[DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
        https://bugs.webkit.org/show_bug.cgi?id=180190

        Reviewed by Mark Lam.

        If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
        path by calling operationHasIndexedProperty. The problem is that
        operationHasIndexedProperty does not account for a negative index. The negative index
        was used as a uint32 array index.

        In this patch we add a path for a negative index in operationHasIndexedProperty.
        And rename it to operationHasIndexedPropertyByInt to make the intention clear.
        We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
        since it is only used in the DFG and FTL.

        While fixing this bug, we found that our op_in does not record OutOfBound feedback.
        This causes repeated OSR exits and significantly regresses the performance. We opened
        a bug to track this issue[1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=180192

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

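Editor's note on the entry above. The failure it describes is a signedness confusion: an int32 index of -1 reinterpreted as uint32 is 4294967295, so `-1 in o` would be answered for the wrong key. The model below is an added illustration written for this page, not JavaScriptCore's operationHasIndexedPropertyByInt or its object layout; `ModelObject`, its two storage maps and `makeSampleObject` are all constructed assumptions. It contrasts the reinterpreting lookup with one that routes a negative index to the string-keyed path, which is what the fix does.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Simplified stand-in for a JS object (assumption, not JSC's layout): dense
// indexed storage for array indices plus a string-keyed map for every other
// property, so `o[-1] = 42` lands in the map under the key "-1" as in JS.
struct ModelObject {
    std::vector<double> indexedStorage;
    std::map<std::string, double> namedProperties;

    bool hasIndexedProperty(uint32_t index) const
    {
        return index < indexedStorage.size();
    }
    bool hasNamedProperty(const std::string& key) const
    {
        return namedProperties.count(key) != 0;
    }
};

// Shape of the bug: the int32 index is reinterpreted as uint32, so -1 becomes
// 4294967295 and is looked up under that key instead of "-1".
bool hasIndexedPropertyReinterpreted(const ModelObject& o, int32_t index)
{
    uint32_t asUnsigned = static_cast<uint32_t>(index);
    if (o.hasIndexedProperty(asUnsigned))
        return true;
    return o.hasNamedProperty(std::to_string(asUnsigned));
}

// Shape of the fix: a negative int32 can never be an array index, so it is
// sent to the generic string-keyed lookup using its signed decimal form.
bool hasIndexedPropertyByInt(const ModelObject& o, int32_t index)
{
    if (index < 0)
        return o.hasNamedProperty(std::to_string(index));
    uint32_t asUnsigned = static_cast<uint32_t>(index);
    if (o.hasIndexedProperty(asUnsigned))
        return true;
    return o.hasNamedProperty(std::to_string(asUnsigned));
}

// Constructed sample: the JS equivalent of `var o = [1, 2]; o[-1] = 42;`
ModelObject makeSampleObject()
{
    ModelObject o;
    o.indexedStorage = {1.0, 2.0};
    o.namedProperties["-1"] = 42.0;
    return o;
}
```

The fixed lookup answers `-1 in o` as true for the sample object; the reinterpreting lookup answers false because it asks about "4294967295". For non-negative indices both agree, which is why the bug only surfaces on the slow path the entry mentions.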
2017-11-30  Michael Saboff  <msaboff@apple.com>

        Allow JSC command line tool to accept UTF8
        https://bugs.webkit.org/show_bug.cgi?id=180205

        Reviewed by Keith Miller.

        This unifies the UTF8 handling of interactive mode with that of source files.

        * jsc.cpp:
        (runInteractive):

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
        https://bugs.webkit.org/show_bug.cgi?id=180185

        Reviewed by Carlos Garcia Campos.

        After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
        But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
        can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
        And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated yet. But a MakeRope
        DFG node can be emitted if we see an untaken path that includes String + String code.

        This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
        As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in the FTL.
        I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
        original code used before r225314.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):

2017-11-28  Filip Pizlo  <fpizlo@apple.com>

        CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
        https://bugs.webkit.org/show_bug.cgi?id=180108

        Reviewed by Saam Barati.

        This was creating a vector of things to remove and then removing them. I think I remember writing
        this code, and I did that because at the time we did not have removeAllMatching, which is
        definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
        obvious improvement before I did more fundamental things to this code.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):

2017-11-29  Filip Pizlo  <fpizlo@apple.com>

        GC should support isoheaps
        https://bugs.webkit.org/show_bug.cgi?id=179288

        Reviewed by Saam Barati.

        This expands the power of the Subspace API in JSC:

        - Everything associated with describing the types of objects is now part of the HeapCellType class.
          We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
          HeapCellType; these are orthogonal things.

        - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
          any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
          special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
          pages but releases the physical pages as part of the respective allocator's scavenging policy
          (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
          IsoSubspace).

        So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
        for more things.

        This does not have any effect on JetStream (0.18% faster with p = 0.69).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        * heap/AlignedMemoryAllocator.cpp:
        (JSC::AlignedMemoryAllocator::registerAllocator):
        (JSC::AlignedMemoryAllocator::registerSubspace):
        * heap/AlignedMemoryAllocator.h:
        (JSC::AlignedMemoryAllocator::firstAllocator const):
        * heap/AllocationFailureMode.h: Added.
        * heap/CompleteSubspace.cpp: Added.
        (JSC::CompleteSubspace::CompleteSubspace):
        (JSC::CompleteSubspace::~CompleteSubspace):
        (JSC::CompleteSubspace::allocatorFor):
        (JSC::CompleteSubspace::allocate):
        (JSC::CompleteSubspace::allocateNonVirtual):
        (JSC::CompleteSubspace::allocatorForSlow):
        (JSC::CompleteSubspace::allocateSlow):
        (JSC::CompleteSubspace::tryAllocateSlow):
        * heap/CompleteSubspace.h: Added.
        (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForNonVirtual):
        * heap/HeapCellType.cpp: Added.
        (JSC::HeapCellType::HeapCellType):
        (JSC::HeapCellType::~HeapCellType):
        (JSC::HeapCellType::finishSweep):
        (JSC::HeapCellType::destroy):
        * heap/HeapCellType.h: Added.
        (JSC::HeapCellType::attributes const):
        * heap/IsoAlignedMemoryAllocator.cpp: Added.
        (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::dump const):
        * heap/IsoAlignedMemoryAllocator.h: Added.
        * heap/IsoSubspace.cpp: Added.
        (JSC::IsoSubspace::IsoSubspace):
        (JSC::IsoSubspace::~IsoSubspace):
        (JSC::IsoSubspace::allocatorFor):
        (JSC::IsoSubspace::allocatorForNonVirtual):
        (JSC::IsoSubspace::allocate):
        (JSC::IsoSubspace::allocateNonVirtual):
        * heap/IsoSubspace.h: Added.
        (JSC::IsoSubspace::size const):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::setSubspace):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
        (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
        (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
        * heap/MarkedAllocatorInlines.h:
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::tryAllocate): Deleted.
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
        (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addMarkedAllocator):
        * heap/MarkedSpace.h:
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::initialize):
        (JSC::Subspace::finishSweep):
        (JSC::Subspace::destroy):
        (JSC::Subspace::prepareForAllocation):
        (JSC::Subspace::findEmptyBlockToSteal):
        (): Deleted.
        (JSC::Subspace::allocate): Deleted.
        (JSC::Subspace::tryAllocate): Deleted.
        (JSC::Subspace::allocatorForSlow): Deleted.
        (JSC::Subspace::allocateSlow): Deleted.
        (JSC::Subspace::tryAllocateSlow): Deleted.
        (JSC::Subspace::didAllocate): Deleted.
        * heap/Subspace.h:
        (JSC::Subspace::heapCellType const):
        (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
        (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
        (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
        (JSC::Subspace::allocatorForSizeStep): Deleted.
        (JSC::Subspace::tryAllocatorFor): Deleted.
        (JSC::Subspace::allocatorFor): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::growArrayRight):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::subspaceFor):
        * runtime/DirectEvalExecutable.h:
        * runtime/EvalExecutable.h:
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::subspaceFor):
        * runtime/FunctionExecutable.h:
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBuffer::create):
        * runtime/IndirectEvalExecutable.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSCell.h:
        (JSC::subspaceFor):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::subspaceFor):
        (JSC::tryAllocateCellHelper):
        (JSC::allocateCell):
        (JSC::tryAllocateCell):
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::subspaceFor):
        * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
        (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
        (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
        (JSC::JSDestructibleObjectHeapCellType::finishSweep):
        (JSC::JSDestructibleObjectHeapCellType::destroy):
        (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
        (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
        (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
        (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
        * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
        * runtime/JSDestructibleObjectSubspace.cpp: Removed.
        * runtime/JSDestructibleObjectSubspace.h: Removed.
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::subspaceFor):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
        (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
        (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
        (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
        (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
        * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
        * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
        * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
        * runtime/JSString.h:
        (JSC::JSString::subspaceFor):
        * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
        (JSC::JSStringHeapCellType::JSStringHeapCellType):
        (JSC::JSStringHeapCellType::~JSStringHeapCellType):
        (JSC::JSStringHeapCellType::finishSweep):
        (JSC::JSStringHeapCellType::destroy):
        (JSC::JSStringSubspace::JSStringSubspace): Deleted.
        (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
        (JSC::JSStringSubspace::finishSweep): Deleted.
        (JSC::JSStringSubspace::destroy): Deleted.
        * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
        * runtime/JSStringSubspace.cpp: Removed.
        * runtime/JSStringSubspace.h: Removed.
        * runtime/ModuleProgramExecutable.h:
        * runtime/NativeExecutable.h:
        * runtime/ProgramExecutable.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::subspaceFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
        (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
        (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
        * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::subspaceFor):

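Editor's note on the "GC should support isoheaps" entry above. The security property an IsoSubspace buys is that a cell slot, once used for one type, is only ever reused for that same type, which removes the free-then-reallocate step that turns a dangling pointer into a type confusion. The model below is an added illustration written for this page, not JSC's IsoSubspace, IsoAlignedMemoryAllocator or bmalloc's IsoHeap: `IsoHeapModel`, `CellA`/`CellB` and the arena sizes are constructed assumptions, and the page-hoarding and scavenging behaviour the entry describes is not modelled. It contrasts a heap shared by two same-sized types with one heap per type.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <vector>

// One cell size per heap, carved from a private arena that is never shared with
// any other heap. Freed cells go on a free list owned by this heap only.
// (Assumed model; not JSC's allocator.)
class IsoHeapModel {
public:
    IsoHeapModel(size_t cellSize, size_t cellCount)
        : m_cellSize((cellSize + 15) / 16 * 16)
        , m_cellCount(cellCount)
        , m_arena(static_cast<char*>(std::malloc(m_cellSize * cellCount)))
        , m_bumpIndex(0)
    {
    }
    ~IsoHeapModel() { std::free(m_arena); }

    void* allocate()
    {
        if (!m_freeList.empty()) {
            void* cell = m_freeList.back();
            m_freeList.pop_back();
            return cell;
        }
        if (m_bumpIndex == m_cellCount)
            return nullptr; // arena exhausted; no fallback to a shared heap
        return m_arena + m_bumpIndex++ * m_cellSize;
    }

    // Only a cell-aligned address inside this arena may be freed here. A pointer
    // belonging to another heap is refused rather than poisoning the free list.
    bool deallocate(void* cell)
    {
        if (!contains(cell))
            return false;
        std::memset(cell, 0, m_cellSize);
        m_freeList.push_back(cell);
        return true;
    }

    bool contains(const void* p) const
    {
        const char* c = static_cast<const char*>(p);
        return c >= m_arena && c < m_arena + m_cellSize * m_cellCount
            && static_cast<size_t>(c - m_arena) % m_cellSize == 0;
    }

private:
    size_t m_cellSize;
    size_t m_cellCount;
    char* m_arena;
    size_t m_bumpIndex;
    std::vector<void*> m_freeList;
};

// Two cell types of identical size, standing in for two cell classes that would
// share a size class in a CompleteSubspace.
struct CellA { uint64_t payload[4]; };
struct CellB { uint64_t payload[4]; };

// Shared size-class heap: free an A, allocate a B, get the same slot back.
bool sharedHeapReusesSlotAcrossTypes()
{
    IsoHeapModel shared(sizeof(CellA), 8);
    void* a = shared.allocate();
    shared.deallocate(a);
    void* b = shared.allocate();
    return a == b;
}

// Per-type heaps: the freed CellA slot can only ever become another CellA.
bool isoHeapsReuseSlotAcrossTypes()
{
    IsoHeapModel heapA(sizeof(CellA), 8);
    IsoHeapModel heapB(sizeof(CellB), 8);
    void* a = heapA.allocate();
    heapA.deallocate(a);
    void* b = heapB.allocate();
    return a == b;
}

bool isoHeapReusesSlotWithinType()
{
    IsoHeapModel heapA(sizeof(CellA), 8);
    void* first = heapA.allocate();
    heapA.deallocate(first);
    return heapA.allocate() == first;
}

bool isoHeapRefusesForeignFree()
{
    IsoHeapModel heapA(sizeof(CellA), 8);
    IsoHeapModel heapB(sizeof(CellB), 8);
    void* b = heapB.allocate();
    return !heapA.deallocate(b);
}
```

The reuse within a type is deliberate: an iso heap does not make dangling pointers safe, it only guarantees that whatever the dangling pointer now aliases has the same layout, which is what keeps a use-after-free from becoming a type confusion.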
2017-11-29  Saam Barati  <sbarati@apple.com>

        Remove pointer caging for double arrays
        https://bugs.webkit.org/show_bug.cgi?id=180163

        Reviewed by Mark Lam.

        This patch removes pointer caging from double arrays. Like
        my previous removals of pointer caging, this is a security vs
        performance tradeoff. We believe that butterflies being allocated
        in the cage and with a 32GB runway gives us enough security that
        pointer caging the butterfly just for double arrays does not add
        enough security benefit for the performance hit it incurs.

        This patch also removes the GetButterflyWithoutCaging node and
        the FixedButterflyAccessUncaging phase. The node is no longer needed
        because now all GetButterfly nodes are not caged. The phase is removed
        since we no longer have two nodes.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
        * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        * runtime/Butterfly.h:
        (JSC::Butterfly::pointer):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::caged): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):

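Editor's note on the "Remove pointer caging for double arrays" entry above. Two distinct mitigations are being weighed there: caging the pointer (masking a possibly corrupted butterfly pointer back into the cage before each load) and relying on the cage plus runway (a butterfly that genuinely lives in the cage cannot be indexed out of reserved address space). The model below is an added illustration written for this page, not JSC's Gigacage code; the cage base, the 16 GiB cage size, the `base + (ptr & (size - 1))` form of the masking, and the reading of the 32 GiB runway as 2^32 indices of 8-byte doubles are all the editor's assumptions, not statements from the entry.

```cpp
#include <cstdint>

// Model of a cage: a reserved virtual range of `size` bytes (a power of two)
// at `base`, followed by `runway` bytes that are reserved but never mapped.
// All constants are assumed for illustration; they are not JSC's.
struct CageModel {
    uint64_t base;
    uint64_t size;
    uint64_t runway;

    // Pointer caging: keep only the low bits of the raw pointer and re-base
    // them, so even a fully attacker-controlled pointer resolves in the cage.
    uint64_t caged(uint64_t rawPointer) const
    {
        return base + (rawPointer & (size - 1));
    }
    bool inCage(uint64_t address) const
    {
        return address >= base && address < base + size;
    }
    // Cage or runway: such an address is either real cage memory or an
    // unmapped reserved page (a fault), never unrelated process memory.
    bool inCageOrRunway(uint64_t address) const
    {
        return address >= base && address < base + size + runway;
    }
};

// Constructed layout: 16 GiB cage, 32 GiB runway, at an assumed base address.
inline CageModel sampleCage()
{
    CageModel cage = { 0x0000200000000000ull, 16ull << 30, 32ull << 30 };
    return cage;
}

// A butterfly pointer overwritten with an arbitrary address: with caging the
// dereference is pulled back into the cage, without it the load goes wherever
// the attacker pointed.
bool cagedAccessStaysInCage(uint64_t corruptedPointer)
{
    CageModel cage = sampleCage();
    return cage.inCage(cage.caged(corruptedPointer));
}

bool uncagedAccessStaysInCage(uint64_t corruptedPointer)
{
    CageModel cage = sampleCage();
    return cage.inCage(corruptedPointer);
}

// What the runway covers once the pointer itself is no longer caged: a
// butterfly that really lives in the cage, indexed with any uint32 index of
// 8-byte doubles, can reach at most (2^32 - 1) * 8 bytes past itself, which is
// under 32 GiB, so every such access lands in the cage or the runway.
bool doubleIndexLandsInCageOrRunway(uint64_t butterflyInCage, uint32_t index)
{
    CageModel cage = sampleCage();
    if (!cage.inCage(butterflyInCage))
        return false; // precondition of the argument: the butterfly itself is caged memory
    uint64_t byteOffset = static_cast<uint64_t>(index) * 8;
    return cage.inCageOrRunway(butterflyInCage + byteOffset);
}
```

The tradeoff the entry makes is visible in the two halves: `caged()` defends against a corrupted pointer, while the runway only defends against an out-of-range index on a legitimately placed butterfly. Dropping caging for double arrays keeps the second guarantee and gives up the first for that array type.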
2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=175447

        Reviewed by Carlos Alberto Lopez Perez.

        This patch allows DFG JIT to be enabled on MIPS platforms.

        * Sources.txt:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::sprName):
        * assembler/MacroAssemblerMIPS.cpp: Added.
        (JSC::MacroAssembler::probe):
        * assembler/ProbeContext.cpp:
        (JSC::Probe::executeProbe):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::pc):
        * assembler/testmasm.cpp:
        (JSC::isSpecialGPR):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackValues):

2017-11-29  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r225286.

        The source files within this patch have been marked as
        executable.

        Reverted changeset:

        "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
        https://bugs.webkit.org/show_bug.cgi?id=175447
        https://trac.webkit.org/changeset/225286

2017-11-29  Alex Christensen  <achristensen@webkit.org>

        Fix Mac CMake build.

        * PlatformMac.cmake:

2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=175447

        Reviewed by Carlos Alberto Lopez Perez.

        This patch allows DFG JIT to be enabled on MIPS platforms.

        * Sources.txt:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::sprName):
        * assembler/MacroAssemblerMIPS.cpp: Added.
        (JSC::MacroAssembler::probe):
        * assembler/ProbeContext.cpp:
        (JSC::Probe::executeProbe):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::pc):
        * assembler/testmasm.cpp:
        (JSC::isSpecialGPR):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackValues):

2017-11-28  JF Bastien  <jfbastien@apple.com>

        Strict and sloppy functions shouldn't share structure
        https://bugs.webkit.org/show_bug.cgi?id=180103
        <rdar://problem/35667847>

        Reviewed by Saam Barati.

        Sloppy and strict functions don't act the same when it comes to
        arguments, caller, and callee. Sharing a structure means that
        anything that is cached gets shared, and that's incorrect.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create): the second ::create is always strict
        because it applies to native functions.
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::strictFunctionStructure const):
        (JSC::JSGlobalObject::sloppyFunctionStructure const):
        (JSC::JSGlobalObject::nativeStdFunctionStructure const):
        (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
        (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.

2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
        https://bugs.webkit.org/show_bug.cgi?id=180070

        Reviewed by Saam Barati.

        This patch adds getEffectiveAddress in all JIT platforms.
        This is an abstracted version of x86 lea.

        We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::getEffectiveAddress):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::getEffectiveAddress):
        (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::getEffectiveAddress):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::getEffectiveAddress):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::getEffectiveAddress):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::getEffectiveAddress):
        (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
        * assembler/testmasm.cpp:
        (JSC::testGetEffectiveAddress):
        (JSC::run):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayPush):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):

2017-11-29  Robin Morisset  <rmorisset@apple.com>

        The recursive tail call optimisation is wrong on closures
        https://bugs.webkit.org/show_bug.cgi?id=179835

        Reviewed by Saam Barati.

        The problem is that we only check the executable of the callee, not whatever variables might have been captured.
        As a stopgap measure this patch just does not do the optimisation for closures.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):

2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup Inspector classes be more consistent about using fast malloc / noncopyable
        https://bugs.webkit.org/show_bug.cgi?id=180119

        Reviewed by Devin Rousso.

        * inspector/InjectedScriptManager.h:
        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:

2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>

        ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
        https://bugs.webkit.org/show_bug.cgi?id=179642
        <rdar://problem/35517704>

        Reviewed by Brian Burg.

        * inspector/protocol/Network.json:
        Expose the NetworkAgent for a Service Worker inspector.

2017-11-28  Brian Burg  <bburg@apple.com>

        [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
        https://bugs.webkit.org/show_bug.cgi?id=179696

        Reviewed by Timothy Hatcher.

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._generate_type_interface):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_type_for_raw_name):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
        (ObjCGenerator.objc_protocol_import_expression_for_variable):
        (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
        (ObjCGenerator.objc_to_protocol_expression_for_member.is):
        (ObjCGenerator.objc_to_protocol_expression_for_member):
        (ObjCGenerator.protocol_to_objc_expression_for_member.is):
        (ObjCGenerator.protocol_to_objc_expression_for_member):
        (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
        (ObjCGenerator.objc_setter_method_for_member_internal):
        (ObjCGenerator.objc_getter_method_for_member_internal):
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2017-11-27  JF Bastien  <jfbastien@apple.com>

        JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
        https://bugs.webkit.org/show_bug.cgi?id=180051
        <rdar://problem/35614371>

        Reviewed by Saam Barati.

        Checking for int32 isn't sufficient when uint32 is expected
        afterwards. While we're here, also use Checked<>.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
        https://bugs.webkit.org/show_bug.cgi?id=173793

        Reviewed by Joseph Pecoraro.

        Based on patch by Brian Burg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        (Inspector::toInspectorValue):
        (Deprecated::ScriptValue::toInspectorValue const):
        * bindings/ScriptValue.h:
        * inspector/AsyncStackTrace.cpp:
        * inspector/ConsoleMessage.cpp:
        * inspector/ContentSearchUtilities.cpp:
        * inspector/DeprecatedInspectorValues.cpp: Added.
        * inspector/DeprecatedInspectorValues.h: Added.
        Keep the old symbols around in JavaScriptCore so that builds with the
        public iOS SDK continue to work. These older SDKs include a version of
        WebInspector.framework that expects to find InspectorArray and other
        symbols in JavaScriptCore.framework.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):
        * inspector/InjectedScriptBase.cpp:
664         (Inspector::InjectedScriptBase::makeCall):
665         (Inspector::InjectedScriptBase::makeEvalCall):
666         * inspector/InjectedScriptBase.h:
667         * inspector/InjectedScriptManager.cpp:
668         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
669         * inspector/InspectorBackendDispatcher.cpp:
670         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
671         (Inspector::BackendDispatcher::dispatch):
672         (Inspector::BackendDispatcher::sendResponse):
673         (Inspector::BackendDispatcher::sendPendingErrors):
674         (Inspector::BackendDispatcher::getPropertyValue):
675         (Inspector::castToInteger):
676         (Inspector::castToNumber):
677         (Inspector::BackendDispatcher::getInteger):
678         (Inspector::BackendDispatcher::getDouble):
679         (Inspector::BackendDispatcher::getString):
680         (Inspector::BackendDispatcher::getBoolean):
681         (Inspector::BackendDispatcher::getObject):
682         (Inspector::BackendDispatcher::getArray):
683         (Inspector::BackendDispatcher::getValue):
684         * inspector/InspectorBackendDispatcher.h:
685         We need to keep around the sendResponse() variant with a parameter that
686         has the InspectorObject type, as older WebInspector.framework versions
687         expect this symbol to exist. Introduce a variant with arity 3 that can
688         be used in TOT so as to avoid having two methods with the same name, arity, and
689         different parameter types.
690
691         When system WebInspector.framework is updated, we can remove the legacy
692         method variant that uses the InspectorObject type. At that point, we can
693         transition TOT to use the 2-arity variant, and delete the 3-arity variant
694         when system WebInspector.framework is updated once more to use the 2-arity one.
695
696         * inspector/InspectorProtocolTypes.h:
697         (Inspector::Protocol::Array::openAccessors):
698         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
699         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
700         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
701         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
702         * inspector/ScriptCallFrame.cpp:
703         * inspector/ScriptCallStack.cpp:
704         * inspector/agents/InspectorAgent.cpp:
705         (Inspector::InspectorAgent::inspect):
706         * inspector/agents/InspectorAgent.h:
707         * inspector/agents/InspectorDebuggerAgent.cpp:
708         (Inspector::buildAssertPauseReason):
709         (Inspector::buildCSPViolationPauseReason):
710         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
711         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
712         (Inspector::buildObjectForBreakpointCookie):
713         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
714         (Inspector::parseLocation):
715         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
716         (Inspector::InspectorDebuggerAgent::setBreakpoint):
717         (Inspector::InspectorDebuggerAgent::continueToLocation):
718         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
719         (Inspector::InspectorDebuggerAgent::didParseSource):
720         (Inspector::InspectorDebuggerAgent::breakProgram):
721         * inspector/agents/InspectorDebuggerAgent.h:
722         * inspector/agents/InspectorRuntimeAgent.cpp:
723         (Inspector::InspectorRuntimeAgent::callFunctionOn):
724         (Inspector::InspectorRuntimeAgent::saveResult):
725         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
726         * inspector/agents/InspectorRuntimeAgent.h:
727         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
728         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
729         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
730         (CppBackendDispatcherImplementationGenerator.generate_output):
731         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
732         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
733         (CppFrontendDispatcherHeaderGenerator.generate_output):
734         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
735         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
736         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
737         (_generate_unchecked_setter_for_member):
738         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
739         (CppProtocolTypesImplementationGenerator):
740         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
741         (ObjCBackendDispatcherImplementationGenerator.generate_output):
742         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
743         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
744         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
745         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
746         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
747         * inspector/scripts/codegen/generate_objc_internal_header.py:
748         (ObjCInternalHeaderGenerator.generate_output):
749         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
750         (ObjCProtocolTypesImplementationGenerator.generate_output):
751         * inspector/scripts/codegen/generator.py:
752         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
753         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
754         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
755         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
756         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
757         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
758         * inspector/scripts/tests/generic/expected/enum-values.json-result:
759         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
760         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
761         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
762         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
763         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
764         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
765         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
766         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
767         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
768         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
769         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
770         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
771         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
772
773 2017-11-28  Robin Morisset  <rmorisset@apple.com>
774
775         Support recursive tail call optimization for polymorphic calls
776         https://bugs.webkit.org/show_bug.cgi?id=178390
777
778         Reviewed by Saam Barati.
779
780         Comes with a large but fairly simple refactoring: the inlining path for varargs and non-varargs calls now converge a lot later,
781         eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
782
783         Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
784
785         * dfg/DFGByteCodeParser.cpp:
786         (JSC::DFG::ByteCodeParser::handleCall):
787         (JSC::DFG::ByteCodeParser::handleVarargsCall):
788         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
789         (JSC::DFG::ByteCodeParser::inlineCall):
790         (JSC::DFG::ByteCodeParser::handleCallVariant):
791         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
792         (JSC::DFG::ByteCodeParser::getInliningBalance):
793         (JSC::DFG::ByteCodeParser::handleInlining):
794         (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
795
796 2017-11-27  Saam Barati  <sbarati@apple.com>
797
798         Spread can escape when CreateRest does not
799         https://bugs.webkit.org/show_bug.cgi?id=180057
800         <rdar://problem/35676119>
801
802         Reviewed by JF Bastien.
803
804         We previously did not handle Spread(PhantomCreateRest) only because I did not
805         think it was possible to generate this IR. I was wrong. We can generate
806         such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
807         This IR is rare to generate since we normally don't PutStack(Spread) because
808         the SetLocal almost always gets eliminated because of how our bytecode generates
809         op_spread. However, there exists a test case showing it is possible. Supporting
810         this IR pattern in FTLLower is trivial. This patch implements it and rewrites
811         the Validation rule for Spread.
812
813         * dfg/DFGOperations.cpp:
814         * dfg/DFGOperations.h:
815         * dfg/DFGValidate.cpp:
816         * ftl/FTLLowerDFGToB3.cpp:
817         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
818         * runtime/JSFixedArray.h:
819         (JSC::JSFixedArray::tryCreate):
820
821 2017-11-27  Don Olmstead  <don.olmstead@sony.com>
822
823         [CMake][Win] Conditionally select DLL CRT or static CRT
824         https://bugs.webkit.org/show_bug.cgi?id=170594
825
826         Reviewed by Alex Christensen.
827
828         * shell/PlatformWin.cmake:
829
830 2017-11-27  Saam Barati  <sbarati@apple.com>
831
832         Having a bad time watchpoint firing during compilation revealed a racy assertion
833         https://bugs.webkit.org/show_bug.cgi?id=180048
834         <rdar://problem/35700009>
835
836         Reviewed by Mark Lam.
837
838         While a DFG compilation is watching the having a bad time watchpoint, it was
839         asserting that the rest parameter structure has indexing type ArrayWithContiguous.
840         However, if the having a bad time watchpoint fires during the compilation,
841         this particular structure will no longer have ArrayWithContiguous indexing type.
842         This patch fixes this racy assertion to be aware that the watchpoint may fire
843         during compilation.
844
845         * dfg/DFGSpeculativeJIT.cpp:
846         (JSC::DFG::SpeculativeJIT::compileCreateRest):
847         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
848
849 2017-11-27  Tim Horton  <timothy_horton@apple.com>
850
851         One too many zeroes in macOS version number in FeatureDefines
852         https://bugs.webkit.org/show_bug.cgi?id=180011
853
854         Reviewed by Dan Bernstein.
855
856         * Configurations/FeatureDefines.xcconfig:
857
858 2017-11-27  Robin Morisset  <rmorisset@apple.com>
859
860         Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
861         https://bugs.webkit.org/show_bug.cgi?id=179821
862
863         Reviewed by Saam Barati.
864
865         * dfg/DFGSafeToExecute.h:
866         (JSC::DFG::safeToExecute):
867
868 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
869
870         [DFG] Add NormalizeMapKey DFG IR
871         https://bugs.webkit.org/show_bug.cgi?id=179912
872
873         Reviewed by Saam Barati.
874
875         This patch introduces NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
876         By separating this from MapHash and Map/Set related operations, we can perform CSE onto that, and we
877         do not need to call normalizeMapKey conservatively in DFG operations.
878         This can reduce the slow path case in Untyped GetMapBucket since we can normalize keys in DFG/FTL.
879
880         * dfg/DFGAbstractInterpreterInlines.h:
881         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
882         * dfg/DFGByteCodeParser.cpp:
883         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
884         * dfg/DFGClobberize.h:
885         (JSC::DFG::clobberize):
886         * dfg/DFGDoesGC.cpp:
887         (JSC::DFG::doesGC):
888         * dfg/DFGFixupPhase.cpp:
889         (JSC::DFG::FixupPhase::fixupNode):
890         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
891         * dfg/DFGNodeType.h:
892         * dfg/DFGOperations.cpp:
893         * dfg/DFGPredictionPropagationPhase.cpp:
894         * dfg/DFGSafeToExecute.h:
895         (JSC::DFG::safeToExecute):
896         * dfg/DFGSpeculativeJIT.cpp:
897         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
898         * dfg/DFGSpeculativeJIT.h:
899         * dfg/DFGSpeculativeJIT32_64.cpp:
900         (JSC::DFG::SpeculativeJIT::compile):
901         * dfg/DFGSpeculativeJIT64.cpp:
902         (JSC::DFG::SpeculativeJIT::compile):
903         * ftl/FTLCapabilities.cpp:
904         (JSC::FTL::canCompile):
905         * ftl/FTLLowerDFGToB3.cpp:
906         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
907         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
908         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
909         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
910         * runtime/HashMapImpl.h:
911
912 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
913
914         [FTL] Support DeleteById and DeleteByVal
915         https://bugs.webkit.org/show_bug.cgi?id=180022
916
917         Reviewed by Saam Barati.
918
919         We should increase the coverage of FTL. Even if the code includes DeleteById,
920         it does not mean that the remaining part of the code should not be optimized in FTL.
921         Right now, even CallEval and `with` scope are handled in FTL.
922
923         This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
924         code including them.
925
926         * ftl/FTLCapabilities.cpp:
927         (JSC::FTL::canCompile):
928         * ftl/FTLLowerDFGToB3.cpp:
929         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
930         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
931         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
932
933 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
934
935         [DFG] Introduce {Set,Map,WeakMap}Fields
936         https://bugs.webkit.org/show_bug.cgi?id=179925
937
938         Reviewed by Saam Barati.
939
940         SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
941         writes readonly MiscFields which are used by various nodes and makes optimization
942         conservative.
943
944         We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
945
946         * dfg/DFGAbstractHeap.h:
947         * dfg/DFGByteCodeParser.cpp:
948         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
949         * dfg/DFGClobberize.h:
950         (JSC::DFG::clobberize):
951         * dfg/DFGHeapLocation.cpp:
952         (WTF::printInternal):
953         * dfg/DFGHeapLocation.h:
954         * dfg/DFGNode.h:
955         (JSC::DFG::Node::hasBucketOwnerType):
956
957 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
958
959         [JSC] Remove JSStringBuilder
960         https://bugs.webkit.org/show_bug.cgi?id=180016
961
962         Reviewed by Saam Barati.
963
964         JSStringBuilder is replaced with WTF::StringBuilder.
965         This patch removes remaining uses and drops JSStringBuilder.
966
967         * JavaScriptCore.xcodeproj/project.pbxproj:
968         * runtime/ArrayPrototype.cpp:
969         * runtime/AsyncFunctionPrototype.cpp:
970         * runtime/AsyncGeneratorFunctionPrototype.cpp:
971         * runtime/ErrorPrototype.cpp:
972         * runtime/FunctionPrototype.cpp:
973         * runtime/GeneratorFunctionPrototype.cpp:
974         * runtime/JSGlobalObjectFunctions.cpp:
975         (JSC::decode):
976         (JSC::globalFuncEscape):
977         * runtime/JSStringBuilder.h: Removed.
978         * runtime/JSStringInlines.h:
979         (JSC::jsMakeNontrivialString):
980         * runtime/RegExpPrototype.cpp:
981         * runtime/StringPrototype.cpp:
982
983 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
984
985         [DFG] Remove GetLocalUnlinked
986         https://bugs.webkit.org/show_bug.cgi?id=180017
987
988         Reviewed by Saam Barati.
989
990         Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
991         This patch just removes it.
992
993         * dfg/DFGAbstractInterpreterInlines.h:
994         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
995         * dfg/DFGClobberize.h:
996         (JSC::DFG::clobberize):
997         * dfg/DFGCommon.h:
998         * dfg/DFGDoesGC.cpp:
999         (JSC::DFG::doesGC):
1000         * dfg/DFGFixupPhase.cpp:
1001         (JSC::DFG::FixupPhase::fixupNode):
1002         * dfg/DFGGraph.cpp:
1003         (JSC::DFG::Graph::dump):
1004         * dfg/DFGNode.h:
1005         (JSC::DFG::Node::hasUnlinkedLocal):
1006         (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
1007         (JSC::DFG::Node::convertToGetLocal): Deleted.
1008         (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
1009         (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
1010         (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
1011         * dfg/DFGNodeType.h:
1012         * dfg/DFGPredictionPropagationPhase.cpp:
1013         * dfg/DFGSafeToExecute.h:
1014         (JSC::DFG::safeToExecute):
1015         * dfg/DFGSpeculativeJIT32_64.cpp:
1016         (JSC::DFG::SpeculativeJIT::compile):
1017         * dfg/DFGSpeculativeJIT64.cpp:
1018         (JSC::DFG::SpeculativeJIT::compile):
1019         * dfg/DFGStackLayoutPhase.cpp:
1020         (JSC::DFG::StackLayoutPhase::run):
1021         * dfg/DFGValidate.cpp:
1022
1023 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1024
1025         Make ArgList::data() private again when we can remove callWasmFunction().
1026         https://bugs.webkit.org/show_bug.cgi?id=168582
1027
1028         Reviewed by JF Bastien.
1029
1030         Make ArgList::data() private since we already removed callWasmFunction.
1031
1032         * runtime/ArgList.h:
1033
1034 2016-08-05  Darin Adler  <darin@apple.com>
1035
1036         Fix some minor problems in the StringImpl header
1037         https://bugs.webkit.org/show_bug.cgi?id=160630
1038
1039         Reviewed by Brent Fulgham.
1040
1041         * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
1042         Yarr namespacing since we use "using namespace" in this file.
1043
1044 2017-11-24  Mark Lam  <mark.lam@apple.com>
1045
1046         Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
1047         https://bugs.webkit.org/show_bug.cgi?id=179936
1048         <rdar://problem/35623998>
1049
1050         Reviewed by Saam Barati.
1051
1052         This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
1053         See https://bugs.webkit.org/show_bug.cgi?id=179684.
1054
1055         Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
1056         was allocating stack space to stash arguments (to be forwarded) and new frame
1057         info.  The location of this new stash space happens to lie beyond the top of frame
1058         of the tail call caller frame.  After stashing the arguments, the code proceeded
1059         to load the callee codeBlock.  This triggered an allocation, which in turn,
1060         triggered stack sanitization.  The CLoop stack sanitizer was relying on
1061         frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
1062         that turned out to be inadequate.  As a result, part of the stashed data was
1063         zeroed out, and subsequently led to a crash.
1064
1065         This bug does not affect JIT builds (i.e. the ASM LLInt) for 2 reasons:
1066         1. JIT builds do stack sanitization in the LLInt code itself (different from the
1067            CLoop implementation), and the sanitizer there is aware of the true top of
1068            stack value (i.e. the stack pointer).
1069         2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
1070            parallel stack is one condition necessary for reproducing this issue.
1071
1072         The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
1073         every time before it calls out to native C++ code.  This also brings the CLoop's
1074         behavior closer to hardware behavior where we can know where the stack pointer
1075         is after calling from JS back into native C++ code, which makes it easier to
1076         reason about correctness.
1077
1078         Also simplified the various stack boundary calculations (removed the +1 and -1
1079         adjustments).  The CLoopStack bounds are now:
1080
1081             reservationTop(): the lowest reserved address that can be within stack bounds.
1082             m_commitTop: the lowest address within stack bounds that has been committed.
1083             lowAddress() aka m_end: the lowest stack address that JS code can use.
1084             m_lastStackPointer: cache of the last m_currentStackPointer value.
1085             m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
1086             highAddress(): the highest address just beyond the bounds of the stack.
1087
1088         Also deleted some unneeded code.
1089
1090         * interpreter/CLoopStack.cpp:
1091         (JSC::CLoopStack::CLoopStack):
1092         (JSC::CLoopStack::gatherConservativeRoots):
1093         (JSC::CLoopStack::sanitizeStack):
1094         (JSC::CLoopStack::setSoftReservedZoneSize):
1095         * interpreter/CLoopStack.h:
1096         (JSC::CLoopStack::setCurrentStackPointer):
1097         (JSC::CLoopStack::lowAddress const):
1098
1099         (JSC::CLoopStack::baseOfStack const): Deleted.
1100         - Not needed after we simplified the code and removed all the +1/-1 adjustments.
1101           Now, it has the exact same value as highAddress() and can be removed.
1102
1103         * interpreter/CLoopStackInlines.h:
1104         (JSC::CLoopStack::ensureCapacityFor):
1105         (JSC::CLoopStack::currentStackPointer):
1106         (JSC::CLoopStack::setCLoopStackLimit):
1107
1108         (JSC::CLoopStack::topOfFrameFor): Deleted.
1109         - Not needed.
1110
1111         (JSC::CLoopStack::topOfStack): Deleted.
1112         - Supplanted by currentStackPointer().
1113
1114         (JSC::CLoopStack::shrink): Deleted.
1115         - This is unused.
1116
1117         * llint/LowLevelInterpreter.cpp:
1118         (JSC::CLoop::execute):
1119         - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
1120           upon exiting the interpreter loop.
1121
1122         * offlineasm/cloop.rb:
1123         - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
1124           call from JS into C++ code.
1125
1126         * tools/VMInspector.h:
1127         - Added some default argument values. These were being used while debugging this
1128           issue.
1129
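        The failure mode described in the entry above, as an added example in C++ (a constructed
        model, not the real CLoopStack): a downward-growing stack where a frame's recorded
        topOfFrame lies above data that was stashed beyond it, and a sanitizer that zeroes
        everything it believes is unused. The names ModelStack, sanitizeBelow and stashSurvives
        are hypothetical. With topOfFrame as the boundary the stash is wiped; with the stack
        pointer recorded at the JS-to-C++ boundary it survives.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model of an interpreter stack that grows toward lower addresses.
// slots[0] plays the role of lowAddress(); slots.size() plays the role of highAddress().
struct ModelStack {
    std::vector<uint64_t> slots;
    size_t topOfFrame;          // lowest slot the current frame's metadata claims to own
    size_t currentStackPointer; // real lowest slot in use, recorded before calling into C++

    explicit ModelStack(size_t size)
        : slots(size, 0), topOfFrame(size), currentStackPointer(size) { }

    // Pushing moves the stack pointer toward lower addresses.
    void push(uint64_t value) { slots[--currentStackPointer] = value; }

    // The sanitizer zeroes [lowAddress, boundary): every slot it believes is unused.
    void sanitizeBelow(size_t boundary)
    {
        std::fill(slots.begin(), slots.begin() + static_cast<std::ptrdiff_t>(boundary), 0);
    }
};

// Replays the scenario from the entry: arguments are stashed below the caller's frame,
// then an allocation triggers sanitization before the stash is consumed.
// Returns true when the stashed value is still intact afterwards.
static bool stashSurvives(bool useRecordedStackPointer)
{
    ModelStack stack(16);

    // The tail-call caller's frame occupies four slots; its metadata records topOfFrame.
    for (int i = 0; i < 4; ++i)
        stack.push(0x11);
    stack.topOfFrame = stack.currentStackPointer;

    // Forwarded arguments are stashed beyond the frame, i.e. at a lower address.
    const uint64_t stashed = 0xC0FFEE;
    stack.push(stashed);

    // Buggy sanitizer trusts frame->topOfFrame(); fixed sanitizer uses the recorded
    // stack pointer, which the interpreter updates at every JS-to-C++ call boundary.
    size_t boundary = useRecordedStackPointer ? stack.currentStackPointer : stack.topOfFrame;
    stack.sanitizeBelow(boundary);

    return stack.slots[stack.currentStackPointer] == stashed;
}
```

        The model also makes the simplified bounds in the entry concrete: sanitization only
        needs one boundary, the real stack pointer, and everything below it is fair game.
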
1130 2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1131
1132         [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
1133         https://bugs.webkit.org/show_bug.cgi?id=179923
1134
1135         Reviewed by Darin Adler.
1136
1137         We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
1138         So we can use it as a marker of deleted bucket.
1139
1140         This patch uses the empty key as a deleted flag, and drops the m_deleted field of HashMapBucket.
1141         It shrinks the size of HashMapBucket considerably.
1142
1143         * dfg/DFGSpeculativeJIT.cpp:
1144         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1145         * ftl/FTLAbstractHeapRepository.h:
1146         * ftl/FTLLowerDFGToB3.cpp:
1147         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1148         * runtime/HashMapImpl.h:
1149         (JSC::HashMapBucket::createSentinel):
1150         We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
1151         While the sentinel's deleted flag becomes false since the key is set, it is not a problem since the deleted
1152         flag of the sentinel bucket is not used.
1153
1154         (JSC::HashMapBucket::HashMapBucket):
1155         (JSC::HashMapBucket::deleted const):
1156         (JSC::HashMapBucket::makeDeleted):
1157         (JSC::HashMapImpl::remove):
1158         (JSC::HashMapImpl::clear):
1159         (JSC::HashMapImpl::setUpHeadAndTail):
1160         (JSC::HashMapImpl::addNormalizedInternal):
1161         (JSC::HashMapBucket::setDeleted): Deleted.
1162         (JSC::HashMapBucket::offsetOfDeleted): Deleted.
1163         (): Deleted.
1164
1165 2017-11-24  Mark Lam  <mark.lam@apple.com>
1166
1167         Move unsafe jsc shell test functions to the $vm object.
1168         https://bugs.webkit.org/show_bug.cgi?id=179980
1169
1170         Reviewed by Yusuke Suzuki.
1171
1172         Also removed setElementRoot() which was not used.
1173
1174         * jsc.cpp:
1175         (GlobalObject::finishCreation):
1176         (WTF::Element::Element): Deleted.
1177         (WTF::Element::root const): Deleted.
1178         (WTF::Element::setRoot): Deleted.
1179         (WTF::Element::create): Deleted.
1180         (WTF::Element::visitChildren): Deleted.
1181         (WTF::Element::createStructure): Deleted.
1182         (WTF::Root::Root): Deleted.
1183         (WTF::Root::element): Deleted.
1184         (WTF::Root::setElement): Deleted.
1185         (WTF::Root::create): Deleted.
1186         (WTF::Root::createStructure): Deleted.
1187         (WTF::Root::visitChildren): Deleted.
1188         (WTF::ImpureGetter::ImpureGetter): Deleted.
1189         (WTF::ImpureGetter::createStructure): Deleted.
1190         (WTF::ImpureGetter::create): Deleted.
1191         (WTF::ImpureGetter::finishCreation): Deleted.
1192         (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
1193         (WTF::ImpureGetter::visitChildren): Deleted.
1194         (WTF::ImpureGetter::setDelegate): Deleted.
1195         (WTF::CustomGetter::CustomGetter): Deleted.
1196         (WTF::CustomGetter::createStructure): Deleted.
1197         (WTF::CustomGetter::create): Deleted.
1198         (WTF::CustomGetter::getOwnPropertySlot): Deleted.
1199         (WTF::CustomGetter::customGetter): Deleted.
1200         (WTF::CustomGetter::customGetterAcessor): Deleted.
1201         (WTF::RuntimeArray::create): Deleted.
1202         (WTF::RuntimeArray::~RuntimeArray): Deleted.
1203         (WTF::RuntimeArray::destroy): Deleted.
1204         (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
1205         (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
1206         (WTF::RuntimeArray::put): Deleted.
1207         (WTF::RuntimeArray::deleteProperty): Deleted.
1208         (WTF::RuntimeArray::getLength const): Deleted.
1209         (WTF::RuntimeArray::createPrototype): Deleted.
1210         (WTF::RuntimeArray::createStructure): Deleted.
1211         (WTF::RuntimeArray::finishCreation): Deleted.
1212         (WTF::RuntimeArray::RuntimeArray): Deleted.
1213         (WTF::RuntimeArray::lengthGetter): Deleted.
1214         (WTF::SimpleObject::SimpleObject): Deleted.
1215         (WTF::SimpleObject::create): Deleted.
1216         (WTF::SimpleObject::visitChildren): Deleted.
1217         (WTF::SimpleObject::createStructure): Deleted.
1218         (WTF::SimpleObject::hiddenValue): Deleted.
1219         (WTF::SimpleObject::setHiddenValue): Deleted.
1220         (WTF::DOMJITNode::DOMJITNode): Deleted.
1221         (WTF::DOMJITNode::createStructure): Deleted.
1222         (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
1223         (WTF::DOMJITNode::create): Deleted.
1224         (WTF::DOMJITNode::value const): Deleted.
1225         (WTF::DOMJITNode::offsetOfValue): Deleted.
1226         (WTF::DOMJITGetter::DOMJITGetter): Deleted.
1227         (WTF::DOMJITGetter::createStructure): Deleted.
1228         (WTF::DOMJITGetter::create): Deleted.
1229         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
1230         (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
1231         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
1232         (WTF::DOMJITGetter::customGetter): Deleted.
1233         (WTF::DOMJITGetter::finishCreation): Deleted.
1234         (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
1235         (WTF::DOMJITGetterComplex::createStructure): Deleted.
1236         (WTF::DOMJITGetterComplex::create): Deleted.
1237         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
1238         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
1239         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
1240         (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
1241         (WTF::DOMJITGetterComplex::customGetter): Deleted.
1242         (WTF::DOMJITGetterComplex::finishCreation): Deleted.
1243         (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
1244         (WTF::DOMJITFunctionObject::createStructure): Deleted.
1245         (WTF::DOMJITFunctionObject::create): Deleted.
1246         (WTF::DOMJITFunctionObject::safeFunction): Deleted.
1247         (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
1248         (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
1249         (WTF::DOMJITFunctionObject::finishCreation): Deleted.
1250         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
1251         (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
1252         (WTF::DOMJITCheckSubClassObject::create): Deleted.
1253         (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
1254         (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
1255         (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
1256         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
1257         (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
1258         (WTF::DOMJITGetterBaseJSObject::create): Deleted.
1259         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
1260         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
1261         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
1262         (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
1263         (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
1264         (WTF::Element::handleOwner): Deleted.
1265         (WTF::Element::finishCreation): Deleted.
1266         (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
1267         (JSTestCustomGetterSetter::create): Deleted.
1268         (JSTestCustomGetterSetter::createStructure): Deleted.
1269         (customGetAccessor): Deleted.
1270         (customGetValue): Deleted.
1271         (customSetAccessor): Deleted.
1272         (customSetValue): Deleted.
1273         (JSTestCustomGetterSetter::finishCreation): Deleted.
1274         (GlobalObject::addConstructableFunction): Deleted.
1275         (functionCreateRoot): Deleted.
1276         (functionCreateElement): Deleted.
1277         (functionGetElement): Deleted.
1278         (functionSetElementRoot): Deleted.
1279         (functionCreateSimpleObject): Deleted.
1280         (functionGetHiddenValue): Deleted.
1281         (functionSetHiddenValue): Deleted.
1282         (functionCreateProxy): Deleted.
1283         (functionCreateRuntimeArray): Deleted.
1284         (functionCreateImpureGetter): Deleted.
1285         (functionCreateCustomGetterObject): Deleted.
1286         (functionCreateDOMJITNodeObject): Deleted.
1287         (functionCreateDOMJITGetterObject): Deleted.
1288         (functionCreateDOMJITGetterComplexObject): Deleted.
1289         (functionCreateDOMJITFunctionObject): Deleted.
1290         (functionCreateDOMJITCheckSubClassObject): Deleted.
1291         (functionCreateDOMJITGetterBaseJSObject): Deleted.
1292         (functionSetImpureGetterDelegate): Deleted.
1293         (functionGetGetterSetter): Deleted.
1294         (functionShadowChickenFunctionsOnStack): Deleted.
1295         (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
1296         (functionGlobalObjectForObject): Deleted.
1297         (functionLoadGetterFromGetterSetter): Deleted.
1298         (functionCreateCustomTestGetterSetter): Deleted.
1299         (functionAbort): Deleted.
1300         (functionFindTypeForExpression): Deleted.
1301         (functionReturnTypeFor): Deleted.
1302         (functionDumpBasicBlockExecutionRanges): Deleted.
1303         (functionHasBasicBlockExecuted): Deleted.
1304         (functionBasicBlockExecutionCount): Deleted.
1305         (functionEnableExceptionFuzz): Deleted.
1306         (functionCreateBuiltin): Deleted.
1307         * runtime/JSGlobalObject.cpp:
1308         (JSC::JSGlobalObject::init):
1309         * tools/JSDollarVM.cpp:
1310         (WTF::Element::Element):
1311         (WTF::Element::root const):
1312         (WTF::Element::setRoot):
1313         (WTF::Element::create):
1314         (WTF::Element::visitChildren):
1315         (WTF::Element::createStructure):
1316         (WTF::Root::Root):
1317         (WTF::Root::element):
1318         (WTF::Root::setElement):
1319         (WTF::Root::create):
1320         (WTF::Root::createStructure):
1321         (WTF::Root::visitChildren):
1322         (WTF::SimpleObject::SimpleObject):
1323         (WTF::SimpleObject::create):
1324         (WTF::SimpleObject::visitChildren):
1325         (WTF::SimpleObject::createStructure):
1326         (WTF::SimpleObject::hiddenValue):
1327         (WTF::SimpleObject::setHiddenValue):
1328         (WTF::ImpureGetter::ImpureGetter):
1329         (WTF::ImpureGetter::createStructure):
1330         (WTF::ImpureGetter::create):
1331         (WTF::ImpureGetter::finishCreation):
1332         (WTF::ImpureGetter::getOwnPropertySlot):
1333         (WTF::ImpureGetter::visitChildren):
1334         (WTF::ImpureGetter::setDelegate):
1335         (WTF::CustomGetter::CustomGetter):
1336         (WTF::CustomGetter::createStructure):
1337         (WTF::CustomGetter::create):
1338         (WTF::CustomGetter::getOwnPropertySlot):
1339         (WTF::CustomGetter::customGetter):
1340         (WTF::CustomGetter::customGetterAcessor):
1341         (WTF::RuntimeArray::create):
1342         (WTF::RuntimeArray::~RuntimeArray):
1343         (WTF::RuntimeArray::destroy):
1344         (WTF::RuntimeArray::getOwnPropertySlot):
1345         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
1346         (WTF::RuntimeArray::put):
1347         (WTF::RuntimeArray::deleteProperty):
1348         (WTF::RuntimeArray::getLength const):
1349         (WTF::RuntimeArray::createPrototype):
1350         (WTF::RuntimeArray::createStructure):
1351         (WTF::RuntimeArray::finishCreation):
1352         (WTF::RuntimeArray::RuntimeArray):
1353         (WTF::RuntimeArray::lengthGetter):
1354         (WTF::DOMJITNode::DOMJITNode):
1355         (WTF::DOMJITNode::createStructure):
1356         (WTF::DOMJITNode::checkSubClassSnippet):
1357         (WTF::DOMJITNode::create):
1358         (WTF::DOMJITNode::value const):
1359         (WTF::DOMJITNode::offsetOfValue):
1360         (WTF::DOMJITGetter::DOMJITGetter):
1361         (WTF::DOMJITGetter::createStructure):
1362         (WTF::DOMJITGetter::create):
1363         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1364         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
1365         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1366         (WTF::DOMJITGetter::customGetter):
1367         (WTF::DOMJITGetter::finishCreation):
1368         (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
1369         (WTF::DOMJITGetterComplex::createStructure):
1370         (WTF::DOMJITGetterComplex::create):
1371         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1372         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
1373         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1374         (WTF::DOMJITGetterComplex::functionEnableException):
1375         (WTF::DOMJITGetterComplex::customGetter):
1376         (WTF::DOMJITGetterComplex::finishCreation):
1377         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
1378         (WTF::DOMJITFunctionObject::createStructure):
1379         (WTF::DOMJITFunctionObject::create):
1380         (WTF::DOMJITFunctionObject::safeFunction):
1381         (WTF::DOMJITFunctionObject::unsafeFunction):
1382         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
1383         (WTF::DOMJITFunctionObject::finishCreation):
1384         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
1385         (WTF::DOMJITCheckSubClassObject::createStructure):
1386         (WTF::DOMJITCheckSubClassObject::create):
1387         (WTF::DOMJITCheckSubClassObject::safeFunction):
1388         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
1389         (WTF::DOMJITCheckSubClassObject::finishCreation):
1390         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
1391         (WTF::DOMJITGetterBaseJSObject::createStructure):
1392         (WTF::DOMJITGetterBaseJSObject::create):
1393         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
1394         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
1395         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
1396         (WTF::DOMJITGetterBaseJSObject::customGetter):
1397         (WTF::DOMJITGetterBaseJSObject::finishCreation):
1398         (WTF::Message::releaseContents):
1399         (WTF::Message::index const):
1400         (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
1401         (WTF::JSTestCustomGetterSetter::create):
1402         (WTF::JSTestCustomGetterSetter::createStructure):
1403         (WTF::customGetAccessor):
1404         (WTF::customGetValue):
1405         (WTF::customSetAccessor):
1406         (WTF::customSetValue):
1407         (WTF::JSTestCustomGetterSetter::finishCreation):
1408         (WTF::Element::handleOwner):
1409         (WTF::Element::finishCreation):
1410         (JSC::functionCrash):
1411         (JSC::functionCreateProxy):
1412         (JSC::functionCreateRuntimeArray):
1413         (JSC::functionCreateImpureGetter):
1414         (JSC::functionCreateCustomGetterObject):
1415         (JSC::functionCreateDOMJITNodeObject):
1416         (JSC::functionCreateDOMJITGetterObject):
1417         (JSC::functionCreateDOMJITGetterComplexObject):
1418         (JSC::functionCreateDOMJITFunctionObject):
1419         (JSC::functionCreateDOMJITCheckSubClassObject):
1420         (JSC::functionCreateDOMJITGetterBaseJSObject):
1421         (JSC::functionSetImpureGetterDelegate):
1422         (JSC::functionCreateBuiltin):
1423         (JSC::functionCreateRoot):
1424         (JSC::functionCreateElement):
1425         (JSC::functionGetElement):
1426         (JSC::functionCreateSimpleObject):
1427         (JSC::functionGetHiddenValue):
1428         (JSC::functionSetHiddenValue):
1429         (JSC::functionShadowChickenFunctionsOnStack):
1430         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
1431         (JSC::functionFindTypeForExpression):
1432         (JSC::functionReturnTypeFor):
1433         (JSC::functionDumpBasicBlockExecutionRanges):
1434         (JSC::functionHasBasicBlockExecuted):
1435         (JSC::functionBasicBlockExecutionCount):
1436         (JSC::functionEnableExceptionFuzz):
1437         (JSC::functionGlobalObjectForObject):
1438         (JSC::functionGetGetterSetter):
1439         (JSC::functionLoadGetterFromGetterSetter):
1440         (JSC::functionCreateCustomTestGetterSetter):
1441         (JSC::JSDollarVM::finishCreation):
1442         (JSC::JSDollarVM::addFunction):
1443         (JSC::JSDollarVM::addConstructibleFunction):
1444         * tools/JSDollarVM.h:
1445         (JSC::JSDollarVM::create):
1446
1447 2017-11-23  Simon Fraser  <simon.fraser@apple.com>
1448
1449         Minor ArrayBufferView cleanup
1450         https://bugs.webkit.org/show_bug.cgi?id=179966
1451
1452         Reviewed by Darin Adler.
1453         
1454         Use void* for data pointers when we don't need to do offset math. Use const for
1455         source pointers.
1456         
1457         Prefer uint8_t* to char*.
1458         
1459         Add comments noting that the assertions should not be made release assertions
1460         as recommended by the style checker, since the point is to avoid the virtual byteLength()
1461         call in release.
1462
1463         * runtime/ArrayBufferView.h:
1464         (JSC::ArrayBufferView::setImpl):
1465         (JSC::ArrayBufferView::setRangeImpl):
1466         (JSC::ArrayBufferView::getRangeImpl):
1467         (JSC::ArrayBufferView::zeroRangeImpl):
1468
1469 2017-11-23  Darin Adler  <darin@apple.com>
1470
1471         Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
1472         https://bugs.webkit.org/show_bug.cgi?id=179907
1473
1474         Reviewed by Sam Weinig.
1475
1476         * inspector/agents/InspectorDebuggerAgent.cpp:
1477         (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
1478         defaults to that.
1479
1480         * runtime/StringPrototype.cpp:
1481         (JSC::stringIncludesImpl): Use String::find since there is no overload of
1482         String::contains that takes a start offset now that we removed the one that took a
1483         caseSensitive boolean. We can add one later if we like, but this should do for now.
1484
1485         * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
1486         the StringImpl.h header because it is only used here.
1487
1488 2017-11-22  Simon Fraser  <simon.fraser@apple.com>
1489
1490         Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
1491         because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
1492         
1493         Also name the argument to zeroRange() to 'count' since it's an item count.
1494
1495         * runtime/GenericTypedArrayView.h:
1496         (JSC::GenericTypedArrayView::zeroRange):
1497         (JSC::GenericTypedArrayView::getRange):
1498
1499 2017-11-21  Simon Fraser  <simon.fraser@apple.com>
1500
1501         Allow for more efficient use of GenericTypedArrayView
1502         https://bugs.webkit.org/show_bug.cgi?id=179899
1503
1504         Reviewed by Sam Weinig.
1505         
1506         Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
1507         under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
1508         in a length.
1509
1510         Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
1511         byteLength() calls.
1512         
1513         Renamed 'dataLength' to 'count' in setRange() to be clearer.
1514         
1515         Added setNative() for callers who don't need clamping of doubles.
1516
1517         * runtime/ArrayBufferView.h:
1518         (JSC::ArrayBufferView::setRangeImpl):
1519         (JSC::ArrayBufferView::getRangeImpl):
1520         * runtime/GenericTypedArrayView.h:
1521         (JSC::GenericTypedArrayView::setRange):
1522         (JSC::GenericTypedArrayView::setNative const):
1523         (JSC::GenericTypedArrayView::getRange):
1524         (JSC::GenericTypedArrayView::checkInboundData const):
1525         (JSC::GenericTypedArrayView::internalByteLength const):
1526
1527 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1528
1529         [DFG][FTL] Support MapSet / SetAdd intrinsics
1530         https://bugs.webkit.org/show_bug.cgi?id=179858
1531
1532         Reviewed by Saam Barati.
1533
1534         Map.prototype.set and Set.prototype.add use the MapHash value anyway.
1535         By handling them as MapSet and SetAdd DFG nodes and decoupling
1536         MapSet and SetAdd nodes from MapHash DFG node, we have a chance to
1537         remove duplicate MapHash calculation for the same key.
1538
1539         One story is *set-if-not-exists*.
1540
1541             if (!map.has(key))
1542                 map.set(key, value);
1543
1544         In the above code, both `has` and `set` require hash value for `key`.
1545         If we can change `set` to the series of DFG nodes:
1546
1547             1: MapHash(key)
1548             2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)
1549
1550         we can remove duplicate @1 produced by `has` operation.
1551
1552         This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively:
1553
1554                                          baseline                  patched
1555
1556             map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
1557             map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster
1558
1559         Microbenchmarks
1560
1561             map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster
1562
1563         * dfg/DFGAbstractInterpreterInlines.h:
1564         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1565         * dfg/DFGByteCodeParser.cpp:
1566         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1567         * dfg/DFGClobberize.h:
1568         (JSC::DFG::clobberize):
1569         * dfg/DFGDoesGC.cpp:
1570         (JSC::DFG::doesGC):
1571         * dfg/DFGFixupPhase.cpp:
1572         (JSC::DFG::FixupPhase::fixupNode):
1573         * dfg/DFGNodeType.h:
1574         * dfg/DFGOperations.cpp:
1575         * dfg/DFGOperations.h:
1576         * dfg/DFGPredictionPropagationPhase.cpp:
1577         * dfg/DFGSafeToExecute.h:
1578         (JSC::DFG::safeToExecute):
1579         * dfg/DFGSpeculativeJIT.cpp:
1580         (JSC::DFG::SpeculativeJIT::compileSetAdd):
1581         (JSC::DFG::SpeculativeJIT::compileMapSet):
1582         * dfg/DFGSpeculativeJIT.h:
1583         (JSC::DFG::SpeculativeJIT::callOperation):
1584         * dfg/DFGSpeculativeJIT32_64.cpp:
1585         (JSC::DFG::SpeculativeJIT::compile):
1586         * dfg/DFGSpeculativeJIT64.cpp:
1587         (JSC::DFG::SpeculativeJIT::compile):
1588         * ftl/FTLCapabilities.cpp:
1589         (JSC::FTL::canCompile):
1590         * ftl/FTLLowerDFGToB3.cpp:
1591         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1592         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
1593         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
1594         * jit/JITOperations.h:
1595         * runtime/HashMapImpl.h:
1596         (JSC::HashMapImpl::addNormalized):
1597         (JSC::HashMapImpl::addNormalizedInternal):
1598         * runtime/Intrinsic.cpp:
1599         (JSC::intrinsicName):
1600         * runtime/Intrinsic.h:
1601         * runtime/MapPrototype.cpp:
1602         (JSC::MapPrototype::finishCreation):
1603         * runtime/SetPrototype.cpp:
1604         (JSC::SetPrototype::finishCreation):
1605
1606 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1607
1608         [JSC] Allow poly proto for intrinsic getters
1609         https://bugs.webkit.org/show_bug.cgi?id=179550
1610
1611         Reviewed by Saam Barati.
1612
1613         This patch allows intrinsic getters to accept poly proto.
1614         We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
1615         poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
1616         code for poly proto case.
1617
1618         * bytecode/IntrinsicGetterAccessCase.cpp:
1619         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
1620         (JSC::IntrinsicGetterAccessCase::create):
1621         * bytecode/IntrinsicGetterAccessCase.h:
1622         * jit/IntrinsicEmitter.cpp:
1623         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
1624         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
1625         * jit/Repatch.cpp:
1626         (JSC::tryCacheGetByID):
1627
1628 2017-11-20  Don Olmstead  <don.olmstead@sony.com>
1629
1630         Detect __declspec within JSBase.h
1631         https://bugs.webkit.org/show_bug.cgi?id=179892
1632
1633         Reviewed by Darin Adler.
1634
1635         * API/JSBase.h:
1636
1637 2017-11-19  Tim Horton  <timothy_horton@apple.com>
1638
1639         Remove unused TOUCH_ICON_LOADING feature flag
1640         https://bugs.webkit.org/show_bug.cgi?id=179873
1641
1642         Reviewed by Simon Fraser.
1643
1644         * Configurations/FeatureDefines.xcconfig:
1645
1646 2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1647
1648         Add CPU(UNKNOWN) to cover all the unknown CPU types
1649         https://bugs.webkit.org/show_bug.cgi?id=179243
1650
1651         Reviewed by JF Bastien.
1652
1653         * CMakeLists.txt:
1654
1655 2017-11-19  Tim Horton  <timothy_horton@apple.com>
1656
1657         Remove unused LEGACY_VENDOR_PREFIXES feature flag
1658         https://bugs.webkit.org/show_bug.cgi?id=179872
1659
1660         Reviewed by Darin Adler.
1661
1662         * Configurations/FeatureDefines.xcconfig:
1663
1664 2017-11-18  Tim Horton  <timothy_horton@apple.com>
1665
1666         Fix typos in closing ENABLE() comments
1667         https://bugs.webkit.org/show_bug.cgi?id=179869
1668
1669         Unreviewed.
1670
1671         * wasm/WasmMemory.h:
1672         * wasm/WasmMemoryMode.h:
1673
1674 2017-11-17  JF Bastien  <jfbastien@apple.com>
1675
1676         NFC update ClassInfo to C++14
1677         https://bugs.webkit.org/show_bug.cgi?id=179783
1678
1679         Reviewed by Mark Lam.
1680
1681         Forked from #179734, use `using` instead of `typedef`. It's easier
1682         to read.
1683
1684         * runtime/ClassInfo.h:
1685
1686 2017-11-17  JF Bastien  <jfbastien@apple.com>
1687
1688         WebAssembly JS API: throw when a promise can't be created
1689         https://bugs.webkit.org/show_bug.cgi?id=179826
1690         <rdar://problem/35455813>
1691
1692         Reviewed by Mark Lam.
1693
1694         Failure *in* a promise causes rejection, but failure to create a
1695         promise (because of stack overflow) isn't really spec'd (as with all
1696         stack-related things in JS). This applies to WebAssembly.compile and
1697         WebAssembly.instantiate.
1698
1699         Dan's current proposal says:
1700
1701             https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
1702
1703             Whenever a stack overflow occurs in WebAssembly code, the same
1704             class of exception is thrown as for a stack overflow in
1705             JavaScript. The particular exception here is
1706             implementation-defined in both cases.
1707
1708             Note: ECMAScript doesn’t specify any sort of behavior on stack
1709             overflow; implementations have been observed to throw RangeError,
1710             InternalError or Error. Any is valid here.
1711
1712         This is for general stack overflow within WebAssembly, not
1713         specifically for promise creation within JavaScript, but it seems
1714         like a stack overflow in promise creation should follow the same
1715         rule instead of, say, swallowing the overflow and returning
1716         undefined.
1717
1718         * wasm/js/WebAssemblyPrototype.cpp:
1719         (JSC::webAssemblyCompileFunc):
1720         (JSC::webAssemblyInstantiateFunc):
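
        The following is an added example, not WebKit code, that probes the behaviour this
        entry describes from JavaScript: recurse until the stack is exhausted, then ask for a
        WebAssembly.compile promise from the deepest frame that can still run. The acceptable
        outcomes are a promise or a thrown Error; the bug was the third outcome, a swallowed
        overflow. The module bytes are a constructed minimal input (magic plus version 1), and
        the result depends on whichever engine runs the probe.

```javascript
// Added example (not WebKit code): probe what WebAssembly.compile does when the
// JavaScript stack is already exhausted. Creating the promise must throw like any
// other JS stack overflow, never silently yield undefined.

// Constructed input: the smallest valid module, the "\0asm" magic plus version 1.
const EMPTY_MODULE = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

// Recurse until the engine throws its stack-overflow error, then, in the deepest
// frame whose catch block can still run, try to create the compile promise. If
// even that catch block overflows, the error propagates to the caller's catch,
// which retries with slightly more stack available.
function compileNearStackLimit(bytes) {
  function recurse() {
    try {
      return recurse();
    } catch (overflow) {
      try {
        const promise = WebAssembly.compile(bytes);
        // Avoid an unhandled-rejection report if compilation fails later on.
        promise.catch(() => {});
        return { kind: 'promise', value: promise };
      } catch (e) {
        return { kind: 'thrown', value: e };
      }
    }
  }
  return recurse();
}

// Classify the outcome the way a conformance check would: anything other than a
// promise or a thrown Error (the swallowed-overflow case) is a bug.
function classify(result) {
  if (result.kind === 'promise' && result.value instanceof Promise) return 'promise';
  if (result.kind === 'thrown' && result.value instanceof Error) return 'thrown';
  return 'swallowed';
}
```

        Run it under the engine you want to check; `classify(compileNearStackLimit(EMPTY_MODULE))`
        should never come back as `'swallowed'`.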
1721
1722 2017-11-16  Daniel Bates  <dabates@apple.com>
1723
1724         Add feature define for alternative presentation button element
1725         https://bugs.webkit.org/show_bug.cgi?id=179692
1726         Part of <rdar://problem/34917108>
1727
1728         Reviewed by Andy Estes.
1729
1730         Only enabled on Cocoa platforms by default.
1731
1732         * Configurations/FeatureDefines.xcconfig:
1733
1734 2017-11-16  Saam Barati  <sbarati@apple.com>
1735
1736         Fix a bug with cpuid in the FTL.
1737
1738         Rubber stamped by Mark Lam.
1739
1740         Before uploading the previous patch, I tried to condense the code. I
1741         accidentally removed a crucial line saying that CPUID clobbers various
1742         registers.
1743
1744         * ftl/FTLLowerDFGToB3.cpp:
1745         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
1746
1747 2017-11-16  Saam Barati  <sbarati@apple.com>
1748
1749         Add some X86 intrinsics to $vm to help with some perf testing
1750         https://bugs.webkit.org/show_bug.cgi?id=179693
1751
1752         Reviewed by Mark Lam.
1753
1754         I've been doing some local perf testing of various ideas and have
1755         had these come in handy. I'm going to land them in dollarVM to prevent
1756         having to add them to my local build every time I do perf testing.
1757
1758         * assembler/MacroAssemblerX86Common.h:
1759         (JSC::MacroAssemblerX86Common::mfence):
1760         (JSC::MacroAssemblerX86Common::rdtsc):
1761         (JSC::MacroAssemblerX86Common::pause):
1762         (JSC::MacroAssemblerX86Common::cpuid):
1763         * assembler/X86Assembler.h:
1764         (JSC::X86Assembler::rdtsc):
1765         (JSC::X86Assembler::pause):
1766         (JSC::X86Assembler::cpuid):
1767         * dfg/DFGAbstractInterpreterInlines.h:
1768         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1769         * dfg/DFGByteCodeParser.cpp:
1770         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1771         * dfg/DFGClobberize.h:
1772         (JSC::DFG::clobberize):
1773         * dfg/DFGDoesGC.cpp:
1774         (JSC::DFG::doesGC):
1775         * dfg/DFGFixupPhase.cpp:
1776         (JSC::DFG::FixupPhase::fixupNode):
1777         * dfg/DFGGraph.cpp:
1778         (JSC::DFG::Graph::dump):
1779         * dfg/DFGNode.h:
1780         (JSC::DFG::Node::intrinsic):
1781         * dfg/DFGNodeType.h:
1782         * dfg/DFGPredictionPropagationPhase.cpp:
1783         * dfg/DFGSafeToExecute.h:
1784         (JSC::DFG::safeToExecute):
1785         * dfg/DFGSpeculativeJIT32_64.cpp:
1786         (JSC::DFG::SpeculativeJIT::compile):
1787         * dfg/DFGSpeculativeJIT64.cpp:
1788         (JSC::DFG::SpeculativeJIT::compile):
1789         * dfg/DFGValidate.cpp:
1790         * ftl/FTLCapabilities.cpp:
1791         (JSC::FTL::canCompile):
1792         * ftl/FTLLowerDFGToB3.cpp:
1793         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1794         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
1795         * runtime/Intrinsic.cpp:
1796         (JSC::intrinsicName):
1797         * runtime/Intrinsic.h:
1798         * tools/JSDollarVM.cpp:
1799         (JSC::functionCpuMfence):
1800         (JSC::functionCpuRdtsc):
1801         (JSC::functionCpuCpuid):
1802         (JSC::functionCpuPause):
1803         (JSC::functionCpuClflush):
1804         (JSC::JSDollarVM::finishCreation):
1805
1806 2017-11-16  JF Bastien  <jfbastien@apple.com>
1807
1808         It should be easier to reify lazy property names
1809         https://bugs.webkit.org/show_bug.cgi?id=179734
1810         <rdar://problem/35492521>
1811
1812         Reviewed by Keith Miller.
1813
1814         We reify lazy property names in a few different ways, each
1815         specific to the JSCell implementation, in put() instead of having
1816         a special function to do reification. Let's make that simpler.
1817
1818         This patch makes it easier to reify property names in a uniform
1819         manner, and does so in JSFunction. As a follow up I'll use the
1820         same mechanics for:
1821
1822         ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
1823         ErrorConstructor  stackTraceLimit
1824         ErrorInstance     line, column, sourceURL, stack
1825         GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
1826         GetterSetter      RELEASE_ASSERT_NOT_REACHED()
1827         JSArray           length
1828         RegExpObject      lastIndex
1829         StringObject      length
1830
1831         * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
1832         * runtime/JSCell.cpp:
1833         (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
1834         * runtime/JSCell.h:
1835         * runtime/JSFunction.cpp: `name` and `length` can be reified.
1836         (JSC::JSFunction::reifyPropertyNameIfNeeded):
1837         (JSC::JSFunction::put):
1838         (JSC::JSFunction::reifyLength):
1839         (JSC::JSFunction::reifyName):
1840         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1841         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
1842         (JSC::JSFunction::reifyLazyLengthIfNeeded):
1843         (JSC::JSFunction::reifyLazyNameIfNeeded):
1844         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1845         * runtime/JSFunction.h:
1846         (JSC::JSFunction::isLazy):
1847         (JSC::JSFunction::isReified):
1848         * runtime/JSObjectInlines.h:
1849         (JSC::JSObject::putDirectInternal): do the reification here.
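
        The following is an added example, not WebKit code, showing the observable contract
        that lazily reified function properties must honour from JavaScript: however late the
        engine allocates `name` and `length`, they must behave as ordinary own data properties
        that are non-writable, non-enumerable and configurable, so a put through the
        reification path can neither create a writable copy nor lose the real one.
        `sampleFunction` is a constructed sample.

```javascript
// Added example (not WebKit code): the observable contract of lazily reified
// `name` and `length`. Whatever the engine does internally, these must look like
// ordinary own data properties: non-writable, non-enumerable, configurable.

function describeLazyProperties(fn) {
  return {
    name: Object.getOwnPropertyDescriptor(fn, 'name'),
    length: Object.getOwnPropertyDescriptor(fn, 'length'),
  };
}

// A plain assignment goes through the put() path. Because the property is
// non-writable it must fail: TypeError in strict mode, silently ignored in
// sloppy mode. It must never end up creating a writable own `name`.
function tryPlainAssignment(fn, newName) {
  'use strict';
  try {
    fn.name = newName;
    return 'assigned';
  } catch (e) {
    return e.constructor.name;
  }
}

// Redefinition through defineProperty is allowed (configurable: true).
function rename(fn, newName) {
  Object.defineProperty(fn, 'name', { value: newName });
  return fn.name;
}

// Deleting the own property must also work; lookups then fall through to
// Function.prototype, whose `length` is 0 and `name` is "".
function dropOwnLength(fn) {
  const deleted = delete fn.length;
  return {
    deleted,
    stillOwn: Object.prototype.hasOwnProperty.call(fn, 'length'),
    inherited: fn.length,
  };
}

// Constructed sample: an own `length` of 2 and an own `name` of "sampleFunction".
function sampleFunction(a, b) {
  return a + b;
}
```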
1850
1851 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1852
1853         Provide a runtime option for disabling the optimization of recursive tail calls
1854         https://bugs.webkit.org/show_bug.cgi?id=179765
1855
1856         Reviewed by Mark Lam.
1857
1858         * bytecode/PreciseJumpTargets.cpp:
1859         (JSC::getJumpTargetsForBytecodeOffset):
1860         * bytecompiler/BytecodeGenerator.cpp:
1861         (JSC::BytecodeGenerator::emitEnter):
1862         * dfg/DFGByteCodeParser.cpp:
1863         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1864         * runtime/Options.h:
1865
1866 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1867
1868         Fix null pointer dereference in bytecodeDumper
1869         https://bugs.webkit.org/show_bug.cgi?id=179764
1870
1871         Reviewed by Mark Lam.
1872
1873         The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
1874
1875         * bytecode/BytecodeDumper.cpp:
1876         (JSC::BytecodeDumper<Block>::printCallOp):
1877
1878 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1879
1880         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1881         https://bugs.webkit.org/show_bug.cgi?id=179763
1882         <rdar://problem/35550513>
1883
1884         Reviewed by Keith Miller.
1885
1886         Fix null pointer dereference caused by an eliminated tdz_check
1887
1888         The problem was when doing an OSR entry in DFG while |this| was null
1889         (because super() had not yet been called in the constructor of this
1890         subclass), it would be marked as non-null, and the tdz_check eliminated.
1891
1892         * dfg/DFGInPlaceAbstractState.cpp:
1893         (JSC::DFG::InPlaceAbstractState::initialize):
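
        The following is an added example, not WebKit code, that exercises the invariant this
        fix restores from JavaScript: in a derived constructor `this` is in its temporal dead
        zone until super() returns, and a hot loop placed before super() is the shape that lets
        an optimizing tier enter mid-function while `this` is still uninitialized. Whether the
        optimizer actually kicks in is engine dependent; what must hold regardless is that
        reading `this` there throws ReferenceError rather than dereferencing a null binding.
        `Base` and `Derived` are constructed samples.

```javascript
// Added example (not WebKit code): `this` before super() in a derived
// constructor must throw ReferenceError, even after a hot loop that may have
// triggered OSR entry into an optimizing tier with `this` still uninitialized.

class Base {
  constructor() {
    this.ready = true;
  }
}

class Derived extends Base {
  constructor(iterations, touchThisBeforeSuper) {
    // Hot loop before super(): an OSR-entry candidate while `this` is in its TDZ.
    let acc = 0;
    for (let i = 0; i < iterations; i++) acc += i;
    if (touchThisBeforeSuper) {
      // TDZ violation: evaluating `this` here must throw ReferenceError.
      acc += this.ready ? 1 : 0;
    }
    super();
    this.acc = acc;
  }
}

// Construct and report either the computed value or the class of error thrown.
function construct(iterations, touchThisBeforeSuper) {
  try {
    return { ok: true, value: new Derived(iterations, touchThisBeforeSuper).acc };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
```

        With 100000 iterations the well-formed path returns the loop sum (4999950000) and the
        path that touches `this` early reports `ReferenceError`; an engine that reported a crash
        or a bogus value instead would be exhibiting the class of bug fixed here.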
1894
1895 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
1896
1897         Unreviewed, rolling out r224863.
1898
1899         Introduced LayoutTest crashes on iOS Simulator.
1900
1901         Reverted changeset:
1902
1903         "Move JSONValues to WTF and convert uses of InspectorValues.h
1904         to JSONValues.h"
1905         https://bugs.webkit.org/show_bug.cgi?id=173793
1906         https://trac.webkit.org/changeset/224863
1907
1908 2017-11-14  Mark Lam  <mark.lam@apple.com>
1909
1910         Gardening: CLoop build fix after r224862.
1911         https://bugs.webkit.org/show_bug.cgi?id=179699
1912
1913         Not reviewed.
1914
1915         * bytecode/CodeBlock.h:
1916         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1917
1918 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
1919
1920         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
1921         https://bugs.webkit.org/show_bug.cgi?id=173793
1922
1923         Reviewed by Brian Burg.
1924
1925         Based on patch by Brian Burg.
1926
1927         * JavaScriptCore.xcodeproj/project.pbxproj:
1928         * Sources.txt:
1929         * bindings/ScriptValue.cpp:
1930         (Inspector::jsToInspectorValue):
1931         (Inspector::toInspectorValue):
1932         (Deprecated::ScriptValue::toInspectorValue const):
1933         * bindings/ScriptValue.h:
1934         * inspector/AsyncStackTrace.cpp:
1935         * inspector/ConsoleMessage.cpp:
1936         * inspector/ContentSearchUtilities.cpp:
1937         * inspector/InjectedScript.cpp:
1938         (Inspector::InjectedScript::getFunctionDetails):
1939         (Inspector::InjectedScript::functionDetails):
1940         (Inspector::InjectedScript::getPreview):
1941         (Inspector::InjectedScript::getProperties):
1942         (Inspector::InjectedScript::getDisplayableProperties):
1943         (Inspector::InjectedScript::getInternalProperties):
1944         (Inspector::InjectedScript::getCollectionEntries):
1945         (Inspector::InjectedScript::saveResult):
1946         (Inspector::InjectedScript::wrapCallFrames const):
1947         (Inspector::InjectedScript::wrapObject const):
1948         (Inspector::InjectedScript::wrapTable const):
1949         (Inspector::InjectedScript::previewValue const):
1950         (Inspector::InjectedScript::setExceptionValue):
1951         (Inspector::InjectedScript::clearExceptionValue):
1952         (Inspector::InjectedScript::inspectObject):
1953         (Inspector::InjectedScript::releaseObject):
1954         * inspector/InjectedScriptBase.cpp:
1955         (Inspector::InjectedScriptBase::makeCall):
1956         (Inspector::InjectedScriptBase::makeEvalCall):
1957         * inspector/InjectedScriptBase.h:
1958         * inspector/InjectedScriptManager.cpp:
1959         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1960         * inspector/InspectorBackendDispatcher.cpp:
1961         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1962         (Inspector::BackendDispatcher::dispatch):
1963         (Inspector::BackendDispatcher::sendResponse):
1964         (Inspector::BackendDispatcher::sendPendingErrors):
1965         (Inspector::BackendDispatcher::getPropertyValue):
1966         (Inspector::castToInteger):
1967         (Inspector::castToNumber):
1968         (Inspector::BackendDispatcher::getInteger):
1969         (Inspector::BackendDispatcher::getDouble):
1970         (Inspector::BackendDispatcher::getString):
1971         (Inspector::BackendDispatcher::getBoolean):
1972         (Inspector::BackendDispatcher::getObject):
1973         (Inspector::BackendDispatcher::getArray):
1974         (Inspector::BackendDispatcher::getValue):
1975         * inspector/InspectorBackendDispatcher.h:
1976         * inspector/InspectorProtocolTypes.h:
1977         (Inspector::Protocol::Array::openAccessors):
1978         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
1979         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1980         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1981         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
1982         * inspector/ScriptCallFrame.cpp:
1983         * inspector/ScriptCallStack.cpp:
1984         * inspector/agents/InspectorAgent.cpp:
1985         (Inspector::InspectorAgent::inspect):
1986         * inspector/agents/InspectorAgent.h:
1987         * inspector/agents/InspectorDebuggerAgent.cpp:
1988         (Inspector::buildAssertPauseReason):
1989         (Inspector::buildCSPViolationPauseReason):
1990         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
1991         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
1992         (Inspector::buildObjectForBreakpointCookie):
1993         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1994         (Inspector::parseLocation):
1995         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1996         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1997         (Inspector::InspectorDebuggerAgent::continueToLocation):
1998         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1999         (Inspector::InspectorDebuggerAgent::didParseSource):
2000         (Inspector::InspectorDebuggerAgent::breakProgram):
2001         * inspector/agents/InspectorDebuggerAgent.h:
2002         * inspector/agents/InspectorRuntimeAgent.cpp:
2003         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2004         (Inspector::InspectorRuntimeAgent::saveResult):
2005         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2006         * inspector/agents/InspectorRuntimeAgent.h:
2007         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2008         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2009         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2010         (CppBackendDispatcherImplementationGenerator.generate_output):
2011         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2012         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2013         (CppFrontendDispatcherHeaderGenerator.generate_output):
2014         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2015         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2016         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2017         (_generate_unchecked_setter_for_member):
2018         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2019         (CppProtocolTypesImplementationGenerator):
2020         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2021         (ObjCBackendDispatcherImplementationGenerator.generate_output):
2022         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2023         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2024         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2025         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2026         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
2027         * inspector/scripts/codegen/generate_objc_internal_header.py:
2028         (ObjCInternalHeaderGenerator.generate_output):
2029         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2030         (ObjCProtocolTypesImplementationGenerator.generate_output):
2031         * inspector/scripts/codegen/generator.py:
2032         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2033         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2034         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2035         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2036         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2037         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2038         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2039         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2040         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2041         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2042         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2043         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2044         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2045         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2046         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2047         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2048         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2049         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2050         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2051         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2052
2053 2017-11-14  Mark Lam  <mark.lam@apple.com>
2054
2055         Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
2056         https://bugs.webkit.org/show_bug.cgi?id=179699
2057         <rdar://problem/35462346>
2058
2059         Reviewed by Michael Saboff.
2060
2061         * interpreter/Interpreter.cpp:
2062         (JSC::Interpreter::dumpRegisters):
2063         - Need to skip the callee saved registers
2064
2065 2017-11-14  Guillaume Emont  <guijemont@igalia.com>
2066
2067         REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
2068         https://bugs.webkit.org/show_bug.cgi?id=179563
2069
2070         Reviewed by Carlos Alberto Lopez Perez.
2071
2072         When run with BranchIfTruncateSuccessful,
2073         branchTruncateDoubleToInt32() should set the destination register
2074         before branching.
2075         This change also removes branchTruncateDoubleToUInt32() as it is
2076         deprecated (see r160205), merges branchOnTruncateResult() into
2077         branchTruncateDoubleToInt32() and adds test cases in testmasm.
2078
2079         * assembler/MacroAssemblerMIPS.h:
2080         (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
2081         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
2082         Properly set dest before branching.
2083         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
2084         * assembler/testmasm.cpp:
2085         (JSC::testBranchTruncateDoubleToInt32):
2086         (JSC::run):
2087         Add tests for branchTruncateDoubleToInt32().
2088
2089 2017-11-14  Daniel Bates  <dabates@apple.com>
2090
2091         Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
2092         for feature defines
2093
2094         Following r195498 and r201917 the Visual Studio property files for feature defines have
2095         moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
2096         Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
2097         files.
2098
2099         * Configurations/FeatureDefines.xcconfig:
2100
2101 2017-11-14  Mark Lam  <mark.lam@apple.com>
2102
2103         Remove JSDollarVMPrototype.
2104         https://bugs.webkit.org/show_bug.cgi?id=179685
2105
2106         Reviewed by Saam Barati.
2107
2108         1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
2109
2110            This allows us to call these functions during lldb debugging sessions using
2111            VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
2112            VMInspector provides VM debugging utility methods.  It doesn't make sense to
2113            have a JSDollarVMPrototype object provide these methods.
2114
2115            Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
2116
2117         2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
2118
2119            JSDollarVM is a special object used only for debugging purposes.  There's no
2120            gain in requiring its methods to be stored in a prototype object other than to
2121            conform to typical JS convention.  We can remove this complexity.
2122
2123         * JavaScriptCore.xcodeproj/project.pbxproj:
2124         * Sources.txt:
2125         * runtime/JSGlobalObject.cpp:
2126         (JSC::JSGlobalObject::init):
2127         * tools/JSDollarVM.cpp:
2128         (JSC::JSDollarVM::addFunction):
2129         (JSC::functionCrash):
2130         (JSC::functionDFGTrue):
2131         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2132         (JSC::CallerFrameJITTypeFunctor::operator() const):
2133         (JSC::CallerFrameJITTypeFunctor::jitType):
2134         (JSC::functionLLintTrue):
2135         (JSC::functionJITTrue):
2136         (JSC::functionGC):
2137         (JSC::functionEdenGC):
2138         (JSC::functionCodeBlockForFrame):
2139         (JSC::codeBlockFromArg):
2140         (JSC::functionCodeBlockFor):
2141         (JSC::functionPrintSourceFor):
2142         (JSC::functionPrintBytecodeFor):
2143         (JSC::functionPrint):
2144         (JSC::functionPrintCallFrame):
2145         (JSC::functionPrintStack):
2146         (JSC::functionValue):
2147         (JSC::functionGetPID):
2148         (JSC::JSDollarVM::finishCreation):
2149         * tools/JSDollarVM.h:
2150         (JSC::JSDollarVM::create):
2151         * tools/JSDollarVMPrototype.cpp: Removed.
2152         * tools/JSDollarVMPrototype.h: Removed.
2153         * tools/VMInspector.cpp:
2154         (JSC::VMInspector::currentThreadOwnsJSLock):
2155         (JSC::ensureCurrentThreadOwnsJSLock):
2156         (JSC::VMInspector::gc):
2157         (JSC::VMInspector::edenGC):
2158         (JSC::VMInspector::isInHeap):
2159         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
2160         (JSC::CellAddressCheckFunctor::operator() const):
2161         (JSC::VMInspector::isValidCell):
2162         (JSC::VMInspector::isValidCodeBlock):
2163         (JSC::VMInspector::codeBlockForFrame):
2164         (JSC::PrintFrameFunctor::PrintFrameFunctor):
2165         (JSC::PrintFrameFunctor::operator() const):
2166         (JSC::VMInspector::printCallFrame):
2167         (JSC::VMInspector::printStack):
2168         (JSC::VMInspector::printValue):
2169         * tools/VMInspector.h:
2170
2171 2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>
2172
2173         Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
2174         https://bugs.webkit.org/show_bug.cgi?id=179640
2175         <rdar://problem/35517361>
2176
2177         Reviewed by Devin Rousso.
2178
2179         * CMakeLists.txt:
2180         * DerivedSources.make:
2181         Gate the ServiceWorker domain on the ENABLE feature flag.
2182
2183         * inspector/protocol/ServiceWorker.json: Added.
2184         New domain to be made available inside of a ServiceWorker target.
2185
2186 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2187
2188         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2189         https://bugs.webkit.org/show_bug.cgi?id=179594
2190
2191         Reviewed by Saam Barati.
2192
2193         Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
2194         If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
2195         `arguments[i]` accesses if i is in bounds, and (2) encourage the arguments elimination phase
2196         to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
2197         PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
2198
2199         This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
2200         accept this type, and emit optimized code compared to Array::Generic case.
2201
2202         We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) exit with OutOfBounds
2203         instead of ExoticObjectMode.
2204
2205         This change significantly improves SixSpeed rest.es5 since it uses OOB access.
2206         Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
2207
2208             rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster
2209
2210         * dfg/DFGArgumentsEliminationPhase.cpp:
2211         * dfg/DFGArrayMode.cpp:
2212         (JSC::DFG::ArrayMode::refine const):
2213         * dfg/DFGClobberize.h:
2214         (JSC::DFG::clobberize):
2215         * dfg/DFGSpeculativeJIT.cpp:
2216         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2217         * ftl/FTLLowerDFGToB3.cpp:
2218         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2219         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2220
2221 2017-11-14  Saam Barati  <sbarati@apple.com>
2222
2223         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2224         https://bugs.webkit.org/show_bug.cgi?id=179639
2225         <rdar://problem/35513018>
2226
2227         Reviewed by JF Bastien.
2228
2229         Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
2230         walk the stack for ShadowChicken (and maybe other things). We weren't updating
2231         topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
2232         use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
2233         this bug by giving Wasm::Instance a lambda that is called when we need to store
2234         the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
2235         Currently, JSWebAssemblyInstance passes in a lambda that stores to
2236         VM.topCallFrame.
2237
2238         * wasm/WasmB3IRGenerator.cpp:
2239         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2240         * wasm/WasmInstance.cpp:
2241         (JSC::Wasm::Instance::Instance):
2242         (JSC::Wasm::Instance::create):
2243         * wasm/WasmInstance.h:
2244         (JSC::Wasm::Instance::storeTopCallFrame):
2245         * wasm/js/JSWebAssemblyInstance.cpp:
2246         (JSC::JSWebAssemblyInstance::create):
2247         * wasm/js/JSWebAssemblyInstance.h:
2248         * wasm/js/WasmToJS.cpp:
2249         (JSC::Wasm::wasmToJSException):
2250         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2251         (JSC::constructJSWebAssemblyInstance):
2252         * wasm/js/WebAssemblyPrototype.cpp:
2253         (JSC::instantiate):
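
An added example, not the project's own test case, of the call path the fix above is concerned with: `memory.grow` executed from inside wasm code (rather than `WebAssembly.Memory.prototype.grow` called from JS) while the JS heap is under allocation pressure, which is the situation in which a collector may run inside `Wasm::Memory::grow`. The wasm module is hand-assembled here and the `growFromWasm` helper is an assumption of this example; on a fixed engine it simply reports the page counts and shows that growing detaches the previous `ArrayBuffer`.

```javascript
// Hand-assembled wasm module (constructed for this example), equivalent to:
//   (memory (export "mem") 1)
//   (func (export "grow") (param i32) (result i32) local.get 0 memory.grow)
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic + version
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,             // type 0: (i32) -> i32
  0x03, 0x02, 0x01, 0x00,                                     // func 0 has type 0
  0x05, 0x03, 0x01, 0x00, 0x01,                               // memory: min 1 page, no max
  0x07, 0x0e, 0x02,                                           // 2 exports:
  0x04, 0x67, 0x72, 0x6f, 0x77, 0x00, 0x00,                   //   "grow" -> func 0
  0x03, 0x6d, 0x65, 0x6d, 0x02, 0x00,                         //   "mem"  -> memory 0
  0x0a, 0x08, 0x01, 0x06, 0x00, 0x20, 0x00, 0x40, 0x00, 0x0b, // body: local.get 0; memory.grow; end
]);

const WASM_PAGE_BYTES = 65536;

// Compile and instantiate synchronously; the module imports nothing.
function instantiate() {
  const module = new WebAssembly.Module(WASM_BYTES);
  const instance = new WebAssembly.Instance(module, {});
  return instance.exports;
}

// Grow the memory from inside wasm `rounds` times, allocating JS garbage between
// calls so that any collection triggered by grow has live JS frames above the
// wasm frame to walk. Returns what the caller can observe afterwards.
function growFromWasm(rounds) {
  const { grow, mem } = instantiate();
  const initialBuffer = mem.buffer;        // ArrayBuffer backing the 1-page memory
  const garbage = [];
  let lastOldPages = -1;
  for (let i = 0; i < rounds; i++) {
    lastOldPages = grow(1);                // wasm returns the previous size in pages, -1 on failure
    if (lastOldPages < 0) throw new Error('memory.grow failed');
    garbage.push(new Array(1024).fill(i)); // allocation pressure on the JS heap
  }
  return {
    pagesBefore: 1,
    pagesAfter: mem.buffer.byteLength / WASM_PAGE_BYTES,
    oldBufferDetached: initialBuffer.byteLength === 0, // grow detaches the previous buffer
    lastOldPages,
  };
}
```

Running `growFromWasm(8)` yields 9 pages, a last return value of 8 from the wasm `grow` export, and a detached initial buffer; any code still holding the old `ArrayBuffer` after a grow must re-read `mem.buffer`.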
2254
2255 2017-11-13  Saam Barati  <sbarati@apple.com>
2256
2257         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
2258         https://bugs.webkit.org/show_bug.cgi?id=179203
2259
2260         Reviewed by Yusuke Suzuki.
2261
2262         This patch only removes the pointer caging for the described types in the title.
2263         These types still allocate out of the gigacage. This is just a cost vs. benefit
2264         tradeoff of performance vs. security.
2265
2266         * dfg/DFGSpeculativeJIT.cpp:
2267         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2268         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2269         * ftl/FTLLowerDFGToB3.cpp:
2270         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2271         * jit/JITPropertyAccess.cpp:
2272         (JSC::JIT::emitDirectArgumentsGetByVal):
2273         (JSC::JIT::emitScopedArgumentsGetByVal):
2274         * runtime/DirectArguments.h:
2275         (JSC::DirectArguments::storage):
2276         * runtime/HashMapImpl.cpp:
2277         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2278         * runtime/HashMapImpl.h:
2279         * runtime/JSLexicalEnvironment.h:
2280         (JSC::JSLexicalEnvironment::variables):
2281         * runtime/ScopedArguments.h:
2282         (JSC::ScopedArguments::overflowStorage const):
2283
2284 2017-11-08  Keith Miller  <keith_miller@apple.com>
2285
2286         Async iteration should only fetch the next method once and add feature flag
2287         https://bugs.webkit.org/show_bug.cgi?id=179451
2288
2289         Reviewed by Geoffrey Garen.
2290
2291         Add a feature flag for async iteration. Also, change async iteration to match
2292         the expected behavior of the proposal.
2293
2294         * Configurations/FeatureDefines.xcconfig:
2295         * builtins/AsyncFromSyncIteratorPrototype.js:
2296         (globalPrivate.createAsyncFromSyncIterator):
2297         (globalPrivate.AsyncFromSyncIteratorConstructor):
2298         * builtins/BuiltinNames.h:
2299         * bytecompiler/BytecodeGenerator.cpp:
2300         (JSC::BytecodeGenerator::emitGetAsyncIterator):
2301         * runtime/Options.h:
2302
2303 2017-11-13  Mark Lam  <mark.lam@apple.com>
2304
2305         Add more overflow check book-keeping for MarkedArgumentBuffer.
2306         https://bugs.webkit.org/show_bug.cgi?id=179634
2307         <rdar://problem/35492517>
2308
2309         Reviewed by Saam Barati.
2310
2311         * runtime/ArgList.h:
2312         (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
2313         * runtime/JSJob.cpp:
2314         (JSC::JSJobMicrotask::run):
2315         * runtime/ObjectConstructor.cpp:
2316         (JSC::defineProperties):
2317         * runtime/ReflectObject.cpp:
2318         (JSC::reflectObjectConstruct):
2319
2320 2017-11-13  Guillaume Emont  <guijemont@igalia.com>
2321
2322         [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
2323         https://bugs.webkit.org/show_bug.cgi?id=179542
2324
2325         Reviewed by Alex Christensen.
2326
2327         * assembler/MacroAssemblerARM.h:
2328         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
2329
2330 2017-11-13  Mark Lam  <mark.lam@apple.com>
2331
2332         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2333         https://bugs.webkit.org/show_bug.cgi?id=179619
2334         <rdar://problem/35492518>
2335
2336         Reviewed by Saam Barati.
2337
2338         * jsc.cpp:
2339         (functionLoadGetterFromGetterSetter):
2340
2341 2017-11-12  Darin Adler  <darin@apple.com>
2342
2343         More is<> and downcast<>, less static_cast<>
2344         https://bugs.webkit.org/show_bug.cgi?id=179600
2345
2346         Reviewed by Chris Dumez.
2347
2348         * runtime/JSString.h:
2349         (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
2350         (JSC::jsSubstringOfResolved): Ditto.
2351
2352 2017-11-12  Mark Lam  <mark.lam@apple.com>
2353
2354         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2355         https://bugs.webkit.org/show_bug.cgi?id=179562
2356         <rdar://problem/35467022>
2357
2358         Reviewed by Saam Barati.
2359
2360         * dfg/DFGFixupPhase.cpp:
2361         (JSC::DFG::FixupPhase::fixupNode):
2362         * dfg/DFGOperations.cpp:
2363         * dfg/DFGSafeToExecute.h:
2364         (JSC::DFG::SafeToExecuteEdge::operator()):
2365         * dfg/DFGSpeculativeJIT.cpp:
2366         (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
2367         (JSC::DFG::SpeculativeJIT::speculate):
2368         * dfg/DFGSpeculativeJIT.h:
2369         * dfg/DFGUseKind.cpp:
2370         (WTF::printInternal):
2371         * dfg/DFGUseKind.h:
2372         (JSC::DFG::typeFilterFor):
2373         * ftl/FTLCapabilities.cpp:
2374         (JSC::FTL::canCompile):
2375         * ftl/FTLLowerDFGToB3.cpp:
2376         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2377         (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
2378
2379 2017-11-11  Devin Rousso  <webkit@devinrousso.com>
2380
2381         Web Inspector: Canvas tab: show detailed status during canvas recording
2382         https://bugs.webkit.org/show_bug.cgi?id=178185
2383         <rdar://problem/34939862>
2384
2385         Reviewed by Brian Burg.
2386
2387         * inspector/protocol/Canvas.json:
2388         Add a `recordingProgress` event that is sent to the frontend that contains all the frame
2389         payloads since the last Canvas.recordingProgress event and the current buffer usage.
2390
2391         * inspector/protocol/Recording.json:
2392         Remove the required `frames` parameter from the Recording protocol object, as they will be
2393         sent in batches via the Canvas.recordingProgress event.
2394
2395 2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>
2396
2397         Web Inspector: Make http status codes be "integer" instead of "number" in protocol
2398         https://bugs.webkit.org/show_bug.cgi?id=179543
2399
2400         Reviewed by Antoine Quint.
2401
2402         * inspector/protocol/Network.json:
2403         Use a better type for the status code.
2404
2405 2017-11-10  Robin Morisset  <rmorisset@apple.com>
2406
2407         The memory consumption of DFG::BasicBlock can be easily reduced a bit
2408         https://bugs.webkit.org/show_bug.cgi?id=179528
2409
2410         Reviewed by Saam Barati.
2411
2412         A few changes here:
2413         - Reordering some fields of DFG::BasicBlock to reduce padding
2414         - Making the enum fields that are glorified booleans fit into a u8
2415         - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
2416           This change works because we never increase the number of arguments after allocating an Operands object.
2417           It lets us avoid one extra capacity field and one extra pointer field per Operands,
2418           and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
2419           Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
2420           we have a chance to avoid an allocation.
2421         - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
2422
2423         * bytecode/Operands.h:
2424         (JSC::Operands::Operands):
2425         (JSC::Operands::numberOfArguments const):
2426         (JSC::Operands::numberOfLocals const):
2427         (JSC::Operands::argument):
2428         (JSC::Operands::argument const):
2429         (JSC::Operands::local):
2430         (JSC::Operands::local const):
2431         (JSC::Operands::ensureLocals):
2432         (JSC::Operands::setLocal):
2433         (JSC::Operands::getLocal):
2434         (JSC::Operands::setArgumentFirstTime):
2435         (JSC::Operands::setLocalFirstTime):
2436         (JSC::Operands::operand):
2437         (JSC::Operands::setOperand):
2438         (JSC::Operands::size const):
2439         (JSC::Operands::at const):
2440         (JSC::Operands::at):
2441         (JSC::Operands::isArgument const):
2442         (JSC::Operands::isVariable const):
2443         (JSC::Operands::virtualRegisterForIndex const):
2444         (JSC::Operands::fill):
2445         (JSC::Operands::operator== const):
2446         (JSC::Operands::argumentForIndex const): Deleted.
2447         (JSC::Operands::variableForIndex const): Deleted.
2448         (JSC::Operands::indexForOperand const): Deleted.
2449         * dfg/DFGBasicBlock.cpp:
2450         (JSC::DFG::BasicBlock::BasicBlock):
2451         * dfg/DFGBasicBlock.h:
2452         * dfg/DFGBranchDirection.h:
2453         * dfg/DFGStructureClobberState.h:
2454
2455 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2456
2457         [JSC] Retry module fetching if previous request fails
2458         https://bugs.webkit.org/show_bug.cgi?id=178168
2459
2460         Reviewed by Saam Barati.
2461
2462         According to the latest spec, the failed fetching operation can be retried if it is requested again.
2463         For example,
2464
2465             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
2466             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
2467
2468         When performing the first module fetch, the integrity check fails, and the load of this module fails.
2469         But when loading the second module, we do not use the cached failure result from the first module load.
2470         We retry fetching "./A.js". In this case, we have the correct integrity and module fetching succeeds.
2471         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
2472
2473         Interestingly, the fetching result and instantiation result will be cached if they succeed. This is because we would
2474         like to cache modules based on their URLs. As a result,
2475
2476             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
2477             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
2478
2479         In the above case, the first loading succeeds. And the second loading also succeeds since the successful fetching and
2480         instantiation are cached in the module pipeline.
2481
2482         This patch implements the above semantics. Previously, our module pipeline always cached the result. If the fetching
2483         failed, all subsequent fetches for the same URL failed even if we had different integrity values. We retry fetching
2484         if the previous one fails. As an overview of our change,
2485
2486         1. The fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URL should
2487            be unified. But if the currently executing one fails, other attempts should retry fetching.
2488
2489         2. Instantiation should be cached if fetching succeeds.
2490
2491         3. Satisfying should be cached if it succeeds.
2492
2493         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
2494
2495         * builtins/ModuleLoaderPrototype.js:
2496         (requestFetch):
2497         (requestInstantiate):
2498         (requestSatisfy):
2499         (link):
2500         (loadModule):
2501         * runtime/JSGlobalObject.cpp:
2502         (JSC::JSGlobalObject::init):
2503
2504 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
2505
2506         Web Inspector: support undo/redo of insertAdjacentHTML
2507         https://bugs.webkit.org/show_bug.cgi?id=179283
2508
2509         Reviewed by Joseph Pecoraro.
2510
2511         * inspector/protocol/DOM.json:
2512         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
2513         on the given node.
2514
2515 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
2516
2517         Web Inspector: Make domain availability a list of types instead of a single type
2518         https://bugs.webkit.org/show_bug.cgi?id=179457
2519
2520         Reviewed by Brian Burg.
2521
2522         * inspector/scripts/codegen/generate_js_backend_commands.py:
2523         (JSBackendCommandsGenerator.generate_domain):
2524         Update output of `InspectorBackend.activateDomain` to include the list.
2525
2526         * inspector/scripts/codegen/models.py:
2527         (Protocol.parse_domain):
2528         Parse `availability` as a list and include a new supported value of "service-worker".
2529
2530         * inspector/protocol/ApplicationCache.json:
2531         * inspector/protocol/CSS.json:
2532         * inspector/protocol/Canvas.json:
2533         * inspector/protocol/DOM.json:
2534         * inspector/protocol/DOMDebugger.json:
2535         * inspector/protocol/DOMStorage.json:
2536         * inspector/protocol/Database.json:
2537         * inspector/protocol/IndexedDB.json:
2538         * inspector/protocol/LayerTree.json:
2539         * inspector/protocol/Memory.json:
2540         * inspector/protocol/Network.json:
2541         * inspector/protocol/Page.json:
2542         * inspector/protocol/Timeline.json:
2543         * inspector/protocol/Worker.json:
2544         Update `availability` to be a list.
2545
2546         * inspector/scripts/tests/generic/domain-availability.json:
2547         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2548         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
2549         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
2550         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
2551         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
2552         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
2553         Update tests to include a test for the type and an invalid value.
2554
2555 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2556
2557         [JSC][JIT] Clean up SlowPathCall stubs
2558         https://bugs.webkit.org/show_bug.cgi?id=179247
2559
2560         Reviewed by Saam Barati.
2561
2562         We have a bunch of duplicate functions that just call a slow path function.
2563         This patch cleans up the above duplication.
2564
2565         * jit/JIT.cpp:
2566         (JSC::JIT::emitSlowCaseCall):
2567         (JSC::JIT::privateCompileSlowCases):
2568         * jit/JIT.h:
2569         * jit/JITArithmetic.cpp:
2570         (JSC::JIT::emitSlow_op_unsigned): Deleted.
2571         (JSC::JIT::emitSlow_op_inc): Deleted.
2572         (JSC::JIT::emitSlow_op_dec): Deleted.
2573         (JSC::JIT::emitSlow_op_bitand): Deleted.
2574         (JSC::JIT::emitSlow_op_bitor): Deleted.
2575         (JSC::JIT::emitSlow_op_bitxor): Deleted.
2576         (JSC::JIT::emitSlow_op_lshift): Deleted.
2577         (JSC::JIT::emitSlow_op_rshift): Deleted.
2578         (JSC::JIT::emitSlow_op_urshift): Deleted.
2579         (JSC::JIT::emitSlow_op_div): Deleted.
2580         * jit/JITArithmetic32_64.cpp:
2581         (JSC::JIT::emitSlow_op_unsigned): Deleted.
2582         (JSC::JIT::emitSlow_op_inc): Deleted.
2583         (JSC::JIT::emitSlow_op_dec): Deleted.
2584         * jit/JITOpcodes.cpp:
2585         (JSC::JIT::emitSlow_op_create_this): Deleted.
2586         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
2587         (JSC::JIT::emitSlow_op_to_this): Deleted.
2588         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
2589         (JSC::JIT::emitSlow_op_not): Deleted.
2590         (JSC::JIT::emitSlow_op_stricteq): Deleted.
2591         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
2592         (JSC::JIT::emitSlow_op_to_number): Deleted.
2593         (JSC::JIT::emitSlow_op_to_string): Deleted.
2594         (JSC::JIT::emitSlow_op_to_object): Deleted.
2595         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
2596         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
2597         * jit/JITOpcodes32_64.cpp:
2598         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
2599         (JSC::JIT::emitSlow_op_not): Deleted.
2600         (JSC::JIT::emitSlow_op_stricteq): Deleted.
2601         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
2602         (JSC::JIT::emitSlow_op_to_number): Deleted.
2603         (JSC::JIT::emitSlow_op_to_string): Deleted.
2604         (JSC::JIT::emitSlow_op_to_object): Deleted.
2605         (JSC::JIT::emitSlow_op_create_this): Deleted.
2606         (JSC::JIT::emitSlow_op_to_this): Deleted.
2607         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
2608         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
2609         * jit/JITPropertyAccess.cpp:
2610         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
2611         * jit/JITPropertyAccess32_64.cpp:
2612         (JSC::JIT::emit_op_resolve_scope):
2613         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
2614         * jit/SlowPathCall.h:
2615         (JSC::JITSlowPathCall::JITSlowPathCall):
2616         * runtime/CommonSlowPaths.cpp:
2617         (JSC::SLOW_PATH_DECL):
2618         * runtime/CommonSlowPaths.h:
2619
2620 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
2621
2622         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
2623         https://bugs.webkit.org/show_bug.cgi?id=179446
2624
2625         Reviewed by Žan Doberšek.
2626
2627         The trunc.w.d MIPS instruction should give a 0x7fffffff result when
2628         the source value is Infinity, NaN, or rounds to an integer outside the
2629         range -2^31 to 2^31 -1. This is what branchTruncateDoubleToInt32() and
2630         branchTruncateDoubleToUInt32() have been relying on. It turns out that
2631         this assumption is not true on some CPUs, including on the ci20 on
2632         which we run the testbot (we get 0x80000000 instead). We should use the
2633         invalid operation cause bit instead to check whether the source value
2634         could be properly truncated. This requires the addition of the cfc1
2635         instruction, as well as the special registers that can be used with it
2636         (control registers of CP1).
2637
2638         * assembler/MIPSAssembler.h:
2639         (JSC::MIPSAssembler::firstSPRegister):
2640         (JSC::MIPSAssembler::lastSPRegister):
2641         (JSC::MIPSAssembler::numberOfSPRegisters):
2642         (JSC::MIPSAssembler::sprName):
2643         Added control registers of CP1.
2644         (JSC::MIPSAssembler::cfc1):
2645         Added.
2646         * assembler/MacroAssemblerMIPS.h:
2647         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
2648         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
2649         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
2650         Use fcsr to check if the value could be properly truncated.
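
The MIPS change above reads the FCSR invalid-operation cause bit instead of trusting the truncated result. The following is an added example, not code from JavaScriptCore or the patch: the pure-software equivalent of that check in C++, which decides range validity before converting rather than inspecting the hardware result afterwards. The `sentinelIsAmbiguous` helper (a name introduced here) shows why a result-only check is unreliable: 0x7fffffff and 0x80000000 are both legitimate outputs for in-range inputs, so neither can serve as an unambiguous failure marker.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Truncation toward zero (like trunc.w.d) with an explicit validity check.
// Returns false for NaN, +/-Infinity and any value whose truncation does not
// fit in int32_t. The range test runs before the cast because converting an
// out-of-range double to an integer is undefined behaviour in C++.
bool truncateDoubleToInt32(double value, int32_t& result)
{
    if (std::isnan(value))
        return false;
    // value >= 2^31 or value <= -(2^31 + 1) truncates outside [INT32_MIN, INT32_MAX].
    // -2147483648.9 still truncates to INT32_MIN, so it is accepted.
    if (value >= 2147483648.0 || value <= -2147483649.0)
        return false;
    result = static_cast<int32_t>(value);
    return true;
}

// Same idea for the unsigned variant: (-1, 2^32) is exactly the set of
// doubles whose truncation lies in [0, UINT32_MAX]; -0.5 truncates to 0.
bool truncateDoubleToUint32(double value, uint32_t& result)
{
    if (std::isnan(value))
        return false;
    if (value >= 4294967296.0 || value <= -1.0)
        return false;
    result = static_cast<uint32_t>(value);
    return true;
}

// Both the 0x7fffffff the original code treated as "invalid" and the
// 0x80000000 the ci20 produced are valid results for in-range inputs,
// which is why a flag (FCSR cause bit) is needed rather than a sentinel.
bool sentinelIsAmbiguous()
{
    int32_t a = 0;
    int32_t b = 0;
    bool okA = truncateDoubleToInt32(2147483647.0, a);  // a == 0x7fffffff
    bool okB = truncateDoubleToInt32(-2147483648.0, b); // b == 0x80000000
    return okA && okB && a == std::numeric_limits<int32_t>::max()
        && b == std::numeric_limits<int32_t>::min();
}
```

The software check is what a JIT would emit as a compare-and-branch before the conversion when it cannot rely on either the saturated result or a status flag; the patch instead keeps the single conversion and consults FCSR, which is cheaper on hardware that sets the flag correctly.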
2651
2652 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
2653
2654         HTMLMediaElement should not use element fullscreen on iOS
2655         https://bugs.webkit.org/show_bug.cgi?id=179418
2656         rdar://problem/35409277
2657
2658         Reviewed by Eric Carlson.
2659
2660         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
2661
2662         * Configurations/FeatureDefines.xcconfig:
2663
2664 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
2665
2666         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
2667         https://bugs.webkit.org/show_bug.cgi?id=179276
2668
2669         Reviewed by Andy Estes.
2670
2671         * inspector/InjectedScriptHost.h:
2672         * inspector/JSInjectedScriptHost.cpp:
2673         (Inspector::JSInjectedScriptHost::getInternalProperties):
2674         Call through to virtual implementation so that WebCore can provide custom
2675         internal properties for Web / DOM objects.
2676
2677 2017-11-08  Saam Barati  <sbarati@apple.com>
2678
2679         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2680         https://bugs.webkit.org/show_bug.cgi?id=177792
2681
2682         Reviewed by Yusuke Suzuki.
2683
2684         Before this patch, if a JSFunction's rare data initialized its allocation profile
2685         before its backing Executable's poly proto watchpoint was invalidated, that
2686         JSFunction would continue to allocate non-poly proto objects until its allocation
2687         profile was cleared (which essentially never happens in practice). This patch
2688         improves on this pathology. A JSFunction's rare data will now watch the poly
2689         proto watchpoint if it's still valid and clear its allocation profile when we
2690         detect that we should go poly proto.
2691
2692         * bytecode/ObjectAllocationProfile.h:
2693         * bytecode/ObjectAllocationProfileInlines.h:
2694         (JSC::ObjectAllocationProfile::initializeProfile):
2695         * runtime/FunctionRareData.cpp:
2696         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2697         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
2698         * runtime/FunctionRareData.h:
2699         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
2700         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
2701         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
2702
2703 2017-11-08  Keith Miller  <keith_miller@apple.com>
2704
2705         Add super sampler begin and end bytecodes.
2706         https://bugs.webkit.org/show_bug.cgi?id=179376
2707
2708         Reviewed by Filip Pizlo.
2709
2710         This patch adds a way to measure a narrow range of bytecodes for
2711         performance. This is done using the same infrastructure as the
2712         super sampler. I also added a class that helps do the bytecode
2713         checking with RAII. One problem with the current way this is done
2714         is that we don't handle decrementing early exits, either from
2715         branches or exceptions. So, when using this API users need to
2716         ensure that there are no early exits or that those exits don't
2717         occur on the measure code.
2718
2719         * JavaScriptCore.xcodeproj/project.pbxproj:
2720         * bytecode/BytecodeDumper.cpp:
2721         (JSC::BytecodeDumper<Block>::dumpBytecode):
2722         * bytecode/BytecodeList.json:
2723         * bytecode/BytecodeUseDef.h:
2724         (JSC::computeUsesForBytecodeOffset):
2725         (JSC::computeDefsForBytecodeOffset):
2726         * bytecompiler/BytecodeGenerator.cpp:
2727         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
2728         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
2729         * bytecompiler/BytecodeGenerator.h:
2730         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
2731         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
2732         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
2733         * dfg/DFGAbstractInterpreterInlines.h:
2734         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2735         * dfg/DFGByteCodeParser.cpp:
2736         (JSC::DFG::ByteCodeParser::parseBlock):
2737         * dfg/DFGClobberize.h:
2738         (JSC::DFG::clobberize):
2739         * dfg/DFGClobbersExitState.cpp:
2740         (JSC::DFG::clobbersExitState):
2741         * dfg/DFGDoesGC.cpp:
2742         (JSC::DFG::doesGC):
2743         * dfg/DFGFixupPhase.cpp:
2744         (JSC::DFG::FixupPhase::fixupNode):
2745         * dfg/DFGMayExit.cpp:
2746         * dfg/DFGNodeType.h:
2747         * dfg/DFGPredictionPropagationPhase.cpp:
2748         * dfg/DFGSafeToExecute.h:
2749         (JSC::DFG::safeToExecute):
2750         * dfg/DFGSpeculativeJIT.cpp:
2751         * dfg/DFGSpeculativeJIT32_64.cpp:
2752         (JSC::DFG::SpeculativeJIT::compile):
2753         * dfg/DFGSpeculativeJIT64.cpp:
2754         (JSC::DFG::SpeculativeJIT::compile):
2755         * ftl/FTLCapabilities.cpp:
2756         (JSC::FTL::canCompile):
2757         * ftl/FTLLowerDFGToB3.cpp:
2758         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2759         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
2760         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
2761         * jit/JIT.cpp:
2762         (JSC::JIT::privateCompileMainPass):
2763         * jit/JIT.h:
2764         * jit/JITOpcodes.cpp:
2765         (JSC::JIT::emit_op_super_sampler_begin):
2766         (JSC::JIT::emit_op_super_sampler_end):
2767         * llint/LLIntSlowPaths.cpp:
2768         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2769         * llint/LLIntSlowPaths.h:
2770         * llint/LowLevelInterpreter.asm:
2771
2772 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2773
2774         Turn recursive tail calls into loops
2775         https://bugs.webkit.org/show_bug.cgi?id=176601
2776
2777         Reviewed by Saam Barati.
2778
2779         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2780
2781         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
2782         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
2783         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
2784         We do this part through modifying the computation of the jump targets.
2785         Importantly, we only do this splitting for functions that have tail calls.
2786         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
2787
2788         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
2789         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
2790
2791         * bytecode/CodeBlock.h:
2792         (JSC::CodeBlock::hasTailCalls const):
2793         * bytecode/PreciseJumpTargets.cpp:
2794         (JSC::getJumpTargetsForBytecodeOffset):
2795         (JSC::computePreciseJumpTargetsInternal):
2796         * bytecode/UnlinkedCodeBlock.cpp:
2797         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2798         * bytecode/UnlinkedCodeBlock.h:
2799         (JSC::UnlinkedCodeBlock::hasTailCalls const):
2800         (JSC::UnlinkedCodeBlock::setHasTailCalls):
2801         * bytecompiler/BytecodeGenerator.cpp:
2802         (JSC::BytecodeGenerator::emitEnter):
2803         (JSC::BytecodeGenerator::emitCallInTailPosition):
2804         * dfg/DFGByteCodeParser.cpp:
2805         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
2806         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
2807         (JSC::DFG::ByteCodeParser::handleCall):
2808         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2809         (JSC::DFG::ByteCodeParser::parseBlock):
2810         (JSC::DFG::ByteCodeParser::parse):
2811
2812 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
2813
2814         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
2815         https://bugs.webkit.org/show_bug.cgi?id=179407
2816
2817         Reviewed by Matt Baker.
2818
2819         * inspector/protocol/Page.json:
2820         Remove unused protocol type.
2821
2822 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
2823
2824         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
2825         https://bugs.webkit.org/show_bug.cgi?id=173619
2826
2827         Reviewed by Alex Christensen and Brian Burg.
2828
2829         Eventually all classes used for our JSON-RPC message passing should be outside
2830         of the Inspector namespace since the protocol is used outside of Inspector code.
2831         This will also allow us to unify the primitive JSON types with parametric types
2832         like Inspector::Protocol::Array<T> and other protocol-related types which don't
2833         need to be in the Inspector namespace.
2834
2835         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
2836         patches, other clients will move to use JSON::Value and friends. When all uses are
2837         changed, the actual implementation will be renamed. This patch just focuses on the typedef
2838         and making changes in generated protocol code.
2839
2840         Original patch by Brian Burg, rebased and updated by me.
2841
2842         * inspector/InspectorValues.cpp:
2843         * inspector/InspectorValues.h:
2844         * inspector/scripts/codegen/cpp_generator.py:
2845         (CppGenerator.cpp_protocol_type_for_type):
2846         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
2847         (CppGenerator.cpp_type_for_type_with_name):
2848         (CppGenerator.cpp_type_for_stack_in_parameter):
2849         * inspector/scripts/codegen/cpp_generator_templates.py:
2850         (void):
2851         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2852         (_generate_class_for_object_declaration):
2853         (_generate_forward_declarations_for_binding_traits):
2854         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2855         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
2856         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
2857         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2858         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2859         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2860         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2861         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2862         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2863         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2864         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2865         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2866         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2867         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2868         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2869         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2870         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2871
2872 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
2873
2874         Get rid of unsightly hex numbers from unified build object files
2875         https://bugs.webkit.org/show_bug.cgi?id=179410
2876
2877         Reviewed by Saam Barati.
2878
2879         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
2880
2881 2017-11-07  Saam Barati  <sbarati@apple.com>
2882
2883         Only cage double butterfly accesses
2884         https://bugs.webkit.org/show_bug.cgi?id=179202
2885
2886         Reviewed by Mark Lam.
2887
2888         This patch removes caging from all butterfly accesses except double loads/stores.
2889         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
2890         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
2891         by caging. The other load/stores we are no longer caging to get back performance on
2892         various benchmarks.
2893
2894         * bytecode/AccessCase.cpp:
2895         (JSC::AccessCase::generateImpl):
2896         * bytecode/InlineAccess.cpp:
2897         (JSC::InlineAccess::dumpCacheSizesAndCrash):
2898         (JSC::InlineAccess::generateSelfPropertyAccess):
2899         (JSC::InlineAccess::generateSelfPropertyReplace):
2900         (JSC::InlineAccess::generateArrayLength):
2901         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
2902         * dfg/DFGSpeculativeJIT.cpp:
2903         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2904         (JSC::DFG::SpeculativeJIT::compileSpread):
2905         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2906         * dfg/DFGSpeculativeJIT64.cpp:
2907         (JSC::DFG::SpeculativeJIT::compile):
2908         * ftl/FTLLowerDFGToB3.cpp:
2909         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2910         * jit/JITPropertyAccess.cpp:
2911         (JSC::JIT::emitContiguousLoad):
2912         (JSC::JIT::emitArrayStorageLoad):
2913         (JSC::JIT::emitGenericContiguousPutByVal):
2914         (JSC::JIT::emitArrayStoragePutByVal):
2915         (JSC::JIT::emit_op_get_from_scope):
2916         (JSC::JIT::emit_op_put_to_scope):
2917         * llint/LowLevelInterpreter64.asm:
2918         * runtime/AuxiliaryBarrier.h:
2919         (JSC::AuxiliaryBarrier::operator-> const):
2920         * runtime/Butterfly.h:
2921         (JSC::Butterfly::caged):
2922         (JSC::Butterfly::contiguousDouble):
2923         * runtime/JSArray.cpp:
2924         (JSC::JSArray::setLength):
2925         (JSC::JSArray::pop):
2926         (JSC::JSArray::shiftCountWithAnyIndexingType):
2927         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2928         (JSC::JSArray::fillArgList):
2929         (JSC::JSArray::copyToArguments):
2930         * runtime/JSArrayInlines.h:
2931         (JSC::JSArray::pushInline):
2932         * runtime/JSObject.cpp:
2933         (JSC::JSObject::heapSnapshot):
2934         (JSC::JSObject::createInitialIndexedStorage):
2935         (JSC::JSObject::createArrayStorage):
2936         (JSC::JSObject::convertUndecidedToInt32):
2937         (JSC::JSObject::ensureLengthSlow):
2938         (JSC::JSObject::reallocateAndShrinkButterfly):
2939         (JSC::JSObject::allocateMoreOutOfLineStorage):
2940         * runtime/JSObject.h:
2941         (JSC::JSObject::canGetIndexQuickly):
2942         (JSC::JSObject::getIndexQuickly):
2943         (JSC::JSObject::tryGetIndexQuickly const):
2944         (JSC::JSObject::canSetIndexQuickly):
2945         (JSC::JSObject::butterfly const):
2946         (JSC::JSObject::butterfly):
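
The entry above keeps caging only for double loads and stores because a double can hold any 64-bit pattern, including a pointer-shaped one. The following is an added example, not JavaScriptCore's Gigacage code: a minimal C++ model of pointer caging (`CageModel`, a name introduced here, with an assumed power-of-two size and size-aligned base, on a 64-bit target) together with a bit-exact double round trip that shows why a double store is the one butterfly store able to smuggle an arbitrary value. The masking keeps a forged butterfly pointer inside the cage; it does not stop corruption of objects that live inside it, which is the trade-off the entry describes.

```cpp
#include <cstdint>
#include <cstring>

// Minimal model of a cage: a region of `size` bytes (power of two) whose base is
// aligned to `size`. base + (ptr & (size - 1)) therefore lands inside the region
// no matter which bits `ptr` carries. Assumed layout; not JSC's real Gigacage.
struct CageModel {
    uintptr_t base;
    uintptr_t size;

    uintptr_t mask() const { return size - 1; }
    uintptr_t caged(uintptr_t ptr) const { return base + (ptr & mask()); }
    bool contains(uintptr_t ptr) const { return ptr >= base && ptr - base < size; }
};

// A double is just 64 bits; copying through memcpy preserves every bit, so a
// double store can place any pattern (e.g. a pointer) into the backing store.
double doubleFromBits(uint64_t bits)
{
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

uint64_t bitsFromDouble(double d)
{
    uint64_t b;
    std::memcpy(&b, &d, sizeof b);
    return b;
}

// Simulates the load path after an attacker has written `attackerBits` into a
// butterfly slot via a double store and the value is later read as a pointer:
// caging clamps the forged pointer back into the cage before it is dereferenced.
bool cagedPointerStaysInCage(const CageModel& cage, uint64_t attackerBits)
{
    double stored = doubleFromBits(attackerBits);                   // the double store
    uintptr_t forgedPointer = static_cast<uintptr_t>(bitsFromDouble(stored)); // read back as pointer
    return cage.contains(cage.caged(forgedPointer));
}
```

An in-cage pointer is unchanged by `caged()`, so the mask costs one AND and one ADD on the hot path; that per-access cost on every butterfly load/store is what the entry trades away for everything except doubles.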
2947
2948 2017-11-07  Mark Lam  <mark.lam@apple.com>
2949
2950         Introduce a default RegisterSet constructor so that we can use { } notation.
2951         https://bugs.webkit.org/show_bug.cgi?id=179389
2952
2953         Reviewed by Saam Barati.
2954
2955         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
2956         does not add any code documentation value.
2957
2958         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2959         * b3/air/AirCode.cpp:
2960         (JSC::B3::Air::Code::setRegsInPriorityOrder):
2961         * b3/air/AirPrintSpecial.cpp:
2962         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
2963         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
2964         * b3/air/testair.cpp:
2965         * bytecode/PolymorphicAccess.h:
2966         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
2967         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
2968         * dfg/DFGJITCode.cpp:
2969         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2970         * ftl/FTLJITCode.cpp:
2971         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2972         * jit/JITCode.cpp:
2973         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2974         * jit/RegisterSet.cpp:
2975         (JSC::RegisterSet::reservedHardwareRegisters):
2976         (JSC::RegisterSet::runtimeRegisters):
2977         (JSC::RegisterSet::macroScratchRegisters):
2978         * jit/RegisterSet.h:
2979         (JSC::RegisterSet::RegisterSet):
2980         * wasm/WasmB3IRGenerator.cpp:
2981         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2982
2983 2017-11-07  Mark Lam  <mark.lam@apple.com>
2984
2985         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2986         https://bugs.webkit.org/show_bug.cgi?id=179355
2987         <rdar://problem/35263053>
2988
2989         Reviewed by Saam Barati.
2990
2991         In the Transition case in AccessCase::generateImpl(), we were restoring registers
2992         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
2993         where we previously stashed the reallocated butterfly.  If the generated code is
2994         under heavy register pressure, scratchGPR could have been from the set of preserved
2995         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
2996         As a result, the restoration would trash the butterfly result we stored there.
2997         This patch fixes the issue by excluding the scratchGPR in the restoration.
2998
2999         * bytecode/AccessCase.cpp:
3000         (JSC::AccessCase::generateImpl):
3001
3002 2017-11-06  Robin Morisset  <rmorisset@apple.com>
3003
3004         CodeBlock::usesOpcode() is dead code
3005         https://bugs.webkit.org/show_bug.cgi?id=179316
3006
3007         Reviewed by Yusuke Suzuki.
3008
3009         Remove CodeBlock::usesOpcode which is dead code
3010
3011         * bytecode/CodeBlock.cpp:
3012         * bytecode/CodeBlock.h:
3013
3014 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3015
3016         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3017         https://bugs.webkit.org/show_bug.cgi?id=144458
3018
3019         Reviewed by Saam Barati.
3020
3021         Previously only JSFunction is handled by CallLinkInfo's caching mechanism. This means that
3022         InternalFunction calls are not cached and they always go to the slow path. This is not good because
3023
3024         1. We need to query getCallData/getConstructData every time in the slow path.
3025         2. CallLinkInfo tells nothing in the higher tier JITs.
3026
3027         This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
3028         to hold pointers to the functions for call and construct. We have new stubs that can call/construct
3029         InternalFunction. And we return this code pointer as a result of setup call to use CallLinkInfo mechanism.
3030
3031         This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
3032         for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
3033         case that DFGByteCodeParser figures out InternalFunction constant, we cannot attempt to emit DFG
3034         nodes for these InternalFunctions since CallLinkInfo tells us nothing.
3035
3036         Attached microbenchmarks show performance improvement.
3037
3038                                                            baseline                  patched
3039
3040         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
3041         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
3042         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
3043         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
3044
3045         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
3046
3047         * API/JSCallbackFunction.cpp:
3048         (JSC::JSCallbackFunction::JSCallbackFunction):
3049         (JSC::JSCallbackFunction::getCallData): Deleted.
3050         * API/JSCallbackFunction.h:
3051         (JSC::JSCallbackFunction::createStructure):
3052         * API/ObjCCallbackFunction.h:
3053         (JSC::ObjCCallbackFunction::createStructure):
3054         * API/ObjCCallbackFunction.mm:
3055         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
3056         (JSC::ObjCCallbackFunction::getCallData): Deleted.
3057         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
3058         * bytecode/BytecodeDumper.cpp:
3059         (JSC::BytecodeDumper<Block>::printCallOp):
3060         * bytecode/BytecodeList.json:
3061         * bytecode/CallLinkInfo.cpp:
3062         (JSC::CallLinkInfo::setCallee):
3063         (JSC::CallLinkInfo::callee):
3064         (JSC::CallLinkInfo::setLastSeenCallee):
3065         (JSC::CallLinkInfo::lastSeenCallee):
3066         (JSC::CallLinkInfo::visitWeak):
3067         * bytecode/CallLinkInfo.h:
3068         * bytecode/CallLinkStatus.cpp:
3069         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3070         * bytecode/LLIntCallLinkInfo.h:
3071         * jit/JITOperations.cpp:
3072         * jit/JITThunks.cpp:
3073         (JSC::JITThunks::ctiInternalFunctionCall):
3074         (JSC::JITThunks::ctiInternalFunctionConstruct):
3075         * jit/JITThunks.h:
3076         * jit/Repatch.cpp:
3077         (JSC::linkFor):
3078         (JSC::linkPolymorphicCall):
3079         * jit/Repatch.h:
3080         * jit/ThunkGenerators.cpp:
3081         (JSC::virtualThunkFor):
3082         (JSC::nativeForGenerator):
3083         (JSC::nativeCallGenerator):
3084         (JSC::nativeTailCallGenerator):
3085         (JSC::nativeTailCallWithoutSavedTagsGenerator):
3086         (JSC::nativeConstructGenerator):
3087         (JSC::internalFunctionCallGenerator):
3088         (JSC::internalFunctionConstructGenerator):
3089         * jit/ThunkGenerators.h:
3090         * llint/LLIntSlowPaths.cpp:
3091         (JSC::LLInt::setUpCall):
3092         * llint/LowLevelInterpreter.asm:
3093         * llint/LowLevelInterpreter32_64.asm:
3094         * llint/LowLevelInterpreter64.asm:
3095         * runtime/ArrayConstructor.cpp:
3096         (JSC::ArrayConstructor::ArrayConstructor):
3097         (JSC::ArrayConstructor::getConstructData): Deleted.
3098         (JSC::ArrayConstructor::getCallData): Deleted.
3099         * runtime/ArrayConstructor.h:
3100         (JSC::ArrayConstructor::createStructure):
3101         * runtime/AsyncFunctionConstructor.cpp:
3102         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
3103         (JSC::AsyncFunctionConstructor::finishCreation):
3104         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
3105         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
3106         * runtime/AsyncFunctionConstructor.h:
3107         (JSC::AsyncFunctionConstructor::createStructure):
3108         * runtime/AsyncGeneratorFunctionConstructor.cpp:
3109         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
3110         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
3111         (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
3112         (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
3113         * runtime/AsyncGeneratorFunctionConstructor.h:
3114         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
3115         * runtime/BooleanConstructor.cpp:
3116         (JSC::callBooleanConstructor):
3117         (JSC::BooleanConstructor::BooleanConstructor):
3118         (JSC::BooleanConstructor::finishCreation):
3119         (JSC::BooleanConstructor::getConstructData): Deleted.
3120         (JSC::BooleanConstructor::getCallData): Deleted.
3121         * runtime/BooleanConstructor.h:
3122         (JSC::BooleanConstructor::createStructure):
3123         * runtime/DateConstructor.cpp:
3124         (JSC::DateConstructor::DateConstructor):
3125         (JSC::DateConstructor::getConstructData): Deleted.
3126         (JSC::DateConstructor::getCallData): Deleted.
3127         * runtime/DateConstructor.h:
3128         (JSC::DateConstructor::createStructure):
3129         * runtime/Error.h:
3130         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
3131         (JSC::StrictModeTypeErrorFunction::createStructure):
3132         (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
3133         (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
3134         * runtime/ErrorConstructor.cpp:
3135         (JSC::ErrorConstructor::ErrorConstructor):
3136         (JSC::ErrorConstructor::getConstructData): Deleted.
3137         (JSC::ErrorConstructor::getCallData): Deleted.
3138         * runtime/ErrorConstructor.h:
3139         (JSC::ErrorConstructor::createStructure):
3140         * runtime/FunctionConstructor.cpp:
3141         (JSC::FunctionConstructor::FunctionConstructor):
3142         (JSC::FunctionConstructor::finishCreation):
3143         (JSC::FunctionConstructor::getConstructData): Deleted.
3144         (JSC::FunctionConstructor::getCallData): Deleted.
3145         * runtime/FunctionConstructor.h:
3146         (JSC::FunctionConstructor::createStructure):
3147         * runtime/FunctionPrototype.cpp:
3148         (JSC::callFunctionPrototype):
3149         (JSC::FunctionPrototype::FunctionPrototype):
3150         (JSC::FunctionPrototype::getCallData): Deleted.
3151         * runtime/FunctionPrototype.h:
3152         (JSC::FunctionPrototype::createStructure):
3153         * runtime/GeneratorFunctionConstructor.cpp:
3154         (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
3155         (JSC::GeneratorFunctionConstructor::finishCreation):
3156         (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
3157         (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
3158         * runtime/GeneratorFunctionConstructor.h:
3159         (JSC::GeneratorFunctionConstructor::createStructure):
3160         * runtime/InternalFunction.cpp:
3161         (JSC::InternalFunction::InternalFunction):
3162         (JSC::InternalFunction::finishCreation):
3163         (JSC::InternalFunction::getCallData):
3164         (JSC::InternalFunction::getConstructData):
3165         * runtime/InternalFunction.h:
3166         (JSC::InternalFunction::createStructure):
3167         (JSC::InternalFunction::nativeFunctionFor):
3168         (JSC::InternalFunction::offsetOfNativeFunctionFor):
3169         * runtime/IntlCollatorConstructor.cpp:
3170         (JSC::IntlCollatorConstructor::createStructure):
3171         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
3172         (JSC::IntlCollatorConstructor::getConstructData): Deleted.
3173         (JSC::IntlCollatorConstructor::getCallData): Deleted.
3174         * runtime/IntlCollatorConstructor.h:
3175         * runtime/IntlDateTimeFormatConstructor.cpp:
3176         (JSC::IntlDateTimeFormatConstructor::createStructure):
3177         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
3178         (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
3179         (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
3180         * runtime/IntlDateTimeFormatConstructor.h:
3181         * runtime/IntlNumberFormatConstructor.cpp:
3182         (JSC::IntlNumberFormatConstructor::createStructure):
3183         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
3184         (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
3185         (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
3186         * runtime/IntlNumberFormatConstructor.h:
3187         * runtime/JSArrayBufferConstructor.cpp:
3188         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
3189         (JSC::JSArrayBufferConstructor::createStructure):
3190         (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
3191         (JSC::JSArrayBufferConstructor::getCallData): Deleted.
3192         * runtime/JSArrayBufferConstructor.h:
3193         * runtime/JSGenericTypedArrayViewConstructor.h:
3194         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3195         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
3196         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
3197         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
3198         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
3199         * runtime/JSInternalPromiseConstructor.cpp:
3200         (JSC::JSInternalPromiseConstructor::createStructure):
3201         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
3202         (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
3203         (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
3204         * runtime/JSInternalPromiseConstructor.h:
3205         * runtime/JSPromiseConstructor.cpp:
3206         (JSC::JSPromiseConstructor::createStructure):
3207         (JSC::JSPromiseConstructor::JSPromiseConstructor):
3208         (JSC::JSPromiseConstructor::getConstructData): Deleted.
3209         (JSC::JSPromiseConstructor::getCallData): Deleted.
3210         * runtime/JSPromiseConstructor.h:
3211         * runtime/JSType.h:
3212         * runtime/JSTypedArrayViewConstructor.cpp:
3213         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
3214         (JSC::JSTypedArrayViewConstructor::createStructure):
3215         (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
3216         (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
3217         * runtime/JSTypedArrayViewConstructor.h:
3218         * runtime/MapConstructor.cpp:
3219         (JSC::MapConstructor::MapConstructor):
3220         (JSC::MapConstructor::getConstructData): Deleted.
3221         (JSC::MapConstructor::getCallData): Deleted.
3222         * runtime/MapConstructor.h:
3223         (JSC::MapConstructor::createStructure):
3224         (JSC::MapConstructor::MapConstructor): Deleted.
3225         * runtime/NativeErrorConstructor.cpp:
3226         (JSC::NativeErrorConstructor::NativeErrorConstructor):
3227         (JSC::NativeErrorConstructor::getConstructData): Deleted.
3228         (JSC::NativeErrorConstructor::getCallData): Deleted.
3229         * runtime/NativeErrorConstructor.h:
3230         (JSC::NativeErrorConstructor::createStructure):
3231         * runtime/NullGetterFunction.cpp:
3232         (JSC::NullGetterFunction::NullGetterFunction):
3233         (JSC::NullGetterFunction::getCallData): Deleted.
3234         (JSC::NullGetterFunction::getConstructData): Deleted.
3235         * runtime/NullGetterFunction.h:
3236         (JSC::NullGetterFunction::createStructure):
3237         (JSC::NullGetterFunction::NullGetterFunction): Deleted.
3238         * runtime/NullSetterFunction.cpp:
3239         (JSC::NullSetterFunction::NullSetterFunction):
3240         (JSC::NullSetterFunction::getCallData): Deleted.
3241         (JSC::NullSetterFunction::getConstructData): Deleted.
3242         * runtime/NullSetterFunction.h:
3243         (JSC::NullSetterFunction::createStructure):
3244         (JSC::NullSetterFunction::NullSetterFunction): Deleted.
3245         * runtime/NumberConstructor.cpp:
3246         (JSC::NumberConstructor::NumberConstructor):
3247         (JSC::constructNumberConstructor):
3248         (JSC::constructWithNumberConstructor): Deleted.
3249         (JSC::NumberConstructor::getConstructData): Deleted.
3250         (JSC::NumberConstructor::getCallData): Deleted.
3251         * runtime/NumberConstructor.h:
3252         (JSC::NumberConstructor::createStructure):
3253         * runtime/ObjectConstructor.cpp:
3254         (JSC::ObjectConstructor::ObjectConstructor):
3255         (JSC::ObjectConstructor::getConstructData): Deleted.
3256         (JSC::ObjectConstructor::getCallData): Deleted.
3257         * runtime/ObjectConstructor.h:
3258         (JSC::ObjectConstructor::createStructure):
3259         * runtime/ProxyConstructor.cpp:
3260         (JSC::ProxyConstructor::ProxyConstructor):
3261         (JSC::ProxyConstructor::getConstructData): Deleted.
3262         (JSC::ProxyConstructor::getCallData): Deleted.
3263         * runtime/ProxyConstructor.h:
3264         (JSC::ProxyConstructor::createStructure):
3265         * runtime/ProxyRevoke.cpp:
3266         (JSC::ProxyRevoke::ProxyRevoke):
3267         (JSC::ProxyRevoke::getCallData): Deleted.
3268         * runtime/ProxyRevoke.h:
3269         (JSC::ProxyRevoke::createStructure):
3270         * runtime/RegExpConstructor.cpp:
3271         (JSC::RegExpConstructor::RegExpConstructor):
3272         (JSC::RegExpConstructor::getConstructData): Deleted.
3273         (JSC::RegExpConstructor::getCallData): Deleted.
3274         * runtime/RegExpConstructor.h:
3275         (JSC::RegExpConstructor::createStructure):
3276         * runtime/SetConstructor.cpp:
3277         (JSC::SetConstructor::SetConstructor):
3278         (JSC::SetConstructor::getConstructData): Deleted.
3279         (JSC::SetConstructor::getCallData): Deleted.
3280         * runtime/SetConstructor.h:
3281         (JSC::SetConstructor::createStructure):
3282         (JSC::SetConstructor::SetConstructor): Deleted.
3283         * runtime/StringConstructor.cpp:
3284         (JSC::StringConstructor::StringConstructor):
3285         (JSC::StringConstructor::getConstructData): Deleted.
3286         (JSC::StringConstructor::getCallData): Deleted.
3287         * runtime/StringConstructor.h:
3288         (JSC::StringConstructor::createStructure):
3289         * runtime/SymbolConstructor.cpp:
3290         (JSC::SymbolConstructor::SymbolConstructor):
3291         (JSC::SymbolConstructor::getConstructData): Deleted.
3292         (JSC::SymbolConstructor::getCallData): Deleted.
3293         * runtime/SymbolConstructor.h:
3294         (JSC::SymbolConstructor::createStructure):
3295         * runtime/VM.cpp:
3296         (JSC::VM::VM):
3297         (JSC::VM::getCTIInternalFunctionTrampolineFor):
3298         * runtime/VM.h:
3299         * runtime/WeakMapConstructor.cpp:
3300         (JSC::WeakMapConstructor::WeakMapConstructor):
3301         (JSC::WeakMapConstructor::getConstructData): Deleted.
3302         (JSC::WeakMapConstructor::getCallData): Deleted.
3303         * runtime/WeakMapConstructor.h:
3304         (JSC::WeakMapConstructor::createStructure):
3305         (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
3306         * runtime/WeakSetConstructor.cpp:
3307         (JSC::WeakSetConstructor::WeakSetConstructor):
3308         (JSC::WeakSetConstructor::getConstructData): Deleted.
3309         (JSC::WeakSetConstructor::getCallData): Deleted.
3310         * runtime/WeakSetConstructor.h:
3311         (JSC::WeakSetConstructor::createStructure):
3312         (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
3313         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3314         (JSC::WebAssemblyCompileErrorConstructor::createStructure):
3315         (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
3316         (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
3317         (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
3318         * wasm/js/WebAssemblyCompileErrorConstructor.h:
3319         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3320         (JSC::WebAssemblyInstanceConstructor::createStructure):
3321         (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
3322         (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
3323         (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
3324         * wasm/js/WebAssemblyInstanceConstructor.h:
3325         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3326         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
3327         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
3328         (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
3329         (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
3330         * wasm/js/WebAssemblyLinkErrorConstructor.h:
3331         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3332         (JSC::WebAssemblyMemoryConstructor::createStructure):
3333         (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
3334         (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
3335         (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.