Source/JavaScriptCore/ChangeLog (WebKit-https.git), at commit 82a1756cd7f328382354bc0552c0531608c65bdf

2018-01-15  JF Bastien  <jfbastien@apple.com>

        Remove makePoisonedUnique
        https://bugs.webkit.org/show_bug.cgi?id=181630
        <rdar://problem/36498623>

        Reviewed by Mark Lam.

        I added a conversion from std::unique_ptr, so we can just use
        std::make_unique and it'll auto-poison when converted.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::makePoisonedUnique): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::makePoisonedUnique): Deleted.

2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>

        REGRESSION(r226266): [GTK] RELEASE_ASSERT(reservedZoneSize >= minimumReservedZoneSize) in JSC::VM::updateStackLimits
        https://bugs.webkit.org/show_bug.cgi?id=181438
        <rdar://problem/36376724>

        Reviewed by Carlos Garcia Campos.

        Roll out the functional changes of r226266. We'll keep the minor CMake library type setting
        cleanup, but we have to switch back to building JSC only as a shared library, and we have to
        get rid of the version script.

        * PlatformGTK.cmake:
        * javascriptcoregtk-symbols.map: Removed.

2018-01-14  Saam Barati  <sbarati@apple.com>

        Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeExitSiteData):

2018-01-13  Mark Lam  <mark.lam@apple.com>

        Replace all use of ConstExprPoisoned with Poisoned.
        https://bugs.webkit.org/show_bug.cgi?id=181542
        <rdar://problem/36442138>

        Reviewed by JF Bastien.

        1. All JSC poisons are now defined in JSCPoison.h.

        2. Change all clients to use the new poison values via the POISON() macro.

        3. The LLInt code has been updated to handle CodeBlock poison.  Some of this code
           uses the t5 temp register, which is not available on the Windows port.
           Fortunately, we don't currently do poisoning on the Windows port yet.  So,
           it will just work for now.

           When poisoning is enabled for the Windows port, this LLInt code will need a
           Windows specific implementation to work around its lack of a t5 register.

        * API/JSAPIWrapperObject.h:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::emptyValue):
        (JSC::MacroAssemblerCodePtr::deletedValue):
        * b3/B3LowerMacros.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testInterpreter):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::instructions):
        (JSC::CodeBlock::instructions const):
        (JSC::CodeBlock::makePoisonedUnique):
        * dfg/DFGOSRExitCompilerCommon.h:
        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        * jit/JIT.h:
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/UnlinkedSourceCode.h:
        * runtime/ArrayPrototype.h:
        * runtime/CustomGetterSetter.h:
        * runtime/DateInstance.h:
        * runtime/InternalFunction.h:
        * runtime/JSArrayBuffer.h:
        * runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
        (JSC::initializePoison):
        * runtime/JSCPoison.h:
        (): Deleted.
        * runtime/JSCPoisonedPtr.cpp: Removed.
        * runtime/JSCPoisonedPtr.h: Removed.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::makePoisonedUnique):
        * runtime/JSScriptFetchParameters.h:
        * runtime/JSScriptFetcher.h:
        * runtime/NativeExecutable.h:
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::map const):
        (JSC::StructureTransitionTable::weakImpl const):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrier::poison):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTable.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunctionBase.h:
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyToJSCallee.h:
        * wasm/js/WebAssemblyWrapperFunction.h:
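
Pointer poisoning, as referenced by this entry and by the "Remove makePoisonedUnique" entry above, shown as an added, self-contained C++ illustration (constructed for this page, not JSC's own Poisoned or PoisonedUniquePtr code): the stored pointer is XOR-ed with a per-type key, and a converting constructor from std::unique_ptr poisons the result of std::make_unique as it is stored. The Widget type, the fixed poison keys and the class names are this example's own; JSC derives its poison values at runtime.

```cpp
#include <cstdint>
#include <memory>
#include <utility>

// Constructed illustration of pointer poisoning, not JSC's Poisoned template.
// The pointer is stored XOR-ed with a per-type secret key, so a type-confused
// or stale read of the raw storage yields an unusable address rather than a
// live pointer. JSC picks its keys at runtime; fixed keys are used here so
// the example is deterministic.
template<std::uintptr_t Key, typename T>
class Poisoned {
public:
    Poisoned() = default;
    explicit Poisoned(T* ptr) : m_bits(poison(ptr)) { }

    T* get() const { return unpoison(m_bits); }
    T* operator->() const { return get(); }

    // The bits that actually sit in memory (what a memory disclosure would leak).
    std::uintptr_t rawBits() const { return m_bits; }

    // Null is kept as zero so a cleared slot stays recognisable as empty.
    static std::uintptr_t poison(T* ptr)
    {
        return ptr ? reinterpret_cast<std::uintptr_t>(ptr) ^ Key : 0;
    }
    static T* unpoison(std::uintptr_t bits)
    {
        return bits ? reinterpret_cast<T*>(bits ^ Key) : nullptr;
    }

private:
    std::uintptr_t m_bits { 0 };
};

// Owning variant. The converting constructor from std::unique_ptr is the point
// of the "Remove makePoisonedUnique" entry: std::make_unique<T>(...) can be
// stored directly and is poisoned on the way in, so no dedicated factory is needed.
template<std::uintptr_t Key, typename T>
class PoisonedUniquePtr {
public:
    PoisonedUniquePtr() = default;
    PoisonedUniquePtr(std::unique_ptr<T>&& owned)
        : m_poisoned(owned.release()) { }
    PoisonedUniquePtr(PoisonedUniquePtr&& other) noexcept
        : m_poisoned(std::exchange(other.m_poisoned, Poisoned<Key, T>())) { }
    PoisonedUniquePtr(const PoisonedUniquePtr&) = delete;
    PoisonedUniquePtr& operator=(const PoisonedUniquePtr&) = delete;
    ~PoisonedUniquePtr() { delete m_poisoned.get(); }

    T* get() const { return m_poisoned.get(); }
    T* operator->() const { return get(); }
    std::uintptr_t rawBits() const { return m_poisoned.rawBits(); }

private:
    Poisoned<Key, T> m_poisoned;
};

// Constructed sample type and keys for the checks below.
struct Widget { int value; };
constexpr std::uintptr_t kWidgetPoison = static_cast<std::uintptr_t>(0x5A5A00FF00A5A500ull);
constexpr std::uintptr_t kOtherPoison  = static_cast<std::uintptr_t>(0x3C3C0FF00FF03C3Cull);

// The in-memory bits differ from the real address, yet get() recovers it exactly.
bool poisonRoundTrips()
{
    std::unique_ptr<Widget> owned = std::make_unique<Widget>(Widget { 42 });
    Widget* real = owned.get();
    PoisonedUniquePtr<kWidgetPoison, Widget> poisoned = std::move(owned);
    return poisoned.get() == real
        && poisoned.rawBits() != reinterpret_cast<std::uintptr_t>(real)
        && poisoned->value == 42;
}

// Unpoisoning with another type's key (the type-confusion case) does not yield
// the real object.
bool wrongKeyDoesNotRecover()
{
    Widget local { 7 };
    Poisoned<kWidgetPoison, Widget> poisoned(&local);
    Widget* misread = Poisoned<kOtherPoison, Widget>::unpoison(poisoned.rawBits());
    return misread != &local;
}

// A null pointer is stored as zero, not as the bare key.
bool nullStaysZero()
{
    return Poisoned<kWidgetPoison, Widget>(nullptr).rawBits() == 0;
}
```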

2018-01-13  Caio Lima  <ticaiolima@gmail.com>

        [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
        https://bugs.webkit.org/show_bug.cgi?id=181182

        Reviewed by Darin Adler.

        Casting double to integer is undefined behavior when the truncation
        results in a value that doesn't fit into integer size, according to the C++
        spec [1]. Thus, we are changing bigIntProtoFuncToString and
        numberProtoFuncToString to remove these sources of undefined behavior.

        [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion

        * runtime/BigIntPrototype.cpp:
        (JSC::bigIntProtoFuncToString):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToString):
        (JSC::extractRadixFromArgs): Deleted.
        (JSC::extractToStringRadixArgument): Added.
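
The undefined behaviour described above, and the shape of the fix, as an added C++ example (constructed here, not the patch's own extractToStringRadixArgument): the radix is validated in the double domain before any cast to int32_t, following the ECMAScript ToInteger-then-range-check steps for Number.prototype.toString(radix). All function names are the example's own.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Constructed example, not JSC's extractToStringRadixArgument. It mirrors the
// ECMAScript steps for Number.prototype.toString(radix): ToInteger (NaN -> +0,
// otherwise truncation toward zero), then RangeError unless 2 <= radix <= 36.

// Defect kept for contrast: the cast happens before the range check. For 1e10
// or +-Infinity the truncated value does not fit int32_t, so the static_cast
// is undefined behaviour in C++ and the later comparison cannot be relied on.
// It is only ever called with in-range inputs here.
bool radixBeforeFix(double radixValue, std::int32_t& outRadix)
{
    double integral = std::isnan(radixValue) ? 0.0 : std::trunc(radixValue);
    std::int32_t radix = static_cast<std::int32_t>(integral); // UB when out of range
    if (radix < 2 || radix > 36)
        return false;
    outRadix = radix;
    return true;
}

// Fixed form: the range check is performed on the double, so every value that
// reaches the cast is an integer in [2, 36] and the conversion is always defined.
// Returns false where the JS implementation would throw RangeError.
bool radixAfterFix(double radixValue, std::int32_t& outRadix)
{
    double integral = std::isnan(radixValue) ? 0.0 : std::trunc(radixValue);
    // +-Infinity, huge magnitudes and -0.0 all fail this comparison and are
    // rejected without ever being cast.
    if (!(integral >= 2.0 && integral <= 36.0))
        return false;
    outRadix = static_cast<std::int32_t>(integral);
    return true;
}

// Spec behaviour for the argument as a whole: an absent/undefined radix means
// base 10; anything else goes through the checked conversion.
// Returns the radix, or -1 where RangeError would be thrown.
int radixFromArgument(bool radixIsUndefined, double radixValue)
{
    if (radixIsUndefined)
        return 10;
    std::int32_t radix = 0;
    return radixAfterFix(radixValue, radix) ? radix : -1;
}

// Convenience wrapper for the checks below (radix, or -1 for RangeError).
int radixOrError(double radixValue)
{
    return radixFromArgument(false, radixValue);
}
```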

2018-01-12  Saam Barati  <sbarati@apple.com>

        Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=181545

        Reviewed by Michael Saboff.

        This patch follows the theme of putting optimization profiling information on
        UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data.
        This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock
        pulled from the code cache, making better compilation decisions, usually
        resulting in fewer exits, and fewer recompilations.

        This is a 1% Speedometer progression in my testing.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeExitSiteData):
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite): Deleted.
        (JSC::CodeBlock::hasExitSite const): Deleted.
        (JSC::CodeBlock::exitProfile): Deleted.
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::ExitProfile::add):
        (JSC::DFG::QueryableExitProfile::initialize):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::ExitProfile::hasExitSite const):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::hasExitSite):
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::hasExitSite):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::hasExitSite const):
        (JSC::UnlinkedCodeBlock::hasExitSite):
        (JSC::UnlinkedCodeBlock::exitProfile):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasGlobalExitSite):
        (JSC::DFG::Graph::hasExitSite):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):

2018-01-12  JF Bastien  <jfbastien@apple.com>

        PoisonedWriteBarrier
        https://bugs.webkit.org/show_bug.cgi?id=181599
        <rdar://problem/36474351>

        Reviewed by Mark Lam.

        Allow poisoning of WriteBarrier objects, and use this for
        WebAssembly because it is perf-neutral, at least on WasmBench on
        my MBP. If it indeed is perf-neutral according to the bots, start
        using it in more performance-sensitive places.

        * heap/HandleTypes.h:
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::append):
        (JSC::SlotVisitor::appendHidden):
        * runtime/JSCJSValue.h:
        * runtime/JSCPoison.h:
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setPrototypeWithoutTransition):
        (JSC::Structure::setGlobalObject):
        (JSC::Structure::setPreviousID):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::copyFrom):
        (JSC::WriteBarrierBase::get const):
        (JSC::WriteBarrierBase::operator* const):
        (JSC::WriteBarrierBase::operator-> const):
        (JSC::WriteBarrierBase::clear):
        (JSC::WriteBarrierBase::slot):
        (JSC::WriteBarrierBase::operator bool const):
        (JSC::WriteBarrierBase::setWithoutWriteBarrier):
        (JSC::WriteBarrierBase::unvalidatedGet const):
        (JSC::operator==):
        * runtime/WriteBarrierInlines.h:
        (JSC::Traits>::set):
        (JSC::Traits>::setMayBeNull):
        (JSC::Traits>::setEarlyValue):
        (JSC::DumbValueTraits<Unknown>>::set):
        * wasm/WasmInstance.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
        (JSC::JSWebAssemblyInstance::finishCreation):
        (JSC::JSWebAssemblyInstance::visitChildren):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee):
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
        (JSC::JSWebAssemblyTable::grow):
        (JSC::JSWebAssemblyTable::clearFunction):
        * wasm/js/JSWebAssemblyTable.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::materializeImportJSCell):
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunctionBase.h:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyToJSCallee.h:
        * wasm/js/WebAssemblyWrapperFunction.h:

2018-01-12  Saam Barati  <sbarati@apple.com>

        CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
        https://bugs.webkit.org/show_bug.cgi?id=181177
        <rdar://problem/36205704>

        Reviewed by Yusuke Suzuki.

        The semantics of CheckStructure are such that it does not allow the empty value to flow through it.
        However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't
        have semantic consequences when validation is turned off. However, with validation on, this trips up
        our OSR exit machinery that says when an exit is allowed to happen.

        Consider the following IR:

        a: GetClosureVar // Or any other node that produces BytecodeTop
        ...
        c: CheckStructure(Cell:@a, {s2})
        d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)

        In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this:
        a: GetClosureVar
        e: CheckStructureOrEmpty(@a, {s1})
        ...
        f: CheckStructureOrEmpty(@a, {s2})
        c: CheckStructure(Cell:@a, {s2})
        d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)

        This will cause constant folding to change the IR to:
        a: GetClosureVar
        e: CheckStructureOrEmpty(@a, {s1})
        ...
        f: CheckStructureOrEmpty(@a, {s2})
        d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)

        Our mayExit analysis determines that the PutByOffset should not exit. Note
        that AI will determine the only value the PutByOffset can see in @a is
        the empty value. Because KnownCell filters SpecCell and not SpecCellCheck,
        when lowering the PutByOffset, we reach a contradiction in AI and emit
        an OSR exit. However, because mayExit said we couldn't exit, we assert.

        Note that if we did not run the TypeCheckHoistingPhase on this IR, AI
        would have determined we would OSR exit at the second CheckStructure.

        This patch makes it so constant folding produces the following IR:
        a: GetClosureVar
        e: CheckStructureOrEmpty(@a, {s1})
        g: AssertNotEmpty(@a)
        ...
        f: CheckStructureOrEmpty(@a, {s2})
        h: AssertNotEmpty(@a)
        d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)

        This modification will cause AI to know we will OSR exit before even reaching
        the PutByOffset. Note that in the original IR, the GetClosureVar won't
        actually produce the TDZ value. If it did, bytecode would have caused us
        to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's
        why this bug is about IR bookkeeping and not an actual error in IR analysis.
        This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be
        more congruous with CheckStructure's semantics of crashing on the empty value
        as input (on 64 bit platforms).

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):

2018-01-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent
        https://bugs.webkit.org/show_bug.cgi?id=181579
        <rdar://problem/36193759>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::clearMessages):
        (Inspector::InspectorConsoleAgent::addConsoleMessage):
        Switch from a raw pointer to m_consoleMessages.last().
        Also move the expiration check into the if block since it can only
        happen inside here when the number of console messages changes.

        (Inspector::InspectorConsoleAgent::discardValues):
        Also clear the expired message count when messages are cleared.

2018-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Create parallel SlotVisitors a priori
        https://bugs.webkit.org/show_bug.cgi?id=180907

        Reviewed by Saam Barati.

        The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
        If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
        Then we do not need to grab locks while iterating all the SlotVisitors.

        In addition, we do not need to consider the case that the number of SlotVisitors increases
        after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
        does not increase any more.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::runBeginPhase):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::numberOfSlotVisitors): Deleted.
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::didVisitSomething const):

2018-01-12  Saam Barati  <sbarati@apple.com>

        Each variant of a polymorphic inlined call should be exitOK at the top of the block
        https://bugs.webkit.org/show_bug.cgi?id=181562
        <rdar://problem/36445624>

        Reviewed by Yusuke Suzuki.

        Before this patch, the very first block in the switch for polymorphic call
        inlining will have exitOK at the top. The others are not guaranteed to.
        That was just a bug. They're all exitOK at the top. This will lead to crashes
        in FixupPhase because we won't have a node in a block that has ExitOK, so
        when we fixup various type checks, we assert out.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):

2018-01-11  Keith Miller  <keith_miller@apple.com>

        Rename ENABLE_ASYNC_ITERATION to ENABLE_JS_ASYNC_ITERATION
        https://bugs.webkit.org/show_bug.cgi?id=181573

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/Options.h:

2018-01-11  Michael Saboff  <msaboff@apple.com>

        REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters
        https://bugs.webkit.org/show_bug.cgi?id=181570

        Reviewed by Keith Miller.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        Reverting these functions to use dataTempRegister and memoryTempRegister as they are
        JIT release asserts that will crash the program.

        (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
        Changed this so that it invalidates any cached dataTmpRegister contents if temp register
        caching is enabled.

2018-01-11  Filip Pizlo  <fpizlo@apple.com>

        Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes
        https://bugs.webkit.org/show_bug.cgi?id=181543

        Rubber stamped by Michael Saboff.

        In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't
        really have anything to do with allocation anymore. The allocation will be done by something
        in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a
        place to find blocks (a "block directory").

        Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the
        attributes of the HeapCellType. So let's call them CellAttributes.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ObjectAllocationProfile.h:
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        * heap/AlignedMemoryAllocator.cpp:
        (JSC::AlignedMemoryAllocator::registerDirectory):
        (JSC::AlignedMemoryAllocator::registerAllocator): Deleted.
        * heap/AlignedMemoryAllocator.h:
        (JSC::AlignedMemoryAllocator::firstDirectory const):
        (JSC::AlignedMemoryAllocator::firstAllocator const): Deleted.
        * heap/AllocatorAttributes.cpp: Removed.
        * heap/AllocatorAttributes.h: Removed.
        * heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp.
        (JSC::BlockDirectory::BlockDirectory):
        (JSC::BlockDirectory::setSubspace):
        (JSC::BlockDirectory::isPagedOut):
        (JSC::BlockDirectory::findEmptyBlockToSteal):
        (JSC::BlockDirectory::didConsumeFreeList):
        (JSC::BlockDirectory::tryAllocateWithoutCollecting):
        (JSC::BlockDirectory::allocateIn):
        (JSC::BlockDirectory::tryAllocateIn):
        (JSC::BlockDirectory::doTestCollectionsIfNeeded):
        (JSC::BlockDirectory::allocateSlowCase):
        (JSC::BlockDirectory::blockSizeForBytes):
        (JSC::BlockDirectory::tryAllocateBlock):
        (JSC::BlockDirectory::addBlock):
        (JSC::BlockDirectory::removeBlock):
        (JSC::BlockDirectory::stopAllocating):
        (JSC::BlockDirectory::prepareForAllocation):
        (JSC::BlockDirectory::lastChanceToFinalize):
        (JSC::BlockDirectory::resumeAllocating):
        (JSC::BlockDirectory::beginMarkingForFullCollection):
        (JSC::BlockDirectory::endMarking):
        (JSC::BlockDirectory::snapshotUnsweptForEdenCollection):
        (JSC::BlockDirectory::snapshotUnsweptForFullCollection):
        (JSC::BlockDirectory::findBlockToSweep):
        (JSC::BlockDirectory::sweep):
        (JSC::BlockDirectory::shrink):
        (JSC::BlockDirectory::assertNoUnswept):
        (JSC::BlockDirectory::parallelNotEmptyBlockSource):
        (JSC::BlockDirectory::dump const):
        (JSC::BlockDirectory::dumpBits):
        (JSC::BlockDirectory::markedSpace const):
        (JSC::MarkedAllocator::MarkedAllocator): Deleted.
        (JSC::MarkedAllocator::setSubspace): Deleted.
        (JSC::MarkedAllocator::isPagedOut): Deleted.
        (JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted.
        (JSC::MarkedAllocator::didConsumeFreeList): Deleted.
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
        (JSC::MarkedAllocator::allocateIn): Deleted.
        (JSC::MarkedAllocator::tryAllocateIn): Deleted.
        (JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted.
        (JSC::MarkedAllocator::allocateSlowCase): Deleted.
        (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
        (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
        (JSC::MarkedAllocator::addBlock): Deleted.
        (JSC::MarkedAllocator::removeBlock): Deleted.
        (JSC::MarkedAllocator::stopAllocating): Deleted.
        (JSC::MarkedAllocator::prepareForAllocation): Deleted.
        (JSC::MarkedAllocator::lastChanceToFinalize): Deleted.
        (JSC::MarkedAllocator::resumeAllocating): Deleted.
        (JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted.
        (JSC::MarkedAllocator::endMarking): Deleted.
        (JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted.
        (JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted.
        (JSC::MarkedAllocator::findBlockToSweep): Deleted.
        (JSC::MarkedAllocator::sweep): Deleted.
        (JSC::MarkedAllocator::shrink): Deleted.
        (JSC::MarkedAllocator::assertNoUnswept): Deleted.
        (JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted.
        (JSC::MarkedAllocator::dump const): Deleted.
        (JSC::MarkedAllocator::dumpBits): Deleted.
        (JSC::MarkedAllocator::markedSpace const): Deleted.
        * heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h.
        (JSC::BlockDirectory::attributes const):
        (JSC::BlockDirectory::forEachBitVector):
        (JSC::BlockDirectory::forEachBitVectorWithName):
        (JSC::BlockDirectory::nextDirectory const):
        (JSC::BlockDirectory::nextDirectoryInSubspace const):
        (JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const):
        (JSC::BlockDirectory::setNextDirectory):
        (JSC::BlockDirectory::setNextDirectoryInSubspace):
        (JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator):
        (JSC::BlockDirectory::offsetOfFreeList):
        (JSC::BlockDirectory::offsetOfCellSize):
        (JSC::MarkedAllocator::cellSize const): Deleted.
        (JSC::MarkedAllocator::attributes const): Deleted.
        (JSC::MarkedAllocator::needsDestruction const): Deleted.
        (JSC::MarkedAllocator::destruction const): Deleted.
        (JSC::MarkedAllocator::cellKind const): Deleted.
        (JSC::MarkedAllocator::heap): Deleted.
        (JSC::MarkedAllocator::bitvectorLock): Deleted.
        (JSC::MarkedAllocator::forEachBitVector): Deleted.
        (JSC::MarkedAllocator::forEachBitVectorWithName): Deleted.
        (JSC::MarkedAllocator::nextAllocator const): Deleted.
        (JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted.
        (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted.
        (JSC::MarkedAllocator::setNextAllocator): Deleted.
        (JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted.
        (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted.
        (JSC::MarkedAllocator::subspace const): Deleted.
        (JSC::MarkedAllocator::freeList const): Deleted.
        (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
        (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
        * heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h.
        (JSC::BlockDirectory::isFreeListedCell const):
        (JSC::BlockDirectory::allocate):
        (JSC::BlockDirectory::forEachBlock):
        (JSC::BlockDirectory::forEachNotEmptyBlock):
        (JSC::MarkedAllocator::isFreeListedCell const): Deleted.
        (JSC::MarkedAllocator::allocate): Deleted.
        (JSC::MarkedAllocator::forEachBlock): Deleted.
        (JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted.
        * heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp.
        (JSC::CellAttributes::dump const):
        (JSC::AllocatorAttributes::dump const): Deleted.
        * heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h.
        (JSC::CellAttributes::CellAttributes):
        (JSC::AllocatorAttributes::AllocatorAttributes): Deleted.
        * heap/CompleteSubspace.cpp:
        (JSC::CompleteSubspace::allocatorFor):
        (JSC::CompleteSubspace::allocateNonVirtual):
        (JSC::CompleteSubspace::allocatorForSlow):
        (JSC::CompleteSubspace::tryAllocateSlow):
        * heap/CompleteSubspace.h:
        (JSC::CompleteSubspace::allocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForNonVirtual):
        * heap/GCDeferralContext.h:
        * heap/Heap.cpp:
        (JSC::Heap::updateAllocationLimits):
        * heap/Heap.h:
        * heap/HeapCell.h:
        * heap/HeapCellInlines.h:
        (JSC::HeapCell::cellAttributes const):
        (JSC::HeapCell::destructionMode const):
        (JSC::HeapCell::cellKind const):
        (JSC::HeapCell::allocatorAttributes const): Deleted.
        * heap/HeapCellType.cpp:
        (JSC::HeapCellType::HeapCellType):
        * heap/HeapCellType.h:
        (JSC::HeapCellType::attributes const):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::sweepNextBlock):
        (JSC::IncrementalSweeper::startSweeping):
        (JSC::IncrementalSweeper::stopSweeping):
        * heap/IncrementalSweeper.h:
        * heap/IsoCellSet.cpp:
        (JSC::IsoCellSet::IsoCellSet):
        (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
        (JSC::IsoCellSet::addSlow):
        (JSC::IsoCellSet::didRemoveBlock):
        (JSC::IsoCellSet::sweepToFreeList):
        * heap/IsoCellSetInlines.h:
        (JSC::IsoCellSet::forEachMarkedCell):
        (JSC::IsoCellSet::forEachLiveCell):
        * heap/IsoSubspace.cpp:
        (JSC::IsoSubspace::IsoSubspace):
        (JSC::IsoSubspace::allocatorFor):
        (JSC::IsoSubspace::allocateNonVirtual):
        * heap/IsoSubspace.h:
        (JSC::IsoSubspace::allocatorForNonVirtual):
        * heap/LargeAllocation.h:
        (JSC::LargeAllocation::attributes const):
        * heap/MarkedAllocator.cpp: Removed.
        * heap/MarkedAllocator.h: Removed.
        * heap/MarkedAllocatorInlines.h: Removed.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::~Handle):
        (JSC::MarkedBlock::Handle::setIsFreeListed):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::lastChanceToFinalize):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::Handle::didConsumeFreeList):
        (JSC::MarkedBlock::noteMarkedSlow):
        (JSC::MarkedBlock::Handle::removeFromDirectory):
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
        (JSC::MarkedBlock::Handle::dumpState):
        (JSC::MarkedBlock::Handle::subspace const):
        (JSC::MarkedBlock::Handle::sweep):
        (JSC::MarkedBlock::Handle::isFreeListedCell const):
        (JSC::MarkedBlock::Handle::removeFromAllocator): Deleted.
        (JSC::MarkedBlock::Handle::didAddToAllocator): Deleted.
        (JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::directory const):
        (JSC::MarkedBlock::Handle::attributes const):
        (JSC::MarkedBlock::attributes const):
        (JSC::MarkedBlock::Handle::allocator const): Deleted.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::isAllocated):
        (JSC::MarkedBlock::Handle::isLive):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::isEmpty):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::lastChanceToFinalize):
        (JSC::MarkedSpace::sweep):
683         (JSC::MarkedSpace::lastChanceToFinalize):
684         (JSC::MarkedSpace::sweep):
685         (JSC::MarkedSpace::stopAllocating):
686         (JSC::MarkedSpace::resumeAllocating):
687         (JSC::MarkedSpace::isPagedOut):
688         (JSC::MarkedSpace::freeBlock):
689         (JSC::MarkedSpace::shrink):
690         (JSC::MarkedSpace::beginMarking):
691         (JSC::MarkedSpace::endMarking):
692         (JSC::MarkedSpace::snapshotUnswept):
693         (JSC::MarkedSpace::assertNoUnswept):
694         (JSC::MarkedSpace::dumpBits):
695         (JSC::MarkedSpace::addBlockDirectory):
696         (JSC::MarkedSpace::addMarkedAllocator): Deleted.
697         * heap/MarkedSpace.h:
698         (JSC::MarkedSpace::firstDirectory const):
699         (JSC::MarkedSpace::directoryLock):
700         (JSC::MarkedSpace::forEachBlock):
701         (JSC::MarkedSpace::forEachDirectory):
702         (JSC::MarkedSpace::firstAllocator const): Deleted.
703         (JSC::MarkedSpace::allocatorLock): Deleted.
704         (JSC::MarkedSpace::forEachAllocator): Deleted.
705         * heap/MarkedSpaceInlines.h:
706         * heap/Subspace.cpp:
707         (JSC::Subspace::initialize):
708         (JSC::Subspace::prepareForAllocation):
709         (JSC::Subspace::findEmptyBlockToSteal):
710         (JSC::Subspace::parallelDirectorySource):
711         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
712         (JSC::Subspace::sweep):
713         (JSC::Subspace::parallelAllocatorSource): Deleted.
714         * heap/Subspace.h:
715         (JSC::Subspace::attributes const):
716         (JSC::Subspace::didCreateFirstDirectory):
717         (JSC::Subspace::didCreateFirstAllocator): Deleted.
718         * heap/SubspaceInlines.h:
719         (JSC::Subspace::forEachDirectory):
720         (JSC::Subspace::forEachMarkedBlock):
721         (JSC::Subspace::forEachNotEmptyMarkedBlock):
722         (JSC::Subspace::forEachAllocator): Deleted.
723         * jit/AssemblyHelpers.h:
724         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
725         (JSC::AssemblyHelpers::emitAllocate):
726         (JSC::AssemblyHelpers::emitAllocateJSCell):
727         (JSC::AssemblyHelpers::emitAllocateJSObject):
728         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
729         * jit/JIT.h:
730         * jit/JITOpcodes.cpp:
731         (JSC::JIT::emit_op_new_object):
732         * jit/JITOpcodes32_64.cpp:
733         (JSC::JIT::emit_op_new_object):
734         * runtime/JSDestructibleObjectHeapCellType.cpp:
735         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
736         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
737         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
738         * runtime/JSStringHeapCellType.cpp:
739         (JSC::JSStringHeapCellType::JSStringHeapCellType):
740         * runtime/VM.cpp:
741         (JSC::VM::VM):
742         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
743         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
744
745 2018-01-11  Saam Barati  <sbarati@apple.com>
746
747         When inserting Unreachable in byte code parser we need to flush all the right things
748         https://bugs.webkit.org/show_bug.cgi?id=181509
749         <rdar://problem/36423110>
750
751         Reviewed by Mark Lam.
752
753         I added code in r226655 that had its own mechanism for preserving liveness when
754         inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
755         liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
756         I got some of these values wrong, which was leading to a crash when recovering the
757         callee value from an inlined frame. Instead of making the same mistake and repeating
758         similar code again, this patch refactors this logic to be shared with the other
759         liveness preservation code in the DFG bytecode parser. This is what I should have
760         done in my initial patch.
761
762         * bytecode/InlineCallFrame.h:
763         (JSC::remapOperand):
764         * dfg/DFGByteCodeParser.cpp:
765         (JSC::DFG::flushImpl):
766         (JSC::DFG::flushForTerminalImpl):
767         (JSC::DFG::ByteCodeParser::flush):
768         (JSC::DFG::ByteCodeParser::flushForTerminal):
769         (JSC::DFG::ByteCodeParser::parse):
770
771 2018-01-11  Saam Barati  <sbarati@apple.com>
772
773         JITMathIC code in the FTL is wrong when code gets duplicated
774         https://bugs.webkit.org/show_bug.cgi?id=181525
775         <rdar://problem/36351993>
776
777         Reviewed by Michael Saboff and Keith Miller.
778
779         B3/Air may duplicate code for various reasons. Patchpoint generators inside
780         FTLLower must be aware that they can be called multiple times because of this.
781         The patchpoint for math ICs was not aware of this, and shared state amongst
782         all invocations of the patchpoint's generator. This patch fixes this bug so
783         that each invocation of the patchpoint's generator gets a unique math IC.
784
785         * bytecode/CodeBlock.h:
786         (JSC::CodeBlock::addMathIC):
787         * ftl/FTLLowerDFGToB3.cpp:
788         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
789         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
790         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
791         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
792         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
793         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
794         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
795         * jit/JITMathIC.h:
796         (JSC::isProfileEmpty):
797
798 2018-01-11  Michael Saboff  <msaboff@apple.com>
799
800         Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister
801         https://bugs.webkit.org/show_bug.cgi?id=181512
802
803         Reviewed by Saam Barati.
804
805         * assembler/MacroAssemblerARM64.h:
806         (JSC::MacroAssemblerARM64::abortWithReason):
807         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
808         All current uses of dataTempRegister in these functions are safe, but it makes sense to
809         fix them in case they might be used elsewhere.
810
811 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
812
813         CodeBlocks should be in IsoSubspaces
814         https://bugs.webkit.org/show_bug.cgi?id=180884
815
816         Reviewed by Saam Barati.
817         
818         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
819         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
820         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
821         
822         - Code block sweeping is now just eager sweeping. This means that it automatically takes
823           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
824           its eden set for.
825         
826         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
827           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
828           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
829           longer has to clear the set of weakly visited code blocks. This also means that
830           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
831           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
832           has IsoCellSets to tell us which edges have output constraints (what we used to call
833           CodeBlock's weak reference harvester) and which have unconditional finalizers.
834         
835         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
836         
837         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
838           handle requests from the sampler, debugger, and other facilities. They may want to ask
839           if some pointer corresponds to a CodeBlock during stages of execution during which the
840           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
841           There is no way that the GC's isLive could tell us whether a CodeBlock that had already been
842           allocated has now been fully constructed.
843         
844         Rolling this back in because it was rolled out by mistake. There was a flaky crash that was
845         happening before and after this change, but we misread the revision numbers at first and
846         thought that this was the cause.
847         
848         * JavaScriptCore.xcodeproj/project.pbxproj:
849         * Sources.txt:
850         * bytecode/CodeBlock.cpp:
851         (JSC::CodeBlock::CodeBlock):
852         (JSC::CodeBlock::finishCreation):
853         (JSC::CodeBlock::finishCreationCommon):
854         (JSC::CodeBlock::~CodeBlock):
855         (JSC::CodeBlock::visitChildren):
856         (JSC::CodeBlock::propagateTransitions):
857         (JSC::CodeBlock::determineLiveness):
858         (JSC::CodeBlock::finalizeUnconditionally):
859         (JSC::CodeBlock::stronglyVisitStrongReferences):
860         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
861         (JSC::CodeBlock::installVMTrapBreakpoints):
862         (JSC::CodeBlock::dumpMathICStats):
863         (JSC::CodeBlock::visitWeakly): Deleted.
864         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
865         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
866         * bytecode/CodeBlock.h:
867         (JSC::CodeBlock::subspaceFor):
868         (JSC::CodeBlock::ownerEdge const):
869         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
870         * bytecode/EvalCodeBlock.h:
871         (JSC::EvalCodeBlock::create): Deleted.
872         (JSC::EvalCodeBlock::createStructure): Deleted.
873         (JSC::EvalCodeBlock::variable): Deleted.
874         (JSC::EvalCodeBlock::numVariables): Deleted.
875         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
876         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
877         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
878         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
879         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
880         (JSC::ExecutableToCodeBlockEdge::createStructure):
881         (JSC::ExecutableToCodeBlockEdge::create):
882         (JSC::ExecutableToCodeBlockEdge::visitChildren):
883         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
884         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
885         (JSC::ExecutableToCodeBlockEdge::activate):
886         (JSC::ExecutableToCodeBlockEdge::deactivate):
887         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
888         (JSC::ExecutableToCodeBlockEdge::wrap):
889         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
890         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
891         (JSC::ExecutableToCodeBlockEdge::runConstraint):
892         * bytecode/ExecutableToCodeBlockEdge.h: Added.
893         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
894         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
895         (JSC::ExecutableToCodeBlockEdge::unwrap):
896         * bytecode/FunctionCodeBlock.h:
897         (JSC::FunctionCodeBlock::subspaceFor):
898         (JSC::FunctionCodeBlock::createStructure):
899         * bytecode/ModuleProgramCodeBlock.h:
900         (JSC::ModuleProgramCodeBlock::create): Deleted.
901         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
902         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
903         * bytecode/ProgramCodeBlock.h:
904         (JSC::ProgramCodeBlock::create): Deleted.
905         (JSC::ProgramCodeBlock::createStructure): Deleted.
906         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
907         * debugger/Debugger.cpp:
908         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
909         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
910         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
911         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
912         * heap/CodeBlockSet.cpp:
913         (JSC::CodeBlockSet::contains):
914         (JSC::CodeBlockSet::dump const):
915         (JSC::CodeBlockSet::add):
916         (JSC::CodeBlockSet::remove):
917         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
918         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
919         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
920         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
921         * heap/CodeBlockSet.h:
922         * heap/CodeBlockSetInlines.h:
923         (JSC::CodeBlockSet::iterate):
924         (JSC::CodeBlockSet::iterateViaSubspaces):
925         * heap/ConservativeRoots.cpp:
926         (JSC::ConservativeRoots::genericAddPointer):
927         (JSC::DummyMarkHook::markKnownJSCell):
928         (JSC::CompositeMarkHook::mark):
929         (JSC::CompositeMarkHook::markKnownJSCell):
930         * heap/ConservativeRoots.h:
931         * heap/Heap.cpp:
932         (JSC::Heap::lastChanceToFinalize):
933         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
934         (JSC::Heap::finalizeUnconditionalFinalizers):
935         (JSC::Heap::beginMarking):
936         (JSC::Heap::deleteUnmarkedCompiledCode):
937         (JSC::Heap::sweepInFinalize):
938         (JSC::Heap::forEachCodeBlockImpl):
939         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
940         (JSC::Heap::addCoreConstraints):
941         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
942         * heap/Heap.h:
943         * heap/HeapCell.h:
944         * heap/HeapCellInlines.h:
945         (JSC::HeapCell::subspace const):
946         * heap/HeapInlines.h:
947         (JSC::Heap::forEachCodeBlock):
948         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
949         * heap/HeapUtil.h:
950         (JSC::HeapUtil::findGCObjectPointersForMarking):
951         * heap/IsoCellSet.cpp:
952         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
953         * heap/IsoCellSet.h:
954         * heap/IsoCellSetInlines.h:
955         (JSC::IsoCellSet::forEachMarkedCellInParallel):
956         (JSC::IsoCellSet::forEachLiveCell):
957         * heap/LargeAllocation.h:
958         (JSC::LargeAllocation::subspace const):
959         * heap/MarkStackMergingConstraint.cpp:
960         (JSC::MarkStackMergingConstraint::executeImpl):
961         * heap/MarkStackMergingConstraint.h:
962         * heap/MarkedAllocator.cpp:
963         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
964         * heap/MarkedBlock.cpp:
965         (JSC::MarkedBlock::Handle::didAddToAllocator):
966         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
967         * heap/MarkedBlock.h:
968         (JSC::MarkedBlock::subspace const):
969         * heap/MarkedBlockInlines.h:
970         (JSC::MarkedBlock::Handle::forEachLiveCell):
971         * heap/MarkedSpaceInlines.h:
972         (JSC::MarkedSpace::forEachLiveCell):
973         * heap/MarkingConstraint.cpp:
974         (JSC::MarkingConstraint::execute):
975         (JSC::MarkingConstraint::doParallelWork):
976         (JSC::MarkingConstraint::finishParallelWork): Deleted.
977         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
978         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
979         * heap/MarkingConstraint.h:
980         * heap/MarkingConstraintSet.cpp:
981         (JSC::MarkingConstraintSet::add):
982         * heap/MarkingConstraintSet.h:
983         (JSC::MarkingConstraintSet::add):
984         * heap/MarkingConstraintSolver.cpp:
985         (JSC::MarkingConstraintSolver::execute):
986         (JSC::MarkingConstraintSolver::addParallelTask):
987         (JSC::MarkingConstraintSolver::runExecutionThread):
988         (JSC::MarkingConstraintSolver::didExecute): Deleted.
989         * heap/MarkingConstraintSolver.h:
990         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
991         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
992         * heap/SimpleMarkingConstraint.cpp:
993         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
994         (JSC::SimpleMarkingConstraint::executeImpl):
995         * heap/SimpleMarkingConstraint.h:
996         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
997         * heap/SlotVisitor.cpp:
998         (JSC::SlotVisitor::addParallelConstraintTask):
999         * heap/SlotVisitor.h:
1000         * heap/Subspace.cpp:
1001         (JSC::Subspace::sweep):
1002         * heap/Subspace.h:
1003         * heap/SubspaceInlines.h:
1004         (JSC::Subspace::forEachLiveCell):
1005         * llint/LowLevelInterpreter.asm:
1006         * runtime/EvalExecutable.cpp:
1007         (JSC::EvalExecutable::visitChildren):
1008         * runtime/EvalExecutable.h:
1009         (JSC::EvalExecutable::codeBlock):
1010         * runtime/FunctionExecutable.cpp:
1011         (JSC::FunctionExecutable::baselineCodeBlockFor):
1012         (JSC::FunctionExecutable::visitChildren):
1013         * runtime/FunctionExecutable.h:
1014         * runtime/JSType.h:
1015         * runtime/ModuleProgramExecutable.cpp:
1016         (JSC::ModuleProgramExecutable::visitChildren):
1017         * runtime/ModuleProgramExecutable.h:
1018         * runtime/ProgramExecutable.cpp:
1019         (JSC::ProgramExecutable::visitChildren):
1020         * runtime/ProgramExecutable.h:
1021         * runtime/ScriptExecutable.cpp:
1022         (JSC::ScriptExecutable::installCode):
1023         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
1024         * runtime/VM.cpp:
1025         (JSC::VM::VM):
1026         * runtime/VM.h:
1027         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
1028         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
1029         (JSC::VM::forEachCodeBlockSpace):
1030         * runtime/VMTraps.cpp:
1031         (JSC::VMTraps::handleTraps):
1032         * tools/VMInspector.cpp:
1033         (JSC::VMInspector::codeBlockForMachinePC):
1034         (JSC::VMInspector::isValidCodeBlock):
1035
1036 2018-01-11  Michael Saboff  <msaboff@apple.com>
1037
1038         Add a DOM gadget for Spectre testing
1039         https://bugs.webkit.org/show_bug.cgi?id=181351
1040
1041         Reviewed by Ryosuke Niwa.
1042
1043         * runtime/Options.h:
1044
1045 2018-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1046
1047         [DFG][FTL] regExpMatchFast should be handled
1048         https://bugs.webkit.org/show_bug.cgi?id=180988
1049
1050         Reviewed by Mark Lam.
1051
1052         RegExp.prototype.@@match has a fast path, @regExpMatchFast. This patch annotates this function
1053         with RegExpMatchFastIntrinsic, and introduces RegExpMatch DFG node. This paves the way to
1054         make NewRegexp PhantomNewRegexp if it is not used except for setting/getting its lastIndex property.
1055
1056         To improve RegExp.prototype.@@match's performance further, we make this builtin function small by moving the
1057         slow path part to the `@matchSlow()` private function.
1058
1059         It substantially improves SixSpeed regex-u.{es5,es6}, since they stress String.prototype.match, which calls
1060         this regExpMatchFast function.
1061
1062                                  baseline                  patched
1063
1064         regex-u.es5          55.3835+-6.3002     ^     36.2431+-2.0797        ^ definitely 1.5281x faster
1065         regex-u.es6         110.4624+-6.2896     ^     94.1012+-7.2433        ^ definitely 1.1739x faster
1066
1067         * builtins/RegExpPrototype.js:
1068         (globalPrivate.matchSlow):
1069         (overriddenName.string_appeared_here.match):
1070         * dfg/DFGAbstractInterpreterInlines.h:
1071         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1072         * dfg/DFGByteCodeParser.cpp:
1073         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1074         * dfg/DFGClobberize.h:
1075         (JSC::DFG::clobberize):
1076         * dfg/DFGDoesGC.cpp:
1077         (JSC::DFG::doesGC):
1078         * dfg/DFGFixupPhase.cpp:
1079         (JSC::DFG::FixupPhase::fixupNode):
1080         * dfg/DFGNode.h:
1081         (JSC::DFG::Node::hasHeapPrediction):
1082         * dfg/DFGNodeType.h:
1083         * dfg/DFGOperations.cpp:
1084         * dfg/DFGOperations.h:
1085         * dfg/DFGPredictionPropagationPhase.cpp:
1086         * dfg/DFGSafeToExecute.h:
1087         (JSC::DFG::safeToExecute):
1088         * dfg/DFGSpeculativeJIT.cpp:
1089         (JSC::DFG::SpeculativeJIT::compileRegExpMatch):
1090         * dfg/DFGSpeculativeJIT.h:
1091         * dfg/DFGSpeculativeJIT32_64.cpp:
1092         (JSC::DFG::SpeculativeJIT::compile):
1093         * dfg/DFGSpeculativeJIT64.cpp:
1094         (JSC::DFG::SpeculativeJIT::compile):
1095         * ftl/FTLCapabilities.cpp:
1096         (JSC::FTL::canCompile):
1097         * ftl/FTLLowerDFGToB3.cpp:
1098         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1099         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatch):
1100         * runtime/Intrinsic.cpp:
1101         (JSC::intrinsicName):
1102         * runtime/Intrinsic.h:
1103         * runtime/JSGlobalObject.cpp:
1104         (JSC::JSGlobalObject::init):
1105         * runtime/RegExpPrototype.cpp:
1106         (JSC::regExpProtoFuncMatchFast):
1107
1108 2018-01-11  Saam Barati  <sbarati@apple.com>
1109
1110         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1111         https://bugs.webkit.org/show_bug.cgi?id=181508
1112
1113         Reviewed by Yusuke Suzuki.
1114
1115         Our for-in caching would cache structure chains that had prototypes with
1116         indexed properties. Clearly this is wrong. This caching breaks when a prototype
1117         adds new indexed properties. We would continue to enumerate the old cached
1118         state of properties, and not include the new indexed properties.
1119         
1120         The old code used to prevent caching only if the base structure had
1121         indexed properties. This patch extends it to prevent caching if the
1122         base, or any structure in the prototype chain, has indexed properties.
1123
1124         * runtime/Structure.cpp:
1125         (JSC::Structure::canCachePropertyNameEnumerator const):
1126
1127 2018-01-10  JF Bastien  <jfbastien@apple.com>
1128
1129         Poison small JSObject derivatives which only contain pointers
1130         https://bugs.webkit.org/show_bug.cgi?id=181483
1131         <rdar://problem/36407127>
1132
1133         Reviewed by Mark Lam.
1134
1135         I wrote a script that finds interesting things to poison or
1136         generally harden. These stood out because they derive from
1137         JSObject and only contain a few pointer or pointer-like fields,
1138         and could therefore just be poisoned. This also requires some
1139         template "improvements" to our poisoning machinery. Worth noting
1140         is that I'm making PoisonedUniquePtr move-assignable and
1141         move-constructible from unique_ptr, which makes it a better
1142         drop-in replacement because we don't need to use
1143         makePoisonedUniquePtr. This means function-locals can be
1144         unique_ptr and get the nice RAII pattern, and once the function is
1145         done you can just move to the class' PoisonedUniquePtr without
1146         worrying.
1147
1148         * API/JSAPIWrapperObject.h:
1149         (JSC::JSAPIWrapperObject::wrappedObject):
1150         * API/JSAPIWrapperObject.mm:
1151         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
1152         * API/JSCallbackObject.h:
1153         * runtime/ArrayPrototype.h:
1154         * runtime/DateInstance.h:
1155         * runtime/JSArrayBuffer.cpp:
1156         (JSC::JSArrayBuffer::finishCreation):
1157         (JSC::JSArrayBuffer::isShared const):
1158         (JSC::JSArrayBuffer::sharingMode const):
1159         * runtime/JSArrayBuffer.h:
1160         * runtime/JSCPoison.h:
1161
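As an added illustration of the pattern the entry above describes (this is not WebKit's code; WTF's real Poisoned and PoisonedUniquePtr types, their key derivation and their template machinery differ), the following C++ sketches a unique-pointer wrapper that stores its pointer XORed with a key and can be constructed and assigned from a std::unique_ptr, so a function-local unique_ptr can be moved into the poisoned member without a helper such as makePoisonedUniquePtr. The XOR scheme, the hard-coded key, and the Payload and Holder types are assumptions made for this example.

```cpp
#include <cstdint>
#include <memory>
#include <utility>

// Simplified pointer poisoning. This is an illustration of the pattern only;
// it is not WebKit's WTF::Poisoned / PoisonedUniquePtr. The XOR-with-key
// scheme and the fixed key below are assumptions made for this example.
//
// The word stored in the object is (pointer ^ Key), so a raw read of the
// field, e.g. through a type-confused object, yields a value that is not a
// valid heap address. Every use goes through get(), which unpoisons it.
template<typename T, uintptr_t Key>
class PoisonedUniquePtr {
public:
    PoisonedUniquePtr() = default;

    // Construction and assignment from std::unique_ptr: callers keep a plain
    // unique_ptr as a function local (RAII on early return) and move it into
    // the poisoned member when done. Poisoning happens at this boundary.
    PoisonedUniquePtr(std::unique_ptr<T>&& ptr)
        : m_bits(poison(ptr.release())) { }

    PoisonedUniquePtr& operator=(std::unique_ptr<T>&& ptr)
    {
        reset(ptr.release());
        return *this;
    }

    PoisonedUniquePtr(const PoisonedUniquePtr&) = delete;
    PoisonedUniquePtr& operator=(const PoisonedUniquePtr&) = delete;

    ~PoisonedUniquePtr() { reset(nullptr); }

    T* get() const { return unpoison(m_bits); }
    T* operator->() const { return get(); }
    explicit operator bool() const { return m_bits != 0; }

    // Raw word as it sits in memory; exposed so the example can show that it
    // differs from the real address.
    uintptr_t storedBits() const { return m_bits; }

private:
    static uintptr_t poison(T* ptr)
    {
        return ptr ? (reinterpret_cast<uintptr_t>(ptr) ^ Key) : 0;
    }
    static T* unpoison(uintptr_t bits)
    {
        return bits ? reinterpret_cast<T*>(bits ^ Key) : nullptr;
    }
    void reset(T* ptr)
    {
        delete unpoison(m_bits);
        m_bits = poison(ptr);
    }

    uintptr_t m_bits { 0 };
};

// Assumed key. A real implementation derives its keys at process start from
// a cryptographically secure random source instead of hard-coding them.
constexpr uintptr_t kExampleKey = static_cast<uintptr_t>(0x5A5A5A5A5A5A5A5AULL);

// Hypothetical payload and owner types, standing in for a small JSObject
// derivative whose only fields are pointers.
struct Payload {
    int value { 0 };
};

struct Holder {
    PoisonedUniquePtr<Payload, kExampleKey> payload;
};

// Build the payload as a local unique_ptr, move it into the poisoned member,
// and read it back through the accessor.
int valueThroughPoisonedPointer(int v)
{
    std::unique_ptr<Payload> local = std::make_unique<Payload>();
    local->value = v;
    Holder holder;
    holder.payload = std::move(local); // auto-poisons on conversion
    return holder.payload->value;
}

// The in-memory word is the address XOR the key, not the address itself.
bool storedBitsDifferFromAddress()
{
    Holder holder;
    holder.payload = std::make_unique<Payload>();
    uintptr_t real = reinterpret_cast<uintptr_t>(holder.payload.get());
    return holder.payload.storedBits() != real
        && (holder.payload.storedBits() ^ kExampleKey) == real;
}
```

The security point is the one the entry relies on: an attacker who can read the field through the wrong type (type confusion, or a stale reference after the owner dies) sees a word that is not a usable address unless they also know the key, and giving each class its own key means a poisoned pointer of one kind is not trivially substitutable for another. The converting constructor and assignment operator are what make the wrapper a drop-in replacement: nothing at the call site changes except the type of the member.
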
1162 2018-01-10  Commit Queue  <commit-queue@webkit.org>
1163
1164         Unreviewed, rolling out r226667 and r226673.
1165         https://bugs.webkit.org/show_bug.cgi?id=181488
1166
1167         This caused a flaky crash. (Requested by mlewis13 on #webkit).
1168
1169         Reverted changesets:
1170
1171         "CodeBlocks should be in IsoSubspaces"
1172         https://bugs.webkit.org/show_bug.cgi?id=180884
1173         https://trac.webkit.org/changeset/226667
1174
1175         "REGRESSION (r226667): CodeBlocks should be in IsoSubspaces"
1176         https://bugs.webkit.org/show_bug.cgi?id=180884
1177         https://trac.webkit.org/changeset/226673
1178
1179 2018-01-09  David Kilzer  <ddkilzer@apple.com>
1180
1181         REGRESSION (r226667): CodeBlocks should be in IsoSubspaces
1182         <https://bugs.webkit.org/show_bug.cgi?id=180884>
1183
1184         Fixes the following build error:
1185
1186             heap/Heap.cpp:2708:10: error: lambda capture 'this' is not used [-Werror,-Wunused-lambda-capture]
1187
1188         * heap/Heap.cpp:
1189         (JSC::Heap::addCoreConstraints): Remove 'this' from lambda to
1190         fix the build.
1191
1192 2018-01-09  Keith Miller  <keith_miller@apple.com>
1193
1194         and32 with an Address source on ARM64 did not invalidate dataTempRegister
1195         https://bugs.webkit.org/show_bug.cgi?id=181467
1196
1197         Reviewed by Michael Saboff.
1198
1199         * assembler/MacroAssemblerARM64.h:
1200         (JSC::MacroAssemblerARM64::and32):
1201
1202 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
1203
1204         CodeBlocks should be in IsoSubspaces
1205         https://bugs.webkit.org/show_bug.cgi?id=180884
1206
1207         Reviewed by Saam Barati.
1208         
1209         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
1210         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
1211         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
1212         
1213         - Code block sweeping is now just eager sweeping. This means that it automatically takes
1214           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
1215           its eden set for.
1216         
1217         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
1218           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
1219           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
1220           longer has to clear the set of weakly visited code blocks. This also means that
1221           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
1222           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
1223           has IsoCellSets to tell us which edges have output constraints (what we used to call
1224           CodeBlock's weak reference harvester) and which have unconditional finalizers.
1225         
1226         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
1227         
1228         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
1229           handle requests from the sampler, debugger, and other facilities. They may want to ask
1230           if some pointer corresponds to a CodeBlock during stages of execution during which the
1231           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
1232           There is no way that the GC's isLive could tell us whether a CodeBlock that had already been
1233           allocated has now been fully constructed.
1234         
1235         * JavaScriptCore.xcodeproj/project.pbxproj:
1236         * Sources.txt:
1237         * bytecode/CodeBlock.cpp:
1238         (JSC::CodeBlock::CodeBlock):
1239         (JSC::CodeBlock::finishCreation):
1240         (JSC::CodeBlock::finishCreationCommon):
1241         (JSC::CodeBlock::~CodeBlock):
1242         (JSC::CodeBlock::visitChildren):
1243         (JSC::CodeBlock::propagateTransitions):
1244         (JSC::CodeBlock::determineLiveness):
1245         (JSC::CodeBlock::finalizeUnconditionally):
1246         (JSC::CodeBlock::stronglyVisitStrongReferences):
1247         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
1248         (JSC::CodeBlock::installVMTrapBreakpoints):
1249         (JSC::CodeBlock::dumpMathICStats):
1250         (JSC::CodeBlock::visitWeakly): Deleted.
1251         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
1252         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
1253         * bytecode/CodeBlock.h:
1254         (JSC::CodeBlock::subspaceFor):
1255         (JSC::CodeBlock::ownerEdge const):
1256         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
1257         * bytecode/EvalCodeBlock.h:
1258         (JSC::EvalCodeBlock::create): Deleted.
1259         (JSC::EvalCodeBlock::createStructure): Deleted.
1260         (JSC::EvalCodeBlock::variable): Deleted.
1261         (JSC::EvalCodeBlock::numVariables): Deleted.
1262         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
1263         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
1264         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
1265         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
1266         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
1267         (JSC::ExecutableToCodeBlockEdge::createStructure):
1268         (JSC::ExecutableToCodeBlockEdge::create):
1269         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1270         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
1271         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
1272         (JSC::ExecutableToCodeBlockEdge::activate):
1273         (JSC::ExecutableToCodeBlockEdge::deactivate):
1274         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
1275         (JSC::ExecutableToCodeBlockEdge::wrap):
1276         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
1277         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
1278         (JSC::ExecutableToCodeBlockEdge::runConstraint):
1279         * bytecode/ExecutableToCodeBlockEdge.h: Added.
1280         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
1281         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
1282         (JSC::ExecutableToCodeBlockEdge::unwrap):
1283         * bytecode/FunctionCodeBlock.h:
1284         (JSC::FunctionCodeBlock::subspaceFor):
1285         (JSC::FunctionCodeBlock::createStructure):
1286         * bytecode/ModuleProgramCodeBlock.h:
1287         (JSC::ModuleProgramCodeBlock::create): Deleted.
1288         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
1289         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
1290         * bytecode/ProgramCodeBlock.h:
1291         (JSC::ProgramCodeBlock::create): Deleted.
1292         (JSC::ProgramCodeBlock::createStructure): Deleted.
1293         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
1294         * debugger/Debugger.cpp:
1295         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
1296         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
1297         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
1298         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
1299         * heap/CodeBlockSet.cpp:
1300         (JSC::CodeBlockSet::contains):
1301         (JSC::CodeBlockSet::dump const):
1302         (JSC::CodeBlockSet::add):
1303         (JSC::CodeBlockSet::remove):
1304         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
1305         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
1306         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
1307         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
1308         * heap/CodeBlockSet.h:
1309         * heap/CodeBlockSetInlines.h:
1310         (JSC::CodeBlockSet::iterate):
1311         (JSC::CodeBlockSet::iterateViaSubspaces):
1312         * heap/ConservativeRoots.cpp:
1313         (JSC::ConservativeRoots::genericAddPointer):
1314         (JSC::DummyMarkHook::markKnownJSCell):
1315         (JSC::CompositeMarkHook::mark):
1316         (JSC::CompositeMarkHook::markKnownJSCell):
1317         * heap/ConservativeRoots.h:
1318         * heap/Heap.cpp:
1319         (JSC::Heap::lastChanceToFinalize):
1320         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
1321         (JSC::Heap::finalizeUnconditionalFinalizers):
1322         (JSC::Heap::beginMarking):
1323         (JSC::Heap::deleteUnmarkedCompiledCode):
1324         (JSC::Heap::sweepInFinalize):
1325         (JSC::Heap::forEachCodeBlockImpl):
1326         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
1327         (JSC::Heap::addCoreConstraints):
1328         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
1329         * heap/Heap.h:
1330         * heap/HeapCell.h:
1331         * heap/HeapCellInlines.h:
1332         (JSC::HeapCell::subspace const):
1333         * heap/HeapInlines.h:
1334         (JSC::Heap::forEachCodeBlock):
1335         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
1336         * heap/HeapUtil.h:
1337         (JSC::HeapUtil::findGCObjectPointersForMarking):
1338         * heap/IsoCellSet.cpp:
1339         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
1340         * heap/IsoCellSet.h:
1341         * heap/IsoCellSetInlines.h:
1342         (JSC::IsoCellSet::forEachMarkedCellInParallel):
1343         (JSC::IsoCellSet::forEachLiveCell):
1344         * heap/LargeAllocation.h:
1345         (JSC::LargeAllocation::subspace const):
1346         * heap/MarkStackMergingConstraint.cpp:
1347         (JSC::MarkStackMergingConstraint::executeImpl):
1348         * heap/MarkStackMergingConstraint.h:
1349         * heap/MarkedAllocator.cpp:
1350         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
1351         * heap/MarkedBlock.cpp:
1352         (JSC::MarkedBlock::Handle::didAddToAllocator):
1353         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
1354         * heap/MarkedBlock.h:
1355         (JSC::MarkedBlock::subspace const):
1356         * heap/MarkedBlockInlines.h:
1357         (JSC::MarkedBlock::Handle::forEachLiveCell):
1358         * heap/MarkedSpaceInlines.h:
1359         (JSC::MarkedSpace::forEachLiveCell):
1360         * heap/MarkingConstraint.cpp:
1361         (JSC::MarkingConstraint::execute):
1362         (JSC::MarkingConstraint::doParallelWork):
1363         (JSC::MarkingConstraint::finishParallelWork): Deleted.
1364         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
1365         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
1366         * heap/MarkingConstraint.h:
1367         * heap/MarkingConstraintSet.cpp:
1368         (JSC::MarkingConstraintSet::add):
1369         * heap/MarkingConstraintSet.h:
1370         (JSC::MarkingConstraintSet::add):
1371         * heap/MarkingConstraintSolver.cpp:
1372         (JSC::MarkingConstraintSolver::execute):
1373         (JSC::MarkingConstraintSolver::addParallelTask):
1374         (JSC::MarkingConstraintSolver::runExecutionThread):
1375         (JSC::MarkingConstraintSolver::didExecute): Deleted.
1376         * heap/MarkingConstraintSolver.h:
1377         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
1378         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
1379         * heap/SimpleMarkingConstraint.cpp:
1380         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
1381         (JSC::SimpleMarkingConstraint::executeImpl):
1382         * heap/SimpleMarkingConstraint.h:
1383         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
1384         * heap/SlotVisitor.cpp:
1385         (JSC::SlotVisitor::addParallelConstraintTask):
1386         * heap/SlotVisitor.h:
1387         * heap/Subspace.cpp:
1388         (JSC::Subspace::sweep):
1389         * heap/Subspace.h:
1390         * heap/SubspaceInlines.h:
1391         (JSC::Subspace::forEachLiveCell):
1392         * llint/LowLevelInterpreter.asm:
1393         * runtime/EvalExecutable.cpp:
1394         (JSC::EvalExecutable::visitChildren):
1395         * runtime/EvalExecutable.h:
1396         (JSC::EvalExecutable::codeBlock):
1397         * runtime/FunctionExecutable.cpp:
1398         (JSC::FunctionExecutable::baselineCodeBlockFor):
1399         (JSC::FunctionExecutable::visitChildren):
1400         * runtime/FunctionExecutable.h:
1401         * runtime/JSType.h:
1402         * runtime/ModuleProgramExecutable.cpp:
1403         (JSC::ModuleProgramExecutable::visitChildren):
1404         * runtime/ModuleProgramExecutable.h:
1405         * runtime/ProgramExecutable.cpp:
1406         (JSC::ProgramExecutable::visitChildren):
1407         * runtime/ProgramExecutable.h:
1408         * runtime/ScriptExecutable.cpp:
1409         (JSC::ScriptExecutable::installCode):
1410         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
1411         * runtime/VM.cpp:
1412         (JSC::VM::VM):
1413         * runtime/VM.h:
1414         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
1415         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
1416         (JSC::VM::forEachCodeBlockSpace):
1417         * runtime/VMTraps.cpp:
1418         (JSC::VMTraps::handleTraps):
1419         * tools/VMInspector.cpp:
1420         (JSC::VMInspector::codeBlockForMachinePC):
1421         (JSC::VMInspector::isValidCodeBlock):
1422
1423 2018-01-09  Michael Saboff  <msaboff@apple.com>
1424
1425         Unreviewed, rolling out r226600 and r226603
1426         https://bugs.webkit.org/show_bug.cgi?id=181351
1427
1428         Add a DOM gadget for Spectre testing
1429
1430         * runtime/Options.h:
1431
1432 2018-01-09  Saam Barati  <sbarati@apple.com>
1433
1434         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
1435         https://bugs.webkit.org/show_bug.cgi?id=181409
1436
1437         Reviewed by Keith Miller.
1438
1439         When I was looking at profiler data for Speedometer, I noticed that one of
1440         the hottest functions in Speedometer is around 1100 bytecode operations long.
1441         Only about 100 of those bytecode ops ever execute. However, we ended up
1442         spending a lot of time compiling basic blocks that never executed. We often
1443         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
1444         This is the case when such a node never executes.
1445         
1446         This patch makes it so that anytime a block has a ForceOSRExit, we replace its
1447         terminal node with an Unreachable node (and remove all nodes after the
1448         ForceOSRExit). This will cut down on graph size when such a block dominates
1449         other blocks in the CFG. This allows us to get rid of huge chunks of the CFG
1450         in certain programs. When doing this transformation, we also insert
1451         Flushes/PhantomLocals to ensure we can recover values that are bytecode
1452         live-in to the ForceOSRExit.
1453         
1454         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
1455         does not get rid of all the CFG that it could. If we decide it's worth
1456         it, we could use additional inputs into this mechanism. For example, we could
1457         profile if a basic block ever executes inside the LLInt/Baseline, and
1458         remove parts of the CFG based on that.
1459         
1460         When running Speedometer with the concurrent JIT turned off, this patch
1461         improves DFG/FTL compile times by around 5%.
1462
1463         * dfg/DFGByteCodeParser.cpp:
1464         (JSC::DFG::ByteCodeParser::addToGraph):
1465         (JSC::DFG::ByteCodeParser::parse):
1466
1467 2018-01-09  Mark Lam  <mark.lam@apple.com>
1468
1469         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1470         https://bugs.webkit.org/show_bug.cgi?id=181388
1471         <rdar://problem/36349351>
1472
1473         Reviewed by Saam Barati.
1474
1475         When there are duplicate setters or getters, we may end up overwriting a getter
1476         with a setter, or vice versa.  This patch adds tracking for getters/setters that
1477         have been overwritten with duplicates and ignores them.
1478
1479         * bytecompiler/NodesCodegen.cpp:
1480         (JSC::PropertyListNode::emitBytecode):
1481         * parser/NodeConstructors.h:
1482         (JSC::PropertyNode::PropertyNode):
1483         * parser/Nodes.h:
1484         (JSC::PropertyNode::isOverriddenByDuplicate const):
1485         (JSC::PropertyNode::setIsOverriddenByDuplicate):
1486
1487 2018-01-08  Zan Dobersek  <zdobersek@igalia.com>
1488
1489         REGRESSION(r225913): about 30 JSC test failures on ARMv7
1490         https://bugs.webkit.org/show_bug.cgi?id=181162
1491         <rdar://problem/36261349>
1492
1493         Unreviewed follow-up to r226298. Enable the fast case in
1494         DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform,
1495         assuming in good faith that enough GP registers are available on any
1496         such configuration. The accompanying comment is adjusted to describe
1497         this assumption.
1498
1499         * dfg/DFGSpeculativeJIT.cpp:
1500         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1501
1502 2018-01-08  JF Bastien  <jfbastien@apple.com>
1503
1504         WebAssembly: mask indexed accesses to Table
1505         https://bugs.webkit.org/show_bug.cgi?id=181412
1506         <rdar://problem/36363236>
1507
1508         Reviewed by Saam Barati.
1509
1510         WebAssembly Table indexed accesses are user-controlled and
1511         bounds-checked. Force allocations of Table data to be a
1512         power-of-two, and explicitly mask accesses after bounds-check
1513         branches.
1514
1515         Rename misleading usage of "size" when "length" of a Table was
1516         intended.
1517
1518         Rename the Spectre option from "disable" to "enable".
1519
1520         * dfg/DFGSpeculativeJIT.cpp:
1521         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1522         * ftl/FTLLowerDFGToB3.cpp:
1523         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
1524         * jit/JIT.cpp:
1525         (JSC::JIT::JIT):
1526         * runtime/Options.h:
1527         * wasm/WasmB3IRGenerator.cpp:
1528         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1529         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1530         * wasm/WasmTable.cpp:
1531         (JSC::Wasm::Table::allocatedLength):
1532         (JSC::Wasm::Table::setLength):
1533         (JSC::Wasm::Table::create):
1534         (JSC::Wasm::Table::Table):
1535         (JSC::Wasm::Table::grow):
1536         (JSC::Wasm::Table::clearFunction):
1537         (JSC::Wasm::Table::setFunction):
1538         * wasm/WasmTable.h:
1539         (JSC::Wasm::Table::length const):
1540         (JSC::Wasm::Table::offsetOfLength):
1541         (JSC::Wasm::Table::offsetOfMask):
1542         (JSC::Wasm::Table::mask const):
1543         (JSC::Wasm::Table::isValidLength):
1544         * wasm/js/JSWebAssemblyInstance.cpp:
1545         (JSC::JSWebAssemblyInstance::create):
1546         * wasm/js/JSWebAssemblyTable.cpp:
1547         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
1548         (JSC::JSWebAssemblyTable::visitChildren):
1549         (JSC::JSWebAssemblyTable::grow):
1550         (JSC::JSWebAssemblyTable::getFunction):
1551         (JSC::JSWebAssemblyTable::clearFunction):
1552         (JSC::JSWebAssemblyTable::setFunction):
1553         * wasm/js/JSWebAssemblyTable.h:
1554         (JSC::JSWebAssemblyTable::isValidLength):
1555         (JSC::JSWebAssemblyTable::length const):
1556         (JSC::JSWebAssemblyTable::allocatedLength const):
1557         * wasm/js/WebAssemblyModuleRecord.cpp:
1558         (JSC::WebAssemblyModuleRecord::evaluate):
1559         * wasm/js/WebAssemblyTablePrototype.cpp:
1560         (JSC::webAssemblyTableProtoFuncLength):
1561         (JSC::webAssemblyTableProtoFuncGrow):
1562         (JSC::webAssemblyTableProtoFuncGet):
1563         (JSC::webAssemblyTableProtoFuncSet):
1564
1565 2018-01-08  Michael Saboff  <msaboff@apple.com>
1566
1567         Add a DOM gadget for Spectre testing
1568         https://bugs.webkit.org/show_bug.cgi?id=181351
1569
1570         Reviewed by Michael Saboff.
1571
1572         Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
1573         Spectre mitigations.
1574
1575         * runtime/Options.h:
1576
1577 2018-01-08  Mark Lam  <mark.lam@apple.com>
1578
1579         Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
1580         https://bugs.webkit.org/show_bug.cgi?id=181403
1581         <rdar://problem/36359789>
1582
1583         Rubber-stamped by JF Bastien.
1584
1585         * bytecode/CodeBlock.cpp:
1586         (JSC::CodeBlock::CodeBlock):
1587         (JSC::CodeBlock::~CodeBlock):
1588         (JSC::CodeBlock::setConstantRegisters):
1589         (JSC::CodeBlock::propagateTransitions):
1590         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1591         (JSC::CodeBlock::jettison):
1592         (JSC::CodeBlock::predictedMachineCodeSize):
1593         * bytecode/CodeBlock.h:
1594         (JSC::CodeBlock::vm const):
1595         (JSC::CodeBlock::addConstant):
1596         (JSC::CodeBlock::heap const):
1597         (JSC::CodeBlock::replaceConstant):
1598         * llint/LowLevelInterpreter.asm:
1599         * llint/LowLevelInterpreter32_64.asm:
1600         * llint/LowLevelInterpreter64.asm:
1601
1602 2018-01-07  Mark Lam  <mark.lam@apple.com>
1603
1604         Apply poisoning to more pointers in JSC.
1605         https://bugs.webkit.org/show_bug.cgi?id=181096
1606         <rdar://problem/36182970>
1607
1608         Reviewed by JF Bastien.
1609
1610         * assembler/MacroAssembler.h:
1611         (JSC::MacroAssembler::xorPtr):
1612         * assembler/MacroAssemblerARM64.h:
1613         (JSC::MacroAssemblerARM64::xor64):
1614         * assembler/MacroAssemblerX86_64.h:
1615         (JSC::MacroAssemblerX86_64::xor64):
1616         - Add xorPtr implementation.
1617
1618         * bytecode/CodeBlock.cpp:
1619         (JSC::CodeBlock::inferredName const):
1620         (JSC::CodeBlock::CodeBlock):
1621         (JSC::CodeBlock::finishCreation):
1622         (JSC::CodeBlock::~CodeBlock):
1623         (JSC::CodeBlock::setConstantRegisters):
1624         (JSC::CodeBlock::visitWeakly):
1625         (JSC::CodeBlock::visitChildren):
1626         (JSC::CodeBlock::propagateTransitions):
1627         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
1628         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1629         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
1630         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
1631         (JSC::CodeBlock::jettison):
1632         (JSC::CodeBlock::predictedMachineCodeSize):
1633         (JSC::CodeBlock::findPC):
1634         * bytecode/CodeBlock.h:
1635         (JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
1636         (JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
1637         (JSC::CodeBlock::stubInfoBegin):
1638         (JSC::CodeBlock::stubInfoEnd):
1639         (JSC::CodeBlock::callLinkInfosBegin):
1640         (JSC::CodeBlock::callLinkInfosEnd):
1641         (JSC::CodeBlock::instructions):
1642         (JSC::CodeBlock::instructions const):
1643         (JSC::CodeBlock::vm const):
1644         * dfg/DFGOSRExitCompilerCommon.h:
1645         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
1646         * jit/JIT.h:
1647         * llint/LLIntOfflineAsmConfig.h:
1648         * llint/LowLevelInterpreter.asm:
1649         * llint/LowLevelInterpreter64.asm:
1650         * parser/UnlinkedSourceCode.h:
1651         * runtime/JSCPoison.h:
1652         * runtime/JSGlobalObject.cpp:
1653         (JSC::JSGlobalObject::init):
1654         * runtime/JSGlobalObject.h:
1655         * runtime/JSScriptFetchParameters.h:
1656         * runtime/JSScriptFetcher.h:
1657         * runtime/StructureTransitionTable.h:
1658         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1659         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1660         (JSC::JSWebAssemblyCodeBlock::visitChildren):
1661         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
1662         * wasm/js/JSWebAssemblyCodeBlock.h:
1663
1664 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1665
1666         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1667         https://bugs.webkit.org/show_bug.cgi?id=181321
1668
1669         Reviewed by Saam Barati.
1670
1671         According to ECMA262 16.2[1], functions created using the bind method must not have
1672         "caller" and "arguments" own properties.
1673
1674         [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions
1675
1676         * runtime/JSBoundFunction.cpp:
1677         (JSC::JSBoundFunction::finishCreation):
1678
1679 2018-01-05  JF Bastien  <jfbastien@apple.com>
1680
1681         WebAssembly: poison JS object's secrets
1682         https://bugs.webkit.org/show_bug.cgi?id=181339
1683         <rdar://problem/36325001>
1684
1685         Reviewed by Mark Lam.
1686
1687         Separating WebAssembly's JS objects from their non-JS
1688         implementation means that all interesting information lives
1689         outside of the JS object itself. This patch poisons each JS
1690         object's pointer to non-JS implementation using the poisoning
1691         mechanism and a unique key per JS object type origin.
1692
1693         * runtime/JSCPoison.h:
1694         * wasm/js/JSToWasm.cpp:
1695         (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
1696         object in a stack slot when fast TLS is disabled. This requires
1697         that we unpoison the Wasm::Instance.
1698         * wasm/js/JSWebAssemblyCodeBlock.h:
1699         * wasm/js/JSWebAssemblyInstance.h:
1700         (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
1701         be explicit that the pointer is poisoned.
1702         * wasm/js/JSWebAssemblyMemory.h:
1703         * wasm/js/JSWebAssemblyModule.h:
1704         * wasm/js/JSWebAssemblyTable.h:
1705
1706 2018-01-05  Michael Saboff  <msaboff@apple.com>
1707
1708         Add ability to disable indexed property masking for testing
1709         https://bugs.webkit.org/show_bug.cgi?id=181350
1710
1711         Reviewed by Keith Miller.
1712
1713         Made the masking of indexed properties runtime controllable via a new JSC::Option
1714         named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.
1715
1716         The new option has a generic name as it will probably be used to disable future mitigations.
1717
1718         * dfg/DFGSpeculativeJIT.cpp:
1719         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1720         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
1721         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1722         * dfg/DFGSpeculativeJIT.h:
1723         * dfg/DFGSpeculativeJIT64.cpp:
1724         (JSC::DFG::SpeculativeJIT::compile):
1725         * ftl/FTLLowerDFGToB3.cpp:
1726         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
1727         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
1728         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
1729         * jit/JIT.cpp:
1730         (JSC::JIT::JIT):
1731         * jit/JIT.h:
1732         * jit/JITPropertyAccess.cpp:
1733         (JSC::JIT::emitDoubleLoad):
1734         (JSC::JIT::emitContiguousLoad):
1735         (JSC::JIT::emitArrayStorageLoad):
1736         * runtime/Options.h:
1737         * wasm/WasmB3IRGenerator.cpp:
1738         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1739
1740 2018-01-05  Michael Saboff  <msaboff@apple.com>
1741
1742         Allow JSC Config Files to set Restricted Options
1743         https://bugs.webkit.org/show_bug.cgi?id=181352
1744
1745         Reviewed by Mark Lam.
1746
1747         * runtime/ConfigFile.cpp:
1748         (JSC::ConfigFile::parse):
1749
1750 2018-01-04  Keith Miller  <keith_miller@apple.com>
1751
1752         TypedArrays and Wasm should use index masking.
1753         https://bugs.webkit.org/show_bug.cgi?id=181313
1754
1755         Reviewed by Michael Saboff.
1756
1757         We should have index masking for our TypedArray code in the
1758         DFG/FTL and for Wasm when doing bounds checking. Index masking for
1759         Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
1760         WasmBoundsCheckValues we don't need to worry about combining a
1761         bounds check for a load and a store. I went with fusing the
1762         pointer masking in the WasmBoundsCheckValue since it should reduce
1763         additional compiler overhead.
1764
1765         * b3/B3LowerToAir.cpp:
1766         * b3/B3Validate.cpp:
1767         * b3/B3WasmBoundsCheckValue.cpp:
1768         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
1769         (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
1770         * b3/B3WasmBoundsCheckValue.h:
1771         (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
1772         * b3/air/AirCustom.h:
1773         (JSC::B3::Air::WasmBoundsCheckCustom::generate):
1774         * b3/testb3.cpp:
1775         (JSC::B3::testWasmBoundsCheck):
1776         * dfg/DFGSpeculativeJIT.cpp:
1777         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1778         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
1779         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1780         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1781         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1782         * dfg/DFGSpeculativeJIT.h:
1783         * dfg/DFGSpeculativeJIT64.cpp:
1784         (JSC::DFG::SpeculativeJIT::compile):
1785         * ftl/FTLLowerDFGToB3.cpp:
1786         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
1787         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1788         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1789         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
1790         * jit/JITPropertyAccess.cpp:
1791         (JSC::JIT::emitIntTypedArrayGetByVal):
1792         * runtime/Butterfly.h:
1793         (JSC::Butterfly::computeIndexingMask const):
1794         (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
1795         * runtime/JSArrayBufferView.cpp:
1796         (JSC::JSArrayBufferView::JSArrayBufferView):
1797         * wasm/WasmB3IRGenerator.cpp:
1798         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1799         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1800         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1801         (JSC::Wasm::B3IRGenerator::load):
1802         (JSC::Wasm::B3IRGenerator::store):
1803         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1804         * wasm/WasmBinding.cpp:
1805         (JSC::Wasm::wasmToWasm):
1806         * wasm/WasmMemory.cpp:
1807         (JSC::Wasm::Memory::Memory):
1808         (JSC::Wasm::Memory::grow):
1809         * wasm/WasmMemory.h:
1810         (JSC::Wasm::Memory::offsetOfIndexingMask):
1811         * wasm/WasmMemoryInformation.cpp:
1812         (JSC::Wasm::PinnedRegisterInfo::get):
1813         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1814         * wasm/WasmMemoryInformation.h:
1815         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1816         * wasm/js/JSToWasm.cpp:
1817         (JSC::Wasm::createJSToWasmWrapper):
1818
1819 2018-01-05  Commit Queue  <commit-queue@webkit.org>
1820
1821         Unreviewed, rolling out r226434.
1822         https://bugs.webkit.org/show_bug.cgi?id=181322
1823
1824         32bit JSC failure in x86 (Requested by yusukesuzuki on
1825         #webkit).
1826
1827         Reverted changeset:
1828
1829         "[DFG] Unify ToNumber implementation in 32bit and 64bit by
1830         changing 32bit Int32Tag and LowestTag"
1831         https://bugs.webkit.org/show_bug.cgi?id=181134
1832         https://trac.webkit.org/changeset/226434
1833
1834 2018-01-04  Devin Rousso  <webkit@devinrousso.com>
1835
1836         Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
1837         https://bugs.webkit.org/show_bug.cgi?id=180770
1838
1839         Reviewed by Joseph Pecoraro.
1840
1841         * inspector/protocol/Canvas.json:
1842
1843 2018-01-04  Commit Queue  <commit-queue@webkit.org>
1844
1845         Unreviewed, rolling out r226405.
1846         https://bugs.webkit.org/show_bug.cgi?id=181318
1847
1848         Speculative rollout due to Octane/SplayLatency,Octane/Splay
1849         regressions (Requested by yusukesuzuki on #webkit).
1850
1851         Reverted changeset:
1852
1853         "[JSC] Create parallel SlotVisitors apriori"
1854         https://bugs.webkit.org/show_bug.cgi?id=180907
1855         https://trac.webkit.org/changeset/226405
1856
1857 2018-01-04  Saam Barati  <sbarati@apple.com>
1858
1859         Do value profiling in to_this
1860         https://bugs.webkit.org/show_bug.cgi?id=181299
1861
1862         Reviewed by Filip Pizlo.
1863
1864         This patch adds value profiling to to_this. We use the result of the value
1865         profiling only for strict mode code when we don't predict that the input is
1866         of a specific type. This helps when the input is SpecCellOther. Such cells
1867         might implement a custom ToThis, which can produce an arbitrary result. Before
1868         this patch, in prediction propagation, we were saying that a ToThis with a
1869         SpecCellOther input also produced SpecCellOther. However, this is incorrect,
1870         given that the input may implement ToThis that produces an arbitrary result.
1871         This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.
1872         
1873         Interestingly, this patch only does value profiling on the slow path. The fast
1874         path of to_this in the LLInt/baseline just performs a structure check. If it
1875         passes, the result is the same as the input. Therefore, doing value profiling
1876         from the fast path wouldn't actually produce new information for the ValueProfile.
1877
1878         * bytecode/BytecodeDumper.cpp:
1879         (JSC::BytecodeDumper<Block>::dumpBytecode):
1880         * bytecode/BytecodeList.json:
1881         * bytecode/CodeBlock.cpp:
1882         (JSC::CodeBlock::finishCreation):
1883         * bytecompiler/BytecodeGenerator.cpp:
1884         (JSC::BytecodeGenerator::BytecodeGenerator):
1885         (JSC::BytecodeGenerator::emitToThis):
1886         * bytecompiler/BytecodeGenerator.h:
1887         * dfg/DFGByteCodeParser.cpp:
1888         (JSC::DFG::ByteCodeParser::parseBlock):
1889         * dfg/DFGNode.h:
1890         (JSC::DFG::Node::hasHeapPrediction):
1891         * dfg/DFGPredictionPropagationPhase.cpp:
1892         * runtime/CommonSlowPaths.cpp:
1893         (JSC::SLOW_PATH_DECL):
1894
1895 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1896
1897         [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
1898         https://bugs.webkit.org/show_bug.cgi?id=181134
1899
1900         Reviewed by Mark Lam.
1901
1902         We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
1903         branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
1904         an additional scratch register. We do not want to allocate an unnecessary register in 64bit
1905         implementation.
1906
1907         This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
1908         and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
1909         setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
1910         `<= LowestTag(Int32Tag)`.
1911
1912         We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.
1913
1914         We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.
1915
1916         * dfg/DFGSpeculativeJIT.cpp:
1917         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1918         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1919         (JSC::DFG::SpeculativeJIT::speculateNumber):
1920         (JSC::DFG::SpeculativeJIT::speculateMisc):
1921         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1922         (JSC::DFG::SpeculativeJIT::compileToNumber):
1923         * dfg/DFGSpeculativeJIT.h:
1924         * dfg/DFGSpeculativeJIT32_64.cpp:
1925         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1926         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1927         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1928         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1929         (JSC::DFG::SpeculativeJIT::compile):
1930         * dfg/DFGSpeculativeJIT64.cpp:
1931         (JSC::DFG::SpeculativeJIT::compile):
1932         * jit/AssemblyHelpers.cpp:
1933         (JSC::AssemblyHelpers::branchIfNotType):
1934         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
1935         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1936         * jit/AssemblyHelpers.h:
1937         (JSC::AssemblyHelpers::branchIfMisc):
1938         (JSC::AssemblyHelpers::branchIfNotMisc):
1939         (JSC::AssemblyHelpers::branchIfNumber):
1940         (JSC::AssemblyHelpers::branchIfNotNumber):
1941         (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
1942         (JSC::AssemblyHelpers::emitTypeOf):
1943         * jit/JITAddGenerator.cpp:
1944         (JSC::JITAddGenerator::generateFastPath):
1945         * jit/JITArithmetic32_64.cpp:
1946         (JSC::JIT::emitBinaryDoubleOp):
1947         * jit/JITDivGenerator.cpp:
1948         (JSC::JITDivGenerator::loadOperand):
1949         * jit/JITMulGenerator.cpp:
1950         (JSC::JITMulGenerator::generateInline):
1951         (JSC::JITMulGenerator::generateFastPath):
1952         * jit/JITNegGenerator.cpp:
1953         (JSC::JITNegGenerator::generateInline):
1954         (JSC::JITNegGenerator::generateFastPath):
1955         * jit/JITOpcodes32_64.cpp:
1956         (JSC::JIT::emit_op_is_number):
1957         (JSC::JIT::emit_op_jeq_null):
1958         (JSC::JIT::emit_op_jneq_null):
1959         (JSC::JIT::emit_op_to_number):
1960         (JSC::JIT::emit_op_profile_type):
1961         * jit/JITRightShiftGenerator.cpp:
1962         (JSC::JITRightShiftGenerator::generateFastPath):
1963         * jit/JITSubGenerator.cpp:
1964         (JSC::JITSubGenerator::generateInline):
1965         (JSC::JITSubGenerator::generateFastPath):
1966         * llint/LLIntData.cpp:
1967         (JSC::LLInt::Data::performAssertions):
1968         * llint/LowLevelInterpreter.asm:
1969         * llint/LowLevelInterpreter32_64.asm:
1970         * runtime/JSCJSValue.h:
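
As an added illustration (not code from this patch or from JSC), the following C model of a 32_64-style tagged value uses constructed tag constants that satisfy the two invariants the entry states: Int32Tag is LowestTag, so a single compare decides whether a tag is a number, and (UndefinedTag | 1) == NullTag. The tag values and the canonical-NaN handling are assumptions for the example, not JSC's real constants.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Upper-word tags constructed for this example; they are NOT JSC's real
 * constants. Int32Tag is deliberately the lowest tag, and every double stored
 * by encodeDouble has an upper word of at most 0xfff00000, below every tag. */
static const uint32_t CellTag         = 0xffffffffu;
static const uint32_t EmptyValueTag   = 0xfffffffeu;
static const uint32_t DeletedValueTag = 0xfffffffdu;
static const uint32_t BooleanTag      = 0xfffffffcu;
static const uint32_t NullTag         = 0xfffffffbu;
static const uint32_t UndefinedTag    = 0xfffffffau; /* even, so (UndefinedTag | 1) == NullTag */
static const uint32_t Int32Tag        = 0xfffffff9u;
static const uint32_t LowestTag       = 0xfffffff9u; /* == Int32Tag */

typedef uint64_t EncodedValue; /* tag in the upper 32 bits, payload in the lower 32 */

static uint32_t tagOf(EncodedValue v) { return (uint32_t)(v >> 32); }

static EncodedValue encodeTagged(uint32_t tag, uint32_t payload)
{
    return ((EncodedValue)tag << 32) | payload;
}

static EncodedValue encodeInt32(int32_t i) { return encodeTagged(Int32Tag, (uint32_t)i); }

/* Doubles are stored as their raw bits. NaNs are canonicalized first so that
 * a NaN payload can never push the upper word up into the tag range. */
static EncodedValue encodeDouble(double d)
{
    if (isnan(d))
        return 0x7ff8000000000000ull; /* canonical quiet NaN, upper word 0x7ff80000 */
    EncodedValue bits;
    memcpy(&bits, &d, sizeof bits);
    return bits;
}

static double asDouble(EncodedValue v) { double d; memcpy(&d, &v, sizeof d); return d; }
static int32_t asInt32(EncodedValue v) { return (int32_t)(uint32_t)v; }

/* The one comparison branchIfNumber needs once Int32Tag == LowestTag:
 * an int32 tag hits equality, every double upper word falls strictly below,
 * and every other tag lies above. */
static bool isNumber(EncodedValue v) { return tagOf(v) <= LowestTag; }
static bool isDouble(EncodedValue v) { return tagOf(v) < LowestTag; }
static bool isInt32(EncodedValue v)  { return tagOf(v) == Int32Tag; }

/* Null-or-undefined in one test, relying on (UndefinedTag | 1) == NullTag. */
static bool isUndefinedOrNull(EncodedValue v) { return (tagOf(v) | 1) == NullTag; }
```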
1971
1972 2018-01-04  JF Bastien  <jfbastien@apple.com>
1973
1974         Add assembler support for x86 lfence and sfence
1975         https://bugs.webkit.org/show_bug.cgi?id=181311
1976         <rdar://problem/36301780>
1977
1978         Reviewed by Michael Saboff.
1979
1980         Useful for testing performance of serializing instructions (hint:
1981         it's not good).
1982
1983         * assembler/MacroAssemblerX86Common.h:
1984         (JSC::MacroAssemblerX86Common::lfence):
1985         (JSC::MacroAssemblerX86Common::sfence):
1986         * assembler/X86Assembler.h:
1987         (JSC::X86Assembler::lfence):
1988         (JSC::X86Assembler::sfence):
1989
1990 2018-01-04  Saam Barati  <sbarati@apple.com>
1991
1992         Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
1993         https://bugs.webkit.org/show_bug.cgi?id=181296
1994
1995         Reviewed by Filip Pizlo.
1996
1997         Inside Speedometer's Ember test, there is a recompile loop like:
1998         a: GetByVal(..., semanticOriginX)
1999         b: SetLocal(Cell:@a, semanticOriginX)
2000         
2001         where the cell check always fails. For reasons I didn't investigate, the
2002         baseline JIT's value profiling doesn't accurately capture the GetByVal's
2003         result.
2004         
2005         However, when compiling this cell speculation check in the DFG, we get a null
2006         MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
2007         this IR pattern because both @a and @b have the same semantic origin. We
2008         should not follow the same semantic origin heuristic when dealing with
2009         SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
2010         For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
2011         For this IR pattern, we will update the value profile for the semantic origin
2012         for @nodeWithHeapPrediction. So, for the Speedometer example above, we
2013         will correctly update the GetByVal's value profile, which will prevent
2014         an OSR exit loop.
2015
2016         * dfg/DFGGraph.cpp:
2017         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2018
2019 2018-01-04  Keith Miller  <keith_miller@apple.com>
2020
2021         Array Storage operations sometimes did not update the indexing mask correctly.
2022         https://bugs.webkit.org/show_bug.cgi?id=181301
2023
2024         Reviewed by Mark Lam.
2025
2026         I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
2027
2028         * runtime/JSArray.cpp:
2029         (JSC::JSArray::shiftCountWithArrayStorage):
2030         * runtime/JSObject.cpp:
2031         (JSC::JSObject::increaseVectorLength):
2032
2033 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2034
2035         [DFG] Define defs for MapSet/SetAdd to participate in CSE
2036         https://bugs.webkit.org/show_bug.cgi?id=179911
2037
2038         Reviewed by Saam Barati.
2039
2040         With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
2041         To handle the somewhat tricky DFG Map operation nodes, MapSet and SetAdd
2042         produce the added bucket as their result. The subsequent GetMapBucket will
2043         be removed by CSE.
2044
2045         * dfg/DFGAbstractInterpreterInlines.h:
2046         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2047         * dfg/DFGClobberize.h:
2048         (JSC::DFG::clobberize):
2049         * dfg/DFGNodeType.h:
2050         * dfg/DFGOperations.cpp:
2051         * dfg/DFGOperations.h:
2052         * dfg/DFGPredictionPropagationPhase.cpp:
2053         * dfg/DFGSpeculativeJIT.cpp:
2054         (JSC::DFG::SpeculativeJIT::compileSetAdd):
2055         (JSC::DFG::SpeculativeJIT::compileMapSet):
2056         * dfg/DFGSpeculativeJIT.h:
2057         (JSC::DFG::SpeculativeJIT::callOperation):
2058         * ftl/FTLLowerDFGToB3.cpp:
2059         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
2060         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
2061         * jit/JITOperations.h:
2062         * runtime/HashMapImpl.h:
2063         (JSC::HashMapImpl::addNormalized):
2064         (JSC::HashMapImpl::addNormalizedInternal):
2065
2066 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2067
2068         [JSC] Remove LocalScope
2069         https://bugs.webkit.org/show_bug.cgi?id=181206
2070
2071         Reviewed by Geoffrey Garen.
2072
2073         The last user of HandleStack and LocalScope is JSON, but MarkedArgumentBuffer is enough for its use.
2074         This patch changes JSON parsing and stringifying to use MarkedArgumentBuffer, and removes HandleStack
2075         and LocalScope.
2076
2077         We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack, so they can hold
2078         JSObject* directly in their fields.
2079
2080         * JavaScriptCore.xcodeproj/project.pbxproj:
2081         * Sources.txt:
2082         * heap/HandleStack.cpp: Removed.
2083         * heap/HandleStack.h: Removed.
2084         * heap/Heap.cpp:
2085         (JSC::Heap::addCoreConstraints):
2086         * heap/Heap.h:
2087         (JSC::Heap::handleSet):
2088         (JSC::Heap::handleStack): Deleted.
2089         * heap/Local.h: Removed.
2090         * heap/LocalScope.h: Removed.
2091         * runtime/JSONObject.cpp:
2092         (JSC::Stringifier::Holder::object const):
2093         (JSC::gap):
2094         (JSC::Stringifier::Stringifier):
2095         (JSC::Stringifier::stringify):
2096         (JSC::Stringifier::appendStringifiedValue):
2097         (JSC::Stringifier::Holder::Holder):
2098         (JSC::Stringifier::Holder::appendNextProperty):
2099         (JSC::Walker::Walker):
2100         (JSC::Walker::callReviver):
2101         (JSC::Walker::walk):
2102         (JSC::JSONProtoFuncParse):
2103         (JSC::JSONProtoFuncStringify):
2104         (JSC::JSONParse):
2105         (JSC::JSONStringify):
2106
2107 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2108
2109         [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
2110         https://bugs.webkit.org/show_bug.cgi?id=180238
2111
2112         Reviewed by Saam Barati.
2113
2114         We can optimize ObjectAllocationSinking a bit by using removeIf.
2115
2116         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2117
2118 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2119
2120         [JSC] Create parallel SlotVisitors a priori
2121         https://bugs.webkit.org/show_bug.cgi?id=180907
2122
2123         Reviewed by Saam Barati.
2124
2125         The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
2126         If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
2127         Then we do not need to grab locks while iterating over all the SlotVisitors.
2128
2129         In addition, we do not need to consider the case where the number of SlotVisitors increases
2130         after setting up VisitCounters in MarkingConstraintSolver, since the number of SlotVisitors
2131         no longer increases.
2132
2133         * heap/Heap.cpp:
2134         (JSC::Heap::Heap):
2135         (JSC::Heap::runBeginPhase):
2136         * heap/Heap.h:
2137         * heap/HeapInlines.h:
2138         (JSC::Heap::forEachSlotVisitor):
2139         (JSC::Heap::numberOfSlotVisitors): Deleted.
2140         * heap/MarkingConstraintSolver.cpp:
2141         (JSC::MarkingConstraintSolver::didVisitSomething const):
2142
2143 2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>
2144
2145         Replace hard-coded paths in shebangs with #!/usr/bin/env
2146         https://bugs.webkit.org/show_bug.cgi?id=181040
2147
2148         Reviewed by Alex Christensen.
2149
2150         * Scripts/UpdateContents.py:
2151         * Scripts/cssmin.py:
2152         * Scripts/generate-combined-inspector-json.py:
2153         * Scripts/xxd.pl:
2154         * create_hash_table:
2155         * generate-bytecode-files:
2156         * wasm/generateWasm.py:
2157         * wasm/generateWasmOpsHeader.py:
2158         * yarr/generateYarrCanonicalizeUnicode:
2159
2160 2018-01-03  Michael Saboff  <msaboff@apple.com>
2161
2162         Disable SharedArrayBuffers from Web API
2163         https://bugs.webkit.org/show_bug.cgi?id=181266
2164
2165         Reviewed by Saam Barati.
2166
2167         Removed the SharedArrayBuffer prototype and structure from GlobalObject creation
2168         to disable it.
2169
2170         * runtime/JSGlobalObject.cpp:
2171         (JSC::JSGlobalObject::init):
2172         (JSC::JSGlobalObject::visitChildren):
2173         * runtime/JSGlobalObject.h:
2174         (JSC::JSGlobalObject::arrayBufferPrototype const):
2175         (JSC::JSGlobalObject::arrayBufferStructure const):
2176
2177 2018-01-03  Michael Saboff  <msaboff@apple.com>
2178
2179         Add "noInline" to $vm
2180         https://bugs.webkit.org/show_bug.cgi?id=181265
2181
2182         Reviewed by Mark Lam.
2183
2184         This would be useful for web based tests.
2185
2186         * tools/JSDollarVM.cpp:
2187         (JSC::getExecutableForFunction):
2188         (JSC::functionNoInline):
2189         (JSC::JSDollarVM::finishCreation):
2190
2191 2018-01-03  Michael Saboff  <msaboff@apple.com>
2192
2193         Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
2194         https://bugs.webkit.org/show_bug.cgi?id=181263
2195
2196         Reviewed by Mark Lam.
2197
2198         Flushing the butterfly pointer provides no benefit and slows this function.
2199
2200         * tools/JSDollarVM.cpp:
2201         (JSC::functionCpuClflush):
2202
2203 2018-01-03  Saam Barati  <sbarati@apple.com>
2204
2205         Fix BytecodeParser op_catch assert to work with useProfiler=1
2206         https://bugs.webkit.org/show_bug.cgi?id=181260
2207
2208         Reviewed by Keith Miller.
2209
2210         op_catch was asserting that the current block was empty. This is only true
2211         if the profiler isn't enabled. When the profiler is enabled, we will
2212         insert a CountExecution node before each bytecode. This patch fixes the
2213         assert to work with the profiler.
2214
2215         * dfg/DFGByteCodeParser.cpp:
2216         (JSC::DFG::ByteCodeParser::parseBlock):
2217
2218 2018-01-03  Per Arne Vollan  <pvollan@apple.com>
2219
2220         [Win][Debug] testapi link error.
2221         https://bugs.webkit.org/show_bug.cgi?id=181247
2222         <rdar://problem/36166729>
2223
2224         Reviewed by Brent Fulgham.
2225
2226         Do not set the runtime library compile flag for C files, it is already set to the correct value.
2227  
2228         * shell/PlatformWin.cmake:
2229
2230 2018-01-03  Robin Morisset  <rmorisset@apple.com>
2231
2232         Inlining of a function that ends in op_unreachable crashes
2233         https://bugs.webkit.org/show_bug.cgi?id=181027
2234
2235         Reviewed by Filip Pizlo.
2236
2237         * dfg/DFGByteCodeParser.cpp:
2238         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
2239         (JSC::DFG::ByteCodeParser::inlineCall):
2240
2241 2018-01-02  Saam Barati  <sbarati@apple.com>
2242
2243         Incorrect assertion inside AccessCase
2244         https://bugs.webkit.org/show_bug.cgi?id=181200
2245         <rdar://problem/35494754>
2246
2247         Reviewed by Yusuke Suzuki.
2248
2249         Consider a PutById compiled to a setter in a function like so:
2250         
2251         ```
2252         function foo(o) { o.f = o; }
2253         ```
2254         
2255         The DFG will often assign the same registers to the baseGPR (o in o.f) and the
2256         valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
2257         to the same register. However, we're asserting that they're not the same register.
2258         This patch just removes this invalid assertion.
2259
2260         * bytecode/AccessCase.cpp:
2261         (JSC::AccessCase::generateImpl):
2262
2263 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
2264
2265         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
2266         https://bugs.webkit.org/show_bug.cgi?id=175359
2267
2268         Reviewed by Yusuke Suzuki.
2269
2270         This patch implements BigIntConstructor and BigIntPrototype
2271         following the spec [1, 2]. In addition, we also implement the BigIntObject
2272         wrapper to handle the ToObject(v) abstract operation when "v" is a BigInt
2273         primitive. With these classes, it is now possible to synthesize
2274         BigInt.prototype and then call "toString", "valueOf" and
2275         "toLocaleString" when the primitive is a BigInt.
2276         BigIntConstructor exposes an API to parse other primitives such as
2277         Number, Boolean and String to BigInt.
2278         We decided to skip the parseInt implementation, since it was removed from
2279         the spec.
2280
2281         [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
2282         [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object 
2283
2284         * CMakeLists.txt:
2285         * DerivedSources.make:
2286         * JavaScriptCore.xcodeproj/project.pbxproj:
2287         * Sources.txt:
2288         * jsc.cpp:
2289         * runtime/BigIntConstructor.cpp: Added.
2290         (JSC::BigIntConstructor::BigIntConstructor):
2291         (JSC::BigIntConstructor::finishCreation):
2292         (JSC::isSafeInteger):
2293         (JSC::toBigInt):
2294         (JSC::callBigIntConstructor):
2295         (JSC::bigIntConstructorFuncAsUintN):
2296         (JSC::bigIntConstructorFuncAsIntN):
2297         * runtime/BigIntConstructor.h: Added.
2298         (JSC::BigIntConstructor::create):
2299         (JSC::BigIntConstructor::createStructure):
2300         * runtime/BigIntObject.cpp: Added.
2301         (JSC::BigIntObject::BigIntObject):
2302         (JSC::BigIntObject::finishCreation):
2303         (JSC::BigIntObject::toStringName):
2304         (JSC::BigIntObject::defaultValue):
2305         * runtime/BigIntObject.h: Added.
2306         (JSC::BigIntObject::create):
2307         (JSC::BigIntObject::internalValue const):
2308         (JSC::BigIntObject::createStructure):
2309         * runtime/BigIntPrototype.cpp: Added.
2310         (JSC::BigIntPrototype::BigIntPrototype):
2311         (JSC::BigIntPrototype::finishCreation):
2312         (JSC::toThisBigIntValue):
2313         (JSC::bigIntProtoFuncToString):
2314         (JSC::bigIntProtoFuncToLocaleString):
2315         (JSC::bigIntProtoFuncValueOf):
2316         * runtime/BigIntPrototype.h: Added.
2317         (JSC::BigIntPrototype::create):
2318         (JSC::BigIntPrototype::createStructure):
2319         * runtime/IntlCollator.cpp:
2320         (JSC::IntlCollator::initializeCollator):
2321         * runtime/IntlNumberFormat.cpp:
2322         (JSC::IntlNumberFormat::initializeNumberFormat):
2323         * runtime/JSBigInt.cpp:
2324         (JSC::JSBigInt::createFrom):
2325         (JSC::JSBigInt::parseInt):
2326         (JSC::JSBigInt::toObject const):
2327         * runtime/JSBigInt.h:
2328         * runtime/JSCJSValue.cpp:
2329         (JSC::JSValue::synthesizePrototype const):
2330         * runtime/JSCPoisonedPtr.cpp:
2331         * runtime/JSCell.cpp:
2332         (JSC::JSCell::toObjectSlow const):
2333         * runtime/JSGlobalObject.cpp:
2334         (JSC::JSGlobalObject::init):
2335         (JSC::JSGlobalObject::visitChildren):
2336         * runtime/JSGlobalObject.h:
2337         (JSC::JSGlobalObject::bigIntPrototype const):
2338         (JSC::JSGlobalObject::bigIntObjectStructure const):
2339         * runtime/StructureCache.h:
2340         * runtime/StructureInlines.h:
2341         (JSC::prototypeForLookupPrimitiveImpl):
2342
2343 2018-01-02  Tim Horton  <timothy_horton@apple.com>
2344
2345         Fix the MathCommon build with a recent compiler
2346         https://bugs.webkit.org/show_bug.cgi?id=181216
2347
2348         Reviewed by Sam Weinig.
2349
2350         * runtime/MathCommon.cpp:
2351         (JSC::fdlibmPow):
2352         This cast drops the 'const' qualifier from the pointer to 'one',
2353         but it doesn't have to, and it makes the compiler sad.
2354
2355 == Rolled over to ChangeLog-2018-01-01 ==