThis with
810         a known poly proto Structure to NewObject. We do it by emitting a NewObject
811         followed by a PutByOffset for the prototype value.
812         
813         We make it so that ObjectAllocationProfile holds the prototype value.
814         This is sound because JSFunction clears that profile when its 'prototype'
815         field changes.
816         
817         This patch also renames underscoreProtoPrivateName to polyProtoName since
818         that name was nonsensical: it was only used for poly proto.
819         
820         This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
821         regressed that benchmark when I first introduced poly proto.
822
823         * builtins/BuiltinNames.cpp:
824         * builtins/BuiltinNames.h:
825         (JSC::BuiltinNames::BuiltinNames):
826         (JSC::BuiltinNames::polyProtoName const):
827         (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
828         * bytecode/ObjectAllocationProfile.h:
829         (JSC::ObjectAllocationProfile::prototype):
830         (JSC::ObjectAllocationProfile::clear):
831         (JSC::ObjectAllocationProfile::visitAggregate):
832         * bytecode/ObjectAllocationProfileInlines.h:
833         (JSC::ObjectAllocationProfile::initializeProfile):
834         * dfg/DFGAbstractInterpreterInlines.h:
835         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
836         * dfg/DFGByteCodeParser.cpp:
837         (JSC::DFG::ByteCodeParser::parseBlock):
838         * dfg/DFGConstantFoldingPhase.cpp:
839         (JSC::DFG::ConstantFoldingPhase::foldConstants):
840         * dfg/DFGOperations.cpp:
841         * runtime/CommonSlowPaths.cpp:
842         (JSC::SLOW_PATH_DECL):
843         * runtime/FunctionRareData.h:
844         * runtime/Structure.cpp:
845         (JSC::Structure::create):
846
847 2018-05-03  Michael Saboff  <msaboff@apple.com>
848
849         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
850         https://bugs.webkit.org/show_bug.cgi?id=185281
851
852         Reviewed by Saam Barati.
853
854         When we compute bytecode block reachability, we need to take into account blocks
855         containing try/catch.
856
857         * jit/JIT.cpp:
858         (JSC::JIT::privateCompileMainPass):
859
860 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
861
862         ARM: Wrong offset for operand rt in disassembler
863         https://bugs.webkit.org/show_bug.cgi?id=184083
864
865         Reviewed by Yusuke Suzuki.
866
867         * disassembler/ARMv7/ARMv7DOpcode.h:
868         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
869         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
870
871 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
872
873         ARM: Support vstr in disassembler
874         https://bugs.webkit.org/show_bug.cgi?id=184084
875
876         Reviewed by Yusuke Suzuki.
877
878         * disassembler/ARMv7/ARMv7DOpcode.cpp:
879         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
880         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
881         * disassembler/ARMv7/ARMv7DOpcode.h:
882         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
883         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
884         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
885         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
886         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
887         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
888         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
889
890 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
891
892         Invoke ensureArrayStorage for all arguments
893         https://bugs.webkit.org/show_bug.cgi?id=185247
894
895         Reviewed by Yusuke Suzuki.
896
897         ensureArrayStorage was only invoked for the first argument in each loop iteration.
898
899         * jsc.cpp:
900         (functionEnsureArrayStorage):
901
902 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
903
904         Make it easy to log compile times for all optimizing tiers
905         https://bugs.webkit.org/show_bug.cgi?id=185270
906
907         Reviewed by Keith Miller.
908         
909         This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
910         helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
911         it.
912         
913         This should help us reduce compile times by telling us where to look. So, far, it looks like
914         CFA is the worst.
915
916         * JavaScriptCore.xcodeproj/project.pbxproj:
917         * Sources.txt:
918         * b3/B3Common.cpp:
919         (JSC::B3::shouldMeasurePhaseTiming): Deleted.
920         * b3/B3Common.h:
921         * b3/B3TimingScope.cpp: Removed.
922         * b3/B3TimingScope.h:
923         (JSC::B3::TimingScope::TimingScope):
924         * dfg/DFGPhase.h:
925         (JSC::DFG::runAndLog):
926         * dfg/DFGPlan.cpp:
927         (JSC::DFG::Plan::compileInThread):
928         * tools/CompilerTimingScope.cpp: Added.
929         (JSC::CompilerTimingScope::CompilerTimingScope):
930         (JSC::CompilerTimingScope::~CompilerTimingScope):
931         * tools/CompilerTimingScope.h: Added.
932         * runtime/Options.cpp:
933         (JSC::recomputeDependentOptions):
934         * runtime/Options.h:
935
936 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
937
938         Strings should not be allocated in a gigacage
939         https://bugs.webkit.org/show_bug.cgi?id=185218
940
941         Reviewed by Saam Barati.
942
943         * runtime/JSBigInt.cpp:
944         (JSC::JSBigInt::toStringGeneric):
945         * runtime/JSString.cpp:
946         (JSC::JSRopeString::resolveRopeToAtomicString const):
947         (JSC::JSRopeString::resolveRope const):
948         * runtime/JSString.h:
949         (JSC::JSString::create):
950         (JSC::JSString::createHasOtherOwner):
951         * runtime/VM.h:
952         (JSC::VM::gigacageAuxiliarySpace):
953
954 2018-05-03  Keith Miller  <keith_miller@apple.com>
955
956         Unreviewed, fix 32-bit profile offset for change in bytecode
957         length of the get_by_id and get_array_length opcodes.
958
959         * llint/LowLevelInterpreter32_64.asm:
960
961 2018-05-03  Michael Saboff  <msaboff@apple.com>
962
963         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
964         https://bugs.webkit.org/show_bug.cgi?id=185231
965
966         Reviewed by Saam Barati.
967
968         We weren't clearing the scratch register cache when switching back and forth between
969         allowing scratch register usage.  We disallow scratch register usage when we are in
970         code that will freely allocate and use any register.  Such usage can change the
971         contents of scratch registers.  For ARM64, where we cache the contents of scratch
972         registers to reuse some or all of the contained values, we need to invalidate these
973         caches.  We do this when re-enabling scratch register usage, that is when we transition
974         from disallow to allow scratch register usage.
975
976         Added a new Air regression test.
977
978         * assembler/AllowMacroScratchRegisterUsage.h:
979         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
980         * assembler/AllowMacroScratchRegisterUsageIf.h:
981         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
982         * assembler/DisallowMacroScratchRegisterUsage.h:
983         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
984         * b3/air/testair.cpp:
985
986 2018-05-03  Keith Miller  <keith_miller@apple.com>
987
988         Remove the prototype caching for get_by_id in the LLInt
989         https://bugs.webkit.org/show_bug.cgi?id=185226
990
991         Reviewed by Michael Saboff.
992
993         There is no evidence that this is actually a speedup and we keep
994         getting bugs with it. At this point it seems like we should just
995         remove this code.
996
997         * CMakeLists.txt:
998         * JavaScriptCore.xcodeproj/project.pbxproj:
999         * Sources.txt:
1000         * bytecode/BytecodeDumper.cpp:
1001         (JSC::BytecodeDumper<Block>::printGetByIdOp):
1002         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
1003         (JSC::BytecodeDumper<Block>::dumpBytecode):
1004         * bytecode/BytecodeList.json:
1005         * bytecode/BytecodeUseDef.h:
1006         (JSC::computeUsesForBytecodeOffset):
1007         (JSC::computeDefsForBytecodeOffset):
1008         * bytecode/CodeBlock.cpp:
1009         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1010         * bytecode/CodeBlock.h:
1011         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
1012         * bytecode/GetByIdStatus.cpp:
1013         (JSC::GetByIdStatus::computeFromLLInt):
1014         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
1015         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
1016         * bytecompiler/BytecodeGenerator.cpp:
1017         (JSC::BytecodeGenerator::emitGetById):
1018         * dfg/DFGByteCodeParser.cpp:
1019         (JSC::DFG::ByteCodeParser::parseBlock):
1020         * dfg/DFGCapabilities.cpp:
1021         (JSC::DFG::capabilityLevel):
1022         * jit/JIT.cpp:
1023         (JSC::JIT::privateCompileMainPass):
1024         (JSC::JIT::privateCompileSlowCases):
1025         * llint/LLIntSlowPaths.cpp:
1026         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1027         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
1028         * llint/LowLevelInterpreter32_64.asm:
1029         * llint/LowLevelInterpreter64.asm:
1030         * runtime/Options.h:
1031
1032 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
1033
1034         Unreviewed, rolling out r231197.
1035
1036         The test added with this change crashes on the 32-bit JSC bot.
1037
1038         Reverted changeset:
1039
1040         "Correctly detect string overflow when using the 'Function'
1041         constructor"
1042         https://bugs.webkit.org/show_bug.cgi?id=184883
1043         https://trac.webkit.org/changeset/231197
1044
1045 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1046
1047         Disable usage of fused multiply-add instructions for JSC with compiler flag
1048         https://bugs.webkit.org/show_bug.cgi?id=184909
1049
1050         Reviewed by Yusuke Suzuki.
1051
1052         Adds -ffp-contract as a compiler flag for building JSC. This ensures that functions
1053         like parseInt() do not return slightly different results depending on whether the
1054         compiler was able to use fused multiply-add instructions or not.
1055
1056         * CMakeLists.txt:
1057
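The effect the entry is guarding against, as an added example that is not part of the WebKit change: the same a*b+c evaluated with one rounding (a fused multiply-add) versus two roundings. The operands are constructed so that the low bits of the product survive only in the fused form; the function names are hypothetical.

```cpp
// Added example, not WebKit code: why contraction of a*b+c into an FMA
// instruction changes results, and hence why JSC pins -ffp-contract.
#include <cmath>
#include <cstdio>

// Operands chosen so that a*b = 1 + 2^-29 + 2^-60 exactly. A double near 1
// has an ulp of 2^-52, so the 2^-60 term is lost if the product is rounded
// before the add, but it survives when the whole expression is rounded once.
static double operandA() { return 1.0 + std::ldexp(1.0, -30); }
static double operandB() { return 1.0 + std::ldexp(1.0, -30); }
static double operandC() { return -1.0; }

// Two roundings: the product goes through a volatile so the compiler cannot
// contract the multiply and the add into a single FMA instruction.
double separatelyRounded()
{
    volatile double product = operandA() * operandB();
    return product + operandC(); // exactly 2^-29
}

// One rounding: std::fma computes a*b+c exactly and rounds once. This is what
// a contracted a*b+c produces on hardware with FMA support.
double fusedRounded()
{
    return std::fma(operandA(), operandB(), operandC()); // 2^-29 + 2^-60
}

int main()
{
    std::printf("two roundings: %.17g\n", separatelyRounded());
    std::printf("fused:         %.17g\n", fusedRounded());
    std::printf("results differ: %s\n", separatelyRounded() != fusedRounded() ? "yes" : "no");
    return 0;
}
```
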
1058 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1059
1060         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
1061         https://bugs.webkit.org/show_bug.cgi?id=185192
1062
1063         compareDouble relies on MacroAssembler::invert function.
1064
1065         * assembler/MacroAssembler.h:
1066         (JSC::MacroAssembler::compareDouble):
1067         * assembler/MacroAssemblerARM.h:
1068         (JSC::MacroAssemblerARM::compareDouble): Deleted.
1069         * assembler/MacroAssemblerARMv7.h:
1070         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
1071         * assembler/MacroAssemblerMIPS.h:
1072         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
1073
1074 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1075
1076         [JSC] Add MacroAssembler::and16 and store16
1077         https://bugs.webkit.org/show_bug.cgi?id=185188
1078
1079         Reviewed by Mark Lam.
1080
1081         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
1082         This patch adds these methods for ARM.
1083
1084         * assembler/MacroAssemblerARM.h:
1085         (JSC::MacroAssemblerARM::and16):
1086         (JSC::MacroAssemblerARM::store16):
1087
1088 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1089
1090         [DFG] Unify compare related code in 32bit and 64bit
1091         https://bugs.webkit.org/show_bug.cgi?id=185189
1092
1093         Reviewed by Mark Lam.
1094
1095         This patch unifies some parts of the compare-related code in 32bit and 64bit
1096         to reduce the size of 32bit-specific DFG code.
1097
1098         * dfg/DFGSpeculativeJIT.cpp:
1099         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
1100         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
1101         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1102         * dfg/DFGSpeculativeJIT32_64.cpp:
1103         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
1104         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
1105         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
1106         * dfg/DFGSpeculativeJIT64.cpp:
1107         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
1108         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
1109         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
1110
1111 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1112
1113         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
1114         https://bugs.webkit.org/show_bug.cgi?id=185192
1115
1116         Reviewed by Mark Lam.
1117
1118         Now Object.is starts using compareDouble. So we would like to have an
1119         efficient implementation of compareDouble and compareFloat for the
1120         major architectures, ARM64, X86, and X86_64.
1121
1122         This patch adds compareDouble and compareFloat implementations for
1123         these architectures. The generic implementation is moved to each
1124         architecture's MacroAssembler implementation.
1125
1126         We also add tests for them in testmasm. To implement this test
1127         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
1128         major architectures.
1129
1130         * assembler/MacroAssembler.h:
1131         (JSC::MacroAssembler::compareDouble): Deleted.
1132         (JSC::MacroAssembler::compareFloat): Deleted.
1133         * assembler/MacroAssemblerARM.h:
1134         (JSC::MacroAssemblerARM::compareDouble):
1135         * assembler/MacroAssemblerARM64.h:
1136         (JSC::MacroAssemblerARM64::compareDouble):
1137         (JSC::MacroAssemblerARM64::compareFloat):
1138         (JSC::MacroAssemblerARM64::loadFloat):
1139         (JSC::MacroAssemblerARM64::floatingPointCompare):
1140         * assembler/MacroAssemblerARMv7.h:
1141         (JSC::MacroAssemblerARMv7::compareDouble):
1142         * assembler/MacroAssemblerMIPS.h:
1143         (JSC::MacroAssemblerMIPS::compareDouble):
1144         * assembler/MacroAssemblerX86Common.h:
1145         (JSC::MacroAssemblerX86Common::loadFloat):
1146         (JSC::MacroAssemblerX86Common::compareDouble):
1147         (JSC::MacroAssemblerX86Common::compareFloat):
1148         (JSC::MacroAssemblerX86Common::floatingPointCompare):
1149         * assembler/X86Assembler.h:
1150         (JSC::X86Assembler::movss_mr):
1151         (JSC::X86Assembler::movss_rm):
1152         * assembler/testmasm.cpp:
1153         (JSC::floatOperands):
1154         (JSC::testCompareFloat):
1155         (JSC::run):
1156
1157 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1158
1159         Unreviewed, fix 32bit DFG code
1160         https://bugs.webkit.org/show_bug.cgi?id=185065
1161
1162         * dfg/DFGSpeculativeJIT.cpp:
1163         (JSC::DFG::SpeculativeJIT::compileSameValue):
1164
1165 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
1166
1167         JSC should know how to cache custom getter accesses on the prototype chain
1168         https://bugs.webkit.org/show_bug.cgi?id=185213
1169
1170         Reviewed by Keith Miller.
1171
1172         This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
1173
1174         * jit/Repatch.cpp:
1175         (JSC::tryCacheGetByID):
1176
1177 2018-05-01  Filip Pizlo  <fpizlo@apple.com>
1178
1179         JSC should be able to cache custom setter calls on the prototype chain
1180         https://bugs.webkit.org/show_bug.cgi?id=185174
1181
1182         Reviewed by Saam Barati.
1183
1184         We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
1185         condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
1186         impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
1187         of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
1188         custom accessors because it won't find the custom property in the structure.
1189
1190         The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
1191
1192         This is a 4x speed-up on assign-custom-setter.js.
1193
1194         * bytecode/AccessCase.cpp:
1195         (JSC::AccessCase::hasAlternateBase const):
1196         (JSC::AccessCase::alternateBase const):
1197         (JSC::AccessCase::generateImpl):
1198         * bytecode/AccessCase.h:
1199         (JSC::AccessCase::alternateBase const): Deleted.
1200         * bytecode/GetterSetterAccessCase.cpp:
1201         (JSC::GetterSetterAccessCase::hasAlternateBase const):
1202         (JSC::GetterSetterAccessCase::alternateBase const):
1203         * bytecode/GetterSetterAccessCase.h:
1204         * bytecode/ObjectPropertyConditionSet.cpp:
1205         (JSC::generateConditionsForPrototypePropertyHitCustom):
1206         * bytecode/ObjectPropertyConditionSet.h:
1207         * jit/Repatch.cpp:
1208         (JSC::tryCacheGetByID):
1209         (JSC::tryCachePutByID):
1210
1211 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
1212
1213         [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
1214         https://bugs.webkit.org/show_bug.cgi?id=185195
1215
1216         Reviewed by Mark Lam.
1217
1218         This implements the given functions for MIPS, such that it builds again.
1219
1220         * assembler/MacroAssemblerMIPS.h:
1221         (JSC::MacroAssemblerMIPS::and16):
1222         (JSC::MacroAssemblerMIPS::store16):
1223
1224 2018-05-02  Rick Waldron  <waldron.rick@gmail.com>
1225
1226         Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
1227         https://bugs.webkit.org/show_bug.cgi?id=185043
1228
1229         Reviewed by Filip Pizlo.
1230
1231         * jsc.cpp:
1232         (GlobalObject::finishCreation):
1233         (functionDollarAgentMonotonicNow):
1234
1235 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
1236
1237         [ARM] Implement and16 and store16 for MacroAssemblerARMv7
1238         https://bugs.webkit.org/show_bug.cgi?id=185196
1239
1240         Reviewed by Mark Lam.
1241
1242         This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.
1243
1244         * assembler/MacroAssemblerARMv7.h:
1245         (JSC::MacroAssemblerARMv7::and16):
1246         (JSC::MacroAssemblerARMv7::store16):
1247
1248 2018-05-02  Robin Morisset  <rmorisset@apple.com>
1249
1250         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
1251         https://bugs.webkit.org/show_bug.cgi?id=183172
1252
1253         Reviewed by Filip Pizlo.
1254
1255         DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
1256         but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.
1257
1258         I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
1259         Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
1260         a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.
1261
1262         * dfg/DFGArgumentsEliminationPhase.cpp:
1263         * dfg/DFGArgumentsUtilities.cpp:
1264         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1265
1266 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1267
1268         Unreviewed, stackPointer signature is different from declaration
1269         https://bugs.webkit.org/show_bug.cgi?id=184790
1270
1271         * runtime/MachineContext.h:
1272         (JSC::MachineContext::stackPointer):
1273
1274 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1275
1276         [JSC] Add SameValue DFG node
1277         https://bugs.webkit.org/show_bug.cgi?id=185065
1278
1279         Reviewed by Saam Barati.
1280
1281         This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
1282         And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
1283         if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
1284         from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
1285         implementations for these SameValue nodes.
1286
1287         This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler",
1288         has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
1289         was broken. This patch fixes the issues and moves compareDouble to MacroAssemblerX86Common, and removes the
1290         generalized compareDouble for the x86 arch to use this specialized efficient version instead. The fixes are
1291         correctly using set32 to zero-extend the result, and setting the initial value of the `dest` register
1292         correctly for the DoubleEqual and DoubleNotEqualOrUnordered cases.
1293
1294         The added microbenchmark shows a performance improvement.
1295
1296             object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster
1297
1298         * assembler/MacroAssembler.h:
1299         * assembler/MacroAssemblerX86Common.h:
1300         (JSC::MacroAssemblerX86Common::compareDouble):
1301         * assembler/MacroAssemblerX86_64.h:
1302         (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
1303         * assembler/testmasm.cpp:
1304         (JSC::doubleOperands):
1305         (JSC::testCompareDouble):
1306         (JSC::run):
1307         * dfg/DFGAbstractInterpreterInlines.h:
1308         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1309         * dfg/DFGByteCodeParser.cpp:
1310         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1311         * dfg/DFGClobberize.h:
1312         (JSC::DFG::clobberize):
1313         * dfg/DFGConstantFoldingPhase.cpp:
1314         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1315         * dfg/DFGDoesGC.cpp:
1316         (JSC::DFG::doesGC):
1317         * dfg/DFGFixupPhase.cpp:
1318         (JSC::DFG::FixupPhase::fixupNode):
1319         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
1320         * dfg/DFGNodeType.h:
1321         * dfg/DFGOperations.cpp:
1322         * dfg/DFGOperations.h:
1323         * dfg/DFGPredictionPropagationPhase.cpp:
1324         * dfg/DFGSafeToExecute.h:
1325         (JSC::DFG::safeToExecute):
1326         * dfg/DFGSpeculativeJIT.cpp:
1327         (JSC::DFG::SpeculativeJIT::compileSameValue):
1328         * dfg/DFGSpeculativeJIT.h:
1329         * dfg/DFGSpeculativeJIT32_64.cpp:
1330         (JSC::DFG::SpeculativeJIT::compile):
1331         * dfg/DFGSpeculativeJIT64.cpp:
1332         (JSC::DFG::SpeculativeJIT::compile):
1333         * dfg/DFGValidate.cpp:
1334         * ftl/FTLCapabilities.cpp:
1335         (JSC::FTL::canCompile):
1336         * ftl/FTLLowerDFGToB3.cpp:
1337         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1338         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
1339         * runtime/Intrinsic.cpp:
1340         (JSC::intrinsicName):
1341         * runtime/Intrinsic.h:
1342         * runtime/ObjectConstructor.cpp:
1343
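The semantic difference the entry relies on, as an added example that is not JSC code: SameValue (Object.is) and strict equality (===) on two doubles disagree exactly on NaN and on signed zero, which is why SameValue(Double, Double) cannot be rewritten to CompareStrictEq. The function names are hypothetical.

```cpp
// Added example, not WebKit code: SameValue versus strict equality on doubles.
#include <cmath>
#include <cstdio>

// === on two doubles is the IEEE ordered comparison: NaN compares unequal to
// everything (the "unordered" case the DoubleEqual / DoubleNotEqualOrUnordered
// conditions distinguish), and +0 compares equal to -0.
bool strictEqualDouble(double a, double b)
{
    return a == b;
}

// Object.is on two doubles: NaN is the same value as NaN, and +0 is not the
// same value as -0. Every other pair behaves like ===.
bool sameValueDouble(double a, double b)
{
    if (std::isnan(a) || std::isnan(b))
        return std::isnan(a) && std::isnan(b);
    if (a == b)
        return std::signbit(a) == std::signbit(b); // only matters for +0 vs -0
    return false;
}

// True for the inputs where replacing SameValue with CompareStrictEq would
// change program behaviour.
bool sameValueDiffersFromStrictEqual(double a, double b)
{
    return sameValueDouble(a, b) != strictEqualDouble(a, b);
}

int main()
{
    const double nan = std::nan("");
    std::printf("NaN:  ===%d  Object.is=%d\n", strictEqualDouble(nan, nan), sameValueDouble(nan, nan));
    std::printf("+0/-0: ===%d  Object.is=%d\n", strictEqualDouble(0.0, -0.0), sameValueDouble(0.0, -0.0));
    std::printf("2.5:  ===%d  Object.is=%d\n", strictEqualDouble(2.5, 2.5), sameValueDouble(2.5, 2.5));
    return 0;
}
```
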
1344 2018-04-30  Filip Pizlo  <fpizlo@apple.com>
1345
1346         B3::demoteValues should be able to handle patchpoint terminals
1347         https://bugs.webkit.org/show_bug.cgi?id=185151
1348
1349         Reviewed by Saam Barati.
1350         
1351         If we try to demote a patchpoint terminal then prior to this change we would append a Set to
1352         the basic block that the patchpoint terminated. That's wrong because then the terminal is no
1353         longer the last thing in the block.
1354         
1355         Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
1356         really do that because demotion happens as a prerequisite to other transformations.
1357         
1358         One solution might have been to make demoteValues insert a basic block whenever it encounters
1359         this problem. But that would break clients that do CFG analysis before demoteValues and use
1360         the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
1361         also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
1362         so it's not bad to introduce that requirement.
1363         
1364         So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
1365         terminal as if it had multiple successors. This means that a patchpoint terminal's successors
1366         will only have it as their predecessor. Then, demoteValues just prepends the Set to the
1367         successors of the patchpoint terminal.
1368         
1369         This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
1370         a unit test in testb3.
1371
1372         * b3/B3BreakCriticalEdges.cpp:
1373         (JSC::B3::breakCriticalEdges):
1374         * b3/B3BreakCriticalEdges.h:
1375         * b3/B3FixSSA.cpp:
1376         (JSC::B3::demoteValues):
1377         (JSC::B3::fixSSA):
1378         * b3/B3FixSSA.h:
1379         * b3/B3Value.cpp:
1380         (JSC::B3::Value::foldIdentity const):
1381         (JSC::B3::Value::performSubstitution):
1382         * b3/B3Value.h:
1383         * b3/testb3.cpp:
1384         (JSC::B3::testDemotePatchpointTerminal):
1385         (JSC::B3::run):
1386
1387 2018-05-01  Robin Morisset  <rmorisset@apple.com>
1388
1389         Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
1390         https://bugs.webkit.org/show_bug.cgi?id=184772
1391         <rdar://problem/39146327>
1392
1393         Reviewed by Filip Pizlo.
1394
1395         Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399), where a check was missing.
1396         This patch now makes sure that the check correctly detects if there is an integer overflow.
1397
1398         * runtime/JSArray.cpp:
1399         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1400
1401 2018-05-01  Robin Morisset  <rmorisset@apple.com>
1402
1403         Correctly detect string overflow when using the 'Function' constructor
1404         https://bugs.webkit.org/show_bug.cgi?id=184883
1405         <rdar://problem/36320331>
1406
1407         Reviewed by Filip Pizlo.
1408
1409         The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
1410         Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.
1411
1412         I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
1413         In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
1414         I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.
1415
1416         * runtime/FunctionConstructor.cpp:
1417         (JSC::constructFunctionSkippingEvalEnabledCheck):
1418         * runtime/JSONObject.cpp:
1419         (JSC::Stringifier::appendStringifiedValue):
1420
1421 2018-05-01  Robin Morisset  <rmorisset@apple.com>
1422
1423         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
1424         https://bugs.webkit.org/show_bug.cgi?id=185162
1425
1426         Reviewed by Filip Pizlo.
1427
1428         * runtime/IntlObject.cpp:
1429         (JSC::removeUnicodeLocaleExtension):
1430
1431 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
1432
1433         Add SetCallee as DFG-Operation
1434         https://bugs.webkit.org/show_bug.cgi?id=184582
1435
1436         Reviewed by Filip Pizlo.
1437
1438         For recursive tail calls, not only the argument count can change but also the
1439         callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
1440         Also update the callee when optimizing a recursive tail call.
1441         Enable recursive tail call optimization also for closures.
1442
1443         * dfg/DFGAbstractInterpreterInlines.h:
1444         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1445         * dfg/DFGByteCodeParser.cpp:
1446         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1447         (JSC::DFG::ByteCodeParser::handleCallVariant):
1448         * dfg/DFGClobberize.h:
1449         (JSC::DFG::clobberize):
1450         * dfg/DFGDoesGC.cpp:
1451         (JSC::DFG::doesGC):
1452         * dfg/DFGFixupPhase.cpp:
1453         (JSC::DFG::FixupPhase::fixupNode):
1454         * dfg/DFGMayExit.cpp:
1455         * dfg/DFGNodeType.h:
1456         * dfg/DFGPredictionPropagationPhase.cpp:
1457         * dfg/DFGSafeToExecute.h:
1458         (JSC::DFG::safeToExecute):
1459         * dfg/DFGSpeculativeJIT.cpp:
1460         (JSC::DFG::SpeculativeJIT::compileSetCallee):
1461         * dfg/DFGSpeculativeJIT.h:
1462         * dfg/DFGSpeculativeJIT32_64.cpp:
1463         (JSC::DFG::SpeculativeJIT::compile):
1464         * dfg/DFGSpeculativeJIT64.cpp:
1465         (JSC::DFG::SpeculativeJIT::compile):
1466         * ftl/FTLCapabilities.cpp:
1467         (JSC::FTL::canCompile):
1468         * ftl/FTLLowerDFGToB3.cpp:
1469         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1470         (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
1471
1472 2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>
1473
1474         WebAssembly: add support for stream APIs - JavaScript API
1475         https://bugs.webkit.org/show_bug.cgi?id=183442
1476
1477         Reviewed by Yusuke Suzuki and JF Bastien.
1478
1479         Add WebAssembly stream API. The current patch only adds the functions
1480         WebAssembly.compileStreaming and WebAssembly.instantiateStreaming but
1481         does not add a streaming implementation. So in the current version it
1482         only waits for the whole module to load, then starts to parse.
1483
1484         * CMakeLists.txt:
1485         * Configurations/FeatureDefines.xcconfig:
1486         * DerivedSources.make:
1487         * JavaScriptCore.xcodeproj/project.pbxproj:
1488         * builtins/BuiltinNames.h:
1489         * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
1490         (compileStreaming):
1491         (instantiateStreaming):
1492         * jsc.cpp:
1493         * runtime/JSGlobalObject.cpp:
1494         (JSC::JSGlobalObject::init):
1495         * runtime/JSGlobalObject.h:
1496         * runtime/Options.h:
1497         * runtime/PromiseDeferredTimer.cpp:
1498         (JSC::PromiseDeferredTimer::hasPendingPromise):
1499         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1500         * runtime/PromiseDeferredTimer.h:
1501         * wasm/js/WebAssemblyPrototype.cpp:
1502         (JSC::webAssemblyModuleValidateAsyncInternal):
1503         (JSC::webAssemblyCompileFunc):
1504         (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
1505         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1506         (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
1507         (JSC::webAssemblyCompileStreamingInternal):
1508         (JSC::webAssemblyInstantiateStreamingInternal):
1509         (JSC::WebAssemblyPrototype::create):
1510         (JSC::WebAssemblyPrototype::finishCreation):
1511         * wasm/js/WebAssemblyPrototype.h:
1512
1513 2018-04-30  Saam Barati  <sbarati@apple.com>
1514
1515         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
1516         https://bugs.webkit.org/show_bug.cgi?id=185149
1517         <rdar://problem/39455917>
1518
1519         Reviewed by Filip Pizlo.
1520
1521         The bug was that we were deleting checks that we shouldn't have deleted.
1522         This patch makes a helper inside strength reduction that converts to
1523         a LazyJSConstant while maintaining checks, and switches users of the
1524         node API inside strength reduction to instead call the helper function.
1525         
1526         This patch also fixes a potential bug where StringReplace and
1527         StringReplaceRegExp may not preserve all their checks.
1528
1529
1530         * dfg/DFGStrengthReductionPhase.cpp:
1531         (JSC::DFG::StrengthReductionPhase::handleNode):
1532         (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
1533
1534 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
1535
1536         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
1537         https://bugs.webkit.org/show_bug.cgi?id=185126
1538
1539         Reviewed by Saam Barati.
1540         
1541         This change is just restoring functionality that we've already had for a while. It had been
1542         accidentally broken due to an unrelated CodeBlock refactoring.
1543
1544         * dfg/DFGLICMPhase.cpp:
1545         (JSC::DFG::LICMPhase::attemptHoist):
1546
1547 2018-04-30  Mark Lam  <mark.lam@apple.com>
1548
1549         Apply PtrTags to the MetaAllocator and friends.
1550         https://bugs.webkit.org/show_bug.cgi?id=185110
1551         <rdar://problem/39533895>
1552
1553         Reviewed by Saam Barati.
1554
1555         1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
1556         2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
1557            and add a sanity check to verify that allocated code buffers are within those
1558            bounds.
1559
1560         * assembler/LinkBuffer.cpp:
1561         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
1562         (JSC::LinkBuffer::copyCompactAndLinkCode):
1563         (JSC::LinkBuffer::linkCode):
1564         (JSC::LinkBuffer::allocate):
1565         * assembler/LinkBuffer.h:
1566         (JSC::LinkBuffer::LinkBuffer):
1567         (JSC::LinkBuffer::debugAddress):
1568         (JSC::LinkBuffer::code):
1569         * assembler/MacroAssemblerCodeRef.h:
1570         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1571         * bytecode/InlineAccess.cpp:
1572         (JSC::linkCodeInline):
1573         (JSC::InlineAccess::rewireStubAsJump):
1574         * dfg/DFGJITCode.cpp:
1575         (JSC::DFG::JITCode::findPC):
1576         * ftl/FTLJITCode.cpp:
1577         (JSC::FTL::JITCode::findPC):
1578         * jit/ExecutableAllocator.cpp:
1579         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1580         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1581         (JSC::ExecutableAllocator::allocate):
1582         * jit/ExecutableAllocator.h:
1583         (JSC::isJITPC):
1584         (JSC::performJITMemcpy):
1585         * jit/JIT.cpp:
1586         (JSC::JIT::link):
1587         * jit/JITMathIC.h:
1588         (JSC::isProfileEmpty):
1589         * runtime/JSCPtrTag.h:
1590         * wasm/WasmCallee.cpp:
1591         (JSC::Wasm::Callee::Callee):
1592         * wasm/WasmFaultSignalHandler.cpp:
1593         (JSC::Wasm::trapHandler):
1594
1595 2018-04-30  Keith Miller  <keith_miller@apple.com>
1596
1597         Move the MayBePrototype JSCell header bit to InlineTypeFlags
1598         https://bugs.webkit.org/show_bug.cgi?id=185143
1599
1600         Reviewed by Mark Lam.
1601
1602         * runtime/IndexingType.h:
1603         * runtime/JSCellInlines.h:
1604         (JSC::JSCell::setStructure):
1605         (JSC::JSCell::mayBePrototype const):
1606         (JSC::JSCell::didBecomePrototype):
1607         * runtime/JSTypeInfo.h:
1608         (JSC::TypeInfo::mayBePrototype):
1609         (JSC::TypeInfo::mergeInlineTypeFlags):
1610
1611 2018-04-30  Keith Miller  <keith_miller@apple.com>
1612
1613         Remove unneeded exception check from String.fromCharCode
1614         https://bugs.webkit.org/show_bug.cgi?id=185083
1615
1616         Reviewed by Mark Lam.
1617
1618         * runtime/StringConstructor.cpp:
1619         (JSC::stringFromCharCode):
1620
1621 2018-04-30  Keith Miller  <keith_miller@apple.com>
1622
1623         Move StructureIsImmortal to out of line flags.
1624         https://bugs.webkit.org/show_bug.cgi?id=185101
1625
1626         Reviewed by Saam Barati.
1627
1628         This will free up a bit in the inline flags where we can move the
1629         isPrototype bit to. This will, in turn, free a bit for use in
1630         implementing copy on write butterflies.
1631
1632         Also, this patch removes an assertion from Structure::typeInfo()
1633         that inadvertently makes the function invalid to call while
1634         cleaning up the vm.
1635
1636         * heap/HeapCellType.cpp:
1637         (JSC::DefaultDestroyFunc::operator() const):
1638         * runtime/JSCell.h:
1639         * runtime/JSCellInlines.h:
1640         (JSC::JSCell::callDestructor): Deleted.
1641         * runtime/JSTypeInfo.h:
1642         (JSC::TypeInfo::hasStaticPropertyTable):
1643         (JSC::TypeInfo::structureIsImmortal const):
1644         * runtime/Structure.h:
1645
1646 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1647
1648         [JSC] Remove arity fixup check if the number of parameters is 1
1649         https://bugs.webkit.org/show_bug.cgi?id=183984
1650
1651         Reviewed by Mark Lam.
1652
1653         If the number of parameters is one (|this|), we never hit the arity fixup check.
1654         We do not need to emit arity fixup check code.
1655
1656         * dfg/DFGDriver.cpp:
1657         (JSC::DFG::compileImpl):
1658         * dfg/DFGJITCompiler.cpp:
1659         (JSC::DFG::JITCompiler::compileFunction):
1660         * dfg/DFGJITCompiler.h:
1661         * ftl/FTLLink.cpp:
1662         (JSC::FTL::link):
1663         * jit/JIT.cpp:
1664         (JSC::JIT::compileWithoutLinking):
1665
1666 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1667
1668         Use WordLock instead of std::mutex for Threading
1669         https://bugs.webkit.org/show_bug.cgi?id=185121
1670
1671         Reviewed by Geoffrey Garen.
1672
1673         ThreadGroup starts using WordLock.
1674
1675         * heap/MachineStackMarker.h:
1676         (JSC::MachineThreads::getLock):
1677
1678 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
1679
1680         B3 should run tail duplication at the bitter end
1681         https://bugs.webkit.org/show_bug.cgi?id=185123
1682
1683         Reviewed by Geoffrey Garen.
1684         
1685         Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
1686         everywhere else.
1687         
1688         The goal of this change is to allow us to run path specialization after switch lowering but
1689         before tail duplication.
1690
1691         * b3/B3Generate.cpp:
1692         (JSC::B3::generateToAir):
1693         * runtime/Options.h:
1694
1695 2018-04-29  Commit Queue  <commit-queue@webkit.org>
1696
1697         Unreviewed, rolling out r231137.
1698         https://bugs.webkit.org/show_bug.cgi?id=185118
1699
1700         It is breaking Test262 language/expressions/multiplication
1701         /order-of-evaluation.js (Requested by caiolima on #webkit).
1702
1703         Reverted changeset:
1704
1705         "[ESNext][BigInt] Implement support for "*" operation"
1706         https://bugs.webkit.org/show_bug.cgi?id=183721
1707         https://trac.webkit.org/changeset/231137
1708
1709 2018-04-28  Saam Barati  <sbarati@apple.com>
1710
1711         We don't model regexp effects properly
1712         https://bugs.webkit.org/show_bug.cgi?id=185059
1713         <rdar://problem/39736150>
1714
1715         Reviewed by Filip Pizlo.
1716
1717         RegExp exec/test can have arbitrary effects when toNumbering the lastIndex if
1718         the regexp is global.
1719
1720         * dfg/DFGAbstractInterpreterInlines.h:
1721         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1722         * dfg/DFGClobberize.h:
1723         (JSC::DFG::clobberize):
1724
1725 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
1726
1727         Token misspelled "tocken" in error message string
1728         https://bugs.webkit.org/show_bug.cgi?id=185030
1729
1730         Reviewed by Saam Barati.
1731
1732         * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
1733         (JSC::Parser<LexerType>::Parser):
1734         (JSC::Parser<LexerType>::didFinishParsing):
1735         (JSC::Parser<LexerType>::parseSourceElements):
1736         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1737         (JSC::Parser<LexerType>::parseVariableDeclaration):
1738         (JSC::Parser<LexerType>::parseWhileStatement):
1739         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1740         (JSC::Parser<LexerType>::createBindingPattern):
1741         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
1742         (JSC::Parser<LexerType>::parseObjectRestElement):
1743         (JSC::Parser<LexerType>::parseDestructuringPattern):
1744         (JSC::Parser<LexerType>::parseForStatement):
1745         (JSC::Parser<LexerType>::parseBreakStatement):
1746         (JSC::Parser<LexerType>::parseContinueStatement):
1747         (JSC::Parser<LexerType>::parseThrowStatement):
1748         (JSC::Parser<LexerType>::parseWithStatement):
1749         (JSC::Parser<LexerType>::parseSwitchStatement):
1750         (JSC::Parser<LexerType>::parseSwitchClauses):
1751         (JSC::Parser<LexerType>::parseTryStatement):
1752         (JSC::Parser<LexerType>::parseBlockStatement):
1753         (JSC::Parser<LexerType>::parseFormalParameters):
1754         (JSC::Parser<LexerType>::parseFunctionParameters):
1755         (JSC::Parser<LexerType>::parseFunctionInfo):
1756         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1757         (JSC::Parser<LexerType>::parseExpressionStatement):
1758         (JSC::Parser<LexerType>::parseIfStatement):
1759         (JSC::Parser<LexerType>::parseAssignmentExpression):
1760         (JSC::Parser<LexerType>::parseConditionalExpression):
1761         (JSC::Parser<LexerType>::parseBinaryExpression):
1762         (JSC::Parser<LexerType>::parseObjectLiteral):
1763         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
1764         (JSC::Parser<LexerType>::parseArrayLiteral):
1765         (JSC::Parser<LexerType>::parseArguments):
1766         (JSC::Parser<LexerType>::parseMemberExpression):
1767         (JSC::operatorString):
1768         (JSC::Parser<LexerType>::parseUnaryExpression):
1769         (JSC::Parser<LexerType>::printUnexpectedTokenText):
1770
1771 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
1772
1773         [ESNext][BigInt] Implement support for "*" operation
1774         https://bugs.webkit.org/show_bug.cgi?id=183721
1775
1776         Reviewed by Saam Barati.
1777
1778         Added BigInt support to the times binary operator in LLInt and in the
1779         JITOperations profiledMul and unprofiledMul. We are also replacing all
1780         uses of int with unsigned when there are no negative values for
1781         variables.
1782
1783         * dfg/DFGConstantFoldingPhase.cpp:
1784         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1785         * jit/JITOperations.cpp:
1786         * runtime/CommonSlowPaths.cpp:
1787         (JSC::SLOW_PATH_DECL):
1788         * runtime/JSBigInt.cpp:
1789         (JSC::JSBigInt::JSBigInt):
1790         (JSC::JSBigInt::allocationSize):
1791         (JSC::JSBigInt::createWithLength):
1792         (JSC::JSBigInt::toString):
1793         (JSC::JSBigInt::multiply):
1794         (JSC::JSBigInt::digitDiv):
1795         (JSC::JSBigInt::internalMultiplyAdd):
1796         (JSC::JSBigInt::multiplyAccumulate):
1797         (JSC::JSBigInt::equals):
1798         (JSC::JSBigInt::absoluteDivSmall):
1799         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1800         (JSC::JSBigInt::toStringGeneric):
1801         (JSC::JSBigInt::rightTrim):
1802         (JSC::JSBigInt::allocateFor):
1803         (JSC::JSBigInt::parseInt):
1804         (JSC::JSBigInt::digit):
1805         (JSC::JSBigInt::setDigit):
1806         * runtime/JSBigInt.h:
1807         * runtime/Operations.h:
1808         (JSC::jsMul):
1809
1810 2018-04-28  Commit Queue  <commit-queue@webkit.org>
1811
1812         Unreviewed, rolling out r231131.
1813         https://bugs.webkit.org/show_bug.cgi?id=185112
1814
1815         It is breaking Debug build due to unchecked exception
1816         (Requested by caiolima on #webkit).
1817
1818         Reverted changeset:
1819
1820         "[ESNext][BigInt] Implement support for "*" operation"
1821         https://bugs.webkit.org/show_bug.cgi?id=183721
1822         https://trac.webkit.org/changeset/231131
1823
1824 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
1825
1826         [ESNext][BigInt] Implement support for "*" operation
1827         https://bugs.webkit.org/show_bug.cgi?id=183721
1828
1829         Reviewed by Saam Barati.
1830
1831         Added BigInt support to the times binary operator in LLInt and in the
1832         JITOperations profiledMul and unprofiledMul. We are also replacing all
1833         uses of int with unsigned when there are no negative values for
1834         variables.
1835
1836         * dfg/DFGConstantFoldingPhase.cpp:
1837         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1838         * jit/JITOperations.cpp:
1839         * runtime/CommonSlowPaths.cpp:
1840         (JSC::SLOW_PATH_DECL):
1841         * runtime/JSBigInt.cpp:
1842         (JSC::JSBigInt::JSBigInt):
1843         (JSC::JSBigInt::allocationSize):
1844         (JSC::JSBigInt::createWithLength):
1845         (JSC::JSBigInt::toString):
1846         (JSC::JSBigInt::multiply):
1847         (JSC::JSBigInt::digitDiv):
1848         (JSC::JSBigInt::internalMultiplyAdd):
1849         (JSC::JSBigInt::multiplyAccumulate):
1850         (JSC::JSBigInt::equals):
1851         (JSC::JSBigInt::absoluteDivSmall):
1852         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1853         (JSC::JSBigInt::toStringGeneric):
1854         (JSC::JSBigInt::rightTrim):
1855         (JSC::JSBigInt::allocateFor):
1856         (JSC::JSBigInt::parseInt):
1857         (JSC::JSBigInt::digit):
1858         (JSC::JSBigInt::setDigit):
1859         * runtime/JSBigInt.h:
1860         * runtime/Operations.h:
1861         (JSC::jsMul):
1862
1863 2018-04-27  JF Bastien  <jfbastien@apple.com>
1864
1865         Make the first 64 bits of JSString look like a double JSValue
1866         https://bugs.webkit.org/show_bug.cgi?id=185081
1867
1868         Reviewed by Filip Pizlo.
1869
1870         We can be clever about how we lay out JSString so that, were it
1871         reinterpreted as a JSValue, it would look like a double.
1872
1873         * assembler/MacroAssemblerX86Common.h:
1874         (JSC::MacroAssemblerX86Common::and16):
1875         * assembler/X86Assembler.h:
1876         (JSC::X86Assembler::andw_mr):
1877         * dfg/DFGSpeculativeJIT.cpp:
1878         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1879         * ftl/FTLLowerDFGToB3.cpp:
1880         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1881         * ftl/FTLOutput.h:
1882         (JSC::FTL::Output::store32As8):
1883         (JSC::FTL::Output::store32As16):
1884         * runtime/JSString.h:
1885         (JSC::JSString::JSString):
1886
1887 2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1888
1889         [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
1890         https://bugs.webkit.org/show_bug.cgi?id=185055
1891
1892         Reviewed by JF Bastien.
1893
1894         This patch is paving the way to emitting the jscvt instruction if possible.
1895         To do that, we need to determine whether the jscvt instruction is supported by
1896         the given CPU.
1897
1898         We add a function collectCPUFeatures, which is responsible for collecting
1899         CPU features if necessary. On Linux, we can use the auxiliary vector to get
1900         the information without parsing /proc/cpuinfo.
1901
1902         Currently, nobody calls this function. It will later be called when we emit
1903         the jscvt instruction. To make that possible, we also need to add disassembler
1904         support.
1905
1906         * assembler/AbstractMacroAssembler.h:
1907         * assembler/MacroAssemblerARM64.cpp:
1908         (JSC::MacroAssemblerARM64::collectCPUFeatures):
1909         * assembler/MacroAssemblerARM64.h:
1910         * assembler/MacroAssemblerX86Common.h:
1911
1912 2018-04-26  Filip Pizlo  <fpizlo@apple.com>
1913
1914         Also run foldPathConstants before mussing up SSA
1915         https://bugs.webkit.org/show_bug.cgi?id=185069
1916
1917         Reviewed by Saam Barati.
1918         
1919         This isn't needed now, but will be once I implement the phase in bug 185060.
1920         
1921         This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
1922         Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
1923         be landed separately and measured separately from that phase.
1924         
1925         It's probably nice for sanity to have this and reduceStrength run before tail duplication and
1926         another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
1927         it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
1928         neutral. It all depends on what programs typically look like.
1929
1930         * b3/B3Generate.cpp:
1931         (JSC::B3::generateToAir):
1932
1933 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
1934
1935         Unreviewed, rolling out r231086.
1936
1937         Caused JSC test failures due to an unchecked exception.
1938
1939         Reverted changeset:
1940
1941         "[ESNext][BigInt] Implement support for "*" operation"
1942         https://bugs.webkit.org/show_bug.cgi?id=183721
1943         https://trac.webkit.org/changeset/231086
1944
1945 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
1946
1947         [ESNext][BigInt] Implement support for "*" operation
1948         https://bugs.webkit.org/show_bug.cgi?id=183721
1949
1950         Reviewed by Saam Barati.
1951
1952         Added BigInt support to the times binary operator in LLInt and in the
1953         JITOperations profiledMul and unprofiledMul. We are also replacing all
1954         uses of int with unsigned when there are no negative values for
1955         variables.
1956
1957         * dfg/DFGConstantFoldingPhase.cpp:
1958         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1959         * jit/JITOperations.cpp:
1960         * runtime/CommonSlowPaths.cpp:
1961         (JSC::SLOW_PATH_DECL):
1962         * runtime/JSBigInt.cpp:
1963         (JSC::JSBigInt::JSBigInt):
1964         (JSC::JSBigInt::allocationSize):
1965         (JSC::JSBigInt::createWithLength):
1966         (JSC::JSBigInt::toString):
1967         (JSC::JSBigInt::multiply):
1968         (JSC::JSBigInt::digitDiv):
1969         (JSC::JSBigInt::internalMultiplyAdd):
1970         (JSC::JSBigInt::multiplyAccumulate):
1971         (JSC::JSBigInt::equals):
1972         (JSC::JSBigInt::absoluteDivSmall):
1973         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1974         (JSC::JSBigInt::toStringGeneric):
1975         (JSC::JSBigInt::rightTrim):
1976         (JSC::JSBigInt::allocateFor):
1977         (JSC::JSBigInt::parseInt):
1978         (JSC::JSBigInt::digit):
1979         (JSC::JSBigInt::setDigit):
1980         * runtime/JSBigInt.h:
1981         * runtime/Operations.h:
1982         (JSC::jsMul):
1983
1984 2018-04-26  Mark Lam  <mark.lam@apple.com>
1985
1986         Gardening: Speculative build fix for Windows.
1987         https://bugs.webkit.org/show_bug.cgi?id=184976
1988         <rdar://problem/39723901>
1989
1990         Not reviewed.
1991
1992         * runtime/JSCPtrTag.h:
1993
1994 2018-04-26  Mark Lam  <mark.lam@apple.com>
1995
1996         Gardening: Windows build fix.
1997
1998         Not reviewed.
1999
2000         * runtime/Options.cpp:
2001
2002 2018-04-26  Jer Noble  <jer.noble@apple.com>
2003
2004         WK_COCOA_TOUCH all the things.
2005         https://bugs.webkit.org/show_bug.cgi?id=185006
2006         <rdar://problem/39736025>
2007
2008         Reviewed by Tim Horton.
2009
2010         * Configurations/Base.xcconfig:
2011
2012 2018-04-26  Per Arne Vollan  <pvollan@apple.com>
2013
2014         Disable content filtering in minimal simulator mode
2015         https://bugs.webkit.org/show_bug.cgi?id=185027
2016         <rdar://problem/39736091>
2017
2018         Reviewed by Jer Noble.
2019
2020         * Configurations/FeatureDefines.xcconfig:
2021
2022 2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>
2023
2024         [INTL] Implement Intl.PluralRules
2025         https://bugs.webkit.org/show_bug.cgi?id=184312
2026
2027         Reviewed by JF Bastien.
2028
2029         Use UNumberFormat to enforce formatting, and then UPluralRules to find
2030         the correct plural rule for the given number. Relies on ICU v59+ for
2031         resolvedOptions().pluralCategories and trailing 0 detection.
2032         Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.
2033
2034         * CMakeLists.txt:
2035         * Configurations/FeatureDefines.xcconfig:
2036         * DerivedSources.make:
2037         * JavaScriptCore.xcodeproj/project.pbxproj:
2038         * Sources.txt:
2039         * builtins/BuiltinNames.h:
2040         * runtime/BigIntObject.cpp:
2041         (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
2042         * runtime/BigIntObject.h:
2043         * runtime/CommonIdentifiers.h:
2044         * runtime/IntlObject.cpp:
2045         (JSC::IntlObject::finishCreation):
2046         * runtime/IntlObject.h:
2047         * runtime/IntlPluralRules.cpp: Added.
2048         (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
2049         (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
2050         (JSC::UEnumerationDeleter::operator() const):
2051         (JSC::IntlPluralRules::create):
2052         (JSC::IntlPluralRules::createStructure):
2053         (JSC::IntlPluralRules::IntlPluralRules):
2054         (JSC::IntlPluralRules::finishCreation):
2055         (JSC::IntlPluralRules::destroy):
2056         (JSC::IntlPluralRules::visitChildren):
2057         (JSC::IntlPRInternal::localeData):
2058         (JSC::IntlPluralRules::initializePluralRules):
2059         (JSC::IntlPluralRules::resolvedOptions):
2060         (JSC::IntlPluralRules::select):
2061         * runtime/IntlPluralRules.h: Added.
2062         * runtime/IntlPluralRulesConstructor.cpp: Added.
2063         (JSC::IntlPluralRulesConstructor::create):
2064         (JSC::IntlPluralRulesConstructor::createStructure):
2065         (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
2066         (JSC::IntlPluralRulesConstructor::finishCreation):
2067         (JSC::constructIntlPluralRules):
2068         (JSC::callIntlPluralRules):
2069         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
2070         (JSC::IntlPluralRulesConstructor::visitChildren):
2071         * runtime/IntlPluralRulesConstructor.h: Added.
2072         * runtime/IntlPluralRulesPrototype.cpp: Added.
2073         (JSC::IntlPluralRulesPrototype::create):
2074         (JSC::IntlPluralRulesPrototype::createStructure):
2075         (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
2076         (JSC::IntlPluralRulesPrototype::finishCreation):
2077         (JSC::IntlPluralRulesPrototypeFuncSelect):
2078         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
2079         * runtime/IntlPluralRulesPrototype.h: Added.
2080         * runtime/JSGlobalObject.cpp:
2081         (JSC::JSGlobalObject::init):
2082         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2083         * runtime/JSGlobalObject.h:
2084         * runtime/Options.h:
2085         * runtime/RegExpPrototype.cpp: Added inlines header.
2086         * runtime/VM.cpp:
2087         (JSC::VM::VM):
2088         * runtime/VM.h:
2089
2090 2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>
2091
2092         [MIPS] Fix branch offsets in branchNeg32
2093         https://bugs.webkit.org/show_bug.cgi?id=185025
2094
2095         Reviewed by Yusuke Suzuki.
2096
2097         Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.
2098
2099         * assembler/MacroAssemblerMIPS.h:
2100         (JSC::MacroAssemblerMIPS::branchNeg32):
2101
2102 2018-04-25  Robin Morisset  <rmorisset@apple.com>
2103
2104         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
2105         https://bugs.webkit.org/show_bug.cgi?id=184773
2106         <rdar://problem/37773612>
2107
2108         Reviewed by Filip Pizlo.
2109
2110         We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
2111         arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
2112         This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
2113         We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
2114         This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
2115
2116         * ftl/FTLLowerDFGToB3.cpp:
2117         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2118
2119 2018-04-25  Mark Lam  <mark.lam@apple.com>
2120
2121         Push the definition of PtrTag down to the WTF layer.
2122         https://bugs.webkit.org/show_bug.cgi?id=184976
2123         <rdar://problem/39723901>
2124
2125         Reviewed by Saam Barati.
2126
2127         * CMakeLists.txt:
2128         * JavaScriptCore.xcodeproj/project.pbxproj:
2129         * assembler/ARM64Assembler.h:
2130         * assembler/AbstractMacroAssembler.h:
2131         * assembler/MacroAssemblerCodeRef.cpp:
2132         * assembler/MacroAssemblerCodeRef.h:
2133         * b3/B3MathExtras.cpp:
2134         * bytecode/LLIntCallLinkInfo.h:
2135         * disassembler/Disassembler.h:
2136         * ftl/FTLJITCode.cpp:
2137         * interpreter/InterpreterInlines.h:
2138         * jit/ExecutableAllocator.h:
2139         * jit/JITOperations.cpp:
2140         * jit/ThunkGenerator.h:
2141         * jit/ThunkGenerators.h:
2142         * llint/LLIntOffsetsExtractor.cpp:
2143         * llint/LLIntPCRanges.h:
2144         * runtime/JSCPtrTag.h: Added.
2145         * runtime/NativeFunction.h:
2146         * runtime/PtrTag.h: Removed.
2147         * runtime/VMTraps.cpp:
2148
2149 2018-04-25  Keith Miller  <keith_miller@apple.com>
2150
2151         getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
2152         https://bugs.webkit.org/show_bug.cgi?id=184998
2153
2154         Reviewed by Saam Barati.
2155
2156         * runtime/CodeCache.cpp:
2157         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2158
2159 2018-04-25  Keith Miller  <keith_miller@apple.com>
2160
2161         Add missing scope release to functionProtoFuncToString
2162         https://bugs.webkit.org/show_bug.cgi?id=184995
2163
2164         Reviewed by Saam Barati.
2165
2166         * runtime/FunctionPrototype.cpp:
2167         (JSC::functionProtoFuncToString):
2168
2169 2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2170
2171         REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
2172         https://bugs.webkit.org/show_bug.cgi?id=184730
2173
2174         Reviewed by Mark Lam.
2175
2176         Add a swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM).
2177         We now also use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.
2178
2179         We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with the
2180         ARMv7 implementation.
2181
2182         * assembler/ARMAssembler.h:
2183         * assembler/MacroAssemblerARM.h:
2184         (JSC::MacroAssemblerARM::add32):
2185         (JSC::MacroAssemblerARM::and32):
2186         (JSC::MacroAssemblerARM::lshift32):
2187         (JSC::MacroAssemblerARM::mul32):
2188         (JSC::MacroAssemblerARM::or32):
2189         (JSC::MacroAssemblerARM::rshift32):
2190         (JSC::MacroAssemblerARM::urshift32):
2191         (JSC::MacroAssemblerARM::sub32):
2192         (JSC::MacroAssemblerARM::xor32):
2193         (JSC::MacroAssemblerARM::load8):
2194         (JSC::MacroAssemblerARM::abortWithReason):
2195         (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
2196         (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
2197         (JSC::MacroAssemblerARM::store8):
2198         (JSC::MacroAssemblerARM::store32):
2199         (JSC::MacroAssemblerARM::push):
2200         (JSC::MacroAssemblerARM::swap):
2201         (JSC::MacroAssemblerARM::branch8):
2202         (JSC::MacroAssemblerARM::branchPtr):
2203         (JSC::MacroAssemblerARM::branch32):
2204         (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
2205         (JSC::MacroAssemblerARM::branchTest8):
2206         (JSC::MacroAssemblerARM::branchTest32):
2207         (JSC::MacroAssemblerARM::jump):
2208         (JSC::MacroAssemblerARM::branchAdd32):
2209         (JSC::MacroAssemblerARM::mull32):
2210         (JSC::MacroAssemblerARM::branchMul32):
2211         (JSC::MacroAssemblerARM::patchableBranch32):
2212         (JSC::MacroAssemblerARM::nearCall):
2213         (JSC::MacroAssemblerARM::compare32):
2214         (JSC::MacroAssemblerARM::compare8):
2215         (JSC::MacroAssemblerARM::test32):
2216         (JSC::MacroAssemblerARM::test8):
2217         (JSC::MacroAssemblerARM::add64):
2218         (JSC::MacroAssemblerARM::load32):
2219         (JSC::MacroAssemblerARM::call):
2220         (JSC::MacroAssemblerARM::branchPtrWithPatch):
2221         (JSC::MacroAssemblerARM::branch32WithPatch):
2222         (JSC::MacroAssemblerARM::storePtrWithPatch):
2223         (JSC::MacroAssemblerARM::loadDouble):
2224         (JSC::MacroAssemblerARM::storeDouble):
2225         (JSC::MacroAssemblerARM::addDouble):
2226         (JSC::MacroAssemblerARM::divDouble):
2227         (JSC::MacroAssemblerARM::subDouble):
2228         (JSC::MacroAssemblerARM::mulDouble):
2229         (JSC::MacroAssemblerARM::convertInt32ToDouble):
2230         (JSC::MacroAssemblerARM::branchDouble):
2231         (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
2232         (JSC::MacroAssemblerARM::truncateDoubleToInt32):
2233         (JSC::MacroAssemblerARM::truncateDoubleToUint32):
2234         (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
2235         (JSC::MacroAssemblerARM::branchDoubleNonZero):
2236         (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
2237         (JSC::MacroAssemblerARM::call32):
2238         (JSC::MacroAssemblerARM::internalCompare32):
2239
2240 2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>
2241
2242         [WinCairo] Fix js/regexp-unicode.html crash.
2243         https://bugs.webkit.org/show_bug.cgi?id=184891
2244
2245         Reviewed by Yusuke Suzuki.
2246
2247         On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
2248         RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.
2249
2250         * yarr/YarrJIT.cpp:
2251         (JSC::Yarr::YarrGenerator::generateEnter):
2252         (JSC::Yarr::YarrGenerator::generateReturn):
2253         Unconditionally save and restore RDI on 64-bit Windows.
2254
2255 2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>
2256
2257         [GTK] Miscellaneous build cleanups
2258         https://bugs.webkit.org/show_bug.cgi?id=184399
2259
2260         Reviewed by Žan Doberšek.
2261
2262         * PlatformGTK.cmake:
2263
2264 2018-04-24  Keith Miller  <keith_miller@apple.com>
2265
2266         fromCharCode is missing some exception checks
2267         https://bugs.webkit.org/show_bug.cgi?id=184952
2268
2269         Reviewed by Saam Barati.
2270
2271         I also removed the pointless slow path function and moved it into the
2272         main function.
2273
2274         * runtime/StringConstructor.cpp:
2275         (JSC::stringFromCharCode):
2276         (JSC::stringFromCharCodeSlowCase): Deleted.
2277
2278 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
2279
2280         MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
2281         https://bugs.webkit.org/show_bug.cgi?id=184923
2282
2283         Reviewed by Saam Barati.
2284         
2285         If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
2286         (i.e. we know that the object has one of those structures), then previously we would still emit a
2287         switch with a case per structure along with a default case. That would mean one extra redundant
2288         branch to check that whatever structure we wound up with belongs to the set. In that case, we
2289         were already making the default case be an Oops.
2290         
2291         One possible solution would be to say that the default case being Oops means that B3 doesn't need
2292         to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
2293         be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
2294         seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
2295         trap.
2296         
2297         So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
2298         extra branch.
2299         
2300         This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
2301         it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
2302         read.
2303
2304         * ftl/FTLLowerDFGToB3.cpp:
2305         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
2306         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2307         (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):
2308
2309 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
2310
2311         DFG CSE should know how to decay a MultiGetByOffset
2312         https://bugs.webkit.org/show_bug.cgi?id=159859
2313
2314         Reviewed by Keith Miller.
2315         
2316         This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
2317         clobberize() can report a def() for MultiGetByOffset.
2318         
2319         This is a slight improvement to codegen in splay because splay is a heavy user of
2320         MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
2321         "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
2322         removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
2323         splay's time.
2324
2325         * dfg/DFGClobberize.h:
2326         (JSC::DFG::clobberize):
2327         * dfg/DFGNode.cpp:
2328         (JSC::DFG::Node::remove):
2329         (JSC::DFG::Node::removeWithoutChecks):
2330         (JSC::DFG::Node::replaceWith):
2331         (JSC::DFG::Node::replaceWithWithoutChecks):
2332         * dfg/DFGNode.h:
2333         (JSC::DFG::Node::convertToMultiGetByOffset):
2334         (JSC::DFG::Node::replaceWith): Deleted.
2335         * dfg/DFGNodeType.h:
2336         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2337
2338 2018-04-24  Keith Miller  <keith_miller@apple.com>
2339
2340         Update API docs with information on which run loop the VM will use
2341         https://bugs.webkit.org/show_bug.cgi?id=184900
2342         <rdar://problem/39166054>
2343
2344         Reviewed by Mark Lam.
2345
2346         * API/JSContextRef.h:
2347         * API/JSVirtualMachine.h:
2348
2349 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
2350
2351         $vm.totalGCTime() should be a thing
2352         https://bugs.webkit.org/show_bug.cgi?id=184916
2353
2354         Reviewed by Sam Weinig.
2355         
2356         When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
2357         time spent in GC to determine if the regression is because the GC got slower.
2358         
2359         This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
2360
2361         * heap/Heap.cpp:
2362         (JSC::Heap::runEndPhase):
2363         * heap/Heap.h:
2364         (JSC::Heap::totalGCTime const):
2365         * tools/JSDollarVM.cpp:
2366         (JSC::functionTotalGCTime):
2367         (JSC::JSDollarVM::finishCreation):
2368
2369 2018-04-23  Zalan Bujtas  <zalan@apple.com>
2370
2371         [LayoutFormattingContext] Initial commit.
2372         https://bugs.webkit.org/show_bug.cgi?id=184896
2373
2374         Reviewed by Antti Koivisto.
2375
2376         * Configurations/FeatureDefines.xcconfig:
2377
2378 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
2379
2380         Unreviewed, revert accidental change to verbose flag.
2381
2382         * dfg/DFGByteCodeParser.cpp:
2383
2384 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
2385
2386         Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
2387
2388         Rubber stamped by Saam Barati.
2389         
2390         This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
2391         anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
2392         Seems sensible to just roll it out.
2393
2394         * dfg/DFGByteCodeParser.cpp:
2395         (JSC::DFG::ByteCodeParser::addToGraph):
2396         (JSC::DFG::ByteCodeParser::parse):
2397
2398 2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2399
2400         [JSC] Remove ModuleLoaderPrototype
2401         https://bugs.webkit.org/show_bug.cgi?id=184784
2402
2403         Reviewed by Mark Lam.
2404
2405         When we introduced ModuleLoaderPrototype, ModuleLoader could be created by users and exposed to users.
2406         However, the loader spec has been abandoned, so we do not need to have ModuleLoaderPrototype and JSModuleLoader.
2407         This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
2408
2409         * CMakeLists.txt:
2410         * DerivedSources.make:
2411         * JavaScriptCore.xcodeproj/project.pbxproj:
2412         * Sources.txt:
2413         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
2414         * runtime/JSGlobalObject.cpp:
2415         (JSC::JSGlobalObject::init):
2416         (JSC::JSGlobalObject::visitChildren):
2417         * runtime/JSGlobalObject.h:
2418         (JSC::JSGlobalObject::proxyRevokeStructure const):
2419         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
2420         * runtime/JSModuleLoader.cpp:
2421         (JSC::moduleLoaderParseModule):
2422         (JSC::moduleLoaderRequestedModules):
2423         (JSC::moduleLoaderModuleDeclarationInstantiation):
2424         (JSC::moduleLoaderResolve):
2425         (JSC::moduleLoaderResolveSync):
2426         (JSC::moduleLoaderFetch):
2427         (JSC::moduleLoaderGetModuleNamespaceObject):
2428         (JSC::moduleLoaderEvaluate):
2429         * runtime/JSModuleLoader.h:
2430         * runtime/ModuleLoaderPrototype.cpp: Removed.
2431         * runtime/ModuleLoaderPrototype.h: Removed.
2432
2433 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
2434
2435         [GLIB] All API tests fail in debug builds
2436         https://bugs.webkit.org/show_bug.cgi?id=184813
2437
2438         Reviewed by Mark Lam.
2439
2440         This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
2441         JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.
2442
2443         * API/glib/JSCContext.cpp:
2444         (JSCContextExceptionHandler::JSCContextExceptionHandler):
2445         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
2446         (jscContextConstructed):
2447         (ExceptionHandler::ExceptionHandler): Deleted.
2448         (ExceptionHandler::~ExceptionHandler): Deleted.
2449
2450 2018-04-20  Tim Horton  <timothy_horton@apple.com>
2451
2452         Adjust geolocation feature flag
2453         https://bugs.webkit.org/show_bug.cgi?id=184856
2454
2455         Reviewed by Wenson Hsieh.
2456
2457         * Configurations/FeatureDefines.xcconfig:
2458
2459 2018-04-20  Brian Burg  <bburg@apple.com>
2460
2461         Web Inspector: remove some dead code in IdentifiersFactory
2462         https://bugs.webkit.org/show_bug.cgi?id=184839
2463
2464         Reviewed by Timothy Hatcher.
2465
2466         This was never used on non-Chrome ports, so the identifier always has a
2467         prefix of '0.'. We may change this in the future, but for now remove this.
2468         Using a PID for this purpose is problematic anyway.
2469
2470         * inspector/IdentifiersFactory.cpp:
2471         (Inspector::addPrefixToIdentifier):
2472         (Inspector::IdentifiersFactory::createIdentifier):
2473         (Inspector::IdentifiersFactory::requestId):
2474         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
2475         * inspector/IdentifiersFactory.h:
2476
2477 2018-04-20  Mark Lam  <mark.lam@apple.com>
2478
2479         Add the ability to use a hash for setting PtrTag enum values.
2480         https://bugs.webkit.org/show_bug.cgi?id=184852
2481         <rdar://problem/39613891>
2482
2483         Reviewed by Saam Barati.
2484
2485         * runtime/PtrTag.h:
2486
2487 2018-04-20  Mark Lam  <mark.lam@apple.com>
2488
2489         Some JSEntryPtrTags should actually be JSInternalPtrTags.
2490         https://bugs.webkit.org/show_bug.cgi?id=184712
2491         <rdar://problem/39507381>
2492
2493         Reviewed by Michael Saboff.
2494
2495         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
2496         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
2497            only when needed.
2498
2499         * bytecode/AccessCase.cpp:
2500         (JSC::AccessCase::generateImpl):
2501         * bytecode/ByValInfo.h:
2502         (JSC::ByValInfo::ByValInfo):
2503         * bytecode/CallLinkInfo.cpp:
2504         (JSC::CallLinkInfo::callReturnLocation):
2505         (JSC::CallLinkInfo::patchableJump):
2506         (JSC::CallLinkInfo::hotPathBegin):
2507         (JSC::CallLinkInfo::slowPathStart):
2508         * bytecode/CallLinkInfo.h:
2509         (JSC::CallLinkInfo::setCallLocations):
2510         (JSC::CallLinkInfo::hotPathOther):
2511         * bytecode/PolymorphicAccess.cpp:
2512         (JSC::PolymorphicAccess::regenerate):
2513         * bytecode/StructureStubInfo.h:
2514         (JSC::StructureStubInfo::doneLocation):
2515         * dfg/DFGJITCompiler.cpp:
2516         (JSC::DFG::JITCompiler::link):
2517         * dfg/DFGOSRExit.cpp:
2518         (JSC::DFG::reifyInlinedCallFrames):
2519         * ftl/FTLLazySlowPath.cpp:
2520         (JSC::FTL::LazySlowPath::initialize):
2521         * ftl/FTLLazySlowPath.h:
2522         (JSC::FTL::LazySlowPath::done const):
2523         * ftl/FTLLowerDFGToB3.cpp:
2524         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2525         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2526         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2527         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2528         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2529         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2530         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
2531         * jit/JIT.cpp:
2532         (JSC::JIT::link):
2533         * jit/JITExceptions.cpp:
2534         (JSC::genericUnwind):
2535         * jit/JITMathIC.h:
2536         (JSC::isProfileEmpty):
2537         * llint/LLIntData.cpp:
2538         (JSC::LLInt::initialize):
2539         * llint/LLIntData.h:
2540         (JSC::LLInt::getCodePtr):
2541         (JSC::LLInt::getExecutableAddress): Deleted.
2542         * llint/LLIntExceptions.cpp:
2543         (JSC::LLInt::callToThrow):
2544         * llint/LLIntSlowPaths.cpp:
2545         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2546         * wasm/js/WasmToJS.cpp:
2547         (JSC::Wasm::wasmToJS):
2548
2549 2018-04-18  Jer Noble  <jer.noble@apple.com>
2550
2551         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
2552         https://bugs.webkit.org/show_bug.cgi?id=184762
2553
2554         Reviewed by Dan Bernstein.
2555
2556         * Configurations/Base.xcconfig:
2557         * JavaScriptCore.xcodeproj/project.pbxproj:
2558
2559 2018-04-20  Daniel Bates  <dabates@apple.com>
2560
2561         Remove code for compilers that did not support NSDMI for aggregates
2562         https://bugs.webkit.org/show_bug.cgi?id=184599
2563
2564         Reviewed by Per Arne Vollan.
2565
2566         Remove workaround for earlier Visual Studio versions that did not support non-static data
2567         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
2568         and EWS bots to a newer version that supports this feature.
2569
2570         * domjit/DOMJITEffect.h:
2571         (JSC::DOMJIT::Effect::Effect): Deleted.
2572         * runtime/HasOwnPropertyCache.h:
2573         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
2574         * wasm/WasmFormat.h:
2575         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
2576
2577 2018-04-20  Mark Lam  <mark.lam@apple.com>
2578
2579         Build fix for internal builds after r230826.
2580         https://bugs.webkit.org/show_bug.cgi?id=184790
2581         <rdar://problem/39301369>
2582
2583         Not reviewed.
2584
2585         * runtime/Options.cpp:
2586         (JSC::overrideDefaults):
2587         * tools/SigillCrashAnalyzer.cpp:
2588         (JSC::SignalContext::dump):
2589
2590 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
2591
2592         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
2593         https://bugs.webkit.org/show_bug.cgi?id=184254
2594         <rdar://problem/39140200>
2595
2596         Reviewed by Daniel Bates.
2597
2598         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
2599
2600         * runtime/ArrayBuffer.h:
2601         (JSC::ArrayBufferContents::ArrayBufferContents):
2602
2603 2018-04-19  Mark Lam  <mark.lam@apple.com>
2604
2605         Apply pointer profiling to Signal pointers.
2606         https://bugs.webkit.org/show_bug.cgi?id=184790
2607         <rdar://problem/39301369>
2608
2609         Reviewed by Michael Saboff.
2610
2611         1. Change stackPointer, framePointer, and instructionPointer accessors to
2612            be a pair of getter/setter functions.
2613         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
2614            pointer profiling variants of these accessors.
2615         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
2616
2617         * JavaScriptCorePrefix.h:
2618         * runtime/MachineContext.h:
2619         (JSC::MachineContext::stackPointerImpl):
2620         (JSC::MachineContext::stackPointer):
2621         (JSC::MachineContext::setStackPointer):
2622         (JSC::MachineContext::framePointerImpl):
2623         (JSC::MachineContext::framePointer):
2624         (JSC::MachineContext::setFramePointer):
2625         (JSC::MachineContext::instructionPointerImpl):
2626         (JSC::MachineContext::instructionPointer):
2627         (JSC::MachineContext::setInstructionPointer):
2628         (JSC::MachineContext::linkRegisterImpl):
2629         (JSC::MachineContext::linkRegister):
2630         (JSC::MachineContext::setLinkRegister):
2631         * runtime/SamplingProfiler.cpp:
2632         (JSC::SamplingProfiler::takeSample):
2633         * runtime/VMTraps.cpp:
2634         (JSC::SignalContext::SignalContext):
2635         (JSC::VMTraps::tryInstallTrapBreakpoints):
2636         * tools/CodeProfiling.cpp:
2637         (JSC::profilingTimer):
2638         * tools/SigillCrashAnalyzer.cpp:
2639         (JSC::SignalContext::dump):
2640         (JSC::installCrashHandler):
2641         (JSC::SigillCrashAnalyzer::analyze):
2642         * wasm/WasmFaultSignalHandler.cpp:
2643         (JSC::Wasm::trapHandler):
2644
2645 2018-04-19  David Kilzer  <ddkilzer@apple.com>
2646
2647         Enable Objective-C weak references
2648         <https://webkit.org/b/184789>
2649         <rdar://problem/39571716>
2650
2651         Reviewed by Dan Bernstein.
2652
2653         * Configurations/Base.xcconfig:
2654         (CLANG_ENABLE_OBJC_WEAK): Enable.
2655         * Configurations/ToolExecutable.xcconfig:
2656         (CLANG_ENABLE_OBJC_ARC): Simplify.
2657
2658 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2659
2660         The InternalFunction hierarchy should be in IsoSubspaces
2661         https://bugs.webkit.org/show_bug.cgi?id=184721
2662
2663         Reviewed by Saam Barati.
2664         
2665         This moves InternalFunction into a IsoSubspace. It also moves all subclasses into IsoSubspaces,
2666         but subclasses that are the same size as InternalFunction share its subspace. I did this
2667         because the subclasses appear to just override methods, which are called dynamically via the
2668         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
2669         allocate one kind of InternalFunction over another.
2670
2671         * API/JSBase.h:
2672         * API/JSCallbackFunction.h:
2673         * API/ObjCCallbackFunction.h:
2674         (JSC::ObjCCallbackFunction::subspaceFor):
2675         * CMakeLists.txt:
2676         * JavaScriptCore.xcodeproj/project.pbxproj:
2677         * Sources.txt:
2678         * heap/IsoSubspacePerVM.cpp: Added.
2679         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
2680         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
2681         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
2682         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
2683         (JSC::IsoSubspacePerVM::forVM):
2684         * heap/IsoSubspacePerVM.h: Added.
2685         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
2686         * runtime/Error.h:
2687         * runtime/ErrorConstructor.h:
2688         * runtime/InternalFunction.h:
2689         (JSC::InternalFunction::subspaceFor):
2690         * runtime/IntlCollatorConstructor.h:
2691         * runtime/IntlDateTimeFormatConstructor.h:
2692         * runtime/IntlNumberFormatConstructor.h:
2693         * runtime/JSArrayBufferConstructor.h:
2694         * runtime/NativeErrorConstructor.h:
2695         * runtime/ProxyRevoke.h:
2696         * runtime/RegExpConstructor.h:
2697         * runtime/VM.cpp:
2698         (JSC::VM::VM):
2699         * runtime/VM.h:
2700
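        The reasoning in the entry above (one IsoSubspace per object layout, with subclasses of the same size sharing one)
        is illustrated by the following added example. It is not JavaScriptCore code: the Subspace, Cell, CellA/CellB/CellC
        and kind_at names are hypothetical, and the pool is a four-slot toy rather than JSC's allocator. It shows why a
        use-after-free in a pool shared by all layouts lets a dangling pointer observe a differently shaped object (a
        pointer field overlapping an integer field), while a per-layout pool can only ever refill the freed slot with
        the same shape, which is the property the entry relies on when it lets same-sized InternalFunction subclasses
        share a subspace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Three cell layouts. A and B are "same size, only behaviour differs" (the
   InternalFunction-subclass case); C has a different layout whose pointer
   payload overlaps A's integer field. All names here are hypothetical. */
enum { KIND_A = 1, KIND_B = 2, KIND_C = 3 };
typedef struct { uint32_t kind; uint32_t value; } CellA;
typedef struct { uint32_t kind; uint32_t other; } CellB;
typedef struct { uint32_t kind; uint32_t len; const char *data; } CellC;

/* One slot is large and aligned enough to hold any of the layouts. */
typedef union { CellA a; CellB b; CellC c; } Cell;

#define SLOT_COUNT 4

/* A pool that hands out fixed-size cells and reuses a freed cell only for
   later allocations made through this same pool (the IsoSubspace idea). */
typedef struct {
    Cell cells[SLOT_COUNT];
    int free_slots[SLOT_COUNT];   /* LIFO stack of free slot indexes */
    int free_top;
} Subspace;

static void subspace_init(Subspace *s) {
    memset(s, 0, sizeof *s);
    for (int i = SLOT_COUNT - 1; i >= 0; i--)   /* slot 0 is handed out first */
        s->free_slots[s->free_top++] = i;
}

static Cell *subspace_alloc(Subspace *s) {
    if (s->free_top == 0) return NULL;
    return &s->cells[s->free_slots[--s->free_top]];
}

static void subspace_free(Subspace *s, Cell *cell) {
    s->free_slots[s->free_top++] = (int)(cell - s->cells);   /* next alloc reuses it */
}

/* Read the kind tag of whatever currently lives at a cell address. A union
   and its first member share an address, so a dangling CellA* works here. */
static uint32_t kind_at(const void *cell) {
    uint32_t k;
    memcpy(&k, cell, sizeof k);
    return k;
}

/* General heap: every layout shares one pool. After the use-after-free the
   dangling CellA* sees a CellC, so a->value now aliases half of c->data. */
int shared_heap_kind_after_uaf(void) {
    Subspace heap;
    subspace_init(&heap);
    Cell *slot = subspace_alloc(&heap);
    CellA *a = &slot->a;
    a->kind = KIND_A; a->value = 7;
    subspace_free(&heap, slot);                 /* a is now dangling */
    CellC *c = &subspace_alloc(&heap)->c;       /* reuses a's slot */
    c->kind = KIND_C; c->len = 4; c->data = "data";
    return (int)kind_at(a);                     /* KIND_C: layout confused */
}

/* Iso heap: A and B share a pool because they have the same layout; C gets
   its own. The dangling CellA* can only ever see an A- or B-shaped cell. */
int iso_heap_kind_after_uaf(void) {
    Subspace ab_space, c_space;
    subspace_init(&ab_space);
    subspace_init(&c_space);
    Cell *slot = subspace_alloc(&ab_space);
    CellA *a = &slot->a;
    a->kind = KIND_A; a->value = 7;
    subspace_free(&ab_space, slot);             /* a is now dangling */
    CellC *c = &subspace_alloc(&c_space)->c;    /* lands in a different pool */
    c->kind = KIND_C; c->len = 4; c->data = "data";
    CellB *b = &subspace_alloc(&ab_space)->b;   /* this is what reuses a's slot */
    b->kind = KIND_B; b->other = 9;
    return (int)kind_at(a);                     /* KIND_B: same shape as A */
}

int main(void) {
    printf("shared heap: dangling A now has kind %d\n", shared_heap_kind_after_uaf());
    printf("iso heap:    dangling A now has kind %d\n", iso_heap_kind_after_uaf());
    return 0;
}
```

        The integer field of the stale CellA still reads attacker-influenced data in the iso case (b->other), but it is
        read as an integer, never reinterpreted as a pointer; that is the narrower promise the entry makes when it says
        it sees no type confusion risk from reusing one InternalFunction slot for another.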
2701 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2702
2703         Unreviewed, Fix jsc shell
2704         https://bugs.webkit.org/show_bug.cgi?id=184600
2705
2706         WebAssembly module loading does not finish with drainMicrotasks().
2707         So JSNativeStdFunction's capturing variables become invalid.
2708         This patch fixes this issue.
2709
2710         * jsc.cpp:
2711         (functionDollarAgentStart):
2712         (runWithOptions):
2713         (runJSC):
2714         (jscmain):
2715
2716 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
2717
2718         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
2719         https://bugs.webkit.org/show_bug.cgi?id=184725
2720
2721         Reviewed by Mark Lam.
2722
2723         * jit/JIT.h:
2724
2725 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2726
2727         [WebAssembly][Modules] Import tables in wasm modules
2728         https://bugs.webkit.org/show_bug.cgi?id=184738
2729
2730         Reviewed by JF Bastien.
2731
2732         This patch simply allows wasm modules to import tables from wasm modules / JS re-exporting.
2733         Basically, moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
2734         just works.
2735
2736         * wasm/js/JSWebAssemblyInstance.cpp:
2737         (JSC::JSWebAssemblyInstance::create):
2738         * wasm/js/WebAssemblyModuleRecord.cpp:
2739         (JSC::WebAssemblyModuleRecord::link):
2740
2741 2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>
2742
2743         [ARM] Fix build error and crash after PtrTag change
2744         https://bugs.webkit.org/show_bug.cgi?id=184732
2745
2746         Reviewed by Mark Lam.
2747
2748         Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
2749         MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
2750         twice with ARM-Thumb2.
2751
2752         * assembler/MacroAssemblerCodeRef.h:
2753         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2754         * jit/JITPropertyAccess32_64.cpp:
2755         (JSC::JIT::emitSlow_op_put_by_val):
2756         * jit/Repatch.cpp:
2757         (JSC::linkPolymorphicCall):
2758
2759 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2760
2761         [WebAssembly][Modules] Import globals from wasm modules
2762         https://bugs.webkit.org/show_bug.cgi?id=184736
2763
2764         Reviewed by JF Bastien.
2765
2766         This patch implements a feature importing globals to/from wasm modules.
2767         Since we are not supporting mutable globals now, we can just copy the
2768         global data when importing. Currently we do not support importing/exporting
2769         i64 globals. This will be supported once (1) mutable global bindings are
2770         specified and (2) BigInt based i64 importing/exporting is specified.
2771
2772         * wasm/js/JSWebAssemblyInstance.cpp:
2773         (JSC::JSWebAssemblyInstance::create):
2774         * wasm/js/WebAssemblyModuleRecord.cpp:
2775         (JSC::WebAssemblyModuleRecord::link):
2776
2777 2018-04-18  Tomas Popela  <tpopela@redhat.com>
2778
2779         Unreviewed, fix build on ARM
2780
2781         * assembler/MacroAssemblerARM.h:
2782         (JSC::MacroAssemblerARM::readCallTarget):
2783
2784 2018-04-18  Tomas Popela  <tpopela@redhat.com>
2785
2786         Unreviewed, fix build with GCC
2787
2788         * assembler/LinkBuffer.h:
2789         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2790
2791 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2792
2793         Unreviewed, reland r230697, r230720, and r230724.
2794         https://bugs.webkit.org/show_bug.cgi?id=184600
2795
2796         With CatchScope check.
2797
2798         * JavaScriptCore.xcodeproj/project.pbxproj:
2799         * builtins/ModuleLoaderPrototype.js:
2800         (globalPrivate.newRegistryEntry):
2801         (requestInstantiate):
2802         (link):
2803         * jsc.cpp:
2804         (convertShebangToJSComment):
2805         (fillBufferWithContentsOfFile):
2806         (fetchModuleFromLocalFileSystem):
2807         (GlobalObject::moduleLoaderFetch):
2808         (functionDollarAgentStart):
2809         (checkException):
2810         (runWithOptions):
2811         * parser/NodesAnalyzeModule.cpp:
2812         (JSC::ImportDeclarationNode::analyzeModule):
2813         * parser/SourceProvider.h:
2814         (JSC::WebAssemblySourceProvider::create):
2815         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
2816         * runtime/AbstractModuleRecord.cpp:
2817         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2818         (JSC::AbstractModuleRecord::resolveImport):
2819         (JSC::AbstractModuleRecord::link):
2820         (JSC::AbstractModuleRecord::evaluate):
2821         (JSC::identifierToJSValue): Deleted.
2822         * runtime/AbstractModuleRecord.h:
2823         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
2824         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
2825         * runtime/JSModuleEnvironment.cpp:
2826         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2827         * runtime/JSModuleLoader.cpp:
2828         (JSC::JSModuleLoader::evaluate):
2829         * runtime/JSModuleRecord.cpp:
2830         (JSC::JSModuleRecord::link):
2831         (JSC::JSModuleRecord::instantiateDeclarations):
2832         * runtime/JSModuleRecord.h:
2833         * runtime/ModuleLoaderPrototype.cpp:
2834         (JSC::moduleLoaderPrototypeParseModule):
2835         (JSC::moduleLoaderPrototypeRequestedModules):
2836         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
2837         * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
2838         * wasm/js/JSWebAssemblyHelpers.h:
2839         (JSC::getWasmBufferFromValue):
2840         (JSC::createSourceBufferFromValue):
2841         * wasm/js/JSWebAssemblyInstance.cpp:
2842         (JSC::JSWebAssemblyInstance::finalizeCreation):
2843         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
2844         (JSC::JSWebAssemblyInstance::create):
2845         * wasm/js/JSWebAssemblyInstance.h:
2846         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2847         (JSC::constructJSWebAssemblyInstance):
2848         * wasm/js/WebAssemblyModuleRecord.cpp:
2849         (JSC::WebAssemblyModuleRecord::prepareLink):
2850         (JSC::WebAssemblyModuleRecord::link):
2851         * wasm/js/WebAssemblyModuleRecord.h:
2852         * wasm/js/WebAssemblyPrototype.cpp:
2853         (JSC::resolve):
2854         (JSC::instantiate):
2855         (JSC::compileAndInstantiate):
2856         (JSC::WebAssemblyPrototype::instantiate):
2857         (JSC::webAssemblyInstantiateFunc):
2858         (JSC::webAssemblyValidateFunc):
2859         * wasm/js/WebAssemblyPrototype.h:
2860
2861 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2862
2863         [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
2864         https://bugs.webkit.org/show_bug.cgi?id=184687
2865
2866         Reviewed by Michael Catanzaro.
2867
2868         Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
2869         JSClassDefinition. This is required to implement dynamic properties that can't be added with
2870         jsc_class_add_property(), for example to implement something like the imports object in seed/gjs.
2871
2872         * API/glib/JSCClass.cpp:
2873         (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
2874         can throw exceptions.
2875         (VTableExceptionHandler::~VTableExceptionHandler):
2876         (getProperty): Iterate the class chain to call get_property function.
2877         (setProperty): Iterate the class chain to call set_property function.
2878         (hasProperty): Iterate the class chain to call has_property function.
2879         (deleteProperty): Iterate the class chain to call delete_property function.
2880         (getPropertyNames): Iterate the class chain to call enumerate_properties function.
2881         (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
2882         jscClassCreate now.
2883         (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
2884         * API/glib/JSCClass.h:
2885         * API/glib/JSCClassPrivate.h:
2886         * API/glib/JSCContext.cpp:
2887         (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
2888         (jsc_context_register_class): Add JSCClassVTable parameter.
2889         * API/glib/JSCContext.h:
2890         * API/glib/JSCContextPrivate.h:
2891         * API/glib/JSCWrapperMap.cpp:
2892         (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
2893         * API/glib/JSCWrapperMap.h:
2894         * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
2895
2896 2018-04-17  Mark Lam  <mark.lam@apple.com>
2897
2898         Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
2899         https://bugs.webkit.org/show_bug.cgi?id=184702
2900         <rdar://problem/35391681>
2901
2902         Reviewed by Filip Pizlo and Saam Barati.
2903
2904         1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
2905            to take a PtrTag template argument.
2906         2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
2907
2908         * assembler/AbstractMacroAssembler.h:
2909         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
2910         (JSC::AbstractMacroAssembler::linkJump):
2911         (JSC::AbstractMacroAssembler::linkPointer):
2912         (JSC::AbstractMacroAssembler::getLinkerAddress):
2913         (JSC::AbstractMacroAssembler::repatchJump):
2914         (JSC::AbstractMacroAssembler::repatchJumpToNop):
2915         (JSC::AbstractMacroAssembler::repatchNearCall):
2916         (JSC::AbstractMacroAssembler::repatchCompact):
2917         (JSC::AbstractMacroAssembler::repatchInt32):
2918         (JSC::AbstractMacroAssembler::repatchPointer):
2919         (JSC::AbstractMacroAssembler::readPointer):
2920         (JSC::AbstractMacroAssembler::replaceWithLoad):
2921         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
2922         * assembler/CodeLocation.h:
2923         (JSC::CodeLocationCommon:: const):
2924         (JSC::CodeLocationCommon::CodeLocationCommon):
2925         (JSC::CodeLocationInstruction::CodeLocationInstruction):
2926         (JSC::CodeLocationLabel::CodeLocationLabel):
2927         (JSC::CodeLocationLabel::retagged):
2928         (JSC::CodeLocationLabel:: const):
2929         (JSC::CodeLocationJump::CodeLocationJump):
2930         (JSC::CodeLocationJump::retagged):
2931         (JSC::CodeLocationCall::CodeLocationCall):
2932         (JSC::CodeLocationCall::retagged):
2933         (JSC::CodeLocationNearCall::CodeLocationNearCall):
2934         (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
2935         (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
2936         (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
2937         (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
2938         (JSC::CodeLocationCommon<tag>::instructionAtOffset):
2939         (JSC::CodeLocationCommon<tag>::labelAtOffset):
2940         (JSC::CodeLocationCommon<tag>::jumpAtOffset):
2941         (JSC::CodeLocationCommon<tag>::callAtOffset):
2942         (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
2943         (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
2944         (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
2945         (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
2946         (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
2947         (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
2948         (JSC::CodeLocationCommon::labelAtOffset): Deleted.
2949         (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
2950         (JSC::CodeLocationCommon::callAtOffset): Deleted.
2951         (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
2952         (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
2953         (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
2954         (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
2955         (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
2956         * assembler/LinkBuffer.cpp:
2957         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
2958         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
2959         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
2960         (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
2961         * assembler/LinkBuffer.h:
2962         (JSC::LinkBuffer::link):
2963         (JSC::LinkBuffer::patch):
2964         (JSC::LinkBuffer::entrypoint):
2965         (JSC::LinkBuffer::locationOf):
2966         (JSC::LinkBuffer::locationOfNearCall):
2967         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
2968         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2969         (JSC::LinkBuffer::trampolineAt):
2970         * assembler/MacroAssemblerARM.h:
2971         (JSC::MacroAssemblerARM::readCallTarget):
2972         (JSC::MacroAssemblerARM::replaceWithJump):
2973         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
2974         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
2975         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
2976         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
2977         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
2978         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
2979         (JSC::MacroAssemblerARM::repatchCall):
2980         (JSC::MacroAssemblerARM::linkCall):
2981         * assembler/MacroAssemblerARM64.h:
2982         (JSC::MacroAssemblerARM64::readCallTarget):
2983         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
2984         (JSC::MacroAssemblerARM64::replaceWithJump):
2985         (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
2986         (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
2987         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
2988         (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
2989         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
2990         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
2991         (JSC::MacroAssemblerARM64::repatchCall):
2992         (JSC::MacroAssemblerARM64::linkCall):
2993         * assembler/MacroAssemblerARMv7.h:
2994         (JSC::MacroAssemblerARMv7::replaceWithJump):
2995         (JSC::MacroAssemblerARMv7::readCallTarget):
2996         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
2997         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
2998         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
2999         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
3000         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
3001         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
3002         (JSC::MacroAssemblerARMv7::repatchCall):
3003         (JSC::MacroAssemblerARMv7::linkCall):
3004         * assembler/MacroAssemblerCodeRef.cpp:
3005         (JSC::MacroAssemblerCodePtrBase::dumpWithName):
3006         (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
3007         (JSC::MacroAssemblerCodeRefBase::disassembly):
3008         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
3009         (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
3010         (JSC::MacroAssemblerCodePtr::dump const): Deleted.
3011         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
3012         (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
3013         (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
3014         (JSC::MacroAssemblerCodeRef::dump const): Deleted.
3015         * assembler/MacroAssemblerCodeRef.h:
3016         (JSC::FunctionPtr::FunctionPtr):
3017         (JSC::FunctionPtr::retagged const):
3018         (JSC::FunctionPtr::retaggedExecutableAddress const):
3019         (JSC::FunctionPtr::operator== const):
3020         (JSC::FunctionPtr::operator!= const):
3021         (JSC::ReturnAddressPtr::ReturnAddressPtr):
3022         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3023         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
3024         (JSC::MacroAssemblerCodePtr::retagged const):
3025         (JSC::MacroAssemblerCodePtr:: const):
3026         (JSC::MacroAssemblerCodePtr::dumpWithName const):
3027         (JSC::MacroAssemblerCodePtr::dump const):
3028         (JSC::MacroAssemblerCodePtrHash::hash):
3029         (JSC::MacroAssemblerCodePtrHash::equal):
3030         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
3031         (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
3032         (JSC::MacroAssemblerCodeRef::code const):
3033         (JSC::MacroAssemblerCodeRef::retaggedCode const):
3034         (JSC::MacroAssemblerCodeRef::retagged const):
3035         (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
3036         (JSC::MacroAssemblerCodeRef::disassembly const):
3037         (JSC::MacroAssemblerCodeRef::dump const):
3038         (JSC::FunctionPtr<tag>::FunctionPtr):
3039         * assembler/MacroAssemblerMIPS.h:
3040         (JSC::MacroAssemblerMIPS::readCallTarget):
3041         (JSC::MacroAssemblerMIPS::replaceWithJump):
3042         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
3043         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
3044         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
3045         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
3046         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
3047         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
3048         (JSC::MacroAssemblerMIPS::repatchCall):
3049         (JSC::MacroAssemblerMIPS::linkCall):
3050         * assembler/MacroAssemblerX86.h:
3051         (JSC::MacroAssemblerX86::readCallTarget):
3052         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
3053         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
3054         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
3055         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
3056         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
3057         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
3058         (JSC::MacroAssemblerX86::repatchCall):
3059         (JSC::MacroAssemblerX86::linkCall):
3060         * assembler/MacroAssemblerX86Common.h:
3061         (JSC::MacroAssemblerX86Common::repatchCompact):
3062         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
3063         (JSC::MacroAssemblerX86Common::replaceWithJump):
3064         * assembler/MacroAssemblerX86_64.h:
3065         (JSC::MacroAssemblerX86_64::readCallTarget):
3066         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
3067         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
3068         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
3069         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
3070         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
3071         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
3072         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
3073         (JSC::MacroAssemblerX86_64::repatchCall):
3074         (JSC::MacroAssemblerX86_64::linkCall):
3075         * assembler/testmasm.cpp:
3076         (JSC::compile):
3077         (JSC::invoke):
3078         (JSC::testProbeModifiesProgramCounter):
3079         * b3/B3Compilation.cpp:
3080         (JSC::B3::Compilation::Compilation):
3081         * b3/B3Compilation.h:
3082         (JSC::B3::Compilation::code const):
3083         (JSC::B3::Compilation::codeRef const):
3084         * b3/B3Compile.cpp:
3085         (JSC::B3::compile):
3086         * b3/B3LowerMacros.cpp:
3087         * b3/air/AirDisassembler.cpp:
3088         (JSC::B3::Air::Disassembler::dump):
3089         * b3/air/testair.cpp:
3090         * b3/testb3.cpp:
3091         (JSC::B3::invoke):
3092         (JSC::B3::testInterpreter):
3093         (JSC::B3::testEntrySwitchSimple):
3094         (JSC::B3::testEntrySwitchNoEntrySwitch):
3095         (JSC::B3::testEntrySwitchWithCommonPaths):
3096         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
3097         (JSC::B3::testEntrySwitchLoop):
3098         * bytecode/AccessCase.cpp:
3099         (JSC::AccessCase::generateImpl):
3100         * bytecode/AccessCaseSnippetParams.cpp:
3101         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
3102         * bytecode/ByValInfo.h:
3103         (JSC::ByValInfo::ByValInfo):
3104         * bytecode/CallLinkInfo.cpp:
3105         (JSC::CallLinkInfo::callReturnLocation):
3106         (JSC::CallLinkInfo::patchableJump):
3107         (JSC::CallLinkInfo::hotPathBegin):
3108         (JSC::CallLinkInfo::slowPathStart):
3109         * bytecode/CallLinkInfo.h:
3110         (JSC::CallLinkInfo::setCallLocations):
3111         (JSC::CallLinkInfo::hotPathOther):
3112         * bytecode/CodeBlock.cpp:
3113         (JSC::CodeBlock::finishCreation):
3114         * bytecode/GetByIdStatus.cpp:
3115         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3116         * bytecode/GetByIdVariant.cpp:
3117         (JSC::GetByIdVariant::GetByIdVariant):
3118         (JSC::GetByIdVariant::dumpInContext const):
3119         * bytecode/GetByIdVariant.h:
3120         (JSC::GetByIdVariant::customAccessorGetter const):
3121         * bytecode/GetterSetterAccessCase.cpp:
3122         (JSC::GetterSetterAccessCase::create):
3123         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3124         (JSC::GetterSetterAccessCase::dumpImpl const):
3125         * bytecode/GetterSetterAccessCase.h:
3126         (JSC::GetterSetterAccessCase::customAccessor const):
3127         (): Deleted.
3128         * bytecode/HandlerInfo.h:
3129         (JSC::HandlerInfo::initialize):
3130         * bytecode/InlineAccess.cpp:
3131         (JSC::linkCodeInline):
3132         (JSC::InlineAccess::rewireStubAsJump):
3133         * bytecode/InlineAccess.h:
3134         * bytecode/JumpTable.h:
3135         (JSC::StringJumpTable::ctiForValue):
3136         (JSC::SimpleJumpTable::ctiForValue):
3137         * bytecode/LLIntCallLinkInfo.h:
3138         (JSC::LLIntCallLinkInfo::unlink):
3139         * bytecode/PolymorphicAccess.cpp:
3140         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
3141         (JSC::PolymorphicAccess::regenerate):
3142         * bytecode/PolymorphicAccess.h:
3143         (JSC::AccessGenerationResult::AccessGenerationResult):
3144         (JSC::AccessGenerationResult::code const):
3145         * bytecode/StructureStubInfo.h:
3146         (JSC::StructureStubInfo::slowPathCallLocation):
3147         (JSC::StructureStubInfo::doneLocation):
3148         (JSC::StructureStubInfo::slowPathStartLocation):
3149         (JSC::StructureStubInfo::patchableJumpForIn):
3150         * dfg/DFGCommonData.h:
3151         (JSC::DFG::CommonData::appendCatchEntrypoint):
3152         * dfg/DFGDisassembler.cpp:
3153         (JSC::DFG::Disassembler::dumpDisassembly):
3154         * dfg/DFGDriver.h:
3155         * dfg/DFGJITCompiler.cpp:
3156         (JSC::DFG::JITCompiler::linkOSRExits):
3157         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3158         (JSC::DFG::JITCompiler::link):
3159         (JSC::DFG::JITCompiler::compileFunction):
3160         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3161         * dfg/DFGJITCompiler.h:
3162         (JSC::DFG::CallLinkRecord::CallLinkRecord):
3163         (JSC::DFG::JITCompiler::appendCall):
3164         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
3165         (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
3166         (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
3167         * dfg/DFGJITFinalizer.cpp:
3168         (JSC::DFG::JITFinalizer::JITFinalizer):
3169         (JSC::DFG::JITFinalizer::finalize):
3170         (JSC::DFG::JITFinalizer::finalizeFunction):
3171         * dfg/DFGJITFinalizer.h:
3172         * dfg/DFGJumpReplacement.h:
3173         (JSC::DFG::JumpReplacement::JumpReplacement):
3174         * dfg/DFGNode.h:
3175         * dfg/DFGOSREntry.cpp:
3176         (JSC::DFG::prepareOSREntry):
3177         (JSC::DFG::prepareCatchOSREntry):
3178         * dfg/DFGOSREntry.h:
3179         (JSC::DFG::prepareOSREntry):
3180         * dfg/DFGOSRExit.cpp:
3181         (JSC::DFG::OSRExit::executeOSRExit):
3182         (JSC::DFG::reifyInlinedCallFrames):
3183         (JSC::DFG::adjustAndJumpToTarget):
3184         (JSC::DFG::OSRExit::codeLocationForRepatch const):
3185         (JSC::DFG::OSRExit::emitRestoreArguments):
3186         (JSC::DFG::OSRExit::compileOSRExit):
3187         * dfg/DFGOSRExit.h:
3188         * dfg/DFGOSRExitCompilerCommon.cpp:
3189         (JSC::DFG::handleExitCounts):
3190         (JSC::DFG::reifyInlinedCallFrames):
3191         (JSC::DFG::osrWriteBarrier):
3192         (JSC::DFG::adjustAndJumpToTarget):
3193         * dfg/DFGOperations.cpp:
3194         * dfg/DFGSlowPathGenerator.h:
3195         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
3196         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
3197         (JSC::DFG::slowPathCall):
3198         * dfg/DFGSpeculativeJIT.cpp:
3199         (JSC::DFG::SpeculativeJIT::compileMathIC):
3200         (JSC::DFG::SpeculativeJIT::compileCallDOM):
3201         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3202         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
3203         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3204         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
3205         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
3206         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
3207         (JSC::DFG::SpeculativeJIT::cachedPutById):
3208         * dfg/DFGSpeculativeJIT.h:
3209         (JSC::DFG::SpeculativeJIT::callOperation):
3210         (JSC::DFG::SpeculativeJIT::appendCall):
3211         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
3212         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
3213         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3214         * dfg/DFGSpeculativeJIT64.cpp:
3215         (JSC::DFG::SpeculativeJIT::cachedGetById):
3216         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3217         (JSC::DFG::SpeculativeJIT::compile):
3218         * dfg/DFGThunks.cpp:
3219         (JSC::DFG::osrExitThunkGenerator):
3220         (JSC::DFG::osrExitGenerationThunkGenerator):
3221         (JSC::DFG::osrEntryThunkGenerator):
3222         * dfg/DFGThunks.h:
3223         * disassembler/ARM64Disassembler.cpp:
3224         (JSC::tryToDisassemble):
3225         * disassembler/ARMv7Disassembler.cpp:
3226         (JSC::tryToDisassemble):
3227         * disassembler/Disassembler.cpp:
3228         (JSC::disassemble):
3229         (JSC::disassembleAsynchronously):
3230         * disassembler/Disassembler.h:
3231         (JSC::tryToDisassemble):
3232         * disassembler/UDis86Disassembler.cpp:
3233         (JSC::tryToDisassembleWithUDis86):
3234         * disassembler/UDis86Disassembler.h:
3235         (JSC::tryToDisassembleWithUDis86):
3236         * disassembler/X86Disassembler.cpp:
3237         (JSC::tryToDisassemble):
3238         * ftl/FTLCompile.cpp:
3239         (JSC::FTL::compile):
3240         * ftl/FTLExceptionTarget.cpp:
3241         (JSC::FTL::ExceptionTarget::label):
3242         (JSC::FTL::ExceptionTarget::jumps):
3243         * ftl/FTLExceptionTarget.h:
3244         * ftl/FTLGeneratedFunction.h:
3245         * ftl/FTLJITCode.cpp:
3246         (JSC::FTL::JITCode::initializeB3Code):
3247         (JSC::FTL::JITCode::initializeAddressForCall):
3248         (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
3249         (JSC::FTL::JITCode::addressForCall):
3250         (JSC::FTL::JITCode::executableAddressAtOffset):
3251         * ftl/FTLJITCode.h:
3252         (JSC::FTL::JITCode::b3Code const):
3253         * ftl/FTLJITFinalizer.cpp:
3254         (JSC::FTL::JITFinalizer::finalizeCommon):
3255         * ftl/FTLLazySlowPath.cpp:
3256         (JSC::FTL::LazySlowPath::initialize):
3257         (JSC::FTL::LazySlowPath::generate):
3258         * ftl/FTLLazySlowPath.h:
3259         (JSC::FTL::LazySlowPath::patchableJump const):
3260         (JSC::FTL::LazySlowPath::done const):
3261         (JSC::FTL::LazySlowPath::stub const):
3262         * ftl/FTLLazySlowPathCall.h:
3263         (JSC::FTL::createLazyCallGenerator):
3264         * ftl/FTLLink.cpp:
3265         (JSC::FTL::link):
3266         * ftl/FTLLowerDFGToB3.cpp:
3267         (JSC::FTL::DFG::LowerDFGToB3::lower):
3268         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3269         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3270         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3271         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3272         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3273         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3274         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
3275         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3276         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3277         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
3278         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3279         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3280         * ftl/FTLOSRExit.cpp:
3281         (JSC::FTL::OSRExit::codeLocationForRepatch const):
3282         * ftl/FTLOSRExit.h:
3283         * ftl/FTLOSRExitCompiler.cpp:
3284         (JSC::FTL::compileStub):
3285         (JSC::FTL::compileFTLOSRExit):
3286         * ftl/FTLOSRExitHandle.cpp:
3287         (JSC::FTL::OSRExitHandle::emitExitThunk):
3288         * ftl/FTLOperations.cpp:
3289         (JSC::FTL::compileFTLLazySlowPath):
3290         * ftl/FTLPatchpointExceptionHandle.cpp:
3291         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3292         * ftl/FTLSlowPathCall.cpp:
3293         (JSC::FTL::SlowPathCallContext::keyWithTarget const):
3294         (JSC::FTL::SlowPathCallContext::makeCall):
3295         * ftl/FTLSlowPathCall.h:
3296         (JSC::FTL::callOperation):
3297         * ftl/FTLSlowPathCallKey.cpp:
3298         (JSC::FTL::SlowPathCallKey::dump const):
3299         * ftl/FTLSlowPathCallKey.h:
3300         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
3301         (JSC::FTL::SlowPathCallKey::callTarget const):
3302         (JSC::FTL::SlowPathCallKey::withCallTarget):
3303         (JSC::FTL::SlowPathCallKey::hash const):
3304         (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
3305         * ftl/FTLState.cpp:
3306         (JSC::FTL::State::State):
3307         * ftl/FTLThunks.cpp:
3308         (JSC::FTL::genericGenerationThunkGenerator):
3309         (JSC::FTL::osrExitGenerationThunkGenerator):
3310         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3311         (JSC::FTL::slowPathCallThunkGenerator):
3312         * ftl/FTLThunks.h:
3313         (JSC::FTL::generateIfNecessary):
3314         (JSC::FTL::keyForThunk):
3315         (JSC::FTL::Thunks::getSlowPathCallThunk):
3316         (JSC::FTL::Thunks::keyForSlowPathCallThunk):
3317         * interpreter/InterpreterInlines.h:
3318         (JSC::Interpreter::getOpcodeID):
3319         * jit/AssemblyHelpers.cpp:
3320         (JSC::AssemblyHelpers::callExceptionFuzz):
3321         (JSC::AssemblyHelpers::emitDumbVirtualCall):
3322         (JSC::AssemblyHelpers::debugCall):
3323         * jit/CCallHelpers.cpp:
3324         (JSC::CCallHelpers::ensureShadowChickenPacket):
3325         * jit/ExecutableAllocator.cpp:
3326         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
3327         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
3328         * jit/ExecutableAllocator.h:
3329         (JSC::performJITMemcpy):
3330         * jit/GCAwareJITStubRoutine.cpp:
3331         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3332         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
3333         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
3334         (JSC::createJITStubRoutine):
3335         * jit/GCAwareJITStubRoutine.h:
3336         (JSC::createJITStubRoutine):
3337         * jit/JIT.cpp:
3338         (JSC::ctiPatchCallByReturnAddress):
3339         (JSC::JIT::compileWithoutLinking):
3340         (JSC::JIT::link):
3341         (JSC::JIT::privateCompileExceptionHandlers):
3342         * jit/JIT.h:
3343         (JSC::CallRecord::CallRecord):
3344         * jit/JITArithmetic.cpp:
3345         (JSC::JIT::emitMathICFast):
3346         (JSC::JIT::emitMathICSlow):
3347         * jit/JITCall.cpp:
3348         (JSC::JIT::compileOpCallSlowCase):
3349         * jit/JITCall32_64.cpp:
3350         (JSC::JIT::compileOpCallSlowCase):
3351         * jit/JITCode.cpp:
3352         (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
3353         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
3354         (JSC::DirectJITCode::DirectJITCode):
3355         (JSC::DirectJITCode::initializeCodeRef):
3356         (JSC::DirectJITCode::addressForCall):
3357         (JSC::NativeJITCode::NativeJITCode):
3358         (JSC::NativeJITCode::initializeCodeRef):
3359         (JSC::NativeJITCode::addressForCall):
3360         * jit/JITCode.h:
3361         * jit/JITCodeMap.h:
3362         (JSC::JITCodeMap::Entry::Entry):
3363         (JSC::JITCodeMap::Entry::codeLocation):
3364         (JSC::JITCodeMap::append):
3365         (JSC::JITCodeMap::find const):
3366         * jit/JITDisassembler.cpp:
3367         (JSC::JITDisassembler::dumpDisassembly):
3368         * jit/JITExceptions.cpp:
3369         (JSC::genericUnwind):
3370         * jit/JITInlineCacheGenerator.cpp:
3371         (JSC::JITByIdGenerator::finalize):
3372         * jit/JITInlines.h:
3373         (JSC::JIT::emitNakedCall):
3374         (JSC::JIT::emitNakedTailCall):
3375         (JSC::JIT::appendCallWithExceptionCheck):
3376         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
3377         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
3378         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
3379         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
3380         * jit/JITMathIC.h:
3381         (JSC::isProfileEmpty):
3382         * jit/JITOpcodes.cpp:
3383         (JSC::JIT::emit_op_catch):
3384         (JSC::JIT::emit_op_switch_imm):
3385         (JSC::JIT::emit_op_switch_char):
3386         (JSC::JIT::emit_op_switch_string):
3387         (JSC::JIT::privateCompileHasIndexedProperty):
3388         (JSC::JIT::emitSlow_op_has_indexed_property):
3389         * jit/JITOpcodes32_64.cpp:
3390         (JSC::JIT::privateCompileHasIndexedProperty):
3391         * jit/JITOperations.cpp:
3392         (JSC::getByVal):
3393         * jit/JITPropertyAccess.cpp:
3394         (JSC::JIT::stringGetByValStubGenerator):
3395         (JSC::JIT::emitGetByValWithCachedId):
3396         (JSC::JIT::emitSlow_op_get_by_val):
3397         (JSC::JIT::emitPutByValWithCachedId):
3398         (JSC::JIT::emitSlow_op_put_by_val):
3399         (JSC::JIT::emitSlow_op_try_get_by_id):
3400         (JSC::JIT::emitSlow_op_get_by_id_direct):
3401         (JSC::JIT::emitSlow_op_get_by_id):
3402         (JSC::JIT::emitSlow_op_get_by_id_with_this):
3403         (JSC::JIT::emitSlow_op_put_by_id):
3404         (JSC::JIT::privateCompileGetByVal):
3405         (JSC::JIT::privateCompileGetByValWithCachedId):
3406         (JSC::JIT::privateCompilePutByVal):
3407         (JSC::JIT::privateCompilePutByValWithCachedId):
3408         * jit/JITPropertyAccess32_64.cpp:
3409         (JSC::JIT::stringGetByValStubGenerator):
3410         (JSC::JIT::emitSlow_op_get_by_val):
3411         (JSC::JIT::emitSlow_op_put_by_val):
3412         * jit/JITStubRoutine.h:
3413         (JSC::JITStubRoutine::JITStubRoutine):
3414         (JSC::JITStubRoutine::createSelfManagedRoutine):
3415         (JSC::JITStubRoutine::code const):
3416         (JSC::JITStubRoutine::asCodePtr):
3417         * jit/JITThunks.cpp:
3418         (JSC::JITThunks::ctiNativeCall):
3419         (JSC::JITThunks::ctiNativeConstruct):
3420         (JSC::JITThunks::ctiNativeTailCall):
3421         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
3422         (JSC::JITThunks::ctiInternalFunctionCall):
3423         (JSC::JITThunks::ctiInternalFunctionConstruct):
3424         (JSC::JITThunks::ctiStub):
3425         (JSC::JITThunks::existingCTIStub):
3426         (JSC::JITThunks::hostFunctionStub):
3427         * jit/JITThunks.h:
3428         * jit/PCToCodeOriginMap.cpp:
3429         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
3430         * jit/PCToCodeOriginMap.h:
3431         * jit/PolymorphicCallStubRoutine.cpp:
3432         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
3433         * jit/PolymorphicCallStubRoutine.h:
3434         * jit/Repatch.cpp:
3435         (JSC::readPutICCallTarget):
3436         (JSC::ftlThunkAwareRepatchCall):
3437         (JSC::appropriateOptimizingGetByIdFunction):
3438         (JSC::appropriateGetByIdFunction):
3439         (JSC::tryCacheGetByID):
3440         (JSC::repatchGetByID):
3441         (JSC::tryCachePutByID):
3442         (JSC::repatchPutByID):
3443         (JSC::tryCacheIn):
3444         (JSC::repatchIn):
3445         (JSC::linkSlowFor):
3446         (JSC::linkFor):
3447         (JSC::linkDirectFor):
3448         (JSC::revertCall):
3449         (JSC::unlinkFor):
3450         (JSC::linkVirtualFor):
3451         (JSC::linkPolymorphicCall):
3452         (JSC::resetGetByID):
3453         (JSC::resetPutByID):
3454         * jit/Repatch.h:
3455         * jit/SlowPathCall.h:
3456         (JSC::JITSlowPathCall::call):
3457         * jit/SpecializedThunkJIT.h:
3458         (JSC::SpecializedThunkJIT::finalize):
3459         (JSC::SpecializedThunkJIT::callDoubleToDouble):
3460         (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
3461         * jit/ThunkGenerator.h:
3462         * jit/ThunkGenerators.cpp:
3463         (JSC::throwExceptionFromCallSlowPathGenerator):
3464         (JSC::slowPathFor):
3465         (JSC::linkCallThunkGenerator):
3466         (JSC::linkPolymorphicCallThunkGenerator):
3467         (JSC::virtualThunkFor):
3468         (JSC::nativeForGenerator):
3469         (JSC::nativeCallGenerator):
3470         (JSC::nativeTailCallGenerator):
3471         (JSC::nativeTailCallWithoutSavedTagsGenerator):
3472         (JSC::nativeConstructGenerator):
3473         (JSC::internalFunctionCallGenerator):
3474         (JSC::internalFunctionConstructGenerator):
3475         (JSC::arityFixupGenerator):
3476         (JSC::unreachableGenerator):
3477         (JSC::charCodeAtThunkGenerator):
3478         (JSC::charAtThunkGenerator):
3479         (JSC::fromCharCodeThunkGenerator):
3480         (JSC::clz32ThunkGenerator):
3481         (JSC::sqrtThunkGenerator):
3482         (JSC::floorThunkGenerator):
3483         (JSC::ceilThunkGenerator):
3484         (JSC::truncThunkGenerator):
3485         (JSC::roundThunkGenerator):
3486         (JSC::expThunkGenerator):
3487         (JSC::logThunkGenerator):
3488         (JSC::absThunkGenerator):
3489         (JSC::imulThunkGenerator):
3490         (JSC::randomThunkGenerator):
3491         (JSC::boundThisNoArgsFunctionCallGenerator):
3492         * jit/ThunkGenerators.h:
3493         * llint/LLIntData.cpp:
3494         (JSC::LLInt::initialize):
3495         * llint/LLIntData.h:
3496         (JSC::LLInt::getExecutableAddress):
3497         (JSC::LLInt::getCodePtr):
3498         (JSC::LLInt::getCodeRef):
3499         (JSC::LLInt::getCodeFunctionPtr):
3500         * llint/LLIntEntrypoint.cpp:
3501         (JSC::LLInt::setFunctionEntrypoint):
3502         (JSC::LLInt::setEvalEntrypoint):
3503         (JSC::LLInt::setProgramEntrypoint):
3504         (JSC::LLInt::setModuleProgramEntrypoint):
3505         * llint/LLIntExceptions.cpp:
3506         (JSC::LLInt::callToThrow):
3507         * llint/LLIntSlowPaths.cpp:
3508         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3509         (JSC::LLInt::setUpCall):
3510         * llint/LLIntThunks.cpp:
3511         (JSC::vmEntryToWasm):
3512         (JSC::LLInt::generateThunkWithJumpTo):
3513         (JSC::LLInt::functionForCallEntryThunkGenerator):
3514         (JSC::LLInt::functionForConstructEntryThunkGenerator):
3515         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
3516         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
3517         (JSC::LLInt::evalEntryThunkGenerator):
3518         (JSC::LLInt::programEntryThunkGenerator):
3519         (JSC::LLInt::moduleProgramEntryThunkGenerator):
3520         * llint/LLIntThunks.h:
3521         * llint/LowLevelInterpreter.asm:
3522         * llint/LowLevelInterpreter32_64.asm:
3523         * llint/LowLevelInterpreter64.asm:
3524         * profiler/ProfilerCompilation.cpp:
3525         (JSC::Profiler::Compilation::addOSRExitSite):
3526         * profiler/ProfilerCompilation.h:
3527         * profiler/ProfilerOSRExitSite.cpp:
3528         (JSC::Profiler::OSRExitSite::toJS const):
3529         * profiler/ProfilerOSRExitSite.h:
3530         (JSC::Profiler::OSRExitSite::OSRExitSite):
3531         (JSC::Profiler::OSRExitSite::codeAddress const):
3532         (JSC::Profiler::OSRExitSite:: const): Deleted.
3533         * runtime/ExecutableBase.cpp:
3534         (JSC::ExecutableBase::clearCode):
3535         * runtime/ExecutableBase.h:
3536         (JSC::ExecutableBase::entrypointFor):
3537         * runtime/NativeExecutable.cpp:
3538         (JSC::NativeExecutable::finishCreation):
3539         * runtime/NativeFunction.h:
3540         (JSC::TaggedNativeFunction::TaggedNativeFunction):
3541         (JSC::TaggedNativeFunction::operator NativeFunction):
3542         * runtime/PtrTag.h:
3543         (JSC::tagCodePtr):
3544         (JSC::untagCodePtr):
3545         (JSC::retagCodePtr):
3546         (JSC::tagCFunctionPtr):
3547         (JSC::untagCFunctionPtr):
3548         (JSC::nextPtrTagID): Deleted.
3549         * runtime/PutPropertySlot.h:
3550         (JSC::PutPropertySlot::PutPropertySlot):
3551         (JSC::PutPropertySlot::setCustomValue):
3552         (JSC::PutPropertySlot::setCustomAccessor):
3553         (JSC::PutPropertySlot::customSetter const):
3554         * runtime/ScriptExecutable.cpp:
3555         (JSC::ScriptExecutable::installCode):
3556         * runtime/VM.cpp:
3557         (JSC::VM::getHostFunction):
3558         (JSC::VM::getCTIInternalFunctionTrampolineFor):
3559         * runtime/VM.h:
3560         (JSC::VM::getCTIStub):
3561         * wasm/WasmB3IRGenerator.cpp:
3562         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3563         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
3564         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
3565         (JSC::Wasm::B3IRGenerator::addCall):
3566         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3567         * wasm/WasmBBQPlan.cpp:
3568         (JSC::Wasm::BBQPlan::prepare):
3569         (JSC::Wasm::BBQPlan::complete):
3570         * wasm/WasmBBQPlan.h:
3571         * wasm/WasmBinding.cpp:
3572         (JSC::Wasm::wasmToWasm):
3573         * wasm/WasmBinding.h:
3574         * wasm/WasmCallee.h:
3575         (JSC::Wasm::Callee::entrypoint const):
3576         * wasm/WasmCallingConvention.h:
3577         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
3578         * wasm/WasmCodeBlock.h:
3579         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
3580         * wasm/WasmFaultSignalHandler.cpp:
3581         (JSC::Wasm::trapHandler):
3582         * wasm/WasmFormat.h:
3583         * wasm/WasmInstance.h:
3584         * wasm/WasmOMGPlan.cpp:
3585         (JSC::Wasm::OMGPlan::work):
3586         * wasm/WasmThunks.cpp:
3587         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3588         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
3589         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3590         (JSC::Wasm::Thunks::stub):
3591         (JSC::Wasm::Thunks::existingStub):
3592         * wasm/WasmThunks.h:
3593         * wasm/js/JSToWasm.cpp:
3594         (JSC::Wasm::createJSToWasmWrapper):
3595         * wasm/js/JSWebAssemblyCodeBlock.h:
3596         * wasm/js/WasmToJS.cpp:
3597         (JSC::Wasm::handleBadI64Use):
3598         (JSC::Wasm::wasmToJS):
3599         * wasm/js/WasmToJS.h:
3600         * wasm/js/WebAssemblyFunction.h:
3601         * yarr/YarrJIT.cpp:
3602         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
3603         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
3604         (JSC::Yarr::YarrGenerator::compile):
3605         * yarr/YarrJIT.h:
3606         (JSC::Yarr::YarrCodeBlock::set8BitCode):
3607         (JSC::Yarr::YarrCodeBlock::set16BitCode):
3608         (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
3609         (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
3610         (JSC::Yarr::YarrCodeBlock::execute):
3611         (JSC::Yarr::YarrCodeBlock::clear):
3612
3613 2018-04-17  Commit Queue  <commit-queue@webkit.org>
3614
3615         Unreviewed, rolling out r230697, r230720, and r230724.
3616         https://bugs.webkit.org/show_bug.cgi?id=184717
3617
3618         These caused multiple failures on the Test262 testers.
3619         (Requested by mlewis13 on #webkit).
3620
3621         Reverted changesets:
3622
3623         "[WebAssembly][Modules] Prototype wasm import"
3624         https://bugs.webkit.org/show_bug.cgi?id=184600
3625         https://trac.webkit.org/changeset/230697
3626
3627         "[WebAssembly][Modules] Implement function import from wasm
3628         modules"
3629         https://bugs.webkit.org/show_bug.cgi?id=184689
3630         https://trac.webkit.org/changeset/230720
3631
3632         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
3633         https://bugs.webkit.org/show_bug.cgi?id=184703
3634         https://trac.webkit.org/changeset/230724
3635
3636 2018-04-17  JF Bastien  <jfbastien@apple.com>
3637
3638         A put is not an ExistingProperty put when we transition a structure because of an attributes change
3639         https://bugs.webkit.org/show_bug.cgi?id=184706
3640         <rdar://problem/38871451>
3641
3642         Reviewed by Saam Barati.
3643
3644         When putting a property on a structure and the slot is a different
3645         type, the slot can't be said to have already existed.
3646
3647         * runtime/JSObjectInlines.h:
3648         (JSC::JSObject::putDirectInternal):
3649
3650 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
3651
3652         JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
3653         https://bugs.webkit.org/show_bug.cgi?id=184705
3654
3655         Reviewed by Michael Saboff.
3656         
3657         My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
3658         while testing an unrelated patch, a concurrent GC thread crashed inside
3659         JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
3660         because a typed array became wasteful concurrently with the GC. So, visitChildren() read one
3661         mode and another vector.
3662         
3663         The fix is to lock inside visitChildren and anyone who changes those fields.
3664         
3665         I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
3666         this.
3667
3668         * runtime/JSArrayBufferView.cpp:
3669         (JSC::JSArrayBufferView::neuter):
3670         * runtime/JSGenericTypedArrayViewInlines.h:
3671         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
3672         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3673
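        The locking discipline described in the entry above, as an added C++ example (not JavaScriptCore's
        own code): a typed-array-like object whose mode and vector fields must be read by the GC visitor as
        one consistent pair. The class, field names and the race harness are this example's own; the
        shape follows the fix the entry describes (lock inside the visitor and inside every writer of those
        fields).

```cpp
// Added example, not JavaScriptCore code: a typed-array-like object whose
// m_mode and m_vector must be read by the GC visitor as one consistent pair.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <mutex>
#include <thread>

enum class Mode { FastTypedArray, WastefulTypedArray };

class TypedArrayLike {
public:
    TypedArrayLike() : m_mode(Mode::FastTypedArray), m_vector(m_inlineStorage) { }

    // Mutator side (cf. slowDownAndWasteMemory): move the backing store out of
    // line. Both fields change, and the lock makes the pair of writes atomic
    // with respect to the visitor.
    void slowDownAndWasteMemory()
    {
        std::lock_guard<std::mutex> locker(m_lock);
        if (m_mode == Mode::WastefulTypedArray)
            return;
        m_heapStorage = std::make_unique<uint8_t[]>(kLength);
        for (size_t i = 0; i < kLength; ++i)
            m_heapStorage[i] = m_inlineStorage[i];
        m_vector = m_heapStorage.get();
        m_mode = Mode::WastefulTypedArray;
    }

    // GC side (cf. visitChildren): snapshot (mode, vector) under the same lock.
    // Without it the visitor could pair the old mode with the new vector,
    // which is the torn read the entry above describes.
    bool visitChildrenSawConsistentState() const
    {
        std::lock_guard<std::mutex> locker(m_lock);
        Mode mode = m_mode;
        const uint8_t* vector = m_vector;
        bool vectorIsInline = vector == m_inlineStorage;
        return (mode == Mode::FastTypedArray) == vectorIsInline;
    }

    bool isWasteful() const
    {
        std::lock_guard<std::mutex> locker(m_lock);
        return m_mode == Mode::WastefulTypedArray;
    }

private:
    static constexpr size_t kLength = 16;
    mutable std::mutex m_lock;
    Mode m_mode;
    const uint8_t* m_vector;
    uint8_t m_inlineStorage[kLength] = { };
    std::unique_ptr<uint8_t[]> m_heapStorage;
};

// Race harness (constructed for this example): a visitor thread snapshots the
// object while the mutator thread makes it wasteful. Returns the number of
// torn snapshots observed; with the lock in place it is always 0.
size_t countTornSnapshots(size_t iterations)
{
    size_t torn = 0;
    for (size_t i = 0; i < iterations; ++i) {
        TypedArrayLike view;
        bool consistent = true;
        std::thread visitor([&] { consistent = view.visitChildrenSawConsistentState(); });
        view.slowDownAndWasteMemory();
        visitor.join();
        if (!consistent)
            ++torn;
    }
    return torn;
}

int main()
{
    return countTornSnapshots(500) == 0 ? 0 : 1;
}
```

        Removing the two lock_guard lines is what reproduces the torn read: the visitor may then see
        FastTypedArray paired with the heap pointer, or WastefulTypedArray paired with inline storage, and
        a marker that trusts the mode to decide what the vector points at follows the wrong pointer.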
3674 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
3675
3676         PutStackSinkingPhase should know that KillStack means ConflictingFlush
3677         https://bugs.webkit.org/show_bug.cgi?id=184672
3678
3679         Reviewed by Michael Saboff.
3680
3681         We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
3682         KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
3683         archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
3684         intentional - I don't know.
3685
3686         Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
3687         doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
3688         the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
3689         KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
3690         that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
3691         specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
3692         could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
3693         KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
3694         inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
3695         have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
3696         values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
3697         value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
3698
3699         This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
3700         them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
3701         its stack slot for the purpose of clobberize.
3702
3703         * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
3704         * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
3705         * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
3706         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
3707
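        The merge reasoning in the entry above, as an added C++ example that is not JSC's DFG code: a
        deliberately simplified flush-format lattice with a forward-flow pass over a diamond CFG, showing
        why treating KillStack as DeadFlush lets a PutStack be sunk past it while ConflictingFlush does not.
        The enum values, the merge rule and the Op names are this example's own assumptions.

```cpp
// Added example (not JavaScriptCore code): a simplified model of the flush
// lattice PutStackSinkingPhase reasons with. Dead is the merge identity;
// two different concrete formats, or anything involving Conflicting, merge
// to Conflicting.
#include <vector>

enum class Flush { Dead, Int32, Double, Conflicting }; // assumed, simplified formats

// Merge at a control-flow join.
Flush merge(Flush a, Flush b)
{
    if (a == Flush::Dead)
        return b;
    if (b == Flush::Dead)
        return a;
    if (a == b)
        return a;
    return Flush::Conflicting;
}

// A PutStack may be deferred (sunk) past the join only when the join state is
// a single concrete format.
bool canSinkPutStack(Flush stateAtJoin)
{
    return stateAtJoin != Flush::Dead && stateAtJoin != Flush::Conflicting;
}

enum class Op { PutStackInt32, KillStack };

// Forward flow along one path. PutStack yields its format. KillStack yields
// Dead (the reading the entry calls incorrect) or Conflicting (the fix).
Flush runPath(const std::vector<Op>& path, bool killStackIsConflicting)
{
    Flush state = Flush::Dead;
    for (Op op : path) {
        switch (op) {
        case Op::PutStackInt32:
            state = Flush::Int32;
            break;
        case Op::KillStack:
            state = killStackIsConflicting ? Flush::Conflicting : Flush::Dead;
            break;
        }
    }
    return state;
}

// Diamond CFG: path A does PutStack(Int32), path B does KillStack, then they
// join. Returns whether the sinking decision would move the PutStack past
// the join, i.e. past the KillStack along path B.
bool wouldSinkPastKillStack(bool killStackIsConflicting)
{
    Flush a = runPath({ Op::PutStackInt32 }, killStackIsConflicting);
    Flush b = runPath({ Op::KillStack }, killStackIsConflicting);
    return canSinkPutStack(merge(a, b));
}

int main()
{
    // With KillStack as Dead the PutStack would be sunk (wrong); as
    // Conflicting it is kept above the join.
    return (wouldSinkPastKillStack(false) && !wouldSinkPastKillStack(true)) ? 0 : 1;
}
```

        The point the model makes is the one in the entry: DeadFlush is an identity element, so a path that
        ends in a KillStack contributes nothing at the join and the other path's format wins; ConflictingFlush
        is absorbing, so the KillStack path forces the conservative answer.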
3708 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
3709
3710         JSWebAssemblyCodeBlock should be in an IsoSubspace
3711         https://bugs.webkit.org/show_bug.cgi?id=184704
3712
3713         Reviewed by Mark Lam.
3714         
3715         Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
3716         CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
3717         short-circuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
3718         protection.
3719
3720         * runtime/VM.cpp:
3721         (JSC::VM::VM):
3722         * runtime/VM.h:
3723         * wasm/js/JSWebAssemblyCodeBlock.h:
3724
3725 2018-04-17  Jer Noble  <jer.noble@apple.com>
3726
3727         Only enable useSeparatedWXHeap on ARM64.
3728         https://bugs.webkit.org/show_bug.cgi?id=184697
3729
3730         Reviewed by Saam Barati.
3731
3732         * runtime/Options.cpp:
3733         (JSC::recomputeDependentOptions):
3734
3735 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3736
3737         [WebAssembly][Modules] Implement function import from wasm modules
3738         https://bugs.webkit.org/show_bug.cgi?id=184689
3739
3740         Reviewed by JF Bastien.
3741
3742         This patch implements function import from wasm modules. We move the function importing part
3743         from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
3744         is because linking these functions requires that all the dependent modules are created.
3745         While we want to move all the linking functionality from JSWebAssemblyInstance to
3746         WebAssemblyModuleRecord::link, we do not do that in this patch.  In this patch, we move only the
3747         function importing part because efficient compilation of WebAssembly needs to know
3748         the type of WebAssemblyMemory (signaling or bounds checking). This needs to know the imported
3749         or attached WebAssembly memory object. So we cannot defer this linking to
3750         WebAssemblyModuleRecord::link now.
3751
3752         The largest difference from JS module linking is that WebAssembly module linking links
3753         functions from the module by snapshotting. When you have a cyclic module graph like this,
3754
3755         -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
3756             ^                                                   |
3757             +---------------------------------------------------+
3758
3759         we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
3760         is described in [1], and tested in this patch.
3761
3762         [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
3763
3764         * JavaScriptCore.xcodeproj/project.pbxproj:
3765         * jsc.cpp:
3766         (functionDollarAgentStart):
3767         (checkException):
3768         (runWithOptions):
3769         Small fixes for wasm module loading.
3770
3771         * parser/NodesAnalyzeModule.cpp:
3772         (JSC::ImportDeclarationNode::analyzeModule):
3773         * runtime/AbstractModuleRecord.cpp:
3774         (JSC::AbstractModuleRecord::resolveImport):
3775         (JSC::AbstractModuleRecord::link):
3776         * runtime/AbstractModuleRecord.h:
3777         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
3778         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
3779         Now, wasm modules can have an import which is named "*". So this function does not work.
3780         Since wasm modules never have namespace importing, we check this in JS's module analyzer.
3781
3782         * runtime/JSModuleEnvironment.cpp:
3783         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
3784         * runtime/JSModuleRecord.cpp:
3785         (JSC::JSModuleRecord::instantiateDeclarations):
3786         * wasm/WasmCreationMode.h: Added.
3787         * wasm/js/JSWebAssemblyInstance.cpp:
3788         (JSC::JSWebAssemblyInstance::finalizeCreation):
3789         (JSC::JSWebAssemblyInstance::create):
3790         * wasm/js/JSWebAssemblyInstance.h:
3791         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3792         (JSC::constructJSWebAssemblyInstance):
3793         * wasm/js/WebAssemblyModuleRecord.cpp:
3794         (JSC::WebAssemblyModuleRecord::link):
3795         * wasm/js/WebAssemblyModuleRecord.h:
3796         * wasm/js/WebAssemblyPrototype.cpp:
3797         (JSC::resolve):
3798         (JSC::instantiate):
3799         (JSC::compileAndInstantiate):
3800         (JSC::WebAssemblyPrototype::instantiate):
3801         (JSC::webAssemblyInstantiateFunc):
3802
3803 2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>
3804
3805         Implement setupArgumentsImpl for ARM and MIPS
3806         https://bugs.webkit.org/show_bug.cgi?id=183786
3807
3808         Reviewed by Yusuke Suzuki.
3809
3810         Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling conventions. Added
3811         numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
3812         registers used for 64-bit values on 32-bit architectures. numCrossSources
3813         keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
3814
3815         * assembler/MacroAssemblerARMv7.h:
3816         (JSC::MacroAssemblerARMv7::moveDouble):
3817         * assembler/MacroAssemblerMIPS.h:
3818         (JSC::MacroAssemblerMIPS::moveDouble):
3819         * jit/CCallHelpers.h:
3820         (JSC::CCallHelpers::setupStubCrossArgs):
3821         (JSC::CCallHelpers::ArgCollection::ArgCollection):
3822         (JSC::CCallHelpers::ArgCollection::pushRegArg):
3823         (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
3824         (JSC::CCallHelpers::ArgCollection::addGPRArg):
3825         (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
3826         (JSC::CCallHelpers::ArgCollection::addStackArg):
3827         (JSC::CCallHelpers::ArgCollection::addPoke):
3828         (JSC::CCallHelpers::ArgCollection::argCount):
3829         (JSC::CCallHelpers::calculatePokeOffset):
3830         (JSC::CCallHelpers::pokeForArgument):
3831         (JSC::CCallHelpers::stackAligned):
3832         (JSC::CCallHelpers::marshallArgumentRegister):
3833         (JSC::CCallHelpers::setupArgumentsImpl):
3834         (JSC::CCallHelpers::pokeArgumentsAligned):
3835         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
3836         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
3837         (JSC::CCallHelpers::setupArguments):
3838         * jit/FPRInfo.h:
3839         (JSC::FPRInfo::toArgumentRegister):
3840
3841 2018-04-17  Saam Barati  <sbarati@apple.com>
3842
3843         Add system trace points for process launch and for initializeWebProcess
3844         https://bugs.webkit.org/show_bug.cgi?id=184669
3845
3846         Reviewed by Simon Fraser.
3847
3848         * runtime/VMEntryScope.cpp:
3849         (JSC::VMEntryScope::VMEntryScope):
3850         (JSC::VMEntryScope::~VMEntryScope):
3851
3852 2018-04-17  Jer Noble  <jer.noble@apple.com>
3853
3854         Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
3855         https://bugs.webkit.org/show_bug.cgi?id=184602
3856
3857         Reviewed by Beth Dakin.
3858
3859         * JavaScriptCore.xcodeproj/project.pbxproj:
3860
3861 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
3862
3863         [GLIB] Add API to clear JSCContext uncaught exception
3864         https://bugs.webkit.org/show_bug.cgi?id=184685
3865
3866         Reviewed by Žan Doberšek.
3867
3868         Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
3869
3870         * API/glib/JSCContext.cpp:
3871         (jsc_context_clear_exception):
3872         * API/glib/JSCContext.h:
3873         * API/glib/docs/jsc-glib-4.0-sections.txt:
3874
3875 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
3876
3877         [GLIB] Add API to query, delete and enumerate properties
3878         https://bugs.webkit.org/show_bug.cgi?id=184647
3879
3880         Reviewed by Michael Catanzaro.
3881
3882         Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
3883
3884         * API/glib/JSCValue.cpp:
3885         (jsc_value_object_has_property):
3886         (jsc_value_object_delete_property):
3887         (jsc_value_object_enumerate_properties):
3888         * API/glib/JSCValue.h:
3889         * API/glib/docs/jsc-glib-4.0-sections.txt:
3890
3891 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3892
3893         [WebAssembly][Modules] Prototype wasm import
3894         https://bugs.webkit.org/show_bug.cgi?id=184600
3895
3896         Reviewed by JF Bastien.
3897
3898         This patch is an initial attempt to implement Wasm loading in the module pipeline.
3899         Currently,
3900
3901         1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
3902            in whatwg HTML, we should integrate this into WebCore.
3903
3904         2. We only support exporting values from Wasm. A Wasm module cannot import anything from
3905            the other modules now.
3906
3907         When loading a file, the JSC shell checks the wasm magic. If the wasm magic is found, the JSC shell
3908         loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
3909         module loader pipeline just handles it the same as JS. When parsing a module, we
3910         check the type of JSSourceCode. If the source code is Wasm source code, we create a
3911         WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
3912         AbstractModuleRecord and the Wasm module is instantiated, linked, and evaluated.
3913
3914         * builtins/ModuleLoaderPrototype.js:
3915         (globalPrivate.newRegistryEntry):
3916         (requestInstantiate):
3917         (link):
3918         * jsc.cpp:
3919         (convertShebangToJSComment):
3920         (fillBufferWithContentsOfFile):
3921         (fetchModuleFromLocalFileSystem):
3922         (GlobalObject::moduleLoaderFetch):
3923         * parser/SourceProvider.h:
3924         (JSC::WebAssemblySourceProvider::create):
3925         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
3926         * runtime/AbstractModuleRecord.cpp:
3927         (JSC::AbstractModuleRecord::hostResolveImportedModule):
3928         (JSC::AbstractModuleRecord::link):
3929         (JSC::AbstractModuleRecord::evaluate):
3930         (JSC::identifierToJSValue): Deleted.
3931         * runtime/AbstractModuleRecord.h:
3932         * runtime/JSModuleLoader.cpp:
3933         (JSC::JSModuleLoader::evaluate):
3934         * runtime/JSModuleRecord.cpp:
3935         (JSC::JSModuleRecord::link):
3936         (JSC::JSModuleRecord::instantiateDeclarations):
3937         * runtime/JSModuleRecord.h:
3938         * runtime/ModuleLoaderPrototype.cpp:
3939         (JSC::moduleLoaderPrototypeParseModule):
3940         (JSC::moduleLoaderPrototypeRequestedModules):
3941         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
3942         * wasm/js/JSWebAssemblyHelpers.h:
3943         (JSC::getWasmBufferFromValue):
3944         (JSC::createSourceBufferFromValue):
3945         * wasm/js/JSWebAssemblyInstance.cpp:
3946         (JSC::JSWebAssemblyInstance::finalizeCreation):
3947         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
3948         (JSC::JSWebAssemblyInstance::create):
3949         * wasm/js/JSWebAssemblyInstance.h:
3950         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3951         (JSC::constructJSWebAssemblyInstance):
3952         * wasm/js/WebAssemblyModuleRecord.cpp:
3953         (JSC::WebAssemblyModuleRecord::prepareLink):
39