5cf240d6e645c5312a23745f8a479ff91a53b718
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-05-16  Devin Rousso  <webkit@devinrousso.com>
2
3         Web Inspector: create a navigation item for toggling the overlay rulers/guides
4         https://bugs.webkit.org/show_bug.cgi?id=185644
5
6         Reviewed by Matt Baker.
7
8         * inspector/protocol/OverlayTypes.json:
9         * inspector/protocol/Page.json:
10
11 2018-05-16  Commit Queue  <commit-queue@webkit.org>
12
13         Unreviewed, rolling out r231845.
14         https://bugs.webkit.org/show_bug.cgi?id=185702
15
16         it is breaking Apple High Sierra 32-bit JSC bot (Requested by
17         caiolima on #webkit).
18
19         Reverted changeset:
20
21         "[ESNext][BigInt] Implement support for "/" operation"
22         https://bugs.webkit.org/show_bug.cgi?id=183996
23         https://trac.webkit.org/changeset/231845
24
25 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
26
27         DFG models InstanceOf incorrectly
28         https://bugs.webkit.org/show_bug.cgi?id=185694
29
30         Reviewed by Keith Miller.
31         
32         Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
33         hoist it.
34
35         * dfg/DFGAbstractInterpreterInlines.h:
36         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
37         * dfg/DFGClobberize.h:
38         (JSC::DFG::clobberize):
39         * dfg/DFGHeapLocation.cpp:
40         (WTF::printInternal):
41         * dfg/DFGHeapLocation.h:
42         * dfg/DFGNodeType.h:
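
The two constraints in the entry above (a Proxy makes `instanceof` effectful; an exception makes it illegal to drop or hoist) can be seen from script. The following is an added example, not code from WebKit or from this patch: it puts a Proxy in the left operand's prototype chain so the `getPrototypeOf` trap runs during the OrdinaryHasInstance walk, and it counts the trap calls and any exception so the observable behaviour of a correct engine is recorded. `observeInstanceOf` and `instanceOfInLoop` are names chosen for this example.

```javascript
// Added example, not WebKit code: why instanceof is neither pure nor
// non-throwing once a Proxy sits in the left operand's prototype chain.
// OrdinaryHasInstance walks [[GetPrototypeOf]] up the chain, and a Proxy's
// getPrototypeOf trap runs arbitrary code on every step it is asked for.

function observeInstanceOf(throwFromTrap) {
  const log = [];
  const trapped = new Proxy({}, {
    getPrototypeOf(target) {
      log.push('getPrototypeOf');
      if (throwFromTrap) throw new Error('trap threw during instanceof');
      return Object.getPrototypeOf(target); // Object.prototype; the walk then ends at null
    },
  });
  class Foo {}
  const obj = Object.create(trapped); // obj -> trapped (Proxy) -> Object.prototype -> null
  let result;
  let error = null;
  try {
    // The value is never used. A compiler that models InstanceOf as pure and
    // exception-free could delete this statement, and with it the trap call
    // and the exception, which is observably different from the interpreter.
    result = obj instanceof Foo;
  } catch (e) {
    error = e.message;
  }
  return { result, error, trapCalls: log.length };
}

function instanceOfInLoop(iterations) {
  class Foo {}
  let calls = 0;
  const trapped = new Proxy({}, {
    getPrototypeOf() {
      // The answer depends on mutable state outside the loop body, so hoisting
      // the check out of the loop would freeze the first answer.
      calls++;
      return calls >= 3 ? Foo.prototype : null;
    },
  });
  const obj = Object.create(trapped);
  const results = [];
  for (let i = 0; i < iterations; i++) results.push(obj instanceof Foo);
  return results;
}
```

With the trap silent, `observeInstanceOf(false)` reports one trap call and `false`; with it throwing, the exception must surface to the `catch`. `instanceOfInLoop(4)` returns `[false, false, true, true]`, which a loop-invariant hoist of the check could not produce.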
43
44 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
45
46         Add support for Intl NumberFormat formatToParts
47         https://bugs.webkit.org/show_bug.cgi?id=185375
48
49         Reviewed by Yusuke Suzuki.
50
51         Add flag for NumberFormat formatToParts. Implement formatToParts using
52         unum_formatDoubleForFields. Because the fields are nested and come back
53         in no guaranteed order, the simple algorithm to convert them to the
54         desired format is roughly O(n^2). However, even with Number.MAX_VALUE
55         it appears to perform well enough for the initial implementation. Another
56         issue has been created to improve this algorithm.
57
58         This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
59         on macOS, since only v57 is available.
60
61         * Configurations/FeatureDefines.xcconfig:
62         * runtime/IntlNumberFormat.cpp:
63         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
64         (JSC::IntlNumberFormat::partTypeString):
65         (JSC::IntlNumberFormat::formatToParts):
66         * runtime/IntlNumberFormat.h:
67         * runtime/IntlNumberFormatPrototype.cpp:
68         (JSC::IntlNumberFormatPrototype::create):
69         (JSC::IntlNumberFormatPrototype::finishCreation):
70         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
71         * runtime/IntlNumberFormatPrototype.h:
72         * runtime/Options.h:
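
The merge step the entry above describes (nested field spans, arriving in no guaranteed order, turned into a flat list of parts) is shown below as an added example; it is not the patch's C++ and does not call ICU. The formatted string and the field list are constructed to resemble what a field-position iterator reports: a "group" span nested inside the "integer" span, half-open offsets, unsorted. `formatToParts` and `SAMPLE` are this example's own names.

```javascript
// Added example, not WebKit code: the field-merging step behind formatToParts.
// The merge scans every field for every character, i.e. the roughly O(n^2)
// approach the ChangeLog entry describes; fine for a few hundred characters.

const SAMPLE = { // constructed to mimic a field-position iterator's output
  formatted: '-1,234.50',
  fields: [
    { type: 'fraction', begin: 7, end: 9 },
    { type: 'integer', begin: 1, end: 6 }, // covers "1,234", including the group
    { type: 'group', begin: 2, end: 3 },
    { type: 'decimal', begin: 6, end: 7 },
    { type: 'minusSign', begin: 0, end: 1 },
  ],
};

function formatToParts(formatted, fields) {
  // 1. For each character pick the narrowest field covering it, so a nested
  //    field wins over its container; uncovered characters become literals.
  const typeAt = [];
  for (let i = 0; i < formatted.length; i++) {
    let best = null;
    for (const f of fields) {
      if (i < f.begin || i >= f.end) continue;
      if (best === null || f.end - f.begin < best.end - best.begin) best = f;
    }
    typeAt.push(best ? best.type : 'literal');
  }
  // 2. Coalesce adjacent characters of the same type into one part. A group
  //    separator interrupts the integer run, which is how "1,234" becomes
  //    integer "1", group ",", integer "234", as the spec requires.
  const parts = [];
  for (let i = 0; i < formatted.length; i++) {
    const last = parts[parts.length - 1];
    if (last && last.type === typeAt[i]) last.value += formatted[i];
    else parts.push({ type: typeAt[i], value: formatted[i] });
  }
  return parts;
}
```

For `SAMPLE` this yields minusSign `-`, integer `1`, group `,`, integer `234`, decimal `.`, fraction `50`; in a runtime with full ICU, `new Intl.NumberFormat('en-US', { minimumFractionDigits: 2 }).formatToParts(-1234.5)` produces the same six parts. Concatenating the part values always reproduces the input string, which is a cheap invariant to assert in tests.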
73
74 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
75
76         [ESNext][BigInt] Implement support for "/" operation
77         https://bugs.webkit.org/show_bug.cgi?id=183996
78
79         Reviewed by Yusuke Suzuki.
80
81         This patch introduces support for BigInt in the divide
82         operation in the LLInt and JIT layers.
83
84         * dfg/DFGOperations.cpp:
85         * runtime/CommonSlowPaths.cpp:
86         (JSC::SLOW_PATH_DECL):
87         * runtime/JSBigInt.cpp:
88         (JSC::JSBigInt::divide):
89         (JSC::JSBigInt::copy):
90         (JSC::JSBigInt::unaryMinus):
91         (JSC::JSBigInt::absoluteCompare):
92         (JSC::JSBigInt::absoluteDivLarge):
93         (JSC::JSBigInt::productGreaterThan):
94         (JSC::JSBigInt::inplaceAdd):
95         (JSC::JSBigInt::inplaceSub):
96         (JSC::JSBigInt::inplaceRightShift):
97         (JSC::JSBigInt::specialLeftShift):
98         (JSC::JSBigInt::digit):
99         (JSC::JSBigInt::setDigit):
100         * runtime/JSBigInt.h:
101
102 2018-05-16  Alberto Garcia  <berto@igalia.com>
103
104         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
105         https://bugs.webkit.org/show_bug.cgi?id=182622
106
107         Reviewed by Michael Catanzaro.
108
109         We were linking JavaScriptCore against libatomic in MIPS because
110         in that architecture __atomic_fetch_add_8() is not a compiler
111         intrinsic and is provided by that library instead. However other
112         architectures (e.g armel) are in the same situation, so we need a
113         generic test.
114
115         That test already exists in WebKit/CMakeLists.txt, so we just have
116         to move it to a common file (WebKitCompilerFlags.cmake) and use
117         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
118
119         * CMakeLists.txt:
120
121 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
122
123         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
124         https://bugs.webkit.org/show_bug.cgi?id=185601
125
126         Reviewed by Saam Barati.
127
128         Rename TypeOfShouldCallGetCallData to OverridesGetCallData, and check OverridesGetCallData
129         before calling getCallData when we would like to check whether a given object is callable,
130         since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
131         is fine. But if we would like to check whether the object is callable, we frequently encounter
132         non-callable objects. In that case, we should not call getCallData if we can avoid it.
133
134         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
135         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
136         OverridesGetCallData checking before calling getCallData.
137
138         We found that this virtual call exists in JSON.stringify's critical path. Checking
139         OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
140
141                                                baseline                  patched
142
143             json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster
144
145         In addition to that, we also add the OverridesGetCallData flag to JSFunction while we keep the JSFunctionType checking fast path,
146         since the major cases are covered by this fast JSFunctionType check.
147
148         * API/JSCallbackObject.h:
149         * dfg/DFGAbstractInterpreterInlines.h:
150         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
151         * dfg/DFGOperations.cpp:
152         * dfg/DFGSpeculativeJIT.cpp:
153         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
154         (JSC::DFG::SpeculativeJIT::compileIsFunction):
155         * ftl/FTLLowerDFGToB3.cpp:
156         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
157         * jit/AssemblyHelpers.h:
158         (JSC::AssemblyHelpers::emitTypeOf):
159         * runtime/ExceptionHelpers.cpp:
160         (JSC::createError):
161         (JSC::createInvalidFunctionApplyParameterError):
162         * runtime/FunctionPrototype.cpp:
163         (JSC::functionProtoFuncToString):
164         * runtime/InternalFunction.h:
165         * runtime/JSCJSValue.h:
166         * runtime/JSCJSValueInlines.h:
167         (JSC::JSValue::isFunction const):
168         (JSC::JSValue::isCallable const):
169         * runtime/JSCell.h:
170         * runtime/JSCellInlines.h:
171         (JSC::JSCell::isFunction):
172         ALWAYS_INLINE works well for my environment.
173         (JSC::JSCell::isCallable):
174         * runtime/JSFunction.h:
175         * runtime/JSONObject.cpp:
176         (JSC::Stringifier::toJSON):
177         (JSC::Stringifier::toJSONImpl):
178         (JSC::Stringifier::appendStringifiedValue):
179         * runtime/JSObjectInlines.h:
180         (JSC::createListFromArrayLike):
181         * runtime/JSTypeInfo.h:
182         (JSC::TypeInfo::overridesGetCallData const):
183         (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
184         * runtime/Operations.cpp:
185         (JSC::jsTypeStringForValue):
186         (JSC::jsIsObjectTypeOrNull):
187         * runtime/ProxyObject.h:
188         * runtime/RuntimeType.cpp:
189         (JSC::runtimeTypeForValue):
190         * runtime/RuntimeType.h:
191         * runtime/Structure.cpp:
192         (JSC::Structure::Structure):
193         * runtime/TypeProfilerLog.cpp:
194         (JSC::TypeProfilerLog::TypeProfilerLog):
195         (JSC::TypeProfilerLog::processLogEntries):
196         * runtime/TypeProfilerLog.h:
197         * runtime/VM.cpp:
198         (JSC::VM::enableTypeProfiler):
199         * tools/JSDollarVM.cpp:
200         (JSC::functionFindTypeForExpression):
201         (JSC::functionReturnTypeFor):
202         (JSC::functionHasBasicBlockExecuted):
203         (JSC::functionBasicBlockExecutionCount):
204         * wasm/js/JSWebAssemblyHelpers.h:
205         (JSC::getWasmBufferFromValue):
206         * wasm/js/JSWebAssemblyInstance.cpp:
207         (JSC::JSWebAssemblyInstance::create):
208         * wasm/js/WebAssemblyFunction.cpp:
209         (JSC::callWebAssemblyFunction):
210         * wasm/js/WebAssemblyInstanceConstructor.cpp:
211         (JSC::constructJSWebAssemblyInstance):
212         * wasm/js/WebAssemblyModuleRecord.cpp:
213         (JSC::WebAssemblyModuleRecord::link):
214         * wasm/js/WebAssemblyPrototype.cpp:
215         (JSC::webAssemblyInstantiateFunc):
216         (JSC::webAssemblyInstantiateStreamingInternal):
217         * wasm/js/WebAssemblyWrapperFunction.cpp:
218         (JSC::WebAssemblyWrapperFunction::finishCreation):
219
220 2018-05-15  Devin Rousso  <webkit@devinrousso.com>
221
222         Web Inspector: Add rulers and guides
223         https://bugs.webkit.org/show_bug.cgi?id=32263
224         <rdar://problem/19281564>
225
226         Reviewed by Matt Baker.
227
228         * inspector/protocol/OverlayTypes.json:
229
230 2018-05-14  Keith Miller  <keith_miller@apple.com>
231
232         Remove butterflyMask from DFGAbstractHeap
233         https://bugs.webkit.org/show_bug.cgi?id=185640
234
235         Reviewed by Saam Barati.
236
237         We don't have a butterfly indexing mask anymore so we don't need
238         the abstract heap information for it anymore.
239
240         * dfg/DFGAbstractHeap.h:
241         * dfg/DFGClobberize.h:
242         (JSC::DFG::clobberize):
243
244 2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>
245
246         [INTL] Handle error in defineProperty for supported locales length
247         https://bugs.webkit.org/show_bug.cgi?id=185623
248
249         Reviewed by Saam Barati.
250
251         Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
252         length of the supported locales array.
253
254         * runtime/IntlObject.cpp:
255         (JSC::supportedLocales):
256
257 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
258
259         [JSC] Tweak LiteralParser to improve lexing performance
260         https://bugs.webkit.org/show_bug.cgi?id=185541
261
262         Reviewed by Saam Barati.
263
264         This patch attempts to improve LiteralParser performance.
265
266         This patch improves Kraken/json-parse-financial by roughly ~10%.
267                                            baseline                  patched
268
269             json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster
270
271         * parser/Lexer.cpp:
272         (JSC::Lexer<T>::Lexer):
273         * runtime/ArgList.h:
274         (JSC::MarkedArgumentBuffer::takeLast):
275         Add takeLast() for idiomatic last() + removeLast() calls.
276
277         * runtime/LiteralParser.cpp:
278         (JSC::LiteralParser<CharType>::Lexer::lex):
279         Do not take mode as a template parameter. While the lex function is large, this mode is not used in a critical path.
280         We should not include this mode in its template parameters, to reduce the code size.
281         And we do not use a template parameter for the terminator, since duplicating the ' and " code for lexString is not good.
282         Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.
283
284         (JSC::LiteralParser<CharType>::Lexer::next):
285         (JSC::isSafeStringCharacter):
286         Take mode as a template parameter, but do not take the terminator character as a template parameter.
287
288         (JSC::LiteralParser<CharType>::Lexer::lexString):
289         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
290         Duplicate while statements manually since this is a critical path.
291
292         (JSC::LiteralParser<CharType>::parse):
293         Use takeLast().
294
295         * runtime/LiteralParser.h:
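
The shape described in the entry above, a fast loop over characters known to be safe and a slow path for everything the table excludes, is shown below as an added example. It is not JSC's LiteralParser: it is a small string lexer written for this page, with one function serving both the `"` and `'` terminators (the duplication the entry avoids) and a `mode` argument of this example's own design, where `'strict'` follows JSON (double quotes only, no raw control characters) and `'sloppy'` also accepts single-quoted strings.

```javascript
// Added example, not WebKit code: the fast-path/slow-path split of a
// JSON-style string lexer. A 128-entry table marks ASCII characters that can
// be copied verbatim; only a quote, a backslash, a non-ASCII code unit or a
// control character drops out of the inner loop.

const SAFE = new Uint8Array(128);
for (let c = 0x20; c < 0x7f; c++) SAFE[c] = 1;
SAFE[0x22] = 0; // "  terminator, handled on the slow path
SAFE[0x27] = 0; // '  terminator in sloppy mode
SAFE[0x5c] = 0; // \  starts an escape sequence

const SIMPLE_ESCAPES = { '"': '"', '\\': '\\', '/': '/', b: '\b', f: '\f', n: '\n', r: '\r', t: '\t' };

// Lex the string literal starting at src[start]; returns its decoded value
// and the offset just past the closing quote, or throws SyntaxError.
function lexString(src, start, mode = 'strict') {
  const quote = src[start];
  if (quote !== '"' && !(mode === 'sloppy' && quote === "'")) {
    throw new SyntaxError(`expected string at offset ${start}`);
  }
  let i = start + 1;
  let out = '';
  for (;;) {
    // Fast path: copy a whole run of table-approved ASCII characters at once.
    const runStart = i;
    while (i < src.length) {
      const c = src.charCodeAt(i);
      if (c >= 128 || !SAFE[c]) break;
      i++;
    }
    out += src.slice(runStart, i);
    if (i >= src.length) throw new SyntaxError('unterminated string');

    // Slow path: one of the few characters the table excluded.
    const ch = src[i];
    if (ch === quote) return { value: out, end: i + 1 };
    if (ch === '\\') {
      const esc = src[i + 1];
      if (esc === 'u') {
        const hex = src.slice(i + 2, i + 6);
        if (!/^[0-9a-fA-F]{4}$/.test(hex)) throw new SyntaxError(`bad \\u escape at offset ${i}`);
        out += String.fromCharCode(parseInt(hex, 16));
        i += 6;
      } else if (Object.prototype.hasOwnProperty.call(SIMPLE_ESCAPES, esc)) {
        out += SIMPLE_ESCAPES[esc];
        i += 2;
      } else if (mode === 'sloppy' && esc === "'") {
        out += "'";
        i += 2;
      } else {
        throw new SyntaxError(`bad escape at offset ${i}`);
      }
    } else if (src.charCodeAt(i) < 0x20 && mode === 'strict') {
      throw new SyntaxError(`raw control character at offset ${i}`);
    } else {
      out += ch; // the other quote character, non-ASCII, or a control char in sloppy mode
      i++;
    }
  }
}
```

`lexString('"a\\nb"', 0)` returns `{ value: 'a\nb', end: 6 }`; a raw tab inside a strict-mode string is rejected, while `'it\'s'` is accepted only in sloppy mode. The table is what keeps the common case branch-free; the slow path is where all the validation lives.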
296
297 2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>
298
299         [MIPS] Use btpz to compare against 0 instead of bpeq
300         https://bugs.webkit.org/show_bug.cgi?id=185607
301
302         Reviewed by Yusuke Suzuki.
303
304         Fixes build on MIPS since MIPS doesn't have an instruction to
305         compare a register against an immediate. Since the immediate is just 0
306         in this case the simplest solution is just to use btpz instead of bpeq
307         to compare to 0.
308
309         * llint/LowLevelInterpreter.asm:
310
311 2018-05-12  Filip Pizlo  <fpizlo@apple.com>
312
313         CachedCall::call() should be faster
314         https://bugs.webkit.org/show_bug.cgi?id=185583
315
316         Reviewed by Yusuke Suzuki.
317         
318         CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
319         Unfortunately, because of a combination of abstraction and assertions, this code path had a
320         lot of overhead. This patch reduces this overhead by:
321         
322         - Turning off some assertions. These assertions don't look to have security value; they're
323           mostly for sanity. I turned off stack alignment checks and VM state checks having to do
324           with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
325           call, considering that the caller would have already been strongly assuming that the JSLock
326           is held.
327         
328         - Making more things inlineable.
329         
330         This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.
331
332         * JavaScriptCore.xcodeproj/project.pbxproj:
333         * interpreter/CachedCall.h:
334         (JSC::CachedCall::call):
335         * interpreter/Interpreter.cpp:
336         (JSC::checkedReturn): Deleted.
337         * interpreter/Interpreter.h:
338         (JSC::Interpreter::checkedReturn):
339         * interpreter/InterpreterInlines.h:
340         (JSC::Interpreter::execute):
341         * jit/JITCode.cpp:
342         (JSC::JITCode::execute): Deleted.
343         * jit/JITCodeInlines.h: Added.
344         (JSC::JITCode::execute):
345         * llint/LowLevelInterpreter.asm:
346         * runtime/StringPrototype.cpp:
347
348 2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>
349
350         [INTL] Improve spec & test262 compliance for Intl APIs
351         https://bugs.webkit.org/show_bug.cgi?id=185578
352
353         Reviewed by Yusuke Suzuki.
354
355         Use putDirectIndex over push for lists to arrays.
356         Update default options to construct with a null prototype.
357         Define constructor and toStringTag on prototypes.
358         Add proper time clipping.
359         Remove some outdated comment spec text, use url instead.
360
361         * runtime/IntlCollator.cpp:
362         (JSC::IntlCollator::initializeCollator):
363         * runtime/IntlCollatorConstructor.cpp:
364         (JSC::IntlCollatorConstructor::finishCreation):
365         * runtime/IntlCollatorPrototype.cpp:
366         (JSC::IntlCollatorPrototype::finishCreation):
367         * runtime/IntlDateTimeFormatConstructor.cpp:
368         (JSC::IntlDateTimeFormatConstructor::finishCreation):
369         * runtime/IntlDateTimeFormatPrototype.cpp:
370         (JSC::IntlDateTimeFormatPrototype::finishCreation):
371         (JSC::IntlDateTimeFormatFuncFormatDateTime):
372         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
373         * runtime/IntlNumberFormat.cpp:
374         (JSC::IntlNumberFormat::initializeNumberFormat):
375         * runtime/IntlNumberFormatConstructor.cpp:
376         (JSC::IntlNumberFormatConstructor::finishCreation):
377         * runtime/IntlNumberFormatPrototype.cpp:
378         (JSC::IntlNumberFormatPrototype::finishCreation):
379         * runtime/IntlObject.cpp:
380         (JSC::lookupSupportedLocales):
381         (JSC::supportedLocales):
382         (JSC::intlObjectFuncGetCanonicalLocales):
383         * runtime/IntlPluralRules.cpp:
384         (JSC::IntlPluralRules::resolvedOptions):
385         * runtime/IntlPluralRulesConstructor.cpp:
386         (JSC::IntlPluralRulesConstructor::finishCreation):
387
388 2018-05-11  Caio Lima  <ticaiolima@gmail.com>
389
390         [ESNext][BigInt] Implement support for "*" operation
391         https://bugs.webkit.org/show_bug.cgi?id=183721
392
393         Reviewed by Yusuke Suzuki.
394
395         Added BigInt support to the times binary operator in LLInt and in the
396         JITOperations profiledMul and unprofiledMul. We are also replacing all
397         uses of int with unsigned when there are no negative values for the
398         variables.
399
400         * dfg/DFGConstantFoldingPhase.cpp:
401         (JSC::DFG::ConstantFoldingPhase::foldConstants):
402         * jit/JITOperations.cpp:
403         * runtime/CommonSlowPaths.cpp:
404         (JSC::SLOW_PATH_DECL):
405         * runtime/JSBigInt.cpp:
406         (JSC::JSBigInt::JSBigInt):
407         (JSC::JSBigInt::allocationSize):
408         (JSC::JSBigInt::createWithLength):
409         (JSC::JSBigInt::toString):
410         (JSC::JSBigInt::multiply):
411         (JSC::JSBigInt::digitDiv):
412         (JSC::JSBigInt::internalMultiplyAdd):
413         (JSC::JSBigInt::multiplyAccumulate):
414         (JSC::JSBigInt::equals):
415         (JSC::JSBigInt::absoluteDivSmall):
416         (JSC::JSBigInt::calculateMaximumCharactersRequired):
417         (JSC::JSBigInt::toStringGeneric):
418         (JSC::JSBigInt::rightTrim):
419         (JSC::JSBigInt::allocateFor):
420         (JSC::JSBigInt::parseInt):
421         (JSC::JSBigInt::digit):
422         (JSC::JSBigInt::setDigit):
423         * runtime/JSBigInt.h:
424         * runtime/JSCJSValue.h:
425         * runtime/JSCJSValueInlines.h:
426         (JSC::JSValue::toNumeric const):
427         * runtime/Operations.h:
428         (JSC::jsMul):
429
430 2018-05-11  Commit Queue  <commit-queue@webkit.org>
431
432         Unreviewed, rolling out r231316 and r231332.
433         https://bugs.webkit.org/show_bug.cgi?id=185564
434
435         Appears to be a Speedometer2/MotionMark regression (Requested
436         by keith_miller on #webkit).
437
438         Reverted changesets:
439
440         "Remove the prototype caching for get_by_id in the LLInt"
441         https://bugs.webkit.org/show_bug.cgi?id=185226
442         https://trac.webkit.org/changeset/231316
443
444         "Unreviewed, fix 32-bit profile offset for change in bytecode"
445         https://trac.webkit.org/changeset/231332
446
447 2018-05-11  Michael Saboff  <msaboff@apple.com>
448
449         [DFG] Compiler uses incorrect output register for NumberIsInteger operation
450         https://bugs.webkit.org/show_bug.cgi?id=185328
451
452         Reviewed by Keith Miller.
453
454         Fixed a typo from when this code was added in r228968 where resultGPR
455         was assigned the input register instead of the result.gpr().
456
457         * dfg/DFGSpeculativeJIT64.cpp:
458         (JSC::DFG::SpeculativeJIT::compile):
459
460 2018-05-11  Saam Barati  <sbarati@apple.com>
461
462         Don't use inferred types when the JIT is disabled
463         https://bugs.webkit.org/show_bug.cgi?id=185539
464
465         Reviewed by Yusuke Suzuki.
466
467         There are many JSC API clients that run with the JIT disabled. They were
468         all allocating and tracking inferred types for no benefit. Inferred types
469         only benefit programs when they make it to the DFG/FTL. I was seeing cases
470         where the inferred type machinery used ~0.5MB. This patch makes it so we
471         don't allocate that machinery when the JIT is disabled.
472
473         * runtime/Structure.cpp:
474         (JSC::Structure::willStoreValueSlow):
475         * runtime/Structure.h:
476
477 2018-05-11  Saam Barati  <sbarati@apple.com>
478
479         Don't allocate value profiles when the JIT is disabled
480         https://bugs.webkit.org/show_bug.cgi?id=185525
481
482         Reviewed by Michael Saboff.
483
484         There are many JSC API clients that run with the JIT disabled. We were
485         still allocating a ton of value profiles in this use case even though
486         these clients get no benefit from doing value profiling. This patch makes
487         it so that we don't allocate value profiles or argument value profiles
488         when we're not using the JIT. We now just make all value profiles in
489         the instruction stream point to a global value profile that the VM owns.
490         And we make the argument value profile array have zero length and teach
491         the LLInt how to handle that. Heap clears the global value profile on each GC.
492
493         In an app that I'm testing this against, this saves ~1MB of memory.
494
495         * bytecode/CodeBlock.cpp:
496         (JSC::CodeBlock::finishCreation):
497         (JSC::CodeBlock::setNumParameters):
498         * bytecode/CodeBlock.h:
499         (JSC::CodeBlock::numberOfArgumentValueProfiles):
500         (JSC::CodeBlock::valueProfileForArgument):
501         * bytecompiler/BytecodeGenerator.cpp:
502         (JSC::BytecodeGenerator::emitProfiledOpcode):
503         * heap/Heap.cpp:
504         (JSC::Heap::runEndPhase):
505         * llint/LowLevelInterpreter.asm:
506         * runtime/VM.cpp:
507         (JSC::VM::VM):
508         * runtime/VM.h:
509
510 2018-05-10  Carlos Garcia Campos  <cgarcia@igalia.com>
511
512         [JSC][GLIB] Add introspectable alternatives to functions using varargs
513         https://bugs.webkit.org/show_bug.cgi?id=185508
514
515         Reviewed by Michael Catanzaro.
516
517         * API/glib/JSCClass.cpp:
518         (jscClassCreateConstructor):
519         (jsc_class_add_constructor):
520         (jsc_class_add_constructorv):
521         (jscClassAddMethod):
522         (jsc_class_add_method):
523         (jsc_class_add_methodv):
524         * API/glib/JSCClass.h:
525         * API/glib/JSCValue.cpp:
526         (jsObjectCall):
527         (jscValueCallFunction):
528         (jsc_value_object_invoke_methodv):
529         (jscValueFunctionCreate):
530         (jsc_value_new_function):
531         (jsc_value_new_functionv):
532         (jsc_value_function_callv):
533         (jsc_value_constructor_callv):
534         * API/glib/JSCValue.h:
535         * API/glib/docs/jsc-glib-4.0-sections.txt:
536
537 2018-05-10  Yusuke Suzuki  <utatane.tea@gmail.com>
538
539         [JSC] Make return types of construction functions tight
540         https://bugs.webkit.org/show_bug.cgi?id=185509
541
542         Reviewed by Saam Barati.
543
544         Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.
545
546         * runtime/ArrayConstructor.cpp:
547         (JSC::constructArrayWithSizeQuirk):
548         * runtime/ArrayConstructor.h:
549         * runtime/ObjectConstructor.h:
550         (JSC::constructEmptyObject):
551
552 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
553
554         [JSC] Object.assign for final objects should be faster
555         https://bugs.webkit.org/show_bug.cgi?id=185348
556
557         Reviewed by Saam Barati.
558
559         Object.assign is so heavily used to clone an object. For example, speedometer react-redux can be significantly
560         improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.
561
562         If enumerating properties of source objects and putting properties to the target object are non-observable,
563         we can avoid hash table lookups of source object properties. We can enumerate object property entries
564         and put them to the target object. This patch adds this fast path to the Object.assign implementation.
565
566         When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
567         property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
568         "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.
569
570         This improves object-assign.es6 by 1.85x.
571
572                                         baseline                  patched
573
574             object-assign.es6      368.6132+-8.3508     ^    198.8775+-4.9042        ^ definitely 1.8535x faster
575
576         And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.
577
578         * runtime/JSObject.h:
579         * runtime/JSObjectInlines.h:
580         (JSC::JSObject::canPerformFastPutInlineExcludingProto):
581         (JSC::JSObject::canPerformFastPutInline):
582         * runtime/ObjectConstructor.cpp:
583         (JSC::objectConstructorAssign):
584         * runtime/Structure.cpp:
585         (JSC::Structure::Structure):
586         * runtime/Structure.h:
587         * runtime/StructureInlines.h:
588         (JSC::Structure::forEachProperty):
589         (JSC::Structure::add):
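
The "__proto__" condition in the entry above is observable from script. The following is an added example, not code from WebKit or from this patch: it compares what `Object.assign` does with a source that has an own "__proto__" key (JSON.parse creates one; an object literal does not) against what a naive copy of property entries would do. `fastPathCopy` and `fastPathIsSafe` are this example's own simplifications, standing in for the fast path and for the precondition the Structure flag tracks; they are not JSC's implementation.

```javascript
// Added example, not WebKit code. Object.assign does [[Get]] on each own
// enumerable key of the source and [[Set]] on the target, so an own
// "__proto__" key reaches the Object.prototype.__proto__ setter and swaps the
// target's prototype. A fast path that writes property entries straight into
// the target skips that setter, which is why it must bail out for such a source.

function fastPathCopy(target, source) {
  // What a naive entry copy does: define each entry on target, no setters run.
  for (const key of Object.keys(source)) {
    Object.defineProperty(target, key, {
      value: source[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

function fastPathIsSafe(source) {
  // Precondition in the spirit of the structure flag from the entry above:
  // the entry copy is only equivalent to [[Set]] when no own "__proto__" key exists.
  return !Object.prototype.hasOwnProperty.call(source, '__proto__');
}

function compareSemantics(json) {
  const source = JSON.parse(json); // constructed input; JSON.parse makes "__proto__" an own key
  const viaAssign = Object.assign({}, source);
  const viaFast = fastPathCopy({}, source);
  return {
    safe: fastPathIsSafe(source),
    assignKeepsDefaultProto: Object.getPrototypeOf(viaAssign) === Object.prototype,
    fastKeepsDefaultProto: Object.getPrototypeOf(viaFast) === Object.prototype,
    assignInheritsPolluted: viaAssign.polluted === true,
    fastHasOwnProtoKey: Object.prototype.hasOwnProperty.call(viaFast, '__proto__'),
  };
}
```

For `'{"__proto__": {"polluted": true}, "a": 1}'` the two copies diverge: `Object.assign` leaves the target with a replaced prototype (so `target.polluted` is inherited), while the entry copy leaves the prototype alone and creates an own "__proto__" data property. `fastPathIsSafe` is false for that source and true for `'{"a": 1, "b": 2}'`, where both copies agree. Note that only the target's prototype changes here; `Object.prototype` itself is untouched, so the check is about equivalence of the two paths, not about global pollution.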
590
591 2018-05-10  Filip Pizlo  <fpizlo@apple.com>
592
593         DFG CFA should pick the right time to inject OSR entry data
594         https://bugs.webkit.org/show_bug.cgi?id=185530
595
596         Reviewed by Saam Barati.
597         
598         Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
599         OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
600         reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
601         would eventually LUB to non-constant.
602         
603         This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
604         execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
605         useless regexp/string execution in the compiler.
606
607         * dfg/DFGBlockSet.h:
608         (JSC::DFG::BlockSet::remove):
609         * dfg/DFGCFAPhase.cpp:
610         (JSC::DFG::CFAPhase::run):
611         (JSC::DFG::CFAPhase::injectOSR):
612         (JSC::DFG::CFAPhase::performBlockCFA):
613
614 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
615
616         InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
617         https://bugs.webkit.org/show_bug.cgi?id=185452
618
619         Reviewed by Michael Saboff.
620         
621         We were spending a lot of time in beginBasicBlock() just copying the state of all variables
622         from the block head to InPlaceAbstractState::m_variables. It is necessary for
623         InPlaceAbstractState to have its own copy since we need to mutate it separately from
624         block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
625         of superfluous work.
626         
627         This change adds a bitvector called m_activeVariables that tracks which variables have been
628         copied. We lazily copy the variables on first use. Variables that were never copied also have
629         a simplified merging path, which just needs to consider if the variable got clobbered between
630         head and tail.
631         
632         This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.
633
634         * bytecode/Operands.h:
635         (JSC::Operands::argumentIndex const):
636         (JSC::Operands::localIndex const):
637         (JSC::Operands::argument):
638         (JSC::Operands::argument const):
639         (JSC::Operands::local):
640         (JSC::Operands::local const):
641         (JSC::Operands::operandIndex const):
642         * dfg/DFGAbstractValue.h:
643         (JSC::DFG::AbstractValue::fastForwardFromTo):
644         * dfg/DFGCFAPhase.cpp:
645         (JSC::DFG::CFAPhase::performForwardCFA):
646         * dfg/DFGInPlaceAbstractState.cpp:
647         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
648         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
649         (JSC::DFG::InPlaceAbstractState::activateAllVariables):
650         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
651         (JSC::DFG::InPlaceAbstractState::activateVariable):
652         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
653         * dfg/DFGInPlaceAbstractState.h:
654         (JSC::DFG::InPlaceAbstractState::variableAt):
655         (JSC::DFG::InPlaceAbstractState::operand):
656         (JSC::DFG::InPlaceAbstractState::local):
657         (JSC::DFG::InPlaceAbstractState::argument):
658         (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
659         (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.
660
661 2018-05-09  Caio Lima  <ticaiolima@gmail.com>
662
663         [ESNext][BigInt] Implement support for "==" operation
664         https://bugs.webkit.org/show_bug.cgi?id=184474
665
666         Reviewed by Yusuke Suzuki.
667
668         This patch implements BigInt support for the equals operator,
669         following the spec semantics [1].
670
671         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison
672
673         * runtime/JSBigInt.cpp:
674         (JSC::JSBigInt::parseInt):
675         (JSC::JSBigInt::stringToBigInt):
676         (JSC::JSBigInt::toString):
677         (JSC::JSBigInt::setDigit):
678         (JSC::JSBigInt::equalsToNumber):
679         (JSC::JSBigInt::compareToDouble):
680         * runtime/JSBigInt.h:
681         * runtime/JSCJSValueInlines.h:
682         (JSC::JSValue::equalSlowCaseInline):
683
684 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
685
686         Speed up AbstractInterpreter::executeEdges
687         https://bugs.webkit.org/show_bug.cgi?id=185457
688
689         Reviewed by Saam Barati.
690
691         This patch started out with the desire to make executeEdges() faster by making filtering faster.
692         However, when I studied the disassembly, I found that there are many opportunities for
693         improvement and I implemented all of them:
694         
695         - Filtering itself now has an inline fast path for when the filtering didn't change the value or
696           for non-cells.
697         
698         - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
699           since fast-forwarding is only interesting for cells and only if we have a clobbered value.
700         
701         - Similarly, edge verification doesn't need to fast-forward in the common case.
702         
703         - A bunch of stuff related to Graph::doToChildren is now inlined properly.
704         
705         - The edge doesn't even have to be considered for execution if it's UntypedUse.
706         
707         That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
708         abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
709         it means proving that the value could either be formatted as a double (with impure NaN values),
710         or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
711         states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
712         make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
713         to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
714         SpecBytecodeNumber (if returning a JSValueRep).
715         
716         But that fix revealed an amazing timeout in
717         stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
718         stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
719         ever realizing that we should jettison something. The problem was with how
720         triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
721         baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
722         
723         This is a 1% improvement in V8Spider-CompileTime.
724
725         * bytecode/ExitKind.cpp:
726         (JSC::exitKindMayJettison):
727         * dfg/DFGAbstractInterpreter.h:
728         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
729         (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
730         * dfg/DFGAbstractInterpreterInlines.h:
731         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
732         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
733         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
734         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
735         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
736         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
737         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
738         * dfg/DFGAbstractValue.cpp:
739         (JSC::DFG::AbstractValue::filterSlow):
740         (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
741         * dfg/DFGAbstractValue.h:
742         (JSC::DFG::AbstractValue::filter):
743         (JSC::DFG::AbstractValue::fastForwardToAndFilter):
744         (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
745         (JSC::DFG::AbstractValue::makeTop):
746         * dfg/DFGAtTailAbstractState.h:
747         (JSC::DFG::AtTailAbstractState::fastForward):
748         (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
749         (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
750         * dfg/DFGGraph.h:
751         (JSC::DFG::Graph::doToChildren):
752         * dfg/DFGInPlaceAbstractState.h:
753         (JSC::DFG::InPlaceAbstractState::fastForward):
754         (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
755         (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
756         * dfg/DFGOSRExit.cpp:
757         (JSC::DFG::OSRExit::executeOSRExit):
758         * dfg/DFGOSRExitCompilerCommon.cpp:
759         (JSC::DFG::handleExitCounts):
760         * dfg/DFGOperations.cpp:
761         * dfg/DFGOperations.h:
762
763 2018-05-09  Saam Barati  <sbarati@apple.com>
764
765         Add JSVirtualMachine SPI to shrink the memory footprint of the VM
766         https://bugs.webkit.org/show_bug.cgi?id=185441
767         <rdar://problem/39999414>
768
769         Reviewed by Keith Miller.
770
771         This patch adds JSVirtualMachine SPI to release as much memory as possible.
772         The SPI does:
773         - Deletes all code caches.
774         - Synchronous GC.
775         - Run the scavenger.
776
777         * API/JSVirtualMachine.mm:
778         (-[JSVirtualMachine shrinkFootprint]):
779         * API/JSVirtualMachinePrivate.h: Added.
780         * API/tests/testapi.mm:
781         (testObjectiveCAPIMain):
782         * JavaScriptCore.xcodeproj/project.pbxproj:
783         * runtime/VM.cpp:
784         (JSC::VM::shrinkFootprint):
785         * runtime/VM.h:
786
787 2018-05-09  Leo Balter  <leonardo.balter@gmail.com>
788
789         [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
790         Error found in the following Test262 tests:
791
792         - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
793         - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
794         - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js
795
796         The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
797         presenting a length > 2**32-1
798         https://bugs.webkit.org/show_bug.cgi?id=185476
799
800         Reviewed by Yusuke Suzuki.
801
802         * runtime/ArrayPrototype.cpp:
803
804 2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>
805
806         [WPE] Build cleanly with GCC 8 and ICU 60
807         https://bugs.webkit.org/show_bug.cgi?id=185462
808
809         Reviewed by Carlos Alberto Lopez Perez.
810
811         * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
812         (jsc_class_add_constructor):
813         (jsc_class_add_method):
814         * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
815         (jsc_value_object_define_property_accessor):
816         (jsc_value_new_function):
817         * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
818         problem with GCC 7 too, but might as well fix it now.
819         * assembler/ProbeContext.h:
820         (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
821         (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
822         * b3/air/AirArg.h:
823         (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
824         * builtins/BuiltinNames.cpp:
825         (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
826         * builtins/BuiltinNames.h:
827         (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
828         * dfg/DFGDoubleFormatState.h:
829         (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
830         * heap/MarkedBlockInlines.h:
831         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
832         * runtime/ConfigFile.cpp:
833         (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake: strncat is called
834         with the wrong length parameter and the result is not null-terminated. Also, silence a
835         -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
836         * runtime/IntlDateTimeFormat.cpp:
837         (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
838         * runtime/JSGlobalObject.cpp:
839         (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
840         (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
841
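The strncat mistake noted for ConfigFile::canonicalizePaths above is a common one: the third argument of strncat bounds the bytes copied from the source, not the size of the destination. As an added example (not WebKit's code), the hypothetical appendTruncating and joinPath below show the bound a fixed-size path buffer actually needs, with a constructed default capacity of 4096 standing in for PATH_MAX:

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Append src to dst, a buffer of dstCapacity bytes, truncating if needed and
// always leaving dst NUL-terminated. Returns false if anything was dropped.
// Hypothetical helper written for this example.
bool appendTruncating(char* dst, size_t dstCapacity, const char* src)
{
    if (!dstCapacity)
        return false;
    size_t used = 0;
    while (used < dstCapacity && dst[used])
        ++used;
    if (used == dstCapacity) {
        // dst was not terminated at all: repair it and report truncation.
        dst[dstCapacity - 1] = '\0';
        return false;
    }
    // The correct bound is the room left after the existing content and the
    // terminator. Passing dstCapacity (or sizeof(dst)) here, the mistake the
    // entry describes, overflows once used + strlen(src) >= dstCapacity.
    size_t room = dstCapacity - used - 1;
    strncat(dst, src, room);                 // copies at most `room` bytes, then writes the NUL
    return strlen(src) <= room;
}

struct JoinResult {
    std::string path;
    bool truncated;
};

// Build "<dir>/<file>" into a fixed-size buffer the way a path canonicalizer
// might, with `capacity` standing in for PATH_MAX (constructed default).
JoinResult joinPath(const char* dir, const char* file, size_t capacity = 4096)
{
    std::string storage(capacity, '\0');     // zeroed backing store, so dst starts empty
    char* dst = &storage[0];
    bool fit = appendTruncating(dst, capacity, dir);
    fit = appendTruncating(dst, capacity, "/") && fit;
    fit = appendTruncating(dst, capacity, file) && fit;
    // std::string(const char*) stops at the NUL, which is now guaranteed to exist.
    return { std::string(dst), !fit };
}
```

Because the helper reports truncation instead of silently producing a shorter path, a caller can decide whether a cut-off filename is acceptable, which is the intentional behaviour the entry mentions for names longer than PATH_MAX.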
842 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
843
844         [ARMv7] Drop ARMv7 disassembler in favor of capstone
845         https://bugs.webkit.org/show_bug.cgi?id=185423
846
847         Reviewed by Michael Catanzaro.
848
849         This patch removes ARMv7Disassembler in our tree.
850         We already adopted Capstone, and it is already used in ARMv7 JIT environments.
851
852         * CMakeLists.txt:
853         * JavaScriptCore.xcodeproj/project.pbxproj:
854         * Sources.txt:
855         * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
856         * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
857         * disassembler/ARMv7Disassembler.cpp: Removed.
858
859 2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>
860
861         [MIPS] Optimize generated JIT code using r2
862         https://bugs.webkit.org/show_bug.cgi?id=184584
863
864         Reviewed by Yusuke Suzuki.
865
866         EXT and MFHC1 instructions from MIPSR2 are implemented and used where possible.
867         Also, some code size optimizations discovered in the meantime were done.
868
869         * assembler/MIPSAssembler.h:
870         (JSC::MIPSAssembler::ext):
871         (JSC::MIPSAssembler::mfhc1):
872         * assembler/MacroAssemblerMIPS.cpp:
873         * assembler/MacroAssemblerMIPS.h:
874         (JSC::MacroAssemblerMIPS::isPowerOf2):
875         (JSC::MacroAssemblerMIPS::bitPosition):
876         (JSC::MacroAssemblerMIPS::loadAddress):
877         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
878         (JSC::MacroAssemblerMIPS::load8):
879         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
880         (JSC::MacroAssemblerMIPS::load32):
881         (JSC::MacroAssemblerMIPS::load16Unaligned):
882         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
883         (JSC::MacroAssemblerMIPS::load16):
884         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
885         (JSC::MacroAssemblerMIPS::store8):
886         (JSC::MacroAssemblerMIPS::store16):
887         (JSC::MacroAssemblerMIPS::store32):
888         (JSC::MacroAssemblerMIPS::branchTest32):
889         (JSC::MacroAssemblerMIPS::loadFloat):
890         (JSC::MacroAssemblerMIPS::loadDouble):
891         (JSC::MacroAssemblerMIPS::storeFloat):
892         (JSC::MacroAssemblerMIPS::storeDouble):
893
894 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
895
896         [JSC][GTK][JSCONLY] Use capstone disassembler
897         https://bugs.webkit.org/show_bug.cgi?id=185283
898
899         Reviewed by Michael Catanzaro.
900
901         Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler
902         and use it for MIPS, ARM, and ARMv7 in the GTK, WPE, WinCairo and JSCOnly ports.
903
904         We also remove the ARM LLVM disassembler.
905
906         Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.
907
908         * CMakeLists.txt:
909         * Sources.txt:
910         * disassembler/ARMLLVMDisassembler.cpp: Removed.
911         * disassembler/CapstoneDisassembler.cpp: Added.
912         (JSC::tryToDisassemble):
913
914 2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>
915
916         [MIPS] Use mfhc1 and mthc1 to fix assembler error
917         https://bugs.webkit.org/show_bug.cgi?id=185464
918
919         Reviewed by Yusuke Suzuki.
920
921         The binutils-assembler started to report failures for copying words between
922         GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
923         of mfc1 and mtc1 for conversion.
924
925         * offlineasm/mips.rb:
926
927 2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>
928
929         [MIPS] Collect callee-saved register using inline assembly
930         https://bugs.webkit.org/show_bug.cgi?id=185428
931
932         Reviewed by Yusuke Suzuki.
933
934         MIPS used setjmp instead of collecting registers with inline assembly like
935         other architectures.
936
937         * heap/RegisterState.h:
938
939 2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>
940
941         [BigInt] Simplifying JSBigInt by using bool addition
942         https://bugs.webkit.org/show_bug.cgi?id=185374
943
944         Reviewed by Alex Christensen.
945
946         Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
947         Just adding the overflow flag to the carry/borrow produces setb + add on x86.
948
949         Also we annotate small helper functions and accessors with `inline` so that these functions are not
950         called inside the internalMultiplyAdd loop.
951
952         * runtime/JSBigInt.cpp:
953         (JSC::JSBigInt::isZero):
954         (JSC::JSBigInt::inplaceMultiplyAdd):
955         (JSC::JSBigInt::digitAdd):
956         (JSC::JSBigInt::digitSub):
957         (JSC::JSBigInt::digitMul):
958         (JSC::JSBigInt::digitPow):
959         (JSC::JSBigInt::digitDiv):
960         (JSC::JSBigInt::offsetOfData):
961         (JSC::JSBigInt::dataStorage):
962         (JSC::JSBigInt::digit):
963         (JSC::JSBigInt::setDigit):
964
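The bool-carry trick the entry describes, shown as an added example rather than JSBigInt's own code: a 64-bit digitAdd/digitSub whose overflow test is added straight into the carry/borrow, driven by the hypothetical addMagnitudes and subtractMagnitudes over little-endian digit vectors.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Digit = uint64_t;

// One-digit add: the comparison is the hardware carry flag, and adding that
// bool straight into `carry` is what lets the compiler emit setb + add
// instead of the wider TWO_DIGIT arithmetic the entry removes.
inline Digit digitAdd(Digit a, Digit b, Digit& carry)
{
    Digit result = a + b;
    carry += (result < a);   // unsigned wraparound: overflow iff result < a
    return result;
}

// One-digit subtract with the same trick for the borrow.
inline Digit digitSub(Digit a, Digit b, Digit& borrow)
{
    Digit result = a - b;
    borrow += (result > a);  // unsigned wraparound: underflow iff result > a
    return result;
}

// Hypothetical magnitude addition over little-endian digit vectors
// (digits[0] least significant), written to show the helpers in use.
std::vector<Digit> addMagnitudes(const std::vector<Digit>& x, const std::vector<Digit>& y)
{
    const std::vector<Digit>& longer = x.size() >= y.size() ? x : y;
    const std::vector<Digit>& shorter = x.size() >= y.size() ? y : x;
    std::vector<Digit> result;
    result.reserve(longer.size() + 1);
    Digit carry = 0;
    for (size_t i = 0; i < longer.size(); ++i) {
        Digit newCarry = 0;
        // Fold in the carry from the previous digit, then the other operand.
        // At most one of the two adds can overflow, so newCarry stays 0 or 1.
        Digit sum = digitAdd(longer[i], carry, newCarry);
        if (i < shorter.size())
            sum = digitAdd(sum, shorter[i], newCarry);
        result.push_back(sum);
        carry = newCarry;
    }
    if (carry)
        result.push_back(carry);
    return result;
}

// Magnitude subtraction x - y, requiring |x| >= |y|; trailing zero digits are
// trimmed so the result stays canonical.
std::vector<Digit> subtractMagnitudes(const std::vector<Digit>& x, const std::vector<Digit>& y)
{
    std::vector<Digit> result(x.size());
    Digit borrow = 0;
    for (size_t i = 0; i < x.size(); ++i) {
        Digit newBorrow = 0;
        Digit diff = digitSub(x[i], borrow, newBorrow);
        if (i < y.size())
            diff = digitSub(diff, y[i], newBorrow);
        result[i] = diff;
        borrow = newBorrow;
    }
    while (!result.empty() && !result.back())
        result.pop_back();
    return result;
}
```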
965 2018-05-08  Michael Saboff  <msaboff@apple.com>
966
967         Replace multiple Watchpoint Set fireAll() methods with templates
968         https://bugs.webkit.org/show_bug.cgi?id=185456
969
970         Reviewed by Saam Barati.
971
972         Refactored to minimize duplicate code.
973
974         * bytecode/Watchpoint.h:
975         (JSC::WatchpointSet::fireAll):
976         (JSC::InlineWatchpointSet::fireAll):
977
978 2018-05-08  Filip Pizlo  <fpizlo@apple.com>
979
980         DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
981         https://bugs.webkit.org/show_bug.cgi?id=185453
982
983         Reviewed by Michael Saboff.
984         
985         Tiny improvement for compile times.
986
987         * dfg/DFGFlowMap.h:
988         (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
989         * dfg/DFGInPlaceAbstractState.cpp:
990         (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.
991
992 2018-05-08  Michael Saboff  <msaboff@apple.com>
993
994         Deferred firing of structure transition watchpoints is racy
995         https://bugs.webkit.org/show_bug.cgi?id=185438
996
997         Reviewed by Saam Barati.
998
999         Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
1000         and fire them in the destructor.  When the watchpoints are taken from the
1001         original WatchpointSet, that WatchpointSet is marked invalid.
1002
1003         * bytecode/Watchpoint.cpp:
1004         (JSC::WatchpointSet::fireAllSlow):
1005         (JSC::WatchpointSet::take):
1006         (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
1007         (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
1008         (JSC::DeferredWatchpointFire::fireAll):
1009         (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
1010         * bytecode/Watchpoint.h:
1011         (JSC::WatchpointSet::fireAll):
1012         (JSC::InlineWatchpointSet::fireAll):
1013         * runtime/JSObject.cpp:
1014         (JSC::JSObject::setPrototypeDirect):
1015         (JSC::JSObject::convertToDictionary):
1016         * runtime/JSObjectInlines.h:
1017         (JSC::JSObject::putDirectInternal):
1018         * runtime/Structure.cpp:
1019         (JSC::Structure::Structure):
1020         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
1021         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
1022         (JSC::DeferredStructureTransitionWatchpointFire::dump const):
1023         (JSC::Structure::didTransitionFromThisStructure const):
1024         (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
1025         * runtime/Structure.h:
1026         (JSC::DeferredStructureTransitionWatchpointFire::structure const):
1027
1028 2018-05-08  Eric Carlson  <eric.carlson@apple.com>
1029
1030         Consecutive messages logged as JSON are coalesced
1031         https://bugs.webkit.org/show_bug.cgi?id=185432
1032
1033         Reviewed by Joseph Pecoraro.
1034
1035         * inspector/ConsoleMessage.cpp:
1036         (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.
1037
1038 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
1039
1040         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
1041         https://bugs.webkit.org/show_bug.cgi?id=185365
1042
1043         Reviewed by Saam Barati.
1044         
1045         This patch does three things to improve compile times:
1046         
1047         - Fixes some inlining goofs.
1048         
1049         - Adds the ability to measure compile times with run-jsc-benchmarks.
1050         
1051         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
1052           code that clears abstract values. It turns out that on constant folding "needed" this, in the
1053           sense that this was the only thing protecting it from loading the abstract value of a no-result
1054           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
1055           Any node that produces a result will explicitly set its abstract value, so this problem can
1056           also be guarded by just having constant folding check if the node it wants to fold returns any
1057           result.
1058         
1059         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
1060         
1061         Rolling back in after fixing cloop build.
1062
1063         * dfg/DFGAbstractInterpreterInlines.h:
1064         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1065         * dfg/DFGAbstractValue.cpp:
1066         (JSC::DFG::AbstractValue::set):
1067         * dfg/DFGAbstractValue.h:
1068         (JSC::DFG::AbstractValue::merge):
1069         * dfg/DFGConstantFoldingPhase.cpp:
1070         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1071         * dfg/DFGGraph.h:
1072         (JSC::DFG::Graph::doToChildrenWithNode):
1073         (JSC::DFG::Graph::doToChildren):
1074         * dfg/DFGInPlaceAbstractState.cpp:
1075         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1076         * jit/JIT.cpp:
1077         (JSC::JIT::totalCompileTime):
1078         * jit/JIT.h:
1079         * jsc.cpp:
1080         (GlobalObject::finishCreation):
1081         (functionTotalCompileTime):
1082
1083 2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>
1084
1085         Unreviewed, rolling out r231468.
1086
1087         Broke the CLoop build
1088
1089         Reverted changeset:
1090
1091         "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
1092         any abstract values"
1093         https://bugs.webkit.org/show_bug.cgi?id=185365
1094         https://trac.webkit.org/changeset/231468
1095
1096 2018-05-07  Daniel Bates  <dabates@apple.com>
1097
1098         Check X-Frame-Options and CSP frame-ancestors in network process
1099         https://bugs.webkit.org/show_bug.cgi?id=185410
1100         <rdar://problem/37733934>
1101
1102         Reviewed by Ryosuke Niwa.
1103
1104         Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.
1105
1106         * runtime/ConsoleTypes.h:
1107
1108 2018-05-07  Saam Barati  <sbarati@apple.com>
1109
1110         Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
1111         https://bugs.webkit.org/show_bug.cgi?id=185329
1112         <rdar://problem/39961536>
1113
1114         Reviewed by Michael Saboff.
1115
1116         I was made aware of a memory goof inside of JSC where we would inefficiently
1117         use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.
1118         
1119         We did two things badly:
1120         1. We used a HashMap instead of a Vector to represent the environment. Having
1121         a HashMap is useful when looking things up when generating bytecode, but it's
1122         space inefficient. Because UnlinkedFunctionExecutables live a long time because
1123         of the code cache, we should have them store this information efficiently
1124         inside of a Vector.
1125         
1126         2. We didn't hash-cons these environments together. If you think about how
1127         some programs are structured, hash-consing these together is hugely profitable.
1128         Consider some code like this:
1129         ```
1130         const/let V_1 = ...;
1131         const/let V_2 = ...;
1132         ...
1133         const/let V_n = ...;
1134         
1135         function f_1() { ... };
1136         function f_2() { ... };
1137         ...
1138         function f_n() { ... };
1139         ```
1140         
1141         Each f_i would store an identical hash map for its parent TDZ variables
1142         consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
1143         each f_i just holds onto a reference to the environment.
1144         
1145         I benchmarked this change against an app that made heavy use of the
1146         above code pattern and it reduced its peak memory footprint from ~220MB
1147         to ~160MB.
1148
1149         * bytecode/UnlinkedFunctionExecutable.cpp:
1150         (JSC::generateUnlinkedFunctionCodeBlock):
1151         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1152         * bytecode/UnlinkedFunctionExecutable.h:
1153         * parser/VariableEnvironment.cpp:
1154         (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
1155         (JSC::CompactVariableEnvironment::operator== const):
1156         (JSC::CompactVariableEnvironment::toVariableEnvironment const):
1157         (JSC::CompactVariableMap::get):
1158         (JSC::CompactVariableMap::Handle::~Handle):
1159         * parser/VariableEnvironment.h:
1160         (JSC::VariableEnvironmentEntry::bits const):
1161         (JSC::VariableEnvironmentEntry::operator== const):
1162         (JSC::VariableEnvironment::isEverythingCaptured const):
1163         (JSC::CompactVariableEnvironment::hash const):
1164         (JSC::CompactVariableMapKey::CompactVariableMapKey):
1165         (JSC::CompactVariableMapKey::hash):
1166         (JSC::CompactVariableMapKey::equal):
1167         (JSC::CompactVariableMapKey::makeDeletedValue):
1168         (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
1169         (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
1170         (JSC::CompactVariableMapKey::environment):
1171         (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
1172         (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
1173         (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
1174         (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
1175         (JSC::CompactVariableMap::Handle::Handle):
1176         (JSC::CompactVariableMap::Handle::environment const):
1177         (JSC::VariableEnvironment::VariableEnvironment): Deleted.
1178         * runtime/VM.cpp:
1179         (JSC::VM::VM):
1180         * runtime/VM.h:
1181
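The hash-consing described in the entry above, as an added example that is not the patch's own CompactVariableMap: structurally equal environments are stored once in an intern table keyed by their (sorted, de-duplicated) variable names, each function holds a shared handle, and the table keeps only weak references so an environment dies with its last holder. All names here (CompactEnvironment, CompactEnvironmentTable, simulateFunctions) are hypothetical.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

// Immutable, compact environment: the sorted list of variable names a nested
// function must treat as TDZ variables of its parent scope.
struct CompactEnvironment {
    std::vector<std::string> variables; // sorted, unique
};

struct VectorHash {
    size_t operator()(const std::vector<std::string>& v) const
    {
        size_t h = v.size();
        for (const auto& s : v)
            h ^= std::hash<std::string>()(s) + 0x9e3779b97f4a7c15ULL + (h << 6) + (h >> 2);
        return h;
    }
};

// Hash-consing table: equal environments are stored once and every requester
// holds a shared reference. Entries are weak so the table never keeps an
// environment alive after its last holder has released it.
class CompactEnvironmentTable {
public:
    using Handle = std::shared_ptr<const CompactEnvironment>;

    Handle get(std::vector<std::string> variables)
    {
        std::sort(variables.begin(), variables.end());
        variables.erase(std::unique(variables.begin(), variables.end()), variables.end());
        auto it = m_table.find(variables);
        if (it != m_table.end()) {
            if (Handle existing = it->second.lock())
                return existing;                       // reuse the canonical copy
        }
        Handle fresh = std::make_shared<CompactEnvironment>(CompactEnvironment { variables });
        m_table[variables] = fresh;                    // stored weakly
        return fresh;
    }

    // Number of distinct environments currently alive; dead entries are pruned.
    size_t liveCount()
    {
        size_t n = 0;
        for (auto it = m_table.begin(); it != m_table.end();) {
            if (it->second.expired())
                it = m_table.erase(it);
            else {
                ++n;
                ++it;
            }
        }
        return n;
    }

private:
    std::unordered_map<std::vector<std::string>, std::weak_ptr<const CompactEnvironment>, VectorHash> m_table;
};

// The pattern from the entry: n functions each needing the same parent
// environment {V_1..V_n}. Returns how many distinct environments are stored.
size_t simulateFunctions(size_t n)
{
    CompactEnvironmentTable table;
    std::vector<std::string> parentVars;
    for (size_t i = 1; i <= n; ++i)
        parentVars.push_back("V_" + std::to_string(i));
    std::vector<CompactEnvironmentTable::Handle> perFunction;
    for (size_t i = 0; i < n; ++i)
        perFunction.push_back(table.get(parentVars));  // one shared copy, n references
    return table.liveCount();
}

// Identity check: the same set (order and duplicates aside) yields the same
// object, a different set a different one, and releasing handles frees entries.
bool handlesAreShared()
{
    CompactEnvironmentTable table;
    auto a = table.get({ "b", "a" });
    auto b = table.get({ "a", "b", "a" });
    auto c = table.get({ "a" });
    bool shared = (a == b) && (a != c) && table.liveCount() == 2;
    a.reset();
    b.reset();
    return shared && table.liveCount() == 1;
}
```

Normalizing the key (sort plus unique) before the lookup is what makes structurally equal environments collide; without it two functions listing the same variables in a different order would still get two copies.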
1182 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1183
1184         [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
1185         https://bugs.webkit.org/show_bug.cgi?id=185371
1186
1187         Reviewed by Mark Lam.
1188
1189         Since MIPS GPRInfo claims it has only 7 registers, some DFG code exhausts registers.
1190         As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
1191         but actually MIPS has many more registers.
1192
1193         This patch adds $a0 - $a3 to temporary registers. This is OK since our temporary registers can be overlapped with
1194         argument registers (see ARM, X86 implementations). These registers are caller-save ones, so we do not need to
1195         have extra mechanism.
1196
1197         Then, we remove several unnecessary pieces of MIPS-specific code in our JIT infrastructure.
1198
1199         * dfg/DFGByteCodeParser.cpp:
1200         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1201         * dfg/DFGFixupPhase.cpp:
1202         (JSC::DFG::FixupPhase::fixupNode):
1203         * dfg/DFGSpeculativeJIT32_64.cpp:
1204         (JSC::DFG::SpeculativeJIT::compile):
1205         * jit/CCallHelpers.h:
1206         * jit/GPRInfo.h:
1207         (JSC::GPRInfo::toRegister):
1208         (JSC::GPRInfo::toIndex):
1209         * offlineasm/mips.rb:
1210
1211 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1212
1213         DFG AI should have O(1) clobbering
1214         https://bugs.webkit.org/show_bug.cgi?id=185287
1215
1216         Reviewed by Saam Barati.
1217         
1218         This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
1219         would traverse all of the state available to the AI at that time and clobber it.
1220         
1221         This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.
1222         
1223         This is a ~1% speed-up for compile times.
1224
1225         * JavaScriptCore.xcodeproj/project.pbxproj:
1226         * Sources.txt:
1227         * dfg/DFGAbstractInterpreter.h:
1228         (JSC::DFG::AbstractInterpreter::forNode):
1229         (JSC::DFG::AbstractInterpreter::setForNode):
1230         (JSC::DFG::AbstractInterpreter::clearForNode):
1231         (JSC::DFG::AbstractInterpreter::variables): Deleted.
1232         * dfg/DFGAbstractInterpreterInlines.h:
1233         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1234         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
1235         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
1236         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
1237         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1238         * dfg/DFGAbstractValue.cpp:
1239         (JSC::DFG::AbstractValue::fastForwardToSlow):
1240         * dfg/DFGAbstractValue.h:
1241         (JSC::DFG::AbstractValue::fastForwardTo):
1242         (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
1243         (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
1244         (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
1245         * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
1246         (JSC::DFG::AbstractValueClobberEpoch::dump const):
1247         * dfg/DFGAbstractValueClobberEpoch.h: Added.
1248         (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
1249         (JSC::DFG::AbstractValueClobberEpoch::first):
1250         (JSC::DFG::AbstractValueClobberEpoch::clobber):
1251         (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
1252         (JSC::DFG::AbstractValueClobberEpoch::operator== const):
1253         (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
1254         (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
1255         (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
1256         * dfg/DFGAtTailAbstractState.h:
1257         (JSC::DFG::AtTailAbstractState::setForNode):
1258         (JSC::DFG::AtTailAbstractState::clearForNode):
1259         (JSC::DFG::AtTailAbstractState::numberOfArguments const):
1260         (JSC::DFG::AtTailAbstractState::numberOfLocals const):
1261         (JSC::DFG::AtTailAbstractState::operand):
1262         (JSC::DFG::AtTailAbstractState::local):
1263         (JSC::DFG::AtTailAbstractState::argument):
1264         (JSC::DFG::AtTailAbstractState::clobberStructures):
1265         (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
1266         (JSC::DFG::AtTailAbstractState::variables): Deleted.
1267         * dfg/DFGCFAPhase.cpp:
1268         (JSC::DFG::CFAPhase::performBlockCFA):
1269         * dfg/DFGConstantFoldingPhase.cpp:
1270         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1271         * dfg/DFGFlowMap.h:
1272         (JSC::DFG::FlowMap::at):
1273         (JSC::DFG::FlowMap::atShadow):
1274         (JSC::DFG::FlowMap::at const):
1275         (JSC::DFG::FlowMap::atShadow const):
1276         * dfg/DFGInPlaceAbstractState.cpp:
1277         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1278         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1279         * dfg/DFGInPlaceAbstractState.h:
1280         (JSC::DFG::InPlaceAbstractState::forNode):
1281         (JSC::DFG::InPlaceAbstractState::setForNode):
1282         (JSC::DFG::InPlaceAbstractState::clearForNode):
1283         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
1284         (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
1285         (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
1286         (JSC::DFG::InPlaceAbstractState::operand):
1287         (JSC::DFG::InPlaceAbstractState::local):
1288         (JSC::DFG::InPlaceAbstractState::argument):
1289         (JSC::DFG::InPlaceAbstractState::variableAt):
1290         (JSC::DFG::InPlaceAbstractState::clobberStructures):
1291         (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
1292         (JSC::DFG::InPlaceAbstractState::fastForward):
1293         (JSC::DFG::InPlaceAbstractState::variables): Deleted.
1294         * dfg/DFGSpeculativeJIT64.cpp:
1295         (JSC::DFG::SpeculativeJIT::compile):
1296         * ftl/FTLLowerDFGToB3.cpp:
1297         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
1298
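The O(1) clobbering the entry describes rests on an epoch: instead of visiting every abstract value, clobberWorld() bumps a counter and each value is fast-forwarded lazily when next read. As an added example (not the DFG's AbstractValueClobberEpoch, which also tracks a structure clobber state and invalidation points), the hypothetical EpochAbstractState below keeps only the epoch idea:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified stand-in for an abstract value: whether the structure of the
// value is still known, plus the clobber epoch it was last validated against.
struct AbstractValue {
    bool structureIsKnown = false;
    uint32_t epoch = 0;
};

class EpochAbstractState {
public:
    explicit EpochAbstractState(size_t nodeCount) : m_values(nodeCount) { }

    // Record that a node's structure is known, stamped with the current epoch.
    void setKnownStructure(size_t node)
    {
        m_values[node].structureIsKnown = true;
        m_values[node].epoch = m_epoch;
    }

    // O(1) clobber: every value stamped with an older epoch is now stale,
    // but nothing is visited here.
    void clobberWorld() { ++m_epoch; }

    // Fast-forward on access: if a clobber happened since the value was set,
    // drop the structure knowledge and re-stamp it so the check is paid once.
    const AbstractValue& forNode(size_t node)
    {
        AbstractValue& value = m_values[node];
        if (value.epoch != m_epoch) {
            value.structureIsKnown = false;
            value.epoch = m_epoch;
        }
        return value;
    }

    size_t size() const { return m_values.size(); }

private:
    std::vector<AbstractValue> m_values;
    uint32_t m_epoch = 1; // starts above 0 so never-set values read as stale
};

// Drive the state the way a block of nodes might: learn n structures, hit one
// clobbering node, then learn one more. Returns how many nodes still have a
// known structure afterwards (only the one set after the clobber should).
size_t knownAfterClobber(size_t n)
{
    EpochAbstractState state(n + 1);
    for (size_t i = 0; i < n; ++i)
        state.setKnownStructure(i);
    state.clobberWorld();              // e.g. a call that may run arbitrary JS
    state.setKnownStructure(n);        // knowledge gained after the clobber survives
    size_t known = 0;
    for (size_t i = 0; i < state.size(); ++i)
        known += state.forNode(i).structureIsKnown ? 1 : 0;
    return known;
}

// Without any clobber, everything that was set stays known.
size_t knownWithoutClobber(size_t n)
{
    EpochAbstractState state(n);
    for (size_t i = 0; i < n; ++i)
        state.setKnownStructure(i);
    size_t known = 0;
    for (size_t i = 0; i < n; ++i)
        known += state.forNode(i).structureIsKnown ? 1 : 0;
    return known;
}
```

The cost moves from the clobbering node to the readers, but each value is fast-forwarded at most once per epoch, so total work is bounded by the number of values actually consulted rather than by the size of the whole state.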
1299 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
1300
1301         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
1302         https://bugs.webkit.org/show_bug.cgi?id=185365
1303
1304         Reviewed by Saam Barati.
1305         
1306         This patch does three things to improve compile times:
1307         
1308         - Fixes some inlining goofs.
1309         
1310         - Adds the ability to measure compile times with run-jsc-benchmarks.
1311         
1312         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
1313           code that clears abstract values. It turns out that on constant folding "needed" this, in the
1314           sense that this was the only thing protecting it from loading the abstract value of a no-result
1315           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
1316           Any node that produces a result will explicitly set its abstract value, so this problem can
1317           also be guarded by just having constant folding check if the node it wants to fold returns any
1318           result.
1319         
1320         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
1321
1322         * dfg/DFGAbstractInterpreterInlines.h:
1323         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1324         * dfg/DFGAbstractValue.cpp:
1325         (JSC::DFG::AbstractValue::set):
1326         * dfg/DFGAbstractValue.h:
1327         (JSC::DFG::AbstractValue::merge):
1328         * dfg/DFGConstantFoldingPhase.cpp:
1329         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1330         * dfg/DFGGraph.h:
1331         (JSC::DFG::Graph::doToChildrenWithNode):
1332         (JSC::DFG::Graph::doToChildren):
1333         * dfg/DFGInPlaceAbstractState.cpp:
1334         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1335         * jit/JIT.cpp:
1336         (JSC::JIT::totalCompileTime):
1337         * jit/JIT.h:
1338         * jsc.cpp:
1339         (GlobalObject::finishCreation):
1340         (functionTotalCompileTime):
1341
1342 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1343
1344         DFG AI doesn't need to merge valuesAtTail - it can just assign them
1345         https://bugs.webkit.org/show_bug.cgi?id=185355
1346
1347         Reviewed by Mark Lam.
1348         
1349         This is a further attempt to improve compile times. Assigning AbstractValue ought to always
1350         be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
1351         merging will get the same answer because the value computed this time will be either the same
1352         as or more general than the value computed last time. If the value does change for some
1353         reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
1354         changes, then we have no reason to believe that this new value is less right than the last
1355         one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
1356         if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.
1357
1358         * dfg/DFGInPlaceAbstractState.cpp:
1359         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1360
1361 2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>
1362
1363         Remove defunct email address
1364         https://bugs.webkit.org/show_bug.cgi?id=185396
1365
1366         Reviewed by Mark Lam.
1367
1368         The email address thetalecrafter@gmail.com is no longer valid, as the
1369         associated Google account has been closed. This updates the email
1370         address so questions about these Intl contributions go to the right
1371         place.
1372
1373         * builtins/DatePrototype.js:
1374         * builtins/NumberPrototype.js:
1375         * builtins/StringPrototype.js:
1376         * runtime/IntlCollator.cpp:
1377         * runtime/IntlCollator.h:
1378         * runtime/IntlCollatorConstructor.cpp:
1379         * runtime/IntlCollatorConstructor.h:
1380         * runtime/IntlCollatorPrototype.cpp:
1381         * runtime/IntlCollatorPrototype.h:
1382         * runtime/IntlDateTimeFormat.cpp:
1383         * runtime/IntlDateTimeFormat.h:
1384         * runtime/IntlDateTimeFormatConstructor.cpp:
1385         * runtime/IntlDateTimeFormatConstructor.h:
1386         * runtime/IntlDateTimeFormatPrototype.cpp:
1387         * runtime/IntlDateTimeFormatPrototype.h:
1388         * runtime/IntlNumberFormat.cpp:
1389         * runtime/IntlNumberFormat.h:
1390         * runtime/IntlNumberFormatConstructor.cpp:
1391         * runtime/IntlNumberFormatConstructor.h:
1392         * runtime/IntlNumberFormatPrototype.cpp:
1393         * runtime/IntlNumberFormatPrototype.h:
1394         * runtime/IntlObject.cpp:
1395         * runtime/IntlObject.h:
1396         * runtime/IntlPluralRules.cpp:
1397         * runtime/IntlPluralRules.h:
1398         * runtime/IntlPluralRulesConstructor.cpp:
1399         * runtime/IntlPluralRulesConstructor.h:
1400         * runtime/IntlPluralRulesPrototype.cpp:
1401         * runtime/IntlPluralRulesPrototype.h:
1402
1403 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1404
1405         [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
1406         https://bugs.webkit.org/show_bug.cgi?id=185362
1407
1408         Reviewed by Sam Weinig.
1409
1410         "namespace std" may include many names. It can conflict with names defined by our code,
1411         and other platform-provided headers. For example, std::byte conflicts with Windows'
1412         ::byte.
1413         This patch removes "using namespace std;" from JSC and bmalloc.
1414
1415         * API/JSClassRef.cpp:
1416         (OpaqueJSClass::create):
1417         * bytecode/Opcode.cpp:
1418         * bytecompiler/BytecodeGenerator.cpp:
1419         (JSC::BytecodeGenerator::newRegister):
1420         * heap/Heap.cpp:
1421         (JSC::Heap::updateAllocationLimits):
1422         * interpreter/Interpreter.cpp:
1423         * jit/JIT.cpp:
1424         * parser/Parser.cpp:
1425         * runtime/JSArray.cpp:
1426         * runtime/JSLexicalEnvironment.cpp:
1427         * runtime/JSModuleEnvironment.cpp:
1428         * runtime/Structure.cpp:
1429         * shell/DLLLauncherMain.cpp:
1430         (getStringValue):
1431         (applePathFromRegistry):
1432         (appleApplicationSupportDirectory):
1433         (copyEnvironmentVariable):
1434         (prependPath):
1435         (fatalError):
1436         (directoryExists):
1437         (modifyPath):
1438         (getLastErrorString):
1439         (wWinMain):
1440
1441 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1442
1443         DFG CFA phase should only do clobber asserts in debug
1444         https://bugs.webkit.org/show_bug.cgi?id=185354
1445
1446         Reviewed by Saam Barati.
1447         
1448         Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
1449         unless asserts are enabled.
1450
1451         * dfg/DFGCFAPhase.cpp:
1452         (JSC::DFG::CFAPhase::performBlockCFA):
1453
1454 2018-05-04  Keith Miller  <keith_miller@apple.com>
1455
1456         isCacheableArrayLength should return true for undecided arrays
1457         https://bugs.webkit.org/show_bug.cgi?id=185309
1458
1459         Reviewed by Michael Saboff.
1460
1461         Undecided arrays have butterflies so there is no reason why we
1462         should not be able to cache their length.
1463
1464         * bytecode/InlineAccess.cpp:
1465         (JSC::InlineAccess::isCacheableArrayLength):
1466
1467 2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1468
1469         Remove std::random_shuffle
1470         https://bugs.webkit.org/show_bug.cgi?id=185292
1471
1472         Reviewed by Darin Adler.
1473
1474         std::random_shuffle is deprecated in C++14 and removed in C++17,
1475         since std::random_shuffle relies on rand and srand.
1476         Use std::shuffle instead.
1477
1478         * jit/BinarySwitch.cpp:
1479         (JSC::RandomNumberGenerator::RandomNumberGenerator):
1480         (JSC::RandomNumberGenerator::operator()):
1481         (JSC::RandomNumberGenerator::min):
1482         (JSC::RandomNumberGenerator::max):
1483         (JSC::BinarySwitch::build):
1484
1485 2018-05-03  Saam Barati  <sbarati@apple.com>
1486
1487         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
1488         https://bugs.webkit.org/show_bug.cgi?id=185177
1489
1490         Reviewed by Filip Pizlo.
1491
1492         This patch teaches the DFG/FTL how to constant fold CreateThis with
1493         a known poly proto Structure to NewObject. We do it by emitting a NewObject
1494         followed by a PutByOffset for the prototype value.
1495         
1496         We make it so that ObjectAllocationProfile holds the prototype value.
1497         This is sound because JSFunction clears that profile when its 'prototype'
1498         field changes.
1499         
1500         This patch also renames underscoreProtoPrivateName to polyProtoName since
1501         that name was nonsensical: it was only used for poly proto.
1502         
1503         This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
1504         regressed that benchmark when I first introduced poly proto.
1505
1506         * builtins/BuiltinNames.cpp:
1507         * builtins/BuiltinNames.h:
1508         (JSC::BuiltinNames::BuiltinNames):
1509         (JSC::BuiltinNames::polyProtoName const):
1510         (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
1511         * bytecode/ObjectAllocationProfile.h:
1512         (JSC::ObjectAllocationProfile::prototype):
1513         (JSC::ObjectAllocationProfile::clear):
1514         (JSC::ObjectAllocationProfile::visitAggregate):
1515         * bytecode/ObjectAllocationProfileInlines.h:
1516         (JSC::ObjectAllocationProfile::initializeProfile):
1517         * dfg/DFGAbstractInterpreterInlines.h:
1518         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1519         * dfg/DFGByteCodeParser.cpp:
1520         (JSC::DFG::ByteCodeParser::parseBlock):
1521         * dfg/DFGConstantFoldingPhase.cpp:
1522         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1523         * dfg/DFGOperations.cpp:
1524         * runtime/CommonSlowPaths.cpp:
1525         (JSC::SLOW_PATH_DECL):
1526         * runtime/FunctionRareData.h:
1527         * runtime/Structure.cpp:
1528         (JSC::Structure::create):
1529
1530 2018-05-03  Michael Saboff  <msaboff@apple.com>
1531
1532         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
1533         https://bugs.webkit.org/show_bug.cgi?id=185281
1534
1535         Reviewed by Saam Barati.
1536
1537         When we compute bytecode block reachability, we need to take into account blocks
1538         containing try/catch.
1539
1540         * jit/JIT.cpp:
1541         (JSC::JIT::privateCompileMainPass):
1542
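The reachability mistake this entry fixes, as an added illustration that is not part of this ChangeLog and not JSC's code: a worklist walk over a constructed bytecode CFG that follows only ordinary successors reports the catch block unreachable (so a pruning pass would skip it), while adding an edge from every block inside a try range to its handler finds it. The Block and HandlerInfo structures, the sample CFG and the function names are assumptions made for this example, not JSC's data structures.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

// Stand-in for a bytecode CFG (not JSC's representation): blocks are numbered
// 0..n-1 and carry their fall-through/branch successors. A HandlerInfo says
// which blocks lie inside a try range and where the catch lands.
struct Block { std::vector<std::size_t> successors; };
struct HandlerInfo { std::size_t tryStart, tryEnd, target; };  // [tryStart, tryEnd] inclusive

// Worklist reachability from block 0. With includeHandlers == false this is the
// buggy shape: the catch block has no ordinary predecessor, so it is reported
// unreachable although an exception thrown in the try range transfers to it.
std::set<std::size_t> reachableBlocks(const std::vector<Block>& blocks,
                                      const std::vector<HandlerInfo>& handlers,
                                      bool includeHandlers) {
    std::set<std::size_t> seen;
    std::vector<std::size_t> worklist{0};
    while (!worklist.empty()) {
        std::size_t b = worklist.back();
        worklist.pop_back();
        if (!seen.insert(b).second)
            continue;  // already visited
        for (std::size_t s : blocks[b].successors)
            worklist.push_back(s);
        if (includeHandlers) {
            // Exception edge: any block inside a try range can reach its handler.
            for (const HandlerInfo& h : handlers)
                if (h.tryStart <= b && b <= h.tryEnd)
                    worklist.push_back(h.target);
        }
    }
    return seen;
}

// Constructed CFG for:  try { body } catch { handler }  rest
//  0: entry         -> 1
//  1: try body      -> 3   (may throw)
//  2: catch handler -> 3   (only reachable through the exception edge)
//  3: rest
std::vector<Block> sampleBlocks() {
    return { Block{{1}}, Block{{3}}, Block{{3}}, Block{{}} };
}
std::vector<HandlerInfo> sampleHandlers() {
    return { HandlerInfo{1, 1, 2} };
}

int main() {
    std::set<std::size_t> without = reachableBlocks(sampleBlocks(), sampleHandlers(), false);
    std::set<std::size_t> with = reachableBlocks(sampleBlocks(), sampleHandlers(), true);
    std::printf("catch block reachable: without handler edges=%d, with=%d\n",
                (int)without.count(2), (int)with.count(2));
    return 0;
}
```

The check a practitioner wants is the same one the fix makes: whatever computes reachability for pruning must consume the handler table, not just branch targets, or the pruned region can contain code that exceptions still enter.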
1543 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1544
1545         ARM: Wrong offset for operand rt in disassembler
1546         https://bugs.webkit.org/show_bug.cgi?id=184083
1547
1548         Reviewed by Yusuke Suzuki.
1549
1550         * disassembler/ARMv7/ARMv7DOpcode.h:
1551         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
1552         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
1553
1554 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1555
1556         ARM: Support vstr in disassembler
1557         https://bugs.webkit.org/show_bug.cgi?id=184084
1558
1559         Reviewed by Yusuke Suzuki.
1560
1561         * disassembler/ARMv7/ARMv7DOpcode.cpp:
1562         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
1563         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
1564         * disassembler/ARMv7/ARMv7DOpcode.h:
1565         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
1566         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
1567         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
1568         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
1569         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
1570         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
1571         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
1572
1573 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1574
1575         Invoke ensureArrayStorage for all arguments
1576         https://bugs.webkit.org/show_bug.cgi?id=185247
1577
1578         Reviewed by Yusuke Suzuki.
1579
1580         ensureArrayStorage was only invoked for the first argument in each loop iteration.
1581
1582         * jsc.cpp:
1583         (functionEnsureArrayStorage):
1584
1585 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
1586
1587         Make it easy to log compile times for all optimizing tiers
1588         https://bugs.webkit.org/show_bug.cgi?id=185270
1589
1590         Reviewed by Keith Miller.
1591         
1592         This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
1593         helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
1594         it.
1595         
1596         This should help us reduce compile times by telling us where to look. So far, it looks like
1597         CFA is the worst.
1598
1599         * JavaScriptCore.xcodeproj/project.pbxproj:
1600         * Sources.txt:
1601         * b3/B3Common.cpp:
1602         (JSC::B3::shouldMeasurePhaseTiming): Deleted.
1603         * b3/B3Common.h:
1604         * b3/B3TimingScope.cpp: Removed.
1605         * b3/B3TimingScope.h:
1606         (JSC::B3::TimingScope::TimingScope):
1607         * dfg/DFGPhase.h:
1608         (JSC::DFG::runAndLog):
1609         * dfg/DFGPlan.cpp:
1610         (JSC::DFG::Plan::compileInThread):
1611         * tools/CompilerTimingScope.cpp: Added.
1612         (JSC::CompilerTimingScope::CompilerTimingScope):
1613         (JSC::CompilerTimingScope::~CompilerTimingScope):
1614         * tools/CompilerTimingScope.h: Added.
1615         * runtime/Options.cpp:
1616         (JSC::recomputeDependentOptions):
1617         * runtime/Options.h:
1618
1619 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
1620
1621         Strings should not be allocated in a gigacage
1622         https://bugs.webkit.org/show_bug.cgi?id=185218
1623
1624         Reviewed by Saam Barati.
1625
1626         * runtime/JSBigInt.cpp:
1627         (JSC::JSBigInt::toStringGeneric):
1628         * runtime/JSString.cpp:
1629         (JSC::JSRopeString::resolveRopeToAtomicString const):
1630         (JSC::JSRopeString::resolveRope const):
1631         * runtime/JSString.h:
1632         (JSC::JSString::create):
1633         (JSC::JSString::createHasOtherOwner):
1634         * runtime/VM.h:
1635         (JSC::VM::gigacageAuxiliarySpace):
1636
1637 2018-05-03  Keith Miller  <keith_miller@apple.com>
1638
1639         Unreviewed, fix 32-bit profile offset for change in bytecode
1640         length of the get_by_id and get_array_length opcodes.
1641
1642         * llint/LowLevelInterpreter32_64.asm:
1643
1644 2018-05-03  Michael Saboff  <msaboff@apple.com>
1645
1646         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
1647         https://bugs.webkit.org/show_bug.cgi?id=185231
1648
1649         Reviewed by Saam Barati.
1650
1651         We weren't clearing the scratch register cache when switching back and forth between 
1652         allowing scratch register usage.  We disallow scratch register usage when we are in
1653         code that will freely allocate and use any register.  Such usage can change the
1654         contents of scratch registers.  For ARM64, where we cache the contents of scratch
1655         registers to reuse some or all of the contained values, we need to invalidate these
1656         caches.  We do this when re-enabling scratch register usage, that is when we transition
1657         from disallow to allow scratch register usage.
1658
1659         Added a new Air regression test.
1660
1661         * assembler/AllowMacroScratchRegisterUsage.h:
1662         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
1663         * assembler/AllowMacroScratchRegisterUsageIf.h:
1664         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
1665         * assembler/DisallowMacroScratchRegisterUsage.h:
1666         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
1667         * b3/air/testair.cpp:
1668
1669 2018-05-03  Keith Miller  <keith_miller@apple.com>
1670
1671         Remove the prototype caching for get_by_id in the LLInt
1672         https://bugs.webkit.org/show_bug.cgi?id=185226
1673
1674         Reviewed by Michael Saboff.
1675
1676         There is no evidence that this is actually a speedup and we keep
1677         getting bugs with it. At this point it seems like we should just
1678         remove this code.
1679
1680         * CMakeLists.txt:
1681         * JavaScriptCore.xcodeproj/project.pbxproj:
1682         * Sources.txt:
1683         * bytecode/BytecodeDumper.cpp:
1684         (JSC::BytecodeDumper<Block>::printGetByIdOp):
1685         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
1686         (JSC::BytecodeDumper<Block>::dumpBytecode):
1687         * bytecode/BytecodeList.json:
1688         * bytecode/BytecodeUseDef.h:
1689         (JSC::computeUsesForBytecodeOffset):
1690         (JSC::computeDefsForBytecodeOffset):
1691         * bytecode/CodeBlock.cpp:
1692         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1693         * bytecode/CodeBlock.h:
1694         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
1695         * bytecode/GetByIdStatus.cpp:
1696         (JSC::GetByIdStatus::computeFromLLInt):
1697         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
1698         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
1699         * bytecompiler/BytecodeGenerator.cpp:
1700         (JSC::BytecodeGenerator::emitGetById):
1701         * dfg/DFGByteCodeParser.cpp:
1702         (JSC::DFG::ByteCodeParser::parseBlock):
1703         * dfg/DFGCapabilities.cpp:
1704         (JSC::DFG::capabilityLevel):
1705         * jit/JIT.cpp:
1706         (JSC::JIT::privateCompileMainPass):
1707         (JSC::JIT::privateCompileSlowCases):
1708         * llint/LLIntSlowPaths.cpp:
1709         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1710         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
1711         * llint/LowLevelInterpreter32_64.asm:
1712         * llint/LowLevelInterpreter64.asm:
1713         * runtime/Options.h:
1714
1715 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
1716
1717         Unreviewed, rolling out r231197.
1718
1719         The test added with this change crashes on the 32-bit JSC bot.
1720
1721         Reverted changeset:
1722
1723         "Correctly detect string overflow when using the 'Function'
1724         constructor"
1725         https://bugs.webkit.org/show_bug.cgi?id=184883
1726         https://trac.webkit.org/changeset/231197
1727
1728 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1729
1730         Disable usage of fused multiply-add instructions for JSC with compiler flag
1731         https://bugs.webkit.org/show_bug.cgi?id=184909
1732
1733         Reviewed by Yusuke Suzuki.
1734
1735         Adds -ffp-contract as a compiler flag for building JSC. This ensures that functions
1736         like parseInt() do not return slightly different results depending on whether the
1737         compiler was able to use fused multiply-add instructions or not.
1738
1739         * CMakeLists.txt:
1740
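What the -ffp-contract flag guards against, as an added example that is not from this ChangeLog and not JSC's code: the two functions below compute x*y+z with two roundings and with one (which is what a fused multiply-add instruction does), and `accumulate_digits` shows the acc*10+digit shape of a decimal parser where contraction would change which of the two a build gets. The inputs, the function names and the volatile-store trick used to block contraction on the unfused path are constructed for this illustration.

```cpp
#include <cfloat>
#include <cmath>
#include <cstdio>

// Two roundings: the product is rounded to a double, then the add rounds again.
// The volatile store keeps the compiler from contracting this into an fma,
// which a default of -ffp-contract=fast would otherwise do on targets that
// have FMA instructions.
double unfused_mul_add(double x, double y, double z) {
    volatile double product = x * y;
    return product + z;
}

// One rounding: the exact product feeds the add, as an FMA instruction does.
double fused_mul_add(double x, double y, double z) {
    return std::fma(x, y, z);
}

// The accumulation loop at the heart of a decimal parser has exactly the
// acc * 10 + digit shape that contraction targets; which variant the compiler
// emits decides the result once acc exceeds 2^53 and the product is inexact.
double accumulate_digits(const char* digits, bool fused) {
    double acc = 0.0;
    for (const char* p = digits; *p; ++p) {
        double digit = *p - '0';
        acc = fused ? fused_mul_add(acc, 10.0, digit)
                    : unfused_mul_add(acc, 10.0, digit);
    }
    return acc;
}

// Inputs chosen so the exact product (1 + eps)(1 - eps) = 1 - 2^-104 is not
// representable: rounding it to 1.0 before the add loses what the fused path keeps.
bool contraction_changes_result() {
    double x = 1.0 + DBL_EPSILON, y = 1.0 - DBL_EPSILON, z = -1.0;
    return unfused_mul_add(x, y, z) != fused_mul_add(x, y, z);
}

int main() {
    double x = 1.0 + DBL_EPSILON, y = 1.0 - DBL_EPSILON, z = -1.0;
    std::printf("unfused: %.3g  fused: %.3g\n", unfused_mul_add(x, y, z), fused_mul_add(x, y, z));
    return 0;
}
```

On x86-64 without -mfma the unfused form is what the compiler emits anyway; on ARM64, where FMA is baseline, the same source can compile to the fused form, which is why the flag matters for results that must match across platforms.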
1741 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1742
1743         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
1744         https://bugs.webkit.org/show_bug.cgi?id=185192
1745
1746         compareDouble relies on MacroAssembler::invert function.
1747
1748         * assembler/MacroAssembler.h:
1749         (JSC::MacroAssembler::compareDouble):
1750         * assembler/MacroAssemblerARM.h:
1751         (JSC::MacroAssemblerARM::compareDouble): Deleted.
1752         * assembler/MacroAssemblerARMv7.h:
1753         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
1754         * assembler/MacroAssemblerMIPS.h:
1755         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
1756
1757 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1758
1759         [JSC] Add MacroAssembler::and16 and store16
1760         https://bugs.webkit.org/show_bug.cgi?id=185188
1761
1762         Reviewed by Mark Lam.
1763
1764         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
1765         This patch adds these methods for ARM.
1766
1767         * assembler/MacroAssemblerARM.h:
1768         (JSC::MacroAssemblerARM::and16):
1769         (JSC::MacroAssemblerARM::store16):
1770
1771 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1772
1773         [DFG] Unify compare related code in 32bit and 64bit
1774         https://bugs.webkit.org/show_bug.cgi?id=185189
1775
1776         Reviewed by Mark Lam.
1777
1778         This patch unifies some part of compare related code in 32bit and 64bit
1779         to reduce the size of 32bit specific DFG code.
1780
1781         * dfg/DFGSpeculativeJIT.cpp:
1782         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
1783         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
1784         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1785         * dfg/DFGSpeculativeJIT32_64.cpp:
1786         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
1787         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
1788         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
1789         * dfg/DFGSpeculativeJIT64.cpp:
1790         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
1791         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
1792         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
1793
1794 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1795
1796         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
1797         https://bugs.webkit.org/show_bug.cgi?id=185192
1798
1799         Reviewed by Mark Lam.
1800
1801         Now Object.is starts using compareDouble. So we would like to have an
1802         efficient implementation for compareDouble and compareFloat for
1803         major architectures, ARM64, X86, and X86_64.
1804
1805         This patch adds compareDouble and compareFloat implementations for
1806         these architectures. And the generic implementation is moved to each
1807         architecture's MacroAssembler implementation.
1808
1809         We also add tests for them in testmasm. To implement this test
1810         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
1811         major architectures.
1812
1813         * assembler/MacroAssembler.h:
1814         (JSC::MacroAssembler::compareDouble): Deleted.
1815         (JSC::MacroAssembler::compareFloat): Deleted.
1816         * assembler/MacroAssemblerARM.h:
1817         (JSC::MacroAssemblerARM::compareDouble):
1818         * assembler/MacroAssemblerARM64.h:
1819         (JSC::MacroAssemblerARM64::compareDouble):
1820         (JSC::MacroAssemblerARM64::compareFloat):
1821         (JSC::MacroAssemblerARM64::loadFloat):
1822         (JSC::MacroAssemblerARM64::floatingPointCompare):
1823         * assembler/MacroAssemblerARMv7.h:
1824         (JSC::MacroAssemblerARMv7::compareDouble):
1825         * assembler/MacroAssemblerMIPS.h:
1826         (JSC::MacroAssemblerMIPS::compareDouble):
1827         * assembler/MacroAssemblerX86Common.h:
1828         (JSC::MacroAssemblerX86Common::loadFloat):
1829         (JSC::MacroAssemblerX86Common::compareDouble):
1830         (JSC::MacroAssemblerX86Common::compareFloat):
1831         (JSC::MacroAssemblerX86Common::floatingPointCompare):
1832         * assembler/X86Assembler.h:
1833         (JSC::X86Assembler::movss_mr):
1834         (JSC::X86Assembler::movss_rm):
1835         * assembler/testmasm.cpp:
1836         (JSC::floatOperands):
1837         (JSC::testCompareFloat):
1838         (JSC::run):
1839
1840 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1841
1842         Unreviewed, fix 32bit DFG code
1843         https://bugs.webkit.org/show_bug.cgi?id=185065
1844
1845         * dfg/DFGSpeculativeJIT.cpp:
1846         (JSC::DFG::SpeculativeJIT::compileSameValue):
1847
1848 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
1849
1850         JSC should know how to cache custom getter accesses on the prototype chain
1851         https://bugs.webkit.org/show_bug.cgi?id=185213
1852
1853         Reviewed by Keith Miller.
1854
1855         This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
1856
1857         * jit/Repatch.cpp:
1858         (JSC::tryCacheGetByID):
1859
1860 2018-05-01  Filip Pizlo  <fpizlo@apple.com>
1861
1862         JSC should be able to cache custom setter calls on the prototype chain
1863         https://bugs.webkit.org/show_bug.cgi?id=185174
1864
1865         Reviewed by Saam Barati.
1866
1867         We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
1868         condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
1869         impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
1870         of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
1871         custom accessors because it won't find the custom property in the structure.
1872
1873         The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
1874
1875         This is a 4x speed-up on assign-custom-setter.js.
1876
1877         * bytecode/AccessCase.cpp:
1878         (JSC::AccessCase::hasAlternateBase const):
1879         (JSC::AccessCase::alternateBase const):
1880         (JSC::AccessCase::generateImpl):
1881         * bytecode/AccessCase.h:
1882         (JSC::AccessCase::alternateBase const): Deleted.
1883         * bytecode/GetterSetterAccessCase.cpp:
1884         (JSC::GetterSetterAccessCase::hasAlternateBase const):
1885         (JSC::GetterSetterAccessCase::alternateBase const):
1886         * bytecode/GetterSetterAccessCase.h:
1887         * bytecode/ObjectPropertyConditionSet.cpp:
1888         (JSC::generateConditionsForPrototypePropertyHitCustom):
1889         * bytecode/ObjectPropertyConditionSet.h:
1890         * jit/Repatch.cpp:
1891         (JSC::tryCacheGetByID):
1892         (JSC::tryCachePutByID):
1893
1894 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
1895
1896         [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
1897         https://bugs.webkit.org/show_bug.cgi?id=185195
1898
1899         Reviewed by Mark Lam.
1900
1901         This implements the given functions for MIPS, such that it builds again.
1902
1903         * assembler/MacroAssemblerMIPS.h:
1904         (JSC::MacroAssemblerMIPS::and16):
1905         (JSC::MacroAssemblerMIPS::store16):
1906
1907 2018-05-02  Rick Waldron  <waldron.rick@gmail.com>
1908
1909         Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
1910         https://bugs.webkit.org/show_bug.cgi?id=185043
1911
1912         Reviewed by Filip Pizlo.
1913
1914         * jsc.cpp:
1915         (GlobalObject::finishCreation):
1916         (functionDollarAgentMonotonicNow):
1917
1918 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
1919
1920         [ARM] Implement and16 and store16 for MacroAssemblerARMv7
1921         https://bugs.webkit.org/show_bug.cgi?id=185196
1922
1923         Reviewed by Mark Lam.
1924
1925         This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.
1926
1927         * assembler/MacroAssemblerARMv7.h:
1928         (JSC::MacroAssemblerARMv7::and16):
1929         (JSC::MacroAssemblerARMv7::store16):
1930
1931 2018-05-02  Robin Morisset  <rmorisset@apple.com>
1932
1933         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
1934         https://bugs.webkit.org/show_bug.cgi?id=183172
1935
1936         Reviewed by Filip Pizlo.
1937
1938         DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
1939         but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.
1940
1941         I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
1942         Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
1943         a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.
1944
1945         * dfg/DFGArgumentsEliminationPhase.cpp:
1946         * dfg/DFGArgumentsUtilities.cpp:
1947         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1948
1949 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1950
1951         Unreviewed, stackPointer signature is different from declaration
1952         https://bugs.webkit.org/show_bug.cgi?id=184790
1953
1954         * runtime/MachineContext.h:
1955         (JSC::MachineContext::stackPointer):
1956
1957 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1958
1959         [JSC] Add SameValue DFG node
1960         https://bugs.webkit.org/show_bug.cgi?id=185065
1961
1962         Reviewed by Saam Barati.
1963
1964         This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
1965         And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
1966         if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
1967         from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
1968         implementations for these SameValue nodes.
1969
1970         This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler",
1971         has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
1972         was broken. This patch fixes the issues, moves compareDouble to MacroAssemblerX86Common, and removes the
1973         generalized compareDouble for the x86 arch so that this specialized efficient version is used instead. The fixes are
1974         correctly using set32 to zero-extend the result, and setting the initial value of the `dest` register
1975         correctly for the DoubleEqual and DoubleNotEqualOrUnordered cases.
1976
1977         Added microbenchmark shows performance improvement.
1978
1979             object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster
1980
1981         * assembler/MacroAssembler.h:
1982         * assembler/MacroAssemblerX86Common.h:
1983         (JSC::MacroAssemblerX86Common::compareDouble):
1984         * assembler/MacroAssemblerX86_64.h:
1985         (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
1986         * assembler/testmasm.cpp:
1987         (JSC::doubleOperands):
1988         (JSC::testCompareDouble):
1989         (JSC::run):
1990         * dfg/DFGAbstractInterpreterInlines.h:
1991         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1992         * dfg/DFGByteCodeParser.cpp:
1993         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1994         * dfg/DFGClobberize.h:
1995         (JSC::DFG::clobberize):
1996         * dfg/DFGConstantFoldingPhase.cpp:
1997         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1998         * dfg/DFGDoesGC.cpp:
1999         (JSC::DFG::doesGC):
2000         * dfg/DFGFixupPhase.cpp:
2001         (JSC::DFG::FixupPhase::fixupNode):
2002         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2003         * dfg/DFGNodeType.h:
2004         * dfg/DFGOperations.cpp:
2005         * dfg/DFGOperations.h:
2006         * dfg/DFGPredictionPropagationPhase.cpp:
2007         * dfg/DFGSafeToExecute.h:
2008         (JSC::DFG::safeToExecute):
2009         * dfg/DFGSpeculativeJIT.cpp:
2010         (JSC::DFG::SpeculativeJIT::compileSameValue):
2011         * dfg/DFGSpeculativeJIT.h:
2012         * dfg/DFGSpeculativeJIT32_64.cpp:
2013         (JSC::DFG::SpeculativeJIT::compile):
2014         * dfg/DFGSpeculativeJIT64.cpp:
2015         (JSC::DFG::SpeculativeJIT::compile):
2016         * dfg/DFGValidate.cpp:
2017         * ftl/FTLCapabilities.cpp:
2018         (JSC::FTL::canCompile):
2019         * ftl/FTLLowerDFGToB3.cpp:
2020         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2021         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
2022         * runtime/Intrinsic.cpp:
2023         (JSC::intrinsicName):
2024         * runtime/Intrinsic.h:
2025         * runtime/ObjectConstructor.cpp:
2026
2027 2018-04-30  Filip Pizlo  <fpizlo@apple.com>
2028
2029         B3::demoteValues should be able to handle patchpoint terminals
2030         https://bugs.webkit.org/show_bug.cgi?id=185151
2031
2032         Reviewed by Saam Barati.
2033         
2034         If we try to demote a patchpoint terminal then prior to this change we would append a Set to
2035         the basic block that the patchpoint terminated. That's wrong because then the terminal is no
2036         longer the last thing in the block.
2037         
2038         Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
2039         really do that because demotion happens as a prerequisite to other transformations.
2040         
2041         One solution might have been to make demoteValues insert a basic block whenever it encounters
2042         this problem. But that would break clients that do CFG analysis before demoteValues and use
2043         the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
2044         also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
2045         so it's not bad to introduce that requirement.
2046         
2047         So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
2048         terminal as if it had multiple successors. This means that a patchpoint terminal's successors
2049         will only have it as their predecessor. Then, demoteValues just prepends the Set to the
2050         successors of the patchpoint terminal.
2051         
2052         This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
2053         a unit test in testb3.
2054
2055         * b3/B3BreakCriticalEdges.cpp:
2056         (JSC::B3::breakCriticalEdges):
2057         * b3/B3BreakCriticalEdges.h:
2058         * b3/B3FixSSA.cpp:
2059         (JSC::B3::demoteValues):
2060         (JSC::B3::fixSSA):
2061         * b3/B3FixSSA.h:
2062         * b3/B3Value.cpp:
2063         (JSC::B3::Value::foldIdentity const):
2064         (JSC::B3::Value::performSubstitution):
2065         * b3/B3Value.h:
2066         * b3/testb3.cpp:
2067         (JSC::B3::testDemotePatchpointTerminal):
2068         (JSC::B3::run):
2069
2070 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2071
2072         Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
2073         https://bugs.webkit.org/show_bug.cgi?id=184772
2074         <rdar://problem/39146327>
2075
2076         Reviewed by Filip Pizlo.
2077
2078         Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
2079         This patch now makes sure that the check correctly detects if there is an integer overflow.
2080
2081         * runtime/JSArray.cpp:
2082         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2083
2084 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2085
2086         Correctly detect string overflow when using the 'Function' constructor
2087         https://bugs.webkit.org/show_bug.cgi?id=184883
2088         <rdar://problem/36320331>
2089
2090         Reviewed by Filip Pizlo.
2091
2092         The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
2093         Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.
2094
2095         I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
2096         In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
2097         I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.
2098
2099         * runtime/FunctionConstructor.cpp:
2100         (JSC::constructFunctionSkippingEvalEnabledCheck):
2101         * runtime/JSONObject.cpp:
2102         (JSC::Stringifier::appendStringifiedValue):
2103
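The two entries above (CheckedArithmetic for the length computation in JSArray::unshiftCountWithAnyIndexingType, and the tryAppend methods that let the Function constructor throw instead of hitting CRASH()) share one defensive idea: an arithmetic or string-length overflow becomes a detectable failure rather than a silent wrap or a process abort. The C++ below is an added example written for this page; it is not JavaScriptCore or WTF code. The names checkedUnshiftLength, TryStringBuilder and tryBuildFunctionSource are this example's own, the 32-bit length is an assumption for illustration, and the configurable maxLength stands in for the string-size limit the entry describes as 4GB.

```cpp
// Added example for this page, not JavaScriptCore/WTF code. It shows the two
// defensive patterns the entries above describe: a length computation that
// reports overflow instead of wrapping, and a tryAppend-style builder that
// reports overflow instead of crashing. All names here are the example's own.
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <limits>
#include <string>
#include <vector>

struct CheckedLength {
    bool ok;        // false means the addition would have overflowed
    uint32_t value; // valid only when ok is true
};

// New array length after unshifting `count` elements onto an array of
// `oldLength` elements, assuming a 32-bit length (an assumption of this
// example). An unchecked `oldLength + count` would wrap silently.
CheckedLength checkedUnshiftLength(uint32_t oldLength, uint32_t count)
{
    if (count > std::numeric_limits<uint32_t>::max() - oldLength)
        return { false, 0 };
    return { true, oldLength + count };
}

// Builder with a hard length limit. append() keeps the "old" contract of
// crashing on overflow; tryAppend() returns false and leaves the buffer
// untouched so the caller can raise a proper error instead.
class TryStringBuilder {
public:
    explicit TryStringBuilder(size_t maxLength) : m_maxLength(maxLength) { }

    bool tryAppend(const std::string& piece)
    {
        // m_buffer.size() <= m_maxLength is an invariant, so no underflow here.
        if (piece.size() > m_maxLength - m_buffer.size())
            return false;
        m_buffer += piece;
        return true;
    }

    void append(const std::string& piece)
    {
        if (!tryAppend(piece))
            std::abort(); // stands in for a hard CRASH() on overflow
    }

    const std::string& str() const { return m_buffer; }

private:
    size_t m_maxLength;
    std::string m_buffer;
};

struct TrySource {
    bool ok;            // false means the limit was hit while concatenating
    std::string source; // the assembled text when ok is true
};

// Assembles function source text by repeated concatenation, the way the
// Function constructor does (the exact JSC text format is not reproduced).
// Hitting the limit yields ok == false rather than aborting the process.
TrySource tryBuildFunctionSource(const std::vector<std::string>& params,
                                 const std::string& body, size_t maxLength)
{
    TryStringBuilder builder(maxLength);
    if (!builder.tryAppend("function anonymous("))
        return { false, "" };
    for (size_t i = 0; i < params.size(); ++i) {
        if (i && !builder.tryAppend(","))
            return { false, "" };
        if (!builder.tryAppend(params[i]))
            return { false, "" };
    }
    if (!builder.tryAppend(") {\n") || !builder.tryAppend(body) || !builder.tryAppend("\n}"))
        return { false, "" };
    return { true, builder.str() };
}

int main()
{
    CheckedLength n = checkedUnshiftLength(0xFFFFFFF0u, 0x20u);
    std::cout << "unshift overflow detected: " << (n.ok ? "no" : "yes") << "\n";
    TrySource src = tryBuildFunctionSource({ "a", "b" }, "return a + b;", 1024);
    std::cout << (src.ok ? src.source : std::string("overflow")) << "\n";
    return 0;
}
```

The point of keeping both append() and tryAppend() is the one the entry makes: callers that depend on a crash for safety keep it, while the one caller that can report an error to script gets a return value to act on.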
2104 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2105
2106         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
2107         https://bugs.webkit.org/show_bug.cgi?id=185162
2108
2109         Reviewed by Filip Pizlo.
2110
2111         * runtime/IntlObject.cpp:
2112         (JSC::removeUnicodeLocaleExtension):
2113
2114 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
2115
2116         Add SetCallee as DFG-Operation
2117         https://bugs.webkit.org/show_bug.cgi?id=184582
2118
2119         Reviewed by Filip Pizlo.
2120
2121         For recursive tail calls, not only the argument count can change but also the
2122         callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
2123         Also update the callee when optimizing a recursive tail call.
2124         Enable recursive tail call optimization also for closures.
2125
2126         * dfg/DFGAbstractInterpreterInlines.h:
2127         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2128         * dfg/DFGByteCodeParser.cpp:
2129         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2130         (JSC::DFG::ByteCodeParser::handleCallVariant):
2131         * dfg/DFGClobberize.h:
2132         (JSC::DFG::clobberize):
2133         * dfg/DFGDoesGC.cpp:
2134         (JSC::DFG::doesGC):
2135         * dfg/DFGFixupPhase.cpp:
2136         (JSC::DFG::FixupPhase::fixupNode):
2137         * dfg/DFGMayExit.cpp:
2138         * dfg/DFGNodeType.h:
2139         * dfg/DFGPredictionPropagationPhase.cpp:
2140         * dfg/DFGSafeToExecute.h:
2141         (JSC::DFG::safeToExecute):
2142         * dfg/DFGSpeculativeJIT.cpp:
2143         (JSC::DFG::SpeculativeJIT::compileSetCallee):
2144         * dfg/DFGSpeculativeJIT.h:
2145         * dfg/DFGSpeculativeJIT32_64.cpp:
2146         (JSC::DFG::SpeculativeJIT::compile):
2147         * dfg/DFGSpeculativeJIT64.cpp:
2148         (JSC::DFG::SpeculativeJIT::compile):
2149         * ftl/FTLCapabilities.cpp:
2150         (JSC::FTL::canCompile):
2151         * ftl/FTLLowerDFGToB3.cpp:
2152         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2153         (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
2154
2155 2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>
2156
2157         WebAssembly: add support for stream APIs - JavaScript API
2158         https://bugs.webkit.org/show_bug.cgi?id=183442
2159
2160         Reviewed by Yusuke Suzuki and JF Bastien.
2161
2162         Add WebAssembly stream API. The current patch only adds the functions
2163         WebAssembly.compileStreaming and WebAssembly.instantiateStreaming, but
2164         does not add a streaming implementation. So in the current version it
2165         only waits for the whole module to load, then starts to parse.
2166
2167         * CMakeLists.txt:
2168         * Configurations/FeatureDefines.xcconfig:
2169         * DerivedSources.make:
2170         * JavaScriptCore.xcodeproj/project.pbxproj:
2171         * builtins/BuiltinNames.h:
2172         * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
2173         (compileStreaming):
2174         (instantiateStreaming):
2175         * jsc.cpp:
2176         * runtime/JSGlobalObject.cpp:
2177         (JSC::JSGlobalObject::init):
2178         * runtime/JSGlobalObject.h:
2179         * runtime/Options.h:
2180         * runtime/PromiseDeferredTimer.cpp:
2181         (JSC::PromiseDeferredTimer::hasPendingPromise):
2182         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
2183         * runtime/PromiseDeferredTimer.h:
2184         * wasm/js/WebAssemblyPrototype.cpp:
2185         (JSC::webAssemblyModuleValidateAsyncInternal):
2186         (JSC::webAssemblyCompileFunc):
2187         (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
2188         (JSC::webAssemblyModuleInstantinateAsyncInternal):
2189         (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
2190         (JSC::webAssemblyCompileStreamingInternal):
2191         (JSC::webAssemblyInstantiateStreamingInternal):
2192         (JSC::WebAssemblyPrototype::create):
2193         (JSC::WebAssemblyPrototype::finishCreation):
2194         * wasm/js/WebAssemblyPrototype.h:
2195
2196 2018-04-30  Saam Barati  <sbarati@apple.com>
2197
2198         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
2199         https://bugs.webkit.org/show_bug.cgi?id=185149
2200         <rdar://problem/39455917>
2201
2202         Reviewed by Filip Pizlo.
2203
2204         The bug was that we were deleting checks that we shouldn't have deleted.
2205         This patch makes a helper inside strength reduction that converts to
2206         a LazyJSConstant while maintaining checks, and switches users of the
2207         node API inside strength reduction to instead call the helper function.
2208         
2209         This patch also fixes a potential bug where StringReplace and
2210         StringReplaceRegExp may not preserve all their checks.
2211
2212
2213         * dfg/DFGStrengthReductionPhase.cpp:
2214         (JSC::DFG::StrengthReductionPhase::handleNode):
2215         (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
2216
2217 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2218
2219         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
2220         https://bugs.webkit.org/show_bug.cgi?id=185126
2221
2222         Reviewed by Saam Barati.
2223         
2224         This change is just restoring functionality that we've already had for a while. It had been
2225         accidentally broken due to an unrelated CodeBlock refactoring.
2226
2227         * dfg/DFGLICMPhase.cpp:
2228         (JSC::DFG::LICMPhase::attemptHoist):
2229
2230 2018-04-30  Mark Lam  <mark.lam@apple.com>
2231
2232         Apply PtrTags to the MetaAllocator and friends.
2233         https://bugs.webkit.org/show_bug.cgi?id=185110
2234         <rdar://problem/39533895>
2235
2236         Reviewed by Saam Barati.
2237
2238         1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
2239         2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
2240            and add a sanity check to verify that allocated code buffers are within those
2241            bounds.
2242
2243         * assembler/LinkBuffer.cpp:
2244         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
2245         (JSC::LinkBuffer::copyCompactAndLinkCode):
2246         (JSC::LinkBuffer::linkCode):
2247         (JSC::LinkBuffer::allocate):
2248         * assembler/LinkBuffer.h:
2249         (JSC::LinkBuffer::LinkBuffer):
2250         (JSC::LinkBuffer::debugAddress):
2251         (JSC::LinkBuffer::code):
2252         * assembler/MacroAssemblerCodeRef.h:
2253         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2254         * bytecode/InlineAccess.cpp:
2255         (JSC::linkCodeInline):
2256         (JSC::InlineAccess::rewireStubAsJump):
2257         * dfg/DFGJITCode.cpp:
2258         (JSC::DFG::JITCode::findPC):
2259         * ftl/FTLJITCode.cpp:
2260         (JSC::FTL::JITCode::findPC):
2261         * jit/ExecutableAllocator.cpp:
2262         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2263         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2264         (JSC::ExecutableAllocator::allocate):
2265         * jit/ExecutableAllocator.h:
2266         (JSC::isJITPC):
2267         (JSC::performJITMemcpy):
2268         * jit/JIT.cpp:
2269         (JSC::JIT::link):
2270         * jit/JITMathIC.h:
2271         (JSC::isProfileEmpty):
2272         * runtime/JSCPtrTag.h:
2273         * wasm/WasmCallee.cpp:
2274         (JSC::Wasm::Callee::Callee):
2275         * wasm/WasmFaultSignalHandler.cpp:
2276         (JSC::Wasm::trapHandler):
2277
2278 2018-04-30  Keith Miller  <keith_miller@apple.com>
2279
2280         Move the MayBePrototype JSCell header bit to InlineTypeFlags
2281         https://bugs.webkit.org/show_bug.cgi?id=185143
2282
2283         Reviewed by Mark Lam.
2284
2285         * runtime/IndexingType.h:
2286         * runtime/JSCellInlines.h:
2287         (JSC::JSCell::setStructure):
2288         (JSC::JSCell::mayBePrototype const):
2289         (JSC::JSCell::didBecomePrototype):
2290         * runtime/JSTypeInfo.h:
2291         (JSC::TypeInfo::mayBePrototype):
2292         (JSC::TypeInfo::mergeInlineTypeFlags):
2293
2294 2018-04-30  Keith Miller  <keith_miller@apple.com>
2295
2296         Remove unneeded exception check from String.fromCharCode
2297         https://bugs.webkit.org/show_bug.cgi?id=185083
2298
2299         Reviewed by Mark Lam.
2300
2301         * runtime/StringConstructor.cpp:
2302         (JSC::stringFromCharCode):
2303
2304 2018-04-30  Keith Miller  <keith_miller@apple.com>
2305
2306         Move StructureIsImmortal to out of line flags.
2307         https://bugs.webkit.org/show_bug.cgi?id=185101
2308
2309         Reviewed by Saam Barati.
2310
2311         This will free up a bit in the inline flags where we can move the
2312         isPrototype bit to. This will, in turn, free a bit for use in
2313         implementing copy on write butterflies.
2314
2315         Also, this patch removes an assertion from Structure::typeInfo()
2316         that inadvertently makes the function invalid to call while
2317         cleaning up the vm.
2318
2319         * heap/HeapCellType.cpp:
2320         (JSC::DefaultDestroyFunc::operator() const):
2321         * runtime/JSCell.h:
2322         * runtime/JSCellInlines.h:
2323         (JSC::JSCell::callDestructor): Deleted.
2324         * runtime/JSTypeInfo.h:
2325         (JSC::TypeInfo::hasStaticPropertyTable):
2326         (JSC::TypeInfo::structureIsImmortal const):
2327         * runtime/Structure.h:
2328
2329 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2330
2331         [JSC] Remove arity fixup check if the number of parameters is 1
2332         https://bugs.webkit.org/show_bug.cgi?id=183984
2333
2334         Reviewed by Mark Lam.
2335
2336         If the number of parameters is one (|this|), we never hit the arity fixup check.
2337         We do not need to emit arity fixup check code.
2338
2339         * dfg/DFGDriver.cpp:
2340         (JSC::DFG::compileImpl):
2341         * dfg/DFGJITCompiler.cpp:
2342         (JSC::DFG::JITCompiler::compileFunction):
2343         * dfg/DFGJITCompiler.h:
2344         * ftl/FTLLink.cpp:
2345         (JSC::FTL::link):
2346         * jit/JIT.cpp:
2347         (JSC::JIT::compileWithoutLinking):
2348
2349 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2350
2351         Use WordLock instead of std::mutex for Threading
2352         https://bugs.webkit.org/show_bug.cgi?id=185121
2353
2354         Reviewed by Geoffrey Garen.
2355
2356         ThreadGroup starts using WordLock.
2357
2358         * heap/MachineStackMarker.h:
2359         (JSC::MachineThreads::getLock):
2360
2361 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2362
2363         B3 should run tail duplication at the bitter end
2364         https://bugs.webkit.org/show_bug.cgi?id=185123
2365
2366         Reviewed by Geoffrey Garen.
2367         
2368         Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
2369         everywhere else.
2370         
2371         The goal of this change is to allow us to run path specialization after switch lowering but
2372         before tail duplication.
2373
2374         * b3/B3Generate.cpp:
2375         (JSC::B3::generateToAir):
2376         * runtime/Options.h:
2377
2378 2018-04-29  Commit Queue  <commit-queue@webkit.org>
2379
2380         Unreviewed, rolling out r231137.
2381         https://bugs.webkit.org/show_bug.cgi?id=185118
2382
2383         It is breaking Test262 language/expressions/multiplication
2384         /order-of-evaluation.js (Requested by caiolima on #webkit).
2385
2386         Reverted changeset:
2387
2388         "[ESNext][BigInt] Implement support for "*" operation"
2389         https://bugs.webkit.org/show_bug.cgi?id=183721
2390         https://trac.webkit.org/changeset/231137
2391
2392 2018-04-28  Saam Barati  <sbarati@apple.com>
2393
2394         We don't model regexp effects properly
2395         https://bugs.webkit.org/show_bug.cgi?id=185059
2396         <rdar://problem/39736150>
2397
2398         Reviewed by Filip Pizlo.
2399
2400         RegExp exec/test can have arbitrary effects when toNumbering the lastIndex if
2401         the regexp is global.
2402
2403         * dfg/DFGAbstractInterpreterInlines.h:
2404         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2405         * dfg/DFGClobberize.h:
2406         (JSC::DFG::clobberize):
2407
2408 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
2409
2410         Token misspelled "tocken" in error message string
2411         https://bugs.webkit.org/show_bug.cgi?id=185030
2412
2413         Reviewed by Saam Barati.
2414
2415         * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
2416         (JSC::Parser<LexerType>::Parser):
2417         (JSC::Parser<LexerType>::didFinishParsing):
2418         (JSC::Parser<LexerType>::parseSourceElements):
2419         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2420         (JSC::Parser<LexerType>::parseVariableDeclaration):
2421         (JSC::Parser<LexerType>::parseWhileStatement):
2422         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2423         (JSC::Parser<LexerType>::createBindingPattern):
2424         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2425         (JSC::Parser<LexerType>::parseObjectRestElement):
2426         (JSC::Parser<LexerType>::parseDestructuringPattern):
2427         (JSC::Parser<LexerType>::parseForStatement):
2428         (JSC::Parser<LexerType>::parseBreakStatement):
2429         (JSC::Parser<LexerType>::parseContinueStatement):
2430         (JSC::Parser<LexerType>::parseThrowStatement):
2431         (JSC::Parser<LexerType>::parseWithStatement):
2432         (JSC::Parser<LexerType>::parseSwitchStatement):
2433         (JSC::Parser<LexerType>::parseSwitchClauses):
2434         (JSC::Parser<LexerType>::parseTryStatement):
2435         (JSC::Parser<LexerType>::parseBlockStatement):
2436         (JSC::Parser<LexerType>::parseFormalParameters):
2437         (JSC::Parser<LexerType>::parseFunctionParameters):
2438         (JSC::Parser<LexerType>::parseFunctionInfo):
2439         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
2440         (JSC::Parser<LexerType>::parseExpressionStatement):
2441         (JSC::Parser<LexerType>::parseIfStatement):
2442         (JSC::Parser<LexerType>::parseAssignmentExpression):
2443         (JSC::Parser<LexerType>::parseConditionalExpression):
2444         (JSC::Parser<LexerType>::parseBinaryExpression):
2445         (JSC::Parser<LexerType>::parseObjectLiteral):
2446         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
2447         (JSC::Parser<LexerType>::parseArrayLiteral):
2448         (JSC::Parser<LexerType>::parseArguments):
2449         (JSC::Parser<LexerType>::parseMemberExpression):
2450         (JSC::operatorString):
2451         (JSC::Parser<LexerType>::parseUnaryExpression):
2452         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2453
2454 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
2455
2456         [ESNext][BigInt] Implement support for "*" operation
2457         https://bugs.webkit.org/show_bug.cgi?id=183721
2458
2459         Reviewed by Saam Barati.
2460
2461         Added BigInt support to the times binary operator in LLInt and in the
2462         JITOperations profiledMul and unprofiledMul. We are also replacing all
2463         uses of int with unsigned where there are no negative values for
2464         variables.
2465
2466         * dfg/DFGConstantFoldingPhase.cpp:
2467         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2468         * jit/JITOperations.cpp:
2469         * runtime/CommonSlowPaths.cpp:
2470         (JSC::SLOW_PATH_DECL):
2471         * runtime/JSBigInt.cpp:
2472         (JSC::JSBigInt::JSBigInt):
2473         (JSC::JSBigInt::allocationSize):
2474         (JSC::JSBigInt::createWithLength):
2475         (JSC::JSBigInt::toString):
2476         (JSC::JSBigInt::multiply):
2477         (JSC::JSBigInt::digitDiv):
2478         (JSC::JSBigInt::internalMultiplyAdd):
2479         (JSC::JSBigInt::multiplyAccumulate):
2480         (JSC::JSBigInt::equals):
2481         (JSC::JSBigInt::absoluteDivSmall):
2482         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2483         (JSC::JSBigInt::toStringGeneric):
2484         (JSC::JSBigInt::rightTrim):
2485         (JSC::JSBigInt::allocateFor):
2486         (JSC::JSBigInt::parseInt):
2487         (JSC::JSBigInt::digit):
2488         (JSC::JSBigInt::setDigit):
2489         * runtime/JSBigInt.h:
2490         * runtime/Operations.h:
2491         (JSC::jsMul):
2492
2493 2018-04-28  Commit Queue  <commit-queue@webkit.org>
2494
2495         Unreviewed, rolling out r231131.
2496         https://bugs.webkit.org/show_bug.cgi?id=185112
2497
2498         It is breaking Debug build due to unchecked exception
2499         (Requested by caiolima on #webkit).
2500
2501         Reverted changeset:
2502
2503         "[ESNext][BigInt] Implement support for "*" operation"
2504         https://bugs.webkit.org/show_bug.cgi?id=183721
2505         https://trac.webkit.org/changeset/231131
2506
2507 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
2508
2509         [ESNext][BigInt] Implement support for "*" operation
2510         https://bugs.webkit.org/show_bug.cgi?id=183721
2511
2512         Reviewed by Saam Barati.
2513
2514         Added BigInt support to the times binary operator in LLInt and in the
2515         JITOperations profiledMul and unprofiledMul. We are also replacing all
2516         uses of int with unsigned where there are no negative values for
2517         variables.
2518
2519         * dfg/DFGConstantFoldingPhase.cpp:
2520         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2521         * jit/JITOperations.cpp:
2522         * runtime/CommonSlowPaths.cpp:
2523         (JSC::SLOW_PATH_DECL):
2524         * runtime/JSBigInt.cpp:
2525         (JSC::JSBigInt::JSBigInt):
2526         (JSC::JSBigInt::allocationSize):
2527         (JSC::JSBigInt::createWithLength):
2528         (JSC::JSBigInt::toString):
2529         (JSC::JSBigInt::multiply):
2530         (JSC::JSBigInt::digitDiv):
2531         (JSC::JSBigInt::internalMultiplyAdd):
2532         (JSC::JSBigInt::multiplyAccumulate):
2533         (JSC::JSBigInt::equals):
2534         (JSC::JSBigInt::absoluteDivSmall):
2535         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2536         (JSC::JSBigInt::toStringGeneric):
2537         (JSC::JSBigInt::rightTrim):
2538         (JSC::JSBigInt::allocateFor):
2539         (JSC::JSBigInt::parseInt):
2540         (JSC::JSBigInt::digit):
2541         (JSC::JSBigInt::setDigit):
2542         * runtime/JSBigInt.h:
2543         * runtime/Operations.h:
2544         (JSC::jsMul):
2545
2546 2018-04-27  JF Bastien  <jfbastien@apple.com>
2547
2548         Make the first 64 bits of JSString look like a double JSValue
2549         https://bugs.webkit.org/show_bug.cgi?id=185081
2550
2551         Reviewed by Filip Pizlo.
2552
2553         We can be clever about how we lay out JSString so that, were it
2554         reinterpreted as a JSValue, it would look like a double.
2555
2556         * assembler/MacroAssemblerX86Common.h:
2557         (JSC::MacroAssemblerX86Common::and16):
2558         * assembler/X86Assembler.h:
2559         (JSC::X86Assembler::andw_mr):
2560         * dfg/DFGSpeculativeJIT.cpp:
2561         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2562         * ftl/FTLLowerDFGToB3.cpp:
2563         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2564         * ftl/FTLOutput.h:
2565         (JSC::FTL::Output::store32As8):
2566         (JSC::FTL::Output::store32As16):
2567         * runtime/JSString.h:
2568         (JSC::JSString::JSString):
2569
2570 2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2571
2572         [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
2573         https://bugs.webkit.org/show_bug.cgi?id=185055
2574
2575         Reviewed by JF Bastien.
2576
2577         This patch is paving the way to emitting the jscvt instruction if possible.
2578         To do that, we need to determine whether the jscvt instruction is supported
2579         on the given CPU.
2580
2581         We add a function collectCPUFeatures, which is responsible for collecting
2582         CPU features when necessary. On Linux, we can use the auxiliary vector to get
2583         the information without parsing /proc/cpuinfo.
2584
2585         Currently, nobody calls this function. It will be called later when we emit
2586         the jscvt instruction. To make that possible, we also need to add disassembler
2587         support.
2588
2589         * assembler/AbstractMacroAssembler.h:
2590         * assembler/MacroAssemblerARM64.cpp:
2591         (JSC::MacroAssemblerARM64::collectCPUFeatures):
2592         * assembler/MacroAssemblerARM64.h:
2593         * assembler/MacroAssemblerX86Common.h:
2594
2595 2018-04-26  Filip Pizlo  <fpizlo@apple.com>
2596
2597         Also run foldPathConstants before mussing up SSA
2598         https://bugs.webkit.org/show_bug.cgi?id=185069
2599
2600         Reviewed by Saam Barati.
2601         
2602         This isn't needed now, but will be once I implement the phase in bug 185060.
2603         
2604         This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
2605         Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
2606         be landed separately and measured separately from that phase.
2607         
2608         It's probably nice for sanity to have this and reduceStrength run before tail duplication and
2609         another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
2610         it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
2611         neutral. It all depends on what programs typically look like.
2612
2613         * b3/B3Generate.cpp:
2614         (JSC::B3::generateToAir):
2615
2616 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
2617
2618         Unreviewed, rolling out r231086.
2619
2620         Caused JSC test failures due to an unchecked exception.
2621
2622         Reverted changeset:
2623
2624         "[ESNext][BigInt] Implement support for "*" operation"
2625         https://bugs.webkit.org/show_bug.cgi?id=183721
2626         https://trac.webkit.org/changeset/231086
2627
2628 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
2629
2630         [ESNext][BigInt] Implement support for "*" operation
2631         https://bugs.webkit.org/show_bug.cgi?id=183721
2632
2633         Reviewed by Saam Barati.
2634
2635         Added BigInt support to the times binary operator in LLInt and in the
2636         JITOperations profiledMul and unprofiledMul. We are also replacing all
2637         uses of int with unsigned where there are no negative values for
2638         variables.
2639
2640         * dfg/DFGConstantFoldingPhase.cpp:
2641         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2642         * jit/JITOperations.cpp:
2643         * runtime/CommonSlowPaths.cpp:
2644         (JSC::SLOW_PATH_DECL):
2645         * runtime/JSBigInt.cpp:
2646         (JSC::JSBigInt::JSBigInt):
2647         (JSC::JSBigInt::allocationSize):
2648         (JSC::JSBigInt::createWithLength):
2649         (JSC::JSBigInt::toString):
2650         (JSC::JSBigInt::multiply):
2651         (JSC::JSBigInt::digitDiv):
2652         (JSC::JSBigInt::internalMultiplyAdd):
2653         (JSC::JSBigInt::multiplyAccumulate):
2654         (JSC::JSBigInt::equals):
2655         (JSC::JSBigInt::absoluteDivSmall):
2656         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2657         (JSC::JSBigInt::toStringGeneric):
2658         (JSC::JSBigInt::rightTrim):
2659         (JSC::JSBigInt::allocateFor):
2660         (JSC::JSBigInt::parseInt):
2661         (JSC::JSBigInt::digit):
2662         (JSC::JSBigInt::setDigit):
2663         * runtime/JSBigInt.h:
2664         * runtime/Operations.h:
2665         (JSC::jsMul):
2666
2667 2018-04-26  Mark Lam  <mark.lam@apple.com>
2668
2669         Gardening: Speculative build fix for Windows.
2670         https://bugs.webkit.org/show_bug.cgi?id=184976
2671         <rdar://problem/39723901>
2672
2673         Not reviewed.
2674
2675         * runtime/JSCPtrTag.h:
2676
2677 2018-04-26  Mark Lam  <mark.lam@apple.com>
2678
2679         Gardening: Windows build fix.
2680
2681         Not reviewed.
2682
2683         * runtime/Options.cpp:
2684
2685 2018-04-26  Jer Noble  <jer.noble@apple.com>
2686
2687         WK_COCOA_TOUCH all the things.
2688         https://bugs.webkit.org/show_bug.cgi?id=185006
2689         <rdar://problem/39736025>
2690
2691         Reviewed by Tim Horton.
2692
2693         * Configurations/Base.xcconfig:
2694
2695 2018-04-26  Per Arne Vollan  <pvollan@apple.com>
2696
2697         Disable content filtering in minimal simulator mode
2698         https://bugs.webkit.org/show_bug.cgi?id=185027
2699         <rdar://problem/39736091>
2700
2701         Reviewed by Jer Noble.
2702
2703         * Configurations/FeatureDefines.xcconfig:
2704
2705 2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>
2706
2707         [INTL] Implement Intl.PluralRules
2708         https://bugs.webkit.org/show_bug.cgi?id=184312
2709
2710         Reviewed by JF Bastien.
2711
2712         Use UNumberFormat to enforce formatting, and then UPluralRules to find
2713         the correct plural rule for the given number. Relies on ICU v59+ for
2714         resolvedOptions().pluralCategories and trailing 0 detection.
2715         Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.
2716
2717         * CMakeLists.txt:
2718         * Configurations/FeatureDefines.xcconfig:
2719         * DerivedSources.make:
2720         * JavaScriptCore.xcodeproj/project.pbxproj:
2721         * Sources.txt:
2722         * builtins/BuiltinNames.h:
2723         * runtime/BigIntObject.cpp:
2724         (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
2725         * runtime/BigIntObject.h:
2726         * runtime/CommonIdentifiers.h:
2727         * runtime/IntlObject.cpp:
2728         (JSC::IntlObject::finishCreation):
2729         * runtime/IntlObject.h:
2730         * runtime/IntlPluralRules.cpp: Added.
2731         (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
2732         (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
2733         (JSC::UEnumerationDeleter::operator() const):
2734         (JSC::IntlPluralRules::create):
2735         (JSC::IntlPluralRules::createStructure):
2736         (JSC::IntlPluralRules::IntlPluralRules):
2737         (JSC::IntlPluralRules::finishCreation):
2738         (JSC::IntlPluralRules::destroy):
2739         (JSC::IntlPluralRules::visitChildren):
2740         (JSC::IntlPRInternal::localeData):
2741         (JSC::IntlPluralRules::initializePluralRules):
2742         (JSC::IntlPluralRules::resolvedOptions):
2743         (JSC::IntlPluralRules::select):
2744         * runtime/IntlPluralRules.h: Added.
2745         * runtime/IntlPluralRulesConstructor.cpp: Added.
2746         (JSC::IntlPluralRulesConstructor::create):
2747         (JSC::IntlPluralRulesConstructor::createStructure):
2748         (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
2749         (JSC::IntlPluralRulesConstructor::finishCreation):
2750         (JSC::constructIntlPluralRules):
2751         (JSC::callIntlPluralRules):
2752         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
2753         (JSC::IntlPluralRulesConstructor::visitChildren):
2754         * runtime/IntlPluralRulesConstructor.h: Added.
2755         * runtime/IntlPluralRulesPrototype.cpp: Added.
2756         (JSC::IntlPluralRulesPrototype::create):
2757         (JSC::IntlPluralRulesPrototype::createStructure):
2758         (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
2759         (JSC::IntlPluralRulesPrototype::finishCreation):
2760         (JSC::IntlPluralRulesPrototypeFuncSelect):
2761         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
2762         * runtime/IntlPluralRulesPrototype.h: Added.
2763         * runtime/JSGlobalObject.cpp:
2764         (JSC::JSGlobalObject::init):
2765         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2766         * runtime/JSGlobalObject.h:
2767         * runtime/Options.h:
2768         * runtime/RegExpPrototype.cpp: Added inlines header.
2769         * runtime/VM.cpp:
2770         (JSC::VM::VM):
2771         * runtime/VM.h:
2772
2773 2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>
2774
2775         [MIPS] Fix branch offsets in branchNeg32
2776         https://bugs.webkit.org/show_bug.cgi?id=185025
2777
2778         Reviewed by Yusuke Suzuki.
2779
2780         Two nops were removed in branch(Not)Equal in #183130, but the offset wasn't adjusted.
2781
2782         * assembler/MacroAssemblerMIPS.h:
2783         (JSC::MacroAssemblerMIPS::branchNeg32):
2784
2785 2018-04-25  Robin Morisset  <rmorisset@apple.com>
2786
2787         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
2788         https://bugs.webkit.org/show_bug.cgi?id=184773
2789         <rdar://problem/37773612>
2790
2791         Reviewed by Filip Pizlo.
2792
2793         We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
2794         arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
2795         This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
2796         We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
2797         This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
2798
2799         * ftl/FTLLowerDFGToB3.cpp:
2800         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2801
2802 2018-04-25  Mark Lam  <mark.lam@apple.com>
2803
2804         Push the definition of PtrTag down to the WTF layer.
2805         https://bugs.webkit.org/show_bug.cgi?id=184976
2806         <rdar://problem/39723901>
2807
2808         Reviewed by Saam Barati.
2809
2810         * CMakeLists.txt:
2811         * JavaScriptCore.xcodeproj/project.pbxproj:
2812         * assembler/ARM64Assembler.h:
2813         * assembler/AbstractMacroAssembler.h:
2814         * assembler/MacroAssemblerCodeRef.cpp:
2815         * assembler/MacroAssemblerCodeRef.h:
2816         * b3/B3MathExtras.cpp:
2817         * bytecode/LLIntCallLinkInfo.h:
2818         * disassembler/Disassembler.h:
2819         * ftl/FTLJITCode.cpp:
2820         * interpreter/InterpreterInlines.h:
2821         * jit/ExecutableAllocator.h:
2822         * jit/JITOperations.cpp:
2823         * jit/ThunkGenerator.h:
2824         * jit/ThunkGenerators.h:
2825         * llint/LLIntOffsetsExtractor.cpp:
2826         * llint/LLIntPCRanges.h:
2827         * runtime/JSCPtrTag.h: Added.
2828         * runtime/NativeFunction.h:
2829         * runtime/PtrTag.h: Removed.
2830         * runtime/VMTraps.cpp:
2831
2832 2018-04-25  Keith Miller  <keith_miller@apple.com>
2833
2834         getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
2835         https://bugs.webkit.org/show_bug.cgi?id=184998
2836
2837         Reviewed by Saam Barati.
2838
2839         * runtime/CodeCache.cpp:
2840         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2841
2842 2018-04-25  Keith Miller  <keith_miller@apple.com>
2843
2844         Add missing scope release to functionProtoFuncToString
2845         https://bugs.webkit.org/show_bug.cgi?id=184995
2846
2847         Reviewed by Saam Barati.
2848
2849         * runtime/FunctionPrototype.cpp:
2850         (JSC::functionProtoFuncToString):
2851
2852 2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2853
2854         REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
2855         https://bugs.webkit.org/show_bug.cgi?id=184730
2856
2857         Reviewed by Mark Lam.
2858
2859         Add a swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (a temporary register in MacroAssemblerARM).
2860         We now also use dataTempRegister, addressTempRegister, and fpTempRegister instead of S0, S1, and SD0.
2861
2862         We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with the
2863         ARMv7 implementation.
2864
2865         * assembler/ARMAssembler.h:
2866         * assembler/MacroAssemblerARM.h:
2867         (JSC::MacroAssemblerARM::add32):
2868         (JSC::MacroAssemblerARM::and32):
2869         (JSC::MacroAssemblerARM::lshift32):
2870         (JSC::MacroAssemblerARM::mul32):
2871         (JSC::MacroAssemblerARM::or32):
2872         (JSC::MacroAssemblerARM::rshift32):
2873         (JSC::MacroAssemblerARM::urshift32):
2874         (JSC::MacroAssemblerARM::sub32):
2875         (JSC::MacroAssemblerARM::xor32):
2876         (JSC::MacroAssemblerARM::load8):
2877         (JSC::MacroAssemblerARM::abortWithReason):
2878         (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
2879         (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
2880         (JSC::MacroAssemblerARM::store8):
2881         (JSC::MacroAssemblerARM::store32):
2882         (JSC::MacroAssemblerARM::push):
2883         (JSC::MacroAssemblerARM::swap):
2884         (JSC::MacroAssemblerARM::branch8):
2885         (JSC::MacroAssemblerARM::branchPtr):
2886         (JSC::MacroAssemblerARM::branch32):
2887         (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
2888         (JSC::MacroAssemblerARM::branchTest8):
2889         (JSC::MacroAssemblerARM::branchTest32):
2890         (JSC::MacroAssemblerARM::jump):
2891         (JSC::MacroAssemblerARM::branchAdd32):
2892         (JSC::MacroAssemblerARM::mull32):
2893         (JSC::MacroAssemblerARM::branchMul32):
2894         (JSC::MacroAssemblerARM::patchableBranch32):
2895         (JSC::MacroAssemblerARM::nearCall):
2896         (JSC::MacroAssemblerARM::compare32):
2897         (JSC::MacroAssemblerARM::compare8):
2898         (JSC::MacroAssemblerARM::test32):
2899         (JSC::MacroAssemblerARM::test8):
2900         (JSC::MacroAssemblerARM::add64):
2901         (JSC::MacroAssemblerARM::load32):
2902         (JSC::MacroAssemblerARM::call):
2903         (JSC::MacroAssemblerARM::branchPtrWithPatch):
2904         (JSC::MacroAssemblerARM::branch32WithPatch):
2905         (JSC::MacroAssemblerARM::storePtrWithPatch):
2906         (JSC::MacroAssemblerARM::loadDouble):
2907         (JSC::MacroAssemblerARM::storeDouble):
2908         (JSC::MacroAssemblerARM::addDouble):
2909         (JSC::MacroAssemblerARM::divDouble):
2910         (JSC::MacroAssemblerARM::subDouble):
2911         (JSC::MacroAssemblerARM::mulDouble):
2912         (JSC::MacroAssemblerARM::convertInt32ToDouble):
2913         (JSC::MacroAssemblerARM::branchDouble):
2914         (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
2915         (JSC::MacroAssemblerARM::truncateDoubleToInt32):
2916         (JSC::MacroAssemblerARM::truncateDoubleToUint32):
2917         (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
2918         (JSC::MacroAssemblerARM::branchDoubleNonZero):
2919         (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
2920         (JSC::MacroAssemblerARM::call32):
2921         (JSC::MacroAssemblerARM::internalCompare32):
2922
2923 2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>
2924
2925         [WinCairo] Fix js/regexp-unicode.html crash.
2926         https://bugs.webkit.org/show_bug.cgi?id=184891
2927
2928         Reviewed by Yusuke Suzuki.
2929
2930         On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
2931         RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.
2932
2933         * yarr/YarrJIT.cpp:
2934         (JSC::Yarr::YarrGenerator::generateEnter):
2935         (JSC::Yarr::YarrGenerator::generateReturn):
2936         Unconditionally save and restore RDI on 64-bit Windows.
2937
2938 2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>
2939
2940         [GTK] Miscellaneous build cleanups
2941         https://bugs.webkit.org/show_bug.cgi?id=184399
2942
2943         Reviewed by Žan Doberšek.
2944
2945         * PlatformGTK.cmake:
2946
2947 2018-04-24  Keith Miller  <keith_miller@apple.com>
2948
2949         fromCharCode is missing some exception checks
2950         https://bugs.webkit.org/show_bug.cgi?id=184952
2951
2952         Reviewed by Saam Barati.
2953
2954         I also removed the pointless slow path function and moved it into the
2955         main function.
2956
2957         * runtime/StringConstructor.cpp:
2958         (JSC::stringFromCharCode):
2959         (JSC::stringFromCharCodeSlowCase): Deleted.
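
        The observable semantics at stake in the fromCharCode fix above, as an added example that is not part of this ChangeLog or of JavaScriptCore itself: the spec converts each argument in order with ToUint16, and an exception thrown by one conversion must stop the call before any later argument is converted. The traceFromCharCode helper and its sample inputs are constructed here for illustration.

```javascript
// Added example, not JavaScriptCore code. String.fromCharCode applies
// ToUint16 (which calls ToNumber, hence valueOf() on objects) to each
// argument in order. If one conversion throws, the engine must propagate
// that exception immediately and must not go on converting later
// arguments; a missing exception check is exactly what would break this.

// Wrap each value in an object whose valueOf() records the conversion
// order and optionally throws, so we can observe what the engine does.
// (traceFromCharCode is a constructed helper for this example.)
function traceFromCharCode(values) {
  const log = [];
  const args = values.map((v, i) => ({
    valueOf() {
      log.push(i);                     // record which argument was converted
      if (v instanceof Error) throw v; // simulate a throwing conversion
      return v;
    },
  }));
  let result;
  let error = null;
  try {
    result = String.fromCharCode(...args);
  } catch (e) {
    error = e;
  }
  return { log, result, error };
}

// Normal case: every argument is converted, in order, and the value is
// reduced modulo 2^16 (0x10041 -> 0x41, 'A').
const normal = traceFromCharCode([72, 105, 0x10041]);

// Failure case: the second conversion throws, so the third argument must
// never be converted and no string is produced.
const failing = traceFromCharCode([72, new Error("boom"), 33]);

// Convenience accessor so the results can be inspected without re-running.
function fromCharCodeTraces() {
  return { normal, failing };
}
```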
2960
2961 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
2962
2963         MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
2964         https://bugs.webkit.org/show_bug.cgi?id=184923
2965
2966         Reviewed by Saam Barati.
2967         
2968         If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
2969         (i.e. we know that the object has one of those structures), then previously we would still emit a
2970         switch with a case per structure along with a default case. That would mean one extra redundant
2971         branch to check that whatever structure we wound up with belongs to the set. In that case, we
2972         were already making the default case be an Oops.
2973         
2974         One possible solution would be to say that the default case being Oops means that B3 doesn't need
2975         to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
2976         be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
2977         seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
2978         trap.
2979         
2980         So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
2981         extra branch.
2982         
2983         This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
2984         it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
2985         read.
2986
2987         * ftl/FTLLowerDFGToB3.cpp:
2988         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
2989         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2990         (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):
2991
2992 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
2993
2994         DFG CSE should know how to decay a MultiGetByOffset
2995         https://bugs.webkit.org/show_bug.cgi?id=159859
2996
2997         Reviewed by Keith Miller.
2998         
2999         This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
3000         clobberize() can report a def() for MultiGetByOffset.
3001         
3002         This is a slight improvement to codegen in splay because splay is a heavy user of
3003         MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
3004         "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
3005         removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
3006         splay's time.
3007
3008         * dfg/DFGClobberize.h:
3009         (JSC::DFG::clobberize):
3010         * dfg/DFGNode.cpp:
3011         (JSC::DFG::Node::remove):
3012         (JSC::DFG::Node::removeWithoutChecks):
3013         (JSC::DFG::Node::replaceWith):
3014         (JSC::DFG::Node::replaceWithWithoutChecks):
3015         * dfg/DFGNode.h:
3016         (JSC::DFG::Node::convertToMultiGetByOffset):
3017         (JSC::DFG::Node::replaceWith): Deleted.
3018         * dfg/DFGNodeType.h:
3019         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3020
3021 2018-04-24  Keith Miller  <keith_miller@apple.com>
3022
3023         Update API docs with information on which run loop the VM will use
3024         https://bugs.webkit.org/show_bug.cgi?id=184900
3025         <rdar://problem/39166054>
3026
3027         Reviewed by Mark Lam.
3028
3029         * API/JSContextRef.h:
3030         * API/JSVirtualMachine.h:
3031
3032 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
3033
3034         $vm.totalGCTime() should be a thing
3035         https://bugs.webkit.org/show_bug.cgi?id=184916
3036
3037         Reviewed by Sam Weinig.
3038         
3039         When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
3040         time spent in GC to determine if the regression is because the GC got slower.
3041         
3042         This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
3043
3044         * heap/Heap.cpp:
3045         (JSC::Heap::runEndPhase):
3046         * heap/Heap.h:
3047         (JSC::Heap::totalGCTime const):
3048         * tools/JSDollarVM.cpp:
3049         (JSC::functionTotalGCTime):
3050         (JSC::JSDollarVM::finishCreation):
3051
3052 2018-04-23  Zalan Bujtas  <zalan@apple.com>
3053
3054         [LayoutFormattingContext] Initial commit.
3055         https://bugs.webkit.org/show_bug.cgi?id=184896
3056
3057         Reviewed by Antti Koivisto.
3058
3059         * Configurations/FeatureDefines.xcconfig:
3060
3061 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
3062
3063         Unreviewed, revert accidental change to verbose flag.
3064
3065         * dfg/DFGByteCodeParser.cpp:
3066
3067 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
3068
3069         Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
3070
3071         Rubber stamped by Saam Barati.
3072         
3073         This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
3074         anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
3075         Seems sensible to just roll it out.
3076
3077         * dfg/DFGByteCodeParser.cpp:
3078         (JSC::DFG::ByteCodeParser::addToGraph):
3079         (JSC::DFG::ByteCodeParser::parse):
3080
3081 2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3082
3083         [JSC] Remove ModuleLoaderPrototype
3084         https://bugs.webkit.org/show_bug.cgi?id=184784
3085
3086         Reviewed by Mark Lam.
3087
3088         When we introduce ModuleLoaderPrototype, a ModuleLoader may be created by users and exposed to them.
3089         However, the loader spec has been abandoned, so we do not need to have ModuleLoaderPrototype and JSModuleLoader.
3090         This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
3091
3092         * CMakeLists.txt:
3093         * DerivedSources.make:
3094         * JavaScriptCore.xcodeproj/project.pbxproj:
3095         * Sources.txt:
3096         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
3097         * runtime/JSGlobalObject.cpp:
3098         (JSC::JSGlobalObject::init):
3099         (JSC::JSGlobalObject::visitChildren):
3100         * runtime/JSGlobalObject.h:
3101         (JSC::JSGlobalObject::proxyRevokeStructure const):
3102         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
3103         * runtime/JSModuleLoader.cpp:
3104         (JSC::moduleLoaderParseModule):
3105         (JSC::moduleLoaderRequestedModules):
3106         (JSC::moduleLoaderModuleDeclarationInstantiation):
3107         (JSC::moduleLoaderResolve):
3108         (JSC::moduleLoaderResolveSync):
3109         (JSC::moduleLoaderFetch):
3110         (JSC::moduleLoaderGetModuleNamespaceObject):
3111         (JSC::moduleLoaderEvaluate):
3112         * runtime/JSModuleLoader.h:
3113         * runtime/ModuleLoaderPrototype.cpp: Removed.
3114         * runtime/ModuleLoaderPrototype.h: Removed.
3115
3116 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
3117
3118         [GLIB] All API tests fail in debug builds
3119         https://bugs.webkit.org/show_bug.cgi?id=184813
3120
3121         Reviewed by Mark Lam.
3122
3123         This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
3124         JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.
3125
3126         * API/glib/JSCContext.cpp:
3127         (JSCContextExceptionHandler::JSCContextExceptionHandler):
3128         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
3129         (jscContextConstructed):
3130         (ExceptionHandler::ExceptionHandler): Deleted.
3131         (ExceptionHandler::~ExceptionHandler): Deleted.
3132
3133 2018-04-20  Tim Horton  <timothy_horton@apple.com>
3134
3135         Adjust geolocation feature flag
3136         https://bugs.webkit.org/show_bug.cgi?id=184856
3137
3138         Reviewed by Wenson Hsieh.
3139
3140         * Configurations/FeatureDefines.xcconfig:
3141
3142 2018-04-20  Brian Burg  <bburg@apple.com>
3143
3144         Web Inspector: remove some dead code in IdentifiersFactory
3145         https://bugs.webkit.org/show_bug.cgi?id=184839
3146
3147         Reviewed by Timothy Hatcher.
3148
3149         This was never used on non-Chrome ports, so the identifier always has a
3150         prefix of '0.'. We may change this in the future, but for now remove this.
3151         Using a PID for this purpose is problematic anyway.
3152
3153         * inspector/IdentifiersFactory.cpp:
3154         (Inspector::addPrefixToIdentifier):
3155         (Inspector::IdentifiersFactory::createIdentifier):
3156         (Inspector::IdentifiersFactory::requestId):
3157         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
3158         * inspector/IdentifiersFactory.h:
3159
3160 2018-04-20  Mark Lam  <mark.lam@apple.com>
3161
3162         Add the ability to use a hash for setting PtrTag enum values.
3163         https://bugs.webkit.org/show_bug.cgi?id=184852
3164         <rdar://problem/39613891>
3165
3166         Reviewed by Saam Barati.
3167
3168         * runtime/PtrTag.h:
3169
3170 2018-04-20  Mark Lam  <mark.lam@apple.com>
3171
3172         Some JSEntryPtrTags should actually be JSInternalPtrTags.
3173         https://bugs.webkit.org/show_bug.cgi?id=184712
3174         <rdar://problem/39507381>
3175
3176         Reviewed by Michael Saboff.
3177
3178         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
3179         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
3180            only when needed.
3181
3182         * bytecode/AccessCase.cpp:
3183         (JSC::AccessCase::generateImpl):
3184         * bytecode/ByValInfo.h:
3185         (JSC::ByValInfo::ByValInfo):
3186         * bytecode/CallLinkInfo.cpp:
3187         (JSC::CallLinkInfo::callReturnLocation):
3188         (JSC::CallLinkInfo::patchableJump):
3189         (JSC::CallLinkInfo::hotPathBegin):
3190         (JSC::CallLinkInfo::slowPathStart):
3191         * bytecode/CallLinkInfo.h:
3192         (JSC::CallLinkInfo::setCallLocations):
3193         (JSC::CallLinkInfo::hotPathOther):
3194         * bytecode/PolymorphicAccess.cpp:
3195         (JSC::PolymorphicAccess::regenerate):
3196         * bytecode/StructureStubInfo.h:
3197         (JSC::StructureStubInfo::doneLocation):
3198         * dfg/DFGJITCompiler.cpp:
3199         (JSC::DFG::JITCompiler::link):
3200         * dfg/DFGOSRExit.cpp:
3201         (JSC::DFG::reifyInlinedCallFrames):
3202         * ftl/FTLLazySlowPath.cpp:
3203         (JSC::FTL::LazySlowPath::initialize):
3204         * ftl/FTLLazySlowPath.h:
3205         (JSC::FTL::LazySlowPath::done const):
3206         * ftl/FTLLowerDFGToB3.cpp:
3207         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3208         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3209         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3210         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3211         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3212         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3213         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3214         * jit/JIT.cpp:
3215         (JSC::JIT::link):
3216         * jit/JITExceptions.cpp:
3217         (JSC::genericUnwind):
3218         * jit/JITMathIC.h:
3219         (JSC::isProfileEmpty):
3220         * llint/LLIntData.cpp:
3221         (JSC::LLInt::initialize):
3222         * llint/LLIntData.h:
3223         (JSC::LLInt::getCodePtr):
3224         (JSC::LLInt::getExecutableAddress): Deleted.
3225         * llint/LLIntExceptions.cpp:
3226         (JSC::LLInt::callToThrow):
3227         * llint/LLIntSlowPaths.cpp:
3228         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3229         * wasm/js/WasmToJS.cpp:
3230         (JSC::Wasm::wasmToJS):
3231
3232 2018-04-18  Jer Noble  <jer.noble@apple.com>
3233
3234         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
3235         https://bugs.webkit.org/show_bug.cgi?id=184762
3236
3237         Reviewed by Dan Bernstein.
3238
3239         * Configurations/Base.xcconfig:
3240         * JavaScriptCore.xcodeproj/project.pbxproj:
3241
3242 2018-04-20  Daniel Bates  <dabates@apple.com>
3243
3244         Remove code for compilers that did not support NSDMI for aggregates
3245         https://bugs.webkit.org/show_bug.cgi?id=184599
3246
3247         Reviewed by Per Arne Vollan.
3248
3249         Remove workaround for earlier Visual Studio versions that did not support non-static data
3250         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
3251         and EWS bots to a newer version that supports this feature.
3252
3253         * domjit/DOMJITEffect.h:
3254         (JSC::DOMJIT::Effect::Effect): Deleted.
3255         * runtime/HasOwnPropertyCache.h:
3256         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
3257         * wasm/WasmFormat.h:
3258         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
3259
3260 2018-04-20  Mark Lam  <mark.lam@apple.com>
3261
3262         Build fix for internal builds after r230826.
3263         https://bugs.webkit.org/show_bug.cgi?id=184790
3264         <rdar://problem/39301369>
3265
3266         Not reviewed.
3267
3268         * runtime/Options.cpp:
3269         (JSC::overrideDefaults):
3270         * tools/SigillCrashAnalyzer.cpp:
3271         (JSC::SignalContext::dump):
3272
3273 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
3274
3275         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
3276         https://bugs.webkit.org/show_bug.cgi?id=184254
3277         <rdar://problem/39140200>
3278
3279         Reviewed by Daniel Bates.
3280
3281         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
3282
3283         * runtime/ArrayBuffer.h:
3284         (JSC::ArrayBufferContents::ArrayBufferContents):
3285
3286 2018-04-19  Mark Lam  <mark.lam@apple.com>
3287
3288         Apply pointer profiling to Signal pointers.
3289         https://bugs.webkit.org/show_bug.cgi?id=184790
3290         <rdar://problem/39301369>
3291
3292         Reviewed by Michael Saboff.
3293
3294         1. Change stackPointer, framePointer, and instructionPointer accessors to
3295            be a pair of getter/setter functions.
3296         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
3297            pointer profiling variants of these accessors.
3298         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
3299
3300         * JavaScriptCorePrefix.h:
3301         * runtime/MachineContext.h:
3302         (JSC::MachineContext::stackPointerImpl):
3303         (JSC::MachineContext::stackPointer):
3304         (JSC::MachineContext::setStackPointer):
3305         (JSC::MachineContext::framePointerImpl):
3306         (JSC::MachineContext::framePointer):
3307         (JSC::MachineContext::setFramePointer):
3308         (JSC::MachineContext::instructionPointerImpl):
3309         (JSC::MachineContext::instructionPointer):
3310         (JSC::MachineContext::setInstructionPointer):
3311         (JSC::MachineContext::linkRegisterImpl):
3312         (JSC::MachineContext::linkRegister):
3313         (JSC::MachineContext::setLinkRegister):
3314         * runtime/SamplingProfiler.cpp:
3315         (JSC::SamplingProfiler::takeSample):
3316         * runtime/VMTraps.cpp:
3317         (JSC::SignalContext::SignalContext):
3318         (JSC::VMTraps::tryInstallTrapBreakpoints):
3319         * tools/CodeProfiling.cpp:
3320         (JSC::profilingTimer):
3321         * tools/SigillCrashAnalyzer.cpp:
3322         (JSC::SignalContext::dump):
3323         (JSC::installCrashHandler):
3324         (JSC::SigillCrashAnalyzer::analyze):
3325         * wasm/WasmFaultSignalHandler.cpp:
3326         (JSC::Wasm::trapHandler):
3327
3328 2018-04-19  David Kilzer  <ddkilzer@apple.com>
3329
3330         Enable Objective-C weak references
3331         <https://webkit.org/b/184789>
3332         <rdar://problem/39571716>
3333
3334         Reviewed by Dan Bernstein.
3335
3336         * Configurations/Base.xcconfig:
3337         (CLANG_ENABLE_OBJC_WEAK): Enable.
3338         * Configurations/ToolExecutable.xcconfig:
3339         (CLANG_ENABLE_OBJC_ARC): Simplify.
3340
3341 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
3342
3343         The InternalFunction hierarchy should be in IsoSubspaces
3344         https://bugs.webkit.org/show_bug.cgi?id=184721
3345
3346         Reviewed by Saam Barati.
3347         
3348         This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
3349         but subclasses that are the same size as InternalFunction share its subspace. I did this
3350         because the subclasses appear to just override methods, which are called dynamically via the
3351         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
3352         allocate one kind of InternalFunction over another.
3353
3354         * API/JSBase.h:
3355         * API/JSCallbackFunction.h:
3356         * API/ObjCCallbackFunction.h:
3357         (JSC::ObjCCallbackFunction::subspaceFor):
3358         * CMakeLists.txt:
3359         * JavaScriptCore.xcodeproj/project.pbxproj:
3360         * Sources.txt:
3361         * heap/IsoSubspacePerVM.cpp: Added.
3362         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
3363         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
3364         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
3365         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
3366         (JSC::IsoSubspacePerVM::forVM):
3367         * heap/IsoSubspacePerVM.h: Added.
3368         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
3369         * runtime/Error.h:
3370         * runtime/ErrorConstructor.h:
3371         * runtime/InternalFunction.h:
3372         (JSC::InternalFunction::subspaceFor):
3373         * runtime/IntlCollatorConstructor.h:
3374         * runtime/IntlDateTimeFormatConstructor.h:
3375         * runtime/IntlNumberFormatConstructor.h:
3376         * runtime/JSArrayBufferConstructor.h:
3377         * runtime/NativeErrorConstructor.h:
3378         * runtime/ProxyRevoke.h:
3379         * runtime/RegExpConstructor.h:
3380         * runtime/VM.cpp:
3381         (JSC::VM::VM):
3382         * runtime/VM.h:
3383
3384 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3385
3386         Unreviewed, Fix jsc shell
3387         https://bugs.webkit.org/show_bug.cgi?id=184600
3388
3389         WebAssembly module loading does not finish with drainMicrotasks(),
3390         so JSNativeStdFunction's captured variables become invalid.
3391         This patch fixes this issue.
3392
3393         * jsc.cpp:
3394         (functionDollarAgentStart):
3395         (runWithOptions):
3396         (runJSC):
3397         (jscmain):
3398
3399 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
3400
3401         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
3402         https://bugs.webkit.org/show_bug.cgi?id=184725
3403
3404         Reviewed by Mark Lam.
3405
3406         * jit/JIT.h:
3407
3408 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3409
3410         [WebAssembly][Modules] Import tables in wasm modules
3411         https://bugs.webkit.org/show_bug.cgi?id=184738
3412
3413         Reviewed by JF Bastien.
3414
3415         This patch simply allows wasm modules to import tables from wasm modules / JS re-exporting.
3416         Basically, moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
3417         just works.
3418
3419         * wasm/js/JSWebAssemblyInstance.cpp:
3420         (JSC::JSWebAssemblyInstance::create):
3421         * wasm/js/WebAssemblyModuleRecord.cpp:
3422         (JSC::WebAssemblyModuleRecord::link):
3423
3424 2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>
3425
3426         [ARM] Fix build error and crash after PtrTag change
3427         https://bugs.webkit.org/show_bug.cgi?id=184732
3428
3429         Reviewed by Mark Lam.
3430
3431         Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
3432         MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
3433         twice with ARM-Thumb2.
3434
3435         * assembler/MacroAssemblerCodeRef.h:
3436         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
3437         * jit/JITPropertyAccess32_64.cpp:
3438         (JSC::JIT::emitSlow_op_put_by_val):
3439         * jit/Repatch.cpp:
3440         (JSC::linkPolymorphicCall):
3441
3442 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3443
3444         [WebAssembly][Modules] Import globals from wasm modules
3445         https://bugs.webkit.org/show_bug.cgi?id=184736
3446
3447         Reviewed by JF Bastien.
3448
3449         This patch implements a feature for importing globals to/from wasm modules.
3450         Since we do not currently support mutable globals, we can just copy the
3451         global data when importing. Currently we do not support importing/exporting
3452         i64 globals. This will be supported once (1) mutable global bindings are
3453         specified and (2) BigInt-based i64 importing/exporting is specified.
3454
3455         * wasm/js/JSWebAssemblyInstance.cpp:
3456         (JSC::JSWebAssemblyInstance::create):
3457         * wasm/js/WebAssemblyModuleRecord.cpp:
3458         (JSC::WebAssemblyModuleRecord::link):
3459
3460 2018-04-18  Tomas Popela  <tpopela@redhat.com>
3461
3462         Unreviewed, fix build on ARM
3463
3464         * assembler/MacroAssemblerARM.h:
3465         (JSC::MacroAssemblerARM::readCallTarget):
3466
3467 2018-04-18  Tomas Popela  <tpopela@redhat.com>
3468
3469         Unreviewed, fix build with GCC
3470
3471         * assembler/LinkBuffer.h:
3472         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3473
3474 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3475
3476         Unreviewed, reland r230697, r230720, and r230724.
3477         https://bugs.webkit.org/show_bug.cgi?id=184600
3478
3479         With CatchScope check.
3480
3481         * JavaScriptCore.xcodeproj/project.pbxproj:
3482         * builtins/ModuleLoaderPrototype.js:
3483         (globalPrivate.newRegistryEntry):
3484         (requestInstantiate):
3485         (link):
3486         * jsc.cpp:
3487         (convertShebangToJSComment):
3488         (fillBufferWithContentsOfFile):
3489         (fetchModuleFromLocalFileSystem):
3490         (GlobalObject::moduleLoaderFetch):
3491         (functionDollarAgentStart):
3492         (checkException):
3493         (runWithOptions):
3494         * parser/NodesAnalyzeModule.cpp:
3495         (JSC::ImportDeclarationNode::analyzeModule):
3496         * parser/SourceProvider.h:
3497         (JSC::WebAssemblySourceProvider::create):
3498         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
3499         * runtime/AbstractModuleRecord.cpp:
3500         (JSC::AbstractModuleRecord::hostResolveImportedModule):
3501         (JSC::AbstractModuleRecord::resolveImport):
3502         (JSC::AbstractModuleRecord::link):
3503         (JSC::AbstractModuleRecord::evaluate):
3504         (JSC::identifierToJSValue): Deleted.
3505         * runtime/AbstractModuleRecord.h:
3506         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
3507         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
3508         * runtime/JSModuleEnvironment.cpp:
3509         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
3510         * runtime/JSModuleLoader.cpp:
3511         (JSC::JSModuleLoader::evaluate):
3512         * runtime/JSModuleRecord.cpp:
3513         (JSC::JSModuleRecord::link):
3514         (JSC::JSModuleRecord::instantiateDeclarations):
3515         * runtime/JSModuleRecord.h:
3516         * runtime/ModuleLoaderPrototype.cpp:
3517         (JSC::moduleLoaderPrototypeParseModule):
3518         (JSC::moduleLoaderPrototypeRequestedModules):
3519         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
3520         * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
3521         * wasm/js/JSWebAssemblyHelpers.h:
3522         (JSC::getWasmBufferFromValue):
3523         (JSC::createSourceBufferFromValue):
3524         * wasm/js/JSWebAssemblyInstance.cpp:
3525         (JSC::JSWebAssemblyInstance::finalizeCreation):
3526         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
3527         (JSC::JSWebAssemblyInstance::create):
3528         * wasm/js/JSWebAssemblyInstance.h:
3529         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3530         (JSC::constructJSWebAssemblyInstance):
3531         * wasm/js/WebAssemblyModuleRecord.cpp:
3532         (JSC::WebAssemblyModuleRecord::prepareLink):
3533         (JSC::WebAssemblyModuleRecord::link):
3534         * wasm/js/WebAssemblyModuleRecord.h:
3535         * wasm/js/WebAssemblyPrototype.cpp:
3536         (JSC::resolve):
3537         (JSC::instantiate):
3538         (JSC::compileAndInstantiate):
3539         (JSC::WebAssemblyPrototype::instantiate):
3540         (JSC::webAssemblyInstantiateFunc):
3541         (JSC::webAssemblyValidateFunc):
3542         * wasm/js/WebAssemblyPrototype.h:
3543
3544 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
3545
3546         [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
3547         https://bugs.webkit.org/show_bug.cgi?id=184687
3548
3549         Reviewed by Michael Catanzaro.
3550
3551         Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
3552         JSClassDefinition. This is required to implement dynamic properties that can't be added with
3553         jsc_class_add_property(), for example to implement something like the imports object in seed/gjs.
3554
3555         * API/glib/JSCClass.cpp:
3556         (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
3557         can throw exceptions.
3558         (VTableExceptionHandler::~VTableExceptionHandler):
3559         (getProperty): Iterate the class chain to call get_property function.
3560         (setProperty): Iterate the class chain to call set_property function.
3561         (hasProperty): Iterate the class chain to call has_property function.
3562         (deleteProperty): Iterate the class chain to call delete_property function.
3563         (getPropertyNames): Iterate the class chain to call enumerate_properties function.
3564         (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
3565         jscClassCreate now.
3566         (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
3567         * API/glib/JSCClass.h:
3568         * API/glib/JSCClassPrivate.h:
3569         * API/glib/JSCContext.cpp:
3570         (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
3571         (jsc_context_register_class): Add JSCClassVTable parameter.
3572         * API/glib/JSCContext.h:
3573         * API/glib/JSCContextPrivate.h:
3574         * API/glib/JSCWrapperMap.cpp:
3575         (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
3576         * API/glib/JSCWrapperMap.h:
3577         * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
3578
3579 2018-04-17  Mark Lam  <mark.lam@apple.com>
3580
3581         Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
3582         https://bugs.webkit.org/show_bug.cgi?id=184702
3583         <rdar://problem/35391681>
3584
3585         Reviewed by Filip Pizlo and Saam Barati.
3586
3587         1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
3588            to take a PtrTag template argument.
3589         2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
3590
3591         * assembler/AbstractMacroAssembler.h:
3592         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
3593         (JSC::AbstractMacroAssembler::linkJump):
3594         (JSC::AbstractMacroAssembler::linkPointer):
3595         (JSC::AbstractMacroAssembler::getLinkerAddress):
3596         (JSC::AbstractMacroAssembler::repatchJump):
3597         (JSC::AbstractMacroAssembler::repatchJumpToNop):
3598         (JSC::AbstractMacroAssembler::repatchNearCall):
3599         (JSC::AbstractMacroAssembler::repatchCompact):
3600         (JSC::AbstractMacroAssembler::repatchInt32):
3601         (JSC::AbstractMacroAssembler::repatchPointer):
3602         (JSC::AbstractMacroAssembler::readPointer):
3603         (JSC::AbstractMacroAssembler::replaceWithLoad):
3604         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
3605         * assembler/CodeLocation.h:
3606         (JSC::CodeLocationCommon:: const):
3607         (JSC::CodeLocationCommon::CodeLocationCommon):
3608         (JSC::CodeLocationInstruction::CodeLocationInstruction):
3609         (JSC::CodeLocationLabel::CodeLocationLabel):
3610         (JSC::CodeLocationLabel::retagged):
3611         (JSC::CodeLocationLabel:: const):
3612         (JSC::CodeLocationJump::CodeLocationJump):
3613         (JSC::CodeLocationJump::retagged):
3614         (JSC::CodeLocationCall::CodeLocationCall):
3615         (JSC::CodeLocationCall::retagged):
3616         (JSC::CodeLocationNearCall::CodeLocationNearCall):
3617         (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
3618         (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
3619         (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
3620         (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
3621         (JSC::CodeLocationCommon<tag>::instructionAtOffset):
3622         (JSC::CodeLocationCommon<tag>::labelAtOffset):
3623         (JSC::CodeLocationCommon<tag>::jumpAtOffset):
3624         (JSC::CodeLocationCommon<tag>::callAtOffset):
3625         (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
3626         (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
3627         (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
3628         (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
3629         (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
3630         (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
3631         (JSC::CodeLocationCommon::labelAtOffset): Deleted.
3632         (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
3633         (JSC::CodeLocationCommon::callAtOffset): Deleted.
3634         (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
3635         (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
3636         (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
3637         (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
3638         (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
3639         * assembler/LinkBuffer.cpp:
3640         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
3641         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
3642         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
3643         (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
3644         * assembler/LinkBuffer.h:
3645         (JSC::LinkBuffer::link):
3646         (JSC::LinkBuffer::patch):
3647         (JSC::LinkBuffer::entrypoint):
3648         (JSC::LinkBuffer::locationOf):
3649         (JSC::LinkBuffer::locationOfNearCall):
3650         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
3651         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3652         (JSC::LinkBuffer::trampolineAt):
3653         * assembler/MacroAssemblerARM.h:
3654         (JSC::MacroAssemblerARM::readCallTarget):
3655         (JSC::MacroAssemblerARM::replaceWithJump):
3656         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
3657         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
3658         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
3659         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
3660         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
3661         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
3662         (JSC::MacroAssemblerARM::repatchCall):
3663         (JSC::MacroAssemblerARM::linkCall):
3664         * assembler/MacroAssemblerARM64.h:
3665         (JSC::MacroAssemblerARM64::readCallTarget):
3666         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
3667         (JSC::MacroAssemblerARM64::replaceWithJump):
3668         (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
3669         (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
3670         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
3671         (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
3672         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
3673         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
3674         (JSC::MacroAssemblerARM64::repatchCall):
3675         (JSC::MacroAssemblerARM64::linkCall):
3676         * assembler/MacroAssemblerARMv7.h:
3677         (JSC::MacroAssemblerARMv7::replaceWithJump):
3678         (JSC::MacroAssemblerARMv7::readCallTarget):
3679         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
3680         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
3681         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
3682         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
3683         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
3684         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
3685         (JSC::MacroAssemblerARMv7::repatchCall):
3686         (JSC::MacroAssemblerARMv7::linkCall):
3687         * assembler/MacroAssemblerCodeRef.cpp:
3688         (JSC::MacroAssemblerCodePtrBase::dumpWithName):
3689         (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
3690         (JSC::MacroAssemblerCodeRefBase::disassembly):
3691         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
3692         (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
3693         (JSC::MacroAssemblerCodePtr::dump const): Deleted.
3694         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
3695         (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
3696         (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
3697         (JSC::MacroAssemblerCodeRef::dump const): Deleted.
3698         * assembler/MacroAssemblerCodeRef.h:
3699         (JSC::FunctionPtr::FunctionPtr):
3700         (JSC::FunctionPtr::retagged const):
3701         (JSC::FunctionPtr::retaggedExecutableAddress const):
3702         (JSC::FunctionPtr::operator== const):
3703         (JSC::FunctionPtr::operator!= const):
3704         (JSC::ReturnAddressPtr::ReturnAddressPtr):
3705         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3706         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
3707         (JSC::MacroAssemblerCodePtr::retagged const):
3708         (JSC::MacroAssemblerCodePtr:: const):
3709         (JSC::MacroAssemblerCodePtr::dumpWithName const):
3710         (JSC::MacroAssemblerCodePtr::dump const):
3711         (JSC::MacroAssemblerCodePtrHash::hash):
3712         (JSC::MacroAssemblerCodePtrHash::equal):
3713         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
3714         (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
3715         (JSC::MacroAssemblerCodeRef::code const):
3716         (JSC::MacroAssemblerCodeRef::retaggedCode const):
3717         (JSC::MacroAssemblerCodeRef::retagged const):
3718         (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
3719         (JSC::MacroAssemblerCodeRef::disassembly const):
3720         (JSC::MacroAssemblerCodeRef::dump const):
3721         (JSC::FunctionPtr<tag>::FunctionPtr):
3722         * assembler/MacroAssemblerMIPS.h:
3723         (JSC::MacroAssemblerMIPS::readCallTarget):
3724         (JSC::MacroAssemblerMIPS::replaceWithJump):
3725         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
3726         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
3727         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
3728         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
3729         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
3730         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
3731         (JSC::MacroAssemblerMIPS::repatchCall):
3732         (JSC::MacroAssemblerMIPS::linkCall):
3733         * assembler/MacroAssemblerX86.h:
3734         (JSC::MacroAssemblerX86::readCallTarget):
3735         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
3736         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
3737         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
3738         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
3739         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
3740         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
3741         (JSC::MacroAssemblerX86::repatchCall):
3742         (JSC::MacroAssemblerX86::linkCall):
3743         * assembler/MacroAssemblerX86Common.h:
3744         (JSC::MacroAssemblerX86Common::repatchCompact):
3745         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
3746         (JSC::MacroAssemblerX86Common::replaceWithJump):
3747         * assembler/MacroAssemblerX86_64.h:
3748         (JSC::MacroAssemblerX86_64::readCallTarget):
3749         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
3750         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
3751         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
3752         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
3753         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
3754         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
3755         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
3756         (JSC::MacroAssemblerX86_64::repatchCall):
3757         (JSC::MacroAssemblerX86_64::linkCall):
3758         * assembler/testmasm.cpp:
3759         (JSC::compile):
3760         (JSC::invoke):
3761         (JSC::testProbeModifiesProgramCounter):
3762         * b3/B3Compilation.cpp:
3763         (JSC::B3::Compilation::Compilation):
3764         * b3/B3Compilation.h:
3765         (JSC::B3::Compilation::code const):
3766         (JSC::B3::Compilation::codeRef const):
3767         * b3/B3Compile.cpp:
3768         (JSC::B3::compile):
3769         * b3/B3LowerMacros.cpp:
3770         * b3/air/AirDisassembler.cpp:
3771         (JSC::B3::Air::Disassembler::dump):
3772         * b3/air/testair.cpp:
3773         * b3/testb3.cpp:
3774         (JSC::B3::invoke):
3775         (JSC::B3::testInterpreter):
3776         (JSC::B3::testEntrySwitchSimple):
3777         (JSC::B3::testEntrySwitchNoEntrySwitch):
3778         (JSC::B3::testEntrySwitchWithCommonPaths):
3779         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
3780         (JSC::B3::testEntrySwitchLoop):
3781         * bytecode/AccessCase.cpp:
3782         (JSC::AccessCase::generateImpl):
3783         * bytecode/AccessCaseSnippetParams.cpp:
3784         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
3785         * bytecode/ByValInfo.h:
3786         (JSC::ByValInfo::ByValInfo):
3787         * bytecode/CallLinkInfo.cpp:
3788         (JSC::CallLinkInfo::callReturnLocation):
3789         (JSC::CallLinkInfo::patchableJump):
3790         (JSC::CallLinkInfo::hotPathBegin):
3791         (JSC::CallLinkInfo::slowPathStart):
3792         * bytecode/CallLinkInfo.h:
3793         (JSC::CallLinkInfo::setCallLocations):
3794         (JSC::CallLinkInfo::hotPathOther):
3795         * bytecode/CodeBlock.cpp:
3796         (JSC::CodeBlock::finishCreation):
3797         * bytecode/GetByIdStatus.cpp:
3798         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3799         * bytecode/GetByIdVariant.cpp:
3800         (JSC::GetByIdVariant::GetByIdVariant):
3801         (JSC::GetByIdVariant::dumpInContext const):
3802         * bytecode/GetByIdVariant.h:
3803         (JSC::GetByIdVariant::customAccessorGetter const):
3804         * bytecode/GetterSetterAccessCase.cpp:
3805         (JSC::GetterSetterAccessCase::create):
3806         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3807         (JSC::GetterSetterAccessCase::dumpImpl const):
3808         * bytecode/GetterSetterAccessCase.h:
3809         (JSC::GetterSetterAccessCase::customAccessor const):
3810         (): Deleted.
3811         * bytecode/HandlerInfo.h:
3812         (JSC::HandlerInfo::initialize):
3813         * bytecode/InlineAccess.cpp:
3814         (JSC::linkCodeInline):
3815         (JSC::InlineAccess::rewireStubAsJump):
3816         * bytecode/InlineAccess.h:
3817         * bytecode/JumpTable.h:
3818         (JSC::StringJumpTable::ctiForValue):
3819         (JSC::SimpleJumpTable::ctiForValue):
3820         * bytecode/LLIntCallLinkInfo.h:
3821         (JSC::LLIntCallLinkInfo::unlink):
3822         * bytecode/PolymorphicAccess.cpp:
3823         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
3824         (JSC::PolymorphicAccess::regenerate):
3825         * bytecode/PolymorphicAccess.h:
3826         (JSC::AccessGenerationResult::AccessGenerationResult):
3827         (JSC::AccessGenerationResult::code const):
3828         * bytecode/StructureStubInfo.h:
3829         (JSC::StructureStubInfo::slowPathCallLocation):
3830         (JSC::StructureStubInfo::doneLocation):
3831         (JSC::StructureStubInfo::slowPathStartLocation):
3832         (JSC::StructureStubInfo::patchableJumpForIn):
3833         * dfg/DFGCommonData.h:
3834         (JSC::DFG::CommonData::appendCatchEntrypoint):
3835         * dfg/DFGDisassembler.cpp:
3836         (JSC::DFG::Disassembler::dumpDisassembly):
3837         * dfg/DFGDriver.h:
3838         * dfg/DFGJITCompiler.cpp:
3839         (JSC::DFG::JITCompiler::linkOSRExits):
3840         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3841         (JSC::DFG::JITCompiler::link):
3842         (JSC::DFG::JITCompiler::compileFunction):
3843         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3844         * dfg/DFGJITCompiler.h:
3845         (JSC::DFG::CallLinkRecord::CallLinkRecord):
3846         (JSC::DFG::JITCompiler::appendCall):
3847         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
3848         (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
3849         (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
3850         * dfg/DFGJITFinalizer.cpp:
3851         (JSC::DFG::JITFinalizer::JITFinalizer):
3852         (JSC::DFG::JITFinalizer::finalize):
3853         (JSC::DFG::JITFinalizer::finalizeFunction):
3854         * dfg/DFGJITFinalizer.h:
3855         * dfg/DFGJumpReplacement.h:
3856         (JSC::DFG::JumpReplacement::JumpReplacement):
3857         * dfg/DFGNode.h:
3858         * dfg/DFGOSREntry.cpp:
3859         (JSC::DFG::prepareOSREntry):
3860         (JSC::DFG::prepareCatchOSREntry):
3861         * dfg/DFGOSREntry.h:
3862         (JSC::DFG::prepareOSREntry):
3863         * dfg/DFGOSRExit.cpp:
3864         (JSC::DFG::OSRExit::executeOSRExit):
3865         (JSC::DFG::reifyInlinedCallFrames):
3866         (JSC::DFG::adjustAndJumpToTarget):
3867         (JSC::DFG::OSRExit::codeLocationForRepatch const):
3868         (JSC::DFG::OSRExit::emitRestoreArguments):
3869         (JSC::DFG::OSRExit::compileOSRExit):
3870         * dfg/DFGOSRExit.h:
3871         * dfg/DFGOSRExitCompilerCommon.cpp:
3872         (JSC::DFG::handleExitCounts):
3873         (JSC::DFG::reifyInlinedCallFrames):
3874         (JSC::DFG::osrWriteBarrier):
3875         (JSC::DFG::adjustAndJumpToTarget):
3876         * dfg/DFGOperations.cpp:
3877         * dfg/DFGSlowPathGenerator.h:
3878         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
3879         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
3880         (JSC::DFG::slowPathCall):
3881         * dfg/DFGSpeculativeJIT.cpp:
3882         (JSC::DFG::SpeculativeJIT::compileMathIC):
3883         (JSC::DFG::SpeculativeJIT::compileCallDOM):
3884         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3885         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
3886         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3887         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
3888         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
3889         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
3890         (JSC::DFG::SpeculativeJIT::cachedPutById):
3891         * dfg/DFGSpeculativeJIT.h:
3892         (JSC::DFG::SpeculativeJIT::callOperation):
3893         (JSC::DFG::SpeculativeJIT::appendCall):
3894         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
3895         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
3896         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3897         * dfg/DFGSpeculativeJIT64.cpp:
3898         (JSC::DFG::SpeculativeJIT::cachedGetById):
3899         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3900         (JSC::DFG::SpeculativeJIT::compile):
3901         * dfg/DFGThunks.cpp:
3902         (JSC::DFG::osrExitThunkGenerator):
3903         (JSC::DFG::osrExitGenerationThunkGenerator):
3904         (JSC::DFG::osrEntryThunkGenerator):
3905         * dfg/DFGThunks.h:
3906         * disassembler/ARM64Disassembler.cpp:
3907         (JSC::tryToDisassemble):
3908         * disassembler/ARMv7Disassembler.cpp:
3909         (JSC::tryToDisassemble):
3910         * disassembler/Disassembler.cpp:
3911         (JSC::disassemble):
3912         (JSC::disassembleAsynchronously):
3913         * disassembler/Disassembler.h:
3914         (JSC::tryToDisassemble):
3915         * disassembler/UDis86Disassembler.cpp:
3916         (JSC::tryToDisassembleWithUDis86):
3917         * disassembler/UDis86Disassembler.h:
3918         (JSC::tryToDisassembleWithUDis86):
3919         * disassembler/X86Disassembler.cpp:
3920         (JSC::tryToDisassemble):
3921         * ftl/FTLCompile.cpp:
3922         (JSC::FTL::compile):
3923         * ftl/FTLExceptionTarget.cpp:
3924         (JSC::FTL::ExceptionTarget::label):
3925         (JSC::FTL::ExceptionTarget::jumps):
3926         * ftl/FTLExceptionTarget.h:
3927         * ftl/FTLGeneratedFunction.h:
3928         * ftl/FTLJITCode.cpp:
3929         (JSC::FTL::JITCode::initializeB3Code):
3930         (JSC::FTL::JITCode::initializeAddressForCall):
3931         (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
3932         (JSC::FTL::JITCode::addressForCall):
3933         (JSC::FTL::JITCode::executableAddressAtOffset):
3934         * ftl/FTLJITCode.h:
3935         (JSC::FTL::JITCode::b3Code const):
3936         * ftl/FTLJITFinalizer.cpp:
3937         (JSC::FTL::JITFinalizer::finalizeCommon):
3938         * ftl/FTLLazySlowPath.cpp:
3939         (JSC::FTL::LazySlowPath::initialize):
3940         (JSC::FTL::LazySlowPath::generate):
3941         * ftl/FTLLazySlowPath.h:
3942         (JSC::FTL::LazySlowPath::patchableJump const):
3943         (JSC::FTL::LazySlowPath::done const):
3944         (JSC::FTL::LazySlowPath::stub const):
3945         * ftl/FTLLazySlowPathCall.h:
3946         (JSC::FTL::createLazyCallGenerator):
3947         * ftl/FTLLink.cpp:
3948         (JSC::FTL::link):
3949         * ftl/FTLLowerDFGToB3.cpp:
3950         (JSC::FTL::DFG::LowerDFGToB3::lower):
3951         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3952         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3953         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3954         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3955         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3956         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3957         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
3958         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3959         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3960         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):