Unreviewed, build fix for 32bit
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for 32bit
        https://bugs.webkit.org/show_bug.cgi?id=184236

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):

2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove duplicate 32bit code more
        https://bugs.webkit.org/show_bug.cgi?id=184236

        Reviewed by Mark Lam.

        Remove duplicate 32bit code more aggressively, part 2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCompareSlowPathGenerator.h: Added.
        (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
        Drop the boxing part. Use unblessedBooleanResult on the DFGSpeculativeJIT side instead.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
        (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
        (JSC::DFG::SpeculativeJIT::compileIsObject):
        (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
        (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
        (JSC::DFG::SpeculativeJIT::compilePutById):
        (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
        (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
        (): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        operationHasIndexedPropertyByInt starts returning an unblessed boolean as a size_t.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::loadValue):
        (JSC::AssemblyHelpers::selectScratchGPR):
        (JSC::AssemblyHelpers::constructRegisterSet):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::setAny):
        Clean up the selectScratchGPR code to pass JSValueRegs.

2018-04-10  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Add support for BigInt in SpeculatedType
        https://bugs.webkit.org/show_bug.cgi?id=182470

        Reviewed by Saam Barati.

        This patch introduces the SpecBigInt type to DFG to enable BigInt
        speculation in DFG and FTL.

        With the SpecBigInt introduction, we can then specialize "===" operations
        for BigInts. As we do for some cells, we first check if the operands
        point to the same JSCell, and if that is false, we
        fall back to "operationCompareStrictEqCell". The idea in further
        patches is to implement the BigInt equality check directly in
        assembly.

        We are also adding support for BigInt constant folding in the
        TypeOf operation.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromStructure):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        (JSC::isBigIntSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToThis):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        * dfg/DFGInferredTypeCheck.cpp:
        (JSC::DFG::insertInferredTypeCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBigInt):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateBigInt):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
        (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::branchIfNotType):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfBigInt):
        (JSC::AssemblyHelpers::branchIfNotBigInt):
        * runtime/InferredType.cpp:
        (JSC::InferredType::Descriptor::forValue):
        (JSC::InferredType::Descriptor::putByIdFlags const):
        (JSC::InferredType::Descriptor::merge):
        (WTF::printInternal):
        * runtime/InferredType.h:
        * runtime/JSBigInt.h:

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop build.

        * dfg/DFGAbstractInterpreterClobberState.cpp:

2018-04-10  Mark Lam  <mark.lam@apple.com>

        Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
        https://bugs.webkit.org/show_bug.cgi?id=184464
        <rdar://problem/39323947>

        Reviewed by Saam Barati.

        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassToIndex):

2018-04-09  Filip Pizlo  <fpizlo@apple.com>

        DFG AI and clobberize should agree with each other
        https://bugs.webkit.org/show_bug.cgi?id=184440

        Reviewed by Saam Barati.

        One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
        agree with each other. That's what this patch does: it adds an assertion that AI's structure
        state tracking must be equivalent to JSCell_structureID being clobbered.

        One subtlety is that AI sometimes folds away structure clobbering using information that
        clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
        ObservedTransitions).

        This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
        clobberize missing a write(Heap).

        This also makes some cases more precise in order to appease the assertion. Making things more
        precise might make things faster, but I didn't measure it because that wasn't the goal.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGAbstractInterpreterClobberState.h: Added.
        (JSC::DFG::mergeClobberStates):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::setClobberState):
        (JSC::DFG::AtTailAbstractState::mergeClobberState):
        (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGClobberSet.cpp:
        (JSC::DFG::writeSet):
        * dfg/DFGClobberSet.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::clobberState const):
        (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
        (JSC::DFG::InPlaceAbstractState::didClobber const):
        (JSC::DFG::InPlaceAbstractState::setClobberState):
        (JSC::DFG::InPlaceAbstractState::mergeClobberState):
        (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
        https://bugs.webkit.org/show_bug.cgi?id=184460
        <rdar://problem/37610966>

        Reviewed by Mark Lam.

        * bytecode/ExecutableToCodeBlockEdge.cpp:
        (JSC::ExecutableToCodeBlockEdge::visitChildren):

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
        https://bugs.webkit.org/show_bug.cgi?id=184455

        Reviewed by Michael Saboff.

        LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
        says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
        (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
        the thing being hoisted does have effects, then we get a crash.

        In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
        CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
        would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
        effectful.

        Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
        clobberize to also think that CompareEq(Untyped:, _) is effectful.

        This fixes the whole situation by teaching both clobberize and AI that the only effectful form
        of CompareEq is CompareEq(Untyped:, Untyped:).

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-04-09  Filip Pizlo  <fpizlo@apple.com>

        Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
        https://bugs.webkit.org/show_bug.cgi?id=184372

        Reviewed by Saam Barati.

        We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
        have already proved, using techniques that are more precise than AI, that the edge has type
        Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
        because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
        other than a check - so we think we can call those just because we should have already
        bailed. It's better to think of them as the result of folding a check. Therefore, we should
        only do it if there had been a check to begin with.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce @putByIdDirectPrivate
        https://bugs.webkit.org/show_bug.cgi?id=184400

        Reviewed by Saam Barati.

        This patch adds @putByIdDirectPrivate() to use it for builtin JS.
        @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
        for accessing ECMAScript internal fields.

        This change removes an accidental [[Put]] operation on an object whose [[Prototype]]
        has internal fields (not direct properties). By using @getByIdDirectPrivate() and
        @putByIdDirectPrivate(), we strongly keep the semantics of the ECMAScript internal
        fields: accessing the internal fields does not traverse prototype chains.

        * builtins/ArrayIteratorPrototype.js:
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/ArrayPrototype.js:
        (globalPrivate.createArrayIterator):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (asyncGeneratorYieldAwaited):
        (globalPrivate.asyncGeneratorYield):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorResumeNext):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        * builtins/MapIteratorPrototype.js:
        (globalPrivate.mapIteratorNext):
        * builtins/MapPrototype.js:
        (globalPrivate.createMapIterator):
        * builtins/ModuleLoaderPrototype.js:
        (forceFulfillPromise):
        * builtins/PromiseOperations.js:
        (globalPrivate.newHandledRejectedPromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        (globalPrivate.initializePromise):
        * builtins/PromisePrototype.js:
        (then):
        * builtins/SetIteratorPrototype.js:
        (globalPrivate.setIteratorNext):
        * builtins/SetPrototype.js:
        (globalPrivate.createSetIterator):
        * builtins/StringIteratorPrototype.js:
        (next):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):

2018-04-09  Mark Lam  <mark.lam@apple.com>

        Decorate method table entries to support pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=184430
        <rdar://problem/39296190>

        Reviewed by Saam Barati.

        * runtime/ClassInfo.h:

2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE] Don't install JSC C API headers
        https://bugs.webkit.org/show_bug.cgi?id=184375

        Reviewed by Žan Doberšek.

        None of the functions declared in these headers are exported in WPE. Use the new jsc API
        instead.

        * PlatformWPE.cmake:

2018-04-08  Mark Lam  <mark.lam@apple.com>

        Add pointer profiling to the FTL and supporting code.
        https://bugs.webkit.org/show_bug.cgi?id=184395
        <rdar://problem/39264019>

        Reviewed by Michael Saboff and Filip Pizlo.

        * assembler/CodeLocation.h:
        (JSC::CodeLocationLabel::retagged):
        (JSC::CodeLocationJump::retagged):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::locationOf):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLExceptionTarget.cpp:
        (JSC::FTL::ExceptionTarget::label):
        (JSC::FTL::ExceptionTarget::jumps):
        * ftl/FTLExceptionTarget.h:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::~LazySlowPath):
        (JSC::FTL::LazySlowPath::initialize):
        (JSC::FTL::LazySlowPath::generate):
        (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
        * ftl/FTLLazySlowPath.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::compileFTLLazySlowPath):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::callWithoutSideEffects):
        (JSC::FTL::Output::operation):
        * ftl/FTLPatchpointExceptionHandle.cpp:
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::SlowPathCallContext::makeCall):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        (JSC::FTL::SlowPathCallKey::callPtrTag const):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::lazySlowPathGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/Repatch.cpp:
        (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::repatchIn):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::readCallTarget): Deleted.
        * jit/Repatch.h:
        * runtime/PtrTag.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, attempt to fix Windows build
        https://bugs.webkit.org/show_bug.cgi?id=183508

        * jit/JIT.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for Windows by suppressing padding warning for JIT
        https://bugs.webkit.org/show_bug.cgi?id=183508

        * jit/JIT.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use alignas instead of compiler-specific attributes
        https://bugs.webkit.org/show_bug.cgi?id=183508

        Reviewed by Mark Lam.

        Use the C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.

        * heap/RegisterState.h:
        * jit/JIT.h:
        (JSC::JIT::compile): Deleted.
        (JSC::JIT::compileGetByVal): Deleted.
        (JSC::JIT::compileGetByValWithCachedId): Deleted.
        (JSC::JIT::compilePutByVal): Deleted.
        (JSC::JIT::compileDirectPutByVal): Deleted.
        (JSC::JIT::compilePutByValWithCachedId): Deleted.
        (JSC::JIT::compileHasIndexedProperty): Deleted.
        (JSC::JIT::appendCall): Deleted.
        (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
        (JSC::JIT::exceptionCheck): Deleted.
        (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
        (JSC::JIT::emitInt32Load): Deleted.
        (JSC::JIT::emitInt32GetByVal): Deleted.
        (JSC::JIT::emitInt32PutByVal): Deleted.
        (JSC::JIT::emitDoublePutByVal): Deleted.
        (JSC::JIT::emitContiguousPutByVal): Deleted.
        (JSC::JIT::emitStoreCell): Deleted.
        (JSC::JIT::getSlowCase): Deleted.
        (JSC::JIT::linkSlowCase): Deleted.
        (JSC::JIT::linkDummySlowCase): Deleted.
        (JSC::JIT::linkAllSlowCases): Deleted.
        (JSC::JIT::callOperation): Deleted.
        (JSC::JIT::callOperationWithProfile): Deleted.
        (JSC::JIT::callOperationWithResult): Deleted.
        (JSC::JIT::callOperationNoExceptionCheck): Deleted.
        (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
        (JSC::JIT::emitEnterOptimizationCheck): Deleted.
        (JSC::JIT::sampleCodeBlock): Deleted.
        (JSC::JIT::canBeOptimized): Deleted.
        (JSC::JIT::canBeOptimizedOrInlined): Deleted.
        (JSC::JIT::shouldEmitProfiling): Deleted.
        * runtime/VM.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, follow-up patch for DFG 32bit
        https://bugs.webkit.org/show_bug.cgi?id=183970

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix incorrect assertion for VM's regexp buffer lock
        https://bugs.webkit.org/show_bug.cgi?id=184398

        Reviewed by Mark Lam.

        The isLocked check before taking a lock is incorrect.

        * runtime/VM.cpp:
        (JSC::VM::acquireRegExpPatternContexBuffer):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce op_get_by_id_direct
        https://bugs.webkit.org/show_bug.cgi?id=183970

        Reviewed by Filip Pizlo.

        This patch introduces the op_get_by_id_direct bytecode. It is super similar to op_get_by_id,
        but it just performs the [[GetOwnProperty]] operation instead of [[Get]]. We support this
        in all the tiers, so using this opcode does not lead to inefficiency.

        The main purpose of op_get_by_id_direct is to use it for private properties. We are using
        properties indexed with private symbols to implement ECMAScript internal fields. Before this
        patch, we just used get and put operations. However, that is not the correct semantics: accessing
        the internal fields should not traverse the prototype chain, as specified in the spec.
        We use op_get_by_id_direct to access properties which are used as internal fields, so that
        prototype chains are not traversed.

        To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
        When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
        bytecode `op_get_by_id_direct, object, @name`.

        * builtins/ArrayIteratorPrototype.js:
        (next):
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueIsEmpty):
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (globalPrivate.asyncGeneratorDequeue):
        (globalPrivate.isExecutionState):
        (globalPrivate.isSuspendYieldState):
        (globalPrivate.asyncGeneratorReject):
        (globalPrivate.asyncGeneratorResolve):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorEnqueue):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        (next):
        (return):
        (throw):
        * builtins/MapIteratorPrototype.js:
        (next):
        * builtins/PromiseOperations.js:
        (globalPrivate.isPromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        * builtins/PromisePrototype.js:
        (then):
        * builtins/SetIteratorPrototype.js:
        (next):
        * builtins/StringIteratorPrototype.js:
        (next):
        * builtins/TypedArrayConstructor.js:
        (of):
        (from):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGenericGetByIdFunction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectGetById):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetById):
        (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
        (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        * jit/Repatch.cpp:
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::appropriateGenericGetByIdFunction): Deleted.
        * jit/Repatch.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::getOwnPropertySlot const):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getOwnPropertySlotInline):

702 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
703
704         [JSC] Remove several asXXX functions
705         https://bugs.webkit.org/show_bug.cgi?id=184355
706
707         Reviewed by JF Bastien.
708
709         Remove asActivation, asInternalFunction, and asGetterSetter.
710         Use jsCast<> / jsDynamicCast<> consistently.
711
712         * runtime/ArrayConstructor.cpp:
713         (JSC::constructArrayWithSizeQuirk):
714         * runtime/AsyncFunctionConstructor.cpp:
715         (JSC::callAsyncFunctionConstructor):
716         (JSC::constructAsyncFunctionConstructor):
717         * runtime/AsyncGeneratorFunctionConstructor.cpp:
718         (JSC::callAsyncGeneratorFunctionConstructor):
719         (JSC::constructAsyncGeneratorFunctionConstructor):
720         * runtime/BooleanConstructor.cpp:
721         (JSC::constructWithBooleanConstructor):
722         * runtime/DateConstructor.cpp:
723         (JSC::constructWithDateConstructor):
724         * runtime/ErrorConstructor.cpp:
725         (JSC::Interpreter::constructWithErrorConstructor):
726         (JSC::Interpreter::callErrorConstructor):
727         * runtime/FunctionConstructor.cpp:
728         (JSC::constructWithFunctionConstructor):
729         (JSC::callFunctionConstructor):
730         * runtime/FunctionPrototype.cpp:
731         (JSC::functionProtoFuncToString):
732         * runtime/GeneratorFunctionConstructor.cpp:
733         (JSC::callGeneratorFunctionConstructor):
734         (JSC::constructGeneratorFunctionConstructor):
735         * runtime/GetterSetter.h:
736         (JSC::asGetterSetter): Deleted.
737         * runtime/InternalFunction.h:
738         (JSC::asInternalFunction): Deleted.
739         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
740         (JSC::constructGenericTypedArrayView):
741         * runtime/JSLexicalEnvironment.h:
742         (JSC::asActivation): Deleted.
743         * runtime/JSObject.cpp:
744         (JSC::validateAndApplyPropertyDescriptor):
745         * runtime/MapConstructor.cpp:
746         (JSC::constructMap):
747         * runtime/PropertyDescriptor.cpp:
748         (JSC::PropertyDescriptor::setDescriptor):
749         * runtime/RegExpConstructor.cpp:
750         (JSC::constructWithRegExpConstructor):
751         (JSC::callRegExpConstructor):
752         * runtime/SetConstructor.cpp:
753         (JSC::constructSet):
754         * runtime/StringConstructor.cpp:
755         (JSC::constructWithStringConstructor):
756         * runtime/WeakMapConstructor.cpp:
757         (JSC::constructWeakMap):
758         * runtime/WeakSetConstructor.cpp:
759         (JSC::constructWeakSet):
760         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
761         (JSC::constructJSWebAssemblyCompileError):
762         (JSC::callJSWebAssemblyCompileError):
763         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
764         (JSC::constructJSWebAssemblyLinkError):
765         (JSC::callJSWebAssemblyLinkError):
766         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
767         (JSC::constructJSWebAssemblyRuntimeError):
768         (JSC::callJSWebAssemblyRuntimeError):
769
770 2018-04-05  Mark Lam  <mark.lam@apple.com>
771
772         MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
773         https://bugs.webkit.org/show_bug.cgi?id=184347
774         <rdar://problem/39183165>
775
776         Reviewed by Michael Saboff.
777
778         * assembler/MacroAssemblerCodeRef.h:
779         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
780         (JSC::MacroAssemblerCodePtr::retagged const):
781
782 2018-04-05  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
783
784         [MIPS] Optimize generated JIT code for branches
785         https://bugs.webkit.org/show_bug.cgi?id=183130
786
787         Reviewed by Yusuke Suzuki.
788
789         The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
790         branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
791         to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
792         However, this adds a significant overhead for all other types of branches. Since these nops
793         protect the code that is generated by branchPtrWithPatch, this function seems like a better
794         place to add them.
795
796         * assembler/MIPSAssembler.h:
797         (JSC::MIPSAssembler::repatchInt32):
798         (JSC::MIPSAssembler::revertJumpToMove):
799         * assembler/MacroAssemblerMIPS.h:
800         (JSC::MacroAssemblerMIPS::branchAdd32):
801         (JSC::MacroAssemblerMIPS::branchMul32):
802         (JSC::MacroAssemblerMIPS::branchSub32):
803         (JSC::MacroAssemblerMIPS::branchNeg32):
804         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
805         (JSC::MacroAssemblerMIPS::branchEqual):
806         (JSC::MacroAssemblerMIPS::branchNotEqual):
807
808 2018-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>
809
810         [WTF] Remove StaticLock
811         https://bugs.webkit.org/show_bug.cgi?id=184332
812
813         Reviewed by Mark Lam.
814
815         * API/JSValue.mm:
816         (handerForStructTag):
817         * API/JSVirtualMachine.mm:
818         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
819         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
820         * API/glib/JSCVirtualMachine.cpp:
821         (addWrapper):
822         (removeWrapper):
823         * assembler/testmasm.cpp:
824         * b3/air/testair.cpp:
825         * b3/testb3.cpp:
826         * bytecode/SuperSampler.cpp:
827         * dfg/DFGCommon.cpp:
828         * dfg/DFGCommonData.cpp:
829         * dynbench.cpp:
830         * heap/MachineStackMarker.cpp:
831         (JSC::MachineThreads::tryCopyOtherThreadStacks):
832         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
833         (Inspector::RemoteTargetHandleRunSourceGlobal):
834         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
835         * interpreter/CLoopStack.cpp:
836         * parser/SourceProvider.cpp:
837         * profiler/ProfilerDatabase.cpp:
838         * profiler/ProfilerUID.cpp:
839         (JSC::Profiler::UID::create):
840         * runtime/IntlObject.cpp:
841         (JSC::numberingSystemsForLocale):
842         * runtime/JSLock.cpp:
843         * runtime/JSLock.h:
844         * runtime/SamplingProfiler.cpp:
845         (JSC::SamplingProfiler::registerForReportAtExit):
846         * runtime/VM.cpp:
847         * wasm/WasmFaultSignalHandler.cpp:
848
849 2018-04-04  Mark Lam  <mark.lam@apple.com>
850
851         Add pointer profiling support to the DFG and supporting files.
852         https://bugs.webkit.org/show_bug.cgi?id=184316
853         <rdar://problem/39188524>
854
855         Reviewed by Filip Pizlo.
856
857         1. Profile lots of pointers with PtrTags.
858
859         2. Remove PtrTag.cpp and make ptrTagName() into an inline function.  It's only
860            used for debugging anyway, and not normally called in the code.  Making it
861            an inline function prevents it from taking up code space in builds when not in
862            use.
863
864         3. Change the call to the arityFixupThunk in DFG code to be a near call.
865            It doesn't need to be a far call.
866
867         * CMakeLists.txt:
868         * JavaScriptCore.xcodeproj/project.pbxproj:
869         * Sources.txt:
870         * assembler/testmasm.cpp:
871         (JSC::testProbeModifiesProgramCounter):
872         * b3/B3LowerMacros.cpp:
873         * b3/air/AirCCallSpecial.cpp:
874         (JSC::B3::Air::CCallSpecial::generate):
875         * b3/air/AirCCallSpecial.h:
876         * b3/testb3.cpp:
877         (JSC::B3::testInterpreter):
878         * bytecode/AccessCase.cpp:
879         (JSC::AccessCase::generateImpl):
880         * bytecode/HandlerInfo.h:
881         (JSC::HandlerInfo::initialize):
882         * bytecode/PolymorphicAccess.cpp:
883         (JSC::PolymorphicAccess::regenerate):
884         * dfg/DFGJITCompiler.cpp:
885         (JSC::DFG::JITCompiler::compileExceptionHandlers):
886         (JSC::DFG::JITCompiler::link):
887         (JSC::DFG::JITCompiler::compileFunction):
888         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
889         * dfg/DFGJITCompiler.h:
890         (JSC::DFG::JITCompiler::appendCall):
891         * dfg/DFGOSREntry.cpp:
892         (JSC::DFG::prepareOSREntry):
893         * dfg/DFGOSRExit.cpp:
894         (JSC::DFG::reifyInlinedCallFrames):
895         (JSC::DFG::adjustAndJumpToTarget):
896         (JSC::DFG::OSRExit::emitRestoreArguments):
897         (JSC::DFG::OSRExit::compileOSRExit):
898         * dfg/DFGOSRExitCompilerCommon.cpp:
899         (JSC::DFG::handleExitCounts):
900         (JSC::DFG::reifyInlinedCallFrames):
901         (JSC::DFG::osrWriteBarrier):
902         (JSC::DFG::adjustAndJumpToTarget):
903         * dfg/DFGOperations.cpp:
904         * dfg/DFGSlowPathGenerator.h:
905         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
906         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
907         (JSC::DFG::slowPathCall):
908         * dfg/DFGSpeculativeJIT.cpp:
909         (JSC::DFG::SpeculativeJIT::compileMathIC):
910         * dfg/DFGSpeculativeJIT.h:
911         (JSC::DFG::SpeculativeJIT::callOperation):
912         (JSC::DFG::SpeculativeJIT::appendCall):
913         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
914         * dfg/DFGSpeculativeJIT64.cpp:
915         (JSC::DFG::SpeculativeJIT::cachedGetById):
916         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
917         (JSC::DFG::SpeculativeJIT::cachedPutById):
918         (JSC::DFG::SpeculativeJIT::compile):
919         * dfg/DFGThunks.cpp:
920         (JSC::DFG::osrExitThunkGenerator):
921         (JSC::DFG::osrExitGenerationThunkGenerator):
922         (JSC::DFG::osrEntryThunkGenerator):
923         * jit/AssemblyHelpers.cpp:
924         (JSC::AssemblyHelpers::emitDumbVirtualCall):
925         * jit/JIT.cpp:
926         (JSC::JIT::emitEnterOptimizationCheck):
927         (JSC::JIT::compileWithoutLinking):
928         * jit/JITCall.cpp:
929         (JSC::JIT::compileOpCallSlowCase):
930         * jit/JITMathIC.h:
931         (JSC::isProfileEmpty):
932         * jit/JITOpcodes.cpp:
933         (JSC::JIT::emit_op_catch):
934         (JSC::JIT::emitSlow_op_loop_hint):
935         * jit/JITOperations.cpp:
936         * jit/Repatch.cpp:
937         (JSC::linkSlowFor):
938         (JSC::linkFor):
939         (JSC::revertCall):
940         (JSC::unlinkFor):
941         (JSC::linkVirtualFor):
942         (JSC::linkPolymorphicCall):
943         * jit/ThunkGenerators.cpp:
944         (JSC::throwExceptionFromCallSlowPathGenerator):
945         (JSC::linkCallThunkGenerator):
946         (JSC::linkPolymorphicCallThunkGenerator):
947         (JSC::virtualThunkFor):
948         (JSC::arityFixupGenerator):
949         (JSC::unreachableGenerator):
950         * runtime/PtrTag.cpp: Removed.
951         * runtime/PtrTag.h:
952         (JSC::ptrTagName):
953         * runtime/VMEntryScope.cpp:
954         * wasm/js/WasmToJS.cpp:
955         (JSC::Wasm::wasmToJS):
956
957 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
958
959         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
960         https://bugs.webkit.org/show_bug.cgi?id=184319
961
962         Reviewed by Saam Barati.
963
964         In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
965         assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
966         the ArrayPush.
967
968         But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
969         GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
970         eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
971         with a GetByVal(SaneChain), then we will hit the assertion.
972
973         This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
974         tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
975         than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
976
977         * dfg/DFGCSEPhase.cpp:
978         * dfg/DFGClobberize.h:
979         (JSC::DFG::clobberize):
980         * dfg/DFGHeapLocation.cpp:
981         (WTF::printInternal):
982         * dfg/DFGHeapLocation.h:
983         * dfg/DFGSpeculativeJIT.cpp:
984         (JSC::DFG::SpeculativeJIT::compileArrayPush):
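
        The following is an added illustration of the CSE point in the entry above; it is a toy model written for this page, not code from JSC. It keys available loads by a HeapLocation (kind, base, index), as the DFG does, but the kind names, node shapes and the "a store clobbers everything" simplification are assumptions of the model. It shows that when InBounds and SaneChain loads share one location, a later InBounds load (whose Check(DoubleRealRep:) AI may have removed) gets replaced by an earlier SaneChain load that can yield NaN; and that giving each mode its own location while letting PutByVal def() both keeps store-to-load forwarding for either kind of load.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Array-access modes as described in the ChangeLog entry: an InBounds GetByVal
# never yields NaN (it exits instead), a SaneChain GetByVal may read a hole
# and yield NaN, so the two results are not interchangeable.
IN_BOUNDS = "InBounds"
SANE_CHAIN = "SaneChain"


@dataclass(frozen=True)
class HeapLocation:
    """Key CSE uses to decide that two heap reads see the same value.
    The kind strings are illustrative (assumption), not JSC's enum values."""
    kind: str
    base: str
    index: str


@dataclass
class Node:
    op: str                      # "GetByVal" or "PutByVal"
    base: str                    # SSA name of the array
    index: str                   # SSA name of the index
    mode: str = IN_BOUNDS        # array mode, meaningful for GetByVal
    value: Optional[str] = None  # SSA name of the stored value, for PutByVal
    name: str = ""               # SSA name of this node's result


def heap_location(base: str, index: str, mode: str) -> HeapLocation:
    kind = "IndexedPropertyDouble" if mode == IN_BOUNDS else "IndexedPropertyDoubleSaneChain"
    return HeapLocation(kind, base, index)


def local_cse(nodes: List[Node], distinguish_modes: bool) -> Dict[str, str]:
    """Single-block CSE over array accesses.

    Returns {load name: name of the earlier value it was replaced with}.
    distinguish_modes=False reproduces the old behaviour: both modes share one
    HeapLocation.  distinguish_modes=True is the fix described above: each mode
    has its own HeapLocation and a PutByVal defs both of them.
    """
    available: Dict[HeapLocation, str] = {}
    replacements: Dict[str, str] = {}
    for node in nodes:
        if node.op == "PutByVal":
            # A store clobbers indexed properties (simplified here to "everything")...
            available.clear()
            # ...and then defs the location(s) now known to hold `value`.
            modes = (IN_BOUNDS, SANE_CHAIN) if distinguish_modes else (IN_BOUNDS,)
            for mode in modes:
                available[heap_location(node.base, node.index, mode)] = node.value
        elif node.op == "GetByVal":
            mode = node.mode if distinguish_modes else IN_BOUNDS
            loc = heap_location(node.base, node.index, mode)
            if loc in available:
                replacements[node.name] = available[loc]
            else:
                available[loc] = node.name
        else:
            raise ValueError(f"unsupported op {node.op}")
    return replacements


def bug_scenario() -> List[Node]:
    """A SaneChain load followed by an InBounds load of the same element.
    AI may drop the Check(DoubleRealRep:) after @2 because InBounds never yields
    NaN; if CSE then replaces @2 with @1, the check is gone and @1 may be NaN."""
    return [
        Node("GetByVal", "arr", "i", mode=SANE_CHAIN, name="@1"),
        Node("GetByVal", "arr", "i", mode=IN_BOUNDS, name="@2"),
    ]


def store_forwarding_scenario() -> List[Node]:
    """A store followed by both kinds of load: both should read the stored value."""
    return [
        Node("PutByVal", "arr", "i", value="v"),
        Node("GetByVal", "arr", "i", mode=IN_BOUNDS, name="@1"),
        Node("GetByVal", "arr", "i", mode=SANE_CHAIN, name="@2"),
    ]


if __name__ == "__main__":
    print("old CSE:", local_cse(bug_scenario(), distinguish_modes=False))        # {'@2': '@1'} (unsound)
    print("fixed CSE:", local_cse(bug_scenario(), distinguish_modes=True))       # {}
    print("forwarding:", local_cse(store_forwarding_scenario(), distinguish_modes=True))  # {'@1': 'v', '@2': 'v'}
```

        The unsound replacement only disappears in the fixed variant; the store-forwarding case shows why the fix defs two locations rather than simply refusing to match PutByVal against SaneChain loads.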
985
986 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
987
988         Remove poisoning of typed array vector
989         https://bugs.webkit.org/show_bug.cgi?id=184313
990
991         Reviewed by Saam Barati.
992
993         * dfg/DFGFixupPhase.cpp:
994         (JSC::DFG::FixupPhase::checkArray):
995         * dfg/DFGSpeculativeJIT.cpp:
996         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
997         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
998         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
999         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1000         * ftl/FTLAbstractHeapRepository.h:
1001         * ftl/FTLLowerDFGToB3.cpp:
1002         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1003         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1004         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1005         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
1006         * jit/IntrinsicEmitter.cpp:
1007         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
1008         * jit/JITPropertyAccess.cpp:
1009         (JSC::JIT::emitIntTypedArrayGetByVal):
1010         (JSC::JIT::emitFloatTypedArrayGetByVal):
1011         (JSC::JIT::emitIntTypedArrayPutByVal):
1012         (JSC::JIT::emitFloatTypedArrayPutByVal):
1013         * llint/LowLevelInterpreter.asm:
1014         * llint/LowLevelInterpreter64.asm:
1015         * offlineasm/arm64.rb:
1016         * offlineasm/x86.rb:
1017         * runtime/CagedBarrierPtr.h:
1018         * runtime/JSArrayBufferView.cpp:
1019         (JSC::JSArrayBufferView::JSArrayBufferView):
1020         (JSC::JSArrayBufferView::finalize):
1021         (JSC::JSArrayBufferView::neuter):
1022         * runtime/JSArrayBufferView.h:
1023         (JSC::JSArrayBufferView::vector const):
1024         (JSC::JSArrayBufferView::offsetOfVector):
1025         (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
1026         (JSC::JSArrayBufferView::poisonFor): Deleted.
1027         (JSC::JSArrayBufferView::Poison::key): Deleted.
1028         * runtime/JSCPoison.cpp:
1029         (JSC::initializePoison):
1030         * runtime/JSCPoison.h:
1031         * runtime/JSGenericTypedArrayViewInlines.h:
1032         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
1033         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1034         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1035         * runtime/JSObject.h:
1036
1037 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
1038
1039         Don't do index masking or poisoning for DirectArguments
1040         https://bugs.webkit.org/show_bug.cgi?id=184280
1041
1042         Reviewed by Saam Barati.
1043
1044         * JavaScriptCore.xcodeproj/project.pbxproj:
1045         * bytecode/AccessCase.cpp:
1046         (JSC::AccessCase::generateWithGuard):
1047         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1048         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
1049         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
1050         * dfg/DFGSpeculativeJIT.cpp:
1051         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1052         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1053         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1054         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
1055         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
1056         * ftl/FTLAbstractHeapRepository.h:
1057         * ftl/FTLLowerDFGToB3.cpp:
1058         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
1059         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1060         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1061         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
1062         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
1063         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1064         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
1065         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
1066         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
1067         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
1068         * heap/SecurityKind.h:
1069         * jit/JITPropertyAccess.cpp:
1070         (JSC::JIT::emit_op_get_from_arguments):
1071         (JSC::JIT::emit_op_put_to_arguments):
1072         (JSC::JIT::emitDirectArgumentsGetByVal):
1073         * jit/JITPropertyAccess32_64.cpp:
1074         (JSC::JIT::emit_op_get_from_arguments):
1075         (JSC::JIT::emit_op_put_to_arguments):
1076         * llint/LowLevelInterpreter.asm:
1077         * llint/LowLevelInterpreter32_64.asm:
1078         * llint/LowLevelInterpreter64.asm:
1079         * runtime/DirectArguments.cpp:
1080         (JSC::DirectArguments::DirectArguments):
1081         (JSC::DirectArguments::createUninitialized):
1082         (JSC::DirectArguments::create):
1083         (JSC::DirectArguments::createByCopying):
1084         (JSC::DirectArguments::estimatedSize):
1085         (JSC::DirectArguments::visitChildren):
1086         (JSC::DirectArguments::overrideThings):
1087         (JSC::DirectArguments::copyToArguments):
1088         (JSC::DirectArguments::mappedArgumentsSize):
1089         * runtime/DirectArguments.h:
1090         * runtime/JSCPoison.h:
1091         * runtime/JSLexicalEnvironment.h:
1092         * runtime/JSSymbolTableObject.h:
1093
1094 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
1095
1096         JSArray::appendMemcpy seems to be missing a barrier
1097         https://bugs.webkit.org/show_bug.cgi?id=184290
1098
1099         Reviewed by Mark Lam.
1100         
1101         If you write to an array that may contain pointers and you didn't just allocate it, then you need to
1102         barrier right after.
1103         
1104         I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
1105         obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
1106
1107         * runtime/JSArray.cpp:
1108         (JSC::JSArray::appendMemcpy):
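
        As an added illustration of the barrier rule stated in the entry above (a model written for this page, not JSC's collector or JSArray code), the toy generational heap below shows what goes wrong when pointers are bulk-copied into an object that survived an earlier collection and no barrier follows: the minor collection trusts that unremembered old cells gained no young pointees, so the new referent is freed while the old array still points at it. The Cell/Heap shapes, the remembered-set representation and the eden-only marking are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(eq=False)  # identity semantics, so cells can live in sets
class Cell:
    name: str
    is_old: bool = False                          # survived a previous collection
    slots: List["Cell"] = field(default_factory=list)


class Heap:
    def __init__(self) -> None:
        self.cells: List[Cell] = []
        self.roots: List[Cell] = []
        self.remembered: Set[Cell] = set()        # old cells that may point at young ones

    def allocate(self, name: str) -> Cell:
        cell = Cell(name)
        self.cells.append(cell)
        return cell

    def append_memcpy(self, dst: Cell, values: List[Cell], barrier: bool) -> None:
        """Bulk-copy pointer slots into dst; optionally run the write barrier after."""
        dst.slots.extend(values)
        if barrier and dst.is_old:
            self.remembered.add(dst)

    def minor_gc(self) -> List[str]:
        """Collect young cells.  Marks from roots and remembered old cells; an old cell
        that is not remembered is not scanned, which is exactly what makes the barrier
        necessary.  Returns the names of freed cells and promotes survivors."""
        live_young: Set[Cell] = set()
        visited: Set[Cell] = set()
        work = list(self.roots) + list(self.remembered)
        while work:
            cell = work.pop()
            if cell in visited:
                continue
            visited.add(cell)
            if not cell.is_old:
                live_young.add(cell)
            if cell.is_old and cell not in self.remembered:
                continue                           # trusted: no unrecorded young pointees
            work.extend(cell.slots)
        freed = sorted(c.name for c in self.cells if not c.is_old and c not in live_young)
        self.cells = [c for c in self.cells if c.is_old or c in live_young]
        for cell in self.cells:
            cell.is_old = True
        self.remembered.clear()
        return freed


def scenario(barrier: bool, fresh_array: bool = False) -> List[str]:
    """Returns the names freed by the collection that follows the copy.
    fresh_array=True writes into a just-allocated (young) array, which the
    collector scans anyway, so no barrier is needed in that case."""
    heap = Heap()
    arr = heap.allocate("arr")
    heap.roots.append(arr)
    if not fresh_array:
        heap.minor_gc()                            # arr survives and becomes old
    young = heap.allocate("young")
    heap.append_memcpy(arr, [young], barrier)      # arr now points at a young cell
    return heap.minor_gc()


if __name__ == "__main__":
    print("old array, no barrier:", scenario(barrier=False))            # ['young'] -> dangling slot
    print("old array, barrier:", scenario(barrier=True))                # []
    print("fresh array, no barrier:", scenario(barrier=False, fresh_array=True))  # []
```

        The third case is the "just allocated it" exception from the entry: a young destination is scanned by the collection regardless, so only writes into already-promoted objects need the barrier.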
1109
1110 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
1111
1112         GC shouldn't do object distancing
1113         https://bugs.webkit.org/show_bug.cgi?id=184195
1114
1115         Reviewed by Saam Barati.
1116         
1117         This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
1118         to be a small speed-up.
1119
1120         * CMakeLists.txt:
1121         * JavaScriptCore.xcodeproj/project.pbxproj:
1122         * Sources.txt:
1123         * heap/BlockDirectory.cpp:
1124         (JSC::BlockDirectory::findBlockForAllocation):
1125         (JSC::BlockDirectory::addBlock):
1126         * heap/BlockDirectory.h:
1127         * heap/CellAttributes.cpp:
1128         (JSC::CellAttributes::dump const):
1129         * heap/CellAttributes.h:
1130         (JSC::CellAttributes::CellAttributes):
1131         * heap/LocalAllocator.cpp:
1132         (JSC::LocalAllocator::allocateSlowCase):
1133         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
1134         * heap/MarkedBlock.cpp:
1135         (JSC::MarkedBlock::Handle::didAddToDirectory):
1136         * heap/MarkedBlock.h:
1137         (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
1138         * heap/SecurityKind.cpp: Removed.
1139         * heap/SecurityKind.h: Removed.
1140         * heap/SecurityOriginToken.cpp: Removed.
1141         * heap/SecurityOriginToken.h: Removed.
1142         * heap/ThreadLocalCache.cpp:
1143         (JSC::ThreadLocalCache::create):
1144         (JSC::ThreadLocalCache::ThreadLocalCache):
1145         * heap/ThreadLocalCache.h:
1146         (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
1147         * runtime/JSDestructibleObjectHeapCellType.cpp:
1148         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
1149         * runtime/JSGlobalObject.cpp:
1150         (JSC::JSGlobalObject::JSGlobalObject):
1151         * runtime/JSGlobalObject.h:
1152         (JSC::JSGlobalObject::threadLocalCache const): Deleted.
1153         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
1154         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
1155         * runtime/JSStringHeapCellType.cpp:
1156         (JSC::JSStringHeapCellType::JSStringHeapCellType):
1157         * runtime/VM.cpp:
1158         (JSC::VM::VM):
1159         * runtime/VM.h:
1160         * runtime/VMEntryScope.cpp:
1161         (JSC::VMEntryScope::VMEntryScope):
1162         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
1163         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
1164
1165 2018-04-02  Saam Barati  <sbarati@apple.com>
1166
1167         bmalloc should compute its own estimate of its footprint
1168         https://bugs.webkit.org/show_bug.cgi?id=184121
1169
1170         Reviewed by Filip Pizlo.
1171
1172         * heap/IsoAlignedMemoryAllocator.cpp:
1173         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1174         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
1175         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
1176
1177 2018-04-02  Mark Lam  <mark.lam@apple.com>
1178
1179         We should not trash the stack pointer on OSR entry.
1180         https://bugs.webkit.org/show_bug.cgi?id=184243
1181         <rdar://problem/39114319>
1182
1183         Reviewed by Filip Pizlo.
1184
1185         In the DFG OSR entry path, we momentarily overwrite the stack pointer with
1186         returnValueGPR2.  returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
1187         Hence, this assignment is wrong, and it turns out to be unnecessary as well.
1188         The stack pointer does get corrected later in the thunk (generated by
1189         osrEntryThunkGenerator()) that we jump to.  This is why we don't see ill-effects
1190         so far.
1191
1192         This bug only poses an issue if interrupts use the user stack for their stack
1193         frame (e.g. Linux), and when we do stack alignment tests during debugging.
1194
1195         The fix is simply to remove the assignment.
1196
1197         * dfg/DFGThunks.cpp:
1198         (JSC::DFG::osrEntryThunkGenerator):
1199         * jit/JIT.cpp:
1200         (JSC::JIT::emitEnterOptimizationCheck):
1201
1202 2018-04-02  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1203
1204         [MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
1205         https://bugs.webkit.org/show_bug.cgi?id=183740
1206
1207         Reviewed by Yusuke Suzuki.
1208
1209         In many macro assembler methods with TrustedImm32 operand a move imm, immTemp (pseudo)instruction is
1210         first generated and a register operand variant of the same method is called to generate the rest
1211         of the code. If the immediate value can fit in 16 bits then we can skip the move instruction and
1212         generate more efficient code using MIPS instructions with immediate operand.
1213
1214         * assembler/MIPSAssembler.h:
1215         (JSC::MIPSAssembler::slti):
1216         * assembler/MacroAssemblerMIPS.h:
1217         (JSC::MacroAssemblerMIPS::lshift32):
1218         (JSC::MacroAssemblerMIPS::xor32):
1219         (JSC::MacroAssemblerMIPS::branch8):
1220         (JSC::MacroAssemblerMIPS::compare8):
1221         (JSC::MacroAssemblerMIPS::branch32):
1222         (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
1223         (JSC::MacroAssemblerMIPS::branchTest32):
1224         (JSC::MacroAssemblerMIPS::mask8OnTest):
1225         (JSC::MacroAssemblerMIPS::branchTest8):
1226         (JSC::MacroAssemblerMIPS::branchAdd32):
1227         (JSC::MacroAssemblerMIPS::branchNeg32):
1228         (JSC::MacroAssemblerMIPS::compare32):
1229         (JSC::MacroAssemblerMIPS::test8):
1230
1231 2018-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1232
1233         [DFG] More aggressive removal of duplicate 32bit DFG code
1234         https://bugs.webkit.org/show_bug.cgi?id=184089
1235
1236         Reviewed by Saam Barati.
1237
1238         This patch more aggressively removes duplicate 32bit DFG code
1239         by leveraging JSValueRegs and meta-programmed callOperation.
1240
1241         * dfg/DFGSpeculativeJIT.cpp:
1242         (JSC::DFG::SpeculativeJIT::compileGetByValWithThis):
1243         (JSC::DFG::SpeculativeJIT::compileArithMinMax):
1244         (JSC::DFG::SpeculativeJIT::compileNewArray):
1245         (JSC::DFG::SpeculativeJIT::compileCheckCell):
1246         (JSC::DFG::SpeculativeJIT::compileGetGlobalVariable):
1247         (JSC::DFG::SpeculativeJIT::compilePutGlobalVariable):
1248         (JSC::DFG::SpeculativeJIT::compileGetClosureVar):
1249         (JSC::DFG::SpeculativeJIT::compilePutClosureVar):
1250         (JSC::DFG::SpeculativeJIT::compileGetByOffset):
1251         (JSC::DFG::SpeculativeJIT::compilePutByOffset):
1252         (JSC::DFG::SpeculativeJIT::compileGetExecutable):
1253         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
1254         (JSC::DFG::SpeculativeJIT::compileToThis):
1255         (JSC::DFG::SpeculativeJIT::compileIdentity):
1256         * dfg/DFGSpeculativeJIT.h:
1257         * dfg/DFGSpeculativeJIT32_64.cpp:
1258         (JSC::DFG::SpeculativeJIT::compile):
1259         * dfg/DFGSpeculativeJIT64.cpp:
1260         (JSC::DFG::SpeculativeJIT::compile):
1261
1262 2018-04-01  Filip Pizlo  <fpizlo@apple.com>
1263
1264         Raise the for-call inlining threshold to 190 to fix JetStream/richards regression
1265         https://bugs.webkit.org/show_bug.cgi?id=184228
1266
1267         Reviewed by Yusuke Suzuki.
1268
1269         * runtime/Options.h:
1270
1271 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
1272
1273         JSObject shouldn't do index masking
1274         https://bugs.webkit.org/show_bug.cgi?id=184194
1275
1276         Reviewed by Yusuke Suzuki.
1277         
1278         Remove index masking, because it's not the way we'll mitigate Spectre.
1279
1280         * API/tests/JSObjectGetProxyTargetTest.cpp:
1281         (testJSObjectGetProxyTarget):
1282         * b3/B3LowerToAir.cpp:
1283         * b3/B3Validate.cpp:
1284         * b3/B3WasmBoundsCheckValue.cpp:
1285         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
1286         (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
1287         * b3/B3WasmBoundsCheckValue.h:
1288         (JSC::B3::WasmBoundsCheckValue::bounds const):
1289         (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): Deleted.
1290         * b3/testb3.cpp:
1291         (JSC::B3::testWasmBoundsCheck):
1292         (JSC::B3::run):
1293         * dfg/DFGAbstractInterpreterInlines.h:
1294         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1295         * dfg/DFGArgumentsEliminationPhase.cpp:
1296         * dfg/DFGByteCodeParser.cpp:
1297         (JSC::DFG::ByteCodeParser::parseBlock):
1298         * dfg/DFGClobberize.h:
1299         (JSC::DFG::clobberize):
1300         * dfg/DFGDoesGC.cpp:
1301         (JSC::DFG::doesGC):
1302         * dfg/DFGFixupPhase.cpp:
1303         (JSC::DFG::FixupPhase::fixupNode):
1304         * dfg/DFGNodeType.h:
1305         * dfg/DFGPredictionPropagationPhase.cpp:
1306         * dfg/DFGSSALoweringPhase.cpp:
1307         (JSC::DFG::SSALoweringPhase::handleNode):
1308         * dfg/DFGSafeToExecute.h:
1309         (JSC::DFG::safeToExecute):
1310         * dfg/DFGSpeculativeJIT.cpp:
1311         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1312         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1313         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
1314         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1315         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1316         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1317         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1318         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1319         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1320         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1321         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1322         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
1323         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1324         (JSC::DFG::SpeculativeJIT::compileNewObject):
1325         * dfg/DFGSpeculativeJIT.h:
1326         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1327         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1328         * dfg/DFGSpeculativeJIT32_64.cpp:
1329         (JSC::DFG::SpeculativeJIT::compile):
1330         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1331         * dfg/DFGSpeculativeJIT64.cpp:
1332         (JSC::DFG::SpeculativeJIT::compile):
1333         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1334         * ftl/FTLAbstractHeapRepository.h:
1335         * ftl/FTLCapabilities.cpp:
1336         (JSC::FTL::canCompile):
1337         * ftl/FTLLowerDFGToB3.cpp:
1338         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1339         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
1340         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1341         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1342         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1343         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1344         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1345         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1346         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1347         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1348         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1349         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1350         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1351         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1352         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
1353         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): Deleted.
1354         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): Deleted.
1355         (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask): Deleted.
1356         * jit/AssemblyHelpers.h:
1357         (JSC::AssemblyHelpers::emitAllocateJSObject):
1358         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1359         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
1360         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1361         * jit/JITOpcodes.cpp:
1362         (JSC::JIT::emit_op_new_object):
1363         (JSC::JIT::emit_op_create_this):
1364         * jit/JITOperations.cpp:
1365         * jit/JITPropertyAccess.cpp:
1366         (JSC::JIT::emitDoubleLoad):
1367         (JSC::JIT::emitContiguousLoad):
1368         (JSC::JIT::emitArrayStorageLoad):
1369         * llint/LowLevelInterpreter32_64.asm:
1370         * llint/LowLevelInterpreter64.asm:
1371         * runtime/Butterfly.h:
1372         (JSC::ContiguousData::at const):
1373         (JSC::ContiguousData::at):
1374         (JSC::Butterfly::computeIndexingMask const): Deleted.
1375         * runtime/ButterflyInlines.h:
1376         (JSC::ContiguousData<T>::at const): Deleted.
1377         (JSC::ContiguousData<T>::at): Deleted.
1378         * runtime/ClonedArguments.cpp:
1379         (JSC::ClonedArguments::createEmpty):
1380         * runtime/JSArray.cpp:
1381         (JSC::JSArray::tryCreateUninitializedRestricted):
1382         (JSC::JSArray::appendMemcpy):
1383         (JSC::JSArray::setLength):
1384         (JSC::JSArray::pop):
1385         (JSC::JSArray::shiftCountWithAnyIndexingType):
1386         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1387         (JSC::JSArray::fillArgList):
1388         (JSC::JSArray::copyToArguments):
1389         * runtime/JSArrayBufferView.cpp:
1390         (JSC::JSArrayBufferView::JSArrayBufferView):
1391         * runtime/JSArrayInlines.h:
1392         (JSC::JSArray::pushInline):
1393         * runtime/JSFixedArray.h:
1394         * runtime/JSGenericTypedArrayViewInlines.h:
1395         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1396         * runtime/JSObject.cpp:
1397         (JSC::JSObject::getOwnPropertySlotByIndex):
1398         (JSC::JSObject::putByIndex):
1399         (JSC::JSObject::createInitialUndecided):
1400         (JSC::JSObject::createInitialInt32):
1401         (JSC::JSObject::createInitialDouble):
1402         (JSC::JSObject::createInitialContiguous):
1403         (JSC::JSObject::createArrayStorage):
1404         (JSC::JSObject::convertUndecidedToInt32):
1405         (JSC::JSObject::convertUndecidedToDouble):
1406         (JSC::JSObject::convertUndecidedToContiguous):
1407         (JSC::JSObject::convertUndecidedToArrayStorage):
1408         (JSC::JSObject::convertInt32ToDouble):
1409         (JSC::JSObject::convertInt32ToArrayStorage):
1410         (JSC::JSObject::convertDoubleToContiguous):
1411         (JSC::JSObject::convertDoubleToArrayStorage):
1412         (JSC::JSObject::convertContiguousToArrayStorage):
1413         (JSC::JSObject::createInitialForValueAndSet):
1414         (JSC::JSObject::deletePropertyByIndex):
1415         (JSC::JSObject::getOwnPropertyNames):
1416         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1417         (JSC::JSObject::countElements):
1418         (JSC::JSObject::increaseVectorLength):
1419         (JSC::JSObject::ensureLengthSlow):
1420         (JSC::JSObject::reallocateAndShrinkButterfly):
1421         (JSC::JSObject::getEnumerableLength):
1422         * runtime/JSObject.h:
1423         (JSC::JSObject::canGetIndexQuickly):
1424         (JSC::JSObject::getIndexQuickly):
1425         (JSC::JSObject::tryGetIndexQuickly const):
1426         (JSC::JSObject::setIndexQuickly):
1427         (JSC::JSObject::initializeIndex):
1428         (JSC::JSObject::initializeIndexWithoutBarrier):
1429         (JSC::JSObject::butterflyOffset):
1430         (JSC::JSObject::setButterfly):
1431         (JSC::JSObject::nukeStructureAndSetButterfly):
1432         (JSC::JSObject::JSObject):
1433         (JSC::JSObject::butterflyIndexingMaskOffset): Deleted.
1434         (JSC::JSObject::butterflyIndexingMask const): Deleted.
1435         (JSC::JSObject::setButterflyWithIndexingMask): Deleted.
1436         * runtime/JSObjectInlines.h:
1437         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1438         (JSC::JSObject::putDirectInternal):
1439         * runtime/RegExpMatchesArray.h:
1440         (JSC::tryCreateUninitializedRegExpMatchesArray):
1441         * runtime/Structure.cpp:
1442         (JSC::Structure::flattenDictionaryStructure):
1443         * wasm/WasmB3IRGenerator.cpp:
1444         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1445         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1446         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1447         (JSC::Wasm::B3IRGenerator::load):
1448         (JSC::Wasm::B3IRGenerator::store):
1449         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1450         * wasm/WasmBinding.cpp:
1451         (JSC::Wasm::wasmToWasm):
1452         * wasm/WasmInstance.h:
1453         (JSC::Wasm::Instance::updateCachedMemory):
1454         (JSC::Wasm::Instance::offsetOfCachedMemorySize):
1455         (JSC::Wasm::Instance::offsetOfCachedIndexingMask): Deleted.
1456         * wasm/WasmMemory.cpp:
1457         (JSC::Wasm::Memory::Memory):
1458         (JSC::Wasm::Memory::grow):
1459         * wasm/WasmMemory.h:
1460         (JSC::Wasm::Memory::size const):
1461         (JSC::Wasm::Memory::offsetOfSize):
1462         (JSC::Wasm::Memory::indexingMask): Deleted.
1463         (JSC::Wasm::Memory::offsetOfIndexingMask): Deleted.
1464         * wasm/WasmMemoryInformation.cpp:
1465         (JSC::Wasm::PinnedRegisterInfo::get):
1466         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1467         * wasm/WasmMemoryInformation.h:
1468         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1469         * wasm/js/JSToWasm.cpp:
1470         (JSC::Wasm::createJSToWasmWrapper):
1471
1472 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
1473
1474         JSC crash in JIT code with for-of loop and Array/Set iterators
1475         https://bugs.webkit.org/show_bug.cgi?id=183174
1476
1477         Reviewed by Saam Barati.
1478
1479         * dfg/DFGSafeToExecute.h:
1480         (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.
1481
1482 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
1483
1484         Strings and Vectors shouldn't do index masking
1485         https://bugs.webkit.org/show_bug.cgi?id=184193
1486
1487         Reviewed by Mark Lam.
1488
1489         * dfg/DFGSpeculativeJIT.cpp:
1490         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
1491         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1492         * ftl/FTLAbstractHeapRepository.h:
1493         * ftl/FTLLowerDFGToB3.cpp:
1494         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1495         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1496         * jit/ThunkGenerators.cpp:
1497         (JSC::stringCharLoad):
1498
1499 2018-03-30  Mark Lam  <mark.lam@apple.com>
1500
1501         Add pointer profiling support in baseline JIT and supporting files.
1502         https://bugs.webkit.org/show_bug.cgi?id=184200
1503         <rdar://problem/39057300>
1504
1505         Reviewed by Filip Pizlo.
1506
1507         1. To simplify pointer profiling support, vmEntryToJavaScript() now always enters
1508            the code via the arity check entry.
1509         2. To accommodate (1), all JITCode must now populate their arity check entry code
1510            pointers as well.  For native code, programs, evals, and modules that don't
1511            do arity check, we set the normal entry as the arity check entry (though with
1512            the CodeEntryWithArityCheckPtrTag profile instead).
1513
1514         * assembler/AbstractMacroAssembler.h:
1515         * assembler/LinkBuffer.h:
1516         (JSC::LinkBuffer::locationOfNearCall):
1517         * assembler/MacroAssemblerARM64.h:
1518         (JSC::MacroAssemblerARM64::readCallTarget):
1519         (JSC::MacroAssemblerARM64::linkCall):
1520         * bytecode/AccessCase.cpp:
1521         (JSC::AccessCase::generateImpl):
1522         * bytecode/AccessCaseSnippetParams.cpp:
1523         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1524         * bytecode/CodeBlock.cpp:
1525         (JSC::CodeBlock::addJITAddIC):
1526         (JSC::CodeBlock::addJITMulIC):
1527         (JSC::CodeBlock::addJITSubIC):
1528         (JSC::CodeBlock::addJITNegIC):
1529         * bytecode/CodeBlock.h:
1530         (JSC::CodeBlock::addMathIC):
1531         * bytecode/InlineAccess.cpp:
1532         (JSC::InlineAccess::rewireStubAsJump):
1533         * bytecode/LLIntCallLinkInfo.h:
1534         (JSC::LLIntCallLinkInfo::unlink):
1535         (): Deleted.
1536         * bytecode/PolymorphicAccess.cpp:
1537         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1538         (JSC::PolymorphicAccess::regenerate):
1539         * dfg/DFGJITFinalizer.cpp:
1540         (JSC::DFG::JITFinalizer::finalize):
1541         (JSC::DFG::JITFinalizer::finalizeFunction):
1542         * dfg/DFGSpeculativeJIT.cpp:
1543         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1544         (JSC::DFG::SpeculativeJIT::compileArithSub):
1545         (JSC::DFG::SpeculativeJIT::compileArithNegate):
1546         (JSC::DFG::SpeculativeJIT::compileArithMul):
1547         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1548         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1549         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1550         * disassembler/ARM64Disassembler.cpp:
1551         (JSC::tryToDisassemble):
1552         * ftl/FTLJITFinalizer.cpp:
1553         (JSC::FTL::JITFinalizer::finalizeCommon):
1554         * ftl/FTLLowerDFGToB3.cpp:
1555         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
1556         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
1557         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
1558         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
1559         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
1560         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
1561         * heap/JITStubRoutineSet.h:
1562         (JSC::JITStubRoutineSet::mark):
1563         * jit/AssemblyHelpers.cpp:
1564         (JSC::AssemblyHelpers::callExceptionFuzz):
1565         (JSC::AssemblyHelpers::debugCall):
1566         * jit/AssemblyHelpers.h:
1567         (JSC::AssemblyHelpers::emitFunctionPrologue):
1568         * jit/CCallHelpers.cpp:
1569         (JSC::CCallHelpers::ensureShadowChickenPacket):
1570         * jit/CCallHelpers.h:
1571         (JSC::CCallHelpers::prepareForTailCallSlow):
1572         * jit/CallFrameShuffler.cpp:
1573         (JSC::CallFrameShuffler::prepareForTailCall):
1574         * jit/ExecutableAllocator.cpp:
1575         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1576         * jit/ExecutableAllocator.h:
1577         (JSC::performJITMemcpy):
1578         * jit/JIT.cpp:
1579         (JSC::JIT::compileWithoutLinking):
1580         (JSC::JIT::link):
1581         * jit/JITArithmetic.cpp:
1582         (JSC::JIT::emit_op_negate):
1583         (JSC::JIT::emit_op_add):
1584         (JSC::JIT::emitMathICFast):
1585         (JSC::JIT::emitMathICSlow):
1586         (JSC::JIT::emit_op_mul):
1587         (JSC::JIT::emit_op_sub):
1588         * jit/JITCode.cpp:
1589         (JSC::JITCode::execute):
1590         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1591         (JSC::DirectJITCode::DirectJITCode):
1592         (JSC::DirectJITCode::initializeCodeRef):
1593         (JSC::NativeJITCode::addressForCall):
1594         * jit/JITExceptions.cpp:
1595         (JSC::genericUnwind):
1596         * jit/JITMathIC.h:
1597         (JSC::isProfileEmpty):
1598         (JSC::JITBinaryMathIC::JITBinaryMathIC):
1599         (JSC::JITUnaryMathIC::JITUnaryMathIC):
1600         * jit/JITOpcodes.cpp:
1601         (JSC::JIT::emit_op_switch_imm):
1602         (JSC::JIT::emit_op_switch_char):
1603         (JSC::JIT::emit_op_switch_string):
1604         (JSC::JIT::privateCompileHasIndexedProperty):
1605         (JSC::JIT::emitSlow_op_has_indexed_property):
1606         * jit/JITOpcodes32_64.cpp:
1607         (JSC::JIT::privateCompileHasIndexedProperty):
1608         * jit/JITOperations.cpp:
1609         (JSC::getByVal):
1610         (JSC::tryGetByValOptimize):
1611         * jit/JITPropertyAccess.cpp:
1612         (JSC::JIT::stringGetByValStubGenerator):
1613         (JSC::JIT::emitGetByValWithCachedId):
1614         (JSC::JIT::emitSlow_op_get_by_val):
1615         (JSC::JIT::emitPutByValWithCachedId):
1616         (JSC::JIT::emitSlow_op_put_by_val):
1617         (JSC::JIT::emitSlow_op_try_get_by_id):
1618         (JSC::JIT::emitSlow_op_get_by_id):
1619         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1620         (JSC::JIT::emitSlow_op_put_by_id):
1621         (JSC::JIT::privateCompileGetByVal):
1622         (JSC::JIT::privateCompileGetByValWithCachedId):
1623         (JSC::JIT::privateCompilePutByVal):
1624         (JSC::JIT::privateCompilePutByValWithCachedId):
1625         * jit/JITThunks.cpp:
1626         (JSC::JITThunks::hostFunctionStub):
1627         * jit/Repatch.cpp:
1628         (JSC::tryCacheGetByID):
1629         (JSC::repatchGetByID):
1630         (JSC::appropriateOptimizingPutByIdFunction):
1631         (JSC::tryCachePutByID):
1632         (JSC::repatchPutByID):
1633         (JSC::linkFor):
1634         (JSC::revertCall):
1635         (JSC::linkPolymorphicCall):
1636         (JSC::resetGetByID):
1637         (JSC::resetPutByID):
1638         * jit/Repatch.h:
1639         * jit/SpecializedThunkJIT.h:
1640         (JSC::SpecializedThunkJIT::finalize):
1641         (JSC::SpecializedThunkJIT::callDoubleToDouble):
1642         * jit/ThunkGenerators.cpp:
1643         (JSC::emitPointerValidation):
1644         (JSC::throwExceptionFromCallSlowPathGenerator):
1645         (JSC::slowPathFor):
1646         (JSC::linkCallThunkGenerator): Deleted.
1647         (JSC::linkPolymorphicCallThunkGenerator): Deleted.
1648         (JSC::virtualThunkFor): Deleted.
1649         (JSC::nativeForGenerator): Deleted.
1650         (JSC::nativeCallGenerator): Deleted.
1651         (JSC::nativeTailCallGenerator): Deleted.
1652         (JSC::nativeTailCallWithoutSavedTagsGenerator): Deleted.
1653         (JSC::nativeConstructGenerator): Deleted.
1654         (JSC::internalFunctionCallGenerator): Deleted.
1655         (JSC::internalFunctionConstructGenerator): Deleted.
1656         (JSC::arityFixupGenerator): Deleted.
1657         (JSC::unreachableGenerator): Deleted.
1658         (JSC::stringCharLoad): Deleted.
1659         (JSC::charToString): Deleted.
1660         (JSC::charCodeAtThunkGenerator): Deleted.
1661         (JSC::charAtThunkGenerator): Deleted.
1662         (JSC::fromCharCodeThunkGenerator): Deleted.
1663         (JSC::clz32ThunkGenerator): Deleted.
1664         (JSC::sqrtThunkGenerator): Deleted.
1665         (JSC::floorThunkGenerator): Deleted.
1666         (JSC::ceilThunkGenerator): Deleted.
1667         (JSC::truncThunkGenerator): Deleted.
1668         (JSC::roundThunkGenerator): Deleted.
1669         (JSC::expThunkGenerator): Deleted.
1670         (JSC::logThunkGenerator): Deleted.
1671         (JSC::absThunkGenerator): Deleted.
1672         (JSC::imulThunkGenerator): Deleted.
1673         (JSC::randomThunkGenerator): Deleted.
1674         (JSC::boundThisNoArgsFunctionCallGenerator): Deleted.
1675         * llint/LLIntData.cpp:
1676         (JSC::LLInt::initialize):
1677         * llint/LLIntData.h:
1678         (JSC::LLInt::getCodePtr):
1679         * llint/LLIntEntrypoint.cpp:
1680         (JSC::LLInt::setEvalEntrypoint):
1681         (JSC::LLInt::setProgramEntrypoint):
1682         (JSC::LLInt::setModuleProgramEntrypoint):
1683         * llint/LLIntSlowPaths.cpp:
1684         (JSC::LLInt::setUpCall):
1685         * llint/LLIntThunks.cpp:
1686         (JSC::LLInt::generateThunkWithJumpTo):
1687         * llint/LowLevelInterpreter.asm:
1688         * llint/LowLevelInterpreter32_64.asm:
1689         * llint/LowLevelInterpreter64.asm:
1690         * runtime/ExecutableBase.h:
1691         * runtime/NativeExecutable.cpp:
1692         (JSC::NativeExecutable::finishCreation):
1693         * runtime/NativeFunction.h:
1694         (JSC::TaggedNativeFunction::TaggedNativeFunction):
1695         (JSC::TaggedNativeFunction::operator NativeFunction):
1696         * runtime/PropertySlot.h:
1697         (JSC::PropertySlot::setCustom):
1698         (JSC::PropertySlot::setCacheableCustom):
1699         * runtime/PtrTag.h:
1700         * runtime/PutPropertySlot.h:
1701         (JSC::PutPropertySlot::setCustomValue):
1702         (JSC::PutPropertySlot::setCustomAccessor):
1703         * runtime/SamplingProfiler.cpp:
1704         (JSC::SamplingProfiler::takeSample):
1705         * runtime/VMTraps.cpp:
1706         (JSC::SignalContext::SignalContext):
1707         (JSC::VMTraps::tryInstallTrapBreakpoints):
1708         * tools/SigillCrashAnalyzer.cpp:
1709         (JSC::installCrashHandler):
1710         * yarr/YarrJIT.cpp:
1711         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
1712         (JSC::Yarr::YarrGenerator::generateEnter):
1713
1714 2018-03-30  Devin Rousso  <webkit@devinrousso.com>
1715
1716         Web Inspector: tint all pixels drawn by shader program when hovering ShaderProgramTreeElement
1717         https://bugs.webkit.org/show_bug.cgi?id=175223
1718
1719         Reviewed by Matt Baker.
1720
1721         * inspector/protocol/Canvas.json:
1722         Add `setShaderProgramHighlighted` command that will cause a blend to be applied to the
1723         canvas if the given shader program is active immediately before `drawArrays` or `drawElements`
1724         is called. The blend is removed and the previous value is applied once the draw is complete.
1725
1726 2018-03-30  JF Bastien  <jfbastien@apple.com>
1727
1728         WebAssembly: support DataView compilation
1729         https://bugs.webkit.org/show_bug.cgi?id=183342
1730
1731         Reviewed by Mark Lam.
1732
1733         Compiling a module from a DataView was incorrectly dealing with
1734         DataView's offset.
1735
1736         * wasm/WasmModuleParser.cpp:
1737         (JSC::Wasm::ModuleParser::parse):
1738         * wasm/js/JSWebAssemblyHelpers.h:
1739         (JSC::getWasmBufferFromValue):
1740         (JSC::createSourceBufferFromValue):
1741         * wasm/js/WebAssemblyPrototype.cpp:
1742         (JSC::webAssemblyValidateFunc):
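
        The offset bug this entry describes (a DataView's byteOffset/byteLength being ignored
        when its bytes are handed to the Wasm parser) is illustrated below with an added
        JavaScript example. It is not JavaScriptCore code and does not reproduce
        getWasmBufferFromValue; the helper names bytesIgnoringOffset, bytesFromBufferSource
        and validateWith, and the padded byte buffer, are constructed for illustration. The
        general rule it demonstrates applies to any BufferSource consumer: a typed array or
        DataView covers only the window [byteOffset, byteOffset + byteLength) of its backing
        ArrayBuffer, never the whole buffer.

```javascript
// Added example (not JavaScriptCore code). Names and sample bytes are constructed.

// Minimal valid Wasm module: magic "\0asm" followed by version 1, no sections.
const EMPTY_MODULE = Uint8Array.from([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

// Backing buffer with 4 bytes of unrelated header before the module and 4 bytes
// of junk after it, so a correct consumer must honour both offset and length.
function makeBackingBuffer() {
  const bytes = new Uint8Array(4 + EMPTY_MODULE.length + 4);
  bytes.set([0xde, 0xad, 0xbe, 0xef], 0);            // constructed leading header
  bytes.set(EMPTY_MODULE, 4);                         // the module itself
  bytes.set([0xff, 0xff, 0xff, 0xff], 4 + EMPTY_MODULE.length); // constructed trailing junk
  return bytes.buffer;
}

// Buggy shape of the problem: treat a view as if it covered its whole backing
// buffer, ignoring byteOffset and byteLength.
function bytesIgnoringOffset(source) {
  const buffer = ArrayBuffer.isView(source) ? source.buffer : source;
  return new Uint8Array(buffer);
}

// Correct: an ArrayBuffer is used whole; any ArrayBufferView (typed array or
// DataView) contributes exactly the window it covers.
function bytesFromBufferSource(source) {
  if (source instanceof ArrayBuffer) return new Uint8Array(source);
  if (ArrayBuffer.isView(source)) {
    return new Uint8Array(source.buffer, source.byteOffset, source.byteLength);
  }
  throw new TypeError('expected an ArrayBuffer or ArrayBufferView');
}

// Run the extracted bytes through WebAssembly.validate. slice() copies the window
// into a fresh buffer so the engine sees only what the extractor selected.
function validateWith(extract, source) {
  return WebAssembly.validate(extract(source).slice());
}

// Stand-alone demonstration.
const view = new DataView(makeBackingBuffer(), 4, EMPTY_MODULE.length);
console.log('ignoring offset :', validateWith(bytesIgnoringOffset, view));   // false
console.log('honouring offset:', validateWith(bytesFromBufferSource, view)); // true
```

        The same helper accepts a typed-array view or a bare ArrayBuffer, so the caller
        does not need separate paths for DataView and Uint8Array arguments; the only
        branch that matters is "view or not", and for a view the offset and length come
        from the view, not from the backing buffer.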
1743
1744 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
1745
1746         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
1747         https://bugs.webkit.org/show_bug.cgi?id=184189
1748
1749         Reviewed by JF Bastien.
1750
1751         * bytecompiler/NodesCodegen.cpp:
1752         (JSC::ResolveNode::emitBytecode):
1753
1754 2018-03-30  Mark Lam  <mark.lam@apple.com>
1755
1756         Add pointer profiling support to Wasm.
1757         https://bugs.webkit.org/show_bug.cgi?id=184175
1758         <rdar://problem/39027923>
1759
1760         Reviewed by JF Bastien.
1761
1762         * runtime/PtrTag.h:
1763         * wasm/WasmB3IRGenerator.cpp:
1764         (JSC::Wasm::B3IRGenerator::addGrowMemory):
1765         (JSC::Wasm::B3IRGenerator::addCall):
1766         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1767         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
1768         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
1769         * wasm/WasmBBQPlan.cpp:
1770         (JSC::Wasm::BBQPlan::prepare):
1771         (JSC::Wasm::BBQPlan::complete):
1772         * wasm/WasmBinding.cpp:
1773         (JSC::Wasm::wasmToWasm):
1774         * wasm/WasmBinding.h:
1775         * wasm/WasmFaultSignalHandler.cpp:
1776         (JSC::Wasm::trapHandler):
1777         * wasm/WasmOMGPlan.cpp:
1778         (JSC::Wasm::OMGPlan::work):
1779         * wasm/WasmThunks.cpp:
1780         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1781         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1782         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1783         * wasm/js/WasmToJS.cpp:
1784         (JSC::Wasm::handleBadI64Use):
1785         (JSC::Wasm::wasmToJS):
1786         * wasm/js/WebAssemblyFunction.cpp:
1787         (JSC::callWebAssemblyFunction):
1788         * wasm/js/WebAssemblyFunction.h:
1789
1790 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
1791
1792         Unreviewed, rolling out r230102.
1793
1794         Caused assertion failures on JSC bots.
1795
1796         Reverted changeset:
1797
1798         "A stack overflow in the parsing of a builtin (called by
1799         createExecutable) causes a crash instead of a catchable JS
1800         exception"
1801         https://bugs.webkit.org/show_bug.cgi?id=184074
1802         https://trac.webkit.org/changeset/230102
1803
1804 2018-03-30  Robin Morisset  <rmorisset@apple.com>
1805
1806         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
1807         https://bugs.webkit.org/show_bug.cgi?id=183812
1808
1809         Reviewed by Keith Miller.
1810
1811         The fix I landed for https://bugs.webkit.org/show_bug.cgi?id=181027 was flawed: I tried setting the bytecodeIndex for the new block on line 1679 (at the end of inlineCall), but it is going to be reset on line 6612 (in parseCodeBlock).
1812         The fix is simply to make the block untargetable by default, and let parseCodeBlock make it targetable afterwards if it is a jump target.
1813
1814         * dfg/DFGByteCodeParser.cpp:
1815         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
1816         (JSC::DFG::ByteCodeParser::inlineCall):
1817
1818 2018-03-30  Robin Morisset  <rmorisset@apple.com>
1819
1820         A stack overflow in the parsing of a builtin (called by createExecutable) causes a crash instead of a catchable JS exception
1821         https://bugs.webkit.org/show_bug.cgi?id=184074
1822         <rdar://problem/37165897>
1823
1824         Reviewed by Keith Miller.
1825
1826         Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place.
1827         It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError.
1828         Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts.
1829         As a result, this patch is grotesquely large, while all it does is adding enough plumbing to throw a proper exception in this specific case.
1830
1831         There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow.
1832         If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too.
1833
1834         Two other minor changes:
1835         - I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead.
1836         - I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places.
1837
1838         * JavaScriptCore.xcodeproj/project.pbxproj:
1839         * Scripts/builtins/builtins_generate_combined_header.py:
1840         (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
1841         (ParserError):
1842         (generate_section_for_object): Deleted.
1843         (generate_externs_for_object): Deleted.
1844         (generate_macros_for_object): Deleted.
1845         (generate_section_for_code_table_macro): Deleted.
1846         (generate_section_for_code_name_macro): Deleted.
1847         (generate_section_for_global_private_code_name_macro): Deleted.
1848         * Scripts/builtins/builtins_generate_separate_header.py:
1849         (generate_secondary_header_includes):
1850         * Scripts/builtins/builtins_templates.py:
1851         * Sources.txt:
1852         * builtins/BuiltinExecutableCreator.cpp: Removed.
1853         * builtins/BuiltinExecutableCreator.h: Removed.
1854         * builtins/BuiltinExecutables.cpp:
1855         (JSC::BuiltinExecutables::createDefaultConstructor):
1856         (JSC::BuiltinExecutables::createBuiltinExecutable):
1857         (JSC::createBuiltinExecutable):
1858         (JSC::BuiltinExecutables::createExecutableOrCrash):
1859         (JSC::BuiltinExecutables::createExecutable):
1860         * builtins/BuiltinExecutables.h:
1861         * bytecompiler/BytecodeGenerator.h:
1862         * parser/ParserError.cpp: Added.
1863         (JSC::ParserError::toErrorObject):
1864         (JSC::ParserError::throwStackOverflowOrOutOfMemory):
1865         (WTF::printInternal):
1866         * parser/ParserError.h:
1867         (JSC::ParserError::toErrorObject): Deleted.
1868         (WTF::printInternal): Deleted.
1869         * runtime/AsyncIteratorPrototype.cpp:
1870         (JSC::AsyncIteratorPrototype::finishCreation):
1871         * runtime/FunctionPrototype.cpp:
1872         (JSC::FunctionPrototype::addFunctionProperties):
1873         * runtime/JSGlobalObject.cpp:
1874         (JSC::JSGlobalObject::init):
1875         * runtime/JSObject.cpp:
1876         (JSC::JSObject::getOwnStaticPropertySlot):
1877         (JSC::JSObject::reifyAllStaticProperties):
1878         * runtime/JSObject.h:
1879         (JSC::JSObject::getOwnNonIndexPropertySlot):
1880         (JSC::JSObject::getOwnPropertySlot):
1881         (JSC::JSObject::getPropertySlot):
1882         * runtime/JSObjectInlines.h:
1883         (JSC::JSObject::getNonIndexPropertySlot):
1884         * runtime/JSTypedArrayViewPrototype.cpp:
1885         (JSC::JSTypedArrayViewPrototype::finishCreation):
1886         * runtime/Lookup.cpp:
1887         (JSC::reifyStaticAccessor):
1888         (JSC::setUpStaticFunctionSlot):
1889         * runtime/Lookup.h:
1890         (JSC::getStaticPropertySlotFromTable):
1891         (JSC::reifyStaticProperty):
1892         * runtime/MapPrototype.cpp:
1893         (JSC::MapPrototype::finishCreation):
1894         * runtime/SetPrototype.cpp:
1895         (JSC::SetPrototype::finishCreation):
1896         * tools/JSDollarVM.cpp:
1897         (JSC::functionCreateBuiltin):
1898
1899 2018-03-30  Robin Morisset  <rmorisset@apple.com>
1900
1901         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
1902         https://bugs.webkit.org/show_bug.cgi?id=183657
1903         <rdar://problem/38464399>
1904
1905         Reviewed by Keith Miller.
1906
1907         There was just a missing check in unshiftCountForIndexingType.
1908         I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path',
1909         and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp).
1910         Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk.
1911
1912         * runtime/ArrayPrototype.cpp:
1913         (JSC::unshift):
1914         * runtime/JSArray.cpp:
1915         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1916         * runtime/JSObject.h:
1917         (JSC::JSObject::ensureLength):
1918
1919 2018-03-29  Mark Lam  <mark.lam@apple.com>
1920
1921         Add some pointer profiling support to B3 and Air.
1922         https://bugs.webkit.org/show_bug.cgi?id=184165
1923         <rdar://problem/39022125>
1924
1925         Reviewed by JF Bastien.
1926
1927         * b3/B3LowerMacros.cpp:
1928         * b3/B3LowerMacrosAfterOptimizations.cpp:
1929         * b3/B3MathExtras.cpp:
1930         * b3/B3ReduceStrength.cpp:
1931         * b3/air/AirCCallSpecial.cpp:
1932         (JSC::B3::Air::CCallSpecial::generate):
1933         * b3/air/AirCCallSpecial.h:
1934         * b3/testb3.cpp:
1935         (JSC::B3::testCallSimple):
1936         (JSC::B3::testCallRare):
1937         (JSC::B3::testCallRareLive):
1938         (JSC::B3::testCallSimplePure):
1939         (JSC::B3::testCallFunctionWithHellaArguments):
1940         (JSC::B3::testCallFunctionWithHellaArguments2):
1941         (JSC::B3::testCallFunctionWithHellaArguments3):
1942         (JSC::B3::testCallSimpleDouble):
1943         (JSC::B3::testCallSimpleFloat):
1944         (JSC::B3::testCallFunctionWithHellaDoubleArguments):
1945         (JSC::B3::testCallFunctionWithHellaFloatArguments):
1946         (JSC::B3::testLinearScanWithCalleeOnStack):
1947         (JSC::B3::testInterpreter):
1948         (JSC::B3::testLICMPure):
1949         (JSC::B3::testLICMPureSideExits):
1950         (JSC::B3::testLICMPureWritesPinned):
1951         (JSC::B3::testLICMPureWrites):
1952         (JSC::B3::testLICMReadsLocalState):
1953         (JSC::B3::testLICMReadsPinned):
1954         (JSC::B3::testLICMReads):
1955         (JSC::B3::testLICMPureNotBackwardsDominant):
1956         (JSC::B3::testLICMPureFoiledByChild):
1957         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1958         (JSC::B3::testLICMExitsSideways):
1959         (JSC::B3::testLICMWritesLocalState):
1960         (JSC::B3::testLICMWrites):
1961         (JSC::B3::testLICMFence):
1962         (JSC::B3::testLICMWritesPinned):
1963         (JSC::B3::testLICMControlDependent):
1964         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1965         (JSC::B3::testLICMControlDependentSideExits):
1966         (JSC::B3::testLICMReadsPinnedWritesPinned):
1967         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1968         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1969         (JSC::B3::testLICMDefaultCall):
1970         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
1971         * ftl/FTLLowerDFGToB3.cpp:
1972         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1973         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1974         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1975         * jit/GPRInfo.h:
1976         * runtime/PtrTag.h:
1977         * wasm/WasmBinding.cpp:
1978         (JSC::Wasm::wasmToWasm):
1979
1980 2018-03-29  JF Bastien  <jfbastien@apple.com>
1981
1982         Use Forward.h instead of forward-declaring WTF::String
1983         https://bugs.webkit.org/show_bug.cgi?id=184172
1984         <rdar://problem/39026146>
1985
1986         Reviewed by Yusuke Suzuki.
1987
1988         As part of #184164 I'm changing WTF::String, and the forward
1989         declarations are just wrong because I'm making it templated. We
1990         should use Forward.h anyway, so do that instead.
1991
1992         * runtime/DateConversion.h:
1993
1994 2018-03-29  Mark Lam  <mark.lam@apple.com>
1995
1996         Use MacroAssemblerCodePtr in Wasm code for code pointers instead of void*.
1997         https://bugs.webkit.org/show_bug.cgi?id=184163
1998         <rdar://problem/39020397>
1999
2000         Reviewed by JF Bastien.
2001
2002         With the use of MacroAssemblerCodePtr, we now get poisoning for Wasm code pointers.
2003
2004         Also renamed some structs, methods, and variable names to be more accurate.
2005         Previously, there was some confusion between a code pointer and the address of a
2006         code pointer (sometimes referred to in the code as a "LoadLocation").  We now name
2007         the LoadLocation variables appropriately to distinguish them from code pointers.
2008
2009         * wasm/WasmB3IRGenerator.cpp:
2010         (JSC::Wasm::B3IRGenerator::addCall):
2011         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2012         * wasm/WasmBinding.cpp:
2013         (JSC::Wasm::wasmToWasm):
2014         * wasm/WasmCodeBlock.cpp:
2015         (JSC::Wasm::CodeBlock::CodeBlock):
2016         * wasm/WasmCodeBlock.h:
2017         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
2018         (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
2019         * wasm/WasmFormat.h:
2020         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction):
2021         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation):
2022         (JSC::Wasm::CallableFunction::CallableFunction): Deleted.
2023         (JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
2024         * wasm/WasmInstance.h:
2025         (JSC::Wasm::Instance::offsetOfWasmEntrypointLoadLocation):
2026         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStub):
2027         (JSC::Wasm::Instance::offsetOfWasmEntrypoint): Deleted.
2028         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
2029         * wasm/WasmOMGPlan.cpp:
2030         (JSC::Wasm::OMGPlan::work):
2031         * wasm/WasmTable.cpp:
2032         (JSC::Wasm::Table::Table):
2033         (JSC::Wasm::Table::grow):
2034         (JSC::Wasm::Table::clearFunction):
2035         (JSC::Wasm::Table::setFunction):
2036         * wasm/WasmTable.h:
2037         (JSC::Wasm::Table::offsetOfFunctions):
2038         * wasm/js/JSWebAssemblyCodeBlock.h:
2039         * wasm/js/JSWebAssemblyInstance.cpp:
2040         (JSC::JSWebAssemblyInstance::finalizeCreation):
2041         (JSC::JSWebAssemblyInstance::create):
2042         * wasm/js/JSWebAssemblyTable.cpp:
2043         (JSC::JSWebAssemblyTable::setFunction):
2044         * wasm/js/WebAssemblyFunction.cpp:
2045         (JSC::WebAssemblyFunction::create):
2046         (JSC::WebAssemblyFunction::WebAssemblyFunction):
2047         * wasm/js/WebAssemblyFunction.h:
2048         * wasm/js/WebAssemblyModuleRecord.cpp:
2049         (JSC::WebAssemblyModuleRecord::link):
2050         (JSC::WebAssemblyModuleRecord::evaluate):
2051         * wasm/js/WebAssemblyWrapperFunction.cpp:
2052         (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
2053         (JSC::WebAssemblyWrapperFunction::create):
2054         * wasm/js/WebAssemblyWrapperFunction.h:
2055
2056 2018-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2057
2058         Remove WTF_EXPORTDATA and JS_EXPORTDATA
2059         https://bugs.webkit.org/show_bug.cgi?id=184170
2060
2061         Reviewed by JF Bastien.
2062
2063         Replace WTF_EXPORTDATA and JS_EXPORTDATA with
2064         WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE respectively.
2065
2066         * heap/WriteBarrierSupport.h:
2067         * jit/ExecutableAllocator.cpp:
2068         * jit/ExecutableAllocator.h:
2069         * runtime/JSCPoison.h:
2070         * runtime/JSCell.h:
2071         * runtime/JSExportMacros.h:
2072         * runtime/JSGlobalObject.h:
2073         * runtime/JSObject.h:
2074         * runtime/Options.h:
2075         * runtime/PropertyDescriptor.h:
2076         * runtime/PropertyMapHashTable.h:
2077         * runtime/SamplingCounter.h:
2078
2079 2018-03-29  Ross Kirsling  <ross.kirsling@sony.com>
2080
2081         MSVC __forceinline slows down JSC release build fivefold after r229391
2082         https://bugs.webkit.org/show_bug.cgi?id=184062
2083
2084         Reviewed by Alex Christensen.
2085
2086         * jit/CCallHelpers.h:
2087         (JSC::CCallHelpers::marshallArgumentRegister):
2088         Exempt MSVC from a single forced inline used within recursive templates.
2089
2090 2018-03-29  Keith Miller  <keith_miller@apple.com>
2091
2092         ArrayMode should not try to get the DFG to think it can convert TypedArrays
2093         https://bugs.webkit.org/show_bug.cgi?id=184137
2094
2095         Reviewed by Saam Barati.
2096
2097         * dfg/DFGArrayMode.cpp:
2098         (JSC::DFG::ArrayMode::fromObserved):
2099
2100 2018-03-29  Commit Queue  <commit-queue@webkit.org>
2101
2102         Unreviewed, rolling out r230062.
2103         https://bugs.webkit.org/show_bug.cgi?id=184128
2104
2105         Broke mac port. web content process crashes while loading any
2106         web page (Requested by rniwa on #webkit).
2107
2108         Reverted changeset:
2109
2110         "MSVC __forceinline slows down JSC release build fivefold
2111         after r229391"
2112         https://bugs.webkit.org/show_bug.cgi?id=184062
2113         https://trac.webkit.org/changeset/230062
2114
2115 2018-03-28  Ross Kirsling  <ross.kirsling@sony.com>
2116
2117         MSVC __forceinline slows down JSC release build fivefold after r229391
2118         https://bugs.webkit.org/show_bug.cgi?id=184062
2119
2120         Reviewed by Alex Christensen.
2121
2122         * jit/CCallHelpers.h:
2123         (JSC::CCallHelpers::marshallArgumentRegister):
2124         Exempt MSVC from a single forced inline used within recursive templates.
2125
2126 2018-03-28  Mark Lam  <mark.lam@apple.com>
2127
2128         Enhance ARM64 probe to support pointer profiling.
2129         https://bugs.webkit.org/show_bug.cgi?id=184069
2130         <rdar://problem/38939879>
2131
2132         Reviewed by JF Bastien.
2133
2134         * assembler/MacroAssemblerARM64.cpp:
2135         (JSC::MacroAssembler::probe):
2136         * assembler/MacroAssemblerX86Common.h:
2137         (JSC::MacroAssemblerX86Common::popPair):
2138         (JSC::MacroAssemblerX86Common::pushPair):
2139         * assembler/testmasm.cpp:
2140         (JSC::testProbeReadsArgumentRegisters):
2141         (JSC::testProbeWritesArgumentRegisters):
2142         * runtime/PtrTag.h:
2143         (JSC::tagForPtr):
2144
2145 2018-03-28  Robin Morisset  <rmorisset@apple.com>
2146
2147         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
2148         https://bugs.webkit.org/show_bug.cgi?id=183894
2149
2150         Reviewed by Saam Barati.
2151
2152         Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
2153
2154         * runtime/JSONObject.cpp:
2155         (JSC::Stringifier::appendStringifiedValue):
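
        Added example, not JavaScriptCore code: a JSON string quoter in the spirit of the fix above, where the worst-case output length is overflow-checked up front and a failure is returned through every caller instead of stopping part-way through the output. The size cap, the StringBuilder type and all function names here are constructed for the example; the overflow builtins assume GCC or Clang.

```c
/* Added example, not JSC code. Quoting fails cleanly (builder left untouched)
 * and the caller propagates that failure; it never emits a truncated string. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed cap standing in for "a string that is too large to handle". */
#define MAX_OUTPUT_LENGTH ((size_t)1 << 30)

typedef struct {
    char *data;
    size_t length;
    size_t capacity;
} StringBuilder;

/* Make room for `extra` more bytes; false if length + extra overflows or
 * exceeds the cap. Existing contents are never modified on failure. */
static bool sb_reserve(StringBuilder *sb, size_t extra)
{
    size_t needed;
    if (__builtin_add_overflow(sb->length, extra, &needed) || needed > MAX_OUTPUT_LENGTH)
        return false;
    if (needed <= sb->capacity)
        return true;
    size_t cap = sb->capacity ? sb->capacity : 64;
    while (cap < needed)
        if (__builtin_mul_overflow(cap, (size_t)2, &cap))
            return false;
    char *p = realloc(sb->data, cap);
    if (!p)
        return false;
    sb->data = p;
    sb->capacity = cap;
    return true;
}

/* Append `n` bytes of `s` as a quoted JSON string. Worst case: every byte
 * becomes \u00XX (6 bytes) plus the two quotes; that bound is checked
 * before a single input byte is read. */
static bool append_quoted_json_string(StringBuilder *sb, const char *s, size_t n)
{
    static const char hex[] = "0123456789abcdef";
    size_t worst;
    if (__builtin_mul_overflow(n, (size_t)6, &worst) || __builtin_add_overflow(worst, (size_t)2, &worst))
        return false;
    if (!sb_reserve(sb, worst))
        return false;
    char *out = sb->data + sb->length;
    *out++ = '"';
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        switch (c) {
        case '"':  *out++ = '\\'; *out++ = '"';  break;
        case '\\': *out++ = '\\'; *out++ = '\\'; break;
        case '\b': *out++ = '\\'; *out++ = 'b';  break;
        case '\f': *out++ = '\\'; *out++ = 'f';  break;
        case '\n': *out++ = '\\'; *out++ = 'n';  break;
        case '\r': *out++ = '\\'; *out++ = 'r';  break;
        case '\t': *out++ = '\\'; *out++ = 't';  break;
        default:
            if (c < 0x20) { /* remaining control bytes: \u00XX */
                *out++ = '\\'; *out++ = 'u'; *out++ = '0'; *out++ = '0';
                *out++ = hex[c >> 4]; *out++ = hex[c & 0xF];
            } else
                *out++ = (char)c;
        }
    }
    *out++ = '"';
    sb->length = (size_t)(out - sb->data);
    return true;
}

/* Caller in the style of a stringifier: a JSON array of strings. Any quoting
 * failure is returned to the top-level caller rather than papered over. */
static bool stringify_string_array(StringBuilder *sb, const char *const *items, size_t count)
{
    if (!sb_reserve(sb, 1))
        return false;
    sb->data[sb->length++] = '[';
    for (size_t i = 0; i < count; i++) {
        if (i) {
            if (!sb_reserve(sb, 1))
                return false;
            sb->data[sb->length++] = ',';
        }
        if (!append_quoted_json_string(sb, items[i], strlen(items[i])))
            return false; /* propagate upward */
    }
    if (!sb_reserve(sb, 2))
        return false;
    sb->data[sb->length++] = ']';
    sb->data[sb->length] = '\0'; /* terminator, not counted in length */
    return true;
}

/* Constructed sample input covering quote, newline and raw control-byte escapes. */
static const char *const SAMPLE_ITEMS[] = { "a\"b", "line\n", "\x01" };

static const char *demo_stringify(void)
{
    static StringBuilder sb; /* zero-initialised; reused across calls */
    sb.length = 0;
    return stringify_string_array(&sb, SAMPLE_ITEMS, 3) ? sb.data : NULL;
}

/* An unrepresentable length is rejected before any byte is read. */
static bool demo_oversize_rejected(void)
{
    StringBuilder sb = { 0 };
    bool ok = append_quoted_json_string(&sb, NULL, MAX_OUTPUT_LENGTH);
    return !ok && sb.length == 0 && sb.data == NULL;
}
```

        The design point is that the bound check happens in the callee and the boolean travels all the way out: `stringify_string_array` has no way to "keep going" with a half-quoted element, which is the class of bug the entry above closes.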
2156
2157 2018-03-28  Carlos Garcia Campos  <cgarcia@igalia.com>
2158
2159         [JSC] Move WeakValueRef class to its own file and use it from Objc and GLib
2160         https://bugs.webkit.org/show_bug.cgi?id=184073
2161
2162         Reviewed by Yusuke Suzuki.
2163
2164         We currently have duplicated code in the Objc and GLib implementations.
2165
2166         * API/JSManagedValue.mm:
2167         (managedValueHandleOwner):
2168         (-[JSManagedValue initWithValue:]):
2169         * API/JSWeakValue.cpp: Added.
2170         (JSC::JSWeakValue::~JSWeakValue):
2171         (JSC::JSWeakValue::clear):
2172         (JSC::JSWeakValue::isClear const):
2173         (JSC::JSWeakValue::setPrimitive):
2174         (JSC::JSWeakValue::setObject):
2175         (JSC::JSWeakValue::setString):
2176         * API/JSWeakValue.h: Added.
2177         (JSC::JSWeakValue::isSet const):
2178         (JSC::JSWeakValue::isPrimitive const):
2179         (JSC::JSWeakValue::isObject const):
2180         (JSC::JSWeakValue::isString const):
2181         (JSC::JSWeakValue::object const):
2182         (JSC::JSWeakValue::primitive const):
2183         (JSC::JSWeakValue::string const):
2184         * API/glib/JSCWeakValue.cpp:
2185         * JavaScriptCore.xcodeproj/project.pbxproj:
2186         * Sources.txt:
2187
2188 2018-03-27  Carlos Garcia Campos  <cgarcia@igalia.com>
2189
2190         [GLIB] Add JSCWeakValue to JavaScriptCore GLib API
2191         https://bugs.webkit.org/show_bug.cgi?id=184041
2192
2193         Reviewed by Michael Catanzaro.
2194
2195         This allows keeping a reference to a JavaScript value without protecting it, and without having a strong
2196         reference to the context. When the value is cleared the JSCWeakValue::cleared signal is emitted and
2197         jsc_weak_value_get_value() will always return nullptr.
2198
2199         * API/glib/JSCWeakValue.cpp: Added.
2200         (WeakValueRef::~WeakValueRef):
2201         (WeakValueRef::clear):
2202         (WeakValueRef::isClear const):
2203         (WeakValueRef::isSet const):
2204         (WeakValueRef::isPrimitive const):
2205         (WeakValueRef::isObject const):
2206         (WeakValueRef::isString const):
2207         (WeakValueRef::setPrimitive):
2208         (WeakValueRef::setObject):
2209         (WeakValueRef::setString):
2210         (WeakValueRef::object const):
2211         (WeakValueRef::primitive const):
2212         (WeakValueRef::string const):
2213         (weakValueHandleOwner):
2214         (jscWeakValueInitialize):
2215         (jscWeakValueSetProperty):
2216         (jscWeakValueDispose):
2217         (jsc_weak_value_class_init):
2218         (jsc_weak_value_new):
2219         (jsc_weak_value_get_value):
2220         * API/glib/JSCWeakValue.h: Added.
2221         * API/glib/docs/jsc-glib-4.0-sections.txt:
2222         * API/glib/docs/jsc-glib-docs.sgml:
2223         * API/glib/jsc.h:
2224         * GLib.cmake:
2225
2226 2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2227
2228         [DFG] Remove unnecessary USE(JSVALUE32_64) / USE(JSVALUE64)
2229         https://bugs.webkit.org/show_bug.cgi?id=181292
2230
2231         Reviewed by Saam Barati.
2232
2233         By using JSValueRegs abstraction, we can simplify DFGSpeculativeJIT.cpp code.
2234
2235         * dfg/DFGSpeculativeJIT.cpp:
2236         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2237         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2238         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2239         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2240         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2241         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
2242         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
2243
2244 2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2245
2246         Add Load16Z for B3 and use it in WebAssembly
2247         https://bugs.webkit.org/show_bug.cgi?id=165884
2248
2249         Reviewed by JF Bastien.
2250
2251         We already support Load16Z in B3. Use it for i32.load16_u / i64.load16_u in WebAssembly.
2252         spec-tests/memory.wast.js already covered this change.
2253
2254         * wasm/WasmB3IRGenerator.cpp:
2255         (JSC::Wasm::B3IRGenerator::emitLoadOp):
2256
2257 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2258
2259         [JSC] Remove repeated iteration of ElementNode
2260         https://bugs.webkit.org/show_bug.cgi?id=183987
2261
2262         Reviewed by Keith Miller.
2263
2264         BytecodeGenerator repeatedly iterates ElementNode to emit efficient code.
2265         While it is OK for small arrays, this repeated iteration takes a lot of time
2266         if the array is very large. For example, Kraken's initialization code includes a
2267         very large array with numeric literals. This makes bytecode compiling take very long.
2268
2269         This patch carefully removes unnecessary iteration when emitting arrays.
2270         This reduces one of Kraken/imaging-darkroom's bytecode compiling from 13.169856 ms
2271         to 9.988050 ms.
2272
2273         * bytecompiler/BytecodeGenerator.cpp:
2274         (JSC::BytecodeGenerator::emitNewArrayBuffer):
2275         (JSC::BytecodeGenerator::emitNewArray):
2276         * bytecompiler/BytecodeGenerator.h:
2277         * bytecompiler/NodesCodegen.cpp:
2278         (JSC::ArrayNode::emitBytecode):
2279         (JSC::ArrayPatternNode::bindValue const):
2280         (JSC::ArrayPatternNode::emitDirectBinding):
2281
2282 2018-03-26  Ross Kirsling  <ross.kirsling@sony.com>
2283
2284         JIT callOperation() needs to support operations that return SlowPathReturnType differently on Windows.
2285         https://bugs.webkit.org/show_bug.cgi?id=183655
2286
2287         Reviewed by Keith Miller.
2288
2289         * jit/CCallHelpers.h:
2290         (JSC::CCallHelpers::ArgCollection::argCount):
2291         (JSC::CCallHelpers::marshallArgumentRegister):
2292         (JSC::CCallHelpers::setupArgumentsImpl):
2293         On Win64, ensure that argCount always includes GPRs and FPRs and that counting starts from 1 for SlowPathReturnType.
2294
2295         * jit/JIT.h:
2296         (JSC::JIT::callOperation):
2297         (JSC::JIT::is64BitType):
2298         (JSC::JIT::is64BitType<void>):
2299         On Win64, ensure special call is used for SlowPathReturnType.
2300
2301         * jit/JITOperations.h:
2302         Update changed type.
2303
2304 2018-03-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2305
2306         We should have SSE4 detection in the X86 MacroAssembler.
2307         https://bugs.webkit.org/show_bug.cgi?id=165363
2308
2309         Reviewed by JF Bastien.
2310
2311         This patch adds popcnt support to WASM in x86_64 environment.
2312         To use it, we refactor our CPUID feature detection in MacroAssemblerX86Common.
2313         Our spec-tests already cover popcnt.
2314
2315         * assembler/MacroAssemblerARM64.h:
2316         (JSC::MacroAssemblerARM64::supportsCountPopulation):
2317         * assembler/MacroAssemblerX86Common.cpp:
2318         (JSC::MacroAssemblerX86Common::getCPUID):
2319         (JSC::MacroAssemblerX86Common::getCPUIDEx):
2320         (JSC::MacroAssemblerX86Common::collectCPUFeatures):
2321         * assembler/MacroAssemblerX86Common.h:
2322         (JSC::MacroAssemblerX86Common::countPopulation32):
2323         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
2324         (JSC::MacroAssemblerX86Common::supportsCountPopulation):
2325         (JSC::MacroAssemblerX86Common::supportsAVX):
2326         (JSC::MacroAssemblerX86Common::supportsLZCNT):
2327         (JSC::MacroAssemblerX86Common::supportsBMI1):
2328         (JSC::MacroAssemblerX86Common::isSSE2Present):
2329         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags): Deleted.
2330         * assembler/MacroAssemblerX86_64.h:
2331         (JSC::MacroAssemblerX86_64::countPopulation64):
2332         * assembler/X86Assembler.h:
2333         (JSC::X86Assembler::popcnt_rr):
2334         (JSC::X86Assembler::popcnt_mr):
2335         (JSC::X86Assembler::popcntq_rr):
2336         (JSC::X86Assembler::popcntq_mr):
2337         * wasm/WasmB3IRGenerator.cpp:
2338         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
2339         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
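
        Added example, not JavaScriptCore code: the shape of the detection the entry above describes, a one-time CPUID probe for the POPCNT feature bit that gates use of the popcnt instruction, with a portable bit count as the fallback. The function names are constructed for this example; the hardware path assumes GCC or Clang on x86/x86-64 (`<cpuid.h>` and the `target("popcnt")` attribute), and every other target takes the fallback unconditionally.

```c
/* Added example, not JSC code. CPUID leaf 1, ECX bit 23 advertises POPCNT. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

#define CPUID_1_ECX_POPCNT (1u << 23)

/* True when the running CPU advertises POPCNT. Returns false on other targets
 * or when leaf 1 is unavailable, so callers never reach the hardware path blindly. */
static bool cpu_supports_popcnt(void)
{
#if HAVE_X86_CPUID
    unsigned eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return false;
    return (ecx & CPUID_1_ECX_POPCNT) != 0;
#else
    return false;
#endif
}

/* Portable population count (SWAR); correct on every target. */
static uint32_t popcount32_portable(uint32_t v)
{
    v = v - ((v >> 1) & 0x55555555u);
    v = (v & 0x33333333u) + ((v >> 2) & 0x33333333u);
    v = (v + (v >> 4)) & 0x0F0F0F0Fu;
    return (v * 0x01010101u) >> 24;
}

static uint32_t popcount64_portable(uint64_t v)
{
    return popcount32_portable((uint32_t)v) + popcount32_portable((uint32_t)(v >> 32));
}

#if HAVE_X86_CPUID
/* Built with the popcnt target feature so the builtin lowers to the real
 * instruction. On a CPU without POPCNT this raises #UD, which is exactly why
 * it has to sit behind the probe. */
__attribute__((target("popcnt")))
static uint32_t popcount64_hw(uint64_t v)
{
    return (uint32_t)__builtin_popcountll(v);
}
#endif

/* Probe once, cache the answer, then dispatch. */
static uint32_t popcount64(uint64_t v)
{
#if HAVE_X86_CPUID
    static int has_popcnt = -1;
    if (has_popcnt < 0)
        has_popcnt = cpu_supports_popcnt() ? 1 : 0;
    if (has_popcnt)
        return popcount64_hw(v);
#endif
    return popcount64_portable(v);
}

int main(void)
{
    printf("popcnt supported: %s\n", cpu_supports_popcnt() ? "yes" : "no");
    printf("popcount64(0x8000000000000001) = %u\n", popcount64(0x8000000000000001ull));
    return 0;
}
```

        Whichever path is taken, the result must agree with the portable count; that equality is the cheap self-check to keep when a JIT or runtime starts emitting an instruction based on a feature bit.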
2340
2341 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
2342
2343         DFG should know that CreateThis can be effectful
2344         https://bugs.webkit.org/show_bug.cgi?id=184013
2345
2346         Reviewed by Saam Barati.
2347
2348         As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this
2349         is a proxy.
2350
2351         * dfg/DFGAbstractInterpreterInlines.h:
2352         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2353         * dfg/DFGClobberize.h:
2354         (JSC::DFG::clobberize):
2355
2356 2018-03-25  Saam Barati  <sbarati@apple.com>
2357
2358         Fix typo in JSC option name
2359         https://bugs.webkit.org/show_bug.cgi?id=184001
2360
2361         Reviewed by Mark Lam.
2362
2363         enableJITDebugAssetions => enableJITDebugAssertions.
2364
2365         * assembler/MacroAssembler.cpp:
2366         (JSC::MacroAssembler::jitAssert):
2367         * runtime/Options.h:
2368
2369 2018-03-25  Saam Barati  <sbarati@apple.com>
2370
2371         r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
2372         https://bugs.webkit.org/show_bug.cgi?id=183995
2373
2374         Reviewed by Filip Pizlo.
2375
2376         The removal of this line of code was unintended and happened during some
2377         refactoring Fil was doing. The consequence of removing this line of code
2378         is that the m_emptyCursor became a monotonically increasing integer, leading
2379         the cursor to usually be out of bounds of the block range (depending on
2380         what the program is doing). This made the functionality of finding an empty
2381         block to steal almost always fail.
2382
2383         * heap/BlockDirectory.cpp:
2384         (JSC::BlockDirectory::prepareForAllocation):
2385
2386 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2387
2388         [DFG] Introduces fused compare and jump
2389         https://bugs.webkit.org/show_bug.cgi?id=177100
2390
2391         Reviewed by Mark Lam.
2392
2393         This patch introduces op_jeq, op_jneq, op_jstricteq, and op_jnstricteq.
2394         It offers 3 benefits.
2395
2396         1. They are introduced for a similar purpose to op_jless etc. It aligns
2397         the op_eq family with the op_jless family.
2398
2399         2. It reduces the size of bytecode to represent the typical code sequence.
2400
2401         3. It offers a way to fuse check and jump in DFG code generation. Since
2402         we previously had a MovHint between Branch and CompareEq/CompareStrictEq,
2403         we could not do this optimization. It reduces the machine code size in DFG too.
2404
2405         It slightly improves Octane/boyer.
2406
2407             boyer  6.18038+-0.05002    ^     6.06990+-0.04176       ^ definitely 1.0182x faster
2408
2409         * bytecode/BytecodeDumper.cpp:
2410         (JSC::BytecodeDumper<Block>::dumpBytecode):
2411         * bytecode/BytecodeList.json:
2412         * bytecode/BytecodeUseDef.h:
2413         (JSC::computeUsesForBytecodeOffset):
2414         (JSC::computeDefsForBytecodeOffset):
2415         * bytecode/Opcode.h:
2416         (JSC::isBranch):
2417         * bytecode/PreciseJumpTargetsInlines.h:
2418         (JSC::extractStoredJumpTargetsForBytecodeOffset):
2419         * bytecompiler/BytecodeGenerator.cpp:
2420         (JSC::BytecodeGenerator::emitJumpIfTrue):
2421         (JSC::BytecodeGenerator::emitJumpIfFalse):
2422         * dfg/DFGByteCodeParser.cpp:
2423         (JSC::DFG::ByteCodeParser::parseBlock):
2424         * dfg/DFGCapabilities.cpp:
2425         (JSC::DFG::capabilityLevel):
2426         * dfg/DFGOperations.cpp:
2427         * dfg/DFGOperations.h:
2428         * dfg/DFGSpeculativeJIT.cpp:
2429         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2430         * jit/JIT.cpp:
2431         (JSC::JIT::privateCompileMainPass):
2432         (JSC::JIT::privateCompileSlowCases):
2433         * jit/JIT.h:
2434         * jit/JITOpcodes.cpp:
2435         (JSC::JIT::emit_op_jeq):
2436         (JSC::JIT::emit_op_neq):
2437         (JSC::JIT::emit_op_jneq):
2438         (JSC::JIT::compileOpStrictEq):
2439         (JSC::JIT::emit_op_stricteq):
2440         (JSC::JIT::emit_op_nstricteq):
2441         (JSC::JIT::compileOpStrictEqJump):
2442         (JSC::JIT::emit_op_jstricteq):
2443         (JSC::JIT::emit_op_jnstricteq):
2444         (JSC::JIT::emitSlow_op_jstricteq):
2445         (JSC::JIT::emitSlow_op_jnstricteq):
2446         (JSC::JIT::emitSlow_op_jeq):
2447         (JSC::JIT::emitSlow_op_jneq):
2448         * jit/JITOpcodes32_64.cpp:
2449         (JSC::JIT::emitSlow_op_eq):
2450         (JSC::JIT::emit_op_jeq):
2451         (JSC::JIT::compileOpEqJumpSlow):
2452         (JSC::JIT::emitSlow_op_jeq):
2453         (JSC::JIT::emit_op_jneq):
2454         (JSC::JIT::emitSlow_op_jneq):
2455         (JSC::JIT::compileOpStrictEq):
2456         (JSC::JIT::emit_op_stricteq):
2457         (JSC::JIT::emit_op_nstricteq):
2458         (JSC::JIT::compileOpStrictEqJump):
2459         (JSC::JIT::emit_op_jstricteq):
2460         (JSC::JIT::emit_op_jnstricteq):
2461         (JSC::JIT::emitSlow_op_jstricteq):
2462         (JSC::JIT::emitSlow_op_jnstricteq):
2463         * jit/JITOperations.cpp:
2464         * jit/JITOperations.h:
2465         * llint/LLIntSlowPaths.cpp:
2466         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2467         * llint/LLIntSlowPaths.h:
2468         * llint/LowLevelInterpreter.asm:
2469         * llint/LowLevelInterpreter32_64.asm:
2470         * llint/LowLevelInterpreter64.asm:
2471
2472 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2473
2474         [JSC] Improve constants and add comments for CodeBlockHash
2475         https://bugs.webkit.org/show_bug.cgi?id=183982
2476
2477         Rubber-stamped by Mark Lam.
2478
2479         * bytecode/CodeBlockHash.cpp:
2480         (JSC::CodeBlockHash::CodeBlockHash):
2481         * bytecode/ParseHash.cpp:
2482         (JSC::ParseHash::ParseHash):
2483
2484 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2485
2486         [JSC] Add options to report parsing and bytecode compiling times
2487         https://bugs.webkit.org/show_bug.cgi?id=183982
2488
2489         Reviewed by Mark Lam.
2490
2491         This patch adds reportParseTimes and reportBytecodeCompileTimes options.
2492         When they are enabled, JSC reports times consumed for parsing and bytecode
2493         compiling.
2494
2495         * JavaScriptCore.xcodeproj/project.pbxproj:
2496         * Sources.txt:
2497         * bytecode/ParseHash.cpp: Added.
2498         (JSC::ParseHash::ParseHash):
2499         * bytecode/ParseHash.h: Added.
2500         (JSC::ParseHash::hashForCall const):
2501         (JSC::ParseHash::hashForConstruct const):
2502         * bytecode/UnlinkedFunctionExecutable.cpp:
2503         (JSC::generateUnlinkedFunctionCodeBlock):
2504         * bytecompiler/BytecodeGenerator.h:
2505         (JSC::BytecodeGenerator::generate):
2506         * parser/Parser.h:
2507         (JSC::parse):
2508         * runtime/CodeCache.h:
2509         (JSC::generateUnlinkedCodeBlock):
2510         * runtime/Options.h:
2511
2512 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2513
2514         [JIT] Drop ENABLE_JIT_VERBOSE flag
2515         https://bugs.webkit.org/show_bug.cgi?id=183983
2516
2517         Reviewed by Mark Lam.
2518
2519         Just use JITInternal::verbose value.
2520
2521         * jit/JIT.cpp:
2522         (JSC::JIT::privateCompileMainPass):
2523         (JSC::JIT::privateCompileSlowCases):
2524         (JSC::JIT::link):
2525
2526 2018-03-23  Tim Horton  <timothy_horton@apple.com>
2527
2528         Fix the build with no pasteboard
2529         https://bugs.webkit.org/show_bug.cgi?id=183973
2530
2531         Reviewed by Dan Bernstein.
2532
2533         * Configurations/FeatureDefines.xcconfig:
2534
2535 2018-03-23  Mark Lam  <mark.lam@apple.com>
2536
2537         LLInt TypeArray pointer poisoning should not pick its poison dynamically.
2538         https://bugs.webkit.org/show_bug.cgi?id=183942
2539         <rdar://problem/38798018>
2540
2541         Reviewed by JF Bastien.
2542
2543         1. Move the LLInt TypedArray unpoisoning to just before the array access after
2544            all the branches.
2545         2. Renamed FirstArrayType to FirstTypedArrayType to match the symbol in C++ code.
2546         3. Remove a useless instruction in the implementation of emitX86Lea for a global
2547            label.
2548
2549         * llint/LowLevelInterpreter.asm:
2550         * llint/LowLevelInterpreter64.asm:
2551         * offlineasm/x86.rb:
2552
2553 2018-03-23  Mark Lam  <mark.lam@apple.com>
2554
2555         Add more support for pointer profiling.
2556         https://bugs.webkit.org/show_bug.cgi?id=183943
2557         <rdar://problem/38799068>
2558
2559         Reviewed by JF Bastien.
2560
2561         * assembler/ARM64Assembler.h:
2562         (JSC::ARM64Assembler::linkJumpOrCall):
2563         * assembler/AbstractMacroAssembler.h:
2564         (JSC::AbstractMacroAssembler::repatchNearCall):
2565         (JSC::AbstractMacroAssembler::tagReturnAddress):
2566         (JSC::AbstractMacroAssembler::untagReturnAddress):
2567
2568 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2569
2570         [WTF] Add standard containers with FastAllocator specialization
2571         https://bugs.webkit.org/show_bug.cgi?id=183789
2572
2573         Reviewed by Darin Adler.
2574
2575         * b3/air/testair.cpp:
2576         * b3/testb3.cpp:
2577         (JSC::B3::testDoubleLiteralComparison):
2578         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
2579         * dfg/DFGGraph.h:
2580         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2581         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2582         * ftl/FTLLowerDFGToB3.cpp:
2583         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
2584         * runtime/FunctionHasExecutedCache.h:
2585         * runtime/TypeLocationCache.h:
2586
2587 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2588
2589         [FTL] Fix ArrayPush(ArrayStorage)'s abstract heap
2590         https://bugs.webkit.org/show_bug.cgi?id=182960
2591
2592         Reviewed by Saam Barati.
2593
2594         This patch fixes ArrayPush(ArrayStorage)'s abstract heap.
2595         It should always touch ArrayStorage_vector. To unify
2596         vector setting code for the real ArrayStorage_vector and
2597         ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to
2598         annotate this.
2599
2600         * ftl/FTLLowerDFGToB3.cpp:
2601         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
2602
2603 2018-03-23  Zan Dobersek  <zdobersek@igalia.com>
2604
2605         Unreviewed build fix for GCC 4.9 builds.
2606
2607         * assembler/MacroAssemblerCodeRef.h: std::is_trivially_copyable<> isn't
2608         supported in 4.9 libstdc++, so wrap the static assert using it in a
2609         COMPILER_SUPPORTS() macro, and use __is_trivially_copyable() builtin,
2610         as is done in bitwise_cast() in StdLibExtras.h.
2611
2612 2018-03-22  Tim Horton  <timothy_horton@apple.com>
2613
2614         Adopt WK_ALTERNATE_FRAMEWORKS_DIR in WebCore
2615         https://bugs.webkit.org/show_bug.cgi?id=183930
2616         <rdar://problem/38782249>
2617
2618         Reviewed by Dan Bernstein.
2619
2620         * JavaScriptCore.xcodeproj/project.pbxproj:
2621
2622 2018-03-22  Mark Lam  <mark.lam@apple.com>
2623
2624         Add placeholder call and jump MacroAssembler emitters that take PtrTag in a register.
2625         https://bugs.webkit.org/show_bug.cgi?id=183914
2626         <rdar://problem/38763536>
2627
2628         Reviewed by Saam Barati and JF Bastien.
2629
2630         This is in preparation for supporting pointer profiling work.
2631
2632         * assembler/MacroAssemblerARM.h:
2633         (JSC::MacroAssemblerARM::jump):
2634         (JSC::MacroAssemblerARM::call):
2635         * assembler/MacroAssemblerARM64.h:
2636         (JSC::MacroAssemblerARM64::call):
2637         (JSC::MacroAssemblerARM64::jump):
2638         * assembler/MacroAssemblerARMv7.h:
2639         (JSC::MacroAssemblerARMv7::jump):
2640         (JSC::MacroAssemblerARMv7::call):
2641         * assembler/MacroAssemblerMIPS.h:
2642         (JSC::MacroAssemblerMIPS::jump):
2643         (JSC::MacroAssemblerMIPS::call):
2644         * assembler/MacroAssemblerX86.h:
2645         (JSC::MacroAssemblerX86::call):
2646         (JSC::MacroAssemblerX86::jump):
2647         * assembler/MacroAssemblerX86Common.h:
2648         (JSC::MacroAssemblerX86Common::jump):
2649         (JSC::MacroAssemblerX86Common::call):
2650         * assembler/MacroAssemblerX86_64.h:
2651         (JSC::MacroAssemblerX86_64::call):
2652         (JSC::MacroAssemblerX86_64::jump):
2653
2654 2018-03-22  Tim Horton  <timothy_horton@apple.com>
2655
2656         Improve readability of WebCore's OTHER_LDFLAGS
2657         https://bugs.webkit.org/show_bug.cgi?id=183909
2658         <rdar://problem/38760992>
2659
2660         Reviewed by Dan Bernstein.
2661
2662         * Configurations/Base.xcconfig:
2663         * Configurations/FeatureDefines.xcconfig:
2664
2665 2018-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
2666
2667         [ARM] Thumb: Do not decorate bottom bit twice
2668         https://bugs.webkit.org/show_bug.cgi?id=183906
2669
2670         Reviewed by Mark Lam.
2671
2672         Use MacroAssemblerCodePtr::createFromExecutableAddress instead of
2673         MacroAssemblerCodePtr(void*) to avoid decorating the pointer twice as
2674         a thumb pointer.
2675
2676         * jit/Repatch.cpp:
2677         (JSC::linkPolymorphicCall):
2678
2679 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2680
2681         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
2682         https://bugs.webkit.org/show_bug.cgi?id=183559
2683
2684         Reviewed by Mark Lam.
2685
2686         When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forgot
2687         to clear NodeMustGenerate for this ToString. It should be cleared since it does not have
2688         any user-observable side effect. This patch clears NodeMustGenerate.
2689
2690         * dfg/DFGConstantFoldingPhase.cpp:
2691         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2692
2693 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2694
2695         [JSC] List up all candidates in DFGCapabilities and FTLCapabilities
2696         https://bugs.webkit.org/show_bug.cgi?id=183897
2697
2698         Reviewed by Mark Lam.
2699
2700         We should not use a `default:` clause here since it accidentally catches
2701         the opcodes and DFG nodes which should be optimized. For example,
2702         op_super_sampler_begin and op_super_sampler_end are not listed while
2703         they have DFG and FTL backends.
2704
2705         This patch lists all candidates in DFGCapabilities and FTLCapabilities.
2706         We also clean up unnecessary checks in FTLCapabilities. Since we
2707         already handle all the possible array types for these nodes (which can
2708         be checked in DFG's code), we do not need to check array types.
2709
2710         We also fix FTLLowerDFGToB3's PutByVal code to use modeForPut.
2711
2712         * dfg/DFGCapabilities.cpp:
2713         (JSC::DFG::capabilityLevel):
2714         * ftl/FTLCapabilities.cpp:
2715         (JSC::FTL::canCompile):
2716         * ftl/FTLLowerDFGToB3.cpp:
2717         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2718
2719 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2720
2721         [JSC] Drop op_put_by_index
2722         https://bugs.webkit.org/show_bug.cgi?id=183899
2723
2724         Reviewed by Mark Lam.
2725
2726         This patch drops op_put_by_index.
2727
2728         1. This functionality can be covered by direct put_by_val alone.
2729         2. put_by_index is not well optimized. It just calls a C
2730         function, and it does not have DFG handling.
2731
2732         * bytecode/BytecodeDumper.cpp:
2733         (JSC::BytecodeDumper<Block>::dumpBytecode):
2734         * bytecode/BytecodeList.json:
2735         * bytecode/BytecodeUseDef.h:
2736         (JSC::computeUsesForBytecodeOffset):
2737         (JSC::computeDefsForBytecodeOffset):
2738         * bytecompiler/BytecodeGenerator.cpp:
2739         (JSC::BytecodeGenerator::emitPutByIndex): Deleted.
2740         * bytecompiler/BytecodeGenerator.h:
2741         * bytecompiler/NodesCodegen.cpp:
2742         (JSC::ArrayNode::emitBytecode):
2743         (JSC::ArrayPatternNode::emitDirectBinding):
2744         * jit/JIT.cpp:
2745         (JSC::JIT::privateCompileMainPass):
2746         * jit/JIT.h:
2747         * jit/JITPropertyAccess.cpp:
2748         (JSC::JIT::emit_op_put_by_index): Deleted.
2749         * jit/JITPropertyAccess32_64.cpp:
2750         (JSC::JIT::emit_op_put_by_index): Deleted.
2751         * llint/LLIntSlowPaths.cpp:
2752         * llint/LLIntSlowPaths.h:
2753         * llint/LowLevelInterpreter.asm:
2754
2755 2018-03-22  Michael Saboff  <msaboff@apple.com>
2756
2757         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
2758         https://bugs.webkit.org/show_bug.cgi?id=183901
2759
2760         Reviewed by Keith Miller.
2761
2762         Added write barriers to ensure the reversed contents are properly marked.
2763
2764         * runtime/ArrayPrototype.cpp:
2765         (JSC::arrayProtoFuncReverse):
2766
2767 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
2768
2769         ScopedArguments should do poisoning and index masking
2770         https://bugs.webkit.org/show_bug.cgi?id=183863
2771
2772         Reviewed by Mark Lam.
2773         
2774         This outlines the ScopedArguments overflow storage and adds poisoning.
2775
2776         * bytecode/AccessCase.cpp:
2777         (JSC::AccessCase::generateWithGuard):
2778         * dfg/DFGSpeculativeJIT.cpp:
2779         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2780         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2781         * ftl/FTLAbstractHeapRepository.h:
2782         * ftl/FTLLowerDFGToB3.cpp:
2783         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
2784         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2785         * jit/JITPropertyAccess.cpp:
2786         (JSC::JIT::emitScopedArgumentsGetByVal):
2787         * runtime/JSCPoison.h:
2788         * runtime/ScopedArguments.cpp:
2789         (JSC::ScopedArguments::ScopedArguments):
2790         (JSC::ScopedArguments::createUninitialized):
2791         (JSC::ScopedArguments::visitChildren):
2792         * runtime/ScopedArguments.h:
2793
2794 2018-03-21  Mark Lam  <mark.lam@apple.com>
2795
2796         Refactor the PtrTag list as a macro so that we can auto-generate code that enumerates each PtrTag.
2797         https://bugs.webkit.org/show_bug.cgi?id=183861
2798         <rdar://problem/38716822>
2799
2800         Reviewed by Filip Pizlo.
2801
2802         Also added ptrTagName() to aid debugging.  ptrTagName() is implemented using this
2803         new PtrTag macro list.
2804
2805         * CMakeLists.txt:
2806         * JavaScriptCore.xcodeproj/project.pbxproj:
2807         * Sources.txt:
2808         * runtime/PtrTag.cpp: Added.
2809         (JSC::ptrTagName):
2810         * runtime/PtrTag.h:
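
The macro-list pattern this entry describes, as an added C++ example that is not JavaScriptCore's own PtrTag.h; the tag names, the list macro and the helper functions are hypothetical placeholders:

```cpp
#include <cstdint>
#include <cstring>

// Added example, not JavaScriptCore's PtrTag.h: one macro list is the single
// source of truth, and both the enum and ptrTagName() are generated from it.
// The tag names below are hypothetical placeholders, not JSC's real tags.
#define FOR_EACH_EXAMPLE_PTRTAG(v) \
    v(NoPtrTag) \
    v(CFunctionPtrTag) \
    v(JITCodePtrTag) \
    v(ReturnAddressPtrTag)

enum PtrTag : uint32_t {
#define DECLARE_PTRTAG_ENUM(name) name,
    FOR_EACH_EXAMPLE_PTRTAG(DECLARE_PTRTAG_ENUM)
#undef DECLARE_PTRTAG_ENUM
    NumberOfPtrTags
};

// Name lookup generated from the same list: a tag added to the list shows up
// here automatically, so the debugging helper cannot silently fall out of sync.
const char* ptrTagName(PtrTag tag)
{
    switch (tag) {
#define RETURN_PTRTAG_NAME(name) case name: return #name;
    FOR_EACH_EXAMPLE_PTRTAG(RETURN_PTRTAG_NAME)
#undef RETURN_PTRTAG_NAME
    default:
        break;
    }
    return "<unknown PtrTag>";
}

// Reverse lookup, also generated from the list (handy when a log line or a
// debugger session hands you a tag by name).
bool ptrTagFromName(const char* name, PtrTag& out)
{
#define MATCH_PTRTAG_NAME(tag) \
    if (!std::strcmp(name, #tag)) { out = tag; return true; }
    FOR_EACH_EXAMPLE_PTRTAG(MATCH_PTRTAG_NAME)
#undef MATCH_PTRTAG_NAME
    return false;
}

// True when `name` parses to exactly `expected`.
bool ptrTagNameParsesTo(const char* name, PtrTag expected)
{
    PtrTag parsed;
    return ptrTagFromName(name, parsed) && parsed == expected;
}

// Round-trips every enumerated tag through name and back: the consistency
// check a unit test for such a list would perform.
bool allPtrTagNamesRoundTrip()
{
    for (uint32_t i = 0; i < NumberOfPtrTags; ++i) {
        PtrTag tag = static_cast<PtrTag>(i);
        if (!ptrTagNameParsesTo(ptrTagName(tag), tag))
            return false;
    }
    return true;
}
```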
2811
2812 2018-03-21  Mark Lam  <mark.lam@apple.com>
2813
2814         Use CodeBlock::instructions()[] and CodeBlock::bytecodeOffset() instead of doing own pointer math.
2815         https://bugs.webkit.org/show_bug.cgi?id=183857
2816         <rdar://problem/38712184>
2817
2818         Reviewed by JF Bastien.
2819
2820         We should avoid doing pointer math with CodeBlock::instructions().begin().
2821         Instead, we should use the operator[] that comes with CodeBlock::instructions()
2822         for computing an Instruction*, and use CodeBlock::bytecodeOffset() for computing
2823         the bytecode offset of a given Instruction*.  These methods will do assertions
2824         which helps catch bugs sooner, plus they are more descriptive of the operation
2825         we're trying to do.
2826
2827         * bytecode/BytecodeKills.h:
2828         (JSC::BytecodeKills::operandIsKilled const):
2829         (JSC::BytecodeKills::forEachOperandKilledAt const):
2830         * bytecode/CallLinkStatus.cpp:
2831         (JSC::CallLinkStatus::computeFromLLInt):
2832         * bytecode/CodeBlock.cpp:
2833         (JSC::CodeBlock::dumpBytecode):
2834         (JSC::CodeBlock::arithProfileForBytecodeOffset):
2835         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
2836         * bytecode/GetByIdStatus.cpp:
2837         (JSC::GetByIdStatus::computeFromLLInt):
2838         * bytecode/PutByIdStatus.cpp:
2839         (JSC::PutByIdStatus::computeFromLLInt):
2840         * dfg/DFGByteCodeParser.cpp:
2841         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2842         * dfg/DFGOSRExit.cpp:
2843         (JSC::DFG::reifyInlinedCallFrames):
2844         * dfg/DFGOSRExitCompilerCommon.cpp:
2845         (JSC::DFG::reifyInlinedCallFrames):
2846         * interpreter/CallFrame.cpp:
2847         (JSC::CallFrame::callSiteBitsAsBytecodeOffset const):
2848         (JSC::CallFrame::currentVPC const):
2849         (JSC::CallFrame::setCurrentVPC):
2850         * jit/JITCall.cpp:
2851         (JSC::JIT::compileOpCall):
2852         * jit/JITInlines.h:
2853         (JSC::JIT::updateTopCallFrame):
2854         (JSC::JIT::copiedInstruction):
2855         * jit/JITOpcodes.cpp:
2856         (JSC::JIT::privateCompileHasIndexedProperty):
2857         * jit/JITOpcodes32_64.cpp:
2858         (JSC::JIT::privateCompileHasIndexedProperty):
2859         * jit/JITPropertyAccess.cpp:
2860         (JSC::JIT::privateCompileGetByVal):
2861         (JSC::JIT::privateCompileGetByValWithCachedId):
2862         (JSC::JIT::privateCompilePutByVal):
2863         (JSC::JIT::privateCompilePutByValWithCachedId):
2864         * jit/SlowPathCall.h:
2865         (JSC::JITSlowPathCall::call):
2866         * llint/LLIntSlowPaths.cpp:
2867         (JSC::LLInt::llint_trace_operand):
2868         (JSC::LLInt::llint_trace_value):
2869         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2870         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
2871         (JSC::LLInt::getByVal): Deleted.
2872         (JSC::LLInt::handleHostCall): Deleted.
2873         (JSC::LLInt::setUpCall): Deleted.
2874         (JSC::LLInt::genericCall): Deleted.
2875         (JSC::LLInt::varargsSetup): Deleted.
2876         (JSC::LLInt::llint_throw_stack_overflow_error): Deleted.
2877         (JSC::LLInt::llint_stack_check_at_vm_entry): Deleted.
2878         (JSC::LLInt::llint_write_barrier_slow): Deleted.
2879         (JSC::LLInt::llint_crash): Deleted.
2880         * runtime/SamplingProfiler.cpp:
2881         (JSC::tryGetBytecodeIndex):
2882
2883 2018-03-21  Keith Miller  <keith_miller@apple.com>
2884
2885         btjs should print the bytecode offset in the stack trace for JS frames
2886         https://bugs.webkit.org/show_bug.cgi?id=183856
2887
2888         Reviewed by Filip Pizlo.
2889
2890         * interpreter/CallFrame.cpp:
2891         (JSC::CallFrame::bytecodeOffset):
2892         (JSC::CallFrame::dump):
2893
2894 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
2895
2896         Unreviewed. Fix GTK and WPE debug build after r229798.
2897
2898         Fix a typo in an ASSERT. Also convert several RELEASE_ASSERT to ASSERT that I forgot to do before landing.
2899
2900         * API/glib/JSCCallbackFunction.cpp:
2901         (JSC::JSCCallbackFunction::JSCCallbackFunction):
2902         * API/glib/JSCContext.cpp:
2903         (jscContextSetVirtualMachine):
2904         (jscContextGetJSContext):
2905         (wrapperMap):
2906         (jscContextHandleExceptionIfNeeded):
2907         * API/glib/JSCValue.cpp:
2908         (jscValueCallFunction):
2909         * API/glib/JSCVirtualMachine.cpp:
2910         (addWrapper):
2911         (removeWrapper):
2912         (jscVirtualMachineSetContextGroup):
2913         (jscVirtualMachineAddContext):
2914         (jscVirtualMachineRemoveContext):
2915         * API/glib/JSCWrapperMap.cpp:
2916         (JSC::WrapperMap::gobjectWrapper):
2917         (JSC::WrapperMap::unwrap):
2918         (JSC::WrapperMap::registerClass):
2919         (JSC::WrapperMap::createJSWrappper):
2920         (JSC::WrapperMap::wrappedObject const):
2921
2922 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
2923
2924         [GTK][WPE] JSC bindings not introspectable
2925         https://bugs.webkit.org/show_bug.cgi?id=136989
2926
2927         Reviewed by Michael Catanzaro.
2928
2929         Make it possible to include individual headers when building the WebKit layer.
2930
2931         * API/glib/JSCAutocleanups.h:
2932         * API/glib/JSCClass.h:
2933         * API/glib/JSCContext.h:
2934         * API/glib/JSCException.h:
2935         * API/glib/JSCValue.h:
2936         * API/glib/JSCVersion.h.in:
2937         * API/glib/JSCVirtualMachine.h:
2938
2939 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
2940
2941         [GTK][WPE] Initial implementation of JavaScriptCore glib bindings
2942         https://bugs.webkit.org/show_bug.cgi?id=164061
2943
2944         Reviewed by Michael Catanzaro.
2945
2946         Add initial GLib API for JavaScriptCore.
2947
2948         * API/JSAPIWrapperObject.h:
2949         * API/glib/JSAPIWrapperObjectGLib.cpp: Added.
2950         (jsAPIWrapperObjectHandleOwner):
2951         (JSAPIWrapperObjectHandleOwner::finalize):
2952         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2953         (JSC::JSCallbackObject<JSAPIWrapperObject>::createStructure):
2954         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
2955         (JSC::JSAPIWrapperObject::finishCreation):
2956         (JSC::JSAPIWrapperObject::setWrappedObject):
2957         (JSC::JSAPIWrapperObject::visitChildren):
2958         * API/glib/JSCAutocleanups.h: Added.
2959         * API/glib/JSCCallbackFunction.cpp: Added.
2960         (JSC::callAsFunction):
2961         (JSC::callAsConstructor):
2962         (JSC::JSCCallbackFunction::create):
2963         (JSC::JSCCallbackFunction::JSCCallbackFunction):
2964         (JSC::JSCCallbackFunction::call):
2965         (JSC::JSCCallbackFunction::construct):
2966         (JSC::JSCCallbackFunction::destroy):
2967         * API/glib/JSCCallbackFunction.h: Added.
2968         (JSC::JSCCallbackFunction::createStructure):
2969         (JSC::JSCCallbackFunction::functionCallback):
2970         (JSC::JSCCallbackFunction::constructCallback):
2971         * API/glib/JSCClass.cpp: Added.
2972         (jscClassGetProperty):
2973         (jscClassSetProperty):
2974         (jscClassDispose):
2975         (jscClassConstructed):
2976         (jsc_class_class_init):
2977         (jscClassCreate):
2978         (jscClassGetJSClass):
2979         (jscClassGetOrCreateJSWrapper):
2980         (jscClassInvalidate):
2981         (jsc_class_get_name):
2982         (jsc_class_get_parent):
2983         (jsc_class_add_constructor):
2984         (jsc_class_add_method):
2985         (jsc_class_add_property):
2986         * API/glib/JSCClass.h: Added.
2987         * API/glib/JSCClassPrivate.h: Added.
2988         * API/glib/JSCContext.cpp: Added.
2989         (ExceptionHandler::ExceptionHandler):
2990         (ExceptionHandler::~ExceptionHandler):
2991         (jscContextSetVirtualMachine):
2992         (jscContextGetProperty):
2993         (jscContextSetProperty):
2994         (jscContextConstructed):
2995         (jscContextDispose):
2996         (jsc_context_class_init):
2997         (jscContextGetOrCreate):
2998         (jscContextGetJSContext):
2999         (wrapperMap):
3000         (jscContextGetOrCreateValue):
3001         (jscContextValueDestroyed):
3002         (jscContextGetJSWrapper):
3003         (jscContextGetOrCreateJSWrapper):
3004         (jscContextWrappedObject):
3005         (jscContextPushCallback):
3006         (jscContextPopCallback):
3007         (jscContextGArrayToJSArray):
3008         (jscContextJSArrayToGArray):
3009         (jscContextGValueToJSValue):
3010         (jscContextJSValueToGValue):
3011         (jsc_context_new):
3012         (jsc_context_new_with_virtual_machine):
3013         (jsc_context_get_virtual_machine):
3014         (jsc_context_get_exception):
3015         (jsc_context_throw):
3016         (jsc_context_throw_exception):
3017         (jsc_context_push_exception_handler):
3018         (jsc_context_pop_exception_handler):
3019         (jscContextHandleExceptionIfNeeded):
3020         (jsc_context_get_current):
3021         (jsc_context_evaluate):
3022         (jsc_context_evaluate_with_source_uri):
3023         (jsc_context_set_value):
3024         (jsc_context_get_value):
3025         (jsc_context_register_class):
3026         * API/glib/JSCContext.h: Added.
3027         * API/glib/JSCContextPrivate.h: Added.
3028         * API/glib/JSCDefines.h: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.h.
3029         * API/glib/JSCException.cpp: Added.
3030         (jscExceptionDispose):
3031         (jsc_exception_class_init):
3032         (jscExceptionCreate):
3033         (jscExceptionGetJSValue):
3034         (jscExceptionEnsureProperties):
3035         (jsc_exception_new):
3036         (jsc_exception_get_message):
3037         (jsc_exception_get_line_number):
3038         (jsc_exception_get_source_uri):
3039         * API/glib/JSCException.h: Added.
3040         * API/glib/JSCExceptionPrivate.h: Added.
3041         * API/glib/JSCGLibWrapperObject.h: Added.
3042         (JSC::JSCGLibWrapperObject::JSCGLibWrapperObject):
3043         (JSC::JSCGLibWrapperObject::~JSCGLibWrapperObject):
3044         (JSC::JSCGLibWrapperObject::object const):
3045         * API/glib/JSCValue.cpp: Added.
3046         (jscValueGetProperty):
3047         (jscValueSetProperty):
3048         (jscValueDispose):
3049         (jsc_value_class_init):
3050         (jscValueGetJSValue):
3051         (jscValueCreate):
3052         (jsc_value_get_context):
3053         (jsc_value_new_undefined):
3054         (jsc_value_is_undefined):
3055         (jsc_value_new_null):
3056         (jsc_value_is_null):
3057         (jsc_value_new_number):
3058         (jsc_value_is_number):
3059         (jsc_value_to_double):
3060         (jsc_value_to_int32):
3061         (jsc_value_new_boolean):
3062         (jsc_value_is_boolean):
3063         (jsc_value_to_boolean):
3064         (jsc_value_new_string):
3065         (jsc_value_is_string):
3066         (jsc_value_to_string):
3067         (jsc_value_new_array):
3068         (jsc_value_new_array_from_garray):
3069         (jsc_value_is_array):
3070         (jsc_value_new_object):
3071         (jsc_value_is_object):
3072         (jsc_value_object_is_instance_of):
3073         (jsc_value_object_set_property):
3074         (jsc_value_object_get_property):
3075         (jsc_value_object_set_property_at_index):
3076         (jsc_value_object_get_property_at_index):
3077         (jscValueCallFunction):
3078         (jsc_value_object_invoke_method):
3079         (jsc_value_object_define_property_data):
3080         (jsc_value_object_define_property_accessor):
3081         (jsc_value_new_function):
3082         (jsc_value_is_function):
3083         (jsc_value_function_call):
3084         (jsc_value_is_constructor):
3085         (jsc_value_constructor_call):
3086         * API/glib/JSCValue.h: Added.
3087         * API/glib/JSCValuePrivate.h: Added.
3088         * API/glib/JSCVersion.cpp: Added.
3089         (jsc_get_major_version):
3090         (jsc_get_minor_version):
3091         (jsc_get_micro_version):
3092         * API/glib/JSCVersion.h.in: Added.
3093         * API/glib/JSCVirtualMachine.cpp: Added.
3094         (addWrapper):
3095         (removeWrapper):
3096         (jscVirtualMachineSetContextGroup):
3097         (jscVirtualMachineEnsureContextGroup):
3098         (jscVirtualMachineDispose):
3099         (jsc_virtual_machine_class_init):
3100         (jscVirtualMachineGetOrCreate):
3101         (jscVirtualMachineGetContextGroup):
3102         (jscVirtualMachineAddContext):
3103         (jscVirtualMachineRemoveContext):
3104         (jscVirtualMachineGetContext):
3105         (jsc_virtual_machine_new):
3106         * API/glib/JSCVirtualMachine.h: Added.
3107         * API/glib/JSCVirtualMachinePrivate.h: Added.
3108         * API/glib/JSCWrapperMap.cpp: Added.
3109         (JSC::WrapperMap::WrapperMap):
3110         (JSC::WrapperMap::~WrapperMap):
3111         (JSC::WrapperMap::gobjectWrapper):
3112         (JSC::WrapperMap::unwrap):
3113         (JSC::WrapperMap::registerClass):
3114         (JSC::WrapperMap::createJSWrappper):
3115         (JSC::WrapperMap::jsWrapper const):
3116         (JSC::WrapperMap::wrappedObject const):
3117         * API/glib/JSCWrapperMap.h: Added.
3118         * API/glib/docs/jsc-glib-4.0-sections.txt: Added.
3119         * API/glib/docs/jsc-glib-4.0.types: Added.
3120         * API/glib/docs/jsc-glib-docs.sgml: Added.
3121         * API/glib/jsc.h: Added.
3122         * CMakeLists.txt:
3123         * GLib.cmake: Added.
3124         * JavaScriptCore.gir.in: Removed.
3125         * PlatformGTK.cmake:
3126         * PlatformWPE.cmake:
3127         * heap/Heap.cpp:
3128         (JSC::Heap::releaseDelayedReleasedObjects):
3129         * heap/Heap.h:
3130         * heap/HeapInlines.h:
3131         (JSC::Heap::releaseSoon):
3132         * javascriptcoregtk.pc.in:
3133         * runtime/JSGlobalObject.cpp:
3134         (JSC::JSGlobalObject::init):
3135         (JSC::JSGlobalObject::visitChildren):
3136         (JSC::JSGlobalObject::setWrapperMap):
3137         * runtime/JSGlobalObject.h:
3138         (JSC::JSGlobalObject::glibCallbackFunctionStructure const):
3139         (JSC::JSGlobalObject::glibWrapperObjectStructure const):
3140         (JSC::JSGlobalObject::wrapperMap const):
3141
3142 2018-03-21  Christopher Reid  <chris.reid@sony.com>
3143
3144         Windows 64-bit build fix after r229767
3145         https://bugs.webkit.org/show_bug.cgi?id=183810
3146
3147         Reviewed by Mark Lam.
3148
3149         Removing an extra parameter in the call to m_assembler::call.
3150
3151         * assembler/MacroAssemblerX86_64.h:
3152
3153 2018-03-20  Dan Bernstein  <mitz@apple.com>
3154
3155         [Xcode] JSVALUE_MODEL is unused
3156         https://bugs.webkit.org/show_bug.cgi?id=183809
3157
3158         Reviewed by Tim Horton.
3159
3160         * Configurations/JavaScriptCore.xcconfig: Removed the unused definition.
3161
3162 2018-03-20  Tim Horton  <timothy_horton@apple.com>
3163
3164         Update the install name for JavaScriptCore when built with WK_ALTERNATE_FRAMEWORKS_DIR
3165         https://bugs.webkit.org/show_bug.cgi?id=183808
3166         <rdar://problem/38692079>
3167
3168         Reviewed by Dan Bernstein.
3169
3170         * Configurations/JavaScriptCore.xcconfig:
3171
3172 2018-03-20  Tim Horton  <timothy_horton@apple.com>
3173
3174         Enable the minimal simulator feature flag when appropriate
3175         https://bugs.webkit.org/show_bug.cgi?id=183807
3176
3177         Reviewed by Dan Bernstein.
3178
3179         * Configurations/FeatureDefines.xcconfig:
3180
3181 2018-03-20  Saam Barati  <sbarati@apple.com>
3182
3183         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
3184         https://bugs.webkit.org/show_bug.cgi?id=183795
3185         <rdar://problem/38298694>
3186
3187         Reviewed by JF Bastien.
3188
3189         We were just assuming that the constants we were inserting were
3190         always exitOK=true. However, this breaks validation. The exitOK
3191         we emit for the constants in the NewArrayBuffer should respect
3192         the current exit state of the IR we've emitted. This is just IR
3193         bookkeeping since JSConstant is a non-exiting node.
3194
3195         * dfg/DFGArgumentsEliminationPhase.cpp:
3196
3197 2018-03-20  Guillaume Emont  <guijemont@igalia.com>
3198
3199         MIPS+Armv7 builds are broken since r229391
3200         https://bugs.webkit.org/show_bug.cgi?id=183474
3201
3202         Reviewed by Yusuke Suzuki.
3203
3204         Add missing armv7 and mips operations and fix arguments to a call to
3205         operationGetByValCell. This should fix compilation on MIPS and Armv7
3206         (though it does not implement the missing setupArguments stuff in
3207         CCallHelpers).
3208
3209         * assembler/MacroAssembler.h:
3210         * assembler/MacroAssemblerARMv7.h:
3211         (JSC::MacroAssemblerARMv7::swap):
3212         * assembler/MacroAssemblerMIPS.h:
3213         (JSC::MacroAssemblerMIPS::swap):
3214         * dfg/DFGSpeculativeJIT32_64.cpp:
3215         (JSC::DFG::SpeculativeJIT::compile):
3216         * jit/FPRInfo.h:
3217
3218 2018-03-20  Tim Horton  <timothy_horton@apple.com>
3219
3220         Add and adopt WK_PLATFORM_NAME and adjust default feature defines
3221         https://bugs.webkit.org/show_bug.cgi?id=183758
3222         <rdar://problem/38017644>
3223
3224         Reviewed by Dan Bernstein.
3225
3226         * Configurations/FeatureDefines.xcconfig:
3227
3228 2018-03-20  Mark Lam  <mark.lam@apple.com>
3229
3230         Improve FunctionPtr and use it in the JIT CallRecord.
3231         https://bugs.webkit.org/show_bug.cgi?id=183756
3232         <rdar://problem/38641335>
3233
3234         Reviewed by JF Bastien.
3235
3236         1. FunctionPtr holds a C/C++ function pointer by default.  Change its default
3237            PtrTag to reflect that.
3238
3239         2. Delete the FunctionPtr::value() method.  It is effectively a duplicate of
3240            executableAddress().
3241
3242         3. Fix the FunctionPtr constructor that takes arbitrary pointers to be able to
3243            take "any" pointer.  "any" in this case means that the pointer may not be typed
3244            as a C/C++ function to the C++ compiler (due to upstream casting or usage of
3245            void* as a storage type), but it is still expected to be pointing to a C/C++
3246            function.
3247
3248         4. Added a FunctionPtr constructor that takes another FunctionPtr.  This is a
3249            convenience constructor that lets us retag the underlying pointer.  The other
3250            FunctionPtr is still expected to point to a C/C++ function.
3251
3252         5. Added PtrTag assertion placeholder functions to be implemented later.
3253
3254         6. Change the JIT CallRecord to embed a FunctionPtr callee instead of a void*
3255            pointer.  This improves type safety, and assists in getting pointer tagging
3256            right later.
3257
3258         7. Added versions of JIT callOperations methods that will take a PtrTag.
3259            This is preparation for more pointer tagging work later.
3260
3261         * assembler/MacroAssemblerARM.h:
3262         (JSC::MacroAssemblerARM::linkCall):
3263         * assembler/MacroAssemblerARMv7.h:
3264         (JSC::MacroAssemblerARMv7::linkCall):
3265         * assembler/MacroAssemblerCodeRef.h:
3266         (JSC::FunctionPtr::FunctionPtr):
3267         (JSC::FunctionPtr::operator bool const):
3268         (JSC::FunctionPtr::operator! const):
3269         (JSC::ReturnAddressPtr::ReturnAddressPtr):
3270         (JSC::MacroAssemblerCodePtr::retagged const):
3271         (JSC::MacroAssemblerCodeRef::retaggedCode const):
3272         (JSC::FunctionPtr::value const): Deleted.
3273         * assembler/MacroAssemblerMIPS.h:
3274         (JSC::MacroAssemblerMIPS::linkCall):
3275         * assembler/MacroAssemblerX86.h:
3276         (JSC::MacroAssemblerX86::linkCall):
3277         * assembler/MacroAssemblerX86_64.h:
3278         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
3279         (JSC::MacroAssemblerX86_64::linkCall):
3280         * bytecode/AccessCase.cpp:
3281         (JSC::AccessCase::generateImpl):
3282         * ftl/FTLSlowPathCall.cpp:
3283         (JSC::FTL::SlowPathCallContext::makeCall):
3284         * ftl/FTLSlowPathCall.h:
3285         (JSC::FTL::callOperation):
3286         * ftl/FTLThunks.cpp:
3287         (JSC::FTL::osrExitGenerationThunkGenerator):
3288         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3289         (JSC::FTL::slowPathCallThunkGenerator):
3290         * jit/JIT.cpp:
3291         (JSC::JIT::link):
3292         (JSC::JIT::privateCompileExceptionHandlers):
3293         * jit/JIT.h:
3294         (JSC::CallRecord::CallRecord):
3295         (JSC::JIT::appendCall):
3296         (JSC::JIT::appendCallWithSlowPathReturnType):
3297         (JSC::JIT::callOperation):
3298         (JSC::JIT::callOperationWithProfile):
3299         (JSC::JIT::callOperationWithResult):
3300         (JSC::JIT::callOperationNoExceptionCheck):
3301         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
3302         * jit/JITArithmetic.cpp:
3303         (JSC::JIT::emitMathICFast):
3304         (JSC::JIT::emitMathICSlow):
3305         * jit/JITInlines.h:
3306         (JSC::JIT::emitNakedCall):
3307         (JSC::JIT::emitNakedTailCall):
3308         (JSC::JIT::appendCallWithExceptionCheck):
3309         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
3310         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
3311         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
3312         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
3313         * jit/JITPropertyAccess.cpp:
3314         (JSC::JIT::emitSlow_op_get_by_val):
3315         (JSC::JIT::emitSlow_op_put_by_val):
3316         (JSC::JIT::privateCompileGetByValWithCachedId):
3317         (JSC::JIT::privateCompilePutByVal):
3318         (JSC::JIT::privateCompilePutByValWithCachedId):
3319         * jit/JITPropertyAccess32_64.cpp:
3320         (JSC::JIT::emitSlow_op_put_by_val):
3321         * jit/Repatch.cpp:
3322         (JSC::linkPolymorphicCall):
3323         * jit/SlowPathCall.h:
3324         (JSC::JITSlowPathCall::JITSlowPathCall):
3325         (JSC::JITSlowPathCall::call):
3326         * jit/ThunkGenerators.cpp:
3327         (JSC::nativeForGenerator):
3328         * runtime/PtrTag.h:
3329         (JSC::nextPtrTagID):
3330         (JSC::assertIsCFunctionPtr):
3331         (JSC::assertIsNullOrCFunctionPtr):
3332         (JSC::assertIsNotTagged):
3333         (JSC::assertIsTagged):
3334         (JSC::assertIsNullOrTagged):
3335         (JSC::assertIsTaggedWith):
3336         (JSC::assertIsNullOrTaggedWith):
3337         (JSC::uniquePtrTagID): Deleted.
3338
3339 2018-03-20  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3340
3341         [MIPS] Optimize generated JIT code for loads/stores
3342         https://bugs.webkit.org/show_bug.cgi?id=183243
3343
3344         Reviewed by Yusuke Suzuki.
3345
3346         JIT generates three MIPS instructions for a load/store from/to an absolute address:
3347
3348           lui adrTmpReg, address >> 16
3349           ori adrTmpReg, address & 0xffff
3350           lw dataReg, 0(adrTmpReg)
3351
3352         Since load/store instructions on MIPS have a 16-bit offset, lower 16 bits of the address can
3353         be encoded into the load/store and ori instruction can be removed:
3354
3355           lui adrTmpReg, (address + 0x8000) >> 16
3356           lw dataReg, (address & 0xffff)(adrTmpReg)
3357
3358         Also, in loads/stores with BaseIndex address, the left shift can be omitted if address.scale is 0.
3359
3360         * assembler/MacroAssemblerMIPS.h:
3361         (JSC::MacroAssemblerMIPS::add32):
3362         (JSC::MacroAssemblerMIPS::add64):
3363         (JSC::MacroAssemblerMIPS::or32):
3364         (JSC::MacroAssemblerMIPS::sub32):
3365         (JSC::MacroAssemblerMIPS::convertibleLoadPtr):
3366         (JSC::MacroAssemblerMIPS::load8):
3367         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
3368         (JSC::MacroAssemblerMIPS::load32):
3369         (JSC::MacroAssemblerMIPS::store8):
3370         (JSC::MacroAssemblerMIPS::store32):
3371         (JSC::MacroAssemblerMIPS::branchTest8):
3372         (JSC::MacroAssemblerMIPS::branchAdd32):
3373         (JSC::MacroAssemblerMIPS::loadDouble):
3374         (JSC::MacroAssemblerMIPS::storeDouble):
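
The lui/lw address split described above and the sign-extension edge case that the `+ 0x8000` handles, as an added C++ model that is not JavaScriptCore's MacroAssemblerMIPS code; the struct, function names and sample addresses are constructed for illustration:

```cpp
#include <cstdint>
#include <cstdio>

// Added example, not JavaScriptCore code: models how a 32-bit absolute address
// is split into a lui immediate plus a 16-bit load/store displacement.
struct LuiLoadPair {
    uint16_t luiImmediate; // upper half placed in adrTmpReg by lui
    int16_t  loadOffset;   // 16-bit signed displacement encoded in lw/sw
};

// Three-instruction sequence (lui, ori, lw with offset 0). ori treats the low
// half as unsigned, so adrTmpReg holds the exact address before the load.
static uint32_t threeInstructionAddress(uint32_t address)
{
    uint32_t adrTmpReg = (address >> 16) << 16; // lui adrTmpReg, address >> 16
    adrTmpReg |= address & 0xffffu;             // ori adrTmpReg, address & 0xffff
    return adrTmpReg + 0;                       // lw dataReg, 0(adrTmpReg)
}

// Two-instruction sequence from the entry. The low 16 bits become the load's
// displacement, which MIPS sign-extends. When bit 15 of the address is set the
// displacement is negative, so the upper half has to be one higher to
// compensate; adding 0x8000 before the shift yields exactly that rounding.
static LuiLoadPair splitForLuiLoad(uint32_t address)
{
    LuiLoadPair pair;
    pair.luiImmediate = static_cast<uint16_t>((address + 0x8000u) >> 16);
    pair.loadOffset = static_cast<int16_t>(address & 0xffffu);
    return pair;
}

// Effective address the hardware forms: (lui immediate << 16) + sext16(offset),
// with 32-bit wraparound, as for any MIPS load/store.
static uint32_t effectiveAddress(LuiLoadPair pair)
{
    uint32_t base = static_cast<uint32_t>(pair.luiImmediate) << 16;
    return base + static_cast<uint32_t>(static_cast<int32_t>(pair.loadOffset));
}

// The same split without the +0x8000 rounding, to show why it is needed:
// any address with bit 15 set lands 64 KiB below the intended location.
static uint32_t effectiveAddressWithoutRounding(uint32_t address)
{
    uint32_t base = (address >> 16) << 16;
    int16_t offset = static_cast<int16_t>(address & 0xffffu);
    return base + static_cast<uint32_t>(static_cast<int32_t>(offset));
}

int main()
{
    // Constructed sample addresses: bit 15 clear, bit 15 set, top-of-memory,
    // and the smallest address whose low half is negative as an int16.
    const uint32_t samples[] = { 0x12345678u, 0x1234abcdu, 0xffff9000u, 0x00008000u };
    for (uint32_t address : samples) {
        LuiLoadPair pair = splitForLuiLoad(address);
        std::printf("addr=%08x lui=%04x off=%6d -> %08x (unrounded %08x, 3-insn %08x)\n",
            address, pair.luiImmediate, pair.loadOffset, effectiveAddress(pair),
            effectiveAddressWithoutRounding(address), threeInstructionAddress(address));
    }
    return 0;
}
```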
3375
3376 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3377
3378         [DFG][FTL] Add vectorLengthHint for NewArray
3379         https://bugs.webkit.org/show_bug.cgi?id=183694
3380
3381         Reviewed by Saam Barati.
3382
3383         While the following code is common, it is not so efficient.
3384
3385         var array = [];
3386         for (...) {
3387             ...
3388             array.push(...);
3389         }
3390
3391         The array is always allocated with 0 vector length. And it is eventually grown.
3392
3393         We have ArrayAllocationProfile, and it tells us the vector length hint for
3394         the allocated arrays. This hint is already used for NewArrayBuffer. This patch
3395         extends this support for NewArray DFG node.
3396
3397         This patch improves Kraken/stanford-crypto-aes 4%.
3398
3399                                       baseline                  patched
3400
3401         stanford-crypto-aes        64.069+-1.352             61.589+-1.274           might be 1.0403x faster
3402
3403         NewArray can be optimized.
3404
3405                                                        baseline                  patched
3406
3407         vector-length-hint-new-array               21.8157+-0.0882     ^     13.1764+-0.0942        ^ definitely 1.6557x faster
3408         vector-length-hint-array-constructor       21.9076+-0.0987     ?     22.1168+-0.4814        ?
3409
3410         * dfg/DFGByteCodeParser.cpp:
3411         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3412         (JSC::DFG::ByteCodeParser::parseBlock):
3413         * dfg/DFGNode.h:
3414         (JSC::DFG::Node::hasVectorLengthHint):
3415         (JSC::DFG::Node::vectorLengthHint):