[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-03-30  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: tint all pixels drawn by shader program when hovering ShaderProgramTreeElement
        https://bugs.webkit.org/show_bug.cgi?id=175223

        Reviewed by Matt Baker.

        * inspector/protocol/Canvas.json:
        Add `setShaderProgramHighlighted` command that will cause a blend to be applied to the
        canvas if the given shader program is active immediately before `drawArrays` or `drawElements`
        is called. The blend is removed and the previous value is applied once the draw is complete.

2018-03-30  JF Bastien  <jfbastien@apple.com>

        WebAssembly: support DataView compilation
        https://bugs.webkit.org/show_bug.cgi?id=183342

        Reviewed by Mark Lam.

        Compiling a module from a DataView was incorrectly dealing with
        DataView's offset.

        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        (JSC::createSourceBufferFromValue):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyValidateFunc):

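        Added regression check for the offset handling the entry above describes; it is not WebKit's code or test suite. It assumes only a JavaScript engine with a WebAssembly global, and every function name in it (buildPaddedBuffer, probe, checkDataView, checkSubarray, checkWholeBuffer, compileSubarray) is the example's own. It goes slightly beyond the entry by probing a Uint8Array.subarray next to the DataView, since both carry a byteOffset that the engine must honour.

```javascript
// Added regression check, not WebKit code: a WebAssembly engine must read a
// view's bytes from view.byteOffset for view.byteLength bytes, not from the
// start of the underlying ArrayBuffer. Exercises DataView (the case fixed in
// https://bugs.webkit.org/show_bug.cgi?id=183342) and Uint8Array.subarray.

// Smallest valid module: magic "\0asm" followed by version 1, little-endian.
const EMPTY_MODULE = Uint8Array.from([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

// Constructed input: `padding` bytes of 0xff before and after the module, so a
// parser that ignores the view's offset sees junk where the magic should be.
function buildPaddedBuffer(padding) {
  const buf = new ArrayBuffer(padding + EMPTY_MODULE.length + padding);
  const bytes = new Uint8Array(buf);
  bytes.fill(0xff);
  bytes.set(EMPTY_MODULE, padding);
  return buf;
}

// Runs WebAssembly.validate and folds the three possible outcomes into a
// string: "valid", "invalid", or "rejected" when the engine throws because it
// does not accept that kind of BufferSource at all.
function probe(source) {
  try {
    return WebAssembly.validate(source) ? "valid" : "invalid";
  } catch (e) {
    return "rejected";
  }
}

// DataView starting `padding` bytes into the buffer. An engine that honours
// the offset answers "valid"; one that reads from byte 0 answers "invalid",
// which is exactly the bug's symptom. "rejected" means DataView is unsupported
// as a BufferSource, a different (and visible) limitation.
function checkDataView(padding) {
  const view = new DataView(buildPaddedBuffer(padding), padding, EMPTY_MODULE.length);
  return probe(view);
}

// Same sub-range through a typed-array view; every engine supports this form.
function checkSubarray(padding) {
  const bytes = new Uint8Array(buildPaddedBuffer(padding));
  return probe(bytes.subarray(padding, padding + EMPTY_MODULE.length));
}

// Control: the whole buffer begins with junk and must be reported invalid.
function checkWholeBuffer(padding) {
  return probe(buildPaddedBuffer(padding));
}

// The compile path must agree with validate: synchronous Module construction
// from the offset view succeeds only if the offset is honoured. Returns the
// export count, which is 0 for the empty module.
function compileSubarray(padding) {
  const bytes = new Uint8Array(buildPaddedBuffer(padding));
  const mod = new WebAssembly.Module(bytes.subarray(padding, padding + EMPTY_MODULE.length));
  return WebAssembly.Module.exports(mod).length;
}

console.log("DataView @16 :", checkDataView(16));
console.log("subarray @16 :", checkSubarray(16));
console.log("whole buffer :", checkWholeBuffer(16));
```

An engine with the bug described above would print "invalid" for the DataView line while the subarray line prints "valid".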
2018-03-30  Filip Pizlo  <fpizlo@apple.com>

        Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
        https://bugs.webkit.org/show_bug.cgi?id=184189

        Reviewed by JF Bastien.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::emitBytecode):

2018-03-30  Mark Lam  <mark.lam@apple.com>

        Add pointer profiling support to Wasm.
        https://bugs.webkit.org/show_bug.cgi?id=184175
        <rdar://problem/39027923>

        Reviewed by JF Bastien.

        * runtime/PtrTag.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmBinding.h:
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyFunction.h:

2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r230102.

        Caused assertion failures on JSC bots.

        Reverted changeset:

        "A stack overflow in the parsing of a builtin (called by
        createExecutable) cause a crash instead of a catchable js
        exception"
        https://bugs.webkit.org/show_bug.cgi?id=184074
        https://trac.webkit.org/changeset/230102

2018-03-30  Robin Morisset  <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
        https://bugs.webkit.org/show_bug.cgi?id=183812

        Reviewed by Keith Miller.

        The fix I landed for https://bugs.webkit.org/show_bug.cgi?id=181027 was flawed: I tried setting the bytecodeIndex for the new block on line 1679 (at the end of inlineCall), but it is going to be reset on line 6612 (in parseCodeBlock).
        The fix is simply to make the block untargetable by default, and let parseCodeBlock make it targetable afterwards if it is a jump target.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
        (JSC::DFG::ByteCodeParser::inlineCall):

2018-03-30  Robin Morisset  <rmorisset@apple.com>

        A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
        https://bugs.webkit.org/show_bug.cgi?id=184074
        <rdar://problem/37165897>

        Reviewed by Keith Miller.

        Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place.
        It is surprisingly painful, with quite a long call stack between the last function with access to an ExecState* and the first function with the ParserError.
        Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts.
        As a result, this patch is grotesquely large, while all it does is add enough plumbing to throw a proper exception in this specific case.

        There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow.
        If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too.

        Two other minor changes:
        - I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead.
        - I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/builtins/builtins_generate_combined_header.py:
        (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
        (ParserError):
        (generate_section_for_object): Deleted.
        (generate_externs_for_object): Deleted.
        (generate_macros_for_object): Deleted.
        (generate_section_for_code_table_macro): Deleted.
        (generate_section_for_code_name_macro): Deleted.
        (generate_section_for_global_private_code_name_macro): Deleted.
        * Scripts/builtins/builtins_generate_separate_header.py:
        (generate_secondary_header_includes):
        * Scripts/builtins/builtins_templates.py:
        * Sources.txt:
        * builtins/BuiltinExecutableCreator.cpp: Removed.
        * builtins/BuiltinExecutableCreator.h: Removed.
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        (JSC::createBuiltinExecutable):
        (JSC::BuiltinExecutables::createExecutableOrCrash):
        (JSC::BuiltinExecutables::createExecutable):
        * builtins/BuiltinExecutables.h:
        * bytecompiler/BytecodeGenerator.h:
        * parser/ParserError.cpp: Added.
        (JSC::ParserError::toErrorObject):
        (JSC::ParserError::throwStackOverflowOrOutOfMemory):
        (WTF::printInternal):
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject): Deleted.
        (WTF::printInternal): Deleted.
        * runtime/AsyncIteratorPrototype.cpp:
        (JSC::AsyncIteratorPrototype::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnStaticPropertySlot):
        (JSC::JSObject::reifyAllStaticProperties):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnNonIndexPropertySlot):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getNonIndexPropertySlot):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlotFromTable):
        (JSC::reifyStaticProperty):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * tools/JSDollarVM.cpp:
        (JSC::functionCreateBuiltin):

2018-03-30  Robin Morisset  <rmorisset@apple.com>

        Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
        https://bugs.webkit.org/show_bug.cgi?id=183657
        <rdar://problem/38464399>

        Reviewed by Keith Miller.

        There was just a missing check in unshiftCountForIndexingType.
        I've also replaced 'return false' with 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path',
        and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp).
        Finally, I made the assert in ensureLength a release assert, as it would have caught this bug and prevented it from being a security risk.

        * runtime/ArrayPrototype.cpp:
        (JSC::unshift):
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureLength):

2018-03-29  Mark Lam  <mark.lam@apple.com>

        Add some pointer profiling support to B3 and Air.
        https://bugs.webkit.org/show_bug.cgi?id=184165
        <rdar://problem/39022125>

        Reviewed by JF Bastien.

        * b3/B3LowerMacros.cpp:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3MathExtras.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::generate):
        * b3/air/AirCCallSpecial.h:
        * b3/testb3.cpp:
        (JSC::B3::testCallSimple):
        (JSC::B3::testCallRare):
        (JSC::B3::testCallRareLive):
        (JSC::B3::testCallSimplePure):
        (JSC::B3::testCallFunctionWithHellaArguments):
        (JSC::B3::testCallFunctionWithHellaArguments2):
        (JSC::B3::testCallFunctionWithHellaArguments3):
        (JSC::B3::testCallSimpleDouble):
        (JSC::B3::testCallSimpleFloat):
        (JSC::B3::testCallFunctionWithHellaDoubleArguments):
        (JSC::B3::testCallFunctionWithHellaFloatArguments):
        (JSC::B3::testLinearScanWithCalleeOnStack):
        (JSC::B3::testInterpreter):
        (JSC::B3::testLICMPure):
        (JSC::B3::testLICMPureSideExits):
        (JSC::B3::testLICMPureWritesPinned):
        (JSC::B3::testLICMPureWrites):
        (JSC::B3::testLICMReadsLocalState):
        (JSC::B3::testLICMReadsPinned):
        (JSC::B3::testLICMReads):
        (JSC::B3::testLICMPureNotBackwardsDominant):
        (JSC::B3::testLICMPureFoiledByChild):
        (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
        (JSC::B3::testLICMExitsSideways):
        (JSC::B3::testLICMWritesLocalState):
        (JSC::B3::testLICMWrites):
        (JSC::B3::testLICMFence):
        (JSC::B3::testLICMWritesPinned):
        (JSC::B3::testLICMControlDependent):
        (JSC::B3::testLICMControlDependentNotBackwardsDominant):
        (JSC::B3::testLICMControlDependentSideExits):
        (JSC::B3::testLICMReadsPinnedWritesPinned):
        (JSC::B3::testLICMReadsWritesDifferentHeaps):
        (JSC::B3::testLICMReadsWritesOverlappingHeaps):
        (JSC::B3::testLICMDefaultCall):
        (JSC::B3::testShuffleDoesntTrashCalleeSaves):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        * jit/GPRInfo.h:
        * runtime/PtrTag.h:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):

2018-03-29  JF Bastien  <jfbastien@apple.com>

        Use Forward.h instead of forward-declaring WTF::String
        https://bugs.webkit.org/show_bug.cgi?id=184172
        <rdar://problem/39026146>

        Reviewed by Yusuke Suzuki.

        As part of #184164 I'm changing WTF::String, and the forward
        declarations are just wrong because I'm making it templated. We
        should use Forward.h anyway, so do that instead.

        * runtime/DateConversion.h:

2018-03-29  Mark Lam  <mark.lam@apple.com>

        Use MacroAssemblerCodePtr in Wasm code for code pointers instead of void*.
        https://bugs.webkit.org/show_bug.cgi?id=184163
        <rdar://problem/39020397>

        Reviewed by JF Bastien.

        With the use of MacroAssemblerCodePtr, we now get poisoning for Wasm code pointers.

        Also renamed some structs, methods, and variable names to be more accurate.
        Previously, there was some confusion between a code pointer and the address of a
        code pointer (sometimes referred to in the code as a "LoadLocation"). We now name
        the LoadLocation variables appropriately to distinguish them from code pointers.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::CodeBlock):
        * wasm/WasmCodeBlock.h:
        (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
        (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
        * wasm/WasmFormat.h:
        (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction):
        (JSC::Wasm::WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation):
        (JSC::Wasm::CallableFunction::CallableFunction): Deleted.
        (JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::offsetOfWasmEntrypointLoadLocation):
        (JSC::Wasm::Instance::offsetOfWasmToEmbedderStub):
        (JSC::Wasm::Instance::offsetOfWasmEntrypoint): Deleted.
        (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmTable.cpp:
        (JSC::Wasm::Table::Table):
        (JSC::Wasm::Table::grow):
        (JSC::Wasm::Table::clearFunction):
        (JSC::Wasm::Table::setFunction):
        * wasm/WasmTable.h:
        (JSC::Wasm::Table::offsetOfFunctions):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::setFunction):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
        (JSC::WebAssemblyWrapperFunction::create):
        * wasm/js/WebAssemblyWrapperFunction.h:

2018-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        Remove WTF_EXPORTDATA and JS_EXPORTDATA
        https://bugs.webkit.org/show_bug.cgi?id=184170

        Reviewed by JF Bastien.

        Replace WTF_EXPORTDATA and JS_EXPORTDATA with
        WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE respectively.

        * heap/WriteBarrierSupport.h:
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocator.h:
        * runtime/JSCPoison.h:
        * runtime/JSCell.h:
        * runtime/JSExportMacros.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.h:
        * runtime/Options.h:
        * runtime/PropertyDescriptor.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/SamplingCounter.h:

2018-03-29  Ross Kirsling  <ross.kirsling@sony.com>

        MSVC __forceinline slows down JSC release build fivefold after r229391
        https://bugs.webkit.org/show_bug.cgi?id=184062

        Reviewed by Alex Christensen.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::marshallArgumentRegister):
        Exempt MSVC from a single forced inline used within recursive templates.

2018-03-29  Keith Miller  <keith_miller@apple.com>

        ArrayMode should not try to get the DFG to think it can convert TypedArrays
        https://bugs.webkit.org/show_bug.cgi?id=184137

        Reviewed by Saam Barati.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):

2018-03-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r230062.
        https://bugs.webkit.org/show_bug.cgi?id=184128

        Broke mac port. web content process crashes while loading any
        web page (Requested by rniwa on #webkit).

        Reverted changeset:

        "MSVC __forceinline slows down JSC release build fivefold
        after r229391"
        https://bugs.webkit.org/show_bug.cgi?id=184062
        https://trac.webkit.org/changeset/230062

2018-03-28  Ross Kirsling  <ross.kirsling@sony.com>

        MSVC __forceinline slows down JSC release build fivefold after r229391
        https://bugs.webkit.org/show_bug.cgi?id=184062

        Reviewed by Alex Christensen.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::marshallArgumentRegister):
        Exempt MSVC from a single forced inline used within recursive templates.

2018-03-28  Mark Lam  <mark.lam@apple.com>

        Enhance ARM64 probe to support pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=184069
        <rdar://problem/38939879>

        Reviewed by JF Bastien.

        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::popPair):
        (JSC::MacroAssemblerX86Common::pushPair):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        * runtime/PtrTag.h:
        (JSC::tagForPtr):

2018-03-28  Robin Morisset  <rmorisset@apple.com>

        appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
        https://bugs.webkit.org/show_bug.cgi?id=183894

        Reviewed by Saam Barati.

        Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):

2018-03-28  Carlos Garcia Campos  <cgarcia@igalia.com>

        [JSC] Move WeakValueRef class to its own file and use it from Objc and GLib
        https://bugs.webkit.org/show_bug.cgi?id=184073

        Reviewed by Yusuke Suzuki.

        We currently have duplicated code in the ObjC and GLib implementations.

        * API/JSManagedValue.mm:
        (managedValueHandleOwner):
        (-[JSManagedValue initWithValue:]):
        * API/JSWeakValue.cpp: Added.
        (JSC::JSWeakValue::~JSWeakValue):
        (JSC::JSWeakValue::clear):
        (JSC::JSWeakValue::isClear const):
        (JSC::JSWeakValue::setPrimitive):
        (JSC::JSWeakValue::setObject):
        (JSC::JSWeakValue::setString):
        * API/JSWeakValue.h: Added.
        (JSC::JSWeakValue::isSet const):
        (JSC::JSWeakValue::isPrimitive const):
        (JSC::JSWeakValue::isObject const):
        (JSC::JSWeakValue::isString const):
        (JSC::JSWeakValue::object const):
        (JSC::JSWeakValue::primitive const):
        (JSC::JSWeakValue::string const):
        * API/glib/JSCWeakValue.cpp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:

2018-03-27  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add JSCWeakValue to JavaScriptCore GLib API
        https://bugs.webkit.org/show_bug.cgi?id=184041

        Reviewed by Michael Catanzaro.

        This allows keeping a reference to a JavaScript value without protecting it, and without holding a strong
        reference to the context. When the value is cleared the JSCWeakValue::cleared signal is emitted and
        jsc_weak_value_get_value() will always return nullptr.

        * API/glib/JSCWeakValue.cpp: Added.
        (WeakValueRef::~WeakValueRef):
        (WeakValueRef::clear):
        (WeakValueRef::isClear const):
        (WeakValueRef::isSet const):
        (WeakValueRef::isPrimitive const):
        (WeakValueRef::isObject const):
        (WeakValueRef::isString const):
        (WeakValueRef::setPrimitive):
        (WeakValueRef::setObject):
        (WeakValueRef::setString):
        (WeakValueRef::object const):
        (WeakValueRef::primitive const):
        (WeakValueRef::string const):
        (weakValueHandleOwner):
        (jscWeakValueInitialize):
        (jscWeakValueSetProperty):
        (jscWeakValueDispose):
        (jsc_weak_value_class_init):
        (jsc_weak_value_new):
        (jsc_weak_value_get_value):
        * API/glib/JSCWeakValue.h: Added.
        * API/glib/docs/jsc-glib-4.0-sections.txt:
        * API/glib/docs/jsc-glib-docs.sgml:
        * API/glib/jsc.h:
        * GLib.cmake:

2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove unnecessary USE(JSVALUE32_64) / USE(JSVALUE64)
        https://bugs.webkit.org/show_bug.cgi?id=181292

        Reviewed by Saam Barati.

        By using the JSValueRegs abstraction, we can simplify DFGSpeculativeJIT.cpp code.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
        (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):

2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add Load16Z for B3 and use it in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=165884

        Reviewed by JF Bastien.

        We already support Load16Z in B3. Use it for i32.load16_u / i64.load16_u in WebAssembly.
        spec-tests/memory.wast.js already covers this change.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitLoadOp):

2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove repeated iteration of ElementNode
        https://bugs.webkit.org/show_bug.cgi?id=183987

        Reviewed by Keith Miller.

        BytecodeGenerator repeatedly iterates ElementNode to emit efficient code.
        While this is OK for small arrays, the repeated iteration takes a lot of time
        if the array is very large. For example, Kraken's initialization code includes
        a very large array of numeric literals. This makes bytecode compilation very slow.

        This patch carefully removes unnecessary iteration when emitting arrays.
        This reduces one of Kraken/imaging-darkroom's bytecode compiling from 13.169856 ms
        to 9.988050 ms.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArrayBuffer):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ArrayPatternNode::bindValue const):
        (JSC::ArrayPatternNode::emitDirectBinding):

2018-03-26  Ross Kirsling  <ross.kirsling@sony.com>

        JIT callOperation() needs to support operations that return SlowPathReturnType differently on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=183655

        Reviewed by Keith Miller.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::ArgCollection::argCount):
        (JSC::CCallHelpers::marshallArgumentRegister):
        (JSC::CCallHelpers::setupArgumentsImpl):
        On Win64, ensure that argCount always includes GPRs and FPRs and that counting starts from 1 for SlowPathReturnType.

        * jit/JIT.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::is64BitType):
        (JSC::JIT::is64BitType<void>):
        On Win64, ensure special call is used for SlowPathReturnType.

        * jit/JITOperations.h:
        Update changed type.

2018-03-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        We should have SSE4 detection in the X86 MacroAssembler.
        https://bugs.webkit.org/show_bug.cgi?id=165363

        Reviewed by JF Bastien.

        This patch adds popcnt support to WASM in the x86_64 environment.
        To use it, we refactor our CPUID feature detection in MacroAssemblerX86Common.
        Our spec-tests already cover popcnt.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::supportsCountPopulation):
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssemblerX86Common::getCPUID):
        (JSC::MacroAssemblerX86Common::getCPUIDEx):
        (JSC::MacroAssemblerX86Common::collectCPUFeatures):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::countPopulation32):
        (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
        (JSC::MacroAssemblerX86Common::supportsCountPopulation):
        (JSC::MacroAssemblerX86Common::supportsAVX):
        (JSC::MacroAssemblerX86Common::supportsLZCNT):
        (JSC::MacroAssemblerX86Common::supportsBMI1):
        (JSC::MacroAssemblerX86Common::isSSE2Present):
        (JSC::MacroAssemblerX86Common::updateEax1EcxFlags): Deleted.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::countPopulation64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::popcnt_rr):
        (JSC::X86Assembler::popcnt_mr):
        (JSC::X86Assembler::popcntq_rr):
        (JSC::X86Assembler::popcntq_mr):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):

2018-03-26  Filip Pizlo  <fpizlo@apple.com>

        DFG should know that CreateThis can be effectful
        https://bugs.webkit.org/show_bug.cgi?id=184013

        Reviewed by Saam Barati.

        As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this
        is a proxy.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-03-25  Saam Barati  <sbarati@apple.com>

        Fix typo in JSC option name
        https://bugs.webkit.org/show_bug.cgi?id=184001

        Reviewed by Mark Lam.

        enableJITDebugAssetions => enableJITDebugAssertions.

        * assembler/MacroAssembler.cpp:
        (JSC::MacroAssembler::jitAssert):
        * runtime/Options.h:

2018-03-25  Saam Barati  <sbarati@apple.com>

        r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
        https://bugs.webkit.org/show_bug.cgi?id=183995

        Reviewed by Filip Pizlo.

        The removal of this line of code was unintended and happened during some
        refactoring Fil was doing. The consequence of removing this line of code
        is that m_emptyCursor became a monotonically increasing integer, leading
        the cursor to usually be out of bounds of the block range (depending on
        what the program is doing). This made the functionality of finding an empty
        block to steal almost always fail.

        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::prepareForAllocation):

2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Introduces fused compare and jump
        https://bugs.webkit.org/show_bug.cgi?id=177100

        Reviewed by Mark Lam.

        This patch introduces op_jeq, op_jneq, op_jstricteq, and op_jnstricteq.
        It offers three benefits.

        1. They are introduced for the same purpose as op_jless etc. It aligns
        the op_eq family with the op_jless family.

        2. It reduces the size of bytecode needed to represent the typical code sequence.

        3. It offers a way to fuse check and jump in DFG code generation. Since
        we previously had a MovHint between Branch and CompareEq/CompareStrictEq,
        we could not do this optimization. It reduces the machine code size in DFG too.

        It slightly improves Octane/boyer.

            boyer  6.18038+-0.05002    ^     6.06990+-0.04176       ^ definitely 1.0182x faster

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_stricteq):
        (JSC::JIT::emit_op_nstricteq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_jstricteq):
        (JSC::JIT::emit_op_jnstricteq):
        (JSC::JIT::emitSlow_op_jstricteq):
        (JSC::JIT::emitSlow_op_jnstricteq):
        (JSC::JIT::emitSlow_op_jeq):
        (JSC::JIT::emitSlow_op_jneq):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::compileOpEqJumpSlow):
        (JSC::JIT::emitSlow_op_jeq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::emitSlow_op_jneq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_stricteq):
        (JSC::JIT::emit_op_nstricteq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_jstricteq):
        (JSC::JIT::emit_op_jnstricteq):
        (JSC::JIT::emitSlow_op_jstricteq):
        (JSC::JIT::emitSlow_op_jnstricteq):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
754         * llint/LLIntSlowPaths.h:
755         * llint/LowLevelInterpreter.asm:
756         * llint/LowLevelInterpreter32_64.asm:
757         * llint/LowLevelInterpreter64.asm:
758
759 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
760
761         [JSC] Improve constants and add comments for CodeBlockHash
762         https://bugs.webkit.org/show_bug.cgi?id=183982
763
764         Rubber-stamped by Mark Lam.
765
766         * bytecode/CodeBlockHash.cpp:
767         (JSC::CodeBlockHash::CodeBlockHash):
768         * bytecode/ParseHash.cpp:
769         (JSC::ParseHash::ParseHash):
770
771 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
772
773         [JSC] Add options to report parsing and bytecode compiling times
774         https://bugs.webkit.org/show_bug.cgi?id=183982
775
776         Reviewed by Mark Lam.
777
778         This patch adds reportParseTimes and reportBytecodeCompileTimes options.
779         When they are enabled, JSC reports times consumed for parsing and bytecode
780         compiling.
781
782         * JavaScriptCore.xcodeproj/project.pbxproj:
783         * Sources.txt:
784         * bytecode/ParseHash.cpp: Added.
785         (JSC::ParseHash::ParseHash):
786         * bytecode/ParseHash.h: Added.
787         (JSC::ParseHash::hashForCall const):
788         (JSC::ParseHash::hashForConstruct const):
789         * bytecode/UnlinkedFunctionExecutable.cpp:
790         (JSC::generateUnlinkedFunctionCodeBlock):
791         * bytecompiler/BytecodeGenerator.h:
792         (JSC::BytecodeGenerator::generate):
793         * parser/Parser.h:
794         (JSC::parse):
795         * runtime/CodeCache.h:
796         (JSC::generateUnlinkedCodeBlock):
797         * runtime/Options.h:
798
799 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
800
801         [JIT] Drop ENABLE_JIT_VERBOSE flag
802         https://bugs.webkit.org/show_bug.cgi?id=183983
803
804         Reviewed by Mark Lam.
805
806         Just use the JITInternal::verbose value.
807
808         * jit/JIT.cpp:
809         (JSC::JIT::privateCompileMainPass):
810         (JSC::JIT::privateCompileSlowCases):
811         (JSC::JIT::link):
812
813 2018-03-23  Tim Horton  <timothy_horton@apple.com>
814
815         Fix the build with no pasteboard
816         https://bugs.webkit.org/show_bug.cgi?id=183973
817
818         Reviewed by Dan Bernstein.
819
820         * Configurations/FeatureDefines.xcconfig:
821
822 2018-03-23  Mark Lam  <mark.lam@apple.com>
823
824         LLInt TypeArray pointer poisoning should not pick its poison dynamically.
825         https://bugs.webkit.org/show_bug.cgi?id=183942
826         <rdar://problem/38798018>
827
828         Reviewed by JF Bastien.
829
830         1. Move the LLInt TypedArray unpoisoning to just before the array access after
831            all the branches.
832         2. Rename FirstArrayType to FirstTypedArrayType to match the symbol in C++ code.
833         3. Remove a useless instruction in the implementation of emitX86Lea for a global
834            label.
835
836         * llint/LowLevelInterpreter.asm:
837         * llint/LowLevelInterpreter64.asm:
838         * offlineasm/x86.rb:
839
840 2018-03-23  Mark Lam  <mark.lam@apple.com>
841
842         Add more support for pointer profiling.
843         https://bugs.webkit.org/show_bug.cgi?id=183943
844         <rdar://problem/38799068>
845
846         Reviewed by JF Bastien.
847
848         * assembler/ARM64Assembler.h:
849         (JSC::ARM64Assembler::linkJumpOrCall):
850         * assembler/AbstractMacroAssembler.h:
851         (JSC::AbstractMacroAssembler::repatchNearCall):
852         (JSC::AbstractMacroAssembler::tagReturnAddress):
853         (JSC::AbstractMacroAssembler::untagReturnAddress):
854
855 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
856
857         [WTF] Add standard containers with FastAllocator specialization
858         https://bugs.webkit.org/show_bug.cgi?id=183789
859
860         Reviewed by Darin Adler.
861
862         * b3/air/testair.cpp:
863         * b3/testb3.cpp:
864         (JSC::B3::testDoubleLiteralComparison):
865         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
866         * dfg/DFGGraph.h:
867         * dfg/DFGIntegerCheckCombiningPhase.cpp:
868         * dfg/DFGObjectAllocationSinkingPhase.cpp:
869         * ftl/FTLLowerDFGToB3.cpp:
870         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
871         * runtime/FunctionHasExecutedCache.h:
872         * runtime/TypeLocationCache.h:
873
874 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
875
876         [FTL] Fix ArrayPush(ArrayStorage)'s abstract heap
877         https://bugs.webkit.org/show_bug.cgi?id=182960
878
879         Reviewed by Saam Barati.
880
881         This patch fixes ArrayPush(ArrayStorage)'s abstract heap.
882         It should always touch ArrayStorage_vector. To unify
883         vector setting code for the real ArrayStorage_vector and
884         ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to
885         annotate this.
886
887         * ftl/FTLLowerDFGToB3.cpp:
888         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
889
890 2018-03-23  Zan Dobersek  <zdobersek@igalia.com>
891
892         Unreviewed build fix for GCC 4.9 builds.
893
894         * assembler/MacroAssemblerCodeRef.h: std::is_trivially_copyable<> isn't
895         supported in 4.9 libstdc++, so wrap the static assert using it in a
896         COMPILER_SUPPORTS() macro, and use __is_trivially_copyable() builtin,
897         as is done in bitwise_cast() in StdLibExtras.h.
898
899 2018-03-22  Tim Horton  <timothy_horton@apple.com>
900
901         Adopt WK_ALTERNATE_FRAMEWORKS_DIR in WebCore
902         https://bugs.webkit.org/show_bug.cgi?id=183930
903         <rdar://problem/38782249>
904
905         Reviewed by Dan Bernstein.
906
907         * JavaScriptCore.xcodeproj/project.pbxproj:
908
909 2018-03-22  Mark Lam  <mark.lam@apple.com>
910
911         Add placeholder call and jump MacroAssembler emitters that take PtrTag in a register.
912         https://bugs.webkit.org/show_bug.cgi?id=183914
913         <rdar://problem/38763536>
914
915         Reviewed by Saam Barati and JF Bastien.
916
917         This is in preparation for supporting pointer profiling work.
918
919         * assembler/MacroAssemblerARM.h:
920         (JSC::MacroAssemblerARM::jump):
921         (JSC::MacroAssemblerARM::call):
922         * assembler/MacroAssemblerARM64.h:
923         (JSC::MacroAssemblerARM64::call):
924         (JSC::MacroAssemblerARM64::jump):
925         * assembler/MacroAssemblerARMv7.h:
926         (JSC::MacroAssemblerARMv7::jump):
927         (JSC::MacroAssemblerARMv7::call):
928         * assembler/MacroAssemblerMIPS.h:
929         (JSC::MacroAssemblerMIPS::jump):
930         (JSC::MacroAssemblerMIPS::call):
931         * assembler/MacroAssemblerX86.h:
932         (JSC::MacroAssemblerX86::call):
933         (JSC::MacroAssemblerX86::jump):
934         * assembler/MacroAssemblerX86Common.h:
935         (JSC::MacroAssemblerX86Common::jump):
936         (JSC::MacroAssemblerX86Common::call):
937         * assembler/MacroAssemblerX86_64.h:
938         (JSC::MacroAssemblerX86_64::call):
939         (JSC::MacroAssemblerX86_64::jump):
940
941 2018-03-22  Tim Horton  <timothy_horton@apple.com>
942
943         Improve readability of WebCore's OTHER_LDFLAGS
944         https://bugs.webkit.org/show_bug.cgi?id=183909
945         <rdar://problem/38760992>
946
947         Reviewed by Dan Bernstein.
948
949         * Configurations/Base.xcconfig:
950         * Configurations/FeatureDefines.xcconfig:
951
952 2018-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
953
954         [ARM] Thumb: Do not decorate bottom bit twice
955         https://bugs.webkit.org/show_bug.cgi?id=183906
956
957         Reviewed by Mark Lam.
958
959         Use MacroAssemblerCodePtr::createFromExecutableAddress instead of
960         MacroAssemblerCodePtr(void*) to avoid decorating the pointer twice as
961         a thumb pointer.
962
963         * jit/Repatch.cpp:
964         (JSC::linkPolymorphicCall):
965
966 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
967
968         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
969         https://bugs.webkit.org/show_bug.cgi?id=183559
970
971         Reviewed by Mark Lam.
972
973         When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forgot
974         to clear NodeMustGenerate for this ToString. It should be cleared since it does not
975         have any user-observable side effect. This patch clears NodeMustGenerate.
976
977         * dfg/DFGConstantFoldingPhase.cpp:
978         (JSC::DFG::ConstantFoldingPhase::foldConstants):
979
980 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
981
982         [JSC] List up all candidates in DFGCapabilities and FTLCapabilities
983         https://bugs.webkit.org/show_bug.cgi?id=183897
984
985         Reviewed by Mark Lam.
986
987         We should not use the `default:` clause here since it accidentally catches
988         opcodes and DFG nodes which should be optimized. For example,
989         op_super_sampler_begin and op_super_sampler_end are not listed while
990         they have DFG and FTL backends.
991
992         This patch lists all candidates in DFGCapabilities and FTLCapabilities.
993         We also clean up unnecessary checks in FTLCapabilities. Since we
994         already handle all the possible array types for these nodes (which can
995         be checked in DFG's code), we do not need to check array types.
996
997         We also fix FTLLowerDFGToB3's PutByVal code to use modeForPut.
998
999         * dfg/DFGCapabilities.cpp:
1000         (JSC::DFG::capabilityLevel):
1001         * ftl/FTLCapabilities.cpp:
1002         (JSC::FTL::canCompile):
1003         * ftl/FTLLowerDFGToB3.cpp:
1004         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1005
1006 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1007
1008         [JSC] Drop op_put_by_index
1009         https://bugs.webkit.org/show_bug.cgi?id=183899
1010
1011         Reviewed by Mark Lam.
1012
1013         This patch drops op_put_by_index.
1014
1015         1. This functionality can be covered just by direct put_by_val.
1016         2. put_by_index is not well optimized. It just calls a C
1017         function, and it does not have DFG handling.
1018
1019         * bytecode/BytecodeDumper.cpp:
1020         (JSC::BytecodeDumper<Block>::dumpBytecode):
1021         * bytecode/BytecodeList.json:
1022         * bytecode/BytecodeUseDef.h:
1023         (JSC::computeUsesForBytecodeOffset):
1024         (JSC::computeDefsForBytecodeOffset):
1025         * bytecompiler/BytecodeGenerator.cpp:
1026         (JSC::BytecodeGenerator::emitPutByIndex): Deleted.
1027         * bytecompiler/BytecodeGenerator.h:
1028         * bytecompiler/NodesCodegen.cpp:
1029         (JSC::ArrayNode::emitBytecode):
1030         (JSC::ArrayPatternNode::emitDirectBinding):
1031         * jit/JIT.cpp:
1032         (JSC::JIT::privateCompileMainPass):
1033         * jit/JIT.h:
1034         * jit/JITPropertyAccess.cpp:
1035         (JSC::JIT::emit_op_put_by_index): Deleted.
1036         * jit/JITPropertyAccess32_64.cpp:
1037         (JSC::JIT::emit_op_put_by_index): Deleted.
1038         * llint/LLIntSlowPaths.cpp:
1039         * llint/LLIntSlowPaths.h:
1040         * llint/LowLevelInterpreter.asm:
1041
1042 2018-03-22  Michael Saboff  <msaboff@apple.com>
1043
1044         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
1045         https://bugs.webkit.org/show_bug.cgi?id=183901
1046
1047         Reviewed by Keith Miller.
1048
1049         Added write barriers to ensure the reversed contents are properly marked.
1050
1051         * runtime/ArrayPrototype.cpp:
1052         (JSC::arrayProtoFuncReverse):
1053
1054 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
1055
1056         ScopedArguments should do poisoning and index masking
1057         https://bugs.webkit.org/show_bug.cgi?id=183863
1058
1059         Reviewed by Mark Lam.
1060         
1061         This outlines the ScopedArguments overflow storage and adds poisoning.
1062
1063         * bytecode/AccessCase.cpp:
1064         (JSC::AccessCase::generateWithGuard):
1065         * dfg/DFGSpeculativeJIT.cpp:
1066         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1067         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1068         * ftl/FTLAbstractHeapRepository.h:
1069         * ftl/FTLLowerDFGToB3.cpp:
1070         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
1071         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1072         * jit/JITPropertyAccess.cpp:
1073         (JSC::JIT::emitScopedArgumentsGetByVal):
1074         * runtime/JSCPoison.h:
1075         * runtime/ScopedArguments.cpp:
1076         (JSC::ScopedArguments::ScopedArguments):
1077         (JSC::ScopedArguments::createUninitialized):
1078         (JSC::ScopedArguments::visitChildren):
1079         * runtime/ScopedArguments.h:
1080
1081 2018-03-21  Mark Lam  <mark.lam@apple.com>
1082
1083         Refactor the PtrTag list as a macro so that we can auto-generate code that enumerates each PtrTag.
1084         https://bugs.webkit.org/show_bug.cgi?id=183861
1085         <rdar://problem/38716822>
1086
1087         Reviewed by Filip Pizlo.
1088
1089         Also added ptrTagName() to aid debugging.  ptrTagName() is implemented using this
1090         new PtrTag macro list.
1091
1092         * CMakeLists.txt:
1093         * JavaScriptCore.xcodeproj/project.pbxproj:
1094         * Sources.txt:
1095         * runtime/PtrTag.cpp: Added.
1096         (JSC::ptrTagName):
1097         * runtime/PtrTag.h:
1098
1099 2018-03-21  Mark Lam  <mark.lam@apple.com>
1100
1101         Use CodeBlock::instructions()[] and CodeBlock::bytecodeOffset() instead of doing own pointer math.
1102         https://bugs.webkit.org/show_bug.cgi?id=183857
1103         <rdar://problem/38712184>
1104
1105         Reviewed by JF Bastien.
1106
1107         We should avoid doing pointer math with CodeBlock::instructions().begin().
1108         Instead, we should use the operator[] that comes with CodeBlock::instructions()
1109         for computing an Instruction*, and use CodeBlock::bytecodeOffset() for computing
1110         the bytecode offset of a given Instruction*.  These methods will do assertions
1111         which help catch bugs sooner, plus they are more descriptive of the operation
1112         we're trying to do.
1113
1114         * bytecode/BytecodeKills.h:
1115         (JSC::BytecodeKills::operandIsKilled const):
1116         (JSC::BytecodeKills::forEachOperandKilledAt const):
1117         * bytecode/CallLinkStatus.cpp:
1118         (JSC::CallLinkStatus::computeFromLLInt):
1119         * bytecode/CodeBlock.cpp:
1120         (JSC::CodeBlock::dumpBytecode):
1121         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1122         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
1123         * bytecode/GetByIdStatus.cpp:
1124         (JSC::GetByIdStatus::computeFromLLInt):
1125         * bytecode/PutByIdStatus.cpp:
1126         (JSC::PutByIdStatus::computeFromLLInt):
1127         * dfg/DFGByteCodeParser.cpp:
1128         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1129         * dfg/DFGOSRExit.cpp:
1130         (JSC::DFG::reifyInlinedCallFrames):
1131         * dfg/DFGOSRExitCompilerCommon.cpp:
1132         (JSC::DFG::reifyInlinedCallFrames):
1133         * interpreter/CallFrame.cpp:
1134         (JSC::CallFrame::callSiteBitsAsBytecodeOffset const):
1135         (JSC::CallFrame::currentVPC const):
1136         (JSC::CallFrame::setCurrentVPC):
1137         * jit/JITCall.cpp:
1138         (JSC::JIT::compileOpCall):
1139         * jit/JITInlines.h:
1140         (JSC::JIT::updateTopCallFrame):
1141         (JSC::JIT::copiedInstruction):
1142         * jit/JITOpcodes.cpp:
1143         (JSC::JIT::privateCompileHasIndexedProperty):
1144         * jit/JITOpcodes32_64.cpp:
1145         (JSC::JIT::privateCompileHasIndexedProperty):
1146         * jit/JITPropertyAccess.cpp:
1147         (JSC::JIT::privateCompileGetByVal):
1148         (JSC::JIT::privateCompileGetByValWithCachedId):
1149         (JSC::JIT::privateCompilePutByVal):
1150         (JSC::JIT::privateCompilePutByValWithCachedId):
1151         * jit/SlowPathCall.h:
1152         (JSC::JITSlowPathCall::call):
1153         * llint/LLIntSlowPaths.cpp:
1154         (JSC::LLInt::llint_trace_operand):
1155         (JSC::LLInt::llint_trace_value):
1156         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1157         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
1158         (JSC::LLInt::getByVal): Deleted.
1159         (JSC::LLInt::handleHostCall): Deleted.
1160         (JSC::LLInt::setUpCall): Deleted.
1161         (JSC::LLInt::genericCall): Deleted.
1162         (JSC::LLInt::varargsSetup): Deleted.
1163         (JSC::LLInt::llint_throw_stack_overflow_error): Deleted.
1164         (JSC::LLInt::llint_stack_check_at_vm_entry): Deleted.
1165         (JSC::LLInt::llint_write_barrier_slow): Deleted.
1166         (JSC::LLInt::llint_crash): Deleted.
1167         * runtime/SamplingProfiler.cpp:
1168         (JSC::tryGetBytecodeIndex):
1169
1170 2018-03-21  Keith Miller  <keith_miller@apple.com>
1171
1172         btjs should print the bytecode offset in the stack trace for JS frames
1173         https://bugs.webkit.org/show_bug.cgi?id=183856
1174
1175         Reviewed by Filip Pizlo.
1176
1177         * interpreter/CallFrame.cpp:
1178         (JSC::CallFrame::bytecodeOffset):
1179         (JSC::CallFrame::dump):
1180
1181 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
1182
1183         Unreviewed. Fix GTK and WPE debug build after r229798.
1184
1185         Fix a typo in an ASSERT. Also convert several RELEASE_ASSERT to ASSERT that I forgot to do before landing.
1186
1187         * API/glib/JSCCallbackFunction.cpp:
1188         (JSC::JSCCallbackFunction::JSCCallbackFunction):
1189         * API/glib/JSCContext.cpp:
1190         (jscContextSetVirtualMachine):
1191         (jscContextGetJSContext):
1192         (wrapperMap):
1193         (jscContextHandleExceptionIfNeeded):
1194         * API/glib/JSCValue.cpp:
1195         (jscValueCallFunction):
1196         * API/glib/JSCVirtualMachine.cpp:
1197         (addWrapper):
1198         (removeWrapper):
1199         (jscVirtualMachineSetContextGroup):
1200         (jscVirtualMachineAddContext):
1201         (jscVirtualMachineRemoveContext):
1202         * API/glib/JSCWrapperMap.cpp:
1203         (JSC::WrapperMap::gobjectWrapper):
1204         (JSC::WrapperMap::unwrap):
1205         (JSC::WrapperMap::registerClass):
1206         (JSC::WrapperMap::createJSWrappper):
1207         (JSC::WrapperMap::wrappedObject const):
1208
1209 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
1210
1211         [GTK][WPE] JSC bindings not introspectable
1212         https://bugs.webkit.org/show_bug.cgi?id=136989
1213
1214         Reviewed by Michael Catanzaro.
1215
1216         Make it possible to include individual headers when building the WebKit layer.
1217
1218         * API/glib/JSCAutocleanups.h:
1219         * API/glib/JSCClass.h:
1220         * API/glib/JSCContext.h:
1221         * API/glib/JSCException.h:
1222         * API/glib/JSCValue.h:
1223         * API/glib/JSCVersion.h.in:
1224         * API/glib/JSCVirtualMachine.h:
1225
1226 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
1227
1228         [GTK][WPE] Initial implementation of JavaScriptCore glib bindings
1229         https://bugs.webkit.org/show_bug.cgi?id=164061
1230
1231         Reviewed by Michael Catanzaro.
1232
1233         Add initial GLib API for JavaScriptCore.
1234
1235         * API/JSAPIWrapperObject.h:
1236         * API/glib/JSAPIWrapperObjectGLib.cpp: Added.
1237         (jsAPIWrapperObjectHandleOwner):
1238         (JSAPIWrapperObjectHandleOwner::finalize):
1239         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1240         (JSC::JSCallbackObject<JSAPIWrapperObject>::createStructure):
1241         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
1242         (JSC::JSAPIWrapperObject::finishCreation):
1243         (JSC::JSAPIWrapperObject::setWrappedObject):
1244         (JSC::JSAPIWrapperObject::visitChildren):
1245         * API/glib/JSCAutocleanups.h: Added.
1246         * API/glib/JSCCallbackFunction.cpp: Added.
1247         (JSC::callAsFunction):
1248         (JSC::callAsConstructor):
1249         (JSC::JSCCallbackFunction::create):
1250         (JSC::JSCCallbackFunction::JSCCallbackFunction):
1251         (JSC::JSCCallbackFunction::call):
1252         (JSC::JSCCallbackFunction::construct):
1253         (JSC::JSCCallbackFunction::destroy):
1254         * API/glib/JSCCallbackFunction.h: Added.
1255         (JSC::JSCCallbackFunction::createStructure):
1256         (JSC::JSCCallbackFunction::functionCallback):
1257         (JSC::JSCCallbackFunction::constructCallback):
1258         * API/glib/JSCClass.cpp: Added.
1259         (jscClassGetProperty):
1260         (jscClassSetProperty):
1261         (jscClassDispose):
1262         (jscClassConstructed):
1263         (jsc_class_class_init):
1264         (jscClassCreate):
1265         (jscClassGetJSClass):
1266         (jscClassGetOrCreateJSWrapper):
1267         (jscClassInvalidate):
1268         (jsc_class_get_name):
1269         (jsc_class_get_parent):
1270         (jsc_class_add_constructor):
1271         (jsc_class_add_method):
1272         (jsc_class_add_property):
1273         * API/glib/JSCClass.h: Added.
1274         * API/glib/JSCClassPrivate.h: Added.
1275         * API/glib/JSCContext.cpp: Added.
1276         (ExceptionHandler::ExceptionHandler):
1277         (ExceptionHandler::~ExceptionHandler):
1278         (jscContextSetVirtualMachine):
1279         (jscContextGetProperty):
1280         (jscContextSetProperty):
1281         (jscContextConstructed):
1282         (jscContextDispose):
1283         (jsc_context_class_init):
1284         (jscContextGetOrCreate):
1285         (jscContextGetJSContext):
1286         (wrapperMap):
1287         (jscContextGetOrCreateValue):
1288         (jscContextValueDestroyed):
1289         (jscContextGetJSWrapper):
1290         (jscContextGetOrCreateJSWrapper):
1291         (jscContextWrappedObject):
1292         (jscContextPushCallback):
1293         (jscContextPopCallback):
1294         (jscContextGArrayToJSArray):
1295         (jscContextJSArrayToGArray):
1296         (jscContextGValueToJSValue):
1297         (jscContextJSValueToGValue):
1298         (jsc_context_new):
1299         (jsc_context_new_with_virtual_machine):
1300         (jsc_context_get_virtual_machine):
1301         (jsc_context_get_exception):
1302         (jsc_context_throw):
1303         (jsc_context_throw_exception):
1304         (jsc_context_push_exception_handler):
1305         (jsc_context_pop_exception_handler):
1306         (jscContextHandleExceptionIfNeeded):
1307         (jsc_context_get_current):
1308         (jsc_context_evaluate):
1309         (jsc_context_evaluate_with_source_uri):
1310         (jsc_context_set_value):
1311         (jsc_context_get_value):
1312         (jsc_context_register_class):
1313         * API/glib/JSCContext.h: Added.
1314         * API/glib/JSCContextPrivate.h: Added.
1315         * API/glib/JSCDefines.h: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.h.
1316         * API/glib/JSCException.cpp: Added.
1317         (jscExceptionDispose):
1318         (jsc_exception_class_init):
1319         (jscExceptionCreate):
1320         (jscExceptionGetJSValue):
1321         (jscExceptionEnsureProperties):
1322         (jsc_exception_new):
1323         (jsc_exception_get_message):
1324         (jsc_exception_get_line_number):
1325         (jsc_exception_get_source_uri):
1326         * API/glib/JSCException.h: Added.
1327         * API/glib/JSCExceptionPrivate.h: Added.
1328         * API/glib/JSCGLibWrapperObject.h: Added.
1329         (JSC::JSCGLibWrapperObject::JSCGLibWrapperObject):
1330         (JSC::JSCGLibWrapperObject::~JSCGLibWrapperObject):
1331         (JSC::JSCGLibWrapperObject::object const):
1332         * API/glib/JSCValue.cpp: Added.
1333         (jscValueGetProperty):
1334         (jscValueSetProperty):
1335         (jscValueDispose):
1336         (jsc_value_class_init):
1337         (jscValueGetJSValue):
1338         (jscValueCreate):
1339         (jsc_value_get_context):
1340         (jsc_value_new_undefined):
1341         (jsc_value_is_undefined):
1342         (jsc_value_new_null):
1343         (jsc_value_is_null):
1344         (jsc_value_new_number):
1345         (jsc_value_is_number):
1346         (jsc_value_to_double):
1347         (jsc_value_to_int32):
1348         (jsc_value_new_boolean):
1349         (jsc_value_is_boolean):
1350         (jsc_value_to_boolean):
1351         (jsc_value_new_string):
1352         (jsc_value_is_string):
1353         (jsc_value_to_string):
1354         (jsc_value_new_array):
1355         (jsc_value_new_array_from_garray):
1356         (jsc_value_is_array):
1357         (jsc_value_new_object):
1358         (jsc_value_is_object):
1359         (jsc_value_object_is_instance_of):
1360         (jsc_value_object_set_property):
1361         (jsc_value_object_get_property):
1362         (jsc_value_object_set_property_at_index):
1363         (jsc_value_object_get_property_at_index):
1364         (jscValueCallFunction):
1365         (jsc_value_object_invoke_method):
1366         (jsc_value_object_define_property_data):
1367         (jsc_value_object_define_property_accessor):
1368         (jsc_value_new_function):
1369         (jsc_value_is_function):
1370         (jsc_value_function_call):
1371         (jsc_value_is_constructor):
1372         (jsc_value_constructor_call):
1373         * API/glib/JSCValue.h: Added.
1374         * API/glib/JSCValuePrivate.h: Added.
1375         * API/glib/JSCVersion.cpp: Added.
1376         (jsc_get_major_version):
1377         (jsc_get_minor_version):
1378         (jsc_get_micro_version):
1379         * API/glib/JSCVersion.h.in: Added.
1380         * API/glib/JSCVirtualMachine.cpp: Added.
1381         (addWrapper):
1382         (removeWrapper):
1383         (jscVirtualMachineSetContextGroup):
1384         (jscVirtualMachineEnsureContextGroup):
1385         (jscVirtualMachineDispose):
1386         (jsc_virtual_machine_class_init):
1387         (jscVirtualMachineGetOrCreate):
1388         (jscVirtualMachineGetContextGroup):
1389         (jscVirtualMachineAddContext):
1390         (jscVirtualMachineRemoveContext):
1391         (jscVirtualMachineGetContext):
1392         (jsc_virtual_machine_new):
1393         * API/glib/JSCVirtualMachine.h: Added.
1394         * API/glib/JSCVirtualMachinePrivate.h: Added.
1395         * API/glib/JSCWrapperMap.cpp: Added.
1396         (JSC::WrapperMap::WrapperMap):
1397         (JSC::WrapperMap::~WrapperMap):
1398         (JSC::WrapperMap::gobjectWrapper):
1399         (JSC::WrapperMap::unwrap):
1400         (JSC::WrapperMap::registerClass):
1401         (JSC::WrapperMap::createJSWrappper):
1402         (JSC::WrapperMap::jsWrapper const):
1403         (JSC::WrapperMap::wrappedObject const):
1404         * API/glib/JSCWrapperMap.h: Added.
1405         * API/glib/docs/jsc-glib-4.0-sections.txt: Added.
1406         * API/glib/docs/jsc-glib-4.0.types: Added.
1407         * API/glib/docs/jsc-glib-docs.sgml: Added.
1408         * API/glib/jsc.h: Added.
1409         * CMakeLists.txt:
1410         * GLib.cmake: Added.
1411         * JavaScriptCore.gir.in: Removed.
1412         * PlatformGTK.cmake:
1413         * PlatformWPE.cmake:
1414         * heap/Heap.cpp:
1415         (JSC::Heap::releaseDelayedReleasedObjects):
1416         * heap/Heap.h:
1417         * heap/HeapInlines.h:
1418         (JSC::Heap::releaseSoon):
1419         * javascriptcoregtk.pc.in:
1420         * runtime/JSGlobalObject.cpp:
1421         (JSC::JSGlobalObject::init):
1422         (JSC::JSGlobalObject::visitChildren):
1423         (JSC::JSGlobalObject::setWrapperMap):
1424         * runtime/JSGlobalObject.h:
1425         (JSC::JSGlobalObject::glibCallbackFunctionStructure const):
1426         (JSC::JSGlobalObject::glibWrapperObjectStructure const):
1427         (JSC::JSGlobalObject::wrapperMap const):
1428
1429 2018-03-21  Christopher Reid  <chris.reid@sony.com>
1430
1431         Windows 64-bit build fix after r229767
1432         https://bugs.webkit.org/show_bug.cgi?id=183810
1433
1434         Reviewed by Mark Lam.
1435
1436         Removing an extra parameter in the call to m_assembler::call.
1437
1438         * assembler/MacroAssemblerX86_64.h:
1439
1440 2018-03-20  Dan Bernstein  <mitz@apple.com>
1441
1442         [Xcode] JSVALUE_MODEL is unused
1443         https://bugs.webkit.org/show_bug.cgi?id=183809
1444
1445         Reviewed by Tim Horton.
1446
1447         * Configurations/JavaScriptCore.xcconfig: Removed the unused definition.
1448
1449 2018-03-20  Tim Horton  <timothy_horton@apple.com>
1450
1451         Update the install name for JavaScriptCore when built with WK_ALTERNATE_FRAMEWORKS_DIR
1452         https://bugs.webkit.org/show_bug.cgi?id=183808
1453         <rdar://problem/38692079>
1454
1455         Reviewed by Dan Bernstein.
1456
1457         * Configurations/JavaScriptCore.xcconfig:
1458
1459 2018-03-20  Tim Horton  <timothy_horton@apple.com>
1460
1461         Enable the minimal simulator feature flag when appropriate
1462         https://bugs.webkit.org/show_bug.cgi?id=183807
1463
1464         Reviewed by Dan Bernstein.
1465
1466         * Configurations/FeatureDefines.xcconfig:
1467
1468 2018-03-20  Saam Barati  <sbarati@apple.com>
1469
1470         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
1471         https://bugs.webkit.org/show_bug.cgi?id=183795
1472         <rdar://problem/38298694>
1473
1474         Reviewed by JF Bastien.
1475
1476         We were just assuming that the constants we were inserting were
1477         always exitOK=true. However, this breaks validation. The exitOK
1478         we emit for the constants in the NewArrayBuffer should respect
1479         the current exit state of the IR we've emitted. This is just IR
1480         bookkeeping since JSConstant is a non-exiting node.
1481
1482         * dfg/DFGArgumentsEliminationPhase.cpp:
1483
1484 2018-03-20  Guillaume Emont  <guijemont@igalia.com>
1485
1486         MIPS+Armv7 builds are broken since r229391
1487         https://bugs.webkit.org/show_bug.cgi?id=183474
1488
1489         Reviewed by Yusuke Suzuki.
1490
1491         Add missing armv7 and mips operations and fix arguments to a call to
1492         operationGetByValCell. This should fix compilation on MIPS and Armv7
1493         (though it does not implement the missing setupArguments stuff in
1494         CCallHelpers).
1495
1496         * assembler/MacroAssembler.h:
1497         * assembler/MacroAssemblerARMv7.h:
1498         (JSC::MacroAssemblerARMv7::swap):
1499         * assembler/MacroAssemblerMIPS.h:
1500         (JSC::MacroAssemblerMIPS::swap):
1501         * dfg/DFGSpeculativeJIT32_64.cpp:
1502         (JSC::DFG::SpeculativeJIT::compile):
1503         * jit/FPRInfo.h:
1504
1505 2018-03-20  Tim Horton  <timothy_horton@apple.com>
1506
1507         Add and adopt WK_PLATFORM_NAME and adjust default feature defines
1508         https://bugs.webkit.org/show_bug.cgi?id=183758
1509         <rdar://problem/38017644>
1510
1511         Reviewed by Dan Bernstein.
1512
1513         * Configurations/FeatureDefines.xcconfig:
1514
1515 2018-03-20  Mark Lam  <mark.lam@apple.com>
1516
1517         Improve FunctionPtr and use it in the JIT CallRecord.
1518         https://bugs.webkit.org/show_bug.cgi?id=183756
1519         <rdar://problem/38641335>
1520
1521         Reviewed by JF Bastien.
1522
1523         1. FunctionPtr holds a C/C++ function pointer by default.  Change its default
1524            PtrTag to reflect that.
1525
1526         2. Delete the FunctionPtr::value() method.  It is effectively a duplicate of
1527            executableAddress().
1528
1529         3. Fix the FunctionPtr constructor that takes arbitrary pointers to be able to
1530            take "any" pointer.  "any" in this case means that the pointer may not be typed
1531            as a C/C++ function to the C++ compiler (due to upstream casting or usage of
1532            void* as a storage type), but it is still expected to be pointing to a C/C++
1533            function.
1534
1535         4. Added a FunctionPtr constructor that takes another FunctionPtr.  This is a
1536            convenience constructor that lets us retag the underlying pointer.  The other
1537            FunctionPtr is still expected to point to a C/C++ function.
1538
1539         5. Added PtrTag assertion placeholder functions to be implemented later.
1540
1541         6. Change the JIT CallRecord to embed a FunctionPtr callee instead of a void*
1542            pointer.  This improves type safety, and assists in getting pointer tagging
1543            right later.
1544
1545         7. Added versions of JIT callOperations methods that will take a PtrTag.
1546            This is preparation for more pointer tagging work later.
1547
1548         * assembler/MacroAssemblerARM.h:
1549         (JSC::MacroAssemblerARM::linkCall):
1550         * assembler/MacroAssemblerARMv7.h:
1551         (JSC::MacroAssemblerARMv7::linkCall):
1552         * assembler/MacroAssemblerCodeRef.h:
1553         (JSC::FunctionPtr::FunctionPtr):
1554         (JSC::FunctionPtr::operator bool const):
1555         (JSC::FunctionPtr::operator! const):
1556         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1557         (JSC::MacroAssemblerCodePtr::retagged const):
1558         (JSC::MacroAssemblerCodeRef::retaggedCode const):
1559         (JSC::FunctionPtr::value const): Deleted.
1560         * assembler/MacroAssemblerMIPS.h:
1561         (JSC::MacroAssemblerMIPS::linkCall):
1562         * assembler/MacroAssemblerX86.h:
1563         (JSC::MacroAssemblerX86::linkCall):
1564         * assembler/MacroAssemblerX86_64.h:
1565         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
1566         (JSC::MacroAssemblerX86_64::linkCall):
1567         * bytecode/AccessCase.cpp:
1568         (JSC::AccessCase::generateImpl):
1569         * ftl/FTLSlowPathCall.cpp:
1570         (JSC::FTL::SlowPathCallContext::makeCall):
1571         * ftl/FTLSlowPathCall.h:
1572         (JSC::FTL::callOperation):
1573         * ftl/FTLThunks.cpp:
1574         (JSC::FTL::osrExitGenerationThunkGenerator):
1575         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1576         (JSC::FTL::slowPathCallThunkGenerator):
1577         * jit/JIT.cpp:
1578         (JSC::JIT::link):
1579         (JSC::JIT::privateCompileExceptionHandlers):
1580         * jit/JIT.h:
1581         (JSC::CallRecord::CallRecord):
1582         (JSC::JIT::appendCall):
1583         (JSC::JIT::appendCallWithSlowPathReturnType):
1584         (JSC::JIT::callOperation):
1585         (JSC::JIT::callOperationWithProfile):
1586         (JSC::JIT::callOperationWithResult):
1587         (JSC::JIT::callOperationNoExceptionCheck):
1588         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
1589         * jit/JITArithmetic.cpp:
1590         (JSC::JIT::emitMathICFast):
1591         (JSC::JIT::emitMathICSlow):
1592         * jit/JITInlines.h:
1593         (JSC::JIT::emitNakedCall):
1594         (JSC::JIT::emitNakedTailCall):
1595         (JSC::JIT::appendCallWithExceptionCheck):
1596         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
1597         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1598         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1599         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1600         * jit/JITPropertyAccess.cpp:
1601         (JSC::JIT::emitSlow_op_get_by_val):
1602         (JSC::JIT::emitSlow_op_put_by_val):
1603         (JSC::JIT::privateCompileGetByValWithCachedId):
1604         (JSC::JIT::privateCompilePutByVal):
1605         (JSC::JIT::privateCompilePutByValWithCachedId):
1606         * jit/JITPropertyAccess32_64.cpp:
1607         (JSC::JIT::emitSlow_op_put_by_val):
1608         * jit/Repatch.cpp:
1609         (JSC::linkPolymorphicCall):
1610         * jit/SlowPathCall.h:
1611         (JSC::JITSlowPathCall::JITSlowPathCall):
1612         (JSC::JITSlowPathCall::call):
1613         * jit/ThunkGenerators.cpp:
1614         (JSC::nativeForGenerator):
1615         * runtime/PtrTag.h:
1616         (JSC::nextPtrTagID):
1617         (JSC::assertIsCFunctionPtr):
1618         (JSC::assertIsNullOrCFunctionPtr):
1619         (JSC::assertIsNotTagged):
1620         (JSC::assertIsTagged):
1621         (JSC::assertIsNullOrTagged):
1622         (JSC::assertIsTaggedWith):
1623         (JSC::assertIsNullOrTaggedWith):
1624         (JSC::uniquePtrTagID): Deleted.
1625
1626 2018-03-20  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1627
1628         [MIPS] Optimize generated JIT code for loads/stores
1629         https://bugs.webkit.org/show_bug.cgi?id=183243
1630
1631         Reviewed by Yusuke Suzuki.
1632
1633         JIT generates three MIPS instructions for a load/store from/to an absolute address:
1634
1635           lui adrTmpReg, address >> 16
1636           ori adrTmpReg, address & 0xffff
1637           lw dataReg, 0(adrTmpReg)
1638
1639         Since load/store instructions on MIPS have a 16-bit offset, the lower 16 bits of the address can
1640         be encoded into the load/store and the ori instruction can be removed:
1641
1642           lui adrTmpReg, (address + 0x8000) >> 16
1643           lw dataReg, (address & 0xffff)(adrTmpReg)
1644
1645         Also, in loads/stores with BaseIndex address, the left shift can be omitted if address.scale is 0.
1646
1647         * assembler/MacroAssemblerMIPS.h:
1648         (JSC::MacroAssemblerMIPS::add32):
1649         (JSC::MacroAssemblerMIPS::add64):
1650         (JSC::MacroAssemblerMIPS::or32):
1651         (JSC::MacroAssemblerMIPS::sub32):
1652         (JSC::MacroAssemblerMIPS::convertibleLoadPtr):
1653         (JSC::MacroAssemblerMIPS::load8):
1654         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1655         (JSC::MacroAssemblerMIPS::load32):
1656         (JSC::MacroAssemblerMIPS::store8):
1657         (JSC::MacroAssemblerMIPS::store32):
1658         (JSC::MacroAssemblerMIPS::branchTest8):
1659         (JSC::MacroAssemblerMIPS::branchAdd32):
1660         (JSC::MacroAssemblerMIPS::loadDouble):
1661         (JSC::MacroAssemblerMIPS::storeDouble):
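
Worked example of the lui/displacement split described above (added here; it is not code from the WebKit patch, and the struct, function and register names are illustrative). It computes the two immediates for a 32-bit address, models the sign-extended 16-bit displacement that a MIPS lw/sw applies, and shows why the plain `address >> 16` upper half only works when the ori is kept.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* One lui plus one lw/sw reaching a 32-bit absolute address:
 *     lui adrTmpReg, luiImmediate
 *     lw  dataReg, loadDisplacement(adrTmpReg)
 * MIPS sign-extends the 16-bit displacement, so when bit 15 of the
 * address is set the low half reads as negative and the upper half
 * must be one higher.  (address + 0x8000) >> 16 does exactly that. */
struct LuiOffsetPair {
    uint16_t luiImmediate;    /* upper half placed in adrTmpReg by lui */
    int32_t loadDisplacement; /* signed 16-bit displacement, -32768..32767 */
};

/* Interpret the low 16 bits the way the CPU does: as a signed displacement. */
static int32_t signExtend16(uint32_t low16)
{
    return (low16 & 0x8000u) ? (int32_t)low16 - 0x10000 : (int32_t)low16;
}

/* The split used by the optimized two-instruction sequence. */
struct LuiOffsetPair splitAbsoluteAddress(uint32_t address)
{
    struct LuiOffsetPair pair;
    /* uint32_t arithmetic wraps modulo 2^32, which is wanted near 0xffff8000. */
    pair.luiImmediate = (uint16_t)((address + 0x8000u) >> 16);
    pair.loadDisplacement = signExtend16(address & 0xffffu);
    return pair;
}

/* Address the load/store actually touches: (luiImmediate << 16) + displacement. */
uint32_t effectiveAddress(struct LuiOffsetPair pair)
{
    uint32_t base = (uint32_t)pair.luiImmediate << 16;
    return base + (uint32_t)pair.loadDisplacement; /* negative wraps correctly */
}

/* Keeping hi = address >> 16 (correct for lui/ori/lw, where ori zero-extends)
 * but dropping the ori: wrong whenever bit 15 of the address is set. */
uint32_t naiveEffectiveAddress(uint32_t address)
{
    struct LuiOffsetPair pair;
    pair.luiImmediate = (uint16_t)(address >> 16);
    pair.loadDisplacement = signExtend16(address & 0xffffu);
    return effectiveAddress(pair);
}

int roundTrips(uint32_t address)
{
    return effectiveAddress(splitAbsoluteAddress(address)) == address;
}

/* Constructed boundary cases around bit 15 and the 32-bit wraparound. */
static const uint32_t kSamples[] = {
    0x00000000u, 0x00007fffu, 0x00008000u, 0x0000ffffu,
    0x12345678u, 0x1234ffffu, 0x7fff8000u, 0x80000000u,
    0xffff7fffu, 0xffff8000u, 0xffffffffu,
};

int allSamplesRoundTrip(void)
{
    size_t i;
    for (i = 0; i < sizeof(kSamples) / sizeof(kSamples[0]); ++i) {
        if (!roundTrips(kSamples[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof(kSamples) / sizeof(kSamples[0]); ++i) {
        struct LuiOffsetPair p = splitAbsoluteAddress(kSamples[i]);
        printf("0x%08" PRIx32 " -> lui 0x%04x, disp %6" PRId32 " ; optimized %s, naive %s\n",
               kSamples[i], p.luiImmediate, p.loadDisplacement,
               roundTrips(kSamples[i]) ? "ok" : "WRONG",
               naiveEffectiveAddress(kSamples[i]) == kSamples[i] ? "ok" : "WRONG");
    }
    return allSamplesRoundTrip() ? 0 : 1;
}
```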
1662
1663 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1664
1665         [DFG][FTL] Add vectorLengthHint for NewArray
1666         https://bugs.webkit.org/show_bug.cgi?id=183694
1667
1668         Reviewed by Saam Barati.
1669
1670         While the following code is common, it is not so efficient.
1671
1672         var array = [];
1673         for (...) {
1674             ...
1675             array.push(...);
1676         }
1677
1678         The array is always allocated with 0 vector length. And it is eventually grown.
1679
1680         We have ArrayAllocationProfile, and it tells us the vector length hint for
1681         the allocated arrays. This hint is already used for NewArrayBuffer. This patch
1682         extends this support for NewArray DFG node.
1683
1684         This patch improves Kraken/stanford-crypto-aes 4%.
1685
1686                                       baseline                  patched
1687
1688         stanford-crypto-aes        64.069+-1.352             61.589+-1.274           might be 1.0403x faster
1689
1690         NewArray can be optimized.
1691
1692                                                        baseline                  patched
1693
1694         vector-length-hint-new-array               21.8157+-0.0882     ^     13.1764+-0.0942        ^ definitely 1.6557x faster
1695         vector-length-hint-array-constructor       21.9076+-0.0987     ?     22.1168+-0.4814        ?
1696
1697         * dfg/DFGByteCodeParser.cpp:
1698         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1699         (JSC::DFG::ByteCodeParser::parseBlock):
1700         * dfg/DFGNode.h:
1701         (JSC::DFG::Node::hasVectorLengthHint):
1702         (JSC::DFG::Node::vectorLengthHint):
1703         * dfg/DFGSpeculativeJIT64.cpp:
1704         (JSC::DFG::SpeculativeJIT::compile):
1705         * ftl/FTLLowerDFGToB3.cpp:
1706         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
1707
1708 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1709
1710         [DFG][FTL] Make ArraySlice(0) code tight
1711         https://bugs.webkit.org/show_bug.cgi?id=183590
1712
1713         Reviewed by Saam Barati.
1714
1715         This patch tightens ArraySlice code, in particular, startIndex = 0 case.
1716
1717         1. We support the array.slice() call. This is a well-used way to clone an array.
1718         For example, underscore.js uses this technique.
1719
1720         2. We remove several checks if the given index value is a proven constant.
1721
1722         * dfg/DFGBackwardsPropagationPhase.cpp:
1723         (JSC::DFG::BackwardsPropagationPhase::propagate):
1724         * dfg/DFGByteCodeParser.cpp:
1725         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1726         * dfg/DFGFixupPhase.cpp:
1727         (JSC::DFG::FixupPhase::fixupNode):
1728         * dfg/DFGSpeculativeJIT.cpp:
1729         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
1730         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1731         We can skip some of the checks if the given value is a proven constant.
1732
1733         * ftl/FTLLowerDFGToB3.cpp:
1734         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1735         Change below to belowOrEqual. It does not change meaning in the code. But it allows us
1736         to fold BelowEqual(0, x) to true.
1737
1738 2018-03-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1739
1740         Drop s_exceptionInstructions static initializer
1741         https://bugs.webkit.org/show_bug.cgi?id=183732
1742
1743         Reviewed by Darin Adler.
1744
1745         Make Instruction constructor constexpr to drop the static constructor
1746         of LLInt::Data::s_exceptionInstructions.
1747
1748         * bytecode/Instruction.h:
1749         (JSC::Instruction::Instruction):
1750
1751 2018-03-19  Dan Bernstein  <mitz@apple.com>
1752
1753         Investigate why __cpu_indicator_init is used
1754         https://bugs.webkit.org/show_bug.cgi?id=183736
1755
1756         Reviewed by Tim Horton.
1757
1758         __cpu_indicator_init, which is a global initializer, was included in JavaScriptCore because
1759         we were passing the -all_load option to the linker, causing it to bring in all members of
1760         every static library being linked in, including the compiler runtime library. We only need
1761         to load all members of WTF. The linker option for doing that is -force_load, and it requires
1762         a path to the library. To support building against libWTF.a built locally as well as against
1763         the copy that is in the SDK, we add a script build phase that places a symbolic link to the
1764         appropriate libWTF.a under the DerivedSources directory, and pass the path to that symlink
1765         to the linker. Also, while cleaning up linker flags, make OTHER_LDFLAGS_HIDE_SYMBOLS less
1766         verbose by eliminating every other -Wl, remove redundant -lobjc (libobjc is already listed
1767         in the Link Binary With Libraries build phase), remove long-unsupported -Y,3, and stop
1768         reexporting libobjc.
1769
1770         * Configurations/JavaScriptCore.xcconfig:
1771         * JavaScriptCore.xcodeproj/project.pbxproj:
1772
1773 2018-03-19  Jiewen Tan  <jiewen_tan@apple.com>
1774
1775         Unreviewed, another quick fix for r229699
1776
1777         Restricts ENABLE_WEB_AUTHN to only macOS and iOS.
1778
1779         * Configurations/FeatureDefines.xcconfig:
1780
1781 2018-03-19  Mark Lam  <mark.lam@apple.com>
1782
1783         FunctionPtr should be passed by value.
1784         https://bugs.webkit.org/show_bug.cgi?id=183746
1785         <rdar://problem/38625311>
1786
1787         Reviewed by JF Bastien.
1788
1789         It's meant to be an encapsulation of a C/C++ function pointer.  There are cases
1790         where we use it to pass JIT compiled code (e.g. the VM thunks/stubs), but they are
1791         treated as if they are C/C++ functions.
1792
1793         Regardless, there's no need to pass it by reference.
1794
1795         * assembler/MacroAssemblerCodeRef.h:
1796         * dfg/DFGJITCompiler.h:
1797         (JSC::DFG::JITCompiler::appendCall):
1798         * dfg/DFGSpeculativeJIT.h:
1799         (JSC::DFG::SpeculativeJIT::appendCall):
1800         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1801         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1802         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1803         * jit/JIT.h:
1804         (JSC::JIT::appendCall):
1805         (JSC::JIT::appendCallWithSlowPathReturnType):
1806         * jit/JITInlines.h:
1807         (JSC::JIT::appendCallWithExceptionCheck):
1808         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
1809         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1810         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1811         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1812
1813 2018-03-15  Ross Kirsling  <ross.kirsling@sony.com>
1814
1815         Fix MSVC run-time check after r229391.
1816         https://bugs.webkit.org/show_bug.cgi?id=183673
1817
1818         Reviewed by Keith Miller.
1819
1820         Replaces attempted fix from r229424/r229432.
1821         Apparently MSVC doesn't like it when a zero-length std::array is defined without explicit braces.
1822
1823         * jit/CCallHelpers.h:
1824         (JSC::CCallHelpers::clampArrayToSize):
1825
1826 2018-03-15  Tim Horton  <timothy_horton@apple.com>
1827
1828         Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in ANGLE
1829         https://bugs.webkit.org/show_bug.cgi?id=183675
1830         <rdar://problem/38515281>
1831
1832         Reviewed by Dan Bernstein.
1833
1834         * JavaScriptCore.xcodeproj/project.pbxproj:
1835         Don't install the JSC alias if we're installing to an alternate location.
1836         This should have been a part of r229637.
1837
1838 2018-03-15  Tim Horton  <timothy_horton@apple.com>
1839
1840         Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in JavaScriptCore
1841         https://bugs.webkit.org/show_bug.cgi?id=183649
1842         <rdar://problem/38480526>
1843
1844         Reviewed by Dan Bernstein.
1845
1846         * Configurations/Base.xcconfig:
1847         * JavaScriptCore.xcodeproj/project.pbxproj:
1848
1849 2018-03-14  Mark Lam  <mark.lam@apple.com>
1850
1851         Enhance the MacroAssembler and LinkBuffer to support pointer profiling.
1852         https://bugs.webkit.org/show_bug.cgi?id=183623
1853         <rdar://problem/38443314>
1854
1855         Reviewed by Michael Saboff.
1856
1857         1. Added a PtrTag argument to indirect call() and indirect jump() MacroAssembler
1858            emitters to support pointer profiling.
1859
1860         2. Also added tagPtr(), untagPtr(), and removePtrTag() placeholder methods.
1861
1862         3. Added a PtrTag to LinkBuffer finalizeCodeWithoutDisassembly() and clients.
1863
1864         4. Updated clients to pass a PtrTag.  For the most part, I just apply NoPtrTag as
1865            a placeholder until we have time to analyze what pointer profile each client
1866            site has later.
1867
1868         5. Apply PtrTags to the YarrJIT.
1869
1870         * assembler/ARM64Assembler.h:
1871         (JSC::ARM64Assembler::linkJumpOrCall):
1872         * assembler/AbstractMacroAssembler.h:
1873         (JSC::AbstractMacroAssembler::getLinkerAddress):
1874         (JSC::AbstractMacroAssembler::tagPtr):
1875         (JSC::AbstractMacroAssembler::untagPtr):
1876         (JSC::AbstractMacroAssembler::removePtrTag):
1877         * assembler/LinkBuffer.cpp:
1878         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1879         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1880         * assembler/LinkBuffer.h:
1881         (JSC::LinkBuffer::link):
1882         (JSC::LinkBuffer::locationOfNearCall):
1883         (JSC::LinkBuffer::locationOf):
1884         * assembler/MacroAssemblerARM.h:
1885         (JSC::MacroAssemblerARM::jump):
1886         (JSC::MacroAssemblerARM::call):
1887         (JSC::MacroAssemblerARM::readCallTarget):
1888         * assembler/MacroAssemblerARM64.h:
1889         (JSC::MacroAssemblerARM64::call):
1890         (JSC::MacroAssemblerARM64::jump):
1891         (JSC::MacroAssemblerARM64::readCallTarget):
1892         (JSC::MacroAssemblerARM64::linkCall):
1893         * assembler/MacroAssemblerARMv7.h:
1894         (JSC::MacroAssemblerARMv7::jump):
1895         (JSC::MacroAssemblerARMv7::relativeTableJump):
1896         (JSC::MacroAssemblerARMv7::call):
1897         (JSC::MacroAssemblerARMv7::readCallTarget):
1898         * assembler/MacroAssemblerCodeRef.cpp:
1899         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
1900         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
1901         * assembler/MacroAssemblerCodeRef.h:
1902         (JSC::FunctionPtr::FunctionPtr):
1903         (JSC::FunctionPtr::value const):
1904         (JSC::MacroAssemblerCodePtr:: const):
1905         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1906         (JSC::MacroAssemblerCodeRef::retaggedCode const):
1907         * assembler/MacroAssemblerMIPS.h:
1908         (JSC::MacroAssemblerMIPS::jump):
1909         (JSC::MacroAssemblerMIPS::call):
1910         (JSC::MacroAssemblerMIPS::readCallTarget):
1911         * assembler/MacroAssemblerX86.h:
1912         (JSC::MacroAssemblerX86::call):
1913         (JSC::MacroAssemblerX86::jump):
1914         (JSC::MacroAssemblerX86::readCallTarget):
1915         * assembler/MacroAssemblerX86Common.cpp:
1916         (JSC::MacroAssembler::probe):
1917         * assembler/MacroAssemblerX86Common.h:
1918         (JSC::MacroAssemblerX86Common::jump):
1919         (JSC::MacroAssemblerX86Common::call):
1920         * assembler/MacroAssemblerX86_64.h:
1921         (JSC::MacroAssemblerX86_64::call):
1922         (JSC::MacroAssemblerX86_64::jump):
1923         (JSC::MacroAssemblerX86_64::readCallTarget):
1924         * assembler/testmasm.cpp:
1925         (JSC::compile):
1926         (JSC::invoke):
1927         * b3/B3Compile.cpp:
1928         (JSC::B3::compile):
1929         * b3/B3LowerMacros.cpp:
1930         * b3/air/AirCCallSpecial.cpp:
1931         (JSC::B3::Air::CCallSpecial::generate):
1932         * b3/air/testair.cpp:
1933         * b3/testb3.cpp:
1934         (JSC::B3::invoke):
1935         (JSC::B3::testInterpreter):
1936         (JSC::B3::testEntrySwitchSimple):
1937         (JSC::B3::testEntrySwitchNoEntrySwitch):
1938         (JSC::B3::testEntrySwitchWithCommonPaths):
1939         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
1940         (JSC::B3::testEntrySwitchLoop):
1941         * bytecode/AccessCase.cpp:
1942         (JSC::AccessCase::generateImpl):
1943         * bytecode/AccessCaseSnippetParams.cpp:
1944         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1945         * bytecode/InlineAccess.cpp:
1946         (JSC::linkCodeInline):
1947         (JSC::InlineAccess::rewireStubAsJump):
1948         * bytecode/PolymorphicAccess.cpp:
1949         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1950         (JSC::PolymorphicAccess::regenerate):
1951         * dfg/DFGJITCompiler.cpp:
1952         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1953         (JSC::DFG::JITCompiler::link):
1954         (JSC::DFG::JITCompiler::compileFunction):
1955         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1956         * dfg/DFGJITCompiler.h:
1957         (JSC::DFG::JITCompiler::appendCall):
1958         * dfg/DFGJITFinalizer.cpp:
1959         (JSC::DFG::JITFinalizer::finalize):
1960         (JSC::DFG::JITFinalizer::finalizeFunction):
1961         * dfg/DFGOSRExit.cpp:
1962         (JSC::DFG::OSRExit::emitRestoreArguments):
1963         (JSC::DFG::OSRExit::compileOSRExit):
1964         * dfg/DFGOSRExitCompilerCommon.cpp:
1965         (JSC::DFG::handleExitCounts):
1966         (JSC::DFG::osrWriteBarrier):
1967         (JSC::DFG::adjustAndJumpToTarget):
1968         * dfg/DFGSpeculativeJIT.cpp:
1969         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1970         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1971         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1972         * dfg/DFGSpeculativeJIT64.cpp:
1973         (JSC::DFG::SpeculativeJIT::compile):
1974         * dfg/DFGThunks.cpp:
1975         (JSC::DFG::osrExitThunkGenerator):
1976         (JSC::DFG::osrExitGenerationThunkGenerator):
1977         (JSC::DFG::osrEntryThunkGenerator):
1978         * ftl/FTLCompile.cpp:
1979         (JSC::FTL::compile):
1980         * ftl/FTLJITFinalizer.cpp:
1981         (JSC::FTL::JITFinalizer::finalizeCommon):
1982         * ftl/FTLLazySlowPath.cpp:
1983         (JSC::FTL::LazySlowPath::generate):
1984         * ftl/FTLLink.cpp:
1985         (JSC::FTL::link):
1986         * ftl/FTLLowerDFGToB3.cpp:
1987         (JSC::FTL::DFG::LowerDFGToB3::lower):
1988         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1989         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1990         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1991         * ftl/FTLOSRExitCompiler.cpp:
1992         (JSC::FTL::compileStub):
1993         (JSC::FTL::compileFTLOSRExit):
1994         * ftl/FTLSlowPathCall.cpp:
1995         (JSC::FTL::SlowPathCallContext::makeCall):
1996         * ftl/FTLThunks.cpp:
1997         (JSC::FTL::genericGenerationThunkGenerator):
1998         (JSC::FTL::osrExitGenerationThunkGenerator):
1999         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
2000         (JSC::FTL::slowPathCallThunkGenerator):
2001         * jit/AssemblyHelpers.cpp:
2002         (JSC::AssemblyHelpers::callExceptionFuzz):
2003         (JSC::AssemblyHelpers::debugCall):
2004         * jit/CCallHelpers.cpp:
2005         (JSC::CCallHelpers::ensureShadowChickenPacket):
2006         * jit/CCallHelpers.h:
2007         (JSC::CCallHelpers::jumpToExceptionHandler):
2008         * jit/ExecutableAllocator.cpp:
2009         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2010         * jit/JIT.cpp:
2011         (JSC::JIT::emitEnterOptimizationCheck):
2012         (JSC::JIT::link):
2013         (JSC::JIT::privateCompileExceptionHandlers):
2014         * jit/JIT.h:
2015         (JSC::JIT::appendCall):
2016         * jit/JITMathIC.h:
2017         (JSC::isProfileEmpty):
2018         * jit/JITOpcodes.cpp:
2019         (JSC::JIT::emit_op_catch):
2020         (JSC::JIT::emit_op_switch_imm):
2021         (JSC::JIT::emit_op_switch_char):
2022         (JSC::JIT::emit_op_switch_string):
2023         (JSC::JIT::emitSlow_op_loop_hint):
2024         (JSC::JIT::privateCompileHasIndexedProperty):
2025         * jit/JITOpcodes32_64.cpp:
2026         (JSC::JIT::emit_op_catch):
2027         (JSC::JIT::emit_op_switch_imm):
2028         (JSC::JIT::emit_op_switch_char):
2029         (JSC::JIT::emit_op_switch_string):
2030         (JSC::JIT::privateCompileHasIndexedProperty):
2031         * jit/JITPropertyAccess.cpp:
2032         (JSC::JIT::stringGetByValStubGenerator):
2033         (JSC::JIT::privateCompileGetByVal):
2034         (JSC::JIT::privateCompileGetByValWithCachedId):
2035         (JSC::JIT::privateCompilePutByVal):
2036         (JSC::JIT::privateCompilePutByValWithCachedId):
2037         * jit/JITPropertyAccess32_64.cpp:
2038         (JSC::JIT::stringGetByValStubGenerator):
2039         * jit/JITStubRoutine.h:
2040         * jit/Repatch.cpp:
2041         (JSC::readCallTarget):
2042         (JSC::appropriateOptimizingPutByIdFunction):
2043         (JSC::linkPolymorphicCall):
2044         (JSC::resetPutByID):
2045         * jit/SlowPathCall.h:
2046         (JSC::JITSlowPathCall::call):
2047         * jit/SpecializedThunkJIT.h:
2048         (JSC::SpecializedThunkJIT::finalize):
2049         (JSC::SpecializedThunkJIT::callDoubleToDouble):
2050         * jit/ThunkGenerators.cpp:
2051         (JSC::throwExceptionFromCallSlowPathGenerator):
2052         (JSC::slowPathFor):
2053         (JSC::linkCallThunkGenerator):
2054         (JSC::linkPolymorphicCallThunkGenerator):
2055         (JSC::virtualThunkFor):
2056         (JSC::nativeForGenerator):
2057         (JSC::arityFixupGenerator):
2058         (JSC::unreachableGenerator):
2059         (JSC::boundThisNoArgsFunctionCallGenerator):
2060         * llint/LLIntThunks.cpp:
2061         (JSC::LLInt::generateThunkWithJumpTo):
2062         (JSC::LLInt::functionForCallEntryThunkGenerator):
2063         (JSC::LLInt::functionForConstructEntryThunkGenerator):
2064         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
2065         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
2066         (JSC::LLInt::evalEntryThunkGenerator):
2067         (JSC::LLInt::programEntryThunkGenerator):
2068         (JSC::LLInt::moduleProgramEntryThunkGenerator):
2069         * runtime/PtrTag.h:
2070         * wasm/WasmB3IRGenerator.cpp:
2071         (JSC::Wasm::B3IRGenerator::addCall):
2072         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2073         * wasm/WasmBBQPlan.cpp:
2074         (JSC::Wasm::BBQPlan::complete):
2075         * wasm/WasmBinding.cpp:
2076         (JSC::Wasm::wasmToWasm):
2077         * wasm/WasmOMGPlan.cpp:
2078         (JSC::Wasm::OMGPlan::work):
2079         * wasm/WasmThunks.cpp:
2080         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2081         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2082         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2083         * wasm/js/WasmToJS.cpp:
2084         (JSC::Wasm::handleBadI64Use):
2085         (JSC::Wasm::wasmToJS):
2086         * yarr/YarrJIT.cpp:
2087         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
2088         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
2089         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
2090         (JSC::Yarr::YarrGenerator::generateEnter):
2091         (JSC::Yarr::YarrGenerator::YarrGenerator):
2092         (JSC::Yarr::YarrGenerator::compile):
2093         (JSC::Yarr::jitCompile):
2094         * yarr/YarrJIT.h:
2095         (JSC::Yarr::YarrCodeBlock::execute):
2096
2097 2018-03-14  Caitlin Potter  <caitp@igalia.com>
2098
2099         [JSC] fix order of evaluation for ClassDefinitionEvaluation
2100         https://bugs.webkit.org/show_bug.cgi?id=183523
2101
2102         Reviewed by Keith Miller.
2103
2104         Computed property names need to be evaluated in source order during class
2105         definition evaluation, as it's observable (and specified to work this way).
2106
2107         This change improves compatibility with Chromium.
2108
2109         * bytecompiler/BytecodeGenerator.h:
2110         (JSC::BytecodeGenerator::emitDefineClassElements):
2111         * bytecompiler/NodesCodegen.cpp:
2112         (JSC::PropertyListNode::emitBytecode):
2113         (JSC::ClassExprNode::emitBytecode):
2114         * parser/ASTBuilder.h:
2115         (JSC::ASTBuilder::createClassExpr):
2116         (JSC::ASTBuilder::createGetterOrSetterProperty):
2117         (JSC::ASTBuilder::createProperty):
2118         * parser/NodeConstructors.h:
2119         (JSC::PropertyNode::PropertyNode):
2120         (JSC::ClassExprNode::ClassExprNode):
2121         * parser/Nodes.cpp:
2122         (JSC::PropertyListNode::hasStaticallyNamedProperty):
2123         * parser/Nodes.h:
2124         (JSC::PropertyNode::isClassProperty const):
2125         (JSC::PropertyNode::isStaticClassProperty const):
2126         (JSC::PropertyNode::isInstanceClassProperty const):
2127         * parser/Parser.cpp:
2128         (JSC::Parser<LexerType>::parseClass):
2129         (JSC::Parser<LexerType>::parseProperty):
2130         (JSC::Parser<LexerType>::parseGetterSetter):
2131         * parser/Parser.h:
2132         * parser/SyntaxChecker.h:
2133         (JSC::SyntaxChecker::createClassExpr):
2134         (JSC::SyntaxChecker::createProperty):
2135         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2136
2137 2018-03-14  Keith Miller  <keith_miller@apple.com>
2138
2139         Move jsc CLI breakpoint function to $vm
2140         https://bugs.webkit.org/show_bug.cgi?id=183512
2141
2142         Reviewed by Yusuke Suzuki.
2143
2144         * jsc.cpp:
2145         (GlobalObject::finishCreation):
2146         (functionBreakpoint): Deleted.
2147         * tools/JSDollarVM.cpp:
2148         (JSC::functionBreakpoint):
2149         (JSC::JSDollarVM::finishCreation):
2150
2151 2018-03-14  Tim Horton  <timothy_horton@apple.com>
2152
2153         Fix the build after r229567
2154
2155         * Configurations/FeatureDefines.xcconfig:
2156
2157 2018-03-12  Mark Lam  <mark.lam@apple.com>
2158
2159         Gardening: speculative build fix for WinCairo.
2160         https://bugs.webkit.org/show_bug.cgi?id=183573
2161
2162         Not reviewed.
2163
2164         * runtime/NativeFunction.h:
2165         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2166
2167 2018-03-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2168
2169         Unreviewed, fix obsolete ASSERT
2170         https://bugs.webkit.org/show_bug.cgi?id=183310
2171
2172         Now NewObject can be converted from CallObjectConstructor and CreateThis.
2173
2174         * dfg/DFGNode.h:
2175         (JSC::DFG::Node::convertToNewObject):
2176
2177 2018-03-12  Tim Horton  <timothy_horton@apple.com>
2178
2179         Stop using SDK conditionals to control feature definitions
2180         https://bugs.webkit.org/show_bug.cgi?id=183430
2181         <rdar://problem/38251619>
2182
2183         Reviewed by Dan Bernstein.
2184
2185         * Configurations/FeatureDefines.xcconfig:
2186         * Configurations/WebKitTargetConditionals.xcconfig: Renamed.
2187
2188 2018-03-12  Yoav Weiss  <yoav@yoav.ws>
2189
2190         Runtime flag for link prefetch and remove link subresource.
2191         https://bugs.webkit.org/show_bug.cgi?id=183540
2192
2193         Reviewed by Chris Dumez.
2194
2195         Remove the LINK_PREFETCH build time flag.
2196
2197         * Configurations/FeatureDefines.xcconfig:
2198
2199 2018-03-12  Mark Lam  <mark.lam@apple.com>
2200
2201         Gardening: speculative build fix for Windows.
2202         https://bugs.webkit.org/show_bug.cgi?id=183573
2203
2204         Not reviewed.
2205
2206         * runtime/NativeFunction.h:
2207         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2208
2209 2018-03-12  Mark Lam  <mark.lam@apple.com>
2210
2211         Add another PtrTag.
2212         https://bugs.webkit.org/show_bug.cgi?id=183580
2213         <rdar://problem/38390584>
2214
2215         Reviewed by Keith Miller.
2216
2217         * runtime/PtrTag.h:
2218
2219 2018-03-12  Mark Lam  <mark.lam@apple.com>
2220
2221         Make a NativeFunction into a class to support pointer profiling.
2222         https://bugs.webkit.org/show_bug.cgi?id=183573
2223         <rdar://problem/38384697>
2224
2225         Reviewed by Filip Pizlo.
2226
2227         1. NativeFunction is now a class, and we introduce RawNativeFunction and
2228            TaggedNativeFunction.
2229
2230            RawNativeFunction is the raw pointer type (equivalent
2231            to the old definition of NativeFunction).  This is mainly used for underlying
2232            storage inside the NativeFunction class, and also for global data tables that
2233            cannot embed non-trivially constructed objects.
2234
2235            NativeFunction's role is mainly to encapsulate a pointer to a C function that
2236            we pass into the VM.
2237
2238            TaggedNativeFunction encapsulates the tagged version of a pointer to a C
2239            function that we track in the VM.
2240
2241         2. Added a convenience constructor for TrustedImmPtr so that we don't have to
2242            cast function pointers to void* anymore when constructing a TrustedImmPtr.
2243
2244         3. Removed the unused CALL_RETURN macro in CommonSlowPaths.cpp.
2245
2246         4. Added more PtrTag utility functions.
2247
2248         * CMakeLists.txt:
2249         * JavaScriptCore.xcodeproj/project.pbxproj:
2250         * assembler/AbstractMacroAssembler.h:
2251         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
2252         * create_hash_table:
2253         * interpreter/Interpreter.cpp:
2254         (JSC::Interpreter::executeCall):
2255         (JSC::Interpreter::executeConstruct):
2256         * interpreter/InterpreterInlines.h:
2257         (JSC::Interpreter::getOpcodeID):
2258         * jit/JITThunks.cpp:
2259         (JSC::JITThunks::hostFunctionStub):
2260         * jit/JITThunks.h:
2261         * llint/LLIntData.cpp:
2262         (JSC::LLInt::initialize):
2263         * llint/LLIntSlowPaths.cpp:
2264         (JSC::LLInt::setUpCall):
2265         * llint/LowLevelInterpreter.asm:
2266         * llint/LowLevelInterpreter.cpp:
2267         (JSC::CLoop::execute):
2268         * llint/LowLevelInterpreter64.asm:
2269         * offlineasm/ast.rb:
2270         * runtime/CallData.h:
2271         * runtime/CommonSlowPaths.cpp:
2272         * runtime/ConstructData.h:
2273         * runtime/InternalFunction.h:
2274         (JSC::InternalFunction::nativeFunctionFor):
2275         * runtime/JSCell.cpp:
2276         (JSC::JSCell::getCallData):
2277         (JSC::JSCell::getConstructData):
2278         * runtime/JSFunction.h:
2279         * runtime/JSFunctionInlines.h:
2280         (JSC::JSFunction::nativeFunction):
2281         (JSC::JSFunction::nativeConstructor):
2282         (JSC::isHostFunction):
2283         * runtime/Lookup.h:
2284         (JSC::HashTableValue::function const):
2285         (JSC::HashTableValue::accessorGetter const):
2286         (JSC::HashTableValue::accessorSetter const):
2287         (JSC::nonCachingStaticFunctionGetter):
2288         * runtime/NativeExecutable.cpp:
2289         (JSC::NativeExecutable::create):
2290         (JSC::NativeExecutable::NativeExecutable):
2291         * runtime/NativeExecutable.h:
2292         * runtime/NativeFunction.h: Added.
2293         (JSC::NativeFunction::NativeFunction):
2294         (JSC::NativeFunction::operator intptr_t const):
2295         (JSC::NativeFunction::operator bool const):
2296         (JSC::NativeFunction::operator! const):
2297         (JSC::NativeFunction::operator== const):
2298         (JSC::NativeFunction::operator!= const):
2299         (JSC::NativeFunction::operator()):
2300         (JSC::NativeFunction::rawPointer const):
2301         (JSC::NativeFunctionHash::hash):
2302         (JSC::NativeFunctionHash::equal):
2303         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2304         (JSC::TaggedNativeFunction::operator bool const):
2305         (JSC::TaggedNativeFunction::operator! const):
2306         (JSC::TaggedNativeFunction::operator== const):
2307         (JSC::TaggedNativeFunction::operator!= const):
2308         (JSC::TaggedNativeFunction::operator()):
2309         (JSC::TaggedNativeFunction::operator NativeFunction):
2310         (JSC::TaggedNativeFunction::rawPointer const):
2311         (JSC::TaggedNativeFunctionHash::hash):
2312         (JSC::TaggedNativeFunctionHash::equal):
2313         * runtime/PtrTag.h:
2314         (JSC::tagCFunctionPtr):
2315         (JSC::untagCFunctionPtr):
2316         * runtime/VM.h:
2317         (JSC::VM::targetMachinePCForThrowOffset): Deleted.
2318
2319 2018-03-12  Filip Pizlo  <fpizlo@apple.com>
2320
2321         Unreviewed, fix simple goof that was causing 32-bit DFG crashes.
2322
2323         * dfg/DFGSpeculativeJIT.cpp:
2324         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2325
2326 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2327
2328         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
2329         https://bugs.webkit.org/show_bug.cgi?id=183310
2330
2331         Reviewed by Filip Pizlo.
2332
2333         This patch implements CreateThis -> NewObject conversion in AI if the given function is constant.
2334         This contributes to 6% win in Octane/raytrace.
2335
2336                                         baseline                  patched
2337
2338             raytrace       x2       1.19915+-0.01862    ^     1.13156+-0.01589       ^ definitely 1.0597x faster
2339
2340         * dfg/DFGAbstractInterpreterInlines.h:
2341         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2342         * dfg/DFGConstantFoldingPhase.cpp:
2343         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2344
2345 2018-03-11  Wenson Hsieh  <wenson_hsieh@apple.com>
2346
2347         Disable Sigill crash analyzer on watchOS
2348         https://bugs.webkit.org/show_bug.cgi?id=183548
2349         <rdar://problem/38338032>
2350
2351         Reviewed by Mark Lam.
2352
2353         Sigill is not supported on watchOS.
2354
2355         * runtime/Options.cpp:
2356         (JSC::overrideDefaults):
2357
2358 2018-03-09  Filip Pizlo  <fpizlo@apple.com>
2359
2360         Split DirectArguments into JSValueOOB and JSValueStrict parts
2361         https://bugs.webkit.org/show_bug.cgi?id=183458
2362
2363         Reviewed by Yusuke Suzuki.
2364         
2365         Our Spectre plan for JSValue objects is to allow inline JSValue stores and loads guarded by
2366         unmitigated structure checks. This works because objects reachable from JSValues (i.e. JSValue
2367         objects, like String, Symbol, and any descendant of JSObject) will only contain fields that it's OK
2368         to read and write within a Spectre mitigation window. Writes are important, because within the
2369         window, a write could appear to be made speculatively and rolled out later. This means that:
2370         
2371         - JSValue objects cannot have lengths, masks, or anything else inline.
2372         
2373         - JSValue objects cannot have an inline type that is used as part of a Spectre mitigation for a type
2374           check, unless that type is in the form of a poison key.
2375         
2376         This means that the dynamic poisoning that I previously landed for DirectArguments is wrong. It also
2377         means that it's wrong for DirectArguments to have an inline length.
2378         
2379         This changes DirectArguments to use poisoning according to the universal formula:
2380         
2381         - The random accessed portions are out-of-line, pointed to by a poisoned pointer.
2382         
2383         - No inline length.
2384         
2385         Surprisingly, this is perf-neutral. It's probably perf-neutral because our compiler optimizations
2386         amortize whatever cost there was.
2387
2388         * bytecode/AccessCase.cpp:
2389         (JSC::AccessCase::generateWithGuard):
2390         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2391         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
2392         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Added.
2393         (JSC::DFG::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator):
2394         * dfg/DFGSpeculativeJIT.cpp:
2395         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2396         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2397         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2398         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
2399         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
2400         * ftl/FTLAbstractHeapRepository.h:
2401         * ftl/FTLLowerDFGToB3.cpp:
2402         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
2403         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2404         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2405         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
2406         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
2407         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2408         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell):
2409         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
2410         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
2411         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
2412         * heap/SecurityKind.h:
2413         * jit/JITPropertyAccess.cpp:
2414         (JSC::JIT::emit_op_get_from_arguments):
2415         (JSC::JIT::emit_op_put_to_arguments):
2416         (JSC::JIT::emitDirectArgumentsGetByVal):
2417         * jit/JITPropertyAccess32_64.cpp:
2418         (JSC::JIT::emit_op_get_from_arguments):
2419         (JSC::JIT::emit_op_put_to_arguments):
2420         * llint/LowLevelInterpreter.asm:
2421         * llint/LowLevelInterpreter32_64.asm:
2422         * llint/LowLevelInterpreter64.asm:
2423         * runtime/DirectArguments.cpp:
2424         (JSC::DirectArguments::DirectArguments):
2425         (JSC::DirectArguments::createUninitialized):
2426         (JSC::DirectArguments::create):
2427         (JSC::DirectArguments::createByCopying):
2428         (JSC::DirectArguments::estimatedSize):
2429         (JSC::DirectArguments::visitChildren):
2430         (JSC::DirectArguments::overrideThings):
2431         (JSC::DirectArguments::copyToArguments):
2432         (JSC::DirectArguments::mappedArgumentsSize):
2433         * runtime/DirectArguments.h:
2434         * runtime/JSCPoison.h:
2435         * runtime/JSLexicalEnvironment.h:
2436         * runtime/JSSymbolTableObject.h:
2437         * runtime/VM.cpp:
2438         (JSC::VM::VM):
2439         * runtime/VM.h:
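The layout rule this entry states (the randomly indexed storage out of line behind a poisoned pointer, and no inline length), as an added illustration that is not part of the ChangeLog or of JSC's own code; the class, its method names and the poison key value are assumptions:

```cpp
#include <cstdint>
#include <vector>

// Constructed illustration of the "universal formula" in the entry above; not
// JSC's code, and the names and the poison key are assumptions. The inline
// object holds nothing but a poisoned pointer: no length, no mask, nothing that
// a load through a wrong type could turn into an in-bounds-looking value inside
// a mis-speculated window. The length and the indexed slots live out of line.

// Per-kind poison key. JSC derives its keys at VM startup; a fixed constant stands in here.
static constexpr uintptr_t kArgumentsStoragePoison = 0x5a5a3c3c9e9e1f1fULL;

// Out-of-line block: the length and the slots that script indexes at runtime.
struct OutOfLineStorage {
    uint32_t length;
    std::vector<uint64_t> slots;
    explicit OutOfLineStorage(uint32_t n) : length(n), slots(n, 0) {}
};

class PoisonedArguments {
public:
    explicit PoisonedArguments(uint32_t length)
        : m_poisonedStorage(poison(new OutOfLineStorage(length))) {}
    ~PoisonedArguments() { delete storage(); }
    PoisonedArguments(const PoisonedArguments&) = delete;
    PoisonedArguments& operator=(const PoisonedArguments&) = delete;

    // The length is only reachable through the unpoisoned pointer, never inline.
    uint32_t length() const { return storage()->length; }

    // Bounds checks are made against the out-of-line length; `index` comes from script.
    bool get(uint32_t index, uint64_t& out) const {
        const OutOfLineStorage* s = storage();
        if (index >= s->length) return false;
        out = s->slots[index];
        return true;
    }
    bool put(uint32_t index, uint64_t value) {
        OutOfLineStorage* s = storage();
        if (index >= s->length) return false;
        s->slots[index] = value;
        return true;
    }

    // The bits actually stored inline versus the real address they encode.
    uintptr_t inlineBits() const { return m_poisonedStorage; }
    uintptr_t storageAddress() const { return reinterpret_cast<uintptr_t>(storage()); }

private:
    static uintptr_t poison(OutOfLineStorage* p) { return reinterpret_cast<uintptr_t>(p) ^ kArgumentsStoragePoison; }
    OutOfLineStorage* storage() const { return reinterpret_cast<OutOfLineStorage*>(m_poisonedStorage ^ kArgumentsStoragePoison); }
    uintptr_t m_poisonedStorage; // the only inline field
};

// Round trip through the poisoned pointer: stores and loads behave normally, and
// out-of-range indices are rejected against the out-of-line length.
bool roundTripWorks() {
    PoisonedArguments args(3);
    uint64_t v = 0;
    return args.length() == 3 && args.put(1, 42) && args.get(1, v) && v == 42
        && !args.get(3, v) && !args.put(7, 1);
}

// The inline field never holds the plain address; only the per-kind key recovers it.
bool inlineFieldIsPoisoned() {
    PoisonedArguments args(1);
    return args.inlineBits() != args.storageAddress()
        && (args.inlineBits() ^ kArgumentsStoragePoison) == args.storageAddress();
}
```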
2440
2441 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2442
2443         [B3] Above/Below should be strength-reduced for comparison with 0
2444         https://bugs.webkit.org/show_bug.cgi?id=183543
2445
2446         Reviewed by Filip Pizlo.
2447
2448         Above(0, x) and BelowEqual(0, x) can be converted to constants false and true respectively.
2449         This can be seen in ArraySlice(0) case: `Select(Above(0, length), length, 0)` this should
2450         be converted to `0`. This patch adds such a folding to comparisons.
2451
2452         We also fix B3ReduceStrength issue creating an orphan value. If a flipped value is folded to
2453         a constant, we do not insert flipped value and make it an orphan. This issue causes JSC test
2454         failure with this B3Const32/64Value change. With this patch, we create a flipped value only
2455         when we fail to fold it to a constant.
2456
2457         * b3/B3Const32Value.cpp:
2458         (JSC::B3::Const32Value::lessThanConstant const):
2459         (JSC::B3::Const32Value::greaterThanConstant const):
2460         (JSC::B3::Const32Value::lessEqualConstant const):
2461         (JSC::B3::Const32Value::greaterEqualConstant const):
2462         (JSC::B3::Const32Value::aboveConstant const):
2463         (JSC::B3::Const32Value::belowConstant const):
2464         (JSC::B3::Const32Value::aboveEqualConstant const):
2465         (JSC::B3::Const32Value::belowEqualConstant const):
2466         * b3/B3Const64Value.cpp:
2467         (JSC::B3::Const64Value::lessThanConstant const):
2468         (JSC::B3::Const64Value::greaterThanConstant const):
2469         (JSC::B3::Const64Value::lessEqualConstant const):
2470         (JSC::B3::Const64Value::greaterEqualConstant const):
2471         (JSC::B3::Const64Value::aboveConstant const):
2472         (JSC::B3::Const64Value::belowConstant const):
2473         (JSC::B3::Const64Value::aboveEqualConstant const):
2474         (JSC::B3::Const64Value::belowEqualConstant const):
2475         * b3/B3ReduceStrength.cpp:
2476         * b3/testb3.cpp:
2477         (JSC::B3::int64Operands):
2478         (JSC::B3::int32Operands):
2479
2480 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2481
2482         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
2483         https://bugs.webkit.org/show_bug.cgi?id=181848
2484
2485         Reviewed by Sam Weinig.
2486
2487         In r181535, we support `string.match(/nonglobal/)` code. However, `string.match(/global/g)` is not
2488         optimized since it sets `lastIndex` value before performing RegExp operation.
2489
2490         This patch optimizes the above "with a global flag" case by emitting `SetRegExpObjectLastIndex` properly.
2491         RegExpMatchFast is converted to SetRegExpObjectLastIndex and RegExpMatchFastGlobal. The latter node
2492         just holds RegExp (not RegExpObject) cell so that it can offer a chance to make NewRegexp PhantomNewRegexp
2493         in object allocation sinking phase.
2494
2495         The added microbenchmarks show that this patch makes NewRegexp PhantomNewRegexp even if the given RegExp
2496         has a global flag, and it improves the performance.
2497
2498                                       baseline                  patched
2499
2500         regexp-u-global-es5       44.1298+-4.6128     ^     33.7920+-2.0110        ^ definitely 1.3059x faster
2501         regexp-u-global-es6      182.3272+-2.2861     ^    154.3414+-7.6769        ^ definitely 1.1813x faster
2502
2503         * dfg/DFGAbstractInterpreterInlines.h:
2504         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2505         * dfg/DFGClobberize.h:
2506         (JSC::DFG::clobberize):
2507         * dfg/DFGDoesGC.cpp:
2508         (JSC::DFG::doesGC):
2509         * dfg/DFGFixupPhase.cpp:
2510         (JSC::DFG::FixupPhase::fixupNode):
2511         * dfg/DFGMayExit.cpp:
2512         * dfg/DFGNode.cpp:
2513         (JSC::DFG::Node::convertToRegExpMatchFastGlobal):
2514         * dfg/DFGNode.h:
2515         (JSC::DFG::Node::hasHeapPrediction):
2516         (JSC::DFG::Node::hasCellOperand):
2517         * dfg/DFGNodeType.h:
2518         * dfg/DFGOperations.cpp:
2519         * dfg/DFGOperations.h:
2520         * dfg/DFGPredictionPropagationPhase.cpp:
2521         * dfg/DFGSafeToExecute.h:
2522         (JSC::DFG::safeToExecute):
2523         * dfg/DFGSpeculativeJIT.cpp:
2524         (JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal):
2525         * dfg/DFGSpeculativeJIT.h:
2526         * dfg/DFGSpeculativeJIT32_64.cpp:
2527         (JSC::DFG::SpeculativeJIT::compile):
2528         * dfg/DFGSpeculativeJIT64.cpp:
2529         (JSC::DFG::SpeculativeJIT::compile):
2530         * dfg/DFGStrengthReductionPhase.cpp:
2531         (JSC::DFG::StrengthReductionPhase::handleNode):
2532         * ftl/FTLCapabilities.cpp:
2533         (JSC::FTL::canCompile):
2534         * ftl/FTLLowerDFGToB3.cpp:
2535         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2536         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
2537         * runtime/RegExpObject.cpp:
2538         (JSC::collectMatches): Deleted.
2539         * runtime/RegExpObject.h:
2540         * runtime/RegExpObjectInlines.h:
2541         (JSC::RegExpObject::execInline):
2542         (JSC::RegExpObject::matchInline):
2543         (JSC::advanceStringUnicode):
2544         (JSC::collectMatches):
2545         (JSC::RegExpObject::advanceStringUnicode): Deleted.
2546         * runtime/RegExpPrototype.cpp:
2547         (JSC::advanceStringIndex):
2548
2549 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2550
2551         B3::reduceStrength should canonicalize integer comparisons
2552         https://bugs.webkit.org/show_bug.cgi?id=150958
2553
2554         Reviewed by Filip Pizlo.
2555
2556         This patch sorts operands of comparisons by flipping opcode. For example, `Above(0, @2)` is
2557         converted to `Below(@2, 0)`. This sorting is the same as the handleCommutativity rule. Since we
2558         canonicalize comparisons to have constant value at least on the right hand side, we can
2559         remove pattern matchings checking leftImm in B3LowerToAir.
2560
2561         Since this flipping changes the opcode of the value, to do this safely, we just create a
2562         new value which has flipped opcode and swapped operands. If we can fold it to a constant,
2563         we replace m_value with this constant. If we fail to fold it to constant, we replace
2564         m_value with the flipped one.
2565
2566         These comparisons are already handled in testb3.
2567
2568         * b3/B3LowerToAir.cpp:
2569         * b3/B3ReduceStrength.cpp:
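The comparison canonicalization described in this entry, together with the Above/Below-against-0 folding and the orphan-value fix from the 2018-03-11 B3 entry above, as an added example that is not JSC's own code; the miniature Value/Graph types, `reduceComparison` and `selfCheck` are assumptions:

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <optional>
#include <utility>
#include <vector>

// Constructed miniature of the B3 comparison reductions described in the two
// entries; not JSC's code. Node and function names are assumptions.
enum class Opcode { Const64, Argument, Above, Below, AboveEqual, BelowEqual };

struct Value {
    Opcode opcode;
    int64_t constant = 0; // meaningful only for Const64
    Value* left = nullptr;
    Value* right = nullptr;
    bool isConstant() const { return opcode == Opcode::Const64; }
};

// Owns every Value ever created, as a B3 Procedure does: a value that is created
// but never installed in the program stays here as an orphan.
struct Graph {
    std::vector<std::unique_ptr<Value>> values;
    Value* add(Value v) { values.push_back(std::make_unique<Value>(v)); return values.back().get(); }
    Value* constant(int64_t c) { return add({Opcode::Const64, c}); }
    Value* argument() { return add({Opcode::Argument}); }
    Value* compare(Opcode op, Value* l, Value* r) { return add({op, 0, l, r}); }
    size_t size() const { return values.size(); }
};

// Opcode that yields the same answer once the operands are swapped: Above(a, b) == Below(b, a).
static Opcode flipped(Opcode op) {
    return op == Opcode::Above ? Opcode::Below : op == Opcode::Below ? Opcode::Above
        : op == Opcode::AboveEqual ? Opcode::BelowEqual : Opcode::AboveEqual;
}

// Unsigned semantics, as for B3's Above/Below family.
static bool evaluate(Opcode op, uint64_t a, uint64_t b) {
    return op == Opcode::Above ? a > b : op == Opcode::Below ? a < b
        : op == Opcode::AboveEqual ? a >= b : a <= b;
}

// The belowConstant/aboveEqualConstant-style folds: with the constant on the right,
// some unsigned comparisons are decided whatever the left operand is.
static std::optional<bool> foldAgainstConstant(Opcode op, uint64_t rhs) {
    if (rhs == 0 && op == Opcode::Below) return false;     // nothing is unsigned-below 0
    if (rhs == 0 && op == Opcode::AboveEqual) return true; // everything is unsigned >= 0
    if (rhs == UINT64_MAX && op == Opcode::Above) return false;
    if (rhs == UINT64_MAX && op == Opcode::BelowEqual) return true;
    return std::nullopt;
}

// Returns the value that should replace `value` in the program (possibly `value` itself).
Value* reduceComparison(Graph& graph, Value* value) {
    if (value->opcode < Opcode::Above) return value; // not a comparison
    Opcode op = value->opcode;
    Value* left = value->left;
    Value* right = value->right;
    // Canonicalize: a constant belongs on the right, mirroring handleCommutativity.
    bool needsFlip = left->isConstant() && !right->isConstant();
    if (needsFlip) { std::swap(left, right); op = flipped(op); }
    if (left->isConstant() && right->isConstant())
        return graph.constant(evaluate(op, uint64_t(left->constant), uint64_t(right->constant)));
    if (right->isConstant()) {
        if (std::optional<bool> folded = foldAgainstConstant(op, uint64_t(right->constant)))
            return graph.constant(*folded);
    }
    // Folding failed: only now materialize the flipped value, so a successful fold
    // never leaves an unused flipped node behind.
    return needsFlip ? graph.compare(op, left, right) : value;
}

// Worked cases from the entries; true when each reduces as described and the
// graph grows by exactly the one node the result needs (no orphan).
bool selfCheck() {
    Graph g;
    Value* x = g.argument();
    Value* zero = g.constant(0);
    Value* five = g.constant(5);
    // Reduce `cmp` and report how many nodes the reduction allocated.
    auto reduce = [&](Value* cmp, size_t& allocated) {
        size_t before = g.size();
        Value* r = reduceComparison(g, cmp);
        allocated = g.size() - before;
        return r;
    };
    size_t allocated = 0;
    Value* r1 = reduce(g.compare(Opcode::Above, zero, x), allocated);      // Below(x, 0) -> false
    if (!r1->isConstant() || r1->constant != 0 || allocated != 1) return false;
    Value* r2 = reduce(g.compare(Opcode::BelowEqual, zero, x), allocated); // AboveEqual(x, 0) -> true
    if (!r2->isConstant() || r2->constant != 1 || allocated != 1) return false;
    Value* r3 = reduce(g.compare(Opcode::Above, five, x), allocated);      // Below(x, 5), not foldable
    if (r3->opcode != Opcode::Below || r3->left != x || r3->right != five || allocated != 1) return false;
    Value* c4 = g.compare(Opcode::Above, x, zero);                          // canonical, undecidable
    return reduce(c4, allocated) == c4 && allocated == 0;
}
```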
2570
2571 2018-03-09  Mark Lam  <mark.lam@apple.com>
2572
2573         offlineasm should reset the Assembler's working state before doing another pass for a new target.
2574         https://bugs.webkit.org/show_bug.cgi?id=183538
2575         <rdar://problem/38325955>
2576
2577         Reviewed by Michael Saboff.
2578
2579         * llint/LowLevelInterpreter.cpp:
2580         * offlineasm/asm.rb:
2581         * offlineasm/cloop.rb:
2582
2583 2018-03-09  Brian Burg  <bburg@apple.com>
2584
2585         Web Inspector: there should only be one way for async backend commands to send failure
2586         https://bugs.webkit.org/show_bug.cgi?id=183524
2587
2588         Reviewed by Timothy Hatcher.
2589
2590         If this is an async command, errors should be reported with BackendDispatcher::CallbackBase::sendFailure.
2591         To avoid mixups, don't include the ErrorString out-parameter in generated async command signatures.
2592         This change only affects interfaces generated for C++ backend dispatchers.
2593
2594         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2595         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
2596         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2597         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2598         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2599
2600 2018-03-09  Mark Lam  <mark.lam@apple.com>
2601
2602         Build fix after r229476.
2603         https://bugs.webkit.org/show_bug.cgi?id=183488
2604
2605         Not reviewed.
2606
2607         * runtime/StackAlignment.h:
2608
2609 2018-03-09  Mark Lam  <mark.lam@apple.com>
2610
2611         [Re-landing] Add support for ARM64E.
2612         https://bugs.webkit.org/show_bug.cgi?id=183398
2613         <rdar://problem/38212621>
2614
2615         Reviewed by Michael Saboff.
2616
2617         * assembler/MacroAssembler.h:
2618         * llint/LLIntOfflineAsmConfig.h:
2619         * llint/LowLevelInterpreter.asm:
2620         * llint/LowLevelInterpreter64.asm:
2621         * offlineasm/backends.rb:
2622
2623 2018-03-09  Mark Lam  <mark.lam@apple.com>
2624
2625         [Re-landing] Prepare LLInt code to support pointer profiling.
2626         https://bugs.webkit.org/show_bug.cgi?id=183387
2627         <rdar://problem/38199678>
2628
2629         Reviewed by JF Bastien.
2630
2631         1. Introduced PtrTag enums for supporting pointer profiling later.
2632
2633         2. Also introduced tagging, untagging, retagging, and tag removal placeholder
2634            template functions for the same purpose.
2635
2636         3. Prepare the offlineasm for supporting pointer profiling later.
2637
2638         4. Tagged some pointers in LLInt asm code.  Currently, these should have no
2639            effect on behavior.
2640
2641         5. Removed returnToThrowForThrownException() because it is not used anywhere.
2642
2643         6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
2644            easier to view and edit these files in Xcode.
2645
2646         * CMakeLists.txt:
2647         * JavaScriptCore.xcodeproj/project.pbxproj:
2648         * bytecode/LLIntCallLinkInfo.h:
2649         (JSC::LLIntCallLinkInfo::unlink):
2650         * llint/LLIntData.cpp:
2651         (JSC::LLInt::initialize):
2652         * llint/LLIntData.h:
2653         * llint/LLIntExceptions.cpp:
2654         (JSC::LLInt::returnToThrowForThrownException): Deleted.
2655         * llint/LLIntExceptions.h:
2656         * llint/LLIntOfflineAsmConfig.h:
2657         * llint/LLIntOffsetsExtractor.cpp:
2658         * llint/LLIntPCRanges.h:
2659         (JSC::LLInt::isLLIntPC):
2660         * llint/LLIntSlowPaths.cpp:
2661         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2662         (JSC::LLInt::handleHostCall):
2663         (JSC::LLInt::setUpCall):
2664         * llint/LowLevelInterpreter.asm:
2665         * llint/LowLevelInterpreter32_64.asm:
2666         * llint/LowLevelInterpreter64.asm:
2667         * offlineasm/ast.rb:
2668         * offlineasm/instructions.rb:
2669         * offlineasm/risc.rb:
2670         * runtime/PtrTag.h: Added.
2671         (JSC::uniquePtrTagID):
2672         (JSC::ptrTag):
2673         (JSC::tagCodePtr):
2674         (JSC::untagCodePtr):
2675         (JSC::retagCodePtr):
2676         (JSC::removeCodePtrTag):
2677
2678 2018-03-09  Mark Lam  <mark.lam@apple.com>
2679
2680         Remove unused LLINT_STATS feature.
2681         https://bugs.webkit.org/show_bug.cgi?id=183522
2682         <rdar://problem/38313139>
2683
2684         Rubber-stamped by Keith Miller.
2685
2686         We haven't used this in a while, and it is one more option that makes offlineasm
2687         build slower.  We can always re-introduce this later if we need it.
2688
2689         * jsc.cpp:
2690         * llint/LLIntCommon.h:
2691         * llint/LLIntData.cpp:
2692         (JSC::LLInt::initialize):
2693         (JSC::LLInt::Data::finalizeStats): Deleted.
2694         (JSC::LLInt::compareStats): Deleted.
2695         (JSC::LLInt::Data::dumpStats): Deleted.
2696         (JSC::LLInt::Data::ensureStats): Deleted.
2697         (JSC::LLInt::Data::loadStats): Deleted.
2698         (JSC::LLInt::Data::resetStats): Deleted.
2699         (JSC::LLInt::Data::saveStats): Deleted.
2700         * llint/LLIntData.h:
2701         (): Deleted.
2702         (JSC::LLInt::Data::opcodeStats): Deleted.
2703         * llint/LLIntOfflineAsmConfig.h:
2704         * llint/LLIntSlowPaths.cpp:
2705         * llint/LLIntSlowPaths.h:
2706         * llint/LowLevelInterpreter.asm:
2707         * llint/LowLevelInterpreter32_64.asm:
2708         * llint/LowLevelInterpreter64.asm:
2709         * runtime/Options.cpp:
2710         (JSC::Options::isAvailable):
2711         (JSC::recomputeDependentOptions):
2712         * runtime/Options.h:
2713         * runtime/TestRunnerUtils.cpp:
2714         (JSC::finalizeStatsAtEndOfTesting):
2715
2716 2018-03-09  Michael Saboff  <msaboff@apple.com>
2717
2718         Relanding "testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64"
2719         https://bugs.webkit.org/show_bug.cgi?id=183488
2720
2721         It applied and built just fine locally.
2722
2723         * assembler/testmasm.cpp:
2724         (JSC::testBranchTruncateDoubleToInt32):
2725
2726 2018-03-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2727
2728         Unreviewed, remove WebAssemblyFunctionType
2729         https://bugs.webkit.org/show_bug.cgi?id=183429
2730
2731         Drop WebAssemblyFunctionType since it is no longer used. This breaks the
2732         JSCast assumption that all the derived classes of JSFunction use
2733         JSFunctionType. We also add ASSERT for JSFunction::finishCreation.
2734
2735         * runtime/JSFunction.cpp:
2736         (JSC::JSFunction::finishCreation):
2737         * runtime/JSType.h:
2738         * wasm/js/WebAssemblyFunction.cpp:
2739         (JSC::WebAssemblyFunction::createStructure):
2740         * wasm/js/WebAssemblyFunction.h:
2741
2742 2018-03-09  Ryan Haddad  <ryanhaddad@apple.com>
2743
2744         Unreviewed, rolling out r229446.
2745
2746         This change relies on changes that have been rolled out.
2747
2748         Reverted changeset:
2749
2750         "testmasm crashes in testBranchTruncateDoubleToInt32() on
2751         ARM64"
2752         https://bugs.webkit.org/show_bug.cgi?id=183488
2753         https://trac.webkit.org/changeset/229446
2754
2755 2018-03-08  Chris Dumez  <cdumez@apple.com>
2756
2757         Safari not handling undefined global variables with same name as element Id correctly.
2758         https://bugs.webkit.org/show_bug.cgi?id=183087
2759         <rdar://problem/37927596>
2760
2761         Reviewed by Ryosuke Niwa.
2762
2763         Global variables (var foo;) should not be hidden by:
2764         - Named properties
2765         - Properties on the prototype chain
2766
2767         Therefore, we now have JSGlobalObject::addVar() call JSGlobalObject::addGlobalVar()
2768         if !hasOwnProperty() instead of !hasProperty.
2769
2770         This aligns our behavior with Chrome and Firefox.
2771
2772         * runtime/JSGlobalObject.h:
2773         (JSC::JSGlobalObject::addVar):
2774
2775 2018-03-08  Commit Queue  <commit-queue@webkit.org>
2776
2777         Unreviewed, rolling out r229354 and r229364.
2778         https://bugs.webkit.org/show_bug.cgi?id=183492
2779
2780         Breaks internal builds (Requested by ryanhaddad on #webkit).
2781
2782         Reverted changesets:
2783
2784         "Prepare LLInt code to support pointer profiling."
2785         https://bugs.webkit.org/show_bug.cgi?id=183387
2786         https://trac.webkit.org/changeset/229354
2787
2788         "Add support for ARM64E."
2789         https://bugs.webkit.org/show_bug.cgi?id=183398
2790         https://trac.webkit.org/changeset/229364
2791
2792 2018-03-08  Michael Saboff  <msaboff@apple.com>
2793
2794         testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64
2795         https://bugs.webkit.org/show_bug.cgi?id=183488
2796
2797         Reviewed by Mark Lam.
2798
2799         Using stackAlignmentBytes() will keep the stack properly aligned.
2800
2801         * assembler/testmasm.cpp:
2802         (JSC::testBranchTruncateDoubleToInt32):
2803
2804 2018-03-08  Michael Saboff  <msaboff@apple.com>
2805
2806         Emit code to zero the stack frame on function entry
2807         https://bugs.webkit.org/show_bug.cgi?id=183391
2808
2809         Reviewed by Mark Lam.
2810
2811         Added code to zero incoming stack frame behind a new JSC option, zeroStackFrame.
2812         The default setting of the option is off.
2813
2814         Did some minor refactoring of the YarrJIT stack alignment code.
2815
2816         * b3/air/AirCode.cpp:
2817         (JSC::B3::Air::defaultPrologueGenerator):
2818         * dfg/DFGJITCompiler.cpp:
2819         (JSC::DFG::JITCompiler::compile):
2820         (JSC::DFG::JITCompiler::compileFunction):
2821         * dfg/DFGSpeculativeJIT.cpp:
2822         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2823         * dfg/DFGThunks.cpp:
2824         (JSC::DFG::osrEntryThunkGenerator):
2825         * ftl/FTLLowerDFGToB3.cpp:
2826         (JSC::FTL::DFG::LowerDFGToB3::lower):
2827         * jit/AssemblyHelpers.h:
2828         (JSC::AssemblyHelpers::clearStackFrame):
2829         * jit/JIT.cpp:
2830         (JSC::JIT::compileWithoutLinking):
2831         * llint/LowLevelInterpreter.asm:
2832         * runtime/Options.h:
2833         * yarr/YarrJIT.cpp:
2834         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
2835         (JSC::Yarr::YarrGenerator::initCallFrame):
2836         (JSC::Yarr::YarrGenerator::removeCallFrame):
2837
2838 2018-03-08  Keith Miller  <keith_miller@apple.com>
2839
2840         Unreviewed, another attempt at fixing the Windows build.
2841         I guess the pragma must be outside the function...
2842
2843         * jit/CCallHelpers.h:
2844         (JSC::CCallHelpers::clampArrayToSize):
2845
2846 2018-03-08  Keith Miller  <keith_miller@apple.com>
2847
2848         Unreviewed, one last try at fixing the windows build before rollout.
2849
2850         * jit/CCallHelpers.h:
2851         (JSC::CCallHelpers::clampArrayToSize):
2852
2853 2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2854
2855         [JSC] Optimize inherits<T> if T is final type
2856         https://bugs.webkit.org/show_bug.cgi?id=183435
2857
2858         Reviewed by Mark Lam.
2859
2860         If the type T is a final type (`std::is_final<T>::value == true`), there are no
2861         classes derived from T. It means that `jsDynamicCast<T>` only needs
2862         to check that the given cell's `classInfo(vm)` is `T::info()`.
2863
2864         This patch adds a new specialization for jsDynamicCast<T> / inherits<T> for a
2865         final type. We also add `final` annotations to JS cell types in JSC. This
2866         offers:
2867
2868         1. Readability. If the given class is annotated with `final`, we do not need to
2869         consider the derived classes of T.
2870
2871         2. Static Checking. If your class is not intended to be used as a base class, attaching
2872         `final` can ensure this invariant.
2873
2874         3. Performance. jsDynamicCast<T> and inherits<T> can be optimized and the code size should
2875         be smaller.
2876
2877         * API/JSCallbackConstructor.h:
2878         (JSC::JSCallbackConstructor::create): Deleted.
2879         (JSC::JSCallbackConstructor::classRef const): Deleted.
2880         (JSC::JSCallbackConstructor::callback const): Deleted.
2881         (JSC::JSCallbackConstructor::createStructure): Deleted.
2882         (JSC::JSCallbackConstructor::constructCallback): Deleted.
2883         * API/JSCallbackFunction.h:
2884         (JSC::JSCallbackFunction::createStructure): Deleted.
2885         (JSC::JSCallbackFunction::functionCallback): Deleted.
2886         * API/JSCallbackObject.h:
2887         (JSC::JSCallbackObject::create): Deleted.
2888         (JSC::JSCallbackObject::destroy): Deleted.
2889         (JSC::JSCallbackObject::classRef const): Deleted.
2890         (JSC::JSCallbackObject::getPrivateProperty const): Deleted.
2891         (JSC::JSCallbackObject::setPrivateProperty): Deleted.
2892         (JSC::JSCallbackObject::deletePrivateProperty): Deleted.
2893         (JSC::JSCallbackObject::visitChildren): Deleted.
2894         * bytecode/CodeBlock.cpp:
2895         (JSC::CodeBlock::setConstantRegisters):
2896         * bytecode/ExecutableToCodeBlockEdge.h:
2897         (JSC::ExecutableToCodeBlockEdge::subspaceFor): Deleted.
2898         (JSC::ExecutableToCodeBlockEdge::codeBlock const): Deleted.
2899         (JSC::ExecutableToCodeBlockEdge::unwrap): Deleted.
2900         * bytecode/FunctionCodeBlock.h:
2901         (JSC::FunctionCodeBlock::subspaceFor): Deleted.
2902         (JSC::FunctionCodeBlock::create): Deleted.
2903         (JSC::FunctionCodeBlock::createStructure): Deleted.
2904         (JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
2905         * debugger/DebuggerScope.h:
2906         (JSC::DebuggerScope::createStructure): Deleted.
2907         (JSC::DebuggerScope::iterator::iterator): Deleted.
2908         (JSC::DebuggerScope::iterator::get): Deleted.
2909         (JSC::DebuggerScope::iterator::operator++): Deleted.
2910         (JSC::DebuggerScope::iterator::operator== const): Deleted.
2911         (JSC::DebuggerScope::iterator::operator!= const): Deleted.
2912         (JSC::DebuggerScope::isValid const): Deleted.
2913         (JSC::DebuggerScope::jsScope const): Deleted.
2914         * inspector/JSInjectedScriptHost.h:
2915         (Inspector::JSInjectedScriptHost::createStructure): Deleted.
2916         (Inspector::JSInjectedScriptHost::create): Deleted.
2917         (Inspector::JSInjectedScriptHost::impl const): Deleted.
2918         * inspector/JSInjectedScriptHostPrototype.h:
2919         (Inspector::JSInjectedScriptHostPrototype::create): Deleted.
2920         (Inspector::JSInjectedScriptHostPrototype::createStructure): Deleted.
2921         (Inspector::JSInjectedScriptHostPrototype::JSInjectedScriptHostPrototype): Deleted.
2922         * inspector/JSJavaScriptCallFrame.h:
2923         (Inspector::JSJavaScriptCallFrame::createStructure): Deleted.
2924         (Inspector::JSJavaScriptCallFrame::create): Deleted.
2925         (Inspector::JSJavaScriptCallFrame::impl const): Deleted.
2926         * inspector/JSJavaScriptCallFramePrototype.h:
2927         (Inspector::JSJavaScriptCallFramePrototype::create): Deleted.
2928         (Inspector::JSJavaScriptCallFramePrototype::createStructure): Deleted.
2929         (Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype): Deleted.
2930         * jit/Repatch.cpp:
2931         (JSC::tryCacheGetByID):
2932         * runtime/ArrayConstructor.h:
2933         (JSC::ArrayConstructor::create): Deleted.
2934         (JSC::ArrayConstructor::createStructure): Deleted.
2935         * runtime/ArrayIteratorPrototype.h:
2936         (JSC::ArrayIteratorPrototype::create): Deleted.
2937         (JSC::ArrayIteratorPrototype::createStructure): Deleted.
2938         (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype): Deleted.
2939         * runtime/ArrayPrototype.h:
2940         (JSC::ArrayPrototype::createStructure): Deleted.
2941         * runtime/AsyncFromSyncIteratorPrototype.h:
2942         (JSC::AsyncFromSyncIteratorPrototype::createStructure): Deleted.
2943         * runtime/AsyncFunctionConstructor.h:
2944         (JSC::AsyncFunctionConstructor::create): Deleted.
2945         (JSC::AsyncFunctionConstructor::createStructure): Deleted.
2946         * runtime/AsyncFunctionPrototype.h:
2947         (JSC::AsyncFunctionPrototype::create): Deleted.
2948         (JSC::AsyncFunctionPrototype::createStructure): Deleted.
2949         * runtime/AsyncGeneratorFunctionConstructor.h:
2950         (JSC::AsyncGeneratorFunctionConstructor::create): Deleted.
2951         (JSC::AsyncGeneratorFunctionConstructor::createStructure): Deleted.
2952         * runtime/AsyncGeneratorFunctionPrototype.h:
2953         (JSC::AsyncGeneratorFunctionPrototype::create): Deleted.
2954         (JSC::AsyncGeneratorFunctionPrototype::createStructure): Deleted.
2955         * runtime/AsyncGeneratorPrototype.h:
2956         (JSC::AsyncGeneratorPrototype::create): Deleted.
2957         (JSC::AsyncGeneratorPrototype::createStructure): Deleted.
2958         (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype): Deleted.
2959         * runtime/AsyncIteratorPrototype.h:
2960         (JSC::AsyncIteratorPrototype::create): Deleted.
2961         (JSC::AsyncIteratorPrototype::createStructure): Deleted.
2962         (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype): Deleted.
2963         * runtime/AtomicsObject.h:
2964         * runtime/BigIntConstructor.h:
2965         (JSC::BigIntConstructor::create): Deleted.
2966         (JSC::BigIntConstructor::createStructure): Deleted.
2967         * runtime/BigIntObject.h:
2968         (JSC::BigIntObject::create): Deleted.
2969         (JSC::BigIntObject::internalValue const): Deleted.
2970         (JSC::BigIntObject::createStructure): Deleted.
2971         * runtime/BigIntPrototype.h:
2972         (JSC::BigIntPrototype::create): Deleted.
2973         (JSC::BigIntPrototype::createStructure): Deleted.
2974         * runtime/BooleanConstructor.h:
2975         (JSC::BooleanConstructor::create): Deleted.
2976         (JSC::BooleanConstructor::createStructure): Deleted.
2977         * runtime/BooleanPrototype.h:
2978         (JSC::BooleanPrototype::create): Deleted.
2979         (JSC::BooleanPrototype::createStructure): Deleted.
2980         * runtime/ConsoleObject.h:
2981         (JSC::ConsoleObject::create): Deleted.
2982         (JSC::ConsoleObject::createStructure): Deleted.
2983         * runtime/DOMAttributeGetterSetter.h:
2984         (JSC::isDOMAttributeGetterSetter): Deleted.
2985         * runtime/DateConstructor.h:
2986         (JSC::DateConstructor::create): Deleted.
2987         (JSC::DateConstructor::createStructure): Deleted.
2988         * runtime/DateInstance.h:
2989         (JSC::DateInstance::create): Deleted.
2990         (JSC::DateInstance::internalNumber const): Deleted.
2991         (JSC::DateInstance::gregorianDateTime const): Deleted.
2992         (JSC::DateInstance::gregorianDateTimeUTC const): Deleted.
2993         (JSC::DateInstance::createStructure): Deleted.
2994         * runtime/DatePrototype.h:
2995         (JSC::DatePrototype::create): Deleted.
2996         (JSC::DatePrototype::createStructure): Deleted.
2997         * runtime/Error.h:
2998         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): Deleted.
2999         (JSC::StrictModeTypeErrorFunction::create): Deleted.
3000         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError): Deleted.
3001         (JSC::StrictModeTypeErrorFunction::callThrowTypeError): Deleted.
3002         (JSC::StrictModeTypeErrorFunction::createStructure): Deleted.
3003         * runtime/ErrorConstructor.h:
3004         (JSC::ErrorConstructor::create): Deleted.
3005         (JSC::ErrorConstructor::createStructure): Deleted.
3006         (JSC::ErrorConstructor::stackTraceLimit const): Deleted.
3007         * runtime/Exception.h:
3008         (JSC::Exception::valueOffset): Deleted.
3009         (JSC::Exception::value const): Deleted.
3010         (JSC::Exception::stack const): Deleted.
3011         (JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
3012         (JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
3013         * runtime/FunctionConstructor.h:
3014         (JSC::FunctionConstructor::create): Deleted.
3015         (JSC::FunctionConstructor::createStructure): Deleted.
3016         * runtime/FunctionPrototype.h:
3017         (JSC::FunctionPrototype::create): Deleted.
3018         (JSC::FunctionPrototype::createStructure): Deleted.
3019         * runtime/FunctionRareData.h:
3020         (JSC::FunctionRareData::offsetOfObjectAllocationProfile): Deleted.
3021         (JSC::FunctionRareData::objectAllocationProfile): Deleted.
3022         (JSC::FunctionRareData::objectAllocationStructure): Deleted.
3023         (JSC::FunctionRareData::allocationProfileWatchpointSet): Deleted.
3024         (JSC::FunctionRareData::isObjectAllocationProfileInitialized): Deleted.
3025         (JSC::FunctionRareData::internalFunctionAllocationStructure): Deleted.
3026         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase): Deleted.
3027         (JSC::FunctionRareData::clearInternalFunctionAllocationProfile): Deleted.
3028         (JSC::FunctionRareData::getBoundFunctionStructure): Deleted.
3029         (JSC::FunctionRareData::setBoundFunctionStructure): Deleted.
3030         (JSC::FunctionRareData::hasReifiedLength const): Deleted.
3031         (JSC::FunctionRareData::setHasReifiedLength): Deleted.
3032         (JSC::FunctionRareData::hasReifiedName const): Deleted.
3033         (JSC::FunctionRareData::setHasReifiedName): Deleted.
3034         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const): Deleted.
3035         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): Deleted.
3036         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint): Deleted.
3037         * runtime/GeneratorFunctionConstructor.h:
3038         (JSC::GeneratorFunctionConstructor::create): Deleted.
3039         (JSC::GeneratorFunctionConstructor::createStructure): Deleted.
3040         * runtime/GeneratorFunctionPrototype.h:
3041         (JSC::GeneratorFunctionPrototype::create): Deleted.
3042         (JSC::GeneratorFunctionPrototype::createStructure): Deleted.
3043         * runtime/GeneratorPrototype.h:
3044         (JSC::GeneratorPrototype::create): Deleted.
3045         (JSC::GeneratorPrototype::createStructure): Deleted.
3046         (JSC::GeneratorPrototype::GeneratorPrototype): Deleted.
3047         * runtime/InferredValue.h:
3048         (JSC::InferredValue::subspaceFor): Deleted.
3049         (JSC::InferredValue::inferredValue): Deleted.
3050         (JSC::InferredValue::state const): Deleted.
3051         (JSC::InferredValue::isStillValid const): Deleted.
3052         (JSC::InferredValue::hasBeenInvalidated const): Deleted.
3053         (JSC::InferredValue::add): Deleted.
3054         (JSC::InferredValue::notifyWrite): Deleted.
3055         (JSC::InferredValue::invalidate): Deleted.
3056         * runtime/InspectorInstrumentationObject.h:
3057         (JSC::InspectorInstrumentationObject::create): Deleted.
3058         (JSC::InspectorInstrumentationObject::createStructure): Deleted.
3059         * runtime/IntlCollator.h:
3060         (JSC::IntlCollator::boundCompare const): Deleted.
3061         * runtime/IntlCollatorConstructor.h:
3062         (JSC::IntlCollatorConstructor::collatorStructure const): Deleted.
3063         * runtime/IntlCollatorPrototype.h:
3064         * runtime/IntlDateTimeFormat.h:
3065         (JSC::IntlDateTimeFormat::boundFormat const): Deleted.
3066         * runtime/IntlDateTimeFormatConstructor.h:
3067         (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure const): Deleted.
3068         * runtime/IntlDateTimeFormatPrototype.h:
3069         * runtime/IntlNumberFormat.h:
3070         (JSC::IntlNumberFormat::boundFormat const): Deleted.
3071         * runtime/IntlNumberFormatConstructor.h:
3072         (JSC::IntlNumberFormatConstructor::numberFormatStructure const): Deleted.
3073         * runtime/IntlNumberFormatPrototype.h:
3074         * runtime/IntlObject.h:
3075         * runtime/IteratorPrototype.h:
3076         (JSC::IteratorPrototype::create): Deleted.
3077         (JSC::IteratorPrototype::createStructure): Deleted.
3078         (JSC::IteratorPrototype::IteratorPrototype): Deleted.
3079         * runtime/JSAPIValueWrapper.h:
3080         (JSC::JSAPIValueWrapper::value const): Deleted.
3081         (JSC::JSAPIValueWrapper::createStructure): Deleted.
3082         (JSC::JSAPIValueWrapper::create): Deleted.
3083         (JSC::JSAPIValueWrapper::finishCreation): Deleted.
3084         (JSC::JSAPIValueWrapper::JSAPIValueWrapper): Deleted.
3085         * runtime/JSArrayBufferConstructor.h:
3086         (JSC::JSArrayBufferConstructor::sharingMode const): Deleted.
3087         * runtime/JSArrayBufferPrototype.h:
3088         * runtime/JSAsyncFunction.h:
3089         (JSC::JSAsyncFunction::subspaceFor): Deleted.
3090         (JSC::JSAsyncFunction::allocationSize): Deleted.
3091         (JSC::JSAsyncFunction::createStructure): Deleted.
3092         * runtime/JSAsyncGeneratorFunction.h:
3093         (JSC::JSAsyncGeneratorFunction::subspaceFor): Deleted.
3094         (JSC::JSAsyncGeneratorFunction::allocationSize): Deleted.
3095         (JSC::JSAsyncGeneratorFunction::createStructure): Deleted.
3096         * runtime/JSBigInt.h:
3097         (JSC::JSBigInt::setSign): Deleted.
3098         (JSC::JSBigInt::sign const): Deleted.
3099         (JSC::JSBigInt::setLength): Deleted.
3100         (JSC::JSBigInt::length const): Deleted.
3101         * runtime/JSBoundFunction.h:
3102         (JSC::JSBoundFunction::subspaceFor): Deleted.
3103         (JSC::JSBoundFunction::targetFunction): Deleted.
3104         (JSC::JSBoundFunction::boundThis): Deleted.
3105         (JSC::JSBoundFunction::boundArgs): Deleted.
3106         (JSC::JSBoundFunction::createStructure): Deleted.
3107         (JSC::JSBoundFunction::offsetOfTargetFunction): Deleted.
3108         (JSC::JSBoundFunction::offsetOfBoundThis): Deleted.
3109         * runtime/JSCast.h:
3110         (JSC::JSCastingHelpers::FinalTypeDispatcher::inheritsGeneric):
3111         (JSC::JSCastingHelpers::inheritsJSTypeImpl):
3112         (JSC::JSCastingHelpers::InheritsTraits::inherits):
3113         (JSC::JSCastingHelpers::inheritsGenericImpl): Deleted.
3114         * runtime/JSCustomGetterSetterFunction.cpp:
3115         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
3116         * runtime/JSCustomGetterSetterFunction.h:
3117         (JSC::JSCustomGetterSetterFunction::subspaceFor): Deleted.
3118         (JSC::JSCustomGetterSetterFunction::createStructure): Deleted.
3119         (JSC::JSCustomGetterSetterFunction::customGetterSetter const): Deleted.
3120         (JSC::JSCustomGetterSetterFunction::isSetter const): Deleted.
3121         (JSC::JSCustomGetterSetterFunction::propertyName const): Deleted.
3122         * runtime/JSDataView.h:
3123         (JSC::JSDataView::possiblySharedBuffer const): Deleted.
3124         (JSC::JSDataView::unsharedBuffer const): Deleted.
3125         * runtime/JSDataViewPrototype.h:
3126         * runtime/JSFixedArray.h:
3127         (JSC::JSFixedArray::createStructure): Deleted.
3128         (JSC::JSFixedArray::tryCreate): Deleted.
3129         (JSC::JSFixedArray::create): Deleted.
3130         (JSC::JSFixedArray::createFromArray): Deleted.
3131         (JSC::JSFixedArray::get const): Deleted.
3132         (JSC::JSFixedArray::set): Deleted.
3133         (JSC::JSFixedArray::buffer): Deleted.
3134         (JSC::JSFixedArray::buffer const): Deleted.
3135         (JSC::JSFixedArray::values const): Deleted.
3136         (JSC::JSFixedArray::size const): Deleted.
3137         (JSC::JSFixedArray::length const): Deleted.
3138         (JSC::JSFixedArray::offsetOfSize): Deleted.
3139         (JSC::JSFixedArray::offsetOfData): Deleted.
3140         (JSC::JSFixedArray::JSFixedArray): Deleted.
3141         (JSC::JSFixedArray::allocationSize): Deleted.
3142         * runtime/JSGeneratorFunction.h:
3143         (JSC::JSGeneratorFunction::subspaceFor): Deleted.
3144         (JSC::JSGeneratorFunction::allocationSize): Deleted.
3145         (JSC::JSGeneratorFunction::createStructure): Deleted.
3146         * runtime/JSGenericTypedArrayView.h:
3147         (JSC::JSGenericTypedArrayView::byteLength const): Deleted.
3148         (JSC::JSGenericTypedArrayView::byteSize const): Deleted.
3149         (JSC::JSGenericTypedArrayView::typedVector const): Deleted.
3150         (JSC::JSGenericTypedArrayView::typedVector): Deleted.
3151         (JSC::JSGenericTypedArrayView::canGetIndexQuickly): Deleted.
3152         (JSC::JSGenericTypedArrayView::canSetIndexQuickly): Deleted.
3153         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue): Deleted.
3154         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble): Deleted.
3155         (JSC::JSGenericTypedArrayView::getIndexQuickly): Deleted.
3156         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue): Deleted.
3157         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble): Deleted.
3158         (JSC::JSGenericTypedArrayView::setIndexQuickly): Deleted.
3159         (JSC::JSGenericTypedArrayView::setIndex): Deleted.
3160         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
3161         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion): Deleted.
3162         (JSC::JSGenericTypedArrayView::sort): Deleted.
3163         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly): Deleted.
3164         (JSC::JSGenericTypedArrayView::createStructure): Deleted.
3165         (JSC::JSGenericTypedArrayView::info): Deleted.
3166         (JSC::JSGenericTypedArrayView::purifyArray): Deleted.
3167         (JSC::JSGenericTypedArrayView::sortComparison): Deleted.
3168         (JSC::JSGenericTypedArrayView::sortFloat): Deleted.
3169         * runtime/JSGenericTypedArrayViewConstructor.h:
3170         * runtime/JSGenericTypedArrayViewPrototype.h:
3171         * runtime/JSInternalPromise.h:
3172         * runtime/JSInternalPromiseConstructor.h:
3173         * runtime/JSInternalPromisePrototype.h:
3174         * runtime/JSMapIterator.h:
3175         (JSC::JSMapIterator::createStructure): Deleted.
3176         (JSC::JSMapIterator::create): Deleted.
3177         (JSC::JSMapIterator::advanceIter): Deleted.
3178         (JSC::JSMapIterator::next): Deleted.
3179         (JSC::JSMapIterator::nextKeyValue): Deleted.
3180         (JSC::JSMapIterator::kind const): Deleted.
3181         (JSC::JSMapIterator::iteratedValue const): Deleted.
3182         (JSC::JSMapIterator::JSMapIterator): Deleted.
3183         (JSC::JSMapIterator::setIterator): Deleted.
3184         * runtime/JSModuleLoader.h:
3185         (JSC::JSModuleLoader::create): Deleted.
3186         (JSC::JSModuleLoader::createStructure): Deleted.
3187         * runtime/JSModuleNamespaceObject.h:
3188         (JSC::isJSModuleNamespaceObject): Deleted.
3189         * runtime/JSModuleRecord.h:
3190         (JSC::JSModuleRecord::sourceCode const): Deleted.
3191         (JSC::JSModuleRecord::declaredVariables const): Deleted.
3192         (JSC::JSModuleRecord::lexicalVariables const): Deleted.
3193         * runtime/JSNativeStdFunction.h:
3194         (JSC::JSNativeStdFunction::subspaceFor): Deleted.
3195         (JSC::JSNativeStdFunction::createStructure): Deleted.
3196         (JSC::JSNativeStdFunction::nativeStdFunctionCell): Deleted.
3197         * runtime/JSONObject.h:
3198         (JSC::JSONObject::create): Deleted.
3199         (JSC::JSONObject::createStructure): Deleted.
3200         * runtime/JSObject.h:
3201         (JSC::JSObject::fillCustomGetterPropertySlot):
3202         * runtime/JSScriptFetchParameters.h:
3203         (JSC::JSScriptFetchParameters::createStructure): Deleted.
3204         (JSC::JSScriptFetchParameters::create): Deleted.
3205         (JSC::JSScriptFetchParameters::parameters const): Deleted.
3206         (JSC::JSScriptFetchParameters::JSScriptFetchParameters): Deleted.
3207         * runtime/JSScriptFetcher.h:
3208         (JSC::JSScriptFetcher::createStructure): Deleted.
3209         (JSC::JSScriptFetcher::create): Deleted.
3210         (JSC::JSScriptFetcher::fetcher const): Deleted.
3211         (JSC::JSScriptFetcher::JSScriptFetcher): Deleted.
3212         * runtime/JSSetIterator.h:
3213         (JSC::JSSetIterator::createStructure): Deleted.
3214         (JSC::JSSetIterator::create): Deleted.
3215         (JSC::JSSetIterator::advanceIter): Deleted.
3216         (JSC::JSSetIterator::next): Deleted.
3217         (JSC::JSSetIterator::kind const): Deleted.
3218         (JSC::JSSetIterator::iteratedValue const): Deleted.
3219         (JSC::JSSetIterator::JSSetIterator): Deleted.
3220         (JSC::JSSetIterator::setIterator): Deleted.
3221         * runtime/JSSourceCode.h:
3222         (JSC::JSSourceCode::createStructure): Deleted.
3223         (JSC::JSSourceCode::create): Deleted.
3224         (JSC::JSSourceCode::sourceCode const): Deleted.
3225         (JSC::JSSourceCode::JSSourceCode): Deleted.
3226         * runtime/JSStringIterator.h:
3227         (JSC::JSStringIterator::createStructure): Deleted.
3228         (JSC::JSStringIterator::create): Deleted.
3229         (JSC::JSStringIterator::JSStringIterator): Deleted.
3230         * runtime/JSTemplateObjectDescriptor.h:
3231         (JSC::isTemplateObjectDescriptor): Deleted.
3232         * runtime/JSTypedArrayViewConstructor.h:
3233         (JSC::JSTypedArrayViewConstructor::create): Deleted.
3234         * runtime/JSTypedArrayViewPrototype.h:
3235         * runtime/MapConstructor.h:
3236         (JSC::MapConstructor::create): Deleted.
3237         (JSC::MapConstructor::createStructure): Deleted.
3238         * runtime/MapIteratorPrototype.h:
3239         (JSC::MapIteratorPrototype::create): Deleted.
3240         (JSC::MapIteratorPrototype::createStructure): Deleted.
3241         (JSC::MapIteratorPrototype::MapIteratorPrototype): Deleted.
3242         * runtime/MapPrototype.h:
3243         (JSC::MapPrototype::create): Deleted.
3244         (JSC::MapPrototype::createStructure): Deleted.
3245         (JSC::MapPrototype::MapPrototype): Deleted.
3246         * runtime/MathObject.h:
3247         (JSC::MathObject::create): Deleted.
3248         (JSC::MathObject::createStructure): Deleted.
3249         * runtime/ModuleLoaderPrototype.h:
3250         (JSC::ModuleLoaderPrototype::create): Deleted.
3251         (JSC::ModuleLoaderPrototype::createStructure): Deleted.
3252         * runtime/NativeErrorConstructor.h:
3253         (JSC::NativeErrorConstructor::create): Deleted.
3254         (JSC::NativeErrorConstructor::createStructure): Deleted.
3255         (JSC::NativeErrorConstructor::errorStructure): Deleted.
3256         * runtime/NativeErrorPrototype.h:
3257         (JSC::NativeErrorPrototype::create): Deleted.
3258         * runtime/NativeStdFunctionCell.h:
3259         (JSC::NativeStdFunctionCell::createStructure): Deleted.
3260         (JSC::NativeStdFunctionCell::function const): Deleted.
3261         * runtime/NullGetterFunction.h:
3262         (JSC::NullGetterFunction::create): Deleted.
3263         (JSC::NullGetterFunction::createStructure): Deleted.
3264         * runtime/NullSetterFunction.h:
3265         (JSC::NullSetterFunction::create): Deleted.
3266         (JSC::NullSetterFunction::createStructure): Deleted.
3267         * runtime/NumberConstructor.h:
3268         (JSC::NumberConstructor::create): Deleted.
3269         (JSC::NumberConstructor::createStructure): Deleted.
3270         (JSC::NumberConstructor::isIntegerImpl): Deleted.
3271         * runtime/NumberPrototype.h:
3272         (JSC::NumberPrototype::create): Deleted.
3273         (JSC::NumberPrototype::createStructure): Deleted.
3274         * runtime/ObjectConstructor.h:
3275         (JSC::ObjectConstructor::create): Deleted.
3276         (JSC::ObjectConstructor::createStructure): Deleted.
3277         * runtime/ObjectPrototype.h:
3278         (JSC::ObjectPrototype::createStructure): Deleted.
3279         * runtime/ProxyConstructor.h:
3280         (JSC::ProxyConstructor::createStructure): Deleted.
3281         * runtime/ProxyRevoke.h:
3282         (JSC::ProxyRevoke::createStructure): Deleted.
3283         (JSC::ProxyRevoke::proxy): Deleted.
3284         (JSC::ProxyRevoke::setProxyToNull): Deleted.
3285         * runtime/ReflectObject.h:
3286         (JSC::ReflectObject::create): Deleted.
3287         (JSC::ReflectObject::createStructure): Deleted.
3288         * runtime/RegExpConstructor.cpp:
3289         (JSC::regExpConstructorDollar):
3290         (JSC::regExpConstructorInput):
3291         (JSC::regExpConstructorMultiline):
3292         (JSC::regExpConstructorLastMatch):
3293         (JSC::regExpConstructorLastParen):
3294         (JSC::regExpConstructorLeftContext):
3295         (JSC::regExpConstructorRightContext):
3296         * runtime/RegExpConstructor.h:
3297         (JSC::RegExpConstructor::create): Deleted.
3298         (JSC::RegExpConstructor::createStructure): Deleted.
3299         (JSC::RegExpConstructor::setMultiline): Deleted.
3300         (JSC::RegExpConstructor::multiline const): Deleted.
3301         (JSC::RegExpConstructor::setInput): Deleted.
3302         (JSC::RegExpConstructor::input): Deleted.
3303         (JSC::RegExpConstructor::offsetOfCachedResult): Deleted.
3304         (JSC::asRegExpConstructor): Deleted.
3305         * runtime/RegExpPrototype.h:
3306         (JSC::RegExpPrototype::create): Deleted.
3307         (JSC::RegExpPrototype::createStructure): Deleted.
3308         (JSC::RegExpPrototype::emptyRegExp const): Deleted.
3309         * runtime/SetConstructor.h:
3310         (JSC::SetConstructor::create): Deleted.
3311         (JSC::SetConstructor::createStructure): Deleted.
3312         * runtime/SetIteratorPrototype.h:
3313         (JSC::SetIteratorPrototype::create): Deleted.
3314         (JSC::SetIteratorPrototype::createStructure): Deleted.
3315         (JSC::SetIteratorPrototype::SetIteratorPrototype): Deleted.
3316         * runtime/SetPrototype.h:
3317         (JSC::SetPrototype::create): Deleted.
3318         (JSC::SetPrototype::createStructure): Deleted.
3319         (JSC::SetPrototype::SetPrototype): Deleted.
3320         * runtime/StringConstructor.h:
3321         (JSC::StringConstructor::create): Deleted.
3322         (JSC::StringConstructor::createStructure): Deleted.
3323         * runtime/StringIteratorPrototype.h:
3324         (JSC::StringIteratorPrototype::create): Deleted.
3325         (JSC::StringIteratorPrototype::createStructure): Deleted.
3326         (JSC::StringIteratorPrototype::StringIteratorPrototype): Deleted.
3327         * runtime/StringPrototype.h:
3328         (JSC::StringPrototype::createStructure): Deleted.
3329         * runtime/SymbolConstructor.h:
3330         (JSC::SymbolConstructor::create): Deleted.
3331         (JSC::SymbolConstructor::createStructure): Deleted.
3332         * runtime/SymbolObject.h:
3333         (JSC::SymbolObject::create): Deleted.
3334         (JSC::SymbolObject::internalValue const): Deleted.
3335         (JSC::SymbolObject::createStructure): Deleted.
3336         * runtime/SymbolPrototype.h:
3337         (JSC::SymbolPrototype::create): Deleted.
3338         (JSC::SymbolPrototype::createStructure): Deleted.
3339         * runtime/WeakMapConstructor.h:
3340         (JSC::WeakMapConstructor::create): Deleted.
3341         (JSC::WeakMapConstructor::createStructure): Deleted.
3342         * runtime/WeakMapPrototype.h:
3343         (JSC::WeakMapPrototype::create): Deleted.
3344         (JSC::WeakMapPrototype::createStructure): Deleted.
3345         (JSC::WeakMapPrototype::WeakMapPrototype): Deleted.
3346         * runtime/WeakSetConstructor.h:
3347         (JSC::WeakSetConstructor::create): Deleted.
3348         (JSC::WeakSetConstructor::createStructure): Deleted.
3349         * runtime/WeakSetPrototype.h:
3350         (JSC::WeakSetPrototype::create): Deleted.
3351         (JSC::WeakSetPrototype::createStructure): Deleted.
3352         (JSC::WeakSetPrototype::WeakSetPrototype): Deleted.
3353         * tools/JSDollarVM.h:
3354         (JSC::JSDollarVM::createStructure): Deleted.
3355         (JSC::JSDollarVM::create): Deleted.
3356         (JSC::JSDollarVM::JSDollarVM): Deleted.
3357         * wasm/js/JSWebAssembly.h:
3358         * wasm/js/JSWebAssemblyCompileError.h:
3359         (JSC::JSWebAssemblyCompileError::create): Deleted.
3360         * wasm/js/JSWebAssemblyInstance.h:
3361         (JSC::JSWebAssemblyInstance::instance): Deleted.
3362         (JSC::JSWebAssemblyInstance::moduleNamespaceObject): Deleted.
3363         (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee): Deleted.
3364         (JSC::JSWebAssemblyInstance::memory): Deleted.
3365         (JSC::JSWebAssemblyInstance::setMemory): Deleted.
3366         (JSC::JSWebAssemblyInstance::memoryMode): Deleted.
3367         (JSC::JSWebAssemblyInstance::table): Deleted.
3368         (JSC::JSWebAssemblyInstance::setTable): Deleted.
3369         (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): Deleted.
3370         (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee): Deleted.
3371         (JSC::JSWebAssemblyInstance::module const): Deleted.
3372         * wasm/js/JSWebAssemblyLinkError.h:
3373         (JSC::JSWebAssemblyLinkError::create): Deleted.
3374         * wasm/js/JSWebAssemblyMemory.h:
3375         (JSC::JSWebAssemblyMemory::subspaceFor): Deleted.
3376         (JSC::JSWebAssemblyMemory::memory): Deleted.
3377         * wasm/js/JSWebAssemblyModule.h:
3378         * wasm/js/JSWebAssemblyRuntimeError.h:
3379         (JSC::JSWebAssemblyRuntimeError::create): Deleted.
3380         * wasm/js/JSWebAssemblyTable.h:
3381         (JSC::JSWebAssemblyTable::isValidLength): Deleted.
3382         (JSC::JSWebAssemblyTable::maximum const): Deleted.
3383         (JSC::JSWebAssemblyTable::length const): Deleted.
3384         (JSC::JSWebAssemblyTable::allocatedLength const): Deleted.
3385         (JSC::JSWebAssemblyTable::table): Deleted.
3386         * wasm/js/WebAssemblyCompileErrorConstructor.h:
3387         * wasm/js/WebAssemblyCompileErrorPrototype.h:
3388         * wasm/js/WebAssemblyInstanceConstructor.h:
3389         * wasm/js/WebAssemblyInstancePrototype.h:
3390         * wasm/js/WebAssemblyLinkErrorConstructor.h:
3391         * wasm/js/WebAssemblyLinkErrorPrototype.h:
3392         * wasm/js/WebAssemblyMemoryConstructor.h:
3393         * wasm/js/WebAssemblyMemoryPrototype.h:
3394         * wasm/js/WebAssemblyModuleConstructor.h:
3395         * wasm/js/WebAssemblyModulePrototype.h:
3396         * wasm/js/WebAssemblyModuleRecord.h:
3397         * wasm/js/WebAssemblyPrototype.h:
3398         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
3399         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
3400         * wasm/js/WebAssemblyTableConstructor.h:
3401         * wasm/js/WebAssemblyTablePrototype.h:
3402
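Added example, not code from this JSC change or from WebKit: a miniature C++ model of the final-type dispatch the entry above describes, showing why a `final` T lets the cast collapse from a chain walk to one pointer comparison while still refusing cells of the wrong type. `ClassInfo`, `Cell`, `inherits<T>`, `dynamicCast<T>` and the `Cell <- Object <- Function <- BoundFunction` hierarchy are assumed stand-ins for JSC's ClassInfo, JSCell, inherits<T> and jsDynamicCast<T>; the comparison counter is added only to make the saving measurable.

```cpp
// Added example (not JavaScriptCore's own code). Names below are simplified
// stand-ins for JSC's ClassInfo / JSCell / inherits<T> / jsDynamicCast<T>.
#include <cstddef>
#include <cstdio>
#include <type_traits>

// Every cell type has one static ClassInfo; parentClass links form the
// inheritance chain that the generic check has to walk.
struct ClassInfo {
    const char* className;
    const ClassInfo* parentClass;
};

struct Cell {
    explicit Cell(const ClassInfo* info) : m_classInfo(info) { }
    virtual ~Cell() = default;
    const ClassInfo* classInfo() const { return m_classInfo; }
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
private:
    const ClassInfo* m_classInfo;
};
const ClassInfo Cell::s_info = { "Cell", nullptr };

// Cell <- Object <- Function <- BoundFunction (final). Each constructor
// defaults to its own ClassInfo but lets a subclass pass a more derived one.
struct Object : Cell {
    explicit Object(const ClassInfo* info = &s_info) : Cell(info) { }
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
};
const ClassInfo Object::s_info = { "Object", Cell::info() };

struct Function : Object {
    explicit Function(const ClassInfo* info = &s_info) : Object(info) { }
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
};
const ClassInfo Function::s_info = { "Function", Object::info() };

struct BoundFunction final : Function {
    BoundFunction() : Function(&s_info) { }
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
};
const ClassInfo BoundFunction::s_info = { "BoundFunction", Function::info() };

// Counts ClassInfo pointer comparisons so the two paths can be compared.
static std::size_t g_classInfoComparisons = 0;

// Generic path: T may have subclasses, so walk the parentClass chain until
// T::info() is found or the chain ends.
template<typename T>
bool inheritsImpl(const Cell* cell, std::false_type /* isFinal */)
{
    for (const ClassInfo* info = cell->classInfo(); info; info = info->parentClass) {
        ++g_classInfoComparisons;
        if (info == T::info())
            return true;
    }
    return false;
}

// Final path: nothing can derive from T, so a cell is a T exactly when its
// ClassInfo is T's own. One comparison, no loop. The compiler rejects any
// later attempt to subclass T, which is what keeps this shortcut sound.
template<typename T>
bool inheritsImpl(const Cell* cell, std::true_type /* isFinal */)
{
    ++g_classInfoComparisons;
    return cell->classInfo() == T::info();
}

// Selects the path at compile time from std::is_final<T>.
template<typename T>
bool inherits(const Cell* cell)
{
    return inheritsImpl<T>(cell, std::integral_constant<bool, std::is_final<T>::value>());
}

// Stand-in for jsDynamicCast<T>: the type check gates the pointer cast, so a
// cell that is not a T is never reinterpreted as one.
template<typename T>
T* dynamicCast(Cell* cell)
{
    return inherits<T>(cell) ? static_cast<T*>(cell) : nullptr;
}

// Returns how many ClassInfo comparisons inherits<T>(cell) needed.
template<typename T>
std::size_t comparisonsFor(const Cell* cell)
{
    g_classInfoComparisons = 0;
    inherits<T>(cell);
    return g_classInfoComparisons;
}

int main()
{
    BoundFunction bound;
    Function plain;
    std::printf("inherits<Cell>(BoundFunction): %zu comparisons\n", comparisonsFor<Cell>(&bound));
    std::printf("inherits<BoundFunction>(BoundFunction): %zu comparison(s)\n", comparisonsFor<BoundFunction>(&bound));
    std::printf("dynamicCast<BoundFunction>(Function): %s\n", dynamicCast<BoundFunction>(&plain) ? "non-null" : "null");
    return 0;
}
```

Removing `final` from `BoundFunction` switches it back to the chain walk automatically, so the optimization can never be applied to a type that later grows a subclass.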
3403 2018-03-07  Filip Pizlo  <fpizlo@apple.com>
3404
3405         Make it possible to randomize register allocation
3406