Unreviewed, rolling out r226600 and r226603

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2018-01-09  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling out r226600 and r226603
        https://bugs.webkit.org/show_bug.cgi?id=181351

        Add a DOM gadget for Spectre testing

        * runtime/Options.h:

2018-01-09  Saam Barati  <sbarati@apple.com>

        Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
        https://bugs.webkit.org/show_bug.cgi?id=181409

        Reviewed by Keith Miller.

        When I was looking at profiler data for Speedometer, I noticed that one of
        the hottest functions in Speedometer is around 1100 bytecode operations long.
        Only about 100 of those bytecode ops ever execute. However, we ended up
        spending a lot of time compiling basic blocks that never executed. We often
        plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
        This is the case when such a node never executes.
        
        This patch makes it so that anytime a block has a ForceOSRExit, we replace its
        terminal node with an Unreachable node (and remove all nodes after the
        ForceOSRExit). This will cut down on graph size when such a block dominates
        other blocks in the CFG. This allows us to get rid of huge chunks of the CFG
        in certain programs. When doing this transformation, we also insert
        Flushes/PhantomLocals to ensure we can recover values that are bytecode
        live-in to the ForceOSRExit.
        
        Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
        does not get rid of all the CFG that it could. If we decide it's worth
        it, we could use additional inputs into this mechanism. For example, we could
        profile if a basic block ever executes inside the LLInt/Baseline, and
        remove parts of the CFG based on that.
        
        When running Speedometer with the concurrent JIT turned off, this patch
        improves DFG/FTL compile times by around 5%.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parse):

2018-01-09  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
        https://bugs.webkit.org/show_bug.cgi?id=181388
        <rdar://problem/36349351>

        Reviewed by Saam Barati.

        When there are duplicate setters or getters, we may end up overwriting a getter
        with a setter, or vice versa.  This patch adds tracking for getters/setters that
        have been overwritten with duplicates and ignore them.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        * parser/Nodes.h:
        (JSC::PropertyNode::isOverriddenByDuplicate const):
        (JSC::PropertyNode::setIsOverriddenByDuplicate):

2018-01-08  Zan Dobersek  <zdobersek@igalia.com>

        REGRESSION(r225913): about 30 JSC test failures on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=181162
        <rdar://problem/36261349>

        Unreviewed follow-up to r226298. Enable the fast case in
        DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform,
        assuming in good faith that enough GP registers are available on any
        such configuration. The accompanying comment is adjusted to describe
        this assumption.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArraySlice):

2018-01-08  JF Bastien  <jfbastien@apple.com>

        WebAssembly: mask indexed accesses to Table
        https://bugs.webkit.org/show_bug.cgi?id=181412
        <rdar://problem/36363236>

        Reviewed by Saam Barati.

        WebAssembly Table indexed accesses are user-controlled and
        bounds-checked. Force allocations of Table data to be a
        power-of-two, and explicitly mask accesses after bounds-check
        branches.

        Rename misleading usage of "size" when "length" of a Table was
        intended.

        Rename the Spectre option from "disable" to "enable".

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        * runtime/Options.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmTable.cpp:
        (JSC::Wasm::Table::allocatedLength):
        (JSC::Wasm::Table::setLength):
        (JSC::Wasm::Table::create):
        (JSC::Wasm::Table::Table):
        (JSC::Wasm::Table::grow):
        (JSC::Wasm::Table::clearFunction):
        (JSC::Wasm::Table::setFunction):
        * wasm/WasmTable.h:
        (JSC::Wasm::Table::length const):
        (JSC::Wasm::Table::offsetOfLength):
        (JSC::Wasm::Table::offsetOfMask):
        (JSC::Wasm::Table::mask const):
        (JSC::Wasm::Table::isValidLength):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
        (JSC::JSWebAssemblyTable::visitChildren):
        (JSC::JSWebAssemblyTable::grow):
        (JSC::JSWebAssemblyTable::getFunction):
        (JSC::JSWebAssemblyTable::clearFunction):
        (JSC::JSWebAssemblyTable::setFunction):
        * wasm/js/JSWebAssemblyTable.h:
        (JSC::JSWebAssemblyTable::isValidLength):
        (JSC::JSWebAssemblyTable::length const):
        (JSC::JSWebAssemblyTable::allocatedLength const):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::webAssemblyTableProtoFuncLength):
        (JSC::webAssemblyTableProtoFuncGrow):
        (JSC::webAssemblyTableProtoFuncGet):
        (JSC::webAssemblyTableProtoFuncSet):

2018-01-08  Michael Saboff  <msaboff@apple.com>

        Add a DOM gadget for Spectre testing
        https://bugs.webkit.org/show_bug.cgi?id=181351

        Reviewed by Michael Saboff.

        Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
        Spectre mitigations.

        * runtime/Options.h:

2018-01-08  Mark Lam  <mark.lam@apple.com>

        Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
        https://bugs.webkit.org/show_bug.cgi?id=181403
        <rdar://problem/36359789>

        Rubber-stamped by JF Bastien.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::predictedMachineCodeSize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::vm const):
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::heap const):
        (JSC::CodeBlock::replaceConstant):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-01-07  Mark Lam  <mark.lam@apple.com>

        Apply poisoning to more pointers in JSC.
        https://bugs.webkit.org/show_bug.cgi?id=181096
        <rdar://problem/36182970>

        Reviewed by JF Bastien.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::xorPtr):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::xor64):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::xor64):
        - Add xorPtr implementation.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::inferredName const):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::visitWeakly):
        (JSC::CodeBlock::visitChildren):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
        (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::predictedMachineCodeSize):
        (JSC::CodeBlock::findPC):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
        (JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        (JSC::CodeBlock::callLinkInfosBegin):
        (JSC::CodeBlock::callLinkInfosEnd):
        (JSC::CodeBlock::instructions):
        (JSC::CodeBlock::instructions const):
        (JSC::CodeBlock::vm const):
        * dfg/DFGOSRExitCompilerCommon.h:
        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
        * jit/JIT.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/UnlinkedSourceCode.h:
        * runtime/JSCPoison.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/JSScriptFetchParameters.h:
        * runtime/JSScriptFetcher.h:
        * runtime/StructureTransitionTable.h:
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        (JSC::JSWebAssemblyCodeBlock::visitChildren):
        (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
        * wasm/js/JSWebAssemblyCodeBlock.h:

2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
        https://bugs.webkit.org/show_bug.cgi?id=181321

        Reviewed by Saam Barati.

        According to ECMA262 16.2[1], functions created using the bind method must not have
        "caller" and "arguments" own properties.

        [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions

        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):

2018-01-05  JF Bastien  <jfbastien@apple.com>

        WebAssembly: poison JS object's secrets
        https://bugs.webkit.org/show_bug.cgi?id=181339
        <rdar://problem/36325001>

        Reviewed by Mark Lam.

        Separating WebAssembly's JS objects from their non-JS
        implementation means that all interesting information lives
        outside of the JS object itself. This patch poisons each JS
        object's pointer to non-JS implementation using the poisoning
        mechanism and a unique key per JS object type origin.

        * runtime/JSCPoison.h:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
        object in a stack slot when fast TLS is disabled. This requires
        that we unpoison the Wasm::Instance.
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
        be explicit that the pointer is poisoned.
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTable.h:

2018-01-05  Michael Saboff  <msaboff@apple.com>

        Add ability to disable indexed property masking for testing
        https://bugs.webkit.org/show_bug.cgi?id=181350

        Reviewed by Keith Miller.

        Made the masking of indexed properties runtime controllable via a new JSC::Option
        named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.

        The new option has a generic name as it will probably be used to disable future mitigations.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        * runtime/Options.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):

2018-01-05  Michael Saboff  <msaboff@apple.com>

        Allow JSC Config Files to set Restricted Options
        https://bugs.webkit.org/show_bug.cgi?id=181352

        Reviewed by Mark Lam.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):

2018-01-04  Keith Miller  <keith_miller@apple.com>

        TypedArrays and Wasm should use index masking.
        https://bugs.webkit.org/show_bug.cgi?id=181313

        Reviewed by Michael Saboff.

        We should have index masking for our TypedArray code in the
        DFG/FTL and for Wasm when doing bounds checking. Index masking for
        Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
        WasmBoundsCheckValues we don't need to worry about combining a
        bounds check for a load and a store. I went with fusing the
        pointer masking in the WasmBoundsCheckValue since it should reduce
        additional compiler overhead.

        * b3/B3LowerToAir.cpp:
        * b3/B3Validate.cpp:
        * b3/B3WasmBoundsCheckValue.cpp:
        (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
        (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
        * b3/B3WasmBoundsCheckValue.h:
        (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::WasmBoundsCheckCustom::generate):
        * b3/testb3.cpp:
        (JSC::B3::testWasmBoundsCheck):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        * runtime/Butterfly.h:
        (JSC::Butterfly::computeIndexingMask const):
        (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::load):
        (JSC::Wasm::B3IRGenerator::store):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::grow):
        * wasm/WasmMemory.h:
        (JSC::Wasm::Memory::offsetOfIndexingMask):
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::PinnedRegisterInfo::get):
        (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::PinnedRegisterInfo::toSave const):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):

2018-01-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r226434.
        https://bugs.webkit.org/show_bug.cgi?id=181322

        32bit JSC failure in x86 (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "[DFG] Unify ToNumber implementation in 32bit and 64bit by
        changing 32bit Int32Tag and LowestTag"
        https://bugs.webkit.org/show_bug.cgi?id=181134
        https://trac.webkit.org/changeset/226434

2018-01-04  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
        https://bugs.webkit.org/show_bug.cgi?id=180770

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:

2018-01-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r226405.
        https://bugs.webkit.org/show_bug.cgi?id=181318

        Speculative rollout due to Octane/SplayLatency,Octane/Splay
        regressions (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Create parallel SlotVisitors apriori"
        https://bugs.webkit.org/show_bug.cgi?id=180907
        https://trac.webkit.org/changeset/226405

2018-01-04  Saam Barati  <sbarati@apple.com>

        Do value profiling in to_this
        https://bugs.webkit.org/show_bug.cgi?id=181299

        Reviewed by Filip Pizlo.

        This patch adds value profiling to to_this. We use the result of the value
        profiling only for strict mode code when we don't predict that the input is
        of a specific type. This helps when the input is SpecCellOther. Such cells
        might implement a custom ToThis, which can produce an arbitrary result. Before
        this patch, in prediction propagation, we were saying that a ToThis with a
        SpecCellOther input also produced SpecCellOther. However, this is incorrect,
        given that the input may implement ToThis that produces an arbitrary result.
        This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.
        
        Interestingly, this patch only does value profiling on the slow path. The fast
        path of to_this in the LLInt/baseline just perform a structure check. If it
        passes, the result is the same as the input. Therefore, doing value profiling
        from the fast path wouldn't actually produce new information for the ValueProfile.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitToThis):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
        https://bugs.webkit.org/show_bug.cgi?id=181134

        Reviewed by Mark Lam.

        We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
        branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
        an additional scratch register. We do not want to allocate an unnecessary register in 64bit
        implementation.

        This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
        and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
        setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
        `<= LowestTag(Int32Tag)`.

        We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.

        We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        (JSC::DFG::SpeculativeJIT::compileToNumber):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::branchIfNotType):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfMisc):
        (JSC::AssemblyHelpers::branchIfNotMisc):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
        (JSC::AssemblyHelpers::emitTypeOf):
        * jit/JITAddGenerator.cpp:
        (JSC::JITAddGenerator::generateFastPath):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::loadOperand):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITNegGenerator.cpp:
        (JSC::JITNegGenerator::generateInline):
        (JSC::JITNegGenerator::generateFastPath):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        * jit/JITSubGenerator.cpp:
        (JSC::JITSubGenerator::generateInline):
        (JSC::JITSubGenerator::generateFastPath):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * runtime/JSCJSValue.h:

2018-01-04  JF Bastien  <jfbastien@apple.com>

        Add assembler support for x86 lfence and sfence
        https://bugs.webkit.org/show_bug.cgi?id=181311
        <rdar://problem/36301780>

        Reviewed by Michael Saboff.

        Useful for testing performance of serializing instructions (hint:
        it's not good).

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::lfence):
        (JSC::MacroAssemblerX86Common::sfence):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::lfence):
        (JSC::X86Assembler::sfence):

2018-01-04  Saam Barati  <sbarati@apple.com>

        Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
        https://bugs.webkit.org/show_bug.cgi?id=181296

        Reviewed by Filip Pizlo.

        Inside Speedometer's Ember test, there is a recompile loop like:
        a: GetByVal(..., semanticOriginX)
        b: SetLocal(Cell:@a, semanticOriginX)
        
        where the cell check always fails. For reasons I didn't investigate, the
        baseline JIT's value profiling doesn't accurately capture the GetByVal's
        result.
        
        However, when compiling this cell speculation check in the DFG, we get a null
        MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
        this IR pattern because both @a and @b have the same semantic origin. We
        should not follow the same semantic origin heuristic when dealing with
        SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
        For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
        For this IR pattern, we will update the value profile for the semantic origin
        for @nodeWithHeapPrediction. So, for the Speedometer example above, we
        will correctly update the GetByVal's value profile, which will prevent
        an OSR exit loop.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):

2018-01-04  Keith Miller  <keith_miller@apple.com>

        Array Storage operations sometimes did not update the indexing mask correctly.
        https://bugs.webkit.org/show_bug.cgi?id=181301

        Reviewed by Mark Lam.

        I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::increaseVectorLength):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Define defs for MapSet/SetAdd to participate in CSE
        https://bugs.webkit.org/show_bug.cgi?id=179911

        Reviewed by Saam Barati.

        With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
        To handle a bit tricky DFG Map operation nodes, MapSet and SetAdd
        produce added bucket as its result. Subsequent GetMapBucket will
        be removed by CSE.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetAdd):
        (JSC::DFG::SpeculativeJIT::compileMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::addNormalized):
        (JSC::HashMapImpl::addNormalizedInternal):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove LocalScope
        https://bugs.webkit.org/show_bug.cgi?id=181206

        Reviewed by Geoffrey Garen.

        The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use.
        This patch changes JSON parsing and stringifying to using MarkedArgumentBuffer. And remove HandleStack
        and LocalScope.

        We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold
        JSObject* directly in their fields.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/HandleStack.cpp: Removed.
        * heap/HandleStack.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack): Deleted.
        * heap/Local.h: Removed.
        * heap/LocalScope.h: Removed.
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::object const):
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::Walker):
        (JSC::Walker::callReviver):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONParse):
        (JSC::JSONStringify):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
        https://bugs.webkit.org/show_bug.cgi?id=180238

        Reviewed by Saam Barati.

        We can optimize ObjectAllocationSinking a bit by using removeIf.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Create parallel SlotVisitors apriori
        https://bugs.webkit.org/show_bug.cgi?id=180907

        Reviewed by Saam Barati.

        The number of SlotVisitors are capped with the number of HeapHelperPool's threads + 2.
        If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically.
        Then we do not need to grab locks while iterating all the SlotVisitors.

        In addition, we do not need to consider the case that the number of SlotVisitors increases
        after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
        does not increase any more.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::runBeginPhase):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::numberOfSlotVisitors): Deleted.
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::didVisitSomething const):

2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>

        Replace hard-coded paths in shebangs with #!/usr/bin/env
        https://bugs.webkit.org/show_bug.cgi?id=181040

        Reviewed by Alex Christensen.

        * Scripts/UpdateContents.py:
        * Scripts/cssmin.py:
        * Scripts/generate-combined-inspector-json.py:
        * Scripts/xxd.pl:
        * create_hash_table:
        * generate-bytecode-files:
        * wasm/generateWasm.py:
        * wasm/generateWasmOpsHeader.py:
        * yarr/generateYarrCanonicalizeUnicode:

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Disable SharedArrayBuffers from Web API
        https://bugs.webkit.org/show_bug.cgi?id=181266

        Reviewed by Saam Barati.

        Removed SharedArrayBuffer prototype and structure from GlobalObject creation
        to disable.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype const):
        (JSC::JSGlobalObject::arrayBufferStructure const):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Add "noInline" to $vm
        https://bugs.webkit.org/show_bug.cgi?id=181265

        Reviewed by Mark Lam.

        This would be useful for web based tests.

        * tools/JSDollarVM.cpp:
        (JSC::getExecutableForFunction):
        (JSC::functionNoInline):
        (JSC::JSDollarVM::finishCreation):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
        https://bugs.webkit.org/show_bug.cgi?id=181263

        Reviewed by Mark Lam.

        Flushing the butterfly pointer provides no benefit and slows this function.

        * tools/JSDollarVM.cpp:
        (JSC::functionCpuClflush):

2018-01-03  Saam Barati  <sbarati@apple.com>

        Fix BytecodeParser op_catch assert to work with useProfiler=1
        https://bugs.webkit.org/show_bug.cgi?id=181260

        Reviewed by Keith Miller.

        op_catch was asserting that the current block was empty. This is only true
        if the profiler isn't enabled. When the profiler is enabled, we will
        insert a CountExecution node before each bytecode. This patch fixes the
        assert to work with the profiler.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2018-01-03  Per Arne Vollan  <pvollan@apple.com>

        [Win][Debug] testapi link error.
        https://bugs.webkit.org/show_bug.cgi?id=181247
        <rdar://problem/36166729>

        Reviewed by Brent Fulgham.

        Do not set the runtime library compile flag for C files, it is already set to the correct value.
 
        * shell/PlatformWin.cmake:

2018-01-03  Robin Morisset  <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable crashes
        https://bugs.webkit.org/show_bug.cgi?id=181027

        Reviewed by Filip Pizlo.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
        (JSC::DFG::ByteCodeParser::inlineCall):

2018-01-02  Saam Barati  <sbarati@apple.com>

        Incorrect assertion inside AccessCase
        https://bugs.webkit.org/show_bug.cgi?id=181200
        <rdar://problem/35494754>

        Reviewed by Yusuke Suzuki.

        Consider a PutById compiled to a setter in a function like so:
        
        ```
        function foo(o) { o.f = o; }
        ```
        
        The DFG will often assign the same registers to the baseGPR (o in o.f) and the
        valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
        to the same register. However, we're asserting that they're not the same register.
        This patch just removes this invalid assertion.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):

2018-01-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
        https://bugs.webkit.org/show_bug.cgi?id=175359

        Reviewed by Yusuke Suzuki.

        This patch is implementing BigIntConstructor and BigIntPrototype
        following spec[1, 2]. As addition, we are also implementing BigIntObject
        warapper to handle ToObject(v) abstract operation when "v" is a BigInt
        primitive. With these classes, now it's possible to syntetize
        BigInt.prototype and then call "toString", "valueOf" and
        "toLocaleString" when the primitive is a BigInt.
        BigIntConstructor exposes an API to parse other primitives such as
        Number, Boolean and String to BigInt.
        We decided to skip parseInt implementation, since it was removed from
        spec.

        [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
        [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object 

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * jsc.cpp:
        * runtime/BigIntConstructor.cpp: Added.
        (JSC::BigIntConstructor::BigIntConstructor):
        (JSC::BigIntConstructor::finishCreation):
        (JSC::isSafeInteger):
        (JSC::toBigInt):
        (JSC::callBigIntConstructor):
        (JSC::bigIntConstructorFuncAsUintN):
        (JSC::bigIntConstructorFuncAsIntN):
        * runtime/BigIntConstructor.h: Added.
        (JSC::BigIntConstructor::create):
        (JSC::BigIntConstructor::createStructure):
        * runtime/BigIntObject.cpp: Added.
        (JSC::BigIntObject::BigIntObject):
        (JSC::BigIntObject::finishCreation):
        (JSC::BigIntObject::toStringName):
        (JSC::BigIntObject::defaultValue):
        * runtime/BigIntObject.h: Added.
        (JSC::BigIntObject::create):
        (JSC::BigIntObject::internalValue const):
        (JSC::BigIntObject::createStructure):
        * runtime/BigIntPrototype.cpp: Added.
        (JSC::BigIntPrototype::BigIntPrototype):
        (JSC::BigIntPrototype::finishCreation):
        (JSC::toThisBigIntValue):
        (JSC::bigIntProtoFuncToString):
        (JSC::bigIntProtoFuncToLocaleString):
        (JSC::bigIntProtoFuncValueOf):
        * runtime/BigIntPrototype.h: Added.
        (JSC::BigIntPrototype::create):
        (JSC::BigIntPrototype::createStructure):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFrom):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::toObject const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype const):
        * runtime/JSCPoisonedPtr.cpp:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObjectSlow const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::bigIntPrototype const):
        (JSC::JSGlobalObject::bigIntObjectStructure const):
        * runtime/StructureCache.h:
        * runtime/StructureInlines.h:
        (JSC::prototypeForLookupPrimitiveImpl):

2018-01-02  Tim Horton  <timothy_horton@apple.com>

        Fix the MathCommon build with a recent compiler
        https://bugs.webkit.org/show_bug.cgi?id=181216

        Reviewed by Sam Weinig.

        * runtime/MathCommon.cpp:
        (JSC::fdlibmPow):
        This cast drops the 'const' qualifier from the pointer to 'one',
        but it doesn't have to, and it makes the compiler sad.

== Rolled over to ChangeLog-2018-01-01 ==