Unreviewed, rolling out r226600 and r226603
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-01-09  Michael Saboff  <msaboff@apple.com>
2
3         Unreviewed, rolling out r226600 and r226603
4         https://bugs.webkit.org/show_bug.cgi?id=181351
5
6         Add a DOM gadget for Spectre testing
7
8         * runtime/Options.h:
9
10 2018-01-09  Saam Barati  <sbarati@apple.com>
11
12         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
13         https://bugs.webkit.org/show_bug.cgi?id=181409
14
15         Reviewed by Keith Miller.
16
17         When I was looking at profiler data for Speedometer, I noticed that one of
18         the hottest functions in Speedometer is around 1100 bytecode operations long.
19         Only about 100 of those bytecode ops ever execute. However, we ended up
20         spending a lot of time compiling basic blocks that never executed. We often
21         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
22         This is the case when such a node never executes.
23         
24         This patch makes it so that anytime a block has a ForceOSRExit, we replace its
25         terminal node with an Unreachable node (and remove all nodes after the
26         ForceOSRExit). This will cut down on graph size when such a block dominates
27         other blocks in the CFG. This allows us to get rid of huge chunks of the CFG
28         in certain programs. When doing this transformation, we also insert
29         Flushes/PhantomLocals to ensure we can recover values that are bytecode
30         live-in to the ForceOSRExit.
31         
32         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
33         does not get rid of all the CFG that it could. If we decide it's worth
34         it, we could use additional inputs into this mechanism. For example, we could
35         profile if a basic block ever executes inside the LLInt/Baseline, and
36         remove parts of the CFG based on that.
37         
38         When running Speedometer with the concurrent JIT turned off, this patch
39         improves DFG/FTL compile times by around 5%.
40
41         * dfg/DFGByteCodeParser.cpp:
42         (JSC::DFG::ByteCodeParser::addToGraph):
43         (JSC::DFG::ByteCodeParser::parse):
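
The transformation Saam describes above, as an added illustration for this page (not code from the patch or from JavaScriptCore): a block that contains a ForceOSRExit is cut off after that node and given an Unreachable terminal with no successor edges, so every block the cold path used to dominate drops out of the graph. The Op/Node/Block/Graph types and the sample CFG are assumptions for the sketch; the real patch also inserts Flushes/PhantomLocals so bytecode-live values can be recovered at the exit, which the sketch leaves out.

```cpp
#include <cstddef>
#include <set>
#include <vector>

// Toy DFG-like IR. These types and node names are assumptions for this sketch,
// not JavaScriptCore's real DFG data structures.
enum class Op { GetLocal, Add, ForceOSRExit, Branch, Jump, Return, Unreachable };

struct Node { Op op; };

struct Block {
    std::vector<Node> nodes;         // the last node is the block's terminal
    std::vector<size_t> successors;  // indices into Graph::blocks
};

struct Graph {
    std::vector<Block> blocks;       // block 0 is the entry
};

// For every block containing a ForceOSRExit, drop the nodes after it and make
// Unreachable the terminal. Control never falls out of such a block (the only
// way out is the OSR exit itself), so its successor edges go away as well.
// Returns the number of blocks rewritten.
size_t replaceTerminalsAfterForceOSRExit(Graph& graph)
{
    size_t rewritten = 0;
    for (Block& block : graph.blocks) {
        for (size_t i = 0; i < block.nodes.size(); ++i) {
            if (block.nodes[i].op != Op::ForceOSRExit)
                continue;
            block.nodes.resize(i + 1);
            block.nodes.push_back(Node { Op::Unreachable });
            block.successors.clear();
            ++rewritten;
            break;
        }
    }
    return rewritten;
}

// Blocks reachable from the entry, by depth-first search over successor edges.
std::set<size_t> reachableBlocks(const Graph& graph)
{
    std::set<size_t> seen;
    std::vector<size_t> worklist { 0 };
    while (!worklist.empty()) {
        size_t b = worklist.back();
        worklist.pop_back();
        if (!seen.insert(b).second)
            continue;
        for (size_t s : graph.blocks[b].successors)
            worklist.push_back(s);
    }
    return seen;
}

// Empty every block the entry can no longer reach. Returns how many were removed.
// (Indices stay stable instead of being compacted; that is enough for the sketch.)
size_t pruneUnreachable(Graph& graph)
{
    std::set<size_t> live = reachableBlocks(graph);
    size_t removed = 0;
    for (size_t i = 0; i < graph.blocks.size(); ++i) {
        if (live.count(i))
            continue;
        graph.blocks[i] = Block {};
        ++removed;
    }
    return removed;
}

// Constructed sample: a diamond whose cold side (block 1) starts with a
// ForceOSRExit and dominates three blocks (3, 4, 5) that never execute.
//   0 -> {1, 2}; 1 -> 3 -> 4 -> 5 -> 6; 2 -> 6; 6 returns.
Graph buildSampleGraph()
{
    Graph g;
    g.blocks.resize(7);
    g.blocks[0].nodes = { { Op::GetLocal }, { Op::Branch } };                 g.blocks[0].successors = { 1, 2 };
    g.blocks[1].nodes = { { Op::ForceOSRExit }, { Op::Add }, { Op::Jump } };  g.blocks[1].successors = { 3 };
    g.blocks[2].nodes = { { Op::Add }, { Op::Jump } };                        g.blocks[2].successors = { 6 };
    g.blocks[3].nodes = { { Op::Add }, { Op::Jump } };                        g.blocks[3].successors = { 4 };
    g.blocks[4].nodes = { { Op::Add }, { Op::Jump } };                        g.blocks[4].successors = { 5 };
    g.blocks[5].nodes = { { Op::Add }, { Op::Jump } };                        g.blocks[5].successors = { 6 };
    g.blocks[6].nodes = { { Op::Return } };
    return g;
}

// Entry points that run the sketch on the sample graph.
size_t sampleBlocksBefore() { return reachableBlocks(buildSampleGraph()).size(); }

bool sampleExitBlockEndsInUnreachable()
{
    Graph g = buildSampleGraph();
    replaceTerminalsAfterForceOSRExit(g);
    const Block& b = g.blocks[1];
    return b.nodes.size() == 2 && b.nodes.back().op == Op::Unreachable && b.successors.empty();
}

size_t sampleBlocksRemoved()
{
    Graph g = buildSampleGraph();
    replaceTerminalsAfterForceOSRExit(g);
    return pruneUnreachable(g);
}

size_t sampleBlocksAfter()
{
    Graph g = buildSampleGraph();
    replaceTerminalsAfterForceOSRExit(g);
    pruneUnreachable(g);
    return reachableBlocks(g).size();
}
```

On the sample, the seven-block graph shrinks to four blocks (entry, the ForceOSRExit block, the hot path and the merge); blocks 3 to 5 are only reachable through the truncated block and disappear, which is the compile-time saving the entry measures on Speedometer.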
44
45 2018-01-09  Mark Lam  <mark.lam@apple.com>
46
47         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
48         https://bugs.webkit.org/show_bug.cgi?id=181388
49         <rdar://problem/36349351>
50
51         Reviewed by Saam Barati.
52
53         When there are duplicate setters or getters, we may end up overwriting a getter
54         with a setter, or vice versa.  This patch adds tracking for getters/setters that
55         have been overwritten with duplicates and ignores them.
56
57         * bytecompiler/NodesCodegen.cpp:
58         (JSC::PropertyListNode::emitBytecode):
59         * parser/NodeConstructors.h:
60         (JSC::PropertyNode::PropertyNode):
61         * parser/Nodes.h:
62         (JSC::PropertyNode::isOverriddenByDuplicate const):
63         (JSC::PropertyNode::setIsOverriddenByDuplicate):
64
65 2018-01-08  Zan Dobersek  <zdobersek@igalia.com>
66
67         REGRESSION(r225913): about 30 JSC test failures on ARMv7
68         https://bugs.webkit.org/show_bug.cgi?id=181162
69         <rdar://problem/36261349>
70
71         Unreviewed follow-up to r226298. Enable the fast case in
72         DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform,
73         assuming in good faith that enough GP registers are available on any
74         such configuration. The accompanying comment is adjusted to describe
75         this assumption.
76
77         * dfg/DFGSpeculativeJIT.cpp:
78         (JSC::DFG::SpeculativeJIT::compileArraySlice):
79
80 2018-01-08  JF Bastien  <jfbastien@apple.com>
81
82         WebAssembly: mask indexed accesses to Table
83         https://bugs.webkit.org/show_bug.cgi?id=181412
84         <rdar://problem/36363236>
85
86         Reviewed by Saam Barati.
87
88         WebAssembly Table indexed accesses are user-controlled and
89         bounds-checked. Force allocations of Table data to be a
90         power-of-two, and explicitly mask accesses after bounds-check
91         branches.
92
93         Rename misleading usage of "size" when "length" of a Table was
94         intended.
95
96         Rename the Spectre option from "disable" to "enable".
97
98         * dfg/DFGSpeculativeJIT.cpp:
99         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
100         * ftl/FTLLowerDFGToB3.cpp:
101         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
102         * jit/JIT.cpp:
103         (JSC::JIT::JIT):
104         * runtime/Options.h:
105         * wasm/WasmB3IRGenerator.cpp:
106         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
107         (JSC::Wasm::B3IRGenerator::addCallIndirect):
108         * wasm/WasmTable.cpp:
109         (JSC::Wasm::Table::allocatedLength):
110         (JSC::Wasm::Table::setLength):
111         (JSC::Wasm::Table::create):
112         (JSC::Wasm::Table::Table):
113         (JSC::Wasm::Table::grow):
114         (JSC::Wasm::Table::clearFunction):
115         (JSC::Wasm::Table::setFunction):
116         * wasm/WasmTable.h:
117         (JSC::Wasm::Table::length const):
118         (JSC::Wasm::Table::offsetOfLength):
119         (JSC::Wasm::Table::offsetOfMask):
120         (JSC::Wasm::Table::mask const):
121         (JSC::Wasm::Table::isValidLength):
122         * wasm/js/JSWebAssemblyInstance.cpp:
123         (JSC::JSWebAssemblyInstance::create):
124         * wasm/js/JSWebAssemblyTable.cpp:
125         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
126         (JSC::JSWebAssemblyTable::visitChildren):
127         (JSC::JSWebAssemblyTable::grow):
128         (JSC::JSWebAssemblyTable::getFunction):
129         (JSC::JSWebAssemblyTable::clearFunction):
130         (JSC::JSWebAssemblyTable::setFunction):
131         * wasm/js/JSWebAssemblyTable.h:
132         (JSC::JSWebAssemblyTable::isValidLength):
133         (JSC::JSWebAssemblyTable::length const):
134         (JSC::JSWebAssemblyTable::allocatedLength const):
135         * wasm/js/WebAssemblyModuleRecord.cpp:
136         (JSC::WebAssemblyModuleRecord::evaluate):
137         * wasm/js/WebAssemblyTablePrototype.cpp:
138         (JSC::webAssemblyTableProtoFuncLength):
139         (JSC::webAssemblyTableProtoFuncGrow):
140         (JSC::webAssemblyTableProtoFuncGet):
141         (JSC::webAssemblyTableProtoFuncSet):
142
143 2018-01-08  Michael Saboff  <msaboff@apple.com>
144
145         Add a DOM gadget for Spectre testing
146         https://bugs.webkit.org/show_bug.cgi?id=181351
147
148         Reviewed by Michael Saboff.
149
150         Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
151         Spectre mitigations.
152
153         * runtime/Options.h:
154
155 2018-01-08  Mark Lam  <mark.lam@apple.com>
156
157         Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
158         https://bugs.webkit.org/show_bug.cgi?id=181403
159         <rdar://problem/36359789>
160
161         Rubber-stamped by JF Bastien.
162
163         * bytecode/CodeBlock.cpp:
164         (JSC::CodeBlock::CodeBlock):
165         (JSC::CodeBlock::~CodeBlock):
166         (JSC::CodeBlock::setConstantRegisters):
167         (JSC::CodeBlock::propagateTransitions):
168         (JSC::CodeBlock::finalizeLLIntInlineCaches):
169         (JSC::CodeBlock::jettison):
170         (JSC::CodeBlock::predictedMachineCodeSize):
171         * bytecode/CodeBlock.h:
172         (JSC::CodeBlock::vm const):
173         (JSC::CodeBlock::addConstant):
174         (JSC::CodeBlock::heap const):
175         (JSC::CodeBlock::replaceConstant):
176         * llint/LowLevelInterpreter.asm:
177         * llint/LowLevelInterpreter32_64.asm:
178         * llint/LowLevelInterpreter64.asm:
179
180 2018-01-07  Mark Lam  <mark.lam@apple.com>
181
182         Apply poisoning to more pointers in JSC.
183         https://bugs.webkit.org/show_bug.cgi?id=181096
184         <rdar://problem/36182970>
185
186         Reviewed by JF Bastien.
187
188         * assembler/MacroAssembler.h:
189         (JSC::MacroAssembler::xorPtr):
190         * assembler/MacroAssemblerARM64.h:
191         (JSC::MacroAssemblerARM64::xor64):
192         * assembler/MacroAssemblerX86_64.h:
193         (JSC::MacroAssemblerX86_64::xor64):
194         - Add xorPtr implementation.
195
196         * bytecode/CodeBlock.cpp:
197         (JSC::CodeBlock::inferredName const):
198         (JSC::CodeBlock::CodeBlock):
199         (JSC::CodeBlock::finishCreation):
200         (JSC::CodeBlock::~CodeBlock):
201         (JSC::CodeBlock::setConstantRegisters):
202         (JSC::CodeBlock::visitWeakly):
203         (JSC::CodeBlock::visitChildren):
204         (JSC::CodeBlock::propagateTransitions):
205         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
206         (JSC::CodeBlock::finalizeLLIntInlineCaches):
207         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
208         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
209         (JSC::CodeBlock::jettison):
210         (JSC::CodeBlock::predictedMachineCodeSize):
211         (JSC::CodeBlock::findPC):
212         * bytecode/CodeBlock.h:
213         (JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
214         (JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
215         (JSC::CodeBlock::stubInfoBegin):
216         (JSC::CodeBlock::stubInfoEnd):
217         (JSC::CodeBlock::callLinkInfosBegin):
218         (JSC::CodeBlock::callLinkInfosEnd):
219         (JSC::CodeBlock::instructions):
220         (JSC::CodeBlock::instructions const):
221         (JSC::CodeBlock::vm const):
222         * dfg/DFGOSRExitCompilerCommon.h:
223         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
224         * jit/JIT.h:
225         * llint/LLIntOfflineAsmConfig.h:
226         * llint/LowLevelInterpreter.asm:
227         * llint/LowLevelInterpreter64.asm:
228         * parser/UnlinkedSourceCode.h:
229         * runtime/JSCPoison.h:
230         * runtime/JSGlobalObject.cpp:
231         (JSC::JSGlobalObject::init):
232         * runtime/JSGlobalObject.h:
233         * runtime/JSScriptFetchParameters.h:
234         * runtime/JSScriptFetcher.h:
235         * runtime/StructureTransitionTable.h:
236         * wasm/js/JSWebAssemblyCodeBlock.cpp:
237         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
238         (JSC::JSWebAssemblyCodeBlock::visitChildren):
239         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
240         * wasm/js/JSWebAssemblyCodeBlock.h:
241
242 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
243
244         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
245         https://bugs.webkit.org/show_bug.cgi?id=181321
246
247         Reviewed by Saam Barati.
248
249         According to ECMA262 16.2[1], functions created using the bind method must not have
250         "caller" and "arguments" own properties.
251
252         [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions
253
254         * runtime/JSBoundFunction.cpp:
255         (JSC::JSBoundFunction::finishCreation):
256
257 2018-01-05  JF Bastien  <jfbastien@apple.com>
258
259         WebAssembly: poison JS object's secrets
260         https://bugs.webkit.org/show_bug.cgi?id=181339
261         <rdar://problem/36325001>
262
263         Reviewed by Mark Lam.
264
265         Separating WebAssembly's JS objects from their non-JS
266         implementation means that all interesting information lives
267         outside of the JS object itself. This patch poisons each JS
268         object's pointer to non-JS implementation using the poisoning
269         mechanism and a unique key per JS object type origin.
270
271         * runtime/JSCPoison.h:
272         * wasm/js/JSToWasm.cpp:
273         (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
274         object in a stack slot when fast TLS is disabled. This requires
275         that we unpoison the Wasm::Instance.
276         * wasm/js/JSWebAssemblyCodeBlock.h:
277         * wasm/js/JSWebAssemblyInstance.h:
278         (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
279         be explicit that the pointer is poisoned.
280         * wasm/js/JSWebAssemblyMemory.h:
281         * wasm/js/JSWebAssemblyModule.h:
282         * wasm/js/JSWebAssemblyTable.h:
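
Pointer poisoning, as used by the three entries above (CodeBlock::m_poisonedVM, "Apply poisoning to more pointers in JSC" with its new xorPtr, and the WebAssembly JS objects with one key per object type), sketched as an added C++ example. This is illustration for this page, not JSCPoison.h or any other JavaScriptCore code: the key derivation, the PoisonedPtr template, the key functions and the WasmInstance/JSWebAssemblyInstanceLike stand-ins are all assumptions. What it shows is the shape of the mitigation: the object stores only pointer XOR key, every dereference unpoisons first, and a word read without the right key is not a usable pointer.

```cpp
#include <cstdint>

// Key derivation for this example: deterministic FNV-1a over a type tag so the
// output is reproducible. A real engine draws each key from a CSPRNG at startup
// and never exposes it to script. (Assumed scheme, not JSCPoison.h.)
inline uintptr_t poisonKeyFor(const char* typeTag)
{
    uint64_t h = 0xcbf29ce484222325ull;
    for (const char* p = typeTag; *p; ++p) {
        h ^= static_cast<uint8_t>(*p);
        h *= 0x100000001b3ull;
    }
    // Set the top bit so a poisoned word is never a plausible user-space address
    // (and the key is never zero, since XOR with zero would be the identity).
    return static_cast<uintptr_t>(h) | (static_cast<uintptr_t>(1) << (sizeof(uintptr_t) * 8 - 1));
}

// Poisoning is an XOR with the key; unpoisoning is the same XOR. This is the
// operation the commit's MacroAssembler::xorPtr exists for: the JIT unpoisons
// into a register immediately before dereferencing.
inline uintptr_t poisonBits(uintptr_t bits, uintptr_t key) { return bits ^ key; }
inline uintptr_t unpoisonBits(uintptr_t bits, uintptr_t key) { return bits ^ key; }

// One key per JS object type, as the WebAssembly entry describes. Kept in
// functions with static storage so they behave like process-wide globals.
inline uintptr_t wasmInstanceKey() { static const uintptr_t k = poisonKeyFor("JSWebAssemblyInstance"); return k; }
inline uintptr_t wasmTableKey()    { static const uintptr_t k = poisonKeyFor("JSWebAssemblyTable"); return k; }

// Stores only the poisoned form of a T*. The key is chosen at compile time by
// KeyFn, so an object of one type cannot be unpoisoned with another type's key
// by accident.
template<typename T, uintptr_t (*KeyFn)()>
class PoisonedPtr {
public:
    explicit PoisonedPtr(T* p) : m_poisoned(poisonBits(reinterpret_cast<uintptr_t>(p), KeyFn())) { }

    T* unpoisoned() const { return reinterpret_cast<T*>(unpoisonBits(m_poisoned, KeyFn())); }
    T* operator->() const { return unpoisoned(); }

    // Exposed only so the checks below can show the stored word is not the pointer.
    uintptr_t storedBits() const { return m_poisoned; }

private:
    uintptr_t m_poisoned;
};

// Stand-ins for the non-JS implementation object and its JS wrapper. As in the
// commit, the wrapper's only interesting field is the poisoned pointer.
struct WasmInstance { unsigned memoryPages; };

struct JSWebAssemblyInstanceLike {
    PoisonedPtr<WasmInstance, wasmInstanceKey> m_poisonedInstance;
    explicit JSWebAssemblyInstanceLike(WasmInstance* i) : m_poisonedInstance(i) { }
    unsigned memoryPages() const { return m_poisonedInstance->memoryPages; }
};

// Constructed sample object shared by the checks below.
inline WasmInstance& sampleInstance() { static WasmInstance inst { 16 }; return inst; }

// A round trip through the wrapper recovers the real pointer and its contents.
bool roundTripRecoversPointer()
{
    JSWebAssemblyInstanceLike js(&sampleInstance());
    return js.m_poisonedInstance.unpoisoned() == &sampleInstance() && js.memoryPages() == 16;
}

// The word actually sitting in the wrapper is not the pointer an attacker wants.
bool storedWordIsNotTheRealPointer()
{
    JSWebAssemblyInstanceLike js(&sampleInstance());
    return js.m_poisonedInstance.storedBits() != reinterpret_cast<uintptr_t>(&sampleInstance());
}

// Unpoisoning with a different type's key yields garbage, not the pointer.
bool wrongKeyDoesNotRecoverPointer()
{
    uintptr_t real = reinterpret_cast<uintptr_t>(&sampleInstance());
    uintptr_t stored = poisonBits(real, wasmInstanceKey());
    return unpoisonBits(stored, wasmTableKey()) != real;
}
```

The value of the scheme against speculative side channels is the extra dependency it forces: a gadget that leaks the stored word still has to obtain the per-type key before it can use the result as an address, and a type confusion that unpoisons with the wrong key gets a non-canonical value rather than a live object.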
283
284 2018-01-05  Michael Saboff  <msaboff@apple.com>
285
286         Add ability to disable indexed property masking for testing
287         https://bugs.webkit.org/show_bug.cgi?id=181350
288
289         Reviewed by Keith Miller.
290
291         Made the masking of indexed properties runtime controllable via a new JSC::Option
292         named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.
293
294         The new option has a generic name as it will probably be used to disable future mitigations.
295
296         * dfg/DFGSpeculativeJIT.cpp:
297         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
298         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
299         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
300         * dfg/DFGSpeculativeJIT.h:
301         * dfg/DFGSpeculativeJIT64.cpp:
302         (JSC::DFG::SpeculativeJIT::compile):
303         * ftl/FTLLowerDFGToB3.cpp:
304         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
305         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
306         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
307         * jit/JIT.cpp:
308         (JSC::JIT::JIT):
309         * jit/JIT.h:
310         * jit/JITPropertyAccess.cpp:
311         (JSC::JIT::emitDoubleLoad):
312         (JSC::JIT::emitContiguousLoad):
313         (JSC::JIT::emitArrayStorageLoad):
314         * runtime/Options.h:
315         * wasm/WasmB3IRGenerator.cpp:
316         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
317
318 2018-01-05  Michael Saboff  <msaboff@apple.com>
319
320         Allow JSC Config Files to set Restricted Options
321         https://bugs.webkit.org/show_bug.cgi?id=181352
322
323         Reviewed by Mark Lam.
324
325         * runtime/ConfigFile.cpp:
326         (JSC::ConfigFile::parse):
327
328 2018-01-04  Keith Miller  <keith_miller@apple.com>
329
330         TypedArrays and Wasm should use index masking.
331         https://bugs.webkit.org/show_bug.cgi?id=181313
332
333         Reviewed by Michael Saboff.
334
335         We should have index masking for our TypedArray code in the
336         DFG/FTL and for Wasm when doing bounds checking. Index masking for
337         Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
338         WasmBoundsCheckValues we don't need to worry about combining a
339         bounds check for a load and a store. I went with fusing the
340         pointer masking in the WasmBoundsCheckValue since it should reduce
341         additional compiler overhead.
342
343         * b3/B3LowerToAir.cpp:
344         * b3/B3Validate.cpp:
345         * b3/B3WasmBoundsCheckValue.cpp:
346         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
347         (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
348         * b3/B3WasmBoundsCheckValue.h:
349         (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
350         * b3/air/AirCustom.h:
351         (JSC::B3::Air::WasmBoundsCheckCustom::generate):
352         * b3/testb3.cpp:
353         (JSC::B3::testWasmBoundsCheck):
354         * dfg/DFGSpeculativeJIT.cpp:
355         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
356         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
357         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
358         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
359         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
360         * dfg/DFGSpeculativeJIT.h:
361         * dfg/DFGSpeculativeJIT64.cpp:
362         (JSC::DFG::SpeculativeJIT::compile):
363         * ftl/FTLLowerDFGToB3.cpp:
364         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
365         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
366         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
367         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
368         * jit/JITPropertyAccess.cpp:
369         (JSC::JIT::emitIntTypedArrayGetByVal):
370         * runtime/Butterfly.h:
371         (JSC::Butterfly::computeIndexingMask const):
372         (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
373         * runtime/JSArrayBufferView.cpp:
374         (JSC::JSArrayBufferView::JSArrayBufferView):
375         * wasm/WasmB3IRGenerator.cpp:
376         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
377         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
378         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
379         (JSC::Wasm::B3IRGenerator::load):
380         (JSC::Wasm::B3IRGenerator::store):
381         (JSC::Wasm::B3IRGenerator::addCallIndirect):
382         * wasm/WasmBinding.cpp:
383         (JSC::Wasm::wasmToWasm):
384         * wasm/WasmMemory.cpp:
385         (JSC::Wasm::Memory::Memory):
386         (JSC::Wasm::Memory::grow):
387         * wasm/WasmMemory.h:
388         (JSC::Wasm::Memory::offsetOfIndexingMask):
389         * wasm/WasmMemoryInformation.cpp:
390         (JSC::Wasm::PinnedRegisterInfo::get):
391         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
392         * wasm/WasmMemoryInformation.h:
393         (JSC::Wasm::PinnedRegisterInfo::toSave const):
394         * wasm/js/JSToWasm.cpp:
395         (JSC::Wasm::createJSToWasmWrapper):
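
Index masking, as described by the two masking entries above ("WebAssembly: mask indexed accesses to Table", which rounds Table allocations up to a power of two and masks after the bounds-check branch, and "TypedArrays and Wasm should use index masking") together with the disableSpectreMitigations option that turns it off for testing. The following is an added C++ example for this page, not JavaScriptCore code: roundUpToPowerOfTwo, indexingMaskForAllocation, MaskedTable and the maskAccesses flag are assumptions standing in for Table::mask, Butterfly::computeIndexingMask and the JIT's masked loads. It shows the invariant the mitigation relies on: once the backing store is a power of two, index & mask is inside the allocation for every 32-bit index, so a load that the CPU executes speculatively past a mispredicted bounds check cannot read outside the buffer.

```cpp
#include <cstdint>
#include <vector>

// Smallest power of two that is >= n, for 1 <= n <= 2^31. (Assumed helper; the
// commit's Table::isValidLength is what keeps lengths in range in JSC.)
uint32_t roundUpToPowerOfTwo(uint32_t n)
{
    uint32_t p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

// Mask for a power-of-two backing store: any 32-bit index ANDed with it lands
// inside the allocation. (Assumed counterpart of Butterfly::computeIndexingMask.)
uint32_t indexingMaskForAllocation(uint32_t allocatedLength)
{
    return allocatedLength - 1;
}

// The index the JIT actually uses after the bounds-check branch. A mispredicted
// branch still executes the load speculatively, but only at a masked offset, so
// the speculative read cannot leave the allocation.
uint32_t maskedIndex(uint32_t index, uint32_t mask) { return index & mask; }

// Table-like container: `length` is what the program sees, the allocation is
// rounded up to a power of two, and every access is bounds-checked then masked.
// `maskAccesses` models the runtime option that disables the mitigation for
// testing (assumed parameter name).
class MaskedTable {
public:
    explicit MaskedTable(uint32_t length, bool maskAccesses = true)
        : m_length(length)
        , m_allocatedLength(roundUpToPowerOfTwo(length ? length : 1))
        , m_mask(indexingMaskForAllocation(m_allocatedLength))
        , m_maskAccesses(maskAccesses)
        , m_slots(m_allocatedLength, 0)
    { }

    uint32_t length() const { return m_length; }
    uint32_t allocatedLength() const { return m_allocatedLength; }
    uint32_t mask() const { return m_mask; }

    // Architectural bounds check first (trap on failure), then the masked load.
    bool get(uint32_t index, uint64_t& out) const
    {
        if (index >= m_length)
            return false;
        out = m_slots[slotFor(index)];
        return true;
    }

    bool set(uint32_t index, uint64_t value)
    {
        if (index >= m_length)
            return false;
        m_slots[slotFor(index)] = value;
        return true;
    }

    // The slot a speculative access would touch if the bounds check were bypassed:
    // with masking on it is always < allocatedLength(); with it off, the raw index.
    uint32_t slotFor(uint32_t index) const
    {
        return m_maskAccesses ? maskedIndex(index, m_mask) : index;
    }

    // Every path that changes the allocation must recompute the mask, or the
    // masked index no longer matches the store it is supposed to confine.
    void grow(uint32_t newLength)
    {
        m_length = newLength;
        m_allocatedLength = roundUpToPowerOfTwo(newLength ? newLength : 1);
        m_mask = indexingMaskForAllocation(m_allocatedLength);
        m_slots.resize(m_allocatedLength, 0);
    }

private:
    uint32_t m_length;
    uint32_t m_allocatedLength;
    uint32_t m_mask;
    bool m_maskAccesses;
    std::vector<uint64_t> m_slots;
};

// Constructed scenario: a short table and an attacker-chosen out-of-range index.
bool speculativeSlotStaysInAllocation(uint32_t length, uint32_t index, bool masking)
{
    MaskedTable t(length, masking);
    return t.slotFor(index) < t.allocatedLength();
}

bool inRangeReadWorksAndOutOfRangeTraps()
{
    MaskedTable t(5);
    uint64_t v = 0;
    return t.set(3, 0xabcd) && t.get(3, v) && v == 0xabcd && !t.get(5, v) && !t.get(1000, v);
}

bool growRecomputesMask()
{
    MaskedTable t(5);   // allocated 8, mask 7
    t.grow(9);          // allocated 16, mask 15
    return t.allocatedLength() == 16 && t.mask() == 15 && t.slotFor(1000) < t.allocatedLength();
}
```

With a 5-entry table (8 slots allocated, mask 7) an index of 1000 is rejected architecturally, and the slot a speculative load could touch is 1000 & 7 = 0, still inside the allocation; with masking disabled the speculative slot is 1000, past the end. The mask is an AND with no data-dependent branch, which is why it is cheap enough to apply on every access and why the allocation has to be a power of two.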
396
397 2018-01-05  Commit Queue  <commit-queue@webkit.org>
398
399         Unreviewed, rolling out r226434.
400         https://bugs.webkit.org/show_bug.cgi?id=181322
401
402         32bit JSC failure in x86 (Requested by yusukesuzuki on
403         #webkit).
404
405         Reverted changeset:
406
407         "[DFG] Unify ToNumber implementation in 32bit and 64bit by
408         changing 32bit Int32Tag and LowestTag"
409         https://bugs.webkit.org/show_bug.cgi?id=181134
410         https://trac.webkit.org/changeset/226434
411
412 2018-01-04  Devin Rousso  <webkit@devinrousso.com>
413
414         Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
415         https://bugs.webkit.org/show_bug.cgi?id=180770
416
417         Reviewed by Joseph Pecoraro.
418
419         * inspector/protocol/Canvas.json:
420
421 2018-01-04  Commit Queue  <commit-queue@webkit.org>
422
423         Unreviewed, rolling out r226405.
424         https://bugs.webkit.org/show_bug.cgi?id=181318
425
426         Speculative rollout due to Octane/SplayLatency,Octane/Splay
427         regressions (Requested by yusukesuzuki on #webkit).
428
429         Reverted changeset:
430
431         "[JSC] Create parallel SlotVisitors apriori"
432         https://bugs.webkit.org/show_bug.cgi?id=180907
433         https://trac.webkit.org/changeset/226405
434
435 2018-01-04  Saam Barati  <sbarati@apple.com>
436
437         Do value profiling in to_this
438         https://bugs.webkit.org/show_bug.cgi?id=181299
439
440         Reviewed by Filip Pizlo.
441
442         This patch adds value profiling to to_this. We use the result of the value
443         profiling only for strict mode code when we don't predict that the input is
444         of a specific type. This helps when the input is SpecCellOther. Such cells
445         might implement a custom ToThis, which can produce an arbitrary result. Before
446         this patch, in prediction propagation, we were saying that a ToThis with a
447         SpecCellOther input also produced SpecCellOther. However, this is incorrect,
448         given that the input may implement ToThis that produces an arbitrary result.
449         This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.
450         
451         Interestingly, this patch only does value profiling on the slow path. The fast
452         path of to_this in the LLInt/baseline just performs a structure check. If it
453         passes, the result is the same as the input. Therefore, doing value profiling
454         from the fast path wouldn't actually produce new information for the ValueProfile.
455
456         * bytecode/BytecodeDumper.cpp:
457         (JSC::BytecodeDumper<Block>::dumpBytecode):
458         * bytecode/BytecodeList.json:
459         * bytecode/CodeBlock.cpp:
460         (JSC::CodeBlock::finishCreation):
461         * bytecompiler/BytecodeGenerator.cpp:
462         (JSC::BytecodeGenerator::BytecodeGenerator):
463         (JSC::BytecodeGenerator::emitToThis):
464         * bytecompiler/BytecodeGenerator.h:
465         * dfg/DFGByteCodeParser.cpp:
466         (JSC::DFG::ByteCodeParser::parseBlock):
467         * dfg/DFGNode.h:
468         (JSC::DFG::Node::hasHeapPrediction):
469         * dfg/DFGPredictionPropagationPhase.cpp:
470         * runtime/CommonSlowPaths.cpp:
471         (JSC::SLOW_PATH_DECL):
472
473 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
474
475         [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
476         https://bugs.webkit.org/show_bug.cgi?id=181134
477
478         Reviewed by Mark Lam.
479
480         We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
481         branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
482         an additional scratch register. We do not want to allocate an unnecessary register in 64bit
483         implementation.
484
485         This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
486         and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
487         setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
488         `<= LowestTag(Int32Tag)`.
489
490         We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.
491
492         We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.
493
494         * dfg/DFGSpeculativeJIT.cpp:
495         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
496         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
497         (JSC::DFG::SpeculativeJIT::speculateNumber):
498         (JSC::DFG::SpeculativeJIT::speculateMisc):
499         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
500         (JSC::DFG::SpeculativeJIT::compileToNumber):
501         * dfg/DFGSpeculativeJIT.h:
502         * dfg/DFGSpeculativeJIT32_64.cpp:
503         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
504         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
505         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
506         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
507         (JSC::DFG::SpeculativeJIT::compile):
508         * dfg/DFGSpeculativeJIT64.cpp:
509         (JSC::DFG::SpeculativeJIT::compile):
510         * jit/AssemblyHelpers.cpp:
511         (JSC::AssemblyHelpers::branchIfNotType):
512         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
513         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
514         * jit/AssemblyHelpers.h:
515         (JSC::AssemblyHelpers::branchIfMisc):
516         (JSC::AssemblyHelpers::branchIfNotMisc):
517         (JSC::AssemblyHelpers::branchIfNumber):
518         (JSC::AssemblyHelpers::branchIfNotNumber):
519         (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
520         (JSC::AssemblyHelpers::emitTypeOf):
521         * jit/JITAddGenerator.cpp:
522         (JSC::JITAddGenerator::generateFastPath):
523         * jit/JITArithmetic32_64.cpp:
524         (JSC::JIT::emitBinaryDoubleOp):
525         * jit/JITDivGenerator.cpp:
526         (JSC::JITDivGenerator::loadOperand):
527         * jit/JITMulGenerator.cpp:
528         (JSC::JITMulGenerator::generateInline):
529         (JSC::JITMulGenerator::generateFastPath):
530         * jit/JITNegGenerator.cpp:
531         (JSC::JITNegGenerator::generateInline):
532         (JSC::JITNegGenerator::generateFastPath):
533         * jit/JITOpcodes32_64.cpp:
534         (JSC::JIT::emit_op_is_number):
535         (JSC::JIT::emit_op_jeq_null):
536         (JSC::JIT::emit_op_jneq_null):
537         (JSC::JIT::emit_op_to_number):
538         (JSC::JIT::emit_op_profile_type):
539         * jit/JITRightShiftGenerator.cpp:
540         (JSC::JITRightShiftGenerator::generateFastPath):
541         * jit/JITSubGenerator.cpp:
542         (JSC::JITSubGenerator::generateInline):
543         (JSC::JITSubGenerator::generateFastPath):
544         * llint/LLIntData.cpp:
545         (JSC::LLInt::Data::performAssertions):
546         * llint/LowLevelInterpreter.asm:
547         * llint/LowLevelInterpreter32_64.asm:
548         * runtime/JSCJSValue.h:
549
550 2018-01-04  JF Bastien  <jfbastien@apple.com>
551
552         Add assembler support for x86 lfence and sfence
553         https://bugs.webkit.org/show_bug.cgi?id=181311
554         <rdar://problem/36301780>
555
556         Reviewed by Michael Saboff.
557
558         Useful for testing performance of serializing instructions (hint:
559         it's not good).
560
561         * assembler/MacroAssemblerX86Common.h:
562         (JSC::MacroAssemblerX86Common::lfence):
563         (JSC::MacroAssemblerX86Common::sfence):
564         * assembler/X86Assembler.h:
565         (JSC::X86Assembler::lfence):
566         (JSC::X86Assembler::sfence):
567
568 2018-01-04  Saam Barati  <sbarati@apple.com>
569
570         Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
571         https://bugs.webkit.org/show_bug.cgi?id=181296
572
573         Reviewed by Filip Pizlo.
574
575         Inside Speedometer's Ember test, there is a recompile loop like:
576         a: GetByVal(..., semanticOriginX)
577         b: SetLocal(Cell:@a, semanticOriginX)
578         
579         where the cell check always fails. For reasons I didn't investigate, the
580         baseline JIT's value profiling doesn't accurately capture the GetByVal's
581         result.
582         
583         However, when compiling this cell speculation check in the DFG, we get a null
584         MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
585         this IR pattern because both @a and @b have the same semantic origin. We
586         should not follow the same semantic origin heuristic when dealing with
587         SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
588         For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
589         For this IR pattern, we will update the value profile for the semantic origin
590         for @nodeWithHeapPrediction. So, for the Speedometer example above, we
591         will correctly update the GetByVal's value profile, which will prevent
592         an OSR exit loop.
593
594         * dfg/DFGGraph.cpp:
595         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
596
597 2018-01-04  Keith Miller  <keith_miller@apple.com>
598
599         Array Storage operations sometimes did not update the indexing mask correctly.
600         https://bugs.webkit.org/show_bug.cgi?id=181301
601
602         Reviewed by Mark Lam.
603
604         I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
605
606         * runtime/JSArray.cpp:
607         (JSC::JSArray::shiftCountWithArrayStorage):
608         * runtime/JSObject.cpp:
609         (JSC::JSObject::increaseVectorLength):
610
611 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
612
613         [DFG] Define defs for MapSet/SetAdd to participate in CSE
614         https://bugs.webkit.org/show_bug.cgi?id=179911
615
616         Reviewed by Saam Barati.
617
618         With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
619         To handle the somewhat tricky DFG Map operation nodes, MapSet and SetAdd
620         produce the added bucket as their result. A subsequent GetMapBucket will
621         be removed by CSE.
622
623         * dfg/DFGAbstractInterpreterInlines.h:
624         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
625         * dfg/DFGClobberize.h:
626         (JSC::DFG::clobberize):
627         * dfg/DFGNodeType.h:
628         * dfg/DFGOperations.cpp:
629         * dfg/DFGOperations.h:
630         * dfg/DFGPredictionPropagationPhase.cpp:
631         * dfg/DFGSpeculativeJIT.cpp:
632         (JSC::DFG::SpeculativeJIT::compileSetAdd):
633         (JSC::DFG::SpeculativeJIT::compileMapSet):
634         * dfg/DFGSpeculativeJIT.h:
635         (JSC::DFG::SpeculativeJIT::callOperation):
636         * ftl/FTLLowerDFGToB3.cpp:
637         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
638         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
639         * jit/JITOperations.h:
640         * runtime/HashMapImpl.h:
641         (JSC::HashMapImpl::addNormalized):
642         (JSC::HashMapImpl::addNormalizedInternal):
643
644 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
645
646         [JSC] Remove LocalScope
647         https://bugs.webkit.org/show_bug.cgi?id=181206
648
649         Reviewed by Geoffrey Garen.
650
651         The last user of HandleStack and LocalScope is JSON, but MarkedArgumentBuffer is enough for its use.
652         This patch changes JSON parsing and stringifying to use MarkedArgumentBuffer, and removes HandleStack
653         and LocalScope.
654
655         We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack, so they can hold
656         JSObject* directly in their fields.
657
658         * JavaScriptCore.xcodeproj/project.pbxproj:
659         * Sources.txt:
660         * heap/HandleStack.cpp: Removed.
661         * heap/HandleStack.h: Removed.
662         * heap/Heap.cpp:
663         (JSC::Heap::addCoreConstraints):
664         * heap/Heap.h:
665         (JSC::Heap::handleSet):
666         (JSC::Heap::handleStack): Deleted.
667         * heap/Local.h: Removed.
668         * heap/LocalScope.h: Removed.
669         * runtime/JSONObject.cpp:
670         (JSC::Stringifier::Holder::object const):
671         (JSC::gap):
672         (JSC::Stringifier::Stringifier):
673         (JSC::Stringifier::stringify):
674         (JSC::Stringifier::appendStringifiedValue):
675         (JSC::Stringifier::Holder::Holder):
676         (JSC::Stringifier::Holder::appendNextProperty):
677         (JSC::Walker::Walker):
678         (JSC::Walker::callReviver):
679         (JSC::Walker::walk):
680         (JSC::JSONProtoFuncParse):
681         (JSC::JSONProtoFuncStringify):
682         (JSC::JSONParse):
683         (JSC::JSONStringify):
684
685 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
686
687         [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
688         https://bugs.webkit.org/show_bug.cgi?id=180238
689
690         Reviewed by Saam Barati.
691
692         We can optimize ObjectAllocationSinking a bit by using removeIf.
693
694         * dfg/DFGObjectAllocationSinkingPhase.cpp:
695
696 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
697
698         [JSC] Create parallel SlotVisitors apriori
699         https://bugs.webkit.org/show_bug.cgi?id=180907
700
701         Reviewed by Saam Barati.
702
703         The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
704         If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically.
705         Then we do not need to grab locks while iterating all the SlotVisitors.
706
707         In addition, we do not need to consider the case that the number of SlotVisitors increases
708         after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
709         does not increase any more.
710
711         * heap/Heap.cpp:
712         (JSC::Heap::Heap):
713         (JSC::Heap::runBeginPhase):
714         * heap/Heap.h:
715         * heap/HeapInlines.h:
716         (JSC::Heap::forEachSlotVisitor):
717         (JSC::Heap::numberOfSlotVisitors): Deleted.
718         * heap/MarkingConstraintSolver.cpp:
719         (JSC::MarkingConstraintSolver::didVisitSomething const):
720
721 2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>
722
723         Replace hard-coded paths in shebangs with #!/usr/bin/env
724         https://bugs.webkit.org/show_bug.cgi?id=181040
725
726         Reviewed by Alex Christensen.
727
728         * Scripts/UpdateContents.py:
729         * Scripts/cssmin.py:
730         * Scripts/generate-combined-inspector-json.py:
731         * Scripts/xxd.pl:
732         * create_hash_table:
733         * generate-bytecode-files:
734         * wasm/generateWasm.py:
735         * wasm/generateWasmOpsHeader.py:
736         * yarr/generateYarrCanonicalizeUnicode:
737
738 2018-01-03  Michael Saboff  <msaboff@apple.com>
739
740         Disable SharedArrayBuffers from Web API
741         https://bugs.webkit.org/show_bug.cgi?id=181266
742
743         Reviewed by Saam Barati.
744
745         Removed the SharedArrayBuffer prototype and structure from GlobalObject creation
746         to disable it.
747
748         * runtime/JSGlobalObject.cpp:
749         (JSC::JSGlobalObject::init):
750         (JSC::JSGlobalObject::visitChildren):
751         * runtime/JSGlobalObject.h:
752         (JSC::JSGlobalObject::arrayBufferPrototype const):
753         (JSC::JSGlobalObject::arrayBufferStructure const):
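
        The way a page script observes the change in this entry, as an added example that is
        not WebKit code and not part of this ChangeLog entry: a probe that reports whether a
        SharedArrayBuffer constructor is reachable from a given global object, whether one can
        actually be allocated, and whether Atomics operations work on a view over it. The
        function names probeSharedArrayBuffer and sharedArrayBufferExposed are ours, and the
        globalObject parameter is whatever global the caller wants to inspect (window, a
        worker's self, or a plain object in a test).

```javascript
// Added example, not WebKit code: probe whether SharedArrayBuffer is reachable
// from script. Removing the prototype/structure from the global object makes
// the constructor disappear, which is the first thing this probe checks.
function probeSharedArrayBuffer(globalObject) {
  const report = {
    constructorPresent: false, // typeof globalObject.SharedArrayBuffer === "function"
    canAllocate: false,        // new SharedArrayBuffer(16) succeeded
    atomicsUsable: false,      // Atomics.add / Atomics.load worked on a view over it
    error: null,               // message of the first exception, if any
  };

  const SAB = globalObject.SharedArrayBuffer;
  if (typeof SAB !== "function") {
    return report; // no constructor on the global: nothing further is reachable
  }
  report.constructorPresent = true;

  try {
    const buffer = new SAB(16);
    report.canAllocate = buffer.byteLength === 16;

    // A shared buffer is only useful through Atomics; check that path too.
    const view = new Int32Array(buffer);
    const atomics = globalObject.Atomics;
    if (atomics && typeof atomics.add === "function") {
      atomics.add(view, 0, 5);
      report.atomicsUsable = atomics.load(view, 0) === 5;
    }
  } catch (e) {
    // A constructor that exists but throws (e.g. a stubbed-out one) lands here.
    report.error = String(e);
  }
  return report;
}

// Convenience: true only when every step of the probe succeeded.
function sharedArrayBufferExposed(globalObject) {
  const r = probeSharedArrayBuffer(globalObject);
  return r.constructorPresent && r.canAllocate && r.atomicsUsable;
}
```

        Pass the real global (window, self, or globalThis) to see what the engine exposes;
        passing an empty object shows the report shape for a build where the constructor has
        been removed, as this entry does.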
754
755 2018-01-03  Michael Saboff  <msaboff@apple.com>
756
757         Add "noInline" to $vm
758         https://bugs.webkit.org/show_bug.cgi?id=181265
759
760         Reviewed by Mark Lam.
761
762         This would be useful for web based tests.
763
764         * tools/JSDollarVM.cpp:
765         (JSC::getExecutableForFunction):
766         (JSC::functionNoInline):
767         (JSC::JSDollarVM::finishCreation):
768
769 2018-01-03  Michael Saboff  <msaboff@apple.com>
770
771         Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
772         https://bugs.webkit.org/show_bug.cgi?id=181263
773
774         Reviewed by Mark Lam.
775
776         Flushing the butterfly pointer provides no benefit and slows this function.
777
778         * tools/JSDollarVM.cpp:
779         (JSC::functionCpuClflush):
780
781 2018-01-03  Saam Barati  <sbarati@apple.com>
782
783         Fix BytecodeParser op_catch assert to work with useProfiler=1
784         https://bugs.webkit.org/show_bug.cgi?id=181260
785
786         Reviewed by Keith Miller.
787
788         op_catch was asserting that the current block was empty. This is only true
789         if the profiler isn't enabled. When the profiler is enabled, we will
790         insert a CountExecution node before each bytecode. This patch fixes the
791         assert to work with the profiler.
792
793         * dfg/DFGByteCodeParser.cpp:
794         (JSC::DFG::ByteCodeParser::parseBlock):
795
796 2018-01-03  Per Arne Vollan  <pvollan@apple.com>
797
798         [Win][Debug] testapi link error.
799         https://bugs.webkit.org/show_bug.cgi?id=181247
800         <rdar://problem/36166729>
801
802         Reviewed by Brent Fulgham.
803
804         Do not set the runtime library compile flag for C files; it is already set to the correct value.
805 
806         * shell/PlatformWin.cmake:
807
808 2018-01-03  Robin Morisset  <rmorisset@apple.com>
809
810         Inlining of a function that ends in op_unreachable crashes
811         https://bugs.webkit.org/show_bug.cgi?id=181027
812
813         Reviewed by Filip Pizlo.
814
815         * dfg/DFGByteCodeParser.cpp:
816         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
817         (JSC::DFG::ByteCodeParser::inlineCall):
818
819 2018-01-02  Saam Barati  <sbarati@apple.com>
820
821         Incorrect assertion inside AccessCase
822         https://bugs.webkit.org/show_bug.cgi?id=181200
823         <rdar://problem/35494754>
824
825         Reviewed by Yusuke Suzuki.
826
827         Consider a PutById compiled to a setter in a function like so:
828         
829         ```
830         function foo(o) { o.f = o; }
831         ```
832         
833         The DFG will often assign the same registers to the baseGPR (o in o.f) and the
834         valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
835         to the same register. However, we're asserting that they're not the same register.
836         This patch just removes this invalid assertion.
837
838         * bytecode/AccessCase.cpp:
839         (JSC::AccessCase::generateImpl):
840
841 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
842
843         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
844         https://bugs.webkit.org/show_bug.cgi?id=175359
845
846         Reviewed by Yusuke Suzuki.
847
848         This patch implements BigIntConstructor and BigIntPrototype
849         following the spec [1, 2]. In addition, we also implement the BigIntObject
850         wrapper to handle the ToObject(v) abstract operation when "v" is a BigInt
851         primitive. With these classes, it is now possible to synthesize
852         BigInt.prototype and then call "toString", "valueOf" and
853         "toLocaleString" when the primitive is a BigInt.
854         BigIntConstructor exposes an API to parse other primitives such as
855         Number, Boolean and String to BigInt.
856         We decided to skip the parseInt implementation, since it was removed from
857         the spec.
858
859         [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
860         [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object
861
862         * CMakeLists.txt:
863         * DerivedSources.make:
864         * JavaScriptCore.xcodeproj/project.pbxproj:
865         * Sources.txt:
866         * jsc.cpp:
867         * runtime/BigIntConstructor.cpp: Added.
868         (JSC::BigIntConstructor::BigIntConstructor):
869         (JSC::BigIntConstructor::finishCreation):
870         (JSC::isSafeInteger):
871         (JSC::toBigInt):
872         (JSC::callBigIntConstructor):
873         (JSC::bigIntConstructorFuncAsUintN):
874         (JSC::bigIntConstructorFuncAsIntN):
875         * runtime/BigIntConstructor.h: Added.
876         (JSC::BigIntConstructor::create):
877         (JSC::BigIntConstructor::createStructure):
878         * runtime/BigIntObject.cpp: Added.
879         (JSC::BigIntObject::BigIntObject):
880         (JSC::BigIntObject::finishCreation):
881         (JSC::BigIntObject::toStringName):
882         (JSC::BigIntObject::defaultValue):
883         * runtime/BigIntObject.h: Added.
884         (JSC::BigIntObject::create):
885         (JSC::BigIntObject::internalValue const):
886         (JSC::BigIntObject::createStructure):
887         * runtime/BigIntPrototype.cpp: Added.
888         (JSC::BigIntPrototype::BigIntPrototype):
889         (JSC::BigIntPrototype::finishCreation):
890         (JSC::toThisBigIntValue):
891         (JSC::bigIntProtoFuncToString):
892         (JSC::bigIntProtoFuncToLocaleString):
893         (JSC::bigIntProtoFuncValueOf):
894         * runtime/BigIntPrototype.h: Added.
895         (JSC::BigIntPrototype::create):
896         (JSC::BigIntPrototype::createStructure):
897         * runtime/IntlCollator.cpp:
898         (JSC::IntlCollator::initializeCollator):
899         * runtime/IntlNumberFormat.cpp:
900         (JSC::IntlNumberFormat::initializeNumberFormat):
901         * runtime/JSBigInt.cpp:
902         (JSC::JSBigInt::createFrom):
903         (JSC::JSBigInt::parseInt):
904         (JSC::JSBigInt::toObject const):
905         * runtime/JSBigInt.h:
906         * runtime/JSCJSValue.cpp:
907         (JSC::JSValue::synthesizePrototype const):
908         * runtime/JSCPoisonedPtr.cpp:
909         * runtime/JSCell.cpp:
910         (JSC::JSCell::toObjectSlow const):
911         * runtime/JSGlobalObject.cpp:
912         (JSC::JSGlobalObject::init):
913         (JSC::JSGlobalObject::visitChildren):
914         * runtime/JSGlobalObject.h:
915         (JSC::JSGlobalObject::bigIntPrototype const):
916         (JSC::JSGlobalObject::bigIntObjectStructure const):
917         * runtime/StructureCache.h:
918         * runtime/StructureInlines.h:
919         (JSC::prototypeForLookupPrimitiveImpl):
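
        The constructor and prototype semantics this entry implements, as an added example
        that is not JSC code and not part of this ChangeLog entry: a plain-JavaScript
        reference model of BigInt.asUintN, BigInt.asIntN, the BigInt(value) conversion of
        Number, Boolean and String primitives, and the thisBigIntValue check behind
        BigInt.prototype.valueOf on the wrapper object, compared against an engine's
        built-ins. The function names (refAsUintN, refAsIntN, refToBigInt, thisBigIntValue,
        agreesWithBuiltins) and the BIGINT_LITERAL regex are ours; the regex is our
        transcription of the proposal's string grammar, and the ToPrimitive handling is a
        simplification.

```javascript
// Added example, not JSC code: reference semantics for the BigInt constructor
// and prototype, checked against the engine's own BigInt built-ins.

// BigInt.asUintN(bits, x): x modulo 2^bits, result in [0, 2^bits).
function refAsUintN(bits, value) {
  const modulus = 1n << BigInt(bits);
  const r = value % modulus;          // JS `%` keeps the dividend's sign...
  return r < 0n ? r + modulus : r;    // ...so fold negatives back into range
}

// BigInt.asIntN(bits, x): same reduction, then reinterpret as two's complement.
function refAsIntN(bits, value) {
  if (bits === 0) return 0n;          // spec special case: no sign bit to interpret
  const modulus = 1n << BigInt(bits);
  const u = refAsUintN(bits, value);
  return u >= (modulus >> 1n) ? u - modulus : u;
}

// String grammar (our transcription): optional surrounding whitespace, then either
// a 0x/0o/0b literal (no sign allowed) or an optionally signed decimal integer.
// No decimal point and no exponent.
const BIGINT_LITERAL = /^(?:0[xX][0-9a-fA-F]+|0[oO][0-7]+|0[bB][01]+|[+-]?[0-9]+)$/;

// BigInt(value): the conversion the constructor applies. Numbers must be
// integral (RangeError otherwise); undefined, null and symbols are a TypeError.
function refToBigInt(value) {
  switch (typeof value) {
    case "bigint":
      return value;
    case "boolean":
      return value ? 1n : 0n;
    case "number":
      if (!Number.isInteger(value)) {
        throw new RangeError(`${value} is not an integer`);
      }
      return BigInt(value);           // integral Numbers convert exactly
    case "string": {
      const text = value.trim();
      if (text === "") return 0n;     // empty / whitespace-only string is 0n
      if (!BIGINT_LITERAL.test(text)) {
        throw new SyntaxError(`Cannot convert ${JSON.stringify(value)} to a BigInt`);
      }
      return BigInt(text);
    }
    case "function":
    case "object": {
      if (value === null) break;
      // Simplified ToPrimitive with hint "number": valueOf first, then toString.
      const prim = typeof value.valueOf === "function" ? value.valueOf() : value;
      const stillObject = prim !== null && (typeof prim === "object" || typeof prim === "function");
      return refToBigInt(stillObject ? String(value) : prim);
    }
  }
  throw new TypeError(`Cannot convert ${String(value)} to a BigInt`);
}

// thisBigIntValue(value), used by BigInt.prototype.toString/valueOf: accept a
// primitive BigInt or a BigInt wrapper (what ToObject(1n) produces), nothing else.
function thisBigIntValue(value) {
  if (typeof value === "bigint") return value;
  // The wrapper's internal slot is reachable only through the built-in valueOf,
  // which throws a TypeError for any receiver that is not a BigInt wrapper.
  return BigInt.prototype.valueOf.call(value);
}

// Compare the reference model with the engine's built-ins on wrap-around cases.
function agreesWithBuiltins() {
  const cases = [[8, 257n], [8, -1n], [64, 1n << 63n], [64, -1n], [0, 5n], [3, -9n]];
  return cases.every(([bits, x]) =>
    refAsUintN(bits, x) === BigInt.asUintN(bits, x) &&
    refAsIntN(bits, x) === BigInt.asIntN(bits, x));
}
```

        Runs in any engine that ships BigInt. The asUintN/asIntN pair is the part worth
        remembering when BigInt values are written into fixed-width fields: the reduction is
        modular, so a value outside the width wraps silently instead of throwing, and a
        caller that wants an error has to range-check before truncating.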
920
921 2018-01-02  Tim Horton  <timothy_horton@apple.com>
922
923         Fix the MathCommon build with a recent compiler
924         https://bugs.webkit.org/show_bug.cgi?id=181216
925
926         Reviewed by Sam Weinig.
927
928         * runtime/MathCommon.cpp:
929         (JSC::fdlibmPow):
930         This cast drops the 'const' qualifier from the pointer to 'one',
931         but it doesn't have to, and it makes the compiler sad.
932
933 == Rolled over to ChangeLog-2018-01-01 ==