[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-04-30  Saam Barati  <sbarati@apple.com>
2
3         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
4         https://bugs.webkit.org/show_bug.cgi?id=185149
5         <rdar://problem/39455917>
6
7         Reviewed by Filip Pizlo.
8
9         The bug was that we were deleting checks that we shouldn't have deleted.
10         This patch makes a helper inside strength reduction that converts to
11         a LazyJSConstant while maintaining checks, and switches users of the
12         node API inside strength reduction to instead call the helper function.
13         
14         This patch also fixes a potential bug where StringReplace and
15         StringReplaceRegExp may not preserve all their checks.
16
17
18         * dfg/DFGStrengthReductionPhase.cpp:
19         (JSC::DFG::StrengthReductionPhase::handleNode):
20         (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
21
22 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
23
24         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
25         https://bugs.webkit.org/show_bug.cgi?id=185126
26
27         Reviewed by Saam Barati.
28         
29         This change is just restoring functionality that we've already had for a while. It had been
30         accidentally broken due to an unrelated CodeBlock refactoring.
31
32         * dfg/DFGLICMPhase.cpp:
33         (JSC::DFG::LICMPhase::attemptHoist):
34
35 2018-04-30  Mark Lam  <mark.lam@apple.com>
36
37         Apply PtrTags to the MetaAllocator and friends.
38         https://bugs.webkit.org/show_bug.cgi?id=185110
39         <rdar://problem/39533895>
40
41         Reviewed by Saam Barati.
42
43         1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
44         2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
45            and add a sanity check to verify that allocated code buffers are within those
46            bounds.
47
48         * assembler/LinkBuffer.cpp:
49         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
50         (JSC::LinkBuffer::copyCompactAndLinkCode):
51         (JSC::LinkBuffer::linkCode):
52         (JSC::LinkBuffer::allocate):
53         * assembler/LinkBuffer.h:
54         (JSC::LinkBuffer::LinkBuffer):
55         (JSC::LinkBuffer::debugAddress):
56         (JSC::LinkBuffer::code):
57         * assembler/MacroAssemblerCodeRef.h:
58         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
59         * bytecode/InlineAccess.cpp:
60         (JSC::linkCodeInline):
61         (JSC::InlineAccess::rewireStubAsJump):
62         * dfg/DFGJITCode.cpp:
63         (JSC::DFG::JITCode::findPC):
64         * ftl/FTLJITCode.cpp:
65         (JSC::FTL::JITCode::findPC):
66         * jit/ExecutableAllocator.cpp:
67         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
68         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
69         (JSC::ExecutableAllocator::allocate):
70         * jit/ExecutableAllocator.h:
71         (JSC::isJITPC):
72         (JSC::performJITMemcpy):
73         * jit/JIT.cpp:
74         (JSC::JIT::link):
75         * jit/JITMathIC.h:
76         (JSC::isProfileEmpty):
77         * runtime/JSCPtrTag.h:
78         * wasm/WasmCallee.cpp:
79         (JSC::Wasm::Callee::Callee):
80         * wasm/WasmFaultSignalHandler.cpp:
81         (JSC::Wasm::trapHandler):
82
83 2018-04-30  Keith Miller  <keith_miller@apple.com>
84
85         Move the MayBePrototype JSCell header bit to InlineTypeFlags
86         https://bugs.webkit.org/show_bug.cgi?id=185143
87
88         Reviewed by Mark Lam.
89
90         * runtime/IndexingType.h:
91         * runtime/JSCellInlines.h:
92         (JSC::JSCell::setStructure):
93         (JSC::JSCell::mayBePrototype const):
94         (JSC::JSCell::didBecomePrototype):
95         * runtime/JSTypeInfo.h:
96         (JSC::TypeInfo::mayBePrototype):
97         (JSC::TypeInfo::mergeInlineTypeFlags):
98
99 2018-04-30  Keith Miller  <keith_miller@apple.com>
100
101         Remove unneeded exception check from String.fromCharCode
102         https://bugs.webkit.org/show_bug.cgi?id=185083
103
104         Reviewed by Mark Lam.
105
106         * runtime/StringConstructor.cpp:
107         (JSC::stringFromCharCode):
108
109 2018-04-30  Keith Miller  <keith_miller@apple.com>
110
111         Move StructureIsImmortal to out of line flags.
112         https://bugs.webkit.org/show_bug.cgi?id=185101
113
114         Reviewed by Saam Barati.
115
116         This will free up a bit in the inline flags into which we can move the
117         isPrototype bit. This will, in turn, free a bit for use in
118         implementing copy on write butterflies.
119
120         Also, this patch removes an assertion from Structure::typeInfo()
121         that inadvertently makes the function invalid to call while
122         cleaning up the vm.
123
124         * heap/HeapCellType.cpp:
125         (JSC::DefaultDestroyFunc::operator() const):
126         * runtime/JSCell.h:
127         * runtime/JSCellInlines.h:
128         (JSC::JSCell::callDestructor): Deleted.
129         * runtime/JSTypeInfo.h:
130         (JSC::TypeInfo::hasStaticPropertyTable):
131         (JSC::TypeInfo::structureIsImmortal const):
132         * runtime/Structure.h:
133
134 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
135
136         [JSC] Remove arity fixup check if the number of parameters is 1
137         https://bugs.webkit.org/show_bug.cgi?id=183984
138
139         Reviewed by Mark Lam.
140
141         If the number of parameters is one (|this|), we never hit the arity fixup check.
142         We do not need to emit arity fixup check code.
143
144         * dfg/DFGDriver.cpp:
145         (JSC::DFG::compileImpl):
146         * dfg/DFGJITCompiler.cpp:
147         (JSC::DFG::JITCompiler::compileFunction):
148         * dfg/DFGJITCompiler.h:
149         * ftl/FTLLink.cpp:
150         (JSC::FTL::link):
151         * jit/JIT.cpp:
152         (JSC::JIT::compileWithoutLinking):
153
154 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
155
156         Use WordLock instead of std::mutex for Threading
157         https://bugs.webkit.org/show_bug.cgi?id=185121
158
159         Reviewed by Geoffrey Garen.
160
161         ThreadGroup starts using WordLock.
162
163         * heap/MachineStackMarker.h:
164         (JSC::MachineThreads::getLock):
165
166 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
167
168         B3 should run tail duplication at the bitter end
169         https://bugs.webkit.org/show_bug.cgi?id=185123
170
171         Reviewed by Geoffrey Garen.
172         
173         Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
174         everywhere else.
175         
176         The goal of this change is to allow us to run path specialization after switch lowering but
177         before tail duplication.
178
179         * b3/B3Generate.cpp:
180         (JSC::B3::generateToAir):
181         * runtime/Options.h:
182
183 2018-04-29  Commit Queue  <commit-queue@webkit.org>
184
185         Unreviewed, rolling out r231137.
186         https://bugs.webkit.org/show_bug.cgi?id=185118
187
188         It is breaking Test262 language/expressions/multiplication
189         /order-of-evaluation.js (Requested by caiolima on #webkit).
190
191         Reverted changeset:
192
193         "[ESNext][BigInt] Implement support for "*" operation"
194         https://bugs.webkit.org/show_bug.cgi?id=183721
195         https://trac.webkit.org/changeset/231137
196
197 2018-04-28  Saam Barati  <sbarati@apple.com>
198
199         We don't model regexp effects properly
200         https://bugs.webkit.org/show_bug.cgi?id=185059
201         <rdar://problem/39736150>
202
203         Reviewed by Filip Pizlo.
204
205         RegExp exec/test can have arbitrary side effects when applying ToNumber to lastIndex if
206         the regexp is global.
207
208         * dfg/DFGAbstractInterpreterInlines.h:
209         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
210         * dfg/DFGClobberize.h:
211         (JSC::DFG::clobberize):
212
213 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
214
215         Token misspelled "tocken" in error message string
216         https://bugs.webkit.org/show_bug.cgi?id=185030
217
218         Reviewed by Saam Barati.
219
220         * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
221         (JSC::Parser<LexerType>::Parser):
222         (JSC::Parser<LexerType>::didFinishParsing):
223         (JSC::Parser<LexerType>::parseSourceElements):
224         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
225         (JSC::Parser<LexerType>::parseVariableDeclaration):
226         (JSC::Parser<LexerType>::parseWhileStatement):
227         (JSC::Parser<LexerType>::parseVariableDeclarationList):
228         (JSC::Parser<LexerType>::createBindingPattern):
229         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
230         (JSC::Parser<LexerType>::parseObjectRestElement):
231         (JSC::Parser<LexerType>::parseDestructuringPattern):
232         (JSC::Parser<LexerType>::parseForStatement):
233         (JSC::Parser<LexerType>::parseBreakStatement):
234         (JSC::Parser<LexerType>::parseContinueStatement):
235         (JSC::Parser<LexerType>::parseThrowStatement):
236         (JSC::Parser<LexerType>::parseWithStatement):
237         (JSC::Parser<LexerType>::parseSwitchStatement):
238         (JSC::Parser<LexerType>::parseSwitchClauses):
239         (JSC::Parser<LexerType>::parseTryStatement):
240         (JSC::Parser<LexerType>::parseBlockStatement):
241         (JSC::Parser<LexerType>::parseFormalParameters):
242         (JSC::Parser<LexerType>::parseFunctionParameters):
243         (JSC::Parser<LexerType>::parseFunctionInfo):
244         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
245         (JSC::Parser<LexerType>::parseExpressionStatement):
246         (JSC::Parser<LexerType>::parseIfStatement):
247         (JSC::Parser<LexerType>::parseAssignmentExpression):
248         (JSC::Parser<LexerType>::parseConditionalExpression):
249         (JSC::Parser<LexerType>::parseBinaryExpression):
250         (JSC::Parser<LexerType>::parseObjectLiteral):
251         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
252         (JSC::Parser<LexerType>::parseArrayLiteral):
253         (JSC::Parser<LexerType>::parseArguments):
254         (JSC::Parser<LexerType>::parseMemberExpression):
255         (JSC::operatorString):
256         (JSC::Parser<LexerType>::parseUnaryExpression):
257         (JSC::Parser<LexerType>::printUnexpectedTokenText):
258
259 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
260
261         [ESNext][BigInt] Implement support for "*" operation
262         https://bugs.webkit.org/show_bug.cgi?id=183721
263
264         Reviewed by Saam Barati.
265
266         Added BigInt support to the times binary operator in LLInt and in the
267         JITOperations profiledMul and unprofiledMul. We are also replacing all
268         uses of int with unsigned where the variables never hold negative
269         values.
270
271         * dfg/DFGConstantFoldingPhase.cpp:
272         (JSC::DFG::ConstantFoldingPhase::foldConstants):
273         * jit/JITOperations.cpp:
274         * runtime/CommonSlowPaths.cpp:
275         (JSC::SLOW_PATH_DECL):
276         * runtime/JSBigInt.cpp:
277         (JSC::JSBigInt::JSBigInt):
278         (JSC::JSBigInt::allocationSize):
279         (JSC::JSBigInt::createWithLength):
280         (JSC::JSBigInt::toString):
281         (JSC::JSBigInt::multiply):
282         (JSC::JSBigInt::digitDiv):
283         (JSC::JSBigInt::internalMultiplyAdd):
284         (JSC::JSBigInt::multiplyAccumulate):
285         (JSC::JSBigInt::equals):
286         (JSC::JSBigInt::absoluteDivSmall):
287         (JSC::JSBigInt::calculateMaximumCharactersRequired):
288         (JSC::JSBigInt::toStringGeneric):
289         (JSC::JSBigInt::rightTrim):
290         (JSC::JSBigInt::allocateFor):
291         (JSC::JSBigInt::parseInt):
292         (JSC::JSBigInt::digit):
293         (JSC::JSBigInt::setDigit):
294         * runtime/JSBigInt.h:
295         * runtime/Operations.h:
296         (JSC::jsMul):
297
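Added example, not JSC code and not the Test262 test itself: plain JavaScript that exercises two semantic requirements an LLInt or JIT implementation of BigInt `*` has to preserve, and which the rollout entry further up reports the patch tripped over in `language/expressions/multiplication/order-of-evaluation.js`: the left operand is converted with ToNumeric before the right one, and a BigInt operand combined with a Number operand throws a TypeError. The helper names (`multiplyWithTrace`, `multiplyOrError`, `squareTwoToThe64`) are the example's own; it needs an engine with BigInt support (node 10.4 or later).

```javascript
// Added example: observable semantics of the BigInt `*` operator.
// Names are the example's own, not JSC identifiers.

// Wraps each operand in an object whose valueOf records when ToNumeric
// reached it, so the conversion order of `a * b` becomes visible.
function multiplyWithTrace(left, right) {
  const trace = [];
  const wrap = (name, value) => ({
    valueOf() {
      trace.push(name);
      return value;
    },
  });
  const product = wrap('left', left) * wrap('right', right);
  return { product, trace, type: typeof product };
}

// Mixing BigInt and Number operands must throw a TypeError; a correct
// implementation cannot silently coerce either side.
function multiplyOrError(a, b) {
  try {
    return { ok: true, product: a * b };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Multi-digit case: 2^64 * 2^64 no longer fits one 64-bit digit, which is
// the path a digit-by-digit multiply-accumulate loop has to get right.
function squareTwoToThe64() {
  const twoTo64 = 2n ** 64n;
  return multiplyOrError(twoTo64, twoTo64).product;
}
```

`multiplyWithTrace(6n, 7n)` yields 42n with the trace `['left', 'right']`; swapping that order, or coercing `2n * 3` instead of throwing, is what a conformance run catches even when every product on plain literals is correct.
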
298 2018-04-28  Commit Queue  <commit-queue@webkit.org>
299
300         Unreviewed, rolling out r231131.
301         https://bugs.webkit.org/show_bug.cgi?id=185112
302
303         It is breaking Debug build due to unchecked exception
304         (Requested by caiolima on #webkit).
305
306         Reverted changeset:
307
308         "[ESNext][BigInt] Implement support for "*" operation"
309         https://bugs.webkit.org/show_bug.cgi?id=183721
310         https://trac.webkit.org/changeset/231131
311
312 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
313
314         [ESNext][BigInt] Implement support for "*" operation
315         https://bugs.webkit.org/show_bug.cgi?id=183721
316
317         Reviewed by Saam Barati.
318
319         Added BigInt support to the times binary operator in LLInt and in the
320         JITOperations profiledMul and unprofiledMul. We are also replacing all
321         uses of int with unsigned where the variables never hold negative
322         values.
323
324         * dfg/DFGConstantFoldingPhase.cpp:
325         (JSC::DFG::ConstantFoldingPhase::foldConstants):
326         * jit/JITOperations.cpp:
327         * runtime/CommonSlowPaths.cpp:
328         (JSC::SLOW_PATH_DECL):
329         * runtime/JSBigInt.cpp:
330         (JSC::JSBigInt::JSBigInt):
331         (JSC::JSBigInt::allocationSize):
332         (JSC::JSBigInt::createWithLength):
333         (JSC::JSBigInt::toString):
334         (JSC::JSBigInt::multiply):
335         (JSC::JSBigInt::digitDiv):
336         (JSC::JSBigInt::internalMultiplyAdd):
337         (JSC::JSBigInt::multiplyAccumulate):
338         (JSC::JSBigInt::equals):
339         (JSC::JSBigInt::absoluteDivSmall):
340         (JSC::JSBigInt::calculateMaximumCharactersRequired):
341         (JSC::JSBigInt::toStringGeneric):
342         (JSC::JSBigInt::rightTrim):
343         (JSC::JSBigInt::allocateFor):
344         (JSC::JSBigInt::parseInt):
345         (JSC::JSBigInt::digit):
346         (JSC::JSBigInt::setDigit):
347         * runtime/JSBigInt.h:
348         * runtime/Operations.h:
349         (JSC::jsMul):
350
351 2018-04-27  JF Bastien  <jfbastien@apple.com>
352
353         Make the first 64 bits of JSString look like a double JSValue
354         https://bugs.webkit.org/show_bug.cgi?id=185081
355
356         Reviewed by Filip Pizlo.
357
358         We can be clever about how we lay out JSString so that, were it
359         reinterpreted as a JSValue, it would look like a double.
360
361         * assembler/MacroAssemblerX86Common.h:
362         (JSC::MacroAssemblerX86Common::and16):
363         * assembler/X86Assembler.h:
364         (JSC::X86Assembler::andw_mr):
365         * dfg/DFGSpeculativeJIT.cpp:
366         (JSC::DFG::SpeculativeJIT::compileMakeRope):
367         * ftl/FTLLowerDFGToB3.cpp:
368         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
369         * ftl/FTLOutput.h:
370         (JSC::FTL::Output::store32As8):
371         (JSC::FTL::Output::store32As16):
372         * runtime/JSString.h:
373         (JSC::JSString::JSString):
374
375 2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>
376
377         [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
378         https://bugs.webkit.org/show_bug.cgi?id=185055
379
380         Reviewed by JF Bastien.
381
382         This patch is paving the way to emitting the jscvt instruction if possible.
383         To do that, we need to determine whether the jscvt instruction is supported
384         by the given CPU.
385
386         We add a function collectCPUFeatures, which is responsible for collecting
387         CPU features when necessary. On Linux, we can use the auxiliary vector to get
388         the information without parsing /proc/cpuinfo.
389
390         Currently, nobody calls this function. It will be called later when we emit
391         the jscvt instruction. To make that possible, we also need to add
392         disassembler support.
393
394         * assembler/AbstractMacroAssembler.h:
395         * assembler/MacroAssemblerARM64.cpp:
396         (JSC::MacroAssemblerARM64::collectCPUFeatures):
397         * assembler/MacroAssemblerARM64.h:
398         * assembler/MacroAssemblerX86Common.h:
399
400 2018-04-26  Filip Pizlo  <fpizlo@apple.com>
401
402         Also run foldPathConstants before mussing up SSA
403         https://bugs.webkit.org/show_bug.cgi?id=185069
404
405         Reviewed by Saam Barati.
406         
407         This isn't needed now, but will be once I implement the phase in bug 185060.
408         
409         This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
410         Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
411         be landed separately and measured separately from that phase.
412         
413         It's probably nice for sanity to have this and reduceStrength run before tail duplication and
414         another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
415         it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
416         neutral. It all depends on what programs typically look like.
417
418         * b3/B3Generate.cpp:
419         (JSC::B3::generateToAir):
420
421 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
422
423         Unreviewed, rolling out r231086.
424
425         Caused JSC test failures due to an unchecked exception.
426
427         Reverted changeset:
428
429         "[ESNext][BigInt] Implement support for "*" operation"
430         https://bugs.webkit.org/show_bug.cgi?id=183721
431         https://trac.webkit.org/changeset/231086
432
433 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
434
435         [ESNext][BigInt] Implement support for "*" operation
436         https://bugs.webkit.org/show_bug.cgi?id=183721
437
438         Reviewed by Saam Barati.
439
440         Added BigInt support to the times binary operator in LLInt and in the
441         JITOperations profiledMul and unprofiledMul. We are also replacing all
442         uses of int with unsigned where the variables never hold negative
443         values.
444
445         * dfg/DFGConstantFoldingPhase.cpp:
446         (JSC::DFG::ConstantFoldingPhase::foldConstants):
447         * jit/JITOperations.cpp:
448         * runtime/CommonSlowPaths.cpp:
449         (JSC::SLOW_PATH_DECL):
450         * runtime/JSBigInt.cpp:
451         (JSC::JSBigInt::JSBigInt):
452         (JSC::JSBigInt::allocationSize):
453         (JSC::JSBigInt::createWithLength):
454         (JSC::JSBigInt::toString):
455         (JSC::JSBigInt::multiply):
456         (JSC::JSBigInt::digitDiv):
457         (JSC::JSBigInt::internalMultiplyAdd):
458         (JSC::JSBigInt::multiplyAccumulate):
459         (JSC::JSBigInt::equals):
460         (JSC::JSBigInt::absoluteDivSmall):
461         (JSC::JSBigInt::calculateMaximumCharactersRequired):
462         (JSC::JSBigInt::toStringGeneric):
463         (JSC::JSBigInt::rightTrim):
464         (JSC::JSBigInt::allocateFor):
465         (JSC::JSBigInt::parseInt):
466         (JSC::JSBigInt::digit):
467         (JSC::JSBigInt::setDigit):
468         * runtime/JSBigInt.h:
469         * runtime/Operations.h:
470         (JSC::jsMul):
471
472 2018-04-26  Mark Lam  <mark.lam@apple.com>
473
474         Gardening: Speculative build fix for Windows.
475         https://bugs.webkit.org/show_bug.cgi?id=184976
476         <rdar://problem/39723901>
477
478         Not reviewed.
479
480         * runtime/JSCPtrTag.h:
481
482 2018-04-26  Mark Lam  <mark.lam@apple.com>
483
484         Gardening: Windows build fix.
485
486         Not reviewed.
487
488         * runtime/Options.cpp:
489
490 2018-04-26  Jer Noble  <jer.noble@apple.com>
491
492         WK_COCOA_TOUCH all the things.
493         https://bugs.webkit.org/show_bug.cgi?id=185006
494         <rdar://problem/39736025>
495
496         Reviewed by Tim Horton.
497
498         * Configurations/Base.xcconfig:
499
500 2018-04-26  Per Arne Vollan  <pvollan@apple.com>
501
502         Disable content filtering in minimal simulator mode
503         https://bugs.webkit.org/show_bug.cgi?id=185027
504         <rdar://problem/39736091>
505
506         Reviewed by Jer Noble.
507
508         * Configurations/FeatureDefines.xcconfig:
509
510 2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>
511
512         [INTL] Implement Intl.PluralRules
513         https://bugs.webkit.org/show_bug.cgi?id=184312
514
515         Reviewed by JF Bastien.
516
517         Use UNumberFormat to enforce formatting, and then UPluralRules to find
518         the correct plural rule for the given number. Relies on ICU v59+ for
519         resolvedOptions().pluralCategories and trailing 0 detection.
520         Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.
521
522         * CMakeLists.txt:
523         * Configurations/FeatureDefines.xcconfig:
524         * DerivedSources.make:
525         * JavaScriptCore.xcodeproj/project.pbxproj:
526         * Sources.txt:
527         * builtins/BuiltinNames.h:
528         * runtime/BigIntObject.cpp:
529         (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
530         * runtime/BigIntObject.h:
531         * runtime/CommonIdentifiers.h:
532         * runtime/IntlObject.cpp:
533         (JSC::IntlObject::finishCreation):
534         * runtime/IntlObject.h:
535         * runtime/IntlPluralRules.cpp: Added.
536         (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
537         (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
538         (JSC::UEnumerationDeleter::operator() const):
539         (JSC::IntlPluralRules::create):
540         (JSC::IntlPluralRules::createStructure):
541         (JSC::IntlPluralRules::IntlPluralRules):
542         (JSC::IntlPluralRules::finishCreation):
543         (JSC::IntlPluralRules::destroy):
544         (JSC::IntlPluralRules::visitChildren):
545         (JSC::IntlPRInternal::localeData):
546         (JSC::IntlPluralRules::initializePluralRules):
547         (JSC::IntlPluralRules::resolvedOptions):
548         (JSC::IntlPluralRules::select):
549         * runtime/IntlPluralRules.h: Added.
550         * runtime/IntlPluralRulesConstructor.cpp: Added.
551         (JSC::IntlPluralRulesConstructor::create):
552         (JSC::IntlPluralRulesConstructor::createStructure):
553         (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
554         (JSC::IntlPluralRulesConstructor::finishCreation):
555         (JSC::constructIntlPluralRules):
556         (JSC::callIntlPluralRules):
557         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
558         (JSC::IntlPluralRulesConstructor::visitChildren):
559         * runtime/IntlPluralRulesConstructor.h: Added.
560         * runtime/IntlPluralRulesPrototype.cpp: Added.
561         (JSC::IntlPluralRulesPrototype::create):
562         (JSC::IntlPluralRulesPrototype::createStructure):
563         (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
564         (JSC::IntlPluralRulesPrototype::finishCreation):
565         (JSC::IntlPluralRulesPrototypeFuncSelect):
566         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
567         * runtime/IntlPluralRulesPrototype.h: Added.
568         * runtime/JSGlobalObject.cpp:
569         (JSC::JSGlobalObject::init):
570         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
571         * runtime/JSGlobalObject.h:
572         * runtime/Options.h:
573         * runtime/RegExpPrototype.cpp: Added inlines header.
574         * runtime/VM.cpp:
575         (JSC::VM::VM):
576         * runtime/VM.h:
577
578 2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>
579
580         [MIPS] Fix branch offsets in branchNeg32
581         https://bugs.webkit.org/show_bug.cgi?id=185025
582
583         Reviewed by Yusuke Suzuki.
584
585         Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.
586
587         * assembler/MacroAssemblerMIPS.h:
588         (JSC::MacroAssemblerMIPS::branchNeg32):
589
590 2018-04-25  Robin Morisset  <rmorisset@apple.com>
591
592         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
593         https://bugs.webkit.org/show_bug.cgi?id=184773
594         <rdar://problem/37773612>
595
596         Reviewed by Filip Pizlo.
597
598         We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
599         arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
600         This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
601         We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
602         This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
603
604         * ftl/FTLLowerDFGToB3.cpp:
605         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
606
607 2018-04-25  Mark Lam  <mark.lam@apple.com>
608
609         Push the definition of PtrTag down to the WTF layer.
610         https://bugs.webkit.org/show_bug.cgi?id=184976
611         <rdar://problem/39723901>
612
613         Reviewed by Saam Barati.
614
615         * CMakeLists.txt:
616         * JavaScriptCore.xcodeproj/project.pbxproj:
617         * assembler/ARM64Assembler.h:
618         * assembler/AbstractMacroAssembler.h:
619         * assembler/MacroAssemblerCodeRef.cpp:
620         * assembler/MacroAssemblerCodeRef.h:
621         * b3/B3MathExtras.cpp:
622         * bytecode/LLIntCallLinkInfo.h:
623         * disassembler/Disassembler.h:
624         * ftl/FTLJITCode.cpp:
625         * interpreter/InterpreterInlines.h:
626         * jit/ExecutableAllocator.h:
627         * jit/JITOperations.cpp:
628         * jit/ThunkGenerator.h:
629         * jit/ThunkGenerators.h:
630         * llint/LLIntOffsetsExtractor.cpp:
631         * llint/LLIntPCRanges.h:
632         * runtime/JSCPtrTag.h: Added.
633         * runtime/NativeFunction.h:
634         * runtime/PtrTag.h: Removed.
635         * runtime/VMTraps.cpp:
636
637 2018-04-25  Keith Miller  <keith_miller@apple.com>
638
639         getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
640         https://bugs.webkit.org/show_bug.cgi?id=184998
641
642         Reviewed by Saam Barati.
643
644         * runtime/CodeCache.cpp:
645         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
646
647 2018-04-25  Keith Miller  <keith_miller@apple.com>
648
649         Add missing scope release to functionProtoFuncToString
650         https://bugs.webkit.org/show_bug.cgi?id=184995
651
652         Reviewed by Saam Barati.
653
654         * runtime/FunctionPrototype.cpp:
655         (JSC::functionProtoFuncToString):
656
657 2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
658
659         REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
660         https://bugs.webkit.org/show_bug.cgi?id=184730
661
662         Reviewed by Mark Lam.
663
664         Add a swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (a temporary register in MacroAssemblerARM).
665         We now use dataTempRegister, addressTempRegister, and fpTempRegister instead of S0, S1, and SD0.
666
667         We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with the
668         ARMv7 implementation.
669
670         * assembler/ARMAssembler.h:
671         * assembler/MacroAssemblerARM.h:
672         (JSC::MacroAssemblerARM::add32):
673         (JSC::MacroAssemblerARM::and32):
674         (JSC::MacroAssemblerARM::lshift32):
675         (JSC::MacroAssemblerARM::mul32):
676         (JSC::MacroAssemblerARM::or32):
677         (JSC::MacroAssemblerARM::rshift32):
678         (JSC::MacroAssemblerARM::urshift32):
679         (JSC::MacroAssemblerARM::sub32):
680         (JSC::MacroAssemblerARM::xor32):
681         (JSC::MacroAssemblerARM::load8):
682         (JSC::MacroAssemblerARM::abortWithReason):
683         (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
684         (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
685         (JSC::MacroAssemblerARM::store8):
686         (JSC::MacroAssemblerARM::store32):
687         (JSC::MacroAssemblerARM::push):
688         (JSC::MacroAssemblerARM::swap):
689         (JSC::MacroAssemblerARM::branch8):
690         (JSC::MacroAssemblerARM::branchPtr):
691         (JSC::MacroAssemblerARM::branch32):
692         (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
693         (JSC::MacroAssemblerARM::branchTest8):
694         (JSC::MacroAssemblerARM::branchTest32):
695         (JSC::MacroAssemblerARM::jump):
696         (JSC::MacroAssemblerARM::branchAdd32):
697         (JSC::MacroAssemblerARM::mull32):
698         (JSC::MacroAssemblerARM::branchMul32):
699         (JSC::MacroAssemblerARM::patchableBranch32):
700         (JSC::MacroAssemblerARM::nearCall):
701         (JSC::MacroAssemblerARM::compare32):
702         (JSC::MacroAssemblerARM::compare8):
703         (JSC::MacroAssemblerARM::test32):
704         (JSC::MacroAssemblerARM::test8):
705         (JSC::MacroAssemblerARM::add64):
706         (JSC::MacroAssemblerARM::load32):
707         (JSC::MacroAssemblerARM::call):
708         (JSC::MacroAssemblerARM::branchPtrWithPatch):
709         (JSC::MacroAssemblerARM::branch32WithPatch):
710         (JSC::MacroAssemblerARM::storePtrWithPatch):
711         (JSC::MacroAssemblerARM::loadDouble):
712         (JSC::MacroAssemblerARM::storeDouble):
713         (JSC::MacroAssemblerARM::addDouble):
714         (JSC::MacroAssemblerARM::divDouble):
715         (JSC::MacroAssemblerARM::subDouble):
716         (JSC::MacroAssemblerARM::mulDouble):
717         (JSC::MacroAssemblerARM::convertInt32ToDouble):
718         (JSC::MacroAssemblerARM::branchDouble):
719         (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
720         (JSC::MacroAssemblerARM::truncateDoubleToInt32):
721         (JSC::MacroAssemblerARM::truncateDoubleToUint32):
722         (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
723         (JSC::MacroAssemblerARM::branchDoubleNonZero):
724         (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
725         (JSC::MacroAssemblerARM::call32):
726         (JSC::MacroAssemblerARM::internalCompare32):
727
728 2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>
729
730         [WinCairo] Fix js/regexp-unicode.html crash.
731         https://bugs.webkit.org/show_bug.cgi?id=184891
732
733         Reviewed by Yusuke Suzuki.
734
735         On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
736         RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.
737
738         * yarr/YarrJIT.cpp:
739         (JSC::Yarr::YarrGenerator::generateEnter):
740         (JSC::Yarr::YarrGenerator::generateReturn):
741         Unconditionally save and restore RDI on 64-bit Windows.
742
743 2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>
744
745         [GTK] Miscellaneous build cleanups
746         https://bugs.webkit.org/show_bug.cgi?id=184399
747
748         Reviewed by Žan Doberšek.
749
750         * PlatformGTK.cmake:
751
752 2018-04-24  Keith Miller  <keith_miller@apple.com>
753
754         fromCharCode is missing some exception checks
755         https://bugs.webkit.org/show_bug.cgi?id=184952
756
757         Reviewed by Saam Barati.
758
759         I also removed the pointless slow path function and moved it into the
760         main function.
761
762         * runtime/StringConstructor.cpp:
763         (JSC::stringFromCharCode):
764         (JSC::stringFromCharCodeSlowCase): Deleted.
765
766 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
767
768         MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
769         https://bugs.webkit.org/show_bug.cgi?id=184923
770
771         Reviewed by Saam Barati.
772         
773         If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
774         (i.e. we know that the object has one of those structures), then previously we would still emit a
775         switch with a case per structure along with a default case. That would mean one extra redundant
776         branch to check that whatever structure we wound up with belongs to the set. In that case, we
777         were already making the default case be an Oops.
778         
779         One possible solution would be to say that the default case being Oops means that B3 doesn't need
780         to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
781         be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
782         seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
783         trap.
784         
785         So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
786         extra branch.
787         
788         This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
789         it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
790         read.
791
792         * ftl/FTLLowerDFGToB3.cpp:
793         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
794         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
795         (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):
796
797 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
798
799         DFG CSE should know how to decay a MultiGetByOffset
800         https://bugs.webkit.org/show_bug.cgi?id=159859
801
802         Reviewed by Keith Miller.
803         
804         This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
805         clobberize() can report a def() for MultiGetByOffset.
806         
807         This is a slight improvement to codegen in splay because splay is a heavy user of
808         MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
809         "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
810         removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
811         splay's time.
812
813         * dfg/DFGClobberize.h:
814         (JSC::DFG::clobberize):
815         * dfg/DFGNode.cpp:
816         (JSC::DFG::Node::remove):
817         (JSC::DFG::Node::removeWithoutChecks):
818         (JSC::DFG::Node::replaceWith):
819         (JSC::DFG::Node::replaceWithWithoutChecks):
820         * dfg/DFGNode.h:
821         (JSC::DFG::Node::convertToMultiGetByOffset):
822         (JSC::DFG::Node::replaceWith): Deleted.
823         * dfg/DFGNodeType.h:
824         * dfg/DFGObjectAllocationSinkingPhase.cpp:
825
826 2018-04-24  Keith Miller  <keith_miller@apple.com>
827
828         Update API docs with information on which run loop the VM will use
829         https://bugs.webkit.org/show_bug.cgi?id=184900
830         <rdar://problem/39166054>
831
832         Reviewed by Mark Lam.
833
834         * API/JSContextRef.h:
835         * API/JSVirtualMachine.h:
836
837 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
838
839         $vm.totalGCTime() should be a thing
840         https://bugs.webkit.org/show_bug.cgi?id=184916
841
842         Reviewed by Sam Weinig.
843         
844         When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
845         time spent in GC to determine if the regression is because the GC got slower.
846         
847         This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
848
849         * heap/Heap.cpp:
850         (JSC::Heap::runEndPhase):
851         * heap/Heap.h:
852         (JSC::Heap::totalGCTime const):
853         * tools/JSDollarVM.cpp:
854         (JSC::functionTotalGCTime):
855         (JSC::JSDollarVM::finishCreation):
856
857 2018-04-23  Zalan Bujtas  <zalan@apple.com>
858
859         [LayoutFormattingContext] Initial commit.
860         https://bugs.webkit.org/show_bug.cgi?id=184896
861
862         Reviewed by Antti Koivisto.
863
864         * Configurations/FeatureDefines.xcconfig:
865
866 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
867
868         Unreviewed, revert accidental change to verbose flag.
869
870         * dfg/DFGByteCodeParser.cpp:
871
872 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
873
874         Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
875
876         Rubber stamped by Saam Barati.
877         
878         This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
879         anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
880         Seems sensible to just roll it out.
881
882         * dfg/DFGByteCodeParser.cpp:
883         (JSC::DFG::ByteCodeParser::addToGraph):
884         (JSC::DFG::ByteCodeParser::parse):
885
886 2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
887
888         [JSC] Remove ModuleLoaderPrototype
889         https://bugs.webkit.org/show_bug.cgi?id=184784
890
891         Reviewed by Mark Lam.
892
893         When we introduce ModuleLoaderPrototype, ModuleLoader may be created by users and exposed to users.
894         However, the loader spec is abandoned. So we do not need to have ModuleLoaderPrototype and JSModuleLoader.
895         This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
896
897         * CMakeLists.txt:
898         * DerivedSources.make:
899         * JavaScriptCore.xcodeproj/project.pbxproj:
900         * Sources.txt:
901         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
902         * runtime/JSGlobalObject.cpp:
903         (JSC::JSGlobalObject::init):
904         (JSC::JSGlobalObject::visitChildren):
905         * runtime/JSGlobalObject.h:
906         (JSC::JSGlobalObject::proxyRevokeStructure const):
907         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
908         * runtime/JSModuleLoader.cpp:
909         (JSC::moduleLoaderParseModule):
910         (JSC::moduleLoaderRequestedModules):
911         (JSC::moduleLoaderModuleDeclarationInstantiation):
912         (JSC::moduleLoaderResolve):
913         (JSC::moduleLoaderResolveSync):
914         (JSC::moduleLoaderFetch):
915         (JSC::moduleLoaderGetModuleNamespaceObject):
916         (JSC::moduleLoaderEvaluate):
917         * runtime/JSModuleLoader.h:
918         * runtime/ModuleLoaderPrototype.cpp: Removed.
919         * runtime/ModuleLoaderPrototype.h: Removed.
920
921 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
922
923         [GLIB] All API tests fail in debug builds
924         https://bugs.webkit.org/show_bug.cgi?id=184813
925
926         Reviewed by Mark Lam.
927
928         This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
929         JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.
930
931         * API/glib/JSCContext.cpp:
932         (JSCContextExceptionHandler::JSCContextExceptionHandler):
933         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
934         (jscContextConstructed):
935         (ExceptionHandler::ExceptionHandler): Deleted.
936         (ExceptionHandler::~ExceptionHandler): Deleted.
937
938 2018-04-20  Tim Horton  <timothy_horton@apple.com>
939
940         Adjust geolocation feature flag
941         https://bugs.webkit.org/show_bug.cgi?id=184856
942
943         Reviewed by Wenson Hsieh.
944
945         * Configurations/FeatureDefines.xcconfig:
946
947 2018-04-20  Brian Burg  <bburg@apple.com>
948
949         Web Inspector: remove some dead code in IdentifiersFactory
950         https://bugs.webkit.org/show_bug.cgi?id=184839
951
952         Reviewed by Timothy Hatcher.
953
954         This was never used on non-Chrome ports, so the identifier always has a
955         prefix of '0.'. We may change this in the future, but for now remove this.
956         Using a PID for this purpose is problematic anyway.
957
958         * inspector/IdentifiersFactory.cpp:
959         (Inspector::addPrefixToIdentifier):
960         (Inspector::IdentifiersFactory::createIdentifier):
961         (Inspector::IdentifiersFactory::requestId):
962         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
963         * inspector/IdentifiersFactory.h:
964
965 2018-04-20  Mark Lam  <mark.lam@apple.com>
966
967         Add the ability to use a hash for setting PtrTag enum values.
968         https://bugs.webkit.org/show_bug.cgi?id=184852
969         <rdar://problem/39613891>
970
971         Reviewed by Saam Barati.
972
973         * runtime/PtrTag.h:
974
975 2018-04-20  Mark Lam  <mark.lam@apple.com>
976
977         Some JSEntryPtrTags should actually be JSInternalPtrTags.
978         https://bugs.webkit.org/show_bug.cgi?id=184712
979         <rdar://problem/39507381>
980
981         Reviewed by Michael Saboff.
982
983         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
984         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
985            only when needed.
986
987         * bytecode/AccessCase.cpp:
988         (JSC::AccessCase::generateImpl):
989         * bytecode/ByValInfo.h:
990         (JSC::ByValInfo::ByValInfo):
991         * bytecode/CallLinkInfo.cpp:
992         (JSC::CallLinkInfo::callReturnLocation):
993         (JSC::CallLinkInfo::patchableJump):
994         (JSC::CallLinkInfo::hotPathBegin):
995         (JSC::CallLinkInfo::slowPathStart):
996         * bytecode/CallLinkInfo.h:
997         (JSC::CallLinkInfo::setCallLocations):
998         (JSC::CallLinkInfo::hotPathOther):
999         * bytecode/PolymorphicAccess.cpp:
1000         (JSC::PolymorphicAccess::regenerate):
1001         * bytecode/StructureStubInfo.h:
1002         (JSC::StructureStubInfo::doneLocation):
1003         * dfg/DFGJITCompiler.cpp:
1004         (JSC::DFG::JITCompiler::link):
1005         * dfg/DFGOSRExit.cpp:
1006         (JSC::DFG::reifyInlinedCallFrames):
1007         * ftl/FTLLazySlowPath.cpp:
1008         (JSC::FTL::LazySlowPath::initialize):
1009         * ftl/FTLLazySlowPath.h:
1010         (JSC::FTL::LazySlowPath::done const):
1011         * ftl/FTLLowerDFGToB3.cpp:
1012         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1013         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1014         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1015         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1016         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1017         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1018         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1019         * jit/JIT.cpp:
1020         (JSC::JIT::link):
1021         * jit/JITExceptions.cpp:
1022         (JSC::genericUnwind):
1023         * jit/JITMathIC.h:
1024         (JSC::isProfileEmpty):
1025         * llint/LLIntData.cpp:
1026         (JSC::LLInt::initialize):
1027         * llint/LLIntData.h:
1028         (JSC::LLInt::getCodePtr):
1029         (JSC::LLInt::getExecutableAddress): Deleted.
1030         * llint/LLIntExceptions.cpp:
1031         (JSC::LLInt::callToThrow):
1032         * llint/LLIntSlowPaths.cpp:
1033         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1034         * wasm/js/WasmToJS.cpp:
1035         (JSC::Wasm::wasmToJS):
1036
1037 2018-04-18  Jer Noble  <jer.noble@apple.com>
1038
1039         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
1040         https://bugs.webkit.org/show_bug.cgi?id=184762
1041
1042         Reviewed by Dan Bernstein.
1043
1044         * Configurations/Base.xcconfig:
1045         * JavaScriptCore.xcodeproj/project.pbxproj:
1046
1047 2018-04-20  Daniel Bates  <dabates@apple.com>
1048
1049         Remove code for compilers that did not support NSDMI for aggregates
1050         https://bugs.webkit.org/show_bug.cgi?id=184599
1051
1052         Reviewed by Per Arne Vollan.
1053
1054         Remove workaround for earlier Visual Studio versions that did not support non-static data
1055         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
1056         and EWS bots to a newer version that supports this feature.
1057
1058         * domjit/DOMJITEffect.h:
1059         (JSC::DOMJIT::Effect::Effect): Deleted.
1060         * runtime/HasOwnPropertyCache.h:
1061         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
1062         * wasm/WasmFormat.h:
1063         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
1064
1065 2018-04-20  Mark Lam  <mark.lam@apple.com>
1066
1067         Build fix for internal builds after r230826.
1068         https://bugs.webkit.org/show_bug.cgi?id=184790
1069         <rdar://problem/39301369>
1070
1071         Not reviewed.
1072
1073         * runtime/Options.cpp:
1074         (JSC::overrideDefaults):
1075         * tools/SigillCrashAnalyzer.cpp:
1076         (JSC::SignalContext::dump):
1077
1078 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
1079
1080         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
1081         https://bugs.webkit.org/show_bug.cgi?id=184254
1082         <rdar://problem/39140200>
1083
1084         Reviewed by Daniel Bates.
1085
1086         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
1087
1088         * runtime/ArrayBuffer.h:
1089         (JSC::ArrayBufferContents::ArrayBufferContents):
1090
1091 2018-04-19  Mark Lam  <mark.lam@apple.com>
1092
1093         Apply pointer profiling to Signal pointers.
1094         https://bugs.webkit.org/show_bug.cgi?id=184790
1095         <rdar://problem/39301369>
1096
1097         Reviewed by Michael Saboff.
1098
1099         1. Change stackPointer, framePointer, and instructionPointer accessors to
1100            be a pair of getter/setter functions.
1101         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
1102            pointer profiling variants of these accessors.
1103         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
1104
1105         * JavaScriptCorePrefix.h:
1106         * runtime/MachineContext.h:
1107         (JSC::MachineContext::stackPointerImpl):
1108         (JSC::MachineContext::stackPointer):
1109         (JSC::MachineContext::setStackPointer):
1110         (JSC::MachineContext::framePointerImpl):
1111         (JSC::MachineContext::framePointer):
1112         (JSC::MachineContext::setFramePointer):
1113         (JSC::MachineContext::instructionPointerImpl):
1114         (JSC::MachineContext::instructionPointer):
1115         (JSC::MachineContext::setInstructionPointer):
1116         (JSC::MachineContext::linkRegisterImpl):
1117         (JSC::MachineContext::linkRegister):
1118         (JSC::MachineContext::setLinkRegister):
1119         * runtime/SamplingProfiler.cpp:
1120         (JSC::SamplingProfiler::takeSample):
1121         * runtime/VMTraps.cpp:
1122         (JSC::SignalContext::SignalContext):
1123         (JSC::VMTraps::tryInstallTrapBreakpoints):
1124         * tools/CodeProfiling.cpp:
1125         (JSC::profilingTimer):
1126         * tools/SigillCrashAnalyzer.cpp:
1127         (JSC::SignalContext::dump):
1128         (JSC::installCrashHandler):
1129         (JSC::SigillCrashAnalyzer::analyze):
1130         * wasm/WasmFaultSignalHandler.cpp:
1131         (JSC::Wasm::trapHandler):
1132
1133 2018-04-19  David Kilzer  <ddkilzer@apple.com>
1134
1135         Enable Objective-C weak references
1136         <https://webkit.org/b/184789>
1137         <rdar://problem/39571716>
1138
1139         Reviewed by Dan Bernstein.
1140
1141         * Configurations/Base.xcconfig:
1142         (CLANG_ENABLE_OBJC_WEAK): Enable.
1143         * Configurations/ToolExecutable.xcconfig:
1144         (CLANG_ENABLE_OBJC_ARC): Simplify.
1145
1146 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
1147
1148         The InternalFunction hierarchy should be in IsoSubspaces
1149         https://bugs.webkit.org/show_bug.cgi?id=184721
1150
1151         Reviewed by Saam Barati.
1152         
1153         This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
1154         but subclasses that are the same size as InternalFunction share its subspace. I did this
1155         because the subclasses appear to just override methods, which are called dynamically via the
1156         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
1157         allocate one kind of InternalFunction over another.
1158
1159         * API/JSBase.h:
1160         * API/JSCallbackFunction.h:
1161         * API/ObjCCallbackFunction.h:
1162         (JSC::ObjCCallbackFunction::subspaceFor):
1163         * CMakeLists.txt:
1164         * JavaScriptCore.xcodeproj/project.pbxproj:
1165         * Sources.txt:
1166         * heap/IsoSubspacePerVM.cpp: Added.
1167         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
1168         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
1169         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
1170         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
1171         (JSC::IsoSubspacePerVM::forVM):
1172         * heap/IsoSubspacePerVM.h: Added.
1173         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
1174         * runtime/Error.h:
1175         * runtime/ErrorConstructor.h:
1176         * runtime/InternalFunction.h:
1177         (JSC::InternalFunction::subspaceFor):
1178         * runtime/IntlCollatorConstructor.h:
1179         * runtime/IntlDateTimeFormatConstructor.h:
1180         * runtime/IntlNumberFormatConstructor.h:
1181         * runtime/JSArrayBufferConstructor.h:
1182         * runtime/NativeErrorConstructor.h:
1183         * runtime/ProxyRevoke.h:
1184         * runtime/RegExpConstructor.h:
1185         * runtime/VM.cpp:
1186         (JSC::VM::VM):
1187         * runtime/VM.h:
1188
1189 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1190
1191         Unreviewed, Fix jsc shell
1192         https://bugs.webkit.org/show_bug.cgi?id=184600
1193
1194         WebAssembly module loading does not finish with drainMicrotasks().
1195         So JSNativeStdFunction's capturing variables become invalid.
1196         This patch fixes this issue.
1197
1198         * jsc.cpp:
1199         (functionDollarAgentStart):
1200         (runWithOptions):
1201         (runJSC):
1202         (jscmain):
1203
1204 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
1205
1206         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
1207         https://bugs.webkit.org/show_bug.cgi?id=184725
1208
1209         Reviewed by Mark Lam.
1210
1211         * jit/JIT.h:
1212
1213 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1214
1215         [WebAssembly][Modules] Import tables in wasm modules
1216         https://bugs.webkit.org/show_bug.cgi?id=184738
1217
1218         Reviewed by JF Bastien.
1219
1220         This patch simply allows wasm modules to import tables from wasm modules / js re-exporting.
1221         Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
1222         just works.
1223
1224         * wasm/js/JSWebAssemblyInstance.cpp:
1225         (JSC::JSWebAssemblyInstance::create):
1226         * wasm/js/WebAssemblyModuleRecord.cpp:
1227         (JSC::WebAssemblyModuleRecord::link):
1228
1229 2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>
1230
1231         [ARM] Fix build error and crash after PtrTag change
1232         https://bugs.webkit.org/show_bug.cgi?id=184732
1233
1234         Reviewed by Mark Lam.
1235
1236         Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
1237         MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
1238         twice with ARM-Thumb2.
1239
1240         * assembler/MacroAssemblerCodeRef.h:
1241         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1242         * jit/JITPropertyAccess32_64.cpp:
1243         (JSC::JIT::emitSlow_op_put_by_val):
1244         * jit/Repatch.cpp:
1245         (JSC::linkPolymorphicCall):
1246
1247 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1248
1249         [WebAssembly][Modules] Import globals from wasm modules
1250         https://bugs.webkit.org/show_bug.cgi?id=184736
1251
1252         Reviewed by JF Bastien.
1253
1254         This patch implements a feature importing globals to/from wasm modules.
1255         Since we are not supporting mutable globals now, we can just copy the
1256         global data when importing. Currently we do not support importing/exporting
1257         i64 globals. This will be supported once (1) mutable global bindings are
1258         specified and (2) BigInt based i64 importing/exporting is specified.
1259
1260         * wasm/js/JSWebAssemblyInstance.cpp:
1261         (JSC::JSWebAssemblyInstance::create):
1262         * wasm/js/WebAssemblyModuleRecord.cpp:
1263         (JSC::WebAssemblyModuleRecord::link):
1264
1265 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1266
1267         Unreviewed, fix build on ARM
1268
1269         * assembler/MacroAssemblerARM.h:
1270         (JSC::MacroAssemblerARM::readCallTarget):
1271
1272 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1273
1274         Unreviewed, fix build with GCC
1275
1276         * assembler/LinkBuffer.h:
1277         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1278
1279 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1280
1281         Unreviewed, reland r230697, r230720, and r230724.
1282         https://bugs.webkit.org/show_bug.cgi?id=184600
1283
1284         With CatchScope check.
1285
1286         * JavaScriptCore.xcodeproj/project.pbxproj:
1287         * builtins/ModuleLoaderPrototype.js:
1288         (globalPrivate.newRegistryEntry):
1289         (requestInstantiate):
1290         (link):
1291         * jsc.cpp:
1292         (convertShebangToJSComment):
1293         (fillBufferWithContentsOfFile):
1294         (fetchModuleFromLocalFileSystem):
1295         (GlobalObject::moduleLoaderFetch):
1296         (functionDollarAgentStart):
1297         (checkException):
1298         (runWithOptions):
1299         * parser/NodesAnalyzeModule.cpp:
1300         (JSC::ImportDeclarationNode::analyzeModule):
1301         * parser/SourceProvider.h:
1302         (JSC::WebAssemblySourceProvider::create):
1303         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1304         * runtime/AbstractModuleRecord.cpp:
1305         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1306         (JSC::AbstractModuleRecord::resolveImport):
1307         (JSC::AbstractModuleRecord::link):
1308         (JSC::AbstractModuleRecord::evaluate):
1309         (JSC::identifierToJSValue): Deleted.
1310         * runtime/AbstractModuleRecord.h:
1311         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
1312         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
1313         * runtime/JSModuleEnvironment.cpp:
1314         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1315         * runtime/JSModuleLoader.cpp:
1316         (JSC::JSModuleLoader::evaluate):
1317         * runtime/JSModuleRecord.cpp:
1318         (JSC::JSModuleRecord::link):
1319         (JSC::JSModuleRecord::instantiateDeclarations):
1320         * runtime/JSModuleRecord.h:
1321         * runtime/ModuleLoaderPrototype.cpp:
1322         (JSC::moduleLoaderPrototypeParseModule):
1323         (JSC::moduleLoaderPrototypeRequestedModules):
1324         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1325         * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
1326         * wasm/js/JSWebAssemblyHelpers.h:
1327         (JSC::getWasmBufferFromValue):
1328         (JSC::createSourceBufferFromValue):
1329         * wasm/js/JSWebAssemblyInstance.cpp:
1330         (JSC::JSWebAssemblyInstance::finalizeCreation):
1331         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
1332         (JSC::JSWebAssemblyInstance::create):
1333         * wasm/js/JSWebAssemblyInstance.h:
1334         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1335         (JSC::constructJSWebAssemblyInstance):
1336         * wasm/js/WebAssemblyModuleRecord.cpp:
1337         (JSC::WebAssemblyModuleRecord::prepareLink):
1338         (JSC::WebAssemblyModuleRecord::link):
1339         * wasm/js/WebAssemblyModuleRecord.h:
1340         * wasm/js/WebAssemblyPrototype.cpp:
1341         (JSC::resolve):
1342         (JSC::instantiate):
1343         (JSC::compileAndInstantiate):
1344         (JSC::WebAssemblyPrototype::instantiate):
1345         (JSC::webAssemblyInstantiateFunc):
1346         (JSC::webAssemblyValidateFunc):
1347         * wasm/js/WebAssemblyPrototype.h:
1348
1349 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
1350
1351         [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
1352         https://bugs.webkit.org/show_bug.cgi?id=184687
1353
1354         Reviewed by Michael Catanzaro.
1355
1356         Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
1357         JSClassDefinition. This is required to implement dynamic properties that can't be added with
1358         jsc_class_add_property() for example to implement something like imports object in seed/gjs.
1359
1360         * API/glib/JSCClass.cpp:
1361         (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
1362         can throw exceptions.
1363         (VTableExceptionHandler::~VTableExceptionHandler):
1364         (getProperty): Iterate the class chain to call get_property function.
1365         (setProperty): Iterate the class chain to call set_property function.
1366         (hasProperty): Iterate the class chain to call has_property function.
1367         (deleteProperty): Iterate the class chain to call delete_property function.
1368         (getPropertyNames): Iterate the class chain to call enumerate_properties function.
1369         (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
1370         jscClassCreate now.
1371         (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
1372         * API/glib/JSCClass.h:
1373         * API/glib/JSCClassPrivate.h:
1374         * API/glib/JSCContext.cpp:
1375         (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
1376         (jsc_context_register_class): Add JSCClassVTable parameter.
1377         * API/glib/JSCContext.h:
1378         * API/glib/JSCContextPrivate.h:
1379         * API/glib/JSCWrapperMap.cpp:
1380         (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
1381         * API/glib/JSCWrapperMap.h:
1382         * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
1383
1384 2018-04-17  Mark Lam  <mark.lam@apple.com>
1385
1386         Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
1387         https://bugs.webkit.org/show_bug.cgi?id=184702
1388         <rdar://problem/35391681>
1389
1390         Reviewed by Filip Pizlo and Saam Barati.
1391
1392         1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
1393            to take a PtrTag template argument.
1394         2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
1395
1396         * assembler/AbstractMacroAssembler.h:
1397         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
1398         (JSC::AbstractMacroAssembler::linkJump):
1399         (JSC::AbstractMacroAssembler::linkPointer):
1400         (JSC::AbstractMacroAssembler::getLinkerAddress):
1401         (JSC::AbstractMacroAssembler::repatchJump):
1402         (JSC::AbstractMacroAssembler::repatchJumpToNop):
1403         (JSC::AbstractMacroAssembler::repatchNearCall):
1404         (JSC::AbstractMacroAssembler::repatchCompact):
1405         (JSC::AbstractMacroAssembler::repatchInt32):
1406         (JSC::AbstractMacroAssembler::repatchPointer):
1407         (JSC::AbstractMacroAssembler::readPointer):
1408         (JSC::AbstractMacroAssembler::replaceWithLoad):
1409         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
1410         * assembler/CodeLocation.h:
1411         (JSC::CodeLocationCommon:: const):
1412         (JSC::CodeLocationCommon::CodeLocationCommon):
1413         (JSC::CodeLocationInstruction::CodeLocationInstruction):
1414         (JSC::CodeLocationLabel::CodeLocationLabel):
1415         (JSC::CodeLocationLabel::retagged):
1416         (JSC::CodeLocationLabel:: const):
1417         (JSC::CodeLocationJump::CodeLocationJump):
1418         (JSC::CodeLocationJump::retagged):
1419         (JSC::CodeLocationCall::CodeLocationCall):
1420         (JSC::CodeLocationCall::retagged):
1421         (JSC::CodeLocationNearCall::CodeLocationNearCall):
1422         (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
1423         (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
1424         (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
1425         (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
1426         (JSC::CodeLocationCommon<tag>::instructionAtOffset):
1427         (JSC::CodeLocationCommon<tag>::labelAtOffset):
1428         (JSC::CodeLocationCommon<tag>::jumpAtOffset):
1429         (JSC::CodeLocationCommon<tag>::callAtOffset):
1430         (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
1431         (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
1432         (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
1433         (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
1434         (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
1435         (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
1436         (JSC::CodeLocationCommon::labelAtOffset): Deleted.
1437         (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
1438         (JSC::CodeLocationCommon::callAtOffset): Deleted.
1439         (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
1440         (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
1441         (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
1442         (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
1443         (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
1444         * assembler/LinkBuffer.cpp:
1445         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
1446         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
1447         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
1448         (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
1449         * assembler/LinkBuffer.h:
1450         (JSC::LinkBuffer::link):
1451         (JSC::LinkBuffer::patch):
1452         (JSC::LinkBuffer::entrypoint):
1453         (JSC::LinkBuffer::locationOf):
1454         (JSC::LinkBuffer::locationOfNearCall):
1455         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1456         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1457         (JSC::LinkBuffer::trampolineAt):
1458         * assembler/MacroAssemblerARM.h:
1459         (JSC::MacroAssemblerARM::readCallTarget):
1460         (JSC::MacroAssemblerARM::replaceWithJump):
1461         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
1462         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
1463         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
1464         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
1465         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
1466         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
1467         (JSC::MacroAssemblerARM::repatchCall):
1468         (JSC::MacroAssemblerARM::linkCall):
1469         * assembler/MacroAssemblerARM64.h:
1470         (JSC::MacroAssemblerARM64::readCallTarget):
1471         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
1472         (JSC::MacroAssemblerARM64::replaceWithJump):
1473         (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
1474         (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
1475         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
1476         (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
1477         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1478         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
1479         (JSC::MacroAssemblerARM64::repatchCall):
1480         (JSC::MacroAssemblerARM64::linkCall):
1481         * assembler/MacroAssemblerARMv7.h:
1482         (JSC::MacroAssemblerARMv7::replaceWithJump):
1483         (JSC::MacroAssemblerARMv7::readCallTarget):
1484         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
1485         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
1486         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
1487         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
1488         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
1489         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
1490         (JSC::MacroAssemblerARMv7::repatchCall):
1491         (JSC::MacroAssemblerARMv7::linkCall):
1492         * assembler/MacroAssemblerCodeRef.cpp:
1493         (JSC::MacroAssemblerCodePtrBase::dumpWithName):
1494         (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
1495         (JSC::MacroAssemblerCodeRefBase::disassembly):
1496         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
1497         (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
1498         (JSC::MacroAssemblerCodePtr::dump const): Deleted.
1499         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
1500         (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
1501         (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
1502         (JSC::MacroAssemblerCodeRef::dump const): Deleted.
1503         * assembler/MacroAssemblerCodeRef.h:
1504         (JSC::FunctionPtr::FunctionPtr):
1505         (JSC::FunctionPtr::retagged const):
1506         (JSC::FunctionPtr::retaggedExecutableAddress const):
1507         (JSC::FunctionPtr::operator== const):
1508         (JSC::FunctionPtr::operator!= const):
1509         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1510         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1511         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1512         (JSC::MacroAssemblerCodePtr::retagged const):
1513         (JSC::MacroAssemblerCodePtr:: const):
1514         (JSC::MacroAssemblerCodePtr::dumpWithName const):
1515         (JSC::MacroAssemblerCodePtr::dump const):
1516         (JSC::MacroAssemblerCodePtrHash::hash):
1517         (JSC::MacroAssemblerCodePtrHash::equal):
1518         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1519         (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
1520         (JSC::MacroAssemblerCodeRef::code const):
1521         (JSC::MacroAssemblerCodeRef::retaggedCode const):
1522         (JSC::MacroAssemblerCodeRef::retagged const):
1523         (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
1524         (JSC::MacroAssemblerCodeRef::disassembly const):
1525         (JSC::MacroAssemblerCodeRef::dump const):
1526         (JSC::FunctionPtr<tag>::FunctionPtr):
1527         * assembler/MacroAssemblerMIPS.h:
1528         (JSC::MacroAssemblerMIPS::readCallTarget):
1529         (JSC::MacroAssemblerMIPS::replaceWithJump):
1530         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
1531         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
1532         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
1533         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
1534         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
1535         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
1536         (JSC::MacroAssemblerMIPS::repatchCall):
1537         (JSC::MacroAssemblerMIPS::linkCall):
1538         * assembler/MacroAssemblerX86.h:
1539         (JSC::MacroAssemblerX86::readCallTarget):
1540         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
1541         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
1542         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
1543         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
1544         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
1545         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
1546         (JSC::MacroAssemblerX86::repatchCall):
1547         (JSC::MacroAssemblerX86::linkCall):
1548         * assembler/MacroAssemblerX86Common.h:
1549         (JSC::MacroAssemblerX86Common::repatchCompact):
1550         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
1551         (JSC::MacroAssemblerX86Common::replaceWithJump):
1552         * assembler/MacroAssemblerX86_64.h:
1553         (JSC::MacroAssemblerX86_64::readCallTarget):
1554         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
1555         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
1556         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
1557         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
1558         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1559         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
1560         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
1561         (JSC::MacroAssemblerX86_64::repatchCall):
1562         (JSC::MacroAssemblerX86_64::linkCall):
1563         * assembler/testmasm.cpp:
1564         (JSC::compile):
1565         (JSC::invoke):
1566         (JSC::testProbeModifiesProgramCounter):
1567         * b3/B3Compilation.cpp:
1568         (JSC::B3::Compilation::Compilation):
1569         * b3/B3Compilation.h:
1570         (JSC::B3::Compilation::code const):
1571         (JSC::B3::Compilation::codeRef const):
1572         * b3/B3Compile.cpp:
1573         (JSC::B3::compile):
1574         * b3/B3LowerMacros.cpp:
1575         * b3/air/AirDisassembler.cpp:
1576         (JSC::B3::Air::Disassembler::dump):
1577         * b3/air/testair.cpp:
1578         * b3/testb3.cpp:
1579         (JSC::B3::invoke):
1580         (JSC::B3::testInterpreter):
1581         (JSC::B3::testEntrySwitchSimple):
1582         (JSC::B3::testEntrySwitchNoEntrySwitch):
1583         (JSC::B3::testEntrySwitchWithCommonPaths):
1584         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
1585         (JSC::B3::testEntrySwitchLoop):
1586         * bytecode/AccessCase.cpp:
1587         (JSC::AccessCase::generateImpl):
1588         * bytecode/AccessCaseSnippetParams.cpp:
1589         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1590         * bytecode/ByValInfo.h:
1591         (JSC::ByValInfo::ByValInfo):
1592         * bytecode/CallLinkInfo.cpp:
1593         (JSC::CallLinkInfo::callReturnLocation):
1594         (JSC::CallLinkInfo::patchableJump):
1595         (JSC::CallLinkInfo::hotPathBegin):
1596         (JSC::CallLinkInfo::slowPathStart):
1597         * bytecode/CallLinkInfo.h:
1598         (JSC::CallLinkInfo::setCallLocations):
1599         (JSC::CallLinkInfo::hotPathOther):
1600         * bytecode/CodeBlock.cpp:
1601         (JSC::CodeBlock::finishCreation):
1602         * bytecode/GetByIdStatus.cpp:
1603         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1604         * bytecode/GetByIdVariant.cpp:
1605         (JSC::GetByIdVariant::GetByIdVariant):
1606         (JSC::GetByIdVariant::dumpInContext const):
1607         * bytecode/GetByIdVariant.h:
1608         (JSC::GetByIdVariant::customAccessorGetter const):
1609         * bytecode/GetterSetterAccessCase.cpp:
1610         (JSC::GetterSetterAccessCase::create):
1611         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1612         (JSC::GetterSetterAccessCase::dumpImpl const):
1613         * bytecode/GetterSetterAccessCase.h:
1614         (JSC::GetterSetterAccessCase::customAccessor const):
1615         (): Deleted.
1616         * bytecode/HandlerInfo.h:
1617         (JSC::HandlerInfo::initialize):
1618         * bytecode/InlineAccess.cpp:
1619         (JSC::linkCodeInline):
1620         (JSC::InlineAccess::rewireStubAsJump):
1621         * bytecode/InlineAccess.h:
1622         * bytecode/JumpTable.h:
1623         (JSC::StringJumpTable::ctiForValue):
1624         (JSC::SimpleJumpTable::ctiForValue):
1625         * bytecode/LLIntCallLinkInfo.h:
1626         (JSC::LLIntCallLinkInfo::unlink):
1627         * bytecode/PolymorphicAccess.cpp:
1628         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1629         (JSC::PolymorphicAccess::regenerate):
1630         * bytecode/PolymorphicAccess.h:
1631         (JSC::AccessGenerationResult::AccessGenerationResult):
1632         (JSC::AccessGenerationResult::code const):
1633         * bytecode/StructureStubInfo.h:
1634         (JSC::StructureStubInfo::slowPathCallLocation):
1635         (JSC::StructureStubInfo::doneLocation):
1636         (JSC::StructureStubInfo::slowPathStartLocation):
1637         (JSC::StructureStubInfo::patchableJumpForIn):
1638         * dfg/DFGCommonData.h:
1639         (JSC::DFG::CommonData::appendCatchEntrypoint):
1640         * dfg/DFGDisassembler.cpp:
1641         (JSC::DFG::Disassembler::dumpDisassembly):
1642         * dfg/DFGDriver.h:
1643         * dfg/DFGJITCompiler.cpp:
1644         (JSC::DFG::JITCompiler::linkOSRExits):
1645         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1646         (JSC::DFG::JITCompiler::link):
1647         (JSC::DFG::JITCompiler::compileFunction):
1648         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1649         * dfg/DFGJITCompiler.h:
1650         (JSC::DFG::CallLinkRecord::CallLinkRecord):
1651         (JSC::DFG::JITCompiler::appendCall):
1652         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
1653         (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
1654         (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
1655         * dfg/DFGJITFinalizer.cpp:
1656         (JSC::DFG::JITFinalizer::JITFinalizer):
1657         (JSC::DFG::JITFinalizer::finalize):
1658         (JSC::DFG::JITFinalizer::finalizeFunction):
1659         * dfg/DFGJITFinalizer.h:
1660         * dfg/DFGJumpReplacement.h:
1661         (JSC::DFG::JumpReplacement::JumpReplacement):
1662         * dfg/DFGNode.h:
1663         * dfg/DFGOSREntry.cpp:
1664         (JSC::DFG::prepareOSREntry):
1665         (JSC::DFG::prepareCatchOSREntry):
1666         * dfg/DFGOSREntry.h:
1667         (JSC::DFG::prepareOSREntry):
1668         * dfg/DFGOSRExit.cpp:
1669         (JSC::DFG::OSRExit::executeOSRExit):
1670         (JSC::DFG::reifyInlinedCallFrames):
1671         (JSC::DFG::adjustAndJumpToTarget):
1672         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1673         (JSC::DFG::OSRExit::emitRestoreArguments):
1674         (JSC::DFG::OSRExit::compileOSRExit):
1675         * dfg/DFGOSRExit.h:
1676         * dfg/DFGOSRExitCompilerCommon.cpp:
1677         (JSC::DFG::handleExitCounts):
1678         (JSC::DFG::reifyInlinedCallFrames):
1679         (JSC::DFG::osrWriteBarrier):
1680         (JSC::DFG::adjustAndJumpToTarget):
1681         * dfg/DFGOperations.cpp:
1682         * dfg/DFGSlowPathGenerator.h:
1683         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
1684         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
1685         (JSC::DFG::slowPathCall):
1686         * dfg/DFGSpeculativeJIT.cpp:
1687         (JSC::DFG::SpeculativeJIT::compileMathIC):
1688         (JSC::DFG::SpeculativeJIT::compileCallDOM):
1689         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1690         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1691         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1692         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1693         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1694         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1695         (JSC::DFG::SpeculativeJIT::cachedPutById):
1696         * dfg/DFGSpeculativeJIT.h:
1697         (JSC::DFG::SpeculativeJIT::callOperation):
1698         (JSC::DFG::SpeculativeJIT::appendCall):
1699         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1700         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1701         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1702         * dfg/DFGSpeculativeJIT64.cpp:
1703         (JSC::DFG::SpeculativeJIT::cachedGetById):
1704         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1705         (JSC::DFG::SpeculativeJIT::compile):
1706         * dfg/DFGThunks.cpp:
1707         (JSC::DFG::osrExitThunkGenerator):
1708         (JSC::DFG::osrExitGenerationThunkGenerator):
1709         (JSC::DFG::osrEntryThunkGenerator):
1710         * dfg/DFGThunks.h:
1711         * disassembler/ARM64Disassembler.cpp:
1712         (JSC::tryToDisassemble):
1713         * disassembler/ARMv7Disassembler.cpp:
1714         (JSC::tryToDisassemble):
1715         * disassembler/Disassembler.cpp:
1716         (JSC::disassemble):
1717         (JSC::disassembleAsynchronously):
1718         * disassembler/Disassembler.h:
1719         (JSC::tryToDisassemble):
1720         * disassembler/UDis86Disassembler.cpp:
1721         (JSC::tryToDisassembleWithUDis86):
1722         * disassembler/UDis86Disassembler.h:
1723         (JSC::tryToDisassembleWithUDis86):
1724         * disassembler/X86Disassembler.cpp:
1725         (JSC::tryToDisassemble):
1726         * ftl/FTLCompile.cpp:
1727         (JSC::FTL::compile):
1728         * ftl/FTLExceptionTarget.cpp:
1729         (JSC::FTL::ExceptionTarget::label):
1730         (JSC::FTL::ExceptionTarget::jumps):
1731         * ftl/FTLExceptionTarget.h:
1732         * ftl/FTLGeneratedFunction.h:
1733         * ftl/FTLJITCode.cpp:
1734         (JSC::FTL::JITCode::initializeB3Code):
1735         (JSC::FTL::JITCode::initializeAddressForCall):
1736         (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
1737         (JSC::FTL::JITCode::addressForCall):
1738         (JSC::FTL::JITCode::executableAddressAtOffset):
1739         * ftl/FTLJITCode.h:
1740         (JSC::FTL::JITCode::b3Code const):
1741         * ftl/FTLJITFinalizer.cpp:
1742         (JSC::FTL::JITFinalizer::finalizeCommon):
1743         * ftl/FTLLazySlowPath.cpp:
1744         (JSC::FTL::LazySlowPath::initialize):
1745         (JSC::FTL::LazySlowPath::generate):
1746         * ftl/FTLLazySlowPath.h:
1747         (JSC::FTL::LazySlowPath::patchableJump const):
1748         (JSC::FTL::LazySlowPath::done const):
1749         (JSC::FTL::LazySlowPath::stub const):
1750         * ftl/FTLLazySlowPathCall.h:
1751         (JSC::FTL::createLazyCallGenerator):
1752         * ftl/FTLLink.cpp:
1753         (JSC::FTL::link):
1754         * ftl/FTLLowerDFGToB3.cpp:
1755         (JSC::FTL::DFG::LowerDFGToB3::lower):
1756         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1757         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1758         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1759         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1760         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1761         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1762         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
1763         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1764         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1765         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
1766         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1767         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1768         * ftl/FTLOSRExit.cpp:
1769         (JSC::FTL::OSRExit::codeLocationForRepatch const):
1770         * ftl/FTLOSRExit.h:
1771         * ftl/FTLOSRExitCompiler.cpp:
1772         (JSC::FTL::compileStub):
1773         (JSC::FTL::compileFTLOSRExit):
1774         * ftl/FTLOSRExitHandle.cpp:
1775         (JSC::FTL::OSRExitHandle::emitExitThunk):
1776         * ftl/FTLOperations.cpp:
1777         (JSC::FTL::compileFTLLazySlowPath):
1778         * ftl/FTLPatchpointExceptionHandle.cpp:
1779         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
1780         * ftl/FTLSlowPathCall.cpp:
1781         (JSC::FTL::SlowPathCallContext::keyWithTarget const):
1782         (JSC::FTL::SlowPathCallContext::makeCall):
1783         * ftl/FTLSlowPathCall.h:
1784         (JSC::FTL::callOperation):
1785         * ftl/FTLSlowPathCallKey.cpp:
1786         (JSC::FTL::SlowPathCallKey::dump const):
1787         * ftl/FTLSlowPathCallKey.h:
1788         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1789         (JSC::FTL::SlowPathCallKey::callTarget const):
1790         (JSC::FTL::SlowPathCallKey::withCallTarget):
1791         (JSC::FTL::SlowPathCallKey::hash const):
1792         (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
1793         * ftl/FTLState.cpp:
1794         (JSC::FTL::State::State):
1795         * ftl/FTLThunks.cpp:
1796         (JSC::FTL::genericGenerationThunkGenerator):
1797         (JSC::FTL::osrExitGenerationThunkGenerator):
1798         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1799         (JSC::FTL::slowPathCallThunkGenerator):
1800         * ftl/FTLThunks.h:
1801         (JSC::FTL::generateIfNecessary):
1802         (JSC::FTL::keyForThunk):
1803         (JSC::FTL::Thunks::getSlowPathCallThunk):
1804         (JSC::FTL::Thunks::keyForSlowPathCallThunk):
1805         * interpreter/InterpreterInlines.h:
1806         (JSC::Interpreter::getOpcodeID):
1807         * jit/AssemblyHelpers.cpp:
1808         (JSC::AssemblyHelpers::callExceptionFuzz):
1809         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1810         (JSC::AssemblyHelpers::debugCall):
1811         * jit/CCallHelpers.cpp:
1812         (JSC::CCallHelpers::ensureShadowChickenPacket):
1813         * jit/ExecutableAllocator.cpp:
1814         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1815         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1816         * jit/ExecutableAllocator.h:
1817         (JSC::performJITMemcpy):
1818         * jit/GCAwareJITStubRoutine.cpp:
1819         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
1820         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
1821         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
1822         (JSC::createJITStubRoutine):
1823         * jit/GCAwareJITStubRoutine.h:
1824         (JSC::createJITStubRoutine):
1825         * jit/JIT.cpp:
1826         (JSC::ctiPatchCallByReturnAddress):
1827         (JSC::JIT::compileWithoutLinking):
1828         (JSC::JIT::link):
1829         (JSC::JIT::privateCompileExceptionHandlers):
1830         * jit/JIT.h:
1831         (JSC::CallRecord::CallRecord):
1832         * jit/JITArithmetic.cpp:
1833         (JSC::JIT::emitMathICFast):
1834         (JSC::JIT::emitMathICSlow):
1835         * jit/JITCall.cpp:
1836         (JSC::JIT::compileOpCallSlowCase):
1837         * jit/JITCall32_64.cpp:
1838         (JSC::JIT::compileOpCallSlowCase):
1839         * jit/JITCode.cpp:
1840         (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
1841         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1842         (JSC::DirectJITCode::DirectJITCode):
1843         (JSC::DirectJITCode::initializeCodeRef):
1844         (JSC::DirectJITCode::addressForCall):
1845         (JSC::NativeJITCode::NativeJITCode):
1846         (JSC::NativeJITCode::initializeCodeRef):
1847         (JSC::NativeJITCode::addressForCall):
1848         * jit/JITCode.h:
1849         * jit/JITCodeMap.h:
1850         (JSC::JITCodeMap::Entry::Entry):
1851         (JSC::JITCodeMap::Entry::codeLocation):
1852         (JSC::JITCodeMap::append):
1853         (JSC::JITCodeMap::find const):
1854         * jit/JITDisassembler.cpp:
1855         (JSC::JITDisassembler::dumpDisassembly):
1856         * jit/JITExceptions.cpp:
1857         (JSC::genericUnwind):
1858         * jit/JITInlineCacheGenerator.cpp:
1859         (JSC::JITByIdGenerator::finalize):
1860         * jit/JITInlines.h:
1861         (JSC::JIT::emitNakedCall):
1862         (JSC::JIT::emitNakedTailCall):
1863         (JSC::JIT::appendCallWithExceptionCheck):
1864         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
1865         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1866         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1867         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1868         * jit/JITMathIC.h:
1869         (JSC::isProfileEmpty):
1870         * jit/JITOpcodes.cpp:
1871         (JSC::JIT::emit_op_catch):
1872         (JSC::JIT::emit_op_switch_imm):
1873         (JSC::JIT::emit_op_switch_char):
1874         (JSC::JIT::emit_op_switch_string):
1875         (JSC::JIT::privateCompileHasIndexedProperty):
1876         (JSC::JIT::emitSlow_op_has_indexed_property):
1877         * jit/JITOpcodes32_64.cpp:
1878         (JSC::JIT::privateCompileHasIndexedProperty):
1879         * jit/JITOperations.cpp:
1880         (JSC::getByVal):
1881         * jit/JITPropertyAccess.cpp:
1882         (JSC::JIT::stringGetByValStubGenerator):
1883         (JSC::JIT::emitGetByValWithCachedId):
1884         (JSC::JIT::emitSlow_op_get_by_val):
1885         (JSC::JIT::emitPutByValWithCachedId):
1886         (JSC::JIT::emitSlow_op_put_by_val):
1887         (JSC::JIT::emitSlow_op_try_get_by_id):
1888         (JSC::JIT::emitSlow_op_get_by_id_direct):
1889         (JSC::JIT::emitSlow_op_get_by_id):
1890         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1891         (JSC::JIT::emitSlow_op_put_by_id):
1892         (JSC::JIT::privateCompileGetByVal):
1893         (JSC::JIT::privateCompileGetByValWithCachedId):
1894         (JSC::JIT::privateCompilePutByVal):
1895         (JSC::JIT::privateCompilePutByValWithCachedId):
1896         * jit/JITPropertyAccess32_64.cpp:
1897         (JSC::JIT::stringGetByValStubGenerator):
1898         (JSC::JIT::emitSlow_op_get_by_val):
1899         (JSC::JIT::emitSlow_op_put_by_val):
1900         * jit/JITStubRoutine.h:
1901         (JSC::JITStubRoutine::JITStubRoutine):
1902         (JSC::JITStubRoutine::createSelfManagedRoutine):
1903         (JSC::JITStubRoutine::code const):
1904         (JSC::JITStubRoutine::asCodePtr):
1905         * jit/JITThunks.cpp:
1906         (JSC::JITThunks::ctiNativeCall):
1907         (JSC::JITThunks::ctiNativeConstruct):
1908         (JSC::JITThunks::ctiNativeTailCall):
1909         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
1910         (JSC::JITThunks::ctiInternalFunctionCall):
1911         (JSC::JITThunks::ctiInternalFunctionConstruct):
1912         (JSC::JITThunks::ctiStub):
1913         (JSC::JITThunks::existingCTIStub):
1914         (JSC::JITThunks::hostFunctionStub):
1915         * jit/JITThunks.h:
1916         * jit/PCToCodeOriginMap.cpp:
1917         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
1918         * jit/PCToCodeOriginMap.h:
1919         * jit/PolymorphicCallStubRoutine.cpp:
1920         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1921         * jit/PolymorphicCallStubRoutine.h:
1922         * jit/Repatch.cpp:
1923         (JSC::readPutICCallTarget):
1924         (JSC::ftlThunkAwareRepatchCall):
1925         (JSC::appropriateOptimizingGetByIdFunction):
1926         (JSC::appropriateGetByIdFunction):
1927         (JSC::tryCacheGetByID):
1928         (JSC::repatchGetByID):
1929         (JSC::tryCachePutByID):
1930         (JSC::repatchPutByID):
1931         (JSC::tryCacheIn):
1932         (JSC::repatchIn):
1933         (JSC::linkSlowFor):
1934         (JSC::linkFor):
1935         (JSC::linkDirectFor):
1936         (JSC::revertCall):
1937         (JSC::unlinkFor):
1938         (JSC::linkVirtualFor):
1939         (JSC::linkPolymorphicCall):
1940         (JSC::resetGetByID):
1941         (JSC::resetPutByID):
1942         * jit/Repatch.h:
1943         * jit/SlowPathCall.h:
1944         (JSC::JITSlowPathCall::call):
1945         * jit/SpecializedThunkJIT.h:
1946         (JSC::SpecializedThunkJIT::finalize):
1947         (JSC::SpecializedThunkJIT::callDoubleToDouble):
1948         (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
1949         * jit/ThunkGenerator.h:
1950         * jit/ThunkGenerators.cpp:
1951         (JSC::throwExceptionFromCallSlowPathGenerator):
1952         (JSC::slowPathFor):
1953         (JSC::linkCallThunkGenerator):
1954         (JSC::linkPolymorphicCallThunkGenerator):
1955         (JSC::virtualThunkFor):
1956         (JSC::nativeForGenerator):
1957         (JSC::nativeCallGenerator):
1958         (JSC::nativeTailCallGenerator):
1959         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1960         (JSC::nativeConstructGenerator):
1961         (JSC::internalFunctionCallGenerator):
1962         (JSC::internalFunctionConstructGenerator):
1963         (JSC::arityFixupGenerator):
1964         (JSC::unreachableGenerator):
1965         (JSC::charCodeAtThunkGenerator):
1966         (JSC::charAtThunkGenerator):
1967         (JSC::fromCharCodeThunkGenerator):
1968         (JSC::clz32ThunkGenerator):
1969         (JSC::sqrtThunkGenerator):
1970         (JSC::floorThunkGenerator):
1971         (JSC::ceilThunkGenerator):
1972         (JSC::truncThunkGenerator):
1973         (JSC::roundThunkGenerator):
1974         (JSC::expThunkGenerator):
1975         (JSC::logThunkGenerator):
1976         (JSC::absThunkGenerator):
1977         (JSC::imulThunkGenerator):
1978         (JSC::randomThunkGenerator):
1979         (JSC::boundThisNoArgsFunctionCallGenerator):
1980         * jit/ThunkGenerators.h:
1981         * llint/LLIntData.cpp:
1982         (JSC::LLInt::initialize):
1983         * llint/LLIntData.h:
1984         (JSC::LLInt::getExecutableAddress):
1985         (JSC::LLInt::getCodePtr):
1986         (JSC::LLInt::getCodeRef):
1987         (JSC::LLInt::getCodeFunctionPtr):
1988         * llint/LLIntEntrypoint.cpp:
1989         (JSC::LLInt::setFunctionEntrypoint):
1990         (JSC::LLInt::setEvalEntrypoint):
1991         (JSC::LLInt::setProgramEntrypoint):
1992         (JSC::LLInt::setModuleProgramEntrypoint):
1993         * llint/LLIntExceptions.cpp:
1994         (JSC::LLInt::callToThrow):
1995         * llint/LLIntSlowPaths.cpp:
1996         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1997         (JSC::LLInt::setUpCall):
1998         * llint/LLIntThunks.cpp:
1999         (JSC::vmEntryToWasm):
2000         (JSC::LLInt::generateThunkWithJumpTo):
2001         (JSC::LLInt::functionForCallEntryThunkGenerator):
2002         (JSC::LLInt::functionForConstructEntryThunkGenerator):
2003         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
2004         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
2005         (JSC::LLInt::evalEntryThunkGenerator):
2006         (JSC::LLInt::programEntryThunkGenerator):
2007         (JSC::LLInt::moduleProgramEntryThunkGenerator):
2008         * llint/LLIntThunks.h:
2009         * llint/LowLevelInterpreter.asm:
2010         * llint/LowLevelInterpreter32_64.asm:
2011         * llint/LowLevelInterpreter64.asm:
2012         * profiler/ProfilerCompilation.cpp:
2013         (JSC::Profiler::Compilation::addOSRExitSite):
2014         * profiler/ProfilerCompilation.h:
2015         * profiler/ProfilerOSRExitSite.cpp:
2016         (JSC::Profiler::OSRExitSite::toJS const):
2017         * profiler/ProfilerOSRExitSite.h:
2018         (JSC::Profiler::OSRExitSite::OSRExitSite):
2019         (JSC::Profiler::OSRExitSite::codeAddress const):
2020         (JSC::Profiler::OSRExitSite:: const): Deleted.
2021         * runtime/ExecutableBase.cpp:
2022         (JSC::ExecutableBase::clearCode):
2023         * runtime/ExecutableBase.h:
2024         (JSC::ExecutableBase::entrypointFor):
2025         * runtime/NativeExecutable.cpp:
2026         (JSC::NativeExecutable::finishCreation):
2027         * runtime/NativeFunction.h:
2028         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2029         (JSC::TaggedNativeFunction::operator NativeFunction):
2030         * runtime/PtrTag.h:
2031         (JSC::tagCodePtr):
2032         (JSC::untagCodePtr):
2033         (JSC::retagCodePtr):
2034         (JSC::tagCFunctionPtr):
2035         (JSC::untagCFunctionPtr):
2036         (JSC::nextPtrTagID): Deleted.
2037         * runtime/PutPropertySlot.h:
2038         (JSC::PutPropertySlot::PutPropertySlot):
2039         (JSC::PutPropertySlot::setCustomValue):
2040         (JSC::PutPropertySlot::setCustomAccessor):
2041         (JSC::PutPropertySlot::customSetter const):
2042         * runtime/ScriptExecutable.cpp:
2043         (JSC::ScriptExecutable::installCode):
2044         * runtime/VM.cpp:
2045         (JSC::VM::getHostFunction):
2046         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2047         * runtime/VM.h:
2048         (JSC::VM::getCTIStub):
2049         * wasm/WasmB3IRGenerator.cpp:
2050         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2051         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
2052         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2053         (JSC::Wasm::B3IRGenerator::addCall):
2054         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2055         * wasm/WasmBBQPlan.cpp:
2056         (JSC::Wasm::BBQPlan::prepare):
2057         (JSC::Wasm::BBQPlan::complete):
2058         * wasm/WasmBBQPlan.h:
2059         * wasm/WasmBinding.cpp:
2060         (JSC::Wasm::wasmToWasm):
2061         * wasm/WasmBinding.h:
2062         * wasm/WasmCallee.h:
2063         (JSC::Wasm::Callee::entrypoint const):
2064         * wasm/WasmCallingConvention.h:
2065         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
2066         * wasm/WasmCodeBlock.h:
2067         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
2068         * wasm/WasmFaultSignalHandler.cpp:
2069         (JSC::Wasm::trapHandler):
2070         * wasm/WasmFormat.h:
2071         * wasm/WasmInstance.h:
2072         * wasm/WasmOMGPlan.cpp:
2073         (JSC::Wasm::OMGPlan::work):
2074         * wasm/WasmThunks.cpp:
2075         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2076         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2077         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2078         (JSC::Wasm::Thunks::stub):
2079         (JSC::Wasm::Thunks::existingStub):
2080         * wasm/WasmThunks.h:
2081         * wasm/js/JSToWasm.cpp:
2082         (JSC::Wasm::createJSToWasmWrapper):
2083         * wasm/js/JSWebAssemblyCodeBlock.h:
2084         * wasm/js/WasmToJS.cpp:
2085         (JSC::Wasm::handleBadI64Use):
2086         (JSC::Wasm::wasmToJS):
2087         * wasm/js/WasmToJS.h:
2088         * wasm/js/WebAssemblyFunction.h:
2089         * yarr/YarrJIT.cpp:
2090         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
2091         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
2092         (JSC::Yarr::YarrGenerator::compile):
2093         * yarr/YarrJIT.h:
2094         (JSC::Yarr::YarrCodeBlock::set8BitCode):
2095         (JSC::Yarr::YarrCodeBlock::set16BitCode):
2096         (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
2097         (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
2098         (JSC::Yarr::YarrCodeBlock::execute):
2099         (JSC::Yarr::YarrCodeBlock::clear):
2100
2101 2018-04-17  Commit Queue  <commit-queue@webkit.org>
2102
2103         Unreviewed, rolling out r230697, r230720, and r230724.
2104         https://bugs.webkit.org/show_bug.cgi?id=184717
2105
2106         These caused multiple failures on the Test262 testers.
2107         (Requested by mlewis13 on #webkit).
2108
2109         Reverted changesets:
2110
2111         "[WebAssembly][Modules] Prototype wasm import"
2112         https://bugs.webkit.org/show_bug.cgi?id=184600
2113         https://trac.webkit.org/changeset/230697
2114
2115         "[WebAssembly][Modules] Implement function import from wasm
2116         modules"
2117         https://bugs.webkit.org/show_bug.cgi?id=184689
2118         https://trac.webkit.org/changeset/230720
2119
2120         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
2121         https://bugs.webkit.org/show_bug.cgi?id=184703
2122         https://trac.webkit.org/changeset/230724
2123
2124 2018-04-17  JF Bastien  <jfbastien@apple.com>
2125
2126         A put is not an ExistingProperty put when we transition a structure because of an attributes change
2127         https://bugs.webkit.org/show_bug.cgi?id=184706
2128         <rdar://problem/38871451>
2129
2130         Reviewed by Saam Barati.
2131
        When putting a property on a structure and the slot is a different
        type, the slot can't be said to have already existed.
2134
2135         * runtime/JSObjectInlines.h:
2136         (JSC::JSObject::putDirectInternal):
2137
2138 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2139
2140         JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
2141         https://bugs.webkit.org/show_bug.cgi?id=184705
2142
2143         Reviewed by Michael Saboff.
2144         
2145         My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
2146         while testing an unrelated patch, a concurrent GC thread crashed inside
2147         JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
        because a typed array became wasteful concurrently with the GC. So, visitChildren() read one
2149         mode and another vector.
2150         
2151         The fix is to lock inside visitChildren and anyone who changes those fields.
2152         
2153         I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
2154         this.
2155
2156         * runtime/JSArrayBufferView.cpp:
2157         (JSC::JSArrayBufferView::neuter):
2158         * runtime/JSGenericTypedArrayViewInlines.h:
2159         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2160         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2161
2162 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
2163
2164         PutStackSinkingPhase should know that KillStack means ConflictingFlush
2165         https://bugs.webkit.org/show_bug.cgi?id=184672
2166
2167         Reviewed by Michael Saboff.
2168
2169         We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
2170         KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
2171         archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
2172         intentional - I don't know.
2173
2174         Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
2175         doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
2176         the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
        KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
2178         that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
2179         specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
2180         could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
2181         KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
2182         inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
2183         have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
2184         values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
2185         value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
2186
2187         This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
2188         them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
2189         its stack slot for the purpose of clobberize.
2190
2191         * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
2192         * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
2193         * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
2194         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2195
2196 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2197
2198         JSWebAssemblyCodeBlock should be in an IsoSubspace
2199         https://bugs.webkit.org/show_bug.cgi?id=184704
2200
2201         Reviewed by Mark Lam.
2202         
2203         Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
2204         CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
2205         shortcircuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
2206         protection.
2207
2208         * runtime/VM.cpp:
2209         (JSC::VM::VM):
2210         * runtime/VM.h:
2211         * wasm/js/JSWebAssemblyCodeBlock.h:
2212
2213 2018-04-17  Jer Noble  <jer.noble@apple.com>
2214
2215         Only enable useSeparatedWXHeap on ARM64.
2216         https://bugs.webkit.org/show_bug.cgi?id=184697
2217
2218         Reviewed by Saam Barati.
2219
2220         * runtime/Options.cpp:
2221         (JSC::recomputeDependentOptions):
2222
2223 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2224
2225         [WebAssembly][Modules] Implement function import from wasm modules
2226         https://bugs.webkit.org/show_bug.cgi?id=184689
2227
2228         Reviewed by JF Bastien.
2229
        This patch implements function import from wasm modules. We move the function importing part
        from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
        is because linking these functions requires that all the dependent modules are created.
        While we want to move all the linking functionality from JSWebAssemblyInstance to
        WebAssemblyModuleRecord::link, we do not do that in this patch. In this patch, we move only
        the function importing part, because efficient compilation of WebAssembly needs to know
        the type of WebAssemblyMemory (signaling or bounds checking). This needs to know the imported
        or attached WebAssembly memory object. So we cannot defer this linking to
        WebAssemblyModuleRecord::link now.

        The largest difference from JS module linking is that WebAssembly module linking links
        functions from the module by snapshotting. When you have a cyclic module graph like this,

        -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
            ^                                                   |
            +---------------------------------------------------+

        we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
        is described in [1], and tested in this patch.
2249
2250         [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
2251
2252         * JavaScriptCore.xcodeproj/project.pbxproj:
2253         * jsc.cpp:
2254         (functionDollarAgentStart):
2255         (checkException):
2256         (runWithOptions):
2257         Small fixes for wasm module loading.
2258
2259         * parser/NodesAnalyzeModule.cpp:
2260         (JSC::ImportDeclarationNode::analyzeModule):
2261         * runtime/AbstractModuleRecord.cpp:
2262         (JSC::AbstractModuleRecord::resolveImport):
2263         (JSC::AbstractModuleRecord::link):
2264         * runtime/AbstractModuleRecord.h:
2265         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
2266         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
        Now, wasm modules can have an import which is named "*". So this function does not work.
        Since wasm modules never have namespace imports, we check this in JS's module analyzer.
2269
2270         * runtime/JSModuleEnvironment.cpp:
2271         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2272         * runtime/JSModuleRecord.cpp:
2273         (JSC::JSModuleRecord::instantiateDeclarations):
2274         * wasm/WasmCreationMode.h: Added.
2275         * wasm/js/JSWebAssemblyInstance.cpp:
2276         (JSC::JSWebAssemblyInstance::finalizeCreation):
2277         (JSC::JSWebAssemblyInstance::create):
2278         * wasm/js/JSWebAssemblyInstance.h:
2279         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2280         (JSC::constructJSWebAssemblyInstance):
2281         * wasm/js/WebAssemblyModuleRecord.cpp:
2282         (JSC::WebAssemblyModuleRecord::link):
2283         * wasm/js/WebAssemblyModuleRecord.h:
2284         * wasm/js/WebAssemblyPrototype.cpp:
2285         (JSC::resolve):
2286         (JSC::instantiate):
2287         (JSC::compileAndInstantiate):
2288         (JSC::WebAssemblyPrototype::instantiate):
2289         (JSC::webAssemblyInstantiateFunc):
2290
2291 2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>
2292
2293         Implement setupArgumentsImpl for ARM and MIPS
2294         https://bugs.webkit.org/show_bug.cgi?id=183786
2295
2296         Reviewed by Yusuke Suzuki.
2297
        Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling conventions. Added
2299         numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
2300         registers used for 64-bit values on 32-bit architectures. numCrossSources
2301         keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
2302
2303         * assembler/MacroAssemblerARMv7.h:
2304         (JSC::MacroAssemblerARMv7::moveDouble):
2305         * assembler/MacroAssemblerMIPS.h:
2306         (JSC::MacroAssemblerMIPS::moveDouble):
2307         * jit/CCallHelpers.h:
2308         (JSC::CCallHelpers::setupStubCrossArgs):
2309         (JSC::CCallHelpers::ArgCollection::ArgCollection):
2310         (JSC::CCallHelpers::ArgCollection::pushRegArg):
2311         (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
2312         (JSC::CCallHelpers::ArgCollection::addGPRArg):
2313         (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
2314         (JSC::CCallHelpers::ArgCollection::addStackArg):
2315         (JSC::CCallHelpers::ArgCollection::addPoke):
2316         (JSC::CCallHelpers::ArgCollection::argCount):
2317         (JSC::CCallHelpers::calculatePokeOffset):
2318         (JSC::CCallHelpers::pokeForArgument):
2319         (JSC::CCallHelpers::stackAligned):
2320         (JSC::CCallHelpers::marshallArgumentRegister):
2321         (JSC::CCallHelpers::setupArgumentsImpl):
2322         (JSC::CCallHelpers::pokeArgumentsAligned):
2323         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
2324         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
2325         (JSC::CCallHelpers::setupArguments):
2326         * jit/FPRInfo.h:
2327         (JSC::FPRInfo::toArgumentRegister):
2328
2329 2018-04-17  Saam Barati  <sbarati@apple.com>
2330
2331         Add system trace points for process launch and for initializeWebProcess
2332         https://bugs.webkit.org/show_bug.cgi?id=184669
2333
2334         Reviewed by Simon Fraser.
2335
2336         * runtime/VMEntryScope.cpp:
2337         (JSC::VMEntryScope::VMEntryScope):
2338         (JSC::VMEntryScope::~VMEntryScope):
2339
2340 2018-04-17  Jer Noble  <jer.noble@apple.com>
2341
2342         Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
2343         https://bugs.webkit.org/show_bug.cgi?id=184602
2344
2345         Reviewed by Beth Dakin.
2346
2347         * JavaScriptCore.xcodeproj/project.pbxproj:
2348
2349 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2350
2351         [GLIB] Add API to clear JSCContext uncaught exception
2352         https://bugs.webkit.org/show_bug.cgi?id=184685
2353
2354         Reviewed by Žan Doberšek.
2355
2356         Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
2357
2358         * API/glib/JSCContext.cpp:
2359         (jsc_context_clear_exception):
2360         * API/glib/JSCContext.h:
2361         * API/glib/docs/jsc-glib-4.0-sections.txt:
2362
2363 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2364
2365         [GLIB] Add API to query, delete and enumerate properties
2366         https://bugs.webkit.org/show_bug.cgi?id=184647
2367
2368         Reviewed by Michael Catanzaro.
2369
2370         Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
2371
2372         * API/glib/JSCValue.cpp:
2373         (jsc_value_object_has_property):
2374         (jsc_value_object_delete_property):
2375         (jsc_value_object_enumerate_properties):
2376         * API/glib/JSCValue.h:
2377         * API/glib/docs/jsc-glib-4.0-sections.txt:
2378
2379 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2380
2381         [WebAssembly][Modules] Prototype wasm import
2382         https://bugs.webkit.org/show_bug.cgi?id=184600
2383
2384         Reviewed by JF Bastien.
2385
        This patch is an initial attempt to implement Wasm loading in the module pipeline.
        Currently,

        1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
           in whatwg HTML, we should integrate this into WebCore.

        2. We only support exporting values from Wasm. A Wasm module cannot import anything from
           the other modules now.

        When loading a file, the JSC shell checks the wasm magic. If the wasm magic is found, the JSC shell
        loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
        module loader pipeline just handles it the same as JS. When parsing a module, we
        check the type of the JSSourceCode. If the source code is Wasm source code, we create a
        WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
        AbstractModuleRecord, and the Wasm module is instantiated, linked, and evaluated.
2401
2402         * builtins/ModuleLoaderPrototype.js:
2403         (globalPrivate.newRegistryEntry):
2404         (requestInstantiate):
2405         (link):
2406         * jsc.cpp:
2407         (convertShebangToJSComment):
2408         (fillBufferWithContentsOfFile):
2409         (fetchModuleFromLocalFileSystem):
2410         (GlobalObject::moduleLoaderFetch):
2411         * parser/SourceProvider.h:
2412         (JSC::WebAssemblySourceProvider::create):
2413         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
2414         * runtime/AbstractModuleRecord.cpp:
2415         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2416         (JSC::AbstractModuleRecord::link):
2417         (JSC::AbstractModuleRecord::evaluate):
2418         (JSC::identifierToJSValue): Deleted.
2419         * runtime/AbstractModuleRecord.h:
2420         * runtime/JSModuleLoader.cpp:
2421         (JSC::JSModuleLoader::evaluate):
2422         * runtime/JSModuleRecord.cpp:
2423         (JSC::JSModuleRecord::link):
2424         (JSC::JSModuleRecord::instantiateDeclarations):
2425         * runtime/JSModuleRecord.h:
2426         * runtime/ModuleLoaderPrototype.cpp:
2427         (JSC::moduleLoaderPrototypeParseModule):
2428         (JSC::moduleLoaderPrototypeRequestedModules):
2429         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
2430         * wasm/js/JSWebAssemblyHelpers.h:
2431         (JSC::getWasmBufferFromValue):
2432         (JSC::createSourceBufferFromValue):
2433         * wasm/js/JSWebAssemblyInstance.cpp:
2434         (JSC::JSWebAssemblyInstance::finalizeCreation):
2435         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
2436         (JSC::JSWebAssemblyInstance::create):
2437         * wasm/js/JSWebAssemblyInstance.h:
2438         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2439         (JSC::constructJSWebAssemblyInstance):
2440         * wasm/js/WebAssemblyModuleRecord.cpp:
2441         (JSC::WebAssemblyModuleRecord::prepareLink):
2442         (JSC::WebAssemblyModuleRecord::link):
2443         * wasm/js/WebAssemblyModuleRecord.h:
2444         * wasm/js/WebAssemblyPrototype.cpp:
2445         (JSC::resolve):
2446         (JSC::instantiate):
2447         (JSC::compileAndInstantiate):
2448         (JSC::WebAssemblyPrototype::instantiate):
2449         (JSC::webAssemblyInstantiateFunc):
2450         (JSC::webAssemblyValidateFunc):
2451         * wasm/js/WebAssemblyPrototype.h:
2452
2453 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
2454
2455         Function.prototype.caller shouldn't return generator bodies
2456         https://bugs.webkit.org/show_bug.cgi?id=184630
2457
2458         Reviewed by Yusuke Suzuki.
2459         
2460         Function.prototype.caller no longer returns generator bodies. Those are meant to be
2461         private.
2462         
2463         Also added some builtin debugging tools so that it's easier to do the investigation that I
2464         did.
2465
2466         * builtins/BuiltinNames.h:
2467         * runtime/JSFunction.cpp:
2468         (JSC::JSFunction::callerGetter):
2469         * runtime/JSGlobalObject.cpp:
2470         (JSC::JSGlobalObject::init):
2471         * runtime/JSGlobalObjectFunctions.cpp:
2472         (JSC::globalFuncBuiltinDescribe):
2473         * runtime/JSGlobalObjectFunctions.h:
2474
2475 2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2476
2477         [DFG] Remove duplicate 32bit ProfileType implementation
2478         https://bugs.webkit.org/show_bug.cgi?id=184536
2479
2480         Reviewed by Saam Barati.
2481
        This patch removes the duplicate 32bit ProfileType implementation by unifying the 32/64 implementations.
2483
2484         * dfg/DFGSpeculativeJIT.cpp:
2485         (JSC::DFG::SpeculativeJIT::compileProfileType):
2486         * dfg/DFGSpeculativeJIT.h:
2487         * dfg/DFGSpeculativeJIT32_64.cpp:
2488         (JSC::DFG::SpeculativeJIT::compile):
2489         * dfg/DFGSpeculativeJIT64.cpp:
2490         (JSC::DFG::SpeculativeJIT::compile):
2491         * jit/AssemblyHelpers.h:
2492         (JSC::AssemblyHelpers::branchIfUndefined):
2493         (JSC::AssemblyHelpers::branchIfNull):
2494
2495 2018-04-12  Mark Lam  <mark.lam@apple.com>
2496
2497         Consolidate some PtrTags.
2498         https://bugs.webkit.org/show_bug.cgi?id=184552
2499         <rdar://problem/39389404>
2500
2501         Reviewed by Filip Pizlo.
2502
2503         Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
2504         Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
2505
2506         * assembler/AbstractMacroAssembler.h:
2507         (JSC::AbstractMacroAssembler::repatchNearCall):
2508         * assembler/MacroAssemblerARM.h:
2509         (JSC::MacroAssemblerARM::readCallTarget):
2510         * assembler/MacroAssemblerARMv7.h:
2511         (JSC::MacroAssemblerARMv7::readCallTarget):
2512         * assembler/MacroAssemblerMIPS.h:
2513         (JSC::MacroAssemblerMIPS::readCallTarget):
2514         * assembler/MacroAssemblerX86.h:
2515         (JSC::MacroAssemblerX86::readCallTarget):
2516         * assembler/MacroAssemblerX86_64.h:
2517         (JSC::MacroAssemblerX86_64::readCallTarget):
2518         * bytecode/AccessCase.cpp:
2519         (JSC::AccessCase::generateImpl):
2520         * bytecode/InlineAccess.cpp:
2521         (JSC::InlineAccess::rewireStubAsJump):
2522         * bytecode/PolymorphicAccess.cpp:
2523         (JSC::PolymorphicAccess::regenerate):
2524         * dfg/DFGJITCompiler.cpp:
2525         (JSC::DFG::JITCompiler::linkOSRExits):
2526         (JSC::DFG::JITCompiler::link):
2527         (JSC::DFG::JITCompiler::compileFunction):
2528         * dfg/DFGJITFinalizer.cpp:
2529         (JSC::DFG::JITFinalizer::finalize):
2530         (JSC::DFG::JITFinalizer::finalizeFunction):
2531         * dfg/DFGOSREntry.cpp:
2532         (JSC::DFG::prepareOSREntry):
2533         * dfg/DFGOSRExit.cpp:
2534         (JSC::DFG::OSRExit::executeOSRExit):
2535         (JSC::DFG::adjustAndJumpToTarget):
2536         (JSC::DFG::OSRExit::compileOSRExit):
2537         * dfg/DFGOSRExitCompilerCommon.cpp:
2538         (JSC::DFG::adjustAndJumpToTarget):
2539         * dfg/DFGOperations.cpp:
2540         * ftl/FTLJITCode.cpp:
2541         (JSC::FTL::JITCode::executableAddressAtOffset):
2542         * ftl/FTLJITFinalizer.cpp:
2543         (JSC::FTL::JITFinalizer::finalizeCommon):
2544         * ftl/FTLLazySlowPath.cpp:
2545         (JSC::FTL::LazySlowPath::generate):
2546         * ftl/FTLLink.cpp:
2547         (JSC::FTL::link):
2548         * ftl/FTLLowerDFGToB3.cpp:
2549         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2550         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2551         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2552         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2553         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2554         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
2555         * ftl/FTLOSRExitCompiler.cpp:
2556         (JSC::FTL::compileFTLOSRExit):
2557         * ftl/FTLOSRExitHandle.cpp:
2558         (JSC::FTL::OSRExitHandle::emitExitThunk):
2559         * jit/AssemblyHelpers.cpp:
2560         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2561         * jit/JIT.cpp:
2562         (JSC::JIT::compileWithoutLinking):
2563         (JSC::JIT::link):
2564         * jit/JITCall.cpp:
2565         (JSC::JIT::compileOpCallSlowCase):
2566         * jit/JITCode.cpp:
2567         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2568         (JSC::NativeJITCode::addressForCall):
2569         * jit/JITInlines.h:
2570         (JSC::JIT::emitNakedCall):
2571         (JSC::JIT::emitNakedTailCall):
2572         * jit/JITMathIC.h:
2573         (JSC::isProfileEmpty):
2574         * jit/JITOpcodes.cpp:
2575         (JSC::JIT::privateCompileHasIndexedProperty):
2576         * jit/JITOperations.cpp:
2577         * jit/JITPropertyAccess.cpp:
2578         (JSC::JIT::stringGetByValStubGenerator):
2579         (JSC::JIT::privateCompileGetByVal):
2580         (JSC::JIT::privateCompileGetByValWithCachedId):
2581         (JSC::JIT::privateCompilePutByVal):
2582         (JSC::JIT::privateCompilePutByValWithCachedId):
2583         * jit/JITThunks.cpp:
2584         (JSC::JITThunks::hostFunctionStub):
2585         * jit/Repatch.cpp:
2586         (JSC::linkSlowFor):
2587         (JSC::linkFor):
2588         (JSC::linkPolymorphicCall):
2589         * jit/SpecializedThunkJIT.h:
2590         (JSC::SpecializedThunkJIT::finalize):
2591         * jit/ThunkGenerators.cpp:
2592         (JSC::virtualThunkFor):
2593         (JSC::nativeForGenerator):
2594         (JSC::boundThisNoArgsFunctionCallGenerator):
2595         * llint/LLIntData.cpp:
2596         (JSC::LLInt::initialize):
2597         * llint/LLIntEntrypoint.cpp:
2598         (JSC::LLInt::setEvalEntrypoint):
2599         (JSC::LLInt::setProgramEntrypoint):
2600         (JSC::LLInt::setModuleProgramEntrypoint):
2601         * llint/LLIntSlowPaths.cpp:
2602         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2603         (JSC::LLInt::setUpCall):
2604         * llint/LLIntThunks.cpp:
2605         (JSC::LLInt::generateThunkWithJumpTo):
2606         (JSC::LLInt::functionForCallEntryThunkGenerator):
2607         (JSC::LLInt::functionForConstructEntryThunkGenerator):
2608         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
2609         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
2610         (JSC::LLInt::evalEntryThunkGenerator):
2611         (JSC::LLInt::programEntryThunkGenerator):
2612         (JSC::LLInt::moduleProgramEntryThunkGenerator):
2613         * llint/LowLevelInterpreter.asm:
2614         * llint/LowLevelInterpreter64.asm:
2615         * runtime/NativeExecutable.cpp:
2616         (JSC::NativeExecutable::finishCreation):
2617         * runtime/NativeFunction.h:
2618         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2619         (JSC::TaggedNativeFunction::operator NativeFunction):
2620         * runtime/PtrTag.h:
2621         * wasm/WasmBBQPlan.cpp:
2622         (JSC::Wasm::BBQPlan::complete):
2623         * wasm/WasmOMGPlan.cpp:
2624         (JSC::Wasm::OMGPlan::work):
2625         * wasm/WasmThunks.cpp:
2626         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2627         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2628         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2629         * wasm/js/WasmToJS.cpp:
2630         (JSC::Wasm::wasmToJS):
2631         * wasm/js/WebAssemblyFunction.h:
2632         * yarr/YarrJIT.cpp:
2633         (JSC::Yarr::YarrGenerator::compile):
2634
2635 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2636
2637         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
2638         https://bugs.webkit.org/show_bug.cgi?id=184379
2639
2640         Reviewed by Žan Doberšek.
2641
2642         Load the module from the new location.
2643
2644         * PlatformWPE.cmake:
2645         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2646         (Inspector::backendCommands):
2647
2648 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2649
2650         [DFG] Remove compileBigIntEquality in DFG 32bit
2651         https://bugs.webkit.org/show_bug.cgi?id=184535
2652
2653         Reviewed by Saam Barati.
2654
        We can have a unified implementation for compileBigIntEquality.
2656
2657         * dfg/DFGSpeculativeJIT.cpp:
2658         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2659         * dfg/DFGSpeculativeJIT32_64.cpp:
2660         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2661         * dfg/DFGSpeculativeJIT64.cpp:
2662         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2663
2664 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2665
2666         [WPE] Improve include hierarchy
2667         https://bugs.webkit.org/show_bug.cgi?id=184376
2668
2669         Reviewed by Žan Doberšek.
2670
2671         Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
2672         /usr/include/wpe-0.1/WPE/jsc.
2673
2674         * PlatformWPE.cmake:
2675
2676 2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2677
2678         [GLIB] Handle strings containing null characters
2679         https://bugs.webkit.org/show_bug.cgi?id=184450
2680
2681         Reviewed by Michael Catanzaro.
2682
        We should be able to evaluate scripts containing null characters and to handle strings that contain them
        too. In JavaScript strings are not null-terminated; they can contain null characters. This patch adds a length
        parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null terminated), and new functions
        jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
        contain null characters.
2688
2689         * API/OpaqueJSString.cpp:
2690         (OpaqueJSString::create): Add a create constructor that takes the String.
2691         * API/OpaqueJSString.h:
2692         (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
2693         * API/glib/JSCContext.cpp:
2694         (jsc_context_evaluate): Add length parameter.
2695         (jsc_context_evaluate_with_source_uri): Ditto.
2696         * API/glib/JSCContext.h:
2697         * API/glib/JSCValue.cpp:
2698         (jsc_value_new_string_from_bytes):
2699         (jsc_value_to_string):
2700         (jsc_value_to_string_as_bytes):
2701         (jsc_value_object_is_instance_of): Pass length to evaluate.
2702         * API/glib/JSCValue.h:
2703         * API/glib/docs/jsc-glib-4.0-sections.txt:
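
Added example, not part of this ChangeLog and not JSC or GLib API code: the failure mode the entry above is closing, shown in plain C with no JSC dependency. A JavaScript string may contain U+0000, so the bytes handed to a C API can carry an embedded NUL. Any component that treats that buffer as a C string stops at the first NUL and validates a shorter script than the one a length-aware consumer goes on to execute. The sample script bytes, the "negative length means NUL-terminated" convention (mirroring the -1 convention described in the entry) and the filter functions are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample script: the JS source "1+1" followed by U+0000 and
 * more code. strlen() stops at the NUL and sees only "1+1". */
static const char kScript[] = "1+1\0eval(payload)";
static const size_t kScriptLen = sizeof(kScript) - 1; /* 17 bytes, trailing terminator excluded */

/* Illustrative helper (not a JSC function): a negative length means
 * "NUL-terminated, compute the length yourself", as the entry describes. */
size_t resolve_length(const char *code, long length)
{
    return length < 0 ? strlen(code) : (size_t)length;
}

/* A filter written against the C-string view. It never sees past the NUL. */
bool filter_c_string(const char *code)
{
    return strstr(code, "eval(") == NULL;
}

/* The same filter written against (pointer, length). It scans every byte,
 * so it finds the token hidden behind the embedded NUL. */
bool filter_bytes(const char *code, size_t len)
{
    static const char needle[] = "eval(";
    const size_t n = sizeof(needle) - 1;
    for (size_t i = 0; i + n <= len; i++) {
        if (memcmp(code + i, needle, n) == 0)
            return false;
    }
    return true;
}

/* True when both views reach the same verdict. A disagreement is the bug
 * class: one component validates a shorter string than the one another
 * component executes. */
bool views_agree(const char *code, long length)
{
    size_t len = resolve_length(code, length);
    return filter_c_string(code) == filter_bytes(code, len);
}

int main(void)
{
    printf("strlen view: %zu bytes, explicit view: %zu bytes\n",
           resolve_length(kScript, -1), resolve_length(kScript, (long)kScriptLen));
    printf("C-string filter passes: %d, byte filter passes: %d\n",
           filter_c_string(kScript), filter_bytes(kScript, kScriptLen));
    printf("views agree with explicit length: %d\n",
           views_agree(kScript, (long)kScriptLen));
    return 0;
}
```

The practical rule this shows: once an API accepts an explicit length (or GBytes), every consumer of that buffer, including any validation layer in front of the evaluator, has to use the same length rather than falling back to strlen().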
2704
2705 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2706
2707         [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
2708         https://bugs.webkit.org/show_bug.cgi?id=184500
2709
2710         Reviewed by Mark Lam.
2711
        Instead of passing JSValue::CellTag to the callOperation meta-program to convert
        a JSCell GPR to EncodedJSValue in 32bit code, we add CCallHelpers::CellValue.
        It is a wrapper for GPRReg, like TrustedImmPtr for a pointer value. When poking a
        CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
        poke the held GPR. The benefit of this CellValue is that we can use the same code
        for 32bit and 64bit. This patch removes several ifdefs.
2718
2719         * bytecode/AccessCase.cpp:
2720         (JSC::AccessCase::generateImpl):
2721         * dfg/DFGSpeculativeJIT.cpp:
2722         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2723         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2724         (JSC::DFG::SpeculativeJIT::cachedPutById):
2725         * dfg/DFGSpeculativeJIT32_64.cpp:
2726         (JSC::DFG::SpeculativeJIT::cachedGetById):
2727         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2728         * jit/CCallHelpers.h:
2729         (JSC::CCallHelpers::CellValue::CellValue):
2730         (JSC::CCallHelpers::CellValue::gpr const):
2731         (JSC::CCallHelpers::setupArgumentsImpl):
2732
2733 2018-04-11  Mark Lam  <mark.lam@apple.com>
2734
2735         [Build fix] Replace CompactJITCodeMap with JITCodeMap.
2736         https://bugs.webkit.org/show_bug.cgi?id=184512
2737         <rdar://problem/35391728>
2738
2739         Not reviewed.
2740
2741         * bytecode/CodeBlock.h:
2742         * jit/JITCodeMap.h:
2743
2744 2018-04-11  Mark Lam  <mark.lam@apple.com>
2745
2746         Replace CompactJITCodeMap with JITCodeMap.
2747         https://bugs.webkit.org/show_bug.cgi?id=184512
2748         <rdar://problem/35391728>
2749
2750         Reviewed by Filip Pizlo.
2751
2752         * CMakeLists.txt:
2753         * JavaScriptCore.xcodeproj/project.pbxproj:
2754         * bytecode/CodeBlock.h:
2755         (JSC::CodeBlock::setJITCodeMap):
2756         (JSC::CodeBlock::jitCodeMap const):
2757         (JSC::CodeBlock::jitCodeMap): Deleted.
2758         * dfg/DFGOSRExit.cpp:
2759         (JSC::DFG::OSRExit::executeOSRExit):
2760         * dfg/DFGOSRExitCompilerCommon.cpp:
2761         (JSC::DFG::adjustAndJumpToTarget):
2762         * jit/AssemblyHelpers.cpp:
2763         (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
2764         * jit/AssemblyHelpers.h:
2765         * jit/CompactJITCodeMap.h: Removed.
2766         * jit/JIT.cpp:
2767         (JSC::JIT::link):
2768         * jit/JITCodeMap.h: Added.
2769         (JSC::JITCodeMap::Entry::Entry):
2770         (JSC::JITCodeMap::Entry::bytecodeIndex const):
2771         (JSC::JITCodeMap::Entry::codeLocation):
2772         (JSC::JITCodeMap::append):
2773         (JSC::JITCodeMap::finish):
2774         (JSC::JITCodeMap::find const):
2775         (JSC::JITCodeMap::operator bool const):
2776         * llint/LLIntSlowPaths.cpp:
2777         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2778
2779 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2780
2781         [DFG] Remove CompareSlowPathGenerator
2782         https://bugs.webkit.org/show_bug.cgi?id=184492
2783
2784         Reviewed by Mark Lam.
2785
2786         Now CompareSlowPathGenerator is just calling a specified function.
2787         This can be replaced with slowPathCall. This patch removes CompareSlowPathGenerator.
2788
2789         We also remove some unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
2790         introducing a new constructor for GPRTemporary.
2791
2792         * JavaScriptCore.xcodeproj/project.pbxproj:
2793         * dfg/DFGCompareSlowPathGenerator.h: Removed.
2794         * dfg/DFGSpeculativeJIT.cpp:
2795         (JSC::DFG::GPRTemporary::GPRTemporary):
2796         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
2797         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
2798         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2799         (JSC::DFG::SpeculativeJIT::compileIsObject):
2800         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2801         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2802         * dfg/DFGSpeculativeJIT.h:
2803         (JSC::DFG::GPRTemporary::GPRTemporary):
2804         * dfg/DFGSpeculativeJIT64.cpp:
2805         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2806
2807 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2808
2809         Unreviewed, build fix for 32bit
2810         https://bugs.webkit.org/show_bug.cgi?id=184236
2811
2812         * dfg/DFGSpeculativeJIT.cpp:
2813         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2814
2815 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2816
2817         [DFG] Remove duplicate 32bit code more
2818         https://bugs.webkit.org/show_bug.cgi?id=184236
2819
2820         Reviewed by Mark Lam.
2821
2822         Remove duplicate 32bit code more aggressively part 2.
2823
2824         * JavaScriptCore.xcodeproj/project.pbxproj:
2825         * dfg/DFGCompareSlowPathGenerator.h: Added.
2826         (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
2827         Drop the boxing part. Use unblessedBooleanResult on the DFGSpeculativeJIT side instead.
2828
2829         * dfg/DFGOperations.cpp:
2830         * dfg/DFGOperations.h:
2831         * dfg/DFGSpeculativeJIT.cpp:
2832         (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
2833         (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
2834         (JSC::DFG::SpeculativeJIT::compileIsObject):
2835         (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
2836         (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
2837         (JSC::DFG::SpeculativeJIT::compilePutById):
2838         (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
2839         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
2840         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2841         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
2842         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2843         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2844         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2845         (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
2846         (JSC::DFG::SpeculativeJIT::cachedPutById):
2847         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2848         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2849         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
2850         * dfg/DFGSpeculativeJIT.h:
2851         (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
2852         * dfg/DFGSpeculativeJIT32_64.cpp:
2853         (JSC::DFG::SpeculativeJIT::compile):
2854         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2855         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2856         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2857         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
2858         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2859         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2860         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2861         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2862         * dfg/DFGSpeculativeJIT64.cpp:
2863         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2864         (JSC::DFG::SpeculativeJIT::compile):
2865         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2866         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2867         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2868         (): Deleted.
2869         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2870         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2871         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2872         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2873         * ftl/FTLLowerDFGToB3.cpp:
2874         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2875         operationHasIndexedPropertyByInt starts returning an unblessed boolean as a size_t.
2876
2877         * jit/AssemblyHelpers.h:
2878         (JSC::AssemblyHelpers::loadValue):
2879         (JSC::AssemblyHelpers::selectScratchGPR):
2880         (JSC::AssemblyHelpers::constructRegisterSet):
2881         * jit/RegisterSet.h:
2882         (JSC::RegisterSet::setAny):
2883         Clean up selectScratchGPR code to pass JSValueRegs.
2884
2885 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
2886
2887         [ESNext][BigInt] Add support for BigInt in SpeculatedType
2888         https://bugs.webkit.org/show_bug.cgi?id=182470
2889
2890         Reviewed by Saam Barati.
2891
2892         This patch introduces the SpecBigInt type to DFG to enable BigInt
2893         speculation in the DFG and FTL.
2894
2895         With the SpecBigInt introduction, we can then specialize "===" operations
2896         on BigInts. As we do for some cells, we first check if the operands
2897         point to the same JSCell, and if that is false, we
2898         fall back to "operationCompareStrictEqCell". The idea in further
2899         patches is to implement the BigInt equality check directly in
2900         assembly.
2901
2902         We are also adding support for BigInt constant folding into
2903         TypeOf operation.
2904
2905         * bytecode/SpeculatedType.cpp:
2906         (JSC::dumpSpeculation):
2907         (JSC::speculationFromClassInfo):
2908         (JSC::speculationFromStructure):
2909         (JSC::speculationFromJSType):
2910         (JSC::speculationFromString):
2911         * bytecode/SpeculatedType.h:
2912         (JSC::isBigIntSpeculation):
2913         * dfg/DFGAbstractInterpreterInlines.h:
2914         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2915         * dfg/DFGAbstractValue.cpp:
2916         (JSC::DFG::AbstractValue::set):
2917         * dfg/DFGConstantFoldingPhase.cpp:
2918         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2919         * dfg/DFGFixupPhase.cpp:
2920         (JSC::DFG::FixupPhase::fixupNode):
2921         (JSC::DFG::FixupPhase::fixupToThis):
2922         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2923         * dfg/DFGInferredTypeCheck.cpp:
2924         (JSC::DFG::insertInferredTypeCheck):
2925         * dfg/DFGNode.h:
2926         (JSC::DFG::Node::shouldSpeculateBigInt):
2927         * dfg/DFGPredictionPropagationPhase.cpp:
2928         * dfg/DFGSafeToExecute.h:
2929         (JSC::DFG::SafeToExecuteEdge::operator()):
2930         * dfg/DFGSpeculativeJIT.cpp:
2931         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2932         (JSC::DFG::SpeculativeJIT::speculateBigInt):
2933         (JSC::DFG::SpeculativeJIT::speculate):
2934         * dfg/DFGSpeculativeJIT.h:
2935         * dfg/DFGSpeculativeJIT32_64.cpp:
2936         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2937         * dfg/DFGSpeculativeJIT64.cpp:
2938         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2939         * dfg/DFGUseKind.cpp:
2940         (WTF::printInternal):
2941         * dfg/DFGUseKind.h:
2942         (JSC::DFG::typeFilterFor):
2943         (JSC::DFG::isCell):
2944         * ftl/FTLCapabilities.cpp:
2945         (JSC::FTL::canCompile):
2946         * ftl/FTLLowerDFGToB3.cpp:
2947         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2948         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
2949         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2950         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
2951         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
2952         * jit/AssemblyHelpers.cpp:
2953         (JSC::AssemblyHelpers::branchIfNotType):
2954         * jit/AssemblyHelpers.h:
2955         (JSC::AssemblyHelpers::branchIfBigInt):
2956         (JSC::AssemblyHelpers::branchIfNotBigInt):
2957         * runtime/InferredType.cpp:
2958         (JSC::InferredType::Descriptor::forValue):
2959         (JSC::InferredType::Descriptor::putByIdFlags const):
2960         (JSC::InferredType::Descriptor::merge):
2961         (WTF::printInternal):
2962         * runtime/InferredType.h:
2963         * runtime/JSBigInt.h:
2964
2965 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2966
2967         Unreviewed, fix cloop build.
2968
2969         * dfg/DFGAbstractInterpreterClobberState.cpp:
2970
2971 2018-04-10  Mark Lam  <mark.lam@apple.com>
2972
2973         Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
2974         https://bugs.webkit.org/show_bug.cgi?id=184464
2975         <rdar://problem/39323947>
2976
2977         Reviewed by Saam Barati.
2978
2979         * heap/MarkedSpace.h:
2980         (JSC::MarkedSpace::sizeClassToIndex):
2981
2982 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
2983
2984         DFG AI and clobberize should agree with each other
2985         https://bugs.webkit.org/show_bug.cgi?id=184440
2986
2987         Reviewed by Saam Barati.
2988         
2989         One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
2990         agree with each other. That's what this patch does: it adds an assertion that AI's structure
2991         state tracking must be equivalent to JSCell_structureID being clobbered.
2992         
2993         One subtlety is that AI sometimes folds away structure clobbering using information that
2994         clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
2995         ObservedTransitions).
2996         
2997         This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
2998         clobberize missing a write(Heap).
2999         
3000         This also makes some cases more precise in order to appease the assertion. Making things more
3001         precise might make things faster, but I didn't measure it because that wasn't the goal.
3002
3003         * JavaScriptCore.xcodeproj/project.pbxproj:
3004         * Sources.txt:
3005         * dfg/DFGAbstractInterpreter.h:
3006         * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
3007         (WTF::printInternal):
3008         * dfg/DFGAbstractInterpreterClobberState.h: Added.
3009         (JSC::DFG::mergeClobberStates):
3010         * dfg/DFGAbstractInterpreterInlines.h:
3011         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
3012         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3013         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
3014         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
3015         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
3016         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
3017         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
3018         (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
3019         * dfg/DFGAtTailAbstractState.h:
3020         (JSC::DFG::AtTailAbstractState::setClobberState):
3021         (JSC::DFG::AtTailAbstractState::mergeClobberState):
3022         (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
3023         * dfg/DFGCFAPhase.cpp:
3024         (JSC::DFG::CFAPhase::performBlockCFA):
3025         * dfg/DFGClobberSet.cpp:
3026         (JSC::DFG::writeSet):
3027         * dfg/DFGClobberSet.h:
3028         * dfg/DFGClobberize.h:
3029         (JSC::DFG::clobberize):
3030         * dfg/DFGConstantFoldingPhase.cpp:
3031         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3032         * dfg/DFGInPlaceAbstractState.h:
3033         (JSC::DFG::InPlaceAbstractState::clobberState const):
3034         (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
3035         (JSC::DFG::InPlaceAbstractState::didClobber const):
3036         (JSC::DFG::InPlaceAbstractState::setClobberState):
3037         (JSC::DFG::InPlaceAbstractState::mergeClobberState):
3038         (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
3039
3040 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
3041
3042         ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
3043         https://bugs.webkit.org/show_bug.cgi?id=184460
3044         <rdar://problem/37610966>
3045
3046         Reviewed by Mark Lam.
3047
3048         * bytecode/ExecutableToCodeBlockEdge.cpp:
3049         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3050
3051 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
3052
3053         REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
3054         https://bugs.webkit.org/show_bug.cgi?id=184455
3055
3056         Reviewed by Michael Saboff.
3057         
3058         LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
3059         says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
3060         (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
3061         the thing being hoisted does have effects, then we get a crash.
3062         
3063         In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
3064         CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
3065         would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
3066         effectful.
3067         
3068         Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
3069         clobberize to also think that CompareEq(Untyped:, _) is effectful.
3070         
3071         This fixes the whole situation by teaching both clobberize and AI that the only effectful form
3072         of CompareEq is CompareEq(Untyped:, Untyped:).
3073
3074         * dfg/DFGAbstractInterpreterInlines.h:
3075         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3076         * dfg/DFGClobberize.h:
3077         (JSC::DFG::clobberize):
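
Which comparisons can actually run user code, as an added JavaScript example (not JavaScriptCore code): an object's valueOf/toString are only reached when == pairs an object with a primitive other than null or undefined, which is why only CompareEq(Untyped:, Untyped:) has to be treated as effectful while CompareEq(Untyped:, Other:) does not. The probe object and the helper names are this example's own.

```javascript
// Added example, not JavaScriptCore code. Abstract equality (==) calls
// ToPrimitive, and therefore valueOf/toString, only when one operand is an
// object and the other is a primitive other than null/undefined. Comparing
// against null or undefined (the DFG's "Other" type), comparing two objects,
// or using === never calls back into user code. Only when neither operand's
// type is known (Untyped vs Untyped) can the object/primitive pairing occur.

// Builds an object that records every implicit conversion it undergoes.
function makeProbe(log) {
  return {
    valueOf() { log.push('valueOf'); return 1; },
    toString() { log.push('toString'); return '1'; },
  };
}

// Returns the user callbacks invoked while evaluating `probe == other`.
function effectsOfLooseEq(other) {
  const log = [];
  const probe = makeProbe(log);
  void (probe == other); // eslint-disable-line eqeqeq
  return log;
}

// Returns the user callbacks invoked while evaluating `probe === other`.
function effectsOfStrictEq(other) {
  const log = [];
  const probe = makeProbe(log);
  void (probe === other);
  return log;
}

// Summarises the cases the ChangeLog entry distinguishes.
function compareEqEffects() {
  return {
    objectVsNumber: effectsOfLooseEq(1),             // ['valueOf']: user code ran
    objectVsString: effectsOfLooseEq('1'),           // ['valueOf']: user code ran
    objectVsObject: effectsOfLooseEq({}),            // []: identity comparison only
    objectVsNull: effectsOfLooseEq(null),            // []: Other never converts
    objectVsUndefined: effectsOfLooseEq(undefined),  // []: Other never converts
    strictVsNumber: effectsOfStrictEq(1),            // []: === never converts
  };
}
```

The non-empty logs are the comparisons a compiler cannot treat as effect-free; the null, undefined and === cases are the ones where no callback can fire, whatever the other operand turns out to be at runtime.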
3078
3079 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
3080
3081         Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
3082         https://bugs.webkit.org/show_bug.cgi?id=184372
3083
3084         Reviewed by Saam Barati.
3085         
3086         We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
3087         have already proved, using techniques that are more precise than AI, that the edge has type
3088         Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
3089         because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
3090         other than a check - so we think we can call those just because we should have already
3091         bailed. It's better to think of them as the result of folding a check. Therefore, we should
3092         only do it if there had been a check to begin with.
3093
3094         * dfg/DFGSpeculativeJIT64.cpp:
3095         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3096         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3097         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3098         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3099         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3100         * ftl/FTLLowerDFGToB3.cpp:
3101         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
3102         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
3103         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
3104         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
3105         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
3106         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3107         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
3108         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
3109
3110 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3111
3112         [JSC] Introduce @putByIdDirectPrivate
3113         https://bugs.webkit.org/show_bug.cgi?id=184400
3114
3115         Reviewed by Saam Barati.
3116
3117         This patch adds @putByIdDirectPrivate() to use it for builtin JS.
3118         @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
3119         for accessing ECMAScript internal fields.
3120
3121         This change removes an accidental [[Put]] operation on an object whose [[Prototype]]
3122         has internal fields (not direct properties). By using @getByIdDirectPrivate() and
3123         @putByIdDirectPrivate(), we strictly preserve the semantics of the ECMAScript internal
3124         fields, namely that accessing the internal fields does not traverse prototype chains.
3125
3126         * builtins/ArrayIteratorPrototype.js:
3127         (globalPrivate.arrayIteratorValueNext):
3128         (globalPrivate.arrayIteratorKeyNext):
3129         (globalPrivate.arrayIteratorKeyValueNext):
3130         * builtins/ArrayPrototype.js:
3131         (globalPrivate.createArrayIterator):
3132         * builtins/AsyncFromSyncIteratorPrototype.js:
3133         (globalPrivate.AsyncFromSyncIteratorConstructor):
3134         * builtins/AsyncFunctionPrototype.js:
3135         (globalPrivate.asyncFunctionResume):
3136         * builtins/AsyncGeneratorPrototype.js:
3137         (globalPrivate.asyncGeneratorQueueEnqueue):
3138         (globalPrivate.asyncGeneratorQueueDequeue):
3139         (asyncGeneratorYieldAwaited):
3140         (globalPrivate.asyncGeneratorYield):
3141         (globalPrivate.doAsyncGeneratorBodyCall):
3142         (globalPrivate.asyncGeneratorResumeNext):
3143         * builtins/GeneratorPrototype.js:
3144         (globalPrivate.generatorResume):
3145         * builtins/MapIteratorPrototype.js:
3146         (globalPrivate.mapIteratorNext):
3147         * builtins/MapPrototype.js:
3148         (globalPrivate.createMapIterator):
3149         * builtins/ModuleLoaderPrototype.js:
3150         (forceFulfillPromise):
3151         * builtins/PromiseOperations.js:
3152         (globalPrivate.newHandledRejectedPromise):
3153         (globalPrivate.rejectPromise):
3154         (globalPrivate.fulfillPromise):
3155         (globalPrivate.initializePromise):
3156         * builtins/PromisePrototype.js:
3157         (then):
3158         * builtins/SetIteratorPrototype.js:
3159         (globalPrivate.setIteratorNext):
3160         * builtins/SetPrototype.js:
3161         (globalPrivate.createSetIterator):
3162         * builtins/StringIteratorPrototype.js:
3163         (next):
3164         * bytecode/BytecodeIntrinsicRegistry.h:
3165         * bytecompiler/NodesCodegen.cpp:
3166         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
3167         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
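
The own-property semantics this entry and the op_get_by_id_direct entry below depend on, as an added JavaScript example (not JavaScriptCore code): getById, getByIdDirect and putByIdDirect are hypothetical stand-ins for the intrinsics, and the Symbol stands in for a JSC private symbol, which user code cannot actually reach.

```javascript
// Added example, not JavaScriptCore code. Shows why a builtin must read its
// internal fields with [[GetOwnProperty]] semantics (op_get_by_id_direct /
// @getByIdDirectPrivate) rather than plain [[Get]]: an ordinary object whose
// [[Prototype]] is a genuine instance would otherwise inherit the "internal"
// field and pass a brand check it should fail.

// Stand-in for one of JSC's private symbols (assumption: the real ones are
// unreachable from user code; an ordinary Symbol keeps this runnable anywhere).
const kPromiseState = Symbol('@promiseState');

// Ordinary [[Get]]: own properties first, then the whole prototype chain.
function getById(object, key) {
  return object[key];
}

// [[GetOwnProperty]] only: the prototype chain is never traversed.
function getByIdDirect(object, key) {
  const desc = Object.getOwnPropertyDescriptor(object, key);
  return desc === undefined ? undefined : desc.value;
}

// Direct definition on the receiver, analogous to @putByIdDirectPrivate:
// no inherited setter runs and no prototype is consulted.
function putByIdDirect(object, key, value) {
  Object.defineProperty(object, key, {
    value, writable: true, enumerable: false, configurable: true,
  });
}

// A builtin-style brand check: "does this object carry our internal field?"
function isPromise(value, read) {
  return typeof value === 'object' && value !== null
    && read(value, kPromiseState) !== undefined;
}

// Returns what each read strategy concludes about a genuine instance and
// about a plain object that merely inherits from one.
function compareBrandChecks() {
  const genuine = {};
  putByIdDirect(genuine, kPromiseState, 'pending');

  // Not a promise: an ordinary object whose [[Prototype]] happens to be one.
  const inheriting = Object.create(genuine);

  return {
    genuineViaGet: isPromise(genuine, getById),               // true
    genuineViaDirect: isPromise(genuine, getByIdDirect),      // true
    inheritingViaGet: isPromise(inheriting, getById),         // true: fooled by the chain
    inheritingViaDirect: isPromise(inheriting, getByIdDirect), // false: correct
    inheritingHasOwnField: Object.prototype.hasOwnProperty.call(inheriting, kPromiseState), // false
  };
}
```

The brand check through plain [[Get]] accepts an object that only inherits from a genuine instance; the own-property read rejects it, which is the prototype-chain traversal the entry is closing off.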
3168
3169 2018-04-09  Mark Lam  <mark.lam@apple.com>
3170
3171         Decorate method table entries to support pointer profiling.
3172         https://bugs.webkit.org/show_bug.cgi?id=184430
3173         <rdar://problem/39296190>
3174
3175         Reviewed by Saam Barati.
3176
3177         * runtime/ClassInfo.h:
3178
3179 2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>
3180
3181         [WPE] Don't install JSC C API headers
3182         https://bugs.webkit.org/show_bug.cgi?id=184375
3183
3184         Reviewed by Žan Doberšek.
3185
3186         None of the functions declared in these headers are exported in WPE. Use the new jsc API
3187         instead.
3188
3189         * PlatformWPE.cmake:
3190
3191 2018-04-08  Mark Lam  <mark.lam@apple.com>
3192
3193         Add pointer profiling to the FTL and supporting code.
3194         https://bugs.webkit.org/show_bug.cgi?id=184395
3195         <rdar://problem/39264019>
3196
3197         Reviewed by Michael Saboff and Filip Pizlo.
3198
3199         * assembler/CodeLocation.h:
3200         (JSC::CodeLocationLabel::retagged):
3201         (JSC::CodeLocationJump::retagged):
3202         * assembler/LinkBuffer.h:
3203         (JSC::LinkBuffer::locationOf):
3204         * dfg/DFGJITCompiler.cpp:
3205         (JSC::DFG::JITCompiler::linkOSRExits):
3206         (JSC::DFG::JITCompiler::link):
3207         * ftl/FTLCompile.cpp:
3208         (JSC::FTL::compile):
3209         * ftl/FTLExceptionTarget.cpp:
3210         (JSC::FTL::ExceptionTarget::label):
3211         (JSC::FTL::ExceptionTarget::jumps):
3212         * ftl/FTLExceptionTarget.h:
3213         * ftl/FTLJITCode.cpp:
3214         (JSC::FTL::JITCode::executableAddressAtOffset):
3215         * ftl/FTLLazySlowPath.cpp:
3216         (JSC::FTL::LazySlowPath::~LazySlowPath):
3217         (JSC::FTL::LazySlowPath::initialize):
3218         (JSC::FTL::LazySlowPath::generate):
3219         (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
3220         * ftl/FTLLazySlowPath.h:
3221         * ftl/FTLLink.cpp:
3222         (JSC::FTL::link):
3223         * ftl/FTLLowerDFGToB3.cpp:
3224         (JSC::FTL::DFG::LowerDFGToB3::lower):
3225         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3226         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3227         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3228         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3229         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3230         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3231         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3232         * ftl/FTLOSRExitCompiler.cpp:
3233         (JSC::FTL::compileStub):
3234         (JSC::FTL::compileFTLOSRExit):
3235         * ftl/FTLOSRExitHandle.cpp:
3236         (JSC::FTL::OSRExitHandle::emitExitThunk):
3237         * ftl/FTLOperations.cpp:
3238         (JSC::FTL::compileFTLLazySlowPath):
3239         * ftl/FTLOutput.h:
3240         (JSC::FTL::Output::callWithoutSideEffects):
3241         (JSC::FTL::Output::operation):
3242         * ftl/FTLPatchpointExceptionHandle.cpp:
3243         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3244         * ftl/FTLSlowPathCall.cpp:
3245         (JSC::FTL::SlowPathCallContext::makeCall):
3246         * ftl/FTLSlowPathCallKey.h:
3247         (JSC::FTL::SlowPathCallKey::withCallTarget):
3248         (JSC::FTL::SlowPathCallKey::callPtrTag const):
3249         * ftl/FTLThunks.cpp:
3250         (JSC::FTL::genericGenerationThunkGenerator):
3251         (JSC::FTL::osrExitGenerationThunkGenerator):
3252         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3253         (JSC::FTL::slowPathCallThunkGenerator):
3254         * jit/JITMathIC.h:
3255         (JSC::isProfileEmpty):
3256         * jit/Repatch.cpp:
3257         (JSC::readPutICCallTarget):
3258         (JSC::ftlThunkAwareRepatchCall):
3259         (JSC::tryCacheGetByID):
3260         (JSC::repatchGetByID):
3261         (JSC::tryCachePutByID):
3262         (JSC::repatchPutByID):
3263         (JSC::repatchIn):
3264         (JSC::resetGetByID):
3265         (JSC::resetPutByID):
3266         (JSC::readCallTarget): Deleted.
3267         * jit/Repatch.h:
3268         * runtime/PtrTag.h:
3269
3270 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3271
3272         Unreviewed, attempt to fix Windows build
3273         https://bugs.webkit.org/show_bug.cgi?id=183508
3274
3275         * jit/JIT.h:
3276
3277 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3278
3279         Unreviewed, build fix for Windows by suppressing padding warning for JIT
3280         https://bugs.webkit.org/show_bug.cgi?id=183508
3281
3282         * jit/JIT.h:
3283
3284 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3285
3286         Use alignas instead of compiler-specific attributes
3287         https://bugs.webkit.org/show_bug.cgi?id=183508
3288
3289         Reviewed by Mark Lam.
3290
3291         Use the C++11 alignas specifier. It is more portable than compiler-specific aligned attributes.
3292
3293         * heap/RegisterState.h:
3294         * jit/JIT.h:
3295         (JSC::JIT::compile): Deleted.
3296         (JSC::JIT::compileGetByVal): Deleted.
3297         (JSC::JIT::compileGetByValWithCachedId): Deleted.
3298         (JSC::JIT::compilePutByVal): Deleted.
3299         (JSC::JIT::compileDirectPutByVal): Deleted.
3300         (JSC::JIT::compilePutByValWithCachedId): Deleted.
3301         (JSC::JIT::compileHasIndexedProperty): Deleted.
3302         (JSC::JIT::appendCall): Deleted.
3303         (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
3304         (JSC::JIT::exceptionCheck): Deleted.
3305         (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
3306         (JSC::JIT::emitInt32Load): Deleted.
3307         (JSC::JIT::emitInt32GetByVal): Deleted.
3308         (JSC::JIT::emitInt32PutByVal): Deleted.
3309         (JSC::JIT::emitDoublePutByVal): Deleted.
3310         (JSC::JIT::emitContiguousPutByVal): Deleted.
3311         (JSC::JIT::emitStoreCell): Deleted.
3312         (JSC::JIT::getSlowCase): Deleted.
3313         (JSC::JIT::linkSlowCase): Deleted.
3314         (JSC::JIT::linkDummySlowCase): Deleted.
3315         (JSC::JIT::linkAllSlowCases): Deleted.
3316         (JSC::JIT::callOperation): Deleted.
3317         (JSC::JIT::callOperationWithProfile): Deleted.
3318         (JSC::JIT::callOperationWithResult): Deleted.
3319         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
3320         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
3321         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
3322         (JSC::JIT::sampleCodeBlock): Deleted.
3323         (JSC::JIT::canBeOptimized): Deleted.
3324         (JSC::JIT::canBeOptimizedOrInlined): Deleted.
3325         (JSC::JIT::shouldEmitProfiling): Deleted.
3326         * runtime/VM.h:
3327
3328 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3329
3330         Unreviewed, follow-up patch for DFG 32bit
3331         https://bugs.webkit.org/show_bug.cgi?id=183970
3332
3333         * dfg/DFGSpeculativeJIT32_64.cpp:
3334         (JSC::DFG::SpeculativeJIT::cachedGetById):
3335
3336 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3337
3338         [JSC] Fix incorrect assertion for VM's regexp buffer lock
3339         https://bugs.webkit.org/show_bug.cgi?id=184398
3340
3341         Reviewed by Mark Lam.
3342
3343         The isLocked check before taking the lock is incorrect.
3344
3345         * runtime/VM.cpp:
3346         (JSC::VM::acquireRegExpPatternContexBuffer):
3347
3348 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3349
3350         [JSC] Introduce op_get_by_id_direct
3351         https://bugs.webkit.org/show_bug.cgi?id=183970
3352
3353         Reviewed by Filip Pizlo.
3354
3355         This patch introduces the op_get_by_id_direct bytecode. This is super similar to op_get_by_id,
3356         but it just performs the [[GetOwnProperty]] operation instead of [[Get]]. We support this
3357         in all the tiers, so using this opcode does not lead to inefficiency.
3358
3359         The main purpose of op_get_by_id_direct is to use it for private properties. We are using
3360         properties indexed with private symbols to implement ECMAScript internal fields. Before this
3361         patch, we just used get and put operations. However, that is not the correct semantics: accessing
3362         the internal fields should not traverse the prototype chain, as specified in the spec.
3363         We use op_get_by_id_direct to access the properties which are used as internal fields, so that
3364         prototype chains are not traversed.
3365
3366         To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
3367         When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
3368         bytecode `op_get_by_id_direct, object, @name`.
3369
3370         * builtins/ArrayIteratorPrototype.js:
3371         (next):
3372         (globalPrivate.arrayIteratorValueNext):
3373         (globalPrivate.arrayIteratorKeyNext):
3374         (globalPrivate.arrayIteratorKeyValueNext):
3375         * builtins/AsyncFromSyncIteratorPrototype.js:
3376         * builtins/AsyncFunctionPrototype.js:
3377         (globalPrivate.asyncFunctionResume):
3378         * builtins/AsyncGeneratorPrototype.js:
3379         (globalPrivate.asyncGeneratorQueueIsEmpty):
3380         (globalPrivate.asyncGeneratorQueueEnqueue):
3381         (globalPrivate.asyncGeneratorQueueDequeue):
3382         (globalPrivate.asyncGeneratorDequeue):
3383         (globalPrivate.isExecutionState):
3384         (globalPrivate.isSuspendYieldState):
3385         (globalPrivate.asyncGeneratorReject):
3386         (globalPrivate.asyncGeneratorResolve):
3387         (globalPrivate.doAsyncGeneratorBodyCall):
3388         (globalPrivate.asyncGeneratorEnqueue):
3389         * builtins/GeneratorPrototype.js:
3390         (globalPrivate.generatorResume):
3391         (next):
3392         (return):
3393         (throw):
3394         * builtins/MapIteratorPrototype.js:
3395         (next):
3396         * builtins/PromiseOperations.js:
3397         (globalPrivate.isPromise):
3398         (globalPrivate.rejectPromise):
3399         (globalPrivate.fulfillPromise):
3400         * builtins/PromisePrototype.js: