be14673d54114bc8398703a7135032d1b17caf3f
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        LICM shouldn't hoist nodes if hoisted nodes exited in that code block
        https://bugs.webkit.org/show_bug.cgi?id=185126

        Reviewed by Saam Barati.

        This change is just restoring functionality that we've already had for a while. It had been
        accidentally broken due to an unrelated CodeBlock refactoring.

        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):

2018-04-30  Mark Lam  <mark.lam@apple.com>

        Apply PtrTags to the MetaAllocator and friends.
        https://bugs.webkit.org/show_bug.cgi?id=185110
        <rdar://problem/39533895>

        Reviewed by Saam Barati.

        1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
        2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
           and add a sanity check to verify that allocated code buffers are within those
           bounds.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::debugAddress):
        (JSC::LinkBuffer::code):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::findPC):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        (JSC::isJITPC):
        (JSC::performJITMemcpy):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * runtime/JSCPtrTag.h:
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move the MayBePrototype JSCell header bit to InlineTypeFlags
        https://bugs.webkit.org/show_bug.cgi?id=185143

        Reviewed by Mark Lam.

        * runtime/IndexingType.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        (JSC::JSCell::mayBePrototype const):
        (JSC::JSCell::didBecomePrototype):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::mayBePrototype):
        (JSC::TypeInfo::mergeInlineTypeFlags):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Remove unneeded exception check from String.fromCharCode
        https://bugs.webkit.org/show_bug.cgi?id=185083

        Reviewed by Mark Lam.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move StructureIsImmortal to out of line flags.
        https://bugs.webkit.org/show_bug.cgi?id=185101

        Reviewed by Saam Barati.

        This will free up a bit in the inline flags where we can move the
        isPrototype bit to. This will, in turn, free a bit for use in
        implementing copy on write butterflies.

        Also, this patch removes an assertion from Structure::typeInfo()
        that inadvertently makes the function invalid to call while
        cleaning up the vm.

        * heap/HeapCellType.cpp:
        (JSC::DefaultDestroyFunc::operator() const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::callDestructor): Deleted.
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasStaticPropertyTable):
        (JSC::TypeInfo::structureIsImmortal const):
        * runtime/Structure.h:

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove arity fixup check if the number of parameters is 1
        https://bugs.webkit.org/show_bug.cgi?id=183984

        Reviewed by Mark Lam.

        If the number of parameters is one (|this|), we never hit the arity fixup check.
        We do not need to emit arity fixup check code.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use WordLock instead of std::mutex for Threading
        https://bugs.webkit.org/show_bug.cgi?id=185121

        Reviewed by Geoffrey Garen.

        ThreadGroup starts using WordLock.

        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::getLock):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        B3 should run tail duplication at the bitter end
        https://bugs.webkit.org/show_bug.cgi?id=185123

        Reviewed by Geoffrey Garen.

        Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
        everywhere else.

        The goal of this change is to allow us to run path specialization after switch lowering but
        before tail duplication.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * runtime/Options.h:

2018-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231137.
        https://bugs.webkit.org/show_bug.cgi?id=185118

        It is breaking Test262 language/expressions/multiplication
        /order-of-evaluation.js (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231137

2018-04-28  Saam Barati  <sbarati@apple.com>

        We don't model regexp effects properly
        https://bugs.webkit.org/show_bug.cgi?id=185059
        <rdar://problem/39736150>

        Reviewed by Filip Pizlo.

        RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
        the regexp is global.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

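The hazard the entry above fixes, shown from the JavaScript side as an added example (this is not JSC code and is not part of the ChangeLog): on a global regexp, `exec` and `test` convert `lastIndex` with ToLength before matching, so a `valueOf` hook installed on `lastIndex` runs arbitrary user code, including writes to unrelated heap objects, in the middle of a call that a compiler might otherwise model as side-effect free. The `target` object, the poisoned `lastIndex` and the input strings are constructed for the demonstration; nothing here reflects JSC internals.

```javascript
// Added example, not JSC code: a global RegExp's exec/test run user code while
// converting lastIndex, so the call is not side-effect free.

// Returns what exec observed and what the lastIndex conversion did to the heap.
function regExpExecEffects() {
  const log = [];
  const target = { x: 1 };          // constructed: unrelated object the hook mutates
  const re = /b/g;                  // global, so lastIndex is read and converted
  re.lastIndex = {
    valueOf() {                     // invoked by ToLength(Get(re, "lastIndex"))
      log.push('valueOf');
      target.x = 2;                 // arbitrary heap write during exec
      return 0;                     // start matching at offset 0
    },
  };
  const m = re.exec('abc');
  return {
    log,
    x: target.x,                    // 2: the write happened inside exec
    index: m ? m.index : -1,        // 1: match position of 'b'
    lastIndexAfter: re.lastIndex,   // 2: the spec sets lastIndex to the match end
  };
}

// What an engine that wrongly models test() as pure would get wrong: it could
// reuse `before` for the second read, but the conversion may have changed obj.x.
function reloadAfterTest(obj, re, input) {
  const before = obj.x;
  re.test(input);
  const after = obj.x;              // must be reloaded after the call
  return { before, after };
}

function reloadDemo() {
  const obj = { x: 'unchanged' };   // constructed input
  const re = /c/g;
  re.lastIndex = { valueOf() { obj.x = 'changed by lastIndex'; return 0; } };
  return reloadAfterTest(obj, re, 'abc');
}
```

The same hook fires for `test`, since it goes through the same exec path; the only way for an optimizing compiler to stay sound is to treat these calls on a global (or sticky) regexp as clobbering arbitrary state, which is what an abstract interpreter and clobberize rule have to express.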
2018-04-28  Rick Waldron  <waldron.rick@gmail.com>

        Token misspelled "tocken" in error message string
        https://bugs.webkit.org/show_bug.cgi?id=185030

        Reviewed by Saam Barati.

        * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
        (JSC::Parser<LexerType>::parseObjectRestElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseBreakStatement):
        (JSC::Parser<LexerType>::parseContinueStatement):
        (JSC::Parser<LexerType>::parseThrowStatement):
        (JSC::Parser<LexerType>::parseWithStatement):
        (JSC::Parser<LexerType>::parseSwitchStatement):
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseTryStatement):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseExpressionStatement):
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseConditionalExpression):
        (JSC::Parser<LexerType>::parseBinaryExpression):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseArrayLiteral):
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::operatorString):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):

2018-04-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231131.
        https://bugs.webkit.org/show_bug.cgi?id=185112

        It is breaking Debug build due to unchecked exception
        (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231131

2018-04-27  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-27  JF Bastien  <jfbastien@apple.com>

        Make the first 64 bits of JSString look like a double JSValue
        https://bugs.webkit.org/show_bug.cgi?id=185081

        Reviewed by Filip Pizlo.

        We can be clever about how we lay out JSString so that, were it
        reinterpreted as a JSValue, it would look like a double.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and16):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andw_mr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        * runtime/JSString.h:
        (JSC::JSString::JSString):

2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
        https://bugs.webkit.org/show_bug.cgi?id=185055

        Reviewed by JF Bastien.

        This patch is paving the way to emitting the jscvt instruction if possible.
        To do that, we need to determine whether the jscvt instruction is supported by the
        given CPU.

        We add a function collectCPUFeatures, which is responsible for collecting
        CPU features if necessary. On Linux, we can use the auxiliary vector to get
        the information without parsing /proc/cpuinfo.

        Currently, nobody calls this function. It will be called later when we emit the
        jscvt instruction. To make that possible, we also need to add disassembler
        support.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerX86Common.h:

2018-04-26  Filip Pizlo  <fpizlo@apple.com>

        Also run foldPathConstants before mussing up SSA
        https://bugs.webkit.org/show_bug.cgi?id=185069

        Reviewed by Saam Barati.

        This isn't needed now, but will be once I implement the phase in bug 185060.

        This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
        Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
        be landed separately and measured separately from that phase.

        It's probably nice for sanity to have this and reduceStrength run before tail duplication and
        another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
        it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
        neutral. It all depends on what programs typically look like.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):

2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231086.

        Caused JSC test failures due to an unchecked exception.

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231086

2018-04-26  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Speculative build fix for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Not reviewed.

        * runtime/JSCPtrTag.h:

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Windows build fix.

        Not reviewed.

        * runtime/Options.cpp:

2018-04-26  Jer Noble  <jer.noble@apple.com>

        WK_COCOA_TOUCH all the things.
        https://bugs.webkit.org/show_bug.cgi?id=185006
        <rdar://problem/39736025>

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:

2018-04-26  Per Arne Vollan  <pvollan@apple.com>

        Disable content filtering in minimal simulator mode
        https://bugs.webkit.org/show_bug.cgi?id=185027
        <rdar://problem/39736091>

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Intl.PluralRules
        https://bugs.webkit.org/show_bug.cgi?id=184312

        Reviewed by JF Bastien.

        Use UNumberFormat to enforce formatting, and then UPluralRules to find
        the correct plural rule for the given number. Relies on ICU v59+ for
        resolvedOptions().pluralCategories and trailing 0 detection.
        Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.h:
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
        * runtime/BigIntObject.h:
        * runtime/CommonIdentifiers.h:
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp: Added.
        (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
        (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
        (JSC::UEnumerationDeleter::operator() const):
        (JSC::IntlPluralRules::create):
        (JSC::IntlPluralRules::createStructure):
        (JSC::IntlPluralRules::IntlPluralRules):
        (JSC::IntlPluralRules::finishCreation):
        (JSC::IntlPluralRules::destroy):
        (JSC::IntlPluralRules::visitChildren):
        (JSC::IntlPRInternal::localeData):
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h: Added.
        * runtime/IntlPluralRulesConstructor.cpp: Added.
        (JSC::IntlPluralRulesConstructor::create):
        (JSC::IntlPluralRulesConstructor::createStructure):
        (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
        (JSC::IntlPluralRulesConstructor::finishCreation):
        (JSC::constructIntlPluralRules):
        (JSC::callIntlPluralRules):
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        (JSC::IntlPluralRulesConstructor::visitChildren):
        * runtime/IntlPluralRulesConstructor.h: Added.
        * runtime/IntlPluralRulesPrototype.cpp: Added.
        (JSC::IntlPluralRulesPrototype::create):
        (JSC::IntlPluralRulesPrototype::createStructure):
        (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
        (JSC::IntlPluralRulesPrototype::finishCreation):
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/IntlPluralRulesPrototype.h: Added.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/RegExpPrototype.cpp: Added inlines header.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

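An added usage example of the API the entry above lands (example code, not part of the patch or of the ChangeLog): `select()` for cardinal and ordinal categories, `resolvedOptions().pluralCategories`, and the trailing-zero behaviour the entry attributes to ICU 59+, where formatting 1 with a minimum of one fraction digit yields "1.0", which English classifies as `other` rather than `one`. The locale `en`, the suffix table and the message forms are assumptions of the example; it needs an engine whose ICU data includes English.

```javascript
// Added example, not JSC code: exercising Intl.PluralRules as described above.

// English ordinal suffixes keyed by plural category (assumed mapping for 'en').
const EN_ORDINAL_SUFFIX = { one: 'st', two: 'nd', few: 'rd', other: 'th' };

// 1 -> "1st", 22 -> "22nd", 113 -> "113th": the locale rules carry the n%100 exceptions.
function ordinalSuffix(n, locale = 'en') {
  const rules = new Intl.PluralRules(locale, { type: 'ordinal' });
  return `${n}${EN_ORDINAL_SUFFIX[rules.select(n)]}`;
}

// Cardinal category of n after it is formatted with the given digit options.
// { minimumFractionDigits: 1 } keeps the trailing zero, so 1 is classified as
// "1.0", which English puts in 'other' (the trailing-0 detection the entry mentions).
function cardinalCategory(n, options = {}, locale = 'en') {
  return new Intl.PluralRules(locale, options).select(n);
}

// Categories the locale actually uses, from resolvedOptions().
function pluralCategories(locale = 'en', type = 'cardinal') {
  return new Intl.PluralRules(locale, { type }).resolvedOptions().pluralCategories;
}

// Pick a message form by category rather than by `count === 1`, which is wrong
// for most locales; the forms are constructed English strings.
function itemsMessage(count) {
  const forms = { one: 'item', other: 'items' };
  return `${count} ${forms[cardinalCategory(count)] || forms.other}`;
}
```

The reason formatting happens before the rule lookup, as the entry describes, is visible in `cardinalCategory(1, { minimumFractionDigits: 1 })`: the category depends on the digits the user will see, not on the raw number.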
2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Fix branch offsets in branchNeg32
        https://bugs.webkit.org/show_bug.cgi?id=185025

        Reviewed by Yusuke Suzuki.

        Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchNeg32):

2018-04-25  Robin Morisset  <rmorisset@apple.com>

        In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
        https://bugs.webkit.org/show_bug.cgi?id=184773
        <rdar://problem/37773612>

        Reviewed by Filip Pizlo.

        We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
        arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
        This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
        We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
        This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):

2018-04-25  Mark Lam  <mark.lam@apple.com>

        Push the definition of PtrTag down to the WTF layer.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerCodeRef.cpp:
        * assembler/MacroAssemblerCodeRef.h:
        * b3/B3MathExtras.cpp:
        * bytecode/LLIntCallLinkInfo.h:
        * disassembler/Disassembler.h:
        * ftl/FTLJITCode.cpp:
        * interpreter/InterpreterInlines.h:
        * jit/ExecutableAllocator.h:
        * jit/JITOperations.cpp:
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntPCRanges.h:
        * runtime/JSCPtrTag.h: Added.
        * runtime/NativeFunction.h:
        * runtime/PtrTag.h: Removed.
        * runtime/VMTraps.cpp:

2018-04-25  Keith Miller  <keith_miller@apple.com>

        getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
        https://bugs.webkit.org/show_bug.cgi?id=184998

        Reviewed by Saam Barati.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-04-25  Keith Miller  <keith_miller@apple.com>

        Add missing scope release to functionProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=184995

        Reviewed by Saam Barati.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
        https://bugs.webkit.org/show_bug.cgi?id=184730

        Reviewed by Mark Lam.

        Add a swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (a temporary register in MacroAssemblerARM).
        We now use dataTempRegister, addressTempRegister, and fpTempRegister instead of S0, S1, and SD0.

        We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with
        the ARMv7 implementation.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (JSC::MacroAssemblerARM::and32):
        (JSC::MacroAssemblerARM::lshift32):
        (JSC::MacroAssemblerARM::mul32):
        (JSC::MacroAssemblerARM::or32):
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::xor32):
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::abortWithReason):
        (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::push):
        (JSC::MacroAssemblerARM::swap):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branchPtr):
        (JSC::MacroAssemblerARM::branch32):
        (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARM::branchTest8):
        (JSC::MacroAssemblerARM::branchTest32):
        (JSC::MacroAssemblerARM::jump):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::mull32):
        (JSC::MacroAssemblerARM::branchMul32):
        (JSC::MacroAssemblerARM::patchableBranch32):
        (JSC::MacroAssemblerARM::nearCall):
        (JSC::MacroAssemblerARM::compare32):
        (JSC::MacroAssemblerARM::compare8):
        (JSC::MacroAssemblerARM::test32):
        (JSC::MacroAssemblerARM::test8):
        (JSC::MacroAssemblerARM::add64):
        (JSC::MacroAssemblerARM::load32):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::branch32WithPatch):
        (JSC::MacroAssemblerARM::storePtrWithPatch):
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        (JSC::MacroAssemblerARM::addDouble):
        (JSC::MacroAssemblerARM::divDouble):
        (JSC::MacroAssemblerARM::subDouble):
        (JSC::MacroAssemblerARM::mulDouble):
        (JSC::MacroAssemblerARM::convertInt32ToDouble):
        (JSC::MacroAssemblerARM::branchDouble):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToUint32):
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM::branchDoubleNonZero):
        (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARM::call32):
        (JSC::MacroAssemblerARM::internalCompare32):

2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>

        [WinCairo] Fix js/regexp-unicode.html crash.
        https://bugs.webkit.org/show_bug.cgi?id=184891

        Reviewed by Yusuke Suzuki.

        On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
        RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        Unconditionally save and restore RDI on 64-bit Windows.

2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>

        [GTK] Miscellaneous build cleanups
        https://bugs.webkit.org/show_bug.cgi?id=184399

        Reviewed by Žan Doberšek.

        * PlatformGTK.cmake:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        fromCharCode is missing some exception checks
        https://bugs.webkit.org/show_bug.cgi?id=184952

        Reviewed by Saam Barati.

        I also removed the pointless slow path function and moved it into the
        main function.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromCharCodeSlowCase): Deleted.

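Why the missing checks in the entry above matter, as an added example from the JavaScript side (not JSC code and not part of the ChangeLog): `String.fromCharCode` converts each argument with ToUint16, in argument order, and that conversion can call user code that throws. Once a conversion throws, no later argument may be converted and no string may be produced; an engine that did not check for the pending exception after each conversion would keep converting and building. The traced argument objects are constructed for the demonstration.

```javascript
// Added example, not JSC code: each argument to String.fromCharCode is converted
// with ToUint16, which can run user code and throw.

// Builds an argument whose conversion is logged and optionally throws.
function tracedArg(log, name, value, { throws = false } = {}) {
  return {
    valueOf() {
      log.push(name);
      if (throws) throw new RangeError('conversion of ' + name + ' failed');
      return value;
    },
  };
}

// All conversions succeed: the result is built from the converted units, in order.
function fromCharCodeSuccess() {
  const log = [];
  const s = String.fromCharCode(
    tracedArg(log, 'a', 0x41),
    tracedArg(log, 'b', 0x10042),   // ToUint16 keeps the low 16 bits: 0x42
    tracedArg(log, 'c', 0x43),
  );
  return { log, s };                // log: a, b, c; s: "ABC"
}

// The middle conversion throws: 'c' must never be converted, no string is
// produced, and the exception propagates to the caller.
function fromCharCodeThrows() {
  const log = [];
  let result = null;
  let error = null;
  try {
    result = String.fromCharCode(
      tracedArg(log, 'a', 0x41),
      tracedArg(log, 'b', 0x42, { throws: true }),
      tracedArg(log, 'c', 0x43),
    );
  } catch (e) {
    error = e;
  }
  return { log, result, error: error ? error.message : null };
}
```

The observable contract is the conversion log: `['a', 'b']` and nothing else when `b` throws. Any extra entry or a non-null `result` in that case would mean the builtin continued past a pending exception.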
2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
        https://bugs.webkit.org/show_bug.cgi?id=184923

        Reviewed by Saam Barati.

        If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
        (i.e. we know that the object has one of those structures), then previously we would still emit a
        switch with a case per structure along with a default case. That would mean one extra redundant
        branch to check that whatever structure we wound up with belongs to the set. In that case, we
        were already making the default case be an Oops.

        One possible solution would be to say that the default case being Oops means that B3 doesn't need
        to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
        be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
        seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
        trap.

        So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
        extra branch.

        This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
        it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
        read.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should know how to decay a MultiGetByOffset
        https://bugs.webkit.org/show_bug.cgi?id=159859

        Reviewed by Keith Miller.

        This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
        clobberize() can report a def() for MultiGetByOffset.
785         
786         This is a slight improvement to codegen in splay because splay is a heavy user of
787         MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
788         "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
789         removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
790         splay's time.
791
792         * dfg/DFGClobberize.h:
793         (JSC::DFG::clobberize):
794         * dfg/DFGNode.cpp:
795         (JSC::DFG::Node::remove):
796         (JSC::DFG::Node::removeWithoutChecks):
797         (JSC::DFG::Node::replaceWith):
798         (JSC::DFG::Node::replaceWithWithoutChecks):
799         * dfg/DFGNode.h:
800         (JSC::DFG::Node::convertToMultiGetByOffset):
801         (JSC::DFG::Node::replaceWith): Deleted.
802         * dfg/DFGNodeType.h:
803         * dfg/DFGObjectAllocationSinkingPhase.cpp:
804
805 2018-04-24  Keith Miller  <keith_miller@apple.com>
806
807         Update API docs with information on which run loop the VM will use
808         https://bugs.webkit.org/show_bug.cgi?id=184900
809         <rdar://problem/39166054>
810
811         Reviewed by Mark Lam.
812
813         * API/JSContextRef.h:
814         * API/JSVirtualMachine.h:
815
816 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
817
818         $vm.totalGCTime() should be a thing
819         https://bugs.webkit.org/show_bug.cgi?id=184916
820
821         Reviewed by Sam Weinig.
822         
823         When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
824         time spent in GC to determine if the regression is because the GC got slower.
825         
826         This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
827
828         * heap/Heap.cpp:
829         (JSC::Heap::runEndPhase):
830         * heap/Heap.h:
831         (JSC::Heap::totalGCTime const):
832         * tools/JSDollarVM.cpp:
833         (JSC::functionTotalGCTime):
834         (JSC::JSDollarVM::finishCreation):
835
836 2018-04-23  Zalan Bujtas  <zalan@apple.com>
837
838         [LayoutFormattingContext] Initial commit.
839         https://bugs.webkit.org/show_bug.cgi?id=184896
840
841         Reviewed by Antti Koivisto.
842
843         * Configurations/FeatureDefines.xcconfig:
844
845 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
846
847         Unreviewed, revert accidental change to verbose flag.
848
849         * dfg/DFGByteCodeParser.cpp:
850
851 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
852
853         Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
854
855         Rubber stamped by Saam Barati.
856         
857         This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
858         anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
859         Seems sensible to just roll it out.
860
861         * dfg/DFGByteCodeParser.cpp:
862         (JSC::DFG::ByteCodeParser::addToGraph):
863         (JSC::DFG::ByteCodeParser::parse):
864
865 2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
866
867         [JSC] Remove ModuleLoaderPrototype
868         https://bugs.webkit.org/show_bug.cgi?id=184784
869
870         Reviewed by Mark Lam.
871
872         When we introduced ModuleLoaderPrototype, ModuleLoader could be created by users and exposed to users.
873         However, the loader spec has been abandoned, so we do not need to have ModuleLoaderPrototype and JSModuleLoader.
874         This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
875
876         * CMakeLists.txt:
877         * DerivedSources.make:
878         * JavaScriptCore.xcodeproj/project.pbxproj:
879         * Sources.txt:
880         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
881         * runtime/JSGlobalObject.cpp:
882         (JSC::JSGlobalObject::init):
883         (JSC::JSGlobalObject::visitChildren):
884         * runtime/JSGlobalObject.h:
885         (JSC::JSGlobalObject::proxyRevokeStructure const):
886         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
887         * runtime/JSModuleLoader.cpp:
888         (JSC::moduleLoaderParseModule):
889         (JSC::moduleLoaderRequestedModules):
890         (JSC::moduleLoaderModuleDeclarationInstantiation):
891         (JSC::moduleLoaderResolve):
892         (JSC::moduleLoaderResolveSync):
893         (JSC::moduleLoaderFetch):
894         (JSC::moduleLoaderGetModuleNamespaceObject):
895         (JSC::moduleLoaderEvaluate):
896         * runtime/JSModuleLoader.h:
897         * runtime/ModuleLoaderPrototype.cpp: Removed.
898         * runtime/ModuleLoaderPrototype.h: Removed.
899
900 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
901
902         [GLIB] All API tests fail in debug builds
903         https://bugs.webkit.org/show_bug.cgi?id=184813
904
905         Reviewed by Mark Lam.
906
907         This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
908         JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.
909
910         * API/glib/JSCContext.cpp:
911         (JSCContextExceptionHandler::JSCContextExceptionHandler):
912         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
913         (jscContextConstructed):
914         (ExceptionHandler::ExceptionHandler): Deleted.
915         (ExceptionHandler::~ExceptionHandler): Deleted.
916
917 2018-04-20  Tim Horton  <timothy_horton@apple.com>
918
919         Adjust geolocation feature flag
920         https://bugs.webkit.org/show_bug.cgi?id=184856
921
922         Reviewed by Wenson Hsieh.
923
924         * Configurations/FeatureDefines.xcconfig:
925
926 2018-04-20  Brian Burg  <bburg@apple.com>
927
928         Web Inspector: remove some dead code in IdentifiersFactory
929         https://bugs.webkit.org/show_bug.cgi?id=184839
930
931         Reviewed by Timothy Hatcher.
932
933         This was never used on non-Chrome ports, so the identifier always has a
934         prefix of '0.'. We may change this in the future, but for now remove this.
935         Using a PID for this purpose is problematic anyway.
936
937         * inspector/IdentifiersFactory.cpp:
938         (Inspector::addPrefixToIdentifier):
939         (Inspector::IdentifiersFactory::createIdentifier):
940         (Inspector::IdentifiersFactory::requestId):
941         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
942         * inspector/IdentifiersFactory.h:
943
944 2018-04-20  Mark Lam  <mark.lam@apple.com>
945
946         Add the ability to use a hash for setting PtrTag enum values.
947         https://bugs.webkit.org/show_bug.cgi?id=184852
948         <rdar://problem/39613891>
949
950         Reviewed by Saam Barati.
951
952         * runtime/PtrTag.h:
953
954 2018-04-20  Mark Lam  <mark.lam@apple.com>
955
956         Some JSEntryPtrTags should actually be JSInternalPtrTags.
957         https://bugs.webkit.org/show_bug.cgi?id=184712
958         <rdar://problem/39507381>
959
960         Reviewed by Michael Saboff.
961
962         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
963         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
964            only when needed.
965
966         * bytecode/AccessCase.cpp:
967         (JSC::AccessCase::generateImpl):
968         * bytecode/ByValInfo.h:
969         (JSC::ByValInfo::ByValInfo):
970         * bytecode/CallLinkInfo.cpp:
971         (JSC::CallLinkInfo::callReturnLocation):
972         (JSC::CallLinkInfo::patchableJump):
973         (JSC::CallLinkInfo::hotPathBegin):
974         (JSC::CallLinkInfo::slowPathStart):
975         * bytecode/CallLinkInfo.h:
976         (JSC::CallLinkInfo::setCallLocations):
977         (JSC::CallLinkInfo::hotPathOther):
978         * bytecode/PolymorphicAccess.cpp:
979         (JSC::PolymorphicAccess::regenerate):
980         * bytecode/StructureStubInfo.h:
981         (JSC::StructureStubInfo::doneLocation):
982         * dfg/DFGJITCompiler.cpp:
983         (JSC::DFG::JITCompiler::link):
984         * dfg/DFGOSRExit.cpp:
985         (JSC::DFG::reifyInlinedCallFrames):
986         * ftl/FTLLazySlowPath.cpp:
987         (JSC::FTL::LazySlowPath::initialize):
988         * ftl/FTLLazySlowPath.h:
989         (JSC::FTL::LazySlowPath::done const):
990         * ftl/FTLLowerDFGToB3.cpp:
991         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
992         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
993         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
994         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
995         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
996         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
997         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
998         * jit/JIT.cpp:
999         (JSC::JIT::link):
1000         * jit/JITExceptions.cpp:
1001         (JSC::genericUnwind):
1002         * jit/JITMathIC.h:
1003         (JSC::isProfileEmpty):
1004         * llint/LLIntData.cpp:
1005         (JSC::LLInt::initialize):
1006         * llint/LLIntData.h:
1007         (JSC::LLInt::getCodePtr):
1008         (JSC::LLInt::getExecutableAddress): Deleted.
1009         * llint/LLIntExceptions.cpp:
1010         (JSC::LLInt::callToThrow):
1011         * llint/LLIntSlowPaths.cpp:
1012         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1013         * wasm/js/WasmToJS.cpp:
1014         (JSC::Wasm::wasmToJS):
1015
1016 2018-04-18  Jer Noble  <jer.noble@apple.com>
1017
1018         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
1019         https://bugs.webkit.org/show_bug.cgi?id=184762
1020
1021         Reviewed by Dan Bernstein.
1022
1023         * Configurations/Base.xcconfig:
1024         * JavaScriptCore.xcodeproj/project.pbxproj:
1025
1026 2018-04-20  Daniel Bates  <dabates@apple.com>
1027
1028         Remove code for compilers that did not support NSDMI for aggregates
1029         https://bugs.webkit.org/show_bug.cgi?id=184599
1030
1031         Reviewed by Per Arne Vollan.
1032
1033         Remove workaround for earlier Visual Studio versions that did not support non-static data
1034         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
1035         and EWS bots to a newer version that supports this feature.
1036
1037         * domjit/DOMJITEffect.h:
1038         (JSC::DOMJIT::Effect::Effect): Deleted.
1039         * runtime/HasOwnPropertyCache.h:
1040         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
1041         * wasm/WasmFormat.h:
1042         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
1043
1044 2018-04-20  Mark Lam  <mark.lam@apple.com>
1045
1046         Build fix for internal builds after r230826.
1047         https://bugs.webkit.org/show_bug.cgi?id=184790
1048         <rdar://problem/39301369>
1049
1050         Not reviewed.
1051
1052         * runtime/Options.cpp:
1053         (JSC::overrideDefaults):
1054         * tools/SigillCrashAnalyzer.cpp:
1055         (JSC::SignalContext::dump):
1056
1057 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
1058
1059         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
1060         https://bugs.webkit.org/show_bug.cgi?id=184254
1061         <rdar://problem/39140200>
1062
1063         Reviewed by Daniel Bates.
1064
1065         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
1066
1067         * runtime/ArrayBuffer.h:
1068         (JSC::ArrayBufferContents::ArrayBufferContents):
1069
1070 2018-04-19  Mark Lam  <mark.lam@apple.com>
1071
1072         Apply pointer profiling to Signal pointers.
1073         https://bugs.webkit.org/show_bug.cgi?id=184790
1074         <rdar://problem/39301369>
1075
1076         Reviewed by Michael Saboff.
1077
1078         1. Change stackPointer, framePointer, and instructionPointer accessors to
1079            be a pair of getter/setter functions.
1080         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
1081            pointer profiling variants of these accessors.
1082         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
1083
1084         * JavaScriptCorePrefix.h:
1085         * runtime/MachineContext.h:
1086         (JSC::MachineContext::stackPointerImpl):
1087         (JSC::MachineContext::stackPointer):
1088         (JSC::MachineContext::setStackPointer):
1089         (JSC::MachineContext::framePointerImpl):
1090         (JSC::MachineContext::framePointer):
1091         (JSC::MachineContext::setFramePointer):
1092         (JSC::MachineContext::instructionPointerImpl):
1093         (JSC::MachineContext::instructionPointer):
1094         (JSC::MachineContext::setInstructionPointer):
1095         (JSC::MachineContext::linkRegisterImpl):
1096         (JSC::MachineContext::linkRegister):
1097         (JSC::MachineContext::setLinkRegister):
1098         * runtime/SamplingProfiler.cpp:
1099         (JSC::SamplingProfiler::takeSample):
1100         * runtime/VMTraps.cpp:
1101         (JSC::SignalContext::SignalContext):
1102         (JSC::VMTraps::tryInstallTrapBreakpoints):
1103         * tools/CodeProfiling.cpp:
1104         (JSC::profilingTimer):
1105         * tools/SigillCrashAnalyzer.cpp:
1106         (JSC::SignalContext::dump):
1107         (JSC::installCrashHandler):
1108         (JSC::SigillCrashAnalyzer::analyze):
1109         * wasm/WasmFaultSignalHandler.cpp:
1110         (JSC::Wasm::trapHandler):
1111
1112 2018-04-19  David Kilzer  <ddkilzer@apple.com>
1113
1114         Enable Objective-C weak references
1115         <https://webkit.org/b/184789>
1116         <rdar://problem/39571716>
1117
1118         Reviewed by Dan Bernstein.
1119
1120         * Configurations/Base.xcconfig:
1121         (CLANG_ENABLE_OBJC_WEAK): Enable.
1122         * Configurations/ToolExecutable.xcconfig:
1123         (CLANG_ENABLE_OBJC_ARC): Simplify.
1124
1125 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
1126
1127         The InternalFunction hierarchy should be in IsoSubspaces
1128         https://bugs.webkit.org/show_bug.cgi?id=184721
1129
1130         Reviewed by Saam Barati.
1131         
1132         This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
1133         but subclasses that are the same size as InternalFunction share its subspace. I did this
1134         because the subclasses appear to just override methods, which are called dynamically via the
1135         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
1136         allocate one kind of InternalFunction over another.
1137
1138         * API/JSBase.h:
1139         * API/JSCallbackFunction.h:
1140         * API/ObjCCallbackFunction.h:
1141         (JSC::ObjCCallbackFunction::subspaceFor):
1142         * CMakeLists.txt:
1143         * JavaScriptCore.xcodeproj/project.pbxproj:
1144         * Sources.txt:
1145         * heap/IsoSubspacePerVM.cpp: Added.
1146         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
1147         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
1148         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
1149         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
1150         (JSC::IsoSubspacePerVM::forVM):
1151         * heap/IsoSubspacePerVM.h: Added.
1152         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
1153         * runtime/Error.h:
1154         * runtime/ErrorConstructor.h:
1155         * runtime/InternalFunction.h:
1156         (JSC::InternalFunction::subspaceFor):
1157         * runtime/IntlCollatorConstructor.h:
1158         * runtime/IntlDateTimeFormatConstructor.h:
1159         * runtime/IntlNumberFormatConstructor.h:
1160         * runtime/JSArrayBufferConstructor.h:
1161         * runtime/NativeErrorConstructor.h:
1162         * runtime/ProxyRevoke.h:
1163         * runtime/RegExpConstructor.h:
1164         * runtime/VM.cpp:
1165         (JSC::VM::VM):
1166         * runtime/VM.h:
1167
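Editor's illustration of the reasoning in the IsoSubspace entry above; this is added example code, not JSC's allocator. It models a heap with one shared free list versus per-type subspaces, and shows why the entry talks about type confusion: with a shared pool a dead InternalFunction's cell can be handed to an unrelated object of the same size, so a stale pointer now reads that other object's fields; with an IsoSubspace the cell can only be recycled for the same type. The Subspace class, the Constructor/Counter stand-in types and the 32-byte cell size are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>
#include <vector>

using std::size_t;
using std::uint32_t;
using std::uint64_t;
using std::uintptr_t;

// One fixed-size cell per object. Both object types below fit in a cell, so a
// shared allocator can give a dead Constructor's cell to a new Counter.
struct alignas(16) Cell { unsigned char bytes[32]; };

// Minimal bump allocator with a free list; no sweeping and no zeroing on free.
class Subspace {
public:
    void* allocate() {
        if (!m_freeList.empty()) {
            void* cell = m_freeList.back();
            m_freeList.pop_back();
            return cell;
        }
        return &m_arena[m_bump++]; // the example never exceeds kArenaCells
    }
    void deallocate(void* cell) { m_freeList.push_back(cell); }
private:
    static constexpr size_t kArenaCells = 8;
    Cell m_arena[kArenaCells];
    size_t m_bump = 0;
    std::vector<void*> m_freeList;
};

enum ClassId : uint32_t { ConstructorClass = 1, CounterClass = 2 };

// Stand-ins for two unrelated heap object types of equal size (constructed).
struct Constructor { uint32_t classId; uintptr_t nativeFunction; };
struct Counter     { uint32_t classId; uint64_t count; };

struct UafOutcome {
    bool cellReused;        // did the Counter land in the dead Constructor's cell?
    uint32_t observedClass; // classId a stale Constructor* would read afterwards
};

// Allocate a Constructor, free it while keeping a stale pointer (the bug),
// then allocate a Counter. With one shared subspace the Counter takes the
// freed cell and the stale pointer now sees a Counter: type confusion. With
// per-type subspaces the freed cell can only ever hold another Constructor.
inline UafOutcome simulateUseAfterFree(bool useIsoSubspaces) {
    Subspace shared, constructorSpace, counterSpace;
    Subspace& ctorSpace = useIsoSubspaces ? constructorSpace : shared;
    Subspace& cntSpace  = useIsoSubspaces ? counterSpace : shared;

    void* staleCell = ctorSpace.allocate();
    new (staleCell) Constructor{ConstructorClass, 0x41};
    ctorSpace.deallocate(staleCell); // object dies; the pointer is kept

    void* counterCell = cntSpace.allocate();
    new (counterCell) Counter{CounterClass, 0x1337};

    uint32_t seen;
    std::memcpy(&seen, staleCell, sizeof seen); // what the stale pointer reads
    return {counterCell == staleCell, seen};
}

// An IsoSubspace still recycles cells, but only for objects of the same
// layout, which is why same-size subclasses can share one subspace safely.
inline bool isoSubspaceRecyclesCellForSameType() {
    Subspace constructorSpace;
    void* first = constructorSpace.allocate();
    new (first) Constructor{ConstructorClass, 0x41};
    constructorSpace.deallocate(first);
    void* second = constructorSpace.allocate();
    new (second) Constructor{ConstructorClass, 0x42};
    return second == first;
}
```

The read through staleCell goes via memcpy on the arena's storage so the example stays well defined; in real code the equivalent read through a dangling typed pointer is undefined behaviour, and the IsoSubspace only bounds what an attacker can overlay on it, it does not make the use-after-free itself correct.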
1168 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1169
1170         Unreviewed, Fix jsc shell
1171         https://bugs.webkit.org/show_bug.cgi?id=184600
1172
1173         WebAssembly module loading does not finish with drainMicrotasks(),
1174         so JSNativeStdFunction's captured variables become invalid.
1175         This patch fixes this issue.
1176
1177         * jsc.cpp:
1178         (functionDollarAgentStart):
1179         (runWithOptions):
1180         (runJSC):
1181         (jscmain):
1182
1183 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
1184
1185         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
1186         https://bugs.webkit.org/show_bug.cgi?id=184725
1187
1188         Reviewed by Mark Lam.
1189
1190         * jit/JIT.h:
1191
1192 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1193
1194         [WebAssembly][Modules] Import tables in wasm modules
1195         https://bugs.webkit.org/show_bug.cgi?id=184738
1196
1197         Reviewed by JF Bastien.
1198
1199         This patch simply allows wasm modules to import tables from wasm modules / JS re-exporting.
1200         Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
1201         just works.
1202
1203         * wasm/js/JSWebAssemblyInstance.cpp:
1204         (JSC::JSWebAssemblyInstance::create):
1205         * wasm/js/WebAssemblyModuleRecord.cpp:
1206         (JSC::WebAssemblyModuleRecord::link):
1207
1208 2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>
1209
1210         [ARM] Fix build error and crash after PtrTag change
1211         https://bugs.webkit.org/show_bug.cgi?id=184732
1212
1213         Reviewed by Mark Lam.
1214
1215         Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
1216         MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
1217         twice with ARM-Thumb2.
1218
1219         * assembler/MacroAssemblerCodeRef.h:
1220         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1221         * jit/JITPropertyAccess32_64.cpp:
1222         (JSC::JIT::emitSlow_op_put_by_val):
1223         * jit/Repatch.cpp:
1224         (JSC::linkPolymorphicCall):
1225
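Editor's illustration, added here and not JSC code: the PtrTag entries above (JSEntryPtrTag versus JSInternalPtrTag, retagging LLInt bytecode pointers only when needed, templatizing CodePtr on the tag, and the ARM-Thumb2 crash from tagging a pointer twice) all describe one discipline: tag a code pointer at its producer, check the tag at its consumer, and retag only at a real boundary. The C++ below models that with a constructed scheme that keeps a 16-bit tag in the top bits of a 64-bit value, assuming addresses fit in 48 bits; the tag constants, TagResult, the CodePtr template and callEntry are invented for the example and JSC's real per-platform implementation differs.

```cpp
#include <cstdint>

using std::uint16_t;
using std::uintptr_t;

// Tag values are arbitrary 16-bit constants here (constructed for the example).
enum PtrTag : uint16_t {
    NoPtrTag         = 0x0000,
    JSEntryPtrTag    = 0x1a3f, // code reachable from outside JIT code (calls)
    JSInternalPtrTag = 0x2b7e, // labels only JIT-generated code jumps to
    BytecodePtrTag   = 0x3c5d, // LLInt opcode handlers
};

constexpr unsigned kTagShift = 48;
constexpr uintptr_t kAddressMask = (uintptr_t(1) << kTagShift) - 1;

struct TagResult {
    bool ok;         // false: double tag, tag mismatch, or untagged input
    uintptr_t value; // meaningful only when ok
};

inline bool isTagged(uintptr_t p) { return (p & ~kAddressMask) != 0; }

// Tag a raw address. Refuses an already-tagged input: tagging twice yields a
// value that matches no tag and crashes at the untag site, which is the
// failure mode the ARM entry above describes.
inline TagResult tagCodePtr(uintptr_t raw, PtrTag tag) {
    if (isTagged(raw) || tag == NoPtrTag)
        return {false, 0};
    return {true, raw | (uintptr_t(tag) << kTagShift)};
}

// Strip the tag after verifying it. A mismatch means the pointer was forged
// or came from the wrong producer (an internal label used as an entry point).
inline TagResult untagCodePtr(uintptr_t tagged, PtrTag expected) {
    if (!isTagged(tagged) || PtrTag(tagged >> kTagShift) != expected)
        return {false, 0};
    return {true, tagged & kAddressMask};
}

// Retag only where a pointer legitimately crosses a boundary, e.g. an LLInt
// handler (BytecodePtrTag) handed out as an entry point (JSEntryPtrTag).
inline TagResult retagCodePtr(uintptr_t tagged, PtrTag from, PtrTag to) {
    TagResult raw = untagCodePtr(tagged, from);
    if (!raw.ok)
        return raw;
    return tagCodePtr(raw.value, to);
}

// The tag as a template parameter: a function taking CodePtr<JSEntryPtrTag>
// cannot be handed a CodePtr<JSInternalPtrTag>, so mixing tags fails to compile.
template<PtrTag tag>
class CodePtr {
public:
    static CodePtr fromRaw(uintptr_t raw) { return CodePtr(tagCodePtr(raw, tag).value); }
    // Wrap a value that already carries the tag, without tagging it again.
    static CodePtr fromExecutableAddress(uintptr_t tagged) {
        return untagCodePtr(tagged, tag).ok ? CodePtr(tagged) : CodePtr(0);
    }
    uintptr_t executableAddress() const { return m_value; }
    uintptr_t rawAddress() const { return untagCodePtr(m_value, tag).value; }
    template<PtrTag newTag> CodePtr<newTag> retagged() const {
        return CodePtr<newTag>::fromRaw(rawAddress());
    }
    explicit operator bool() const { return m_value != 0; }
private:
    explicit CodePtr(uintptr_t v) : m_value(v) {}
    uintptr_t m_value;
};

// A consumer that accepts entry points only. Returns the raw target it would
// jump to, or 0 when the runtime tag check fails.
inline uintptr_t callEntry(CodePtr<JSEntryPtrTag> entry) {
    TagResult r = untagCodePtr(entry.executableAddress(), JSEntryPtrTag);
    return r.ok ? r.value : 0;
}
```

The compile-time half (the template parameter) catches plumbing mistakes such as the JSEntry/JSInternal mix-ups the entry above corrects; the runtime half (the tag check in untagCodePtr) is what stands between a corrupted pointer and an indirect branch, and is only as strong as the platform's ability to keep the tag bits out of an attacker's reach.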
1226 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1227
1228         [WebAssembly][Modules] Import globals from wasm modules
1229         https://bugs.webkit.org/show_bug.cgi?id=184736
1230
1231         Reviewed by JF Bastien.
1232
1233         This patch implements a feature importing globals to/from wasm modules.
1234         Since we are not supporting mutable globals now, we can just copy the
1235         global data when importing. Currently we do not support importing/exporting
1236         i64 globals. This will be supported once (1) mutable global bindings are
1237         specified and (2) BigInt based i64 importing/exporting is specified.
1238
1239         * wasm/js/JSWebAssemblyInstance.cpp:
1240         (JSC::JSWebAssemblyInstance::create):
1241         * wasm/js/WebAssemblyModuleRecord.cpp:
1242         (JSC::WebAssemblyModuleRecord::link):
1243
1244 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1245
1246         Unreviewed, fix build on ARM
1247
1248         * assembler/MacroAssemblerARM.h:
1249         (JSC::MacroAssemblerARM::readCallTarget):
1250
1251 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1252
1253         Unreviewed, fix build with GCC
1254
1255         * assembler/LinkBuffer.h:
1256         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1257
1258 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1259
1260         Unreviewed, reland r230697, r230720, and r230724.
1261         https://bugs.webkit.org/show_bug.cgi?id=184600
1262
1263         With CatchScope check.
1264
1265         * JavaScriptCore.xcodeproj/project.pbxproj:
1266         * builtins/ModuleLoaderPrototype.js:
1267         (globalPrivate.newRegistryEntry):
1268         (requestInstantiate):
1269         (link):
1270         * jsc.cpp:
1271         (convertShebangToJSComment):
1272         (fillBufferWithContentsOfFile):
1273         (fetchModuleFromLocalFileSystem):
1274         (GlobalObject::moduleLoaderFetch):
1275         (functionDollarAgentStart):
1276         (checkException):
1277         (runWithOptions):
1278         * parser/NodesAnalyzeModule.cpp:
1279         (JSC::ImportDeclarationNode::analyzeModule):
1280         * parser/SourceProvider.h:
1281         (JSC::WebAssemblySourceProvider::create):
1282         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1283         * runtime/AbstractModuleRecord.cpp:
1284         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1285         (JSC::AbstractModuleRecord::resolveImport):
1286         (JSC::AbstractModuleRecord::link):
1287         (JSC::AbstractModuleRecord::evaluate):
1288         (JSC::identifierToJSValue): Deleted.
1289         * runtime/AbstractModuleRecord.h:
1290         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
1291         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
1292         * runtime/JSModuleEnvironment.cpp:
1293         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1294         * runtime/JSModuleLoader.cpp:
1295         (JSC::JSModuleLoader::evaluate):
1296         * runtime/JSModuleRecord.cpp:
1297         (JSC::JSModuleRecord::link):
1298         (JSC::JSModuleRecord::instantiateDeclarations):
1299         * runtime/JSModuleRecord.h:
1300         * runtime/ModuleLoaderPrototype.cpp:
1301         (JSC::moduleLoaderPrototypeParseModule):
1302         (JSC::moduleLoaderPrototypeRequestedModules):
1303         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1304         * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
1305         * wasm/js/JSWebAssemblyHelpers.h:
1306         (JSC::getWasmBufferFromValue):
1307         (JSC::createSourceBufferFromValue):
1308         * wasm/js/JSWebAssemblyInstance.cpp:
1309         (JSC::JSWebAssemblyInstance::finalizeCreation):
1310         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
1311         (JSC::JSWebAssemblyInstance::create):
1312         * wasm/js/JSWebAssemblyInstance.h:
1313         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1314         (JSC::constructJSWebAssemblyInstance):
1315         * wasm/js/WebAssemblyModuleRecord.cpp:
1316         (JSC::WebAssemblyModuleRecord::prepareLink):
1317         (JSC::WebAssemblyModuleRecord::link):
1318         * wasm/js/WebAssemblyModuleRecord.h:
1319         * wasm/js/WebAssemblyPrototype.cpp:
1320         (JSC::resolve):
1321         (JSC::instantiate):
1322         (JSC::compileAndInstantiate):
1323         (JSC::WebAssemblyPrototype::instantiate):
1324         (JSC::webAssemblyInstantiateFunc):
1325         (JSC::webAssemblyValidateFunc):
1326         * wasm/js/WebAssemblyPrototype.h:
1327
1328 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
1329
1330         [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
1331         https://bugs.webkit.org/show_bug.cgi?id=184687
1332
1333         Reviewed by Michael Catanzaro.
1334
1335         Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
1336         JSClassDefinition. This is required to implement dynamic properties that can't be added with
1337         jsc_class_add_property() for example to implement something like imports object in seed/gjs.
1338
1339         * API/glib/JSCClass.cpp:
1340         (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
1341         can throw exceptions.
1342         (VTableExceptionHandler::~VTableExceptionHandler):
1343         (getProperty): Iterate the class chain to call get_property function.
1344         (setProperty): Iterate the class chain to call set_property function.
1345         (hasProperty): Iterate the class chain to call has_property function.
1346         (deleteProperty): Iterate the class chain to call delete_property function.
1347         (getPropertyNames): Iterate the class chain to call enumerate_properties function.
1348         (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
1349         jscClassCreate now.
1350         (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
1351         * API/glib/JSCClass.h:
1352         * API/glib/JSCClassPrivate.h:
1353         * API/glib/JSCContext.cpp:
1354         (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
1355         (jsc_context_register_class): Add JSCClassVTable parameter.
1356         * API/glib/JSCContext.h:
1357         * API/glib/JSCContextPrivate.h:
1358         * API/glib/JSCWrapperMap.cpp:
1359         (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
1360         * API/glib/JSCWrapperMap.h:
1361         * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
1362
1363 2018-04-17  Mark Lam  <mark.lam@apple.com>
1364
1365         Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
1366         https://bugs.webkit.org/show_bug.cgi?id=184702
1367         <rdar://problem/35391681>
1368
1369         Reviewed by Filip Pizlo and Saam Barati.
1370
1371         1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
1372            to take a PtrTag template argument.
1373         2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
1374
1375         * assembler/AbstractMacroAssembler.h:
1376         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
1377         (JSC::AbstractMacroAssembler::linkJump):
1378         (JSC::AbstractMacroAssembler::linkPointer):
1379         (JSC::AbstractMacroAssembler::getLinkerAddress):
1380         (JSC::AbstractMacroAssembler::repatchJump):
1381         (JSC::AbstractMacroAssembler::repatchJumpToNop):
1382         (JSC::AbstractMacroAssembler::repatchNearCall):
1383         (JSC::AbstractMacroAssembler::repatchCompact):
1384         (JSC::AbstractMacroAssembler::repatchInt32):
1385         (JSC::AbstractMacroAssembler::repatchPointer):
1386         (JSC::AbstractMacroAssembler::readPointer):
1387         (JSC::AbstractMacroAssembler::replaceWithLoad):
1388         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
1389         * assembler/CodeLocation.h:
1390         (JSC::CodeLocationCommon:: const):
1391         (JSC::CodeLocationCommon::CodeLocationCommon):
1392         (JSC::CodeLocationInstruction::CodeLocationInstruction):
1393         (JSC::CodeLocationLabel::CodeLocationLabel):
1394         (JSC::CodeLocationLabel::retagged):
1395         (JSC::CodeLocationLabel:: const):
1396         (JSC::CodeLocationJump::CodeLocationJump):
1397         (JSC::CodeLocationJump::retagged):
1398         (JSC::CodeLocationCall::CodeLocationCall):
1399         (JSC::CodeLocationCall::retagged):
1400         (JSC::CodeLocationNearCall::CodeLocationNearCall):
1401         (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
1402         (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
1403         (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
1404         (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
1405         (JSC::CodeLocationCommon<tag>::instructionAtOffset):
1406         (JSC::CodeLocationCommon<tag>::labelAtOffset):
1407         (JSC::CodeLocationCommon<tag>::jumpAtOffset):
1408         (JSC::CodeLocationCommon<tag>::callAtOffset):
1409         (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
1410         (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
1411         (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
1412         (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
1413         (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
1414         (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
1415         (JSC::CodeLocationCommon::labelAtOffset): Deleted.
1416         (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
1417         (JSC::CodeLocationCommon::callAtOffset): Deleted.
1418         (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
1419         (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
1420         (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
1421         (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
1422         (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
1423         * assembler/LinkBuffer.cpp:
1424         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
1425         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
1426         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
1427         (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
1428         * assembler/LinkBuffer.h:
1429         (JSC::LinkBuffer::link):
1430         (JSC::LinkBuffer::patch):
1431         (JSC::LinkBuffer::entrypoint):
1432         (JSC::LinkBuffer::locationOf):
1433         (JSC::LinkBuffer::locationOfNearCall):
1434         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1435         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1436         (JSC::LinkBuffer::trampolineAt):
1437         * assembler/MacroAssemblerARM.h:
1438         (JSC::MacroAssemblerARM::readCallTarget):
1439         (JSC::MacroAssemblerARM::replaceWithJump):
1440         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
1441         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
1442         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
1443         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
1444         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
1445         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
1446         (JSC::MacroAssemblerARM::repatchCall):
1447         (JSC::MacroAssemblerARM::linkCall):
1448         * assembler/MacroAssemblerARM64.h:
1449         (JSC::MacroAssemblerARM64::readCallTarget):
1450         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
1451         (JSC::MacroAssemblerARM64::replaceWithJump):
1452         (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
1453         (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
1454         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
1455         (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
1456         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1457         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
1458         (JSC::MacroAssemblerARM64::repatchCall):
1459         (JSC::MacroAssemblerARM64::linkCall):
1460         * assembler/MacroAssemblerARMv7.h:
1461         (JSC::MacroAssemblerARMv7::replaceWithJump):
1462         (JSC::MacroAssemblerARMv7::readCallTarget):
1463         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
1464         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
1465         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
1466         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
1467         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
1468         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
1469         (JSC::MacroAssemblerARMv7::repatchCall):
1470         (JSC::MacroAssemblerARMv7::linkCall):
1471         * assembler/MacroAssemblerCodeRef.cpp:
1472         (JSC::MacroAssemblerCodePtrBase::dumpWithName):
1473         (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
1474         (JSC::MacroAssemblerCodeRefBase::disassembly):
1475         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
1476         (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
1477         (JSC::MacroAssemblerCodePtr::dump const): Deleted.
1478         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
1479         (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
1480         (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
1481         (JSC::MacroAssemblerCodeRef::dump const): Deleted.
1482         * assembler/MacroAssemblerCodeRef.h:
1483         (JSC::FunctionPtr::FunctionPtr):
1484         (JSC::FunctionPtr::retagged const):
1485         (JSC::FunctionPtr::retaggedExecutableAddress const):
1486         (JSC::FunctionPtr::operator== const):
1487         (JSC::FunctionPtr::operator!= const):
1488         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1489         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1490         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1491         (JSC::MacroAssemblerCodePtr::retagged const):
1492         (JSC::MacroAssemblerCodePtr:: const):
1493         (JSC::MacroAssemblerCodePtr::dumpWithName const):
1494         (JSC::MacroAssemblerCodePtr::dump const):
1495         (JSC::MacroAssemblerCodePtrHash::hash):
1496         (JSC::MacroAssemblerCodePtrHash::equal):
1497         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1498         (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
1499         (JSC::MacroAssemblerCodeRef::code const):
1500         (JSC::MacroAssemblerCodeRef::retaggedCode const):
1501         (JSC::MacroAssemblerCodeRef::retagged const):
1502         (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
1503         (JSC::MacroAssemblerCodeRef::disassembly const):
1504         (JSC::MacroAssemblerCodeRef::dump const):
1505         (JSC::FunctionPtr<tag>::FunctionPtr):
1506         * assembler/MacroAssemblerMIPS.h:
1507         (JSC::MacroAssemblerMIPS::readCallTarget):
1508         (JSC::MacroAssemblerMIPS::replaceWithJump):
1509         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
1510         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
1511         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
1512         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
1513         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
1514         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
1515         (JSC::MacroAssemblerMIPS::repatchCall):
1516         (JSC::MacroAssemblerMIPS::linkCall):
1517         * assembler/MacroAssemblerX86.h:
1518         (JSC::MacroAssemblerX86::readCallTarget):
1519         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
1520         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
1521         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
1522         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
1523         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
1524         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
1525         (JSC::MacroAssemblerX86::repatchCall):
1526         (JSC::MacroAssemblerX86::linkCall):
1527         * assembler/MacroAssemblerX86Common.h:
1528         (JSC::MacroAssemblerX86Common::repatchCompact):
1529         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
1530         (JSC::MacroAssemblerX86Common::replaceWithJump):
1531         * assembler/MacroAssemblerX86_64.h:
1532         (JSC::MacroAssemblerX86_64::readCallTarget):
1533         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
1534         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
1535         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
1536         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
1537         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1538         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
1539         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
1540         (JSC::MacroAssemblerX86_64::repatchCall):
1541         (JSC::MacroAssemblerX86_64::linkCall):
1542         * assembler/testmasm.cpp:
1543         (JSC::compile):
1544         (JSC::invoke):
1545         (JSC::testProbeModifiesProgramCounter):
1546         * b3/B3Compilation.cpp:
1547         (JSC::B3::Compilation::Compilation):
1548         * b3/B3Compilation.h:
1549         (JSC::B3::Compilation::code const):
1550         (JSC::B3::Compilation::codeRef const):
1551         * b3/B3Compile.cpp:
1552         (JSC::B3::compile):
1553         * b3/B3LowerMacros.cpp:
1554         * b3/air/AirDisassembler.cpp:
1555         (JSC::B3::Air::Disassembler::dump):
1556         * b3/air/testair.cpp:
1557         * b3/testb3.cpp:
1558         (JSC::B3::invoke):
1559         (JSC::B3::testInterpreter):
1560         (JSC::B3::testEntrySwitchSimple):
1561         (JSC::B3::testEntrySwitchNoEntrySwitch):
1562         (JSC::B3::testEntrySwitchWithCommonPaths):
1563         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
1564         (JSC::B3::testEntrySwitchLoop):
1565         * bytecode/AccessCase.cpp:
1566         (JSC::AccessCase::generateImpl):
1567         * bytecode/AccessCaseSnippetParams.cpp:
1568         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1569         * bytecode/ByValInfo.h:
1570         (JSC::ByValInfo::ByValInfo):
1571         * bytecode/CallLinkInfo.cpp:
1572         (JSC::CallLinkInfo::callReturnLocation):
1573         (JSC::CallLinkInfo::patchableJump):
1574         (JSC::CallLinkInfo::hotPathBegin):
1575         (JSC::CallLinkInfo::slowPathStart):
1576         * bytecode/CallLinkInfo.h:
1577         (JSC::CallLinkInfo::setCallLocations):
1578         (JSC::CallLinkInfo::hotPathOther):
1579         * bytecode/CodeBlock.cpp:
1580         (JSC::CodeBlock::finishCreation):
1581         * bytecode/GetByIdStatus.cpp:
1582         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1583         * bytecode/GetByIdVariant.cpp:
1584         (JSC::GetByIdVariant::GetByIdVariant):
1585         (JSC::GetByIdVariant::dumpInContext const):
1586         * bytecode/GetByIdVariant.h:
1587         (JSC::GetByIdVariant::customAccessorGetter const):
1588         * bytecode/GetterSetterAccessCase.cpp:
1589         (JSC::GetterSetterAccessCase::create):
1590         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1591         (JSC::GetterSetterAccessCase::dumpImpl const):
1592         * bytecode/GetterSetterAccessCase.h:
1593         (JSC::GetterSetterAccessCase::customAccessor const):
1594         (): Deleted.
1595         * bytecode/HandlerInfo.h:
1596         (JSC::HandlerInfo::initialize):
1597         * bytecode/InlineAccess.cpp:
1598         (JSC::linkCodeInline):
1599         (JSC::InlineAccess::rewireStubAsJump):
1600         * bytecode/InlineAccess.h:
1601         * bytecode/JumpTable.h:
1602         (JSC::StringJumpTable::ctiForValue):
1603         (JSC::SimpleJumpTable::ctiForValue):
1604         * bytecode/LLIntCallLinkInfo.h:
1605         (JSC::LLIntCallLinkInfo::unlink):
1606         * bytecode/PolymorphicAccess.cpp:
1607         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1608         (JSC::PolymorphicAccess::regenerate):
1609         * bytecode/PolymorphicAccess.h:
1610         (JSC::AccessGenerationResult::AccessGenerationResult):
1611         (JSC::AccessGenerationResult::code const):
1612         * bytecode/StructureStubInfo.h:
1613         (JSC::StructureStubInfo::slowPathCallLocation):
1614         (JSC::StructureStubInfo::doneLocation):
1615         (JSC::StructureStubInfo::slowPathStartLocation):
1616         (JSC::StructureStubInfo::patchableJumpForIn):
1617         * dfg/DFGCommonData.h:
1618         (JSC::DFG::CommonData::appendCatchEntrypoint):
1619         * dfg/DFGDisassembler.cpp:
1620         (JSC::DFG::Disassembler::dumpDisassembly):
1621         * dfg/DFGDriver.h:
1622         * dfg/DFGJITCompiler.cpp:
1623         (JSC::DFG::JITCompiler::linkOSRExits):
1624         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1625         (JSC::DFG::JITCompiler::link):
1626         (JSC::DFG::JITCompiler::compileFunction):
1627         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1628         * dfg/DFGJITCompiler.h:
1629         (JSC::DFG::CallLinkRecord::CallLinkRecord):
1630         (JSC::DFG::JITCompiler::appendCall):
1631         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
1632         (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
1633         (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
1634         * dfg/DFGJITFinalizer.cpp:
1635         (JSC::DFG::JITFinalizer::JITFinalizer):
1636         (JSC::DFG::JITFinalizer::finalize):
1637         (JSC::DFG::JITFinalizer::finalizeFunction):
1638         * dfg/DFGJITFinalizer.h:
1639         * dfg/DFGJumpReplacement.h:
1640         (JSC::DFG::JumpReplacement::JumpReplacement):
1641         * dfg/DFGNode.h:
1642         * dfg/DFGOSREntry.cpp:
1643         (JSC::DFG::prepareOSREntry):
1644         (JSC::DFG::prepareCatchOSREntry):
1645         * dfg/DFGOSREntry.h:
1646         (JSC::DFG::prepareOSREntry):
1647         * dfg/DFGOSRExit.cpp:
1648         (JSC::DFG::OSRExit::executeOSRExit):
1649         (JSC::DFG::reifyInlinedCallFrames):
1650         (JSC::DFG::adjustAndJumpToTarget):
1651         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1652         (JSC::DFG::OSRExit::emitRestoreArguments):
1653         (JSC::DFG::OSRExit::compileOSRExit):
1654         * dfg/DFGOSRExit.h:
1655         * dfg/DFGOSRExitCompilerCommon.cpp:
1656         (JSC::DFG::handleExitCounts):
1657         (JSC::DFG::reifyInlinedCallFrames):
1658         (JSC::DFG::osrWriteBarrier):
1659         (JSC::DFG::adjustAndJumpToTarget):
1660         * dfg/DFGOperations.cpp:
1661         * dfg/DFGSlowPathGenerator.h:
1662         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
1663         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
1664         (JSC::DFG::slowPathCall):
1665         * dfg/DFGSpeculativeJIT.cpp:
1666         (JSC::DFG::SpeculativeJIT::compileMathIC):
1667         (JSC::DFG::SpeculativeJIT::compileCallDOM):
1668         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1669         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1670         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1671         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1672         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1673         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1674         (JSC::DFG::SpeculativeJIT::cachedPutById):
1675         * dfg/DFGSpeculativeJIT.h:
1676         (JSC::DFG::SpeculativeJIT::callOperation):
1677         (JSC::DFG::SpeculativeJIT::appendCall):
1678         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1679         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1680         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1681         * dfg/DFGSpeculativeJIT64.cpp:
1682         (JSC::DFG::SpeculativeJIT::cachedGetById):
1683         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1684         (JSC::DFG::SpeculativeJIT::compile):
1685         * dfg/DFGThunks.cpp:
1686         (JSC::DFG::osrExitThunkGenerator):
1687         (JSC::DFG::osrExitGenerationThunkGenerator):
1688         (JSC::DFG::osrEntryThunkGenerator):
1689         * dfg/DFGThunks.h:
1690         * disassembler/ARM64Disassembler.cpp:
1691         (JSC::tryToDisassemble):
1692         * disassembler/ARMv7Disassembler.cpp:
1693         (JSC::tryToDisassemble):
1694         * disassembler/Disassembler.cpp:
1695         (JSC::disassemble):
1696         (JSC::disassembleAsynchronously):
1697         * disassembler/Disassembler.h:
1698         (JSC::tryToDisassemble):
1699         * disassembler/UDis86Disassembler.cpp:
1700         (JSC::tryToDisassembleWithUDis86):
1701         * disassembler/UDis86Disassembler.h:
1702         (JSC::tryToDisassembleWithUDis86):
1703         * disassembler/X86Disassembler.cpp:
1704         (JSC::tryToDisassemble):
1705         * ftl/FTLCompile.cpp:
1706         (JSC::FTL::compile):
1707         * ftl/FTLExceptionTarget.cpp:
1708         (JSC::FTL::ExceptionTarget::label):
1709         (JSC::FTL::ExceptionTarget::jumps):
1710         * ftl/FTLExceptionTarget.h:
1711         * ftl/FTLGeneratedFunction.h:
1712         * ftl/FTLJITCode.cpp:
1713         (JSC::FTL::JITCode::initializeB3Code):
1714         (JSC::FTL::JITCode::initializeAddressForCall):
1715         (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
1716         (JSC::FTL::JITCode::addressForCall):
1717         (JSC::FTL::JITCode::executableAddressAtOffset):
1718         * ftl/FTLJITCode.h:
1719         (JSC::FTL::JITCode::b3Code const):
1720         * ftl/FTLJITFinalizer.cpp:
1721         (JSC::FTL::JITFinalizer::finalizeCommon):
1722         * ftl/FTLLazySlowPath.cpp:
1723         (JSC::FTL::LazySlowPath::initialize):
1724         (JSC::FTL::LazySlowPath::generate):
1725         * ftl/FTLLazySlowPath.h:
1726         (JSC::FTL::LazySlowPath::patchableJump const):
1727         (JSC::FTL::LazySlowPath::done const):
1728         (JSC::FTL::LazySlowPath::stub const):
1729         * ftl/FTLLazySlowPathCall.h:
1730         (JSC::FTL::createLazyCallGenerator):
1731         * ftl/FTLLink.cpp:
1732         (JSC::FTL::link):
1733         * ftl/FTLLowerDFGToB3.cpp:
1734         (JSC::FTL::DFG::LowerDFGToB3::lower):
1735         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1736         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1737         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1738         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1739         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1740         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1741         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
1742         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1743         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1744         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
1745         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1746         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1747         * ftl/FTLOSRExit.cpp:
1748         (JSC::FTL::OSRExit::codeLocationForRepatch const):
1749         * ftl/FTLOSRExit.h:
1750         * ftl/FTLOSRExitCompiler.cpp:
1751         (JSC::FTL::compileStub):
1752         (JSC::FTL::compileFTLOSRExit):
1753         * ftl/FTLOSRExitHandle.cpp:
1754         (JSC::FTL::OSRExitHandle::emitExitThunk):
1755         * ftl/FTLOperations.cpp:
1756         (JSC::FTL::compileFTLLazySlowPath):
1757         * ftl/FTLPatchpointExceptionHandle.cpp:
1758         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
1759         * ftl/FTLSlowPathCall.cpp:
1760         (JSC::FTL::SlowPathCallContext::keyWithTarget const):
1761         (JSC::FTL::SlowPathCallContext::makeCall):
1762         * ftl/FTLSlowPathCall.h:
1763         (JSC::FTL::callOperation):
1764         * ftl/FTLSlowPathCallKey.cpp:
1765         (JSC::FTL::SlowPathCallKey::dump const):
1766         * ftl/FTLSlowPathCallKey.h:
1767         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1768         (JSC::FTL::SlowPathCallKey::callTarget const):
1769         (JSC::FTL::SlowPathCallKey::withCallTarget):
1770         (JSC::FTL::SlowPathCallKey::hash const):
1771         (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
1772         * ftl/FTLState.cpp:
1773         (JSC::FTL::State::State):
1774         * ftl/FTLThunks.cpp:
1775         (JSC::FTL::genericGenerationThunkGenerator):
1776         (JSC::FTL::osrExitGenerationThunkGenerator):
1777         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1778         (JSC::FTL::slowPathCallThunkGenerator):
1779         * ftl/FTLThunks.h:
1780         (JSC::FTL::generateIfNecessary):
1781         (JSC::FTL::keyForThunk):
1782         (JSC::FTL::Thunks::getSlowPathCallThunk):
1783         (JSC::FTL::Thunks::keyForSlowPathCallThunk):
1784         * interpreter/InterpreterInlines.h:
1785         (JSC::Interpreter::getOpcodeID):
1786         * jit/AssemblyHelpers.cpp:
1787         (JSC::AssemblyHelpers::callExceptionFuzz):
1788         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1789         (JSC::AssemblyHelpers::debugCall):
1790         * jit/CCallHelpers.cpp:
1791         (JSC::CCallHelpers::ensureShadowChickenPacket):
1792         * jit/ExecutableAllocator.cpp:
1793         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1794         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1795         * jit/ExecutableAllocator.h:
1796         (JSC::performJITMemcpy):
1797         * jit/GCAwareJITStubRoutine.cpp:
1798         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
1799         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
1800         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
1801         (JSC::createJITStubRoutine):
1802         * jit/GCAwareJITStubRoutine.h:
1803         (JSC::createJITStubRoutine):
1804         * jit/JIT.cpp:
1805         (JSC::ctiPatchCallByReturnAddress):
1806         (JSC::JIT::compileWithoutLinking):
1807         (JSC::JIT::link):
1808         (JSC::JIT::privateCompileExceptionHandlers):
1809         * jit/JIT.h:
1810         (JSC::CallRecord::CallRecord):
1811         * jit/JITArithmetic.cpp:
1812         (JSC::JIT::emitMathICFast):
1813         (JSC::JIT::emitMathICSlow):
1814         * jit/JITCall.cpp:
1815         (JSC::JIT::compileOpCallSlowCase):
1816         * jit/JITCall32_64.cpp:
1817         (JSC::JIT::compileOpCallSlowCase):
1818         * jit/JITCode.cpp:
1819         (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
1820         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1821         (JSC::DirectJITCode::DirectJITCode):
1822         (JSC::DirectJITCode::initializeCodeRef):
1823         (JSC::DirectJITCode::addressForCall):
1824         (JSC::NativeJITCode::NativeJITCode):
1825         (JSC::NativeJITCode::initializeCodeRef):
1826         (JSC::NativeJITCode::addressForCall):
1827         * jit/JITCode.h:
1828         * jit/JITCodeMap.h:
1829         (JSC::JITCodeMap::Entry::Entry):
1830         (JSC::JITCodeMap::Entry::codeLocation):
1831         (JSC::JITCodeMap::append):
1832         (JSC::JITCodeMap::find const):
1833         * jit/JITDisassembler.cpp:
1834         (JSC::JITDisassembler::dumpDisassembly):
1835         * jit/JITExceptions.cpp:
1836         (JSC::genericUnwind):
1837         * jit/JITInlineCacheGenerator.cpp:
1838         (JSC::JITByIdGenerator::finalize):
1839         * jit/JITInlines.h:
1840         (JSC::JIT::emitNakedCall):
1841         (JSC::JIT::emitNakedTailCall):
1842         (JSC::JIT::appendCallWithExceptionCheck):
1843         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
1844         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1845         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1846         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1847         * jit/JITMathIC.h:
1848         (JSC::isProfileEmpty):
1849         * jit/JITOpcodes.cpp:
1850         (JSC::JIT::emit_op_catch):
1851         (JSC::JIT::emit_op_switch_imm):
1852         (JSC::JIT::emit_op_switch_char):
1853         (JSC::JIT::emit_op_switch_string):
1854         (JSC::JIT::privateCompileHasIndexedProperty):
1855         (JSC::JIT::emitSlow_op_has_indexed_property):
1856         * jit/JITOpcodes32_64.cpp:
1857         (JSC::JIT::privateCompileHasIndexedProperty):
1858         * jit/JITOperations.cpp:
1859         (JSC::getByVal):
1860         * jit/JITPropertyAccess.cpp:
1861         (JSC::JIT::stringGetByValStubGenerator):
1862         (JSC::JIT::emitGetByValWithCachedId):
1863         (JSC::JIT::emitSlow_op_get_by_val):
1864         (JSC::JIT::emitPutByValWithCachedId):
1865         (JSC::JIT::emitSlow_op_put_by_val):
1866         (JSC::JIT::emitSlow_op_try_get_by_id):
1867         (JSC::JIT::emitSlow_op_get_by_id_direct):
1868         (JSC::JIT::emitSlow_op_get_by_id):
1869         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1870         (JSC::JIT::emitSlow_op_put_by_id):
1871         (JSC::JIT::privateCompileGetByVal):
1872         (JSC::JIT::privateCompileGetByValWithCachedId):
1873         (JSC::JIT::privateCompilePutByVal):
1874         (JSC::JIT::privateCompilePutByValWithCachedId):
1875         * jit/JITPropertyAccess32_64.cpp:
1876         (JSC::JIT::stringGetByValStubGenerator):
1877         (JSC::JIT::emitSlow_op_get_by_val):
1878         (JSC::JIT::emitSlow_op_put_by_val):
1879         * jit/JITStubRoutine.h:
1880         (JSC::JITStubRoutine::JITStubRoutine):
1881         (JSC::JITStubRoutine::createSelfManagedRoutine):
1882         (JSC::JITStubRoutine::code const):
1883         (JSC::JITStubRoutine::asCodePtr):
1884         * jit/JITThunks.cpp:
1885         (JSC::JITThunks::ctiNativeCall):
1886         (JSC::JITThunks::ctiNativeConstruct):
1887         (JSC::JITThunks::ctiNativeTailCall):
1888         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
1889         (JSC::JITThunks::ctiInternalFunctionCall):
1890         (JSC::JITThunks::ctiInternalFunctionConstruct):
1891         (JSC::JITThunks::ctiStub):
1892         (JSC::JITThunks::existingCTIStub):
1893         (JSC::JITThunks::hostFunctionStub):
1894         * jit/JITThunks.h:
1895         * jit/PCToCodeOriginMap.cpp:
1896         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
1897         * jit/PCToCodeOriginMap.h:
1898         * jit/PolymorphicCallStubRoutine.cpp:
1899         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1900         * jit/PolymorphicCallStubRoutine.h:
1901         * jit/Repatch.cpp:
1902         (JSC::readPutICCallTarget):
1903         (JSC::ftlThunkAwareRepatchCall):
1904         (JSC::appropriateOptimizingGetByIdFunction):
1905         (JSC::appropriateGetByIdFunction):
1906         (JSC::tryCacheGetByID):
1907         (JSC::repatchGetByID):
1908         (JSC::tryCachePutByID):
1909         (JSC::repatchPutByID):
1910         (JSC::tryCacheIn):
1911         (JSC::repatchIn):
1912         (JSC::linkSlowFor):
1913         (JSC::linkFor):
1914         (JSC::linkDirectFor):
1915         (JSC::revertCall):
1916         (JSC::unlinkFor):
1917         (JSC::linkVirtualFor):
1918         (JSC::linkPolymorphicCall):
1919         (JSC::resetGetByID):
1920         (JSC::resetPutByID):
1921         * jit/Repatch.h:
1922         * jit/SlowPathCall.h:
1923         (JSC::JITSlowPathCall::call):
1924         * jit/SpecializedThunkJIT.h:
1925         (JSC::SpecializedThunkJIT::finalize):
1926         (JSC::SpecializedThunkJIT::callDoubleToDouble):
1927         (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
1928         * jit/ThunkGenerator.h:
1929         * jit/ThunkGenerators.cpp:
1930         (JSC::throwExceptionFromCallSlowPathGenerator):
1931         (JSC::slowPathFor):
1932         (JSC::linkCallThunkGenerator):
1933         (JSC::linkPolymorphicCallThunkGenerator):
1934         (JSC::virtualThunkFor):
1935         (JSC::nativeForGenerator):
1936         (JSC::nativeCallGenerator):
1937         (JSC::nativeTailCallGenerator):
1938         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1939         (JSC::nativeConstructGenerator):
1940         (JSC::internalFunctionCallGenerator):
1941         (JSC::internalFunctionConstructGenerator):
1942         (JSC::arityFixupGenerator):
1943         (JSC::unreachableGenerator):
1944         (JSC::charCodeAtThunkGenerator):
1945         (JSC::charAtThunkGenerator):
1946         (JSC::fromCharCodeThunkGenerator):
1947         (JSC::clz32ThunkGenerator):
1948         (JSC::sqrtThunkGenerator):
1949         (JSC::floorThunkGenerator):
1950         (JSC::ceilThunkGenerator):
1951         (JSC::truncThunkGenerator):
1952         (JSC::roundThunkGenerator):
1953         (JSC::expThunkGenerator):
1954         (JSC::logThunkGenerator):
1955         (JSC::absThunkGenerator):
1956         (JSC::imulThunkGenerator):
1957         (JSC::randomThunkGenerator):
1958         (JSC::boundThisNoArgsFunctionCallGenerator):
1959         * jit/ThunkGenerators.h:
1960         * llint/LLIntData.cpp:
1961         (JSC::LLInt::initialize):
1962         * llint/LLIntData.h:
1963         (JSC::LLInt::getExecutableAddress):
1964         (JSC::LLInt::getCodePtr):
1965         (JSC::LLInt::getCodeRef):
1966         (JSC::LLInt::getCodeFunctionPtr):
1967         * llint/LLIntEntrypoint.cpp:
1968         (JSC::LLInt::setFunctionEntrypoint):
1969         (JSC::LLInt::setEvalEntrypoint):
1970         (JSC::LLInt::setProgramEntrypoint):
1971         (JSC::LLInt::setModuleProgramEntrypoint):
1972         * llint/LLIntExceptions.cpp:
1973         (JSC::LLInt::callToThrow):
1974         * llint/LLIntSlowPaths.cpp:
1975         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1976         (JSC::LLInt::setUpCall):
1977         * llint/LLIntThunks.cpp:
1978         (JSC::vmEntryToWasm):
1979         (JSC::LLInt::generateThunkWithJumpTo):
1980         (JSC::LLInt::functionForCallEntryThunkGenerator):
1981         (JSC::LLInt::functionForConstructEntryThunkGenerator):
1982         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
1983         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
1984         (JSC::LLInt::evalEntryThunkGenerator):
1985         (JSC::LLInt::programEntryThunkGenerator):
1986         (JSC::LLInt::moduleProgramEntryThunkGenerator):
1987         * llint/LLIntThunks.h:
1988         * llint/LowLevelInterpreter.asm:
1989         * llint/LowLevelInterpreter32_64.asm:
1990         * llint/LowLevelInterpreter64.asm:
1991         * profiler/ProfilerCompilation.cpp:
1992         (JSC::Profiler::Compilation::addOSRExitSite):
1993         * profiler/ProfilerCompilation.h:
1994         * profiler/ProfilerOSRExitSite.cpp:
1995         (JSC::Profiler::OSRExitSite::toJS const):
1996         * profiler/ProfilerOSRExitSite.h:
1997         (JSC::Profiler::OSRExitSite::OSRExitSite):
1998         (JSC::Profiler::OSRExitSite::codeAddress const):
1999         (JSC::Profiler::OSRExitSite:: const): Deleted.
2000         * runtime/ExecutableBase.cpp:
2001         (JSC::ExecutableBase::clearCode):
2002         * runtime/ExecutableBase.h:
2003         (JSC::ExecutableBase::entrypointFor):
2004         * runtime/NativeExecutable.cpp:
2005         (JSC::NativeExecutable::finishCreation):
2006         * runtime/NativeFunction.h:
2007         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2008         (JSC::TaggedNativeFunction::operator NativeFunction):
2009         * runtime/PtrTag.h:
2010         (JSC::tagCodePtr):
2011         (JSC::untagCodePtr):
2012         (JSC::retagCodePtr):
2013         (JSC::tagCFunctionPtr):
2014         (JSC::untagCFunctionPtr):
2015         (JSC::nextPtrTagID): Deleted.
2016         * runtime/PutPropertySlot.h:
2017         (JSC::PutPropertySlot::PutPropertySlot):
2018         (JSC::PutPropertySlot::setCustomValue):
2019         (JSC::PutPropertySlot::setCustomAccessor):
2020         (JSC::PutPropertySlot::customSetter const):
2021         * runtime/ScriptExecutable.cpp:
2022         (JSC::ScriptExecutable::installCode):
2023         * runtime/VM.cpp:
2024         (JSC::VM::getHostFunction):
2025         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2026         * runtime/VM.h:
2027         (JSC::VM::getCTIStub):
2028         * wasm/WasmB3IRGenerator.cpp:
2029         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2030         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
2031         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2032         (JSC::Wasm::B3IRGenerator::addCall):
2033         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2034         * wasm/WasmBBQPlan.cpp:
2035         (JSC::Wasm::BBQPlan::prepare):
2036         (JSC::Wasm::BBQPlan::complete):
2037         * wasm/WasmBBQPlan.h:
2038         * wasm/WasmBinding.cpp:
2039         (JSC::Wasm::wasmToWasm):
2040         * wasm/WasmBinding.h:
2041         * wasm/WasmCallee.h:
2042         (JSC::Wasm::Callee::entrypoint const):
2043         * wasm/WasmCallingConvention.h:
2044         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
2045         * wasm/WasmCodeBlock.h:
2046         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
2047         * wasm/WasmFaultSignalHandler.cpp:
2048         (JSC::Wasm::trapHandler):
2049         * wasm/WasmFormat.h:
2050         * wasm/WasmInstance.h:
2051         * wasm/WasmOMGPlan.cpp:
2052         (JSC::Wasm::OMGPlan::work):
2053         * wasm/WasmThunks.cpp:
2054         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2055         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2056         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2057         (JSC::Wasm::Thunks::stub):
2058         (JSC::Wasm::Thunks::existingStub):
2059         * wasm/WasmThunks.h:
2060         * wasm/js/JSToWasm.cpp:
2061         (JSC::Wasm::createJSToWasmWrapper):
2062         * wasm/js/JSWebAssemblyCodeBlock.h:
2063         * wasm/js/WasmToJS.cpp:
2064         (JSC::Wasm::handleBadI64Use):
2065         (JSC::Wasm::wasmToJS):
2066         * wasm/js/WasmToJS.h:
2067         * wasm/js/WebAssemblyFunction.h:
2068         * yarr/YarrJIT.cpp:
2069         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
2070         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
2071         (JSC::Yarr::YarrGenerator::compile):
2072         * yarr/YarrJIT.h:
2073         (JSC::Yarr::YarrCodeBlock::set8BitCode):
2074         (JSC::Yarr::YarrCodeBlock::set16BitCode):
2075         (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
2076         (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
2077         (JSC::Yarr::YarrCodeBlock::execute):
2078         (JSC::Yarr::YarrCodeBlock::clear):
2079
2080 2018-04-17  Commit Queue  <commit-queue@webkit.org>
2081
2082         Unreviewed, rolling out r230697, r230720, and r230724.
2083         https://bugs.webkit.org/show_bug.cgi?id=184717
2084
2085         These caused multiple failures on the Test262 testers.
2086         (Requested by mlewis13 on #webkit).
2087
2088         Reverted changesets:
2089
2090         "[WebAssembly][Modules] Prototype wasm import"
2091         https://bugs.webkit.org/show_bug.cgi?id=184600
2092         https://trac.webkit.org/changeset/230697
2093
2094         "[WebAssembly][Modules] Implement function import from wasm
2095         modules"
2096         https://bugs.webkit.org/show_bug.cgi?id=184689
2097         https://trac.webkit.org/changeset/230720
2098
2099         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
2100         https://bugs.webkit.org/show_bug.cgi?id=184703
2101         https://trac.webkit.org/changeset/230724
2102
2103 2018-04-17  JF Bastien  <jfbastien@apple.com>
2104
2105         A put is not an ExistingProperty put when we transition a structure because of an attributes change
2106         https://bugs.webkit.org/show_bug.cgi?id=184706
2107         <rdar://problem/38871451>
2108
2109         Reviewed by Saam Barati.
2110
2111         When putting a property on a structure and the slot is a different
2112         type, the slot can't be said to have already been existing.
2113
2114         * runtime/JSObjectInlines.h:
2115         (JSC::JSObject::putDirectInternal):
2116
2117 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2118
2119         JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
2120         https://bugs.webkit.org/show_bug.cgi?id=184705
2121
2122         Reviewed by Michael Saboff.
2123         
2124         My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
2125         while testing an unrelated patch, a concurrent GC thread crashed inside
2126         JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
2127         because a typed array became wasteful concurrently to the GC. So, visitChildren() read one
2128         mode and another vector.
2129         
2130         The fix is to lock inside visitChildren and anyone who changes those fields.
2131         
2132         I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
2133         this.
2134
2135         * runtime/JSArrayBufferView.cpp:
2136         (JSC::JSArrayBufferView::neuter):
2137         * runtime/JSGenericTypedArrayViewInlines.h:
2138         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2139         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2140
2141 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
2142
2143         PutStackSinkingPhase should know that KillStack means ConflictingFlush
2144         https://bugs.webkit.org/show_bug.cgi?id=184672
2145
2146         Reviewed by Michael Saboff.
2147
2148         We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
2149         KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
2150         archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
2151         intentional - I don't know.
2152
2153         Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
2154         doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
2155         the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
2156         KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
2157         that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
2158         specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
2159         could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
2160         KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
2161         inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
2162         have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
2163         values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
2164         value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
2165
2166         This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
2167         them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
2168         its stack slot for the purpose of clobberize.
2169
2170         * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
2171         * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
2172         * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
2173         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
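
        As an added illustration (not JavaScriptCore's own DFGPutStackSinkingPhase), the block below models the
        sinking decision for one straight-line block: a deferred PutStack is re-emitted where the slot must be
        materialized, and the flag selects whether KillStack counts as a clobber. Op names and the sample block
        are constructed for this example.

```python
"""Simplified single-block model of PutStack sinking, with and without treating
KillStack as a ConflictingFlush. Added illustration; not JSC code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Op:
    # kind is one of: PutStack, GetStack, KillStack, MovHint, Exit, Other
    kind: str
    slot: Optional[str] = None
    value: Optional[str] = None


def sink_put_stacks(ops: List[Op], kill_stack_clobbers: bool) -> List[Op]:
    """Forward flow over one block. Every PutStack is removed on sight and
    re-emitted at the first point where its slot's value must be in the stack:
    before a GetStack of that slot, before an Exit (OSR exit reads the stack),
    and, when kill_stack_clobbers is True, before a KillStack of that slot
    (KillStack "writes" the slot, i.e. it is a ConflictingFlush)."""
    pending: Dict[str, Op] = {}  # slot -> deferred PutStack
    out: List[Op] = []
    for op in ops:
        if op.kind == "PutStack":
            pending[op.slot] = op  # defer; emit later, as far down as allowed
            continue
        if op.kind == "GetStack":
            if op.slot in pending:
                out.append(pending.pop(op.slot))
        elif op.kind == "Exit":
            # OSR exit may read any live slot, so flush everything still pending.
            for slot in list(pending):
                out.append(pending.pop(slot))
        elif op.kind == "KillStack":
            if kill_stack_clobbers and op.slot in pending:
                # Fixed behaviour: the deferred write lands before the kill.
                out.append(pending.pop(op.slot))
            # Buggy behaviour (flag False): KillStack is ignored and the
            # PutStack keeps sinking, ending up after the KillStack.
        out.append(op)
    return out


def put_stack_sunk_past_kill(ops: List[Op], slot: str) -> bool:
    """True when a PutStack to `slot` appears after a KillStack of `slot`; an
    OSR exit would then see the PutStack value instead of the MovHint's."""
    killed = False
    for op in ops:
        if op.kind == "KillStack" and op.slot == slot:
            killed = True
        elif op.kind == "PutStack" and op.slot == slot and killed:
            return True
    return False


# Constructed block: v1 is stored to loc1, then loc1 is MovHint'ed to v2 and
# killed (OSR exit must use v2), then the code exits.
EXAMPLE_BLOCK = [
    Op("PutStack", "loc1", "v1"),
    Op("Other"),
    Op("MovHint", "loc1", "v2"),
    Op("KillStack", "loc1"),
    Op("Exit"),
]


def kinds(ops: List[Op]) -> List[str]:
    return [op.kind for op in ops]


if __name__ == "__main__":
    for clobbers in (False, True):
        result = sink_put_stacks(EXAMPLE_BLOCK, clobbers)
        print(clobbers, kinds(result), put_stack_sunk_past_kill(result, "loc1"))
```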
2174
2175 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2176
2177         JSWebAssemblyCodeBlock should be in an IsoSubspace
2178         https://bugs.webkit.org/show_bug.cgi?id=184704
2179
2180         Reviewed by Mark Lam.
2181         
2182         Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
2183         CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
2184         shortcircuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
2185         protection.
2186
2187         * runtime/VM.cpp:
2188         (JSC::VM::VM):
2189         * runtime/VM.h:
2190         * wasm/js/JSWebAssemblyCodeBlock.h:
2191
2192 2018-04-17  Jer Noble  <jer.noble@apple.com>
2193
2194         Only enable useSeparatedWXHeap on ARM64.
2195         https://bugs.webkit.org/show_bug.cgi?id=184697
2196
2197         Reviewed by Saam Barati.
2198
2199         * runtime/Options.cpp:
2200         (JSC::recomputeDependentOptions):
2201
2202 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2203
2204         [WebAssembly][Modules] Implement function import from wasm modules
2205         https://bugs.webkit.org/show_bug.cgi?id=184689
2206
2207         Reviewed by JF Bastien.
2208
2209         This patch implements function import from wasm modules. We move the function importing part
2210         from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
2211         is because linking these functions requires that all the dependent modules are created.
2212         While we want to move all the linking functionality from JSWebAssemblyInstance to
2213         WebAssemblyModuleRecord::link, we do not do that in this patch. In this patch, we move only
2214         the function importing part because efficient compilation of WebAssembly needs to know
2215         the type of WebAssemblyMemory (signaling or bounds checking). This needs to know the imported
2216         or attached WebAssembly memory object. So we cannot defer this linking to
2217         WebAssemblyModuleRecord::link now.
2218
2219         The largest difference from JS module linking is that WebAssembly module linking links
2220         function from the module by snapshotting. When you have a cyclic module graph like this,
2221
2222         -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) +
2223             ^                                                  |
2224             +--------------------------------------------------+
2225
2226         we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
2227         is described in [1], and tested in this patch.
2228
2229         [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
2230
2231         * JavaScriptCore.xcodeproj/project.pbxproj:
2232         * jsc.cpp:
2233         (functionDollarAgentStart):
2234         (checkException):
2235         (runWithOptions):
2236         Small fixes for wasm module loading.
2237
2238         * parser/NodesAnalyzeModule.cpp:
2239         (JSC::ImportDeclarationNode::analyzeModule):
2240         * runtime/AbstractModuleRecord.cpp:
2241         (JSC::AbstractModuleRecord::resolveImport):
2242         (JSC::AbstractModuleRecord::link):
2243         * runtime/AbstractModuleRecord.h:
2244         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
2245         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
2246         Now, wasm modules can have an import which is named "*", so this function does not work.
2247         Since wasm modules never have namespace importing, we check this in JS's module analyzer.
2248
2249         * runtime/JSModuleEnvironment.cpp:
2250         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2251         * runtime/JSModuleRecord.cpp:
2252         (JSC::JSModuleRecord::instantiateDeclarations):
2253         * wasm/WasmCreationMode.h: Added.
2254         * wasm/js/JSWebAssemblyInstance.cpp:
2255         (JSC::JSWebAssemblyInstance::finalizeCreation):
2256         (JSC::JSWebAssemblyInstance::create):
2257         * wasm/js/JSWebAssemblyInstance.h:
2258         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2259         (JSC::constructJSWebAssemblyInstance):
2260         * wasm/js/WebAssemblyModuleRecord.cpp:
2261         (JSC::WebAssemblyModuleRecord::link):
2262         * wasm/js/WebAssemblyModuleRecord.h:
2263         * wasm/js/WebAssemblyPrototype.cpp:
2264         (JSC::resolve):
2265         (JSC::instantiate):
2266         (JSC::compileAndInstantiate):
2267         (JSC::WebAssemblyPrototype::instantiate):
2268         (JSC::webAssemblyInstantiateFunc):
2269
2270 2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>
2271
2272         Implement setupArgumentsImpl for ARM and MIPS
2273         https://bugs.webkit.org/show_bug.cgi?id=183786
2274
2275         Reviewed by Yusuke Suzuki.
2276
2277         Implement setupArgumentsImpl for the ARM (hardfp and softfp) and MIPS calling conventions. Added
2278         numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
2279         registers used for 64-bit values on 32-bit architectures. numCrossSources
2280         keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
2281
2282         * assembler/MacroAssemblerARMv7.h:
2283         (JSC::MacroAssemblerARMv7::moveDouble):
2284         * assembler/MacroAssemblerMIPS.h:
2285         (JSC::MacroAssemblerMIPS::moveDouble):
2286         * jit/CCallHelpers.h:
2287         (JSC::CCallHelpers::setupStubCrossArgs):
2288         (JSC::CCallHelpers::ArgCollection::ArgCollection):
2289         (JSC::CCallHelpers::ArgCollection::pushRegArg):
2290         (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
2291         (JSC::CCallHelpers::ArgCollection::addGPRArg):
2292         (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
2293         (JSC::CCallHelpers::ArgCollection::addStackArg):
2294         (JSC::CCallHelpers::ArgCollection::addPoke):
2295         (JSC::CCallHelpers::ArgCollection::argCount):
2296         (JSC::CCallHelpers::calculatePokeOffset):
2297         (JSC::CCallHelpers::pokeForArgument):
2298         (JSC::CCallHelpers::stackAligned):
2299         (JSC::CCallHelpers::marshallArgumentRegister):
2300         (JSC::CCallHelpers::setupArgumentsImpl):
2301         (JSC::CCallHelpers::pokeArgumentsAligned):
2302         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
2303         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
2304         (JSC::CCallHelpers::setupArguments):
2305         * jit/FPRInfo.h:
2306         (JSC::FPRInfo::toArgumentRegister):
2307
2308 2018-04-17  Saam Barati  <sbarati@apple.com>
2309
2310         Add system trace points for process launch and for initializeWebProcess
2311         https://bugs.webkit.org/show_bug.cgi?id=184669
2312
2313         Reviewed by Simon Fraser.
2314
2315         * runtime/VMEntryScope.cpp:
2316         (JSC::VMEntryScope::VMEntryScope):
2317         (JSC::VMEntryScope::~VMEntryScope):
2318
2319 2018-04-17  Jer Noble  <jer.noble@apple.com>
2320
2321         Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
2322         https://bugs.webkit.org/show_bug.cgi?id=184602
2323
2324         Reviewed by Beth Dakin.
2325
2326         * JavaScriptCore.xcodeproj/project.pbxproj:
2327
2328 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2329
2330         [GLIB] Add API to clear JSCContext uncaught exception
2331         https://bugs.webkit.org/show_bug.cgi?id=184685
2332
2333         Reviewed by Žan Doberšek.
2334
2335         Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
2336
2337         * API/glib/JSCContext.cpp:
2338         (jsc_context_clear_exception):
2339         * API/glib/JSCContext.h:
2340         * API/glib/docs/jsc-glib-4.0-sections.txt:
2341
2342 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2343
2344         [GLIB] Add API to query, delete and enumerate properties
2345         https://bugs.webkit.org/show_bug.cgi?id=184647
2346
2347         Reviewed by Michael Catanzaro.
2348
2349         Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
2350
2351         * API/glib/JSCValue.cpp:
2352         (jsc_value_object_has_property):
2353         (jsc_value_object_delete_property):
2354         (jsc_value_object_enumerate_properties):
2355         * API/glib/JSCValue.h:
2356         * API/glib/docs/jsc-glib-4.0-sections.txt:
2357
2358 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2359
2360         [WebAssembly][Modules] Prototype wasm import
2361         https://bugs.webkit.org/show_bug.cgi?id=184600
2362
2363         Reviewed by JF Bastien.
2364
2365         This patch is an initial attempt to implement Wasm loading in the module pipeline.
2366         Currently,
2367
2368         1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
2369            in whatwg HTML, we should integrate this into WebCore.
2370
2371         2. We only support exporting values from Wasm. Wasm modules cannot import anything from
2372            the other modules now.
2373
2374         When loading a file, the JSC shell checks the wasm magic. If the wasm magic is found, the JSC shell
2375         loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
2376         module loader pipeline just handles it the same as JS. When parsing a module, we
2377         check the type of the JSSourceCode. If the source code is Wasm source code, we create a
2378         WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
2379         AbstractModuleRecord, and the Wasm module is instantiated, linked, and evaluated.
2380
2381         * builtins/ModuleLoaderPrototype.js:
2382         (globalPrivate.newRegistryEntry):
2383         (requestInstantiate):
2384         (link):
2385         * jsc.cpp:
2386         (convertShebangToJSComment):
2387         (fillBufferWithContentsOfFile):
2388         (fetchModuleFromLocalFileSystem):
2389         (GlobalObject::moduleLoaderFetch):
2390         * parser/SourceProvider.h:
2391         (JSC::WebAssemblySourceProvider::create):
2392         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
2393         * runtime/AbstractModuleRecord.cpp:
2394         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2395         (JSC::AbstractModuleRecord::link):
2396         (JSC::AbstractModuleRecord::evaluate):
2397         (JSC::identifierToJSValue): Deleted.
2398         * runtime/AbstractModuleRecord.h:
2399         * runtime/JSModuleLoader.cpp:
2400         (JSC::JSModuleLoader::evaluate):
2401         * runtime/JSModuleRecord.cpp:
2402         (JSC::JSModuleRecord::link):
2403         (JSC::JSModuleRecord::instantiateDeclarations):
2404         * runtime/JSModuleRecord.h:
2405         * runtime/ModuleLoaderPrototype.cpp:
2406         (JSC::moduleLoaderPrototypeParseModule):
2407         (JSC::moduleLoaderPrototypeRequestedModules):
2408         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
2409         * wasm/js/JSWebAssemblyHelpers.h:
2410         (JSC::getWasmBufferFromValue):
2411         (JSC::createSourceBufferFromValue):
2412         * wasm/js/JSWebAssemblyInstance.cpp:
2413         (JSC::JSWebAssemblyInstance::finalizeCreation):
2414         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
2415         (JSC::JSWebAssemblyInstance::create):
2416         * wasm/js/JSWebAssemblyInstance.h:
2417         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2418         (JSC::constructJSWebAssemblyInstance):
2419         * wasm/js/WebAssemblyModuleRecord.cpp:
2420         (JSC::WebAssemblyModuleRecord::prepareLink):
2421         (JSC::WebAssemblyModuleRecord::link):
2422         * wasm/js/WebAssemblyModuleRecord.h:
2423         * wasm/js/WebAssemblyPrototype.cpp:
2424         (JSC::resolve):
2425         (JSC::instantiate):
2426         (JSC::compileAndInstantiate):
2427         (JSC::WebAssemblyPrototype::instantiate):
2428         (JSC::webAssemblyInstantiateFunc):
2429         (JSC::webAssemblyValidateFunc):
2430         * wasm/js/WebAssemblyPrototype.h:
2431
2432 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
2433
2434         Function.prototype.caller shouldn't return generator bodies
2435         https://bugs.webkit.org/show_bug.cgi?id=184630
2436
2437         Reviewed by Yusuke Suzuki.
2438         
2439         Function.prototype.caller no longer returns generator bodies. Those are meant to be
2440         private.
2441         
2442         Also added some builtin debugging tools so that it's easier to do the investigation that I
2443         did.
2444
2445         * builtins/BuiltinNames.h:
2446         * runtime/JSFunction.cpp:
2447         (JSC::JSFunction::callerGetter):
2448         * runtime/JSGlobalObject.cpp:
2449         (JSC::JSGlobalObject::init):
2450         * runtime/JSGlobalObjectFunctions.cpp:
2451         (JSC::globalFuncBuiltinDescribe):
2452         * runtime/JSGlobalObjectFunctions.h:
2453
2454 2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2455
2456         [DFG] Remove duplicate 32bit ProfileType implementation
2457         https://bugs.webkit.org/show_bug.cgi?id=184536
2458
2459         Reviewed by Saam Barati.
2460
2461         This patch removes the duplicate 32bit ProfileType implementation by unifying the 32/64 implementations.
2462
2463         * dfg/DFGSpeculativeJIT.cpp:
2464         (JSC::DFG::SpeculativeJIT::compileProfileType):
2465         * dfg/DFGSpeculativeJIT.h:
2466         * dfg/DFGSpeculativeJIT32_64.cpp:
2467         (JSC::DFG::SpeculativeJIT::compile):
2468         * dfg/DFGSpeculativeJIT64.cpp:
2469         (JSC::DFG::SpeculativeJIT::compile):
2470         * jit/AssemblyHelpers.h:
2471         (JSC::AssemblyHelpers::branchIfUndefined):
2472         (JSC::AssemblyHelpers::branchIfNull):
2473
2474 2018-04-12  Mark Lam  <mark.lam@apple.com>
2475
2476         Consolidate some PtrTags.
2477         https://bugs.webkit.org/show_bug.cgi?id=184552
2478         <rdar://problem/39389404>
2479
2480         Reviewed by Filip Pizlo.
2481
2482         Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
2483         Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
2484
2485         * assembler/AbstractMacroAssembler.h:
2486         (JSC::AbstractMacroAssembler::repatchNearCall):
2487         * assembler/MacroAssemblerARM.h:
2488         (JSC::MacroAssemblerARM::readCallTarget):
2489         * assembler/MacroAssemblerARMv7.h:
2490         (JSC::MacroAssemblerARMv7::readCallTarget):
2491         * assembler/MacroAssemblerMIPS.h:
2492         (JSC::MacroAssemblerMIPS::readCallTarget):
2493         * assembler/MacroAssemblerX86.h:
2494         (JSC::MacroAssemblerX86::readCallTarget):
2495         * assembler/MacroAssemblerX86_64.h:
2496         (JSC::MacroAssemblerX86_64::readCallTarget):
2497         * bytecode/AccessCase.cpp:
2498         (JSC::AccessCase::generateImpl):
2499         * bytecode/InlineAccess.cpp:
2500         (JSC::InlineAccess::rewireStubAsJump):
2501         * bytecode/PolymorphicAccess.cpp:
2502         (JSC::PolymorphicAccess::regenerate):
2503         * dfg/DFGJITCompiler.cpp:
2504         (JSC::DFG::JITCompiler::linkOSRExits):
2505         (JSC::DFG::JITCompiler::link):
2506         (JSC::DFG::JITCompiler::compileFunction):
2507         * dfg/DFGJITFinalizer.cpp:
2508         (JSC::DFG::JITFinalizer::finalize):
2509         (JSC::DFG::JITFinalizer::finalizeFunction):
2510         * dfg/DFGOSREntry.cpp:
2511         (JSC::DFG::prepareOSREntry):
2512         * dfg/DFGOSRExit.cpp:
2513         (JSC::DFG::OSRExit::executeOSRExit):
2514         (JSC::DFG::adjustAndJumpToTarget):
2515         (JSC::DFG::OSRExit::compileOSRExit):
2516         * dfg/DFGOSRExitCompilerCommon.cpp:
2517         (JSC::DFG::adjustAndJumpToTarget):
2518         * dfg/DFGOperations.cpp:
2519         * ftl/FTLJITCode.cpp:
2520         (JSC::FTL::JITCode::executableAddressAtOffset):
2521         * ftl/FTLJITFinalizer.cpp:
2522         (JSC::FTL::JITFinalizer::finalizeCommon):
2523         * ftl/FTLLazySlowPath.cpp:
2524         (JSC::FTL::LazySlowPath::generate):
2525         * ftl/FTLLink.cpp:
2526         (JSC::FTL::link):
2527         * ftl/FTLLowerDFGToB3.cpp:
2528         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2529         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2530         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2531         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2532         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2533         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
2534         * ftl/FTLOSRExitCompiler.cpp:
2535         (JSC::FTL::compileFTLOSRExit):
2536         * ftl/FTLOSRExitHandle.cpp:
2537         (JSC::FTL::OSRExitHandle::emitExitThunk):
2538         * jit/AssemblyHelpers.cpp:
2539         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2540         * jit/JIT.cpp:
2541         (JSC::JIT::compileWithoutLinking):
2542         (JSC::JIT::link):
2543         * jit/JITCall.cpp:
2544         (JSC::JIT::compileOpCallSlowCase):
2545         * jit/JITCode.cpp:
2546         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2547         (JSC::NativeJITCode::addressForCall):
2548         * jit/JITInlines.h:
2549         (JSC::JIT::emitNakedCall):
2550         (JSC::JIT::emitNakedTailCall):
2551         * jit/JITMathIC.h:
2552         (JSC::isProfileEmpty):
2553         * jit/JITOpcodes.cpp:
2554         (JSC::JIT::privateCompileHasIndexedProperty):
2555         * jit/JITOperations.cpp:
2556         * jit/JITPropertyAccess.cpp:
2557         (JSC::JIT::stringGetByValStubGenerator):
2558         (JSC::JIT::privateCompileGetByVal):
2559         (JSC::JIT::privateCompileGetByValWithCachedId):
2560         (JSC::JIT::privateCompilePutByVal):
2561         (JSC::JIT::privateCompilePutByValWithCachedId):
2562         * jit/JITThunks.cpp:
2563         (JSC::JITThunks::hostFunctionStub):
2564         * jit/Repatch.cpp:
2565         (JSC::linkSlowFor):
2566         (JSC::linkFor):
2567         (JSC::linkPolymorphicCall):
2568         * jit/SpecializedThunkJIT.h:
2569         (JSC::SpecializedThunkJIT::finalize):
2570         * jit/ThunkGenerators.cpp:
2571         (JSC::virtualThunkFor):
2572         (JSC::nativeForGenerator):
2573         (JSC::boundThisNoArgsFunctionCallGenerator):
2574         * llint/LLIntData.cpp:
2575         (JSC::LLInt::initialize):
2576         * llint/LLIntEntrypoint.cpp:
2577         (JSC::LLInt::setEvalEntrypoint):
2578         (JSC::LLInt::setProgramEntrypoint):
2579         (JSC::LLInt::setModuleProgramEntrypoint):
2580         * llint/LLIntSlowPaths.cpp:
2581         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2582         (JSC::LLInt::setUpCall):
2583         * llint/LLIntThunks.cpp:
2584         (JSC::LLInt::generateThunkWithJumpTo):
2585         (JSC::LLInt::functionForCallEntryThunkGenerator):
2586         (JSC::LLInt::functionForConstructEntryThunkGenerator):
2587         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
2588         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
2589         (JSC::LLInt::evalEntryThunkGenerator):
2590         (JSC::LLInt::programEntryThunkGenerator):
2591         (JSC::LLInt::moduleProgramEntryThunkGenerator):
2592         * llint/LowLevelInterpreter.asm:
2593         * llint/LowLevelInterpreter64.asm:
2594         * runtime/NativeExecutable.cpp:
2595         (JSC::NativeExecutable::finishCreation):
2596         * runtime/NativeFunction.h:
2597         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2598         (JSC::TaggedNativeFunction::operator NativeFunction):
2599         * runtime/PtrTag.h:
2600         * wasm/WasmBBQPlan.cpp:
2601         (JSC::Wasm::BBQPlan::complete):
2602         * wasm/WasmOMGPlan.cpp:
2603         (JSC::Wasm::OMGPlan::work):
2604         * wasm/WasmThunks.cpp:
2605         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2606         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2607         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2608         * wasm/js/WasmToJS.cpp:
2609         (JSC::Wasm::wasmToJS):
2610         * wasm/js/WebAssemblyFunction.h:
2611         * yarr/YarrJIT.cpp:
2612         (JSC::Yarr::YarrGenerator::compile):
2613
2614 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2615
2616         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
2617         https://bugs.webkit.org/show_bug.cgi?id=184379
2618
2619         Reviewed by Žan Doberšek.
2620
2621         Load the module from the new location.
2622
2623         * PlatformWPE.cmake:
2624         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2625         (Inspector::backendCommands):
2626
2627 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2628
2629         [DFG] Remove compileBigIntEquality in DFG 32bit
2630         https://bugs.webkit.org/show_bug.cgi?id=184535
2631
2632         Reviewed by Saam Barati.
2633
2634         We can have the unified implementation for compileBigIntEquality.
2635
2636         * dfg/DFGSpeculativeJIT.cpp:
2637         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2638         * dfg/DFGSpeculativeJIT32_64.cpp:
2639         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2640         * dfg/DFGSpeculativeJIT64.cpp:
2641         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2642
2643 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2644
2645         [WPE] Improve include hierarchy
2646         https://bugs.webkit.org/show_bug.cgi?id=184376
2647
2648         Reviewed by Žan Doberšek.
2649
2650         Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
2651         /usr/include/wpe-0.1/WPE/jsc.
2652
2653         * PlatformWPE.cmake:
2654
2655 2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2656
2657         [GLIB] Handle strings containing null characters
2658         https://bugs.webkit.org/show_bug.cgi?id=184450
2659
2660         Reviewed by Michael Catanzaro.
2661
2662         We should be able to evaluate scripts containing null characters and to handle strings that contain them
2663         too. In JavaScript, strings are not null-terminated; they can contain null characters. This patch adds a length
2664         parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null terminated), and new functions
2665         jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
2666         contain null characters.
2667
2668         * API/OpaqueJSString.cpp:
2669         (OpaqueJSString::create): Add a create constructor that takes the String.
2670         * API/OpaqueJSString.h:
2671         (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
2672         * API/glib/JSCContext.cpp:
2673         (jsc_context_evaluate): Add length parameter.
2674         (jsc_context_evaluate_with_source_uri): Ditto.
2675         * API/glib/JSCContext.h:
2676         * API/glib/JSCValue.cpp:
2677         (jsc_value_new_string_from_bytes):
2678         (jsc_value_to_string):
2679         (jsc_value_to_string_as_bytes):
2680         (jsc_value_object_is_instance_of): Pass length to evaluate.
2681         * API/glib/JSCValue.h:
2682         * API/glib/docs/jsc-glib-4.0-sections.txt:
2683
2684 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2685
2686         [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
2687         https://bugs.webkit.org/show_bug.cgi?id=184500
2688
2689         Reviewed by Mark Lam.
2690
2691         Instead of passing JSValue::JSCellTag to the callOperation meta-program to convert a
2692         JSCell GPR to EncodedJSValue in 32bit code, we add CCallHelpers::CellValue.
2693         It is a wrapper for GPRReg, like TrustedImmPtr for a pointer value. When poking a
2694         CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
2695         poke the held GPR. The benefit of this CellValue is that we can use the same code
2696         for 32bit and 64bit. This patch removes several ifdefs.
2697
2698         * bytecode/AccessCase.cpp:
2699         (JSC::AccessCase::generateImpl):
2700         * dfg/DFGSpeculativeJIT.cpp:
2701         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2702         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2703         (JSC::DFG::SpeculativeJIT::cachedPutById):
2704         * dfg/DFGSpeculativeJIT32_64.cpp:
2705         (JSC::DFG::SpeculativeJIT::cachedGetById):
2706         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2707         * jit/CCallHelpers.h:
2708         (JSC::CCallHelpers::CellValue::CellValue):
2709         (JSC::CCallHelpers::CellValue::gpr const):
2710         (JSC::CCallHelpers::setupArgumentsImpl):
2711
2712 2018-04-11  Mark Lam  <mark.lam@apple.com>
2713
2714         [Build fix] Replace CompactJITCodeMap with JITCodeMap.
2715         https://bugs.webkit.org/show_bug.cgi?id=184512
2716         <rdar://problem/35391728>
2717
2718         Not reviewed.
2719
2720         * bytecode/CodeBlock.h:
2721         * jit/JITCodeMap.h:
2722
2723 2018-04-11  Mark Lam  <mark.lam@apple.com>
2724
2725         Replace CompactJITCodeMap with JITCodeMap.
2726         https://bugs.webkit.org/show_bug.cgi?id=184512
2727         <rdar://problem/35391728>
2728
2729         Reviewed by Filip Pizlo.
2730
2731         * CMakeLists.txt:
2732         * JavaScriptCore.xcodeproj/project.pbxproj:
2733         * bytecode/CodeBlock.h:
2734         (JSC::CodeBlock::setJITCodeMap):
2735         (JSC::CodeBlock::jitCodeMap const):
2736         (JSC::CodeBlock::jitCodeMap): Deleted.
2737         * dfg/DFGOSRExit.cpp:
2738         (JSC::DFG::OSRExit::executeOSRExit):
2739         * dfg/DFGOSRExitCompilerCommon.cpp:
2740         (JSC::DFG::adjustAndJumpToTarget):
2741         * jit/AssemblyHelpers.cpp:
2742         (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
2743         * jit/AssemblyHelpers.h:
2744         * jit/CompactJITCodeMap.h: Removed.
2745         * jit/JIT.cpp:
2746         (JSC::JIT::link):
2747         * jit/JITCodeMap.h: Added.
2748         (JSC::JITCodeMap::Entry::Entry):
2749         (JSC::JITCodeMap::Entry::bytecodeIndex const):
2750         (JSC::JITCodeMap::Entry::codeLocation):
2751         (JSC::JITCodeMap::append):
2752         (JSC::JITCodeMap::finish):
2753         (JSC::JITCodeMap::find const):
2754         (JSC::JITCodeMap::operator bool const):
2755         * llint/LLIntSlowPaths.cpp:
2756         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2757
2758 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2759
2760         [DFG] Remove CompareSlowPathGenerator
2761         https://bugs.webkit.org/show_bug.cgi?id=184492
2762
2763         Reviewed by Mark Lam.
2764
2765         Now CompareSlowPathGenerator is just calling a specified function.
2766         This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.
2767
2768         We also remove some of the unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
2769         introducing a new constructor for GPRTemporary.
2770
2771         * JavaScriptCore.xcodeproj/project.pbxproj:
2772         * dfg/DFGCompareSlowPathGenerator.h: Removed.
2773         * dfg/DFGSpeculativeJIT.cpp:
2774         (JSC::DFG::GPRTemporary::GPRTemporary):
2775         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
2776         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
2777         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2778         (JSC::DFG::SpeculativeJIT::compileIsObject):
2779         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2780         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2781         * dfg/DFGSpeculativeJIT.h:
2782         (JSC::DFG::GPRTemporary::GPRTemporary):
2783         * dfg/DFGSpeculativeJIT64.cpp:
2784         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2785
2786 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2787
2788         Unreviewed, build fix for 32bit
2789         https://bugs.webkit.org/show_bug.cgi?id=184236
2790
2791         * dfg/DFGSpeculativeJIT.cpp:
2792         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2793
2794 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2795
2796         [DFG] Remove duplicate 32bit code more
2797         https://bugs.webkit.org/show_bug.cgi?id=184236
2798
2799         Reviewed by Mark Lam.
2800
2801         Remove duplicate 32bit code more aggressively, part 2.
2802
2803         * JavaScriptCore.xcodeproj/project.pbxproj:
2804         * dfg/DFGCompareSlowPathGenerator.h: Added.
2805         (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
2806         Drop boxing part. Use unblessedBooleanResult in DFGSpeculativeJIT side instead.
2807
2808         * dfg/DFGOperations.cpp:
2809         * dfg/DFGOperations.h:
2810         * dfg/DFGSpeculativeJIT.cpp:
2811         (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
2812         (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
2813         (JSC::DFG::SpeculativeJIT::compileIsObject):
2814         (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
2815         (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
2816         (JSC::DFG::SpeculativeJIT::compilePutById):
2817         (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
2818         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
2819         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2820         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
2821         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2822         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2823         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2824         (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
2825         (JSC::DFG::SpeculativeJIT::cachedPutById):
2826         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2827         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2828         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
2829         * dfg/DFGSpeculativeJIT.h:
2830         (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
2831         * dfg/DFGSpeculativeJIT32_64.cpp:
2832         (JSC::DFG::SpeculativeJIT::compile):
2833         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2834         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2835         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2836         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
2837         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2838         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2839         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2840         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2841         * dfg/DFGSpeculativeJIT64.cpp:
2842         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2843         (JSC::DFG::SpeculativeJIT::compile):
2844         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2845         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2846         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2847         (): Deleted.
2848         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2849         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2850         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2851         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2852         * ftl/FTLLowerDFGToB3.cpp:
2853         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2854         operationHasIndexedPropertyByInt starts returning unblessed boolean with size_t.
2855
2856         * jit/AssemblyHelpers.h:
2857         (JSC::AssemblyHelpers::loadValue):
2858         (JSC::AssemblyHelpers::selectScratchGPR):
2859         (JSC::AssemblyHelpers::constructRegisterSet):
2860         * jit/RegisterSet.h:
2861         (JSC::RegisterSet::setAny):
2862         Clean up selectScratchGPR code to pass JSValueRegs.
2863
2864 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
2865
2866         [ESNext][BigInt] Add support for BigInt in SpeculatedType
2867         https://bugs.webkit.org/show_bug.cgi?id=182470
2868
2869         Reviewed by Saam Barati.
2870
2871         This patch introduces the SpecBigInt type to DFG to enable BigInt
2872         speculation into DFG and FTL.
2873
2874         With the SpecBigInt introduction, we can then specialize "===" operations
2875         on BigInts. As we do for some cells, we first check if the operands
2876         point to the same JSCell, and if that is false, we
2877         fall back to "operationCompareStrictEqCell". The idea in further
2878         patches is to implement the BigInt equality check directly in
2879         assembly.
2880
2881         We are also adding support for BigInt constant folding into
2882         TypeOf operation.
2883
2884         * bytecode/SpeculatedType.cpp:
2885         (JSC::dumpSpeculation):
2886         (JSC::speculationFromClassInfo):
2887         (JSC::speculationFromStructure):
2888         (JSC::speculationFromJSType):
2889         (JSC::speculationFromString):
2890         * bytecode/SpeculatedType.h:
2891         (JSC::isBigIntSpeculation):
2892         * dfg/DFGAbstractInterpreterInlines.h:
2893         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2894         * dfg/DFGAbstractValue.cpp:
2895         (JSC::DFG::AbstractValue::set):
2896         * dfg/DFGConstantFoldingPhase.cpp:
2897         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2898         * dfg/DFGFixupPhase.cpp:
2899         (JSC::DFG::FixupPhase::fixupNode):
2900         (JSC::DFG::FixupPhase::fixupToThis):
2901         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2902         * dfg/DFGInferredTypeCheck.cpp:
2903         (JSC::DFG::insertInferredTypeCheck):
2904         * dfg/DFGNode.h:
2905         (JSC::DFG::Node::shouldSpeculateBigInt):
2906         * dfg/DFGPredictionPropagationPhase.cpp:
2907         * dfg/DFGSafeToExecute.h:
2908         (JSC::DFG::SafeToExecuteEdge::operator()):
2909         * dfg/DFGSpeculativeJIT.cpp:
2910         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2911         (JSC::DFG::SpeculativeJIT::speculateBigInt):
2912         (JSC::DFG::SpeculativeJIT::speculate):
2913         * dfg/DFGSpeculativeJIT.h:
2914         * dfg/DFGSpeculativeJIT32_64.cpp:
2915         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2916         * dfg/DFGSpeculativeJIT64.cpp:
2917         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2918         * dfg/DFGUseKind.cpp:
2919         (WTF::printInternal):
2920         * dfg/DFGUseKind.h:
2921         (JSC::DFG::typeFilterFor):
2922         (JSC::DFG::isCell):
2923         * ftl/FTLCapabilities.cpp:
2924         (JSC::FTL::canCompile):
2925         * ftl/FTLLowerDFGToB3.cpp:
2926         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2927         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
2928         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2929         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
2930         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
2931         * jit/AssemblyHelpers.cpp:
2932         (JSC::AssemblyHelpers::branchIfNotType):
2933         * jit/AssemblyHelpers.h:
2934         (JSC::AssemblyHelpers::branchIfBigInt):
2935         (JSC::AssemblyHelpers::branchIfNotBigInt):
2936         * runtime/InferredType.cpp:
2937         (JSC::InferredType::Descriptor::forValue):
2938         (JSC::InferredType::Descriptor::putByIdFlags const):
2939         (JSC::InferredType::Descriptor::merge):
2940         (WTF::printInternal):
2941         * runtime/InferredType.h:
2942         * runtime/JSBigInt.h:
2943
2944 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2945
2946         Unreviewed, fix cloop build.
2947
2948         * dfg/DFGAbstractInterpreterClobberState.cpp:
2949
2950 2018-04-10  Mark Lam  <mark.lam@apple.com>
2951
2952         Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
2953         https://bugs.webkit.org/show_bug.cgi?id=184464
2954         <rdar://problem/39323947>
2955
2956         Reviewed by Saam Barati.
2957
2958         * heap/MarkedSpace.h:
2959         (JSC::MarkedSpace::sizeClassToIndex):
2960
2961 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
2962
2963         DFG AI and clobberize should agree with each other
2964         https://bugs.webkit.org/show_bug.cgi?id=184440
2965
2966         Reviewed by Saam Barati.
2967         
2968         One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
2969         agree with each other. That's what this patch does: it adds an assertion that AI's structure
2970         state tracking must be equivalent to JSCell_structureID being clobbered.
2971         
2972         One subtlety is that AI sometimes folds away structure clobbering using information that
2973         clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
2974         ObservedTransitions).
2975         
2976         This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
2977         clobberize missing a write(Heap).
2978         
2979         This also makes some cases more precise in order to appease the assertion. Making things more
2980         precise might make things faster, but I didn't measure it because that wasn't the goal.
2981
2982         * JavaScriptCore.xcodeproj/project.pbxproj:
2983         * Sources.txt:
2984         * dfg/DFGAbstractInterpreter.h:
2985         * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
2986         (WTF::printInternal):
2987         * dfg/DFGAbstractInterpreterClobberState.h: Added.
2988         (JSC::DFG::mergeClobberStates):
2989         * dfg/DFGAbstractInterpreterInlines.h:
2990         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
2991         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2992         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
2993         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
2994         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
2995         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
2996         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
2997         (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
2998         * dfg/DFGAtTailAbstractState.h:
2999         (JSC::DFG::AtTailAbstractState::setClobberState):
3000         (JSC::DFG::AtTailAbstractState::mergeClobberState):
3001         (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
3002         * dfg/DFGCFAPhase.cpp:
3003         (JSC::DFG::CFAPhase::performBlockCFA):
3004         * dfg/DFGClobberSet.cpp:
3005         (JSC::DFG::writeSet):
3006         * dfg/DFGClobberSet.h:
3007         * dfg/DFGClobberize.h:
3008         (JSC::DFG::clobberize):
3009         * dfg/DFGConstantFoldingPhase.cpp:
3010         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3011         * dfg/DFGInPlaceAbstractState.h:
3012         (JSC::DFG::InPlaceAbstractState::clobberState const):
3013         (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
3014         (JSC::DFG::InPlaceAbstractState::didClobber const):
3015         (JSC::DFG::InPlaceAbstractState::setClobberState):
3016         (JSC::DFG::InPlaceAbstractState::mergeClobberState):
3017         (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
3018
3019 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
3020
3021         ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
3022         https://bugs.webkit.org/show_bug.cgi?id=184460
3023         <rdar://problem/37610966>
3024
3025         Reviewed by Mark Lam.
3026
3027         * bytecode/ExecutableToCodeBlockEdge.cpp:
3028         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3029
3030 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
3031
3032         REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
3033         https://bugs.webkit.org/show_bug.cgi?id=184455
3034
3035         Reviewed by Michael Saboff.
3036         
3037         LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
3038         says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
3039         (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
3040         the thing being hoisted does have effects, then we get a crash.
3041         
3042         In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
3043         CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
3044         would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
3045         effectful.
3046         
3047         Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
3048         clobberize to also think that CompareEq(Untyped:, _) is effectful.
3049         
3050         This fixes the whole situation by teaching both clobberize and AI that the only effectful form
3051         of CompareEq is CompareEq(Untyped:, Untyped:).
3052
3053         * dfg/DFGAbstractInterpreterInlines.h:
3054         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3055         * dfg/DFGClobberize.h:
3056         (JSC::DFG::clobberize):
3057
3058 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
3059
3060         Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
3061         https://bugs.webkit.org/show_bug.cgi?id=184372
3062
3063         Reviewed by Saam Barati.
3064         
3065         We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
3066         have already proved, using techniques that are more precise than AI, that the edge has type
3067         Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
3068         because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
3069         other than a check - so we think we can call those just because we should have already
3070         bailed. It's better to think of them as the result of folding a check. Therefore, we should
3071         only do it if there had been a check to begin with.
3072
3073         * dfg/DFGSpeculativeJIT64.cpp:
3074         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3075         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3076         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3077         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3078         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3079         * ftl/FTLLowerDFGToB3.cpp:
3080         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
3081         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
3082         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
3083         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
3084         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
3085         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3086         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
3087         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
3088
3089 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3090
3091         [JSC] Introduce @putByIdDirectPrivate
3092         https://bugs.webkit.org/show_bug.cgi?id=184400
3093
3094         Reviewed by Saam Barati.
3095
3096         This patch adds @putByIdDirectPrivate() to use it for builtin JS.
3097         @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
3098         for accessing ECMAScript internal fields.
3099
3100         This change removes an accidental [[Put]] operation on an object whose [[Prototype]]
3101         has internal fields (not direct properties). By using @getByIdDirectPrivate() and
3102         @putByIdDirectPrivate(), we strongly keep the semantics of the ECMAScript internal
3103         fields: accessing the internal fields does not traverse prototype chains.
3104
3105         * builtins/ArrayIteratorPrototype.js:
3106         (globalPrivate.arrayIteratorValueNext):
3107         (globalPrivate.arrayIteratorKeyNext):
3108         (globalPrivate.arrayIteratorKeyValueNext):
3109         * builtins/ArrayPrototype.js:
3110         (globalPrivate.createArrayIterator):
3111         * builtins/AsyncFromSyncIteratorPrototype.js:
3112         (globalPrivate.AsyncFromSyncIteratorConstructor):
3113         * builtins/AsyncFunctionPrototype.js:
3114         (globalPrivate.asyncFunctionResume):
3115         * builtins/AsyncGeneratorPrototype.js:
3116         (globalPrivate.asyncGeneratorQueueEnqueue):
3117         (globalPrivate.asyncGeneratorQueueDequeue):
3118         (asyncGeneratorYieldAwaited):
3119         (globalPrivate.asyncGeneratorYield):
3120         (globalPrivate.doAsyncGeneratorBodyCall):
3121         (globalPrivate.asyncGeneratorResumeNext):
3122         * builtins/GeneratorPrototype.js:
3123         (globalPrivate.generatorResume):
3124         * builtins/MapIteratorPrototype.js:
3125         (globalPrivate.mapIteratorNext):
3126         * builtins/MapPrototype.js:
3127         (globalPrivate.createMapIterator):
3128         * builtins/ModuleLoaderPrototype.js:
3129         (forceFulfillPromise):
3130         * builtins/PromiseOperations.js:
3131         (globalPrivate.newHandledRejectedPromise):
3132         (globalPrivate.rejectPromise):
3133         (globalPrivate.fulfillPromise):
3134         (globalPrivate.initializePromise):
3135         * builtins/PromisePrototype.js:
3136         (then):
3137         * builtins/SetIteratorPrototype.js:
3138         (globalPrivate.setIteratorNext):
3139         * builtins/SetPrototype.js:
3140         (globalPrivate.createSetIterator):
3141         * builtins/StringIteratorPrototype.js:
3142         (next):
3143         * bytecode/BytecodeIntrinsicRegistry.h:
3144         * bytecompiler/NodesCodegen.cpp:
3145         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
3146         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
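
        The prototype-chain point made in this entry (and again in the op_get_by_id_direct entry
        below) as an added JavaScript illustration; this is not JSC code. A [[Get]]-style lookup
        finds an "internal field" inherited through [[Prototype]], so a plain object created with
        Object.create(instance) is mistaken for a genuine instance, while a [[GetOwnProperty]]-style
        lookup only sees the object's own field; likewise a [[Set]]-style store can be intercepted
        by an inherited setter, whereas a direct define cannot. The Symbol key, the helper names
        and the scenario objects are constructed for the illustration; JSC's builtins use private
        symbols that script cannot obtain.

```javascript
// Added illustration, not JSC code: own-property-only access versus
// prototype-walking access for an "internal field". The key is modelled with
// an ordinary Symbol (constructed); JSC uses private symbols instead.
const kInternalState = Symbol("internalState");

// Models a [[Get]]-style lookup (what `obj[key]` does): walks [[Prototype]].
function getByIdViaGet(obj, key) {
  return obj[key];
}

// Models a [[GetOwnProperty]]-style lookup: own property only, no chain walk.
function getByIdDirect(obj, key) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  return desc === undefined ? undefined : desc.value;
}

// Models a direct define: creates the own property without consulting the
// prototype chain, so inherited setters are never invoked.
function putByIdDirect(obj, key, value) {
  Object.defineProperty(obj, key, {
    value, writable: true, configurable: true, enumerable: false,
  });
  return obj;
}

// A "builtin" that decides whether an object carries the internal field,
// parameterised by the lookup it uses.
function hasInternalField(obj, lookup) {
  return lookup(obj, kInternalState) !== undefined;
}

// Scenario (constructed): a genuine instance carrying the field, and a plain
// object whose [[Prototype]] is that instance but which has no field itself.
function buildScenario() {
  const genuine = putByIdDirect({}, kInternalState, "pending");
  const derived = Object.create(genuine);
  return { genuine, derived };
}

// With [[Get]] the derived object appears to carry the field (inherited);
// with the direct lookup it correctly does not.
function classify() {
  const { genuine, derived } = buildScenario();
  return {
    genuineViaGet: hasInternalField(genuine, getByIdViaGet), // true
    genuineDirect: hasInternalField(genuine, getByIdDirect), // true
    derivedViaGet: hasInternalField(derived, getByIdViaGet), // true (wrong)
    derivedDirect: hasInternalField(derived, getByIdDirect), // false (correct)
  };
}

// Writing: a [[Set]]-style store is intercepted by an inherited setter and
// never creates the own field; the direct define creates it regardless.
function storeComparison() {
  const trap = {};
  let intercepted = 0;
  Object.defineProperty(trap, kInternalState, {
    set() { intercepted += 1; },
    configurable: true,
  });
  const viaSet = Object.create(trap);
  viaSet[kInternalState] = "fulfilled"; // runs the inherited setter
  const viaDirect = putByIdDirect(Object.create(trap), kInternalState, "fulfilled");
  const hasOwn = (o) => Object.prototype.hasOwnProperty.call(o, kInternalState);
  return {
    intercepted,                                          // 1
    viaSetOwn: hasOwn(viaSet),                            // false
    viaDirectOwn: hasOwn(viaDirect),                      // true
    viaDirectValue: getByIdDirect(viaDirect, kInternalState), // "fulfilled"
  };
}
```

        The two lookups agree on a genuine instance and disagree only on objects that merely
        inherit from one, which is exactly the case the direct bytecodes exist to close.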
3147
3148 2018-04-09  Mark Lam  <mark.lam@apple.com>
3149
3150         Decorate method table entries to support pointer profiling.
3151         https://bugs.webkit.org/show_bug.cgi?id=184430
3152         <rdar://problem/39296190>
3153
3154         Reviewed by Saam Barati.
3155
3156         * runtime/ClassInfo.h:
3157
3158 2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>
3159
3160         [WPE] Don't install JSC C API headers
3161         https://bugs.webkit.org/show_bug.cgi?id=184375
3162
3163         Reviewed by Žan Doberšek.
3164
3165         None of the functions declared in these headers are exported in WPE. Use the new jsc API
3166         instead.
3167
3168         * PlatformWPE.cmake:
3169
3170 2018-04-08  Mark Lam  <mark.lam@apple.com>
3171
3172         Add pointer profiling to the FTL and supporting code.
3173         https://bugs.webkit.org/show_bug.cgi?id=184395
3174         <rdar://problem/39264019>
3175
3176         Reviewed by Michael Saboff and Filip Pizlo.
3177
3178         * assembler/CodeLocation.h:
3179         (JSC::CodeLocationLabel::retagged):
3180         (JSC::CodeLocationJump::retagged):
3181         * assembler/LinkBuffer.h:
3182         (JSC::LinkBuffer::locationOf):
3183         * dfg/DFGJITCompiler.cpp:
3184         (JSC::DFG::JITCompiler::linkOSRExits):
3185         (JSC::DFG::JITCompiler::link):
3186         * ftl/FTLCompile.cpp:
3187         (JSC::FTL::compile):
3188         * ftl/FTLExceptionTarget.cpp:
3189         (JSC::FTL::ExceptionTarget::label):
3190         (JSC::FTL::ExceptionTarget::jumps):
3191         * ftl/FTLExceptionTarget.h:
3192         * ftl/FTLJITCode.cpp:
3193         (JSC::FTL::JITCode::executableAddressAtOffset):
3194         * ftl/FTLLazySlowPath.cpp:
3195         (JSC::FTL::LazySlowPath::~LazySlowPath):
3196         (JSC::FTL::LazySlowPath::initialize):
3197         (JSC::FTL::LazySlowPath::generate):
3198         (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
3199         * ftl/FTLLazySlowPath.h:
3200         * ftl/FTLLink.cpp:
3201         (JSC::FTL::link):
3202         * ftl/FTLLowerDFGToB3.cpp:
3203         (JSC::FTL::DFG::LowerDFGToB3::lower):
3204         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3205         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3206         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3207         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3208         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3209         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3210         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3211         * ftl/FTLOSRExitCompiler.cpp:
3212         (JSC::FTL::compileStub):
3213         (JSC::FTL::compileFTLOSRExit):
3214         * ftl/FTLOSRExitHandle.cpp:
3215         (JSC::FTL::OSRExitHandle::emitExitThunk):
3216         * ftl/FTLOperations.cpp:
3217         (JSC::FTL::compileFTLLazySlowPath):
3218         * ftl/FTLOutput.h:
3219         (JSC::FTL::Output::callWithoutSideEffects):
3220         (JSC::FTL::Output::operation):
3221         * ftl/FTLPatchpointExceptionHandle.cpp:
3222         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3223         * ftl/FTLSlowPathCall.cpp:
3224         (JSC::FTL::SlowPathCallContext::makeCall):
3225         * ftl/FTLSlowPathCallKey.h:
3226         (JSC::FTL::SlowPathCallKey::withCallTarget):
3227         (JSC::FTL::SlowPathCallKey::callPtrTag const):
3228         * ftl/FTLThunks.cpp:
3229         (JSC::FTL::genericGenerationThunkGenerator):
3230         (JSC::FTL::osrExitGenerationThunkGenerator):
3231         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3232         (JSC::FTL::slowPathCallThunkGenerator):
3233         * jit/JITMathIC.h:
3234         (JSC::isProfileEmpty):
3235         * jit/Repatch.cpp:
3236         (JSC::readPutICCallTarget):
3237         (JSC::ftlThunkAwareRepatchCall):
3238         (JSC::tryCacheGetByID):
3239         (JSC::repatchGetByID):
3240         (JSC::tryCachePutByID):
3241         (JSC::repatchPutByID):
3242         (JSC::repatchIn):
3243         (JSC::resetGetByID):
3244         (JSC::resetPutByID):
3245         (JSC::readCallTarget): Deleted.
3246         * jit/Repatch.h:
3247         * runtime/PtrTag.h:
3248
3249 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3250
3251         Unreviewed, attempt to fix Windows build
3252         https://bugs.webkit.org/show_bug.cgi?id=183508
3253
3254         * jit/JIT.h:
3255
3256 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3257
3258         Unreviewed, build fix for Windows by suppressing padding warning for JIT
3259         https://bugs.webkit.org/show_bug.cgi?id=183508
3260
3261         * jit/JIT.h:
3262
3263 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3264
3265         Use alignas instead of compiler-specific attributes
3266         https://bugs.webkit.org/show_bug.cgi?id=183508
3267
3268         Reviewed by Mark Lam.
3269
3270         Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
3271
3272         * heap/RegisterState.h:
3273         * jit/JIT.h:
3274         (JSC::JIT::compile): Deleted.
3275         (JSC::JIT::compileGetByVal): Deleted.
3276         (JSC::JIT::compileGetByValWithCachedId): Deleted.
3277         (JSC::JIT::compilePutByVal): Deleted.
3278         (JSC::JIT::compileDirectPutByVal): Deleted.
3279         (JSC::JIT::compilePutByValWithCachedId): Deleted.
3280         (JSC::JIT::compileHasIndexedProperty): Deleted.
3281         (JSC::JIT::appendCall): Deleted.
3282         (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
3283         (JSC::JIT::exceptionCheck): Deleted.
3284         (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
3285         (JSC::JIT::emitInt32Load): Deleted.
3286         (JSC::JIT::emitInt32GetByVal): Deleted.
3287         (JSC::JIT::emitInt32PutByVal): Deleted.
3288         (JSC::JIT::emitDoublePutByVal): Deleted.
3289         (JSC::JIT::emitContiguousPutByVal): Deleted.
3290         (JSC::JIT::emitStoreCell): Deleted.
3291         (JSC::JIT::getSlowCase): Deleted.
3292         (JSC::JIT::linkSlowCase): Deleted.
3293         (JSC::JIT::linkDummySlowCase): Deleted.
3294         (JSC::JIT::linkAllSlowCases): Deleted.
3295         (JSC::JIT::callOperation): Deleted.
3296         (JSC::JIT::callOperationWithProfile): Deleted.
3297         (JSC::JIT::callOperationWithResult): Deleted.
3298         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
3299         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
3300         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
3301         (JSC::JIT::sampleCodeBlock): Deleted.
3302         (JSC::JIT::canBeOptimized): Deleted.
3303         (JSC::JIT::canBeOptimizedOrInlined): Deleted.
3304         (JSC::JIT::shouldEmitProfiling): Deleted.
3305         * runtime/VM.h:
3306
3307 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3308
3309         Unreviewed, follow-up patch for DFG 32bit
3310         https://bugs.webkit.org/show_bug.cgi?id=183970
3311
3312         * dfg/DFGSpeculativeJIT32_64.cpp:
3313         (JSC::DFG::SpeculativeJIT::cachedGetById):
3314
3315 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3316
3317         [JSC] Fix incorrect assertion for VM's regexp buffer lock
3318         https://bugs.webkit.org/show_bug.cgi?id=184398
3319
3320         Reviewed by Mark Lam.
3321
3322         The isLocked check before taking the lock is incorrect.
3323
3324         * runtime/VM.cpp:
3325         (JSC::VM::acquireRegExpPatternContexBuffer):
3326
3327 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3328
3329         [JSC] Introduce op_get_by_id_direct
3330         https://bugs.webkit.org/show_bug.cgi?id=183970
3331
3332         Reviewed by Filip Pizlo.
3333
3334         This patch introduces the op_get_by_id_direct bytecode. This is super similar to op_get_by_id.
3335         But it just performs the [[GetOwnProperty]] operation instead of [[Get]]. We support this
3336         in all the tiers, so using this opcode does not lead to inefficiency.
3337
3338         The main purpose of op_get_by_id_direct is to use it for private properties. We use
3339         properties indexed with private symbols to implement ECMAScript internal fields. Before this
3340         patch, we just used get and put operations. However, that is not the correct semantics:
3341         accessing the internal fields should not traverse the prototype chain, as specified in the spec.
3342         We use op_get_by_id_direct to access properties which are used as internal fields, so that
3343         prototype chains are not traversed.
3344
3345         To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
3346         When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
3347         bytecode `op_get_by_id_direct, object, @name`.
3348
3349         * builtins/ArrayIteratorPrototype.js:
3350         (next):
3351         (globalPrivate.arrayIteratorValueNext):
3352         (globalPrivate.arrayIteratorKeyNext):
3353         (globalPrivate.arrayIteratorKeyValueNext):
3354         * builtins/AsyncFromSyncIteratorPrototype.js:
3355         * builtins/AsyncFunctionPrototype.js:
3356         (globalPrivate.asyncFunctionResume):
3357         * builtins/AsyncGeneratorPrototype.js:
3358         (globalPrivate.asyncGeneratorQueueIsEmpty):
3359         (globalPrivate.asyncGeneratorQueueEnqueue):
3360         (globalPrivate.asyncGeneratorQueueDequeue):
3361         (globalPrivate.asyncGeneratorDequeue):
3362         (globalPrivate.isExecutionState):
3363         (globalPrivate.isSuspendYieldState):
3364         (globalPrivate.asyncGeneratorReject):
3365         (globalPrivate.asyncGeneratorResolve):
3366         (globalPrivate.doAsyncGeneratorBodyCall):
3367         (globalPrivate.asyncGeneratorEnqueue):
3368         * builtins/GeneratorPrototype.js:
3369         (globalPrivate.generatorResume):
3370         (next):
3371         (return):
3372         (throw):
3373         * builtins/MapIteratorPrototype.js:
3374         (next):
3375         * builtins/PromiseOperations.js:
3376         (globalPrivate.isPromise):
3377         (globalPrivate.rejectPromise):
3378         (globalPrivate.fulfillPromise):
3379         * builtins/PromisePrototype.js:
3380         (then):
3381         * builtins/SetIteratorPrototype.js:
3382         (next):
3383         * builtins/StringIteratorPrototype.js:
3384         (next):
3385         * builtins/TypedArrayConstructor.js:
3386         (of):
3387         (from):
3388         * bytecode/BytecodeDumper.cpp:
3389         (JSC::BytecodeDumper<Block>::dumpBytecode):
3390         * bytecode/BytecodeIntrinsicRegistry.h:
3391         * bytecode/BytecodeList.json:
3392         * bytecode/BytecodeUseDef.h:
3393         (JSC::computeUsesForBytecodeOffset):
3394         (JSC::computeDefsForBytecodeOffset):
3395         * bytecode/CodeBlock.cpp:
3396         (JSC::CodeBlock::finishCreation):
3397         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3398         * bytecode/GetByIdStatus.cpp:
3399         (JSC::GetByIdStatus::computeFromLLInt):
3400         (JSC::GetByIdStatus::computeFor):
3401         * bytecode/StructureStubInfo.cpp:
3402         (JSC::StructureStubInfo::reset):
3403         * bytecode/StructureStubInfo.h:
3404         (JSC::appropriateOptimizingGetByIdFunction):
3405         (JSC::appropriateGenericGetByIdFunction):
3406         * bytecompiler/BytecodeGenerator.cpp:
3407         (JSC::BytecodeGenerator::emitDirectGetById):
3408         * bytecompiler/BytecodeGenerator.h:
3409         * bytecompiler/NodesCodegen.cpp:
3410         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
3411         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
3412         * dfg/DFGAbstractInterpreterInlines.h:
3413         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3414         * dfg/DFGByteCodeParser.cpp:
3415         (JSC::DFG::ByteCodeParser::handleGetById):
3416         (JSC::DFG::ByteCodeParser::parseBlock):
3417         * dfg/DFGCapabilities.cpp:
3418         (JSC::DFG::capabilityLevel):
3419         * dfg/DFGClobberize.h:
3420         (JSC::DFG::clobberize):
3421         * dfg/DFGConstantFoldingPhase.cpp:
3422         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3423         * dfg/DFGDoesGC.cpp:
3424         (JSC::DFG::doesGC):
3425         * dfg/DFGFixupPhase.cpp:
3426         (JSC::DFG::FixupPhase::fixupNode):
3427         * dfg/DFGNode.h:
3428         (JSC::DFG::Node::convertToGetByOffset):
3429         (JSC::DFG::Node::convertToMultiGetByOffset):
3430         (JSC::DFG::Node::hasIdentifier):
3431         (JSC::DFG::Node::hasHeapPrediction):
3432         * dfg/DFGNodeType.h:
3433         * dfg/DFGOperations.cpp:
3434         * dfg/DFGOperations.h:
3435         * dfg/DFGPredictionPropagationPhase.cpp:
3436         * dfg/DFGSafeToExecute.h:
3437         (JSC::DFG::safeToExecute):
3438         * dfg/DFGSpeculativeJIT.cpp:
3439         (JSC::DFG::SpeculativeJIT::compileGetById):
3440         (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
3441         (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
3442         * dfg/DFGSpeculativeJIT.h:
3443         * dfg/DFGSpeculativeJIT32_64.cpp:
3444         (JSC::DFG::SpeculativeJIT::cachedGetById):
3445         (JSC::DFG::SpeculativeJIT::compile):
3446         * dfg/DFGSpeculativeJIT64.cpp:
3447         (JSC::DFG::SpeculativeJIT::cachedGetById):
3448         (JSC::DFG::SpeculativeJIT::compile):
3449         * ftl/FTLCapabilities.cpp:
3450         (JSC::FTL::canCompile):
3451         * ftl/FTLLowerDFGToB3.cpp:
3452         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3453         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
3454         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
3455         (JSC::FTL::DFG::LowerDFGToB3::getById):
3456         * jit/JIT.cpp:
3457         (JSC::JIT::privateCompileMainPass):
3458         (JSC::JIT::privateCompileSlowCases):
3459         * jit/JIT.h:
3460         * jit/JITOperations.cpp:
3461         * jit/JITOperations.h:
3462         * jit/JITPropertyAccess.cpp:
3463         (JSC::JIT::emit_op_get_by_id_direct):
3464         (JSC::JIT::emitSlow_op_get_by_id_direct):
3465         * jit/JITPropertyAccess32_64.cpp:
3466         (JSC::JIT::emit_op_get_by_id_direct):
3467         (JSC::JIT::emitSlow_op_get_by_id_direct):
3468         * jit/Repatch.cpp:
3469         (JSC::appropriateOptimizingGetByIdFunction):
3470         (JSC::appropriateGetByIdFunction):
3471         (JSC::tryCacheGetByID):
3472         (JSC::repatchGetByID):
3473         (JSC::appropriateGenericGetByIdFunction): Deleted.
3474         * jit/Repatch.h:
3475         * llint/LLIntSlowPaths.cpp:
3476         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3477         * llint/LLIntSlowPaths.h:
3478         * llint/LowLevelInterpreter32_64.asm:
3479         * llint/LowLevelInterpreter64.asm:
3480         * runtime/JSCJSValue.h:
3481         * runtime/JSCJSValueInlines.h:
3482         (JSC::JSValue::getOwnPropertySlot const):
3483         * runtime/JSObject.h:
3484         * runtime/JSObjectInlines.h:
3485         (JSC::JSObject::getOwnPropertySlotInline):
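
The following is an added example, not code from this ChangeLog or from JavaScriptCore, illustrating why the entry above wants builtins to read their internal fields without traversing the prototype chain. Normal property lookup walks the chain, so a getter that script installs on Object.prototype can substitute its own value for a field the object itself lacks; an own-property read stops at the object, which is the semantics op_get_by_id_direct gives the builtins. The field name "iteratedObject" and the helper names are constructed for the example; JSC's real builtins use private names that script cannot name.

```javascript
// Added example (not JavaScriptCore code): direct (own-property) reads
// versus normal lookup when the shared prototype has been polluted.
"use strict";

// Constructed stand-in for an object whose internal field may be absent,
// e.g. an iterator whose state slot was never set.
function makeState(fields) {
  return Object.assign(Object.create(Object.prototype), fields);
}

// Normal [[Get]]: consults the object, then every prototype in the chain.
function readViaLookup(obj, name) {
  return obj[name];
}

// Own-property read, mirroring a "direct" get: returns undefined when the
// object itself does not carry the field, whatever the prototypes hold.
function readDirect(obj, name) {
  const desc = Object.getOwnPropertyDescriptor(obj, name);
  if (desc === undefined) return undefined;
  if ("value" in desc) return desc.value;
  return desc.get ? desc.get.call(obj) : undefined;
}

// Installs a getter for the field name on Object.prototype (the pollution
// a builtin must be immune to), reads the field both ways, and returns the
// observations. The getter is removed again before returning.
function demonstrate() {
  const fieldName = "iteratedObject"; // constructed name, not a JSC private name
  const state = makeState({});        // field intentionally absent

  const observed = {
    lookupBefore: readViaLookup(state, fieldName),
    directBefore: readDirect(state, fieldName),
  };

  let getterCalls = 0;
  Object.defineProperty(Object.prototype, fieldName, {
    configurable: true,
    get() { getterCalls++; return "from-prototype"; },
  });
  try {
    observed.lookupAfter = readViaLookup(state, fieldName); // "from-prototype"
    observed.directAfter = readDirect(state, fieldName);    // undefined
    observed.getterCalls = getterCalls;                     // 1
  } finally {
    delete Object.prototype[fieldName];
  }
  return observed;
}
```

Only readViaLookup observes the injected getter; readDirect returns undefined both before and after the prototype is modified, which is the behaviour the builtins get from @getByIdDirectPrivate.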
3486
3487 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3488
3489         [JSC] Remove several asXXX functions
3490         https://bugs.webkit.org/show_bug.cgi?id=184355
3491
3492         Reviewed by JF Bastien.
3493
3494         Remove asActivation, asInternalFunction, and asGetterSetter.
3495         Use jsCast<> / jsDynamicCast<> consistently.
3496
3497         * runtime/ArrayConstructor.cpp:
3498         (JSC::constructArrayWithSizeQuirk):
3499         * runtime/AsyncFunctionConstructor.cpp:
3500         (JSC::callAsyncFunctionConstructor):
3501         (JSC::constructAsyncFunctionConstructor):
3502         * runtime/AsyncGeneratorFunctionConstructor.cpp:
3503         (JSC::callAsyncGeneratorFunctionConstructor):
3504         (JSC::constructAsyncGeneratorFunctionConstructor):
3505         * runtime/BooleanConstructor.cpp:
3506         (JSC::constructWithBooleanConstructor):
3507         * runtime/DateConstructor.cpp:
3508         (JSC::constructWithDateConstructor):
3509         * runtime/ErrorConstructor.cpp:
3510         (JSC::Interpreter::constructWithErrorConstructor):
3511         (JSC::Interpreter::callErrorConstructor):
3512         * runtime/FunctionConstructor.cpp:
3513         (JSC::constructWithFunctionConstructor):
3514         (JSC::callFunctionConstructor):
3515         * runtime/FunctionPrototype.cpp:
3516         (JSC::functionProtoFuncToString):
3517         * runtime/GeneratorFunctionConstructor.cpp:
3518         (JSC::callGeneratorFunctionConstructor):
3519         (JSC::constructGeneratorFunctionConstructor):
3520         * runtime/GetterSetter.h:
3521         (JSC::asGetterSetter): Deleted.
3522         * runtime/InternalFunction.h:
3523         (JSC::asInternalFunction): Deleted.
3524         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3525         (JSC::constructGenericTypedArrayView):
3526         * runtime/JSLexicalEnvironment.h:
3527         (JSC::asActivation): Deleted.
3528         * runtime/JSObject.cpp:
3529         (JSC::validateAndApplyPropertyDescriptor):
3530         * runtime/MapConstructor.cpp:
3531         (JSC::constructMap):
3532         * runtime/PropertyDescriptor.cpp:
3533         (JSC::PropertyDescriptor::setDescriptor):
3534         * runtime/RegExpConstructor.cpp:
3535         (JSC::constructWithRegExpConstructor):
3536         (JSC::callRegExpConstructor):
3537         * runtime/SetConstructor.cpp:
3538         (JSC::constructSet):
3539         * runtime/StringConstructor.cpp:
3540         (JSC::constructWithStringConstructor):
3541         * runtime/WeakMapConstructor.cpp:
3542         (JSC::constructWeakMap):
3543         * runtime/WeakSetConstructor.cpp:
3544         (JSC::constructWeakSet):
3545         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3546         (JSC::constructJSWebAssemblyCompileError):
3547         (JSC::callJSWebAssemblyCompileError):
3548         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3549         (JSC::constructJSWebAssemblyLinkError):
3550         (JSC::callJSWebAssemblyLinkError):
3551         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3552         (JSC::constructJSWebAssemblyRuntimeError):
3553         (JSC::callJSWebAssemblyRuntimeError):
3554
3555 2018-04-05  Mark Lam  <mark.lam@apple.com>
3556
3557         MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
3558         https://bugs.webkit.org/show_bug.cgi?id=184347
3559         <rdar://problem/39183165>
3560
3561         Reviewed by Michael Saboff.
3562
3563         * assembler/MacroAssemblerCodeRef.h:
3564         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3565         (JSC::MacroAssemblerCodePtr::retagged const):
3566
3567 2018-04-05  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3568
3569         [MIPS] Optimize generated JIT code for branches
3570         https://bugs.webkit.org/show_bug.cgi?id=183130
3571
3572         Reviewed by Yusuke Suzuki.
3573
3574         The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
3575         branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
3576         to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
3577         However, this adds a significant overhead for all other types of branches. Since these nop's
3578         protect the code that is generated by branchPtrWithPatch, this function seems like a better
3579         place to add them.
3580
3581         * assembler/MIPSAssembler.h:
3582         (JSC::MIPSAssembler::repatchInt32):
3583         (JSC::MIPSAssembler::revertJumpToMove):
3584         * assembler/MacroAssemblerMIPS.h:
3585         (JSC::MacroAssemblerMIPS::branchAdd32):
3586         (JSC::MacroAssemblerMIPS::branchMul32):
3587         (JSC::MacroAssemblerMIPS::branchSub32):
3588         (JSC::MacroAssemblerMIPS::branchNeg32):
3589         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
3590         (JSC::MacroAssemblerMIPS::branchEqual):
3591         (JSC::MacroAssemblerMIPS::branchNotEqual):
3592
3593 2018-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3594
3595         [WTF] Remove StaticLock
3596         https://bugs.webkit.org/show_bug.cgi?id=184332
3597
3598         Reviewed by Mark Lam.
3599
3600         * API/JSValue.mm:
3601         (handerForStructTag):
3602         * API/JSVirtualMachine.mm:
3603         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
3604         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
3605         * API/glib/JSCVirtualMachine.cpp:
3606         (addWrapper):
3607         (removeWrapper):
3608         * assembler/testmasm.cpp:
3609         * b3/air/testair.cpp:
3610         * b3/testb3.cpp:
3611         * bytecode/SuperSampler.cpp:
3612         * dfg/DFGCommon.cpp:
3613         * dfg/DFGCommonData.cpp:
3614         * dynbench.cpp:
3615         * heap/MachineStackMarker.cpp:
3616         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3617         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
3618         (Inspector::RemoteTargetHandleRunSourceGlobal):
3619         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
3620         * interpreter/CLoopStack.cpp:
3621         * parser/SourceProvider.cpp:
3622         * profiler/ProfilerDatabase.cpp:
3623         * profiler/ProfilerUID.cpp:
3624         (JSC::Profiler::UID::create):
3625         * runtime/IntlObject.cpp:
3626         (JSC::numberingSystemsForLocale):
3627         * runtime/JSLock.cpp:
3628         * runtime/JSLock.h:
3629         * runtime/SamplingProfiler.cpp:
3630         (JSC::SamplingProfiler::registerForReportAtExit):
3631         * runtime/VM.cpp:
3632         * wasm/WasmFaultSignalHandler.cpp:
3633
3634 2018-04-04  Mark Lam  <mark.lam@apple.com>
3635
3636         Add pointer profiling support to the DFG and supporting files.
3637         https://bugs.webkit.org/show_bug.cgi?id=184316
3638         <rdar://problem/39188524>
3639
3640         Reviewed by Filip Pizlo.
3641
3642         1. Profile lots of pointers with PtrTags.
3643
3644         2. Remove PtrTag.cpp and make ptrTagName() into an inline function.  It's only
3645            used for debugging anyway, and not normally called in the code.  Making it
3646            an inline function prevents it from taking up code space in builds when not in
3647            use.
3648
3649         3. Change the call to the arityFixupThunk in DFG code to be a near call.
3650            It doesn't need to be a far call.
3651
3652         * CMakeLists.txt:
3653         * JavaScriptCore.xcodeproj/project.pbxproj:
3654         * Sources.txt:
3655         * assembler/testmasm.cpp:
3656         (JSC::testProbeModifiesProgramCounter):
3657         * b3/B3LowerMacros.cpp:
3658         * b3/air/AirCCallSpecial.cpp:
3659         (JSC::B3::Air::CCallSpecial::generate):
3660         * b3/air/AirCCallSpecial.h:
3661         * b3/testb3.cpp:
3662         (JSC::B3::testInterpreter):
3663         * bytecode/AccessCase.cpp:
3664         (JSC::AccessCase::generateImpl):
3665         * bytecode/HandlerInfo.h:
3666         (JSC::HandlerInfo::initialize):
3667         * bytecode/PolymorphicAccess.cpp:
3668         (JSC::PolymorphicAccess::regenerate):
3669         * dfg/DFGJITCompiler.cpp:
3670         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3671         (JSC::DFG::JITCompiler::link):
3672         (JSC::DFG::JITCompiler::compileFunction):
3673         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3674         * dfg/DFGJITCompiler.h:
3675         (JSC::DFG::JITCompiler::appendCall):
3676         * dfg/DFGOSREntry.cpp:
3677         (JSC::DFG::prepareOSREntry):
3678         * dfg/DFGOSRExit.cpp:
3679         (JSC::DFG::reifyInlinedCallFrames):
3680         (JSC::DFG::adjustAndJumpToTarget):
3681         (JSC::DFG::OSRExit::emitRestoreArguments):
3682         (JSC::DFG::OSRExit::compileOSRExit):
3683         * dfg/DFGOSRExitCompilerCommon.cpp:
3684         (JSC::DFG::handleExitCounts):
3685         (JSC::DFG::reifyInlinedCallFrames):
3686         (JSC::DFG::osrWriteBarrier):
3687         (JSC::DFG::adjustAndJumpToTarget):
3688         * dfg/DFGOperations.cpp:
3689         * dfg/DFGSlowPathGenerator.h:
3690         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
3691         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
3692         (JSC::DFG::slowPathCall):
3693         * dfg/DFGSpeculativeJIT.cpp:
3694         (JSC::DFG::SpeculativeJIT::compileMathIC):
3695         * dfg/DFGSpeculativeJIT.h:
3696         (JSC::DFG::SpeculativeJIT::callOperation):
3697         (JSC::DFG::SpeculativeJIT::appendCall):
3698         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3699         * dfg/DFGSpeculativeJIT64.cpp:
3700         (JSC::DFG::SpeculativeJIT::cachedGetById):
3701         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3702         (JSC::DFG::SpeculativeJIT::cachedPutById):
3703         (JSC::DFG::SpeculativeJIT::compile):
3704         * dfg/DFGThunks.cpp:
3705         (JSC::DFG::osrExitThunkGenerator):
3706         (JSC::DFG::osrExitGenerationThunkGenerator):
3707         (JSC::DFG::osrEntryThunkGenerator):
3708         * jit/AssemblyHelpers.cpp:
3709         (JSC::AssemblyHelpers::emitDumbVirtualCall):
3710         * jit/JIT.cpp:
3711         (JSC::JIT::emitEnterOptimizationCheck):
3712         (JSC::JIT::compileWithoutLinking):
3713         * jit/JITCall.cpp:
3714         (JSC::JIT::compileOpCallSlowCase):
3715         * jit/JITMathIC.h:
3716         (JSC::isProfileEmpty):
3717         * jit/JITOpcodes.cpp:
3718         (JSC::JIT::emit_op_catch):
3719         (JSC::JIT::emitSlow_op_loop_hint):
3720         * jit/JITOperations.cpp:
3721         * jit/Repatch.cpp:
3722         (JSC::linkSlowFor):
3723         (JSC::linkFor):
3724         (JSC::revertCall):
3725         (JSC::unlinkFor):
3726         (JSC::linkVirtualFor):
3727         (JSC::linkPolymorphicCall):
3728         * jit/ThunkGenerators.cpp:
3729         (JSC::throwExceptionFromCallSlowPathGenerator):
3730         (JSC::linkCallThunkGenerator):
3731         (JSC::linkPolymorphicCallThunkGenerator):
3732         (JSC::virtualThunkFor):
3733         (JSC::arityFixupGenerator):
3734         (JSC::unreachableGenerator):
3735         * runtime/PtrTag.cpp: Removed.
3736         * runtime/PtrTag.h:
3737         (JSC::ptrTagName):
3738         * runtime/VMEntryScope.cpp:
3739         * wasm/js/WasmToJS.cpp:
3740         (JSC::Wasm::wasmToJS):
3741
3742 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
3743
3744         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
3745         https://bugs.webkit.org/show_bug.cgi?id=184319
3746
3747         Reviewed by Saam Barati.
3748
3749         In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
3750         assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
3751         the ArrayPush.
3752
3753         But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
3754         GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
3755         eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
3756         with a GetByVal(SaneChain), then we will hit the assertion.
3757
3758         This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
3759         tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
3760         than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
3761
3762         * dfg/DFGCSEPhase.cpp:
3763         * dfg/DFGClobberize.h:
3764         (JSC::DFG::clobberize):
3765         * dfg/DFGHeapLocation.cpp:
3766         (WTF::printInternal):
3767         * dfg/DFGHeapLocation.h:
3768         * dfg/DFGSpeculativeJIT.cpp:
3769         (JSC::DFG::SpeculativeJIT::compileArrayPush):
3770
3771 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
3772
3773         Remove poisoning of typed array vector
3774         https://bugs.webkit.org/show_bug.cgi?id=184313
3775
3776         Reviewed by Saam Barati.
3777
3778         * dfg/DFGFixupPhase.cpp:
3779         (JSC::DFG::FixupPhase::checkArray):
3780         * dfg/DFGSpeculativeJIT.cpp:
3781         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
3782         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3783         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3784         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
3785         * ftl/FTLAbstractHeapRepository.h:
3786         * ftl/FTLLowerDFGToB3.cpp:
3787         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3788         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
3789         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3790         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
3791         * jit/IntrinsicEmitter.cpp:
3792         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
3793         * jit/JITPropertyAccess.cpp:
3794         (JSC::JIT::emitIntTypedArrayGetByVal):
3795         (JSC::JIT::emitFloatTypedArrayGetByVal):
3796         (JSC::JIT::emitIntTypedArrayPutByVal):
3797         (JSC::JIT::emitFloatTypedArrayPutByVal):
3798         * llint/LowLevelInterpreter.asm:
3799         * llint/LowLevelInterpreter64.asm:
3800         * offlineasm/arm64.rb:
3801         * offlineasm/x86.rb:
3802         * runtime/CagedBarrierPtr.h:
3803         * runtime/JSArrayBufferView.cpp:
3804         (JSC::JSArrayBufferView::JSArrayBufferView):
3805         (JSC::JSArrayBufferView::finalize):
3806         (JSC::JSArrayBufferView::neuter):
3807         * runtime/JSArrayBufferView.h:
3808         (JSC::JSArrayBufferView::vector const):
3809         (JSC::JSArrayBufferView::offsetOfVector):
3810         (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
3811         (JSC::JSArrayBufferView::poisonFor): Deleted.
3812         (JSC::JSArrayBufferView::Poison::key): Deleted.
3813         * runtime/JSCPoison.cpp:
3814         (JSC::initializePoison):
3815         * runtime/JSCPoison.h:
3816         * runtime/JSGenericTypedArrayViewInlines.h:
3817         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
3818         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
3819         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3820         * runtime/JSObject.h:
3821
3822 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3823
3824         Don't do index masking or poisoning for DirectArguments
3825         https://bugs.webkit.org/show_bug.cgi?id=184280
3826
3827         Reviewed by Saam Barati.
3828
3829         * JavaScriptCore.xcodeproj/project.pbxproj:
3830         * bytecode/AccessCase.cpp:
3831         (JSC::AccessCase::generateWithGuard):
3832         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3833         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
3834         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
3835         * dfg/DFGSpeculativeJIT.cpp:
3836         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3837         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3838         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3839         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
3840         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
3841         * ftl/FTLAbstractHeapRepository.h:
3842         * ftl/FTLLowerDFGToB3.cpp:
3843         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
3844         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3845         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3846         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
3847         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
3848         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3849         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
3850         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
3851         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
3852         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
3853         * heap/SecurityKind.h:
3854         * jit/JITPropertyAccess.cpp:
3855         (JSC::JIT::emit_op_get_from_arguments):
3856         (JSC::JIT::emit_op_put_to_arguments):
3857         (JSC::JIT::emitDirectArgumentsGetByVal):
3858         * jit/JITPropertyAccess32_64.cpp:
3859         (JSC::JIT::emit_op_get_from_arguments):
3860         (JSC::JIT::emit_op_put_to_arguments):
3861         * llint/LowLevelInterpreter.asm:
3862         * llint/LowLevelInterpreter32_64.asm:
3863         * llint/LowLevelInterpreter64.asm:
3864         * runtime/DirectArguments.cpp:
3865         (JSC::DirectArguments::DirectArguments):
3866         (JSC::DirectArguments::createUninitialized):
3867         (JSC::DirectArguments::create):
3868         (JSC::DirectArguments::createByCopying):
3869         (JSC::DirectArguments::estimatedSize):
3870         (JSC::DirectArguments::visitChildren):
3871         (JSC::DirectArguments::overrideThings):
3872         (JSC::DirectArguments::copyToArguments):
3873         (JSC::DirectArguments::mappedArgumentsSize):
3874         * runtime/DirectArguments.h:
3875         * runtime/JSCPoison.h:
3876         * runtime/JSLexicalEnvironment.h:
3877         * runtime/JSSymbolTableObject.h:
3878
3879 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3880
3881         JSArray::appendMemcpy seems to be missing a barrier
3882         https://bugs.webkit.org/show_bug.cgi?id=184290
3883
3884         Reviewed by Mark Lam.
3885         
3886         If you write to an array that may contain pointers and you didn't just allocate it, then you need to
3887         barrier right after.
3888         
3889         I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
3890         obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
3891
3892         * runtime/JSArray.cpp:
3893         (JSC::JSArray::appendMemcpy):
3894
3895 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3896
3897         GC shouldn't do object distancing
3898         https://bugs.webkit.org/show_bug.cgi?id=184195
3899
3900         Reviewed by Saam Barati.
3901         
3902         This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
3903         to be a small speed-up.
3904
3905         * CMakeLists.txt:
3906         * JavaScriptCore.xcodeproj/project.pbxproj:
3907         * Sources.txt:
3908         * heap/BlockDirectory.cpp:
3909         (JSC::BlockDirectory::findBlockForAllocation):
3910         (JSC::BlockDirectory::addBlock):
3911         * heap/BlockDirectory.h:
3912         * heap/CellAttributes.cpp:
3913         (JSC::CellAttributes::dump const):
3914         * heap/CellAttributes.h:
3915         (JSC::CellAttributes::CellAttributes):
3916         * heap/LocalAllocator.cpp:
3917         (JSC::LocalAllocator::allocateSlowCase):
3918         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
3919         * heap/MarkedBlock.cpp:
3920         (JSC::MarkedBlock::Handle::didAddToDirectory):
3921         * heap/MarkedBlock.h:
3922         (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
3923         * heap/SecurityKind.cpp: Removed.
3924         * heap/SecurityKind.h: Removed.
3925         * heap/SecurityOriginToken.cpp: Removed.
3926         * heap/SecurityOriginToken.h: Removed.
3927         * heap/ThreadLocalCache.cpp:
3928         (JSC::ThreadLocalCache::create):
3929         (JSC::ThreadLocalCache::ThreadLocalCache):
3930         * heap/ThreadLocalCache.h:
3931         (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
3932         * runtime/JSDestructibleObjectHeapCellType.cpp:
3933         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3934         * runtime/JSGlobalObject.cpp:
3935         (JSC::JSGlobalObject::JSGlobalObject):
3936         * runtime/JSGlobalObject.h:
3937         (JSC::JSGlobalObject::threadLocalCache const): Deleted.
3938         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
3939         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3940         * runtime/JSStringHeapCellType.cpp:
3941         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3942         * runtime/VM.cpp:
3943         (JSC::VM::VM):
3944         * runtime/VM.h:
3945         * runtime/VMEntryScope.cpp:
3946         (JSC::VMEntryScope::VMEntryScope):
3947         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
3948         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3949
3950 2018-04-02  Saam Barati  <sbarati@apple.com>
3951
3952         bmalloc should compute its own estimate of its footprint
3953         https://bugs.webkit.org/show_bug.cgi?id=184121
3954
3955         Reviewed by Filip Pizlo.
3956
3957         * heap/IsoAlignedMemoryAllocator.cpp:
3958         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3959         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3960         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3961
3962 2018-04-02  Mark Lam  <mark.lam@apple.com>
3963
3964         We should not trash the stack pointer on OSR entry.
3965         https://bugs.webkit.org/show_bug.cgi?id=184243
3966         <rdar://problem/39114319>
3967
3968         Reviewed by Filip Pizlo.
3969
3970         In the DFG OSR entry path, we momentarily over-write the stack pointer with
3971         returnValueGPR2.  returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
3972         Hence, this assignment is wrong, and it turns out to be unnecessary as well.