CodeBlocks should be in IsoSubspaces
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
2
3         CodeBlocks should be in IsoSubspaces
4         https://bugs.webkit.org/show_bug.cgi?id=180884
5
6         Reviewed by Saam Barati.
7         
8         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
9         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
10         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
11         
12         - Code block sweeping is now just eager sweeping. This means that it automatically takes
13           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
14           its eden set for.
15         
16         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
17           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
18           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
19           longer has to clear the set of weakly visited code blocks. This also means that
20           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
21           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
22           has IsoCellSets to tell us which edges have output constraints (what we used to call
23           CodeBlock's weak reference harvester) and which have unconditional finalizers.
24         
25         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
26         
27         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
28           handle requests from the sampler, debugger, and other facilities. They may want to ask
29           if some pointer corresponds to a CodeBlock during stages of execution during which the
30           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
31           There is no way that the GC's isLive could tell us whether a CodeBlock that had already been
32           allocated has now been fully constructed.
33         
34         * JavaScriptCore.xcodeproj/project.pbxproj:
35         * Sources.txt:
36         * bytecode/CodeBlock.cpp:
37         (JSC::CodeBlock::CodeBlock):
38         (JSC::CodeBlock::finishCreation):
39         (JSC::CodeBlock::finishCreationCommon):
40         (JSC::CodeBlock::~CodeBlock):
41         (JSC::CodeBlock::visitChildren):
42         (JSC::CodeBlock::propagateTransitions):
43         (JSC::CodeBlock::determineLiveness):
44         (JSC::CodeBlock::finalizeUnconditionally):
45         (JSC::CodeBlock::stronglyVisitStrongReferences):
46         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
47         (JSC::CodeBlock::installVMTrapBreakpoints):
48         (JSC::CodeBlock::dumpMathICStats):
49         (JSC::CodeBlock::visitWeakly): Deleted.
50         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
51         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
52         * bytecode/CodeBlock.h:
53         (JSC::CodeBlock::subspaceFor):
54         (JSC::CodeBlock::ownerEdge const):
55         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
56         * bytecode/EvalCodeBlock.h:
57         (JSC::EvalCodeBlock::create): Deleted.
58         (JSC::EvalCodeBlock::createStructure): Deleted.
59         (JSC::EvalCodeBlock::variable): Deleted.
60         (JSC::EvalCodeBlock::numVariables): Deleted.
61         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
62         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
63         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
64         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
65         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
66         (JSC::ExecutableToCodeBlockEdge::createStructure):
67         (JSC::ExecutableToCodeBlockEdge::create):
68         (JSC::ExecutableToCodeBlockEdge::visitChildren):
69         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
70         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
71         (JSC::ExecutableToCodeBlockEdge::activate):
72         (JSC::ExecutableToCodeBlockEdge::deactivate):
73         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
74         (JSC::ExecutableToCodeBlockEdge::wrap):
75         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
76         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
77         (JSC::ExecutableToCodeBlockEdge::runConstraint):
78         * bytecode/ExecutableToCodeBlockEdge.h: Added.
79         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
80         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
81         (JSC::ExecutableToCodeBlockEdge::unwrap):
82         * bytecode/FunctionCodeBlock.h:
83         (JSC::FunctionCodeBlock::subspaceFor):
84         (JSC::FunctionCodeBlock::createStructure):
85         * bytecode/ModuleProgramCodeBlock.h:
86         (JSC::ModuleProgramCodeBlock::create): Deleted.
87         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
88         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
89         * bytecode/ProgramCodeBlock.h:
90         (JSC::ProgramCodeBlock::create): Deleted.
91         (JSC::ProgramCodeBlock::createStructure): Deleted.
92         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
93         * debugger/Debugger.cpp:
94         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
95         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
96         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
97         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
98         * heap/CodeBlockSet.cpp:
99         (JSC::CodeBlockSet::contains):
100         (JSC::CodeBlockSet::dump const):
101         (JSC::CodeBlockSet::add):
102         (JSC::CodeBlockSet::remove):
103         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
104         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
105         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
106         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
107         * heap/CodeBlockSet.h:
108         * heap/CodeBlockSetInlines.h:
109         (JSC::CodeBlockSet::iterate):
110         (JSC::CodeBlockSet::iterateViaSubspaces):
111         * heap/ConservativeRoots.cpp:
112         (JSC::ConservativeRoots::genericAddPointer):
113         (JSC::DummyMarkHook::markKnownJSCell):
114         (JSC::CompositeMarkHook::mark):
115         (JSC::CompositeMarkHook::markKnownJSCell):
116         * heap/ConservativeRoots.h:
117         * heap/Heap.cpp:
118         (JSC::Heap::lastChanceToFinalize):
119         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
120         (JSC::Heap::finalizeUnconditionalFinalizers):
121         (JSC::Heap::beginMarking):
122         (JSC::Heap::deleteUnmarkedCompiledCode):
123         (JSC::Heap::sweepInFinalize):
124         (JSC::Heap::forEachCodeBlockImpl):
125         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
126         (JSC::Heap::addCoreConstraints):
127         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
128         * heap/Heap.h:
129         * heap/HeapCell.h:
130         * heap/HeapCellInlines.h:
131         (JSC::HeapCell::subspace const):
132         * heap/HeapInlines.h:
133         (JSC::Heap::forEachCodeBlock):
134         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
135         * heap/HeapUtil.h:
136         (JSC::HeapUtil::findGCObjectPointersForMarking):
137         * heap/IsoCellSet.cpp:
138         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
139         * heap/IsoCellSet.h:
140         * heap/IsoCellSetInlines.h:
141         (JSC::IsoCellSet::forEachMarkedCellInParallel):
142         (JSC::IsoCellSet::forEachLiveCell):
143         * heap/LargeAllocation.h:
144         (JSC::LargeAllocation::subspace const):
145         * heap/MarkStackMergingConstraint.cpp:
146         (JSC::MarkStackMergingConstraint::executeImpl):
147         * heap/MarkStackMergingConstraint.h:
148         * heap/MarkedAllocator.cpp:
149         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
150         * heap/MarkedBlock.cpp:
151         (JSC::MarkedBlock::Handle::didAddToAllocator):
152         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
153         * heap/MarkedBlock.h:
154         (JSC::MarkedBlock::subspace const):
155         * heap/MarkedBlockInlines.h:
156         (JSC::MarkedBlock::Handle::forEachLiveCell):
157         * heap/MarkedSpaceInlines.h:
158         (JSC::MarkedSpace::forEachLiveCell):
159         * heap/MarkingConstraint.cpp:
160         (JSC::MarkingConstraint::execute):
161         (JSC::MarkingConstraint::doParallelWork):
162         (JSC::MarkingConstraint::finishParallelWork): Deleted.
163         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
164         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
165         * heap/MarkingConstraint.h:
166         * heap/MarkingConstraintSet.cpp:
167         (JSC::MarkingConstraintSet::add):
168         * heap/MarkingConstraintSet.h:
169         (JSC::MarkingConstraintSet::add):
170         * heap/MarkingConstraintSolver.cpp:
171         (JSC::MarkingConstraintSolver::execute):
172         (JSC::MarkingConstraintSolver::addParallelTask):
173         (JSC::MarkingConstraintSolver::runExecutionThread):
174         (JSC::MarkingConstraintSolver::didExecute): Deleted.
175         * heap/MarkingConstraintSolver.h:
176         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
177         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
178         * heap/SimpleMarkingConstraint.cpp:
179         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
180         (JSC::SimpleMarkingConstraint::executeImpl):
181         * heap/SimpleMarkingConstraint.h:
182         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
183         * heap/SlotVisitor.cpp:
184         (JSC::SlotVisitor::addParallelConstraintTask):
185         * heap/SlotVisitor.h:
186         * heap/Subspace.cpp:
187         (JSC::Subspace::sweep):
188         * heap/Subspace.h:
189         * heap/SubspaceInlines.h:
190         (JSC::Subspace::forEachLiveCell):
191         * llint/LowLevelInterpreter.asm:
192         * runtime/EvalExecutable.cpp:
193         (JSC::EvalExecutable::visitChildren):
194         * runtime/EvalExecutable.h:
195         (JSC::EvalExecutable::codeBlock):
196         * runtime/FunctionExecutable.cpp:
197         (JSC::FunctionExecutable::baselineCodeBlockFor):
198         (JSC::FunctionExecutable::visitChildren):
199         * runtime/FunctionExecutable.h:
200         * runtime/JSType.h:
201         * runtime/ModuleProgramExecutable.cpp:
202         (JSC::ModuleProgramExecutable::visitChildren):
203         * runtime/ModuleProgramExecutable.h:
204         * runtime/ProgramExecutable.cpp:
205         (JSC::ProgramExecutable::visitChildren):
206         * runtime/ProgramExecutable.h:
207         * runtime/ScriptExecutable.cpp:
208         (JSC::ScriptExecutable::installCode):
209         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
210         * runtime/VM.cpp:
211         (JSC::VM::VM):
212         * runtime/VM.h:
213         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
214         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
215         (JSC::VM::forEachCodeBlockSpace):
216         * runtime/VMTraps.cpp:
217         (JSC::VMTraps::handleTraps):
218         * tools/VMInspector.cpp:
219         (JSC::VMInspector::codeBlockForMachinePC):
220         (JSC::VMInspector::isValidCodeBlock):
221
222 2018-01-09  Michael Saboff  <msaboff@apple.com>
223
224         Unreviewed, rolling out r226600 and r226603
225         https://bugs.webkit.org/show_bug.cgi?id=181351
226
227         Add a DOM gadget for Spectre testing
228
229         * runtime/Options.h:
230
231 2018-01-09  Saam Barati  <sbarati@apple.com>
232
233         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
234         https://bugs.webkit.org/show_bug.cgi?id=181409
235
236         Reviewed by Keith Miller.
237
238         When I was looking at profiler data for Speedometer, I noticed that one of
239         the hottest functions in Speedometer is around 1100 bytecode operations long.
240         Only about 100 of those bytecode ops ever execute. However, we ended up
241         spending a lot of time compiling basic blocks that never executed. We often
242         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
243         This is the case when such a node never executes.
244         
245         This patch makes it so that anytime a block has a ForceOSRExit, we replace its
246         terminal node with an Unreachable node (and remove all nodes after the
247         ForceOSRExit). This will cut down on graph size when such a block dominates
248         other blocks in the CFG. This allows us to get rid of huge chunks of the CFG
249         in certain programs. When doing this transformation, we also insert
250         Flushes/PhantomLocals to ensure we can recover values that are bytecode
251         live-in to the ForceOSRExit.
252         
253         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
254         does not get rid of all the CFG that it could. If we decide it's worth
255         it, we could use additional inputs into this mechanism. For example, we could
256         profile if a basic block ever executes inside the LLInt/Baseline, and
257         remove parts of the CFG based on that.
258         
259         When running Speedometer with the concurrent JIT turned off, this patch
260         improves DFG/FTL compile times by around 5%.
261
262         * dfg/DFGByteCodeParser.cpp:
263         (JSC::DFG::ByteCodeParser::addToGraph):
264         (JSC::DFG::ByteCodeParser::parse):
265
266 2018-01-09  Mark Lam  <mark.lam@apple.com>
267
268         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
269         https://bugs.webkit.org/show_bug.cgi?id=181388
270         <rdar://problem/36349351>
271
272         Reviewed by Saam Barati.
273
274         When there are duplicate setters or getters, we may end up overwriting a getter
275         with a setter, or vice versa.  This patch adds tracking for getters/setters that
276         have been overwritten with duplicates and ignores them.
277
278         * bytecompiler/NodesCodegen.cpp:
279         (JSC::PropertyListNode::emitBytecode):
280         * parser/NodeConstructors.h:
281         (JSC::PropertyNode::PropertyNode):
282         * parser/Nodes.h:
283         (JSC::PropertyNode::isOverriddenByDuplicate const):
284         (JSC::PropertyNode::setIsOverriddenByDuplicate):
285
286 2018-01-08  Zan Dobersek  <zdobersek@igalia.com>
287
288         REGRESSION(r225913): about 30 JSC test failures on ARMv7
289         https://bugs.webkit.org/show_bug.cgi?id=181162
290         <rdar://problem/36261349>
291
292         Unreviewed follow-up to r226298. Enable the fast case in
293         DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform,
294         assuming in good faith that enough GP registers are available on any
295         such configuration. The accompanying comment is adjusted to describe
296         this assumption.
297
298         * dfg/DFGSpeculativeJIT.cpp:
299         (JSC::DFG::SpeculativeJIT::compileArraySlice):
300
301 2018-01-08  JF Bastien  <jfbastien@apple.com>
302
303         WebAssembly: mask indexed accesses to Table
304         https://bugs.webkit.org/show_bug.cgi?id=181412
305         <rdar://problem/36363236>
306
307         Reviewed by Saam Barati.
308
309         WebAssembly Table indexed accesses are user-controlled and
310         bounds-checked. Force allocations of Table data to be a
311         power-of-two, and explicitly mask accesses after bounds-check
312         branches.
313
314         Rename misleading usage of "size" when "length" of a Table was
315         intended.
316
317         Rename the Spectre option from "disable" to "enable".
318
319         * dfg/DFGSpeculativeJIT.cpp:
320         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
321         * ftl/FTLLowerDFGToB3.cpp:
322         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
323         * jit/JIT.cpp:
324         (JSC::JIT::JIT):
325         * runtime/Options.h:
326         * wasm/WasmB3IRGenerator.cpp:
327         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
328         (JSC::Wasm::B3IRGenerator::addCallIndirect):
329         * wasm/WasmTable.cpp:
330         (JSC::Wasm::Table::allocatedLength):
331         (JSC::Wasm::Table::setLength):
332         (JSC::Wasm::Table::create):
333         (JSC::Wasm::Table::Table):
334         (JSC::Wasm::Table::grow):
335         (JSC::Wasm::Table::clearFunction):
336         (JSC::Wasm::Table::setFunction):
337         * wasm/WasmTable.h:
338         (JSC::Wasm::Table::length const):
339         (JSC::Wasm::Table::offsetOfLength):
340         (JSC::Wasm::Table::offsetOfMask):
341         (JSC::Wasm::Table::mask const):
342         (JSC::Wasm::Table::isValidLength):
343         * wasm/js/JSWebAssemblyInstance.cpp:
344         (JSC::JSWebAssemblyInstance::create):
345         * wasm/js/JSWebAssemblyTable.cpp:
346         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
347         (JSC::JSWebAssemblyTable::visitChildren):
348         (JSC::JSWebAssemblyTable::grow):
349         (JSC::JSWebAssemblyTable::getFunction):
350         (JSC::JSWebAssemblyTable::clearFunction):
351         (JSC::JSWebAssemblyTable::setFunction):
352         * wasm/js/JSWebAssemblyTable.h:
353         (JSC::JSWebAssemblyTable::isValidLength):
354         (JSC::JSWebAssemblyTable::length const):
355         (JSC::JSWebAssemblyTable::allocatedLength const):
356         * wasm/js/WebAssemblyModuleRecord.cpp:
357         (JSC::WebAssemblyModuleRecord::evaluate):
358         * wasm/js/WebAssemblyTablePrototype.cpp:
359         (JSC::webAssemblyTableProtoFuncLength):
360         (JSC::webAssemblyTableProtoFuncGrow):
361         (JSC::webAssemblyTableProtoFuncGet):
362         (JSC::webAssemblyTableProtoFuncSet):
363
364 2018-01-08  Michael Saboff  <msaboff@apple.com>
365
366         Add a DOM gadget for Spectre testing
367         https://bugs.webkit.org/show_bug.cgi?id=181351
368
369         Reviewed by Michael Saboff.
370
371         Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
372         Spectre mitigations.
373
374         * runtime/Options.h:
375
376 2018-01-08  Mark Lam  <mark.lam@apple.com>
377
378         Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
379         https://bugs.webkit.org/show_bug.cgi?id=181403
380         <rdar://problem/36359789>
381
382         Rubber-stamped by JF Bastien.
383
384         * bytecode/CodeBlock.cpp:
385         (JSC::CodeBlock::CodeBlock):
386         (JSC::CodeBlock::~CodeBlock):
387         (JSC::CodeBlock::setConstantRegisters):
388         (JSC::CodeBlock::propagateTransitions):
389         (JSC::CodeBlock::finalizeLLIntInlineCaches):
390         (JSC::CodeBlock::jettison):
391         (JSC::CodeBlock::predictedMachineCodeSize):
392         * bytecode/CodeBlock.h:
393         (JSC::CodeBlock::vm const):
394         (JSC::CodeBlock::addConstant):
395         (JSC::CodeBlock::heap const):
396         (JSC::CodeBlock::replaceConstant):
397         * llint/LowLevelInterpreter.asm:
398         * llint/LowLevelInterpreter32_64.asm:
399         * llint/LowLevelInterpreter64.asm:
400
401 2018-01-07  Mark Lam  <mark.lam@apple.com>
402
403         Apply poisoning to more pointers in JSC.
404         https://bugs.webkit.org/show_bug.cgi?id=181096
405         <rdar://problem/36182970>
406
407         Reviewed by JF Bastien.
408
409         * assembler/MacroAssembler.h:
410         (JSC::MacroAssembler::xorPtr):
411         * assembler/MacroAssemblerARM64.h:
412         (JSC::MacroAssemblerARM64::xor64):
413         * assembler/MacroAssemblerX86_64.h:
414         (JSC::MacroAssemblerX86_64::xor64):
415         - Add xorPtr implementation.
416
417         * bytecode/CodeBlock.cpp:
418         (JSC::CodeBlock::inferredName const):
419         (JSC::CodeBlock::CodeBlock):
420         (JSC::CodeBlock::finishCreation):
421         (JSC::CodeBlock::~CodeBlock):
422         (JSC::CodeBlock::setConstantRegisters):
423         (JSC::CodeBlock::visitWeakly):
424         (JSC::CodeBlock::visitChildren):
425         (JSC::CodeBlock::propagateTransitions):
426         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
427         (JSC::CodeBlock::finalizeLLIntInlineCaches):
428         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
429         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
430         (JSC::CodeBlock::jettison):
431         (JSC::CodeBlock::predictedMachineCodeSize):
432         (JSC::CodeBlock::findPC):
433         * bytecode/CodeBlock.h:
434         (JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
435         (JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
436         (JSC::CodeBlock::stubInfoBegin):
437         (JSC::CodeBlock::stubInfoEnd):
438         (JSC::CodeBlock::callLinkInfosBegin):
439         (JSC::CodeBlock::callLinkInfosEnd):
440         (JSC::CodeBlock::instructions):
441         (JSC::CodeBlock::instructions const):
442         (JSC::CodeBlock::vm const):
443         * dfg/DFGOSRExitCompilerCommon.h:
444         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
445         * jit/JIT.h:
446         * llint/LLIntOfflineAsmConfig.h:
447         * llint/LowLevelInterpreter.asm:
448         * llint/LowLevelInterpreter64.asm:
449         * parser/UnlinkedSourceCode.h:
450         * runtime/JSCPoison.h:
451         * runtime/JSGlobalObject.cpp:
452         (JSC::JSGlobalObject::init):
453         * runtime/JSGlobalObject.h:
454         * runtime/JSScriptFetchParameters.h:
455         * runtime/JSScriptFetcher.h:
456         * runtime/StructureTransitionTable.h:
457         * wasm/js/JSWebAssemblyCodeBlock.cpp:
458         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
459         (JSC::JSWebAssemblyCodeBlock::visitChildren):
460         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
461         * wasm/js/JSWebAssemblyCodeBlock.h:
462
463 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
464
465         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
466         https://bugs.webkit.org/show_bug.cgi?id=181321
467
468         Reviewed by Saam Barati.
469
470         According to ECMA262 16.2[1], functions created using the bind method must not have
471         "caller" and "arguments" own properties.
472
473         [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions
474
475         * runtime/JSBoundFunction.cpp:
476         (JSC::JSBoundFunction::finishCreation):
477
478 2018-01-05  JF Bastien  <jfbastien@apple.com>
479
480         WebAssembly: poison JS object's secrets
481         https://bugs.webkit.org/show_bug.cgi?id=181339
482         <rdar://problem/36325001>
483
484         Reviewed by Mark Lam.
485
486         Separating WebAssembly's JS objects from their non-JS
487         implementation means that all interesting information lives
488         outside of the JS object itself. This patch poisons each JS
489         object's pointer to non-JS implementation using the poisoning
490         mechanism and a unique key per JS object type origin.
491
492         * runtime/JSCPoison.h:
493         * wasm/js/JSToWasm.cpp:
494         (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
495         object in a stack slot when fast TLS is disabled. This requires
496         that we unpoison the Wasm::Instance.
497         * wasm/js/JSWebAssemblyCodeBlock.h:
498         * wasm/js/JSWebAssemblyInstance.h:
499         (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
500         be explicit that the pointer is poisoned.
501         * wasm/js/JSWebAssemblyMemory.h:
502         * wasm/js/JSWebAssemblyModule.h:
503         * wasm/js/JSWebAssemblyTable.h:
504
505 2018-01-05  Michael Saboff  <msaboff@apple.com>
506
507         Add ability to disable indexed property masking for testing
508         https://bugs.webkit.org/show_bug.cgi?id=181350
509
510         Reviewed by Keith Miller.
511
512         Made the masking of indexed properties runtime controllable via a new JSC::Option
513         named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.
514
515         The new option has a generic name as it will probably be used to disable future mitigations.
516
517         * dfg/DFGSpeculativeJIT.cpp:
518         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
519         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
520         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
521         * dfg/DFGSpeculativeJIT.h:
522         * dfg/DFGSpeculativeJIT64.cpp:
523         (JSC::DFG::SpeculativeJIT::compile):
524         * ftl/FTLLowerDFGToB3.cpp:
525         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
526         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
527         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
528         * jit/JIT.cpp:
529         (JSC::JIT::JIT):
530         * jit/JIT.h:
531         * jit/JITPropertyAccess.cpp:
532         (JSC::JIT::emitDoubleLoad):
533         (JSC::JIT::emitContiguousLoad):
534         (JSC::JIT::emitArrayStorageLoad):
535         * runtime/Options.h:
536         * wasm/WasmB3IRGenerator.cpp:
537         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
538
539 2018-01-05  Michael Saboff  <msaboff@apple.com>
540
541         Allow JSC Config Files to set Restricted Options
542         https://bugs.webkit.org/show_bug.cgi?id=181352
543
544         Reviewed by Mark Lam.
545
546         * runtime/ConfigFile.cpp:
547         (JSC::ConfigFile::parse):
548
549 2018-01-04  Keith Miller  <keith_miller@apple.com>
550
551         TypedArrays and Wasm should use index masking.
552         https://bugs.webkit.org/show_bug.cgi?id=181313
553
554         Reviewed by Michael Saboff.
555
556         We should have index masking for our TypedArray code in the
557         DFG/FTL and for Wasm when doing bounds checking. Index masking for
558         Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
559         WasmBoundsCheckValues we don't need to worry about combining a
560         bounds check for a load and a store. I went with fusing the
561         pointer masking in the WasmBoundsCheckValue since it should reduce
562         additional compiler overhead.
563
564         * b3/B3LowerToAir.cpp:
565         * b3/B3Validate.cpp:
566         * b3/B3WasmBoundsCheckValue.cpp:
567         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
568         (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
569         * b3/B3WasmBoundsCheckValue.h:
570         (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
571         * b3/air/AirCustom.h:
572         (JSC::B3::Air::WasmBoundsCheckCustom::generate):
573         * b3/testb3.cpp:
574         (JSC::B3::testWasmBoundsCheck):
575         * dfg/DFGSpeculativeJIT.cpp:
576         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
577         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
578         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
579         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
580         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
581         * dfg/DFGSpeculativeJIT.h:
582         * dfg/DFGSpeculativeJIT64.cpp:
583         (JSC::DFG::SpeculativeJIT::compile):
584         * ftl/FTLLowerDFGToB3.cpp:
585         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
586         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
587         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
588         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
589         * jit/JITPropertyAccess.cpp:
590         (JSC::JIT::emitIntTypedArrayGetByVal):
591         * runtime/Butterfly.h:
592         (JSC::Butterfly::computeIndexingMask const):
593         (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
594         * runtime/JSArrayBufferView.cpp:
595         (JSC::JSArrayBufferView::JSArrayBufferView):
596         * wasm/WasmB3IRGenerator.cpp:
597         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
598         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
599         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
600         (JSC::Wasm::B3IRGenerator::load):
601         (JSC::Wasm::B3IRGenerator::store):
602         (JSC::Wasm::B3IRGenerator::addCallIndirect):
603         * wasm/WasmBinding.cpp:
604         (JSC::Wasm::wasmToWasm):
605         * wasm/WasmMemory.cpp:
606         (JSC::Wasm::Memory::Memory):
607         (JSC::Wasm::Memory::grow):
608         * wasm/WasmMemory.h:
609         (JSC::Wasm::Memory::offsetOfIndexingMask):
610         * wasm/WasmMemoryInformation.cpp:
611         (JSC::Wasm::PinnedRegisterInfo::get):
612         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
613         * wasm/WasmMemoryInformation.h:
614         (JSC::Wasm::PinnedRegisterInfo::toSave const):
615         * wasm/js/JSToWasm.cpp:
616         (JSC::Wasm::createJSToWasmWrapper):
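
JF Bastien's Table entry and Keith Miller's TypedArray/Wasm entry above describe one mitigation from two sides: bounds-check the user-controlled index, then mask it, so that a bounds-check branch that is mispredicted and skipped cannot carry the load far outside the buffer. For a Table the storage is padded to a power of two, which makes the masked index always land inside the allocation; for a TypedArray the storage is not padded, so the mask only limits how far past the end a skipped check can reach. The C++ below is an added illustration written for this page, not JSC's `Wasm::Table` or `computeIndexingMask`: `MaskedTable`, `roundUpToPowerOfTwo`, `speculativeSlotFor` and `indexingMaskForLength` are names invented here, the mask formula is an assumption, and the maximum length and the "0 means empty slot" convention are constructed for the demo.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <vector>

constexpr uint32_t kEmptySlot = 0;            // constructed convention: 0 = no function
constexpr uint64_t kMaxLength = 1u << 24;     // constructed limit, keeps lengths small

// Smallest power of two >= wanted (0 and 1 both give 1, so a mask always exists).
uint32_t roundUpToPowerOfTwo(uint32_t wanted) {
    uint32_t v = 1;
    while (v < wanted) v <<= 1;
    return v;
}

// Stand-in for a WebAssembly table (invented for this demo). Backing storage is
// always a power of two long, so mask == allocatedLength - 1 and (index & mask)
// can never point past the storage, whether or not the check was taken.
class MaskedTable {
public:
    explicit MaskedTable(uint32_t initialLength)
        : m_slots(roundUpToPowerOfTwo(initialLength), kEmptySlot)
        , m_length(initialLength)
        , m_mask(static_cast<uint32_t>(m_slots.size()) - 1) {}

    uint32_t length() const { return m_length; }
    uint32_t allocatedLength() const { return static_cast<uint32_t>(m_slots.size()); }
    uint32_t mask() const { return m_mask; }

    // Architectural path: bounds check (a trap in real wasm, -1 here), then mask, then load.
    int64_t get(uint32_t index) const {
        if (index >= m_length) return -1;
        return m_slots[index & m_mask];
    }

    bool set(uint32_t index, uint32_t functionIndex) {
        if (index >= m_length) return false;
        m_slots[index & m_mask] = functionIndex;
        return true;
    }

    // The slot a load would touch if the bounds-check branch were mispredicted
    // and the check skipped: the mask alone keeps it inside m_slots.
    size_t speculativeSlotFor(uint32_t index) const { return index & m_mask; }

    // Growth keeps the storage a power of two and refreshes the mask.
    bool grow(uint32_t delta) {
        uint64_t newLength = static_cast<uint64_t>(m_length) + delta;
        if (newLength > kMaxLength) return false;
        if (newLength > m_slots.size()) {
            m_slots.resize(roundUpToPowerOfTwo(static_cast<uint32_t>(newLength)), kEmptySlot);
            m_mask = static_cast<uint32_t>(m_slots.size()) - 1;
        }
        m_length = static_cast<uint32_t>(newLength);
        return true;
    }

private:
    std::vector<uint32_t> m_slots;
    uint32_t m_length;
    uint32_t m_mask;
};

// Mask for storage that is not padded to a power of two (the TypedArray case):
// valid indices pass through unchanged and a skipped check can reach at most
// up to the next power of two. Assumed formula, not JSC's computeIndexingMask.
uint32_t indexingMaskForLength(uint32_t length) {
    return length ? roundUpToPowerOfTwo(length) - 1 : 0;
}

int main() {
    MaskedTable table(5);
    table.set(4, 17);
    std::printf("length=%u allocated=%u mask=0x%x\n",
                table.length(), table.allocatedLength(), table.mask());
    std::printf("get(4)=%lld get(100)=%lld (checked path: -1 means trap)\n",
                (long long)table.get(4), (long long)table.get(100));
    std::printf("speculative slot for index 100: %zu (stays inside %u slots)\n",
                table.speculativeSlotFor(100), table.allocatedLength());
    table.grow(4);
    std::printf("after grow: length=%u allocated=%u mask=0x%x\n",
                table.length(), table.allocatedLength(), table.mask());
    std::printf("typed-array style mask for length 5: 0x%x\n", indexingMaskForLength(5));
    return 0;
}
```

The mask has to be recomputed whenever the storage grows, and it is applied after the check rather than instead of it: the check still decides what the program observes, while the mask bounds what a transient, mispredicted execution can touch.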
617
618 2018-01-05  Commit Queue  <commit-queue@webkit.org>
619
620         Unreviewed, rolling out r226434.
621         https://bugs.webkit.org/show_bug.cgi?id=181322
622
623         32bit JSC failure in x86 (Requested by yusukesuzuki on
624         #webkit).
625
626         Reverted changeset:
627
628         "[DFG] Unify ToNumber implementation in 32bit and 64bit by
629         changing 32bit Int32Tag and LowestTag"
630         https://bugs.webkit.org/show_bug.cgi?id=181134
631         https://trac.webkit.org/changeset/226434
632
633 2018-01-04  Devin Rousso  <webkit@devinrousso.com>
634
635         Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
636         https://bugs.webkit.org/show_bug.cgi?id=180770
637
638         Reviewed by Joseph Pecoraro.
639
640         * inspector/protocol/Canvas.json:
641
642 2018-01-04  Commit Queue  <commit-queue@webkit.org>
643
644         Unreviewed, rolling out r226405.
645         https://bugs.webkit.org/show_bug.cgi?id=181318
646
647         Speculative rollout due to Octane/SplayLatency,Octane/Splay
648         regressions (Requested by yusukesuzuki on #webkit).
649
650         Reverted changeset:
651
652         "[JSC] Create parallel SlotVisitors apriori"
653         https://bugs.webkit.org/show_bug.cgi?id=180907
654         https://trac.webkit.org/changeset/226405
655
656 2018-01-04  Saam Barati  <sbarati@apple.com>
657
658         Do value profiling in to_this
659         https://bugs.webkit.org/show_bug.cgi?id=181299
660
661         Reviewed by Filip Pizlo.
662
663         This patch adds value profiling to to_this. We use the result of the value
664         profiling only for strict mode code when we don't predict that the input is
665         of a specific type. This helps when the input is SpecCellOther. Such cells
666         might implement a custom ToThis, which can produce an arbitrary result. Before
667         this patch, in prediction propagation, we were saying that a ToThis with a
668         SpecCellOther input also produced SpecCellOther. However, this is incorrect,
669         given that the input may implement ToThis that produces an arbitrary result.
670         This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.
671         
672         Interestingly, this patch only does value profiling on the slow path. The fast
673         path of to_this in the LLInt/baseline just performs a structure check. If it
674         passes, the result is the same as the input. Therefore, doing value profiling
675         from the fast path wouldn't actually produce new information for the ValueProfile.
676
677         * bytecode/BytecodeDumper.cpp:
678         (JSC::BytecodeDumper<Block>::dumpBytecode):
679         * bytecode/BytecodeList.json:
680         * bytecode/CodeBlock.cpp:
681         (JSC::CodeBlock::finishCreation):
682         * bytecompiler/BytecodeGenerator.cpp:
683         (JSC::BytecodeGenerator::BytecodeGenerator):
684         (JSC::BytecodeGenerator::emitToThis):
685         * bytecompiler/BytecodeGenerator.h:
686         * dfg/DFGByteCodeParser.cpp:
687         (JSC::DFG::ByteCodeParser::parseBlock):
688         * dfg/DFGNode.h:
689         (JSC::DFG::Node::hasHeapPrediction):
690         * dfg/DFGPredictionPropagationPhase.cpp:
691         * runtime/CommonSlowPaths.cpp:
692         (JSC::SLOW_PATH_DECL):
693
694 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
695
696         [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
697         https://bugs.webkit.org/show_bug.cgi?id=181134
698
699         Reviewed by Mark Lam.
700
701         We would like to unify the DFG ToNumber implementation in 32bit and 64bit. One problem is that
702         the branchIfNumber signature is different between 32bit and 64bit. The 32bit implementation requires
703         an additional scratch register. We do not want to allocate an unnecessary register in the 64bit
704         implementation.
705
706         This patch removes the additional register in branchIfNumber/branchIfNotNumber in both the 32bit
707         and 64bit implementations. To achieve this goal, we change the Int32Tag and LowestTag order. By
708         setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
709         `<= LowestTag(Int32Tag)`.
710
711         We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.
712
713         We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.
714
715         * dfg/DFGSpeculativeJIT.cpp:
716         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
717         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
718         (JSC::DFG::SpeculativeJIT::speculateNumber):
719         (JSC::DFG::SpeculativeJIT::speculateMisc):
720         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
721         (JSC::DFG::SpeculativeJIT::compileToNumber):
722         * dfg/DFGSpeculativeJIT.h:
723         * dfg/DFGSpeculativeJIT32_64.cpp:
724         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
725         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
726         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
727         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
728         (JSC::DFG::SpeculativeJIT::compile):
729         * dfg/DFGSpeculativeJIT64.cpp:
730         (JSC::DFG::SpeculativeJIT::compile):
731         * jit/AssemblyHelpers.cpp:
732         (JSC::AssemblyHelpers::branchIfNotType):
733         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
734         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
735         * jit/AssemblyHelpers.h:
736         (JSC::AssemblyHelpers::branchIfMisc):
737         (JSC::AssemblyHelpers::branchIfNotMisc):
738         (JSC::AssemblyHelpers::branchIfNumber):
739         (JSC::AssemblyHelpers::branchIfNotNumber):
740         (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
741         (JSC::AssemblyHelpers::emitTypeOf):
742         * jit/JITAddGenerator.cpp:
743         (JSC::JITAddGenerator::generateFastPath):
744         * jit/JITArithmetic32_64.cpp:
745         (JSC::JIT::emitBinaryDoubleOp):
746         * jit/JITDivGenerator.cpp:
747         (JSC::JITDivGenerator::loadOperand):
748         * jit/JITMulGenerator.cpp:
749         (JSC::JITMulGenerator::generateInline):
750         (JSC::JITMulGenerator::generateFastPath):
751         * jit/JITNegGenerator.cpp:
752         (JSC::JITNegGenerator::generateInline):
753         (JSC::JITNegGenerator::generateFastPath):
754         * jit/JITOpcodes32_64.cpp:
755         (JSC::JIT::emit_op_is_number):
756         (JSC::JIT::emit_op_jeq_null):
757         (JSC::JIT::emit_op_jneq_null):
758         (JSC::JIT::emit_op_to_number):
759         (JSC::JIT::emit_op_profile_type):
760         * jit/JITRightShiftGenerator.cpp:
761         (JSC::JITRightShiftGenerator::generateFastPath):
762         * jit/JITSubGenerator.cpp:
763         (JSC::JITSubGenerator::generateInline):
764         (JSC::JITSubGenerator::generateFastPath):
765         * llint/LLIntData.cpp:
766         (JSC::LLInt::Data::performAssertions):
767         * llint/LowLevelInterpreter.asm:
768         * llint/LowLevelInterpreter32_64.asm:
769         * runtime/JSCJSValue.h:
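
The tag ordering this entry describes, shown as an added, constructed C++ example. It is not JSC's code and the tag values below are not JSC's constants (the changeset was also rolled out again, see the r226434 revert earlier in this log); they only reproduce the three properties the entry relies on: Int32Tag is the lowest tag, every double's high word lies strictly below it, and `(UndefinedTag | 1) == NullTag`. The JSValue32_64 struct, its factory functions and the NaN canonicalisation in fromDouble are this example's own; the canonicalisation is included because the single-compare number check is only sound if no double can carry a high word that collides with a tag (otherwise a crafted NaN payload would be read back as a cell pointer, which is a type confusion).

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Constructed tag layout (hypothetical, not JSC's real constants). Int32Tag
// is deliberately the lowest tag so that "is a number" is one unsigned
// compare against LowestTag with no scratch register, as the entry describes.
enum Tag : uint32_t {
    CellTag         = 0xffffffff,
    BooleanTag      = 0xfffffffe,
    NullTag         = 0xfffffffd,
    UndefinedTag    = 0xfffffffc,   // (UndefinedTag | 1) == NullTag
    EmptyValueTag   = 0xfffffffb,
    DeletedValueTag = 0xfffffffa,
    Int32Tag        = 0xfffffff9,
    LowestTag       = Int32Tag,
};

// A 32_64-style value: a {tag, payload} pair. A double occupies both words,
// so its high word plays the role of the tag.
struct JSValue32_64 {
    uint32_t tag;
    uint32_t payload;

    static JSValue32_64 fromInt32(int32_t i) { return { static_cast<uint32_t>(Int32Tag), static_cast<uint32_t>(i) }; }
    static JSValue32_64 fromDouble(double d);
    static JSValue32_64 fromRawDoubleBits(uint64_t bits) { double d; memcpy(&d, &bits, sizeof d); return fromDouble(d); }
    static JSValue32_64 null() { return { static_cast<uint32_t>(NullTag), 0 }; }
    static JSValue32_64 undefined() { return { static_cast<uint32_t>(UndefinedTag), 0 }; }
    static JSValue32_64 boolean(bool b) { return { static_cast<uint32_t>(BooleanTag), b ? 1u : 0u }; }
    static JSValue32_64 cell(uint32_t ptr) { return { static_cast<uint32_t>(CellTag), ptr }; }

    bool isInt32() const { return tag == Int32Tag; }
    bool isCell() const { return tag == CellTag; }
    // Doubles are every bit pattern whose high word is below the lowest tag.
    bool isDouble() const { return tag < LowestTag; }
    // The check the entry is about: int32 or double, one compare, no scratch.
    bool isNumber() const { return tag <= LowestTag; }
    // Null and undefined differ only in bit 0 of the tag.
    bool isNullOrUndefined() const { return (tag | 1) == NullTag; }

    double asDouble() const {
        uint64_t bits = (static_cast<uint64_t>(tag) << 32) | payload;
        double d;
        memcpy(&d, &bits, sizeof d);
        return d;
    }
};

// Any double whose high word would be >= LowestTag is necessarily a NaN with
// the sign bit set and a particular payload. Canonicalising it keeps the
// tag space disjoint from the double space, which is what makes isNumber()
// and isCell() above trustworthy.
JSValue32_64 JSValue32_64::fromDouble(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    uint32_t high = static_cast<uint32_t>(bits >> 32);
    if (high >= LowestTag) {
        bits = 0x7ff8000000000000ull;   // canonical quiet NaN (assumed encoding)
        high = static_cast<uint32_t>(bits >> 32);
    }
    return { high, static_cast<uint32_t>(bits) };
}

int main()
{
    // A NaN whose raw high word equals CellTag must not come back as a cell.
    JSValue32_64 v = JSValue32_64::fromRawDoubleBits(0xffffffff00001000ull);
    return (v.isDouble() && !v.isCell() && std::isnan(v.asDouble())) ? 0 : 1;
}
```

The interesting case is the last one in main: without the canonicalisation, a NaN whose high word happens to equal CellTag would satisfy isCell(), and the payload would be treated as a pointer.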
770
771 2018-01-04  JF Bastien  <jfbastien@apple.com>
772
773         Add assembler support for x86 lfence and sfence
774         https://bugs.webkit.org/show_bug.cgi?id=181311
775         <rdar://problem/36301780>
776
777         Reviewed by Michael Saboff.
778
779         Useful for testing performance of serializing instructions (hint:
780         it's not good).
781
782         * assembler/MacroAssemblerX86Common.h:
783         (JSC::MacroAssemblerX86Common::lfence):
784         (JSC::MacroAssemblerX86Common::sfence):
785         * assembler/X86Assembler.h:
786         (JSC::X86Assembler::lfence):
787         (JSC::X86Assembler::sfence):
788
789 2018-01-04  Saam Barati  <sbarati@apple.com>
790
791         Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
792         https://bugs.webkit.org/show_bug.cgi?id=181296
793
794         Reviewed by Filip Pizlo.
795
796         Inside Speedometer's Ember test, there is a recompile loop like:
797         a: GetByVal(..., semanticOriginX)
798         b: SetLocal(Cell:@a, semanticOriginX)
799         
800         where the cell check always fails. For reasons I didn't investigate, the
801         baseline JIT's value profiling doesn't accurately capture the GetByVal's
802         result.
803         
804         However, when compiling this cell speculation check in the DFG, we get a null
805         MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
806         this IR pattern because both @a and @b have the same semantic origin. We
807         should not follow the same semantic origin heuristic when dealing with
808         SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
809         For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
810         For this IR pattern, we will update the value profile for the semantic origin
811         for @nodeWithHeapPrediction. So, for the Speedometer example above, we
812         will correctly update the GetByVal's value profile, which will prevent
813         an OSR exit loop.
814
815         * dfg/DFGGraph.cpp:
816         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
817
818 2018-01-04  Keith Miller  <keith_miller@apple.com>
819
820         Array Storage operations sometimes did not update the indexing mask correctly.
821         https://bugs.webkit.org/show_bug.cgi?id=181301
822
823         Reviewed by Mark Lam.
824
825         I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
826
827         * runtime/JSArray.cpp:
828         (JSC::JSArray::shiftCountWithArrayStorage):
829         * runtime/JSObject.cpp:
830         (JSC::JSObject::increaseVectorLength):
831
832 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
833
834         [DFG] Define defs for MapSet/SetAdd to participate in CSE
835         https://bugs.webkit.org/show_bug.cgi?id=179911
836
837         Reviewed by Saam Barati.
838
839         With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
840         To handle the somewhat tricky DFG Map operation nodes, MapSet and SetAdd
841         produce the added bucket as their result. A subsequent GetMapBucket will
842         be removed by CSE.
843
844         * dfg/DFGAbstractInterpreterInlines.h:
845         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
846         * dfg/DFGClobberize.h:
847         (JSC::DFG::clobberize):
848         * dfg/DFGNodeType.h:
849         * dfg/DFGOperations.cpp:
850         * dfg/DFGOperations.h:
851         * dfg/DFGPredictionPropagationPhase.cpp:
852         * dfg/DFGSpeculativeJIT.cpp:
853         (JSC::DFG::SpeculativeJIT::compileSetAdd):
854         (JSC::DFG::SpeculativeJIT::compileMapSet):
855         * dfg/DFGSpeculativeJIT.h:
856         (JSC::DFG::SpeculativeJIT::callOperation):
857         * ftl/FTLLowerDFGToB3.cpp:
858         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
859         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
860         * jit/JITOperations.h:
861         * runtime/HashMapImpl.h:
862         (JSC::HashMapImpl::addNormalized):
863         (JSC::HashMapImpl::addNormalizedInternal):
864
865 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
866
867         [JSC] Remove LocalScope
868         https://bugs.webkit.org/show_bug.cgi?id=181206
869
870         Reviewed by Geoffrey Garen.
871
872         The last user of HandleStack and LocalScope is JSON, but MarkedArgumentBuffer is enough for its use.
873         This patch changes JSON parsing and stringifying to use MarkedArgumentBuffer, and removes HandleStack
874         and LocalScope.
875
876         We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack, so that they can hold
877         JSObject* directly in their fields.
878
879         * JavaScriptCore.xcodeproj/project.pbxproj:
880         * Sources.txt:
881         * heap/HandleStack.cpp: Removed.
882         * heap/HandleStack.h: Removed.
883         * heap/Heap.cpp:
884         (JSC::Heap::addCoreConstraints):
885         * heap/Heap.h:
886         (JSC::Heap::handleSet):
887         (JSC::Heap::handleStack): Deleted.
888         * heap/Local.h: Removed.
889         * heap/LocalScope.h: Removed.
890         * runtime/JSONObject.cpp:
891         (JSC::Stringifier::Holder::object const):
892         (JSC::gap):
893         (JSC::Stringifier::Stringifier):
894         (JSC::Stringifier::stringify):
895         (JSC::Stringifier::appendStringifiedValue):
896         (JSC::Stringifier::Holder::Holder):
897         (JSC::Stringifier::Holder::appendNextProperty):
898         (JSC::Walker::Walker):
899         (JSC::Walker::callReviver):
900         (JSC::Walker::walk):
901         (JSC::JSONProtoFuncParse):
902         (JSC::JSONProtoFuncStringify):
903         (JSC::JSONParse):
904         (JSC::JSONStringify):
905
906 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
907
908         [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
909         https://bugs.webkit.org/show_bug.cgi?id=180238
910
911         Reviewed by Saam Barati.
912
913         We can optimize ObjectAllocationSinking a bit by using removeIf.
914
915         * dfg/DFGObjectAllocationSinkingPhase.cpp:
916
917 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
918
919         [JSC] Create parallel SlotVisitors apriori
920         https://bugs.webkit.org/show_bug.cgi?id=180907
921
922         Reviewed by Saam Barati.
923
924         The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
925         If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
926         Then we do not need to grab locks while iterating over all the SlotVisitors.
927
928         In addition, we do not need to consider the case where the number of SlotVisitors increases
929         after setting up VisitCounters in MarkingConstraintSolver, since the number of SlotVisitors
930         no longer increases.
931
932         * heap/Heap.cpp:
933         (JSC::Heap::Heap):
934         (JSC::Heap::runBeginPhase):
935         * heap/Heap.h:
936         * heap/HeapInlines.h:
937         (JSC::Heap::forEachSlotVisitor):
938         (JSC::Heap::numberOfSlotVisitors): Deleted.
939         * heap/MarkingConstraintSolver.cpp:
940         (JSC::MarkingConstraintSolver::didVisitSomething const):
941
942 2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>
943
944         Replace hard-coded paths in shebangs with #!/usr/bin/env
945         https://bugs.webkit.org/show_bug.cgi?id=181040
946
947         Reviewed by Alex Christensen.
948
949         * Scripts/UpdateContents.py:
950         * Scripts/cssmin.py:
951         * Scripts/generate-combined-inspector-json.py:
952         * Scripts/xxd.pl:
953         * create_hash_table:
954         * generate-bytecode-files:
955         * wasm/generateWasm.py:
956         * wasm/generateWasmOpsHeader.py:
957         * yarr/generateYarrCanonicalizeUnicode:
958
959 2018-01-03  Michael Saboff  <msaboff@apple.com>
960
961         Disable SharedArrayBuffers from Web API
962         https://bugs.webkit.org/show_bug.cgi?id=181266
963
964         Reviewed by Saam Barati.
965
966         Removed the SharedArrayBuffer prototype and structure from GlobalObject creation
967         to disable it.
968
969         * runtime/JSGlobalObject.cpp:
970         (JSC::JSGlobalObject::init):
971         (JSC::JSGlobalObject::visitChildren):
972         * runtime/JSGlobalObject.h:
973         (JSC::JSGlobalObject::arrayBufferPrototype const):
974         (JSC::JSGlobalObject::arrayBufferStructure const):
975
976 2018-01-03  Michael Saboff  <msaboff@apple.com>
977
978         Add "noInline" to $vm
979         https://bugs.webkit.org/show_bug.cgi?id=181265
980
981         Reviewed by Mark Lam.
982
983         This would be useful for web-based tests.
984
985         * tools/JSDollarVM.cpp:
986         (JSC::getExecutableForFunction):
987         (JSC::functionNoInline):
988         (JSC::JSDollarVM::finishCreation):
989
990 2018-01-03  Michael Saboff  <msaboff@apple.com>
991
992         Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
993         https://bugs.webkit.org/show_bug.cgi?id=181263
994
995         Reviewed by Mark Lam.
996
997         Flushing the butterfly pointer provides no benefit and slows this function.
998
999         * tools/JSDollarVM.cpp:
1000         (JSC::functionCpuClflush):
1001
1002 2018-01-03  Saam Barati  <sbarati@apple.com>
1003
1004         Fix BytecodeParser op_catch assert to work with useProfiler=1
1005         https://bugs.webkit.org/show_bug.cgi?id=181260
1006
1007         Reviewed by Keith Miller.
1008
1009         op_catch was asserting that the current block was empty. This is only true
1010         if the profiler isn't enabled. When the profiler is enabled, we will
1011         insert a CountExecution node before each bytecode. This patch fixes the
1012         assert to work with the profiler.
1013
1014         * dfg/DFGByteCodeParser.cpp:
1015         (JSC::DFG::ByteCodeParser::parseBlock):
1016
1017 2018-01-03  Per Arne Vollan  <pvollan@apple.com>
1018
1019         [Win][Debug] testapi link error.
1020         https://bugs.webkit.org/show_bug.cgi?id=181247
1021         <rdar://problem/36166729>
1022
1023         Reviewed by Brent Fulgham.
1024
1025         Do not set the runtime library compile flag for C files, it is already set to the correct value.
1026  
1027         * shell/PlatformWin.cmake:
1028
1029 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1030
1031         Inlining of a function that ends in op_unreachable crashes
1032         https://bugs.webkit.org/show_bug.cgi?id=181027
1033
1034         Reviewed by Filip Pizlo.
1035
1036         * dfg/DFGByteCodeParser.cpp:
1037         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
1038         (JSC::DFG::ByteCodeParser::inlineCall):
1039
1040 2018-01-02  Saam Barati  <sbarati@apple.com>
1041
1042         Incorrect assertion inside AccessCase
1043         https://bugs.webkit.org/show_bug.cgi?id=181200
1044         <rdar://problem/35494754>
1045
1046         Reviewed by Yusuke Suzuki.
1047
1048         Consider a PutById compiled to a setter in a function like so:
1049         
1050         ```
1051         function foo(o) { o.f = o; }
1052         ```
1053         
1054         The DFG will often assign the same registers to the baseGPR (o in o.f) and the
1055         valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
1056         to the same register. However, we're asserting that they're not the same register.
1057         This patch just removes this invalid assertion.
1058
1059         * bytecode/AccessCase.cpp:
1060         (JSC::AccessCase::generateImpl):
1061
1062 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1063
1064         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1065         https://bugs.webkit.org/show_bug.cgi?id=175359
1066
1067         Reviewed by Yusuke Suzuki.
1068
1069         This patch implements BigIntConstructor and BigIntPrototype
1070         following the spec [1, 2]. In addition, we also implement the BigIntObject
1071         wrapper to handle the ToObject(v) abstract operation when "v" is a BigInt
1072         primitive. With these classes, it is now possible to synthesize
1073         BigInt.prototype and then call "toString", "valueOf" and
1074         "toLocaleString" when the primitive is a BigInt.
1075         BigIntConstructor exposes an API to parse other primitives such as
1076         Number, Boolean and String to BigInt.
1077         We decided to skip the parseInt implementation, since it was removed from
1078         the spec.
1079
1080         [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
1081         [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object 
1082
1083         * CMakeLists.txt:
1084         * DerivedSources.make:
1085         * JavaScriptCore.xcodeproj/project.pbxproj:
1086         * Sources.txt:
1087         * jsc.cpp:
1088         * runtime/BigIntConstructor.cpp: Added.
1089         (JSC::BigIntConstructor::BigIntConstructor):
1090         (JSC::BigIntConstructor::finishCreation):
1091         (JSC::isSafeInteger):
1092         (JSC::toBigInt):
1093         (JSC::callBigIntConstructor):
1094         (JSC::bigIntConstructorFuncAsUintN):
1095         (JSC::bigIntConstructorFuncAsIntN):
1096         * runtime/BigIntConstructor.h: Added.
1097         (JSC::BigIntConstructor::create):
1098         (JSC::BigIntConstructor::createStructure):
1099         * runtime/BigIntObject.cpp: Added.
1100         (JSC::BigIntObject::BigIntObject):
1101         (JSC::BigIntObject::finishCreation):
1102         (JSC::BigIntObject::toStringName):
1103         (JSC::BigIntObject::defaultValue):
1104         * runtime/BigIntObject.h: Added.
1105         (JSC::BigIntObject::create):
1106         (JSC::BigIntObject::internalValue const):
1107         (JSC::BigIntObject::createStructure):
1108         * runtime/BigIntPrototype.cpp: Added.
1109         (JSC::BigIntPrototype::BigIntPrototype):
1110         (JSC::BigIntPrototype::finishCreation):
1111         (JSC::toThisBigIntValue):
1112         (JSC::bigIntProtoFuncToString):
1113         (JSC::bigIntProtoFuncToLocaleString):
1114         (JSC::bigIntProtoFuncValueOf):
1115         * runtime/BigIntPrototype.h: Added.
1116         (JSC::BigIntPrototype::create):
1117         (JSC::BigIntPrototype::createStructure):
1118         * runtime/IntlCollator.cpp:
1119         (JSC::IntlCollator::initializeCollator):
1120         * runtime/IntlNumberFormat.cpp:
1121         (JSC::IntlNumberFormat::initializeNumberFormat):
1122         * runtime/JSBigInt.cpp:
1123         (JSC::JSBigInt::createFrom):
1124         (JSC::JSBigInt::parseInt):
1125         (JSC::JSBigInt::toObject const):
1126         * runtime/JSBigInt.h:
1127         * runtime/JSCJSValue.cpp:
1128         (JSC::JSValue::synthesizePrototype const):
1129         * runtime/JSCPoisonedPtr.cpp:
1130         * runtime/JSCell.cpp:
1131         (JSC::JSCell::toObjectSlow const):
1132         * runtime/JSGlobalObject.cpp:
1133         (JSC::JSGlobalObject::init):
1134         (JSC::JSGlobalObject::visitChildren):
1135         * runtime/JSGlobalObject.h:
1136         (JSC::JSGlobalObject::bigIntPrototype const):
1137         (JSC::JSGlobalObject::bigIntObjectStructure const):
1138         * runtime/StructureCache.h:
1139         * runtime/StructureInlines.h:
1140         (JSC::prototypeForLookupPrimitiveImpl):
1141
1142 2018-01-02  Tim Horton  <timothy_horton@apple.com>
1143
1144         Fix the MathCommon build with a recent compiler
1145         https://bugs.webkit.org/show_bug.cgi?id=181216
1146
1147         Reviewed by Sam Weinig.
1148
1149         * runtime/MathCommon.cpp:
1150         (JSC::fdlibmPow):
1151         This cast drops the 'const' qualifier from the pointer to 'one',
1152         but it doesn't have to, and it makes the compiler sad.
1153
1154 == Rolled over to ChangeLog-2018-01-01 ==