Improve use of ExportMacros
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2
3         Improve use of ExportMacros
4         https://bugs.webkit.org/show_bug.cgi?id=181652
5
6         Reviewed by Konstantin Tokarev.
7
8         * API/JSBase.h: Update a comment.
9         * inspector/InspectorBackendDispatcher.h: Use a better, yet equivalent, WTF macro.
10         * runtime/JSExportMacros.h: Simplify the #defines in this file.
11
12 2018-01-15  JF Bastien  <jfbastien@apple.com>
13
14         Remove makePoisonedUnique
15         https://bugs.webkit.org/show_bug.cgi?id=181630
16         <rdar://problem/36498623>
17
18         Reviewed by Mark Lam.
19
20         I added a conversion from std::unique_ptr, so we can just use
21         std::make_unique and it'll auto-poison when converted.
22
23         * bytecode/CodeBlock.h:
24         (JSC::CodeBlock::makePoisonedUnique): Deleted.
25         * runtime/JSGlobalObject.cpp:
26         (JSC::JSGlobalObject::init):
27         * runtime/JSGlobalObject.h:
28         (JSC::JSGlobalObject::makePoisonedUnique): Deleted.
29
30 2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>
31
32         REGRESSION(r226266): [GTK] RELEASE_ASSERT(reservedZoneSize >= minimumReservedZoneSize) in JSC::VM::updateStackLimits
33         https://bugs.webkit.org/show_bug.cgi?id=181438
34         <rdar://problem/36376724>
35
36         Reviewed by Carlos Garcia Campos.
37
38         Roll out the functional changes of r226266. We'll keep the minor CMake library type setting
39         cleanup, but we have to switch back to building JSC only as a shared library, and we have to
40         get rid of the version script.
41
42         * PlatformGTK.cmake:
43         * javascriptcoregtk-symbols.map: Removed.
44
45 2018-01-14  Saam Barati  <sbarati@apple.com>
46
47         Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build.
48
49         * bytecode/CallLinkStatus.cpp:
50         (JSC::CallLinkStatus::computeFromLLInt):
51         (JSC::CallLinkStatus::computeExitSiteData):
52
53 2018-01-13  Mark Lam  <mark.lam@apple.com>
54
55         Replace all use of ConstExprPoisoned with Poisoned.
56         https://bugs.webkit.org/show_bug.cgi?id=181542
57         <rdar://problem/36442138>
58
59         Reviewed by JF Bastien.
60
61         1. All JSC poisons are now defined in JSCPoison.h.
62
63         2. Change all clients to use the new poison values via the POISON() macro.
64
65         3. The LLInt code has been updated to handle CodeBlock poison.  Some of this code
66            uses the t5 temp register, which is not available on the Windows port.
67            Fortunately, we don't currently do poisoning on the Windows port yet.  So,
68            it will just work for now.
69
70            When poisoning is enabled for the Windows port, this LLInt code will need a
71            Windows-specific implementation to work around its lack of a t5 register.
72
73         * API/JSAPIWrapperObject.h:
74         * API/JSCallbackFunction.h:
75         * API/JSCallbackObject.h:
76         * JavaScriptCore.xcodeproj/project.pbxproj:
77         * Sources.txt:
78         * assembler/MacroAssemblerCodeRef.h:
79         (JSC::MacroAssemblerCodePtr::emptyValue):
80         (JSC::MacroAssemblerCodePtr::deletedValue):
81         * b3/B3LowerMacros.cpp:
82         * b3/testb3.cpp:
83         (JSC::B3::testInterpreter):
84         * bytecode/CodeBlock.h:
85         (JSC::CodeBlock::instructions):
86         (JSC::CodeBlock::instructions const):
87         (JSC::CodeBlock::makePoisonedUnique):
88         * dfg/DFGOSRExitCompilerCommon.h:
89         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
90         * dfg/DFGSpeculativeJIT.cpp:
91         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
92         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
93         * ftl/FTLLowerDFGToB3.cpp:
94         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
95         * jit/JIT.h:
96         * jit/ThunkGenerators.cpp:
97         (JSC::virtualThunkFor):
98         (JSC::nativeForGenerator):
99         (JSC::boundThisNoArgsFunctionCallGenerator):
100         * llint/LowLevelInterpreter.asm:
101         * llint/LowLevelInterpreter32_64.asm:
102         * llint/LowLevelInterpreter64.asm:
103         * parser/UnlinkedSourceCode.h:
104         * runtime/ArrayPrototype.h:
105         * runtime/CustomGetterSetter.h:
106         * runtime/DateInstance.h:
107         * runtime/InternalFunction.h:
108         * runtime/JSArrayBuffer.h:
109         * runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
110         (JSC::initializePoison):
111         * runtime/JSCPoison.h:
112         (): Deleted.
113         * runtime/JSCPoisonedPtr.cpp: Removed.
114         * runtime/JSCPoisonedPtr.h: Removed.
115         * runtime/JSGlobalObject.h:
116         (JSC::JSGlobalObject::makePoisonedUnique):
117         * runtime/JSScriptFetchParameters.h:
118         * runtime/JSScriptFetcher.h:
119         * runtime/NativeExecutable.h:
120         * runtime/StructureTransitionTable.h:
121         (JSC::StructureTransitionTable::map const):
122         (JSC::StructureTransitionTable::weakImpl const):
123         * runtime/WriteBarrier.h:
124         (JSC::WriteBarrier::poison):
125         * wasm/js/JSToWasm.cpp:
126         (JSC::Wasm::createJSToWasmWrapper):
127         * wasm/js/JSWebAssemblyCodeBlock.cpp:
128         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
129         * wasm/js/JSWebAssemblyCodeBlock.h:
130         * wasm/js/JSWebAssemblyInstance.h:
131         * wasm/js/JSWebAssemblyMemory.h:
132         * wasm/js/JSWebAssemblyModule.h:
133         * wasm/js/JSWebAssemblyTable.h:
134         * wasm/js/WasmToJS.cpp:
135         (JSC::Wasm::handleBadI64Use):
136         (JSC::Wasm::wasmToJS):
137         * wasm/js/WebAssemblyFunctionBase.h:
138         * wasm/js/WebAssemblyModuleRecord.h:
139         * wasm/js/WebAssemblyToJSCallee.h:
140         * wasm/js/WebAssemblyWrapperFunction.h:
141
142 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
143
144         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
145         https://bugs.webkit.org/show_bug.cgi?id=181182
146
147         Reviewed by Darin Adler.
148
149         Casting a double to an integer is undefined behavior when the truncation
150         results in a value that doesn't fit into the integer type, according to the C++
151         spec [1]. Thus, we are changing bigIntProtoFuncToString and
152         numberProtoFuncToString to remove this source of undefined behavior.
153
154         [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
155
156         * runtime/BigIntPrototype.cpp:
157         (JSC::bigIntProtoFuncToString):
158         * runtime/NumberPrototype.cpp:
159         (JSC::numberProtoFuncToString):
160         (JSC::extractRadixFromArgs): Deleted.
161         (JSC::extractToStringRadixArgument): Added.
162
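The defect class in the entry above (casting an out-of-range double to int32_t is undefined behaviour in C++, so the range check must happen before the conversion, not after it) as an added example. This is not JSC's code and not the extractToStringRadixArgument function the entry names; the function names, the demo namespace and the RadixResult struct are my own. It shows the unsafe ordering beside a hardened general double-to-int32 conversion and the radix case built on top of it.

```cpp
#include <cmath>
#include <cstdint>

// Added example, not JavaScriptCore's implementation.
namespace demo {

// ECMAScript Number.prototype.toString accepts a radix in [2, 36] after
// ToInteger truncation; anything else is a RangeError.
constexpr int32_t kMinRadix = 2;
constexpr int32_t kMaxRadix = 36;

// Pattern to avoid: the cast runs before any range check. For an argument such
// as 1e20, NaN or Infinity the static_cast itself is undefined behaviour, so the
// range check that follows cannot rescue it. Only call this with in-range input.
inline bool unsafeRadixInRange(double radixArg)
{
    int32_t radix = static_cast<int32_t>(radixArg); // UB when radixArg does not fit int32_t
    return radix >= kMinRadix && radix <= kMaxRadix;
}

// General hardened conversion: reject non-finite values, truncate toward zero
// (as ToInteger does), and compare against the int32_t bounds while the value is
// still a double. Both bounds are exactly representable as doubles, so the
// comparison is exact. Only after that is the conversion well defined.
inline bool tryDoubleToInt32(double value, int32_t& out)
{
    if (!std::isfinite(value))
        return false;
    double truncated = std::trunc(value);
    if (truncated < static_cast<double>(INT32_MIN) || truncated > static_cast<double>(INT32_MAX))
        return false;
    out = static_cast<int32_t>(truncated);
    return true;
}

// Result type for the radix case: valid == false where JavaScript would throw.
struct RadixResult {
    bool valid;
    int32_t radix;
};

// The radix-specific instance of the check (my naming, not JSC's): the double
// is validated and converted by tryDoubleToInt32, then range-checked as an int.
inline RadixResult safeRadixFromDouble(double radixArg)
{
    int32_t radix = 0;
    if (!tryDoubleToInt32(radixArg, radix) || radix < kMinRadix || radix > kMaxRadix)
        return { false, 0 };
    return { true, radix };
}

} // namespace demo
```

The order of operations is the whole point: finiteness check, truncation, bounds comparison in the double domain, and only then the cast. Reordering any of these puts the undefined cast back in front of the check.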
163 2018-01-12  Saam Barati  <sbarati@apple.com>
164
165         Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock
166         https://bugs.webkit.org/show_bug.cgi?id=181545
167
168         Reviewed by Michael Saboff.
169
170         This patch follows the theme of putting optimization profiling information on
171         UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data.
172         This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock
173         pulled from the code cache, making better compilation decisions, usually
174         resulting in fewer exits, and fewer recompilations.
175         
176         This is a 1% Speedometer progression in my testing.
177
178         * bytecode/BytecodeDumper.cpp:
179         (JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
180         * bytecode/CallLinkStatus.cpp:
181         (JSC::CallLinkStatus::computeFromLLInt):
182         (JSC::CallLinkStatus::computeFor):
183         (JSC::CallLinkStatus::computeExitSiteData):
184         (JSC::CallLinkStatus::computeDFGStatuses):
185         * bytecode/CallLinkStatus.h:
186         * bytecode/CodeBlock.h:
187         (JSC::CodeBlock::addFrequentExitSite): Deleted.
188         (JSC::CodeBlock::hasExitSite const): Deleted.
189         (JSC::CodeBlock::exitProfile): Deleted.
190         * bytecode/DFGExitProfile.cpp:
191         (JSC::DFG::ExitProfile::add):
192         (JSC::DFG::QueryableExitProfile::initialize):
193         * bytecode/DFGExitProfile.h:
194         (JSC::DFG::ExitProfile::hasExitSite const):
195         * bytecode/GetByIdStatus.cpp:
196         (JSC::GetByIdStatus::hasExitSite):
197         (JSC::GetByIdStatus::computeFor):
198         (JSC::GetByIdStatus::computeForStubInfo):
199         * bytecode/GetByIdStatus.h:
200         * bytecode/PutByIdStatus.cpp:
201         (JSC::PutByIdStatus::hasExitSite):
202         (JSC::PutByIdStatus::computeFor):
203         (JSC::PutByIdStatus::computeForStubInfo):
204         * bytecode/PutByIdStatus.h:
205         * bytecode/UnlinkedCodeBlock.cpp:
206         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
207         * bytecode/UnlinkedCodeBlock.h:
208         (JSC::UnlinkedCodeBlock::hasExitSite const):
209         (JSC::UnlinkedCodeBlock::hasExitSite):
210         (JSC::UnlinkedCodeBlock::exitProfile):
211         * dfg/DFGByteCodeParser.cpp:
212         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
213         * dfg/DFGGraph.h:
214         (JSC::DFG::Graph::hasGlobalExitSite):
215         (JSC::DFG::Graph::hasExitSite):
216         * dfg/DFGLICMPhase.cpp:
217         (JSC::DFG::LICMPhase::attemptHoist):
218         * dfg/DFGOSRExitBase.cpp:
219         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
220
221 2018-01-12  JF Bastien  <jfbastien@apple.com>
222
223         PoisonedWriteBarrier
224         https://bugs.webkit.org/show_bug.cgi?id=181599
225         <rdar://problem/36474351>
226
227         Reviewed by Mark Lam.
228
229         Allow poisoning of WriteBarrier objects, and use this for
230         WebAssembly because it is perf-neutral, at least on WasmBench on
231         my MBP. If it indeed is perf-neutral according to the bots, start
232         using it in more performance-sensitive places.
233
234         * heap/HandleTypes.h:
235         * heap/SlotVisitor.h:
236         * heap/SlotVisitorInlines.h:
237         (JSC::SlotVisitor::append):
238         (JSC::SlotVisitor::appendHidden):
239         * runtime/JSCJSValue.h:
240         * runtime/JSCPoison.h:
241         * runtime/Structure.h:
242         * runtime/StructureInlines.h:
243         (JSC::Structure::setPrototypeWithoutTransition):
244         (JSC::Structure::setGlobalObject):
245         (JSC::Structure::setPreviousID):
246         * runtime/WriteBarrier.h:
247         (JSC::WriteBarrierBase::copyFrom):
248         (JSC::WriteBarrierBase::get const):
249         (JSC::WriteBarrierBase::operator* const):
250         (JSC::WriteBarrierBase::operator-> const):
251         (JSC::WriteBarrierBase::clear):
252         (JSC::WriteBarrierBase::slot):
253         (JSC::WriteBarrierBase::operator bool const):
254         (JSC::WriteBarrierBase::setWithoutWriteBarrier):
255         (JSC::WriteBarrierBase::unvalidatedGet const):
256         (JSC::operator==):
257         * runtime/WriteBarrierInlines.h:
258         (JSC::Traits>::set):
259         (JSC::Traits>::setMayBeNull):
260         (JSC::Traits>::setEarlyValue):
261         (JSC::DumbValueTraits<Unknown>>::set):
262         * wasm/WasmInstance.h:
263         * wasm/js/JSWebAssemblyInstance.cpp:
264         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
265         (JSC::JSWebAssemblyInstance::finishCreation):
266         (JSC::JSWebAssemblyInstance::visitChildren):
267         (JSC::JSWebAssemblyInstance::create):
268         * wasm/js/JSWebAssemblyInstance.h:
269         (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee):
270         * wasm/js/JSWebAssemblyMemory.h:
271         * wasm/js/JSWebAssemblyModule.h:
272         * wasm/js/JSWebAssemblyTable.cpp:
273         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
274         (JSC::JSWebAssemblyTable::grow):
275         (JSC::JSWebAssemblyTable::clearFunction):
276         * wasm/js/JSWebAssemblyTable.h:
277         * wasm/js/WasmToJS.cpp:
278         (JSC::Wasm::materializeImportJSCell):
279         (JSC::Wasm::handleBadI64Use):
280         (JSC::Wasm::wasmToJS):
281         * wasm/js/WebAssemblyFunctionBase.h:
282         * wasm/js/WebAssemblyModuleRecord.cpp:
283         (JSC::WebAssemblyModuleRecord::link):
284         (JSC::WebAssemblyModuleRecord::evaluate):
285         * wasm/js/WebAssemblyModuleRecord.h:
286         * wasm/js/WebAssemblyToJSCallee.h:
287         * wasm/js/WebAssemblyWrapperFunction.h:
288
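The three poisoning entries above (makePoisonedUnique removal, the move from ConstExprPoisoned to Poisoned with JSCPoison.h, and PoisonedWriteBarrier) all rely on the same mitigation: a pointer is stored XORed with a secret key, so the raw bits in memory are not a usable address and a pointer read through the wrong type or the wrong key decodes to garbage. The following is an added, deliberately simplified illustration of that idea; it is not WTF's Poisoned, not JSC's POISON() macro or WriteBarrier, and the demo namespace, the compile-time kDemoPoisonKey (JSC generates its keys at startup) and the Payload struct are my own.

```cpp
#include <cstdint>
#include <memory>
#include <utility>

// Added example, not JavaScriptCore's implementation.
namespace demo {

// Constructed demo key. JSC generates poison keys at startup (initializePoison
// in the entries above); a constant is used here only to keep the example
// self-contained. The security of the scheme depends on the key being secret.
constexpr uintptr_t kDemoPoisonKey = static_cast<uintptr_t>(0x5a5a5a5a5a5a5a5aULL);

// Non-owning poisoned pointer: the only thing stored is ptr ^ Key.
template <uintptr_t Key, typename T>
class Poisoned {
public:
    Poisoned() = default;
    explicit Poisoned(T* ptr) : m_bits(poison(ptr)) { }

    T* get() const { return unpoison(m_bits); }
    T* operator->() const { return get(); }
    explicit operator bool() const { return m_bits != 0; }

    // The bits that actually sit in memory: never a dereferenceable address.
    uintptr_t bits() const { return m_bits; }

private:
    // Null stays 0 so that emptiness checks need no unpoisoning.
    static uintptr_t poison(T* ptr) { return ptr ? (reinterpret_cast<uintptr_t>(ptr) ^ Key) : 0; }
    static T* unpoison(uintptr_t bits) { return bits ? reinterpret_cast<T*>(bits ^ Key) : nullptr; }

    uintptr_t m_bits { 0 };
};

// Owning variant, constructible from std::unique_ptr so call sites keep using
// std::make_unique and the pointer is poisoned on conversion (the idea behind
// the makePoisonedUnique removal above).
template <uintptr_t Key, typename T>
class PoisonedUniquePtr {
public:
    PoisonedUniquePtr() = default;
    PoisonedUniquePtr(std::unique_ptr<T> owned) : m_ptr(owned.release()) { }
    PoisonedUniquePtr(const PoisonedUniquePtr&) = delete;
    PoisonedUniquePtr& operator=(const PoisonedUniquePtr&) = delete;
    ~PoisonedUniquePtr() { delete m_ptr.get(); }

    T* get() const { return m_ptr.get(); }
    T* operator->() const { return m_ptr.get(); }
    explicit operator bool() const { return static_cast<bool>(m_ptr); }
    uintptr_t bits() const { return m_ptr.bits(); }

private:
    Poisoned<Key, T> m_ptr;
};

struct Payload { int value; };

// A round trip through the poisoned wrapper yields the original object.
inline bool demoRoundTrip()
{
    PoisonedUniquePtr<kDemoPoisonKey, Payload> p(std::make_unique<Payload>(Payload { 42 }));
    return static_cast<bool>(p) && p->value == 42;
}

// The stored bits are not the real address, and decoding them with the wrong
// key does not recover the address either; only the right key does.
inline bool demoBitsAreNotThePointer()
{
    std::unique_ptr<Payload> owned = std::make_unique<Payload>(Payload { 7 });
    Payload* raw = owned.get();
    PoisonedUniquePtr<kDemoPoisonKey, Payload> p(std::move(owned));
    constexpr uintptr_t wrongKey = kDemoPoisonKey ^ 0xff;
    uintptr_t decodedWithWrongKey = p.bits() ^ wrongKey;
    return p.bits() != reinterpret_cast<uintptr_t>(raw)
        && decodedWithWrongKey != reinterpret_cast<uintptr_t>(raw)
        && p.get() == raw;
}

// An empty poisoned pointer stays 0 in memory and reads back as null.
inline bool demoNullStaysNull()
{
    Poisoned<kDemoPoisonKey, Payload> empty;
    return empty.bits() == 0 && empty.get() == nullptr && !empty;
}

} // namespace demo
```

The per-type key is what turns a type confusion into a crash instead of a controlled pointer: a field of one poisoned type read as another decodes with a different key, as demoBitsAreNotThePointer shows for a mismatched key.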
289 2018-01-12  Saam Barati  <sbarati@apple.com>
290
291         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
292         https://bugs.webkit.org/show_bug.cgi?id=181177
293         <rdar://problem/36205704>
294
295         Reviewed by Yusuke Suzuki.
296
297         The semantics of CheckStructure are such that it does not allow the empty value to flow through it.
298         However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't
299         have semantic consequences when validation is turned off. However, with validation on, this trips up
300         our OSR exit machinery that says when an exit is allowed to happen.
301         
302         Consider the following IR:
303         
304         a: GetClosureVar // Or any other node that produces BytecodeTop
305         ...
306         c: CheckStructure(Cell:@a, {s2})
307         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
308         
309         In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this:
310         a: GetClosureVar
311         e: CheckStructureOrEmpty(@a, {s1})
312         ...
313         f: CheckStructureOrEmpty(@a, {s2})
314         c: CheckStructure(Cell:@a, {s2})
315         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
316         
317         This will cause constant folding to change the IR to:
318         a: GetClosureVar
319         e: CheckStructureOrEmpty(@a, {s1})
320         ...
321         f: CheckStructureOrEmpty(@a, {s2})
322         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
323         
324         Our mayExit analysis determines that the PutByOffset should not exit. Note
325         that AI will determine the only value the PutByOffset can see in @a is 
326         the empty value. Because KnownCell filters SpecCell and not SpecCellCheck,
327         when lowering the PutByOffset, we reach a contradiction in AI and emit
328         an OSR exit. However, because mayExit said we couldn't exit, we assert.
329         
330         Note that if we did not run the TypeCheckHoistingPhase on this IR, AI
331         would have determined we would OSR exit at the second CheckStructure.
332         
333         This patch makes it so constant folding produces the following IR:
334         a: GetClosureVar
335         e: CheckStructureOrEmpty(@a, {s1})
336         g: AssertNotEmpty(@a)
337         ...
338         f: CheckStructureOrEmpty(@a, {s2})
339         h: AssertNotEmpty(@a)
340         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
341         
342         This modification will cause AI to know we will OSR exit before even reaching
343         the PutByOffset. Note that in the original IR, the GetClosureVar won't
344         actually produce the TDZ value. If it did, bytecode would have caused us
345         to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's
346         why this bug is about IR bookkeeping and not an actual error in IR analysis.
347         This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be
348         more congruous with CheckStructure's semantics of crashing on the empty value
349         as input (on 64 bit platforms).
350
351         * dfg/DFGAbstractInterpreterInlines.h:
352         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
353         * dfg/DFGClobberize.h:
354         (JSC::DFG::clobberize):
355         * dfg/DFGConstantFoldingPhase.cpp:
356         (JSC::DFG::ConstantFoldingPhase::foldConstants):
357         * dfg/DFGDoesGC.cpp:
358         (JSC::DFG::doesGC):
359         * dfg/DFGFixupPhase.cpp:
360         (JSC::DFG::FixupPhase::fixupNode):
361         * dfg/DFGNodeType.h:
362         * dfg/DFGPredictionPropagationPhase.cpp:
363         * dfg/DFGSafeToExecute.h:
364         (JSC::DFG::safeToExecute):
365         * dfg/DFGSpeculativeJIT32_64.cpp:
366         (JSC::DFG::SpeculativeJIT::compile):
367         * dfg/DFGSpeculativeJIT64.cpp:
368         (JSC::DFG::SpeculativeJIT::compile):
369         * ftl/FTLCapabilities.cpp:
370         (JSC::FTL::canCompile):
371         * ftl/FTLLowerDFGToB3.cpp:
372         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
373         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
374
375 2018-01-12  Joseph Pecoraro  <pecoraro@apple.com>
376
377         Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent
378         https://bugs.webkit.org/show_bug.cgi?id=181579
379         <rdar://problem/36193759>
380
381         Reviewed by Brian Burg.
382
383         * inspector/agents/InspectorConsoleAgent.h:
384         * inspector/agents/InspectorConsoleAgent.cpp:
385         (Inspector::InspectorConsoleAgent::clearMessages):
386         (Inspector::InspectorConsoleAgent::addConsoleMessage):
387         Switch from a raw pointer to m_consoleMessages.last().
388         Also move the expiration check into the if block since it can only
389         happen inside here when the number of console messages changes.
390
391         (Inspector::InspectorConsoleAgent::discardValues):
392         Also clear the expired message count when messages are cleared.
393
394 2018-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>
395
396         [JSC] Create parallel SlotVisitors a priori
397         https://bugs.webkit.org/show_bug.cgi?id=180907
398
399         Reviewed by Saam Barati.
400
401         The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
402         If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
403         Then we do not need to grab locks while iterating all the SlotVisitors.
404
405         In addition, we do not need to consider the case that the number of SlotVisitors increases
406         after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
407         does not increase any more.
408
409         * heap/Heap.cpp:
410         (JSC::Heap::Heap):
411         (JSC::Heap::runBeginPhase):
412         * heap/Heap.h:
413         * heap/HeapInlines.h:
414         (JSC::Heap::forEachSlotVisitor):
415         (JSC::Heap::numberOfSlotVisitors): Deleted.
416         * heap/MarkingConstraintSolver.cpp:
417         (JSC::MarkingConstraintSolver::didVisitSomething const):
418
419 2018-01-12  Saam Barati  <sbarati@apple.com>
420
421         Each variant of a polymorphic inlined call should be exitOK at the top of the block
422         https://bugs.webkit.org/show_bug.cgi?id=181562
423         <rdar://problem/36445624>
424
425         Reviewed by Yusuke Suzuki.
426
427         Before this patch, the very first block in the switch for polymorphic call
428         inlining will have exitOK at the top. The others are not guaranteed to.
429         That was just a bug. They're all exitOK at the top. This will lead to crashes
430         in FixupPhase because we won't have a node in a block that has ExitOK, so
431         when we fixup various type checks, we assert out.
432
433         * dfg/DFGByteCodeParser.cpp:
434         (JSC::DFG::ByteCodeParser::handleInlining):
435
436 2018-01-11  Keith Miller  <keith_miller@apple.com>
437
438         Rename ENABLE_ASYNC_ITERATION to ENABLE_JS_ASYNC_ITERATION
439         https://bugs.webkit.org/show_bug.cgi?id=181573
440
441         Reviewed by Simon Fraser.
442
443         * Configurations/FeatureDefines.xcconfig:
444         * runtime/Options.h:
445
446 2018-01-11  Michael Saboff  <msaboff@apple.com>
447
448         REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters
449         https://bugs.webkit.org/show_bug.cgi?id=181570
450
451         Reviewed by Keith Miller.
452
453         * assembler/MacroAssemblerARM64.h:
454         (JSC::MacroAssemblerARM64::abortWithReason):
455         Reverting these functions to use dataTempRegister and memoryTempRegister as they are
456         JIT release asserts that will crash the program.
457
458         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
459         Changed this so that it invalidates any cached dataTmpRegister contents if temp register
460         caching is enabled.
461
462 2018-01-11  Filip Pizlo  <fpizlo@apple.com>
463
464         Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes
465         https://bugs.webkit.org/show_bug.cgi?id=181543
466
467         Rubber stamped by Michael Saboff.
468         
469         In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't
470         really have anything to do with allocation anymore. The allocation will be done by something
471         in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a
472         place to find blocks (a "block directory").
473
474         Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the
475         attributes of the HeapCellType. So let's call them CellAttributes.
476
477         * JavaScriptCore.xcodeproj/project.pbxproj:
478         * Sources.txt:
479         * bytecode/AccessCase.cpp:
480         (JSC::AccessCase::generateImpl):
481         * bytecode/ObjectAllocationProfile.h:
482         * bytecode/ObjectAllocationProfileInlines.h:
483         (JSC::ObjectAllocationProfile::initializeProfile):
484         * dfg/DFGSpeculativeJIT.cpp:
485         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
486         (JSC::DFG::SpeculativeJIT::compileMakeRope):
487         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
488         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
489         (JSC::DFG::SpeculativeJIT::compileNewObject):
490         * dfg/DFGSpeculativeJIT.h:
491         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
492         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
493         * ftl/FTLAbstractHeapRepository.h:
494         * ftl/FTLLowerDFGToB3.cpp:
495         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
496         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
497         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
498         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
499         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
500         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
501         * heap/AlignedMemoryAllocator.cpp:
502         (JSC::AlignedMemoryAllocator::registerDirectory):
503         (JSC::AlignedMemoryAllocator::registerAllocator): Deleted.
504         * heap/AlignedMemoryAllocator.h:
505         (JSC::AlignedMemoryAllocator::firstDirectory const):
506         (JSC::AlignedMemoryAllocator::firstAllocator const): Deleted.
507         * heap/AllocatorAttributes.cpp: Removed.
508         * heap/AllocatorAttributes.h: Removed.
509         * heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp.
510         (JSC::BlockDirectory::BlockDirectory):
511         (JSC::BlockDirectory::setSubspace):
512         (JSC::BlockDirectory::isPagedOut):
513         (JSC::BlockDirectory::findEmptyBlockToSteal):
514         (JSC::BlockDirectory::didConsumeFreeList):
515         (JSC::BlockDirectory::tryAllocateWithoutCollecting):
516         (JSC::BlockDirectory::allocateIn):
517         (JSC::BlockDirectory::tryAllocateIn):
518         (JSC::BlockDirectory::doTestCollectionsIfNeeded):
519         (JSC::BlockDirectory::allocateSlowCase):
520         (JSC::BlockDirectory::blockSizeForBytes):
521         (JSC::BlockDirectory::tryAllocateBlock):
522         (JSC::BlockDirectory::addBlock):
523         (JSC::BlockDirectory::removeBlock):
524         (JSC::BlockDirectory::stopAllocating):
525         (JSC::BlockDirectory::prepareForAllocation):
526         (JSC::BlockDirectory::lastChanceToFinalize):
527         (JSC::BlockDirectory::resumeAllocating):
528         (JSC::BlockDirectory::beginMarkingForFullCollection):
529         (JSC::BlockDirectory::endMarking):
530         (JSC::BlockDirectory::snapshotUnsweptForEdenCollection):
531         (JSC::BlockDirectory::snapshotUnsweptForFullCollection):
532         (JSC::BlockDirectory::findBlockToSweep):
533         (JSC::BlockDirectory::sweep):
534         (JSC::BlockDirectory::shrink):
535         (JSC::BlockDirectory::assertNoUnswept):
536         (JSC::BlockDirectory::parallelNotEmptyBlockSource):
537         (JSC::BlockDirectory::dump const):
538         (JSC::BlockDirectory::dumpBits):
539         (JSC::BlockDirectory::markedSpace const):
540         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
541         (JSC::MarkedAllocator::setSubspace): Deleted.
542         (JSC::MarkedAllocator::isPagedOut): Deleted.
543         (JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted.
544         (JSC::MarkedAllocator::didConsumeFreeList): Deleted.
545         (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
546         (JSC::MarkedAllocator::allocateIn): Deleted.
547         (JSC::MarkedAllocator::tryAllocateIn): Deleted.
548         (JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted.
549         (JSC::MarkedAllocator::allocateSlowCase): Deleted.
550         (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
551         (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
552         (JSC::MarkedAllocator::addBlock): Deleted.
553         (JSC::MarkedAllocator::removeBlock): Deleted.
554         (JSC::MarkedAllocator::stopAllocating): Deleted.
555         (JSC::MarkedAllocator::prepareForAllocation): Deleted.
556         (JSC::MarkedAllocator::lastChanceToFinalize): Deleted.
557         (JSC::MarkedAllocator::resumeAllocating): Deleted.
558         (JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted.
559         (JSC::MarkedAllocator::endMarking): Deleted.
560         (JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted.
561         (JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted.
562         (JSC::MarkedAllocator::findBlockToSweep): Deleted.
563         (JSC::MarkedAllocator::sweep): Deleted.
564         (JSC::MarkedAllocator::shrink): Deleted.
565         (JSC::MarkedAllocator::assertNoUnswept): Deleted.
566         (JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted.
567         (JSC::MarkedAllocator::dump const): Deleted.
568         (JSC::MarkedAllocator::dumpBits): Deleted.
569         (JSC::MarkedAllocator::markedSpace const): Deleted.
570         * heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h.
571         (JSC::BlockDirectory::attributes const):
572         (JSC::BlockDirectory::forEachBitVector):
573         (JSC::BlockDirectory::forEachBitVectorWithName):
574         (JSC::BlockDirectory::nextDirectory const):
575         (JSC::BlockDirectory::nextDirectoryInSubspace const):
576         (JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const):
577         (JSC::BlockDirectory::setNextDirectory):
578         (JSC::BlockDirectory::setNextDirectoryInSubspace):
579         (JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator):
580         (JSC::BlockDirectory::offsetOfFreeList):
581         (JSC::BlockDirectory::offsetOfCellSize):
582         (JSC::MarkedAllocator::cellSize const): Deleted.
583         (JSC::MarkedAllocator::attributes const): Deleted.
584         (JSC::MarkedAllocator::needsDestruction const): Deleted.
585         (JSC::MarkedAllocator::destruction const): Deleted.
586         (JSC::MarkedAllocator::cellKind const): Deleted.
587         (JSC::MarkedAllocator::heap): Deleted.
588         (JSC::MarkedAllocator::bitvectorLock): Deleted.
589         (JSC::MarkedAllocator::forEachBitVector): Deleted.
590         (JSC::MarkedAllocator::forEachBitVectorWithName): Deleted.
591         (JSC::MarkedAllocator::nextAllocator const): Deleted.
592         (JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted.
593         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted.
594         (JSC::MarkedAllocator::setNextAllocator): Deleted.
595         (JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted.
596         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted.
597         (JSC::MarkedAllocator::subspace const): Deleted.
598         (JSC::MarkedAllocator::freeList const): Deleted.
599         (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
600         (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
601         * heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h.
602         (JSC::BlockDirectory::isFreeListedCell const):
603         (JSC::BlockDirectory::allocate):
604         (JSC::BlockDirectory::forEachBlock):
605         (JSC::BlockDirectory::forEachNotEmptyBlock):
606         (JSC::MarkedAllocator::isFreeListedCell const): Deleted.
607         (JSC::MarkedAllocator::allocate): Deleted.
608         (JSC::MarkedAllocator::forEachBlock): Deleted.
609         (JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted.
610         * heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp.
611         (JSC::CellAttributes::dump const):
612         (JSC::AllocatorAttributes::dump const): Deleted.
613         * heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h.
614         (JSC::CellAttributes::CellAttributes):
615         (JSC::AllocatorAttributes::AllocatorAttributes): Deleted.
616         * heap/CompleteSubspace.cpp:
617         (JSC::CompleteSubspace::allocatorFor):
618         (JSC::CompleteSubspace::allocateNonVirtual):
619         (JSC::CompleteSubspace::allocatorForSlow):
620         (JSC::CompleteSubspace::tryAllocateSlow):
621         * heap/CompleteSubspace.h:
622         (JSC::CompleteSubspace::allocatorForSizeStep):
623         (JSC::CompleteSubspace::allocatorForNonVirtual):
624         * heap/GCDeferralContext.h:
625         * heap/Heap.cpp:
626         (JSC::Heap::updateAllocationLimits):
627         * heap/Heap.h:
628         * heap/HeapCell.h:
629         * heap/HeapCellInlines.h:
630         (JSC::HeapCell::cellAttributes const):
631         (JSC::HeapCell::destructionMode const):
632         (JSC::HeapCell::cellKind const):
633         (JSC::HeapCell::allocatorAttributes const): Deleted.
634         * heap/HeapCellType.cpp:
635         (JSC::HeapCellType::HeapCellType):
636         * heap/HeapCellType.h:
637         (JSC::HeapCellType::attributes const):
638         * heap/IncrementalSweeper.cpp:
639         (JSC::IncrementalSweeper::IncrementalSweeper):
640         (JSC::IncrementalSweeper::sweepNextBlock):
641         (JSC::IncrementalSweeper::startSweeping):
642         (JSC::IncrementalSweeper::stopSweeping):
643         * heap/IncrementalSweeper.h:
644         * heap/IsoCellSet.cpp:
645         (JSC::IsoCellSet::IsoCellSet):
646         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
647         (JSC::IsoCellSet::addSlow):
648         (JSC::IsoCellSet::didRemoveBlock):
649         (JSC::IsoCellSet::sweepToFreeList):
650         * heap/IsoCellSetInlines.h:
651         (JSC::IsoCellSet::forEachMarkedCell):
652         (JSC::IsoCellSet::forEachLiveCell):
653         * heap/IsoSubspace.cpp:
654         (JSC::IsoSubspace::IsoSubspace):
655         (JSC::IsoSubspace::allocatorFor):
656         (JSC::IsoSubspace::allocateNonVirtual):
657         * heap/IsoSubspace.h:
658         (JSC::IsoSubspace::allocatorForNonVirtual):
659         * heap/LargeAllocation.h:
660         (JSC::LargeAllocation::attributes const):
661         * heap/MarkedAllocator.cpp: Removed.
662         * heap/MarkedAllocator.h: Removed.
663         * heap/MarkedAllocatorInlines.h: Removed.
664         * heap/MarkedBlock.cpp:
665         (JSC::MarkedBlock::Handle::~Handle):
666         (JSC::MarkedBlock::Handle::setIsFreeListed):
667         (JSC::MarkedBlock::Handle::stopAllocating):
668         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
669         (JSC::MarkedBlock::Handle::resumeAllocating):
670         (JSC::MarkedBlock::aboutToMarkSlow):
671         (JSC::MarkedBlock::Handle::didConsumeFreeList):
672         (JSC::MarkedBlock::noteMarkedSlow):
673         (JSC::MarkedBlock::Handle::removeFromDirectory):
674         (JSC::MarkedBlock::Handle::didAddToDirectory):
675         (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
676         (JSC::MarkedBlock::Handle::dumpState):
677         (JSC::MarkedBlock::Handle::subspace const):
678         (JSC::MarkedBlock::Handle::sweep):
679         (JSC::MarkedBlock::Handle::isFreeListedCell const):
680         (JSC::MarkedBlock::Handle::removeFromAllocator): Deleted.
681         (JSC::MarkedBlock::Handle::didAddToAllocator): Deleted.
682         (JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted.
683         * heap/MarkedBlock.h:
684         (JSC::MarkedBlock::Handle::directory const):
685         (JSC::MarkedBlock::Handle::attributes const):
686         (JSC::MarkedBlock::attributes const):
687         (JSC::MarkedBlock::Handle::allocator const): Deleted.
688         * heap/MarkedBlockInlines.h:
689         (JSC::MarkedBlock::Handle::isAllocated):
690         (JSC::MarkedBlock::Handle::isLive):
691         (JSC::MarkedBlock::Handle::specializedSweep):
692         (JSC::MarkedBlock::Handle::isEmpty):
693         * heap/MarkedSpace.cpp:
694         (JSC::MarkedSpace::lastChanceToFinalize):
695         (JSC::MarkedSpace::sweep):
696         (JSC::MarkedSpace::stopAllocating):
697         (JSC::MarkedSpace::resumeAllocating):
698         (JSC::MarkedSpace::isPagedOut):
699         (JSC::MarkedSpace::freeBlock):
700         (JSC::MarkedSpace::shrink):
701         (JSC::MarkedSpace::beginMarking):
702         (JSC::MarkedSpace::endMarking):
703         (JSC::MarkedSpace::snapshotUnswept):
704         (JSC::MarkedSpace::assertNoUnswept):
705         (JSC::MarkedSpace::dumpBits):
706         (JSC::MarkedSpace::addBlockDirectory):
707         (JSC::MarkedSpace::addMarkedAllocator): Deleted.
708         * heap/MarkedSpace.h:
709         (JSC::MarkedSpace::firstDirectory const):
710         (JSC::MarkedSpace::directoryLock):
711         (JSC::MarkedSpace::forEachBlock):
712         (JSC::MarkedSpace::forEachDirectory):
713         (JSC::MarkedSpace::firstAllocator const): Deleted.
714         (JSC::MarkedSpace::allocatorLock): Deleted.
715         (JSC::MarkedSpace::forEachAllocator): Deleted.
716         * heap/MarkedSpaceInlines.h:
717         * heap/Subspace.cpp:
718         (JSC::Subspace::initialize):
719         (JSC::Subspace::prepareForAllocation):
720         (JSC::Subspace::findEmptyBlockToSteal):
721         (JSC::Subspace::parallelDirectorySource):
722         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
723         (JSC::Subspace::sweep):
724         (JSC::Subspace::parallelAllocatorSource): Deleted.
725         * heap/Subspace.h:
726         (JSC::Subspace::attributes const):
727         (JSC::Subspace::didCreateFirstDirectory):
728         (JSC::Subspace::didCreateFirstAllocator): Deleted.
729         * heap/SubspaceInlines.h:
730         (JSC::Subspace::forEachDirectory):
731         (JSC::Subspace::forEachMarkedBlock):
732         (JSC::Subspace::forEachNotEmptyMarkedBlock):
733         (JSC::Subspace::forEachAllocator): Deleted.
734         * jit/AssemblyHelpers.h:
735         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
736         (JSC::AssemblyHelpers::emitAllocate):
737         (JSC::AssemblyHelpers::emitAllocateJSCell):
738         (JSC::AssemblyHelpers::emitAllocateJSObject):
739         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
740         * jit/JIT.h:
741         * jit/JITOpcodes.cpp:
742         (JSC::JIT::emit_op_new_object):
743         * jit/JITOpcodes32_64.cpp:
744         (JSC::JIT::emit_op_new_object):
745         * runtime/JSDestructibleObjectHeapCellType.cpp:
746         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
747         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
748         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
749         * runtime/JSStringHeapCellType.cpp:
750         (JSC::JSStringHeapCellType::JSStringHeapCellType):
751         * runtime/VM.cpp:
752         (JSC::VM::VM):
753         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
754         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
755
756 2018-01-11  Saam Barati  <sbarati@apple.com>
757
758         When inserting Unreachable in byte code parser we need to flush all the right things
759         https://bugs.webkit.org/show_bug.cgi?id=181509
760         <rdar://problem/36423110>
761
762         Reviewed by Mark Lam.
763
764         I added code in r226655 that had its own mechanism for preserving liveness when
765         inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
766         liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
767         I got some of these values wrong, which was leading to a crash when recovering the
768         callee value from an inlined frame. Instead of making the same mistake and repeating
769         similar code again, this patch refactors this logic to be shared with the other
770         liveness preservation code in the DFG bytecode parser. This is what I should have
771         done in my initial patch.
772
773         * bytecode/InlineCallFrame.h:
774         (JSC::remapOperand):
775         * dfg/DFGByteCodeParser.cpp:
776         (JSC::DFG::flushImpl):
777         (JSC::DFG::flushForTerminalImpl):
778         (JSC::DFG::ByteCodeParser::flush):
779         (JSC::DFG::ByteCodeParser::flushForTerminal):
780         (JSC::DFG::ByteCodeParser::parse):
781
782 2018-01-11  Saam Barati  <sbarati@apple.com>
783
784         JITMathIC code in the FTL is wrong when code gets duplicated
785         https://bugs.webkit.org/show_bug.cgi?id=181525
786         <rdar://problem/36351993>
787
788         Reviewed by Michael Saboff and Keith Miller.
789
790         B3/Air may duplicate code for various reasons. Patchpoint generators inside
791         FTLLower must be aware that they can be called multiple times because of this.
792         The patchpoint for math ICs was not aware of this, and shared state amongst
793         all invocations of the patchpoint's generator. This patch fixes this bug so
794         that each invocation of the patchpoint's generator gets a unique math IC.
795
796         * bytecode/CodeBlock.h:
797         (JSC::CodeBlock::addMathIC):
798         * ftl/FTLLowerDFGToB3.cpp:
799         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
800         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
801         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
802         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
803         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
804         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
805         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
806         * jit/JITMathIC.h:
807         (JSC::isProfileEmpty):
808
809 2018-01-11  Michael Saboff  <msaboff@apple.com>
810
811         Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister
812         https://bugs.webkit.org/show_bug.cgi?id=181512
813
814         Reviewed by Saam Barati.
815
816         * assembler/MacroAssemblerARM64.h:
817         (JSC::MacroAssemblerARM64::abortWithReason):
818         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
819         All current uses of dataTempRegister in these functions are safe, but it makes sense to
820         fix them in case they might be used elsewhere.
821
822 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
823
824         CodeBlocks should be in IsoSubspaces
825         https://bugs.webkit.org/show_bug.cgi?id=180884
826
827         Reviewed by Saam Barati.
828         
829         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
830         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
831         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
832         
833         - Code block sweeping is now just eager sweeping. This means that it automatically takes
834           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
835           its eden set for.
836         
837         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
838           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
839           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
840           longer has to clear the set of weakly visited code blocks. This also means that
841           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
842           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
843           has IsoCellSets to tell us which edges have output constraints (what we used to call
844           CodeBlock's weak reference harvester) and which have unconditional finalizers.
845         
846         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
847         
848         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
849           handle requests from the sampler, debugger, and other facilities. They may want to ask
850           if some pointer corresponds to a CodeBlock during stages of execution during which the
851           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
852           There is no way that the GC's isLive could tell us of a CodeBlock that had already been
853           allocated has now been fully constructed.
854         
855         Rolling this back in because it was rolled out by mistake. There was a flaky crash that was
856         happening before and after this change, but we misread the revision numbers at first and
857         thought that this was the cause.
858         
859         * JavaScriptCore.xcodeproj/project.pbxproj:
860         * Sources.txt:
861         * bytecode/CodeBlock.cpp:
862         (JSC::CodeBlock::CodeBlock):
863         (JSC::CodeBlock::finishCreation):
864         (JSC::CodeBlock::finishCreationCommon):
865         (JSC::CodeBlock::~CodeBlock):
866         (JSC::CodeBlock::visitChildren):
867         (JSC::CodeBlock::propagateTransitions):
868         (JSC::CodeBlock::determineLiveness):
869         (JSC::CodeBlock::finalizeUnconditionally):
870         (JSC::CodeBlock::stronglyVisitStrongReferences):
871         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
872         (JSC::CodeBlock::installVMTrapBreakpoints):
873         (JSC::CodeBlock::dumpMathICStats):
874         (JSC::CodeBlock::visitWeakly): Deleted.
875         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
876         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
877         * bytecode/CodeBlock.h:
878         (JSC::CodeBlock::subspaceFor):
879         (JSC::CodeBlock::ownerEdge const):
880         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
881         * bytecode/EvalCodeBlock.h:
882         (JSC::EvalCodeBlock::create): Deleted.
883         (JSC::EvalCodeBlock::createStructure): Deleted.
884         (JSC::EvalCodeBlock::variable): Deleted.
885         (JSC::EvalCodeBlock::numVariables): Deleted.
886         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
887         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
888         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
889         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
890         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
891         (JSC::ExecutableToCodeBlockEdge::createStructure):
892         (JSC::ExecutableToCodeBlockEdge::create):
893         (JSC::ExecutableToCodeBlockEdge::visitChildren):
894         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
895         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
896         (JSC::ExecutableToCodeBlockEdge::activate):
897         (JSC::ExecutableToCodeBlockEdge::deactivate):
898         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
899         (JSC::ExecutableToCodeBlockEdge::wrap):
900         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
901         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
902         (JSC::ExecutableToCodeBlockEdge::runConstraint):
903         * bytecode/ExecutableToCodeBlockEdge.h: Added.
904         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
905         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
906         (JSC::ExecutableToCodeBlockEdge::unwrap):
907         * bytecode/FunctionCodeBlock.h:
908         (JSC::FunctionCodeBlock::subspaceFor):
909         (JSC::FunctionCodeBlock::createStructure):
910         * bytecode/ModuleProgramCodeBlock.h:
911         (JSC::ModuleProgramCodeBlock::create): Deleted.
912         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
913         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
914         * bytecode/ProgramCodeBlock.h:
915         (JSC::ProgramCodeBlock::create): Deleted.
916         (JSC::ProgramCodeBlock::createStructure): Deleted.
917         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
918         * debugger/Debugger.cpp:
919         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
920         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
921         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
922         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
923         * heap/CodeBlockSet.cpp:
924         (JSC::CodeBlockSet::contains):
925         (JSC::CodeBlockSet::dump const):
926         (JSC::CodeBlockSet::add):
927         (JSC::CodeBlockSet::remove):
928         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
929         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
930         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
931         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
932         * heap/CodeBlockSet.h:
933         * heap/CodeBlockSetInlines.h:
934         (JSC::CodeBlockSet::iterate):
935         (JSC::CodeBlockSet::iterateViaSubspaces):
936         * heap/ConservativeRoots.cpp:
937         (JSC::ConservativeRoots::genericAddPointer):
938         (JSC::DummyMarkHook::markKnownJSCell):
939         (JSC::CompositeMarkHook::mark):
940         (JSC::CompositeMarkHook::markKnownJSCell):
941         * heap/ConservativeRoots.h:
942         * heap/Heap.cpp:
943         (JSC::Heap::lastChanceToFinalize):
944         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
945         (JSC::Heap::finalizeUnconditionalFinalizers):
946         (JSC::Heap::beginMarking):
947         (JSC::Heap::deleteUnmarkedCompiledCode):
948         (JSC::Heap::sweepInFinalize):
949         (JSC::Heap::forEachCodeBlockImpl):
950         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
951         (JSC::Heap::addCoreConstraints):
952         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
953         * heap/Heap.h:
954         * heap/HeapCell.h:
955         * heap/HeapCellInlines.h:
956         (JSC::HeapCell::subspace const):
957         * heap/HeapInlines.h:
958         (JSC::Heap::forEachCodeBlock):
959         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
960         * heap/HeapUtil.h:
961         (JSC::HeapUtil::findGCObjectPointersForMarking):
962         * heap/IsoCellSet.cpp:
963         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
964         * heap/IsoCellSet.h:
965         * heap/IsoCellSetInlines.h:
966         (JSC::IsoCellSet::forEachMarkedCellInParallel):
967         (JSC::IsoCellSet::forEachLiveCell):
968         * heap/LargeAllocation.h:
969         (JSC::LargeAllocation::subspace const):
970         * heap/MarkStackMergingConstraint.cpp:
971         (JSC::MarkStackMergingConstraint::executeImpl):
972         * heap/MarkStackMergingConstraint.h:
973         * heap/MarkedAllocator.cpp:
974         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
975         * heap/MarkedBlock.cpp:
976         (JSC::MarkedBlock::Handle::didAddToAllocator):
977         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
978         * heap/MarkedBlock.h:
979         (JSC::MarkedBlock::subspace const):
980         * heap/MarkedBlockInlines.h:
981         (JSC::MarkedBlock::Handle::forEachLiveCell):
982         * heap/MarkedSpaceInlines.h:
983         (JSC::MarkedSpace::forEachLiveCell):
984         * heap/MarkingConstraint.cpp:
985         (JSC::MarkingConstraint::execute):
986         (JSC::MarkingConstraint::doParallelWork):
987         (JSC::MarkingConstraint::finishParallelWork): Deleted.
988         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
989         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
990         * heap/MarkingConstraint.h:
991         * heap/MarkingConstraintSet.cpp:
992         (JSC::MarkingConstraintSet::add):
993         * heap/MarkingConstraintSet.h:
994         (JSC::MarkingConstraintSet::add):
995         * heap/MarkingConstraintSolver.cpp:
996         (JSC::MarkingConstraintSolver::execute):
997         (JSC::MarkingConstraintSolver::addParallelTask):
998         (JSC::MarkingConstraintSolver::runExecutionThread):
999         (JSC::MarkingConstraintSolver::didExecute): Deleted.
1000         * heap/MarkingConstraintSolver.h:
1001         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
1002         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
1003         * heap/SimpleMarkingConstraint.cpp:
1004         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
1005         (JSC::SimpleMarkingConstraint::executeImpl):
1006         * heap/SimpleMarkingConstraint.h:
1007         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
1008         * heap/SlotVisitor.cpp:
1009         (JSC::SlotVisitor::addParallelConstraintTask):
1010         * heap/SlotVisitor.h:
1011         * heap/Subspace.cpp:
1012         (JSC::Subspace::sweep):
1013         * heap/Subspace.h:
1014         * heap/SubspaceInlines.h:
1015         (JSC::Subspace::forEachLiveCell):
1016         * llint/LowLevelInterpreter.asm:
1017         * runtime/EvalExecutable.cpp:
1018         (JSC::EvalExecutable::visitChildren):
1019         * runtime/EvalExecutable.h:
1020         (JSC::EvalExecutable::codeBlock):
1021         * runtime/FunctionExecutable.cpp:
1022         (JSC::FunctionExecutable::baselineCodeBlockFor):
1023         (JSC::FunctionExecutable::visitChildren):
1024         * runtime/FunctionExecutable.h:
1025         * runtime/JSType.h:
1026         * runtime/ModuleProgramExecutable.cpp:
1027         (JSC::ModuleProgramExecutable::visitChildren):
1028         * runtime/ModuleProgramExecutable.h:
1029         * runtime/ProgramExecutable.cpp:
1030         (JSC::ProgramExecutable::visitChildren):
1031         * runtime/ProgramExecutable.h:
1032         * runtime/ScriptExecutable.cpp:
1033         (JSC::ScriptExecutable::installCode):
1034         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
1035         * runtime/VM.cpp:
1036         (JSC::VM::VM):
1037         * runtime/VM.h:
1038         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
1039         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
1040         (JSC::VM::forEachCodeBlockSpace):
1041         * runtime/VMTraps.cpp:
1042         (JSC::VMTraps::handleTraps):
1043         * tools/VMInspector.cpp:
1044         (JSC::VMInspector::codeBlockForMachinePC):
1045         (JSC::VMInspector::isValidCodeBlock):
1046
1047 2018-01-11  Michael Saboff  <msaboff@apple.com>
1048
1049         Add a DOM gadget for Spectre testing
1050         https://bugs.webkit.org/show_bug.cgi?id=181351
1051
1052         Reviewed by Ryosuke Niwa.
1053
1054         * runtime/Options.h:
1055
1056 2018-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1057
1058         [DFG][FTL] regExpMatchFast should be handled
1059         https://bugs.webkit.org/show_bug.cgi?id=180988
1060
1061         Reviewed by Mark Lam.
1062
1063         RegExp.prototype.@@match has a fast path, @regExpMatchFast. This patch annotates this function
1064         with RegExpMatchFastIntrinsic, and introduces RegExpMatch DFG node. This paves the way to
1065         make NewRegexp PhantomNewRegexp if it is not used except for setting/getting its lastIndex property.
1066
1067         To improve RegExp.prototype.@@match's performance more, we make this builtin function small by moving
1068         the slow-path part to the `@matchSlow()` private function.
1069
1070         It improves SixSpeed regex-u.{es5,es6} largely since they stress String.prototype.match, which calls
1071         this regExpMatchFast function.
1072
1073                                  baseline                  patched
1074
1075         regex-u.es5          55.3835+-6.3002     ^     36.2431+-2.0797        ^ definitely 1.5281x faster
1076         regex-u.es6         110.4624+-6.2896     ^     94.1012+-7.2433        ^ definitely 1.1739x faster
1077
1078         * builtins/RegExpPrototype.js:
1079         (globalPrivate.matchSlow):
1080         (overriddenName.string_appeared_here.match):
1081         * dfg/DFGAbstractInterpreterInlines.h:
1082         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1083         * dfg/DFGByteCodeParser.cpp:
1084         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1085         * dfg/DFGClobberize.h:
1086         (JSC::DFG::clobberize):
1087         * dfg/DFGDoesGC.cpp:
1088         (JSC::DFG::doesGC):
1089         * dfg/DFGFixupPhase.cpp:
1090         (JSC::DFG::FixupPhase::fixupNode):
1091         * dfg/DFGNode.h:
1092         (JSC::DFG::Node::hasHeapPrediction):
1093         * dfg/DFGNodeType.h:
1094         * dfg/DFGOperations.cpp:
1095         * dfg/DFGOperations.h:
1096         * dfg/DFGPredictionPropagationPhase.cpp:
1097         * dfg/DFGSafeToExecute.h:
1098         (JSC::DFG::safeToExecute):
1099         * dfg/DFGSpeculativeJIT.cpp:
1100         (JSC::DFG::SpeculativeJIT::compileRegExpMatch):
1101         * dfg/DFGSpeculativeJIT.h:
1102         * dfg/DFGSpeculativeJIT32_64.cpp:
1103         (JSC::DFG::SpeculativeJIT::compile):
1104         * dfg/DFGSpeculativeJIT64.cpp:
1105         (JSC::DFG::SpeculativeJIT::compile):
1106         * ftl/FTLCapabilities.cpp:
1107         (JSC::FTL::canCompile):
1108         * ftl/FTLLowerDFGToB3.cpp:
1109         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1110         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatch):
1111         * runtime/Intrinsic.cpp:
1112         (JSC::intrinsicName):
1113         * runtime/Intrinsic.h:
1114         * runtime/JSGlobalObject.cpp:
1115         (JSC::JSGlobalObject::init):
1116         * runtime/RegExpPrototype.cpp:
1117         (JSC::regExpProtoFuncMatchFast):
1118
1119 2018-01-11  Saam Barati  <sbarati@apple.com>
1120
1121         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1122         https://bugs.webkit.org/show_bug.cgi?id=181508
1123
1124         Reviewed by Yusuke Suzuki.
1125
1126         Our for-in caching would cache structure chains that had prototypes with
1127         indexed properties. Clearly this is wrong. This caching breaks when a prototype
1128         adds new indexed properties. We would continue to enumerate the old cached
1129         state of properties, and not include the new indexed properties.
1130         
1131         The old code used to prevent caching only if the base structure had
1132         indexed properties. This patch extends it to prevent caching if the
1133         base, or any structure in the prototype chain, has indexed properties.
1134
1135         * runtime/Structure.cpp:
1136         (JSC::Structure::canCachePropertyNameEnumerator const):
1137
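The enumeration invariant that the entry above protects, as an added JavaScript example that is not part of the WebKit change or its test suite: it warms up a for-in loop over an object whose prototype has no indexed properties, then adds an integer-keyed property to the prototype and checks that a fresh enumeration sees it. The helper names (enumerateKeys, makeChain, forInAfterPrototypeIndexedAdd, enumerationSeesPrototypeIndexedKey) are assumptions of this example. A correct engine returns ["own","0","named"] after the mutation, whereas an enumerator cached before the mutation, which the old canCachePropertyNameEnumerator check allowed, would keep reporting ["own","named"].

```javascript
// Added example (not WebKit test code): for-in must reflect an indexed
// property added to an object in the prototype chain after the enumeration
// has already run (and, in a JIT, possibly been cached) many times.
"use strict";

// Collect for-in keys in enumeration order.
function enumerateKeys(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

// Build a two-level chain: obj -> proto -> Object.prototype.
// Neither object has indexed properties at this point.
function makeChain() {
  const proto = { named: 1 };
  const obj = Object.create(proto);
  obj.own = 2;
  return { obj, proto };
}

// Run the enumeration repeatedly so an engine's enumerator cache is populated,
// then add an indexed property to the prototype (not the base object) and
// enumerate again. Returns the key lists seen before and after the mutation.
function forInAfterPrototypeIndexedAdd(warmupIterations = 10000) {
  const { obj, proto } = makeChain();
  let before = null;
  for (let i = 0; i < warmupIterations; i++) before = enumerateKeys(obj);
  proto[0] = "indexed"; // integer-keyed property on the prototype
  const after = enumerateKeys(obj);
  return { before, after };
}

// True when the post-mutation enumeration contains the new indexed key.
// A stale cached enumerator that ignored prototype indexed properties
// would make this return false.
function enumerationSeesPrototypeIndexedKey() {
  const { after } = forInAfterPrototypeIndexedAdd();
  return after.includes("0");
}

console.log(JSON.stringify(forInAfterPrototypeIndexedAdd()));
```

Run it with node; the printed "after" list should contain "0" between the base object's own key and the prototype's named key, because each object in the chain contributes its integer keys first and then its string keys.
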
1138 2018-01-10  JF Bastien  <jfbastien@apple.com>
1139
1140         Poison small JSObject derivatives which only contain pointers
1141         https://bugs.webkit.org/show_bug.cgi?id=181483
1142         <rdar://problem/36407127>
1143
1144         Reviewed by Mark Lam.
1145
1146         I wrote a script that finds interesting things to poison or
1147         generally harden. These stood out because they derive from
1148         JSObject and only contain a few pointer or pointer-like fields,
1149         and could therefore just be poisoned. This also requires some
1150         template "improvements" to our poisoning machinery. Worth noting
1151         is that I'm making PoisonedUniquePtr move-assignable and
1152         move-constructible from unique_ptr, which makes it a better
1153         drop-in replacement because we don't need to use
1154         makePoisonedUniquePtr. This means function-locals can be
1155         unique_ptr and get the nice RAII pattern, and once the function is
1156         done you can just move to the class' PoisonedUniquePtr without
1157         worrying.
1158
1159         * API/JSAPIWrapperObject.h:
1160         (JSC::JSAPIWrapperObject::wrappedObject):
1161         * API/JSAPIWrapperObject.mm:
1162         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
1163         * API/JSCallbackObject.h:
1164         * runtime/ArrayPrototype.h:
1165         * runtime/DateInstance.h:
1166         * runtime/JSArrayBuffer.cpp:
1167         (JSC::JSArrayBuffer::finishCreation):
1168         (JSC::JSArrayBuffer::isShared const):
1169         (JSC::JSArrayBuffer::sharingMode const):
1170         * runtime/JSArrayBuffer.h:
1171         * runtime/JSCPoison.h:
1172
1173 2018-01-10  Commit Queue  <commit-queue@webkit.org>
1174
1175         Unreviewed, rolling out r226667 and r226673.
1176         https://bugs.webkit.org/show_bug.cgi?id=181488
1177
1178         This caused a flaky crash. (Requested by mlewis13 on #webkit).
1179
1180         Reverted changesets:
1181
1182         "CodeBlocks should be in IsoSubspaces"
1183         https://bugs.webkit.org/show_bug.cgi?id=180884
1184         https://trac.webkit.org/changeset/226667
1185
1186         "REGRESSION (r226667): CodeBlocks should be in IsoSubspaces"
1187         https://bugs.webkit.org/show_bug.cgi?id=180884
1188         https://trac.webkit.org/changeset/226673
1189
1190 2018-01-09  David Kilzer  <ddkilzer@apple.com>
1191
1192         REGRESSION (r226667): CodeBlocks should be in IsoSubspaces
1193         <https://bugs.webkit.org/show_bug.cgi?id=180884>
1194
1195         Fixes the following build error:
1196
1197             heap/Heap.cpp:2708:10: error: lambda capture 'this' is not used [-Werror,-Wunused-lambda-capture]
1198
1199         * heap/Heap.cpp:
1200         (JSC::Heap::addCoreConstraints): Remove 'this' from lambda to
1201         fix the build.
1202
1203 2018-01-09  Keith Miller  <keith_miller@apple.com>
1204
1205         and32 with an Address source on ARM64 did not invalidate dataTempRegister
1206         https://bugs.webkit.org/show_bug.cgi?id=181467
1207
1208         Reviewed by Michael Saboff.
1209
1210         * assembler/MacroAssemblerARM64.h:
1211         (JSC::MacroAssemblerARM64::and32):
1212
1213 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
1214
1215         CodeBlocks should be in IsoSubspaces
1216         https://bugs.webkit.org/show_bug.cgi?id=180884
1217
1218         Reviewed by Saam Barati.
1219         
1220         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
1221         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
1222         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
1223         
1224         - Code block sweeping is now just eager sweeping. This means that it automatically takes
1225           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
1226           its eden set for.
1227         
1228         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
1229           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
1230           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
1231           longer has to clear the set of weakly visited code blocks. This also means that
1232           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
1233           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
1234           has IsoCellSets to tell us which edges have output constraints (what we used to call
1235           CodeBlock's weak reference harvester) and which have unconditional finalizers.
1236         
1237         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
1238         
1239         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
1240           handle requests from the sampler, debugger, and other facilities. They may want to ask
1241           if some pointer corresponds to a CodeBlock during stages of execution during which the
1242           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
1243           There is no way that the GC's isLive could tell us of a CodeBlock that had already been
1244           allocated has now been fully constructed.
1245         
1246         * JavaScriptCore.xcodeproj/project.pbxproj:
1247         * Sources.txt:
1248         * bytecode/CodeBlock.cpp:
1249         (JSC::CodeBlock::CodeBlock):
1250         (JSC::CodeBlock::finishCreation):
1251         (JSC::CodeBlock::finishCreationCommon):
1252         (JSC::CodeBlock::~CodeBlock):
1253         (JSC::CodeBlock::visitChildren):
1254         (JSC::CodeBlock::propagateTransitions):
1255         (JSC::CodeBlock::determineLiveness):
1256         (JSC::CodeBlock::finalizeUnconditionally):
1257         (JSC::CodeBlock::stronglyVisitStrongReferences):
1258         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
1259         (JSC::CodeBlock::installVMTrapBreakpoints):
1260         (JSC::CodeBlock::dumpMathICStats):
1261         (JSC::CodeBlock::visitWeakly): Deleted.
1262         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
1263         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
1264         * bytecode/CodeBlock.h:
1265         (JSC::CodeBlock::subspaceFor):
1266         (JSC::CodeBlock::ownerEdge const):
1267         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
1268         * bytecode/EvalCodeBlock.h:
1269         (JSC::EvalCodeBlock::create): Deleted.
1270         (JSC::EvalCodeBlock::createStructure): Deleted.
1271         (JSC::EvalCodeBlock::variable): Deleted.
1272         (JSC::EvalCodeBlock::numVariables): Deleted.
1273         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
1274         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
1275         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
1276         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
1277         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
1278         (JSC::ExecutableToCodeBlockEdge::createStructure):
1279         (JSC::ExecutableToCodeBlockEdge::create):
1280         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1281         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
1282         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
1283         (JSC::ExecutableToCodeBlockEdge::activate):
1284         (JSC::ExecutableToCodeBlockEdge::deactivate):
1285         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
1286         (JSC::ExecutableToCodeBlockEdge::wrap):
1287         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
1288         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
1289         (JSC::ExecutableToCodeBlockEdge::runConstraint):
1290         * bytecode/ExecutableToCodeBlockEdge.h: Added.
1291         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
1292         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
1293         (JSC::ExecutableToCodeBlockEdge::unwrap):
1294         * bytecode/FunctionCodeBlock.h:
1295         (JSC::FunctionCodeBlock::subspaceFor):
1296         (JSC::FunctionCodeBlock::createStructure):
1297         * bytecode/ModuleProgramCodeBlock.h:
1298         (JSC::ModuleProgramCodeBlock::create): Deleted.
1299         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
1300         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
1301         * bytecode/ProgramCodeBlock.h:
1302         (JSC::ProgramCodeBlock::create): Deleted.
1303         (JSC::ProgramCodeBlock::createStructure): Deleted.
1304         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
1305         * debugger/Debugger.cpp:
1306         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
1307         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
1308         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
1309         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
1310         * heap/CodeBlockSet.cpp:
1311         (JSC::CodeBlockSet::contains):
1312         (JSC::CodeBlockSet::dump const):
1313         (JSC::CodeBlockSet::add):
1314         (JSC::CodeBlockSet::remove):
1315         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
1316         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
1317         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
1318         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
1319         * heap/CodeBlockSet.h:
1320         * heap/CodeBlockSetInlines.h:
1321         (JSC::CodeBlockSet::iterate):
1322         (JSC::CodeBlockSet::iterateViaSubspaces):
1323         * heap/ConservativeRoots.cpp:
1324         (JSC::ConservativeRoots::genericAddPointer):
1325         (JSC::DummyMarkHook::markKnownJSCell):
1326         (JSC::CompositeMarkHook::mark):
1327         (JSC::CompositeMarkHook::markKnownJSCell):
1328         * heap/ConservativeRoots.h:
1329         * heap/Heap.cpp:
1330         (JSC::Heap::lastChanceToFinalize):
1331         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
1332         (JSC::Heap::finalizeUnconditionalFinalizers):
1333         (JSC::Heap::beginMarking):
1334         (JSC::Heap::deleteUnmarkedCompiledCode):
1335         (JSC::Heap::sweepInFinalize):
1336         (JSC::Heap::forEachCodeBlockImpl):
1337         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
1338         (JSC::Heap::addCoreConstraints):
1339         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
1340         * heap/Heap.h:
1341         * heap/HeapCell.h:
1342         * heap/HeapCellInlines.h:
1343         (JSC::HeapCell::subspace const):
1344         * heap/HeapInlines.h:
1345         (JSC::Heap::forEachCodeBlock):
1346         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
1347         * heap/HeapUtil.h:
1348         (JSC::HeapUtil::findGCObjectPointersForMarking):
1349         * heap/IsoCellSet.cpp:
1350         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
1351         * heap/IsoCellSet.h:
1352         * heap/IsoCellSetInlines.h:
1353         (JSC::IsoCellSet::forEachMarkedCellInParallel):
1354         (JSC::IsoCellSet::forEachLiveCell):
1355         * heap/LargeAllocation.h:
1356         (JSC::LargeAllocation::subspace const):
1357         * heap/MarkStackMergingConstraint.cpp:
1358         (JSC::MarkStackMergingConstraint::executeImpl):
1359         * heap/MarkStackMergingConstraint.h:
1360         * heap/MarkedAllocator.cpp:
1361         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
1362         * heap/MarkedBlock.cpp:
1363         (JSC::MarkedBlock::Handle::didAddToAllocator):
1364         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
1365         * heap/MarkedBlock.h:
1366         (JSC::MarkedBlock::subspace const):
1367         * heap/MarkedBlockInlines.h:
1368         (JSC::MarkedBlock::Handle::forEachLiveCell):
1369         * heap/MarkedSpaceInlines.h:
1370         (JSC::MarkedSpace::forEachLiveCell):
1371         * heap/MarkingConstraint.cpp:
1372         (JSC::MarkingConstraint::execute):
1373         (JSC::MarkingConstraint::doParallelWork):
1374         (JSC::MarkingConstraint::finishParallelWork): Deleted.
1375         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
1376         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
1377         * heap/MarkingConstraint.h:
1378         * heap/MarkingConstraintSet.cpp:
1379         (JSC::MarkingConstraintSet::add):
1380         * heap/MarkingConstraintSet.h:
1381         (JSC::MarkingConstraintSet::add):
1382         * heap/MarkingConstraintSolver.cpp:
1383         (JSC::MarkingConstraintSolver::execute):
1384         (JSC::MarkingConstraintSolver::addParallelTask):
1385         (JSC::MarkingConstraintSolver::runExecutionThread):
1386         (JSC::MarkingConstraintSolver::didExecute): Deleted.
1387         * heap/MarkingConstraintSolver.h:
1388         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
1389         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
1390         * heap/SimpleMarkingConstraint.cpp:
1391         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
1392         (JSC::SimpleMarkingConstraint::executeImpl):
1393         * heap/SimpleMarkingConstraint.h:
1394         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
1395         * heap/SlotVisitor.cpp:
1396         (JSC::SlotVisitor::addParallelConstraintTask):
1397         * heap/SlotVisitor.h:
1398         * heap/Subspace.cpp:
1399         (JSC::Subspace::sweep):
1400         * heap/Subspace.h:
1401         * heap/SubspaceInlines.h:
1402         (JSC::Subspace::forEachLiveCell):
1403         * llint/LowLevelInterpreter.asm:
1404         * runtime/EvalExecutable.cpp:
1405         (JSC::EvalExecutable::visitChildren):
1406         * runtime/EvalExecutable.h:
1407         (JSC::EvalExecutable::codeBlock):
1408         * runtime/FunctionExecutable.cpp:
1409         (JSC::FunctionExecutable::baselineCodeBlockFor):
1410         (JSC::FunctionExecutable::visitChildren):
1411         * runtime/FunctionExecutable.h:
1412         * runtime/JSType.h:
1413         * runtime/ModuleProgramExecutable.cpp:
1414         (JSC::ModuleProgramExecutable::visitChildren):
1415         * runtime/ModuleProgramExecutable.h:
1416         * runtime/ProgramExecutable.cpp:
1417         (JSC::ProgramExecutable::visitChildren):
1418         * runtime/ProgramExecutable.h:
1419         * runtime/ScriptExecutable.cpp:
1420         (JSC::ScriptExecutable::installCode):
1421         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
1422         * runtime/VM.cpp:
1423         (JSC::VM::VM):
1424         * runtime/VM.h:
1425         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
1426         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
1427         (JSC::VM::forEachCodeBlockSpace):
1428         * runtime/VMTraps.cpp:
1429         (JSC::VMTraps::handleTraps):
1430         * tools/VMInspector.cpp:
1431         (JSC::VMInspector::codeBlockForMachinePC):
1432         (JSC::VMInspector::isValidCodeBlock):
1433
1434 2018-01-09  Michael Saboff  <msaboff@apple.com>
1435
1436         Unreviewed, rolling out r226600 and r226603
1437         https://bugs.webkit.org/show_bug.cgi?id=181351
1438
1439         Add a DOM gadget for Spectre testing
1440
1441         * runtime/Options.h:
1442
1443 2018-01-09  Saam Barati  <sbarati@apple.com>
1444
1445         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
1446         https://bugs.webkit.org/show_bug.cgi?id=181409
1447
1448         Reviewed by Keith Miller.
1449
1450         When I was looking at profiler data for Speedometer, I noticed that one of
1451         the hottest functions in Speedometer is around 1100 bytecode operations long.
1452         Only about 100 of those bytecode ops ever execute. However, we ended up
1453         spending a lot of time compiling basic blocks that never executed. We often
1454         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
1455         This is the case when such a node never executes.
1456         
1457         This patch makes it so that anytime a block has a ForceOSRExit, we replace its
1458         terminal node with an Unreachable node (and remove all nodes after the
1459         ForceOSRExit). This will cut down on graph size when such a block dominates
1460         other blocks in the CFG. This allows us to get rid of huge chunks of the CFG
1461         in certain programs. When doing this transformation, we also insert
1462         Flushes/PhantomLocals to ensure we can recover values that are bytecode
1463         live-in to the ForceOSRExit.
1464         
1465         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
1466         does not get rid of all the CFG that it could. If we decide it's worth
1467         it, we could use additional inputs into this mechanism. For example, we could
1468         profile if a basic block ever executes inside the LLInt/Baseline, and
1469         remove parts of the CFG based on that.
1470         
1471         When running Speedometer with the concurrent JIT turned off, this patch
1472         improves DFG/FTL compile times by around 5%.
1473
1474         * dfg/DFGByteCodeParser.cpp:
1475         (JSC::DFG::ByteCodeParser::addToGraph):
1476         (JSC::DFG::ByteCodeParser::parse):
1477
1478 2018-01-09  Mark Lam  <mark.lam@apple.com>
1479
1480         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1481         https://bugs.webkit.org/show_bug.cgi?id=181388
1482         <rdar://problem/36349351>
1483
1484         Reviewed by Saam Barati.
1485
1486         When there are duplicate setters or getters, we may end up overwriting a getter
1487         with a setter, or vice versa.  This patch adds tracking for getters/setters that
1488         have been overwritten with duplicates and ignores them.
1489
1490         * bytecompiler/NodesCodegen.cpp:
1491         (JSC::PropertyListNode::emitBytecode):
1492         * parser/NodeConstructors.h:
1493         (JSC::PropertyNode::PropertyNode):
1494         * parser/Nodes.h:
1495         (JSC::PropertyNode::isOverriddenByDuplicate const):
1496         (JSC::PropertyNode::setIsOverriddenByDuplicate):
1497
1498 2018-01-08  Zan Dobersek  <zdobersek@igalia.com>
1499
1500         REGRESSION(r225913): about 30 JSC test failures on ARMv7
1501         https://bugs.webkit.org/show_bug.cgi?id=181162
1502         <rdar://problem/36261349>
1503
1504         Unreviewed follow-up to r226298. Enable the fast case in
1505         DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform,
1506         assuming in good faith that enough GP registers are available on any
1507         such configuration. The accompanying comment is adjusted to describe
1508         this assumption.
1509
1510         * dfg/DFGSpeculativeJIT.cpp:
1511         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1512
1513 2018-01-08  JF Bastien  <jfbastien@apple.com>
1514
1515         WebAssembly: mask indexed accesses to Table
1516         https://bugs.webkit.org/show_bug.cgi?id=181412
1517         <rdar://problem/36363236>
1518
1519         Reviewed by Saam Barati.
1520
1521         WebAssembly Table indexed accesses are user-controlled and
1522         bounds-checked. Force allocations of Table data to be a
1523         power-of-two, and explicitly mask accesses after bounds-check
1524         branches.
1525
1526         Rename misleading usage of "size" when "length" of a Table was
1527         intended.
1528
1529         Rename the Spectre option from "disable" to "enable".
1530
1531         * dfg/DFGSpeculativeJIT.cpp:
1532         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1533         * ftl/FTLLowerDFGToB3.cpp:
1534         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
1535         * jit/JIT.cpp:
1536         (JSC::JIT::JIT):
1537         * runtime/Options.h:
1538         * wasm/WasmB3IRGenerator.cpp:
1539         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1540         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1541         * wasm/WasmTable.cpp:
1542         (JSC::Wasm::Table::allocatedLength):
1543         (JSC::Wasm::Table::setLength):
1544         (JSC::Wasm::Table::create):
1545         (JSC::Wasm::Table::Table):
1546         (JSC::Wasm::Table::grow):
1547         (JSC::Wasm::Table::clearFunction):
1548         (JSC::Wasm::Table::setFunction):
1549         * wasm/WasmTable.h:
1550         (JSC::Wasm::Table::length const):
1551         (JSC::Wasm::Table::offsetOfLength):
1552         (JSC::Wasm::Table::offsetOfMask):
1553         (JSC::Wasm::Table::mask const):
1554         (JSC::Wasm::Table::isValidLength):
1555         * wasm/js/JSWebAssemblyInstance.cpp:
1556         (JSC::JSWebAssemblyInstance::create):
1557         * wasm/js/JSWebAssemblyTable.cpp:
1558         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
1559         (JSC::JSWebAssemblyTable::visitChildren):
1560         (JSC::JSWebAssemblyTable::grow):
1561         (JSC::JSWebAssemblyTable::getFunction):
1562         (JSC::JSWebAssemblyTable::clearFunction):
1563         (JSC::JSWebAssemblyTable::setFunction):
1564         * wasm/js/JSWebAssemblyTable.h:
1565         (JSC::JSWebAssemblyTable::isValidLength):
1566         (JSC::JSWebAssemblyTable::length const):
1567         (JSC::JSWebAssemblyTable::allocatedLength const):
1568         * wasm/js/WebAssemblyModuleRecord.cpp:
1569         (JSC::WebAssemblyModuleRecord::evaluate):
1570         * wasm/js/WebAssemblyTablePrototype.cpp:
1571         (JSC::webAssemblyTableProtoFuncLength):
1572         (JSC::webAssemblyTableProtoFuncGrow):
1573         (JSC::webAssemblyTableProtoFuncGet):
1574         (JSC::webAssemblyTableProtoFuncSet):
1575
1576 2018-01-08  Michael Saboff  <msaboff@apple.com>
1577
1578         Add a DOM gadget for Spectre testing
1579         https://bugs.webkit.org/show_bug.cgi?id=181351
1580
1581         Reviewed by Michael Saboff.
1582
1583         Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
1584         Spectre mitigations.
1585
1586         * runtime/Options.h:
1587
1588 2018-01-08  Mark Lam  <mark.lam@apple.com>
1589
1590         Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
1591         https://bugs.webkit.org/show_bug.cgi?id=181403
1592         <rdar://problem/36359789>
1593
1594         Rubber-stamped by JF Bastien.
1595
1596         * bytecode/CodeBlock.cpp:
1597         (JSC::CodeBlock::CodeBlock):
1598         (JSC::CodeBlock::~CodeBlock):
1599         (JSC::CodeBlock::setConstantRegisters):
1600         (JSC::CodeBlock::propagateTransitions):
1601         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1602         (JSC::CodeBlock::jettison):
1603         (JSC::CodeBlock::predictedMachineCodeSize):
1604         * bytecode/CodeBlock.h:
1605         (JSC::CodeBlock::vm const):
1606         (JSC::CodeBlock::addConstant):
1607         (JSC::CodeBlock::heap const):
1608         (JSC::CodeBlock::replaceConstant):
1609         * llint/LowLevelInterpreter.asm:
1610         * llint/LowLevelInterpreter32_64.asm:
1611         * llint/LowLevelInterpreter64.asm:
1612
1613 2018-01-07  Mark Lam  <mark.lam@apple.com>
1614
1615         Apply poisoning to more pointers in JSC.
1616         https://bugs.webkit.org/show_bug.cgi?id=181096
1617         <rdar://problem/36182970>
1618
1619         Reviewed by JF Bastien.
1620
1621         * assembler/MacroAssembler.h:
1622         (JSC::MacroAssembler::xorPtr):
1623         * assembler/MacroAssemblerARM64.h:
1624         (JSC::MacroAssemblerARM64::xor64):
1625         * assembler/MacroAssemblerX86_64.h:
1626         (JSC::MacroAssemblerX86_64::xor64):
1627         - Add xorPtr implementation.
1628
1629         * bytecode/CodeBlock.cpp:
1630         (JSC::CodeBlock::inferredName const):
1631         (JSC::CodeBlock::CodeBlock):
1632         (JSC::CodeBlock::finishCreation):
1633         (JSC::CodeBlock::~CodeBlock):
1634         (JSC::CodeBlock::setConstantRegisters):
1635         (JSC::CodeBlock::visitWeakly):
1636         (JSC::CodeBlock::visitChildren):
1637         (JSC::CodeBlock::propagateTransitions):
1638         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
1639         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1640         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
1641         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
1642         (JSC::CodeBlock::jettison):
1643         (JSC::CodeBlock::predictedMachineCodeSize):
1644         (JSC::CodeBlock::findPC):
1645         * bytecode/CodeBlock.h:
1646         (JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
1647         (JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
1648         (JSC::CodeBlock::stubInfoBegin):
1649         (JSC::CodeBlock::stubInfoEnd):
1650         (JSC::CodeBlock::callLinkInfosBegin):
1651         (JSC::CodeBlock::callLinkInfosEnd):
1652         (JSC::CodeBlock::instructions):
1653         (JSC::CodeBlock::instructions const):
1654         (JSC::CodeBlock::vm const):
1655         * dfg/DFGOSRExitCompilerCommon.h:
1656         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
1657         * jit/JIT.h:
1658         * llint/LLIntOfflineAsmConfig.h:
1659         * llint/LowLevelInterpreter.asm:
1660         * llint/LowLevelInterpreter64.asm:
1661         * parser/UnlinkedSourceCode.h:
1662         * runtime/JSCPoison.h:
1663         * runtime/JSGlobalObject.cpp:
1664         (JSC::JSGlobalObject::init):
1665         * runtime/JSGlobalObject.h:
1666         * runtime/JSScriptFetchParameters.h:
1667         * runtime/JSScriptFetcher.h:
1668         * runtime/StructureTransitionTable.h:
1669         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1670         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1671         (JSC::JSWebAssemblyCodeBlock::visitChildren):
1672         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
1673         * wasm/js/JSWebAssemblyCodeBlock.h:
1674
1675 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1676
1677         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1678         https://bugs.webkit.org/show_bug.cgi?id=181321
1679
1680         Reviewed by Saam Barati.
1681
1682         According to ECMA262 16.2[1], functions created using the bind method must not have
1683         "caller" and "arguments" own properties.
1684
1685         [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions
1686
1687         * runtime/JSBoundFunction.cpp:
1688         (JSC::JSBoundFunction::finishCreation):
1689
1690 2018-01-05  JF Bastien  <jfbastien@apple.com>
1691
1692         WebAssembly: poison JS object's secrets
1693         https://bugs.webkit.org/show_bug.cgi?id=181339
1694         <rdar://problem/36325001>
1695
1696         Reviewed by Mark Lam.
1697
1698         Separating WebAssembly's JS objects from their non-JS
1699         implementation means that all interesting information lives
1700         outside of the JS object itself. This patch poisons each JS
1701         object's pointer to non-JS implementation using the poisoning
1702         mechanism and a unique key per JS object type origin.
1703
1704         * runtime/JSCPoison.h:
1705         * wasm/js/JSToWasm.cpp:
1706         (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
1707         object in a stack slot when fast TLS is disabled. This requires
1708         that we unpoison the Wasm::Instance.
1709         * wasm/js/JSWebAssemblyCodeBlock.h:
1710         * wasm/js/JSWebAssemblyInstance.h:
1711         (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
1712         be explicit that the pointer is poisoned.
1713         * wasm/js/JSWebAssemblyMemory.h:
1714         * wasm/js/JSWebAssemblyModule.h:
1715         * wasm/js/JSWebAssemblyTable.h:
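
        Added example (editor's note, not JSC code): a minimal pointer-poisoning scheme
        in the spirit of the JSCPoison.h changes in the two entries above ("Apply
        poisoning to more pointers in JSC" and "WebAssembly: poison JS object's
        secrets"). JSC's real Poisoned<> class, key generation and key names are not
        reproduced here. Assumptions that are not in the ChangeLog: a 64-bit build with
        48-bit user-space virtual addresses, so any value with its top 16 bits set
        cannot be dereferenced from user mode; keys are derived deterministically from a
        seed so the example is reproducible (a real runtime draws them from OS entropy);
        and a null pointer poisons to null so "is this field set?" checks keep working.

```cpp
#include <cstdint>

// Per-type key. Forcing the top 16 bits on means a poisoned pointer is never a
// canonical user-space address, so dereferencing a field without unpoisoning it
// first faults instead of reading attacker-influenced memory.
struct PoisonKey { uintptr_t value; };

// Deterministic key derivation for the example only (xorshift64* step plus the
// high-bit mask). Assumed, not JSC's scheme.
static PoisonKey makePoisonKey(uint64_t seed) {
    uint64_t x = seed ^ 0x9E3779B97F4A7C15ull;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    x *= 0x2545F4914F6CDD1Dull;
    return PoisonKey{ static_cast<uintptr_t>(x | 0xFFFF000000000000ull) };
}

// Assumed 48-bit user address space: canonical user pointers have zero top bits.
static bool isCanonicalUserPointer(uintptr_t p) {
    return (p >> 48) == 0;
}

static uintptr_t poisonPointer(PoisonKey key, const void* p) {
    uintptr_t raw = reinterpret_cast<uintptr_t>(p);
    return raw ? raw ^ key.value : 0;   // null stays null (assumption)
}

static void* unpoisonPointer(PoisonKey key, uintptr_t poisoned) {
    return poisoned ? reinterpret_cast<void*>(poisoned ^ key.value) : nullptr;
}

// Stand-ins for a JS wrapper object and the non-JS implementation it owns.
struct WasmInstanceImpl { uint32_t memoryPages; };
struct JSWasmInstanceLike {
    uintptr_t poisonedInstance;   // never holds a raw pointer
};

// One key per JS object type (hypothetical names).
static const PoisonKey kInstanceKey = makePoisonKey(1);
static const PoisonKey kTableKey = makePoisonKey(2);

static void setInstance(JSWasmInstanceLike* js, WasmInstanceImpl* impl) {
    js->poisonedInstance = poisonPointer(kInstanceKey, impl);
}

static WasmInstanceImpl* instance(const JSWasmInstanceLike* js) {
    return static_cast<WasmInstanceImpl*>(unpoisonPointer(kInstanceKey, js->poisonedInstance));
}

// Decoding a value with another type's key yields an unrelated address, which
// is what makes type confusion between poisoned fields unprofitable.
static void* unpoisonAsTable(uintptr_t poisoned) {
    return unpoisonPointer(kTableKey, poisoned);
}

// Models an attacker with a heap write primitive who overwrites the field with
// a raw pointer to memory they control, without knowing the key. Returns the
// address the runtime would actually dereference.
static uintptr_t forgedFieldDecodesTo(const void* attackerControlled) {
    JSWasmInstanceLike js;
    js.poisonedInstance = reinterpret_cast<uintptr_t>(attackerControlled);
    return reinterpret_cast<uintptr_t>(instance(&js));
}
```

        The point to check in review of any such scheme is that every read of the
        field goes through the unpoisoning accessor, including JIT-emitted code (hence
        the xorPtr assembler helper added in the entry above), and that the key is
        never stored next to the poisoned value.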
1716
1717 2018-01-05  Michael Saboff  <msaboff@apple.com>
1718
1719         Add ability to disable indexed property masking for testing
1720         https://bugs.webkit.org/show_bug.cgi?id=181350
1721
1722         Reviewed by Keith Miller.
1723
1724         Made the masking of indexed properties runtime controllable via a new JSC::Option
1725         named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.
1726
1727         The new option has a generic name as it will probably be used to disable future mitigations.
1728
1729         * dfg/DFGSpeculativeJIT.cpp:
1730         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1731         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
1732         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1733         * dfg/DFGSpeculativeJIT.h:
1734         * dfg/DFGSpeculativeJIT64.cpp:
1735         (JSC::DFG::SpeculativeJIT::compile):
1736         * ftl/FTLLowerDFGToB3.cpp:
1737         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
1738         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
1739         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
1740         * jit/JIT.cpp:
1741         (JSC::JIT::JIT):
1742         * jit/JIT.h:
1743         * jit/JITPropertyAccess.cpp:
1744         (JSC::JIT::emitDoubleLoad):
1745         (JSC::JIT::emitContiguousLoad):
1746         (JSC::JIT::emitArrayStorageLoad):
1747         * runtime/Options.h:
1748         * wasm/WasmB3IRGenerator.cpp:
1749         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1750
1751 2018-01-05  Michael Saboff  <msaboff@apple.com>
1752
1753         Allow JSC Config Files to set Restricted Options
1754         https://bugs.webkit.org/show_bug.cgi?id=181352
1755
1756         Reviewed by Mark Lam.
1757
1758         * runtime/ConfigFile.cpp:
1759         (JSC::ConfigFile::parse):
1760
1761 2018-01-04  Keith Miller  <keith_miller@apple.com>
1762
1763         TypedArrays and Wasm should use index masking.
1764         https://bugs.webkit.org/show_bug.cgi?id=181313
1765
1766         Reviewed by Michael Saboff.
1767
1768         We should have index masking for our TypedArray code in the
1769         DFG/FTL and for Wasm when doing bounds checking. Index masking for
1770         Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
1771         WasmBoundsCheckValues we don't need to worry about combining a
1772         bounds check for a load and a store. I went with fusing the
1773         pointer masking in the WasmBoundsCheckValue since it should reduce
1774         additional compiler overhead.
1775
1776         * b3/B3LowerToAir.cpp:
1777         * b3/B3Validate.cpp:
1778         * b3/B3WasmBoundsCheckValue.cpp:
1779         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
1780         (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
1781         * b3/B3WasmBoundsCheckValue.h:
1782         (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
1783         * b3/air/AirCustom.h:
1784         (JSC::B3::Air::WasmBoundsCheckCustom::generate):
1785         * b3/testb3.cpp:
1786         (JSC::B3::testWasmBoundsCheck):
1787         * dfg/DFGSpeculativeJIT.cpp:
1788         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1789         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
1790         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1791         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1792         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1793         * dfg/DFGSpeculativeJIT.h:
1794         * dfg/DFGSpeculativeJIT64.cpp:
1795         (JSC::DFG::SpeculativeJIT::compile):
1796         * ftl/FTLLowerDFGToB3.cpp:
1797         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
1798         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1799         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1800         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
1801         * jit/JITPropertyAccess.cpp:
1802         (JSC::JIT::emitIntTypedArrayGetByVal):
1803         * runtime/Butterfly.h:
1804         (JSC::Butterfly::computeIndexingMask const):
1805         (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
1806         * runtime/JSArrayBufferView.cpp:
1807         (JSC::JSArrayBufferView::JSArrayBufferView):
1808         * wasm/WasmB3IRGenerator.cpp:
1809         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1810         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1811         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1812         (JSC::Wasm::B3IRGenerator::load):
1813         (JSC::Wasm::B3IRGenerator::store):
1814         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1815         * wasm/WasmBinding.cpp:
1816         (JSC::Wasm::wasmToWasm):
1817         * wasm/WasmMemory.cpp:
1818         (JSC::Wasm::Memory::Memory):
1819         (JSC::Wasm::Memory::grow):
1820         * wasm/WasmMemory.h:
1821         (JSC::Wasm::Memory::offsetOfIndexingMask):
1822         * wasm/WasmMemoryInformation.cpp:
1823         (JSC::Wasm::PinnedRegisterInfo::get):
1824         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1825         * wasm/WasmMemoryInformation.h:
1826         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1827         * wasm/js/JSToWasm.cpp:
1828         (JSC::Wasm::createJSToWasmWrapper):
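
        Added example (editor's note, not JSC code): the bounds-check-then-mask pattern
        described in "WebAssembly: mask indexed accesses to Table" above, which is the
        same idea the TypedArray/Wasm memory entries apply via an indexing mask stored
        beside the object. Assumptions that are not in the ChangeLog: 32-bit indices and
        lengths, a cap of 2^30 entries so rounding up to a power of two cannot
        overflow, and a plain calloc'd backing store. JSC's Table, Butterfly and
        WasmBoundsCheckValue have different shapes; only the invariant is the same.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Hypothetical table: the allocation is always a power of two, so
// (allocatedLength - 1) is a mask that keeps any index inside the allocation
// even when the bounds-check branch is mispredicted during speculation.
struct MaskedTable {
    uint32_t* entries;
    uint32_t length;           // user-visible length, checked on every access
    uint32_t allocatedLength;  // always a power of two, >= length
    uint32_t mask;             // allocatedLength - 1
};

static const uint32_t kMaxLength = 1u << 30;   // assumed cap for the example

static uint32_t roundUpToPowerOfTwo(uint32_t n) {
    uint32_t p = 1;
    while (p < n) p <<= 1;   // n <= kMaxLength, so this cannot overflow
    return p;
}

static bool maskedTableInit(MaskedTable* t, uint32_t length) {
    if (length > kMaxLength) return false;
    uint32_t allocated = roundUpToPowerOfTwo(length);
    uint32_t* entries = static_cast<uint32_t*>(calloc(allocated, sizeof(uint32_t)));
    if (!entries) return false;
    t->entries = entries;
    t->length = length;
    t->allocatedLength = allocated;
    t->mask = allocated - 1;
    return true;
}

// Grow preserves the power-of-two invariant so the mask stays valid afterwards.
static bool maskedTableGrow(MaskedTable* t, uint32_t newLength) {
    if (newLength < t->length || newLength > kMaxLength) return false;
    uint32_t allocated = roundUpToPowerOfTwo(newLength);
    if (allocated != t->allocatedLength) {
        uint32_t* entries = static_cast<uint32_t*>(calloc(allocated, sizeof(uint32_t)));
        if (!entries) return false;
        memcpy(entries, t->entries, t->length * sizeof(uint32_t));
        free(t->entries);
        t->entries = entries;
        t->allocatedLength = allocated;
        t->mask = allocated - 1;
    }
    t->length = newLength;
    return true;
}

static void maskedTableDestroy(MaskedTable* t) {
    free(t->entries);
    t->entries = nullptr;
    t->length = t->allocatedLength = t->mask = 0;
}

// The index a transiently executed load uses if the bounds check is
// mispredicted. Masked, it is always < allocatedLength, i.e. inside this
// table's own allocation, so a speculative out-of-range read cannot reach
// other memory; unmasked, it is the attacker's index verbatim.
static uint32_t maskedIndex(const MaskedTable* t, uint32_t index) {
    return index & t->mask;
}

// Vulnerable shape: architecturally correct, but the load can still execute
// transiently for index >= length before the branch resolves.
static bool unmaskedGet(const MaskedTable* t, uint32_t index, uint32_t* out) {
    if (index >= t->length) return false;
    *out = t->entries[index];
    return true;
}

// Hardened shape: check, then mask, then load.
static bool maskedGet(const MaskedTable* t, uint32_t index, uint32_t* out) {
    if (index >= t->length) return false;
    *out = t->entries[maskedIndex(t, index)];
    return true;
}

static bool maskedSet(MaskedTable* t, uint32_t index, uint32_t value) {
    if (index >= t->length) return false;
    t->entries[maskedIndex(t, index)] = value;
    return true;
}
```

        The mask is only a defence if the compiler cannot hoist or fold it away and if
        the masked index is derived from the same register the check used, which is why
        the JIT tiers in the entries above emit the AND explicitly after the branch
        rather than relying on the C++ compiler.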
1829
1830 2018-01-05  Commit Queue  <commit-queue@webkit.org>
1831
1832         Unreviewed, rolling out r226434.
1833         https://bugs.webkit.org/show_bug.cgi?id=181322
1834
1835         32bit JSC failure in x86 (Requested by yusukesuzuki on
1836         #webkit).
1837
1838         Reverted changeset:
1839
1840         "[DFG] Unify ToNumber implementation in 32bit and 64bit by
1841         changing 32bit Int32Tag and LowestTag"
1842         https://bugs.webkit.org/show_bug.cgi?id=181134
1843         https://trac.webkit.org/changeset/226434
1844
1845 2018-01-04  Devin Rousso  <webkit@devinrousso.com>
1846
1847         Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
1848         https://bugs.webkit.org/show_bug.cgi?id=180770
1849
1850         Reviewed by Joseph Pecoraro.
1851
1852         * inspector/protocol/Canvas.json:
1853
1854 2018-01-04  Commit Queue  <commit-queue@webkit.org>
1855
1856         Unreviewed, rolling out r226405.
1857         https://bugs.webkit.org/show_bug.cgi?id=181318
1858
1859         Speculative rollout due to Octane/SplayLatency,Octane/Splay
1860         regressions (Requested by yusukesuzuki on #webkit).
1861
1862         Reverted changeset:
1863
1864         "[JSC] Create parallel SlotVisitors apriori"
1865         https://bugs.webkit.org/show_bug.cgi?id=180907
1866         https://trac.webkit.org/changeset/226405
1867
1868 2018-01-04  Saam Barati  <sbarati@apple.com>
1869
1870         Do value profiling in to_this
1871         https://bugs.webkit.org/show_bug.cgi?id=181299
1872
1873         Reviewed by Filip Pizlo.
1874
1875         This patch adds value profiling to to_this. We use the result of the value
1876         profiling only for strict mode code when we don't predict that the input is
1877         of a specific type. This helps when the input is SpecCellOther. Such cells
1878         might implement a custom ToThis, which can produce an arbitrary result. Before
1879         this patch, in prediction propagation, we were saying that a ToThis with a
1880         SpecCellOther input also produced SpecCellOther. However, this is incorrect,
1881         given that the input may implement ToThis that produces an arbitrary result.
1882         This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.
1883         
1884         Interestingly, this patch only does value profiling on the slow path. The fast
1885         path of to_this in the LLInt/baseline just performs a structure check. If it
1886         passes, the result is the same as the input. Therefore, doing value profiling
1887         from the fast path wouldn't actually produce new information for the ValueProfile.
1888
1889         * bytecode/BytecodeDumper.cpp:
1890         (JSC::BytecodeDumper<Block>::dumpBytecode):
1891         * bytecode/BytecodeList.json:
1892         * bytecode/CodeBlock.cpp:
1893         (JSC::CodeBlock::finishCreation):
1894         * bytecompiler/BytecodeGenerator.cpp:
1895         (JSC::BytecodeGenerator::BytecodeGenerator):
1896         (JSC::BytecodeGenerator::emitToThis):
1897         * bytecompiler/BytecodeGenerator.h:
1898         * dfg/DFGByteCodeParser.cpp:
1899         (JSC::DFG::ByteCodeParser::parseBlock):
1900         * dfg/DFGNode.h:
1901         (JSC::DFG::Node::hasHeapPrediction):
1902         * dfg/DFGPredictionPropagationPhase.cpp:
1903         * runtime/CommonSlowPaths.cpp:
1904         (JSC::SLOW_PATH_DECL):
1905
1906 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1907
1908         [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
1909         https://bugs.webkit.org/show_bug.cgi?id=181134
1910
1911         Reviewed by Mark Lam.
1912
1913         We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
1914         branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
1915         an additional scratch register. We do not want to allocate an unnecessary register in 64bit
1916         implementation.
1917
1918         This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
1919         and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
1920         setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
1921         `<= LowestTag(Int32Tag)`.
1922
1923         We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.
1924
1925         We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.
1926
1927         * dfg/DFGSpeculativeJIT.cpp:
1928         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1929         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1930         (JSC::DFG::SpeculativeJIT::speculateNumber):
1931         (JSC::DFG::SpeculativeJIT::speculateMisc):
1932         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1933         (JSC::DFG::SpeculativeJIT::compileToNumber):
1934         * dfg/DFGSpeculativeJIT.h:
1935         * dfg/DFGSpeculativeJIT32_64.cpp:
1936         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1937         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1938         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1939         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1940         (JSC::DFG::SpeculativeJIT::compile):
1941         * dfg/DFGSpeculativeJIT64.cpp:
1942         (JSC::DFG::SpeculativeJIT::compile):
1943         * jit/AssemblyHelpers.cpp:
1944         (JSC::AssemblyHelpers::branchIfNotType):
1945         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
1946         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1947         * jit/AssemblyHelpers.h:
1948         (JSC::AssemblyHelpers::branchIfMisc):
1949         (JSC::AssemblyHelpers::branchIfNotMisc):
1950         (JSC::AssemblyHelpers::branchIfNumber):
1951         (JSC::AssemblyHelpers::branchIfNotNumber):
1952         (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
1953         (JSC::AssemblyHelpers::emitTypeOf):
1954         * jit/JITAddGenerator.cpp:
1955         (JSC::JITAddGenerator::generateFastPath):
1956         * jit/JITArithmetic32_64.cpp:
1957         (JSC::JIT::emitBinaryDoubleOp):
1958         * jit/JITDivGenerator.cpp:
1959         (JSC::JITDivGenerator::loadOperand):
1960         * jit/JITMulGenerator.cpp:
1961         (JSC::JITMulGenerator::generateInline):
1962         (JSC::JITMulGenerator::generateFastPath):
1963         * jit/JITNegGenerator.cpp:
1964         (JSC::JITNegGenerator::generateInline):
1965         (JSC::JITNegGenerator::generateFastPath):
1966         * jit/JITOpcodes32_64.cpp:
1967         (JSC::JIT::emit_op_is_number):
1968         (JSC::JIT::emit_op_jeq_null):
1969         (JSC::JIT::emit_op_jneq_null):
1970         (JSC::JIT::emit_op_to_number):
1971         (JSC::JIT::emit_op_profile_type):
1972         * jit/JITRightShiftGenerator.cpp:
1973         (JSC::JITRightShiftGenerator::generateFastPath):
1974         * jit/JITSubGenerator.cpp:
1975         (JSC::JITSubGenerator::generateInline):
1976         (JSC::JITSubGenerator::generateFastPath):
1977         * llint/LLIntData.cpp:
1978         (JSC::LLInt::Data::performAssertions):
1979         * llint/LowLevelInterpreter.asm:
1980         * llint/LowLevelInterpreter32_64.asm:
1981         * runtime/JSCJSValue.h:
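
The tag-ordering trick described in the entry above, as an added example that is not JavaScriptCore code: a small C++ model of the 32bit (JSVALUE32_64) tag/payload encoding. The concrete tag values, the helper names (`isNumber`, `toNumberFast`, `isUndefinedOrNull`, `wouldAliasTag`) and the canonical-NaN constant are assumed for illustration and are not taken from the tree; only the ordering the entry states (Int32Tag is LowestTag, every other tag sits above it, `(UndefinedTag | 1) == NullTag`) comes from the entry.

```cpp
// Added example, not JavaScriptCore code: a model of the 32bit tag/payload
// encoding. Tag values below are assumed for illustration; only their ordering
// reflects the ChangeLog entry.
#include <cassert>
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Assumed layout: Int32Tag is the lowest tag, every other tag is above it,
// and UndefinedTag/NullTag differ only in bit 0.
enum Tag : uint32_t {
    CellTag         = 0xffffffffu,
    BooleanTag      = 0xfffffffeu,
    NullTag         = 0xfffffffdu,
    UndefinedTag    = 0xfffffffcu,
    EmptyValueTag   = 0xfffffffbu,
    DeletedValueTag = 0xfffffffau,
    Int32Tag        = 0xfffffff9u,
    LowestTag       = Int32Tag,
};
static_assert((UndefinedTag | 1) == NullTag, "jeq_null/jneq_null rely on this pairing");

struct Value {
    uint32_t tag;      // high word: a Tag, or the high word of a double
    uint32_t payload;  // low word: int32, bool, cell pointer, or low word of a double
};

// Canonical quiet NaN (assumed constant; JSC calls its purified NaN PNaN). Its high
// word 0x7ff80000 is far below LowestTag, so it can never look like a tagged value.
constexpr uint64_t kPureNaNBits = 0x7ff8000000000000ull;

// True if a raw double bit pattern would collide with the tag space. Every non-NaN
// double has a high word of at most 0xfff00000 (-Infinity); only an unpurified NaN
// can reach the tag range, which is why doubles must be canonicalized before boxing.
bool wouldAliasTag(uint64_t rawBits) { return uint32_t(rawBits >> 32) >= LowestTag; }

Value fromDouble(double d) {
    uint64_t bits;
    if (std::isnan(d))
        bits = kPureNaNBits;            // purify NaN before it is stored as tag/payload
    else
        std::memcpy(&bits, &d, sizeof bits);
    return { uint32_t(bits >> 32), uint32_t(bits) };
}
Value fromInt32(int32_t i) { return { Int32Tag, uint32_t(i) }; }
Value fromBoolean(bool b)  { return { BooleanTag, b ? 1u : 0u }; }
Value undefinedValue()     { return { UndefinedTag, 0 }; }
Value nullValue()          { return { NullTag, 0 }; }
Value cellValue(uint32_t p){ return { CellTag, p }; }

// The point of the change: with Int32Tag == LowestTag, "is this a number?" is one
// unsigned compare (branch32 BelowOrEqual in the JIT) and needs no scratch register.
bool isNumber(Value v) { return v.tag <= LowestTag; }
bool isInt32(Value v)  { return v.tag == Int32Tag; }
bool isDouble(Value v) { return v.tag < LowestTag; }

// What (UndefinedTag | 1) == NullTag buys: undefined-or-null in one OR plus compare.
bool isUndefinedOrNull(Value v) { return (v.tag | 1) == NullTag; }

// ToNumber fast path for values that are already numbers. Returns false and leaves
// `out` untouched for anything else, where a real implementation takes the slow path.
bool toNumberFast(Value v, double& out) {
    if (!isNumber(v))
        return false;
    if (isInt32(v)) {
        out = int32_t(v.payload);
        return true;
    }
    uint64_t bits = (uint64_t(v.tag) << 32) | v.payload;
    std::memcpy(&out, &bits, sizeof out);
    return true;
}

int main() {
    double d = 0;
    assert(isNumber(fromInt32(-7)) && toNumberFast(fromInt32(-7), d) && d == -7.0);
    assert(isDouble(fromDouble(-INFINITY)) && !isInt32(fromDouble(-INFINITY)));
    assert(!isNumber(fromBoolean(true)) && !isNumber(cellValue(0x1000)));
    assert(isUndefinedOrNull(undefinedValue()) && isUndefinedOrNull(nullValue()));
    assert(!isUndefinedOrNull(fromBoolean(false)));
    assert(wouldAliasTag(0xffffffffffffffffull));   // an unpurified NaN would alias CellTag
    assert(!wouldAliasTag(0xfff0000000000000ull));  // -Infinity is safely below LowestTag
    std::puts("ok");
    return 0;
}
```

The compare in `isNumber` has to be unsigned (tags live near 0xffffffff, so a signed compare would put them below every positive double's high word), and the single compare is only sound if every boxed double has been NaN-purified as `fromDouble` does: an unpurified NaN with all high bits set would otherwise satisfy `tag == CellTag` and be treated as a pointer.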
1982
1983 2018-01-04  JF Bastien  <jfbastien@apple.com>
1984
1985         Add assembler support for x86 lfence and sfence
1986         https://bugs.webkit.org/show_bug.cgi?id=181311
1987         <rdar://problem/36301780>
1988
1989         Reviewed by Michael Saboff.
1990
1991         Useful for testing performance of serializing instructions (hint:
1992         it's not good).
1993
1994         * assembler/MacroAssemblerX86Common.h:
1995         (JSC::MacroAssemblerX86Common::lfence):
1996         (JSC::MacroAssemblerX86Common::sfence):
1997         * assembler/X86Assembler.h:
1998         (JSC::X86Assembler::lfence):
1999         (JSC::X86Assembler::sfence):
2000
2001 2018-01-04  Saam Barati  <sbarati@apple.com>
2002
2003         Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
2004         https://bugs.webkit.org/show_bug.cgi?id=181296
2005
2006         Reviewed by Filip Pizlo.
2007
2008         Inside Speedometer's Ember test, there is a recompile loop like:
2009         a: GetByVal(..., semanticOriginX)
2010         b: SetLocal(Cell:@a, semanticOriginX)
2011         
2012         where the cell check always fails. For reasons I didn't investigate, the
2013         baseline JIT's value profiling doesn't accurately capture the GetByVal's
2014         result.
2015         
2016         However, when compiling this cell speculation check in the DFG, we get a null
2017         MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
2018         this IR pattern because both @a and @b have the same semantic origin. We
2019         should not follow the same semantic origin heuristic when dealing with
2020         SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
2021         For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
2022         For this IR pattern, we will update the value profile for the semantic origin
2023         for @nodeWithHeapPrediction. So, for the Speedometer example above, we
2024         will correctly update the GetByVal's value profile, which will prevent
2025         an OSR exit loop.
2026
2027         * dfg/DFGGraph.cpp:
2028         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2029
2030 2018-01-04  Keith Miller  <keith_miller@apple.com>
2031
2032         Array Storage operations sometimes did not update the indexing mask correctly.
2033         https://bugs.webkit.org/show_bug.cgi?id=181301
2034
2035         Reviewed by Mark Lam.
2036
2037         I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
2038
2039         * runtime/JSArray.cpp:
2040         (JSC::JSArray::shiftCountWithArrayStorage):
2041         * runtime/JSObject.cpp:
2042         (JSC::JSObject::increaseVectorLength):
2043
2044 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2045
2046         [DFG] Define defs for MapSet/SetAdd to participate in CSE
2047         https://bugs.webkit.org/show_bug.cgi?id=179911
2048
2049         Reviewed by Saam Barati.
2050
2051         With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
2052         To handle the somewhat tricky DFG Map operation nodes, MapSet and SetAdd
2053         produce the added bucket as their result. A subsequent GetMapBucket will
2054         be removed by CSE.
2055
2056         * dfg/DFGAbstractInterpreterInlines.h:
2057         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2058         * dfg/DFGClobberize.h:
2059         (JSC::DFG::clobberize):
2060         * dfg/DFGNodeType.h:
2061         * dfg/DFGOperations.cpp:
2062         * dfg/DFGOperations.h:
2063         * dfg/DFGPredictionPropagationPhase.cpp:
2064         * dfg/DFGSpeculativeJIT.cpp:
2065         (JSC::DFG::SpeculativeJIT::compileSetAdd):
2066         (JSC::DFG::SpeculativeJIT::compileMapSet):
2067         * dfg/DFGSpeculativeJIT.h:
2068         (JSC::DFG::SpeculativeJIT::callOperation):
2069         * ftl/FTLLowerDFGToB3.cpp:
2070         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
2071         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
2072         * jit/JITOperations.h:
2073         * runtime/HashMapImpl.h:
2074         (JSC::HashMapImpl::addNormalized):
2075         (JSC::HashMapImpl::addNormalizedInternal):
2076
2077 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2078
2079         [JSC] Remove LocalScope
2080         https://bugs.webkit.org/show_bug.cgi?id=181206
2081
2082         Reviewed by Geoffrey Garen.
2083
2084         The last user of HandleStack and LocalScope is JSON, but MarkedArgumentBuffer is enough for their use.
2085         This patch changes JSON parsing and stringifying to use MarkedArgumentBuffer, and removes HandleStack
2086         and LocalScope.
2087
2088         We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack, so they can hold
2089         JSObject* directly in their fields.
2090
2091         * JavaScriptCore.xcodeproj/project.pbxproj:
2092         * Sources.txt:
2093         * heap/HandleStack.cpp: Removed.
2094         * heap/HandleStack.h: Removed.
2095         * heap/Heap.cpp:
2096         (JSC::Heap::addCoreConstraints):
2097         * heap/Heap.h:
2098         (JSC::Heap::handleSet):
2099         (JSC::Heap::handleStack): Deleted.
2100         * heap/Local.h: Removed.
2101         * heap/LocalScope.h: Removed.
2102         * runtime/JSONObject.cpp:
2103         (JSC::Stringifier::Holder::object const):
2104         (JSC::gap):
2105         (JSC::Stringifier::Stringifier):
2106         (JSC::Stringifier::stringify):
2107         (JSC::Stringifier::appendStringifiedValue):
2108         (JSC::Stringifier::Holder::Holder):
2109         (JSC::Stringifier::Holder::appendNextProperty):
2110         (JSC::Walker::Walker):
2111         (JSC::Walker::callReviver):
2112         (JSC::Walker::walk):
2113         (JSC::JSONProtoFuncParse):
2114         (JSC::JSONProtoFuncStringify):
2115         (JSC::JSONParse):
2116         (JSC::JSONStringify):
2117
2118 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2119
2120         [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
2121         https://bugs.webkit.org/show_bug.cgi?id=180238
2122
2123         Reviewed by Saam Barati.
2124
2125         We can optimize ObjectAllocationSinking a bit by using removeIf.
2126
2127         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2128
2129 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2130
2131         [JSC] Create parallel SlotVisitors apriori
2132         https://bugs.webkit.org/show_bug.cgi?id=180907
2133
2134         Reviewed by Saam Barati.
2135
2136         The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
2137         If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
2138         Then we do not need to grab locks while iterating all the SlotVisitors.
2139
2140         In addition, we do not need to consider the case that the number of SlotVisitors increases
2141         after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
2142         does not increase any more.
2143
2144         * heap/Heap.cpp:
2145         (JSC::Heap::Heap):
2146         (JSC::Heap::runBeginPhase):
2147         * heap/Heap.h:
2148         * heap/HeapInlines.h:
2149         (JSC::Heap::forEachSlotVisitor):
2150         (JSC::Heap::numberOfSlotVisitors): Deleted.
2151         * heap/MarkingConstraintSolver.cpp:
2152         (JSC::MarkingConstraintSolver::didVisitSomething const):
2153
2154 2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>
2155
2156         Replace hard-coded paths in shebangs with #!/usr/bin/env
2157         https://bugs.webkit.org/show_bug.cgi?id=181040
2158
2159         Reviewed by Alex Christensen.
2160
2161         * Scripts/UpdateContents.py:
2162         * Scripts/cssmin.py:
2163         * Scripts/generate-combined-inspector-json.py:
2164         * Scripts/xxd.pl:
2165         * create_hash_table:
2166         * generate-bytecode-files:
2167         * wasm/generateWasm.py:
2168         * wasm/generateWasmOpsHeader.py:
2169         * yarr/generateYarrCanonicalizeUnicode:
2170
2171 2018-01-03  Michael Saboff  <msaboff@apple.com>
2172
2173         Disable SharedArrayBuffers from Web API
2174         https://bugs.webkit.org/show_bug.cgi?id=181266
2175
2176         Reviewed by Saam Barati.
2177
2178         Removed SharedArrayBuffer prototype and structure from GlobalObject creation
2179         to disable.
2180
2181         * runtime/JSGlobalObject.cpp:
2182         (JSC::JSGlobalObject::init):
2183         (JSC::JSGlobalObject::visitChildren):
2184         * runtime/JSGlobalObject.h:
2185         (JSC::JSGlobalObject::arrayBufferPrototype const):
2186         (JSC::JSGlobalObject::arrayBufferStructure const):
2187
2188 2018-01-03  Michael Saboff  <msaboff@apple.com>
2189
2190         Add "noInline" to $vm
2191         https://bugs.webkit.org/show_bug.cgi?id=181265
2192
2193         Reviewed by Mark Lam.
2194
2195         This would be useful for web-based tests.
2196
2197         * tools/JSDollarVM.cpp:
2198         (JSC::getExecutableForFunction):
2199         (JSC::functionNoInline):
2200         (JSC::JSDollarVM::finishCreation):
2201
2202 2018-01-03  Michael Saboff  <msaboff@apple.com>
2203
2204         Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
2205         https://bugs.webkit.org/show_bug.cgi?id=181263
2206
2207         Reviewed by Mark Lam.
2208
2209         Flushing the butterfly pointer provides no benefit and slows this function.
2210
2211         * tools/JSDollarVM.cpp:
2212         (JSC::functionCpuClflush):
2213
2214 2018-01-03  Saam Barati  <sbarati@apple.com>
2215
2216         Fix BytecodeParser op_catch assert to work with useProfiler=1
2217         https://bugs.webkit.org/show_bug.cgi?id=181260
2218
2219         Reviewed by Keith Miller.
2220
2221         op_catch was asserting that the current block was empty. This is only true
2222         if the profiler isn't enabled. When the profiler is enabled, we will
2223         insert a CountExecution node before each bytecode. This patch fixes the
2224         assert to work with the profiler.
2225
2226         * dfg/DFGByteCodeParser.cpp:
2227         (JSC::DFG::ByteCodeParser::parseBlock):
2228
2229 2018-01-03  Per Arne Vollan  <pvollan@apple.com>
2230
2231         [Win][Debug] testapi link error.
2232         https://bugs.webkit.org/show_bug.cgi?id=181247
2233         <rdar://problem/36166729>
2234
2235         Reviewed by Brent Fulgham.
2236
2237         Do not set the runtime library compile flag for C files; it is already set to the correct value.
2238  
2239         * shell/PlatformWin.cmake:
2240
2241 2018-01-03  Robin Morisset  <rmorisset@apple.com>
2242
2243         Inlining of a function that ends in op_unreachable crashes
2244         https://bugs.webkit.org/show_bug.cgi?id=181027
2245
2246         Reviewed by Filip Pizlo.
2247
2248         * dfg/DFGByteCodeParser.cpp:
2249         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
2250         (JSC::DFG::ByteCodeParser::inlineCall):
2251
2252 2018-01-02  Saam Barati  <sbarati@apple.com>
2253
2254         Incorrect assertion inside AccessCase
2255         https://bugs.webkit.org/show_bug.cgi?id=181200
2256         <rdar://problem/35494754>
2257
2258         Reviewed by Yusuke Suzuki.
2259
2260         Consider a PutById compiled to a setter in a function like so:
2261         
2262         ```
2263         function foo(o) { o.f = o; }
2264         ```
2265         
2266         The DFG will often assign the same registers to the baseGPR (o in o.f) and the
2267         valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
2268         to the same register. However, we're asserting that they're not the same register.
2269         This patch just removes this invalid assertion.
2270
2271         * bytecode/AccessCase.cpp:
2272         (JSC::AccessCase::generateImpl):
2273
2274 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
2275
2276         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
2277         https://bugs.webkit.org/show_bug.cgi?id=175359
2278
2279         Reviewed by Yusuke Suzuki.
2280
2281         This patch is implementing BigIntConstructor and BigIntPrototype
2282         following the spec [1, 2]. In addition, we are also implementing the BigIntObject
2283         wrapper to handle the ToObject(v) abstract operation when "v" is a BigInt
2284         primitive. With these classes, it is now possible to synthesize
2285         BigInt.prototype and then call "toString", "valueOf" and
2286         "toLocaleString" when the primitive is a BigInt.
2287         BigIntConstructor exposes an API to parse other primitives such as
2288         Number, Boolean and String to BigInt.
2289         We decided to skip the parseInt implementation, since it was removed from
2290         the spec.
2291
2292         [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
2293         [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object 
2294
2295         * CMakeLists.txt:
2296         * DerivedSources.make:
2297         * JavaScriptCore.xcodeproj/project.pbxproj:
2298         * Sources.txt:
2299         * jsc.cpp:
2300         * runtime/BigIntConstructor.cpp: Added.
2301         (JSC::BigIntConstructor::BigIntConstructor):
2302         (JSC::BigIntConstructor::finishCreation):
2303         (JSC::isSafeInteger):
2304         (JSC::toBigInt):
2305         (JSC::callBigIntConstructor):
2306         (JSC::bigIntConstructorFuncAsUintN):
2307         (JSC::bigIntConstructorFuncAsIntN):
2308         * runtime/BigIntConstructor.h: Added.
2309         (JSC::BigIntConstructor::create):
2310         (JSC::BigIntConstructor::createStructure):
2311         * runtime/BigIntObject.cpp: Added.
2312         (JSC::BigIntObject::BigIntObject):
2313         (JSC::BigIntObject::finishCreation):
2314         (JSC::BigIntObject::toStringName):
2315         (JSC::BigIntObject::defaultValue):
2316         * runtime/BigIntObject.h: Added.
2317         (JSC::BigIntObject::create):
2318         (JSC::BigIntObject::internalValue const):
2319         (JSC::BigIntObject::createStructure):
2320         * runtime/BigIntPrototype.cpp: Added.
2321         (JSC::BigIntPrototype::BigIntPrototype):
2322         (JSC::BigIntPrototype::finishCreation):
2323         (JSC::toThisBigIntValue):
2324         (JSC::bigIntProtoFuncToString):
2325         (JSC::bigIntProtoFuncToLocaleString):
2326         (JSC::bigIntProtoFuncValueOf):
2327         * runtime/BigIntPrototype.h: Added.
2328         (JSC::BigIntPrototype::create):
2329         (JSC::BigIntPrototype::createStructure):
2330         * runtime/IntlCollator.cpp:
2331         (JSC::IntlCollator::initializeCollator):
2332         * runtime/IntlNumberFormat.cpp:
2333         (JSC::IntlNumberFormat::initializeNumberFormat):
2334         * runtime/JSBigInt.cpp:
2335         (JSC::JSBigInt::createFrom):
2336         (JSC::JSBigInt::parseInt):
2337         (JSC::JSBigInt::toObject const):
2338         * runtime/JSBigInt.h:
2339         * runtime/JSCJSValue.cpp:
2340         (JSC::JSValue::synthesizePrototype const):
2341         * runtime/JSCPoisonedPtr.cpp:
2342         * runtime/JSCell.cpp:
2343         (JSC::JSCell::toObjectSlow const):
2344         * runtime/JSGlobalObject.cpp:
2345         (JSC::JSGlobalObject::init):
2346         (JSC::JSGlobalObject::visitChildren):
2347         * runtime/JSGlobalObject.h:
2348         (JSC::JSGlobalObject::bigIntPrototype const):
2349         (JSC::JSGlobalObject::bigIntObjectStructure const):
2350         * runtime/StructureCache.h:
2351         * runtime/StructureInlines.h:
2352         (JSC::prototypeForLookupPrimitiveImpl):
2353
2354 2018-01-02  Tim Horton  <timothy_horton@apple.com>
2355
2356         Fix the MathCommon build with a recent compiler
2357         https://bugs.webkit.org/show_bug.cgi?id=181216
2358
2359         Reviewed by Sam Weinig.
2360
2361         * runtime/MathCommon.cpp:
2362         (JSC::fdlibmPow):
2363         This cast drops the 'const' qualifier from the pointer to 'one',
2364         but it doesn't have to, and it makes the compiler sad.
2365
2366 == Rolled over to ChangeLog-2018-01-01 ==