Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-04-17  Mark Lam  <mark.lam@apple.com>

        Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184702
        <rdar://problem/35391681>

        Reviewed by Filip Pizlo and Saam Barati.

        1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
           to take a PtrTag template argument.
        2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
        (JSC::AbstractMacroAssembler::linkJump):
        (JSC::AbstractMacroAssembler::linkPointer):
        (JSC::AbstractMacroAssembler::getLinkerAddress):
        (JSC::AbstractMacroAssembler::repatchJump):
        (JSC::AbstractMacroAssembler::repatchJumpToNop):
        (JSC::AbstractMacroAssembler::repatchNearCall):
        (JSC::AbstractMacroAssembler::repatchCompact):
        (JSC::AbstractMacroAssembler::repatchInt32):
        (JSC::AbstractMacroAssembler::repatchPointer):
        (JSC::AbstractMacroAssembler::readPointer):
        (JSC::AbstractMacroAssembler::replaceWithLoad):
        (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
        * assembler/CodeLocation.h:
        (JSC::CodeLocationCommon:: const):
        (JSC::CodeLocationCommon::CodeLocationCommon):
        (JSC::CodeLocationInstruction::CodeLocationInstruction):
        (JSC::CodeLocationLabel::CodeLocationLabel):
        (JSC::CodeLocationLabel::retagged):
        (JSC::CodeLocationLabel:: const):
        (JSC::CodeLocationJump::CodeLocationJump):
        (JSC::CodeLocationJump::retagged):
        (JSC::CodeLocationCall::CodeLocationCall):
        (JSC::CodeLocationCall::retagged):
        (JSC::CodeLocationNearCall::CodeLocationNearCall):
        (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
        (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
        (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
        (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
        (JSC::CodeLocationCommon<tag>::instructionAtOffset):
        (JSC::CodeLocationCommon<tag>::labelAtOffset):
        (JSC::CodeLocationCommon<tag>::jumpAtOffset):
        (JSC::CodeLocationCommon<tag>::callAtOffset):
        (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
        (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
        (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
        (JSC::CodeLocationCommon::labelAtOffset): Deleted.
        (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
        (JSC::CodeLocationCommon::callAtOffset): Deleted.
        (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
        (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
        (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        (JSC::LinkBuffer::patch):
        (JSC::LinkBuffer::entrypoint):
        (JSC::LinkBuffer::locationOf):
        (JSC::LinkBuffer::locationOfNearCall):
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        (JSC::LinkBuffer::trampolineAt):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):
        (JSC::MacroAssemblerARM::replaceWithJump):
        (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM::repatchCall):
        (JSC::MacroAssemblerARM::linkCall):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::readCallTarget):
        (JSC::MacroAssemblerARM64::replaceWithVMHalt):
        (JSC::MacroAssemblerARM64::replaceWithJump):
        (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::repatchCall):
        (JSC::MacroAssemblerARM64::linkCall):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::replaceWithJump):
        (JSC::MacroAssemblerARMv7::readCallTarget):
        (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::repatchCall):
        (JSC::MacroAssemblerARMv7::linkCall):
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtrBase::dumpWithName):
        (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
        (JSC::MacroAssemblerCodeRefBase::disassembly):
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
        (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
        (JSC::MacroAssemblerCodePtr::dump const): Deleted.
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
        (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
        (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
        (JSC::MacroAssemblerCodeRef::dump const): Deleted.
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
        (JSC::FunctionPtr::retagged const):
        (JSC::FunctionPtr::retaggedExecutableAddress const):
        (JSC::FunctionPtr::operator== const):
        (JSC::FunctionPtr::operator!= const):
        (JSC::ReturnAddressPtr::ReturnAddressPtr):
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
        (JSC::MacroAssemblerCodePtr::retagged const):
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodePtr::dumpWithName const):
        (JSC::MacroAssemblerCodePtr::dump const):
        (JSC::MacroAssemblerCodePtrHash::hash):
        (JSC::MacroAssemblerCodePtrHash::equal):
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
        (JSC::MacroAssemblerCodeRef::code const):
        (JSC::MacroAssemblerCodeRef::retaggedCode const):
        (JSC::MacroAssemblerCodeRef::retagged const):
        (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
        (JSC::MacroAssemblerCodeRef::disassembly const):
        (JSC::MacroAssemblerCodeRef::dump const):
        (JSC::FunctionPtr<tag>::FunctionPtr):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::readCallTarget):
        (JSC::MacroAssemblerMIPS::replaceWithJump):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::repatchCall):
        (JSC::MacroAssemblerMIPS::linkCall):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::readCallTarget):
        (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86::repatchCall):
        (JSC::MacroAssemblerX86::linkCall):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::repatchCompact):
        (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
        (JSC::MacroAssemblerX86Common::replaceWithJump):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::readCallTarget):
        (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::repatchCall):
        (JSC::MacroAssemblerX86_64::linkCall):
        * assembler/testmasm.cpp:
        (JSC::compile):
        (JSC::invoke):
        (JSC::testProbeModifiesProgramCounter):
        * b3/B3Compilation.cpp:
        (JSC::B3::Compilation::Compilation):
        * b3/B3Compilation.h:
        (JSC::B3::Compilation::code const):
        (JSC::B3::Compilation::codeRef const):
        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/B3LowerMacros.cpp:
        * b3/air/AirDisassembler.cpp:
        (JSC::B3::Air::Disassembler::dump):
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::invoke):
        (JSC::B3::testInterpreter):
        (JSC::B3::testEntrySwitchSimple):
        (JSC::B3::testEntrySwitchNoEntrySwitch):
        (JSC::B3::testEntrySwitchWithCommonPaths):
        (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
        (JSC::B3::testEntrySwitchLoop):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCaseSnippetParams.cpp:
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callReturnLocation):
        (JSC::CallLinkInfo::patchableJump):
        (JSC::CallLinkInfo::hotPathBegin):
        (JSC::CallLinkInfo::slowPathStart):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setCallLocations):
        (JSC::CallLinkInfo::hotPathOther):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::dumpInContext const):
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::customAccessorGetter const):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::create):
        (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
        (JSC::GetterSetterAccessCase::dumpImpl const):
        * bytecode/GetterSetterAccessCase.h:
        (JSC::GetterSetterAccessCase::customAccessor const):
        (): Deleted.
        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfo::initialize):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/InlineAccess.h:
        * bytecode/JumpTable.h:
        (JSC::StringJumpTable::ctiForValue):
        (JSC::SimpleJumpTable::ctiForValue):
        * bytecode/LLIntCallLinkInfo.h:
        (JSC::LLIntCallLinkInfo::unlink):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationResult::AccessGenerationResult):
        (JSC::AccessGenerationResult::code const):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::slowPathCallLocation):
        (JSC::StructureStubInfo::doneLocation):
        (JSC::StructureStubInfo::slowPathStartLocation):
        (JSC::StructureStubInfo::patchableJumpForIn):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::appendCatchEntrypoint):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpDisassembly):
        * dfg/DFGDriver.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::CallLinkRecord::CallLinkRecord):
        (JSC::DFG::JITCompiler::appendCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
        (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::JITFinalizer):
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGJumpReplacement.h:
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGOSREntry.h:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::OSRExit::codeLocationForRepatch const):
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
        (JSC::DFG::slowPathCall):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::appendCall):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * dfg/DFGThunks.h:
        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/ARMv7Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/Disassembler.cpp:
        (JSC::disassemble):
        (JSC::disassembleAsynchronously):
        * disassembler/Disassembler.h:
        (JSC::tryToDisassemble):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/UDis86Disassembler.h:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/X86Disassembler.cpp:
        (JSC::tryToDisassemble):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLExceptionTarget.cpp:
        (JSC::FTL::ExceptionTarget::label):
        (JSC::FTL::ExceptionTarget::jumps):
        * ftl/FTLExceptionTarget.h:
        * ftl/FTLGeneratedFunction.h:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::initializeB3Code):
        (JSC::FTL::JITCode::initializeAddressForCall):
        (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
        (JSC::FTL::JITCode::addressForCall):
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLJITCode.h:
        (JSC::FTL::JITCode::b3Code const):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::initialize):
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::patchableJump const):
        (JSC::FTL::LazySlowPath::done const):
        (JSC::FTL::LazySlowPath::stub const):
        * ftl/FTLLazySlowPathCall.h:
        (JSC::FTL::createLazyCallGenerator):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::codeLocationForRepatch const):
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::compileFTLLazySlowPath):
        * ftl/FTLPatchpointExceptionHandle.cpp:
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::SlowPathCallContext::keyWithTarget const):
        (JSC::FTL::SlowPathCallContext::makeCall):
        * ftl/FTLSlowPathCall.h:
        (JSC::FTL::callOperation):
        * ftl/FTLSlowPathCallKey.cpp:
        (JSC::FTL::SlowPathCallKey::dump const):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
        (JSC::FTL::SlowPathCallKey::callTarget const):
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        (JSC::FTL::SlowPathCallKey::hash const):
        (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::lazySlowPathGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::generateIfNecessary):
        (JSC::FTL::keyForThunk):
        (JSC::FTL::Thunks::getSlowPathCallThunk):
        (JSC::FTL::Thunks::keyForSlowPathCallThunk):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::getOpcodeID):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::callExceptionFuzz):
        (JSC::AssemblyHelpers::emitDumbVirtualCall):
        (JSC::AssemblyHelpers::debugCall):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h:
        (JSC::createJITStubRoutine):
        * jit/JIT.cpp:
        (JSC::ctiPatchCallByReturnAddress):
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        (JSC::CallRecord::CallRecord):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitMathICFast):
        (JSC::JIT::emitMathICSlow):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCode.cpp:
        (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
        (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
        (JSC::DirectJITCode::DirectJITCode):
        (JSC::DirectJITCode::initializeCodeRef):
        (JSC::DirectJITCode::addressForCall):
        (JSC::NativeJITCode::NativeJITCode):
        (JSC::NativeJITCode::initializeCodeRef):
        (JSC::NativeJITCode::addressForCall):
        * jit/JITCode.h:
        * jit/JITCodeMap.h:
        (JSC::JITCodeMap::Entry::Entry):
        (JSC::JITCodeMap::Entry::codeLocation):
        (JSC::JITCodeMap::append):
        (JSC::JITCodeMap::find const):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpDisassembly):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::finalize):
        * jit/JITInlines.h:
        (JSC::JIT::emitNakedCall):
        (JSC::JIT::emitNakedTailCall):
        (JSC::JIT::appendCallWithExceptionCheck):
        (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
        (JSC::JIT::appendCallWithCallFrameRollbackOnException):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::privateCompileHasIndexedProperty):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::JITStubRoutine):
        (JSC::JITStubRoutine::createSelfManagedRoutine):
        (JSC::JITStubRoutine::code const):
        (JSC::JITStubRoutine::asCodePtr):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        (JSC::JITThunks::ctiNativeTailCall):
        (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
        (JSC::JITThunks::ctiInternalFunctionCall):
        (JSC::JITThunks::ctiInternalFunctionConstruct):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::existingCTIStub):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        * jit/PCToCodeOriginMap.cpp:
        (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
        * jit/PCToCodeOriginMap.h:
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        * jit/PolymorphicCallStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryCacheIn):
        (JSC::repatchIn):
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::linkDirectFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/Repatch.h:
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::nativeCallGenerator):
        (JSC::nativeTailCallGenerator):
        (JSC::nativeTailCallWithoutSavedTagsGenerator):
        (JSC::nativeConstructGenerator):
        (JSC::internalFunctionCallGenerator):
        (JSC::internalFunctionConstructGenerator):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::clz32ThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::truncThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::imulThunkGenerator):
        (JSC::randomThunkGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * jit/ThunkGenerators.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getExecutableAddress):
        (JSC::LLInt::getCodePtr):
        (JSC::LLInt::getCodeRef):
        (JSC::LLInt::getCodeFunctionPtr):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * llint/LLIntThunks.cpp:
        (JSC::vmEntryToWasm):
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        (JSC::LLInt::moduleProgramEntryThunkGenerator):
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::addOSRExitSite):
        * profiler/ProfilerCompilation.h:
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS const):
        * profiler/ProfilerOSRExitSite.h:
        (JSC::Profiler::OSRExitSite::OSRExitSite):
        (JSC::Profiler::OSRExitSite::codeAddress const):
        (JSC::Profiler::OSRExitSite:: const): Deleted.
        * runtime/ExecutableBase.cpp:
        (JSC::ExecutableBase::clearCode):
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::entrypointFor):
        * runtime/NativeExecutable.cpp:
        (JSC::NativeExecutable::finishCreation):
        * runtime/NativeFunction.h:
        (JSC::TaggedNativeFunction::TaggedNativeFunction):
        (JSC::TaggedNativeFunction::operator NativeFunction):
        * runtime/PtrTag.h:
        (JSC::tagCodePtr):
        (JSC::untagCodePtr):
        (JSC::retagCodePtr):
        (JSC::tagCFunctionPtr):
        (JSC::untagCFunctionPtr):
        (JSC::nextPtrTagID): Deleted.
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setCustomValue):
        (JSC::PutPropertySlot::setCustomAccessor):
        (JSC::PutPropertySlot::customSetter const):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/VM.cpp:
662         (JSC::VM::getHostFunction):
663         (JSC::VM::getCTIInternalFunctionTrampolineFor):
664         * runtime/VM.h:
665         (JSC::VM::getCTIStub):
666         * wasm/WasmB3IRGenerator.cpp:
667         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
668         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
669         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
670         (JSC::Wasm::B3IRGenerator::addCall):
671         (JSC::Wasm::B3IRGenerator::addCallIndirect):
672         * wasm/WasmBBQPlan.cpp:
673         (JSC::Wasm::BBQPlan::prepare):
674         (JSC::Wasm::BBQPlan::complete):
675         * wasm/WasmBBQPlan.h:
676         * wasm/WasmBinding.cpp:
677         (JSC::Wasm::wasmToWasm):
678         * wasm/WasmBinding.h:
679         * wasm/WasmCallee.h:
680         (JSC::Wasm::Callee::entrypoint const):
681         * wasm/WasmCallingConvention.h:
682         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
683         * wasm/WasmCodeBlock.h:
684         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
685         * wasm/WasmFaultSignalHandler.cpp:
686         (JSC::Wasm::trapHandler):
687         * wasm/WasmFormat.h:
688         * wasm/WasmInstance.h:
689         * wasm/WasmOMGPlan.cpp:
690         (JSC::Wasm::OMGPlan::work):
691         * wasm/WasmThunks.cpp:
692         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
693         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
694         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
695         (JSC::Wasm::Thunks::stub):
696         (JSC::Wasm::Thunks::existingStub):
697         * wasm/WasmThunks.h:
698         * wasm/js/JSToWasm.cpp:
699         (JSC::Wasm::createJSToWasmWrapper):
700         * wasm/js/JSWebAssemblyCodeBlock.h:
701         * wasm/js/WasmToJS.cpp:
702         (JSC::Wasm::handleBadI64Use):
703         (JSC::Wasm::wasmToJS):
704         * wasm/js/WasmToJS.h:
705         * wasm/js/WebAssemblyFunction.h:
706         * yarr/YarrJIT.cpp:
707         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
708         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
709         (JSC::Yarr::YarrGenerator::compile):
710         * yarr/YarrJIT.h:
711         (JSC::Yarr::YarrCodeBlock::set8BitCode):
712         (JSC::Yarr::YarrCodeBlock::set16BitCode):
713         (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
714         (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
715         (JSC::Yarr::YarrCodeBlock::execute):
716         (JSC::Yarr::YarrCodeBlock::clear):
717
718 2018-04-17  Commit Queue  <commit-queue@webkit.org>
719
720         Unreviewed, rolling out r230697, r230720, and r230724.
721         https://bugs.webkit.org/show_bug.cgi?id=184717
722
723         These caused multiple failures on the Test262 testers.
724         (Requested by mlewis13 on #webkit).
725
726         Reverted changesets:
727
728         "[WebAssembly][Modules] Prototype wasm import"
729         https://bugs.webkit.org/show_bug.cgi?id=184600
730         https://trac.webkit.org/changeset/230697
731
732         "[WebAssembly][Modules] Implement function import from wasm
733         modules"
734         https://bugs.webkit.org/show_bug.cgi?id=184689
735         https://trac.webkit.org/changeset/230720
736
737         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
738         https://bugs.webkit.org/show_bug.cgi?id=184703
739         https://trac.webkit.org/changeset/230724
740
741 2018-04-17  JF Bastien  <jfbastien@apple.com>
742
743         A put is not an ExistingProperty put when we transition a structure because of an attributes change
744         https://bugs.webkit.org/show_bug.cgi?id=184706
745         <rdar://problem/38871451>
746
747         Reviewed by Saam Barati.
748
749         When putting a property on a structure and the slot is a different
750         type, the slot can't be said to have already been existing.
751
752         * runtime/JSObjectInlines.h:
753         (JSC::JSObject::putDirectInternal):
754
755 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
756
757         JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
758         https://bugs.webkit.org/show_bug.cgi?id=184705
759
760         Reviewed by Michael Saboff.
761         
762         My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
763         while testing an unrelated patch, a concurrent GC thread crashed inside
764         JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
765         because a typed array became wasteful concurrently with the GC. So, visitChildren() read one
766         mode and another vector.
767         
768         The fix is to lock inside visitChildren and anyone who changes those fields.
769         
770         I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
771         this.
772
773         * runtime/JSArrayBufferView.cpp:
774         (JSC::JSArrayBufferView::neuter):
775         * runtime/JSGenericTypedArrayViewInlines.h:
776         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
777         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
778
779 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
780
781         PutStackSinkingPhase should know that KillStack means ConflictingFlush
782         https://bugs.webkit.org/show_bug.cgi?id=184672
783
784         Reviewed by Michael Saboff.
785
786         We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
787         KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
788         archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
789         intentional - I don't know.
790
791         Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
792         doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
793         the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
794         KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
795         that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
796         specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
797         could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
798         KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
799         inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
800         have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
801         values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
802         value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
803
804         This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
805         them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
806         its stack slot for the purpose of clobberize.
807
808         * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
809         * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
810         * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
811         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
812
813 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
814
815         JSWebAssemblyCodeBlock should be in an IsoSubspace
816         https://bugs.webkit.org/show_bug.cgi?id=184704
817
818         Reviewed by Mark Lam.
819         
820         Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
821         CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
822         short-circuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
823         protection.
824
825         * runtime/VM.cpp:
826         (JSC::VM::VM):
827         * runtime/VM.h:
828         * wasm/js/JSWebAssemblyCodeBlock.h:
829
830 2018-04-17  Jer Noble  <jer.noble@apple.com>
831
832         Only enable useSeparatedWXHeap on ARM64.
833         https://bugs.webkit.org/show_bug.cgi?id=184697
834
835         Reviewed by Saam Barati.
836
837         * runtime/Options.cpp:
838         (JSC::recomputeDependentOptions):
839
840 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
841
842         [WebAssembly][Modules] Implement function import from wasm modules
843         https://bugs.webkit.org/show_bug.cgi?id=184689
844
845         Reviewed by JF Bastien.
846
847         This patch implements function import from wasm modules. We move the function importing part
848         from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
849         is because linking these functions requires that all the dependent modules are created.
850         While we want to move all the linking functionality from JSWebAssemblyInstance to
851         WebAssemblyModuleRecord::link, we do not do that in this patch. In this patch, we move only
852         the function importing part because efficient compilation of WebAssembly needs to know
853         the type of WebAssemblyMemory (signaling or bounds checking). This needs to know the imported
854         or attached WebAssembly memory object. So we cannot defer this linking to
855         WebAssemblyModuleRecord::link now.
856
857         The largest difference from JS module linking is that WebAssembly module linking links
858         functions from the module by snapshotting. When you have a cyclic module graph like this,
859
860         -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
861             ^                                                   |
862             +---------------------------------------------------+
863
864         we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
865         is described in [1], and tested in this patch.
866
867         [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
868
869         * JavaScriptCore.xcodeproj/project.pbxproj:
870         * jsc.cpp:
871         (functionDollarAgentStart):
872         (checkException):
873         (runWithOptions):
874         Small fixes for wasm module loading.
875
876         * parser/NodesAnalyzeModule.cpp:
877         (JSC::ImportDeclarationNode::analyzeModule):
878         * runtime/AbstractModuleRecord.cpp:
879         (JSC::AbstractModuleRecord::resolveImport):
880         (JSC::AbstractModuleRecord::link):
881         * runtime/AbstractModuleRecord.h:
882         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
883         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
884         Now, wasm modules can have an import which is named "*". So this function does not work.
885         Since wasm modules never have namespace importing, we check this in JS's module analyzer.
886
887         * runtime/JSModuleEnvironment.cpp:
888         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
889         * runtime/JSModuleRecord.cpp:
890         (JSC::JSModuleRecord::instantiateDeclarations):
891         * wasm/WasmCreationMode.h: Added.
892         * wasm/js/JSWebAssemblyInstance.cpp:
893         (JSC::JSWebAssemblyInstance::finalizeCreation):
894         (JSC::JSWebAssemblyInstance::create):
895         * wasm/js/JSWebAssemblyInstance.h:
896         * wasm/js/WebAssemblyInstanceConstructor.cpp:
897         (JSC::constructJSWebAssemblyInstance):
898         * wasm/js/WebAssemblyModuleRecord.cpp:
899         (JSC::WebAssemblyModuleRecord::link):
900         * wasm/js/WebAssemblyModuleRecord.h:
901         * wasm/js/WebAssemblyPrototype.cpp:
902         (JSC::resolve):
903         (JSC::instantiate):
904         (JSC::compileAndInstantiate):
905         (JSC::WebAssemblyPrototype::instantiate):
906         (JSC::webAssemblyInstantiateFunc):
907
908 2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>
909
910         Implement setupArgumentsImpl for ARM and MIPS
911         https://bugs.webkit.org/show_bug.cgi?id=183786
912
913         Reviewed by Yusuke Suzuki.
914
915         Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling convention. Added
916         numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
917         registers used for 64-bit values on 32-bit architectures. numCrossSources
918         keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
919
920         * assembler/MacroAssemblerARMv7.h:
921         (JSC::MacroAssemblerARMv7::moveDouble):
922         * assembler/MacroAssemblerMIPS.h:
923         (JSC::MacroAssemblerMIPS::moveDouble):
924         * jit/CCallHelpers.h:
925         (JSC::CCallHelpers::setupStubCrossArgs):
926         (JSC::CCallHelpers::ArgCollection::ArgCollection):
927         (JSC::CCallHelpers::ArgCollection::pushRegArg):
928         (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
929         (JSC::CCallHelpers::ArgCollection::addGPRArg):
930         (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
931         (JSC::CCallHelpers::ArgCollection::addStackArg):
932         (JSC::CCallHelpers::ArgCollection::addPoke):
933         (JSC::CCallHelpers::ArgCollection::argCount):
934         (JSC::CCallHelpers::calculatePokeOffset):
935         (JSC::CCallHelpers::pokeForArgument):
936         (JSC::CCallHelpers::stackAligned):
937         (JSC::CCallHelpers::marshallArgumentRegister):
938         (JSC::CCallHelpers::setupArgumentsImpl):
939         (JSC::CCallHelpers::pokeArgumentsAligned):
940         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
941         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
942         (JSC::CCallHelpers::setupArguments):
943         * jit/FPRInfo.h:
944         (JSC::FPRInfo::toArgumentRegister):
945
946 2018-04-17  Saam Barati  <sbarati@apple.com>
947
948         Add system trace points for process launch and for initializeWebProcess
949         https://bugs.webkit.org/show_bug.cgi?id=184669
950
951         Reviewed by Simon Fraser.
952
953         * runtime/VMEntryScope.cpp:
954         (JSC::VMEntryScope::VMEntryScope):
955         (JSC::VMEntryScope::~VMEntryScope):
956
957 2018-04-17  Jer Noble  <jer.noble@apple.com>
958
959         Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
960         https://bugs.webkit.org/show_bug.cgi?id=184602
961
962         Reviewed by Beth Dakin.
963
964         * JavaScriptCore.xcodeproj/project.pbxproj:
965
966 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
967
968         [GLIB] Add API to clear JSCContext uncaught exception
969         https://bugs.webkit.org/show_bug.cgi?id=184685
970
971         Reviewed by Žan Doberšek.
972
973         Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
974
975         * API/glib/JSCContext.cpp:
976         (jsc_context_clear_exception):
977         * API/glib/JSCContext.h:
978         * API/glib/docs/jsc-glib-4.0-sections.txt:
979
980 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
981
982         [GLIB] Add API to query, delete and enumerate properties
983         https://bugs.webkit.org/show_bug.cgi?id=184647
984
985         Reviewed by Michael Catanzaro.
986
987         Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
988
989         * API/glib/JSCValue.cpp:
990         (jsc_value_object_has_property):
991         (jsc_value_object_delete_property):
992         (jsc_value_object_enumerate_properties):
993         * API/glib/JSCValue.h:
994         * API/glib/docs/jsc-glib-4.0-sections.txt:
995
996 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
997
998         [WebAssembly][Modules] Prototype wasm import
999         https://bugs.webkit.org/show_bug.cgi?id=184600
1000
1001         Reviewed by JF Bastien.
1002
1003         This patch is an initial attempt to implement Wasm loading in the module pipeline.
1004         Currently,
1005
1006         1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
1007            in whatwg HTML, we should integrate this into WebCore.
1008
1009         2. We only support exporting values from Wasm. A Wasm module cannot import anything from
1010            other modules now.
1011
1012         When loading a file, the JSC shell checks for the wasm magic. If the wasm magic is found, the JSC shell
1013         loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
1014         module loader pipeline just handles it the same as JS. When parsing a module, we
1015         check the type of JSSourceCode. If the source code is Wasm source code, we create a
1016         WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
1017         AbstractModuleRecord, and the Wasm module is instantiated, linked, and evaluated.
1018
1019         * builtins/ModuleLoaderPrototype.js:
1020         (globalPrivate.newRegistryEntry):
1021         (requestInstantiate):
1022         (link):
1023         * jsc.cpp:
1024         (convertShebangToJSComment):
1025         (fillBufferWithContentsOfFile):
1026         (fetchModuleFromLocalFileSystem):
1027         (GlobalObject::moduleLoaderFetch):
1028         * parser/SourceProvider.h:
1029         (JSC::WebAssemblySourceProvider::create):
1030         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1031         * runtime/AbstractModuleRecord.cpp:
1032         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1033         (JSC::AbstractModuleRecord::link):
1034         (JSC::AbstractModuleRecord::evaluate):
1035         (JSC::identifierToJSValue): Deleted.
1036         * runtime/AbstractModuleRecord.h:
1037         * runtime/JSModuleLoader.cpp:
1038         (JSC::JSModuleLoader::evaluate):
1039         * runtime/JSModuleRecord.cpp:
1040         (JSC::JSModuleRecord::link):
1041         (JSC::JSModuleRecord::instantiateDeclarations):
1042         * runtime/JSModuleRecord.h:
1043         * runtime/ModuleLoaderPrototype.cpp:
1044         (JSC::moduleLoaderPrototypeParseModule):
1045         (JSC::moduleLoaderPrototypeRequestedModules):
1046         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1047         * wasm/js/JSWebAssemblyHelpers.h:
1048         (JSC::getWasmBufferFromValue):
1049         (JSC::createSourceBufferFromValue):
1050         * wasm/js/JSWebAssemblyInstance.cpp:
1051         (JSC::JSWebAssemblyInstance::finalizeCreation):
1052         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
1053         (JSC::JSWebAssemblyInstance::create):
1054         * wasm/js/JSWebAssemblyInstance.h:
1055         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1056         (JSC::constructJSWebAssemblyInstance):
1057         * wasm/js/WebAssemblyModuleRecord.cpp:
1058         (JSC::WebAssemblyModuleRecord::prepareLink):
1059         (JSC::WebAssemblyModuleRecord::link):
1060         * wasm/js/WebAssemblyModuleRecord.h:
1061         * wasm/js/WebAssemblyPrototype.cpp:
1062         (JSC::resolve):
1063         (JSC::instantiate):
1064         (JSC::compileAndInstantiate):
1065         (JSC::WebAssemblyPrototype::instantiate):
1066         (JSC::webAssemblyInstantiateFunc):
1067         (JSC::webAssemblyValidateFunc):
1068         * wasm/js/WebAssemblyPrototype.h:
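
        The sniffing step the entry above describes, as an added example that is not JavaScriptCore's own code: the loader inspects the leading bytes and picks a WebAssembly source kind only for a complete wasm header (magic plus version), otherwise it treats the bytes as JavaScript. The names isWasmBinary, classifySource, SourceKind and bytesOf are hypothetical, and the in-place "#!" to "//" rewrite attributed to convertShebangToJSComment is an assumption about that function, which the entry only lists by name.

```cpp
// Added example (not JavaScriptCore's own code): decide which source provider
// a module loader should wrap a file in, following the dispatch described in
// the ChangeLog entry: wasm binaries get a WebAssembly source, everything else
// is handled as JavaScript.
#include <array>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

enum class SourceKind { JavaScript, WebAssembly };

// A WebAssembly binary starts with the 4-byte magic "\0asm" followed by a
// 4-byte little-endian version field (version 1 for the MVP binary format).
static const std::array<uint8_t, 4> kWasmMagic = { 0x00, 0x61, 0x73, 0x6d };
static const std::array<uint8_t, 4> kWasmVersion1 = { 0x01, 0x00, 0x00, 0x00 };

// Returns true only when the buffer carries the full 8-byte wasm header.
// Checking the magic alone would route a truncated or unknown-version file to
// the wasm provider, which then has to reject it anyway; checking the whole
// header keeps the classification decision and the parser's expectations in
// agreement.
bool isWasmBinary(const std::vector<uint8_t>& buffer)
{
    if (buffer.size() < kWasmMagic.size() + kWasmVersion1.size())
        return false;
    for (size_t i = 0; i < kWasmMagic.size(); ++i) {
        if (buffer[i] != kWasmMagic[i])
            return false;
    }
    for (size_t i = 0; i < kWasmVersion1.size(); ++i) {
        if (buffer[kWasmMagic.size() + i] != kWasmVersion1[i])
            return false;
    }
    return true;
}

// Assumption (hypothetical mirror of the function the entry lists): a leading
// "#!" line in a JS file is turned into a "//" comment in place, so byte
// offsets and line numbers in the source are preserved.
void convertShebangToJSComment(std::vector<uint8_t>& buffer)
{
    if (buffer.size() >= 2 && buffer[0] == '#' && buffer[1] == '!')
        buffer[0] = buffer[1] = '/';
}

// Hypothetical dispatch: wasm header present -> WebAssembly source, otherwise
// JavaScript source (with the shebang rewrite applied).
SourceKind classifySource(std::vector<uint8_t>& buffer)
{
    if (isWasmBinary(buffer))
        return SourceKind::WebAssembly;
    convertShebangToJSComment(buffer);
    return SourceKind::JavaScript;
}

// Helper for building constructed sample inputs from a string.
std::vector<uint8_t> bytesOf(const std::string& s)
{
    return std::vector<uint8_t>(s.begin(), s.end());
}
```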
1069
1070 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
1071
1072         Function.prototype.caller shouldn't return generator bodies
1073         https://bugs.webkit.org/show_bug.cgi?id=184630
1074
1075         Reviewed by Yusuke Suzuki.
1076         
1077         Function.prototype.caller no longer returns generator bodies. Those are meant to be
1078         private.
1079         
1080         Also added some builtin debugging tools so that it's easier to do the investigation that I
1081         did.
1082
1083         * builtins/BuiltinNames.h:
1084         * runtime/JSFunction.cpp:
1085         (JSC::JSFunction::callerGetter):
1086         * runtime/JSGlobalObject.cpp:
1087         (JSC::JSGlobalObject::init):
1088         * runtime/JSGlobalObjectFunctions.cpp:
1089         (JSC::globalFuncBuiltinDescribe):
1090         * runtime/JSGlobalObjectFunctions.h:
1091
1092 2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1093
1094         [DFG] Remove duplicate 32bit ProfileType implementation
1095         https://bugs.webkit.org/show_bug.cgi?id=184536
1096
1097         Reviewed by Saam Barati.
1098
1099         This patch removes the duplicate 32-bit ProfileType implementation by unifying the 32/64 implementations.
1100
1101         * dfg/DFGSpeculativeJIT.cpp:
1102         (JSC::DFG::SpeculativeJIT::compileProfileType):
1103         * dfg/DFGSpeculativeJIT.h:
1104         * dfg/DFGSpeculativeJIT32_64.cpp:
1105         (JSC::DFG::SpeculativeJIT::compile):
1106         * dfg/DFGSpeculativeJIT64.cpp:
1107         (JSC::DFG::SpeculativeJIT::compile):
1108         * jit/AssemblyHelpers.h:
1109         (JSC::AssemblyHelpers::branchIfUndefined):
1110         (JSC::AssemblyHelpers::branchIfNull):
1111
1112 2018-04-12  Mark Lam  <mark.lam@apple.com>
1113
1114         Consolidate some PtrTags.
1115         https://bugs.webkit.org/show_bug.cgi?id=184552
1116         <rdar://problem/39389404>
1117
1118         Reviewed by Filip Pizlo.
1119
1120         Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
1121         Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
1122
1123         * assembler/AbstractMacroAssembler.h:
1124         (JSC::AbstractMacroAssembler::repatchNearCall):
1125         * assembler/MacroAssemblerARM.h:
1126         (JSC::MacroAssemblerARM::readCallTarget):
1127         * assembler/MacroAssemblerARMv7.h:
1128         (JSC::MacroAssemblerARMv7::readCallTarget):
1129         * assembler/MacroAssemblerMIPS.h:
1130         (JSC::MacroAssemblerMIPS::readCallTarget):
1131         * assembler/MacroAssemblerX86.h:
1132         (JSC::MacroAssemblerX86::readCallTarget):
1133         * assembler/MacroAssemblerX86_64.h:
1134         (JSC::MacroAssemblerX86_64::readCallTarget):
1135         * bytecode/AccessCase.cpp:
1136         (JSC::AccessCase::generateImpl):
1137         * bytecode/InlineAccess.cpp:
1138         (JSC::InlineAccess::rewireStubAsJump):
1139         * bytecode/PolymorphicAccess.cpp:
1140         (JSC::PolymorphicAccess::regenerate):
1141         * dfg/DFGJITCompiler.cpp:
1142         (JSC::DFG::JITCompiler::linkOSRExits):
1143         (JSC::DFG::JITCompiler::link):
1144         (JSC::DFG::JITCompiler::compileFunction):
1145         * dfg/DFGJITFinalizer.cpp:
1146         (JSC::DFG::JITFinalizer::finalize):
1147         (JSC::DFG::JITFinalizer::finalizeFunction):
1148         * dfg/DFGOSREntry.cpp:
1149         (JSC::DFG::prepareOSREntry):
1150         * dfg/DFGOSRExit.cpp:
1151         (JSC::DFG::OSRExit::executeOSRExit):
1152         (JSC::DFG::adjustAndJumpToTarget):
1153         (JSC::DFG::OSRExit::compileOSRExit):
1154         * dfg/DFGOSRExitCompilerCommon.cpp:
1155         (JSC::DFG::adjustAndJumpToTarget):
1156         * dfg/DFGOperations.cpp:
1157         * ftl/FTLJITCode.cpp:
1158         (JSC::FTL::JITCode::executableAddressAtOffset):
1159         * ftl/FTLJITFinalizer.cpp:
1160         (JSC::FTL::JITFinalizer::finalizeCommon):
1161         * ftl/FTLLazySlowPath.cpp:
1162         (JSC::FTL::LazySlowPath::generate):
1163         * ftl/FTLLink.cpp:
1164         (JSC::FTL::link):
1165         * ftl/FTLLowerDFGToB3.cpp:
1166         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1167         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1168         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1169         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1170         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1171         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1172         * ftl/FTLOSRExitCompiler.cpp:
1173         (JSC::FTL::compileFTLOSRExit):
1174         * ftl/FTLOSRExitHandle.cpp:
1175         (JSC::FTL::OSRExitHandle::emitExitThunk):
1176         * jit/AssemblyHelpers.cpp:
1177         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1178         * jit/JIT.cpp:
1179         (JSC::JIT::compileWithoutLinking):
1180         (JSC::JIT::link):
1181         * jit/JITCall.cpp:
1182         (JSC::JIT::compileOpCallSlowCase):
1183         * jit/JITCode.cpp:
1184         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1185         (JSC::NativeJITCode::addressForCall):
1186         * jit/JITInlines.h:
1187         (JSC::JIT::emitNakedCall):
1188         (JSC::JIT::emitNakedTailCall):
1189         * jit/JITMathIC.h:
1190         (JSC::isProfileEmpty):
1191         * jit/JITOpcodes.cpp:
1192         (JSC::JIT::privateCompileHasIndexedProperty):
1193         * jit/JITOperations.cpp:
1194         * jit/JITPropertyAccess.cpp:
1195         (JSC::JIT::stringGetByValStubGenerator):
1196         (JSC::JIT::privateCompileGetByVal):
1197         (JSC::JIT::privateCompileGetByValWithCachedId):
1198         (JSC::JIT::privateCompilePutByVal):
1199         (JSC::JIT::privateCompilePutByValWithCachedId):
1200         * jit/JITThunks.cpp:
1201         (JSC::JITThunks::hostFunctionStub):
1202         * jit/Repatch.cpp:
1203         (JSC::linkSlowFor):
1204         (JSC::linkFor):
1205         (JSC::linkPolymorphicCall):
1206         * jit/SpecializedThunkJIT.h:
1207         (JSC::SpecializedThunkJIT::finalize):
1208         * jit/ThunkGenerators.cpp:
1209         (JSC::virtualThunkFor):
1210         (JSC::nativeForGenerator):
1211         (JSC::boundThisNoArgsFunctionCallGenerator):
1212         * llint/LLIntData.cpp:
1213         (JSC::LLInt::initialize):
1214         * llint/LLIntEntrypoint.cpp:
1215         (JSC::LLInt::setEvalEntrypoint):
1216         (JSC::LLInt::setProgramEntrypoint):
1217         (JSC::LLInt::setModuleProgramEntrypoint):
1218         * llint/LLIntSlowPaths.cpp:
1219         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1220         (JSC::LLInt::setUpCall):
1221         * llint/LLIntThunks.cpp:
1222         (JSC::LLInt::generateThunkWithJumpTo):
1223         (JSC::LLInt::functionForCallEntryThunkGenerator):
1224         (JSC::LLInt::functionForConstructEntryThunkGenerator):
1225         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
1226         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
1227         (JSC::LLInt::evalEntryThunkGenerator):
1228         (JSC::LLInt::programEntryThunkGenerator):
1229         (JSC::LLInt::moduleProgramEntryThunkGenerator):
1230         * llint/LowLevelInterpreter.asm:
1231         * llint/LowLevelInterpreter64.asm:
1232         * runtime/NativeExecutable.cpp:
1233         (JSC::NativeExecutable::finishCreation):
1234         * runtime/NativeFunction.h:
1235         (JSC::TaggedNativeFunction::TaggedNativeFunction):
1236         (JSC::TaggedNativeFunction::operator NativeFunction):
1237         * runtime/PtrTag.h:
1238         * wasm/WasmBBQPlan.cpp:
1239         (JSC::Wasm::BBQPlan::complete):
1240         * wasm/WasmOMGPlan.cpp:
1241         (JSC::Wasm::OMGPlan::work):
1242         * wasm/WasmThunks.cpp:
1243         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1244         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1245         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1246         * wasm/js/WasmToJS.cpp:
1247         (JSC::Wasm::wasmToJS):
1248         * wasm/js/WebAssemblyFunction.h:
1249         * yarr/YarrJIT.cpp:
1250         (JSC::Yarr::YarrGenerator::compile):
1251
1252 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1253
1254         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
1255         https://bugs.webkit.org/show_bug.cgi?id=184379
1256
1257         Reviewed by Žan Doberšek.
1258
1259         Load the module from the new location.
1260
1261         * PlatformWPE.cmake:
1262         * inspector/remote/glib/RemoteInspectorUtils.cpp:
1263         (Inspector::backendCommands):
1264
1265 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1266
1267         [DFG] Remove compileBigIntEquality in DFG 32bit
1268         https://bugs.webkit.org/show_bug.cgi?id=184535
1269
1270         Reviewed by Saam Barati.
1271
1272         We can have the unified implementation for compileBigIntEquality.
1273
1274         * dfg/DFGSpeculativeJIT.cpp:
1275         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
1276         * dfg/DFGSpeculativeJIT32_64.cpp:
1277         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
1278         * dfg/DFGSpeculativeJIT64.cpp:
1279         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
1280
1281 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1282
1283         [WPE] Improve include hierarchy
1284         https://bugs.webkit.org/show_bug.cgi?id=184376
1285
1286         Reviewed by Žan Doberšek.
1287
1288         Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
1289         /usr/include/wpe-0.1/WPE/jsc.
1290
1291         * PlatformWPE.cmake:
1292
1293 2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1294
1295         [GLIB] Handle strings containing null characters
1296         https://bugs.webkit.org/show_bug.cgi?id=184450
1297
1298         Reviewed by Michael Catanzaro.
1299
1300         We should be able to evaluate scripts containing null characters and to handle strings that contain them
1301         too. In JavaScript, strings are not null-terminated; they can contain null characters. This patch adds a length
1302         parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null terminated), and new functions
1303         jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
1304         contain null characters.
1305
1306         * API/OpaqueJSString.cpp:
1307         (OpaqueJSString::create): Add a create constructor that takes the String.
1308         * API/OpaqueJSString.h:
1309         (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
1310         * API/glib/JSCContext.cpp:
1311         (jsc_context_evaluate): Add length parameter.
1312         (jsc_context_evaluate_with_source_uri): Ditto.
1313         * API/glib/JSCContext.h:
1314         * API/glib/JSCValue.cpp:
1315         (jsc_value_new_string_from_bytes):
1316         (jsc_value_to_string):
1317         (jsc_value_to_string_as_bytes):
1318         (jsc_value_object_is_instance_of): Pass length to evaluate.
1319         * API/glib/JSCValue.h:
1320         * API/glib/docs/jsc-glib-4.0-sections.txt:
1321
1322 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1323
1324         [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
1325         https://bugs.webkit.org/show_bug.cgi?id=184500
1326
1327         Reviewed by Mark Lam.
1328
1329         Instead of passing JSValue::JSCellTag to callOperation meta-program to convert
1330         JSCell GPR to EncodedJSValue in 32bit code, we add CCallHelpers::CellValue.
1331         It is a wrapper for GPRReg, like TrustedImmPtr for a pointer value. When poking
1332         CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
1333         poke held GPR. The benefit from this CellValue is that we can use the same code
1334         for 32bit and 64bit. This patch removes several ifdefs.
1335
1336         * bytecode/AccessCase.cpp:
1337         (JSC::AccessCase::generateImpl):
1338         * dfg/DFGSpeculativeJIT.cpp:
1339         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1340         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1341         (JSC::DFG::SpeculativeJIT::cachedPutById):
1342         * dfg/DFGSpeculativeJIT32_64.cpp:
1343         (JSC::DFG::SpeculativeJIT::cachedGetById):
1344         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1345         * jit/CCallHelpers.h:
1346         (JSC::CCallHelpers::CellValue::CellValue):
1347         (JSC::CCallHelpers::CellValue::gpr const):
1348         (JSC::CCallHelpers::setupArgumentsImpl):
1349
1350 2018-04-11  Mark Lam  <mark.lam@apple.com>
1351
1352         [Build fix] Replace CompactJITCodeMap with JITCodeMap.
1353         https://bugs.webkit.org/show_bug.cgi?id=184512
1354         <rdar://problem/35391728>
1355
1356         Not reviewed.
1357
1358         * bytecode/CodeBlock.h:
1359         * jit/JITCodeMap.h:
1360
1361 2018-04-11  Mark Lam  <mark.lam@apple.com>
1362
1363         Replace CompactJITCodeMap with JITCodeMap.
1364         https://bugs.webkit.org/show_bug.cgi?id=184512
1365         <rdar://problem/35391728>
1366
1367         Reviewed by Filip Pizlo.
1368
1369         * CMakeLists.txt:
1370         * JavaScriptCore.xcodeproj/project.pbxproj:
1371         * bytecode/CodeBlock.h:
1372         (JSC::CodeBlock::setJITCodeMap):
1373         (JSC::CodeBlock::jitCodeMap const):
1374         (JSC::CodeBlock::jitCodeMap): Deleted.
1375         * dfg/DFGOSRExit.cpp:
1376         (JSC::DFG::OSRExit::executeOSRExit):
1377         * dfg/DFGOSRExitCompilerCommon.cpp:
1378         (JSC::DFG::adjustAndJumpToTarget):
1379         * jit/AssemblyHelpers.cpp:
1380         (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
1381         * jit/AssemblyHelpers.h:
1382         * jit/CompactJITCodeMap.h: Removed.
1383         * jit/JIT.cpp:
1384         (JSC::JIT::link):
1385         * jit/JITCodeMap.h: Added.
1386         (JSC::JITCodeMap::Entry::Entry):
1387         (JSC::JITCodeMap::Entry::bytecodeIndex const):
1388         (JSC::JITCodeMap::Entry::codeLocation):
1389         (JSC::JITCodeMap::append):
1390         (JSC::JITCodeMap::finish):
1391         (JSC::JITCodeMap::find const):
1392         (JSC::JITCodeMap::operator bool const):
1393         * llint/LLIntSlowPaths.cpp:
1394         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1395
1396 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1397
1398         [DFG] Remove CompareSlowPathGenerator
1399         https://bugs.webkit.org/show_bug.cgi?id=184492
1400
1401         Reviewed by Mark Lam.
1402
1403         Now CompareSlowPathGenerator is just calling a specified function.
1404         This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.
1405
1406         We also remove some unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
1407         introducing a new constructor for GPRTemporary.
1408
1409         * JavaScriptCore.xcodeproj/project.pbxproj:
1410         * dfg/DFGCompareSlowPathGenerator.h: Removed.
1411         * dfg/DFGSpeculativeJIT.cpp:
1412         (JSC::DFG::GPRTemporary::GPRTemporary):
1413         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
1414         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
1415         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
1416         (JSC::DFG::SpeculativeJIT::compileIsObject):
1417         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1418         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1419         * dfg/DFGSpeculativeJIT.h:
1420         (JSC::DFG::GPRTemporary::GPRTemporary):
1421         * dfg/DFGSpeculativeJIT64.cpp:
1422         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1423
1424 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1425
1426         Unreviewed, build fix for 32bit
1427         https://bugs.webkit.org/show_bug.cgi?id=184236
1428
1429         * dfg/DFGSpeculativeJIT.cpp:
1430         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1431
1432 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1433
1434         [DFG] Remove duplicate 32bit code more
1435         https://bugs.webkit.org/show_bug.cgi?id=184236
1436
1437         Reviewed by Mark Lam.
1438
1439         Remove duplicate 32bit code more aggressively part 2.
1440
1441         * JavaScriptCore.xcodeproj/project.pbxproj:
1442         * dfg/DFGCompareSlowPathGenerator.h: Added.
1443         (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
1444         Drop the boxing part. Use unblessedBooleanResult on the DFGSpeculativeJIT side instead.
1445
1446         * dfg/DFGOperations.cpp:
1447         * dfg/DFGOperations.h:
1448         * dfg/DFGSpeculativeJIT.cpp:
1449         (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
1450         (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
1451         (JSC::DFG::SpeculativeJIT::compileIsObject):
1452         (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
1453         (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
1454         (JSC::DFG::SpeculativeJIT::compilePutById):
1455         (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
1456         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
1457         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1458         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
1459         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1460         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1461         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1462         (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
1463         (JSC::DFG::SpeculativeJIT::cachedPutById):
1464         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1465         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1466         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
1467         * dfg/DFGSpeculativeJIT.h:
1468         (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
1469         * dfg/DFGSpeculativeJIT32_64.cpp:
1470         (JSC::DFG::SpeculativeJIT::compile):
1471         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
1472         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
1473         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
1474         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
1475         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
1476         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
1477         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
1478         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
1479         * dfg/DFGSpeculativeJIT64.cpp:
1480         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1481         (JSC::DFG::SpeculativeJIT::compile):
1482         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
1483         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
1484         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
1485         (): Deleted.
1486         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
1487         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
1488         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
1489         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
1490         * ftl/FTLLowerDFGToB3.cpp:
1491         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1492         operationHasIndexedPropertyByInt starts returning an unblessed boolean as a size_t.
1493
1494         * jit/AssemblyHelpers.h:
1495         (JSC::AssemblyHelpers::loadValue):
1496         (JSC::AssemblyHelpers::selectScratchGPR):
1497         (JSC::AssemblyHelpers::constructRegisterSet):
1498         * jit/RegisterSet.h:
1499         (JSC::RegisterSet::setAny):
1500         Clean up selectScratchGPR code to pass JSValueRegs.
1501
1502 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
1503
1504         [ESNext][BigInt] Add support for BigInt in SpeculatedType
1505         https://bugs.webkit.org/show_bug.cgi?id=182470
1506
1507         Reviewed by Saam Barati.
1508
1509         This patch introduces the SpecBigInt type to DFG to enable BigInt
1510         speculation into DFG and FTL.
1511
1512         With SpecBigInt introduction, we can then specialize "===" operations
1513         to BigInts. As we are doing for some cells, we first check if operands
1514         are pointing to the same JSCell, and if it is false, we
1515         fallback to "operationCompareStrictEqCell". The idea in further
1516         patches is to implement BigInt equality check directly in
1517         assembly.
1518
1519         We are also adding support for BigInt constant folding into
1520         TypeOf operation.
1521
1522         * bytecode/SpeculatedType.cpp:
1523         (JSC::dumpSpeculation):
1524         (JSC::speculationFromClassInfo):
1525         (JSC::speculationFromStructure):
1526         (JSC::speculationFromJSType):
1527         (JSC::speculationFromString):
1528         * bytecode/SpeculatedType.h:
1529         (JSC::isBigIntSpeculation):
1530         * dfg/DFGAbstractInterpreterInlines.h:
1531         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1532         * dfg/DFGAbstractValue.cpp:
1533         (JSC::DFG::AbstractValue::set):
1534         * dfg/DFGConstantFoldingPhase.cpp:
1535         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1536         * dfg/DFGFixupPhase.cpp:
1537         (JSC::DFG::FixupPhase::fixupNode):
1538         (JSC::DFG::FixupPhase::fixupToThis):
1539         (JSC::DFG::FixupPhase::observeUseKindOnNode):
1540         * dfg/DFGInferredTypeCheck.cpp:
1541         (JSC::DFG::insertInferredTypeCheck):
1542         * dfg/DFGNode.h:
1543         (JSC::DFG::Node::shouldSpeculateBigInt):
1544         * dfg/DFGPredictionPropagationPhase.cpp:
1545         * dfg/DFGSafeToExecute.h:
1546         (JSC::DFG::SafeToExecuteEdge::operator()):
1547         * dfg/DFGSpeculativeJIT.cpp:
1548         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1549         (JSC::DFG::SpeculativeJIT::speculateBigInt):
1550         (JSC::DFG::SpeculativeJIT::speculate):
1551         * dfg/DFGSpeculativeJIT.h:
1552         * dfg/DFGSpeculativeJIT32_64.cpp:
1553         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
1554         * dfg/DFGSpeculativeJIT64.cpp:
1555         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
1556         * dfg/DFGUseKind.cpp:
1557         (WTF::printInternal):
1558         * dfg/DFGUseKind.h:
1559         (JSC::DFG::typeFilterFor):
1560         (JSC::DFG::isCell):
1561         * ftl/FTLCapabilities.cpp:
1562         (JSC::FTL::canCompile):
1563         * ftl/FTLLowerDFGToB3.cpp:
1564         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
1565         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
1566         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1567         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
1568         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
1569         * jit/AssemblyHelpers.cpp:
1570         (JSC::AssemblyHelpers::branchIfNotType):
1571         * jit/AssemblyHelpers.h:
1572         (JSC::AssemblyHelpers::branchIfBigInt):
1573         (JSC::AssemblyHelpers::branchIfNotBigInt):
1574         * runtime/InferredType.cpp:
1575         (JSC::InferredType::Descriptor::forValue):
1576         (JSC::InferredType::Descriptor::putByIdFlags const):
1577         (JSC::InferredType::Descriptor::merge):
1578         (WTF::printInternal):
1579         * runtime/InferredType.h:
1580         * runtime/JSBigInt.h:
1581
1582 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
1583
1584         Unreviewed, fix cloop build.
1585
1586         * dfg/DFGAbstractInterpreterClobberState.cpp:
1587
1588 2018-04-10  Mark Lam  <mark.lam@apple.com>
1589
1590         Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
1591         https://bugs.webkit.org/show_bug.cgi?id=184464
1592         <rdar://problem/39323947>
1593
1594         Reviewed by Saam Barati.
1595
1596         * heap/MarkedSpace.h:
1597         (JSC::MarkedSpace::sizeClassToIndex):
1598
1599 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
1600
1601         DFG AI and clobberize should agree with each other
1602         https://bugs.webkit.org/show_bug.cgi?id=184440
1603
1604         Reviewed by Saam Barati.
1605         
1606         One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
1607         agree with each other. That's what this patch does: it adds an assertion that AI's structure
1608         state tracking must be equivalent to JSCell_structureID being clobbered.
1609         
1610         One subtlety is that AI sometimes folds away structure clobbering using information that
1611         clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
1612         ObservedTransitions).
1613         
1614         This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
1615         clobberize missing a write(Heap).
1616         
1617         This also makes some cases more precise in order to appease the assertion. Making things more
1618         precise might make things faster, but I didn't measure it because that wasn't the goal.
1619
1620         * JavaScriptCore.xcodeproj/project.pbxproj:
1621         * Sources.txt:
1622         * dfg/DFGAbstractInterpreter.h:
1623         * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
1624         (WTF::printInternal):
1625         * dfg/DFGAbstractInterpreterClobberState.h: Added.
1626         (JSC::DFG::mergeClobberStates):
1627         * dfg/DFGAbstractInterpreterInlines.h:
1628         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
1629         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1630         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
1631         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
1632         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
1633         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
1634         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
1635         (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
1636         * dfg/DFGAtTailAbstractState.h:
1637         (JSC::DFG::AtTailAbstractState::setClobberState):
1638         (JSC::DFG::AtTailAbstractState::mergeClobberState):
1639         (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
1640         * dfg/DFGCFAPhase.cpp:
1641         (JSC::DFG::CFAPhase::performBlockCFA):
1642         * dfg/DFGClobberSet.cpp:
1643         (JSC::DFG::writeSet):
1644         * dfg/DFGClobberSet.h:
1645         * dfg/DFGClobberize.h:
1646         (JSC::DFG::clobberize):
1647         * dfg/DFGConstantFoldingPhase.cpp:
1648         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1649         * dfg/DFGInPlaceAbstractState.h:
1650         (JSC::DFG::InPlaceAbstractState::clobberState const):
1651         (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
1652         (JSC::DFG::InPlaceAbstractState::didClobber const):
1653         (JSC::DFG::InPlaceAbstractState::setClobberState):
1654         (JSC::DFG::InPlaceAbstractState::mergeClobberState):
1655         (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
1656
1657 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
1658
1659         ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
1660         https://bugs.webkit.org/show_bug.cgi?id=184460
1661         <rdar://problem/37610966>
1662
1663         Reviewed by Mark Lam.
1664
1665         * bytecode/ExecutableToCodeBlockEdge.cpp:
1666         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1667
1668 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
1669
1670         REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
1671         https://bugs.webkit.org/show_bug.cgi?id=184455
1672
1673         Reviewed by Michael Saboff.
1674         
1675         LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
1676         says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
1677         (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
1678         the thing being hoisted does have effects, then we get a crash.
1679         
1680         In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
1681         CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
1682         would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
1683         effectful.
1684         
1685         Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
1686         clobberize to also think that CompareEq(Untyped:, _) is effectful.
1687         
1688         This fixes the whole situation by teaching both clobberize and AI that the only effectful form
1689         of CompareEq is CompareEq(Untyped:, Untyped:).
1690
1691         * dfg/DFGAbstractInterpreterInlines.h:
1692         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1693         * dfg/DFGClobberize.h:
1694         (JSC::DFG::clobberize):
1695
1696 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
1697
1698         Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
1699         https://bugs.webkit.org/show_bug.cgi?id=184372
1700
1701         Reviewed by Saam Barati.
1702         
1703         We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
1704         have already proved, using techniques that are more precise than AI, that the edge has type
1705         Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
1706         because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
1707         other than a check - so we think we can call those just because we should have already
1708         bailed. It's better to think of them as the result of folding a check. Therefore, we should
1709         only do it if there had been a check to begin with.
1710
1711         * dfg/DFGSpeculativeJIT64.cpp:
1712         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1713         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1714         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1715         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1716         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1717         * ftl/FTLLowerDFGToB3.cpp:
1718         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
1719         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
1720         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
1721         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
1722         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
1723         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1724         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
1725         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
1726
1727 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1728
1729         [JSC] Introduce @putByIdDirectPrivate
1730         https://bugs.webkit.org/show_bug.cgi?id=184400
1731
1732         Reviewed by Saam Barati.
1733
1734         This patch adds @putByIdDirectPrivate() to use it for builtin JS.
1735         @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
1736         for accessing ECMAScript internal fields.
1737
1738         This change removes an accidental [[Put]] operation on an object whose [[Prototype]]
1739         has internal fields (not direct properties). By using @getByIdDirectPrivate() and
1740         @putByIdDirectPrivate(), we strictly preserve the semantics of ECMAScript internal
1741         fields: accessing the internal fields does not traverse prototype chains.
1742
1743         * builtins/ArrayIteratorPrototype.js:
1744         (globalPrivate.arrayIteratorValueNext):
1745         (globalPrivate.arrayIteratorKeyNext):
1746         (globalPrivate.arrayIteratorKeyValueNext):
1747         * builtins/ArrayPrototype.js:
1748         (globalPrivate.createArrayIterator):
1749         * builtins/AsyncFromSyncIteratorPrototype.js:
1750         (globalPrivate.AsyncFromSyncIteratorConstructor):
1751         * builtins/AsyncFunctionPrototype.js:
1752         (globalPrivate.asyncFunctionResume):
1753         * builtins/AsyncGeneratorPrototype.js:
1754         (globalPrivate.asyncGeneratorQueueEnqueue):
1755         (globalPrivate.asyncGeneratorQueueDequeue):
1756         (asyncGeneratorYieldAwaited):
1757         (globalPrivate.asyncGeneratorYield):
1758         (globalPrivate.doAsyncGeneratorBodyCall):
1759         (globalPrivate.asyncGeneratorResumeNext):
1760         * builtins/GeneratorPrototype.js:
1761         (globalPrivate.generatorResume):
1762         * builtins/MapIteratorPrototype.js:
1763         (globalPrivate.mapIteratorNext):
1764         * builtins/MapPrototype.js:
1765         (globalPrivate.createMapIterator):
1766         * builtins/ModuleLoaderPrototype.js:
1767         (forceFulfillPromise):
1768         * builtins/PromiseOperations.js:
1769         (globalPrivate.newHandledRejectedPromise):
1770         (globalPrivate.rejectPromise):
1771         (globalPrivate.fulfillPromise):
1772         (globalPrivate.initializePromise):
1773         * builtins/PromisePrototype.js:
1774         (then):
1775         * builtins/SetIteratorPrototype.js:
1776         (globalPrivate.setIteratorNext):
1777         * builtins/SetPrototype.js:
1778         (globalPrivate.createSetIterator):
1779         * builtins/StringIteratorPrototype.js:
1780         (next):
1781         * bytecode/BytecodeIntrinsicRegistry.h:
1782         * bytecompiler/NodesCodegen.cpp:
1783         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
1784         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1785
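        Added example (not code from WebKit or from the entries in this log): the contrast that the
        @putByIdDirectPrivate entry above and the op_get_by_id_direct entry further down both describe,
        between [[Get]]/[[Set]] access that walks the prototype chain and own-property
        ([[GetOwnProperty]]/[[DefineOwnProperty]]) access, written in plain JavaScript. A regular Symbol
        stands in for a JSC private symbol, and kState, Iter, getViaGet, putViaPut, getDirect, putDirect
        and spoofDemo are illustrative names, not JSC APIs. It shows why builtins must not use ordinary
        get/put for internal fields: a script that plants an accessor under the field's key on
        Object.prototype can both spoof a field the object never had and intercept a write to it.

```javascript
// Added example, not WebKit/JSC code. A plain Symbol stands in for a JSC private
// symbol; every name below is illustrative.
const kState = Symbol("internalState");

class Iter {
  constructor(items) {
    // The "internal field" lives as an own (non-enumerable) property of the instance.
    Object.defineProperty(this, kState, {
      value: { items, index: 0 }, writable: true, configurable: true,
    });
  }
}

// [[Get]] / [[Set]] style access: both walk the prototype chain.
function getViaGet(obj) { return obj[kState]; }
function putViaPut(obj, v) { obj[kState] = v; }

// [[GetOwnProperty]] / [[DefineOwnProperty]] style access: own property only.
function getDirect(obj) {
  const d = Object.getOwnPropertyDescriptor(obj, kState);
  return d ? d.value : undefined;
}
function putDirect(obj, v) {
  Object.defineProperty(obj, kState, { value: v, writable: true, configurable: true });
}

// Simulates a script that has obtained the field's key and plants an accessor on
// Object.prototype, hoping a builtin will trust an object that was never constructed.
function spoofDemo() {
  const real = new Iter([1, 2]);
  const fakeState = { items: ["injected"], index: 0 };
  let leaked; // captures whatever the inherited setter receives
  Object.defineProperty(Object.prototype, kState, {
    get() { return fakeState; },
    set(v) { leaked = v; },
    configurable: true,
  });
  try {
    const victim = {}; // no own internal field
    const results = {
      getSpoofed: getViaGet(victim) === fakeState,     // true: prototype getter answers
      getDirectSafe: getDirect(victim) === undefined,  // true: no own property, so nothing
      realDirectOk: getDirect(real).items.length === 2, // true: real instance still works
    };

    const secret = { items: ["secret"], index: 0 };
    const target = {};
    putViaPut(target, secret);
    results.putLeaked = leaked === secret;                                   // true: setter ran
    results.putNotOwn = !Object.prototype.hasOwnProperty.call(target, kState); // true: nothing stored

    leaked = undefined;
    const target2 = {};
    putDirect(target2, secret);
    results.putDirectOwn = getDirect(target2) === secret && leaked === undefined; // true
    return results;
  } finally {
    delete Object.prototype[kState]; // undo the pollution
  }
}
```

        spoofDemo() returns six flags that are all true: the [[Get]]/[[Set]] paths are fooled by the
        prototype accessor, while the own-property paths see only what the object itself carries, which
        is the behaviour @getByIdDirectPrivate/@putByIdDirectPrivate give the builtins.
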
1786 2018-04-09  Mark Lam  <mark.lam@apple.com>
1787
1788         Decorate method table entries to support pointer profiling.
1789         https://bugs.webkit.org/show_bug.cgi?id=184430
1790         <rdar://problem/39296190>
1791
1792         Reviewed by Saam Barati.
1793
1794         * runtime/ClassInfo.h:
1795
1796 2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>
1797
1798         [WPE] Don't install JSC C API headers
1799         https://bugs.webkit.org/show_bug.cgi?id=184375
1800
1801         Reviewed by Žan Doberšek.
1802
1803         None of the functions declared in these headers are exported in WPE. Use the new jsc API
1804         instead.
1805
1806         * PlatformWPE.cmake:
1807
1808 2018-04-08  Mark Lam  <mark.lam@apple.com>
1809
1810         Add pointer profiling to the FTL and supporting code.
1811         https://bugs.webkit.org/show_bug.cgi?id=184395
1812         <rdar://problem/39264019>
1813
1814         Reviewed by Michael Saboff and Filip Pizlo.
1815
1816         * assembler/CodeLocation.h:
1817         (JSC::CodeLocationLabel::retagged):
1818         (JSC::CodeLocationJump::retagged):
1819         * assembler/LinkBuffer.h:
1820         (JSC::LinkBuffer::locationOf):
1821         * dfg/DFGJITCompiler.cpp:
1822         (JSC::DFG::JITCompiler::linkOSRExits):
1823         (JSC::DFG::JITCompiler::link):
1824         * ftl/FTLCompile.cpp:
1825         (JSC::FTL::compile):
1826         * ftl/FTLExceptionTarget.cpp:
1827         (JSC::FTL::ExceptionTarget::label):
1828         (JSC::FTL::ExceptionTarget::jumps):
1829         * ftl/FTLExceptionTarget.h:
1830         * ftl/FTLJITCode.cpp:
1831         (JSC::FTL::JITCode::executableAddressAtOffset):
1832         * ftl/FTLLazySlowPath.cpp:
1833         (JSC::FTL::LazySlowPath::~LazySlowPath):
1834         (JSC::FTL::LazySlowPath::initialize):
1835         (JSC::FTL::LazySlowPath::generate):
1836         (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
1837         * ftl/FTLLazySlowPath.h:
1838         * ftl/FTLLink.cpp:
1839         (JSC::FTL::link):
1840         * ftl/FTLLowerDFGToB3.cpp:
1841         (JSC::FTL::DFG::LowerDFGToB3::lower):
1842         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1843         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1844         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1845         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1846         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1847         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1848         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1849         * ftl/FTLOSRExitCompiler.cpp:
1850         (JSC::FTL::compileStub):
1851         (JSC::FTL::compileFTLOSRExit):
1852         * ftl/FTLOSRExitHandle.cpp:
1853         (JSC::FTL::OSRExitHandle::emitExitThunk):
1854         * ftl/FTLOperations.cpp:
1855         (JSC::FTL::compileFTLLazySlowPath):
1856         * ftl/FTLOutput.h:
1857         (JSC::FTL::Output::callWithoutSideEffects):
1858         (JSC::FTL::Output::operation):
1859         * ftl/FTLPatchpointExceptionHandle.cpp:
1860         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
1861         * ftl/FTLSlowPathCall.cpp:
1862         (JSC::FTL::SlowPathCallContext::makeCall):
1863         * ftl/FTLSlowPathCallKey.h:
1864         (JSC::FTL::SlowPathCallKey::withCallTarget):
1865         (JSC::FTL::SlowPathCallKey::callPtrTag const):
1866         * ftl/FTLThunks.cpp:
1867         (JSC::FTL::genericGenerationThunkGenerator):
1868         (JSC::FTL::osrExitGenerationThunkGenerator):
1869         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1870         (JSC::FTL::slowPathCallThunkGenerator):
1871         * jit/JITMathIC.h:
1872         (JSC::isProfileEmpty):
1873         * jit/Repatch.cpp:
1874         (JSC::readPutICCallTarget):
1875         (JSC::ftlThunkAwareRepatchCall):
1876         (JSC::tryCacheGetByID):
1877         (JSC::repatchGetByID):
1878         (JSC::tryCachePutByID):
1879         (JSC::repatchPutByID):
1880         (JSC::repatchIn):
1881         (JSC::resetGetByID):
1882         (JSC::resetPutByID):
1883         (JSC::readCallTarget): Deleted.
1884         * jit/Repatch.h:
1885         * runtime/PtrTag.h:
1886
1887 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1888
1889         Unreviewed, attempt to fix Windows build
1890         https://bugs.webkit.org/show_bug.cgi?id=183508
1891
1892         * jit/JIT.h:
1893
1894 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1895
1896         Unreviewed, build fix for Windows by suppressing padding warning for JIT
1897         https://bugs.webkit.org/show_bug.cgi?id=183508
1898
1899         * jit/JIT.h:
1900
1901 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1902
1903         Use alignas instead of compiler-specific attributes
1904         https://bugs.webkit.org/show_bug.cgi?id=183508
1905
1906         Reviewed by Mark Lam.
1907
1908         Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
1909
1910         * heap/RegisterState.h:
1911         * jit/JIT.h:
1912         (JSC::JIT::compile): Deleted.
1913         (JSC::JIT::compileGetByVal): Deleted.
1914         (JSC::JIT::compileGetByValWithCachedId): Deleted.
1915         (JSC::JIT::compilePutByVal): Deleted.
1916         (JSC::JIT::compileDirectPutByVal): Deleted.
1917         (JSC::JIT::compilePutByValWithCachedId): Deleted.
1918         (JSC::JIT::compileHasIndexedProperty): Deleted.
1919         (JSC::JIT::appendCall): Deleted.
1920         (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
1921         (JSC::JIT::exceptionCheck): Deleted.
1922         (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
1923         (JSC::JIT::emitInt32Load): Deleted.
1924         (JSC::JIT::emitInt32GetByVal): Deleted.
1925         (JSC::JIT::emitInt32PutByVal): Deleted.
1926         (JSC::JIT::emitDoublePutByVal): Deleted.
1927         (JSC::JIT::emitContiguousPutByVal): Deleted.
1928         (JSC::JIT::emitStoreCell): Deleted.
1929         (JSC::JIT::getSlowCase): Deleted.
1930         (JSC::JIT::linkSlowCase): Deleted.
1931         (JSC::JIT::linkDummySlowCase): Deleted.
1932         (JSC::JIT::linkAllSlowCases): Deleted.
1933         (JSC::JIT::callOperation): Deleted.
1934         (JSC::JIT::callOperationWithProfile): Deleted.
1935         (JSC::JIT::callOperationWithResult): Deleted.
1936         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
1937         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
1938         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
1939         (JSC::JIT::sampleCodeBlock): Deleted.
1940         (JSC::JIT::canBeOptimized): Deleted.
1941         (JSC::JIT::canBeOptimizedOrInlined): Deleted.
1942         (JSC::JIT::shouldEmitProfiling): Deleted.
1943         * runtime/VM.h:
1944
1945 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1946
1947         Unreviewed, follow-up patch for DFG 32bit
1948         https://bugs.webkit.org/show_bug.cgi?id=183970
1949
1950         * dfg/DFGSpeculativeJIT32_64.cpp:
1951         (JSC::DFG::SpeculativeJIT::cachedGetById):
1952
1953 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1954
1955         [JSC] Fix incorrect assertion for VM's regexp buffer lock
1956         https://bugs.webkit.org/show_bug.cgi?id=184398
1957
1958         Reviewed by Mark Lam.
1959
1960         The isLocked check before taking a lock is incorrect.
1961
1962         * runtime/VM.cpp:
1963         (JSC::VM::acquireRegExpPatternContexBuffer):
1964
1965 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1966
1967         [JSC] Introduce op_get_by_id_direct
1968         https://bugs.webkit.org/show_bug.cgi?id=183970
1969
1970         Reviewed by Filip Pizlo.
1971
1972         This patch introduces the op_get_by_id_direct bytecode. This is very similar to op_get_by_id,
1973         but it just performs the [[GetOwnProperty]] operation instead of [[Get]]. We support this
1974         in all the tiers, so using this opcode does not lead to inefficiency.
1975
1976         The main purpose of op_get_by_id_direct is to use it for private properties. We are using
1977         properties indexed with private symbols to implement ECMAScript internal fields. Before this
1978         patch, we just used get and put operations. However, that is not the correct semantics: accessing
1979         the internal fields should not traverse the prototype chain, as specified in the spec.
1980         We use op_get_by_id_direct to access the properties which are used as internal fields, so that
1981         prototype chains are not traversed.
1982
1983         To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
1984         When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
1985         bytecode `op_get_by_id_direct, object, @name`.
1986
1987         * builtins/ArrayIteratorPrototype.js:
1988         (next):
1989         (globalPrivate.arrayIteratorValueNext):
1990         (globalPrivate.arrayIteratorKeyNext):
1991         (globalPrivate.arrayIteratorKeyValueNext):
1992         * builtins/AsyncFromSyncIteratorPrototype.js:
1993         * builtins/AsyncFunctionPrototype.js:
1994         (globalPrivate.asyncFunctionResume):
1995         * builtins/AsyncGeneratorPrototype.js:
1996         (globalPrivate.asyncGeneratorQueueIsEmpty):
1997         (globalPrivate.asyncGeneratorQueueEnqueue):
1998         (globalPrivate.asyncGeneratorQueueDequeue):
1999         (globalPrivate.asyncGeneratorDequeue):
2000         (globalPrivate.isExecutionState):
2001         (globalPrivate.isSuspendYieldState):
2002         (globalPrivate.asyncGeneratorReject):
2003         (globalPrivate.asyncGeneratorResolve):
2004         (globalPrivate.doAsyncGeneratorBodyCall):
2005         (globalPrivate.asyncGeneratorEnqueue):
2006         * builtins/GeneratorPrototype.js:
2007         (globalPrivate.generatorResume):
2008         (next):
2009         (return):
2010         (throw):
2011         * builtins/MapIteratorPrototype.js:
2012         (next):
2013         * builtins/PromiseOperations.js:
2014         (globalPrivate.isPromise):
2015         (globalPrivate.rejectPromise):
2016         (globalPrivate.fulfillPromise):
2017         * builtins/PromisePrototype.js:
2018         (then):
2019         * builtins/SetIteratorPrototype.js:
2020         (next):
2021         * builtins/StringIteratorPrototype.js:
2022         (next):
2023         * builtins/TypedArrayConstructor.js:
2024         (of):
2025         (from):
2026         * bytecode/BytecodeDumper.cpp:
2027         (JSC::BytecodeDumper<Block>::dumpBytecode):
2028         * bytecode/BytecodeIntrinsicRegistry.h:
2029         * bytecode/BytecodeList.json:
2030         * bytecode/BytecodeUseDef.h:
2031         (JSC::computeUsesForBytecodeOffset):
2032         (JSC::computeDefsForBytecodeOffset):
2033         * bytecode/CodeBlock.cpp:
2034         (JSC::CodeBlock::finishCreation):
2035         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2036         * bytecode/GetByIdStatus.cpp:
2037         (JSC::GetByIdStatus::computeFromLLInt):
2038         (JSC::GetByIdStatus::computeFor):
2039         * bytecode/StructureStubInfo.cpp:
2040         (JSC::StructureStubInfo::reset):
2041         * bytecode/StructureStubInfo.h:
2042         (JSC::appropriateOptimizingGetByIdFunction):
2043         (JSC::appropriateGenericGetByIdFunction):
2044         * bytecompiler/BytecodeGenerator.cpp:
2045         (JSC::BytecodeGenerator::emitDirectGetById):
2046         * bytecompiler/BytecodeGenerator.h:
2047         * bytecompiler/NodesCodegen.cpp:
2048         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
2049         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
2050         * dfg/DFGAbstractInterpreterInlines.h:
2051         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2052         * dfg/DFGByteCodeParser.cpp:
2053         (JSC::DFG::ByteCodeParser::handleGetById):
2054         (JSC::DFG::ByteCodeParser::parseBlock):
2055         * dfg/DFGCapabilities.cpp:
2056         (JSC::DFG::capabilityLevel):
2057         * dfg/DFGClobberize.h:
2058         (JSC::DFG::clobberize):
2059         * dfg/DFGConstantFoldingPhase.cpp:
2060         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2061         * dfg/DFGDoesGC.cpp:
2062         (JSC::DFG::doesGC):
2063         * dfg/DFGFixupPhase.cpp:
2064         (JSC::DFG::FixupPhase::fixupNode):
2065         * dfg/DFGNode.h:
2066         (JSC::DFG::Node::convertToGetByOffset):
2067         (JSC::DFG::Node::convertToMultiGetByOffset):
2068         (JSC::DFG::Node::hasIdentifier):
2069         (JSC::DFG::Node::hasHeapPrediction):
2070         * dfg/DFGNodeType.h:
2071         * dfg/DFGOperations.cpp:
2072         * dfg/DFGOperations.h:
2073         * dfg/DFGPredictionPropagationPhase.cpp:
2074         * dfg/DFGSafeToExecute.h:
2075         (JSC::DFG::safeToExecute):
2076         * dfg/DFGSpeculativeJIT.cpp:
2077         (JSC::DFG::SpeculativeJIT::compileGetById):
2078         (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
2079         (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
2080         * dfg/DFGSpeculativeJIT.h:
2081         * dfg/DFGSpeculativeJIT32_64.cpp:
2082         (JSC::DFG::SpeculativeJIT::cachedGetById):
2083         (JSC::DFG::SpeculativeJIT::compile):
2084         * dfg/DFGSpeculativeJIT64.cpp:
2085         (JSC::DFG::SpeculativeJIT::cachedGetById):
2086         (JSC::DFG::SpeculativeJIT::compile):
2087         * ftl/FTLCapabilities.cpp:
2088         (JSC::FTL::canCompile):
2089         * ftl/FTLLowerDFGToB3.cpp:
2090         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2091         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2092         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
2093         (JSC::FTL::DFG::LowerDFGToB3::getById):
2094         * jit/JIT.cpp:
2095         (JSC::JIT::privateCompileMainPass):
2096         (JSC::JIT::privateCompileSlowCases):
2097         * jit/JIT.h:
2098         * jit/JITOperations.cpp:
2099         * jit/JITOperations.h:
2100         * jit/JITPropertyAccess.cpp:
2101         (JSC::JIT::emit_op_get_by_id_direct):
2102         (JSC::JIT::emitSlow_op_get_by_id_direct):
2103         * jit/JITPropertyAccess32_64.cpp:
2104         (JSC::JIT::emit_op_get_by_id_direct):
2105         (JSC::JIT::emitSlow_op_get_by_id_direct):
2106         * jit/Repatch.cpp:
2107         (JSC::appropriateOptimizingGetByIdFunction):
2108         (JSC::appropriateGetByIdFunction):
2109         (JSC::tryCacheGetByID):
2110         (JSC::repatchGetByID):
2111         (JSC::appropriateGenericGetByIdFunction): Deleted.
2112         * jit/Repatch.h:
2113         * llint/LLIntSlowPaths.cpp:
2114         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2115         * llint/LLIntSlowPaths.h:
2116         * llint/LowLevelInterpreter32_64.asm:
2117         * llint/LowLevelInterpreter64.asm:
2118         * runtime/JSCJSValue.h:
2119         * runtime/JSCJSValueInlines.h:
2120         (JSC::JSValue::getOwnPropertySlot const):
2121         * runtime/JSObject.h:
2122         * runtime/JSObjectInlines.h:
2123         (JSC::JSObject::getOwnPropertySlotInline):
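The difference between [[Get]] and [[GetOwnProperty]] that the entry above relies on, as an added plain-JavaScript model (not JSC code and not part of the patch): `ordinaryGet` stands for op_get_by_id, `getByIdDirect` for op_get_by_id_direct, and an ordinary Symbol stands in for a private symbol, since real private symbols are not reachable from script.

```javascript
// Plain-JavaScript model, written for this example, of the two lookup
// semantics the patch distinguishes.  Neither function is JSC code.
//   ordinaryGet   models [[Get]]: walks the prototype chain (op_get_by_id).
//   getByIdDirect models [[GetOwnProperty]]: own properties only
//                 (what op_get_by_id_direct / @getByIdDirectPrivate emits).
function ordinaryGet(object, key) {
  return object[key];
}

function getByIdDirect(object, key) {
  const desc = Object.getOwnPropertyDescriptor(object, key);
  if (desc === undefined)
    return undefined;
  // Data property: its value.  Accessor: call the getter with the receiver.
  if ("value" in desc)
    return desc.value;
  return desc.get === undefined ? undefined : desc.get.call(object);
}

// Stand-in for a private symbol naming an internal field (constructed).  An
// ordinary Symbol is used so the example runs; that is also the only reason a
// same-keyed property can be placed on the prototype below at all.
const iteratedObjectKey = Symbol("@iteratedObject");

const ArrayIteratorPrototype = {};

// A "builtin" that creates an iterator and initialises its internal field.
function makeArrayIterator(array) {
  const iter = Object.create(ArrayIteratorPrototype);
  Object.defineProperty(iter, iteratedObjectKey, { value: array, writable: true });
  return iter;
}

// Builtin-style check: does `candidate` carry an initialised internal field?
// With [[Get]], an object that merely inherits from the prototype passes as
// soon as the prototype carries a same-keyed property; with [[GetOwnProperty]]
// only objects that own the field pass, which is what the spec requires.
function hasIteratedObject(candidate, lookup) {
  return lookup(candidate, iteratedObjectKey) !== undefined;
}

function demo() {
  const array = [1, 2, 3];
  const genuine = makeArrayIterator(array);
  const notAnIterator = Object.create(ArrayIteratorPrototype);

  // The prototype now carries a property under the internal-field key.
  Object.defineProperty(ArrayIteratorPrototype, iteratedObjectKey,
    { value: "inherited", configurable: true });
  const result = {
    genuineGet: ordinaryGet(genuine, iteratedObjectKey) === array,
    genuineDirect: getByIdDirect(genuine, iteratedObjectKey) === array,
    notIteratorGet: hasIteratedObject(notAnIterator, ordinaryGet),      // true: wrong
    notIteratorDirect: hasIteratedObject(notAnIterator, getByIdDirect), // false: correct
  };
  delete ArrayIteratorPrototype[iteratedObjectKey];
  return result;
}
```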
2124
2125 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2126
2127         [JSC] Remove several asXXX functions
2128         https://bugs.webkit.org/show_bug.cgi?id=184355
2129
2130         Reviewed by JF Bastien.
2131
2132         Remove asActivation, asInternalFunction, and asGetterSetter.
2133         Use jsCast<> / jsDynamicCast<> consistently.
2134
2135         * runtime/ArrayConstructor.cpp:
2136         (JSC::constructArrayWithSizeQuirk):
2137         * runtime/AsyncFunctionConstructor.cpp:
2138         (JSC::callAsyncFunctionConstructor):
2139         (JSC::constructAsyncFunctionConstructor):
2140         * runtime/AsyncGeneratorFunctionConstructor.cpp:
2141         (JSC::callAsyncGeneratorFunctionConstructor):
2142         (JSC::constructAsyncGeneratorFunctionConstructor):
2143         * runtime/BooleanConstructor.cpp:
2144         (JSC::constructWithBooleanConstructor):
2145         * runtime/DateConstructor.cpp:
2146         (JSC::constructWithDateConstructor):
2147         * runtime/ErrorConstructor.cpp:
2148         (JSC::Interpreter::constructWithErrorConstructor):
2149         (JSC::Interpreter::callErrorConstructor):
2150         * runtime/FunctionConstructor.cpp:
2151         (JSC::constructWithFunctionConstructor):
2152         (JSC::callFunctionConstructor):
2153         * runtime/FunctionPrototype.cpp:
2154         (JSC::functionProtoFuncToString):
2155         * runtime/GeneratorFunctionConstructor.cpp:
2156         (JSC::callGeneratorFunctionConstructor):
2157         (JSC::constructGeneratorFunctionConstructor):
2158         * runtime/GetterSetter.h:
2159         (JSC::asGetterSetter): Deleted.
2160         * runtime/InternalFunction.h:
2161         (JSC::asInternalFunction): Deleted.
2162         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2163         (JSC::constructGenericTypedArrayView):
2164         * runtime/JSLexicalEnvironment.h:
2165         (JSC::asActivation): Deleted.
2166         * runtime/JSObject.cpp:
2167         (JSC::validateAndApplyPropertyDescriptor):
2168         * runtime/MapConstructor.cpp:
2169         (JSC::constructMap):
2170         * runtime/PropertyDescriptor.cpp:
2171         (JSC::PropertyDescriptor::setDescriptor):
2172         * runtime/RegExpConstructor.cpp:
2173         (JSC::constructWithRegExpConstructor):
2174         (JSC::callRegExpConstructor):
2175         * runtime/SetConstructor.cpp:
2176         (JSC::constructSet):
2177         * runtime/StringConstructor.cpp:
2178         (JSC::constructWithStringConstructor):
2179         * runtime/WeakMapConstructor.cpp:
2180         (JSC::constructWeakMap):
2181         * runtime/WeakSetConstructor.cpp:
2182         (JSC::constructWeakSet):
2183         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2184         (JSC::constructJSWebAssemblyCompileError):
2185         (JSC::callJSWebAssemblyCompileError):
2186         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2187         (JSC::constructJSWebAssemblyLinkError):
2188         (JSC::callJSWebAssemblyLinkError):
2189         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2190         (JSC::constructJSWebAssemblyRuntimeError):
2191         (JSC::callJSWebAssemblyRuntimeError):
2192
2193 2018-04-05  Mark Lam  <mark.lam@apple.com>
2194
2195         MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
2196         https://bugs.webkit.org/show_bug.cgi?id=184347
2197         <rdar://problem/39183165>
2198
2199         Reviewed by Michael Saboff.
2200
2201         * assembler/MacroAssemblerCodeRef.h:
2202         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2203         (JSC::MacroAssemblerCodePtr::retagged const):
2204
2205 2018-04-05  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
2206
2207         [MIPS] Optimize generated JIT code for branches
2208         https://bugs.webkit.org/show_bug.cgi?id=183130
2209
2210         Reviewed by Yusuke Suzuki.
2211
2212         The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
2213         branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
2214         to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
2215         However, this adds a significant overhead for all other types of branches. Since these nops
2216         protect the code that is generated by branchPtrWithPatch, this function seems like a better
2217         place to add them.
2218
2219         * assembler/MIPSAssembler.h:
2220         (JSC::MIPSAssembler::repatchInt32):
2221         (JSC::MIPSAssembler::revertJumpToMove):
2222         * assembler/MacroAssemblerMIPS.h:
2223         (JSC::MacroAssemblerMIPS::branchAdd32):
2224         (JSC::MacroAssemblerMIPS::branchMul32):
2225         (JSC::MacroAssemblerMIPS::branchSub32):
2226         (JSC::MacroAssemblerMIPS::branchNeg32):
2227         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
2228         (JSC::MacroAssemblerMIPS::branchEqual):
2229         (JSC::MacroAssemblerMIPS::branchNotEqual):
2230
2231 2018-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2232
2233         [WTF] Remove StaticLock
2234         https://bugs.webkit.org/show_bug.cgi?id=184332
2235
2236         Reviewed by Mark Lam.
2237
2238         * API/JSValue.mm:
2239         (handerForStructTag):
2240         * API/JSVirtualMachine.mm:
2241         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
2242         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
2243         * API/glib/JSCVirtualMachine.cpp:
2244         (addWrapper):
2245         (removeWrapper):
2246         * assembler/testmasm.cpp:
2247         * b3/air/testair.cpp:
2248         * b3/testb3.cpp:
2249         * bytecode/SuperSampler.cpp:
2250         * dfg/DFGCommon.cpp:
2251         * dfg/DFGCommonData.cpp:
2252         * dynbench.cpp:
2253         * heap/MachineStackMarker.cpp:
2254         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2255         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
2256         (Inspector::RemoteTargetHandleRunSourceGlobal):
2257         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
2258         * interpreter/CLoopStack.cpp:
2259         * parser/SourceProvider.cpp:
2260         * profiler/ProfilerDatabase.cpp:
2261         * profiler/ProfilerUID.cpp:
2262         (JSC::Profiler::UID::create):
2263         * runtime/IntlObject.cpp:
2264         (JSC::numberingSystemsForLocale):
2265         * runtime/JSLock.cpp:
2266         * runtime/JSLock.h:
2267         * runtime/SamplingProfiler.cpp:
2268         (JSC::SamplingProfiler::registerForReportAtExit):
2269         * runtime/VM.cpp:
2270         * wasm/WasmFaultSignalHandler.cpp:
2271
2272 2018-04-04  Mark Lam  <mark.lam@apple.com>
2273
2274         Add pointer profiling support to the DFG and supporting files.
2275         https://bugs.webkit.org/show_bug.cgi?id=184316
2276         <rdar://problem/39188524>
2277
2278         Reviewed by Filip Pizlo.
2279
2280         1. Profile lots of pointers with PtrTags.
2281
2282         2. Remove PtrTag.cpp and make ptrTagName() into an inline function.  It's only
2283            used for debugging anyway, and not normally called in the code.  Making it
2284            an inline function prevents it from taking up code space in builds when not in
2285            use.
2286
2287         3. Change the call to the arityFixupThunk in DFG code to be a near call.
2288            It doesn't need to be a far call.
2289
2290         * CMakeLists.txt:
2291         * JavaScriptCore.xcodeproj/project.pbxproj:
2292         * Sources.txt:
2293         * assembler/testmasm.cpp:
2294         (JSC::testProbeModifiesProgramCounter):
2295         * b3/B3LowerMacros.cpp:
2296         * b3/air/AirCCallSpecial.cpp:
2297         (JSC::B3::Air::CCallSpecial::generate):
2298         * b3/air/AirCCallSpecial.h:
2299         * b3/testb3.cpp:
2300         (JSC::B3::testInterpreter):
2301         * bytecode/AccessCase.cpp:
2302         (JSC::AccessCase::generateImpl):
2303         * bytecode/HandlerInfo.h:
2304         (JSC::HandlerInfo::initialize):
2305         * bytecode/PolymorphicAccess.cpp:
2306         (JSC::PolymorphicAccess::regenerate):
2307         * dfg/DFGJITCompiler.cpp:
2308         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2309         (JSC::DFG::JITCompiler::link):
2310         (JSC::DFG::JITCompiler::compileFunction):
2311         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
2312         * dfg/DFGJITCompiler.h:
2313         (JSC::DFG::JITCompiler::appendCall):
2314         * dfg/DFGOSREntry.cpp:
2315         (JSC::DFG::prepareOSREntry):
2316         * dfg/DFGOSRExit.cpp:
2317         (JSC::DFG::reifyInlinedCallFrames):
2318         (JSC::DFG::adjustAndJumpToTarget):
2319         (JSC::DFG::OSRExit::emitRestoreArguments):
2320         (JSC::DFG::OSRExit::compileOSRExit):
2321         * dfg/DFGOSRExitCompilerCommon.cpp:
2322         (JSC::DFG::handleExitCounts):
2323         (JSC::DFG::reifyInlinedCallFrames):
2324         (JSC::DFG::osrWriteBarrier):
2325         (JSC::DFG::adjustAndJumpToTarget):
2326         * dfg/DFGOperations.cpp:
2327         * dfg/DFGSlowPathGenerator.h:
2328         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
2329         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
2330         (JSC::DFG::slowPathCall):
2331         * dfg/DFGSpeculativeJIT.cpp:
2332         (JSC::DFG::SpeculativeJIT::compileMathIC):
2333         * dfg/DFGSpeculativeJIT.h:
2334         (JSC::DFG::SpeculativeJIT::callOperation):
2335         (JSC::DFG::SpeculativeJIT::appendCall):
2336         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
2337         * dfg/DFGSpeculativeJIT64.cpp:
2338         (JSC::DFG::SpeculativeJIT::cachedGetById):
2339         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2340         (JSC::DFG::SpeculativeJIT::cachedPutById):
2341         (JSC::DFG::SpeculativeJIT::compile):
2342         * dfg/DFGThunks.cpp:
2343         (JSC::DFG::osrExitThunkGenerator):
2344         (JSC::DFG::osrExitGenerationThunkGenerator):
2345         (JSC::DFG::osrEntryThunkGenerator):
2346         * jit/AssemblyHelpers.cpp:
2347         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2348         * jit/JIT.cpp:
2349         (JSC::JIT::emitEnterOptimizationCheck):
2350         (JSC::JIT::compileWithoutLinking):
2351         * jit/JITCall.cpp:
2352         (JSC::JIT::compileOpCallSlowCase):
2353         * jit/JITMathIC.h:
2354         (JSC::isProfileEmpty):
2355         * jit/JITOpcodes.cpp:
2356         (JSC::JIT::emit_op_catch):
2357         (JSC::JIT::emitSlow_op_loop_hint):
2358         * jit/JITOperations.cpp:
2359         * jit/Repatch.cpp:
2360         (JSC::linkSlowFor):
2361         (JSC::linkFor):
2362         (JSC::revertCall):
2363         (JSC::unlinkFor):
2364         (JSC::linkVirtualFor):
2365         (JSC::linkPolymorphicCall):
2366         * jit/ThunkGenerators.cpp:
2367         (JSC::throwExceptionFromCallSlowPathGenerator):
2368         (JSC::linkCallThunkGenerator):
2369         (JSC::linkPolymorphicCallThunkGenerator):
2370         (JSC::virtualThunkFor):
2371         (JSC::arityFixupGenerator):
2372         (JSC::unreachableGenerator):
2373         * runtime/PtrTag.cpp: Removed.
2374         * runtime/PtrTag.h:
2375         (JSC::ptrTagName):
2376         * runtime/VMEntryScope.cpp:
2377         * wasm/js/WasmToJS.cpp:
2378         (JSC::Wasm::wasmToJS):
2379
2380 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
2381
2382         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
2383         https://bugs.webkit.org/show_bug.cgi?id=184319
2384
2385         Reviewed by Saam Barati.
2386
2387         In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
2388         assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
2389         the ArrayPush.
2390
2391         But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
2392         GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
2393         eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
2394         with a GetByVal(SaneChain), then we will hit the assertion.
2395
2396         This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
2397         tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
2398         than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
2399
2400         * dfg/DFGCSEPhase.cpp:
2401         * dfg/DFGClobberize.h:
2402         (JSC::DFG::clobberize):
2403         * dfg/DFGHeapLocation.cpp:
2404         (WTF::printInternal):
2405         * dfg/DFGHeapLocation.h:
2406         * dfg/DFGSpeculativeJIT.cpp:
2407         (JSC::DFG::SpeculativeJIT::compileArrayPush):
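The heap-location bookkeeping the entry above describes, as an added toy model (not the DFG's C++ code): a local CSE pass keyed either on one indexed-property location per array (the old behaviour) or on a per-mode location, with PutByVal defining both mode locations as the patch does. Node shapes and the block contents are constructed for the example.

```javascript
// Toy local CSE, written for this example, modelling the argument in the
// patch description.  The real code lives in DFGClobberize.h / DFGCSEPhase.cpp
// and is C++; only the shape of the reasoning is kept here.
//
// Node shapes (constructed):
//   { id, op: "GetByVal", mode: "InBounds" | "SaneChain", base }
//   { id, op: "PutByVal", base }
// `base` names the array being indexed; the index is left out of the model.

const MODES = ["InBounds", "SaneChain"];

// Heap location a GetByVal reads.  With distinguishModes false the mode is
// ignored, which is the behaviour the patch fixes.  With it true, an InBounds
// read and a SaneChain read of the same array are different locations, since a
// SaneChain read may yield NaN (a hole) where an InBounds read cannot.
function readLocation(node, distinguishModes) {
  const kind = distinguishModes ? node.mode : "IndexedProperty";
  return `${kind}@${node.base}`;
}

// Heap locations a PutByVal defines.  After the fix a store defs both mode
// locations, so a later read in either mode can still be forwarded from it.
function writeLocations(node, distinguishModes) {
  if (!distinguishModes)
    return [`IndexedProperty@${node.base}`];
  return MODES.map(mode => `${mode}@${node.base}`);
}

// Forward pass over one basic block.  Returns a Map from the id of each
// GetByVal that CSE would replace to the id of the node supplying its value.
function runCSE(nodes, distinguishModes) {
  const available = new Map(); // location -> id of the node whose value it holds
  const replaced = new Map();
  for (const node of nodes) {
    if (node.op === "GetByVal") {
      const loc = readLocation(node, distinguishModes);
      if (available.has(loc))
        replaced.set(node.id, available.get(loc));
      else
        available.set(loc, node.id);
    } else if (node.op === "PutByVal") {
      for (const loc of writeLocations(node, distinguishModes))
        available.set(loc, node.id);
    }
  }
  return replaced;
}

// The shape from the bug report: a SaneChain read of array `a` followed by an
// InBounds read whose Check(DoubleRealRep:) AI has already removed.  Matching
// node 2 to node 1 hands the InBounds consumer a value that may be NaN.  After
// the PutByVal (node 3), reads in either mode may legitimately forward from it.
const BLOCK = [
  { id: 1, op: "GetByVal", mode: "SaneChain", base: "a" },
  { id: 2, op: "GetByVal", mode: "InBounds", base: "a" },
  { id: 3, op: "PutByVal", base: "a" },
  { id: 4, op: "GetByVal", mode: "InBounds", base: "a" },
  { id: 5, op: "GetByVal", mode: "SaneChain", base: "a" },
];

function buggyResult() { return runCSE(BLOCK, false); } // replaces 2 -> 1 (wrong)
function fixedResult() { return runCSE(BLOCK, true); }  // leaves node 2 alone
```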
2408
2409 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
2410
2411         Remove poisoning of typed array vector
2412         https://bugs.webkit.org/show_bug.cgi?id=184313
2413
2414         Reviewed by Saam Barati.
2415
2416         * dfg/DFGFixupPhase.cpp:
2417         (JSC::DFG::FixupPhase::checkArray):
2418         * dfg/DFGSpeculativeJIT.cpp:
2419         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
2420         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2421         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2422         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
2423         * ftl/FTLAbstractHeapRepository.h:
2424         * ftl/FTLLowerDFGToB3.cpp:
2425         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2426         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
2427         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2428         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
2429         * jit/IntrinsicEmitter.cpp:
2430         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
2431         * jit/JITPropertyAccess.cpp:
2432         (JSC::JIT::emitIntTypedArrayGetByVal):
2433         (JSC::JIT::emitFloatTypedArrayGetByVal):
2434         (JSC::JIT::emitIntTypedArrayPutByVal):
2435         (JSC::JIT::emitFloatTypedArrayPutByVal):
2436         * llint/LowLevelInterpreter.asm:
2437         * llint/LowLevelInterpreter64.asm:
2438         * offlineasm/arm64.rb:
2439         * offlineasm/x86.rb:
2440         * runtime/CagedBarrierPtr.h:
2441         * runtime/JSArrayBufferView.cpp:
2442         (JSC::JSArrayBufferView::JSArrayBufferView):
2443         (JSC::JSArrayBufferView::finalize):
2444         (JSC::JSArrayBufferView::neuter):
2445         * runtime/JSArrayBufferView.h:
2446         (JSC::JSArrayBufferView::vector const):
2447         (JSC::JSArrayBufferView::offsetOfVector):
2448         (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
2449         (JSC::JSArrayBufferView::poisonFor): Deleted.
2450         (JSC::JSArrayBufferView::Poison::key): Deleted.
2451         * runtime/JSCPoison.cpp:
2452         (JSC::initializePoison):
2453         * runtime/JSCPoison.h:
2454         * runtime/JSGenericTypedArrayViewInlines.h:
2455         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
2456         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2457         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2458         * runtime/JSObject.h:
2459
2460 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
2461
2462         Don't do index masking or poisoning for DirectArguments
2463         https://bugs.webkit.org/show_bug.cgi?id=184280
2464
2465         Reviewed by Saam Barati.
2466
2467         * JavaScriptCore.xcodeproj/project.pbxproj:
2468         * bytecode/AccessCase.cpp:
2469         (JSC::AccessCase::generateWithGuard):
2470         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2471         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
2472         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
2473         * dfg/DFGSpeculativeJIT.cpp:
2474         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2475         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2476         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2477         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
2478         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
2479         * ftl/FTLAbstractHeapRepository.h:
2480         * ftl/FTLLowerDFGToB3.cpp:
2481         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
2482         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2483         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2484         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
2485         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
2486         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2487         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
2488         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
2489         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
2490         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
2491         * heap/SecurityKind.h:
2492         * jit/JITPropertyAccess.cpp:
2493         (JSC::JIT::emit_op_get_from_arguments):
2494         (JSC::JIT::emit_op_put_to_arguments):
2495         (JSC::JIT::emitDirectArgumentsGetByVal):
2496         * jit/JITPropertyAccess32_64.cpp:
2497         (JSC::JIT::emit_op_get_from_arguments):
2498         (JSC::JIT::emit_op_put_to_arguments):
2499         * llint/LowLevelInterpreter.asm:
2500         * llint/LowLevelInterpreter32_64.asm:
2501         * llint/LowLevelInterpreter64.asm:
2502         * runtime/DirectArguments.cpp:
2503         (JSC::DirectArguments::DirectArguments):
2504         (JSC::DirectArguments::createUninitialized):
2505         (JSC::DirectArguments::create):
2506         (JSC::DirectArguments::createByCopying):
2507         (JSC::DirectArguments::estimatedSize):
2508         (JSC::DirectArguments::visitChildren):
2509         (JSC::DirectArguments::overrideThings):
2510         (JSC::DirectArguments::copyToArguments):
2511         (JSC::DirectArguments::mappedArgumentsSize):
2512         * runtime/DirectArguments.h:
2513         * runtime/JSCPoison.h:
2514         * runtime/JSLexicalEnvironment.h:
2515         * runtime/JSSymbolTableObject.h:
2516
2517 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
2518
2519         JSArray::appendMemcpy seems to be missing a barrier
2520         https://bugs.webkit.org/show_bug.cgi?id=184290
2521
2522         Reviewed by Mark Lam.
2523         
2524         If you write to an array that may contain pointers and you didn't just allocate it, then you need to
2525         barrier right after.
2526         
2527         I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
2528         obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
2529
2530         * runtime/JSArray.cpp:
2531         (JSC::JSArray::appendMemcpy):
2532
2533 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
2534
2535         GC shouldn't do object distancing
2536         https://bugs.webkit.org/show_bug.cgi?id=184195
2537
2538         Reviewed by Saam Barati.
2539         
2540         This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
2541         to be a small speed-up.
2542
2543         * CMakeLists.txt:
2544         * JavaScriptCore.xcodeproj/project.pbxproj:
2545         * Sources.txt:
2546         * heap/BlockDirectory.cpp:
2547         (JSC::BlockDirectory::findBlockForAllocation):
2548         (JSC::BlockDirectory::addBlock):
2549         * heap/BlockDirectory.h:
2550         * heap/CellAttributes.cpp:
2551         (JSC::CellAttributes::dump const):
2552         * heap/CellAttributes.h:
2553         (JSC::CellAttributes::CellAttributes):
2554         * heap/LocalAllocator.cpp:
2555         (JSC::LocalAllocator::allocateSlowCase):
2556         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
2557         * heap/MarkedBlock.cpp:
2558         (JSC::MarkedBlock::Handle::didAddToDirectory):
2559         * heap/MarkedBlock.h:
2560         (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
2561         * heap/SecurityKind.cpp: Removed.
2562         * heap/SecurityKind.h: Removed.
2563         * heap/SecurityOriginToken.cpp: Removed.
2564         * heap/SecurityOriginToken.h: Removed.
2565         * heap/ThreadLocalCache.cpp:
2566         (JSC::ThreadLocalCache::create):
2567         (JSC::ThreadLocalCache::ThreadLocalCache):
2568         * heap/ThreadLocalCache.h:
2569         (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
2570         * runtime/JSDestructibleObjectHeapCellType.cpp:
2571         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
2572         * runtime/JSGlobalObject.cpp:
2573         (JSC::JSGlobalObject::JSGlobalObject):
2574         * runtime/JSGlobalObject.h:
2575         (JSC::JSGlobalObject::threadLocalCache const): Deleted.
2576         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
2577         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
2578         * runtime/JSStringHeapCellType.cpp:
2579         (JSC::JSStringHeapCellType::JSStringHeapCellType):
2580         * runtime/VM.cpp:
2581         (JSC::VM::VM):
2582         * runtime/VM.h:
2583         * runtime/VMEntryScope.cpp:
2584         (JSC::VMEntryScope::VMEntryScope):
2585         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
2586         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2587
2588 2018-04-02  Saam Barati  <sbarati@apple.com>
2589
2590         bmalloc should compute its own estimate of its footprint
2591         https://bugs.webkit.org/show_bug.cgi?id=184121
2592
2593         Reviewed by Filip Pizlo.
2594
2595         * heap/IsoAlignedMemoryAllocator.cpp:
2596         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2597         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
2598         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
2599
2600 2018-04-02  Mark Lam  <mark.lam@apple.com>
2601
2602         We should not trash the stack pointer on OSR entry.
2603         https://bugs.webkit.org/show_bug.cgi?id=184243
2604         <rdar://problem/39114319>
2605
2606         Reviewed by Filip Pizlo.
2607
2608         In the DFG OSR entry path, we momentarily overwrite the stack pointer with
2609         returnValueGPR2.  returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
2610         Hence, this assignment is wrong, and it turns out to be unnecessary as well.
2611         The stack pointer does get corrected later in the thunk (generated by
2612         osrEntryThunkGenerator()) that we jump to.  This is why we don't see ill effects
2613         so far.
2614
2615         This bug only poses an issue if interrupts use the user stack for their stack
2616         frame (e.g. Linux), and when we do stack alignment tests during debugging.
2617
2618         The fix is simply to remove the assignment.
2619
2620         * dfg/DFGThunks.cpp:
2621         (JSC::DFG::osrEntryThunkGenerator):
2622         * jit/JIT.cpp:
2623         (JSC::JIT::emitEnterOptimizationCheck):
2624
2625 2018-04-02  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
2626
2627         [MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
2628         https://bugs.webkit.org/show_bug.cgi?id=183740
2629
2630         Reviewed by Yusuke Suzuki.
2631
2632         In many macro assembler methods with a TrustedImm32 operand, a move imm, immTemp (pseudo)instruction is
2633         first generated and a register operand variant of the same method is called to generate the rest
2634         of the code. If the immediate value can fit in 16 bits, we can skip the move instruction and
2635         generate more efficient code using MIPS instructions with an immediate operand.
2636
2637         * assembler/MIPSAssembler.h:
2638         (JSC::MIPSAssembler::slti):
2639         * assembler/MacroAssemblerMIPS.h:
2640         (JSC::MacroAssemblerMIPS::lshift32):
2641         (JSC::MacroAssemblerMIPS::xor32):
2642         (JSC::MacroAssemblerMIPS::branch8):
2643         (JSC::MacroAssemblerMIPS::compare8):
2644         (JSC::MacroAssemblerMIPS::branch32):
2645         (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
2646         (JSC::MacroAssemblerMIPS::branchTest32):
2647         (JSC::MacroAssemblerMIPS::mask8OnTest):
2648         (JSC::MacroAssemblerMIPS::branchTest8):
2649         (JSC::MacroAssemblerMIPS::branchAdd32):
2650         (JSC::MacroAssemblerMIPS::branchNeg32):
2651         (JSC::MacroAssemblerMIPS::compare32):
2652         (JSC::MacroAssemblerMIPS::test8):
2653
2654 2018-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2655
2656         [DFG] More aggressive removal of duplicate 32bit DFG code
2657         https://bugs.webkit.org/show_bug.cgi?id=184089
2658
2659         Reviewed by Saam Barati.
2660
2661         This patch more aggressively removes duplicate 32bit DFG code
2662         by leveraging JSValueRegs and meta-programmed callOperation.
2663
2664         * dfg/DFGSpeculativeJIT.cpp:
2665         (JSC::DFG::SpeculativeJIT::compileGetByValWithThis):
2666         (JSC::DFG::SpeculativeJIT::compileArithMinMax):
2667         (JSC::DFG::SpeculativeJIT::compileNewArray):
2668         (JSC::DFG::SpeculativeJIT::compileCheckCell):
2669         (JSC::DFG::SpeculativeJIT::compileGetGlobalVariable):
2670         (JSC::DFG::SpeculativeJIT::compilePutGlobalVariable):
2671         (JSC::DFG::SpeculativeJIT::compileGetClosureVar):
2672         (JSC::DFG::SpeculativeJIT::compilePutClosureVar):
2673         (JSC::DFG::SpeculativeJIT::compileGetByOffset):
2674         (JSC::DFG::SpeculativeJIT::compilePutByOffset):
2675         (JSC::DFG::SpeculativeJIT::compileGetExecutable):
2676         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
2677         (JSC::DFG::SpeculativeJIT::compileToThis):
2678         (JSC::DFG::SpeculativeJIT::compileIdentity):
2679         * dfg/DFGSpeculativeJIT.h:
2680         * dfg/DFGSpeculativeJIT32_64.cpp:
2681         (JSC::DFG::SpeculativeJIT::compile):
2682         * dfg/DFGSpeculativeJIT64.cpp:
2683         (JSC::DFG::SpeculativeJIT::compile):
2684
2685 2018-04-01  Filip Pizlo  <fpizlo@apple.com>
2686
2687         Raise the for-call inlining threshold to 190 to fix JetStream/richards regression
2688         https://bugs.webkit.org/show_bug.cgi?id=184228
2689
2690         Reviewed by Yusuke Suzuki.
2691
2692         * runtime/Options.h:
2693
2694 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
2695
2696         JSObject shouldn't do index masking
2697         https://bugs.webkit.org/show_bug.cgi?id=184194
2698
2699         Reviewed by Yusuke Suzuki.
2700         
2701         Remove index masking, because it's not the way we'll mitigate Spectre.
2702
2703         * API/tests/JSObjectGetProxyTargetTest.cpp:
2704         (testJSObjectGetProxyTarget):
2705         * b3/B3LowerToAir.cpp:
2706         * b3/B3Validate.cpp:
2707         * b3/B3WasmBoundsCheckValue.cpp:
2708         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
2709         (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
2710         * b3/B3WasmBoundsCheckValue.h:
2711         (JSC::B3::WasmBoundsCheckValue::bounds const):
2712         (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): Deleted.
2713         * b3/testb3.cpp:
2714         (JSC::B3::testWasmBoundsCheck):
2715         (JSC::B3::run):
2716         * dfg/DFGAbstractInterpreterInlines.h:
2717         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2718         * dfg/DFGArgumentsEliminationPhase.cpp:
2719         * dfg/DFGByteCodeParser.cpp:
2720         (JSC::DFG::ByteCodeParser::parseBlock):
2721         * dfg/DFGClobberize.h:
2722         (JSC::DFG::clobberize):
2723         * dfg/DFGDoesGC.cpp:
2724         (JSC::DFG::doesGC):
2725         * dfg/DFGFixupPhase.cpp:
2726         (JSC::DFG::FixupPhase::fixupNode):
2727         * dfg/DFGNodeType.h:
2728         * dfg/DFGPredictionPropagationPhase.cpp:
2729         * dfg/DFGSSALoweringPhase.cpp:
2730         (JSC::DFG::SSALoweringPhase::handleNode):
2731         * dfg/DFGSafeToExecute.h:
2732         (JSC::DFG::safeToExecute):
2733         * dfg/DFGSpeculativeJIT.cpp:
2734         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
2735         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2736         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
2737         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2738         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2739         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2740         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2741         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2742         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2743         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2744         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
2745         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2746         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2747         (JSC::DFG::SpeculativeJIT::compileNewObject):
2748         * dfg/DFGSpeculativeJIT.h:
2749         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2750         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
2751         * dfg/DFGSpeculativeJIT32_64.cpp:
2752         (JSC::DFG::SpeculativeJIT::compile):
2753         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2754         * dfg/DFGSpeculativeJIT64.cpp:
2755         (JSC::DFG::SpeculativeJIT::compile):
2756         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2757         * ftl/FTLAbstractHeapRepository.h:
2758         * ftl/FTLCapabilities.cpp:
2759         (JSC::FTL::canCompile):
2760         * ftl/FTLLowerDFGToB3.cpp:
2761         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2762         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
2763         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2764         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
2765         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2766         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2767         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2768         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2769         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2770         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
2771         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2772         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2773         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2774         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2775         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
2776         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): Deleted.
2777         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): Deleted.
2778         (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask): Deleted.
2779         * jit/AssemblyHelpers.h:
2780         (JSC::AssemblyHelpers::emitAllocateJSObject):
2781         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2782         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
2783         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2784         * jit/JITOpcodes.cpp:
2785         (JSC::JIT::emit_op_new_object):
2786         (JSC::JIT::emit_op_create_this):
2787         * jit/JITOperations.cpp:
2788         * jit/JITPropertyAccess.cpp:
2789         (JSC::JIT::emitDoubleLoad):
2790         (JSC::JIT::emitContiguousLoad):
2791         (JSC::JIT::emitArrayStorageLoad):
2792         * llint/LowLevelInterpreter32_64.asm:
2793         * llint/LowLevelInterpreter64.asm:
2794         * runtime/Butterfly.h:
2795         (JSC::ContiguousData::at const):
2796         (JSC::ContiguousData::at):
2797         (JSC::Butterfly::computeIndexingMask const): Deleted.
2798         * runtime/ButterflyInlines.h:
2799         (JSC::ContiguousData<T>::at const): Deleted.
2800         (JSC::ContiguousData<T>::at): Deleted.
2801         * runtime/ClonedArguments.cpp:
2802         (JSC::ClonedArguments::createEmpty):
2803         * runtime/JSArray.cpp:
2804         (JSC::JSArray::tryCreateUninitializedRestricted):
2805         (JSC::JSArray::appendMemcpy):
2806         (JSC::JSArray::setLength):
2807         (JSC::JSArray::pop):
2808         (JSC::JSArray::shiftCountWithAnyIndexingType):
2809         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2810         (JSC::JSArray::fillArgList):
2811         (JSC::JSArray::copyToArguments):
2812         * runtime/JSArrayBufferView.cpp:
2813         (JSC::JSArrayBufferView::JSArrayBufferView):
2814         * runtime/JSArrayInlines.h:
2815         (JSC::JSArray::pushInline):
2816         * runtime/JSFixedArray.h:
2817         * runtime/JSGenericTypedArrayViewInlines.h:
2818         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2819         * runtime/JSObject.cpp:
2820         (JSC::JSObject::getOwnPropertySlotByIndex):
2821         (JSC::JSObject::putByIndex):
2822         (JSC::JSObject::createInitialUndecided):
2823         (JSC::JSObject::createInitialInt32):
2824         (JSC::JSObject::createInitialDouble):
2825         (JSC::JSObject::createInitialContiguous):
2826         (JSC::JSObject::createArrayStorage):
2827         (JSC::JSObject::convertUndecidedToInt32):
2828         (JSC::JSObject::convertUndecidedToDouble):
2829         (JSC::JSObject::convertUndecidedToContiguous):
2830         (JSC::JSObject::convertUndecidedToArrayStorage):
2831         (JSC::JSObject::convertInt32ToDouble):
2832         (JSC::JSObject::convertInt32ToArrayStorage):
2833         (JSC::JSObject::convertDoubleToContiguous):
2834         (JSC::JSObject::convertDoubleToArrayStorage):
2835         (JSC::JSObject::convertContiguousToArrayStorage):
2836         (JSC::JSObject::createInitialForValueAndSet):
2837         (JSC::JSObject::deletePropertyByIndex):
2838         (JSC::JSObject::getOwnPropertyNames):
2839         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2840         (JSC::JSObject::countElements):
2841         (JSC::JSObject::increaseVectorLength):
2842         (JSC::JSObject::ensureLengthSlow):
2843         (JSC::JSObject::reallocateAndShrinkButterfly):
2844         (JSC::JSObject::getEnumerableLength):
2845         * runtime/JSObject.h:
2846         (JSC::JSObject::canGetIndexQuickly):
2847         (JSC::JSObject::getIndexQuickly):
2848         (JSC::JSObject::tryGetIndexQuickly const):
2849         (JSC::JSObject::setIndexQuickly):
2850         (JSC::JSObject::initializeIndex):
2851         (JSC::JSObject::initializeIndexWithoutBarrier):
2852         (JSC::JSObject::butterflyOffset):
2853         (JSC::JSObject::setButterfly):
2854         (JSC::JSObject::nukeStructureAndSetButterfly):
2855         (JSC::JSObject::JSObject):
2856         (JSC::JSObject::butterflyIndexingMaskOffset): Deleted.
2857         (JSC::JSObject::butterflyIndexingMask const): Deleted.
2858         (JSC::JSObject::setButterflyWithIndexingMask): Deleted.
2859         * runtime/JSObjectInlines.h:
2860         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2861         (JSC::JSObject::putDirectInternal):
2862         * runtime/RegExpMatchesArray.h:
2863         (JSC::tryCreateUninitializedRegExpMatchesArray):
2864         * runtime/Structure.cpp:
2865         (JSC::Structure::flattenDictionaryStructure):
2866         * wasm/WasmB3IRGenerator.cpp:
2867         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2868         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2869         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2870         (JSC::Wasm::B3IRGenerator::load):
2871         (JSC::Wasm::B3IRGenerator::store):
2872         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2873         * wasm/WasmBinding.cpp:
2874         (JSC::Wasm::wasmToWasm):
2875         * wasm/WasmInstance.h:
2876         (JSC::Wasm::Instance::updateCachedMemory):
2877         (JSC::Wasm::Instance::offsetOfCachedMemorySize):
2878         (JSC::Wasm::Instance::offsetOfCachedIndexingMask): Deleted.
2879         * wasm/WasmMemory.cpp:
2880         (JSC::Wasm::Memory::Memory):
2881         (JSC::Wasm::Memory::grow):
2882         * wasm/WasmMemory.h:
2883         (JSC::Wasm::Memory::size const):
2884         (JSC::Wasm::Memory::offsetOfSize):
2885         (JSC::Wasm::Memory::indexingMask): Deleted.
2886         (JSC::Wasm::Memory::offsetOfIndexingMask): Deleted.
2887         * wasm/WasmMemoryInformation.cpp:
2888         (JSC::Wasm::PinnedRegisterInfo::get):
2889         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
2890         * wasm/WasmMemoryInformation.h:
2891         (JSC::Wasm::PinnedRegisterInfo::toSave const):
2892         * wasm/js/JSToWasm.cpp:
2893         (JSC::Wasm::createJSToWasmWrapper):
2894
2895 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
2896
2897         JSC crash in JIT code with for-of loop and Array/Set iterators
2898         https://bugs.webkit.org/show_bug.cgi?id=183174
2899
2900         Reviewed by Saam Barati.
2901
2902         * dfg/DFGSafeToExecute.h:
2903         (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.
2904
2905 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
2906
2907         Strings and Vectors shouldn't do index masking
2908         https://bugs.webkit.org/show_bug.cgi?id=184193
2909
2910         Reviewed by Mark Lam.
2911
2912         * dfg/DFGSpeculativeJIT.cpp:
2913         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
2914         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2915         * ftl/FTLAbstractHeapRepository.h:
2916         * ftl/FTLLowerDFGToB3.cpp:
2917         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2918         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2919         * jit/ThunkGenerators.cpp:
2920         (JSC::stringCharLoad):
2921
2922 2018-03-30  Mark Lam  <mark.lam@apple.com>
2923
2924         Add pointer profiling support in baseline JIT and supporting files.
2925         https://bugs.webkit.org/show_bug.cgi?id=184200
2926         <rdar://problem/39057300>
2927
2928         Reviewed by Filip Pizlo.
2929
2930         1. To simplify pointer profiling support, vmEntryToJavaScript() now always enters
2931            the code via the arity check entry.
2932         2. To accommodate (1), all JITCode must now populate their arity check entry code
2933            pointers as well.  For native code, programs, evals, and modules that don't
2934            do arity check, we set the normal entry as the arity check entry (though with
2935            the CodeEntryWithArityCheckPtrTag profile instead).
2936
2937         * assembler/AbstractMacroAssembler.h:
2938         * assembler/LinkBuffer.h:
2939         (JSC::LinkBuffer::locationOfNearCall):
2940         * assembler/MacroAssemblerARM64.h:
2941         (JSC::MacroAssemblerARM64::readCallTarget):
2942         (JSC::MacroAssemblerARM64::linkCall):
2943         * bytecode/AccessCase.cpp:
2944         (JSC::AccessCase::generateImpl):
2945         * bytecode/AccessCaseSnippetParams.cpp:
2946         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
2947         * bytecode/CodeBlock.cpp:
2948         (JSC::CodeBlock::addJITAddIC):
2949         (JSC::CodeBlock::addJITMulIC):
2950         (JSC::CodeBlock::addJITSubIC):
2951         (JSC::CodeBlock::addJITNegIC):
2952         * bytecode/CodeBlock.h:
2953         (JSC::CodeBlock::addMathIC):
2954         * bytecode/InlineAccess.cpp:
2955         (JSC::InlineAccess::rewireStubAsJump):
2956         * bytecode/LLIntCallLinkInfo.h:
2957         (JSC::LLIntCallLinkInfo::unlink):
2958         (): Deleted.
2959         * bytecode/PolymorphicAccess.cpp:
2960         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2961         (JSC::PolymorphicAccess::regenerate):
2962         * dfg/DFGJITFinalizer.cpp:
2963         (JSC::DFG::JITFinalizer::finalize):
2964         (JSC::DFG::JITFinalizer::finalizeFunction):
2965         * dfg/DFGSpeculativeJIT.cpp:
2966         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2967         (JSC::DFG::SpeculativeJIT::compileArithSub):
2968         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2969         (JSC::DFG::SpeculativeJIT::compileArithMul):
2970         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2971         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2972         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
2973         * disassembler/ARM64Disassembler.cpp:
2974         (JSC::tryToDisassemble):
2975         * ftl/FTLJITFinalizer.cpp:
2976         (JSC::FTL::JITFinalizer::finalizeCommon):
2977         * ftl/FTLLowerDFGToB3.cpp:
2978         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2979         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
2980         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
2981         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2982         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
2983         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2984         * heap/JITStubRoutineSet.h:
2985         (JSC::JITStubRoutineSet::mark):
2986         * jit/AssemblyHelpers.cpp:
2987         (JSC::AssemblyHelpers::callExceptionFuzz):
2988         (JSC::AssemblyHelpers::debugCall):
2989         * jit/AssemblyHelpers.h:
2990         (JSC::AssemblyHelpers::emitFunctionPrologue):
2991         * jit/CCallHelpers.cpp:
2992         (JSC::CCallHelpers::ensureShadowChickenPacket):
2993         * jit/CCallHelpers.h:
2994         (JSC::CCallHelpers::prepareForTailCallSlow):
2995         * jit/CallFrameShuffler.cpp:
2996         (JSC::CallFrameShuffler::prepareForTailCall):
2997         * jit/ExecutableAllocator.cpp:
2998         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2999         * jit/ExecutableAllocator.h:
3000         (JSC::performJITMemcpy):
3001         * jit/JIT.cpp:
3002         (JSC::JIT::compileWithoutLinking):
3003         (JSC::JIT::link):
3004         * jit/JITArithmetic.cpp:
3005         (JSC::JIT::emit_op_negate):
3006         (JSC::JIT::emit_op_add):
3007         (JSC::JIT::emitMathICFast):
3008         (JSC::JIT::emitMathICSlow):
3009         (JSC::JIT::emit_op_mul):
3010         (JSC::JIT::emit_op_sub):
3011         * jit/JITCode.cpp:
3012         (JSC::JITCode::execute):
3013         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
3014         (JSC::DirectJITCode::DirectJITCode):
3015         (JSC::DirectJITCode::initializeCodeRef):
3016         (JSC::NativeJITCode::addressForCall):
3017         * jit/JITExceptions.cpp:
3018         (JSC::genericUnwind):
3019         * jit/JITMathIC.h:
3020         (JSC::isProfileEmpty):
3021         (JSC::JITBinaryMathIC::JITBinaryMathIC):
3022         (JSC::JITUnaryMathIC::JITUnaryMathIC):
3023         * jit/JITOpcodes.cpp:
3024         (JSC::JIT::emit_op_switch_imm):
3025         (JSC::JIT::emit_op_switch_char):
3026         (JSC::JIT::emit_op_switch_string):
3027         (JSC::JIT::privateCompileHasIndexedProperty):
3028         (JSC::JIT::emitSlow_op_has_indexed_property):
3029         * jit/JITOpcodes32_64.cpp:
3030         (JSC::JIT::privateCompileHasIndexedProperty):
3031         * jit/JITOperations.cpp:
3032         (JSC::getByVal):
3033         (JSC::tryGetByValOptimize):
3034         * jit/JITPropertyAccess.cpp:
3035         (JSC::JIT::stringGetByValStubGenerator):
3036         (JSC::JIT::emitGetByValWithCachedId):
3037         (JSC::JIT::emitSlow_op_get_by_val):
3038         (JSC::JIT::emitPutByValWithCachedId):
3039         (JSC::JIT::emitSlow_op_put_by_val):
3040         (JSC::JIT::emitSlow_op_try_get_by_id):
3041         (JSC::JIT::emitSlow_op_get_by_id):
3042         (JSC::JIT::emitSlow_op_get_by_id_with_this):
3043         (JSC::JIT::emitSlow_op_put_by_id):
3044         (JSC::JIT::privateCompileGetByVal):
3045         (JSC::JIT::privateCompileGetByValWithCachedId):
3046         (JSC::JIT::privateCompilePutByVal):
3047         (JSC::JIT::privateCompilePutByValWithCachedId):
3048         * jit/JITThunks.cpp:
3049         (JSC::JITThunks::hostFunctionStub):
3050         * jit/Repatch.cpp:
3051         (JSC::tryCacheGetByID):
3052         (JSC::repatchGetByID):
3053         (JSC::appropriateOptimizingPutByIdFunction):
3054         (JSC::tryCachePutByID):
3055         (JSC::repatchPutByID):
3056         (JSC::linkFor):
3057         (JSC::revertCall):
3058         (JSC::linkPolymorphicCall):
3059         (JSC::resetGetByID):
3060         (JSC::resetPutByID):
3061         * jit/Repatch.h:
3062         * jit/SpecializedThunkJIT.h:
3063         (JSC::SpecializedThunkJIT::finalize):
3064         (JSC::SpecializedThunkJIT::callDoubleToDouble):
3065         * jit/ThunkGenerators.cpp:
3066         (JSC::emitPointerValidation):
3067         (JSC::throwExceptionFromCallSlowPathGenerator):
3068         (JSC::slowPathFor):
3069         (JSC::linkCallThunkGenerator): Deleted.
3070         (JSC::linkPolymorphicCallThunkGenerator): Deleted.
3071         (JSC::virtualThunkFor): Deleted.
3072         (JSC::nativeForGenerator): Deleted.
3073         (JSC::nativeCallGenerator): Deleted.
3074         (JSC::nativeTailCallGenerator): Deleted.
3075         (JSC::nativeTailCallWithoutSavedTagsGenerator): Deleted.
3076         (JSC::nativeConstructGenerator): Deleted.
3077         (JSC::internalFunctionCallGenerator): Deleted.
3078         (JSC::internalFunctionConstructGenerator): Deleted.
3079         (JSC::arityFixupGenerator): Deleted.
3080         (JSC::unreachableGenerator): Deleted.
3081         (JSC::stringCharLoad): Deleted.
3082         (JSC::charToString): Deleted.
3083         (JSC::charCodeAtThunkGenerator): Deleted.
3084         (JSC::charAtThunkGenerator): Deleted.
3085         (JSC::fromCharCodeThunkGenerator): Deleted.
3086         (JSC::clz32ThunkGenerator): Deleted.
3087         (JSC::sqrtThunkGenerator): Deleted.
3088         (JSC::floorThunkGenerator): Deleted.
3089         (JSC::ceilThunkGenerator): Deleted.
3090         (JSC::truncThunkGenerator): Deleted.
3091         (JSC::roundThunkGenerator): Deleted.
3092         (JSC::expThunkGenerator): Deleted.
3093         (JSC::logThunkGenerator): Deleted.
3094         (JSC::absThunkGenerator): Deleted.
3095         (JSC::imulThunkGenerator): Deleted.
3096         (JSC::randomThunkGenerator): Deleted.
3097         (JSC::boundThisNoArgsFunctionCallGenerator): Deleted.
3098         * llint/LLIntData.cpp:
3099         (JSC::LLInt::initialize):
3100         * llint/LLIntData.h:
3101         (JSC::LLInt::getCodePtr):
3102         * llint/LLIntEntrypoint.cpp:
3103         (JSC::LLInt::setEvalEntrypoint):
3104         (JSC::LLInt::setProgramEntrypoint):
3105         (JSC::LLInt::setModuleProgramEntrypoint):
3106         * llint/LLIntSlowPaths.cpp:
3107         (JSC::LLInt::setUpCall):
3108         * llint/LLIntThunks.cpp:
3109         (JSC::LLInt::generateThunkWithJumpTo):
3110         * llint/LowLevelInterpreter.asm:
3111         * llint/LowLevelInterpreter32_64.asm:
3112         * llint/LowLevelInterpreter64.asm:
3113         * runtime/ExecutableBase.h:
3114         * runtime/NativeExecutable.cpp:
3115         (JSC::NativeExecutable::finishCreation):
3116         * runtime/NativeFunction.h:
3117         (JSC::TaggedNativeFunction::TaggedNativeFunction):
3118         (JSC::TaggedNativeFunction::operator NativeFunction):
3119         * runtime/PropertySlot.h:
3120         (JSC::PropertySlot::setCustom):
3121         (JSC::PropertySlot::setCacheableCustom):
3122         * runtime/PtrTag.h:
3123         * runtime/PutPropertySlot.h:
3124         (JSC::PutPropertySlot::setCustomValue):
3125         (JSC::PutPropertySlot::setCustomAccessor):
3126         * runtime/SamplingProfiler.cpp:
3127         (JSC::SamplingProfiler::takeSample):
3128         * runtime/VMTraps.cpp:
3129         (JSC::SignalContext::SignalContext):
3130         (JSC::VMTraps::tryInstallTrapBreakpoints):
3131         * tools/SigillCrashAnalyzer.cpp:
3132         (JSC::installCrashHandler):
3133         * yarr/YarrJIT.cpp:
3134         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
3135         (JSC::Yarr::YarrGenerator::generateEnter):
3136
3137 2018-03-30  Devin Rousso  <webkit@devinrousso.com>
3138
3139         Web Inspector: tint all pixels drawn by shader program when hovering ShaderProgramTreeElement
3140         https://bugs.webkit.org/show_bug.cgi?id=175223
3141
3142         Reviewed by Matt Baker.
3143
3144         * inspector/protocol/Canvas.json:
3145         Add `setShaderProgramHighlighted` command that will cause a blend to be applied to the
3146         canvas if the given shader program is active immediately before `drawArrays` or `drawElements`
3147         is called. The blend is removed and the previous value is applied once the draw is complete.
3148
3149 2018-03-30  JF Bastien  <jfbastien@apple.com>
3150
3151         WebAssembly: support DataView compilation
3152         https://bugs.webkit.org/show_bug.cgi?id=183342
3153
3154         Reviewed by Mark Lam.
3155
3156         Compiling a module from a DataView was incorrectly dealing with
3157         DataView's offset.
3158
3159         * wasm/WasmModuleParser.cpp:
3160         (JSC::Wasm::ModuleParser::parse):
3161         * wasm/js/JSWebAssemblyHelpers.h:
3162         (JSC::getWasmBufferFromValue):
3163         (JSC::createSourceBufferFromValue):
3164         * wasm/js/WebAssemblyPrototype.cpp:
3165         (JSC::webAssemblyValidateFunc):
3166
3167 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
3168
3169         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
3170         https://bugs.webkit.org/show_bug.cgi?id=184189
3171
3172         Reviewed by JF Bastien.
3173
3174         * bytecompiler/NodesCodegen.cpp:
3175         (JSC::ResolveNode::emitBytecode):
3176
3177 2018-03-30  Mark Lam  <mark.lam@apple.com>
3178
3179         Add pointer profiling support to Wasm.
3180         https://bugs.webkit.org/show_bug.cgi?id=184175
3181         <rdar://problem/39027923>
3182
3183         Reviewed by JF Bastien.
3184
3185         * runtime/PtrTag.h:
3186         * wasm/WasmB3IRGenerator.cpp:
3187         (JSC::Wasm::B3IRGenerator::addGrowMemory):
3188         (JSC::Wasm::B3IRGenerator::addCall):
3189         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3190         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
3191         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
3192         * wasm/WasmBBQPlan.cpp:
3193         (JSC::Wasm::BBQPlan::prepare):
3194         (JSC::Wasm::BBQPlan::complete):
3195         * wasm/WasmBinding.cpp:
3196         (JSC::Wasm::wasmToWasm):
3197         * wasm/WasmBinding.h:
3198         * wasm/WasmFaultSignalHandler.cpp:
3199         (JSC::Wasm::trapHandler):
3200         * wasm/WasmOMGPlan.cpp:
3201         (JSC::Wasm::OMGPlan::work):
3202         * wasm/WasmThunks.cpp:
3203         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3204         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
3205         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3206         * wasm/js/WasmToJS.cpp:
3207         (JSC::Wasm::handleBadI64Use):
3208         (JSC::Wasm::wasmToJS):
3209         * wasm/js/WebAssemblyFunction.cpp:
3210         (JSC::callWebAssemblyFunction):
3211         * wasm/js/WebAssemblyFunction.h:
3212
3213 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
3214
3215         Unreviewed, rolling out r230102.
3216
3217         Caused assertion failures on JSC bots.
3218
3219         Reverted changeset:
3220
3221         "A stack overflow in the parsing of a builtin (called by
3222         createExecutable) cause a crash instead of a catchable js
3223         exception"
3224         https://bugs.webkit.org/show_bug.cgi?id=184074
3225         https://trac.webkit.org/changeset/230102
3226
3227 2018-03-30  Robin Morisset  <rmorisset@apple.com>
3228
3229         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
3230         https://bugs.webkit.org/show_bug.cgi?id=183812
3231
3232         Reviewed by Keith Miller.
3233
3234         The fix I landed for https://bugs.webkit.org/show_bug.cgi?id=181027 was flawed: I tried setting the bytecodeIndex for the new block on line 1679 (at the end of inlineCall), but it is going to be reset on line 6612 (in parseCodeBlock).
3235         The fix is simply to make the block untargetable by default, and let parseCodeBlock make it targetable afterwards if it is a jump target.
3236
3237         * dfg/DFGByteCodeParser.cpp:
3238         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
3239         (JSC::DFG::ByteCodeParser::inlineCall):
3240
3241 2018-03-30  Robin Morisset  <rmorisset@apple.com>
3242
3243         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
3244         https://bugs.webkit.org/show_bug.cgi?id=184074
3245         <rdar://problem/37165897>
3246
3247         Reviewed by Keith Miller.
3248
3249         Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place.
3250         It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError.
3251         Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts.
3252         As a result, this patch is grotesquely large, while all it does is add enough plumbing to throw a proper exception in this specific case.
3253
3254         There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow.
3255         If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too.
3256
3257         Two other minor changes:
3258         - I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead.
3259         - I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places.
3260
3261         * JavaScriptCore.xcodeproj/project.pbxproj:
3262         * Scripts/builtins/builtins_generate_combined_header.py:
3263         (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
3264         (ParserError):
3265         (generate_section_for_object): Deleted.
3266         (generate_externs_for_object): Deleted.
3267         (generate_macros_for_object): Deleted.
3268         (generate_section_for_code_table_macro): Deleted.
3269         (generate_section_for_code_name_macro): Deleted.
3270         (generate_section_for_global_private_code_name_macro): Deleted.
3271         * Scripts/builtins/builtins_generate_separate_header.py:
3272         (generate_secondary_header_includes):
3273         * Scripts/builtins/builtins_templates.py:
3274         * Sources.txt:
3275         * builtins/BuiltinExecutableCreator.cpp: Removed.
3276         * builtins/BuiltinExecutableCreator.h: Removed.
3277         * builtins/BuiltinExecutables.cpp:
3278         (JSC::BuiltinExecutables::createDefaultConstructor):
3279         (JSC::BuiltinExecutables::createBuiltinExecutable):
3280         (JSC::createBuiltinExecutable):
3281         (JSC::BuiltinExecutables::createExecutableOrCrash):
3282         (JSC::BuiltinExecutables::createExecutable):
3283         * builtins/BuiltinExecutables.h:
3284         * bytecompiler/BytecodeGenerator.h:
3285         * parser/ParserError.cpp: Added.
3286         (JSC::ParserError::toErrorObject):
3287         (JSC::ParserError::throwStackOverflowOrOutOfMemory):
3288         (WTF::printInternal):
3289         * parser/ParserError.h:
3290         (JSC::ParserError::toErrorObject): Deleted.
3291         (WTF::printInternal): Deleted.
3292         * runtime/AsyncIteratorPrototype.cpp:
3293         (JSC::AsyncIteratorPrototype::finishCreation):
3294         * runtime/FunctionPrototype.cpp:
3295         (JSC::FunctionPrototype::addFunctionProperties):
3296         * runtime/JSGlobalObject.cpp:
3297         (JSC::JSGlobalObject::init):
3298         * runtime/JSObject.cpp:
3299         (JSC::JSObject::getOwnStaticPropertySlot):
3300         (JSC::JSObject::reifyAllStaticProperties):
3301         * runtime/JSObject.h:
3302         (JSC::JSObject::getOwnNonIndexPropertySlot):
3303         (JSC::JSObject::getOwnPropertySlot):
3304         (JSC::JSObject::getPropertySlot):
3305         * runtime/JSObjectInlines.h:
3306         (JSC::JSObject::getNonIndexPropertySlot):
3307         * runtime/JSTypedArrayViewPrototype.cpp:
3308         (JSC::JSTypedArrayViewPrototype::finishCreation):
3309         * runtime/Lookup.cpp:
3310         (JSC::reifyStaticAccessor):
3311         (JSC::setUpStaticFunctionSlot):
3312         * runtime/Lookup.h:
3313         (JSC::getStaticPropertySlotFromTable):
3314         (JSC::reifyStaticProperty):
3315         * runtime/MapPrototype.cpp:
3316         (JSC::MapPrototype::finishCreation):
3317         * runtime/SetPrototype.cpp:
3318         (JSC::SetPrototype::finishCreation):
3319         * tools/JSDollarVM.cpp:
3320         (JSC::functionCreateBuiltin):
3321
3322 2018-03-30  Robin Morisset  <rmorisset@apple.com>
3323
3324         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
3325         https://bugs.webkit.org/show_bug.cgi?id=183657
3326         <rdar://problem/38464399>
3327
3328         Reviewed by Keith Miller.
3329
3330         There was just a missing check in unshiftCountForIndexingType.
3331         I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path',
3332         and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp).
3333         Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk.
3334
3335         * runtime/ArrayPrototype.cpp:
3336         (JSC::unshift):
3337         * runtime/JSArray.cpp:
3338         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3339         * runtime/JSObject.h:
3340         (JSC::JSObject::ensureLength):
3341
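The fast-path contract the entry above describes, as an added example that is not WebKit's code: a toy unshift with the previously missing bound check, an out-of-memory result reported as "handled" so the slow path never runs with a pending exception, and a release-style assert in the ensureLength stand-in. kMaxStorageVectorLength, ExceptionState, Outcome and the function names are assumptions.

```cpp
// Added example, not WebKit code: a toy model of the fast path / slow path
// contract described above. All names here are hypothetical stand-ins.
#include <cstdint>
#include <cstdlib>
#include <vector>

namespace toy {
// Stand-in for MAX_STORAGE_VECTOR_LENGTH, kept small so the bound is easy to hit.
constexpr uint32_t kMaxStorageVectorLength = 16;

// Stand-in for the VM's pending-exception slot.
struct ExceptionState { bool pending = false; const char* message = nullptr; };

// Analogue of JSObject::ensureLength with a release assert: a caller asking for
// storage beyond the bound is a bug, and aborting beats an out-of-bounds write.
inline void ensureLength(std::vector<int>& storage, uint32_t length) {
    if (length > kMaxStorageVectorLength) std::abort();
    if (storage.size() < length) storage.resize(length);
}

// Fast path for unshift(count). Returns true once the request is handled,
// which includes "handled by throwing"; false asks the caller to take the slow path.
inline bool unshiftCountFast(std::vector<int>& s, uint32_t& length, uint32_t count, ExceptionState& exc) {
    uint64_t newLength = uint64_t(length) + count;  // 64-bit: the sum itself must not wrap
    if (newLength > kMaxStorageVectorLength) {      // the check that was missing
        exc.pending = true;
        exc.message = "Out of memory";
        return true;  // not false: the slow path asserts that no exception is pending
    }
    ensureLength(s, uint32_t(newLength));
    for (uint32_t i = length; i > 0; --i) s[i - 1 + count] = s[i - 1];  // shift up
    for (uint32_t i = 0; i < count; ++i) s[i] = 0;                       // fill the gap
    length = uint32_t(newLength);
    return true;
}

// Slow path; like the assert in ArrayPrototype.cpp, it must not see a pending exception.
inline void unshiftSlow(ExceptionState& exc) { if (exc.pending) std::abort(); }

struct Outcome { bool ok; bool oom; uint32_t length; size_t storageSize; };

// Runs unshift(count) on a constructed array of `initialLength` sevens.
inline Outcome tryUnshift(uint32_t initialLength, uint32_t count) {
    std::vector<int> s(initialLength, 7);
    uint32_t length = initialLength;
    ExceptionState exc;
    if (!unshiftCountFast(s, length, count, exc)) unshiftSlow(exc);
    return { !exc.pending, exc.pending, length, s.size() };
}
}  // namespace toy
```
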
3342 2018-03-29  Mark Lam  <mark.lam@apple.com>
3343
3344         Add some pointer profiling support to B3 and Air.
3345         https://bugs.webkit.org/show_bug.cgi?id=184165
3346         <rdar://problem/39022125>
3347
3348         Reviewed by JF Bastien.
3349
3350         * b3/B3LowerMacros.cpp:
3351         * b3/B3LowerMacrosAfterOptimizations.cpp:
3352         * b3/B3MathExtras.cpp:
3353         * b3/B3ReduceStrength.cpp:
3354         * b3/air/AirCCallSpecial.cpp:
3355         (JSC::B3::Air::CCallSpecial::generate):
3356         * b3/air/AirCCallSpecial.h:
3357         * b3/testb3.cpp:
3358         (JSC::B3::testCallSimple):
3359         (JSC::B3::testCallRare):
3360         (JSC::B3::testCallRareLive):
3361         (JSC::B3::testCallSimplePure):
3362         (JSC::B3::testCallFunctionWithHellaArguments):
3363         (JSC::B3::testCallFunctionWithHellaArguments2):
3364         (JSC::B3::testCallFunctionWithHellaArguments3):
3365         (JSC::B3::testCallSimpleDouble):
3366         (JSC::B3::testCallSimpleFloat):
3367         (JSC::B3::testCallFunctionWithHellaDoubleArguments):
3368         (JSC::B3::testCallFunctionWithHellaFloatArguments):
3369         (JSC::B3::testLinearScanWithCalleeOnStack):
3370         (JSC::B3::testInterpreter):
3371         (JSC::B3::testLICMPure):
3372         (JSC::B3::testLICMPureSideExits):
3373         (JSC::B3::testLICMPureWritesPinned):
3374         (JSC::B3::testLICMPureWrites):