isCacheableArrayLength should return true for undecided arrays
Source/JavaScriptCore/ChangeLog (WebKit)
1 2018-05-04  Keith Miller  <keith_miller@apple.com>
2
3         isCacheableArrayLength should return true for undecided arrays
4         https://bugs.webkit.org/show_bug.cgi?id=185309
5
6         Reviewed by Michael Saboff.
7
8         Undecided arrays have butterflies so there is no reason why we
9         should not be able to cache their length.
10
11         * bytecode/InlineAccess.cpp:
12         (JSC::InlineAccess::isCacheableArrayLength):
13
14 2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
15
16         Remove std::random_shuffle
17         https://bugs.webkit.org/show_bug.cgi?id=185292
18
19         Reviewed by Darin Adler.
20
21         std::random_shuffle is deprecated in C++14 and removed in C++17,
22         since std::random_shuffle relies on rand and srand.
23         Use std::shuffle instead.
24
25         * jit/BinarySwitch.cpp:
26         (JSC::RandomNumberGenerator::RandomNumberGenerator):
27         (JSC::RandomNumberGenerator::operator()):
28         (JSC::RandomNumberGenerator::min):
29         (JSC::RandomNumberGenerator::max):
30         (JSC::BinarySwitch::build):
31
32 2018-05-03  Saam Barati  <sbarati@apple.com>
33
34         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
35         https://bugs.webkit.org/show_bug.cgi?id=185177
36
37         Reviewed by Filip Pizlo.
38
39         This patch teaches the DFG/FTL how to constant fold CreateThis with
40         a known poly proto Structure to NewObject. We do it by emitting a NewObject
41         followed by a PutByOffset for the prototype value.
42         
43         We make it so that ObjectAllocationProfile holds the prototype value.
44         This is sound because JSFunction clears that profile when its 'prototype'
45         field changes.
46         
47         This patch also renames underscoreProtoPrivateName to polyProtoName since
48         that name was nonsensical: it was only used for poly proto.
49         
50         This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
51         regressed that benchmark when I first introduced poly proto.
52
53         * builtins/BuiltinNames.cpp:
54         * builtins/BuiltinNames.h:
55         (JSC::BuiltinNames::BuiltinNames):
56         (JSC::BuiltinNames::polyProtoName const):
57         (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
58         * bytecode/ObjectAllocationProfile.h:
59         (JSC::ObjectAllocationProfile::prototype):
60         (JSC::ObjectAllocationProfile::clear):
61         (JSC::ObjectAllocationProfile::visitAggregate):
62         * bytecode/ObjectAllocationProfileInlines.h:
63         (JSC::ObjectAllocationProfile::initializeProfile):
64         * dfg/DFGAbstractInterpreterInlines.h:
65         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
66         * dfg/DFGByteCodeParser.cpp:
67         (JSC::DFG::ByteCodeParser::parseBlock):
68         * dfg/DFGConstantFoldingPhase.cpp:
69         (JSC::DFG::ConstantFoldingPhase::foldConstants):
70         * dfg/DFGOperations.cpp:
71         * runtime/CommonSlowPaths.cpp:
72         (JSC::SLOW_PATH_DECL):
73         * runtime/FunctionRareData.h:
74         * runtime/Structure.cpp:
75         (JSC::Structure::create):
76
77 2018-05-03  Michael Saboff  <msaboff@apple.com>
78
79         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
80         https://bugs.webkit.org/show_bug.cgi?id=185281
81
82         Reviewed by Saam Barati.
83
84         When we compute bytecode block reachability, we need to take into account blocks
85         containing try/catch.
86
87         * jit/JIT.cpp:
88         (JSC::JIT::privateCompileMainPass):
89
90 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
91
92         ARM: Wrong offset for operand rt in disassembler
93         https://bugs.webkit.org/show_bug.cgi?id=184083
94
95         Reviewed by Yusuke Suzuki.
96
97         * disassembler/ARMv7/ARMv7DOpcode.h:
98         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
99         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
100
101 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
102
103         ARM: Support vstr in disassembler
104         https://bugs.webkit.org/show_bug.cgi?id=184084
105
106         Reviewed by Yusuke Suzuki.
107
108         * disassembler/ARMv7/ARMv7DOpcode.cpp:
109         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
110         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
111         * disassembler/ARMv7/ARMv7DOpcode.h:
112         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
113         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
114         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
115         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
116         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
117         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
118         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
119
120 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
121
122         Invoke ensureArrayStorage for all arguments
123         https://bugs.webkit.org/show_bug.cgi?id=185247
124
125         Reviewed by Yusuke Suzuki.
126
127         ensureArrayStorage was only invoked for first argument in each loop iteration.
128
129         * jsc.cpp:
130         (functionEnsureArrayStorage):
131
132 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
133
134         Make it easy to log compile times for all optimizing tiers
135         https://bugs.webkit.org/show_bug.cgi?id=185270
136
137         Reviewed by Keith Miller.
138         
139         This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
140         helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
141         it.
142         
143         This should help us reduce compile times by telling us where to look. So, far, it looks like
144         CFA is the worst.
145
146         * JavaScriptCore.xcodeproj/project.pbxproj:
147         * Sources.txt:
148         * b3/B3Common.cpp:
149         (JSC::B3::shouldMeasurePhaseTiming): Deleted.
150         * b3/B3Common.h:
151         * b3/B3TimingScope.cpp: Removed.
152         * b3/B3TimingScope.h:
153         (JSC::B3::TimingScope::TimingScope):
154         * dfg/DFGPhase.h:
155         (JSC::DFG::runAndLog):
156         * dfg/DFGPlan.cpp:
157         (JSC::DFG::Plan::compileInThread):
158         * tools/CompilerTimingScope.cpp: Added.
159         (JSC::CompilerTimingScope::CompilerTimingScope):
160         (JSC::CompilerTimingScope::~CompilerTimingScope):
161         * tools/CompilerTimingScope.h: Added.
162         * runtime/Options.cpp:
163         (JSC::recomputeDependentOptions):
164         * runtime/Options.h:
165
166 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
167
168         Strings should not be allocated in a gigacage
169         https://bugs.webkit.org/show_bug.cgi?id=185218
170
171         Reviewed by Saam Barati.
172
173         * runtime/JSBigInt.cpp:
174         (JSC::JSBigInt::toStringGeneric):
175         * runtime/JSString.cpp:
176         (JSC::JSRopeString::resolveRopeToAtomicString const):
177         (JSC::JSRopeString::resolveRope const):
178         * runtime/JSString.h:
179         (JSC::JSString::create):
180         (JSC::JSString::createHasOtherOwner):
181         * runtime/VM.h:
182         (JSC::VM::gigacageAuxiliarySpace):
183
184 2018-05-03  Keith Miller  <keith_miller@apple.com>
185
186         Unreviewed, fix 32-bit profile offset for change in bytecode
187         length of the get_by_id and get_array_length opcodes.
188
189         * llint/LowLevelInterpreter32_64.asm:
190
191 2018-05-03  Michael Saboff  <msaboff@apple.com>
192
193         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
194         https://bugs.webkit.org/show_bug.cgi?id=185231
195
196         Reviewed by Saam Barati.
197
198         We weren't clearing the scratch register cache when switching back and forth between 
199         allowing scratch register usage.  We disallow scratch register usage when we are in
200         code that will freely allocate and use any register.  Such usage can change the
201         contents of scratch registers.  For ARM64, where we cache the contents of scratch
202         registers to reuse some or all of the contained values, we need to invalidate these
203         caches.  We do this when re-enabling scratch register usage, that is when we transition
204         from disallow to allow scratch register usage.
205
206         Added a new Air regression test.
207
208         * assembler/AllowMacroScratchRegisterUsage.h:
209         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
210         * assembler/AllowMacroScratchRegisterUsageIf.h:
211         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
212         * assembler/DisallowMacroScratchRegisterUsage.h:
213         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
214         * b3/air/testair.cpp:
215
216 2018-05-03  Keith Miller  <keith_miller@apple.com>
217
218         Remove the prototype caching for get_by_id in the LLInt
219         https://bugs.webkit.org/show_bug.cgi?id=185226
220
221         Reviewed by Michael Saboff.
222
223         There is no evidence that this is actually a speedup and we keep
224         getting bugs with it. At this point it seems like we should just
225         remove this code.
226
227         * CMakeLists.txt:
228         * JavaScriptCore.xcodeproj/project.pbxproj:
229         * Sources.txt:
230         * bytecode/BytecodeDumper.cpp:
231         (JSC::BytecodeDumper<Block>::printGetByIdOp):
232         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
233         (JSC::BytecodeDumper<Block>::dumpBytecode):
234         * bytecode/BytecodeList.json:
235         * bytecode/BytecodeUseDef.h:
236         (JSC::computeUsesForBytecodeOffset):
237         (JSC::computeDefsForBytecodeOffset):
238         * bytecode/CodeBlock.cpp:
239         (JSC::CodeBlock::finalizeLLIntInlineCaches):
240         * bytecode/CodeBlock.h:
241         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
242         * bytecode/GetByIdStatus.cpp:
243         (JSC::GetByIdStatus::computeFromLLInt):
244         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
245         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
246         * bytecompiler/BytecodeGenerator.cpp:
247         (JSC::BytecodeGenerator::emitGetById):
248         * dfg/DFGByteCodeParser.cpp:
249         (JSC::DFG::ByteCodeParser::parseBlock):
250         * dfg/DFGCapabilities.cpp:
251         (JSC::DFG::capabilityLevel):
252         * jit/JIT.cpp:
253         (JSC::JIT::privateCompileMainPass):
254         (JSC::JIT::privateCompileSlowCases):
255         * llint/LLIntSlowPaths.cpp:
256         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
257         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
258         * llint/LowLevelInterpreter32_64.asm:
259         * llint/LowLevelInterpreter64.asm:
260         * runtime/Options.h:
261
262 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
263
264         Unreviewed, rolling out r231197.
265
266         The test added with this change crashes on the 32-bit JSC bot.
267
268         Reverted changeset:
269
270         "Correctly detect string overflow when using the 'Function'
271         constructor"
272         https://bugs.webkit.org/show_bug.cgi?id=184883
273         https://trac.webkit.org/changeset/231197
274
275 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
276
277         Disable usage of fused multiply-add instructions for JSC with compiler flag
278         https://bugs.webkit.org/show_bug.cgi?id=184909
279
280         Reviewed by Yusuke Suzuki.
281
282         Adds -ffp-contract as compiler flag for building JSC. This ensures that functions
283         like parseInt() do not return slightly different results depending on whether the
284         compiler was able to use fused multiply-add instructions or not.
285
286         * CMakeLists.txt:
287
288 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
289
290         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
291         https://bugs.webkit.org/show_bug.cgi?id=185192
292
293         compareDouble relies on MacroAssembler::invert function.
294
295         * assembler/MacroAssembler.h:
296         (JSC::MacroAssembler::compareDouble):
297         * assembler/MacroAssemblerARM.h:
298         (JSC::MacroAssemblerARM::compareDouble): Deleted.
299         * assembler/MacroAssemblerARMv7.h:
300         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
301         * assembler/MacroAssemblerMIPS.h:
302         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
303
304 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
305
306         [JSC] Add MacroAssembler::and16 and store16
307         https://bugs.webkit.org/show_bug.cgi?id=185188
308
309         Reviewed by Mark Lam.
310
311         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
312         This patch adds these methods for ARM.
313
314         * assembler/MacroAssemblerARM.h:
315         (JSC::MacroAssemblerARM::and16):
316         (JSC::MacroAssemblerARM::store16):
317
318 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
319
320         [DFG] Unify compare related code in 32bit and 64bit
321         https://bugs.webkit.org/show_bug.cgi?id=185189
322
323         Reviewed by Mark Lam.
324
325         This patch unifies some part of compare related code in 32bit and 64bit
326         to reduce the size of 32bit specific DFG code.
327
328         * dfg/DFGSpeculativeJIT.cpp:
329         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
330         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
331         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
332         * dfg/DFGSpeculativeJIT32_64.cpp:
333         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
334         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
335         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
336         * dfg/DFGSpeculativeJIT64.cpp:
337         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
338         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
339         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
340
341 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
342
343         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
344         https://bugs.webkit.org/show_bug.cgi?id=185192
345
346         Reviewed by Mark Lam.
347
348         Now Object.is starts using compareDouble. So we would like to have
349         efficient implementation for compareDouble and compareFloat for
350         major architectures, ARM64, X86, and X86_64.
351
352         This patch adds compareDouble and compareFloat implementations for
353         these architectures. And generic implementation is moved to each
354         architecture's MacroAssembler implementation.
355
356         We also add tests for them in testmasm. To implement this test
357         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
358         major architectures.
359
360         * assembler/MacroAssembler.h:
361         (JSC::MacroAssembler::compareDouble): Deleted.
362         (JSC::MacroAssembler::compareFloat): Deleted.
363         * assembler/MacroAssemblerARM.h:
364         (JSC::MacroAssemblerARM::compareDouble):
365         * assembler/MacroAssemblerARM64.h:
366         (JSC::MacroAssemblerARM64::compareDouble):
367         (JSC::MacroAssemblerARM64::compareFloat):
368         (JSC::MacroAssemblerARM64::loadFloat):
369         (JSC::MacroAssemblerARM64::floatingPointCompare):
370         * assembler/MacroAssemblerARMv7.h:
371         (JSC::MacroAssemblerARMv7::compareDouble):
372         * assembler/MacroAssemblerMIPS.h:
373         (JSC::MacroAssemblerMIPS::compareDouble):
374         * assembler/MacroAssemblerX86Common.h:
375         (JSC::MacroAssemblerX86Common::loadFloat):
376         (JSC::MacroAssemblerX86Common::compareDouble):
377         (JSC::MacroAssemblerX86Common::compareFloat):
378         (JSC::MacroAssemblerX86Common::floatingPointCompare):
379         * assembler/X86Assembler.h:
380         (JSC::X86Assembler::movss_mr):
381         (JSC::X86Assembler::movss_rm):
382         * assembler/testmasm.cpp:
383         (JSC::floatOperands):
384         (JSC::testCompareFloat):
385         (JSC::run):
386
387 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
388
389         Unreviewed, fix 32bit DFG code
390         https://bugs.webkit.org/show_bug.cgi?id=185065
391
392         * dfg/DFGSpeculativeJIT.cpp:
393         (JSC::DFG::SpeculativeJIT::compileSameValue):
394
395 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
396
397         JSC should know how to cache custom getter accesses on the prototype chain
398         https://bugs.webkit.org/show_bug.cgi?id=185213
399
400         Reviewed by Keith Miller.
401
402         This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
403
404         * jit/Repatch.cpp:
405         (JSC::tryCacheGetByID):
406
407 2018-05-01  Filip Pizlo  <fpizlo@apple.com>
408
409         JSC should be able to cache custom setter calls on the prototype chain
410         https://bugs.webkit.org/show_bug.cgi?id=185174
411
412         Reviewed by Saam Barati.
413
414         We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
415         condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
416         impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
417         of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
418         custom accessors because it won't find the custom property in the structure.
419
420         The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
421
422         This is a 4x speed-up on assign-custom-setter.js.
423
424         * bytecode/AccessCase.cpp:
425         (JSC::AccessCase::hasAlternateBase const):
426         (JSC::AccessCase::alternateBase const):
427         (JSC::AccessCase::generateImpl):
428         * bytecode/AccessCase.h:
429         (JSC::AccessCase::alternateBase const): Deleted.
430         * bytecode/GetterSetterAccessCase.cpp:
431         (JSC::GetterSetterAccessCase::hasAlternateBase const):
432         (JSC::GetterSetterAccessCase::alternateBase const):
433         * bytecode/GetterSetterAccessCase.h:
434         * bytecode/ObjectPropertyConditionSet.cpp:
435         (JSC::generateConditionsForPrototypePropertyHitCustom):
436         * bytecode/ObjectPropertyConditionSet.h:
437         * jit/Repatch.cpp:
438         (JSC::tryCacheGetByID):
439         (JSC::tryCachePutByID):
440
441 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
442
443         [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
444         https://bugs.webkit.org/show_bug.cgi?id=185195
445
446         Reviewed by Mark Lam.
447
448         This implements the given function for MIPS, such that it builds again.
449
450         * assembler/MacroAssemblerMIPS.h:
451         (JSC::MacroAssemblerMIPS::and16):
452         (JSC::MacroAssemblerMIPS::store16):
453
454 2018-05-02  Rick Waldron  <waldron.rick@gmail.com>
455
456         Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
457         https://bugs.webkit.org/show_bug.cgi?id=185043
458
459         Reviewed by Filip Pizlo.
460
461         * jsc.cpp:
462         (GlobalObject::finishCreation):
463         (functionDollarAgentMonotonicNow):
464
465 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
466
467         [ARM] Implement and16 and store16 for MacroAssemblerARMv7
468         https://bugs.webkit.org/show_bug.cgi?id=185196
469
470         Reviewed by Mark Lam.
471
472         This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.
473
474         * assembler/MacroAssemblerARMv7.h:
475         (JSC::MacroAssemblerARMv7::and16):
476         (JSC::MacroAssemblerARMv7::store16):
477
478 2018-05-02  Robin Morisset  <rmorisset@apple.com>
479
480         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
481         https://bugs.webkit.org/show_bug.cgi?id=183172
482
483         Reviewed by Filip Pizlo.
484
485         DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
486         but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.
487
488         I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
489         Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
490         a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.
491
492         * dfg/DFGArgumentsEliminationPhase.cpp:
493         * dfg/DFGArgumentsUtilities.cpp:
494         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
495
496 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
497
498         Unreviewed, stackPointer signature is different from declaration
499         https://bugs.webkit.org/show_bug.cgi?id=184790
500
501         * runtime/MachineContext.h:
502         (JSC::MachineContext::stackPointer):
503
504 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
505
506         [JSC] Add SameValue DFG node
507         https://bugs.webkit.org/show_bug.cgi?id=185065
508
509         Reviewed by Saam Barati.
510
511         This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
512         And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
513         if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
514         from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
515         implementations for these SameValue nodes.
516
517         This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler"
518         has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
519         was broken. This patch fixes issues and move compareDouble to MacroAssemblerX86Common, and remove a
520         generalized compareDouble for x86 arch to use this specialized efficient version instead. The fixes are
521         correctly using set32 to zero-extending the result, and setting the initial value of `dest` register
522         correctly for DoubleEqual and DoubleNotEqualOrUnordered cases.
523
524         Added microbenchmark shows performance improvement.
525
526             object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster
527
528         * assembler/MacroAssembler.h:
529         * assembler/MacroAssemblerX86Common.h:
530         (JSC::MacroAssemblerX86Common::compareDouble):
531         * assembler/MacroAssemblerX86_64.h:
532         (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
533         * assembler/testmasm.cpp:
534         (JSC::doubleOperands):
535         (JSC::testCompareDouble):
536         (JSC::run):
537         * dfg/DFGAbstractInterpreterInlines.h:
538         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
539         * dfg/DFGByteCodeParser.cpp:
540         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
541         * dfg/DFGClobberize.h:
542         (JSC::DFG::clobberize):
543         * dfg/DFGConstantFoldingPhase.cpp:
544         (JSC::DFG::ConstantFoldingPhase::foldConstants):
545         * dfg/DFGDoesGC.cpp:
546         (JSC::DFG::doesGC):
547         * dfg/DFGFixupPhase.cpp:
548         (JSC::DFG::FixupPhase::fixupNode):
549         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
550         * dfg/DFGNodeType.h:
551         * dfg/DFGOperations.cpp:
552         * dfg/DFGOperations.h:
553         * dfg/DFGPredictionPropagationPhase.cpp:
554         * dfg/DFGSafeToExecute.h:
555         (JSC::DFG::safeToExecute):
556         * dfg/DFGSpeculativeJIT.cpp:
557         (JSC::DFG::SpeculativeJIT::compileSameValue):
558         * dfg/DFGSpeculativeJIT.h:
559         * dfg/DFGSpeculativeJIT32_64.cpp:
560         (JSC::DFG::SpeculativeJIT::compile):
561         * dfg/DFGSpeculativeJIT64.cpp:
562         (JSC::DFG::SpeculativeJIT::compile):
563         * dfg/DFGValidate.cpp:
564         * ftl/FTLCapabilities.cpp:
565         (JSC::FTL::canCompile):
566         * ftl/FTLLowerDFGToB3.cpp:
567         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
568         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
569         * runtime/Intrinsic.cpp:
570         (JSC::intrinsicName):
571         * runtime/Intrinsic.h:
572         * runtime/ObjectConstructor.cpp:
573
574 2018-04-30  Filip Pizlo  <fpizlo@apple.com>
575
576         B3::demoteValues should be able to handle patchpoint terminals
577         https://bugs.webkit.org/show_bug.cgi?id=185151
578
579         Reviewed by Saam Barati.
580         
581         If we try to demote a patchpoint terminal then prior to this change we would append a Set to
582         the basic block that the patchpoint terminated. That's wrong because then the terminal is no
583         longer the last thing in the block.
584         
585         Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
586         really do that because demotion happens as a prerequisite to other transformations.
587         
588         One solution might have been to make demoteValues insert a basic block whenever it encounters
589         this problem. But that would break clients that do CFG analysis before demoteValues and use
590         the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
591         also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
592         so it's not bad to introduce that requirement.
593         
594         So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
595         terminal as if it had multiple successors. This means that a patchpoint terminal's successors
596         will only have it as their predecessor. Then, demoteValues just prepends the Set to the
597         successors of the patchpoint terminal.
598         
599         This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
600         a unit test in testb3.
601
602         * b3/B3BreakCriticalEdges.cpp:
603         (JSC::B3::breakCriticalEdges):
604         * b3/B3BreakCriticalEdges.h:
605         * b3/B3FixSSA.cpp:
606         (JSC::B3::demoteValues):
607         (JSC::B3::fixSSA):
608         * b3/B3FixSSA.h:
609         * b3/B3Value.cpp:
610         (JSC::B3::Value::foldIdentity const):
611         (JSC::B3::Value::performSubstitution):
612         * b3/B3Value.h:
613         * b3/testb3.cpp:
614         (JSC::B3::testDemotePatchpointTerminal):
615         (JSC::B3::run):
616
617 2018-05-01  Robin Morisset  <rmorisset@apple.com>
618
619         Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
620         https://bugs.webkit.org/show_bug.cgi?id=184772
621         <rdar://problem/39146327>
622
623         Reviewed by Filip Pizlo.
624
625         Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399), where a check was missing.
626         This patch now makes sure that the check correctly detects if there is an integer overflow.
627
628         * runtime/JSArray.cpp:
629         (JSC::JSArray::unshiftCountWithAnyIndexingType):
630
631 2018-05-01  Robin Morisset  <rmorisset@apple.com>
632
633         Correctly detect string overflow when using the 'Function' constructor
634         https://bugs.webkit.org/show_bug.cgi?id=184883
635         <rdar://problem/36320331>
636
637         Reviewed by Filip Pizlo.
638
639         The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
640         Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.
641
642         I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
643         In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
644         I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.
645
646         * runtime/FunctionConstructor.cpp:
647         (JSC::constructFunctionSkippingEvalEnabledCheck):
648         * runtime/JSONObject.cpp:
649         (JSC::Stringifier::appendStringifiedValue):
650
651 2018-05-01  Robin Morisset  <rmorisset@apple.com>
652
653         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
654         https://bugs.webkit.org/show_bug.cgi?id=185162
655
656         Reviewed by Filip Pizlo.
657
658         * runtime/IntlObject.cpp:
659         (JSC::removeUnicodeLocaleExtension):
660
661 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
662
663         Add SetCallee as DFG-Operation
664         https://bugs.webkit.org/show_bug.cgi?id=184582
665
666         Reviewed by Filip Pizlo.
667
668         For recursive tail calls not only the argument count can change but also the
669         callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
670         Also update the callee when optimizing a recursive tail call.
671         Enable recursive tail call optimization also for closures.
672
673         * dfg/DFGAbstractInterpreterInlines.h:
674         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
675         * dfg/DFGByteCodeParser.cpp:
676         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
677         (JSC::DFG::ByteCodeParser::handleCallVariant):
678         * dfg/DFGClobberize.h:
679         (JSC::DFG::clobberize):
680         * dfg/DFGDoesGC.cpp:
681         (JSC::DFG::doesGC):
682         * dfg/DFGFixupPhase.cpp:
683         (JSC::DFG::FixupPhase::fixupNode):
684         * dfg/DFGMayExit.cpp:
685         * dfg/DFGNodeType.h:
686         * dfg/DFGPredictionPropagationPhase.cpp:
687         * dfg/DFGSafeToExecute.h:
688         (JSC::DFG::safeToExecute):
689         * dfg/DFGSpeculativeJIT.cpp:
690         (JSC::DFG::SpeculativeJIT::compileSetCallee):
691         * dfg/DFGSpeculativeJIT.h:
692         * dfg/DFGSpeculativeJIT32_64.cpp:
693         (JSC::DFG::SpeculativeJIT::compile):
694         * dfg/DFGSpeculativeJIT64.cpp:
695         (JSC::DFG::SpeculativeJIT::compile):
696         * ftl/FTLCapabilities.cpp:
697         (JSC::FTL::canCompile):
698         * ftl/FTLLowerDFGToB3.cpp:
699         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
700         (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
701
702 2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>
703
704         WebAssembly: add support for stream APIs - JavaScript API
705         https://bugs.webkit.org/show_bug.cgi?id=183442
706
707         Reviewed by Yusuke Suzuki and JF Bastien.
708
709         Add WebAssembly stream API. The current patch only adds the functions
710         WebAssembly.compileStreaming and WebAssembly.instantiateStreaming but
711         does not add a streaming implementation. So in the current version it
712         only waits for the whole module to load, then starts to parse.
713
714         * CMakeLists.txt:
715         * Configurations/FeatureDefines.xcconfig:
716         * DerivedSources.make:
717         * JavaScriptCore.xcodeproj/project.pbxproj:
718         * builtins/BuiltinNames.h:
719         * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
720         (compileStreaming):
721         (instantiateStreaming):
722         * jsc.cpp:
723         * runtime/JSGlobalObject.cpp:
724         (JSC::JSGlobalObject::init):
725         * runtime/JSGlobalObject.h:
726         * runtime/Options.h:
727         * runtime/PromiseDeferredTimer.cpp:
728         (JSC::PromiseDeferredTimer::hasPendingPromise):
729         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
730         * runtime/PromiseDeferredTimer.h:
731         * wasm/js/WebAssemblyPrototype.cpp:
732         (JSC::webAssemblyModuleValidateAsyncInternal):
733         (JSC::webAssemblyCompileFunc):
734         (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
735         (JSC::webAssemblyModuleInstantinateAsyncInternal):
736         (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
737         (JSC::webAssemblyCompileStreamingInternal):
738         (JSC::webAssemblyInstantiateStreamingInternal):
739         (JSC::WebAssemblyPrototype::create):
740         (JSC::WebAssemblyPrototype::finishCreation):
741         * wasm/js/WebAssemblyPrototype.h:
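
Added example, not part of this ChangeLog entry and not WebKit's own code: a polyfill-style version of the two entry points that behaves as the entry describes, accepting a Response (or a promise of one) but buffering the whole body before handing it to WebAssembly.compile. The makeResponse stand-in, the constructed module bytes and the function names are assumptions made for the example; the application/wasm MIME-type check mirrors the requirement of the streaming Web API, which is what stops an arbitrary fetched resource from being compiled as code.

```javascript
// Added example (not WebKit code): non-streaming fallback for the streaming API.

// Constructed minimal module: exports one function `answer` that returns i32 42.
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                   // magic + version
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,                         // type section: () -> i32
  0x03, 0x02, 0x01, 0x00,                                           // function section: func 0 uses type 0
  0x07, 0x0a, 0x01, 0x06, 0x61, 0x6e, 0x73, 0x77, 0x65, 0x72, 0x00, 0x00, // export "answer" = func 0
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x41, 0x2a, 0x0b,                   // code: i32.const 42; end
]);

// Stand-in for a fetch() Response so the example runs offline (assumption).
function makeResponse(bytes, contentType = 'application/wasm') {
  return {
    ok: true,
    headers: { get: (name) => (name.toLowerCase() === 'content-type' ? contentType : null) },
    arrayBuffer: async () => bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength),
  };
}

// Wait for the complete body. The real streaming API also requires the
// application/wasm MIME type; keep that check even in a fallback.
async function bufferWholeBody(source) {
  const response = await source;                       // Response or Promise<Response>
  if (!response || typeof response.arrayBuffer !== 'function') {
    throw new TypeError('expected a Response');
  }
  const type = (response.headers.get('content-type') || '').split(';')[0].trim();
  if (type !== 'application/wasm') {
    throw new TypeError('refusing to compile a response of type ' + JSON.stringify(type));
  }
  return response.arrayBuffer();
}

// Equivalent of WebAssembly.compileStreaming without incremental parsing.
async function compileStreamingFallback(source) {
  return WebAssembly.compile(await bufferWholeBody(source));
}

// Equivalent of WebAssembly.instantiateStreaming: resolves to { module, instance }.
async function instantiateStreamingFallback(source, importObject = {}) {
  const module = await compileStreamingFallback(source);
  const instance = await WebAssembly.instantiate(module, importObject);
  return { module, instance };
}
```

Both functions return promises, like the real entry points, so a caller cannot observe whether parsing overlapped the download; only the latency differs.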
742
743 2018-04-30  Saam Barati  <sbarati@apple.com>
744
745         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
746         https://bugs.webkit.org/show_bug.cgi?id=185149
747         <rdar://problem/39455917>
748
749         Reviewed by Filip Pizlo.
750
751         The bug was that we were deleting checks that we shouldn't have deleted.
752         This patch makes a helper inside strength reduction that converts to
753         a LazyJSConstant while maintaining checks, and switches users of the
754         node API inside strength reduction to instead call the helper function.
755         
756         This patch also fixes a potential bug where StringReplace and
757         StringReplaceRegExp may not preserve all their checks.
758
759
760         * dfg/DFGStrengthReductionPhase.cpp:
761         (JSC::DFG::StrengthReductionPhase::handleNode):
762         (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
763
764 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
765
766         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
767         https://bugs.webkit.org/show_bug.cgi?id=185126
768
769         Reviewed by Saam Barati.
770         
771         This change is just restoring functionality that we've already had for a while. It had been
772         accidentally broken due to an unrelated CodeBlock refactoring.
773
774         * dfg/DFGLICMPhase.cpp:
775         (JSC::DFG::LICMPhase::attemptHoist):
776
777 2018-04-30  Mark Lam  <mark.lam@apple.com>
778
779         Apply PtrTags to the MetaAllocator and friends.
780         https://bugs.webkit.org/show_bug.cgi?id=185110
781         <rdar://problem/39533895>
782
783         Reviewed by Saam Barati.
784
785         1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
786         2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
787            and add a sanity check to verify that allocated code buffers are within those
788            bounds.
789
790         * assembler/LinkBuffer.cpp:
791         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
792         (JSC::LinkBuffer::copyCompactAndLinkCode):
793         (JSC::LinkBuffer::linkCode):
794         (JSC::LinkBuffer::allocate):
795         * assembler/LinkBuffer.h:
796         (JSC::LinkBuffer::LinkBuffer):
797         (JSC::LinkBuffer::debugAddress):
798         (JSC::LinkBuffer::code):
799         * assembler/MacroAssemblerCodeRef.h:
800         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
801         * bytecode/InlineAccess.cpp:
802         (JSC::linkCodeInline):
803         (JSC::InlineAccess::rewireStubAsJump):
804         * dfg/DFGJITCode.cpp:
805         (JSC::DFG::JITCode::findPC):
806         * ftl/FTLJITCode.cpp:
807         (JSC::FTL::JITCode::findPC):
808         * jit/ExecutableAllocator.cpp:
809         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
810         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
811         (JSC::ExecutableAllocator::allocate):
812         * jit/ExecutableAllocator.h:
813         (JSC::isJITPC):
814         (JSC::performJITMemcpy):
815         * jit/JIT.cpp:
816         (JSC::JIT::link):
817         * jit/JITMathIC.h:
818         (JSC::isProfileEmpty):
819         * runtime/JSCPtrTag.h:
820         * wasm/WasmCallee.cpp:
821         (JSC::Wasm::Callee::Callee):
822         * wasm/WasmFaultSignalHandler.cpp:
823         (JSC::Wasm::trapHandler):
824
825 2018-04-30  Keith Miller  <keith_miller@apple.com>
826
827         Move the MayBePrototype JSCell header bit to InlineTypeFlags
828         https://bugs.webkit.org/show_bug.cgi?id=185143
829
830         Reviewed by Mark Lam.
831
832         * runtime/IndexingType.h:
833         * runtime/JSCellInlines.h:
834         (JSC::JSCell::setStructure):
835         (JSC::JSCell::mayBePrototype const):
836         (JSC::JSCell::didBecomePrototype):
837         * runtime/JSTypeInfo.h:
838         (JSC::TypeInfo::mayBePrototype):
839         (JSC::TypeInfo::mergeInlineTypeFlags):
840
841 2018-04-30  Keith Miller  <keith_miller@apple.com>
842
843         Remove unneeded exception check from String.fromCharCode
844         https://bugs.webkit.org/show_bug.cgi?id=185083
845
846         Reviewed by Mark Lam.
847
848         * runtime/StringConstructor.cpp:
849         (JSC::stringFromCharCode):
850
851 2018-04-30  Keith Miller  <keith_miller@apple.com>
852
853         Move StructureIsImmortal to out of line flags.
854         https://bugs.webkit.org/show_bug.cgi?id=185101
855
856         Reviewed by Saam Barati.
857
858         This will free up a bit in the inline flags where we can move the
859         isPrototype bit to. This will, in turn, free a bit for use in
860         implementing copy on write butterflies.
861
862         Also, this patch removes an assertion from Structure::typeInfo()
863         that inadvertently makes the function invalid to call while
864         cleaning up the vm.
865
866         * heap/HeapCellType.cpp:
867         (JSC::DefaultDestroyFunc::operator() const):
868         * runtime/JSCell.h:
869         * runtime/JSCellInlines.h:
870         (JSC::JSCell::callDestructor): Deleted.
871         * runtime/JSTypeInfo.h:
872         (JSC::TypeInfo::hasStaticPropertyTable):
873         (JSC::TypeInfo::structureIsImmortal const):
874         * runtime/Structure.h:
875
876 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
877
878         [JSC] Remove arity fixup check if the number of parameters is 1
879         https://bugs.webkit.org/show_bug.cgi?id=183984
880
881         Reviewed by Mark Lam.
882
883         If the number of parameters is one (|this|), we never hit the arity fixup check.
884         We do not need to emit arity fixup check code.
885
886         * dfg/DFGDriver.cpp:
887         (JSC::DFG::compileImpl):
888         * dfg/DFGJITCompiler.cpp:
889         (JSC::DFG::JITCompiler::compileFunction):
890         * dfg/DFGJITCompiler.h:
891         * ftl/FTLLink.cpp:
892         (JSC::FTL::link):
893         * jit/JIT.cpp:
894         (JSC::JIT::compileWithoutLinking):
895
896 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
897
898         Use WordLock instead of std::mutex for Threading
899         https://bugs.webkit.org/show_bug.cgi?id=185121
900
901         Reviewed by Geoffrey Garen.
902
903         ThreadGroup starts using WordLock.
904
905         * heap/MachineStackMarker.h:
906         (JSC::MachineThreads::getLock):
907
908 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
909
910         B3 should run tail duplication at the bitter end
911         https://bugs.webkit.org/show_bug.cgi?id=185123
912
913         Reviewed by Geoffrey Garen.
914         
915         Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
916         everywhere else.
917         
918         The goal of this change is to allow us to run path specialization after switch lowering but
919         before tail duplication.
920
921         * b3/B3Generate.cpp:
922         (JSC::B3::generateToAir):
923         * runtime/Options.h:
924
925 2018-04-29  Commit Queue  <commit-queue@webkit.org>
926
927         Unreviewed, rolling out r231137.
928         https://bugs.webkit.org/show_bug.cgi?id=185118
929
930         It is breaking Test262 language/expressions/multiplication
931         /order-of-evaluation.js (Requested by caiolima on #webkit).
932
933         Reverted changeset:
934
935         "[ESNext][BigInt] Implement support for "*" operation"
936         https://bugs.webkit.org/show_bug.cgi?id=183721
937         https://trac.webkit.org/changeset/231137
938
939 2018-04-28  Saam Barati  <sbarati@apple.com>
940
941         We don't model regexp effects properly
942         https://bugs.webkit.org/show_bug.cgi?id=185059
943         <rdar://problem/39736150>
944
945         Reviewed by Filip Pizlo.
946
947         RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
948         the regexp is global.
949
950         * dfg/DFGAbstractInterpreterInlines.h:
951         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
952         * dfg/DFGClobberize.h:
953         (JSC::DFG::clobberize):
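
Added example, not part of this ChangeLog entry and not WebKit's own code: a probe showing what "arbitrary effects" means here. For a global regexp, exec and test read lastIndex through ToLength, which calls a user-supplied valueOf, and that callback can mutate any reachable object; an optimizer that treated the call as effect-free would read a stale value afterwards. The probe function and the heapState object are assumptions made for the example; only the global case is asserted, since that is the case the entry names.

```javascript
// Added example (not WebKit code): user code runs inside RegExp exec/test when
// the regexp is global, because lastIndex is converted with ToLength.
function probeLastIndexEffects(method) {
  const re = /a/g;                       // a fresh global regexp per call
  const heapState = { value: 'before' }; // some object the optimizer might cache
  const log = [];
  re.lastIndex = {
    valueOf() {
      log.push('valueOf');
      heapState.value = 'mutated during ' + method;
      return 0;                          // start the search at index 0
    },
  };
  const result = re[method]('xaa');      // method is 'exec' or 'test'
  return {
    log,                                 // which hooks ran
    heapValue: heapState.value,          // observable side effect on other state
    matched: result !== null && result !== false,
    lastIndexAfter: re.lastIndex,        // engine wrote back a plain number
  };
}
```

The match of /a/ in 'xaa' starting at 0 ends at index 2, so lastIndexAfter is 2 for both exec and test; the object assigned to lastIndex is gone and heapState has been changed by the time the call returns.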
954
955 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
956
957         Token misspelled "tocken" in error message string
958         https://bugs.webkit.org/show_bug.cgi?id=185030
959
960         Reviewed by Saam Barati.
961
962         * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
963         (JSC::Parser<LexerType>::Parser):
964         (JSC::Parser<LexerType>::didFinishParsing):
965         (JSC::Parser<LexerType>::parseSourceElements):
966         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
967         (JSC::Parser<LexerType>::parseVariableDeclaration):
968         (JSC::Parser<LexerType>::parseWhileStatement):
969         (JSC::Parser<LexerType>::parseVariableDeclarationList):
970         (JSC::Parser<LexerType>::createBindingPattern):
971         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
972         (JSC::Parser<LexerType>::parseObjectRestElement):
973         (JSC::Parser<LexerType>::parseDestructuringPattern):
974         (JSC::Parser<LexerType>::parseForStatement):
975         (JSC::Parser<LexerType>::parseBreakStatement):
976         (JSC::Parser<LexerType>::parseContinueStatement):
977         (JSC::Parser<LexerType>::parseThrowStatement):
978         (JSC::Parser<LexerType>::parseWithStatement):
979         (JSC::Parser<LexerType>::parseSwitchStatement):
980         (JSC::Parser<LexerType>::parseSwitchClauses):
981         (JSC::Parser<LexerType>::parseTryStatement):
982         (JSC::Parser<LexerType>::parseBlockStatement):
983         (JSC::Parser<LexerType>::parseFormalParameters):
984         (JSC::Parser<LexerType>::parseFunctionParameters):
985         (JSC::Parser<LexerType>::parseFunctionInfo):
986         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
987         (JSC::Parser<LexerType>::parseExpressionStatement):
988         (JSC::Parser<LexerType>::parseIfStatement):
989         (JSC::Parser<LexerType>::parseAssignmentExpression):
990         (JSC::Parser<LexerType>::parseConditionalExpression):
991         (JSC::Parser<LexerType>::parseBinaryExpression):
992         (JSC::Parser<LexerType>::parseObjectLiteral):
993         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
994         (JSC::Parser<LexerType>::parseArrayLiteral):
995         (JSC::Parser<LexerType>::parseArguments):
996         (JSC::Parser<LexerType>::parseMemberExpression):
997         (JSC::operatorString):
998         (JSC::Parser<LexerType>::parseUnaryExpression):
999         (JSC::Parser<LexerType>::printUnexpectedTokenText):
1000
1001 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
1002
1003         [ESNext][BigInt] Implement support for "*" operation
1004         https://bugs.webkit.org/show_bug.cgi?id=183721
1005
1006         Reviewed by Saam Barati.
1007
1008         Added BigInt support to the times binary operator in LLInt and in the
1009         JITOperations profiledMul and unprofiledMul. We are also replacing all
1010         uses of int with unsigned where there are no negative values for
1011         variables.
1012
1013         * dfg/DFGConstantFoldingPhase.cpp:
1014         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1015         * jit/JITOperations.cpp:
1016         * runtime/CommonSlowPaths.cpp:
1017         (JSC::SLOW_PATH_DECL):
1018         * runtime/JSBigInt.cpp:
1019         (JSC::JSBigInt::JSBigInt):
1020         (JSC::JSBigInt::allocationSize):
1021         (JSC::JSBigInt::createWithLength):
1022         (JSC::JSBigInt::toString):
1023         (JSC::JSBigInt::multiply):
1024         (JSC::JSBigInt::digitDiv):
1025         (JSC::JSBigInt::internalMultiplyAdd):
1026         (JSC::JSBigInt::multiplyAccumulate):
1027         (JSC::JSBigInt::equals):
1028         (JSC::JSBigInt::absoluteDivSmall):
1029         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1030         (JSC::JSBigInt::toStringGeneric):
1031         (JSC::JSBigInt::rightTrim):
1032         (JSC::JSBigInt::allocateFor):
1033         (JSC::JSBigInt::parseInt):
1034         (JSC::JSBigInt::digit):
1035         (JSC::JSBigInt::setDigit):
1036         * runtime/JSBigInt.h:
1037         * runtime/Operations.h:
1038         (JSC::jsMul):
1039
1040 2018-04-28  Commit Queue  <commit-queue@webkit.org>
1041
1042         Unreviewed, rolling out r231131.
1043         https://bugs.webkit.org/show_bug.cgi?id=185112
1044
1045         It is breaking Debug build due to unchecked exception
1046         (Requested by caiolima on #webkit).
1047
1048         Reverted changeset:
1049
1050         "[ESNext][BigInt] Implement support for "*" operation"
1051         https://bugs.webkit.org/show_bug.cgi?id=183721
1052         https://trac.webkit.org/changeset/231131
1053
1054 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
1055
1056         [ESNext][BigInt] Implement support for "*" operation
1057         https://bugs.webkit.org/show_bug.cgi?id=183721
1058
1059         Reviewed by Saam Barati.
1060
1061         Added BigInt support to the times binary operator in LLInt and in the
1062         JITOperations profiledMul and unprofiledMul. We are also replacing all
1063         uses of int with unsigned where there are no negative values for
1064         variables.
1065
1066         * dfg/DFGConstantFoldingPhase.cpp:
1067         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1068         * jit/JITOperations.cpp:
1069         * runtime/CommonSlowPaths.cpp:
1070         (JSC::SLOW_PATH_DECL):
1071         * runtime/JSBigInt.cpp:
1072         (JSC::JSBigInt::JSBigInt):
1073         (JSC::JSBigInt::allocationSize):
1074         (JSC::JSBigInt::createWithLength):
1075         (JSC::JSBigInt::toString):
1076         (JSC::JSBigInt::multiply):
1077         (JSC::JSBigInt::digitDiv):
1078         (JSC::JSBigInt::internalMultiplyAdd):
1079         (JSC::JSBigInt::multiplyAccumulate):
1080         (JSC::JSBigInt::equals):
1081         (JSC::JSBigInt::absoluteDivSmall):
1082         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1083         (JSC::JSBigInt::toStringGeneric):
1084         (JSC::JSBigInt::rightTrim):
1085         (JSC::JSBigInt::allocateFor):
1086         (JSC::JSBigInt::parseInt):
1087         (JSC::JSBigInt::digit):
1088         (JSC::JSBigInt::setDigit):
1089         * runtime/JSBigInt.h:
1090         * runtime/Operations.h:
1091         (JSC::jsMul):
1092
1093 2018-04-27  JF Bastien  <jfbastien@apple.com>
1094
1095         Make the first 64 bits of JSString look like a double JSValue
1096         https://bugs.webkit.org/show_bug.cgi?id=185081
1097
1098         Reviewed by Filip Pizlo.
1099
1100         We can be clever about how we lay out JSString so that, were it
1101         reinterpreted as a JSValue, it would look like a double.
1102
1103         * assembler/MacroAssemblerX86Common.h:
1104         (JSC::MacroAssemblerX86Common::and16):
1105         * assembler/X86Assembler.h:
1106         (JSC::X86Assembler::andw_mr):
1107         * dfg/DFGSpeculativeJIT.cpp:
1108         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1109         * ftl/FTLLowerDFGToB3.cpp:
1110         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1111         * ftl/FTLOutput.h:
1112         (JSC::FTL::Output::store32As8):
1113         (JSC::FTL::Output::store32As16):
1114         * runtime/JSString.h:
1115         (JSC::JSString::JSString):
1116
1117 2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1118
1119         [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
1120         https://bugs.webkit.org/show_bug.cgi?id=185055
1121
1122         Reviewed by JF Bastien.
1123
1124         This patch is paving the way to emitting the jscvt instruction if possible.
1125         To do that, we need to determine whether the jscvt instruction is supported on the
1126         given CPU.
1127
1128         We add a function collectCPUFeatures, which is responsible for collecting
1129         CPU features if necessary. On Linux, we can use the auxiliary vector to get
1130         the information without parsing /proc/cpuinfo.
1131
1132         Currently, nobody calls this function. It is later called when we emit the
1133         jscvt instruction. To make that possible, we also need to add disassembler
1134         support.
1135
1136         * assembler/AbstractMacroAssembler.h:
1137         * assembler/MacroAssemblerARM64.cpp:
1138         (JSC::MacroAssemblerARM64::collectCPUFeatures):
1139         * assembler/MacroAssemblerARM64.h:
1140         * assembler/MacroAssemblerX86Common.h:
1141
1142 2018-04-26  Filip Pizlo  <fpizlo@apple.com>
1143
1144         Also run foldPathConstants before mussing up SSA
1145         https://bugs.webkit.org/show_bug.cgi?id=185069
1146
1147         Reviewed by Saam Barati.
1148         
1149         This isn't needed now, but will be once I implement the phase in bug 185060.
1150         
1151         This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
1152         Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
1153         be landed separately and measured separately from that phase.
1154         
1155         It's probably nice for sanity to have this and reduceStrength run before tail duplication and
1156         another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
1157         it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
1158         neutral. It all depends on what programs typically look like.
1159
1160         * b3/B3Generate.cpp:
1161         (JSC::B3::generateToAir):
1162
1163 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
1164
1165         Unreviewed, rolling out r231086.
1166
1167         Caused JSC test failures due to an unchecked exception.
1168
1169         Reverted changeset:
1170
1171         "[ESNext][BigInt] Implement support for "*" operation"
1172         https://bugs.webkit.org/show_bug.cgi?id=183721
1173         https://trac.webkit.org/changeset/231086
1174
1175 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
1176
1177         [ESNext][BigInt] Implement support for "*" operation
1178         https://bugs.webkit.org/show_bug.cgi?id=183721
1179
1180         Reviewed by Saam Barati.
1181
1182         Added BigInt support to the times binary operator in LLInt and in the
1183         JITOperations profiledMul and unprofiledMul. We are also replacing all
1184         uses of int with unsigned where there are no negative values for
1185         variables.
1186
1187         * dfg/DFGConstantFoldingPhase.cpp:
1188         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1189         * jit/JITOperations.cpp:
1190         * runtime/CommonSlowPaths.cpp:
1191         (JSC::SLOW_PATH_DECL):
1192         * runtime/JSBigInt.cpp:
1193         (JSC::JSBigInt::JSBigInt):
1194         (JSC::JSBigInt::allocationSize):
1195         (JSC::JSBigInt::createWithLength):
1196         (JSC::JSBigInt::toString):
1197         (JSC::JSBigInt::multiply):
1198         (JSC::JSBigInt::digitDiv):
1199         (JSC::JSBigInt::internalMultiplyAdd):
1200         (JSC::JSBigInt::multiplyAccumulate):
1201         (JSC::JSBigInt::equals):
1202         (JSC::JSBigInt::absoluteDivSmall):
1203         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1204         (JSC::JSBigInt::toStringGeneric):
1205         (JSC::JSBigInt::rightTrim):
1206         (JSC::JSBigInt::allocateFor):
1207         (JSC::JSBigInt::parseInt):
1208         (JSC::JSBigInt::digit):
1209         (JSC::JSBigInt::setDigit):
1210         * runtime/JSBigInt.h:
1211         * runtime/Operations.h:
1212         (JSC::jsMul):
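
Added example, not part of this ChangeLog entry and not WebKit's own code, covering the three landings of the BigInt "*" change above and the rollout that cited the Test262 order-of-evaluation test. It shows the two things such an implementation has to get right: the observable contract of the operator (both operands are converted left to right before the type check, and mixing BigInt with Number throws after both conversions), and a schoolbook multiply over little-endian 32-bit digit arrays of the kind JSBigInt::multiply and multiplyAccumulate work with, checked against the engine's native result. The digit helpers and the traceMultiply probe are assumptions made for the example, not JSC's implementation.

```javascript
// Added example (not WebKit code): BigInt multiplication, contract and algorithm.

// Records the order in which the operands of `*` are converted.
function traceMultiply(leftValue, rightValue) {
  const order = [];
  const left = { valueOf() { order.push('left'); return leftValue; } };
  const right = { valueOf() { order.push('right'); return rightValue; } };
  try {
    return { order, result: left * right, error: null };
  } catch (e) {
    // ToNumeric ran on both sides before the BigInt/Number mismatch was reported.
    return { order, result: null, error: e.constructor.name };
  }
}

const DIGIT_BITS = 32n;
const DIGIT_MASK = 0xffffffffn;

// Split a non-negative BigInt into little-endian 32-bit digits (assumed layout).
function toDigits(n) {
  const digits = [];
  while (n > 0n) { digits.push(Number(n & DIGIT_MASK)); n >>= DIGIT_BITS; }
  return digits;
}

function fromDigits(digits) {
  let n = 0n;
  for (let i = digits.length - 1; i >= 0; i--) n = (n << DIGIT_BITS) | BigInt(digits[i]);
  return n;
}

// Schoolbook product: row i of a is multiplied into b and accumulated into
// result[i..i+b.length]. Each step is a 32x32 -> 64-bit multiply-add; the
// intermediate never exceeds 2^64 - 1, so carry always fits in one digit.
function multiplyDigits(a, b) {
  const result = new Array(a.length + b.length).fill(0);
  for (let i = 0; i < a.length; i++) {
    let carry = 0n;
    const ai = BigInt(a[i]);
    for (let j = 0; j < b.length; j++) {
      const t = ai * BigInt(b[j]) + BigInt(result[i + j]) + carry;
      result[i + j] = Number(t & DIGIT_MASK);
      carry = t >> DIGIT_BITS;
    }
    result[i + b.length] = Number(carry); // slot not yet written by earlier rows
  }
  return result;
}

// Sign handling on top of the magnitude multiply.
function multiplyBigInt(x, y) {
  const negative = (x < 0n) !== (y < 0n);
  const magnitude = fromDigits(multiplyDigits(toDigits(x < 0n ? -x : x), toDigits(y < 0n ? -y : y)));
  return negative ? -magnitude : magnitude;
}
```

Comparing multiplyBigInt against the native operator on values that span several digits (for instance around 2^64) is the quickest way to catch carry-propagation mistakes in a digit-array implementation.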
1213
1214 2018-04-26  Mark Lam  <mark.lam@apple.com>
1215
1216         Gardening: Speculative build fix for Windows.
1217         https://bugs.webkit.org/show_bug.cgi?id=184976
1218         <rdar://problem/39723901>
1219
1220         Not reviewed.
1221
1222         * runtime/JSCPtrTag.h:
1223
1224 2018-04-26  Mark Lam  <mark.lam@apple.com>
1225
1226         Gardening: Windows build fix.
1227
1228         Not reviewed.
1229
1230         * runtime/Options.cpp:
1231
1232 2018-04-26  Jer Noble  <jer.noble@apple.com>
1233
1234         WK_COCOA_TOUCH all the things.
1235         https://bugs.webkit.org/show_bug.cgi?id=185006
1236         <rdar://problem/39736025>
1237
1238         Reviewed by Tim Horton.
1239
1240         * Configurations/Base.xcconfig:
1241
1242 2018-04-26  Per Arne Vollan  <pvollan@apple.com>
1243
1244         Disable content filtering in minimal simulator mode
1245         https://bugs.webkit.org/show_bug.cgi?id=185027
1246         <rdar://problem/39736091>
1247
1248         Reviewed by Jer Noble.
1249
1250         * Configurations/FeatureDefines.xcconfig:
1251
1252 2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>
1253
1254         [INTL] Implement Intl.PluralRules
1255         https://bugs.webkit.org/show_bug.cgi?id=184312
1256
1257         Reviewed by JF Bastien.
1258
1259         Use UNumberFormat to enforce formatting, and then UPluralRules to find
1260         the correct plural rule for the given number. Relies on ICU v59+ for
1261         resolvedOptions().pluralCategories and trailing 0 detection.
1262         Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.
1263
1264         * CMakeLists.txt:
1265         * Configurations/FeatureDefines.xcconfig:
1266         * DerivedSources.make:
1267         * JavaScriptCore.xcodeproj/project.pbxproj:
1268         * Sources.txt:
1269         * builtins/BuiltinNames.h:
1270         * runtime/BigIntObject.cpp:
1271         (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
1272         * runtime/BigIntObject.h:
1273         * runtime/CommonIdentifiers.h:
1274         * runtime/IntlObject.cpp:
1275         (JSC::IntlObject::finishCreation):
1276         * runtime/IntlObject.h:
1277         * runtime/IntlPluralRules.cpp: Added.
1278         (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
1279         (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
1280         (JSC::UEnumerationDeleter::operator() const):
1281         (JSC::IntlPluralRules::create):
1282         (JSC::IntlPluralRules::createStructure):
1283         (JSC::IntlPluralRules::IntlPluralRules):
1284         (JSC::IntlPluralRules::finishCreation):
1285         (JSC::IntlPluralRules::destroy):
1286         (JSC::IntlPluralRules::visitChildren):
1287         (JSC::IntlPRInternal::localeData):
1288         (JSC::IntlPluralRules::initializePluralRules):
1289         (JSC::IntlPluralRules::resolvedOptions):
1290         (JSC::IntlPluralRules::select):
1291         * runtime/IntlPluralRules.h: Added.
1292         * runtime/IntlPluralRulesConstructor.cpp: Added.
1293         (JSC::IntlPluralRulesConstructor::create):
1294         (JSC::IntlPluralRulesConstructor::createStructure):
1295         (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
1296         (JSC::IntlPluralRulesConstructor::finishCreation):
1297         (JSC::constructIntlPluralRules):
1298         (JSC::callIntlPluralRules):
1299         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
1300         (JSC::IntlPluralRulesConstructor::visitChildren):
1301         * runtime/IntlPluralRulesConstructor.h: Added.
1302         * runtime/IntlPluralRulesPrototype.cpp: Added.
1303         (JSC::IntlPluralRulesPrototype::create):
1304         (JSC::IntlPluralRulesPrototype::createStructure):
1305         (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
1306         (JSC::IntlPluralRulesPrototype::finishCreation):
1307         (JSC::IntlPluralRulesPrototypeFuncSelect):
1308         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
1309         * runtime/IntlPluralRulesPrototype.h: Added.
1310         * runtime/JSGlobalObject.cpp:
1311         (JSC::JSGlobalObject::init):
1312         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
1313         * runtime/JSGlobalObject.h:
1314         * runtime/Options.h:
1315         * runtime/RegExpPrototype.cpp: Added inlines header.
1316         * runtime/VM.cpp:
1317         (JSC::VM::VM):
1318         * runtime/VM.h:
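
Added example, not part of this ChangeLog entry and not WebKit's own code: it exercises the behaviour the entry describes, where the number is formatted first and the plural category is chosen from the formatted form, so number-format options such as minimumFractionDigits change the answer ("1" is "one" in English, "1.0" is "other"). It also reads resolvedOptions().pluralCategories. The pluralReport and pluralize helpers are assumptions made for the example; results assume a runtime with English ICU data.

```javascript
// Added example (not WebKit code): Intl.PluralRules selection and resolved options.

// Returns the available categories and the category picked for each value.
function pluralReport(locale, options, values) {
  const rules = new Intl.PluralRules(locale, options);
  // pluralCategories comes from ICU; sort it so callers get a stable order.
  const categories = [...rules.resolvedOptions().pluralCategories].sort();
  const selections = {};
  for (const v of values) selections[String(v)] = rules.select(v);
  return { categories, selections };
}

// Minimal message helper on top of the rules; falls back to the 'other' form.
function pluralize(locale, count, forms) {
  const category = new Intl.PluralRules(locale).select(count);
  const form = forms[category] !== undefined ? forms[category] : forms.other;
  return count + ' ' + form;
}
```

With { minimumFractionDigits: 1 } the value 1 is formatted as "1.0" and English selects "other" for it, which is the trailing-zero detection the entry relies on ICU for; without that option the same value selects "one".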
1319
1320 2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>
1321
1322         [MIPS] Fix branch offsets in branchNeg32
1323         https://bugs.webkit.org/show_bug.cgi?id=185025
1324
1325         Reviewed by Yusuke Suzuki.
1326
1327         Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.
1328
1329         * assembler/MacroAssemblerMIPS.h:
1330         (JSC::MacroAssemblerMIPS::branchNeg32):
1331
1332 2018-04-25  Robin Morisset  <rmorisset@apple.com>
1333
1334         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
1335         https://bugs.webkit.org/show_bug.cgi?id=184773
1336         <rdar://problem/37773612>
1337
1338         Reviewed by Filip Pizlo.
1339
1340         We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
1341         arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
1342         This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
1343         We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
1344         This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
1345
1346         * ftl/FTLLowerDFGToB3.cpp:
1347         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
1348
1349 2018-04-25  Mark Lam  <mark.lam@apple.com>
1350
1351         Push the definition of PtrTag down to the WTF layer.
1352         https://bugs.webkit.org/show_bug.cgi?id=184976
1353         <rdar://problem/39723901>
1354
1355         Reviewed by Saam Barati.
1356
1357         * CMakeLists.txt:
1358         * JavaScriptCore.xcodeproj/project.pbxproj:
1359         * assembler/ARM64Assembler.h:
1360         * assembler/AbstractMacroAssembler.h:
1361         * assembler/MacroAssemblerCodeRef.cpp:
1362         * assembler/MacroAssemblerCodeRef.h:
1363         * b3/B3MathExtras.cpp:
1364         * bytecode/LLIntCallLinkInfo.h:
1365         * disassembler/Disassembler.h:
1366         * ftl/FTLJITCode.cpp:
1367         * interpreter/InterpreterInlines.h:
1368         * jit/ExecutableAllocator.h:
1369         * jit/JITOperations.cpp:
1370         * jit/ThunkGenerator.h:
1371         * jit/ThunkGenerators.h:
1372         * llint/LLIntOffsetsExtractor.cpp:
1373         * llint/LLIntPCRanges.h:
1374         * runtime/JSCPtrTag.h: Added.
1375         * runtime/NativeFunction.h:
1376         * runtime/PtrTag.h: Removed.
1377         * runtime/VMTraps.cpp:
1378
1379 2018-04-25  Keith Miller  <keith_miller@apple.com>
1380
1381         getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
1382         https://bugs.webkit.org/show_bug.cgi?id=184998
1383
1384         Reviewed by Saam Barati.
1385
1386         * runtime/CodeCache.cpp:
1387         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1388
1389 2018-04-25  Keith Miller  <keith_miller@apple.com>
1390
1391         Add missing scope release to functionProtoFuncToString
1392         https://bugs.webkit.org/show_bug.cgi?id=184995
1393
1394         Reviewed by Saam Barati.
1395
1396         * runtime/FunctionPrototype.cpp:
1397         (JSC::functionProtoFuncToString):
1398
1399 2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1400
1401         REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
1402         https://bugs.webkit.org/show_bug.cgi?id=184730
1403
1404         Reviewed by Mark Lam.
1405
1406         Add a swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM).
1407         And we now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.
1408
1409         We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with the
1410         ARMv7 implementation.
1411
1412         * assembler/ARMAssembler.h:
1413         * assembler/MacroAssemblerARM.h:
1414         (JSC::MacroAssemblerARM::add32):
1415         (JSC::MacroAssemblerARM::and32):
1416         (JSC::MacroAssemblerARM::lshift32):
1417         (JSC::MacroAssemblerARM::mul32):
1418         (JSC::MacroAssemblerARM::or32):
1419         (JSC::MacroAssemblerARM::rshift32):
1420         (JSC::MacroAssemblerARM::urshift32):
1421         (JSC::MacroAssemblerARM::sub32):
1422         (JSC::MacroAssemblerARM::xor32):
1423         (JSC::MacroAssemblerARM::load8):
1424         (JSC::MacroAssemblerARM::abortWithReason):
1425         (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
1426         (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
1427         (JSC::MacroAssemblerARM::store8):
1428         (JSC::MacroAssemblerARM::store32):
1429         (JSC::MacroAssemblerARM::push):
1430         (JSC::MacroAssemblerARM::swap):
1431         (JSC::MacroAssemblerARM::branch8):
1432         (JSC::MacroAssemblerARM::branchPtr):
1433         (JSC::MacroAssemblerARM::branch32):
1434         (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
1435         (JSC::MacroAssemblerARM::branchTest8):
1436         (JSC::MacroAssemblerARM::branchTest32):
1437         (JSC::MacroAssemblerARM::jump):
1438         (JSC::MacroAssemblerARM::branchAdd32):
1439         (JSC::MacroAssemblerARM::mull32):
1440         (JSC::MacroAssemblerARM::branchMul32):
1441         (JSC::MacroAssemblerARM::patchableBranch32):
1442         (JSC::MacroAssemblerARM::nearCall):
1443         (JSC::MacroAssemblerARM::compare32):
1444         (JSC::MacroAssemblerARM::compare8):
1445         (JSC::MacroAssemblerARM::test32):
1446         (JSC::MacroAssemblerARM::test8):
1447         (JSC::MacroAssemblerARM::add64):
1448         (JSC::MacroAssemblerARM::load32):
1449         (JSC::MacroAssemblerARM::call):
1450         (JSC::MacroAssemblerARM::branchPtrWithPatch):
1451         (JSC::MacroAssemblerARM::branch32WithPatch):
1452         (JSC::MacroAssemblerARM::storePtrWithPatch):
1453         (JSC::MacroAssemblerARM::loadDouble):
1454         (JSC::MacroAssemblerARM::storeDouble):
1455         (JSC::MacroAssemblerARM::addDouble):
1456         (JSC::MacroAssemblerARM::divDouble):
1457         (JSC::MacroAssemblerARM::subDouble):
1458         (JSC::MacroAssemblerARM::mulDouble):
1459         (JSC::MacroAssemblerARM::convertInt32ToDouble):
1460         (JSC::MacroAssemblerARM::branchDouble):
1461         (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
1462         (JSC::MacroAssemblerARM::truncateDoubleToInt32):
1463         (JSC::MacroAssemblerARM::truncateDoubleToUint32):
1464         (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
1465         (JSC::MacroAssemblerARM::branchDoubleNonZero):
1466         (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
1467         (JSC::MacroAssemblerARM::call32):
1468         (JSC::MacroAssemblerARM::internalCompare32):
1469
1470 2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>
1471
1472         [WinCairo] Fix js/regexp-unicode.html crash.
1473         https://bugs.webkit.org/show_bug.cgi?id=184891
1474
1475         Reviewed by Yusuke Suzuki.
1476
1477         On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
1478         RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.
1479
1480         * yarr/YarrJIT.cpp:
1481         (JSC::Yarr::YarrGenerator::generateEnter):
1482         (JSC::Yarr::YarrGenerator::generateReturn):
1483         Unconditionally save and restore RDI on 64-bit Windows.
1484
1485 2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>
1486
1487         [GTK] Miscellaneous build cleanups
1488         https://bugs.webkit.org/show_bug.cgi?id=184399
1489
1490         Reviewed by Žan Doberšek.
1491
1492         * PlatformGTK.cmake:
1493
1494 2018-04-24  Keith Miller  <keith_miller@apple.com>
1495
1496         fromCharCode is missing some exception checks
1497         https://bugs.webkit.org/show_bug.cgi?id=184952
1498
1499         Reviewed by Saam Barati.
1500
1501         I also removed the pointless slow path function and moved it into the
1502         main function.
1503
1504         * runtime/StringConstructor.cpp:
1505         (JSC::stringFromCharCode):
1506         (JSC::stringFromCharCodeSlowCase): Deleted.
1507
1508 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
1509
1510         MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
1511         https://bugs.webkit.org/show_bug.cgi?id=184923
1512
1513         Reviewed by Saam Barati.
1514         
1515         If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
1516         (i.e. we know that the object has one of those structures), then previously we would still emit a
1517         switch with a case per structure along with a default case. That would mean one extra redundant
1518         branch to check that whatever structure we wound up with belongs to the set. In that case, we
1519         were already making the default case be an Oops.
1520         
1521         One possible solution would be to say that the default case being Oops means that B3 doesn't need
1522         to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
1523         be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
1524         seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
1525         trap.
1526         
1527         So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
1528         extra branch.
1529         
1530         This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
1531         it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
1532         read.
1533
1534         * ftl/FTLLowerDFGToB3.cpp:
1535         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
1536         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
1537         (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):
1538
1539 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
1540
1541         DFG CSE should know how to decay a MultiGetByOffset
1542         https://bugs.webkit.org/show_bug.cgi?id=159859
1543
1544         Reviewed by Keith Miller.
1545         
1546         This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
1547         clobberize() can report a def() for MultiGetByOffset.
1548         
1549         This is a slight improvement to codegen in splay because splay is a heavy user of
1550         MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
1551         "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
1552         removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
1553         splay's time.
1554
1555         * dfg/DFGClobberize.h:
1556         (JSC::DFG::clobberize):
1557         * dfg/DFGNode.cpp:
1558         (JSC::DFG::Node::remove):
1559         (JSC::DFG::Node::removeWithoutChecks):
1560         (JSC::DFG::Node::replaceWith):
1561         (JSC::DFG::Node::replaceWithWithoutChecks):
1562         * dfg/DFGNode.h:
1563         (JSC::DFG::Node::convertToMultiGetByOffset):
1564         (JSC::DFG::Node::replaceWith): Deleted.
1565         * dfg/DFGNodeType.h:
1566         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1567
1568 2018-04-24  Keith Miller  <keith_miller@apple.com>
1569
1570         Update API docs with information on which run loop the VM will use
1571         https://bugs.webkit.org/show_bug.cgi?id=184900
1572         <rdar://problem/39166054>
1573
1574         Reviewed by Mark Lam.
1575
1576         * API/JSContextRef.h:
1577         * API/JSVirtualMachine.h:
1578
1579 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
1580
1581         $vm.totalGCTime() should be a thing
1582         https://bugs.webkit.org/show_bug.cgi?id=184916
1583
1584         Reviewed by Sam Weinig.
1585         
1586         When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
1587         time spent in GC to determine if the regression is because the GC got slower.
1588         
1589         This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
1590
1591         * heap/Heap.cpp:
1592         (JSC::Heap::runEndPhase):
1593         * heap/Heap.h:
1594         (JSC::Heap::totalGCTime const):
1595         * tools/JSDollarVM.cpp:
1596         (JSC::functionTotalGCTime):
1597         (JSC::JSDollarVM::finishCreation):
1598
1599 2018-04-23  Zalan Bujtas  <zalan@apple.com>
1600
1601         [LayoutFormattingContext] Initial commit.
1602         https://bugs.webkit.org/show_bug.cgi?id=184896
1603
1604         Reviewed by Antti Koivisto.
1605
1606         * Configurations/FeatureDefines.xcconfig:
1607
1608 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
1609
1610         Unreviewed, revert accidental change to verbose flag.
1611
1612         * dfg/DFGByteCodeParser.cpp:
1613
1614 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
1615
1616         Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
1617
1618         Rubber stamped by Saam Barati.
1619         
1620         This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
1621         anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
1622         Seems sensible to just roll it out.
1623
1624         * dfg/DFGByteCodeParser.cpp:
1625         (JSC::DFG::ByteCodeParser::addToGraph):
1626         (JSC::DFG::ByteCodeParser::parse):
1627
1628 2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1629
1630         [JSC] Remove ModuleLoaderPrototype
1631         https://bugs.webkit.org/show_bug.cgi?id=184784
1632
1633         Reviewed by Mark Lam.
1634
1635         When we introduce ModuleLoaderPrototype, ModuleLoader may be created by users and exposed to users.
1636         However, the loader spec is abandoned. So we do not need to have ModuleLoaderPrototype and JSModuleLoader.
1637         This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
1638
1639         * CMakeLists.txt:
1640         * DerivedSources.make:
1641         * JavaScriptCore.xcodeproj/project.pbxproj:
1642         * Sources.txt:
1643         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
1644         * runtime/JSGlobalObject.cpp:
1645         (JSC::JSGlobalObject::init):
1646         (JSC::JSGlobalObject::visitChildren):
1647         * runtime/JSGlobalObject.h:
1648         (JSC::JSGlobalObject::proxyRevokeStructure const):
1649         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
1650         * runtime/JSModuleLoader.cpp:
1651         (JSC::moduleLoaderParseModule):
1652         (JSC::moduleLoaderRequestedModules):
1653         (JSC::moduleLoaderModuleDeclarationInstantiation):
1654         (JSC::moduleLoaderResolve):
1655         (JSC::moduleLoaderResolveSync):
1656         (JSC::moduleLoaderFetch):
1657         (JSC::moduleLoaderGetModuleNamespaceObject):
1658         (JSC::moduleLoaderEvaluate):
1659         * runtime/JSModuleLoader.h:
1660         * runtime/ModuleLoaderPrototype.cpp: Removed.
1661         * runtime/ModuleLoaderPrototype.h: Removed.
1662
1663 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
1664
1665         [GLIB] All API tests fail in debug builds
1666         https://bugs.webkit.org/show_bug.cgi?id=184813
1667
1668         Reviewed by Mark Lam.
1669
1670         This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
1671         JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.
1672
1673         * API/glib/JSCContext.cpp:
1674         (JSCContextExceptionHandler::JSCContextExceptionHandler):
1675         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
1676         (jscContextConstructed):
1677         (ExceptionHandler::ExceptionHandler): Deleted.
1678         (ExceptionHandler::~ExceptionHandler): Deleted.
1679
1680 2018-04-20  Tim Horton  <timothy_horton@apple.com>
1681
1682         Adjust geolocation feature flag
1683         https://bugs.webkit.org/show_bug.cgi?id=184856
1684
1685         Reviewed by Wenson Hsieh.
1686
1687         * Configurations/FeatureDefines.xcconfig:
1688
1689 2018-04-20  Brian Burg  <bburg@apple.com>
1690
1691         Web Inspector: remove some dead code in IdentifiersFactory
1692         https://bugs.webkit.org/show_bug.cgi?id=184839
1693
1694         Reviewed by Timothy Hatcher.
1695
1696         This was never used on non-Chrome ports, so the identifier always has a
1697         prefix of '0.'. We may change this in the future, but for now remove this.
1698         Using a PID for this purpose is problematic anyway.
1699
1700         * inspector/IdentifiersFactory.cpp:
1701         (Inspector::addPrefixToIdentifier):
1702         (Inspector::IdentifiersFactory::createIdentifier):
1703         (Inspector::IdentifiersFactory::requestId):
1704         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
1705         * inspector/IdentifiersFactory.h:
1706
1707 2018-04-20  Mark Lam  <mark.lam@apple.com>
1708
1709         Add the ability to use a hash for setting PtrTag enum values.
1710         https://bugs.webkit.org/show_bug.cgi?id=184852
1711         <rdar://problem/39613891>
1712
1713         Reviewed by Saam Barati.
1714
1715         * runtime/PtrTag.h:
1716
1717 2018-04-20  Mark Lam  <mark.lam@apple.com>
1718
1719         Some JSEntryPtrTags should actually be JSInternalPtrTags.
1720         https://bugs.webkit.org/show_bug.cgi?id=184712
1721         <rdar://problem/39507381>
1722
1723         Reviewed by Michael Saboff.
1724
1725         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
1726         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
1727            only when needed.
1728
1729         * bytecode/AccessCase.cpp:
1730         (JSC::AccessCase::generateImpl):
1731         * bytecode/ByValInfo.h:
1732         (JSC::ByValInfo::ByValInfo):
1733         * bytecode/CallLinkInfo.cpp:
1734         (JSC::CallLinkInfo::callReturnLocation):
1735         (JSC::CallLinkInfo::patchableJump):
1736         (JSC::CallLinkInfo::hotPathBegin):
1737         (JSC::CallLinkInfo::slowPathStart):
1738         * bytecode/CallLinkInfo.h:
1739         (JSC::CallLinkInfo::setCallLocations):
1740         (JSC::CallLinkInfo::hotPathOther):
1741         * bytecode/PolymorphicAccess.cpp:
1742         (JSC::PolymorphicAccess::regenerate):
1743         * bytecode/StructureStubInfo.h:
1744         (JSC::StructureStubInfo::doneLocation):
1745         * dfg/DFGJITCompiler.cpp:
1746         (JSC::DFG::JITCompiler::link):
1747         * dfg/DFGOSRExit.cpp:
1748         (JSC::DFG::reifyInlinedCallFrames):
1749         * ftl/FTLLazySlowPath.cpp:
1750         (JSC::FTL::LazySlowPath::initialize):
1751         * ftl/FTLLazySlowPath.h:
1752         (JSC::FTL::LazySlowPath::done const):
1753         * ftl/FTLLowerDFGToB3.cpp:
1754         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1755         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1756         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1757         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1758         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1759         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1760         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1761         * jit/JIT.cpp:
1762         (JSC::JIT::link):
1763         * jit/JITExceptions.cpp:
1764         (JSC::genericUnwind):
1765         * jit/JITMathIC.h:
1766         (JSC::isProfileEmpty):
1767         * llint/LLIntData.cpp:
1768         (JSC::LLInt::initialize):
1769         * llint/LLIntData.h:
1770         (JSC::LLInt::getCodePtr):
1771         (JSC::LLInt::getExecutableAddress): Deleted.
1772         * llint/LLIntExceptions.cpp:
1773         (JSC::LLInt::callToThrow):
1774         * llint/LLIntSlowPaths.cpp:
1775         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1776         * wasm/js/WasmToJS.cpp:
1777         (JSC::Wasm::wasmToJS):
1778
1779 2018-04-18  Jer Noble  <jer.noble@apple.com>
1780
1781         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
1782         https://bugs.webkit.org/show_bug.cgi?id=184762
1783
1784         Reviewed by Dan Bernstein.
1785
1786         * Configurations/Base.xcconfig:
1787         * JavaScriptCore.xcodeproj/project.pbxproj:
1788
1789 2018-04-20  Daniel Bates  <dabates@apple.com>
1790
1791         Remove code for compilers that did not support NSDMI for aggregates
1792         https://bugs.webkit.org/show_bug.cgi?id=184599
1793
1794         Reviewed by Per Arne Vollan.
1795
1796         Remove workaround for earlier Visual Studio versions that did not support non-static data
1797         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
1798         and EWS bots to a newer version that supports this feature.
1799
1800         * domjit/DOMJITEffect.h:
1801         (JSC::DOMJIT::Effect::Effect): Deleted.
1802         * runtime/HasOwnPropertyCache.h:
1803         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
1804         * wasm/WasmFormat.h:
1805         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
1806
1807 2018-04-20  Mark Lam  <mark.lam@apple.com>
1808
1809         Build fix for internal builds after r230826.
1810         https://bugs.webkit.org/show_bug.cgi?id=184790
1811         <rdar://problem/39301369>
1812
1813         Not reviewed.
1814
1815         * runtime/Options.cpp:
1816         (JSC::overrideDefaults):
1817         * tools/SigillCrashAnalyzer.cpp:
1818         (JSC::SignalContext::dump):
1819
1820 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
1821
1822         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
1823         https://bugs.webkit.org/show_bug.cgi?id=184254
1824         <rdar://problem/39140200>
1825
1826         Reviewed by Daniel Bates.
1827
1828         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
1829
1830         * runtime/ArrayBuffer.h:
1831         (JSC::ArrayBufferContents::ArrayBufferContents):
1832
1833 2018-04-19  Mark Lam  <mark.lam@apple.com>
1834
1835         Apply pointer profiling to Signal pointers.
1836         https://bugs.webkit.org/show_bug.cgi?id=184790
1837         <rdar://problem/39301369>
1838
1839         Reviewed by Michael Saboff.
1840
1841         1. Change stackPointer, framePointer, and instructionPointer accessors to
1842            be a pair of getter/setter functions.
1843         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
1844            pointer profiling variants of these accessors.
1845         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
1846
1847         * JavaScriptCorePrefix.h:
1848         * runtime/MachineContext.h:
1849         (JSC::MachineContext::stackPointerImpl):
1850         (JSC::MachineContext::stackPointer):
1851         (JSC::MachineContext::setStackPointer):
1852         (JSC::MachineContext::framePointerImpl):
1853         (JSC::MachineContext::framePointer):
1854         (JSC::MachineContext::setFramePointer):
1855         (JSC::MachineContext::instructionPointerImpl):
1856         (JSC::MachineContext::instructionPointer):
1857         (JSC::MachineContext::setInstructionPointer):
1858         (JSC::MachineContext::linkRegisterImpl):
1859         (JSC::MachineContext::linkRegister):
1860         (JSC::MachineContext::setLinkRegister):
1861         * runtime/SamplingProfiler.cpp:
1862         (JSC::SamplingProfiler::takeSample):
1863         * runtime/VMTraps.cpp:
1864         (JSC::SignalContext::SignalContext):
1865         (JSC::VMTraps::tryInstallTrapBreakpoints):
1866         * tools/CodeProfiling.cpp:
1867         (JSC::profilingTimer):
1868         * tools/SigillCrashAnalyzer.cpp:
1869         (JSC::SignalContext::dump):
1870         (JSC::installCrashHandler):
1871         (JSC::SigillCrashAnalyzer::analyze):
1872         * wasm/WasmFaultSignalHandler.cpp:
1873         (JSC::Wasm::trapHandler):
1874
1875 2018-04-19  David Kilzer  <ddkilzer@apple.com>
1876
1877         Enable Objective-C weak references
1878         <https://webkit.org/b/184789>
1879         <rdar://problem/39571716>
1880
1881         Reviewed by Dan Bernstein.
1882
1883         * Configurations/Base.xcconfig:
1884         (CLANG_ENABLE_OBJC_WEAK): Enable.
1885         * Configurations/ToolExecutable.xcconfig:
1886         (CLANG_ENABLE_OBJC_ARC): Simplify.
1887
1888 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
1889
1890         The InternalFunction hierarchy should be in IsoSubspaces
1891         https://bugs.webkit.org/show_bug.cgi?id=184721
1892
1893         Reviewed by Saam Barati.
1894         
1895         This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
1896         but subclasses that are the same size as InternalFunction share its subspace. I did this
1897         because the subclasses appear to just override methods, which are called dynamically via the
1898         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
1899         allocate one kind of InternalFunction over another.
1900
1901         * API/JSBase.h:
1902         * API/JSCallbackFunction.h:
1903         * API/ObjCCallbackFunction.h:
1904         (JSC::ObjCCallbackFunction::subspaceFor):
1905         * CMakeLists.txt:
1906         * JavaScriptCore.xcodeproj/project.pbxproj:
1907         * Sources.txt:
1908         * heap/IsoSubspacePerVM.cpp: Added.
1909         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
1910         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
1911         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
1912         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
1913         (JSC::IsoSubspacePerVM::forVM):
1914         * heap/IsoSubspacePerVM.h: Added.
1915         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
1916         * runtime/Error.h:
1917         * runtime/ErrorConstructor.h:
1918         * runtime/InternalFunction.h:
1919         (JSC::InternalFunction::subspaceFor):
1920         * runtime/IntlCollatorConstructor.h:
1921         * runtime/IntlDateTimeFormatConstructor.h:
1922         * runtime/IntlNumberFormatConstructor.h:
1923         * runtime/JSArrayBufferConstructor.h:
1924         * runtime/NativeErrorConstructor.h:
1925         * runtime/ProxyRevoke.h:
1926         * runtime/RegExpConstructor.h:
1927         * runtime/VM.cpp:
1928         (JSC::VM::VM):
1929         * runtime/VM.h:
1930
1931 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1932
1933         Unreviewed, Fix jsc shell
1934         https://bugs.webkit.org/show_bug.cgi?id=184600
1935
1936         WebAssembly module loading does not finish with drainMicrotasks().
1937         So JSNativeStdFunction's capturing variables become invalid.
1938         This patch fixes this issue.
1939
1940         * jsc.cpp:
1941         (functionDollarAgentStart):
1942         (runWithOptions):
1943         (runJSC):
1944         (jscmain):
1945
1946 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
1947
1948         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
1949         https://bugs.webkit.org/show_bug.cgi?id=184725
1950
1951         Reviewed by Mark Lam.
1952
1953         * jit/JIT.h:
1954
1955 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1956
1957         [WebAssembly][Modules] Import tables in wasm modules
1958         https://bugs.webkit.org/show_bug.cgi?id=184738
1959
1960         Reviewed by JF Bastien.
1961
1962         This patch simply allows wasm modules to import tables from wasm modules / JS re-exporting.
1963         Basically, moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
1964         just works.
1965
1966         * wasm/js/JSWebAssemblyInstance.cpp:
1967         (JSC::JSWebAssemblyInstance::create):
1968         * wasm/js/WebAssemblyModuleRecord.cpp:
1969         (JSC::WebAssemblyModuleRecord::link):
1970
1971 2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>
1972
1973         [ARM] Fix build error and crash after PtrTag change
1974         https://bugs.webkit.org/show_bug.cgi?id=184732
1975
1976         Reviewed by Mark Lam.
1977
1978         Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
1979         MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
1980         twice with ARM-Thumb2.
1981
1982         * assembler/MacroAssemblerCodeRef.h:
1983         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1984         * jit/JITPropertyAccess32_64.cpp:
1985         (JSC::JIT::emitSlow_op_put_by_val):
1986         * jit/Repatch.cpp:
1987         (JSC::linkPolymorphicCall):
1988
1989 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1990
1991         [WebAssembly][Modules] Import globals from wasm modules
1992         https://bugs.webkit.org/show_bug.cgi?id=184736
1993
1994         Reviewed by JF Bastien.
1995
1996         This patch implements a feature importing globals to/from wasm modules.
1997         Since we are not supporting mutable globals now, we can just copy the
1998         global data when importing. Currently we do not support importing/exporting
1999         i64 globals. This will be supported once (1) mutable global bindings are
2000         specified and (2) BigInt based i64 importing/exporting is specified.
2001
2002         * wasm/js/JSWebAssemblyInstance.cpp:
2003         (JSC::JSWebAssemblyInstance::create):
2004         * wasm/js/WebAssemblyModuleRecord.cpp:
2005         (JSC::WebAssemblyModuleRecord::link):
2006
2007 2018-04-18  Tomas Popela  <tpopela@redhat.com>
2008
2009         Unreviewed, fix build on ARM
2010
2011         * assembler/MacroAssemblerARM.h:
2012         (JSC::MacroAssemblerARM::readCallTarget):
2013
2014 2018-04-18  Tomas Popela  <tpopela@redhat.com>
2015
2016         Unreviewed, fix build with GCC
2017
2018         * assembler/LinkBuffer.h:
2019         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2020
2021 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2022
2023         Unreviewed, reland r230697, r230720, and r230724.
2024         https://bugs.webkit.org/show_bug.cgi?id=184600
2025
2026         With CatchScope check.
2027
2028         * JavaScriptCore.xcodeproj/project.pbxproj:
2029         * builtins/ModuleLoaderPrototype.js:
2030         (globalPrivate.newRegistryEntry):
2031         (requestInstantiate):
2032         (link):
2033         * jsc.cpp:
2034         (convertShebangToJSComment):
2035         (fillBufferWithContentsOfFile):
2036         (fetchModuleFromLocalFileSystem):
2037         (GlobalObject::moduleLoaderFetch):
2038         (functionDollarAgentStart):
2039         (checkException):
2040         (runWithOptions):
2041         * parser/NodesAnalyzeModule.cpp:
2042         (JSC::ImportDeclarationNode::analyzeModule):
2043         * parser/SourceProvider.h:
2044         (JSC::WebAssemblySourceProvider::create):
2045         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
2046         * runtime/AbstractModuleRecord.cpp:
2047         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2048         (JSC::AbstractModuleRecord::resolveImport):
2049         (JSC::AbstractModuleRecord::link):
2050         (JSC::AbstractModuleRecord::evaluate):
2051         (JSC::identifierToJSValue): Deleted.
2052         * runtime/AbstractModuleRecord.h:
2053         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
2054         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
2055         * runtime/JSModuleEnvironment.cpp:
2056         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2057         * runtime/JSModuleLoader.cpp:
2058         (JSC::JSModuleLoader::evaluate):
2059         * runtime/JSModuleRecord.cpp:
2060         (JSC::JSModuleRecord::link):
2061         (JSC::JSModuleRecord::instantiateDeclarations):
2062         * runtime/JSModuleRecord.h:
2063         * runtime/ModuleLoaderPrototype.cpp:
2064         (JSC::moduleLoaderPrototypeParseModule):
2065         (JSC::moduleLoaderPrototypeRequestedModules):
2066         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
2067         * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
2068         * wasm/js/JSWebAssemblyHelpers.h:
2069         (JSC::getWasmBufferFromValue):
2070         (JSC::createSourceBufferFromValue):
2071         * wasm/js/JSWebAssemblyInstance.cpp:
2072         (JSC::JSWebAssemblyInstance::finalizeCreation):
2073         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
2074         (JSC::JSWebAssemblyInstance::create):
2075         * wasm/js/JSWebAssemblyInstance.h:
2076         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2077         (JSC::constructJSWebAssemblyInstance):
2078         * wasm/js/WebAssemblyModuleRecord.cpp:
2079         (JSC::WebAssemblyModuleRecord::prepareLink):
2080         (JSC::WebAssemblyModuleRecord::link):
2081         * wasm/js/WebAssemblyModuleRecord.h:
2082         * wasm/js/WebAssemblyPrototype.cpp:
2083         (JSC::resolve):
2084         (JSC::instantiate):
2085         (JSC::compileAndInstantiate):
2086         (JSC::WebAssemblyPrototype::instantiate):
2087         (JSC::webAssemblyInstantiateFunc):
2088         (JSC::webAssemblyValidateFunc):
2089         * wasm/js/WebAssemblyPrototype.h:
2090
2091 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2092
2093         [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
2094         https://bugs.webkit.org/show_bug.cgi?id=184687
2095
2096         Reviewed by Michael Catanzaro.
2097
2098         Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
2099         JSClassDefinition. This is required to implement dynamic properties that can't be added with
2100         jsc_class_add_property(), for example to implement something like the imports object in seed/gjs.
2101
2102         * API/glib/JSCClass.cpp:
2103         (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
2104         can throw exceptions.
2105         (VTableExceptionHandler::~VTableExceptionHandler):
2106         (getProperty): Iterate the class chain to call get_property function.
2107         (setProperty): Iterate the class chain to call set_property function.
2108         (hasProperty): Iterate the class chain to call has_property function.
2109         (deleteProperty): Iterate the class chain to call delete_property function.
2110         (getPropertyNames): Iterate the class chain to call enumerate_properties function.
2111         (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
2112         jscClassCreate now.
2113         (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
2114         * API/glib/JSCClass.h:
2115         * API/glib/JSCClassPrivate.h:
2116         * API/glib/JSCContext.cpp:
2117         (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
2118         (jsc_context_register_class): Add JSCClassVTable parameter.
2119         * API/glib/JSCContext.h:
2120         * API/glib/JSCContextPrivate.h:
2121         * API/glib/JSCWrapperMap.cpp:
2122         (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
2123         * API/glib/JSCWrapperMap.h:
2124         * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
2125
2126 2018-04-17  Mark Lam  <mark.lam@apple.com>
2127
2128         Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
2129         https://bugs.webkit.org/show_bug.cgi?id=184702
2130         <rdar://problem/35391681>
2131
2132         Reviewed by Filip Pizlo and Saam Barati.
2133
2134         1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
2135            to take a PtrTag template argument.
2136         2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
2137
2138         * assembler/AbstractMacroAssembler.h:
2139         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
2140         (JSC::AbstractMacroAssembler::linkJump):
2141         (JSC::AbstractMacroAssembler::linkPointer):
2142         (JSC::AbstractMacroAssembler::getLinkerAddress):
2143         (JSC::AbstractMacroAssembler::repatchJump):
2144         (JSC::AbstractMacroAssembler::repatchJumpToNop):
2145         (JSC::AbstractMacroAssembler::repatchNearCall):
2146         (JSC::AbstractMacroAssembler::repatchCompact):
2147         (JSC::AbstractMacroAssembler::repatchInt32):
2148         (JSC::AbstractMacroAssembler::repatchPointer):
2149         (JSC::AbstractMacroAssembler::readPointer):
2150         (JSC::AbstractMacroAssembler::replaceWithLoad):
2151         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
2152         * assembler/CodeLocation.h:
2153         (JSC::CodeLocationCommon:: const):
2154         (JSC::CodeLocationCommon::CodeLocationCommon):
2155         (JSC::CodeLocationInstruction::CodeLocationInstruction):
2156         (JSC::CodeLocationLabel::CodeLocationLabel):
2157         (JSC::CodeLocationLabel::retagged):
2158         (JSC::CodeLocationLabel:: const):
2159         (JSC::CodeLocationJump::CodeLocationJump):
2160         (JSC::CodeLocationJump::retagged):
2161         (JSC::CodeLocationCall::CodeLocationCall):
2162         (JSC::CodeLocationCall::retagged):
2163         (JSC::CodeLocationNearCall::CodeLocationNearCall):
2164         (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
2165         (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
2166         (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
2167         (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
2168         (JSC::CodeLocationCommon<tag>::instructionAtOffset):
2169         (JSC::CodeLocationCommon<tag>::labelAtOffset):
2170         (JSC::CodeLocationCommon<tag>::jumpAtOffset):
2171         (JSC::CodeLocationCommon<tag>::callAtOffset):
2172         (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
2173         (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
2174         (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
2175         (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
2176         (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
2177         (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
2178         (JSC::CodeLocationCommon::labelAtOffset): Deleted.
2179         (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
2180         (JSC::CodeLocationCommon::callAtOffset): Deleted.
2181         (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
2182         (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
2183         (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
2184         (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
2185         (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
2186         * assembler/LinkBuffer.cpp:
2187         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
2188         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
2189         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
2190         (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
2191         * assembler/LinkBuffer.h:
2192         (JSC::LinkBuffer::link):
2193         (JSC::LinkBuffer::patch):
2194         (JSC::LinkBuffer::entrypoint):
2195         (JSC::LinkBuffer::locationOf):
2196         (JSC::LinkBuffer::locationOfNearCall):
2197         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
2198         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2199         (JSC::LinkBuffer::trampolineAt):
2200         * assembler/MacroAssemblerARM.h:
2201         (JSC::MacroAssemblerARM::readCallTarget):
2202         (JSC::MacroAssemblerARM::replaceWithJump):
2203         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
2204         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
2205         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
2206         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
2207         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
2208         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
2209         (JSC::MacroAssemblerARM::repatchCall):
2210         (JSC::MacroAssemblerARM::linkCall):
2211         * assembler/MacroAssemblerARM64.h:
2212         (JSC::MacroAssemblerARM64::readCallTarget):
2213         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
2214         (JSC::MacroAssemblerARM64::replaceWithJump):
2215         (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
2216         (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
2217         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
2218         (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
2219         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
2220         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
2221         (JSC::MacroAssemblerARM64::repatchCall):
2222         (JSC::MacroAssemblerARM64::linkCall):
2223         * assembler/MacroAssemblerARMv7.h:
2224         (JSC::MacroAssemblerARMv7::replaceWithJump):
2225         (JSC::MacroAssemblerARMv7::readCallTarget):
2226         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
2227         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
2228         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
2229         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
2230         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
2231         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
2232         (JSC::MacroAssemblerARMv7::repatchCall):
2233         (JSC::MacroAssemblerARMv7::linkCall):
2234         * assembler/MacroAssemblerCodeRef.cpp:
2235         (JSC::MacroAssemblerCodePtrBase::dumpWithName):
2236         (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
2237         (JSC::MacroAssemblerCodeRefBase::disassembly):
2238         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
2239         (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
2240         (JSC::MacroAssemblerCodePtr::dump const): Deleted.
2241         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
2242         (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
2243         (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
2244         (JSC::MacroAssemblerCodeRef::dump const): Deleted.
2245         * assembler/MacroAssemblerCodeRef.h:
2246         (JSC::FunctionPtr::FunctionPtr):
2247         (JSC::FunctionPtr::retagged const):
2248         (JSC::FunctionPtr::retaggedExecutableAddress const):
2249         (JSC::FunctionPtr::operator== const):
2250         (JSC::FunctionPtr::operator!= const):
2251         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2252         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2253         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2254         (JSC::MacroAssemblerCodePtr::retagged const):
2255         (JSC::MacroAssemblerCodePtr:: const):
2256         (JSC::MacroAssemblerCodePtr::dumpWithName const):
2257         (JSC::MacroAssemblerCodePtr::dump const):
2258         (JSC::MacroAssemblerCodePtrHash::hash):
2259         (JSC::MacroAssemblerCodePtrHash::equal):
2260         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2261         (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
2262         (JSC::MacroAssemblerCodeRef::code const):
2263         (JSC::MacroAssemblerCodeRef::retaggedCode const):
2264         (JSC::MacroAssemblerCodeRef::retagged const):
2265         (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
2266         (JSC::MacroAssemblerCodeRef::disassembly const):
2267         (JSC::MacroAssemblerCodeRef::dump const):
2268         (JSC::FunctionPtr<tag>::FunctionPtr):
2269         * assembler/MacroAssemblerMIPS.h:
2270         (JSC::MacroAssemblerMIPS::readCallTarget):
2271         (JSC::MacroAssemblerMIPS::replaceWithJump):
2272         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
2273         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
2274         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
2275         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
2276         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
2277         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
2278         (JSC::MacroAssemblerMIPS::repatchCall):
2279         (JSC::MacroAssemblerMIPS::linkCall):
2280         * assembler/MacroAssemblerX86.h:
2281         (JSC::MacroAssemblerX86::readCallTarget):
2282         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
2283         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
2284         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
2285         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
2286         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
2287         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
2288         (JSC::MacroAssemblerX86::repatchCall):
2289         (JSC::MacroAssemblerX86::linkCall):
2290         * assembler/MacroAssemblerX86Common.h:
2291         (JSC::MacroAssemblerX86Common::repatchCompact):
2292         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
2293         (JSC::MacroAssemblerX86Common::replaceWithJump):
2294         * assembler/MacroAssemblerX86_64.h:
2295         (JSC::MacroAssemblerX86_64::readCallTarget):
2296         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
2297         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
2298         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
2299         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
2300         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
2301         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
2302         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
2303         (JSC::MacroAssemblerX86_64::repatchCall):
2304         (JSC::MacroAssemblerX86_64::linkCall):
2305         * assembler/testmasm.cpp:
2306         (JSC::compile):
2307         (JSC::invoke):
2308         (JSC::testProbeModifiesProgramCounter):
2309         * b3/B3Compilation.cpp:
2310         (JSC::B3::Compilation::Compilation):
2311         * b3/B3Compilation.h:
2312         (JSC::B3::Compilation::code const):
2313         (JSC::B3::Compilation::codeRef const):
2314         * b3/B3Compile.cpp:
2315         (JSC::B3::compile):
2316         * b3/B3LowerMacros.cpp:
2317         * b3/air/AirDisassembler.cpp:
2318         (JSC::B3::Air::Disassembler::dump):
2319         * b3/air/testair.cpp:
2320         * b3/testb3.cpp:
2321         (JSC::B3::invoke):
2322         (JSC::B3::testInterpreter):
2323         (JSC::B3::testEntrySwitchSimple):
2324         (JSC::B3::testEntrySwitchNoEntrySwitch):
2325         (JSC::B3::testEntrySwitchWithCommonPaths):
2326         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
2327         (JSC::B3::testEntrySwitchLoop):
2328         * bytecode/AccessCase.cpp:
2329         (JSC::AccessCase::generateImpl):
2330         * bytecode/AccessCaseSnippetParams.cpp:
2331         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
2332         * bytecode/ByValInfo.h:
2333         (JSC::ByValInfo::ByValInfo):
2334         * bytecode/CallLinkInfo.cpp:
2335         (JSC::CallLinkInfo::callReturnLocation):
2336         (JSC::CallLinkInfo::patchableJump):
2337         (JSC::CallLinkInfo::hotPathBegin):
2338         (JSC::CallLinkInfo::slowPathStart):
2339         * bytecode/CallLinkInfo.h:
2340         (JSC::CallLinkInfo::setCallLocations):
2341         (JSC::CallLinkInfo::hotPathOther):
2342         * bytecode/CodeBlock.cpp:
2343         (JSC::CodeBlock::finishCreation):
2344         * bytecode/GetByIdStatus.cpp:
2345         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2346         * bytecode/GetByIdVariant.cpp:
2347         (JSC::GetByIdVariant::GetByIdVariant):
2348         (JSC::GetByIdVariant::dumpInContext const):
2349         * bytecode/GetByIdVariant.h:
2350         (JSC::GetByIdVariant::customAccessorGetter const):
2351         * bytecode/GetterSetterAccessCase.cpp:
2352         (JSC::GetterSetterAccessCase::create):
2353         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
2354         (JSC::GetterSetterAccessCase::dumpImpl const):
2355         * bytecode/GetterSetterAccessCase.h:
2356         (JSC::GetterSetterAccessCase::customAccessor const):
2357         (): Deleted.
2358         * bytecode/HandlerInfo.h:
2359         (JSC::HandlerInfo::initialize):
2360         * bytecode/InlineAccess.cpp:
2361         (JSC::linkCodeInline):
2362         (JSC::InlineAccess::rewireStubAsJump):
2363         * bytecode/InlineAccess.h:
2364         * bytecode/JumpTable.h:
2365         (JSC::StringJumpTable::ctiForValue):
2366         (JSC::SimpleJumpTable::ctiForValue):
2367         * bytecode/LLIntCallLinkInfo.h:
2368         (JSC::LLIntCallLinkInfo::unlink):
2369         * bytecode/PolymorphicAccess.cpp:
2370         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2371         (JSC::PolymorphicAccess::regenerate):
2372         * bytecode/PolymorphicAccess.h:
2373         (JSC::AccessGenerationResult::AccessGenerationResult):
2374         (JSC::AccessGenerationResult::code const):
2375         * bytecode/StructureStubInfo.h:
2376         (JSC::StructureStubInfo::slowPathCallLocation):
2377         (JSC::StructureStubInfo::doneLocation):
2378         (JSC::StructureStubInfo::slowPathStartLocation):
2379         (JSC::StructureStubInfo::patchableJumpForIn):
2380         * dfg/DFGCommonData.h:
2381         (JSC::DFG::CommonData::appendCatchEntrypoint):
2382         * dfg/DFGDisassembler.cpp:
2383         (JSC::DFG::Disassembler::dumpDisassembly):
2384         * dfg/DFGDriver.h:
2385         * dfg/DFGJITCompiler.cpp:
2386         (JSC::DFG::JITCompiler::linkOSRExits):
2387         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2388         (JSC::DFG::JITCompiler::link):
2389         (JSC::DFG::JITCompiler::compileFunction):
2390         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
2391         * dfg/DFGJITCompiler.h:
2392         (JSC::DFG::CallLinkRecord::CallLinkRecord):
2393         (JSC::DFG::JITCompiler::appendCall):
2394         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
2395         (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
2396         (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
2397         * dfg/DFGJITFinalizer.cpp:
2398         (JSC::DFG::JITFinalizer::JITFinalizer):
2399         (JSC::DFG::JITFinalizer::finalize):
2400         (JSC::DFG::JITFinalizer::finalizeFunction):
2401         * dfg/DFGJITFinalizer.h:
2402         * dfg/DFGJumpReplacement.h:
2403         (JSC::DFG::JumpReplacement::JumpReplacement):
2404         * dfg/DFGNode.h:
2405         * dfg/DFGOSREntry.cpp:
2406         (JSC::DFG::prepareOSREntry):
2407         (JSC::DFG::prepareCatchOSREntry):
2408         * dfg/DFGOSREntry.h:
2409         (JSC::DFG::prepareOSREntry):
2410         * dfg/DFGOSRExit.cpp:
2411         (JSC::DFG::OSRExit::executeOSRExit):
2412         (JSC::DFG::reifyInlinedCallFrames):
2413         (JSC::DFG::adjustAndJumpToTarget):
2414         (JSC::DFG::OSRExit::codeLocationForRepatch const):
2415         (JSC::DFG::OSRExit::emitRestoreArguments):
2416         (JSC::DFG::OSRExit::compileOSRExit):
2417         * dfg/DFGOSRExit.h:
2418         * dfg/DFGOSRExitCompilerCommon.cpp:
2419         (JSC::DFG::handleExitCounts):
2420         (JSC::DFG::reifyInlinedCallFrames):
2421         (JSC::DFG::osrWriteBarrier):
2422         (JSC::DFG::adjustAndJumpToTarget):
2423         * dfg/DFGOperations.cpp:
2424         * dfg/DFGSlowPathGenerator.h:
2425         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
2426         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
2427         (JSC::DFG::slowPathCall):
2428         * dfg/DFGSpeculativeJIT.cpp:
2429         (JSC::DFG::SpeculativeJIT::compileMathIC):
2430         (JSC::DFG::SpeculativeJIT::compileCallDOM):
2431         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2432         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2433         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2434         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
2435         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2436         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2437         (JSC::DFG::SpeculativeJIT::cachedPutById):
2438         * dfg/DFGSpeculativeJIT.h:
2439         (JSC::DFG::SpeculativeJIT::callOperation):
2440         (JSC::DFG::SpeculativeJIT::appendCall):
2441         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
2442         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
2443         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
2444         * dfg/DFGSpeculativeJIT64.cpp:
2445         (JSC::DFG::SpeculativeJIT::cachedGetById):
2446         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2447         (JSC::DFG::SpeculativeJIT::compile):
2448         * dfg/DFGThunks.cpp:
2449         (JSC::DFG::osrExitThunkGenerator):
2450         (JSC::DFG::osrExitGenerationThunkGenerator):
2451         (JSC::DFG::osrEntryThunkGenerator):
2452         * dfg/DFGThunks.h:
2453         * disassembler/ARM64Disassembler.cpp:
2454         (JSC::tryToDisassemble):
2455         * disassembler/ARMv7Disassembler.cpp:
2456         (JSC::tryToDisassemble):
2457         * disassembler/Disassembler.cpp:
2458         (JSC::disassemble):
2459         (JSC::disassembleAsynchronously):
2460         * disassembler/Disassembler.h:
2461         (JSC::tryToDisassemble):
2462         * disassembler/UDis86Disassembler.cpp:
2463         (JSC::tryToDisassembleWithUDis86):
2464         * disassembler/UDis86Disassembler.h:
2465         (JSC::tryToDisassembleWithUDis86):
2466         * disassembler/X86Disassembler.cpp:
2467         (JSC::tryToDisassemble):
2468         * ftl/FTLCompile.cpp:
2469         (JSC::FTL::compile):
2470         * ftl/FTLExceptionTarget.cpp:
2471         (JSC::FTL::ExceptionTarget::label):
2472         (JSC::FTL::ExceptionTarget::jumps):
2473         * ftl/FTLExceptionTarget.h:
2474         * ftl/FTLGeneratedFunction.h:
2475         * ftl/FTLJITCode.cpp:
2476         (JSC::FTL::JITCode::initializeB3Code):
2477         (JSC::FTL::JITCode::initializeAddressForCall):
2478         (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
2479         (JSC::FTL::JITCode::addressForCall):
2480         (JSC::FTL::JITCode::executableAddressAtOffset):
2481         * ftl/FTLJITCode.h:
2482         (JSC::FTL::JITCode::b3Code const):
2483         * ftl/FTLJITFinalizer.cpp:
2484         (JSC::FTL::JITFinalizer::finalizeCommon):
2485         * ftl/FTLLazySlowPath.cpp:
2486         (JSC::FTL::LazySlowPath::initialize):
2487         (JSC::FTL::LazySlowPath::generate):
2488         * ftl/FTLLazySlowPath.h:
2489         (JSC::FTL::LazySlowPath::patchableJump const):
2490         (JSC::FTL::LazySlowPath::done const):
2491         (JSC::FTL::LazySlowPath::stub const):
2492         * ftl/FTLLazySlowPathCall.h:
2493         (JSC::FTL::createLazyCallGenerator):
2494         * ftl/FTLLink.cpp:
2495         (JSC::FTL::link):
2496         * ftl/FTLLowerDFGToB3.cpp:
2497         (JSC::FTL::DFG::LowerDFGToB3::lower):
2498         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2499         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2500         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2501         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2502         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2503         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2504         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
2505         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2506         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2507         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
2508         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
2509         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
2510         * ftl/FTLOSRExit.cpp:
2511         (JSC::FTL::OSRExit::codeLocationForRepatch const):
2512         * ftl/FTLOSRExit.h:
2513         * ftl/FTLOSRExitCompiler.cpp:
2514         (JSC::FTL::compileStub):
2515         (JSC::FTL::compileFTLOSRExit):
2516         * ftl/FTLOSRExitHandle.cpp:
2517         (JSC::FTL::OSRExitHandle::emitExitThunk):
2518         * ftl/FTLOperations.cpp:
2519         (JSC::FTL::compileFTLLazySlowPath):
2520         * ftl/FTLPatchpointExceptionHandle.cpp:
2521         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
2522         * ftl/FTLSlowPathCall.cpp:
2523         (JSC::FTL::SlowPathCallContext::keyWithTarget const):
2524         (JSC::FTL::SlowPathCallContext::makeCall):
2525         * ftl/FTLSlowPathCall.h:
2526         (JSC::FTL::callOperation):
2527         * ftl/FTLSlowPathCallKey.cpp:
2528         (JSC::FTL::SlowPathCallKey::dump const):
2529         * ftl/FTLSlowPathCallKey.h:
2530         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
2531         (JSC::FTL::SlowPathCallKey::callTarget const):
2532         (JSC::FTL::SlowPathCallKey::withCallTarget):
2533         (JSC::FTL::SlowPathCallKey::hash const):
2534         (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
2535         * ftl/FTLState.cpp:
2536         (JSC::FTL::State::State):
2537         * ftl/FTLThunks.cpp:
2538         (JSC::FTL::genericGenerationThunkGenerator):
2539         (JSC::FTL::osrExitGenerationThunkGenerator):
2540         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
2541         (JSC::FTL::slowPathCallThunkGenerator):
2542         * ftl/FTLThunks.h:
2543         (JSC::FTL::generateIfNecessary):
2544         (JSC::FTL::keyForThunk):
2545         (JSC::FTL::Thunks::getSlowPathCallThunk):
2546         (JSC::FTL::Thunks::keyForSlowPathCallThunk):
2547         * interpreter/InterpreterInlines.h:
2548         (JSC::Interpreter::getOpcodeID):
2549         * jit/AssemblyHelpers.cpp:
2550         (JSC::AssemblyHelpers::callExceptionFuzz):
2551         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2552         (JSC::AssemblyHelpers::debugCall):
2553         * jit/CCallHelpers.cpp:
2554         (JSC::CCallHelpers::ensureShadowChickenPacket):
2555         * jit/ExecutableAllocator.cpp:
2556         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2557         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2558         * jit/ExecutableAllocator.h:
2559         (JSC::performJITMemcpy):
2560         * jit/GCAwareJITStubRoutine.cpp:
2561         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
2562         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
2563         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
2564         (JSC::createJITStubRoutine):
2565         * jit/GCAwareJITStubRoutine.h:
2566         (JSC::createJITStubRoutine):
2567         * jit/JIT.cpp:
2568         (JSC::ctiPatchCallByReturnAddress):
2569         (JSC::JIT::compileWithoutLinking):
2570         (JSC::JIT::link):
2571         (JSC::JIT::privateCompileExceptionHandlers):
2572         * jit/JIT.h:
2573         (JSC::CallRecord::CallRecord):
2574         * jit/JITArithmetic.cpp:
2575         (JSC::JIT::emitMathICFast):
2576         (JSC::JIT::emitMathICSlow):
2577         * jit/JITCall.cpp:
2578         (JSC::JIT::compileOpCallSlowCase):
2579         * jit/JITCall32_64.cpp:
2580         (JSC::JIT::compileOpCallSlowCase):
2581         * jit/JITCode.cpp:
2582         (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
2583         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2584         (JSC::DirectJITCode::DirectJITCode):
2585         (JSC::DirectJITCode::initializeCodeRef):
2586         (JSC::DirectJITCode::addressForCall):
2587         (JSC::NativeJITCode::NativeJITCode):
2588         (JSC::NativeJITCode::initializeCodeRef):
2589         (JSC::NativeJITCode::addressForCall):
2590         * jit/JITCode.h:
2591         * jit/JITCodeMap.h:
2592         (JSC::JITCodeMap::Entry::Entry):
2593         (JSC::JITCodeMap::Entry::codeLocation):
2594         (JSC::JITCodeMap::append):
2595         (JSC::JITCodeMap::find const):
2596         * jit/JITDisassembler.cpp:
2597         (JSC::JITDisassembler::dumpDisassembly):
2598         * jit/JITExceptions.cpp:
2599         (JSC::genericUnwind):
2600         * jit/JITInlineCacheGenerator.cpp:
2601         (JSC::JITByIdGenerator::finalize):
2602         * jit/JITInlines.h:
2603         (JSC::JIT::emitNakedCall):
2604         (JSC::JIT::emitNakedTailCall):
2605         (JSC::JIT::appendCallWithExceptionCheck):
2606         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
2607         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
2608         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
2609         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
2610         * jit/JITMathIC.h:
2611         (JSC::isProfileEmpty):
2612         * jit/JITOpcodes.cpp:
2613         (JSC::JIT::emit_op_catch):
2614         (JSC::JIT::emit_op_switch_imm):
2615         (JSC::JIT::emit_op_switch_char):
2616         (JSC::JIT::emit_op_switch_string):
2617         (JSC::JIT::privateCompileHasIndexedProperty):
2618         (JSC::JIT::emitSlow_op_has_indexed_property):
2619         * jit/JITOpcodes32_64.cpp:
2620         (JSC::JIT::privateCompileHasIndexedProperty):
2621         * jit/JITOperations.cpp:
2622         (JSC::getByVal):
2623         * jit/JITPropertyAccess.cpp:
2624         (JSC::JIT::stringGetByValStubGenerator):
2625         (JSC::JIT::emitGetByValWithCachedId):
2626         (JSC::JIT::emitSlow_op_get_by_val):
2627         (JSC::JIT::emitPutByValWithCachedId):
2628         (JSC::JIT::emitSlow_op_put_by_val):
2629         (JSC::JIT::emitSlow_op_try_get_by_id):
2630         (JSC::JIT::emitSlow_op_get_by_id_direct):
2631         (JSC::JIT::emitSlow_op_get_by_id):
2632         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2633         (JSC::JIT::emitSlow_op_put_by_id):
2634         (JSC::JIT::privateCompileGetByVal):
2635         (JSC::JIT::privateCompileGetByValWithCachedId):
2636         (JSC::JIT::privateCompilePutByVal):
2637         (JSC::JIT::privateCompilePutByValWithCachedId):
2638         * jit/JITPropertyAccess32_64.cpp:
2639         (JSC::JIT::stringGetByValStubGenerator):
2640         (JSC::JIT::emitSlow_op_get_by_val):
2641         (JSC::JIT::emitSlow_op_put_by_val):
2642         * jit/JITStubRoutine.h:
2643         (JSC::JITStubRoutine::JITStubRoutine):
2644         (JSC::JITStubRoutine::createSelfManagedRoutine):
2645         (JSC::JITStubRoutine::code const):
2646         (JSC::JITStubRoutine::asCodePtr):
2647         * jit/JITThunks.cpp:
2648         (JSC::JITThunks::ctiNativeCall):
2649         (JSC::JITThunks::ctiNativeConstruct):
2650         (JSC::JITThunks::ctiNativeTailCall):
2651         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
2652         (JSC::JITThunks::ctiInternalFunctionCall):
2653         (JSC::JITThunks::ctiInternalFunctionConstruct):
2654         (JSC::JITThunks::ctiStub):
2655         (JSC::JITThunks::existingCTIStub):
2656         (JSC::JITThunks::hostFunctionStub):
2657         * jit/JITThunks.h:
2658         * jit/PCToCodeOriginMap.cpp:
2659         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
2660         * jit/PCToCodeOriginMap.h:
2661         * jit/PolymorphicCallStubRoutine.cpp:
2662         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2663         * jit/PolymorphicCallStubRoutine.h:
2664         * jit/Repatch.cpp:
2665         (JSC::readPutICCallTarget):
2666         (JSC::ftlThunkAwareRepatchCall):
2667         (JSC::appropriateOptimizingGetByIdFunction):
2668         (JSC::appropriateGetByIdFunction):
2669         (JSC::tryCacheGetByID):
2670         (JSC::repatchGetByID):
2671         (JSC::tryCachePutByID):
2672         (JSC::repatchPutByID):
2673         (JSC::tryCacheIn):
2674         (JSC::repatchIn):
2675         (JSC::linkSlowFor):
2676         (JSC::linkFor):
2677         (JSC::linkDirectFor):
2678         (JSC::revertCall):
2679         (JSC::unlinkFor):
2680         (JSC::linkVirtualFor):
2681         (JSC::linkPolymorphicCall):
2682         (JSC::resetGetByID):
2683         (JSC::resetPutByID):
2684         * jit/Repatch.h:
2685         * jit/SlowPathCall.h:
2686         (JSC::JITSlowPathCall::call):
2687         * jit/SpecializedThunkJIT.h:
2688         (JSC::SpecializedThunkJIT::finalize):
2689         (JSC::SpecializedThunkJIT::callDoubleToDouble):
2690         (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
2691         * jit/ThunkGenerator.h:
2692         * jit/ThunkGenerators.cpp:
2693         (JSC::throwExceptionFromCallSlowPathGenerator):
2694         (JSC::slowPathFor):
2695         (JSC::linkCallThunkGenerator):
2696         (JSC::linkPolymorphicCallThunkGenerator):
2697         (JSC::virtualThunkFor):
2698         (JSC::nativeForGenerator):
2699         (JSC::nativeCallGenerator):
2700         (JSC::nativeTailCallGenerator):
2701         (JSC::nativeTailCallWithoutSavedTagsGenerator):
2702         (JSC::nativeConstructGenerator):
2703         (JSC::internalFunctionCallGenerator):
2704         (JSC::internalFunctionConstructGenerator):
2705         (JSC::arityFixupGenerator):
2706         (JSC::unreachableGenerator):
2707         (JSC::charCodeAtThunkGenerator):
2708         (JSC::charAtThunkGenerator):
2709         (JSC::fromCharCodeThunkGenerator):
2710         (JSC::clz32ThunkGenerator):
2711         (JSC::sqrtThunkGenerator):
2712         (JSC::floorThunkGenerator):
2713         (JSC::ceilThunkGenerator):
2714         (JSC::truncThunkGenerator):
2715         (JSC::roundThunkGenerator):
2716         (JSC::expThunkGenerator):
2717         (JSC::logThunkGenerator):
2718         (JSC::absThunkGenerator):
2719         (JSC::imulThunkGenerator):
2720         (JSC::randomThunkGenerator):
2721         (JSC::boundThisNoArgsFunctionCallGenerator):
2722         * jit/ThunkGenerators.h:
2723         * llint/LLIntData.cpp:
2724         (JSC::LLInt::initialize):
2725         * llint/LLIntData.h:
2726         (JSC::LLInt::getExecutableAddress):
2727         (JSC::LLInt::getCodePtr):
2728         (JSC::LLInt::getCodeRef):
2729         (JSC::LLInt::getCodeFunctionPtr):
2730         * llint/LLIntEntrypoint.cpp:
2731         (JSC::LLInt::setFunctionEntrypoint):
2732         (JSC::LLInt::setEvalEntrypoint):
2733         (JSC::LLInt::setProgramEntrypoint):
2734         (JSC::LLInt::setModuleProgramEntrypoint):
2735         * llint/LLIntExceptions.cpp:
2736         (JSC::LLInt::callToThrow):
2737         * llint/LLIntSlowPaths.cpp:
2738         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2739         (JSC::LLInt::setUpCall):
2740         * llint/LLIntThunks.cpp:
2741         (JSC::vmEntryToWasm):
2742         (JSC::LLInt::generateThunkWithJumpTo):
2743         (JSC::LLInt::functionForCallEntryThunkGenerator):
2744         (JSC::LLInt::functionForConstructEntryThunkGenerator):
2745         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
2746         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
2747         (JSC::LLInt::evalEntryThunkGenerator):
2748         (JSC::LLInt::programEntryThunkGenerator):
2749         (JSC::LLInt::moduleProgramEntryThunkGenerator):
2750         * llint/LLIntThunks.h:
2751         * llint/LowLevelInterpreter.asm:
2752         * llint/LowLevelInterpreter32_64.asm:
2753         * llint/LowLevelInterpreter64.asm:
2754         * profiler/ProfilerCompilation.cpp:
2755         (JSC::Profiler::Compilation::addOSRExitSite):
2756         * profiler/ProfilerCompilation.h:
2757         * profiler/ProfilerOSRExitSite.cpp:
2758         (JSC::Profiler::OSRExitSite::toJS const):
2759         * profiler/ProfilerOSRExitSite.h:
2760         (JSC::Profiler::OSRExitSite::OSRExitSite):
2761         (JSC::Profiler::OSRExitSite::codeAddress const):
2762         (JSC::Profiler::OSRExitSite:: const): Deleted.
2763         * runtime/ExecutableBase.cpp:
2764         (JSC::ExecutableBase::clearCode):
2765         * runtime/ExecutableBase.h:
2766         (JSC::ExecutableBase::entrypointFor):
2767         * runtime/NativeExecutable.cpp:
2768         (JSC::NativeExecutable::finishCreation):
2769         * runtime/NativeFunction.h:
2770         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2771         (JSC::TaggedNativeFunction::operator NativeFunction):
2772         * runtime/PtrTag.h:
2773         (JSC::tagCodePtr):
2774         (JSC::untagCodePtr):
2775         (JSC::retagCodePtr):
2776         (JSC::tagCFunctionPtr):
2777         (JSC::untagCFunctionPtr):
2778         (JSC::nextPtrTagID): Deleted.
2779         * runtime/PutPropertySlot.h:
2780         (JSC::PutPropertySlot::PutPropertySlot):
2781         (JSC::PutPropertySlot::setCustomValue):
2782         (JSC::PutPropertySlot::setCustomAccessor):
2783         (JSC::PutPropertySlot::customSetter const):
2784         * runtime/ScriptExecutable.cpp:
2785         (JSC::ScriptExecutable::installCode):
2786         * runtime/VM.cpp:
2787         (JSC::VM::getHostFunction):
2788         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2789         * runtime/VM.h:
2790         (JSC::VM::getCTIStub):
2791         * wasm/WasmB3IRGenerator.cpp:
2792         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2793         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
2794         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2795         (JSC::Wasm::B3IRGenerator::addCall):
2796         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2797         * wasm/WasmBBQPlan.cpp:
2798         (JSC::Wasm::BBQPlan::prepare):
2799         (JSC::Wasm::BBQPlan::complete):
2800         * wasm/WasmBBQPlan.h:
2801         * wasm/WasmBinding.cpp:
2802         (JSC::Wasm::wasmToWasm):
2803         * wasm/WasmBinding.h:
2804         * wasm/WasmCallee.h:
2805         (JSC::Wasm::Callee::entrypoint const):
2806         * wasm/WasmCallingConvention.h:
2807         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
2808         * wasm/WasmCodeBlock.h:
2809         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
2810         * wasm/WasmFaultSignalHandler.cpp:
2811         (JSC::Wasm::trapHandler):
2812         * wasm/WasmFormat.h:
2813         * wasm/WasmInstance.h:
2814         * wasm/WasmOMGPlan.cpp:
2815         (JSC::Wasm::OMGPlan::work):
2816         * wasm/WasmThunks.cpp:
2817         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2818         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2819         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2820         (JSC::Wasm::Thunks::stub):
2821         (JSC::Wasm::Thunks::existingStub):
2822         * wasm/WasmThunks.h:
2823         * wasm/js/JSToWasm.cpp:
2824         (JSC::Wasm::createJSToWasmWrapper):
2825         * wasm/js/JSWebAssemblyCodeBlock.h:
2826         * wasm/js/WasmToJS.cpp:
2827         (JSC::Wasm::handleBadI64Use):
2828         (JSC::Wasm::wasmToJS):
2829         * wasm/js/WasmToJS.h:
2830         * wasm/js/WebAssemblyFunction.h:
2831         * yarr/YarrJIT.cpp:
2832         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
2833         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
2834         (JSC::Yarr::YarrGenerator::compile):
2835         * yarr/YarrJIT.h:
2836         (JSC::Yarr::YarrCodeBlock::set8BitCode):
2837         (JSC::Yarr::YarrCodeBlock::set16BitCode):
2838         (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
2839         (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
2840         (JSC::Yarr::YarrCodeBlock::execute):
2841         (JSC::Yarr::YarrCodeBlock::clear):
2842
2843 2018-04-17  Commit Queue  <commit-queue@webkit.org>
2844
2845         Unreviewed, rolling out r230697, r230720, and r230724.
2846         https://bugs.webkit.org/show_bug.cgi?id=184717
2847
2848         These caused multiple failures on the Test262 testers.
2849         (Requested by mlewis13 on #webkit).
2850
2851         Reverted changesets:
2852
2853         "[WebAssembly][Modules] Prototype wasm import"
2854         https://bugs.webkit.org/show_bug.cgi?id=184600
2855         https://trac.webkit.org/changeset/230697
2856
2857         "[WebAssembly][Modules] Implement function import from wasm
2858         modules"
2859         https://bugs.webkit.org/show_bug.cgi?id=184689
2860         https://trac.webkit.org/changeset/230720
2861
2862         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
2863         https://bugs.webkit.org/show_bug.cgi?id=184703
2864         https://trac.webkit.org/changeset/230724
2865
2866 2018-04-17  JF Bastien  <jfbastien@apple.com>
2867
2868         A put is not an ExistingProperty put when we transition a structure because of an attributes change
2869         https://bugs.webkit.org/show_bug.cgi?id=184706
2870         <rdar://problem/38871451>
2871
2872         Reviewed by Saam Barati.
2873
2874         When putting a property on a structure and the slot is a different
2875         type, the slot can't be said to have already been existing.
2876
2877         * runtime/JSObjectInlines.h:
2878         (JSC::JSObject::putDirectInternal):
2879
2880 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2881
2882         JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
2883         https://bugs.webkit.org/show_bug.cgi?id=184705
2884
2885         Reviewed by Michael Saboff.
2886         
2887         My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
2888         while testing an unrelated patch, a concurrent GC thread crashed inside
2889         JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
2890         because a typed array became wasteful concurrently to the GC. So, visitChildren() read one
2891         mode and another vector.
2892         
2893         The fix is to lock inside visitChildren and anyone who changes those fields.
2894         
2895         I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
2896         this.
2897
2898         * runtime/JSArrayBufferView.cpp:
2899         (JSC::JSArrayBufferView::neuter):
2900         * runtime/JSGenericTypedArrayViewInlines.h:
2901         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2902         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2903
2904 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
2905
2906         PutStackSinkingPhase should know that KillStack means ConflictingFlush
2907         https://bugs.webkit.org/show_bug.cgi?id=184672
2908
2909         Reviewed by Michael Saboff.
2910
2911         We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
2912         KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
2913         archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
2914         intentional - I don't know.
2915
2916         Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
2917         doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
2918         the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
2919         KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
2920         that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
2921         specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
2922         could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
2923         KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
2924         inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
2925         have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
2926         values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
2927         value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
2928
2929         This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
2930         them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
2931         its stack slot for the purpose of clobberize.
2932
2933         * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
2934         * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
2935         * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
2936         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2937
2938 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2939
2940         JSWebAssemblyCodeBlock should be in an IsoSubspace
2941         https://bugs.webkit.org/show_bug.cgi?id=184704
2942
2943         Reviewed by Mark Lam.
2944         
2945         Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
2946         CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
2947         short-circuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
2948         protection.
2949
2950         * runtime/VM.cpp:
2951         (JSC::VM::VM):
2952         * runtime/VM.h:
2953         * wasm/js/JSWebAssemblyCodeBlock.h:
2954
2955 2018-04-17  Jer Noble  <jer.noble@apple.com>
2956
2957         Only enable useSeparatedWXHeap on ARM64.
2958         https://bugs.webkit.org/show_bug.cgi?id=184697
2959
2960         Reviewed by Saam Barati.
2961
2962         * runtime/Options.cpp:
2963         (JSC::recomputeDependentOptions):
2964
2965 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2966
2967         [WebAssembly][Modules] Implement function import from wasm modules
2968         https://bugs.webkit.org/show_bug.cgi?id=184689
2969
2970         Reviewed by JF Bastien.
2971
2972         This patch implements function import from wasm modules. We move the function importing part
2973         from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
2974         is because linking these functions requires that all the dependent modules are created.
2975         While we want to move all the linking functionality from JSWebAssemblyInstance to
2976         WebAssemblyModuleRecord::link, we do not do that in this patch. In this patch, we move only
2977         the function importing part because efficient compilation of WebAssembly needs to know
2978         the type of WebAssemblyMemory (signaling or bounds checking). This needs to know the imported
2979         or attached WebAssembly memory object. So we cannot defer this linking to
2980         WebAssemblyModuleRecord::link now.
2981
2982         The largest difference from JS module linking is that WebAssembly module linking links
2983         functions from the module by snapshotting. When you have a cyclic module graph like this,
2984
2985         -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
2986             ^                                                   |
2987             +---------------------------------------------------+
2988
2989         we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
2990         is described in [1], and tested in this patch.
2991
2992         [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
2993
2994         * JavaScriptCore.xcodeproj/project.pbxproj:
2995         * jsc.cpp:
2996         (functionDollarAgentStart):
2997         (checkException):
2998         (runWithOptions):
2999         Small fixes for wasm module loading.
3000
3001         * parser/NodesAnalyzeModule.cpp:
3002         (JSC::ImportDeclarationNode::analyzeModule):
3003         * runtime/AbstractModuleRecord.cpp:
3004         (JSC::AbstractModuleRecord::resolveImport):
3005         (JSC::AbstractModuleRecord::link):
3006         * runtime/AbstractModuleRecord.h:
3007         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
3008         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
3009         Now, wasm modules can have an import which is named "*". So this function does not work.
3010         Since wasm modules never have namespace importing, we check this in JS's module analyzer.
3011
3012         * runtime/JSModuleEnvironment.cpp:
3013         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
3014         * runtime/JSModuleRecord.cpp:
3015         (JSC::JSModuleRecord::instantiateDeclarations):
3016         * wasm/WasmCreationMode.h: Added.
3017         * wasm/js/JSWebAssemblyInstance.cpp:
3018         (JSC::JSWebAssemblyInstance::finalizeCreation):
3019         (JSC::JSWebAssemblyInstance::create):
3020         * wasm/js/JSWebAssemblyInstance.h:
3021         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3022         (JSC::constructJSWebAssemblyInstance):
3023         * wasm/js/WebAssemblyModuleRecord.cpp:
3024         (JSC::WebAssemblyModuleRecord::link):
3025         * wasm/js/WebAssemblyModuleRecord.h:
3026         * wasm/js/WebAssemblyPrototype.cpp:
3027         (JSC::resolve):
3028         (JSC::instantiate):
3029         (JSC::compileAndInstantiate):
3030         (JSC::WebAssemblyPrototype::instantiate):
3031         (JSC::webAssemblyInstantiateFunc):
3032
3033 2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>
3034
3035         Implement setupArgumentsImpl for ARM and MIPS
3036         https://bugs.webkit.org/show_bug.cgi?id=183786
3037
3038         Reviewed by Yusuke Suzuki.
3039
3040         Implement setupArgumentsImpl for the ARM (hardfp and softfp) and MIPS calling conventions. Added
3041         numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
3042         registers used for 64-bit values on 32-bit architectures. numCrossSources
3043         keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
3044
3045         * assembler/MacroAssemblerARMv7.h:
3046         (JSC::MacroAssemblerARMv7::moveDouble):
3047         * assembler/MacroAssemblerMIPS.h:
3048         (JSC::MacroAssemblerMIPS::moveDouble):
3049         * jit/CCallHelpers.h:
3050         (JSC::CCallHelpers::setupStubCrossArgs):
3051         (JSC::CCallHelpers::ArgCollection::ArgCollection):
3052         (JSC::CCallHelpers::ArgCollection::pushRegArg):
3053         (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
3054         (JSC::CCallHelpers::ArgCollection::addGPRArg):
3055         (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
3056         (JSC::CCallHelpers::ArgCollection::addStackArg):
3057         (JSC::CCallHelpers::ArgCollection::addPoke):
3058         (JSC::CCallHelpers::ArgCollection::argCount):
3059         (JSC::CCallHelpers::calculatePokeOffset):
3060         (JSC::CCallHelpers::pokeForArgument):
3061         (JSC::CCallHelpers::stackAligned):
3062         (JSC::CCallHelpers::marshallArgumentRegister):
3063         (JSC::CCallHelpers::setupArgumentsImpl):
3064         (JSC::CCallHelpers::pokeArgumentsAligned):
3065         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
3066         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
3067         (JSC::CCallHelpers::setupArguments):
3068         * jit/FPRInfo.h:
3069         (JSC::FPRInfo::toArgumentRegister):
3070
3071 2018-04-17  Saam Barati  <sbarati@apple.com>
3072
3073         Add system trace points for process launch and for initializeWebProcess
3074         https://bugs.webkit.org/show_bug.cgi?id=184669
3075
3076         Reviewed by Simon Fraser.
3077
3078         * runtime/VMEntryScope.cpp:
3079         (JSC::VMEntryScope::VMEntryScope):
3080         (JSC::VMEntryScope::~VMEntryScope):
3081
3082 2018-04-17  Jer Noble  <jer.noble@apple.com>
3083
3084         Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
3085         https://bugs.webkit.org/show_bug.cgi?id=184602
3086
3087         Reviewed by Beth Dakin.
3088
3089         * JavaScriptCore.xcodeproj/project.pbxproj:
3090
3091 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
3092
3093         [GLIB] Add API to clear JSCContext uncaught exception
3094         https://bugs.webkit.org/show_bug.cgi?id=184685
3095
3096         Reviewed by Žan Doberšek.
3097
3098         Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
3099
3100         * API/glib/JSCContext.cpp:
3101         (jsc_context_clear_exception):
3102         * API/glib/JSCContext.h:
3103         * API/glib/docs/jsc-glib-4.0-sections.txt:
3104
3105 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
3106
3107         [GLIB] Add API to query, delete and enumerate properties
3108         https://bugs.webkit.org/show_bug.cgi?id=184647
3109
3110         Reviewed by Michael Catanzaro.
3111
3112         Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
3113
3114         * API/glib/JSCValue.cpp:
3115         (jsc_value_object_has_property):
3116         (jsc_value_object_delete_property):
3117         (jsc_value_object_enumerate_properties):
3118         * API/glib/JSCValue.h:
3119         * API/glib/docs/jsc-glib-4.0-sections.txt:
3120
3121 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3122
3123         [WebAssembly][Modules] Prototype wasm import
3124         https://bugs.webkit.org/show_bug.cgi?id=184600
3125
3126         Reviewed by JF Bastien.
3127
3128         This patch is an initial attempt to implement Wasm loading in module pipeline.
3129         Currently,
3130
3131         1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
3132            in whatwg HTML, we should integrate this into WebCore.
3133
3134         2. We only support exporting values from Wasm. A Wasm module cannot import anything from
3135            the other modules now.
3136
3137         When loading a file, the JSC shell checks the wasm magic. If the wasm magic is found, the JSC shell
3138         loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
3139         module loader pipeline just handles it the same as JS. When parsing a module, we
3140         check the type of JSSourceCode. If the source code is Wasm source code, we create a
3141         WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
3142         AbstractModuleRecord and the Wasm module is instantiated, linked, and evaluated.
3143
3144         * builtins/ModuleLoaderPrototype.js:
3145         (globalPrivate.newRegistryEntry):
3146         (requestInstantiate):
3147         (link):
3148         * jsc.cpp:
3149         (convertShebangToJSComment):
3150         (fillBufferWithContentsOfFile):
3151         (fetchModuleFromLocalFileSystem):
3152         (GlobalObject::moduleLoaderFetch):
3153         * parser/SourceProvider.h:
3154         (JSC::WebAssemblySourceProvider::create):
3155         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
3156         * runtime/AbstractModuleRecord.cpp:
3157         (JSC::AbstractModuleRecord::hostResolveImportedModule):
3158         (JSC::AbstractModuleRecord::link):
3159         (JSC::AbstractModuleRecord::evaluate):
3160         (JSC::identifierToJSValue): Deleted.
3161         * runtime/AbstractModuleRecord.h:
3162         * runtime/JSModuleLoader.cpp:
3163         (JSC::JSModuleLoader::evaluate):
3164         * runtime/JSModuleRecord.cpp:
3165         (JSC::JSModuleRecord::link):
3166         (JSC::JSModuleRecord::instantiateDeclarations):
3167         * runtime/JSModuleRecord.h:
3168         * runtime/ModuleLoaderPrototype.cpp:
3169         (JSC::moduleLoaderPrototypeParseModule):
3170         (JSC::moduleLoaderPrototypeRequestedModules):
3171         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
3172         * wasm/js/JSWebAssemblyHelpers.h:
3173         (JSC::getWasmBufferFromValue):
3174         (JSC::createSourceBufferFromValue):
3175         * wasm/js/JSWebAssemblyInstance.cpp:
3176         (JSC::JSWebAssemblyInstance::finalizeCreation):
3177         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
3178         (JSC::JSWebAssemblyInstance::create):
3179         * wasm/js/JSWebAssemblyInstance.h:
3180         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3181         (JSC::constructJSWebAssemblyInstance):
3182         * wasm/js/WebAssemblyModuleRecord.cpp:
3183         (JSC::WebAssemblyModuleRecord::prepareLink):
3184         (JSC::WebAssemblyModuleRecord::link):
3185         * wasm/js/WebAssemblyModuleRecord.h:
3186         * wasm/js/WebAssemblyPrototype.cpp:
3187         (JSC::resolve):
3188         (JSC::instantiate):
3189         (JSC::compileAndInstantiate):
3190         (JSC::WebAssemblyPrototype::instantiate):
3191         (JSC::webAssemblyInstantiateFunc):
3192         (JSC::webAssemblyValidateFunc):
3193         * wasm/js/WebAssemblyPrototype.h:
3194
3195 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
3196
3197         Function.prototype.caller shouldn't return generator bodies
3198         https://bugs.webkit.org/show_bug.cgi?id=184630
3199
3200         Reviewed by Yusuke Suzuki.
3201         
3202         Function.prototype.caller no longer returns generator bodies. Those are meant to be
3203         private.
3204         
3205         Also added some builtin debugging tools so that it's easier to do the investigation that I
3206         did.
3207
3208         * builtins/BuiltinNames.h:
3209         * runtime/JSFunction.cpp:
3210         (JSC::JSFunction::callerGetter):
3211         * runtime/JSGlobalObject.cpp:
3212         (JSC::JSGlobalObject::init):
3213         * runtime/JSGlobalObjectFunctions.cpp:
3214         (JSC::globalFuncBuiltinDescribe):
3215         * runtime/JSGlobalObjectFunctions.h:
3216
3217 2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3218
3219         [DFG] Remove duplicate 32bit ProfileType implementation
3220         https://bugs.webkit.org/show_bug.cgi?id=184536
3221
3222         Reviewed by Saam Barati.
3223
3224         This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.
3225
3226         * dfg/DFGSpeculativeJIT.cpp:
3227         (JSC::DFG::SpeculativeJIT::compileProfileType):
3228         * dfg/DFGSpeculativeJIT.h:
3229         * dfg/DFGSpeculativeJIT32_64.cpp:
3230         (JSC::DFG::SpeculativeJIT::compile):
3231         * dfg/DFGSpeculativeJIT64.cpp:
3232         (JSC::DFG::SpeculativeJIT::compile):
3233         * jit/AssemblyHelpers.h:
3234         (JSC::AssemblyHelpers::branchIfUndefined):
3235         (JSC::AssemblyHelpers::branchIfNull):
3236
3237 2018-04-12  Mark Lam  <mark.lam@apple.com>
3238
3239         Consolidate some PtrTags.
3240         https://bugs.webkit.org/show_bug.cgi?id=184552
3241         <rdar://problem/39389404>
3242
3243         Reviewed by Filip Pizlo.
3244
3245         Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
3246         Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
3247
3248         * assembler/AbstractMacroAssembler.h:
3249         (JSC::AbstractMacroAssembler::repatchNearCall):
3250         * assembler/MacroAssemblerARM.h:
3251         (JSC::MacroAssemblerARM::readCallTarget):
3252         * assembler/MacroAssemblerARMv7.h:
3253         (JSC::MacroAssemblerARMv7::readCallTarget):
3254         * assembler/MacroAssemblerMIPS.h:
3255         (JSC::MacroAssemblerMIPS::readCallTarget):
3256         * assembler/MacroAssemblerX86.h:
3257         (JSC::MacroAssemblerX86::readCallTarget):
3258         * assembler/MacroAssemblerX86_64.h:
3259         (JSC::MacroAssemblerX86_64::readCallTarget):
3260         * bytecode/AccessCase.cpp:
3261         (JSC::AccessCase::generateImpl):
3262         * bytecode/InlineAccess.cpp:
3263         (JSC::InlineAccess::rewireStubAsJump):
3264         * bytecode/PolymorphicAccess.cpp:
3265         (JSC::PolymorphicAccess::regenerate):
3266         * dfg/DFGJITCompiler.cpp:
3267         (JSC::DFG::JITCompiler::linkOSRExits):
3268         (JSC::DFG::JITCompiler::link):
3269         (JSC::DFG::JITCompiler::compileFunction):
3270         * dfg/DFGJITFinalizer.cpp:
3271         (JSC::DFG::JITFinalizer::finalize):
3272         (JSC::DFG::JITFinalizer::finalizeFunction):
3273         * dfg/DFGOSREntry.cpp:
3274         (JSC::DFG::prepareOSREntry):
3275         * dfg/DFGOSRExit.cpp:
3276         (JSC::DFG::OSRExit::executeOSRExit):
3277         (JSC::DFG::adjustAndJumpToTarget):
3278         (JSC::DFG::OSRExit::compileOSRExit):
3279         * dfg/DFGOSRExitCompilerCommon.cpp:
3280         (JSC::DFG::adjustAndJumpToTarget):
3281         * dfg/DFGOperations.cpp:
3282         * ftl/FTLJITCode.cpp:
3283         (JSC::FTL::JITCode::executableAddressAtOffset):
3284         * ftl/FTLJITFinalizer.cpp:
3285         (JSC::FTL::JITFinalizer::finalizeCommon):
3286         * ftl/FTLLazySlowPath.cpp:
3287         (JSC::FTL::LazySlowPath::generate):
3288         * ftl/FTLLink.cpp:
3289         (JSC::FTL::link):
3290         * ftl/FTLLowerDFGToB3.cpp:
3291         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3292         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3293         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3294         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3295         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3296         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3297         * ftl/FTLOSRExitCompiler.cpp:
3298         (JSC::FTL::compileFTLOSRExit):
3299         * ftl/FTLOSRExitHandle.cpp:
3300         (JSC::FTL::OSRExitHandle::emitExitThunk):
3301         * jit/AssemblyHelpers.cpp:
3302         (JSC::AssemblyHelpers::emitDumbVirtualCall):
3303         * jit/JIT.cpp:
3304         (JSC::JIT::compileWithoutLinking):
3305         (JSC::JIT::link):
3306         * jit/JITCall.cpp:
3307         (JSC::JIT::compileOpCallSlowCase):
3308         * jit/JITCode.cpp:
3309         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
3310         (JSC::NativeJITCode::addressForCall):
3311         * jit/JITInlines.h:
3312         (JSC::JIT::emitNakedCall):
3313         (JSC::JIT::emitNakedTailCall):
3314         * jit/JITMathIC.h:
3315         (JSC::isProfileEmpty):
3316         * jit/JITOpcodes.cpp:
3317         (JSC::JIT::privateCompileHasIndexedProperty):
3318         * jit/JITOperations.cpp:
3319         * jit/JITPropertyAccess.cpp:
3320         (JSC::JIT::stringGetByValStubGenerator):
3321         (JSC::JIT::privateCompileGetByVal):
3322         (JSC::JIT::privateCompileGetByValWithCachedId):
3323         (JSC::JIT::privateCompilePutByVal):
3324         (JSC::JIT::privateCompilePutByValWithCachedId):
3325         * jit/JITThunks.cpp:
3326         (JSC::JITThunks::hostFunctionStub):
3327         * jit/Repatch.cpp:
3328         (JSC::linkSlowFor):
3329         (JSC::linkFor):
3330         (JSC::linkPolymorphicCall):
3331         * jit/SpecializedThunkJIT.h:
3332         (JSC::SpecializedThunkJIT::finalize):
3333         * jit/ThunkGenerators.cpp:
3334         (JSC::virtualThunkFor):
3335         (JSC::nativeForGenerator):
3336         (JSC::boundThisNoArgsFunctionCallGenerator):
3337         * llint/LLIntData.cpp:
3338         (JSC::LLInt::initialize):
3339         * llint/LLIntEntrypoint.cpp:
3340         (JSC::LLInt::setEvalEntrypoint):
3341         (JSC::LLInt::setProgramEntrypoint):
3342         (JSC::LLInt::setModuleProgramEntrypoint):
3343         * llint/LLIntSlowPaths.cpp:
3344         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3345         (JSC::LLInt::setUpCall):
3346         * llint/LLIntThunks.cpp:
3347         (JSC::LLInt::generateThunkWithJumpTo):
3348         (JSC::LLInt::functionForCallEntryThunkGenerator):
3349         (JSC::LLInt::functionForConstructEntryThunkGenerator):
3350         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
3351         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
3352         (JSC::LLInt::evalEntryThunkGenerator):
3353         (JSC::LLInt::programEntryThunkGenerator):
3354         (JSC::LLInt::moduleProgramEntryThunkGenerator):
3355         * llint/LowLevelInterpreter.asm:
3356         * llint/LowLevelInterpreter64.asm:
3357         * runtime/NativeExecutable.cpp:
3358         (JSC::NativeExecutable::finishCreation):
3359         * runtime/NativeFunction.h:
3360         (JSC::TaggedNativeFunction::TaggedNativeFunction):
3361         (JSC::TaggedNativeFunction::operator NativeFunction):
3362         * runtime/PtrTag.h:
3363         * wasm/WasmBBQPlan.cpp:
3364         (JSC::Wasm::BBQPlan::complete):
3365         * wasm/WasmOMGPlan.cpp:
3366         (JSC::Wasm::OMGPlan::work):
3367         * wasm/WasmThunks.cpp:
3368         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3369         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
3370         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3371         * wasm/js/WasmToJS.cpp:
3372         (JSC::Wasm::wasmToJS):
3373         * wasm/js/WebAssemblyFunction.h:
3374         * yarr/YarrJIT.cpp:
3375         (JSC::Yarr::YarrGenerator::compile):
3376
3377 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
3378
3379         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
3380         https://bugs.webkit.org/show_bug.cgi?id=184379
3381
3382         Reviewed by Žan Doberšek.
3383
3384         Load the module from the new location.
3385
3386         * PlatformWPE.cmake:
3387         * inspector/remote/glib/RemoteInspectorUtils.cpp:
3388         (Inspector::backendCommands):
3389
3390 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3391
3392         [DFG] Remove compileBigIntEquality in DFG 32bit
3393         https://bugs.webkit.org/show_bug.cgi?id=184535
3394
3395         Reviewed by Saam Barati.
3396
3397         We can have the unified implementation for compileBigIntEquality.
3398
3399         * dfg/DFGSpeculativeJIT.cpp:
3400         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
3401         * dfg/DFGSpeculativeJIT32_64.cpp:
3402         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
3403         * dfg/DFGSpeculativeJIT64.cpp: