fa5f655e4e9a28b61cbafda9ff6e644e4afdd177
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-04-09  Filip Pizlo  <fpizlo@apple.com>

        Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
        https://bugs.webkit.org/show_bug.cgi?id=184372

        Reviewed by Saam Barati.

        We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
        have already proved, using techniques that are more precise than AI, that the edge has type
        Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
        because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
        other than a check - so we think we can call those just because we should have already
        bailed. It's better to think of them as the result of folding a check. Therefore, we should
        only do it if there had been a check to begin with.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce @putByIdDirectPrivate
        https://bugs.webkit.org/show_bug.cgi?id=184400

        Reviewed by Saam Barati.

        This patch adds @putByIdDirectPrivate() to use it for builtin JS.
        @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
        for accessing ECMAScript internal fields.

        This change removes an accidental [[Put]] operation to an object whose [[Prototype]]
        has internal fields (not direct properties). By using @getByIdDirectPrivate() and
        @putByIdDirectPrivate(), we strictly keep the semantics of the ECMAScript internal
        fields: accessing the internal fields does not traverse prototype chains.

        * builtins/ArrayIteratorPrototype.js:
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/ArrayPrototype.js:
        (globalPrivate.createArrayIterator):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (asyncGeneratorYieldAwaited):
        (globalPrivate.asyncGeneratorYield):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorResumeNext):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        * builtins/MapIteratorPrototype.js:
        (globalPrivate.mapIteratorNext):
        * builtins/MapPrototype.js:
        (globalPrivate.createMapIterator):
        * builtins/ModuleLoaderPrototype.js:
        (forceFulfillPromise):
        * builtins/PromiseOperations.js:
        (globalPrivate.newHandledRejectedPromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        (globalPrivate.initializePromise):
        * builtins/PromisePrototype.js:
        (then):
        * builtins/SetIteratorPrototype.js:
        (globalPrivate.setIteratorNext):
        * builtins/SetPrototype.js:
        (globalPrivate.createSetIterator):
        * builtins/StringIteratorPrototype.js:
        (next):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):

2018-04-09  Mark Lam  <mark.lam@apple.com>

        Decorate method table entries to support pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=184430
        <rdar://problem/39296190>

        Reviewed by Saam Barati.

        * runtime/ClassInfo.h:

2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE] Don't install JSC C API headers
        https://bugs.webkit.org/show_bug.cgi?id=184375

        Reviewed by Žan Doberšek.

        None of the functions declared in these headers are exported in WPE. Use the new jsc API
        instead.

        * PlatformWPE.cmake:

2018-04-08  Mark Lam  <mark.lam@apple.com>

        Add pointer profiling to the FTL and supporting code.
        https://bugs.webkit.org/show_bug.cgi?id=184395
        <rdar://problem/39264019>

        Reviewed by Michael Saboff and Filip Pizlo.

        * assembler/CodeLocation.h:
        (JSC::CodeLocationLabel::retagged):
        (JSC::CodeLocationJump::retagged):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::locationOf):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLExceptionTarget.cpp:
        (JSC::FTL::ExceptionTarget::label):
        (JSC::FTL::ExceptionTarget::jumps):
        * ftl/FTLExceptionTarget.h:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::~LazySlowPath):
        (JSC::FTL::LazySlowPath::initialize):
        (JSC::FTL::LazySlowPath::generate):
        (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
        * ftl/FTLLazySlowPath.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::compileFTLLazySlowPath):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::callWithoutSideEffects):
        (JSC::FTL::Output::operation):
        * ftl/FTLPatchpointExceptionHandle.cpp:
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::SlowPathCallContext::makeCall):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        (JSC::FTL::SlowPathCallKey::callPtrTag const):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::lazySlowPathGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/Repatch.cpp:
        (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::repatchIn):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::readCallTarget): Deleted.
        * jit/Repatch.h:
        * runtime/PtrTag.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, attempt to fix Windows build
        https://bugs.webkit.org/show_bug.cgi?id=183508

        * jit/JIT.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for Windows by suppressing padding warning for JIT
        https://bugs.webkit.org/show_bug.cgi?id=183508

        * jit/JIT.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use alignas instead of compiler-specific attributes
        https://bugs.webkit.org/show_bug.cgi?id=183508

        Reviewed by Mark Lam.

        Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.

        * heap/RegisterState.h:
        * jit/JIT.h:
        (JSC::JIT::compile): Deleted.
        (JSC::JIT::compileGetByVal): Deleted.
        (JSC::JIT::compileGetByValWithCachedId): Deleted.
        (JSC::JIT::compilePutByVal): Deleted.
        (JSC::JIT::compileDirectPutByVal): Deleted.
        (JSC::JIT::compilePutByValWithCachedId): Deleted.
        (JSC::JIT::compileHasIndexedProperty): Deleted.
        (JSC::JIT::appendCall): Deleted.
        (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
        (JSC::JIT::exceptionCheck): Deleted.
        (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
        (JSC::JIT::emitInt32Load): Deleted.
        (JSC::JIT::emitInt32GetByVal): Deleted.
        (JSC::JIT::emitInt32PutByVal): Deleted.
        (JSC::JIT::emitDoublePutByVal): Deleted.
        (JSC::JIT::emitContiguousPutByVal): Deleted.
        (JSC::JIT::emitStoreCell): Deleted.
        (JSC::JIT::getSlowCase): Deleted.
        (JSC::JIT::linkSlowCase): Deleted.
        (JSC::JIT::linkDummySlowCase): Deleted.
        (JSC::JIT::linkAllSlowCases): Deleted.
        (JSC::JIT::callOperation): Deleted.
        (JSC::JIT::callOperationWithProfile): Deleted.
        (JSC::JIT::callOperationWithResult): Deleted.
        (JSC::JIT::callOperationNoExceptionCheck): Deleted.
        (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
        (JSC::JIT::emitEnterOptimizationCheck): Deleted.
        (JSC::JIT::sampleCodeBlock): Deleted.
        (JSC::JIT::canBeOptimized): Deleted.
        (JSC::JIT::canBeOptimizedOrInlined): Deleted.
        (JSC::JIT::shouldEmitProfiling): Deleted.
        * runtime/VM.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, follow-up patch for DFG 32bit
        https://bugs.webkit.org/show_bug.cgi?id=183970

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix incorrect assertion for VM's regexp buffer lock
        https://bugs.webkit.org/show_bug.cgi?id=184398

        Reviewed by Mark Lam.

        The isLocked check before taking a lock is incorrect.

        * runtime/VM.cpp:
        (JSC::VM::acquireRegExpPatternContexBuffer):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce op_get_by_id_direct
        https://bugs.webkit.org/show_bug.cgi?id=183970

        Reviewed by Filip Pizlo.

        This patch introduces the op_get_by_id_direct bytecode. This is super similar to op_get_by_id,
        but it just performs the [[GetOwnProperty]] operation instead of [[Get]]. We support this
        in all the tiers, so using this opcode does not lead to inefficiency.

        The main purpose of op_get_by_id_direct is to use it for private properties. We are using
        properties indexed with private symbols to implement ECMAScript internal fields. Before this
        patch, we just used get and put operations. However, that is not the correct semantics: accessing
        the internal fields should not traverse the prototype chain, as specified in the spec.
        We use op_get_by_id_direct to access the properties which are used as internal fields, so that
        prototype chains are not traversed.

        To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
        When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
        bytecode `op_get_by_id_direct, object, @name`.

        * builtins/ArrayIteratorPrototype.js:
        (next):
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueIsEmpty):
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (globalPrivate.asyncGeneratorDequeue):
        (globalPrivate.isExecutionState):
        (globalPrivate.isSuspendYieldState):
        (globalPrivate.asyncGeneratorReject):
        (globalPrivate.asyncGeneratorResolve):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorEnqueue):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        (next):
        (return):
        (throw):
        * builtins/MapIteratorPrototype.js:
        (next):
        * builtins/PromiseOperations.js:
        (globalPrivate.isPromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        * builtins/PromisePrototype.js:
        (then):
        * builtins/SetIteratorPrototype.js:
        (next):
        * builtins/StringIteratorPrototype.js:
        (next):
        * builtins/TypedArrayConstructor.js:
        (of):
        (from):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGenericGetByIdFunction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectGetById):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetById):
        (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
        (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        * jit/Repatch.cpp:
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::appropriateGenericGetByIdFunction): Deleted.
        * jit/Repatch.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::getOwnPropertySlot const):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getOwnPropertySlotInline):

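A JavaScript illustration of the semantic point made in the @putByIdDirectPrivate and op_get_by_id_direct entries above, added here as an example and not taken from WebKit: a builtin that reads an internal field with an ordinary [[Get]] is fooled by a user object that merely inherits from a real instance, and a guarded [[Put]] then writes a stray own property on that non-instance, whereas own-property ([[GetOwnProperty]] / direct define) access is not. PROMISE_STATE and the promise-like objects are constructed stand-ins for JSC's private-symbol-keyed internal fields.

```javascript
"use strict";
// Added example, not WebKit code: models why builtins must access ECMAScript
// internal fields with own-property operations ([[GetOwnProperty]] / direct
// define) instead of ordinary [[Get]] / [[Put]], which walk the prototype
// chain. PROMISE_STATE is a constructed stand-in for a JSC private symbol; the
// "promise-like" objects are constructed, not real promises.

const PROMISE_STATE = Symbol("@promiseState");

// A promise-like instance keeps its internal field as an own property.
function makePromiseLike(state) {
  const obj = {};
  Object.defineProperty(obj, PROMISE_STATE, { value: state, writable: true });
  return obj;
}

// Pre-patch style: ordinary [[Get]] finds the field through the prototype chain.
function isPromiseViaGet(obj) {
  return typeof obj === "object" && obj !== null && obj[PROMISE_STATE] !== undefined;
}

// Post-patch style: consult only the receiver's own properties, which is what
// @getByIdDirectPrivate (op_get_by_id_direct) does.
function getFieldDirect(obj, key) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  return desc === undefined ? undefined : desc.value;
}

function isPromiseDirect(obj) {
  return typeof obj === "object" && obj !== null &&
    getFieldDirect(obj, PROMISE_STATE) !== undefined;
}

// Pre-patch style write: chain-walking guard, then an ordinary [[Put]]. When the
// receiver only inherits the field, [[Put]] creates a stray own property on it.
function setStateViaPut(obj, state) {
  if (!isPromiseViaGet(obj)) return false;
  obj[PROMISE_STATE] = state;
  return true;
}

// Post-patch style write: own-property guard, then define the own property
// directly without consulting the prototype chain, as @putByIdDirectPrivate does.
function setStateDirect(obj, state) {
  if (!isPromiseDirect(obj)) return false;
  Object.defineProperty(obj, PROMISE_STATE, { value: state, writable: true });
  return true;
}

// Runs the scenario the patch addresses: a user object created with
// Object.create(realPromise) inherits the internal field but is not a promise.
function demo() {
  const real = makePromiseLike("pending");
  const impostorA = Object.create(real);
  const viaGet = {
    impostorLooksLikePromise: isPromiseViaGet(impostorA),         // true (wrong)
    putAccepted: setStateViaPut(impostorA, "rejected"),            // true (wrong)
    impostorGotOwnField: Object.prototype.hasOwnProperty.call(impostorA, PROMISE_STATE),
    realStateAfter: getFieldDirect(real, PROMISE_STATE),           // "pending"
  };
  const impostorB = Object.create(real);
  const direct = {
    impostorLooksLikePromise: isPromiseDirect(impostorB),         // false (right)
    putAccepted: setStateDirect(impostorB, "rejected"),            // false (right)
    realPutAccepted: setStateDirect(real, "fulfilled"),            // true
    realStateAfter: getFieldDirect(real, PROMISE_STATE),           // "fulfilled"
  };
  return { viaGet, direct };
}

console.log(JSON.stringify(demo(), null, 2));
```
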
2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove several asXXX functions
        https://bugs.webkit.org/show_bug.cgi?id=184355

        Reviewed by JF Bastien.

        Remove asActivation, asInternalFunction, and asGetterSetter.
        Use jsCast<> / jsDynamicCast<> consistently.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::callAsyncFunctionConstructor):
        (JSC::constructAsyncFunctionConstructor):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::callAsyncGeneratorFunctionConstructor):
        (JSC::constructAsyncGeneratorFunctionConstructor):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/DateConstructor.cpp:
        (JSC::constructWithDateConstructor):
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructWithFunctionConstructor):
        (JSC::callFunctionConstructor):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::callGeneratorFunctionConstructor):
        (JSC::constructGeneratorFunctionConstructor):
        * runtime/GetterSetter.h:
        (JSC::asGetterSetter): Deleted.
        * runtime/InternalFunction.h:
        (JSC::asInternalFunction): Deleted.
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSLexicalEnvironment.h:
        (JSC::asActivation): Deleted.
        * runtime/JSObject.cpp:
        (JSC::validateAndApplyPropertyDescriptor):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructWithRegExpConstructor):
        (JSC::callRegExpConstructor):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        (JSC::callJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyLinkError):
        (JSC::callJSWebAssemblyLinkError):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):
        (JSC::callJSWebAssemblyRuntimeError):

2018-04-05  Mark Lam  <mark.lam@apple.com>

        MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
        https://bugs.webkit.org/show_bug.cgi?id=184347
        <rdar://problem/39183165>

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::retagged const):

2018-04-05  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS] Optimize generated JIT code for branches
        https://bugs.webkit.org/show_bug.cgi?id=183130

        Reviewed by Yusuke Suzuki.

        The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
        branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
        to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
        However, this adds a significant overhead for all other types of branches. Since these nops
        protect the code that is generated by branchPtrWithPatch, this function seems like a better
        place to add them.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::repatchInt32):
        (JSC::MIPSAssembler::revertJumpToMove):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchMul32):
        (JSC::MacroAssemblerMIPS::branchSub32):
        (JSC::MacroAssemblerMIPS::branchNeg32):
        (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::branchEqual):
        (JSC::MacroAssemblerMIPS::branchNotEqual):

2018-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Remove StaticLock
        https://bugs.webkit.org/show_bug.cgi?id=184332

        Reviewed by Mark Lam.

        * API/JSValue.mm:
        (handerForStructTag):
        * API/JSVirtualMachine.mm:
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        * API/glib/JSCVirtualMachine.cpp:
        (addWrapper):
        (removeWrapper):
        * assembler/testmasm.cpp:
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        * bytecode/SuperSampler.cpp:
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommonData.cpp:
        * dynbench.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
        (Inspector::RemoteTargetHandleRunSourceGlobal):
        (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
        * interpreter/CLoopStack.cpp:
        * parser/SourceProvider.cpp:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerUID.cpp:
        (JSC::Profiler::UID::create):
        * runtime/IntlObject.cpp:
        (JSC::numberingSystemsForLocale):
        * runtime/JSLock.cpp:
        * runtime/JSLock.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::registerForReportAtExit):
        * runtime/VM.cpp:
        * wasm/WasmFaultSignalHandler.cpp:

2018-04-04  Mark Lam  <mark.lam@apple.com>

        Add pointer profiling support to the DFG and supporting files.
        https://bugs.webkit.org/show_bug.cgi?id=184316
        <rdar://problem/39188524>

        Reviewed by Filip Pizlo.

        1. Profile lots of pointers with PtrTags.

        2. Remove PtrTag.cpp and make ptrTagName() into an inline function.  It's only
           used for debugging anyway, and not normally called in the code.  Making it
           an inline function prevents it from taking up code space in builds when not in
           use.

        3. Change the call to the arityFixupThunk in DFG code to be a near call.
           It doesn't need to be a far call.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/testmasm.cpp:
        (JSC::testProbeModifiesProgramCounter):
        * b3/B3LowerMacros.cpp:
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::generate):
        * b3/air/AirCCallSpecial.h:
        * b3/testb3.cpp:
        (JSC::B3::testInterpreter):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfo::initialize):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendCall):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
        (JSC::DFG::slowPathCall):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::appendCall):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitDumbVirtualCall):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::compileWithoutLinking):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        * runtime/PtrTag.cpp: Removed.
        * runtime/PtrTag.h:
        (JSC::ptrTagName):
        * runtime/VMEntryScope.cpp:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2018-04-04  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
        https://bugs.webkit.org/show_bug.cgi?id=184319

        Reviewed by Saam Barati.

        In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
        assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
        the ArrayPush.

        But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
        GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
        eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
        with a GetByVal(SaneChain), then we will hit the assertion.
700
701         This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
702         tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
703         than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
704
705         * dfg/DFGCSEPhase.cpp:
706         * dfg/DFGClobberize.h:
707         (JSC::DFG::clobberize):
708         * dfg/DFGHeapLocation.cpp:
709         (WTF::printInternal):
710         * dfg/DFGHeapLocation.h:
711         * dfg/DFGSpeculativeJIT.cpp:
712         (JSC::DFG::SpeculativeJIT::compileArrayPush):
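
The CSE keying problem described in the entry above, as an added example that is not WebKit code: a toy single-block CSE in which the pre-fix keying lets a SaneChain load stand in for an InBounds load of the same slot, while the fixed keying keeps the two apart and has PutByVal def() one location per mode. Node, HeapKind and HeapLocation here are constructed stand-ins for the DFG types, not the real ones.

```cpp
// Added example (not WebKit code): a toy single-block CSE modelling the SaneChain/InBounds
// keying bug. Node, HeapKind and HeapLocation are constructed stand-ins for the DFG's own
// types; the node ids and scenarios below are made up for illustration.
#include <cstdio>
#include <initializer_list>
#include <map>
#include <tuple>
#include <vector>

// InBounds loads never yield NaN; SaneChain loads may (a hole read through the prototype chain).
enum class ArrayMode { InBounds, SaneChain };
enum class Op { GetByVal, PutByVal };

struct Node {
    int id;          // node number, used as an SSA value name
    Op op;
    ArrayMode mode;  // array mode chosen by FixupPhase
    int base;        // node id of the array
    int index;       // node id of the index
    int value;       // PutByVal only: node id of the stored value
};

// Pre-fix CSE keyed every indexed load on one kind; the fix keys InBounds and SaneChain separately.
enum class HeapKind { IndexedProperty, IndexedPropertyInBounds, IndexedPropertySaneChain };
using HeapLocation = std::tuple<HeapKind, int, int>; // (kind, base, index)

static HeapLocation locOf(HeapKind kind, int base, int index) { return std::make_tuple(kind, base, index); }

static HeapKind kindFor(ArrayMode mode, bool fixed) {
    if (!fixed)
        return HeapKind::IndexedProperty; // buggy: one key for both modes
    return mode == ArrayMode::InBounds ? HeapKind::IndexedPropertyInBounds
                                       : HeapKind::IndexedPropertySaneChain;
}

// Runs CSE over one block. Returns {replaced node id -> node id it is replaced with}.
// With fixed == true, PutByVal def()s one location per mode, as the fix does, so a store
// still feeds later loads of either mode while the two load flavours never match each other.
std::map<int, int> runCSE(const std::vector<Node>& nodes, bool fixed) {
    std::map<HeapLocation, int> available; // location -> node id currently holding its value
    std::map<int, int> replacements;
    for (const Node& n : nodes) {
        if (n.op == Op::GetByVal) {
            HeapLocation loc = locOf(kindFor(n.mode, fixed), n.base, n.index);
            auto it = available.find(loc);
            if (it != available.end()) {
                replacements[n.id] = it->second;
                continue;
            }
            available[loc] = n.id; // a load def()s the location it read
            continue;
        }
        // PutByVal writes the indexed-property heap: conservatively kill every cached
        // location, then def() the slot it wrote.
        available.clear();
        if (fixed) {
            available[locOf(HeapKind::IndexedPropertyInBounds, n.base, n.index)] = n.value;
            available[locOf(HeapKind::IndexedPropertySaneChain, n.base, n.index)] = n.value;
        } else {
            available[locOf(HeapKind::IndexedProperty, n.base, n.index)] = n.value;
        }
    }
    return replacements;
}

// The crashing shape: a SaneChain load followed by an InBounds load of the same slot. AI has
// already folded the Check(DoubleRealRep:) on node 2 because InBounds cannot produce NaN.
std::vector<Node> bugScenario() {
    return {
        { 1, Op::GetByVal, ArrayMode::SaneChain, 100, 101, 0 },
        { 2, Op::GetByVal, ArrayMode::InBounds, 100, 101, 0 },
    };
}

// A store followed by loads of both modes: both must still be forwarded the stored value.
std::vector<Node> storeScenario() {
    return {
        { 1, Op::PutByVal, ArrayMode::InBounds, 100, 101, 50 },
        { 2, Op::GetByVal, ArrayMode::InBounds, 100, 101, 0 },
        { 3, Op::GetByVal, ArrayMode::SaneChain, 100, 101, 0 },
    };
}

int main() {
    for (bool fixed : { false, true }) {
        const char* tag = fixed ? "fixed" : "buggy";
        for (auto& r : runCSE(bugScenario(), fixed))
            std::printf("%s CSE, bug scenario: node %d replaced by node %d\n", tag, r.first, r.second);
        for (auto& r : runCSE(storeScenario(), fixed))
            std::printf("%s CSE, store scenario: node %d replaced by node %d\n", tag, r.first, r.second);
    }
    return 0;
}
```

With the buggy keying, node 2 (the InBounds load whose NaN check was folded) is replaced by node 1, which may be NaN; with the fixed keying it is left alone, yet both loads after the store are still forwarded the stored value.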
713
714 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
715
716         Remove poisoning of typed array vector
717         https://bugs.webkit.org/show_bug.cgi?id=184313
718
719         Reviewed by Saam Barati.
720
721         * dfg/DFGFixupPhase.cpp:
722         (JSC::DFG::FixupPhase::checkArray):
723         * dfg/DFGSpeculativeJIT.cpp:
724         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
725         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
726         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
727         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
728         * ftl/FTLAbstractHeapRepository.h:
729         * ftl/FTLLowerDFGToB3.cpp:
730         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
731         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
732         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
733         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
734         * jit/IntrinsicEmitter.cpp:
735         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
736         * jit/JITPropertyAccess.cpp:
737         (JSC::JIT::emitIntTypedArrayGetByVal):
738         (JSC::JIT::emitFloatTypedArrayGetByVal):
739         (JSC::JIT::emitIntTypedArrayPutByVal):
740         (JSC::JIT::emitFloatTypedArrayPutByVal):
741         * llint/LowLevelInterpreter.asm:
742         * llint/LowLevelInterpreter64.asm:
743         * offlineasm/arm64.rb:
744         * offlineasm/x86.rb:
745         * runtime/CagedBarrierPtr.h:
746         * runtime/JSArrayBufferView.cpp:
747         (JSC::JSArrayBufferView::JSArrayBufferView):
748         (JSC::JSArrayBufferView::finalize):
749         (JSC::JSArrayBufferView::neuter):
750         * runtime/JSArrayBufferView.h:
751         (JSC::JSArrayBufferView::vector const):
752         (JSC::JSArrayBufferView::offsetOfVector):
753         (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
754         (JSC::JSArrayBufferView::poisonFor): Deleted.
755         (JSC::JSArrayBufferView::Poison::key): Deleted.
756         * runtime/JSCPoison.cpp:
757         (JSC::initializePoison):
758         * runtime/JSCPoison.h:
759         * runtime/JSGenericTypedArrayViewInlines.h:
760         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
761         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
762         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
763         * runtime/JSObject.h:
764
765 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
766
767         Don't do index masking or poisoning for DirectArguments
768         https://bugs.webkit.org/show_bug.cgi?id=184280
769
770         Reviewed by Saam Barati.
771
772         * JavaScriptCore.xcodeproj/project.pbxproj:
773         * bytecode/AccessCase.cpp:
774         (JSC::AccessCase::generateWithGuard):
775         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
776         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
777         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
778         * dfg/DFGSpeculativeJIT.cpp:
779         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
780         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
781         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
782         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
783         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
784         * ftl/FTLAbstractHeapRepository.h:
785         * ftl/FTLLowerDFGToB3.cpp:
786         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
787         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
788         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
789         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
790         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
791         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
792         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
793         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
794         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
795         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
796         * heap/SecurityKind.h:
797         * jit/JITPropertyAccess.cpp:
798         (JSC::JIT::emit_op_get_from_arguments):
799         (JSC::JIT::emit_op_put_to_arguments):
800         (JSC::JIT::emitDirectArgumentsGetByVal):
801         * jit/JITPropertyAccess32_64.cpp:
802         (JSC::JIT::emit_op_get_from_arguments):
803         (JSC::JIT::emit_op_put_to_arguments):
804         * llint/LowLevelInterpreter.asm:
805         * llint/LowLevelInterpreter32_64.asm:
806         * llint/LowLevelInterpreter64.asm:
807         * runtime/DirectArguments.cpp:
808         (JSC::DirectArguments::DirectArguments):
809         (JSC::DirectArguments::createUninitialized):
810         (JSC::DirectArguments::create):
811         (JSC::DirectArguments::createByCopying):
812         (JSC::DirectArguments::estimatedSize):
813         (JSC::DirectArguments::visitChildren):
814         (JSC::DirectArguments::overrideThings):
815         (JSC::DirectArguments::copyToArguments):
816         (JSC::DirectArguments::mappedArgumentsSize):
817         * runtime/DirectArguments.h:
818         * runtime/JSCPoison.h:
819         * runtime/JSLexicalEnvironment.h:
820         * runtime/JSSymbolTableObject.h:
821
822 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
823
824         JSArray::appendMemcpy seems to be missing a barrier
825         https://bugs.webkit.org/show_bug.cgi?id=184290
826
827         Reviewed by Mark Lam.
828         
829         If you write to an array that may contain pointers and you didn't just allocate it, then you need to
830         barrier right after.
831         
832         I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
833         obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
834
835         * runtime/JSArray.cpp:
836         (JSC::JSArray::appendMemcpy):
837
838 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
839
840         GC shouldn't do object distancing
841         https://bugs.webkit.org/show_bug.cgi?id=184195
842
843         Reviewed by Saam Barati.
844         
845         This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
846         to be a small speed-up.
847
848         * CMakeLists.txt:
849         * JavaScriptCore.xcodeproj/project.pbxproj:
850         * Sources.txt:
851         * heap/BlockDirectory.cpp:
852         (JSC::BlockDirectory::findBlockForAllocation):
853         (JSC::BlockDirectory::addBlock):
854         * heap/BlockDirectory.h:
855         * heap/CellAttributes.cpp:
856         (JSC::CellAttributes::dump const):
857         * heap/CellAttributes.h:
858         (JSC::CellAttributes::CellAttributes):
859         * heap/LocalAllocator.cpp:
860         (JSC::LocalAllocator::allocateSlowCase):
861         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
862         * heap/MarkedBlock.cpp:
863         (JSC::MarkedBlock::Handle::didAddToDirectory):
864         * heap/MarkedBlock.h:
865         (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
866         * heap/SecurityKind.cpp: Removed.
867         * heap/SecurityKind.h: Removed.
868         * heap/SecurityOriginToken.cpp: Removed.
869         * heap/SecurityOriginToken.h: Removed.
870         * heap/ThreadLocalCache.cpp:
871         (JSC::ThreadLocalCache::create):
872         (JSC::ThreadLocalCache::ThreadLocalCache):
873         * heap/ThreadLocalCache.h:
874         (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
875         * runtime/JSDestructibleObjectHeapCellType.cpp:
876         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
877         * runtime/JSGlobalObject.cpp:
878         (JSC::JSGlobalObject::JSGlobalObject):
879         * runtime/JSGlobalObject.h:
880         (JSC::JSGlobalObject::threadLocalCache const): Deleted.
881         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
882         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
883         * runtime/JSStringHeapCellType.cpp:
884         (JSC::JSStringHeapCellType::JSStringHeapCellType):
885         * runtime/VM.cpp:
886         (JSC::VM::VM):
887         * runtime/VM.h:
888         * runtime/VMEntryScope.cpp:
889         (JSC::VMEntryScope::VMEntryScope):
890         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
891         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
892
893 2018-04-02  Saam Barati  <sbarati@apple.com>
894
895         bmalloc should compute its own estimate of its footprint
896         https://bugs.webkit.org/show_bug.cgi?id=184121
897
898         Reviewed by Filip Pizlo.
899
900         * heap/IsoAlignedMemoryAllocator.cpp:
901         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
902         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
903         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
904
905 2018-04-02  Mark Lam  <mark.lam@apple.com>
906
907         We should not trash the stack pointer on OSR entry.
908         https://bugs.webkit.org/show_bug.cgi?id=184243
909         <rdar://problem/39114319>
910
911         Reviewed by Filip Pizlo.
912
913         In the DFG OSR entry path, we momentarily overwrite the stack pointer with
914         returnValueGPR2.  returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
915         Hence, this assignment is wrong, and it turns out to be unnecessary as well.
916         The stack pointer does get corrected later in the thunk (generated by
917         osrEntryThunkGenerator()) that we jump to.  This is why we don't see ill effects
918         so far.
919
920         This bug only poses an issue if interrupts use the user stack for their stack
921         frame (e.g. Linux), and when we do stack alignment tests during debugging.
922
923         The fix is simply to remove the assignment.
924
925         * dfg/DFGThunks.cpp:
926         (JSC::DFG::osrEntryThunkGenerator):
927         * jit/JIT.cpp:
928         (JSC::JIT::emitEnterOptimizationCheck):
929
930 2018-04-02  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
931
932         [MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
933         https://bugs.webkit.org/show_bug.cgi?id=183740
934
935         Reviewed by Yusuke Suzuki.
936
937         In many macro assembler methods with TrustedImm32 operand a move imm, immTemp (pseudo)instruction is
938         first generated and a register operand variant of the same method is called to generate the rest
939         of the code. If the immediate value can fit in 16 bits then we can skip the move instruction and
940         generate more efficient code using MIPS instructions with immediate operand.
941
942         * assembler/MIPSAssembler.h:
943         (JSC::MIPSAssembler::slti):
944         * assembler/MacroAssemblerMIPS.h:
945         (JSC::MacroAssemblerMIPS::lshift32):
946         (JSC::MacroAssemblerMIPS::xor32):
947         (JSC::MacroAssemblerMIPS::branch8):
948         (JSC::MacroAssemblerMIPS::compare8):
949         (JSC::MacroAssemblerMIPS::branch32):
950         (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
951         (JSC::MacroAssemblerMIPS::branchTest32):
952         (JSC::MacroAssemblerMIPS::mask8OnTest):
953         (JSC::MacroAssemblerMIPS::branchTest8):
954         (JSC::MacroAssemblerMIPS::branchAdd32):
955         (JSC::MacroAssemblerMIPS::branchNeg32):
956         (JSC::MacroAssemblerMIPS::compare32):
957         (JSC::MacroAssemblerMIPS::test8):
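
The immediate-operand fast path described above, as an added example that is not WebKit code: a text-emitting stand-in for the MacroAssemblerMIPS methods, showing that "fits in 16 bits" is a per-instruction range test because xori zero-extends its immediate while slti sign-extends it. Register names, the li pseudo-instruction and the function names are assumptions for illustration.

```cpp
// Added example (not WebKit code): a text-emitting stand-in for the MacroAssemblerMIPS fast
// path. MIPS I-type instructions carry a 16-bit immediate; xori/andi/ori zero-extend it,
// addiu/slti sign-extend it, so "fits in 16 bits" is a per-instruction range check.
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

// Range for a zero-extended immediate field (xori, andi, ori).
bool fitsUnsigned16(int32_t imm) { return imm >= 0 && imm <= 0xFFFF; }
// Range for a sign-extended immediate field (addiu, slti).
bool fitsSigned16(int32_t imm) { return imm >= -32768 && imm <= 32767; }

// xor32(TrustedImm32 imm, RegisterID dest): xori when the immediate fits, else the
// generic "move imm, immTemp" followed by the register-operand form.
std::vector<std::string> xor32(int32_t imm, const std::string& dest) {
    std::string i = std::to_string(imm);
    if (fitsUnsigned16(imm))
        return { "xori " + dest + ", " + dest + ", " + i };
    return { "li $t9, " + i, "xor " + dest + ", " + dest + ", $t9" };
}

// branch32(LessThan, RegisterID lhs, TrustedImm32 imm): slti when the immediate fits, else
// move plus slt. The delay-slot nop is included so the sequence is complete.
std::vector<std::string> branch32LessThan(const std::string& lhs, int32_t imm,
                                          const std::string& target) {
    std::vector<std::string> out;
    std::string i = std::to_string(imm);
    if (fitsSigned16(imm))
        out.push_back("slti $t8, " + lhs + ", " + i);
    else {
        out.push_back("li $t9, " + i);
        out.push_back("slt $t8, " + lhs + ", $t9");
    }
    out.push_back("bne $t8, $zero, " + target);
    out.push_back("nop");
    return out;
}

int main() {
    // -1 fits the signed field but not the zero-extended one: xori with 0xFFFF would flip
    // only the low 16 bits, so xor32 must fall back while branch32 can still use slti.
    for (int32_t imm : { 0x7FFF, 0xFFFF, -1, 0x10000 }) {
        std::printf("xor32(%d):\n", imm);
        for (auto& s : xor32(imm, "$v0")) std::printf("  %s\n", s.c_str());
        std::printf("branch32(LessThan, $a0, %d):\n", imm);
        for (auto& s : branch32LessThan("$a0", imm, "L1")) std::printf("  %s\n", s.c_str());
    }
    return 0;
}
```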
958
959 2018-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
960
961         [DFG] More aggressive removal of duplicate 32bit DFG code
962         https://bugs.webkit.org/show_bug.cgi?id=184089
963
964         Reviewed by Saam Barati.
965
966         This patch more aggressively removes duplicate 32bit DFG code
967         by leveraging JSValueRegs and meta-programmed callOperation.
968
969         * dfg/DFGSpeculativeJIT.cpp:
970         (JSC::DFG::SpeculativeJIT::compileGetByValWithThis):
971         (JSC::DFG::SpeculativeJIT::compileArithMinMax):
972         (JSC::DFG::SpeculativeJIT::compileNewArray):
973         (JSC::DFG::SpeculativeJIT::compileCheckCell):
974         (JSC::DFG::SpeculativeJIT::compileGetGlobalVariable):
975         (JSC::DFG::SpeculativeJIT::compilePutGlobalVariable):
976         (JSC::DFG::SpeculativeJIT::compileGetClosureVar):
977         (JSC::DFG::SpeculativeJIT::compilePutClosureVar):
978         (JSC::DFG::SpeculativeJIT::compileGetByOffset):
979         (JSC::DFG::SpeculativeJIT::compilePutByOffset):
980         (JSC::DFG::SpeculativeJIT::compileGetExecutable):
981         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
982         (JSC::DFG::SpeculativeJIT::compileToThis):
983         (JSC::DFG::SpeculativeJIT::compileIdentity):
984         * dfg/DFGSpeculativeJIT.h:
985         * dfg/DFGSpeculativeJIT32_64.cpp:
986         (JSC::DFG::SpeculativeJIT::compile):
987         * dfg/DFGSpeculativeJIT64.cpp:
988         (JSC::DFG::SpeculativeJIT::compile):
989
990 2018-04-01  Filip Pizlo  <fpizlo@apple.com>
991
992         Raise the for-call inlining threshold to 190 to fix JetStream/richards regression
993         https://bugs.webkit.org/show_bug.cgi?id=184228
994
995         Reviewed by Yusuke Suzuki.
996
997         * runtime/Options.h:
998
999 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
1000
1001         JSObject shouldn't do index masking
1002         https://bugs.webkit.org/show_bug.cgi?id=184194
1003
1004         Reviewed by Yusuke Suzuki.
1005         
1006         Remove index masking, because it's not the way we'll mitigate Spectre.
1007
1008         * API/tests/JSObjectGetProxyTargetTest.cpp:
1009         (testJSObjectGetProxyTarget):
1010         * b3/B3LowerToAir.cpp:
1011         * b3/B3Validate.cpp:
1012         * b3/B3WasmBoundsCheckValue.cpp:
1013         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
1014         (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
1015         * b3/B3WasmBoundsCheckValue.h:
1016         (JSC::B3::WasmBoundsCheckValue::bounds const):
1017         (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): Deleted.
1018         * b3/testb3.cpp:
1019         (JSC::B3::testWasmBoundsCheck):
1020         (JSC::B3::run):
1021         * dfg/DFGAbstractInterpreterInlines.h:
1022         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1023         * dfg/DFGArgumentsEliminationPhase.cpp:
1024         * dfg/DFGByteCodeParser.cpp:
1025         (JSC::DFG::ByteCodeParser::parseBlock):
1026         * dfg/DFGClobberize.h:
1027         (JSC::DFG::clobberize):
1028         * dfg/DFGDoesGC.cpp:
1029         (JSC::DFG::doesGC):
1030         * dfg/DFGFixupPhase.cpp:
1031         (JSC::DFG::FixupPhase::fixupNode):
1032         * dfg/DFGNodeType.h:
1033         * dfg/DFGPredictionPropagationPhase.cpp:
1034         * dfg/DFGSSALoweringPhase.cpp:
1035         (JSC::DFG::SSALoweringPhase::handleNode):
1036         * dfg/DFGSafeToExecute.h:
1037         (JSC::DFG::safeToExecute):
1038         * dfg/DFGSpeculativeJIT.cpp:
1039         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1040         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1041         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
1042         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1043         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1044         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1045         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1046         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1047         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1048         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1049         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1050         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
1051         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1052         (JSC::DFG::SpeculativeJIT::compileNewObject):
1053         * dfg/DFGSpeculativeJIT.h:
1054         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1055         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1056         * dfg/DFGSpeculativeJIT32_64.cpp:
1057         (JSC::DFG::SpeculativeJIT::compile):
1058         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1059         * dfg/DFGSpeculativeJIT64.cpp:
1060         (JSC::DFG::SpeculativeJIT::compile):
1061         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1062         * ftl/FTLAbstractHeapRepository.h:
1063         * ftl/FTLCapabilities.cpp:
1064         (JSC::FTL::canCompile):
1065         * ftl/FTLLowerDFGToB3.cpp:
1066         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1067         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
1068         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1069         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1070         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1071         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1072         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1073         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1074         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1075         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1076         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1077         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1078         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1079         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1080         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
1081         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): Deleted.
1082         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): Deleted.
1083         (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask): Deleted.
1084         * jit/AssemblyHelpers.h:
1085         (JSC::AssemblyHelpers::emitAllocateJSObject):
1086         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1087         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
1088         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1089         * jit/JITOpcodes.cpp:
1090         (JSC::JIT::emit_op_new_object):
1091         (JSC::JIT::emit_op_create_this):
1092         * jit/JITOperations.cpp:
1093         * jit/JITPropertyAccess.cpp:
1094         (JSC::JIT::emitDoubleLoad):
1095         (JSC::JIT::emitContiguousLoad):
1096         (JSC::JIT::emitArrayStorageLoad):
1097         * llint/LowLevelInterpreter32_64.asm:
1098         * llint/LowLevelInterpreter64.asm:
1099         * runtime/Butterfly.h:
1100         (JSC::ContiguousData::at const):
1101         (JSC::ContiguousData::at):
1102         (JSC::Butterfly::computeIndexingMask const): Deleted.
1103         * runtime/ButterflyInlines.h:
1104         (JSC::ContiguousData<T>::at const): Deleted.
1105         (JSC::ContiguousData<T>::at): Deleted.
1106         * runtime/ClonedArguments.cpp:
1107         (JSC::ClonedArguments::createEmpty):
1108         * runtime/JSArray.cpp:
1109         (JSC::JSArray::tryCreateUninitializedRestricted):
1110         (JSC::JSArray::appendMemcpy):
1111         (JSC::JSArray::setLength):
1112         (JSC::JSArray::pop):
1113         (JSC::JSArray::shiftCountWithAnyIndexingType):
1114         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1115         (JSC::JSArray::fillArgList):
1116         (JSC::JSArray::copyToArguments):
1117         * runtime/JSArrayBufferView.cpp:
1118         (JSC::JSArrayBufferView::JSArrayBufferView):
1119         * runtime/JSArrayInlines.h:
1120         (JSC::JSArray::pushInline):
1121         * runtime/JSFixedArray.h:
1122         * runtime/JSGenericTypedArrayViewInlines.h:
1123         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1124         * runtime/JSObject.cpp:
1125         (JSC::JSObject::getOwnPropertySlotByIndex):
1126         (JSC::JSObject::putByIndex):
1127         (JSC::JSObject::createInitialUndecided):
1128         (JSC::JSObject::createInitialInt32):
1129         (JSC::JSObject::createInitialDouble):
1130         (JSC::JSObject::createInitialContiguous):
1131         (JSC::JSObject::createArrayStorage):
1132         (JSC::JSObject::convertUndecidedToInt32):
1133         (JSC::JSObject::convertUndecidedToDouble):
1134         (JSC::JSObject::convertUndecidedToContiguous):
1135         (JSC::JSObject::convertUndecidedToArrayStorage):
1136         (JSC::JSObject::convertInt32ToDouble):
1137         (JSC::JSObject::convertInt32ToArrayStorage):
1138         (JSC::JSObject::convertDoubleToContiguous):
1139         (JSC::JSObject::convertDoubleToArrayStorage):
1140         (JSC::JSObject::convertContiguousToArrayStorage):
1141         (JSC::JSObject::createInitialForValueAndSet):
1142         (JSC::JSObject::deletePropertyByIndex):
1143         (JSC::JSObject::getOwnPropertyNames):
1144         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1145         (JSC::JSObject::countElements):
1146         (JSC::JSObject::increaseVectorLength):
1147         (JSC::JSObject::ensureLengthSlow):
1148         (JSC::JSObject::reallocateAndShrinkButterfly):
1149         (JSC::JSObject::getEnumerableLength):
1150         * runtime/JSObject.h:
1151         (JSC::JSObject::canGetIndexQuickly):
1152         (JSC::JSObject::getIndexQuickly):
1153         (JSC::JSObject::tryGetIndexQuickly const):
1154         (JSC::JSObject::setIndexQuickly):
1155         (JSC::JSObject::initializeIndex):
1156         (JSC::JSObject::initializeIndexWithoutBarrier):
1157         (JSC::JSObject::butterflyOffset):
1158         (JSC::JSObject::setButterfly):
1159         (JSC::JSObject::nukeStructureAndSetButterfly):
1160         (JSC::JSObject::JSObject):
1161         (JSC::JSObject::butterflyIndexingMaskOffset): Deleted.
1162         (JSC::JSObject::butterflyIndexingMask const): Deleted.
1163         (JSC::JSObject::setButterflyWithIndexingMask): Deleted.
1164         * runtime/JSObjectInlines.h:
1165         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1166         (JSC::JSObject::putDirectInternal):
1167         * runtime/RegExpMatchesArray.h:
1168         (JSC::tryCreateUninitializedRegExpMatchesArray):
1169         * runtime/Structure.cpp:
1170         (JSC::Structure::flattenDictionaryStructure):
1171         * wasm/WasmB3IRGenerator.cpp:
1172         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1173         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1174         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1175         (JSC::Wasm::B3IRGenerator::load):
1176         (JSC::Wasm::B3IRGenerator::store):
1177         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1178         * wasm/WasmBinding.cpp:
1179         (JSC::Wasm::wasmToWasm):
1180         * wasm/WasmInstance.h:
1181         (JSC::Wasm::Instance::updateCachedMemory):
1182         (JSC::Wasm::Instance::offsetOfCachedMemorySize):
1183         (JSC::Wasm::Instance::offsetOfCachedIndexingMask): Deleted.
1184         * wasm/WasmMemory.cpp:
1185         (JSC::Wasm::Memory::Memory):
1186         (JSC::Wasm::Memory::grow):
1187         * wasm/WasmMemory.h:
1188         (JSC::Wasm::Memory::size const):
1189         (JSC::Wasm::Memory::offsetOfSize):
1190         (JSC::Wasm::Memory::indexingMask): Deleted.
1191         (JSC::Wasm::Memory::offsetOfIndexingMask): Deleted.
1192         * wasm/WasmMemoryInformation.cpp:
1193         (JSC::Wasm::PinnedRegisterInfo::get):
1194         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1195         * wasm/WasmMemoryInformation.h:
1196         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1197         * wasm/js/JSToWasm.cpp:
1198         (JSC::Wasm::createJSToWasmWrapper):
1199
1200 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
1201
1202         JSC crash in JIT code with for-of loop and Array/Set iterators
1203         https://bugs.webkit.org/show_bug.cgi?id=183174
1204
1205         Reviewed by Saam Barati.
1206
1207         * dfg/DFGSafeToExecute.h:
1208         (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.
1209
1210 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
1211
1212         Strings and Vectors shouldn't do index masking
1213         https://bugs.webkit.org/show_bug.cgi?id=184193
1214
1215         Reviewed by Mark Lam.
1216
1217         * dfg/DFGSpeculativeJIT.cpp:
1218         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
1219         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1220         * ftl/FTLAbstractHeapRepository.h:
1221         * ftl/FTLLowerDFGToB3.cpp:
1222         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1223         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1224         * jit/ThunkGenerators.cpp:
1225         (JSC::stringCharLoad):
1226
1227 2018-03-30  Mark Lam  <mark.lam@apple.com>
1228
1229         Add pointer profiling support in baseline JIT and supporting files.
1230         https://bugs.webkit.org/show_bug.cgi?id=184200
1231         <rdar://problem/39057300>
1232
1233         Reviewed by Filip Pizlo.
1234
1235         1. To simplify pointer profiling support, vmEntryToJavaScript() now always enters
1236            the code via the arity check entry.
1237         2. To accommodate (1), all JITCode must now populate their arity check entry code
1238            pointers as well.  For native code, programs, evals, and modules that don't
1239            do arity check, we set the normal entry as the arity check entry (though with
1240            the CodeEntryWithArityCheckPtrTag profile instead).
1241
1242         * assembler/AbstractMacroAssembler.h:
1243         * assembler/LinkBuffer.h:
1244         (JSC::LinkBuffer::locationOfNearCall):
1245         * assembler/MacroAssemblerARM64.h:
1246         (JSC::MacroAssemblerARM64::readCallTarget):
1247         (JSC::MacroAssemblerARM64::linkCall):
1248         * bytecode/AccessCase.cpp:
1249         (JSC::AccessCase::generateImpl):
1250         * bytecode/AccessCaseSnippetParams.cpp:
1251         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1252         * bytecode/CodeBlock.cpp:
1253         (JSC::CodeBlock::addJITAddIC):
1254         (JSC::CodeBlock::addJITMulIC):
1255         (JSC::CodeBlock::addJITSubIC):
1256         (JSC::CodeBlock::addJITNegIC):
1257         * bytecode/CodeBlock.h:
1258         (JSC::CodeBlock::addMathIC):
1259         * bytecode/InlineAccess.cpp:
1260         (JSC::InlineAccess::rewireStubAsJump):
1261         * bytecode/LLIntCallLinkInfo.h:
1262         (JSC::LLIntCallLinkInfo::unlink):
1263         (): Deleted.
1264         * bytecode/PolymorphicAccess.cpp:
1265         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1266         (JSC::PolymorphicAccess::regenerate):
1267         * dfg/DFGJITFinalizer.cpp:
1268         (JSC::DFG::JITFinalizer::finalize):
1269         (JSC::DFG::JITFinalizer::finalizeFunction):
1270         * dfg/DFGSpeculativeJIT.cpp:
1271         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1272         (JSC::DFG::SpeculativeJIT::compileArithSub):
1273         (JSC::DFG::SpeculativeJIT::compileArithNegate):
1274         (JSC::DFG::SpeculativeJIT::compileArithMul):
1275         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1276         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1277         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1278         * disassembler/ARM64Disassembler.cpp:
1279         (JSC::tryToDisassemble):
1280         * ftl/FTLJITFinalizer.cpp:
1281         (JSC::FTL::JITFinalizer::finalizeCommon):
1282         * ftl/FTLLowerDFGToB3.cpp:
1283         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
1284         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
1285         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
1286         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
1287         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
1288         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
1289         * heap/JITStubRoutineSet.h:
1290         (JSC::JITStubRoutineSet::mark):
1291         * jit/AssemblyHelpers.cpp:
1292         (JSC::AssemblyHelpers::callExceptionFuzz):
1293         (JSC::AssemblyHelpers::debugCall):
1294         * jit/AssemblyHelpers.h:
1295         (JSC::AssemblyHelpers::emitFunctionPrologue):
1296         * jit/CCallHelpers.cpp:
1297         (JSC::CCallHelpers::ensureShadowChickenPacket):
1298         * jit/CCallHelpers.h:
1299         (JSC::CCallHelpers::prepareForTailCallSlow):
1300         * jit/CallFrameShuffler.cpp:
1301         (JSC::CallFrameShuffler::prepareForTailCall):
1302         * jit/ExecutableAllocator.cpp:
1303         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1304         * jit/ExecutableAllocator.h:
1305         (JSC::performJITMemcpy):
1306         * jit/JIT.cpp:
1307         (JSC::JIT::compileWithoutLinking):
1308         (JSC::JIT::link):
1309         * jit/JITArithmetic.cpp:
1310         (JSC::JIT::emit_op_negate):
1311         (JSC::JIT::emit_op_add):
1312         (JSC::JIT::emitMathICFast):
1313         (JSC::JIT::emitMathICSlow):
1314         (JSC::JIT::emit_op_mul):
1315         (JSC::JIT::emit_op_sub):
1316         * jit/JITCode.cpp:
1317         (JSC::JITCode::execute):
1318         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1319         (JSC::DirectJITCode::DirectJITCode):
1320         (JSC::DirectJITCode::initializeCodeRef):
1321         (JSC::NativeJITCode::addressForCall):
1322         * jit/JITExceptions.cpp:
1323         (JSC::genericUnwind):
1324         * jit/JITMathIC.h:
1325         (JSC::isProfileEmpty):
1326         (JSC::JITBinaryMathIC::JITBinaryMathIC):
1327         (JSC::JITUnaryMathIC::JITUnaryMathIC):
1328         * jit/JITOpcodes.cpp:
1329         (JSC::JIT::emit_op_switch_imm):
1330         (JSC::JIT::emit_op_switch_char):
1331         (JSC::JIT::emit_op_switch_string):
1332         (JSC::JIT::privateCompileHasIndexedProperty):
1333         (JSC::JIT::emitSlow_op_has_indexed_property):
1334         * jit/JITOpcodes32_64.cpp:
1335         (JSC::JIT::privateCompileHasIndexedProperty):
1336         * jit/JITOperations.cpp:
1337         (JSC::getByVal):
1338         (JSC::tryGetByValOptimize):
1339         * jit/JITPropertyAccess.cpp:
1340         (JSC::JIT::stringGetByValStubGenerator):
1341         (JSC::JIT::emitGetByValWithCachedId):
1342         (JSC::JIT::emitSlow_op_get_by_val):
1343         (JSC::JIT::emitPutByValWithCachedId):
1344         (JSC::JIT::emitSlow_op_put_by_val):
1345         (JSC::JIT::emitSlow_op_try_get_by_id):
1346         (JSC::JIT::emitSlow_op_get_by_id):
1347         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1348         (JSC::JIT::emitSlow_op_put_by_id):
1349         (JSC::JIT::privateCompileGetByVal):
1350         (JSC::JIT::privateCompileGetByValWithCachedId):
1351         (JSC::JIT::privateCompilePutByVal):
1352         (JSC::JIT::privateCompilePutByValWithCachedId):
1353         * jit/JITThunks.cpp:
1354         (JSC::JITThunks::hostFunctionStub):
1355         * jit/Repatch.cpp:
1356         (JSC::tryCacheGetByID):
1357         (JSC::repatchGetByID):
1358         (JSC::appropriateOptimizingPutByIdFunction):
1359         (JSC::tryCachePutByID):
1360         (JSC::repatchPutByID):
1361         (JSC::linkFor):
1362         (JSC::revertCall):
1363         (JSC::linkPolymorphicCall):
1364         (JSC::resetGetByID):
1365         (JSC::resetPutByID):
1366         * jit/Repatch.h:
1367         * jit/SpecializedThunkJIT.h:
1368         (JSC::SpecializedThunkJIT::finalize):
1369         (JSC::SpecializedThunkJIT::callDoubleToDouble):
1370         * jit/ThunkGenerators.cpp:
1371         (JSC::emitPointerValidation):
1372         (JSC::throwExceptionFromCallSlowPathGenerator):
1373         (JSC::slowPathFor):
1374         (JSC::linkCallThunkGenerator): Deleted.
1375         (JSC::linkPolymorphicCallThunkGenerator): Deleted.
1376         (JSC::virtualThunkFor): Deleted.
1377         (JSC::nativeForGenerator): Deleted.
1378         (JSC::nativeCallGenerator): Deleted.
1379         (JSC::nativeTailCallGenerator): Deleted.
1380         (JSC::nativeTailCallWithoutSavedTagsGenerator): Deleted.
1381         (JSC::nativeConstructGenerator): Deleted.
1382         (JSC::internalFunctionCallGenerator): Deleted.
1383         (JSC::internalFunctionConstructGenerator): Deleted.
1384         (JSC::arityFixupGenerator): Deleted.
1385         (JSC::unreachableGenerator): Deleted.
1386         (JSC::stringCharLoad): Deleted.
1387         (JSC::charToString): Deleted.
1388         (JSC::charCodeAtThunkGenerator): Deleted.
1389         (JSC::charAtThunkGenerator): Deleted.
1390         (JSC::fromCharCodeThunkGenerator): Deleted.
1391         (JSC::clz32ThunkGenerator): Deleted.
1392         (JSC::sqrtThunkGenerator): Deleted.
1393         (JSC::floorThunkGenerator): Deleted.
1394         (JSC::ceilThunkGenerator): Deleted.
1395         (JSC::truncThunkGenerator): Deleted.
1396         (JSC::roundThunkGenerator): Deleted.
1397         (JSC::expThunkGenerator): Deleted.
1398         (JSC::logThunkGenerator): Deleted.
1399         (JSC::absThunkGenerator): Deleted.
1400         (JSC::imulThunkGenerator): Deleted.
1401         (JSC::randomThunkGenerator): Deleted.
1402         (JSC::boundThisNoArgsFunctionCallGenerator): Deleted.
1403         * llint/LLIntData.cpp:
1404         (JSC::LLInt::initialize):
1405         * llint/LLIntData.h:
1406         (JSC::LLInt::getCodePtr):
1407         * llint/LLIntEntrypoint.cpp:
1408         (JSC::LLInt::setEvalEntrypoint):
1409         (JSC::LLInt::setProgramEntrypoint):
1410         (JSC::LLInt::setModuleProgramEntrypoint):
1411         * llint/LLIntSlowPaths.cpp:
1412         (JSC::LLInt::setUpCall):
1413         * llint/LLIntThunks.cpp:
1414         (JSC::LLInt::generateThunkWithJumpTo):
1415         * llint/LowLevelInterpreter.asm:
1416         * llint/LowLevelInterpreter32_64.asm:
1417         * llint/LowLevelInterpreter64.asm:
1418         * runtime/ExecutableBase.h:
1419         * runtime/NativeExecutable.cpp:
1420         (JSC::NativeExecutable::finishCreation):
1421         * runtime/NativeFunction.h:
1422         (JSC::TaggedNativeFunction::TaggedNativeFunction):
1423         (JSC::TaggedNativeFunction::operator NativeFunction):
1424         * runtime/PropertySlot.h:
1425         (JSC::PropertySlot::setCustom):
1426         (JSC::PropertySlot::setCacheableCustom):
1427         * runtime/PtrTag.h:
1428         * runtime/PutPropertySlot.h:
1429         (JSC::PutPropertySlot::setCustomValue):
1430         (JSC::PutPropertySlot::setCustomAccessor):
1431         * runtime/SamplingProfiler.cpp:
1432         (JSC::SamplingProfiler::takeSample):
1433         * runtime/VMTraps.cpp:
1434         (JSC::SignalContext::SignalContext):
1435         (JSC::VMTraps::tryInstallTrapBreakpoints):
1436         * tools/SigillCrashAnalyzer.cpp:
1437         (JSC::installCrashHandler):
1438         * yarr/YarrJIT.cpp:
1439         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
1440         (JSC::Yarr::YarrGenerator::generateEnter):
1441
1442 2018-03-30  Devin Rousso  <webkit@devinrousso.com>
1443
1444         Web Inspector: tint all pixels drawn by shader program when hovering ShaderProgramTreeElement
1445         https://bugs.webkit.org/show_bug.cgi?id=175223
1446
1447         Reviewed by Matt Baker.
1448
1449         * inspector/protocol/Canvas.json:
1450         Add `setShaderProgramHighlighted` command that will cause a blend to be applied to the
1451         canvas if the given shader program is active immediately before `drawArrays` or `drawElements`
1452         is called. The blend is removed and the previous value is applied once the draw is complete.
1453
1454 2018-03-30  JF Bastien  <jfbastien@apple.com>
1455
1456         WebAssembly: support DataView compilation
1457         https://bugs.webkit.org/show_bug.cgi?id=183342
1458
1459         Reviewed by Mark Lam.
1460
1461         Compiling a module from a DataView was incorrectly dealing with
1462         DataView's offset.
1463
1464         * wasm/WasmModuleParser.cpp:
1465         (JSC::Wasm::ModuleParser::parse):
1466         * wasm/js/JSWebAssemblyHelpers.h:
1467         (JSC::getWasmBufferFromValue):
1468         (JSC::createSourceBufferFromValue):
1469         * wasm/js/WebAssemblyPrototype.cpp:
1470         (JSC::webAssemblyValidateFunc):
1471
1472 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
1473
1474         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
1475         https://bugs.webkit.org/show_bug.cgi?id=184189
1476
1477         Reviewed by JF Bastien.
1478
1479         * bytecompiler/NodesCodegen.cpp:
1480         (JSC::ResolveNode::emitBytecode):
1481
1482 2018-03-30  Mark Lam  <mark.lam@apple.com>
1483
1484         Add pointer profiling support to Wasm.
1485         https://bugs.webkit.org/show_bug.cgi?id=184175
1486         <rdar://problem/39027923>
1487
1488         Reviewed by JF Bastien.
1489
1490         * runtime/PtrTag.h:
1491         * wasm/WasmB3IRGenerator.cpp:
1492         (JSC::Wasm::B3IRGenerator::addGrowMemory):
1493         (JSC::Wasm::B3IRGenerator::addCall):
1494         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1495         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
1496         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
1497         * wasm/WasmBBQPlan.cpp:
1498         (JSC::Wasm::BBQPlan::prepare):
1499         (JSC::Wasm::BBQPlan::complete):
1500         * wasm/WasmBinding.cpp:
1501         (JSC::Wasm::wasmToWasm):
1502         * wasm/WasmBinding.h:
1503         * wasm/WasmFaultSignalHandler.cpp:
1504         (JSC::Wasm::trapHandler):
1505         * wasm/WasmOMGPlan.cpp:
1506         (JSC::Wasm::OMGPlan::work):
1507         * wasm/WasmThunks.cpp:
1508         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1509         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1510         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1511         * wasm/js/WasmToJS.cpp:
1512         (JSC::Wasm::handleBadI64Use):
1513         (JSC::Wasm::wasmToJS):
1514         * wasm/js/WebAssemblyFunction.cpp:
1515         (JSC::callWebAssemblyFunction):
1516         * wasm/js/WebAssemblyFunction.h:
1517
1518 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
1519
1520         Unreviewed, rolling out r230102.
1521
1522         Caused assertion failures on JSC bots.
1523
1524         Reverted changeset:
1525
1526         "A stack overflow in the parsing of a builtin (called by
1527         createExecutable) causes a crash instead of a catchable JS
1528         exception"
1529         https://bugs.webkit.org/show_bug.cgi?id=184074
1530         https://trac.webkit.org/changeset/230102
1531
1532 2018-03-30  Robin Morisset  <rmorisset@apple.com>
1533
1534         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
1535         https://bugs.webkit.org/show_bug.cgi?id=183812
1536
1537         Reviewed by Keith Miller.
1538
1539         The fix I landed for https://bugs.webkit.org/show_bug.cgi?id=181027 was flawed: I tried setting the bytecodeIndex for the new block on line 1679 (at the end of inlineCall), but it is going to be reset on line 6612 (in parseCodeBlock).
1540         The fix is simply to make the block untargetable by default, and let parseCodeBlock make it targetable afterwards if it is a jump target.
1541
1542         * dfg/DFGByteCodeParser.cpp:
1543         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
1544         (JSC::DFG::ByteCodeParser::inlineCall):
1545
1546 2018-03-30  Robin Morisset  <rmorisset@apple.com>
1547
1548         A stack overflow in the parsing of a builtin (called by createExecutable) causes a crash instead of a catchable JS exception
1549         https://bugs.webkit.org/show_bug.cgi?id=184074
1550         <rdar://problem/37165897>
1551
1552         Reviewed by Keith Miller.
1553
1554         Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place.
1555         It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError.
1556         Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts.
1557         As a result, this patch is grotesquely large, while all it does is add enough plumbing to throw a proper exception in this specific case.
1558
1559         There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow.
1560         If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too.
1561
1562         Two other minor changes:
1563         - I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead.
1564         - I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places.
1565
1566         * JavaScriptCore.xcodeproj/project.pbxproj:
1567         * Scripts/builtins/builtins_generate_combined_header.py:
1568         (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
1569         (ParserError):
1570         (generate_section_for_object): Deleted.
1571         (generate_externs_for_object): Deleted.
1572         (generate_macros_for_object): Deleted.
1573         (generate_section_for_code_table_macro): Deleted.
1574         (generate_section_for_code_name_macro): Deleted.
1575         (generate_section_for_global_private_code_name_macro): Deleted.
1576         * Scripts/builtins/builtins_generate_separate_header.py:
1577         (generate_secondary_header_includes):
1578         * Scripts/builtins/builtins_templates.py:
1579         * Sources.txt:
1580         * builtins/BuiltinExecutableCreator.cpp: Removed.
1581         * builtins/BuiltinExecutableCreator.h: Removed.
1582         * builtins/BuiltinExecutables.cpp:
1583         (JSC::BuiltinExecutables::createDefaultConstructor):
1584         (JSC::BuiltinExecutables::createBuiltinExecutable):
1585         (JSC::createBuiltinExecutable):
1586         (JSC::BuiltinExecutables::createExecutableOrCrash):
1587         (JSC::BuiltinExecutables::createExecutable):
1588         * builtins/BuiltinExecutables.h:
1589         * bytecompiler/BytecodeGenerator.h:
1590         * parser/ParserError.cpp: Added.
1591         (JSC::ParserError::toErrorObject):
1592         (JSC::ParserError::throwStackOverflowOrOutOfMemory):
1593         (WTF::printInternal):
1594         * parser/ParserError.h:
1595         (JSC::ParserError::toErrorObject): Deleted.
1596         (WTF::printInternal): Deleted.
1597         * runtime/AsyncIteratorPrototype.cpp:
1598         (JSC::AsyncIteratorPrototype::finishCreation):
1599         * runtime/FunctionPrototype.cpp:
1600         (JSC::FunctionPrototype::addFunctionProperties):
1601         * runtime/JSGlobalObject.cpp:
1602         (JSC::JSGlobalObject::init):
1603         * runtime/JSObject.cpp:
1604         (JSC::JSObject::getOwnStaticPropertySlot):
1605         (JSC::JSObject::reifyAllStaticProperties):
1606         * runtime/JSObject.h:
1607         (JSC::JSObject::getOwnNonIndexPropertySlot):
1608         (JSC::JSObject::getOwnPropertySlot):
1609         (JSC::JSObject::getPropertySlot):
1610         * runtime/JSObjectInlines.h:
1611         (JSC::JSObject::getNonIndexPropertySlot):
1612         * runtime/JSTypedArrayViewPrototype.cpp:
1613         (JSC::JSTypedArrayViewPrototype::finishCreation):
1614         * runtime/Lookup.cpp:
1615         (JSC::reifyStaticAccessor):
1616         (JSC::setUpStaticFunctionSlot):
1617         * runtime/Lookup.h:
1618         (JSC::getStaticPropertySlotFromTable):
1619         (JSC::reifyStaticProperty):
1620         * runtime/MapPrototype.cpp:
1621         (JSC::MapPrototype::finishCreation):
1622         * runtime/SetPrototype.cpp:
1623         (JSC::SetPrototype::finishCreation):
1624         * tools/JSDollarVM.cpp:
1625         (JSC::functionCreateBuiltin):
1626
1627 2018-03-30  Robin Morisset  <rmorisset@apple.com>
1628
1629         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
1630         https://bugs.webkit.org/show_bug.cgi?id=183657
1631         <rdar://problem/38464399>
1632
1633         Reviewed by Keith Miller.
1634
1635         There was just a missing check in unshiftCountForIndexingType.
1636         I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path',
1637         and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp).
1638         Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk.
1639
1640         * runtime/ArrayPrototype.cpp:
1641         (JSC::unshift):
1642         * runtime/JSArray.cpp:
1643         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1644         * runtime/JSObject.h:
1645         (JSC::JSObject::ensureLength):
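
        As an added illustration (not JavaScriptCore's code) of the fast-path / slow-path contract this entry describes: a model in which the fast path returns false to hand the call to the slow path and true when it has dealt with it, including by leaving an exception pending. The model's MAX_STORAGE_VECTOR_LENGTH value, ExecState, ModelArray and the simulateOutOfMemory hook are placeholders and do not reflect JSC's real definitions.

```cpp
// Hypothetical model (not JavaScriptCore code) of the contract described in the entry:
// the fast path returns false for "continue to the generic slow path" and true for
// "handled", and the slow path asserts that no exception is pending when it is entered.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <vector>

// Placeholder bound for the model; JSC's real MAX_STORAGE_VECTOR_LENGTH is different.
constexpr uint32_t MAX_STORAGE_VECTOR_LENGTH = 1u << 20;

// Stays active in release builds, unlike assert() under NDEBUG.
#define RELEASE_ASSERT(cond) do { if (!(cond)) std::abort(); } while (0)

struct ExecState {
    bool hasPendingException = false;
    bool simulateOutOfMemory = false; // test hook for the model only
};

struct ModelArray {
    std::vector<uint32_t> storage; // contiguous storage; storage.size() is the capacity
    uint32_t publicLength = 0;     // the JS-visible length
};

// Grow storage to hold newLength elements; false on (simulated) allocation failure.
// Making the bound check a release assert means a caller that forgets to check the
// bound crashes deterministically instead of writing past the storage vector.
static bool ensureLength(ExecState& exec, ModelArray& array, uint32_t newLength)
{
    RELEASE_ASSERT(newLength <= MAX_STORAGE_VECTOR_LENGTH);
    if (exec.simulateOutOfMemory)
        return false;
    if (newLength > array.storage.size())
        array.storage.resize(newLength);
    return true;
}

// Fast path: insert `count` holes at `startIndex`. The return value means "handled", not "succeeded".
static bool unshiftCountFast(ExecState& exec, ModelArray& array, uint32_t startIndex, uint32_t count)
{
    uint32_t oldLength = array.publicLength;
    // The check that was missing. Without it, the debug-only assert in ensureLength was
    // the sole guard, so release builds could grow the vector past its bound.
    if (static_cast<uint64_t>(oldLength) + count > MAX_STORAGE_VECTOR_LENGTH)
        return false; // nothing done yet, so the slow path may take over
    if (!ensureLength(exec, array, oldLength + count)) {
        exec.hasPendingException = true; // throwOutOfMemoryError in the real code
        return true;  // fixed: 'return false' here would enter the slow path with an exception pending
    }
    // Shift [startIndex, oldLength) up by count and leave zeroed holes in the gap.
    for (uint32_t i = oldLength; i > startIndex; --i)
        array.storage[i - 1 + count] = array.storage[i - 1];
    for (uint32_t i = 0; i < count; ++i)
        array.storage[startIndex + i] = 0;
    array.publicLength = oldLength + count;
    return true;
}

// Generic slow path. Like the real one, it requires that no exception is pending on entry.
// (The real slow path switches representation; the model just inserts into the vector.)
static void unshiftCountSlow(ExecState& exec, ModelArray& array, uint32_t startIndex, uint32_t count)
{
    RELEASE_ASSERT(!exec.hasPendingException);
    array.storage.insert(array.storage.begin() + startIndex, static_cast<size_t>(count), 0u);
    array.publicLength += count;
}

// Caller in the style of the entry's JSC::unshift: fast path first, slow path if it declined.
// Returns the new length, or 0 when an exception is pending.
static uint32_t unshift(ExecState& exec, ModelArray& array, uint32_t startIndex, uint32_t count)
{
    if (!unshiftCountFast(exec, array, startIndex, count))
        unshiftCountSlow(exec, array, startIndex, count);
    return exec.hasPendingException ? 0 : array.publicLength;
}
```

        With the pre-fix 'return false' on the out-of-memory branch, the third scenario in the model (simulated allocation failure) would reach the slow path's release assert instead of returning with the exception pending.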
1646
1647 2018-03-29  Mark Lam  <mark.lam@apple.com>
1648
1649         Add some pointer profiling support to B3 and Air.
1650         https://bugs.webkit.org/show_bug.cgi?id=184165
1651         <rdar://problem/39022125>
1652
1653         Reviewed by JF Bastien.
1654
1655         * b3/B3LowerMacros.cpp:
1656         * b3/B3LowerMacrosAfterOptimizations.cpp:
1657         * b3/B3MathExtras.cpp:
1658         * b3/B3ReduceStrength.cpp:
1659         * b3/air/AirCCallSpecial.cpp:
1660         (JSC::B3::Air::CCallSpecial::generate):
1661         * b3/air/AirCCallSpecial.h:
1662         * b3/testb3.cpp:
1663         (JSC::B3::testCallSimple):
1664         (JSC::B3::testCallRare):
1665         (JSC::B3::testCallRareLive):
1666         (JSC::B3::testCallSimplePure):
1667         (JSC::B3::testCallFunctionWithHellaArguments):
1668         (JSC::B3::testCallFunctionWithHellaArguments2):
1669         (JSC::B3::testCallFunctionWithHellaArguments3):
1670         (JSC::B3::testCallSimpleDouble):
1671         (JSC::B3::testCallSimpleFloat):
1672         (JSC::B3::testCallFunctionWithHellaDoubleArguments):
1673         (JSC::B3::testCallFunctionWithHellaFloatArguments):
1674         (JSC::B3::testLinearScanWithCalleeOnStack):
1675         (JSC::B3::testInterpreter):
1676         (JSC::B3::testLICMPure):
1677         (JSC::B3::testLICMPureSideExits):
1678         (JSC::B3::testLICMPureWritesPinned):
1679         (JSC::B3::testLICMPureWrites):
1680         (JSC::B3::testLICMReadsLocalState):
1681         (JSC::B3::testLICMReadsPinned):
1682         (JSC::B3::testLICMReads):
1683         (JSC::B3::testLICMPureNotBackwardsDominant):
1684         (JSC::B3::testLICMPureFoiledByChild):
1685         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1686         (JSC::B3::testLICMExitsSideways):
1687         (JSC::B3::testLICMWritesLocalState):
1688         (JSC::B3::testLICMWrites):
1689         (JSC::B3::testLICMFence):
1690         (JSC::B3::testLICMWritesPinned):
1691         (JSC::B3::testLICMControlDependent):
1692         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1693         (JSC::B3::testLICMControlDependentSideExits):
1694         (JSC::B3::testLICMReadsPinnedWritesPinned):
1695         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1696         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1697         (JSC::B3::testLICMDefaultCall):
1698         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
1699         * ftl/FTLLowerDFGToB3.cpp:
1700         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1701         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1702         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1703         * jit/GPRInfo.h:
1704         * runtime/PtrTag.h:
1705         * wasm/WasmBinding.cpp:
1706         (JSC::Wasm::wasmToWasm):
1707
1708 2018-03-29  JF Bastien  <jfbastien@apple.com>
1709
1710         Use Forward.h instead of forward-declaring WTF::String
1711         https://bugs.webkit.org/show_bug.cgi?id=184172
1712         <rdar://problem/39026146>
1713
1714         Reviewed by Yusuke Suzuki.
1715
1716         As part of #184164 I'm changing WTF::String, and the forward
1717         declarations are just wrong because I'm making it templated. We
1718         should use Forward.h anyways, so do that instead.
1719
1720         * runtime/DateConversion.h:
1721
1722 2018-03-29  Mark Lam  <mark.lam@apple.com>
1723
1724         Use MacroAssemblerCodePtr in Wasm code for code pointers instead of void*.
1725         https://bugs.webkit.org/show_bug.cgi?id=184163
1726         <rdar://problem/39020397>
1727
1728         Reviewed by JF Bastien.
1729
1730         With the use of MacroAssemblerCodePtr, we now get poisoning for Wasm code pointers.
1731
1732         Also renamed some structs, methods, and variable names to be more accurate.
1733         Previously, there was some confusion between a code pointer and the address of a
1734         code pointer (sometimes referred to in the code as a "LoadLocation").  We now name
1735         the LoadLocation variables appropriately to distinguish them from code pointers.
1736
1737         * wasm/WasmB3IRGenerator.cpp:
1738         (JSC::Wasm::B3IRGenerator::addCall):
1739         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1740         * wasm/WasmBinding.cpp:
1741         (JSC::Wasm::wasmToWasm):
1742         * wasm/WasmCodeBlock.cpp:
1743         (JSC::Wasm::CodeBlock::CodeBlock):
1744         * wasm/WasmCodeBlock.h:
1745         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
1746         (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
1747         * wasm/WasmFormat.h:
1748         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction):
1749         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation):
1750         (JSC::Wasm::CallableFunction::CallableFunction): Deleted.
1751         (JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
1752         * wasm/WasmInstance.h:
1753         (JSC::Wasm::Instance::offsetOfWasmEntrypointLoadLocation):
1754         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStub):
1755         (JSC::Wasm::Instance::offsetOfWasmEntrypoint): Deleted.
1756         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
1757         * wasm/WasmOMGPlan.cpp:
1758         (JSC::Wasm::OMGPlan::work):
1759         * wasm/WasmTable.cpp:
1760         (JSC::Wasm::Table::Table):
1761         (JSC::Wasm::Table::grow):
1762         (JSC::Wasm::Table::clearFunction):
1763         (JSC::Wasm::Table::setFunction):
1764         * wasm/WasmTable.h:
1765         (JSC::Wasm::Table::offsetOfFunctions):
1766         * wasm/js/JSWebAssemblyCodeBlock.h:
1767         * wasm/js/JSWebAssemblyInstance.cpp:
1768         (JSC::JSWebAssemblyInstance::finalizeCreation):
1769         (JSC::JSWebAssemblyInstance::create):
1770         * wasm/js/JSWebAssemblyTable.cpp:
1771         (JSC::JSWebAssemblyTable::setFunction):
1772         * wasm/js/WebAssemblyFunction.cpp:
1773         (JSC::WebAssemblyFunction::create):
1774         (JSC::WebAssemblyFunction::WebAssemblyFunction):
1775         * wasm/js/WebAssemblyFunction.h:
1776         * wasm/js/WebAssemblyModuleRecord.cpp:
1777         (JSC::WebAssemblyModuleRecord::link):
1778         (JSC::WebAssemblyModuleRecord::evaluate):
1779         * wasm/js/WebAssemblyWrapperFunction.cpp:
1780         (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
1781         (JSC::WebAssemblyWrapperFunction::create):
1782         * wasm/js/WebAssemblyWrapperFunction.h:
1783
1784 2018-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1785
1786         Remove WTF_EXPORTDATA and JS_EXPORTDATA
1787         https://bugs.webkit.org/show_bug.cgi?id=184170
1788
1789         Reviewed by JF Bastien.
1790
1791         Replace WTF_EXPORTDATA and JS_EXPORTDATA with
1792         WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE respectively.
1793
1794         * heap/WriteBarrierSupport.h:
1795         * jit/ExecutableAllocator.cpp:
1796         * jit/ExecutableAllocator.h:
1797         * runtime/JSCPoison.h:
1798         * runtime/JSCell.h:
1799         * runtime/JSExportMacros.h:
1800         * runtime/JSGlobalObject.h:
1801         * runtime/JSObject.h:
1802         * runtime/Options.h:
1803         * runtime/PropertyDescriptor.h:
1804         * runtime/PropertyMapHashTable.h:
1805         * runtime/SamplingCounter.h:
1806
1807 2018-03-29  Ross Kirsling  <ross.kirsling@sony.com>
1808
1809         MSVC __forceinline slows down JSC release build fivefold after r229391
1810         https://bugs.webkit.org/show_bug.cgi?id=184062
1811
1812         Reviewed by Alex Christensen.
1813
1814         * jit/CCallHelpers.h:
1815         (JSC::CCallHelpers::marshallArgumentRegister):
1816         Exempt MSVC from a single forced inline used within recursive templates.
1817
1818 2018-03-29  Keith Miller  <keith_miller@apple.com>
1819
1820         ArrayMode should not try to get the DFG to think it can convert TypedArrays
1821         https://bugs.webkit.org/show_bug.cgi?id=184137
1822
1823         Reviewed by Saam Barati.
1824
1825         * dfg/DFGArrayMode.cpp:
1826         (JSC::DFG::ArrayMode::fromObserved):
1827
1828 2018-03-29  Commit Queue  <commit-queue@webkit.org>
1829
1830         Unreviewed, rolling out r230062.
1831         https://bugs.webkit.org/show_bug.cgi?id=184128
1832
1833         Broke Mac port. Web content process crashes while loading any
1834         web page (Requested by rniwa on #webkit).
1835
1836         Reverted changeset:
1837
1838         "MSVC __forceinline slows down JSC release build fivefold
1839         after r229391"
1840         https://bugs.webkit.org/show_bug.cgi?id=184062
1841         https://trac.webkit.org/changeset/230062
1842
1843 2018-03-28  Ross Kirsling  <ross.kirsling@sony.com>
1844
1845         MSVC __forceinline slows down JSC release build fivefold after r229391
1846         https://bugs.webkit.org/show_bug.cgi?id=184062
1847
1848         Reviewed by Alex Christensen.
1849
1850         * jit/CCallHelpers.h:
1851         (JSC::CCallHelpers::marshallArgumentRegister):
1852         Exempt MSVC from a single forced inline used within recursive templates.
1853
1854 2018-03-28  Mark Lam  <mark.lam@apple.com>
1855
1856         Enhance ARM64 probe to support pointer profiling.
1857         https://bugs.webkit.org/show_bug.cgi?id=184069
1858         <rdar://problem/38939879>
1859
1860         Reviewed by JF Bastien.
1861
1862         * assembler/MacroAssemblerARM64.cpp:
1863         (JSC::MacroAssembler::probe):
1864         * assembler/MacroAssemblerX86Common.h:
1865         (JSC::MacroAssemblerX86Common::popPair):
1866         (JSC::MacroAssemblerX86Common::pushPair):
1867         * assembler/testmasm.cpp:
1868         (JSC::testProbeReadsArgumentRegisters):
1869         (JSC::testProbeWritesArgumentRegisters):
1870         * runtime/PtrTag.h:
1871         (JSC::tagForPtr):
1872
1873 2018-03-28  Robin Morisset  <rmorisset@apple.com>
1874
1875         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
1876         https://bugs.webkit.org/show_bug.cgi?id=183894
1877
1878         Reviewed by Saam Barati.
1879
1880         Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
1881
1882         * runtime/JSONObject.cpp:
1883         (JSC::Stringifier::appendStringifiedValue):
1884
1885 2018-03-28  Carlos Garcia Campos  <cgarcia@igalia.com>
1886
1887         [JSC] Move WeakValueRef class to its own file and use it from Objc and GLib
1888         https://bugs.webkit.org/show_bug.cgi?id=184073
1889
1890         Reviewed by Yusuke Suzuki.
1891
1892         We currently have duplicated code in the ObjC and GLib implementations.
1893
1894         * API/JSManagedValue.mm:
1895         (managedValueHandleOwner):
1896         (-[JSManagedValue initWithValue:]):
1897         * API/JSWeakValue.cpp: Added.
1898         (JSC::JSWeakValue::~JSWeakValue):
1899         (JSC::JSWeakValue::clear):
1900         (JSC::JSWeakValue::isClear const):
1901         (JSC::JSWeakValue::setPrimitive):
1902         (JSC::JSWeakValue::setObject):
1903         (JSC::JSWeakValue::setString):
1904         * API/JSWeakValue.h: Added.
1905         (JSC::JSWeakValue::isSet const):
1906         (JSC::JSWeakValue::isPrimitive const):
1907         (JSC::JSWeakValue::isObject const):
1908         (JSC::JSWeakValue::isString const):
1909         (JSC::JSWeakValue::object const):
1910         (JSC::JSWeakValue::primitive const):
1911         (JSC::JSWeakValue::string const):
1912         * API/glib/JSCWeakValue.cpp:
1913         * JavaScriptCore.xcodeproj/project.pbxproj:
1914         * Sources.txt:
1915
1916 2018-03-27  Carlos Garcia Campos  <cgarcia@igalia.com>
1917
1918         [GLIB] Add JSCWeakValue to JavaScriptCore GLib API
1919         https://bugs.webkit.org/show_bug.cgi?id=184041
1920
1921         Reviewed by Michael Catanzaro.
1922
1923         This allows keeping a reference to a JavaScript value without protecting it, and without holding a strong
1924         reference to the context. When the value is cleared, the JSCWeakValue::cleared signal is emitted and
1925         jsc_weak_value_get_value() will always return nullptr.
1926
1927         * API/glib/JSCWeakValue.cpp: Added.
1928         (WeakValueRef::~WeakValueRef):
1929         (WeakValueRef::clear):
1930         (WeakValueRef::isClear const):
1931         (WeakValueRef::isSet const):
1932         (WeakValueRef::isPrimitive const):
1933         (WeakValueRef::isObject const):
1934         (WeakValueRef::isString const):
1935         (WeakValueRef::setPrimitive):
1936         (WeakValueRef::setObject):
1937         (WeakValueRef::setString):
1938         (WeakValueRef::object const):
1939         (WeakValueRef::primitive const):
1940         (WeakValueRef::string const):
1941         (weakValueHandleOwner):
1942         (jscWeakValueInitialize):
1943         (jscWeakValueSetProperty):
1944         (jscWeakValueDispose):
1945         (jsc_weak_value_class_init):
1946         (jsc_weak_value_new):
1947         (jsc_weak_value_get_value):
1948         * API/glib/JSCWeakValue.h: Added.
1949         * API/glib/docs/jsc-glib-4.0-sections.txt:
1950         * API/glib/docs/jsc-glib-docs.sgml:
1951         * API/glib/jsc.h:
1952         * GLib.cmake:
1953
1954 2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1955
1956         [DFG] Remove unnecessary USE(JSVALUE32_64) / USE(JSVALUE64)
1957         https://bugs.webkit.org/show_bug.cgi?id=181292
1958
1959         Reviewed by Saam Barati.
1960
1961         By using JSValueRegs abstraction, we can simplify DFGSpeculativeJIT.cpp code.
1962
1963         * dfg/DFGSpeculativeJIT.cpp:
1964         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1965         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1966         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1967         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1968         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1969         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
1970         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
1971
1972 2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1973
1974         Add Load16Z for B3 and use it in WebAssembly
1975         https://bugs.webkit.org/show_bug.cgi?id=165884
1976
1977         Reviewed by JF Bastien.
1978
1979         We already support Load16Z in B3. Use it for i32.load16_u / i64.load16_u in WebAssembly.
1980         spec-tests/memory.wast.js already covered this change.
1981
1982         * wasm/WasmB3IRGenerator.cpp:
1983         (JSC::Wasm::B3IRGenerator::emitLoadOp):
1984
1985 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1986
1987         [JSC] Remove repeated iteration of ElementNode
1988         https://bugs.webkit.org/show_bug.cgi?id=183987
1989
1990         Reviewed by Keith Miller.
1991
1992         BytecodeGenerator repeatedly iterates over ElementNode to emit efficient code.
1993         While this is OK for small arrays, the repeated iteration takes a long time
1994         if the array is very large. For example, Kraken's initialization code includes
1995         a very large array of numeric literals, which makes bytecode compilation take a long time.
1996
1997         This patch carefully removes the unnecessary iteration when emitting arrays.
1998         It reduces one of Kraken/imaging-darkroom's bytecode compile times from 13.169856 ms
1999         to 9.988050 ms.
2000
2001         * bytecompiler/BytecodeGenerator.cpp:
2002         (JSC::BytecodeGenerator::emitNewArrayBuffer):
2003         (JSC::BytecodeGenerator::emitNewArray):
2004         * bytecompiler/BytecodeGenerator.h:
2005         * bytecompiler/NodesCodegen.cpp:
2006         (JSC::ArrayNode::emitBytecode):
2007         (JSC::ArrayPatternNode::bindValue const):
2008         (JSC::ArrayPatternNode::emitDirectBinding):
2009
2010 2018-03-26  Ross Kirsling  <ross.kirsling@sony.com>
2011
2012         JIT callOperation() needs to support operations that return SlowPathReturnType differently on Windows.
2013         https://bugs.webkit.org/show_bug.cgi?id=183655
2014
2015         Reviewed by Keith Miller.
2016
2017         * jit/CCallHelpers.h:
2018         (JSC::CCallHelpers::ArgCollection::argCount):
2019         (JSC::CCallHelpers::marshallArgumentRegister):
2020         (JSC::CCallHelpers::setupArgumentsImpl):
2021         On Win64, ensure that argCount always includes GPRs and FPRs and that counting starts from 1 for SlowPathReturnType.
2022
2023         * jit/JIT.h:
2024         (JSC::JIT::callOperation):
2025         (JSC::JIT::is64BitType):
2026         (JSC::JIT::is64BitType<void>):
2027         On Win64, ensure special call is used for SlowPathReturnType.
2028
2029         * jit/JITOperations.h:
2030         Update changed type.
2031
2032 2018-03-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2033
2034         We should have SSE4 detection in the X86 MacroAssembler.
2035         https://bugs.webkit.org/show_bug.cgi?id=165363
2036
2037         Reviewed by JF Bastien.
2038
2039         This patch adds popcnt support to WASM in the x86_64 environment.
2040         To use it, we refactor our CPUID feature detection in MacroAssemblerX86Common.
2041         Our spec-tests already cover popcnt.
2042
2043         * assembler/MacroAssemblerARM64.h:
2044         (JSC::MacroAssemblerARM64::supportsCountPopulation):
2045         * assembler/MacroAssemblerX86Common.cpp:
2046         (JSC::MacroAssemblerX86Common::getCPUID):
2047         (JSC::MacroAssemblerX86Common::getCPUIDEx):
2048         (JSC::MacroAssemblerX86Common::collectCPUFeatures):
2049         * assembler/MacroAssemblerX86Common.h:
2050         (JSC::MacroAssemblerX86Common::countPopulation32):
2051         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
2052         (JSC::MacroAssemblerX86Common::supportsCountPopulation):
2053         (JSC::MacroAssemblerX86Common::supportsAVX):
2054         (JSC::MacroAssemblerX86Common::supportsLZCNT):
2055         (JSC::MacroAssemblerX86Common::supportsBMI1):
2056         (JSC::MacroAssemblerX86Common::isSSE2Present):
2057         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags): Deleted.
2058         * assembler/MacroAssemblerX86_64.h:
2059         (JSC::MacroAssemblerX86_64::countPopulation64):
2060         * assembler/X86Assembler.h:
2061         (JSC::X86Assembler::popcnt_rr):
2062         (JSC::X86Assembler::popcnt_mr):
2063         (JSC::X86Assembler::popcntq_rr):
2064         (JSC::X86Assembler::popcntq_mr):
2065         * wasm/WasmB3IRGenerator.cpp:
2066         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
2067         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
2068
2069 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
2070
2071         DFG should know that CreateThis can be effectful
2072         https://bugs.webkit.org/show_bug.cgi?id=184013
2073
2074         Reviewed by Saam Barati.
2075
2076         As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this
2077         is a proxy.
2078
2079         * dfg/DFGAbstractInterpreterInlines.h:
2080         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2081         * dfg/DFGClobberize.h:
2082         (JSC::DFG::clobberize):
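
        As an added example (not code from the WebKit ChangeLog or JSC's test suite): constructing through a Proxy makes the engine's CreateThis step observable, because the `prototype` read that builds `this` goes through the proxy's `get` trap. The `Point` constructor, the proxies and the `effects` log are constructed for this illustration.

```javascript
// Added example (not from the WebKit ChangeLog or JSC's test suite). Illustrates
// why CreateThis is effectful: `new` on a Proxy-wrapped constructor reads the
// constructor's `prototype` through the proxy's `get` trap, which runs user code.

// Record of observable side effects; filled in by the traps below (constructed sample).
const effects = [];

// Plain constructor used as the proxy target (constructed for this example).
function Point(x, y) {
  this.x = x;
  this.y = y;
}

// Proxy around the constructor: every property read is logged before being forwarded.
const ProxiedPoint = new Proxy(Point, {
  get(target, key, receiver) {
    effects.push(`get:${String(key)}`);
    return Reflect.get(target, key, receiver);
  },
});

// Constructs through the proxy and returns what was observed. The engine's
// CreateThis step performs Get(newTarget, "prototype"), so the trap fires once.
function constructThroughProxy() {
  effects.length = 0;
  const p = new ProxiedPoint(1, 2);
  return { point: p, effects: effects.slice() };
}

// Constructs the plain function: no trap exists, so no side effect is observable.
function constructPlain() {
  effects.length = 0;
  const p = new Point(1, 2);
  return { point: p, effects: effects.slice() };
}

// A trap can also change the result: here the prototype read is answered with a
// different object, so the created `this` does not inherit from Point.prototype.
// This is why a JIT cannot assume the prototype of `this` from the target alone.
const SwappedPrototypePoint = new Proxy(Point, {
  get(target, key, receiver) {
    if (key === "prototype") {
      effects.push("get:prototype (swapped)");
      return { swapped: true };
    }
    return Reflect.get(target, key, receiver);
  },
});

function constructWithSwappedPrototype() {
  effects.length = 0;
  const p = new SwappedPrototypePoint(3, 4);
  return { point: p, effects: effects.slice() };
}
```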
2083
2084 2018-03-25  Saam Barati  <sbarati@apple.com>
2085
2086         Fix typo in JSC option name
2087         https://bugs.webkit.org/show_bug.cgi?id=184001
2088
2089         Reviewed by Mark Lam.
2090
2091         enableJITDebugAssetions => enableJITDebugAssertions.
2092
2093         * assembler/MacroAssembler.cpp:
2094         (JSC::MacroAssembler::jitAssert):
2095         * runtime/Options.h:
2096
2097 2018-03-25  Saam Barati  <sbarati@apple.com>
2098
2099         r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
2100         https://bugs.webkit.org/show_bug.cgi?id=183995
2101
2102         Reviewed by Filip Pizlo.
2103
2104         The removal of this line of code was unintended and happened during some
2105         refactoring Fil was doing. The consequence of removing this line of code
2106         is that the m_emptyCursor became a monotonically increasing integer, leading
2107         to the cursor usually being out of bounds of the block range (depending on
2108         what the program is doing). This made the functionality of finding an empty
2109         block to steal almost always fail.
2110
2111         * heap/BlockDirectory.cpp:
2112         (JSC::BlockDirectory::prepareForAllocation):
2113
2114 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2115
2116         [DFG] Introduces fused compare and jump
2117         https://bugs.webkit.org/show_bug.cgi?id=177100
2118
2119         Reviewed by Mark Lam.
2120
2121         This patch introduces op_jeq, op_jneq, op_jstricteq, and op_jnstricteq.
2122         It offers 3 benefits.
2123
2124         1. They are introduced due to the similar purpose to op_jless etc. It aligns
2125         op_eq families to op_jless families.
2126
2127         2. It reduces the size of bytecode to represent the typical code sequence.
2128
2129         3. It offers the way to fuse check and jump in DFG code generation. Since
2130         we have MovHint between Branch and CompareEq/CompareStrictEq previously,
2131         we cannot do this optimization. It reduces the machine code size in DFG too.
2132
2133         It slightly improves Octane/boyer.
2134
2135             boyer  6.18038+-0.05002    ^     6.06990+-0.04176       ^ definitely 1.0182x faster
2136
2137         * bytecode/BytecodeDumper.cpp:
2138         (JSC::BytecodeDumper<Block>::dumpBytecode):
2139         * bytecode/BytecodeList.json:
2140         * bytecode/BytecodeUseDef.h:
2141         (JSC::computeUsesForBytecodeOffset):
2142         (JSC::computeDefsForBytecodeOffset):
2143         * bytecode/Opcode.h:
2144         (JSC::isBranch):
2145         * bytecode/PreciseJumpTargetsInlines.h:
2146         (JSC::extractStoredJumpTargetsForBytecodeOffset):
2147         * bytecompiler/BytecodeGenerator.cpp:
2148         (JSC::BytecodeGenerator::emitJumpIfTrue):
2149         (JSC::BytecodeGenerator::emitJumpIfFalse):
2150         * dfg/DFGByteCodeParser.cpp:
2151         (JSC::DFG::ByteCodeParser::parseBlock):
2152         * dfg/DFGCapabilities.cpp:
2153         (JSC::DFG::capabilityLevel):
2154         * dfg/DFGOperations.cpp:
2155         * dfg/DFGOperations.h:
2156         * dfg/DFGSpeculativeJIT.cpp:
2157         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2158         * jit/JIT.cpp:
2159         (JSC::JIT::privateCompileMainPass):
2160         (JSC::JIT::privateCompileSlowCases):
2161         * jit/JIT.h:
2162         * jit/JITOpcodes.cpp:
2163         (JSC::JIT::emit_op_jeq):
2164         (JSC::JIT::emit_op_neq):
2165         (JSC::JIT::emit_op_jneq):
2166         (JSC::JIT::compileOpStrictEq):
2167         (JSC::JIT::emit_op_stricteq):
2168         (JSC::JIT::emit_op_nstricteq):
2169         (JSC::JIT::compileOpStrictEqJump):
2170         (JSC::JIT::emit_op_jstricteq):
2171         (JSC::JIT::emit_op_jnstricteq):
2172         (JSC::JIT::emitSlow_op_jstricteq):
2173         (JSC::JIT::emitSlow_op_jnstricteq):
2174         (JSC::JIT::emitSlow_op_jeq):
2175         (JSC::JIT::emitSlow_op_jneq):
2176         * jit/JITOpcodes32_64.cpp:
2177         (JSC::JIT::emitSlow_op_eq):
2178         (JSC::JIT::emit_op_jeq):
2179         (JSC::JIT::compileOpEqJumpSlow):
2180         (JSC::JIT::emitSlow_op_jeq):
2181         (JSC::JIT::emit_op_jneq):
2182         (JSC::JIT::emitSlow_op_jneq):
2183         (JSC::JIT::compileOpStrictEq):
2184         (JSC::JIT::emit_op_stricteq):
2185         (JSC::JIT::emit_op_nstricteq):
2186         (JSC::JIT::compileOpStrictEqJump):
2187         (JSC::JIT::emit_op_jstricteq):
2188         (JSC::JIT::emit_op_jnstricteq):
2189         (JSC::JIT::emitSlow_op_jstricteq):
2190         (JSC::JIT::emitSlow_op_jnstricteq):
2191         * jit/JITOperations.cpp:
2192         * jit/JITOperations.h:
2193         * llint/LLIntSlowPaths.cpp:
2194         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2195         * llint/LLIntSlowPaths.h:
2196         * llint/LowLevelInterpreter.asm:
2197         * llint/LowLevelInterpreter32_64.asm:
2198         * llint/LowLevelInterpreter64.asm:
2199
2200 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2201
2202         [JSC] Improve constants and add comments for CodeBlockHash
2203         https://bugs.webkit.org/show_bug.cgi?id=183982
2204
2205         Rubber-stamped by Mark Lam.
2206
2207         * bytecode/CodeBlockHash.cpp:
2208         (JSC::CodeBlockHash::CodeBlockHash):
2209         * bytecode/ParseHash.cpp:
2210         (JSC::ParseHash::ParseHash):
2211
2212 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2213
2214         [JSC] Add options to report parsing and bytecode compiling times
2215         https://bugs.webkit.org/show_bug.cgi?id=183982
2216
2217         Reviewed by Mark Lam.
2218
2219         This patch adds reportParseTimes and reportBytecodeCompileTimes options.
2220         When they are enabled, JSC reports times consumed for parsing and bytecode
2221         compiling.
2222
2223         * JavaScriptCore.xcodeproj/project.pbxproj:
2224         * Sources.txt:
2225         * bytecode/ParseHash.cpp: Added.
2226         (JSC::ParseHash::ParseHash):
2227         * bytecode/ParseHash.h: Added.
2228         (JSC::ParseHash::hashForCall const):
2229         (JSC::ParseHash::hashForConstruct const):
2230         * bytecode/UnlinkedFunctionExecutable.cpp:
2231         (JSC::generateUnlinkedFunctionCodeBlock):
2232         * bytecompiler/BytecodeGenerator.h:
2233         (JSC::BytecodeGenerator::generate):
2234         * parser/Parser.h:
2235         (JSC::parse):
2236         * runtime/CodeCache.h:
2237         (JSC::generateUnlinkedCodeBlock):
2238         * runtime/Options.h:
2239
2240 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2241
2242         [JIT] Drop ENABLE_JIT_VERBOSE flag
2243         https://bugs.webkit.org/show_bug.cgi?id=183983
2244
2245         Reviewed by Mark Lam.
2246
2247         Just use JITInternal::verbose value.
2248
2249         * jit/JIT.cpp:
2250         (JSC::JIT::privateCompileMainPass):
2251         (JSC::JIT::privateCompileSlowCases):
2252         (JSC::JIT::link):
2253
2254 2018-03-23  Tim Horton  <timothy_horton@apple.com>
2255
2256         Fix the build with no pasteboard
2257         https://bugs.webkit.org/show_bug.cgi?id=183973
2258
2259         Reviewed by Dan Bernstein.
2260
2261         * Configurations/FeatureDefines.xcconfig:
2262
2263 2018-03-23  Mark Lam  <mark.lam@apple.com>
2264
2265         LLInt TypeArray pointer poisoning should not pick its poison dynamically.
2266         https://bugs.webkit.org/show_bug.cgi?id=183942
2267         <rdar://problem/38798018>
2268
2269         Reviewed by JF Bastien.
2270
2271         1. Move the LLInt TypedArray unpoisoning to just before the array access after
2272            all the branches.
2273         2. Renamed FirstArrayType to FirstTypedArrayType to match the symbol in C++ code.
2274         3. Remove a useless instruction in the implementation of emitX86Lea for a global
2275            label.
2276
2277         * llint/LowLevelInterpreter.asm:
2278         * llint/LowLevelInterpreter64.asm:
2279         * offlineasm/x86.rb:
2280
2281 2018-03-23  Mark Lam  <mark.lam@apple.com>
2282
2283         Add more support for pointer profiling.
2284         https://bugs.webkit.org/show_bug.cgi?id=183943
2285         <rdar://problem/38799068>
2286
2287         Reviewed by JF Bastien.
2288
2289         * assembler/ARM64Assembler.h:
2290         (JSC::ARM64Assembler::linkJumpOrCall):
2291         * assembler/AbstractMacroAssembler.h:
2292         (JSC::AbstractMacroAssembler::repatchNearCall):
2293         (JSC::AbstractMacroAssembler::tagReturnAddress):
2294         (JSC::AbstractMacroAssembler::untagReturnAddress):
2295
2296 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2297
2298         [WTF] Add standard containers with FastAllocator specialization
2299         https://bugs.webkit.org/show_bug.cgi?id=183789
2300
2301         Reviewed by Darin Adler.
2302
2303         * b3/air/testair.cpp:
2304         * b3/testb3.cpp:
2305         (JSC::B3::testDoubleLiteralComparison):
2306         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
2307         * dfg/DFGGraph.h:
2308         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2309         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2310         * ftl/FTLLowerDFGToB3.cpp:
2311         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
2312         * runtime/FunctionHasExecutedCache.h:
2313         * runtime/TypeLocationCache.h:
2314
2315 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2316
2317         [FTL] Fix ArrayPush(ArrayStorage)'s abstract heap
2318         https://bugs.webkit.org/show_bug.cgi?id=182960
2319
2320         Reviewed by Saam Barati.
2321
2322         This patch fixes ArrayPush(ArrayStorage)'s abstract heap.
2323         It should always touch ArrayStorage_vector. To unify
2324         vector setting code for the real ArrayStorage_vector and
2325         ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to
2326         annotate this.
2327
2328         * ftl/FTLLowerDFGToB3.cpp:
2329         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
2330
2331 2018-03-23  Zan Dobersek  <zdobersek@igalia.com>
2332
2333         Unreviewed build fix for GCC 4.9 builds.
2334
2335         * assembler/MacroAssemblerCodeRef.h: std::is_trivially_copyable<> isn't
2336         supported in 4.9 libstdc++, so wrap the static assert using it in a
2337         COMPILER_SUPPORTS() macro, and use __is_trivially_copyable() builtin,
2338         as is done in bitwise_cast() in StdLibExtras.h.
2339
2340 2018-03-22  Tim Horton  <timothy_horton@apple.com>
2341
2342         Adopt WK_ALTERNATE_FRAMEWORKS_DIR in WebCore
2343         https://bugs.webkit.org/show_bug.cgi?id=183930
2344         <rdar://problem/38782249>
2345
2346         Reviewed by Dan Bernstein.
2347
2348         * JavaScriptCore.xcodeproj/project.pbxproj:
2349
2350 2018-03-22  Mark Lam  <mark.lam@apple.com>
2351
2352         Add placeholder call and jump MacroAssembler emitters that take PtrTag in a register.
2353         https://bugs.webkit.org/show_bug.cgi?id=183914
2354         <rdar://problem/38763536>
2355
2356         Reviewed by Saam Barati and JF Bastien.
2357
2358         This is in preparation for supporting pointer profiling work.
2359
2360         * assembler/MacroAssemblerARM.h:
2361         (JSC::MacroAssemblerARM::jump):
2362         (JSC::MacroAssemblerARM::call):
2363         * assembler/MacroAssemblerARM64.h:
2364         (JSC::MacroAssemblerARM64::call):
2365         (JSC::MacroAssemblerARM64::jump):
2366         * assembler/MacroAssemblerARMv7.h:
2367         (JSC::MacroAssemblerARMv7::jump):
2368         (JSC::MacroAssemblerARMv7::call):
2369         * assembler/MacroAssemblerMIPS.h:
2370         (JSC::MacroAssemblerMIPS::jump):
2371         (JSC::MacroAssemblerMIPS::call):
2372         * assembler/MacroAssemblerX86.h:
2373         (JSC::MacroAssemblerX86::call):
2374         (JSC::MacroAssemblerX86::jump):
2375         * assembler/MacroAssemblerX86Common.h:
2376         (JSC::MacroAssemblerX86Common::jump):
2377         (JSC::MacroAssemblerX86Common::call):
2378         * assembler/MacroAssemblerX86_64.h:
2379         (JSC::MacroAssemblerX86_64::call):
2380         (JSC::MacroAssemblerX86_64::jump):
2381
2382 2018-03-22  Tim Horton  <timothy_horton@apple.com>
2383
2384         Improve readability of WebCore's OTHER_LDFLAGS
2385         https://bugs.webkit.org/show_bug.cgi?id=183909
2386         <rdar://problem/38760992>
2387
2388         Reviewed by Dan Bernstein.
2389
2390         * Configurations/Base.xcconfig:
2391         * Configurations/FeatureDefines.xcconfig:
2392
2393 2018-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
2394
2395         [ARM] Thumb: Do not decorate bottom bit twice
2396         https://bugs.webkit.org/show_bug.cgi?id=183906
2397
2398         Reviewed by Mark Lam.
2399
2400         Use MacroAssemblerCodePtr::createFromExecutableAddress instead of
2401         MacroAssemblerCodePtr(void*) to avoid decorating the pointer twice as
2402         a thumb pointer.
2403
2404         * jit/Repatch.cpp:
2405         (JSC::linkPolymorphicCall):
2406
2407 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2408
2409         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
2410         https://bugs.webkit.org/show_bug.cgi?id=183559
2411
2412         Reviewed by Mark Lam.
2413
2414         When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forget
2415         to clear NodeMustGenerate for this ToString. It should be since it does not have
2416         any user-observable side effect. This patch clears NodeMustGenerate.
2417
2418         * dfg/DFGConstantFoldingPhase.cpp:
2419         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2420
2421 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2422
2423         [JSC] List up all candidates in DFGCapabilities and FTLCapabilities
2424         https://bugs.webkit.org/show_bug.cgi?id=183897
2425
2426         Reviewed by Mark Lam.
2427
2428         We should not use `default:` clause here since it accidentally catches
2429         the opcode and DFG nodes which should be optimized. For example,
2430         op_super_sampler_begin and op_super_sampler_end are not listed while
2431         they have DFG and FTL backend.
2432
2433         This patch lists up all candidates in DFGCapabilities and FTLCapabilities.
2434         And we also clean up unnecessary checks in FTLCapabilities. Since we
2435         already handle all the possible array types for these nodes (which can
2436         be checked in DFG's code), we do not need to check array types.
2437
2438         We also fix FTLLowerDFGToB3's PutByVal code to use modeForPut.
2439
2440         * dfg/DFGCapabilities.cpp:
2441         (JSC::DFG::capabilityLevel):
2442         * ftl/FTLCapabilities.cpp:
2443         (JSC::FTL::canCompile):
2444         * ftl/FTLLowerDFGToB3.cpp:
2445         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2446
2447 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2448
2449         [JSC] Drop op_put_by_index
2450         https://bugs.webkit.org/show_bug.cgi?id=183899
2451
2452         Reviewed by Mark Lam.
2453
2454         This patch drops op_put_by_index.
2455
2456         1. This functionality can be just covered by direct put_by_val.
2457         2. put_by_index is not well optimized. It is just calling a C
2458         function. And it does not have DFG handling.
2459
2460         * bytecode/BytecodeDumper.cpp:
2461         (JSC::BytecodeDumper<Block>::dumpBytecode):
2462         * bytecode/BytecodeList.json:
2463         * bytecode/BytecodeUseDef.h:
2464         (JSC::computeUsesForBytecodeOffset):
2465         (JSC::computeDefsForBytecodeOffset):
2466         * bytecompiler/BytecodeGenerator.cpp:
2467         (JSC::BytecodeGenerator::emitPutByIndex): Deleted.
2468         * bytecompiler/BytecodeGenerator.h:
2469         * bytecompiler/NodesCodegen.cpp:
2470         (JSC::ArrayNode::emitBytecode):
2471         (JSC::ArrayPatternNode::emitDirectBinding):
2472         * jit/JIT.cpp:
2473         (JSC::JIT::privateCompileMainPass):
2474         * jit/JIT.h:
2475         * jit/JITPropertyAccess.cpp:
2476         (JSC::JIT::emit_op_put_by_index): Deleted.
2477         * jit/JITPropertyAccess32_64.cpp:
2478         (JSC::JIT::emit_op_put_by_index): Deleted.
2479         * llint/LLIntSlowPaths.cpp:
2480         * llint/LLIntSlowPaths.h:
2481         * llint/LowLevelInterpreter.asm:
2482
2483 2018-03-22  Michael Saboff  <msaboff@apple.com>
2484
2485         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
2486         https://bugs.webkit.org/show_bug.cgi?id=183901
2487
2488         Reviewed by Keith Miller.
2489
2490         Added write barriers to ensure the reversed contents are properly marked.
2491
2492         * runtime/ArrayPrototype.cpp:
2493         (JSC::arrayProtoFuncReverse):
2494
2495 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
2496
2497         ScopedArguments should do poisoning and index masking
2498         https://bugs.webkit.org/show_bug.cgi?id=183863
2499
2500         Reviewed by Mark Lam.
2501         
2502         This outlines the ScopedArguments overflow storage and adds poisoning.
2503
2504         * bytecode/AccessCase.cpp:
2505         (JSC::AccessCase::generateWithGuard):
2506         * dfg/DFGSpeculativeJIT.cpp:
2507         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2508         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2509         * ftl/FTLAbstractHeapRepository.h:
2510         * ftl/FTLLowerDFGToB3.cpp:
2511         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
2512         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2513         * jit/JITPropertyAccess.cpp:
2514         (JSC::JIT::emitScopedArgumentsGetByVal):
2515         * runtime/JSCPoison.h:
2516         * runtime/ScopedArguments.cpp:
2517         (JSC::ScopedArguments::ScopedArguments):
2518         (JSC::ScopedArguments::createUninitialized):
2519         (JSC::ScopedArguments::visitChildren):
2520         * runtime/ScopedArguments.h:
2521
2522 2018-03-21  Mark Lam  <mark.lam@apple.com>
2523
2524         Refactor the PtrTag list as a macro so that we can auto-generate code that enumerates each PtrTag.
2525         https://bugs.webkit.org/show_bug.cgi?id=183861
2526         <rdar://problem/38716822>
2527
2528         Reviewed by Filip Pizlo.
2529
2530         Also added ptrTagName() to aid debugging.  ptrTagName() is implemented using this
2531         new PtrTag macro list.
2532
2533         * CMakeLists.txt:
2534         * JavaScriptCore.xcodeproj/project.pbxproj:
2535         * Sources.txt:
2536         * runtime/PtrTag.cpp: Added.
2537         (JSC::ptrTagName):
2538         * runtime/PtrTag.h:
2539
2540 2018-03-21  Mark Lam  <mark.lam@apple.com>
2541
2542         Use CodeBlock::instructions()[] and CodeBlock::bytecodeOffset() instead of doing own pointer math.
2543         https://bugs.webkit.org/show_bug.cgi?id=183857
2544         <rdar://problem/38712184>
2545
2546         Reviewed by JF Bastien.
2547
2548         We should avoid doing pointer math with CodeBlock::instructions().begin().
2549         Instead, we should use the operator[] that comes with CodeBlock::instructions()
2550         for computing an Instruction*, and use CodeBlock::bytecodeOffset() for computing
2551         the bytecode offset of a given Instruction*.  These methods will do assertions
2552         which helps catch bugs sooner, plus they are more descriptive of the operation
2553         we're trying to do.
2554
2555         * bytecode/BytecodeKills.h:
2556         (JSC::BytecodeKills::operandIsKilled const):
2557         (JSC::BytecodeKills::forEachOperandKilledAt const):
2558         * bytecode/CallLinkStatus.cpp:
2559         (JSC::CallLinkStatus::computeFromLLInt):
2560         * bytecode/CodeBlock.cpp:
2561         (JSC::CodeBlock::dumpBytecode):
2562         (JSC::CodeBlock::arithProfileForBytecodeOffset):
2563         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
2564         * bytecode/GetByIdStatus.cpp:
2565         (JSC::GetByIdStatus::computeFromLLInt):
2566         * bytecode/PutByIdStatus.cpp:
2567         (JSC::PutByIdStatus::computeFromLLInt):
2568         * dfg/DFGByteCodeParser.cpp:
2569         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2570         * dfg/DFGOSRExit.cpp:
2571         (JSC::DFG::reifyInlinedCallFrames):
2572         * dfg/DFGOSRExitCompilerCommon.cpp:
2573         (JSC::DFG::reifyInlinedCallFrames):
2574         * interpreter/CallFrame.cpp:
2575         (JSC::CallFrame::callSiteBitsAsBytecodeOffset const):
2576         (JSC::CallFrame::currentVPC const):
2577         (JSC::CallFrame::setCurrentVPC):
2578         * jit/JITCall.cpp:
2579         (JSC::JIT::compileOpCall):
2580         * jit/JITInlines.h:
2581         (JSC::JIT::updateTopCallFrame):
2582         (JSC::JIT::copiedInstruction):
2583         * jit/JITOpcodes.cpp:
2584         (JSC::JIT::privateCompileHasIndexedProperty):
2585         * jit/JITOpcodes32_64.cpp:
2586         (JSC::JIT::privateCompileHasIndexedProperty):
2587         * jit/JITPropertyAccess.cpp:
2588         (JSC::JIT::privateCompileGetByVal):
2589         (JSC::JIT::privateCompileGetByValWithCachedId):
2590         (JSC::JIT::privateCompilePutByVal):
2591         (JSC::JIT::privateCompilePutByValWithCachedId):
2592         * jit/SlowPathCall.h:
2593         (JSC::JITSlowPathCall::call):
2594         * llint/LLIntSlowPaths.cpp:
2595         (JSC::LLInt::llint_trace_operand):
2596         (JSC::LLInt::llint_trace_value):
2597         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2598         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
2599         (JSC::LLInt::getByVal): Deleted.
2600         (JSC::LLInt::handleHostCall): Deleted.
2601         (JSC::LLInt::setUpCall): Deleted.
2602         (JSC::LLInt::genericCall): Deleted.
2603         (JSC::LLInt::varargsSetup): Deleted.
2604         (JSC::LLInt::llint_throw_stack_overflow_error): Deleted.
2605         (JSC::LLInt::llint_stack_check_at_vm_entry): Deleted.
2606         (JSC::LLInt::llint_write_barrier_slow): Deleted.
2607         (JSC::LLInt::llint_crash): Deleted.
2608         * runtime/SamplingProfiler.cpp:
2609         (JSC::tryGetBytecodeIndex):
2610
2611 2018-03-21  Keith Miller  <keith_miller@apple.com>
2612
2613         btjs should print the bytecode offset in the stack trace for JS frames
2614         https://bugs.webkit.org/show_bug.cgi?id=183856
2615
2616         Reviewed by Filip Pizlo.
2617
2618         * interpreter/CallFrame.cpp:
2619         (JSC::CallFrame::bytecodeOffset):
2620         (JSC::CallFrame::dump):
2621
2622 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
2623
2624         Unreviewed. Fix GTK and WPE debug build after r229798.
2625
2626         Fix a typo in an ASSERT. Also convert several RELEASE_ASSERT to ASSERT that I forgot to do before landing.
2627
2628         * API/glib/JSCCallbackFunction.cpp:
2629         (JSC::JSCCallbackFunction::JSCCallbackFunction):
2630         * API/glib/JSCContext.cpp:
2631         (jscContextSetVirtualMachine):
2632         (jscContextGetJSContext):
2633         (wrapperMap):
2634         (jscContextHandleExceptionIfNeeded):
2635         * API/glib/JSCValue.cpp:
2636         (jscValueCallFunction):
2637         * API/glib/JSCVirtualMachine.cpp:
2638         (addWrapper):
2639         (removeWrapper):
2640         (jscVirtualMachineSetContextGroup):
2641         (jscVirtualMachineAddContext):
2642         (jscVirtualMachineRemoveContext):
2643         * API/glib/JSCWrapperMap.cpp:
2644         (JSC::WrapperMap::gobjectWrapper):
2645         (JSC::WrapperMap::unwrap):
2646         (JSC::WrapperMap::registerClass):
2647         (JSC::WrapperMap::createJSWrappper):
2648         (JSC::WrapperMap::wrappedObject const):
2649
2650 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
2651
2652         [GTK][WPE] JSC bindings not introspectable
2653         https://bugs.webkit.org/show_bug.cgi?id=136989
2654
2655         Reviewed by Michael Catanzaro.
2656
2657         Make it possible to include individual headers when building WebKit layer.
2658
2659         * API/glib/JSCAutocleanups.h:
2660         * API/glib/JSCClass.h:
2661         * API/glib/JSCContext.h:
2662         * API/glib/JSCException.h:
2663         * API/glib/JSCValue.h:
2664         * API/glib/JSCVersion.h.in:
2665         * API/glib/JSCVirtualMachine.h:
2666
2667 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
2668
2669         [GTK][WPE] Initial implementation of JavaScriptCore glib bindings
2670         https://bugs.webkit.org/show_bug.cgi?id=164061
2671
2672         Reviewed by Michael Catanzaro.
2673
2674         Add initial GLib API for JavaScriptCore.
2675
2676         * API/JSAPIWrapperObject.h:
2677         * API/glib/JSAPIWrapperObjectGLib.cpp: Added.
2678         (jsAPIWrapperObjectHandleOwner):
2679         (JSAPIWrapperObjectHandleOwner::finalize):
2680         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
2681         (JSC::JSCallbackObject<JSAPIWrapperObject>::createStructure):
2682         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
2683         (JSC::JSAPIWrapperObject::finishCreation):
2684         (JSC::JSAPIWrapperObject::setWrappedObject):
2685         (JSC::JSAPIWrapperObject::visitChildren):
2686         * API/glib/JSCAutocleanups.h: Added.
2687         * API/glib/JSCCallbackFunction.cpp: Added.
2688         (JSC::callAsFunction):
2689         (JSC::callAsConstructor):
2690         (JSC::JSCCallbackFunction::create):
2691         (JSC::JSCCallbackFunction::JSCCallbackFunction):
2692         (JSC::JSCCallbackFunction::call):
2693         (JSC::JSCCallbackFunction::construct):
2694         (JSC::JSCCallbackFunction::destroy):
2695         * API/glib/JSCCallbackFunction.h: Added.
2696         (JSC::JSCCallbackFunction::createStructure):
2697         (JSC::JSCCallbackFunction::functionCallback):
2698         (JSC::JSCCallbackFunction::constructCallback):
2699         * API/glib/JSCClass.cpp: Added.
2700         (jscClassGetProperty):
2701         (jscClassSetProperty):
2702         (jscClassDispose):
2703         (jscClassConstructed):
2704         (jsc_class_class_init):
2705         (jscClassCreate):
2706         (jscClassGetJSClass):
2707         (jscClassGetOrCreateJSWrapper):
2708         (jscClassInvalidate):
2709         (jsc_class_get_name):
2710         (jsc_class_get_parent):
2711         (jsc_class_add_constructor):
2712         (jsc_class_add_method):
2713         (jsc_class_add_property):
2714         * API/glib/JSCClass.h: Added.
2715         * API/glib/JSCClassPrivate.h: Added.
2716         * API/glib/JSCContext.cpp: Added.
2717         (ExceptionHandler::ExceptionHandler):
2718         (ExceptionHandler::~ExceptionHandler):
2719         (jscContextSetVirtualMachine):
2720         (jscContextGetProperty):
2721         (jscContextSetProperty):
2722         (jscContextConstructed):
2723         (jscContextDispose):
2724         (jsc_context_class_init):
2725         (jscContextGetOrCreate):
2726         (jscContextGetJSContext):
2727         (wrapperMap):
2728         (jscContextGetOrCreateValue):
2729         (jscContextValueDestroyed):
2730         (jscContextGetJSWrapper):
2731         (jscContextGetOrCreateJSWrapper):
2732         (jscContextWrappedObject):
2733         (jscContextPushCallback):
2734         (jscContextPopCallback):
2735         (jscContextGArrayToJSArray):
2736         (jscContextJSArrayToGArray):
2737         (jscContextGValueToJSValue):
2738         (jscContextJSValueToGValue):
2739         (jsc_context_new):
2740         (jsc_context_new_with_virtual_machine):
2741         (jsc_context_get_virtual_machine):
2742         (jsc_context_get_exception):
2743         (jsc_context_throw):
2744         (jsc_context_throw_exception):
2745         (jsc_context_push_exception_handler):
2746         (jsc_context_pop_exception_handler):
2747         (jscContextHandleExceptionIfNeeded):
2748         (jsc_context_get_current):
2749         (jsc_context_evaluate):
2750         (jsc_context_evaluate_with_source_uri):
2751         (jsc_context_set_value):
2752         (jsc_context_get_value):
2753         (jsc_context_register_class):
2754         * API/glib/JSCContext.h: Added.
2755         * API/glib/JSCContextPrivate.h: Added.
2756         * API/glib/JSCDefines.h: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.h.
2757         * API/glib/JSCException.cpp: Added.
2758         (jscExceptionDispose):
2759         (jsc_exception_class_init):
2760         (jscExceptionCreate):
2761         (jscExceptionGetJSValue):
2762         (jscExceptionEnsureProperties):
2763         (jsc_exception_new):
2764         (jsc_exception_get_message):
2765         (jsc_exception_get_line_number):
2766         (jsc_exception_get_source_uri):
2767         * API/glib/JSCException.h: Added.
2768         * API/glib/JSCExceptionPrivate.h: Added.
2769         * API/glib/JSCGLibWrapperObject.h: Added.
2770         (JSC::JSCGLibWrapperObject::JSCGLibWrapperObject):
2771         (JSC::JSCGLibWrapperObject::~JSCGLibWrapperObject):
2772         (JSC::JSCGLibWrapperObject::object const):
2773         * API/glib/JSCValue.cpp: Added.
2774         (jscValueGetProperty):
2775         (jscValueSetProperty):
2776         (jscValueDispose):
2777         (jsc_value_class_init):
2778         (jscValueGetJSValue):
2779         (jscValueCreate):
2780         (jsc_value_get_context):
2781         (jsc_value_new_undefined):
2782         (jsc_value_is_undefined):
2783         (jsc_value_new_null):
2784         (jsc_value_is_null):
2785         (jsc_value_new_number):
2786         (jsc_value_is_number):
2787         (jsc_value_to_double):
2788         (jsc_value_to_int32):
2789         (jsc_value_new_boolean):
2790         (jsc_value_is_boolean):
2791         (jsc_value_to_boolean):
2792         (jsc_value_new_string):
2793         (jsc_value_is_string):
2794         (jsc_value_to_string):
2795         (jsc_value_new_array):
2796         (jsc_value_new_array_from_garray):
2797         (jsc_value_is_array):
2798         (jsc_value_new_object):
2799         (jsc_value_is_object):
2800         (jsc_value_object_is_instance_of):
2801         (jsc_value_object_set_property):
2802         (jsc_value_object_get_property):
2803         (jsc_value_object_set_property_at_index):
2804         (jsc_value_object_get_property_at_index):
2805         (jscValueCallFunction):
2806         (jsc_value_object_invoke_method):
2807         (jsc_value_object_define_property_data):
2808         (jsc_value_object_define_property_accessor):
2809         (jsc_value_new_function):
2810         (jsc_value_is_function):
2811         (jsc_value_function_call):
2812         (jsc_value_is_constructor):
2813         (jsc_value_constructor_call):
2814         * API/glib/JSCValue.h: Added.
2815         * API/glib/JSCValuePrivate.h: Added.
2816         * API/glib/JSCVersion.cpp: Added.
2817         (jsc_get_major_version):
2818         (jsc_get_minor_version):
2819         (jsc_get_micro_version):
2820         * API/glib/JSCVersion.h.in: Added.
2821         * API/glib/JSCVirtualMachine.cpp: Added.
2822         (addWrapper):
2823         (removeWrapper):
2824         (jscVirtualMachineSetContextGroup):
2825         (jscVirtualMachineEnsureContextGroup):
2826         (jscVirtualMachineDispose):
2827         (jsc_virtual_machine_class_init):
2828         (jscVirtualMachineGetOrCreate):
2829         (jscVirtualMachineGetContextGroup):
2830         (jscVirtualMachineAddContext):
2831         (jscVirtualMachineRemoveContext):
2832         (jscVirtualMachineGetContext):
2833         (jsc_virtual_machine_new):
2834         * API/glib/JSCVirtualMachine.h: Added.
2835         * API/glib/JSCVirtualMachinePrivate.h: Added.
2836         * API/glib/JSCWrapperMap.cpp: Added.
2837         (JSC::WrapperMap::WrapperMap):
2838         (JSC::WrapperMap::~WrapperMap):
2839         (JSC::WrapperMap::gobjectWrapper):
2840         (JSC::WrapperMap::unwrap):
2841         (JSC::WrapperMap::registerClass):
2842         (JSC::WrapperMap::createJSWrappper):
2843         (JSC::WrapperMap::jsWrapper const):
2844         (JSC::WrapperMap::wrappedObject const):
2845         * API/glib/JSCWrapperMap.h: Added.
2846         * API/glib/docs/jsc-glib-4.0-sections.txt: Added.
2847         * API/glib/docs/jsc-glib-4.0.types: Added.
2848         * API/glib/docs/jsc-glib-docs.sgml: Added.
2849         * API/glib/jsc.h: Added.
2850         * CMakeLists.txt:
2851         * GLib.cmake: Added.
2852         * JavaScriptCore.gir.in: Removed.
2853         * PlatformGTK.cmake:
2854         * PlatformWPE.cmake:
2855         * heap/Heap.cpp:
2856         (JSC::Heap::releaseDelayedReleasedObjects):
2857         * heap/Heap.h:
2858         * heap/HeapInlines.h:
2859         (JSC::Heap::releaseSoon):
2860         * javascriptcoregtk.pc.in:
2861         * runtime/JSGlobalObject.cpp:
2862         (JSC::JSGlobalObject::init):
2863         (JSC::JSGlobalObject::visitChildren):
2864         (JSC::JSGlobalObject::setWrapperMap):
2865         * runtime/JSGlobalObject.h:
2866         (JSC::JSGlobalObject::glibCallbackFunctionStructure const):
2867         (JSC::JSGlobalObject::glibWrapperObjectStructure const):
2868         (JSC::JSGlobalObject::wrapperMap const):
2869
2870 2018-03-21  Christopher Reid  <chris.reid@sony.com>
2871
2872         Windows 64-bit build fix after r229767
2873         https://bugs.webkit.org/show_bug.cgi?id=183810
2874
2875         Reviewed by Mark Lam.
2876
2877         Removing an extra parameter in the call to m_assember::call.
2878
2879         * assembler/MacroAssemblerX86_64.h:
2880
2881 2018-03-20  Dan Bernstein  <mitz@apple.com>
2882
2883         [Xcode] JSVALUE_MODEL is unused
2884         https://bugs.webkit.org/show_bug.cgi?id=183809
2885
2886         Reviewed by Tim Horton.
2887
2888         * Configurations/JavaScriptCore.xcconfig: Removed the unused definition.
2889
2890 2018-03-20  Tim Horton  <timothy_horton@apple.com>
2891
2892         Update the install name for JavaScriptCore when built with WK_ALTERNATE_FRAMEWORKS_DIR
2893         https://bugs.webkit.org/show_bug.cgi?id=183808
2894         <rdar://problem/38692079>
2895
2896         Reviewed by Dan Bernstein.
2897
2898         * Configurations/JavaScriptCore.xcconfig:
2899
2900 2018-03-20  Tim Horton  <timothy_horton@apple.com>
2901
2902         Enable the minimal simulator feature flag when appropriate
2903         https://bugs.webkit.org/show_bug.cgi?id=183807
2904
2905         Reviewed by Dan Bernstein.
2906
2907         * Configurations/FeatureDefines.xcconfig:
2908
2909 2018-03-20  Saam Barati  <sbarati@apple.com>
2910
2911         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
2912         https://bugs.webkit.org/show_bug.cgi?id=183795
2913         <rdar://problem/38298694>
2914
2915         Reviewed by JF Bastien.
2916
2917         We were just assuming that the constants we were inserting were
2918         always exitOK=true. However, this breaks validation. The exitOK
2919         we emit for the constants in the NewArrayBuffer should respect
2920         the current exit state of the IR we've emitted. This is just IR
2921         bookkeeping since JSConstant is a non-exiting node.
2922
2923         * dfg/DFGArgumentsEliminationPhase.cpp:
2924
2925 2018-03-20  Guillaume Emont  <guijemont@igalia.com>
2926
2927         MIPS+Armv7 builds are broken since r229391
2928         https://bugs.webkit.org/show_bug.cgi?id=183474
2929
2930         Reviewed by Yusuke Suzuki.
2931
2932         Add missing armv7 and mips operations and fix arguments to a call to
2933         operationGetByValCell. This should fix compilation on MIPS and Armv7
2934         (though it does not implement the missing setupArguments stuff in
2935         CCallHelpers).
2936
2937         * assembler/MacroAssembler.h:
2938         * assembler/MacroAssemblerARMv7.h:
2939         (JSC::MacroAssemblerARMv7::swap):
2940         * assembler/MacroAssemblerMIPS.h:
2941         (JSC::MacroAssemblerMIPS::swap):
2942         * dfg/DFGSpeculativeJIT32_64.cpp:
2943         (JSC::DFG::SpeculativeJIT::compile):
2944         * jit/FPRInfo.h:
2945
2946 2018-03-20  Tim Horton  <timothy_horton@apple.com>
2947
2948         Add and adopt WK_PLATFORM_NAME and adjust default feature defines
2949         https://bugs.webkit.org/show_bug.cgi?id=183758
2950         <rdar://problem/38017644>
2951
2952         Reviewed by Dan Bernstein.
2953
2954         * Configurations/FeatureDefines.xcconfig:
2955
2956 2018-03-20  Mark Lam  <mark.lam@apple.com>
2957
2958         Improve FunctionPtr and use it in the JIT CallRecord.
2959         https://bugs.webkit.org/show_bug.cgi?id=183756
2960         <rdar://problem/38641335>
2961
2962         Reviewed by JF Bastien.
2963
2964         1. FunctionPtr holds a C/C++ function pointer by default.  Change its default
2965            PtrTag to reflect that.
2966
2967         2. Delete the FunctionPtr::value() method.  It is effectively a duplicate of
2968            executableAddress().
2969
2970         3. Fix the FunctionPtr constructor that takes arbitrary pointers to be able to
2971            take "any" pointer.  "any" in this case means that the pointer may not be typed
2972            as a C/C++ function to the C++ compiler (due to upstream casting or usage of
2973            void* as a storage type), but it is still expected to be pointing to a C/C++
2974            function.
2975
2976         4. Added a FunctionPtr constructor that takes another FunctionPtr.  This is a
2977            convenience constructor that lets us retag the underlying pointer.  The other
2978            FunctionPtr is still expected to point to a C/C++ function.
2979
2980         5. Added PtrTag assertion placeholder functions to be implemented later.
2981
2982         6. Change the JIT CallRecord to embed a FunctionPtr callee instead of a void*
2983            pointer.  This improves type safety, and assists in getting pointer tagging
2984            right later.
2985
2986         7. Added versions of JIT callOperations methods that will take a PtrTag.
2987            This is preparation for more pointer tagging work later.
2988
2989         * assembler/MacroAssemblerARM.h:
2990         (JSC::MacroAssemblerARM::linkCall):
2991         * assembler/MacroAssemblerARMv7.h:
2992         (JSC::MacroAssemblerARMv7::linkCall):
2993         * assembler/MacroAssemblerCodeRef.h:
2994         (JSC::FunctionPtr::FunctionPtr):
2995         (JSC::FunctionPtr::operator bool const):
2996         (JSC::FunctionPtr::operator! const):
2997         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2998         (JSC::MacroAssemblerCodePtr::retagged const):
2999         (JSC::MacroAssemblerCodeRef::retaggedCode const):
3000         (JSC::FunctionPtr::value const): Deleted.
3001         * assembler/MacroAssemblerMIPS.h:
3002         (JSC::MacroAssemblerMIPS::linkCall):
3003         * assembler/MacroAssemblerX86.h:
3004         (JSC::MacroAssemblerX86::linkCall):
3005         * assembler/MacroAssemblerX86_64.h:
3006         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
3007         (JSC::MacroAssemblerX86_64::linkCall):
3008         * bytecode/AccessCase.cpp:
3009         (JSC::AccessCase::generateImpl):
3010         * ftl/FTLSlowPathCall.cpp:
3011         (JSC::FTL::SlowPathCallContext::makeCall):
3012         * ftl/FTLSlowPathCall.h:
3013         (JSC::FTL::callOperation):
3014         * ftl/FTLThunks.cpp:
3015         (JSC::FTL::osrExitGenerationThunkGenerator):
3016         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3017         (JSC::FTL::slowPathCallThunkGenerator):
3018         * jit/JIT.cpp:
3019         (JSC::JIT::link):
3020         (JSC::JIT::privateCompileExceptionHandlers):
3021         * jit/JIT.h:
3022         (JSC::CallRecord::CallRecord):
3023         (JSC::JIT::appendCall):
3024         (JSC::JIT::appendCallWithSlowPathReturnType):
3025         (JSC::JIT::callOperation):
3026         (JSC::JIT::callOperationWithProfile):
3027         (JSC::JIT::callOperationWithResult):
3028         (JSC::JIT::callOperationNoExceptionCheck):
3029         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
3030         * jit/JITArithmetic.cpp:
3031         (JSC::JIT::emitMathICFast):
3032         (JSC::JIT::emitMathICSlow):
3033         * jit/JITInlines.h:
3034         (JSC::JIT::emitNakedCall):
3035         (JSC::JIT::emitNakedTailCall):
3036         (JSC::JIT::appendCallWithExceptionCheck):
3037         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
3038         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
3039         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
3040         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
3041         * jit/JITPropertyAccess.cpp:
3042         (JSC::JIT::emitSlow_op_get_by_val):
3043         (JSC::JIT::emitSlow_op_put_by_val):
3044         (JSC::JIT::privateCompileGetByValWithCachedId):
3045         (JSC::JIT::privateCompilePutByVal):
3046         (JSC::JIT::privateCompilePutByValWithCachedId):
3047         * jit/JITPropertyAccess32_64.cpp:
3048         (JSC::JIT::emitSlow_op_put_by_val):
3049         * jit/Repatch.cpp:
3050         (JSC::linkPolymorphicCall):
3051         * jit/SlowPathCall.h:
3052         (JSC::JITSlowPathCall::JITSlowPathCall):
3053         (JSC::JITSlowPathCall::call):
3054         * jit/ThunkGenerators.cpp:
3055         (JSC::nativeForGenerator):
3056         * runtime/PtrTag.h:
3057         (JSC::nextPtrTagID):
3058         (JSC::assertIsCFunctionPtr):
3059         (JSC::assertIsNullOrCFunctionPtr):
3060         (JSC::assertIsNotTagged):
3061         (JSC::assertIsTagged):
3062         (JSC::assertIsNullOrTagged):
3063         (JSC::assertIsTaggedWith):
3064         (JSC::assertIsNullOrTaggedWith):
3065         (JSC::uniquePtrTagID): Deleted.
3066
3067 2018-03-20  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3068
3069         [MIPS] Optimize generated JIT code for loads/stores
3070         https://bugs.webkit.org/show_bug.cgi?id=183243
3071
3072         Reviewed by Yusuke Suzuki.
3073
3074         JIT generates three MIPS instructions for a load/store from/to an absolute address:
3075
3076           lui adrTmpReg, address >> 16
3077           ori adrTmpReg, address & 0xffff
3078           lw dataReg, 0(adrTmpReg)
3079
3080         Since load/store instructions on MIPS have a 16-bit offset, the lower 16 bits of the address can
3081         be encoded into the load/store and the ori instruction can be removed:
3082
3083           lui adrTmpReg, (address + 0x8000) >> 16
3084           lw dataReg, (address & 0xffff)(adrTmpReg)
3085
3086         Also, in loads/stores with BaseIndex address, the left shift can be omitted if address.scale is 0.
3087
3088         * assembler/MacroAssemblerMIPS.h:
3089         (JSC::MacroAssemblerMIPS::add32):
3090         (JSC::MacroAssemblerMIPS::add64):
3091         (JSC::MacroAssemblerMIPS::or32):
3092         (JSC::MacroAssemblerMIPS::sub32):
3093         (JSC::MacroAssemblerMIPS::convertibleLoadPtr):
3094         (JSC::MacroAssemblerMIPS::load8):
3095         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
3096         (JSC::MacroAssemblerMIPS::load32):
3097         (JSC::MacroAssemblerMIPS::store8):
3098         (JSC::MacroAssemblerMIPS::store32):
3099         (JSC::MacroAssemblerMIPS::branchTest8):
3100         (JSC::MacroAssemblerMIPS::branchAdd32):
3101         (JSC::MacroAssemblerMIPS::loadDouble):
3102         (JSC::MacroAssemblerMIPS::storeDouble):
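
        The address split described above, worked through as an added example (not code from the
        WebKit tree): splitAbsoluteAddress() is the biased split the patch uses, splitWithoutBias()
        is what goes wrong when the raw upper half is paired with a sign-extending displacement
        instead of an ori, and effectiveAddress() models what the CPU computes for
        lw dataReg, disp(adrTmpReg) after the lui. The struct and function names are assumptions
        made for this example.

```cpp
#include <cstdint>
#include <cstdio>

// Immediates for a MIPS absolute-address load/store: `lui adrTmpReg, luiImm`
// followed by `lw dataReg, disp(adrTmpReg)`. (Names are this example's own.)
struct MipsAbsAddr {
    uint16_t luiImm; // upper half loaded by lui (lands in bits 31..16)
    int16_t  disp;   // 16-bit displacement in the lw/sw, sign-extended by the CPU
};

// The split the patch uses: bias by 0x8000 before taking the upper half, so a
// displacement with bit 15 set (which sign-extends to a negative value) is
// compensated for by a base one 64 KiB higher. uint32_t arithmetic wraps, which
// is exactly what the hardware does for addresses near 0xFFFFFFFF.
MipsAbsAddr splitAbsoluteAddress(uint32_t address)
{
    return { static_cast<uint16_t>((address + 0x8000u) >> 16),
             static_cast<int16_t>(address & 0xffffu) };
}

// The split that is only valid with a following `ori`: once the low half is a
// sign-extended displacement, any address with bit 15 set lands 64 KiB too low.
MipsAbsAddr splitWithoutBias(uint32_t address)
{
    return { static_cast<uint16_t>(address >> 16),
             static_cast<int16_t>(address & 0xffffu) };
}

// What the CPU computes for `lw dataReg, disp(adrTmpReg)` after the lui.
uint32_t effectiveAddress(MipsAbsAddr a)
{
    uint32_t base = static_cast<uint32_t>(a.luiImm) << 16;
    return base + static_cast<uint32_t>(static_cast<int32_t>(a.disp));
}

bool roundTrips(uint32_t address)
{
    return effectiveAddress(splitAbsoluteAddress(address)) == address;
}

int main()
{
    // Constructed sample addresses covering bit 15 clear, bit 15 set, and wraparound.
    const uint32_t samples[] = { 0x12345678u, 0x1234ABCDu, 0x00007FFFu,
                                 0x00008000u, 0xFFFF8000u, 0xFFFFFFFFu };
    for (uint32_t addr : samples) {
        MipsAbsAddr biased = splitAbsoluteAddress(addr);
        MipsAbsAddr naive = splitWithoutBias(addr);
        std::printf("%08x -> lui 0x%04x, disp %6d : biased %08x, unbiased %08x\n",
            addr, biased.luiImm, biased.disp,
            effectiveAddress(biased), effectiveAddress(naive));
    }
    return 0;
}
```

        The check worth keeping in mind when reviewing emitted code of this shape is the bit-15 case:
        0x1234ABCD must become lui 0x1235 / disp -21555, not lui 0x1234 / disp -21555, or the access
        silently lands 64 KiB below the intended address.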
3103
3104 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3105
3106         [DFG][FTL] Add vectorLengthHint for NewArray
3107         https://bugs.webkit.org/show_bug.cgi?id=183694
3108
3109         Reviewed by Saam Barati.
3110
3111         While the following code is common, it is not so efficient.
3112
3113         var array = [];
3114         for (...) {
3115             ...
3116             array.push(...);
3117         }
3118
3119         The array is always allocated with 0 vector length. And it is eventually grown.
3120
3121         We have ArrayAllocationProfile, and it tells us the vector length hint for
3122         the allocated arrays. This hint is already used for NewArrayBuffer. This patch
3123         extends this support for NewArray DFG node.
3124
3125         This patch improves Kraken/stanford-crypto-aes 4%.
3126
3127                                       baseline                  patched
3128
3129         stanford-crypto-aes        64.069+-1.352             61.589+-1.274           might be 1.0403x faster
3130
3131         NewArray can be optimized.
3132
3133                                                        baseline                  patched
3134
3135         vector-length-hint-new-array               21.8157+-0.0882     ^     13.1764+-0.0942        ^ definitely 1.6557x faster
3136         vector-length-hint-array-constructor       21.9076+-0.0987     ?     22.1168+-0.4814        ?
3137
3138         * dfg/DFGByteCodeParser.cpp:
3139         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3140         (JSC::DFG::ByteCodeParser::parseBlock):
3141         * dfg/DFGNode.h:
3142         (JSC::DFG::Node::hasVectorLengthHint):
3143         (JSC::DFG::Node::vectorLengthHint):
3144         * dfg/DFGSpeculativeJIT64.cpp:
3145         (JSC::DFG::SpeculativeJIT::compile):
3146         * ftl/FTLLowerDFGToB3.cpp:
3147         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
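
        A small model of the feedback loop described above, added here as an example and not taken
        from the WebKit sources: an allocation site remembers the largest final length of the arrays
        created there and hands it back as the vector length to allocate with next time, so the
        second run of the push loop starts with enough storage and never reallocates. The
        GrowableVector and AllocationSiteProfile types are this example's stand-ins, not JSC's
        butterfly or ArrayAllocationProfile.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for an array's backing vector: counts how many times the storage
// had to be reallocated while elements were pushed.
struct GrowableVector {
    std::vector<int> storage;
    size_t reallocations = 0;

    explicit GrowableVector(size_t initialVectorLength)
    {
        storage.reserve(initialVectorLength);
    }

    void push(int v)
    {
        // push_back reallocates exactly when size has reached capacity.
        if (storage.size() == storage.capacity())
            ++reallocations;
        storage.push_back(v);
    }
};

// Hypothetical per-site profile: the hint is the largest final length observed
// for arrays allocated at this site, and it is used as the initial vector length.
struct AllocationSiteProfile {
    size_t vectorLengthHint = 0;

    GrowableVector allocate() const { return GrowableVector(vectorLengthHint); }

    void recordFinalLength(size_t length)
    {
        if (length > vectorLengthHint)
            vectorLengthHint = length;
    }
};

// Runs the `array = []; for (...) array.push(...)` pattern once at a site and
// returns how many reallocations it took. The profile is updated afterwards.
size_t runPushLoop(AllocationSiteProfile& site, size_t count)
{
    GrowableVector array = site.allocate();
    for (size_t i = 0; i < count; ++i)
        array.push(static_cast<int>(i));
    site.recordFinalLength(array.storage.size());
    return array.reallocations;
}

int main()
{
    AllocationSiteProfile site;
    for (int run = 1; run <= 3; ++run) {
        size_t reallocs = runPushLoop(site, 100);
        std::printf("run %d: %zu reallocations, hint now %zu\n",
            run, reallocs, site.vectorLengthHint);
    }
    return 0;
}
```

        The hint is a profile, not a guarantee: a site that once produced a very long array will
        over-allocate for every later short one, which is why the real engine treats it as a hint
        rather than a fixed size.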
3148
3149 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3150
3151         [DFG][FTL] Make ArraySlice(0) code tight
3152         https://bugs.webkit.org/show_bug.cgi?id=183590
3153
3154         Reviewed by Saam Barati.
3155
3156         This patch tightens ArraySlice code, in particular, startIndex = 0 case.
3157
3158         1. We support array.slice() call. This is a well-used way to clone an array.
3159         For example, underscore.js uses this technique.
3160
3161         2. We remove several checks if the given index value is a proven constant.
3162
3163         * dfg/DFGBackwardsPropagationPhase.cpp:
3164         (JSC::DFG::BackwardsPropagationPhase::propagate):
3165         * dfg/DFGByteCodeParser.cpp:
3166         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3167         * dfg/DFGFixupPhase.cpp:
3168         (JSC::DFG::FixupPhase::fixupNode):
3169         * dfg/DFGSpeculativeJIT.cpp:
3170         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
3171         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3172         We can skip some of the checks if the given value is a proven constant.
3173
3174         * ftl/FTLLowerDFGToB3.cpp:
3175         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
3176         Change below to belowOrEqual. It does not change meaning in the code. But it allows us
3177         to fold BelowEqual(0, x) to true.
3178
3179 2018-03-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3180
3181         Drop s_exceptionInstructions static initializer
3182         https://bugs.webkit.org/show_bug.cgi?id=183732
3183
3184         Reviewed by Darin Adler.
3185
3186         Make Instruction constructor constexpr to drop the static constructor
3187         of LLInt::Data::s_exceptionInstructions.
3188
3189         * bytecode/Instruction.h:
3190         (JSC::Instruction::Instruction):
3191
3192 2018-03-19  Dan Bernstein  <mitz@apple.com>
3193
3194         Investigate why __cpu_indicator_init is used
3195         https://bugs.webkit.org/show_bug.cgi?id=183736
3196
3197         Reviewed by Tim Horton.
3198
3199         __cpu_indicator_init, which is a global initializer, was included in JavaScriptCore because
3200         we were passing the -all_load option to the linker, causing it to bring in all members of
3201         every static library being linked in, including the compiler runtime library. We only need
3202         to load all members of WTF. The linker option for doing that is -force_load, and it requires
3203         a path to the library. To support building against libWTF.a built locally as well as against
3204         the copy that is in the SDK, we add a script build phase that places a symbolic link to the
3205         appropriate libWTF.a under the DerivedSources directory, and pass the path to that symlink
3206         to the linker. Also, while cleaning up linker flags, make OTHER_LDFLAGS_HIDE_SYMBOLS less
3207         verbose by eliminating every other -Wl, remove redundant -lobjc (libobjc is already listed
3208         in the Link Binary With Libraries build phase), remove long-unsupported -Y,3, and stop
3209         reexporting libobjc.
3210
3211         * Configurations/JavaScriptCore.xcconfig:
3212         * JavaScriptCore.xcodeproj/project.pbxproj:
3213
3214 2018-03-19  Jiewen Tan  <jiewen_tan@apple.com>
3215
3216         Unreviewed, another quick fix for r229699
3217
3218         Restricts ENABLE_WEB_AUTHN to only macOS and iOS.
3219
3220         * Configurations/FeatureDefines.xcconfig:
3221
3222 2018-03-19  Mark Lam  <mark.lam@apple.com>
3223
3224         FunctionPtr should be passed by value.
3225         https://bugs.webkit.org/show_bug.cgi?id=183746
3226         <rdar://problem/38625311>
3227
3228         Reviewed by JF Bastien.
3229
3230         It's meant to be an encapsulation of a C/C++ function pointer.  There are cases
3231         where we use it to pass JIT compiled code (e.g. the VM thunks/stubs), but they are
3232         treated as if they are C/C++ functions.
3233
3234         Regardless, there's no need to pass it by reference.
3235
3236         * assembler/MacroAssemblerCodeRef.h:
3237         * dfg/DFGJITCompiler.h:
3238         (JSC::DFG::JITCompiler::appendCall):
3239         * dfg/DFGSpeculativeJIT.h:
3240         (JSC::DFG::SpeculativeJIT::appendCall):
3241         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
3242         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
3243         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3244         * jit/JIT.h:
3245         (JSC::JIT::appendCall):
3246         (JSC::JIT::appendCallWithSlowPathReturnType):
3247         * jit/JITInlines.h:
3248         (JSC::JIT::appendCallWithExceptionCheck):
3249         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
3250         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
3251         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
3252         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
3253
3254 2018-03-15  Ross Kirsling  <ross.kirsling@sony.com>
3255
3256         Fix MSVC run-time check after r229391. 
3257         https://bugs.webkit.org/show_bug.cgi?id=183673
3258
3259         Reviewed by Keith Miller.
3260
3261         Replaces attempted fix from r229424/r229432.
3262         Apparently MSVC doesn't like it when a zero-length std::array is defined without explicit braces.
3263
3264         * jit/CCallHelpers.h:
3265         (JSC::CCallHelpers::clampArrayToSize):
3266
3267 2018-03-15  Tim Horton  <timothy_horton@apple.com>
3268
3269         Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in ANGLE
3270         https://bugs.webkit.org/show_bug.cgi?id=183675
3271         <rdar://problem/38515281>
3272
3273         Reviewed by Dan Bernstein.
3274
3275         * JavaScriptCore.xcodeproj/project.pbxproj:
3276         Don't install the JSC alias if we're installing to an alternate location.
3277         This should have been a part of r229637.
3278
3279 2018-03-15  Tim Horton  <timothy_horton@apple.com>
3280
3281         Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in JavaScriptCore
3282         https://bugs.webkit.org/show_bug.cgi?id=183649
3283         <rdar://problem/38480526>
3284
3285         Reviewed by Dan Bernstein.
3286
3287         * Configurations/Base.xcconfig:
3288         * JavaScriptCore.xcodeproj/project.pbxproj:
3289
3290 2018-03-14  Mark Lam  <mark.lam@apple.com>
3291
3292         Enhance the MacroAssembler and LinkBuffer to support pointer profiling.
3293         https://bugs.webkit.org/show_bug.cgi?id=183623
3294         <rdar://problem/38443314>
3295
3296         Reviewed by Michael Saboff.
3297
3298         1. Added a PtrTag argument to indirect call() and indirect jump() MacroAssembler
3299            emitters to support pointer profiling.
3300
3301         2. Also added tagPtr(), untagPtr(), and removePtrTag() placeholder methods.
3302
3303         3. Added a PtrTag to LinkBuffer finalizeCodeWithoutDisassembly() and clients.
3304
3305         4. Updated clients to pass a PtrTag.  For the most part, I just apply NoPtrTag as
3306            a placeholder until we have time to analyze what pointer profile each client
3307            site has later.
3308     
3309         5. Apply PtrTags to the YarrJIT.
3310
3311         * assembler/ARM64Assembler.h:
3312         (JSC::ARM64Assembler::linkJumpOrCall):
3313         * assembler/AbstractMacroAssembler.h:
3314         (JSC::AbstractMacroAssembler::getLinkerAddress):
3315         (JSC::AbstractMacroAssembler::tagPtr):
3316         (JSC::AbstractMacroAssembler::untagPtr):
3317         (JSC::AbstractMacroAssembler::removePtrTag):
3318         * assembler/LinkBuffer.cpp:
3319         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
3320         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3321         * assembler/LinkBuffer.h:
3322         (JSC::LinkBuffer::link):
3323         (JSC::LinkBuffer::locationOfNearCall):
3324         (JSC::LinkBuffer::locationOf):
3325         * assembler/MacroAssemblerARM.h:
3326         (JSC::MacroAssemblerARM::jump):
3327         (JSC::MacroAssemblerARM::call):
3328         (JSC::MacroAssemblerARM::readCallTarget):
3329         * assembler/MacroAssemblerARM64.h:
3330         (JSC::MacroAssemblerARM64::call):
3331         (JSC::MacroAssemblerARM64::jump):
3332         (JSC::MacroAssemblerARM64::readCallTarget):
3333         (JSC::MacroAssemblerARM64::linkCall):
3334         * assembler/MacroAssemblerARMv7.h:
3335         (JSC::MacroAssemblerARMv7::jump):
3336         (JSC::MacroAssemblerARMv7::relativeTableJump):
3337         (JSC::MacroAssemblerARMv7::call):
3338         (JSC::MacroAssemblerARMv7::readCallTarget):
3339         * assembler/MacroAssemblerCodeRef.cpp:
3340         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
3341         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
3342         * assembler/MacroAssemblerCodeRef.h:
3343         (JSC::FunctionPtr::FunctionPtr):
3344         (JSC::FunctionPtr::value const):
3345         (JSC::MacroAssemblerCodePtr:: const):
3346         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
3347         (JSC::MacroAssemblerCodeRef::retaggedCode const):
3348         * assembler/MacroAssemblerMIPS.h:
3349         (JSC::MacroAssemblerMIPS::jump):
3350         (JSC::MacroAssemblerMIPS::call):
3351         (JSC::MacroAssemblerMIPS::readCallTarget):
3352         * assembler/MacroAssemblerX86.h:
3353         (JSC::MacroAssemblerX86::call):
3354         (JSC::MacroAssemblerX86::jump):
3355         (JSC::MacroAssemblerX86::readCallTarget):
3356         * assembler/MacroAssemblerX86Common.cpp:
3357         (JSC::MacroAssembler::probe):
3358         * assembler/MacroAssemblerX86Common.h:
3359         (JSC::MacroAssemblerX86Common::jump):
3360         (JSC::MacroAssemblerX86Common::call):
3361         * assembler/MacroAssemblerX86_64.h:
3362         (JSC::MacroAssemblerX86_64::call):
3363         (JSC::MacroAssemblerX86_64::jump):
3364         (JSC::MacroAssemblerX86_64::readCallTarget):
3365         * assembler/testmasm.cpp:
3366         (JSC::compile):
3367         (JSC::invoke):
3368         * b3/B3Compile.cpp:
3369         (JSC::B3::compile):
3370         * b3/B3LowerMacros.cpp:
3371         * b3/air/AirCCallSpecial.cpp:
3372         (JSC::B3::Air::CCallSpecial::generate):
3373         * b3/air/testair.cpp:
3374         * b3/testb3.cpp:
3375         (JSC::B3::invoke):
3376         (JSC::B3::testInterpreter):
3377         (JSC::B3::testEntrySwitchSimple):
3378         (JSC::B3::testEntrySwitchNoEntrySwitch):
3379         (JSC::B3::testEntrySwitchWithCommonPaths):
3380         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
3381         (JSC::B3::testEntrySwitchLoop):
3382         * bytecode/AccessCase.cpp:
3383         (JSC::AccessCase::generateImpl):
3384         * bytecode/AccessCaseSnippetParams.cpp:
3385         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
3386         * bytecode/InlineAccess.cpp:
3387         (JSC::linkCodeInline):
3388         (JSC::InlineAccess::rewireStubAsJump):
3389         * bytecode/PolymorphicAccess.cpp:
3390         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
3391         (JSC::PolymorphicAccess::regenerate):
3392         * dfg/DFGJITCompiler.cpp:
3393         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3394         (JSC::DFG::JITCompiler::link):
3395         (JSC::DFG::JITCompiler::compileFunction):
3396         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3397         * dfg/DFGJITCompiler.h:
3398         (JSC::DFG::JITCompiler::appendCall):
3399         * dfg/DFGJITFinalizer.cpp:
3400         (JSC::DFG::JITFinalizer::finalize):
3401         (JSC::DFG::JITFinalizer::finalizeFunction):
3402         * dfg/DFGOSRExit.cpp:
3403         (JSC::DFG::OSRExit::emitRestoreArguments):
3404         (JSC::DFG::OSRExit::compileOSRExit):
3405         * dfg/DFGOSRExitCompilerCommon.cpp:
3406         (JSC::DFG::handleExitCounts):
3407         (JSC::DFG::osrWriteBarrier):
3408         (JSC::DFG::adjustAndJumpToTarget):
3409         * dfg/DFGSpeculativeJIT.cpp:
3410         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
3411         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3412         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
3413         * dfg/DFGSpeculativeJIT64.cpp:
3414         (JSC::DFG::SpeculativeJIT::compile):
3415         * dfg/DFGThunks.cpp:
3416         (JSC::DFG::osrExitThunkGenerator):
3417         (JSC::DFG::osrExitGenerationThunkGenerator):
3418         (JSC::DFG::osrEntryThunkGenerator):
3419         * ftl/FTLCompile.cpp:
3420         (JSC::FTL::compile):
3421         * ftl/FTLJITFinalizer.cpp:
3422         (JSC::FTL::JITFinalizer::finalizeCommon):
3423         * ftl/FTLLazySlowPath.cpp:
3424         (JSC::FTL::LazySlowPath::generate):
3425         * ftl/FTLLink.cpp:
3426         (JSC::FTL::link):
3427         * ftl/FTLLowerDFGToB3.cpp:
3428         (JSC::FTL::DFG::LowerDFGToB3::lower):
3429         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3430         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3431         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3432         * ftl/FTLOSRExitCompiler.cpp:
3433         (JSC::FTL::compileStub):
3434         (JSC::FTL::compileFTLOSRExit):
3435         * ftl/FTLSlowPathCall.cpp:
3436         (JSC::FTL::SlowPathCallContext::makeCall):
3437         * ftl/FTLThunks.cpp:
3438         (JSC::FTL::genericGenerationThunkGenerator):
3439         (JSC::FTL::osrExitGenerationThunkGenerator):
3440         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3441         (JSC::FTL::slowPathCallThunkGenerator):
3442         * jit/AssemblyHelpers.cpp:
3443         (JSC::AssemblyHelpers::callExceptionFuzz):
3444         (JSC::AssemblyHelpers::debugCall):
3445         * jit/CCallHelpers.cpp:
3446         (JSC::CCallHelpers::ensureShadowChickenPacket):
3447         * jit/CCallHelpers.h:
3448         (JSC::CCallHelpers::jumpToExceptionHandler):
3449         * jit/ExecutableAllocator.cpp:
3450         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
3451         * jit/JIT.cpp:
3452         (JSC::JIT::emitEnterOptimizationCheck):
3453         (JSC::JIT::link):
3454         (JSC::JIT::privateCompileExceptionHandlers):
3455         * jit/JIT.h:
3456         (JSC::JIT::appendCall):
3457         * jit/JITMathIC.h:
3458         (JSC::isProfileEmpty):
3459         * jit/JITOpcodes.cpp:
3460         (JSC::JIT::emit_op_catch):
3461         (JSC::JIT::emit_op_switch_imm):
3462         (JSC::JIT::emit_op_switch_char):
3463         (JSC::JIT::emit_op_switch_string):
3464         (JSC::JIT::emitSlow_op_loop_hint):
3465         (JSC::JIT::privateCompileHasIndexedProperty):
3466         * jit/JITOpcodes32_64.cpp:
3467         (JSC::JIT::emit_op_catch):
3468         (JSC::JIT::emit_op_switch_imm):
3469         (JSC::JIT::emit_op_switch_char):
3470         (JSC::JIT::emit_op_switch_string):
3471         (JSC::JIT::privateCompileHasIndexedProperty):
3472         * jit/JITPropertyAccess.cpp:
3473         (JSC::JIT::stringGetByValStubGenerator):
3474         (JSC::JIT::privateCompileGetByVal):
3475         (JSC::JIT::privateCompileGetByValWithCachedId):
3476         (JSC::JIT::privateCompilePutByVal):
3477         (JSC::JIT::privateCompilePutByValWithCachedId):
3478         * jit/JITPropertyAccess32_64.cpp:
3479         (JSC::JIT::stringGetByValStubGenerator):
3480         * jit/JITStubRoutine.h:
3481         * jit/Repatch.cpp:
3482         (JSC::readCallTarget):
3483         (JSC::appropriateOptimizingPutByIdFunction):
3484         (JSC::linkPolymorphicCall):
3485         (JSC::resetPutByID):
3486         * jit/SlowPathCall.h:
3487         (JSC::JITSlowPathCall::call):
3488         * jit/SpecializedThunkJIT.h:
3489         (JSC::SpecializedThunkJIT::finalize):
3490         (JSC::SpecializedThunkJIT::callDoubleToDouble):
3491         * jit/ThunkGenerators.cpp:
3492         (JSC::throwExceptionFromCallSlowPathGenerator):
3493         (JSC::slowPathFor):
3494         (JSC::linkCallThunkGenerator):
3495         (JSC::linkPolymorphicCallThunkGenerator):
3496         (JSC::virtualThunkFor):
3497         (JSC::nativeForGenerator):
3498         (JSC::arityFixupGenerator):
3499         (JSC::unreachableGenerator):
3500         (JSC::boundThisNoArgsFunctionCallGenerator):
3501         * llint/LLIntThunks.cpp:
3502         (JSC::LLInt::generateThunkWithJumpTo):
3503         (JSC::LLInt::functionForCallEntryThunkGenerator):
3504         (JSC::LLInt::functionForConstructEntryThunkGenerator):
3505         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
3506         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
3507         (JSC::LLInt::evalEntryThunkGenerator):
3508         (JSC::LLInt::programEntryThunkGenerator):
3509         (JSC::LLInt::moduleProgramEntryThunkGenerator):
3510         * runtime/PtrTag.h:
3511         * wasm/WasmB3IRGenerator.cpp:
3512         (JSC::Wasm::B3IRGenerator::addCall):
3513         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3514         * wasm/WasmBBQPlan.cpp:
3515         (JSC::Wasm::BBQPlan::complete):
3516         * wasm/WasmBinding.cpp:
3517         (JSC::Wasm::wasmToWasm):
3518         * wasm/WasmOMGPlan.cpp:
3519         (JSC::Wasm::OMGPlan::work):
3520         * wasm/WasmThunks.cpp:
3521         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3522         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
3523         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3524         * wasm/js/WasmToJS.cpp:
3525         (JSC::Wasm::handleBadI64Use):
3526         (JSC::Wasm::wasmToJS):
3527         * yarr/YarrJIT.cpp:
3528         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
3529         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
3530         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
3531         (JSC::Yarr::YarrGenerator::generateEnter):
3532         (JSC::Yarr::YarrGenerator::YarrGenerator):
3533         (JSC::Yarr::YarrGenerator::compile):
3534         (JSC::Yarr::jitCompile):
3535         * yarr/YarrJIT.h:
3536         (JSC::Yarr::YarrCodeBlock::execute):
3537
3538 2018-03-14  Caitlin Potter  <caitp@igalia.com>
3539
3540         [JSC] fix order of evaluation for ClassDefinitionEvaluation
3541         https://bugs.webkit.org/show_bug.cgi?id=183523
3542
3543         Reviewed by Keith Miller.
3544
3545         Computed property names need to be evaluated in source order during class
3546         definition evaluation, as it's observable (and specified to work this way).
3547
3548         This change improves compatibility with Chromium.
3549
3550         * bytecompiler/BytecodeGenerator.h:
3551         (JSC::BytecodeGenerator::emitDefineClassElements):
3552         * bytecompiler/NodesCodegen.cpp:
3553         (JSC::PropertyListNode::emitBytecode):
3554         (JSC::ClassExprNode::emitBytecode):
3555         * parser/ASTBuilder.h:
3556         (JSC::ASTBuilder::createClassExpr):
3557         (JSC::ASTBuilder::createGetterOrSetterProperty):
3558         (JSC::ASTBuilder::createProperty):
3559         * parser/NodeConstructors.h:
3560         (JSC::PropertyNode::PropertyNode):
3561         (JSC::ClassExprNode::ClassExprNode):
3562         * parser/Nodes.cpp:
3563         (JSC::PropertyListNode::hasStaticallyNamedProperty):
3564         * parser/Nodes.h:
3565         (JSC::PropertyNode::isClassProperty const):
3566         (JSC::PropertyNode::isStaticClassProperty const):
3567         (JSC::PropertyNode::isInstanceClassProperty const):
3568         * parser/Parser.cpp:
3569         (JSC::Parser<LexerType>::parseClass):
3570         (JSC::Parser<LexerType>::parseProperty):
3571         (JSC::Parser<LexerType>::parseGetterSetter):
3572         * parser/Parser.h:
3573         * parser/SyntaxChecker.h:
3574         (JSC::SyntaxChecker::createClassExpr):
3575         (JSC::SyntaxChecker::createProperty):
3576         (JSC::SyntaxChecker::createGetterOrSetterProperty):
3577
3578 2018-03-14  Keith Miller  <keith_miller@apple.com>
3579
3580         Move jsc CLI breakpoint function to $vm
3581         https://bugs.webkit.org/show_bug.cgi?id=183512
3582
3583         Reviewed by Yusuke Suzuki.
3584
3585         * jsc.cpp:
3586         (GlobalObject::finishCreation):
3587         (functionBreakpoint): Deleted.
3588         * tools/JSDollarVM.cpp:
3589         (JSC::functionBreakpoint):
3590         (JSC::JSDollarVM::finishCreation):
3591
3592 2018-03-14  Tim Horton  <timothy_horton@apple.com>
3593
3594         Fix the build after r229567
3595
3596         * Configurations/FeatureDefines.xcconfig:
3597
3598 2018-03-12  Mark Lam  <mark.lam@apple.com>
3599
3600         Gardening: speculative build fix for WinCairo.
3601         https://bugs.webkit.org/show_bug.cgi?id=183573
3602
3603         Not reviewed.
3604
3605         * runtime/NativeFunction.h:
3606         (JSC::TaggedNativeFunction::TaggedNativeFunction):
3607
3608 2018-03-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3609
3610         Unreviewed, fix obsolete ASSERT
3611         https://bugs.webkit.org/show_bug.cgi?id=183310
3612
3613         Now NewObject can be converted from CallObjectConstructor and CreateThis.
3614
3615         * dfg/DFGNode.h:
3616         (JSC::DFG::Node::convertToNewObject):
3617
3618 2018-03-12  Tim Horton  <timothy_horton@apple.com>
3619
3620         Stop using SDK conditionals to control feature definitions
3621         https://bugs.webkit.org/show_bug.cgi?id=183430
3622         <rdar://problem/38251619>
3623
3624         Reviewed by Dan Bernstein.
3625
3626         * Configurations/FeatureDefines.xcconfig:
3627         * Configurations/WebKitTargetConditionals.xcconfig: Renamed.
3628
3629 2018-03-12  Yoav Weiss  <yoav@yoav.ws>
3630
3631         Runtime flag for link prefetch and remove link subresource.
3632         https://bugs.webkit.org/show_bug.cgi?id=183540
3633
3634         Reviewed by Chris Dumez.
3635
3636         Remove the LINK_PREFETCH build time flag.
3637
3638         * Configurations/FeatureDefines.xcconfig:
3639
3640 2018-03-12  Mark Lam  <mark.lam@apple.com>
3641
3642         Gardening: speculative build fix for Windows.
3643         https://bugs.webkit.org/show_bug.cgi?id=183573
3644
3645         Not reviewed.
3646
3647         * runtime/NativeFunction.h:
3648         (JSC::TaggedNativeFunction::TaggedNativeFunction):
3649
3650 2018-03-12  Mark Lam  <mark.lam@apple.com>
3651
3652         Add another PtrTag.
3653         https://bugs.webkit.org/show_bug.cgi?id=183580
3654         <rdar://problem/38390584>
3655
3656         Reviewed by Keith Miller.
3657
3658         * runtime/PtrTag.h:
3659
3660 2018-03-12  Mark Lam  <mark.lam@apple.com>
3661
3662         Make a NativeFunction into a class to support pointer profiling.
3663         https://bugs.webkit.org/show_bug.cgi?id=183573
3664         <rdar://problem/38384697>
3665
3666         Reviewed by Filip Pizlo.
3667
3668         1. NativeFunction is now a class, and this patch introduces RawNativeFunction and
3669            TaggedNativeFunction.
3670
3671            RawNativeFunction is the raw pointer type (equivalent
3672            to the old definition of NativeFunction).  This is mainly used for underlying
3673            storage inside the NativeFunction class, and also for global data tables that
3674            cannot embed non-trivially constructed objects.
3675
3676            NativeFunction's role is mainly to encapsulate a pointer to a C function that
3677            we pass into the VM.
3678
3679            TaggedNativeFunction encapsulates the tagged version of a pointer to a C
3680            function that we track in the VM.
3681
3682         2. Added a convenience constructor for TrustedImmPtr so that we don't have to
3683            cast function pointers to void* anymore when constructing a TrustedImmPtr.
3684
3685         3. Removed the unused CALL_RETURN macro in CommonSlowPaths.cpp.
3686
3687         4. Added more PtrTag utility functions.
3688
3689         * CMakeLists.txt:
3690         * JavaScriptCore.xcodeproj/project.pbxproj:
3691         * assembler/AbstractMacroAssembler.h:
3692         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
3693         * create_hash_table:
3694         * interpreter/Interpreter.cpp:
3695         (JSC::Interpreter::executeCall):
3696         (JSC::Interpreter::executeConstruct):
3697         * interpreter/InterpreterInlines.h:
3698         (JSC::Interpreter::getOpcodeID):
3699         * jit/JITThunks.cpp:
3700         (JSC::JITThunks::hostFunctionStub):
3701         * jit/JITThunks.h:
3702         * llint/LLIntData.cpp:
3703         (JSC::LLInt::initialize):
3704         * llint/LLIntSlowPaths.cpp:
3705         (JSC::LLInt::setUpCall):
3706         * llint/LowLevelInterpreter.asm:
3707         * llint/LowLevelInterpreter.cpp:
3708         (JSC::CLoop::execute):
3709         * llint/LowLevelInterpreter64.asm:
3710         * offlineasm/ast.rb:
3711         * runtime/CallData.h:
3712         * runtime/CommonSlowPaths.cpp:
3713         * runtime/ConstructData.h:
3714         * runtime/InternalFunction.h:
3715         (JSC::InternalFunction::nativeFunctionFor):
3716         * runtime/JSCell.cpp:
3717         (JSC::JSCell::getCallData):
3718         (JSC::JSCell::getConstructData):
3719         * runtime/JSFunction.h:
3720         * runtime/JSFunctionInlines.h:
3721         (JSC::JSFunction::nativeFunction):
3722         (JSC::JSFunction::nativeConstructor):
3723         (JSC::isHostFunction):
3724         * runtime/Lookup.h:
3725         (JSC::HashTableValue::function const):
3726         (JSC::HashTableValue::accessorGetter const):
3727         (JSC::HashTableValue::accessorSetter const):
3728         (JSC::nonCachingStaticFunctionGetter):
3729         * runtime/NativeExecutable.cpp:
3730         (JSC::NativeExecutable::create):
3731         (JSC::NativeExecutable::NativeExecutable):
3732         * runtime/NativeExecutable.h:
3733         * runtime/NativeFunction.h: Added.
3734         (JSC::NativeFunction::NativeFunction):
3735         (JSC::NativeFunction::operator intptr_t const):
3736         (JSC::NativeFunction::operator bool const):
3737         (JSC::NativeFunction::operator! const):
3738         (JSC::NativeFunction::operator== const):
3739         (JSC::NativeFunction::operator!= const):
3740         (JSC::NativeFunction::operator()):
3741         (JSC::NativeFunction::rawPointer const):
3742         (JSC::NativeFunctionHash::hash):
3743         (JSC::NativeFunctionHash::equal):
3744         (JSC::TaggedNativeFunction::TaggedNativeFunction):
3745         (JSC::TaggedNativeFunction::operator bool const):
3746         (JSC::TaggedNativeFunction::operator! const):
3747         (JSC::TaggedNativeFunction::operator== const):
3748         (JSC::TaggedNativeFunction::operator!= const):
3749         (JSC::TaggedNativeFunction::operator()):
3750         (JSC::TaggedNativeFunction::operator NativeFunction):
3751         (JSC::TaggedNativeFunction::rawPointer const):
3752         (JSC::TaggedNativeFunctionHash::hash):
3753         (JSC::TaggedNativeFunctionHash::equal):
3754         * runtime/PtrTag.h:
3755         (JSC::tagCFunctionPtr):
3756         (JSC::untagCFunctionPtr):
3757         * runtime/VM.h:
3758         (JSC::VM::targetMachinePCForThrowOffset): Deleted.
3759
3760 2018-03-12  Filip Pizlo  <fpizlo@apple.com>
3761
3762         Unreviewed, fix simple goof that was causing 32-bit DFG crashes.
3763
3764         * dfg/DFGSpeculativeJIT.cpp:
3765         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3766
3767 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3768
3769         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
3770         https://bugs.webkit.org/show_bug.cgi?id=183310
3771
3772         Reviewed by Filip Pizlo.
3773
3774         This patch implements CreateThis -> NewObject conversion in AI if the given function is constant.
3775         This contributes to 6% win in Octane/raytrace.
3776
3777                                         baseline                  patched
3778
3779             raytrace       x2       1.19915+-0.01862    ^     1.13156+-0.01589       ^ definitely 1.0597x faster
3780
3781         * dfg/DFGAbstractInterpreterInlines.h:
3782         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3783         * dfg/DFGConstantFoldingPhase.cpp:
3784         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3785
3786 2018-03-11  Wenson Hsieh  <wenson_hsieh@apple.com>
3787
3788         Disable Sigill crash analyzer on watchOS
3789         https://bugs.webkit.org/show_bug.cgi?id=183548
3790         <rdar://problem/38338032>
3791
3792         Reviewed by Mark Lam.
3793
3794         Sigill is not supported on watchOS.
3795
3796         * runtime/Options.cpp:
3797         (JSC::overrideDefaults):
3798
3799 2018-03-09  Filip Pizlo  <fpizlo@apple.com>
3800
3801         Split DirectArguments into JSValueOOB and JSValueStrict parts
3802         https://bugs.webkit.org/show_bug.cgi?id=183458
3803
3804         Reviewed by Yusuke Suzuki.
3805         
3806         Our Spectre plan for JSValue objects is to allow inline JSValue stores and loads guarded by
3807         unmitigated structure checks. This works because objects reachable from JSValues (i.e. JSValue
3808         objects, like String, Symbol, and any descendant of JSObject) will only contain fields that it's OK
3809         to read and write within a Spectre mitigation window. Writes are important, because within the
3810         window, a write could appear to be made speculatively and rolled out later. This means that:
3811         
3812         - JSValue objects cannot have lengths, masks, or anything else inline.
3813         
3814         - JSValue objects cannot have an inline type that is used as part of a Spectre mitigation for a type
3815           check, unless that type is in the form of a poison key.
3816         
3817         This means that the dynamic poisoning that I previously landed for DirectArguments is wrong. It also
3818         means that it's wrong for DirectArguments to have an inline length.
3819         
3820         This changes DirectArguments to use poisoning according to the universal formula:
3821         
3822         - The random accessed portions are out-of-line, pointed to by a poisoned pointer.
3823         
3824         - No inline length.
3825         
3826         Surprisingly, this is perf-neutral. It's probably perf-neutral because our compiler optimizations
3827         amortize whatever cost there was.
3828
3829         * bytecode/AccessCase.cpp:
3830         (JSC::AccessCase::generateWithGuard):
3831         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3832         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
3833         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Added.
3834         (JSC::DFG::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator):
3835         * dfg/DFGSpeculativeJIT.cpp:
3836         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3837         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3838         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3839         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
3840         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
3841         * ftl/FTLAbstractHeapRepository.h:
3842         * ftl/FTLLowerDFGToB3.cpp:
3843         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
3844         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3845         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3846         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
3847         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
3848         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3849         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell):
3850         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
3851         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
3852         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
3853         * heap/SecurityKind.h:
3854         * jit/JITPropertyAccess.cpp:
3855         (JSC::JIT::emit_op_get_from_arguments):
3856         (JSC::JIT::emit_op_put_to_arguments):
3857         (JSC::JIT::emitDirectArgumentsGetByVal):
3858         * jit/JITPropertyAccess32_64.cpp:
3859         (JSC::JIT::emit_op_get_from_arguments):
3860         (JSC::JIT::emit_op_put_to_arguments):
3861         * llint/LowLevelInterpreter.asm:
3862         * llint/LowLevelInterpreter32_64.asm:
3863         * llint/LowLevelInterpreter64.asm:
3864         * runtime/DirectArguments.cpp:
3865         (JSC::DirectArguments::DirectArguments):
3866         (JSC::DirectArguments::createUninitialized):
3867         (JSC::DirectArguments::create):
3868         (JSC::DirectArguments::createByCopying):
3869         (JSC::DirectArguments::estimatedSize):
3870         (JSC::DirectArguments::visitChildren):
3871         (JSC::DirectArguments::overrideThings):
3872         (JSC::DirectArguments::copyToArguments):
3873         (JSC::DirectArguments::mappedArgumentsSize):
3874         * runtime/DirectArguments.h:
3875         * runtime/JSCPoison.h:
3876         * runtime/JSLexicalEnvironment.h:
3877         * runtime/JSSymbolTableObject.h:
3878         * runtime/VM.cpp:
3879         (JSC::VM::VM):
3880         * runtime/VM.h:
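
        Added example, not WebKit's code: a simplified C++ sketch of the layout rule the entry describes (random-access data out of line behind a poisoned pointer, no inline length). Poisoned, ArgumentsStorage, ArgumentsCell and the key value are hypothetical stand-ins, not JSC's WTF::Poisoned or DirectArguments.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Hypothetical per-type poison key (made-up value); JSC keeps one key per poisoned pointer kind.
constexpr uintptr_t kArgumentsStoragePoison = static_cast<uintptr_t>(0x5a7e1eaf0badc0deULL);

// A pointer stored XORed with its key and unpoisoned only at the point of use. Reading the field
// under a different type's key (the type-confusion case) yields an address that is not the storage.
template<uintptr_t Key, typename T>
class Poisoned {
public:
    Poisoned() = default;
    explicit Poisoned(T* p) : m_bits(reinterpret_cast<uintptr_t>(p) ^ Key) {}
    T* get() const { return reinterpret_cast<T*>(m_bits ^ Key); }
    uintptr_t bits() const { return m_bits; } // what actually sits in memory
private:
    uintptr_t m_bits = 0;
};

// Everything indexed by an attacker-influenced value lives here, out of line, length included.
struct ArgumentsStorage {
    uint32_t length;
    std::vector<uint64_t> slots; // stand-in for the argument JSValues
};

// The cell itself: no inline length, no inline mask; just the poisoned pointer.
class ArgumentsCell {
public:
    explicit ArgumentsCell(std::vector<uint64_t> args)
        : m_storage(new ArgumentsStorage{static_cast<uint32_t>(args.size()), std::move(args)}) {}
    ~ArgumentsCell() { delete m_storage.get(); }
    ArgumentsCell(const ArgumentsCell&) = delete;
    ArgumentsCell& operator=(const ArgumentsCell&) = delete;

    uint32_t length() const { return m_storage.get()->length; }
    // Bounds-checked read; the length used for the check comes from the same out-of-line block.
    bool get(uint32_t index, uint64_t& out) const {
        const ArgumentsStorage* s = m_storage.get();
        if (index >= s->length) return false;
        out = s->slots[index];
        return true;
    }
    uintptr_t inlineBits() const { return m_storage.bits(); }
    uintptr_t storageAddress() const { return reinterpret_cast<uintptr_t>(m_storage.get()); }
private:
    Poisoned<kArgumentsStoragePoison, ArgumentsStorage> m_storage;
};

// The inline part of the cell is exactly one pointer-sized field: nothing else to mis-speculate on.
static_assert(sizeof(ArgumentsCell) == sizeof(uintptr_t), "no inline length or mask");

// A load through the field under some other key lands somewhere other than the real storage.
static bool wrongKeyMissesStorage(const ArgumentsCell& cell, uintptr_t otherKey) {
    return (cell.inlineBits() ^ otherKey) != cell.storageAddress();
}
```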
3881
3882 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3883
3884         [B3] Above/Below should be strength-reduced for comparison with 0
3885         https://bugs.webkit.org/show_bug.cgi?id=183543
3886
3887         Reviewed by Filip Pizlo.
3888
3889         Above(0, x) and BelowEqual(0, x) can be converted to constants false and true respectively.
3890         This can be seen in the ArraySlice(0) case: `Select(Above(0, length), length, 0)` should
3891         be converted to `0`. This patch adds such a folding to comparisons.
3892
3893         We also fix B3ReduceStrength issue creating an orphan value. If a flipped value is folded to
3894         a constant, we do not insert flipped value and make it an orphan. This issue causes JSC test
3895         failure with this B3Const32/64Value change. With this patch, we create a flipped value only
3896         when we fail to fold it to a constant.
3897
3898         * b3/B3Const32Value.cpp:
3899         (JSC::B3::Const32Value::lessThanConstant const):
3900         (JSC::B3::Const32Value::greaterThanConstant const):
3901         (JSC::B3::Const32Value::lessEqualConstant const):
3902         (JSC::B3::Const32Value::greaterEqualConstant const):
3903         (JSC::B3::Const32Value::aboveConstant const):
3904         (JSC::B3::Const32Value::belowConstant const):
3905         (JSC::B3::Const32Value::aboveEqualConstant const):
3906         (JSC::B3::Const32Value::belowEqualConstant const):
3907         * b3/B3Const64Value.cpp:
3908         (JSC::B3::Const64Value::lessThanConstant const):
3909         (JSC::B3::Const64Value::greaterThanConstant const):
3910         (JSC::B3::Const64Value::lessEqualConstant const):
3911         (JSC::B3::Const64Value::greaterEqualConstant const):
3912         (JSC::B3::Const64Value::aboveConstant const):
3913         (JSC::B3::Const64Value::belowConstant const):
3914         (JSC::B3::Const64Value::aboveEqualConstant const):
3915         (JSC::B3::Const64Value::belowEqualConstant const):
3916         * b3/B3ReduceStrength.cpp:
3917         * b3/testb3.cpp:
3918         (JSC::B3::int64Operands):
3919         (JSC::B3::int32Operands):
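
        Added example, not WebKit's code: a miniature B3-style strength reducer in C++ showing both rules from this entry, the fold of Above(0, x) and BelowEqual(0, x) to constants and the "flip only when folding fails" fix that avoids orphan values. Opcode, Value, Proc and the reduce functions are hypothetical stand-ins for B3's classes.

```cpp
#include <algorithm>
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical miniature of B3's value graph: just the opcodes the entry above talks about.
enum class Opcode { Const32, Var, Above, Below, AboveEqual, BelowEqual, Select };

struct Value {
    Opcode opcode;
    int32_t constant = 0;         // meaningful only for Const32
    std::vector<Value*> children; // B3 operand order: left, right (Select: cond, then, else)
};

struct Proc {
    std::vector<std::unique_ptr<Value>> arena; // owns every value
    std::vector<Value*> block;                 // values actually inserted into the block
    std::vector<Value*> synthesized;           // values the reducer created
    Value* create(Opcode op, std::vector<Value*> kids = {}, int32_t c = 0) {
        arena.push_back(std::make_unique<Value>(Value{op, c, std::move(kids)}));
        return arena.back().get();
    }
    Value* synthesize(Opcode op, std::vector<Value*> kids = {}, int32_t c = 0) {
        synthesized.push_back(create(op, std::move(kids), c)); return synthesized.back();
    }
    Value* emit(Value* v) { block.push_back(v); return v; }
    // A reducer-created value that never reached the block is the orphan the entry describes.
    int orphanCount() const {
        int n = 0;
        for (Value* v : synthesized)
            if (std::find(block.begin(), block.end(), v) == block.end()) ++n;
        return n;
    }
};

static bool isConst(const Value* v, int32_t c) { return v->opcode == Opcode::Const32 && v->constant == c; }
// Rule 1: no unsigned value is below 0, so Above(0, x) is always false and BelowEqual(0, x) is
// always true. Other shapes (AboveEqual(0, x) means x == 0, for instance) are not constant.
static bool foldAgainstZero(const Value* cmp, int32_t& out) {
    if (cmp->children.size() != 2 || !isConst(cmp->children[0], 0)) return false;
    if (cmp->opcode == Opcode::Above) { out = 0; return true; }
    if (cmp->opcode == Opcode::BelowEqual) { out = 1; return true; }
    return false;
}

static Opcode flip(Opcode op) {
    switch (op) {
    case Opcode::Above: return Opcode::Below;
    case Opcode::Below: return Opcode::Above;
    case Opcode::AboveEqual: return Opcode::BelowEqual;
    case Opcode::BelowEqual: return Opcode::AboveEqual;
    default: return op;
    }
}

// Rule 2: canonicalize (constant on the right) by flipping the opcode and swapping operands, but
// only once folding has failed, so the flipped value is never created and then left orphaned.
static Value* reduceCompare(Proc& proc, Value* cmp) {
    int32_t folded;
    if (foldAgainstZero(cmp, folded)) return proc.emit(proc.synthesize(Opcode::Const32, {}, folded));
    if (cmp->children[0]->opcode == Opcode::Const32 && cmp->children[1]->opcode != Opcode::Const32)
        return proc.emit(proc.synthesize(flip(cmp->opcode), {cmp->children[1], cmp->children[0]}));
    return proc.emit(cmp);
}

// The ArraySlice(0) shape from the entry: Select(Above(0, length), length, 0) reduces to 0.
static Value* reduceSelect(Proc& proc, Value* select) {
    Value* cond = reduceCompare(proc, select->children[0]);
    if (cond->opcode == Opcode::Const32)
        return proc.emit(cond->constant ? select->children[1] : select->children[2]);
    return proc.emit(select);
}
```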
3920
3921 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3922
3923         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
3924         https://bugs.webkit.org/show_bug.cgi?id=181848
3925
3926         Reviewed by Sam Weinig.
3927
3928         In r181535, we support `string.match(/nonglobal/)` code. However, `string.match(/global/g)` is not
3929         optimized since it sets `lastIndex` value before performing RegExp operation.
3930
3931         This patch optimizes the above "with a global flag" case by emitting `SetRegExpObjectLastIndex` properly.
3932         RegExpMatchFast is converted to SetRegExpObjectLastIndex and RegExpMatchFastGlobal. The latter node
3933         just holds RegExp (not RegExpObject) cell so that it can offer a chance to make NewRegexp PhantomNewRegexp
3934         in object allocation sinking phase.
3935
3936         Added microbenchmarks show that this patch makes NewRegexp PhantomNewRegexp even if the given RegExp
3937         has a global flag. And it improves the performance.
3938
3939                                       baseline                  patched
3940
3941         regexp-u-global-es5       44.1298+-4.6128     ^     33.7920+-2.0110        ^ definitely 1.3059x faster
3942         regexp-u-global-es6      182.3272+-2.2861     ^    154.3414+-7.6769        ^ definitely 1.1813x faster
3943
3944         * dfg/DFGAbstractInterpreterInlines.h:
3945         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3946         * dfg/DFGClobberize.h:
3947         (JSC::DFG::clobberize):
3948         * dfg/DFGDoesGC.cpp:
3949         (JSC::DFG::doesGC):
3950         * dfg/DFGFixupPhase.cpp:
3951         (JSC::DFG::FixupPhase::fixupNode):
3952         * dfg/DFGMayExit.cpp:
3953         * dfg/DFGNode.cpp:
3954         (JSC::DFG::Node::convertToRegExpMatchFastGlobal):
3955         * dfg/DFGNode.h:
3956         (JSC::DFG::Node::hasHeapPrediction):
3957         (JSC::DFG::Node::hasCellOperand):
3958         * dfg/DFGNodeType.h:
3959         * dfg/DFGOperations.cpp:
3960         * dfg/DFGOperations.h:
3961         * dfg/DFGPredictionPropagationPhase.cpp:
3962         * dfg/DFGSafeToExecute.h:
3963         (JSC::DFG::safeToExecute):
3964         * dfg/DFGSpeculativeJIT.cpp:
3965         (JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal):
3966         * dfg/DFGSpeculativeJIT.h:
3967         * dfg/DFGSpeculativeJIT32_64.cpp:
3968         (JSC::DFG::SpeculativeJIT::compile):
3969         * dfg/DFGSpeculativeJIT64.cpp:
3970         (JSC::DFG::SpeculativeJIT::compile):
3971         * dfg/DFGStrengthReductionPhase.cpp:
3972         (JSC::DFG::StrengthReductionPhase::handleNode):
3973         * ftl/FTLCapabilities.cpp:
3974         (JSC::FTL::canCompile):
3975         * ftl/FTLLowerDFGToB3.cpp:
3976         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3977         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
3978         * runtime/RegExpObject.cpp:
3979         (JSC::collectMatches): Deleted.
3980         * runtime/RegExpObject.h:
3981         * runtime/RegExpObjectInlines.h:
3982         (JSC::RegExpObject::execInline):
3983         (JSC::RegExpObject::matchInline):
3984         (JSC::advanceStringUnicode):
3985         (JSC::collectMatches):
3986         (JSC::RegExpObject::advanceStringUnicode): Deleted.
3987         * runtime/RegExpPrototype.cpp:
3988         (JSC::advanceStringIndex):
3989
3990 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3991
3992         B3::reduceStrength should canonicalize integer comparisons
3993         https://bugs.webkit.org/show_bug.cgi?id=150958
3994
3995         Reviewed by Filip Pizlo.
3996
3997         This patch sorts operands of comparisons by flipping opcode. For example