Add a DOM gadget for Spectre testing
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-01-08  Michael Saboff  <msaboff@apple.com>

        Add a DOM gadget for Spectre testing
        https://bugs.webkit.org/show_bug.cgi?id=181351

        Reviewed by Michael Saboff.

        Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
        Spectre mitigations.

        * runtime/Options.h:

2018-01-08  Mark Lam  <mark.lam@apple.com>

        Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
        https://bugs.webkit.org/show_bug.cgi?id=181403
        <rdar://problem/36359789>

        Rubber-stamped by JF Bastien.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::predictedMachineCodeSize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::vm const):
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::heap const):
        (JSC::CodeBlock::replaceConstant):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-01-07  Mark Lam  <mark.lam@apple.com>

        Apply poisoning to more pointers in JSC.
        https://bugs.webkit.org/show_bug.cgi?id=181096
        <rdar://problem/36182970>

        Reviewed by JF Bastien.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::xorPtr):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::xor64):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::xor64):
        - Add xorPtr implementation.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::inferredName const):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::visitWeakly):
        (JSC::CodeBlock::visitChildren):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
        (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::predictedMachineCodeSize):
        (JSC::CodeBlock::findPC):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
        (JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        (JSC::CodeBlock::callLinkInfosBegin):
        (JSC::CodeBlock::callLinkInfosEnd):
        (JSC::CodeBlock::instructions):
        (JSC::CodeBlock::instructions const):
        (JSC::CodeBlock::vm const):
        * dfg/DFGOSRExitCompilerCommon.h:
        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
        * jit/JIT.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/UnlinkedSourceCode.h:
        * runtime/JSCPoison.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/JSScriptFetchParameters.h:
        * runtime/JSScriptFetcher.h:
        * runtime/StructureTransitionTable.h:
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        (JSC::JSWebAssemblyCodeBlock::visitChildren):
        (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
        * wasm/js/JSWebAssemblyCodeBlock.h:

2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
        https://bugs.webkit.org/show_bug.cgi?id=181321

        Reviewed by Saam Barati.

        According to ECMA262 16.2[1], functions created using the bind method must not have
        "caller" and "arguments" own properties.

        [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions

        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):

2018-01-05  JF Bastien  <jfbastien@apple.com>

        WebAssembly: poison JS object's secrets
        https://bugs.webkit.org/show_bug.cgi?id=181339
        <rdar://problem/36325001>

        Reviewed by Mark Lam.

        Separating WebAssembly's JS objects from their non-JS
        implementation means that all interesting information lives
        outside of the JS object itself. This patch poisons each JS
        object's pointer to non-JS implementation using the poisoning
        mechanism and a unique key per JS object type origin.

        * runtime/JSCPoison.h:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
        object in a stack slot when fast TLS is disabled. This requires
        that we unpoison the Wasm::Instance.
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
        be explicit that the pointer is poisoned.
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTable.h:
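Added illustration of the pointer-poisoning idea behind this entry and the "Apply poisoning to more pointers in JSC" entry above. This is not the code in JSCPoison.h; the key constants, PoisonedPtr, and the *Impl / *Like types are constructed stand-ins, and a 64-bit platform is assumed. It shows why a per-type XOR key matters: the object field never holds the plain pointer, and unpoisoning through another type's key does not recover it.

```cpp
#include <cstdint>

// Constructed per-type poison keys (stand-ins; a real runtime derives them from a
// random source at process start). Each JS wrapper type that points at non-JS
// state gets its own key, so a field read through a confused type cannot be
// unpoisoned with the key that type would use. Assumes 64-bit pointers.
struct WasmInstancePoison { static constexpr uintptr_t key = static_cast<uintptr_t>(0x5A5AC3C3A5A53C3Cull); };
struct WasmMemoryPoison   { static constexpr uintptr_t key = static_cast<uintptr_t>(0x9E3779B97F4A7C15ull); };

// A pointer stored XORed with its type's key. The object's field holds only the
// poisoned bits; the real pointer exists transiently, after unpoisoning.
template <typename T, typename Key>
class PoisonedPtr {
public:
    PoisonedPtr() = default;
    explicit PoisonedPtr(T* ptr) { *this = ptr; }
    PoisonedPtr& operator=(T* ptr)
    {
        m_bits = ptr ? reinterpret_cast<uintptr_t>(ptr) ^ Key::key : 0;
        return *this;
    }
    // Recover the pointer with this type's key; null stays null.
    T* unpoisoned() const { return m_bits ? reinterpret_cast<T*>(m_bits ^ Key::key) : nullptr; }
    // What the memory of the field actually contains.
    uintptr_t rawBits() const { return m_bits; }

private:
    uintptr_t m_bits = 0;
};

// Stand-ins for the non-JS implementation objects and the JS wrappers around them.
struct WasmInstanceImpl { int instanceId; };
struct WasmMemoryImpl { int pageCount; };

struct JSWasmInstanceLike { PoisonedPtr<WasmInstanceImpl, WasmInstancePoison> impl; };
struct JSWasmMemoryLike { PoisonedPtr<WasmMemoryImpl, WasmMemoryPoison> impl; };

// Legitimate access: unpoison with the matching key and use the implementation.
static int instanceId(const JSWasmInstanceLike& js) { return js.impl.unpoisoned()->instanceId; }

// Models a type-confused read: the bits of the Instance wrapper's field are treated
// as if they belonged to a Memory wrapper and unpoisoned with Memory's key. The
// result is neither the Instance pointer nor any pointer the reader already holds.
static uintptr_t unpoisonAsMemory(const JSWasmInstanceLike& js)
{
    return js.impl.rawBits() ^ WasmMemoryPoison::key;
}

// The two properties a defender wants from poisoning: the field never stores the
// plain pointer, and the wrong key never recovers it.
static bool fieldHidesPointer(const JSWasmInstanceLike& js)
{
    return js.impl.rawBits() != reinterpret_cast<uintptr_t>(js.impl.unpoisoned());
}

static bool wrongKeyFailsToRecover(const JSWasmInstanceLike& js)
{
    return unpoisonAsMemory(js) != reinterpret_cast<uintptr_t>(js.impl.unpoisoned());
}
```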

2018-01-05  Michael Saboff  <msaboff@apple.com>

        Add ability to disable indexed property masking for testing
        https://bugs.webkit.org/show_bug.cgi?id=181350

        Reviewed by Keith Miller.

        Made the masking of indexed properties runtime controllable via a new JSC::Option
        named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.

        The new option has a generic name as it will probably be used to disable future mitigations.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        * runtime/Options.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):

2018-01-05  Michael Saboff  <msaboff@apple.com>

        Allow JSC Config Files to set Restricted Options
        https://bugs.webkit.org/show_bug.cgi?id=181352

        Reviewed by Mark Lam.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):

2018-01-04  Keith Miller  <keith_miller@apple.com>

        TypedArrays and Wasm should use index masking.
        https://bugs.webkit.org/show_bug.cgi?id=181313

        Reviewed by Michael Saboff.

        We should have index masking for our TypedArray code in the
        DFG/FTL and for Wasm when doing bounds checking. Index masking for
        Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
        WasmBoundsCheckValues we don't need to worry about combining a
        bounds check for a load and a store. I went with fusing the
        pointer masking in the WasmBoundsCheckValue since it should reduce
        additional compiler overhead.

        * b3/B3LowerToAir.cpp:
        * b3/B3Validate.cpp:
        * b3/B3WasmBoundsCheckValue.cpp:
        (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
        (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
        * b3/B3WasmBoundsCheckValue.h:
        (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::WasmBoundsCheckCustom::generate):
        * b3/testb3.cpp:
        (JSC::B3::testWasmBoundsCheck):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        * runtime/Butterfly.h:
        (JSC::Butterfly::computeIndexingMask const):
        (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::load):
        (JSC::Wasm::B3IRGenerator::store):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::grow):
        * wasm/WasmMemory.h:
        (JSC::Wasm::Memory::offsetOfIndexingMask):
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::PinnedRegisterInfo::get):
        (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::PinnedRegisterInfo::toSave const):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):

2018-01-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r226434.
        https://bugs.webkit.org/show_bug.cgi?id=181322

        32bit JSC failure in x86 (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "[DFG] Unify ToNumber implementation in 32bit and 64bit by
        changing 32bit Int32Tag and LowestTag"
        https://bugs.webkit.org/show_bug.cgi?id=181134
        https://trac.webkit.org/changeset/226434

2018-01-04  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
        https://bugs.webkit.org/show_bug.cgi?id=180770

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:

2018-01-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r226405.
        https://bugs.webkit.org/show_bug.cgi?id=181318

        Speculative rollout due to Octane/SplayLatency,Octane/Splay
        regressions (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Create parallel SlotVisitors apriori"
        https://bugs.webkit.org/show_bug.cgi?id=180907
        https://trac.webkit.org/changeset/226405

2018-01-04  Saam Barati  <sbarati@apple.com>

        Do value profiling in to_this
        https://bugs.webkit.org/show_bug.cgi?id=181299

        Reviewed by Filip Pizlo.

        This patch adds value profiling to to_this. We use the result of the value
        profiling only for strict mode code when we don't predict that the input is
        of a specific type. This helps when the input is SpecCellOther. Such cells
        might implement a custom ToThis, which can produce an arbitrary result. Before
        this patch, in prediction propagation, we were saying that a ToThis with a
        SpecCellOther input also produced SpecCellOther. However, this is incorrect,
        given that the input may implement ToThis that produces an arbitrary result.
        This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.

        Interestingly, this patch only does value profiling on the slow path. The fast
        path of to_this in the LLInt/baseline just performs a structure check. If it
        passes, the result is the same as the input. Therefore, doing value profiling
        from the fast path wouldn't actually produce new information for the ValueProfile.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitToThis):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
        https://bugs.webkit.org/show_bug.cgi?id=181134

        Reviewed by Mark Lam.

        We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
        branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
        an additional scratch register. We do not want to allocate an unnecessary register in 64bit
        implementation.

        This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
        and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
        setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
        `<= LowestTag(Int32Tag)`.

        We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.

        We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        (JSC::DFG::SpeculativeJIT::compileToNumber):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::branchIfNotType):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfMisc):
        (JSC::AssemblyHelpers::branchIfNotMisc):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
        (JSC::AssemblyHelpers::emitTypeOf):
        * jit/JITAddGenerator.cpp:
        (JSC::JITAddGenerator::generateFastPath):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::loadOperand):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITNegGenerator.cpp:
        (JSC::JITNegGenerator::generateInline):
        (JSC::JITNegGenerator::generateFastPath):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        * jit/JITSubGenerator.cpp:
        (JSC::JITSubGenerator::generateInline):
        (JSC::JITSubGenerator::generateFastPath):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * runtime/JSCJSValue.h:

2018-01-04  JF Bastien  <jfbastien@apple.com>

        Add assembler support for x86 lfence and sfence
        https://bugs.webkit.org/show_bug.cgi?id=181311
        <rdar://problem/36301780>

        Reviewed by Michael Saboff.

        Useful for testing performance of serializing instructions (hint:
        it's not good).

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::lfence):
        (JSC::MacroAssemblerX86Common::sfence):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::lfence):
        (JSC::X86Assembler::sfence):

2018-01-04  Saam Barati  <sbarati@apple.com>

        Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
        https://bugs.webkit.org/show_bug.cgi?id=181296

        Reviewed by Filip Pizlo.

        Inside Speedometer's Ember test, there is a recompile loop like:
        a: GetByVal(..., semanticOriginX)
        b: SetLocal(Cell:@a, semanticOriginX)

        where the cell check always fails. For reasons I didn't investigate, the
        baseline JIT's value profiling doesn't accurately capture the GetByVal's
        result.

        However, when compiling this cell speculation check in the DFG, we get a null
        MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
        this IR pattern because both @a and @b have the same semantic origin. We
        should not follow the same semantic origin heuristic when dealing with
        SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
        For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
        For this IR pattern, we will update the value profile for the semantic origin
        for @nodeWithHeapPrediction. So, for the Speedometer example above, we
        will correctly update the GetByVal's value profile, which will prevent
        an OSR exit loop.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):

2018-01-04  Keith Miller  <keith_miller@apple.com>

        Array Storage operations sometimes did not update the indexing mask correctly.
        https://bugs.webkit.org/show_bug.cgi?id=181301

        Reviewed by Mark Lam.

        I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::increaseVectorLength):
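Added example serving this entry and the "TypedArrays and Wasm should use index masking" entry above. It is my own illustration, not JSC's Butterfly, TypedArray or Wasm code (computeIndexingMask here is a constructed stand-in, as are MaskedBuffer and its members). It shows the mitigation the two entries rely on: after the bounds check, the index fed to the load is ANDed with a mask derived from the vector length, so a bounds check that is mispredicted during speculation cannot turn an arbitrary 32-bit index into a load far outside the allocation. It also shows the invariant that this bug entry is about, namely that the mask must be recomputed whenever the vector length changes.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <utility>
#include <vector>

// Constructed illustration; not JSC's implementation.
// The mask is the smallest all-ones value that covers every index below `length`
// (the next power of two above length - 1, minus one). `index & mask` is therefore
// always below that power of two, whatever 32-bit value `index` holds.
static uint32_t computeIndexingMask(uint32_t length)
{
    if (length == 0)
        return 0;
    uint32_t mask = length - 1;
    mask |= mask >> 1;
    mask |= mask >> 2;
    mask |= mask >> 4;
    mask |= mask >> 8;
    mask |= mask >> 16;
    return mask;
}

// A vector-backed buffer that keeps an indexing mask alongside its length.
// Storage is padded to mask + 1 slots so that a masked index always
// dereferences inside this buffer's own allocation, even under misprediction.
class MaskedBuffer {
public:
    explicit MaskedBuffer(std::vector<uint32_t> data)
        : m_storage(std::move(data))
        , m_length(static_cast<uint32_t>(m_storage.size()))
        , m_indexingMask(computeIndexingMask(m_length))
    {
        m_storage.resize(static_cast<size_t>(m_indexingMask) + 1, 0);
    }

    uint32_t length() const { return m_length; }
    uint32_t indexingMask() const { return m_indexingMask; }

    // Unmasked pattern: check, then load. Architecturally correct, but while the
    // branch outcome is still being predicted the load may run with the raw index.
    std::optional<uint32_t> getUnmasked(uint32_t index) const
    {
        if (index >= m_length)
            return std::nullopt;
        return m_storage[index];
    }

    // Masked pattern: same check, but the load uses `index & mask`, so the
    // furthest slot a speculatively executed load can touch is m_storage[mask].
    std::optional<uint32_t> getMasked(uint32_t index) const
    {
        if (index >= m_length)
            return std::nullopt;
        return m_storage[index & m_indexingMask];
    }

    // The slot a masked load would reach for any index, check outcome aside.
    uint32_t speculativeSlot(uint32_t index) const { return index & m_indexingMask; }

    // Changing the length must recompute the mask in the same step. A mask left
    // too small aliases new slots onto old ones (wrong results); a mask left too
    // large after shrinking lets the speculative slot escape the smaller buffer.
    void resize(uint32_t newLength)
    {
        m_length = newLength;
        m_indexingMask = computeIndexingMask(newLength);
        m_storage.resize(static_cast<size_t>(m_indexingMask) + 1, 0);
    }

    // The invariant a debug build would assert after every length change.
    bool maskIsConsistent() const { return m_indexingMask == computeIndexingMask(m_length); }

private:
    std::vector<uint32_t> m_storage;
    uint32_t m_length;
    uint32_t m_indexingMask;
};
```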

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Define defs for MapSet/SetAdd to participate in CSE
        https://bugs.webkit.org/show_bug.cgi?id=179911

        Reviewed by Saam Barati.

        With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
        To handle the somewhat tricky DFG Map operation nodes, MapSet and SetAdd
        produce the added bucket as their result. Subsequent GetMapBucket will
        be removed by CSE.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetAdd):
        (JSC::DFG::SpeculativeJIT::compileMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::addNormalized):
        (JSC::HashMapImpl::addNormalizedInternal):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove LocalScope
        https://bugs.webkit.org/show_bug.cgi?id=181206

        Reviewed by Geoffrey Garen.

        The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use.
        This patch changes JSON parsing and stringifying to use MarkedArgumentBuffer, and removes HandleStack
        and LocalScope.

        We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold
        JSObject* directly in their fields.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/HandleStack.cpp: Removed.
        * heap/HandleStack.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack): Deleted.
        * heap/Local.h: Removed.
        * heap/LocalScope.h: Removed.
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::object const):
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::Walker):
        (JSC::Walker::callReviver):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONParse):
        (JSC::JSONStringify):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
        https://bugs.webkit.org/show_bug.cgi?id=180238

        Reviewed by Saam Barati.

        We can optimize ObjectAllocationSinking a bit by using removeIf.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Create parallel SlotVisitors apriori
        https://bugs.webkit.org/show_bug.cgi?id=180907

        Reviewed by Saam Barati.

        The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
        If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically.
        Then we do not need to grab locks while iterating all the SlotVisitors.

        In addition, we do not need to consider the case that the number of SlotVisitors increases
        after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
        does not increase any more.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::runBeginPhase):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::numberOfSlotVisitors): Deleted.
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::didVisitSomething const):

2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>

        Replace hard-coded paths in shebangs with #!/usr/bin/env
        https://bugs.webkit.org/show_bug.cgi?id=181040

        Reviewed by Alex Christensen.

        * Scripts/UpdateContents.py:
        * Scripts/cssmin.py:
        * Scripts/generate-combined-inspector-json.py:
        * Scripts/xxd.pl:
        * create_hash_table:
        * generate-bytecode-files:
        * wasm/generateWasm.py:
        * wasm/generateWasmOpsHeader.py:
        * yarr/generateYarrCanonicalizeUnicode:

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Disable SharedArrayBuffers from Web API
        https://bugs.webkit.org/show_bug.cgi?id=181266

        Reviewed by Saam Barati.

        Removed SharedArrayBuffer prototype and structure from GlobalObject creation
        to disable.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype const):
        (JSC::JSGlobalObject::arrayBufferStructure const):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Add "noInline" to $vm
        https://bugs.webkit.org/show_bug.cgi?id=181265

        Reviewed by Mark Lam.

        This would be useful for web based tests.

        * tools/JSDollarVM.cpp:
        (JSC::getExecutableForFunction):
        (JSC::functionNoInline):
        (JSC::JSDollarVM::finishCreation):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
        https://bugs.webkit.org/show_bug.cgi?id=181263

        Reviewed by Mark Lam.

        Flushing the butterfly pointer provides no benefit and slows this function.

        * tools/JSDollarVM.cpp:
        (JSC::functionCpuClflush):

2018-01-03  Saam Barati  <sbarati@apple.com>

        Fix BytecodeParser op_catch assert to work with useProfiler=1
        https://bugs.webkit.org/show_bug.cgi?id=181260

        Reviewed by Keith Miller.

        op_catch was asserting that the current block was empty. This is only true
        if the profiler isn't enabled. When the profiler is enabled, we will
        insert a CountExecution node before each bytecode. This patch fixes the
        assert to work with the profiler.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2018-01-03  Per Arne Vollan  <pvollan@apple.com>

        [Win][Debug] testapi link error.
        https://bugs.webkit.org/show_bug.cgi?id=181247
        <rdar://problem/36166729>

        Reviewed by Brent Fulgham.

        Do not set the runtime library compile flag for C files; it is already set to the correct value.

        * shell/PlatformWin.cmake:

2018-01-03  Robin Morisset  <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable crashes
        https://bugs.webkit.org/show_bug.cgi?id=181027

        Reviewed by Filip Pizlo.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
        (JSC::DFG::ByteCodeParser::inlineCall):

2018-01-02  Saam Barati  <sbarati@apple.com>

        Incorrect assertion inside AccessCase
        https://bugs.webkit.org/show_bug.cgi?id=181200
        <rdar://problem/35494754>

        Reviewed by Yusuke Suzuki.

        Consider a PutById compiled to a setter in a function like so:

        ```
        function foo(o) { o.f = o; }
        ```

        The DFG will often assign the same registers to the baseGPR (o in o.f) and the
        valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
        to the same register. However, we're asserting that they're not the same register.
        This patch just removes this invalid assertion.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):

2018-01-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
        https://bugs.webkit.org/show_bug.cgi?id=175359

        Reviewed by Yusuke Suzuki.

        This patch is implementing BigIntConstructor and BigIntPrototype
        following spec[1, 2]. In addition, we are also implementing the BigIntObject
        wrapper to handle the ToObject(v) abstract operation when "v" is a BigInt
        primitive. With these classes, now it's possible to synthesize
        BigInt.prototype and then call "toString", "valueOf" and
        "toLocaleString" when the primitive is a BigInt.
        BigIntConstructor exposes an API to parse other primitives such as
        Number, Boolean and String to BigInt.
        We decided to skip parseInt implementation, since it was removed from
        spec.

        [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
        [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * jsc.cpp:
        * runtime/BigIntConstructor.cpp: Added.
        (JSC::BigIntConstructor::BigIntConstructor):
        (JSC::BigIntConstructor::finishCreation):
        (JSC::isSafeInteger):
        (JSC::toBigInt):
        (JSC::callBigIntConstructor):
        (JSC::bigIntConstructorFuncAsUintN):
        (JSC::bigIntConstructorFuncAsIntN):
        * runtime/BigIntConstructor.h: Added.
        (JSC::BigIntConstructor::create):
        (JSC::BigIntConstructor::createStructure):
        * runtime/BigIntObject.cpp: Added.
        (JSC::BigIntObject::BigIntObject):
        (JSC::BigIntObject::finishCreation):
        (JSC::BigIntObject::toStringName):
        (JSC::BigIntObject::defaultValue):
        * runtime/BigIntObject.h: Added.
        (JSC::BigIntObject::create):
        (JSC::BigIntObject::internalValue const):
        (JSC::BigIntObject::createStructure):
        * runtime/BigIntPrototype.cpp: Added.
        (JSC::BigIntPrototype::BigIntPrototype):
        (JSC::BigIntPrototype::finishCreation):
        (JSC::toThisBigIntValue):
        (JSC::bigIntProtoFuncToString):
        (JSC::bigIntProtoFuncToLocaleString):
        (JSC::bigIntProtoFuncValueOf):
        * runtime/BigIntPrototype.h: Added.
        (JSC::BigIntPrototype::create):
        (JSC::BigIntPrototype::createStructure):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFrom):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::toObject const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype const):
        * runtime/JSCPoisonedPtr.cpp:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObjectSlow const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::bigIntPrototype const):
        (JSC::JSGlobalObject::bigIntObjectStructure const):
        * runtime/StructureCache.h:
        * runtime/StructureInlines.h:
        (JSC::prototypeForLookupPrimitiveImpl):

2018-01-02  Tim Horton  <timothy_horton@apple.com>

        Fix the MathCommon build with a recent compiler
        https://bugs.webkit.org/show_bug.cgi?id=181216

        Reviewed by Sam Weinig.

        * runtime/MathCommon.cpp:
        (JSC::fdlibmPow):
        This cast drops the 'const' qualifier from the pointer to 'one',
        but it doesn't have to, and it makes the compiler sad.

== Rolled over to ChangeLog-2018-01-01 ==
790
791 == Rolled over to ChangeLog-2018-01-01 ==