Use WordLock instead of std::mutex for Threading
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use WordLock instead of std::mutex for Threading
        https://bugs.webkit.org/show_bug.cgi?id=185121

        Reviewed by Geoffrey Garen.

        ThreadGroup starts using WordLock.

        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::getLock):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        B3 should run tail duplication at the bitter end
        https://bugs.webkit.org/show_bug.cgi?id=185123

        Reviewed by Geoffrey Garen.

        Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
        everywhere else.

        The goal of this change is to allow us to run path specialization after switch lowering but
        before tail duplication.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * runtime/Options.h:

2018-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231137.
        https://bugs.webkit.org/show_bug.cgi?id=185118

        It is breaking Test262 language/expressions/multiplication
        /order-of-evaluation.js (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231137

2018-04-28  Saam Barati  <sbarati@apple.com>

        We don't model regexp effects properly
        https://bugs.webkit.org/show_bug.cgi?id=185059
        <rdar://problem/39736150>

        Reviewed by Filip Pizlo.

        RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
        the regexp is global.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

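The effect described in the entry above, shown as an added, constructed example in plain JavaScript (this is not JSC code and not part of the patch). A global regexp's `exec` converts `lastIndex` with ToNumber before matching, so a user-supplied `valueOf` runs in the middle of the call and can change unrelated state. An optimizer that treated `exec` as side-effect-free could carry a stale view of that state across the call, which is why the DFG must model the operation as clobbering. The names `runLastIndexHook`, `shared` and `events` are this example's own.

```javascript
'use strict';

// Constructed demonstration: a global RegExp consults lastIndex on exec,
// and converting it to a number can run arbitrary user code.
function runLastIndexHook() {
  const events = [];
  const shared = [10, 20, 30];        // state the hook mutates mid-exec

  const re = /b/g;                     // global: lastIndex is consulted
  re.lastIndex = {
    valueOf() {
      events.push('valueOf');
      shared.length = 0;               // arbitrary effect inside exec
      return 0;                        // resume matching at index 0
    },
  };

  const lengthBefore = shared.length;  // 3, before the call
  const match = re.exec('abc');        // hook fires here, then 'b' matches

  return {
    hookCalls: events.length,          // 1: valueOf ran exactly once
    lengthBefore,                      // 3
    lengthAfter: shared.length,        // 0: mutated while exec was running
    matchIndex: match ? match.index : -1,  // 1
    lastIndexAfter: re.lastIndex,      // 2: the engine wrote a number back
  };
}
```

Any value read from the heap before `exec` (here `shared.length`) may be stale afterwards; a JIT that assumed otherwise would constant-fold or hoist loads across a call that can change them.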
2018-04-28  Rick Waldron  <waldron.rick@gmail.com>

        Token misspelled "tocken" in error message string
        https://bugs.webkit.org/show_bug.cgi?id=185030

        Reviewed by Saam Barati.

        * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
        (JSC::Parser<LexerType>::parseObjectRestElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseBreakStatement):
        (JSC::Parser<LexerType>::parseContinueStatement):
        (JSC::Parser<LexerType>::parseThrowStatement):
        (JSC::Parser<LexerType>::parseWithStatement):
        (JSC::Parser<LexerType>::parseSwitchStatement):
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseTryStatement):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseExpressionStatement):
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseConditionalExpression):
        (JSC::Parser<LexerType>::parseBinaryExpression):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseArrayLiteral):
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::operatorString):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):

2018-04-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned where there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231131.
        https://bugs.webkit.org/show_bug.cgi?id=185112

        It is breaking Debug build due to unchecked exception
        (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231131

2018-04-27  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned where there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-27  JF Bastien  <jfbastien@apple.com>

        Make the first 64 bits of JSString look like a double JSValue
        https://bugs.webkit.org/show_bug.cgi?id=185081

        Reviewed by Filip Pizlo.

        We can be clever about how we lay out JSString so that, were it
        reinterpreted as a JSValue, it would look like a double.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and16):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andw_mr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        * runtime/JSString.h:
        (JSC::JSString::JSString):

2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
        https://bugs.webkit.org/show_bug.cgi?id=185055

        Reviewed by JF Bastien.

        This patch is paving the way to emitting the jscvt instruction if possible.
        To do that, we need to determine whether the jscvt instruction is supported
        by the given CPU.

        We add a function collectCPUFeatures, which is responsible for collecting
        CPU features if necessary. On Linux, we can use the auxiliary vector to get
        the information without parsing /proc/cpuinfo.

        Currently, nobody calls this function. It is later called when we emit
        the jscvt instruction. To make that possible, we also need to add disassembler
        support.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerX86Common.h:

2018-04-26  Filip Pizlo  <fpizlo@apple.com>

        Also run foldPathConstants before mussing up SSA
        https://bugs.webkit.org/show_bug.cgi?id=185069

        Reviewed by Saam Barati.

        This isn't needed now, but will be once I implement the phase in bug 185060.

        This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
        Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
        be landed separately and measured separately from that phase.

        It's probably nice for sanity to have this and reduceStrength run before tail duplication and
        another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
        it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
        neutral. It all depends on what programs typically look like.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):

2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231086.

        Caused JSC test failures due to an unchecked exception.

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231086

2018-04-26  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned where there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Speculative build fix for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Not reviewed.

        * runtime/JSCPtrTag.h:

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Windows build fix.

        Not reviewed.

        * runtime/Options.cpp:

2018-04-26  Jer Noble  <jer.noble@apple.com>

        WK_COCOA_TOUCH all the things.
        https://bugs.webkit.org/show_bug.cgi?id=185006
        <rdar://problem/39736025>

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:

2018-04-26  Per Arne Vollan  <pvollan@apple.com>

        Disable content filtering in minimal simulator mode
        https://bugs.webkit.org/show_bug.cgi?id=185027
        <rdar://problem/39736091>

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Intl.PluralRules
        https://bugs.webkit.org/show_bug.cgi?id=184312

        Reviewed by JF Bastien.

        Use UNumberFormat to enforce formatting, and then UPluralRules to find
        the correct plural rule for the given number. Relies on ICU v59+ for
        resolvedOptions().pluralCategories and trailing 0 detection.
        Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.h:
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
        * runtime/BigIntObject.h:
        * runtime/CommonIdentifiers.h:
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp: Added.
        (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
        (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
        (JSC::UEnumerationDeleter::operator() const):
        (JSC::IntlPluralRules::create):
        (JSC::IntlPluralRules::createStructure):
        (JSC::IntlPluralRules::IntlPluralRules):
        (JSC::IntlPluralRules::finishCreation):
        (JSC::IntlPluralRules::destroy):
        (JSC::IntlPluralRules::visitChildren):
        (JSC::IntlPRInternal::localeData):
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h: Added.
        * runtime/IntlPluralRulesConstructor.cpp: Added.
        (JSC::IntlPluralRulesConstructor::create):
        (JSC::IntlPluralRulesConstructor::createStructure):
        (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
        (JSC::IntlPluralRulesConstructor::finishCreation):
        (JSC::constructIntlPluralRules):
        (JSC::callIntlPluralRules):
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        (JSC::IntlPluralRulesConstructor::visitChildren):
        * runtime/IntlPluralRulesConstructor.h: Added.
        * runtime/IntlPluralRulesPrototype.cpp: Added.
        (JSC::IntlPluralRulesPrototype::create):
        (JSC::IntlPluralRulesPrototype::createStructure):
        (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
        (JSC::IntlPluralRulesPrototype::finishCreation):
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/IntlPluralRulesPrototype.h: Added.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/RegExpPrototype.cpp: Added inlines header.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

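The two-step behaviour the entry above describes (format the number first, then select the CLDR category for the formatted value) is observable from script. The following is an added example written against the standard `Intl.PluralRules` and `Intl.NumberFormat` APIs; it is not code from the patch, and the helper names `pluralCategory`, `supportedCategories` and `pluralize` are this example's own. The trailing-zero case is the one that makes the formatting step matter: in English, 1 is "one" but "1.0" is "other".

```javascript
'use strict';

// Category for a number under the given locale and formatting options.
// The options (e.g. minimumFractionDigits) are applied before selection,
// which is why they can change the result for the same numeric value.
function pluralCategory(locale, n, options = {}) {
  return new Intl.PluralRules(locale, options).select(n);
}

// Categories the locale's data actually uses, sorted for a stable order
// (resolvedOptions().pluralCategories is what the entry relies on ICU for).
function supportedCategories(locale, type = 'cardinal') {
  return new Intl.PluralRules(locale, { type })
    .resolvedOptions()
    .pluralCategories.slice()
    .sort();
}

// Pick a message form by category, falling back to "other" when the
// caller supplied no form for the selected category, and render the
// number with the same options so text and category agree.
function pluralize(locale, n, forms, options = {}) {
  const category = pluralCategory(locale, n, options);
  const form = forms[category] !== undefined ? forms[category] : forms.other;
  return form.replace('{n}', new Intl.NumberFormat(locale, options).format(n));
}
```

Usage: `pluralize('en', 1, { one: '{n} file', other: '{n} files' })` yields "1 file", while the same call with `{ minimumFractionDigits: 1 }` yields "1.0 files", because the category is chosen for the formatted string "1.0" rather than for the number 1.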
2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Fix branch offsets in branchNeg32
        https://bugs.webkit.org/show_bug.cgi?id=185025

        Reviewed by Yusuke Suzuki.

        Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchNeg32):

2018-04-25  Robin Morisset  <rmorisset@apple.com>

        In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
        https://bugs.webkit.org/show_bug.cgi?id=184773
        <rdar://problem/37773612>

        Reviewed by Filip Pizlo.

        We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
        arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
        This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
        We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
        This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):

2018-04-25  Mark Lam  <mark.lam@apple.com>

        Push the definition of PtrTag down to the WTF layer.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerCodeRef.cpp:
        * assembler/MacroAssemblerCodeRef.h:
        * b3/B3MathExtras.cpp:
        * bytecode/LLIntCallLinkInfo.h:
        * disassembler/Disassembler.h:
        * ftl/FTLJITCode.cpp:
        * interpreter/InterpreterInlines.h:
        * jit/ExecutableAllocator.h:
        * jit/JITOperations.cpp:
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntPCRanges.h:
        * runtime/JSCPtrTag.h: Added.
        * runtime/NativeFunction.h:
        * runtime/PtrTag.h: Removed.
        * runtime/VMTraps.cpp:

2018-04-25  Keith Miller  <keith_miller@apple.com>

        getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
        https://bugs.webkit.org/show_bug.cgi?id=184998

        Reviewed by Saam Barati.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-04-25  Keith Miller  <keith_miller@apple.com>

        Add missing scope release to functionProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=184995

        Reviewed by Saam Barati.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
        https://bugs.webkit.org/show_bug.cgi?id=184730

        Reviewed by Mark Lam.

        Add swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM).
        And we now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.

        We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with the
        ARMv7 implementation.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (JSC::MacroAssemblerARM::and32):
        (JSC::MacroAssemblerARM::lshift32):
        (JSC::MacroAssemblerARM::mul32):
        (JSC::MacroAssemblerARM::or32):
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::xor32):
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::abortWithReason):
        (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::push):
        (JSC::MacroAssemblerARM::swap):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branchPtr):
        (JSC::MacroAssemblerARM::branch32):
        (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARM::branchTest8):
        (JSC::MacroAssemblerARM::branchTest32):
        (JSC::MacroAssemblerARM::jump):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::mull32):
        (JSC::MacroAssemblerARM::branchMul32):
        (JSC::MacroAssemblerARM::patchableBranch32):
        (JSC::MacroAssemblerARM::nearCall):
        (JSC::MacroAssemblerARM::compare32):
        (JSC::MacroAssemblerARM::compare8):
        (JSC::MacroAssemblerARM::test32):
        (JSC::MacroAssemblerARM::test8):
        (JSC::MacroAssemblerARM::add64):
        (JSC::MacroAssemblerARM::load32):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::branch32WithPatch):
        (JSC::MacroAssemblerARM::storePtrWithPatch):
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        (JSC::MacroAssemblerARM::addDouble):
        (JSC::MacroAssemblerARM::divDouble):
        (JSC::MacroAssemblerARM::subDouble):
        (JSC::MacroAssemblerARM::mulDouble):
        (JSC::MacroAssemblerARM::convertInt32ToDouble):
        (JSC::MacroAssemblerARM::branchDouble):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToUint32):
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM::branchDoubleNonZero):
        (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARM::call32):
        (JSC::MacroAssemblerARM::internalCompare32):

2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>

        [WinCairo] Fix js/regexp-unicode.html crash.
        https://bugs.webkit.org/show_bug.cgi?id=184891

        Reviewed by Yusuke Suzuki.

        On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
        RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        Unconditionally save and restore RDI on 64-bit Windows.

2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>

        [GTK] Miscellaneous build cleanups
        https://bugs.webkit.org/show_bug.cgi?id=184399

        Reviewed by Žan Doberšek.

        * PlatformGTK.cmake:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        fromCharCode is missing some exception checks
        https://bugs.webkit.org/show_bug.cgi?id=184952

        Reviewed by Saam Barati.

        I also removed the pointless slow path function and moved it into the
        main function.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromCharCodeSlowCase): Deleted.

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
        https://bugs.webkit.org/show_bug.cgi?id=184923

        Reviewed by Saam Barati.

        If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
        (i.e. we know that the object has one of those structures), then previously we would still emit a
        switch with a case per structure along with a default case. That would mean one extra redundant
        branch to check that whatever structure we wound up with belongs to the set. In that case, we
        were already making the default case be an Oops.

        One possible solution would be to say that the default case being Oops means that B3 doesn't need
        to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
        be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
        seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
        trap.

        So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
        extra branch.

        This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
        it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
        read.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should know how to decay a MultiGetByOffset
        https://bugs.webkit.org/show_bug.cgi?id=159859

        Reviewed by Keith Miller.

        This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
        clobberize() can report a def() for MultiGetByOffset.

        This is a slight improvement to codegen in splay because splay is a heavy user of
        MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
        "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
        removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
        splay's time.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::remove):
        (JSC::DFG::Node::removeWithoutChecks):
        (JSC::DFG::Node::replaceWith):
        (JSC::DFG::Node::replaceWithWithoutChecks):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::replaceWith): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        Update API docs with information on which run loop the VM will use
        https://bugs.webkit.org/show_bug.cgi?id=184900
        <rdar://problem/39166054>

        Reviewed by Mark Lam.

        * API/JSContextRef.h:
        * API/JSVirtualMachine.h:

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        $vm.totalGCTime() should be a thing
        https://bugs.webkit.org/show_bug.cgi?id=184916

        Reviewed by Sam Weinig.

        When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
        time spent in GC to determine if the regression is because the GC got slower.

        This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.

        * heap/Heap.cpp:
        (JSC::Heap::runEndPhase):
        * heap/Heap.h:
        (JSC::Heap::totalGCTime const):
        * tools/JSDollarVM.cpp:
        (JSC::functionTotalGCTime):
        (JSC::JSDollarVM::finishCreation):

2018-04-23  Zalan Bujtas  <zalan@apple.com>

        [LayoutFormattingContext] Initial commit.
        https://bugs.webkit.org/show_bug.cgi?id=184896

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2018-04-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert accidental change to verbose flag.

        * dfg/DFGByteCodeParser.cpp:

2018-04-23  Filip Pizlo  <fpizlo@apple.com>

        Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.

        Rubber stamped by Saam Barati.

        This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
        anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
        Seems sensible to just roll it out.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parse):

733 2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
734
735         [JSC] Remove ModuleLoaderPrototype
736         https://bugs.webkit.org/show_bug.cgi?id=184784
737
738         Reviewed by Mark Lam.
739
740         When we introduced ModuleLoaderPrototype, ModuleLoader could be created by users and exposed to users.
741         However, the loader spec is abandoned. So we do not need to have ModuleLoaderPrototype and JSModuleLoader.
742         This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
743
744         * CMakeLists.txt:
745         * DerivedSources.make:
746         * JavaScriptCore.xcodeproj/project.pbxproj:
747         * Sources.txt:
748         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
749         * runtime/JSGlobalObject.cpp:
750         (JSC::JSGlobalObject::init):
751         (JSC::JSGlobalObject::visitChildren):
752         * runtime/JSGlobalObject.h:
753         (JSC::JSGlobalObject::proxyRevokeStructure const):
754         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
755         * runtime/JSModuleLoader.cpp:
756         (JSC::moduleLoaderParseModule):
757         (JSC::moduleLoaderRequestedModules):
758         (JSC::moduleLoaderModuleDeclarationInstantiation):
759         (JSC::moduleLoaderResolve):
760         (JSC::moduleLoaderResolveSync):
761         (JSC::moduleLoaderFetch):
762         (JSC::moduleLoaderGetModuleNamespaceObject):
763         (JSC::moduleLoaderEvaluate):
764         * runtime/JSModuleLoader.h:
765         * runtime/ModuleLoaderPrototype.cpp: Removed.
766         * runtime/ModuleLoaderPrototype.h: Removed.
767
768 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
769
770         [GLIB] All API tests fail in debug builds
771         https://bugs.webkit.org/show_bug.cgi?id=184813
772
773         Reviewed by Mark Lam.
774
775         This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
776         JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.
777
778         * API/glib/JSCContext.cpp:
779         (JSCContextExceptionHandler::JSCContextExceptionHandler):
780         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
781         (jscContextConstructed):
782         (ExceptionHandler::ExceptionHandler): Deleted.
783         (ExceptionHandler::~ExceptionHandler): Deleted.
784
785 2018-04-20  Tim Horton  <timothy_horton@apple.com>
786
787         Adjust geolocation feature flag
788         https://bugs.webkit.org/show_bug.cgi?id=184856
789
790         Reviewed by Wenson Hsieh.
791
792         * Configurations/FeatureDefines.xcconfig:
793
794 2018-04-20  Brian Burg  <bburg@apple.com>
795
796         Web Inspector: remove some dead code in IdentifiersFactory
797         https://bugs.webkit.org/show_bug.cgi?id=184839
798
799         Reviewed by Timothy Hatcher.
800
801         This was never used on non-Chrome ports, so the identifier always has a
802         prefix of '0.'. We may change this in the future, but for now remove this.
803         Using a PID for this purpose is problematic anyway.
804
805         * inspector/IdentifiersFactory.cpp:
806         (Inspector::addPrefixToIdentifier):
807         (Inspector::IdentifiersFactory::createIdentifier):
808         (Inspector::IdentifiersFactory::requestId):
809         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
810         * inspector/IdentifiersFactory.h:
811
812 2018-04-20  Mark Lam  <mark.lam@apple.com>
813
814         Add the ability to use a hash for setting PtrTag enum values.
815         https://bugs.webkit.org/show_bug.cgi?id=184852
816         <rdar://problem/39613891>
817
818         Reviewed by Saam Barati.
819
820         * runtime/PtrTag.h:
821
822 2018-04-20  Mark Lam  <mark.lam@apple.com>
823
824         Some JSEntryPtrTags should actually be JSInternalPtrTags.
825         https://bugs.webkit.org/show_bug.cgi?id=184712
826         <rdar://problem/39507381>
827
828         Reviewed by Michael Saboff.
829
830         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
831         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
832            only when needed.
833
834         * bytecode/AccessCase.cpp:
835         (JSC::AccessCase::generateImpl):
836         * bytecode/ByValInfo.h:
837         (JSC::ByValInfo::ByValInfo):
838         * bytecode/CallLinkInfo.cpp:
839         (JSC::CallLinkInfo::callReturnLocation):
840         (JSC::CallLinkInfo::patchableJump):
841         (JSC::CallLinkInfo::hotPathBegin):
842         (JSC::CallLinkInfo::slowPathStart):
843         * bytecode/CallLinkInfo.h:
844         (JSC::CallLinkInfo::setCallLocations):
845         (JSC::CallLinkInfo::hotPathOther):
846         * bytecode/PolymorphicAccess.cpp:
847         (JSC::PolymorphicAccess::regenerate):
848         * bytecode/StructureStubInfo.h:
849         (JSC::StructureStubInfo::doneLocation):
850         * dfg/DFGJITCompiler.cpp:
851         (JSC::DFG::JITCompiler::link):
852         * dfg/DFGOSRExit.cpp:
853         (JSC::DFG::reifyInlinedCallFrames):
854         * ftl/FTLLazySlowPath.cpp:
855         (JSC::FTL::LazySlowPath::initialize):
856         * ftl/FTLLazySlowPath.h:
857         (JSC::FTL::LazySlowPath::done const):
858         * ftl/FTLLowerDFGToB3.cpp:
859         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
860         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
861         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
862         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
863         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
864         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
865         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
866         * jit/JIT.cpp:
867         (JSC::JIT::link):
868         * jit/JITExceptions.cpp:
869         (JSC::genericUnwind):
870         * jit/JITMathIC.h:
871         (JSC::isProfileEmpty):
872         * llint/LLIntData.cpp:
873         (JSC::LLInt::initialize):
874         * llint/LLIntData.h:
875         (JSC::LLInt::getCodePtr):
876         (JSC::LLInt::getExecutableAddress): Deleted.
877         * llint/LLIntExceptions.cpp:
878         (JSC::LLInt::callToThrow):
879         * llint/LLIntSlowPaths.cpp:
880         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
881         * wasm/js/WasmToJS.cpp:
882         (JSC::Wasm::wasmToJS):
883
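The entry above, and the "Templatize CodePtr/Refs/FunctionPtrs with PtrTags" entry further down this page, turn the pointer tag into part of the C++ type. The following is an added illustration of that idea, not JavaScriptCore's PtrTag or MacroAssemblerCodePtr code: the tag names are borrowed from the ChangeLog, but their numeric values, the XOR-into-high-bits scheme, the `reinterpretBits` helper and the `fakeCodeRegion` buffer are all assumptions standing in for the real (PAC or JSC) mechanism, which this toy does not reproduce.

```cpp
// Added illustration, not JavaScriptCore's PtrTag/MacroAssemblerCodePtr code.
// Tag names come from the ChangeLog; their values and the reversible XOR
// tagging scheme are assumptions (real schemes use a keyed MAC, e.g. PAC).
#include <cassert>
#include <cstdint>

enum PtrTag : uint32_t {
    NoPtrTag = 0,
    JSEntryPtrTag = 0xA5C3,     // assumed value
    JSInternalPtrTag = 0x5A3C,  // assumed value
    BytecodePtrTag = 0x7E11,    // assumed value
};

// Mix the tag into the top 16 bits of the pointer (assumption: those bits are
// free on the target).
constexpr unsigned kTagShift = sizeof(uintptr_t) * 8 - 16;
constexpr uintptr_t tagBits(PtrTag tag) { return static_cast<uintptr_t>(tag) << kTagShift; }

// The tag is a template parameter, so CodePtr<JSEntryPtrTag> and
// CodePtr<JSInternalPtrTag> are distinct types and cannot be mixed silently.
template<PtrTag tag>
class CodePtr {
public:
    CodePtr() = default;

    // Apply this type's tag to a raw address on the way in.
    static CodePtr fromUntagged(void* p)
    {
        CodePtr result;
        result.m_bits = reinterpret_cast<uintptr_t>(p) ^ tagBits(tag);
        return result;
    }

    // Strip this type's tag on the way out. Only meaningful if the bits really
    // carry `tag`; under any other tag the result is a garbage address.
    void* untagged() const { return reinterpret_cast<void*>(m_bits ^ tagBits(tag)); }
    uintptr_t bits() const { return m_bits; }

    // The sanctioned way to move a pointer between tags: untag, then retag.
    template<PtrTag newTag>
    CodePtr<newTag> retagged() const { return CodePtr<newTag>::fromUntagged(untagged()); }

    // Copies the stored bits under another tag without retagging. This models
    // the bug the entry above fixes: a pointer tagged for one purpose consumed
    // as if it carried a different tag.
    template<PtrTag otherTag>
    static CodePtr<otherTag> reinterpretBits(const CodePtr& p)
    {
        CodePtr<otherTag> result;
        result.m_bits = p.m_bits;
        return result;
    }

private:
    template<PtrTag> friend class CodePtr;
    uintptr_t m_bits = 0;
};

// A data buffer stands in for a region of JIT-compiled code (constructed input).
static unsigned char fakeCodeRegion[16];

// Consumers declare the tag they expect; handing this a CodePtr<JSEntryPtrTag>
// is a compile error rather than a run-time surprise.
void* dispatchInternal(CodePtr<JSInternalPtrTag> p) { return p.untagged(); }

bool roundTripWithMatchingTag()
{
    void* raw = fakeCodeRegion;
    auto p = CodePtr<JSEntryPtrTag>::fromUntagged(raw);
    return p.untagged() == raw && p.bits() != reinterpret_cast<uintptr_t>(raw);
}

bool wrongTagDoesNotRecoverAddress()
{
    void* raw = fakeCodeRegion;
    auto entry = CodePtr<JSEntryPtrTag>::fromUntagged(raw);
    auto misread = CodePtr<JSEntryPtrTag>::reinterpretBits<JSInternalPtrTag>(entry);
    return misread.untagged() != raw;
}

bool explicitRetagRecoversAddress()
{
    void* raw = fakeCodeRegion;
    auto entry = CodePtr<JSEntryPtrTag>::fromUntagged(raw);
    auto internal = entry.retagged<JSInternalPtrTag>();
    return dispatchInternal(internal) == raw && internal.bits() != entry.bits();
}

int main()
{
    assert(roundTripWithMatchingTag());
    assert(wrongTagDoesNotRecoverAddress());
    assert(explicitRetagRecoversAddress());
    return 0;
}
```

The point of the template parameter is the compile-time half of the check: `dispatchInternal(entry)` does not build, so a JSEntryPtrTag pointer can only reach an internal consumer through an explicit `retagged<JSInternalPtrTag>()`. The run-time half, that bits read under the wrong tag are useless, is what a keyed scheme like PAC enforces; the XOR here merely makes that outcome visible.
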
884 2018-04-18  Jer Noble  <jer.noble@apple.com>
885
886         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
887         https://bugs.webkit.org/show_bug.cgi?id=184762
888
889         Reviewed by Dan Bernstein.
890
891         * Configurations/Base.xcconfig:
892         * JavaScriptCore.xcodeproj/project.pbxproj:
893
894 2018-04-20  Daniel Bates  <dabates@apple.com>
895
896         Remove code for compilers that did not support NSDMI for aggregates
897         https://bugs.webkit.org/show_bug.cgi?id=184599
898
899         Reviewed by Per Arne Vollan.
900
901         Remove workaround for earlier Visual Studio versions that did not support non-static data
902         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
903         and EWS bots to a newer version that supports this feature.
904
905         * domjit/DOMJITEffect.h:
906         (JSC::DOMJIT::Effect::Effect): Deleted.
907         * runtime/HasOwnPropertyCache.h:
908         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
909         * wasm/WasmFormat.h:
910         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
911
912 2018-04-20  Mark Lam  <mark.lam@apple.com>
913
914         Build fix for internal builds after r230826.
915         https://bugs.webkit.org/show_bug.cgi?id=184790
916         <rdar://problem/39301369>
917
918         Not reviewed.
919
920         * runtime/Options.cpp:
921         (JSC::overrideDefaults):
922         * tools/SigillCrashAnalyzer.cpp:
923         (JSC::SignalContext::dump):
924
925 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
926
927         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
928         https://bugs.webkit.org/show_bug.cgi?id=184254
929         <rdar://problem/39140200>
930
931         Reviewed by Daniel Bates.
932
933         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
934
935         * runtime/ArrayBuffer.h:
936         (JSC::ArrayBufferContents::ArrayBufferContents):
937
938 2018-04-19  Mark Lam  <mark.lam@apple.com>
939
940         Apply pointer profiling to Signal pointers.
941         https://bugs.webkit.org/show_bug.cgi?id=184790
942         <rdar://problem/39301369>
943
944         Reviewed by Michael Saboff.
945
946         1. Change stackPointer, framePointer, and instructionPointer accessors to
947            be a pair of getter/setter functions.
948         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
949            pointer profiling variants of these accessors.
950         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
951
952         * JavaScriptCorePrefix.h:
953         * runtime/MachineContext.h:
954         (JSC::MachineContext::stackPointerImpl):
955         (JSC::MachineContext::stackPointer):
956         (JSC::MachineContext::setStackPointer):
957         (JSC::MachineContext::framePointerImpl):
958         (JSC::MachineContext::framePointer):
959         (JSC::MachineContext::setFramePointer):
960         (JSC::MachineContext::instructionPointerImpl):
961         (JSC::MachineContext::instructionPointer):
962         (JSC::MachineContext::setInstructionPointer):
963         (JSC::MachineContext::linkRegisterImpl):
964         (JSC::MachineContext::linkRegister):
965         (JSC::MachineContext::setLinkRegister):
966         * runtime/SamplingProfiler.cpp:
967         (JSC::SamplingProfiler::takeSample):
968         * runtime/VMTraps.cpp:
969         (JSC::SignalContext::SignalContext):
970         (JSC::VMTraps::tryInstallTrapBreakpoints):
971         * tools/CodeProfiling.cpp:
972         (JSC::profilingTimer):
973         * tools/SigillCrashAnalyzer.cpp:
974         (JSC::SignalContext::dump):
975         (JSC::installCrashHandler):
976         (JSC::SigillCrashAnalyzer::analyze):
977         * wasm/WasmFaultSignalHandler.cpp:
978         (JSC::Wasm::trapHandler):
979
980 2018-04-19  David Kilzer  <ddkilzer@apple.com>
981
982         Enable Objective-C weak references
983         <https://webkit.org/b/184789>
984         <rdar://problem/39571716>
985
986         Reviewed by Dan Bernstein.
987
988         * Configurations/Base.xcconfig:
989         (CLANG_ENABLE_OBJC_WEAK): Enable.
990         * Configurations/ToolExecutable.xcconfig:
991         (CLANG_ENABLE_OBJC_ARC): Simplify.
992
993 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
994
995         The InternalFunction hierarchy should be in IsoSubspaces
996         https://bugs.webkit.org/show_bug.cgi?id=184721
997
998         Reviewed by Saam Barati.
999         
1000         This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
1001         but subclasses that are the same size as InternalFunction share its subspace. I did this
1002         because the subclasses appear to just override methods, which are called dynamically via the
1003         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
1004         allocate one kind of InternalFunction over another.
1005
1006         * API/JSBase.h:
1007         * API/JSCallbackFunction.h:
1008         * API/ObjCCallbackFunction.h:
1009         (JSC::ObjCCallbackFunction::subspaceFor):
1010         * CMakeLists.txt:
1011         * JavaScriptCore.xcodeproj/project.pbxproj:
1012         * Sources.txt:
1013         * heap/IsoSubspacePerVM.cpp: Added.
1014         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
1015         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
1016         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
1017         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
1018         (JSC::IsoSubspacePerVM::forVM):
1019         * heap/IsoSubspacePerVM.h: Added.
1020         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
1021         * runtime/Error.h:
1022         * runtime/ErrorConstructor.h:
1023         * runtime/InternalFunction.h:
1024         (JSC::InternalFunction::subspaceFor):
1025         * runtime/IntlCollatorConstructor.h:
1026         * runtime/IntlDateTimeFormatConstructor.h:
1027         * runtime/IntlNumberFormatConstructor.h:
1028         * runtime/JSArrayBufferConstructor.h:
1029         * runtime/NativeErrorConstructor.h:
1030         * runtime/ProxyRevoke.h:
1031         * runtime/RegExpConstructor.h:
1032         * runtime/VM.cpp:
1033         (JSC::VM::VM):
1034         * runtime/VM.h:
1035
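The InternalFunction entry above reasons about whether a use-after-free could allocate one object type over another. The following is an added illustration of why a per-type heap blunts that kind of type confusion; it is not JavaScriptCore's IsoSubspace implementation, and the two allocators and the `Callback`/`Counter` types are made up for the demonstration.

```cpp
// Added illustration of per-type heap isolation; not JavaScriptCore's
// IsoSubspace code. Allocators and object types here are hypothetical.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// A conventional size-class allocator: every object of this byte size shares
// one free list, so a freed cell may be handed out to an object of another type.
class SizeClassAllocator {
public:
    explicit SizeClassAllocator(size_t cellSize) : m_cellSize(cellSize) { }

    void* allocate()
    {
        if (!m_freeList.empty()) {
            void* cell = m_freeList.back();
            m_freeList.pop_back();
            return cell;
        }
        m_cells.push_back(std::unique_ptr<unsigned char[]>(new unsigned char[m_cellSize]));
        return m_cells.back().get();
    }

    void deallocate(void* cell) { m_freeList.push_back(cell); }

private:
    size_t m_cellSize;
    std::vector<std::unique_ptr<unsigned char[]>> m_cells; // backing storage, never returned
    std::vector<void*> m_freeList;
};

// Per-type isolation: each T owns a private allocator even when sizes match,
// so a cell freed as one type can only ever come back as that same type.
template<typename T>
class IsoAllocator {
public:
    static IsoAllocator& shared()
    {
        static IsoAllocator instance;
        return instance;
    }
    T* allocate() { return static_cast<T*>(m_allocator.allocate()); }
    void deallocate(T* object) { m_allocator.deallocate(object); }

private:
    IsoAllocator() : m_allocator(sizeof(T)) { }
    SizeClassAllocator m_allocator;
};

struct Callback { void (*function)(); };  // holds a code pointer
struct Counter { uintptr_t value; };      // same size, attacker-controlled integer
static_assert(sizeof(Callback) == sizeof(Counter), "the two types must share a size class");

// Shared size class: the cell freed as a Callback is reused for a Counter, so a
// dangling Callback* now reads an attacker-chosen integer as a function pointer.
bool sharedSizeClassReusesCellAcrossTypes()
{
    SizeClassAllocator sizeClass(sizeof(Callback));
    Callback* callback = static_cast<Callback*>(sizeClass.allocate());
    sizeClass.deallocate(callback); // callback now dangles
    Counter* counter = static_cast<Counter*>(sizeClass.allocate());
    return static_cast<void*>(counter) == static_cast<void*>(callback);
}

// Isolated heaps: the Counter cannot land in the Callback's old cell.
bool isoHeapReusesCellAcrossTypes()
{
    Callback* callback = IsoAllocator<Callback>::shared().allocate();
    IsoAllocator<Callback>::shared().deallocate(callback);
    Counter* counter = IsoAllocator<Counter>::shared().allocate();
    bool sameCell = static_cast<void*>(counter) == static_cast<void*>(callback);
    IsoAllocator<Counter>::shared().deallocate(counter);
    return sameCell;
}

// Isolation does not cost reuse within a type: a freed Callback cell is
// recycled for the next Callback.
bool isoHeapReusesCellWithinType()
{
    Callback* first = IsoAllocator<Callback>::shared().allocate();
    IsoAllocator<Callback>::shared().deallocate(first);
    Callback* second = IsoAllocator<Callback>::shared().allocate();
    bool sameCell = second == first;
    IsoAllocator<Callback>::shared().deallocate(second);
    return sameCell;
}

int main()
{
    assert(sharedSizeClassReusesCellAcrossTypes());
    assert(!isoHeapReusesCellAcrossTypes());
    assert(isoHeapReusesCellWithinType());
    return 0;
}
```

This toy isolates every type, which is the strict end of the trade-off. The entry above deliberately lets same-size InternalFunction subclasses share one subspace, on the argument that those subclasses only differ in methods dispatched through the object's structure or class, so swapping one for another through a dangling pointer does not change how any field is interpreted. Whether that argument holds is exactly what a reviewer should check when a new subclass adds a field.
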
1036 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1037
1038         Unreviewed, fix jsc shell
1039         https://bugs.webkit.org/show_bug.cgi?id=184600
1040
1041         WebAssembly module loading does not finish with drainMicrotasks().
1042         So JSNativeStdFunction's capturing variables become invalid.
1043         This patch fixes this issue.
1044
1045         * jsc.cpp:
1046         (functionDollarAgentStart):
1047         (runWithOptions):
1048         (runJSC):
1049         (jscmain):
1050
1051 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
1052
1053         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
1054         https://bugs.webkit.org/show_bug.cgi?id=184725
1055
1056         Reviewed by Mark Lam.
1057
1058         * jit/JIT.h:
1059
1060 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1061
1062         [WebAssembly][Modules] Import tables in wasm modules
1063         https://bugs.webkit.org/show_bug.cgi?id=184738
1064
1065         Reviewed by JF Bastien.
1066
1067         This patch simply allows wasm modules to import tables from wasm modules / js re-exporting.
1068         Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
1069         just works.
1070
1071         * wasm/js/JSWebAssemblyInstance.cpp:
1072         (JSC::JSWebAssemblyInstance::create):
1073         * wasm/js/WebAssemblyModuleRecord.cpp:
1074         (JSC::WebAssemblyModuleRecord::link):
1075
1076 2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>
1077
1078         [ARM] Fix build error and crash after PtrTag change
1079         https://bugs.webkit.org/show_bug.cgi?id=184732
1080
1081         Reviewed by Mark Lam.
1082
1083         Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
1084         MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
1085         twice with ARM-Thumb2.
1086
1087         * assembler/MacroAssemblerCodeRef.h:
1088         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1089         * jit/JITPropertyAccess32_64.cpp:
1090         (JSC::JIT::emitSlow_op_put_by_val):
1091         * jit/Repatch.cpp:
1092         (JSC::linkPolymorphicCall):
1093
1094 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1095
1096         [WebAssembly][Modules] Import globals from wasm modules
1097         https://bugs.webkit.org/show_bug.cgi?id=184736
1098
1099         Reviewed by JF Bastien.
1100
1101         This patch implements a feature importing globals to/from wasm modules.
1102         Since we are not supporting mutable globals now, we can just copy the
1103         global data when importing. Currently we do not support importing/exporting
1104         i64 globals. This will be supported once (1) mutable global bindings are
1105         specified and (2) BigInt based i64 importing/exporting is specified.
1106
1107         * wasm/js/JSWebAssemblyInstance.cpp:
1108         (JSC::JSWebAssemblyInstance::create):
1109         * wasm/js/WebAssemblyModuleRecord.cpp:
1110         (JSC::WebAssemblyModuleRecord::link):
1111
1112 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1113
1114         Unreviewed, fix build on ARM
1115
1116         * assembler/MacroAssemblerARM.h:
1117         (JSC::MacroAssemblerARM::readCallTarget):
1118
1119 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1120
1121         Unreviewed, fix build with GCC
1122
1123         * assembler/LinkBuffer.h:
1124         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1125
1126 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1127
1128         Unreviewed, reland r230697, r230720, and r230724.
1129         https://bugs.webkit.org/show_bug.cgi?id=184600
1130
1131         With CatchScope check.
1132
1133         * JavaScriptCore.xcodeproj/project.pbxproj:
1134         * builtins/ModuleLoaderPrototype.js:
1135         (globalPrivate.newRegistryEntry):
1136         (requestInstantiate):
1137         (link):
1138         * jsc.cpp:
1139         (convertShebangToJSComment):
1140         (fillBufferWithContentsOfFile):
1141         (fetchModuleFromLocalFileSystem):
1142         (GlobalObject::moduleLoaderFetch):
1143         (functionDollarAgentStart):
1144         (checkException):
1145         (runWithOptions):
1146         * parser/NodesAnalyzeModule.cpp:
1147         (JSC::ImportDeclarationNode::analyzeModule):
1148         * parser/SourceProvider.h:
1149         (JSC::WebAssemblySourceProvider::create):
1150         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1151         * runtime/AbstractModuleRecord.cpp:
1152         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1153         (JSC::AbstractModuleRecord::resolveImport):
1154         (JSC::AbstractModuleRecord::link):
1155         (JSC::AbstractModuleRecord::evaluate):
1156         (JSC::identifierToJSValue): Deleted.
1157         * runtime/AbstractModuleRecord.h:
1158         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
1159         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
1160         * runtime/JSModuleEnvironment.cpp:
1161         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1162         * runtime/JSModuleLoader.cpp:
1163         (JSC::JSModuleLoader::evaluate):
1164         * runtime/JSModuleRecord.cpp:
1165         (JSC::JSModuleRecord::link):
1166         (JSC::JSModuleRecord::instantiateDeclarations):
1167         * runtime/JSModuleRecord.h:
1168         * runtime/ModuleLoaderPrototype.cpp:
1169         (JSC::moduleLoaderPrototypeParseModule):
1170         (JSC::moduleLoaderPrototypeRequestedModules):
1171         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1172         * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
1173         * wasm/js/JSWebAssemblyHelpers.h:
1174         (JSC::getWasmBufferFromValue):
1175         (JSC::createSourceBufferFromValue):
1176         * wasm/js/JSWebAssemblyInstance.cpp:
1177         (JSC::JSWebAssemblyInstance::finalizeCreation):
1178         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
1179         (JSC::JSWebAssemblyInstance::create):
1180         * wasm/js/JSWebAssemblyInstance.h:
1181         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1182         (JSC::constructJSWebAssemblyInstance):
1183         * wasm/js/WebAssemblyModuleRecord.cpp:
1184         (JSC::WebAssemblyModuleRecord::prepareLink):
1185         (JSC::WebAssemblyModuleRecord::link):
1186         * wasm/js/WebAssemblyModuleRecord.h:
1187         * wasm/js/WebAssemblyPrototype.cpp:
1188         (JSC::resolve):
1189         (JSC::instantiate):
1190         (JSC::compileAndInstantiate):
1191         (JSC::WebAssemblyPrototype::instantiate):
1192         (JSC::webAssemblyInstantiateFunc):
1193         (JSC::webAssemblyValidateFunc):
1194         * wasm/js/WebAssemblyPrototype.h:
1195
1196 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
1197
1198         [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
1199         https://bugs.webkit.org/show_bug.cgi?id=184687
1200
1201         Reviewed by Michael Catanzaro.
1202
1203         Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
1204         JSClassDefinition. This is required to implement dynamic properties that can't be added with
1205         jsc_class_add_property(), for example to implement something like the imports object in seed/gjs.
1206
1207         * API/glib/JSCClass.cpp:
1208         (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
1209         can throw exceptions.
1210         (VTableExceptionHandler::~VTableExceptionHandler):
1211         (getProperty): Iterate the class chain to call get_property function.
1212         (setProperty): Iterate the class chain to call set_property function.
1213         (hasProperty): Iterate the class chain to call has_property function.
1214         (deleteProperty): Iterate the class chain to call delete_property function.
1215         (getPropertyNames): Iterate the class chain to call enumerate_properties function.
1216         (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
1217         jscClassCreate now.
1218         (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
1219         * API/glib/JSCClass.h:
1220         * API/glib/JSCClassPrivate.h:
1221         * API/glib/JSCContext.cpp:
1222         (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
1223         (jsc_context_register_class): Add JSCClassVTable parameter.
1224         * API/glib/JSCContext.h:
1225         * API/glib/JSCContextPrivate.h:
1226         * API/glib/JSCWrapperMap.cpp:
1227         (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
1228         * API/glib/JSCWrapperMap.h:
1229         * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
1230
1231 2018-04-17  Mark Lam  <mark.lam@apple.com>
1232
1233         Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
1234         https://bugs.webkit.org/show_bug.cgi?id=184702
1235         <rdar://problem/35391681>
1236
1237         Reviewed by Filip Pizlo and Saam Barati.
1238
1239         1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
1240            to take a PtrTag template argument.
1241         2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
1242
1243         * assembler/AbstractMacroAssembler.h:
1244         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
1245         (JSC::AbstractMacroAssembler::linkJump):
1246         (JSC::AbstractMacroAssembler::linkPointer):
1247         (JSC::AbstractMacroAssembler::getLinkerAddress):
1248         (JSC::AbstractMacroAssembler::repatchJump):
1249         (JSC::AbstractMacroAssembler::repatchJumpToNop):
1250         (JSC::AbstractMacroAssembler::repatchNearCall):
1251         (JSC::AbstractMacroAssembler::repatchCompact):
1252         (JSC::AbstractMacroAssembler::repatchInt32):
1253         (JSC::AbstractMacroAssembler::repatchPointer):
1254         (JSC::AbstractMacroAssembler::readPointer):
1255         (JSC::AbstractMacroAssembler::replaceWithLoad):
1256         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
1257         * assembler/CodeLocation.h:
1258         (JSC::CodeLocationCommon:: const):
1259         (JSC::CodeLocationCommon::CodeLocationCommon):
1260         (JSC::CodeLocationInstruction::CodeLocationInstruction):
1261         (JSC::CodeLocationLabel::CodeLocationLabel):
1262         (JSC::CodeLocationLabel::retagged):
1263         (JSC::CodeLocationLabel:: const):
1264         (JSC::CodeLocationJump::CodeLocationJump):
1265         (JSC::CodeLocationJump::retagged):
1266         (JSC::CodeLocationCall::CodeLocationCall):
1267         (JSC::CodeLocationCall::retagged):
1268         (JSC::CodeLocationNearCall::CodeLocationNearCall):
1269         (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
1270         (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
1271         (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
1272         (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
1273         (JSC::CodeLocationCommon<tag>::instructionAtOffset):
1274         (JSC::CodeLocationCommon<tag>::labelAtOffset):
1275         (JSC::CodeLocationCommon<tag>::jumpAtOffset):
1276         (JSC::CodeLocationCommon<tag>::callAtOffset):
1277         (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
1278         (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
1279         (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
1280         (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
1281         (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
1282         (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
1283         (JSC::CodeLocationCommon::labelAtOffset): Deleted.
1284         (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
1285         (JSC::CodeLocationCommon::callAtOffset): Deleted.
1286         (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
1287         (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
1288         (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
1289         (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
1290         (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
1291         * assembler/LinkBuffer.cpp:
1292         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
1293         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
1294         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
1295         (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
1296         * assembler/LinkBuffer.h:
1297         (JSC::LinkBuffer::link):
1298         (JSC::LinkBuffer::patch):
1299         (JSC::LinkBuffer::entrypoint):
1300         (JSC::LinkBuffer::locationOf):
1301         (JSC::LinkBuffer::locationOfNearCall):
1302         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1303         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1304         (JSC::LinkBuffer::trampolineAt):
1305         * assembler/MacroAssemblerARM.h:
1306         (JSC::MacroAssemblerARM::readCallTarget):
1307         (JSC::MacroAssemblerARM::replaceWithJump):
1308         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
1309         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
1310         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
1311         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
1312         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
1313         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
1314         (JSC::MacroAssemblerARM::repatchCall):
1315         (JSC::MacroAssemblerARM::linkCall):
1316         * assembler/MacroAssemblerARM64.h:
1317         (JSC::MacroAssemblerARM64::readCallTarget):
1318         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
1319         (JSC::MacroAssemblerARM64::replaceWithJump):
1320         (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
1321         (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
1322         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
1323         (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
1324         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1325         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
1326         (JSC::MacroAssemblerARM64::repatchCall):
1327         (JSC::MacroAssemblerARM64::linkCall):
1328         * assembler/MacroAssemblerARMv7.h:
1329         (JSC::MacroAssemblerARMv7::replaceWithJump):
1330         (JSC::MacroAssemblerARMv7::readCallTarget):
1331         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
1332         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
1333         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
1334         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
1335         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
1336         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
1337         (JSC::MacroAssemblerARMv7::repatchCall):
1338         (JSC::MacroAssemblerARMv7::linkCall):
1339         * assembler/MacroAssemblerCodeRef.cpp:
1340         (JSC::MacroAssemblerCodePtrBase::dumpWithName):
1341         (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
1342         (JSC::MacroAssemblerCodeRefBase::disassembly):
1343         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
1344         (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
1345         (JSC::MacroAssemblerCodePtr::dump const): Deleted.
1346         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
1347         (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
1348         (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
1349         (JSC::MacroAssemblerCodeRef::dump const): Deleted.
1350         * assembler/MacroAssemblerCodeRef.h:
1351         (JSC::FunctionPtr::FunctionPtr):
1352         (JSC::FunctionPtr::retagged const):
1353         (JSC::FunctionPtr::retaggedExecutableAddress const):
1354         (JSC::FunctionPtr::operator== const):
1355         (JSC::FunctionPtr::operator!= const):
1356         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1357         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1358         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1359         (JSC::MacroAssemblerCodePtr::retagged const):
1360         (JSC::MacroAssemblerCodePtr:: const):
1361         (JSC::MacroAssemblerCodePtr::dumpWithName const):
1362         (JSC::MacroAssemblerCodePtr::dump const):
1363         (JSC::MacroAssemblerCodePtrHash::hash):
1364         (JSC::MacroAssemblerCodePtrHash::equal):
1365         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1366         (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
1367         (JSC::MacroAssemblerCodeRef::code const):
1368         (JSC::MacroAssemblerCodeRef::retaggedCode const):
1369         (JSC::MacroAssemblerCodeRef::retagged const):
1370         (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
1371         (JSC::MacroAssemblerCodeRef::disassembly const):
1372         (JSC::MacroAssemblerCodeRef::dump const):
1373         (JSC::FunctionPtr<tag>::FunctionPtr):
1374         * assembler/MacroAssemblerMIPS.h:
1375         (JSC::MacroAssemblerMIPS::readCallTarget):
1376         (JSC::MacroAssemblerMIPS::replaceWithJump):
1377         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
1378         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
1379         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
1380         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
1381         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
1382         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
1383         (JSC::MacroAssemblerMIPS::repatchCall):
1384         (JSC::MacroAssemblerMIPS::linkCall):
1385         * assembler/MacroAssemblerX86.h:
1386         (JSC::MacroAssemblerX86::readCallTarget):
1387         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
1388         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
1389         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
1390         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
1391         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
1392         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
1393         (JSC::MacroAssemblerX86::repatchCall):
1394         (JSC::MacroAssemblerX86::linkCall):
1395         * assembler/MacroAssemblerX86Common.h:
1396         (JSC::MacroAssemblerX86Common::repatchCompact):
1397         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
1398         (JSC::MacroAssemblerX86Common::replaceWithJump):
1399         * assembler/MacroAssemblerX86_64.h:
1400         (JSC::MacroAssemblerX86_64::readCallTarget):
1401         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
1402         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
1403         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
1404         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
1405         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1406         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
1407         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
1408         (JSC::MacroAssemblerX86_64::repatchCall):
1409         (JSC::MacroAssemblerX86_64::linkCall):
1410         * assembler/testmasm.cpp:
1411         (JSC::compile):
1412         (JSC::invoke):
1413         (JSC::testProbeModifiesProgramCounter):
1414         * b3/B3Compilation.cpp:
1415         (JSC::B3::Compilation::Compilation):
1416         * b3/B3Compilation.h:
1417         (JSC::B3::Compilation::code const):
1418         (JSC::B3::Compilation::codeRef const):
1419         * b3/B3Compile.cpp:
1420         (JSC::B3::compile):
1421         * b3/B3LowerMacros.cpp:
1422         * b3/air/AirDisassembler.cpp:
1423         (JSC::B3::Air::Disassembler::dump):
1424         * b3/air/testair.cpp:
1425         * b3/testb3.cpp:
1426         (JSC::B3::invoke):
1427         (JSC::B3::testInterpreter):
1428         (JSC::B3::testEntrySwitchSimple):
1429         (JSC::B3::testEntrySwitchNoEntrySwitch):
1430         (JSC::B3::testEntrySwitchWithCommonPaths):
1431         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
1432         (JSC::B3::testEntrySwitchLoop):
1433         * bytecode/AccessCase.cpp:
1434         (JSC::AccessCase::generateImpl):
1435         * bytecode/AccessCaseSnippetParams.cpp:
1436         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1437         * bytecode/ByValInfo.h:
1438         (JSC::ByValInfo::ByValInfo):
1439         * bytecode/CallLinkInfo.cpp:
1440         (JSC::CallLinkInfo::callReturnLocation):
1441         (JSC::CallLinkInfo::patchableJump):
1442         (JSC::CallLinkInfo::hotPathBegin):
1443         (JSC::CallLinkInfo::slowPathStart):
1444         * bytecode/CallLinkInfo.h:
1445         (JSC::CallLinkInfo::setCallLocations):
1446         (JSC::CallLinkInfo::hotPathOther):
1447         * bytecode/CodeBlock.cpp:
1448         (JSC::CodeBlock::finishCreation):
1449         * bytecode/GetByIdStatus.cpp:
1450         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1451         * bytecode/GetByIdVariant.cpp:
1452         (JSC::GetByIdVariant::GetByIdVariant):
1453         (JSC::GetByIdVariant::dumpInContext const):
1454         * bytecode/GetByIdVariant.h:
1455         (JSC::GetByIdVariant::customAccessorGetter const):
1456         * bytecode/GetterSetterAccessCase.cpp:
1457         (JSC::GetterSetterAccessCase::create):
1458         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1459         (JSC::GetterSetterAccessCase::dumpImpl const):
1460         * bytecode/GetterSetterAccessCase.h:
1461         (JSC::GetterSetterAccessCase::customAccessor const):
1462         (): Deleted.
1463         * bytecode/HandlerInfo.h:
1464         (JSC::HandlerInfo::initialize):
1465         * bytecode/InlineAccess.cpp:
1466         (JSC::linkCodeInline):
1467         (JSC::InlineAccess::rewireStubAsJump):
1468         * bytecode/InlineAccess.h:
1469         * bytecode/JumpTable.h:
1470         (JSC::StringJumpTable::ctiForValue):
1471         (JSC::SimpleJumpTable::ctiForValue):
1472         * bytecode/LLIntCallLinkInfo.h:
1473         (JSC::LLIntCallLinkInfo::unlink):
1474         * bytecode/PolymorphicAccess.cpp:
1475         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1476         (JSC::PolymorphicAccess::regenerate):
1477         * bytecode/PolymorphicAccess.h:
1478         (JSC::AccessGenerationResult::AccessGenerationResult):
1479         (JSC::AccessGenerationResult::code const):
1480         * bytecode/StructureStubInfo.h:
1481         (JSC::StructureStubInfo::slowPathCallLocation):
1482         (JSC::StructureStubInfo::doneLocation):
1483         (JSC::StructureStubInfo::slowPathStartLocation):
1484         (JSC::StructureStubInfo::patchableJumpForIn):
1485         * dfg/DFGCommonData.h:
1486         (JSC::DFG::CommonData::appendCatchEntrypoint):
1487         * dfg/DFGDisassembler.cpp:
1488         (JSC::DFG::Disassembler::dumpDisassembly):
1489         * dfg/DFGDriver.h:
1490         * dfg/DFGJITCompiler.cpp:
1491         (JSC::DFG::JITCompiler::linkOSRExits):
1492         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1493         (JSC::DFG::JITCompiler::link):
1494         (JSC::DFG::JITCompiler::compileFunction):
1495         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1496         * dfg/DFGJITCompiler.h:
1497         (JSC::DFG::CallLinkRecord::CallLinkRecord):
1498         (JSC::DFG::JITCompiler::appendCall):
1499         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
1500         (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
1501         (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
1502         * dfg/DFGJITFinalizer.cpp:
1503         (JSC::DFG::JITFinalizer::JITFinalizer):
1504         (JSC::DFG::JITFinalizer::finalize):
1505         (JSC::DFG::JITFinalizer::finalizeFunction):
1506         * dfg/DFGJITFinalizer.h:
1507         * dfg/DFGJumpReplacement.h:
1508         (JSC::DFG::JumpReplacement::JumpReplacement):
1509         * dfg/DFGNode.h:
1510         * dfg/DFGOSREntry.cpp:
1511         (JSC::DFG::prepareOSREntry):
1512         (JSC::DFG::prepareCatchOSREntry):
1513         * dfg/DFGOSREntry.h:
1514         (JSC::DFG::prepareOSREntry):
1515         * dfg/DFGOSRExit.cpp:
1516         (JSC::DFG::OSRExit::executeOSRExit):
1517         (JSC::DFG::reifyInlinedCallFrames):
1518         (JSC::DFG::adjustAndJumpToTarget):
1519         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1520         (JSC::DFG::OSRExit::emitRestoreArguments):
1521         (JSC::DFG::OSRExit::compileOSRExit):
1522         * dfg/DFGOSRExit.h:
1523         * dfg/DFGOSRExitCompilerCommon.cpp:
1524         (JSC::DFG::handleExitCounts):
1525         (JSC::DFG::reifyInlinedCallFrames):
1526         (JSC::DFG::osrWriteBarrier):
1527         (JSC::DFG::adjustAndJumpToTarget):
1528         * dfg/DFGOperations.cpp:
1529         * dfg/DFGSlowPathGenerator.h:
1530         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
1531         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
1532         (JSC::DFG::slowPathCall):
1533         * dfg/DFGSpeculativeJIT.cpp:
1534         (JSC::DFG::SpeculativeJIT::compileMathIC):
1535         (JSC::DFG::SpeculativeJIT::compileCallDOM):
1536         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1537         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1538         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1539         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1540         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1541         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1542         (JSC::DFG::SpeculativeJIT::cachedPutById):
1543         * dfg/DFGSpeculativeJIT.h:
1544         (JSC::DFG::SpeculativeJIT::callOperation):
1545         (JSC::DFG::SpeculativeJIT::appendCall):
1546         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1547         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1548         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1549         * dfg/DFGSpeculativeJIT64.cpp:
1550         (JSC::DFG::SpeculativeJIT::cachedGetById):
1551         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1552         (JSC::DFG::SpeculativeJIT::compile):
1553         * dfg/DFGThunks.cpp:
1554         (JSC::DFG::osrExitThunkGenerator):
1555         (JSC::DFG::osrExitGenerationThunkGenerator):
1556         (JSC::DFG::osrEntryThunkGenerator):
1557         * dfg/DFGThunks.h:
1558         * disassembler/ARM64Disassembler.cpp:
1559         (JSC::tryToDisassemble):
1560         * disassembler/ARMv7Disassembler.cpp:
1561         (JSC::tryToDisassemble):
1562         * disassembler/Disassembler.cpp:
1563         (JSC::disassemble):
1564         (JSC::disassembleAsynchronously):
1565         * disassembler/Disassembler.h:
1566         (JSC::tryToDisassemble):
1567         * disassembler/UDis86Disassembler.cpp:
1568         (JSC::tryToDisassembleWithUDis86):
1569         * disassembler/UDis86Disassembler.h:
1570         (JSC::tryToDisassembleWithUDis86):
1571         * disassembler/X86Disassembler.cpp:
1572         (JSC::tryToDisassemble):
1573         * ftl/FTLCompile.cpp:
1574         (JSC::FTL::compile):
1575         * ftl/FTLExceptionTarget.cpp:
1576         (JSC::FTL::ExceptionTarget::label):
1577         (JSC::FTL::ExceptionTarget::jumps):
1578         * ftl/FTLExceptionTarget.h:
1579         * ftl/FTLGeneratedFunction.h:
1580         * ftl/FTLJITCode.cpp:
1581         (JSC::FTL::JITCode::initializeB3Code):
1582         (JSC::FTL::JITCode::initializeAddressForCall):
1583         (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
1584         (JSC::FTL::JITCode::addressForCall):
1585         (JSC::FTL::JITCode::executableAddressAtOffset):
1586         * ftl/FTLJITCode.h:
1587         (JSC::FTL::JITCode::b3Code const):
1588         * ftl/FTLJITFinalizer.cpp:
1589         (JSC::FTL::JITFinalizer::finalizeCommon):
1590         * ftl/FTLLazySlowPath.cpp:
1591         (JSC::FTL::LazySlowPath::initialize):
1592         (JSC::FTL::LazySlowPath::generate):
1593         * ftl/FTLLazySlowPath.h:
1594         (JSC::FTL::LazySlowPath::patchableJump const):
1595         (JSC::FTL::LazySlowPath::done const):
1596         (JSC::FTL::LazySlowPath::stub const):
1597         * ftl/FTLLazySlowPathCall.h:
1598         (JSC::FTL::createLazyCallGenerator):
1599         * ftl/FTLLink.cpp:
1600         (JSC::FTL::link):
1601         * ftl/FTLLowerDFGToB3.cpp:
1602         (JSC::FTL::DFG::LowerDFGToB3::lower):
1603         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1604         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1605         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1606         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1607         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1608         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1609         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
1610         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1611         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1612         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
1613         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1614         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1615         * ftl/FTLOSRExit.cpp:
1616         (JSC::FTL::OSRExit::codeLocationForRepatch const):
1617         * ftl/FTLOSRExit.h:
1618         * ftl/FTLOSRExitCompiler.cpp:
1619         (JSC::FTL::compileStub):
1620         (JSC::FTL::compileFTLOSRExit):
1621         * ftl/FTLOSRExitHandle.cpp:
1622         (JSC::FTL::OSRExitHandle::emitExitThunk):
1623         * ftl/FTLOperations.cpp:
1624         (JSC::FTL::compileFTLLazySlowPath):
1625         * ftl/FTLPatchpointExceptionHandle.cpp:
1626         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
1627         * ftl/FTLSlowPathCall.cpp:
1628         (JSC::FTL::SlowPathCallContext::keyWithTarget const):
1629         (JSC::FTL::SlowPathCallContext::makeCall):
1630         * ftl/FTLSlowPathCall.h:
1631         (JSC::FTL::callOperation):
1632         * ftl/FTLSlowPathCallKey.cpp:
1633         (JSC::FTL::SlowPathCallKey::dump const):
1634         * ftl/FTLSlowPathCallKey.h:
1635         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1636         (JSC::FTL::SlowPathCallKey::callTarget const):
1637         (JSC::FTL::SlowPathCallKey::withCallTarget):
1638         (JSC::FTL::SlowPathCallKey::hash const):
1639         (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
1640         * ftl/FTLState.cpp:
1641         (JSC::FTL::State::State):
1642         * ftl/FTLThunks.cpp:
1643         (JSC::FTL::genericGenerationThunkGenerator):
1644         (JSC::FTL::osrExitGenerationThunkGenerator):
1645         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1646         (JSC::FTL::slowPathCallThunkGenerator):
1647         * ftl/FTLThunks.h:
1648         (JSC::FTL::generateIfNecessary):
1649         (JSC::FTL::keyForThunk):
1650         (JSC::FTL::Thunks::getSlowPathCallThunk):
1651         (JSC::FTL::Thunks::keyForSlowPathCallThunk):
1652         * interpreter/InterpreterInlines.h:
1653         (JSC::Interpreter::getOpcodeID):
1654         * jit/AssemblyHelpers.cpp:
1655         (JSC::AssemblyHelpers::callExceptionFuzz):
1656         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1657         (JSC::AssemblyHelpers::debugCall):
1658         * jit/CCallHelpers.cpp:
1659         (JSC::CCallHelpers::ensureShadowChickenPacket):
1660         * jit/ExecutableAllocator.cpp:
1661         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1662         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1663         * jit/ExecutableAllocator.h:
1664         (JSC::performJITMemcpy):
1665         * jit/GCAwareJITStubRoutine.cpp:
1666         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
1667         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
1668         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
1669         (JSC::createJITStubRoutine):
1670         * jit/GCAwareJITStubRoutine.h:
1671         (JSC::createJITStubRoutine):
1672         * jit/JIT.cpp:
1673         (JSC::ctiPatchCallByReturnAddress):
1674         (JSC::JIT::compileWithoutLinking):
1675         (JSC::JIT::link):
1676         (JSC::JIT::privateCompileExceptionHandlers):
1677         * jit/JIT.h:
1678         (JSC::CallRecord::CallRecord):
1679         * jit/JITArithmetic.cpp:
1680         (JSC::JIT::emitMathICFast):
1681         (JSC::JIT::emitMathICSlow):
1682         * jit/JITCall.cpp:
1683         (JSC::JIT::compileOpCallSlowCase):
1684         * jit/JITCall32_64.cpp:
1685         (JSC::JIT::compileOpCallSlowCase):
1686         * jit/JITCode.cpp:
1687         (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
1688         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1689         (JSC::DirectJITCode::DirectJITCode):
1690         (JSC::DirectJITCode::initializeCodeRef):
1691         (JSC::DirectJITCode::addressForCall):
1692         (JSC::NativeJITCode::NativeJITCode):
1693         (JSC::NativeJITCode::initializeCodeRef):
1694         (JSC::NativeJITCode::addressForCall):
1695         * jit/JITCode.h:
1696         * jit/JITCodeMap.h:
1697         (JSC::JITCodeMap::Entry::Entry):
1698         (JSC::JITCodeMap::Entry::codeLocation):
1699         (JSC::JITCodeMap::append):
1700         (JSC::JITCodeMap::find const):
1701         * jit/JITDisassembler.cpp:
1702         (JSC::JITDisassembler::dumpDisassembly):
1703         * jit/JITExceptions.cpp:
1704         (JSC::genericUnwind):
1705         * jit/JITInlineCacheGenerator.cpp:
1706         (JSC::JITByIdGenerator::finalize):
1707         * jit/JITInlines.h:
1708         (JSC::JIT::emitNakedCall):
1709         (JSC::JIT::emitNakedTailCall):
1710         (JSC::JIT::appendCallWithExceptionCheck):
1711         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
1712         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1713         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1714         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1715         * jit/JITMathIC.h:
1716         (JSC::isProfileEmpty):
1717         * jit/JITOpcodes.cpp:
1718         (JSC::JIT::emit_op_catch):
1719         (JSC::JIT::emit_op_switch_imm):
1720         (JSC::JIT::emit_op_switch_char):
1721         (JSC::JIT::emit_op_switch_string):
1722         (JSC::JIT::privateCompileHasIndexedProperty):
1723         (JSC::JIT::emitSlow_op_has_indexed_property):
1724         * jit/JITOpcodes32_64.cpp:
1725         (JSC::JIT::privateCompileHasIndexedProperty):
1726         * jit/JITOperations.cpp:
1727         (JSC::getByVal):
1728         * jit/JITPropertyAccess.cpp:
1729         (JSC::JIT::stringGetByValStubGenerator):
1730         (JSC::JIT::emitGetByValWithCachedId):
1731         (JSC::JIT::emitSlow_op_get_by_val):
1732         (JSC::JIT::emitPutByValWithCachedId):
1733         (JSC::JIT::emitSlow_op_put_by_val):
1734         (JSC::JIT::emitSlow_op_try_get_by_id):
1735         (JSC::JIT::emitSlow_op_get_by_id_direct):
1736         (JSC::JIT::emitSlow_op_get_by_id):
1737         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1738         (JSC::JIT::emitSlow_op_put_by_id):
1739         (JSC::JIT::privateCompileGetByVal):
1740         (JSC::JIT::privateCompileGetByValWithCachedId):
1741         (JSC::JIT::privateCompilePutByVal):
1742         (JSC::JIT::privateCompilePutByValWithCachedId):
1743         * jit/JITPropertyAccess32_64.cpp:
1744         (JSC::JIT::stringGetByValStubGenerator):
1745         (JSC::JIT::emitSlow_op_get_by_val):
1746         (JSC::JIT::emitSlow_op_put_by_val):
1747         * jit/JITStubRoutine.h:
1748         (JSC::JITStubRoutine::JITStubRoutine):
1749         (JSC::JITStubRoutine::createSelfManagedRoutine):
1750         (JSC::JITStubRoutine::code const):
1751         (JSC::JITStubRoutine::asCodePtr):
1752         * jit/JITThunks.cpp:
1753         (JSC::JITThunks::ctiNativeCall):
1754         (JSC::JITThunks::ctiNativeConstruct):
1755         (JSC::JITThunks::ctiNativeTailCall):
1756         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
1757         (JSC::JITThunks::ctiInternalFunctionCall):
1758         (JSC::JITThunks::ctiInternalFunctionConstruct):
1759         (JSC::JITThunks::ctiStub):
1760         (JSC::JITThunks::existingCTIStub):
1761         (JSC::JITThunks::hostFunctionStub):
1762         * jit/JITThunks.h:
1763         * jit/PCToCodeOriginMap.cpp:
1764         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
1765         * jit/PCToCodeOriginMap.h:
1766         * jit/PolymorphicCallStubRoutine.cpp:
1767         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1768         * jit/PolymorphicCallStubRoutine.h:
1769         * jit/Repatch.cpp:
1770         (JSC::readPutICCallTarget):
1771         (JSC::ftlThunkAwareRepatchCall):
1772         (JSC::appropriateOptimizingGetByIdFunction):
1773         (JSC::appropriateGetByIdFunction):
1774         (JSC::tryCacheGetByID):
1775         (JSC::repatchGetByID):
1776         (JSC::tryCachePutByID):
1777         (JSC::repatchPutByID):
1778         (JSC::tryCacheIn):
1779         (JSC::repatchIn):
1780         (JSC::linkSlowFor):
1781         (JSC::linkFor):
1782         (JSC::linkDirectFor):
1783         (JSC::revertCall):
1784         (JSC::unlinkFor):
1785         (JSC::linkVirtualFor):
1786         (JSC::linkPolymorphicCall):
1787         (JSC::resetGetByID):
1788         (JSC::resetPutByID):
1789         * jit/Repatch.h:
1790         * jit/SlowPathCall.h:
1791         (JSC::JITSlowPathCall::call):
1792         * jit/SpecializedThunkJIT.h:
1793         (JSC::SpecializedThunkJIT::finalize):
1794         (JSC::SpecializedThunkJIT::callDoubleToDouble):
1795         (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
1796         * jit/ThunkGenerator.h:
1797         * jit/ThunkGenerators.cpp:
1798         (JSC::throwExceptionFromCallSlowPathGenerator):
1799         (JSC::slowPathFor):
1800         (JSC::linkCallThunkGenerator):
1801         (JSC::linkPolymorphicCallThunkGenerator):
1802         (JSC::virtualThunkFor):
1803         (JSC::nativeForGenerator):
1804         (JSC::nativeCallGenerator):
1805         (JSC::nativeTailCallGenerator):
1806         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1807         (JSC::nativeConstructGenerator):
1808         (JSC::internalFunctionCallGenerator):
1809         (JSC::internalFunctionConstructGenerator):
1810         (JSC::arityFixupGenerator):
1811         (JSC::unreachableGenerator):
1812         (JSC::charCodeAtThunkGenerator):
1813         (JSC::charAtThunkGenerator):
1814         (JSC::fromCharCodeThunkGenerator):
1815         (JSC::clz32ThunkGenerator):
1816         (JSC::sqrtThunkGenerator):
1817         (JSC::floorThunkGenerator):
1818         (JSC::ceilThunkGenerator):
1819         (JSC::truncThunkGenerator):
1820         (JSC::roundThunkGenerator):
1821         (JSC::expThunkGenerator):
1822         (JSC::logThunkGenerator):
1823         (JSC::absThunkGenerator):
1824         (JSC::imulThunkGenerator):
1825         (JSC::randomThunkGenerator):
1826         (JSC::boundThisNoArgsFunctionCallGenerator):
1827         * jit/ThunkGenerators.h:
1828         * llint/LLIntData.cpp:
1829         (JSC::LLInt::initialize):
1830         * llint/LLIntData.h:
1831         (JSC::LLInt::getExecutableAddress):
1832         (JSC::LLInt::getCodePtr):
1833         (JSC::LLInt::getCodeRef):
1834         (JSC::LLInt::getCodeFunctionPtr):
1835         * llint/LLIntEntrypoint.cpp:
1836         (JSC::LLInt::setFunctionEntrypoint):
1837         (JSC::LLInt::setEvalEntrypoint):
1838         (JSC::LLInt::setProgramEntrypoint):
1839         (JSC::LLInt::setModuleProgramEntrypoint):
1840         * llint/LLIntExceptions.cpp:
1841         (JSC::LLInt::callToThrow):
1842         * llint/LLIntSlowPaths.cpp:
1843         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1844         (JSC::LLInt::setUpCall):
1845         * llint/LLIntThunks.cpp:
1846         (JSC::vmEntryToWasm):
1847         (JSC::LLInt::generateThunkWithJumpTo):
1848         (JSC::LLInt::functionForCallEntryThunkGenerator):
1849         (JSC::LLInt::functionForConstructEntryThunkGenerator):
1850         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
1851         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
1852         (JSC::LLInt::evalEntryThunkGenerator):
1853         (JSC::LLInt::programEntryThunkGenerator):
1854         (JSC::LLInt::moduleProgramEntryThunkGenerator):
1855         * llint/LLIntThunks.h:
1856         * llint/LowLevelInterpreter.asm:
1857         * llint/LowLevelInterpreter32_64.asm:
1858         * llint/LowLevelInterpreter64.asm:
1859         * profiler/ProfilerCompilation.cpp:
1860         (JSC::Profiler::Compilation::addOSRExitSite):
1861         * profiler/ProfilerCompilation.h:
1862         * profiler/ProfilerOSRExitSite.cpp:
1863         (JSC::Profiler::OSRExitSite::toJS const):
1864         * profiler/ProfilerOSRExitSite.h:
1865         (JSC::Profiler::OSRExitSite::OSRExitSite):
1866         (JSC::Profiler::OSRExitSite::codeAddress const):
1867         (JSC::Profiler::OSRExitSite:: const): Deleted.
1868         * runtime/ExecutableBase.cpp:
1869         (JSC::ExecutableBase::clearCode):
1870         * runtime/ExecutableBase.h:
1871         (JSC::ExecutableBase::entrypointFor):
1872         * runtime/NativeExecutable.cpp:
1873         (JSC::NativeExecutable::finishCreation):
1874         * runtime/NativeFunction.h:
1875         (JSC::TaggedNativeFunction::TaggedNativeFunction):
1876         (JSC::TaggedNativeFunction::operator NativeFunction):
1877         * runtime/PtrTag.h:
1878         (JSC::tagCodePtr):
1879         (JSC::untagCodePtr):
1880         (JSC::retagCodePtr):
1881         (JSC::tagCFunctionPtr):
1882         (JSC::untagCFunctionPtr):
1883         (JSC::nextPtrTagID): Deleted.
1884         * runtime/PutPropertySlot.h:
1885         (JSC::PutPropertySlot::PutPropertySlot):
1886         (JSC::PutPropertySlot::setCustomValue):
1887         (JSC::PutPropertySlot::setCustomAccessor):
1888         (JSC::PutPropertySlot::customSetter const):
1889         * runtime/ScriptExecutable.cpp:
1890         (JSC::ScriptExecutable::installCode):
1891         * runtime/VM.cpp:
1892         (JSC::VM::getHostFunction):
1893         (JSC::VM::getCTIInternalFunctionTrampolineFor):
1894         * runtime/VM.h:
1895         (JSC::VM::getCTIStub):
1896         * wasm/WasmB3IRGenerator.cpp:
1897         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1898         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
1899         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1900         (JSC::Wasm::B3IRGenerator::addCall):
1901         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1902         * wasm/WasmBBQPlan.cpp:
1903         (JSC::Wasm::BBQPlan::prepare):
1904         (JSC::Wasm::BBQPlan::complete):
1905         * wasm/WasmBBQPlan.h:
1906         * wasm/WasmBinding.cpp:
1907         (JSC::Wasm::wasmToWasm):
1908         * wasm/WasmBinding.h:
1909         * wasm/WasmCallee.h:
1910         (JSC::Wasm::Callee::entrypoint const):
1911         * wasm/WasmCallingConvention.h:
1912         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
1913         * wasm/WasmCodeBlock.h:
1914         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
1915         * wasm/WasmFaultSignalHandler.cpp:
1916         (JSC::Wasm::trapHandler):
1917         * wasm/WasmFormat.h:
1918         * wasm/WasmInstance.h:
1919         * wasm/WasmOMGPlan.cpp:
1920         (JSC::Wasm::OMGPlan::work):
1921         * wasm/WasmThunks.cpp:
1922         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1923         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1924         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1925         (JSC::Wasm::Thunks::stub):
1926         (JSC::Wasm::Thunks::existingStub):
1927         * wasm/WasmThunks.h:
1928         * wasm/js/JSToWasm.cpp:
1929         (JSC::Wasm::createJSToWasmWrapper):
1930         * wasm/js/JSWebAssemblyCodeBlock.h:
1931         * wasm/js/WasmToJS.cpp:
1932         (JSC::Wasm::handleBadI64Use):
1933         (JSC::Wasm::wasmToJS):
1934         * wasm/js/WasmToJS.h:
1935         * wasm/js/WebAssemblyFunction.h:
1936         * yarr/YarrJIT.cpp:
1937         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
1938         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
1939         (JSC::Yarr::YarrGenerator::compile):
1940         * yarr/YarrJIT.h:
1941         (JSC::Yarr::YarrCodeBlock::set8BitCode):
1942         (JSC::Yarr::YarrCodeBlock::set16BitCode):
1943         (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
1944         (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
1945         (JSC::Yarr::YarrCodeBlock::execute):
1946         (JSC::Yarr::YarrCodeBlock::clear):
1947
1948 2018-04-17  Commit Queue  <commit-queue@webkit.org>
1949
1950         Unreviewed, rolling out r230697, r230720, and r230724.
1951         https://bugs.webkit.org/show_bug.cgi?id=184717
1952
1953         These caused multiple failures on the Test262 testers.
1954         (Requested by mlewis13 on #webkit).
1955
1956         Reverted changesets:
1957
1958         "[WebAssembly][Modules] Prototype wasm import"
1959         https://bugs.webkit.org/show_bug.cgi?id=184600
1960         https://trac.webkit.org/changeset/230697
1961
1962         "[WebAssembly][Modules] Implement function import from wasm
1963         modules"
1964         https://bugs.webkit.org/show_bug.cgi?id=184689
1965         https://trac.webkit.org/changeset/230720
1966
1967         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
1968         https://bugs.webkit.org/show_bug.cgi?id=184703
1969         https://trac.webkit.org/changeset/230724
1970
1971 2018-04-17  JF Bastien  <jfbastien@apple.com>
1972
1973         A put is not an ExistingProperty put when we transition a structure because of an attributes change
1974         https://bugs.webkit.org/show_bug.cgi?id=184706
1975         <rdar://problem/38871451>
1976
1977         Reviewed by Saam Barati.
1978
1979         When putting a property on a structure and the slot is a different
1980         type, the slot can't be said to have already existed.
1981
1982         * runtime/JSObjectInlines.h:
1983         (JSC::JSObject::putDirectInternal):
1984
1985 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
1986
1987         JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
1988         https://bugs.webkit.org/show_bug.cgi?id=184705
1989
1990         Reviewed by Michael Saboff.
1991         
1992         My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
1993         while testing an unrelated patch, a concurrent GC thread crashed inside
1994         JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
1995         because a typed array became wasteful concurrently to the GC. So, visitChildren() read one
1996         mode and another vector.
1997         
1998         The fix is to lock inside visitChildren and anyone who changes those fields.
1999         
2000         I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
2001         this.
2002
2003         * runtime/JSArrayBufferView.cpp:
2004         (JSC::JSArrayBufferView::neuter):
2005         * runtime/JSGenericTypedArrayViewInlines.h:
2006         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2007         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2008
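The race described in this entry is a torn read of a field pair: the collector reads `m_mode` and `m_vector` separately, while a mutator thread changes both. The following stand-alone C++ model is an added illustration and is not JSC code; `View`, `cellLock`, `toggle()`, `visit()`, `inlineStorage` and `heapStorage` are hypothetical names that only mimic the shape of the problem (a mode tag that must agree with a storage pointer). It runs a mutator against a visitor and counts how often the visitor observes a mode paired with the wrong pointer; taking the same lock on both sides, as the fix does, makes that count zero.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <mutex>
#include <thread>

// Hypothetical stand-in for a typed array cell. Field and method names are
// illustrative and do not mirror JSC's JSArrayBufferView.
enum class Mode : uint8_t { FastTypedArray, WastefulTypedArray };

struct View {
    std::mutex cellLock;                          // taken by the visitor and by every writer
    std::atomic<Mode> mode { Mode::FastTypedArray };
    std::atomic<const void*> vector { nullptr };  // must always agree with mode
    alignas(16) unsigned char inlineStorage[16] = {};  // what vector points at in Fast mode
    alignas(16) unsigned char heapStorage[16] = {};    // what vector points at in Wasteful mode

    View() { vector.store(inlineStorage, std::memory_order_relaxed); }

    // A (mode, vector) pair is consistent iff the pointer matches the mode.
    bool consistent(Mode m, const void* v) const {
        return (m == Mode::FastTypedArray && v == inlineStorage)
            || (m == Mode::WastefulTypedArray && v == heapStorage);
    }

    // Mutator side (the slowDownAndWasteMemory / neuter analogue): changes both fields.
    void toggle(bool useLock) {
        std::unique_lock<std::mutex> guard(cellLock, std::defer_lock);
        if (useLock) guard.lock();
        Mode next = mode.load(std::memory_order_relaxed) == Mode::FastTypedArray
            ? Mode::WastefulTypedArray : Mode::FastTypedArray;
        mode.store(next, std::memory_order_relaxed);
        // An unlocked visitor that reads between these two stores sees the new
        // mode paired with the old vector: exactly the torn read described above.
        vector.store(next == Mode::FastTypedArray ? inlineStorage : heapStorage,
            std::memory_order_relaxed);
    }

    // Collector side (the visitChildren analogue): snapshot both fields under the
    // same lock, then act on the snapshot. Returns false on a torn observation.
    bool visit(bool useLock) {
        std::unique_lock<std::mutex> guard(cellLock, std::defer_lock);
        if (useLock) guard.lock();
        Mode m = mode.load(std::memory_order_relaxed);
        const void* v = vector.load(std::memory_order_relaxed);
        return consistent(m, v);  // real code would mark v only when m says it is a heap buffer
    }
};

// Runs one mutator thread against one visitor thread and counts torn observations.
// With useLock the count is always 0; without it the count is usually positive.
std::size_t countTornReads(bool useLock, std::size_t iterations) {
    View view;
    std::atomic<bool> done { false };
    std::size_t torn = 0;
    std::thread mutator([&] {
        for (std::size_t i = 0; i < iterations; ++i)
            view.toggle(useLock);
        done.store(true, std::memory_order_release);
    });
    while (!done.load(std::memory_order_acquire)) {
        if (!view.visit(useLock))
            ++torn;
    }
    mutator.join();
    return torn;
}

int main() {
    std::printf("torn reads without lock: %zu\n", countTornReads(false, 100000));
    std::printf("torn reads with lock:    %zu\n", countTornReads(true, 100000));
    return 0;
}
```

The individual loads and stores are atomic, so the model has no data race in the C++ sense; what it shows is that word-level atomicity is not enough when two fields form one invariant. The unlocked count depends on scheduling and may be zero on a single core, which is why a bug like this is hard to reproduce and why the entry says a test was not attempted.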
2009 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
2010
2011         PutStackSinkingPhase should know that KillStack means ConflictingFlush
2012         https://bugs.webkit.org/show_bug.cgi?id=184672
2013
2014         Reviewed by Michael Saboff.
2015
2016         We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
2017         KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
2018         archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
2019         intentional - I don't know.
2020
2021         Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
2022         doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
2023         the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
2024         KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
2025         that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
2026         specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
2027         could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
2028         KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
2029         inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
2030         have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
2031         values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
2032         value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
2033
2034         This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
2035         them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
2036         its stack slot for the purpose of clobberize.
2037
2038         * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
2039         * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
2040         * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
2041         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2042
2043 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2044
2045         JSWebAssemblyCodeBlock should be in an IsoSubspace
2046         https://bugs.webkit.org/show_bug.cgi?id=184704
2047
2048         Reviewed by Mark Lam.
2049         
2050         Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
2051         CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
2052         shortcircuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
2053         protection.
2054
2055         * runtime/VM.cpp:
2056         (JSC::VM::VM):
2057         * runtime/VM.h:
2058         * wasm/js/JSWebAssemblyCodeBlock.h:
2059
2060 2018-04-17  Jer Noble  <jer.noble@apple.com>
2061
2062         Only enable useSeparatedWXHeap on ARM64.
2063         https://bugs.webkit.org/show_bug.cgi?id=184697
2064
2065         Reviewed by Saam Barati.
2066
2067         * runtime/Options.cpp:
2068         (JSC::recomputeDependentOptions):
2069
2070 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2071
2072         [WebAssembly][Modules] Implement function import from wasm modules
2073         https://bugs.webkit.org/show_bug.cgi?id=184689
2074
2075         Reviewed by JF Bastien.
2076
2077         This patch implements function import from wasm modules. We move function importing part
2078         from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
2079         is because linking these functions requires that all the dependent modules are created.
2080         While we want to move all the linking functionality from JSWebAssemblyInstance to
2081         WebAssemblyModuleRecord::link, we do not do that in this patch. In this patch, we move only
2082         function importing part because efficient compilation of WebAssembly needs to know
2083         the type of WebAssemblyMemory (signaling or bound checking). This needs to know imported
2084         or attached WebAssembly memory object. So we cannot defer this linking to
2085         WebAssemblyModuleRecord::link now.
2086
2087         The largest difference from JS module linking is that WebAssembly module linking links
2088         function from the module by snapshotting. When you have a cyclic module graph like this,
2089
2090         -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) +
2091             ^                                                  |
2092             +--------------------------------------------------+
2093
2094         we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
2095         is described in [1], and tested in this patch.
2096
2097         [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
2098
2099         * JavaScriptCore.xcodeproj/project.pbxproj:
2100         * jsc.cpp:
2101         (functionDollarAgentStart):
2102         (checkException):
2103         (runWithOptions):
2104         Small fixes for wasm module loading.
2105
2106         * parser/NodesAnalyzeModule.cpp:
2107         (JSC::ImportDeclarationNode::analyzeModule):
2108         * runtime/AbstractModuleRecord.cpp:
2109         (JSC::AbstractModuleRecord::resolveImport):
2110         (JSC::AbstractModuleRecord::link):
2111         * runtime/AbstractModuleRecord.h:
2112         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
2113         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
2114         Now, wasm modules can have an import which is named "*". So this function does not work.
2115         Since wasm modules never have namespace importing, we check this in JS's module analyzer.
2116
2117         * runtime/JSModuleEnvironment.cpp:
2118         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2119         * runtime/JSModuleRecord.cpp:
2120         (JSC::JSModuleRecord::instantiateDeclarations):
2121         * wasm/WasmCreationMode.h: Added.
2122         * wasm/js/JSWebAssemblyInstance.cpp:
2123         (JSC::JSWebAssemblyInstance::finalizeCreation):
2124         (JSC::JSWebAssemblyInstance::create):
2125         * wasm/js/JSWebAssemblyInstance.h:
2126         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2127         (JSC::constructJSWebAssemblyInstance):
2128         * wasm/js/WebAssemblyModuleRecord.cpp:
2129         (JSC::WebAssemblyModuleRecord::link):
2130         * wasm/js/WebAssemblyModuleRecord.h:
2131         * wasm/js/WebAssemblyPrototype.cpp:
2132         (JSC::resolve):
2133         (JSC::instantiate):
2134         (JSC::compileAndInstantiate):
2135         (JSC::WebAssemblyPrototype::instantiate):
2136         (JSC::webAssemblyInstantiateFunc):
2137
2138 2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>
2139
2140         Implement setupArgumentsImpl for ARM and MIPS
2141         https://bugs.webkit.org/show_bug.cgi?id=183786
2142
2143         Reviewed by Yusuke Suzuki.
2144
2145         Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling convention. Added
2146         numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
2147         registers used for 64-bit values on 32-bit architectures. numCrossSources
2148         keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
2149
2150         * assembler/MacroAssemblerARMv7.h:
2151         (JSC::MacroAssemblerARMv7::moveDouble):
2152         * assembler/MacroAssemblerMIPS.h:
2153         (JSC::MacroAssemblerMIPS::moveDouble):
2154         * jit/CCallHelpers.h:
2155         (JSC::CCallHelpers::setupStubCrossArgs):
2156         (JSC::CCallHelpers::ArgCollection::ArgCollection):
2157         (JSC::CCallHelpers::ArgCollection::pushRegArg):
2158         (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
2159         (JSC::CCallHelpers::ArgCollection::addGPRArg):
2160         (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
2161         (JSC::CCallHelpers::ArgCollection::addStackArg):
2162         (JSC::CCallHelpers::ArgCollection::addPoke):
2163         (JSC::CCallHelpers::ArgCollection::argCount):
2164         (JSC::CCallHelpers::calculatePokeOffset):
2165         (JSC::CCallHelpers::pokeForArgument):
2166         (JSC::CCallHelpers::stackAligned):
2167         (JSC::CCallHelpers::marshallArgumentRegister):
2168         (JSC::CCallHelpers::setupArgumentsImpl):
2169         (JSC::CCallHelpers::pokeArgumentsAligned):
2170         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
2171         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
2172         (JSC::CCallHelpers::setupArguments):
2173         * jit/FPRInfo.h:
2174         (JSC::FPRInfo::toArgumentRegister):
2175
2176 2018-04-17  Saam Barati  <sbarati@apple.com>
2177
2178         Add system trace points for process launch and for initializeWebProcess
2179         https://bugs.webkit.org/show_bug.cgi?id=184669
2180
2181         Reviewed by Simon Fraser.
2182
2183         * runtime/VMEntryScope.cpp:
2184         (JSC::VMEntryScope::VMEntryScope):
2185         (JSC::VMEntryScope::~VMEntryScope):
2186
2187 2018-04-17  Jer Noble  <jer.noble@apple.com>
2188
2189         Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
2190         https://bugs.webkit.org/show_bug.cgi?id=184602
2191
2192         Reviewed by Beth Dakin.
2193
2194         * JavaScriptCore.xcodeproj/project.pbxproj:
2195
2196 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2197
2198         [GLIB] Add API to clear JSCContext uncaught exception
2199         https://bugs.webkit.org/show_bug.cgi?id=184685
2200
2201         Reviewed by Žan Doberšek.
2202
2203         Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
2204
2205         * API/glib/JSCContext.cpp:
2206         (jsc_context_clear_exception):
2207         * API/glib/JSCContext.h:
2208         * API/glib/docs/jsc-glib-4.0-sections.txt:
2209
2210 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2211
2212         [GLIB] Add API to query, delete and enumerate properties
2213         https://bugs.webkit.org/show_bug.cgi?id=184647
2214
2215         Reviewed by Michael Catanzaro.
2216
2217         Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
2218
2219         * API/glib/JSCValue.cpp:
2220         (jsc_value_object_has_property):
2221         (jsc_value_object_delete_property):
2222         (jsc_value_object_enumerate_properties):
2223         * API/glib/JSCValue.h:
2224         * API/glib/docs/jsc-glib-4.0-sections.txt:
2225
2226 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2227
2228         [WebAssembly][Modules] Prototype wasm import
2229         https://bugs.webkit.org/show_bug.cgi?id=184600
2230
2231         Reviewed by JF Bastien.
2232
2233         This patch is an initial attempt to implement Wasm loading in the module pipeline.
2234         Currently,
2235
2236         1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
2237            in whatwg HTML, we should integrate this into WebCore.
2238
2239         2. We only support exporting values from Wasm. A Wasm module cannot import anything from
2240            the other modules now.
2241
2242         When loading a file, the JSC shell checks the wasm magic. If the wasm magic is found, the JSC shell
2243         loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
2244         module loader pipeline just handles it the same as JS. When parsing a module, we
2245         check the type of JSSourceCode. If the source code is Wasm source code, we create a
2246         WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
2247         AbstractModuleRecord and the Wasm module is instantiated, linked, and evaluated.
2248
2249         * builtins/ModuleLoaderPrototype.js:
2250         (globalPrivate.newRegistryEntry):
2251         (requestInstantiate):
2252         (link):
2253         * jsc.cpp:
2254         (convertShebangToJSComment):
2255         (fillBufferWithContentsOfFile):
2256         (fetchModuleFromLocalFileSystem):
2257         (GlobalObject::moduleLoaderFetch):
2258         * parser/SourceProvider.h:
2259         (JSC::WebAssemblySourceProvider::create):
2260         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
2261         * runtime/AbstractModuleRecord.cpp:
2262         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2263         (JSC::AbstractModuleRecord::link):
2264         (JSC::AbstractModuleRecord::evaluate):
2265         (JSC::identifierToJSValue): Deleted.
2266         * runtime/AbstractModuleRecord.h:
2267         * runtime/JSModuleLoader.cpp:
2268         (JSC::JSModuleLoader::evaluate):
2269         * runtime/JSModuleRecord.cpp:
2270         (JSC::JSModuleRecord::link):
2271         (JSC::JSModuleRecord::instantiateDeclarations):
2272         * runtime/JSModuleRecord.h:
2273         * runtime/ModuleLoaderPrototype.cpp:
2274         (JSC::moduleLoaderPrototypeParseModule):
2275         (JSC::moduleLoaderPrototypeRequestedModules):
2276         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
2277         * wasm/js/JSWebAssemblyHelpers.h:
2278         (JSC::getWasmBufferFromValue):
2279         (JSC::createSourceBufferFromValue):
2280         * wasm/js/JSWebAssemblyInstance.cpp:
2281         (JSC::JSWebAssemblyInstance::finalizeCreation):
2282         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
2283         (JSC::JSWebAssemblyInstance::create):
2284         * wasm/js/JSWebAssemblyInstance.h:
2285         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2286         (JSC::constructJSWebAssemblyInstance):
2287         * wasm/js/WebAssemblyModuleRecord.cpp:
2288         (JSC::WebAssemblyModuleRecord::prepareLink):
2289         (JSC::WebAssemblyModuleRecord::link):
2290         * wasm/js/WebAssemblyModuleRecord.h:
2291         * wasm/js/WebAssemblyPrototype.cpp:
2292         (JSC::resolve):
2293         (JSC::instantiate):
2294         (JSC::compileAndInstantiate):
2295         (JSC::WebAssemblyPrototype::instantiate):
2296         (JSC::webAssemblyInstantiateFunc):
2297         (JSC::webAssemblyValidateFunc):
2298         * wasm/js/WebAssemblyPrototype.h:
2299
2300 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
2301
2302         Function.prototype.caller shouldn't return generator bodies
2303         https://bugs.webkit.org/show_bug.cgi?id=184630
2304
2305         Reviewed by Yusuke Suzuki.
2306         
2307         Function.prototype.caller no longer returns generator bodies. Those are meant to be
2308         private.
2309         
2310         Also added some builtin debugging tools so that it's easier to do the investigation that I
2311         did.
2312
2313         * builtins/BuiltinNames.h:
2314         * runtime/JSFunction.cpp:
2315         (JSC::JSFunction::callerGetter):
2316         * runtime/JSGlobalObject.cpp:
2317         (JSC::JSGlobalObject::init):
2318         * runtime/JSGlobalObjectFunctions.cpp:
2319         (JSC::globalFuncBuiltinDescribe):
2320         * runtime/JSGlobalObjectFunctions.h:
2321
2322 2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2323
2324         [DFG] Remove duplicate 32bit ProfileType implementation
2325         https://bugs.webkit.org/show_bug.cgi?id=184536
2326
2327         Reviewed by Saam Barati.
2328
2329         This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.
2330
2331         * dfg/DFGSpeculativeJIT.cpp:
2332         (JSC::DFG::SpeculativeJIT::compileProfileType):
2333         * dfg/DFGSpeculativeJIT.h:
2334         * dfg/DFGSpeculativeJIT32_64.cpp:
2335         (JSC::DFG::SpeculativeJIT::compile):
2336         * dfg/DFGSpeculativeJIT64.cpp:
2337         (JSC::DFG::SpeculativeJIT::compile):
2338         * jit/AssemblyHelpers.h:
2339         (JSC::AssemblyHelpers::branchIfUndefined):
2340         (JSC::AssemblyHelpers::branchIfNull):
2341
2342 2018-04-12  Mark Lam  <mark.lam@apple.com>
2343
2344         Consolidate some PtrTags.
2345         https://bugs.webkit.org/show_bug.cgi?id=184552
2346         <rdar://problem/39389404>
2347
2348         Reviewed by Filip Pizlo.
2349
2350         Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
2351         Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
2352
2353         * assembler/AbstractMacroAssembler.h:
2354         (JSC::AbstractMacroAssembler::repatchNearCall):
2355         * assembler/MacroAssemblerARM.h:
2356         (JSC::MacroAssemblerARM::readCallTarget):
2357         * assembler/MacroAssemblerARMv7.h:
2358         (JSC::MacroAssemblerARMv7::readCallTarget):
2359         * assembler/MacroAssemblerMIPS.h:
2360         (JSC::MacroAssemblerMIPS::readCallTarget):
2361         * assembler/MacroAssemblerX86.h:
2362         (JSC::MacroAssemblerX86::readCallTarget):
2363         * assembler/MacroAssemblerX86_64.h:
2364         (JSC::MacroAssemblerX86_64::readCallTarget):
2365         * bytecode/AccessCase.cpp:
2366         (JSC::AccessCase::generateImpl):
2367         * bytecode/InlineAccess.cpp:
2368         (JSC::InlineAccess::rewireStubAsJump):
2369         * bytecode/PolymorphicAccess.cpp:
2370         (JSC::PolymorphicAccess::regenerate):
2371         * dfg/DFGJITCompiler.cpp:
2372         (JSC::DFG::JITCompiler::linkOSRExits):
2373         (JSC::DFG::JITCompiler::link):
2374         (JSC::DFG::JITCompiler::compileFunction):
2375         * dfg/DFGJITFinalizer.cpp:
2376         (JSC::DFG::JITFinalizer::finalize):
2377         (JSC::DFG::JITFinalizer::finalizeFunction):
2378         * dfg/DFGOSREntry.cpp:
2379         (JSC::DFG::prepareOSREntry):
2380         * dfg/DFGOSRExit.cpp:
2381         (JSC::DFG::OSRExit::executeOSRExit):
2382         (JSC::DFG::adjustAndJumpToTarget):
2383         (JSC::DFG::OSRExit::compileOSRExit):
2384         * dfg/DFGOSRExitCompilerCommon.cpp:
2385         (JSC::DFG::adjustAndJumpToTarget):
2386         * dfg/DFGOperations.cpp:
2387         * ftl/FTLJITCode.cpp:
2388         (JSC::FTL::JITCode::executableAddressAtOffset):
2389         * ftl/FTLJITFinalizer.cpp:
2390         (JSC::FTL::JITFinalizer::finalizeCommon):
2391         * ftl/FTLLazySlowPath.cpp:
2392         (JSC::FTL::LazySlowPath::generate):
2393         * ftl/FTLLink.cpp:
2394         (JSC::FTL::link):
2395         * ftl/FTLLowerDFGToB3.cpp:
2396         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2397         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2398         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2399         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2400         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2401         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
2402         * ftl/FTLOSRExitCompiler.cpp:
2403         (JSC::FTL::compileFTLOSRExit):
2404         * ftl/FTLOSRExitHandle.cpp:
2405         (JSC::FTL::OSRExitHandle::emitExitThunk):
2406         * jit/AssemblyHelpers.cpp:
2407         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2408         * jit/JIT.cpp:
2409         (JSC::JIT::compileWithoutLinking):
2410         (JSC::JIT::link):
2411         * jit/JITCall.cpp:
2412         (JSC::JIT::compileOpCallSlowCase):
2413         * jit/JITCode.cpp:
2414         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2415         (JSC::NativeJITCode::addressForCall):
2416         * jit/JITInlines.h:
2417         (JSC::JIT::emitNakedCall):
2418         (JSC::JIT::emitNakedTailCall):
2419         * jit/JITMathIC.h:
2420         (JSC::isProfileEmpty):
2421         * jit/JITOpcodes.cpp:
2422         (JSC::JIT::privateCompileHasIndexedProperty):
2423         * jit/JITOperations.cpp:
2424         * jit/JITPropertyAccess.cpp:
2425         (JSC::JIT::stringGetByValStubGenerator):
2426         (JSC::JIT::privateCompileGetByVal):
2427         (JSC::JIT::privateCompileGetByValWithCachedId):
2428         (JSC::JIT::privateCompilePutByVal):
2429         (JSC::JIT::privateCompilePutByValWithCachedId):
2430         * jit/JITThunks.cpp:
2431         (JSC::JITThunks::hostFunctionStub):
2432         * jit/Repatch.cpp:
2433         (JSC::linkSlowFor):
2434         (JSC::linkFor):
2435         (JSC::linkPolymorphicCall):
2436         * jit/SpecializedThunkJIT.h:
2437         (JSC::SpecializedThunkJIT::finalize):
2438         * jit/ThunkGenerators.cpp:
2439         (JSC::virtualThunkFor):
2440         (JSC::nativeForGenerator):
2441         (JSC::boundThisNoArgsFunctionCallGenerator):
2442         * llint/LLIntData.cpp:
2443         (JSC::LLInt::initialize):
2444         * llint/LLIntEntrypoint.cpp:
2445         (JSC::LLInt::setEvalEntrypoint):
2446         (JSC::LLInt::setProgramEntrypoint):
2447         (JSC::LLInt::setModuleProgramEntrypoint):
2448         * llint/LLIntSlowPaths.cpp:
2449         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2450         (JSC::LLInt::setUpCall):
2451         * llint/LLIntThunks.cpp:
2452         (JSC::LLInt::generateThunkWithJumpTo):
2453         (JSC::LLInt::functionForCallEntryThunkGenerator):
2454         (JSC::LLInt::functionForConstructEntryThunkGenerator):
2455         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
2456         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
2457         (JSC::LLInt::evalEntryThunkGenerator):
2458         (JSC::LLInt::programEntryThunkGenerator):
2459         (JSC::LLInt::moduleProgramEntryThunkGenerator):
2460         * llint/LowLevelInterpreter.asm:
2461         * llint/LowLevelInterpreter64.asm:
2462         * runtime/NativeExecutable.cpp:
2463         (JSC::NativeExecutable::finishCreation):
2464         * runtime/NativeFunction.h:
2465         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2466         (JSC::TaggedNativeFunction::operator NativeFunction):
2467         * runtime/PtrTag.h:
2468         * wasm/WasmBBQPlan.cpp:
2469         (JSC::Wasm::BBQPlan::complete):
2470         * wasm/WasmOMGPlan.cpp:
2471         (JSC::Wasm::OMGPlan::work):
2472         * wasm/WasmThunks.cpp:
2473         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2474         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2475         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2476         * wasm/js/WasmToJS.cpp:
2477         (JSC::Wasm::wasmToJS):
2478         * wasm/js/WebAssemblyFunction.h:
2479         * yarr/YarrJIT.cpp:
2480         (JSC::Yarr::YarrGenerator::compile):
2481
2482 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2483
2484         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
2485         https://bugs.webkit.org/show_bug.cgi?id=184379
2486
2487         Reviewed by Žan Doberšek.
2488
2489         Load the module from the new location.
2490
2491         * PlatformWPE.cmake:
2492         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2493         (Inspector::backendCommands):
2494
2495 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2496
2497         [DFG] Remove compileBigIntEquality in DFG 32bit
2498         https://bugs.webkit.org/show_bug.cgi?id=184535
2499
2500         Reviewed by Saam Barati.
2501
2502         We can have the unified implementation for compileBigIntEquality.
2503
2504         * dfg/DFGSpeculativeJIT.cpp:
2505         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2506         * dfg/DFGSpeculativeJIT32_64.cpp:
2507         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2508         * dfg/DFGSpeculativeJIT64.cpp:
2509         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2510
2511 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2512
2513         [WPE] Improve include hierarchy
2514         https://bugs.webkit.org/show_bug.cgi?id=184376
2515
2516         Reviewed by Žan Doberšek.
2517
2518         Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
2519         /usr/include/wpe-0.1/WPE/jsc.
2520
2521         * PlatformWPE.cmake:
2522
2523 2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2524
2525         [GLIB] Handle strings containing null characters
2526         https://bugs.webkit.org/show_bug.cgi?id=184450
2527
2528         Reviewed by Michael Catanzaro.
2529
2530         We should be able to evaluate scripts containing null characters and to handle strings that contain them
2531         too. In JavaScript, strings are not null-terminated; they can contain null characters. This patch adds a length
2532         parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null terminated), and new functions
2533         jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
2534         contain null characters.
2535
2536         * API/OpaqueJSString.cpp:
2537         (OpaqueJSString::create): Add a create constructor that takes the String.
2538         * API/OpaqueJSString.h:
2539         (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
2540         * API/glib/JSCContext.cpp:
2541         (jsc_context_evaluate): Add length parameter.
2542         (jsc_context_evaluate_with_source_uri): Ditto.
2543         * API/glib/JSCContext.h:
2544         * API/glib/JSCValue.cpp:
2545         (jsc_value_new_string_from_bytes):
2546         (jsc_value_to_string):
2547         (jsc_value_to_string_as_bytes):
2548         (jsc_value_object_is_instance_of): Pass length to evaluate.
2549         * API/glib/JSCValue.h:
2550         * API/glib/docs/jsc-glib-4.0-sections.txt:
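
        The truncation hazard behind this entry, shown as an added example that is not part of the ChangeLog, of the JSC GLib API or of GLib itself: a script buffer with an embedded null byte is silently cut short by any NUL-terminated copy, while an explicit length (with the -1 convention described above) and a length-carrying byte buffer keep it intact. The byte_string type stands in for GBytes and the sample script is constructed; both are assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: a script with an embedded NUL byte in the middle. */
static const char kScriptWithNul[] = "var a = 1;\0var b = 2;";
/* 21 bytes of script; sizeof counts the trailing terminator, so subtract it. */
#define SCRIPT_WITH_NUL_LEN (sizeof(kScriptWithNul) - 1)

/* Length convention modelled on the entry: a negative length means
 * "NUL-terminated, measure with strlen", anything else is the byte count. */
size_t effective_length(const char *data, long length)
{
    return length < 0 ? strlen(data) : (size_t)length;
}

/* Minimal owned byte buffer standing in for GBytes (an assumption, not the GLib type). */
typedef struct {
    unsigned char *data;
    size_t len;
} byte_string;

/* Copies exactly len bytes, embedded NULs included. */
byte_string byte_string_new(const void *data, size_t len)
{
    byte_string s;
    s.data = malloc(len ? len : 1);
    if (!s.data)
        abort();
    memcpy(s.data, data, len);
    s.len = len;
    return s;
}

void byte_string_free(byte_string *s)
{
    free(s->data);
    s->data = NULL;
    s->len = 0;
}

/* Byte-buffer round trip: every byte survives, including the NUL and what follows it. */
int byte_roundtrip_preserves_nul(void)
{
    byte_string copy = byte_string_new(kScriptWithNul, SCRIPT_WITH_NUL_LEN);
    int intact = copy.len == SCRIPT_WITH_NUL_LEN
              && memcmp(copy.data, kScriptWithNul, SCRIPT_WITH_NUL_LEN) == 0;
    byte_string_free(&copy);
    return intact;
}

/* C-string round trip: strcpy stops at the first NUL, silently dropping "var b = 2;". */
size_t cstring_roundtrip_length(void)
{
    char *copy = malloc(SCRIPT_WITH_NUL_LEN + 1);
    if (!copy)
        abort();
    strcpy(copy, kScriptWithNul);
    size_t seen = strlen(copy);
    free(copy);
    return seen;
}
```

        With length -1 the script measures 10 bytes (everything after the NUL is lost); with the explicit length it measures 21, and only the byte-buffer copy reproduces all 21 bytes, which is the property the GBytes-based functions are meant to give callers.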
2551
2552 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2553
2554         [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
2555         https://bugs.webkit.org/show_bug.cgi?id=184500
2556
2557         Reviewed by Mark Lam.
2558
2559         Instead of passing JSValue::JSCellTag to callOperation meta-program to convert
2560         JSCell GPR to EncodedJSValue in 32bit code, we add CallHelpers::CellValue.
2561         It is a wrapper for GPRReg, like TrustedImmPtr for pointer value. When poking
2562         CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
2563         poke the held GPR. The benefit from this CellValue is that we can use the same code
2564         for 32bit and 64bit. This patch removes several ifdefs.
2565
2566         * bytecode/AccessCase.cpp:
2567         (JSC::AccessCase::generateImpl):
2568         * dfg/DFGSpeculativeJIT.cpp:
2569         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2570         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2571         (JSC::DFG::SpeculativeJIT::cachedPutById):
2572         * dfg/DFGSpeculativeJIT32_64.cpp:
2573         (JSC::DFG::SpeculativeJIT::cachedGetById):
2574         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2575         * jit/CCallHelpers.h:
2576         (JSC::CCallHelpers::CellValue::CellValue):
2577         (JSC::CCallHelpers::CellValue::gpr const):
2578         (JSC::CCallHelpers::setupArgumentsImpl):
2579
2580 2018-04-11  Mark Lam  <mark.lam@apple.com>
2581
2582         [Build fix] Replace CompactJITCodeMap with JITCodeMap.
2583         https://bugs.webkit.org/show_bug.cgi?id=184512
2584         <rdar://problem/35391728>
2585
2586         Not reviewed.
2587
2588         * bytecode/CodeBlock.h:
2589         * jit/JITCodeMap.h:
2590
2591 2018-04-11  Mark Lam  <mark.lam@apple.com>
2592
2593         Replace CompactJITCodeMap with JITCodeMap.
2594         https://bugs.webkit.org/show_bug.cgi?id=184512
2595         <rdar://problem/35391728>
2596
2597         Reviewed by Filip Pizlo.
2598
2599         * CMakeLists.txt:
2600         * JavaScriptCore.xcodeproj/project.pbxproj:
2601         * bytecode/CodeBlock.h:
2602         (JSC::CodeBlock::setJITCodeMap):
2603         (JSC::CodeBlock::jitCodeMap const):
2604         (JSC::CodeBlock::jitCodeMap): Deleted.
2605         * dfg/DFGOSRExit.cpp:
2606         (JSC::DFG::OSRExit::executeOSRExit):
2607         * dfg/DFGOSRExitCompilerCommon.cpp:
2608         (JSC::DFG::adjustAndJumpToTarget):
2609         * jit/AssemblyHelpers.cpp:
2610         (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
2611         * jit/AssemblyHelpers.h:
2612         * jit/CompactJITCodeMap.h: Removed.
2613         * jit/JIT.cpp:
2614         (JSC::JIT::link):
2615         * jit/JITCodeMap.h: Added.
2616         (JSC::JITCodeMap::Entry::Entry):
2617         (JSC::JITCodeMap::Entry::bytecodeIndex const):
2618         (JSC::JITCodeMap::Entry::codeLocation):
2619         (JSC::JITCodeMap::append):
2620         (JSC::JITCodeMap::finish):
2621         (JSC::JITCodeMap::find const):
2622         (JSC::JITCodeMap::operator bool const):
2623         * llint/LLIntSlowPaths.cpp:
2624         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2625
2626 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2627
2628         [DFG] Remove CompareSlowPathGenerator
2629         https://bugs.webkit.org/show_bug.cgi?id=184492
2630
2631         Reviewed by Mark Lam.
2632
2633         Now CompareSlowPathGenerator is just calling a specified function.
2634         This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.
2635
2636         We also remove some unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
2637         introducing a new constructor for GPRTemporary.
2638
2639         * JavaScriptCore.xcodeproj/project.pbxproj:
2640         * dfg/DFGCompareSlowPathGenerator.h: Removed.
2641         * dfg/DFGSpeculativeJIT.cpp:
2642         (JSC::DFG::GPRTemporary::GPRTemporary):
2643         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
2644         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
2645         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2646         (JSC::DFG::SpeculativeJIT::compileIsObject):
2647         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2648         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2649         * dfg/DFGSpeculativeJIT.h:
2650         (JSC::DFG::GPRTemporary::GPRTemporary):
2651         * dfg/DFGSpeculativeJIT64.cpp:
2652         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2653
2654 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2655
2656         Unreviewed, build fix for 32bit
2657         https://bugs.webkit.org/show_bug.cgi?id=184236
2658
2659         * dfg/DFGSpeculativeJIT.cpp:
2660         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2661
2662 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2663
2664         [DFG] Remove duplicate 32bit code more
2665         https://bugs.webkit.org/show_bug.cgi?id=184236
2666
2667         Reviewed by Mark Lam.
2668
2669         Remove duplicate 32bit code more aggressively part 2.
2670
2671         * JavaScriptCore.xcodeproj/project.pbxproj:
2672         * dfg/DFGCompareSlowPathGenerator.h: Added.
2673         (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
2674         Drop boxing part. Use unblessedBooleanResult in DFGSpeculativeJIT side instead.
2675
2676         * dfg/DFGOperations.cpp:
2677         * dfg/DFGOperations.h:
2678         * dfg/DFGSpeculativeJIT.cpp:
2679         (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
2680         (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
2681         (JSC::DFG::SpeculativeJIT::compileIsObject):
2682         (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
2683         (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
2684         (JSC::DFG::SpeculativeJIT::compilePutById):
2685         (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
2686         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
2687         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2688         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
2689         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2690         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2691         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2692         (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
2693         (JSC::DFG::SpeculativeJIT::cachedPutById):
2694         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2695         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2696         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
2697         * dfg/DFGSpeculativeJIT.h:
2698         (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
2699         * dfg/DFGSpeculativeJIT32_64.cpp:
2700         (JSC::DFG::SpeculativeJIT::compile):
2701         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2702         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2703         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2704         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
2705         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2706         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2707         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2708         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2709         * dfg/DFGSpeculativeJIT64.cpp:
2710         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2711         (JSC::DFG::SpeculativeJIT::compile):
2712         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2713         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2714         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2715         (): Deleted.
2716         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2717         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2718         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2719         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2720         * ftl/FTLLowerDFGToB3.cpp:
2721         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2722         operationHasIndexedPropertyByInt starts returning an unblessed boolean as size_t.
2723
2724         * jit/AssemblyHelpers.h:
2725         (JSC::AssemblyHelpers::loadValue):
2726         (JSC::AssemblyHelpers::selectScratchGPR):
2727         (JSC::AssemblyHelpers::constructRegisterSet):
2728         * jit/RegisterSet.h:
2729         (JSC::RegisterSet::setAny):
2730         Clean up selectScratchGPR code to pass JSValueRegs.
2731
2732 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
2733
2734         [ESNext][BigInt] Add support for BigInt in SpeculatedType
2735         https://bugs.webkit.org/show_bug.cgi?id=182470
2736
2737         Reviewed by Saam Barati.
2738
2739         This patch introduces the SpecBigInt type to DFG to enable BigInt
2740         speculation into DFG and FTL.
2741
2742         With the SpecBigInt introduction, we can then specialize "===" operations
2743         on BigInts. As we are doing for some cells, we first check whether the operands
2744         point to the same JSCell, and if not, we
2745         fall back to "operationCompareStrictEqCell". The idea in further
2746         patches is to implement the BigInt equality check directly in
2747         assembly.
2748
2749         We are also adding support for BigInt constant folding into
2750         TypeOf operation.
2751
2752         * bytecode/SpeculatedType.cpp:
2753         (JSC::dumpSpeculation):
2754         (JSC::speculationFromClassInfo):
2755         (JSC::speculationFromStructure):
2756         (JSC::speculationFromJSType):
2757         (JSC::speculationFromString):
2758         * bytecode/SpeculatedType.h:
2759         (JSC::isBigIntSpeculation):
2760         * dfg/DFGAbstractInterpreterInlines.h:
2761         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2762         * dfg/DFGAbstractValue.cpp:
2763         (JSC::DFG::AbstractValue::set):
2764         * dfg/DFGConstantFoldingPhase.cpp:
2765         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2766         * dfg/DFGFixupPhase.cpp:
2767         (JSC::DFG::FixupPhase::fixupNode):
2768         (JSC::DFG::FixupPhase::fixupToThis):
2769         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2770         * dfg/DFGInferredTypeCheck.cpp:
2771         (JSC::DFG::insertInferredTypeCheck):
2772         * dfg/DFGNode.h:
2773         (JSC::DFG::Node::shouldSpeculateBigInt):
2774         * dfg/DFGPredictionPropagationPhase.cpp:
2775         * dfg/DFGSafeToExecute.h:
2776         (JSC::DFG::SafeToExecuteEdge::operator()):
2777         * dfg/DFGSpeculativeJIT.cpp:
2778         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2779         (JSC::DFG::SpeculativeJIT::speculateBigInt):
2780         (JSC::DFG::SpeculativeJIT::speculate):
2781         * dfg/DFGSpeculativeJIT.h:
2782         * dfg/DFGSpeculativeJIT32_64.cpp:
2783         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2784         * dfg/DFGSpeculativeJIT64.cpp:
2785         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2786         * dfg/DFGUseKind.cpp:
2787         (WTF::printInternal):
2788         * dfg/DFGUseKind.h:
2789         (JSC::DFG::typeFilterFor):
2790         (JSC::DFG::isCell):
2791         * ftl/FTLCapabilities.cpp:
2792         (JSC::FTL::canCompile):
2793         * ftl/FTLLowerDFGToB3.cpp:
2794         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2795         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
2796         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2797         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
2798         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
2799         * jit/AssemblyHelpers.cpp:
2800         (JSC::AssemblyHelpers::branchIfNotType):
2801         * jit/AssemblyHelpers.h:
2802         (JSC::AssemblyHelpers::branchIfBigInt):
2803         (JSC::AssemblyHelpers::branchIfNotBigInt):
2804         * runtime/InferredType.cpp:
2805         (JSC::InferredType::Descriptor::forValue):
2806         (JSC::InferredType::Descriptor::putByIdFlags const):
2807         (JSC::InferredType::Descriptor::merge):
2808         (WTF::printInternal):
2809         * runtime/InferredType.h:
2810         * runtime/JSBigInt.h:
2811
2812 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2813
2814         Unreviewed, fix cloop build.
2815
2816         * dfg/DFGAbstractInterpreterClobberState.cpp:
2817
2818 2018-04-10  Mark Lam  <mark.lam@apple.com>
2819
2820         Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
2821         https://bugs.webkit.org/show_bug.cgi?id=184464
2822         <rdar://problem/39323947>
2823
2824         Reviewed by Saam Barati.
2825
2826         * heap/MarkedSpace.h:
2827         (JSC::MarkedSpace::sizeClassToIndex):
2828
2829 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
2830
2831         DFG AI and clobberize should agree with each other
2832         https://bugs.webkit.org/show_bug.cgi?id=184440
2833
2834         Reviewed by Saam Barati.
2835         
2836         One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
2837         agree with each other. That's what this patch does: it adds an assertion that AI's structure
2838         state tracking must be equivalent to JSCell_structureID being clobbered.
2839         
2840         One subtlety is that AI sometimes folds away structure clobbering using information that
2841         clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
2842         ObservedTransitions).
2843         
2844         This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
2845         clobberize missing a write(Heap).
2846         
2847         This also makes some cases more precise in order to appease the assertion. Making things more
2848         precise might make things faster, but I didn't measure it because that wasn't the goal.
2849
2850         * JavaScriptCore.xcodeproj/project.pbxproj:
2851         * Sources.txt:
2852         * dfg/DFGAbstractInterpreter.h:
2853         * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
2854         (WTF::printInternal):
2855         * dfg/DFGAbstractInterpreterClobberState.h: Added.
2856         (JSC::DFG::mergeClobberStates):
2857         * dfg/DFGAbstractInterpreterInlines.h:
2858         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
2859         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2860         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
2861         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
2862         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
2863         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
2864         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
2865         (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
2866         * dfg/DFGAtTailAbstractState.h:
2867         (JSC::DFG::AtTailAbstractState::setClobberState):
2868         (JSC::DFG::AtTailAbstractState::mergeClobberState):
2869         (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
2870         * dfg/DFGCFAPhase.cpp:
2871         (JSC::DFG::CFAPhase::performBlockCFA):
2872         * dfg/DFGClobberSet.cpp:
2873         (JSC::DFG::writeSet):
2874         * dfg/DFGClobberSet.h:
2875         * dfg/DFGClobberize.h:
2876         (JSC::DFG::clobberize):
2877         * dfg/DFGConstantFoldingPhase.cpp:
2878         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2879         * dfg/DFGInPlaceAbstractState.h:
2880         (JSC::DFG::InPlaceAbstractState::clobberState const):
2881         (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
2882         (JSC::DFG::InPlaceAbstractState::didClobber const):
2883         (JSC::DFG::InPlaceAbstractState::setClobberState):
2884         (JSC::DFG::InPlaceAbstractState::mergeClobberState):
2885         (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
2886
2887 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2888
2889         ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
2890         https://bugs.webkit.org/show_bug.cgi?id=184460
2891         <rdar://problem/37610966>
2892
2893         Reviewed by Mark Lam.
2894
2895         * bytecode/ExecutableToCodeBlockEdge.cpp:
2896         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2897
2898 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2899
2900         REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
2901         https://bugs.webkit.org/show_bug.cgi?id=184455
2902
2903         Reviewed by Michael Saboff.
2904         
2905         LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
2906         says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
2907         (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
2908         the thing being hoisted does have effects, then we get a crash.
2909         
2910         In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
2911         CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
2912         would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
2913         effectful.
2914         
2915         Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
2916         clobberize to also think that CompareEq(Untyped:, _) is effectful.
2917         
2918         This fixes the whole situation by teaching both clobberize and AI that the only effectful form
2919         of CompareEq is CompareEq(Untyped:, Untyped:).
2920
2921         * dfg/DFGAbstractInterpreterInlines.h:
2922         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2923         * dfg/DFGClobberize.h:
2924         (JSC::DFG::clobberize):
2925
2926 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
2927
2928         Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
2929         https://bugs.webkit.org/show_bug.cgi?id=184372
2930
2931         Reviewed by Saam Barati.
2932         
2933         We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
2934         have already proved, using techniques that are more precise than AI, that the edge has type
2935         Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
2936         because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
2937         other than a check - so we think we can call those just because we should have already
2938         bailed. It's better to think of them as the result of folding a check. Therefore, we should
2939         only do it if there had been a check to begin with.
2940
2941         * dfg/DFGSpeculativeJIT64.cpp:
2942         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2943         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2944         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2945         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2946         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2947         * ftl/FTLLowerDFGToB3.cpp:
2948         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
2949         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
2950         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
2951         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
2952         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
2953         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2954         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
2955         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
2956
2957 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2958
2959         [JSC] Introduce @putByIdDirectPrivate
2960         https://bugs.webkit.org/show_bug.cgi?id=184400
2961
2962         Reviewed by Saam Barati.
2963
2964         This patch adds @putByIdDirectPrivate() for use in builtin JS.
2965         @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
2966         for accessing ECMAScript internal fields.
2967
2968         This change removes an accidental [[Put]] operation on an object whose [[Prototype]]
2969         has internal fields (not direct properties). By using @getByIdDirectPrivate() and
2970         @putByIdDirectPrivate(), we strictly keep the semantics of ECMAScript internal
2971         fields: accessing the internal fields does not traverse prototype chains.
2972
2973         * builtins/ArrayIteratorPrototype.js:
2974         (globalPrivate.arrayIteratorValueNext):
2975         (globalPrivate.arrayIteratorKeyNext):
2976         (globalPrivate.arrayIteratorKeyValueNext):
2977         * builtins/ArrayPrototype.js:
2978         (globalPrivate.createArrayIterator):
2979         * builtins/AsyncFromSyncIteratorPrototype.js:
2980         (globalPrivate.AsyncFromSyncIteratorConstructor):
2981         * builtins/AsyncFunctionPrototype.js:
2982         (globalPrivate.asyncFunctionResume):
2983         * builtins/AsyncGeneratorPrototype.js:
2984         (globalPrivate.asyncGeneratorQueueEnqueue):
2985         (globalPrivate.asyncGeneratorQueueDequeue):
2986         (asyncGeneratorYieldAwaited):
2987         (globalPrivate.asyncGeneratorYield):
2988         (globalPrivate.doAsyncGeneratorBodyCall):
2989         (globalPrivate.asyncGeneratorResumeNext):
2990         * builtins/GeneratorPrototype.js:
2991         (globalPrivate.generatorResume):
2992         * builtins/MapIteratorPrototype.js:
2993         (globalPrivate.mapIteratorNext):
2994         * builtins/MapPrototype.js:
2995         (globalPrivate.createMapIterator):
2996         * builtins/ModuleLoaderPrototype.js:
2997         (forceFulfillPromise):
2998         * builtins/PromiseOperations.js:
2999         (globalPrivate.newHandledRejectedPromise):
3000         (globalPrivate.rejectPromise):
3001         (globalPrivate.fulfillPromise):
3002         (globalPrivate.initializePromise):
3003         * builtins/PromisePrototype.js:
3004         (then):
3005         * builtins/SetIteratorPrototype.js:
3006         (globalPrivate.setIteratorNext):
3007         * builtins/SetPrototype.js:
3008         (globalPrivate.createSetIterator):
3009         * builtins/StringIteratorPrototype.js:
3010         (next):
3011         * bytecode/BytecodeIntrinsicRegistry.h:
3012         * bytecompiler/NodesCodegen.cpp:
3013         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
3014         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
3015
3016 2018-04-09  Mark Lam  <mark.lam@apple.com>
3017
3018         Decorate method table entries to support pointer profiling.
3019         https://bugs.webkit.org/show_bug.cgi?id=184430
3020         <rdar://problem/39296190>
3021
3022         Reviewed by Saam Barati.
3023
3024         * runtime/ClassInfo.h:
3025
3026 2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>
3027
3028         [WPE] Don't install JSC C API headers
3029         https://bugs.webkit.org/show_bug.cgi?id=184375
3030
3031         Reviewed by Žan Doberšek.
3032
3033         None of the functions declared in these headers are exported in WPE. Use the new jsc API
3034         instead.
3035
3036         * PlatformWPE.cmake:
3037
3038 2018-04-08  Mark Lam  <mark.lam@apple.com>
3039
3040         Add pointer profiling to the FTL and supporting code.
3041         https://bugs.webkit.org/show_bug.cgi?id=184395
3042         <rdar://problem/39264019>
3043
3044         Reviewed by Michael Saboff and Filip Pizlo.
3045
3046         * assembler/CodeLocation.h:
3047         (JSC::CodeLocationLabel::retagged):
3048         (JSC::CodeLocationJump::retagged):
3049         * assembler/LinkBuffer.h:
3050         (JSC::LinkBuffer::locationOf):
3051         * dfg/DFGJITCompiler.cpp:
3052         (JSC::DFG::JITCompiler::linkOSRExits):
3053         (JSC::DFG::JITCompiler::link):
3054         * ftl/FTLCompile.cpp:
3055         (JSC::FTL::compile):
3056         * ftl/FTLExceptionTarget.cpp:
3057         (JSC::FTL::ExceptionTarget::label):
3058         (JSC::FTL::ExceptionTarget::jumps):
3059         * ftl/FTLExceptionTarget.h:
3060         * ftl/FTLJITCode.cpp:
3061         (JSC::FTL::JITCode::executableAddressAtOffset):
3062         * ftl/FTLLazySlowPath.cpp:
3063         (JSC::FTL::LazySlowPath::~LazySlowPath):
3064         (JSC::FTL::LazySlowPath::initialize):
3065         (JSC::FTL::LazySlowPath::generate):
3066         (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
3067         * ftl/FTLLazySlowPath.h:
3068         * ftl/FTLLink.cpp:
3069         (JSC::FTL::link):
3070         * ftl/FTLLowerDFGToB3.cpp:
3071         (JSC::FTL::DFG::LowerDFGToB3::lower):
3072         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3073         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3074         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3075         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3076         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3077         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3078         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3079         * ftl/FTLOSRExitCompiler.cpp:
3080         (JSC::FTL::compileStub):
3081         (JSC::FTL::compileFTLOSRExit):
3082         * ftl/FTLOSRExitHandle.cpp:
3083         (JSC::FTL::OSRExitHandle::emitExitThunk):
3084         * ftl/FTLOperations.cpp:
3085         (JSC::FTL::compileFTLLazySlowPath):
3086         * ftl/FTLOutput.h:
3087         (JSC::FTL::Output::callWithoutSideEffects):
3088         (JSC::FTL::Output::operation):
3089         * ftl/FTLPatchpointExceptionHandle.cpp:
3090         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3091         * ftl/FTLSlowPathCall.cpp:
3092         (JSC::FTL::SlowPathCallContext::makeCall):
3093         * ftl/FTLSlowPathCallKey.h:
3094         (JSC::FTL::SlowPathCallKey::withCallTarget):
3095         (JSC::FTL::SlowPathCallKey::callPtrTag const):
3096         * ftl/FTLThunks.cpp:
3097         (JSC::FTL::genericGenerationThunkGenerator):
3098         (JSC::FTL::osrExitGenerationThunkGenerator):
3099         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3100         (JSC::FTL::slowPathCallThunkGenerator):
3101         * jit/JITMathIC.h:
3102         (JSC::isProfileEmpty):
3103         * jit/Repatch.cpp:
3104         (JSC::readPutICCallTarget):
3105         (JSC::ftlThunkAwareRepatchCall):
3106         (JSC::tryCacheGetByID):
3107         (JSC::repatchGetByID):
3108         (JSC::tryCachePutByID):
3109         (JSC::repatchPutByID):
3110         (JSC::repatchIn):
3111         (JSC::resetGetByID):
3112         (JSC::resetPutByID):
3113         (JSC::readCallTarget): Deleted.
3114         * jit/Repatch.h:
3115         * runtime/PtrTag.h:
3116
3117 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3118
3119         Unreviewed, attempt to fix Windows build
3120         https://bugs.webkit.org/show_bug.cgi?id=183508
3121
3122         * jit/JIT.h:
3123
3124 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3125
3126         Unreviewed, build fix for Windows by suppressing padding warning for JIT
3127         https://bugs.webkit.org/show_bug.cgi?id=183508
3128
3129         * jit/JIT.h:
3130
3131 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3132
3133         Use alignas instead of compiler-specific attributes
3134         https://bugs.webkit.org/show_bug.cgi?id=183508
3135
3136         Reviewed by Mark Lam.
3137
3138         Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
3139
3140         * heap/RegisterState.h:
3141         * jit/JIT.h:
3142         (JSC::JIT::compile): Deleted.
3143         (JSC::JIT::compileGetByVal): Deleted.
3144         (JSC::JIT::compileGetByValWithCachedId): Deleted.
3145         (JSC::JIT::compilePutByVal): Deleted.
3146         (JSC::JIT::compileDirectPutByVal): Deleted.
3147         (JSC::JIT::compilePutByValWithCachedId): Deleted.
3148         (JSC::JIT::compileHasIndexedProperty): Deleted.
3149         (JSC::JIT::appendCall): Deleted.
3150         (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
3151         (JSC::JIT::exceptionCheck): Deleted.
3152         (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
3153         (JSC::JIT::emitInt32Load): Deleted.
3154         (JSC::JIT::emitInt32GetByVal): Deleted.
3155         (JSC::JIT::emitInt32PutByVal): Deleted.
3156         (JSC::JIT::emitDoublePutByVal): Deleted.
3157         (JSC::JIT::emitContiguousPutByVal): Deleted.
3158         (JSC::JIT::emitStoreCell): Deleted.
3159         (JSC::JIT::getSlowCase): Deleted.
3160         (JSC::JIT::linkSlowCase): Deleted.
3161         (JSC::JIT::linkDummySlowCase): Deleted.
3162         (JSC::JIT::linkAllSlowCases): Deleted.
3163         (JSC::JIT::callOperation): Deleted.
3164         (JSC::JIT::callOperationWithProfile): Deleted.
3165         (JSC::JIT::callOperationWithResult): Deleted.
3166         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
3167         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
3168         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
3169         (JSC::JIT::sampleCodeBlock): Deleted.
3170         (JSC::JIT::canBeOptimized): Deleted.
3171         (JSC::JIT::canBeOptimizedOrInlined): Deleted.
3172         (JSC::JIT::shouldEmitProfiling): Deleted.
3173         * runtime/VM.h:
3174
3175 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3176
3177         Unreviewed, follow-up patch for DFG 32bit
3178         https://bugs.webkit.org/show_bug.cgi?id=183970
3179
3180         * dfg/DFGSpeculativeJIT32_64.cpp:
3181         (JSC::DFG::SpeculativeJIT::cachedGetById):
3182
3183 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3184
3185         [JSC] Fix incorrect assertion for VM's regexp buffer lock
3186         https://bugs.webkit.org/show_bug.cgi?id=184398
3187
3188         Reviewed by Mark Lam.
3189
3190         The isLocked check before taking a lock is incorrect.
3191
3192         * runtime/VM.cpp:
3193         (JSC::VM::acquireRegExpPatternContexBuffer):
3194
3195 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3196
3197         [JSC] Introduce op_get_by_id_direct
3198         https://bugs.webkit.org/show_bug.cgi?id=183970
3199
3200         Reviewed by Filip Pizlo.
3201
3202         This patch introduces the op_get_by_id_direct bytecode. This is super similar to op_get_by_id,
3203         but it just performs the [[GetOwnProperty]] operation instead of [[Get]]. We support this
3204         in all the tiers, so using this opcode does not lead to inefficiency.
3205
3206         The main purpose of op_get_by_id_direct is to use it for private properties. We are using
3207         properties indexed with private symbols to implement ECMAScript internal fields. Before this
3208         patch, we just used get and put operations. However, that is not the correct semantics: accessing
3209         the internal fields should not traverse the prototype chain, as specified in the spec.
3210         We use op_get_by_id_direct to access properties which are used as internal fields, so that
3211         prototype chains are not traversed.
3212
3213         To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
3214         When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
3215         bytecode `op_get_by_id_direct, object, @name`.
3216
3217         * builtins/ArrayIteratorPrototype.js:
3218         (next):
3219         (globalPrivate.arrayIteratorValueNext):
3220         (globalPrivate.arrayIteratorKeyNext):
3221         (globalPrivate.arrayIteratorKeyValueNext):
3222         * builtins/AsyncFromSyncIteratorPrototype.js:
3223         * builtins/AsyncFunctionPrototype.js:
3224         (globalPrivate.asyncFunctionResume):
3225         * builtins/AsyncGeneratorPrototype.js:
3226         (globalPrivate.asyncGeneratorQueueIsEmpty):
3227         (globalPrivate.asyncGeneratorQueueEnqueue):
3228         (globalPrivate.asyncGeneratorQueueDequeue):
3229         (globalPrivate.asyncGeneratorDequeue):
3230         (globalPrivate.isExecutionState):
3231         (globalPrivate.isSuspendYieldState):
3232         (globalPrivate.asyncGeneratorReject):
3233         (globalPrivate.asyncGeneratorResolve):
3234         (globalPrivate.doAsyncGeneratorBodyCall):
3235         (globalPrivate.asyncGeneratorEnqueue):
3236         * builtins/GeneratorPrototype.js:
3237         (globalPrivate.generatorResume):
3238         (next):
3239         (return):
3240         (throw):
3241         * builtins/MapIteratorPrototype.js:
3242         (next):
3243         * builtins/PromiseOperations.js:
3244         (globalPrivate.isPromise):
3245         (globalPrivate.rejectPromise):
3246         (globalPrivate.fulfillPromise):
3247         * builtins/PromisePrototype.js:
3248         (then):
3249         * builtins/SetIteratorPrototype.js:
3250         (next):
3251         * builtins/StringIteratorPrototype.js:
3252         (next):
3253         * builtins/TypedArrayConstructor.js:
3254         (of):
3255         (from):
3256         * bytecode/BytecodeDumper.cpp:
3257         (JSC::BytecodeDumper<Block>::dumpBytecode):
3258         * bytecode/BytecodeIntrinsicRegistry.h:
3259         * bytecode/BytecodeList.json:
3260         * bytecode/BytecodeUseDef.h:
3261         (JSC::computeUsesForBytecodeOffset):
3262         (JSC::computeDefsForBytecodeOffset):
3263         * bytecode/CodeBlock.cpp:
3264         (JSC::CodeBlock::finishCreation):
3265         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3266         * bytecode/GetByIdStatus.cpp:
3267         (JSC::GetByIdStatus::computeFromLLInt):
3268         (JSC::GetByIdStatus::computeFor):
3269         * bytecode/StructureStubInfo.cpp:
3270         (JSC::StructureStubInfo::reset):
3271         * bytecode/StructureStubInfo.h:
3272         (JSC::appropriateOptimizingGetByIdFunction):
3273         (JSC::appropriateGenericGetByIdFunction):
3274         * bytecompiler/BytecodeGenerator.cpp:
3275         (JSC::BytecodeGenerator::emitDirectGetById):
3276         * bytecompiler/BytecodeGenerator.h:
3277         * bytecompiler/NodesCodegen.cpp:
3278         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
3279         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
3280         * dfg/DFGAbstractInterpreterInlines.h:
3281         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3282         * dfg/DFGByteCodeParser.cpp:
3283         (JSC::DFG::ByteCodeParser::handleGetById):
3284         (JSC::DFG::ByteCodeParser::parseBlock):
3285         * dfg/DFGCapabilities.cpp:
3286         (JSC::DFG::capabilityLevel):
3287         * dfg/DFGClobberize.h:
3288         (JSC::DFG::clobberize):
3289         * dfg/DFGConstantFoldingPhase.cpp:
3290         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3291         * dfg/DFGDoesGC.cpp:
3292         (JSC::DFG::doesGC):
3293         * dfg/DFGFixupPhase.cpp:
3294         (JSC::DFG::FixupPhase::fixupNode):
3295         * dfg/DFGNode.h:
3296         (JSC::DFG::Node::convertToGetByOffset):
3297         (JSC::DFG::Node::convertToMultiGetByOffset):
3298         (JSC::DFG::Node::hasIdentifier):
3299         (JSC::DFG::Node::hasHeapPrediction):
3300         * dfg/DFGNodeType.h:
3301         * dfg/DFGOperations.cpp:
3302         * dfg/DFGOperations.h:
3303         * dfg/DFGPredictionPropagationPhase.cpp:
3304         * dfg/DFGSafeToExecute.h:
3305         (JSC::DFG::safeToExecute):
3306         * dfg/DFGSpeculativeJIT.cpp:
3307         (JSC::DFG::SpeculativeJIT::compileGetById):
3308         (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
3309         (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
3310         * dfg/DFGSpeculativeJIT.h:
3311         * dfg/DFGSpeculativeJIT32_64.cpp:
3312         (JSC::DFG::SpeculativeJIT::cachedGetById):
3313         (JSC::DFG::SpeculativeJIT::compile):
3314         * dfg/DFGSpeculativeJIT64.cpp:
3315         (JSC::DFG::SpeculativeJIT::cachedGetById):
3316         (JSC::DFG::SpeculativeJIT::compile):
3317         * ftl/FTLCapabilities.cpp:
3318         (JSC::FTL::canCompile):
3319         * ftl/FTLLowerDFGToB3.cpp:
3320         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3321         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
3322         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
3323         (JSC::FTL::DFG::LowerDFGToB3::getById):
3324         * jit/JIT.cpp:
3325         (JSC::JIT::privateCompileMainPass):
3326         (JSC::JIT::privateCompileSlowCases):
3327         * jit/JIT.h:
3328         * jit/JITOperations.cpp:
3329         * jit/JITOperations.h:
3330         * jit/JITPropertyAccess.cpp:
3331         (JSC::JIT::emit_op_get_by_id_direct):
3332         (JSC::JIT::emitSlow_op_get_by_id_direct):
3333         * jit/JITPropertyAccess32_64.cpp:
3334         (JSC::JIT::emit_op_get_by_id_direct):
3335         (JSC::JIT::emitSlow_op_get_by_id_direct):
3336         * jit/Repatch.cpp:
3337         (JSC::appropriateOptimizingGetByIdFunction):
3338         (JSC::appropriateGetByIdFunction):
3339         (JSC::tryCacheGetByID):
3340         (JSC::repatchGetByID):
3341         (JSC::appropriateGenericGetByIdFunction): Deleted.
3342         * jit/Repatch.h:
3343         * llint/LLIntSlowPaths.cpp:
3344         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3345         * llint/LLIntSlowPaths.h:
3346         * llint/LowLevelInterpreter32_64.asm:
3347         * llint/LowLevelInterpreter64.asm:
3348         * runtime/JSCJSValue.h:
3349         * runtime/JSCJSValueInlines.h:
3350         (JSC::JSValue::getOwnPropertySlot const):
3351         * runtime/JSObject.h:
3352         * runtime/JSObjectInlines.h:
3353         (JSC::JSObject::getOwnPropertySlotInline):
3354
3355 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3356
3357         [JSC] Remove several asXXX functions
3358         https://bugs.webkit.org/show_bug.cgi?id=184355
3359
3360         Reviewed by JF Bastien.
3361
3362         Remove asActivation, asInternalFunction, and asGetterSetter.
3363         Use jsCast<> / jsDynamicCast<> consistently.
3364
3365         * runtime/ArrayConstructor.cpp:
3366         (JSC::constructArrayWithSizeQuirk):
3367         * runtime/AsyncFunctionConstructor.cpp:
3368         (JSC::callAsyncFunctionConstructor):
3369         (JSC::constructAsyncFunctionConstructor):
3370         * runtime/AsyncGeneratorFunctionConstructor.cpp:
3371         (JSC::callAsyncGeneratorFunctionConstructor):
3372         (JSC::constructAsyncGeneratorFunctionConstructor):
3373         * runtime/BooleanConstructor.cpp:
3374         (JSC::constructWithBooleanConstructor):
3375         * runtime/DateConstructor.cpp:
3376         (JSC::constructWithDateConstructor):
3377         * runtime/ErrorConstructor.cpp:
3378         (JSC::Interpreter::constructWithErrorConstructor):
3379         (JSC::Interpreter::callErrorConstructor):
3380         * runtime/FunctionConstructor.cpp:
3381         (JSC::constructWithFunctionConstructor):
3382         (JSC::callFunctionConstructor):
3383         * runtime/FunctionPrototype.cpp:
3384         (JSC::functionProtoFuncToString):
3385         * runtime/GeneratorFunctionConstructor.cpp:
3386         (JSC::callGeneratorFunctionConstructor):
3387         (JSC::constructGeneratorFunctionConstructor):
3388         * runtime/GetterSetter.h:
3389         (JSC::asGetterSetter): Deleted.
3390         * runtime/InternalFunction.h:
3391         (JSC::asInternalFunction): Deleted.
3392         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3393         (JSC::constructGenericTypedArrayView):
3394         * runtime/JSLexicalEnvironment.h:
3395         (JSC::asActivation): Deleted.
3396         * runtime/JSObject.cpp:
3397         (JSC::validateAndApplyPropertyDescriptor):