711eba3f6b5402b9851bd9b1c19269f544797b20
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-02-05  Commit Queue  <commit-queue@webkit.org>
2
3         Unreviewed, rolling out r228012.
4         https://bugs.webkit.org/show_bug.cgi?id=182493
5
6         "It regressed ARES-6 by 2-4%" (Requested by saamyjoon on
7         #webkit).
8
9         Reverted changeset:
10
11         "[JSC] Clean up ArraySpeciesCreate"
12         https://bugs.webkit.org/show_bug.cgi?id=182434
13         https://trac.webkit.org/changeset/228012
14
15 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
16
17         Rebaseline bindings generator tests after r228032.
18         https://bugs.webkit.org/show_bug.cgi?id=182445
19
20         Unreviewed test gardening.
21
22         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
23
24 2018-02-02  Saam Barati  <sbarati@apple.com>
25
26         Make various DFG_ASSERTs provide more data to WTFCrashWithInfo
27         https://bugs.webkit.org/show_bug.cgi?id=182453
28         <rdar://problem/37174236>
29
30         Reviewed by JF Bastien and Mark Lam.
31
32         * dfg/DFGAbstractInterpreterInlines.h:
33         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
34         * dfg/DFGArgumentsEliminationPhase.cpp:
35         * dfg/DFGArgumentsUtilities.cpp:
36         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
37         * dfg/DFGFixupPhase.cpp:
38         (JSC::DFG::FixupPhase::fixupChecksInBlock):
39         * dfg/DFGFlowIndexing.h:
40         (JSC::DFG::FlowIndexing::shadowIndex const):
41         * dfg/DFGLICMPhase.cpp:
42         (JSC::DFG::LICMPhase::run):
43         (JSC::DFG::LICMPhase::attemptHoist):
44         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
45         (JSC::DFG::LoopPreHeaderCreationPhase::run):
46         * dfg/DFGPutStackSinkingPhase.cpp:
47         * dfg/DFGSpeculativeJIT.cpp:
48         (JSC::DFG::SpeculativeJIT::compileArithAbs):
49         (JSC::DFG::SpeculativeJIT::compileArithRounding):
50         (JSC::DFG::SpeculativeJIT::compileToPrimitive):
51         * dfg/DFGSpeculativeJIT64.cpp:
52         (JSC::DFG::SpeculativeJIT::fillJSValue):
53         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
54         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
55         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
56         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
57         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
58         (JSC::DFG::SpeculativeJIT::compile):
59         * dfg/DFGStoreBarrierClusteringPhase.cpp:
60         * dfg/DFGStoreBarrierInsertionPhase.cpp:
61         * ftl/FTLLowerDFGToB3.cpp:
62         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
63         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
64         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
65         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
66         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
67         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
68         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
69         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
70         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
71         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
72         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
73         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
74         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
75         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
76         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
77         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
78         (JSC::FTL::DFG::LowerDFGToB3::compare):
79         (JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
80         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
81         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
82         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
83         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
84         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
85         (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
86
87 2018-02-02  Don Olmstead  <don.olmstead@sony.com>
88
89         JS Builtins should include JavaScriptCore headers directly
90         https://bugs.webkit.org/show_bug.cgi?id=182445
91
92         Reviewed by Yusuke Suzuki.
93
94         * Scripts/builtins/builtins_generator.py:
95         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
96         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
97         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
98         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
99         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
100         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
101
102 2018-02-02  Saam Barati  <sbarati@apple.com>
103
104         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
105         https://bugs.webkit.org/show_bug.cgi?id=182368
106         <rdar://problem/36932466>
107
108         Reviewed by Mark Lam.
109
110         When preserving liveness when inserting Unreachable nodes after ForceOSRExit,
111         we must add the VariableAccessData to the given argument position. Otherwise,
112         we may end up with a VariableAccessData that doesn't respect the shouldNeverUnbox bit.
113         If we end up with such a situation, it can lead to invalid IR after the
114         arguments elimination phase optimizes a GetByVal to a GetStack.
115
116         * dfg/DFGByteCodeParser.cpp:
117         (JSC::DFG::ByteCodeParser::flushImpl):
118         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
119         (JSC::DFG::ByteCodeParser::flush):
120         (JSC::DFG::ByteCodeParser::flushForTerminal):
121         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
122         (JSC::DFG::ByteCodeParser::parse):
123
124 2018-02-02  Mark Lam  <mark.lam@apple.com>
125
126         More ARM64_32 fixes.
127         https://bugs.webkit.org/show_bug.cgi?id=182441
128         <rdar://problem/37162310>
129
130         Reviewed by Dan Bernstein.
131
132         I also disabled more dynamicPoisoning code in ARM64_32.  This code assumes a
133         64-bit pointer which is not applicable here.
134
135         * jit/AssemblyHelpers.cpp:
136         (JSC::AssemblyHelpers::emitDynamicPoison):
137         (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
138         (JSC::AssemblyHelpers::emitDynamicPoisonOnType):
139
140 2018-02-02  Saam Barati  <sbarati@apple.com>
141
142         MapHash should return true to doesGC in the DFG depending on useKind because it might resolve a rope
143         https://bugs.webkit.org/show_bug.cgi?id=182402
144
145         Reviewed by Yusuke Suzuki.
146
147         * dfg/DFGDoesGC.cpp:
148         (JSC::DFG::doesGC):
149
150 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
151
152         [JSC] Clean up ArraySpeciesCreate
153         https://bugs.webkit.org/show_bug.cgi?id=182434
154
155         Reviewed by Saam Barati.
156
157         We have duplicate code in filter, map, concatSlowPath.
158         This patch creates a new global private function @arraySpeciesCreate,
159         and uses it.
160
161         * builtins/ArrayPrototype.js:
162         (globalPrivate.arraySpeciesCreate):
163         (filter):
164         (map):
165         (globalPrivate.concatSlowPath):
166
167 2018-02-01  Mark Lam  <mark.lam@apple.com>
168
169         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
170         https://bugs.webkit.org/show_bug.cgi?id=182419
171         <rdar://problem/37044945>
172
173         Reviewed by Saam Barati.
174
175         In compileGetMyArgumentByVal(), it computes:
176             limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
177             ...
178             LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit);
179
180         where the original "limit" is the number of arguments passed in by the caller.
181         If the original limit is less than numberOfArgumentsToSkip, the resultant limit
182         will be a large unsigned number.  As a result, this will defeat the bounds check
183         that follows it.
184
185         Note: later on in compileGetMyArgumentByVal(), we have to adjust the index
186         value by adding numberOfArgumentsToSkip to it, in order to determine the actual
187         entry in the arguments array to get.
188
189         The fix is to just add numberOfArgumentsToSkip to index upfront (instead of
190         subtracting it from limit), and do an overflow speculation check on that
191         addition before doing the bounds check.
192
193         * ftl/FTLLowerDFGToB3.cpp:
194         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
195
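The unsigned wrap described in this entry, as an added C model (not WebKit's code: the real check is emitted as B3 IR through m_out.sub / m_out.aboveOrEqual, and the names isOutOfBoundsBroken, isOutOfBoundsFixed, sampleArgumentAt and the constructed argument array are hypothetical):

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the bounds check in compileGetMyArgumentByVal():
   "limit" is the number of arguments the caller passed, "skip" is
   numberOfArgumentsToSkip, and "originalIndex" is the index the program
   asked for.  The JIT compares with an unsigned aboveOrEqual, so a
   negative Int32 index shows up here as a huge uint32_t and is rejected. */

/* Before the fix: limit -= skip, then originalIndex >= limit is the
   out-of-bounds test.  When limit < skip the unsigned subtraction wraps
   to a huge value and almost no index is rejected. */
static bool isOutOfBoundsBroken(uint32_t originalIndex, uint32_t limit, uint32_t skip)
{
    uint32_t adjustedLimit = limit - skip;   /* wraps when limit < skip */
    return originalIndex >= adjustedLimit;   /* unsigned aboveOrEqual */
}

/* After the fix: add skip to the index first, reject on overflow (the
   entry's "overflow speculation check"), then compare the adjusted index
   against the unmodified limit.  Modelled as returning true for out of
   bounds; the JIT would OSR exit instead. */
static bool isOutOfBoundsFixed(uint32_t originalIndex, uint32_t limit, uint32_t skip)
{
    if (UINT32_MAX - originalIndex < skip)   /* originalIndex + skip overflows */
        return true;
    uint32_t index = originalIndex + skip;
    return index >= limit;
}

/* Hypothetical accessor over a constructed arguments array of three
   values.  The first `skip` entries are not visible to the callee.
   Returns the argument, or -1 when the checked index is out of bounds. */
static int sampleArgumentAt(uint32_t skip, uint32_t originalIndex)
{
    static const int args[] = { 10, 20, 30 };   /* constructed: caller passed 3 */
    const uint32_t limit = sizeof(args) / sizeof(args[0]);

    if (isOutOfBoundsFixed(originalIndex, limit, skip))
        return -1;
    return args[originalIndex + skip];   /* overflow already excluded above */
}

int main(void)
{
    /* Regular case: skip 1, ask for visible index 1 -> args[2] == 30. */
    printf("sampleArgumentAt(1, 1) = %d\n", sampleArgumentAt(1, 1));

    /* Caller passed fewer arguments (3) than are skipped (5): the broken
       check lets index 1000 through, the fixed check rejects it. */
    printf("broken: %s\n", isOutOfBoundsBroken(1000, 3, 5) ? "out of bounds" : "IN BOUNDS (wrong)");
    printf("fixed:  %s\n", isOutOfBoundsFixed(1000, 3, 5) ? "out of bounds" : "in bounds");
    return 0;
}
```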
196 2018-02-01  Keith Miller  <keith_miller@apple.com>
197
198         Fix crashes due to mishandling custom sections.
199         https://bugs.webkit.org/show_bug.cgi?id=182404
200         <rdar://problem/36935863>
201
202         Reviewed by Saam Barati.
203
204         This also cleans up some of our validation code. We also
205         mistakenly allowed unknown (different from custom sections with
206         id: 0) section ids.
207
208         * wasm/WasmModuleParser.cpp:
209         (JSC::Wasm::ModuleParser::parse):
210         * wasm/WasmModuleParser.h:
211         * wasm/WasmSections.h:
212         (JSC::Wasm::isKnownSection):
213         (JSC::Wasm::decodeSection):
214         (JSC::Wasm::validateOrder):
215         (JSC::Wasm::makeString):
216         (JSC::Wasm::isValidSection): Deleted.
217
218 2018-02-01  Michael Catanzaro  <mcatanzaro@igalia.com>
219
220         -Wreturn-type warning in DFGObjectAllocationSinkingPhase.cpp
221         https://bugs.webkit.org/show_bug.cgi?id=182389
222
223         Reviewed by Yusuke Suzuki.
224
225         Fix the warning.
226
227         As a bonus, remove a couple unreachable breaks for good measure.
228
229         * dfg/DFGObjectAllocationSinkingPhase.cpp:
230
231 2018-02-01  Chris Dumez  <cdumez@apple.com>
232
233         Queue a microtask when a waitUntil() promise is settled
234         https://bugs.webkit.org/show_bug.cgi?id=182372
235         <rdar://problem/37101019>
236
237         Reviewed by Mark Lam.
238
239         Export a symbol so it can be used in WebCore.
240
241         * runtime/JSGlobalObject.h:
242
243 2018-01-31  Don Olmstead  <don.olmstead@sony.com>
244
245         [CMake] Make JavaScriptCore headers copies
246         https://bugs.webkit.org/show_bug.cgi?id=182303
247
248         Reviewed by Alex Christensen.
249
250         * CMakeLists.txt:
251         * PlatformGTK.cmake:
252         * PlatformJSCOnly.cmake:
253         * PlatformMac.cmake:
254         * PlatformWPE.cmake:
255         * PlatformWin.cmake:
256         * shell/CMakeLists.txt:
257         * shell/PlatformWin.cmake:
258
259 2018-01-31  Saam Barati  <sbarati@apple.com>
260
261         Replace tryLargeMemalignVirtual with tryLargeZeroedMemalignVirtual and use it to allocate large zeroed memory in Wasm
262         https://bugs.webkit.org/show_bug.cgi?id=182064
263         <rdar://problem/36840132>
264
265         Reviewed by Geoffrey Garen.
266
267         This patch switches WebAssembly Memory to always use bmalloc's
268         zeroed virtual allocation API. This makes it so that we don't
269         dirty the memory to zero it. It's a huge compile time speedup
270         on WasmBench on iOS.
271
272         * wasm/WasmMemory.cpp:
273         (JSC::Wasm::Memory::create):
274         (JSC::Wasm::Memory::~Memory):
275         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
276         (JSC::Wasm::Memory::grow):
277         (JSC::Wasm::commitZeroPages): Deleted.
278
279 2018-01-31  Mark Lam  <mark.lam@apple.com>
280
281         Build fix for CLoop after r227874.
282         https://bugs.webkit.org/show_bug.cgi?id=182155
283         <rdar://problem/36286266>
284
285         Not reviewed.
286
287         Just needed support for lea of a LabelReference in cloop.rb (just like those
288         added for arm64.rb and x86.rb).
289
290         * offlineasm/cloop.rb:
291
292 2018-01-31  Keith Miller  <keith_miller@apple.com>
293
294         Canonicalize acquiring the JSCell lock.
295         https://bugs.webkit.org/show_bug.cgi?id=182320
296
297         Reviewed by Michael Saboff.
298
299         It's currently kinda annoying to figure out where
300         we acquire a JSCell's lock. This patch adds a
301         helper to make it easier to grep...
302
303         * bytecode/UnlinkedCodeBlock.cpp:
304         (JSC::UnlinkedCodeBlock::visitChildren):
305         (JSC::UnlinkedCodeBlock::setInstructions):
306         (JSC::UnlinkedCodeBlock::shrinkToFit):
307         * runtime/ErrorInstance.cpp:
308         (JSC::ErrorInstance::finishCreation):
309         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
310         (JSC::ErrorInstance::visitChildren):
311         * runtime/JSArray.cpp:
312         (JSC::JSArray::shiftCountWithArrayStorage):
313         (JSC::JSArray::unshiftCountWithArrayStorage):
314         * runtime/JSCell.h:
315         (JSC::JSCell::cellLock):
316         * runtime/JSObject.cpp:
317         (JSC::JSObject::visitButterflyImpl):
318         (JSC::JSObject::convertContiguousToArrayStorage):
319         * runtime/JSPropertyNameEnumerator.cpp:
320         (JSC::JSPropertyNameEnumerator::visitChildren):
321         * runtime/SparseArrayValueMap.cpp:
322         (JSC::SparseArrayValueMap::add):
323         (JSC::SparseArrayValueMap::remove):
324         (JSC::SparseArrayValueMap::visitChildren):
325
326 2018-01-31  Saam Barati  <sbarati@apple.com>
327
328         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
329         https://bugs.webkit.org/show_bug.cgi?id=182074
330         <rdar://problem/36846261>
331
332         Reviewed by Mark Lam.
333
334         This patch teaches the JSONP evaluator about the global lexical environment.
335         Before, it was using the global object as the global scope, but that's wrong.
336         The global lexical environment is the first node in the global scope chain.
337
338         * interpreter/Interpreter.cpp:
339         (JSC::Interpreter::executeProgram):
340         * jsc.cpp:
341         (GlobalObject::finishCreation):
342         (shellSupportsRichSourceInfo):
343         (functionDisableRichSourceInfo):
344         * runtime/LiteralParser.cpp:
345         (JSC::LiteralParser<CharType>::tryJSONPParse):
346         * runtime/LiteralParser.h:
347
348 2018-01-31  Saam Barati  <sbarati@apple.com>
349
350         clean up pushToSaveImmediateWithoutTouchingRegisters a bit
351         https://bugs.webkit.org/show_bug.cgi?id=181774
352
353         Reviewed by JF Bastien.
354
355         This function on ARM64 was considering what to do with the scratch
356         register. And conditionally invalidated what was in it. This is not
357         relevant though, since the function always recovers what was in that
358         register. This patch just switches it to using dataTempRegister
359         directly and updates the comment to describe why it can do so safely.
360
361         * assembler/MacroAssemblerARM64.h:
362         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
363
364 2018-01-30  Mark Lam  <mark.lam@apple.com>
365
366         Apply poisoning to TypedArray vector pointers.
367         https://bugs.webkit.org/show_bug.cgi?id=182155
368         <rdar://problem/36286266>
369
370         Reviewed by JF Bastien.
371
372         The TypedArray's vector pointer is now poisoned.  The poison value is chosen based
373         on a TypedArray's jsType.  The JSType must be between FirstTypedArrayType and
374         LastTypedArrayType.  At runtime, we enforce that the index is well-behaved by
375         masking it against TypedArrayPoisonIndexMask.  TypedArrayPoisonIndexMask (16) is
376         the number of TypedArray types (10) rounded up to the next power of 2.
377         Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that we
378         can use index masking on the index, and be guaranteed that the masked index will
379         be within bounds of the poisons array.
380
381         1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not
382            do any unnecessary work if the TypedArray vector is null.
383
384            FTL's cagedMayBeNull() is no longer needed because it is only used by
385            compileGetTypedArrayByteOffset(), and we need to enhance it to handle unpoisoning
386            in a TypedArray specific way.  So, might as well do the work inline in
387            compileGetTypedArrayByteOffset() instead.
388
389         2. Removed an unnecessary null-check in DFGSpeculativeJIT's compileNewTypedArrayWithSize()
390            because there's already a null check above it that ensures that sizeGPR is
391            never null.
392
393         3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before the
394            loading of the vector for unpoisoning and uncaging.  We don't need the vector
395            if the length is 0.
396
397         Implementation notes on the need to null check the TypedArray vector:
398
399         1. DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not need a
400            m_poisonedVector null check because the function is a null check.
401
402         2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a
403            m_poisonedVector null check because it is followed by a call to
404            cageTypedArrayStorage() which assumes that storageReg cannot be null.
405
406         3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a
407            m_poisonedVector null check.
408
409         4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector null
410            check because the poisoning code is preceded by a sizeGPR null check, which
411            ensures that the storageGPR (vector to be poisoned) is not null.
412
413         5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector null
414            check because it is followed by a call to caged() which assumes that the
415            vector cannot be null.
416
417         6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null check.
418
419         7. FTL's compileNewTypedArray() does not need a vector null check because the
420            poisoning code is preceded by a size null check, which ensures that the
421            storage (vector to be poisoned) is not null.
422
423         8. FTL's speculateTypedArrayIsNotNeutered() does not need a
424            m_poisonedVector null check because the function is a null check.
425
426         9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s TypedArrayByteOffsetIntrinsic
427            case needs a null check so that it does not try to unpoison a null vector.
428
429         10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because
430             we already do a length check even before loading the vector.
431
432         11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check because
433             we already do a length check even before loading the vector.
434
435         12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because
436             we already do a length check even before loading the vector.
437
438         13. JIT::emitFloatTypedArrayPutByVal() does not need a vector null check because
439             we already do a length check even before loading the vector.
440
441         14. LLInt's loadTypedArrayCaged() does not need a vector null check because its
442             client will do a TypedArray length check before calling it.
443
444         * dfg/DFGFixupPhase.cpp:
445         (JSC::DFG::FixupPhase::checkArray):
446         * dfg/DFGNode.h:
447         (JSC::DFG::Node::hasArrayMode):
448         * dfg/DFGSpeculativeJIT.cpp:
449         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
450         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
451         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
452         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
453         * ftl/FTLAbstractHeapRepository.h:
454         * ftl/FTLLowerDFGToB3.cpp:
455         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
456         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
457         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
458         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
459         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted.
460         * jit/IntrinsicEmitter.cpp:
461         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
462         * jit/JITPropertyAccess.cpp:
463         (JSC::JIT::emitIntTypedArrayGetByVal):
464         (JSC::JIT::emitFloatTypedArrayGetByVal):
465         (JSC::JIT::emitIntTypedArrayPutByVal):
466         (JSC::JIT::emitFloatTypedArrayPutByVal):
467         * llint/LowLevelInterpreter.asm:
468         * llint/LowLevelInterpreter64.asm:
469         * offlineasm/arm64.rb:
470         * offlineasm/x86.rb:
471         * runtime/CagedBarrierPtr.h:
472         * runtime/JSArrayBufferView.cpp:
473         (JSC::JSArrayBufferView::JSArrayBufferView):
474         (JSC::JSArrayBufferView::finalize):
475         (JSC::JSArrayBufferView::neuter):
476         * runtime/JSArrayBufferView.h:
477         (JSC::JSArrayBufferView::vector const):
478         (JSC::JSArrayBufferView::offsetOfPoisonedVector):
479         (JSC::JSArrayBufferView::poisonFor):
480         (JSC::JSArrayBufferView::Poison::key):
481         (JSC::JSArrayBufferView::offsetOfVector): Deleted.
482         * runtime/JSCPoison.cpp:
483         (JSC::initializePoison):
484         * runtime/JSCPoison.h:
485         * runtime/JSGenericTypedArrayViewInlines.h:
486         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
487         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
488         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
489         * runtime/JSObject.h:
490
491 2018-01-30  Fujii Hironori  <Hironori.Fujii@sony.com>
492
493         [Win] Warning fix.
494         https://bugs.webkit.org/show_bug.cgi?id=177007
495
496         Reviewed by Yusuke Suzuki.
497
498         * interpreter/StackVisitor.cpp:
499         (JSC::StackVisitor::Frame::dump const):
500         Changed the type of locationRawBits from unsigned to uintptr_t.
501         * runtime/IntlNumberFormat.cpp:
502         (JSC::IntlNumberFormat::createNumberFormat):
503         Initialize 'style' to avoid potentially uninitialized local variable warning.
504
505 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
506
507         [JSC] Implement trimStart and trimEnd
508         https://bugs.webkit.org/show_bug.cgi?id=182233
509
510         Reviewed by Mark Lam.
511
512         String.prototype.{trimStart,trimEnd} are now stage 3[1].
513         String.prototype.{trimLeft,trimRight} are aliases of these functions.
514
515         We rename these functions to trimStart and trimEnd, and put them as
516         trimLeft and trimRight too.
517
518         [1]: https://tc39.github.io/proposal-string-left-right-trim/
519
520         * runtime/StringPrototype.cpp:
521         (JSC::StringPrototype::finishCreation):
522         (JSC::trimString):
523         (JSC::stringProtoFuncTrim):
524         (JSC::stringProtoFuncTrimStart):
525         (JSC::stringProtoFuncTrimEnd):
526         (JSC::stringProtoFuncTrimLeft): Deleted.
527         (JSC::stringProtoFuncTrimRight): Deleted.
528
529 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
530
531         [JSC] Relax line terminators in String to make JSON subset of JS
532         https://bugs.webkit.org/show_bug.cgi?id=182232
533
534         Reviewed by Keith Miller.
535
536         "Subsume JSON" spec is now stage 3[1]. Before this spec change,
537         JSON can accept \u2028 / \u2029 in strings while JS cannot.
538         It accidentally made JSON not a subset of JS.
539
540         Now we extend our JS strings to accept \u2028 / \u2029 to make JSON
541         a subset of JS in this spec change.
542
543         [1]: https://github.com/tc39/proposal-json-superset
544
545         * parser/Lexer.cpp:
546         (JSC::Lexer<T>::parseStringSlowCase):
547
548 2018-01-29  Jiewen Tan  <jiewen_tan@apple.com>
549
550         [WebAuthN] Add a compile-time feature flag
551         https://bugs.webkit.org/show_bug.cgi?id=182211
552         <rdar://problem/36936365>
553
554         Reviewed by Brent Fulgham.
555
556         * Configurations/FeatureDefines.xcconfig:
557
558 2018-01-29  Michael Saboff  <msaboff@apple.com>
559
560         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
561         https://bugs.webkit.org/show_bug.cgi?id=182249
562
563         Reviewed by Keith Miller.
564
565         Changed clobberize() handling of CompareEq, et al to properly handle comparisons between
566         Untyped and Object values when compared against built in types.  Such comparisons can
567         invoke toNumber() or other methods.
568
569         * dfg/DFGClobberize.h:
570         (JSC::DFG::clobberize):
571
572 2018-01-29  Matt Lewis  <jlewis3@apple.com>
573
574         Unreviewed, rolling out r227725.
575
576         This caused internal failures.
577
578         Reverted changeset:
579
580         "JSC Sampling Profiler: Detect tester and testee when sampling
581         in RegExp JIT"
582         https://bugs.webkit.org/show_bug.cgi?id=152729
583         https://trac.webkit.org/changeset/227725
584
585 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
586
587         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
588         https://bugs.webkit.org/show_bug.cgi?id=152729
589
590         Reviewed by Saam Barati.
591
592         This patch extends SamplingProfiler to recognize JIT RegExp execution. We record
593         the executing RegExp in the VM so that SamplingProfiler can detect it. This is better
594         than the previous VM::isExecutingInRegExpJIT flag approach since
595
596         1. isExecutingInRegExpJIT is set after starting to execute JIT RegExp code. Thus,
597         if we suspend the thread just before setting this flag, or just after clearing
598         this flag, SamplingProfiler gets an invalid frame, and frame validation fails. We
599         should set such a flag before and after executing JIT RegExp code.
600
601         2. This removes the VM dependency from YarrJIT, which is not an essential one.
602
603         We add an ExecutionContext enum to RegExp::matchInline so as not to mark execution
604         if it is done in a non-JS thread.
605
606         * bytecode/BytecodeDumper.cpp:
607         (JSC::regexpName):
608         (JSC::BytecodeDumper<Block>::dumpRegExps):
609         (JSC::regexpToSourceString): Deleted.
610         * heap/Heap.cpp:
611         (JSC::Heap::addCoreConstraints):
612         * runtime/RegExp.cpp:
613         (JSC::RegExp::compile):
614         (JSC::RegExp::match):
615         (JSC::RegExp::matchConcurrently):
616         (JSC::RegExp::compileMatchOnly):
617         (JSC::RegExp::toSourceString const):
618         * runtime/RegExp.h:
619         * runtime/RegExpInlines.h:
620         (JSC::RegExp::matchInline):
621         * runtime/RegExpMatchesArray.h:
622         (JSC::createRegExpMatchesArray):
623         * runtime/SamplingProfiler.cpp:
624         (JSC::SamplingProfiler::SamplingProfiler):
625         (JSC::SamplingProfiler::timerLoop):
626         (JSC::SamplingProfiler::takeSample):
627         (JSC::SamplingProfiler::processUnverifiedStackTraces):
628         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
629         (JSC::SamplingProfiler::StackFrame::displayName):
630         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
631         (JSC::SamplingProfiler::StackFrame::functionStartLine):
632         (JSC::SamplingProfiler::StackFrame::functionStartColumn):
633         (JSC::SamplingProfiler::StackFrame::sourceID):
634         (JSC::SamplingProfiler::StackFrame::url):
635         (WTF::printInternal):
636         (JSC::SamplingProfiler::~SamplingProfiler): Deleted.
637         * runtime/SamplingProfiler.h:
638         * runtime/VM.h:
639         * yarr/YarrJIT.cpp:
640         (JSC::Yarr::YarrGenerator::generateEnter):
641         (JSC::Yarr::YarrGenerator::generateReturn):
642         (JSC::Yarr::YarrGenerator::YarrGenerator):
643         (JSC::Yarr::jitCompile):
644         * yarr/YarrJIT.h:
645
646 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
647
648         [DFG][FTL] WeakMap#set should have DFG node
649         https://bugs.webkit.org/show_bug.cgi?id=180015
650
651         Reviewed by Saam Barati.
652
653         This patch adds WeakMapSet and WeakSetAdd DFG nodes to handle them efficiently in DFG and FTL.
654         We also define CSE rules for them. Now, WeakMapSet and WeakSetAdd can offer the results of
655         the subsequent WeakMapGet if CSE allows.
656
657         * dfg/DFGAbstractInterpreterInlines.h:
658         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
659         * dfg/DFGByteCodeParser.cpp:
660         (JSC::DFG::ByteCodeParser::addVarArgChild):
661         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
662         * dfg/DFGClobberize.h:
663         (JSC::DFG::clobberize):
664         * dfg/DFGDoesGC.cpp:
665         (JSC::DFG::doesGC):
666         WeakMap operations do not cause GC.
667
668         * dfg/DFGFixupPhase.cpp:
669         (JSC::DFG::FixupPhase::fixupNode):
670         * dfg/DFGNodeType.h:
671         * dfg/DFGOperations.cpp:
672         * dfg/DFGOperations.h:
673         * dfg/DFGPredictionPropagationPhase.cpp:
674         * dfg/DFGSafeToExecute.h:
675         (JSC::DFG::safeToExecute):
676         * dfg/DFGSpeculativeJIT.cpp:
677         (JSC::DFG::SpeculativeJIT::compileWeakSetAdd):
678         (JSC::DFG::SpeculativeJIT::compileWeakMapSet):
679         * dfg/DFGSpeculativeJIT.h:
680         (JSC::DFG::SpeculativeJIT::callOperation):
681         * dfg/DFGSpeculativeJIT32_64.cpp:
682         (JSC::DFG::SpeculativeJIT::compile):
683         * dfg/DFGSpeculativeJIT64.cpp:
684         (JSC::DFG::SpeculativeJIT::compile):
685         * ftl/FTLCapabilities.cpp:
686         (JSC::FTL::canCompile):
687         * ftl/FTLLowerDFGToB3.cpp:
688         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
689         (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd):
690         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet):
691         * jit/JITOperations.h:
692         * runtime/Intrinsic.cpp:
693         (JSC::intrinsicName):
694         * runtime/Intrinsic.h:
695         * runtime/WeakMapPrototype.cpp:
696         (JSC::WeakMapPrototype::finishCreation):
697         * runtime/WeakSetPrototype.cpp:
698         (JSC::WeakSetPrototype::finishCreation):
699
700 2018-01-28  Filip Pizlo  <fpizlo@apple.com>
701
702         LargeAllocation should do the same distancing as MarkedBlock
703         https://bugs.webkit.org/show_bug.cgi?id=182226
704
705         Reviewed by Saam Barati.
706
707         This makes LargeAllocation do the same exact distancing that MarkedBlock promises to do.
708         
709         To make that possible, this patch first makes MarkedBlock know exactly how much distancing it
710         is doing:
711         
712         - I've rationalized the payloadSize calculation. In particular, I made MarkedSpace use the
713           calculation done in MarkedBlock. MarkedSpace used to do the math a different way. This
714           keeps the old way just for a static_assert.
715         
716         - The promised amount of distancing is now codified in HeapCell.h as
717           minimumDistanceBetweenCellsFromDifferentOrigins. We assert that the footer size is at least
718           as big as this. I didn't want to just use footer size for this constant because then, if
719           you increased the size of the footer, you'd also add padding to every large allocation.
720         
721         Then this patch just adds minimumDistanceBetweenCellsFromDifferentOrigins to each large
722         allocation. It also zeroes that slice of memory to prevent any information leaks that way.
723         
724         This is perf neutral. Large allocations start out at ~8000 bytes. The amount of padding is
725         ~300 bytes. That's 3.75% space overhead for objects that are ~8000 bytes, zero overhead for
726         smaller objects, and diminishing overhead for larger objects. We allocate very few large
727         objects, so we shouldn't have any real space overhead from this.
728
729         * heap/HeapCell.h:
730         * heap/LargeAllocation.cpp:
731         (JSC::LargeAllocation::tryCreate):
732         * heap/MarkedBlock.h:
733         * heap/MarkedSpace.h:
734
735 2018-01-27  Filip Pizlo  <fpizlo@apple.com>
736
737         Make MarkedBlock::Footer bigger
738         https://bugs.webkit.org/show_bug.cgi?id=182220
739
740         Reviewed by JF Bastien.
741         
742         This makes the block footer larger by moving the newlyAllocated bits from the handle into
743         the footer.
744         
745         It used to be profitable to put anything we could into the handle because that would free up
746         payload space inside the block. But now that we want to use the footer for padding, it's
747         profitable to put GC state information - especially data that is used by the GC itself and so
748         is not useful for a Spectre attack - into the footer to increase object distancing.
749
750         * heap/CellContainer.cpp:
751         (JSC::CellContainer::isNewlyAllocated const):
752         * heap/IsoCellSet.cpp:
753         (JSC::IsoCellSet::sweepToFreeList):
754         * heap/MarkedBlock.cpp:
755         (JSC::MarkedBlock::Handle::Handle):
756         (JSC::MarkedBlock::Footer::Footer):
757         (JSC::MarkedBlock::Handle::stopAllocating):
758         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
759         (JSC::MarkedBlock::Handle::resumeAllocating):
760         (JSC::MarkedBlock::aboutToMarkSlow):
761         (JSC::MarkedBlock::resetAllocated):
762         (JSC::MarkedBlock::Handle::resetAllocated): Deleted.
763         * heap/MarkedBlock.h:
764         (JSC::MarkedBlock::newlyAllocatedVersion const):
765         (JSC::MarkedBlock::isNewlyAllocated):
766         (JSC::MarkedBlock::setNewlyAllocated):
767         (JSC::MarkedBlock::clearNewlyAllocated):
768         (JSC::MarkedBlock::newlyAllocated const):
769         (JSC::MarkedBlock::Handle::newlyAllocatedVersion const): Deleted.
770         (JSC::MarkedBlock::Handle::isNewlyAllocated): Deleted.
771         (JSC::MarkedBlock::Handle::setNewlyAllocated): Deleted.
772         (JSC::MarkedBlock::Handle::clearNewlyAllocated): Deleted.
773         (JSC::MarkedBlock::Handle::newlyAllocated const): Deleted.
774         * heap/MarkedBlockInlines.h:
775         (JSC::MarkedBlock::isNewlyAllocatedStale const):
776         (JSC::MarkedBlock::hasAnyNewlyAllocated):
777         (JSC::MarkedBlock::Handle::isLive):
778         (JSC::MarkedBlock::Handle::specializedSweep):
779         (JSC::MarkedBlock::Handle::newlyAllocatedMode):
780         (JSC::MarkedBlock::Handle::isNewlyAllocatedStale const): Deleted.
781         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated): Deleted.
782         * heap/MarkedSpace.cpp:
783         (JSC::MarkedSpace::endMarking):
784         * heap/SlotVisitor.cpp:
785         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
786
787 2018-01-27  Filip Pizlo  <fpizlo@apple.com>
788
789         MarkedBlock should have a footer instead of a header
790         https://bugs.webkit.org/show_bug.cgi?id=182217
791
792         Reviewed by JF Bastien.
793         
794         This moves the MarkedBlock's meta-data from the header to the footer. This doesn't really
795         change anything except for some compile-time constants, so it should not affect performance.
796         
797         This change is to help protect against Spectre attacks on structure checks, which allow for
798         small-offset out-of-bounds access. By putting the meta-data at the end of the block, small
799         OOBs will only get to other objects in the same block or the block footer. The block footer
800         is not super interesting. So, if we combine this with the TLC change (r227617), this means we
801         can use blocks as the mechanism of achieving distance between objects from different origins.
802         We just need to avoid ever putting objects from different origins in the same block. That's
803         what bug 181636 is about.
804         
805         * heap/BlockDirectory.cpp:
806         (JSC::blockHeaderSize): Deleted.
807         (JSC::BlockDirectory::blockSizeForBytes): Deleted.
808         * heap/BlockDirectory.h:
809         * heap/HeapUtil.h:
810         (JSC::HeapUtil::findGCObjectPointersForMarking):
811         * heap/MarkedBlock.cpp:
812         (JSC::MarkedBlock::MarkedBlock):
813         (JSC::MarkedBlock::~MarkedBlock):
814         (JSC::MarkedBlock::Footer::Footer):
815         (JSC::MarkedBlock::Footer::~Footer):
816         (JSC::MarkedBlock::Handle::stopAllocating):
817         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
818         (JSC::MarkedBlock::Handle::resumeAllocating):
819         (JSC::MarkedBlock::aboutToMarkSlow):
820         (JSC::MarkedBlock::resetMarks):
821         (JSC::MarkedBlock::assertMarksNotStale):
822         (JSC::MarkedBlock::Handle::didConsumeFreeList):
823         (JSC::MarkedBlock::markCount):
824         (JSC::MarkedBlock::clearHasAnyMarked):
825         (JSC::MarkedBlock::Handle::didAddToDirectory):
826         (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
827         (JSC::MarkedBlock::Handle::sweep):
828         * heap/MarkedBlock.h:
829         (JSC::MarkedBlock::markingVersion const):
830         (JSC::MarkedBlock::lock):
831         (JSC::MarkedBlock::subspace const):
832         (JSC::MarkedBlock::footer):
833         (JSC::MarkedBlock::footer const):
834         (JSC::MarkedBlock::handle):
835         (JSC::MarkedBlock::handle const):
836         (JSC::MarkedBlock::Handle::blockFooter):
837         (JSC::MarkedBlock::isAtomAligned):
838         (JSC::MarkedBlock::Handle::cellAlign):
839         (JSC::MarkedBlock::blockFor):
840         (JSC::MarkedBlock::vm const):
841         (JSC::MarkedBlock::weakSet):
842         (JSC::MarkedBlock::cellSize):
843         (JSC::MarkedBlock::attributes const):
844         (JSC::MarkedBlock::atomNumber):
845         (JSC::MarkedBlock::areMarksStale):
846         (JSC::MarkedBlock::aboutToMark):
847         (JSC::MarkedBlock::isMarkedRaw):
848         (JSC::MarkedBlock::isMarked):
849         (JSC::MarkedBlock::testAndSetMarked):
850         (JSC::MarkedBlock::marks const):
851         (JSC::MarkedBlock::isAtom):
852         (JSC::MarkedBlock::Handle::forEachCell):
853         (JSC::MarkedBlock::hasAnyMarked const):
854         (JSC::MarkedBlock::noteMarked):
855         (WTF::MarkedBlockHash::hash):
856         (JSC::MarkedBlock::firstAtom): Deleted.
857         * heap/MarkedBlockInlines.h:
858         (JSC::MarkedBlock::marksConveyLivenessDuringMarking):
859         (JSC::MarkedBlock::Handle::isLive):
860         (JSC::MarkedBlock::Handle::specializedSweep):
861         (JSC::MarkedBlock::Handle::forEachLiveCell):
862         (JSC::MarkedBlock::Handle::forEachDeadCell):
863         (JSC::MarkedBlock::Handle::forEachMarkedCell):
864         * heap/MarkedSpace.cpp:
865         * heap/MarkedSpace.h:
866         * llint/LowLevelInterpreter.asm:
867         * llint/LowLevelInterpreter32_64.asm:
868         * llint/LowLevelInterpreter64.asm:
869
870 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
871
872         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
873         https://bugs.webkit.org/show_bug.cgi?id=182213
874
875         Reviewed by Mark Lam.
876
877         toStringWithRadixInternal is originally used for the slow path if the given value is larger than radix or negative.
878         As a result, it does not accept 0 correctly, and produces an empty string. Since DFGStrengthReductionPhase uses
879         this function, it accidentally converts NumberToStringWithValidRadixConstant(0, radix) to an empty string.
880         This patch fixes toStringWithRadixInternal to accept 0. This change fixes twitch.tv's issue.
881
882         We also add a careful cast to avoid `-INT32_MIN`. It does not produce an incorrect value on x86 in practice,
883         but it is UB, and a compiler may assume that the given value is never INT32_MIN and could do an incorrect optimization.
884
885         * runtime/NumberPrototype.cpp:
886         (JSC::toStringWithRadixInternal):
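
The fix described in this entry, as an added example that is not JSC's own code: a self-contained C++ rendition of an int32-to-string conversion in an arbitrary radix that emits "0" for zero (a `while (magnitude)` loop, as on the old slow path, emits nothing for 0) and negates through `uint32_t` so that INT32_MIN never triggers signed overflow. The function name and the radix guard are mine, not JSC's.

```cpp
#include <cstdint>
#include <limits>
#include <string>

// Converts a 32-bit integer to its string form in the given radix (2..36).
// Zero yields "0" rather than an empty string, and INT32_MIN is negated in
// unsigned arithmetic so no signed overflow (undefined behaviour) occurs.
std::string toStringWithRadix(int32_t value, unsigned radix)
{
    static const char digits[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    // Assumption: callers validate the radix; guard anyway and return "".
    if (radix < 2 || radix > 36)
        return std::string();

    bool negative = value < 0;
    // Cast first, then negate: -INT32_MIN in int32_t is UB, but
    // 0u - static_cast<uint32_t>(INT32_MIN) is well defined and equals 2^31.
    uint32_t magnitude = negative ? 0u - static_cast<uint32_t>(value)
                                  : static_cast<uint32_t>(value);

    char buffer[33]; // sign + at most 32 binary digits
    char* end = buffer + sizeof(buffer);
    char* p = end;
    // do/while, not while: a magnitude of 0 must still emit one digit.
    // The old slow path used a while loop because it was only reached for
    // values >= radix or negative, so it silently produced "" for 0.
    do {
        *--p = digits[magnitude % radix];
        magnitude /= radix;
    } while (magnitude);
    if (negative)
        *--p = '-';
    return std::string(p, end);
}
```

The unsigned negation is the part compilers care about: once `value` is an `int32_t`, `-value` is a constant-folding opportunity that assumes overflow cannot happen, which is exactly the assumption the entry warns about.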
887
888 2018-01-26  Saam Barati  <sbarati@apple.com>
889
890         Fix emitAllocateWithNonNullAllocator to work on arm
891         https://bugs.webkit.org/show_bug.cgi?id=182187
892         <rdar://problem/36906550>
893
894         Reviewed by Filip Pizlo.
895
896         This patch unifies the x86 and ARM paths in emitAllocateWithNonNullAllocator
897         and makes it so that emitAllocateWithNonNullAllocator uses the macro scratch
898         register on ARM.
899
900         * ftl/FTLLowerDFGToB3.cpp:
901         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
902         * jit/AssemblyHelpers.cpp:
903         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
904
905 2018-01-26  Joseph Pecoraro  <pecoraro@apple.com>
906
907         Rebaselining builtin generator tests after r227685.
908
909         Unreviewed.
910
911         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
912         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
913         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
914         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
915         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
916         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
917         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
918         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
919         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
920         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
921         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
922         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
923         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
924         It used to be that the builtins generator was minifying by default. That was an accident
925         and we now only minify on Release builds. The generator tests are now getting the
926         default unminified output behavior so they need to update their expectations
927         for some extra whitespace.
928
929 2018-01-26  Mark Lam  <mark.lam@apple.com>
930
931         We should only append ParserArenaDeletable pointers to ParserArena::m_deletableObjects.
932         https://bugs.webkit.org/show_bug.cgi?id=182180
933         <rdar://problem/36460697>
934
935         Reviewed by Michael Saboff.
936
937         Some parser Node subclasses extend ParserArenaDeletable via multiple inheritance,
938         but not as the Node's first base class.  ParserArena::m_deletableObjects is
939         expecting pointers to objects of the shape of ParserArenaDeletable.  We ensure
940         this by allocating the Node subclass, and casting it to ParserArenaDeletable to
941         get the correct pointer to append to ParserArena::m_deletableObjects.
942
943         To simplify things, we introduce a JSC_MAKE_PARSER_ARENA_DELETABLE_ALLOCATED
944         (analogous to WTF_MAKE_FAST_ALLOCATED) for use in Node subclasses that extend
945         ParserArenaDeletable.
946
947         * parser/NodeConstructors.h:
948         (JSC::ParserArenaDeletable::operator new):
949         * parser/Nodes.h:
950         * parser/ParserArena.h:
951         (JSC::ParserArena::allocateDeletable):
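
The pointer-adjustment problem this entry fixes, shown as an added example that is not JSC's code: with multiple inheritance, the `ParserArenaDeletable` subobject of a node whose first base is `Node` does not start at the node's own address, so a list of `ParserArenaDeletable*` must hold the upcast (adjusted) pointer, never a bit-cast of the raw node pointer. The class shapes, `FunctionNodeLike`, and the `liveCount` bookkeeping are mine; only the idea of constructing the subclass and then casting to `ParserArenaDeletable` before appending comes from the entry.

```cpp
#include <cstddef>
#include <utility>
#include <vector>

// Hypothetical stand-ins for JSC's parser classes (shapes are illustrative).
struct ParserArenaDeletable {
    virtual ~ParserArenaDeletable() = default;
};

struct Node {
    virtual ~Node() = default;
    int lineNumber = 0;
};

// First base is Node, so the ParserArenaDeletable subobject is NOT at offset 0.
struct FunctionNodeLike : Node, ParserArenaDeletable {
    static int liveCount;               // lets a test prove destructors really ran
    std::vector<int> parameters;        // owns heap memory; its destructor must run
    FunctionNodeLike() { ++liveCount; }
    ~FunctionNodeLike() override { --liveCount; }
};
int FunctionNodeLike::liveCount = 0;

class ParserArena {
public:
    // The corrected pattern: allocate the concrete node, then store the
    // pointer as adjusted by a real upcast to ParserArenaDeletable.
    template<typename T, typename... Args>
    T* allocateDeletable(Args&&... args)
    {
        T* node = new T(std::forward<Args>(args)...);
        m_deletableObjects.push_back(static_cast<ParserArenaDeletable*>(node));
        return node;
    }

    // Deleting through ParserArenaDeletable* runs the most-derived destructor
    // only because each stored pointer addresses a genuine ParserArenaDeletable
    // subobject; a bit-cast raw node pointer would hit Node's vtable instead.
    ~ParserArena()
    {
        for (ParserArenaDeletable* object : m_deletableObjects)
            delete object;
    }

    size_t deletableCount() const { return m_deletableObjects.size(); }

private:
    std::vector<ParserArenaDeletable*> m_deletableObjects;
};

// Byte distance between a node's address and its ParserArenaDeletable
// subobject; non-zero is exactly the case the old code mishandled.
std::ptrdiff_t deletableSubobjectOffset(FunctionNodeLike* node)
{
    ParserArenaDeletable* deletable = node; // implicit upcast adjusts the pointer
    return reinterpret_cast<char*>(deletable) - reinterpret_cast<char*>(node);
}
```

A `reinterpret_cast<ParserArenaDeletable*>(node)` would compile just as happily as the `static_cast` above, which is why wrapping the allocate-then-upcast sequence in one helper (the entry's macro) is the safer interface.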
952
953 2018-01-26  Joseph Pecoraro  <pecoraro@apple.com>
954
955         JavaScriptCore builtins should be partially minified in Release builds not Debug builds
956         https://bugs.webkit.org/show_bug.cgi?id=182165
957
958         Reviewed by Keith Miller.
959
960         * Scripts/builtins/builtins_model.py:
961         (BuiltinFunction.fromString):
962         Apply minifications on Release builds instead of Debug builds.
963         Also eliminate leading whitespace.
964
965 2018-01-26  Filip Pizlo  <fpizlo@apple.com>
966
967         Disable TLS-based TLCs
968         https://bugs.webkit.org/show_bug.cgi?id=182175
969
970         Reviewed by Saam Barati.
971
972         Check for the new USE(FAST_TLS_FOR_TLC) flag instead of just ENABLE(FAST_TLS_JIT).
973
974         * heap/BlockDirectory.cpp:
975         (JSC::BlockDirectory::~BlockDirectory):
976         * heap/BlockDirectory.h:
977         * heap/ThreadLocalCache.cpp:
978         (JSC::ThreadLocalCache::installSlow):
979         (JSC::ThreadLocalCache::installData):
980         * heap/ThreadLocalCache.h:
981         * heap/ThreadLocalCacheInlines.h:
982         (JSC::ThreadLocalCache::getImpl):
983         * jit/AssemblyHelpers.cpp:
984         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
985         * runtime/VM.cpp:
986         (JSC::VM::~VM):
987         * runtime/VM.h:
988
989 2018-01-25  Yusuke Suzuki  <utatane.tea@gmail.com>
990
991         imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/errorhandling.html crashes
992         https://bugs.webkit.org/show_bug.cgi?id=181980
993
994         Reviewed by Ryosuke Niwa.
995
996         We accidentally failed to propagate the errored promise in the instantiate and satisfy phases if entry.{instantiate,satisfy}
997         promises are set. Since we just returned `entry`, it becomes a succeeded promise even if the dependent fetch, instantiate,
998         and satisfy promises have failed. This patch fixes error propagation by returning `entry.instantiate` and `entry.satisfy`
999         correctly.
1000
1001         * builtins/ModuleLoaderPrototype.js:
1002         (requestInstantiate):
1003         (requestSatisfy):
1004
1005 2018-01-25  Mark Lam  <mark.lam@apple.com>
1006
1007         Gardening: fix 32-bit build after r227643.
1008         https://bugs.webkit.org/show_bug.cgi?id=182086
1009
1010         Not reviewed.
1011
1012         * jit/AssemblyHelpers.cpp:
1013         (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
1014
1015 2018-01-24  Filip Pizlo  <fpizlo@apple.com>
1016
1017         DirectArguments should protect itself using dynamic poisoning and precise index masking
1018         https://bugs.webkit.org/show_bug.cgi?id=182086
1019
1020         Reviewed by Saam Barati.
1021         
1022         This implements dynamic poisoning and precise index masking in DirectArguments, using the
1023         helpers from <wtf/MathExtras.h> and helpers in AssemblyHelpers and FTL::LowerDFGToB3.
1024         
1025         We use dynamic poisoning for DirectArguments since this object did not have any additional
1026         indirection inside it that could have been poisoned. So, we use the xor of the expected type
1027         and the actual type as an additional input into the pointer.
1028         
1029         We use precise index masking for bounds checks, because it's not worth doing index masking
1030         unless we know that precise index masking is too slow.
1031
1032         * assembler/MacroAssembler.h:
1033         (JSC::MacroAssembler::lshiftPtr):
1034         (JSC::MacroAssembler::rshiftPtr):
1035         * dfg/DFGSpeculativeJIT.cpp:
1036         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1037         * ftl/FTLLowerDFGToB3.cpp:
1038         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1039         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
1040         (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask64):
1041         (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask32):
1042         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
1043         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
1044         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
1045         * jit/AssemblyHelpers.cpp:
1046         (JSC::AssemblyHelpers::emitPreciseIndexMask32):
1047         (JSC::AssemblyHelpers::emitDynamicPoison):
1048         (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
1049         (JSC::AssemblyHelpers::emitDynamicPoisonOnType):
1050         * jit/AssemblyHelpers.h:
1051         * jit/JITPropertyAccess.cpp:
1052         (JSC::JIT::emitDirectArgumentsGetByVal):
1053         * runtime/DirectArguments.h:
1054         (JSC::DirectArguments::getIndexQuickly const):
1055         (JSC::DirectArguments::setIndexQuickly):
1056         (JSC::DirectArguments::argument):
1057         * runtime/GenericArgumentsInlines.h:
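
The two mitigations named in this entry, as an added C++ example that is my rendition of the technique and not JSC's code: precise index masking turns "index < length" into an all-ones or all-zeros word with no branch, so a mispredicted out-of-bounds access yields zero instead of the value past the end; dynamic poisoning folds the XOR of the speculated and actual type tags into the base pointer, so a type-confused transient load goes nowhere near the attacker's object. The cell layout (`DirectArgumentsLike`, the type constants, the 2^40 shift) is assumed for illustration; JSC's real `DirectArguments` and `AssemblyHelpers` differ.

```cpp
#include <cstddef>
#include <cstdint>

// All-ones when index < length (unsigned compare), all-zeros otherwise, using
// only arithmetic so the result never depends on a branch the CPU might
// mispredict. (index - length) wraps negative exactly when index < length; the
// top bit is then spread over the whole word. Both operands must be below 2^63,
// which holds for the 32-bit indices and lengths this is used with.
inline uint64_t preciseIndexMask64(uint64_t index, uint64_t length)
{
    uint64_t difference = index - length;
    return 0 - (difference >> 63);
}

// Folds (expected XOR actual) type into the base pointer. Equal types leave the
// pointer untouched; any mismatch moves it by at least 2^40 bytes, so a
// transient load through it does not read the object the attacker chose.
inline uintptr_t dynamicPoison(uintptr_t base, uint8_t expectedType, uint8_t actualType)
{
    uint64_t poison = static_cast<uint64_t>(expectedType ^ actualType);
    return base + static_cast<uintptr_t>(poison << 40);
}

// Hypothetical cell type tags and a DirectArguments-like layout.
enum CellType : uint8_t { ArrayType = 0x11, DirectArgumentsType = 0x22 };

struct DirectArgumentsLike {
    uint8_t type;        // type tag, as a cell header would carry it
    uint32_t length;     // number of valid arguments
    int64_t storage[8];  // capacity 8; slots >= length are "past the end"
};

// Address a speculating fast path would load from, given the type it assumed.
inline uintptr_t speculatedStorageAddress(const DirectArgumentsLike* object, uint8_t expectedType)
{
    uintptr_t base = reinterpret_cast<uintptr_t>(object->storage);
    return dynamicPoison(base, expectedType, object->type);
}

// Value a mispredicted (transient) execution of arguments[index] would see:
// the real element when index < length, zero otherwise. The architectural
// path still performs an ordinary bounds check before any load.
inline int64_t transientArgumentLoad(const DirectArgumentsLike* object, uint32_t index)
{
    // Keep the demonstration itself free of genuine out-of-bounds reads.
    if (index >= sizeof(object->storage) / sizeof(object->storage[0]))
        return 0;
    int64_t loaded = object->storage[index];
    uint64_t mask = preciseIndexMask64(index, object->length);
    return static_cast<int64_t>(static_cast<uint64_t>(loaded) & mask);
}

// Constructed sample: 4 live arguments, followed by stale slots an attacker
// would like to read transiently.
DirectArgumentsLike makeSampleArguments()
{
    DirectArgumentsLike object = { DirectArgumentsType, 4,
                                   { 10, 20, 30, 40, 0x5ec1, 0x5ec2, 0x5ec3, 0x5ec4 } };
    return object;
}
```

The mask is "precise" because it is exact for every index rather than a power-of-two approximation; the entry's point is that this exactness costs a subtraction and a shift, which is cheap enough that the approximate form is only worth considering if measurements say otherwise.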
1058
1059 2018-01-25  Mark Lam  <mark.lam@apple.com>
1060
1061         Rename some local vars from type to typedArrayType for greater clarity.
1062         https://bugs.webkit.org/show_bug.cgi?id=182148
1063         <rdar://problem/36882310>
1064
1065         Reviewed by Saam Barati.
1066
1067         * dfg/DFGSpeculativeJIT.cpp:
1068         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1069         * ftl/FTLLowerDFGToB3.cpp:
1070         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1071
1072 2018-01-25  Filip Pizlo  <fpizlo@apple.com>
1073
1074         JSC GC should support TLCs (thread local caches)
1075         https://bugs.webkit.org/show_bug.cgi?id=181559
1076
1077         Reviewed by Mark Lam and Saam Barati.
1078         
1079         This is a big step towards object distancing by site origin. This patch implements TLCs, or
1080         thread-local caches, which allow each thread to allocate from its own free lists. It also
1081         means that any given thread can context-switch TLCs. This will allow us to do separate
1082         allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
1083         will allow us to have a hard distancing constraint between objects from different origins.
1084         
1085         In this new design, every "size class" is represented as a BlockDirectory (formerly known as
1086         MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
1087         aligned memory allocator (which roughly represents which cage you came out of), and anyone
1088         using the same allocator can share those blocks - but so long as they are in that
1089         BlockDirectory, they will have the size and type of that directory. Previously, each
1090         BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
1091         LocalAllocators, each of which has a FreeList.
1092         
1093         To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
1094         BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
1095         call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
1096         starts by figuring out what Allocator it wants (often we have this information at JIT time).
1097         Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
1098         Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
1099         offsets as opposed to indices to make it easy to do the math on each allocation (if
1100         LocalAllocator had a weird size then every allocation would have to do an imul).
1101         
1102         This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
1103         unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
1104         geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
1105         something there, but it's not significant according to our threshold).
1106         
1107         Relanding after fixing ARM64 bug in AssemblyHelpers::emitAllocateWithNonNullAllocator(). That
1108         function needs to be careful to avoid using the scratch register because the FTL will call it
1109         in disallow-scratch-register mode.
1110
1111         * JavaScriptCore.xcodeproj/project.pbxproj:
1112         * Sources.txt:
1113         * b3/B3LowerToAir.cpp:
1114         * b3/B3PatchpointSpecial.cpp:
1115         (JSC::B3::PatchpointSpecial::admitsStack):
1116         * b3/B3StackmapSpecial.cpp:
1117         (JSC::B3::StackmapSpecial::forEachArgImpl):
1118         (JSC::B3::StackmapSpecial::isArgValidForRep):
1119         * b3/B3StackmapValue.cpp:
1120         (JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
1121         * b3/B3StackmapValue.h:
1122         * b3/B3Validate.cpp:
1123         * b3/B3ValueRep.cpp:
1124         (JSC::B3::ValueRep::addUsedRegistersTo const):
1125         (JSC::B3::ValueRep::dump const):
1126         (WTF::printInternal):
1127         * b3/B3ValueRep.h:
1128         (JSC::B3::ValueRep::ValueRep):
1129         * bytecode/AccessCase.cpp:
1130         (JSC::AccessCase::generateImpl):
1131         * bytecode/ObjectAllocationProfile.h:
1132         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
1133         (JSC::ObjectAllocationProfile::clear):
1134         * bytecode/ObjectAllocationProfileInlines.h:
1135         (JSC::ObjectAllocationProfile::initializeProfile):
1136         * dfg/DFGSpeculativeJIT.cpp:
1137         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1138         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1139         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1140         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1141         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1142         (JSC::DFG::SpeculativeJIT::compileNewObject):
1143         * dfg/DFGSpeculativeJIT.h:
1144         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1145         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1146         * ftl/FTLAbstractHeapRepository.h:
1147         * ftl/FTLLowerDFGToB3.cpp:
1148         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1149         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1150         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1151         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
1152         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1153         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1154         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1155         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1156         * heap/Allocator.cpp: Added.
1157         (JSC::Allocator::cellSize const):
1158         * heap/Allocator.h: Added.
1159         (JSC::Allocator::Allocator):
1160         (JSC::Allocator::offset const):
1161         (JSC::Allocator::operator== const):
1162         (JSC::Allocator::operator!= const):
1163         (JSC::Allocator::operator bool const):
1164         * heap/AllocatorInlines.h: Added.
1165         (JSC::Allocator::allocate const):
1166         (JSC::Allocator::tryAllocate const):
1167         * heap/BlockDirectory.cpp:
1168         (JSC::BlockDirectory::BlockDirectory):
1169         (JSC::BlockDirectory::findBlockForAllocation):
1170         (JSC::BlockDirectory::stopAllocating):
1171         (JSC::BlockDirectory::prepareForAllocation):
1172         (JSC::BlockDirectory::stopAllocatingForGood):
1173         (JSC::BlockDirectory::resumeAllocating):
1174         (JSC::BlockDirectory::endMarking):
1175         (JSC::BlockDirectory::isFreeListedCell):
1176         (JSC::BlockDirectory::didConsumeFreeList): Deleted.
1177         (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
1178         (JSC::BlockDirectory::allocateIn): Deleted.
1179         (JSC::BlockDirectory::tryAllocateIn): Deleted.
1180         (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
1181         (JSC::BlockDirectory::allocateSlowCase): Deleted.
1182         * heap/BlockDirectory.h:
1183         (JSC::BlockDirectory::cellKind const):
1184         (JSC::BlockDirectory::allocator const):
1185         (JSC::BlockDirectory::freeList const): Deleted.
1186         (JSC::BlockDirectory::offsetOfFreeList): Deleted.
1187         (JSC::BlockDirectory::offsetOfCellSize): Deleted.
1188         * heap/BlockDirectoryInlines.h:
1189         (JSC::BlockDirectory::isFreeListedCell const): Deleted.
1190         (JSC::BlockDirectory::allocate): Deleted.
1191         * heap/CompleteSubspace.cpp:
1192         (JSC::CompleteSubspace::CompleteSubspace):
1193         (JSC::CompleteSubspace::allocatorFor):
1194         (JSC::CompleteSubspace::allocate):
1195         (JSC::CompleteSubspace::allocateNonVirtual):
1196         (JSC::CompleteSubspace::allocatorForSlow):
1197         (JSC::CompleteSubspace::allocateSlow):
1198         (JSC::CompleteSubspace::tryAllocateSlow):
1199         * heap/CompleteSubspace.h:
1200         (JSC::CompleteSubspace::allocatorForSizeStep):
1201         (JSC::CompleteSubspace::allocatorForNonVirtual):
1202         * heap/FreeList.h:
1203         * heap/GCDeferralContext.h:
1204         * heap/Heap.cpp:
1205         (JSC::Heap::Heap):
1206         (JSC::Heap::lastChanceToFinalize):
1207         * heap/Heap.h:
1208         (JSC::Heap::threadLocalCacheLayout):
1209         * heap/IsoCellSet.h:
1210         * heap/IsoSubspace.cpp:
1211         (JSC::IsoSubspace::IsoSubspace):
1212         (JSC::IsoSubspace::allocatorFor):
1213         (JSC::IsoSubspace::allocate):
1214         (JSC::IsoSubspace::allocateNonVirtual):
1215         * heap/IsoSubspace.h:
1216         (JSC::IsoSubspace::allocatorForNonVirtual):
1217         * heap/LocalAllocator.cpp: Added.
1218         (JSC::LocalAllocator::LocalAllocator):
1219         (JSC::LocalAllocator::reset):
1220         (JSC::LocalAllocator::~LocalAllocator):
1221         (JSC::LocalAllocator::stopAllocating):
1222         (JSC::LocalAllocator::resumeAllocating):
1223         (JSC::LocalAllocator::prepareForAllocation):
1224         (JSC::LocalAllocator::stopAllocatingForGood):
1225         (JSC::LocalAllocator::allocateSlowCase):
1226         (JSC::LocalAllocator::didConsumeFreeList):
1227         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
1228         (JSC::LocalAllocator::allocateIn):
1229         (JSC::LocalAllocator::tryAllocateIn):
1230         (JSC::LocalAllocator::doTestCollectionsIfNeeded):
1231         (JSC::LocalAllocator::isFreeListedCell const):
1232         * heap/LocalAllocator.h: Added.
1233         (JSC::LocalAllocator::offsetOfFreeList):
1234         (JSC::LocalAllocator::offsetOfCellSize):
1235         * heap/LocalAllocatorInlines.h: Added.
1236         (JSC::LocalAllocator::allocate):
1237         * heap/MarkedSpace.cpp:
1238         (JSC::MarkedSpace::stopAllocatingForGood):
1239         * heap/MarkedSpace.h:
1240         * heap/SlotVisitor.cpp:
1241         * heap/SlotVisitor.h:
1242         * heap/Subspace.h:
1243         * heap/ThreadLocalCache.cpp: Added.
1244         (JSC::ThreadLocalCache::create):
1245         (JSC::ThreadLocalCache::ThreadLocalCache):
1246         (JSC::ThreadLocalCache::~ThreadLocalCache):
1247         (JSC::ThreadLocalCache::allocateData):
1248         (JSC::ThreadLocalCache::destroyData):
1249         (JSC::ThreadLocalCache::installSlow):
1250         (JSC::ThreadLocalCache::installData):
1251         (JSC::ThreadLocalCache::allocatorSlow):
1252         (JSC::ThreadLocalCache::destructor):
1253         * heap/ThreadLocalCache.h: Added.
1254         (JSC::ThreadLocalCache::offsetOfSize):
1255         (JSC::ThreadLocalCache::offsetOfFirstAllocator):
1256         * heap/ThreadLocalCacheInlines.h: Added.
1257         (JSC::ThreadLocalCache::getImpl):
1258         (JSC::ThreadLocalCache::get):
1259         (JSC::ThreadLocalCache::install):
1260         (JSC::ThreadLocalCache::allocator):
1261         (JSC::ThreadLocalCache::tryGetAllocator):
1262         * heap/ThreadLocalCacheLayout.cpp: Added.
1263         (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
1264         (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
1265         (JSC::ThreadLocalCacheLayout::allocateOffset):
1266         (JSC::ThreadLocalCacheLayout::snapshot):
1267         (JSC::ThreadLocalCacheLayout::directory):
1268         * heap/ThreadLocalCacheLayout.h: Added.
1269         * jit/AssemblyHelpers.cpp:
1270         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1271         (JSC::AssemblyHelpers::emitAllocate):
1272         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1273         * jit/AssemblyHelpers.h:
1274         (JSC::AssemblyHelpers::vm):
1275         (JSC::AssemblyHelpers::emitAllocateJSCell):
1276         (JSC::AssemblyHelpers::emitAllocateJSObject):
1277         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1278         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
1279         (JSC::AssemblyHelpers::emitAllocate): Deleted.
1280         (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
1281         * jit/JITOpcodes.cpp:
1282         (JSC::JIT::emit_op_new_object):
1283         (JSC::JIT::emit_op_create_this):
1284         * jit/JITOpcodes32_64.cpp:
1285         (JSC::JIT::emit_op_new_object):
1286         (JSC::JIT::emit_op_create_this):
1287         * runtime/ButterflyInlines.h:
1288         (JSC::Butterfly::createUninitialized):
1289         (JSC::Butterfly::tryCreate):
1290         (JSC::Butterfly::growArrayRight):
1291         * runtime/DirectArguments.cpp:
1292         (JSC::DirectArguments::overrideThings):
1293         * runtime/GenericArgumentsInlines.h:
1294         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1295         * runtime/HashMapImpl.h:
1296         (JSC::HashMapBuffer::create):
1297         * runtime/JSArray.cpp:
1298         (JSC::JSArray::tryCreateUninitializedRestricted):
1299         (JSC::JSArray::unshiftCountSlowCase):
1300         * runtime/JSArray.h:
1301         (JSC::JSArray::tryCreate):
1302         * runtime/JSArrayBufferView.cpp:
1303         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1304         * runtime/JSCellInlines.h:
1305         (JSC::tryAllocateCellHelper):
1306         * runtime/JSGlobalObject.cpp:
1307         (JSC::JSGlobalObject::JSGlobalObject):
1308         * runtime/JSGlobalObject.h:
1309         (JSC::JSGlobalObject::threadLocalCache const):
1310         * runtime/JSLock.cpp:
1311         (JSC::JSLock::didAcquireLock):
1312         * runtime/Options.h:
1313         * runtime/RegExpMatchesArray.h:
1314         (JSC::tryCreateUninitializedRegExpMatchesArray):
1315         * runtime/VM.cpp:
1316         (JSC::VM::VM):
1317         * runtime/VM.h:
1318         * runtime/VMEntryScope.cpp:
1319         (JSC::VMEntryScope::VMEntryScope):
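
The allocation fast path this entry describes (directory gives an `Allocator`, which is a byte offset; add it to the thread's cache data to reach a `LocalAllocator`; pop its free list), as an added simplified C++ example that is my rendition, not JSC's code. The real TLC data lives in a fast TLS slot and the slow path goes back to the `BlockDirectory`; here the cache is an explicit object, the slow path just returns null, and blocks are handed in by the caller. `FreeCell`, `refill` and `countAvailableCells` are mine.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

struct FreeCell { FreeCell* next; };

// One per (thread, size class): the free list a thread allocates from.
struct LocalAllocator {
    FreeCell* freeListHead = nullptr;
    uint32_t cellSize = 0;
};

// A POD byte offset into a ThreadLocalCache's data. Using an offset rather
// than an index means the fast path is "base + offset" with no multiply.
struct Allocator {
    uint32_t offset;
};

// Shared across the VM: assigns each size class (BlockDirectory) its offset.
class ThreadLocalCacheLayout {
public:
    Allocator allocateOffset(uint32_t cellSize)
    {
        Allocator result { static_cast<uint32_t>(m_cellSizes.size() * sizeof(LocalAllocator)) };
        m_cellSizes.push_back(cellSize);
        return result;
    }
    const std::vector<uint32_t>& cellSizes() const { return m_cellSizes; }
private:
    std::vector<uint32_t> m_cellSizes;
};

// One per thread (or per site origin, once TLCs are context-switched).
class ThreadLocalCache {
public:
    explicit ThreadLocalCache(const ThreadLocalCacheLayout& layout)
        : m_data(layout.cellSizes().size())
    {
        for (size_t i = 0; i < m_data.size(); ++i)
            m_data[i].cellSize = layout.cellSizes()[i];
    }

    // The fast-path lookup: data base plus the Allocator's offset.
    LocalAllocator& allocator(Allocator a)
    {
        char* base = reinterpret_cast<char*>(m_data.data());
        return *reinterpret_cast<LocalAllocator*>(base + a.offset);
    }

    // Carve a block into cells and push them on this cache's free list.
    // Assumes cellSize is a multiple of alignof(FreeCell) and the block is aligned.
    void refill(Allocator a, void* block, size_t blockSize)
    {
        LocalAllocator& local = allocator(a);
        char* cursor = static_cast<char*>(block);
        for (size_t used = 0; used + local.cellSize <= blockSize; used += local.cellSize) {
            FreeCell* cell = reinterpret_cast<FreeCell*>(cursor + used);
            cell->next = local.freeListHead;
            local.freeListHead = cell;
        }
    }

    // Pop one cell; null stands in for "take the slow path to the directory".
    void* tryAllocate(Allocator a)
    {
        LocalAllocator& local = allocator(a);
        FreeCell* cell = local.freeListHead;
        if (!cell)
            return nullptr;
        local.freeListHead = cell->next;
        return cell;
    }

private:
    std::vector<LocalAllocator> m_data;
};

// Drains a cache's free list for one Allocator and reports how many cells it held.
size_t countAvailableCells(ThreadLocalCache& cache, Allocator a)
{
    size_t count = 0;
    while (cache.tryAllocate(a))
        ++count;
    return count;
}
```

Because each `ThreadLocalCache` owns its own `LocalAllocator` array, two caches refilled from different blocks never hand out cells from each other's memory; that per-cache separation is what the later MarkedBlock changes build on to keep objects from different origins in different blocks.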
1320
1321 2018-01-25  Commit Queue  <commit-queue@webkit.org>
1322
1323         Unreviewed, rolling out r227592.
1324         https://bugs.webkit.org/show_bug.cgi?id=182110
1325
1326         it made ARM64 (Linux and iOS) crash (Requested by pizlo-mbp on
1327         #webkit).
1328
1329         Reverted changeset:
1330
1331         "JSC GC should support TLCs (thread local caches)"
1332         https://bugs.webkit.org/show_bug.cgi?id=181559
1333         https://trac.webkit.org/changeset/227592
1334
1335 2018-01-25  Alejandro G. Castro  <alex@igalia.com>
1336
1337         undefined reference to 'JSC::B3::BasicBlock::fallThrough() const'
1338         https://bugs.webkit.org/show_bug.cgi?id=180637
1339
1340         Reviewed by Michael Catanzaro.
1341
1342         We need to make sure the implementation of the inline functions is
1343         compiled when we compile the code using the function, now that the
1344         compilation is divided, or we could end up with undefined symbols
1345         when the declaration is not inlined, at least with some compilers
1346         and with -O2 optimizations enabled.
1347
1348         * b3/B3SwitchValue.cpp: replace the include.
1349
1350 2018-01-20  Filip Pizlo  <fpizlo@apple.com>
1351
1352         JSC GC should support TLCs (thread local caches)
1353         https://bugs.webkit.org/show_bug.cgi?id=181559
1354
1355         Reviewed by Mark Lam and Saam Barati.
1356         
1357         This is a big step towards object distancing by site origin. This patch implements TLCs, or
1358         thread-local caches, which allow each thread to allocate from its own free lists. It also
1359         means that any given thread can context-switch TLCs. This will allow us to do separate
1360         allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
1361         will allow us to have a hard distancing constraint between objects from different origins.
1362         
1363         In this new design, every "size class" is represented as a BlockDirectory (formerly known as
1364         MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
1365         aligned memory allocator (which roughly represents which cage you came out of), and anyone
1366         using the same allocator can share those blocks - but so long as they are in that
1367         BlockDirectory, they will have the size and type of that directory. Previously, each
1368         BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a doubly-linked list of
1369         LocalAllocators, each of which has a FreeList.
1370         
1371         To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
1372         BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
1373         call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
1374         starts by figuring out what Allocator it wants (often we have this information at JIT time).
1375         Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
1376         Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
1377         offsets as opposed to indices to make it easy to do the math on each allocation (if
1378         LocalAllocator had a weird size then every allocation would have to do an imul).
1379         
1380         This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
1381         unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
1382         geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
1383         something there, but it's not significant according to our threshold).
1384
1385         * JavaScriptCore.xcodeproj/project.pbxproj:
1386         * Sources.txt:
1387         * b3/B3LowerToAir.cpp:
1388         * b3/B3PatchpointSpecial.cpp:
1389         (JSC::B3::PatchpointSpecial::admitsStack):
1390         * b3/B3StackmapSpecial.cpp:
1391         (JSC::B3::StackmapSpecial::forEachArgImpl):
1392         (JSC::B3::StackmapSpecial::isArgValidForRep):
1393         * b3/B3StackmapValue.cpp:
1394         (JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
1395         * b3/B3StackmapValue.h:
1396         * b3/B3Validate.cpp:
1397         * b3/B3ValueRep.cpp:
1398         (JSC::B3::ValueRep::addUsedRegistersTo const):
1399         (JSC::B3::ValueRep::dump const):
1400         (WTF::printInternal):
1401         * b3/B3ValueRep.h:
1402         (JSC::B3::ValueRep::ValueRep):
1403         * bytecode/AccessCase.cpp:
1404         (JSC::AccessCase::generateImpl):
1405         * bytecode/ObjectAllocationProfile.h:
1406         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
1407         (JSC::ObjectAllocationProfile::clear):
1408         * bytecode/ObjectAllocationProfileInlines.h:
1409         (JSC::ObjectAllocationProfile::initializeProfile):
1410         * dfg/DFGSpeculativeJIT.cpp:
1411         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1412         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1413         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1414         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1415         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1416         (JSC::DFG::SpeculativeJIT::compileNewObject):
1417         * dfg/DFGSpeculativeJIT.h:
1418         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1419         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1420         * ftl/FTLAbstractHeapRepository.h:
1421         * ftl/FTLLowerDFGToB3.cpp:
1422         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1423         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1424         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1425         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
1426         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1427         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1428         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1429         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1430         * heap/Allocator.cpp: Added.
1431         (JSC::Allocator::cellSize const):
1432         * heap/Allocator.h: Added.
1433         (JSC::Allocator::Allocator):
1434         (JSC::Allocator::offset const):
1435         (JSC::Allocator::operator== const):
1436         (JSC::Allocator::operator!= const):
1437         (JSC::Allocator::operator bool const):
1438         * heap/AllocatorInlines.h: Added.
1439         (JSC::Allocator::allocate const):
1440         (JSC::Allocator::tryAllocate const):
1441         * heap/BlockDirectory.cpp:
1442         (JSC::BlockDirectory::BlockDirectory):
1443         (JSC::BlockDirectory::findBlockForAllocation):
1444         (JSC::BlockDirectory::stopAllocating):
1445         (JSC::BlockDirectory::prepareForAllocation):
1446         (JSC::BlockDirectory::stopAllocatingForGood):
1447         (JSC::BlockDirectory::resumeAllocating):
1448         (JSC::BlockDirectory::endMarking):
1449         (JSC::BlockDirectory::isFreeListedCell):
1450         (JSC::BlockDirectory::didConsumeFreeList): Deleted.
1451         (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
1452         (JSC::BlockDirectory::allocateIn): Deleted.
1453         (JSC::BlockDirectory::tryAllocateIn): Deleted.
1454         (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
1455         (JSC::BlockDirectory::allocateSlowCase): Deleted.
1456         * heap/BlockDirectory.h:
1457         (JSC::BlockDirectory::cellKind const):
1458         (JSC::BlockDirectory::allocator const):
1459         (JSC::BlockDirectory::freeList const): Deleted.
1460         (JSC::BlockDirectory::offsetOfFreeList): Deleted.
1461         (JSC::BlockDirectory::offsetOfCellSize): Deleted.
1462         * heap/BlockDirectoryInlines.h:
1463         (JSC::BlockDirectory::isFreeListedCell const): Deleted.
1464         (JSC::BlockDirectory::allocate): Deleted.
1465         * heap/CompleteSubspace.cpp:
1466         (JSC::CompleteSubspace::CompleteSubspace):
1467         (JSC::CompleteSubspace::allocatorFor):
1468         (JSC::CompleteSubspace::allocate):
1469         (JSC::CompleteSubspace::allocateNonVirtual):
1470         (JSC::CompleteSubspace::allocatorForSlow):
1471         (JSC::CompleteSubspace::allocateSlow):
1472         (JSC::CompleteSubspace::tryAllocateSlow):
1473         * heap/CompleteSubspace.h:
1474         (JSC::CompleteSubspace::allocatorForSizeStep):
1475         (JSC::CompleteSubspace::allocatorForNonVirtual):
1476         * heap/FreeList.h:
1477         * heap/GCDeferralContext.h:
1478         * heap/Heap.cpp:
1479         (JSC::Heap::Heap):
1480         (JSC::Heap::lastChanceToFinalize):
1481         * heap/Heap.h:
1482         (JSC::Heap::threadLocalCacheLayout):
1483         * heap/IsoCellSet.h:
1484         * heap/IsoSubspace.cpp:
1485         (JSC::IsoSubspace::IsoSubspace):
1486         (JSC::IsoSubspace::allocatorFor):
1487         (JSC::IsoSubspace::allocate):
1488         (JSC::IsoSubspace::allocateNonVirtual):
1489         * heap/IsoSubspace.h:
1490         (JSC::IsoSubspace::allocatorForNonVirtual):
1491         * heap/LocalAllocator.cpp: Added.
1492         (JSC::LocalAllocator::LocalAllocator):
1493         (JSC::LocalAllocator::reset):
1494         (JSC::LocalAllocator::~LocalAllocator):
1495         (JSC::LocalAllocator::stopAllocating):
1496         (JSC::LocalAllocator::resumeAllocating):
1497         (JSC::LocalAllocator::prepareForAllocation):
1498         (JSC::LocalAllocator::stopAllocatingForGood):
1499         (JSC::LocalAllocator::allocateSlowCase):
1500         (JSC::LocalAllocator::didConsumeFreeList):
1501         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
1502         (JSC::LocalAllocator::allocateIn):
1503         (JSC::LocalAllocator::tryAllocateIn):
1504         (JSC::LocalAllocator::doTestCollectionsIfNeeded):
1505         (JSC::LocalAllocator::isFreeListedCell const):
1506         * heap/LocalAllocator.h: Added.
1507         (JSC::LocalAllocator::offsetOfFreeList):
1508         (JSC::LocalAllocator::offsetOfCellSize):
1509         * heap/LocalAllocatorInlines.h: Added.
1510         (JSC::LocalAllocator::allocate):
1511         * heap/MarkedSpace.cpp:
1512         (JSC::MarkedSpace::stopAllocatingForGood):
1513         * heap/MarkedSpace.h:
1514         * heap/SlotVisitor.cpp:
1515         * heap/SlotVisitor.h:
1516         * heap/Subspace.h:
1517         * heap/ThreadLocalCache.cpp: Added.
1518         (JSC::ThreadLocalCache::create):
1519         (JSC::ThreadLocalCache::ThreadLocalCache):
1520         (JSC::ThreadLocalCache::~ThreadLocalCache):
1521         (JSC::ThreadLocalCache::allocateData):
1522         (JSC::ThreadLocalCache::destroyData):
1523         (JSC::ThreadLocalCache::installSlow):
1524         (JSC::ThreadLocalCache::installData):
1525         (JSC::ThreadLocalCache::allocatorSlow):
1526         (JSC::ThreadLocalCache::destructor):
1527         * heap/ThreadLocalCache.h: Added.
1528         (JSC::ThreadLocalCache::offsetOfSize):
1529         (JSC::ThreadLocalCache::offsetOfFirstAllocator):
1530         * heap/ThreadLocalCacheInlines.h: Added.
1531         (JSC::ThreadLocalCache::getImpl):
1532         (JSC::ThreadLocalCache::get):
1533         (JSC::ThreadLocalCache::install):
1534         (JSC::ThreadLocalCache::allocator):
1535         (JSC::ThreadLocalCache::tryGetAllocator):
1536         * heap/ThreadLocalCacheLayout.cpp: Added.
1537         (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
1538         (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
1539         (JSC::ThreadLocalCacheLayout::allocateOffset):
1540         (JSC::ThreadLocalCacheLayout::snapshot):
1541         (JSC::ThreadLocalCacheLayout::directory):
1542         * heap/ThreadLocalCacheLayout.h: Added.
1543         * jit/AssemblyHelpers.cpp:
1544         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1545         (JSC::AssemblyHelpers::emitAllocate):
1546         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1547         * jit/AssemblyHelpers.h:
1548         (JSC::AssemblyHelpers::vm):
1549         (JSC::AssemblyHelpers::emitAllocateJSCell):
1550         (JSC::AssemblyHelpers::emitAllocateJSObject):
1551         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1552         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
1553         (JSC::AssemblyHelpers::emitAllocate): Deleted.
1554         (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
1555         * jit/JITOpcodes.cpp:
1556         (JSC::JIT::emit_op_new_object):
1557         (JSC::JIT::emit_op_create_this):
1558         * jit/JITOpcodes32_64.cpp:
1559         (JSC::JIT::emit_op_new_object):
1560         (JSC::JIT::emit_op_create_this):
1561         * runtime/ButterflyInlines.h:
1562         (JSC::Butterfly::createUninitialized):
1563         (JSC::Butterfly::tryCreate):
1564         (JSC::Butterfly::growArrayRight):
1565         * runtime/DirectArguments.cpp:
1566         (JSC::DirectArguments::overrideThings):
1567         * runtime/GenericArgumentsInlines.h:
1568         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1569         * runtime/HashMapImpl.h:
1570         (JSC::HashMapBuffer::create):
1571         * runtime/JSArray.cpp:
1572         (JSC::JSArray::tryCreateUninitializedRestricted):
1573         (JSC::JSArray::unshiftCountSlowCase):
1574         * runtime/JSArray.h:
1575         (JSC::JSArray::tryCreate):
1576         * runtime/JSArrayBufferView.cpp:
1577         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1578         * runtime/JSCellInlines.h:
1579         (JSC::tryAllocateCellHelper):
1580         * runtime/JSGlobalObject.cpp:
1581         (JSC::JSGlobalObject::JSGlobalObject):
1582         * runtime/JSGlobalObject.h:
1583         (JSC::JSGlobalObject::threadLocalCache const):
1584         * runtime/JSLock.cpp:
1585         (JSC::JSLock::didAcquireLock):
1586         * runtime/Options.h:
1587         * runtime/RegExpMatchesArray.h:
1588         (JSC::tryCreateUninitializedRegExpMatchesArray):
1589         * runtime/VM.cpp:
1590         (JSC::VM::VM):
1591         * runtime/VM.h:
1592         * runtime/VMEntryScope.cpp:
1593         (JSC::VMEntryScope::VMEntryScope):
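
A toy model of the allocation path the entry above describes, added here as an illustration and not JSC's own code: the names BlockDirectory, Allocator, ThreadLocalCache and LocalAllocator follow the ChangeLog, but every type and function is a hypothetical simplification (single process, no GC), and the fixed 4096-byte block size is assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Added example, not JSC code: a toy model of "TLS load, add offset, pop the
// free list". Every type and function here is a hypothetical simplification.

// One per (directory, cache) pair: owns a free list of same-sized cells.
struct LocalAllocator {
    size_t cellSize = 0;
    std::vector<void*> freeList;                  // stands in for JSC's FreeList
    std::vector<std::unique_ptr<char[]>> blocks;  // backing "blocks" carved into cells
    size_t cellsAllocated = 0;

    static constexpr size_t kBlockSize = 4096;    // assumed block size

    void* allocate() {
        if (freeList.empty())
            refill(); // slow path: take a fresh block and carve it into cells
        void* cell = freeList.back();
        freeList.pop_back();
        ++cellsAllocated;
        return cell;
    }

    void refill() {
        blocks.push_back(std::make_unique<char[]>(kBlockSize));
        char* base = blocks.back().get();
        for (size_t off = 0; off + cellSize <= kBlockSize; off += cellSize)
            freeList.push_back(base + off);
    }

    // True if `cell` was handed out from one of this allocator's own blocks.
    bool ownsCell(const void* cell) const {
        auto p = reinterpret_cast<uintptr_t>(cell);
        for (const auto& b : blocks) {
            auto base = reinterpret_cast<uintptr_t>(b.get());
            if (p >= base && p < base + kBlockSize)
                return true;
        }
        return false;
    }
};

// A byte offset into a cache's data: one add locates the LocalAllocator,
// where an index would need a multiply on every allocation.
struct Allocator { uint32_t offset; };

struct BlockDirectory;

// Hands out one offset per registered directory.
struct ThreadLocalCacheLayout {
    std::vector<const BlockDirectory*> directories;
    Allocator allocateOffset(const BlockDirectory* dir) {
        Allocator a{ static_cast<uint32_t>(directories.size() * sizeof(LocalAllocator)) };
        directories.push_back(dir);
        return a;
    }
};

// A size class; its Allocator (offset) is fixed when it registers.
struct BlockDirectory {
    size_t cellSize;
    Allocator allocator;
    BlockDirectory(size_t size, ThreadLocalCacheLayout& layout)
        : cellSize(size), allocator(layout.allocateOffset(this)) {}
};

// A bundle of LocalAllocators (one per directory) laid out contiguously, so
// that `data + offset` is the LocalAllocator for a given directory.
struct ThreadLocalCache {
    std::vector<LocalAllocator> data;
    explicit ThreadLocalCache(const ThreadLocalCacheLayout& layout)
        : data(layout.directories.size()) {
        for (size_t i = 0; i < data.size(); ++i)
            data[i].cellSize = layout.directories[i]->cellSize;
    }
    LocalAllocator& allocatorFor(Allocator a) {
        char* base = reinterpret_cast<char*>(data.data());
        return *reinterpret_cast<LocalAllocator*>(base + a.offset);
    }
};

// The "fast TLS slot": the cache this thread currently allocates from.
// Installing a different cache is the context switch the entry mentions.
thread_local ThreadLocalCache* g_currentCache = nullptr;
void installCache(ThreadLocalCache* cache) { g_currentCache = cache; }

// The allocation fast path: TLS load, add the offset, pop the free list.
void* allocateCell(Allocator a) {
    return g_currentCache->allocatorFor(a).allocate();
}
```

Two caches built from the same layout never share blocks, which is the separation property the entry is working towards; switching `g_currentCache` between them on one thread changes which free lists its allocations come from.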
1594
1595 2018-01-24  Joseph Pecoraro  <pecoraro@apple.com>
1596
1597         Web Inspector: Simplify update-LegacyInspectorBackendCommands.rb
1598         https://bugs.webkit.org/show_bug.cgi?id=182067
1599
1600         Reviewed by Brian Burg.
1601
1602         * inspector/scripts/codegen/models.py:
1603         (Framework.fromString):
1604         (Frameworks):
1605         * inspector/scripts/generate-inspector-protocol-bindings.py:
1606         (generate_from_specification):
1607         Allow framework WebInspectorUI to generate just the backend commands files.
1608
1609 2018-01-23  Mark Lam  <mark.lam@apple.com>
1610
1611         Update Poisoned pointers to take a Poison class instead of a uintptr_t&.
1612         https://bugs.webkit.org/show_bug.cgi?id=182017
1613         <rdar://problem/36795513>
1614
1615         Reviewed by Filip Pizlo and JF Bastien.
1616
1617         Removed the POISON() macro.  Now that we have Poison types, we can just use the
1618         Poison type instead and make the code a bit nicer to read.
1619
1620         * API/JSAPIWrapperObject.h:
1621         * API/JSCallbackFunction.h:
1622         * API/JSCallbackObject.h:
1623         * b3/B3LowerMacros.cpp:
1624         * b3/testb3.cpp:
1625         (JSC::B3::testInterpreter):
1626         * bytecode/CodeBlock.h:
1627         (JSC::CodeBlock::instructions):
1628         (JSC::CodeBlock::instructions const):
1629         * dfg/DFGOSRExitCompilerCommon.h:
1630         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
1631         * dfg/DFGSpeculativeJIT.cpp:
1632         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1633         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1634         * ftl/FTLLowerDFGToB3.cpp:
1635         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1636         * jit/JIT.h:
1637         * jit/ThunkGenerators.cpp:
1638         (JSC::virtualThunkFor):
1639         (JSC::nativeForGenerator):
1640         (JSC::boundThisNoArgsFunctionCallGenerator):
1641         * parser/UnlinkedSourceCode.h:
1642         * runtime/ArrayPrototype.h:
1643         * runtime/CustomGetterSetter.h:
1644         * runtime/DateInstance.h:
1645         * runtime/InternalFunction.h:
1646         * runtime/JSArrayBuffer.h:
1647         * runtime/JSCPoison.cpp:
1648         (JSC::initializePoison):
1649         * runtime/JSCPoison.h:
1650         * runtime/JSGlobalObject.h:
1651         * runtime/JSScriptFetchParameters.h:
1652         * runtime/JSScriptFetcher.h:
1653         * runtime/NativeExecutable.h:
1654         * runtime/StructureTransitionTable.h:
1655         * runtime/WriteBarrier.h:
1656         (JSC::WriteBarrier::poison): Deleted.
1657         * wasm/js/JSToWasm.cpp:
1658         (JSC::Wasm::createJSToWasmWrapper):
1659         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1660         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1661         * wasm/js/JSWebAssemblyCodeBlock.h:
1662         * wasm/js/JSWebAssemblyInstance.h:
1663         (JSC::JSWebAssemblyInstance::poison):
1664         * wasm/js/JSWebAssemblyMemory.h:
1665         * wasm/js/JSWebAssemblyModule.h:
1666         * wasm/js/JSWebAssemblyTable.h:
1667         * wasm/js/WasmToJS.cpp:
1668         (JSC::Wasm::handleBadI64Use):
1669         (JSC::Wasm::wasmToJS):
1670         * wasm/js/WebAssemblyFunctionBase.h:
1671         * wasm/js/WebAssemblyModuleRecord.h:
1672         * wasm/js/WebAssemblyToJSCallee.h:
1673         * wasm/js/WebAssemblyWrapperFunction.h:
1674
1675 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1676
1677         Unreviewed, suppress GCC warnings
1678         https://bugs.webkit.org/show_bug.cgi?id=181976
1679
1680         * runtime/TypedArrayType.h:
1681
1682 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1683
1684         [YARR] Add diagnosis for YarrJIT failures
1685         https://bugs.webkit.org/show_bug.cgi?id=181927
1686
1687         Reviewed by Sam Weinig.
1688
1689         It is nice if we can see the reason why YarrJIT fails to compile a given pattern.
1690         This patch introduces Yarr::JITFailureReason and dumps messages if Options::dumpCompiledRegExpPatterns is specified.
1691
1692         * runtime/RegExp.cpp:
1693         (JSC::RegExp::compile):
1694         (JSC::RegExp::compileMatchOnly):
1695         * yarr/YarrJIT.cpp:
1696         (JSC::Yarr::YarrGenerator::generateTerm):
1697         (JSC::Yarr::YarrGenerator::backtrackTerm):
1698         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1699         (JSC::Yarr::YarrGenerator::YarrGenerator):
1700         (JSC::Yarr::YarrGenerator::compile):
1701         (JSC::Yarr::dumpCompileFailure):
1702         (JSC::Yarr::jitCompile):
1703         * yarr/YarrJIT.h:
1704         (JSC::Yarr::YarrCodeBlock::setFallBack):
1705         (JSC::Yarr::YarrCodeBlock::fallBack):
1706         (JSC::Yarr::YarrCodeBlock::clear):
1707         (JSC::Yarr::YarrCodeBlock::YarrCodeBlock): Deleted.
1708         (JSC::Yarr::YarrCodeBlock::~YarrCodeBlock): Deleted.
1709         (JSC::Yarr::YarrCodeBlock::isFallBack): Deleted.
1710
1711 2018-01-23  Alex Christensen  <achristensen@webkit.org>
1712
1713         Remove pre-Sierra-OS-specific code in WTF and JavaScriptCore
1714         https://bugs.webkit.org/show_bug.cgi?id=182028
1715
1716         Reviewed by Keith Miller.
1717
1718         * inspector/remote/cocoa/RemoteInspectorXPCConnection.h:
1719         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
1720         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1721
1722 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1723
1724         Use precise index masking for FTL GetByArgumentByVal
1725         https://bugs.webkit.org/show_bug.cgi?id=182006
1726
1727         Reviewed by Keith Miller.
1728         
1729         This protects speculative out-of-bounds on arguments[index].
1730         
1731         Making this work right involved fixing a possible overflow situation with
1732         numberOfArgumentsToSkip.
1733
1734         * dfg/DFGByteCodeParser.cpp:
1735         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
1736         * dfg/DFGGraph.cpp:
1737         (JSC::DFG::Graph::dump):
1738         * dfg/DFGNode.h:
1739         (JSC::DFG::Node::hasNumberOfArgumentsToSkip):
1740         (JSC::DFG::Node::numberOfArgumentsToSkip):
1741         * dfg/DFGStackLayoutPhase.cpp:
1742         (JSC::DFG::StackLayoutPhase::run):
1743         * ftl/FTLLowerDFGToB3.cpp:
1744         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
1745
1746 2018-01-23  David Kilzer  <ddkilzer@apple.com>
1747
1748         Follow-up for: oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
1749         <https://webkit.org/b/181871>
1750         <rdar://problem/36669691>
1751
1752         Address feedback for this change.
1753
1754         * CMakeLists.txt: Change "SYSTEM PUBLIC" to "SYSTEM PRIVATE" per
1755         feedback from Konstantin Tokarev.
1756
1757 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1758
1759         Rollout r219636
1760         https://bugs.webkit.org/show_bug.cgi?id=181997
1761         <rdar://problem/35883022>
1762
1763         Unreviewed, as it is a rollout.
1764
1765         * dfg/DFGSpeculativeJIT.cpp:
1766         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1767         * runtime/JSArray.cpp:
1768         (JSC::JSArray::tryCreateUninitializedRestricted):
1769         * runtime/JSArray.h:
1770         (JSC::JSArray::tryCreate):
1771         * runtime/JSObject.cpp:
1772         (JSC::JSObject::ensureLengthSlow):
1773
1774 2018-01-23  Mark Lam  <mark.lam@apple.com>
1775
1776         Re-arrange TypedArray JSTypes to match the order of the TypedArrayType enum list.
1777         https://bugs.webkit.org/show_bug.cgi?id=181976
1778         <rdar://problem/36766936>
1779
1780         Reviewed by Filip Pizlo.
1781
1782         1. The order of TypedArray JSTypes now matches the order of the TypedArrayType enum
1783            list.  I also added static asserts in TypedArrayType.h to enforce this.
1784
1785            Also redefined FOR_EACH_TYPED_ARRAY_TYPE() in terms of
1786
1787         2. Define 4 new values:
1788            a. FirstTypedArrayType
1789            b. LastTypedArrayType
1790            c. NumberOfTypedArrayTypesExcludingDataView
1791            d. NumberOfTypedArrayTypes
1792
1793            Use these everywhere where we iterate or bisect the TypedArray JSTypes.
1794
1795         3. Removed NUMBER_OF_TYPED_ARRAY_TYPES, and use NumberOfTypedArrayTypes instead.
1796
1797         4. Simplify the code that converts between TypedArrayType and JSType.
1798
1799            Changed typedArrayTypeForType() to be the mirror image of typeForTypedArrayType().
1800            Previously, typedArrayTypeForType() converts DataViewType to NotTypedArray
1801            instead of TypeDataView.  Now, it converts to TypeDataView.
1802
1803            This does not result in any change of behavior because typedArrayTypeForType()
1804            is only called in Structure::hasIndexingHeader(), and its result is passed to
1805            isTypedView(), which handles TypeDataView correctly.
1806
1807         5. Also fixed a bug in SpeculativeJIT::compileGetTypedArrayByteOffset().
1808            If the vector is null, we can skip the rest of the checks.  While the current
1809            code does not result in incorrect behavior, it is inefficient, and communicates
1810            wrong information to the reader i.e. implying that there's something in the
1811            dataGPR when there's not.  The dataGPR should also be null in this case.
1812
1813         * dfg/DFGByteCodeParser.cpp:
1814         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1815         * dfg/DFGSpeculativeJIT.cpp:
1816         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
1817         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1818         * ftl/FTLLowerDFGToB3.cpp:
1819         (JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):
1820         * ftl/FTLOSRExit.cpp:
1821         * llint/LowLevelInterpreter.asm:
1822         * llint/LowLevelInterpreter64.asm:
1823         * runtime/JSGlobalObject.cpp:
1824         (JSC::JSGlobalObject::visitChildren):
1825         * runtime/JSType.h:
1826         * runtime/TypedArrayType.cpp:
1827         (JSC::typeForTypedArrayType): Deleted.
1828         * runtime/TypedArrayType.h:
1829         (JSC::typedArrayTypeForType):
1830         (JSC::typeForTypedArrayType):
1831
1832 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1833
1834         DFG should always flush `this`
1835         https://bugs.webkit.org/show_bug.cgi?id=181999
1836
1837         Reviewed by Saam Barati and Mark Lam.
1838         
1839         This is going to make it possible to use precise index masking for arguments-on-the-stack
1840         accesses with an index adjusted so that 0 is this. Without this change, we would have no way
1841         of masking when the argument count is 0, unless we padded the argument area so that there was
1842         always an argument slot after `this` and it was always initialized.
1843         
1844         This is neutral on all benchmarks.
1845
1846         * dfg/DFGByteCodeParser.cpp:
1847         (JSC::DFG::ByteCodeParser::flushImpl):
1848         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
1849         (JSC::DFG::ByteCodeParser::flush):
1850         (JSC::DFG::ByteCodeParser::flushForTerminal):
1851         (JSC::DFG::ByteCodeParser::parse):
1852         (JSC::DFG::flushImpl): Deleted.
1853         (JSC::DFG::flushForTerminalImpl): Deleted.
1854         * dfg/DFGPreciseLocalClobberize.h:
1855         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1856
1857 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1858
1859         JSC should use a speculation fence on VM entry/exit
1860         https://bugs.webkit.org/show_bug.cgi?id=181991
1861
1862         Reviewed by JF Bastien and Mark Lam.
1863         
1864         This adds a WTF::speculationFence on VM entry and exit.
1865         
1866         For a microbenchmark that just calls a native function (supplied via an Objective-C block) in a
1867         tight loop from JS, this is a 0% regression on x86 and an 11% regression on ARM64.
1868         
1869         * runtime/JSLock.cpp:
1870         (JSC::JSLock::didAcquireLock):
1871         (JSC::JSLock::willReleaseLock):
1872
1873 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1874
1875         [JSC] JIT requires sizeof(bool) == 1
1876         https://bugs.webkit.org/show_bug.cgi?id=181150
1877
1878         Reviewed by Saam Barati.
1879
1880         LLInt and JIT assume that sizeof(bool) == 1. But it is implementation-dependent in the C++ spec.
1881         Since this is a mandatory requirement in JSC, we add a static_assert to ensure this.
1882
1883         * runtime/InitializeThreading.cpp:
1884
1885 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1886
1887         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1888         https://bugs.webkit.org/show_bug.cgi?id=181739
1889         <rdar://problem/36627662>
1890
1891         Reviewed by Saam Barati.
1892
1893         When calling a function, its number of arguments is set on the stack. When we turn a recursive tail call
1894         into a jump, we should update that stack slot as there is no guarantee that the function was originally
1895         called with the same number of arguments. Forgetting to do this is observable through 'arguments.length'.
1896
1897         It required adding a new DFG node: 'SetArgumentCountIncludingThis', that takes an unsigned int
1898         as its first OpInfo field, and stores it to the stack at the right place.
1899
1900         We must be a bit careful in where we put this new node, as it ClobbersExit.
1901         We must also fix DFGArgumentsEliminationPhase and DFGPutStackSinkingPhase as they assumed that any node that writes to the stack must write to either an argument or a local.
1902
1903         * dfg/DFGAbstractInterpreterInlines.h:
1904         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1905         * dfg/DFGArgumentsEliminationPhase.cpp:
1906         * dfg/DFGByteCodeParser.cpp:
1907         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1908         * dfg/DFGClobberize.h:
1909         (JSC::DFG::clobberize):
1910         * dfg/DFGDoesGC.cpp:
1911         (JSC::DFG::doesGC):
1912         * dfg/DFGFixupPhase.cpp:
1913         (JSC::DFG::FixupPhase::fixupNode):
1914         * dfg/DFGMayExit.cpp:
1915         * dfg/DFGNode.h:
1916         (JSC::DFG::Node::argumentCountIncludingThis):
1917         * dfg/DFGNodeType.h:
1918         * dfg/DFGPredictionPropagationPhase.cpp:
1919         * dfg/DFGPutStackSinkingPhase.cpp:
1920         * dfg/DFGSafeToExecute.h:
1921         (JSC::DFG::safeToExecute):
1922         * dfg/DFGSpeculativeJIT.cpp:
1923         (JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis):
1924         * dfg/DFGSpeculativeJIT.h:
1925         * dfg/DFGSpeculativeJIT32_64.cpp:
1926         (JSC::DFG::SpeculativeJIT::compile):
1927         * dfg/DFGSpeculativeJIT64.cpp:
1928         (JSC::DFG::SpeculativeJIT::compile):
1929         * ftl/FTLCapabilities.cpp:
1930         (JSC::FTL::canCompile):
1931         * ftl/FTLLowerDFGToB3.cpp:
1932         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1933         (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis):
1934
1935 2018-01-22  Michael Saboff  <msaboff@apple.com>
1936
1937         DFG abstract interpreter needs to properly model effects of some Math ops
1938         https://bugs.webkit.org/show_bug.cgi?id=181886
1939
1940         Reviewed by Saam Barati.
1941
1942         Reviewed the processing of the various ArithXXX and CompareXXX and found that
1943         several nodes don't handle UntypedUse.  Added clobberWorld() for those cases.
1944
1945         * dfg/DFGAbstractInterpreter.h:
1946         * dfg/DFGAbstractInterpreterInlines.h:
1947         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1948         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1949
1950 2018-01-21  Wenson Hsieh  <wenson_hsieh@apple.com>
1951
1952         Add a new feature flag for EXTRA_ZOOM_MODE and reintroduce AdditionalFeatureDefines.h
1953         https://bugs.webkit.org/show_bug.cgi?id=181918
1954
1955         Reviewed by Tim Horton.
1956
1957         Add EXTRA_ZOOM_MODE to FeatureDefines.xconfig (off by default).
1958
1959         * Configurations/FeatureDefines.xcconfig:
1960
1961 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1962
1963         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1964         https://bugs.webkit.org/show_bug.cgi?id=181182
1965
1966         Reviewed by Darin Adler.
1967
1968         Casting double to integer is undefined behavior when the truncation
1969         results in a value that doesn't fit into the integer's size,
1970         according to the C++ spec [1]. Thus, we are changing bigIntProtoFuncToString and
1971         numberProtoFuncToString to remove this source of undefined
1972         behavior.
1973
1974         [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
1975
1976         * runtime/BigIntPrototype.cpp:
1977         (JSC::bigIntProtoFuncToString):
1978         * runtime/NumberPrototype.cpp:
1979         (JSC::numberProtoFuncToString):
1980         (JSC::extractToStringRadixArgument):
1981         (JSC::extractRadixFromArgs): Deleted.
1982         * runtime/NumberPrototype.h:
1983
1984 2018-01-19  Saam Barati  <sbarati@apple.com>
1985
1986         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1987         https://bugs.webkit.org/show_bug.cgi?id=181877
1988         <rdar://problem/36630552>
1989
1990         Reviewed by Mark Lam.
1991
1992         Before this patch, we used to assert that op_negate's result ArithProfile
1993         only produces number. It's logically true that negate only produces a number.
1994         However, the DFG may incorrectly pick this ArithProfile when doing OSR exit
1995         profiling. So we'll end up profiling something that's likely the input to
1996         negate. This patch removes the assert. We cede to the fact that Graph::methodOfGettingAValueProfileFor
1997         is entirely heuristic based, potentially leading to profiling results being imprecise.
1998
1999         * dfg/DFGByteCodeParser.cpp:
2000         (JSC::DFG::ByteCodeParser::makeSafe):
2001
2002 2018-01-19  David Kilzer  <ddkilzer@apple.com>
2003
2004         oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
2005         <https://webkit.org/b/181871>
2006
2007         Rubber-stamped by JF Bastien.
2008
2009         * CMakeLists.txt: Add ICU header search path to
2010         LLIntOffsetsExtractor target by reusing
2011         JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES.
2012
2013 2018-01-19  Saam Barati  <sbarati@apple.com>
2014
2015         Spread's effects are modeled incorrectly both in AI and in Clobberize
2016         https://bugs.webkit.org/show_bug.cgi?id=181867
2017         <rdar://problem/36290415>
2018
2019         Reviewed by Michael Saboff.
2020
2021         * dfg/DFGAbstractInterpreterInlines.h:
2022         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2023         * dfg/DFGClobberize.h:
2024         (JSC::DFG::clobberize):
2025
2026 2018-01-19  Keith Miller  <keith_miller@apple.com>
2027
2028         HaveInternalSDK includes should be "#include?"
2029         https://bugs.webkit.org/show_bug.cgi?id=179670
2030
2031         Reviewed by Dan Bernstein.
2032
2033         * Configurations/Base.xcconfig:
2034
2035 2018-01-18  JF Bastien  <jfbastien@apple.com>
2036
2037         Set the minimum executable allocator size properly
2038         https://bugs.webkit.org/show_bug.cgi?id=181816
2039         <rdar://problem/36635533>
2040
2041         Reviewed by Saam Barati.
2042
2043         Executable allocator expects at least two page size's worth of
2044         allocation in certain conditions, and that causes some tests to
2045         now fail because they ask for less. Set that minimum correctly. We
2046         were already rounding up to a page size, so having a minimum of 2
2047         page sizes is fine.
2048
2049         * jit/ExecutableAllocator.cpp:
2050         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2051
2052 2018-01-18  Michael Saboff  <msaboff@apple.com>
2053
2054         Unreviewed build fix for Windows
2055
2056         * interpreter/FrameTracers.h:
2057         (JSC::assertStackPointerIsAligned): Can't use gcc style inlined assembly
2058         on Windows.
2059
2060 2018-01-18  Mark Lam  <mark.lam@apple.com>
2061
2062         Poisons should be initialized after Options are initialized.
2063         https://bugs.webkit.org/show_bug.cgi?id=181807
2064         <rdar://problem/36629138>
2065
2066         Reviewed by Keith Miller.
2067
2068         This is because poison initialization may depend on options.
2069
2070         * runtime/InitializeThreading.cpp:
2071         (JSC::initializeThreading):
2072
2073 2018-01-18  Dan Bernstein  <mitz@apple.com>
2074
2075         [Xcode] Streamline and future-proof target-macOS-version-dependent build setting definitions
2076         https://bugs.webkit.org/show_bug.cgi?id=181803
2077
2078         Reviewed by Tim Horton.
2079
2080         * Configurations/Base.xcconfig: Updated.
2081         * Configurations/DebugRelease.xcconfig: Ditto.
2082         * Configurations/FeatureDefines.xcconfig: Adopted macOSTargetConditionals helpers.
2083         * Configurations/Version.xcconfig: Updated.
2084         * Configurations/macOSTargetConditionals.xcconfig: Added. Defines helper build settings
2085           useful for defining settings that depend on the target macOS version.
2086
2087 2018-01-18  Michael Saboff  <msaboff@apple.com>
2088
2089         REGRESSION (r226068): [X86] Crash in JavaScriptCore ShadowChicken when handling exceptions
2090         https://bugs.webkit.org/show_bug.cgi?id=181802
2091
2092         Reviewed by Filip Pizlo.
2093
2094         There were a few places where the stack isn't properly aligned for X86 when we call into C++ code.
2095         Two places are where we call into exception handling code, the LLInt and from nativeForGenerator.
2096         The other place was when we call into the operationOSRWriteBarrier().
2097
2098         Added an assert check that the stack is aligned on X86 platforms in the native call tracing code.
2099         This helped find the other cases beyond the original problem.
2100
2101         * dfg/DFGOSRExitCompilerCommon.cpp:
2102         (JSC::DFG::osrWriteBarrier):
2103         * interpreter/FrameTracers.h:
2104         (JSC::assertStackPointerIsAligned):
2105         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2106         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
2107         * jit/ThunkGenerators.cpp:
2108         (JSC::nativeForGenerator):
2109         * llint/LowLevelInterpreter32_64.asm:
2110
2111 2018-01-18  Commit Queue  <commit-queue@webkit.org>
2112
2113         Unreviewed, rolling out r227096.
2114         https://bugs.webkit.org/show_bug.cgi?id=181788
2115
2116         "it caused a 15% octane regression" (Requested by saamyjoon on
2117         #webkit).
2118
2119         Reverted changeset:
2120
2121         "Support MultiGetByOffset in the DFG"
2122         https://bugs.webkit.org/show_bug.cgi?id=181466
2123         https://trac.webkit.org/changeset/227096
2124
2125 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2126
2127         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
2128         https://bugs.webkit.org/show_bug.cgi?id=181535
2129
2130         Reviewed by Saam Barati.
2131
2132         When executing code like `string.match(/regexp/)`, a `/regexp/` object is created every time we execute this code.
2133         However, the user rarely cares about this `/regexp/` object. Typically, it is soon discarded even if it has `lastIndex`
2134         information. So we should not create a RegExpObject for this typical case.
2135
2136         This patch introduces PhantomNewRegexp. We convert NewRegexp node to PhantomNewRegexp in Object Allocation Sinking (OAS)
2137         phase. We should do this analysis in OAS phase since we track modifications to `lastIndex` in the OAS phase. Even if
2138         `lastIndex` is modified, it may not be read by users. So we have a chance to drop this NewRegexp because we carefully model
2139         SetRegExpObjectLastIndex and GetRegExpObjectLastIndex in OAS phase.
2140
2141         This patch is a first attempt to drop NewRegexp. So we start optimizing it with a simple step: we first drop RegExps that are
2142         non-global and non-sticky. We can later extend this optimization to RegExps with the global flag. But this is not included
2143         in this patch.
2144
2145         We convert RegExpExec to RegExpExecNonGlobalOrSticky if we find that the given RegExpObject's RegExp is not global/sticky
2146         flagged. Since we do not need to touch `lastIndex` property in this case, RegExpExecNonGlobalOrSticky just takes RegExp
2147         instead of RegExpObject. This offers the chance to make NewRegExp unused.
2148
2149         We also convert RegExpMatchFast to RegExpExecNonGlobalOrSticky if its RegExpObject's RegExp is non-global and non-sticky,
2150         since they have the same behavior.
2151
2152         The above optimization completely removes NewRegexp in SixSpeed's regexp-u.{es5,es6}. The resulting execution time is
2153         roughly the pure execution time of our Yarr implementation.
2154
2155                                      baseline                  patched
2156
2157             regex-u.es5          34.8557+-0.5963     ^      6.1507+-0.5526        ^ definitely 5.6670x faster
2158             regex-u.es6          89.1919+-3.3851     ^     32.0917+-0.4260        ^ definitely 2.7793x faster
2159
2160         This patch does not change Octane/RegExp so much since it heavily uses String.prototype.replace, which is not handled in
2161         this patch right now. We should support StringReplace node in subsequent patches.
2162
2163         * dfg/DFGAbstractInterpreterInlines.h:
2164         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2165         * dfg/DFGByteCodeParser.cpp:
2166         (JSC::DFG::ByteCodeParser::parseBlock):
2167         * dfg/DFGClobberize.h:
2168         (JSC::DFG::clobberize):
2169         * dfg/DFGClobbersExitState.cpp:
2170         (JSC::DFG::clobbersExitState):
2171         * dfg/DFGDoesGC.cpp:
2172         (JSC::DFG::doesGC):
2173         * dfg/DFGFixupPhase.cpp:
2174         (JSC::DFG::FixupPhase::fixupNode):
2175         * dfg/DFGGraph.cpp:
2176         (JSC::DFG::Graph::dump):
2177         * dfg/DFGMayExit.cpp:
2178         * dfg/DFGNode.cpp:
2179         (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky):
2180         * dfg/DFGNode.h:
2181         (JSC::DFG::Node::convertToPhantomNewRegexp):
2182         (JSC::DFG::Node::convertToSetRegExpObjectLastIndex):
2183         (JSC::DFG::Node::hasHeapPrediction):
2184         (JSC::DFG::Node::hasCellOperand):
2185         (JSC::DFG::Node::isPhantomAllocation):
2186         (JSC::DFG::Node::hasIgnoreLastIndexIsWritable):
2187         (JSC::DFG::Node::ignoreLastIndexIsWritable):
2188         * dfg/DFGNodeType.h:
2189         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2190         * dfg/DFGOperations.cpp:
2191         * dfg/DFGOperations.h:
2192         * dfg/DFGPredictionPropagationPhase.cpp:
2193         * dfg/DFGPromotedHeapLocation.cpp:
2194         (WTF::printInternal):
2195         * dfg/DFGPromotedHeapLocation.h:
2196         (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization const):
2197         * dfg/DFGSafeToExecute.h:
2198         (JSC::DFG::safeToExecute):
2199         * dfg/DFGSpeculativeJIT.cpp:
2200         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2201         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2202         (JSC::DFG::SpeculativeJIT::compileRegExpExecNonGlobalOrSticky):
2203         * dfg/DFGSpeculativeJIT.h:
2204         (JSC::DFG::SpeculativeJIT::callOperation):
2205         * dfg/DFGSpeculativeJIT32_64.cpp:
2206         (JSC::DFG::SpeculativeJIT::compile):
2207         * dfg/DFGSpeculativeJIT64.cpp:
2208         (JSC::DFG::SpeculativeJIT::compile):
2209         * dfg/DFGStrengthReductionPhase.cpp:
2210         (JSC::DFG::StrengthReductionPhase::handleNode):
2211         * dfg/DFGValidate.cpp:
2212         * ftl/FTLCapabilities.cpp:
2213         (JSC::FTL::canCompile):
2214         * ftl/FTLLowerDFGToB3.cpp:
2215         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2216         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky):
2217         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2218         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2219         * ftl/FTLOperations.cpp:
2220         (JSC::FTL::operationPopulateObjectInOSR):
2221         (JSC::FTL::operationMaterializeObjectInOSR):
2222         * jit/JITOperations.h:
2223         * runtime/RegExpObject.h:
2224         (JSC::RegExpObject::create):
2225
2226 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2227
2228         [FTL] Remove unused helper functions to convert node to PutHint
2229         https://bugs.webkit.org/show_bug.cgi?id=181775
2230
2231         Reviewed by Saam Barati.
2232
2233         We are using PromotedHeapLocation::createHint. So they are not necessary.
2234
2235         * dfg/DFGNode.cpp:
2236         (JSC::DFG::Node::convertToPutHint): Deleted.
2237         (JSC::DFG::Node::convertToPutStructureHint): Deleted.
2238         (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
2239         (JSC::DFG::Node::convertToPutClosureVarHint): Deleted.
2240         * dfg/DFGNode.h:
2241
2242 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2243
2244         Unreviewed, suppress warnings on GCC
2245
2246         Since `length` and `p` are always positive or zero,
2247         static_cast<unsigned>() does what we want.
2248
2249         * runtime/JSBigInt.cpp:
2250         (JSC::JSBigInt::parseInt):
2251
2252 2018-01-17  Saam Barati  <sbarati@apple.com>
2253
2254         Disable Atomics when SharedArrayBuffer isn’t enabled
2255         https://bugs.webkit.org/show_bug.cgi?id=181572
2256         <rdar://problem/36553206>
2257
2258         Reviewed by Michael Saboff.
2259
2260         * runtime/JSGlobalObject.cpp:
2261         (JSC::JSGlobalObject::init):
2262         (JSC::createAtomicsProperty): Deleted.
2263
2264 2018-01-17  Saam Barati  <sbarati@apple.com>
2265
2266         Support MultiGetByOffset in the DFG
2267         https://bugs.webkit.org/show_bug.cgi?id=181466
2268
2269         Reviewed by Keith Miller.
2270
2271         This seems to benefit Speedometer in my local testing. It seems like this
2272         might be around a 0.5% improvement.
2273
2274         * dfg/DFGAbstractInterpreterInlines.h:
2275         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2276         * dfg/DFGByteCodeParser.cpp:
2277         (JSC::DFG::ByteCodeParser::handleGetById):
2278         * dfg/DFGConstantFoldingPhase.cpp:
2279         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2280         * dfg/DFGGraph.h:
2281         (JSC::DFG::Graph::supportsMultiGetByOffset):
2282         * dfg/DFGSpeculativeJIT64.cpp:
2283         (JSC::DFG::SpeculativeJIT::compile):
2284
2285 2018-01-17  Saam Barati  <sbarati@apple.com>
2286
2287         DFG::Node::convertToConstant needs to clear the varargs flags
2288         https://bugs.webkit.org/show_bug.cgi?id=181697
2289         <rdar://problem/36497332>
2290
2291         Reviewed by Yusuke Suzuki.
2292
2293         * dfg/DFGNode.h:
2294         (JSC::DFG::Node::convertToConstant):
2295
2296 2018-01-16  JF Bastien  <jfbastien@apple.com>
2297
2298         Allow dangerous disabling of poison
2299         https://bugs.webkit.org/show_bug.cgi?id=181685
2300         <rdar://problem/36546265>
2301
2302         Reviewed by Keith Miller.
2303
2304         Some tools such as leak detectors and such like to look at real
2305         pointers, and poisoned ones confuse them. Add a JSC option to
2306         disable poisoning, but log to the console when this is done.
2307
2308         * runtime/JSCPoison.cpp:
2309         (JSC::initializePoison):
2310         * runtime/Options.h:
2311
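The entry above refers to "real" versus poisoned pointers without showing what a poisoned field looks like. The following is an added illustration written for this page; it is not WTF's or JavaScriptCore's `Poisoned` implementation, and the namespace `poison_demo`, the function `initializePoison(key, disablePoison)` and the helper `storedBitsHideAddress` are constructed for the example. It assumes a simple XOR-with-process-key scheme, which is enough to show why a leak detector reading raw field bits cannot recognise the address, and why disabling poisoning (key of 0) makes the stored bits equal the raw pointer again.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed illustration (not WTF/JSC's Poisoned): a pointer field whose
// stored bits are XORed with a process-wide key, so a stale or type-confused
// read of the raw field does not yield a directly usable address.
namespace poison_demo {

// Process-wide key. A real implementation would derive it from a CSPRNG at
// startup; the demo takes it as a parameter so the example is deterministic.
static uintptr_t g_poisonKey = 0;

// Mirrors the option described in the entry above: poisoning can be switched
// off for tools that need to see real pointers, and doing so is logged.
void initializePoison(uintptr_t key, bool disablePoison)
{
    if (disablePoison) {
        std::fprintf(stderr, "Warning: pointer poisoning disabled\n");
        g_poisonKey = 0; // with a zero key, stored bits == raw pointer bits
        return;
    }
    g_poisonKey = key;
}

template<typename T>
class Poisoned {
public:
    Poisoned() : m_bits(poison(nullptr)) {}
    explicit Poisoned(T* ptr) : m_bits(poison(ptr)) {}

    T* get() const { return unpoison(m_bits); }
    void set(T* ptr) { m_bits = poison(ptr); }

    // The stored representation, as a leak detector (or a memory-disclosure
    // bug) would see it when scanning the object's memory.
    uintptr_t rawBits() const { return m_bits; }

private:
    static uintptr_t poison(T* ptr)
    {
        // nullptr stays 0 so "is this set?" checks remain key-independent.
        uintptr_t bits = reinterpret_cast<uintptr_t>(ptr);
        return bits ? bits ^ g_poisonKey : 0;
    }
    static T* unpoison(uintptr_t bits)
    {
        return bits ? reinterpret_cast<T*>(bits ^ g_poisonKey) : nullptr;
    }

    uintptr_t m_bits;
};

// True when the bits stored in the field differ from the real address.
template<typename T>
bool storedBitsHideAddress(const Poisoned<T>& field, const T* real)
{
    return field.rawBits() != reinterpret_cast<uintptr_t>(real);
}

} // namespace poison_demo
```

With poisoning enabled, `get()` still returns the original pointer while `rawBits()` does not match it; after `initializePoison(0, true)` the two coincide, which is exactly the state a leak detector wants and the state the warning is there to flag.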
2312 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
2313
2314         Unreviewed, rolling out r226937.
2315
2316         Tests added with this change are failing due to a missing
2317         exception check.
2318
2319         Reverted changeset:
2320
2321         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
2322         double to int32_t"
2323         https://bugs.webkit.org/show_bug.cgi?id=181182
2324         https://trac.webkit.org/changeset/226937
2325
2326 2018-01-16  Michael Catanzaro  <mcatanzaro@igalia.com>
2327
2328         Test programs should only be built in developer mode
2329         https://bugs.webkit.org/show_bug.cgi?id=181653
2330
2331         Reviewed by Carlos Garcia Campos.
2332
2333         Build test programs only in developer mode, and fix code style.
2334
2335         * shell/CMakeLists.txt:
2336
2337 2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2338
2339         Improve use of ExportMacros
2340         https://bugs.webkit.org/show_bug.cgi?id=181652
2341
2342         Reviewed by Konstantin Tokarev.
2343
2344         * API/JSBase.h: Update a comment.
2345         * inspector/InspectorBackendDispatcher.h: Use a better, yet equivalent, WTF macro.
2346         * runtime/JSExportMacros.h: Simplify the #defines in this file.
2347
2348 2018-01-15  JF Bastien  <jfbastien@apple.com>
2349
2350         Remove makePoisonedUnique
2351         https://bugs.webkit.org/show_bug.cgi?id=181630
2352         <rdar://problem/36498623>
2353
2354         Reviewed by Mark Lam.
2355
2356         I added a conversion from std::unique_ptr, so we can just use
2357         std::make_unique and it'll auto-poison when converted.
2358
2359         * bytecode/CodeBlock.h:
2360         (JSC::CodeBlock::makePoisonedUnique): Deleted.
2361         * runtime/JSGlobalObject.cpp:
2362         (JSC::JSGlobalObject::init):
2363         * runtime/JSGlobalObject.h:
2364         (JSC::JSGlobalObject::makePoisonedUnique): Deleted.
2365
2366 2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2367
2368         REGRESSION(r226266): [GTK] RELEASE_ASSERT(reservedZoneSize >= minimumReservedZoneSize) in JSC::VM::updateStackLimits
2369         https://bugs.webkit.org/show_bug.cgi?id=181438
2370         <rdar://problem/36376724>
2371
2372         Reviewed by Carlos Garcia Campos.
2373
2374         Roll out the functional changes of r226266. We'll keep the minor CMake library type setting
2375         cleanup, but we have to switch back to building JSC only as a shared library, and we have to
2376         get rid of the version script.
2377
2378         * PlatformGTK.cmake:
2379         * javascriptcoregtk-symbols.map: Removed.
2380
2381 2018-01-14  Saam Barati  <sbarati@apple.com>
2382
2383         Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build.
2384
2385         * bytecode/CallLinkStatus.cpp:
2386         (JSC::CallLinkStatus::computeFromLLInt):
2387         (JSC::CallLinkStatus::computeExitSiteData):
2388
2389 2018-01-13  Mark Lam  <mark.lam@apple.com>
2390
2391         Replace all use of ConstExprPoisoned with Poisoned.
2392         https://bugs.webkit.org/show_bug.cgi?id=181542
2393         <rdar://problem/36442138>
2394
2395         Reviewed by JF Bastien.
2396
2397         1. All JSC poisons are now defined in JSCPoison.h.
2398
2399         2. Change all clients to use the new poison values via the POISON() macro.
2400
2401         3. The LLInt code has been updated to handle CodeBlock poison.  Some of this code
2402            uses the t5 temp register, which is not available on the Windows port.
2403            Fortunately, we don't currently do poisoning on the Windows port yet.  So,
2404            it will just work for now.
2405
2406            When poisoning is enabled for the Windows port, this LLInt code will need a
2407            Windows specific implementation to work around its lack of a t5 register.
2408
2409         * API/JSAPIWrapperObject.h:
2410         * API/JSCallbackFunction.h:
2411         * API/JSCallbackObject.h:
2412         * JavaScriptCore.xcodeproj/project.pbxproj:
2413         * Sources.txt:
2414         * assembler/MacroAssemblerCodeRef.h:
2415         (JSC::MacroAssemblerCodePtr::emptyValue):
2416         (JSC::MacroAssemblerCodePtr::deletedValue):
2417         * b3/B3LowerMacros.cpp:
2418         * b3/testb3.cpp:
2419         (JSC::B3::testInterpreter):
2420         * bytecode/CodeBlock.h:
2421         (JSC::CodeBlock::instructions):
2422         (JSC::CodeBlock::instructions const):
2423         (JSC::CodeBlock::makePoisonedUnique):
2424         * dfg/DFGOSRExitCompilerCommon.h:
2425         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
2426         * dfg/DFGSpeculativeJIT.cpp:
2427         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2428         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2429         * ftl/FTLLowerDFGToB3.cpp:
2430         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2431         * jit/JIT.h:
2432         * jit/ThunkGenerators.cpp:
2433         (JSC::virtualThunkFor):
2434         (JSC::nativeForGenerator):
2435         (JSC::boundThisNoArgsFunctionCallGenerator):
2436         * llint/LowLevelInterpreter.asm:
2437         * llint/LowLevelInterpreter32_64.asm:
2438         * llint/LowLevelInterpreter64.asm:
2439         * parser/UnlinkedSourceCode.h:
2440         * runtime/ArrayPrototype.h:
2441         * runtime/CustomGetterSetter.h:
2442         * runtime/DateInstance.h:
2443         * runtime/InternalFunction.h:
2444         * runtime/JSArrayBuffer.h:
2445         * runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
2446         (JSC::initializePoison):
2447         * runtime/JSCPoison.h:
2448         (): Deleted.
2449         * runtime/JSCPoisonedPtr.cpp: Removed.
2450         * runtime/JSCPoisonedPtr.h: Removed.
2451         * runtime/JSGlobalObject.h:
2452         (JSC::JSGlobalObject::makePoisonedUnique):
2453         * runtime/JSScriptFetchParameters.h:
2454         * runtime/JSScriptFetcher.h:
2455         * runtime/NativeExecutable.h:
2456         * runtime/StructureTransitionTable.h:
2457         (JSC::StructureTransitionTable::map const):
2458         (JSC::StructureTransitionTable::weakImpl const):
2459         * runtime/WriteBarrier.h:
2460         (JSC::WriteBarrier::poison):
2461         * wasm/js/JSToWasm.cpp:
2462         (JSC::Wasm::createJSToWasmWrapper):
2463         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2464         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2465         * wasm/js/JSWebAssemblyCodeBlock.h:
2466         * wasm/js/JSWebAssemblyInstance.h:
2467         * wasm/js/JSWebAssemblyMemory.h:
2468         * wasm/js/JSWebAssemblyModule.h:
2469         * wasm/js/JSWebAssemblyTable.h:
2470         * wasm/js/WasmToJS.cpp:
2471         (JSC::Wasm::handleBadI64Use):
2472         (JSC::Wasm::wasmToJS):
2473         * wasm/js/WebAssemblyFunctionBase.h:
2474         * wasm/js/WebAssemblyModuleRecord.h:
2475         * wasm/js/WebAssemblyToJSCallee.h:
2476         * wasm/js/WebAssemblyWrapperFunction.h:
2477
2478 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
2479
2480         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
2481         https://bugs.webkit.org/show_bug.cgi?id=181182
2482
2483         Reviewed by Darin Adler.
2484
2485         Casting double to integer is undefined behavior when the truncation
2486         results in a value that doesn't fit into the integer size, according to the C++
2487         spec[1]. Thus, we are changing bigIntProtoFuncToString and
2488         numberProtoFuncToString to remove these sources of undefined behavior.
2489
2490         [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
2491
2492         * runtime/BigIntPrototype.cpp:
2493         (JSC::bigIntProtoFuncToString):
2494         * runtime/NumberPrototype.cpp:
2495         (JSC::numberProtoFuncToString):
2496         (JSC::extractRadixFromArgs): Deleted.
2497         (JSC::extractToStringRadixArgument): Added.
2498
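The two entries for bug 181182 (this one and its re-landing dated 2018-01-20 above) describe the hazard without showing it. Below is an added example written for this page, not JavaScriptCore's `extractToStringRadixArgument`: it puts the unchecked cast beside a range-checked conversion and applies it to the `toString(radix)` argument rule (undefined means radix 10; otherwise the truncated value must lie in 2..36 or a RangeError is raised). The names `unsafeTruncate`, `checkedTruncateToInt32`, `RadixResult` and `extractRadix` are constructed for the example.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <optional>

// Constructed example (not JSC code): the pattern the entry describes, then a
// replacement that never performs an out-of-range double -> int32_t cast.

// UNSAFE: if `value` is NaN, +/-infinity, or lies outside int32_t's range after
// truncation, this conversion is undefined behaviour in C++. Shown only as the
// "before"; it is never called with such inputs here.
int32_t unsafeTruncate(double value)
{
    return static_cast<int32_t>(value);
}

// Range-checked truncation toward zero: std::nullopt instead of UB.
std::optional<int32_t> checkedTruncateToInt32(double value)
{
    if (std::isnan(value))
        return std::nullopt;
    double truncated = std::trunc(value); // infinities stay infinite and fail the range test
    constexpr double minInt32 = static_cast<double>(std::numeric_limits<int32_t>::min());
    constexpr double maxInt32 = static_cast<double>(std::numeric_limits<int32_t>::max());
    if (truncated < minInt32 || truncated > maxInt32)
        return std::nullopt;
    return static_cast<int32_t>(truncated); // now guaranteed representable
}

// Outcome of reading a toString() radix argument.
struct RadixResult {
    bool rangeError; // true when the caller should throw a RangeError
    int32_t radix;   // meaningful only when !rangeError
};

// Applies the Number.prototype.toString(radix) rule: an absent argument means
// radix 10; otherwise the truncated value must be in [2, 36]. Values that do
// not fit int32_t are rejected before any cast happens, so no UB is reachable.
RadixResult extractRadix(std::optional<double> argument)
{
    if (!argument)
        return { false, 10 };
    std::optional<int32_t> radix = checkedTruncateToInt32(*argument);
    if (!radix || *radix < 2 || *radix > 36)
        return { true, 0 };
    return { false, *radix };
}
```

The point of doing the range test on the double, before casting, is that the comparison itself is well defined for every double value (including NaN and infinities), whereas the cast is only defined once the value is known to fit.
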
2499 2018-01-12  Saam Barati  <sbarati@apple.com>
2500
2501         Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock
2502         https://bugs.webkit.org/show_bug.cgi?id=181545
2503
2504         Reviewed by Michael Saboff.
2505
2506         This patch follows the theme of putting optimization profiling information on
2507         UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data.
2508         This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock
2509         pulled from the code cache, making better compilation decisions, usually
2510         resulting in fewer exits, and fewer recompilations.
2511         
2512         This is a 1% Speedometer progression in my testing.
2513
2514         * bytecode/BytecodeDumper.cpp:
2515         (JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
2516         * bytecode/CallLinkStatus.cpp:
2517         (JSC::CallLinkStatus::computeFromLLInt):
2518         (JSC::CallLinkStatus::computeFor):
2519         (JSC::CallLinkStatus::computeExitSiteData):
2520         (JSC::CallLinkStatus::computeDFGStatuses):
2521         * bytecode/CallLinkStatus.h:
2522         * bytecode/CodeBlock.h:
2523         (JSC::CodeBlock::addFrequentExitSite): Deleted.
2524         (JSC::CodeBlock::hasExitSite const): Deleted.
2525         (JSC::CodeBlock::exitProfile): Deleted.
2526         * bytecode/DFGExitProfile.cpp:
2527         (JSC::DFG::ExitProfile::add):
2528         (JSC::DFG::QueryableExitProfile::initialize):
2529         * bytecode/DFGExitProfile.h:
2530         (JSC::DFG::ExitProfile::hasExitSite const):
2531         * bytecode/GetByIdStatus.cpp:
2532         (JSC::GetByIdStatus::hasExitSite):
2533         (JSC::GetByIdStatus::computeFor):
2534         (JSC::GetByIdStatus::computeForStubInfo):
2535         * bytecode/GetByIdStatus.h:
2536         * bytecode/PutByIdStatus.cpp:
2537         (JSC::PutByIdStatus::hasExitSite):
2538         (JSC::PutByIdStatus::computeFor):
2539         (JSC::PutByIdStatus::computeForStubInfo):
2540         * bytecode/PutByIdStatus.h:
2541         * bytecode/UnlinkedCodeBlock.cpp:
2542         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
2543         * bytecode/UnlinkedCodeBlock.h:
2544         (JSC::UnlinkedCodeBlock::hasExitSite const):
2545         (JSC::UnlinkedCodeBlock::hasExitSite):
2546         (JSC::UnlinkedCodeBlock::exitProfile):
2547         * dfg/DFGByteCodeParser.cpp:
2548         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2549         * dfg/DFGGraph.h:
2550         (JSC::DFG::Graph::hasGlobalExitSite):
2551         (JSC::DFG::Graph::hasExitSite):
2552         * dfg/DFGLICMPhase.cpp:
2553         (JSC::DFG::LICMPhase::attemptHoist):
2554         * dfg/DFGOSRExitBase.cpp:
2555         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2556
2557 2018-01-12  JF Bastien  <jfbastien@apple.com>
2558
2559         PoisonedWriteBarrier
2560         https://bugs.webkit.org/show_bug.cgi?id=181599
2561         <rdar://problem/36474351>
2562
2563         Reviewed by Mark Lam.
2564
2565         Allow poisoning of WriteBarrier objects, and use this for
2566         WebAssembly because it is perf-neutral, at least on WasmBench on
2567         my MBP. If it indeed is perf-neutral according to the bots, start
2568         using it in more performance-sensitive places.
2569
2570         * heap/HandleTypes.h:
2571         * heap/SlotVisitor.h:
2572         * heap/SlotVisitorInlines.h:
2573         (JSC::SlotVisitor::append):
2574         (JSC::SlotVisitor::appendHidden):
2575         * runtime/JSCJSValue.h:
2576         * runtime/JSCPoison.h:
2577         * runtime/Structure.h:
2578         * runtime/StructureInlines.h:
2579         (JSC::Structure::setPrototypeWithoutTransition):
2580         (JSC::Structure::setGlobalObject):
2581         (JSC::Structure::setPreviousID):
2582         * runtime/WriteBarrier.h:
2583         (JSC::WriteBarrierBase::copyFrom):
2584         (JSC::WriteBarrierBase::get const):
2585         (JSC::WriteBarrierBase::operator* const):
2586         (JSC::WriteBarrierBase::operator-> const):
2587         (JSC::WriteBarrierBase::clear):
2588         (JSC::WriteBarrierBase::slot):
2589         (JSC::WriteBarrierBase::operator bool const):
2590         (JSC::WriteBarrierBase::setWithoutWriteBarrier):
2591         (JSC::WriteBarrierBase::unvalidatedGet const):
2592         (JSC::operator==):
2593         * runtime/WriteBarrierInlines.h:
2594         (JSC::Traits>::set):
2595         (JSC::Traits>::setMayBeNull):
2596         (JSC::Traits>::setEarlyValue):
2597         (JSC::DumbValueTraits<Unknown>>::set):
2598         * wasm/WasmInstance.h:
2599         * wasm/js/JSWebAssemblyInstance.cpp:
2600         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
2601         (JSC::JSWebAssemblyInstance::finishCreation):
2602         (JSC::JSWebAssemblyInstance::visitChildren):
2603         (JSC::JSWebAssemblyInstance::create):
2604         * wasm/js/JSWebAssemblyInstance.h:
2605         (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee):
2606         * wasm/js/JSWebAssemblyMemory.h:
2607         * wasm/js/JSWebAssemblyModule.h:
2608         * wasm/js/JSWebAssemblyTable.cpp:
2609         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
2610         (JSC::JSWebAssemblyTable::grow):
2611         (JSC::JSWebAssemblyTable::clearFunction):
2612         * wasm/js/JSWebAssemblyTable.h:
2613         * wasm/js/WasmToJS.cpp:
2614         (JSC::Wasm::materializeImportJSCell):
2615         (JSC::Wasm::handleBadI64Use):
2616         (JSC::Wasm::wasmToJS):
2617         * wasm/js/WebAssemblyFunctionBase.h:
2618         * wasm/js/WebAssemblyModuleRecord.cpp:
2619         (JSC::WebAssemblyModuleRecord::link):
2620         (JSC::WebAssemblyModuleRecord::evaluate):
2621         * wasm/js/WebAssemblyModuleRecord.h:
2622         * wasm/js/WebAssemblyToJSCallee.h:
2623         * wasm/js/WebAssemblyWrapperFunction.h:
2624
2625 2018-01-12  Saam Barati  <sbarati@apple.com>
2626
2627         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
2628         https://bugs.webkit.org/show_bug.cgi?id=181177
2629         <rdar://problem/36205704>
2630
2631         Reviewed by Yusuke Suzuki.
2632
2633         The semantics of CheckStructure are such that it does not allow the empty value to flow through it.
2634         However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't
2635         have semantic consequences when validation is turned off. However, with validation on, this trips up
2636         our OSR exit machinery that says when an exit is allowed to happen.
2637         
2638         Consider the following IR:
2639         
2640         a: GetClosureVar // Or any other node that produces BytecodeTop
2641         ...
2642         c: CheckStructure(Cell:@a, {s2})
2643         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2644         
2645         In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this:
2646         a: GetClosureVar
2647         e: CheckStructureOrEmpty(@a, {s1})
2648         ...
2649         f: CheckStructureOrEmpty(@a, {s2})
2650         c: CheckStructure(Cell:@a, {s2})
2651         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2652         
2653         This will cause constant folding to change the IR to:
2654         a: GetClosureVar
2655         e: CheckStructureOrEmpty(@a, {s1})
2656         ...
2657         f: CheckStructureOrEmpty(@a, {s2})
2658         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2659         
2660         Our mayExit analysis determines that the PutByOffset should not exit. Note
2661         that AI will determine the only value the PutByOffset can see in @a is 
2662         the empty value. Because KnownCell filters SpecCell and not SpecCellCheck,
2663         when lowering the PutByOffset, we reach a contradiction in AI and emit
2664         an OSR exit. However, because mayExit said we couldn't exit, we assert.
2665         
2666         Note that if we did not run the TypeCheckHoistingPhase on this IR, AI
2667         would have determined we would OSR exit at the second CheckStructure.
2668         
2669         This patch makes it so constant folding produces the following IR:
2670         a: GetClosureVar
2671         e: CheckStructureOrEmpty(@a, {s1})
2672         g: AssertNotEmpty(@a)
2673         ...
2674         f: CheckStructureOrEmpty(@a, {s2})
2675         h: AssertNotEmpty(@a)
2676         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2677         
2678         This modification will cause AI to know we will OSR exit before even reaching
2679         the PutByOffset. Note that in the original IR, the GetClosureVar won't
2680         actually produce the TDZ value. If it did, bytecode would have caused us
2681         to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's
2682         why this bug is about IR bookkeeping and not an actual error in IR analysis.
2683         This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be
2684         more congruous with CheckStructure's semantics of crashing on the empty value
2685         as input (on 64 bit platforms).
2686
2687         * dfg/DFGAbstractInterpreterInlines.h:
2688         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2689         * dfg/DFGClobberize.h:
2690         (JSC::DFG::clobberize):
2691         * dfg/DFGConstantFoldingPhase.cpp:
2692         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2693         * dfg/DFGDoesGC.cpp:
2694         (JSC::DFG::doesGC):
2695         * dfg/DFGFixupPhase.cpp:
2696         (JSC::DFG::FixupPhase::fixupNode):
2697         * dfg/DFGNodeType.h:
2698         * dfg/DFGPredictionPropagationPhase.cpp:
2699         * dfg/DFGSafeToExecute.h:
2700         (JSC::DFG::safeToExecute):
2701         * dfg/DFGSpeculativeJIT32_64.cpp:
2702         (JSC::DFG::SpeculativeJIT::compile):
2703         * dfg/DFGSpeculativeJIT64.cpp:
2704         (JSC::DFG::SpeculativeJIT::compile):
2705         * ftl/FTLCapabilities.cpp:
2706         (JSC::FTL::canCompile):
2707         * ftl/FTLLowerDFGToB3.cpp:
2708         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2709         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2710
2711 2018-01-12  Joseph Pecoraro  <pecoraro@apple.com>
2712
2713         Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent
2714         https://bugs.webkit.org/show_bug.cgi?id=181579
2715         <rdar://problem/36193759>
2716
2717         Reviewed by Brian Burg.
2718
2719         * inspector/agents/InspectorConsoleAgent.h:
2720         * inspector/agents/InspectorConsoleAgent.cpp:
2721         (Inspector::InspectorConsoleAgent::clearMessages):
2722         (Inspector::InspectorConsoleAgent::addConsoleMessage):
2723         Switch from a raw pointer to m_consoleMessages.last().
2724         Also move the expiration check into the if block since it can only
2725         happen inside here when the number of console messages changes.
2726
2727         (Inspector::InspectorConsoleAgent::discardValues):
2728         Also clear the expired message count when messages are cleared.
2729
2730 2018-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2731
2732         [JSC] Create parallel SlotVisitors a priori
2733         https://bugs.webkit.org/show_bug.cgi?id=180907
2734
2735         Reviewed by Saam Barati.
2736
2737         The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
2738         If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
2739         Then we do not need to grab locks while iterating all the SlotVisitors.
2740
2741         In addition, we do not need to consider the case that the number of SlotVisitors increases
2742         after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
2743         does not increase any more.
2744
2745         * heap/Heap.cpp:
2746         (JSC::Heap::Heap):
2747         (JSC::Heap::runBeginPhase):
2748         * heap/Heap.h:
2749         * heap/HeapInlines.h:
2750         (JSC::Heap::forEachSlotVisitor):
2751         (JSC::Heap::numberOfSlotVisitors): Deleted.
2752         * heap/MarkingConstraintSolver.cpp:
2753         (JSC::MarkingConstraintSolver::didVisitSomething const):
2754
2755 2018-01-12  Saam Barati  <sbarati@apple.com>
2756
2757         Each variant of a polymorphic inlined call should be exitOK at the top of the block
2758         https://bugs.webkit.org/show_bug.cgi?id=181562
2759         <rdar://problem/36445624>
2760
2761         Reviewed by Yusuke Suzuki.
2762
2763         Before this patch, the very first block in the switch for polymorphic call
2764         inlining will have exitOK at the top. The others are not guaranteed to.
2765         That was just a bug. They're all exitOK at the top. This will lead to crashes
2766         in FixupPhase because we won't have a node in a block that has ExitOK, so
2767         when we fixup various type checks, we assert out.
2768
2769         * dfg/DFGByteCodeParser.cpp:
2770         (JSC::DFG::ByteCodeParser::handleInlining):
2771
2772 2018-01-11  Keith Miller  <keith_miller@apple.com>
2773
2774         Rename ENABLE_ASYNC_ITERATION to ENABLE_JS_ASYNC_ITERATION
2775         https://bugs.webkit.org/show_bug.cgi?id=181573
2776
2777         Reviewed by Simon Fraser.
2778
2779         * Configurations/FeatureDefines.xcconfig:
2780         * runtime/Options.h:
2781
2782 2018-01-11  Michael Saboff  <msaboff@apple.com>
2783
2784         REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters
2785         https://bugs.webkit.org/show_bug.cgi?id=181570
2786
2787         Reviewed by Keith Miller.
2788
2789         * assembler/MacroAssemblerARM64.h:
2790         (JSC::MacroAssemblerARM64::abortWithReason):
2791         Reverting these functions to use dataTempRegister and memoryTempRegister as they are
2792         JIT release asserts that will crash the program.
2793
2794         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
2795         Changed this so that it invalidates any cached dataTmpRegister contents if temp register
2796         caching is enabled.
2797
2798 2018-01-11  Filip Pizlo  <fpizlo@apple.com>
2799
2800         Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes
2801         https://bugs.webkit.org/show_bug.cgi?id=181543
2802
2803         Rubber stamped by Michael Saboff.
2804         
2805         In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't
2806         really have anything to do with allocation anymore. The allocation will be done by something
2807         in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a
2808         place to find blocks (a "block directory").
2809
2810         Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the
2811         attributes of the HeapCellType. So let's call them CellAttributes.
2812
2813         * JavaScriptCore.xcodeproj/project.pbxproj:
2814         * Sources.txt:
2815         * bytecode/AccessCase.cpp:
2816         (JSC::AccessCase::generateImpl):
2817         * bytecode/ObjectAllocationProfile.h:
2818         * bytecode/ObjectAllocationProfileInlines.h:
2819         (JSC::ObjectAllocationProfile::initializeProfile):
2820         * dfg/DFGSpeculativeJIT.cpp:
2821         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2822         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2823         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2824         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2825         (JSC::DFG::SpeculativeJIT::compileNewObject):
2826         * dfg/DFGSpeculativeJIT.h:
2827         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2828         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2829         * ftl/FTLAbstractHeapRepository.h:
2830         * ftl/FTLLowerDFGToB3.cpp:
2831         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2832         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2833         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2834         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2835         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2836         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2837         * heap/AlignedMemoryAllocator.cpp:
2838         (JSC::AlignedMemoryAllocator::registerDirectory):
2839         (JSC::AlignedMemoryAllocator::registerAllocator): Deleted.
2840         * heap/AlignedMemoryAllocator.h:
2841         (JSC::AlignedMemoryAllocator::firstDirectory const):
2842         (JSC::AlignedMemoryAllocator::firstAllocator const): Deleted.
2843         * heap/AllocatorAttributes.cpp: Removed.
2844         * heap/AllocatorAttributes.h: Removed.
2845         * heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp.
2846         (JSC::BlockDirectory::BlockDirectory):
2847         (JSC::BlockDirectory::setSubspace):
2848         (JSC::BlockDirectory::isPagedOut):
2849         (JSC::BlockDirectory::findEmptyBlockToSteal):
2850         (JSC::BlockDirectory::didConsumeFreeList):
2851         (JSC::BlockDirectory::tryAllocateWithoutCollecting):
2852         (JSC::BlockDirectory::allocateIn):
2853         (JSC::BlockDirectory::tryAllocateIn):
2854         (JSC::BlockDirectory::doTestCollectionsIfNeeded):
2855         (JSC::BlockDirectory::allocateSlowCase):
2856         (JSC::BlockDirectory::blockSizeForBytes):
2857         (JSC::BlockDirectory::tryAllocateBlock):
2858         (JSC::BlockDirectory::addBlock):
2859         (JSC::BlockDirectory::removeBlock):
2860         (JSC::BlockDirectory::stopAllocating):
2861         (JSC::BlockDirectory::prepareForAllocation):
2862         (JSC::BlockDirectory::lastChanceToFinalize):
2863         (JSC::BlockDirectory::resumeAllocating):
2864         (JSC::BlockDirectory::beginMarkingForFullCollection):
2865         (JSC::BlockDirectory::endMarking):
2866         (JSC::BlockDirectory::snapshotUnsweptForEdenCollection):
2867         (JSC::BlockDirectory::snapshotUnsweptForFullCollection):
2868         (JSC::BlockDirectory::findBlockToSweep):
2869         (JSC::BlockDirectory::sweep):
2870         (JSC::BlockDirectory::shrink):
2871         (JSC::BlockDirectory::assertNoUnswept):
2872         (JSC::BlockDirectory::parallelNotEmptyBlockSource):
2873         (JSC::BlockDirectory::dump const):
2874         (JSC::BlockDirectory::dumpBits):
2875         (JSC::BlockDirectory::markedSpace const):
2876         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
2877         (JSC::MarkedAllocator::setSubspace): Deleted.
2878         (JSC::MarkedAllocator::isPagedOut): Deleted.
2879         (JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted.
2880         (JSC::MarkedAllocator::didConsumeFreeList): Deleted.
2881         (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
2882         (JSC::MarkedAllocator::allocateIn): Deleted.
2883         (JSC::MarkedAllocator::tryAllocateIn): Deleted.
2884         (JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted.
2885         (JSC::MarkedAllocator::allocateSlowCase): Deleted.
2886         (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
2887         (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
2888         (JSC::MarkedAllocator::addBlock): Deleted.
2889         (JSC::MarkedAllocator::removeBlock): Deleted.
2890         (JSC::MarkedAllocator::stopAllocating): Deleted.
2891         (JSC::MarkedAllocator::prepareForAllocation): Deleted.
2892         (JSC::MarkedAllocator::lastChanceToFinalize): Deleted.
2893         (JSC::MarkedAllocator::resumeAllocating): Deleted.
2894         (JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted.
2895         (JSC::MarkedAllocator::endMarking): Deleted.
2896         (JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted.
2897         (JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted.
2898         (JSC::MarkedAllocator::findBlockToSweep): Deleted.
2899         (JSC::MarkedAllocator::sweep): Deleted.
2900         (JSC::MarkedAllocator::shrink): Deleted.
2901         (JSC::MarkedAllocator::assertNoUnswept): Deleted.
2902         (JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted.
2903         (JSC::MarkedAllocator::dump const): Deleted.
2904         (JSC::MarkedAllocator::dumpBits): Deleted.
2905         (JSC::MarkedAllocator::markedSpace const): Deleted.
2906         * heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h.
2907         (JSC::BlockDirectory::attributes const):
2908         (JSC::BlockDirectory::forEachBitVector):
2909         (JSC::BlockDirectory::forEachBitVectorWithName):
2910         (JSC::BlockDirectory::nextDirectory const):
2911         (JSC::BlockDirectory::nextDirectoryInSubspace const):
2912         (JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const):
2913         (JSC::BlockDirectory::setNextDirectory):
2914         (JSC::BlockDirectory::setNextDirectoryInSubspace):
2915         (JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator):
2916         (JSC::BlockDirectory::offsetOfFreeList):
2917         (JSC::BlockDirectory::offsetOfCellSize):
2918         (JSC::MarkedAllocator::cellSize const): Deleted.
2919         (JSC::MarkedAllocator::attributes const): Deleted.
2920         (JSC::MarkedAllocator::needsDestruction const): Deleted.
2921         (JSC::MarkedAllocator::destruction const): Deleted.
2922         (JSC::MarkedAllocator::cellKind const): Deleted.
2923         (JSC::MarkedAllocator::heap): Deleted.
2924         (JSC::MarkedAllocator::bitvectorLock): Deleted.
2925         (JSC::MarkedAllocator::forEachBitVector): Deleted.
2926         (JSC::MarkedAllocator::forEachBitVectorWithName): Deleted.
2927         (JSC::MarkedAllocator::nextAllocator const): Deleted.
2928         (JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted.
2929         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted.
2930         (JSC::MarkedAllocator::setNextAllocator): Deleted.
2931         (JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted.
2932         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted.
2933         (JSC::MarkedAllocator::subspace const): Deleted.
2934         (JSC::MarkedAllocator::freeList const): Deleted.
2935         (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
2936         (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
2937         * heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h.
2938         (JSC::BlockDirectory::isFreeListedCell const):
2939         (JSC::BlockDirectory::allocate):
2940         (JSC::BlockDirectory::forEachBlock):
2941         (JSC::BlockDirectory::forEachNotEmptyBlock):
2942         (JSC::MarkedAllocator::isFreeListedCell const): Deleted.
2943         (JSC::MarkedAllocator::allocate): Deleted.
2944         (JSC::MarkedAllocator::forEachBlock): Deleted.
2945         (JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted.
2946         * heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp.
2947         (JSC::CellAttributes::dump const):
2948         (JSC::AllocatorAttributes::dump const): Deleted.
2949         * heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h.
2950         (JSC::CellAttributes::CellAttributes):
2951         (JSC::AllocatorAttributes::AllocatorAttributes): Deleted.
2952         * heap/CompleteSubspace.cpp:
2953         (JSC::CompleteSubspace::allocatorFor):
2954         (JSC::CompleteSubspace::allocateNonVirtual):
2955         (JSC::CompleteSubspace::allocatorForSlow):
2956         (JSC::CompleteSubspace::tryAllocateSlow):
2957         * heap/CompleteSubspace.h:
2958         (JSC::CompleteSubspace::allocatorForSizeStep):
2959         (JSC::CompleteSubspace::allocatorForNonVirtual):
2960         * heap/GCDeferralContext.h:
2961         * heap/Heap.cpp:
2962         (JSC::Heap::updateAllocationLimits):
2963         * heap/Heap.h:
2964         * heap/HeapCell.h:
2965         * heap/HeapCellInlines.h:
2966         (JSC::HeapCell::cellAttributes const):
2967         (JSC::HeapCell::destructionMode const):
2968         (JSC::HeapCell::cellKind const):
2969         (JSC::HeapCell::allocatorAttributes const): Deleted.
2970         * heap/HeapCellType.cpp:
2971         (JSC::HeapCellType::HeapCellType):
2972         * heap/HeapCellType.h:
2973         (JSC::HeapCellType::attributes const):
2974         * heap/IncrementalSweeper.cpp:
2975         (JSC::IncrementalSweeper::IncrementalSweeper):
2976         (JSC::IncrementalSweeper::sweepNextBlock):
2977         (JSC::IncrementalSweeper::startSweeping):
2978         (JSC::IncrementalSweeper::stopSweeping):
2979         * heap/IncrementalSweeper.h:
2980         * heap/IsoCellSet.cpp:
2981         (JSC::IsoCellSet::IsoCellSet):
2982         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
2983         (JSC::IsoCellSet::addSlow):
2984         (JSC::IsoCellSet::didRemoveBlock):
2985         (JSC::IsoCellSet::sweepToFreeList):
2986         * heap/IsoCellSetInlines.h:
2987         (JSC::IsoCellSet::forEachMarkedCell):
2988         (JSC::IsoCellSet::forEachLiveCell):
2989         * heap/IsoSubspace.cpp:
2990         (JSC::IsoSubspace::IsoSubspace):
2991         (JSC::IsoSubspace::allocatorFor):
2992         (JSC::IsoSubspace::allocateNonVirtual):
2993         * heap/IsoSubspace.h:
2994         (JSC::IsoSubspace::allocatorForNonVirtual):
2995         * heap/LargeAllocation.h:
2996         (JSC::LargeAllocation::attributes const):
2997         * heap/MarkedAllocator.cpp: Removed.
2998         * heap/MarkedAllocator.h: Removed.
2999         * heap/MarkedAllocatorInlines.h: Removed.
3000         * heap/MarkedBlock.cpp:
3001         (JSC::MarkedBlock::Handle::~Handle):
3002         (JSC::MarkedBlock::Handle::setIsFreeListed):
3003         (JSC::MarkedBlock::Handle::stopAllocating):
3004         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3005         (JSC::MarkedBlock::Handle::resumeAllocating):
3006         (JSC::MarkedBlock::aboutToMarkSlow):
3007         (JSC::MarkedBlock::Handle::didConsumeFreeList):
3008         (JSC::MarkedBlock::noteMarkedSlow):
3009         (JSC::MarkedBlock::Handle::removeFromDirectory):
3010         (JSC::MarkedBlock::Handle::didAddToDirectory):
3011         (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
3012         (JSC::MarkedBlock::Handle::dumpState):
3013         (JSC::MarkedBlock::Handle::subspace const):
3014         (JSC::MarkedBlock::Handle::sweep):
3015         (JSC::MarkedBlock::Handle::isFreeListedCell const):
3016         (JSC::MarkedBlock::Handle::removeFromAllocator): Deleted.
3017         (JSC::MarkedBlock::Handle::didAddToAllocator): Deleted.
3018         (JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted.
3019         * heap/MarkedBlock.h:
3020         (JSC::MarkedBlock::Handle::directory const):
3021         (JSC::MarkedBlock::Handle::attributes const):
3022         (JSC::MarkedBlock::attributes const):
3023         (JSC::MarkedBlock::Handle::allocator const): Deleted.
3024         * heap/MarkedBlockInlines.h:
3025         (JSC::MarkedBlock::Handle::isAllocated):
3026         (JSC::MarkedBlock::Handle::isLive):
3027         (JSC::MarkedBlock::Handle::specializedSweep):
3028         (JSC::MarkedBlock::Handle::isEmpty):
3029         * heap/MarkedSpace.cpp:
3030         (JSC::MarkedSpace::lastChanceToFinalize):
3031         (JSC::MarkedSpace::sweep):
3032         (JSC::MarkedSpace::stopAllocating):
3033         (JSC::MarkedSpace::resumeAllocating):
3034         (JSC::MarkedSpace::isPagedOut):
3035         (JSC::MarkedSpace::freeBlock):
3036         (JSC::MarkedSpace::shrink):
3037         (JSC::MarkedSpace::beginMarking):
3038         (JSC::MarkedSpace::endMarking):
3039         (JSC::MarkedSpace::snapshotUnswept):
3040         (JSC::MarkedSpace::assertNoUnswept):
3041         (JSC::MarkedSpace::dumpBits):
3042         (JSC::MarkedSpace::addBlockDirectory):
3043         (JSC::MarkedSpace::addMarkedAllocator): Deleted.
3044         * heap/MarkedSpace.h:
3045         (JSC::MarkedSpace::firstDirectory const):
3046         (JSC::MarkedSpace::directoryLock):
3047         (JSC::MarkedSpace::forEachBlock):
3048         (JSC::MarkedSpace::forEachDirectory):
3049         (JSC::MarkedSpace::firstAllocator const): Deleted.
3050         (JSC::MarkedSpace::allocatorLock): Deleted.
3051         (JSC::MarkedSpace::forEachAllocator): Deleted.
3052         * heap/MarkedSpaceInlines.h:
3053         * heap/Subspace.cpp:
3054         (JSC::Subspace::initialize):
3055         (JSC::Subspace::prepareForAllocation):
3056         (JSC::Subspace::findEmptyBlockToSteal):
3057         (JSC::Subspace::parallelDirectorySource):
3058         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
3059         (JSC::Subspace::sweep):
3060         (JSC::Subspace::parallelAllocatorSource): Deleted.
3061         * heap/Subspace.h:
3062         (JSC::Subspace::attributes const):
3063         (JSC::Subspace::didCreateFirstDirectory):
3064         (JSC::Subspace::didCreateFirstAllocator): Deleted.
3065         * heap/SubspaceInlines.h:
3066         (JSC::Subspace::forEachDirectory):
3067         (JSC::Subspace::forEachMarkedBlock):
3068         (JSC::Subspace::forEachNotEmptyMarkedBlock):
3069         (JSC::Subspace::forEachAllocator): Deleted.
3070         * jit/AssemblyHelpers.h:
3071         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3072         (JSC::AssemblyHelpers::emitAllocate):
3073         (JSC::AssemblyHelpers::emitAllocateJSCell):
3074         (JSC::AssemblyHelpers::emitAllocateJSObject):
3075         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3076         * jit/JIT.h:
3077         * jit/JITOpcodes.cpp:
3078         (JSC::JIT::emit_op_new_object):
3079         * jit/JITOpcodes32_64.cpp:
3080         (JSC::JIT::emit_op_new_object):
3081         * runtime/JSDestructibleObjectHeapCellType.cpp:
3082         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3083         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
3084         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3085         * runtime/JSStringHeapCellType.cpp:
3086         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3087         * runtime/VM.cpp:
3088         (JSC::VM::VM):
3089         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
3090         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3091
3092 2018-01-11  Saam Barati  <sbarati@apple.com>
3093
3094         When inserting Unreachable in byte code parser we need to flush all the right things
3095         https://bugs.webkit.org/show_bug.cgi?id=181509
3096         <rdar://problem/36423110>
3097
3098         Reviewed by Mark Lam.
3099
3100         I added code in r226655 that had its own mechanism for preserving liveness when
3101         inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
3102         liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
3103         I got some of these values wrong, which was leading to a crash when recovering the
3104         callee value from an inlined frame. Instead of making the same mistake and repeating
3105         similar code again, this patch refactors this logic to be shared with the other
3106         liveness preservation code in the DFG bytecode parser. This is what I should have
3107         done in my initial patch.
3108
3109         * bytecode/InlineCallFrame.h:
3110         (JSC::remapOperand):
3111         * dfg/DFGByteCodeParser.cpp:
3112         (JSC::DFG::flushImpl):
3113         (JSC::DFG::flushForTerminalImpl):
3114         (JSC::DFG::ByteCodeParser::flush):
3115         (JSC::DFG::ByteCodeParser::flushForTerminal):
3116         (JSC::DFG::ByteCodeParser::parse):
3117
3118 2018-01-11  Saam Barati  <sbarati@apple.com>
3119
3120         JITMathIC code in the FTL is wrong when code gets duplicated
3121         https://bugs.webkit.org/show_bug.cgi?id=181525
3122         <rdar://problem/36351993>
3123
3124         Reviewed by Michael Saboff and Keith Miller.
3125
3126         B3/Air may duplicate code for various reasons. Patchpoint generators inside
3127         FTLLower must be aware that they can be called multiple times because of this.
3128         The patchpoint for math ICs was not aware of this, and shared state amongst
3129         all invocations of the patchpoint's generator. This patch fixes this bug so
3130         that each invocation of the patchpoint's generator gets a unique math IC.
3131
3132         * bytecode/CodeBlock.h:
3133         (JSC::CodeBlock::addMathIC):
3134         * ftl/FTLLowerDFGToB3.cpp:
3135         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3136         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
3137         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
3138         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
3139         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
3140         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
3141         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
3142         * jit/JITMathIC.h:
3143         (JSC::isProfileEmpty):
3144
3145 2018-01-11  Michael Saboff  <msaboff@apple.com>
3146
3147         Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister
3148         https://bugs.webkit.org/show_bug.cgi?id=181512
3149
3150         Reviewed by Saam Barati.
3151
3152         * assembler/MacroAssemblerARM64.h:
3153         (JSC::MacroAssemblerARM64::abortWithReason):
3154         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
3155         All current uses of dataTempRegister in these functions are safe, but it makes sense to
3156         fix them in case they might be used elsewhere.
3157
3158 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
3159
3160         CodeBlocks should be in IsoSubspaces
3161         https://bugs.webkit.org/show_bug.cgi?id=180884
3162
3163         Reviewed by Saam Barati.
3164         
3165         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
3166         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
3167         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
3168         
3169         - Code block sweeping is now just eager sweeping. This means that it automatically takes
3170           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
3171           its eden set for.
3172         
3173         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
3174           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
3175           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
3176           longer has to clear the set of weakly visited code blocks. This also means that
3177           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
3178           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
3179           has IsoCellSets to tell us which edges have output constraints (what we used to call
3180           CodeBlock's weak reference harvester) and which have unconditional finalizers.
3181         
3182         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
3183         
3184         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
3185           handle requests from the sampler, debugger, and other facilities. They may want to ask
3186           if some pointer corresponds to a CodeBlock during stages of execution during which the
3187           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
3188           There is no way that the GC's isLive could tell us that a CodeBlock that had already been
3189           allocated has now been fully constructed.
3190         
3191         Rolling this back in because it was rolled out by mistake. There was a flaky crash that was
3192         happening before and after this change, but we misread the revision numbers at first and
3193         thought that this was the cause.
3194         
3195         * JavaScriptCore.xcodeproj/project.pbxproj:
3196         * Sources.txt:
3197         * bytecode/CodeBlock.cpp:
3198         (JSC::CodeBlock::CodeBlock):
3199         (JSC::CodeBlock::finishCreation):
3200         (JSC::CodeBlock::finishCreationCommon):
3201         (JSC::CodeBlock::~CodeBlock):
3202         (JSC::CodeBlock::visitChildren):
3203         (JSC::CodeBlock::propagateTransitions):
3204         (JSC::CodeBlock::determineLiveness):
3205         (JSC::CodeBlock::finalizeUnconditionally):
3206         (JSC::CodeBlock::stronglyVisitStrongReferences):
3207         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
3208         (JSC::CodeBlock::installVMTrapBreakpoints):
3209         (JSC::CodeBlock::dumpMathICStats):
3210         (JSC::CodeBlock::visitWeakly): Deleted.
3211         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
3212         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
3213         * bytecode/CodeBlock.h:
3214         (JSC::CodeBlock::subspaceFor):
3215         (JSC::CodeBlock::ownerEdge const):
3216         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
3217         * bytecode/EvalCodeBlock.h:
3218         (JSC::EvalCodeBlock::create): Deleted.
3219         (JSC::EvalCodeBlock::createStructure): Deleted.
3220         (JSC::EvalCodeBlock::variable): Deleted.
3221         (JSC::EvalCodeBlock::numVariables): Deleted.
3222         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
3223         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
3224         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
3225         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
3226         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
3227         (JSC::ExecutableToCodeBlockEdge::createStructure):
3228         (JSC::ExecutableToCodeBlockEdge::create):
3229         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3230         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
3231         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
3232         (JSC::ExecutableToCodeBlockEdge::activate):
3233         (JSC::ExecutableToCodeBlockEdge::deactivate):
3234         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
3235         (JSC::ExecutableToCodeBlockEdge::wrap):
3236         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
3237         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
3238         (JSC::ExecutableToCodeBlockEdge::runConstraint):
3239         * bytecode/ExecutableToCodeBlockEdge.h: Added.
3240         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
3241         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
3242         (JSC::ExecutableToCodeBlockEdge::unwrap):
3243         * bytecode/FunctionCodeBlock.h:
3244         (JSC::FunctionCodeBlock::subspaceFor):
3245         (JSC::FunctionCodeBlock::createStructure):
3246         * bytecode/ModuleProgramCodeBlock.h:
3247         (JSC::ModuleProgramCodeBlock::create): Deleted.
3248         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
3249         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
3250         * bytecode/ProgramCodeBlock.h:
3251         (JSC::ProgramCodeBlock::create): Deleted.
3252         (JSC::ProgramCodeBlock::createStructure): Deleted.
3253         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
3254         * debugger/Debugger.cpp:
3255         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
3256         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
3257         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
3258         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
3259         * heap/CodeBlockSet.cpp:
3260         (JSC::CodeBlockSet::contains):
3261         (JSC::CodeBlockSet::dump const):
3262         (JSC::CodeBlockSet::add):
3263         (JSC::CodeBlockSet::remove):
3264         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
3265         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
3266         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
3267         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
3268         * heap/CodeBlockSet.h:
3269         * heap/CodeBlockSetInlines.h:
3270         (JSC::CodeBlockSet::iterate):
3271         (JSC::CodeBlockSet::iterateViaSubspaces):
3272         * heap/ConservativeRoots.cpp:
3273         (JSC::ConservativeRoots::genericAddPointer):
3274         (JSC::DummyMarkHook::markKnownJSCell):
3275         (JSC::CompositeMarkHook::mark):
3276         (JSC::CompositeMarkHook::markKnownJSCell):
3277         * heap/ConservativeRoots.h:
3278         * heap/Heap.cpp:
3279         (JSC::Heap::lastChanceToFinalize):
3280         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
3281         (JSC::Heap::finalizeUnconditionalFinalizers):
3282         (JSC::Heap::beginMarking):
3283         (JSC::Heap::deleteUnmarkedCompiledCode):
3284         (JSC::Heap::sweepInFinalize):
3285         (JSC::Heap::forEachCodeBlockImpl):
3286         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
3287         (JSC::Heap::addCoreConstraints):
3288         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
3289         * heap/Heap.h:
3290         * heap/HeapCell.h:
3291         * heap/HeapCellInlines.h:
3292         (JSC::HeapCell::subspace const):
3293         * heap/HeapInlines.h:
3294         (JSC::Heap::forEachCodeBlock):
3295         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
3296         * heap/HeapUtil.h:
3297         (JSC::HeapUtil::findGCObjectPointersForMarking):
3298         * heap/IsoCellSet.cpp:
3299         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
3300         * heap/IsoCellSet.h:
3301         * heap/IsoCellSetInlines.h:
3302         (JSC::IsoCellSet::forEachMarkedCellInParallel):
3303         (JSC::IsoCellSet::forEachLiveCell):
3304         * heap/LargeAllocation.h:
3305         (JSC::LargeAllocation::subspace const):
3306         * heap/MarkStackMergingConstraint.cpp:
3307         (JSC::MarkStackMergingConstraint::executeImpl):
3308         * heap/MarkStackMergingConstraint.h:
3309         * heap/MarkedAllocator.cpp:
3310         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
3311         * heap/MarkedBlock.cpp:
3312         (JSC::MarkedBlock::Handle::didAddToAllocator):
3313         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
3314         * heap/MarkedBlock.h:
3315         (JSC::MarkedBlock::subspace const):
3316         * heap/MarkedBlockInlines.h:
3317         (JSC::MarkedBlock::Handle::forEachLiveCell):
3318         * heap/MarkedSpaceInlines.h:
3319         (JSC::MarkedSpace::forEachLiveCell):
3320         * heap/MarkingConstraint.cpp:
3321         (JSC::MarkingConstraint::execute):
3322         (JSC::MarkingConstraint::doParallelWork):
3323         (JSC::MarkingConstraint::finishParallelWork): Deleted.
3324         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
3325         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
3326         * heap/MarkingConstraint.h:
3327         * heap/MarkingConstraintSet.cpp:
3328         (JSC::MarkingConstraintSet::add):
3329         * heap/MarkingConstraintSet.h:
3330         (JSC::MarkingConstraintSet::add):
3331         * heap/MarkingConstraintSolver.cpp:
3332         (JSC::MarkingConstraintSolver::execute):
3333         (JSC::MarkingConstraintSolver::addParallelTask):
3334         (JSC::MarkingConstraintSolver::runExecutionThread):
3335         (JSC::MarkingConstraintSolver::didExecute): Deleted.
3336         * heap/MarkingConstraintSolver.h:
3337         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
3338         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
3339         * heap/SimpleMarkingConstraint.cpp:
3340         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3341         (JSC::SimpleMarkingConstraint::executeImpl):
3342         * heap/SimpleMarkingConstraint.h:
3343         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3344         * heap/SlotVisitor.cpp:
3345         (JSC::SlotVisitor::addParallelConstraintTask):
3346         * heap/SlotVisitor.h:
3347         * heap/Subspace.cpp:
3348         (JSC::Subspace::sweep):
3349         * heap/Subspace.h:
3350         * heap/SubspaceInlines.h:
3351         (JSC::Subspace::forEachLiveCell):
3352         * llint/LowLevelInterpreter.asm:
3353         * runtime/EvalExecutable.cpp:
3354         (JSC::EvalExecutable::visitChildren):
3355         * runtime/EvalExecutable.h:
3356         (JSC::EvalExecutable::codeBlock):
3357         * runtime/FunctionExecutable.cpp:
3358         (JSC::FunctionExecutable::baselineCodeBlockFor):
3359         (JSC::FunctionExecutable::visitChildren):
3360         * runtime/FunctionExecutable.h:
3361         * runtime/JSType.h:
3362         * runtime/ModuleProgramExecutable.cpp:
3363         (JSC::ModuleProgramExecutable::visitChildren):
3364         * runtime/ModuleProgramExecutable.h:
3365         * runtime/ProgramExecutable.cpp:
3366         (JSC::ProgramExecutable::visitChildren):
3367         * runtime/ProgramExecutable.h:
3368         * runtime/ScriptExecutable.cpp:
3369         (JSC::ScriptExecutable::installCode):
3370         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
3371         * runtime/VM.cpp:
3372         (JSC::VM::VM):
3373         * runtime/VM.h:
3374         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
3375         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
3376         (JSC::VM::forEachCodeBlockSpace):
3377         * runtime/VMTraps.cpp:
3378         (JSC::VMTraps::handleTraps):
3379         * tools/VMInspector.cpp:
3380         (JSC::VMInspector::codeBlockForMachinePC):
3381         (JSC::VMInspector::isValidCodeBlock):
3382
3383 2018-01-11  Michael Saboff  <msaboff@apple.com>
3384
3385         Add a DOM gadget for Spectre testing
3386         https://bugs.webkit.org/show_bug.cgi?id=181351
3387
3388         Reviewed by Ryosuke Niwa.
3389
3390         * runtime/Options.h:
3391
3392 2018-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3393
3394         [DFG][FTL] regExpMatchFast should be handled
3395         https://bugs.webkit.org/show_bug.cgi?id=180988
3396
3397         Reviewed by Mark Lam.
3398
3399         RegExp.prototype.@@match has a fast path, @regExpMatchFast. This patch annotates this function
3400         with RegExpMatchFastIntrinsic, and introduces RegExpMatch DFG node. This paves the way to
3401         make NewRegexp PhantomNewRegexp if it is not used except for setting/getting its lastIndex property.
3402
3403         To improve RegExp.prototype.@@match's performance more, we make this builtin function small by moving
3404         the slow-path part to the `@matchSlow()` private function.
3405
3406         It improves SixSpeed regex-u.{es5,es6} largely since they stress String.prototype.match, which calls
3407         this regExpMatchFast function.
3408
3409                                  baseline                  patched
3410
3411         regex-u.es5          55.3835+-6.3002     ^     36.2431+-2.0797        ^ definitely 1.5281x faster
3412         regex-u.es6         110.4624+-6.2896     ^     94.1012+-7.2433        ^ definitely 1.1739x faster
3413
3414         * builtins/RegExpPrototype.js:
3415         (globalPrivate.matchSlow):
3416         (overriddenName.string_appeared_here.match):
3417         * dfg/DFGAbstractInterpreterInlines.h:
3418         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3419         * dfg/DFGByteCodeParser.cpp:
3420         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3421         * dfg/DFGClobberize.h:
3422         (JSC::DFG::clobberize):
3423         * dfg/DFGDoesGC.cpp:
3424         (JSC::DFG::doesGC):
3425         * dfg/DFGFixupPhase.cpp:
3426         (JSC::DFG::FixupPhase::fixupNode):
3427         * dfg/DFGNode.h:
3428         (JSC::DFG::Node::hasHeapPrediction):
3429         * dfg/DFGNodeType.h:
3430         * dfg/DFGOperations.cpp:
3431         * dfg/DFGOperations.h:
3432         * dfg/DFGPredictionPropagationPhase.cpp:
3433         * dfg/DFGSafeToExecute.h:
3434         (JSC::DFG::safeToExecute):
3435         * dfg/DFGSpeculativeJIT.cpp:
3436         (JSC::DFG::SpeculativeJIT::compileRegExpMatch):
3437         * dfg/DFGSpeculativeJIT.h:
3438         * dfg/DFGSpeculativeJIT32_64.cpp:
3439         (JSC::DFG::SpeculativeJIT::compile):
3440         * dfg/DFGSpeculativeJIT64.cpp:
3441         (JSC::DFG::SpeculativeJIT::compile):
3442         * ftl/FTLCapabilities.cpp:
3443         (JSC::FTL::canCompile):
3444         * ftl/FTLLowerDFGToB3.cpp:
3445         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3446         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatch):
3447         * runtime/Intrinsic.cpp:
3448         (JSC::intrinsicName):
3449         * runtime/Intrinsic.h:
3450         * runtime/JSGlobalObject.cpp:
3451         (JSC::JSGlobalObject::init):
3452         * runtime/RegExpPrototype.cpp:
3453         (JSC::regExpProtoFuncMatchFast):
3454
3455 2018-01-11  Saam Barati  <sbarati@apple.com>
3456
3457         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
3458         https://bugs.webkit.org/show_bug.cgi?id=181508
3459
3460         Reviewed by Yusuke Suzuki.
3461
3462         Our for-in caching would cache structure chains that had prototypes with
3463         indexed properties. Clearly this is wrong. This caching breaks when a prototype
3464         adds new indexed properties. We would continue to enumerate the old cached
3465         state of properties, and not include the new indexed properties.
3466         
3467         The old code used to prevent caching only if the base structure had
3468         indexed properties. This patch extends it to prevent caching if the
3469         base, or any structure in the prototype chain, has indexed properties.
3470
3471         * runtime/Structure.cpp:
3472         (JSC::Structure::canCachePropertyNameEnumerator const):
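
An added example, not code from WebKit or from this change, that exercises in plain JavaScript the for-in semantics the fix above restores: an engine may cache the property-name enumerator for a structure chain, but that cache must not be used once any object on the prototype chain gains indexed properties. `collectKeys`, `enumerateBeforeAndAfter`, `enumerateHot` and `forInCacheIsCoherent` are names chosen for this example.

```javascript
// Added example, not WebKit code: a plain-JS check of the for-in semantics
// the fix above restores. An engine may cache the property-name enumerator
// for a structure chain; that cache must be bypassed (or never built) when
// any object on the prototype chain gains indexed properties, otherwise the
// stale key list is enumerated.

function collectKeys(obj) {
  const keys = [];
  for (const k in obj)
    keys.push(k);
  return keys;
}

// Enumerate once, add an indexed property to the prototype, enumerate again.
// The second enumeration must include the new index.
function enumerateBeforeAndAfter() {
  const proto = { inherited: 1 };
  const obj = Object.create(proto);
  obj.own = 2;

  const before = collectKeys(obj);
  proto[0] = "indexed";   // indexed property added behind obj's back
  const after = collectKeys(obj);
  return { before, after };
}

// Same check in a hot loop, so that any per-structure enumerator cache has
// been populated long before the prototype changes on the final iteration.
function enumerateHot(iterations) {
  const proto = {};
  const obj = Object.create(proto);
  obj.own = true;
  let last = null;
  for (let i = 0; i < iterations; i++) {
    if (i === iterations - 1)
      proto[7] = "late";
    last = collectKeys(obj);
  }
  return last;
}

// True when every enumeration observed exactly what the language requires.
function forInCacheIsCoherent() {
  const { before, after } = enumerateBeforeAndAfter();
  const hot = enumerateHot(200);
  return !before.includes("0") && after.includes("0")
      && after.includes("own") && after.includes("inherited")
      && hot.includes("7") && hot.includes("own");
}
```

Run it under any engine; `forInCacheIsCoherent()` returning false is exactly the symptom the change describes (the old cached key list being enumerated after a prototype gained index 0 or 7).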
3473
3474 2018-01-10  JF Bastien  <jfbastien@apple.com>
3475
3476         Poison small JSObject derivatives which only contain pointers
3477         https://bugs.webkit.org/show_bug.cgi?id=181483
3478         <rdar://problem/36407127>
3479
3480         Reviewed by Mark Lam.
3481
3482         I wrote a script that finds interesting things to poison or
3483         generally harden. These stood out because they derive from
3484         JSObject and only contain a few pointer or pointer-like fields,
3485         and could therefore just be poisoned. This also requires some
3486         template "improvements" to our poisoning machinery. Worth noting
3487         is that I'm making PoisonedUniquePtr move-assignable and
3488         move-constructible from unique_ptr, which makes it a better
3489         drop-in replacement because we don't need to use
3490         makePoisonedUniquePtr. This means function-locals can be
3491         unique_ptr and get the nice RAII pattern, and once the function is
3492         done you can just move to the class' PoisonedUniquePtr without
3493         worrying.
3494
3495         * API/JSAPIWrapperObject.h:
3496         (JSC::JSAPIWrapperObject::wrappedObject):
3497         * API/JSAPIWrapperObject.mm:
3498         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
3499         * API/JSCallbackObject.h:
3500         * runtime/ArrayPrototype.h:
3501         * runtime/DateInstance.h:
3502         * runtime/JSArrayBuffer.cpp:
3503         (JSC::JSArrayBuffer::finishCreation):
3504         (JSC::JSArrayBuffer::isShared const):
3505         (JSC::JSArrayBuffer::sharingMode const):
3506         * runtime/JSArrayBuffer.h:
3507         * runtime/JSCPoison.h:
3508
3509 2018-01-10  Commit Queue  <commit-queue@webkit.org>
3510
3511         Unreviewed, rolling out r226667 and r226673.
3512         https://bugs.webkit.org/show_bug.cgi?id=181488
3513
3514         This caused a flaky crash. (Requested by mlewis13 on #webkit).
3515
3516         Reverted changesets:
3517
3518         "CodeBlocks should be in IsoSubspaces"
3519         https://bugs.webkit.org/show_bug.cgi?id=180884
3520         https://trac.webkit.org/changeset/226667
3521
3522         "REGRESSION (r226667): CodeBlocks should be in IsoSubspaces"
3523         https://bugs.webkit.org/show_bug.cgi?id=180884
3524         https://trac.webkit.org/changeset/226673
3525
3526 2018-01-09  David Kilzer  <ddkilzer@apple.com>
3527
3528         REGRESSION (r226667): CodeBlocks should be in IsoSubspaces
3529         <https://bugs.webkit.org/show_bug.cgi?id=180884>
3530
3531         Fixes the following build error:
3532
3533             heap/Heap.cpp:2708:10: error: lambda capture 'this' is not used [-Werror,-Wunused-lambda-capture]
3534
3535         * heap/Heap.cpp:
3536         (JSC::Heap::addCoreConstraints): Remove 'this' from lambda to
3537         fix the build.
3538
3539 2018-01-09  Keith Miller  <keith_miller@apple.com>
3540
3541         and32 with an Address source on ARM64 did not invalidate dataTempRegister
3542         https://bugs.webkit.org/show_bug.cgi?id=181467
3543
3544         Reviewed by Michael Saboff.
3545
3546         * assembler/MacroAssemblerARM64.h:
3547         (JSC::MacroAssemblerARM64::and32):
3548
3549 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
3550
3551         CodeBlocks should be in IsoSubspaces
3552         https://bugs.webkit.org/show_bug.cgi?id=180884
3553
3554         Reviewed by Saam Barati.
3555         
3556         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
3557         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
3558         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
3559         
3560         - Code block sweeping is now just eager sweeping. This means that it automatically takes
3561           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
3562           its eden set for.
3563         
3564         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
3565           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
3566           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
3567           longer has to clear the set of weakly visited code blocks. This also means that
3568           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
3569           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
3570           has IsoCellSets to tell us which edges have output constraints (what we used to call
3571           CodeBlock's weak reference harvester) and which have unconditional finalizers.
3572         
3573         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
3574         
3575         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
3576           handle requests from the sampler, debugger, and other facilities. They may want to ask
3577           if some pointer corresponds to a CodeBlock during stages of execution during which the
3578           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
3579           There is no way that the GC's isLive could tell us whether a CodeBlock that had already been
3580           allocated has now been fully constructed.
3581         
3582         * JavaScriptCore.xcodeproj/project.pbxproj:
3583         * Sources.txt:
3584         * bytecode/CodeBlock.cpp:
3585         (JSC::CodeBlock::CodeBlock):
3586         (JSC::CodeBlock::finishCreation):
3587         (JSC::CodeBlock::finishCreationCommon):
3588         (JSC::CodeBlock::~CodeBlock):
3589         (JSC::CodeBlock::visitChildren):
3590         (JSC::CodeBlock::propagateTransitions):
3591         (JSC::CodeBlock::determineLiveness):
3592         (JSC::CodeBlock::finalizeUnconditionally):
3593         (JSC::CodeBlock::stronglyVisitStrongReferences):
3594         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
3595         (JSC::CodeBlock::installVMTrapBreakpoints):
3596         (JSC::CodeBlock::dumpMathICStats):
3597         (JSC::CodeBlock::visitWeakly): Deleted.
3598         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
3599         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
3600         * bytecode/CodeBlock.h:
3601         (JSC::CodeBlock::subspaceFor):
3602         (JSC::CodeBlock::ownerEdge const):
3603         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
3604         * bytecode/EvalCodeBlock.h:
3605         (JSC::EvalCodeBlock::create): Deleted.
3606         (JSC::EvalCodeBlock::createStructure): Deleted.
3607         (JSC::EvalCodeBlock::variable): Deleted.
3608         (JSC::EvalCodeBlock::numVariables): Deleted.
3609         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
3610         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
3611         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
3612         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
3613         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
3614         (JSC::ExecutableToCodeBlockEdge::createStructure):
3615         (JSC::ExecutableToCodeBlockEdge::create):
3616         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3617         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
3618         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
3619         (JSC::ExecutableToCodeBlockEdge::activate):
3620         (JSC::ExecutableToCodeBlockEdge::deactivate):
3621         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
3622         (JSC::ExecutableToCodeBlockEdge::wrap):
3623         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
3624         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
3625         (JSC::ExecutableToCodeBlockEdge::runConstraint):
3626         * bytecode/ExecutableToCodeBlockEdge.h: Added.
3627         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
3628         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
3629         (JSC::ExecutableToCodeBlockEdge::unwrap):
3630         * bytecode/FunctionCodeBlock.h:
3631         (JSC::FunctionCodeBlock::subspaceFor):
3632         (JSC::FunctionCodeBlock::createStructure):
3633         * bytecode/ModuleProgramCodeBlock.h:
3634         (JSC::ModuleProgramCodeBlock::create): Deleted.
3635         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
3636         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
3637         * bytecode/ProgramCodeBlock.h:
3638         (JSC::ProgramCodeBlock::create): Deleted.
3639         (JSC::ProgramCodeBlock::createStructure): Deleted.
3640         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
3641         * debugger/Debugger.cpp:
3642         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
3643         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
3644         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
3645         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
3646         * heap/CodeBlockSet.cpp:
3647         (JSC::CodeBlockSet::contains):
3648         (JSC::CodeBlockSet::dump const):
3649         (JSC::CodeBlockSet::add):
3650         (JSC::CodeBlockSet::remove):
3651         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
3652         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
3653         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
3654         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
3655         * heap/CodeBlockSet.h:
3656         * heap/CodeBlockSetInlines.h:
3657         (JSC::CodeBlockSet::iterate):
3658         (JSC::CodeBlockSet::iterateViaSubspaces):
3659         * heap/ConservativeRoots.cpp:
3660         (JSC::ConservativeRoots::genericAddPointer):
3661         (JSC::DummyMarkHook::markKnownJSCell):
3662         (JSC::CompositeMarkHook::mark):
3663         (JSC::CompositeMarkHook::markKnownJSCell):
3664         * heap/ConservativeRoots.h:
3665         * heap/Heap.cpp:
3666         (JSC::Heap::lastChanceToFinalize):
3667         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
3668         (JSC::Heap::finalizeUnconditionalFinalizers):
3669         (JSC::Heap::beginMarking):
3670         (JSC::Heap::deleteUnmarkedCompiledCode):
3671         (JSC::Heap::sweepInFinalize):
3672         (JSC::Heap::forEachCodeBlockImpl):
3673         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
3674         (JSC::Heap::addCoreConstraints):
3675         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
3676         * heap/Heap.h:
3677         * heap/HeapCell.h:
3678         * heap/HeapCellInlines.h:
3679         (JSC::HeapCell::subspace const):
3680         * heap/HeapInlines.h:
3681         (JSC::Heap::forEachCodeBlock):
3682         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
3683         * heap/HeapUtil.h:
3684         (JSC::HeapUtil::findGCObjectPointersForMarking):
3685         * heap/IsoCellSet.cpp:
3686         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
3687         * heap/IsoCellSet.h:
3688         * heap/IsoCellSetInlines.h:
3689         (JSC::IsoCellSet::forEachMarkedCellInParallel):
3690         (JSC::IsoCellSet::forEachLiveCell):
3691         * heap/LargeAllocation.h:
3692         (JSC::LargeAllocation::subspace const):
3693         * heap/MarkStackMergingConstraint.cpp:
3694         (JSC::MarkStackMergingConstraint::executeImpl):
3695         * heap/MarkStackMergingConstraint.h:
3696         * heap/MarkedAllocator.cpp:
3697         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
3698         * heap/MarkedBlock.cpp:
3699         (JSC::MarkedBlock::Handle::didAddToAllocator):
3700         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
3701         * heap/MarkedBlock.h:
3702         (JSC::MarkedBlock::subspace const):
3703         * heap/MarkedBlockInlines.h:
3704         (JSC::MarkedBlock::Handle::forEachLiveCell):
3705         * heap/MarkedSpaceInlines.h:
3706         (JSC::MarkedSpace::forEachLiveCell):
3707         * heap/MarkingConstraint.cpp:
3708         (JSC::MarkingConstraint::execute):
3709         (JSC::MarkingConstraint::doParallelWork):
3710         (JSC::MarkingConstraint::finishParallelWork): Deleted.
3711         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
3712         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
3713         * heap/MarkingConstraint.h:
3714         * heap/MarkingConstraintSet.cpp:
3715         (JSC::MarkingConstraintSet::add):
3716         * heap/MarkingConstraintSet.h:
3717         (JSC::MarkingConstraintSet::add):
3718         * heap/MarkingConstraintSolver.cpp:
3719         (JSC::MarkingConstraintSolver::execute):
3720         (JSC::MarkingConstraintSolver::addParallelTask):
3721         (JSC::MarkingConstraintSolver::runExecutionThread):
3722         (JSC::MarkingConstraintSolver::didExecute): Deleted.
3723         * heap/MarkingConstraintSolver.h:
3724         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
3725         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
3726         * heap/SimpleMarkingConstraint.cpp:
3727         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3728         (JSC::SimpleMarkingConstraint::executeImpl):
3729         * heap/SimpleMarkingConstraint.h:
3730         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3731         * heap/SlotVisitor.cpp:
3732         (JSC::SlotVisitor::addParallelConstraintTask):
3733         * heap/SlotVisitor.h:
3734         * heap/Subspace.cpp:
3735         (JSC::Subspace::sweep):
3736         * heap/Subspace.h:
3737         * heap/SubspaceInlines.h:
3738         (JSC::Subspace::forEachLiveCell):
3739         * llint/LowLevelInterpreter.asm:
3740         * runtime/EvalExecutable.cpp:
3741         (JSC::EvalExecutable::visitChildren):
3742         * runtime/EvalExecutable.h:
3743         (JSC::EvalExecutable::codeBlock):
3744         * runtime/FunctionExecutable.cpp:
3745         (JSC::FunctionExecutable::baselineCodeBlockFor):
3746         (JSC::FunctionExecutable::visitChildren):
3747         * runtime/FunctionExecutable.h:
3748         * runtime/JSType.h:
3749         * runtime/ModuleProgramExecutable.cpp:
3750         (JSC::ModuleProgramExecutable::visitChildren):
3751         * runtime/ModuleProgramExecutable.h:
3752         * runtime/ProgramExecutable.cpp:
3753         (JSC::ProgramExecutable::visitChildren):
3754         * runtime/ProgramExecutable.h:
3755         * runtime/ScriptExecutable.cpp:
3756         (JSC::ScriptExecutable::installCode):
3757         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
3758         * runtime/VM.cpp:
3759         (JSC::VM::VM):
3760         * runtime/VM.h:
3761         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
3762         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
3763         (JSC::VM::forEachCodeBlockSpace):
3764         * runtime/VMTraps.cpp:
3765         (JSC::VMTraps::handleTraps):
3766         * tools/VMInspector.cpp:
3767         (JSC::VMInspector::codeBlockForMachinePC):
3768         (JSC::VMInspector::isValidCodeBlock):
3769
3770 2018-01-09  Michael Saboff  <msaboff@apple.com>
3771
3772         Unreviewed, rolling out r226600 and r226603
3773         https://bugs.webkit.org/show_bug.cgi?id=181351
3774
3775         Add a DOM gadget for Spectre testing
3776
3777         * runtime/Options.h:
3778
3779 2018-01-09  Saam Barati  <sbarati@apple.com>
3780
3781         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
3782         https://bugs.webkit.org/show_bug.cgi?id=181409
3783
3784         Reviewed by Keith Miller.
3785
3786         When I was looking at profiler data for Speedometer, I noticed that one of
3787         the hottest functions in Speedometer is around 1100 bytecode operations long.
3788         Only about 100 of those bytecode ops ever execute. However, we ended up
3789         spending a lot of time compiling basic blocks that never executed. We often
3790         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
3791         This is the case when such a node never executes.
3792         
3793         This patch makes it so that anytime a block has a ForceOSRExit, we replace its
3794         terminal node with an Unreachable node (and remove all nodes after the
3795         ForceOSRExit). This will cut down on graph size when such a block dominates
3796         other blocks in the CFG. This allows us to get rid of huge chunks of the CFG
3797         in certain programs. When doing this transformation, we also insert
3798         Flushes/PhantomLocals to ensure we can recover values that are bytecode
3799         live-in to the ForceOSRExit.
3800         
3801         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
3802         does not get rid of all the CFG that it could. If we decide it's worth
3803         it, we could use additional inputs into this mechanism. For example, we could
3804         profile if a basic block ever executes inside the LLInt/Baseline, and
3805         remove parts of the CFG based on that.
3806         
3807         When running Speedometer with the concurrent JIT turned off, this patch
3808         improves DFG/FTL compile times by around 5%.
3809
3810         * dfg/DFGByteCodeParser.cpp:
3811         (JSC::DFG::ByteCodeParser::addToGraph):
3812         (JSC::DFG::ByteCodeParser::parse):
3813
3814 2018-01-09  Mark Lam  <mark.lam@apple.com>
3815
3816         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
3817         https://bugs.webkit.org/show_bug.cgi?id=181388
3818         <rdar://problem/36349351>
3819
3820         Reviewed by Saam Barati.
3821
3822         When there are duplicate setters or getters, we may end up overwriting a getter
3823         with a setter, or vice versa.  This patch adds tracking for getters/setters that
3824         have been overwritten with duplicates and ignores them.
3825
3826         * bytecompiler/NodesCodegen.cpp:
3827         (JSC::PropertyListNode::emitBytecode):
3828         * parser/NodeConstructors.h:
3829         (JSC::PropertyNode::PropertyNode):
3830         * parser/Nodes.h:
3831         (JSC::PropertyNode::isOverriddenByDuplicate const):
3832         (JSC::PropertyNode::setIsOverriddenByDuplicate):
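
An added example, not WebKit code, showing the object-literal semantics the fix above has to respect: each `get`/`set` definition supplies only its half of the accessor descriptor, so a later getter replaces an earlier getter but keeps a setter declared in between, while a data property and an accessor replace each other entirely. `markOverriddenByDuplicate` is a hypothetical stand-alone model of the bookkeeping the entry describes (it is not JSC's PropertyNode API); all function names here are chosen for the example.

```javascript
// Added example, not WebKit code: duplicate getter/setter semantics in
// object literals, plus a small model of "overridden by duplicate" tracking.

function duplicateGetterKeepsSetter() {
  const log = [];
  const o = {
    get x() { return "first getter"; },
    set x(v) { log.push(v); },
    get x() { return "second getter"; },   // overrides the first getter only
  };
  o.x = 42;                                // still routed through the setter
  const d = Object.getOwnPropertyDescriptor(o, "x");
  return { value: o.x, hasGetter: !!d.get, hasSetter: !!d.set, log };
}

function dataAfterAccessor() {
  const o = { get x() { return 1; }, x: 5 };
  return Object.getOwnPropertyDescriptor(o, "x").value;   // 5: the getter is dead
}

function accessorAfterData() {
  const o = { x: 5, get x() { return 1; } };
  const d = Object.getOwnPropertyDescriptor(o, "x");
  // the data value is gone, and no setter was ever declared
  return { value: o.x, isAccessor: "get" in d, hasSetter: d.set !== undefined };
}

// Hypothetical model (not JSC's PropertyNode) of the flag the patch adds:
// walk the literal's definitions in source order and report which ones a
// later duplicate makes dead, so a code generator can skip them rather than
// emit a getter where it later expects a setter (the assertion in the title).
function markOverriddenByDuplicate(defs) {
  // defs: array of { name, kind } with kind "data" | "getter" | "setter"
  const live = new Map();   // name -> indices of the definitions still in effect
  defs.forEach((def, i) => {
    let slot = live.get(def.name);
    if (!slot) {
      slot = { data: undefined, getter: undefined, setter: undefined };
      live.set(def.name, slot);
    }
    if (def.kind === "data") {
      // a data property replaces the whole accessor pair
      slot.data = i;
      slot.getter = undefined;
      slot.setter = undefined;
    } else {
      // an accessor half replaces a data property, and only its own half
      slot.data = undefined;
      slot[def.kind] = i;
    }
  });
  const surviving = new Set();
  for (const slot of live.values())
    for (const idx of [slot.data, slot.getter, slot.setter])
      if (idx !== undefined)
        surviving.add(idx);
  return defs.map((_, i) => !surviving.has(i));
}
```

`markOverriddenByDuplicate([{name:"x",kind:"getter"},{name:"x",kind:"setter"},{name:"x",kind:"getter"}])` yields `[true, false, false]`: only the first getter is dead, the setter survives.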
3833
3834 2018-01-08  Zan Dobersek  <zdobersek@igalia.com>
3835
3836         REGRESSION(r225913): about 30 JSC test failures on ARMv7
3837         https://bugs.webkit.org/show_bug.cgi?id=181162
3838         <rdar://problem/36261349>
3839
3840         Unreviewed follow-up to r226298. Enable the fast case in
3841         DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform,
3842         assuming in good faith that enough GP registers are available on any
3843         such configuration. The accompanying comment is adjusted to describe
3844         this assumption.
3845
3846         * dfg/DFGSpeculativeJIT.cpp:
3847         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3848
3849 2018-01-08  JF Bastien  <jfbastien@apple.com>
3850
3851         WebAssembly: mask indexed accesses to Table
3852         https://bugs.webkit.org/show_bug.cgi?id=181412
3853         <rdar://problem/36363236>
3854
3855         Reviewed by Saam Barati.
3856
3857         WebAssembly Table indexed accesses are user-controlled and
3858         bounds-checked. Force allocations of Table data to be a
3859         power-of-two, and explicitly mask accesses after bounds-check
3860         branches.
3861
3862         Rename misleading usage of "size" when "length" of a Table was
3863         intended.
3864
3865         Rename the Spectre option from "disable" to "enable".
3866
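An added example, not WebKit code, of the bounds-check-then-mask pattern this change describes, modelled with a plain JavaScript array standing in for a Wasm Table of function references. The backing allocation is rounded up to a power of two so that `index & mask` can only ever select a slot inside the allocation; the explicit bounds check still traps architecturally, and the mask limits what a mispredicted bounds-check branch could speculatively read. `MaskedTable`, `roundUpToPowerOfTwo`, `maskNeverEscapesAllocation` and the `MAX_TABLE_LENGTH` cap are assumptions of this model, not JSC's names or limits.

```javascript
// Added example, not WebKit code: power-of-two allocation plus masking after
// the bounds check, modelled on a JS array standing in for a Wasm Table.

const MAX_TABLE_LENGTH = 1 << 24;   // assumed cap for this model, not JSC's limit

function roundUpToPowerOfTwo(n) {
  let p = 1;
  while (p < n) p *= 2;
  return p;
}

class MaskedTable {
  constructor(length) {
    if (!Number.isInteger(length) || length < 0 || length > MAX_TABLE_LENGTH)
      throw new RangeError("invalid table length");
    this.length = length;                                   // logical length
    this.allocatedLength = roundUpToPowerOfTwo(Math.max(length, 1));
    this.mask = this.allocatedLength - 1;                   // all ones below the power of two
    this.slots = new Array(this.allocatedLength).fill(null);
  }

  checkIndex(index) {
    // Architectural bounds check against the logical length: traps on overflow.
    if ((index >>> 0) !== index || index >= this.length)
      throw new RangeError("table index out of bounds");
    // Masking after the check: even an access executed under a mispredicted
    // branch stays inside the power-of-two allocation.
    return index & this.mask;
  }

  get(index) { return this.slots[this.checkIndex(index)]; }

  set(index, fn) { this.slots[this.checkIndex(index)] = fn; }

  // Grows by delta entries, reallocating to the next power of two when
  // needed; returns the previous length, or -1 if the request is refused.
  grow(delta) {
    if (!Number.isInteger(delta) || delta < 0) return -1;
    const newLength = this.length + delta;
    if (newLength > MAX_TABLE_LENGTH) return -1;
    if (newLength > this.allocatedLength) {
      const newAllocated = roundUpToPowerOfTwo(newLength);
      const newSlots = new Array(newAllocated).fill(null);
      for (let i = 0; i < this.length; i++)
        newSlots[i] = this.slots[i];
      this.slots = newSlots;
      this.allocatedLength = newAllocated;
      this.mask = newAllocated - 1;
    }
    const oldLength = this.length;
    this.length = newLength;
    return oldLength;
  }
}

// For every length up to maxLength: the allocation is a power of two, it is
// at least the logical length, and masking any index (including ones well
// past the end) never yields a slot outside the allocation.
function maskNeverEscapesAllocation(maxLength) {
  for (let len = 0; len <= maxLength; len++) {
    const t = new MaskedTable(len);
    if ((t.allocatedLength & (t.allocatedLength - 1)) !== 0) return false;
    if (t.allocatedLength < len) return false;
    for (let idx = 0; idx < 2 * t.allocatedLength + 3; idx++)
      if ((idx & t.mask) >= t.allocatedLength) return false;
  }
  return true;
}
```

The point of the second step is that the mask is data-dependent only on the allocation size, not on the bounds-check outcome, so it holds on both the architectural and the speculative path; the cost is the rounded-up allocation, which `grow` keeps in step with the logical length.
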
3867         * dfg/DFGSpeculativeJIT.cpp:
3868         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3869         * ftl/FTLLowerDFGToB3.cpp:
3870         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
3871         * jit/JIT.cpp:
3872         (JSC::JIT::JIT):
3873         * runtime/Options.h:
3874         * wasm/WasmB3IRGenerator.cpp:
3875         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
3876         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3877         * wasm/WasmTable.cpp:
3878         (JSC::Wasm::Table::allocatedLength):
3879         (JSC::Wasm::Table::setLength):
3880         (JSC::Wasm::Table::create):
3881         (JSC::Wasm::Table::Table):
3882         (JSC::Wasm::Table::grow):
3883         (JSC::Wasm::Table::clearFunction):
3884         (JSC::Wasm::Table::setFunction):
3885         * wasm/WasmTable.h:
3886         (JSC::Wasm::Table::length const):
3887         (JSC::Wasm::Table::offsetOfLength):
3888         (JSC::Wasm::Table::offsetOfMask):
3889         (JSC::Wasm::Table::mask const):
3890         (JSC::Wasm::Table::isValidLength):
3891         * wasm/js/JSWebAssemblyInstance.cpp:
3892         (JSC::JSWebAssemblyInstance::create):
3893         * wasm/js/JSWebAssemblyTable.cpp:
3894         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
3895         (JSC::JSWebAssemblyTable::visitChildren):
3896         (JSC::JSWebAssemblyTable::grow):
3897         (JSC::JSWebAssemblyTable::getFunction):
3898         (JSC::JSWebAssemblyTable::clearFunction):
3899         (JSC::JSWebAssemblyTable::setFunction):