883e457412186e864841b3ba045ad510c3a39d63
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-01-13  Darin Adler  <darin@apple.com>

        Event improvements
        https://bugs.webkit.org/show_bug.cgi?id=179591

        Reviewed by Chris Dumez.

        Remove all uses of ScriptValue other than in the implementation of ScriptObject.

        * bindings/ScriptFunctionCall.cpp: Removed include of ScriptValue.h.

        * bindings/ScriptObject.cpp: Removed unused overload of ScriptObject constructor.
        * bindings/ScriptObject.h: Ditto.

        * bindings/ScriptValue.cpp:
        (Deprecated::ScriptValue::~ScriptValue): Deleted.
        (Deprecated::ScriptValue::getString const): Deleted.
        (Deprecated::ScriptValue::toString const): Deleted.
        (Deprecated::ScriptValue::isEqual const): Deleted.
        (Deprecated::ScriptValue::isNull const): Deleted.
        (Deprecated::ScriptValue::isUndefined const): Deleted.
        (Deprecated::ScriptValue::isObject const): Deleted.
        (Deprecated::ScriptValue::isFunction const): Deleted.
        (Deprecated::ScriptValue::toInspectorValue const): Deleted.
        * bindings/ScriptValue.h: Removed many unused functions. Made the rest
        protected since this is now used only in ScriptObject.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend): Stop using ScriptValue.
        (Inspector::ConsoleMessage::isEqual const): Updated for change to ScriptArguments::isEqual.

        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::create): Take a Vector of JSC::Strong, not ScriptValue,
        use rvalue reference with move instead of lvalue reference with swap, and take execution
        state by reference instead of pointer.
        (Inspector::ScriptArguments::createEmpty): Deleted. Can now use create instead.
        (Inspector::ScriptArguments::ScriptArguments): Ditto.
        (Inspector::ScriptArguments::~ScriptArguments): Deleted.
        (Inspector::ScriptArguments::argumentAt const): Updated to use JSC::Strong.
        (Inspector::ScriptArguments::getFirstArgumentAsString): Ditto.
        (Inspector::ScriptArguments::isEqual const): Ditto. Also changed to use JS internals
        instead of calling through the C API.
        * inspector/ScriptArguments.h: Updated for the above.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptArguments): Updated for changes to ScriptArguments.

        * inspector/ScriptDebugServer.cpp: Removed include of ScriptValue.h.
        * inspector/agents/InspectorAgent.cpp: Ditto.
        * inspector/agents/InspectorDebuggerAgent.cpp: Ditto.
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use JSC::Strong instead
        of ScriptValue.
        (Inspector::InspectorDebuggerAgent::currentCallFrames): Ditto.
        * inspector/agents/InspectorDebuggerAgent.h: Ditto.
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments): Ditto.
        (JSC::ConsoleClient::clear): Use ScriptArguments::create and pass an empty vector
        instead of calling a separate createEmpty function.

        * runtime/VM.cpp:
        (JSC::VM::createLeaked): Deleted.
        * runtime/VM.h: Deleted createLeaked.

2018-02-06  Brian Burg  <bburg@apple.com>

        Web Inspector: protocol generator should automatically deduce the correct include style to use
        https://bugs.webkit.org/show_bug.cgi?id=182505

        Reviewed by Timothy Hatcher.

        Currently the generated imports use a mix of system header imports (powered by forwarding headers)
        and framework-style includes. Since forwarding headers are going away, this patch stops
        using system header includes for headers that are JavaScriptCore private headers. Instead,
        use either a relative include or a framework include.

        * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
        (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
        (CppAlternateBackendDispatcherHeaderGenerator):
        (CppAlternateBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.generate_output):
        (CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        (CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator.generate_output):
        (CppFrontendDispatcherImplementationGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output):
        (CppProtocolTypesHeaderGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator.generate_output):
        (CppProtocolTypesImplementationGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator):
        Convert existing header lists to the new entries format, which includes the
        allowable target frameworks and the relative path to the header.

        * inspector/scripts/codegen/generator.py:
        (Generator.generate_includes_from_entries):
        Copied from the same in the builtins code generator. It still works great.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        Rebaseline.

2018-02-06  Keith Miller  <keith_miller@apple.com>

        put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
        https://bugs.webkit.org/show_bug.cgi?id=182549
        <rdar://problem/36189995>

        Reviewed by Saam Barati.

        Previously, the llint/baseline caching for put_to_scope and
        get_from_scope would cache lexical environments when the
        varInjectionWatchpoint had been fired for global properties. Code
        in the DFG does not follow this same assumption so we could
        potentially return the wrong result. Additionally, the baseline
        would write barrier the global object rather than the lexical
        environment object. This patch makes it so that we do not cache
        anything other than the global object for when the resolve type is
        GlobalPropertyWithVarInjectionChecks or GlobalProperty.

        * assembler/MacroAssembler.cpp:
        (JSC::MacroAssembler::jitAssert):
        * assembler/MacroAssembler.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
        * runtime/Options.h:

2018-01-28  Filip Pizlo  <fpizlo@apple.com>

        Global objects should be able to use TLCs to allocate from different blocks from each other
        https://bugs.webkit.org/show_bug.cgi?id=182227

        Reviewed by JF Bastien.

        This uses TLCs to create at least `minimumDistanceBetweenCellsFromDifferenOrigins` bytes of
        distance between objects from different origins, using the following combination of things. For
        short, let's refer to that constant as K.

        - Since r227721, LargeAllocation puts K bytes padding at the end of each allocation.

        - Since r227718, MarkedBlock puts at least K bytes in its footer.

        - Since r227617, global objects can have their own TLCs, which make them allocate from a
          different set of blocks than other global objects. The TLC of a global object comes into
          effect when you enter the VM via that global object.

        - With this change, TLCs and blocks both have security origins. A TLC will only use blocks that
          share the same security origin or empty blocks (in which case we zero the block and change
          its security origin).

        WebCore determines the TLC-GlobalObject mapping. By default, global objects would simply use
        the VM's default TLC. WebCore makes it so that DOM windows (but not worker global objects) get
        a TLC based on their document's SecurityOrigin.
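        The block-selection rule in the fourth bullet, as an added example that is not JavaScriptCore's code: a toy block directory in which a cache tagged with an origin token may take cells only from a block carrying the same token or from an empty block, which is zeroed and re-tagged first. The names OriginToken, Block and BlockDirectory, the block size and the per-block capacity are assumptions made for the demo; origin tokens are assumed to be non-zero.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Added example, not JSC code. Token 0 marks a block nobody has claimed yet.
using OriginToken = std::uint64_t;
constexpr OriginToken kNoOrigin = 0;

struct Block {
    static constexpr std::size_t capacity = 4; // cells per block (constructed)
    OriginToken origin = kNoOrigin;
    std::size_t used = 0;                      // cells handed out since the last sweep
    std::array<std::uint8_t, 64> payload {};   // pretend cell storage

    bool isEmpty() const { return used == 0; }
    bool isFull() const { return used == capacity; }
};

struct BlockDirectory {
    std::vector<Block> blocks;

    explicit BlockDirectory(std::size_t blockCount) : blocks(blockCount) { }

    // A cache tagged with `origin` may only take cells from a block with the same
    // origin, or from an empty block, which is zeroed and re-tagged before use.
    // Blocks that still hold another origin's cells are never handed out.
    std::optional<std::size_t> findBlockForAllocation(OriginToken origin)
    {
        for (std::size_t i = 0; i < blocks.size(); ++i) {
            if (blocks[i].origin == origin && !blocks[i].isFull())
                return i;
        }
        for (std::size_t i = 0; i < blocks.size(); ++i) {
            if (!blocks[i].isEmpty())
                continue;
            blocks[i].payload.fill(0); // scrub whatever the previous origin left behind
            blocks[i].origin = origin;
            return i;
        }
        return std::nullopt;           // only other origins' live blocks remain: refuse
    }

    // Hands out one cell for `origin`; returns the block it came from.
    std::optional<std::size_t> allocate(OriginToken origin)
    {
        auto block = findBlockForAllocation(origin);
        if (block)
            ++blocks[*block].used;
        return block;
    }

    // Simulates a sweep that found no live cells in the block.
    void sweepEmpty(std::size_t index) { blocks[index].used = 0; }
};

// Walks through the policy on a two-block directory; true when every step
// behaves as the rule above requires.
bool originsNeverShareABlock()
{
    BlockDirectory directory(2);
    auto a = directory.allocate(1);
    auto b = directory.allocate(2);
    if (!a || !b || *a == *b)
        return false;                        // two origins must land in different blocks
    if (directory.allocate(1) != a)
        return false;                        // origin 1 keeps using its own block
    if (directory.allocate(3))
        return false;                        // no empty block left: origin 3 gets nothing
    directory.blocks[*b].payload[0] = 0xAB;  // stale data left by origin 2
    directory.sweepEmpty(*b);
    auto c = directory.allocate(3);          // now empty: zeroed and re-tagged for origin 3
    return c == b && directory.blocks[*c].origin == 3 && directory.blocks[*c].payload[0] == 0;
}

int main()
{
    std::printf("origins never share a block: %s\n", originsNeverShareABlock() ? "yes" : "no");
    return 0;
}
```

        The second pass is where the zeroing happens: an empty block is the only kind of block that may change hands, and it is scrubbed before its origin tag changes, so a later origin never sees the previous origin's bytes.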

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::findBlockForAllocation):
        (JSC::BlockDirectory::prepareForAllocation):
        * heap/BlockDirectory.h:
        * heap/LocalAllocator.cpp:
        (JSC::LocalAllocator::LocalAllocator):
        (JSC::LocalAllocator::reset):
        (JSC::LocalAllocator::~LocalAllocator):
        (JSC::LocalAllocator::allocateSlowCase):
        (JSC::LocalAllocator::tryAllocateWithoutCollecting):
        * heap/LocalAllocator.h:
        (JSC::LocalAllocator::tlc const):
        * heap/MarkStackMergingConstraint.cpp:
        * heap/MarkStackMergingConstraint.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::associateWithOrigin):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::securityOriginToken const):
        * heap/SecurityOriginToken.cpp: Added.
        (JSC::uniqueSecurityOriginToken):
        * heap/SecurityOriginToken.h: Added.
        * heap/ThreadLocalCache.cpp:
        (JSC::ThreadLocalCache::create):
        (JSC::ThreadLocalCache::ThreadLocalCache):
        (JSC::ThreadLocalCache::allocateData):
        (JSC::ThreadLocalCache::installSlow):
        * heap/ThreadLocalCache.h:
        (JSC::ThreadLocalCache::securityOriginToken const):
        * heap/ThreadLocalCacheInlines.h:
        (JSC::ThreadLocalCache::install):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::createThreadLocalCache):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::threadLocalCache):
        (JSC::JSGlobalObject::threadLocalCache const): Deleted.
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:

2018-02-05  Don Olmstead  <don.olmstead@sony.com>

        JavaScriptCore files should not be included relatively
        https://bugs.webkit.org/show_bug.cgi?id=182452

        Reviewed by Keith Miller.

        * API/JSCallbackConstructor.h:
        * CMakeLists.txt:
        * disassembler/ARM64Disassembler.cpp:
        * disassembler/ARMv7Disassembler.cpp:
        * heap/LockDuringMarking.h:
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptHost.h:
        * inspector/JavaScriptCallFrame.h:
        * inspector/ScriptArguments.h:
        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * runtime/RegExp.h:

2018-02-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r228012.
        https://bugs.webkit.org/show_bug.cgi?id=182493

        "It regressed ARES-6 by 2-4%" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "[JSC] Clean up ArraySpeciesCreate"
        https://bugs.webkit.org/show_bug.cgi?id=182434
        https://trac.webkit.org/changeset/228012

2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>

        Rebaseline bindings generator tests after r228032.
        https://bugs.webkit.org/show_bug.cgi?id=182445

        Unreviewed test gardening.

        * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:

2018-02-02  Saam Barati  <sbarati@apple.com>

        Make various DFG_ASSERTs provide more data to WTFCrashWithInfo
        https://bugs.webkit.org/show_bug.cgi?id=182453
        <rdar://problem/37174236>

        Reviewed by JF Bastien and Mark Lam.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGFlowIndexing.h:
        (JSC::DFG::FlowIndexing::shadowIndex const):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithAbs):
        (JSC::DFG::SpeculativeJIT::compileArithRounding):
        (JSC::DFG::SpeculativeJIT::compileToPrimitive):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierClusteringPhase.cpp:
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compare):
        (JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
        (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):

2018-02-02  Don Olmstead  <don.olmstead@sony.com>

        JS Builtins should include JavaScriptCore headers directly
        https://bugs.webkit.org/show_bug.cgi?id=182445

        Reviewed by Yusuke Suzuki.

        * Scripts/builtins/builtins_generator.py:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:

2018-02-02  Saam Barati  <sbarati@apple.com>

        When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
        https://bugs.webkit.org/show_bug.cgi?id=182368
        <rdar://problem/36932466>

        Reviewed by Mark Lam.

        When preserving liveness when inserting Unreachable nodes after ForceOSRExit,
        we must add the VariableAccessData to the given argument position. Otherwise,
        we may end up with a VariableAccessData that doesn't respect the shouldNeverUnbox bit.
        If we end up with such a situation, it can lead to invalid IR after the
        arguments elimination phase optimizes a GetByVal to a GetStack.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushImpl):
        (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::flushForTerminal):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):

2018-02-02  Mark Lam  <mark.lam@apple.com>

        More ARM64_32 fixes.
        https://bugs.webkit.org/show_bug.cgi?id=182441
        <rdar://problem/37162310>

        Reviewed by Dan Bernstein.

        I also disabled more dynamicPoisoning code in ARM64_32.  This code assumes a
        64-bit pointer which is not applicable here.

        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitDynamicPoison):
        (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
        (JSC::AssemblyHelpers::emitDynamicPoisonOnType):

2018-02-02  Saam Barati  <sbarati@apple.com>

        MapHash should return true to doesGC in the DFG depending on useKind because it might resolve a rope
        https://bugs.webkit.org/show_bug.cgi?id=182402

        Reviewed by Yusuke Suzuki.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clean up ArraySpeciesCreate
        https://bugs.webkit.org/show_bug.cgi?id=182434

        Reviewed by Saam Barati.

        We have duplicate code in filter, map, concatSlowPath.
        This patch creates a new global private function @arraySpeciesCreate,
        and uses it.

        * builtins/ArrayPrototype.js:
        (globalPrivate.arraySpeciesCreate):
        (filter):
        (map):
        (globalPrivate.concatSlowPath):

2018-02-01  Mark Lam  <mark.lam@apple.com>

        Fix broken bounds check in FTL's compileGetMyArgumentByVal().
        https://bugs.webkit.org/show_bug.cgi?id=182419
        <rdar://problem/37044945>

        Reviewed by Saam Barati.

        In compileGetMyArgumentByVal(), it computes:
            limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
            ...
            LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit);

        where the original "limit" is the number of arguments passed in by the caller.
        If the original limit is less than numberOfArgumentsToSkip, the resultant limit
        will be a large unsigned number.  As a result, this will defeat the bounds check
        that follows it.

        Note: later on in compileGetMyArgumentByVal(), we have to adjust the index
        value by adding numberOfArgumentsToSkip to it, in order to determine the actual
        entry in the arguments array to get.

        The fix is to just add numberOfArgumentsToSkip to index upfront (instead of
        subtracting it from limit), and doing an overflow speculation check on that
        addition before doing the bounds check.
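        The broken and the fixed check side by side, as an added scalar model that is not the FTL code: `argumentCount` plays the role of the original "limit" (arguments passed by the caller) and `skip` of numberOfArgumentsToSkip. The function names and the arguments vector are constructed for the demo; the unsigned arithmetic is what the entry describes.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Added example, not JavaScriptCore code.

// Before the fix: subtract skip from the limit. When argumentCount < skip the
// unsigned subtraction wraps to a huge value, so `index >= limit` never holds
// and a later read at index + skip lands past the arguments the caller passed.
bool brokenIsOutOfBounds(uint32_t index, uint32_t argumentCount, uint32_t skip)
{
    uint32_t limit = argumentCount - skip; // wraps when argumentCount < skip
    return index >= limit;
}

// After the fix: add skip to the index first, treat overflow of that addition
// as out of bounds (the speculation check), then compare against the
// unmodified limit. No subtraction, so nothing can wrap.
bool fixedIsOutOfBounds(uint32_t index, uint32_t argumentCount, uint32_t skip)
{
    if (index > UINT32_MAX - skip) // index + skip would overflow
        return true;
    return index + skip >= argumentCount;
}

// Bounds-checked read that uses the fixed check; returns nullopt instead of
// touching memory outside `arguments` (a constructed stand-in for the frame).
std::optional<int> argumentAt(const std::vector<int>& arguments, uint32_t index, uint32_t skip)
{
    if (fixedIsOutOfBounds(index, static_cast<uint32_t>(arguments.size()), skip))
        return std::nullopt;
    return arguments[index + skip];
}

int main()
{
    // One argument passed, three to skip: the broken check lets index 0 through,
    // the fixed one rejects it.
    std::printf("broken: out of bounds = %d\n", brokenIsOutOfBounds(0, 1, 3));
    std::printf("fixed:  out of bounds = %d\n", fixedIsOutOfBounds(0, 1, 3));
    return 0;
}
```

        The case the entry describes is `argumentCount = 1, skip = 3, index = 0`: the broken form computes a limit of 0xFFFFFFFE and accepts the index, while the fixed form compares 3 against 1 and rejects it.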

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):

2018-02-01  Keith Miller  <keith_miller@apple.com>

        Fix crashes due to mishandling custom sections.
        https://bugs.webkit.org/show_bug.cgi?id=182404
        <rdar://problem/36935863>

        Reviewed by Saam Barati.

        This also cleans up some of our validation code. We also
        mistakenly allowed unknown (different from custom sections with
        id: 0) section ids.
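        The two section-header checks named in this entry (a known-section test and an order check), as an added example that is not WasmModuleParser's code: a small walker over a module body that rejects unknown section ids, rejects known sections that appear out of order, and refuses payloads that run past the end of the input. It assumes the MVP section ids 0 (custom) through 11 (data) and keeps every payload size below 128, so a single size byte is exactly its LEB128 encoding; the input bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Added example, not JSC code.
enum class ParseStatus { Ok, UnknownSectionId, SectionOutOfOrder, Truncated };

constexpr uint8_t CustomSectionId = 0;
constexpr uint8_t LastKnownSectionId = 11; // Data section in the MVP numbering

// Only ids 0..11 are defined; anything else must be rejected rather than skipped.
bool isKnownSection(uint8_t id)
{
    return id <= LastKnownSectionId;
}

// Non-custom sections must appear in strictly increasing id order (so also at
// most once); custom sections may appear anywhere, any number of times.
bool validateOrder(std::optional<uint8_t> previousKnown, uint8_t id)
{
    if (id == CustomSectionId)
        return true;
    return !previousKnown || id > *previousKnown;
}

// Walks [id][size][payload]* as found after the module header.
ParseStatus parseSections(const std::vector<uint8_t>& body)
{
    std::size_t offset = 0;
    std::optional<uint8_t> previousKnown;
    while (offset < body.size()) {
        uint8_t id = body[offset++];
        if (!isKnownSection(id))
            return ParseStatus::UnknownSectionId;
        if (!validateOrder(previousKnown, id))
            return ParseStatus::SectionOutOfOrder;
        if (offset >= body.size())
            return ParseStatus::Truncated;            // id byte with no size byte
        uint8_t size = body[offset++];
        if (size > body.size() - offset)
            return ParseStatus::Truncated;            // payload would run off the end
        if (id != CustomSectionId)
            previousKnown = id;
        offset += size;                               // payload contents are not inspected here
    }
    return ParseStatus::Ok;
}

int main()
{
    // Constructed body: type(1), function(3) with 2 payload bytes, a custom
    // section in the middle, then code(10).
    std::vector<uint8_t> good { 1, 0, 3, 2, 0xAA, 0xBB, 0, 1, 0x00, 10, 0 };
    std::vector<uint8_t> unknown { 1, 0, 99, 0 };
    std::printf("good: %d, unknown id: %d\n",
        static_cast<int>(parseSections(good)), static_cast<int>(parseSections(unknown)));
    return 0;
}
```

        Checking the size against the remaining bytes before advancing is the part that matters for a parser fed untrusted modules: an id or size byte at the very end of the input is reported as truncation instead of being read past the buffer.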

        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        * wasm/WasmModuleParser.h:
        * wasm/WasmSections.h:
        (JSC::Wasm::isKnownSection):
        (JSC::Wasm::decodeSection):
        (JSC::Wasm::validateOrder):
        (JSC::Wasm::makeString):
        (JSC::Wasm::isValidSection): Deleted.

2018-02-01  Michael Catanzaro  <mcatanzaro@igalia.com>

        -Wreturn-type warning in DFGObjectAllocationSinkingPhase.cpp
        https://bugs.webkit.org/show_bug.cgi?id=182389

        Reviewed by Yusuke Suzuki.

        Fix the warning.

        As a bonus, remove a couple unreachable breaks for good measure.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-02-01  Chris Dumez  <cdumez@apple.com>

        Queue a microtask when a waitUntil() promise is settled
        https://bugs.webkit.org/show_bug.cgi?id=182372
        <rdar://problem/37101019>

        Reviewed by Mark Lam.

        Export a symbol so it can be used in WebCore.

        * runtime/JSGlobalObject.h:

2018-01-31  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Make JavaScriptCore headers copies
        https://bugs.webkit.org/show_bug.cgi?id=182303

        Reviewed by Alex Christensen.

        * CMakeLists.txt:
        * PlatformGTK.cmake:
        * PlatformJSCOnly.cmake:
        * PlatformMac.cmake:
        * PlatformWPE.cmake:
        * PlatformWin.cmake:
        * shell/CMakeLists.txt:
        * shell/PlatformWin.cmake:

2018-01-31  Saam Barati  <sbarati@apple.com>

        Replace tryLargeMemalignVirtual with tryLargeZeroedMemalignVirtual and use it to allocate large zeroed memory in Wasm
        https://bugs.webkit.org/show_bug.cgi?id=182064
        <rdar://problem/36840132>

        Reviewed by Geoffrey Garen.

        This patch switches WebAssembly Memory to always use bmalloc's
        zeroed virtual allocation API. This makes it so that we don't
        dirty the memory to zero it. It's a huge compile time speedup
        on WasmBench on iOS.

        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::~Memory):
        (JSC::Wasm::Memory::addressIsInActiveFastMemory):
        (JSC::Wasm::Memory::grow):
        (JSC::Wasm::commitZeroPages): Deleted.

2018-01-31  Mark Lam  <mark.lam@apple.com>

        Build fix for CLoop after r227874.
        https://bugs.webkit.org/show_bug.cgi?id=182155
        <rdar://problem/36286266>

        Not reviewed.

        Just needed support for lea of a LabelReference in cloop.rb (just like those
        added for arm64.rb and x86.rb).

        * offlineasm/cloop.rb:

2018-01-31  Keith Miller  <keith_miller@apple.com>

        Canonicalize acquiring the JSCell lock.
        https://bugs.webkit.org/show_bug.cgi?id=182320

        Reviewed by Michael Saboff.

        It's currently kinda annoying to figure out where
        we acquire a JSCell's lock. This patch adds a
        helper to make it easier to grep...

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::setInstructions):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
        (JSC::ErrorInstance::visitChildren):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSCell.h:
        (JSC::JSCell::cellLock):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterflyImpl):
        (JSC::JSObject::convertContiguousToArrayStorage):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::visitChildren):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::remove):
        (JSC::SparseArrayValueMap::visitChildren):

2018-01-31  Saam Barati  <sbarati@apple.com>

        JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
        https://bugs.webkit.org/show_bug.cgi?id=182074
        <rdar://problem/36846261>

        Reviewed by Mark Lam.

        This patch teaches the JSONP evaluator about the global lexical environment.
        Before, it was using the global object as the global scope, but that's wrong.
        The global lexical environment is the first node in the global scope chain.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (shellSupportsRichSourceInfo):
        (functionDisableRichSourceInfo):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        * runtime/LiteralParser.h:

2018-01-31  Saam Barati  <sbarati@apple.com>

        clean up pushToSaveImmediateWithoutTouchingRegisters a bit
        https://bugs.webkit.org/show_bug.cgi?id=181774

        Reviewed by JF Bastien.

        This function on ARM64 was considering what to do with the scratch
        register. And conditionally invalidated what was in it. This is not
        relevant though, since the function always recovers what was in that
        register. This patch just switches it to using dataTempRegister
        directly and updates the comment to describe why it can do so safely.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):

2018-01-30  Mark Lam  <mark.lam@apple.com>

        Apply poisoning to TypedArray vector pointers.
        https://bugs.webkit.org/show_bug.cgi?id=182155
        <rdar://problem/36286266>

        Reviewed by JF Bastien.

        The TypedArray's vector pointer is now poisoned.  The poison value is chosen based
        on a TypedArray's jsType.  The JSType must be between FirstTypedArrayType and
        LastTypedArrayType.  At runtime, we enforce that the index is well-behaved by
        masking it against TypedArrayPoisonIndexMask.  TypedArrayPoisonIndexMask (16) is
        the number of TypedArray types (10) rounded up to the next power of 2.
        Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that we
        can use index masking on the index, and be guaranteed that the masked index will
        be within bounds of the poisons array.
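        The per-type poison selection described above, as an added example that is not JavaScriptCore's code: the 10 TypedArray types are rounded up to a 16-entry poison table, the table index is derived from the JSType and masked with the table size minus one, so it stays in bounds for any byte value, and a vector pointer is poisoned and unpoisoned by XOR with the selected poison. The FirstTypedArrayType value and the poison values (generated with splitmix64 from a fixed seed) are constructed for the demo; only the counts come from the entry. The null handling at the end models why the items below need a null check before unpoisoning.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Added example, not JSC code. Counts are from the entry: 10 types, 16 slots.
constexpr unsigned numberOfTypedArrayTypes = 10;

constexpr unsigned roundUpToPowerOfTwo(unsigned n)
{
    unsigned p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

constexpr unsigned TypedArrayPoisonIndexMask = roundUpToPowerOfTwo(numberOfTypedArrayTypes);
static_assert(TypedArrayPoisonIndexMask == 16, "10 types round up to 16 poison slots");

constexpr uint8_t FirstTypedArrayType = 40; // constructed JSType value for the demo
constexpr uint8_t LastTypedArrayType = FirstTypedArrayType + numberOfTypedArrayTypes - 1;

// splitmix64: constructed source of distinct, non-secret demo poison values.
static uint64_t splitmix64(uint64_t& state)
{
    uint64_t z = (state += 0x9E3779B97F4A7C15ull);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ull;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBull;
    return z ^ (z >> 31);
}

static std::array<uint64_t, TypedArrayPoisonIndexMask> makePoisons()
{
    std::array<uint64_t, TypedArrayPoisonIndexMask> poisons {};
    uint64_t state = 0x5EED; // constructed seed
    for (auto& poison : poisons)
        poison = splitmix64(state);
    return poisons;
}

static const std::array<uint64_t, TypedArrayPoisonIndexMask> g_typedArrayPoisons = makePoisons();

// Offset from the first TypedArray type, masked with (table size - 1): the
// result is always 0..15, even for a jsType outside the TypedArray range, so the
// table lookup can never go out of bounds whatever the type byte says.
constexpr unsigned poisonIndexForType(uint8_t jsType)
{
    return static_cast<uint8_t>(jsType - FirstTypedArrayType) & (TypedArrayPoisonIndexMask - 1);
}

uint64_t poisonFor(uint8_t jsType)
{
    return g_typedArrayPoisons[poisonIndexForType(jsType)];
}

// A null vector is stored as 0 without poisoning; unpoisoning 0 yields the
// poison itself, which is why a null check must precede every unpoison.
uint64_t poisonVector(uint64_t vector, uint8_t jsType)
{
    return vector ? vector ^ poisonFor(jsType) : 0;
}

uint64_t unpoisonVector(uint64_t poisoned, uint8_t jsType)
{
    return poisoned ^ poisonFor(jsType);
}

// True when every possible JSType byte maps to a valid table index.
bool allIndicesInBounds()
{
    for (unsigned t = 0; t < 256; ++t) {
        if (poisonIndexForType(static_cast<uint8_t>(t)) >= TypedArrayPoisonIndexMask)
            return false;
    }
    return true;
}

int main()
{
    uint64_t vector = 0x1000;                         // constructed stand-in for a vector pointer
    uint64_t stored = poisonVector(vector, FirstTypedArrayType + 2);
    std::printf("same type:  %#llx\n", (unsigned long long)unpoisonVector(stored, FirstTypedArrayType + 2));
    std::printf("other type: %#llx\n", (unsigned long long)unpoisonVector(stored, FirstTypedArrayType + 3));
    std::printf("last typed array type: %u, indices in bounds: %d\n", LastTypedArrayType, allIndicesInBounds());
    return 0;
}
```

        Unpoisoning with the wrong type's poison yields a value unrelated to the original pointer, which is the property that makes a per-type poison worthwhile: code that mistakes one TypedArray type for another does not get a usable vector pointer back.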

        1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not
           do any unnecessary work if the TypedArray vector is null.

           FTL's cagedMayBeNull() is no longer needed because it is only used by
           compileGetTypedArrayByteOffset(), and we need to enhance it to handle unpoisoning
           in a TypedArray specific way.  So, might as well do the work inline in
           compileGetTypedArrayByteOffset() instead.

        2. Removed an unnecessary null-check in DFGSpeculativeJIT's compileNewTypedArrayWithSize()
           because there's already a null check above it that ensures that sizeGPR is
           never null.

        3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before the
           loading of the vector for unpoisoning and uncaging.  We don't need the vector
           if the length is 0.

        Implementation notes on the need to null check the TypedArray vector:

        1. DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not need a
           m_poisonedVector null check because the function is a null check.

        2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a
           m_poisonedVector null check because it is followed by a call to
           cageTypedArrayStorage() which assumes that storageReg cannot be null.

        3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a
           m_poisonedVector null check.

        4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector null
           check because the poisoning code is preceded by a sizeGPR null check, which
           ensures that the storageGPR (vector to be poisoned) is not null.

        5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector null
           check because it is followed by a call to caged() which assumes that the
           vector cannot be null.

        6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null check.

        7. FTL's compileNewTypedArray() does not need a vector null check because the
           poisoning code is preceded by a size null check, which ensures that the
           storage (vector to be poisoned) is not null.

        8. FTL's speculateTypedArrayIsNotNeutered() does not need a
           m_poisonedVector null check because the function is a null check.

        9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s TypedArrayByteOffsetIntrinsic
           case needs a null check so that it does not try to unpoison a null vector.

        10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because
            we already do a length check even before loading the vector.

        11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check because
686             we already do a length check even before loading the vector.
687
688         12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because
689             we already do a length check even before loading the vector.
690
691         13. JIT::emitFloatTypedArrayPutByVal() does not need a vector null check because
692             we already do a length check even before loading the vector.
693
694         14. LLInt's loadTypedArrayCaged() does not need a vector null check because its
695             client will do a TypedArray length check before calling it.
696
697         * dfg/DFGFixupPhase.cpp:
698         (JSC::DFG::FixupPhase::checkArray):
699         * dfg/DFGNode.h:
700         (JSC::DFG::Node::hasArrayMode):
701         * dfg/DFGSpeculativeJIT.cpp:
702         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
703         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
704         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
705         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
706         * ftl/FTLAbstractHeapRepository.h:
707         * ftl/FTLLowerDFGToB3.cpp:
708         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
709         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
710         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
711         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
712         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted.
713         * jit/IntrinsicEmitter.cpp:
714         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
715         * jit/JITPropertyAccess.cpp:
716         (JSC::JIT::emitIntTypedArrayGetByVal):
717         (JSC::JIT::emitFloatTypedArrayGetByVal):
718         (JSC::JIT::emitIntTypedArrayPutByVal):
719         (JSC::JIT::emitFloatTypedArrayPutByVal):
720         * llint/LowLevelInterpreter.asm:
721         * llint/LowLevelInterpreter64.asm:
722         * offlineasm/arm64.rb:
723         * offlineasm/x86.rb:
724         * runtime/CagedBarrierPtr.h:
725         * runtime/JSArrayBufferView.cpp:
726         (JSC::JSArrayBufferView::JSArrayBufferView):
727         (JSC::JSArrayBufferView::finalize):
728         (JSC::JSArrayBufferView::neuter):
729         * runtime/JSArrayBufferView.h:
730         (JSC::JSArrayBufferView::vector const):
731         (JSC::JSArrayBufferView::offsetOfPoisonedVector):
732         (JSC::JSArrayBufferView::poisonFor):
733         (JSC::JSArrayBufferView::Poison::key):
734         (JSC::JSArrayBufferView::offsetOfVector): Deleted.
735         * runtime/JSCPoison.cpp:
736         (JSC::initializePoison):
737         * runtime/JSCPoison.h:
738         * runtime/JSGenericTypedArrayViewInlines.h:
739         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
740         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
741         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
742         * runtime/JSObject.h:
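
        An added illustration, not part of this ChangeLog entry and not JavaScriptCore
        code: a self-contained C++ model of the per-type vector poisoning described
        above.  The enum values, the table size, the helper names and the fixed PRNG
        seed are constructed stand-ins for JSC's real definitions.

```cpp
// Added example, not JavaScriptCore code: a model of per-type poisoning of the
// TypedArray vector pointer with a masked poison-table index. All names and
// values below are constructed stand-ins, not JSC's real definitions.
#include <cstdint>
#include <random>

namespace poisonmodel {

// Stand-in for the slice of JSC's JSType enum that covers typed arrays (10 types).
enum JSType : uint8_t {
    FirstTypedArrayType = 20,
    Int8ArrayType = FirstTypedArrayType, Uint8ArrayType, Uint8ClampedArrayType,
    Int16ArrayType, Uint16ArrayType, Int32ArrayType, Uint32ArrayType,
    Float32ArrayType, Float64ArrayType, DataViewType,
    LastTypedArrayType = DataViewType,
};

constexpr unsigned NumberOfTypedArrayTypes = LastTypedArrayType - FirstTypedArrayType + 1; // 10
// Table size is the type count rounded up to the next power of 2, so masking the
// index with (size - 1) keeps any index, even a corrupted one, inside the table.
constexpr unsigned PoisonTableSize = 16;
constexpr unsigned PoisonIndexMask = PoisonTableSize - 1;
static_assert(NumberOfTypedArrayTypes <= PoisonTableSize, "table must cover every typed array type");
static_assert((PoisonTableSize & (PoisonTableSize - 1)) == 0, "table size must be a power of 2");

// One poison per slot. JSC fills its table from a random source at startup; this
// model seeds a PRNG with a fixed value only so that the example is deterministic.
struct PoisonTable {
    uintptr_t keys[PoisonTableSize];
    PoisonTable()
    {
        std::mt19937_64 rng(0x5eed5eedULL);
        for (unsigned i = 0; i < PoisonTableSize; ++i) {
            uintptr_t key;
            do {
                key = static_cast<uintptr_t>(rng());
            } while (!key); // a zero key would leave the pointer unpoisoned
            keys[i] = key;
        }
    }
};
static const PoisonTable g_poisons;

// The masked index is always below PoisonTableSize, whatever `type` holds.
inline unsigned poisonIndexFor(JSType type)
{
    return (static_cast<unsigned>(type) - FirstTypedArrayType) & PoisonIndexMask;
}

inline uintptr_t poisonFor(JSType type)
{
    return g_poisons.keys[poisonIndexFor(type)];
}

// Null is stored as null, which is why readers must null-check before unpoisoning
// (see the implementation notes in the entry above).
inline uintptr_t poisonVector(const void* vector, JSType type)
{
    uintptr_t bits = reinterpret_cast<uintptr_t>(vector);
    return bits ? bits ^ poisonFor(type) : 0;
}

inline const void* unpoisonVector(uintptr_t poisoned, JSType type)
{
    return poisoned ? reinterpret_cast<const void*>(poisoned ^ poisonFor(type)) : nullptr;
}

// A view stores its vector poisoned with the key of its own type.
struct ArrayBufferView {
    JSType type;
    uintptr_t poisonedVector;
    unsigned length;
};

inline ArrayBufferView makeView(JSType type, const void* vector, unsigned length)
{
    return ArrayBufferView { type, poisonVector(vector, type), length };
}

// Unpoisoning with the view's own type recovers the real pointer.
inline const void* vectorOf(const ArrayBufferView& view)
{
    return unpoisonVector(view.poisonedVector, view.type);
}

// Unpoisoning under a different assumed type (the confusion the poison is meant
// to defeat) yields an unrelated address rather than the backing buffer.
inline const void* vectorAssumingType(const ArrayBufferView& view, JSType assumedType)
{
    return unpoisonVector(view.poisonedVector, assumedType);
}

} // namespace poisonmodel
```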

2018-01-30  Fujii Hironori  <Hironori.Fujii@sony.com>

        [Win] Warning fix.
        https://bugs.webkit.org/show_bug.cgi?id=177007

        Reviewed by Yusuke Suzuki.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::dump const):
        Changed the type of locationRawBits from unsigned to uintptr_t.
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::createNumberFormat):
        Initialize 'style' to avoid potentially uninitialized local variable warning.

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement trimStart and trimEnd
        https://bugs.webkit.org/show_bug.cgi?id=182233

        Reviewed by Mark Lam.

        String.prototype.{trimStart,trimEnd} are now stage 3[1].
        String.prototype.{trimLeft,trimRight} are aliases of these functions.

        We rename these functions to trimStart and trimEnd, and also provide them as
        trimLeft and trimRight.

        [1]: https://tc39.github.io/proposal-string-left-right-trim/

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::trimString):
        (JSC::stringProtoFuncTrim):
        (JSC::stringProtoFuncTrimStart):
        (JSC::stringProtoFuncTrimEnd):
        (JSC::stringProtoFuncTrimLeft): Deleted.
        (JSC::stringProtoFuncTrimRight): Deleted.

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Relax line terminators in String to make JSON subset of JS
        https://bugs.webkit.org/show_bug.cgi?id=182232

        Reviewed by Keith Miller.

        "Subsume JSON" spec is now stage 3[1]. Before this spec change,
        JSON could accept \u2028 / \u2029 in strings while JS could not.
        This accidentally made JSON not a subset of JS.

        Now we extend our JS strings to accept \u2028 / \u2029 to make JSON
        a subset of JS, per this spec change.

        [1]: https://github.com/tc39/proposal-json-superset

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseStringSlowCase):

2018-01-29  Jiewen Tan  <jiewen_tan@apple.com>

        [WebAuthN] Add a compile-time feature flag
        https://bugs.webkit.org/show_bug.cgi?id=182211
        <rdar://problem/36936365>

        Reviewed by Brent Fulgham.

        * Configurations/FeatureDefines.xcconfig:

2018-01-29  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
        https://bugs.webkit.org/show_bug.cgi?id=182249

        Reviewed by Keith Miller.

        Changed clobberize() handling of CompareEq, et al. to properly handle comparisons between
        Untyped and Object values when compared against built-in types.  Such comparisons can
        invoke toNumber() or other methods.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-01-29  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r227725.

        This caused internal failures.

        Reverted changeset:

        "JSC Sampling Profiler: Detect tester and testee when sampling
        in RegExp JIT"
        https://bugs.webkit.org/show_bug.cgi?id=152729
        https://trac.webkit.org/changeset/227725

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
        https://bugs.webkit.org/show_bug.cgi?id=152729

        Reviewed by Saam Barati.

        This patch extends SamplingProfiler to recognize JIT RegExp execution. We record
        the executing RegExp in the VM so that SamplingProfiler can detect it. This is better
        than the previous VM::isExecutingInRegExpJIT flag approach since

        1. isExecutingInRegExpJIT is set after starting to execute JIT RegExp code. Thus,
        if we suspend the thread just before setting this flag, or just after clearing
        this flag, SamplingProfiler gets an invalid frame, and frame validation fails. We
        should set such a flag before and after executing JIT RegExp code.

        2. This removes the VM dependency from YarrJIT, which is not an essential one.

        We add an ExecutionContext enum to RegExp::matchInline so as not to mark execution
        if it is done on a non-JS thread.

        * bytecode/BytecodeDumper.cpp:
        (JSC::regexpName):
        (JSC::BytecodeDumper<Block>::dumpRegExps):
        (JSC::regexpToSourceString): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        (JSC::RegExp::matchConcurrently):
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::toSourceString const):
        * runtime/RegExp.h:
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * runtime/RegExpMatchesArray.h:
        (JSC::createRegExpMatchesArray):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::timerLoop):
        (JSC::SamplingProfiler::takeSample):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::StackFrame::nameFromCallee):
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        (JSC::SamplingProfiler::StackFrame::functionStartLine):
        (JSC::SamplingProfiler::StackFrame::functionStartColumn):
        (JSC::SamplingProfiler::StackFrame::sourceID):
        (JSC::SamplingProfiler::StackFrame::url):
        (WTF::printInternal):
        (JSC::SamplingProfiler::~SamplingProfiler): Deleted.
        * runtime/SamplingProfiler.h:
        * runtime/VM.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::jitCompile):
        * yarr/YarrJIT.h:

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] WeakMap#set should have DFG node
        https://bugs.webkit.org/show_bug.cgi?id=180015

        Reviewed by Saam Barati.

        This patch adds WeakMapSet and WeakSetAdd DFG nodes to handle them efficiently in DFG and FTL.
        We also define CSE rules for them. Now, WeakMapSet and WeakSetAdd can offer the results of
        the subsequent WeakMapGet if CSE allows.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        WeakMap operations do not cause GC.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileWeakSetAdd):
        (JSC::DFG::SpeculativeJIT::compileWeakMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet):
        * jit/JITOperations.h:
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):

2018-01-28  Filip Pizlo  <fpizlo@apple.com>

        LargeAllocation should do the same distancing as MarkedBlock
        https://bugs.webkit.org/show_bug.cgi?id=182226

        Reviewed by Saam Barati.

        This makes LargeAllocation do the same exact distancing that MarkedBlock promises to do.

        To make that possible, this patch first makes MarkedBlock know exactly how much distancing it
        is doing:

        - I've rationalized the payloadSize calculation. In particular, I made MarkedSpace use the
          calculation done in MarkedBlock. MarkedSpace used to do the math a different way. This
          keeps the old way just for a static_assert.

        - The promised amount of distancing is now codified in HeapCell.h as
          minimumDistanceBetweenCellsFromDifferentOrigins. We assert that the footer size is at least
          as big as this. I didn't want to just use footer size for this constant because then, if
          you increased the size of the footer, you'd also add padding to every large allocation.

        Then this patch just adds minimumDistanceBetweenCellsFromDifferentOrigins to each large
        allocation. It also zeroes that slice of memory to prevent any information leaks that way.

        This is perf neutral. Large allocations start out at ~8000 bytes. The amount of padding is
        ~300 bytes. That's 3.75% space overhead for objects that are ~8000 bytes, zero overhead for
        smaller objects, and diminishing overhead for larger objects. We allocate very few large
        objects, so we shouldn't have any real space overhead from this.

        * heap/HeapCell.h:
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.h:

2018-01-27  Filip Pizlo  <fpizlo@apple.com>

        Make MarkedBlock::Footer bigger
        https://bugs.webkit.org/show_bug.cgi?id=182220

        Reviewed by JF Bastien.

        This makes the block footer larger by moving the newlyAllocated bits from the handle into
        the footer.

        It used to be profitable to put anything we could into the handle because that would free up
        payload space inside the block. But now that we want to use the footer for padding, it's
        profitable to put GC state information - especially data that is used by the GC itself and so
        is not useful for a Spectre attack - into the footer to increase object distancing.

        * heap/CellContainer.cpp:
        (JSC::CellContainer::isNewlyAllocated const):
        * heap/IsoCellSet.cpp:
        (JSC::IsoCellSet::sweepToFreeList):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Footer::Footer):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::lastChanceToFinalize):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::resetAllocated):
        (JSC::MarkedBlock::Handle::resetAllocated): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::newlyAllocatedVersion const):
        (JSC::MarkedBlock::isNewlyAllocated):
        (JSC::MarkedBlock::setNewlyAllocated):
        (JSC::MarkedBlock::clearNewlyAllocated):
        (JSC::MarkedBlock::newlyAllocated const):
        (JSC::MarkedBlock::Handle::newlyAllocatedVersion const): Deleted.
        (JSC::MarkedBlock::Handle::isNewlyAllocated): Deleted.
        (JSC::MarkedBlock::Handle::setNewlyAllocated): Deleted.
        (JSC::MarkedBlock::Handle::clearNewlyAllocated): Deleted.
        (JSC::MarkedBlock::Handle::newlyAllocated const): Deleted.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::isNewlyAllocatedStale const):
        (JSC::MarkedBlock::hasAnyNewlyAllocated):
        (JSC::MarkedBlock::Handle::isLive):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::newlyAllocatedMode):
        (JSC::MarkedBlock::Handle::isNewlyAllocatedStale const): Deleted.
        (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::endMarking):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):

2018-01-27  Filip Pizlo  <fpizlo@apple.com>

        MarkedBlock should have a footer instead of a header
        https://bugs.webkit.org/show_bug.cgi?id=182217

        Reviewed by JF Bastien.

        This moves the MarkedBlock's meta-data from the header to the footer. This doesn't really
        change anything except for some compile-time constants, so it should not affect performance.

        This change is to help protect against Spectre attacks on structure checks, which allow for
        small-offset out-of-bounds access. By putting the meta-data at the end of the block, small
        OOBs will only get to other objects in the same block or the block footer. The block footer
        is not super interesting. So, if we combine this with the TLC change (r227617), this means we
        can use blocks as the mechanism of achieving distance between objects from different origins.
        We just need to avoid ever putting objects from different origins in the same block. That's
        what bug 181636 is about.

        * heap/BlockDirectory.cpp:
        (JSC::blockHeaderSize): Deleted.
        (JSC::BlockDirectory::blockSizeForBytes): Deleted.
        * heap/BlockDirectory.h:
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::~MarkedBlock):
        (JSC::MarkedBlock::Footer::Footer):
        (JSC::MarkedBlock::Footer::~Footer):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::lastChanceToFinalize):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::resetMarks):
        (JSC::MarkedBlock::assertMarksNotStale):
        (JSC::MarkedBlock::Handle::didConsumeFreeList):
        (JSC::MarkedBlock::markCount):
        (JSC::MarkedBlock::clearHasAnyMarked):
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
        (JSC::MarkedBlock::Handle::sweep):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::markingVersion const):
        (JSC::MarkedBlock::lock):
        (JSC::MarkedBlock::subspace const):
        (JSC::MarkedBlock::footer):
        (JSC::MarkedBlock::footer const):
        (JSC::MarkedBlock::handle):
        (JSC::MarkedBlock::handle const):
        (JSC::MarkedBlock::Handle::blockFooter):
        (JSC::MarkedBlock::isAtomAligned):
        (JSC::MarkedBlock::Handle::cellAlign):
        (JSC::MarkedBlock::blockFor):
        (JSC::MarkedBlock::vm const):
        (JSC::MarkedBlock::weakSet):
        (JSC::MarkedBlock::cellSize):
        (JSC::MarkedBlock::attributes const):
        (JSC::MarkedBlock::atomNumber):
        (JSC::MarkedBlock::areMarksStale):
        (JSC::MarkedBlock::aboutToMark):
        (JSC::MarkedBlock::isMarkedRaw):
        (JSC::MarkedBlock::isMarked):
        (JSC::MarkedBlock::testAndSetMarked):
        (JSC::MarkedBlock::marks const):
        (JSC::MarkedBlock::isAtom):
        (JSC::MarkedBlock::Handle::forEachCell):
        (JSC::MarkedBlock::hasAnyMarked const):
        (JSC::MarkedBlock::noteMarked):
        (WTF::MarkedBlockHash::hash):
        (JSC::MarkedBlock::firstAtom): Deleted.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::marksConveyLivenessDuringMarking):
        (JSC::MarkedBlock::Handle::isLive):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::forEachLiveCell):
        (JSC::MarkedBlock::Handle::forEachDeadCell):
        (JSC::MarkedBlock::Handle::forEachMarkedCell):
        * heap/MarkedSpace.cpp:
        * heap/MarkedSpace.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
        https://bugs.webkit.org/show_bug.cgi?id=182213

        Reviewed by Mark Lam.

        toStringWithRadixInternal is originally used for the slow path if the given value is larger than the radix or negative.
        As a result, it does not accept 0 correctly, and produces an empty string. Since DFGStrengthReductionPhase uses
        this function, it accidentally converts NumberToStringWithValidRadixConstant(0, radix) to an empty string.
        This patch fixes toStringWithRadixInternal to accept 0. This change fixes twitch.tv's issue.

        We also add a careful cast to avoid `-INT32_MIN`. It does not produce an incorrect value on x86 in practice,
        but it is UB, and a compiler may assume that the given value is never INT32_MIN and could do an incorrect optimization.

        * runtime/NumberPrototype.cpp:
        (JSC::toStringWithRadixInternal):
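
        An added illustration, not part of this ChangeLog entry and not JSC's
        NumberPrototype code: the defective shape of the radix conversion beside a
        version that emits "0" for zero and negates INT32_MIN without signed
        overflow.  Function names are constructed; the radix is assumed to have been
        validated (2..36) by the caller, as JSC does before reaching the slow path.

```cpp
// Added example, not JSC's NumberPrototype code: an int32 -> string-in-radix
// routine that avoids the two defects the entry above describes. Names are
// constructed; the radix is assumed to have been validated (2..36) by the caller.
#include <cstdint>
#include <string>

namespace radixmodel {

static const char kDigits[] = "0123456789abcdefghijklmnopqrstuvwxyz";

// The shape of the original slow path: a loop that runs only while the value is
// non-zero emits no digit at all for 0, and `-value` overflows for INT32_MIN.
// Kept here only to show the failure for 0; never call it with INT32_MIN.
std::string toStringWithRadixBuggy(int32_t value, unsigned radix)
{
    bool negative = value < 0;
    int32_t magnitude = negative ? -value : value; // undefined for INT32_MIN
    std::string out;
    while (magnitude) { // zero never enters the loop, so the result is ""
        out.insert(out.begin(), kDigits[magnitude % radix]);
        magnitude /= radix;
    }
    if (negative)
        out.insert(out.begin(), '-');
    return out;
}

// Fixed shape: a do/while always emits at least one digit, and the negation is
// done on the unsigned reinterpretation, which is defined modulo 2^32.
std::string toStringWithRadix(int32_t value, unsigned radix)
{
    bool negative = value < 0;
    uint32_t magnitude = static_cast<uint32_t>(value);
    if (negative)
        magnitude = 0u - magnitude; // INT32_MIN -> 2147483648, no overflow
    char buffer[33]; // sign + up to 32 binary digits
    char* end = buffer + sizeof(buffer);
    char* p = end;
    do {
        *--p = kDigits[magnitude % radix];
        magnitude /= radix;
    } while (magnitude);
    if (negative)
        *--p = '-';
    return std::string(p, end);
}

} // namespace radixmodel
```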

2018-01-26  Saam Barati  <sbarati@apple.com>

        Fix emitAllocateWithNonNullAllocator to work on arm
        https://bugs.webkit.org/show_bug.cgi?id=182187
        <rdar://problem/36906550>

        Reviewed by Filip Pizlo.

        This patch unifies the x86 and ARM paths in emitAllocateWithNonNullAllocator
        and makes it so that emitAllocateWithNonNullAllocator uses the macro scratch
        register on ARM.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):

2018-01-26  Joseph Pecoraro  <pecoraro@apple.com>

        Rebaselining builtin generator tests after r227685.

        Unreviewed.

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        It used to be that the builtins generator was minifying by default. That was an accident
        and we now only minify on Release builds. The generator tests are now getting the
        default unminified output behavior so they need to update their expectations
        for some extra whitespace.

2018-01-26  Mark Lam  <mark.lam@apple.com>

        We should only append ParserArenaDeletable pointers to ParserArena::m_deletableObjects.
        https://bugs.webkit.org/show_bug.cgi?id=182180
        <rdar://problem/36460697>

        Reviewed by Michael Saboff.

        Some parser Node subclasses extend ParserArenaDeletable via multiple inheritance,
        but not as the Node's first base class.  ParserArena::m_deletableObjects is
        expecting pointers to objects of the shape of ParserArenaDeletable.  We ensure
        this by allocating the Node subclass, and casting it to ParserArenaDeletable to
        get the correct pointer to append to ParserArena::m_deletableObjects.

        To simplify things, we introduce a JSC_MAKE_PARSER_ARENA_DELETABLE_ALLOCATED
        (analogous to WTF_MAKE_FAST_ALLOCATED) for use in Node subclasses that extend
        ParserArenaDeletable.

        * parser/NodeConstructors.h:
        (JSC::ParserArenaDeletable::operator new):
        * parser/Nodes.h:
        * parser/ParserArena.h:
        (JSC::ParserArena::allocateDeletable):
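
        An added illustration, not part of this ChangeLog entry and not JSC's parser
        code: a C++ model of why a Node subclass that inherits ParserArenaDeletable as
        a non-first base must be registered with the arena through a pointer adjusted
        to that base.  Class and function names are constructed stand-ins for the real
        JSC classes.

```cpp
// Added example, not JSC's parser code: why a Node subclass that inherits
// ParserArenaDeletable as a non-first base must be registered with the arena
// through a pointer adjusted to that base, as the entry above explains.
// All names here are constructed stand-ins for the real JSC classes.
#include <cstddef>
#include <utility>
#include <vector>

namespace arenamodel {

struct ParserArenaDeletable {
    virtual ~ParserArenaDeletable() = default;
};

// Counts destructor runs so a test can see whether the arena destroyed objects.
static int g_destroyed = 0;

// Polymorphic first base with state: with it at offset 0, the ParserArenaDeletable
// subobject lives at a non-zero offset inside any derived object.
struct ExpressionNode {
    int lineNumber = 0;
    int startOffset = 0;
    virtual ~ExpressionNode() = default;
};

struct BinaryOpNode : ExpressionNode, ParserArenaDeletable {
    int opcode = 0;
    ~BinaryOpNode() override { ++g_destroyed; }
};

class ParserArena {
public:
    ~ParserArena()
    {
        // Every stored pointer must address a ParserArenaDeletable subobject,
        // otherwise this virtual call runs against the wrong vtable.
        for (ParserArenaDeletable* object : m_deletableObjects)
            delete object;
    }

    // Allocate the concrete subclass, then convert to ParserArenaDeletable* so the
    // compiler applies the base-class adjustment before the pointer is stored.
    template<typename T, typename... Args>
    T* allocateDeletable(Args&&... args)
    {
        T* object = new T(std::forward<Args>(args)...);
        m_deletableObjects.push_back(static_cast<ParserArenaDeletable*>(object));
        return object;
    }

private:
    std::vector<ParserArenaDeletable*> m_deletableObjects;
};

// The correct pointer to hand to the arena.
inline ParserArenaDeletable* adjustedPointer(BinaryOpNode* node)
{
    return static_cast<ParserArenaDeletable*>(node);
}

// The bug class: reinterpreting the derived address as the deletable base skips
// the adjustment, so it points at ExpressionNode's vtable pointer instead.
inline ParserArenaDeletable* unadjustedPointer(BinaryOpNode* node)
{
    return reinterpret_cast<ParserArenaDeletable*>(node);
}

// Byte distance between the two pointers; any non-zero value is the hazard.
inline std::ptrdiff_t deletableOffset(BinaryOpNode* node)
{
    return reinterpret_cast<char*>(adjustedPointer(node)) - reinterpret_cast<char*>(node);
}

// Build and tear down an arena holding `count` nodes; returns how many were destroyed.
inline int destroyedViaArena(int count)
{
    int before = g_destroyed;
    {
        ParserArena arena;
        for (int i = 0; i < count; ++i)
            arena.allocateDeletable<BinaryOpNode>();
    }
    return g_destroyed - before;
}

} // namespace arenamodel
```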

2018-01-26  Joseph Pecoraro  <pecoraro@apple.com>

        JavaScriptCore builtins should be partially minified in Release builds not Debug builds
        https://bugs.webkit.org/show_bug.cgi?id=182165

        Reviewed by Keith Miller.

        * Scripts/builtins/builtins_model.py:
        (BuiltinFunction.fromString):
        Apply minifications on Release builds instead of Debug builds.
        Also eliminate leading whitespace.

2018-01-26  Filip Pizlo  <fpizlo@apple.com>

        Disable TLS-based TLCs
        https://bugs.webkit.org/show_bug.cgi?id=182175

        Reviewed by Saam Barati.

        Check for the new USE(FAST_TLS_FOR_TLC) flag instead of just ENABLE(FAST_TLS_JIT).

        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::~BlockDirectory):
        * heap/BlockDirectory.h:
        * heap/ThreadLocalCache.cpp:
        (JSC::ThreadLocalCache::installSlow):
        (JSC::ThreadLocalCache::installData):
        * heap/ThreadLocalCache.h:
        * heap/ThreadLocalCacheInlines.h:
        (JSC::ThreadLocalCache::getImpl):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        * runtime/VM.h:

2018-01-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/errorhandling.html crashes
        https://bugs.webkit.org/show_bug.cgi?id=181980

        Reviewed by Ryosuke Niwa.

        We accidentally failed to propagate the errored promise in the instantiate and satisfy phases if entry.{instantiate,satisfy}
        promises are set. Since we just returned `entry`, it becomes a succeeded promise even if the dependent fetch, instantiate,
        and satisfy promises have failed. This patch fixes error propagation by returning `entry.instantiate` and `entry.satisfy`
        correctly.

        * builtins/ModuleLoaderPrototype.js:
        (requestInstantiate):
        (requestSatisfy):

2018-01-25  Mark Lam  <mark.lam@apple.com>

        Gardening: fix 32-bit build after r227643.
        https://bugs.webkit.org/show_bug.cgi?id=182086

        Not reviewed.

        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):

2018-01-24  Filip Pizlo  <fpizlo@apple.com>

        DirectArguments should protect itself using dynamic poisoning and precise index masking
        https://bugs.webkit.org/show_bug.cgi?id=182086

        Reviewed by Saam Barati.

        This implements dynamic poisoning and precise index masking in DirectArguments, using the
        helpers from <wtf/MathExtras.h> and helpers in AssemblyHelpers and FTL::LowerDFGToB3.

        We use dynamic poisoning for DirectArguments since this object did not have any additional
        indirection inside it that could have been poisoned. So, we use the xor of the expected type
        and the actual type as an additional input into the pointer.

        We use precise index masking for bounds checks, because it's not worth doing index masking
        unless we know that precise index masking is too slow.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::lshiftPtr):
        (JSC::MacroAssembler::rshiftPtr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
        (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask64):
        (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask32):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitPreciseIndexMask32):
        (JSC::AssemblyHelpers::emitDynamicPoison):
        (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
        (JSC::AssemblyHelpers::emitDynamicPoisonOnType):
        * jit/AssemblyHelpers.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDirectArgumentsGetByVal):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::getIndexQuickly const):
        (JSC::DirectArguments::setIndexQuickly):
        (JSC::DirectArguments::argument):
        * runtime/GenericArgumentsInlines.h:
1311
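Added example, not code from JavaScriptCore or the entry above: the two mitigations the DirectArguments entry describes, precise index masking for the bounds check and dynamic poisoning keyed on the xor of expected and actual type, written as plain C++ over a constructed DirectArguments-like cell. The type tags, the 40-bit shift used to fold the poison into the pointer, and the cell layout are assumptions for this demo.

```cpp
#include <cstddef>
#include <cstdint>

static_assert(sizeof(uintptr_t) == 8, "this example assumes 64-bit pointers");

// Constructed type tags for the demo; these are not JSC's real JSType values.
constexpr uint8_t kDirectArgumentsType = 0x21;
constexpr uint8_t kSomeOtherType = 0x7e;

// Minimal stand-in for a DirectArguments cell: a type byte, a length, and inline storage.
struct DirectArgumentsLike {
    uint8_t type;
    uint32_t length;
    uint64_t storage[8];
};

// Precise index masking (same idea as the WTF helper the entry cites, re-implemented here):
// all ones when index < length, all zeros otherwise, computed without a branch that the
// CPU could mispredict. Precondition: length < 2^31, so that (index - length) has its top
// bit set exactly when index < length.
inline uint32_t preciseIndexMask32(uint32_t index, uint32_t length)
{
    uint32_t borrow = (index - length) >> 31; // 1 iff index < length (unsigned wraparound)
    return 0u - borrow;                       // 0xFFFFFFFF or 0
}

// Dynamic poisoning: fold (actualType ^ expectedType) into the object pointer. When the types
// agree the xor is zero and the pointer is untouched; otherwise the pointer is moved far away,
// so a load through it under misspeculation cannot read the real object. The shift amount is
// an assumption for this example, not JSC's exact encoding.
inline uintptr_t dynamicPoisonOnType(uintptr_t pointer, uint8_t actualType, uint8_t expectedType)
{
    uintptr_t poison = static_cast<uintptr_t>(actualType ^ expectedType);
    return pointer ^ (poison << 40);
}

// The architectural checks guard the load; the mask and poison make the same checks hold on
// the speculative path too, because both are computed from data rather than from the branch
// outcome. Returns false when a check fails.
bool loadArgumentHardened(const DirectArgumentsLike* object, uint32_t index, uint64_t& out)
{
    if (object->type != kDirectArgumentsType)
        return false;
    if (index >= object->length)
        return false;

    uint32_t maskedIndex = index & preciseIndexMask32(index, object->length); // 0 if out of bounds
    uintptr_t base = dynamicPoisonOnType(reinterpret_cast<uintptr_t>(object),
                                         object->type, kDirectArgumentsType);
    const auto* safeObject = reinterpret_cast<const DirectArgumentsLike*>(base);
    out = safeObject->storage[maskedIndex];
    return true;
}

// Builds a constructed sample object whose storage[i] == 100 + i.
DirectArgumentsLike makeSample(uint8_t type, uint32_t length)
{
    DirectArgumentsLike object{};
    object.type = type;
    object.length = length;
    for (uint32_t i = 0; i < 8; ++i)
        object.storage[i] = 100 + i;
    return object;
}

int main()
{
    DirectArgumentsLike args = makeSample(kDirectArgumentsType, 3);
    uint64_t value = 0;
    bool ok = loadArgumentHardened(&args, 2, value);  // true, value == 102
    bool oob = loadArgumentHardened(&args, 5, value); // false: index >= length
    return (ok && !oob && value == 102) ? 0 : 1;
}
```
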
1312 2018-01-25  Mark Lam  <mark.lam@apple.com>
1313
1314         Rename some local vars from type to typedArrayType for greater clarity.
1315         https://bugs.webkit.org/show_bug.cgi?id=182148
1316         <rdar://problem/36882310>
1317
1318         Reviewed by Saam Barati.
1319
1320         * dfg/DFGSpeculativeJIT.cpp:
1321         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1322         * ftl/FTLLowerDFGToB3.cpp:
1323         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1324
1325 2018-01-25  Filip Pizlo  <fpizlo@apple.com>
1326
1327         JSC GC should support TLCs (thread local caches)
1328         https://bugs.webkit.org/show_bug.cgi?id=181559
1329
1330         Reviewed by Mark Lam and Saam Barati.
1331         
1332         This is a big step towards object distancing by site origin. This patch implements TLCs, or
1333         thread-local caches, which allow each thread to allocate from its own free lists. It also
1334         means that any given thread can context-switch TLCs. This will allow us to do separate
1335         allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
1336         will allow us to have a hard distancing constraint between objects from different origins.
1337         
1338         In this new design, every "size class" is represented as a BlockDirectory (formerly known as
1339         MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
1340         aligned memory allocator (which roughly represents which cage you came out of), and anyone
1341         using the same allocator can share those blocks - but so long as they are in that
1342         BlockDirectory, they will have the size and type of that directory. Previously, each
1343         BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a doubly-linked list of
1344         LocalAllocators, each of which has a FreeList.
1345         
1346         To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
1347         BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
1348         call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
1349         starts by figuring out what Allocator it wants (often we have this information at JIT time).
1350         Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
1351         Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
1352         offsets as opposed to indices to make it easy to do the math on each allocation (if
1353         LocalAllocator had a weird size then every allocation would have to do an imul).
1354         
1355         This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
1356         unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
1357         geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
1358         something there, but it's not significant according to our threshold).
1359         
1360         Relanding after fixing ARM64 bug in AssemblyHelpers::emitAllocateWithNonNullAllocator(). That
1361         function needs to be careful to avoid using the scratch register because the FTL will call it
1362         in disallow-scratch-register mode.
1363
1364         * JavaScriptCore.xcodeproj/project.pbxproj:
1365         * Sources.txt:
1366         * b3/B3LowerToAir.cpp:
1367         * b3/B3PatchpointSpecial.cpp:
1368         (JSC::B3::PatchpointSpecial::admitsStack):
1369         * b3/B3StackmapSpecial.cpp:
1370         (JSC::B3::StackmapSpecial::forEachArgImpl):
1371         (JSC::B3::StackmapSpecial::isArgValidForRep):
1372         * b3/B3StackmapValue.cpp:
1373         (JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
1374         * b3/B3StackmapValue.h:
1375         * b3/B3Validate.cpp:
1376         * b3/B3ValueRep.cpp:
1377         (JSC::B3::ValueRep::addUsedRegistersTo const):
1378         (JSC::B3::ValueRep::dump const):
1379         (WTF::printInternal):
1380         * b3/B3ValueRep.h:
1381         (JSC::B3::ValueRep::ValueRep):
1382         * bytecode/AccessCase.cpp:
1383         (JSC::AccessCase::generateImpl):
1384         * bytecode/ObjectAllocationProfile.h:
1385         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
1386         (JSC::ObjectAllocationProfile::clear):
1387         * bytecode/ObjectAllocationProfileInlines.h:
1388         (JSC::ObjectAllocationProfile::initializeProfile):
1389         * dfg/DFGSpeculativeJIT.cpp:
1390         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1391         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1392         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1393         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1394         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1395         (JSC::DFG::SpeculativeJIT::compileNewObject):
1396         * dfg/DFGSpeculativeJIT.h:
1397         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1398         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1399         * ftl/FTLAbstractHeapRepository.h:
1400         * ftl/FTLLowerDFGToB3.cpp:
1401         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1402         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1403         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1404         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
1405         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1406         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1407         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1408         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1409         * heap/Allocator.cpp: Added.
1410         (JSC::Allocator::cellSize const):
1411         * heap/Allocator.h: Added.
1412         (JSC::Allocator::Allocator):
1413         (JSC::Allocator::offset const):
1414         (JSC::Allocator::operator== const):
1415         (JSC::Allocator::operator!= const):
1416         (JSC::Allocator::operator bool const):
1417         * heap/AllocatorInlines.h: Added.
1418         (JSC::Allocator::allocate const):
1419         (JSC::Allocator::tryAllocate const):
1420         * heap/BlockDirectory.cpp:
1421         (JSC::BlockDirectory::BlockDirectory):
1422         (JSC::BlockDirectory::findBlockForAllocation):
1423         (JSC::BlockDirectory::stopAllocating):
1424         (JSC::BlockDirectory::prepareForAllocation):
1425         (JSC::BlockDirectory::stopAllocatingForGood):
1426         (JSC::BlockDirectory::resumeAllocating):
1427         (JSC::BlockDirectory::endMarking):
1428         (JSC::BlockDirectory::isFreeListedCell):
1429         (JSC::BlockDirectory::didConsumeFreeList): Deleted.
1430         (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
1431         (JSC::BlockDirectory::allocateIn): Deleted.
1432         (JSC::BlockDirectory::tryAllocateIn): Deleted.
1433         (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
1434         (JSC::BlockDirectory::allocateSlowCase): Deleted.
1435         * heap/BlockDirectory.h:
1436         (JSC::BlockDirectory::cellKind const):
1437         (JSC::BlockDirectory::allocator const):
1438         (JSC::BlockDirectory::freeList const): Deleted.
1439         (JSC::BlockDirectory::offsetOfFreeList): Deleted.
1440         (JSC::BlockDirectory::offsetOfCellSize): Deleted.
1441         * heap/BlockDirectoryInlines.h:
1442         (JSC::BlockDirectory::isFreeListedCell const): Deleted.
1443         (JSC::BlockDirectory::allocate): Deleted.
1444         * heap/CompleteSubspace.cpp:
1445         (JSC::CompleteSubspace::CompleteSubspace):
1446         (JSC::CompleteSubspace::allocatorFor):
1447         (JSC::CompleteSubspace::allocate):
1448         (JSC::CompleteSubspace::allocateNonVirtual):
1449         (JSC::CompleteSubspace::allocatorForSlow):
1450         (JSC::CompleteSubspace::allocateSlow):
1451         (JSC::CompleteSubspace::tryAllocateSlow):
1452         * heap/CompleteSubspace.h:
1453         (JSC::CompleteSubspace::allocatorForSizeStep):
1454         (JSC::CompleteSubspace::allocatorForNonVirtual):
1455         * heap/FreeList.h:
1456         * heap/GCDeferralContext.h:
1457         * heap/Heap.cpp:
1458         (JSC::Heap::Heap):
1459         (JSC::Heap::lastChanceToFinalize):
1460         * heap/Heap.h:
1461         (JSC::Heap::threadLocalCacheLayout):
1462         * heap/IsoCellSet.h:
1463         * heap/IsoSubspace.cpp:
1464         (JSC::IsoSubspace::IsoSubspace):
1465         (JSC::IsoSubspace::allocatorFor):
1466         (JSC::IsoSubspace::allocate):
1467         (JSC::IsoSubspace::allocateNonVirtual):
1468         * heap/IsoSubspace.h:
1469         (JSC::IsoSubspace::allocatorForNonVirtual):
1470         * heap/LocalAllocator.cpp: Added.
1471         (JSC::LocalAllocator::LocalAllocator):
1472         (JSC::LocalAllocator::reset):
1473         (JSC::LocalAllocator::~LocalAllocator):
1474         (JSC::LocalAllocator::stopAllocating):
1475         (JSC::LocalAllocator::resumeAllocating):
1476         (JSC::LocalAllocator::prepareForAllocation):
1477         (JSC::LocalAllocator::stopAllocatingForGood):
1478         (JSC::LocalAllocator::allocateSlowCase):
1479         (JSC::LocalAllocator::didConsumeFreeList):
1480         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
1481         (JSC::LocalAllocator::allocateIn):
1482         (JSC::LocalAllocator::tryAllocateIn):
1483         (JSC::LocalAllocator::doTestCollectionsIfNeeded):
1484         (JSC::LocalAllocator::isFreeListedCell const):
1485         * heap/LocalAllocator.h: Added.
1486         (JSC::LocalAllocator::offsetOfFreeList):
1487         (JSC::LocalAllocator::offsetOfCellSize):
1488         * heap/LocalAllocatorInlines.h: Added.
1489         (JSC::LocalAllocator::allocate):
1490         * heap/MarkedSpace.cpp:
1491         (JSC::MarkedSpace::stopAllocatingForGood):
1492         * heap/MarkedSpace.h:
1493         * heap/SlotVisitor.cpp:
1494         * heap/SlotVisitor.h:
1495         * heap/Subspace.h:
1496         * heap/ThreadLocalCache.cpp: Added.
1497         (JSC::ThreadLocalCache::create):
1498         (JSC::ThreadLocalCache::ThreadLocalCache):
1499         (JSC::ThreadLocalCache::~ThreadLocalCache):
1500         (JSC::ThreadLocalCache::allocateData):
1501         (JSC::ThreadLocalCache::destroyData):
1502         (JSC::ThreadLocalCache::installSlow):
1503         (JSC::ThreadLocalCache::installData):
1504         (JSC::ThreadLocalCache::allocatorSlow):
1505         (JSC::ThreadLocalCache::destructor):
1506         * heap/ThreadLocalCache.h: Added.
1507         (JSC::ThreadLocalCache::offsetOfSize):
1508         (JSC::ThreadLocalCache::offsetOfFirstAllocator):
1509         * heap/ThreadLocalCacheInlines.h: Added.
1510         (JSC::ThreadLocalCache::getImpl):
1511         (JSC::ThreadLocalCache::get):
1512         (JSC::ThreadLocalCache::install):
1513         (JSC::ThreadLocalCache::allocator):
1514         (JSC::ThreadLocalCache::tryGetAllocator):
1515         * heap/ThreadLocalCacheLayout.cpp: Added.
1516         (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
1517         (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
1518         (JSC::ThreadLocalCacheLayout::allocateOffset):
1519         (JSC::ThreadLocalCacheLayout::snapshot):
1520         (JSC::ThreadLocalCacheLayout::directory):
1521         * heap/ThreadLocalCacheLayout.h: Added.
1522         * jit/AssemblyHelpers.cpp:
1523         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1524         (JSC::AssemblyHelpers::emitAllocate):
1525         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1526         * jit/AssemblyHelpers.h:
1527         (JSC::AssemblyHelpers::vm):
1528         (JSC::AssemblyHelpers::emitAllocateJSCell):
1529         (JSC::AssemblyHelpers::emitAllocateJSObject):
1530         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1531         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
1532         (JSC::AssemblyHelpers::emitAllocate): Deleted.
1533         (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
1534         * jit/JITOpcodes.cpp:
1535         (JSC::JIT::emit_op_new_object):
1536         (JSC::JIT::emit_op_create_this):
1537         * jit/JITOpcodes32_64.cpp:
1538         (JSC::JIT::emit_op_new_object):
1539         (JSC::JIT::emit_op_create_this):
1540         * runtime/ButterflyInlines.h:
1541         (JSC::Butterfly::createUninitialized):
1542         (JSC::Butterfly::tryCreate):
1543         (JSC::Butterfly::growArrayRight):
1544         * runtime/DirectArguments.cpp:
1545         (JSC::DirectArguments::overrideThings):
1546         * runtime/GenericArgumentsInlines.h:
1547         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1548         * runtime/HashMapImpl.h:
1549         (JSC::HashMapBuffer::create):
1550         * runtime/JSArray.cpp:
1551         (JSC::JSArray::tryCreateUninitializedRestricted):
1552         (JSC::JSArray::unshiftCountSlowCase):
1553         * runtime/JSArray.h:
1554         (JSC::JSArray::tryCreate):
1555         * runtime/JSArrayBufferView.cpp:
1556         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1557         * runtime/JSCellInlines.h:
1558         (JSC::tryAllocateCellHelper):
1559         * runtime/JSGlobalObject.cpp:
1560         (JSC::JSGlobalObject::JSGlobalObject):
1561         * runtime/JSGlobalObject.h:
1562         (JSC::JSGlobalObject::threadLocalCache const):
1563         * runtime/JSLock.cpp:
1564         (JSC::JSLock::didAcquireLock):
1565         * runtime/Options.h:
1566         * runtime/RegExpMatchesArray.h:
1567         (JSC::tryCreateUninitializedRegExpMatchesArray):
1568         * runtime/VM.cpp:
1569         (JSC::VM::VM):
1570         * runtime/VM.h:
1571         * runtime/VMEntryScope.cpp:
1572         (JSC::VMEntryScope::VMEntryScope):
1573
1574 2018-01-25  Commit Queue  <commit-queue@webkit.org>
1575
1576         Unreviewed, rolling out r227592.
1577         https://bugs.webkit.org/show_bug.cgi?id=182110
1578
1579         it made ARM64 (Linux and iOS) crash (Requested by pizlo-mbp on
1580         #webkit).
1581
1582         Reverted changeset:
1583
1584         "JSC GC should support TLCs (thread local caches)"
1585         https://bugs.webkit.org/show_bug.cgi?id=181559
1586         https://trac.webkit.org/changeset/227592
1587
1588 2018-01-25  Alejandro G. Castro  <alex@igalia.com>
1589
1590         undefined reference to 'JSC::B3::BasicBlock::fallThrough() const
1591         https://bugs.webkit.org/show_bug.cgi?id=180637
1592
1593         Reviewed by Michael Catanzaro.
1594
1595         We need to make sure the implementation of the inline functions is
1596         compiled when we compile the code using the function, now that the
1597         compilation is divided, or we could end up with undefined symbols
1598         when the declaration is not inlined, at least with some compilers
1599         and with optimizations enabled (-O2).
1600
1601         * b3/B3SwitchValue.cpp: Replace the include.
1602
1603 2018-01-20  Filip Pizlo  <fpizlo@apple.com>
1604
1605         JSC GC should support TLCs (thread local caches)
1606         https://bugs.webkit.org/show_bug.cgi?id=181559
1607
1608         Reviewed by Mark Lam and Saam Barati.
1609         
1610         This is a big step towards object distancing by site origin. This patch implements TLCs, or
1611         thread-local caches, which allow each thread to allocate from its own free lists. It also
1612         means that any given thread can context-switch TLCs. This will allow us to do separate
1613         allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
1614         will allow us to have a hard distancing constraint between objects from different origins.
1615         
1616         In this new design, every "size class" is represented as a BlockDirectory (formerly known as
1617         MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
1618         aligned memory allocator (which roughly represents which cage you came out of), and anyone
1619         using the same allocator can share those blocks - but so long as they are in that
1620         BlockDirectory, they will have the size and type of that directory. Previously, each
1621         BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a doubly-linked list of
1622         LocalAllocators, each of which has a FreeList.
1623         
1624         To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
1625         BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
1626         call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
1627         starts by figuring out what Allocator it wants (often we have this information at JIT time).
1628         Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
1629         Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
1630         offsets as opposed to indices to make it easy to do the math on each allocation (if
1631         LocalAllocator had a weird size then every allocation would have to do an imul).
1632         
1633         This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
1634         unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
1635         geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
1636         something there, but it's not significant according to our threshold).
1637
1638         * JavaScriptCore.xcodeproj/project.pbxproj:
1639         * Sources.txt:
1640         * b3/B3LowerToAir.cpp:
1641         * b3/B3PatchpointSpecial.cpp:
1642         (JSC::B3::PatchpointSpecial::admitsStack):
1643         * b3/B3StackmapSpecial.cpp:
1644         (JSC::B3::StackmapSpecial::forEachArgImpl):
1645         (JSC::B3::StackmapSpecial::isArgValidForRep):
1646         * b3/B3StackmapValue.cpp:
1647         (JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
1648         * b3/B3StackmapValue.h:
1649         * b3/B3Validate.cpp:
1650         * b3/B3ValueRep.cpp:
1651         (JSC::B3::ValueRep::addUsedRegistersTo const):
1652         (JSC::B3::ValueRep::dump const):
1653         (WTF::printInternal):
1654         * b3/B3ValueRep.h:
1655         (JSC::B3::ValueRep::ValueRep):
1656         * bytecode/AccessCase.cpp:
1657         (JSC::AccessCase::generateImpl):
1658         * bytecode/ObjectAllocationProfile.h:
1659         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
1660         (JSC::ObjectAllocationProfile::clear):
1661         * bytecode/ObjectAllocationProfileInlines.h:
1662         (JSC::ObjectAllocationProfile::initializeProfile):
1663         * dfg/DFGSpeculativeJIT.cpp:
1664         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1665         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1666         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1667         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1668         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1669         (JSC::DFG::SpeculativeJIT::compileNewObject):
1670         * dfg/DFGSpeculativeJIT.h:
1671         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1672         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1673         * ftl/FTLAbstractHeapRepository.h:
1674         * ftl/FTLLowerDFGToB3.cpp:
1675         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1676         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1677         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1678         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
1679         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1680         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1681         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1682         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1683         * heap/Allocator.cpp: Added.
1684         (JSC::Allocator::cellSize const):
1685         * heap/Allocator.h: Added.
1686         (JSC::Allocator::Allocator):
1687         (JSC::Allocator::offset const):
1688         (JSC::Allocator::operator== const):
1689         (JSC::Allocator::operator!= const):
1690         (JSC::Allocator::operator bool const):
1691         * heap/AllocatorInlines.h: Added.
1692         (JSC::Allocator::allocate const):
1693         (JSC::Allocator::tryAllocate const):
1694         * heap/BlockDirectory.cpp:
1695         (JSC::BlockDirectory::BlockDirectory):
1696         (JSC::BlockDirectory::findBlockForAllocation):
1697         (JSC::BlockDirectory::stopAllocating):
1698         (JSC::BlockDirectory::prepareForAllocation):
1699         (JSC::BlockDirectory::stopAllocatingForGood):
1700         (JSC::BlockDirectory::resumeAllocating):
1701         (JSC::BlockDirectory::endMarking):
1702         (JSC::BlockDirectory::isFreeListedCell):
1703         (JSC::BlockDirectory::didConsumeFreeList): Deleted.
1704         (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
1705         (JSC::BlockDirectory::allocateIn): Deleted.
1706         (JSC::BlockDirectory::tryAllocateIn): Deleted.
1707         (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
1708         (JSC::BlockDirectory::allocateSlowCase): Deleted.
1709         * heap/BlockDirectory.h:
1710         (JSC::BlockDirectory::cellKind const):
1711         (JSC::BlockDirectory::allocator const):
1712         (JSC::BlockDirectory::freeList const): Deleted.
1713         (JSC::BlockDirectory::offsetOfFreeList): Deleted.
1714         (JSC::BlockDirectory::offsetOfCellSize): Deleted.
1715         * heap/BlockDirectoryInlines.h:
1716         (JSC::BlockDirectory::isFreeListedCell const): Deleted.
1717         (JSC::BlockDirectory::allocate): Deleted.
1718         * heap/CompleteSubspace.cpp:
1719         (JSC::CompleteSubspace::CompleteSubspace):
1720         (JSC::CompleteSubspace::allocatorFor):
1721         (JSC::CompleteSubspace::allocate):
1722         (JSC::CompleteSubspace::allocateNonVirtual):
1723         (JSC::CompleteSubspace::allocatorForSlow):
1724         (JSC::CompleteSubspace::allocateSlow):
1725         (JSC::CompleteSubspace::tryAllocateSlow):
1726         * heap/CompleteSubspace.h:
1727         (JSC::CompleteSubspace::allocatorForSizeStep):
1728         (JSC::CompleteSubspace::allocatorForNonVirtual):
1729         * heap/FreeList.h:
1730         * heap/GCDeferralContext.h:
1731         * heap/Heap.cpp:
1732         (JSC::Heap::Heap):
1733         (JSC::Heap::lastChanceToFinalize):
1734         * heap/Heap.h:
1735         (JSC::Heap::threadLocalCacheLayout):
1736         * heap/IsoCellSet.h:
1737         * heap/IsoSubspace.cpp:
1738         (JSC::IsoSubspace::IsoSubspace):
1739         (JSC::IsoSubspace::allocatorFor):
1740         (JSC::IsoSubspace::allocate):
1741         (JSC::IsoSubspace::allocateNonVirtual):
1742         * heap/IsoSubspace.h:
1743         (JSC::IsoSubspace::allocatorForNonVirtual):
1744         * heap/LocalAllocator.cpp: Added.
1745         (JSC::LocalAllocator::LocalAllocator):
1746         (JSC::LocalAllocator::reset):
1747         (JSC::LocalAllocator::~LocalAllocator):
1748         (JSC::LocalAllocator::stopAllocating):
1749         (JSC::LocalAllocator::resumeAllocating):
1750         (JSC::LocalAllocator::prepareForAllocation):
1751         (JSC::LocalAllocator::stopAllocatingForGood):
1752         (JSC::LocalAllocator::allocateSlowCase):
1753         (JSC::LocalAllocator::didConsumeFreeList):
1754         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
1755         (JSC::LocalAllocator::allocateIn):
1756         (JSC::LocalAllocator::tryAllocateIn):
1757         (JSC::LocalAllocator::doTestCollectionsIfNeeded):
1758         (JSC::LocalAllocator::isFreeListedCell const):
1759         * heap/LocalAllocator.h: Added.
1760         (JSC::LocalAllocator::offsetOfFreeList):
1761         (JSC::LocalAllocator::offsetOfCellSize):
1762         * heap/LocalAllocatorInlines.h: Added.
1763         (JSC::LocalAllocator::allocate):
1764         * heap/MarkedSpace.cpp:
1765         (JSC::MarkedSpace::stopAllocatingForGood):
1766         * heap/MarkedSpace.h:
1767         * heap/SlotVisitor.cpp:
1768         * heap/SlotVisitor.h:
1769         * heap/Subspace.h:
1770         * heap/ThreadLocalCache.cpp: Added.
1771         (JSC::ThreadLocalCache::create):
1772         (JSC::ThreadLocalCache::ThreadLocalCache):
1773         (JSC::ThreadLocalCache::~ThreadLocalCache):
1774         (JSC::ThreadLocalCache::allocateData):
1775         (JSC::ThreadLocalCache::destroyData):
1776         (JSC::ThreadLocalCache::installSlow):
1777         (JSC::ThreadLocalCache::installData):
1778         (JSC::ThreadLocalCache::allocatorSlow):
1779         (JSC::ThreadLocalCache::destructor):
1780         * heap/ThreadLocalCache.h: Added.
1781         (JSC::ThreadLocalCache::offsetOfSize):
1782         (JSC::ThreadLocalCache::offsetOfFirstAllocator):
1783         * heap/ThreadLocalCacheInlines.h: Added.
1784         (JSC::ThreadLocalCache::getImpl):
1785         (JSC::ThreadLocalCache::get):
1786         (JSC::ThreadLocalCache::install):
1787         (JSC::ThreadLocalCache::allocator):
1788         (JSC::ThreadLocalCache::tryGetAllocator):
1789         * heap/ThreadLocalCacheLayout.cpp: Added.
1790         (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
1791         (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
1792         (JSC::ThreadLocalCacheLayout::allocateOffset):
1793         (JSC::ThreadLocalCacheLayout::snapshot):
1794         (JSC::ThreadLocalCacheLayout::directory):
1795         * heap/ThreadLocalCacheLayout.h: Added.
1796         * jit/AssemblyHelpers.cpp:
1797         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1798         (JSC::AssemblyHelpers::emitAllocate):
1799         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1800         * jit/AssemblyHelpers.h:
1801         (JSC::AssemblyHelpers::vm):
1802         (JSC::AssemblyHelpers::emitAllocateJSCell):
1803         (JSC::AssemblyHelpers::emitAllocateJSObject):
1804         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1805         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
1806         (JSC::AssemblyHelpers::emitAllocate): Deleted.
1807         (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
1808         * jit/JITOpcodes.cpp:
1809         (JSC::JIT::emit_op_new_object):
1810         (JSC::JIT::emit_op_create_this):
1811         * jit/JITOpcodes32_64.cpp:
1812         (JSC::JIT::emit_op_new_object):
1813         (JSC::JIT::emit_op_create_this):
1814         * runtime/ButterflyInlines.h:
1815         (JSC::Butterfly::createUninitialized):
1816         (JSC::Butterfly::tryCreate):
1817         (JSC::Butterfly::growArrayRight):
1818         * runtime/DirectArguments.cpp:
1819         (JSC::DirectArguments::overrideThings):
1820         * runtime/GenericArgumentsInlines.h:
1821         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1822         * runtime/HashMapImpl.h:
1823         (JSC::HashMapBuffer::create):
1824         * runtime/JSArray.cpp:
1825         (JSC::JSArray::tryCreateUninitializedRestricted):
1826         (JSC::JSArray::unshiftCountSlowCase):
1827         * runtime/JSArray.h:
1828         (JSC::JSArray::tryCreate):
1829         * runtime/JSArrayBufferView.cpp:
1830         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1831         * runtime/JSCellInlines.h:
1832         (JSC::tryAllocateCellHelper):
1833         * runtime/JSGlobalObject.cpp:
1834         (JSC::JSGlobalObject::JSGlobalObject):
1835         * runtime/JSGlobalObject.h:
1836         (JSC::JSGlobalObject::threadLocalCache const):
1837         * runtime/JSLock.cpp:
1838         (JSC::JSLock::didAcquireLock):
1839         * runtime/Options.h:
1840         * runtime/RegExpMatchesArray.h:
1841         (JSC::tryCreateUninitializedRegExpMatchesArray):
1842         * runtime/VM.cpp:
1843         (JSC::VM::VM):
1844         * runtime/VM.h:
1845         * runtime/VMEntryScope.cpp:
1846         (JSC::VMEntryScope::VMEntryScope):
1847
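One added example (not JavaScriptCore's code) serving both TLC entries above, the original landing and its relanding: it models ThreadLocalCache::Data with a size header and LocalAllocators at fixed offsets, the Allocator as a 32-bit byte offset that the BlockDirectory hands out via the layout, the fast path that adds that offset to Data and pops the thread's private FreeList, and a slow path that installs the LocalAllocator and refills it from a fresh block. Names follow the entries; the struct layouts, the 16-byte LocalAllocator, the 8-slot cache and the 4-cells-per-block refill are assumptions for this demo.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <new>
#include <vector>

// A cell on a free list keeps its "next" link in its first word.
struct FreeCell { FreeCell* next; };

// One per (BlockDirectory, ThreadLocalCache) pair: that thread's private free list for the size class.
struct LocalAllocator {
    FreeCell* freeListHead = nullptr;
    uint32_t cellSize = 0;   // 0 means "not installed in this cache yet"
    uint32_t padding = 0;
};
static_assert(sizeof(LocalAllocator) == 16, "fixed size: Data + offset must need no multiply");

// Allocator: a POD carrying the byte offset of a LocalAllocator inside ThreadLocalCache::Data.
struct Allocator { uint32_t offset = 0; };

// Stand-in for ThreadLocalCache::Data: a size header followed by the LocalAllocators in layout order.
struct ThreadLocalCache {
    static constexpr uint32_t kMaxAllocators = 8;
    uint32_t size = 0;       // bytes of Data populated so far
    uint32_t padding = 0;
    LocalAllocator allocators[kMaxAllocators];

    static uint32_t offsetOfFirstAllocator() { return offsetof(ThreadLocalCache, allocators); }
};

// BlockDirectory: one size class. It owns the blocks; LocalAllocators in any cache draw from them.
struct BlockDirectory {
    static constexpr uint32_t kCellsPerBlock = 4;
    uint32_t cellSize = 0;   // must be a multiple of 8 and >= sizeof(FreeCell)
    Allocator allocator;     // the same offset in every ThreadLocalCache, assigned by the layout
    std::vector<std::unique_ptr<unsigned char[]>> blocks;
};

// ThreadLocalCacheLayout: hands each directory the next free slot offset within Data.
struct ThreadLocalCacheLayout {
    uint32_t nextOffset = ThreadLocalCache::offsetOfFirstAllocator();
    Allocator allocateOffset(BlockDirectory& directory)
    {
        directory.allocator.offset = nextOffset;
        nextOffset += sizeof(LocalAllocator);
        return directory.allocator;
    }
};

static LocalAllocator* localAllocatorAt(ThreadLocalCache& tlc, uint32_t offset)
{
    return reinterpret_cast<LocalAllocator*>(reinterpret_cast<unsigned char*>(&tlc) + offset);
}

// Fast path: Data + offset is the LocalAllocator; pop a cell if its free list is non-empty.
// Returns nullptr when this cache has not installed the allocator yet or the free list is empty.
void* tryAllocateFast(ThreadLocalCache& tlc, Allocator allocator)
{
    if (allocator.offset >= tlc.size)   // tryGetAllocator: slot lies beyond the populated region
        return nullptr;
    LocalAllocator* local = localAllocatorAt(tlc, allocator.offset);
    FreeCell* cell = local->freeListHead;
    if (!cell)
        return nullptr;
    local->freeListHead = cell->next;
    return cell;
}

// Slow path: install the LocalAllocator in this cache if needed, refill its free list from a
// fresh block of the directory, then retry the fast path.
void* allocateSlow(ThreadLocalCache& tlc, BlockDirectory& directory)
{
    uint32_t offset = directory.allocator.offset;
    uint32_t end = offset + sizeof(LocalAllocator);
    if (end > sizeof(ThreadLocalCache) || directory.cellSize < sizeof(FreeCell))
        return nullptr;   // the layout outgrew this demo's fixed Data, or the size class is unusable
    LocalAllocator* local = localAllocatorAt(tlc, offset);
    if (!local->cellSize) {
        local->cellSize = directory.cellSize;
        if (end > tlc.size)
            tlc.size = end;
    }
    // Carve a new block into cells and thread them onto this cache's private free list.
    directory.blocks.push_back(std::make_unique<unsigned char[]>(directory.cellSize * BlockDirectory::kCellsPerBlock));
    unsigned char* block = directory.blocks.back().get();
    FreeCell* head = nullptr;
    for (uint32_t i = BlockDirectory::kCellsPerBlock; i-- > 0;)
        head = new (block + i * directory.cellSize) FreeCell{head};
    local->freeListHead = head;
    return tryAllocateFast(tlc, directory.allocator);
}

// Allocation entry point: fast path first, slow path only when the private free list is empty.
void* allocate(ThreadLocalCache& tlc, BlockDirectory& directory)
{
    if (void* cell = tryAllocateFast(tlc, directory.allocator))
        return cell;
    return allocateSlow(tlc, directory);
}
```
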
1848 2018-01-24  Joseph Pecoraro  <pecoraro@apple.com>
1849
1850         Web Inspector: Simplify update-LegacyInspectorBackendCommands.rb
1851         https://bugs.webkit.org/show_bug.cgi?id=182067
1852
1853         Reviewed by Brian Burg.
1854
1855         * inspector/scripts/codegen/models.py:
1856         (Framework.fromString):
1857         (Frameworks):
1858         * inspector/scripts/generate-inspector-protocol-bindings.py:
1859         (generate_from_specification):
1860         Allow framework WebInspectorUI to generate just the backend commands files.
1861
1862 2018-01-23  Mark Lam  <mark.lam@apple.com>
1863
1864         Update Poisoned pointers to take a Poison class instead of a uintptr_t&.
1865         https://bugs.webkit.org/show_bug.cgi?id=182017
1866         <rdar://problem/36795513>
1867
1868         Reviewed by Filip Pizlo and JF Bastien.
1869
1870         Removed the POISON() macro.  Now that we have Poison types, we can just use the
1871         Poison type instead and make the code a bit nicer to read.
1872
1873         * API/JSAPIWrapperObject.h:
1874         * API/JSCallbackFunction.h:
1875         * API/JSCallbackObject.h:
1876         * b3/B3LowerMacros.cpp:
1877         * b3/testb3.cpp:
1878         (JSC::B3::testInterpreter):
1879         * bytecode/CodeBlock.h:
1880         (JSC::CodeBlock::instructions):
1881         (JSC::CodeBlock::instructions const):
1882         * dfg/DFGOSRExitCompilerCommon.h:
1883         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
1884         * dfg/DFGSpeculativeJIT.cpp:
1885         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1886         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1887         * ftl/FTLLowerDFGToB3.cpp:
1888         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1889         * jit/JIT.h:
1890         * jit/ThunkGenerators.cpp:
1891         (JSC::virtualThunkFor):
1892         (JSC::nativeForGenerator):
1893         (JSC::boundThisNoArgsFunctionCallGenerator):
1894         * parser/UnlinkedSourceCode.h:
1895         * runtime/ArrayPrototype.h:
1896         * runtime/CustomGetterSetter.h:
1897         * runtime/DateInstance.h:
1898         * runtime/InternalFunction.h:
1899         * runtime/JSArrayBuffer.h:
1900         * runtime/JSCPoison.cpp:
1901         (JSC::initializePoison):
1902         * runtime/JSCPoison.h:
1903         * runtime/JSGlobalObject.h:
1904         * runtime/JSScriptFetchParameters.h:
1905         * runtime/JSScriptFetcher.h:
1906         * runtime/NativeExecutable.h:
1907         * runtime/StructureTransitionTable.h:
1908         * runtime/WriteBarrier.h:
1909         (JSC::WriteBarrier::poison): Deleted.
1910         * wasm/js/JSToWasm.cpp:
1911         (JSC::Wasm::createJSToWasmWrapper):
1912         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1913         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1914         * wasm/js/JSWebAssemblyCodeBlock.h:
1915         * wasm/js/JSWebAssemblyInstance.h:
1916         (JSC::JSWebAssemblyInstance::poison):
1917         * wasm/js/JSWebAssemblyMemory.h:
1918         * wasm/js/JSWebAssemblyModule.h:
1919         * wasm/js/JSWebAssemblyTable.h:
1920         * wasm/js/WasmToJS.cpp:
1921         (JSC::Wasm::handleBadI64Use):
1922         (JSC::Wasm::wasmToJS):
1923         * wasm/js/WebAssemblyFunctionBase.h:
1924         * wasm/js/WebAssemblyModuleRecord.h:
1925         * wasm/js/WebAssemblyToJSCallee.h:
1926         * wasm/js/WebAssemblyWrapperFunction.h:
1927
1928 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1929
1930         Unreviewed, suppress GCC warnings
1931         https://bugs.webkit.org/show_bug.cgi?id=181976
1932
1933         * runtime/TypedArrayType.h:
1934
1935 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1936
1937         [YARR] Add diagnosis for YarrJIT failures
1938         https://bugs.webkit.org/show_bug.cgi?id=181927
1939
1940         Reviewed by Sam Weinig.
1941
1942         It is nice if we can see the reason why YarrJIT fails to compile a given pattern.
1943         This patch introduces Yarr::JITFailureReason and dumps messages if Options::dumpCompiledRegExpPatterns is specified.
1944
1945         * runtime/RegExp.cpp:
1946         (JSC::RegExp::compile):
1947         (JSC::RegExp::compileMatchOnly):
1948         * yarr/YarrJIT.cpp:
1949         (JSC::Yarr::YarrGenerator::generateTerm):
1950         (JSC::Yarr::YarrGenerator::backtrackTerm):
1951         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1952         (JSC::Yarr::YarrGenerator::YarrGenerator):
1953         (JSC::Yarr::YarrGenerator::compile):
1954         (JSC::Yarr::dumpCompileFailure):
1955         (JSC::Yarr::jitCompile):
1956         * yarr/YarrJIT.h:
1957         (JSC::Yarr::YarrCodeBlock::setFallBack):
1958         (JSC::Yarr::YarrCodeBlock::fallBack):
1959         (JSC::Yarr::YarrCodeBlock::clear):
1960         (JSC::Yarr::YarrCodeBlock::YarrCodeBlock): Deleted.
1961         (JSC::Yarr::YarrCodeBlock::~YarrCodeBlock): Deleted.
1962         (JSC::Yarr::YarrCodeBlock::isFallBack): Deleted.
1963
1964 2018-01-23  Alex Christensen  <achristensen@webkit.org>
1965
1966         Remove pre-Sierra-OS-specific code in WTF and JavaScriptCore
1967         https://bugs.webkit.org/show_bug.cgi?id=182028
1968
1969         Reviewed by Keith Miller.
1970
1971         * inspector/remote/cocoa/RemoteInspectorXPCConnection.h:
1972         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
1973         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1974
1975 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1976
1977         Use precise index masking for FTL GetByArgumentByVal
1978         https://bugs.webkit.org/show_bug.cgi?id=182006
1979
1980         Reviewed by Keith Miller.
1981         
1982         This protects against speculative out-of-bounds on arguments[index].
1983         
1984         Making this work right involved fixing a possible overflow situation with
1985         numberOfArgumentsToSkip.
1986
1987         * dfg/DFGByteCodeParser.cpp:
1988         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
1989         * dfg/DFGGraph.cpp:
1990         (JSC::DFG::Graph::dump):
1991         * dfg/DFGNode.h:
1992         (JSC::DFG::Node::hasNumberOfArgumentsToSkip):
1993         (JSC::DFG::Node::numberOfArgumentsToSkip):
1994         * dfg/DFGStackLayoutPhase.cpp:
1995         (JSC::DFG::StackLayoutPhase::run):
1996         * ftl/FTLLowerDFGToB3.cpp:
1997         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
1998
1999 2018-01-23  David Kilzer  <ddkilzer@apple.com>
2000
2001         Follow-up for: oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
2002         <https://webkit.org/b/181871>
2003         <rdar://problem/36669691>
2004
2005         Address feedback for this change.
2006
2007         * CMakeLists.txt: Change "SYSTEM PUBLIC" to "SYSTEM PRIVATE" per
2008         feedback from Konstantin Tokarev.
2009
2010 2018-01-23  Robin Morisset  <rmorisset@apple.com>
2011
2012         Rollout r219636
2013         https://bugs.webkit.org/show_bug.cgi?id=181997
2014         <rdar://problem/35883022>
2015
2016         Unreviewed, as it is a rollout.
2017
2018         * dfg/DFGSpeculativeJIT.cpp:
2019         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2020         * runtime/JSArray.cpp:
2021         (JSC::JSArray::tryCreateUninitializedRestricted):
2022         * runtime/JSArray.h:
2023         (JSC::JSArray::tryCreate):
2024         * runtime/JSObject.cpp:
2025         (JSC::JSObject::ensureLengthSlow):
2026
2027 2018-01-23  Mark Lam  <mark.lam@apple.com>
2028
2029         Re-arrange TypedArray JSTypes to match the order of the TypedArrayType enum list.
2030         https://bugs.webkit.org/show_bug.cgi?id=181976
2031         <rdar://problem/36766936>
2032
2033         Reviewed by Filip Pizlo.
2034
2035         1. The order of TypedArray JSTypes now matches the order of the TypedArrayType enum
2036            list.  I also added static asserts in TypedArrayType.h to enforce this.
2037
2038            Also redefined FOR_EACH_TYPED_ARRAY_TYPE() in terms of
2039
2040         2. Define 4 new values:
2041            a. FirstTypedArrayType
2042            b. LastTypedArrayType
2043            c. NumberOfTypedArrayTypesExcludingDataView
2044            d. NumberOfTypedArrayTypes
2045
2046            Use these everywhere where we iterate or bisect the TypedArray JSTypes.
2047
2048         3. Removed NUMBER_OF_TYPED_ARRAY_TYPES, and use NumberOfTypedArrayTypes instead.
2049
2050         4. Simplify the code that converts between TypedArrayType and JSType.
2051
2052            Changed typedArrayTypeForType() to be the mirror image of typeForTypedArrayType().
2053            Previously, typedArrayTypeForType() converted DataViewType to NotTypedArray
2054            instead of TypeDataView.  Now, it converts to TypeDataView.
2055
2056            This does not result in any change of behavior because typedArrayTypeForType()
2057            is only called in Structure::hasIndexingHeader(), and its result is passed to
2058            isTypedView(), which handles TypeDataView correctly.
2059
2060         5. Also fixed a bug in SpeculativeJIT::compileGetTypedArrayByteOffset().
2061            If the vector is null, we can skip the rest of the checks.  While the current
2062            code does not result in incorrect behavior, it is inefficient, and communicates
2063            wrong information to the reader, i.e., implying that there's something in the
2064            dataGPR when there's not.  The dataGPR should also be null in this case.
2065
2066         * dfg/DFGByteCodeParser.cpp:
2067         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2068         * dfg/DFGSpeculativeJIT.cpp:
2069         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
2070         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2071         * ftl/FTLLowerDFGToB3.cpp:
2072         (JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):
2073         * ftl/FTLOSRExit.cpp:
2074         * llint/LowLevelInterpreter.asm:
2075         * llint/LowLevelInterpreter64.asm:
2076         * runtime/JSGlobalObject.cpp:
2077         (JSC::JSGlobalObject::visitChildren):
2078         * runtime/JSType.h:
2079         * runtime/TypedArrayType.cpp:
2080         (JSC::typeForTypedArrayType): Deleted.
2081         * runtime/TypedArrayType.h:
2082         (JSC::typedArrayTypeForType):
2083         (JSC::typeForTypedArrayType):
2084
2085 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
2086
2087         DFG should always flush `this`
2088         https://bugs.webkit.org/show_bug.cgi?id=181999
2089
2090         Reviewed by Saam Barati and Mark Lam.
2091         
2092         This is going to make it possible to use precise index masking for arguments-on-the-stack
2093         accesses with an index adjusted so that 0 is this. Without this change, we would have no way
2094         of masking when the argument count is 0, unless we padded the argument area so that there was
2095         always an argument slot after `this` and it was always initialized.
2096         
2097         This is neutral on all benchmarks.
2098
2099         * dfg/DFGByteCodeParser.cpp:
2100         (JSC::DFG::ByteCodeParser::flushImpl):
2101         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
2102         (JSC::DFG::ByteCodeParser::flush):
2103         (JSC::DFG::ByteCodeParser::flushForTerminal):
2104         (JSC::DFG::ByteCodeParser::parse):
2105         (JSC::DFG::flushImpl): Deleted.
2106         (JSC::DFG::flushForTerminalImpl): Deleted.
2107         * dfg/DFGPreciseLocalClobberize.h:
2108         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2109
2110 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
2111
2112         JSC should use a speculation fence on VM entry/exit
2113         https://bugs.webkit.org/show_bug.cgi?id=181991
2114
2115         Reviewed by JF Bastien and Mark Lam.
2116         
2117         This adds a WTF::speculationFence on VM entry and exit.
2118         
2119         A microbenchmark that just calls a native function (supplied via an Objective-C block) in a
2120         tight loop from JS shows a 0% regression on x86 and an 11% regression on ARM64.
2121         
2122         * runtime/JSLock.cpp:
2123         (JSC::JSLock::didAcquireLock):
2124         (JSC::JSLock::willReleaseLock):
2125
2126 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2127
2128         [JSC] JIT requires sizeof(bool) == 1
2129         https://bugs.webkit.org/show_bug.cgi?id=181150
2130
2131         Reviewed by Saam Barati.
2132
2133         LLInt and JIT assume that sizeof(bool) == 1. But it is implementation-dependent in the C++ spec.
2134         Since this is a mandatory requirement in JSC, we add a static_assert to ensure this.
2135
2136         * runtime/InitializeThreading.cpp:
2137
2138 2018-01-23  Robin Morisset  <rmorisset@apple.com>
2139
2140         Update the argument count in DFGByteCodeParser::handleRecursiveCall
2141         https://bugs.webkit.org/show_bug.cgi?id=181739
2142         <rdar://problem/36627662>
2143
2144         Reviewed by Saam Barati.
2145
2146         When calling a function, its number of arguments is set on the stack. When we turn a recursive tail call
2147         into a jump, we should update that stack slot as there is no guarantee that the function was originally
2148         called with the same number of arguments. Forgetting to do this is observable through 'arguments.length'.
2149
2150         It required adding a new DFG node: 'SetArgumentCountIncludingThis', that takes an unsigned int
2151         as its first OpInfo field, and stores it to the stack at the right place.
2152
2153         We must be a bit careful in where we put this new node, as it ClobbersExit.
2154         We must also fix DFGArgumentsEliminationPhase and DFGPutStackSinkingPhase as they assumed that any node that writes to the stack must write to either an argument or a local.
2155
2156         * dfg/DFGAbstractInterpreterInlines.h:
2157         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2158         * dfg/DFGArgumentsEliminationPhase.cpp:
2159         * dfg/DFGByteCodeParser.cpp:
2160         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2161         * dfg/DFGClobberize.h:
2162         (JSC::DFG::clobberize):
2163         * dfg/DFGDoesGC.cpp:
2164         (JSC::DFG::doesGC):
2165         * dfg/DFGFixupPhase.cpp:
2166         (JSC::DFG::FixupPhase::fixupNode):
2167         * dfg/DFGMayExit.cpp:
2168         * dfg/DFGNode.h:
2169         (JSC::DFG::Node::argumentCountIncludingThis):
2170         * dfg/DFGNodeType.h:
2171         * dfg/DFGPredictionPropagationPhase.cpp:
2172         * dfg/DFGPutStackSinkingPhase.cpp:
2173         * dfg/DFGSafeToExecute.h:
2174         (JSC::DFG::safeToExecute):
2175         * dfg/DFGSpeculativeJIT.cpp:
2176         (JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis):
2177         * dfg/DFGSpeculativeJIT.h:
2178         * dfg/DFGSpeculativeJIT32_64.cpp:
2179         (JSC::DFG::SpeculativeJIT::compile):
2180         * dfg/DFGSpeculativeJIT64.cpp:
2181         (JSC::DFG::SpeculativeJIT::compile):
2182         * ftl/FTLCapabilities.cpp:
2183         (JSC::FTL::canCompile):
2184         * ftl/FTLLowerDFGToB3.cpp:
2185         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2186         (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis):
2187
2188 2018-01-22  Michael Saboff  <msaboff@apple.com>
2189
2190         DFG abstract interpreter needs to properly model effects of some Math ops
2191         https://bugs.webkit.org/show_bug.cgi?id=181886
2192
2193         Reviewed by Saam Barati.
2194
2195         Reviewed the processing of the various ArithXXX and CompareXXX and found that
2196         several nodes don't handle UntypedUse.  Added clobberWorld() for those cases.
2197
2198         * dfg/DFGAbstractInterpreter.h:
2199         * dfg/DFGAbstractInterpreterInlines.h:
2200         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2201         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
2202
2203 2018-01-21  Wenson Hsieh  <wenson_hsieh@apple.com>
2204
2205         Add a new feature flag for EXTRA_ZOOM_MODE and reintroduce AdditionalFeatureDefines.h
2206         https://bugs.webkit.org/show_bug.cgi?id=181918
2207
2208         Reviewed by Tim Horton.
2209
2210         Add EXTRA_ZOOM_MODE to FeatureDefines.xcconfig (off by default).
2211
2212         * Configurations/FeatureDefines.xcconfig:
2213
2214 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
2215
2216         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
2217         https://bugs.webkit.org/show_bug.cgi?id=181182
2218
2219         Reviewed by Darin Adler.
2220
2221         Casting a double to an integer is undefined behavior when the truncation
2222         results in a value that doesn't fit into the integer size,
2223         according to the C++ spec [1]. Thus, we are changing bigIntProtoFuncToString and
2224         numberProtoFuncToString to remove this source of undefined
2225         behavior.
2226
2227         [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
2228
2229         * runtime/BigIntPrototype.cpp:
2230         (JSC::bigIntProtoFuncToString):
2231         * runtime/NumberPrototype.cpp:
2232         (JSC::numberProtoFuncToString):
2233         (JSC::extractToStringRadixArgument):
2234         (JSC::extractRadixFromArgs): Deleted.
2235         * runtime/NumberPrototype.h:
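
        The undefined behaviour described in this entry, as an added example that is not JavaScriptCore's code: `toInt32Checked` and `safeRadixFromDouble` are hypothetical helpers that test the range in double arithmetic before truncating, so the cast itself is always in range; the [2, 36] window is the radix range Number.prototype.toString accepts.

```cpp
// Added example, not JavaScriptCore code. Shows the checked alternative to a
// raw double -> int32_t cast, which is undefined behaviour when the truncated
// value does not fit in int32_t (NaN, +/-Infinity, 1e300, ...).
#include <cmath>
#include <cstdint>
#include <optional>

// Hypothetical helper: convert a double to int32_t only when the truncated
// value provably fits. All comparisons happen in double, so no conversion is
// performed until the result is known to be representable.
std::optional<int32_t> toInt32Checked(double d)
{
    if (std::isnan(d))
        return std::nullopt; // NaN has no integer value

    double truncated = std::trunc(d); // ToIntegerOrInfinity-style truncation

    // Both bounds are exactly representable as doubles; +/-Infinity fail here.
    if (truncated < -2147483648.0 || truncated > 2147483647.0)
        return std::nullopt;

    return static_cast<int32_t>(truncated); // in range: well-defined
}

// Hypothetical helper (not the page's extractToStringRadixArgument): the
// radix argument of toString must be an integer in [2, 36]. A caller would
// map std::nullopt to a RangeError; the point here is that the int32_t cast
// never sees an out-of-range double.
std::optional<int32_t> safeRadixFromDouble(double radix)
{
    std::optional<int32_t> asInt = toInt32Checked(radix);
    if (!asInt || *asInt < 2 || *asInt > 36)
        return std::nullopt;
    return asInt;
}

// Convenience predicate for callers that only need a yes/no answer.
bool isValidRadix(double radix)
{
    return safeRadixFromDouble(radix).has_value();
}
```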
2236
2237 2018-01-19  Saam Barati  <sbarati@apple.com>
2238
2239         Kill ArithNegate's ArithProfile assert inside BytecodeParser
2240         https://bugs.webkit.org/show_bug.cgi?id=181877
2241         <rdar://problem/36630552>
2242
2243         Reviewed by Mark Lam.
2244
2245         Before this patch, we used to assert that op_negate's result ArithProfile
2246         only produces number. It's logically true that negate only produces a number.
2247         However, the DFG may incorrectly pick this ArithProfile when doing OSR exit
2248         profiling. So we'll end up profiling something that's likely the input to
2249         negate. This patch removes the assert. We cede to the fact that Graph::methodOfGettingAValueProfileFor
2250         is entirely heuristic based, potentially leading to profiling results being imprecise.
2251
2252         * dfg/DFGByteCodeParser.cpp:
2253         (JSC::DFG::ByteCodeParser::makeSafe):
2254
2255 2018-01-19  David Kilzer  <ddkilzer@apple.com>
2256
2257         oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
2258         <https://webkit.org/b/181871>
2259
2260         Rubber-stamped by JF Bastien.
2261
2262         * CMakeLists.txt: Add ICU header search path to
2263         LLIntOffsetsExtractor target by reusing
2264         JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES.
2265
2266 2018-01-19  Saam Barati  <sbarati@apple.com>
2267
2268         Spread's effects are modeled incorrectly both in AI and in Clobberize
2269         https://bugs.webkit.org/show_bug.cgi?id=181867
2270         <rdar://problem/36290415>
2271
2272         Reviewed by Michael Saboff.
2273
2274         * dfg/DFGAbstractInterpreterInlines.h:
2275         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2276         * dfg/DFGClobberize.h:
2277         (JSC::DFG::clobberize):
2278
2279 2018-01-19  Keith Miller  <keith_miller@apple.com>
2280
2281         HaveInternalSDK includes should be "#include?"
2282         https://bugs.webkit.org/show_bug.cgi?id=179670
2283
2284         Reviewed by Dan Bernstein.
2285
2286         * Configurations/Base.xcconfig:
2287
2288 2018-01-18  JF Bastien  <jfbastien@apple.com>
2289
2290         Set the minimum executable allocator size properly
2291         https://bugs.webkit.org/show_bug.cgi?id=181816
2292         <rdar://problem/36635533>
2293
2294         Reviewed by Saam Barati.
2295
2296         The executable allocator expects at least two page sizes' worth of
2297         allocation in certain conditions, and that causes some tests to
2298         now fail because they ask for less. Set that minimum correctly. We
2299         were already rounding up to a page size, so having a minimum of 2
2300         page sizes is fine.
2301
2302         * jit/ExecutableAllocator.cpp:
2303         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2304
2305 2018-01-18  Michael Saboff  <msaboff@apple.com>
2306
2307         Unreviewed build fix for Windows
2308
2309         * interpreter/FrameTracers.h:
2310         (JSC::assertStackPointerIsAligned): Can't use gcc style inlined assembly
2311         on Windows.
2312
2313 2018-01-18  Mark Lam  <mark.lam@apple.com>
2314
2315         Poisons should be initialized after Options are initialized.
2316         https://bugs.webkit.org/show_bug.cgi?id=181807
2317         <rdar://problem/36629138>
2318
2319         Reviewed by Keith Miller.
2320
2321         This is because poison initialization may depend on options.
2322
2323         * runtime/InitializeThreading.cpp:
2324         (JSC::initializeThreading):
2325
2326 2018-01-18  Dan Bernstein  <mitz@apple.com>
2327
2328         [Xcode] Streamline and future-proof target-macOS-version-dependent build setting definitions
2329         https://bugs.webkit.org/show_bug.cgi?id=181803
2330
2331         Reviewed by Tim Horton.
2332
2333         * Configurations/Base.xcconfig: Updated.
2334         * Configurations/DebugRelease.xcconfig: Ditto.
2335         * Configurations/FeatureDefines.xcconfig: Adopted macOSTargetConditionals helpers.
2336         * Configurations/Version.xcconfig: Updated.
2337         * Configurations/macOSTargetConditionals.xcconfig: Added. Defines helper build settings
2338           useful for defining settings that depend on the target macOS version.
2339
2340 2018-01-18  Michael Saboff  <msaboff@apple.com>
2341
2342         REGRESSION (r226068): [X86] Crash in JavaScriptCore ShadowChicken when handling exceptions
2343         https://bugs.webkit.org/show_bug.cgi?id=181802
2344
2345         Reviewed by Filip Pizlo.
2346
2347         There were a few places where the stack isn't properly aligned for X86 when we call into C++ code.
2348         Two places are where we call into exception handling code, the LLInt and from nativeForGenerator.
2349         The other place was when we call into the operationOSRWriteBarrier().
2350
2351         Added an assert check that the stack is aligned on X86 platforms in the native call tracing code.
2352         This helped find the other cases beyond the original problem.
2353
2354         * dfg/DFGOSRExitCompilerCommon.cpp:
2355         (JSC::DFG::osrWriteBarrier):
2356         * interpreter/FrameTracers.h:
2357         (JSC::assertStackPointerIsAligned):
2358         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2359         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
2360         * jit/ThunkGenerators.cpp:
2361         (JSC::nativeForGenerator):
2362         * llint/LowLevelInterpreter32_64.asm:
2363
2364 2018-01-18  Commit Queue  <commit-queue@webkit.org>
2365
2366         Unreviewed, rolling out r227096.
2367         https://bugs.webkit.org/show_bug.cgi?id=181788
2368
2369         "it caused a 15% octane regression" (Requested by saamyjoon on
2370         #webkit).
2371
2372         Reverted changeset:
2373
2374         "Support MultiGetByOffset in the DFG"
2375         https://bugs.webkit.org/show_bug.cgi?id=181466
2376         https://trac.webkit.org/changeset/227096
2377
2378 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2379
2380         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
2381         https://bugs.webkit.org/show_bug.cgi?id=181535
2382
2383         Reviewed by Saam Barati.
2384
2385         When executing code like `string.match(/regexp/)`, a `/regexp/` object is created every time we execute this code.
2386         However, users rarely care about this `/regexp/` object. Typically, it is soon discarded even if it has `lastIndex`
2387         information. So we should not create a RegExpObject for this typical case.
2388
2389         This patch introduces PhantomNewRegexp. We convert NewRegexp node to PhantomNewRegexp in Object Allocation Sinking (OAS)
2390         phase. We should do this analysis in OAS phase since we track modifications to `lastIndex` in the OAS phase. Even if
2391         `lastIndex` is modified, it may not be read by users. So we have a chance to drop this NewRegexp because we carefully model
2392         SetRegExpObjectLastIndex and GetRegExpObjectLastIndex in OAS phase.
2393
2394         This patch is a first attempt to drop NewRegexp. So we start optimizing it with the simple step: we first drop RegExp with
2395         non-global and non-sticky one. We can later extend this optimization for RegExp with global flag. But this is not included
2396         in this patch.
2397
2398         We convert RegExpExec to RegExpExecNonGlobalOrSticky if we find that the given RegExpObject's RegExp is not global/sticky
2399         flagged. Since we do not need to touch `lastIndex` property in this case, RegExpExecNonGlobalOrSticky just takes RegExp
2400         instead of RegExpObject. This offers the chance to make NewRegExp unused.
2401
2402         We also convert RegExpMatchFast to RegExpExecNonGlobalOrSticky if its RegExpObject's RegExp is non-global and non-sticky,
2403         since they have the same behavior.
2404
2405         The above optimization completely removes NewRegexp in SixSpeed's regexp-u.{es5,es6}. The resulting execution time is
2406         more or less the pure execution time of our Yarr implementation.
2407
2408                                      baseline                  patched
2409
2410             regex-u.es5          34.8557+-0.5963     ^      6.1507+-0.5526        ^ definitely 5.6670x faster
2411             regex-u.es6          89.1919+-3.3851     ^     32.0917+-0.4260        ^ definitely 2.7793x faster
2412
2413         This patch does not change Octane/RegExp so much since it heavily uses String.prototype.replace, which is not handled in
2414         this patch right now. We should support StringReplace node in subsequent patches.
2415
2416         * dfg/DFGAbstractInterpreterInlines.h:
2417         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2418         * dfg/DFGByteCodeParser.cpp:
2419         (JSC::DFG::ByteCodeParser::parseBlock):
2420         * dfg/DFGClobberize.h:
2421         (JSC::DFG::clobberize):
2422         * dfg/DFGClobbersExitState.cpp:
2423         (JSC::DFG::clobbersExitState):
2424         * dfg/DFGDoesGC.cpp:
2425         (JSC::DFG::doesGC):
2426         * dfg/DFGFixupPhase.cpp:
2427         (JSC::DFG::FixupPhase::fixupNode):
2428         * dfg/DFGGraph.cpp:
2429         (JSC::DFG::Graph::dump):
2430         * dfg/DFGMayExit.cpp:
2431         * dfg/DFGNode.cpp:
2432         (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky):
2433         * dfg/DFGNode.h:
2434         (JSC::DFG::Node::convertToPhantomNewRegexp):
2435         (JSC::DFG::Node::convertToSetRegExpObjectLastIndex):
2436         (JSC::DFG::Node::hasHeapPrediction):
2437         (JSC::DFG::Node::hasCellOperand):
2438         (JSC::DFG::Node::isPhantomAllocation):
2439         (JSC::DFG::Node::hasIgnoreLastIndexIsWritable):
2440         (JSC::DFG::Node::ignoreLastIndexIsWritable):
2441         * dfg/DFGNodeType.h:
2442         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2443         * dfg/DFGOperations.cpp:
2444         * dfg/DFGOperations.h:
2445         * dfg/DFGPredictionPropagationPhase.cpp:
2446         * dfg/DFGPromotedHeapLocation.cpp:
2447         (WTF::printInternal):
2448         * dfg/DFGPromotedHeapLocation.h:
2449         (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization const):
2450         * dfg/DFGSafeToExecute.h:
2451         (JSC::DFG::safeToExecute):
2452         * dfg/DFGSpeculativeJIT.cpp:
2453         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
2454         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2455         (JSC::DFG::SpeculativeJIT::compileRegExpExecNonGlobalOrSticky):
2456         * dfg/DFGSpeculativeJIT.h:
2457         (JSC::DFG::SpeculativeJIT::callOperation):
2458         * dfg/DFGSpeculativeJIT32_64.cpp:
2459         (JSC::DFG::SpeculativeJIT::compile):
2460         * dfg/DFGSpeculativeJIT64.cpp:
2461         (JSC::DFG::SpeculativeJIT::compile):
2462         * dfg/DFGStrengthReductionPhase.cpp:
2463         (JSC::DFG::StrengthReductionPhase::handleNode):
2464         * dfg/DFGValidate.cpp:
2465         * ftl/FTLCapabilities.cpp:
2466         (JSC::FTL::canCompile):
2467         * ftl/FTLLowerDFGToB3.cpp:
2468         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2469         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky):
2470         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2471         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2472         * ftl/FTLOperations.cpp:
2473         (JSC::FTL::operationPopulateObjectInOSR):
2474         (JSC::FTL::operationMaterializeObjectInOSR):
2475         * jit/JITOperations.h:
2476         * runtime/RegExpObject.h:
2477         (JSC::RegExpObject::create):
2478
2479 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2480
2481         [FTL] Remove unused helper functions to convert node to PutHint
2482         https://bugs.webkit.org/show_bug.cgi?id=181775
2483
2484         Reviewed by Saam Barati.
2485
2486         We are using PromotedHeapLocation::createHint. So they are not necessary.
2487
2488         * dfg/DFGNode.cpp:
2489         (JSC::DFG::Node::convertToPutHint): Deleted.
2490         (JSC::DFG::Node::convertToPutStructureHint): Deleted.
2491         (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
2492         (JSC::DFG::Node::convertToPutClosureVarHint): Deleted.
2493         * dfg/DFGNode.h:
2494
2495 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2496
2497         Unreviewed, suppress warnings on GCC
2498
2499         Since `length` and `p` are always positive or zero,
2500         static_cast<unsigned>() does what we want.
2501
2502         * runtime/JSBigInt.cpp:
2503         (JSC::JSBigInt::parseInt):
2504
2505 2018-01-17  Saam Barati  <sbarati@apple.com>
2506
2507         Disable Atomics when SharedArrayBuffer isn’t enabled
2508         https://bugs.webkit.org/show_bug.cgi?id=181572
2509         <rdar://problem/36553206>
2510
2511         Reviewed by Michael Saboff.
2512
2513         * runtime/JSGlobalObject.cpp:
2514         (JSC::JSGlobalObject::init):
2515         (JSC::createAtomicsProperty): Deleted.
2516
2517 2018-01-17  Saam Barati  <sbarati@apple.com>
2518
2519         Support MultiGetByOffset in the DFG
2520         https://bugs.webkit.org/show_bug.cgi?id=181466
2521
2522         Reviewed by Keith Miller.
2523
2524         This seems to benefit Speedometer in my local testing. It seems like this
2525         might be around a 0.5% improvement.
2526
2527         * dfg/DFGAbstractInterpreterInlines.h:
2528         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2529         * dfg/DFGByteCodeParser.cpp:
2530         (JSC::DFG::ByteCodeParser::handleGetById):
2531         * dfg/DFGConstantFoldingPhase.cpp:
2532         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2533         * dfg/DFGGraph.h:
2534         (JSC::DFG::Graph::supportsMultiGetByOffset):
2535         * dfg/DFGSpeculativeJIT64.cpp:
2536         (JSC::DFG::SpeculativeJIT::compile):
2537
2538 2018-01-17  Saam Barati  <sbarati@apple.com>
2539
2540         DFG::Node::convertToConstant needs to clear the varargs flags
2541         https://bugs.webkit.org/show_bug.cgi?id=181697
2542         <rdar://problem/36497332>
2543
2544         Reviewed by Yusuke Suzuki.
2545
2546         * dfg/DFGNode.h:
2547         (JSC::DFG::Node::convertToConstant):
2548
2549 2018-01-16  JF Bastien  <jfbastien@apple.com>
2550
2551         Allow dangerous disabling of poison
2552         https://bugs.webkit.org/show_bug.cgi?id=181685
2553         <rdar://problem/36546265>
2554
2555         Reviewed by Keith Miller.
2556
2557         Some tools such as leak detectors and such like to look at real
2558         pointers, and poisoned ones confuse them. Add a JSC option to
2559         disable poisoning, but log to the console when this is done.
2560
2561         * runtime/JSCPoison.cpp:
2562         (JSC::initializePoison):
2563         * runtime/Options.h:
2564
2565 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
2566
2567         Unreviewed, rolling out r226937.
2568
2569         Tests added with this change are failing due to a missing
2570         exception check.
2571
2572         Reverted changeset:
2573
2574         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
2575         double to int32_t"
2576         https://bugs.webkit.org/show_bug.cgi?id=181182
2577         https://trac.webkit.org/changeset/226937
2578
2579 2018-01-16  Michael Catanzaro  <mcatanzaro@igalia.com>
2580
2581         Test programs should only be built in developer mode
2582         https://bugs.webkit.org/show_bug.cgi?id=181653
2583
2584         Reviewed by Carlos Garcia Campos.
2585
2586         Build test programs only in developer mode, and fix code style.
2587
2588         * shell/CMakeLists.txt:
2589
2590 2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2591
2592         Improve use of ExportMacros
2593         https://bugs.webkit.org/show_bug.cgi?id=181652
2594
2595         Reviewed by Konstantin Tokarev.
2596
2597         * API/JSBase.h: Update a comment.
2598         * inspector/InspectorBackendDispatcher.h: Use a better, yet equivalent, WTF macro.
2599         * runtime/JSExportMacros.h: Simplify the #defines in this file.
2600
2601 2018-01-15  JF Bastien  <jfbastien@apple.com>
2602
2603         Remove makePoisonedUnique
2604         https://bugs.webkit.org/show_bug.cgi?id=181630
2605         <rdar://problem/36498623>
2606
2607         Reviewed by Mark Lam.
2608
2609         I added a conversion from std::unique_ptr, so we can just use
2610         std::make_unique and it'll auto-poison when converted.
2611
2612         * bytecode/CodeBlock.h:
2613         (JSC::CodeBlock::makePoisonedUnique): Deleted.
2614         * runtime/JSGlobalObject.cpp:
2615         (JSC::JSGlobalObject::init):
2616         * runtime/JSGlobalObject.h:
2617         (JSC::JSGlobalObject::makePoisonedUnique): Deleted.
2618
2619 2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2620
2621         REGRESSION(r226266): [GTK] RELEASE_ASSERT(reservedZoneSize >= minimumReservedZoneSize) in JSC::VM::updateStackLimits
2622         https://bugs.webkit.org/show_bug.cgi?id=181438
2623         <rdar://problem/36376724>
2624
2625         Reviewed by Carlos Garcia Campos.
2626
2627         Roll out the functional changes of r226266. We'll keep the minor CMake library type setting
2628         cleanup, but we have to switch back to building JSC only as a shared library, and we have to
2629         get rid of the version script.
2630
2631         * PlatformGTK.cmake:
2632         * javascriptcoregtk-symbols.map: Removed.
2633
2634 2018-01-14  Saam Barati  <sbarati@apple.com>
2635
2636         Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build.
2637
2638         * bytecode/CallLinkStatus.cpp:
2639         (JSC::CallLinkStatus::computeFromLLInt):
2640         (JSC::CallLinkStatus::computeExitSiteData):
2641
2642 2018-01-13  Mark Lam  <mark.lam@apple.com>
2643
2644         Replace all use of ConstExprPoisoned with Poisoned.
2645         https://bugs.webkit.org/show_bug.cgi?id=181542
2646         <rdar://problem/36442138>
2647
2648         Reviewed by JF Bastien.
2649
2650         1. All JSC poisons are now defined in JSCPoison.h.
2651
2652         2. Change all clients to use the new poison values via the POISON() macro.
2653
2654         3. The LLInt code has been updated to handle CodeBlock poison.  Some of this code
2655            uses the t5 temp register, which is not available on the Windows port.
2656            Fortunately, we don't currently do poisoning on the Windows port yet.  So,
2657            it will just work for now.
2658
2659            When poisoning is enabled for the Windows port, this LLInt code will need a
2660            Windows-specific implementation to work around its lack of a t5 register.
2661
2662         * API/JSAPIWrapperObject.h:
2663         * API/JSCallbackFunction.h:
2664         * API/JSCallbackObject.h:
2665         * JavaScriptCore.xcodeproj/project.pbxproj:
2666         * Sources.txt:
2667         * assembler/MacroAssemblerCodeRef.h:
2668         (JSC::MacroAssemblerCodePtr::emptyValue):
2669         (JSC::MacroAssemblerCodePtr::deletedValue):
2670         * b3/B3LowerMacros.cpp:
2671         * b3/testb3.cpp:
2672         (JSC::B3::testInterpreter):
2673         * bytecode/CodeBlock.h:
2674         (JSC::CodeBlock::instructions):
2675         (JSC::CodeBlock::instructions const):
2676         (JSC::CodeBlock::makePoisonedUnique):
2677         * dfg/DFGOSRExitCompilerCommon.h:
2678         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
2679         * dfg/DFGSpeculativeJIT.cpp:
2680         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2681         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2682         * ftl/FTLLowerDFGToB3.cpp:
2683         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2684         * jit/JIT.h:
2685         * jit/ThunkGenerators.cpp:
2686         (JSC::virtualThunkFor):
2687         (JSC::nativeForGenerator):
2688         (JSC::boundThisNoArgsFunctionCallGenerator):
2689         * llint/LowLevelInterpreter.asm:
2690         * llint/LowLevelInterpreter32_64.asm:
2691         * llint/LowLevelInterpreter64.asm:
2692         * parser/UnlinkedSourceCode.h:
2693         * runtime/ArrayPrototype.h:
2694         * runtime/CustomGetterSetter.h:
2695         * runtime/DateInstance.h:
2696         * runtime/InternalFunction.h:
2697         * runtime/JSArrayBuffer.h:
2698         * runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
2699         (JSC::initializePoison):
2700         * runtime/JSCPoison.h:
2701         (): Deleted.
2702         * runtime/JSCPoisonedPtr.cpp: Removed.
2703         * runtime/JSCPoisonedPtr.h: Removed.
2704         * runtime/JSGlobalObject.h:
2705         (JSC::JSGlobalObject::makePoisonedUnique):
2706         * runtime/JSScriptFetchParameters.h:
2707         * runtime/JSScriptFetcher.h:
2708         * runtime/NativeExecutable.h:
2709         * runtime/StructureTransitionTable.h:
2710         (JSC::StructureTransitionTable::map const):
2711         (JSC::StructureTransitionTable::weakImpl const):
2712         * runtime/WriteBarrier.h:
2713         (JSC::WriteBarrier::poison):
2714         * wasm/js/JSToWasm.cpp:
2715         (JSC::Wasm::createJSToWasmWrapper):
2716         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2717         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2718         * wasm/js/JSWebAssemblyCodeBlock.h:
2719         * wasm/js/JSWebAssemblyInstance.h:
2720         * wasm/js/JSWebAssemblyMemory.h:
2721         * wasm/js/JSWebAssemblyModule.h:
2722         * wasm/js/JSWebAssemblyTable.h:
2723         * wasm/js/WasmToJS.cpp:
2724         (JSC::Wasm::handleBadI64Use):
2725         (JSC::Wasm::wasmToJS):
2726         * wasm/js/WebAssemblyFunctionBase.h:
2727         * wasm/js/WebAssemblyModuleRecord.h:
2728         * wasm/js/WebAssemblyToJSCallee.h:
2729         * wasm/js/WebAssemblyWrapperFunction.h:
2730
2731 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
2732
2733         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
2734         https://bugs.webkit.org/show_bug.cgi?id=181182
2735
2736         Reviewed by Darin Adler.
2737
2738         Casting double to integer is undefined behavior when the truncation
2739         results in a value that doesn't fit the integer size, according to the C++
2740         spec [1]. Thus, we are changing bigIntProtoFuncToString and
2741         numberProtoFuncToString to remove this source of undefined behavior.
2742
2743         [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
2744
2745         * runtime/BigIntPrototype.cpp:
2746         (JSC::bigIntProtoFuncToString):
2747         * runtime/NumberPrototype.cpp:
2748         (JSC::numberProtoFuncToString):
2749         (JSC::extractRadixFromArgs): Deleted.
2750         (JSC::extractToStringRadixArgument): Added.
2751
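The entry above states the defect in general terms. The following C++ snippet is an added illustration, not the code from Source/JavaScriptCore/runtime/NumberPrototype.cpp: it shows the narrow-then-check pattern the entry calls undefined behaviour as a comment, beside a form that settles the range question in double arithmetic before narrowing. The function names (`extractRadix`, `doubleToInt32Checked`, `fitsInt32`) and the `RadixResult` struct are this example's own; the radix rules it encodes (default 10, truncate toward zero, valid range 2 to 36, RangeError otherwise) are those of Number.prototype.toString.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Added illustration, not JSC's code. Models the radix handling of
// Number.prototype.toString(radix): an absent argument means 10, otherwise
// the argument is truncated to an integer and must lie in [2, 36], else the
// caller reports a RangeError.

struct RadixResult {
    bool rangeError;  // true: caller should throw RangeError
    int32_t radix;    // valid only when rangeError == false
};

// Returns true and stores the narrowed value when `d` is finite and lies
// within int32_t's range. Comparing against the range in double arithmetic
// is well defined; static_cast on an out-of-range or non-finite double is not.
static bool doubleToInt32Checked(double d, int32_t& out)
{
    if (std::isnan(d))
        return false; // NaN compares false with everything, so test it first
    if (d < static_cast<double>(std::numeric_limits<int32_t>::min())
        || d > static_cast<double>(std::numeric_limits<int32_t>::max()))
        return false; // also rejects +/-infinity
    out = static_cast<int32_t>(d);
    return true;
}

// Convenience predicate for callers that only need the yes/no answer.
static bool fitsInt32(double d)
{
    int32_t unused = 0;
    return doubleToInt32Checked(d, unused);
}

// The pattern the ChangeLog entry describes as undefined behaviour: narrowing
// first and range-checking afterwards. Kept as a comment on purpose.
//   int32_t radix = static_cast<int32_t>(arg); // UB for NaN, inf, 1e300, ...
//   if (radix < 2 || radix > 36) throw RangeError;

// Hardened form: truncate, prove the value fits, then narrow.
static RadixResult extractRadix(bool hasArgument, double arg)
{
    if (!hasArgument)
        return { false, 10 };

    // ECMAScript ToInteger: NaN becomes 0, everything else truncates toward zero.
    double truncated = std::isnan(arg) ? 0.0 : std::trunc(arg);

    int32_t radix = 0;
    if (!doubleToInt32Checked(truncated, radix) || radix < 2 || radix > 36)
        return { true, 0 };
    return { false, radix };
}
```

The order of the checks is the whole point: once the value is known to be finite and inside the int32_t range, the `static_cast` is defined, and the subsequent 2..36 comparison can be done on the integer as before.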
2752 2018-01-12  Saam Barati  <sbarati@apple.com>
2753
2754         Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock
2755         https://bugs.webkit.org/show_bug.cgi?id=181545
2756
2757         Reviewed by Michael Saboff.
2758
2759         This patch follows the theme of putting optimization profiling information on
2760         UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data.
2761         This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock
2762         pulled from the code cache, making better compilation decisions, usually
2763         resulting in fewer exits, and fewer recompilations.
2764         
2765         This is a 1% Speedometer progression in my testing.
2766
2767         * bytecode/BytecodeDumper.cpp:
2768         (JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
2769         * bytecode/CallLinkStatus.cpp:
2770         (JSC::CallLinkStatus::computeFromLLInt):
2771         (JSC::CallLinkStatus::computeFor):
2772         (JSC::CallLinkStatus::computeExitSiteData):
2773         (JSC::CallLinkStatus::computeDFGStatuses):
2774         * bytecode/CallLinkStatus.h:
2775         * bytecode/CodeBlock.h:
2776         (JSC::CodeBlock::addFrequentExitSite): Deleted.
2777         (JSC::CodeBlock::hasExitSite const): Deleted.
2778         (JSC::CodeBlock::exitProfile): Deleted.
2779         * bytecode/DFGExitProfile.cpp:
2780         (JSC::DFG::ExitProfile::add):
2781         (JSC::DFG::QueryableExitProfile::initialize):
2782         * bytecode/DFGExitProfile.h:
2783         (JSC::DFG::ExitProfile::hasExitSite const):
2784         * bytecode/GetByIdStatus.cpp:
2785         (JSC::GetByIdStatus::hasExitSite):
2786         (JSC::GetByIdStatus::computeFor):
2787         (JSC::GetByIdStatus::computeForStubInfo):
2788         * bytecode/GetByIdStatus.h:
2789         * bytecode/PutByIdStatus.cpp:
2790         (JSC::PutByIdStatus::hasExitSite):
2791         (JSC::PutByIdStatus::computeFor):
2792         (JSC::PutByIdStatus::computeForStubInfo):
2793         * bytecode/PutByIdStatus.h:
2794         * bytecode/UnlinkedCodeBlock.cpp:
2795         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
2796         * bytecode/UnlinkedCodeBlock.h:
2797         (JSC::UnlinkedCodeBlock::hasExitSite const):
2798         (JSC::UnlinkedCodeBlock::hasExitSite):
2799         (JSC::UnlinkedCodeBlock::exitProfile):
2800         * dfg/DFGByteCodeParser.cpp:
2801         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2802         * dfg/DFGGraph.h:
2803         (JSC::DFG::Graph::hasGlobalExitSite):
2804         (JSC::DFG::Graph::hasExitSite):
2805         * dfg/DFGLICMPhase.cpp:
2806         (JSC::DFG::LICMPhase::attemptHoist):
2807         * dfg/DFGOSRExitBase.cpp:
2808         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2809
2810 2018-01-12  JF Bastien  <jfbastien@apple.com>
2811
2812         PoisonedWriteBarrier
2813         https://bugs.webkit.org/show_bug.cgi?id=181599
2814         <rdar://problem/36474351>
2815
2816         Reviewed by Mark Lam.
2817
2818         Allow poisoning of WriteBarrier objects, and use this for
2819         WebAssembly because it is perf-neutral, at least on WasmBench on
2820         my MBP. If it indeed is perf-neutral according to the bots, start
2821         using it in more performance-sensitive places.
2822
2823         * heap/HandleTypes.h:
2824         * heap/SlotVisitor.h:
2825         * heap/SlotVisitorInlines.h:
2826         (JSC::SlotVisitor::append):
2827         (JSC::SlotVisitor::appendHidden):
2828         * runtime/JSCJSValue.h:
2829         * runtime/JSCPoison.h:
2830         * runtime/Structure.h:
2831         * runtime/StructureInlines.h:
2832         (JSC::Structure::setPrototypeWithoutTransition):
2833         (JSC::Structure::setGlobalObject):
2834         (JSC::Structure::setPreviousID):
2835         * runtime/WriteBarrier.h:
2836         (JSC::WriteBarrierBase::copyFrom):
2837         (JSC::WriteBarrierBase::get const):
2838         (JSC::WriteBarrierBase::operator* const):
2839         (JSC::WriteBarrierBase::operator-> const):
2840         (JSC::WriteBarrierBase::clear):
2841         (JSC::WriteBarrierBase::slot):
2842         (JSC::WriteBarrierBase::operator bool const):
2843         (JSC::WriteBarrierBase::setWithoutWriteBarrier):
2844         (JSC::WriteBarrierBase::unvalidatedGet const):
2845         (JSC::operator==):
2846         * runtime/WriteBarrierInlines.h:
2847         (JSC::Traits>::set):
2848         (JSC::Traits>::setMayBeNull):
2849         (JSC::Traits>::setEarlyValue):
2850         (JSC::DumbValueTraits<Unknown>>::set):
2851         * wasm/WasmInstance.h:
2852         * wasm/js/JSWebAssemblyInstance.cpp:
2853         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
2854         (JSC::JSWebAssemblyInstance::finishCreation):
2855         (JSC::JSWebAssemblyInstance::visitChildren):
2856         (JSC::JSWebAssemblyInstance::create):
2857         * wasm/js/JSWebAssemblyInstance.h:
2858         (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee):
2859         * wasm/js/JSWebAssemblyMemory.h:
2860         * wasm/js/JSWebAssemblyModule.h:
2861         * wasm/js/JSWebAssemblyTable.cpp:
2862         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
2863         (JSC::JSWebAssemblyTable::grow):
2864         (JSC::JSWebAssemblyTable::clearFunction):
2865         * wasm/js/JSWebAssemblyTable.h:
2866         * wasm/js/WasmToJS.cpp:
2867         (JSC::Wasm::materializeImportJSCell):
2868         (JSC::Wasm::handleBadI64Use):
2869         (JSC::Wasm::wasmToJS):
2870         * wasm/js/WebAssemblyFunctionBase.h:
2871         * wasm/js/WebAssemblyModuleRecord.cpp:
2872         (JSC::WebAssemblyModuleRecord::link):
2873         (JSC::WebAssemblyModuleRecord::evaluate):
2874         * wasm/js/WebAssemblyModuleRecord.h:
2875         * wasm/js/WebAssemblyToJSCallee.h:
2876         * wasm/js/WebAssemblyWrapperFunction.h:
2877
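Neither this PoisonedWriteBarrier entry nor the "Replace all use of ConstExprPoisoned with Poisoned" entry above spells out what a poisoned pointer is. The following C++ sketch is an added illustration of the general technique, not JSC's Poisoned or WriteBarrier implementation; its class names, the fixed `kExampleKey`, and the `Owner`/`Callee` types are this example's assumptions. The GC write-barrier side of the real wrapper is omitted.

```cpp
#include <cstdint>

// Added illustration of the pointer-poisoning idea, not JSC's code. A poisoned
// field stores the pointer XORed with a secret key instead of the raw value,
// so a read of the field that does not apply the key (a confused type, a
// stale or attacker-influenced load) yields an unusable address, and a value
// written into the field by an attacker does not become the pointer the
// program expects when it is unpoisoned.

// In JSC the key is chosen at process start; a fixed value is used here only
// so the example is deterministic (assumption for the illustration).
static const uintptr_t kExampleKey = static_cast<uintptr_t>(0x5a5a5a5a5a5a5a5aULL);

template<typename T>
class PoisonedPtr {
public:
    PoisonedPtr() : m_bits(0) { }
    explicit PoisonedPtr(T* ptr, uintptr_t key = kExampleKey) : m_bits(poison(ptr, key)) { }

    // Unpoison on every read. Null is kept as 0 so "is this field set?" checks
    // keep working without the key.
    T* get(uintptr_t key = kExampleKey) const
    {
        return m_bits ? reinterpret_cast<T*>(m_bits ^ key) : nullptr;
    }

    void set(T* ptr, uintptr_t key = kExampleKey) { m_bits = poison(ptr, key); }

    // Raw storage, exposed only so the example can show what memory holds.
    uintptr_t bits() const { return m_bits; }

private:
    static uintptr_t poison(T* ptr, uintptr_t key)
    {
        uintptr_t raw = reinterpret_cast<uintptr_t>(ptr);
        return raw ? raw ^ key : 0;
    }
    uintptr_t m_bits;
};

// Hypothetical owner object whose poisoned field holds a heap reference.
struct Callee { int id; };
struct Owner { PoisonedPtr<Callee> callee; };

// Shows that the stored bits differ from the address, that the right key
// recovers the pointer, and that a wrong key does not.
static bool poisonRoundTrips(Callee* c)
{
    Owner owner;
    owner.callee.set(c);
    bool storedBitsHidden = owner.callee.bits() != reinterpret_cast<uintptr_t>(c);
    bool rightKeyRecovers = owner.callee.get() == c;
    bool wrongKeyFails = owner.callee.get(kExampleKey ^ 1) != c;
    return storedBitsHidden && rightKeyRecovers && wrongKeyFails;
}
```

The cost is one XOR per load and store, which is why the entry reports the change as perf-neutral for WebAssembly before spreading it to hotter fields.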
2878 2018-01-12  Saam Barati  <sbarati@apple.com>
2879
2880         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
2881         https://bugs.webkit.org/show_bug.cgi?id=181177
2882         <rdar://problem/36205704>
2883
2884         Reviewed by Yusuke Suzuki.
2885
2886         The semantics of CheckStructure are such that it does not allow the empty value to flow through it.
2887         However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't
2888         have semantic consequences when validation is turned off. However, with validation on, this trips up
2889         our OSR exit machinery that says when an exit is allowed to happen.
2890         
2891         Consider the following IR:
2892         
2893         a: GetClosureVar // Or any other node that produces BytecodeTop
2894         ...
2895         c: CheckStructure(Cell:@a, {s2})
2896         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2897         
2898         In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this:
2899         a: GetClosureVar
2900         e: CheckStructureOrEmpty(@a, {s1})
2901         ...
2902         f: CheckStructureOrEmpty(@a, {s2})
2903         c: CheckStructure(Cell:@a, {s2})
2904         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2905         
2906         This will cause constant folding to change the IR to:
2907         a: GetClosureVar
2908         e: CheckStructureOrEmpty(@a, {s1})
2909         ...
2910         f: CheckStructureOrEmpty(@a, {s2})
2911         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2912         
2913         Our mayExit analysis determines that the PutByOffset should not exit. Note
2914         that AI will determine the only value the PutByOffset can see in @a is 
2915         the empty value. Because KnownCell filters SpecCell and not SpecCellCheck,
2916         when lowering the PutByOffset, we reach a contradiction in AI and emit
2917         an OSR exit. However, because mayExit said we couldn't exit, we assert.
2918         
2919         Note that if we did not run the TypeCheckHoistingPhase on this IR, AI
2920         would have determined we would OSR exit at the second CheckStructure.
2921         
2922         This patch makes it so constant folding produces the following IR:
2923         a: GetClosureVar
2924         e: CheckStructureOrEmpty(@a, {s1})
2925         g: AssertNotEmpty(@a)
2926         ...
2927         f: CheckStructureOrEmpty(@a, {s2})
2928         h: AssertNotEmpty(@a)
2929         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
2930         
2931         This modification will cause AI to know we will OSR exit before even reaching
2932         the PutByOffset. Note that in the original IR, the GetClosureVar won't
2933         actually produce the TDZ value. If it did, bytecode would have caused us
2934         to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's
2935         why this bug is about IR bookkeeping and not an actual error in IR analysis.
2936         This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be
2937         more congruous with CheckStructure's semantics of crashing on the empty value
2938         as input (on 64 bit platforms).
2939
2940         * dfg/DFGAbstractInterpreterInlines.h:
2941         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2942         * dfg/DFGClobberize.h:
2943         (JSC::DFG::clobberize):
2944         * dfg/DFGConstantFoldingPhase.cpp:
2945         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2946         * dfg/DFGDoesGC.cpp:
2947         (JSC::DFG::doesGC):
2948         * dfg/DFGFixupPhase.cpp:
2949         (JSC::DFG::FixupPhase::fixupNode):
2950         * dfg/DFGNodeType.h:
2951         * dfg/DFGPredictionPropagationPhase.cpp:
2952         * dfg/DFGSafeToExecute.h:
2953         (JSC::DFG::safeToExecute):
2954         * dfg/DFGSpeculativeJIT32_64.cpp:
2955         (JSC::DFG::SpeculativeJIT::compile):
2956         * dfg/DFGSpeculativeJIT64.cpp:
2957         (JSC::DFG::SpeculativeJIT::compile):
2958         * ftl/FTLCapabilities.cpp:
2959         (JSC::FTL::canCompile):
2960         * ftl/FTLLowerDFGToB3.cpp:
2961         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2962         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2963
2964 2018-01-12  Joseph Pecoraro  <pecoraro@apple.com>
2965
2966         Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent
2967         https://bugs.webkit.org/show_bug.cgi?id=181579
2968         <rdar://problem/36193759>
2969
2970         Reviewed by Brian Burg.
2971
2972         * inspector/agents/InspectorConsoleAgent.h:
2973         * inspector/agents/InspectorConsoleAgent.cpp:
2974         (Inspector::InspectorConsoleAgent::clearMessages):
2975         (Inspector::InspectorConsoleAgent::addConsoleMessage):
2976         Switch from a raw pointer to m_consoleMessages.last().
2977         Also move the expiration check into the if block since it can only
2978         happen inside here when the number of console messages changes.
2979
2980         (Inspector::InspectorConsoleAgent::discardValues):
2981         Also clear the expired message count when messages are cleared.
2982
2983 2018-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2984
2985         [JSC] Create parallel SlotVisitors apriori
2986         https://bugs.webkit.org/show_bug.cgi?id=180907
2987
2988         Reviewed by Saam Barati.
2989
2990         The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
2991         If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
2992         Then we do not need to grab locks while iterating all the SlotVisitors.
2993
2994         In addition, we do not need to consider the case that the number of SlotVisitors increases
2995         after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
2996         does not increase any more.
2997
2998         * heap/Heap.cpp:
2999         (JSC::Heap::Heap):
3000         (JSC::Heap::runBeginPhase):
3001         * heap/Heap.h:
3002         * heap/HeapInlines.h:
3003         (JSC::Heap::forEachSlotVisitor):
3004         (JSC::Heap::numberOfSlotVisitors): Deleted.
3005         * heap/MarkingConstraintSolver.cpp:
3006         (JSC::MarkingConstraintSolver::didVisitSomething const):
3007
3008 2018-01-12  Saam Barati  <sbarati@apple.com>
3009
3010         Each variant of a polymorphic inlined call should be exitOK at the top of the block
3011         https://bugs.webkit.org/show_bug.cgi?id=181562
3012         <rdar://problem/36445624>
3013
3014         Reviewed by Yusuke Suzuki.
3015
3016         Before this patch, the very first block in the switch for polymorphic call
3017         inlining will have exitOK at the top. The others are not guaranteed to.
3018         That was just a bug. They're all exitOK at the top. This will lead to crashes
3019         in FixupPhase because we won't have a node in a block that has ExitOK, so
3020         when we fix up various type checks, we assert out.
3021
3022         * dfg/DFGByteCodeParser.cpp:
3023         (JSC::DFG::ByteCodeParser::handleInlining):
3024
3025 2018-01-11  Keith Miller  <keith_miller@apple.com>
3026
3027         Rename ENABLE_ASYNC_ITERATION to ENABLE_JS_ASYNC_ITERATION
3028         https://bugs.webkit.org/show_bug.cgi?id=181573
3029
3030         Reviewed by Simon Fraser.
3031
3032         * Configurations/FeatureDefines.xcconfig:
3033         * runtime/Options.h:
3034
3035 2018-01-11  Michael Saboff  <msaboff@apple.com>
3036
3037         REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters
3038         https://bugs.webkit.org/show_bug.cgi?id=181570
3039
3040         Reviewed by Keith Miller.
3041
3042         * assembler/MacroAssemblerARM64.h:
3043         (JSC::MacroAssemblerARM64::abortWithReason):
3044         Reverting these functions to use dataTempRegister and memoryTempRegister as they are
3045         JIT release asserts that will crash the program.
3046
3047         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
3048         Changed this so that it invalidates any cached dataTmpRegister contents if temp register
3049         caching is enabled.
3050
3051 2018-01-11  Filip Pizlo  <fpizlo@apple.com>
3052
3053         Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes
3054         https://bugs.webkit.org/show_bug.cgi?id=181543
3055
3056         Rubber stamped by Michael Saboff.
3057         
3058         In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't
3059         really have anything to do with allocation anymore. The allocation will be done by something
3060         in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a
3061         place to find blocks (a "block directory").
3062
3063         Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the
3064         attributes of the HeapCellType. So let's call them CellAttributes.
3065
3066         * JavaScriptCore.xcodeproj/project.pbxproj:
3067         * Sources.txt:
3068         * bytecode/AccessCase.cpp:
3069         (JSC::AccessCase::generateImpl):
3070         * bytecode/ObjectAllocationProfile.h:
3071         * bytecode/ObjectAllocationProfileInlines.h:
3072         (JSC::ObjectAllocationProfile::initializeProfile):
3073         * dfg/DFGSpeculativeJIT.cpp:
3074         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3075         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3076         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3077         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3078         (JSC::DFG::SpeculativeJIT::compileNewObject):
3079         * dfg/DFGSpeculativeJIT.h:
3080         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
3081         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3082         * ftl/FTLAbstractHeapRepository.h:
3083         * ftl/FTLLowerDFGToB3.cpp:
3084         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3085         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3086         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3087         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3088         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3089         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3090         * heap/AlignedMemoryAllocator.cpp:
3091         (JSC::AlignedMemoryAllocator::registerDirectory):
3092         (JSC::AlignedMemoryAllocator::registerAllocator): Deleted.
3093         * heap/AlignedMemoryAllocator.h:
3094         (JSC::AlignedMemoryAllocator::firstDirectory const):
3095         (JSC::AlignedMemoryAllocator::firstAllocator const): Deleted.
3096         * heap/AllocatorAttributes.cpp: Removed.
3097         * heap/AllocatorAttributes.h: Removed.
3098         * heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp.
3099         (JSC::BlockDirectory::BlockDirectory):
3100         (JSC::BlockDirectory::setSubspace):
3101         (JSC::BlockDirectory::isPagedOut):
3102         (JSC::BlockDirectory::findEmptyBlockToSteal):
3103         (JSC::BlockDirectory::didConsumeFreeList):
3104         (JSC::BlockDirectory::tryAllocateWithoutCollecting):
3105         (JSC::BlockDirectory::allocateIn):
3106         (JSC::BlockDirectory::tryAllocateIn):
3107         (JSC::BlockDirectory::doTestCollectionsIfNeeded):
3108         (JSC::BlockDirectory::allocateSlowCase):
3109         (JSC::BlockDirectory::blockSizeForBytes):
3110         (JSC::BlockDirectory::tryAllocateBlock):
3111         (JSC::BlockDirectory::addBlock):
3112         (JSC::BlockDirectory::removeBlock):
3113         (JSC::BlockDirectory::stopAllocating):
3114         (JSC::BlockDirectory::prepareForAllocation):
3115         (JSC::BlockDirectory::lastChanceToFinalize):
3116         (JSC::BlockDirectory::resumeAllocating):
3117         (JSC::BlockDirectory::beginMarkingForFullCollection):
3118         (JSC::BlockDirectory::endMarking):
3119         (JSC::BlockDirectory::snapshotUnsweptForEdenCollection):
3120         (JSC::BlockDirectory::snapshotUnsweptForFullCollection):
3121         (JSC::BlockDirectory::findBlockToSweep):
3122         (JSC::BlockDirectory::sweep):
3123         (JSC::BlockDirectory::shrink):
3124         (JSC::BlockDirectory::assertNoUnswept):
3125         (JSC::BlockDirectory::parallelNotEmptyBlockSource):
3126         (JSC::BlockDirectory::dump const):
3127         (JSC::BlockDirectory::dumpBits):
3128         (JSC::BlockDirectory::markedSpace const):
3129         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
3130         (JSC::MarkedAllocator::setSubspace): Deleted.
3131         (JSC::MarkedAllocator::isPagedOut): Deleted.
3132         (JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted.
3133         (JSC::MarkedAllocator::didConsumeFreeList): Deleted.
3134         (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
3135         (JSC::MarkedAllocator::allocateIn): Deleted.
3136         (JSC::MarkedAllocator::tryAllocateIn): Deleted.
3137         (JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted.
3138         (JSC::MarkedAllocator::allocateSlowCase): Deleted.
3139         (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
3140         (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
3141         (JSC::MarkedAllocator::addBlock): Deleted.
3142         (JSC::MarkedAllocator::removeBlock): Deleted.
3143         (JSC::MarkedAllocator::stopAllocating): Deleted.
3144         (JSC::MarkedAllocator::prepareForAllocation): Deleted.
3145         (JSC::MarkedAllocator::lastChanceToFinalize): Deleted.
3146         (JSC::MarkedAllocator::resumeAllocating): Deleted.
3147         (JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted.
3148         (JSC::MarkedAllocator::endMarking): Deleted.
3149         (JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted.
3150         (JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted.
3151         (JSC::MarkedAllocator::findBlockToSweep): Deleted.
3152         (JSC::MarkedAllocator::sweep): Deleted.
3153         (JSC::MarkedAllocator::shrink): Deleted.
3154         (JSC::MarkedAllocator::assertNoUnswept): Deleted.
3155         (JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted.
3156         (JSC::MarkedAllocator::dump const): Deleted.
3157         (JSC::MarkedAllocator::dumpBits): Deleted.
3158         (JSC::MarkedAllocator::markedSpace const): Deleted.
3159         * heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h.
3160         (JSC::BlockDirectory::attributes const):
3161         (JSC::BlockDirectory::forEachBitVector):
3162         (JSC::BlockDirectory::forEachBitVectorWithName):
3163         (JSC::BlockDirectory::nextDirectory const):
3164         (JSC::BlockDirectory::nextDirectoryInSubspace const):
3165         (JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const):
3166         (JSC::BlockDirectory::setNextDirectory):
3167         (JSC::BlockDirectory::setNextDirectoryInSubspace):
3168         (JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator):
3169         (JSC::BlockDirectory::offsetOfFreeList):
3170         (JSC::BlockDirectory::offsetOfCellSize):
3171         (JSC::MarkedAllocator::cellSize const): Deleted.
3172         (JSC::MarkedAllocator::attributes const): Deleted.
3173         (JSC::MarkedAllocator::needsDestruction const): Deleted.
3174         (JSC::MarkedAllocator::destruction const): Deleted.
3175         (JSC::MarkedAllocator::cellKind const): Deleted.
3176         (JSC::MarkedAllocator::heap): Deleted.
3177         (JSC::MarkedAllocator::bitvectorLock): Deleted.
3178         (JSC::MarkedAllocator::forEachBitVector): Deleted.
3179         (JSC::MarkedAllocator::forEachBitVectorWithName): Deleted.
3180         (JSC::MarkedAllocator::nextAllocator const): Deleted.
3181         (JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted.
3182         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted.
3183         (JSC::MarkedAllocator::setNextAllocator): Deleted.
3184         (JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted.
3185         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted.
3186         (JSC::MarkedAllocator::subspace const): Deleted.
3187         (JSC::MarkedAllocator::freeList const): Deleted.
3188         (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
3189         (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
3190         * heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h.
3191         (JSC::BlockDirectory::isFreeListedCell const):
3192         (JSC::BlockDirectory::allocate):
3193         (JSC::BlockDirectory::forEachBlock):
3194         (JSC::BlockDirectory::forEachNotEmptyBlock):
3195         (JSC::MarkedAllocator::isFreeListedCell const): Deleted.
3196         (JSC::MarkedAllocator::allocate): Deleted.
3197         (JSC::MarkedAllocator::forEachBlock): Deleted.
3198         (JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted.
3199         * heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp.
3200         (JSC::CellAttributes::dump const):
3201         (JSC::AllocatorAttributes::dump const): Deleted.
3202         * heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h.
3203         (JSC::CellAttributes::CellAttributes):
3204         (JSC::AllocatorAttributes::AllocatorAttributes): Deleted.
3205         * heap/CompleteSubspace.cpp:
3206         (JSC::CompleteSubspace::allocatorFor):
3207         (JSC::CompleteSubspace::allocateNonVirtual):
3208         (JSC::CompleteSubspace::allocatorForSlow):
3209         (JSC::CompleteSubspace::tryAllocateSlow):
3210         * heap/CompleteSubspace.h:
3211         (JSC::CompleteSubspace::allocatorForSizeStep):
3212         (JSC::CompleteSubspace::allocatorForNonVirtual):
3213         * heap/GCDeferralContext.h:
3214         * heap/Heap.cpp:
3215         (JSC::Heap::updateAllocationLimits):
3216         * heap/Heap.h:
3217         * heap/HeapCell.h:
3218         * heap/HeapCellInlines.h:
3219         (JSC::HeapCell::cellAttributes const):
3220         (JSC::HeapCell::destructionMode const):
3221         (JSC::HeapCell::cellKind const):
3222         (JSC::HeapCell::allocatorAttributes const): Deleted.
3223         * heap/HeapCellType.cpp:
3224         (JSC::HeapCellType::HeapCellType):
3225         * heap/HeapCellType.h:
3226         (JSC::HeapCellType::attributes const):
3227         * heap/IncrementalSweeper.cpp:
3228         (JSC::IncrementalSweeper::IncrementalSweeper):
3229         (JSC::IncrementalSweeper::sweepNextBlock):
3230         (JSC::IncrementalSweeper::startSweeping):
3231         (JSC::IncrementalSweeper::stopSweeping):
3232         * heap/IncrementalSweeper.h:
3233         * heap/IsoCellSet.cpp:
3234         (JSC::IsoCellSet::IsoCellSet):
3235         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
3236         (JSC::IsoCellSet::addSlow):
3237         (JSC::IsoCellSet::didRemoveBlock):
3238         (JSC::IsoCellSet::sweepToFreeList):
3239         * heap/IsoCellSetInlines.h:
3240         (JSC::IsoCellSet::forEachMarkedCell):
3241         (JSC::IsoCellSet::forEachLiveCell):
3242         * heap/IsoSubspace.cpp:
3243         (JSC::IsoSubspace::IsoSubspace):
3244         (JSC::IsoSubspace::allocatorFor):
3245         (JSC::IsoSubspace::allocateNonVirtual):
3246         * heap/IsoSubspace.h:
3247         (JSC::IsoSubspace::allocatorForNonVirtual):
3248         * heap/LargeAllocation.h:
3249         (JSC::LargeAllocation::attributes const):
3250         * heap/MarkedAllocator.cpp: Removed.
3251         * heap/MarkedAllocator.h: Removed.
3252         * heap/MarkedAllocatorInlines.h: Removed.
3253         * heap/MarkedBlock.cpp:
3254         (JSC::MarkedBlock::Handle::~Handle):
3255         (JSC::MarkedBlock::Handle::setIsFreeListed):
3256         (JSC::MarkedBlock::Handle::stopAllocating):
3257         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3258         (JSC::MarkedBlock::Handle::resumeAllocating):
3259         (JSC::MarkedBlock::aboutToMarkSlow):
3260         (JSC::MarkedBlock::Handle::didConsumeFreeList):
3261         (JSC::MarkedBlock::noteMarkedSlow):
3262         (JSC::MarkedBlock::Handle::removeFromDirectory):
3263         (JSC::MarkedBlock::Handle::didAddToDirectory):
3264         (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
3265         (JSC::MarkedBlock::Handle::dumpState):
3266         (JSC::MarkedBlock::Handle::subspace const):
3267         (JSC::MarkedBlock::Handle::sweep):
3268         (JSC::MarkedBlock::Handle::isFreeListedCell const):
3269         (JSC::MarkedBlock::Handle::removeFromAllocator): Deleted.
3270         (JSC::MarkedBlock::Handle::didAddToAllocator): Deleted.
3271         (JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted.
3272         * heap/MarkedBlock.h:
3273         (JSC::MarkedBlock::Handle::directory const):
3274         (JSC::MarkedBlock::Handle::attributes const):
3275         (JSC::MarkedBlock::attributes const):
3276         (JSC::MarkedBlock::Handle::allocator const): Deleted.
3277         * heap/MarkedBlockInlines.h:
3278         (JSC::MarkedBlock::Handle::isAllocated):
3279         (JSC::MarkedBlock::Handle::isLive):
3280         (JSC::MarkedBlock::Handle::specializedSweep):
3281         (JSC::MarkedBlock::Handle::isEmpty):
3282         * heap/MarkedSpace.cpp:
3283         (JSC::MarkedSpace::lastChanceToFinalize):
3284         (JSC::MarkedSpace::sweep):
3285         (JSC::MarkedSpace::stopAllocating):
3286         (JSC::MarkedSpace::resumeAllocating):
3287         (JSC::MarkedSpace::isPagedOut):
3288         (JSC::MarkedSpace::freeBlock):
3289         (JSC::MarkedSpace::shrink):
3290         (JSC::MarkedSpace::beginMarking):
3291         (JSC::MarkedSpace::endMarking):
3292         (JSC::MarkedSpace::snapshotUnswept):
3293         (JSC::MarkedSpace::assertNoUnswept):
3294         (JSC::MarkedSpace::dumpBits):
3295         (JSC::MarkedSpace::addBlockDirectory):
3296         (JSC::MarkedSpace::addMarkedAllocator): Deleted.
3297         * heap/MarkedSpace.h:
3298         (JSC::MarkedSpace::firstDirectory const):
3299         (JSC::MarkedSpace::directoryLock):
3300         (JSC::MarkedSpace::forEachBlock):
3301         (JSC::MarkedSpace::forEachDirectory):
3302         (JSC::MarkedSpace::firstAllocator const): Deleted.
3303         (JSC::MarkedSpace::allocatorLock): Deleted.
3304         (JSC::MarkedSpace::forEachAllocator): Deleted.
3305         * heap/MarkedSpaceInlines.h:
3306         * heap/Subspace.cpp:
3307         (JSC::Subspace::initialize):
3308         (JSC::Subspace::prepareForAllocation):
3309         (JSC::Subspace::findEmptyBlockToSteal):
3310         (JSC::Subspace::parallelDirectorySource):
3311         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
3312         (JSC::Subspace::sweep):
3313         (JSC::Subspace::parallelAllocatorSource): Deleted.
3314         * heap/Subspace.h:
3315         (JSC::Subspace::attributes const):
3316         (JSC::Subspace::didCreateFirstDirectory):
3317         (JSC::Subspace::didCreateFirstAllocator): Deleted.
3318         * heap/SubspaceInlines.h:
3319         (JSC::Subspace::forEachDirectory):
3320         (JSC::Subspace::forEachMarkedBlock):
3321         (JSC::Subspace::forEachNotEmptyMarkedBlock):
3322         (JSC::Subspace::forEachAllocator): Deleted.
3323         * jit/AssemblyHelpers.h:
3324         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3325         (JSC::AssemblyHelpers::emitAllocate):
3326         (JSC::AssemblyHelpers::emitAllocateJSCell):
3327         (JSC::AssemblyHelpers::emitAllocateJSObject):
3328         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3329         * jit/JIT.h:
3330         * jit/JITOpcodes.cpp:
3331         (JSC::JIT::emit_op_new_object):
3332         * jit/JITOpcodes32_64.cpp:
3333         (JSC::JIT::emit_op_new_object):
3334         * runtime/JSDestructibleObjectHeapCellType.cpp:
3335         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3336         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
3337         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3338         * runtime/JSStringHeapCellType.cpp:
3339         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3340         * runtime/VM.cpp:
3341         (JSC::VM::VM):
3342         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
3343         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3344
3345 2018-01-11  Saam Barati  <sbarati@apple.com>
3346
3347         When inserting Unreachable in byte code parser we need to flush all the right things
3348         https://bugs.webkit.org/show_bug.cgi?id=181509
3349         <rdar://problem/36423110>
3350
3351         Reviewed by Mark Lam.
3352
3353         I added code in r226655 that had its own mechanism for preserving liveness when
3354         inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
3355         liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
3356         I got some of these values wrong, which was leading to a crash when recovering the
3357         callee value from an inlined frame. Instead of making the same mistake and repeating
3358         similar code again, this patch refactors this logic to be shared with the other
3359         liveness preservation code in the DFG bytecode parser. This is what I should have
3360         done in my initial patch.
3361
3362         * bytecode/InlineCallFrame.h:
3363         (JSC::remapOperand):
3364         * dfg/DFGByteCodeParser.cpp:
3365         (JSC::DFG::flushImpl):
3366         (JSC::DFG::flushForTerminalImpl):
3367         (JSC::DFG::ByteCodeParser::flush):
3368         (JSC::DFG::ByteCodeParser::flushForTerminal):
3369         (JSC::DFG::ByteCodeParser::parse):
3370
3371 2018-01-11  Saam Barati  <sbarati@apple.com>
3372
3373         JITMathIC code in the FTL is wrong when code gets duplicated
3374         https://bugs.webkit.org/show_bug.cgi?id=181525
3375         <rdar://problem/36351993>
3376
3377         Reviewed by Michael Saboff and Keith Miller.
3378
3379         B3/Air may duplicate code for various reasons. Patchpoint generators inside
3380         FTLLower must be aware that they can be called multiple times because of this.
3381         The patchpoint for math ICs was not aware of this, and shared state amongst
3382         all invocations of the patchpoint's generator. This patch fixes this bug so
3383         that each invocation of the patchpoint's generator gets a unique math IC.
3384
3385         * bytecode/CodeBlock.h:
3386         (JSC::CodeBlock::addMathIC):
3387         * ftl/FTLLowerDFGToB3.cpp:
3388         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3389         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
3390         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
3391         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
3392         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
3393         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
3394         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
3395         * jit/JITMathIC.h:
3396         (JSC::isProfileEmpty):
3397
3398 2018-01-11  Michael Saboff  <msaboff@apple.com>
3399
3400         Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister
3401         https://bugs.webkit.org/show_bug.cgi?id=181512
3402
3403         Reviewed by Saam Barati.
3404
3405         * assembler/MacroAssemblerARM64.h:
3406         (JSC::MacroAssemblerARM64::abortWithReason):
3407         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
3408         All current uses of dataTempRegister in these functions are safe, but it makes sense to
3409         fix them in case they might be used elsewhere.
3410
3411 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
3412
3413         CodeBlocks should be in IsoSubspaces
3414         https://bugs.webkit.org/show_bug.cgi?id=180884
3415
3416         Reviewed by Saam Barati.
3417         
3418         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
3419         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
3420         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
3421         
3422         - Code block sweeping is now just eager sweeping. This means that it automatically takes
3423           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
3424           its eden set for.
3425         
3426         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
3427           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
3428           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
3429           longer has to clear the set of weakly visited code blocks. This also means that
3430           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
3431           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
3432           has IsoCellSets to tell us which edges have output constraints (what we used to call
3433           CodeBlock's weak reference harvester) and which have unconditional finalizers.
3434         
3435         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
3436         
3437         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
3438           handle requests from the sampler, debugger, and other facilities. They may want to ask
3439           if some pointer corresponds to a CodeBlock during stages of execution during which the
3440           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
3441           There is no way that the GC's isLive could tell us whether a CodeBlock that had already been
3442           allocated has now been fully constructed.
3443         
3444         Rolling this back in because it was rolled out by mistake. There was a flaky crash that was
3445         happening before and after this change, but we misread the revision numbers at first and
3446         thought that this was the cause.
3447         
3448         * JavaScriptCore.xcodeproj/project.pbxproj:
3449         * Sources.txt:
3450         * bytecode/CodeBlock.cpp:
3451         (JSC::CodeBlock::CodeBlock):
3452         (JSC::CodeBlock::finishCreation):
3453         (JSC::CodeBlock::finishCreationCommon):
3454         (JSC::CodeBlock::~CodeBlock):
3455         (JSC::CodeBlock::visitChildren):
3456         (JSC::CodeBlock::propagateTransitions):
3457         (JSC::CodeBlock::determineLiveness):
3458         (JSC::CodeBlock::finalizeUnconditionally):
3459         (JSC::CodeBlock::stronglyVisitStrongReferences):
3460         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
3461         (JSC::CodeBlock::installVMTrapBreakpoints):
3462         (JSC::CodeBlock::dumpMathICStats):
3463         (JSC::CodeBlock::visitWeakly): Deleted.
3464         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
3465         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
3466         * bytecode/CodeBlock.h:
3467         (JSC::CodeBlock::subspaceFor):
3468         (JSC::CodeBlock::ownerEdge const):
3469         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
3470         * bytecode/EvalCodeBlock.h:
3471         (JSC::EvalCodeBlock::create): Deleted.
3472         (JSC::EvalCodeBlock::createStructure): Deleted.
3473         (JSC::EvalCodeBlock::variable): Deleted.
3474         (JSC::EvalCodeBlock::numVariables): Deleted.
3475         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
3476         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
3477         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
3478         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
3479         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
3480         (JSC::ExecutableToCodeBlockEdge::createStructure):
3481         (JSC::ExecutableToCodeBlockEdge::create):
3482         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3483         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
3484         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
3485         (JSC::ExecutableToCodeBlockEdge::activate):
3486         (JSC::ExecutableToCodeBlockEdge::deactivate):
3487         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
3488         (JSC::ExecutableToCodeBlockEdge::wrap):
3489         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
3490         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
3491         (JSC::ExecutableToCodeBlockEdge::runConstraint):
3492         * bytecode/ExecutableToCodeBlockEdge.h: Added.
3493         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
3494         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
3495         (JSC::ExecutableToCodeBlockEdge::unwrap):
3496         * bytecode/FunctionCodeBlock.h:
3497         (JSC::FunctionCodeBlock::subspaceFor):
3498         (JSC::FunctionCodeBlock::createStructure):
3499         * bytecode/ModuleProgramCodeBlock.h:
3500         (JSC::ModuleProgramCodeBlock::create): Deleted.
3501         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
3502         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
3503         * bytecode/ProgramCodeBlock.h:
3504         (JSC::ProgramCodeBlock::create): Deleted.
3505         (JSC::ProgramCodeBlock::createStructure): Deleted.
3506         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
3507         * debugger/Debugger.cpp:
3508         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
3509         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
3510         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
3511         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
3512         * heap/CodeBlockSet.cpp:
3513         (JSC::CodeBlockSet::contains):
3514         (JSC::CodeBlockSet::dump const):
3515         (JSC::CodeBlockSet::add):
3516         (JSC::CodeBlockSet::remove):
3517         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
3518         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
3519         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
3520         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
3521         * heap/CodeBlockSet.h:
3522         * heap/CodeBlockSetInlines.h:
3523         (JSC::CodeBlockSet::iterate):
3524         (JSC::CodeBlockSet::iterateViaSubspaces):
3525         * heap/ConservativeRoots.cpp:
3526         (JSC::ConservativeRoots::genericAddPointer):
3527         (JSC::DummyMarkHook::markKnownJSCell):
3528         (JSC::CompositeMarkHook::mark):
3529         (JSC::CompositeMarkHook::markKnownJSCell):
3530         * heap/ConservativeRoots.h:
3531         * heap/Heap.cpp:
3532         (JSC::Heap::lastChanceToFinalize):
3533         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
3534         (JSC::Heap::finalizeUnconditionalFinalizers):
3535         (JSC::Heap::beginMarking):
3536         (JSC::Heap::deleteUnmarkedCompiledCode):
3537         (JSC::Heap::sweepInFinalize):
3538         (JSC::Heap::forEachCodeBlockImpl):
3539         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
3540         (JSC::Heap::addCoreConstraints):
3541         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
3542         * heap/Heap.h:
3543         * heap/HeapCell.h:
3544         * heap/HeapCellInlines.h:
3545         (JSC::HeapCell::subspace const):
3546         * heap/HeapInlines.h:
3547         (JSC::Heap::forEachCodeBlock):
3548         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
3549         * heap/HeapUtil.h:
3550         (JSC::HeapUtil::findGCObjectPointersForMarking):
3551         * heap/IsoCellSet.cpp:
3552         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
3553         * heap/IsoCellSet.h:
3554         * heap/IsoCellSetInlines.h:
3555         (JSC::IsoCellSet::forEachMarkedCellInParallel):
3556         (JSC::IsoCellSet::forEachLiveCell):
3557         * heap/LargeAllocation.h:
3558         (JSC::LargeAllocation::subspace const):
3559         * heap/MarkStackMergingConstraint.cpp:
3560         (JSC::MarkStackMergingConstraint::executeImpl):
3561         * heap/MarkStackMergingConstraint.h:
3562         * heap/MarkedAllocator.cpp:
3563         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
3564         * heap/MarkedBlock.cpp:
3565         (JSC::MarkedBlock::Handle::didAddToAllocator):
3566         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
3567         * heap/MarkedBlock.h:
3568         (JSC::MarkedBlock::subspace const):
3569         * heap/MarkedBlockInlines.h:
3570         (JSC::MarkedBlock::Handle::forEachLiveCell):
3571         * heap/MarkedSpaceInlines.h:
3572         (JSC::MarkedSpace::forEachLiveCell):
3573         * heap/MarkingConstraint.cpp:
3574         (JSC::MarkingConstraint::execute):
3575         (JSC::MarkingConstraint::doParallelWork):
3576         (JSC::MarkingConstraint::finishParallelWork): Deleted.
3577         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
3578         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
3579         * heap/MarkingConstraint.h:
3580         * heap/MarkingConstraintSet.cpp:
3581         (JSC::MarkingConstraintSet::add):
3582         * heap/MarkingConstraintSet.h:
3583         (JSC::MarkingConstraintSet::add):
3584         * heap/MarkingConstraintSolver.cpp:
3585         (JSC::MarkingConstraintSolver::execute):
3586         (JSC::MarkingConstraintSolver::addParallelTask):
3587         (JSC::MarkingConstraintSolver::runExecutionThread):
3588         (JSC::MarkingConstraintSolver::didExecute): Deleted.
3589         * heap/MarkingConstraintSolver.h:
3590         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
3591         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
3592         * heap/SimpleMarkingConstraint.cpp:
3593         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3594         (JSC::SimpleMarkingConstraint::executeImpl):
3595         * heap/SimpleMarkingConstraint.h:
3596         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
3597         * heap/SlotVisitor.cpp:
3598         (JSC::SlotVisitor::addParallelConstraintTask):
3599         * heap/SlotVisitor.h:
3600         * heap/Subspace.cpp:
3601         (JSC::Subspace::sweep):
3602         * heap/Subspace.h:
3603         * heap/SubspaceInlines.h:
3604         (JSC::Subspace::forEachLiveCell):
3605         * llint/LowLevelInterpreter.asm:
3606         * runtime/EvalExecutable.cpp:
3607         (JSC::EvalExecutable::visitChildren):
3608         * runtime/EvalExecutable.h:
3609         (JSC::EvalExecutable::codeBlock):
3610         * runtime/FunctionExecutable.cpp:
3611         (JSC::FunctionExecutable::baselineCodeBlockFor):
3612         (JSC::FunctionExecutable::visitChildren):
3613         * runtime/FunctionExecutable.h:
3614         * runtime/JSType.h:
3615         * runtime/ModuleProgramExecutable.cpp:
3616         (JSC::ModuleProgramExecutable::visitChildren):
3617         * runtime/ModuleProgramExecutable.h:
3618         * runtime/ProgramExecutable.cpp:
3619         (JSC::ProgramExecutable::visitChildren):
3620         * runtime/ProgramExecutable.h:
3621         * runtime/ScriptExecutable.cpp:
3622         (JSC::ScriptExecutable::installCode):
3623         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
3624         * runtime/VM.cpp:
3625         (JSC::VM::VM):
3626         * runtime/VM.h:
3627         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
3628         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
3629         (JSC::VM::forEachCodeBlockSpace):
3630         * runtime/VMTraps.cpp:
3631         (JSC::VMTraps::handleTraps):
3632         * tools/VMInspector.cpp:
3633         (JSC::VMInspector::codeBlockForMachinePC):
3634         (JSC::VMInspector::isValidCodeBlock):
3635
3636 2018-01-11  Michael Saboff  <msaboff@apple.com>
3637
3638         Add a DOM gadget for Spectre testing
3639         https://bugs.webkit.org/show_bug.cgi?id=181351
3640
3641         Reviewed by Ryosuke Niwa.
3642
3643         * runtime/Options.h:
3644
3645 2018-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3646
3647         [DFG][FTL] regExpMatchFast should be handled
3648         https://bugs.webkit.org/show_bug.cgi?id=180988
3649
3650         Reviewed by Mark Lam.
3651
3652         RegExp.prototype.@@match has a fast path, @regExpMatchFast. This patch annotates this function
3653         with RegExpMatchFastIntrinsic, and introduces RegExpMatch DFG node. This paves the way to
3654         make NewRegexp PhantomNewRegexp if it is not used except for setting/getting its lastIndex property.
3655
3656         To improve RegExp.prototype.@@match's performance more, we make this builtin function small by moving the
3657         slow path part to the `@matchSlow()` private function.
3658
3659         It improves SixSpeed regex-u.{es5,es6} largely, since they stress String.prototype.match, which calls
3660         this regExpMatchFast function.
3661
3662                                  baseline                  patched
3663
3664         regex-u.es5          55.3835+-6.3002     ^     36.2431+-2.0797        ^ definitely 1.5281x faster
3665         regex-u.es6         110.4624+-6.2896     ^     94.1012+-7.2433        ^ definitely 1.1739x faster
3666
3667         * builtins/RegExpPrototype.js:
3668         (globalPrivate.matchSlow):
3669         (overriddenName.string_appeared_here.match):
3670         * dfg/DFGAbstractInterpreterInlines.h:
3671         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3672         * dfg/DFGByteCodeParser.cpp:
3673         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3674         * dfg/DFGClobberize.h:
3675         (JSC::DFG::clobberize):
3676         * dfg/DFGDoesGC.cpp:
3677         (JSC::DFG::doesGC):
3678         * dfg/DFGFixupPhase.cpp:
3679         (JSC::DFG::FixupPhase::fixupNode):
3680         * dfg/DFGNode.h:
3681         (JSC::DFG::Node::hasHeapPrediction):
3682         * dfg/DFGNodeType.h:
3683         * dfg/DFGOperations.cpp:
3684         * dfg/DFGOperations.h:
3685         * dfg/DFGPredictionPropagationPhase.cpp:
3686         * dfg/DFGSafeToExecute.h:
3687         (JSC::DFG::safeToExecute):
3688         * dfg/DFGSpeculativeJIT.cpp:
3689         (JSC::DFG::SpeculativeJIT::compileRegExpMatch):
3690         * dfg/DFGSpeculativeJIT.h:
3691         * dfg/DFGSpeculativeJIT32_64.cpp:
3692         (JSC::DFG::SpeculativeJIT::compile):
3693         * dfg/DFGSpeculativeJIT64.cpp:
3694         (JSC::DFG::SpeculativeJIT::compile):
3695         * ftl/FTLCapabilities.cpp:
3696         (JSC::FTL::canCompile):
3697         * ftl/FTLLowerDFGToB3.cpp:
3698         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3699         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatch):
3700         * runtime/Intrinsic.cpp:
3701         (JSC::intrinsicName):
3702         * runtime/Intrinsic.h:
3703         * runtime/JSGlobalObject.cpp:
3704         (JSC::JSGlobalObject::init):
3705         * runtime/RegExpPrototype.cpp:
3706         (JSC::regExpProtoFuncMatchFast):
3707
3708 2018-01-11  Saam Barati  <sbarati@apple.com>
3709
3710         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
3711         https://bugs.webkit.org/show_bug.cgi?id=181508
3712
3713         Reviewed by Yusuke Suzuki.
3714
3715         Our for-in caching would cache structure chains that had prototypes with
3716         indexed properties. Clearly this is wrong. This caching breaks when a prototype
3717         adds new indexed properties. We would continue to enumerate the old cached
3718         state of properties, and not include the new indexed properties.
3719         
3720         The old code used to prevent caching only if the base structure had
3721         indexed properties. This patch extends it to prevent caching if the
3722         base, or any structure in the prototype chain, has indexed properties.
3723
3724         * runtime/Structure.cpp:
3725         (JSC::Structure::canCachePropertyNameEnumerator const):
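
        A regression check for the behaviour described in this entry, written as an added example rather than code from the WebKit patch or its test suite: an object whose prototype already has an indexed property is enumerated repeatedly (so any cached enumerator for the structure chain is populated), then the prototype gains another index and the object is enumerated once more. A correct engine must report the new index on that last pass.

```javascript
// Added example (not code from the WebKit patch): the observable for-in
// behaviour that the fix to canCachePropertyNameEnumerator protects.
// A prototype that already has indexed properties gains another one
// between enumerations; the second enumeration must see the new index.

// Collect the keys for-in yields for `object`, in enumeration order.
function enumerateKeys(object) {
    const keys = [];
    for (const key in object)
        keys.push(key);
    return keys;
}

// Build base -> proto, where proto already holds an indexed property (the
// case the old cache check missed), enumerate `warmup` times so any cached
// enumerator for this structure chain is populated, then add a new index on
// proto and enumerate once more. Returns both key lists for comparison.
function enumerateAroundPrototypeIndexedAdd(warmup = 1000) {
    const proto = { 0: "zero", b: 2 };
    const base = Object.create(proto);
    base.a = 1;

    let before = [];
    for (let i = 0; i < warmup; i++)
        before = enumerateKeys(base);   // "a", "0", "b" on a correct engine

    proto[1] = "one";                   // new indexed property on the prototype
    const after = enumerateKeys(base);  // must now include "1"

    return { before, after };
}

// True when the engine reflects the prototype's new indexed property;
// a stale cached enumerator would omit "1" and make this return false.
function prototypeIndexIsVisible() {
    const { before, after } = enumerateAroundPrototypeIndexedAdd();
    return !before.includes("1") && after.includes("1");
}
```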
3726
3727 2018-01-10  JF Bastien  <jfbastien@apple.com>
3728
3729         Poison small JSObject derivatives which only contain pointers
3730         https://bugs.webkit.org/show_bug.cgi?id=181483
3731         <rdar://problem/36407127>
3732
3733         Reviewed by Mark Lam.
3734
3735         I wrote a script that finds interesting things to poison or
3736         generally harden. These stood out because they derive from
3737         JSObject and only contain a few pointer or pointer-like fields,
3738         and could therefore just be poisoned. This also requires some
3739         template "improvements" to our poisoning machinery. Worth noting
3740         is that I'm making PoisonedUniquePtr move-assignable and
3741         move-constructible from unique_ptr, which makes it a better
3742         drop-in replacement because we don't need to use
3743         makePoisonedUniquePtr. This means function-locals can be
3744         unique_ptr and get the nice RAII pattern, and once the function is
3745         done you can just move to the class' PoisonedUniquePtr without
3746         worrying.
3747
3748         * API/JSAPIWrapperObject.h:
3749         (JSC::JSAPIWrapperObject::wrappedObject):
3750         * API/JSAPIWrapperObject.mm:
3751         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
3752         * API/JSCallbackObject.h:
3753         * runtime/ArrayPrototype.h:
3754         * runtime/DateInstance.h:
3755         * runtime/JSArrayBuffer.cpp:
3756         (JSC::JSArrayBuffer::finishCreation):
3757         (JSC::JSArrayBuffer::isShared const):
3758         (JSC::JSArrayBuffer::sharingMode const):
3759         * runtime/JSArrayBuffer.h:
3760         * runtime/JSCPoison.h:
3761
3762 2018-01-10  Commit Queue  <commit-queue@webkit.org>
3763
3764         Unreviewed, rolling out r226667 and r226673.
3765         https://bugs.webkit.org/show_bug.cgi?id=181488
3766
3767         This caused a flaky crash. (Requested by mlewis13 on #webkit).
3768
3769         Reverted changesets:
3770
3771         "CodeBlocks should be in IsoSubspaces"
3772         https://bugs.webkit.org/show_bug.cgi?id=180884
3773         https://trac.webkit.org/changeset/226667
3774
3775         "REGRESSION (r226667): CodeBlocks should be in IsoSubspaces"
3776         https://bugs.webkit.org/show_bug.cgi?id=180884
3777         https://trac.webkit.org/changeset/226673
3778
3779 2018-01-09  David Kilzer  <ddkilzer@apple.com>
3780
3781         REGRESSION (r226667): CodeBlocks should be in IsoSubspaces
3782         <https://bugs.webkit.org/show_bug.cgi?id=180884>
3783
3784         Fixes the following build error:
3785
3786             heap/Heap.cpp:2708:10: error: lambda capture 'this' is not used [-Werror,-Wunused-lambda-capture]
3787
3788         * heap/Heap.cpp:
3789         (JSC::Heap::addCoreConstraints): Remove 'this' from lambda to
3790         fix the build.
3791
3792 2018-01-09  Keith Miller  <keith_miller@apple.com>
3793
3794         and32 with an Address source on ARM64 did not invalidate dataTempRegister
3795         https://bugs.webkit.org/show_bug.cgi?id=181467
3796
3797         Reviewed by Michael Saboff.
3798
3799         * assembler/MacroAssemblerARM64.h:
3800         (JSC::MacroAssemblerARM64::and32):
3801
3802 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
3803
3804         CodeBlocks should be in IsoSubspaces
3805         https://bugs.webkit.org/show_bug.cgi?id=180884
3806
3807         Reviewed by Saam Barati.
3808         
3809         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
3810         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
3811         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
3812         
3813         - Code block sweeping is now just eager sweeping. This means that it automatically takes
3814           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
3815           its eden set for.
3816         
3817         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
3818           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
3819           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
3820           longer has to clear the set of weakly visited code blocks. This also means that
3821           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
3822           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
3823           has IsoCellSets to tell us which edges have output constraints (what we used to call
3824           CodeBlock's weak reference harvester) and which have unconditional finalizers.
3825         
3826         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
3827         
3828         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
3829           handle requests from the sampler, debugger, and other facilities. They may want to ask
3830           if some pointer corresponds to a CodeBlock during stages of execution during which the
3831           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
3832           There is no way that the GC's isLive could tell us whether a CodeBlock that had already been
3833           allocated has now been fully constructed.
3834         
3835         * JavaScriptCore.xcodeproj/project.pbxproj:
3836         * Sources.txt:
3837         * bytecode/CodeBlock.cpp:
3838         (JSC::CodeBlock::CodeBlock):
3839         (JSC::CodeBlock::finishCreation):
3840         (JSC::CodeBlock::finishCreationCommon):
3841         (JSC::CodeBlock::~CodeBlock):
3842         (JSC::CodeBlock::visitChildren):
3843         (JSC::CodeBlock::propagateTransitions):
3844         (JSC::CodeBlock::determineLiveness):
3845         (JSC::CodeBlock::finalizeUnconditionally):
3846         (JSC::CodeBlock::stronglyVisitStrongReferences):
3847         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
3848         (JSC::CodeBlock::installVMTrapBreakpoints):
3849         (JSC::CodeBlock::dumpMathICStats):
3850         (JSC::CodeBlock::visitWeakly): Deleted.
3851         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
3852         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
3853         * bytecode/CodeBlock.h:
3854         (JSC::CodeBlock::subspaceFor):
3855         (JSC::CodeBlock::ownerEdge const):
3856         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
3857         * bytecode/EvalCodeBlock.h:
3858         (JSC::EvalCodeBlock::create): Deleted.
3859         (JSC::EvalCodeBlock::createStructure): Deleted.
3860         (JSC::EvalCodeBlock::variable): Deleted.
3861         (JSC::EvalCodeBlock::numVariables): Deleted.
3862         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
3863         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
3864         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
3865         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
3866         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
3867         (JSC::ExecutableToCodeBlockEdge::createStructure):
3868         (JSC::ExecutableToCodeBlockEdge::create):
3869         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3870         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
3871         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
3872         (JSC::ExecutableToCodeBlockEdge::activate):
3873         (JSC::ExecutableToCodeBlockEdge::deactivate):
3874         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
3875         (JSC::ExecutableToCodeBlockEdge::wrap):
3876         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
3877         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
3878         (JSC::ExecutableToCodeBlockEdge::runConstraint):
3879         * bytecode/ExecutableToCodeBlockEdge.h: Added.
3880         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
3881         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
3882         (JSC::ExecutableToCodeBlockEdge::unwrap):
3883         * bytecode/FunctionCodeBlock.h:
3884         (JSC::FunctionCodeBlock::subspaceFor):
3885         (JSC::FunctionCodeBlock::createStructure):
3886         * bytecode/ModuleProgramCodeBlock.h:
3887         (JSC::ModuleProgramCodeBlock::create): Deleted.
3888         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.