[JSC] Implement optimized WeakMap and WeakSet
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [JSC] Implement optimized WeakMap and WeakSet
4         https://bugs.webkit.org/show_bug.cgi?id=179929
5
6         Reviewed by Saam Barati.
7
8         This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
9         This is similar to HashMapImpl. But,
10
11         1. WeakMapImpl's bucket is not allocated in GC heap since WeakMap
12         does not need to have iterators.
13
14         2. WeakMapImpl's buffer is allocated in JSValue Gigacage instead
15         of auxiliary buffer. This is because we would like to allocate the buffer
16         when finalizing GC. At that time, WeakMapImpl prunes dead entries and
17         shrinks it if necessary. However, allocating from the GC heap during
18         finalization is not allowed.
19
20         In particular, (2) is important since it ensures any WeakMap operations
21         do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
22         and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
23         do not cause GC makes our implementation simple. To ensure this, we place
24         DisallowGC for each WeakMap's interface.
25
26         In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
27         WeakMapGet looks up an entry in WeakMapImpl and returns a value. If it is
28         a WeakMap, it returns the value, and it returns the key if it is a WeakSet. If it
29         does not find a corresponding entry, it returns JSEmpty.
30         ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.
31
32         This patch improves WeakMap and WeakSet operations.
33
34                                      baseline                  patched
35
36             weak-set-key        240.6932+-10.4923    ^    148.7606+-6.1784        ^ definitely 1.6180x faster
37             weak-map-key        174.3176+-8.2680     ^    151.7053+-6.8723        ^ definitely 1.1491x faster
38
39         * JavaScriptCore.xcodeproj/project.pbxproj:
40         * Sources.txt:
41         * dfg/DFGAbstractHeap.h:
42         * dfg/DFGAbstractInterpreterInlines.h:
43         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
44         * dfg/DFGByteCodeParser.cpp:
45         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
46         * dfg/DFGClobberize.h:
47         (JSC::DFG::clobberize):
48         * dfg/DFGDoesGC.cpp:
49         (JSC::DFG::doesGC):
50         * dfg/DFGFixupPhase.cpp:
51         (JSC::DFG::FixupPhase::fixupNode):
52         * dfg/DFGNode.h:
53         (JSC::DFG::Node::hasHeapPrediction):
54         * dfg/DFGNodeType.h:
55         * dfg/DFGOperations.cpp:
56         * dfg/DFGOperations.h:
57         * dfg/DFGPredictionPropagationPhase.cpp:
58         * dfg/DFGSafeToExecute.h:
59         (JSC::DFG::safeToExecute):
60         * dfg/DFGSpeculativeJIT.cpp:
61         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
62         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
63         * dfg/DFGSpeculativeJIT.h:
64         * dfg/DFGSpeculativeJIT32_64.cpp:
65         (JSC::DFG::SpeculativeJIT::compile):
66         * dfg/DFGSpeculativeJIT64.cpp:
67         (JSC::DFG::SpeculativeJIT::compile):
68         * ftl/FTLAbstractHeapRepository.h:
69         * ftl/FTLCapabilities.cpp:
70         (JSC::FTL::canCompile):
71         * ftl/FTLLowerDFGToB3.cpp:
72         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
73         (JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
74         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
75         * inspector/JSInjectedScriptHost.cpp:
76         (Inspector::JSInjectedScriptHost::weakMapEntries):
77         (Inspector::JSInjectedScriptHost::weakSetEntries):
78         Existing code is incorrect. It can run GC and break WeakMap's iterator.
79         We introduce takeSnapshot function to WeakMapImpl, which retrieves live
80         entries without causing any GC.
81
82         * runtime/HashMapImpl.h:
83         (JSC::shouldShrink):
84         (JSC::shouldRehashAfterAdd):
85         (JSC::nextCapacity):
86         (JSC::HashMapImpl::shouldRehashAfterAdd const):
87         (JSC::HashMapImpl::shouldShrink const):
88         (JSC::HashMapImpl::rehash):
89         (JSC::WeakMapHash::hash): Deleted.
90         (JSC::WeakMapHash::equal): Deleted.
91         * runtime/Intrinsic.cpp:
92         (JSC::intrinsicName):
93         * runtime/Intrinsic.h:
94         * runtime/JSWeakMap.cpp:
95         * runtime/JSWeakMap.h:
96         * runtime/JSWeakSet.cpp:
97         * runtime/JSWeakSet.h:
98         * runtime/VM.cpp:
99         * runtime/WeakGCMap.h:
100         (JSC::WeakGCMap::forEach): Deleted.
101         * runtime/WeakMapBase.cpp: Removed.
102         * runtime/WeakMapBase.h: Removed.
103         * runtime/WeakMapConstructor.cpp:
104         (JSC::constructWeakMap):
105         * runtime/WeakMapImpl.cpp: Added.
106         (JSC::WeakMapImpl<WeakMapBucket>::destroy):
107         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
108         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
109         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
110         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
111         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
112         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
113         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
114         * runtime/WeakMapImpl.h: Added.
115         (JSC::jsWeakMapHash):
116         (JSC::nextCapacityAfterRemoveBatching):
117         (JSC::WeakMapBucket::setKey):
118         (JSC::WeakMapBucket::setValue):
119         (JSC::WeakMapBucket::key const):
120         (JSC::WeakMapBucket::value const):
121         (JSC::WeakMapBucket::copyFrom):
122         (JSC::WeakMapBucket::offsetOfKey):
123         (JSC::WeakMapBucket::offsetOfValue):
124         (JSC::WeakMapBucket::extractValue):
125         (JSC::WeakMapBucket::isEmpty):
126         (JSC::WeakMapBucket::deletedKey):
127         (JSC::WeakMapBucket::isDeleted):
128         (JSC::WeakMapBucket::makeDeleted):
129         (JSC::WeakMapBucket::visitAggregate):
130         (JSC::WeakMapBucket::clearValue):
131         (JSC::WeakMapBuffer::allocationSize):
132         (JSC::WeakMapBuffer::buffer const):
133         (JSC::WeakMapBuffer::create):
134         (JSC::WeakMapBuffer::reset):
135         (JSC::WeakMapImpl::WeakMapImpl):
136         (JSC::WeakMapImpl::finishCreation):
137         (JSC::WeakMapImpl::get):
138         (JSC::WeakMapImpl::has):
139         (JSC::WeakMapImpl::add):
140         (JSC::WeakMapImpl::remove):
141         (JSC::WeakMapImpl::size const):
142         (JSC::WeakMapImpl::offsetOfBuffer):
143         (JSC::WeakMapImpl::offsetOfCapacity):
144         (JSC::WeakMapImpl::findBucket):
145         (JSC::WeakMapImpl::buffer const):
146         (JSC::WeakMapImpl::forEach):
147         (JSC::WeakMapImpl::shouldRehashAfterAdd const):
148         (JSC::WeakMapImpl::shouldShrink const):
149         (JSC::WeakMapImpl::canUseBucket):
150         (JSC::WeakMapImpl::addInternal):
151         (JSC::WeakMapImpl::findBucketAlreadyHashed):
152         (JSC::WeakMapImpl::rehash):
153         (JSC::WeakMapImpl::checkConsistency const):
154         (JSC::WeakMapImpl::makeAndSetNewBuffer):
155         (JSC::WeakMapImpl::assertBufferIsEmpty const):
156         (JSC::WeakMapImpl::DeadKeyCleaner::target):
157         * runtime/WeakMapPrototype.cpp:
158         (JSC::WeakMapPrototype::finishCreation):
159         (JSC::protoFuncWeakMapGet):
160         (JSC::protoFuncWeakMapHas):
161         * runtime/WeakSetConstructor.cpp:
162         (JSC::constructWeakSet):
163         * runtime/WeakSetPrototype.cpp:
164         (JSC::WeakSetPrototype::finishCreation):
165         (JSC::protoFuncWeakSetHas):
166         (JSC::protoFuncWeakSetAdd):
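
The following is an added illustration, not JavaScriptCore code: a single-threaded toy of the WeakMapImpl design described in the entry above. It assumes a hypothetical `Cell` whose `marked` flag says whether the key survived marking, an integer stand-in for JSValue with `kEmpty` playing JSEmpty, an `extractValue()` that is the ExtractValueFromWeakMapGet step, a `finalize()` that plays the GC finalization pass (prune dead keys, shrink the buffer), and a `takeSnapshot()` that copies live entries out without any GC-visible work. All names and the pointer hash are assumptions of this example.

```cpp
// Added example, not JavaScriptCore code: a single-threaded toy of the
// WeakMapImpl design. A key is a hypothetical GC cell whose `marked` flag says
// whether it survived marking; get() returns a distinguished Empty sentinel
// (standing in for JSEmpty); extractValue() is the ExtractValueFromWeakMapGet
// step that maps Empty to Undefined; finalize() plays the GC finalization pass
// that prunes dead keys and shrinks the buffer; takeSnapshot() copies live
// entries out for an iterator without running any GC.
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

struct Cell { bool marked = true; };   // hypothetical GC cell; unmarked == dead

// Hypothetical JSValue stand-in: non-negative integers are ordinary values.
constexpr int64_t kEmpty = -1;         // JSEmpty: never observable from script
constexpr int64_t kUndefined = -2;     // JSUndefined

// ExtractValueFromWeakMapGet: the one place Empty becomes Undefined.
inline int64_t extractValue(int64_t v) { return v == kEmpty ? kUndefined : v; }

class WeakMapModel {
public:
    WeakMapModel() { m_buffer.resize(kMinCapacity); }

    int64_t get(Cell* key) const { const Bucket* b = find(key); return b ? b->value : kEmpty; }
    bool has(Cell* key) const { return find(key) != nullptr; }
    size_t size() const { return m_keyCount; }
    size_t capacity() const { return m_buffer.size(); }

    void add(Cell* key, int64_t value) {
        if (Bucket* b = find(key)) { b->value = value; return; }
        // Keep live + tombstone load at or below 1/2 so probing always reaches an empty slot.
        if ((m_keyCount + m_deleteCount + 1) * 2 > capacity())
            rehash((m_keyCount + 1) * 2 > capacity() ? capacity() * 2 : capacity());
        size_t i = slot(key);
        while (m_buffer[i].isLive()) i = (i + 1) & (capacity() - 1);
        if (m_buffer[i].isDeleted()) --m_deleteCount;   // a tombstone may be reused
        m_buffer[i].key = key; m_buffer[i].value = value; ++m_keyCount;
    }

    bool remove(Cell* key) { Bucket* b = find(key); if (!b) return false; kill(*b); return true; }

    // GC finalization: drop entries whose key did not survive marking, then shrink
    // when the table is mostly empty. Nothing here allocates a GC object.
    void finalize() {
        for (Bucket& b : m_buffer) if (b.isLive() && !b.key->marked) kill(b);
        if (capacity() > kMinCapacity && m_keyCount * 8 < capacity()) rehash(capacity() / 2);
    }

    // Live entries copied out for an inspector to iterate, without running GC.
    std::vector<std::pair<Cell*, int64_t>> takeSnapshot() const {
        std::vector<std::pair<Cell*, int64_t>> out;
        for (const Bucket& b : m_buffer) if (b.isLive()) out.emplace_back(b.key, b.value);
        return out;
    }

private:
    struct Bucket {
        Cell* key = nullptr;           // nullptr: never used; deletedKey(): tombstone
        int64_t value = kEmpty;
        bool isEmpty() const { return key == nullptr; }
        bool isDeleted() const { return key == deletedKey(); }
        bool isLive() const { return !isEmpty() && !isDeleted(); }
    };
    static const size_t kMinCapacity = 4;
    static Cell* deletedKey() { static Cell tombstone; return &tombstone; }

    size_t slot(Cell* key) const {     // hypothetical pointer hash, masked to a power-of-two capacity
        uint64_t h = static_cast<uint64_t>(reinterpret_cast<uintptr_t>(key)) >> 3;
        h ^= h >> 33; h *= 0xff51afd7ed558ccdULL; h ^= h >> 33;
        return static_cast<size_t>(h & (capacity() - 1));
    }
    Bucket* find(Cell* key) {
        for (size_t i = slot(key);; i = (i + 1) & (capacity() - 1)) {
            if (m_buffer[i].isEmpty()) return nullptr;     // tombstones are probed through
            if (m_buffer[i].key == key) return &m_buffer[i];
        }
    }
    const Bucket* find(Cell* key) const { return const_cast<WeakMapModel*>(this)->find(key); }
    void kill(Bucket& b) { b.key = deletedKey(); b.value = kEmpty; --m_keyCount; ++m_deleteCount; }
    void rehash(size_t newCapacity) {  // rebuild live entries; every tombstone is dropped
        std::vector<Bucket> old;
        old.swap(m_buffer);
        m_buffer.resize(newCapacity);
        m_keyCount = m_deleteCount = 0;
        for (const Bucket& b : old) if (b.isLive()) add(b.key, b.value);
    }

    std::vector<Bucket> m_buffer;
    size_t m_keyCount = 0, m_deleteCount = 0;
};
```

The point to take from the model is the split between `get()` and `extractValue()`: the table hands back a sentinel that script can never see, and only the separate extraction step turns it into `undefined`, which is what lets a compiler fold the lookup and the conversion independently. The snapshot is what an inspector should iterate over, since a live walk interleaved with anything that can collect would see buckets rehashed underneath it.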
167
168 2017-12-11  Filip Pizlo  <fpizlo@apple.com>
169
170         It should be possible to flag a cell for unconditional finalization
171         https://bugs.webkit.org/show_bug.cgi?id=180636
172
173         Reviewed by Saam Barati.
174         
175         UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
176         global linked list - but they had some nice properties:
177         
178         - You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
179           survived and needed it.
180             -> Just needing it wasn't enough.
181             -> Just surviving wasn't enough.
182         
183         The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
184         finalizer logic to be invoked. I think that's not great. InferredType got around this by
185         making InferredStructure a cell, but this was a gross hack. For one, it meant that
186         InferredStructure would survive during the GC in which its finalizer obviated the need for its
187         existence. It's not really an idiom I want us to repeat because it sounds like the sort of
188         thing that turns out to be subtly broken.
189         
190         We really need to have a way of indicating when you have entered into the state that requires
191         your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
192         objects that need unconditional finalizers. Only the subset of that set that overlaps with the
193         set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
194         bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
195         another level to say which atoms within a MarkedBlock have unconditional finalizers.
196         
197         This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
198         IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
199         auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
200         add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
201         you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
202         about 0.8% increase in size to every object in the subspace that the set is attached to. So,
203         it makes sense to have a handful per subspace max. This change only needs one per subspace,
204         but you could imagine more if we do this for WeakReferenceHarvester.
205         
206         To absolutely minimize the possibility that this incurs costs, the add/remove/contains
207         functions can be used from any thread so long as forEachMarkedCell isn't running. This means
208         that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
209         both survive and need it for the hardest work to take place. The work of adding does involve
210         a gnarly load chain that ends in a CAS: load block handle from block, load index, load
211         segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
212         However, it's perfect for running in parallel since the only write operations are to widely
213         dispersed cache lines that contain the bits underlying the set.
214         
215         The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
216         that need unconditional finalizers, and only touches the memory of marked objects that have
217         the unconditional finalizer bit set. It will walk those objects in roughly address order. I
218         previously found that this speeds up walking over a lot of objects when I made similar changes
219         for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a
220         HashSet).
221         
222         This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.
223         
224         My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
225         forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
226         IsoSubspace in more places.
227
228         * JavaScriptCore.xcodeproj/project.pbxproj:
229         * Sources.txt:
230         * heap/AtomIndices.h: Added.
231         (JSC::AtomIndices::AtomIndices):
232         * heap/Heap.cpp:
233         (JSC::Heap::finalizeUnconditionalFinalizers):
234         * heap/Heap.h:
235         * heap/IsoCellSet.cpp: Added.
236         (JSC::IsoCellSet::IsoCellSet):
237         (JSC::IsoCellSet::~IsoCellSet):
238         (JSC::IsoCellSet::addSlow):
239         (JSC::IsoCellSet::didResizeBits):
240         (JSC::IsoCellSet::didRemoveBlock):
241         (JSC::IsoCellSet::sweepToFreeList):
242         * heap/IsoCellSet.h: Added.
243         * heap/IsoCellSetInlines.h: Added.
244         (JSC::IsoCellSet::add):
245         (JSC::IsoCellSet::remove):
246         (JSC::IsoCellSet::contains const):
247         (JSC::IsoCellSet::forEachMarkedCell):
248         * heap/IsoSubspace.cpp:
249         (JSC::IsoSubspace::didResizeBits):
250         (JSC::IsoSubspace::didRemoveBlock):
251         (JSC::IsoSubspace::didBeginSweepingToFreeList):
252         * heap/IsoSubspace.h:
253         * heap/MarkedAllocator.cpp:
254         (JSC::MarkedAllocator::addBlock):
255         (JSC::MarkedAllocator::removeBlock):
256         * heap/MarkedAllocator.h:
257         * heap/MarkedAllocatorInlines.h:
258         * heap/MarkedBlock.cpp:
259         (JSC::MarkedBlock::Handle::sweep):
260         (JSC::MarkedBlock::Handle::isEmpty): Deleted.
261         * heap/MarkedBlock.h:
262         (JSC::MarkedBlock::marks const):
263         (JSC::MarkedBlock::Handle::newlyAllocated const):
264         * heap/MarkedBlockInlines.h:
265         (JSC::MarkedBlock::Handle::isAllocated):
266         (JSC::MarkedBlock::Handle::isEmpty):
267         (JSC::MarkedBlock::Handle::emptyMode):
268         (JSC::MarkedBlock::Handle::forEachMarkedCell):
269         * heap/Subspace.cpp:
270         (JSC::Subspace::didResizeBits):
271         (JSC::Subspace::didRemoveBlock):
272         (JSC::Subspace::didBeginSweepingToFreeList):
273         * heap/Subspace.h:
274         * heap/SubspaceInlines.h:
275         (JSC::Subspace::forEachMarkedCell):
276         * runtime/InferredStructure.cpp:
277         (JSC::InferredStructure::InferredStructure):
278         (JSC::InferredStructure::create): Deleted.
279         (JSC::InferredStructure::destroy): Deleted.
280         (JSC::InferredStructure::createStructure): Deleted.
281         (JSC::InferredStructure::visitChildren): Deleted.
282         (JSC::InferredStructure::finalizeUnconditionally): Deleted.
283         (JSC::InferredStructure::finishCreation): Deleted.
284         * runtime/InferredStructure.h:
285         * runtime/InferredStructureWatchpoint.cpp:
286         (JSC::InferredStructureWatchpoint::fireInternal):
287         * runtime/InferredType.cpp:
288         (JSC::InferredType::visitChildren):
289         (JSC::InferredType::willStoreValueSlow):
290         (JSC::InferredType::makeTopSlow):
291         (JSC::InferredType::set):
292         (JSC::InferredType::removeStructure):
293         (JSC::InferredType::finalizeUnconditionally):
294         * runtime/InferredType.h:
295         * runtime/VM.cpp:
296         (JSC::VM::VM):
297         * runtime/VM.h:
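
The following is an added illustration, not JavaScriptCore code: a toy of the two-level bit hierarchy the entry above describes. It assumes a hypothetical `AtomIndices` naming a cell by block number and atom number, one 64-atom block per word of bits, a per-block word of member bits and a per-block word of mark bits, and a first-level summary word per 64 blocks. `add()` follows the load-then-CAS pattern so that concurrent adders only write when a bit is actually clear, `forEachMarkedCell()` skips blocks whose summary bit is clear and visits only cells that are both marked and members, and `sweep()` drops dead members afterwards. The `mark()`/`clearMarks()` hooks stand in for the collector's marking and are assumptions of this example.

```cpp
// Added example, not JavaScriptCore code: a toy of the two-level bit hierarchy
// (summary bit per block, member bit per atom) used to find cells that need
// unconditional finalization. Names here are hypothetical.
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

struct AtomIndices { size_t block; unsigned atom; };   // hypothetical, atom < 64

static unsigned lowestSetBit(uint64_t v) { unsigned i = 0; while (!(v & 1)) { v >>= 1; ++i; } return i; }

class IsoCellSetModel {
    struct Block {
        std::atomic<uint64_t> marks{0};     // set by the collector during marking
        std::atomic<uint64_t> members{0};   // set by add(), cleared by remove()/sweep()
    };
public:
    explicit IsoCellSetModel(size_t blockCount)
        : m_blocks(blockCount), m_summary((blockCount + 63) / 64) {}

    // Safe from any thread as long as forEachMarkedCell()/sweep() are not running.
    bool add(AtomIndices at) {
        Block& block = m_blocks[at.block];
        const uint64_t bit = uint64_t(1) << at.atom;
        uint64_t old = block.members.load(std::memory_order_relaxed);
        do {
            if (old & bit) return false;    // already present: no store, no cache-line write
        } while (!block.members.compare_exchange_weak(old, old | bit, std::memory_order_release));
        std::atomic<uint64_t>& word = m_summary[at.block / 64];
        const uint64_t blockBit = uint64_t(1) << (at.block % 64);
        if (!(word.load(std::memory_order_relaxed) & blockBit))
            word.fetch_or(blockBit, std::memory_order_release);   // publish the block
        return true;
    }
    bool remove(AtomIndices at) {
        const uint64_t bit = uint64_t(1) << at.atom;
        return (m_blocks[at.block].members.fetch_and(~bit, std::memory_order_relaxed) & bit) != 0;
    }
    bool contains(AtomIndices at) const {
        return (m_blocks[at.block].members.load(std::memory_order_relaxed) >> at.atom) & 1;
    }
    bool blockHasMembers(size_t block) const {   // summary bit: conservative, cleared only by sweep()
        return (m_summary[block / 64].load(std::memory_order_relaxed) >> (block % 64)) & 1;
    }

    void mark(AtomIndices at) { m_blocks[at.block].marks.fetch_or(uint64_t(1) << at.atom); }
    void clearMarks() { for (Block& b : m_blocks) b.marks.store(0); }

    // Collector side: must not overlap with add()/remove(). Walks blocks, then atoms,
    // in index order and only touches cells that are marked members.
    template<typename Func> size_t forEachMarkedCell(Func&& func) const {
        size_t visited = 0;
        for (size_t w = 0; w < m_summary.size(); ++w) {
            uint64_t blocks = m_summary[w].load(std::memory_order_acquire);
            while (blocks) {
                const size_t blockIndex = w * 64 + lowestSetBit(blocks);
                blocks &= blocks - 1;
                const Block& block = m_blocks[blockIndex];
                uint64_t bits = block.members.load(std::memory_order_acquire)
                    & block.marks.load(std::memory_order_acquire);
                while (bits) {
                    func(AtomIndices{blockIndex, lowestSetBit(bits)});
                    bits &= bits - 1;
                    ++visited;
                }
            }
        }
        return visited;
    }

    // Sweep: unmarked cells die, so they leave the set; a block with no members left
    // has its summary bit cleared so later walks skip it entirely.
    void sweep() {
        for (size_t i = 0; i < m_blocks.size(); ++i) {
            Block& block = m_blocks[i];
            const uint64_t live = block.members.load() & block.marks.load();
            block.members.store(live);
            if (!live) m_summary[i / 64].fetch_and(~(uint64_t(1) << (i % 64)));
        }
    }

private:
    std::vector<Block> m_blocks;
    std::vector<std::atomic<uint64_t>> m_summary;
};
```

Two properties of the model match the reasoning in the entry: a cell that is marked but was never added is not visited, and a cell that was added but is not marked is not visited either, so only the intersection of "survived" and "needs it" pays for the walk. The summary bit is only ever cleared by the sweep, never by `remove()`, so a stale-set summary costs one wasted block visit while a stale-clear one would silently skip live work.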
298
299 2017-12-12  Saam Barati  <sbarati@apple.com>
300
301         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
302         https://bugs.webkit.org/show_bug.cgi?id=180723
303         <rdar://problem/35859726>
304
305         Reviewed by JF Bastien.
306
307         * dfg/DFGConstantFoldingPhase.cpp:
308         (JSC::DFG::ConstantFoldingPhase::foldConstants):
309
310 2017-12-04  Brian Burg  <bburg@apple.com>
311
312         Web Inspector: modernize InjectedScript a bit
313         https://bugs.webkit.org/show_bug.cgi?id=180367
314
315         Reviewed by Timothy Hatcher.
316
317         Stop using out parameters passed by pointer, use references instead.
318         Stop using OptOutput<T> in favor of std::optional where possible.
319         If there is only one out-parameter and a void return type, then return the value.
320
321         * inspector/InjectedScript.h:
322         * inspector/InjectedScript.cpp:
323         (Inspector::InjectedScript::evaluate):
324         (Inspector::InjectedScript::callFunctionOn):
325         (Inspector::InjectedScript::evaluateOnCallFrame):
326         (Inspector::InjectedScript::getFunctionDetails):
327         (Inspector::InjectedScript::functionDetails):
328         (Inspector::InjectedScript::getPreview):
329         (Inspector::InjectedScript::getProperties):
330         (Inspector::InjectedScript::getDisplayableProperties):
331         (Inspector::InjectedScript::getInternalProperties):
332         (Inspector::InjectedScript::getCollectionEntries):
333         (Inspector::InjectedScript::saveResult):
334         (Inspector::InjectedScript::setExceptionValue):
335         (Inspector::InjectedScript::clearExceptionValue):
336         (Inspector::InjectedScript::inspectObject):
337         (Inspector::InjectedScript::releaseObject):
338
339         * inspector/InjectedScriptBase.h:
340         * inspector/InjectedScriptBase.cpp:
341         (Inspector::InjectedScriptBase::InjectedScriptBase):
342         Declare m_environment with a default initializer.
343
344         (Inspector::InjectedScriptBase::makeCall):
345         (Inspector::InjectedScriptBase::makeEvalCall):
346         Just return the result, no need for an out-parameter.
347         Rearrange some code paths now that we can just return a result.
348         Return a Ref<JSON::Value> since it is either a result value or error value.
349         Use out_ prefixes in a few places to improve readability.
350
351         * inspector/agents/InspectorDebuggerAgent.cpp:
352         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
353         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
354         * inspector/agents/InspectorHeapAgent.cpp:
355         (Inspector::InspectorHeapAgent::getPreview):
356         * inspector/agents/InspectorRuntimeAgent.cpp:
357         (Inspector::InspectorRuntimeAgent::evaluate):
358         (Inspector::InspectorRuntimeAgent::callFunctionOn):
359         (Inspector::InspectorRuntimeAgent::getPreview):
360         (Inspector::InspectorRuntimeAgent::getProperties):
361         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
362         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
363         (Inspector::InspectorRuntimeAgent::saveResult):
364         Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
365         and std::optional until the former is removed from generated method signatures.
366
367 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
368
369         [ESNext][BigInt] Implement BigInt literals and JSBigInt
370         https://bugs.webkit.org/show_bug.cgi?id=179000
371
372         Reviewed by Darin Adler and Yusuke Suzuki.
373
374         This patch starts the implementation of BigInt primitive on
375         JavaScriptCore. We are introducing BigInt primitive and
376         implementing it on JSBigInt as a subclass of JSCell with [[BigIntData]]
377         field implemented contiguously in memory as inline storage of JSBigInt to
378         take advantage of cache locality for performance. The
379         implementation allows 64 or 32 bitwise arithmetic operations.
380         JSBigInt also has m_sign to store the sign of [[BigIntData]] and
381         m_length that keeps track of BigInt length.
382         The implementation is following the V8 one. [[BigIntData]] is manipulated
383         by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
384         We also have some operations to support arithmetics over digits.
385
386         It is important to notice that on our representation,
387         JSBigInt::dataStorage()[0] represents the least significant digit and
388         JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.
389
390         We are also introducing in this patch the BigInt literals lexer and
391         syntax parsing support. The operation Strict Equals on BigInts is also being
392         implemented to enable tests.
393         These features are being implemented behind a runtime flag "--useBigInt" and
394         are disabled by default.
395
396         * JavaScriptCore.xcodeproj/project.pbxproj:
397         * Sources.txt:
398         * bytecode/CodeBlock.cpp:
399         * bytecompiler/BytecodeGenerator.cpp:
400         (JSC::BytecodeGenerator::emitEqualityOp):
401         (JSC::BytecodeGenerator::addBigIntConstant):
402         * bytecompiler/BytecodeGenerator.h:
403         (JSC::BytecodeGenerator::BigIntEntryHash::hash):
404         (JSC::BytecodeGenerator::BigIntEntryHash::equal):
405         * bytecompiler/NodesCodegen.cpp:
406         (JSC::BigIntNode::jsValue const):
407         * dfg/DFGAbstractInterpreterInlines.h:
408         (JSC::DFG::isToThisAnIdentity):
409         * interpreter/Interpreter.cpp:
410         (JSC::sizeOfVarargs):
411         * llint/LLIntData.cpp:
412         (JSC::LLInt::Data::performAssertions):
413         * llint/LowLevelInterpreter.asm:
414         * parser/ASTBuilder.h:
415         (JSC::ASTBuilder::createBigInt):
416         * parser/Lexer.cpp:
417         (JSC::Lexer<T>::parseBinary):
418         (JSC::Lexer<T>::parseOctal):
419         (JSC::Lexer<T>::parseDecimal):
420         (JSC::Lexer<T>::lex):
421         (JSC::Lexer<T>::parseHex): Deleted.
422         * parser/Lexer.h:
423         * parser/NodeConstructors.h:
424         (JSC::BigIntNode::BigIntNode):
425         * parser/Nodes.h:
426         (JSC::ExpressionNode::isBigInt const):
427         (JSC::BigIntNode::value):
428         * parser/Parser.cpp:
429         (JSC::Parser<LexerType>::parsePrimaryExpression):
430         * parser/ParserTokens.h:
431         * parser/ResultType.h:
432         (JSC::ResultType::definitelyIsBigInt const):
433         (JSC::ResultType::mightBeBigInt const):
434         (JSC::ResultType::isNotBigInt const):
435         (JSC::ResultType::addResultType):
436         (JSC::ResultType::bigIntType):
437         (JSC::ResultType::forAdd):
438         (JSC::ResultType::forLogicalOp):
439         * parser/SyntaxChecker.h:
440         (JSC::SyntaxChecker::createBigInt):
441         * runtime/CommonIdentifiers.h:
442         * runtime/JSBigInt.cpp: Added.
443         (JSC::JSBigInt::visitChildren):
444         (JSC::JSBigInt::JSBigInt):
445         (JSC::JSBigInt::initialize):
446         (JSC::JSBigInt::createStructure):
447         (JSC::JSBigInt::createZero):
448         (JSC::JSBigInt::allocationSize):
449         (JSC::JSBigInt::createWithLength):
450         (JSC::JSBigInt::finishCreation):
451         (JSC::JSBigInt::toPrimitive const):
452         (JSC::JSBigInt::singleDigitValueForString):
453         (JSC::JSBigInt::parseInt):
454         (JSC::JSBigInt::toString):
455         (JSC::JSBigInt::isZero):
456         (JSC::JSBigInt::inplaceMultiplyAdd):
457         (JSC::JSBigInt::digitAdd):
458         (JSC::JSBigInt::digitSub):
459         (JSC::JSBigInt::digitMul):
460         (JSC::JSBigInt::digitPow):
461         (JSC::JSBigInt::digitDiv):
462         (JSC::JSBigInt::internalMultiplyAdd):
463         (JSC::JSBigInt::equalToBigInt):
464         (JSC::JSBigInt::absoluteDivSmall):
465         (JSC::JSBigInt::calculateMaximumCharactersRequired):
466         (JSC::JSBigInt::toStringGeneric):
467         (JSC::JSBigInt::rightTrim):
468         (JSC::JSBigInt::allocateFor):
469         (JSC::JSBigInt::estimatedSize):
470         (JSC::JSBigInt::toNumber const):
471         (JSC::JSBigInt::getPrimitiveNumber const):
472         * runtime/JSBigInt.h: Added.
473         (JSC::JSBigInt::setSign):
474         (JSC::JSBigInt::sign const):
475         (JSC::JSBigInt::setLength):
476         (JSC::JSBigInt::length const):
477         (JSC::JSBigInt::parseInt):
478         (JSC::JSBigInt::offsetOfData):
479         (JSC::JSBigInt::dataStorage):
480         (JSC::JSBigInt::digit):
481         (JSC::JSBigInt::setDigit):
482         (JSC::asBigInt):
483         * runtime/JSCJSValue.cpp:
484         (JSC::JSValue::synthesizePrototype const):
485         (JSC::JSValue::toStringSlowCase const):
486         * runtime/JSCJSValue.h:
487         * runtime/JSCJSValueInlines.h:
488         (JSC::JSValue::isBigInt const):
489         (JSC::JSValue::strictEqualSlowCaseInline):
490         * runtime/JSCell.cpp:
491         (JSC::JSCell::put):
492         (JSC::JSCell::putByIndex):
493         (JSC::JSCell::toPrimitive const):
494         (JSC::JSCell::getPrimitiveNumber const):
495         (JSC::JSCell::toNumber const):
496         (JSC::JSCell::toObjectSlow const):
497         * runtime/JSCell.h:
498         * runtime/JSCellInlines.h:
499         (JSC::JSCell::isBigInt const):
500         * runtime/JSType.h:
501         * runtime/MathCommon.h:
502         (JSC::clz64):
503         * runtime/NumberPrototype.cpp:
504         * runtime/Operations.cpp:
505         (JSC::jsTypeStringForValue):
506         (JSC::jsIsObjectTypeOrNull):
507         * runtime/Options.h:
508         * runtime/ParseInt.h:
509         * runtime/SmallStrings.h:
510         (JSC::SmallStrings::typeString const):
511         * runtime/StructureInlines.h:
512         (JSC::prototypeForLookupPrimitiveImpl):
513         * runtime/TypeofType.cpp:
514         (WTF::printInternal):
515         * runtime/TypeofType.h:
516         * runtime/VM.cpp:
517         (JSC::VM::VM):
518         * runtime/VM.h:
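
The following is an added illustration, not JSC's JSBigInt: a small model of the representation the entry above describes. It assumes a sign flag plus a little-endian digit array (digit 0 least significant, last digit most significant), 32-bit digits with 64-bit intermediates (JSBigInt picks 64- or 32-bit digits per platform), a literal parser for the `10n`, `0x1Fn`, `0o17n` and `0b101n` forms built on a multiply-add over the digits, a printer built on division by a small divisor, and strict equality as a sign-and-digits comparison. Helper names are hypothetical.

```cpp
// Added example, not JavaScriptCore code: a little-endian digit model of a
// BigInt with the multiply-add used to parse a literal, the divide-by-small
// used to print it, and strict equality over sign and digits.
#include <cstdint>
#include <string>
#include <vector>

struct BigIntModel {
    bool sign = false;                 // m_sign: true when negative
    std::vector<uint32_t> digits;      // digits[0] is least significant; size() is m_length

    bool isZero() const { return digits.empty(); }
    uint32_t digit(size_t i) const { return digits[i]; }
    void setDigit(size_t i, uint32_t d) { digits[i] = d; }
    void rightTrim() { while (!digits.empty() && !digits.back()) digits.pop_back(); }

    // |this| = |this| * factor + summand, carrying from digit 0 upwards.
    void inplaceMultiplyAdd(uint32_t factor, uint32_t summand) {
        uint64_t carry = summand;
        for (uint32_t& d : digits) {
            const uint64_t product = uint64_t(d) * factor + carry;
            d = uint32_t(product);
            carry = product >> 32;
        }
        if (carry) digits.push_back(uint32_t(carry));
    }
    // |this| /= divisor, from the most significant digit down; returns the remainder.
    uint32_t absoluteDivSmall(uint32_t divisor) {
        uint64_t remainder = 0;
        for (size_t i = digits.size(); i-- > 0;) {
            const uint64_t cur = (remainder << 32) | digits[i];
            digits[i] = uint32_t(cur / divisor);
            remainder = cur % divisor;
        }
        rightTrim();
        return uint32_t(remainder);
    }
};

// Strict equality: same sign, same length, same digits (no numeric coercion).
inline bool strictEquals(const BigIntModel& a, const BigIntModel& b) {
    return a.sign == b.sign && a.digits == b.digits;
}

static int digitValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;
    return (c >= 'a' && c <= 'z') ? c - 'a' + 10 : -1;
}

// Lexer + parseInt in one: accepts 10n, 0x1Fn, 0o17n, 0b101n. A leading minus is
// a separate unary operator in the grammar, so it is not handled here. Returns
// false on what the lexer would reject: no n suffix, legacy octal such as 017n,
// an empty digit run, or a digit out of range for the radix.
bool parseBigIntLiteral(const std::string& literal, BigIntModel& out) {
    if (literal.size() < 2 || literal.back() != 'n') return false;
    const std::string body = literal.substr(0, literal.size() - 1);
    unsigned radix = 10;
    size_t pos = 0;
    if (body.size() > 1 && body[0] == '0') {
        const char prefix = body[1] | 0x20;
        if (prefix == 'x') radix = 16;
        else if (prefix == 'o') radix = 8;
        else if (prefix == 'b') radix = 2;
        else return false;
        pos = 2;
    }
    if (pos >= body.size()) return false;
    out = BigIntModel{};
    for (; pos < body.size(); ++pos) {
        const int v = digitValue(body[pos]);
        if (v < 0 || unsigned(v) >= radix) return false;
        out.inplaceMultiplyAdd(radix, uint32_t(v));
    }
    out.rightTrim();   // keeps the invariant that the top digit is non-zero
    return true;
}

// Repeated division by the radix yields digits least significant first.
std::string toString(const BigIntModel& value, unsigned radix = 10) {
    if (value.isZero()) return "0";
    BigIntModel work = value;   // absoluteDivSmall is destructive
    std::string out;
    while (!work.isZero())
        out.push_back("0123456789abcdefghijklmnopqrstuvwxyz"[work.absoluteDivSmall(radix)]);
    if (value.sign) out.push_back('-');
    return std::string(out.rbegin(), out.rend());
}
```

Feeding `18446744073709551616n` (2^64) through the parser gives three digits `{0, 0, 1}`, which is the point of the little-endian layout: the carry simply appends a new most significant digit rather than shifting the array. Printing walks the digits the other way, dividing from the top, and every remainder comes out least significant first, so the string is reversed at the end.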
519
520 2017-12-12  Guillaume Emont  <guijemont@igalia.com>
521
522         LLInt: reserve 16 bytes of stack on MIPS for native calls
523         https://bugs.webkit.org/show_bug.cgi?id=180653
524
525         Reviewed by Carlos Alberto Lopez Perez.
526
527         * llint/LowLevelInterpreter32_64.asm:
528         On MIPS, subtract 24 from the stack pointer (16 for calling
529         convention + 8 to be 16-aligned) instead of the 8 on other platforms
530         (for alignment).
531
532 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
533
534         [WTF] Thread::create should have Thread::tryCreate
535         https://bugs.webkit.org/show_bug.cgi?id=180333
536
537         Reviewed by Darin Adler.
538
539         * assembler/testmasm.cpp:
540         (JSC::run):
541         * b3/air/testair.cpp:
542         * b3/testb3.cpp:
543         (JSC::B3::run):
544         * jsc.cpp:
545         (functionDollarAgentStart):
546
547 2017-12-11  Michael Saboff  <msaboff@apple.com>
548
549         REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
550         https://bugs.webkit.org/show_bug.cgi?id=180685
551
552         Reviewed by Saam Barati.
553
554         The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
555         the character class check to return true without reading the character.  Given that
556         the character could be a surrogate pair, we need to read the character even if we
557         don't have to check it.
558
559         * yarr/YarrInterpreter.cpp:
560         (JSC::Yarr::Interpreter::testCharacterClass):
561         (JSC::Yarr::Interpreter::checkCharacterClass):
562
563 2017-12-11  Saam Barati  <sbarati@apple.com>
564
565         We need to disableCaching() in ErrorInstance when we materialize properties
566         https://bugs.webkit.org/show_bug.cgi?id=180343
567         <rdar://problem/35833002>
568
569         Reviewed by Mark Lam.
570
571         This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
572         on puts() to a property that we lazily materialized. Forgetting to do this goes against the
573         PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
574         from a Structure A to a Structure B. However, we were telling the IC that we were caching an
575         existing property only found on Structure B. This is obviously wrong as it would lead to an
576         OOB store if we didn't already crash when generating the IC.
577
578         * jit/Repatch.cpp:
579         (JSC::tryCachePutByID):
580         * runtime/ErrorInstance.cpp:
581         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
582         (JSC::ErrorInstance::put):
583         * runtime/ErrorInstance.h:
584         * runtime/Structure.cpp:
585         (JSC::Structure::didCachePropertyReplacement):
586
587 2017-12-11  Fujii Hironori  <Hironori.Fujii@sony.com>
588
589         [WinCairo] DLLLauncherMain should use SetDllDirectory
590         https://bugs.webkit.org/show_bug.cgi?id=180642
591
592         Reviewed by Alex Christensen.
593
594         Windows has icuuc.dll in the system directory. WebKit should find
595         the one in the WebKitLibraries directory, not the one in the system directory.
596
597         * shell/DLLLauncherMain.cpp:
598         (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
599
600 2017-12-11  Eric Carlson  <eric.carlson@apple.com>
601
602         Web Inspector: Optionally log WebKit log parameters as JSON
603         https://bugs.webkit.org/show_bug.cgi?id=180529
604         <rdar://problem/35909462>
605
606         Reviewed by Joseph Pecoraro.
607
608         * inspector/ConsoleMessage.cpp:
609         (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
610         values. Concatenate all adjacent strings to make logging cleaner.
611         (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
612         (Inspector::ConsoleMessage::scriptState const):
613         * inspector/ConsoleMessage.h:
614
615         * inspector/InjectedScript.cpp:
616         (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
617         * inspector/InjectedScript.h:
618         * inspector/InjectedScriptSource.js:
619         (let.InjectedScript.prototype.wrapJSONString):
620
621 2017-12-11  Joseph Pecoraro  <pecoraro@apple.com>
622
623         Remove unused builtin names
624         https://bugs.webkit.org/show_bug.cgi?id=180673
625
626         Reviewed by Keith Miller.
627
628         * builtins/BuiltinNames.h:
629
630 2017-12-11  David Quesada  <david_quesada@apple.com>
631
632         Turn on ENABLE_APPLICATION_MANIFEST
633         https://bugs.webkit.org/show_bug.cgi?id=180562
634         rdar://problem/35924737
635
636         Reviewed by Geoffrey Garen.
637
638         * Configurations/FeatureDefines.xcconfig:
639
640 2017-12-10  Filip Pizlo  <fpizlo@apple.com>
641
642         Harden a few assertions in GC sweep
643         https://bugs.webkit.org/show_bug.cgi?id=180634
644
645         Reviewed by Saam Barati.
646         
647         This turns one dynamic check into a release assertion and upgrades another assertion to a release
648         assertion.
649
650         * heap/MarkedBlock.cpp:
651         (JSC::MarkedBlock::Handle::sweep):
652
653 2017-12-10  Konstantin Tokarev  <annulen@yandex.ru>
654
655         [python] Modernize "except" usage for python3 compatibility
656         https://bugs.webkit.org/show_bug.cgi?id=180612
657
658         Reviewed by Michael Catanzaro.
659
660         * inspector/scripts/generate-inspector-protocol-bindings.py:
661
662 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
663
664         InferredType should not use UnconditionalFinalizer
665         https://bugs.webkit.org/show_bug.cgi?id=180456
666
667         Reviewed by Saam Barati.
668         
669         This turns InferredStructure into a cell so that we can unconditionally finalize them without
670         having to add things to the UnconditionalFinalizer list. I'm removing all uses of
671         UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
672         them are a top cause of lock contention in the parallel GC. Also, we don't need those data
673         structures if we use IsoSubspaces, subspace iteration, and marking constraints.
674
675         * JavaScriptCore.xcodeproj/project.pbxproj:
676         * Sources.txt:
677         * heap/Heap.cpp:
678         (JSC::Heap::finalizeUnconditionalFinalizers):
679         * heap/Heap.h:
680         * runtime/InferredStructure.cpp: Added.
681         (JSC::InferredStructure::create):
682         (JSC::InferredStructure::destroy):
683         (JSC::InferredStructure::createStructure):
684         (JSC::InferredStructure::visitChildren):
685         (JSC::InferredStructure::finalizeUnconditionally):
686         (JSC::InferredStructure::InferredStructure):
687         (JSC::InferredStructure::finishCreation):
688         * runtime/InferredStructure.h: Added.
689         * runtime/InferredStructureWatchpoint.cpp: Added.
690         (JSC::InferredStructureWatchpoint::fireInternal):
691         * runtime/InferredStructureWatchpoint.h: Added.
692         * runtime/InferredType.cpp:
693         (JSC::InferredType::visitChildren):
694         (JSC::InferredType::willStoreValueSlow):
695         (JSC::InferredType::makeTopSlow):
696         (JSC::InferredType::set):
697         (JSC::InferredType::removeStructure):
698         (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
699         (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
700         (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
701         * runtime/InferredType.h:
702         * runtime/VM.cpp:
703         (JSC::VM::VM):
704         * runtime/VM.h:
705
706 2017-12-09  Konstantin Tokarev  <annulen@yandex.ru>
707
708         [python] Replace print >> operator with print() function for python3 compatibility
709         https://bugs.webkit.org/show_bug.cgi?id=180611
710
711         Reviewed by Michael Catanzaro.
712
713         * Scripts/make-js-file-arrays.py:
714         (main):
715
716 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
717
718         ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
719         https://bugs.webkit.org/show_bug.cgi?id=180520
720         <rdar://problem/35900764>
721
722         Reviewed by Brian Burg.
723
724         * inspector/protocol/ServiceWorker.json:
725         Include content script content in the initialization info.
726
727 2017-12-08  Konstantin Tokarev  <annulen@yandex.ru>
728
729         [python] Replace print operator with print() function for python3 compatibility
730         https://bugs.webkit.org/show_bug.cgi?id=180592
731
732         Reviewed by Michael Catanzaro.
733
734         * Scripts/generateYarrUnicodePropertyTables.py:
735         (openOrExit):
736         (verifyUCDFilesExist):
737         (Aliases.parsePropertyAliasesFile):
738         (Aliases.parsePropertyValueAliasesFile):
739         * Scripts/make-js-file-arrays.py:
740         (main):
741         * generate-bytecode-files:
742
743 2017-12-08  Mark Lam  <mark.lam@apple.com>
744
745         Need to unpoison native function pointers for CLoop.
746         https://bugs.webkit.org/show_bug.cgi?id=180601
747         <rdar://problem/35942028>
748
749         Reviewed by JF Bastien.
750
751         * llint/LowLevelInterpreter64.asm:
752
753 2017-12-08  Michael Saboff  <msaboff@apple.com>
754
755         YARR: JIT RegExps with greedy parenthesized sub patterns
756         https://bugs.webkit.org/show_bug.cgi?id=180538
757
758         Reviewed by JF Bastien.
759
760         This patch adds JIT support for regular expressions containing greedy counted
761         parentheses.  An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
762
763         Just like in the interpreter, expressions with nested parenthetical subpatterns
764         require saving the results of previous matches of the parentheses contents along
765         with any associated state.  This saved state is needed in the case that we need
766         to backtrack.  This state is called ParenContext within the code.  Space allocated
767         for this ParenContext is managed using a simple block allocator within the JIT'ed
768         code.  The raw space managed by this allocator is passed into the JIT'ed function.
769
770         Since this fixed sized space may be exceeded, this patch adds a fallback mechanism.
771         If the JIT'ed code exhausts all its ParenContext space, it returns a new error
772         JSRegExpJITCodeFailure.  The caller will then bytecompile and interpret the
773         expression.
774
775         Due to increased register usage by the parenthesis handling code, the use of
776         registers by the JIT engine was restructured, with registers used for Unicode
777         pattern matching replaced with constants.
778
779         Reworked some of the context structures that are used across the interpreter
780         and JIT implementations to make them a little more uniform and to handle the
781         needs of JIT'ing the new parentheses forms.
782
783         To help with development and debugging of this code, compiled patterns dumping
784         code was enhanced.  Also added the ability to dump interpreter ByteCodes.
785
786         * runtime/RegExp.cpp:
787         (JSC::byteCodeCompilePattern):
788         (JSC::RegExp::byteCodeCompileIfNecessary):
789         (JSC::RegExp::compile):
790         (JSC::RegExp::compileMatchOnly):
791         * runtime/RegExp.h:
792         * runtime/RegExpInlines.h:
793         (JSC::RegExp::matchInline):
794         * testRegExp.cpp:
795         (parseRegExpLine):
796         (runFromFiles):
797         * yarr/Yarr.h:
798         * yarr/YarrInterpreter.cpp:
799         (JSC::Yarr::ByteCompiler::compile):
800         (JSC::Yarr::ByteCompiler::dumpDisjunction):
801         * yarr/YarrJIT.cpp:
802         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
803         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
804         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
805         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
806         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
807         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
808         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
809         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
810         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
811         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
812         (JSC::Yarr::YarrGenerator::allocatePatternContext):
813         (JSC::Yarr::YarrGenerator::freePatternContext):
814         (JSC::Yarr::YarrGenerator::savePatternContext):
815         (JSC::Yarr::YarrGenerator::restorePatternContext):
816         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
817         (JSC::Yarr::YarrGenerator::storeToFrame):
818         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
819         (JSC::Yarr::YarrGenerator::clearMatches):
820         (JSC::Yarr::YarrGenerator::generate):
821         (JSC::Yarr::YarrGenerator::backtrack):
822         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
823         (JSC::Yarr::YarrGenerator::generateEnter):
824         (JSC::Yarr::YarrGenerator::generateReturn):
825         (JSC::Yarr::YarrGenerator::YarrGenerator):
826         (JSC::Yarr::YarrGenerator::compile):
827         * yarr/YarrJIT.h:
828         (JSC::Yarr::YarrCodeBlock::execute):
829         * yarr/YarrPattern.cpp:
830         (JSC::Yarr::indentForNestingLevel):
831         (JSC::Yarr::dumpUChar32):
832         (JSC::Yarr::dumpCharacterClass):
833         (JSC::Yarr::PatternTerm::dump):
834         (JSC::Yarr::YarrPattern::dumpPattern):
835         * yarr/YarrPattern.h:
836         (JSC::Yarr::PatternTerm::containsAnyCaptures):
837         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
838         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
839         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
840         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
841         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
842         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
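
        The bounded ParenContext allocator and the interpreter fallback this entry describes, as an added example (not JSC's Yarr JIT code): a fixed-capacity free list hands out backtracking records from caller-provided space, reports exhaustion instead of overflowing, and the caller then falls back to an interpreter-style matcher. The ParenContext layout, MatchStatus, and the two matchers are hypothetical names; the matched pattern is /q(a|b)*a/, a sibling of the entry's /q(a|b)*q/ chosen so that backtracking is exercised.

```cpp
// Added example (not JSC's Yarr JIT code): a fixed-capacity free-list allocator standing
// in for the ParenContext block allocator described above, plus the fallback the entry
// describes: when the space runs out the JIT-style matcher reports failure and the caller
// interprets instead. All names (ParenContext layout, MatchStatus, matchers) are hypothetical.
#include <cstddef>
#include <string>
#include <vector>

struct ParenContext {
    ParenContext* next;    // free-list link, or the previously saved context
    size_t begin;          // input position at which this group iteration started
};

class ParenContextAllocator {
public:
    // The raw space is handed in by the caller, as the JIT'ed function receives its
    // buffer; the allocator never reaches outside it and never grows it.
    ParenContextAllocator(ParenContext* slots, size_t count) : m_free(nullptr)
    {
        for (size_t i = count; i-- > 0;) { slots[i].next = m_free; m_free = &slots[i]; }
    }
    ParenContext* allocate()
    {
        if (!m_free) return nullptr;   // exhausted: report it, never write past the end
        ParenContext* ctx = m_free;
        m_free = ctx->next;
        return ctx;
    }
    void release(ParenContext* ctx) { ctx->next = m_free; m_free = ctx; }
private:
    ParenContext* m_free;
};

static void releaseChain(ParenContext* head, ParenContextAllocator& allocator)
{
    while (head) { ParenContext* prev = head->next; allocator.release(head); head = prev; }
}

enum MatchStatus { MatchFound, NoMatch, JITCodeFailure };
struct MatchOutcome { MatchStatus status; size_t matchEnd; bool fellBack; };

// JIT-style greedy matcher for /q(a|b)*a/ anchored at input[0] (a sibling of the entry's
// /q(a|b)*q/, chosen so that backtracking actually happens). One ParenContext is saved
// per group iteration so that iterations can be given back one at a time.
MatchStatus matchJitStyle(const std::string& input, ParenContextAllocator& allocator, size_t& matchEnd)
{
    if (input.empty() || input[0] != 'q') return NoMatch;
    size_t pos = 1;
    ParenContext* head = nullptr;
    // Greedy phase: consume as many (a|b) as possible, saving state per iteration.
    while (pos < input.size() && (input[pos] == 'a' || input[pos] == 'b')) {
        ParenContext* ctx = allocator.allocate();
        if (!ctx) { releaseChain(head, allocator); return JITCodeFailure; }
        ctx->begin = pos++;
        ctx->next = head;
        head = ctx;
    }
    // Tail: an 'a' must follow. If it does not, give back one iteration and retry.
    MatchStatus status = NoMatch;
    for (;;) {
        if (pos < input.size() && input[pos] == 'a') { matchEnd = pos + 1; status = MatchFound; break; }
        if (!head) break;
        pos = head->begin;
        ParenContext* prev = head->next; allocator.release(head); head = prev;
    }
    releaseChain(head, allocator);
    return status;
}

// Interpreter-style fallback: same algorithm, but the saved state lives in a growable
// heap vector rather than the fixed ParenContext space.
MatchStatus interpret(const std::string& input, size_t& matchEnd)
{
    if (input.empty() || input[0] != 'q') return NoMatch;
    size_t pos = 1;
    std::vector<size_t> begins;
    while (pos < input.size() && (input[pos] == 'a' || input[pos] == 'b')) begins.push_back(pos++);
    for (;;) {
        if (pos < input.size() && input[pos] == 'a') { matchEnd = pos + 1; return MatchFound; }
        if (begins.empty()) return NoMatch;
        pos = begins.back(); begins.pop_back();
    }
}

// Caller policy from the entry: run the JIT path with a fixed budget of contextSlots; on
// JITCodeFailure (JSRegExpJITCodeFailure in JSC) byte-compile and interpret instead.
MatchOutcome matchWithFallback(const std::string& input, size_t contextSlots)
{
    std::vector<ParenContext> space(contextSlots);   // the "raw space" passed to the JIT'ed code
    ParenContextAllocator allocator(space.data(), contextSlots);
    MatchOutcome outcome = { NoMatch, 0, false };
    outcome.status = matchJitStyle(input, allocator, outcome.matchEnd);
    if (outcome.status == JITCodeFailure) {
        outcome.fellBack = true;
        outcome.status = interpret(input, outcome.matchEnd);
    }
    return outcome;
}
```

With a two-slot budget, the constructed input "qabababa" exhausts the ParenContext space on the third group iteration and is answered by the interpreter; with eight slots the same input matches on the JIT-style path after one backtrack step.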
843
844 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
845
846         Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
847         https://bugs.webkit.org/show_bug.cgi?id=180590
848         <rdar://problem/35882767>
849
850         Reviewed by Mark Lam.
851
852         * inspector/agents/InspectorConsoleAgent.cpp:
853         (Inspector::InspectorConsoleAgent::enable):
854         Swap the messages to a Vector that won't change during iteration.
855
856 2017-12-08  Michael Saboff  <msaboff@apple.com>
857
858         YARR: Coalesce constructed character classes
859         https://bugs.webkit.org/show_bug.cgi?id=180537
860
861         Reviewed by JF Bastien.
862
863         When adding characters or character ranges to a character class being constructed,
864         we now coalesce adjacent characters and character ranges.  When we create a
865         character class after construction is complete, we do a final coalescing pass
866         across the character list and ranges to catch any remaining coalescing
867         opportunities.
868
869         Added an optimization for character classes that will match any character.
870         This is somewhat common in code created before the /s (dotAll) flag was added
871         to the engine.
872
873         * yarr/YarrInterpreter.cpp:
874         (JSC::Yarr::Interpreter::checkCharacterClass):
875         * yarr/YarrJIT.cpp:
876         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
877         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
878         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
879         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
880         * yarr/YarrPattern.cpp:
881         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
882         (JSC::Yarr::CharacterClassConstructor::reset):
883         (JSC::Yarr::CharacterClassConstructor::charClass):
884         (JSC::Yarr::CharacterClassConstructor::addSorted):
885         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
886         (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
887         (JSC::Yarr::CharacterClassConstructor::coalesceTables):
888         (JSC::Yarr::CharacterClassConstructor::anyCharacter):
889         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
890         (JSC::Yarr::PatternTerm::dump):
891         (JSC::Yarr::anycharCreate):
892         * yarr/YarrPattern.h:
893         (JSC::Yarr::CharacterClass::CharacterClass):
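
        The incremental and final coalescing this entry describes, as an added example (not JSC's Yarr code): a character-class builder that merges adjacent characters and ranges as they are added, runs one more merge pass when the class is finalized, and flags a class that covers every code point so matching can short-circuit. Names are hypothetical; YARR's CharacterClassConstructor additionally keeps separate ASCII and non-ASCII tables and handles case folding.

```cpp
// Added example (not JSC's Yarr code): a character-class builder that coalesces adjacent
// characters and ranges as they are added, runs a final merge pass when the class is
// finalized, and flags the "matches any character" case this entry adds. Names are
// hypothetical; YARR's CharacterClassConstructor also keeps separate ASCII/non-ASCII
// tables and handles case folding.
#include <algorithm>
#include <cstdint>
#include <utility>
#include <vector>

typedef int32_t UChar32;
static const UChar32 kMaxCodePoint = 0x10FFFF;

struct CharRange { UChar32 begin; UChar32 end; };   // inclusive on both ends

struct CharacterClass {
    std::vector<CharRange> ranges;   // sorted, non-overlapping, non-adjacent
    bool anyCharacter;               // true when the class covers every code point

    bool matches(UChar32 c) const
    {
        if (anyCharacter) return true;   // the fast path the entry adds
        // Binary search for the first range whose end >= c, then check its begin.
        size_t lo = 0, hi = ranges.size();
        while (lo < hi) {
            size_t mid = lo + (hi - lo) / 2;
            if (ranges[mid].end < c) lo = mid + 1; else hi = mid;
        }
        return lo < ranges.size() && ranges[lo].begin <= c;
    }
};

// Final coalescing pass: sort, then merge ranges that overlap or abut. It accepts any
// input, so it is the "catch any remaining opportunities" step run at construction end.
std::vector<CharRange> coalesce(std::vector<CharRange> ranges)
{
    std::sort(ranges.begin(), ranges.end(),
        [](const CharRange& a, const CharRange& b) { return a.begin < b.begin; });
    std::vector<CharRange> out;
    for (const CharRange& r : ranges) {
        if (!out.empty() && r.begin <= out.back().end + 1)
            out.back().end = std::max(out.back().end, r.end);   // extend previous range
        else
            out.push_back(r);
    }
    return out;
}

class CharacterClassBuilder {
public:
    void add(UChar32 c) { addRange(c, c); }

    // Incremental coalescing: keep m_ranges sorted and fold the new range into every
    // existing range it overlaps or touches (cf. YARR's addSortedRange/mergeRangesFrom).
    void addRange(UChar32 begin, UChar32 end)
    {
        if (begin > end) std::swap(begin, end);
        CharRange r = { begin, end };
        std::vector<CharRange> merged;
        bool inserted = false;
        for (const CharRange& existing : m_ranges) {
            if (existing.end + 1 < r.begin)           // entirely before r: keep as is
                merged.push_back(existing);
            else if (r.end + 1 < existing.begin) {    // entirely after r: emit r first
                if (!inserted) { merged.push_back(r); inserted = true; }
                merged.push_back(existing);
            } else {                                   // overlap or adjacency: absorb
                r.begin = std::min(r.begin, existing.begin);
                r.end = std::max(r.end, existing.end);
            }
        }
        if (!inserted) merged.push_back(r);
        m_ranges.swap(merged);
    }

    CharacterClass finalize() const
    {
        CharacterClass cls;
        cls.ranges = coalesce(m_ranges);
        cls.anyCharacter = cls.ranges.size() == 1
            && cls.ranges[0].begin == 0 && cls.ranges[0].end == kMaxCodePoint;
        return cls;
    }

private:
    std::vector<CharRange> m_ranges;
};

// Constructed inputs for the checks below (not from the original entry).
CharacterClass classFromChars()   // 'a','c','b' coalesce into [a-c]; 'x' stays separate
{ CharacterClassBuilder b; b.add('a'); b.add('c'); b.add('b'); b.add('x'); return b.finalize(); }
CharacterClass classFromRanges()  // [a-f] + [d-z] + [A-Z] -> [A-Z], [a-z]
{ CharacterClassBuilder b; b.addRange('a', 'f'); b.addRange('d', 'z'); b.addRange('A', 'Z'); return b.finalize(); }
CharacterClass classMatchingAnything()   // two abutting halves of the code space
{ CharacterClassBuilder b; b.addRange(0, 0xFFFF); b.addRange(0x10000, kMaxCodePoint); return b.finalize(); }
std::vector<CharRange> coalesceDemo()    // unsorted, touching pieces of [1-30]
{ return coalesce({ { 10, 20 }, { 1, 5 }, { 21, 30 }, { 6, 9 } }); }
```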
894
895 2017-12-07  Saam Barati  <sbarati@apple.com>
896
897         Modify our dollar VM clflush intrinsic to aid in some perf testing
898         https://bugs.webkit.org/show_bug.cgi?id=180559
899
900         Reviewed by Mark Lam.
901
902         * tools/JSDollarVM.cpp:
903         (JSC::functionCpuClflush):
904         (JSC::functionDeltaBetweenButterflies):
905         (JSC::JSDollarVM::finishCreation):
906
907 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
908
909         Simplify log channel configuration UI
910         https://bugs.webkit.org/show_bug.cgi?id=180527
911         <rdar://problem/35908382>
912
913         Reviewed by Joseph Pecoraro.
914
915         * inspector/protocol/Console.json:
916
917 2017-12-07  Mark Lam  <mark.lam@apple.com>
918
919         Apply poisoning to some native code pointers.
920         https://bugs.webkit.org/show_bug.cgi?id=180541
921         <rdar://problem/35916875>
922
923         Reviewed by Filip Pizlo.
924
925         Renamed g_classInfoPoison to g_globalDataPoison.
926         Renamed g_masmPoison to g_jitCodePoison.
927         Introduced g_nativeCodePoison.
928         Applied g_nativeCodePoison to poisoning some native code pointers.
929
930         Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
931         to malloc allocated data structures (where needed).
932
933         * API/JSCallbackFunction.h:
934         (JSC::JSCallbackFunction::functionCallback):
935         * JavaScriptCore.xcodeproj/project.pbxproj:
936         * jit/ThunkGenerators.cpp:
937         (JSC::nativeForGenerator):
938         * llint/LowLevelInterpreter64.asm:
939         * runtime/CustomGetterSetter.h:
940         (JSC::CustomGetterSetter::getter const):
941         (JSC::CustomGetterSetter::setter const):
942         * runtime/InternalFunction.cpp:
943         (JSC::InternalFunction::getCallData):
944         (JSC::InternalFunction::getConstructData):
945         * runtime/InternalFunction.h:
946         (JSC::InternalFunction::nativeFunctionFor):
947         * runtime/JSCPoison.h: Added.
948         * runtime/JSCPoisonedPtr.cpp:
949         (JSC::initializePoison):
950         * runtime/JSCPoisonedPtr.h:
951         * runtime/Lookup.h:
952         * runtime/NativeExecutable.cpp:
953         (JSC::NativeExecutable::hashFor const):
954         * runtime/NativeExecutable.h:
955         * runtime/Structure.cpp:
956         (JSC::StructureTransitionTable::setSingleTransition):
957         * runtime/StructureTransitionTable.h:
958         (JSC::StructureTransitionTable::StructureTransitionTable):
959         (JSC::StructureTransitionTable::isUsingSingleSlot const):
960         (JSC::StructureTransitionTable::map const):
961         (JSC::StructureTransitionTable::weakImpl const):
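
        The per-kind pointer poisoning this entry applies, as an added example (not JSC's own code): XOR poisoning with one key per pointer kind, mirroring the split into g_globalDataPoison, g_jitCodePoison and g_nativeCodePoison, plus a check that catches a raw pointer stored into a slot that should hold a poisoned one. Every type and function name here is hypothetical, and the fixed-seed key derivation stands in for the engine's random initialization.

```cpp
// Added example (not JSC's own code): XOR pointer poisoning with one key per pointer
// kind, in the spirit of JSC's Poisoned<> (JSCPoisonedPtr.h) and the g_*Poison values
// the entry above renames and introduces. Every name here is hypothetical.
#include <cstdint>
#include <cstdio>

static_assert(sizeof(uintptr_t) == 8, "this demo assumes 64-bit pointers");

// One poison per pointer kind (cf. g_globalDataPoison / g_jitCodePoison /
// g_nativeCodePoison). A value stored as one kind cannot be consumed as another
// kind without also knowing that second key.
enum PoisonKind { GlobalDataPoison = 0, JitCodePoison = 1, NativeCodePoison = 2, PoisonKindCount = 3 };

static uintptr_t g_poisons[PoisonKindCount];

// splitmix64 with a fixed seed stands in for the CSPRNG a real engine seeds from at
// startup (JSC: initializePoison); it keeps this demo reproducible.
static uint64_t splitmix64(uint64_t& state)
{
    uint64_t z = (state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

void initializePoisons(uint64_t seed)
{
    uint64_t state = seed;
    for (int i = 0; i < PoisonKindCount; ++i) {
        // Force the top 16 bits and the low bit on: XORing a canonical user-space
        // address with such a key gives a non-canonical, misaligned value, so a
        // poisoned pointer used without unpoisoning faults instead of pointing at
        // attacker-controlled memory. Unpoisoning with the wrong kind's key gives an
        // address offset by the XOR of two secret keys, which cannot be predicted.
        g_poisons[i] = static_cast<uintptr_t>(splitmix64(state) | 0xFFFF000000000001ULL);
    }
}

template<PoisonKind Kind, typename T>
class Poisoned {
public:
    Poisoned() : m_bits(0) { }
    explicit Poisoned(T* ptr)
        : m_bits(ptr ? reinterpret_cast<uintptr_t>(ptr) ^ g_poisons[Kind] : 0) { }

    // Only code that names the right kind recovers the real pointer.
    T* unpoisoned() const { return m_bits ? reinterpret_cast<T*>(m_bits ^ g_poisons[Kind]) : nullptr; }
    uintptr_t bits() const { return m_bits; }   // what actually sits in memory

private:
    uintptr_t m_bits;
};

// Integrity check for a slot that should hold a poisoned pointer: with the keys above
// a poisoned value has its top 16 bits set, while a raw user-space address has them
// clear. A clear top half means a raw pointer was stored into a poisoned slot (or the
// slot was overwritten); a debug assertion on this catches the mistake early.
bool looksPoisoned(uintptr_t bits)
{
    return bits == 0 || (bits >> 48) == 0xFFFF;
}

// Self-checks on constructed data. A real pointer is only dereferenced after proper
// unpoisoning; the raw-looking address below is a constructed value, never touched.
bool roundTripRecoversPointer()
{
    initializePoisons(0x5EED);
    static int target = 42;
    Poisoned<NativeCodePoison, int> p(&target);
    return p.unpoisoned() == &target && *p.unpoisoned() == 42
        && p.bits() != reinterpret_cast<uintptr_t>(&target);
}

bool wrongKindDoesNotRecoverPointer()
{
    initializePoisons(0x5EED);
    static int target = 7;
    Poisoned<NativeCodePoison, int> p(&target);
    uintptr_t misread = p.bits() ^ g_poisons[JitCodePoison];   // consumed as the wrong kind
    return g_poisons[JitCodePoison] != g_poisons[NativeCodePoison]
        && misread != reinterpret_cast<uintptr_t>(&target);
}

bool rawPointerInPoisonedSlotIsDetected()
{
    initializePoisons(0x5EED);
    static int target = 1;
    Poisoned<GlobalDataPoison, int> p(&target);
    const uintptr_t rawLooking = 0x00007F00DEADB000ULL;   // constructed, never dereferenced
    return looksPoisoned(p.bits()) && !looksPoisoned(rawLooking);
}

int main()
{
    std::printf("round trip %d, wrong kind %d, raw slot detected %d\n",
        roundTripRecoversPointer(), wrongKindDoesNotRecoverPointer(), rawPointerInPoisonedSlotIsDetected());
    return 0;
}
```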
962         (JSC::StructureTransitionTable::setMap):
963
964 2017-12-07  Joseph Pecoraro  <pecoraro@apple.com>
965
966         Web Inspector: Fix style in remote inspector classes
967         https://bugs.webkit.org/show_bug.cgi?id=180545
968
969         Reviewed by Youenn Fablet.
970
971         * inspector/remote/RemoteControllableTarget.h:
972         * inspector/remote/RemoteInspectionTarget.h:
973         * runtime/JSGlobalObjectDebuggable.h:
974
975 2017-12-07  Per Arne Vollan  <pvollan@apple.com>
976
977         Use fastAlignedFree to free aligned memory.
978         https://bugs.webkit.org/show_bug.cgi?id=180540
979
980         Reviewed by Saam Barati.
981
982         * heap/IsoAlignedMemoryAllocator.cpp:
983         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
984
985 2017-12-07  Matt Lewis  <jlewis3@apple.com>
986
987         Unreviewed, rolling out r225634.
988
989         This caused layout tests to time out.
990
991         Reverted changeset:
992
993         "Simplify log channel configuration UI"
994         https://bugs.webkit.org/show_bug.cgi?id=180527
995         https://trac.webkit.org/changeset/225634
996
997 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
998
999         Simplify log channel configuration UI
1000         https://bugs.webkit.org/show_bug.cgi?id=180527
1001         <rdar://problem/35908382>
1002
1003         Reviewed by Joseph Pecoraro.
1004
1005         * inspector/protocol/Console.json:
1006
1007 2017-12-07  Mark Lam  <mark.lam@apple.com>
1008
1009         [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
1010         https://bugs.webkit.org/show_bug.cgi?id=180514
1011
1012         Reviewed by Saam Barati and JF Bastien.
1013
1014         Re-landing r225620 with speculative build fix for GCC 7.
1015
1016         * API/JSCallbackObject.h:
1017         * API/JSObjectRef.cpp:
1018         (classInfoPrivate):
1019         * JavaScriptCore.xcodeproj/project.pbxproj:
1020         * Sources.txt:
1021         * assembler/MacroAssemblerCodeRef.h:
1022         (JSC::FunctionPtr::FunctionPtr):
1023         (JSC::FunctionPtr::value const):
1024         (JSC::FunctionPtr::executableAddress const):
1025         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1026         (JSC::ReturnAddressPtr::value const):
1027         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1028         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1029         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1030         (JSC::MacroAssemblerCodePtr:: const):
1031         (JSC::MacroAssemblerCodePtr::operator! const):
1032         (JSC::MacroAssemblerCodePtr::operator== const):
1033         (JSC::MacroAssemblerCodePtr::emptyValue):
1034         (JSC::MacroAssemblerCodePtr::deletedValue):
1035         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1036         * b3/B3LowerMacros.cpp:
1037         * b3/testb3.cpp:
1038         (JSC::B3::testInterpreter):
1039         * dfg/DFGSpeculativeJIT.cpp:
1040         (JSC::DFG::SpeculativeJIT::checkArray):
1041         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1042         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1043         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1044         * ftl/FTLLowerDFGToB3.cpp:
1045         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1046         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1047         * jit/AssemblyHelpers.h:
1048         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1049         * jit/SpecializedThunkJIT.h:
1050         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1051         * jit/ThunkGenerators.cpp:
1052         (JSC::virtualThunkFor):
1053         (JSC::boundThisNoArgsFunctionCallGenerator):
1054         * llint/LLIntSlowPaths.cpp:
1055         (JSC::LLInt::handleHostCall):
1056         (JSC::LLInt::setUpCall):
1057         * llint/LowLevelInterpreter64.asm:
1058         * runtime/InitializeThreading.cpp:
1059         (JSC::initializeThreading):
1060         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1061         (JSC::initializePoison):
1062         (JSC::initializeScrambledPtrKeys): Deleted.
1063         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1064         * runtime/JSCScrambledPtr.cpp: Removed.
1065         * runtime/JSCScrambledPtr.h: Removed.
1066         * runtime/JSDestructibleObject.h:
1067         (JSC::JSDestructibleObject::classInfo const):
1068         * runtime/JSSegmentedVariableObject.h:
1069         (JSC::JSSegmentedVariableObject::classInfo const):
1070         * runtime/Structure.h:
1071         * runtime/VM.h:
1072
1073 2017-12-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1074
1075         Unreviewed, rolling out r225620
1076         https://bugs.webkit.org/show_bug.cgi?id=180514
1077         <rdar://problem/35901694>
1078
1079         It broke the build with GCC 7, and I don't know how to fix it.
1080
1081         * API/JSCallbackObject.h:
1082         * API/JSObjectRef.cpp:
1083         (classInfoPrivate):
1084         * JavaScriptCore.xcodeproj/project.pbxproj:
1085         * Sources.txt:
1086         * assembler/MacroAssemblerCodeRef.h:
1087         (JSC::FunctionPtr::FunctionPtr):
1088         (JSC::FunctionPtr::value const):
1089         (JSC::FunctionPtr::executableAddress const):
1090         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1091         (JSC::ReturnAddressPtr::value const):
1092         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1093         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1094         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
1095         (JSC::MacroAssemblerCodePtr:: const):
1096         (JSC::MacroAssemblerCodePtr::operator! const):
1097         (JSC::MacroAssemblerCodePtr::operator== const):
1098         (JSC::MacroAssemblerCodePtr::emptyValue):
1099         (JSC::MacroAssemblerCodePtr::deletedValue):
1100         (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
1101         * b3/B3LowerMacros.cpp:
1102         * b3/testb3.cpp:
1103         (JSC::B3::testInterpreter):
1104         * dfg/DFGSpeculativeJIT.cpp:
1105         (JSC::DFG::SpeculativeJIT::checkArray):
1106         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1107         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1108         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1109         * ftl/FTLLowerDFGToB3.cpp:
1110         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1111         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1112         * jit/AssemblyHelpers.h:
1113         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1114         * jit/SpecializedThunkJIT.h:
1115         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1116         * jit/ThunkGenerators.cpp:
1117         (JSC::virtualThunkFor):
1118         (JSC::boundThisNoArgsFunctionCallGenerator):
1119         * llint/LLIntSlowPaths.cpp:
1120         (JSC::LLInt::handleHostCall):
1121         (JSC::LLInt::setUpCall):
1122         * llint/LowLevelInterpreter64.asm:
1123         * runtime/InitializeThreading.cpp:
1124         (JSC::initializeThreading):
1125         * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
1126         (JSC::initializeScrambledPtrKeys):
1127         * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
1128         * runtime/JSDestructibleObject.h:
1129         (JSC::JSDestructibleObject::classInfo const):
1130         * runtime/JSSegmentedVariableObject.h:
1131         (JSC::JSSegmentedVariableObject::classInfo const):
1132         * runtime/Structure.h:
1133         * runtime/VM.h:
1134
1135 2017-12-06  Mark Lam  <mark.lam@apple.com>
1136
1137         Refactoring: Rename ScrambledPtr to Poisoned.
1138         https://bugs.webkit.org/show_bug.cgi?id=180514
1139
1140         Reviewed by Saam Barati.
1141
1142         * API/JSCallbackObject.h:
1143         * API/JSObjectRef.cpp:
1144         (classInfoPrivate):
1145         * JavaScriptCore.xcodeproj/project.pbxproj:
1146         * Sources.txt:
1147         * assembler/MacroAssemblerCodeRef.h:
1148         (JSC::FunctionPtr::FunctionPtr):
1149         (JSC::FunctionPtr::value const):
1150         (JSC::FunctionPtr::executableAddress const):
1151         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1152         (JSC::ReturnAddressPtr::value const):
1153         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1154         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1155         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1156         (JSC::MacroAssemblerCodePtr:: const):
1157         (JSC::MacroAssemblerCodePtr::operator! const):
1158         (JSC::MacroAssemblerCodePtr::operator== const):
1159         (JSC::MacroAssemblerCodePtr::emptyValue):
1160         (JSC::MacroAssemblerCodePtr::deletedValue):
1161         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1162         * b3/B3LowerMacros.cpp:
1163         * b3/testb3.cpp:
1164         (JSC::B3::testInterpreter):
1165         * dfg/DFGSpeculativeJIT.cpp:
1166         (JSC::DFG::SpeculativeJIT::checkArray):
1167         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1168         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1169         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1170         * ftl/FTLLowerDFGToB3.cpp:
1171         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1172         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1173         * jit/AssemblyHelpers.h:
1174         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1175         * jit/SpecializedThunkJIT.h:
1176         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1177         * jit/ThunkGenerators.cpp:
1178         (JSC::virtualThunkFor):
1179         (JSC::boundThisNoArgsFunctionCallGenerator):
1180         * llint/LLIntSlowPaths.cpp:
1181         (JSC::LLInt::handleHostCall):
1182         (JSC::LLInt::setUpCall):
1183         * llint/LowLevelInterpreter64.asm:
1184         * runtime/InitializeThreading.cpp:
1185         (JSC::initializeThreading):
1186         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1187         (JSC::initializePoison):
1188         (JSC::initializeScrambledPtrKeys): Deleted.
1189         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1190         * runtime/JSCScrambledPtr.cpp: Removed.
1191         * runtime/JSCScrambledPtr.h: Removed.
1192         * runtime/JSDestructibleObject.h:
1193         (JSC::JSDestructibleObject::classInfo const):
1194         * runtime/JSSegmentedVariableObject.h:
1195         (JSC::JSSegmentedVariableObject::classInfo const):
1196         * runtime/Structure.h:
1197         * runtime/VM.h:
1198
1199 2017-12-02  Darin Adler  <darin@apple.com>
1200
1201         Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
1202         https://bugs.webkit.org/show_bug.cgi?id=180009
1203
1204         Reviewed by Alex Christensen.
1205
1206         * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
1207         * bytecode/CodeBlock.cpp: Ditto.
1208         * bytecode/ExecutionCounter.cpp: Ditto.
1209         * runtime/ConfigFile.cpp: Ditto.
1210         * runtime/DatePrototype.cpp: Ditto.
1211         * runtime/IndexingType.cpp: Ditto.
1212         * runtime/JSCJSValue.cpp: Ditto.
1213         * runtime/JSDateMath.cpp: Ditto.
1214         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
1215         * runtime/Options.cpp: Ditto.
1216         (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
1217
1218 2017-12-06  Saam Barati  <sbarati@apple.com>
1219
1220         ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
1221         https://bugs.webkit.org/show_bug.cgi?id=180438
1222         <rdar://problem/35862342>
1223
1224         Reviewed by Yusuke Suzuki.
1225
1226         A couple of inspector methods that take stack traces need
1227         to grab the JSLock.
1228
1229         * inspector/ScriptCallStackFactory.cpp:
1230         (Inspector::createScriptCallStack):
1231         (Inspector::createScriptCallStackForConsole):
1232
1233 2017-12-05  Stephan Szabo  <stephan.szabo@sony.com>
1234
1235         Switch windows build to Visual Studio 2017
1236         https://bugs.webkit.org/show_bug.cgi?id=172412
1237
1238         Reviewed by Per Arne Vollan.
1239
1240         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1241
1242 2017-12-05  JF Bastien  <jfbastien@apple.com>
1243
1244         WebAssembly: don't eagerly checksum
1245         https://bugs.webkit.org/show_bug.cgi?id=180441
1246         <rdar://problem/35156628>
1247
1248         Reviewed by Saam Barati.
1249
1250         Make checksumming of module optional for now. The bots think the
1251         checksum hurt compile-time. I'd measured it and couldn't see a
1252         difference, and still can't at this point in time, but we'll see
1253         if disabling it fixes the bots. If so then I can make it lazy upon
1254         first backtrace construction, or I can try out MD5 instead of
1255         SHA1.
1256
1257         * runtime/Options.h:
1258         * wasm/WasmModuleInformation.cpp:
1259         (JSC::Wasm::ModuleInformation::ModuleInformation):
1260         * wasm/WasmModuleInformation.h:
1261         * wasm/WasmNameSection.h:
1262         (JSC::Wasm::NameSection::NameSection):
1263
1264 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
1265
1266         IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
1267         https://bugs.webkit.org/show_bug.cgi?id=180425
1268
1269         Reviewed by Saam Barati.
1270         
1271         Failure to do so causes leaks after starting workers.
1272
1273         * heap/IsoAlignedMemoryAllocator.cpp:
1274         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1275         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
1276
1277 2017-12-05  Per Arne Vollan  <pvollan@apple.com>
1278
1279         [Win64] Compile error in testmasm.cpp.
1280         https://bugs.webkit.org/show_bug.cgi?id=180436
1281
1282         Reviewed by Mark Lam.
1283
1284         Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
1285         
1286         * assembler/testmasm.cpp:
1287         (JSC::testGetEffectiveAddress):
1288
1289 2017-12-01  Filip Pizlo  <fpizlo@apple.com>
1290
1291         GC constraint solving should be parallel
1292         https://bugs.webkit.org/show_bug.cgi?id=179934
1293
1294         Reviewed by JF Bastien.
1295         
1296         This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
1297         speed-up. It's more than 1% on trunk-Speedometer.
1298         
1299         The constraint solver supports running constraints in parallel in two different ways:
1300         
1301         - Run multiple constraints in parallel to each other. This only works for constraints that can
1302           tolerate other constraints running concurrently to them (constraint.concurrency() ==
1303           ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
1304           constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
1305           could probably make them concurrent, but I'm playing it safe for now.
1306         
1307         - A constraint can create parallel work for itself, which the constraint solver will interleave
1308           with other stuff. A constraint can report that it has parallel work by returning
1309           ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
1310           constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
1311           for as long as that function wants to run.
1312         
1313         It's not possible to have a non-concurrent constraint that creates parallel work.
1314         
1315         The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
1316         most natural for two reasons:
1317         
1318         - No need to start any other threads.
1319         
1320         - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
1321           access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
1322           create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
1323           thread, that thread will have work it can start doing immediately. Before this change, we had to
1324           contribute the work found by the constraint solver to the global worklist so that it could be
1325           distributed to the marker threads by load balancing. This change probably helps to avoid that
1326           load balancing step.
1327         
1328         A lot of this change is about making it easy to iterate GC data structures in parallel. This
1329         change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
1330         the parallel work API. That constraint iterates the marked cells in two subspaces. This change
1331         makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
1332         The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
1333         iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
1334         RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
1335         when it returns a falsish version of ... (in the current code, that's always a pointer type, so
1336         done is indicated by null).
1337         
1338         * API/JSMarkingConstraintPrivate.cpp:
1339         (JSContextGroupAddMarkingConstraint):
1340         * API/JSVirtualMachine.mm:
1341         (scanExternalObjectGraph):
1342         (scanExternalRememberedSet):
1343         * JavaScriptCore.xcodeproj/project.pbxproj:
1344         * Sources.txt:
1345         * bytecode/AccessCase.cpp:
1346         (JSC::AccessCase::propagateTransitions const):
1347         * bytecode/CodeBlock.cpp:
1348         (JSC::CodeBlock::visitWeakly):
1349         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1350         (JSC::shouldMarkTransition):
1351         (JSC::CodeBlock::propagateTransitions):
1352         (JSC::CodeBlock::determineLiveness):
1353         * dfg/DFGWorklist.cpp:
1354         * ftl/FTLCompile.cpp:
1355         (JSC::FTL::compile):
1356         * heap/ConstraintParallelism.h: Added.
1357         (WTF::printInternal):
1358         * heap/Heap.cpp:
1359         (JSC::Heap::Heap):
1360         (JSC::Heap::addToRememberedSet):
1361         (JSC::Heap::runFixpointPhase):
1362         (JSC::Heap::stopThePeriphery):
1363         (JSC::Heap::resumeThePeriphery):
1364         (JSC::Heap::addCoreConstraints):
1365         (JSC::Heap::setBonusVisitorTask):
1366         (JSC::Heap::runTaskInParallel):
1367         (JSC::Heap::forEachSlotVisitor): Deleted.
1368         * heap/Heap.h:
1369         (JSC::Heap::worldIsRunning const):
1370         (JSC::Heap::runFunctionInParallel):
1371         * heap/HeapInlines.h:
1372         (JSC::Heap::worldIsStopped const):
1373         (JSC::Heap::isMarked):
1374         (JSC::Heap::incrementDeferralDepth):
1375         (JSC::Heap::decrementDeferralDepth):
1376         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1377         (JSC::Heap::forEachSlotVisitor):
1378         (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
1379         (JSC::Heap::isMarkedConcurrently): Deleted.
1380         * heap/HeapSnapshotBuilder.cpp:
1381         (JSC::HeapSnapshotBuilder::appendNode):
1382         * heap/LargeAllocation.h:
1383         (JSC::LargeAllocation::isMarked):
1384         (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
1385         * heap/LockDuringMarking.h:
1386         (JSC::lockDuringMarking):
1387         * heap/MarkedAllocator.cpp:
1388         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
1389         * heap/MarkedAllocator.h:
1390         * heap/MarkedBlock.h:
1391         (JSC::MarkedBlock::aboutToMark):
1392         (JSC::MarkedBlock::isMarked):
1393         (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
1394         (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
1395         * heap/MarkedSpace.h:
1396         (JSC::MarkedSpace::activeWeakSetsBegin):
1397         (JSC::MarkedSpace::activeWeakSetsEnd):
1398         (JSC::MarkedSpace::newActiveWeakSetsBegin):
1399         (JSC::MarkedSpace::newActiveWeakSetsEnd):
1400         * heap/MarkingConstraint.cpp:
1401         (JSC::MarkingConstraint::MarkingConstraint):
1402         (JSC::MarkingConstraint::execute):
1403         (JSC::MarkingConstraint::quickWorkEstimate):
1404         (JSC::MarkingConstraint::workEstimate):
1405         (JSC::MarkingConstraint::doParallelWork):
1406         (JSC::MarkingConstraint::finishParallelWork):
1407         (JSC::MarkingConstraint::doParallelWorkImpl):
1408         (JSC::MarkingConstraint::finishParallelWorkImpl):
1409         * heap/MarkingConstraint.h:
1410         (JSC::MarkingConstraint::lastExecuteParallelism const):
1411         (JSC::MarkingConstraint::parallelism const):
1412         (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
1413         (JSC::MarkingConstraint::workEstimate): Deleted.
1414         * heap/MarkingConstraintSet.cpp:
1415         (JSC::MarkingConstraintSet::MarkingConstraintSet):
1416         (JSC::MarkingConstraintSet::add):
1417         (JSC::MarkingConstraintSet::executeConvergence):
1418         (JSC::MarkingConstraintSet::executeConvergenceImpl):
1419         (JSC::MarkingConstraintSet::executeAll):
1420         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
1421         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
1422         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
1423         (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
1424         (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
1425         (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
1426         (): Deleted.
1427         * heap/MarkingConstraintSet.h:
1428         * heap/MarkingConstraintSolver.cpp: Added.
1429         (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
1430         (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
1431         (JSC::MarkingConstraintSolver::didVisitSomething const):
1432         (JSC::MarkingConstraintSolver::execute):
1433         (JSC::MarkingConstraintSolver::drain):
1434         (JSC::MarkingConstraintSolver::converge):
1435         (JSC::MarkingConstraintSolver::runExecutionThread):
1436         (JSC::MarkingConstraintSolver::didExecute):
1437         * heap/MarkingConstraintSolver.h: Added.
1438         * heap/OpaqueRootSet.h: Removed.
1439         * heap/ParallelSourceAdapter.h: Added.
1440         (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
1441         (JSC::createParallelSourceAdapter):
1442         * heap/SimpleMarkingConstraint.cpp: Added.
1443         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
1444         (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
1445         (JSC::SimpleMarkingConstraint::quickWorkEstimate):
1446         (JSC::SimpleMarkingConstraint::executeImpl):
1447         * heap/SimpleMarkingConstraint.h: Added.
1448         * heap/SlotVisitor.cpp:
1449         (JSC::SlotVisitor::didStartMarking):
1450         (JSC::SlotVisitor::reset):
1451         (JSC::SlotVisitor::appendToMarkStack):
1452         (JSC::SlotVisitor::visitChildren):
1453         (JSC::SlotVisitor::updateMutatorIsStopped):
1454         (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
1455         (JSC::SlotVisitor::drain):
1456         (JSC::SlotVisitor::performIncrementOfDraining):
1457         (JSC::SlotVisitor::didReachTermination):
1458         (JSC::SlotVisitor::hasWork):
1459         (JSC::SlotVisitor::drainFromShared):
1460         (JSC::SlotVisitor::drainInParallelPassively):
1461         (JSC::SlotVisitor::waitForTermination):
1462         (JSC::SlotVisitor::addOpaqueRoot): Deleted.
1463         (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
1464         (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
1465         (JSC::SlotVisitor::mergeIfNecessary): Deleted.
1466         (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
1467         (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
1468         * heap/SlotVisitor.h:
1469         * heap/SlotVisitorInlines.h:
1470         (JSC::SlotVisitor::addOpaqueRoot):
1471         (JSC::SlotVisitor::containsOpaqueRoot const):
1472         (JSC::SlotVisitor::vm):
1473         (JSC::SlotVisitor::vm const):
1474         * heap/Subspace.cpp:
1475         (JSC::Subspace::parallelAllocatorSource):
1476         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
1477         * heap/Subspace.h:
1478         * heap/SubspaceInlines.h:
1479         (JSC::Subspace::forEachMarkedCellInParallel):
1480         * heap/VisitCounter.h: Added.
1481         (JSC::VisitCounter::VisitCounter):
1482         (JSC::VisitCounter::visitCount const):
1483         * heap/VisitingTimeout.h: Removed.
1484         * heap/WeakBlock.cpp:
1485         (JSC::WeakBlock::specializedVisit):
1486         * runtime/Structure.cpp:
1487         (JSC::Structure::isCheapDuringGC):
1488         (JSC::Structure::markIfCheap):
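Added example (not JavaScriptCore code) of the parallel-source composition the entry above describes: a source is a callable whose atomic next() returns nullptr when exhausted, and an adapter composes an outer source of blocks with per-block cell iteration so several worker threads can drain one cell source. The Block/Cell types, the ParallelSource alias and all function names are assumptions for illustration, not JSC's API.

```cpp
// Added example, not JavaScriptCore code: a minimal model of "parallel sources".
// A source's next() is atomic and returns a falsish value (nullptr) when done, so
// any number of threads can pull from the same source without extra coordination.
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Toy heap layout (assumed): a block owns cells; a subspace owns blocks.
struct Cell { int id = 0; std::atomic<int> visits{0}; };
struct Block { std::vector<Cell> cells; };

// Shared, callable, refcounted source: stands in for RefPtr<SharedTask<T*()>>.
template<typename T>
using ParallelSource = std::shared_ptr<std::function<T*()>>;

// Source over a vector using an atomic cursor, so next() is a single fetch_add.
template<typename T>
ParallelSource<T> makeVectorSource(std::vector<T>& items)
{
    auto cursor = std::make_shared<std::atomic<size_t>>(0);
    return std::make_shared<std::function<T*()>>([&items, cursor]() -> T* {
        size_t i = cursor->fetch_add(1);
        return i < items.size() ? &items[i] : nullptr;   // nullptr == exhausted
    });
}

// Adapter: pulls one outer item, hands out its inner items, then pulls the next.
// The lock makes "advance inner index or fetch next outer" one atomic step.
template<typename Inner, typename Outer, typename InnerOf>
ParallelSource<Inner> adaptParallelSource(ParallelSource<Outer> outer, InnerOf innerOf)
{
    struct State { std::mutex lock; std::vector<Inner>* current = nullptr; size_t index = 0; };
    auto state = std::make_shared<State>();
    return std::make_shared<std::function<Inner*()>>([outer, innerOf, state]() -> Inner* {
        std::lock_guard<std::mutex> guard(state->lock);
        for (;;) {
            if (state->current && state->index < state->current->size())
                return &(*state->current)[state->index++];
            Outer* next = (*outer)();
            if (!next)
                return nullptr;            // outer exhausted: composite is done too
            state->current = innerOf(next); // empty inner vectors are simply skipped
            state->index = 0;
        }
    });
}

// Every worker drains the same source until it reports nullptr.
template<typename T, typename Work>
void runInParallel(ParallelSource<T> source, unsigned threadCount, Work work)
{
    std::vector<std::thread> threads;
    for (unsigned i = 0; i < threadCount; ++i)
        threads.emplace_back([source, &work]() { while (T* item = (*source)()) work(*item); });
    for (auto& thread : threads)
        thread.join();
}

// Builds blockCount x cellsPerBlock cells, visits them with threadCount workers,
// and returns true iff every cell was visited exactly once (no misses, no dups).
bool visitAllCellsExactlyOnce(size_t blockCount, size_t cellsPerBlock, unsigned threadCount)
{
    std::vector<Block> blocks(blockCount);
    int nextId = 0;
    for (auto& block : blocks) {
        block.cells = std::vector<Cell>(cellsPerBlock);
        for (auto& cell : block.cells)
            cell.id = nextId++;
    }
    ParallelSource<Block> blockSource = makeVectorSource(blocks);
    ParallelSource<Cell> cellSource =
        adaptParallelSource<Cell>(blockSource, [](Block* block) { return &block->cells; });
    runInParallel<Cell>(cellSource, threadCount, [](Cell& cell) { cell.visits.fetch_add(1); });
    for (auto& block : blocks)
        for (auto& cell : block.cells)
            if (cell.visits.load() != 1)
                return false;
    return true;
}

int main()
{
    std::printf("8 blocks x 16 cells, 4 workers: %s\n",
        visitAllCellsExactlyOnce(8, 16, 4) ? "every cell visited once" : "MISMATCH");
    return 0;
}
```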
1489
1490 2017-12-04  JF Bastien  <jfbastien@apple.com>
1491
1492         Math: don't redundantly check for exceptions, just release scope
1493         https://bugs.webkit.org/show_bug.cgi?id=180395
1494
1495         Rubber stamped by Mark Lam.
1496
1497         Two of the exceptions checks could just have been exception scope
1498         releases before the return, which is ever-so-slightly more
1499         efficient. The same technically applies where we have loops over
1500         parameters, but doing the scope release there isn't really more
1501         efficient and is way harder to read.
1502
1503         * runtime/MathObject.cpp:
1504         (JSC::mathProtoFuncATan2):
1505         (JSC::mathProtoFuncPow):
1506
1507 2017-12-04  David Quesada  <david_quesada@apple.com>
1508
1509         Add a class for parsing application manifests
1510         https://bugs.webkit.org/show_bug.cgi?id=177973
1511         rdar://problem/34747949
1512
1513         Reviewed by Geoffrey Garen.
1514
1515         * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
1516
1517 2017-12-04  JF Bastien  <jfbastien@apple.com>
1518
1519         Update std::expected to match libc++ coding style
1520         https://bugs.webkit.org/show_bug.cgi?id=180264
1521
1522         Reviewed by Alex Christensen.
1523
1524         Update various uses of Expected.
1525
1526         * wasm/WasmModule.h:
1527         * wasm/WasmModuleParser.cpp:
1528         (JSC::Wasm::ModuleParser::parseImport):
1529         (JSC::Wasm::ModuleParser::parseTableHelper):
1530         (JSC::Wasm::ModuleParser::parseTable):
1531         (JSC::Wasm::ModuleParser::parseMemoryHelper):
1532         * wasm/WasmParser.h:
1533         * wasm/generateWasmValidateInlinesHeader.py:
1534         (loadMacro):
1535         (storeMacro):
1536         * wasm/js/JSWebAssemblyModule.cpp:
1537         (JSC::JSWebAssemblyModule::createStub):
1538         * wasm/js/JSWebAssemblyModule.h:
1539
1540 2017-12-04  Saam Barati  <sbarati@apple.com>
1541
1542         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1543         https://bugs.webkit.org/show_bug.cgi?id=180366
1544         <rdar://problem/35685877>
1545
1546         Reviewed by Michael Saboff.
1547
1548         On the TailCall slow path, the CallFrameShuffler will build the frame with
1549         respect to SP instead of FP. However, this may overwrite slots on the stack
1550         that are needed if the slow path C call does a stack walk. The slow path
1551         C call does a stack walk when it throws an exception. This patch fixes
1552         this bug by ensuring that the top of the stack in the FTL always has enough
1553         space to allow CallFrameShuffler to build a frame without overwriting any
1554         items on the stack that are needed when doing a stack walk.
1555
1556         * ftl/FTLLowerDFGToB3.cpp:
1557         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1558
1559 2017-12-04  Devin Rousso  <webkit@devinrousso.com>
1560
1561         Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
1562         https://bugs.webkit.org/show_bug.cgi?id=175166
1563         <rdar://problem/34040740>
1564
1565         Reviewed by Joseph Pecoraro.
1566
1567         * inspector/protocol/Recording.json:
1568         Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
1569
1570         * inspector/JSGlobalObjectConsoleClient.h:
1571         * inspector/JSGlobalObjectConsoleClient.cpp:
1572         (Inspector::JSGlobalObjectConsoleClient::record):
1573         (Inspector::JSGlobalObjectConsoleClient::recordEnd):
1574
1575         * runtime/ConsoleClient.h:
1576         * runtime/ConsoleObject.cpp:
1577         (JSC::ConsoleObject::finishCreation):
1578         (JSC::consoleProtoFuncRecord):
1579         (JSC::consoleProtoFuncRecordEnd):
1580
1581 2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1582
1583         WTF shouldn't have both Thread and ThreadIdentifier
1584         https://bugs.webkit.org/show_bug.cgi?id=180308
1585
1586         Reviewed by Darin Adler.
1587
1588         * heap/MachineStackMarker.cpp:
1589         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1590         * llint/LLIntSlowPaths.cpp:
1591         (JSC::LLInt::llint_trace_operand):
1592         (JSC::LLInt::llint_trace_value):
1593         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1594         (JSC::LLInt::traceFunctionPrologue):
1595         * runtime/ExceptionScope.cpp:
1596         (JSC::ExceptionScope::unexpectedExceptionMessage):
1597         * runtime/JSLock.h:
1598         (JSC::JSLock::currentThreadIsHoldingLock):
1599         * runtime/VM.cpp:
1600         (JSC::VM::throwException):
1601         * runtime/VM.h:
1602         (JSC::VM::throwingThread const):
1603         (JSC::VM::clearException):
1604         * tools/HeapVerifier.cpp:
1605         (JSC::HeapVerifier::printVerificationHeader):
1606
1607 2017-12-03  Caio Lima  <ticaiolima@gmail.com>
1608
1609         Rename DestroyFunc to avoid redefinition on unified build
1610         https://bugs.webkit.org/show_bug.cgi?id=180335
1611
1612         Reviewed by Filip Pizlo.
1613
1614         Changing DestroyFunc structures to more specific names to avoid
1615           conflicts on unified builds.
1616
1617         * heap/HeapCellType.cpp:
1618         (JSC::HeapCellType::finishSweep):
1619         (JSC::HeapCellType::destroy):
1620         * runtime/JSDestructibleObjectHeapCellType.cpp:
1621         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
1622         (JSC::JSDestructibleObjectHeapCellType::destroy):
1623         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
1624         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
1625         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
1626         * runtime/JSStringHeapCellType.cpp:
1627         (JSC::JSStringHeapCellType::finishSweep):
1628         (JSC::JSStringHeapCellType::destroy):
1629         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
1630         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
1631         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
1632
1633 2017-12-01  JF Bastien  <jfbastien@apple.com>
1634
1635         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1636         https://bugs.webkit.org/show_bug.cgi?id=180297
1637         <rdar://problem/35745556>
1638
1639         Reviewed by Mark Lam.
1640
1641         * runtime/MathObject.cpp:
1642         (JSC::mathProtoFuncATan2):
1643         (JSC::mathProtoFuncMax):
1644         (JSC::mathProtoFuncMin):
1645         (JSC::mathProtoFuncPow):
1646
1647 2017-12-01  Mark Lam  <mark.lam@apple.com>
1648
1649         Let's scramble ClassInfo pointers in cells.
1650         https://bugs.webkit.org/show_bug.cgi?id=180291
1651         <rdar://problem/35807620>
1652
1653         Reviewed by JF Bastien.
1654
1655         * API/JSCallbackObject.h:
1656         * API/JSObjectRef.cpp:
1657         (classInfoPrivate):
1658         * JavaScriptCore.xcodeproj/project.pbxproj:
1659         * Sources.txt:
1660         * assembler/MacroAssemblerCodeRef.cpp:
1661         (JSC::MacroAssemblerCodePtr::initialize): Deleted.
1662         * assembler/MacroAssemblerCodeRef.h:
1663         (JSC::MacroAssemblerCodePtr:: const):
1664         (JSC::MacroAssemblerCodePtr::hash const):
1665         * dfg/DFGSpeculativeJIT.cpp:
1666         (JSC::DFG::SpeculativeJIT::checkArray):
1667         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1668         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1669         * ftl/FTLLowerDFGToB3.cpp:
1670         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1671         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1672         * jit/AssemblyHelpers.h:
1673         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1674         * jit/SpecializedThunkJIT.h:
1675         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1676         * runtime/InitializeThreading.cpp:
1677         (JSC::initializeThreading):
1678         * runtime/JSCScrambledPtr.cpp: Added.
1679         (JSC::initializeScrambledPtrKeys):
1680         * runtime/JSCScrambledPtr.h: Added.
1681         * runtime/JSDestructibleObject.h:
1682         (JSC::JSDestructibleObject::classInfo const):
1683         * runtime/JSSegmentedVariableObject.h:
1684         (JSC::JSSegmentedVariableObject::classInfo const):
1685         * runtime/Structure.h:
1686         * runtime/VM.h:
1687
1688 2017-12-01  Brian Burg  <bburg@apple.com>
1689
1690         Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
1691         https://bugs.webkit.org/show_bug.cgi?id=173662
1692
1693         Reviewed by Joseph Pecoraro.
1694
1695         Adopt new type names. Fix protocol generator to use correct type names.
1696
1697         * inspector/ConsoleMessage.cpp:
1698         (Inspector::ConsoleMessage::addToFrontend):
1699         Improve namings and use 'auto' when the type is obvious and repeated.
1700
1701         * inspector/ContentSearchUtilities.cpp:
1702         (Inspector::ContentSearchUtilities::searchInTextByLines):
1703         * inspector/ContentSearchUtilities.h:
1704         * inspector/InjectedScript.cpp:
1705         (Inspector::InjectedScript::getProperties):
1706         (Inspector::InjectedScript::getDisplayableProperties):
1707         (Inspector::InjectedScript::getInternalProperties):
1708         (Inspector::InjectedScript::getCollectionEntries):
1709         (Inspector::InjectedScript::wrapCallFrames const):
1710         * inspector/InjectedScript.h:
1711         * inspector/InspectorProtocolTypes.h:
1712         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
1713         (Inspector::Protocol::Array::Array): Deleted.
1714         (Inspector::Protocol::Array::openAccessors): Deleted.
1715         (Inspector::Protocol::Array::addItem): Deleted.
1716         (Inspector::Protocol::Array::create): Deleted.
1717         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
1718         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
1719         Move the implementation out of this file.
1720
1721         * inspector/ScriptCallStack.cpp:
1722         (Inspector::ScriptCallStack::buildInspectorArray const):
1723         * inspector/ScriptCallStack.h:
1724         * inspector/agents/InspectorAgent.cpp:
1725         (Inspector::InspectorAgent::activateExtraDomain):
1726         (Inspector::InspectorAgent::activateExtraDomains):
1727         * inspector/agents/InspectorAgent.h:
1728         * inspector/agents/InspectorConsoleAgent.cpp:
1729         (Inspector::InspectorConsoleAgent::getLoggingChannels):
1730         * inspector/agents/InspectorConsoleAgent.h:
1731         * inspector/agents/InspectorDebuggerAgent.cpp:
1732         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1733         (Inspector::InspectorDebuggerAgent::searchInContent):
1734         (Inspector::InspectorDebuggerAgent::currentCallFrames):
1735         * inspector/agents/InspectorDebuggerAgent.h:
1736         * inspector/agents/InspectorRuntimeAgent.cpp:
1737         (Inspector::InspectorRuntimeAgent::getProperties):
1738         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1739         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1740         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1741         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1742         * inspector/agents/InspectorRuntimeAgent.h:
1743         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1744         (Inspector::buildSamples):
1745         Use more 'auto' and rename a variable.
1746
1747         * inspector/scripts/codegen/cpp_generator.py:
1748         (CppGenerator.cpp_protocol_type_for_type):
1749         Adopt new type names. This exposed a latent bug where we should have been
1750         unwrapping an AliasedType prior to generating a C++ type for it. The aliased
1751         type may be an array, in which case we would have generated the wrong type.
1752
1753         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1754         (_generate_typedefs_for_domain.JSON):
1755         (_generate_typedefs_for_domain.Inspector): Deleted.
1756         * inspector/scripts/codegen/objc_generator.py:
1757         (ObjCGenerator.protocol_type_for_type):
1758         (ObjCGenerator.objc_protocol_export_expression_for_variable):
1759         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1760         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1761         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1762         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1763         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1764         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1765         Rebaseline.
1766
1767         * runtime/TypeSet.cpp:
1768         (JSC::TypeSet::allStructureRepresentations const):
1769         (JSC::StructureShape::inspectorRepresentation):
1770         * runtime/TypeSet.h:
1771
1772 2017-12-01  Saam Barati  <sbarati@apple.com>
1773
1774         Having a bad time needs to handle ArrayClass indexing type as well
1775         https://bugs.webkit.org/show_bug.cgi?id=180274
1776         <rdar://problem/35667869>
1777
1778         Reviewed by Keith Miller and Mark Lam.
1779
1780         We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
1781         Otherwise, we'll end up with the wrong Structure, which will lead us to not
1782         adhere to the spec. The bug was that we were not considering ArrayClass inside 
1783         hasBrokenIndexing. This patch rewrites that function to automatically opt
1784         in non-empty indexing types as broken, instead of having to opt out all
1785         non-empty indexing types besides SlowPutArrayStorage.
1786
1787         * runtime/IndexingType.h:
1788         (JSC::hasSlowPutArrayStorage):
1789         (JSC::shouldUseSlowPut):
1790         * runtime/JSGlobalObject.cpp:
1791         * runtime/JSObject.cpp:
1792         (JSC::JSObject::switchToSlowPutArrayStorage):
1793
1794 2017-12-01  JF Bastien  <jfbastien@apple.com>
1795
1796         WebAssembly: stack trace improvement follow-ups
1797         https://bugs.webkit.org/show_bug.cgi?id=180273
1798
1799         Reviewed by Saam Barati.
1800
1801         * wasm/WasmIndexOrName.cpp:
1802         (JSC::Wasm::makeString):
1803         * wasm/WasmIndexOrName.h:
1804         (JSC::Wasm::IndexOrName::nameSection const):
1805         * wasm/WasmNameSection.h:
1806         (JSC::Wasm::NameSection::NameSection):
1807         (JSC::Wasm::NameSection::get):
1808
1809 2017-12-01  JF Bastien  <jfbastien@apple.com>
1810
1811         WebAssembly: restore cached stack limit after out-call
1812         https://bugs.webkit.org/show_bug.cgi?id=179106
1813         <rdar://problem/35337525>
1814
1815         Reviewed by Saam Barati.
1816
1817         We cache the stack limit on the Instance so that we can do fast
1818         stack checks where required. In regular usage the stack limit
1819         never changes because we always run on the same thread, but in
1820         rare cases an API user can totally migrate which thread (and
1821         therefore stack) is used for execution between WebAssembly
1822         traces. For that reason we set the cached stack limit to
1823         UINTPTR_MAX on the outgoing Instance when transitioning back into
1824         a different Instance. We usually restore the cached stack limit in
1825         Context::store, but this wasn't called on all code paths. We had a
1826         bug where an Instance calling into itself indirectly would
1827         therefore fail to restore its cached stack limit properly.
1828
1829         This patch therefore restores the cached stack limit after direct
1830         calls which could be to imports (both wasm->wasm and
1831         wasm->embedder). We have to do all of them because we have no way
1832         of knowing what imports will do (they're known at instantiation
1833         time, not compilation time, and different instances can have
1834         different imports). To make this efficient we also add a pointer
1835         to the canonical location of the stack limit (i.e. the extra
1836         indirection we're trying to save by caching the stack limit on the
1837         Instance in the first place). This is potentially a small perf hit
1838         on imported direct calls.
1839
1840         It's hard to say what the performance cost will be because we
1841         haven't seen much code in the wild which does this. We're adding
1842         two dependent loads and a store of the loaded value, which is
1843         unlikely to get used soon after. It's more code, but on an
1844         out-of-order processor it doesn't contribute to the critical path.
1845
1846         * wasm/WasmB3IRGenerator.cpp:
1847         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1848         (JSC::Wasm::B3IRGenerator::addGrowMemory):
1849         (JSC::Wasm::B3IRGenerator::addCall):
1850         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1851         * wasm/WasmInstance.cpp:
1852         (JSC::Wasm::Instance::Instance):
1853         (JSC::Wasm::Instance::create):
1854         * wasm/WasmInstance.h:
1855         (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
1856         (JSC::Wasm::Instance::cachedStackLimit const):
1857         (JSC::Wasm::Instance::setCachedStackLimit):
1858         * wasm/js/JSWebAssemblyInstance.cpp:
1859         (JSC::JSWebAssemblyInstance::create):
1860         * wasm/js/WebAssemblyFunction.cpp:
1861         (JSC::callWebAssemblyFunction):
1862
1863 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1864
1865         [JSC] Use JSFixedArray for op_new_array_buffer
1866         https://bugs.webkit.org/show_bug.cgi?id=180084
1867
1868         Reviewed by Saam Barati.
1869
1870         For op_new_array_buffer, we have a special constant buffer in CodeBlock.
1871         But using JSFixedArray is better because,
1872
1873         1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
1874            If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as JS constant.
1875
1876         2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
1877            has JSFixedArray, we can just emit a held JSFixedArray.
1878
1879         3. We can reduce length of op_new_array_buffer since JSFixedArray holds this.
1880
1881         4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
1882
1883         5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
1884            DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
1885            will be introduced in [1].
1886
1887         [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
1888
1889         * bytecode/BytecodeDumper.cpp:
1890         (JSC::BytecodeDumper<Block>::dumpBytecode):
1891         * bytecode/BytecodeList.json:
1892         * bytecode/BytecodeUseDef.h:
1893         (JSC::computeUsesForBytecodeOffset):
1894         * bytecode/CodeBlock.cpp:
1895         (JSC::CodeBlock::finishCreation):
1896         * bytecode/CodeBlock.h:
1897         (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
1898         (JSC::CodeBlock::addConstantBuffer): Deleted.
1899         (JSC::CodeBlock::constantBufferAsVector): Deleted.
1900         (JSC::CodeBlock::constantBuffer): Deleted.
1901         * bytecode/UnlinkedCodeBlock.cpp:
1902         (JSC::UnlinkedCodeBlock::shrinkToFit):
1903         * bytecode/UnlinkedCodeBlock.h:
1904         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
1905         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
1906         (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
1907         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
1908         * bytecompiler/BytecodeGenerator.cpp:
1909         (JSC::BytecodeGenerator::emitNewArray):
1910         (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
1911         * bytecompiler/BytecodeGenerator.h:
1912         * dfg/DFGByteCodeParser.cpp:
1913         (JSC::DFG::ByteCodeParser::parseBlock):
1914         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1915         (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
1916         (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
1917         (JSC::DFG::ConstantBufferKey::hash const): Deleted.
1918         (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
1919         (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
1920         (JSC::DFG::ConstantBufferKey::index const): Deleted.
1921         (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
1922         (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
1923         * dfg/DFGClobberize.h:
1924         (JSC::DFG::clobberize):
1925         * dfg/DFGGraph.cpp:
1926         (JSC::DFG::Graph::dump):
1927         * dfg/DFGGraph.h:
1928         * dfg/DFGNode.h:
1929         (JSC::DFG::Node::hasNewArrayBufferData):
1930         (JSC::DFG::Node::newArrayBufferData):
1931         (JSC::DFG::Node::hasVectorLengthHint):
1932         (JSC::DFG::Node::vectorLengthHint):
1933         (JSC::DFG::Node::indexingType):
1934         (JSC::DFG::Node::hasCellOperand):
1935         (JSC::DFG::Node::OpInfoWrapper::operator=):
1936         (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
1937         (JSC::DFG::Node::hasConstantBuffer): Deleted.
1938         (JSC::DFG::Node::startConstant): Deleted.
1939         (JSC::DFG::Node::numConstants): Deleted.
1940         * dfg/DFGOperations.cpp:
1941         * dfg/DFGOperations.h:
1942         * dfg/DFGSpeculativeJIT.h:
1943         (JSC::DFG::SpeculativeJIT::callOperation):
1944         * dfg/DFGSpeculativeJIT32_64.cpp:
1945         (JSC::DFG::SpeculativeJIT::compile):
1946         * dfg/DFGSpeculativeJIT64.cpp:
1947         (JSC::DFG::SpeculativeJIT::compile):
1948         * ftl/FTLLowerDFGToB3.cpp:
1949         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1950         * jit/JIT.cpp:
1951         (JSC::JIT::privateCompileMainPass):
1952         * jit/JIT.h:
1953         * jit/JITOpcodes.cpp:
1954         (JSC::JIT::emit_op_new_array_buffer): Deleted.
1955         * jit/JITOperations.cpp:
1956         * jit/JITOperations.h:
1957         * llint/LLIntSlowPaths.cpp:
1958         * llint/LLIntSlowPaths.h:
1959         * llint/LowLevelInterpreter.asm:
1960         * runtime/CommonSlowPaths.cpp:
1961         (JSC::SLOW_PATH_DECL):
1962         * runtime/CommonSlowPaths.h:
1963         * runtime/JSFixedArray.cpp:
1964         (JSC::JSFixedArray::dumpToStream):
1965         * runtime/JSFixedArray.h:
1966         (JSC::JSFixedArray::create):
1967         (JSC::JSFixedArray::get const):
1968         (JSC::JSFixedArray::set):
1969         (JSC::JSFixedArray::buffer const):
1970         (JSC::JSFixedArray::values const):
1971         (JSC::JSFixedArray::length const):
1972         (JSC::JSFixedArray::get): Deleted.
1973
1974 2017-11-30  JF Bastien  <jfbastien@apple.com>
1975
1976         WebAssembly: improve stack trace
1977         https://bugs.webkit.org/show_bug.cgi?id=179343
1978
1979         Reviewed by Saam Barati.
1980
1981         Stack traces now include:
1982
1983           - Module name, if provided by the name section.
1984           - Module SHA1 hash if no name was provided
1985           - Stub identification, to differentiate from user code
1986           - Slightly different naming to match design from:
1987               https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
1988
1989         * interpreter/StackVisitor.cpp:
1990         (JSC::StackVisitor::Frame::functionName const):
1991         * runtime/StackFrame.cpp:
1992         (JSC::StackFrame::functionName const):
1993         (JSC::StackFrame::visitChildren):
1994         * wasm/WasmIndexOrName.cpp:
1995         (JSC::Wasm::IndexOrName::IndexOrName):
1996         (JSC::Wasm::makeString):
1997         * wasm/WasmIndexOrName.h:
1998         (JSC::Wasm::IndexOrName::nameSection const):
1999         * wasm/WasmModuleInformation.cpp:
2000         (JSC::Wasm::ModuleInformation::ModuleInformation):
2001         * wasm/WasmModuleInformation.h:
2002         * wasm/WasmNameSection.h:
2003         (JSC::Wasm::NameSection::NameSection):
2004         (JSC::Wasm::NameSection::get):
2005         * wasm/WasmNameSectionParser.cpp:
2006         (JSC::Wasm::NameSectionParser::parse):
2007
2008 2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>
2009
2010         Make LegacyCustomProtocolManager optional for network process
2011         https://bugs.webkit.org/show_bug.cgi?id=176230
2012
2013         Reviewed by Alex Christensen.
2014
2015         * Configurations/FeatureDefines.xcconfig:
2016
2017 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2018
2019         [JSC] Remove easy toRemove & map.remove() use in OAS phase
2020         https://bugs.webkit.org/show_bug.cgi?id=180208
2021
2022         Reviewed by Mark Lam.
2023
2024         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf
2025         to optimize this common pattern. This patch only modifies the apparent ones,
2026         but we can apply this refactoring further to the OAS phase in the future.
2027
2028         One thing we should take care of is that the predicate of removeIf should not touch
2029         the set it is removing from. In this patch, we apply this change to (1) the apparently
2030         correct ones and (2) things in the DFG OAS phase, since it is very slow.
2031
2032         * b3/B3MoveConstants.cpp:
2033         * dfg/DFGObjectAllocationSinkingPhase.cpp:
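
Why the removeIf predicate must not consult the container being pruned, as an added illustration (not WebKit code, and not WTF's removeIf): a toy map of parent links is pruned with an erase-while-iterating removeIf, assumed here to model the hazard the rollout describes, versus the collect-then-remove pattern the patch replaced. Because the predicate inspects the map, the two disagree on what gets removed.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <vector>

// Erase-while-iterating removeIf: the predicate runs against a container that
// is already missing the entries removed earlier in the same pass. (Assumed
// here to model the hazard the rollout describes; this is not WTF's removeIf.)
template <typename Map, typename Predicate>
size_t removeIfInPlace(Map& map, Predicate shouldRemove)
{
    size_t removed = 0;
    for (auto it = map.begin(); it != map.end();) {
        if (shouldRemove(*it)) {
            it = map.erase(it);
            ++removed;
        } else
            ++it;
    }
    return removed;
}

// The Vector<> toRemove + map.remove() pattern the patch replaced: every
// predicate call observes the untouched map, then removals happen in bulk.
template <typename Map, typename Predicate>
size_t removeIfTwoPhase(Map& map, Predicate shouldRemove)
{
    std::vector<typename Map::key_type> toRemove;
    for (const auto& entry : map) {
        if (shouldRemove(entry))
            toRemove.push_back(entry.first);
    }
    for (const auto& key : toRemove)
        map.erase(key);
    return toRemove.size();
}

// Constructed sample: node -> parent. "a" points at a parent that does not exist.
using ParentMap = std::map<std::string, std::string>;

ParentMap sampleParents()
{
    return { { "a", "root" }, { "b", "a" }, { "c", "b" } };
}

// Predicate that touches the map being pruned: "remove me if my parent is gone".
// In-place: removing "a" makes "b" an orphan mid-pass, which orphans "c" in turn,
// so the whole chain disappears.
ParentMap pruneInPlace()
{
    ParentMap parents = sampleParents();
    removeIfInPlace(parents, [&parents](const ParentMap::value_type& entry) {
        return parents.count(entry.second) == 0;
    });
    return parents;
}

// Two-phase: every entry is judged against the original map, so only "a" goes.
ParentMap pruneTwoPhase()
{
    ParentMap parents = sampleParents();
    removeIfTwoPhase(parents, [&parents](const ParentMap::value_type& entry) {
        return parents.count(entry.second) == 0;
    });
    return parents;
}
```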
2034
2035 2017-11-30  Commit Queue  <commit-queue@webkit.org>
2036
2037         Unreviewed, rolling out r225362.
2038         https://bugs.webkit.org/show_bug.cgi?id=180225
2039
2040         removeIf predicate function can touch remove target set
2041         (Requested by yusukesuzuki on #webkit).
2042
2043         Reverted changeset:
2044
2045         "[JSC] Remove easy toRemove & map.remove() use"
2046         https://bugs.webkit.org/show_bug.cgi?id=180208
2047         https://trac.webkit.org/changeset/225362
2048
2049 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2050
2051         [JSC] Use AllocatorIfExists for MaterializeNewObject
2052         https://bugs.webkit.org/show_bug.cgi?id=180189
2053
2054         Reviewed by Filip Pizlo.
2055
2056         I don't think anyone guarantees that this allocator exists at this phase,
2057         and a nullptr allocator just works here. We change AllocatorForMode
2058         to AllocatorIfExists to accept nullptr for the allocator.
2059
2060         * ftl/FTLLowerDFGToB3.cpp:
2061         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2062
2063 2017-11-30  Mark Lam  <mark.lam@apple.com>
2064
2065         Let's scramble MacroAssemblerCodePtr values.
2066         https://bugs.webkit.org/show_bug.cgi?id=180169
2067         <rdar://problem/35758340>
2068
2069         Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
2070
2071         1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
2072
2073         2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
2074            template argument type that will be used to cast the result.  This makes the
2075            client code that uses these functions a little less verbose.
2076
2077         3. Change the code base in general to minimize passing void* code pointers around.
2078            We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
2079            at the last moment when we need the underlying code pointer.
2080
2081         4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
2082            default.  I'm leaving them in because they are instrumental in finding bugs
2083            where not all MacroAssemblerCodePtr values were scrambled as expected.
2084            I expect them to be useful in the near future as we add more scrambling.
2085
2086         5. Also disable the casting operator on MacroAssemblerCodePtr (except for
2087            explicit casts to a boolean).  This ensures that clients will always explicitly
2088            use scrambledBits() or executableAddress() to get a value based on which value
2089            they actually need.
2090
2091         6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
2092            This was helpful when debugging tests that ran multiple VMs concurrently on
2093            different threads.
2094
2095         MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
2096         CLoop).  It is not yet supported in 32-bit and Windows because we don't
2097         currently have a way to read a global variable from their LLInt code.
2098
2099         * assembler/AbstractMacroAssembler.h:
2100         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
2101         (JSC::AbstractMacroAssembler::linkPointer):
2102         * assembler/CodeLocation.h:
2103         (JSC::CodeLocationCommon::instructionAtOffset):
2104         (JSC::CodeLocationCommon::labelAtOffset):
2105         (JSC::CodeLocationCommon::jumpAtOffset):
2106         (JSC::CodeLocationCommon::callAtOffset):
2107         (JSC::CodeLocationCommon::nearCallAtOffset):
2108         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
2109         (JSC::CodeLocationCommon::dataLabel32AtOffset):
2110         (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
2111         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
2112         * assembler/LinkBuffer.cpp:
2113         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2114         * assembler/LinkBuffer.h:
2115         (JSC::LinkBuffer::link):
2116         (JSC::LinkBuffer::patch):
2117         * assembler/MacroAssemblerCodeRef.cpp:
2118         (JSC::MacroAssemblerCodePtr::initialize):
2119         * assembler/MacroAssemblerCodeRef.h:
2120         (JSC::FunctionPtr::FunctionPtr):
2121         (JSC::FunctionPtr::value const):
2122         (JSC::FunctionPtr::executableAddress const):
2123         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2124         (JSC::ReturnAddressPtr::value const):
2125         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2126         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2127         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2128         (JSC::MacroAssemblerCodePtr:: const):
2129         (JSC::MacroAssemblerCodePtr::operator! const):
2130         (JSC::MacroAssemblerCodePtr::operator bool const):
2131         (JSC::MacroAssemblerCodePtr::operator== const):
2132         (JSC::MacroAssemblerCodePtr::hash const):
2133         (JSC::MacroAssemblerCodePtr::emptyValue):
2134         (JSC::MacroAssemblerCodePtr::deletedValue):
2135         (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
2136         (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
2137         * b3/B3LowerMacros.cpp:
2138         * b3/testb3.cpp:
2139         (JSC::B3::testInterpreter):
2140         * dfg/DFGDisassembler.cpp:
2141         (JSC::DFG::Disassembler::dumpDisassembly):
2142         * dfg/DFGJITCompiler.cpp:
2143         (JSC::DFG::JITCompiler::link):
2144         (JSC::DFG::JITCompiler::compileFunction):
2145         * dfg/DFGOperations.cpp:
2146         * dfg/DFGSpeculativeJIT.cpp:
2147         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2148         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2149         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
2150         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2151         * dfg/DFGSpeculativeJIT.h:
2152         * disassembler/Disassembler.cpp:
2153         (JSC::disassemble):
2154         * disassembler/UDis86Disassembler.cpp:
2155         (JSC::tryToDisassembleWithUDis86):
2156         * ftl/FTLCompile.cpp:
2157         (JSC::FTL::compile):
2158         * ftl/FTLJITCode.cpp:
2159         (JSC::FTL::JITCode::executableAddressAtOffset):
2160         * ftl/FTLLink.cpp:
2161         (JSC::FTL::link):
2162         * ftl/FTLLowerDFGToB3.cpp:
2163         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
2164         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2165         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2166         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2167         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2168         * interpreter/InterpreterInlines.h:
2169         (JSC::Interpreter::getOpcodeID):
2170         * jit/JITArithmetic.cpp:
2171         (JSC::JIT::emitMathICFast):
2172         (JSC::JIT::emitMathICSlow):
2173         * jit/JITCode.cpp:
2174         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2175         (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
2176         (JSC::JITCodeWithCodeRef::offsetOf):
2177         * jit/JITDisassembler.cpp:
2178         (JSC::JITDisassembler::dumpDisassembly):
2179         * jit/PCToCodeOriginMap.cpp:
2180         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
2181         * jit/Repatch.cpp:
2182         (JSC::ftlThunkAwareRepatchCall):
2183         * jit/ThunkGenerators.cpp:
2184         (JSC::virtualThunkFor):
2185         (JSC::boundThisNoArgsFunctionCallGenerator):
2186         * llint/LLIntSlowPaths.cpp:
2187         (JSC::LLInt::llint_trace_operand):
2188         (JSC::LLInt::llint_trace_value):
2189         (JSC::LLInt::handleHostCall):
2190         (JSC::LLInt::setUpCall):
2191         * llint/LowLevelInterpreter64.asm:
2192         * offlineasm/cloop.rb:
2193         * runtime/InitializeThreading.cpp:
2194         (JSC::initializeThreading):
2195         * wasm/WasmBBQPlan.cpp:
2196         (JSC::Wasm::BBQPlan::complete):
2197         * wasm/WasmCallee.h:
2198         (JSC::Wasm::Callee::entrypoint const):
2199         * wasm/WasmCodeBlock.cpp:
2200         (JSC::Wasm::CodeBlock::CodeBlock):
2201         * wasm/WasmOMGPlan.cpp:
2202         (JSC::Wasm::OMGPlan::work):
2203         * wasm/js/WasmToJS.cpp:
2204         (JSC::Wasm::wasmToJS):
2205         * wasm/js/WebAssemblyFunction.cpp:
2206         (JSC::callWebAssemblyFunction):
2207         * wasm/js/WebAssemblyFunction.h:
2208         * wasm/js/WebAssemblyWrapperFunction.cpp:
2209         (JSC::WebAssemblyWrapperFunction::create):
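
A simplified sketch of the scrambled code pointer described in points 1, 2 and 5 above, added here as an illustration (constructed for this entry; it is not WebKit's ScrambledPtr or MacroAssemblerCodePtr). The class name, the fixed key and the helper functions are assumptions: the stored bits are the address XORed with a per-process key, the typed executableAddress<T>() is the only way to descramble, and the only conversion offered is an explicit bool.

```cpp
#include <cstdint>

// Hypothetical stand-in for the ScrambledPtr that MacroAssemblerCodePtr now
// stores (constructed for this example; not WebKit's class). The raw code
// address never sits in memory in the clear: it is XORed with a per-process
// key and descrambled only at the point of use.
namespace toy {

// A real build would draw this key from a CSPRNG at startup and keep it in a
// hard-to-reach global; a fixed value keeps this example deterministic.
inline uintptr_t scrambleKey() { return static_cast<uintptr_t>(0x5A5A1234F00DCAFEull); }

class ScrambledCodePtr {
public:
    ScrambledCodePtr() = default;

    // Scramble on the way in (the analogue of createFromExecutableAddress()).
    static ScrambledCodePtr createFromExecutableAddress(const void* raw)
    {
        ScrambledCodePtr ptr;
        uintptr_t bits = reinterpret_cast<uintptr_t>(raw);
        ptr.m_scrambledBits = bits ? (bits ^ scrambleKey()) : 0; // null stays null
        return ptr;
    }

    // The template argument is the pointer type the caller wants back, so no
    // void* code pointer travels through client code.
    template <typename T>
    T executableAddress() const
    {
        return reinterpret_cast<T>(m_scrambledBits ? (m_scrambledBits ^ scrambleKey()) : 0);
    }

    // What clients may use without descrambling: hashing, equality, logging.
    uintptr_t scrambledBits() const { return m_scrambledBits; }

    // Only an explicit boolean conversion; anything else must name
    // scrambledBits() or executableAddress<T>() so the intent is visible.
    explicit operator bool() const { return m_scrambledBits != 0; }
    bool operator==(const ScrambledCodePtr& other) const { return m_scrambledBits == other.m_scrambledBits; }
    bool operator!=(const ScrambledCodePtr& other) const { return !(*this == other); }

private:
    uintptr_t m_scrambledBits { 0 };
};

// A stable address standing in for a JIT code location (constructed sample).
const void* sampleCodeLocation()
{
    static int stubByte;
    return &stubByte;
}

// Descrambling gives back exactly the address that was scrambled.
bool roundTrips(const void* raw)
{
    return ScrambledCodePtr::createFromExecutableAddress(raw).executableAddress<const void*>() == raw;
}

// The bits actually held in the object are not the raw address.
bool storedBitsDiffer(const void* raw)
{
    return ScrambledCodePtr::createFromExecutableAddress(raw).scrambledBits() != reinterpret_cast<uintptr_t>(raw);
}

} // namespace toy
```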
2210
2211 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2212
2213         [JSC] Remove easy toRemove & map.remove() use
2214         https://bugs.webkit.org/show_bug.cgi?id=180208
2215
2216         Reviewed by Mark Lam.
2217
2218         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf
2219         to optimize this common pattern. This patch only modifies the apparent ones,
2220         but we can apply this refactoring further to the OAS phase in the future.
2221
2222         * b3/B3MoveConstants.cpp:
2223         * dfg/DFGArgumentsEliminationPhase.cpp:
2224         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2225         * wasm/WasmSignature.cpp:
2226         (JSC::Wasm::SignatureInformation::tryCleanup):
2227
2228 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2229
2230         [JSC] Use getEffectiveAddress more in JSC
2231         https://bugs.webkit.org/show_bug.cgi?id=180154
2232
2233         Reviewed by Mark Lam.
2234
2235         We can use MacroAssembler::getEffectiveAddress for stack height calculation.
2236         And we also add MacroAssembler::negPtr(src, dest) variation.
2237
2238         * assembler/MacroAssembler.h:
2239         (JSC::MacroAssembler::negPtr):
2240         * assembler/MacroAssemblerARM.h:
2241         (JSC::MacroAssemblerARM::neg32):
2242         * assembler/MacroAssemblerARM64.h:
2243         (JSC::MacroAssemblerARM64::neg32):
2244         (JSC::MacroAssemblerARM64::neg64):
2245         * assembler/MacroAssemblerARMv7.h:
2246         (JSC::MacroAssemblerARMv7::neg32):
2247         * assembler/MacroAssemblerMIPS.h:
2248         (JSC::MacroAssemblerMIPS::neg32):
2249         * assembler/MacroAssemblerX86Common.h:
2250         (JSC::MacroAssemblerX86Common::neg32):
2251         * assembler/MacroAssemblerX86_64.h:
2252         (JSC::MacroAssemblerX86_64::neg64):
2253         * dfg/DFGThunks.cpp:
2254         (JSC::DFG::osrEntryThunkGenerator):
2255         * ftl/FTLLowerDFGToB3.cpp:
2256         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2257         * jit/SetupVarargsFrame.cpp:
2258         (JSC::emitSetVarargsFrame):
2259
2260 2017-11-30  Mark Lam  <mark.lam@apple.com>
2261
2262         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2263         https://bugs.webkit.org/show_bug.cgi?id=180219
2264         <rdar://problem/35696536>
2265
2266         Reviewed by Filip Pizlo.
2267
2268         * jsc.cpp:
2269         (functionFlashHeapAccess):
2270
2271 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2272
2273         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2274         https://bugs.webkit.org/show_bug.cgi?id=180190
2275
2276         Reviewed by Mark Lam.
2277
2278         If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
2279         path by calling operationHasIndexedProperty. The problem is that
2280         operationHasIndexedProperty does not account for negative indices: a negative index
2281         was used as a uint32 array index.
2282
2283         In this patch we add a path for negative indices in operationHasIndexedProperty,
2284         and rename it to operationHasIndexedPropertyByInt to make the intention clear.
2285         We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
2286         since it is only used in DFG and FTL.
2287
2288         While fixing this bug, we found that our op_in does not record OutOfBound feedback.
2289         This causes repeated OSR exits and significantly regresses the performance. We opened
2290         a bug to track this issue [1].
2291
2292         [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
2293
2294         * dfg/DFGOperations.cpp:
2295         * dfg/DFGOperations.h:
2296         * dfg/DFGSpeculativeJIT32_64.cpp:
2297         (JSC::DFG::SpeculativeJIT::compile):
2298         * dfg/DFGSpeculativeJIT64.cpp:
2299         (JSC::DFG::SpeculativeJIT::compile):
2300         * ftl/FTLLowerDFGToB3.cpp:
2301         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2302         * jit/JITOperations.cpp:
2303         * jit/JITOperations.h:
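
The signed/unsigned confusion this entry fixes, shown on a toy object as an added example (constructed for this entry; not JSC's JSObject or operationHasIndexedPropertyByInt). The "before" version reinterprets the int32_t as uint32_t and probes an absent array slot; the "after" version sends a negative index down the named-property path, since in JavaScript obj[-1] is the property named "-1".

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Toy stand-in for a JS object (constructed for this example; not JSC's
// JSObject): indexed storage for array-index keys plus named properties.
struct ToyObject {
    std::vector<bool> indexedSlots;             // slot i is populated when true
    std::map<std::string, int> namedProperties; // e.g. obj["-1"]

    bool hasIndexedProperty(uint32_t index) const
    {
        return index < indexedSlots.size() && indexedSlots[index];
    }
    bool hasNamedProperty(const std::string& key) const
    {
        return namedProperties.count(key) != 0;
    }
};

// Before the fix: the int32_t index is reinterpreted as uint32_t, so -1 becomes
// 4294967295 and is probed as an (always absent) array index. The answer for
// an object that really has a "-1" property is therefore wrong.
bool hasIndexedPropertyBefore(const ToyObject& object, int32_t index)
{
    return object.hasIndexedProperty(static_cast<uint32_t>(index));
}

// After the fix (modelled on the described operationHasIndexedPropertyByInt):
// a negative int32 is never an array index in JavaScript; `obj[-1]` is the
// property named "-1", so it takes the named-property path instead.
bool hasIndexedPropertyByInt(const ToyObject& object, int32_t index)
{
    if (index >= 0)
        return object.hasIndexedProperty(static_cast<uint32_t>(index));
    return object.hasNamedProperty(std::to_string(index));
}

// Constructed sample: an array-like object with two elements and a "-1" property.
ToyObject sampleObject()
{
    ToyObject object;
    object.indexedSlots = { true, true };
    object.namedProperties["-1"] = 42;
    return object;
}
```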
2304
2305 2017-11-30  Michael Saboff  <msaboff@apple.com>
2306
2307         Allow JSC command line tool to accept UTF8
2308         https://bugs.webkit.org/show_bug.cgi?id=180205
2309
2310         Reviewed by Keith Miller.
2311
2312         This unifies the UTF8 handling of interactive mode with that of source files.
2313
2314         * jsc.cpp:
2315         (runInteractive):
2316
2317 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2318
2319         REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
2320         https://bugs.webkit.org/show_bug.cgi?id=180185
2321
2322         Reviewed by Carlos Garcia Campos.
2323
2324         After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
2325         But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
2326         can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
2327         And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated yet. But a MakeRope
2328         DFG node can be emitted if we see that an untaken path includes String + String code.
2329
2330         This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
2331         As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
2332         I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
2333         original code used before r225314.
2334
2335         * dfg/DFGSpeculativeJIT.cpp:
2336         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2337         * ftl/FTLLowerDFGToB3.cpp:
2338         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2339
2340 2017-11-28  Filip Pizlo  <fpizlo@apple.com>
2341
2342         CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
2343         https://bugs.webkit.org/show_bug.cgi?id=180108
2344
2345         Reviewed by Saam Barati.
2346         
2347         This was creating a vector of things to remove and then removing them. I think I remember writing
2348         this code, and I did that because at the time we did not have removeAllMatching, which is
2349         definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
2350         obvious improvement before I did more fundamental things to this code.
2351
2352         * heap/CodeBlockSet.cpp:
2353         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2354
2355 2017-11-29  Filip Pizlo  <fpizlo@apple.com>
2356
2357         GC should support isoheaps
2358         https://bugs.webkit.org/show_bug.cgi?id=179288
2359
2360         Reviewed by Saam Barati.
2361         
2362         This expands the power of the Subspace API in JSC:
2363         
2364         - Everything associated with describing the types of objects is now part of the HeapCellType class.
2365           We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
2366           HeapCellType; these are orthogonal things.
2367         
2368         - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
2369           any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
2370           special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
2371           pages but releases the physical pages as part of the respective allocator's scavenging policy
2372           (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
2373           IsoSubspace).
2374         
2375         So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
2376         for more things.
2377         
2378         This does not have any effect on JetStream (0.18% faster with p = 0.69).
2379
2380         * JavaScriptCore.xcodeproj/project.pbxproj:
2381         * Sources.txt:
2382         * bytecode/AccessCase.cpp:
2383         (JSC::AccessCase::generateImpl):
2384         * bytecode/ObjectAllocationProfileInlines.h:
2385         (JSC::ObjectAllocationProfile::initializeProfile):
2386         * dfg/DFGSpeculativeJIT.cpp:
2387         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2388         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2389         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2390         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2391         * dfg/DFGSpeculativeJIT64.cpp:
2392         (JSC::DFG::SpeculativeJIT::compile):
2393         * ftl/FTLAbstractHeapRepository.h:
2394         * ftl/FTLLowerDFGToB3.cpp:
2395         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2396         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2397         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2398         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2399         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2400         * heap/AlignedMemoryAllocator.cpp:
2401         (JSC::AlignedMemoryAllocator::registerAllocator):
2402         (JSC::AlignedMemoryAllocator::registerSubspace):
2403         * heap/AlignedMemoryAllocator.h:
2404         (JSC::AlignedMemoryAllocator::firstAllocator const):
2405         * heap/AllocationFailureMode.h: Added.
2406         * heap/CompleteSubspace.cpp: Added.
2407         (JSC::CompleteSubspace::CompleteSubspace):
2408         (JSC::CompleteSubspace::~CompleteSubspace):
2409         (JSC::CompleteSubspace::allocatorFor):
2410         (JSC::CompleteSubspace::allocate):
2411         (JSC::CompleteSubspace::allocateNonVirtual):
2412         (JSC::CompleteSubspace::allocatorForSlow):
2413         (JSC::CompleteSubspace::allocateSlow):
2414         (JSC::CompleteSubspace::tryAllocateSlow):
2415         * heap/CompleteSubspace.h: Added.
2416         (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
2417         (JSC::CompleteSubspace::allocatorForSizeStep):
2418         (JSC::CompleteSubspace::allocatorForNonVirtual):
2419         * heap/HeapCellType.cpp: Added.
2420         (JSC::HeapCellType::HeapCellType):
2421         (JSC::HeapCellType::~HeapCellType):
2422         (JSC::HeapCellType::finishSweep):
2423         (JSC::HeapCellType::destroy):
2424         * heap/HeapCellType.h: Added.
2425         (JSC::HeapCellType::attributes const):
2426         * heap/IsoAlignedMemoryAllocator.cpp: Added.
2427         (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
2428         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2429         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
2430         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
2431         (JSC::IsoAlignedMemoryAllocator::dump const):
2432         * heap/IsoAlignedMemoryAllocator.h: Added.
2433         * heap/IsoSubspace.cpp: Added.
2434         (JSC::IsoSubspace::IsoSubspace):
2435         (JSC::IsoSubspace::~IsoSubspace):
2436         (JSC::IsoSubspace::allocatorFor):
2437         (JSC::IsoSubspace::allocatorForNonVirtual):
2438         (JSC::IsoSubspace::allocate):
2439         (JSC::IsoSubspace::allocateNonVirtual):
2440         * heap/IsoSubspace.h: Added.
2441         (JSC::IsoSubspace::size const):
2442         * heap/MarkedAllocator.cpp:
2443         (JSC::MarkedAllocator::MarkedAllocator):
2444         (JSC::MarkedAllocator::setSubspace):
2445         (JSC::MarkedAllocator::allocateSlowCase):
2446         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
2447         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
2448         * heap/MarkedAllocator.h:
2449         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
2450         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
2451         * heap/MarkedAllocatorInlines.h:
2452         (JSC::MarkedAllocator::allocate):
2453         (JSC::MarkedAllocator::tryAllocate): Deleted.
2454         * heap/MarkedBlock.h:
2455         * heap/MarkedBlockInlines.h:
2456         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
2457         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
2458         * heap/MarkedSpace.cpp:
2459         (JSC::MarkedSpace::addMarkedAllocator):
2460         * heap/MarkedSpace.h:
2461         * heap/Subspace.cpp:
2462         (JSC::Subspace::Subspace):
2463         (JSC::Subspace::initialize):
2464         (JSC::Subspace::finishSweep):
2465         (JSC::Subspace::destroy):
2466         (JSC::Subspace::prepareForAllocation):
2467         (JSC::Subspace::findEmptyBlockToSteal):
2468         (): Deleted.
2469         (JSC::Subspace::allocate): Deleted.
2470         (JSC::Subspace::tryAllocate): Deleted.
2471         (JSC::Subspace::allocatorForSlow): Deleted.
2472         (JSC::Subspace::allocateSlow): Deleted.
2473         (JSC::Subspace::tryAllocateSlow): Deleted.
2474         (JSC::Subspace::didAllocate): Deleted.
2475         * heap/Subspace.h:
2476         (JSC::Subspace::heapCellType const):
2477         (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
2478         (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
2479         (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
2480         (JSC::Subspace::allocatorForSizeStep): Deleted.
2481         (JSC::Subspace::tryAllocatorFor): Deleted.
2482         (JSC::Subspace::allocatorFor): Deleted.
2483         * jit/AssemblyHelpers.h:
2484         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2485         (JSC::AssemblyHelpers::emitAllocateVariableSized):
2486         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2487         * jit/JITOpcodes.cpp:
2488         (JSC::JIT::emit_op_new_object):
2489         * runtime/ButterflyInlines.h:
2490         (JSC::Butterfly::createUninitialized):
2491         (JSC::Butterfly::tryCreate):
2492         (JSC::Butterfly::growArrayRight):
2493         * runtime/DirectArguments.cpp:
2494         (JSC::DirectArguments::overrideThings):
2495         * runtime/DirectArguments.h:
2496         (JSC::DirectArguments::subspaceFor):
2497         * runtime/DirectEvalExecutable.h:
2498         * runtime/EvalExecutable.h:
2499         * runtime/ExecutableBase.h:
2500         (JSC::ExecutableBase::subspaceFor):
2501         * runtime/FunctionExecutable.h:
2502         * runtime/GenericArgumentsInlines.h:
2503         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
2504         * runtime/HashMapImpl.h:
2505         (JSC::HashMapBuffer::create):
2506         * runtime/IndirectEvalExecutable.h:
2507         * runtime/JSArray.cpp:
2508         (JSC::JSArray::tryCreateUninitializedRestricted):
2509         (JSC::JSArray::unshiftCountSlowCase):
2510         * runtime/JSArray.h:
2511         (JSC::JSArray::tryCreate):
2512         * runtime/JSArrayBufferView.cpp:
2513         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2514         * runtime/JSCell.h:
2515         (JSC::subspaceFor):
2516         * runtime/JSCellInlines.h:
2517         (JSC::JSCell::subspaceFor):
2518         (JSC::tryAllocateCellHelper):
2519         (JSC::allocateCell):
2520         (JSC::tryAllocateCell):
2521         * runtime/JSDestructibleObject.h:
2522         (JSC::JSDestructibleObject::subspaceFor):
2523         * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
2524         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
2525         (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
2526         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
2527         (JSC::JSDestructibleObjectHeapCellType::destroy):
2528         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
2529         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
2530         (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
2531         (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
2532         * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
2533         * runtime/JSDestructibleObjectSubspace.cpp: Removed.
2534         * runtime/JSDestructibleObjectSubspace.h: Removed.
2535         * runtime/JSLexicalEnvironment.h:
2536         (JSC::JSLexicalEnvironment::subspaceFor):
2537         * runtime/JSSegmentedVariableObject.h:
2538         (JSC::JSSegmentedVariableObject::subspaceFor):
2539         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
2540         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
2541         (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
2542         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
2543         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
2544         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
2545         (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
2546         (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
2547         (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
2548         * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
2549         * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
2550         * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
2551         * runtime/JSString.h:
2552         (JSC::JSString::subspaceFor):
2553         * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
2554         (JSC::JSStringHeapCellType::JSStringHeapCellType):
2555         (JSC::JSStringHeapCellType::~JSStringHeapCellType):
2556         (JSC::JSStringHeapCellType::finishSweep):
2557         (JSC::JSStringHeapCellType::destroy):
2558         (JSC::JSStringSubspace::JSStringSubspace): Deleted.
2559         (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
2560         (JSC::JSStringSubspace::finishSweep): Deleted.
2561         (JSC::JSStringSubspace::destroy): Deleted.
2562         * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
2563         * runtime/JSStringSubspace.cpp: Removed.
2564         * runtime/JSStringSubspace.h: Removed.
2565         * runtime/ModuleProgramExecutable.h:
2566         * runtime/NativeExecutable.h:
2567         * runtime/ProgramExecutable.h:
2568         * runtime/RegExpMatchesArray.h:
2569         (JSC::tryCreateUninitializedRegExpMatchesArray):
2570         * runtime/ScopedArguments.h:
2571         (JSC::ScopedArguments::subspaceFor):
2572         * runtime/VM.cpp:
2573         (JSC::VM::VM):
2574         * runtime/VM.h:
2575         (JSC::VM::gigacageAuxiliarySpace):
2576         * wasm/js/JSWebAssemblyCodeBlock.h:
2577         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
2578         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2579         (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
2580         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
2581         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
2582         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
2583         (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
2584         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
2585         (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
2586         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
2587         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
2588         * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
2589         * wasm/js/JSWebAssemblyMemory.h:
2590         (JSC::JSWebAssemblyMemory::subspaceFor):
2591
2592 2017-11-29  Saam Barati  <sbarati@apple.com>
2593
2594         Remove pointer caging for double arrays
2595         https://bugs.webkit.org/show_bug.cgi?id=180163
2596
2597         Reviewed by Mark Lam.
2598
2599         This patch removes pointer caging from double arrays. Like
2600         my previous removals of pointer caging, this is a security vs
2601         performance tradeoff. We believe that butterflies being allocated
2602         in the cage and with a 32GB runway gives us enough security that
2603         pointer caging the butterfly just for double arrays does not add
2604         enough security benefit for the performance hit it incurs.
2605         
2606         This patch also removes the GetButterflyWithoutCaging node and
2607         the FixedButterflyAccessUncaging phase. The node is no longer needed
2608         because now all GetButterfly nodes are not caged. The phase is removed
2609         since we no longer have two nodes.
2610
2611         * dfg/DFGAbstractInterpreterInlines.h:
2612         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2613         * dfg/DFGArgumentsEliminationPhase.cpp:
2614         * dfg/DFGClobberize.h:
2615         (JSC::DFG::clobberize):
2616         * dfg/DFGDoesGC.cpp:
2617         (JSC::DFG::doesGC):
2618         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
2619         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
2620         * dfg/DFGFixupPhase.cpp:
2621         (JSC::DFG::FixupPhase::fixupNode):
2622         * dfg/DFGHeapLocation.cpp:
2623         (WTF::printInternal):
2624         * dfg/DFGHeapLocation.h:
2625         * dfg/DFGNodeType.h:
2626         * dfg/DFGPlan.cpp:
2627         (JSC::DFG::Plan::compileInThreadImpl):
2628         * dfg/DFGPredictionPropagationPhase.cpp:
2629         * dfg/DFGSafeToExecute.h:
2630         (JSC::DFG::safeToExecute):
2631         * dfg/DFGSpeculativeJIT.cpp:
2632         (JSC::DFG::SpeculativeJIT::compileSpread):
2633         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2634         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2635         * dfg/DFGSpeculativeJIT32_64.cpp:
2636         (JSC::DFG::SpeculativeJIT::compile):
2637         * dfg/DFGSpeculativeJIT64.cpp:
2638         (JSC::DFG::SpeculativeJIT::compile):
2639         * dfg/DFGTypeCheckHoistingPhase.cpp:
2640         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2641         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2642         * ftl/FTLCapabilities.cpp:
2643         (JSC::FTL::canCompile):
2644         * ftl/FTLLowerDFGToB3.cpp:
2645         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2646         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2647         * jit/JITPropertyAccess.cpp:
2648         (JSC::JIT::emitDoubleLoad):
2649         (JSC::JIT::emitGenericContiguousPutByVal):
2650         * runtime/Butterfly.h:
2651         (JSC::Butterfly::pointer):
2652         (JSC::Butterfly::contiguousDouble):
2653         (JSC::Butterfly::caged): Deleted.
2654         * runtime/ButterflyInlines.h:
2655         (JSC::Butterfly::createOrGrowPropertyStorage):
2656         * runtime/JSObject.cpp:
2657         (JSC::JSObject::ensureLengthSlow):
2658         (JSC::JSObject::reallocateAndShrinkButterfly):
2659
2660 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
2661
2662         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
2663         https://bugs.webkit.org/show_bug.cgi?id=175447
2664
2665         Reviewed by Carlos Alberto Lopez Perez.
2666
2667         This patch allows DFG JIT to be enabled on MIPS platforms.
2668
2669         * Sources.txt:
2670         * assembler/MIPSAssembler.h:
2671         (JSC::MIPSAssembler::lastSPRegister):
2672         (JSC::MIPSAssembler::numberOfSPRegisters):
2673         (JSC::MIPSAssembler::sprName):
2674         * assembler/MacroAssemblerMIPS.cpp: Added.
2675         (JSC::MacroAssembler::probe):
2676         * assembler/ProbeContext.cpp:
2677         (JSC::Probe::executeProbe):
2678         * assembler/ProbeContext.h:
2679         (JSC::Probe::CPUState::pc):
2680         * assembler/testmasm.cpp:
2681         (JSC::isSpecialGPR):
2682         (JSC::testProbePreservesGPRS):
2683         (JSC::testProbeModifiesStackPointer):
2684         (JSC::testProbeModifiesStackValues):
2685
2686 2017-11-29  Matt Lewis  <jlewis3@apple.com>
2687
2688         Unreviewed, rolling out r225286.
2689
2690         The source files within this patch have been marked as
2691         executable.
2692
2693         Reverted changeset:
2694
2695         "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
2696         https://bugs.webkit.org/show_bug.cgi?id=175447
2697         https://trac.webkit.org/changeset/225286
2698
2699 2017-11-29  Alex Christensen  <achristensen@webkit.org>
2700
2701         Fix Mac CMake build.
2702
2703         * PlatformMac.cmake:
2704
2705 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
2706
2707         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
2708         https://bugs.webkit.org/show_bug.cgi?id=175447
2709
2710         Reviewed by Carlos Alberto Lopez Perez.
2711
2712         This patch allows DFG JIT to be enabled on MIPS platforms.
2713
2714         * Sources.txt:
2715         * assembler/MIPSAssembler.h:
2716         (JSC::MIPSAssembler::lastSPRegister):
2717         (JSC::MIPSAssembler::numberOfSPRegisters):
2718         (JSC::MIPSAssembler::sprName):
2719         * assembler/MacroAssemblerMIPS.cpp: Added.
2720         (JSC::MacroAssembler::probe):
2721         * assembler/ProbeContext.cpp:
2722         (JSC::Probe::executeProbe):
2723         * assembler/ProbeContext.h:
2724         (JSC::Probe::CPUState::pc):
2725         * assembler/testmasm.cpp:
2726         (JSC::isSpecialGPR):
2727         (JSC::testProbePreservesGPRS):
2728         (JSC::testProbeModifiesStackPointer):
2729         (JSC::testProbeModifiesStackValues):
2730
2731 2017-11-28  JF Bastien  <jfbastien@apple.com>
2732
2733         Strict and sloppy functions shouldn't share structure
2734         https://bugs.webkit.org/show_bug.cgi?id=180103
2735         <rdar://problem/35667847>
2736
2737         Reviewed by Saam Barati.
2738
2739         Sloppy and strict functions don't act the same when it comes to
2740         arguments, caller, and callee. Sharing a structure means that
2741         anything that is cached gets shared, and that's incorrect.
2742
2743         * dfg/DFGAbstractInterpreterInlines.h:
2744         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2745         * dfg/DFGSpeculativeJIT.cpp:
2746         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2747         * ftl/FTLLowerDFGToB3.cpp:
2748         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2749         * runtime/FunctionConstructor.cpp:
2750         (JSC::constructFunctionSkippingEvalEnabledCheck):
2751         * runtime/JSFunction.cpp:
2752         (JSC::JSFunction::create): the second ::create is always strict
2753         because it applies to native functions.
2754         * runtime/JSFunctionInlines.h:
2755         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2756         * runtime/JSGlobalObject.cpp:
2757         (JSC::JSGlobalObject::init):
2758         (JSC::JSGlobalObject::visitChildren):
2759         * runtime/JSGlobalObject.h:
2760         (JSC::JSGlobalObject::strictFunctionStructure const):
2761         (JSC::JSGlobalObject::sloppyFunctionStructure const):
2762         (JSC::JSGlobalObject::nativeStdFunctionStructure const):
2763         (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
2764         (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.
2765
2766 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2767
2768         [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
2769         https://bugs.webkit.org/show_bug.cgi?id=180070
2770
2771         Reviewed by Saam Barati.
2772
2773         This patch adds getEffectiveAddress in all JIT platforms.
2774         This is an abstracted version of x86 lea.
2775
2776         We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.
2777
2778         * assembler/MacroAssemblerARM.h:
2779         (JSC::MacroAssemblerARM::getEffectiveAddress):
2780         * assembler/MacroAssemblerARM64.h:
2781         (JSC::MacroAssemblerARM64::getEffectiveAddress):
2782         (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
2783         * assembler/MacroAssemblerARMv7.h:
2784         (JSC::MacroAssemblerARMv7::getEffectiveAddress):
2785         * assembler/MacroAssemblerMIPS.h:
2786         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
2787         * assembler/MacroAssemblerX86.h:
2788         (JSC::MacroAssemblerX86::getEffectiveAddress):
2789         * assembler/MacroAssemblerX86_64.h:
2790         (JSC::MacroAssemblerX86_64::getEffectiveAddress):
2791         (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
2792         * assembler/testmasm.cpp:
2793         (JSC::testGetEffectiveAddress):
2794         (JSC::run):
2795         * dfg/DFGSpeculativeJIT.cpp:
2796         (JSC::DFG::SpeculativeJIT::compileArrayPush):
2797         * yarr/YarrJIT.cpp:
2798         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
2799         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
2800
2801 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2802
2803         The recursive tail call optimisation is wrong on closures
2804         https://bugs.webkit.org/show_bug.cgi?id=179835
2805
2806         Reviewed by Saam Barati.
2807
2808         The problem is that we only check the executable of the callee, not whatever variables might have been captured.
2809         As a stopgap measure this patch just does not do the optimisation for closures.
2810
2811         * dfg/DFGByteCodeParser.cpp:
2812         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2813
2814 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
2815
2816         Web Inspector: Cleanup Inspector classes be more consistent about using fast malloc / noncopyable
2817         https://bugs.webkit.org/show_bug.cgi?id=180119
2818
2819         Reviewed by Devin Rousso.
2820
2821         * inspector/InjectedScriptManager.h:
2822         * inspector/JSGlobalObjectScriptDebugServer.h:
2823         * inspector/agents/InspectorHeapAgent.h:
2824         * inspector/agents/InspectorRuntimeAgent.h:
2825         * inspector/agents/InspectorScriptProfilerAgent.h:
2826         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2827
2828 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
2829
2830         ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
2831         https://bugs.webkit.org/show_bug.cgi?id=179642
2832         <rdar://problem/35517704>
2833
2834         Reviewed by Brian Burg.
2835
2836         * inspector/protocol/Network.json:
2837         Expose the NetworkAgent for a Service Worker inspector.
2838
2839 2017-11-28  Brian Burg  <bburg@apple.com>
2840
2841         [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
2842         https://bugs.webkit.org/show_bug.cgi?id=179696
2843
2844         Reviewed by Timothy Hatcher.
2845
2846         * inspector/scripts/codegen/generate_objc_header.py:
2847         (ObjCHeaderGenerator._generate_type_interface):
2848         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2849         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
2850         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
2851         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
2852         * inspector/scripts/codegen/objc_generator.py:
2853         (ObjCGenerator.protocol_type_for_raw_name):
2854         (ObjCGenerator.objc_protocol_export_expression_for_variable):
2855         (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
2856         (ObjCGenerator.objc_protocol_import_expression_for_variable):
2857         (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
2858         (ObjCGenerator.objc_to_protocol_expression_for_member.is):
2859         (ObjCGenerator.objc_to_protocol_expression_for_member):
2860         (ObjCGenerator.protocol_to_objc_expression_for_member.is):
2861         (ObjCGenerator.protocol_to_objc_expression_for_member):
2862         (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
2863         (ObjCGenerator.objc_setter_method_for_member_internal):
2864         (ObjCGenerator.objc_getter_method_for_member_internal):
2865         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2866         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2867         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2868         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2869         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2870         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2871         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2872         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2873         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2874         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2875
2876 2017-11-27  JF Bastien  <jfbastien@apple.com>
2877
2878         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2879         https://bugs.webkit.org/show_bug.cgi?id=180051
2880         <rdar://problem/35614371>
2881
2882         Reviewed by Saam Barati.
2883
2884         Checking for int32 isn't sufficient when uint32 is expected
2885         afterwards. While we're here, also use Checked<>.
2886
2887         * dfg/DFGAbstractInterpreterInlines.h:
2888         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2889
2890 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
2891
2892         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
2893         https://bugs.webkit.org/show_bug.cgi?id=173793
2894
2895         Reviewed by Joseph Pecoraro.
2896
2897         Based on patch by Brian Burg.
2898
2899         * JavaScriptCore.xcodeproj/project.pbxproj:
2900         * Sources.txt:
2901         * bindings/ScriptValue.cpp:
2902         (Inspector::jsToInspectorValue):
2903         (Inspector::toInspectorValue):
2904         (Deprecated::ScriptValue::toInspectorValue const):
2905         * bindings/ScriptValue.h:
2906         * inspector/AsyncStackTrace.cpp:
2907         * inspector/ConsoleMessage.cpp:
2908         * inspector/ContentSearchUtilities.cpp:
2909         * inspector/DeprecatedInspectorValues.cpp: Added.
2910         * inspector/DeprecatedInspectorValues.h: Added.
2911         Keep the old symbols around in JavaScriptCore so that builds with the
2912         public iOS SDK continue to work. These older SDKs include a version of
2913         WebInspector.framework that expects to find InspectorArray and other
2914         symbols in JavaScriptCore.framework.
2915
2916         * inspector/InjectedScript.cpp:
2917         (Inspector::InjectedScript::getFunctionDetails):
2918         (Inspector::InjectedScript::functionDetails):
2919         (Inspector::InjectedScript::getPreview):
2920         (Inspector::InjectedScript::getProperties):
2921         (Inspector::InjectedScript::getDisplayableProperties):
2922         (Inspector::InjectedScript::getInternalProperties):
2923         (Inspector::InjectedScript::getCollectionEntries):
2924         (Inspector::InjectedScript::saveResult):
2925         (Inspector::InjectedScript::wrapCallFrames const):
2926         (Inspector::InjectedScript::wrapObject const):
2927         (Inspector::InjectedScript::wrapTable const):
2928         (Inspector::InjectedScript::previewValue const):
2929         (Inspector::InjectedScript::setExceptionValue):
2930         (Inspector::InjectedScript::clearExceptionValue):
2931         (Inspector::InjectedScript::inspectObject):
2932         (Inspector::InjectedScript::releaseObject):
2933         * inspector/InjectedScriptBase.cpp:
2934         (Inspector::InjectedScriptBase::makeCall):
2935         (Inspector::InjectedScriptBase::makeEvalCall):
2936         * inspector/InjectedScriptBase.h:
2937         * inspector/InjectedScriptManager.cpp:
2938         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2939         * inspector/InspectorBackendDispatcher.cpp:
2940         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
2941         (Inspector::BackendDispatcher::dispatch):
2942         (Inspector::BackendDispatcher::sendResponse):
2943         (Inspector::BackendDispatcher::sendPendingErrors):
2944         (Inspector::BackendDispatcher::getPropertyValue):
2945         (Inspector::castToInteger):
2946         (Inspector::castToNumber):
2947         (Inspector::BackendDispatcher::getInteger):
2948         (Inspector::BackendDispatcher::getDouble):
2949         (Inspector::BackendDispatcher::getString):
2950         (Inspector::BackendDispatcher::getBoolean):
2951         (Inspector::BackendDispatcher::getObject):
2952         (Inspector::BackendDispatcher::getArray):
2953         (Inspector::BackendDispatcher::getValue):
2954         * inspector/InspectorBackendDispatcher.h:
2955         We need to keep around the sendResponse() variant with a parameter that
2956         has the InspectorObject type, as older WebInspector.framework versions
2957         expect this symbol to exist. Introduce a variant with arity 3 that can
2958         be used in TOT so as to avoid having two methods with the same name, arity, and
2959         different parameter types.
2960
2961         When system WebInspector.framework is updated, we can remove the legacy
2962         method variant that uses the InspectorObject type. At that point, we can
2963         transition TOT to use the 2-arity variant, and delete the 3-arity variant
2964         when system WebInspector.framework is updated once more to use the 2-arity one.
2965
2966         * inspector/InspectorProtocolTypes.h:
2967         (Inspector::Protocol::Array::openAccessors):
2968         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
2969         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
2970         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
2971         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
2972         * inspector/ScriptCallFrame.cpp:
2973         * inspector/ScriptCallStack.cpp:
2974         * inspector/agents/InspectorAgent.cpp:
2975         (Inspector::InspectorAgent::inspect):
2976         * inspector/agents/InspectorAgent.h:
2977         * inspector/agents/InspectorDebuggerAgent.cpp:
2978         (Inspector::buildAssertPauseReason):
2979         (Inspector::buildCSPViolationPauseReason):
2980         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
2981         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
2982         (Inspector::buildObjectForBreakpointCookie):
2983         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
2984         (Inspector::parseLocation):
2985         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2986         (Inspector::InspectorDebuggerAgent::setBreakpoint):
2987         (Inspector::InspectorDebuggerAgent::continueToLocation):
2988         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2989         (Inspector::InspectorDebuggerAgent::didParseSource):
2990         (Inspector::InspectorDebuggerAgent::breakProgram):
2991         * inspector/agents/InspectorDebuggerAgent.h:
2992         * inspector/agents/InspectorRuntimeAgent.cpp:
2993         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2994         (Inspector::InspectorRuntimeAgent::saveResult):
2995         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2996         * inspector/agents/InspectorRuntimeAgent.h:
2997         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2998         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2999         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3000         (CppBackendDispatcherImplementationGenerator.generate_output):
3001         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3002         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3003         (CppFrontendDispatcherHeaderGenerator.generate_output):
3004         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3005         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3006         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3007         (_generate_unchecked_setter_for_member):
3008         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3009         (CppProtocolTypesImplementationGenerator):
3010         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3011         (ObjCBackendDispatcherImplementationGenerator.generate_output):
3012         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3013         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3014         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
3015         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3016         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3017         * inspector/scripts/codegen/generate_objc_internal_header.py:
3018         (ObjCInternalHeaderGenerator.generate_output):
3019         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3020         (ObjCProtocolTypesImplementationGenerator.generate_output):
3021         * inspector/scripts/codegen/generator.py:
3022         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3023         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3024         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3025         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3026         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3027         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3028         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3029         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3030         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3031         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3032         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3033         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3034         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3035         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3036         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3037         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3038         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3039         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3040         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3041         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3042
3043 2017-11-28  Robin Morisset  <rmorisset@apple.com>
3044
3045         Support recursive tail call optimization for polymorphic calls
3046         https://bugs.webkit.org/show_bug.cgi?id=178390
3047
3048         Reviewed by Saam Barati.
3049
3050         Comes with a large but fairly simple refactoring: the inlining path for varargs and non-varargs calls now converge a lot later,
3051         eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
3052
3053         Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
3054
3055         * dfg/DFGByteCodeParser.cpp:
3056         (JSC::DFG::ByteCodeParser::handleCall):
3057         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3058         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3059         (JSC::DFG::ByteCodeParser::inlineCall):
3060         (JSC::DFG::ByteCodeParser::handleCallVariant):
3061         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
3062         (JSC::DFG::ByteCodeParser::getInliningBalance):
3063         (JSC::DFG::ByteCodeParser::handleInlining):
3064         (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
3065
3066 2017-11-27  Saam Barati  <sbarati@apple.com>
3067
3068         Spread can escape when CreateRest does not
3069         https://bugs.webkit.org/show_bug.cgi?id=180057
3070         <rdar://problem/35676119>
3071
3072         Reviewed by JF Bastien.
3073
3074         We previously did not handle Spread(PhantomCreateRest) only because I did not
3075         think it was possible to generate this IR. I was wrong. We can generate
3076         such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
3077         This IR is rare to generate since we normally don't PutStack(Spread) because
3078         the SetLocal almost always gets eliminated because of how our bytecode generates
3079         op_spread. However, there exists a test case showing it is possible. Supporting
3080         this IR pattern in FTLLower is trivial. This patch implements it and rewrites
3081         the Validation rule for Spread.
3082
3083         * dfg/DFGOperations.cpp:
3084         * dfg/DFGOperations.h:
3085         * dfg/DFGValidate.cpp:
3086         * ftl/FTLLowerDFGToB3.cpp:
3087         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3088         * runtime/JSFixedArray.h:
3089         (JSC::JSFixedArray::tryCreate):
3090
3091 2017-11-27  Don Olmstead  <don.olmstead@sony.com>
3092
3093         [CMake][Win] Conditionally select DLL CRT or static CRT
3094         https://bugs.webkit.org/show_bug.cgi?id=170594
3095
3096         Reviewed by Alex Christensen.
3097
3098         * shell/PlatformWin.cmake:
3099
3100 2017-11-27  Saam Barati  <sbarati@apple.com>
3101
3102         Having a bad time watchpoint firing during compilation revealed a racy assertion
3103         https://bugs.webkit.org/show_bug.cgi?id=180048
3104         <rdar://problem/35700009>
3105
3106         Reviewed by Mark Lam.
3107
3108         While a DFG compilation is watching the having a bad time watchpoint, it was
3109         asserting that the rest parameter structure has indexing type ArrayWithContiguous.
3110         However, if the having a bad time watchpoint fires during the compilation,
3111         this particular structure will no longer have ArrayWithContiguous indexing type.
3112         This patch fixes this racy assertion to be aware that the watchpoint may fire
3113         during compilation.
3114
3115         * dfg/DFGSpeculativeJIT.cpp:
3116         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3117         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3118
3119 2017-11-27  Tim Horton  <timothy_horton@apple.com>
3120
3121         One too many zeroes in macOS version number in FeatureDefines
3122         https://bugs.webkit.org/show_bug.cgi?id=180011
3123
3124         Reviewed by Dan Bernstein.
3125
3126         * Configurations/FeatureDefines.xcconfig:
3127
3128 2017-11-27  Robin Morisset  <rmorisset@apple.com>
3129
3130         Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
3131         https://bugs.webkit.org/show_bug.cgi?id=179821
3132
3133         Reviewed by Saam Barati.
3134
3135         * dfg/DFGSafeToExecute.h:
3136         (JSC::DFG::safeToExecute):
3137
3138 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3139
3140         [DFG] Add NormalizeMapKey DFG IR
3141         https://bugs.webkit.org/show_bug.cgi?id=179912
3142
3143         Reviewed by Saam Barati.
3144
3145         This patch introduces the NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
3146         By separating this from MapHash and Map/Set related operations, we can perform CSE on it, and we
3147         do not need to call normalizeMapKey conservatively in DFG operations.
3148         This can reduce the slow path cases in Untyped GetMapBucket since we can normalize keys in DFG/FTL.
3149
3150         * dfg/DFGAbstractInterpreterInlines.h:
3151         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3152         * dfg/DFGByteCodeParser.cpp:
3153         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3154         * dfg/DFGClobberize.h:
3155         (JSC::DFG::clobberize):
3156         * dfg/DFGDoesGC.cpp:
3157         (JSC::DFG::doesGC):
3158         * dfg/DFGFixupPhase.cpp:
3159         (JSC::DFG::FixupPhase::fixupNode):
3160         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
3161         * dfg/DFGNodeType.h:
3162         * dfg/DFGOperations.cpp:
3163         * dfg/DFGPredictionPropagationPhase.cpp:
3164         * dfg/DFGSafeToExecute.h:
3165         (JSC::DFG::safeToExecute):
3166         * dfg/DFGSpeculativeJIT.cpp:
3167         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
3168         * dfg/DFGSpeculativeJIT.h:
3169         * dfg/DFGSpeculativeJIT32_64.cpp:
3170         (JSC::DFG::SpeculativeJIT::compile):
3171         * dfg/DFGSpeculativeJIT64.cpp:
3172         (JSC::DFG::SpeculativeJIT::compile):
3173         * ftl/FTLCapabilities.cpp:
3174         (JSC::FTL::canCompile):
3175         * ftl/FTLLowerDFGToB3.cpp:
3176         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3177         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
3178         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
3179         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
3180         * runtime/HashMapImpl.h:
3181
3182 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3183
3184         [FTL] Support DeleteById and DeleteByVal
3185         https://bugs.webkit.org/show_bug.cgi?id=180022
3186
3187         Reviewed by Saam Barati.
3188
3189         We should increase the coverage of FTL. Even if the code includes DeleteById,
3190         it does not mean that the remaining part of the code should not be optimized in FTL.
3191         Right now, even CallEval and `with` scope are handled in FTL.
3192
3193         This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
3194         code including them.
3195
3196         * ftl/FTLCapabilities.cpp:
3197         (JSC::FTL::canCompile):
3198         * ftl/FTLLowerDFGToB3.cpp:
3199         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3200         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
3201         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
3202
3203 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3204
3205         [DFG] Introduce {Set,Map,WeakMap}Fields
3206         https://bugs.webkit.org/show_bug.cgi?id=179925
3207
3208         Reviewed by Saam Barati.
3209
3210         SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
3211         writes read-only MiscFields, which are used by various nodes, and makes optimization
3212         conservative.
3213
3214         We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
3215
3216         * dfg/DFGAbstractHeap.h:
3217         * dfg/DFGByteCodeParser.cpp:
3218         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3219         * dfg/DFGClobberize.h:
3220         (JSC::DFG::clobberize):
3221         * dfg/DFGHeapLocation.cpp:
3222         (WTF::printInternal):
3223         * dfg/DFGHeapLocation.h:
3224         * dfg/DFGNode.h:
3225         (JSC::DFG::Node::hasBucketOwnerType):
3226
3227 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3228
3229         [JSC] Remove JSStringBuilder
3230         https://bugs.webkit.org/show_bug.cgi?id=180016
3231
3232         Reviewed by Saam Barati.
3233
3234         JSStringBuilder is replaced with WTF::StringBuilder.
3235         This patch removes remaining uses and drops JSStringBuilder.
3236
3237         * JavaScriptCore.xcodeproj/project.pbxproj:
3238         * runtime/ArrayPrototype.cpp:
3239         * runtime/AsyncFunctionPrototype.cpp:
3240         * runtime/AsyncGeneratorFunctionPrototype.cpp:
3241         * runtime/ErrorPrototype.cpp:
3242         * runtime/FunctionPrototype.cpp:
3243         * runtime/GeneratorFunctionPrototype.cpp:
3244         * runtime/JSGlobalObjectFunctions.cpp:
3245         (JSC::decode):
3246         (JSC::globalFuncEscape):
3247         * runtime/JSStringBuilder.h: Removed.
3248         * runtime/JSStringInlines.h:
3249         (JSC::jsMakeNontrivialString):
3250         * runtime/RegExpPrototype.cpp:
3251         * runtime/StringPrototype.cpp:
3252
3253 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3254
3255         [DFG] Remove GetLocalUnlinked
3256         https://bugs.webkit.org/show_bug.cgi?id=180017
3257
3258         Reviewed by Saam Barati.
3259
3260         Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
3261         This patch just removes it.
3262
3263         * dfg/DFGAbstractInterpreterInlines.h:
3264         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3265         * dfg/DFGClobberize.h:
3266         (JSC::DFG::clobberize):
3267         * dfg/DFGCommon.h:
3268         * dfg/DFGDoesGC.cpp:
3269         (JSC::DFG::doesGC):
3270         * dfg/DFGFixupPhase.cpp:
3271         (JSC::DFG::FixupPhase::fixupNode):
3272         * dfg/DFGGraph.cpp:
3273         (JSC::DFG::Graph::dump):
3274         * dfg/DFGNode.h:
3275         (JSC::DFG::Node::hasUnlinkedLocal):
3276         (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
3277         (JSC::DFG::Node::convertToGetLocal): Deleted.
3278         (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
3279         (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
3280         (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
3281         * dfg/DFGNodeType.h:
3282         * dfg/DFGPredictionPropagationPhase.cpp:
3283         * dfg/DFGSafeToExecute.h:
3284         (JSC::DFG::safeToExecute):
3285         * dfg/DFGSpeculativeJIT32_64.cpp:
3286         (JSC::DFG::SpeculativeJIT::compile):
3287         * dfg/DFGSpeculativeJIT64.cpp:
3288         (JSC::DFG::SpeculativeJIT::compile):
3289         * dfg/DFGStackLayoutPhase.cpp:
3290         (JSC::DFG::StackLayoutPhase::run):
3291         * dfg/DFGValidate.cpp:
3292
3293 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3294
3295         Make ArgList::data() private again when we can remove callWasmFunction().
3296         https://bugs.webkit.org/show_bug.cgi?id=168582
3297
3298         Reviewed by JF Bastien.
3299
3300         Make ArgList::data() private since we already removed callWasmFunction.
3301
3302         * runtime/ArgList.h:
3303
3304 2016-08-05  Darin Adler  <darin@apple.com>
3305
3306         Fix some minor problems in the StringImpl header
3307         https://bugs.webkit.org/show_bug.cgi?id=160630
3308
3309         Reviewed by Brent Fulgham.
3310
3311         * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
3312         Yarr namespacing since we use "using namespace" in this file.
3313
3314 2017-11-24  Mark Lam  <mark.lam@apple.com>
3315
3316         Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
3317         https://bugs.webkit.org/show_bug.cgi?id=179936
3318         <rdar://problem/35623998>
3319
3320         Reviewed by Saam Barati.
3321
3322         This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
3323         See https://bugs.webkit.org/show_bug.cgi?id=179684.
3324
3325         Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
3326         was allocating stack space to stash arguments (to be forwarded) and new frame
3327         info.  The location of this new stash space happens to lie beyond the top of frame
3328         of the tail call caller frame.  After stashing the arguments, the code proceeded
3329         to load the callee codeBlock.  This triggered an allocation, which in turn,
3330         triggered stack sanitization.  The CLoop stack sanitizer was relying on
3331         frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
3332         that turned out to be inadequate.  As a result, part of the stashed data was
3333         zeroed out, and subsequently led to a crash.
3334
3335         This bug does not affect JIT builds (i.e. the ASM LLInt) for 2 reasons:
3336         1. JIT builds do stack sanitization in the LLInt code itself (different from the
3337            CLoop implementation), and the sanitizer there is aware of the true top of
3338            stack value (i.e. the stack pointer).
3339         2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
3340            parallel stack is one condition necessary for reproducing this issue.
3341
3342         The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
3343         every time before it calls out to native C++ code.  This also brings the CLoop's
3344         behavior closer to hardware behavior where we can know where the stack pointer
3345         is after calling from JS back into native C++ code, which makes it easier to
3346         reason about correctness.