Add missing scope release to functionProtoFuncToString
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-04-25  Keith Miller  <keith_miller@apple.com>

        Add missing scope release to functionProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=184995

        Reviewed by Saam Barati.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
        https://bugs.webkit.org/show_bug.cgi?id=184730

        Reviewed by Mark Lam.

        Add swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM).
        And we now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.

        We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with the
        ARMv7 implementation.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (JSC::MacroAssemblerARM::and32):
        (JSC::MacroAssemblerARM::lshift32):
        (JSC::MacroAssemblerARM::mul32):
        (JSC::MacroAssemblerARM::or32):
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::xor32):
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::abortWithReason):
        (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::push):
        (JSC::MacroAssemblerARM::swap):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branchPtr):
        (JSC::MacroAssemblerARM::branch32):
        (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARM::branchTest8):
        (JSC::MacroAssemblerARM::branchTest32):
        (JSC::MacroAssemblerARM::jump):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::mull32):
        (JSC::MacroAssemblerARM::branchMul32):
        (JSC::MacroAssemblerARM::patchableBranch32):
        (JSC::MacroAssemblerARM::nearCall):
        (JSC::MacroAssemblerARM::compare32):
        (JSC::MacroAssemblerARM::compare8):
        (JSC::MacroAssemblerARM::test32):
        (JSC::MacroAssemblerARM::test8):
        (JSC::MacroAssemblerARM::add64):
        (JSC::MacroAssemblerARM::load32):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::branch32WithPatch):
        (JSC::MacroAssemblerARM::storePtrWithPatch):
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        (JSC::MacroAssemblerARM::addDouble):
        (JSC::MacroAssemblerARM::divDouble):
        (JSC::MacroAssemblerARM::subDouble):
        (JSC::MacroAssemblerARM::mulDouble):
        (JSC::MacroAssemblerARM::convertInt32ToDouble):
        (JSC::MacroAssemblerARM::branchDouble):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToUint32):
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM::branchDoubleNonZero):
        (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARM::call32):
        (JSC::MacroAssemblerARM::internalCompare32):

2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>

        [WinCairo] Fix js/regexp-unicode.html crash.
        https://bugs.webkit.org/show_bug.cgi?id=184891

        Reviewed by Yusuke Suzuki.

        On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
        RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        Unconditionally save and restore RDI on 64-bit Windows.

2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>

        [GTK] Miscellaneous build cleanups
        https://bugs.webkit.org/show_bug.cgi?id=184399

        Reviewed by Žan Doberšek.

        * PlatformGTK.cmake:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        fromCharCode is missing some exception checks
        https://bugs.webkit.org/show_bug.cgi?id=184952

        Reviewed by Saam Barati.

        I also removed the pointless slow path function and moved it into the
        main function.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromCharCodeSlowCase): Deleted.

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
        https://bugs.webkit.org/show_bug.cgi?id=184923

        Reviewed by Saam Barati.

        If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
        (i.e. we know that the object has one of those structures), then previously we would still emit a
        switch with a case per structure along with a default case. That would mean one extra redundant
        branch to check that whatever structure we wound up with belongs to the set. In that case, we
        were already making the default case be an Oops.

        One possible solution would be to say that the default case being Oops means that B3 doesn't need
        to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
        be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
        seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
        trap.

        So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
        extra branch.

        This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
        it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
        read.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should know how to decay a MultiGetByOffset
        https://bugs.webkit.org/show_bug.cgi?id=159859

        Reviewed by Keith Miller.

        This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
        clobberize() can report a def() for MultiGetByOffset.

        This is a slight improvement to codegen in splay because splay is a heavy user of
        MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
        "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
        removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
        splay's time.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::remove):
        (JSC::DFG::Node::removeWithoutChecks):
        (JSC::DFG::Node::replaceWith):
        (JSC::DFG::Node::replaceWithWithoutChecks):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::replaceWith): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        Update API docs with information on which run loop the VM will use
        https://bugs.webkit.org/show_bug.cgi?id=184900
        <rdar://problem/39166054>

        Reviewed by Mark Lam.

        * API/JSContextRef.h:
        * API/JSVirtualMachine.h:

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        $vm.totalGCTime() should be a thing
        https://bugs.webkit.org/show_bug.cgi?id=184916

        Reviewed by Sam Weinig.

        When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
        time spent in GC to determine if the regression is because the GC got slower.

        This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.

        * heap/Heap.cpp:
        (JSC::Heap::runEndPhase):
        * heap/Heap.h:
        (JSC::Heap::totalGCTime const):
        * tools/JSDollarVM.cpp:
        (JSC::functionTotalGCTime):
        (JSC::JSDollarVM::finishCreation):

2018-04-23  Zalan Bujtas  <zalan@apple.com>

        [LayoutFormattingContext] Initial commit.
        https://bugs.webkit.org/show_bug.cgi?id=184896

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2018-04-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert accidental change to verbose flag.

        * dfg/DFGByteCodeParser.cpp:

2018-04-23  Filip Pizlo  <fpizlo@apple.com>

        Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.

        Rubber stamped by Saam Barati.

        This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
        anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
        Seems sensible to just roll it out.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parse):

2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove ModuleLoaderPrototype
        https://bugs.webkit.org/show_bug.cgi?id=184784

        Reviewed by Mark Lam.

        Since we introduced ModuleLoaderPrototype, ModuleLoader may be created by users and exposed to users.
        However, the loader spec is abandoned. So we do not need to have ModuleLoaderPrototype and JSModuleLoader.
        This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::proxyRevokeStructure const):
        (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
        * runtime/JSModuleLoader.cpp:
        (JSC::moduleLoaderParseModule):
        (JSC::moduleLoaderRequestedModules):
        (JSC::moduleLoaderModuleDeclarationInstantiation):
        (JSC::moduleLoaderResolve):
        (JSC::moduleLoaderResolveSync):
        (JSC::moduleLoaderFetch):
        (JSC::moduleLoaderGetModuleNamespaceObject):
        (JSC::moduleLoaderEvaluate):
        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp: Removed.
        * runtime/ModuleLoaderPrototype.h: Removed.

2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] All API tests fail in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=184813

        Reviewed by Mark Lam.

        This is because of a conflict between the ExceptionHandler class used in tests and the ExceptionHandler struct defined in
        JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.

        * API/glib/JSCContext.cpp:
        (JSCContextExceptionHandler::JSCContextExceptionHandler):
        (JSCContextExceptionHandler::~JSCContextExceptionHandler):
        (jscContextConstructed):
        (ExceptionHandler::ExceptionHandler): Deleted.
        (ExceptionHandler::~ExceptionHandler): Deleted.

2018-04-20  Tim Horton  <timothy_horton@apple.com>

        Adjust geolocation feature flag
        https://bugs.webkit.org/show_bug.cgi?id=184856

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:

2018-04-20  Brian Burg  <bburg@apple.com>

        Web Inspector: remove some dead code in IdentifiersFactory
        https://bugs.webkit.org/show_bug.cgi?id=184839

        Reviewed by Timothy Hatcher.

        This was never used on non-Chrome ports, so the identifier always has a
        prefix of '0.'. We may change this in the future, but for now remove this.
        Using a PID for this purpose is problematic anyway.

        * inspector/IdentifiersFactory.cpp:
        (Inspector::addPrefixToIdentifier):
        (Inspector::IdentifiersFactory::createIdentifier):
        (Inspector::IdentifiersFactory::requestId):
        (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
        * inspector/IdentifiersFactory.h:

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Add the ability to use a hash for setting PtrTag enum values.
        https://bugs.webkit.org/show_bug.cgi?id=184852
        <rdar://problem/39613891>

        Reviewed by Saam Barati.

        * runtime/PtrTag.h:

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Some JSEntryPtrTags should actually be JSInternalPtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184712
        <rdar://problem/39507381>

        Reviewed by Michael Saboff.

        1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
        2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
           only when needed.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callReturnLocation):
        (JSC::CallLinkInfo::patchableJump):
        (JSC::CallLinkInfo::hotPathBegin):
        (JSC::CallLinkInfo::slowPathStart):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setCallLocations):
        (JSC::CallLinkInfo::hotPathOther):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::doneLocation):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::initialize):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::done const):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr):
        (JSC::LLInt::getExecutableAddress): Deleted.
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2018-04-18  Jer Noble  <jer.noble@apple.com>

        Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
        https://bugs.webkit.org/show_bug.cgi?id=184762

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-04-20  Daniel Bates  <dabates@apple.com>

        Remove code for compilers that did not support NSDMI for aggregates
        https://bugs.webkit.org/show_bug.cgi?id=184599

        Reviewed by Per Arne Vollan.

        Remove workaround for earlier Visual Studio versions that did not support non-static data
        member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
        and EWS bots to a newer version that supports this feature.

        * domjit/DOMJITEffect.h:
        (JSC::DOMJIT::Effect::Effect): Deleted.
        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
        * wasm/WasmFormat.h:
        (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Build fix for internal builds after r230826.
        https://bugs.webkit.org/show_bug.cgi?id=184790
        <rdar://problem/39301369>

        Not reviewed.

        * runtime/Options.cpp:
        (JSC::overrideDefaults):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::dump):

2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>

        REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
        https://bugs.webkit.org/show_bug.cgi?id=184254
        <rdar://problem/39140200>

        Reviewed by Daniel Bates.

        Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.

        * runtime/ArrayBuffer.h:
        (JSC::ArrayBufferContents::ArrayBufferContents):

2018-04-19  Mark Lam  <mark.lam@apple.com>

        Apply pointer profiling to Signal pointers.
        https://bugs.webkit.org/show_bug.cgi?id=184790
        <rdar://problem/39301369>

        Reviewed by Michael Saboff.

        1. Change stackPointer, framePointer, and instructionPointer accessors to
           be a pair of getter/setter functions.
        2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
           pointer profiling variants of these accessors.
        3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).

        * JavaScriptCorePrefix.h:
        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointerImpl):
        (JSC::MachineContext::stackPointer):
        (JSC::MachineContext::setStackPointer):
        (JSC::MachineContext::framePointerImpl):
        (JSC::MachineContext::framePointer):
        (JSC::MachineContext::setFramePointer):
        (JSC::MachineContext::instructionPointerImpl):
        (JSC::MachineContext::instructionPointer):
        (JSC::MachineContext::setInstructionPointer):
        (JSC::MachineContext::linkRegisterImpl):
        (JSC::MachineContext::linkRegister):
        (JSC::MachineContext::setLinkRegister):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::takeSample):
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::VMTraps::tryInstallTrapBreakpoints):
        * tools/CodeProfiling.cpp:
        (JSC::profilingTimer):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::dump):
        (JSC::installCrashHandler):
        (JSC::SigillCrashAnalyzer::analyze):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-04-19  David Kilzer  <ddkilzer@apple.com>

        Enable Objective-C weak references
        <https://webkit.org/b/184789>
        <rdar://problem/39571716>

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        (CLANG_ENABLE_OBJC_WEAK): Enable.
        * Configurations/ToolExecutable.xcconfig:
        (CLANG_ENABLE_OBJC_ARC): Simplify.

2018-04-17  Filip Pizlo  <fpizlo@apple.com>

        The InternalFunction hierarchy should be in IsoSubspaces
        https://bugs.webkit.org/show_bug.cgi?id=184721

        Reviewed by Saam Barati.

        This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
        but subclasses that are the same size as InternalFunction share its subspace. I did this
        because the subclasses appear to just override methods, which are called dynamically via the
        structure or class of the object. So, I don't see a type confusion risk if UAF is used to
        allocate one kind of InternalFunction over another.

        * API/JSBase.h:
        * API/JSCallbackFunction.h:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::subspaceFor):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/IsoSubspacePerVM.cpp: Added.
        (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
        (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
        (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
        (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
        (JSC::IsoSubspacePerVM::forVM):
        * heap/IsoSubspacePerVM.h: Added.
        (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
        * runtime/Error.h:
        * runtime/ErrorConstructor.h:
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::subspaceFor):
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/JSArrayBufferConstructor.h:
        * runtime/NativeErrorConstructor.h:
        * runtime/ProxyRevoke.h:
        * runtime/RegExpConstructor.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix jsc shell
        https://bugs.webkit.org/show_bug.cgi?id=184600

        WebAssembly module loading does not finish with drainMicrotasks().
        So JSNativeStdFunction's capturing variables become invalid.
        This patch fixes this issue.

        * jsc.cpp:
        (functionDollarAgentStart):
        (runWithOptions):
        (runJSC):
        (jscmain):

2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>

        REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
        https://bugs.webkit.org/show_bug.cgi?id=184725

        Reviewed by Mark Lam.

        * jit/JIT.h:

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Import tables in wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184738

        Reviewed by JF Bastien.

        This patch simply allows wasm modules to import tables from wasm modules / js re-exporting.
        Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
        just works.

        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix build error and crash after PtrTag change
        https://bugs.webkit.org/show_bug.cgi?id=184732

        Reviewed by Mark Lam.

        Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
        MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
        twice with ARM-Thumb2.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Import globals from wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184736

        Reviewed by JF Bastien.

        This patch implements a feature for importing globals to/from wasm modules.
        Since we are not supporting mutable globals now, we can just copy the
        global data when importing. Currently we do not support importing/exporting
        i64 globals. This will be supported once (1) mutable global bindings are
        specified and (2) BigInt based i64 importing/exporting is specified.

        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2018-04-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, fix build on ARM

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):

2018-04-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, fix build with GCC

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, reland r230697, r230720, and r230724.
        https://bugs.webkit.org/show_bug.cgi?id=184600

        With CatchScope check.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ModuleLoaderPrototype.js:
        (globalPrivate.newRegistryEntry):
        (requestInstantiate):
        (link):
        * jsc.cpp:
        (convertShebangToJSComment):
        (fillBufferWithContentsOfFile):
        (fetchModuleFromLocalFileSystem):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarAgentStart):
        (checkException):
        (runWithOptions):
        * parser/NodesAnalyzeModule.cpp:
        (JSC::ImportDeclarationNode::analyzeModule):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        (JSC::AbstractModuleRecord::resolveImport):
        (JSC::AbstractModuleRecord::link):
        (JSC::AbstractModuleRecord::evaluate):
        (JSC::identifierToJSValue): Deleted.
        * runtime/AbstractModuleRecord.h:
        (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
        (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::evaluate):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSModuleRecord.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
        * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        (JSC::createSourceBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::prepareLink):
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::WebAssemblyPrototype::instantiate):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        * wasm/js/WebAssemblyPrototype.h:

2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
        https://bugs.webkit.org/show_bug.cgi?id=184687

        Reviewed by Michael Catanzaro.

        Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
        JSClassDefinition. This is required to implement dynamic properties that can't be added with
        jsc_class_add_property(), for example to implement something like the imports object in seed/gjs.

        * API/glib/JSCClass.cpp:
        (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
        can throw exceptions.
        (VTableExceptionHandler::~VTableExceptionHandler):
        (getProperty): Iterate the class chain to call the get_property function.
        (setProperty): Iterate the class chain to call the set_property function.
        (hasProperty): Iterate the class chain to call the has_property function.
        (deleteProperty): Iterate the class chain to call the delete_property function.
        (getPropertyNames): Iterate the class chain to call the enumerate_properties function.
        (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
        jscClassCreate now.
        (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
        * API/glib/JSCClass.h:
        * API/glib/JSCClassPrivate.h:
        * API/glib/JSCContext.cpp:
        (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
        (jsc_context_register_class): Add JSCClassVTable parameter.
        * API/glib/JSCContext.h:
        * API/glib/JSCContextPrivate.h:
        * API/glib/JSCWrapperMap.cpp:
        (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
        * API/glib/JSCWrapperMap.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.

2018-04-17  Mark Lam  <mark.lam@apple.com>

        Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184702
        <rdar://problem/35391681>

        Reviewed by Filip Pizlo and Saam Barati.

        1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
           to take a PtrTag template argument.
        2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
        (JSC::AbstractMacroAssembler::linkJump):
        (JSC::AbstractMacroAssembler::linkPointer):
        (JSC::AbstractMacroAssembler::getLinkerAddress):
        (JSC::AbstractMacroAssembler::repatchJump):
        (JSC::AbstractMacroAssembler::repatchJumpToNop):
        (JSC::AbstractMacroAssembler::repatchNearCall):
        (JSC::AbstractMacroAssembler::repatchCompact):
        (JSC::AbstractMacroAssembler::repatchInt32):
        (JSC::AbstractMacroAssembler::repatchPointer):
761         (JSC::AbstractMacroAssembler::readPointer):
762         (JSC::AbstractMacroAssembler::replaceWithLoad):
763         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
764         * assembler/CodeLocation.h:
765         (JSC::CodeLocationCommon:: const):
766         (JSC::CodeLocationCommon::CodeLocationCommon):
767         (JSC::CodeLocationInstruction::CodeLocationInstruction):
768         (JSC::CodeLocationLabel::CodeLocationLabel):
769         (JSC::CodeLocationLabel::retagged):
770         (JSC::CodeLocationLabel:: const):
771         (JSC::CodeLocationJump::CodeLocationJump):
772         (JSC::CodeLocationJump::retagged):
773         (JSC::CodeLocationCall::CodeLocationCall):
774         (JSC::CodeLocationCall::retagged):
775         (JSC::CodeLocationNearCall::CodeLocationNearCall):
776         (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
777         (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
778         (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
779         (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
780         (JSC::CodeLocationCommon<tag>::instructionAtOffset):
781         (JSC::CodeLocationCommon<tag>::labelAtOffset):
782         (JSC::CodeLocationCommon<tag>::jumpAtOffset):
783         (JSC::CodeLocationCommon<tag>::callAtOffset):
784         (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
785         (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
786         (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
787         (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
788         (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
789         (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
790         (JSC::CodeLocationCommon::labelAtOffset): Deleted.
791         (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
792         (JSC::CodeLocationCommon::callAtOffset): Deleted.
793         (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
794         (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
795         (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
796         (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
797         (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
798         * assembler/LinkBuffer.cpp:
799         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
800         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
801         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
802         (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
803         * assembler/LinkBuffer.h:
804         (JSC::LinkBuffer::link):
805         (JSC::LinkBuffer::patch):
806         (JSC::LinkBuffer::entrypoint):
807         (JSC::LinkBuffer::locationOf):
808         (JSC::LinkBuffer::locationOfNearCall):
809         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
810         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
811         (JSC::LinkBuffer::trampolineAt):
812         * assembler/MacroAssemblerARM.h:
813         (JSC::MacroAssemblerARM::readCallTarget):
814         (JSC::MacroAssemblerARM::replaceWithJump):
815         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
816         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
817         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
818         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
819         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
820         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
821         (JSC::MacroAssemblerARM::repatchCall):
822         (JSC::MacroAssemblerARM::linkCall):
823         * assembler/MacroAssemblerARM64.h:
824         (JSC::MacroAssemblerARM64::readCallTarget):
825         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
826         (JSC::MacroAssemblerARM64::replaceWithJump):
827         (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
828         (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
829         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
830         (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
831         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
832         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
833         (JSC::MacroAssemblerARM64::repatchCall):
834         (JSC::MacroAssemblerARM64::linkCall):
835         * assembler/MacroAssemblerARMv7.h:
836         (JSC::MacroAssemblerARMv7::replaceWithJump):
837         (JSC::MacroAssemblerARMv7::readCallTarget):
838         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
839         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
840         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
841         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
842         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
843         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
844         (JSC::MacroAssemblerARMv7::repatchCall):
845         (JSC::MacroAssemblerARMv7::linkCall):
846         * assembler/MacroAssemblerCodeRef.cpp:
847         (JSC::MacroAssemblerCodePtrBase::dumpWithName):
848         (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
849         (JSC::MacroAssemblerCodeRefBase::disassembly):
850         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
851         (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
852         (JSC::MacroAssemblerCodePtr::dump const): Deleted.
853         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
854         (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
855         (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
856         (JSC::MacroAssemblerCodeRef::dump const): Deleted.
857         * assembler/MacroAssemblerCodeRef.h:
858         (JSC::FunctionPtr::FunctionPtr):
859         (JSC::FunctionPtr::retagged const):
860         (JSC::FunctionPtr::retaggedExecutableAddress const):
861         (JSC::FunctionPtr::operator== const):
862         (JSC::FunctionPtr::operator!= const):
863         (JSC::ReturnAddressPtr::ReturnAddressPtr):
864         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
865         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
866         (JSC::MacroAssemblerCodePtr::retagged const):
867         (JSC::MacroAssemblerCodePtr:: const):
868         (JSC::MacroAssemblerCodePtr::dumpWithName const):
869         (JSC::MacroAssemblerCodePtr::dump const):
870         (JSC::MacroAssemblerCodePtrHash::hash):
871         (JSC::MacroAssemblerCodePtrHash::equal):
872         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
873         (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
874         (JSC::MacroAssemblerCodeRef::code const):
875         (JSC::MacroAssemblerCodeRef::retaggedCode const):
876         (JSC::MacroAssemblerCodeRef::retagged const):
877         (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
878         (JSC::MacroAssemblerCodeRef::disassembly const):
879         (JSC::MacroAssemblerCodeRef::dump const):
880         (JSC::FunctionPtr<tag>::FunctionPtr):
881         * assembler/MacroAssemblerMIPS.h:
882         (JSC::MacroAssemblerMIPS::readCallTarget):
883         (JSC::MacroAssemblerMIPS::replaceWithJump):
884         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
885         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
886         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
887         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
888         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
889         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
890         (JSC::MacroAssemblerMIPS::repatchCall):
891         (JSC::MacroAssemblerMIPS::linkCall):
892         * assembler/MacroAssemblerX86.h:
893         (JSC::MacroAssemblerX86::readCallTarget):
894         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
895         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
896         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
897         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
898         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
899         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
900         (JSC::MacroAssemblerX86::repatchCall):
901         (JSC::MacroAssemblerX86::linkCall):
902         * assembler/MacroAssemblerX86Common.h:
903         (JSC::MacroAssemblerX86Common::repatchCompact):
904         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
905         (JSC::MacroAssemblerX86Common::replaceWithJump):
906         * assembler/MacroAssemblerX86_64.h:
907         (JSC::MacroAssemblerX86_64::readCallTarget):
908         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
909         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
910         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
911         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
912         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
913         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
914         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
915         (JSC::MacroAssemblerX86_64::repatchCall):
916         (JSC::MacroAssemblerX86_64::linkCall):
917         * assembler/testmasm.cpp:
918         (JSC::compile):
919         (JSC::invoke):
920         (JSC::testProbeModifiesProgramCounter):
921         * b3/B3Compilation.cpp:
922         (JSC::B3::Compilation::Compilation):
923         * b3/B3Compilation.h:
924         (JSC::B3::Compilation::code const):
925         (JSC::B3::Compilation::codeRef const):
926         * b3/B3Compile.cpp:
927         (JSC::B3::compile):
928         * b3/B3LowerMacros.cpp:
929         * b3/air/AirDisassembler.cpp:
930         (JSC::B3::Air::Disassembler::dump):
931         * b3/air/testair.cpp:
932         * b3/testb3.cpp:
933         (JSC::B3::invoke):
934         (JSC::B3::testInterpreter):
935         (JSC::B3::testEntrySwitchSimple):
936         (JSC::B3::testEntrySwitchNoEntrySwitch):
937         (JSC::B3::testEntrySwitchWithCommonPaths):
938         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
939         (JSC::B3::testEntrySwitchLoop):
940         * bytecode/AccessCase.cpp:
941         (JSC::AccessCase::generateImpl):
942         * bytecode/AccessCaseSnippetParams.cpp:
943         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
944         * bytecode/ByValInfo.h:
945         (JSC::ByValInfo::ByValInfo):
946         * bytecode/CallLinkInfo.cpp:
947         (JSC::CallLinkInfo::callReturnLocation):
948         (JSC::CallLinkInfo::patchableJump):
949         (JSC::CallLinkInfo::hotPathBegin):
950         (JSC::CallLinkInfo::slowPathStart):
951         * bytecode/CallLinkInfo.h:
952         (JSC::CallLinkInfo::setCallLocations):
953         (JSC::CallLinkInfo::hotPathOther):
954         * bytecode/CodeBlock.cpp:
955         (JSC::CodeBlock::finishCreation):
956         * bytecode/GetByIdStatus.cpp:
957         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
958         * bytecode/GetByIdVariant.cpp:
959         (JSC::GetByIdVariant::GetByIdVariant):
960         (JSC::GetByIdVariant::dumpInContext const):
961         * bytecode/GetByIdVariant.h:
962         (JSC::GetByIdVariant::customAccessorGetter const):
963         * bytecode/GetterSetterAccessCase.cpp:
964         (JSC::GetterSetterAccessCase::create):
965         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
966         (JSC::GetterSetterAccessCase::dumpImpl const):
967         * bytecode/GetterSetterAccessCase.h:
968         (JSC::GetterSetterAccessCase::customAccessor const):
969         (): Deleted.
970         * bytecode/HandlerInfo.h:
971         (JSC::HandlerInfo::initialize):
972         * bytecode/InlineAccess.cpp:
973         (JSC::linkCodeInline):
974         (JSC::InlineAccess::rewireStubAsJump):
975         * bytecode/InlineAccess.h:
976         * bytecode/JumpTable.h:
977         (JSC::StringJumpTable::ctiForValue):
978         (JSC::SimpleJumpTable::ctiForValue):
979         * bytecode/LLIntCallLinkInfo.h:
980         (JSC::LLIntCallLinkInfo::unlink):
981         * bytecode/PolymorphicAccess.cpp:
982         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
983         (JSC::PolymorphicAccess::regenerate):
984         * bytecode/PolymorphicAccess.h:
985         (JSC::AccessGenerationResult::AccessGenerationResult):
986         (JSC::AccessGenerationResult::code const):
987         * bytecode/StructureStubInfo.h:
988         (JSC::StructureStubInfo::slowPathCallLocation):
989         (JSC::StructureStubInfo::doneLocation):
990         (JSC::StructureStubInfo::slowPathStartLocation):
991         (JSC::StructureStubInfo::patchableJumpForIn):
992         * dfg/DFGCommonData.h:
993         (JSC::DFG::CommonData::appendCatchEntrypoint):
994         * dfg/DFGDisassembler.cpp:
995         (JSC::DFG::Disassembler::dumpDisassembly):
996         * dfg/DFGDriver.h:
997         * dfg/DFGJITCompiler.cpp:
998         (JSC::DFG::JITCompiler::linkOSRExits):
999         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1000         (JSC::DFG::JITCompiler::link):
1001         (JSC::DFG::JITCompiler::compileFunction):
1002         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1003         * dfg/DFGJITCompiler.h:
1004         (JSC::DFG::CallLinkRecord::CallLinkRecord):
1005         (JSC::DFG::JITCompiler::appendCall):
1006         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
1007         (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
1008         (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
1009         * dfg/DFGJITFinalizer.cpp:
1010         (JSC::DFG::JITFinalizer::JITFinalizer):
1011         (JSC::DFG::JITFinalizer::finalize):
1012         (JSC::DFG::JITFinalizer::finalizeFunction):
1013         * dfg/DFGJITFinalizer.h:
1014         * dfg/DFGJumpReplacement.h:
1015         (JSC::DFG::JumpReplacement::JumpReplacement):
1016         * dfg/DFGNode.h:
1017         * dfg/DFGOSREntry.cpp:
1018         (JSC::DFG::prepareOSREntry):
1019         (JSC::DFG::prepareCatchOSREntry):
1020         * dfg/DFGOSREntry.h:
1021         (JSC::DFG::prepareOSREntry):
1022         * dfg/DFGOSRExit.cpp:
1023         (JSC::DFG::OSRExit::executeOSRExit):
1024         (JSC::DFG::reifyInlinedCallFrames):
1025         (JSC::DFG::adjustAndJumpToTarget):
1026         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1027         (JSC::DFG::OSRExit::emitRestoreArguments):
1028         (JSC::DFG::OSRExit::compileOSRExit):
1029         * dfg/DFGOSRExit.h:
1030         * dfg/DFGOSRExitCompilerCommon.cpp:
1031         (JSC::DFG::handleExitCounts):
1032         (JSC::DFG::reifyInlinedCallFrames):
1033         (JSC::DFG::osrWriteBarrier):
1034         (JSC::DFG::adjustAndJumpToTarget):
1035         * dfg/DFGOperations.cpp:
1036         * dfg/DFGSlowPathGenerator.h:
1037         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
1038         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
1039         (JSC::DFG::slowPathCall):
1040         * dfg/DFGSpeculativeJIT.cpp:
1041         (JSC::DFG::SpeculativeJIT::compileMathIC):
1042         (JSC::DFG::SpeculativeJIT::compileCallDOM):
1043         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1044         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1045         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1046         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1047         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1048         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1049         (JSC::DFG::SpeculativeJIT::cachedPutById):
1050         * dfg/DFGSpeculativeJIT.h:
1051         (JSC::DFG::SpeculativeJIT::callOperation):
1052         (JSC::DFG::SpeculativeJIT::appendCall):
1053         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1054         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1055         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1056         * dfg/DFGSpeculativeJIT64.cpp:
1057         (JSC::DFG::SpeculativeJIT::cachedGetById):
1058         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1059         (JSC::DFG::SpeculativeJIT::compile):
1060         * dfg/DFGThunks.cpp:
1061         (JSC::DFG::osrExitThunkGenerator):
1062         (JSC::DFG::osrExitGenerationThunkGenerator):
1063         (JSC::DFG::osrEntryThunkGenerator):
1064         * dfg/DFGThunks.h:
1065         * disassembler/ARM64Disassembler.cpp:
1066         (JSC::tryToDisassemble):
1067         * disassembler/ARMv7Disassembler.cpp:
1068         (JSC::tryToDisassemble):
1069         * disassembler/Disassembler.cpp:
1070         (JSC::disassemble):
1071         (JSC::disassembleAsynchronously):
1072         * disassembler/Disassembler.h:
1073         (JSC::tryToDisassemble):
1074         * disassembler/UDis86Disassembler.cpp:
1075         (JSC::tryToDisassembleWithUDis86):
1076         * disassembler/UDis86Disassembler.h:
1077         (JSC::tryToDisassembleWithUDis86):
1078         * disassembler/X86Disassembler.cpp:
1079         (JSC::tryToDisassemble):
1080         * ftl/FTLCompile.cpp:
1081         (JSC::FTL::compile):
1082         * ftl/FTLExceptionTarget.cpp:
1083         (JSC::FTL::ExceptionTarget::label):
1084         (JSC::FTL::ExceptionTarget::jumps):
1085         * ftl/FTLExceptionTarget.h:
1086         * ftl/FTLGeneratedFunction.h:
1087         * ftl/FTLJITCode.cpp:
1088         (JSC::FTL::JITCode::initializeB3Code):
1089         (JSC::FTL::JITCode::initializeAddressForCall):
1090         (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
1091         (JSC::FTL::JITCode::addressForCall):
1092         (JSC::FTL::JITCode::executableAddressAtOffset):
1093         * ftl/FTLJITCode.h:
1094         (JSC::FTL::JITCode::b3Code const):
1095         * ftl/FTLJITFinalizer.cpp:
1096         (JSC::FTL::JITFinalizer::finalizeCommon):
1097         * ftl/FTLLazySlowPath.cpp:
1098         (JSC::FTL::LazySlowPath::initialize):
1099         (JSC::FTL::LazySlowPath::generate):
1100         * ftl/FTLLazySlowPath.h:
1101         (JSC::FTL::LazySlowPath::patchableJump const):
1102         (JSC::FTL::LazySlowPath::done const):
1103         (JSC::FTL::LazySlowPath::stub const):
1104         * ftl/FTLLazySlowPathCall.h:
1105         (JSC::FTL::createLazyCallGenerator):
1106         * ftl/FTLLink.cpp:
1107         (JSC::FTL::link):
1108         * ftl/FTLLowerDFGToB3.cpp:
1109         (JSC::FTL::DFG::LowerDFGToB3::lower):
1110         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1111         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1112         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1113         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1114         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1115         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1116         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
1117         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1118         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1119         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
1120         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1121         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1122         * ftl/FTLOSRExit.cpp:
1123         (JSC::FTL::OSRExit::codeLocationForRepatch const):
1124         * ftl/FTLOSRExit.h:
1125         * ftl/FTLOSRExitCompiler.cpp:
1126         (JSC::FTL::compileStub):
1127         (JSC::FTL::compileFTLOSRExit):
1128         * ftl/FTLOSRExitHandle.cpp:
1129         (JSC::FTL::OSRExitHandle::emitExitThunk):
1130         * ftl/FTLOperations.cpp:
1131         (JSC::FTL::compileFTLLazySlowPath):
1132         * ftl/FTLPatchpointExceptionHandle.cpp:
1133         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
1134         * ftl/FTLSlowPathCall.cpp:
1135         (JSC::FTL::SlowPathCallContext::keyWithTarget const):
1136         (JSC::FTL::SlowPathCallContext::makeCall):
1137         * ftl/FTLSlowPathCall.h:
1138         (JSC::FTL::callOperation):
1139         * ftl/FTLSlowPathCallKey.cpp:
1140         (JSC::FTL::SlowPathCallKey::dump const):
1141         * ftl/FTLSlowPathCallKey.h:
1142         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1143         (JSC::FTL::SlowPathCallKey::callTarget const):
1144         (JSC::FTL::SlowPathCallKey::withCallTarget):
1145         (JSC::FTL::SlowPathCallKey::hash const):
1146         (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
1147         * ftl/FTLState.cpp:
1148         (JSC::FTL::State::State):
1149         * ftl/FTLThunks.cpp:
1150         (JSC::FTL::genericGenerationThunkGenerator):
1151         (JSC::FTL::osrExitGenerationThunkGenerator):
1152         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1153         (JSC::FTL::slowPathCallThunkGenerator):
1154         * ftl/FTLThunks.h:
1155         (JSC::FTL::generateIfNecessary):
1156         (JSC::FTL::keyForThunk):
1157         (JSC::FTL::Thunks::getSlowPathCallThunk):
1158         (JSC::FTL::Thunks::keyForSlowPathCallThunk):
1159         * interpreter/InterpreterInlines.h:
1160         (JSC::Interpreter::getOpcodeID):
1161         * jit/AssemblyHelpers.cpp:
1162         (JSC::AssemblyHelpers::callExceptionFuzz):
1163         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1164         (JSC::AssemblyHelpers::debugCall):
1165         * jit/CCallHelpers.cpp:
1166         (JSC::CCallHelpers::ensureShadowChickenPacket):
1167         * jit/ExecutableAllocator.cpp:
1168         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1169         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1170         * jit/ExecutableAllocator.h:
1171         (JSC::performJITMemcpy):
1172         * jit/GCAwareJITStubRoutine.cpp:
1173         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
1174         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
1175         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
1176         (JSC::createJITStubRoutine):
1177         * jit/GCAwareJITStubRoutine.h:
1178         (JSC::createJITStubRoutine):
1179         * jit/JIT.cpp:
1180         (JSC::ctiPatchCallByReturnAddress):
1181         (JSC::JIT::compileWithoutLinking):
1182         (JSC::JIT::link):
1183         (JSC::JIT::privateCompileExceptionHandlers):
1184         * jit/JIT.h:
1185         (JSC::CallRecord::CallRecord):
1186         * jit/JITArithmetic.cpp:
1187         (JSC::JIT::emitMathICFast):
1188         (JSC::JIT::emitMathICSlow):
1189         * jit/JITCall.cpp:
1190         (JSC::JIT::compileOpCallSlowCase):
1191         * jit/JITCall32_64.cpp:
1192         (JSC::JIT::compileOpCallSlowCase):
1193         * jit/JITCode.cpp:
1194         (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
1195         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1196         (JSC::DirectJITCode::DirectJITCode):
1197         (JSC::DirectJITCode::initializeCodeRef):
1198         (JSC::DirectJITCode::addressForCall):
1199         (JSC::NativeJITCode::NativeJITCode):
1200         (JSC::NativeJITCode::initializeCodeRef):
1201         (JSC::NativeJITCode::addressForCall):
1202         * jit/JITCode.h:
1203         * jit/JITCodeMap.h:
1204         (JSC::JITCodeMap::Entry::Entry):
1205         (JSC::JITCodeMap::Entry::codeLocation):
1206         (JSC::JITCodeMap::append):
1207         (JSC::JITCodeMap::find const):
1208         * jit/JITDisassembler.cpp:
1209         (JSC::JITDisassembler::dumpDisassembly):
1210         * jit/JITExceptions.cpp:
1211         (JSC::genericUnwind):
1212         * jit/JITInlineCacheGenerator.cpp:
1213         (JSC::JITByIdGenerator::finalize):
1214         * jit/JITInlines.h:
1215         (JSC::JIT::emitNakedCall):
1216         (JSC::JIT::emitNakedTailCall):
1217         (JSC::JIT::appendCallWithExceptionCheck):
1218         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
1219         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1220         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1221         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1222         * jit/JITMathIC.h:
1223         (JSC::isProfileEmpty):
1224         * jit/JITOpcodes.cpp:
1225         (JSC::JIT::emit_op_catch):
1226         (JSC::JIT::emit_op_switch_imm):
1227         (JSC::JIT::emit_op_switch_char):
1228         (JSC::JIT::emit_op_switch_string):
1229         (JSC::JIT::privateCompileHasIndexedProperty):
1230         (JSC::JIT::emitSlow_op_has_indexed_property):
1231         * jit/JITOpcodes32_64.cpp:
1232         (JSC::JIT::privateCompileHasIndexedProperty):
1233         * jit/JITOperations.cpp:
1234         (JSC::getByVal):
1235         * jit/JITPropertyAccess.cpp:
1236         (JSC::JIT::stringGetByValStubGenerator):
1237         (JSC::JIT::emitGetByValWithCachedId):
1238         (JSC::JIT::emitSlow_op_get_by_val):
1239         (JSC::JIT::emitPutByValWithCachedId):
1240         (JSC::JIT::emitSlow_op_put_by_val):
1241         (JSC::JIT::emitSlow_op_try_get_by_id):
1242         (JSC::JIT::emitSlow_op_get_by_id_direct):
1243         (JSC::JIT::emitSlow_op_get_by_id):
1244         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1245         (JSC::JIT::emitSlow_op_put_by_id):
1246         (JSC::JIT::privateCompileGetByVal):
1247         (JSC::JIT::privateCompileGetByValWithCachedId):
1248         (JSC::JIT::privateCompilePutByVal):
1249         (JSC::JIT::privateCompilePutByValWithCachedId):
1250         * jit/JITPropertyAccess32_64.cpp:
1251         (JSC::JIT::stringGetByValStubGenerator):
1252         (JSC::JIT::emitSlow_op_get_by_val):
1253         (JSC::JIT::emitSlow_op_put_by_val):
1254         * jit/JITStubRoutine.h:
1255         (JSC::JITStubRoutine::JITStubRoutine):
1256         (JSC::JITStubRoutine::createSelfManagedRoutine):
1257         (JSC::JITStubRoutine::code const):
1258         (JSC::JITStubRoutine::asCodePtr):
1259         * jit/JITThunks.cpp:
1260         (JSC::JITThunks::ctiNativeCall):
1261         (JSC::JITThunks::ctiNativeConstruct):
1262         (JSC::JITThunks::ctiNativeTailCall):
1263         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
1264         (JSC::JITThunks::ctiInternalFunctionCall):
1265         (JSC::JITThunks::ctiInternalFunctionConstruct):
1266         (JSC::JITThunks::ctiStub):
1267         (JSC::JITThunks::existingCTIStub):
1268         (JSC::JITThunks::hostFunctionStub):
1269         * jit/JITThunks.h:
1270         * jit/PCToCodeOriginMap.cpp:
1271         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
1272         * jit/PCToCodeOriginMap.h:
1273         * jit/PolymorphicCallStubRoutine.cpp:
1274         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1275         * jit/PolymorphicCallStubRoutine.h:
1276         * jit/Repatch.cpp:
1277         (JSC::readPutICCallTarget):
1278         (JSC::ftlThunkAwareRepatchCall):
1279         (JSC::appropriateOptimizingGetByIdFunction):
1280         (JSC::appropriateGetByIdFunction):
1281         (JSC::tryCacheGetByID):
1282         (JSC::repatchGetByID):
1283         (JSC::tryCachePutByID):
1284         (JSC::repatchPutByID):
1285         (JSC::tryCacheIn):
1286         (JSC::repatchIn):
1287         (JSC::linkSlowFor):
1288         (JSC::linkFor):
1289         (JSC::linkDirectFor):
1290         (JSC::revertCall):
1291         (JSC::unlinkFor):
1292         (JSC::linkVirtualFor):
1293         (JSC::linkPolymorphicCall):
1294         (JSC::resetGetByID):
1295         (JSC::resetPutByID):
1296         * jit/Repatch.h:
1297         * jit/SlowPathCall.h:
1298         (JSC::JITSlowPathCall::call):
1299         * jit/SpecializedThunkJIT.h:
1300         (JSC::SpecializedThunkJIT::finalize):
1301         (JSC::SpecializedThunkJIT::callDoubleToDouble):
1302         (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
1303         * jit/ThunkGenerator.h:
1304         * jit/ThunkGenerators.cpp:
1305         (JSC::throwExceptionFromCallSlowPathGenerator):
1306         (JSC::slowPathFor):
1307         (JSC::linkCallThunkGenerator):
1308         (JSC::linkPolymorphicCallThunkGenerator):
1309         (JSC::virtualThunkFor):
1310         (JSC::nativeForGenerator):
1311         (JSC::nativeCallGenerator):
1312         (JSC::nativeTailCallGenerator):
1313         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1314         (JSC::nativeConstructGenerator):
1315         (JSC::internalFunctionCallGenerator):
1316         (JSC::internalFunctionConstructGenerator):
1317         (JSC::arityFixupGenerator):
1318         (JSC::unreachableGenerator):
1319         (JSC::charCodeAtThunkGenerator):
1320         (JSC::charAtThunkGenerator):
1321         (JSC::fromCharCodeThunkGenerator):
1322         (JSC::clz32ThunkGenerator):
1323         (JSC::sqrtThunkGenerator):
1324         (JSC::floorThunkGenerator):
1325         (JSC::ceilThunkGenerator):
1326         (JSC::truncThunkGenerator):
1327         (JSC::roundThunkGenerator):
1328         (JSC::expThunkGenerator):
1329         (JSC::logThunkGenerator):
1330         (JSC::absThunkGenerator):
1331         (JSC::imulThunkGenerator):
1332         (JSC::randomThunkGenerator):
1333         (JSC::boundThisNoArgsFunctionCallGenerator):
1334         * jit/ThunkGenerators.h:
1335         * llint/LLIntData.cpp:
1336         (JSC::LLInt::initialize):
1337         * llint/LLIntData.h:
1338         (JSC::LLInt::getExecutableAddress):
1339         (JSC::LLInt::getCodePtr):
1340         (JSC::LLInt::getCodeRef):
1341         (JSC::LLInt::getCodeFunctionPtr):
1342         * llint/LLIntEntrypoint.cpp:
1343         (JSC::LLInt::setFunctionEntrypoint):
1344         (JSC::LLInt::setEvalEntrypoint):
1345         (JSC::LLInt::setProgramEntrypoint):
1346         (JSC::LLInt::setModuleProgramEntrypoint):
1347         * llint/LLIntExceptions.cpp:
1348         (JSC::LLInt::callToThrow):
1349         * llint/LLIntSlowPaths.cpp:
1350         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1351         (JSC::LLInt::setUpCall):
1352         * llint/LLIntThunks.cpp:
1353         (JSC::vmEntryToWasm):
1354         (JSC::LLInt::generateThunkWithJumpTo):
1355         (JSC::LLInt::functionForCallEntryThunkGenerator):
1356         (JSC::LLInt::functionForConstructEntryThunkGenerator):
1357         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
1358         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
1359         (JSC::LLInt::evalEntryThunkGenerator):
1360         (JSC::LLInt::programEntryThunkGenerator):
1361         (JSC::LLInt::moduleProgramEntryThunkGenerator):
1362         * llint/LLIntThunks.h:
1363         * llint/LowLevelInterpreter.asm:
1364         * llint/LowLevelInterpreter32_64.asm:
1365         * llint/LowLevelInterpreter64.asm:
1366         * profiler/ProfilerCompilation.cpp:
1367         (JSC::Profiler::Compilation::addOSRExitSite):
1368         * profiler/ProfilerCompilation.h:
1369         * profiler/ProfilerOSRExitSite.cpp:
1370         (JSC::Profiler::OSRExitSite::toJS const):
1371         * profiler/ProfilerOSRExitSite.h:
1372         (JSC::Profiler::OSRExitSite::OSRExitSite):
1373         (JSC::Profiler::OSRExitSite::codeAddress const):
1374         (JSC::Profiler::OSRExitSite:: const): Deleted.
1375         * runtime/ExecutableBase.cpp:
1376         (JSC::ExecutableBase::clearCode):
1377         * runtime/ExecutableBase.h:
1378         (JSC::ExecutableBase::entrypointFor):
1379         * runtime/NativeExecutable.cpp:
1380         (JSC::NativeExecutable::finishCreation):
1381         * runtime/NativeFunction.h:
1382         (JSC::TaggedNativeFunction::TaggedNativeFunction):
1383         (JSC::TaggedNativeFunction::operator NativeFunction):
1384         * runtime/PtrTag.h:
1385         (JSC::tagCodePtr):
1386         (JSC::untagCodePtr):
1387         (JSC::retagCodePtr):
1388         (JSC::tagCFunctionPtr):
1389         (JSC::untagCFunctionPtr):
1390         (JSC::nextPtrTagID): Deleted.
1391         * runtime/PutPropertySlot.h:
1392         (JSC::PutPropertySlot::PutPropertySlot):
1393         (JSC::PutPropertySlot::setCustomValue):
1394         (JSC::PutPropertySlot::setCustomAccessor):
1395         (JSC::PutPropertySlot::customSetter const):
1396         * runtime/ScriptExecutable.cpp:
1397         (JSC::ScriptExecutable::installCode):
1398         * runtime/VM.cpp:
1399         (JSC::VM::getHostFunction):
1400         (JSC::VM::getCTIInternalFunctionTrampolineFor):
1401         * runtime/VM.h:
1402         (JSC::VM::getCTIStub):
1403         * wasm/WasmB3IRGenerator.cpp:
1404         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1405         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
1406         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1407         (JSC::Wasm::B3IRGenerator::addCall):
1408         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1409         * wasm/WasmBBQPlan.cpp:
1410         (JSC::Wasm::BBQPlan::prepare):
1411         (JSC::Wasm::BBQPlan::complete):
1412         * wasm/WasmBBQPlan.h:
1413         * wasm/WasmBinding.cpp:
1414         (JSC::Wasm::wasmToWasm):
1415         * wasm/WasmBinding.h:
1416         * wasm/WasmCallee.h:
1417         (JSC::Wasm::Callee::entrypoint const):
1418         * wasm/WasmCallingConvention.h:
1419         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
1420         * wasm/WasmCodeBlock.h:
1421         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
1422         * wasm/WasmFaultSignalHandler.cpp:
1423         (JSC::Wasm::trapHandler):
1424         * wasm/WasmFormat.h:
1425         * wasm/WasmInstance.h:
1426         * wasm/WasmOMGPlan.cpp:
1427         (JSC::Wasm::OMGPlan::work):
1428         * wasm/WasmThunks.cpp:
1429         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1430         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1431         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1432         (JSC::Wasm::Thunks::stub):
1433         (JSC::Wasm::Thunks::existingStub):
1434         * wasm/WasmThunks.h:
1435         * wasm/js/JSToWasm.cpp:
1436         (JSC::Wasm::createJSToWasmWrapper):
1437         * wasm/js/JSWebAssemblyCodeBlock.h:
1438         * wasm/js/WasmToJS.cpp:
1439         (JSC::Wasm::handleBadI64Use):
1440         (JSC::Wasm::wasmToJS):
1441         * wasm/js/WasmToJS.h:
1442         * wasm/js/WebAssemblyFunction.h:
1443         * yarr/YarrJIT.cpp:
1444         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
1445         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
1446         (JSC::Yarr::YarrGenerator::compile):
1447         * yarr/YarrJIT.h:
1448         (JSC::Yarr::YarrCodeBlock::set8BitCode):
1449         (JSC::Yarr::YarrCodeBlock::set16BitCode):
1450         (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
1451         (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
1452         (JSC::Yarr::YarrCodeBlock::execute):
1453         (JSC::Yarr::YarrCodeBlock::clear):
1454
1455 2018-04-17  Commit Queue  <commit-queue@webkit.org>
1456
1457         Unreviewed, rolling out r230697, r230720, and r230724.
1458         https://bugs.webkit.org/show_bug.cgi?id=184717
1459
1460         These caused multiple failures on the Test262 testers.
1461         (Requested by mlewis13 on #webkit).
1462
1463         Reverted changesets:
1464
1465         "[WebAssembly][Modules] Prototype wasm import"
1466         https://bugs.webkit.org/show_bug.cgi?id=184600
1467         https://trac.webkit.org/changeset/230697
1468
1469         "[WebAssembly][Modules] Implement function import from wasm
1470         modules"
1471         https://bugs.webkit.org/show_bug.cgi?id=184689
1472         https://trac.webkit.org/changeset/230720
1473
1474         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
1475         https://bugs.webkit.org/show_bug.cgi?id=184703
1476         https://trac.webkit.org/changeset/230724
1477
1478 2018-04-17  JF Bastien  <jfbastien@apple.com>
1479
1480         A put is not an ExistingProperty put when we transition a structure because of an attributes change
1481         https://bugs.webkit.org/show_bug.cgi?id=184706
1482         <rdar://problem/38871451>
1483
1484         Reviewed by Saam Barati.
1485
1486         When putting a property on a structure and the slot is a different
1487         type, the slot can't be said to have already existed.
1488
1489         * runtime/JSObjectInlines.h:
1490         (JSC::JSObject::putDirectInternal):
1491
1492 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
1493
1494         JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
1495         https://bugs.webkit.org/show_bug.cgi?id=184705
1496
1497         Reviewed by Michael Saboff.
1498         
1499         My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
1500         while testing an unrelated patch, a concurrent GC thread crashed inside
1501         JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
1502         because a typed array became wasteful concurrently to the GC. So, visitChildren() read one
1503         mode and another vector.
1504         
1505         The fix is to lock inside visitChildren and anyone who changes those fields.
1506         
1507         I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
1508         this.
1509
1510         * runtime/JSArrayBufferView.cpp:
1511         (JSC::JSArrayBufferView::neuter):
1512         * runtime/JSGenericTypedArrayViewInlines.h:
1513         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1514         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1515
1516 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
1517
1518         PutStackSinkingPhase should know that KillStack means ConflictingFlush
1519         https://bugs.webkit.org/show_bug.cgi?id=184672
1520
1521         Reviewed by Michael Saboff.
1522
1523         We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
1524         KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
1525         archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
1526         intentional - I don't know.
1527
1528         Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
1529         doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
1530         the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
1531         KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
1532         that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
1533         specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
1534         could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
1535         KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
1536         inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
1537         have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
1538         values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
1539         value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
1540
1541         This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
1542         them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
1543         its stack slot for the purpose of clobberize.
1544
1545         * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
1546         * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
1547         * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
1548         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
1549
1550 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
1551
1552         JSWebAssemblyCodeBlock should be in an IsoSubspace
1553         https://bugs.webkit.org/show_bug.cgi?id=184704
1554
1555         Reviewed by Mark Lam.
1556         
1557         Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
1558         CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
1559         short-circuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
1560         protection.
1561
1562         * runtime/VM.cpp:
1563         (JSC::VM::VM):
1564         * runtime/VM.h:
1565         * wasm/js/JSWebAssemblyCodeBlock.h:
1566
1567 2018-04-17  Jer Noble  <jer.noble@apple.com>
1568
1569         Only enable useSeparatedWXHeap on ARM64.
1570         https://bugs.webkit.org/show_bug.cgi?id=184697
1571
1572         Reviewed by Saam Barati.
1573
1574         * runtime/Options.cpp:
1575         (JSC::recomputeDependentOptions):
1576
1577 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1578
1579         [WebAssembly][Modules] Implement function import from wasm modules
1580         https://bugs.webkit.org/show_bug.cgi?id=184689
1581
1582         Reviewed by JF Bastien.
1583
1584         This patch implements function import from wasm modules. We move function importing part
1585         from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
1586         is because linking these functions requires that all the dependent modules are created.
1587         While we want to move all the linking functionality from JSWebAssemblyInstance to
1588         WebAssemblyModuleRecord::link, we do not do that in this patch.  In this patch, we move only the
1589         function importing part because efficient compilation of WebAssembly needs to know
1590         the type of WebAssemblyMemory (signaling or bounds checking). This needs to know the imported
1591         or attached WebAssembly memory object. So we cannot defer this linking to
1592         WebAssemblyModuleRecord::link now.
1593
1594         The largest difference from JS module linking is that WebAssembly module linking links
1595         function from the module by snapshotting. When you have a cyclic module graph like this,
1596
1597         -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
1598             ^                                                   |
1599             +---------------------------------------------------+
1600
1601         we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
1602         is described in [1], and tested in this patch.
1603
1604         [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
1605
1606         * JavaScriptCore.xcodeproj/project.pbxproj:
1607         * jsc.cpp:
1608         (functionDollarAgentStart):
1609         (checkException):
1610         (runWithOptions):
1611         Small fixes for wasm module loading.
1612
1613         * parser/NodesAnalyzeModule.cpp:
1614         (JSC::ImportDeclarationNode::analyzeModule):
1615         * runtime/AbstractModuleRecord.cpp:
1616         (JSC::AbstractModuleRecord::resolveImport):
1617         (JSC::AbstractModuleRecord::link):
1618         * runtime/AbstractModuleRecord.h:
1619         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
1620         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
1621         Now, wasm modules can have an import which is named "*". So this function does not work.
1622         Since wasm modules never have namespace importing, we check this in JS's module analyzer.
1623
1624         * runtime/JSModuleEnvironment.cpp:
1625         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1626         * runtime/JSModuleRecord.cpp:
1627         (JSC::JSModuleRecord::instantiateDeclarations):
1628         * wasm/WasmCreationMode.h: Added.
1629         * wasm/js/JSWebAssemblyInstance.cpp:
1630         (JSC::JSWebAssemblyInstance::finalizeCreation):
1631         (JSC::JSWebAssemblyInstance::create):
1632         * wasm/js/JSWebAssemblyInstance.h:
1633         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1634         (JSC::constructJSWebAssemblyInstance):
1635         * wasm/js/WebAssemblyModuleRecord.cpp:
1636         (JSC::WebAssemblyModuleRecord::link):
1637         * wasm/js/WebAssemblyModuleRecord.h:
1638         * wasm/js/WebAssemblyPrototype.cpp:
1639         (JSC::resolve):
1640         (JSC::instantiate):
1641         (JSC::compileAndInstantiate):
1642         (JSC::WebAssemblyPrototype::instantiate):
1643         (JSC::webAssemblyInstantiateFunc):
1644
1645 2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>
1646
1647         Implement setupArgumentsImpl for ARM and MIPS
1648         https://bugs.webkit.org/show_bug.cgi?id=183786
1649
1650         Reviewed by Yusuke Suzuki.
1651
1652         Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling convention. Added
1653         numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
1654         registers used for 64-bit values on 32-bit architectures. numCrossSources
1655         keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
1656
1657         * assembler/MacroAssemblerARMv7.h:
1658         (JSC::MacroAssemblerARMv7::moveDouble):
1659         * assembler/MacroAssemblerMIPS.h:
1660         (JSC::MacroAssemblerMIPS::moveDouble):
1661         * jit/CCallHelpers.h:
1662         (JSC::CCallHelpers::setupStubCrossArgs):
1663         (JSC::CCallHelpers::ArgCollection::ArgCollection):
1664         (JSC::CCallHelpers::ArgCollection::pushRegArg):
1665         (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
1666         (JSC::CCallHelpers::ArgCollection::addGPRArg):
1667         (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
1668         (JSC::CCallHelpers::ArgCollection::addStackArg):
1669         (JSC::CCallHelpers::ArgCollection::addPoke):
1670         (JSC::CCallHelpers::ArgCollection::argCount):
1671         (JSC::CCallHelpers::calculatePokeOffset):
1672         (JSC::CCallHelpers::pokeForArgument):
1673         (JSC::CCallHelpers::stackAligned):
1674         (JSC::CCallHelpers::marshallArgumentRegister):
1675         (JSC::CCallHelpers::setupArgumentsImpl):
1676         (JSC::CCallHelpers::pokeArgumentsAligned):
1677         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
1678         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
1679         (JSC::CCallHelpers::setupArguments):
1680         * jit/FPRInfo.h:
1681         (JSC::FPRInfo::toArgumentRegister):
1682
1683 2018-04-17  Saam Barati  <sbarati@apple.com>
1684
1685         Add system trace points for process launch and for initializeWebProcess
1686         https://bugs.webkit.org/show_bug.cgi?id=184669
1687
1688         Reviewed by Simon Fraser.
1689
1690         * runtime/VMEntryScope.cpp:
1691         (JSC::VMEntryScope::VMEntryScope):
1692         (JSC::VMEntryScope::~VMEntryScope):
1693
1694 2018-04-17  Jer Noble  <jer.noble@apple.com>
1695
1696         Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
1697         https://bugs.webkit.org/show_bug.cgi?id=184602
1698
1699         Reviewed by Beth Dakin.
1700
1701         * JavaScriptCore.xcodeproj/project.pbxproj:
1702
1703 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
1704
1705         [GLIB] Add API to clear JSCContext uncaught exception
1706         https://bugs.webkit.org/show_bug.cgi?id=184685
1707
1708         Reviewed by Žan Doberšek.
1709
1710         Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
1711
1712         * API/glib/JSCContext.cpp:
1713         (jsc_context_clear_exception):
1714         * API/glib/JSCContext.h:
1715         * API/glib/docs/jsc-glib-4.0-sections.txt:
1716
1717 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
1718
1719         [GLIB] Add API to query, delete and enumerate properties
1720         https://bugs.webkit.org/show_bug.cgi?id=184647
1721
1722         Reviewed by Michael Catanzaro.
1723
1724         Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
1725
1726         * API/glib/JSCValue.cpp:
1727         (jsc_value_object_has_property):
1728         (jsc_value_object_delete_property):
1729         (jsc_value_object_enumerate_properties):
1730         * API/glib/JSCValue.h:
1731         * API/glib/docs/jsc-glib-4.0-sections.txt:
1732
1733 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1734
1735         [WebAssembly][Modules] Prototype wasm import
1736         https://bugs.webkit.org/show_bug.cgi?id=184600
1737
1738         Reviewed by JF Bastien.
1739
1740         This patch is an initial attempt to implement Wasm loading in the module pipeline.
1741         Currently,
1742
1743         1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
1744            in whatwg HTML, we should integrate this into WebCore.
1745
1746         2. We only support exporting values from Wasm. A Wasm module cannot import anything from
1747            the other modules now.
1748
1749         When loading a file, the JSC shell checks the wasm magic. If the wasm magic is found, the JSC shell
1750         loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
1751         module loader pipeline just handles it the same as JS. When parsing a module, we
1752         check the type of JSSourceCode. If the source code is Wasm source code, we create a
1753         WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
1754         AbstractModuleRecord and the Wasm module is instantiated, linked, and evaluated.
1755
1756         * builtins/ModuleLoaderPrototype.js:
1757         (globalPrivate.newRegistryEntry):
1758         (requestInstantiate):
1759         (link):
1760         * jsc.cpp:
1761         (convertShebangToJSComment):
1762         (fillBufferWithContentsOfFile):
1763         (fetchModuleFromLocalFileSystem):
1764         (GlobalObject::moduleLoaderFetch):
1765         * parser/SourceProvider.h:
1766         (JSC::WebAssemblySourceProvider::create):
1767         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1768         * runtime/AbstractModuleRecord.cpp:
1769         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1770         (JSC::AbstractModuleRecord::link):
1771         (JSC::AbstractModuleRecord::evaluate):
1772         (JSC::identifierToJSValue): Deleted.
1773         * runtime/AbstractModuleRecord.h:
1774         * runtime/JSModuleLoader.cpp:
1775         (JSC::JSModuleLoader::evaluate):
1776         * runtime/JSModuleRecord.cpp:
1777         (JSC::JSModuleRecord::link):
1778         (JSC::JSModuleRecord::instantiateDeclarations):
1779         * runtime/JSModuleRecord.h:
1780         * runtime/ModuleLoaderPrototype.cpp:
1781         (JSC::moduleLoaderPrototypeParseModule):
1782         (JSC::moduleLoaderPrototypeRequestedModules):
1783         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1784         * wasm/js/JSWebAssemblyHelpers.h:
1785         (JSC::getWasmBufferFromValue):
1786         (JSC::createSourceBufferFromValue):
1787         * wasm/js/JSWebAssemblyInstance.cpp:
1788         (JSC::JSWebAssemblyInstance::finalizeCreation):
1789         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
1790         (JSC::JSWebAssemblyInstance::create):
1791         * wasm/js/JSWebAssemblyInstance.h:
1792         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1793         (JSC::constructJSWebAssemblyInstance):
1794         * wasm/js/WebAssemblyModuleRecord.cpp:
1795         (JSC::WebAssemblyModuleRecord::prepareLink):
1796         (JSC::WebAssemblyModuleRecord::link):
1797         * wasm/js/WebAssemblyModuleRecord.h:
1798         * wasm/js/WebAssemblyPrototype.cpp:
1799         (JSC::resolve):
1800         (JSC::instantiate):
1801         (JSC::compileAndInstantiate):
1802         (JSC::WebAssemblyPrototype::instantiate):
1803         (JSC::webAssemblyInstantiateFunc):
1804         (JSC::webAssemblyValidateFunc):
1805         * wasm/js/WebAssemblyPrototype.h:
1806
1807 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
1808
1809         Function.prototype.caller shouldn't return generator bodies
1810         https://bugs.webkit.org/show_bug.cgi?id=184630
1811
1812         Reviewed by Yusuke Suzuki.
1813         
1814         Function.prototype.caller no longer returns generator bodies. Those are meant to be
1815         private.
1816         
1817         Also added some builtin debugging tools so that it's easier to do the investigation that I
1818         did.
1819
1820         * builtins/BuiltinNames.h:
1821         * runtime/JSFunction.cpp:
1822         (JSC::JSFunction::callerGetter):
1823         * runtime/JSGlobalObject.cpp:
1824         (JSC::JSGlobalObject::init):
1825         * runtime/JSGlobalObjectFunctions.cpp:
1826         (JSC::globalFuncBuiltinDescribe):
1827         * runtime/JSGlobalObjectFunctions.h:
1828
1829 2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1830
1831         [DFG] Remove duplicate 32bit ProfileType implementation
1832         https://bugs.webkit.org/show_bug.cgi?id=184536
1833
1834         Reviewed by Saam Barati.
1835
1836         This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.
1837
1838         * dfg/DFGSpeculativeJIT.cpp:
1839         (JSC::DFG::SpeculativeJIT::compileProfileType):
1840         * dfg/DFGSpeculativeJIT.h:
1841         * dfg/DFGSpeculativeJIT32_64.cpp:
1842         (JSC::DFG::SpeculativeJIT::compile):
1843         * dfg/DFGSpeculativeJIT64.cpp:
1844         (JSC::DFG::SpeculativeJIT::compile):
1845         * jit/AssemblyHelpers.h:
1846         (JSC::AssemblyHelpers::branchIfUndefined):
1847         (JSC::AssemblyHelpers::branchIfNull):
1848
1849 2018-04-12  Mark Lam  <mark.lam@apple.com>
1850
1851         Consolidate some PtrTags.
1852         https://bugs.webkit.org/show_bug.cgi?id=184552
1853         <rdar://problem/39389404>
1854
1855         Reviewed by Filip Pizlo.
1856
1857         Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
1858         Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
1859
1860         * assembler/AbstractMacroAssembler.h:
1861         (JSC::AbstractMacroAssembler::repatchNearCall):
1862         * assembler/MacroAssemblerARM.h:
1863         (JSC::MacroAssemblerARM::readCallTarget):
1864         * assembler/MacroAssemblerARMv7.h:
1865         (JSC::MacroAssemblerARMv7::readCallTarget):
1866         * assembler/MacroAssemblerMIPS.h:
1867         (JSC::MacroAssemblerMIPS::readCallTarget):
1868         * assembler/MacroAssemblerX86.h:
1869         (JSC::MacroAssemblerX86::readCallTarget):
1870         * assembler/MacroAssemblerX86_64.h:
1871         (JSC::MacroAssemblerX86_64::readCallTarget):
1872         * bytecode/AccessCase.cpp:
1873         (JSC::AccessCase::generateImpl):
1874         * bytecode/InlineAccess.cpp:
1875         (JSC::InlineAccess::rewireStubAsJump):
1876         * bytecode/PolymorphicAccess.cpp:
1877         (JSC::PolymorphicAccess::regenerate):
1878         * dfg/DFGJITCompiler.cpp:
1879         (JSC::DFG::JITCompiler::linkOSRExits):
1880         (JSC::DFG::JITCompiler::link):
1881         (JSC::DFG::JITCompiler::compileFunction):
1882         * dfg/DFGJITFinalizer.cpp:
1883         (JSC::DFG::JITFinalizer::finalize):
1884         (JSC::DFG::JITFinalizer::finalizeFunction):
1885         * dfg/DFGOSREntry.cpp:
1886         (JSC::DFG::prepareOSREntry):
1887         * dfg/DFGOSRExit.cpp:
1888         (JSC::DFG::OSRExit::executeOSRExit):
1889         (JSC::DFG::adjustAndJumpToTarget):
1890         (JSC::DFG::OSRExit::compileOSRExit):
1891         * dfg/DFGOSRExitCompilerCommon.cpp:
1892         (JSC::DFG::adjustAndJumpToTarget):
1893         * dfg/DFGOperations.cpp:
1894         * ftl/FTLJITCode.cpp:
1895         (JSC::FTL::JITCode::executableAddressAtOffset):
1896         * ftl/FTLJITFinalizer.cpp:
1897         (JSC::FTL::JITFinalizer::finalizeCommon):
1898         * ftl/FTLLazySlowPath.cpp:
1899         (JSC::FTL::LazySlowPath::generate):
1900         * ftl/FTLLink.cpp:
1901         (JSC::FTL::link):
1902         * ftl/FTLLowerDFGToB3.cpp:
1903         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1904         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1905         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1906         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1907         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1908         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1909         * ftl/FTLOSRExitCompiler.cpp:
1910         (JSC::FTL::compileFTLOSRExit):
1911         * ftl/FTLOSRExitHandle.cpp:
1912         (JSC::FTL::OSRExitHandle::emitExitThunk):
1913         * jit/AssemblyHelpers.cpp:
1914         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1915         * jit/JIT.cpp:
1916         (JSC::JIT::compileWithoutLinking):
1917         (JSC::JIT::link):
1918         * jit/JITCall.cpp:
1919         (JSC::JIT::compileOpCallSlowCase):
1920         * jit/JITCode.cpp:
1921         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1922         (JSC::NativeJITCode::addressForCall):
1923         * jit/JITInlines.h:
1924         (JSC::JIT::emitNakedCall):
1925         (JSC::JIT::emitNakedTailCall):
1926         * jit/JITMathIC.h:
1927         (JSC::isProfileEmpty):
1928         * jit/JITOpcodes.cpp:
1929         (JSC::JIT::privateCompileHasIndexedProperty):
1930         * jit/JITOperations.cpp:
1931         * jit/JITPropertyAccess.cpp:
1932         (JSC::JIT::stringGetByValStubGenerator):
1933         (JSC::JIT::privateCompileGetByVal):
1934         (JSC::JIT::privateCompileGetByValWithCachedId):
1935         (JSC::JIT::privateCompilePutByVal):
1936         (JSC::JIT::privateCompilePutByValWithCachedId):
1937         * jit/JITThunks.cpp:
1938         (JSC::JITThunks::hostFunctionStub):
1939         * jit/Repatch.cpp:
1940         (JSC::linkSlowFor):
1941         (JSC::linkFor):
1942         (JSC::linkPolymorphicCall):
1943         * jit/SpecializedThunkJIT.h:
1944         (JSC::SpecializedThunkJIT::finalize):
1945         * jit/ThunkGenerators.cpp:
1946         (JSC::virtualThunkFor):
1947         (JSC::nativeForGenerator):
1948         (JSC::boundThisNoArgsFunctionCallGenerator):
1949         * llint/LLIntData.cpp:
1950         (JSC::LLInt::initialize):
1951         * llint/LLIntEntrypoint.cpp:
1952         (JSC::LLInt::setEvalEntrypoint):
1953         (JSC::LLInt::setProgramEntrypoint):
1954         (JSC::LLInt::setModuleProgramEntrypoint):
1955         * llint/LLIntSlowPaths.cpp:
1956         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1957         (JSC::LLInt::setUpCall):
1958         * llint/LLIntThunks.cpp:
1959         (JSC::LLInt::generateThunkWithJumpTo):
1960         (JSC::LLInt::functionForCallEntryThunkGenerator):
1961         (JSC::LLInt::functionForConstructEntryThunkGenerator):
1962         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
1963         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
1964         (JSC::LLInt::evalEntryThunkGenerator):
1965         (JSC::LLInt::programEntryThunkGenerator):
1966         (JSC::LLInt::moduleProgramEntryThunkGenerator):
1967         * llint/LowLevelInterpreter.asm:
1968         * llint/LowLevelInterpreter64.asm:
1969         * runtime/NativeExecutable.cpp:
1970         (JSC::NativeExecutable::finishCreation):
1971         * runtime/NativeFunction.h:
1972         (JSC::TaggedNativeFunction::TaggedNativeFunction):
1973         (JSC::TaggedNativeFunction::operator NativeFunction):
1974         * runtime/PtrTag.h:
1975         * wasm/WasmBBQPlan.cpp:
1976         (JSC::Wasm::BBQPlan::complete):
1977         * wasm/WasmOMGPlan.cpp:
1978         (JSC::Wasm::OMGPlan::work):
1979         * wasm/WasmThunks.cpp:
1980         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1981         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1982         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1983         * wasm/js/WasmToJS.cpp:
1984         (JSC::Wasm::wasmToJS):
1985         * wasm/js/WebAssemblyFunction.h:
1986         * yarr/YarrJIT.cpp:
1987         (JSC::Yarr::YarrGenerator::compile):
1988
1989 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1990
1991         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
1992         https://bugs.webkit.org/show_bug.cgi?id=184379
1993
1994         Reviewed by Žan Doberšek.
1995
1996         Load the module from the new location.
1997
1998         * PlatformWPE.cmake:
1999         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2000         (Inspector::backendCommands):
2001
2002 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2003
2004         [DFG] Remove compileBigIntEquality in DFG 32bit
2005         https://bugs.webkit.org/show_bug.cgi?id=184535
2006
2007         Reviewed by Saam Barati.
2008
2009         We can have a unified implementation for compileBigIntEquality.
2010
2011         * dfg/DFGSpeculativeJIT.cpp:
2012         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2013         * dfg/DFGSpeculativeJIT32_64.cpp:
2014         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2015         * dfg/DFGSpeculativeJIT64.cpp:
2016         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2017
2018 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2019
2020         [WPE] Improve include hierarchy
2021         https://bugs.webkit.org/show_bug.cgi?id=184376
2022
2023         Reviewed by Žan Doberšek.
2024
2025         Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
2026         /usr/include/wpe-0.1/WPE/jsc.
2027
2028         * PlatformWPE.cmake:
2029
2030 2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2031
2032         [GLIB] Handle strings containing null characters
2033         https://bugs.webkit.org/show_bug.cgi?id=184450
2034
2035         Reviewed by Michael Catanzaro.
2036
2037         We should be able to evaluate scripts containing null characters and to handle strings that contain them
2038         too. In JavaScript, strings are not null-terminated; they can contain null characters. This patch adds a length
2039         parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null-terminated), and new functions
2040         jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
2041         contain null characters.
2042
2043         * API/OpaqueJSString.cpp:
2044         (OpaqueJSString::create): Add a create constructor that takes the String.
2045         * API/OpaqueJSString.h:
2046         (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
2047         * API/glib/JSCContext.cpp:
2048         (jsc_context_evaluate): Add length parameter.
2049         (jsc_context_evaluate_with_source_uri): Ditto.
2050         * API/glib/JSCContext.h:
2051         * API/glib/JSCValue.cpp:
2052         (jsc_value_new_string_from_bytes):
2053         (jsc_value_to_string):
2054         (jsc_value_to_string_as_bytes):
2055         (jsc_value_object_is_instance_of): Pass length to evaluate.
2056         * API/glib/JSCValue.h:
2057         * API/glib/docs/jsc-glib-4.0-sections.txt:
2058
2059 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2060
2061         [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
2062         https://bugs.webkit.org/show_bug.cgi?id=184500
2063
2064         Reviewed by Mark Lam.
2065
2066         Instead of passing JSValue::CellTag to the callOperation meta-program to convert
2067         a JSCell GPR to EncodedJSValue in 32bit code, we add CCallHelpers::CellValue.
2068         It is a wrapper for GPRReg, like TrustedImmPtr for a pointer value. When poking
2069         a CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
2070         poke the held GPR. The benefit of CellValue is that we can use the same code
2071         for 32bit and 64bit. This patch removes several ifdefs.
2072
2073         * bytecode/AccessCase.cpp:
2074         (JSC::AccessCase::generateImpl):
2075         * dfg/DFGSpeculativeJIT.cpp:
2076         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2077         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2078         (JSC::DFG::SpeculativeJIT::cachedPutById):
2079         * dfg/DFGSpeculativeJIT32_64.cpp:
2080         (JSC::DFG::SpeculativeJIT::cachedGetById):
2081         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2082         * jit/CCallHelpers.h:
2083         (JSC::CCallHelpers::CellValue::CellValue):
2084         (JSC::CCallHelpers::CellValue::gpr const):
2085         (JSC::CCallHelpers::setupArgumentsImpl):
2086
2087 2018-04-11  Mark Lam  <mark.lam@apple.com>
2088
2089         [Build fix] Replace CompactJITCodeMap with JITCodeMap.
2090         https://bugs.webkit.org/show_bug.cgi?id=184512
2091         <rdar://problem/35391728>
2092
2093         Not reviewed.
2094
2095         * bytecode/CodeBlock.h:
2096         * jit/JITCodeMap.h:
2097
2098 2018-04-11  Mark Lam  <mark.lam@apple.com>
2099
2100         Replace CompactJITCodeMap with JITCodeMap.
2101         https://bugs.webkit.org/show_bug.cgi?id=184512
2102         <rdar://problem/35391728>
2103
2104         Reviewed by Filip Pizlo.
2105
2106         * CMakeLists.txt:
2107         * JavaScriptCore.xcodeproj/project.pbxproj:
2108         * bytecode/CodeBlock.h:
2109         (JSC::CodeBlock::setJITCodeMap):
2110         (JSC::CodeBlock::jitCodeMap const):
2111         (JSC::CodeBlock::jitCodeMap): Deleted.
2112         * dfg/DFGOSRExit.cpp:
2113         (JSC::DFG::OSRExit::executeOSRExit):
2114         * dfg/DFGOSRExitCompilerCommon.cpp:
2115         (JSC::DFG::adjustAndJumpToTarget):
2116         * jit/AssemblyHelpers.cpp:
2117         (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
2118         * jit/AssemblyHelpers.h:
2119         * jit/CompactJITCodeMap.h: Removed.
2120         * jit/JIT.cpp:
2121         (JSC::JIT::link):
2122         * jit/JITCodeMap.h: Added.
2123         (JSC::JITCodeMap::Entry::Entry):
2124         (JSC::JITCodeMap::Entry::bytecodeIndex const):
2125         (JSC::JITCodeMap::Entry::codeLocation):
2126         (JSC::JITCodeMap::append):
2127         (JSC::JITCodeMap::finish):
2128         (JSC::JITCodeMap::find const):
2129         (JSC::JITCodeMap::operator bool const):
2130         * llint/LLIntSlowPaths.cpp:
2131         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2132
2133 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2134
2135         [DFG] Remove CompareSlowPathGenerator
2136         https://bugs.webkit.org/show_bug.cgi?id=184492
2137
2138         Reviewed by Mark Lam.
2139
2140         Now CompareSlowPathGenerator is just calling a specified function.
2141         This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.
2142
2143         We also remove some of the unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
2144         introducing a new constructor for GPRTemporary.
2145
2146         * JavaScriptCore.xcodeproj/project.pbxproj:
2147         * dfg/DFGCompareSlowPathGenerator.h: Removed.
2148         * dfg/DFGSpeculativeJIT.cpp:
2149         (JSC::DFG::GPRTemporary::GPRTemporary):
2150         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
2151         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
2152         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2153         (JSC::DFG::SpeculativeJIT::compileIsObject):
2154         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2155         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2156         * dfg/DFGSpeculativeJIT.h:
2157         (JSC::DFG::GPRTemporary::GPRTemporary):
2158         * dfg/DFGSpeculativeJIT64.cpp:
2159         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2160
2161 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2162
2163         Unreviewed, build fix for 32bit
2164         https://bugs.webkit.org/show_bug.cgi?id=184236
2165
2166         * dfg/DFGSpeculativeJIT.cpp:
2167         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2168
2169 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2170
2171         [DFG] Remove duplicate 32bit code more
2172         https://bugs.webkit.org/show_bug.cgi?id=184236
2173
2174         Reviewed by Mark Lam.
2175
2176         Remove duplicate 32bit code more aggressively part 2.
2177
2178         * JavaScriptCore.xcodeproj/project.pbxproj:
2179         * dfg/DFGCompareSlowPathGenerator.h: Added.
2180         (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
2181         Drop the boxing part. Use unblessedBooleanResult on the DFGSpeculativeJIT side instead.
2182
2183         * dfg/DFGOperations.cpp:
2184         * dfg/DFGOperations.h:
2185         * dfg/DFGSpeculativeJIT.cpp:
2186         (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
2187         (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
2188         (JSC::DFG::SpeculativeJIT::compileIsObject):
2189         (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
2190         (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
2191         (JSC::DFG::SpeculativeJIT::compilePutById):
2192         (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
2193         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
2194         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2195         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
2196         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2197         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2198         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2199         (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
2200         (JSC::DFG::SpeculativeJIT::cachedPutById):
2201         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2202         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2203         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
2204         * dfg/DFGSpeculativeJIT.h:
2205         (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
2206         * dfg/DFGSpeculativeJIT32_64.cpp:
2207         (JSC::DFG::SpeculativeJIT::compile):
2208         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2209         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2210         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2211         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
2212         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2213         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2214         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2215         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2216         * dfg/DFGSpeculativeJIT64.cpp:
2217         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2218         (JSC::DFG::SpeculativeJIT::compile):
2219         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2220         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2221         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2222         (): Deleted.
2223         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2224         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2225         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2226         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2227         * ftl/FTLLowerDFGToB3.cpp:
2228         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2229         operationHasIndexedPropertyByInt now returns an unblessed boolean as size_t.
2230
2231         * jit/AssemblyHelpers.h:
2232         (JSC::AssemblyHelpers::loadValue):
2233         (JSC::AssemblyHelpers::selectScratchGPR):
2234         (JSC::AssemblyHelpers::constructRegisterSet):
2235         * jit/RegisterSet.h:
2236         (JSC::RegisterSet::setAny):
2237         Clean up selectScratchGPR code to pass JSValueRegs.
2238
2239 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
2240
2241         [ESNext][BigInt] Add support for BigInt in SpeculatedType
2242         https://bugs.webkit.org/show_bug.cgi?id=182470
2243
2244         Reviewed by Saam Barati.
2245
2246         This patch introduces the SpecBigInt type to DFG to enable BigInt
2247         speculation into DFG and FTL.
2248
2249         With the introduction of SpecBigInt, we can then specialize "===" operations
2250         on BigInts. As we do for some other cells, we first check whether the operands
2251         point to the same JSCell, and if not, we
2252         fall back to "operationCompareStrictEqCell". The idea in further
2253         patches is to implement the BigInt equality check directly in
2254         assembly.
2255
2256         We are also adding support for BigInt constant folding into
2257         TypeOf operation.
2258
2259         * bytecode/SpeculatedType.cpp:
2260         (JSC::dumpSpeculation):
2261         (JSC::speculationFromClassInfo):
2262         (JSC::speculationFromStructure):
2263         (JSC::speculationFromJSType):
2264         (JSC::speculationFromString):
2265         * bytecode/SpeculatedType.h:
2266         (JSC::isBigIntSpeculation):
2267         * dfg/DFGAbstractInterpreterInlines.h:
2268         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2269         * dfg/DFGAbstractValue.cpp:
2270         (JSC::DFG::AbstractValue::set):
2271         * dfg/DFGConstantFoldingPhase.cpp:
2272         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2273         * dfg/DFGFixupPhase.cpp:
2274         (JSC::DFG::FixupPhase::fixupNode):
2275         (JSC::DFG::FixupPhase::fixupToThis):
2276         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2277         * dfg/DFGInferredTypeCheck.cpp:
2278         (JSC::DFG::insertInferredTypeCheck):
2279         * dfg/DFGNode.h:
2280         (JSC::DFG::Node::shouldSpeculateBigInt):
2281         * dfg/DFGPredictionPropagationPhase.cpp:
2282         * dfg/DFGSafeToExecute.h:
2283         (JSC::DFG::SafeToExecuteEdge::operator()):
2284         * dfg/DFGSpeculativeJIT.cpp:
2285         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2286         (JSC::DFG::SpeculativeJIT::speculateBigInt):
2287         (JSC::DFG::SpeculativeJIT::speculate):
2288         * dfg/DFGSpeculativeJIT.h:
2289         * dfg/DFGSpeculativeJIT32_64.cpp:
2290         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2291         * dfg/DFGSpeculativeJIT64.cpp:
2292         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2293         * dfg/DFGUseKind.cpp:
2294         (WTF::printInternal):
2295         * dfg/DFGUseKind.h:
2296         (JSC::DFG::typeFilterFor):
2297         (JSC::DFG::isCell):
2298         * ftl/FTLCapabilities.cpp:
2299         (JSC::FTL::canCompile):
2300         * ftl/FTLLowerDFGToB3.cpp:
2301         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2302         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
2303         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2304         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
2305         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
2306         * jit/AssemblyHelpers.cpp:
2307         (JSC::AssemblyHelpers::branchIfNotType):
2308         * jit/AssemblyHelpers.h:
2309         (JSC::AssemblyHelpers::branchIfBigInt):
2310         (JSC::AssemblyHelpers::branchIfNotBigInt):
2311         * runtime/InferredType.cpp:
2312         (JSC::InferredType::Descriptor::forValue):
2313         (JSC::InferredType::Descriptor::putByIdFlags const):
2314         (JSC::InferredType::Descriptor::merge):
2315         (WTF::printInternal):
2316         * runtime/InferredType.h:
2317         * runtime/JSBigInt.h:
2318
2319 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2320
2321         Unreviewed, fix cloop build.
2322
2323         * dfg/DFGAbstractInterpreterClobberState.cpp:
2324
2325 2018-04-10  Mark Lam  <mark.lam@apple.com>
2326
2327         Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
2328         https://bugs.webkit.org/show_bug.cgi?id=184464
2329         <rdar://problem/39323947>
2330
2331         Reviewed by Saam Barati.
2332
2333         * heap/MarkedSpace.h:
2334         (JSC::MarkedSpace::sizeClassToIndex):
2335
2336 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
2337
2338         DFG AI and clobberize should agree with each other
2339         https://bugs.webkit.org/show_bug.cgi?id=184440
2340
2341         Reviewed by Saam Barati.
2342         
2343         One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
2344         agree with each other. That's what this patch does: it adds an assertion that AI's structure
2345         state tracking must be equivalent to JSCell_structureID being clobbered.
2346         
2347         One subtlety is that AI sometimes folds away structure clobbering using information that
2348         clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
2349         ObservedTransitions).
2350         
2351         This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
2352         clobberize missing a write(Heap).
2353         
2354         This also makes some cases more precise in order to appease the assertion. Making things more
2355         precise might make things faster, but I didn't measure it because that wasn't the goal.
2356
2357         * JavaScriptCore.xcodeproj/project.pbxproj:
2358         * Sources.txt:
2359         * dfg/DFGAbstractInterpreter.h:
2360         * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
2361         (WTF::printInternal):
2362         * dfg/DFGAbstractInterpreterClobberState.h: Added.
2363         (JSC::DFG::mergeClobberStates):
2364         * dfg/DFGAbstractInterpreterInlines.h:
2365         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
2366         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2367         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
2368         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
2369         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
2370         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
2371         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
2372         (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
2373         * dfg/DFGAtTailAbstractState.h:
2374         (JSC::DFG::AtTailAbstractState::setClobberState):
2375         (JSC::DFG::AtTailAbstractState::mergeClobberState):
2376         (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
2377         * dfg/DFGCFAPhase.cpp:
2378         (JSC::DFG::CFAPhase::performBlockCFA):
2379         * dfg/DFGClobberSet.cpp:
2380         (JSC::DFG::writeSet):
2381         * dfg/DFGClobberSet.h:
2382         * dfg/DFGClobberize.h:
2383         (JSC::DFG::clobberize):
2384         * dfg/DFGConstantFoldingPhase.cpp:
2385         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2386         * dfg/DFGInPlaceAbstractState.h:
2387         (JSC::DFG::InPlaceAbstractState::clobberState const):
2388         (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
2389         (JSC::DFG::InPlaceAbstractState::didClobber const):
2390         (JSC::DFG::InPlaceAbstractState::setClobberState):
2391         (JSC::DFG::InPlaceAbstractState::mergeClobberState):
2392         (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
2393
2394 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2395
2396         ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
2397         https://bugs.webkit.org/show_bug.cgi?id=184460
2398         <rdar://problem/37610966>
2399
2400         Reviewed by Mark Lam.
2401
2402         * bytecode/ExecutableToCodeBlockEdge.cpp:
2403         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2404
2405 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2406
2407         REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
2408         https://bugs.webkit.org/show_bug.cgi?id=184455
2409
2410         Reviewed by Michael Saboff.
2411         
2412         LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
2413         says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
2414         (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
2415         the thing being hoisted does have effects, then we get a crash.
2416         
2417         In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
2418         CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
2419         would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
2420         effectful.
2421         
2422         Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
2423         clobberize to also think that CompareEq(Untyped:, _) is effectful.
2424         
2425         This fixes the whole situation by teaching both clobberize and AI that the only effectful form
2426         of CompareEq is CompareEq(Untyped:, Untyped:).
2427
2428         * dfg/DFGAbstractInterpreterInlines.h:
2429         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2430         * dfg/DFGClobberize.h:
2431         (JSC::DFG::clobberize):
2432
2433 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
2434
2435         Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
2436         https://bugs.webkit.org/show_bug.cgi?id=184372
2437
2438         Reviewed by Saam Barati.
2439         
2440         We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
2441         have already proved, using techniques that are more precise than AI, that the edge has type
2442         Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
2443         because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
2444         other than a check - so we think we can call those just because we should have already
2445         bailed. It's better to think of them as the result of folding a check. Therefore, we should
2446         only do it if there had been a check to begin with.
2447
2448         * dfg/DFGSpeculativeJIT64.cpp:
2449         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2450         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2451         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2452         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2453         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2454         * ftl/FTLLowerDFGToB3.cpp:
2455         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
2456         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
2457         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
2458         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
2459         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
2460         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2461         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
2462         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
2463
2464 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2465
2466         [JSC] Introduce @putByIdDirectPrivate
2467         https://bugs.webkit.org/show_bug.cgi?id=184400
2468
2469         Reviewed by Saam Barati.
2470
2471         This patch adds @putByIdDirectPrivate() for use in builtin JS.
2472         @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
2473         for accessing ECMAScript internal fields.
2474 
2475         This change removes an accidental [[Put]] operation on an object whose [[Prototype]]
2476         has internal fields (not direct properties). By using @getByIdDirectPrivate() and
2477         @putByIdDirectPrivate(), we strictly keep the semantics of ECMAScript internal
2478         fields: accessing internal fields does not traverse the prototype chain.
2479
2480         * builtins/ArrayIteratorPrototype.js:
2481         (globalPrivate.arrayIteratorValueNext):
2482         (globalPrivate.arrayIteratorKeyNext):
2483         (globalPrivate.arrayIteratorKeyValueNext):
2484         * builtins/ArrayPrototype.js:
2485         (globalPrivate.createArrayIterator):
2486         * builtins/AsyncFromSyncIteratorPrototype.js:
2487         (globalPrivate.AsyncFromSyncIteratorConstructor):
2488         * builtins/AsyncFunctionPrototype.js:
2489         (globalPrivate.asyncFunctionResume):
2490         * builtins/AsyncGeneratorPrototype.js:
2491         (globalPrivate.asyncGeneratorQueueEnqueue):
2492         (globalPrivate.asyncGeneratorQueueDequeue):
2493         (asyncGeneratorYieldAwaited):
2494         (globalPrivate.asyncGeneratorYield):
2495         (globalPrivate.doAsyncGeneratorBodyCall):
2496         (globalPrivate.asyncGeneratorResumeNext):
2497         * builtins/GeneratorPrototype.js:
2498         (globalPrivate.generatorResume):
2499         * builtins/MapIteratorPrototype.js:
2500         (globalPrivate.mapIteratorNext):
2501         * builtins/MapPrototype.js:
2502         (globalPrivate.createMapIterator):
2503         * builtins/ModuleLoaderPrototype.js:
2504         (forceFulfillPromise):
2505         * builtins/PromiseOperations.js:
2506         (globalPrivate.newHandledRejectedPromise):
2507         (globalPrivate.rejectPromise):
2508         (globalPrivate.fulfillPromise):
2509         (globalPrivate.initializePromise):
2510         * builtins/PromisePrototype.js:
2511         (then):
2512         * builtins/SetIteratorPrototype.js:
2513         (globalPrivate.setIteratorNext):
2514         * builtins/SetPrototype.js:
2515         (globalPrivate.createSetIterator):
2516         * builtins/StringIteratorPrototype.js:
2517         (next):
2518         * bytecode/BytecodeIntrinsicRegistry.h:
2519         * bytecompiler/NodesCodegen.cpp:
2520         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
2521         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
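
        The [[Put]] versus direct-access distinction this entry relies on, as an added
        example that is not part of the patch or of JSC's own code: ordinary scripts
        cannot call @putByIdDirectPrivate or @getByIdDirectPrivate, so
        Object.defineProperty and Object.getOwnPropertyDescriptor stand in for the
        intrinsics below. The prototype, the property name "state" and the helper
        names are assumptions made for the illustration. It shows why a plain
        assignment is the wrong tool for per-object internal state: an accessor on
        the prototype chain intercepts the write and no own property is ever
        created, while a direct define lands on the receiver regardless of the chain.

```javascript
// Added illustration, not part of the WebKit patch above. Public-API analog of
// @putByIdDirectPrivate / @getByIdDirectPrivate: Object.defineProperty and
// Object.getOwnPropertyDescriptor. All names here are hypothetical.

const capturedWrites = []; // records every value the prototype setter sees

// A prototype that defines an accessor under the very name we want to use
// for per-object state. Anything inheriting from it is affected.
const proto = {
  set state(v) { capturedWrites.push(v); },
  get state() { return "intercepted"; },
};

// [[Put]]: obj.state = value. The prototype setter runs and no own property
// is ever created on obj, so the "internal" state silently leaks to the
// setter and is lost to the object itself.
function storeViaPut(obj, value) {
  obj.state = value;
  return Object.prototype.hasOwnProperty.call(obj, "state");
}

// Direct define: creates (or updates) an own data property on obj without
// consulting the prototype chain; no setter is invoked.
function storeDirect(obj, value) {
  Object.defineProperty(obj, "state", {
    value, writable: true, configurable: true, enumerable: false,
  });
  return Object.prototype.hasOwnProperty.call(obj, "state");
}

// Direct read: only the receiver's own property counts; a getter on the
// prototype is never consulted.
function readDirect(obj) {
  const desc = Object.getOwnPropertyDescriptor(obj, "state");
  return desc === undefined ? undefined : desc.value;
}

// Runs both strategies against fresh inheritors of proto and reports what
// each one observed.
function demo() {
  capturedWrites.length = 0;

  const viaPut = Object.create(proto);
  const putCreatedOwn = storeViaPut(viaPut, 1);

  const viaDirect = Object.create(proto);
  const directCreatedOwn = storeDirect(viaDirect, 2);

  return {
    putCreatedOwn,                          // false: swallowed by the setter
    putIntercepted: capturedWrites.length,  // 1: the setter saw the write
    putReadsBack: viaPut.state,             // "intercepted": getter, not our value
    directCreatedOwn,                       // true: own data property exists
    directReadsBack: readDirect(viaDirect), // 2: own value, chain ignored
    directPublicRead: viaDirect.state,      // 2: own property shadows the getter
  };
}
```

        Calling demo() returns the six observations listed in the comments. The
        same trap applies to any builtin that stores state on a user-controlled
        receiver: if the store goes through [[Put]], a setter anywhere on the
        receiver's prototype chain can observe or swallow it, which is exactly what
        the direct-private intrinsics in this patch avoid.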
2522
2523 2018-04-09  Mark Lam  <mark.lam@apple.com>
2524
2525         Decorate method table entries to support pointer profiling.
2526         https://bugs.webkit.org/show_bug.cgi?id=184430
2527         <rdar://problem/39296190>
2528
2529         Reviewed by Saam Barati.
2530
2531         * runtime/ClassInfo.h:
2532
2533 2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>
2534
2535         [WPE] Don't install JSC C API headers
2536         https://bugs.webkit.org/show_bug.cgi?id=184375
2537
2538         Reviewed by Žan Doberšek.
2539
2540         None of the functions declared in these headers are exported in WPE. Use the new jsc API
2541         instead.
2542
2543         * PlatformWPE.cmake:
2544
2545 2018-04-08  Mark Lam  <mark.lam@apple.com>
2546
2547         Add pointer profiling to the FTL and supporting code.
2548         https://bugs.webkit.org/show_bug.cgi?id=184395
2549         <rdar://problem/39264019>
2550
2551         Reviewed by Michael Saboff and Filip Pizlo.
2552
2553         * assembler/CodeLocation.h:
2554         (JSC::CodeLocationLabel::retagged):
2555         (JSC::CodeLocationJump::retagged):
2556         * assembler/LinkBuffer.h:
2557         (JSC::LinkBuffer::locationOf):
2558         * dfg/DFGJITCompiler.cpp:
2559         (JSC::DFG::JITCompiler::linkOSRExits):
2560         (JSC::DFG::JITCompiler::link):
2561         * ftl/FTLCompile.cpp:
2562         (JSC::FTL::compile):
2563         * ftl/FTLExceptionTarget.cpp:
2564         (JSC::FTL::ExceptionTarget::label):
2565         (JSC::FTL::ExceptionTarget::jumps):
2566         * ftl/FTLExceptionTarget.h:
2567         * ftl/FTLJITCode.cpp:
2568         (JSC::FTL::JITCode::executableAddressAtOffset):
2569         * ftl/FTLLazySlowPath.cpp:
2570         (JSC::FTL::LazySlowPath::~LazySlowPath):
2571         (JSC::FTL::LazySlowPath::initialize):
2572         (JSC::FTL::LazySlowPath::generate):
2573         (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
2574         * ftl/FTLLazySlowPath.h:
2575         * ftl/FTLLink.cpp:
2576         (JSC::FTL::link):
2577         * ftl/FTLLowerDFGToB3.cpp:
2578         (JSC::FTL::DFG::LowerDFGToB3::lower):
2579         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2580         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2581         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2582         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2583         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2584         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2585         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
2586         * ftl/FTLOSRExitCompiler.cpp:
2587         (JSC::FTL::compileStub):
2588         (JSC::FTL::compileFTLOSRExit):
2589         * ftl/FTLOSRExitHandle.cpp:
2590         (JSC::FTL::OSRExitHandle::emitExitThunk):
2591         * ftl/FTLOperations.cpp:
2592         (JSC::FTL::compileFTLLazySlowPath):
2593         * ftl/FTLOutput.h:
2594         (JSC::FTL::Output::callWithoutSideEffects):
2595         (JSC::FTL::Output::operation):
2596         * ftl/FTLPatchpointExceptionHandle.cpp:
2597         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
2598         * ftl/FTLSlowPathCall.cpp:
2599         (JSC::FTL::SlowPathCallContext::makeCall):
2600         * ftl/FTLSlowPathCallKey.h:
2601         (JSC::FTL::SlowPathCallKey::withCallTarget):
2602         (JSC::FTL::SlowPathCallKey::callPtrTag const):
2603         * ftl/FTLThunks.cpp:
2604         (JSC::FTL::genericGenerationThunkGenerator):
2605         (JSC::FTL::osrExitGenerationThunkGenerator):
2606         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
2607         (JSC::FTL::slowPathCallThunkGenerator):
2608         * jit/JITMathIC.h:
2609         (JSC::isProfileEmpty):
2610         * jit/Repatch.cpp:
2611         (JSC::readPutICCallTarget):
2612         (JSC::ftlThunkAwareRepatchCall):
2613         (JSC::tryCacheGetByID):
2614         (JSC::repatchGetByID):
2615         (JSC::tryCachePutByID):
2616         (JSC::repatchPutByID):
2617         (JSC::repatchIn):
2618         (JSC::resetGetByID):
2619         (JSC::resetPutByID):
2620         (JSC::readCallTarget): Deleted.
2621         * jit/Repatch.h:
2622         * runtime/PtrTag.h:
2623
2624 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2625
2626         Unreviewed, attempt to fix Windows build
2627         https://bugs.webkit.org/show_bug.cgi?id=183508
2628
2629         * jit/JIT.h:
2630
2631 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2632
2633         Unreviewed, build fix for Windows by suppressing padding warning for JIT
2634         https://bugs.webkit.org/show_bug.cgi?id=183508
2635
2636         * jit/JIT.h:
2637
2638 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2639
2640         Use alignas instead of compiler-specific attributes
2641         https://bugs.webkit.org/show_bug.cgi?id=183508
2642
2643         Reviewed by Mark Lam.
2644
2645         Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
2646
2647         * heap/RegisterState.h:
2648         * jit/JIT.h:
2649         (JSC::JIT::compile): Deleted.
2650         (JSC::JIT::compileGetByVal): Deleted.
2651         (JSC::JIT::compileGetByValWithCachedId): Deleted.
2652         (JSC::JIT::compilePutByVal): Deleted.
2653         (JSC::JIT::compileDirectPutByVal): Deleted.
2654         (JSC::JIT::compilePutByValWithCachedId): Deleted.
2655         (JSC::JIT::compileHasIndexedProperty): Deleted.
2656         (JSC::JIT::appendCall): Deleted.
2657         (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
2658         (JSC::JIT::exceptionCheck): Deleted.
2659         (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
2660         (JSC::JIT::emitInt32Load): Deleted.
2661         (JSC::JIT::emitInt32GetByVal): Deleted.
2662         (JSC::JIT::emitInt32PutByVal): Deleted.
2663         (JSC::JIT::emitDoublePutByVal): Deleted.
2664         (JSC::JIT::emitContiguousPutByVal): Deleted.
2665         (JSC::JIT::emitStoreCell): Deleted.
2666         (JSC::JIT::getSlowCase): Deleted.
2667         (JSC::JIT::linkSlowCase): Deleted.
2668         (JSC::JIT::linkDummySlowCase): Deleted.
2669         (JSC::JIT::linkAllSlowCases): Deleted.
2670         (JSC::JIT::callOperation): Deleted.
2671         (JSC::JIT::callOperationWithProfile): Deleted.
2672         (JSC::JIT::callOperationWithResult): Deleted.
2673         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
2674         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
2675         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
2676         (JSC::JIT::sampleCodeBlock): Deleted.
2677         (JSC::JIT::canBeOptimized): Deleted.
2678         (JSC::JIT::canBeOptimizedOrInlined): Deleted.
2679         (JSC::JIT::shouldEmitProfiling): Deleted.
2680         * runtime/VM.h:
2681
2682 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2683
2684         Unreviewed, follow-up patch for DFG 32bit
2685         https://bugs.webkit.org/show_bug.cgi?id=183970
2686
2687         * dfg/DFGSpeculativeJIT32_64.cpp:
2688         (JSC::DFG::SpeculativeJIT::cachedGetById):
2689
2690 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2691
2692         [JSC] Fix incorrect assertion for VM's regexp buffer lock
2693         https://bugs.webkit.org/show_bug.cgi?id=184398
2694
2695         Reviewed by Mark Lam.
2696
2697         The isLocked check before taking a lock is incorrect.
2698
2699         * runtime/VM.cpp:
2700         (JSC::VM::acquireRegExpPatternContexBuffer):
2701
2702 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2703
2704         [JSC] Introduce op_get_by_id_direct
2705         https://bugs.webkit.org/show_bug.cgi?id=183970
2706
2707         Reviewed by Filip Pizlo.
2708
2709         This patch introduces the op_get_by_id_direct bytecode. This is super similar to op_get_by_id.
2710         But it just performs the [[GetOwnProperty]] operation instead of [[Get]]. We support this
2711         in all the tiers, so using this opcode does not lead to inefficiency.
2712
2713         The main purpose of op_get_by_id_direct is to use it for private properties. We are using
2714         properties indexed with private symbols to implement ECMAScript internal fields. Before this
2715         patch, we just used get and put operations. However, that is not the correct semantics: accessing
2716         the internal fields should not traverse the prototype chain, as specified in the spec.
2717         We use op_get_by_id_direct to access properties which are used as internal fields, so that
2718         prototype chains are not traversed.
2719
2720         To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
2721         When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
2722         bytecode `op_get_by_id_direct, object, @name`.
2723
2724         * builtins/ArrayIteratorPrototype.js:
2725         (next):
2726         (globalPrivate.arrayIteratorValueNext):
2727         (globalPrivate.arrayIteratorKeyNext):
2728         (globalPrivate.arrayIteratorKeyValueNext):
2729         * builtins/AsyncFromSyncIteratorPrototype.js:
2730         * builtins/AsyncFunctionPrototype.js:
2731         (globalPrivate.asyncFunctionResume):
2732         * builtins/AsyncGeneratorPrototype.js:
2733         (globalPrivate.asyncGeneratorQueueIsEmpty):
2734         (globalPrivate.asyncGeneratorQueueEnqueue):
2735         (globalPrivate.asyncGeneratorQueueDequeue):
2736         (globalPrivate.asyncGeneratorDequeue):
2737         (globalPrivate.isExecutionState):
2738         (globalPrivate.isSuspendYieldState):
2739         (globalPrivate.asyncGeneratorReject):
2740         (globalPrivate.asyncGeneratorResolve):
2741         (globalPrivate.doAsyncGeneratorBodyCall):
2742         (globalPrivate.asyncGeneratorEnqueue):
2743         * builtins/GeneratorPrototype.js:
2744         (globalPrivate.generatorResume):
2745         (next):
2746         (return):
2747         (throw):
2748         * builtins/MapIteratorPrototype.js:
2749         (next):
2750         * builtins/PromiseOperations.js:
2751         (globalPrivate.isPromise):
2752         (globalPrivate.rejectPromise):
2753         (globalPrivate.fulfillPromise):
2754         * builtins/PromisePrototype.js:
2755         (then):
2756         * builtins/SetIteratorPrototype.js:
2757         (next):
2758         * builtins/StringIteratorPrototype.js:
2759         (next):
2760         * builtins/TypedArrayConstructor.js:
2761         (of):
2762         (from):
2763         * bytecode/BytecodeDumper.cpp:
2764         (JSC::BytecodeDumper<Block>::dumpBytecode):
2765         * bytecode/BytecodeIntrinsicRegistry.h:
2766         * bytecode/BytecodeList.json:
2767         * bytecode/BytecodeUseDef.h:
2768         (JSC::computeUsesForBytecodeOffset):
2769         (JSC::computeDefsForBytecodeOffset):
2770         * bytecode/CodeBlock.cpp:
2771         (JSC::CodeBlock::finishCreation):
2772         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2773         * bytecode/GetByIdStatus.cpp:
2774         (JSC::GetByIdStatus::computeFromLLInt):
2775         (JSC::GetByIdStatus::computeFor):
2776         * bytecode/StructureStubInfo.cpp:
2777         (JSC::StructureStubInfo::reset):
2778         * bytecode/StructureStubInfo.h:
2779         (JSC::appropriateOptimizingGetByIdFunction):
2780         (JSC::appropriateGenericGetByIdFunction):
2781         * bytecompiler/BytecodeGenerator.cpp:
2782         (JSC::BytecodeGenerator::emitDirectGetById):
2783         * bytecompiler/BytecodeGenerator.h:
2784         * bytecompiler/NodesCodegen.cpp:
2785         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
2786         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
2787         * dfg/DFGAbstractInterpreterInlines.h:
2788         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2789         * dfg/DFGByteCodeParser.cpp:
2790         (JSC::DFG::ByteCodeParser::handleGetById):
2791         (JSC::DFG::ByteCodeParser::parseBlock):
2792         * dfg/DFGCapabilities.cpp:
2793         (JSC::DFG::capabilityLevel):
2794         * dfg/DFGClobberize.h:
2795         (JSC::DFG::clobberize):
2796         * dfg/DFGConstantFoldingPhase.cpp:
2797         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2798         * dfg/DFGDoesGC.cpp:
2799         (JSC::DFG::doesGC):
2800         * dfg/DFGFixupPhase.cpp:
2801         (JSC::DFG::FixupPhase::fixupNode):
2802         * dfg/DFGNode.h:
2803         (JSC::DFG::Node::convertToGetByOffset):
2804         (JSC::DFG::Node::convertToMultiGetByOffset):
2805         (JSC::DFG::Node::hasIdentifier):
2806         (JSC::DFG::Node::hasHeapPrediction):
2807         * dfg/DFGNodeType.h:
2808         * dfg/DFGOperations.cpp:
2809         * dfg/DFGOperations.h:
2810         * dfg/DFGPredictionPropagationPhase.cpp:
2811         * dfg/DFGSafeToExecute.h:
2812         (JSC::DFG::safeToExecute):
2813         * dfg/DFGSpeculativeJIT.cpp:
2814         (JSC::DFG::SpeculativeJIT::compileGetById):
2815         (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
2816         (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
2817         * dfg/DFGSpeculativeJIT.h:
2818         * dfg/DFGSpeculativeJIT32_64.cpp:
2819         (JSC::DFG::SpeculativeJIT::cachedGetById):
2820         (JSC::DFG::SpeculativeJIT::compile):
2821         * dfg/DFGSpeculativeJIT64.cpp:
2822         (JSC::DFG::SpeculativeJIT::cachedGetById):
2823         (JSC::DFG::SpeculativeJIT::compile):
2824         * ftl/FTLCapabilities.cpp:
2825         (JSC::FTL::canCompile):
2826         * ftl/FTLLowerDFGToB3.cpp:
2827         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2828         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2829         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
2830         (JSC::FTL::DFG::LowerDFGToB3::getById):
2831         * jit/JIT.cpp:
2832         (JSC::JIT::privateCompileMainPass):
2833         (JSC::JIT::privateCompileSlowCases):
2834         * jit/JIT.h:
2835         * jit/JITOperations.cpp:
2836         * jit/JITOperations.h:
2837         * jit/JITPropertyAccess.cpp:
2838         (JSC::JIT::emit_op_get_by_id_direct):
2839         (JSC::JIT::emitSlow_op_get_by_id_direct):
2840         * jit/JITPropertyAccess32_64.cpp:
2841         (JSC::JIT::emit_op_get_by_id_direct):
2842         (JSC::JIT::emitSlow_op_get_by_id_direct):
2843         * jit/Repatch.cpp:
2844         (JSC::appropriateOptimizingGetByIdFunction):
2845         (JSC::appropriateGetByIdFunction):
2846         (JSC::tryCacheGetByID):
2847         (JSC::repatchGetByID):
2848         (JSC::appropriateGenericGetByIdFunction): Deleted.
2849         * jit/Repatch.h:
2850         * llint/LLIntSlowPaths.cpp:
2851         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2852         * llint/LLIntSlowPaths.h:
2853         * llint/LowLevelInterpreter32_64.asm:
2854         * llint/LowLevelInterpreter64.asm:
2855         * runtime/JSCJSValue.h:
2856         * runtime/JSCJSValueInlines.h:
2857         (JSC::JSValue::getOwnPropertySlot const):
2858         * runtime/JSObject.h:
2859         * runtime/JSObjectInlines.h:
2860         (JSC::JSObject::getOwnPropertySlotInline):
2861
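The [[Get]] versus [[GetOwnProperty]] distinction behind op_get_by_id_direct, as an added example that is not WebKit code. Because @getByIdDirectPrivate() is only available to JSC's builtins, a Symbol stands in for the private symbol and Object.getOwnPropertyDescriptor() stands in for the own-property-only lookup; both stand-ins are this example's own choices.

```javascript
// Added example, not WebKit code: why a lookup of an internal field must not
// traverse the prototype chain. A Symbol stands in for a JSC private symbol and
// Object.getOwnPropertyDescriptor() stands in for op_get_by_id_direct.

const kInternalSlot = Symbol("internal slot"); // constructed stand-in for a private symbol

// op_get_by_id semantics ([[Get]]): walks the prototype chain and runs any getter it finds.
function getViaGet(object) {
  return object[kInternalSlot];
}

// op_get_by_id_direct semantics ([[GetOwnProperty]]): only the receiver's own property,
// never the prototype chain; a missing field reads as undefined. Internal fields are
// data properties, so only the descriptor's value is of interest here.
function getViaGetOwnProperty(object) {
  const desc = Object.getOwnPropertyDescriptor(object, kInternalSlot);
  return desc === undefined ? undefined : desc.value;
}

// Scenario (constructed): the receiver has no own internal field, but its prototype
// defines an accessor under the same key and counts how often it is invoked.
function makeScenario() {
  const state = { getterCalls: 0 };
  const proto = {};
  Object.defineProperty(proto, kInternalSlot, {
    get() {
      state.getterCalls += 1;
      return "value produced by prototype getter";
    },
  });
  const receiver = Object.create(proto); // own internal field is absent
  return { receiver, state };
}

// Reads the unset field both ways and reports what each lookup observed.
function compareLookups() {
  const { receiver, state } = makeScenario();
  const viaGet = getViaGet(receiver);
  const callsAfterGet = state.getterCalls;   // 1: [[Get]] ran code from the prototype
  const viaOwn = getViaGetOwnProperty(receiver);
  const callsAfterOwn = state.getterCalls;   // still 1: [[GetOwnProperty]] did not
  return { viaGet, viaOwn, callsAfterGet, callsAfterOwn };
}

// Once the field is actually set on the receiver, both lookups agree.
function compareAfterSet() {
  const { receiver } = makeScenario();
  Object.defineProperty(receiver, kInternalSlot, { value: 42, writable: true });
  return { viaGet: getViaGet(receiver), viaOwn: getViaGetOwnProperty(receiver) };
}
```

The first comparison is the case the patch fixes: with plain get semantics an unset internal field is satisfied by the prototype, and prototype code runs during what should be a pure slot read.
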
2862 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2863
2864         [JSC] Remove several asXXX functions
2865         https://bugs.webkit.org/show_bug.cgi?id=184355
2866
2867         Reviewed by JF Bastien.
2868
2869         Remove asActivation, asInternalFunction, and asGetterSetter.
2870         Use jsCast<> / jsDynamicCast<> consistently.
2871
2872         * runtime/ArrayConstructor.cpp:
2873         (JSC::constructArrayWithSizeQuirk):
2874         * runtime/AsyncFunctionConstructor.cpp:
2875         (JSC::callAsyncFunctionConstructor):
2876         (JSC::constructAsyncFunctionConstructor):
2877         * runtime/AsyncGeneratorFunctionConstructor.cpp:
2878         (JSC::callAsyncGeneratorFunctionConstructor):
2879         (JSC::constructAsyncGeneratorFunctionConstructor):
2880         * runtime/BooleanConstructor.cpp:
2881         (JSC::constructWithBooleanConstructor):
2882         * runtime/DateConstructor.cpp:
2883         (JSC::constructWithDateConstructor):
2884         * runtime/ErrorConstructor.cpp:
2885         (JSC::Interpreter::constructWithErrorConstructor):
2886         (JSC::Interpreter::callErrorConstructor):
2887         * runtime/FunctionConstructor.cpp:
2888         (JSC::constructWithFunctionConstructor):
2889         (JSC::callFunctionConstructor):
2890         * runtime/FunctionPrototype.cpp:
2891         (JSC::functionProtoFuncToString):
2892         * runtime/GeneratorFunctionConstructor.cpp:
2893         (JSC::callGeneratorFunctionConstructor):
2894         (JSC::constructGeneratorFunctionConstructor):
2895         * runtime/GetterSetter.h:
2896         (JSC::asGetterSetter): Deleted.
2897         * runtime/InternalFunction.h:
2898         (JSC::asInternalFunction): Deleted.
2899         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2900         (JSC::constructGenericTypedArrayView):
2901         * runtime/JSLexicalEnvironment.h:
2902         (JSC::asActivation): Deleted.
2903         * runtime/JSObject.cpp:
2904         (JSC::validateAndApplyPropertyDescriptor):
2905         * runtime/MapConstructor.cpp:
2906         (JSC::constructMap):
2907         * runtime/PropertyDescriptor.cpp:
2908         (JSC::PropertyDescriptor::setDescriptor):
2909         * runtime/RegExpConstructor.cpp:
2910         (JSC::constructWithRegExpConstructor):
2911         (JSC::callRegExpConstructor):
2912         * runtime/SetConstructor.cpp:
2913         (JSC::constructSet):
2914         * runtime/StringConstructor.cpp:
2915         (JSC::constructWithStringConstructor):
2916         * runtime/WeakMapConstructor.cpp:
2917         (JSC::constructWeakMap):
2918         * runtime/WeakSetConstructor.cpp:
2919         (JSC::constructWeakSet):
2920         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2921         (JSC::constructJSWebAssemblyCompileError):
2922         (JSC::callJSWebAssemblyCompileError):
2923         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2924         (JSC::constructJSWebAssemblyLinkError):
2925         (JSC::callJSWebAssemblyLinkError):
2926         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2927         (JSC::constructJSWebAssemblyRuntimeError):
2928         (JSC::callJSWebAssemblyRuntimeError):
2929
2930 2018-04-05  Mark Lam  <mark.lam@apple.com>
2931
2932         MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
2933         https://bugs.webkit.org/show_bug.cgi?id=184347
2934         <rdar://problem/39183165>
2935
2936         Reviewed by Michael Saboff.
2937
2938         * assembler/MacroAssemblerCodeRef.h:
2939         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2940         (JSC::MacroAssemblerCodePtr::retagged const):
2941
2942 2018-04-05  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
2943
2944         [MIPS] Optimize generated JIT code for branches
2945         https://bugs.webkit.org/show_bug.cgi?id=183130
2946
2947         Reviewed by Yusuke Suzuki.
2948
2949         The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
2950         branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
2951         to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
2952         However, this adds a significant overhead for all other types of branches. Since these nop's
2953         protect the code that is generated by branchPtrWithPatch, this function seems like a better
2954         place to add them.
2955
2956         * assembler/MIPSAssembler.h:
2957         (JSC::MIPSAssembler::repatchInt32):
2958         (JSC::MIPSAssembler::revertJumpToMove):
2959         * assembler/MacroAssemblerMIPS.h:
2960         (JSC::MacroAssemblerMIPS::branchAdd32):
2961         (JSC::MacroAssemblerMIPS::branchMul32):
2962         (JSC::MacroAssemblerMIPS::branchSub32):
2963         (JSC::MacroAssemblerMIPS::branchNeg32):
2964         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
2965         (JSC::MacroAssemblerMIPS::branchEqual):
2966         (JSC::MacroAssemblerMIPS::branchNotEqual):
2967
2968 2018-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2969
2970         [WTF] Remove StaticLock
2971         https://bugs.webkit.org/show_bug.cgi?id=184332
2972
2973         Reviewed by Mark Lam.
2974
2975         * API/JSValue.mm:
2976         (handerForStructTag):
2977         * API/JSVirtualMachine.mm:
2978         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
2979         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
2980         * API/glib/JSCVirtualMachine.cpp:
2981         (addWrapper):
2982         (removeWrapper):
2983         * assembler/testmasm.cpp:
2984         * b3/air/testair.cpp:
2985         * b3/testb3.cpp:
2986         * bytecode/SuperSampler.cpp:
2987         * dfg/DFGCommon.cpp:
2988         * dfg/DFGCommonData.cpp:
2989         * dynbench.cpp:
2990         * heap/MachineStackMarker.cpp:
2991         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2992         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
2993         (Inspector::RemoteTargetHandleRunSourceGlobal):
2994         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
2995         * interpreter/CLoopStack.cpp:
2996         * parser/SourceProvider.cpp:
2997         * profiler/ProfilerDatabase.cpp:
2998         * profiler/ProfilerUID.cpp:
2999         (JSC::Profiler::UID::create):
3000         * runtime/IntlObject.cpp:
3001         (JSC::numberingSystemsForLocale):
3002         * runtime/JSLock.cpp:
3003         * runtime/JSLock.h:
3004         * runtime/SamplingProfiler.cpp:
3005         (JSC::SamplingProfiler::registerForReportAtExit):
3006         * runtime/VM.cpp:
3007         * wasm/WasmFaultSignalHandler.cpp:
3008
3009 2018-04-04  Mark Lam  <mark.lam@apple.com>
3010
3011         Add pointer profiling support to the DFG and supporting files.
3012         https://bugs.webkit.org/show_bug.cgi?id=184316
3013         <rdar://problem/39188524>
3014
3015         Reviewed by Filip Pizlo.
3016
3017         1. Profile lots of pointers with PtrTags.
3018
3019         2. Remove PtrTag.cpp and make ptrTagName() into an inline function.  It's only
3020            used for debugging anyway, and not normally called in the code.  Making it
3021            an inline function prevents it from taking up code space in builds when not in
3022            use.
3023
3024         3. Change the call to the arityFixupThunk in DFG code to be a near call.
3025            It doesn't need to be a far call.
3026
3027         * CMakeLists.txt:
3028         * JavaScriptCore.xcodeproj/project.pbxproj:
3029         * Sources.txt:
3030         * assembler/testmasm.cpp:
3031         (JSC::testProbeModifiesProgramCounter):
3032         * b3/B3LowerMacros.cpp:
3033         * b3/air/AirCCallSpecial.cpp:
3034         (JSC::B3::Air::CCallSpecial::generate):
3035         * b3/air/AirCCallSpecial.h:
3036         * b3/testb3.cpp:
3037         (JSC::B3::testInterpreter):
3038         * bytecode/AccessCase.cpp:
3039         (JSC::AccessCase::generateImpl):
3040         * bytecode/HandlerInfo.h:
3041         (JSC::HandlerInfo::initialize):
3042         * bytecode/PolymorphicAccess.cpp:
3043         (JSC::PolymorphicAccess::regenerate):
3044         * dfg/DFGJITCompiler.cpp:
3045         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3046         (JSC::DFG::JITCompiler::link):
3047         (JSC::DFG::JITCompiler::compileFunction):
3048         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3049         * dfg/DFGJITCompiler.h:
3050         (JSC::DFG::JITCompiler::appendCall):
3051         * dfg/DFGOSREntry.cpp:
3052         (JSC::DFG::prepareOSREntry):
3053         * dfg/DFGOSRExit.cpp:
3054         (JSC::DFG::reifyInlinedCallFrames):
3055         (JSC::DFG::adjustAndJumpToTarget):
3056         (JSC::DFG::OSRExit::emitRestoreArguments):
3057         (JSC::DFG::OSRExit::compileOSRExit):
3058         * dfg/DFGOSRExitCompilerCommon.cpp:
3059         (JSC::DFG::handleExitCounts):
3060         (JSC::DFG::reifyInlinedCallFrames):
3061         (JSC::DFG::osrWriteBarrier):
3062         (JSC::DFG::adjustAndJumpToTarget):
3063         * dfg/DFGOperations.cpp:
3064         * dfg/DFGSlowPathGenerator.h:
3065         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
3066         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
3067         (JSC::DFG::slowPathCall):
3068         * dfg/DFGSpeculativeJIT.cpp:
3069         (JSC::DFG::SpeculativeJIT::compileMathIC):
3070         * dfg/DFGSpeculativeJIT.h:
3071         (JSC::DFG::SpeculativeJIT::callOperation):
3072         (JSC::DFG::SpeculativeJIT::appendCall):
3073         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3074         * dfg/DFGSpeculativeJIT64.cpp:
3075         (JSC::DFG::SpeculativeJIT::cachedGetById):
3076         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3077         (JSC::DFG::SpeculativeJIT::cachedPutById):
3078         (JSC::DFG::SpeculativeJIT::compile):
3079         * dfg/DFGThunks.cpp:
3080         (JSC::DFG::osrExitThunkGenerator):
3081         (JSC::DFG::osrExitGenerationThunkGenerator):
3082         (JSC::DFG::osrEntryThunkGenerator):
3083         * jit/AssemblyHelpers.cpp:
3084         (JSC::AssemblyHelpers::emitDumbVirtualCall):
3085         * jit/JIT.cpp:
3086         (JSC::JIT::emitEnterOptimizationCheck):
3087         (JSC::JIT::compileWithoutLinking):
3088         * jit/JITCall.cpp:
3089         (JSC::JIT::compileOpCallSlowCase):
3090         * jit/JITMathIC.h:
3091         (JSC::isProfileEmpty):
3092         * jit/JITOpcodes.cpp:
3093         (JSC::JIT::emit_op_catch):
3094         (JSC::JIT::emitSlow_op_loop_hint):
3095         * jit/JITOperations.cpp:
3096         * jit/Repatch.cpp:
3097         (JSC::linkSlowFor):
3098         (JSC::linkFor):
3099         (JSC::revertCall):
3100         (JSC::unlinkFor):
3101         (JSC::linkVirtualFor):
3102         (JSC::linkPolymorphicCall):
3103         * jit/ThunkGenerators.cpp:
3104         (JSC::throwExceptionFromCallSlowPathGenerator):
3105         (JSC::linkCallThunkGenerator):
3106         (JSC::linkPolymorphicCallThunkGenerator):
3107         (JSC::virtualThunkFor):
3108         (JSC::arityFixupGenerator):
3109         (JSC::unreachableGenerator):
3110         * runtime/PtrTag.cpp: Removed.
3111         * runtime/PtrTag.h:
3112         (JSC::ptrTagName):
3113         * runtime/VMEntryScope.cpp:
3114         * wasm/js/WasmToJS.cpp:
3115         (JSC::Wasm::wasmToJS):
3116
3117 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
3118
3119         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
3120         https://bugs.webkit.org/show_bug.cgi?id=184319
3121
3122         Reviewed by Saam Barati.
3123
3124         In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
3125         assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
3126         the ArrayPush.
3127
3128         But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
3129         GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
3130         eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
3131         with a GetByVal(SaneChain), then we will hit the assertion.
3132
3133         This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
3134         tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
3135         than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
3136
3137         * dfg/DFGCSEPhase.cpp:
3138         * dfg/DFGClobberize.h:
3139         (JSC::DFG::clobberize):
3140         * dfg/DFGHeapLocation.cpp:
3141         (WTF::printInternal):
3142         * dfg/DFGHeapLocation.h:
3143         * dfg/DFGSpeculativeJIT.cpp:
3144         (JSC::DFG::SpeculativeJIT::compileArrayPush):
3145
3146 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
3147
3148         Remove poisoning of typed array vector
3149         https://bugs.webkit.org/show_bug.cgi?id=184313
3150
3151         Reviewed by Saam Barati.
3152
3153         * dfg/DFGFixupPhase.cpp:
3154         (JSC::DFG::FixupPhase::checkArray):
3155         * dfg/DFGSpeculativeJIT.cpp:
3156         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
3157         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3158         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3159         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
3160         * ftl/FTLAbstractHeapRepository.h:
3161         * ftl/FTLLowerDFGToB3.cpp:
3162         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3163         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
3164         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3165         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
3166         * jit/IntrinsicEmitter.cpp:
3167         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
3168         * jit/JITPropertyAccess.cpp:
3169         (JSC::JIT::emitIntTypedArrayGetByVal):
3170         (JSC::JIT::emitFloatTypedArrayGetByVal):
3171         (JSC::JIT::emitIntTypedArrayPutByVal):
3172         (JSC::JIT::emitFloatTypedArrayPutByVal):
3173         * llint/LowLevelInterpreter.asm:
3174         * llint/LowLevelInterpreter64.asm:
3175         * offlineasm/arm64.rb:
3176         * offlineasm/x86.rb:
3177         * runtime/CagedBarrierPtr.h:
3178         * runtime/JSArrayBufferView.cpp:
3179         (JSC::JSArrayBufferView::JSArrayBufferView):
3180         (JSC::JSArrayBufferView::finalize):
3181         (JSC::JSArrayBufferView::neuter):
3182         * runtime/JSArrayBufferView.h:
3183         (JSC::JSArrayBufferView::vector const):
3184         (JSC::JSArrayBufferView::offsetOfVector):
3185         (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
3186         (JSC::JSArrayBufferView::poisonFor): Deleted.
3187         (JSC::JSArrayBufferView::Poison::key): Deleted.
3188         * runtime/JSCPoison.cpp:
3189         (JSC::initializePoison):
3190         * runtime/JSCPoison.h:
3191         * runtime/JSGenericTypedArrayViewInlines.h:
3192         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
3193         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
3194         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3195         * runtime/JSObject.h:
3196
3197 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3198
3199         Don't do index masking or poisoning for DirectArguments
3200         https://bugs.webkit.org/show_bug.cgi?id=184280
3201
3202         Reviewed by Saam Barati.
3203
3204         * JavaScriptCore.xcodeproj/project.pbxproj:
3205         * bytecode/AccessCase.cpp:
3206         (JSC::AccessCase::generateWithGuard):
3207         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3208         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
3209         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
3210         * dfg/DFGSpeculativeJIT.cpp:
3211         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3212         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3213         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3214         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
3215         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
3216         * ftl/FTLAbstractHeapRepository.h:
3217         * ftl/FTLLowerDFGToB3.cpp:
3218         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
3219         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3220         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3221         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
3222         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
3223         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3224         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
3225         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
3226         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
3227         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
3228         * heap/SecurityKind.h:
3229         * jit/JITPropertyAccess.cpp:
3230         (JSC::JIT::emit_op_get_from_arguments):
3231         (JSC::JIT::emit_op_put_to_arguments):
3232         (JSC::JIT::emitDirectArgumentsGetByVal):
3233         * jit/JITPropertyAccess32_64.cpp:
3234         (JSC::JIT::emit_op_get_from_arguments):
3235         (JSC::JIT::emit_op_put_to_arguments):
3236         * llint/LowLevelInterpreter.asm:
3237         * llint/LowLevelInterpreter32_64.asm:
3238         * llint/LowLevelInterpreter64.asm:
3239         * runtime/DirectArguments.cpp:
3240         (JSC::DirectArguments::DirectArguments):
3241         (JSC::DirectArguments::createUninitialized):
3242         (JSC::DirectArguments::create):
3243         (JSC::DirectArguments::createByCopying):
3244         (JSC::DirectArguments::estimatedSize):
3245         (JSC::DirectArguments::visitChildren):
3246         (JSC::DirectArguments::overrideThings):
3247         (JSC::DirectArguments::copyToArguments):
3248         (JSC::DirectArguments::mappedArgumentsSize):
3249         * runtime/DirectArguments.h:
3250         * runtime/JSCPoison.h:
3251         * runtime/JSLexicalEnvironment.h:
3252         * runtime/JSSymbolTableObject.h:
3253
3254 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3255
3256         JSArray::appendMemcpy seems to be missing a barrier
3257         https://bugs.webkit.org/show_bug.cgi?id=184290
3258
3259         Reviewed by Mark Lam.
3260         
3261         If you write to an array that may contain pointers and you didn't just allocate it, then you need to
3262         barrier right after.
3263         
3264         I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
3265         obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
3266
3267         * runtime/JSArray.cpp:
3268         (JSC::JSArray::appendMemcpy):
3269
3270 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3271
3272         GC shouldn't do object distancing
3273         https://bugs.webkit.org/show_bug.cgi?id=184195
3274
3275         Reviewed by Saam Barati.
3276         
3277         This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
3278         to be a small speed-up.
3279
3280         * CMakeLists.txt:
3281         * JavaScriptCore.xcodeproj/project.pbxproj:
3282         * Sources.txt:
3283         * heap/BlockDirectory.cpp:
3284         (JSC::BlockDirectory::findBlockForAllocation):
3285         (JSC::BlockDirectory::addBlock):
3286         * heap/BlockDirectory.h:
3287         * heap/CellAttributes.cpp:
3288         (JSC::CellAttributes::dump const):
3289         * heap/CellAttributes.h:
3290         (JSC::CellAttributes::CellAttributes):
3291         * heap/LocalAllocator.cpp:
3292         (JSC::LocalAllocator::allocateSlowCase):
3293         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
3294         * heap/MarkedBlock.cpp:
3295         (JSC::MarkedBlock::Handle::didAddToDirectory):
3296         * heap/MarkedBlock.h:
3297         (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
3298         * heap/SecurityKind.cpp: Removed.
3299         * heap/SecurityKind.h: Removed.
3300         * heap/SecurityOriginToken.cpp: Removed.
3301         * heap/SecurityOriginToken.h: Removed.
3302         * heap/ThreadLocalCache.cpp:
3303         (JSC::ThreadLocalCache::create):
3304         (JSC::ThreadLocalCache::ThreadLocalCache):
3305         * heap/ThreadLocalCache.h:
3306         (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
3307         * runtime/JSDestructibleObjectHeapCellType.cpp:
3308         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3309         * runtime/JSGlobalObject.cpp:
3310         (JSC::JSGlobalObject::JSGlobalObject):
3311         * runtime/JSGlobalObject.h:
3312         (JSC::JSGlobalObject::threadLocalCache const): Deleted.
3313         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
3314         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3315         * runtime/JSStringHeapCellType.cpp:
3316         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3317         * runtime/VM.cpp:
3318         (JSC::VM::VM):
3319         * runtime/VM.h:
3320         * runtime/VMEntryScope.cpp:
3321         (JSC::VMEntryScope::VMEntryScope):
3322         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
3323         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3324
3325 2018-04-02  Saam Barati  <sbarati@apple.com>
3326
3327         bmalloc should compute its own estimate of its footprint
3328         https://bugs.webkit.org/show_bug.cgi?id=184121
3329
3330         Reviewed by Filip Pizlo.
3331
3332         * heap/IsoAlignedMemoryAllocator.cpp:
3333         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3334         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3335         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3336
3337 2018-04-02  Mark Lam  <mark.lam@apple.com>
3338
3339         We should not trash the stack pointer on OSR entry.
3340         https://bugs.webkit.org/show_bug.cgi?id=184243
3341         <rdar://problem/39114319>
3342
3343         Reviewed by Filip Pizlo.
3344
3345         In the DFG OSR entry path, we momentarily overwrite the stack pointer with
3346         returnValueGPR2.  returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
3347         Hence, this assignment is wrong, and it turns out to be unnecessary as well.
3348         The stack pointer does get corrected later in the thunk (generated by
3349         osrEntryThunkGenerator()) that we jump to.  This is why we don't see ill effects
3350         so far.
3351
3352         This bug only poses an issue if interrupts use the user stack for their stack
3353         frame (e.g. Linux), and when we do stack alignment tests during debugging.
3354
3355         The fix is simply to remove the assignment.
3356
3357         * dfg/DFGThunks.cpp:
3358         (JSC::DFG::osrEntryThunkGenerator):
3359         * jit/JIT.cpp:
3360         (JSC::JIT::emitEnterOptimizationCheck):
3361
3362 2018-04-02  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3363
3364         [MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
3365         https://bugs.webkit.org/show_bug.cgi?id=183740
3366
3367         Reviewed by Yusuke Suzuki.
3368
3369         In many macro assembler methods with a TrustedImm32 operand, a move imm, immTemp (pseudo)instruction is
3370         first generated and a register-operand variant of the same method is called to generate the rest
3371         of the code. If the immediate value fits in 16 bits, we can skip the move instruction and
3372         generate more efficient code using MIPS instructions with an immediate operand.
3373
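As an added illustration of the 16-bit immediate decision this entry describes (an editor's example, not JSC code: the string-emitting helpers, the `$t9` scratch register name and the function names are assumptions that model the shape of MacroAssemblerMIPS rather than its real API):

```cpp
// Editor's example: a toy model of "use the immediate form when the value fits
// in 16 bits, otherwise load it into a temporary first". Register and function
// names are assumptions, not JSC's actual MacroAssemblerMIPS API.
#include <cstdint>
#include <string>
#include <vector>

using Instruction = std::string;
using Code = std::vector<Instruction>;

// Scratch register for immediates that do not fit (assumed name).
static const char* const immTempRegister = "$t9";

// addiu / slti sign-extend their 16-bit immediate field.
inline bool fitsSignedImm16(int64_t imm) { return imm >= -32768 && imm <= 32767; }
// andi / ori / xori zero-extend their 16-bit immediate field.
inline bool fitsUnsignedImm16(int64_t imm) { return imm >= 0 && imm <= 0xffff; }

// The "move imm, immTemp" pseudo-instruction the entry talks about skipping.
static Instruction loadImm(int32_t imm) {
    return std::string("li ") + immTempRegister + ", " + std::to_string(imm);
}

// add32(TrustedImm32 imm, RegisterID dest): dest += imm
Code add32(int32_t imm, const std::string& dest) {
    if (fitsSignedImm16(imm))
        return { "addiu " + dest + ", " + dest + ", " + std::to_string(imm) };
    return { loadImm(imm), "addu " + dest + ", " + dest + ", " + immTempRegister };
}

// sub32: MIPS has no subi, so subtract by adding the negated immediate.
// The negation is done in 64 bits so that INT32_MIN does not overflow and
// is correctly routed to the two-instruction form.
Code sub32(int32_t imm, const std::string& dest) {
    int64_t neg = -static_cast<int64_t>(imm);
    if (fitsSignedImm16(neg))
        return { "addiu " + dest + ", " + dest + ", " + std::to_string(neg) };
    return { loadImm(imm), "subu " + dest + ", " + dest + ", " + immTempRegister };
}

// xor32: xori zero-extends, so a negative immediate never fits even if small.
Code xor32(int32_t imm, const std::string& dest) {
    if (fitsUnsignedImm16(imm))
        return { "xori " + dest + ", " + dest + ", " + std::to_string(imm) };
    return { loadImm(imm), "xor " + dest + ", " + dest + ", " + immTempRegister };
}

// compare32LessThan: dest = (src < imm), using slti when the immediate fits.
Code compare32LessThan(const std::string& src, int32_t imm, const std::string& dest) {
    if (fitsSignedImm16(imm))
        return { "slti " + dest + ", " + src + ", " + std::to_string(imm) };
    return { loadImm(imm), "slt " + dest + ", " + src + ", " + immTempRegister };
}
```

The point worth checking in a real implementation is which instructions sign-extend and which zero-extend their immediate: `addiu` and `slti` accept -32768..32767, while `xori`/`ori`/`andi` accept 0..65535, so the "fits in 16 bits" test differs per opcode and a single shared check would emit wrong code for values such as -1 with `xori`.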
3374         * assembler/MIPSAssembler.h:
3375         (JSC::MIPSAssembler::slti):
3376         * assembler/MacroAssemblerMIPS.h:
3377         (JSC::MacroAssemblerMIPS::lshift32):
3378         (JSC::MacroAssemblerMIPS::xor32):
3379         (JSC::MacroAssemblerMIPS::branch8):
3380         (JSC::MacroAssemblerMIPS::compare8):
3381         (JSC::MacroAssemblerMIPS::branch32):
3382         (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
3383         (JSC::MacroAssemblerMIPS::branchTest32):
3384         (JSC::MacroAssemblerMIPS::mask8OnTest):
3385         (JSC::MacroAssemblerMIPS::branchTest8):
3386         (JSC::MacroAssemblerMIPS::branchAdd32):
3387         (JSC::MacroA