[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
2
3         Unreviewed, rolling out r226937.
4
5         Tests added with this change are failing due to a missing
6         exception check.
7
8         Reverted changeset:
9
10         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
11         double to int32_t"
12         https://bugs.webkit.org/show_bug.cgi?id=181182
13         https://trac.webkit.org/changeset/226937
14
15 2018-01-16  Michael Catanzaro  <mcatanzaro@igalia.com>
16
17         Test programs should only be built in developer mode
18         https://bugs.webkit.org/show_bug.cgi?id=181653
19
20         Reviewed by Carlos Garcia Campos.
21
22         Build test programs only in developer mode, and fix code style.
23
24         * shell/CMakeLists.txt:
25
26 2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>
27
28         Improve use of ExportMacros
29         https://bugs.webkit.org/show_bug.cgi?id=181652
30
31         Reviewed by Konstantin Tokarev.
32
33         * API/JSBase.h: Update a comment.
34         * inspector/InspectorBackendDispatcher.h: Use a better, yet equivalent, WTF macro.
35         * runtime/JSExportMacros.h: Simplify the #defines in this file.
36
37 2018-01-15  JF Bastien  <jfbastien@apple.com>
38
39         Remove makePoisonedUnique
40         https://bugs.webkit.org/show_bug.cgi?id=181630
41         <rdar://problem/36498623>
42
43         Reviewed by Mark Lam.
44
45         I added a conversion from std::unique_ptr, so we can just use
46         std::make_unique and it'll auto-poison when converted.
47
48         * bytecode/CodeBlock.h:
49         (JSC::CodeBlock::makePoisonedUnique): Deleted.
50         * runtime/JSGlobalObject.cpp:
51         (JSC::JSGlobalObject::init):
52         * runtime/JSGlobalObject.h:
53         (JSC::JSGlobalObject::makePoisonedUnique): Deleted.
54
55 2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>
56
57         REGRESSION(r226266): [GTK] RELEASE_ASSERT(reservedZoneSize >= minimumReservedZoneSize) in JSC::VM::updateStackLimits
58         https://bugs.webkit.org/show_bug.cgi?id=181438
59         <rdar://problem/36376724>
60
61         Reviewed by Carlos Garcia Campos.
62
63         Roll out the functional changes of r226266. We'll keep the minor CMake library type setting
64         cleanup, but we have to switch back to building JSC only as a shared library, and we have to
65         get rid of the version script.
66
67         * PlatformGTK.cmake:
68         * javascriptcoregtk-symbols.map: Removed.
69
70 2018-01-14  Saam Barati  <sbarati@apple.com>
71
72         Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build.
73
74         * bytecode/CallLinkStatus.cpp:
75         (JSC::CallLinkStatus::computeFromLLInt):
76         (JSC::CallLinkStatus::computeExitSiteData):
77
78 2018-01-13  Mark Lam  <mark.lam@apple.com>
79
80         Replace all use of ConstExprPoisoned with Poisoned.
81         https://bugs.webkit.org/show_bug.cgi?id=181542
82         <rdar://problem/36442138>
83
84         Reviewed by JF Bastien.
85
86         1. All JSC poisons are now defined in JSCPoison.h.
87
88         2. Change all clients to use the new poison values via the POISON() macro.
89
90         3. The LLInt code has been updated to handle CodeBlock poison.  Some of this code
91            uses the t5 temp register, which is not available on the Windows port.
92            Fortunately, we don't currently do poisoning on the Windows port yet.  So,
93            it will just work for now.
94
95            When poisoning is enabled for the Windows port, this LLInt code will need a
96            Windows specific implementation to workaround its lack of a t5 register.
97
98         * API/JSAPIWrapperObject.h:
99         * API/JSCallbackFunction.h:
100         * API/JSCallbackObject.h:
101         * JavaScriptCore.xcodeproj/project.pbxproj:
102         * Sources.txt:
103         * assembler/MacroAssemblerCodeRef.h:
104         (JSC::MacroAssemblerCodePtr::emptyValue):
105         (JSC::MacroAssemblerCodePtr::deletedValue):
106         * b3/B3LowerMacros.cpp:
107         * b3/testb3.cpp:
108         (JSC::B3::testInterpreter):
109         * bytecode/CodeBlock.h:
110         (JSC::CodeBlock::instructions):
111         (JSC::CodeBlock::instructions const):
112         (JSC::CodeBlock::makePoisonedUnique):
113         * dfg/DFGOSRExitCompilerCommon.h:
114         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
115         * dfg/DFGSpeculativeJIT.cpp:
116         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
117         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
118         * ftl/FTLLowerDFGToB3.cpp:
119         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
120         * jit/JIT.h:
121         * jit/ThunkGenerators.cpp:
122         (JSC::virtualThunkFor):
123         (JSC::nativeForGenerator):
124         (JSC::boundThisNoArgsFunctionCallGenerator):
125         * llint/LowLevelInterpreter.asm:
126         * llint/LowLevelInterpreter32_64.asm:
127         * llint/LowLevelInterpreter64.asm:
128         * parser/UnlinkedSourceCode.h:
129         * runtime/ArrayPrototype.h:
130         * runtime/CustomGetterSetter.h:
131         * runtime/DateInstance.h:
132         * runtime/InternalFunction.h:
133         * runtime/JSArrayBuffer.h:
134         * runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
135         (JSC::initializePoison):
136         * runtime/JSCPoison.h:
137         (): Deleted.
138         * runtime/JSCPoisonedPtr.cpp: Removed.
139         * runtime/JSCPoisonedPtr.h: Removed.
140         * runtime/JSGlobalObject.h:
141         (JSC::JSGlobalObject::makePoisonedUnique):
142         * runtime/JSScriptFetchParameters.h:
143         * runtime/JSScriptFetcher.h:
144         * runtime/NativeExecutable.h:
145         * runtime/StructureTransitionTable.h:
146         (JSC::StructureTransitionTable::map const):
147         (JSC::StructureTransitionTable::weakImpl const):
148         * runtime/WriteBarrier.h:
149         (JSC::WriteBarrier::poison):
150         * wasm/js/JSToWasm.cpp:
151         (JSC::Wasm::createJSToWasmWrapper):
152         * wasm/js/JSWebAssemblyCodeBlock.cpp:
153         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
154         * wasm/js/JSWebAssemblyCodeBlock.h:
155         * wasm/js/JSWebAssemblyInstance.h:
156         * wasm/js/JSWebAssemblyMemory.h:
157         * wasm/js/JSWebAssemblyModule.h:
158         * wasm/js/JSWebAssemblyTable.h:
159         * wasm/js/WasmToJS.cpp:
160         (JSC::Wasm::handleBadI64Use):
161         (JSC::Wasm::wasmToJS):
162         * wasm/js/WebAssemblyFunctionBase.h:
163         * wasm/js/WebAssemblyModuleRecord.h:
164         * wasm/js/WebAssemblyToJSCallee.h:
165         * wasm/js/WebAssemblyWrapperFunction.h:
166
167 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
168
169         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
170         https://bugs.webkit.org/show_bug.cgi?id=181182
171
172         Reviewed by Darin Adler.
173
174         Casting double to integer is undefined behavior when the truncation
175         results in a value that doesn't fit into the integer size, according to the C++
176         spec [1]. Thus, we are changing bigIntProtoFuncToString and
177         numberProtoFuncToString to remove these sources of undefined behavior.
178
179         [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
180
181         * runtime/BigIntPrototype.cpp:
182         (JSC::bigIntProtoFuncToString):
183         * runtime/NumberPrototype.cpp:
184         (JSC::numberProtoFuncToString):
185         (JSC::extractRadixFromArgs): Deleted.
186         (JSC::extractToStringRadixArgument): Added.
187
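The entry above describes the class of bug (an out-of-range double cast to int32_t is undefined behavior in C++, and a toString radix argument is attacker-controlled input) without showing the UB-free shape of the fix. What follows is an added example written for this page; it is not JSC's extractToStringRadixArgument or any other WebKit code. It assumes the ECMAScript semantics of Number.prototype.toString(radix): an undefined radix means 10, otherwise the value goes through ToInteger (NaN becomes 0, everything else truncates toward zero) and anything outside 2..36 is a RangeError. The helper names doubleToInt32Checked, checkedRadixFromDouble, RadixStatus and RadixResult are hypothetical. The naive "static_cast<int32_t>(radixDouble)" path is deliberately not executed here, because running it on a value such as 1e10 is exactly the undefined behavior the entry removes.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// General pattern: range-check in the double domain, then cast. The cast is only reached
// for values the int32_t can represent, so it is never undefined behavior.
bool doubleToInt32Checked(double value, int32_t& out)
{
    if (std::isnan(value))
        return false;
    double truncated = std::trunc(value); // +/-Infinity stays infinite and fails the range test below
    if (truncated < static_cast<double>(std::numeric_limits<int32_t>::min())
        || truncated > static_cast<double>(std::numeric_limits<int32_t>::max()))
        return false;
    out = static_cast<int32_t>(truncated);
    return true;
}

// Outcome of validating a toString() radix argument (hypothetical types for this example).
enum class RadixStatus { Valid, RangeError };

struct RadixResult {
    RadixStatus status;
    int32_t radix; // meaningful only when status == Valid
};

// Applies the spec's ToInteger step and the 2..36 range check without ever casting an
// unchecked double. radixIsUndefined models a missing argument (radix defaults to 10).
RadixResult checkedRadixFromDouble(bool radixIsUndefined, double radixValue)
{
    if (radixIsUndefined)
        return { RadixStatus::Valid, 10 };
    // ToInteger: NaN becomes 0; everything else truncates toward zero. Done in the double
    // domain so that huge or infinite inputs never reach the int32_t cast.
    double integer = std::isnan(radixValue) ? 0.0 : std::trunc(radixValue);
    int32_t radix = 0;
    if (!doubleToInt32Checked(integer, radix) || radix < 2 || radix > 36)
        return { RadixStatus::RangeError, 0 };
    return { RadixStatus::Valid, radix };
}

int main()
{
    // Constructed sample inputs: in-range, fractional, far out of int32 range, negative huge, NaN.
    const double samples[] = { 16.0, 36.9, 1e10, -1e300, std::numeric_limits<double>::quiet_NaN() };
    for (double sample : samples) {
        RadixResult result = checkedRadixFromDouble(false, sample);
        if (result.status == RadixStatus::Valid)
            std::printf("radix %g -> %d\n", sample, static_cast<int>(result.radix));
        else
            std::printf("radix %g -> RangeError\n", sample);
    }
    return 0;
}
```

The same pattern applies to any double-to-integer conversion fed by script: decide in the floating-point domain whether the value is representable, and only then cast. Comparing against the int32_t limits converted to double is exact, because both limits are representable as doubles.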
188 2018-01-12  Saam Barati  <sbarati@apple.com>
189
190         Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock
191         https://bugs.webkit.org/show_bug.cgi?id=181545
192
193         Reviewed by Michael Saboff.
194
195         This patch follows the theme of putting optimization profiling information on
196         UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data.
197         This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock
198         pulled from the code cache, making better compilation decisions, usually
199         resulting in fewer exits, and fewer recompilations.
200         
201         This is a 1% Speedometer progression in my testing.
202
203         * bytecode/BytecodeDumper.cpp:
204         (JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
205         * bytecode/CallLinkStatus.cpp:
206         (JSC::CallLinkStatus::computeFromLLInt):
207         (JSC::CallLinkStatus::computeFor):
208         (JSC::CallLinkStatus::computeExitSiteData):
209         (JSC::CallLinkStatus::computeDFGStatuses):
210         * bytecode/CallLinkStatus.h:
211         * bytecode/CodeBlock.h:
212         (JSC::CodeBlock::addFrequentExitSite): Deleted.
213         (JSC::CodeBlock::hasExitSite const): Deleted.
214         (JSC::CodeBlock::exitProfile): Deleted.
215         * bytecode/DFGExitProfile.cpp:
216         (JSC::DFG::ExitProfile::add):
217         (JSC::DFG::QueryableExitProfile::initialize):
218         * bytecode/DFGExitProfile.h:
219         (JSC::DFG::ExitProfile::hasExitSite const):
220         * bytecode/GetByIdStatus.cpp:
221         (JSC::GetByIdStatus::hasExitSite):
222         (JSC::GetByIdStatus::computeFor):
223         (JSC::GetByIdStatus::computeForStubInfo):
224         * bytecode/GetByIdStatus.h:
225         * bytecode/PutByIdStatus.cpp:
226         (JSC::PutByIdStatus::hasExitSite):
227         (JSC::PutByIdStatus::computeFor):
228         (JSC::PutByIdStatus::computeForStubInfo):
229         * bytecode/PutByIdStatus.h:
230         * bytecode/UnlinkedCodeBlock.cpp:
231         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
232         * bytecode/UnlinkedCodeBlock.h:
233         (JSC::UnlinkedCodeBlock::hasExitSite const):
234         (JSC::UnlinkedCodeBlock::hasExitSite):
235         (JSC::UnlinkedCodeBlock::exitProfile):
236         * dfg/DFGByteCodeParser.cpp:
237         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
238         * dfg/DFGGraph.h:
239         (JSC::DFG::Graph::hasGlobalExitSite):
240         (JSC::DFG::Graph::hasExitSite):
241         * dfg/DFGLICMPhase.cpp:
242         (JSC::DFG::LICMPhase::attemptHoist):
243         * dfg/DFGOSRExitBase.cpp:
244         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
245
246 2018-01-12  JF Bastien  <jfbastien@apple.com>
247
248         PoisonedWriteBarrier
249         https://bugs.webkit.org/show_bug.cgi?id=181599
250         <rdar://problem/36474351>
251
252         Reviewed by Mark Lam.
253
254         Allow poisoning of WriteBarrier objects, and use this for
255         WebAssembly because it is perf-neutral, at least on WasmBench on
256         my MBP. If it indeed is perf-neutral according to the bots, start
257         using it in more performance-sensitive places.
258
259         * heap/HandleTypes.h:
260         * heap/SlotVisitor.h:
261         * heap/SlotVisitorInlines.h:
262         (JSC::SlotVisitor::append):
263         (JSC::SlotVisitor::appendHidden):
264         * runtime/JSCJSValue.h:
265         * runtime/JSCPoison.h:
266         * runtime/Structure.h:
267         * runtime/StructureInlines.h:
268         (JSC::Structure::setPrototypeWithoutTransition):
269         (JSC::Structure::setGlobalObject):
270         (JSC::Structure::setPreviousID):
271         * runtime/WriteBarrier.h:
272         (JSC::WriteBarrierBase::copyFrom):
273         (JSC::WriteBarrierBase::get const):
274         (JSC::WriteBarrierBase::operator* const):
275         (JSC::WriteBarrierBase::operator-> const):
276         (JSC::WriteBarrierBase::clear):
277         (JSC::WriteBarrierBase::slot):
278         (JSC::WriteBarrierBase::operator bool const):
279         (JSC::WriteBarrierBase::setWithoutWriteBarrier):
280         (JSC::WriteBarrierBase::unvalidatedGet const):
281         (JSC::operator==):
282         * runtime/WriteBarrierInlines.h:
283         (JSC::Traits>::set):
284         (JSC::Traits>::setMayBeNull):
285         (JSC::Traits>::setEarlyValue):
286         (JSC::DumbValueTraits<Unknown>>::set):
287         * wasm/WasmInstance.h:
288         * wasm/js/JSWebAssemblyInstance.cpp:
289         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
290         (JSC::JSWebAssemblyInstance::finishCreation):
291         (JSC::JSWebAssemblyInstance::visitChildren):
292         (JSC::JSWebAssemblyInstance::create):
293         * wasm/js/JSWebAssemblyInstance.h:
294         (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee):
295         * wasm/js/JSWebAssemblyMemory.h:
296         * wasm/js/JSWebAssemblyModule.h:
297         * wasm/js/JSWebAssemblyTable.cpp:
298         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
299         (JSC::JSWebAssemblyTable::grow):
300         (JSC::JSWebAssemblyTable::clearFunction):
301         * wasm/js/JSWebAssemblyTable.h:
302         * wasm/js/WasmToJS.cpp:
303         (JSC::Wasm::materializeImportJSCell):
304         (JSC::Wasm::handleBadI64Use):
305         (JSC::Wasm::wasmToJS):
306         * wasm/js/WebAssemblyFunctionBase.h:
307         * wasm/js/WebAssemblyModuleRecord.cpp:
308         (JSC::WebAssemblyModuleRecord::link):
309         (JSC::WebAssemblyModuleRecord::evaluate):
310         * wasm/js/WebAssemblyModuleRecord.h:
311         * wasm/js/WebAssemblyToJSCallee.h:
312         * wasm/js/WebAssemblyWrapperFunction.h:
313
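Three entries on this page (the makePoisonedUnique removal, the ConstExprPoisoned-to-Poisoned replacement, and PoisonedWriteBarrier) apply pointer poisoning to more of JSC, but none of them spells out what the mitigation does. The following is an added illustration of the general technique, written for this page; it is not WebKit's Poisoned or WTF code and does not reproduce JSC's key handling (the body of initializePoison is not on this page). It assumes the common form of the technique: the word stored in memory is the raw pointer XORed with a secret key chosen per pointer kind, so a memory-disclosure read of the field does not yield a usable address, an attacker-written raw pointer decodes to garbage, and a type-confused read that applies the wrong kind's key lands somewhere useless. The unique_ptr-accepting owner mirrors the "use std::make_unique and it'll auto-poison when converted" idea. All names (codeBlockPoison, nativeExecutablePoison, Poisoned, PoisonedUniquePtr, decodeWithWrongKey, Payload) are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <random>
#include <utility>

using PoisonKey = uintptr_t;

// One secret per pointer kind. The low bit is forced to 1 so that a poisoned word used
// without unpoisoning is an odd, misaligned address rather than a plausible object
// pointer. Assumption for this example: a real implementation draws the key from a
// CSPRNG once at process start; here a std::random_device-seeded generator stands in.
inline PoisonKey makePoisonKey()
{
    std::mt19937_64 generator(std::random_device{}());
    return static_cast<PoisonKey>(generator()) | 1;
}

// Two distinct pointer kinds, each with its own key (stand-ins for per-type poisons that a
// JSCPoison.h-style header would declare).
PoisonKey codeBlockPoison()
{
    static const PoisonKey key = makePoisonKey();
    return key;
}

PoisonKey nativeExecutablePoison()
{
    static const PoisonKey key = makePoisonKey();
    return key;
}

// Non-owning poisoned pointer. Null is stored as 0; a non-null poisoned value can never be
// 0 because the key is odd and object pointers are even.
template<typename T, PoisonKey (*keyFn)()>
class Poisoned {
public:
    Poisoned() = default;
    explicit Poisoned(T* ptr) { reset(ptr); }
    void reset(T* ptr) { m_bits = ptr ? reinterpret_cast<uintptr_t>(ptr) ^ keyFn() : 0; }
    T* unpoisoned() const { return m_bits ? reinterpret_cast<T*>(m_bits ^ keyFn()) : nullptr; }
    T* operator->() const { return unpoisoned(); }
    uintptr_t bits() const { return m_bits; } // the word an attacker reading memory sees
private:
    uintptr_t m_bits { 0 };
};

// Owning variant that accepts std::unique_ptr, so call sites keep using std::make_unique
// and the pointer is poisoned at the moment of conversion.
template<typename T, PoisonKey (*keyFn)()>
class PoisonedUniquePtr {
public:
    PoisonedUniquePtr() = default;
    PoisonedUniquePtr(std::unique_ptr<T>&& owner) : m_ptr(owner.release()) {}
    PoisonedUniquePtr(PoisonedUniquePtr&& other) noexcept : m_ptr(other.m_ptr) { other.m_ptr.reset(nullptr); }
    PoisonedUniquePtr(const PoisonedUniquePtr&) = delete;
    PoisonedUniquePtr& operator=(const PoisonedUniquePtr&) = delete;
    ~PoisonedUniquePtr() { delete m_ptr.unpoisoned(); }
    T* get() const { return m_ptr.unpoisoned(); }
    T* operator->() const { return get(); }
    uintptr_t bits() const { return m_ptr.bits(); }
private:
    Poisoned<T, keyFn> m_ptr;
};

// What a type-confused read computes: the stored word decoded with another kind's key.
inline uintptr_t decodeWithWrongKey(uintptr_t bits, PoisonKey wrongKey)
{
    return bits ^ wrongKey;
}

// Sample object type, constructed for this example.
struct Payload {
    int value;
};

int main()
{
    Payload object { 42 };
    Poisoned<Payload, codeBlockPoison> poisoned(&object);
    std::printf("raw      %#llx\n", static_cast<unsigned long long>(reinterpret_cast<uintptr_t>(&object)));
    std::printf("in memory %#llx\n", static_cast<unsigned long long>(poisoned.bits()));
    std::printf("wrong key %#llx\n",
        static_cast<unsigned long long>(decodeWithWrongKey(poisoned.bits(), nativeExecutablePoison())));
    std::printf("decoded value %d\n", poisoned->value);

    PoisonedUniquePtr<Payload, nativeExecutablePoison> holder(std::make_unique<Payload>());
    holder->value = 7;
    std::printf("owned value %d (stored word %#llx)\n", holder->value,
        static_cast<unsigned long long>(holder.bits()));
    return 0;
}
```

The property worth checking in a review of code like this is the one the test below checks: the stored word differs from the raw address, decodes back exactly under the right key, and decodes to something else under any other kind's key. Poisoning is a hardening measure, not a type system; the key leaks the moment an attacker can read one (poisoned, raw) pair for the same kind, which is why per-kind keys limit the blast radius of a single disclosure.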
314 2018-01-12  Saam Barati  <sbarati@apple.com>
315
316         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
317         https://bugs.webkit.org/show_bug.cgi?id=181177
318         <rdar://problem/36205704>
319
320         Reviewed by Yusuke Suzuki.
321
322         The semantics of CheckStructure are such that it does not allow the empty value to flow through it.
323         However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't
324         have semantic consequences when validation is turned off. However, with validation on, this trips up
325         our OSR exit machinery that says when an exit is allowed to happen.
326         
327         Consider the following IR:
328         
329         a: GetClosureVar // Or any other node that produces BytecodeTop
330         ...
331         c: CheckStructure(Cell:@a, {s2})
332         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
333         
334         In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this:
335         a: GetClosureVar
336         e: CheckStructureOrEmpty(@a, {s1})
337         ...
338         f: CheckStructureOrEmpty(@a, {s2})
339         c: CheckStructure(Cell:@a, {s2})
340         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
341         
342         This will cause constant folding to change the IR to:
343         a: GetClosureVar
344         e: CheckStructureOrEmpty(@a, {s1})
345         ...
346         f: CheckStructureOrEmpty(@a, {s2})
347         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
348         
349         Our mayExit analysis determines that the PutByOffset should not exit. Note
350         that AI will determine the only value the PutByOffset can see in @a is 
351         the empty value. Because KnownCell filters SpecCell and not SpecCellCheck,
352         when lowering the PutByOffset, we reach a contradiction in AI and emit
353         an OSR exit. However, because mayExit said we couldn't exit, we assert.
354         
355         Note that if we did not run the TypeCheckHoistingPhase on this IR, AI
356         would have determined we would OSR exit at the second CheckStructure.
357         
358         This patch makes it so constant folding produces the following IR:
359         a: GetClosureVar
360         e: CheckStructureOrEmpty(@a, {s1})
361         g: AssertNotEmpty(@a)
362         ...
363         f: CheckStructureOrEmpty(@a, {s2})
364         h: AssertNotEmpty(@a)
365         d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
366         
367         This modification will cause AI to know we will OSR exit before even reaching
368         the PutByOffset. Note that in the original IR, the GetClosureVar won't
369         actually produce the TDZ value. If it did, bytecode would have caused us
370         to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's
371         why this bug is about IR bookkeeping and not an actual error in IR analysis.
372         This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be
373         more congruous with CheckStructure's semantics of crashing on the empty value
374         as input (on 64 bit platforms).
375
376         * dfg/DFGAbstractInterpreterInlines.h:
377         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
378         * dfg/DFGClobberize.h:
379         (JSC::DFG::clobberize):
380         * dfg/DFGConstantFoldingPhase.cpp:
381         (JSC::DFG::ConstantFoldingPhase::foldConstants):
382         * dfg/DFGDoesGC.cpp:
383         (JSC::DFG::doesGC):
384         * dfg/DFGFixupPhase.cpp:
385         (JSC::DFG::FixupPhase::fixupNode):
386         * dfg/DFGNodeType.h:
387         * dfg/DFGPredictionPropagationPhase.cpp:
388         * dfg/DFGSafeToExecute.h:
389         (JSC::DFG::safeToExecute):
390         * dfg/DFGSpeculativeJIT32_64.cpp:
391         (JSC::DFG::SpeculativeJIT::compile):
392         * dfg/DFGSpeculativeJIT64.cpp:
393         (JSC::DFG::SpeculativeJIT::compile):
394         * ftl/FTLCapabilities.cpp:
395         (JSC::FTL::canCompile):
396         * ftl/FTLLowerDFGToB3.cpp:
397         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
398         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
399
400 2018-01-12  Joseph Pecoraro  <pecoraro@apple.com>
401
402         Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent
403         https://bugs.webkit.org/show_bug.cgi?id=181579
404         <rdar://problem/36193759>
405
406         Reviewed by Brian Burg.
407
408         * inspector/agents/InspectorConsoleAgent.h:
409         * inspector/agents/InspectorConsoleAgent.cpp:
410         (Inspector::InspectorConsoleAgent::clearMessages):
411         (Inspector::InspectorConsoleAgent::addConsoleMessage):
412         Switch from a raw pointer to m_consoleMessages.last().
413         Also move the expiration check into the if block since it can only
414         happen inside here when the number of console messages changes.
415
416         (Inspector::InspectorConsoleAgent::discardValues):
417         Also clear the expired message count when messages are cleared.
418
419 2018-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>
420
421         [JSC] Create parallel SlotVisitors apriori
422         https://bugs.webkit.org/show_bug.cgi?id=180907
423
424         Reviewed by Saam Barati.
425
426         The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
427         If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
428         Then we do not need to grab locks while iterating all the SlotVisitors.
429
430         In addition, we do not need to consider the case that the number of SlotVisitors increases
431         after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
432         does not increase any more.
433
434         * heap/Heap.cpp:
435         (JSC::Heap::Heap):
436         (JSC::Heap::runBeginPhase):
437         * heap/Heap.h:
438         * heap/HeapInlines.h:
439         (JSC::Heap::forEachSlotVisitor):
440         (JSC::Heap::numberOfSlotVisitors): Deleted.
441         * heap/MarkingConstraintSolver.cpp:
442         (JSC::MarkingConstraintSolver::didVisitSomething const):
443
444 2018-01-12  Saam Barati  <sbarati@apple.com>
445
446         Each variant of a polymorphic inlined call should be exitOK at the top of the block
447         https://bugs.webkit.org/show_bug.cgi?id=181562
448         <rdar://problem/36445624>
449
450         Reviewed by Yusuke Suzuki.
451
452         Before this patch, the very first block in the switch for polymorphic call
453         inlining will have exitOK at the top. The others are not guaranteed to.
454         That was just a bug. They're all exitOK at the top. This will lead to crashes
455         in FixupPhase because we won't have a node in a block that has ExitOK, so
456         when we fixup various type checks, we assert out.
457
458         * dfg/DFGByteCodeParser.cpp:
459         (JSC::DFG::ByteCodeParser::handleInlining):
460
461 2018-01-11  Keith Miller  <keith_miller@apple.com>
462
463         Rename ENABLE_ASYNC_ITERATION to ENABLE_JS_ASYNC_ITERATION
464         https://bugs.webkit.org/show_bug.cgi?id=181573
465
466         Reviewed by Simon Fraser.
467
468         * Configurations/FeatureDefines.xcconfig:
469         * runtime/Options.h:
470
471 2018-01-11  Michael Saboff  <msaboff@apple.com>
472
473         REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters
474         https://bugs.webkit.org/show_bug.cgi?id=181570
475
476         Reviewed by Keith Miller.
477
478         * assembler/MacroAssemblerARM64.h:
479         (JSC::MacroAssemblerARM64::abortWithReason):
480         Reverting these functions to use dataTempRegister and memoryTempRegister as they are
481         JIT release asserts that will crash the program.
482
483         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
484         Changed this so that it invalidates any cached dataTmpRegister contents if temp register
485         caching is enabled.
486
487 2018-01-11  Filip Pizlo  <fpizlo@apple.com>
488
489         Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes
490         https://bugs.webkit.org/show_bug.cgi?id=181543
491
492         Rubber stamped by Michael Saboff.
493         
494         In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't
495         really have anything to do with allocation anymore. The allocation will be done by something
496         in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a
497         place to find blocks (a "block directory").
498
499         Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the
500         attributes of the HeapCellType. So let's call them CellAttributes.
501
502         * JavaScriptCore.xcodeproj/project.pbxproj:
503         * Sources.txt:
504         * bytecode/AccessCase.cpp:
505         (JSC::AccessCase::generateImpl):
506         * bytecode/ObjectAllocationProfile.h:
507         * bytecode/ObjectAllocationProfileInlines.h:
508         (JSC::ObjectAllocationProfile::initializeProfile):
509         * dfg/DFGSpeculativeJIT.cpp:
510         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
511         (JSC::DFG::SpeculativeJIT::compileMakeRope):
512         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
513         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
514         (JSC::DFG::SpeculativeJIT::compileNewObject):
515         * dfg/DFGSpeculativeJIT.h:
516         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
517         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
518         * ftl/FTLAbstractHeapRepository.h:
519         * ftl/FTLLowerDFGToB3.cpp:
520         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
521         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
522         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
523         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
524         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
525         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
526         * heap/AlignedMemoryAllocator.cpp:
527         (JSC::AlignedMemoryAllocator::registerDirectory):
528         (JSC::AlignedMemoryAllocator::registerAllocator): Deleted.
529         * heap/AlignedMemoryAllocator.h:
530         (JSC::AlignedMemoryAllocator::firstDirectory const):
531         (JSC::AlignedMemoryAllocator::firstAllocator const): Deleted.
532         * heap/AllocatorAttributes.cpp: Removed.
533         * heap/AllocatorAttributes.h: Removed.
534         * heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp.
535         (JSC::BlockDirectory::BlockDirectory):
536         (JSC::BlockDirectory::setSubspace):
537         (JSC::BlockDirectory::isPagedOut):
538         (JSC::BlockDirectory::findEmptyBlockToSteal):
539         (JSC::BlockDirectory::didConsumeFreeList):
540         (JSC::BlockDirectory::tryAllocateWithoutCollecting):
541         (JSC::BlockDirectory::allocateIn):
542         (JSC::BlockDirectory::tryAllocateIn):
543         (JSC::BlockDirectory::doTestCollectionsIfNeeded):
544         (JSC::BlockDirectory::allocateSlowCase):
545         (JSC::BlockDirectory::blockSizeForBytes):
546         (JSC::BlockDirectory::tryAllocateBlock):
547         (JSC::BlockDirectory::addBlock):
548         (JSC::BlockDirectory::removeBlock):
549         (JSC::BlockDirectory::stopAllocating):
550         (JSC::BlockDirectory::prepareForAllocation):
551         (JSC::BlockDirectory::lastChanceToFinalize):
552         (JSC::BlockDirectory::resumeAllocating):
553         (JSC::BlockDirectory::beginMarkingForFullCollection):
554         (JSC::BlockDirectory::endMarking):
555         (JSC::BlockDirectory::snapshotUnsweptForEdenCollection):
556         (JSC::BlockDirectory::snapshotUnsweptForFullCollection):
557         (JSC::BlockDirectory::findBlockToSweep):
558         (JSC::BlockDirectory::sweep):
559         (JSC::BlockDirectory::shrink):
560         (JSC::BlockDirectory::assertNoUnswept):
561         (JSC::BlockDirectory::parallelNotEmptyBlockSource):
562         (JSC::BlockDirectory::dump const):
563         (JSC::BlockDirectory::dumpBits):
564         (JSC::BlockDirectory::markedSpace const):
565         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
566         (JSC::MarkedAllocator::setSubspace): Deleted.
567         (JSC::MarkedAllocator::isPagedOut): Deleted.
568         (JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted.
569         (JSC::MarkedAllocator::didConsumeFreeList): Deleted.
570         (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
571         (JSC::MarkedAllocator::allocateIn): Deleted.
572         (JSC::MarkedAllocator::tryAllocateIn): Deleted.
573         (JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted.
574         (JSC::MarkedAllocator::allocateSlowCase): Deleted.
575         (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
576         (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
577         (JSC::MarkedAllocator::addBlock): Deleted.
578         (JSC::MarkedAllocator::removeBlock): Deleted.
579         (JSC::MarkedAllocator::stopAllocating): Deleted.
580         (JSC::MarkedAllocator::prepareForAllocation): Deleted.
581         (JSC::MarkedAllocator::lastChanceToFinalize): Deleted.
582         (JSC::MarkedAllocator::resumeAllocating): Deleted.
583         (JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted.
584         (JSC::MarkedAllocator::endMarking): Deleted.
585         (JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted.
586         (JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted.
587         (JSC::MarkedAllocator::findBlockToSweep): Deleted.
588         (JSC::MarkedAllocator::sweep): Deleted.
589         (JSC::MarkedAllocator::shrink): Deleted.
590         (JSC::MarkedAllocator::assertNoUnswept): Deleted.
591         (JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted.
592         (JSC::MarkedAllocator::dump const): Deleted.
593         (JSC::MarkedAllocator::dumpBits): Deleted.
594         (JSC::MarkedAllocator::markedSpace const): Deleted.
595         * heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h.
596         (JSC::BlockDirectory::attributes const):
597         (JSC::BlockDirectory::forEachBitVector):
598         (JSC::BlockDirectory::forEachBitVectorWithName):
599         (JSC::BlockDirectory::nextDirectory const):
600         (JSC::BlockDirectory::nextDirectoryInSubspace const):
601         (JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const):
602         (JSC::BlockDirectory::setNextDirectory):
603         (JSC::BlockDirectory::setNextDirectoryInSubspace):
604         (JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator):
605         (JSC::BlockDirectory::offsetOfFreeList):
606         (JSC::BlockDirectory::offsetOfCellSize):
607         (JSC::MarkedAllocator::cellSize const): Deleted.
608         (JSC::MarkedAllocator::attributes const): Deleted.
609         (JSC::MarkedAllocator::needsDestruction const): Deleted.
610         (JSC::MarkedAllocator::destruction const): Deleted.
611         (JSC::MarkedAllocator::cellKind const): Deleted.
612         (JSC::MarkedAllocator::heap): Deleted.
613         (JSC::MarkedAllocator::bitvectorLock): Deleted.
614         (JSC::MarkedAllocator::forEachBitVector): Deleted.
615         (JSC::MarkedAllocator::forEachBitVectorWithName): Deleted.
616         (JSC::MarkedAllocator::nextAllocator const): Deleted.
617         (JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted.
618         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted.
619         (JSC::MarkedAllocator::setNextAllocator): Deleted.
620         (JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted.
621         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted.
622         (JSC::MarkedAllocator::subspace const): Deleted.
623         (JSC::MarkedAllocator::freeList const): Deleted.
624         (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
625         (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
626         * heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h.
627         (JSC::BlockDirectory::isFreeListedCell const):
628         (JSC::BlockDirectory::allocate):
629         (JSC::BlockDirectory::forEachBlock):
630         (JSC::BlockDirectory::forEachNotEmptyBlock):
631         (JSC::MarkedAllocator::isFreeListedCell const): Deleted.
632         (JSC::MarkedAllocator::allocate): Deleted.
633         (JSC::MarkedAllocator::forEachBlock): Deleted.
634         (JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted.
635         * heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp.
636         (JSC::CellAttributes::dump const):
637         (JSC::AllocatorAttributes::dump const): Deleted.
638         * heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h.
639         (JSC::CellAttributes::CellAttributes):
640         (JSC::AllocatorAttributes::AllocatorAttributes): Deleted.
641         * heap/CompleteSubspace.cpp:
642         (JSC::CompleteSubspace::allocatorFor):
643         (JSC::CompleteSubspace::allocateNonVirtual):
644         (JSC::CompleteSubspace::allocatorForSlow):
645         (JSC::CompleteSubspace::tryAllocateSlow):
646         * heap/CompleteSubspace.h:
647         (JSC::CompleteSubspace::allocatorForSizeStep):
648         (JSC::CompleteSubspace::allocatorForNonVirtual):
649         * heap/GCDeferralContext.h:
650         * heap/Heap.cpp:
651         (JSC::Heap::updateAllocationLimits):
652         * heap/Heap.h:
653         * heap/HeapCell.h:
654         * heap/HeapCellInlines.h:
655         (JSC::HeapCell::cellAttributes const):
656         (JSC::HeapCell::destructionMode const):
657         (JSC::HeapCell::cellKind const):
658         (JSC::HeapCell::allocatorAttributes const): Deleted.
659         * heap/HeapCellType.cpp:
660         (JSC::HeapCellType::HeapCellType):
661         * heap/HeapCellType.h:
662         (JSC::HeapCellType::attributes const):
663         * heap/IncrementalSweeper.cpp:
664         (JSC::IncrementalSweeper::IncrementalSweeper):
665         (JSC::IncrementalSweeper::sweepNextBlock):
666         (JSC::IncrementalSweeper::startSweeping):
667         (JSC::IncrementalSweeper::stopSweeping):
668         * heap/IncrementalSweeper.h:
669         * heap/IsoCellSet.cpp:
670         (JSC::IsoCellSet::IsoCellSet):
671         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
672         (JSC::IsoCellSet::addSlow):
673         (JSC::IsoCellSet::didRemoveBlock):
674         (JSC::IsoCellSet::sweepToFreeList):
675         * heap/IsoCellSetInlines.h:
676         (JSC::IsoCellSet::forEachMarkedCell):
677         (JSC::IsoCellSet::forEachLiveCell):
678         * heap/IsoSubspace.cpp:
679         (JSC::IsoSubspace::IsoSubspace):
680         (JSC::IsoSubspace::allocatorFor):
681         (JSC::IsoSubspace::allocateNonVirtual):
682         * heap/IsoSubspace.h:
683         (JSC::IsoSubspace::allocatorForNonVirtual):
684         * heap/LargeAllocation.h:
685         (JSC::LargeAllocation::attributes const):
686         * heap/MarkedAllocator.cpp: Removed.
687         * heap/MarkedAllocator.h: Removed.
688         * heap/MarkedAllocatorInlines.h: Removed.
689         * heap/MarkedBlock.cpp:
690         (JSC::MarkedBlock::Handle::~Handle):
691         (JSC::MarkedBlock::Handle::setIsFreeListed):
692         (JSC::MarkedBlock::Handle::stopAllocating):
693         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
694         (JSC::MarkedBlock::Handle::resumeAllocating):
695         (JSC::MarkedBlock::aboutToMarkSlow):
696         (JSC::MarkedBlock::Handle::didConsumeFreeList):
697         (JSC::MarkedBlock::noteMarkedSlow):
698         (JSC::MarkedBlock::Handle::removeFromDirectory):
699         (JSC::MarkedBlock::Handle::didAddToDirectory):
700         (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
701         (JSC::MarkedBlock::Handle::dumpState):
702         (JSC::MarkedBlock::Handle::subspace const):
703         (JSC::MarkedBlock::Handle::sweep):
704         (JSC::MarkedBlock::Handle::isFreeListedCell const):
705         (JSC::MarkedBlock::Handle::removeFromAllocator): Deleted.
706         (JSC::MarkedBlock::Handle::didAddToAllocator): Deleted.
707         (JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted.
708         * heap/MarkedBlock.h:
709         (JSC::MarkedBlock::Handle::directory const):
710         (JSC::MarkedBlock::Handle::attributes const):
711         (JSC::MarkedBlock::attributes const):
712         (JSC::MarkedBlock::Handle::allocator const): Deleted.
713         * heap/MarkedBlockInlines.h:
714         (JSC::MarkedBlock::Handle::isAllocated):
715         (JSC::MarkedBlock::Handle::isLive):
716         (JSC::MarkedBlock::Handle::specializedSweep):
717         (JSC::MarkedBlock::Handle::isEmpty):
718         * heap/MarkedSpace.cpp:
719         (JSC::MarkedSpace::lastChanceToFinalize):
720         (JSC::MarkedSpace::sweep):
721         (JSC::MarkedSpace::stopAllocating):
722         (JSC::MarkedSpace::resumeAllocating):
723         (JSC::MarkedSpace::isPagedOut):
724         (JSC::MarkedSpace::freeBlock):
725         (JSC::MarkedSpace::shrink):
726         (JSC::MarkedSpace::beginMarking):
727         (JSC::MarkedSpace::endMarking):
728         (JSC::MarkedSpace::snapshotUnswept):
729         (JSC::MarkedSpace::assertNoUnswept):
730         (JSC::MarkedSpace::dumpBits):
731         (JSC::MarkedSpace::addBlockDirectory):
732         (JSC::MarkedSpace::addMarkedAllocator): Deleted.
733         * heap/MarkedSpace.h:
734         (JSC::MarkedSpace::firstDirectory const):
735         (JSC::MarkedSpace::directoryLock):
736         (JSC::MarkedSpace::forEachBlock):
737         (JSC::MarkedSpace::forEachDirectory):
738         (JSC::MarkedSpace::firstAllocator const): Deleted.
739         (JSC::MarkedSpace::allocatorLock): Deleted.
740         (JSC::MarkedSpace::forEachAllocator): Deleted.
741         * heap/MarkedSpaceInlines.h:
742         * heap/Subspace.cpp:
743         (JSC::Subspace::initialize):
744         (JSC::Subspace::prepareForAllocation):
745         (JSC::Subspace::findEmptyBlockToSteal):
746         (JSC::Subspace::parallelDirectorySource):
747         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
748         (JSC::Subspace::sweep):
749         (JSC::Subspace::parallelAllocatorSource): Deleted.
750         * heap/Subspace.h:
751         (JSC::Subspace::attributes const):
752         (JSC::Subspace::didCreateFirstDirectory):
753         (JSC::Subspace::didCreateFirstAllocator): Deleted.
754         * heap/SubspaceInlines.h:
755         (JSC::Subspace::forEachDirectory):
756         (JSC::Subspace::forEachMarkedBlock):
757         (JSC::Subspace::forEachNotEmptyMarkedBlock):
758         (JSC::Subspace::forEachAllocator): Deleted.
759         * jit/AssemblyHelpers.h:
760         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
761         (JSC::AssemblyHelpers::emitAllocate):
762         (JSC::AssemblyHelpers::emitAllocateJSCell):
763         (JSC::AssemblyHelpers::emitAllocateJSObject):
764         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
765         * jit/JIT.h:
766         * jit/JITOpcodes.cpp:
767         (JSC::JIT::emit_op_new_object):
768         * jit/JITOpcodes32_64.cpp:
769         (JSC::JIT::emit_op_new_object):
770         * runtime/JSDestructibleObjectHeapCellType.cpp:
771         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
772         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
773         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
774         * runtime/JSStringHeapCellType.cpp:
775         (JSC::JSStringHeapCellType::JSStringHeapCellType):
776         * runtime/VM.cpp:
777         (JSC::VM::VM):
778         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
779         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
780
781 2018-01-11  Saam Barati  <sbarati@apple.com>
782
783         When inserting Unreachable in byte code parser we need to flush all the right things
784         https://bugs.webkit.org/show_bug.cgi?id=181509
785         <rdar://problem/36423110>
786
787         Reviewed by Mark Lam.
788
789         I added code in r226655 that had its own mechanism for preserving liveness when
790         inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
791         liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
792         I got some of these values wrong, which was leading to a crash when recovering the
793         callee value from an inlined frame. Instead of making the same mistake and repeating
794         similar code again, this patch refactors this logic to be shared with the other
795         liveness preservation code in the DFG bytecode parser. This is what I should have
796         done in my initial patch.
797
798         * bytecode/InlineCallFrame.h:
799         (JSC::remapOperand):
800         * dfg/DFGByteCodeParser.cpp:
801         (JSC::DFG::flushImpl):
802         (JSC::DFG::flushForTerminalImpl):
803         (JSC::DFG::ByteCodeParser::flush):
804         (JSC::DFG::ByteCodeParser::flushForTerminal):
805         (JSC::DFG::ByteCodeParser::parse):
806
807 2018-01-11  Saam Barati  <sbarati@apple.com>
808
809         JITMathIC code in the FTL is wrong when code gets duplicated
810         https://bugs.webkit.org/show_bug.cgi?id=181525
811         <rdar://problem/36351993>
812
813         Reviewed by Michael Saboff and Keith Miller.
814
815         B3/Air may duplicate code for various reasons. Patchpoint generators inside
816         FTLLower must be aware that they can be called multiple times because of this.
817         The patchpoint for math ICs was not aware of this, and shared state amongst
818         all invocations of the patchpoint's generator. This patch fixes this bug so
819         that each invocation of the patchpoint's generator gets a unique math IC.
820
821         * bytecode/CodeBlock.h:
822         (JSC::CodeBlock::addMathIC):
823         * ftl/FTLLowerDFGToB3.cpp:
824         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
825         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
826         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
827         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
828         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
829         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
830         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
831         * jit/JITMathIC.h:
832         (JSC::isProfileEmpty):
833
834 2018-01-11  Michael Saboff  <msaboff@apple.com>
835
836         Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister
837         https://bugs.webkit.org/show_bug.cgi?id=181512
838
839         Reviewed by Saam Barati.
840
841         * assembler/MacroAssemblerARM64.h:
842         (JSC::MacroAssemblerARM64::abortWithReason):
843         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
844         All current uses of dataTempRegister in these functions are safe, but it makes sense to
845         fix them in case they might be used elsewhere.
846
847 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
848
849         CodeBlocks should be in IsoSubspaces
850         https://bugs.webkit.org/show_bug.cgi?id=180884
851
852         Reviewed by Saam Barati.
853         
854         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
855         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
856         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
857         
858         - Code block sweeping is now just eager sweeping. This means that it automatically takes
859           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
860           its eden set for.
861         
862         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
863           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
864           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
865           longer has to clear the set of weakly visited code blocks. This also means that
866           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
867           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
868           has IsoCellSets to tell us which edges have output constraints (what we used to call
869           CodeBlock's weak reference harvester) and which have unconditional finalizers.
870         
871         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
872         
873         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
874           handle requests from the sampler, debugger, and other facilities. They may want to ask
875           if some pointer corresponds to a CodeBlock during stages of execution during which the
876           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
877           There is no way that the GC's isLive could tell us of a CodeBlock that had already been
878           allocated has now been fully constructed.
879         
880         Rolling this back in because it was rolled out by mistake. There was a flaky crash that was
881         happening before and after this change, but we misread the revision numbers at first and
882         thought that this was the cause.
883         
884         * JavaScriptCore.xcodeproj/project.pbxproj:
885         * Sources.txt:
886         * bytecode/CodeBlock.cpp:
887         (JSC::CodeBlock::CodeBlock):
888         (JSC::CodeBlock::finishCreation):
889         (JSC::CodeBlock::finishCreationCommon):
890         (JSC::CodeBlock::~CodeBlock):
891         (JSC::CodeBlock::visitChildren):
892         (JSC::CodeBlock::propagateTransitions):
893         (JSC::CodeBlock::determineLiveness):
894         (JSC::CodeBlock::finalizeUnconditionally):
895         (JSC::CodeBlock::stronglyVisitStrongReferences):
896         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
897         (JSC::CodeBlock::installVMTrapBreakpoints):
898         (JSC::CodeBlock::dumpMathICStats):
899         (JSC::CodeBlock::visitWeakly): Deleted.
900         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
901         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
902         * bytecode/CodeBlock.h:
903         (JSC::CodeBlock::subspaceFor):
904         (JSC::CodeBlock::ownerEdge const):
905         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
906         * bytecode/EvalCodeBlock.h:
907         (JSC::EvalCodeBlock::create): Deleted.
908         (JSC::EvalCodeBlock::createStructure): Deleted.
909         (JSC::EvalCodeBlock::variable): Deleted.
910         (JSC::EvalCodeBlock::numVariables): Deleted.
911         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
912         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
913         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
914         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
915         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
916         (JSC::ExecutableToCodeBlockEdge::createStructure):
917         (JSC::ExecutableToCodeBlockEdge::create):
918         (JSC::ExecutableToCodeBlockEdge::visitChildren):
919         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
920         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
921         (JSC::ExecutableToCodeBlockEdge::activate):
922         (JSC::ExecutableToCodeBlockEdge::deactivate):
923         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
924         (JSC::ExecutableToCodeBlockEdge::wrap):
925         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
926         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
927         (JSC::ExecutableToCodeBlockEdge::runConstraint):
928         * bytecode/ExecutableToCodeBlockEdge.h: Added.
929         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
930         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
931         (JSC::ExecutableToCodeBlockEdge::unwrap):
932         * bytecode/FunctionCodeBlock.h:
933         (JSC::FunctionCodeBlock::subspaceFor):
934         (JSC::FunctionCodeBlock::createStructure):
935         * bytecode/ModuleProgramCodeBlock.h:
936         (JSC::ModuleProgramCodeBlock::create): Deleted.
937         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
938         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
939         * bytecode/ProgramCodeBlock.h:
940         (JSC::ProgramCodeBlock::create): Deleted.
941         (JSC::ProgramCodeBlock::createStructure): Deleted.
942         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
943         * debugger/Debugger.cpp:
944         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
945         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
946         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
947         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
948         * heap/CodeBlockSet.cpp:
949         (JSC::CodeBlockSet::contains):
950         (JSC::CodeBlockSet::dump const):
951         (JSC::CodeBlockSet::add):
952         (JSC::CodeBlockSet::remove):
953         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
954         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
955         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
956         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
957         * heap/CodeBlockSet.h:
958         * heap/CodeBlockSetInlines.h:
959         (JSC::CodeBlockSet::iterate):
960         (JSC::CodeBlockSet::iterateViaSubspaces):
961         * heap/ConservativeRoots.cpp:
962         (JSC::ConservativeRoots::genericAddPointer):
963         (JSC::DummyMarkHook::markKnownJSCell):
964         (JSC::CompositeMarkHook::mark):
965         (JSC::CompositeMarkHook::markKnownJSCell):
966         * heap/ConservativeRoots.h:
967         * heap/Heap.cpp:
968         (JSC::Heap::lastChanceToFinalize):
969         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
970         (JSC::Heap::finalizeUnconditionalFinalizers):
971         (JSC::Heap::beginMarking):
972         (JSC::Heap::deleteUnmarkedCompiledCode):
973         (JSC::Heap::sweepInFinalize):
974         (JSC::Heap::forEachCodeBlockImpl):
975         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
976         (JSC::Heap::addCoreConstraints):
977         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
978         * heap/Heap.h:
979         * heap/HeapCell.h:
980         * heap/HeapCellInlines.h:
981         (JSC::HeapCell::subspace const):
982         * heap/HeapInlines.h:
983         (JSC::Heap::forEachCodeBlock):
984         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
985         * heap/HeapUtil.h:
986         (JSC::HeapUtil::findGCObjectPointersForMarking):
987         * heap/IsoCellSet.cpp:
988         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
989         * heap/IsoCellSet.h:
990         * heap/IsoCellSetInlines.h:
991         (JSC::IsoCellSet::forEachMarkedCellInParallel):
992         (JSC::IsoCellSet::forEachLiveCell):
993         * heap/LargeAllocation.h:
994         (JSC::LargeAllocation::subspace const):
995         * heap/MarkStackMergingConstraint.cpp:
996         (JSC::MarkStackMergingConstraint::executeImpl):
997         * heap/MarkStackMergingConstraint.h:
998         * heap/MarkedAllocator.cpp:
999         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
1000         * heap/MarkedBlock.cpp:
1001         (JSC::MarkedBlock::Handle::didAddToAllocator):
1002         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
1003         * heap/MarkedBlock.h:
1004         (JSC::MarkedBlock::subspace const):
1005         * heap/MarkedBlockInlines.h:
1006         (JSC::MarkedBlock::Handle::forEachLiveCell):
1007         * heap/MarkedSpaceInlines.h:
1008         (JSC::MarkedSpace::forEachLiveCell):
1009         * heap/MarkingConstraint.cpp:
1010         (JSC::MarkingConstraint::execute):
1011         (JSC::MarkingConstraint::doParallelWork):
1012         (JSC::MarkingConstraint::finishParallelWork): Deleted.
1013         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
1014         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
1015         * heap/MarkingConstraint.h:
1016         * heap/MarkingConstraintSet.cpp:
1017         (JSC::MarkingConstraintSet::add):
1018         * heap/MarkingConstraintSet.h:
1019         (JSC::MarkingConstraintSet::add):
1020         * heap/MarkingConstraintSolver.cpp:
1021         (JSC::MarkingConstraintSolver::execute):
1022         (JSC::MarkingConstraintSolver::addParallelTask):
1023         (JSC::MarkingConstraintSolver::runExecutionThread):
1024         (JSC::MarkingConstraintSolver::didExecute): Deleted.
1025         * heap/MarkingConstraintSolver.h:
1026         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
1027         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
1028         * heap/SimpleMarkingConstraint.cpp:
1029         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
1030         (JSC::SimpleMarkingConstraint::executeImpl):
1031         * heap/SimpleMarkingConstraint.h:
1032         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
1033         * heap/SlotVisitor.cpp:
1034         (JSC::SlotVisitor::addParallelConstraintTask):
1035         * heap/SlotVisitor.h:
1036         * heap/Subspace.cpp:
1037         (JSC::Subspace::sweep):
1038         * heap/Subspace.h:
1039         * heap/SubspaceInlines.h:
1040         (JSC::Subspace::forEachLiveCell):
1041         * llint/LowLevelInterpreter.asm:
1042         * runtime/EvalExecutable.cpp:
1043         (JSC::EvalExecutable::visitChildren):
1044         * runtime/EvalExecutable.h:
1045         (JSC::EvalExecutable::codeBlock):
1046         * runtime/FunctionExecutable.cpp:
1047         (JSC::FunctionExecutable::baselineCodeBlockFor):
1048         (JSC::FunctionExecutable::visitChildren):
1049         * runtime/FunctionExecutable.h:
1050         * runtime/JSType.h:
1051         * runtime/ModuleProgramExecutable.cpp:
1052         (JSC::ModuleProgramExecutable::visitChildren):
1053         * runtime/ModuleProgramExecutable.h:
1054         * runtime/ProgramExecutable.cpp:
1055         (JSC::ProgramExecutable::visitChildren):
1056         * runtime/ProgramExecutable.h:
1057         * runtime/ScriptExecutable.cpp:
1058         (JSC::ScriptExecutable::installCode):
1059         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
1060         * runtime/VM.cpp:
1061         (JSC::VM::VM):
1062         * runtime/VM.h:
1063         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
1064         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
1065         (JSC::VM::forEachCodeBlockSpace):
1066         * runtime/VMTraps.cpp:
1067         (JSC::VMTraps::handleTraps):
1068         * tools/VMInspector.cpp:
1069         (JSC::VMInspector::codeBlockForMachinePC):
1070         (JSC::VMInspector::isValidCodeBlock):
1071
1072 2018-01-11  Michael Saboff  <msaboff@apple.com>
1073
1074         Add a DOM gadget for Spectre testing
1075         https://bugs.webkit.org/show_bug.cgi?id=181351
1076
1077         Reviewed by Ryosuke Niwa.
1078
1079         * runtime/Options.h:
1080
1081 2018-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1082
1083         [DFG][FTL] regExpMatchFast should be handled
1084         https://bugs.webkit.org/show_bug.cgi?id=180988
1085
1086         Reviewed by Mark Lam.
1087
1088         RegExp.prototype.@@match has a fast path, @regExpMatchFast. This patch annotates this function
1089         with RegExpMatchFastIntrinsic, and introduces RegExpMatch DFG node. This paves the way to
1090         make NewRegexp PhantomNewRegexp if it is not used except for setting/getting its lastIndex property.
1091
1092         To improve RegExp.prototype.@@match's performance more, we make this builtin function small by moving
1093         the slow path part to the `@matchSlow()` private function.
1094
1095         It improves SixSpeed regex-u.{es5,es6} largely since they stress String.prototype.match, which calls
1096         this regExpMatchFast function.
1097
1098                                  baseline                  patched
1099
1100         regex-u.es5          55.3835+-6.3002     ^     36.2431+-2.0797        ^ definitely 1.5281x faster
1101         regex-u.es6         110.4624+-6.2896     ^     94.1012+-7.2433        ^ definitely 1.1739x faster
1102
1103         * builtins/RegExpPrototype.js:
1104         (globalPrivate.matchSlow):
1105         (overriddenName.string_appeared_here.match):
1106         * dfg/DFGAbstractInterpreterInlines.h:
1107         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1108         * dfg/DFGByteCodeParser.cpp:
1109         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1110         * dfg/DFGClobberize.h:
1111         (JSC::DFG::clobberize):
1112         * dfg/DFGDoesGC.cpp:
1113         (JSC::DFG::doesGC):
1114         * dfg/DFGFixupPhase.cpp:
1115         (JSC::DFG::FixupPhase::fixupNode):
1116         * dfg/DFGNode.h:
1117         (JSC::DFG::Node::hasHeapPrediction):
1118         * dfg/DFGNodeType.h:
1119         * dfg/DFGOperations.cpp:
1120         * dfg/DFGOperations.h:
1121         * dfg/DFGPredictionPropagationPhase.cpp:
1122         * dfg/DFGSafeToExecute.h:
1123         (JSC::DFG::safeToExecute):
1124         * dfg/DFGSpeculativeJIT.cpp:
1125         (JSC::DFG::SpeculativeJIT::compileRegExpMatch):
1126         * dfg/DFGSpeculativeJIT.h:
1127         * dfg/DFGSpeculativeJIT32_64.cpp:
1128         (JSC::DFG::SpeculativeJIT::compile):
1129         * dfg/DFGSpeculativeJIT64.cpp:
1130         (JSC::DFG::SpeculativeJIT::compile):
1131         * ftl/FTLCapabilities.cpp:
1132         (JSC::FTL::canCompile):
1133         * ftl/FTLLowerDFGToB3.cpp:
1134         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1135         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatch):
1136         * runtime/Intrinsic.cpp:
1137         (JSC::intrinsicName):
1138         * runtime/Intrinsic.h:
1139         * runtime/JSGlobalObject.cpp:
1140         (JSC::JSGlobalObject::init):
1141         * runtime/RegExpPrototype.cpp:
1142         (JSC::regExpProtoFuncMatchFast):
1143
1144 2018-01-11  Saam Barati  <sbarati@apple.com>
1145
1146         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1147         https://bugs.webkit.org/show_bug.cgi?id=181508
1148
1149         Reviewed by Yusuke Suzuki.
1150
1151         Our for-in caching would cache structure chains that had prototypes with
1152         indexed properties. Clearly this is wrong. This caching breaks when a prototype
1153         adds new indexed properties. We would continue to enumerate the old cached
1154         state of properties, and not include the new indexed properties.
1155         
1156         The old code used to prevent caching only if the base structure had
1157         indexed properties. This patch extends it to prevent caching if the
1158         base, or any structure in the prototype chain, has indexed properties.
1159
1160         * runtime/Structure.cpp:
1161         (JSC::Structure::canCachePropertyNameEnumerator const):
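
        As an added illustration, not part of the WebKit entry above, the JavaScript below is a
        regression-style check of the semantics this fix restores: after a for-in loop has run
        often enough that an optimising engine may cache the enumerated key set, an indexed
        property added to a prototype must still show up in later enumerations. The object
        chain, property names and iteration count are constructed for the example.

```javascript
// Constructed example: for-in over a prototype chain that later gains indexed
// properties. A correct engine reports the new keys; an engine that cached the
// structure chain despite a prototype having indexed properties (the bug fixed
// above) would keep returning the stale key list.

// Collect the keys for-in produces, in enumeration order.
function enumerateKeys(object) {
    const keys = [];
    for (const key in object)
        keys.push(key);
    return keys;
}

// Build a three-level chain: obj -> middle -> base -> Object.prototype.
// Every level starts with string-keyed properties only.
function makeChain() {
    const base = { baseProp: 1 };
    const middle = Object.create(base);
    middle.middleProp = 2;
    const obj = Object.create(middle);
    obj.ownProp = 3;
    return { obj, middle, base };
}

// Enumerate repeatedly so a caching engine warms up its enumerator, then add
// indexed properties on prototypes (never on obj itself) and enumerate again.
// Returns the key lists observed at each stage.
function runScenario(iterations) {
    const { obj, middle, base } = makeChain();
    const before = enumerateKeys(obj);
    for (let i = 0; i < iterations; i++) {
        if (enumerateKeys(obj).length !== before.length)
            throw new Error("enumeration changed before any mutation");
    }
    base[0] = "indexed";            // indexed property on the deepest prototype
    const afterBase = enumerateKeys(obj);
    middle[5] = "another";          // indexed property on the middle prototype
    const afterMiddle = enumerateKeys(obj);
    return { before, afterBase, afterMiddle };
}

// True when both prototype-level indexed additions are visible to for-in on
// obj. Per spec, each object's own keys come out integer indices first, then
// strings in creation order, walking from obj up the chain.
function prototypeIndexedKeysAreVisible(iterations) {
    const result = runScenario(iterations);
    return result.afterBase.includes("0") && result.afterMiddle.includes("5");
}

if (typeof require !== "undefined" && require.main === module)
    console.log(JSON.stringify(runScenario(1000)));
```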
1162
1163 2018-01-10  JF Bastien  <jfbastien@apple.com>
1164
1165         Poison small JSObject derivatives which only contain pointers
1166         https://bugs.webkit.org/show_bug.cgi?id=181483
1167         <rdar://problem/36407127>
1168
1169         Reviewed by Mark Lam.
1170
1171         I wrote a script that finds interesting things to poison or
1172         generally harden. These stood out because they derive from
1173         JSObject and only contain a few pointer or pointer-like fields,
1174         and could therefore just be poisoned. This also requires some
1175         template "improvements" to our poisoning machinery. Worth noting
1176         is that I'm making PoisonedUniquePtr move-assignable and
1177         move-constructible from unique_ptr, which makes it a better
1178         drop-in replacement because we don't need to use
1179         makePoisonedUniquePtr. This means function-locals can be
1180         unique_ptr and get the nice RAII pattern, and once the function is
1181         done you can just move to the class' PoisonedUniquePtr without
1182         worrying.
1183
1184         * API/JSAPIWrapperObject.h:
1185         (JSC::JSAPIWrapperObject::wrappedObject):
1186         * API/JSAPIWrapperObject.mm:
1187         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
1188         * API/JSCallbackObject.h:
1189         * runtime/ArrayPrototype.h:
1190         * runtime/DateInstance.h:
1191         * runtime/JSArrayBuffer.cpp:
1192         (JSC::JSArrayBuffer::finishCreation):
1193         (JSC::JSArrayBuffer::isShared const):
1194         (JSC::JSArrayBuffer::sharingMode const):
1195         * runtime/JSArrayBuffer.h:
1196         * runtime/JSCPoison.h:
1197
1198 2018-01-10  Commit Queue  <commit-queue@webkit.org>
1199
1200         Unreviewed, rolling out r226667 and r226673.
1201         https://bugs.webkit.org/show_bug.cgi?id=181488
1202
1203         This caused a flaky crash. (Requested by mlewis13 on #webkit).
1204
1205         Reverted changesets:
1206
1207         "CodeBlocks should be in IsoSubspaces"
1208         https://bugs.webkit.org/show_bug.cgi?id=180884
1209         https://trac.webkit.org/changeset/226667
1210
1211         "REGRESSION (r226667): CodeBlocks should be in IsoSubspaces"
1212         https://bugs.webkit.org/show_bug.cgi?id=180884
1213         https://trac.webkit.org/changeset/226673
1214
1215 2018-01-09  David Kilzer  <ddkilzer@apple.com>
1216
1217         REGRESSION (r226667): CodeBlocks should be in IsoSubspaces
1218         <https://bugs.webkit.org/show_bug.cgi?id=180884>
1219
1220         Fixes the following build error:
1221
1222             heap/Heap.cpp:2708:10: error: lambda capture 'this' is not used [-Werror,-Wunused-lambda-capture]
1223
1224         * heap/Heap.cpp:
1225         (JSC::Heap::addCoreConstraints): Remove 'this' from lambda to
1226         fix the build.
1227
1228 2018-01-09  Keith Miller  <keith_miller@apple.com>
1229
1230         and32 with an Address source on ARM64 did not invalidate dataTempRegister
1231         https://bugs.webkit.org/show_bug.cgi?id=181467
1232
1233         Reviewed by Michael Saboff.
1234
1235         * assembler/MacroAssemblerARM64.h:
1236         (JSC::MacroAssemblerARM64::and32):
1237
1238 2018-01-04  Filip Pizlo  <fpizlo@apple.com>
1239
1240         CodeBlocks should be in IsoSubspaces
1241         https://bugs.webkit.org/show_bug.cgi?id=180884
1242
1243         Reviewed by Saam Barati.
1244         
1245         This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
1246         special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
1247         WeakReferenceHarvester or UnconditionalFinalizer. Instead:
1248         
1249         - Code block sweeping is now just eager sweeping. This means that it automatically takes
1250           advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
1251           its eden set for.
1252         
1253         - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
1254           marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
1255           we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
1256           longer has to clear the set of weakly visited code blocks. This also means that
1257           determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
1258           CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
1259           has IsoCellSets to tell us which edges have output constraints (what we used to call
1260           CodeBlock's weak reference harvester) and which have unconditional finalizers.
1261         
1262         - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
1263         
1264         - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
1265           handle requests from the sampler, debugger, and other facilities. They may want to ask
1266           if some pointer corresponds to a CodeBlock during stages of execution during which the
1267           GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
1268           There is no way that the GC's isLive could tell us of a CodeBlock that had already been
1269           allocated has now been fully constructed.
1270         
1271         * JavaScriptCore.xcodeproj/project.pbxproj:
1272         * Sources.txt:
1273         * bytecode/CodeBlock.cpp:
1274         (JSC::CodeBlock::CodeBlock):
1275         (JSC::CodeBlock::finishCreation):
1276         (JSC::CodeBlock::finishCreationCommon):
1277         (JSC::CodeBlock::~CodeBlock):
1278         (JSC::CodeBlock::visitChildren):
1279         (JSC::CodeBlock::propagateTransitions):
1280         (JSC::CodeBlock::determineLiveness):
1281         (JSC::CodeBlock::finalizeUnconditionally):
1282         (JSC::CodeBlock::stronglyVisitStrongReferences):
1283         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
1284         (JSC::CodeBlock::installVMTrapBreakpoints):
1285         (JSC::CodeBlock::dumpMathICStats):
1286         (JSC::CodeBlock::visitWeakly): Deleted.
1287         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
1288         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
1289         * bytecode/CodeBlock.h:
1290         (JSC::CodeBlock::subspaceFor):
1291         (JSC::CodeBlock::ownerEdge const):
1292         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
1293         * bytecode/EvalCodeBlock.h:
1294         (JSC::EvalCodeBlock::create): Deleted.
1295         (JSC::EvalCodeBlock::createStructure): Deleted.
1296         (JSC::EvalCodeBlock::variable): Deleted.
1297         (JSC::EvalCodeBlock::numVariables): Deleted.
1298         (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
1299         (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
1300         (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
1301         (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
1302         * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
1303         (JSC::ExecutableToCodeBlockEdge::createStructure):
1304         (JSC::ExecutableToCodeBlockEdge::create):
1305         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1306         (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
1307         (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
1308         (JSC::ExecutableToCodeBlockEdge::activate):
1309         (JSC::ExecutableToCodeBlockEdge::deactivate):
1310         (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
1311         (JSC::ExecutableToCodeBlockEdge::wrap):
1312         (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
1313         (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
1314         (JSC::ExecutableToCodeBlockEdge::runConstraint):
1315         * bytecode/ExecutableToCodeBlockEdge.h: Added.
1316         (JSC::ExecutableToCodeBlockEdge::subspaceFor):
1317         (JSC::ExecutableToCodeBlockEdge::codeBlock const):
1318         (JSC::ExecutableToCodeBlockEdge::unwrap):
1319         * bytecode/FunctionCodeBlock.h:
1320         (JSC::FunctionCodeBlock::subspaceFor):
1321         (JSC::FunctionCodeBlock::createStructure):
1322         * bytecode/ModuleProgramCodeBlock.h:
1323         (JSC::ModuleProgramCodeBlock::create): Deleted.
1324         (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
1325         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
1326         * bytecode/ProgramCodeBlock.h:
1327         (JSC::ProgramCodeBlock::create): Deleted.
1328         (JSC::ProgramCodeBlock::createStructure): Deleted.
1329         (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
1330         * debugger/Debugger.cpp:
1331         (JSC::Debugger::SetSteppingModeFunctor::operator() const):
1332         (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
1333         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
1334         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
1335         * heap/CodeBlockSet.cpp:
1336         (JSC::CodeBlockSet::contains):
1337         (JSC::CodeBlockSet::dump const):
1338         (JSC::CodeBlockSet::add):
1339         (JSC::CodeBlockSet::remove):
1340         (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
1341         (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
1342         (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
1343         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
1344         * heap/CodeBlockSet.h:
1345         * heap/CodeBlockSetInlines.h:
1346         (JSC::CodeBlockSet::iterate):
1347         (JSC::CodeBlockSet::iterateViaSubspaces):
1348         * heap/ConservativeRoots.cpp:
1349         (JSC::ConservativeRoots::genericAddPointer):
1350         (JSC::DummyMarkHook::markKnownJSCell):
1351         (JSC::CompositeMarkHook::mark):
1352         (JSC::CompositeMarkHook::markKnownJSCell):
1353         * heap/ConservativeRoots.h:
1354         * heap/Heap.cpp:
1355         (JSC::Heap::lastChanceToFinalize):
1356         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
1357         (JSC::Heap::finalizeUnconditionalFinalizers):
1358         (JSC::Heap::beginMarking):
1359         (JSC::Heap::deleteUnmarkedCompiledCode):
1360         (JSC::Heap::sweepInFinalize):
1361         (JSC::Heap::forEachCodeBlockImpl):
1362         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
1363         (JSC::Heap::addCoreConstraints):
1364         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
1365         * heap/Heap.h:
1366         * heap/HeapCell.h:
1367         * heap/HeapCellInlines.h:
1368         (JSC::HeapCell::subspace const):
1369         * heap/HeapInlines.h:
1370         (JSC::Heap::forEachCodeBlock):
1371         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
1372         * heap/HeapUtil.h:
1373         (JSC::HeapUtil::findGCObjectPointersForMarking):
1374         * heap/IsoCellSet.cpp:
1375         (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
1376         * heap/IsoCellSet.h:
1377         * heap/IsoCellSetInlines.h:
1378         (JSC::IsoCellSet::forEachMarkedCellInParallel):
1379         (JSC::IsoCellSet::forEachLiveCell):
1380         * heap/LargeAllocation.h:
1381         (JSC::LargeAllocation::subspace const):
1382         * heap/MarkStackMergingConstraint.cpp:
1383         (JSC::MarkStackMergingConstraint::executeImpl):
1384         * heap/MarkStackMergingConstraint.h:
1385         * heap/MarkedAllocator.cpp:
1386         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
1387         * heap/MarkedBlock.cpp:
1388         (JSC::MarkedBlock::Handle::didAddToAllocator):
1389         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
1390         * heap/MarkedBlock.h:
1391         (JSC::MarkedBlock::subspace const):
1392         * heap/MarkedBlockInlines.h:
1393         (JSC::MarkedBlock::Handle::forEachLiveCell):
1394         * heap/MarkedSpaceInlines.h:
1395         (JSC::MarkedSpace::forEachLiveCell):
1396         * heap/MarkingConstraint.cpp:
1397         (JSC::MarkingConstraint::execute):
1398         (JSC::MarkingConstraint::doParallelWork):
1399         (JSC::MarkingConstraint::finishParallelWork): Deleted.
1400         (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
1401         (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
1402         * heap/MarkingConstraint.h:
1403         * heap/MarkingConstraintSet.cpp:
1404         (JSC::MarkingConstraintSet::add):
1405         * heap/MarkingConstraintSet.h:
1406         (JSC::MarkingConstraintSet::add):
1407         * heap/MarkingConstraintSolver.cpp:
1408         (JSC::MarkingConstraintSolver::execute):
1409         (JSC::MarkingConstraintSolver::addParallelTask):
1410         (JSC::MarkingConstraintSolver::runExecutionThread):
1411         (JSC::MarkingConstraintSolver::didExecute): Deleted.
1412         * heap/MarkingConstraintSolver.h:
1413         (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
1414         (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
1415         * heap/SimpleMarkingConstraint.cpp:
1416         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
1417         (JSC::SimpleMarkingConstraint::executeImpl):
1418         * heap/SimpleMarkingConstraint.h:
1419         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
1420         * heap/SlotVisitor.cpp:
1421         (JSC::SlotVisitor::addParallelConstraintTask):
1422         * heap/SlotVisitor.h:
1423         * heap/Subspace.cpp:
1424         (JSC::Subspace::sweep):
1425         * heap/Subspace.h:
1426         * heap/SubspaceInlines.h:
1427         (JSC::Subspace::forEachLiveCell):
1428         * llint/LowLevelInterpreter.asm:
1429         * runtime/EvalExecutable.cpp:
1430         (JSC::EvalExecutable::visitChildren):
1431         * runtime/EvalExecutable.h:
1432         (JSC::EvalExecutable::codeBlock):
1433         * runtime/FunctionExecutable.cpp:
1434         (JSC::FunctionExecutable::baselineCodeBlockFor):
1435         (JSC::FunctionExecutable::visitChildren):
1436         * runtime/FunctionExecutable.h:
1437         * runtime/JSType.h:
1438         * runtime/ModuleProgramExecutable.cpp:
1439         (JSC::ModuleProgramExecutable::visitChildren):
1440         * runtime/ModuleProgramExecutable.h:
1441         * runtime/ProgramExecutable.cpp:
1442         (JSC::ProgramExecutable::visitChildren):
1443         * runtime/ProgramExecutable.h:
1444         * runtime/ScriptExecutable.cpp:
1445         (JSC::ScriptExecutable::installCode):
1446         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
1447         * runtime/VM.cpp:
1448         (JSC::VM::VM):
1449         * runtime/VM.h:
1450         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
1451         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
1452         (JSC::VM::forEachCodeBlockSpace):
1453         * runtime/VMTraps.cpp:
1454         (JSC::VMTraps::handleTraps):
1455         * tools/VMInspector.cpp:
1456         (JSC::VMInspector::codeBlockForMachinePC):
1457         (JSC::VMInspector::isValidCodeBlock):
1458
1459 2018-01-09  Michael Saboff  <msaboff@apple.com>
1460
1461         Unreviewed, rolling out r226600 and r226603
1462         https://bugs.webkit.org/show_bug.cgi?id=181351
1463
1464         Add a DOM gadget for Spectre testing
1465
1466         * runtime/Options.h:
1467
1468 2018-01-09  Saam Barati  <sbarati@apple.com>
1469
1470         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
1471         https://bugs.webkit.org/show_bug.cgi?id=181409
1472
1473         Reviewed by Keith Miller.
1474
1475         When I was looking at profiler data for Speedometer, I noticed that one of
1476         the hottest functions in Speedometer is around 1100 bytecode operations long.
1477         Only about 100 of those bytecode ops ever execute. However, we ended up
1478         spending a lot of time compiling basic blocks that never executed. We often
1479         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
1480         This is the case when such a node never executes.
1481         
1482         This patch makes it so that anytime a block has a ForceOSRExit, we replace its
1483         terminal node with an Unreachable node (and remove all nodes after the
1484         ForceOSRExit). This will cut down on graph size when such a block dominates
1485         other blocks in the CFG. This allows us to get rid of huge chunks of the CFG
1486         in certain programs. When doing this transformation, we also insert
1487         Flushes/PhantomLocals to ensure we can recover values that are bytecode
1488         live-in to the ForceOSRExit.
1489         
1490         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
1491         does not get rid of all the CFG that it could. If we decide it's worth
1492         it, we could use additional inputs into this mechanism. For example, we could
1493         profile if a basic block ever executes inside the LLInt/Baseline, and
1494         remove parts of the CFG based on that.
1495         
1496         When running Speedometer with the concurrent JIT turned off, this patch
1497         improves DFG/FTL compile times by around 5%.
1498
1499         * dfg/DFGByteCodeParser.cpp:
1500         (JSC::DFG::ByteCodeParser::addToGraph):
1501         (JSC::DFG::ByteCodeParser::parse):
1502
1503 2018-01-09  Mark Lam  <mark.lam@apple.com>
1504
1505         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1506         https://bugs.webkit.org/show_bug.cgi?id=181388
1507         <rdar://problem/36349351>
1508
1509         Reviewed by Saam Barati.
1510
1511         When there are duplicate setters or getters, we may end up overwriting a getter
1512         with a setter, or vice versa.  This patch adds tracking for getters/setters that
1513         have been overwritten with duplicates and ignores them.
1514
1515         * bytecompiler/NodesCodegen.cpp:
1516         (JSC::PropertyListNode::emitBytecode):
1517         * parser/NodeConstructors.h:
1518         (JSC::PropertyNode::PropertyNode):
1519         * parser/Nodes.h:
1520         (JSC::PropertyNode::isOverriddenByDuplicate const):
1521         (JSC::PropertyNode::setIsOverriddenByDuplicate):
1522
1523 2018-01-08  Zan Dobersek  <zdobersek@igalia.com>
1524
1525         REGRESSION(r225913): about 30 JSC test failures on ARMv7
1526         https://bugs.webkit.org/show_bug.cgi?id=181162
1527         <rdar://problem/36261349>
1528
1529         Unreviewed follow-up to r226298. Enable the fast case in
1530         DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform,
1531         assuming in good faith that enough GP registers are available on any
1532         such configuration. The accompanying comment is adjusted to describe
1533         this assumption.
1534
1535         * dfg/DFGSpeculativeJIT.cpp:
1536         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1537
1538 2018-01-08  JF Bastien  <jfbastien@apple.com>
1539
1540         WebAssembly: mask indexed accesses to Table
1541         https://bugs.webkit.org/show_bug.cgi?id=181412
1542         <rdar://problem/36363236>
1543
1544         Reviewed by Saam Barati.
1545
1546         WebAssembly Table indexed accesses are user-controlled and
1547         bounds-checked. Force allocations of Table data to be a
1548         power-of-two, and explicitly mask accesses after bounds-check
1549         branches.
1550
1551         Rename misleading usage of "size" when "length" of a Table was
1552         intended.
1553
1554         Rename the Spectre option from "disable" to "enable".
1555
1556         * dfg/DFGSpeculativeJIT.cpp:
1557         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1558         * ftl/FTLLowerDFGToB3.cpp:
1559         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
1560         * jit/JIT.cpp:
1561         (JSC::JIT::JIT):
1562         * runtime/Options.h:
1563         * wasm/WasmB3IRGenerator.cpp:
1564         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1565         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1566         * wasm/WasmTable.cpp:
1567         (JSC::Wasm::Table::allocatedLength):
1568         (JSC::Wasm::Table::setLength):
1569         (JSC::Wasm::Table::create):
1570         (JSC::Wasm::Table::Table):
1571         (JSC::Wasm::Table::grow):
1572         (JSC::Wasm::Table::clearFunction):
1573         (JSC::Wasm::Table::setFunction):
1574         * wasm/WasmTable.h:
1575         (JSC::Wasm::Table::length const):
1576         (JSC::Wasm::Table::offsetOfLength):
1577         (JSC::Wasm::Table::offsetOfMask):
1578         (JSC::Wasm::Table::mask const):
1579         (JSC::Wasm::Table::isValidLength):
1580         * wasm/js/JSWebAssemblyInstance.cpp:
1581         (JSC::JSWebAssemblyInstance::create):
1582         * wasm/js/JSWebAssemblyTable.cpp:
1583         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
1584         (JSC::JSWebAssemblyTable::visitChildren):
1585         (JSC::JSWebAssemblyTable::grow):
1586         (JSC::JSWebAssemblyTable::getFunction):
1587         (JSC::JSWebAssemblyTable::clearFunction):
1588         (JSC::JSWebAssemblyTable::setFunction):
1589         * wasm/js/JSWebAssemblyTable.h:
1590         (JSC::JSWebAssemblyTable::isValidLength):
1591         (JSC::JSWebAssemblyTable::length const):
1592         (JSC::JSWebAssemblyTable::allocatedLength const):
1593         * wasm/js/WebAssemblyModuleRecord.cpp:
1594         (JSC::WebAssemblyModuleRecord::evaluate):
1595         * wasm/js/WebAssemblyTablePrototype.cpp:
1596         (JSC::webAssemblyTableProtoFuncLength):
1597         (JSC::webAssemblyTableProtoFuncGrow):
1598         (JSC::webAssemblyTableProtoFuncGet):
1599         (JSC::webAssemblyTableProtoFuncSet):
1600
1601 2018-01-08  Michael Saboff  <msaboff@apple.com>
1602
1603         Add a DOM gadget for Spectre testing
1604         https://bugs.webkit.org/show_bug.cgi?id=181351
1605
1606         Reviewed by Michael Saboff.
1607
1608         Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
1609         Spectre mitigations.
1610
1611         * runtime/Options.h:
1612
1613 2018-01-08  Mark Lam  <mark.lam@apple.com>
1614
1615         Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
1616         https://bugs.webkit.org/show_bug.cgi?id=181403
1617         <rdar://problem/36359789>
1618
1619         Rubber-stamped by JF Bastien.
1620
1621         * bytecode/CodeBlock.cpp:
1622         (JSC::CodeBlock::CodeBlock):
1623         (JSC::CodeBlock::~CodeBlock):
1624         (JSC::CodeBlock::setConstantRegisters):
1625         (JSC::CodeBlock::propagateTransitions):
1626         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1627         (JSC::CodeBlock::jettison):
1628         (JSC::CodeBlock::predictedMachineCodeSize):
1629         * bytecode/CodeBlock.h:
1630         (JSC::CodeBlock::vm const):
1631         (JSC::CodeBlock::addConstant):
1632         (JSC::CodeBlock::heap const):
1633         (JSC::CodeBlock::replaceConstant):
1634         * llint/LowLevelInterpreter.asm:
1635         * llint/LowLevelInterpreter32_64.asm:
1636         * llint/LowLevelInterpreter64.asm:
1637
1638 2018-01-07  Mark Lam  <mark.lam@apple.com>
1639
1640         Apply poisoning to more pointers in JSC.
1641         https://bugs.webkit.org/show_bug.cgi?id=181096
1642         <rdar://problem/36182970>
1643
1644         Reviewed by JF Bastien.
1645
1646         * assembler/MacroAssembler.h:
1647         (JSC::MacroAssembler::xorPtr):
1648         * assembler/MacroAssemblerARM64.h:
1649         (JSC::MacroAssemblerARM64::xor64):
1650         * assembler/MacroAssemblerX86_64.h:
1651         (JSC::MacroAssemblerX86_64::xor64):
1652         - Add xorPtr implementation.
1653
1654         * bytecode/CodeBlock.cpp:
1655         (JSC::CodeBlock::inferredName const):
1656         (JSC::CodeBlock::CodeBlock):
1657         (JSC::CodeBlock::finishCreation):
1658         (JSC::CodeBlock::~CodeBlock):
1659         (JSC::CodeBlock::setConstantRegisters):
1660         (JSC::CodeBlock::visitWeakly):
1661         (JSC::CodeBlock::visitChildren):
1662         (JSC::CodeBlock::propagateTransitions):
1663         (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
1664         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1665         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
1666         (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
1667         (JSC::CodeBlock::jettison):
1668         (JSC::CodeBlock::predictedMachineCodeSize):
1669         (JSC::CodeBlock::findPC):
1670         * bytecode/CodeBlock.h:
1671         (JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
1672         (JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
1673         (JSC::CodeBlock::stubInfoBegin):
1674         (JSC::CodeBlock::stubInfoEnd):
1675         (JSC::CodeBlock::callLinkInfosBegin):
1676         (JSC::CodeBlock::callLinkInfosEnd):
1677         (JSC::CodeBlock::instructions):
1678         (JSC::CodeBlock::instructions const):
1679         (JSC::CodeBlock::vm const):
1680         * dfg/DFGOSRExitCompilerCommon.h:
1681         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
1682         * jit/JIT.h:
1683         * llint/LLIntOfflineAsmConfig.h:
1684         * llint/LowLevelInterpreter.asm:
1685         * llint/LowLevelInterpreter64.asm:
1686         * parser/UnlinkedSourceCode.h:
1687         * runtime/JSCPoison.h:
1688         * runtime/JSGlobalObject.cpp:
1689         (JSC::JSGlobalObject::init):
1690         * runtime/JSGlobalObject.h:
1691         * runtime/JSScriptFetchParameters.h:
1692         * runtime/JSScriptFetcher.h:
1693         * runtime/StructureTransitionTable.h:
1694         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1695         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1696         (JSC::JSWebAssemblyCodeBlock::visitChildren):
1697         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
1698         * wasm/js/JSWebAssemblyCodeBlock.h:
1699
1700 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1701
1702         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1703         https://bugs.webkit.org/show_bug.cgi?id=181321
1704
1705         Reviewed by Saam Barati.
1706
1707         According to ECMA262 16.2[1], functions created using the bind method must not have
1708         "caller" and "arguments" own properties.
1709
1710         [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions
1711
1712         * runtime/JSBoundFunction.cpp:
1713         (JSC::JSBoundFunction::finishCreation):
1714
1715 2018-01-05  JF Bastien  <jfbastien@apple.com>
1716
1717         WebAssembly: poison JS object's secrets
1718         https://bugs.webkit.org/show_bug.cgi?id=181339
1719         <rdar://problem/36325001>
1720
1721         Reviewed by Mark Lam.
1722
1723         Separating WebAssembly's JS objects from their non-JS
1724         implementation means that all interesting information lives
1725         outside of the JS object itself. This patch poisons each JS
1726         object's pointer to non-JS implementation using the poisoning
1727         mechanism and a unique key per JS object type origin.
1728
1729         * runtime/JSCPoison.h:
1730         * wasm/js/JSToWasm.cpp:
1731         (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
1732         object in a stack slot when fast TLS is disabled. This requires
1733         that we unpoison the Wasm::Instance.
1734         * wasm/js/JSWebAssemblyCodeBlock.h:
1735         * wasm/js/JSWebAssemblyInstance.h:
1736         (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
1737         be explicit that the pointer is poisoned.
1738         * wasm/js/JSWebAssemblyMemory.h:
1739         * wasm/js/JSWebAssemblyModule.h:
1740         * wasm/js/JSWebAssemblyTable.h:
1741
1742 2018-01-05  Michael Saboff  <msaboff@apple.com>
1743
1744         Add ability to disable indexed property masking for testing
1745         https://bugs.webkit.org/show_bug.cgi?id=181350
1746
1747         Reviewed by Keith Miller.
1748
1749         Made the masking of indexed properties runtime controllable via a new JSC::Option
1750         named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.
1751
1752         The new option has a generic name as it will probably be used to disable future mitigations.
1753
1754         * dfg/DFGSpeculativeJIT.cpp:
1755         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1756         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
1757         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1758         * dfg/DFGSpeculativeJIT.h:
1759         * dfg/DFGSpeculativeJIT64.cpp:
1760         (JSC::DFG::SpeculativeJIT::compile):
1761         * ftl/FTLLowerDFGToB3.cpp:
1762         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
1763         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
1764         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
1765         * jit/JIT.cpp:
1766         (JSC::JIT::JIT):
1767         * jit/JIT.h:
1768         * jit/JITPropertyAccess.cpp:
1769         (JSC::JIT::emitDoubleLoad):
1770         (JSC::JIT::emitContiguousLoad):
1771         (JSC::JIT::emitArrayStorageLoad):
1772         * runtime/Options.h:
1773         * wasm/WasmB3IRGenerator.cpp:
1774         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1775
1776 2018-01-05  Michael Saboff  <msaboff@apple.com>
1777
1778         Allow JSC Config Files to set Restricted Options
1779         https://bugs.webkit.org/show_bug.cgi?id=181352
1780
1781         Reviewed by Mark Lam.
1782
1783         * runtime/ConfigFile.cpp:
1784         (JSC::ConfigFile::parse):
1785
1786 2018-01-04  Keith Miller  <keith_miller@apple.com>
1787
1788         TypedArrays and Wasm should use index masking.
1789         https://bugs.webkit.org/show_bug.cgi?id=181313
1790
1791         Reviewed by Michael Saboff.
1792
1793         We should have index masking for our TypedArray code in the
1794         DFG/FTL and for Wasm when doing bounds checking. Index masking for
1795         Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
1796         WasmBoundsCheckValues we don't need to worry about combining a
1797         bounds check for a load and a store. I went with fusing the
1798         pointer masking in the WasmBoundsCheckValue since it should reduce
1799         additional compiler overhead.
1800
1801         * b3/B3LowerToAir.cpp:
1802         * b3/B3Validate.cpp:
1803         * b3/B3WasmBoundsCheckValue.cpp:
1804         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
1805         (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
1806         * b3/B3WasmBoundsCheckValue.h:
1807         (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
1808         * b3/air/AirCustom.h:
1809         (JSC::B3::Air::WasmBoundsCheckCustom::generate):
1810         * b3/testb3.cpp:
1811         (JSC::B3::testWasmBoundsCheck):
1812         * dfg/DFGSpeculativeJIT.cpp:
1813         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1814         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
1815         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1816         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1817         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1818         * dfg/DFGSpeculativeJIT.h:
1819         * dfg/DFGSpeculativeJIT64.cpp:
1820         (JSC::DFG::SpeculativeJIT::compile):
1821         * ftl/FTLLowerDFGToB3.cpp:
1822         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
1823         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1824         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1825         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
1826         * jit/JITPropertyAccess.cpp:
1827         (JSC::JIT::emitIntTypedArrayGetByVal):
1828         * runtime/Butterfly.h:
1829         (JSC::Butterfly::computeIndexingMask const):
1830         (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
1831         * runtime/JSArrayBufferView.cpp:
1832         (JSC::JSArrayBufferView::JSArrayBufferView):
1833         * wasm/WasmB3IRGenerator.cpp:
1834         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1835         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1836         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1837         (JSC::Wasm::B3IRGenerator::load):
1838         (JSC::Wasm::B3IRGenerator::store):
1839         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1840         * wasm/WasmBinding.cpp:
1841         (JSC::Wasm::wasmToWasm):
1842         * wasm/WasmMemory.cpp:
1843         (JSC::Wasm::Memory::Memory):
1844         (JSC::Wasm::Memory::grow):
1845         * wasm/WasmMemory.h:
1846         (JSC::Wasm::Memory::offsetOfIndexingMask):
1847         * wasm/WasmMemoryInformation.cpp:
1848         (JSC::Wasm::PinnedRegisterInfo::get):
1849         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1850         * wasm/WasmMemoryInformation.h:
1851         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1852         * wasm/js/JSToWasm.cpp:
1853         (JSC::Wasm::createJSToWasmWrapper):
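
        Added illustration of the masking scheme that this entry and JF Bastien's
        "WebAssembly: mask indexed accesses to Table" entry above describe. It is a
        constructed C model, not JSC's code: the backing store is rounded up to a
        power of two, the mask is derived from that allocation, and the mask is applied
        after the bounds-check branch, so an index that slips past a speculated check
        still cannot address memory outside the allocation. The type and function names
        (Table, table_get, table_grow, ...) are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of a bounds-checked, index-masked table (the technique
 * the ChangeLog entries describe). All names here are hypothetical and are
 * not JSC's own types or functions. */
typedef struct {
    uint32_t length;          /* logical length: indices below this are valid */
    uint32_t allocatedLength; /* backing store size, always a power of two >= length */
    uint32_t mask;            /* allocatedLength - 1, so (i & mask) < allocatedLength for any i */
    void **entries;
} Table;

/* Smallest power of two >= n (n == 0 yields 1). Returns 0 on 32-bit overflow. */
static uint32_t roundUpToPowerOfTwo(uint32_t n)
{
    if (n <= 1)
        return 1;
    n--;
    n |= n >> 1;
    n |= n >> 2;
    n |= n >> 4;
    n |= n >> 8;
    n |= n >> 16;
    return n + 1; /* wraps to 0 when n was above 2^31 */
}

/* Size the backing store to a power of two and derive the mask from it,
 * never from the logical length. */
static bool table_resize_storage(Table *t, uint32_t newLength)
{
    uint32_t alloc = roundUpToPowerOfTwo(newLength);
    if (alloc == 0)
        return false; /* would overflow the 32-bit allocation size */
    void **entries = calloc(alloc, sizeof(void *));
    if (!entries)
        return false;
    for (uint32_t i = 0; i < t->length && i < alloc; i++)
        entries[i] = t->entries[i];
    free(t->entries);
    t->entries = entries;
    t->allocatedLength = alloc;
    t->mask = alloc - 1;   /* mask and storage change together */
    t->length = newLength; /* length is published last */
    return true;
}

bool table_init(Table *t, uint32_t length)
{
    *t = (Table){ 0 };
    return table_resize_storage(t, length);
}

bool table_grow(Table *t, uint32_t delta)
{
    uint32_t newLength = t->length + delta;
    if (newLength < t->length)
        return false; /* length overflow */
    if (newLength <= t->allocatedLength) {
        t->length = newLength; /* storage already large enough; mask unchanged */
        return true;
    }
    return table_resize_storage(t, newLength);
}

/* The masked index is what the load/store actually uses. Architecturally it
 * equals `index` whenever the bounds check passed; it only differs if the
 * branch is speculated past, and then it still stays inside the allocation. */
uint32_t table_masked_index(const Table *t, uint32_t index)
{
    return index & t->mask;
}

bool table_get(const Table *t, uint32_t index, void **out)
{
    if (index >= t->length)
        return false; /* bounds check: the architectural guard */
    *out = t->entries[table_masked_index(t, index)]; /* mask: the speculative guard */
    return true;
}

bool table_set(Table *t, uint32_t index, void *value)
{
    if (index >= t->length)
        return false;
    t->entries[table_masked_index(t, index)] = value;
    return true;
}

void table_destroy(Table *t)
{
    free(t->entries);
    *t = (Table){ 0 };
}
```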
1854
1855 2018-01-05  Commit Queue  <commit-queue@webkit.org>
1856
1857         Unreviewed, rolling out r226434.
1858         https://bugs.webkit.org/show_bug.cgi?id=181322
1859
1860         32bit JSC failure in x86 (Requested by yusukesuzuki on
1861         #webkit).
1862
1863         Reverted changeset:
1864
1865         "[DFG] Unify ToNumber implementation in 32bit and 64bit by
1866         changing 32bit Int32Tag and LowestTag"
1867         https://bugs.webkit.org/show_bug.cgi?id=181134
1868         https://trac.webkit.org/changeset/226434
1869
1870 2018-01-04  Devin Rousso  <webkit@devinrousso.com>
1871
1872         Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
1873         https://bugs.webkit.org/show_bug.cgi?id=180770
1874
1875         Reviewed by Joseph Pecoraro.
1876
1877         * inspector/protocol/Canvas.json:
1878
1879 2018-01-04  Commit Queue  <commit-queue@webkit.org>
1880
1881         Unreviewed, rolling out r226405.
1882         https://bugs.webkit.org/show_bug.cgi?id=181318
1883
1884         Speculative rollout due to Octane/SplayLatency,Octane/Splay
1885         regressions (Requested by yusukesuzuki on #webkit).
1886
1887         Reverted changeset:
1888
1889         "[JSC] Create parallel SlotVisitors apriori"
1890         https://bugs.webkit.org/show_bug.cgi?id=180907
1891         https://trac.webkit.org/changeset/226405
1892
1893 2018-01-04  Saam Barati  <sbarati@apple.com>
1894
1895         Do value profiling in to_this
1896         https://bugs.webkit.org/show_bug.cgi?id=181299
1897
1898         Reviewed by Filip Pizlo.
1899
1900         This patch adds value profiling to to_this. We use the result of the value
1901         profiling only for strict mode code when we don't predict that the input is
1902         of a specific type. This helps when the input is SpecCellOther. Such cells
1903         might implement a custom ToThis, which can produce an arbitrary result. Before
1904         this patch, in prediction propagation, we were saying that a ToThis with a
1905         SpecCellOther input also produced SpecCellOther. However, this is incorrect,
1906         given that the input may implement ToThis that produces an arbitrary result.
1907         This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.
1908         
1909         Interestingly, this patch only does value profiling on the slow path. The fast
1910         path of to_this in the LLInt/baseline just performs a structure check. If it
1911         passes, the result is the same as the input. Therefore, doing value profiling
1912         from the fast path wouldn't actually produce new information for the ValueProfile.
1913
1914         * bytecode/BytecodeDumper.cpp:
1915         (JSC::BytecodeDumper<Block>::dumpBytecode):
1916         * bytecode/BytecodeList.json:
1917         * bytecode/CodeBlock.cpp:
1918         (JSC::CodeBlock::finishCreation):
1919         * bytecompiler/BytecodeGenerator.cpp:
1920         (JSC::BytecodeGenerator::BytecodeGenerator):
1921         (JSC::BytecodeGenerator::emitToThis):
1922         * bytecompiler/BytecodeGenerator.h:
1923         * dfg/DFGByteCodeParser.cpp:
1924         (JSC::DFG::ByteCodeParser::parseBlock):
1925         * dfg/DFGNode.h:
1926         (JSC::DFG::Node::hasHeapPrediction):
1927         * dfg/DFGPredictionPropagationPhase.cpp:
1928         * runtime/CommonSlowPaths.cpp:
1929         (JSC::SLOW_PATH_DECL):
1930
1931 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1932
1933         [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
1934         https://bugs.webkit.org/show_bug.cgi?id=181134
1935
1936         Reviewed by Mark Lam.
1937
1938         We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
1939         branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
1940         an additional scratch register. We do not want to allocate an unnecessary register in 64bit
1941         implementation.
1942
1943         This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
1944         and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
1945         setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
1946         `<= LowestTag(Int32Tag)`.
1947
1948         We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.
1949
1950         We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.
1951
1952         * dfg/DFGSpeculativeJIT.cpp:
1953         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1954         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1955         (JSC::DFG::SpeculativeJIT::speculateNumber):
1956         (JSC::DFG::SpeculativeJIT::speculateMisc):
1957         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1958         (JSC::DFG::SpeculativeJIT::compileToNumber):
1959         * dfg/DFGSpeculativeJIT.h:
1960         * dfg/DFGSpeculativeJIT32_64.cpp:
1961         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1962         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1963         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1964         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1965         (JSC::DFG::SpeculativeJIT::compile):
1966         * dfg/DFGSpeculativeJIT64.cpp:
1967         (JSC::DFG::SpeculativeJIT::compile):
1968         * jit/AssemblyHelpers.cpp:
1969         (JSC::AssemblyHelpers::branchIfNotType):
1970         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
1971         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1972         * jit/AssemblyHelpers.h:
1973         (JSC::AssemblyHelpers::branchIfMisc):
1974         (JSC::AssemblyHelpers::branchIfNotMisc):
1975         (JSC::AssemblyHelpers::branchIfNumber):
1976         (JSC::AssemblyHelpers::branchIfNotNumber):
1977         (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
1978         (JSC::AssemblyHelpers::emitTypeOf):
1979         * jit/JITAddGenerator.cpp:
1980         (JSC::JITAddGenerator::generateFastPath):
1981         * jit/JITArithmetic32_64.cpp:
1982         (JSC::JIT::emitBinaryDoubleOp):
1983         * jit/JITDivGenerator.cpp:
1984         (JSC::JITDivGenerator::loadOperand):
1985         * jit/JITMulGenerator.cpp:
1986         (JSC::JITMulGenerator::generateInline):
1987         (JSC::JITMulGenerator::generateFastPath):
1988         * jit/JITNegGenerator.cpp:
1989         (JSC::JITNegGenerator::generateInline):
1990         (JSC::JITNegGenerator::generateFastPath):
1991         * jit/JITOpcodes32_64.cpp:
1992         (JSC::JIT::emit_op_is_number):
1993         (JSC::JIT::emit_op_jeq_null):
1994         (JSC::JIT::emit_op_jneq_null):
1995         (JSC::JIT::emit_op_to_number):
1996         (JSC::JIT::emit_op_profile_type):
1997         * jit/JITRightShiftGenerator.cpp:
1998         (JSC::JITRightShiftGenerator::generateFastPath):
1999         * jit/JITSubGenerator.cpp:
2000         (JSC::JITSubGenerator::generateInline):
2001         (JSC::JITSubGenerator::generateFastPath):
2002         * llint/LLIntData.cpp:
2003         (JSC::LLInt::Data::performAssertions):
2004         * llint/LowLevelInterpreter.asm:
2005         * llint/LowLevelInterpreter32_64.asm:
2006         * runtime/JSCJSValue.h:
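
The tag-ordering argument in the entry above, as an added illustration that is not JSC's code: a 32-bit-style tagged value where the int32 tag is the lowest tag, so "is this a number?" becomes a single unsigned compare against LowestTag, and the (UndefinedTag | 1) == NullTag trick still folds null/undefined into one test. The tag constants, the Value struct and every function name here are constructed for this example and are not JSC's actual values or API; the one real detail it relies on is that any non-NaN double has a high word of at most 0xfff00000, which is why NaN must be purified before its raw bits can be stored.

```cpp
// Added example (not JavaScriptCore code). Tag constants are constructed to
// satisfy the invariants described in the ChangeLog entry, not copied from JSC.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <cmath>
#include <limits>

namespace example {

// Upper 32 bits of a 64-bit value. Every tag below LowestTag is a double.
enum Tag : uint32_t {
    CellTag         = 0xffffffff,
    BooleanTag      = 0xfffffffe,
    NullTag         = 0xfffffffd,   // (UndefinedTag | 1) == NullTag
    UndefinedTag    = 0xfffffffc,
    EmptyValueTag   = 0xfffffffb,
    DeletedValueTag = 0xfffffffa,
    Int32Tag        = 0xfffffff9,   // Int32Tag is the lowest non-double tag
    LowestTag       = Int32Tag,
};

struct Value {
    uint32_t tag;
    uint32_t payload;
};

inline Value makeInt32(int32_t i)    { return { Int32Tag, static_cast<uint32_t>(i) }; }
inline Value makeBoolean(bool b)     { return { BooleanTag, b ? 1u : 0u }; }
inline Value makeNull()              { return { NullTag, 0 }; }
inline Value makeUndefined()         { return { UndefinedTag, 0 }; }
inline Value makeCell(uint32_t ptr)  { return { CellTag, ptr }; }

inline double doubleFromBits(uint64_t bits) {
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// Doubles are stored as raw IEEE-754 bits. A NaN's high word can land inside
// the tag range (e.g. 0xffffffff), so NaN is purified to the canonical quiet
// NaN (high word 0x7ff80000) before encoding. Any other double has a high word
// of at most 0xfff00000, which is below LowestTag.
inline Value makeDouble(double d) {
    if (std::isnan(d))
        d = std::numeric_limits<double>::quiet_NaN();
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return { static_cast<uint32_t>(bits >> 32), static_cast<uint32_t>(bits) };
}

// The point of the reordering: int32 and every double both satisfy
// tag <= LowestTag, so "is number" needs no scratch register or second compare.
inline bool isNumber(Value v)           { return v.tag <= LowestTag; }
inline bool isInt32(Value v)            { return v.tag == Int32Tag; }
inline bool isDouble(Value v)           { return v.tag < LowestTag; }
inline bool isBoolean(Value v)          { return v.tag == BooleanTag; }
inline bool isCell(Value v)             { return v.tag == CellTag; }
// One test for both null and undefined, which is what the tag order preserves.
inline bool isNullOrUndefined(Value v)  { return (v.tag | 1) == NullTag; }

inline int32_t asInt32(Value v) { return static_cast<int32_t>(v.payload); }
inline double asDouble(Value v) {
    return doubleFromBits((static_cast<uint64_t>(v.tag) << 32) | v.payload);
}

// Checks that no non-number tag passes the number test and that the two
// invariants the entry relies on hold for this layout.
inline bool tagLayoutIsConsistent() {
    const uint32_t nonNumberTags[] = { CellTag, BooleanTag, NullTag, UndefinedTag,
                                       EmptyValueTag, DeletedValueTag };
    for (uint32_t t : nonNumberTags) {
        if (t <= LowestTag)
            return false;
    }
    return (UndefinedTag | 1) == NullTag && Int32Tag == LowestTag;
}

} // namespace example

int main() {
    using namespace example;
    std::printf("layout consistent: %d\n", tagLayoutIsConsistent());
    std::printf("int32 is number: %d\n", isNumber(makeInt32(42)));
    std::printf("double is number: %d\n", isNumber(makeDouble(-1.5)));
    std::printf("NaN with tag-range bits is double after purify: %d\n",
                isDouble(makeDouble(doubleFromBits(0xffffffff00000001ull))));
    std::printf("null is number: %d\n", isNumber(makeNull()));
    return 0;
}
```

The purification step is the part worth keeping in mind: without it, a NaN whose high word happens to equal one of the tags would be misclassified as a cell or a boolean by exactly the single-compare check the patch introduces.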
2007
2008 2018-01-04  JF Bastien  <jfbastien@apple.com>
2009
2010         Add assembler support for x86 lfence and sfence
2011         https://bugs.webkit.org/show_bug.cgi?id=181311
2012         <rdar://problem/36301780>
2013
2014         Reviewed by Michael Saboff.
2015
2016         Useful for testing performance of serializing instructions (hint:
2017         it's not good).
2018
2019         * assembler/MacroAssemblerX86Common.h:
2020         (JSC::MacroAssemblerX86Common::lfence):
2021         (JSC::MacroAssemblerX86Common::sfence):
2022         * assembler/X86Assembler.h:
2023         (JSC::X86Assembler::lfence):
2024         (JSC::X86Assembler::sfence):
2025
2026 2018-01-04  Saam Barati  <sbarati@apple.com>
2027
2028         Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
2029         https://bugs.webkit.org/show_bug.cgi?id=181296
2030
2031         Reviewed by Filip Pizlo.
2032
2033         Inside Speedometer's Ember test, there is a recompile loop like:
2034         a: GetByVal(..., semanticOriginX)
2035         b: SetLocal(Cell:@a, semanticOriginX)
2036         
2037         where the cell check always fails. For reasons I didn't investigate, the
2038         baseline JIT's value profiling doesn't accurately capture the GetByVal's
2039         result.
2040         
2041         However, when compiling this cell speculation check in the DFG, we get a null
2042         MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
2043         this IR pattern because both @a and @b have the same semantic origin. We
2044         should not follow the same semantic origin heuristic when dealing with
2045         SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
2046         For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
2047         For this IR pattern, we will update the value profile for the semantic origin
2048         for @nodeWithHeapPrediction. So, for the Speedometer example above, we
2049         will correctly update the GetByVal's value profile, which will prevent
2050         an OSR exit loop.
2051
2052         * dfg/DFGGraph.cpp:
2053         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2054
2055 2018-01-04  Keith Miller  <keith_miller@apple.com>
2056
2057         Array Storage operations sometimes did not update the indexing mask correctly.
2058         https://bugs.webkit.org/show_bug.cgi?id=181301
2059
2060         Reviewed by Mark Lam.
2061
2062         I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
2063
2064         * runtime/JSArray.cpp:
2065         (JSC::JSArray::shiftCountWithArrayStorage):
2066         * runtime/JSObject.cpp:
2067         (JSC::JSObject::increaseVectorLength):
2068
2069 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2070
2071         [DFG] Define defs for MapSet/SetAdd to participate in CSE
2072         https://bugs.webkit.org/show_bug.cgi?id=179911
2073
2074         Reviewed by Saam Barati.
2075
2076         With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
2077         To handle the slightly tricky DFG Map operation nodes, MapSet and SetAdd
2078         produce the added bucket as their result. A subsequent GetMapBucket will
2079         be removed by CSE.
2080
2081         * dfg/DFGAbstractInterpreterInlines.h:
2082         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2083         * dfg/DFGClobberize.h:
2084         (JSC::DFG::clobberize):
2085         * dfg/DFGNodeType.h:
2086         * dfg/DFGOperations.cpp:
2087         * dfg/DFGOperations.h:
2088         * dfg/DFGPredictionPropagationPhase.cpp:
2089         * dfg/DFGSpeculativeJIT.cpp:
2090         (JSC::DFG::SpeculativeJIT::compileSetAdd):
2091         (JSC::DFG::SpeculativeJIT::compileMapSet):
2092         * dfg/DFGSpeculativeJIT.h:
2093         (JSC::DFG::SpeculativeJIT::callOperation):
2094         * ftl/FTLLowerDFGToB3.cpp:
2095         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
2096         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
2097         * jit/JITOperations.h:
2098         * runtime/HashMapImpl.h:
2099         (JSC::HashMapImpl::addNormalized):
2100         (JSC::HashMapImpl::addNormalizedInternal):
2101
2102 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2103
2104         [JSC] Remove LocalScope
2105         https://bugs.webkit.org/show_bug.cgi?id=181206
2106
2107         Reviewed by Geoffrey Garen.
2108
2109         The last user of HandleStack and LocalScope is JSON, but MarkedArgumentBuffer is enough for their use.
2110         This patch changes JSON parsing and stringifying to use MarkedArgumentBuffer, and removes HandleStack
2111         and LocalScope.
2112
2113         We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold
2114         JSObject* directly in their fields.
2115
2116         * JavaScriptCore.xcodeproj/project.pbxproj:
2117         * Sources.txt:
2118         * heap/HandleStack.cpp: Removed.
2119         * heap/HandleStack.h: Removed.
2120         * heap/Heap.cpp:
2121         (JSC::Heap::addCoreConstraints):
2122         * heap/Heap.h:
2123         (JSC::Heap::handleSet):
2124         (JSC::Heap::handleStack): Deleted.
2125         * heap/Local.h: Removed.
2126         * heap/LocalScope.h: Removed.
2127         * runtime/JSONObject.cpp:
2128         (JSC::Stringifier::Holder::object const):
2129         (JSC::gap):
2130         (JSC::Stringifier::Stringifier):
2131         (JSC::Stringifier::stringify):
2132         (JSC::Stringifier::appendStringifiedValue):
2133         (JSC::Stringifier::Holder::Holder):
2134         (JSC::Stringifier::Holder::appendNextProperty):
2135         (JSC::Walker::Walker):
2136         (JSC::Walker::callReviver):
2137         (JSC::Walker::walk):
2138         (JSC::JSONProtoFuncParse):
2139         (JSC::JSONProtoFuncStringify):
2140         (JSC::JSONParse):
2141         (JSC::JSONStringify):
2142
2143 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2144
2145         [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
2146         https://bugs.webkit.org/show_bug.cgi?id=180238
2147
2148         Reviewed by Saam Barati.
2149
2150         We can optimize ObjectAllocationSinking a bit by using removeIf.
2151
2152         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2153
2154 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2155
2156         [JSC] Create parallel SlotVisitors apriori
2157         https://bugs.webkit.org/show_bug.cgi?id=180907
2158
2159         Reviewed by Saam Barati.
2160
2161         The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
2162         If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically.
2163         Then we do not need to grab locks while iterating all the SlotVisitors.
2164
2165         In addition, we do not need to consider the case that the number of SlotVisitors increases
2166         after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
2167         does not increase any more.
2168
2169         * heap/Heap.cpp:
2170         (JSC::Heap::Heap):
2171         (JSC::Heap::runBeginPhase):
2172         * heap/Heap.h:
2173         * heap/HeapInlines.h:
2174         (JSC::Heap::forEachSlotVisitor):
2175         (JSC::Heap::numberOfSlotVisitors): Deleted.
2176         * heap/MarkingConstraintSolver.cpp:
2177         (JSC::MarkingConstraintSolver::didVisitSomething const):
2178
2179 2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>
2180
2181         Replace hard-coded paths in shebangs with #!/usr/bin/env
2182         https://bugs.webkit.org/show_bug.cgi?id=181040
2183
2184         Reviewed by Alex Christensen.
2185
2186         * Scripts/UpdateContents.py:
2187         * Scripts/cssmin.py:
2188         * Scripts/generate-combined-inspector-json.py:
2189         * Scripts/xxd.pl:
2190         * create_hash_table:
2191         * generate-bytecode-files:
2192         * wasm/generateWasm.py:
2193         * wasm/generateWasmOpsHeader.py:
2194         * yarr/generateYarrCanonicalizeUnicode:
2195
2196 2018-01-03  Michael Saboff  <msaboff@apple.com>
2197
2198         Disable SharedArrayBuffers from Web API
2199         https://bugs.webkit.org/show_bug.cgi?id=181266
2200
2201         Reviewed by Saam Barati.
2202
2203         Removed SharedArrayBuffer prototype and structure from GlobalObject creation
2204         to disable.
2205
2206         * runtime/JSGlobalObject.cpp:
2207         (JSC::JSGlobalObject::init):
2208         (JSC::JSGlobalObject::visitChildren):
2209         * runtime/JSGlobalObject.h:
2210         (JSC::JSGlobalObject::arrayBufferPrototype const):
2211         (JSC::JSGlobalObject::arrayBufferStructure const):
2212
2213 2018-01-03  Michael Saboff  <msaboff@apple.com>
2214
2215         Add "noInline" to $vm
2216         https://bugs.webkit.org/show_bug.cgi?id=181265
2217
2218         Reviewed by Mark Lam.
2219
2220         This would be useful for web based tests.
2221
2222         * tools/JSDollarVM.cpp:
2223         (JSC::getExecutableForFunction):
2224         (JSC::functionNoInline):
2225         (JSC::JSDollarVM::finishCreation):
2226
2227 2018-01-03  Michael Saboff  <msaboff@apple.com>
2228
2229         Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
2230         https://bugs.webkit.org/show_bug.cgi?id=181263
2231
2232         Reviewed by Mark Lam.
2233
2234         Flushing the butterfly pointer provides no benefit and slows this function.
2235
2236         * tools/JSDollarVM.cpp:
2237         (JSC::functionCpuClflush):
2238
2239 2018-01-03  Saam Barati  <sbarati@apple.com>
2240
2241         Fix BytecodeParser op_catch assert to work with useProfiler=1
2242         https://bugs.webkit.org/show_bug.cgi?id=181260
2243
2244         Reviewed by Keith Miller.
2245
2246         op_catch was asserting that the current block was empty. This is only true
2247         if the profiler isn't enabled. When the profiler is enabled, we will
2248         insert a CountExecution node before each bytecode. This patch fixes the
2249         assert to work with the profiler.
2250
2251         * dfg/DFGByteCodeParser.cpp:
2252         (JSC::DFG::ByteCodeParser::parseBlock):
2253
2254 2018-01-03  Per Arne Vollan  <pvollan@apple.com>
2255
2256         [Win][Debug] testapi link error.
2257         https://bugs.webkit.org/show_bug.cgi?id=181247
2258         <rdar://problem/36166729>
2259
2260         Reviewed by Brent Fulgham.
2261
2262         Do not set the runtime library compile flag for C files, it is already set to the correct value.
2263  
2264         * shell/PlatformWin.cmake:
2265
2266 2018-01-03  Robin Morisset  <rmorisset@apple.com>
2267
2268         Inlining of a function that ends in op_unreachable crashes
2269         https://bugs.webkit.org/show_bug.cgi?id=181027
2270
2271         Reviewed by Filip Pizlo.
2272
2273         * dfg/DFGByteCodeParser.cpp:
2274         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
2275         (JSC::DFG::ByteCodeParser::inlineCall):
2276
2277 2018-01-02  Saam Barati  <sbarati@apple.com>
2278
2279         Incorrect assertion inside AccessCase
2280         https://bugs.webkit.org/show_bug.cgi?id=181200
2281         <rdar://problem/35494754>
2282
2283         Reviewed by Yusuke Suzuki.
2284
2285         Consider a PutById compiled to a setter in a function like so:
2286         
2287         ```
2288         function foo(o) { o.f = o; }
2289         ```
2290         
2291         The DFG will often assign the same registers to the baseGPR (o in o.f) and the
2292         valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
2293         to the same register. However, we're asserting that they're not the same register.
2294         This patch just removes this invalid assertion.
2295
2296         * bytecode/AccessCase.cpp:
2297         (JSC::AccessCase::generateImpl):
2298
2299 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
2300
2301         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
2302         https://bugs.webkit.org/show_bug.cgi?id=175359
2303
2304         Reviewed by Yusuke Suzuki.
2305
2306         This patch is implementing BigIntConstructor and BigIntPrototype
2307         following the spec[1, 2]. In addition, we are also implementing the BigIntObject
2308         wrapper to handle the ToObject(v) abstract operation when "v" is a BigInt
2309         primitive. With these classes, it is now possible to synthesize
2310         BigInt.prototype and then call "toString", "valueOf" and
2311         "toLocaleString" when the primitive is a BigInt.
2312         BigIntConstructor exposes an API to parse other primitives such as
2313         Number, Boolean and String to BigInt.
2314         We decided to skip the parseInt implementation, since it was removed from
2315         the spec.
2316
2317         [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
2318         [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object
2319
2320         * CMakeLists.txt:
2321         * DerivedSources.make:
2322         * JavaScriptCore.xcodeproj/project.pbxproj:
2323         * Sources.txt:
2324         * jsc.cpp:
2325         * runtime/BigIntConstructor.cpp: Added.
2326         (JSC::BigIntConstructor::BigIntConstructor):
2327         (JSC::BigIntConstructor::finishCreation):
2328         (JSC::isSafeInteger):
2329         (JSC::toBigInt):
2330         (JSC::callBigIntConstructor):
2331         (JSC::bigIntConstructorFuncAsUintN):
2332         (JSC::bigIntConstructorFuncAsIntN):
2333         * runtime/BigIntConstructor.h: Added.
2334         (JSC::BigIntConstructor::create):
2335         (JSC::BigIntConstructor::createStructure):
2336         * runtime/BigIntObject.cpp: Added.
2337         (JSC::BigIntObject::BigIntObject):
2338         (JSC::BigIntObject::finishCreation):
2339         (JSC::BigIntObject::toStringName):
2340         (JSC::BigIntObject::defaultValue):
2341         * runtime/BigIntObject.h: Added.
2342         (JSC::BigIntObject::create):
2343         (JSC::BigIntObject::internalValue const):
2344         (JSC::BigIntObject::createStructure):
2345         * runtime/BigIntPrototype.cpp: Added.
2346         (JSC::BigIntPrototype::BigIntPrototype):
2347         (JSC::BigIntPrototype::finishCreation):
2348         (JSC::toThisBigIntValue):
2349         (JSC::bigIntProtoFuncToString):
2350         (JSC::bigIntProtoFuncToLocaleString):
2351         (JSC::bigIntProtoFuncValueOf):
2352         * runtime/BigIntPrototype.h: Added.
2353         (JSC::BigIntPrototype::create):
2354         (JSC::BigIntPrototype::createStructure):
2355         * runtime/IntlCollator.cpp:
2356         (JSC::IntlCollator::initializeCollator):
2357         * runtime/IntlNumberFormat.cpp:
2358         (JSC::IntlNumberFormat::initializeNumberFormat):
2359         * runtime/JSBigInt.cpp:
2360         (JSC::JSBigInt::createFrom):
2361         (JSC::JSBigInt::parseInt):
2362         (JSC::JSBigInt::toObject const):
2363         * runtime/JSBigInt.h:
2364         * runtime/JSCJSValue.cpp:
2365         (JSC::JSValue::synthesizePrototype const):
2366         * runtime/JSCPoisonedPtr.cpp:
2367         * runtime/JSCell.cpp:
2368         (JSC::JSCell::toObjectSlow const):
2369         * runtime/JSGlobalObject.cpp:
2370         (JSC::JSGlobalObject::init):
2371         (JSC::JSGlobalObject::visitChildren):
2372         * runtime/JSGlobalObject.h:
2373         (JSC::JSGlobalObject::bigIntPrototype const):
2374         (JSC::JSGlobalObject::bigIntObjectStructure const):
2375         * runtime/StructureCache.h:
2376         * runtime/StructureInlines.h:
2377         (JSC::prototypeForLookupPrimitiveImpl):
2378
2379 2018-01-02  Tim Horton  <timothy_horton@apple.com>
2380
2381         Fix the MathCommon build with a recent compiler
2382         https://bugs.webkit.org/show_bug.cgi?id=181216
2383
2384         Reviewed by Sam Weinig.
2385
2386         * runtime/MathCommon.cpp:
2387         (JSC::fdlibmPow):
2388         This cast drops the 'const' qualifier from the pointer to 'one',
2389         but it doesn't have to, and it makes the compiler sad.
2390
2391 == Rolled over to ChangeLog-2018-01-01 ==