Adjust geolocation feature flag
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-04-20  Tim Horton  <timothy_horton@apple.com>

        Adjust geolocation feature flag
        https://bugs.webkit.org/show_bug.cgi?id=184856

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:

2018-04-20  Brian Burg  <bburg@apple.com>

        Web Inspector: remove some dead code in IdentifiersFactory
        https://bugs.webkit.org/show_bug.cgi?id=184839

        Reviewed by Timothy Hatcher.

        This was never used on non-Chrome ports, so the identifier always has a
        prefix of '0.'. We may change this in the future, but for now remove this.
        Using a PID for this purpose is problematic anyway.

        * inspector/IdentifiersFactory.cpp:
        (Inspector::addPrefixToIdentifier):
        (Inspector::IdentifiersFactory::createIdentifier):
        (Inspector::IdentifiersFactory::requestId):
        (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
        * inspector/IdentifiersFactory.h:

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Add the ability to use a hash for setting PtrTag enum values.
        https://bugs.webkit.org/show_bug.cgi?id=184852
        <rdar://problem/39613891>

        Reviewed by Saam Barati.

        * runtime/PtrTag.h:

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Some JSEntryPtrTags should actually be JSInternalPtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184712
        <rdar://problem/39507381>

        Reviewed by Michael Saboff.

        1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
        2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
           only when needed.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callReturnLocation):
        (JSC::CallLinkInfo::patchableJump):
        (JSC::CallLinkInfo::hotPathBegin):
        (JSC::CallLinkInfo::slowPathStart):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setCallLocations):
        (JSC::CallLinkInfo::hotPathOther):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::doneLocation):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::initialize):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::done const):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr):
        (JSC::LLInt::getExecutableAddress): Deleted.
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

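Added example, not JavaScriptCore code: the two PtrTag entries above (tagging LLInt bytecodes with one tag and retagging only at the point of use, and the later templatization of CodePtr/FunctionPtr on a PtrTag) rest on one idea, that a code pointer carries a purpose-specific tag and a call site accepts only pointers tagged for that purpose. The sketch below makes the tag a template parameter so a mismatch is a compile error and a retag is an explicit operation. The tag names, the CodePtr class and the XOR-into-the-top-byte tagging are assumptions for the demo; real ARMv8.3 pointer authentication computes a keyed MAC in hardware, and JSC's own PtrTag machinery is not reproduced here. It assumes a 64-bit target.

```cpp
// Added example (not JavaScriptCore code): a tag-typed code pointer.
// The tag is a template parameter, so a pointer tagged for one purpose cannot
// be passed where another tag is expected without an explicit retag. The
// tagging itself is simulated with an XOR into the top byte (assumption: 64-bit
// pointers with a free top byte); real PAC computes a keyed MAC instead.
#include <cstdint>

namespace demo {

// Hypothetical tag values; JSC derives its own from a hash.
enum class PtrTag : uint64_t {
    NoPtrTag = 0,
    JSEntryPtrTag = 0x11,
    JSInternalPtrTag = 0x22,
    BytecodePtrTag = 0x33,
};

constexpr uint64_t tagBits(PtrTag tag) { return static_cast<uint64_t>(tag) << 56; }

inline void* tagPointer(void* p, PtrTag tag)
{
    return reinterpret_cast<void*>(reinterpret_cast<uintptr_t>(p) ^ static_cast<uintptr_t>(tagBits(tag)));
}
// XOR is its own inverse, so stripping a tag is the same operation.
inline void* untagPointer(void* p, PtrTag tag) { return tagPointer(p, tag); }

template<PtrTag tag>
class CodePtr {
public:
    CodePtr() = default;

    // Take an untagged executable address and apply this CodePtr's tag.
    static CodePtr createFromExecutableAddress(void* untagged)
    {
        CodePtr result;
        result.m_value = tagPointer(untagged, tag);
        return result;
    }

    // Move the pointer to a different tag: strip the old tag, apply the new one.
    template<PtrTag newTag>
    CodePtr<newTag> retagged() const
    {
        return CodePtr<newTag>::createFromExecutableAddress(executableAddress());
    }

    void* executableAddress() const { return untagPointer(m_value, tag); }
    void* taggedValue() const { return m_value; }

private:
    void* m_value = nullptr;
};

// A "call site" that only accepts JSEntryPtrTag pointers. Handing it a
// CodePtr<PtrTag::JSInternalPtrTag> is a compile error, not a runtime surprise.
inline void* entryCallTarget(CodePtr<PtrTag::JSEntryPtrTag> entry) { return entry.executableAddress(); }

// A bytecode pointer tagged once with BytecodePtrTag, retagged only when it is
// about to be used as an entry point. Returns true if the round trip gives back
// the raw address and the two tagged encodings differ.
inline bool retagRoundTripPreservesAddress()
{
    int dummy;
    void* raw = &dummy;
    auto bytecode = CodePtr<PtrTag::BytecodePtrTag>::createFromExecutableAddress(raw);
    auto entry = bytecode.retagged<PtrTag::JSEntryPtrTag>();
    return entryCallTarget(entry) == raw && bytecode.taggedValue() != entry.taggedValue();
}

// What a confused tag buys an attacker: stripping with the wrong tag yields
// neither the original address nor anything that should be jumped to.
inline bool wrongTagYieldsDifferentAddress()
{
    int dummy;
    void* raw = &dummy;
    auto entry = CodePtr<PtrTag::JSEntryPtrTag>::createFromExecutableAddress(raw);
    void* stripped = untagPointer(entry.taggedValue(), PtrTag::JSInternalPtrTag);
    return stripped != raw;
}

} // namespace demo
```

The point of the template parameter is the first function: once the tag lives in the type, "tag consistently, retag only when needed" stops being a convention and becomes something the compiler checks at every call site.
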
2018-04-18  Jer Noble  <jer.noble@apple.com>

        Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
        https://bugs.webkit.org/show_bug.cgi?id=184762

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-04-20  Daniel Bates  <dabates@apple.com>

        Remove code for compilers that did not support NSDMI for aggregates
        https://bugs.webkit.org/show_bug.cgi?id=184599

        Reviewed by Per Arne Vollan.

        Remove workaround for earlier Visual Studio versions that did not support non-static data
        member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
        and EWS bots to a newer version that supports this feature.

        * domjit/DOMJITEffect.h:
        (JSC::DOMJIT::Effect::Effect): Deleted.
        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
        * wasm/WasmFormat.h:
        (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Build fix for internal builds after r230826.
        https://bugs.webkit.org/show_bug.cgi?id=184790
        <rdar://problem/39301369>

        Not reviewed.

        * runtime/Options.cpp:
        (JSC::overrideDefaults):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::dump):

2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>

        REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
        https://bugs.webkit.org/show_bug.cgi?id=184254
        <rdar://problem/39140200>

        Reviewed by Daniel Bates.

        Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.

        * runtime/ArrayBuffer.h:
        (JSC::ArrayBufferContents::ArrayBufferContents):

2018-04-19  Mark Lam  <mark.lam@apple.com>

        Apply pointer profiling to Signal pointers.
        https://bugs.webkit.org/show_bug.cgi?id=184790
        <rdar://problem/39301369>

        Reviewed by Michael Saboff.

        1. Change stackPointer, framePointer, and instructionPointer accessors to
           be a pair of getter/setter functions.
        2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
           pointer profiling variants of these accessors.
        3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).

        * JavaScriptCorePrefix.h:
        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointerImpl):
        (JSC::MachineContext::stackPointer):
        (JSC::MachineContext::setStackPointer):
        (JSC::MachineContext::framePointerImpl):
        (JSC::MachineContext::framePointer):
        (JSC::MachineContext::setFramePointer):
        (JSC::MachineContext::instructionPointerImpl):
        (JSC::MachineContext::instructionPointer):
        (JSC::MachineContext::setInstructionPointer):
        (JSC::MachineContext::linkRegisterImpl):
        (JSC::MachineContext::linkRegister):
        (JSC::MachineContext::setLinkRegister):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::takeSample):
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::VMTraps::tryInstallTrapBreakpoints):
        * tools/CodeProfiling.cpp:
        (JSC::profilingTimer):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::dump):
        (JSC::installCrashHandler):
        (JSC::SigillCrashAnalyzer::analyze):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-04-19  David Kilzer  <ddkilzer@apple.com>

        Enable Objective-C weak references
        <https://webkit.org/b/184789>
        <rdar://problem/39571716>

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        (CLANG_ENABLE_OBJC_WEAK): Enable.
        * Configurations/ToolExecutable.xcconfig:
        (CLANG_ENABLE_OBJC_ARC): Simplify.

2018-04-17  Filip Pizlo  <fpizlo@apple.com>

        The InternalFunction hierarchy should be in IsoSubspaces
        https://bugs.webkit.org/show_bug.cgi?id=184721

        Reviewed by Saam Barati.

        This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
        but subclasses that are the same size as InternalFunction share its subspace. I did this
        because the subclasses appear to just override methods, which are called dynamically via the
        structure or class of the object. So, I don't see a type confusion risk if UAF is used to
        allocate one kind of InternalFunction over another.

        * API/JSBase.h:
        * API/JSCallbackFunction.h:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::subspaceFor):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/IsoSubspacePerVM.cpp: Added.
        (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
        (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
        (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
        (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
        (JSC::IsoSubspacePerVM::forVM):
        * heap/IsoSubspacePerVM.h: Added.
        (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
        * runtime/Error.h:
        * runtime/ErrorConstructor.h:
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::subspaceFor):
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/JSArrayBufferConstructor.h:
        * runtime/NativeErrorConstructor.h:
        * runtime/ProxyRevoke.h:
        * runtime/RegExpConstructor.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

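Added example, not JavaScriptCore code: the IsoSubspace entry above argues from the way a use-after-free turns into a type confusion, namely that a freed cell gets handed out again to an allocation of a different type. The toy allocator below shows that mechanism and the mitigation side by side: a shared pool recycles a freed cell to whatever type asks next, while a per-type "iso subspace" can only ever reuse it for the same type. The pool and subspace classes, the two object types and the cell layout are assumptions for the demo; JSC's IsoSubspace, its GC integration and its per-VM plumbing are not reproduced here.

```cpp
// Added example (not JavaScriptCore code): a toy "iso subspace" allocator.
// Each type gets its own pool of fixed-size cells and its own free list, so a
// cell freed as type A can only ever be handed out again as type A. A shared
// pool recycles the cell for whatever type asks next, which is what turns a
// dangling pointer into a type confusion.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace demo {

// Shared pool: one free list for every type of the same cell size.
class SharedPool {
public:
    SharedPool(size_t cellSize, size_t cellCount)
        : m_storage(cellSize * cellCount)
    {
        // Push cells in reverse so the lowest address is handed out first.
        for (size_t i = cellCount; i-- > 0;)
            m_freeList.push_back(m_storage.data() + i * cellSize);
    }

    void* allocate()
    {
        if (m_freeList.empty())
            return nullptr;
        void* cell = m_freeList.back();
        m_freeList.pop_back();
        return cell;
    }

    // No quarantine, no zeroing: the next allocate() returns this cell.
    void deallocate(void* cell) { m_freeList.push_back(static_cast<uint8_t*>(cell)); }

private:
    std::vector<uint8_t> m_storage;
    std::vector<uint8_t*> m_freeList;
};

// Iso subspace: one pool per type T, never shared with any other type.
template<typename T>
class IsoSubspace {
public:
    explicit IsoSubspace(size_t cellCount) : m_pool(sizeof(T), cellCount) {}
    T* allocate() { return static_cast<T*>(m_pool.allocate()); }
    void deallocate(T* cell) { m_pool.deallocate(cell); }

private:
    SharedPool m_pool;
};

// Two unrelated object types of identical size, standing in for two classes
// that happen to share a cell size (hypothetical, not InternalFunction).
struct Callback { uint64_t target; }; // a code pointer an attacker would love to control
struct Counter { uint64_t count; };    // plain integer state a script can set freely

// Scenario 1: in a shared pool the dangling Callback* ends up aliasing a fresh
// Counter. Returns true if the stale pointer now points at the Counter's cell.
inline bool sharedPoolReusesFreedCellForOtherType()
{
    SharedPool pool(sizeof(uint64_t), 4);
    auto* callback = static_cast<Callback*>(pool.allocate());
    pool.deallocate(callback); // callback is now dangling
    auto* counter = static_cast<Counter*>(pool.allocate());
    return static_cast<void*>(callback) == static_cast<void*>(counter);
}

// Scenario 2: with per-type subspaces the Counter allocation can never land on
// the cell the dangling Callback* refers to. Returns true if they stay apart.
inline bool isoSubspaceKeepsTypesApart()
{
    IsoSubspace<Callback> callbacks(4);
    IsoSubspace<Counter> counters(4);
    Callback* callback = callbacks.allocate();
    callbacks.deallocate(callback); // callback is now dangling
    Counter* counter = counters.allocate();
    return static_cast<void*>(callback) != static_cast<void*>(counter);
}

} // namespace demo
```

The entry's judgement call maps directly onto this: letting same-sized InternalFunction subclasses share one subspace is the second scenario with Callback and Counter being two subclasses of the same type, which is only safe because, as the entry says, nothing in their layout differs for a stale pointer to misinterpret.
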
2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, Fix jsc shell
        https://bugs.webkit.org/show_bug.cgi?id=184600

        WebAssembly module loading does not finish with drainMicrotasks().
        So JSNativeStdFunction's capturing variables become invalid.
        This patch fixes this issue.

        * jsc.cpp:
        (functionDollarAgentStart):
        (runWithOptions):
        (runJSC):
        (jscmain):

2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>

        REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
        https://bugs.webkit.org/show_bug.cgi?id=184725

        Reviewed by Mark Lam.

        * jit/JIT.h:

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Import tables in wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184738

        Reviewed by JF Bastien.

        This patch simply allows wasm modules to import tables from wasm modules / js re-exporting.
        Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
        just works.

        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix build error and crash after PtrTag change
        https://bugs.webkit.org/show_bug.cgi?id=184732

        Reviewed by Mark Lam.

        Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
        MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
        twice with ARM-Thumb2.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Import globals from wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184736

        Reviewed by JF Bastien.

        This patch implements a feature importing globals to/from wasm modules.
        Since we are not supporting mutable globals now, we can just copy the
        global data when importing. Currently we do not support importing/exporting
        i64 globals. This will be supported once (1) mutable global bindings are
        specified and (2) BigInt based i64 importing/exporting is specified.

        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2018-04-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, fix build on ARM

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):

2018-04-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, fix build with GCC

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, reland r230697, r230720, and r230724.
        https://bugs.webkit.org/show_bug.cgi?id=184600

        With CatchScope check.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ModuleLoaderPrototype.js:
        (globalPrivate.newRegistryEntry):
        (requestInstantiate):
        (link):
        * jsc.cpp:
        (convertShebangToJSComment):
        (fillBufferWithContentsOfFile):
        (fetchModuleFromLocalFileSystem):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarAgentStart):
        (checkException):
        (runWithOptions):
        * parser/NodesAnalyzeModule.cpp:
        (JSC::ImportDeclarationNode::analyzeModule):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        (JSC::AbstractModuleRecord::resolveImport):
        (JSC::AbstractModuleRecord::link):
        (JSC::AbstractModuleRecord::evaluate):
        (JSC::identifierToJSValue): Deleted.
        * runtime/AbstractModuleRecord.h:
        (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
        (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::evaluate):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSModuleRecord.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
        * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        (JSC::createSourceBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::prepareLink):
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::WebAssemblyPrototype::instantiate):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        * wasm/js/WebAssemblyPrototype.h:

2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
        https://bugs.webkit.org/show_bug.cgi?id=184687

        Reviewed by Michael Catanzaro.

        Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
        JSClassDefinition. This is required to implement dynamic properties that can't be added with
        jsc_class_add_property() for example to implement something like imports object in seed/gjs.

        * API/glib/JSCClass.cpp:
        (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
        can throw exceptions.
        (VTableExceptionHandler::~VTableExceptionHandler):
        (getProperty): Iterate the class chain to call get_property function.
        (setProperty): Iterate the class chain to call set_property function.
        (hasProperty): Iterate the class chain to call has_property function.
        (deleteProperty): Iterate the class chain to call delete_property function.
        (getPropertyNames): Iterate the class chain to call enumerate_properties function.
        (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
        jscClassCreate now.
        (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
        * API/glib/JSCClass.h:
        * API/glib/JSCClassPrivate.h:
        * API/glib/JSCContext.cpp:
        (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
        (jsc_context_register_class): Add JSCClassVTable parameter.
        * API/glib/JSCContext.h:
        * API/glib/JSCContextPrivate.h:
        * API/glib/JSCWrapperMap.cpp:
        (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
        * API/glib/JSCWrapperMap.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.

2018-04-17  Mark Lam  <mark.lam@apple.com>

        Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184702
        <rdar://problem/35391681>

        Reviewed by Filip Pizlo and Saam Barati.

        1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
           to take a PtrTag template argument.
        2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
        (JSC::AbstractMacroAssembler::linkJump):
        (JSC::AbstractMacroAssembler::linkPointer):
        (JSC::AbstractMacroAssembler::getLinkerAddress):
        (JSC::AbstractMacroAssembler::repatchJump):
        (JSC::AbstractMacroAssembler::repatchJumpToNop):
        (JSC::AbstractMacroAssembler::repatchNearCall):
        (JSC::AbstractMacroAssembler::repatchCompact):
        (JSC::AbstractMacroAssembler::repatchInt32):
        (JSC::AbstractMacroAssembler::repatchPointer):
        (JSC::AbstractMacroAssembler::readPointer):
        (JSC::AbstractMacroAssembler::replaceWithLoad):
        (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
        * assembler/CodeLocation.h:
        (JSC::CodeLocationCommon:: const):
        (JSC::CodeLocationCommon::CodeLocationCommon):
        (JSC::CodeLocationInstruction::CodeLocationInstruction):
        (JSC::CodeLocationLabel::CodeLocationLabel):
        (JSC::CodeLocationLabel::retagged):
        (JSC::CodeLocationLabel:: const):
        (JSC::CodeLocationJump::CodeLocationJump):
        (JSC::CodeLocationJump::retagged):
        (JSC::CodeLocationCall::CodeLocationCall):
        (JSC::CodeLocationCall::retagged):
        (JSC::CodeLocationNearCall::CodeLocationNearCall):
        (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
        (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
        (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
        (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
        (JSC::CodeLocationCommon<tag>::instructionAtOffset):
        (JSC::CodeLocationCommon<tag>::labelAtOffset):
        (JSC::CodeLocationCommon<tag>::jumpAtOffset):
        (JSC::CodeLocationCommon<tag>::callAtOffset):
        (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
        (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
        (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
        (JSC::CodeLocationCommon::labelAtOffset): Deleted.
        (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
        (JSC::CodeLocationCommon::callAtOffset): Deleted.
        (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
        (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
        (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        (JSC::LinkBuffer::patch):
        (JSC::LinkBuffer::entrypoint):
        (JSC::LinkBuffer::locationOf):
        (JSC::LinkBuffer::locationOfNearCall):
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        (JSC::LinkBuffer::trampolineAt):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):
        (JSC::MacroAssemblerARM::replaceWithJump):
        (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM::repatchCall):
        (JSC::MacroAssemblerARM::linkCall):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::readCallTarget):
        (JSC::MacroAssemblerARM64::replaceWithVMHalt):
        (JSC::MacroAssemblerARM64::replaceWithJump):
        (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::repatchCall):
        (JSC::MacroAssemblerARM64::linkCall):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::replaceWithJump):
        (JSC::MacroAssemblerARMv7::readCallTarget):
        (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::repatchCall):
        (JSC::MacroAssemblerARMv7::linkCall):
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtrBase::dumpWithName):
        (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
        (JSC::MacroAssemblerCodeRefBase::disassembly):
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
        (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
        (JSC::MacroAssemblerCodePtr::dump const): Deleted.
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
        (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
        (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
        (JSC::MacroAssemblerCodeRef::dump const): Deleted.
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
        (JSC::FunctionPtr::retagged const):
        (JSC::FunctionPtr::retaggedExecutableAddress const):
        (JSC::FunctionPtr::operator== const):
        (JSC::FunctionPtr::operator!= const):
        (JSC::ReturnAddressPtr::ReturnAddressPtr):
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
        (JSC::MacroAssemblerCodePtr::retagged const):
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodePtr::dumpWithName const):
        (JSC::MacroAssemblerCodePtr::dump const):
        (JSC::MacroAssemblerCodePtrHash::hash):
        (JSC::MacroAssemblerCodePtrHash::equal):
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
        (JSC::MacroAssemblerCodeRef::code const):
        (JSC::MacroAssemblerCodeRef::retaggedCode const):
        (JSC::MacroAssemblerCodeRef::retagged const):
        (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
        (JSC::MacroAssemblerCodeRef::disassembly const):
        (JSC::MacroAssemblerCodeRef::dump const):
        (JSC::FunctionPtr<tag>::FunctionPtr):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::readCallTarget):
        (JSC::MacroAssemblerMIPS::replaceWithJump):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::repatchCall):
        (JSC::MacroAssemblerMIPS::linkCall):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::readCallTarget):
        (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86::repatchCall):
        (JSC::MacroAssemblerX86::linkCall):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::repatchCompact):
        (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
        (JSC::MacroAssemblerX86Common::replaceWithJump):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::readCallTarget):
        (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::repatchCall):
        (JSC::MacroAssemblerX86_64::linkCall):
        * assembler/testmasm.cpp:
        (JSC::compile):
        (JSC::invoke):
        (JSC::testProbeModifiesProgramCounter):
        * b3/B3Compilation.cpp:
        (JSC::B3::Compilation::Compilation):
        * b3/B3Compilation.h:
        (JSC::B3::Compilation::code const):
        (JSC::B3::Compilation::codeRef const):
        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/B3LowerMacros.cpp:
        * b3/air/AirDisassembler.cpp:
        (JSC::B3::Air::Disassembler::dump):
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::invoke):
        (JSC::B3::testInterpreter):
        (JSC::B3::testEntrySwitchSimple):
        (JSC::B3::testEntrySwitchNoEntrySwitch):
        (JSC::B3::testEntrySwitchWithCommonPaths):
        (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
        (JSC::B3::testEntrySwitchLoop):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCaseSnippetParams.cpp:
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callReturnLocation):
        (JSC::CallLinkInfo::patchableJump):
        (JSC::CallLinkInfo::hotPathBegin):
        (JSC::CallLinkInfo::slowPathStart):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setCallLocations):
        (JSC::CallLinkInfo::hotPathOther):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::dumpInContext const):
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::customAccessorGetter const):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::create):
        (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
        (JSC::GetterSetterAccessCase::dumpImpl const):
        * bytecode/GetterSetterAccessCase.h:
        (JSC::GetterSetterAccessCase::customAccessor const):
        (): Deleted.
        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfo::initialize):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/InlineAccess.h:
        * bytecode/JumpTable.h:
        (JSC::StringJumpTable::ctiForValue):
        (JSC::SimpleJumpTable::ctiForValue):
        * bytecode/LLIntCallLinkInfo.h:
        (JSC::LLIntCallLinkInfo::unlink):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationResult::AccessGenerationResult):
        (JSC::AccessGenerationResult::code const):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::slowPathCallLocation):
698         (JSC::StructureStubInfo::doneLocation):
699         (JSC::StructureStubInfo::slowPathStartLocation):
700         (JSC::StructureStubInfo::patchableJumpForIn):
701         * dfg/DFGCommonData.h:
702         (JSC::DFG::CommonData::appendCatchEntrypoint):
703         * dfg/DFGDisassembler.cpp:
704         (JSC::DFG::Disassembler::dumpDisassembly):
705         * dfg/DFGDriver.h:
706         * dfg/DFGJITCompiler.cpp:
707         (JSC::DFG::JITCompiler::linkOSRExits):
708         (JSC::DFG::JITCompiler::compileExceptionHandlers):
709         (JSC::DFG::JITCompiler::link):
710         (JSC::DFG::JITCompiler::compileFunction):
711         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
712         * dfg/DFGJITCompiler.h:
713         (JSC::DFG::CallLinkRecord::CallLinkRecord):
714         (JSC::DFG::JITCompiler::appendCall):
715         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
716         (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
717         (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
718         * dfg/DFGJITFinalizer.cpp:
719         (JSC::DFG::JITFinalizer::JITFinalizer):
720         (JSC::DFG::JITFinalizer::finalize):
721         (JSC::DFG::JITFinalizer::finalizeFunction):
722         * dfg/DFGJITFinalizer.h:
723         * dfg/DFGJumpReplacement.h:
724         (JSC::DFG::JumpReplacement::JumpReplacement):
725         * dfg/DFGNode.h:
726         * dfg/DFGOSREntry.cpp:
727         (JSC::DFG::prepareOSREntry):
728         (JSC::DFG::prepareCatchOSREntry):
729         * dfg/DFGOSREntry.h:
730         (JSC::DFG::prepareOSREntry):
731         * dfg/DFGOSRExit.cpp:
732         (JSC::DFG::OSRExit::executeOSRExit):
733         (JSC::DFG::reifyInlinedCallFrames):
734         (JSC::DFG::adjustAndJumpToTarget):
735         (JSC::DFG::OSRExit::codeLocationForRepatch const):
736         (JSC::DFG::OSRExit::emitRestoreArguments):
737         (JSC::DFG::OSRExit::compileOSRExit):
738         * dfg/DFGOSRExit.h:
739         * dfg/DFGOSRExitCompilerCommon.cpp:
740         (JSC::DFG::handleExitCounts):
741         (JSC::DFG::reifyInlinedCallFrames):
742         (JSC::DFG::osrWriteBarrier):
743         (JSC::DFG::adjustAndJumpToTarget):
744         * dfg/DFGOperations.cpp:
745         * dfg/DFGSlowPathGenerator.h:
746         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
747         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
748         (JSC::DFG::slowPathCall):
749         * dfg/DFGSpeculativeJIT.cpp:
750         (JSC::DFG::SpeculativeJIT::compileMathIC):
751         (JSC::DFG::SpeculativeJIT::compileCallDOM):
752         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
753         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
754         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
755         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
756         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
757         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
758         (JSC::DFG::SpeculativeJIT::cachedPutById):
759         * dfg/DFGSpeculativeJIT.h:
760         (JSC::DFG::SpeculativeJIT::callOperation):
761         (JSC::DFG::SpeculativeJIT::appendCall):
762         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
763         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
764         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
765         * dfg/DFGSpeculativeJIT64.cpp:
766         (JSC::DFG::SpeculativeJIT::cachedGetById):
767         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
768         (JSC::DFG::SpeculativeJIT::compile):
769         * dfg/DFGThunks.cpp:
770         (JSC::DFG::osrExitThunkGenerator):
771         (JSC::DFG::osrExitGenerationThunkGenerator):
772         (JSC::DFG::osrEntryThunkGenerator):
773         * dfg/DFGThunks.h:
774         * disassembler/ARM64Disassembler.cpp:
775         (JSC::tryToDisassemble):
776         * disassembler/ARMv7Disassembler.cpp:
777         (JSC::tryToDisassemble):
778         * disassembler/Disassembler.cpp:
779         (JSC::disassemble):
780         (JSC::disassembleAsynchronously):
781         * disassembler/Disassembler.h:
782         (JSC::tryToDisassemble):
783         * disassembler/UDis86Disassembler.cpp:
784         (JSC::tryToDisassembleWithUDis86):
785         * disassembler/UDis86Disassembler.h:
786         (JSC::tryToDisassembleWithUDis86):
787         * disassembler/X86Disassembler.cpp:
788         (JSC::tryToDisassemble):
789         * ftl/FTLCompile.cpp:
790         (JSC::FTL::compile):
791         * ftl/FTLExceptionTarget.cpp:
792         (JSC::FTL::ExceptionTarget::label):
793         (JSC::FTL::ExceptionTarget::jumps):
794         * ftl/FTLExceptionTarget.h:
795         * ftl/FTLGeneratedFunction.h:
796         * ftl/FTLJITCode.cpp:
797         (JSC::FTL::JITCode::initializeB3Code):
798         (JSC::FTL::JITCode::initializeAddressForCall):
799         (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
800         (JSC::FTL::JITCode::addressForCall):
801         (JSC::FTL::JITCode::executableAddressAtOffset):
802         * ftl/FTLJITCode.h:
803         (JSC::FTL::JITCode::b3Code const):
804         * ftl/FTLJITFinalizer.cpp:
805         (JSC::FTL::JITFinalizer::finalizeCommon):
806         * ftl/FTLLazySlowPath.cpp:
807         (JSC::FTL::LazySlowPath::initialize):
808         (JSC::FTL::LazySlowPath::generate):
809         * ftl/FTLLazySlowPath.h:
810         (JSC::FTL::LazySlowPath::patchableJump const):
811         (JSC::FTL::LazySlowPath::done const):
812         (JSC::FTL::LazySlowPath::stub const):
813         * ftl/FTLLazySlowPathCall.h:
814         (JSC::FTL::createLazyCallGenerator):
815         * ftl/FTLLink.cpp:
816         (JSC::FTL::link):
817         * ftl/FTLLowerDFGToB3.cpp:
818         (JSC::FTL::DFG::LowerDFGToB3::lower):
819         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
820         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
821         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
822         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
823         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
824         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
825         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
826         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
827         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
828         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
829         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
830         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
831         * ftl/FTLOSRExit.cpp:
832         (JSC::FTL::OSRExit::codeLocationForRepatch const):
833         * ftl/FTLOSRExit.h:
834         * ftl/FTLOSRExitCompiler.cpp:
835         (JSC::FTL::compileStub):
836         (JSC::FTL::compileFTLOSRExit):
837         * ftl/FTLOSRExitHandle.cpp:
838         (JSC::FTL::OSRExitHandle::emitExitThunk):
839         * ftl/FTLOperations.cpp:
840         (JSC::FTL::compileFTLLazySlowPath):
841         * ftl/FTLPatchpointExceptionHandle.cpp:
842         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
843         * ftl/FTLSlowPathCall.cpp:
844         (JSC::FTL::SlowPathCallContext::keyWithTarget const):
845         (JSC::FTL::SlowPathCallContext::makeCall):
846         * ftl/FTLSlowPathCall.h:
847         (JSC::FTL::callOperation):
848         * ftl/FTLSlowPathCallKey.cpp:
849         (JSC::FTL::SlowPathCallKey::dump const):
850         * ftl/FTLSlowPathCallKey.h:
851         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
852         (JSC::FTL::SlowPathCallKey::callTarget const):
853         (JSC::FTL::SlowPathCallKey::withCallTarget):
854         (JSC::FTL::SlowPathCallKey::hash const):
855         (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
856         * ftl/FTLState.cpp:
857         (JSC::FTL::State::State):
858         * ftl/FTLThunks.cpp:
859         (JSC::FTL::genericGenerationThunkGenerator):
860         (JSC::FTL::osrExitGenerationThunkGenerator):
861         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
862         (JSC::FTL::slowPathCallThunkGenerator):
863         * ftl/FTLThunks.h:
864         (JSC::FTL::generateIfNecessary):
865         (JSC::FTL::keyForThunk):
866         (JSC::FTL::Thunks::getSlowPathCallThunk):
867         (JSC::FTL::Thunks::keyForSlowPathCallThunk):
868         * interpreter/InterpreterInlines.h:
869         (JSC::Interpreter::getOpcodeID):
870         * jit/AssemblyHelpers.cpp:
871         (JSC::AssemblyHelpers::callExceptionFuzz):
872         (JSC::AssemblyHelpers::emitDumbVirtualCall):
873         (JSC::AssemblyHelpers::debugCall):
874         * jit/CCallHelpers.cpp:
875         (JSC::CCallHelpers::ensureShadowChickenPacket):
876         * jit/ExecutableAllocator.cpp:
877         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
878         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
879         * jit/ExecutableAllocator.h:
880         (JSC::performJITMemcpy):
881         * jit/GCAwareJITStubRoutine.cpp:
882         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
883         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
884         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
885         (JSC::createJITStubRoutine):
886         * jit/GCAwareJITStubRoutine.h:
887         (JSC::createJITStubRoutine):
888         * jit/JIT.cpp:
889         (JSC::ctiPatchCallByReturnAddress):
890         (JSC::JIT::compileWithoutLinking):
891         (JSC::JIT::link):
892         (JSC::JIT::privateCompileExceptionHandlers):
893         * jit/JIT.h:
894         (JSC::CallRecord::CallRecord):
895         * jit/JITArithmetic.cpp:
896         (JSC::JIT::emitMathICFast):
897         (JSC::JIT::emitMathICSlow):
898         * jit/JITCall.cpp:
899         (JSC::JIT::compileOpCallSlowCase):
900         * jit/JITCall32_64.cpp:
901         (JSC::JIT::compileOpCallSlowCase):
902         * jit/JITCode.cpp:
903         (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
904         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
905         (JSC::DirectJITCode::DirectJITCode):
906         (JSC::DirectJITCode::initializeCodeRef):
907         (JSC::DirectJITCode::addressForCall):
908         (JSC::NativeJITCode::NativeJITCode):
909         (JSC::NativeJITCode::initializeCodeRef):
910         (JSC::NativeJITCode::addressForCall):
911         * jit/JITCode.h:
912         * jit/JITCodeMap.h:
913         (JSC::JITCodeMap::Entry::Entry):
914         (JSC::JITCodeMap::Entry::codeLocation):
915         (JSC::JITCodeMap::append):
916         (JSC::JITCodeMap::find const):
917         * jit/JITDisassembler.cpp:
918         (JSC::JITDisassembler::dumpDisassembly):
919         * jit/JITExceptions.cpp:
920         (JSC::genericUnwind):
921         * jit/JITInlineCacheGenerator.cpp:
922         (JSC::JITByIdGenerator::finalize):
923         * jit/JITInlines.h:
924         (JSC::JIT::emitNakedCall):
925         (JSC::JIT::emitNakedTailCall):
926         (JSC::JIT::appendCallWithExceptionCheck):
927         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
928         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
929         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
930         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
931         * jit/JITMathIC.h:
932         (JSC::isProfileEmpty):
933         * jit/JITOpcodes.cpp:
934         (JSC::JIT::emit_op_catch):
935         (JSC::JIT::emit_op_switch_imm):
936         (JSC::JIT::emit_op_switch_char):
937         (JSC::JIT::emit_op_switch_string):
938         (JSC::JIT::privateCompileHasIndexedProperty):
939         (JSC::JIT::emitSlow_op_has_indexed_property):
940         * jit/JITOpcodes32_64.cpp:
941         (JSC::JIT::privateCompileHasIndexedProperty):
942         * jit/JITOperations.cpp:
943         (JSC::getByVal):
944         * jit/JITPropertyAccess.cpp:
945         (JSC::JIT::stringGetByValStubGenerator):
946         (JSC::JIT::emitGetByValWithCachedId):
947         (JSC::JIT::emitSlow_op_get_by_val):
948         (JSC::JIT::emitPutByValWithCachedId):
949         (JSC::JIT::emitSlow_op_put_by_val):
950         (JSC::JIT::emitSlow_op_try_get_by_id):
951         (JSC::JIT::emitSlow_op_get_by_id_direct):
952         (JSC::JIT::emitSlow_op_get_by_id):
953         (JSC::JIT::emitSlow_op_get_by_id_with_this):
954         (JSC::JIT::emitSlow_op_put_by_id):
955         (JSC::JIT::privateCompileGetByVal):
956         (JSC::JIT::privateCompileGetByValWithCachedId):
957         (JSC::JIT::privateCompilePutByVal):
958         (JSC::JIT::privateCompilePutByValWithCachedId):
959         * jit/JITPropertyAccess32_64.cpp:
960         (JSC::JIT::stringGetByValStubGenerator):
961         (JSC::JIT::emitSlow_op_get_by_val):
962         (JSC::JIT::emitSlow_op_put_by_val):
963         * jit/JITStubRoutine.h:
964         (JSC::JITStubRoutine::JITStubRoutine):
965         (JSC::JITStubRoutine::createSelfManagedRoutine):
966         (JSC::JITStubRoutine::code const):
967         (JSC::JITStubRoutine::asCodePtr):
968         * jit/JITThunks.cpp:
969         (JSC::JITThunks::ctiNativeCall):
970         (JSC::JITThunks::ctiNativeConstruct):
971         (JSC::JITThunks::ctiNativeTailCall):
972         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
973         (JSC::JITThunks::ctiInternalFunctionCall):
974         (JSC::JITThunks::ctiInternalFunctionConstruct):
975         (JSC::JITThunks::ctiStub):
976         (JSC::JITThunks::existingCTIStub):
977         (JSC::JITThunks::hostFunctionStub):
978         * jit/JITThunks.h:
979         * jit/PCToCodeOriginMap.cpp:
980         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
981         * jit/PCToCodeOriginMap.h:
982         * jit/PolymorphicCallStubRoutine.cpp:
983         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
984         * jit/PolymorphicCallStubRoutine.h:
985         * jit/Repatch.cpp:
986         (JSC::readPutICCallTarget):
987         (JSC::ftlThunkAwareRepatchCall):
988         (JSC::appropriateOptimizingGetByIdFunction):
989         (JSC::appropriateGetByIdFunction):
990         (JSC::tryCacheGetByID):
991         (JSC::repatchGetByID):
992         (JSC::tryCachePutByID):
993         (JSC::repatchPutByID):
994         (JSC::tryCacheIn):
995         (JSC::repatchIn):
996         (JSC::linkSlowFor):
997         (JSC::linkFor):
998         (JSC::linkDirectFor):
999         (JSC::revertCall):
1000         (JSC::unlinkFor):
1001         (JSC::linkVirtualFor):
1002         (JSC::linkPolymorphicCall):
1003         (JSC::resetGetByID):
1004         (JSC::resetPutByID):
1005         * jit/Repatch.h:
1006         * jit/SlowPathCall.h:
1007         (JSC::JITSlowPathCall::call):
1008         * jit/SpecializedThunkJIT.h:
1009         (JSC::SpecializedThunkJIT::finalize):
1010         (JSC::SpecializedThunkJIT::callDoubleToDouble):
1011         (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
1012         * jit/ThunkGenerator.h:
1013         * jit/ThunkGenerators.cpp:
1014         (JSC::throwExceptionFromCallSlowPathGenerator):
1015         (JSC::slowPathFor):
1016         (JSC::linkCallThunkGenerator):
1017         (JSC::linkPolymorphicCallThunkGenerator):
1018         (JSC::virtualThunkFor):
1019         (JSC::nativeForGenerator):
1020         (JSC::nativeCallGenerator):
1021         (JSC::nativeTailCallGenerator):
1022         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1023         (JSC::nativeConstructGenerator):
1024         (JSC::internalFunctionCallGenerator):
1025         (JSC::internalFunctionConstructGenerator):
1026         (JSC::arityFixupGenerator):
1027         (JSC::unreachableGenerator):
1028         (JSC::charCodeAtThunkGenerator):
1029         (JSC::charAtThunkGenerator):
1030         (JSC::fromCharCodeThunkGenerator):
1031         (JSC::clz32ThunkGenerator):
1032         (JSC::sqrtThunkGenerator):
1033         (JSC::floorThunkGenerator):
1034         (JSC::ceilThunkGenerator):
1035         (JSC::truncThunkGenerator):
1036         (JSC::roundThunkGenerator):
1037         (JSC::expThunkGenerator):
1038         (JSC::logThunkGenerator):
1039         (JSC::absThunkGenerator):
1040         (JSC::imulThunkGenerator):
1041         (JSC::randomThunkGenerator):
1042         (JSC::boundThisNoArgsFunctionCallGenerator):
1043         * jit/ThunkGenerators.h:
1044         * llint/LLIntData.cpp:
1045         (JSC::LLInt::initialize):
1046         * llint/LLIntData.h:
1047         (JSC::LLInt::getExecutableAddress):
1048         (JSC::LLInt::getCodePtr):
1049         (JSC::LLInt::getCodeRef):
1050         (JSC::LLInt::getCodeFunctionPtr):
1051         * llint/LLIntEntrypoint.cpp:
1052         (JSC::LLInt::setFunctionEntrypoint):
1053         (JSC::LLInt::setEvalEntrypoint):
1054         (JSC::LLInt::setProgramEntrypoint):
1055         (JSC::LLInt::setModuleProgramEntrypoint):
1056         * llint/LLIntExceptions.cpp:
1057         (JSC::LLInt::callToThrow):
1058         * llint/LLIntSlowPaths.cpp:
1059         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1060         (JSC::LLInt::setUpCall):
1061         * llint/LLIntThunks.cpp:
1062         (JSC::vmEntryToWasm):
1063         (JSC::LLInt::generateThunkWithJumpTo):
1064         (JSC::LLInt::functionForCallEntryThunkGenerator):
1065         (JSC::LLInt::functionForConstructEntryThunkGenerator):
1066         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
1067         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
1068         (JSC::LLInt::evalEntryThunkGenerator):
1069         (JSC::LLInt::programEntryThunkGenerator):
1070         (JSC::LLInt::moduleProgramEntryThunkGenerator):
1071         * llint/LLIntThunks.h:
1072         * llint/LowLevelInterpreter.asm:
1073         * llint/LowLevelInterpreter32_64.asm:
1074         * llint/LowLevelInterpreter64.asm:
1075         * profiler/ProfilerCompilation.cpp:
1076         (JSC::Profiler::Compilation::addOSRExitSite):
1077         * profiler/ProfilerCompilation.h:
1078         * profiler/ProfilerOSRExitSite.cpp:
1079         (JSC::Profiler::OSRExitSite::toJS const):
1080         * profiler/ProfilerOSRExitSite.h:
1081         (JSC::Profiler::OSRExitSite::OSRExitSite):
1082         (JSC::Profiler::OSRExitSite::codeAddress const):
1083         (JSC::Profiler::OSRExitSite:: const): Deleted.
1084         * runtime/ExecutableBase.cpp:
1085         (JSC::ExecutableBase::clearCode):
1086         * runtime/ExecutableBase.h:
1087         (JSC::ExecutableBase::entrypointFor):
1088         * runtime/NativeExecutable.cpp:
1089         (JSC::NativeExecutable::finishCreation):
1090         * runtime/NativeFunction.h:
1091         (JSC::TaggedNativeFunction::TaggedNativeFunction):
1092         (JSC::TaggedNativeFunction::operator NativeFunction):
1093         * runtime/PtrTag.h:
1094         (JSC::tagCodePtr):
1095         (JSC::untagCodePtr):
1096         (JSC::retagCodePtr):
1097         (JSC::tagCFunctionPtr):
1098         (JSC::untagCFunctionPtr):
1099         (JSC::nextPtrTagID): Deleted.
1100         * runtime/PutPropertySlot.h:
1101         (JSC::PutPropertySlot::PutPropertySlot):
1102         (JSC::PutPropertySlot::setCustomValue):
1103         (JSC::PutPropertySlot::setCustomAccessor):
1104         (JSC::PutPropertySlot::customSetter const):
1105         * runtime/ScriptExecutable.cpp:
1106         (JSC::ScriptExecutable::installCode):
1107         * runtime/VM.cpp:
1108         (JSC::VM::getHostFunction):
1109         (JSC::VM::getCTIInternalFunctionTrampolineFor):
1110         * runtime/VM.h:
1111         (JSC::VM::getCTIStub):
1112         * wasm/WasmB3IRGenerator.cpp:
1113         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1114         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
1115         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1116         (JSC::Wasm::B3IRGenerator::addCall):
1117         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1118         * wasm/WasmBBQPlan.cpp:
1119         (JSC::Wasm::BBQPlan::prepare):
1120         (JSC::Wasm::BBQPlan::complete):
1121         * wasm/WasmBBQPlan.h:
1122         * wasm/WasmBinding.cpp:
1123         (JSC::Wasm::wasmToWasm):
1124         * wasm/WasmBinding.h:
1125         * wasm/WasmCallee.h:
1126         (JSC::Wasm::Callee::entrypoint const):
1127         * wasm/WasmCallingConvention.h:
1128         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
1129         * wasm/WasmCodeBlock.h:
1130         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
1131         * wasm/WasmFaultSignalHandler.cpp:
1132         (JSC::Wasm::trapHandler):
1133         * wasm/WasmFormat.h:
1134         * wasm/WasmInstance.h:
1135         * wasm/WasmOMGPlan.cpp:
1136         (JSC::Wasm::OMGPlan::work):
1137         * wasm/WasmThunks.cpp:
1138         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1139         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1140         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1141         (JSC::Wasm::Thunks::stub):
1142         (JSC::Wasm::Thunks::existingStub):
1143         * wasm/WasmThunks.h:
1144         * wasm/js/JSToWasm.cpp:
1145         (JSC::Wasm::createJSToWasmWrapper):
1146         * wasm/js/JSWebAssemblyCodeBlock.h:
1147         * wasm/js/WasmToJS.cpp:
1148         (JSC::Wasm::handleBadI64Use):
1149         (JSC::Wasm::wasmToJS):
1150         * wasm/js/WasmToJS.h:
1151         * wasm/js/WebAssemblyFunction.h:
1152         * yarr/YarrJIT.cpp:
1153         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
1154         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
1155         (JSC::Yarr::YarrGenerator::compile):
1156         * yarr/YarrJIT.h:
1157         (JSC::Yarr::YarrCodeBlock::set8BitCode):
1158         (JSC::Yarr::YarrCodeBlock::set16BitCode):
1159         (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
1160         (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
1161         (JSC::Yarr::YarrCodeBlock::execute):
1162         (JSC::Yarr::YarrCodeBlock::clear):
1163
1164 2018-04-17  Commit Queue  <commit-queue@webkit.org>
1165
1166         Unreviewed, rolling out r230697, r230720, and r230724.
1167         https://bugs.webkit.org/show_bug.cgi?id=184717
1168
1169         These caused multiple failures on the Test262 testers.
1170         (Requested by mlewis13 on #webkit).
1171
1172         Reverted changesets:
1173
1174         "[WebAssembly][Modules] Prototype wasm import"
1175         https://bugs.webkit.org/show_bug.cgi?id=184600
1176         https://trac.webkit.org/changeset/230697
1177
1178         "[WebAssembly][Modules] Implement function import from wasm
1179         modules"
1180         https://bugs.webkit.org/show_bug.cgi?id=184689
1181         https://trac.webkit.org/changeset/230720
1182
1183         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
1184         https://bugs.webkit.org/show_bug.cgi?id=184703
1185         https://trac.webkit.org/changeset/230724
1186
1187 2018-04-17  JF Bastien  <jfbastien@apple.com>
1188
1189         A put is not an ExistingProperty put when we transition a structure because of an attributes change
1190         https://bugs.webkit.org/show_bug.cgi?id=184706
1191         <rdar://problem/38871451>
1192
1193         Reviewed by Saam Barati.
1194
1195         When putting a property on a structure and the slot is a different
1196         type, the slot can't be said to have already been existing.
1197
1198         * runtime/JSObjectInlines.h:
1199         (JSC::JSObject::putDirectInternal):
1200
1201 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
1202
1203         JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
1204         https://bugs.webkit.org/show_bug.cgi?id=184705
1205
1206         Reviewed by Michael Saboff.
1207         
1208         My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
1209         while testing an unrelated patch, a concurrent GC thread crashed inside
1210         JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
1211         because a typed array became wasteful concurrently to the GC. So, visitChildren() read one
1212         mode and another vector.
1213         
1214         The fix is to lock inside visitChildren and anyone who changes those fields.
1215         
1216         I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
1217         this.
1218
1219         * runtime/JSArrayBufferView.cpp:
1220         (JSC::JSArrayBufferView::neuter):
1221         * runtime/JSGenericTypedArrayViewInlines.h:
1222         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1223         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1224
1225 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
1226
1227         PutStackSinkingPhase should know that KillStack means ConflictingFlush
1228         https://bugs.webkit.org/show_bug.cgi?id=184672
1229
1230         Reviewed by Michael Saboff.
1231
1232         We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
1233         KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
1234         archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
1235         intentional - I don't know.
1236
1237         Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
1238         doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
1239         the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
1240         KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
1241         that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
1242         specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
1243         could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
1244         KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
1245         inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
1246         have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
1247         values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
1248         value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
1249
1250         This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
1251         them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
1252         its stack slot for the purpose of clobberize.
1253
1254         * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
1255         * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
1256         * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
1257         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
1258
1259 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
1260
1261         JSWebAssemblyCodeBlock should be in an IsoSubspace
1262         https://bugs.webkit.org/show_bug.cgi?id=184704
1263
1264         Reviewed by Mark Lam.
1265         
1266         Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
1267         CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
1268         shortcircuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
1269         protection.
1270
1271         * runtime/VM.cpp:
1272         (JSC::VM::VM):
1273         * runtime/VM.h:
1274         * wasm/js/JSWebAssemblyCodeBlock.h:
1275
1276 2018-04-17  Jer Noble  <jer.noble@apple.com>
1277
1278         Only enable useSeparatedWXHeap on ARM64.
1279         https://bugs.webkit.org/show_bug.cgi?id=184697
1280
1281         Reviewed by Saam Barati.
1282
1283         * runtime/Options.cpp:
1284         (JSC::recomputeDependentOptions):
1285
1286 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1287
1288         [WebAssembly][Modules] Implement function import from wasm modules
1289         https://bugs.webkit.org/show_bug.cgi?id=184689
1290
1291         Reviewed by JF Bastien.
1292
1293         This patch implements function import from wasm modules. We move function importing part
1294         from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
1295         is because linking these functions requires that all the dependent modules are created.
1296         While we want to move all the linking functionality from JSWebAssemblyInstance to
1297         WebAssemblyModuleRecord::link, we do not do that in this patch.  In this patch, we move only
1298         function importing part because efficient compilation of WebAssembly needs to know
1299         the type of WebAssemblyMemory (signaling or bounds checking). This needs to know imported
1300         or attached WebAssembly memory object. So we cannot defer this linking to
1301         WebAssemblyModuleRecord::link now.
1302
1303         The largest difference from JS module linking is that WebAssembly module linking links
1304         function from the module by snapshotting. When you have a cyclic module graph like this,
1305
1306         -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
1307             ^                                                   |
1308             +---------------------------------------------------+
1309
1310         we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
1311         is described in [1], and tested in this patch.
1312
1313         [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
1314
1315         * JavaScriptCore.xcodeproj/project.pbxproj:
1316         * jsc.cpp:
1317         (functionDollarAgentStart):
1318         (checkException):
1319         (runWithOptions):
1320         Small fixes for wasm module loading.
1321
1322         * parser/NodesAnalyzeModule.cpp:
1323         (JSC::ImportDeclarationNode::analyzeModule):
1324         * runtime/AbstractModuleRecord.cpp:
1325         (JSC::AbstractModuleRecord::resolveImport):
1326         (JSC::AbstractModuleRecord::link):
1327         * runtime/AbstractModuleRecord.h:
1328         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
1329         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
1330         Now, wasm modules can have an import which is named "*". So this function does not work.
1331         Since wasm modules never have namespace importing, we check this in JS's module analyzer.
1332
1333         * runtime/JSModuleEnvironment.cpp:
1334         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1335         * runtime/JSModuleRecord.cpp:
1336         (JSC::JSModuleRecord::instantiateDeclarations):
1337         * wasm/WasmCreationMode.h: Added.
1338         * wasm/js/JSWebAssemblyInstance.cpp:
1339         (JSC::JSWebAssemblyInstance::finalizeCreation):
1340         (JSC::JSWebAssemblyInstance::create):
1341         * wasm/js/JSWebAssemblyInstance.h:
1342         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1343         (JSC::constructJSWebAssemblyInstance):
1344         * wasm/js/WebAssemblyModuleRecord.cpp:
1345         (JSC::WebAssemblyModuleRecord::link):
1346         * wasm/js/WebAssemblyModuleRecord.h:
1347         * wasm/js/WebAssemblyPrototype.cpp:
1348         (JSC::resolve):
1349         (JSC::instantiate):
1350         (JSC::compileAndInstantiate):
1351         (JSC::WebAssemblyPrototype::instantiate):
1352         (JSC::webAssemblyInstantiateFunc):
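
        The import-snapshot behaviour this entry describes, as an added example that is not part of
        the ChangeLog or of WebKit's code: the wasm module below is hand-assembled for this
        illustration and linked through the plain WebAssembly JS API (Node.js or any browser), since
        the ESM integration itself is not exercised here. It shows the two outcomes the entry mentions:
        a link failure when the JS export has no value yet at link time (the cyclic graph above), and,
        once linked, an import that stays bound to the value snapshotted at instantiation.

```javascript
// Added example, not WebKit code: the wasm bytes below were hand-assembled
// for this illustration and correspond to the text module
//   (module
//     (import "env" "fun" (func $fun (result i32)))
//     (func (export "call") (result i32) (call $fun)))
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // "\0asm", version 1
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,                   // type 0: () -> i32
  0x02, 0x0b, 0x01, 0x03, 0x65, 0x6e, 0x76,                   // import module "env"
  0x03, 0x66, 0x75, 0x6e, 0x00, 0x00,                         //   field "fun", func type 0
  0x03, 0x02, 0x01, 0x00,                                     // one defined func, type 0
  0x07, 0x08, 0x01, 0x04, 0x63, 0x61, 0x6c, 0x6c, 0x00, 0x01, // export "call" = func 1
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x10, 0x00, 0x0b,             // body: call 0; end
]);

// Compiling is independent of any imports; only linking needs them.
const wasmModule = new WebAssembly.Module(WASM_BYTES);

// "env" plays the role of the JS module's environment record. WebAssembly
// reads env.fun exactly once, at instantiation (the snapshot the entry
// describes), rather than keeping a live binding to it.
function linkWasm(env) {
  return new WebAssembly.Instance(wasmModule, { env });
}

// Cycle case from the entry: JS1 is higher in the graph, so its export
// "fun" has no value yet when Wasm1 links. With a live ES binding this
// would only surface as a TDZ access later; for a snapshotted wasm import
// it is a link failure right away.
function linkAgainstUninitialisedExport() {
  const env = { fun: undefined }; // binding exists, value not yet initialised
  try {
    linkWasm(env);
    return "linked";
  } catch (e) {
    return e instanceof WebAssembly.LinkError ? "LinkError" : e.name;
  }
}

// Non-cyclic case: the export is initialised before linking. Reassigning
// env.fun afterwards is invisible to the instance, which is what
// "linking by snapshotting" means in practice.
function linkAgainstInitialisedExport() {
  const env = { fun: () => 1 };
  const instance = linkWasm(env);
  const before = instance.exports.call();
  env.fun = () => 2; // rebinding after link does not reach the instance
  const after = instance.exports.call();
  return { before, after };
}

console.log(linkAgainstUninitialisedExport());  // LinkError
console.log(linkAgainstInitialisedExport());    // { before: 1, after: 1 }
```

        The module is deliberately tiny (one import, one export) so the link step is the only thing
        being observed; the same LinkError is what a module loader has to surface when a wasm module
        is linked before the JS module it depends on has been evaluated.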
1353
1354 2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>
1355
1356         Implement setupArgumentsImpl for ARM and MIPS
1357         https://bugs.webkit.org/show_bug.cgi?id=183786
1358
1359         Reviewed by Yusuke Suzuki.
1360
1361         Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling convention. Added
1362         numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
1363         registers used for 64-bit values on 32-bit architectures. numCrossSources
1364         keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
1365
1366         * assembler/MacroAssemblerARMv7.h:
1367         (JSC::MacroAssemblerARMv7::moveDouble):
1368         * assembler/MacroAssemblerMIPS.h:
1369         (JSC::MacroAssemblerMIPS::moveDouble):
1370         * jit/CCallHelpers.h:
1371         (JSC::CCallHelpers::setupStubCrossArgs):
1372         (JSC::CCallHelpers::ArgCollection::ArgCollection):
1373         (JSC::CCallHelpers::ArgCollection::pushRegArg):
1374         (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
1375         (JSC::CCallHelpers::ArgCollection::addGPRArg):
1376         (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
1377         (JSC::CCallHelpers::ArgCollection::addStackArg):
1378         (JSC::CCallHelpers::ArgCollection::addPoke):
1379         (JSC::CCallHelpers::ArgCollection::argCount):
1380         (JSC::CCallHelpers::calculatePokeOffset):
1381         (JSC::CCallHelpers::pokeForArgument):
1382         (JSC::CCallHelpers::stackAligned):
1383         (JSC::CCallHelpers::marshallArgumentRegister):
1384         (JSC::CCallHelpers::setupArgumentsImpl):
1385         (JSC::CCallHelpers::pokeArgumentsAligned):
1386         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
1387         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
1388         (JSC::CCallHelpers::setupArguments):
1389         * jit/FPRInfo.h:
1390         (JSC::FPRInfo::toArgumentRegister):
1391
1392 2018-04-17  Saam Barati  <sbarati@apple.com>
1393
1394         Add system trace points for process launch and for initializeWebProcess
1395         https://bugs.webkit.org/show_bug.cgi?id=184669
1396
1397         Reviewed by Simon Fraser.
1398
1399         * runtime/VMEntryScope.cpp:
1400         (JSC::VMEntryScope::VMEntryScope):
1401         (JSC::VMEntryScope::~VMEntryScope):
1402
1403 2018-04-17  Jer Noble  <jer.noble@apple.com>
1404
1405         Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
1406         https://bugs.webkit.org/show_bug.cgi?id=184602
1407
1408         Reviewed by Beth Dakin.
1409
1410         * JavaScriptCore.xcodeproj/project.pbxproj:
1411
1412 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
1413
1414         [GLIB] Add API to clear JSCContext uncaught exception
1415         https://bugs.webkit.org/show_bug.cgi?id=184685
1416
1417         Reviewed by Žan Doberšek.
1418
1419         Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
1420
1421         * API/glib/JSCContext.cpp:
1422         (jsc_context_clear_exception):
1423         * API/glib/JSCContext.h:
1424         * API/glib/docs/jsc-glib-4.0-sections.txt:
1425
1426 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
1427
1428         [GLIB] Add API to query, delete and enumerate properties
1429         https://bugs.webkit.org/show_bug.cgi?id=184647
1430
1431         Reviewed by Michael Catanzaro.
1432
1433         Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
1434
1435         * API/glib/JSCValue.cpp:
1436         (jsc_value_object_has_property):
1437         (jsc_value_object_delete_property):
1438         (jsc_value_object_enumerate_properties):
1439         * API/glib/JSCValue.h:
1440         * API/glib/docs/jsc-glib-4.0-sections.txt:
1441
1442 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1443
1444         [WebAssembly][Modules] Prototype wasm import
1445         https://bugs.webkit.org/show_bug.cgi?id=184600
1446
1447         Reviewed by JF Bastien.
1448
1449         This patch is an initial attempt to implement Wasm loading in the module pipeline.
1450         Currently,
1451
1452         1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
1453            in whatwg HTML, we should integrate this into WebCore.
1454
1455         2. We only support exporting values from Wasm. A Wasm module cannot import anything from
1456            the other modules now.
1457
1458         When loading a file, the JSC shell checks the wasm magic. If the wasm magic is found, the
1459         JSC shell loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and
1460         the module loader pipeline just handles it the same as JS. When parsing a module, we
1461         check the type of JSSourceCode. If the source code is Wasm source code, we create a
1462         WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
1463         AbstractModuleRecord, and the Wasm module is instantiated, linked, and evaluated.
1464
1465         * builtins/ModuleLoaderPrototype.js:
1466         (globalPrivate.newRegistryEntry):
1467         (requestInstantiate):
1468         (link):
1469         * jsc.cpp:
1470         (convertShebangToJSComment):
1471         (fillBufferWithContentsOfFile):
1472         (fetchModuleFromLocalFileSystem):
1473         (GlobalObject::moduleLoaderFetch):
1474         * parser/SourceProvider.h:
1475         (JSC::WebAssemblySourceProvider::create):
1476         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1477         * runtime/AbstractModuleRecord.cpp:
1478         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1479         (JSC::AbstractModuleRecord::link):
1480         (JSC::AbstractModuleRecord::evaluate):
1481         (JSC::identifierToJSValue): Deleted.
1482         * runtime/AbstractModuleRecord.h:
1483         * runtime/JSModuleLoader.cpp:
1484         (JSC::JSModuleLoader::evaluate):
1485         * runtime/JSModuleRecord.cpp:
1486         (JSC::JSModuleRecord::link):
1487         (JSC::JSModuleRecord::instantiateDeclarations):
1488         * runtime/JSModuleRecord.h:
1489         * runtime/ModuleLoaderPrototype.cpp:
1490         (JSC::moduleLoaderPrototypeParseModule):
1491         (JSC::moduleLoaderPrototypeRequestedModules):
1492         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1493         * wasm/js/JSWebAssemblyHelpers.h:
1494         (JSC::getWasmBufferFromValue):
1495         (JSC::createSourceBufferFromValue):
1496         * wasm/js/JSWebAssemblyInstance.cpp:
1497         (JSC::JSWebAssemblyInstance::finalizeCreation):
1498         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
1499         (JSC::JSWebAssemblyInstance::create):
1500         * wasm/js/JSWebAssemblyInstance.h:
1501         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1502         (JSC::constructJSWebAssemblyInstance):
1503         * wasm/js/WebAssemblyModuleRecord.cpp:
1504         (JSC::WebAssemblyModuleRecord::prepareLink):
1505         (JSC::WebAssemblyModuleRecord::link):
1506         * wasm/js/WebAssemblyModuleRecord.h:
1507         * wasm/js/WebAssemblyPrototype.cpp:
1508         (JSC::resolve):
1509         (JSC::instantiate):
1510         (JSC::compileAndInstantiate):
1511         (JSC::WebAssemblyPrototype::instantiate):
1512         (JSC::webAssemblyInstantiateFunc):
1513         (JSC::webAssemblyValidateFunc):
1514         * wasm/js/WebAssemblyPrototype.h:
1515
1516 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
1517
1518         Function.prototype.caller shouldn't return generator bodies
1519         https://bugs.webkit.org/show_bug.cgi?id=184630
1520
1521         Reviewed by Yusuke Suzuki.
1522         
1523         Function.prototype.caller no longer returns generator bodies. Those are meant to be
1524         private.
1525         
1526         Also added some builtin debugging tools so that it's easier to do the investigation that I
1527         did.
1528
1529         * builtins/BuiltinNames.h:
1530         * runtime/JSFunction.cpp:
1531         (JSC::JSFunction::callerGetter):
1532         * runtime/JSGlobalObject.cpp:
1533         (JSC::JSGlobalObject::init):
1534         * runtime/JSGlobalObjectFunctions.cpp:
1535         (JSC::globalFuncBuiltinDescribe):
1536         * runtime/JSGlobalObjectFunctions.h:
1537
1538 2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1539
1540         [DFG] Remove duplicate 32bit ProfileType implementation
1541         https://bugs.webkit.org/show_bug.cgi?id=184536
1542
1543         Reviewed by Saam Barati.
1544
1545         This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.
1546
1547         * dfg/DFGSpeculativeJIT.cpp:
1548         (JSC::DFG::SpeculativeJIT::compileProfileType):
1549         * dfg/DFGSpeculativeJIT.h:
1550         * dfg/DFGSpeculativeJIT32_64.cpp:
1551         (JSC::DFG::SpeculativeJIT::compile):
1552         * dfg/DFGSpeculativeJIT64.cpp:
1553         (JSC::DFG::SpeculativeJIT::compile):
1554         * jit/AssemblyHelpers.h:
1555         (JSC::AssemblyHelpers::branchIfUndefined):
1556         (JSC::AssemblyHelpers::branchIfNull):
1557
1558 2018-04-12  Mark Lam  <mark.lam@apple.com>
1559
1560         Consolidate some PtrTags.
1561         https://bugs.webkit.org/show_bug.cgi?id=184552
1562         <rdar://problem/39389404>
1563
1564         Reviewed by Filip Pizlo.
1565
1566         Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
1567         Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
1568
1569         * assembler/AbstractMacroAssembler.h:
1570         (JSC::AbstractMacroAssembler::repatchNearCall):
1571         * assembler/MacroAssemblerARM.h:
1572         (JSC::MacroAssemblerARM::readCallTarget):
1573         * assembler/MacroAssemblerARMv7.h:
1574         (JSC::MacroAssemblerARMv7::readCallTarget):
1575         * assembler/MacroAssemblerMIPS.h:
1576         (JSC::MacroAssemblerMIPS::readCallTarget):
1577         * assembler/MacroAssemblerX86.h:
1578         (JSC::MacroAssemblerX86::readCallTarget):
1579         * assembler/MacroAssemblerX86_64.h:
1580         (JSC::MacroAssemblerX86_64::readCallTarget):
1581         * bytecode/AccessCase.cpp:
1582         (JSC::AccessCase::generateImpl):
1583         * bytecode/InlineAccess.cpp:
1584         (JSC::InlineAccess::rewireStubAsJump):
1585         * bytecode/PolymorphicAccess.cpp:
1586         (JSC::PolymorphicAccess::regenerate):
1587         * dfg/DFGJITCompiler.cpp:
1588         (JSC::DFG::JITCompiler::linkOSRExits):
1589         (JSC::DFG::JITCompiler::link):
1590         (JSC::DFG::JITCompiler::compileFunction):
1591         * dfg/DFGJITFinalizer.cpp:
1592         (JSC::DFG::JITFinalizer::finalize):
1593         (JSC::DFG::JITFinalizer::finalizeFunction):
1594         * dfg/DFGOSREntry.cpp:
1595         (JSC::DFG::prepareOSREntry):
1596         * dfg/DFGOSRExit.cpp:
1597         (JSC::DFG::OSRExit::executeOSRExit):
1598         (JSC::DFG::adjustAndJumpToTarget):
1599         (JSC::DFG::OSRExit::compileOSRExit):
1600         * dfg/DFGOSRExitCompilerCommon.cpp:
1601         (JSC::DFG::adjustAndJumpToTarget):
1602         * dfg/DFGOperations.cpp:
1603         * ftl/FTLJITCode.cpp:
1604         (JSC::FTL::JITCode::executableAddressAtOffset):
1605         * ftl/FTLJITFinalizer.cpp:
1606         (JSC::FTL::JITFinalizer::finalizeCommon):
1607         * ftl/FTLLazySlowPath.cpp:
1608         (JSC::FTL::LazySlowPath::generate):
1609         * ftl/FTLLink.cpp:
1610         (JSC::FTL::link):
1611         * ftl/FTLLowerDFGToB3.cpp:
1612         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1613         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1614         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1615         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1616         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1617         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1618         * ftl/FTLOSRExitCompiler.cpp:
1619         (JSC::FTL::compileFTLOSRExit):
1620         * ftl/FTLOSRExitHandle.cpp:
1621         (JSC::FTL::OSRExitHandle::emitExitThunk):
1622         * jit/AssemblyHelpers.cpp:
1623         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1624         * jit/JIT.cpp:
1625         (JSC::JIT::compileWithoutLinking):
1626         (JSC::JIT::link):
1627         * jit/JITCall.cpp:
1628         (JSC::JIT::compileOpCallSlowCase):
1629         * jit/JITCode.cpp:
1630         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1631         (JSC::NativeJITCode::addressForCall):
1632         * jit/JITInlines.h:
1633         (JSC::JIT::emitNakedCall):
1634         (JSC::JIT::emitNakedTailCall):
1635         * jit/JITMathIC.h:
1636         (JSC::isProfileEmpty):
1637         * jit/JITOpcodes.cpp:
1638         (JSC::JIT::privateCompileHasIndexedProperty):
1639         * jit/JITOperations.cpp:
1640         * jit/JITPropertyAccess.cpp:
1641         (JSC::JIT::stringGetByValStubGenerator):
1642         (JSC::JIT::privateCompileGetByVal):
1643         (JSC::JIT::privateCompileGetByValWithCachedId):
1644         (JSC::JIT::privateCompilePutByVal):
1645         (JSC::JIT::privateCompilePutByValWithCachedId):
1646         * jit/JITThunks.cpp:
1647         (JSC::JITThunks::hostFunctionStub):
1648         * jit/Repatch.cpp:
1649         (JSC::linkSlowFor):
1650         (JSC::linkFor):
1651         (JSC::linkPolymorphicCall):
1652         * jit/SpecializedThunkJIT.h:
1653         (JSC::SpecializedThunkJIT::finalize):
1654         * jit/ThunkGenerators.cpp:
1655         (JSC::virtualThunkFor):
1656         (JSC::nativeForGenerator):
1657         (JSC::boundThisNoArgsFunctionCallGenerator):
1658         * llint/LLIntData.cpp:
1659         (JSC::LLInt::initialize):
1660         * llint/LLIntEntrypoint.cpp:
1661         (JSC::LLInt::setEvalEntrypoint):
1662         (JSC::LLInt::setProgramEntrypoint):
1663         (JSC::LLInt::setModuleProgramEntrypoint):
1664         * llint/LLIntSlowPaths.cpp:
1665         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1666         (JSC::LLInt::setUpCall):
1667         * llint/LLIntThunks.cpp:
1668         (JSC::LLInt::generateThunkWithJumpTo):
1669         (JSC::LLInt::functionForCallEntryThunkGenerator):
1670         (JSC::LLInt::functionForConstructEntryThunkGenerator):
1671         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
1672         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
1673         (JSC::LLInt::evalEntryThunkGenerator):
1674         (JSC::LLInt::programEntryThunkGenerator):
1675         (JSC::LLInt::moduleProgramEntryThunkGenerator):
1676         * llint/LowLevelInterpreter.asm:
1677         * llint/LowLevelInterpreter64.asm:
1678         * runtime/NativeExecutable.cpp:
1679         (JSC::NativeExecutable::finishCreation):
1680         * runtime/NativeFunction.h:
1681         (JSC::TaggedNativeFunction::TaggedNativeFunction):
1682         (JSC::TaggedNativeFunction::operator NativeFunction):
1683         * runtime/PtrTag.h:
1684         * wasm/WasmBBQPlan.cpp:
1685         (JSC::Wasm::BBQPlan::complete):
1686         * wasm/WasmOMGPlan.cpp:
1687         (JSC::Wasm::OMGPlan::work):
1688         * wasm/WasmThunks.cpp:
1689         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1690         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1691         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1692         * wasm/js/WasmToJS.cpp:
1693         (JSC::Wasm::wasmToJS):
1694         * wasm/js/WebAssemblyFunction.h:
1695         * yarr/YarrJIT.cpp:
1696         (JSC::Yarr::YarrGenerator::compile):
1697
1698 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1699
1700         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
1701         https://bugs.webkit.org/show_bug.cgi?id=184379
1702
1703         Reviewed by Žan Doberšek.
1704
1705         Load the module from the new location.
1706
1707         * PlatformWPE.cmake:
1708         * inspector/remote/glib/RemoteInspectorUtils.cpp:
1709         (Inspector::backendCommands):
1710
1711 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1712
1713         [DFG] Remove compileBigIntEquality in DFG 32bit
1714         https://bugs.webkit.org/show_bug.cgi?id=184535
1715
1716         Reviewed by Saam Barati.
1717
1718         We can have the unified implementation for compileBigIntEquality.
1719
1720         * dfg/DFGSpeculativeJIT.cpp:
1721         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
1722         * dfg/DFGSpeculativeJIT32_64.cpp:
1723         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
1724         * dfg/DFGSpeculativeJIT64.cpp:
1725         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
1726
1727 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1728
1729         [WPE] Improve include hierarchy
1730         https://bugs.webkit.org/show_bug.cgi?id=184376
1731
1732         Reviewed by Žan Doberšek.
1733
1734         Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
1735         /usr/include/wpe-0.1/WPE/jsc.
1736
1737         * PlatformWPE.cmake:
1738
1739 2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1740
1741         [GLIB] Handle strings containing null characters
1742         https://bugs.webkit.org/show_bug.cgi?id=184450
1743
1744         Reviewed by Michael Catanzaro.
1745
1746         We should be able to evaluate scripts containing null characters and to handle strings that contain them
1747         too. In JavaScript strings are not null-terminated, they can contain null characters. This patch adds a length
1748         parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null terminated), and new functions
1749         jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
1750         contain null characters.
1751
1752         * API/OpaqueJSString.cpp:
1753         (OpaqueJSString::create): Add a create constructor that takes the String.
1754         * API/OpaqueJSString.h:
1755         (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
1756         * API/glib/JSCContext.cpp:
1757         (jsc_context_evaluate): Add length parameter.
1758         (jsc_context_evaluate_with_source_uri): Ditto.
1759         * API/glib/JSCContext.h:
1760         * API/glib/JSCValue.cpp:
1761         (jsc_value_new_string_from_bytes):
1762         (jsc_value_to_string):
1763         (jsc_value_to_string_as_bytes):
1764         (jsc_value_object_is_instance_of): Pass length to evaluate.
1765         * API/glib/JSCValue.h:
1766         * API/glib/docs/jsc-glib-4.0-sections.txt:
1767
1768 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1769
1770         [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
1771         https://bugs.webkit.org/show_bug.cgi?id=184500
1772
1773         Reviewed by Mark Lam.
1774
1775         Instead of passing JSValue::JSCellTag to callOperation meta-program to convert
1776         JSCell GPR to EncodedJSValue in 32bit code, we add CallHelpers::CellValue.
1777         It is a wrapper for GPRReg, like TrustedImmPtr for pointer value. When poking
1778         CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
1779         poke held GPR. The benefit from this CellValue is that we can use the same code
1780         for 32bit and 64bit. This patch removes several ifdefs.
1781
1782         * bytecode/AccessCase.cpp:
1783         (JSC::AccessCase::generateImpl):
1784         * dfg/DFGSpeculativeJIT.cpp:
1785         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1786         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1787         (JSC::DFG::SpeculativeJIT::cachedPutById):
1788         * dfg/DFGSpeculativeJIT32_64.cpp:
1789         (JSC::DFG::SpeculativeJIT::cachedGetById):
1790         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1791         * jit/CCallHelpers.h:
1792         (JSC::CCallHelpers::CellValue::CellValue):
1793         (JSC::CCallHelpers::CellValue::gpr const):
1794         (JSC::CCallHelpers::setupArgumentsImpl):
1795
1796 2018-04-11  Mark Lam  <mark.lam@apple.com>
1797
1798         [Build fix] Replace CompactJITCodeMap with JITCodeMap.
1799         https://bugs.webkit.org/show_bug.cgi?id=184512
1800         <rdar://problem/35391728>
1801
1802         Not reviewed.
1803
1804         * bytecode/CodeBlock.h:
1805         * jit/JITCodeMap.h:
1806
1807 2018-04-11  Mark Lam  <mark.lam@apple.com>
1808
1809         Replace CompactJITCodeMap with JITCodeMap.
1810         https://bugs.webkit.org/show_bug.cgi?id=184512
1811         <rdar://problem/35391728>
1812
1813         Reviewed by Filip Pizlo.
1814
1815         * CMakeLists.txt:
1816         * JavaScriptCore.xcodeproj/project.pbxproj:
1817         * bytecode/CodeBlock.h:
1818         (JSC::CodeBlock::setJITCodeMap):
1819         (JSC::CodeBlock::jitCodeMap const):
1820         (JSC::CodeBlock::jitCodeMap): Deleted.
1821         * dfg/DFGOSRExit.cpp:
1822         (JSC::DFG::OSRExit::executeOSRExit):
1823         * dfg/DFGOSRExitCompilerCommon.cpp:
1824         (JSC::DFG::adjustAndJumpToTarget):
1825         * jit/AssemblyHelpers.cpp:
1826         (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
1827         * jit/AssemblyHelpers.h:
1828         * jit/CompactJITCodeMap.h: Removed.
1829         * jit/JIT.cpp:
1830         (JSC::JIT::link):
1831         * jit/JITCodeMap.h: Added.
1832         (JSC::JITCodeMap::Entry::Entry):
1833         (JSC::JITCodeMap::Entry::bytecodeIndex const):
1834         (JSC::JITCodeMap::Entry::codeLocation):
1835         (JSC::JITCodeMap::append):
1836         (JSC::JITCodeMap::finish):
1837         (JSC::JITCodeMap::find const):
1838         (JSC::JITCodeMap::operator bool const):
1839         * llint/LLIntSlowPaths.cpp:
1840         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1841
1842 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1843
1844         [DFG] Remove CompareSlowPathGenerator
1845         https://bugs.webkit.org/show_bug.cgi?id=184492
1846
1847         Reviewed by Mark Lam.
1848
1849         Now CompareSlowPathGenerator is just calling a specified function.
1850         This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.
1851
1852         We also remove some of the unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
1853         introducing a new constructor for GPRTemporary.
1854
1855         * JavaScriptCore.xcodeproj/project.pbxproj:
1856         * dfg/DFGCompareSlowPathGenerator.h: Removed.
1857         * dfg/DFGSpeculativeJIT.cpp:
1858         (JSC::DFG::GPRTemporary::GPRTemporary):
1859         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
1860         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
1861         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
1862         (JSC::DFG::SpeculativeJIT::compileIsObject):
1863         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1864         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1865         * dfg/DFGSpeculativeJIT.h:
1866         (JSC::DFG::GPRTemporary::GPRTemporary):
1867         * dfg/DFGSpeculativeJIT64.cpp:
1868         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1869
1870 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1871
1872         Unreviewed, build fix for 32bit
1873         https://bugs.webkit.org/show_bug.cgi?id=184236
1874
1875         * dfg/DFGSpeculativeJIT.cpp:
1876         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1877
1878 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1879
1880         [DFG] Remove duplicate 32bit code more
1881         https://bugs.webkit.org/show_bug.cgi?id=184236
1882
1883         Reviewed by Mark Lam.
1884
1885         Remove duplicate 32bit code more aggressively part 2.
1886
1887         * JavaScriptCore.xcodeproj/project.pbxproj:
1888         * dfg/DFGCompareSlowPathGenerator.h: Added.
1889         (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
1890         Drop boxing part. Use unblessedBooleanResult in DFGSpeculativeJIT side instead.
1891
1892         * dfg/DFGOperations.cpp:
1893         * dfg/DFGOperations.h:
1894         * dfg/DFGSpeculativeJIT.cpp:
1895         (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
1896         (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
1897         (JSC::DFG::SpeculativeJIT::compileIsObject):
1898         (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
1899         (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
1900         (JSC::DFG::SpeculativeJIT::compilePutById):
1901         (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
1902         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
1903         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1904         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
1905         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1906         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1907         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1908         (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
1909         (JSC::DFG::SpeculativeJIT::cachedPutById):
1910         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1911         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1912         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
1913         * dfg/DFGSpeculativeJIT.h:
1914         (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
1915         * dfg/DFGSpeculativeJIT32_64.cpp:
1916         (JSC::DFG::SpeculativeJIT::compile):
1917         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
1918         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
1919         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
1920         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
1921         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
1922         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
1923         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
1924         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
1925         * dfg/DFGSpeculativeJIT64.cpp:
1926         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1927         (JSC::DFG::SpeculativeJIT::compile):
1928         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
1929         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
1930         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
1931         (): Deleted.
1932         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
1933         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
1934         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
1935         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
1936         * ftl/FTLLowerDFGToB3.cpp:
1937         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1938         operationHasIndexedPropertyByInt starts returning an unblessed boolean with size_t.
1939
1940         * jit/AssemblyHelpers.h:
1941         (JSC::AssemblyHelpers::loadValue):
1942         (JSC::AssemblyHelpers::selectScratchGPR):
1943         (JSC::AssemblyHelpers::constructRegisterSet):
1944         * jit/RegisterSet.h:
1945         (JSC::RegisterSet::setAny):
1946         Clean up selectScratchGPR code to pass JSValueRegs.
1947
1948 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
1949
1950         [ESNext][BigInt] Add support for BigInt in SpeculatedType
1951         https://bugs.webkit.org/show_bug.cgi?id=182470
1952
1953         Reviewed by Saam Barati.
1954
1955         This patch introduces the SpecBigInt type to DFG to enable BigInt
1956         speculation into DFG and FTL.
1957
1958         With SpecBigInt introduction, we can then specialize "===" operations
1959         to BigInts. As we are doing for some cells, we first check if operands
1960         are pointing to the same JSCell, and if it is false, we
1961         fall back to "operationCompareStrictEqCell". The idea in further
1962         patches is to implement BigInt equality check directly in
1963         assembly.
1964
1965         We are also adding support for BigInt constant folding into
1966         TypeOf operation.
1967
1968         * bytecode/SpeculatedType.cpp:
1969         (JSC::dumpSpeculation):
1970         (JSC::speculationFromClassInfo):
1971         (JSC::speculationFromStructure):
1972         (JSC::speculationFromJSType):
1973         (JSC::speculationFromString):
1974         * bytecode/SpeculatedType.h:
1975         (JSC::isBigIntSpeculation):
1976         * dfg/DFGAbstractInterpreterInlines.h:
1977         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1978         * dfg/DFGAbstractValue.cpp:
1979         (JSC::DFG::AbstractValue::set):
1980         * dfg/DFGConstantFoldingPhase.cpp:
1981         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1982         * dfg/DFGFixupPhase.cpp:
1983         (JSC::DFG::FixupPhase::fixupNode):
1984         (JSC::DFG::FixupPhase::fixupToThis):
1985         (JSC::DFG::FixupPhase::observeUseKindOnNode):
1986         * dfg/DFGInferredTypeCheck.cpp:
1987         (JSC::DFG::insertInferredTypeCheck):
1988         * dfg/DFGNode.h:
1989         (JSC::DFG::Node::shouldSpeculateBigInt):
1990         * dfg/DFGPredictionPropagationPhase.cpp:
1991         * dfg/DFGSafeToExecute.h:
1992         (JSC::DFG::SafeToExecuteEdge::operator()):
1993         * dfg/DFGSpeculativeJIT.cpp:
1994         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1995         (JSC::DFG::SpeculativeJIT::speculateBigInt):
1996         (JSC::DFG::SpeculativeJIT::speculate):
1997         * dfg/DFGSpeculativeJIT.h:
1998         * dfg/DFGSpeculativeJIT32_64.cpp:
1999         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2000         * dfg/DFGSpeculativeJIT64.cpp:
2001         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2002         * dfg/DFGUseKind.cpp:
2003         (WTF::printInternal):
2004         * dfg/DFGUseKind.h:
2005         (JSC::DFG::typeFilterFor):
2006         (JSC::DFG::isCell):
2007         * ftl/FTLCapabilities.cpp:
2008         (JSC::FTL::canCompile):
2009         * ftl/FTLLowerDFGToB3.cpp:
2010         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2011         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
2012         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2013         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
2014         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
2015         * jit/AssemblyHelpers.cpp:
2016         (JSC::AssemblyHelpers::branchIfNotType):
2017         * jit/AssemblyHelpers.h:
2018         (JSC::AssemblyHelpers::branchIfBigInt):
2019         (JSC::AssemblyHelpers::branchIfNotBigInt):
2020         * runtime/InferredType.cpp:
2021         (JSC::InferredType::Descriptor::forValue):
2022         (JSC::InferredType::Descriptor::putByIdFlags const):
2023         (JSC::InferredType::Descriptor::merge):
2024         (WTF::printInternal):
2025         * runtime/InferredType.h:
2026         * runtime/JSBigInt.h:
2027
2028 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2029
2030         Unreviewed, fix cloop build.
2031
2032         * dfg/DFGAbstractInterpreterClobberState.cpp:
2033
2034 2018-04-10  Mark Lam  <mark.lam@apple.com>
2035
2036         Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
2037         https://bugs.webkit.org/show_bug.cgi?id=184464
2038         <rdar://problem/39323947>
2039
2040         Reviewed by Saam Barati.
2041
2042         * heap/MarkedSpace.h:
2043         (JSC::MarkedSpace::sizeClassToIndex):
2044
2045 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
2046
2047         DFG AI and clobberize should agree with each other
2048         https://bugs.webkit.org/show_bug.cgi?id=184440
2049
2050         Reviewed by Saam Barati.
2051         
2052         One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
2053         agree with each other. That's what this patch does: it adds an assertion that AI's structure
2054         state tracking must be equivalent to JSCell_structureID being clobbered.
2055         
2056         One subtlety is that AI sometimes folds away structure clobbering using information that
2057         clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
2058         ObservedTransitions).
2059         
2060         This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
2061         clobberize missing a write(Heap).
2062         
2063         This also makes some cases more precise in order to appease the assertion. Making things more
2064         precise might make things faster, but I didn't measure it because that wasn't the goal.
2065
2066         * JavaScriptCore.xcodeproj/project.pbxproj:
2067         * Sources.txt:
2068         * dfg/DFGAbstractInterpreter.h:
2069         * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
2070         (WTF::printInternal):
2071         * dfg/DFGAbstractInterpreterClobberState.h: Added.
2072         (JSC::DFG::mergeClobberStates):
2073         * dfg/DFGAbstractInterpreterInlines.h:
2074         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
2075         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2076         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
2077         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
2078         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
2079         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
2080         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
2081         (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
2082         * dfg/DFGAtTailAbstractState.h:
2083         (JSC::DFG::AtTailAbstractState::setClobberState):
2084         (JSC::DFG::AtTailAbstractState::mergeClobberState):
2085         (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
2086         * dfg/DFGCFAPhase.cpp:
2087         (JSC::DFG::CFAPhase::performBlockCFA):
2088         * dfg/DFGClobberSet.cpp:
2089         (JSC::DFG::writeSet):
2090         * dfg/DFGClobberSet.h:
2091         * dfg/DFGClobberize.h:
2092         (JSC::DFG::clobberize):
2093         * dfg/DFGConstantFoldingPhase.cpp:
2094         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2095         * dfg/DFGInPlaceAbstractState.h:
2096         (JSC::DFG::InPlaceAbstractState::clobberState const):
2097         (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
2098         (JSC::DFG::InPlaceAbstractState::didClobber const):
2099         (JSC::DFG::InPlaceAbstractState::setClobberState):
2100         (JSC::DFG::InPlaceAbstractState::mergeClobberState):
2101         (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
2102
2103 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2104
2105         ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
2106         https://bugs.webkit.org/show_bug.cgi?id=184460
2107         <rdar://problem/37610966>
2108
2109         Reviewed by Mark Lam.
2110
2111         * bytecode/ExecutableToCodeBlockEdge.cpp:
2112         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2113
2114 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2115
2116         REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
2117         https://bugs.webkit.org/show_bug.cgi?id=184455
2118
2119         Reviewed by Michael Saboff.
2120         
2121         LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
2122         says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
2123         (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
2124         the thing being hoisted does have effects, then we get a crash.
2125         
2126         In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
2127         CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
2128         would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
2129         effectful.
2130         
2131         Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
2132         clobberize to also think that CompareEq(Untyped:, _) is effectful.
2133         
2134         This fixes the whole situation by teaching both clobberize and AI that the only effectful form
2135         of CompareEq is CompareEq(Untyped:, Untyped:).
2136
2137         * dfg/DFGAbstractInterpreterInlines.h:
2138         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2139         * dfg/DFGClobberize.h:
2140         (JSC::DFG::clobberize):
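
The entry above states that only CompareEq(Untyped:, Untyped:) can have effects. The following is an added example in plain JavaScript, not JavaScriptCore code, that makes the underlying language rule observable: comparing an object against null or undefined (the values DFG's Other speculation covers) never invokes user code, while comparing it against a number or string forces ToPrimitive and runs valueOf. The probe object and its counter are constructed for this illustration.

```javascript
// Added example, not JavaScriptCore code: shows in plain JavaScript which
// forms of == can run user code, which is what "effectful" means above.
// Constructed probe: counts every ToPrimitive conversion a comparison triggers.
function makeProbe() {
  let conversions = 0;
  const probe = {
    valueOf() { conversions += 1; return 1; },
    toString() { conversions += 1; return "1"; },
  };
  return { probe, count: () => conversions };
}

// Applies one comparison to a fresh probe and reports how many conversions ran.
function conversionsTriggered(compare) {
  const { probe, count } = makeProbe();
  compare(probe);
  return count();
}

// Each entry pairs a comparison with the DFG node shape it corresponds to.
function runComparisons() {
  return {
    // CompareEq(Untyped:, Other:): object == null/undefined answers false
    // without ToPrimitive, so no user code can run and hoisting is safe.
    vsNull: conversionsTriggered(p => p == null),
    vsUndefined: conversionsTriggered(p => p == undefined),
    // CompareEq(Untyped:, Untyped:): the other operand may be a number or
    // string, which forces ToPrimitive on the object and runs valueOf.
    vsNumber: conversionsTriggered(p => p == 1),
    vsString: conversionsTriggered(p => p == "1"),
    // Two objects compare by identity, so this particular Untyped:Untyped
    // instance is silent; a compiler cannot know that statically.
    vsObject: conversionsTriggered(p => p == {}),
    // Strict equality never invokes ToPrimitive, whatever the operand types.
    strictVsNumber: conversionsTriggered(p => p === 1),
  };
}
```

Only the Untyped:Untyped rows can run user code, and which of them do depends on the runtime type of the second operand; that is why the compiler must treat the whole shape as effectful while the Other-typed forms can be hoisted.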
2141
2142 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
2143
2144         Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
2145         https://bugs.webkit.org/show_bug.cgi?id=184372
2146
2147         Reviewed by Saam Barati.
2148         
2149         We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
2150         have already proved, using techniques that are more precise than AI, that the edge has type
2151         Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
2152         because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
2153         other than a check - so we think we can call those just because we should have already
2154         bailed. It's better to think of them as the result of folding a check. Therefore, we should
2155         only do it if there had been a check to begin with.
2156
2157         * dfg/DFGSpeculativeJIT64.cpp:
2158         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2159         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2160         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2161         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2162         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2163         * ftl/FTLLowerDFGToB3.cpp:
2164         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
2165         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
2166         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
2167         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
2168         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
2169         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2170         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
2171         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
2172
2173 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2174
2175         [JSC] Introduce @putByIdDirectPrivate
2176         https://bugs.webkit.org/show_bug.cgi?id=184400
2177
2178         Reviewed by Saam Barati.
2179
2180         This patch adds @putByIdDirectPrivate() for use in builtin JS.
2181         @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
2182         for accessing ECMAScript internal fields.
2183
2184         This change removes an accidental [[Put]] operation on an object whose [[Prototype]]
2185         has internal fields (not direct properties). By using @getByIdDirectPrivate() and
2186         @putByIdDirectPrivate(), we strictly keep the semantics of ECMAScript internal
2187         fields: accessing the internal fields does not traverse prototype chains.
2188
2189         * builtins/ArrayIteratorPrototype.js:
2190         (globalPrivate.arrayIteratorValueNext):
2191         (globalPrivate.arrayIteratorKeyNext):
2192         (globalPrivate.arrayIteratorKeyValueNext):
2193         * builtins/ArrayPrototype.js:
2194         (globalPrivate.createArrayIterator):
2195         * builtins/AsyncFromSyncIteratorPrototype.js:
2196         (globalPrivate.AsyncFromSyncIteratorConstructor):
2197         * builtins/AsyncFunctionPrototype.js:
2198         (globalPrivate.asyncFunctionResume):
2199         * builtins/AsyncGeneratorPrototype.js:
2200         (globalPrivate.asyncGeneratorQueueEnqueue):
2201         (globalPrivate.asyncGeneratorQueueDequeue):
2202         (asyncGeneratorYieldAwaited):
2203         (globalPrivate.asyncGeneratorYield):
2204         (globalPrivate.doAsyncGeneratorBodyCall):
2205         (globalPrivate.asyncGeneratorResumeNext):
2206         * builtins/GeneratorPrototype.js:
2207         (globalPrivate.generatorResume):
2208         * builtins/MapIteratorPrototype.js:
2209         (globalPrivate.mapIteratorNext):
2210         * builtins/MapPrototype.js:
2211         (globalPrivate.createMapIterator):
2212         * builtins/ModuleLoaderPrototype.js:
2213         (forceFulfillPromise):
2214         * builtins/PromiseOperations.js:
2215         (globalPrivate.newHandledRejectedPromise):
2216         (globalPrivate.rejectPromise):
2217         (globalPrivate.fulfillPromise):
2218         (globalPrivate.initializePromise):
2219         * builtins/PromisePrototype.js:
2220         (then):
2221         * builtins/SetIteratorPrototype.js:
2222         (globalPrivate.setIteratorNext):
2223         * builtins/SetPrototype.js:
2224         (globalPrivate.createSetIterator):
2225         * builtins/StringIteratorPrototype.js:
2226         (next):
2227         * bytecode/BytecodeIntrinsicRegistry.h:
2228         * bytecompiler/NodesCodegen.cpp:
2229         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
2230         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
2231
2232 2018-04-09  Mark Lam  <mark.lam@apple.com>
2233
2234         Decorate method table entries to support pointer profiling.
2235         https://bugs.webkit.org/show_bug.cgi?id=184430
2236         <rdar://problem/39296190>
2237
2238         Reviewed by Saam Barati.
2239
2240         * runtime/ClassInfo.h:
2241
2242 2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>
2243
2244         [WPE] Don't install JSC C API headers
2245         https://bugs.webkit.org/show_bug.cgi?id=184375
2246
2247         Reviewed by Žan Doberšek.
2248
2249         None of the functions declared in these headers are exported in WPE. Use the new jsc API
2250         instead.
2251
2252         * PlatformWPE.cmake:
2253
2254 2018-04-08  Mark Lam  <mark.lam@apple.com>
2255
2256         Add pointer profiling to the FTL and supporting code.
2257         https://bugs.webkit.org/show_bug.cgi?id=184395
2258         <rdar://problem/39264019>
2259
2260         Reviewed by Michael Saboff and Filip Pizlo.
2261
2262         * assembler/CodeLocation.h:
2263         (JSC::CodeLocationLabel::retagged):
2264         (JSC::CodeLocationJump::retagged):
2265         * assembler/LinkBuffer.h:
2266         (JSC::LinkBuffer::locationOf):
2267         * dfg/DFGJITCompiler.cpp:
2268         (JSC::DFG::JITCompiler::linkOSRExits):
2269         (JSC::DFG::JITCompiler::link):
2270         * ftl/FTLCompile.cpp:
2271         (JSC::FTL::compile):
2272         * ftl/FTLExceptionTarget.cpp:
2273         (JSC::FTL::ExceptionTarget::label):
2274         (JSC::FTL::ExceptionTarget::jumps):
2275         * ftl/FTLExceptionTarget.h:
2276         * ftl/FTLJITCode.cpp:
2277         (JSC::FTL::JITCode::executableAddressAtOffset):
2278         * ftl/FTLLazySlowPath.cpp:
2279         (JSC::FTL::LazySlowPath::~LazySlowPath):
2280         (JSC::FTL::LazySlowPath::initialize):
2281         (JSC::FTL::LazySlowPath::generate):
2282         (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
2283         * ftl/FTLLazySlowPath.h:
2284         * ftl/FTLLink.cpp:
2285         (JSC::FTL::link):
2286         * ftl/FTLLowerDFGToB3.cpp:
2287         (JSC::FTL::DFG::LowerDFGToB3::lower):
2288         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2289         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2290         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2291         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2292         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2293         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2294         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
2295         * ftl/FTLOSRExitCompiler.cpp:
2296         (JSC::FTL::compileStub):
2297         (JSC::FTL::compileFTLOSRExit):
2298         * ftl/FTLOSRExitHandle.cpp:
2299         (JSC::FTL::OSRExitHandle::emitExitThunk):
2300         * ftl/FTLOperations.cpp:
2301         (JSC::FTL::compileFTLLazySlowPath):
2302         * ftl/FTLOutput.h:
2303         (JSC::FTL::Output::callWithoutSideEffects):
2304         (JSC::FTL::Output::operation):
2305         * ftl/FTLPatchpointExceptionHandle.cpp:
2306         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
2307         * ftl/FTLSlowPathCall.cpp:
2308         (JSC::FTL::SlowPathCallContext::makeCall):
2309         * ftl/FTLSlowPathCallKey.h:
2310         (JSC::FTL::SlowPathCallKey::withCallTarget):
2311         (JSC::FTL::SlowPathCallKey::callPtrTag const):
2312         * ftl/FTLThunks.cpp:
2313         (JSC::FTL::genericGenerationThunkGenerator):
2314         (JSC::FTL::osrExitGenerationThunkGenerator):
2315         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
2316         (JSC::FTL::slowPathCallThunkGenerator):
2317         * jit/JITMathIC.h:
2318         (JSC::isProfileEmpty):
2319         * jit/Repatch.cpp:
2320         (JSC::readPutICCallTarget):
2321         (JSC::ftlThunkAwareRepatchCall):
2322         (JSC::tryCacheGetByID):
2323         (JSC::repatchGetByID):
2324         (JSC::tryCachePutByID):
2325         (JSC::repatchPutByID):
2326         (JSC::repatchIn):
2327         (JSC::resetGetByID):
2328         (JSC::resetPutByID):
2329         (JSC::readCallTarget): Deleted.
2330         * jit/Repatch.h:
2331         * runtime/PtrTag.h:
2332
2333 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2334
2335         Unreviewed, attempt to fix Windows build
2336         https://bugs.webkit.org/show_bug.cgi?id=183508
2337
2338         * jit/JIT.h:
2339
2340 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2341
2342         Unreviewed, build fix for Windows by suppressing padding warning for JIT
2343         https://bugs.webkit.org/show_bug.cgi?id=183508
2344
2345         * jit/JIT.h:
2346
2347 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2348
2349         Use alignas instead of compiler-specific attributes
2350         https://bugs.webkit.org/show_bug.cgi?id=183508
2351
2352         Reviewed by Mark Lam.
2353
2354         Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
2355
2356         * heap/RegisterState.h:
2357         * jit/JIT.h:
2358         (JSC::JIT::compile): Deleted.
2359         (JSC::JIT::compileGetByVal): Deleted.
2360         (JSC::JIT::compileGetByValWithCachedId): Deleted.
2361         (JSC::JIT::compilePutByVal): Deleted.
2362         (JSC::JIT::compileDirectPutByVal): Deleted.
2363         (JSC::JIT::compilePutByValWithCachedId): Deleted.
2364         (JSC::JIT::compileHasIndexedProperty): Deleted.
2365         (JSC::JIT::appendCall): Deleted.
2366         (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
2367         (JSC::JIT::exceptionCheck): Deleted.
2368         (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
2369         (JSC::JIT::emitInt32Load): Deleted.
2370         (JSC::JIT::emitInt32GetByVal): Deleted.
2371         (JSC::JIT::emitInt32PutByVal): Deleted.
2372         (JSC::JIT::emitDoublePutByVal): Deleted.
2373         (JSC::JIT::emitContiguousPutByVal): Deleted.
2374         (JSC::JIT::emitStoreCell): Deleted.
2375         (JSC::JIT::getSlowCase): Deleted.
2376         (JSC::JIT::linkSlowCase): Deleted.
2377         (JSC::JIT::linkDummySlowCase): Deleted.
2378         (JSC::JIT::linkAllSlowCases): Deleted.
2379         (JSC::JIT::callOperation): Deleted.
2380         (JSC::JIT::callOperationWithProfile): Deleted.
2381         (JSC::JIT::callOperationWithResult): Deleted.
2382         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
2383         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
2384         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
2385         (JSC::JIT::sampleCodeBlock): Deleted.
2386         (JSC::JIT::canBeOptimized): Deleted.
2387         (JSC::JIT::canBeOptimizedOrInlined): Deleted.
2388         (JSC::JIT::shouldEmitProfiling): Deleted.
2389         * runtime/VM.h:
2390
2391 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2392
2393         Unreviewed, follow-up patch for DFG 32bit
2394         https://bugs.webkit.org/show_bug.cgi?id=183970
2395
2396         * dfg/DFGSpeculativeJIT32_64.cpp:
2397         (JSC::DFG::SpeculativeJIT::cachedGetById):
2398
2399 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2400
2401         [JSC] Fix incorrect assertion for VM's regexp buffer lock
2402         https://bugs.webkit.org/show_bug.cgi?id=184398
2403
2404         Reviewed by Mark Lam.
2405
2406         isLocked check before taking a lock is incorrect.
2407
2408         * runtime/VM.cpp:
2409         (JSC::VM::acquireRegExpPatternContexBuffer):
2410
2411 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2412
2413         [JSC] Introduce op_get_by_id_direct
2414         https://bugs.webkit.org/show_bug.cgi?id=183970
2415
2416         Reviewed by Filip Pizlo.
2417
2418         This patch introduces the op_get_by_id_direct bytecode. This is super similar to op_get_by_id,
2419         but it just performs the [[GetOwnProperty]] operation instead of [[Get]]. We support this
2420         in all the tiers, so using this opcode does not lead to inefficiency.
2421
2422         The main purpose of op_get_by_id_direct is to use it for private properties. We are using
2423         properties indexed with private symbols to implement ECMAScript internal fields. Before this
2424         patch, we just used get and put operations. However, that is not the correct semantics: accessing
2425         the internal fields should not traverse the prototype chain, as specified in the spec.
2426         We use op_get_by_id_direct to access properties which are used as internal fields, so that
2427         prototype chains are not traversed.
2428
2429         To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
2430         When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
2431         bytecode `op_get_by_id_direct, object, @name`.
2432
2433         * builtins/ArrayIteratorPrototype.js:
2434         (next):
2435         (globalPrivate.arrayIteratorValueNext):
2436         (globalPrivate.arrayIteratorKeyNext):
2437         (globalPrivate.arrayIteratorKeyValueNext):
2438         * builtins/AsyncFromSyncIteratorPrototype.js:
2439         * builtins/AsyncFunctionPrototype.js:
2440         (globalPrivate.asyncFunctionResume):
2441         * builtins/AsyncGeneratorPrototype.js:
2442         (globalPrivate.asyncGeneratorQueueIsEmpty):
2443         (globalPrivate.asyncGeneratorQueueEnqueue):
2444         (globalPrivate.asyncGeneratorQueueDequeue):
2445         (globalPrivate.asyncGeneratorDequeue):
2446         (globalPrivate.isExecutionState):
2447         (globalPrivate.isSuspendYieldState):
2448         (globalPrivate.asyncGeneratorReject):
2449         (globalPrivate.asyncGeneratorResolve):
2450         (globalPrivate.doAsyncGeneratorBodyCall):
2451         (globalPrivate.asyncGeneratorEnqueue):
2452         * builtins/GeneratorPrototype.js:
2453         (globalPrivate.generatorResume):
2454         (next):
2455         (return):
2456         (throw):
2457         * builtins/MapIteratorPrototype.js:
2458         (next):
2459         * builtins/PromiseOperations.js:
2460         (globalPrivate.isPromise):
2461         (globalPrivate.rejectPromise):
2462         (globalPrivate.fulfillPromise):
2463         * builtins/PromisePrototype.js:
2464         (then):
2465         * builtins/SetIteratorPrototype.js:
2466         (next):
2467         * builtins/StringIteratorPrototype.js:
2468         (next):
2469         * builtins/TypedArrayConstructor.js:
2470         (of):
2471         (from):
2472         * bytecode/BytecodeDumper.cpp:
2473         (JSC::BytecodeDumper<Block>::dumpBytecode):
2474         * bytecode/BytecodeIntrinsicRegistry.h:
2475         * bytecode/BytecodeList.json:
2476         * bytecode/BytecodeUseDef.h:
2477         (JSC::computeUsesForBytecodeOffset):
2478         (JSC::computeDefsForBytecodeOffset):
2479         * bytecode/CodeBlock.cpp:
2480         (JSC::CodeBlock::finishCreation):
2481         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2482         * bytecode/GetByIdStatus.cpp:
2483         (JSC::GetByIdStatus::computeFromLLInt):
2484         (JSC::GetByIdStatus::computeFor):
2485         * bytecode/StructureStubInfo.cpp:
2486         (JSC::StructureStubInfo::reset):
2487         * bytecode/StructureStubInfo.h:
2488         (JSC::appropriateOptimizingGetByIdFunction):
2489         (JSC::appropriateGenericGetByIdFunction):
2490         * bytecompiler/BytecodeGenerator.cpp:
2491         (JSC::BytecodeGenerator::emitDirectGetById):
2492         * bytecompiler/BytecodeGenerator.h:
2493         * bytecompiler/NodesCodegen.cpp:
2494         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
2495         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
2496         * dfg/DFGAbstractInterpreterInlines.h:
2497         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2498         * dfg/DFGByteCodeParser.cpp:
2499         (JSC::DFG::ByteCodeParser::handleGetById):
2500         (JSC::DFG::ByteCodeParser::parseBlock):
2501         * dfg/DFGCapabilities.cpp:
2502         (JSC::DFG::capabilityLevel):
2503         * dfg/DFGClobberize.h:
2504         (JSC::DFG::clobberize):
2505         * dfg/DFGConstantFoldingPhase.cpp:
2506         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2507         * dfg/DFGDoesGC.cpp:
2508         (JSC::DFG::doesGC):
2509         * dfg/DFGFixupPhase.cpp:
2510         (JSC::DFG::FixupPhase::fixupNode):
2511         * dfg/DFGNode.h:
2512         (JSC::DFG::Node::convertToGetByOffset):
2513         (JSC::DFG::Node::convertToMultiGetByOffset):
2514         (JSC::DFG::Node::hasIdentifier):
2515         (JSC::DFG::Node::hasHeapPrediction):
2516         * dfg/DFGNodeType.h:
2517         * dfg/DFGOperations.cpp:
2518         * dfg/DFGOperations.h:
2519         * dfg/DFGPredictionPropagationPhase.cpp:
2520         * dfg/DFGSafeToExecute.h:
2521         (JSC::DFG::safeToExecute):
2522         * dfg/DFGSpeculativeJIT.cpp:
2523         (JSC::DFG::SpeculativeJIT::compileGetById):
2524         (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
2525         (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
2526         * dfg/DFGSpeculativeJIT.h:
2527         * dfg/DFGSpeculativeJIT32_64.cpp:
2528         (JSC::DFG::SpeculativeJIT::cachedGetById):
2529         (JSC::DFG::SpeculativeJIT::compile):
2530         * dfg/DFGSpeculativeJIT64.cpp:
2531         (JSC::DFG::SpeculativeJIT::cachedGetById):
2532         (JSC::DFG::SpeculativeJIT::compile):
2533         * ftl/FTLCapabilities.cpp:
2534         (JSC::FTL::canCompile):
2535         * ftl/FTLLowerDFGToB3.cpp:
2536         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2537         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2538         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
2539         (JSC::FTL::DFG::LowerDFGToB3::getById):
2540         * jit/JIT.cpp:
2541         (JSC::JIT::privateCompileMainPass):
2542         (JSC::JIT::privateCompileSlowCases):
2543         * jit/JIT.h:
2544         * jit/JITOperations.cpp:
2545         * jit/JITOperations.h:
2546         * jit/JITPropertyAccess.cpp:
2547         (JSC::JIT::emit_op_get_by_id_direct):
2548         (JSC::JIT::emitSlow_op_get_by_id_direct):
2549         * jit/JITPropertyAccess32_64.cpp:
2550         (JSC::JIT::emit_op_get_by_id_direct):
2551         (JSC::JIT::emitSlow_op_get_by_id_direct):
2552         * jit/Repatch.cpp:
2553         (JSC::appropriateOptimizingGetByIdFunction):
2554         (JSC::appropriateGetByIdFunction):
2555         (JSC::tryCacheGetByID):
2556         (JSC::repatchGetByID):
2557         (JSC::appropriateGenericGetByIdFunction): Deleted.
2558         * jit/Repatch.h:
2559         * llint/LLIntSlowPaths.cpp:
2560         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2561         * llint/LLIntSlowPaths.h:
2562         * llint/LowLevelInterpreter32_64.asm:
2563         * llint/LowLevelInterpreter64.asm:
2564         * runtime/JSCJSValue.h:
2565         * runtime/JSCJSValueInlines.h:
2566         (JSC::JSValue::getOwnPropertySlot const):
2567         * runtime/JSObject.h:
2568         * runtime/JSObjectInlines.h:
2569         (JSC::JSObject::getOwnPropertySlotInline):
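
The op_get_by_id_direct entry above and the @putByIdDirectPrivate entry earlier in this log both fix the same hazard: reaching an internal field through ordinary [[Get]]/[[Put]] lets an accessor on the prototype chain intercept the access. The following is an added example in plain JavaScript, not JavaScriptCore code, that reproduces the hazard and contrasts it with own-property access; a Symbol stands in for the private symbols JSC uses as keys, and the intercepting prototype is constructed for this illustration.

```javascript
// Added example, not JavaScriptCore code: models in plain JavaScript why
// internal-field access must not walk the prototype chain. A Symbol stands in
// for the private symbols JSC uses as keys (assumption for illustration).
const kInternalField = Symbol("internalField");

// Constructed hazard: a prototype carrying an accessor under the same key.
// Ordinary [[Get]]/[[Put]] on an instance would reach this accessor.
const interceptingPrototype = {
  get [kInternalField]() { return "intercepted-get"; },
  set [kInternalField](v) { this.captured = v; }, // swallows the write; no own property is created
};

// [[Get]] semantics (op_get_by_id): walks the prototype chain, so the getter wins.
function readViaGet(target) {
  return target[kInternalField];
}

// [[GetOwnProperty]] semantics (what op_get_by_id_direct performs): own slot only.
function readDirect(target) {
  const desc = Object.getOwnPropertyDescriptor(target, kInternalField);
  return desc === undefined ? undefined : desc.value;
}

// [[Put]] semantics: a setter on the prototype intercepts the store.
function writeViaPut(target, value) {
  target[kInternalField] = value;
}

// Direct definition (what @putByIdDirectPrivate models): always an own data property.
function writeDirect(target, value) {
  Object.defineProperty(target, kInternalField, {
    value, writable: true, configurable: true, enumerable: false,
  });
}

// Runs both access styles against instances of the intercepting prototype and
// returns what each observed, so the difference can be checked rather than printed.
function demonstrate() {
  const viaPut = Object.create(interceptingPrototype);
  writeViaPut(viaPut, "state-1");

  const viaDirect = Object.create(interceptingPrototype);
  writeDirect(viaDirect, "state-2");

  return {
    putCreatedOwnField: Object.prototype.hasOwnProperty.call(viaPut, kInternalField), // false
    putCapturedBySetter: viaPut.captured,            // "state-1": the prototype saw the value
    getIntercepted: readViaGet(viaPut),              // "intercepted-get"
    directReadAfterPut: readDirect(viaPut),          // undefined: nothing was stored on the object
    directReadAfterDirect: readDirect(viaDirect),    // "state-2"
    getAfterDirect: readViaGet(viaDirect),           // "state-2": own property shadows the getter
  };
}
```

The first three results show the hazard: the [[Put]] never lands on the object, the prototype's setter sees the value, and the [[Get]] returns whatever the prototype's getter chooses. The direct forms neither consult nor leak to the prototype, which is the property the two intrinsics exist to guarantee.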
2570
2571 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2572
2573         [JSC] Remove several asXXX functions
2574         https://bugs.webkit.org/show_bug.cgi?id=184355
2575
2576         Reviewed by JF Bastien.
2577
2578         Remove asActivation, asInternalFunction, and asGetterSetter.
2579         Use jsCast<> / jsDynamicCast<> consistently.
2580
2581         * runtime/ArrayConstructor.cpp:
2582         (JSC::constructArrayWithSizeQuirk):
2583         * runtime/AsyncFunctionConstructor.cpp:
2584         (JSC::callAsyncFunctionConstructor):
2585         (JSC::constructAsyncFunctionConstructor):
2586         * runtime/AsyncGeneratorFunctionConstructor.cpp:
2587         (JSC::callAsyncGeneratorFunctionConstructor):
2588         (JSC::constructAsyncGeneratorFunctionConstructor):
2589         * runtime/BooleanConstructor.cpp:
2590         (JSC::constructWithBooleanConstructor):
2591         * runtime/DateConstructor.cpp:
2592         (JSC::constructWithDateConstructor):
2593         * runtime/ErrorConstructor.cpp:
2594         (JSC::Interpreter::constructWithErrorConstructor):
2595         (JSC::Interpreter::callErrorConstructor):
2596         * runtime/FunctionConstructor.cpp:
2597         (JSC::constructWithFunctionConstructor):
2598         (JSC::callFunctionConstructor):
2599         * runtime/FunctionPrototype.cpp:
2600         (JSC::functionProtoFuncToString):
2601         * runtime/GeneratorFunctionConstructor.cpp:
2602         (JSC::callGeneratorFunctionConstructor):
2603         (JSC::constructGeneratorFunctionConstructor):
2604         * runtime/GetterSetter.h:
2605         (JSC::asGetterSetter): Deleted.
2606         * runtime/InternalFunction.h:
2607         (JSC::asInternalFunction): Deleted.
2608         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2609         (JSC::constructGenericTypedArrayView):
2610         * runtime/JSLexicalEnvironment.h:
2611         (JSC::asActivation): Deleted.
2612         * runtime/JSObject.cpp:
2613         (JSC::validateAndApplyPropertyDescriptor):
2614         * runtime/MapConstructor.cpp:
2615         (JSC::constructMap):
2616         * runtime/PropertyDescriptor.cpp:
2617         (JSC::PropertyDescriptor::setDescriptor):
2618         * runtime/RegExpConstructor.cpp:
2619         (JSC::constructWithRegExpConstructor):
2620         (JSC::callRegExpConstructor):
2621         * runtime/SetConstructor.cpp:
2622         (JSC::constructSet):
2623         * runtime/StringConstructor.cpp:
2624         (JSC::constructWithStringConstructor):
2625         * runtime/WeakMapConstructor.cpp:
2626         (JSC::constructWeakMap):
2627         * runtime/WeakSetConstructor.cpp:
2628         (JSC::constructWeakSet):
2629         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2630         (JSC::constructJSWebAssemblyCompileError):
2631         (JSC::callJSWebAssemblyCompileError):
2632         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2633         (JSC::constructJSWebAssemblyLinkError):
2634         (JSC::callJSWebAssemblyLinkError):
2635         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2636         (JSC::constructJSWebAssemblyRuntimeError):
2637         (JSC::callJSWebAssemblyRuntimeError):
2638
2639 2018-04-05  Mark Lam  <mark.lam@apple.com>
2640
2641         MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
2642         https://bugs.webkit.org/show_bug.cgi?id=184347
2643         <rdar://problem/39183165>
2644
2645         Reviewed by Michael Saboff.
2646
2647         * assembler/MacroAssemblerCodeRef.h:
2648         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2649         (JSC::MacroAssemblerCodePtr::retagged const):
2650
2651 2018-04-05  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
2652
2653         [MIPS] Optimize generated JIT code for branches
2654         https://bugs.webkit.org/show_bug.cgi?id=183130
2655
2656         Reviewed by Yusuke Suzuki.
2657
2658         The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
2659         branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
2660         to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
2661         However, this adds a significant overhead for all other types of branches. Since these nops
2662         protect the code that is generated by branchPtrWithPatch, this function seems like a better
2663         place to add them.
2664
2665         * assembler/MIPSAssembler.h:
2666         (JSC::MIPSAssembler::repatchInt32):
2667         (JSC::MIPSAssembler::revertJumpToMove):
2668         * assembler/MacroAssemblerMIPS.h:
2669         (JSC::MacroAssemblerMIPS::branchAdd32):
2670         (JSC::MacroAssemblerMIPS::branchMul32):
2671         (JSC::MacroAssemblerMIPS::branchSub32):
2672         (JSC::MacroAssemblerMIPS::branchNeg32):
2673         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
2674         (JSC::MacroAssemblerMIPS::branchEqual):
2675         (JSC::MacroAssemblerMIPS::branchNotEqual):
2676
2677 2018-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2678
2679         [WTF] Remove StaticLock
2680         https://bugs.webkit.org/show_bug.cgi?id=184332
2681
2682         Reviewed by Mark Lam.
2683
2684         * API/JSValue.mm:
2685         (handerForStructTag):
2686         * API/JSVirtualMachine.mm:
2687         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
2688         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
2689         * API/glib/JSCVirtualMachine.cpp:
2690         (addWrapper):
2691         (removeWrapper):
2692         * assembler/testmasm.cpp:
2693         * b3/air/testair.cpp:
2694         * b3/testb3.cpp:
2695         * bytecode/SuperSampler.cpp:
2696         * dfg/DFGCommon.cpp:
2697         * dfg/DFGCommonData.cpp:
2698         * dynbench.cpp:
2699         * heap/MachineStackMarker.cpp:
2700         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2701         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
2702         (Inspector::RemoteTargetHandleRunSourceGlobal):
2703         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
2704         * interpreter/CLoopStack.cpp:
2705         * parser/SourceProvider.cpp:
2706         * profiler/ProfilerDatabase.cpp:
2707         * profiler/ProfilerUID.cpp:
2708         (JSC::Profiler::UID::create):
2709         * runtime/IntlObject.cpp:
2710         (JSC::numberingSystemsForLocale):
2711         * runtime/JSLock.cpp:
2712         * runtime/JSLock.h:
2713         * runtime/SamplingProfiler.cpp:
2714         (JSC::SamplingProfiler::registerForReportAtExit):
2715         * runtime/VM.cpp:
2716         * wasm/WasmFaultSignalHandler.cpp:
2717
2718 2018-04-04  Mark Lam  <mark.lam@apple.com>
2719
2720         Add pointer profiling support to the DFG and supporting files.
2721         https://bugs.webkit.org/show_bug.cgi?id=184316
2722         <rdar://problem/39188524>
2723
2724         Reviewed by Filip Pizlo.
2725
2726         1. Profile lots of pointers with PtrTags.
2727
2728         2. Remove PtrTag.cpp and make ptrTagName() into an inline function.  It's only
2729            used for debugging anyway, and not normally called in the code.  Making it
2730            an inline function prevents it from taking up code space in builds when not in
2731            use.
2732
2733         3. Change the call to the arityFixupThunk in DFG code to be a near call.
2734            It doesn't need to be a far call.
2735
2736         * CMakeLists.txt:
2737         * JavaScriptCore.xcodeproj/project.pbxproj:
2738         * Sources.txt:
2739         * assembler/testmasm.cpp:
2740         (JSC::testProbeModifiesProgramCounter):
2741         * b3/B3LowerMacros.cpp:
2742         * b3/air/AirCCallSpecial.cpp:
2743         (JSC::B3::Air::CCallSpecial::generate):
2744         * b3/air/AirCCallSpecial.h:
2745         * b3/testb3.cpp:
2746         (JSC::B3::testInterpreter):
2747         * bytecode/AccessCase.cpp:
2748         (JSC::AccessCase::generateImpl):
2749         * bytecode/HandlerInfo.h:
2750         (JSC::HandlerInfo::initialize):
2751         * bytecode/PolymorphicAccess.cpp:
2752         (JSC::PolymorphicAccess::regenerate):
2753         * dfg/DFGJITCompiler.cpp:
2754         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2755         (JSC::DFG::JITCompiler::link):
2756         (JSC::DFG::JITCompiler::compileFunction):
2757         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
2758         * dfg/DFGJITCompiler.h:
2759         (JSC::DFG::JITCompiler::appendCall):
2760         * dfg/DFGOSREntry.cpp:
2761         (JSC::DFG::prepareOSREntry):
2762         * dfg/DFGOSRExit.cpp:
2763         (JSC::DFG::reifyInlinedCallFrames):
2764         (JSC::DFG::adjustAndJumpToTarget):
2765         (JSC::DFG::OSRExit::emitRestoreArguments):
2766         (JSC::DFG::OSRExit::compileOSRExit):
2767         * dfg/DFGOSRExitCompilerCommon.cpp:
2768         (JSC::DFG::handleExitCounts):
2769         (JSC::DFG::reifyInlinedCallFrames):
2770         (JSC::DFG::osrWriteBarrier):
2771         (JSC::DFG::adjustAndJumpToTarget):
2772         * dfg/DFGOperations.cpp:
2773         * dfg/DFGSlowPathGenerator.h:
2774         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
2775         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
2776         (JSC::DFG::slowPathCall):
2777         * dfg/DFGSpeculativeJIT.cpp:
2778         (JSC::DFG::SpeculativeJIT::compileMathIC):
2779         * dfg/DFGSpeculativeJIT.h:
2780         (JSC::DFG::SpeculativeJIT::callOperation):
2781         (JSC::DFG::SpeculativeJIT::appendCall):
2782         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
2783         * dfg/DFGSpeculativeJIT64.cpp:
2784         (JSC::DFG::SpeculativeJIT::cachedGetById):
2785         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2786         (JSC::DFG::SpeculativeJIT::cachedPutById):
2787         (JSC::DFG::SpeculativeJIT::compile):
2788         * dfg/DFGThunks.cpp:
2789         (JSC::DFG::osrExitThunkGenerator):
2790         (JSC::DFG::osrExitGenerationThunkGenerator):
2791         (JSC::DFG::osrEntryThunkGenerator):
2792         * jit/AssemblyHelpers.cpp:
2793         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2794         * jit/JIT.cpp:
2795         (JSC::JIT::emitEnterOptimizationCheck):
2796         (JSC::JIT::compileWithoutLinking):
2797         * jit/JITCall.cpp:
2798         (JSC::JIT::compileOpCallSlowCase):
2799         * jit/JITMathIC.h:
2800         (JSC::isProfileEmpty):
2801         * jit/JITOpcodes.cpp:
2802         (JSC::JIT::emit_op_catch):
2803         (JSC::JIT::emitSlow_op_loop_hint):
2804         * jit/JITOperations.cpp:
2805         * jit/Repatch.cpp:
2806         (JSC::linkSlowFor):
2807         (JSC::linkFor):
2808         (JSC::revertCall):
2809         (JSC::unlinkFor):
2810         (JSC::linkVirtualFor):
2811         (JSC::linkPolymorphicCall):
2812         * jit/ThunkGenerators.cpp:
2813         (JSC::throwExceptionFromCallSlowPathGenerator):
2814         (JSC::linkCallThunkGenerator):
2815         (JSC::linkPolymorphicCallThunkGenerator):
2816         (JSC::virtualThunkFor):
2817         (JSC::arityFixupGenerator):
2818         (JSC::unreachableGenerator):
2819         * runtime/PtrTag.cpp: Removed.
2820         * runtime/PtrTag.h:
2821         (JSC::ptrTagName):
2822         * runtime/VMEntryScope.cpp:
2823         * wasm/js/WasmToJS.cpp:
2824         (JSC::Wasm::wasmToJS):
2825
2826 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
2827
2828         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
2829         https://bugs.webkit.org/show_bug.cgi?id=184319
2830
2831         Reviewed by Saam Barati.
2832
2833         In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
2834         assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
2835         the ArrayPush.
2836
2837         But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
2838         GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
2839         eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
2840         with a GetByVal(SaneChain), then we will hit the assertion.
2841
2842         This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
2843         tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
2844         than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
2845
2846         * dfg/DFGCSEPhase.cpp:
2847         * dfg/DFGClobberize.h:
2848         (JSC::DFG::clobberize):
2849         * dfg/DFGHeapLocation.cpp:
2850         (WTF::printInternal):
2851         * dfg/DFGHeapLocation.h:
2852         * dfg/DFGSpeculativeJIT.cpp:
2853         (JSC::DFG::SpeculativeJIT::compileArrayPush):
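
        The location bookkeeping this entry describes, as an added toy model written for this page; it is not
        JSC's DFGClobberize/DFGCSEPhase code. Node, ArrayMode, HeapLocation, runCSE() and sampleProgram() are
        all constructed here. `modeAware == false` reproduces the bug (the array mode is ignored when matching
        loads), `modeAware == true` is the fix: the mode is part of the HeapLocation, and one PutByVal defs a
        location for each mode so that loads of either kind can still reuse the stored value.

```cpp
#include <cstddef>
#include <map>
#include <tuple>
#include <vector>

// Hypothetical toy model of the CSE heap-location matching described in the
// ChangeLog entry; not JSC's code. Node ids are positions in the sequence.
enum class ArrayMode { InBounds, SaneChain };

struct Node {
    enum Kind { Load, Store } kind;
    ArrayMode mode;   // for Load: the speculation it was compiled with
    int base;         // abstract identity of the array read or written
    int index;        // abstract identity of the index
    int value;        // for Store: id of the node whose value is stored
};

// A heap location is keyed on the array mode as well as base/index, so an
// InBounds load and a SaneChain load of the same element never match.
using HeapLocation = std::tuple<ArrayMode, int, int>;

// Straight-line CSE. Result[i] is -1 when node i is kept, otherwise the id of
// the earlier node whose value replaces it.
std::vector<int> runCSE(const std::vector<Node>& nodes, bool modeAware)
{
    std::map<HeapLocation, int> available; // location -> node id holding its value
    std::vector<int> replacement(nodes.size(), -1);

    for (std::size_t i = 0; i < nodes.size(); ++i) {
        const Node& n = nodes[i];
        if (n.kind == Node::Load) {
            // Bug: with modeAware == false every load uses the same key, so a
            // SaneChain load (which may yield NaN) matches an InBounds load.
            ArrayMode key = modeAware ? n.mode : ArrayMode::InBounds;
            HeapLocation loc { key, n.base, n.index };
            auto it = available.find(loc);
            if (it != available.end())
                replacement[i] = it->second;
            else
                available[loc] = static_cast<int>(i);
            continue;
        }

        // Store: conservatively kill every location on the same base, then def
        // the stored value. The fix defs once per mode: the value just written
        // is valid for either kind of load, so a store may def() more than once.
        for (auto it = available.begin(); it != available.end();) {
            if (std::get<1>(it->first) == n.base)
                it = available.erase(it);
            else
                ++it;
        }
        available[HeapLocation { ArrayMode::InBounds, n.base, n.index }] = n.value;
        if (modeAware)
            available[HeapLocation { ArrayMode::SaneChain, n.base, n.index }] = n.value;
    }
    return replacement;
}

// Constructed sample sequence mirroring the bug description.
std::vector<Node> sampleProgram()
{
    return {
        { Node::Load,  ArrayMode::InBounds,  1, 2, -1 }, // @0: GetByVal(InBounds)  a[i]
        { Node::Load,  ArrayMode::SaneChain, 1, 2, -1 }, // @1: GetByVal(SaneChain) a[i]
        { Node::Store, ArrayMode::InBounds,  1, 2,  0 }, // @2: PutByVal a[i] = @0
        { Node::Load,  ArrayMode::SaneChain, 1, 2, -1 }, // @3: GetByVal(SaneChain) a[i]
        { Node::Load,  ArrayMode::InBounds,  1, 2, -1 }, // @4: GetByVal(InBounds)  a[i]
    };
}
```

        With the bug, @1 is replaced by @0 even though only @1 can observe NaN; with the fix, @1 is kept, while
        @3 and @4 are both replaced by the value stored at @2 because the store def'd both locations.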
2854
2855 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
2856
2857         Remove poisoning of typed array vector
2858         https://bugs.webkit.org/show_bug.cgi?id=184313
2859
2860         Reviewed by Saam Barati.
2861
2862         * dfg/DFGFixupPhase.cpp:
2863         (JSC::DFG::FixupPhase::checkArray):
2864         * dfg/DFGSpeculativeJIT.cpp:
2865         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
2866         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2867         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2868         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
2869         * ftl/FTLAbstractHeapRepository.h:
2870         * ftl/FTLLowerDFGToB3.cpp:
2871         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2872         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
2873         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2874         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
2875         * jit/IntrinsicEmitter.cpp:
2876         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
2877         * jit/JITPropertyAccess.cpp:
2878         (JSC::JIT::emitIntTypedArrayGetByVal):
2879         (JSC::JIT::emitFloatTypedArrayGetByVal):
2880         (JSC::JIT::emitIntTypedArrayPutByVal):
2881         (JSC::JIT::emitFloatTypedArrayPutByVal):
2882         * llint/LowLevelInterpreter.asm:
2883         * llint/LowLevelInterpreter64.asm:
2884         * offlineasm/arm64.rb:
2885         * offlineasm/x86.rb:
2886         * runtime/CagedBarrierPtr.h:
2887         * runtime/JSArrayBufferView.cpp:
2888         (JSC::JSArrayBufferView::JSArrayBufferView):
2889         (JSC::JSArrayBufferView::finalize):
2890         (JSC::JSArrayBufferView::neuter):
2891         * runtime/JSArrayBufferView.h:
2892         (JSC::JSArrayBufferView::vector const):
2893         (JSC::JSArrayBufferView::offsetOfVector):
2894         (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
2895         (JSC::JSArrayBufferView::poisonFor): Deleted.
2896         (JSC::JSArrayBufferView::Poison::key): Deleted.
2897         * runtime/JSCPoison.cpp:
2898         (JSC::initializePoison):
2899         * runtime/JSCPoison.h:
2900         * runtime/JSGenericTypedArrayViewInlines.h:
2901         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
2902         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2903         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2904         * runtime/JSObject.h:
2905
2906 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
2907
2908         Don't do index masking or poisoning for DirectArguments
2909         https://bugs.webkit.org/show_bug.cgi?id=184280
2910
2911         Reviewed by Saam Barati.
2912
2913         * JavaScriptCore.xcodeproj/project.pbxproj:
2914         * bytecode/AccessCase.cpp:
2915         (JSC::AccessCase::generateWithGuard):
2916         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2917         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
2918         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
2919         * dfg/DFGSpeculativeJIT.cpp:
2920         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2921         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2922         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2923         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
2924         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
2925         * ftl/FTLAbstractHeapRepository.h:
2926         * ftl/FTLLowerDFGToB3.cpp:
2927         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
2928         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2929         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2930         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
2931         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
2932         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2933         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
2934         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
2935         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
2936         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
2937         * heap/SecurityKind.h:
2938         * jit/JITPropertyAccess.cpp:
2939         (JSC::JIT::emit_op_get_from_arguments):
2940         (JSC::JIT::emit_op_put_to_arguments):
2941         (JSC::JIT::emitDirectArgumentsGetByVal):
2942         * jit/JITPropertyAccess32_64.cpp:
2943         (JSC::JIT::emit_op_get_from_arguments):
2944         (JSC::JIT::emit_op_put_to_arguments):
2945         * llint/LowLevelInterpreter.asm:
2946         * llint/LowLevelInterpreter32_64.asm:
2947         * llint/LowLevelInterpreter64.asm:
2948         * runtime/DirectArguments.cpp:
2949         (JSC::DirectArguments::DirectArguments):
2950         (JSC::DirectArguments::createUninitialized):
2951         (JSC::DirectArguments::create):
2952         (JSC::DirectArguments::createByCopying):
2953         (JSC::DirectArguments::estimatedSize):
2954         (JSC::DirectArguments::visitChildren):
2955         (JSC::DirectArguments::overrideThings):
2956         (JSC::DirectArguments::copyToArguments):
2957         (JSC::DirectArguments::mappedArgumentsSize):
2958         * runtime/DirectArguments.h:
2959         * runtime/JSCPoison.h:
2960         * runtime/JSLexicalEnvironment.h:
2961         * runtime/JSSymbolTableObject.h:
2962
2963 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
2964
2965         JSArray::appendMemcpy seems to be missing a barrier
2966         https://bugs.webkit.org/show_bug.cgi?id=184290
2967
2968         Reviewed by Mark Lam.
2969         
2970         If you write to an array that may contain pointers and you didn't just allocate it, then you need to
2971         barrier right after.
2972         
2973         I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
2974         obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
2975
2976         * runtime/JSArray.cpp:
2977         (JSC::JSArray::appendMemcpy):
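
        The rule stated above, as an added example in a hypothetical toy generational heap written for this
        page; it is not JSC's Heap, MarkedBlock or JSArray code. Cell, ToyHeap, appendCopy(), collectEden() and
        the two scenario functions are all constructed here. It shows why a bulk pointer copy into an array that
        is not freshly allocated must be followed by a barrier, and why a freshly allocated array does not need one.

```cpp
#include <cstddef>
#include <set>
#include <vector>

// Hypothetical toy generational heap; not JSC's code.
struct Cell {
    bool old = false;            // survived an earlier full collection
    std::vector<Cell*> slots;    // outgoing pointers, e.g. array elements
};

struct ToyHeap {
    std::vector<Cell*> cells;
    std::set<Cell*> remembered;  // old cells that may point into the young generation

    Cell* allocate()
    {
        Cell* c = new Cell;
        cells.push_back(c);
        return c;
    }

    // Everything currently allocated becomes old: an eden collection keeps it
    // alive but does not scan it unless it is in the remembered set.
    void promoteAll()
    {
        for (Cell* c : cells)
            c->old = true;
    }

    // The barrier: after storing pointers into an old cell, remember it so the
    // next eden collection treats its slots as roots.
    void writeBarrier(Cell* c)
    {
        if (c->old)
            remembered.insert(c);
    }

    // memcpy-style bulk copy of pointers into dst, optionally followed by the barrier.
    void appendCopy(Cell* dst, const std::vector<Cell*>& src, bool barrier)
    {
        dst->slots.insert(dst->slots.end(), src.begin(), src.end());
        if (barrier)
            writeBarrier(dst);
    }

    // Eden collection: mark from the explicit roots plus the remembered set,
    // keep every old cell, free unmarked young cells. Returns the count freed.
    std::size_t collectEden(const std::vector<Cell*>& roots)
    {
        std::set<Cell*> marked;
        std::vector<Cell*> work(roots.begin(), roots.end());
        work.insert(work.end(), remembered.begin(), remembered.end());
        while (!work.empty()) {
            Cell* c = work.back();
            work.pop_back();
            if (!marked.insert(c).second)
                continue;
            for (Cell* s : c->slots)
                work.push_back(s);
        }
        std::vector<Cell*> survivors;
        std::size_t freed = 0;
        for (Cell* c : cells) {
            if (c->old || marked.count(c))
                survivors.push_back(c);
            else {
                delete c;
                ++freed;
            }
        }
        cells = survivors;
        remembered.clear();
        return freed;
    }

    ~ToyHeap()
    {
        for (Cell* c : cells)
            delete c;
    }
};

// An old array receives a pointer to a young cell through the bulk append.
// Returns true if the young cell is still alive after the next eden collection.
// Without the barrier the collector never scans the old array, frees the young
// cell, and leaves the array holding a dangling pointer.
bool youngCellSurvives(bool useBarrier)
{
    ToyHeap heap;
    Cell* oldArray = heap.allocate();
    heap.promoteAll();                 // oldArray was not "just allocated"
    Cell* young = heap.allocate();     // reachable only through oldArray
    heap.appendCopy(oldArray, { young }, useBarrier);
    return heap.collectEden({}) == 0;
}

// The exception named in the entry: a freshly allocated array is young, so it
// is scanned whenever it is reachable and the copy into it needs no barrier.
bool freshArrayNeedsNoBarrier()
{
    ToyHeap heap;
    Cell* freshArray = heap.allocate();
    Cell* young = heap.allocate();
    heap.appendCopy(freshArray, { young }, false);
    return heap.collectEden({ freshArray }) == 0;
}
```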
2978
2979 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
2980
2981         GC shouldn't do object distancing
2982         https://bugs.webkit.org/show_bug.cgi?id=184195
2983
2984         Reviewed by Saam Barati.
2985         
2986         This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
2987         to be a small speed-up.
2988
2989         * CMakeLists.txt:
2990         * JavaScriptCore.xcodeproj/project.pbxproj:
2991         * Sources.txt:
2992         * heap/BlockDirectory.cpp:
2993         (JSC::BlockDirectory::findBlockForAllocation):
2994         (JSC::BlockDirectory::addBlock):
2995         * heap/BlockDirectory.h:
2996         * heap/CellAttributes.cpp:
2997         (JSC::CellAttributes::dump const):
2998         * heap/CellAttributes.h:
2999         (JSC::CellAttributes::CellAttributes):
3000         * heap/LocalAllocator.cpp:
3001         (JSC::LocalAllocator::allocateSlowCase):
3002         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
3003         * heap/MarkedBlock.cpp:
3004         (JSC::MarkedBlock::Handle::didAddToDirectory):
3005         * heap/MarkedBlock.h:
3006         (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
3007         * heap/SecurityKind.cpp: Removed.
3008         * heap/SecurityKind.h: Removed.
3009         * heap/SecurityOriginToken.cpp: Removed.
3010         * heap/SecurityOriginToken.h: Removed.
3011         * heap/ThreadLocalCache.cpp:
3012         (JSC::ThreadLocalCache::create):
3013         (JSC::ThreadLocalCache::ThreadLocalCache):
3014         * heap/ThreadLocalCache.h:
3015         (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
3016         * runtime/JSDestructibleObjectHeapCellType.cpp:
3017         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3018         * runtime/JSGlobalObject.cpp:
3019         (JSC::JSGlobalObject::JSGlobalObject):
3020         * runtime/JSGlobalObject.h:
3021         (JSC::JSGlobalObject::threadLocalCache const): Deleted.
3022         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
3023         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3024         * runtime/JSStringHeapCellType.cpp:
3025         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3026         * runtime/VM.cpp:
3027         (JSC::VM::VM):
3028         * runtime/VM.h:
3029         * runtime/VMEntryScope.cpp:
3030         (JSC::VMEntryScope::VMEntryScope):
3031         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
3032         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3033
3034 2018-04-02  Saam Barati  <sbarati@apple.com>
3035
3036         bmalloc should compute its own estimate of its footprint
3037         https://bugs.webkit.org/show_bug.cgi?id=184121
3038
3039         Reviewed by Filip Pizlo.
3040
3041         * heap/IsoAlignedMemoryAllocator.cpp:
3042         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3043         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3044         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3045
3046 2018-04-02  Mark Lam  <mark.lam@apple.com>
3047
3048         We should not trash the stack pointer on OSR entry.
3049         https://bugs.webkit.org/show_bug.cgi?id=184243
3050         <rdar://problem/39114319>
3051
3052         Reviewed by Filip Pizlo.
3053
3054         In the DFG OSR entry path, we momentarily overwrite the stack pointer with
3055         returnValueGPR2.  returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
3056         Hence, this assignment is wrong, and it turns out to be unnecessary as well.
3057         The stack pointer does get corrected later in the thunk (generated by
3058         osrEntryThunkGenerator()) that we jump to.  This is why we don't see ill effects
3059         so far.
3060
3061         This bug only poses an issue if interrupts use the user stack for their stack
3062         frame (e.g. Linux), and when we do stack alignment tests during debugging.
3063
3064         The fix is simply to remove the assignment.
3065
3066         * dfg/DFGThunks.cpp:
3067         (JSC::DFG::osrEntryThunkGenerator):
3068         * jit/JIT.cpp:
3069         (JSC::JIT::emitEnterOptimizationCheck):
3070
3071 2018-04-02  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3072
3073         [MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
3074         https://bugs.webkit.org/show_bug.cgi?id=183740
3075
3076         Reviewed by Yusuke Suzuki.
3077
3078         In many macro assembler methods with TrustedImm32 operand a move imm, immTemp (pseudo)instruction is
3079         first generated and a register operand variant of the same method is called to generate the rest
3080         of the code. If the immediate value can fit in 16 bits then we can skip the move instruction and
3081         generate more efficient code using MIPS instructions with immediate operand.
3082
3083         * assembler/MIPSAssembler.h:
3084         (JSC::MIPSAssembler::slti):
3085         * assembler/MacroAssemblerMIPS.h:
3086         (JSC::MacroAssemblerMIPS::lshift32):
3087         (JSC::MacroAssemblerMIPS::xor32):
3088         (JSC::MacroAssemblerMIPS::branch8):
3089         (JSC::MacroAssemblerMIPS::compare8):
3090         (JSC::MacroAssemblerMIPS::branch32):
3091         (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
3092         (JSC::MacroAssemblerMIPS::branchTest32):
3093         (JSC::MacroAssemblerMIPS::mask8OnTest):
3094         (JSC::MacroAssemblerMIPS::branchTest8):
3095         (JSC::MacroAssemblerMIPS::branchAdd32):
3096         (JSC::MacroAssemblerMIPS::branchNeg32):
3097         (JSC::MacroAssemblerMIPS::compare32):
3098         (JSC::MacroAssemblerMIPS::test8):
3099
3100 2018-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3101
3102         [DFG] More aggressive removal of duplicate 32bit DFG code
3103         https://bugs.webkit.org/show_bug.cgi?id=184089
3104
3105         Reviewed by Saam Barati.
3106
3107         This patch more aggressively removes duplicate 32bit DFG code
3108         by leveraging JSValueRegs and meta-programmed callOperation.
3109
3110         * dfg/DFGSpeculativeJIT.cpp:
3111         (JSC::DFG::SpeculativeJIT::compileGetByValWithThis):
3112         (JSC::DFG::SpeculativeJIT::compileArithMinMax):
3113         (JSC::DFG::SpeculativeJIT::compileNewArray):
3114         (JSC::DFG::SpeculativeJIT::compileCheckCell):
3115         (JSC::DFG::SpeculativeJIT::compileGetGlobalVariable):
3116         (JSC::DFG::SpeculativeJIT::compilePutGlobalVariable):
3117         (JSC::DFG::SpeculativeJIT::compileGetClosureVar):
3118         (JSC::DFG::SpeculativeJIT::compilePutClosureVar):
3119         (JSC::DFG::SpeculativeJIT::compileGetByOffset):
3120         (JSC::DFG::SpeculativeJIT::compilePutByOffset):
3121         (JSC::DFG::SpeculativeJIT::compileGetExecutable):
3122         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
3123         (JSC::DFG::SpeculativeJIT::compileToThis):
3124         (JSC::DFG::SpeculativeJIT::compileIdentity):
3125         * dfg/DFGSpeculativeJIT.h:
3126         * dfg/DFGSpeculativeJIT32_64.cpp:
3127         (JSC::DFG::SpeculativeJIT::compile):
3128         * dfg/DFGSpeculativeJIT64.cpp:
3129         (JSC::DFG::SpeculativeJIT::compile):
3130
3131 2018-04-01  Filip Pizlo  <fpizlo@apple.com>
3132
3133         Raise the for-call inlining threshold to 190 to fix JetStream/richards regression
3134         https://bugs.webkit.org/show_bug.cgi?id=184228
3135
3136         Reviewed by Yusuke Suzuki.
3137
3138         * runtime/Options.h:
3139
3140 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
3141
3142         JSObject shouldn't do index masking
3143         https://bugs.webkit.org/show_bug.cgi?id=184194
3144
3145         Reviewed by Yusuke Suzuki.
3146         
3147         Remove index masking, because it's not the way we'll mitigate Spectre.
3148
3149         * API/tests/JSObjectGetProxyTargetTest.cpp:
3150         (testJSObjectGetProxyTarget):
3151         * b3/B3LowerToAir.cpp:
3152         * b3/B3Validate.cpp:
3153         * b3/B3WasmBoundsCheckValue.cpp:
3154         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
3155         (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
3156         * b3/B3WasmBoundsCheckValue.h:
3157         (JSC::B3::WasmBoundsCheckValue::bounds const):
3158         (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): Deleted.
3159         * b3/testb3.cpp:
3160         (JSC::B3::testWasmBoundsCheck):
3161         (JSC::B3::run):
3162         * dfg/DFGAbstractInterpreterInlines.h:
3163         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3164         * dfg/DFGArgumentsEliminationPhase.cpp:
3165         * dfg/DFGByteCodeParser.cpp:
3166         (JSC::DFG::ByteCodeParser::parseBlock):
3167         * dfg/DFGClobberize.h:
3168         (JSC::DFG::clobberize):
3169         * dfg/DFGDoesGC.cpp:
3170         (JSC::DFG::doesGC):
3171         * dfg/DFGFixupPhase.cpp:
3172         (JSC::DFG::FixupPhase::fixupNode):
3173         * dfg/DFGNodeType.h:
3174         * dfg/DFGPredictionPropagationPhase.cpp:
3175         * dfg/DFGSSALoweringPhase.cpp:
3176         (JSC::DFG::SSALoweringPhase::handleNode):
3177         * dfg/DFGSafeToExecute.h:
3178         (JSC::DFG::safeToExecute):
3179         * dfg/DFGSpeculativeJIT.cpp:
3180         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3181         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3182         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
3183         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3184         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3185         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3186         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
3187         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3188         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3189         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3190         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
3191         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
3192         (JSC::DFG::SpeculativeJIT::compileCreateThis):
3193         (JSC::DFG::SpeculativeJIT::compileNewObject):
3194         * dfg/DFGSpeculativeJIT.h:
3195         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3196         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
3197         * dfg/DFGSpeculativeJIT32_64.cpp:
3198         (JSC::DFG::SpeculativeJIT::compile):
3199         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3200         * dfg/DFGSpeculativeJIT64.cpp:
3201         (JSC::DFG::SpeculativeJIT::compile):
3202         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3203         * ftl/FTLAbstractHeapRepository.h:
3204         * ftl/FTLCapabilities.cpp:
3205         (JSC::FTL::canCompile):
3206         * ftl/FTLLowerDFGToB3.cpp:
3207         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3208         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
3209         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3210         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
3211         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3212         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3213         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
3214         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3215         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3216         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
3217         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
3218         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3219         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
3220         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3221         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
3222         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): Deleted.
3223         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): Deleted.
3224         (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask): Deleted.
3225         * jit/AssemblyHelpers.h:
3226         (JSC::AssemblyHelpers::emitAllocateJSObject):
3227         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3228         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
3229         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
3230         * jit/JITOpcodes.cpp:
3231         (JSC::JIT::emit_op_new_object):
3232         (JSC::JIT::emit_op_create_this):
3233         * jit/JITOperations.cpp:
3234         * jit/JITPropertyAccess.cpp:
3235         (JSC::JIT::emitDoubleLoad):
3236         (JSC::JIT::emitContiguousLoad):
3237         (JSC::JIT::emitArrayStorageLoad):
3238         * llint/LowLevelInterpreter32_64.asm:
3239         * llint/LowLevelInterpreter64.asm:
3240         * runtime/Butterfly.h:
3241         (JSC::ContiguousData::at const):
3242         (JSC::ContiguousData::at):
3243         (JSC::Butterfly::computeIndexingMask const): Deleted.
3244         * runtime/ButterflyInlines.h:
3245         (JSC::ContiguousData<T>::at const): Deleted.
3246         (JSC::ContiguousData<T>::at): Deleted.
3247         * runtime/ClonedArguments.cpp:
3248         (JSC::ClonedArguments::createEmpty):
3249         * runtime/JSArray.cpp:
3250         (JSC::JSArray::tryCreateUninitializedRestricted):
3251         (JSC::JSArray::appendMemcpy):
3252         (JSC::JSArray::setLength):
3253         (JSC::JSArray::pop):
3254         (JSC::JSArray::shiftCountWithAnyIndexingType):
3255         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3256         (JSC::JSArray::fillArgList):
3257         (JSC::JSArray::copyToArguments):
3258         * runtime/JSArrayBufferView.cpp:
3259         (JSC::JSArrayBufferView::JSArrayBufferView):
3260         * runtime/JSArrayInlines.h:
3261         (JSC::JSArray::pushInline):
3262         * runtime/JSFixedArray.h:
3263         * runtime/JSGenericTypedArrayViewInlines.h:
3264         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3265         * runtime/JSObject.cpp:
3266         (JSC::JSObject::getOwnPropertySlotByIndex):
3267         (JSC::JSObject::putByIndex):
3268         (JSC::JSObject::createInitialUndecided):
3269         (JSC::JSObject::createInitialInt32):
3270         (JSC::JSObject::createInitialDouble):
3271         (JSC::JSObject::createInitialContiguous):
3272         (JSC::JSObject::createArrayStorage):
3273         (JSC::JSObject::convertUndecidedToInt32):
3274         (JSC::JSObject::convertUndecidedToDouble):
3275         (JSC::JSObject::convertUndecidedToContiguous):
3276         (JSC::JSObject::convertUndecidedToArrayStorage):
3277         (JSC::JSObject::convertInt32ToDouble):
3278         (JSC::JSObject::convertInt32ToArrayStorage):
3279         (JSC::JSObject::convertDoubleToContiguous):
3280         (JSC::JSObject::convertDoubleToArrayStorage):
3281         (JSC::JSObject::convertContiguousToArrayStorage):
3282         (JSC::JSObject::createInitialForValueAndSet):
3283         (JSC::JSObject::deletePropertyByIndex):
3284         (JSC::JSObject::getOwnPropertyNames):
3285         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3286         (JSC::JSObject::countElements):
3287         (JSC::JSObject::increaseVectorLength):
3288         (JSC::JSObject::ensureLengthSlow):
3289         (JSC::JSObject::reallocateAndShrinkButterfly):
3290         (JSC::JSObject::getEnumerableLength):
3291         * runtime/JSObject.h:
3292         (JSC::JSObject::canGetIndexQuickly):
3293         (JSC::JSObject::getIndexQuickly):
3294         (JSC::JSObject::tryGetIndexQuickly const):
3295         (JSC::JSObject::setIndexQuickly):
3296         (JSC::JSObject::initializeIndex):
3297         (JSC::JSObject::initializeIndexWithoutBarrier):
3298         (JSC::JSObject::butterflyOffset):
3299         (JSC::JSObject::setButterfly):
3300         (JSC::JSObject::nukeStructureAndSetButterfly):
3301         (JSC::JSObject::JSObject):
3302         (JSC::JSObject::butterflyIndexingMaskOffset): Deleted.
3303         (JSC::JSObject::butterflyIndexingMask const): Deleted.
3304         (JSC::JSObject::setButterflyWithIndexingMask): Deleted.
3305         * runtime/JSObjectInlines.h:
3306         (JSC::JSObject::prepareToPutDirectWithoutTransition):
3307         (JSC::JSObject::putDirectInternal):
3308         * runtime/RegExpMatchesArray.h:
3309         (JSC::tryCreateUninitializedRegExpMatchesArray):
3310         * runtime/Structure.cpp:
3311         (JSC::Structure::flattenDictionaryStructure):
3312         * wasm/WasmB3IRGenerator.cpp:
3313         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3314         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
3315         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
3316         (JSC::Wasm::B3IRGenerator::load):
3317         (JSC::Wasm::B3IRGenerator::store):
3318         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3319         * wasm/WasmBinding.cpp:
3320         (JSC::Wasm::wasmToWasm):
3321         * wasm/WasmInstance.h:
3322         (JSC::Wasm::Instance::updateCachedMemory):
3323         (JSC::Wasm::Instance::offsetOfCachedMemorySize):
3324         (JSC::Wasm::Instance::offsetOfCachedIndexingMask): Deleted.
3325         * wasm/WasmMemory.cpp:
3326         (JSC::Wasm::Memory::Memory):
3327         (JSC::Wasm::Memory::grow):
3328         * wasm/WasmMemory.h:
3329         (JSC::Wasm::Memory::size const):
3330         (JSC::Wasm::Memory::offsetOfSize):
3331         (JSC::Wasm::Memory::indexingMask): Deleted.
3332         (JSC::Wasm::Memory::offsetOfIndexingMask): Deleted.
3333         * wasm/WasmMemoryInformation.cpp:
3334         (JSC::Wasm::PinnedRegisterInfo::get):
3335         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
3336         * wasm/WasmMemoryInformation.h:
3337         (JSC::Wasm::PinnedRegisterInfo::toSave const):
3338         * wasm/js/JSToWasm.cpp:
3339         (JSC::Wasm::createJSToWasmWrapper):
3340
3341 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
3342
3343         JSC crash in JIT code with for-of loop and Array/Set iterators
3344         https://bugs.webkit.org/show_bug.cgi?id=183174
3345
3346         Reviewed by Saam Barati.
3347
3348         * dfg/DFGSafeToExecute.h:
3349         (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.
3350
3351 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
3352
3353         Strings and Vectors shouldn't do index masking
3354         https://bugs.webkit.org/show_bug.cgi?id=184193
3355
3356         Reviewed by Mark Lam.
3357
3358         * dfg/DFGSpeculativeJIT.cpp:
3359         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
3360         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3361         * ftl/FTLAbstractHeapRepository.h:
3362         * ftl/FTLLowerDFGToB3.cpp:
3363         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
3364         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
3365         * jit/ThunkGenerators.cpp:
3366         (JSC::stringCharLoad):
3367
3368 2018-03-30  Mark Lam  <mark.lam@apple.com>
3369
3370         Add pointer profiling support in baseline JIT and supporting files.
3371         https://bugs.webkit.org/show_bug.cgi?id=184200
3372         <rdar://problem/39057300>
3373
3374         Reviewed by Filip Pizlo.
3375
3376         1. To simplify pointer profiling support, vmEntryToJavaScript() now always enters
3377            the code via the arity check entry.
3378         2. To accommodate (1), all JITCode must now populate their arity check entry code
3379            pointers as well.  For native code, programs, evals, and modules that don't
3380            do arity check, we set the normal entry as the arity check entry (though with
3381            the CodeEntryWithArityCheckPtrTag profile instead).
3382
3383         * assembler/AbstractMacroAssembler.h:
3384         * assembler/LinkBuffer.h:
3385         (JSC::LinkBuffer::locationOfNearCall):