4d0f8b51c8cbf4852c01d20dc675d76451d2ab10
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        B3 should run tail duplication at the bitter end
        https://bugs.webkit.org/show_bug.cgi?id=185123

        Reviewed by Geoffrey Garen.

        Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
        everywhere else.

        The goal of this change is to allow us to run path specialization after switch lowering but
        before tail duplication.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * runtime/Options.h:

2018-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231137.
        https://bugs.webkit.org/show_bug.cgi?id=185118

        It is breaking Test262 language/expressions/multiplication
        /order-of-evaluation.js (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231137

2018-04-28  Saam Barati  <sbarati@apple.com>

        We don't model regexp effects properly
        https://bugs.webkit.org/show_bug.cgi?id=185059
        <rdar://problem/39736150>

        Reviewed by Filip Pizlo.

        RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
        the regexp is global.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
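        The semantics this entry relies on, observed from JavaScript, as an added example (not code from the ChangeLog or from WebKit): converting lastIndex of a global regexp runs user-supplied valueOf, which can mutate state that an optimizing compiler might otherwise assume unchanged across exec/test. The array and the lastIndex object below are constructed for the demonstration.

```javascript
// Added example, not from the WebKit ChangeLog. RegExp exec/test on a global
// regexp converts lastIndex with ToLength, which runs user code (valueOf)
// before the match is attempted. A compiler that treated exec/test as
// effect-free could keep using a value loaded before the call (here, an array
// length) even though that value changed, which is why the DFG must model
// these operations as clobbering the heap.

function execWithObservableLastIndexEffects() {
  const events = [];
  const arr = [1, 2, 3];            // constructed shared state
  const re = /b/g;                  // global: lastIndex is consulted

  // Constructed lastIndex value: an object whose valueOf has side effects.
  re.lastIndex = {
    valueOf() {
      events.push("valueOf");
      arr.length = 0;               // arbitrary effect, visible after exec
      return 0;                     // resume matching from offset 0
    },
  };

  const lengthBefore = arr.length;  // 3, loaded before the call
  const match = re.exec("abc");
  const lengthAfter = arr.length;   // 0, mutated during lastIndex conversion

  return {
    matched: match !== null && match.index === 1,
    valueOfCalls: events.length,
    lengthBefore,
    lengthAfter,
    lastIndexAfter: re.lastIndex,   // engine writes back 2 (end of the match)
  };
}

// Same effect through RegExp.prototype.test, which is specified in terms of exec.
function testWithObservableLastIndexEffects() {
  let calls = 0;
  const re = /c/g;
  re.lastIndex = { valueOf() { calls += 1; return 1; } };  // constructed
  const result = re.test("abc");    // search starts at offset 1, finds "c" at 2
  return { result, valueOfCalls: calls, lastIndexAfter: re.lastIndex };
}
```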

2018-04-28  Rick Waldron  <waldron.rick@gmail.com>

        Token misspelled "tocken" in error message string
        https://bugs.webkit.org/show_bug.cgi?id=185030

        Reviewed by Saam Barati.

        * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
        (JSC::Parser<LexerType>::parseObjectRestElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseBreakStatement):
        (JSC::Parser<LexerType>::parseContinueStatement):
        (JSC::Parser<LexerType>::parseThrowStatement):
        (JSC::Parser<LexerType>::parseWithStatement):
        (JSC::Parser<LexerType>::parseSwitchStatement):
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseTryStatement):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseExpressionStatement):
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseConditionalExpression):
        (JSC::Parser<LexerType>::parseBinaryExpression):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseArrayLiteral):
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::operatorString):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):

2018-04-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned where there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231131.
        https://bugs.webkit.org/show_bug.cgi?id=185112

        It is breaking Debug build due to unchecked exception
        (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231131

2018-04-27  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned where there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-27  JF Bastien  <jfbastien@apple.com>

        Make the first 64 bits of JSString look like a double JSValue
        https://bugs.webkit.org/show_bug.cgi?id=185081

        Reviewed by Filip Pizlo.

        We can be clever about how we lay out JSString so that, were it
        reinterpreted as a JSValue, it would look like a double.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and16):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andw_mr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        * runtime/JSString.h:
        (JSC::JSString::JSString):

2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
        https://bugs.webkit.org/show_bug.cgi?id=185055

        Reviewed by JF Bastien.

        This patch is paving the way to emitting the jscvt instruction if possible.
        To do that, we need to determine whether the jscvt instruction is supported by the
        given CPU.

        We add a function collectCPUFeatures, which is responsible for collecting
        CPU features if necessary. On Linux, we can use the auxiliary vector to get
        the information without parsing /proc/cpuinfo.

        Currently, nobody calls this function. It will be called later when we emit the
        jscvt instruction. To make that possible, we also need to add disassembler
        support.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerX86Common.h:

2018-04-26  Filip Pizlo  <fpizlo@apple.com>

        Also run foldPathConstants before mussing up SSA
        https://bugs.webkit.org/show_bug.cgi?id=185069

        Reviewed by Saam Barati.

        This isn't needed now, but will be once I implement the phase in bug 185060.

        This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
        Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
        be landed separately and measured separately from that phase.

        It's probably nice for sanity to have this and reduceStrength run before tail duplication and
        another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
        it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
        neutral. It all depends on what programs typically look like.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):

2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231086.

        Caused JSC test failures due to an unchecked exception.

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231086

2018-04-26  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned where there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Speculative build fix for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Not reviewed.

        * runtime/JSCPtrTag.h:

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Windows build fix.

        Not reviewed.

        * runtime/Options.cpp:

2018-04-26  Jer Noble  <jer.noble@apple.com>

        WK_COCOA_TOUCH all the things.
        https://bugs.webkit.org/show_bug.cgi?id=185006
        <rdar://problem/39736025>

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:

2018-04-26  Per Arne Vollan  <pvollan@apple.com>

        Disable content filtering in minimal simulator mode
        https://bugs.webkit.org/show_bug.cgi?id=185027
        <rdar://problem/39736091>

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Intl.PluralRules
        https://bugs.webkit.org/show_bug.cgi?id=184312

        Reviewed by JF Bastien.

        Use UNumberFormat to enforce formatting, and then UPluralRules to find
        the correct plural rule for the given number. Relies on ICU v59+ for
        resolvedOptions().pluralCategories and trailing 0 detection.
        Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.h:
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
        * runtime/BigIntObject.h:
        * runtime/CommonIdentifiers.h:
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp: Added.
        (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
        (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
        (JSC::UEnumerationDeleter::operator() const):
        (JSC::IntlPluralRules::create):
        (JSC::IntlPluralRules::createStructure):
        (JSC::IntlPluralRules::IntlPluralRules):
        (JSC::IntlPluralRules::finishCreation):
        (JSC::IntlPluralRules::destroy):
        (JSC::IntlPluralRules::visitChildren):
        (JSC::IntlPRInternal::localeData):
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h: Added.
        * runtime/IntlPluralRulesConstructor.cpp: Added.
        (JSC::IntlPluralRulesConstructor::create):
        (JSC::IntlPluralRulesConstructor::createStructure):
        (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
        (JSC::IntlPluralRulesConstructor::finishCreation):
        (JSC::constructIntlPluralRules):
        (JSC::callIntlPluralRules):
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        (JSC::IntlPluralRulesConstructor::visitChildren):
        * runtime/IntlPluralRulesConstructor.h: Added.
        * runtime/IntlPluralRulesPrototype.cpp: Added.
        (JSC::IntlPluralRulesPrototype::create):
        (JSC::IntlPluralRulesPrototype::createStructure):
        (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
        (JSC::IntlPluralRulesPrototype::finishCreation):
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/IntlPluralRulesPrototype.h: Added.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/RegExpPrototype.cpp: Added inlines header.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Fix branch offsets in branchNeg32
        https://bugs.webkit.org/show_bug.cgi?id=185025

        Reviewed by Yusuke Suzuki.

        Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchNeg32):

2018-04-25  Robin Morisset  <rmorisset@apple.com>

        In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
        https://bugs.webkit.org/show_bug.cgi?id=184773
        <rdar://problem/37773612>

        Reviewed by Filip Pizlo.

        We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
        arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
        This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
        We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
        This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):

2018-04-25  Mark Lam  <mark.lam@apple.com>

        Push the definition of PtrTag down to the WTF layer.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerCodeRef.cpp:
        * assembler/MacroAssemblerCodeRef.h:
        * b3/B3MathExtras.cpp:
        * bytecode/LLIntCallLinkInfo.h:
        * disassembler/Disassembler.h:
        * ftl/FTLJITCode.cpp:
        * interpreter/InterpreterInlines.h:
        * jit/ExecutableAllocator.h:
        * jit/JITOperations.cpp:
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntPCRanges.h:
        * runtime/JSCPtrTag.h: Added.
        * runtime/NativeFunction.h:
        * runtime/PtrTag.h: Removed.
        * runtime/VMTraps.cpp:

2018-04-25  Keith Miller  <keith_miller@apple.com>

        getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
        https://bugs.webkit.org/show_bug.cgi?id=184998

        Reviewed by Saam Barati.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-04-25  Keith Miller  <keith_miller@apple.com>

        Add missing scope release to functionProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=184995

        Reviewed by Saam Barati.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
        https://bugs.webkit.org/show_bug.cgi?id=184730

        Reviewed by Mark Lam.

        Add swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM).
        And we now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.

        We also change swap(RegisterID, RegisterID) implementation to use moves and temporaries simply. This is aligned to
        ARMv7 implementation.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (JSC::MacroAssemblerARM::and32):
        (JSC::MacroAssemblerARM::lshift32):
        (JSC::MacroAssemblerARM::mul32):
        (JSC::MacroAssemblerARM::or32):
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::xor32):
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::abortWithReason):
        (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::push):
        (JSC::MacroAssemblerARM::swap):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branchPtr):
        (JSC::MacroAssemblerARM::branch32):
        (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARM::branchTest8):
        (JSC::MacroAssemblerARM::branchTest32):
        (JSC::MacroAssemblerARM::jump):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::mull32):
        (JSC::MacroAssemblerARM::branchMul32):
        (JSC::MacroAssemblerARM::patchableBranch32):
        (JSC::MacroAssemblerARM::nearCall):
        (JSC::MacroAssemblerARM::compare32):
        (JSC::MacroAssemblerARM::compare8):
        (JSC::MacroAssemblerARM::test32):
        (JSC::MacroAssemblerARM::test8):
        (JSC::MacroAssemblerARM::add64):
        (JSC::MacroAssemblerARM::load32):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::branch32WithPatch):
        (JSC::MacroAssemblerARM::storePtrWithPatch):
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        (JSC::MacroAssemblerARM::addDouble):
        (JSC::MacroAssemblerARM::divDouble):
        (JSC::MacroAssemblerARM::subDouble):
        (JSC::MacroAssemblerARM::mulDouble):
        (JSC::MacroAssemblerARM::convertInt32ToDouble):
        (JSC::MacroAssemblerARM::branchDouble):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToUint32):
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM::branchDoubleNonZero):
        (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARM::call32):
        (JSC::MacroAssemblerARM::internalCompare32):

2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>

        [WinCairo] Fix js/regexp-unicode.html crash.
        https://bugs.webkit.org/show_bug.cgi?id=184891

        Reviewed by Yusuke Suzuki.

        On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
        RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        Unconditionally save and restore RDI on 64-bit Windows.

2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>

        [GTK] Miscellaneous build cleanups
        https://bugs.webkit.org/show_bug.cgi?id=184399

        Reviewed by Žan Doberšek.

        * PlatformGTK.cmake:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        fromCharCode is missing some exception checks
        https://bugs.webkit.org/show_bug.cgi?id=184952

        Reviewed by Saam Barati.

        I also removed the pointless slow path function and moved it into the
        main function.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromCharCodeSlowCase): Deleted.

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
        https://bugs.webkit.org/show_bug.cgi?id=184923

        Reviewed by Saam Barati.

        If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
        (i.e. we know that the object has one of those structures), then previously we would still emit a
        switch with a case per structure along with a default case. That would mean one extra redundant
        branch to check that whatever structure we wound up with belongs to the set. In that case, we
        were already making the default case be an Oops.

        One possible solution would be to say that the default case being Oops means that B3 doesn't need
        to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
        be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
        seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
        trap.

        So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
        extra branch.

        This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
        it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
        read.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should know how to decay a MultiGetByOffset
        https://bugs.webkit.org/show_bug.cgi?id=159859

        Reviewed by Keith Miller.

        This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
        clobberize() can report a def() for MultiGetByOffset.

        This is a slight improvement to codegen in splay because splay is a heavy user of
        MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
        "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
        removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
        splay's time.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::remove):
        (JSC::DFG::Node::removeWithoutChecks):
        (JSC::DFG::Node::replaceWith):
        (JSC::DFG::Node::replaceWithWithoutChecks):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::replaceWith): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        Update API docs with information on which run loop the VM will use
        https://bugs.webkit.org/show_bug.cgi?id=184900
        <rdar://problem/39166054>

        Reviewed by Mark Lam.

        * API/JSContextRef.h:
        * API/JSVirtualMachine.h:

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        $vm.totalGCTime() should be a thing
        https://bugs.webkit.org/show_bug.cgi?id=184916

        Reviewed by Sam Weinig.

        When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
        time spent in GC to determine if the regression is because the GC got slower.

        This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.

        * heap/Heap.cpp:
        (JSC::Heap::runEndPhase):
        * heap/Heap.h:
        (JSC::Heap::totalGCTime const):
        * tools/JSDollarVM.cpp:
        (JSC::functionTotalGCTime):
        (JSC::JSDollarVM::finishCreation):

2018-04-23  Zalan Bujtas  <zalan@apple.com>

        [LayoutFormattingContext] Initial commit.
        https://bugs.webkit.org/show_bug.cgi?id=184896

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2018-04-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert accidental change to verbose flag.

        * dfg/DFGByteCodeParser.cpp:

2018-04-23  Filip Pizlo  <fpizlo@apple.com>

        Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.

        Rubber stamped by Saam Barati.

        This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
        anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
        Seems sensible to just roll it out.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parse):

2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove ModuleLoaderPrototype
        https://bugs.webkit.org/show_bug.cgi?id=184784

        Reviewed by Mark Lam.

        When we introduced ModuleLoaderPrototype, ModuleLoader could be created by users and exposed to users.
        However, the loader spec has been abandoned, so we do not need to have ModuleLoaderPrototype and JSModuleLoader.
        This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
731
732         * CMakeLists.txt:
733         * DerivedSources.make:
734         * JavaScriptCore.xcodeproj/project.pbxproj:
735         * Sources.txt:
736         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
737         * runtime/JSGlobalObject.cpp:
738         (JSC::JSGlobalObject::init):
739         (JSC::JSGlobalObject::visitChildren):
740         * runtime/JSGlobalObject.h:
741         (JSC::JSGlobalObject::proxyRevokeStructure const):
742         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
743         * runtime/JSModuleLoader.cpp:
744         (JSC::moduleLoaderParseModule):
745         (JSC::moduleLoaderRequestedModules):
746         (JSC::moduleLoaderModuleDeclarationInstantiation):
747         (JSC::moduleLoaderResolve):
748         (JSC::moduleLoaderResolveSync):
749         (JSC::moduleLoaderFetch):
750         (JSC::moduleLoaderGetModuleNamespaceObject):
751         (JSC::moduleLoaderEvaluate):
752         * runtime/JSModuleLoader.h:
753         * runtime/ModuleLoaderPrototype.cpp: Removed.
754         * runtime/ModuleLoaderPrototype.h: Removed.
755
756 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
757
758         [GLIB] All API tests fail in debug builds
759         https://bugs.webkit.org/show_bug.cgi?id=184813
760
761         Reviewed by Mark Lam.
762
763         This is because of a conflict between the ExceptionHandler class used in tests and the ExceptionHandler struct defined in
764         JSCContext.cpp. This patch renames the ExceptionHandler struct to JSCContextExceptionHandler.
765
766         * API/glib/JSCContext.cpp:
767         (JSCContextExceptionHandler::JSCContextExceptionHandler):
768         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
769         (jscContextConstructed):
770         (ExceptionHandler::ExceptionHandler): Deleted.
771         (ExceptionHandler::~ExceptionHandler): Deleted.
772
773 2018-04-20  Tim Horton  <timothy_horton@apple.com>
774
775         Adjust geolocation feature flag
776         https://bugs.webkit.org/show_bug.cgi?id=184856
777
778         Reviewed by Wenson Hsieh.
779
780         * Configurations/FeatureDefines.xcconfig:
781
782 2018-04-20  Brian Burg  <bburg@apple.com>
783
784         Web Inspector: remove some dead code in IdentifiersFactory
785         https://bugs.webkit.org/show_bug.cgi?id=184839
786
787         Reviewed by Timothy Hatcher.
788
789         This was never used on non-Chrome ports, so the identifier always has a
790         prefix of '0.'. We may change this in the future, but for now remove this.
791         Using a PID for this purpose is problematic anyway.
792
793         * inspector/IdentifiersFactory.cpp:
794         (Inspector::addPrefixToIdentifier):
795         (Inspector::IdentifiersFactory::createIdentifier):
796         (Inspector::IdentifiersFactory::requestId):
797         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
798         * inspector/IdentifiersFactory.h:
799
800 2018-04-20  Mark Lam  <mark.lam@apple.com>
801
802         Add the ability to use a hash for setting PtrTag enum values.
803         https://bugs.webkit.org/show_bug.cgi?id=184852
804         <rdar://problem/39613891>
805
806         Reviewed by Saam Barati.
807
808         * runtime/PtrTag.h:
809
810 2018-04-20  Mark Lam  <mark.lam@apple.com>
811
812         Some JSEntryPtrTags should actually be JSInternalPtrTags.
813         https://bugs.webkit.org/show_bug.cgi?id=184712
814         <rdar://problem/39507381>
815
816         Reviewed by Michael Saboff.
817
818         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
819         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
820            only when needed.
821
822         * bytecode/AccessCase.cpp:
823         (JSC::AccessCase::generateImpl):
824         * bytecode/ByValInfo.h:
825         (JSC::ByValInfo::ByValInfo):
826         * bytecode/CallLinkInfo.cpp:
827         (JSC::CallLinkInfo::callReturnLocation):
828         (JSC::CallLinkInfo::patchableJump):
829         (JSC::CallLinkInfo::hotPathBegin):
830         (JSC::CallLinkInfo::slowPathStart):
831         * bytecode/CallLinkInfo.h:
832         (JSC::CallLinkInfo::setCallLocations):
833         (JSC::CallLinkInfo::hotPathOther):
834         * bytecode/PolymorphicAccess.cpp:
835         (JSC::PolymorphicAccess::regenerate):
836         * bytecode/StructureStubInfo.h:
837         (JSC::StructureStubInfo::doneLocation):
838         * dfg/DFGJITCompiler.cpp:
839         (JSC::DFG::JITCompiler::link):
840         * dfg/DFGOSRExit.cpp:
841         (JSC::DFG::reifyInlinedCallFrames):
842         * ftl/FTLLazySlowPath.cpp:
843         (JSC::FTL::LazySlowPath::initialize):
844         * ftl/FTLLazySlowPath.h:
845         (JSC::FTL::LazySlowPath::done const):
846         * ftl/FTLLowerDFGToB3.cpp:
847         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
848         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
849         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
850         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
851         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
852         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
853         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
854         * jit/JIT.cpp:
855         (JSC::JIT::link):
856         * jit/JITExceptions.cpp:
857         (JSC::genericUnwind):
858         * jit/JITMathIC.h:
859         (JSC::isProfileEmpty):
860         * llint/LLIntData.cpp:
861         (JSC::LLInt::initialize):
862         * llint/LLIntData.h:
863         (JSC::LLInt::getCodePtr):
864         (JSC::LLInt::getExecutableAddress): Deleted.
865         * llint/LLIntExceptions.cpp:
866         (JSC::LLInt::callToThrow):
867         * llint/LLIntSlowPaths.cpp:
868         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
869         * wasm/js/WasmToJS.cpp:
870         (JSC::Wasm::wasmToJS):
871
872 2018-04-18  Jer Noble  <jer.noble@apple.com>
873
874         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
875         https://bugs.webkit.org/show_bug.cgi?id=184762
876
877         Reviewed by Dan Bernstein.
878
879         * Configurations/Base.xcconfig:
880         * JavaScriptCore.xcodeproj/project.pbxproj:
881
882 2018-04-20  Daniel Bates  <dabates@apple.com>
883
884         Remove code for compilers that did not support NSDMI for aggregates
885         https://bugs.webkit.org/show_bug.cgi?id=184599
886
887         Reviewed by Per Arne Vollan.
888
889         Remove workaround for earlier Visual Studio versions that did not support non-static data
890         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
891         and EWS bots to a newer version that supports this feature.
892
893         * domjit/DOMJITEffect.h:
894         (JSC::DOMJIT::Effect::Effect): Deleted.
895         * runtime/HasOwnPropertyCache.h:
896         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
897         * wasm/WasmFormat.h:
898         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
899
900 2018-04-20  Mark Lam  <mark.lam@apple.com>
901
902         Build fix for internal builds after r230826.
903         https://bugs.webkit.org/show_bug.cgi?id=184790
904         <rdar://problem/39301369>
905
906         Not reviewed.
907
908         * runtime/Options.cpp:
909         (JSC::overrideDefaults):
910         * tools/SigillCrashAnalyzer.cpp:
911         (JSC::SignalContext::dump):
912
913 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
914
915         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
916         https://bugs.webkit.org/show_bug.cgi?id=184254
917         <rdar://problem/39140200>
918
919         Reviewed by Daniel Bates.
920
921         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
922
923         * runtime/ArrayBuffer.h:
924         (JSC::ArrayBufferContents::ArrayBufferContents):
925
926 2018-04-19  Mark Lam  <mark.lam@apple.com>
927
928         Apply pointer profiling to Signal pointers.
929         https://bugs.webkit.org/show_bug.cgi?id=184790
930         <rdar://problem/39301369>
931
932         Reviewed by Michael Saboff.
933
934         1. Change stackPointer, framePointer, and instructionPointer accessors to
935            be a pair of getter/setter functions.
936         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
937            pointer profiling variants of these accessors.
938         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
939
940         * JavaScriptCorePrefix.h:
941         * runtime/MachineContext.h:
942         (JSC::MachineContext::stackPointerImpl):
943         (JSC::MachineContext::stackPointer):
944         (JSC::MachineContext::setStackPointer):
945         (JSC::MachineContext::framePointerImpl):
946         (JSC::MachineContext::framePointer):
947         (JSC::MachineContext::setFramePointer):
948         (JSC::MachineContext::instructionPointerImpl):
949         (JSC::MachineContext::instructionPointer):
950         (JSC::MachineContext::setInstructionPointer):
951         (JSC::MachineContext::linkRegisterImpl):
952         (JSC::MachineContext::linkRegister):
953         (JSC::MachineContext::setLinkRegister):
954         * runtime/SamplingProfiler.cpp:
955         (JSC::SamplingProfiler::takeSample):
956         * runtime/VMTraps.cpp:
957         (JSC::SignalContext::SignalContext):
958         (JSC::VMTraps::tryInstallTrapBreakpoints):
959         * tools/CodeProfiling.cpp:
960         (JSC::profilingTimer):
961         * tools/SigillCrashAnalyzer.cpp:
962         (JSC::SignalContext::dump):
963         (JSC::installCrashHandler):
964         (JSC::SigillCrashAnalyzer::analyze):
965         * wasm/WasmFaultSignalHandler.cpp:
966         (JSC::Wasm::trapHandler):
967
968 2018-04-19  David Kilzer  <ddkilzer@apple.com>
969
970         Enable Objective-C weak references
971         <https://webkit.org/b/184789>
972         <rdar://problem/39571716>
973
974         Reviewed by Dan Bernstein.
975
976         * Configurations/Base.xcconfig:
977         (CLANG_ENABLE_OBJC_WEAK): Enable.
978         * Configurations/ToolExecutable.xcconfig:
979         (CLANG_ENABLE_OBJC_ARC): Simplify.
980
981 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
982
983         The InternalFunction hierarchy should be in IsoSubspaces
984         https://bugs.webkit.org/show_bug.cgi?id=184721
985
986         Reviewed by Saam Barati.
987         
988         This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
989         but subclasses that are the same size as InternalFunction share its subspace. I did this
990         because the subclasses appear to just override methods, which are called dynamically via the
991         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
992         allocate one kind of InternalFunction over another.
993
994         * API/JSBase.h:
995         * API/JSCallbackFunction.h:
996         * API/ObjCCallbackFunction.h:
997         (JSC::ObjCCallbackFunction::subspaceFor):
998         * CMakeLists.txt:
999         * JavaScriptCore.xcodeproj/project.pbxproj:
1000         * Sources.txt:
1001         * heap/IsoSubspacePerVM.cpp: Added.
1002         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
1003         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
1004         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
1005         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
1006         (JSC::IsoSubspacePerVM::forVM):
1007         * heap/IsoSubspacePerVM.h: Added.
1008         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
1009         * runtime/Error.h:
1010         * runtime/ErrorConstructor.h:
1011         * runtime/InternalFunction.h:
1012         (JSC::InternalFunction::subspaceFor):
1013         * runtime/IntlCollatorConstructor.h:
1014         * runtime/IntlDateTimeFormatConstructor.h:
1015         * runtime/IntlNumberFormatConstructor.h:
1016         * runtime/JSArrayBufferConstructor.h:
1017         * runtime/NativeErrorConstructor.h:
1018         * runtime/ProxyRevoke.h:
1019         * runtime/RegExpConstructor.h:
1020         * runtime/VM.cpp:
1021         (JSC::VM::VM):
1022         * runtime/VM.h:
1023
1024 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1025
1026         Unreviewed, fix jsc shell
1027         https://bugs.webkit.org/show_bug.cgi?id=184600
1028
1029         WebAssembly module loading does not finish with drainMicrotasks().
1030         So JSNativeStdFunction's capturing variables become invalid.
1031         This patch fixes this issue.
1032
1033         * jsc.cpp:
1034         (functionDollarAgentStart):
1035         (runWithOptions):
1036         (runJSC):
1037         (jscmain):
1038
1039 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
1040
1041         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
1042         https://bugs.webkit.org/show_bug.cgi?id=184725
1043
1044         Reviewed by Mark Lam.
1045
1046         * jit/JIT.h:
1047
1048 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1049
1050         [WebAssembly][Modules] Import tables in wasm modules
1051         https://bugs.webkit.org/show_bug.cgi?id=184738
1052
1053         Reviewed by JF Bastien.
1054
1055         This patch simply allows wasm modules to import tables from wasm modules / js re-exporting.
1056         Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
1057         just works.
1058
1059         * wasm/js/JSWebAssemblyInstance.cpp:
1060         (JSC::JSWebAssemblyInstance::create):
1061         * wasm/js/WebAssemblyModuleRecord.cpp:
1062         (JSC::WebAssemblyModuleRecord::link):
1063
1064 2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>
1065
1066         [ARM] Fix build error and crash after PtrTag change
1067         https://bugs.webkit.org/show_bug.cgi?id=184732
1068
1069         Reviewed by Mark Lam.
1070
1071         Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
1072         MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
1073         twice with ARM-Thumb2.
1074
1075         * assembler/MacroAssemblerCodeRef.h:
1076         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1077         * jit/JITPropertyAccess32_64.cpp:
1078         (JSC::JIT::emitSlow_op_put_by_val):
1079         * jit/Repatch.cpp:
1080         (JSC::linkPolymorphicCall):
1081
1082 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1083
1084         [WebAssembly][Modules] Import globals from wasm modules
1085         https://bugs.webkit.org/show_bug.cgi?id=184736
1086
1087         Reviewed by JF Bastien.
1088
1089         This patch implements a feature importing globals to/from wasm modules.
1090         Since we are not supporting mutable globals now, we can just copy the
1091         global data when importing. Currently we do not support importing/exporting
1092         i64 globals. This will be supported once (1) mutable global bindings are
1093         specified and (2) BigInt based i64 importing/exporting is specified.
1094
1095         * wasm/js/JSWebAssemblyInstance.cpp:
1096         (JSC::JSWebAssemblyInstance::create):
1097         * wasm/js/WebAssemblyModuleRecord.cpp:
1098         (JSC::WebAssemblyModuleRecord::link):
1099
1100 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1101
1102         Unreviewed, fix build on ARM
1103
1104         * assembler/MacroAssemblerARM.h:
1105         (JSC::MacroAssemblerARM::readCallTarget):
1106
1107 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1108
1109         Unreviewed, fix build with GCC
1110
1111         * assembler/LinkBuffer.h:
1112         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1113
1114 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1115
1116         Unreviewed, reland r230697, r230720, and r230724.
1117         https://bugs.webkit.org/show_bug.cgi?id=184600
1118
1119         With CatchScope check.
1120
1121         * JavaScriptCore.xcodeproj/project.pbxproj:
1122         * builtins/ModuleLoaderPrototype.js:
1123         (globalPrivate.newRegistryEntry):
1124         (requestInstantiate):
1125         (link):
1126         * jsc.cpp:
1127         (convertShebangToJSComment):
1128         (fillBufferWithContentsOfFile):
1129         (fetchModuleFromLocalFileSystem):
1130         (GlobalObject::moduleLoaderFetch):
1131         (functionDollarAgentStart):
1132         (checkException):
1133         (runWithOptions):
1134         * parser/NodesAnalyzeModule.cpp:
1135         (JSC::ImportDeclarationNode::analyzeModule):
1136         * parser/SourceProvider.h:
1137         (JSC::WebAssemblySourceProvider::create):
1138         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1139         * runtime/AbstractModuleRecord.cpp:
1140         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1141         (JSC::AbstractModuleRecord::resolveImport):
1142         (JSC::AbstractModuleRecord::link):
1143         (JSC::AbstractModuleRecord::evaluate):
1144         (JSC::identifierToJSValue): Deleted.
1145         * runtime/AbstractModuleRecord.h:
1146         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
1147         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
1148         * runtime/JSModuleEnvironment.cpp:
1149         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1150         * runtime/JSModuleLoader.cpp:
1151         (JSC::JSModuleLoader::evaluate):
1152         * runtime/JSModuleRecord.cpp:
1153         (JSC::JSModuleRecord::link):
1154         (JSC::JSModuleRecord::instantiateDeclarations):
1155         * runtime/JSModuleRecord.h:
1156         * runtime/ModuleLoaderPrototype.cpp:
1157         (JSC::moduleLoaderPrototypeParseModule):
1158         (JSC::moduleLoaderPrototypeRequestedModules):
1159         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1160         * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
1161         * wasm/js/JSWebAssemblyHelpers.h:
1162         (JSC::getWasmBufferFromValue):
1163         (JSC::createSourceBufferFromValue):
1164         * wasm/js/JSWebAssemblyInstance.cpp:
1165         (JSC::JSWebAssemblyInstance::finalizeCreation):
1166         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
1167         (JSC::JSWebAssemblyInstance::create):
1168         * wasm/js/JSWebAssemblyInstance.h:
1169         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1170         (JSC::constructJSWebAssemblyInstance):
1171         * wasm/js/WebAssemblyModuleRecord.cpp:
1172         (JSC::WebAssemblyModuleRecord::prepareLink):
1173         (JSC::WebAssemblyModuleRecord::link):
1174         * wasm/js/WebAssemblyModuleRecord.h:
1175         * wasm/js/WebAssemblyPrototype.cpp:
1176         (JSC::resolve):
1177         (JSC::instantiate):
1178         (JSC::compileAndInstantiate):
1179         (JSC::WebAssemblyPrototype::instantiate):
1180         (JSC::webAssemblyInstantiateFunc):
1181         (JSC::webAssemblyValidateFunc):
1182         * wasm/js/WebAssemblyPrototype.h:
1183
1184 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
1185
1186         [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
1187         https://bugs.webkit.org/show_bug.cgi?id=184687
1188
1189         Reviewed by Michael Catanzaro.
1190
1191         Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
1192         JSClassDefinition. This is required to implement dynamic properties that can't be added with
1193         jsc_class_add_property(), for example to implement something like the imports object in seed/gjs.
1194
1195         * API/glib/JSCClass.cpp:
1196         (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
1197         can throw exceptions.
1198         (VTableExceptionHandler::~VTableExceptionHandler):
1199         (getProperty): Iterate the class chain to call get_property function.
1200         (setProperty): Iterate the class chain to call set_property function.
1201         (hasProperty): Iterate the class chain to call has_property function.
1202         (deleteProperty): Iterate the class chain to call delete_property function.
1203         (getPropertyNames): Iterate the class chain to call enumerate_properties function.
1204         (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
1205         jscClassCreate now.
1206         (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
1207         * API/glib/JSCClass.h:
1208         * API/glib/JSCClassPrivate.h:
1209         * API/glib/JSCContext.cpp:
1210         (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
1211         (jsc_context_register_class): Add JSCClassVTable parameter.
1212         * API/glib/JSCContext.h:
1213         * API/glib/JSCContextPrivate.h:
1214         * API/glib/JSCWrapperMap.cpp:
1215         (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
1216         * API/glib/JSCWrapperMap.h:
1217         * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
1218
1219 2018-04-17  Mark Lam  <mark.lam@apple.com>
1220
1221         Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
1222         https://bugs.webkit.org/show_bug.cgi?id=184702
1223         <rdar://problem/35391681>
1224
1225         Reviewed by Filip Pizlo and Saam Barati.
1226
1227         1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
1228            to take a PtrTag template argument.
1229         2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
1230
1231         * assembler/AbstractMacroAssembler.h:
1232         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
1233         (JSC::AbstractMacroAssembler::linkJump):
1234         (JSC::AbstractMacroAssembler::linkPointer):
1235         (JSC::AbstractMacroAssembler::getLinkerAddress):
1236         (JSC::AbstractMacroAssembler::repatchJump):
1237         (JSC::AbstractMacroAssembler::repatchJumpToNop):
1238         (JSC::AbstractMacroAssembler::repatchNearCall):
1239         (JSC::AbstractMacroAssembler::repatchCompact):
1240         (JSC::AbstractMacroAssembler::repatchInt32):
1241         (JSC::AbstractMacroAssembler::repatchPointer):
1242         (JSC::AbstractMacroAssembler::readPointer):
1243         (JSC::AbstractMacroAssembler::replaceWithLoad):
1244         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
1245         * assembler/CodeLocation.h:
1246         (JSC::CodeLocationCommon:: const):
1247         (JSC::CodeLocationCommon::CodeLocationCommon):
1248         (JSC::CodeLocationInstruction::CodeLocationInstruction):
1249         (JSC::CodeLocationLabel::CodeLocationLabel):
1250         (JSC::CodeLocationLabel::retagged):
1251         (JSC::CodeLocationLabel:: const):
1252         (JSC::CodeLocationJump::CodeLocationJump):
1253         (JSC::CodeLocationJump::retagged):
1254         (JSC::CodeLocationCall::CodeLocationCall):
1255         (JSC::CodeLocationCall::retagged):
1256         (JSC::CodeLocationNearCall::CodeLocationNearCall):
1257         (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
1258         (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
1259         (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
1260         (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
1261         (JSC::CodeLocationCommon<tag>::instructionAtOffset):
1262         (JSC::CodeLocationCommon<tag>::labelAtOffset):
1263         (JSC::CodeLocationCommon<tag>::jumpAtOffset):
1264         (JSC::CodeLocationCommon<tag>::callAtOffset):
1265         (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
1266         (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
1267         (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
1268         (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
1269         (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
1270         (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
1271         (JSC::CodeLocationCommon::labelAtOffset): Deleted.
1272         (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
1273         (JSC::CodeLocationCommon::callAtOffset): Deleted.
1274         (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
1275         (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
1276         (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
1277         (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
1278         (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
1279         * assembler/LinkBuffer.cpp:
1280         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
1281         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
1282         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
1283         (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
1284         * assembler/LinkBuffer.h:
1285         (JSC::LinkBuffer::link):
1286         (JSC::LinkBuffer::patch):
1287         (JSC::LinkBuffer::entrypoint):
1288         (JSC::LinkBuffer::locationOf):
1289         (JSC::LinkBuffer::locationOfNearCall):
1290         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1291         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1292         (JSC::LinkBuffer::trampolineAt):
1293         * assembler/MacroAssemblerARM.h:
1294         (JSC::MacroAssemblerARM::readCallTarget):
1295         (JSC::MacroAssemblerARM::replaceWithJump):
1296         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
1297         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
1298         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
1299         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
1300         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
1301         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
1302         (JSC::MacroAssemblerARM::repatchCall):
1303         (JSC::MacroAssemblerARM::linkCall):
1304         * assembler/MacroAssemblerARM64.h:
1305         (JSC::MacroAssemblerARM64::readCallTarget):
1306         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
1307         (JSC::MacroAssemblerARM64::replaceWithJump):
1308         (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
1309         (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
1310         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
1311         (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
1312         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1313         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
1314         (JSC::MacroAssemblerARM64::repatchCall):
1315         (JSC::MacroAssemblerARM64::linkCall):
1316         * assembler/MacroAssemblerARMv7.h:
1317         (JSC::MacroAssemblerARMv7::replaceWithJump):
1318         (JSC::MacroAssemblerARMv7::readCallTarget):
1319         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
1320         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
1321         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
1322         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
1323         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
1324         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
1325         (JSC::MacroAssemblerARMv7::repatchCall):
1326         (JSC::MacroAssemblerARMv7::linkCall):
1327         * assembler/MacroAssemblerCodeRef.cpp:
1328         (JSC::MacroAssemblerCodePtrBase::dumpWithName):
1329         (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
1330         (JSC::MacroAssemblerCodeRefBase::disassembly):
1331         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
1332         (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
1333         (JSC::MacroAssemblerCodePtr::dump const): Deleted.
1334         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
1335         (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
1336         (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
1337         (JSC::MacroAssemblerCodeRef::dump const): Deleted.
1338         * assembler/MacroAssemblerCodeRef.h:
1339         (JSC::FunctionPtr::FunctionPtr):
1340         (JSC::FunctionPtr::retagged const):
1341         (JSC::FunctionPtr::retaggedExecutableAddress const):
1342         (JSC::FunctionPtr::operator== const):
1343         (JSC::FunctionPtr::operator!= const):
1344         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1345         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1346         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1347         (JSC::MacroAssemblerCodePtr::retagged const):
1348         (JSC::MacroAssemblerCodePtr:: const):
1349         (JSC::MacroAssemblerCodePtr::dumpWithName const):
1350         (JSC::MacroAssemblerCodePtr::dump const):
1351         (JSC::MacroAssemblerCodePtrHash::hash):
1352         (JSC::MacroAssemblerCodePtrHash::equal):
1353         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1354         (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
1355         (JSC::MacroAssemblerCodeRef::code const):
1356         (JSC::MacroAssemblerCodeRef::retaggedCode const):
1357         (JSC::MacroAssemblerCodeRef::retagged const):
1358         (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
1359         (JSC::MacroAssemblerCodeRef::disassembly const):
1360         (JSC::MacroAssemblerCodeRef::dump const):
1361         (JSC::FunctionPtr<tag>::FunctionPtr):
1362         * assembler/MacroAssemblerMIPS.h:
1363         (JSC::MacroAssemblerMIPS::readCallTarget):
1364         (JSC::MacroAssemblerMIPS::replaceWithJump):
1365         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
1366         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
1367         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
1368         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
1369         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
1370         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
1371         (JSC::MacroAssemblerMIPS::repatchCall):
1372         (JSC::MacroAssemblerMIPS::linkCall):
1373         * assembler/MacroAssemblerX86.h:
1374         (JSC::MacroAssemblerX86::readCallTarget):
1375         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
1376         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
1377         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
1378         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
1379         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
1380         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
1381         (JSC::MacroAssemblerX86::repatchCall):
1382         (JSC::MacroAssemblerX86::linkCall):
1383         * assembler/MacroAssemblerX86Common.h:
1384         (JSC::MacroAssemblerX86Common::repatchCompact):
1385         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
1386         (JSC::MacroAssemblerX86Common::replaceWithJump):
1387         * assembler/MacroAssemblerX86_64.h:
1388         (JSC::MacroAssemblerX86_64::readCallTarget):
1389         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
1390         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
1391         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
1392         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
1393         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1394         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
1395         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
1396         (JSC::MacroAssemblerX86_64::repatchCall):
1397         (JSC::MacroAssemblerX86_64::linkCall):
1398         * assembler/testmasm.cpp:
1399         (JSC::compile):
1400         (JSC::invoke):
1401         (JSC::testProbeModifiesProgramCounter):
1402         * b3/B3Compilation.cpp:
1403         (JSC::B3::Compilation::Compilation):
1404         * b3/B3Compilation.h:
1405         (JSC::B3::Compilation::code const):
1406         (JSC::B3::Compilation::codeRef const):
1407         * b3/B3Compile.cpp:
1408         (JSC::B3::compile):
1409         * b3/B3LowerMacros.cpp:
1410         * b3/air/AirDisassembler.cpp:
1411         (JSC::B3::Air::Disassembler::dump):
1412         * b3/air/testair.cpp:
1413         * b3/testb3.cpp:
1414         (JSC::B3::invoke):
1415         (JSC::B3::testInterpreter):
1416         (JSC::B3::testEntrySwitchSimple):
1417         (JSC::B3::testEntrySwitchNoEntrySwitch):
1418         (JSC::B3::testEntrySwitchWithCommonPaths):
1419         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
1420         (JSC::B3::testEntrySwitchLoop):
1421         * bytecode/AccessCase.cpp:
1422         (JSC::AccessCase::generateImpl):
1423         * bytecode/AccessCaseSnippetParams.cpp:
1424         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1425         * bytecode/ByValInfo.h:
1426         (JSC::ByValInfo::ByValInfo):
1427         * bytecode/CallLinkInfo.cpp:
1428         (JSC::CallLinkInfo::callReturnLocation):
1429         (JSC::CallLinkInfo::patchableJump):
1430         (JSC::CallLinkInfo::hotPathBegin):
1431         (JSC::CallLinkInfo::slowPathStart):
1432         * bytecode/CallLinkInfo.h:
1433         (JSC::CallLinkInfo::setCallLocations):
1434         (JSC::CallLinkInfo::hotPathOther):
1435         * bytecode/CodeBlock.cpp:
1436         (JSC::CodeBlock::finishCreation):
1437         * bytecode/GetByIdStatus.cpp:
1438         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1439         * bytecode/GetByIdVariant.cpp:
1440         (JSC::GetByIdVariant::GetByIdVariant):
1441         (JSC::GetByIdVariant::dumpInContext const):
1442         * bytecode/GetByIdVariant.h:
1443         (JSC::GetByIdVariant::customAccessorGetter const):
1444         * bytecode/GetterSetterAccessCase.cpp:
1445         (JSC::GetterSetterAccessCase::create):
1446         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1447         (JSC::GetterSetterAccessCase::dumpImpl const):
1448         * bytecode/GetterSetterAccessCase.h:
1449         (JSC::GetterSetterAccessCase::customAccessor const):
1450         (): Deleted.
1451         * bytecode/HandlerInfo.h:
1452         (JSC::HandlerInfo::initialize):
1453         * bytecode/InlineAccess.cpp:
1454         (JSC::linkCodeInline):
1455         (JSC::InlineAccess::rewireStubAsJump):
1456         * bytecode/InlineAccess.h:
1457         * bytecode/JumpTable.h:
1458         (JSC::StringJumpTable::ctiForValue):
1459         (JSC::SimpleJumpTable::ctiForValue):
1460         * bytecode/LLIntCallLinkInfo.h:
1461         (JSC::LLIntCallLinkInfo::unlink):
1462         * bytecode/PolymorphicAccess.cpp:
1463         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1464         (JSC::PolymorphicAccess::regenerate):
1465         * bytecode/PolymorphicAccess.h:
1466         (JSC::AccessGenerationResult::AccessGenerationResult):
1467         (JSC::AccessGenerationResult::code const):
1468         * bytecode/StructureStubInfo.h:
1469         (JSC::StructureStubInfo::slowPathCallLocation):
1470         (JSC::StructureStubInfo::doneLocation):
1471         (JSC::StructureStubInfo::slowPathStartLocation):
1472         (JSC::StructureStubInfo::patchableJumpForIn):
1473         * dfg/DFGCommonData.h:
1474         (JSC::DFG::CommonData::appendCatchEntrypoint):
1475         * dfg/DFGDisassembler.cpp:
1476         (JSC::DFG::Disassembler::dumpDisassembly):
1477         * dfg/DFGDriver.h:
1478         * dfg/DFGJITCompiler.cpp:
1479         (JSC::DFG::JITCompiler::linkOSRExits):
1480         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1481         (JSC::DFG::JITCompiler::link):
1482         (JSC::DFG::JITCompiler::compileFunction):
1483         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1484         * dfg/DFGJITCompiler.h:
1485         (JSC::DFG::CallLinkRecord::CallLinkRecord):
1486         (JSC::DFG::JITCompiler::appendCall):
1487         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
1488         (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
1489         (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
1490         * dfg/DFGJITFinalizer.cpp:
1491         (JSC::DFG::JITFinalizer::JITFinalizer):
1492         (JSC::DFG::JITFinalizer::finalize):
1493         (JSC::DFG::JITFinalizer::finalizeFunction):
1494         * dfg/DFGJITFinalizer.h:
1495         * dfg/DFGJumpReplacement.h:
1496         (JSC::DFG::JumpReplacement::JumpReplacement):
1497         * dfg/DFGNode.h:
1498         * dfg/DFGOSREntry.cpp:
1499         (JSC::DFG::prepareOSREntry):
1500         (JSC::DFG::prepareCatchOSREntry):
1501         * dfg/DFGOSREntry.h:
1502         (JSC::DFG::prepareOSREntry):
1503         * dfg/DFGOSRExit.cpp:
1504         (JSC::DFG::OSRExit::executeOSRExit):
1505         (JSC::DFG::reifyInlinedCallFrames):
1506         (JSC::DFG::adjustAndJumpToTarget):
1507         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1508         (JSC::DFG::OSRExit::emitRestoreArguments):
1509         (JSC::DFG::OSRExit::compileOSRExit):
1510         * dfg/DFGOSRExit.h:
1511         * dfg/DFGOSRExitCompilerCommon.cpp:
1512         (JSC::DFG::handleExitCounts):
1513         (JSC::DFG::reifyInlinedCallFrames):
1514         (JSC::DFG::osrWriteBarrier):
1515         (JSC::DFG::adjustAndJumpToTarget):
1516         * dfg/DFGOperations.cpp:
1517         * dfg/DFGSlowPathGenerator.h:
1518         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
1519         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
1520         (JSC::DFG::slowPathCall):
1521         * dfg/DFGSpeculativeJIT.cpp:
1522         (JSC::DFG::SpeculativeJIT::compileMathIC):
1523         (JSC::DFG::SpeculativeJIT::compileCallDOM):
1524         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1525         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1526         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1527         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1528         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1529         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1530         (JSC::DFG::SpeculativeJIT::cachedPutById):
1531         * dfg/DFGSpeculativeJIT.h:
1532         (JSC::DFG::SpeculativeJIT::callOperation):
1533         (JSC::DFG::SpeculativeJIT::appendCall):
1534         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1535         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1536         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1537         * dfg/DFGSpeculativeJIT64.cpp:
1538         (JSC::DFG::SpeculativeJIT::cachedGetById):
1539         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1540         (JSC::DFG::SpeculativeJIT::compile):
1541         * dfg/DFGThunks.cpp:
1542         (JSC::DFG::osrExitThunkGenerator):
1543         (JSC::DFG::osrExitGenerationThunkGenerator):
1544         (JSC::DFG::osrEntryThunkGenerator):
1545         * dfg/DFGThunks.h:
1546         * disassembler/ARM64Disassembler.cpp:
1547         (JSC::tryToDisassemble):
1548         * disassembler/ARMv7Disassembler.cpp:
1549         (JSC::tryToDisassemble):
1550         * disassembler/Disassembler.cpp:
1551         (JSC::disassemble):
1552         (JSC::disassembleAsynchronously):
1553         * disassembler/Disassembler.h:
1554         (JSC::tryToDisassemble):
1555         * disassembler/UDis86Disassembler.cpp:
1556         (JSC::tryToDisassembleWithUDis86):
1557         * disassembler/UDis86Disassembler.h:
1558         (JSC::tryToDisassembleWithUDis86):
1559         * disassembler/X86Disassembler.cpp:
1560         (JSC::tryToDisassemble):
1561         * ftl/FTLCompile.cpp:
1562         (JSC::FTL::compile):
1563         * ftl/FTLExceptionTarget.cpp:
1564         (JSC::FTL::ExceptionTarget::label):
1565         (JSC::FTL::ExceptionTarget::jumps):
1566         * ftl/FTLExceptionTarget.h:
1567         * ftl/FTLGeneratedFunction.h:
1568         * ftl/FTLJITCode.cpp:
1569         (JSC::FTL::JITCode::initializeB3Code):
1570         (JSC::FTL::JITCode::initializeAddressForCall):
1571         (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
1572         (JSC::FTL::JITCode::addressForCall):
1573         (JSC::FTL::JITCode::executableAddressAtOffset):
1574         * ftl/FTLJITCode.h:
1575         (JSC::FTL::JITCode::b3Code const):
1576         * ftl/FTLJITFinalizer.cpp:
1577         (JSC::FTL::JITFinalizer::finalizeCommon):
1578         * ftl/FTLLazySlowPath.cpp:
1579         (JSC::FTL::LazySlowPath::initialize):
1580         (JSC::FTL::LazySlowPath::generate):
1581         * ftl/FTLLazySlowPath.h:
1582         (JSC::FTL::LazySlowPath::patchableJump const):
1583         (JSC::FTL::LazySlowPath::done const):
1584         (JSC::FTL::LazySlowPath::stub const):
1585         * ftl/FTLLazySlowPathCall.h:
1586         (JSC::FTL::createLazyCallGenerator):
1587         * ftl/FTLLink.cpp:
1588         (JSC::FTL::link):
1589         * ftl/FTLLowerDFGToB3.cpp:
1590         (JSC::FTL::DFG::LowerDFGToB3::lower):
1591         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1592         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1593         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1594         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1595         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1596         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1597         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
1598         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1599         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1600         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
1601         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1602         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1603         * ftl/FTLOSRExit.cpp:
1604         (JSC::FTL::OSRExit::codeLocationForRepatch const):
1605         * ftl/FTLOSRExit.h:
1606         * ftl/FTLOSRExitCompiler.cpp:
1607         (JSC::FTL::compileStub):
1608         (JSC::FTL::compileFTLOSRExit):
1609         * ftl/FTLOSRExitHandle.cpp:
1610         (JSC::FTL::OSRExitHandle::emitExitThunk):
1611         * ftl/FTLOperations.cpp:
1612         (JSC::FTL::compileFTLLazySlowPath):
1613         * ftl/FTLPatchpointExceptionHandle.cpp:
1614         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
1615         * ftl/FTLSlowPathCall.cpp:
1616         (JSC::FTL::SlowPathCallContext::keyWithTarget const):
1617         (JSC::FTL::SlowPathCallContext::makeCall):
1618         * ftl/FTLSlowPathCall.h:
1619         (JSC::FTL::callOperation):
1620         * ftl/FTLSlowPathCallKey.cpp:
1621         (JSC::FTL::SlowPathCallKey::dump const):
1622         * ftl/FTLSlowPathCallKey.h:
1623         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1624         (JSC::FTL::SlowPathCallKey::callTarget const):
1625         (JSC::FTL::SlowPathCallKey::withCallTarget):
1626         (JSC::FTL::SlowPathCallKey::hash const):
1627         (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
1628         * ftl/FTLState.cpp:
1629         (JSC::FTL::State::State):
1630         * ftl/FTLThunks.cpp:
1631         (JSC::FTL::genericGenerationThunkGenerator):
1632         (JSC::FTL::osrExitGenerationThunkGenerator):
1633         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1634         (JSC::FTL::slowPathCallThunkGenerator):
1635         * ftl/FTLThunks.h:
1636         (JSC::FTL::generateIfNecessary):
1637         (JSC::FTL::keyForThunk):
1638         (JSC::FTL::Thunks::getSlowPathCallThunk):
1639         (JSC::FTL::Thunks::keyForSlowPathCallThunk):
1640         * interpreter/InterpreterInlines.h:
1641         (JSC::Interpreter::getOpcodeID):
1642         * jit/AssemblyHelpers.cpp:
1643         (JSC::AssemblyHelpers::callExceptionFuzz):
1644         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1645         (JSC::AssemblyHelpers::debugCall):
1646         * jit/CCallHelpers.cpp:
1647         (JSC::CCallHelpers::ensureShadowChickenPacket):
1648         * jit/ExecutableAllocator.cpp:
1649         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1650         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1651         * jit/ExecutableAllocator.h:
1652         (JSC::performJITMemcpy):
1653         * jit/GCAwareJITStubRoutine.cpp:
1654         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
1655         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
1656         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
1657         (JSC::createJITStubRoutine):
1658         * jit/GCAwareJITStubRoutine.h:
1659         (JSC::createJITStubRoutine):
1660         * jit/JIT.cpp:
1661         (JSC::ctiPatchCallByReturnAddress):
1662         (JSC::JIT::compileWithoutLinking):
1663         (JSC::JIT::link):
1664         (JSC::JIT::privateCompileExceptionHandlers):
1665         * jit/JIT.h:
1666         (JSC::CallRecord::CallRecord):
1667         * jit/JITArithmetic.cpp:
1668         (JSC::JIT::emitMathICFast):
1669         (JSC::JIT::emitMathICSlow):
1670         * jit/JITCall.cpp:
1671         (JSC::JIT::compileOpCallSlowCase):
1672         * jit/JITCall32_64.cpp:
1673         (JSC::JIT::compileOpCallSlowCase):
1674         * jit/JITCode.cpp:
1675         (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
1676         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1677         (JSC::DirectJITCode::DirectJITCode):
1678         (JSC::DirectJITCode::initializeCodeRef):
1679         (JSC::DirectJITCode::addressForCall):
1680         (JSC::NativeJITCode::NativeJITCode):
1681         (JSC::NativeJITCode::initializeCodeRef):
1682         (JSC::NativeJITCode::addressForCall):
1683         * jit/JITCode.h:
1684         * jit/JITCodeMap.h:
1685         (JSC::JITCodeMap::Entry::Entry):
1686         (JSC::JITCodeMap::Entry::codeLocation):
1687         (JSC::JITCodeMap::append):
1688         (JSC::JITCodeMap::find const):
1689         * jit/JITDisassembler.cpp:
1690         (JSC::JITDisassembler::dumpDisassembly):
1691         * jit/JITExceptions.cpp:
1692         (JSC::genericUnwind):
1693         * jit/JITInlineCacheGenerator.cpp:
1694         (JSC::JITByIdGenerator::finalize):
1695         * jit/JITInlines.h:
1696         (JSC::JIT::emitNakedCall):
1697         (JSC::JIT::emitNakedTailCall):
1698         (JSC::JIT::appendCallWithExceptionCheck):
1699         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
1700         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1701         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1702         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1703         * jit/JITMathIC.h:
1704         (JSC::isProfileEmpty):
1705         * jit/JITOpcodes.cpp:
1706         (JSC::JIT::emit_op_catch):
1707         (JSC::JIT::emit_op_switch_imm):
1708         (JSC::JIT::emit_op_switch_char):
1709         (JSC::JIT::emit_op_switch_string):
1710         (JSC::JIT::privateCompileHasIndexedProperty):
1711         (JSC::JIT::emitSlow_op_has_indexed_property):
1712         * jit/JITOpcodes32_64.cpp:
1713         (JSC::JIT::privateCompileHasIndexedProperty):
1714         * jit/JITOperations.cpp:
1715         (JSC::getByVal):
1716         * jit/JITPropertyAccess.cpp:
1717         (JSC::JIT::stringGetByValStubGenerator):
1718         (JSC::JIT::emitGetByValWithCachedId):
1719         (JSC::JIT::emitSlow_op_get_by_val):
1720         (JSC::JIT::emitPutByValWithCachedId):
1721         (JSC::JIT::emitSlow_op_put_by_val):
1722         (JSC::JIT::emitSlow_op_try_get_by_id):
1723         (JSC::JIT::emitSlow_op_get_by_id_direct):
1724         (JSC::JIT::emitSlow_op_get_by_id):
1725         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1726         (JSC::JIT::emitSlow_op_put_by_id):
1727         (JSC::JIT::privateCompileGetByVal):
1728         (JSC::JIT::privateCompileGetByValWithCachedId):
1729         (JSC::JIT::privateCompilePutByVal):
1730         (JSC::JIT::privateCompilePutByValWithCachedId):
1731         * jit/JITPropertyAccess32_64.cpp:
1732         (JSC::JIT::stringGetByValStubGenerator):
1733         (JSC::JIT::emitSlow_op_get_by_val):
1734         (JSC::JIT::emitSlow_op_put_by_val):
1735         * jit/JITStubRoutine.h:
1736         (JSC::JITStubRoutine::JITStubRoutine):
1737         (JSC::JITStubRoutine::createSelfManagedRoutine):
1738         (JSC::JITStubRoutine::code const):
1739         (JSC::JITStubRoutine::asCodePtr):
1740         * jit/JITThunks.cpp:
1741         (JSC::JITThunks::ctiNativeCall):
1742         (JSC::JITThunks::ctiNativeConstruct):
1743         (JSC::JITThunks::ctiNativeTailCall):
1744         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
1745         (JSC::JITThunks::ctiInternalFunctionCall):
1746         (JSC::JITThunks::ctiInternalFunctionConstruct):
1747         (JSC::JITThunks::ctiStub):
1748         (JSC::JITThunks::existingCTIStub):
1749         (JSC::JITThunks::hostFunctionStub):
1750         * jit/JITThunks.h:
1751         * jit/PCToCodeOriginMap.cpp:
1752         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
1753         * jit/PCToCodeOriginMap.h:
1754         * jit/PolymorphicCallStubRoutine.cpp:
1755         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1756         * jit/PolymorphicCallStubRoutine.h:
1757         * jit/Repatch.cpp:
1758         (JSC::readPutICCallTarget):
1759         (JSC::ftlThunkAwareRepatchCall):
1760         (JSC::appropriateOptimizingGetByIdFunction):
1761         (JSC::appropriateGetByIdFunction):
1762         (JSC::tryCacheGetByID):
1763         (JSC::repatchGetByID):
1764         (JSC::tryCachePutByID):
1765         (JSC::repatchPutByID):
1766         (JSC::tryCacheIn):
1767         (JSC::repatchIn):
1768         (JSC::linkSlowFor):
1769         (JSC::linkFor):
1770         (JSC::linkDirectFor):
1771         (JSC::revertCall):
1772         (JSC::unlinkFor):
1773         (JSC::linkVirtualFor):
1774         (JSC::linkPolymorphicCall):
1775         (JSC::resetGetByID):
1776         (JSC::resetPutByID):
1777         * jit/Repatch.h:
1778         * jit/SlowPathCall.h:
1779         (JSC::JITSlowPathCall::call):
1780         * jit/SpecializedThunkJIT.h:
1781         (JSC::SpecializedThunkJIT::finalize):
1782         (JSC::SpecializedThunkJIT::callDoubleToDouble):
1783         (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
1784         * jit/ThunkGenerator.h:
1785         * jit/ThunkGenerators.cpp:
1786         (JSC::throwExceptionFromCallSlowPathGenerator):
1787         (JSC::slowPathFor):
1788         (JSC::linkCallThunkGenerator):
1789         (JSC::linkPolymorphicCallThunkGenerator):
1790         (JSC::virtualThunkFor):
1791         (JSC::nativeForGenerator):
1792         (JSC::nativeCallGenerator):
1793         (JSC::nativeTailCallGenerator):
1794         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1795         (JSC::nativeConstructGenerator):
1796         (JSC::internalFunctionCallGenerator):
1797         (JSC::internalFunctionConstructGenerator):
1798         (JSC::arityFixupGenerator):
1799         (JSC::unreachableGenerator):
1800         (JSC::charCodeAtThunkGenerator):
1801         (JSC::charAtThunkGenerator):
1802         (JSC::fromCharCodeThunkGenerator):
1803         (JSC::clz32ThunkGenerator):
1804         (JSC::sqrtThunkGenerator):
1805         (JSC::floorThunkGenerator):
1806         (JSC::ceilThunkGenerator):
1807         (JSC::truncThunkGenerator):
1808         (JSC::roundThunkGenerator):
1809         (JSC::expThunkGenerator):
1810         (JSC::logThunkGenerator):
1811         (JSC::absThunkGenerator):
1812         (JSC::imulThunkGenerator):
1813         (JSC::randomThunkGenerator):
1814         (JSC::boundThisNoArgsFunctionCallGenerator):
1815         * jit/ThunkGenerators.h:
1816         * llint/LLIntData.cpp:
1817         (JSC::LLInt::initialize):
1818         * llint/LLIntData.h:
1819         (JSC::LLInt::getExecutableAddress):
1820         (JSC::LLInt::getCodePtr):
1821         (JSC::LLInt::getCodeRef):
1822         (JSC::LLInt::getCodeFunctionPtr):
1823         * llint/LLIntEntrypoint.cpp:
1824         (JSC::LLInt::setFunctionEntrypoint):
1825         (JSC::LLInt::setEvalEntrypoint):
1826         (JSC::LLInt::setProgramEntrypoint):
1827         (JSC::LLInt::setModuleProgramEntrypoint):
1828         * llint/LLIntExceptions.cpp:
1829         (JSC::LLInt::callToThrow):
1830         * llint/LLIntSlowPaths.cpp:
1831         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1832         (JSC::LLInt::setUpCall):
1833         * llint/LLIntThunks.cpp:
1834         (JSC::vmEntryToWasm):
1835         (JSC::LLInt::generateThunkWithJumpTo):
1836         (JSC::LLInt::functionForCallEntryThunkGenerator):
1837         (JSC::LLInt::functionForConstructEntryThunkGenerator):
1838         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
1839         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
1840         (JSC::LLInt::evalEntryThunkGenerator):
1841         (JSC::LLInt::programEntryThunkGenerator):
1842         (JSC::LLInt::moduleProgramEntryThunkGenerator):
1843         * llint/LLIntThunks.h:
1844         * llint/LowLevelInterpreter.asm:
1845         * llint/LowLevelInterpreter32_64.asm:
1846         * llint/LowLevelInterpreter64.asm:
1847         * profiler/ProfilerCompilation.cpp:
1848         (JSC::Profiler::Compilation::addOSRExitSite):
1849         * profiler/ProfilerCompilation.h:
1850         * profiler/ProfilerOSRExitSite.cpp:
1851         (JSC::Profiler::OSRExitSite::toJS const):
1852         * profiler/ProfilerOSRExitSite.h:
1853         (JSC::Profiler::OSRExitSite::OSRExitSite):
1854         (JSC::Profiler::OSRExitSite::codeAddress const):
1855         (JSC::Profiler::OSRExitSite:: const): Deleted.
1856         * runtime/ExecutableBase.cpp:
1857         (JSC::ExecutableBase::clearCode):
1858         * runtime/ExecutableBase.h:
1859         (JSC::ExecutableBase::entrypointFor):
1860         * runtime/NativeExecutable.cpp:
1861         (JSC::NativeExecutable::finishCreation):
1862         * runtime/NativeFunction.h:
1863         (JSC::TaggedNativeFunction::TaggedNativeFunction):
1864         (JSC::TaggedNativeFunction::operator NativeFunction):
1865         * runtime/PtrTag.h:
1866         (JSC::tagCodePtr):
1867         (JSC::untagCodePtr):
1868         (JSC::retagCodePtr):
1869         (JSC::tagCFunctionPtr):
1870         (JSC::untagCFunctionPtr):
1871         (JSC::nextPtrTagID): Deleted.
1872         * runtime/PutPropertySlot.h:
1873         (JSC::PutPropertySlot::PutPropertySlot):
1874         (JSC::PutPropertySlot::setCustomValue):
1875         (JSC::PutPropertySlot::setCustomAccessor):
1876         (JSC::PutPropertySlot::customSetter const):
1877         * runtime/ScriptExecutable.cpp:
1878         (JSC::ScriptExecutable::installCode):
1879         * runtime/VM.cpp:
1880         (JSC::VM::getHostFunction):
1881         (JSC::VM::getCTIInternalFunctionTrampolineFor):
1882         * runtime/VM.h:
1883         (JSC::VM::getCTIStub):
1884         * wasm/WasmB3IRGenerator.cpp:
1885         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1886         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
1887         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1888         (JSC::Wasm::B3IRGenerator::addCall):
1889         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1890         * wasm/WasmBBQPlan.cpp:
1891         (JSC::Wasm::BBQPlan::prepare):
1892         (JSC::Wasm::BBQPlan::complete):
1893         * wasm/WasmBBQPlan.h:
1894         * wasm/WasmBinding.cpp:
1895         (JSC::Wasm::wasmToWasm):
1896         * wasm/WasmBinding.h:
1897         * wasm/WasmCallee.h:
1898         (JSC::Wasm::Callee::entrypoint const):
1899         * wasm/WasmCallingConvention.h:
1900         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
1901         * wasm/WasmCodeBlock.h:
1902         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
1903         * wasm/WasmFaultSignalHandler.cpp:
1904         (JSC::Wasm::trapHandler):
1905         * wasm/WasmFormat.h:
1906         * wasm/WasmInstance.h:
1907         * wasm/WasmOMGPlan.cpp:
1908         (JSC::Wasm::OMGPlan::work):
1909         * wasm/WasmThunks.cpp:
1910         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1911         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1912         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1913         (JSC::Wasm::Thunks::stub):
1914         (JSC::Wasm::Thunks::existingStub):
1915         * wasm/WasmThunks.h:
1916         * wasm/js/JSToWasm.cpp:
1917         (JSC::Wasm::createJSToWasmWrapper):
1918         * wasm/js/JSWebAssemblyCodeBlock.h:
1919         * wasm/js/WasmToJS.cpp:
1920         (JSC::Wasm::handleBadI64Use):
1921         (JSC::Wasm::wasmToJS):
1922         * wasm/js/WasmToJS.h:
1923         * wasm/js/WebAssemblyFunction.h:
1924         * yarr/YarrJIT.cpp:
1925         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
1926         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
1927         (JSC::Yarr::YarrGenerator::compile):
1928         * yarr/YarrJIT.h:
1929         (JSC::Yarr::YarrCodeBlock::set8BitCode):
1930         (JSC::Yarr::YarrCodeBlock::set16BitCode):
1931         (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
1932         (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
1933         (JSC::Yarr::YarrCodeBlock::execute):
1934         (JSC::Yarr::YarrCodeBlock::clear):
1935
1936 2018-04-17  Commit Queue  <commit-queue@webkit.org>
1937
1938         Unreviewed, rolling out r230697, r230720, and r230724.
1939         https://bugs.webkit.org/show_bug.cgi?id=184717
1940
1941         These caused multiple failures on the Test262 testers.
1942         (Requested by mlewis13 on #webkit).
1943
1944         Reverted changesets:
1945
1946         "[WebAssembly][Modules] Prototype wasm import"
1947         https://bugs.webkit.org/show_bug.cgi?id=184600
1948         https://trac.webkit.org/changeset/230697
1949
1950         "[WebAssembly][Modules] Implement function import from wasm
1951         modules"
1952         https://bugs.webkit.org/show_bug.cgi?id=184689
1953         https://trac.webkit.org/changeset/230720
1954
1955         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
1956         https://bugs.webkit.org/show_bug.cgi?id=184703
1957         https://trac.webkit.org/changeset/230724
1958
1959 2018-04-17  JF Bastien  <jfbastien@apple.com>
1960
1961         A put is not an ExistingProperty put when we transition a structure because of an attributes change
1962         https://bugs.webkit.org/show_bug.cgi?id=184706
1963         <rdar://problem/38871451>
1964
1965         Reviewed by Saam Barati.
1966
1967         When putting a property on a structure and the slot is a different
1968         type, the slot can't be said to have already been existing.
1969
1970         * runtime/JSObjectInlines.h:
1971         (JSC::JSObject::putDirectInternal):
1972
1973 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
1974
1975         JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
1976         https://bugs.webkit.org/show_bug.cgi?id=184705
1977
1978         Reviewed by Michael Saboff.
1979         
1980         My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
1981         while testing an unrelated patch, a concurrent GC thread crashed inside
1982         JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
1983         because a typed array became wasteful concurrently to the GC. So, visitChildren() read one
1984         mode and another vector.
1985         
1986         The fix is to lock inside visitChildren and anyone who changes those fields.
1987         
1988         I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
1989         this.
1990
1991         * runtime/JSArrayBufferView.cpp:
1992         (JSC::JSArrayBufferView::neuter):
1993         * runtime/JSGenericTypedArrayViewInlines.h:
1994         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1995         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
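
The torn read described in the entry above, as an added example that is not WebKit code and not part of this ChangeLog. Only the shape is taken from the entry: a GC visitor reads m_mode and m_vector as two separate loads while the mutator can rewrite both, and the fix is to take one lock on both sides. The CellLock type, the two storage addresses and the preempt hook are assumptions introduced so that the worst-case interleaving happens deterministically in one thread instead of depending on a multi-socket machine getting lucky.

```cpp
#include <atomic>
#include <cstdint>
#include <functional>
#include <utility>

// Storage representation of the typed array; stands in for the entry's m_mode.
enum class Mode { Fast, Wasteful };

// Minimal try-acquire lock standing in for the cell lock the fix takes.
// A spin flag is used instead of std::mutex so that "would have to wait"
// can be observed from a single thread without deadlocking. (Assumption.)
struct CellLock {
    std::atomic<bool> held{false};
    bool tryLock() {
        bool expected = false;
        return held.compare_exchange_strong(expected, true);
    }
    void unlock() { held.store(false); }
};

// Constructed addresses for the two storages; only their pairing with the mode matters.
constexpr uintptr_t kInlineStorage = 0x1000;
constexpr uintptr_t kWastefulBuffer = 0x2000;

struct TypedArrayView {
    Mode mode = Mode::Fast;              // the entry's m_mode
    uintptr_t vector = kInlineStorage;   // the entry's m_vector
    CellLock cellLock;

    // What the marking code relies on: the mode tells the GC how to treat the
    // vector, so both values must come from the same point in time.
    static bool consistent(Mode m, uintptr_t v) {
        return (m == Mode::Fast && v == kInlineStorage)
            || (m == Mode::Wasteful && v == kWastefulBuffer);
    }

    // Mutator before the fix: rewrites both fields with no lock.
    void slowDownAndWasteMemoryUnlocked() {
        mode = Mode::Wasteful;
        vector = kWastefulBuffer;
    }

    // Mutator after the fix: rewrites the fields only while holding the cell
    // lock. Returns false when the GC holds it, i.e. the transition would have
    // to wait (modelled as "deferred" rather than spinning).
    bool slowDownAndWasteMemoryLocked() {
        if (!cellLock.tryLock())
            return false;
        slowDownAndWasteMemoryUnlocked();
        cellLock.unlock();
        return true;
    }
};

// The preempt hook plays the scheduler: it runs the mutator between the GC's
// two field reads, at the worst possible moment.
using Preempt = std::function<void()>;

// GC before the fix: two plain reads that can see two generations of the object.
std::pair<Mode, uintptr_t> visitChildrenUnlocked(TypedArrayView& view, const Preempt& preempt) {
    Mode m = view.mode;
    preempt();
    uintptr_t v = view.vector;
    return {m, v};
}

// GC after the fix: both reads happen under the lock every writer must take.
std::pair<Mode, uintptr_t> visitChildrenLocked(TypedArrayView& view, const Preempt& preempt) {
    while (!view.cellLock.tryLock()) { }
    Mode m = view.mode;
    preempt();
    uintptr_t v = view.vector;
    view.cellLock.unlock();
    return {m, v};
}

// Torn-read interleaving against the unlocked pair. Returns whether the
// (mode, vector) pair the GC acted on was consistent.
bool gcSeesConsistentPairUnlocked() {
    TypedArrayView view;
    auto seen = visitChildrenUnlocked(view, [&] { view.slowDownAndWasteMemoryUnlocked(); });
    return TypedArrayView::consistent(seen.first, seen.second);
}

// Same interleaving with the fix: the mutator is held off until the GC is
// done, and its transition then goes through on a consistent object.
bool gcSeesConsistentPairLocked() {
    TypedArrayView view;
    bool mutatorRanDuringVisit = false;
    auto seen = visitChildrenLocked(view, [&] {
        mutatorRanDuringVisit = view.slowDownAndWasteMemoryLocked();
    });
    if (!mutatorRanDuringVisit)
        view.slowDownAndWasteMemoryLocked();   // deferred transition now succeeds
    return !mutatorRanDuringVisit
        && TypedArrayView::consistent(seen.first, seen.second)
        && TypedArrayView::consistent(view.mode, view.vector);
}
```

The unlocked visitor returns (Fast, kWastefulBuffer), a pair no real object ever had, which is exactly the state in which a marking routine would follow the wrong pointer. The locked visitor cannot observe that pair because the writer is excluded for the whole read; the cost is that every writer of those fields, not just the GC, has to take the lock, which is why the entry touches neuter() and slowDownAndWasteMemory() as well as visitChildren().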
1996
1997 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
1998
1999         PutStackSinkingPhase should know that KillStack means ConflictingFlush
2000         https://bugs.webkit.org/show_bug.cgi?id=184672
2001
2002         Reviewed by Michael Saboff.
2003
2004         We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
2005         KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
2006         archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
2007         intentional - I don't know.
2008
2009         Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
2010         doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
2011         the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
2012         KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
2013         that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
2014         specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
2015         could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
2016         KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
2017         inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
2018         have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
2019         values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
2020         value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
2021
2022         This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
2023         them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
2024         its stack slot for the purpose of clobberize.
2025
2026         * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
2027         * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
2028         * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
2029         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2030
2031 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2032
2033         JSWebAssemblyCodeBlock should be in an IsoSubspace
2034         https://bugs.webkit.org/show_bug.cgi?id=184704
2035
2036         Reviewed by Mark Lam.
2037         
2038         Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
2039         CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
2040         short-circuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
2041         protection.
2042
2043         * runtime/VM.cpp:
2044         (JSC::VM::VM):
2045         * runtime/VM.h:
2046         * wasm/js/JSWebAssemblyCodeBlock.h:
2047
2048 2018-04-17  Jer Noble  <jer.noble@apple.com>
2049
2050         Only enable useSeparatedWXHeap on ARM64.
2051         https://bugs.webkit.org/show_bug.cgi?id=184697
2052
2053         Reviewed by Saam Barati.
2054
2055         * runtime/Options.cpp:
2056         (JSC::recomputeDependentOptions):
2057
2058 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2059
2060         [WebAssembly][Modules] Implement function import from wasm modules
2061         https://bugs.webkit.org/show_bug.cgi?id=184689
2062
2063         Reviewed by JF Bastien.
2064
2065         This patch implements function import from wasm modules. We move the function importing part
2066         from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
2067         is because linking these functions requires that all the dependent modules are created.
2068         While we want to move all the linking functionality from JSWebAssemblyInstance to
2069         WebAssemblyModuleRecord::link, we do not do that in this patch. In this patch, we move only
2070         the function importing part because efficient compilation of WebAssembly needs to know
2071         the type of WebAssemblyMemory (signaling or bound checking). This needs to know the imported
2072         or attached WebAssembly memory object. So we cannot defer this linking to
2073         WebAssemblyModuleRecord::link now.
2074
2075         The largest difference from JS module linking is that WebAssembly module linking links
2076         function from the module by snapshotting. When you have a cyclic module graph like this,
2077
2078         -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
2079             ^                                                   |
2080             +---------------------------------------------------+
2081
2082         we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
2083         is described in [1], and tested in this patch.
2084
2085         [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
2086
2087         * JavaScriptCore.xcodeproj/project.pbxproj:
2088         * jsc.cpp:
2089         (functionDollarAgentStart):
2090         (checkException):
2091         (runWithOptions):
2092         Small fixes for wasm module loading.
2093
2094         * parser/NodesAnalyzeModule.cpp:
2095         (JSC::ImportDeclarationNode::analyzeModule):
2096         * runtime/AbstractModuleRecord.cpp:
2097         (JSC::AbstractModuleRecord::resolveImport):
2098         (JSC::AbstractModuleRecord::link):
2099         * runtime/AbstractModuleRecord.h:
2100         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
2101         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
2102         Now, wasm modules can have an import which is named "*". So this function does not work.
2103         Since wasm modules never have namespace importing, we check this in JS's module analyzer.
2104
2105         * runtime/JSModuleEnvironment.cpp:
2106         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2107         * runtime/JSModuleRecord.cpp:
2108         (JSC::JSModuleRecord::instantiateDeclarations):
2109         * wasm/WasmCreationMode.h: Added.
2110         * wasm/js/JSWebAssemblyInstance.cpp:
2111         (JSC::JSWebAssemblyInstance::finalizeCreation):
2112         (JSC::JSWebAssemblyInstance::create):
2113         * wasm/js/JSWebAssemblyInstance.h:
2114         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2115         (JSC::constructJSWebAssemblyInstance):
2116         * wasm/js/WebAssemblyModuleRecord.cpp:
2117         (JSC::WebAssemblyModuleRecord::link):
2118         * wasm/js/WebAssemblyModuleRecord.h:
2119         * wasm/js/WebAssemblyPrototype.cpp:
2120         (JSC::resolve):
2121         (JSC::instantiate):
2122         (JSC::compileAndInstantiate):
2123         (JSC::WebAssemblyPrototype::instantiate):
2124         (JSC::webAssemblyInstantiateFunc):
2125
2126 2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>
2127
2128         Implement setupArgumentsImpl for ARM and MIPS
2129         https://bugs.webkit.org/show_bug.cgi?id=183786
2130
2131         Reviewed by Yusuke Suzuki.
2132
2133         Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling conventions. Added
2134         numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
2135         registers used for 64-bit values on 32-bit architectures. numCrossSources
2136         keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
2137
2138         * assembler/MacroAssemblerARMv7.h:
2139         (JSC::MacroAssemblerARMv7::moveDouble):
2140         * assembler/MacroAssemblerMIPS.h:
2141         (JSC::MacroAssemblerMIPS::moveDouble):
2142         * jit/CCallHelpers.h:
2143         (JSC::CCallHelpers::setupStubCrossArgs):
2144         (JSC::CCallHelpers::ArgCollection::ArgCollection):
2145         (JSC::CCallHelpers::ArgCollection::pushRegArg):
2146         (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
2147         (JSC::CCallHelpers::ArgCollection::addGPRArg):
2148         (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
2149         (JSC::CCallHelpers::ArgCollection::addStackArg):
2150         (JSC::CCallHelpers::ArgCollection::addPoke):
2151         (JSC::CCallHelpers::ArgCollection::argCount):
2152         (JSC::CCallHelpers::calculatePokeOffset):
2153         (JSC::CCallHelpers::pokeForArgument):
2154         (JSC::CCallHelpers::stackAligned):
2155         (JSC::CCallHelpers::marshallArgumentRegister):
2156         (JSC::CCallHelpers::setupArgumentsImpl):
2157         (JSC::CCallHelpers::pokeArgumentsAligned):
2158         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
2159         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
2160         (JSC::CCallHelpers::setupArguments):
2161         * jit/FPRInfo.h:
2162         (JSC::FPRInfo::toArgumentRegister):
2163
2164 2018-04-17  Saam Barati  <sbarati@apple.com>
2165
2166         Add system trace points for process launch and for initializeWebProcess
2167         https://bugs.webkit.org/show_bug.cgi?id=184669
2168
2169         Reviewed by Simon Fraser.
2170
2171         * runtime/VMEntryScope.cpp:
2172         (JSC::VMEntryScope::VMEntryScope):
2173         (JSC::VMEntryScope::~VMEntryScope):
2174
2175 2018-04-17  Jer Noble  <jer.noble@apple.com>
2176
2177         Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
2178         https://bugs.webkit.org/show_bug.cgi?id=184602
2179
2180         Reviewed by Beth Dakin.
2181
2182         * JavaScriptCore.xcodeproj/project.pbxproj:
2183
2184 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2185
2186         [GLIB] Add API to clear JSCContext uncaught exception
2187         https://bugs.webkit.org/show_bug.cgi?id=184685
2188
2189         Reviewed by Žan Doberšek.
2190
2191         Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
2192
2193         * API/glib/JSCContext.cpp:
2194         (jsc_context_clear_exception):
2195         * API/glib/JSCContext.h:
2196         * API/glib/docs/jsc-glib-4.0-sections.txt:
2197
2198 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2199
2200         [GLIB] Add API to query, delete and enumerate properties
2201         https://bugs.webkit.org/show_bug.cgi?id=184647
2202
2203         Reviewed by Michael Catanzaro.
2204
2205         Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
2206
2207         * API/glib/JSCValue.cpp:
2208         (jsc_value_object_has_property):
2209         (jsc_value_object_delete_property):
2210         (jsc_value_object_enumerate_properties):
2211         * API/glib/JSCValue.h:
2212         * API/glib/docs/jsc-glib-4.0-sections.txt:
2213
2214 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2215
2216         [WebAssembly][Modules] Prototype wasm import
2217         https://bugs.webkit.org/show_bug.cgi?id=184600
2218
2219         Reviewed by JF Bastien.
2220
2221         This patch is an initial attempt to implement Wasm loading in module pipeline.
2222         Currently,
2223
2224         1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
2225            in whatwg HTML, we should integrate this into WebCore.
2226
2227         2. We only support exporting values from Wasm. Wasm modules cannot import anything from
2228            the other modules now.
2229
2230         When loading a file, the JSC shell checks the wasm magic. If the wasm magic is found, the JSC shell
2231         loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
2232         module loader pipeline just handles it the same as JS. When parsing a module, we
2233         check the type of JSSourceCode. If the source code is Wasm source code, we create a
2234         WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
2235         AbstractModuleRecord and the Wasm module is instantiated, linked, and evaluated.
2236
2237         * builtins/ModuleLoaderPrototype.js:
2238         (globalPrivate.newRegistryEntry):
2239         (requestInstantiate):
2240         (link):
2241         * jsc.cpp:
2242         (convertShebangToJSComment):
2243         (fillBufferWithContentsOfFile):
2244         (fetchModuleFromLocalFileSystem):
2245         (GlobalObject::moduleLoaderFetch):
2246         * parser/SourceProvider.h:
2247         (JSC::WebAssemblySourceProvider::create):
2248         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
2249         * runtime/AbstractModuleRecord.cpp:
2250         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2251         (JSC::AbstractModuleRecord::link):
2252         (JSC::AbstractModuleRecord::evaluate):
2253         (JSC::identifierToJSValue): Deleted.
2254         * runtime/AbstractModuleRecord.h:
2255         * runtime/JSModuleLoader.cpp:
2256         (JSC::JSModuleLoader::evaluate):
2257         * runtime/JSModuleRecord.cpp:
2258         (JSC::JSModuleRecord::link):
2259         (JSC::JSModuleRecord::instantiateDeclarations):
2260         * runtime/JSModuleRecord.h:
2261         * runtime/ModuleLoaderPrototype.cpp:
2262         (JSC::moduleLoaderPrototypeParseModule):
2263         (JSC::moduleLoaderPrototypeRequestedModules):
2264         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
2265         * wasm/js/JSWebAssemblyHelpers.h:
2266         (JSC::getWasmBufferFromValue):
2267         (JSC::createSourceBufferFromValue):
2268         * wasm/js/JSWebAssemblyInstance.cpp:
2269         (JSC::JSWebAssemblyInstance::finalizeCreation):
2270         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
2271         (JSC::JSWebAssemblyInstance::create):
2272         * wasm/js/JSWebAssemblyInstance.h:
2273         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2274         (JSC::constructJSWebAssemblyInstance):
2275         * wasm/js/WebAssemblyModuleRecord.cpp:
2276         (JSC::WebAssemblyModuleRecord::prepareLink):
2277         (JSC::WebAssemblyModuleRecord::link):
2278         * wasm/js/WebAssemblyModuleRecord.h:
2279         * wasm/js/WebAssemblyPrototype.cpp:
2280         (JSC::resolve):
2281         (JSC::instantiate):
2282         (JSC::compileAndInstantiate):
2283         (JSC::WebAssemblyPrototype::instantiate):
2284         (JSC::webAssemblyInstantiateFunc):
2285         (JSC::webAssemblyValidateFunc):
2286         * wasm/js/WebAssemblyPrototype.h:
2287
2288 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
2289
2290         Function.prototype.caller shouldn't return generator bodies
2291         https://bugs.webkit.org/show_bug.cgi?id=184630
2292
2293         Reviewed by Yusuke Suzuki.
2294         
2295         Function.prototype.caller no longer returns generator bodies. Those are meant to be
2296         private.
2297         
2298         Also added some builtin debugging tools so that it's easier to do the investigation that I
2299         did.
2300
2301         * builtins/BuiltinNames.h:
2302         * runtime/JSFunction.cpp:
2303         (JSC::JSFunction::callerGetter):
2304         * runtime/JSGlobalObject.cpp:
2305         (JSC::JSGlobalObject::init):
2306         * runtime/JSGlobalObjectFunctions.cpp:
2307         (JSC::globalFuncBuiltinDescribe):
2308         * runtime/JSGlobalObjectFunctions.h:
2309
2310 2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2311
2312         [DFG] Remove duplicate 32bit ProfileType implementation
2313         https://bugs.webkit.org/show_bug.cgi?id=184536
2314
2315         Reviewed by Saam Barati.
2316
2317         This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.
2318
2319         * dfg/DFGSpeculativeJIT.cpp:
2320         (JSC::DFG::SpeculativeJIT::compileProfileType):
2321         * dfg/DFGSpeculativeJIT.h:
2322         * dfg/DFGSpeculativeJIT32_64.cpp:
2323         (JSC::DFG::SpeculativeJIT::compile):
2324         * dfg/DFGSpeculativeJIT64.cpp:
2325         (JSC::DFG::SpeculativeJIT::compile):
2326         * jit/AssemblyHelpers.h:
2327         (JSC::AssemblyHelpers::branchIfUndefined):
2328         (JSC::AssemblyHelpers::branchIfNull):
2329
2330 2018-04-12  Mark Lam  <mark.lam@apple.com>
2331
2332         Consolidate some PtrTags.
2333         https://bugs.webkit.org/show_bug.cgi?id=184552
2334         <rdar://problem/39389404>
2335
2336         Reviewed by Filip Pizlo.
2337
2338         Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
2339         Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
2340
2341         * assembler/AbstractMacroAssembler.h:
2342         (JSC::AbstractMacroAssembler::repatchNearCall):
2343         * assembler/MacroAssemblerARM.h:
2344         (JSC::MacroAssemblerARM::readCallTarget):
2345         * assembler/MacroAssemblerARMv7.h:
2346         (JSC::MacroAssemblerARMv7::readCallTarget):
2347         * assembler/MacroAssemblerMIPS.h:
2348         (JSC::MacroAssemblerMIPS::readCallTarget):
2349         * assembler/MacroAssemblerX86.h:
2350         (JSC::MacroAssemblerX86::readCallTarget):
2351         * assembler/MacroAssemblerX86_64.h:
2352         (JSC::MacroAssemblerX86_64::readCallTarget):
2353         * bytecode/AccessCase.cpp:
2354         (JSC::AccessCase::generateImpl):
2355         * bytecode/InlineAccess.cpp:
2356         (JSC::InlineAccess::rewireStubAsJump):
2357         * bytecode/PolymorphicAccess.cpp:
2358         (JSC::PolymorphicAccess::regenerate):
2359         * dfg/DFGJITCompiler.cpp:
2360         (JSC::DFG::JITCompiler::linkOSRExits):
2361         (JSC::DFG::JITCompiler::link):
2362         (JSC::DFG::JITCompiler::compileFunction):
2363         * dfg/DFGJITFinalizer.cpp:
2364         (JSC::DFG::JITFinalizer::finalize):
2365         (JSC::DFG::JITFinalizer::finalizeFunction):
2366         * dfg/DFGOSREntry.cpp:
2367         (JSC::DFG::prepareOSREntry):
2368         * dfg/DFGOSRExit.cpp:
2369         (JSC::DFG::OSRExit::executeOSRExit):
2370         (JSC::DFG::adjustAndJumpToTarget):
2371         (JSC::DFG::OSRExit::compileOSRExit):
2372         * dfg/DFGOSRExitCompilerCommon.cpp:
2373         (JSC::DFG::adjustAndJumpToTarget):
2374         * dfg/DFGOperations.cpp:
2375         * ftl/FTLJITCode.cpp:
2376         (JSC::FTL::JITCode::executableAddressAtOffset):
2377         * ftl/FTLJITFinalizer.cpp:
2378         (JSC::FTL::JITFinalizer::finalizeCommon):
2379         * ftl/FTLLazySlowPath.cpp:
2380         (JSC::FTL::LazySlowPath::generate):
2381         * ftl/FTLLink.cpp:
2382         (JSC::FTL::link):
2383         * ftl/FTLLowerDFGToB3.cpp:
2384         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2385         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2386         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2387         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2388         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2389         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
2390         * ftl/FTLOSRExitCompiler.cpp:
2391         (JSC::FTL::compileFTLOSRExit):
2392         * ftl/FTLOSRExitHandle.cpp:
2393         (JSC::FTL::OSRExitHandle::emitExitThunk):
2394         * jit/AssemblyHelpers.cpp:
2395         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2396         * jit/JIT.cpp:
2397         (JSC::JIT::compileWithoutLinking):
2398         (JSC::JIT::link):
2399         * jit/JITCall.cpp:
2400         (JSC::JIT::compileOpCallSlowCase):
2401         * jit/JITCode.cpp:
2402         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2403         (JSC::NativeJITCode::addressForCall):
2404         * jit/JITInlines.h:
2405         (JSC::JIT::emitNakedCall):
2406         (JSC::JIT::emitNakedTailCall):
2407         * jit/JITMathIC.h:
2408         (JSC::isProfileEmpty):
2409         * jit/JITOpcodes.cpp:
2410         (JSC::JIT::privateCompileHasIndexedProperty):
2411         * jit/JITOperations.cpp:
2412         * jit/JITPropertyAccess.cpp:
2413         (JSC::JIT::stringGetByValStubGenerator):
2414         (JSC::JIT::privateCompileGetByVal):
2415         (JSC::JIT::privateCompileGetByValWithCachedId):
2416         (JSC::JIT::privateCompilePutByVal):
2417         (JSC::JIT::privateCompilePutByValWithCachedId):
2418         * jit/JITThunks.cpp:
2419         (JSC::JITThunks::hostFunctionStub):
2420         * jit/Repatch.cpp:
2421         (JSC::linkSlowFor):
2422         (JSC::linkFor):
2423         (JSC::linkPolymorphicCall):
2424         * jit/SpecializedThunkJIT.h:
2425         (JSC::SpecializedThunkJIT::finalize):
2426         * jit/ThunkGenerators.cpp:
2427         (JSC::virtualThunkFor):
2428         (JSC::nativeForGenerator):
2429         (JSC::boundThisNoArgsFunctionCallGenerator):
2430         * llint/LLIntData.cpp:
2431         (JSC::LLInt::initialize):
2432         * llint/LLIntEntrypoint.cpp:
2433         (JSC::LLInt::setEvalEntrypoint):
2434         (JSC::LLInt::setProgramEntrypoint):
2435         (JSC::LLInt::setModuleProgramEntrypoint):
2436         * llint/LLIntSlowPaths.cpp:
2437         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2438         (JSC::LLInt::setUpCall):
2439         * llint/LLIntThunks.cpp:
2440         (JSC::LLInt::generateThunkWithJumpTo):
2441         (JSC::LLInt::functionForCallEntryThunkGenerator):
2442         (JSC::LLInt::functionForConstructEntryThunkGenerator):
2443         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
2444         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
2445         (JSC::LLInt::evalEntryThunkGenerator):
2446         (JSC::LLInt::programEntryThunkGenerator):
2447         (JSC::LLInt::moduleProgramEntryThunkGenerator):
2448         * llint/LowLevelInterpreter.asm:
2449         * llint/LowLevelInterpreter64.asm:
2450         * runtime/NativeExecutable.cpp:
2451         (JSC::NativeExecutable::finishCreation):
2452         * runtime/NativeFunction.h:
2453         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2454         (JSC::TaggedNativeFunction::operator NativeFunction):
2455         * runtime/PtrTag.h:
2456         * wasm/WasmBBQPlan.cpp:
2457         (JSC::Wasm::BBQPlan::complete):
2458         * wasm/WasmOMGPlan.cpp:
2459         (JSC::Wasm::OMGPlan::work):
2460         * wasm/WasmThunks.cpp:
2461         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2462         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2463         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2464         * wasm/js/WasmToJS.cpp:
2465         (JSC::Wasm::wasmToJS):
2466         * wasm/js/WebAssemblyFunction.h:
2467         * yarr/YarrJIT.cpp:
2468         (JSC::Yarr::YarrGenerator::compile):
2469
2470 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2471
2472         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
2473         https://bugs.webkit.org/show_bug.cgi?id=184379
2474
2475         Reviewed by Žan Doberšek.
2476
2477         Load the module from the new location.
2478
2479         * PlatformWPE.cmake:
2480         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2481         (Inspector::backendCommands):
2482
2483 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2484
2485         [DFG] Remove compileBigIntEquality in DFG 32bit
2486         https://bugs.webkit.org/show_bug.cgi?id=184535
2487
2488         Reviewed by Saam Barati.
2489
2490         We can have the unified implementation for compileBigIntEquality.
2491
2492         * dfg/DFGSpeculativeJIT.cpp:
2493         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2494         * dfg/DFGSpeculativeJIT32_64.cpp:
2495         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2496         * dfg/DFGSpeculativeJIT64.cpp:
2497         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2498
2499 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2500
2501         [WPE] Improve include hierarchy
2502         https://bugs.webkit.org/show_bug.cgi?id=184376
2503
2504         Reviewed by Žan Doberšek.
2505
2506         Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
2507         /usr/include/wpe-0.1/WPE/jsc.
2508
2509         * PlatformWPE.cmake:
2510
2511 2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2512
2513         [GLIB] Handle strings containing null characters
2514         https://bugs.webkit.org/show_bug.cgi?id=184450
2515
2516         Reviewed by Michael Catanzaro.
2517
2518         We should be able to evaluate scripts containing null characters and to handle strings that contain them
2519         too. In JavaScript, strings are not null-terminated; they can contain null characters. This patch adds a length
2520         parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null terminated), and new functions
2521         jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
2522         contain null characters.
2523
2524         * API/OpaqueJSString.cpp:
2525         (OpaqueJSString::create): Add a create constructor that takes the String.
2526         * API/OpaqueJSString.h:
2527         (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
2528         * API/glib/JSCContext.cpp:
2529         (jsc_context_evaluate): Add length parameter.
2530         (jsc_context_evaluate_with_source_uri): Ditto.
2531         * API/glib/JSCContext.h:
2532         * API/glib/JSCValue.cpp:
2533         (jsc_value_new_string_from_bytes):
2534         (jsc_value_to_string):
2535         (jsc_value_to_string_as_bytes):
2536         (jsc_value_object_is_instance_of): Pass length to evaluate.
2537         * API/glib/JSCValue.h:
2538         * API/glib/docs/jsc-glib-4.0-sections.txt:
2539
2540 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2541
2542         [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
2543         https://bugs.webkit.org/show_bug.cgi?id=184500
2544
2545         Reviewed by Mark Lam.
2546
2547         Instead of passing JSValue::JSCellTag to callOperation meta-program to convert
2548         JSCell GPR to EncodedJSValue in 32bit code, we add CallHelpers::CellValue.
2549         It is a wrapper for GPRReg, like TrustedImmPtr for pointer value. When poking
2550         CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
2551         poke the held GPR. The benefit from this CellValue is that we can use the same code
2552         for 32bit and 64bit. This patch removes several ifdefs.
2553
2554         * bytecode/AccessCase.cpp:
2555         (JSC::AccessCase::generateImpl):
2556         * dfg/DFGSpeculativeJIT.cpp:
2557         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2558         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2559         (JSC::DFG::SpeculativeJIT::cachedPutById):
2560         * dfg/DFGSpeculativeJIT32_64.cpp:
2561         (JSC::DFG::SpeculativeJIT::cachedGetById):
2562         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2563         * jit/CCallHelpers.h:
2564         (JSC::CCallHelpers::CellValue::CellValue):
2565         (JSC::CCallHelpers::CellValue::gpr const):
2566         (JSC::CCallHelpers::setupArgumentsImpl):
2567
2568 2018-04-11  Mark Lam  <mark.lam@apple.com>
2569
2570         [Build fix] Replace CompactJITCodeMap with JITCodeMap.
2571         https://bugs.webkit.org/show_bug.cgi?id=184512
2572         <rdar://problem/35391728>
2573
2574         Not reviewed.
2575
2576         * bytecode/CodeBlock.h:
2577         * jit/JITCodeMap.h:
2578
2579 2018-04-11  Mark Lam  <mark.lam@apple.com>
2580
2581         Replace CompactJITCodeMap with JITCodeMap.
2582         https://bugs.webkit.org/show_bug.cgi?id=184512
2583         <rdar://problem/35391728>
2584
2585         Reviewed by Filip Pizlo.
2586
2587         * CMakeLists.txt:
2588         * JavaScriptCore.xcodeproj/project.pbxproj:
2589         * bytecode/CodeBlock.h:
2590         (JSC::CodeBlock::setJITCodeMap):
2591         (JSC::CodeBlock::jitCodeMap const):
2592         (JSC::CodeBlock::jitCodeMap): Deleted.
2593         * dfg/DFGOSRExit.cpp:
2594         (JSC::DFG::OSRExit::executeOSRExit):
2595         * dfg/DFGOSRExitCompilerCommon.cpp:
2596         (JSC::DFG::adjustAndJumpToTarget):
2597         * jit/AssemblyHelpers.cpp:
2598         (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
2599         * jit/AssemblyHelpers.h:
2600         * jit/CompactJITCodeMap.h: Removed.
2601         * jit/JIT.cpp:
2602         (JSC::JIT::link):
2603         * jit/JITCodeMap.h: Added.
2604         (JSC::JITCodeMap::Entry::Entry):
2605         (JSC::JITCodeMap::Entry::bytecodeIndex const):
2606         (JSC::JITCodeMap::Entry::codeLocation):
2607         (JSC::JITCodeMap::append):
2608         (JSC::JITCodeMap::finish):
2609         (JSC::JITCodeMap::find const):
2610         (JSC::JITCodeMap::operator bool const):
2611         * llint/LLIntSlowPaths.cpp:
2612         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2613
2614 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2615
2616         [DFG] Remove CompareSlowPathGenerator
2617         https://bugs.webkit.org/show_bug.cgi?id=184492
2618
2619         Reviewed by Mark Lam.
2620
2621         Now CompareSlowPathGenerator is just calling a specified function.
2622         This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.
2623
2624         We also remove some of the unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
2625         introducing a new constructor for GPRTemporary.
2626
2627         * JavaScriptCore.xcodeproj/project.pbxproj:
2628         * dfg/DFGCompareSlowPathGenerator.h: Removed.
2629         * dfg/DFGSpeculativeJIT.cpp:
2630         (JSC::DFG::GPRTemporary::GPRTemporary):
2631         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
2632         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
2633         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2634         (JSC::DFG::SpeculativeJIT::compileIsObject):
2635         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2636         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2637         * dfg/DFGSpeculativeJIT.h:
2638         (JSC::DFG::GPRTemporary::GPRTemporary):
2639         * dfg/DFGSpeculativeJIT64.cpp:
2640         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2641
2642 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2643
2644         Unreviewed, build fix for 32bit
2645         https://bugs.webkit.org/show_bug.cgi?id=184236
2646
2647         * dfg/DFGSpeculativeJIT.cpp:
2648         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2649
2650 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2651
2652         [DFG] Remove duplicate 32bit code more
2653         https://bugs.webkit.org/show_bug.cgi?id=184236
2654
2655         Reviewed by Mark Lam.
2656
2657         Remove duplicate 32bit code more aggressively part 2.
2658
2659         * JavaScriptCore.xcodeproj/project.pbxproj:
2660         * dfg/DFGCompareSlowPathGenerator.h: Added.
2661         (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
2662         Drop the boxing part. Use unblessedBooleanResult on the DFGSpeculativeJIT side instead.
2663
2664         * dfg/DFGOperations.cpp:
2665         * dfg/DFGOperations.h:
2666         * dfg/DFGSpeculativeJIT.cpp:
2667         (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
2668         (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
2669         (JSC::DFG::SpeculativeJIT::compileIsObject):
2670         (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
2671         (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
2672         (JSC::DFG::SpeculativeJIT::compilePutById):
2673         (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
2674         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
2675         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2676         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
2677         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2678         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2679         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2680         (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
2681         (JSC::DFG::SpeculativeJIT::cachedPutById):
2682         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2683         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2684         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
2685         * dfg/DFGSpeculativeJIT.h:
2686         (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
2687         * dfg/DFGSpeculativeJIT32_64.cpp:
2688         (JSC::DFG::SpeculativeJIT::compile):
2689         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2690         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2691         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2692         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
2693         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2694         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2695         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2696         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2697         * dfg/DFGSpeculativeJIT64.cpp:
2698         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2699         (JSC::DFG::SpeculativeJIT::compile):
2700         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2701         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2702         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2703         (): Deleted.
2704         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2705         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2706         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2707         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2708         * ftl/FTLLowerDFGToB3.cpp:
2709         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2710         operationHasIndexedPropertyByInt starts returning unblessed boolean with size_t.
2711
2712         * jit/AssemblyHelpers.h:
2713         (JSC::AssemblyHelpers::loadValue):
2714         (JSC::AssemblyHelpers::selectScratchGPR):
2715         (JSC::AssemblyHelpers::constructRegisterSet):
2716         * jit/RegisterSet.h:
2717         (JSC::RegisterSet::setAny):
2718         Clean up selectScratchGPR code to pass JSValueRegs.
2719
2720 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
2721
2722         [ESNext][BigInt] Add support for BigInt in SpeculatedType
2723         https://bugs.webkit.org/show_bug.cgi?id=182470
2724
2725         Reviewed by Saam Barati.
2726
2727         This patch introduces the SpecBigInt type to DFG to enable BigInt
2728         speculation into DFG and FTL.
2729
2730         With SpecBigInt introduction, we can then specialize "===" operations
2731         to BigInts. As we are doing for some cells, we first check if operands
2732         are pointing to the same JSCell, and if it is false, we
2733         fall back to "operationCompareStrictEqCell". The idea in further
2734         patches is to implement BigInt equality check directly in
2735         assembly.
2736
2737         We are also adding support for BigInt constant folding into
2738         TypeOf operation.
2739
2740         * bytecode/SpeculatedType.cpp:
2741         (JSC::dumpSpeculation):
2742         (JSC::speculationFromClassInfo):
2743         (JSC::speculationFromStructure):
2744         (JSC::speculationFromJSType):
2745         (JSC::speculationFromString):
2746         * bytecode/SpeculatedType.h:
2747         (JSC::isBigIntSpeculation):
2748         * dfg/DFGAbstractInterpreterInlines.h:
2749         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2750         * dfg/DFGAbstractValue.cpp:
2751         (JSC::DFG::AbstractValue::set):
2752         * dfg/DFGConstantFoldingPhase.cpp:
2753         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2754         * dfg/DFGFixupPhase.cpp:
2755         (JSC::DFG::FixupPhase::fixupNode):
2756         (JSC::DFG::FixupPhase::fixupToThis):
2757         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2758         * dfg/DFGInferredTypeCheck.cpp:
2759         (JSC::DFG::insertInferredTypeCheck):
2760         * dfg/DFGNode.h:
2761         (JSC::DFG::Node::shouldSpeculateBigInt):
2762         * dfg/DFGPredictionPropagationPhase.cpp:
2763         * dfg/DFGSafeToExecute.h:
2764         (JSC::DFG::SafeToExecuteEdge::operator()):
2765         * dfg/DFGSpeculativeJIT.cpp:
2766         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2767         (JSC::DFG::SpeculativeJIT::speculateBigInt):
2768         (JSC::DFG::SpeculativeJIT::speculate):
2769         * dfg/DFGSpeculativeJIT.h:
2770         * dfg/DFGSpeculativeJIT32_64.cpp:
2771         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2772         * dfg/DFGSpeculativeJIT64.cpp:
2773         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2774         * dfg/DFGUseKind.cpp:
2775         (WTF::printInternal):
2776         * dfg/DFGUseKind.h:
2777         (JSC::DFG::typeFilterFor):
2778         (JSC::DFG::isCell):
2779         * ftl/FTLCapabilities.cpp:
2780         (JSC::FTL::canCompile):
2781         * ftl/FTLLowerDFGToB3.cpp:
2782         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2783         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
2784         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2785         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
2786         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
2787         * jit/AssemblyHelpers.cpp:
2788         (JSC::AssemblyHelpers::branchIfNotType):
2789         * jit/AssemblyHelpers.h:
2790         (JSC::AssemblyHelpers::branchIfBigInt):
2791         (JSC::AssemblyHelpers::branchIfNotBigInt):
2792         * runtime/InferredType.cpp:
2793         (JSC::InferredType::Descriptor::forValue):
2794         (JSC::InferredType::Descriptor::putByIdFlags const):
2795         (JSC::InferredType::Descriptor::merge):
2796         (WTF::printInternal):
2797         * runtime/InferredType.h:
2798         * runtime/JSBigInt.h:
2799
2800 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2801
2802         Unreviewed, fix cloop build.
2803
2804         * dfg/DFGAbstractInterpreterClobberState.cpp:
2805
2806 2018-04-10  Mark Lam  <mark.lam@apple.com>
2807
2808         Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
2809         https://bugs.webkit.org/show_bug.cgi?id=184464
2810         <rdar://problem/39323947>
2811
2812         Reviewed by Saam Barati.
2813
2814         * heap/MarkedSpace.h:
2815         (JSC::MarkedSpace::sizeClassToIndex):
2816
2817 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
2818
2819         DFG AI and clobberize should agree with each other
2820         https://bugs.webkit.org/show_bug.cgi?id=184440
2821
2822         Reviewed by Saam Barati.
2823         
2824         One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
2825         agree with each other. That's what this patch does: it adds an assertion that AI's structure
2826         state tracking must be equivalent to JSCell_structureID being clobbered.
2827         
2828         One subtlety is that AI sometimes folds away structure clobbering using information that
2829         clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
2830         ObservedTransitions).
2831         
2832         This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
2833         clobberize missing a write(Heap).
2834         
2835         This also makes some cases more precise in order to appease the assertion. Making things more
2836         precise might make things faster, but I didn't measure it because that wasn't the goal.
2837
2838         * JavaScriptCore.xcodeproj/project.pbxproj:
2839         * Sources.txt:
2840         * dfg/DFGAbstractInterpreter.h:
2841         * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
2842         (WTF::printInternal):
2843         * dfg/DFGAbstractInterpreterClobberState.h: Added.
2844         (JSC::DFG::mergeClobberStates):
2845         * dfg/DFGAbstractInterpreterInlines.h:
2846         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
2847         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2848         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
2849         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
2850         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
2851         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
2852         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
2853         (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
2854         * dfg/DFGAtTailAbstractState.h:
2855         (JSC::DFG::AtTailAbstractState::setClobberState):
2856         (JSC::DFG::AtTailAbstractState::mergeClobberState):
2857         (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
2858         * dfg/DFGCFAPhase.cpp:
2859         (JSC::DFG::CFAPhase::performBlockCFA):
2860         * dfg/DFGClobberSet.cpp:
2861         (JSC::DFG::writeSet):
2862         * dfg/DFGClobberSet.h:
2863         * dfg/DFGClobberize.h:
2864         (JSC::DFG::clobberize):
2865         * dfg/DFGConstantFoldingPhase.cpp:
2866         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2867         * dfg/DFGInPlaceAbstractState.h:
2868         (JSC::DFG::InPlaceAbstractState::clobberState const):
2869         (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
2870         (JSC::DFG::InPlaceAbstractState::didClobber const):
2871         (JSC::DFG::InPlaceAbstractState::setClobberState):
2872         (JSC::DFG::InPlaceAbstractState::mergeClobberState):
2873         (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
2874
2875 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2876
2877         ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
2878         https://bugs.webkit.org/show_bug.cgi?id=184460
2879         <rdar://problem/37610966>
2880
2881         Reviewed by Mark Lam.
2882
2883         * bytecode/ExecutableToCodeBlockEdge.cpp:
2884         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2885
2886 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2887
2888         REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
2889         https://bugs.webkit.org/show_bug.cgi?id=184455
2890
2891         Reviewed by Michael Saboff.
2892         
2893         LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
2894         says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
2895         (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
2896         the thing being hoisted does have effects, then we get a crash.
2897         
2898         In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
2899         CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
2900         would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
2901         effectful.
2902         
2903         Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
2904         clobberize to also think that CompareEq(Untyped:, _) is effectful.
2905         
2906         This fixes the whole situation by teaching both clobberize and AI that the only effectful form
2907         of CompareEq is CompareEq(Untyped:, Untyped:).
2908
2909         * dfg/DFGAbstractInterpreterInlines.h:
2910         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2911         * dfg/DFGClobberize.h:
2912         (JSC::DFG::clobberize):
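
The distinction the entry above draws, that a CompareEq whose operands are both untyped can run user code while a comparison against null or undefined (the "Other" type) cannot, is observable from plain JavaScript. The following is an added example, not code from WebKit: it instruments an object's Symbol.toPrimitive hook (the operand names and the side effect are chosen here for illustration) to record exactly which loose comparisons invoke user code, and lets that user code empty an array, the kind of state a hoisted comparison would silently assume unchanged.

```javascript
// Added example (not WebKit code): measure which comparisons run user code.
// An object with a Symbol.toPrimitive hook records every coercion and may
// run an arbitrary side effect; names and the side effect are illustrative.
function makeTracedOperand(name, log, onCoerce) {
  return {
    [Symbol.toPrimitive](hint) {
      log.push(`${name}.toPrimitive(${hint})`);
      if (onCoerce) onCoerce(); // arbitrary user code runs inside "=="
      return 1;
    },
  };
}

// Evaluate `a == b` and report the result plus every user callback it triggered.
function looseEq(a, b, log) {
  log.length = 0;
  const result = a == b;
  return { result, calls: log.slice() };
}

// Evaluate `a === b` the same way; strict equality never coerces.
function strictEq(a, b, log) {
  log.length = 0;
  const result = a === b;
  return { result, calls: log.slice() };
}

function demo() {
  const log = [];
  const state = { array: [1, 2, 3] }; // state a surrounding loop might be iterating
  const a = makeTracedOperand('a', log, () => { state.array.length = 0; });
  const b = makeTracedOperand('b', log);

  const objObj = looseEq(a, b, log);           // object vs object: identity only, no user code
  const objNull = looseEq(a, null, log);       // object vs null: never coerces
  const objUndef = looseEq(a, undefined, log); // object vs undefined: never coerces
  const strict = strictEq(a, 1, log);          // === never coerces either
  const lengthBefore = state.array.length;     // still 3 at this point
  const objNum = looseEq(a, 1, log);           // object vs number: runs a's hook, array emptied
  return {
    objObj, objNull, objUndef, strict, lengthBefore, objNum,
    lengthAfter: state.array.length,
  };
}
```

In the entry's terms, the comparisons against null and undefined are the CompareEq(Untyped:, Other:) shape that is safe to hoist; a comparison whose other operand might be anything else can call back into user code, which is why it has to be modelled as effectful by both AI and clobberize.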
2913
2914 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
2915
2916         Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
2917         https://bugs.webkit.org/show_bug.cgi?id=184372
2918
2919         Reviewed by Saam Barati.
2920         
2921         We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
2922         have already proved, using techniques that are more precise than AI, that the edge has type
2923         Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
2924         because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
2925         other than a check - so we think we can call those just because we should have already
2926         bailed. It's better to think of them as the result of folding a check. Therefore, we should
2927         only do it if there had been a check to begin with.
2928
2929         * dfg/DFGSpeculativeJIT64.cpp:
2930         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2931         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2932         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2933         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2934         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2935         * ftl/FTLLowerDFGToB3.cpp:
2936         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
2937         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
2938         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
2939         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
2940         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
2941         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2942         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
2943         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
2944
2945 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2946
2947         [JSC] Introduce @putByIdDirectPrivate
2948         https://bugs.webkit.org/show_bug.cgi?id=184400
2949
2950         Reviewed by Saam Barati.
2951
2952         This patch adds @putByIdDirectPrivate() to use it for builtin JS.
2953         @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
2954         for accessing ECMAScript internal fields.
2955
2956         This change removes an accidental [[Put]] operation on an object whose [[Prototype]]
2957         has internal fields (not direct properties). By using @getByIdDirectPrivate() and
2958         @putByIdDirectPrivate(), we strongly keep the semantics of the ECMAScript internal
2959         fields: accessing the internal fields does not traverse prototype chains.
2960
2961         * builtins/ArrayIteratorPrototype.js:
2962         (globalPrivate.arrayIteratorValueNext):
2963         (globalPrivate.arrayIteratorKeyNext):
2964         (globalPrivate.arrayIteratorKeyValueNext):
2965         * builtins/ArrayPrototype.js:
2966         (globalPrivate.createArrayIterator):
2967         * builtins/AsyncFromSyncIteratorPrototype.js:
2968         (globalPrivate.AsyncFromSyncIteratorConstructor):
2969         * builtins/AsyncFunctionPrototype.js:
2970         (globalPrivate.asyncFunctionResume):
2971         * builtins/AsyncGeneratorPrototype.js:
2972         (globalPrivate.asyncGeneratorQueueEnqueue):
2973         (globalPrivate.asyncGeneratorQueueDequeue):
2974         (asyncGeneratorYieldAwaited):
2975         (globalPrivate.asyncGeneratorYield):
2976         (globalPrivate.doAsyncGeneratorBodyCall):
2977         (globalPrivate.asyncGeneratorResumeNext):
2978         * builtins/GeneratorPrototype.js:
2979         (globalPrivate.generatorResume):
2980         * builtins/MapIteratorPrototype.js:
2981         (globalPrivate.mapIteratorNext):
2982         * builtins/MapPrototype.js:
2983         (globalPrivate.createMapIterator):
2984         * builtins/ModuleLoaderPrototype.js:
2985         (forceFulfillPromise):
2986         * builtins/PromiseOperations.js:
2987         (globalPrivate.newHandledRejectedPromise):
2988         (globalPrivate.rejectPromise):
2989         (globalPrivate.fulfillPromise):
2990         (globalPrivate.initializePromise):
2991         * builtins/PromisePrototype.js:
2992         (then):
2993         * builtins/SetIteratorPrototype.js:
2994         (globalPrivate.setIteratorNext):
2995         * builtins/SetPrototype.js:
2996         (globalPrivate.createSetIterator):
2997         * builtins/StringIteratorPrototype.js:
2998         (next):
2999         * bytecode/BytecodeIntrinsicRegistry.h:
3000         * bytecompiler/NodesCodegen.cpp:
3001         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
3002         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
3003
3004 2018-04-09  Mark Lam  <mark.lam@apple.com>
3005
3006         Decorate method table entries to support pointer profiling.
3007         https://bugs.webkit.org/show_bug.cgi?id=184430
3008         <rdar://problem/39296190>
3009
3010         Reviewed by Saam Barati.
3011
3012         * runtime/ClassInfo.h:
3013
3014 2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>
3015
3016         [WPE] Don't install JSC C API headers
3017         https://bugs.webkit.org/show_bug.cgi?id=184375
3018
3019         Reviewed by Žan Doberšek.
3020
3021         None of the functions declared in these headers are exported in WPE. Use the new jsc API
3022         instead.
3023
3024         * PlatformWPE.cmake:
3025
3026 2018-04-08  Mark Lam  <mark.lam@apple.com>
3027
3028         Add pointer profiling to the FTL and supporting code.
3029         https://bugs.webkit.org/show_bug.cgi?id=184395
3030         <rdar://problem/39264019>
3031
3032         Reviewed by Michael Saboff and Filip Pizlo.
3033
3034         * assembler/CodeLocation.h:
3035         (JSC::CodeLocationLabel::retagged):
3036         (JSC::CodeLocationJump::retagged):
3037         * assembler/LinkBuffer.h:
3038         (JSC::LinkBuffer::locationOf):
3039         * dfg/DFGJITCompiler.cpp:
3040         (JSC::DFG::JITCompiler::linkOSRExits):
3041         (JSC::DFG::JITCompiler::link):
3042         * ftl/FTLCompile.cpp:
3043         (JSC::FTL::compile):
3044         * ftl/FTLExceptionTarget.cpp:
3045         (JSC::FTL::ExceptionTarget::label):
3046         (JSC::FTL::ExceptionTarget::jumps):
3047         * ftl/FTLExceptionTarget.h:
3048         * ftl/FTLJITCode.cpp:
3049         (JSC::FTL::JITCode::executableAddressAtOffset):
3050         * ftl/FTLLazySlowPath.cpp:
3051         (JSC::FTL::LazySlowPath::~LazySlowPath):
3052         (JSC::FTL::LazySlowPath::initialize):
3053         (JSC::FTL::LazySlowPath::generate):
3054         (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
3055         * ftl/FTLLazySlowPath.h:
3056         * ftl/FTLLink.cpp:
3057         (JSC::FTL::link):
3058         * ftl/FTLLowerDFGToB3.cpp:
3059         (JSC::FTL::DFG::LowerDFGToB3::lower):
3060         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3061         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3062         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3063         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3064         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3065         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3066         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3067         * ftl/FTLOSRExitCompiler.cpp:
3068         (JSC::FTL::compileStub):
3069         (JSC::FTL::compileFTLOSRExit):
3070         * ftl/FTLOSRExitHandle.cpp:
3071         (JSC::FTL::OSRExitHandle::emitExitThunk):
3072         * ftl/FTLOperations.cpp:
3073         (JSC::FTL::compileFTLLazySlowPath):
3074         * ftl/FTLOutput.h:
3075         (JSC::FTL::Output::callWithoutSideEffects):
3076         (JSC::FTL::Output::operation):
3077         * ftl/FTLPatchpointExceptionHandle.cpp:
3078         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3079         * ftl/FTLSlowPathCall.cpp:
3080         (JSC::FTL::SlowPathCallContext::makeCall):
3081         * ftl/FTLSlowPathCallKey.h:
3082         (JSC::FTL::SlowPathCallKey::withCallTarget):
3083         (JSC::FTL::SlowPathCallKey::callPtrTag const):
3084         * ftl/FTLThunks.cpp:
3085         (JSC::FTL::genericGenerationThunkGenerator):
3086         (JSC::FTL::osrExitGenerationThunkGenerator):
3087         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3088         (JSC::FTL::slowPathCallThunkGenerator):
3089         * jit/JITMathIC.h:
3090         (JSC::isProfileEmpty):
3091         * jit/Repatch.cpp:
3092         (JSC::readPutICCallTarget):
3093         (JSC::ftlThunkAwareRepatchCall):
3094         (JSC::tryCacheGetByID):
3095         (JSC::repatchGetByID):
3096         (JSC::tryCachePutByID):
3097         (JSC::repatchPutByID):
3098         (JSC::repatchIn):
3099         (JSC::resetGetByID):
3100         (JSC::resetPutByID):
3101         (JSC::readCallTarget): Deleted.
3102         * jit/Repatch.h:
3103         * runtime/PtrTag.h:
3104
3105 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3106
3107         Unreviewed, attempt to fix Windows build
3108         https://bugs.webkit.org/show_bug.cgi?id=183508
3109
3110         * jit/JIT.h:
3111
3112 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3113
3114         Unreviewed, build fix for Windows by suppressing padding warning for JIT
3115         https://bugs.webkit.org/show_bug.cgi?id=183508
3116
3117         * jit/JIT.h:
3118
3119 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3120
3121         Use alignas instead of compiler-specific attributes
3122         https://bugs.webkit.org/show_bug.cgi?id=183508
3123
3124         Reviewed by Mark Lam.
3125
3126         Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
3127
3128         * heap/RegisterState.h:
3129         * jit/JIT.h:
3130         (JSC::JIT::compile): Deleted.
3131         (JSC::JIT::compileGetByVal): Deleted.
3132         (JSC::JIT::compileGetByValWithCachedId): Deleted.
3133         (JSC::JIT::compilePutByVal): Deleted.
3134         (JSC::JIT::compileDirectPutByVal): Deleted.
3135         (JSC::JIT::compilePutByValWithCachedId): Deleted.
3136         (JSC::JIT::compileHasIndexedProperty): Deleted.
3137         (JSC::JIT::appendCall): Deleted.
3138         (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
3139         (JSC::JIT::exceptionCheck): Deleted.
3140         (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
3141         (JSC::JIT::emitInt32Load): Deleted.
3142         (JSC::JIT::emitInt32GetByVal): Deleted.
3143         (JSC::JIT::emitInt32PutByVal): Deleted.
3144         (JSC::JIT::emitDoublePutByVal): Deleted.
3145         (JSC::JIT::emitContiguousPutByVal): Deleted.
3146         (JSC::JIT::emitStoreCell): Deleted.
3147         (JSC::JIT::getSlowCase): Deleted.
3148         (JSC::JIT::linkSlowCase): Deleted.
3149         (JSC::JIT::linkDummySlowCase): Deleted.
3150         (JSC::JIT::linkAllSlowCases): Deleted.
3151         (JSC::JIT::callOperation): Deleted.
3152         (JSC::JIT::callOperationWithProfile): Deleted.
3153         (JSC::JIT::callOperationWithResult): Deleted.
3154         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
3155         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
3156         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
3157         (JSC::JIT::sampleCodeBlock): Deleted.
3158         (JSC::JIT::canBeOptimized): Deleted.
3159         (JSC::JIT::canBeOptimizedOrInlined): Deleted.
3160         (JSC::JIT::shouldEmitProfiling): Deleted.
3161         * runtime/VM.h:
3162
3163 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3164
3165         Unreviewed, follow-up patch for DFG 32bit
3166         https://bugs.webkit.org/show_bug.cgi?id=183970
3167
3168         * dfg/DFGSpeculativeJIT32_64.cpp:
3169         (JSC::DFG::SpeculativeJIT::cachedGetById):
3170
3171 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3172
3173         [JSC] Fix incorrect assertion for VM's regexp buffer lock
3174         https://bugs.webkit.org/show_bug.cgi?id=184398
3175
3176         Reviewed by Mark Lam.
3177
3178         The isLocked check before taking a lock is incorrect.
3179
3180         * runtime/VM.cpp:
3181         (JSC::VM::acquireRegExpPatternContexBuffer):
3182
3183 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3184
3185         [JSC] Introduce op_get_by_id_direct
3186         https://bugs.webkit.org/show_bug.cgi?id=183970
3187
3188         Reviewed by Filip Pizlo.
3189
3190         This patch introduces the op_get_by_id_direct bytecode. This is super similar to op_get_by_id,
3191         but it just performs a [[GetOwnProperty]] operation instead of [[Get]]. We support this
3192         in all the tiers, so using this opcode does not lead to inefficiency.
3193
3194         The main purpose of op_get_by_id_direct is using it for private properties. We are using
3195         properties indexed with private symbols to implement ECMAScript internal fields. Before this
3196         patch, we just used get and put operations. However, that is not the correct semantics: accessing
3197         the internal fields should not traverse the prototype chain, as specified in the spec.
3198         We use op_get_by_id_direct to access properties which are used as internal fields, so that
3199         prototype chains are not traversed.
3200
3201         To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
3202         When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
3203         bytecode `op_get_by_id_direct, object, @name`.
3204
3205         * builtins/ArrayIteratorPrototype.js:
3206         (next):
3207         (globalPrivate.arrayIteratorValueNext):
3208         (globalPrivate.arrayIteratorKeyNext):
3209         (globalPrivate.arrayIteratorKeyValueNext):
3210         * builtins/AsyncFromSyncIteratorPrototype.js:
3211         * builtins/AsyncFunctionPrototype.js:
3212         (globalPrivate.asyncFunctionResume):
3213         * builtins/AsyncGeneratorPrototype.js:
3214         (globalPrivate.asyncGeneratorQueueIsEmpty):
3215         (globalPrivate.asyncGeneratorQueueEnqueue):
3216         (globalPrivate.asyncGeneratorQueueDequeue):
3217         (globalPrivate.asyncGeneratorDequeue):
3218         (globalPrivate.isExecutionState):
3219         (globalPrivate.isSuspendYieldState):
3220         (globalPrivate.asyncGeneratorReject):
3221         (globalPrivate.asyncGeneratorResolve):
3222         (globalPrivate.doAsyncGeneratorBodyCall):
3223         (globalPrivate.asyncGeneratorEnqueue):
3224         * builtins/GeneratorPrototype.js:
3225         (globalPrivate.generatorResume):
3226         (next):
3227         (return):
3228         (throw):
3229         * builtins/MapIteratorPrototype.js:
3230         (next):
3231         * builtins/PromiseOperations.js:
3232         (globalPrivate.isPromise):
3233         (globalPrivate.rejectPromise):
3234         (globalPrivate.fulfillPromise):
3235         * builtins/PromisePrototype.js:
3236         (then):
3237         * builtins/SetIteratorPrototype.js:
3238         (next):
3239         * builtins/StringIteratorPrototype.js:
3240         (next):
3241         * builtins/TypedArrayConstructor.js:
3242         (of):
3243         (from):
3244         * bytecode/BytecodeDumper.cpp:
3245         (JSC::BytecodeDumper<Block>::dumpBytecode):
3246         * bytecode/BytecodeIntrinsicRegistry.h:
3247         * bytecode/BytecodeList.json:
3248         * bytecode/BytecodeUseDef.h:
3249         (JSC::computeUsesForBytecodeOffset):
3250         (JSC::computeDefsForBytecodeOffset):
3251         * bytecode/CodeBlock.cpp:
3252         (JSC::CodeBlock::finishCreation):
3253         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3254         * bytecode/GetByIdStatus.cpp:
3255         (JSC::GetByIdStatus::computeFromLLInt):
3256         (JSC::GetByIdStatus::computeFor):
3257         * bytecode/StructureStubInfo.cpp:
3258         (JSC::StructureStubInfo::reset):
3259         * bytecode/StructureStubInfo.h:
3260         (JSC::appropriateOptimizingGetByIdFunction):
3261         (JSC::appropriateGenericGetByIdFunction):
3262         * bytecompiler/BytecodeGenerator.cpp:
3263         (JSC::BytecodeGenerator::emitDirectGetById):
3264         * bytecompiler/BytecodeGenerator.h:
3265         * bytecompiler/NodesCodegen.cpp:
3266         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
3267         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
3268         * dfg/DFGAbstractInterpreterInlines.h:
3269         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3270         * dfg/DFGByteCodeParser.cpp:
3271         (JSC::DFG::ByteCodeParser::handleGetById):
3272         (JSC::DFG::ByteCodeParser::parseBlock):
3273         * dfg/DFGCapabilities.cpp:
3274         (JSC::DFG::capabilityLevel):
3275         * dfg/DFGClobberize.h:
3276         (JSC::DFG::clobberize):
3277         * dfg/DFGConstantFoldingPhase.cpp:
3278         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3279         * dfg/DFGDoesGC.cpp:
3280         (JSC::DFG::doesGC):
3281         * dfg/DFGFixupPhase.cpp:
3282         (JSC::DFG::FixupPhase::fixupNode):
3283         * dfg/DFGNode.h:
3284         (JSC::DFG::Node::convertToGetByOffset):
3285         (JSC::DFG::Node::convertToMultiGetByOffset):
3286         (JSC::DFG::Node::hasIdentifier):
3287         (JSC::DFG::Node::hasHeapPrediction):
3288         * dfg/DFGNodeType.h:
3289         * dfg/DFGOperations.cpp:
3290         * dfg/DFGOperations.h:
3291         * dfg/DFGPredictionPropagationPhase.cpp:
3292         * dfg/DFGSafeToExecute.h:
3293         (JSC::DFG::safeToExecute):
3294         * dfg/DFGSpeculativeJIT.cpp:
3295         (JSC::DFG::SpeculativeJIT::compileGetById):
3296         (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
3297         (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
3298         * dfg/DFGSpeculativeJIT.h:
3299         * dfg/DFGSpeculativeJIT32_64.cpp:
3300         (JSC::DFG::SpeculativeJIT::cachedGetById):
3301         (JSC::DFG::SpeculativeJIT::compile):
3302         * dfg/DFGSpeculativeJIT64.cpp:
3303         (JSC::DFG::SpeculativeJIT::cachedGetById):
3304         (JSC::DFG::SpeculativeJIT::compile):
3305         * ftl/FTLCapabilities.cpp:
3306         (JSC::FTL::canCompile):
3307         * ftl/FTLLowerDFGToB3.cpp:
3308         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3309         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
3310         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
3311         (JSC::FTL::DFG::LowerDFGToB3::getById):
3312         * jit/JIT.cpp:
3313         (JSC::JIT::privateCompileMainPass):
3314         (JSC::JIT::privateCompileSlowCases):
3315         * jit/JIT.h:
3316         * jit/JITOperations.cpp:
3317         * jit/JITOperations.h:
3318         * jit/JITPropertyAccess.cpp:
3319         (JSC::JIT::emit_op_get_by_id_direct):
3320         (JSC::JIT::emitSlow_op_get_by_id_direct):
3321         * jit/JITPropertyAccess32_64.cpp:
3322         (JSC::JIT::emit_op_get_by_id_direct):
3323         (JSC::JIT::emitSlow_op_get_by_id_direct):
3324         * jit/Repatch.cpp:
3325         (JSC::appropriateOptimizingGetByIdFunction):
3326         (JSC::appropriateGetByIdFunction):
3327         (JSC::tryCacheGetByID):
3328         (JSC::repatchGetByID):
3329         (JSC::appropriateGenericGetByIdFunction): Deleted.
3330         * jit/Repatch.h:
3331         * llint/LLIntSlowPaths.cpp:
3332         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3333         * llint/LLIntSlowPaths.h:
3334         * llint/LowLevelInterpreter32_64.asm:
3335         * llint/LowLevelInterpreter64.asm:
3336         * runtime/JSCJSValue.h:
3337         * runtime/JSCJSValueInlines.h:
3338         (JSC::JSValue::getOwnPropertySlot const):
3339         * runtime/JSObject.h:
3340         * runtime/JSObjectInlines.h:
3341         (JSC::JSObject::getOwnPropertySlotInline):
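
The own-property semantics that the two Yusuke Suzuki entries above (op_get_by_id_direct and @putByIdDirectPrivate) give to internal-field access can be modelled in plain JavaScript. What follows is an added example, not WebKit code: ordinary symbols stand in for JSC's private symbols, getByIdDirect and putByIdDirect (names chosen here) model [[GetOwnProperty]] and a direct own-property define, and the promise-shaped objects are constructed for the demonstration. It shows the two hazards the entries describe: a [[Get]]-based "is this one of ours" check accepts an object that merely inherits from a real instance, and an ordinary [[Put]] consults the prototype chain while a direct put does not.

```javascript
// Added example (not WebKit code). Symbols stand in for JSC private symbols:
// engine-internal code names them, user code cannot, but inheritance still
// exposes them through [[Get]]. Both names are assumptions for this demo.
const kPromiseState = Symbol('PromiseState');
const kPromiseResult = Symbol('PromiseResult');

// Own-property-only read, the shape of op_get_by_id_direct / @getByIdDirectPrivate:
// [[GetOwnProperty]] on the receiver itself, no prototype walk.
function getByIdDirect(obj, key) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  if (desc === undefined) return undefined;
  return 'value' in desc ? desc.value : (desc.get ? desc.get.call(obj) : undefined);
}

// Own-property-only write, the shape of @putByIdDirectPrivate: defines an own
// data property and never consults the prototype chain.
function putByIdDirect(obj, key, value) {
  Object.defineProperty(obj, key, { value, writable: true, configurable: true, enumerable: false });
}

// A builtin's "is this receiver really one of ours?" check, in both forms.
function isPromiseViaGet(obj) {    // pre-patch shape: [[Get]] walks the chain
  return obj !== null && typeof obj === 'object' && obj[kPromiseState] !== undefined;
}
function isPromiseViaDirect(obj) { // post-patch shape: own property only
  return obj !== null && typeof obj === 'object' && getByIdDirect(obj, kPromiseState) !== undefined;
}

// Build a "promise" the way a builtin initializer would, then derive from it.
function makeDemo() {
  const real = {};
  putByIdDirect(real, kPromiseState, 'pending');
  putByIdDirect(real, kPromiseResult, undefined);
  const derived = Object.create(real); // inherits the fields but is not a promise
  return { real, derived };
}

function demoGet() {
  const { real, derived } = makeDemo();
  return {
    realViaGet: isPromiseViaGet(real),             // true
    derivedViaGet: isPromiseViaGet(derived),       // true: [[Get]] found the inherited field
    realViaDirect: isPromiseViaDirect(real),       // true
    derivedViaDirect: isPromiseViaDirect(derived), // false: no own field
  };
}

// [[Put]] also consults the chain: with a non-writable inherited field an
// ordinary assignment throws in strict code, while a direct put still
// defines the receiver's own field and leaves the parent untouched.
function demoPut() {
  'use strict';
  const { real, derived } = makeDemo();
  Object.defineProperty(real, kPromiseState, { writable: false });
  let putThrew = false;
  try {
    derived[kPromiseState] = 'fulfilled';
  } catch (e) {
    putThrew = e instanceof TypeError;
  }
  putByIdDirect(derived, kPromiseState, 'fulfilled');
  return {
    putThrew,                                                 // true
    ownAfterDirect: getByIdDirect(derived, kPromiseState),    // 'fulfilled'
    parentUntouched: getByIdDirect(real, kPromiseState),      // 'pending'
  };
}
```

The point for anyone auditing builtins written in JavaScript: any check or store on an internal field that goes through ordinary property access is exposed to whatever the receiver's prototype chain contains, so a type check can pass for an object that was never initialized by the constructor. Direct own-property access closes that gap regardless of what the chain looks like.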
3342
3343 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3344
3345         [JSC] Remove several asXXX functions
3346         https://bugs.webkit.org/show_bug.cgi?id=184355
3347
3348         Reviewed by JF Bastien.
3349
3350         Remove asActivation, asInternalFunction, and asGetterSetter.
3351         Use jsCast<> / jsDynamicCast<> consistently.
3352
3353         * runtime/ArrayConstructor.cpp:
3354         (JSC::constructArrayWithSizeQuirk):
3355         * runtime/AsyncFunctionConstructor.cpp:
3356         (JSC::callAsyncFunctionConstructor):
3357         (JSC::constructAsyncFunctionConstructor):
3358         * runtime/AsyncGeneratorFunctionConstructor.cpp:
3359         (JSC::callAsyncGeneratorFunctionConstructor):
3360         (JSC::constructAsyncGeneratorFunctionConstructor):
3361         * runtime/BooleanConstructor.cpp:
3362         (JSC::constructWithBooleanConstructor):
3363         * runtime/DateConstructor.cpp:
3364         (JSC::constructWithDateConstructor):
3365         * runtime/ErrorConstructor.cpp:
3366         (JSC::Interpreter::constructWithErrorConstructor):
3367         (JSC::Interpreter::callErrorConstructor):
3368         * runtime/FunctionConstructor.cpp:
3369         (JSC::constructWithFunctionConstructor):
3370         (JSC::callFunctionConstructor):
3371         * runtime/FunctionPrototype.cpp:
3372         (JSC::functionProtoFuncToString):
3373         * runtime/GeneratorFunctionConstructor.cpp:
3374         (JSC::callGeneratorFunctionConstructor):
3375         (JSC::constructGeneratorFunctionConstructor):
3376         * runtime/GetterSetter.h:
3377         (JSC::asGetterSetter): Deleted.
3378         * runtime/InternalFunction.h:
3379         (JSC::asInternalFunction): Deleted.
3380         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3381         (JSC::constructGenericTypedArrayView):
3382         * runtime/JSLexicalEnvironment.h:
3383         (JSC::asActivation): Deleted.
3384         * runtime/JSObject.cpp:
3385         (JSC::validateAndApplyPropertyDescriptor):
3386         * runtime/MapConstructor.cpp:
3387         (JSC::constructMap):
3388         * runtime/PropertyDescriptor.cpp:
3389         (JSC::PropertyDescriptor::setDescriptor):
3390         * runtime/RegExpConstructor.cpp:
3391         (JSC::constructWithRegExpConstructor):
3392         (JSC::callRegExpConstructor):
3393         * runtime/SetConstructor.cpp:
3394         (JSC::constructSet):
3395         * runtime/StringConstructor.cpp:
3396         (JSC::constructWithStringConstructor):
3397         * runtime/WeakMapConstructor.cpp:
3398         (JSC::constructWeakMap):
3399         * runtime/WeakSetConstructor.cpp:
3400         (JSC::constructWeakSet):
3401         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3402         (JSC::constructJSWebAssemblyCompileError):
3403         (JSC::callJSWebAssemblyCompileError):
3404         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3405         (JSC::constructJSWebAssemblyLinkError):
3406         (JSC::callJSWebAssemblyLinkError):
3407         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3408         (JSC::constructJSWebAssemblyRuntimeError):
3409         (JSC::callJSWebAssemblyRuntimeError):
3410
3411 2018-04-05  Mark Lam  <mark.lam@apple.com>
3412
3413         MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
3414         https://bugs.webkit.org/show_bug.cgi?id=184347
3415         <rdar://problem/39183165>
3416
3417         Reviewed by Michael Saboff.
3418
3419         * assembler/MacroAssemblerCodeRef.h:
3420         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3421         (JSC::MacroAssemblerCodePtr::retagged const):
3422
3423 2018-04-05  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3424
3425         [MIPS] Optimize generated JIT code for branches
3426         https://bugs.webkit.org/show_bug.cgi?id=183130
3427
3428         Reviewed by Yusuke Suzuki.
3429
3430         The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
3431         branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
3432         to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
3433         However, this adds a significant overhead for all other types of branches. Since these nops
3434         protect the code that is generated by branchPtrWithPatch, this function seems like a better
3435         place to add them.
3436
3437         * assembler/MIPSAssembler.h:
3438         (JSC::MIPSAssembler::repatchInt32):
3439         (JSC::MIPSAssembler::revertJumpToMove):
3440         * assembler/MacroAssemblerMIPS.h:
3441         (JSC::MacroAssemblerMIPS::branchAdd32):
3442         (JSC::MacroAssemblerMIPS::branchMul32):
3443         (JSC::MacroAssemblerMIPS::branchSub32):
3444         (JSC::MacroAssemblerMIPS::branchNeg32):
3445         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
3446         (JSC::MacroAssemblerMIPS::branchEqual):
3447         (JSC::MacroAssemblerMIPS::branchNotEqual):
3448
3449 2018-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3450
3451         [WTF] Remove StaticLock
3452         https://bugs.webkit.org/show_bug.cgi?id=184332
3453
3454         Reviewed by Mark Lam.
3455
3456         * API/JSValue.mm:
3457         (handerForStructTag):
3458         * API/JSVirtualMachine.mm:
3459         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
3460         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
3461         * API/glib/JSCVirtualMachine.cpp:
3462         (addWrapper):
3463         (removeWrapper):
3464         * assembler/testmasm.cpp:
3465         * b3/air/testair.cpp:
3466         * b3/testb3.cpp:
3467         * bytecode/SuperSampler.cpp:
3468         * dfg/DFGCommon.cpp:
3469         * dfg/DFGCommonData.cpp:
3470         * dynbench.cpp:
3471         * heap/MachineStackMarker.cpp:
3472         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3473         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
3474         (Inspector::RemoteTargetHandleRunSourceGlobal):
3475         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
3476         * interpreter/CLoopStack.cpp:
3477         * parser/SourceProvider.cpp:
3478         * profiler/ProfilerDatabase.cpp:
3479         * profiler/ProfilerUID.cpp:
3480         (JSC::Profiler::UID::create):
3481         * runtime/IntlObject.cpp:
3482         (JSC::numberingSystemsForLocale):
3483         * runtime/JSLock.cpp:
3484         * runtime/JSLock.h:
3485         * runtime/SamplingProfiler.cpp:
3486         (JSC::SamplingProfiler::registerForReportAtExit):
3487         * runtime/VM.cpp:
3488         * wasm/WasmFaultSignalHandler.cpp:
3489
3490 2018-04-04  Mark Lam  <mark.lam@apple.com>
3491
3492         Add pointer profiling support to the DFG and supporting files.
3493         https://bugs.webkit.org/show_bug.cgi?id=184316
3494         <rdar://problem/39188524>
3495
3496         Reviewed by Filip Pizlo.
3497
3498         1. Profile lots of pointers with PtrTags.
3499
3500         2. Remove PtrTag.cpp and make ptrTagName() into an inline function.  It's only
3501            used for debugging anyway, and not normally called in the code.  Making it
3502            an inline function prevents it from taking up code space in builds when not in
3503            use.
3504
3505         3. Change the call to the arityFixupThunk in DFG code to be a near call.
3506            It doesn't need to be a far call.
3507
3508         * CMakeLists.txt:
3509         * JavaScriptCore.xcodeproj/project.pbxproj:
3510         * Sources.txt:
3511         * assembler/testmasm.cpp:
3512         (JSC::testProbeModifiesProgramCounter):
3513         * b3/B3LowerMacros.cpp:
3514         * b3/air/AirCCallSpecial.cpp:
3515         (JSC::B3::Air::CCallSpecial::generate):
3516         * b3/air/AirCCallSpecial.h:
3517         * b3/testb3.cpp:
3518         (JSC::B3::testInterpreter):
3519         * bytecode/AccessCase.cpp:
3520         (JSC::AccessCase::generateImpl):
3521         * bytecode/HandlerInfo.h:
3522         (JSC::HandlerInfo::initialize):
3523         * bytecode/PolymorphicAccess.cpp:
3524         (JSC::PolymorphicAccess::regenerate):
3525         * dfg/DFGJITCompiler.cpp:
3526         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3527         (JSC::DFG::JITCompiler::link):
3528         (JSC::DFG::JITCompiler::compileFunction):
3529         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3530         * dfg/DFGJITCompiler.h:
3531         (JSC::DFG::JITCompiler::appendCall):
3532         * dfg/DFGOSREntry.cpp:
3533         (JSC::DFG::prepareOSREntry):
3534         * dfg/DFGOSRExit.cpp:
3535         (JSC::DFG::reifyInlinedCallFrames):
3536         (JSC::DFG::adjustAndJumpToTarget):
3537         (JSC::DFG::OSRExit::emitRestoreArguments):
3538         (JSC::DFG::OSRExit::compileOSRExit):
3539         * dfg/DFGOSRExitCompilerCommon.cpp:
3540         (JSC::DFG::handleExitCounts):
3541         (JSC::DFG::reifyInlinedCallFrames):
3542         (JSC::DFG::osrWriteBarrier):
3543         (JSC::DFG::adjustAndJumpToTarget):
3544         * dfg/DFGOperations.cpp:
3545         * dfg/DFGSlowPathGenerator.h:
3546         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
3547         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
3548         (JSC::DFG::slowPathCall):
3549         * dfg/DFGSpeculativeJIT.cpp:
3550         (JSC::DFG::SpeculativeJIT::compileMathIC):
3551         * dfg/DFGSpeculativeJIT.h:
3552         (JSC::DFG::SpeculativeJIT::callOperation):
3553         (JSC::DFG::SpeculativeJIT::appendCall):
3554         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3555         * dfg/DFGSpeculativeJIT64.cpp:
3556         (JSC::DFG::SpeculativeJIT::cachedGetById):
3557         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3558         (JSC::DFG::SpeculativeJIT::cachedPutById):
3559         (JSC::DFG::SpeculativeJIT::compile):
3560         * dfg/DFGThunks.cpp:
3561         (JSC::DFG::osrExitThunkGenerator):
3562         (JSC::DFG::osrExitGenerationThunkGenerator):
3563         (JSC::DFG::osrEntryThunkGenerator):
3564         * jit/AssemblyHelpers.cpp:
3565         (JSC::AssemblyHelpers::emitDumbVirtualCall):
3566         * jit/JIT.cpp:
3567         (JSC::JIT::emitEnterOptimizationCheck):
3568         (JSC::JIT::compileWithoutLinking):
3569         * jit/JITCall.cpp:
3570         (JSC::JIT::compileOpCallSlowCase):
3571         * jit/JITMathIC.h:
3572         (JSC::isProfileEmpty):
3573         * jit/JITOpcodes.cpp:
3574         (JSC::JIT::emit_op_catch):
3575         (JSC::JIT::emitSlow_op_loop_hint):
3576         * jit/JITOperations.cpp:
3577         * jit/Repatch.cpp:
3578         (JSC::linkSlowFor):
3579         (JSC::linkFor):
3580         (JSC::revertCall):
3581         (JSC::unlinkFor):
3582         (JSC::linkVirtualFor):
3583         (JSC::linkPolymorphicCall):
3584         * jit/ThunkGenerators.cpp:
3585         (JSC::throwExceptionFromCallSlowPathGenerator):
3586         (JSC::linkCallThunkGenerator):
3587         (JSC::linkPolymorphicCallThunkGenerator):
3588         (JSC::virtualThunkFor):
3589         (JSC::arityFixupGenerator):
3590         (JSC::unreachableGenerator):
3591         * runtime/PtrTag.cpp: Removed.
3592         * runtime/PtrTag.h:
3593         (JSC::ptrTagName):
3594         * runtime/VMEntryScope.cpp:
3595         * wasm/js/WasmToJS.cpp:
3596         (JSC::Wasm::wasmToJS):
3597
3598 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
3599
3600         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
3601         https://bugs.webkit.org/show_bug.cgi?id=184319
3602
3603         Reviewed by Saam Barati.
3604
3605         In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
3606         assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
3607         the ArrayPush.
3608
3609         But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
3610         GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
3611         eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
3612         with a GetByVal(SaneChain), then we will hit the assertion.
3613
3614         This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
3615         tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
3616         than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
3617
3618         * dfg/DFGCSEPhase.cpp:
3619         * dfg/DFGClobberize.h:
3620         (JSC::DFG::clobberize):
3621         * dfg/DFGHeapLocation.cpp:
3622         (WTF::printInternal):
3623         * dfg/DFGHeapLocation.h:
3624         * dfg/DFGSpeculativeJIT.cpp:
3625         (JSC::DFG::SpeculativeJIT::compileArrayPush):
3626
3627 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
3628
3629         Remove poisoning of typed array vector
3630         https://bugs.webkit.org/show_bug.cgi?id=184313
3631
3632         Reviewed by Saam Barati.
3633
3634         * dfg/DFGFixupPhase.cpp:
3635         (JSC::DFG::FixupPhase::checkArray):
3636         * dfg/DFGSpeculativeJIT.cpp:
3637         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
3638         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3639         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3640         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
3641         * ftl/FTLAbstractHeapRepository.h:
3642         * ftl/FTLLowerDFGToB3.cpp:
3643         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3644         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
3645         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3646         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
3647         * jit/IntrinsicEmitter.cpp:
3648         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
3649         * jit/JITPropertyAccess.cpp:
3650         (JSC::JIT::emitIntTypedArrayGetByVal):
3651         (JSC::JIT::emitFloatTypedArrayGetByVal):
3652         (JSC::JIT::emitIntTypedArrayPutByVal):
3653         (JSC::JIT::emitFloatTypedArrayPutByVal):
3654         * llint/LowLevelInterpreter.asm:
3655         * llint/LowLevelInterpreter64.asm:
3656         * offlineasm/arm64.rb:
3657         * offlineasm/x86.rb:
3658         * runtime/CagedBarrierPtr.h:
3659         * runtime/JSArrayBufferView.cpp:
3660         (JSC::JSArrayBufferView::JSArrayBufferView):
3661         (JSC::JSArrayBufferView::finalize):
3662         (JSC::JSArrayBufferView::neuter):
3663         * runtime/JSArrayBufferView.h:
3664         (JSC::JSArrayBufferView::vector const):
3665         (JSC::JSArrayBufferView::offsetOfVector):
3666         (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
3667         (JSC::JSArrayBufferView::poisonFor): Deleted.
3668         (JSC::JSArrayBufferView::Poison::key): Deleted.
3669         * runtime/JSCPoison.cpp:
3670         (JSC::initializePoison):
3671         * runtime/JSCPoison.h:
3672         * runtime/JSGenericTypedArrayViewInlines.h:
3673         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
3674         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
3675         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3676         * runtime/JSObject.h:
3677
3678 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3679
3680         Don't do index masking or poisoning for DirectArguments
3681         https://bugs.webkit.org/show_bug.cgi?id=184280
3682
3683         Reviewed by Saam Barati.
3684
3685         * JavaScriptCore.xcodeproj/project.pbxproj:
3686         * bytecode/AccessCase.cpp:
3687         (JSC::AccessCase::generateWithGuard):
3688         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3689         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
3690         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
3691         * dfg/DFGSpeculativeJIT.cpp:
3692         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3693         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3694         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3695         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
3696         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
3697         * ftl/FTLAbstractHeapRepository.h:
3698         * ftl/FTLLowerDFGToB3.cpp:
3699         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
3700         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3701         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3702         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
3703         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
3704         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3705         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
3706         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
3707         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
3708         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
3709         * heap/SecurityKind.h:
3710         * jit/JITPropertyAccess.cpp:
3711         (JSC::JIT::emit_op_get_from_arguments):
3712         (JSC::JIT::emit_op_put_to_arguments):
3713         (JSC::JIT::emitDirectArgumentsGetByVal):
3714         * jit/JITPropertyAccess32_64.cpp:
3715         (JSC::JIT::emit_op_get_from_arguments):
3716         (JSC::JIT::emit_op_put_to_arguments):
3717         * llint/LowLevelInterpreter.asm:
3718         * llint/LowLevelInterpreter32_64.asm:
3719         * llint/LowLevelInterpreter64.asm:
3720         * runtime/DirectArguments.cpp:
3721         (JSC::DirectArguments::DirectArguments):
3722         (JSC::DirectArguments::createUninitialized):
3723         (JSC::DirectArguments::create):
3724         (JSC::DirectArguments::createByCopying):
3725         (JSC::DirectArguments::estimatedSize):
3726         (JSC::DirectArguments::visitChildren):
3727         (JSC::DirectArguments::overrideThings):
3728         (JSC::DirectArguments::copyToArguments):
3729         (JSC::DirectArguments::mappedArgumentsSize):
3730         * runtime/DirectArguments.h:
3731         * runtime/JSCPoison.h:
3732         * runtime/JSLexicalEnvironment.h:
3733         * runtime/JSSymbolTableObject.h:
3734
3735 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3736
3737         JSArray::appendMemcpy seems to be missing a barrier
3738         https://bugs.webkit.org/show_bug.cgi?id=184290
3739
3740         Reviewed by Mark Lam.
3741         
3742         If you write to an array that may contain pointers and you didn't just allocate it, then you need to
3743         barrier right after.
3744         
3745         I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
3746         obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
3747
3748         * runtime/JSArray.cpp:
3749         (JSC::JSArray::appendMemcpy):
3750
3751 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3752
3753         GC shouldn't do object distancing
3754         https://bugs.webkit.org/show_bug.cgi?id=184195
3755
3756         Reviewed by Saam Barati.
3757         
3758         This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
3759         to be a small speed-up.
3760
3761         * CMakeLists.txt:
3762         * JavaScriptCore.xcodeproj/project.pbxproj:
3763         * Sources.txt:
3764         * heap/BlockDirectory.cpp:
3765         (JSC::BlockDirectory::findBlockForAllocation):
3766         (JSC::BlockDirectory::addBlock):
3767         * heap/BlockDirectory.h:
3768         * heap/CellAttributes.cpp:
3769         (JSC::CellAttributes::dump const):
3770         * heap/CellAttributes.h:
3771         (JSC::CellAttributes::CellAttributes):
3772         * heap/LocalAllocator.cpp:
3773         (JSC::LocalAllocator::allocateSlowCase):
3774         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
3775         * heap/MarkedBlock.cpp:
3776         (JSC::MarkedBlock::Handle::didAddToDirectory):
3777         * heap/MarkedBlock.h:
3778         (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
3779         * heap/SecurityKind.cpp: Removed.
3780         * heap/SecurityKind.h: Removed.
3781         * heap/SecurityOriginToken.cpp: Removed.
3782         * heap/SecurityOriginToken.h: Removed.
3783         * heap/ThreadLocalCache.cpp:
3784         (JSC::ThreadLocalCache::create):
3785         (JSC::ThreadLocalCache::ThreadLocalCache):
3786         * heap/ThreadLocalCache.h:
3787         (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
3788         * runtime/JSDestructibleObjectHeapCellType.cpp:
3789         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3790         * runtime/JSGlobalObject.cpp:
3791         (JSC::JSGlobalObject::JSGlobalObject):
3792         * runtime/JSGlobalObject.h:
3793         (JSC::JSGlobalObject::threadLocalCache const): Deleted.
3794         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
3795         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3796         * runtime/JSStringHeapCellType.cpp:
3797         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3798         * runtime/VM.cpp:
3799         (JSC::VM::VM):
3800         * runtime/VM.h:
3801         * runtime/VMEntryScope.cpp:
3802         (JSC::VMEntryScope::VMEntryScope):
3803         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
3804         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3805
3806 2018-04-02  Saam Barati  <sbarati@apple.com>
3807
3808         bmalloc should compute its own estimate of its footprint
3809         https://bugs.webkit.org/show_bug.cgi?id=184121
3810
3811         Reviewed by Filip Pizlo.
3812
3813         * heap/IsoAlignedMemoryAllocator.cpp:
3814         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3815         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3816         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3817
3818 2018-04-02  Mark Lam  <mark.lam@apple.com>
3819
3820         We should not trash the stack pointer on OSR entry.
3821         https://bugs.webkit.org/show_bug.cgi?id=184243
3822         <rdar://problem/39114319>
3823
3824         Reviewed by Filip Pizlo.
3825
3826         In the DFG OSR entry path, we momentarily overwrite the stack pointer with
3827         returnValueGPR2.  returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
3828         Hence, this assignment is wrong, and it turns out to be unnecessary as well.
3829         The stack pointer does get corrected later in the thunk (generated by
3830         osrEntryThunkGenerator()) that we jump to.  This is why we don't see ill effects
3831         so far.
3832
3833         This bug only poses an issue if interrupts use the user stack for their stack
3834         frame (e.g. Linux), and when we do stack alignment tests during debugging.
3835
3836         The fix is simply to remove the assignment.
3837
3838         * dfg/DFGThunks.cpp:
3839         (JSC::DFG::osrEntryThunkGenerator):
3840         * jit/JIT.cpp:
3841         (JSC::JIT::emitEnterOptimizationCheck):
3842
3843 2018-04-02  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3844
3845         [MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
3846         https://bugs.webkit.org/show_bug.cgi?id=183740
3847
3848         Reviewed by Yusuke Suzuki.
3849
3850         In many macro assembler methods with a TrustedImm32 operand, a move imm, immTemp (pseudo)instruction is
3851         first generated, and a register operand variant of the same method is called to generate the rest
3852         of the code. If the immediate value can fit in 16 bits then we can skip the move instruction and
3853         generate more efficient code using MIPS instructions with immediate operand.
3854
3855         * assembler/MIPSAssembler.h:
3856         (JSC::MIPSAssembler::slti):
3857         * assembler/MacroAssemblerMIPS.h:
3858         (JSC::MacroAssemblerMIPS::lshift32):
3859         (JSC::MacroAssemblerMIPS::xor32):
3860         (JSC::MacroAssemblerMIPS::branch8):
3861         (JSC::MacroAssemblerMIPS::compare8):
3862         (JSC::MacroAssemblerMIPS::branch32):
3863         (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
3864         (JSC::MacroAssemblerMIPS::branchTest32):
3865         (JSC::MacroAssemblerMIPS::mask8OnTest):
3866         (JSC::MacroAssemblerMIPS::branchTest8):
3867         (JSC::MacroAssemblerMIPS::branchAdd32):
3868         (JSC::MacroAssemblerMIPS::branchNeg32):
3869         (JSC::MacroAssemblerMIPS::compare32):
3870         (JSC::MacroAssemblerMIPS::test8):
3871
3872 2018-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3873
3874         [DFG] More aggressive removal of duplicate 32bit DFG code
3875         https://bugs.webkit.org/show_bug.cgi?id=184089
3876
3877         Reviewed by Saam Barati.
3878
3879         This patch more aggressively removes duplicate 32bit DFG code
3880         by leveraging JSValueRegs and meta-programmed callOperation.
3881
3882         * dfg/DFGSpeculativeJIT.cpp:
3883         (JSC::DFG::SpeculativeJIT::compileGetByValWithThis):
3884         (JSC::DFG::SpeculativeJIT::compileArithMinMax):
3885         (JSC::DFG::SpeculativeJIT::compileNewArray):
3886         (JSC::DFG::SpeculativeJIT::compileCheckCell):
3887         (JSC::DFG::SpeculativeJIT::compileGetGlobalVariable):
3888         (JSC::DFG::SpeculativeJIT::compilePutGlobalVariable):
3889         (JSC::DFG::SpeculativeJIT::compileGetClosureVar):
3890         (JSC::DFG::SpeculativeJIT::compilePutClosureVar):
3891         (JSC::DFG::SpeculativeJIT::compileGetByOffset):
3892         (JSC::DFG::SpeculativeJIT::compilePutByOffset):
3893         (JSC::DFG::SpeculativeJIT::compileGetExecutable):
3894         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
3895         (JSC::DFG::SpeculativeJIT::compileToThis):
3896         (JSC::DFG::SpeculativeJIT::compileIdentity):
3897         * dfg/DFGSpeculativeJIT.h:
3898         * dfg/DFGSpeculativeJIT32_64.cpp:
3899         (JSC::DFG::SpeculativeJIT::compile):
3900         * dfg/DFGSpeculativeJIT64.cpp:
3901         (JSC::DFG::SpeculativeJIT::compile):
3902
3903 2018-04-01  Filip Pizlo  <fpizlo@apple.com>
3904
3905         Raise the for-call inlining threshold to 190 to fix JetStream/richards regression
3906         https://bugs.webkit.org/show_bug.cgi?id=184228
3907
3908         Reviewed by Yusuke Suzuki.
3909
3910         * runtime/Options.h:
3911
3912 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
3913
3914         JSObject shouldn't do index masking
3915         https://bugs.webkit.org/show_bug.cgi?id=184194
3916
3917         Reviewed by Yusuke Suzuki.
3918         
3919         Remove index masking, because it's not the way we'll mitigate Spectre.
3920
3921         * API/tests/JSObjectGetProxyTargetTest.cpp:
3922         (testJSObjectGetProxyTarget):
3923         * b3/B3LowerToAir.cpp:
3924         * b3/B3Validate.cpp:
3925         * b3/B3WasmBoundsCheckValue.cpp:
3926         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
3927         (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
3928         * b3/B3WasmBoundsCheckValue.h:
3929         (JSC::B3::WasmBoundsCheckValue::bounds const):
3930         (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): Deleted.
3931         * b3/testb3.cpp:
3932         (JSC::B3::testWasmBoundsCheck):
3933         (JSC::B3::run):
3934         * dfg/DFGAbstractInterpreterInlines.h:
3935         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3936         * dfg/DFGArgumentsEliminationPhase.cpp:
3937         * dfg/DFGByteCodeParser.cpp:
3938         (JSC::DFG::ByteCodeParser::parseBlock):
3939         * dfg/DFGClobberize.h:
3940         (JSC::DFG::clobberize):
3941         * dfg/DFGDoesGC.cpp:
3942         (JSC::DFG::doesGC):
3943         * dfg/DFGFixupPhase.cpp:
3944         (JSC::DFG::FixupPhase::fixupNode):
3945         * dfg/DFGNodeType.h:
3946         * dfg/DFGPredictionPropagationPhase.cpp:
3947         * dfg/DFGSSALoweringPhase.cpp:
3948         (JSC::DFG::SSALoweringPhase::handleNode):
3949         * dfg/DFGSafeToExecute.h:
3950         (JSC::DFG::safeToExecute):
3951         * dfg/DFGSpeculativeJIT.cpp:
3952         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3953         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3954         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
3955         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3956         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3957         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3958         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
3959         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3960         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3961         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3962         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
3963         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
3964         (JSC::DFG::SpeculativeJIT::compileCreateThis):
3965         (JSC::DFG::SpeculativeJIT::compileNewObject):
3966         * dfg/DFGSpeculativeJIT.h: