[DFG] AI should convert CreateThis to NewObject if the prototype object is proved
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
        https://bugs.webkit.org/show_bug.cgi?id=183310

        Reviewed by Filip Pizlo.

        This patch implements CreateThis -> NewObject conversion in AI if the given function is constant.
        This contributes to a 6% win in Octane/raytrace.

                                        baseline                  patched

            raytrace       x2       1.19915+-0.01862    ^     1.13156+-0.01589       ^ definitely 1.0597x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2018-03-11  Wenson Hsieh  <wenson_hsieh@apple.com>

        Disable Sigill crash analyzer on watchOS
        https://bugs.webkit.org/show_bug.cgi?id=183548
        <rdar://problem/38338032>

        Reviewed by Mark Lam.

        Sigill is not supported on watchOS.

        * runtime/Options.cpp:
        (JSC::overrideDefaults):

2018-03-09  Filip Pizlo  <fpizlo@apple.com>

        Split DirectArguments into JSValueOOB and JSValueStrict parts
        https://bugs.webkit.org/show_bug.cgi?id=183458

        Reviewed by Yusuke Suzuki.

        Our Spectre plan for JSValue objects is to allow inline JSValue stores and loads guarded by
        unmitigated structure checks. This works because objects reachable from JSValues (i.e. JSValue
        objects, like String, Symbol, and any descendant of JSObject) will only contain fields that it's OK
        to read and write within a Spectre mitigation window. Writes are important, because within the
        window, a write could appear to be made speculatively and rolled out later. This means that:

        - JSValue objects cannot have lengths, masks, or anything else inline.

        - JSValue objects cannot have an inline type that is used as part of a Spectre mitigation for a type
          check, unless that type is in the form of a poison key.

        This means that the dynamic poisoning that I previously landed for DirectArguments is wrong. It also
        means that it's wrong for DirectArguments to have an inline length.

        This changes DirectArguments to use poisoning according to the universal formula:

        - The randomly accessed portions are out-of-line, pointed to by a poisoned pointer.

        - No inline length.

        Surprisingly, this is perf-neutral. It's probably perf-neutral because our compiler optimizations
        amortize whatever cost there was.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
        (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
        * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Added.
        (JSC::DFG::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
        (JSC::DFG::SpeculativeJIT::compilePutToArguments):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
        * heap/SecurityKind.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emitDirectArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::DirectArguments):
        (JSC::DirectArguments::createUninitialized):
        (JSC::DirectArguments::create):
        (JSC::DirectArguments::createByCopying):
        (JSC::DirectArguments::estimatedSize):
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::copyToArguments):
        (JSC::DirectArguments::mappedArgumentsSize):
        * runtime/DirectArguments.h:
        * runtime/JSCPoison.h:
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSSymbolTableObject.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

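The layout rule in the entry above (randomly accessed storage out of line behind a poisoned pointer, no inline length) as an added C++ illustration. This is not JSC's DirectArguments or its poisoning code; the two poison keys, the `Poisoned`, `ArgumentsStorage` and `DirectArgumentsLike` types and the sample slot values are constructed for this example. It shows why the inline part carries nothing an attacker could use as a bound, and what a type-confused load through the wrong key yields.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Hypothetical per-type poison keys for this example. JSC derives its keys at
// runtime; these constants only stand in for "a value the attacker cannot choose".
constexpr uintptr_t kArgumentsPoisonKey = 0x9d3a6f21c4b8e570ULL;
constexpr uintptr_t kUnrelatedPoisonKey = 0x2b7e151628aed2a6ULL;

// A pointer stored XORed with a key. Only code that knows the key for this
// type recovers the real address.
template<uintptr_t Key, typename T>
class Poisoned {
public:
    Poisoned() = default;
    explicit Poisoned(T* ptr) : m_bits(reinterpret_cast<uintptr_t>(ptr) ^ Key) {}
    T* unpoisoned() const { return reinterpret_cast<T*>(m_bits ^ Key); }
    uintptr_t rawBits() const { return m_bits; }
private:
    uintptr_t m_bits = 0;
};

// Out-of-line part: the length lives next to the slots it bounds, never inline
// in the JSValue object.
struct ArgumentsStorage {
    uint32_t length;
    std::vector<uint64_t> slots;
};

// Inline part, following the "universal formula": a structure pointer and a
// poisoned pointer to the out-of-line storage, nothing else.
struct DirectArgumentsLike {
    const void* structure;
    Poisoned<kArgumentsPoisonKey, ArgumentsStorage> storage;
};

DirectArgumentsLike makeArguments(const void* structure, ArgumentsStorage& storage)
{
    return DirectArgumentsLike{structure, Poisoned<kArgumentsPoisonKey, ArgumentsStorage>(&storage)};
}

// GetByVal fast path: unpoison, then bounds-check against the out-of-line length.
std::optional<uint64_t> getByVal(const DirectArgumentsLike& args, uint32_t index)
{
    const ArgumentsStorage* storage = args.storage.unpoisoned();
    if (index >= storage->length)
        return std::nullopt;
    return storage->slots[index];
}

// What a type-confused (misspeculated) access sees: it unpoisons with the key of
// the type it believed it had. The result is real ^ K1 ^ K2, which points at
// effectively random memory rather than at data the attacker placed.
uintptr_t pointerSeenByConfusedType(const DirectArgumentsLike& args)
{
    return args.storage.rawBits() ^ kUnrelatedPoisonKey;
}

// Constructed sample used by the checks below and by main(); values are arbitrary.
ArgumentsStorage& sampleStorage()
{
    static ArgumentsStorage storage{3, {10, 20, 30}};
    return storage;
}

static const int kSampleStructure = 0;

bool sampleRoundTrips()
{
    return makeArguments(&kSampleStructure, sampleStorage()).storage.unpoisoned() == &sampleStorage();
}

bool sampleConfusedPointerDiffers()
{
    DirectArgumentsLike args = makeArguments(&kSampleStructure, sampleStorage());
    return pointerSeenByConfusedType(args) != reinterpret_cast<uintptr_t>(&sampleStorage());
}

std::optional<uint64_t> sampleGetByVal(uint32_t index)
{
    return getByVal(makeArguments(&kSampleStructure, sampleStorage()), index);
}

int main()
{
    std::printf("inline object size: %zu bytes (no inline length)\n", sizeof(DirectArgumentsLike));
    std::printf("slot 1 = %llu, slot 3 in bounds: %s\n",
        (unsigned long long)sampleGetByVal(1).value_or(0), sampleGetByVal(3) ? "yes" : "no");
    std::printf("confused-type pointer differs from real: %s\n", sampleConfusedPointerDiffers() ? "yes" : "no");
    return 0;
}
```

The inline object is two words: a structure pointer (checked by the unmitigated structure check the entry describes) and the poisoned pointer. A misspeculated access that treats some other type as this one never sees a length it could trust, and its pointer dereference lands at `real ^ K1 ^ K2`, not at attacker-controlled data.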
2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [B3] Above/Below should be strength-reduced for comparison with 0
        https://bugs.webkit.org/show_bug.cgi?id=183543

        Reviewed by Filip Pizlo.

        Above(0, x) and BelowEqual(0, x) can be converted to the constants false and true respectively.
        This can be seen in the ArraySlice(0) case: `Select(Above(0, length), length, 0)` should
        be converted to `0`. This patch adds such a folding to comparisons.

        We also fix a B3ReduceStrength issue that creates an orphan value. If a flipped value is folded to
        a constant, we do not insert the flipped value, which makes it an orphan. This issue causes a JSC test
        failure with this B3Const32/64Value change. With this patch, we create a flipped value only
        when we fail to fold it to a constant.

        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::lessThanConstant const):
        (JSC::B3::Const32Value::greaterThanConstant const):
        (JSC::B3::Const32Value::lessEqualConstant const):
        (JSC::B3::Const32Value::greaterEqualConstant const):
        (JSC::B3::Const32Value::aboveConstant const):
        (JSC::B3::Const32Value::belowConstant const):
        (JSC::B3::Const32Value::aboveEqualConstant const):
        (JSC::B3::Const32Value::belowEqualConstant const):
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::lessThanConstant const):
        (JSC::B3::Const64Value::greaterThanConstant const):
        (JSC::B3::Const64Value::lessEqualConstant const):
        (JSC::B3::Const64Value::greaterEqualConstant const):
        (JSC::B3::Const64Value::aboveConstant const):
        (JSC::B3::Const64Value::belowConstant const):
        (JSC::B3::Const64Value::aboveEqualConstant const):
        (JSC::B3::Const64Value::belowEqualConstant const):
        * b3/B3ReduceStrength.cpp:
        * b3/testb3.cpp:
        (JSC::B3::int64Operands):
        (JSC::B3::int32Operands):

2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
        https://bugs.webkit.org/show_bug.cgi?id=181848

        Reviewed by Sam Weinig.

        In r181535, we added support for `string.match(/nonglobal/)`. However, `string.match(/global/g)` is not
        optimized since it sets the `lastIndex` value before performing the RegExp operation.

        This patch optimizes the above "with a global flag" case by emitting `SetRegExpObjectLastIndex` properly.
        RegExpMatchFast is converted to SetRegExpObjectLastIndex and RegExpMatchFastGlobal. The latter node
        just holds a RegExp (not RegExpObject) cell so that it can offer a chance to make NewRegexp PhantomNewRegexp
        in the object allocation sinking phase.

        The added microbenchmarks show that this patch makes NewRegexp PhantomNewRegexp even if the given RegExp
        has a global flag, and it improves performance.

                                      baseline                  patched

        regexp-u-global-es5       44.1298+-4.6128     ^     33.7920+-2.0110        ^ definitely 1.3059x faster
        regexp-u-global-es6      182.3272+-2.2861     ^    154.3414+-7.6769        ^ definitely 1.1813x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToRegExpMatchFastGlobal):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
        * runtime/RegExpObject.cpp:
        (JSC::collectMatches): Deleted.
        * runtime/RegExpObject.h:
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        (JSC::RegExpObject::matchInline):
        (JSC::advanceStringUnicode):
        (JSC::collectMatches):
        (JSC::RegExpObject::advanceStringUnicode): Deleted.
        * runtime/RegExpPrototype.cpp:
        (JSC::advanceStringIndex):

2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        B3::reduceStrength should canonicalize integer comparisons
        https://bugs.webkit.org/show_bug.cgi?id=150958

        Reviewed by Filip Pizlo.

        This patch sorts the operands of comparisons by flipping the opcode. For example, `Above(0, @2)` is
        converted to `Below(@2, 0)`. This sorting is the same as the handleCommutativity rule. Since we
        canonicalize comparisons to have a constant value at least on the right hand side, we can
        remove the pattern matching that checks leftImm in B3LowerToAir.

        Since this flipping changes the opcode of the value, to do this safely we just create a
        new value which has the flipped opcode and swapped operands. If we can fold it to a constant,
        we replace m_value with this constant. If we fail to fold it to a constant, we replace
        m_value with the flipped one.

        These comparisons are already handled in testb3.

        * b3/B3LowerToAir.cpp:
        * b3/B3ReduceStrength.cpp:

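An added worked example, not B3's code, covering the two B3 entries above (183543 and 150958) together: a toy comparison IR in which a constant on the left is canonicalized by flipping the opcode and swapping operands, the zero cases Above(0, x) and BelowEqual(0, x) (and their mirror images) fold to constants, and the flipped value is materialized only when folding fails, so the orphan the first entry describes cannot arise. The `Op`, `Value` and `Procedure` types are assumptions of this example; B3's real reduceStrength and Const32Value/Const64Value are considerably more general.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <optional>
#include <utility>
#include <vector>

// Toy IR: unsigned comparisons over constants and opaque (non-constant) values.
enum class Op { Const, Opaque, Above, AboveEqual, Below, BelowEqual };

struct Value {
    Op op;
    uint64_t constant = 0;   // meaningful only when op == Op::Const
    Value* left = nullptr;
    Value* right = nullptr;
    bool isConst() const { return op == Op::Const; }
};

// Owns every value in the program. A Value that is created but never added here
// would be an orphan, which is what the 183543 entry fixes.
struct Procedure {
    std::vector<std::unique_ptr<Value>> values;
    Value* add(Value v) { values.push_back(std::make_unique<Value>(v)); return values.back().get(); }
    Value* addConst(uint64_t c) { return add(Value{Op::Const, c}); }
    size_t size() const { return values.size(); }
};

// Opcode with swapped operands: Above(a, b) == Below(b, a), and so on.
Op flipped(Op op)
{
    switch (op) {
    case Op::Above: return Op::Below;
    case Op::Below: return Op::Above;
    case Op::AboveEqual: return Op::BelowEqual;
    case Op::BelowEqual: return Op::AboveEqual;
    default: return op;
    }
}

bool evalUnsigned(Op op, uint64_t a, uint64_t b)
{
    switch (op) {
    case Op::Above: return a > b;
    case Op::AboveEqual: return a >= b;
    case Op::Below: return a < b;
    case Op::BelowEqual: return a <= b;
    default: return false;
    }
}

// Fold `left op right` to a constant when possible: both operands constant, or the
// zero cases from 183543 (Above(0, x) is never true, BelowEqual(0, x) always is)
// and their mirror images with the constant on the right.
std::optional<bool> foldCompare(Op op, const Value* left, const Value* right)
{
    if (left->isConst() && right->isConst())
        return evalUnsigned(op, left->constant, right->constant);
    if (left->isConst() && left->constant == 0) {
        if (op == Op::Above) return false;
        if (op == Op::BelowEqual) return true;
    }
    if (right->isConst() && right->constant == 0) {
        if (op == Op::Below) return false;
        if (op == Op::AboveEqual) return true;
    }
    return std::nullopt;
}

// One reduce step for a comparison. A constant on the left is canonicalized to the
// right by flipping the opcode (150958). The flipped value is only materialized if
// folding fails, so nothing is created and then left unreferenced (183543).
Value* reduceCompare(Procedure& proc, Value* value)
{
    if (value->op == Op::Const || value->op == Op::Opaque)
        return value;
    Op op = value->op;
    Value* left = value->left;
    Value* right = value->right;
    bool shouldFlip = left->isConst() && !right->isConst();
    if (shouldFlip) {
        op = flipped(op);
        std::swap(left, right);
    }
    if (auto folded = foldCompare(op, left, right))
        return proc.addConst(*folded ? 1 : 0);
    if (shouldFlip)
        return proc.add(Value{op, 0, left, right});
    return value;
}

int main()
{
    Procedure proc;
    Value* length = proc.add(Value{Op::Opaque});
    Value* zero = proc.addConst(0);
    // The ArraySlice(0) condition from the entry: Above(0, length) folds to false.
    Value* cond = reduceCompare(proc, proc.add(Value{Op::Above, 0, zero, length}));
    std::printf("Above(0, length) -> const %llu\n", (unsigned long long)cond->constant);
    return 0;
}
```

With the fold attempted on the flipped form before anything is allocated, `Above(0, x)` yields a constant and the procedure grows by exactly one node (the constant); `Above(5, x)` cannot fold and becomes `Below(x, 5)`, which is the canonical form B3LowerToAir can then match without a leftImm case.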
2018-03-09  Mark Lam  <mark.lam@apple.com>

        offlineasm should reset the Assembler's working state before doing another pass for a new target.
        https://bugs.webkit.org/show_bug.cgi?id=183538
        <rdar://problem/38325955>

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.cpp:
        * offlineasm/asm.rb:
        * offlineasm/cloop.rb:

2018-03-09  Brian Burg  <bburg@apple.com>

        Web Inspector: there should only be one way for async backend commands to send failure
        https://bugs.webkit.org/show_bug.cgi?id=183524

        Reviewed by Timothy Hatcher.

        If this is an async command, errors should be reported with BackendDispatcher::CallbackBase::sendFailure.
        To avoid mixups, don't include the ErrorString out-parameter in generated async command signatures.
        This change only affects interfaces generated for C++ backend dispatchers.

        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:

2018-03-09  Mark Lam  <mark.lam@apple.com>

        Build fix after r229476.
        https://bugs.webkit.org/show_bug.cgi?id=183488

        Not reviewed.

        * runtime/StackAlignment.h:

2018-03-09  Mark Lam  <mark.lam@apple.com>

        [Re-landing] Add support for ARM64E.
        https://bugs.webkit.org/show_bug.cgi?id=183398
        <rdar://problem/38212621>

        Reviewed by Michael Saboff.

        * assembler/MacroAssembler.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/backends.rb:

2018-03-09  Mark Lam  <mark.lam@apple.com>

        [Re-landing] Prepare LLInt code to support pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=183387
        <rdar://problem/38199678>

        Reviewed by JF Bastien.

        1. Introduced PtrTag enums for supporting pointer profiling later.

        2. Also introduced tagging, untagging, retagging, and tag removal placeholder
           template functions for the same purpose.

        3. Prepare the offlineasm for supporting pointer profiling later.

        4. Tagged some pointers in LLInt asm code.  Currently, these should have no
           effect on behavior.

        5. Removed returnToThrowForThrownException() because it is not used anywhere.

        6. Added the offlineasm folder to the JavaScriptCore Xcode project so that it's
           easier to view and edit these files in Xcode.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/LLIntCallLinkInfo.h:
        (JSC::LLIntCallLinkInfo::unlink):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrowForThrownException): Deleted.
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntPCRanges.h:
        (JSC::LLInt::isLLIntPC):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * offlineasm/instructions.rb:
        * offlineasm/risc.rb:
        * runtime/PtrTag.h: Added.
        (JSC::uniquePtrTagID):
        (JSC::ptrTag):
        (JSC::tagCodePtr):
        (JSC::untagCodePtr):
        (JSC::retagCodePtr):
        (JSC::removeCodePtrTag):

2018-03-09  Mark Lam  <mark.lam@apple.com>

        Remove unused LLINT_STATS feature.
        https://bugs.webkit.org/show_bug.cgi?id=183522
        <rdar://problem/38313139>

        Rubber-stamped by Keith Miller.

        We haven't used this in a while, and it is one more option that makes the offlineasm
        build slower.  We can always re-introduce this later if we need it.

        * jsc.cpp:
        * llint/LLIntCommon.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::finalizeStats): Deleted.
        (JSC::LLInt::compareStats): Deleted.
        (JSC::LLInt::Data::dumpStats): Deleted.
        (JSC::LLInt::Data::ensureStats): Deleted.
        (JSC::LLInt::Data::loadStats): Deleted.
        (JSC::LLInt::Data::resetStats): Deleted.
        (JSC::LLInt::Data::saveStats): Deleted.
        * llint/LLIntData.h:
        (): Deleted.
        (JSC::LLInt::Data::opcodeStats): Deleted.
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.cpp:
        (JSC::finalizeStatsAtEndOfTesting):

2018-03-09  Michael Saboff  <msaboff@apple.com>

        Relanding "testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64"
        https://bugs.webkit.org/show_bug.cgi?id=183488

        It applied and built just fine locally.

        * assembler/testmasm.cpp:
        (JSC::testBranchTruncateDoubleToInt32):

2018-03-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, remove WebAssemblyFunctionType
        https://bugs.webkit.org/show_bug.cgi?id=183429

        Drop WebAssemblyFunctionType since it is no longer used. This breaks the
        JSCast assumption that all the derived classes of JSFunction use
        JSFunctionType. We also add an ASSERT for JSFunction::finishCreation.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        * runtime/JSType.h:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::createStructure):
        * wasm/js/WebAssemblyFunction.h:

2018-03-09  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r229446.

        This change relies on changes that have been rolled out.

        Reverted changeset:

        "testmasm crashes in testBranchTruncateDoubleToInt32() on
        ARM64"
        https://bugs.webkit.org/show_bug.cgi?id=183488
        https://trac.webkit.org/changeset/229446

2018-03-08  Chris Dumez  <cdumez@apple.com>

        Safari not handling undefined global variables with same name as element Id correctly.
        https://bugs.webkit.org/show_bug.cgi?id=183087
        <rdar://problem/37927596>

        Reviewed by Ryosuke Niwa.

        Global variables (var foo;) should not be hidden by:
        - Named properties
        - Properties on the prototype chain

        Therefore, we now have JSGlobalObject::addVar() call JSGlobalObject::addGlobalVar()
        if !hasOwnProperty() instead of !hasProperty().

        This aligns our behavior with Chrome and Firefox.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addVar):

2018-03-08  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r229354 and r229364.
        https://bugs.webkit.org/show_bug.cgi?id=183492

        Breaks internal builds (Requested by ryanhaddad on #webkit).

        Reverted changesets:

        "Prepare LLInt code to support pointer profiling."
        https://bugs.webkit.org/show_bug.cgi?id=183387
        https://trac.webkit.org/changeset/229354

        "Add support for ARM64E."
        https://bugs.webkit.org/show_bug.cgi?id=183398
        https://trac.webkit.org/changeset/229364

2018-03-08  Michael Saboff  <msaboff@apple.com>

        testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=183488

        Reviewed by Mark Lam.

        Using stackAlignmentBytes() will keep the stack properly aligned.

        * assembler/testmasm.cpp:
        (JSC::testBranchTruncateDoubleToInt32):

2018-03-08  Michael Saboff  <msaboff@apple.com>

        Emit code to zero the stack frame on function entry
        https://bugs.webkit.org/show_bug.cgi?id=183391

        Reviewed by Mark Lam.

        Added code to zero the incoming stack frame behind a new JSC option, zeroStackFrame.
        The default setting of the option is off.

        Did some minor refactoring of the YarrJIT stack alignment code.

        * b3/air/AirCode.cpp:
        (JSC::B3::Air::defaultPrologueGenerator):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::clearStackFrame):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * llint/LowLevelInterpreter.asm:
        * runtime/Options.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
        (JSC::Yarr::YarrGenerator::initCallFrame):
        (JSC::Yarr::YarrGenerator::removeCallFrame):

2018-03-08  Keith Miller  <keith_miller@apple.com>

        Unreviewed, another attempt at fixing the Windows build.
        I guess the pragma must be outside the function...

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::clampArrayToSize):

2018-03-08  Keith Miller  <keith_miller@apple.com>

        Unreviewed, one last try at fixing the Windows build before rollout.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::clampArrayToSize):

2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize inherits<T> if T is final type
        https://bugs.webkit.org/show_bug.cgi?id=183435

        Reviewed by Mark Lam.

        If the type T is a final type (`std::is_final<T>::value == true`), there are no
        classes derived from T. It means that `jsDynamicCast<T>` only needs
        to check that the given cell's `classInfo(vm)` is `T::info()`.

        This patch adds a new specialization of jsDynamicCast<T> / inherits<T> for a
        final type. And we also add `final` annotations to JS cell types in JSC. This
        offers:

        1. Readability. If the given class is annotated with `final`, we do not need to
        consider the derived classes of T.

        2. Static Checking. If your class is not intended to be used as a base class, attaching
        `final` can ensure this invariant.

        3. Performance. jsDynamicCast<T> and inherits<T> can be optimized and the code size should
        be smaller.

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create): Deleted.
        (JSC::JSCallbackConstructor::classRef const): Deleted.
        (JSC::JSCallbackConstructor::callback const): Deleted.
        (JSC::JSCallbackConstructor::createStructure): Deleted.
        (JSC::JSCallbackConstructor::constructCallback): Deleted.
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure): Deleted.
        (JSC::JSCallbackFunction::functionCallback): Deleted.
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create): Deleted.
        (JSC::JSCallbackObject::destroy): Deleted.
        (JSC::JSCallbackObject::classRef const): Deleted.
        (JSC::JSCallbackObject::getPrivateProperty const): Deleted.
        (JSC::JSCallbackObject::setPrivateProperty): Deleted.
        (JSC::JSCallbackObject::deletePrivateProperty): Deleted.
        (JSC::JSCallbackObject::visitChildren): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/ExecutableToCodeBlockEdge.h:
        (JSC::ExecutableToCodeBlockEdge::subspaceFor): Deleted.
        (JSC::ExecutableToCodeBlockEdge::codeBlock const): Deleted.
        (JSC::ExecutableToCodeBlockEdge::unwrap): Deleted.
        * bytecode/FunctionCodeBlock.h:
        (JSC::FunctionCodeBlock::subspaceFor): Deleted.
        (JSC::FunctionCodeBlock::create): Deleted.
        (JSC::FunctionCodeBlock::createStructure): Deleted.
        (JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
        * debugger/DebuggerScope.h:
        (JSC::DebuggerScope::createStructure): Deleted.
        (JSC::DebuggerScope::iterator::iterator): Deleted.
        (JSC::DebuggerScope::iterator::get): Deleted.
        (JSC::DebuggerScope::iterator::operator++): Deleted.
        (JSC::DebuggerScope::iterator::operator== const): Deleted.
        (JSC::DebuggerScope::iterator::operator!= const): Deleted.
        (JSC::DebuggerScope::isValid const): Deleted.
        (JSC::DebuggerScope::jsScope const): Deleted.
        * inspector/JSInjectedScriptHost.h:
        (Inspector::JSInjectedScriptHost::createStructure): Deleted.
        (Inspector::JSInjectedScriptHost::create): Deleted.
        (Inspector::JSInjectedScriptHost::impl const): Deleted.
        * inspector/JSInjectedScriptHostPrototype.h:
        (Inspector::JSInjectedScriptHostPrototype::create): Deleted.
        (Inspector::JSInjectedScriptHostPrototype::createStructure): Deleted.
        (Inspector::JSInjectedScriptHostPrototype::JSInjectedScriptHostPrototype): Deleted.
        * inspector/JSJavaScriptCallFrame.h:
        (Inspector::JSJavaScriptCallFrame::createStructure): Deleted.
        (Inspector::JSJavaScriptCallFrame::create): Deleted.
        (Inspector::JSJavaScriptCallFrame::impl const): Deleted.
        * inspector/JSJavaScriptCallFramePrototype.h:
        (Inspector::JSJavaScriptCallFramePrototype::create): Deleted.
        (Inspector::JSJavaScriptCallFramePrototype::createStructure): Deleted.
        (Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype): Deleted.
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create): Deleted.
        (JSC::ArrayConstructor::createStructure): Deleted.
        * runtime/ArrayIteratorPrototype.h:
        (JSC::ArrayIteratorPrototype::create): Deleted.
        (JSC::ArrayIteratorPrototype::createStructure): Deleted.
        (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype): Deleted.
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure): Deleted.
        * runtime/AsyncFromSyncIteratorPrototype.h:
        (JSC::AsyncFromSyncIteratorPrototype::createStructure): Deleted.
        * runtime/AsyncFunctionConstructor.h:
        (JSC::AsyncFunctionConstructor::create): Deleted.
        (JSC::AsyncFunctionConstructor::createStructure): Deleted.
        * runtime/AsyncFunctionPrototype.h:
        (JSC::AsyncFunctionPrototype::create): Deleted.
        (JSC::AsyncFunctionPrototype::createStructure): Deleted.
        * runtime/AsyncGeneratorFunctionConstructor.h:
        (JSC::AsyncGeneratorFunctionConstructor::create): Deleted.
        (JSC::AsyncGeneratorFunctionConstructor::createStructure): Deleted.
        * runtime/AsyncGeneratorFunctionPrototype.h:
        (JSC::AsyncGeneratorFunctionPrototype::create): Deleted.
        (JSC::AsyncGeneratorFunctionPrototype::createStructure): Deleted.
        * runtime/AsyncGeneratorPrototype.h:
        (JSC::AsyncGeneratorPrototype::create): Deleted.
        (JSC::AsyncGeneratorPrototype::createStructure): Deleted.
        (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype): Deleted.
        * runtime/AsyncIteratorPrototype.h:
        (JSC::AsyncIteratorPrototype::create): Deleted.
        (JSC::AsyncIteratorPrototype::createStructure): Deleted.
        (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype): Deleted.
        * runtime/AtomicsObject.h:
        * runtime/BigIntConstructor.h:
        (JSC::BigIntConstructor::create): Deleted.
        (JSC::BigIntConstructor::createStructure): Deleted.
        * runtime/BigIntObject.h:
        (JSC::BigIntObject::create): Deleted.
        (JSC::BigIntObject::internalValue const): Deleted.
        (JSC::BigIntObject::createStructure): Deleted.
        * runtime/BigIntPrototype.h:
        (JSC::BigIntPrototype::create): Deleted.
        (JSC::BigIntPrototype::createStructure): Deleted.
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::create): Deleted.
        (JSC::BooleanConstructor::createStructure): Deleted.
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create): Deleted.
        (JSC::BooleanPrototype::createStructure): Deleted.
        * runtime/ConsoleObject.h:
        (JSC::ConsoleObject::create): Deleted.
        (JSC::ConsoleObject::createStructure): Deleted.
        * runtime/DOMAttributeGetterSetter.h:
        (JSC::isDOMAttributeGetterSetter): Deleted.
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create): Deleted.
        (JSC::DateConstructor::createStructure): Deleted.
        * runtime/DateInstance.h:
        (JSC::DateInstance::create): Deleted.
        (JSC::DateInstance::internalNumber const): Deleted.
        (JSC::DateInstance::gregorianDateTime const): Deleted.
        (JSC::DateInstance::gregorianDateTimeUTC const): Deleted.
        (JSC::DateInstance::createStructure): Deleted.
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create): Deleted.
        (JSC::DatePrototype::createStructure): Deleted.
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): Deleted.
        (JSC::StrictModeTypeErrorFunction::create): Deleted.
        (JSC::StrictModeTypeErrorFunction::constructThrowTypeError): Deleted.
        (JSC::StrictModeTypeErrorFunction::callThrowTypeError): Deleted.
        (JSC::StrictModeTypeErrorFunction::createStructure): Deleted.
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create): Deleted.
        (JSC::ErrorConstructor::createStructure): Deleted.
        (JSC::ErrorConstructor::stackTraceLimit const): Deleted.
        * runtime/Exception.h:
        (JSC::Exception::valueOffset): Deleted.
        (JSC::Exception::value const): Deleted.
        (JSC::Exception::stack const): Deleted.
        (JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
        (JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::create): Deleted.
        (JSC::FunctionConstructor::createStructure): Deleted.
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create): Deleted.
        (JSC::FunctionPrototype::createStructure): Deleted.
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::offsetOfObjectAllocationProfile): Deleted.
        (JSC::FunctionRareData::objectAllocationProfile): Deleted.
        (JSC::FunctionRareData::objectAllocationStructure): Deleted.
        (JSC::FunctionRareData::allocationProfileWatchpointSet): Deleted.
        (JSC::FunctionRareData::isObjectAllocationProfileInitialized): Deleted.
        (JSC::FunctionRareData::internalFunctionAllocationStructure): Deleted.
        (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase): Deleted.
        (JSC::FunctionRareData::clearInternalFunctionAllocationProfile): Deleted.
        (JSC::FunctionRareData::getBoundFunctionStructure): Deleted.
        (JSC::FunctionRareData::setBoundFunctionStructure): Deleted.
        (JSC::FunctionRareData::hasReifiedLength const): Deleted.
706         (JSC::FunctionRareData::setHasReifiedLength): Deleted.
707         (JSC::FunctionRareData::hasReifiedName const): Deleted.
708         (JSC::FunctionRareData::setHasReifiedName): Deleted.
709         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const): Deleted.
710         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): Deleted.
711         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint): Deleted.
712         * runtime/GeneratorFunctionConstructor.h:
713         (JSC::GeneratorFunctionConstructor::create): Deleted.
714         (JSC::GeneratorFunctionConstructor::createStructure): Deleted.
715         * runtime/GeneratorFunctionPrototype.h:
716         (JSC::GeneratorFunctionPrototype::create): Deleted.
717         (JSC::GeneratorFunctionPrototype::createStructure): Deleted.
718         * runtime/GeneratorPrototype.h:
719         (JSC::GeneratorPrototype::create): Deleted.
720         (JSC::GeneratorPrototype::createStructure): Deleted.
721         (JSC::GeneratorPrototype::GeneratorPrototype): Deleted.
722         * runtime/InferredValue.h:
723         (JSC::InferredValue::subspaceFor): Deleted.
724         (JSC::InferredValue::inferredValue): Deleted.
725         (JSC::InferredValue::state const): Deleted.
726         (JSC::InferredValue::isStillValid const): Deleted.
727         (JSC::InferredValue::hasBeenInvalidated const): Deleted.
728         (JSC::InferredValue::add): Deleted.
729         (JSC::InferredValue::notifyWrite): Deleted.
730         (JSC::InferredValue::invalidate): Deleted.
731         * runtime/InspectorInstrumentationObject.h:
732         (JSC::InspectorInstrumentationObject::create): Deleted.
733         (JSC::InspectorInstrumentationObject::createStructure): Deleted.
734         * runtime/IntlCollator.h:
735         (JSC::IntlCollator::boundCompare const): Deleted.
736         * runtime/IntlCollatorConstructor.h:
737         (JSC::IntlCollatorConstructor::collatorStructure const): Deleted.
738         * runtime/IntlCollatorPrototype.h:
739         * runtime/IntlDateTimeFormat.h:
740         (JSC::IntlDateTimeFormat::boundFormat const): Deleted.
741         * runtime/IntlDateTimeFormatConstructor.h:
742         (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure const): Deleted.
743         * runtime/IntlDateTimeFormatPrototype.h:
744         * runtime/IntlNumberFormat.h:
745         (JSC::IntlNumberFormat::boundFormat const): Deleted.
746         * runtime/IntlNumberFormatConstructor.h:
747         (JSC::IntlNumberFormatConstructor::numberFormatStructure const): Deleted.
748         * runtime/IntlNumberFormatPrototype.h:
749         * runtime/IntlObject.h:
750         * runtime/IteratorPrototype.h:
751         (JSC::IteratorPrototype::create): Deleted.
752         (JSC::IteratorPrototype::createStructure): Deleted.
753         (JSC::IteratorPrototype::IteratorPrototype): Deleted.
754         * runtime/JSAPIValueWrapper.h:
755         (JSC::JSAPIValueWrapper::value const): Deleted.
756         (JSC::JSAPIValueWrapper::createStructure): Deleted.
757         (JSC::JSAPIValueWrapper::create): Deleted.
758         (JSC::JSAPIValueWrapper::finishCreation): Deleted.
759         (JSC::JSAPIValueWrapper::JSAPIValueWrapper): Deleted.
760         * runtime/JSArrayBufferConstructor.h:
761         (JSC::JSArrayBufferConstructor::sharingMode const): Deleted.
762         * runtime/JSArrayBufferPrototype.h:
763         * runtime/JSAsyncFunction.h:
764         (JSC::JSAsyncFunction::subspaceFor): Deleted.
765         (JSC::JSAsyncFunction::allocationSize): Deleted.
766         (JSC::JSAsyncFunction::createStructure): Deleted.
767         * runtime/JSAsyncGeneratorFunction.h:
768         (JSC::JSAsyncGeneratorFunction::subspaceFor): Deleted.
769         (JSC::JSAsyncGeneratorFunction::allocationSize): Deleted.
770         (JSC::JSAsyncGeneratorFunction::createStructure): Deleted.
771         * runtime/JSBigInt.h:
772         (JSC::JSBigInt::setSign): Deleted.
773         (JSC::JSBigInt::sign const): Deleted.
774         (JSC::JSBigInt::setLength): Deleted.
775         (JSC::JSBigInt::length const): Deleted.
776         * runtime/JSBoundFunction.h:
777         (JSC::JSBoundFunction::subspaceFor): Deleted.
778         (JSC::JSBoundFunction::targetFunction): Deleted.
779         (JSC::JSBoundFunction::boundThis): Deleted.
780         (JSC::JSBoundFunction::boundArgs): Deleted.
781         (JSC::JSBoundFunction::createStructure): Deleted.
782         (JSC::JSBoundFunction::offsetOfTargetFunction): Deleted.
783         (JSC::JSBoundFunction::offsetOfBoundThis): Deleted.
784         * runtime/JSCast.h:
785         (JSC::JSCastingHelpers::FinalTypeDispatcher::inheritsGeneric):
786         (JSC::JSCastingHelpers::inheritsJSTypeImpl):
787         (JSC::JSCastingHelpers::InheritsTraits::inherits):
788         (JSC::JSCastingHelpers::inheritsGenericImpl): Deleted.
789         * runtime/JSCustomGetterSetterFunction.cpp:
790         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
791         * runtime/JSCustomGetterSetterFunction.h:
792         (JSC::JSCustomGetterSetterFunction::subspaceFor): Deleted.
793         (JSC::JSCustomGetterSetterFunction::createStructure): Deleted.
794         (JSC::JSCustomGetterSetterFunction::customGetterSetter const): Deleted.
795         (JSC::JSCustomGetterSetterFunction::isSetter const): Deleted.
796         (JSC::JSCustomGetterSetterFunction::propertyName const): Deleted.
797         * runtime/JSDataView.h:
798         (JSC::JSDataView::possiblySharedBuffer const): Deleted.
799         (JSC::JSDataView::unsharedBuffer const): Deleted.
800         * runtime/JSDataViewPrototype.h:
801         * runtime/JSFixedArray.h:
802         (JSC::JSFixedArray::createStructure): Deleted.
803         (JSC::JSFixedArray::tryCreate): Deleted.
804         (JSC::JSFixedArray::create): Deleted.
805         (JSC::JSFixedArray::createFromArray): Deleted.
806         (JSC::JSFixedArray::get const): Deleted.
807         (JSC::JSFixedArray::set): Deleted.
808         (JSC::JSFixedArray::buffer): Deleted.
809         (JSC::JSFixedArray::buffer const): Deleted.
810         (JSC::JSFixedArray::values const): Deleted.
811         (JSC::JSFixedArray::size const): Deleted.
812         (JSC::JSFixedArray::length const): Deleted.
813         (JSC::JSFixedArray::offsetOfSize): Deleted.
814         (JSC::JSFixedArray::offsetOfData): Deleted.
815         (JSC::JSFixedArray::JSFixedArray): Deleted.
816         (JSC::JSFixedArray::allocationSize): Deleted.
817         * runtime/JSGeneratorFunction.h:
818         (JSC::JSGeneratorFunction::subspaceFor): Deleted.
819         (JSC::JSGeneratorFunction::allocationSize): Deleted.
820         (JSC::JSGeneratorFunction::createStructure): Deleted.
821         * runtime/JSGenericTypedArrayView.h:
822         (JSC::JSGenericTypedArrayView::byteLength const): Deleted.
823         (JSC::JSGenericTypedArrayView::byteSize const): Deleted.
824         (JSC::JSGenericTypedArrayView::typedVector const): Deleted.
825         (JSC::JSGenericTypedArrayView::typedVector): Deleted.
826         (JSC::JSGenericTypedArrayView::canGetIndexQuickly): Deleted.
827         (JSC::JSGenericTypedArrayView::canSetIndexQuickly): Deleted.
828         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue): Deleted.
829         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble): Deleted.
830         (JSC::JSGenericTypedArrayView::getIndexQuickly): Deleted.
831         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue): Deleted.
832         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble): Deleted.
833         (JSC::JSGenericTypedArrayView::setIndexQuickly): Deleted.
834         (JSC::JSGenericTypedArrayView::setIndex): Deleted.
835         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
836         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion): Deleted.
837         (JSC::JSGenericTypedArrayView::sort): Deleted.
838         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly): Deleted.
839         (JSC::JSGenericTypedArrayView::createStructure): Deleted.
840         (JSC::JSGenericTypedArrayView::info): Deleted.
841         (JSC::JSGenericTypedArrayView::purifyArray): Deleted.
842         (JSC::JSGenericTypedArrayView::sortComparison): Deleted.
843         (JSC::JSGenericTypedArrayView::sortFloat): Deleted.
844         * runtime/JSGenericTypedArrayViewConstructor.h:
845         * runtime/JSGenericTypedArrayViewPrototype.h:
846         * runtime/JSInternalPromise.h:
847         * runtime/JSInternalPromiseConstructor.h:
848         * runtime/JSInternalPromisePrototype.h:
849         * runtime/JSMapIterator.h:
850         (JSC::JSMapIterator::createStructure): Deleted.
851         (JSC::JSMapIterator::create): Deleted.
852         (JSC::JSMapIterator::advanceIter): Deleted.
853         (JSC::JSMapIterator::next): Deleted.
854         (JSC::JSMapIterator::nextKeyValue): Deleted.
855         (JSC::JSMapIterator::kind const): Deleted.
856         (JSC::JSMapIterator::iteratedValue const): Deleted.
857         (JSC::JSMapIterator::JSMapIterator): Deleted.
858         (JSC::JSMapIterator::setIterator): Deleted.
859         * runtime/JSModuleLoader.h:
860         (JSC::JSModuleLoader::create): Deleted.
861         (JSC::JSModuleLoader::createStructure): Deleted.
862         * runtime/JSModuleNamespaceObject.h:
863         (JSC::isJSModuleNamespaceObject): Deleted.
864         * runtime/JSModuleRecord.h:
865         (JSC::JSModuleRecord::sourceCode const): Deleted.
866         (JSC::JSModuleRecord::declaredVariables const): Deleted.
867         (JSC::JSModuleRecord::lexicalVariables const): Deleted.
868         * runtime/JSNativeStdFunction.h:
869         (JSC::JSNativeStdFunction::subspaceFor): Deleted.
870         (JSC::JSNativeStdFunction::createStructure): Deleted.
871         (JSC::JSNativeStdFunction::nativeStdFunctionCell): Deleted.
872         * runtime/JSONObject.h:
873         (JSC::JSONObject::create): Deleted.
874         (JSC::JSONObject::createStructure): Deleted.
875         * runtime/JSObject.h:
876         (JSC::JSObject::fillCustomGetterPropertySlot):
877         * runtime/JSScriptFetchParameters.h:
878         (JSC::JSScriptFetchParameters::createStructure): Deleted.
879         (JSC::JSScriptFetchParameters::create): Deleted.
880         (JSC::JSScriptFetchParameters::parameters const): Deleted.
881         (JSC::JSScriptFetchParameters::JSScriptFetchParameters): Deleted.
882         * runtime/JSScriptFetcher.h:
883         (JSC::JSScriptFetcher::createStructure): Deleted.
884         (JSC::JSScriptFetcher::create): Deleted.
885         (JSC::JSScriptFetcher::fetcher const): Deleted.
886         (JSC::JSScriptFetcher::JSScriptFetcher): Deleted.
887         * runtime/JSSetIterator.h:
888         (JSC::JSSetIterator::createStructure): Deleted.
889         (JSC::JSSetIterator::create): Deleted.
890         (JSC::JSSetIterator::advanceIter): Deleted.
891         (JSC::JSSetIterator::next): Deleted.
892         (JSC::JSSetIterator::kind const): Deleted.
893         (JSC::JSSetIterator::iteratedValue const): Deleted.
894         (JSC::JSSetIterator::JSSetIterator): Deleted.
895         (JSC::JSSetIterator::setIterator): Deleted.
896         * runtime/JSSourceCode.h:
897         (JSC::JSSourceCode::createStructure): Deleted.
898         (JSC::JSSourceCode::create): Deleted.
899         (JSC::JSSourceCode::sourceCode const): Deleted.
900         (JSC::JSSourceCode::JSSourceCode): Deleted.
901         * runtime/JSStringIterator.h:
902         (JSC::JSStringIterator::createStructure): Deleted.
903         (JSC::JSStringIterator::create): Deleted.
904         (JSC::JSStringIterator::JSStringIterator): Deleted.
905         * runtime/JSTemplateObjectDescriptor.h:
906         (JSC::isTemplateObjectDescriptor): Deleted.
907         * runtime/JSTypedArrayViewConstructor.h:
908         (JSC::JSTypedArrayViewConstructor::create): Deleted.
909         * runtime/JSTypedArrayViewPrototype.h:
910         * runtime/MapConstructor.h:
911         (JSC::MapConstructor::create): Deleted.
912         (JSC::MapConstructor::createStructure): Deleted.
913         * runtime/MapIteratorPrototype.h:
914         (JSC::MapIteratorPrototype::create): Deleted.
915         (JSC::MapIteratorPrototype::createStructure): Deleted.
916         (JSC::MapIteratorPrototype::MapIteratorPrototype): Deleted.
917         * runtime/MapPrototype.h:
918         (JSC::MapPrototype::create): Deleted.
919         (JSC::MapPrototype::createStructure): Deleted.
920         (JSC::MapPrototype::MapPrototype): Deleted.
921         * runtime/MathObject.h:
922         (JSC::MathObject::create): Deleted.
923         (JSC::MathObject::createStructure): Deleted.
924         * runtime/ModuleLoaderPrototype.h:
925         (JSC::ModuleLoaderPrototype::create): Deleted.
926         (JSC::ModuleLoaderPrototype::createStructure): Deleted.
927         * runtime/NativeErrorConstructor.h:
928         (JSC::NativeErrorConstructor::create): Deleted.
929         (JSC::NativeErrorConstructor::createStructure): Deleted.
930         (JSC::NativeErrorConstructor::errorStructure): Deleted.
931         * runtime/NativeErrorPrototype.h:
932         (JSC::NativeErrorPrototype::create): Deleted.
933         * runtime/NativeStdFunctionCell.h:
934         (JSC::NativeStdFunctionCell::createStructure): Deleted.
935         (JSC::NativeStdFunctionCell::function const): Deleted.
936         * runtime/NullGetterFunction.h:
937         (JSC::NullGetterFunction::create): Deleted.
938         (JSC::NullGetterFunction::createStructure): Deleted.
939         * runtime/NullSetterFunction.h:
940         (JSC::NullSetterFunction::create): Deleted.
941         (JSC::NullSetterFunction::createStructure): Deleted.
942         * runtime/NumberConstructor.h:
943         (JSC::NumberConstructor::create): Deleted.
944         (JSC::NumberConstructor::createStructure): Deleted.
945         (JSC::NumberConstructor::isIntegerImpl): Deleted.
946         * runtime/NumberPrototype.h:
947         (JSC::NumberPrototype::create): Deleted.
948         (JSC::NumberPrototype::createStructure): Deleted.
949         * runtime/ObjectConstructor.h:
950         (JSC::ObjectConstructor::create): Deleted.
951         (JSC::ObjectConstructor::createStructure): Deleted.
952         * runtime/ObjectPrototype.h:
953         (JSC::ObjectPrototype::createStructure): Deleted.
954         * runtime/ProxyConstructor.h:
955         (JSC::ProxyConstructor::createStructure): Deleted.
956         * runtime/ProxyRevoke.h:
957         (JSC::ProxyRevoke::createStructure): Deleted.
958         (JSC::ProxyRevoke::proxy): Deleted.
959         (JSC::ProxyRevoke::setProxyToNull): Deleted.
960         * runtime/ReflectObject.h:
961         (JSC::ReflectObject::create): Deleted.
962         (JSC::ReflectObject::createStructure): Deleted.
963         * runtime/RegExpConstructor.cpp:
964         (JSC::regExpConstructorDollar):
965         (JSC::regExpConstructorInput):
966         (JSC::regExpConstructorMultiline):
967         (JSC::regExpConstructorLastMatch):
968         (JSC::regExpConstructorLastParen):
969         (JSC::regExpConstructorLeftContext):
970         (JSC::regExpConstructorRightContext):
971         * runtime/RegExpConstructor.h:
972         (JSC::RegExpConstructor::create): Deleted.
973         (JSC::RegExpConstructor::createStructure): Deleted.
974         (JSC::RegExpConstructor::setMultiline): Deleted.
975         (JSC::RegExpConstructor::multiline const): Deleted.
976         (JSC::RegExpConstructor::setInput): Deleted.
977         (JSC::RegExpConstructor::input): Deleted.
978         (JSC::RegExpConstructor::offsetOfCachedResult): Deleted.
979         (JSC::asRegExpConstructor): Deleted.
980         * runtime/RegExpPrototype.h:
981         (JSC::RegExpPrototype::create): Deleted.
982         (JSC::RegExpPrototype::createStructure): Deleted.
983         (JSC::RegExpPrototype::emptyRegExp const): Deleted.
984         * runtime/SetConstructor.h:
985         (JSC::SetConstructor::create): Deleted.
986         (JSC::SetConstructor::createStructure): Deleted.
987         * runtime/SetIteratorPrototype.h:
988         (JSC::SetIteratorPrototype::create): Deleted.
989         (JSC::SetIteratorPrototype::createStructure): Deleted.
990         (JSC::SetIteratorPrototype::SetIteratorPrototype): Deleted.
991         * runtime/SetPrototype.h:
992         (JSC::SetPrototype::create): Deleted.
993         (JSC::SetPrototype::createStructure): Deleted.
994         (JSC::SetPrototype::SetPrototype): Deleted.
995         * runtime/StringConstructor.h:
996         (JSC::StringConstructor::create): Deleted.
997         (JSC::StringConstructor::createStructure): Deleted.
998         * runtime/StringIteratorPrototype.h:
999         (JSC::StringIteratorPrototype::create): Deleted.
1000         (JSC::StringIteratorPrototype::createStructure): Deleted.
1001         (JSC::StringIteratorPrototype::StringIteratorPrototype): Deleted.
1002         * runtime/StringPrototype.h:
1003         (JSC::StringPrototype::createStructure): Deleted.
1004         * runtime/SymbolConstructor.h:
1005         (JSC::SymbolConstructor::create): Deleted.
1006         (JSC::SymbolConstructor::createStructure): Deleted.
1007         * runtime/SymbolObject.h:
1008         (JSC::SymbolObject::create): Deleted.
1009         (JSC::SymbolObject::internalValue const): Deleted.
1010         (JSC::SymbolObject::createStructure): Deleted.
1011         * runtime/SymbolPrototype.h:
1012         (JSC::SymbolPrototype::create): Deleted.
1013         (JSC::SymbolPrototype::createStructure): Deleted.
1014         * runtime/WeakMapConstructor.h:
1015         (JSC::WeakMapConstructor::create): Deleted.
1016         (JSC::WeakMapConstructor::createStructure): Deleted.
1017         * runtime/WeakMapPrototype.h:
1018         (JSC::WeakMapPrototype::create): Deleted.
1019         (JSC::WeakMapPrototype::createStructure): Deleted.
1020         (JSC::WeakMapPrototype::WeakMapPrototype): Deleted.
1021         * runtime/WeakSetConstructor.h:
1022         (JSC::WeakSetConstructor::create): Deleted.
1023         (JSC::WeakSetConstructor::createStructure): Deleted.
1024         * runtime/WeakSetPrototype.h:
1025         (JSC::WeakSetPrototype::create): Deleted.
1026         (JSC::WeakSetPrototype::createStructure): Deleted.
1027         (JSC::WeakSetPrototype::WeakSetPrototype): Deleted.
1028         * tools/JSDollarVM.h:
1029         (JSC::JSDollarVM::createStructure): Deleted.
1030         (JSC::JSDollarVM::create): Deleted.
1031         (JSC::JSDollarVM::JSDollarVM): Deleted.
1032         * wasm/js/JSWebAssembly.h:
1033         * wasm/js/JSWebAssemblyCompileError.h:
1034         (JSC::JSWebAssemblyCompileError::create): Deleted.
1035         * wasm/js/JSWebAssemblyInstance.h:
1036         (JSC::JSWebAssemblyInstance::instance): Deleted.
1037         (JSC::JSWebAssemblyInstance::moduleNamespaceObject): Deleted.
1038         (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee): Deleted.
1039         (JSC::JSWebAssemblyInstance::memory): Deleted.
1040         (JSC::JSWebAssemblyInstance::setMemory): Deleted.
1041         (JSC::JSWebAssemblyInstance::memoryMode): Deleted.
1042         (JSC::JSWebAssemblyInstance::table): Deleted.
1043         (JSC::JSWebAssemblyInstance::setTable): Deleted.
1044         (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): Deleted.
1045         (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee): Deleted.
1046         (JSC::JSWebAssemblyInstance::module const): Deleted.
1047         * wasm/js/JSWebAssemblyLinkError.h:
1048         (JSC::JSWebAssemblyLinkError::create): Deleted.
1049         * wasm/js/JSWebAssemblyMemory.h:
1050         (JSC::JSWebAssemblyMemory::subspaceFor): Deleted.
1051         (JSC::JSWebAssemblyMemory::memory): Deleted.
1052         * wasm/js/JSWebAssemblyModule.h:
1053         * wasm/js/JSWebAssemblyRuntimeError.h:
1054         (JSC::JSWebAssemblyRuntimeError::create): Deleted.
1055         * wasm/js/JSWebAssemblyTable.h:
1056         (JSC::JSWebAssemblyTable::isValidLength): Deleted.
1057         (JSC::JSWebAssemblyTable::maximum const): Deleted.
1058         (JSC::JSWebAssemblyTable::length const): Deleted.
1059         (JSC::JSWebAssemblyTable::allocatedLength const): Deleted.
1060         (JSC::JSWebAssemblyTable::table): Deleted.
1061         * wasm/js/WebAssemblyCompileErrorConstructor.h:
1062         * wasm/js/WebAssemblyCompileErrorPrototype.h:
1063         * wasm/js/WebAssemblyInstanceConstructor.h:
1064         * wasm/js/WebAssemblyInstancePrototype.h:
1065         * wasm/js/WebAssemblyLinkErrorConstructor.h:
1066         * wasm/js/WebAssemblyLinkErrorPrototype.h:
1067         * wasm/js/WebAssemblyMemoryConstructor.h:
1068         * wasm/js/WebAssemblyMemoryPrototype.h:
1069         * wasm/js/WebAssemblyModuleConstructor.h:
1070         * wasm/js/WebAssemblyModulePrototype.h:
1071         * wasm/js/WebAssemblyModuleRecord.h:
1072         * wasm/js/WebAssemblyPrototype.h:
1073         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
1074         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
1075         * wasm/js/WebAssemblyTableConstructor.h:
1076         * wasm/js/WebAssemblyTablePrototype.h:
1077
1078 2018-03-07  Filip Pizlo  <fpizlo@apple.com>
1079
1080         Make it possible to randomize register allocation
1081         https://bugs.webkit.org/show_bug.cgi?id=183416
1082
1083         Reviewed by Keith Miller.
1084         
1085         This is disabled by default for now, because it reveals a regalloc bug in wasm.
1086
1087         * b3/air/AirCode.cpp:
1088         (JSC::B3::Air::Code::Code):
1089         * b3/air/AirCode.h:
1090         (JSC::B3::Air::Code::weakRandom):
1091         * runtime/Options.h:
1092
1093 2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1094
1095         [JSC] Add inherits<T>(VM&) leveraging JSCast fast path
1096         https://bugs.webkit.org/show_bug.cgi?id=183429
1097
1098         Reviewed by Mark Lam.
1099
1100         Add new member functions, JSCell::inherits<T>(VM&) and JSValue::inherits<T>(VM&).
1101         They depend on the jsDynamicCast<T> implementation and leverage the JSType-based fast
1102         paths defined in JSCast.h. We extract the checking part as `JSCastingHelpers::inherit`
1103         and construct jsDynamicCast and JSCell::inherits based on this.
1104
1105         And we remove several unnecessary casting functions (asRegExpObject, asDateInstance etc.).
1106         In addition, we add jsDynamicCast fast path for RegExpObject by using existing RegExpObjectType.
1107
1108         We also fix the implementation of jsDynamicCast for JSObject since it uses LastJSCObjectType.
1109         The embedder can add their extended object types after that.
1110
1111         * API/JSObjectRef.cpp:
1112         (JSObjectGetPrivateProperty):
1113         (JSObjectSetPrivateProperty):
1114         (JSObjectDeletePrivateProperty):
1115         * API/JSValue.mm:
1116         (isDate):
1117         (isArray):
1118         * API/JSValueRef.cpp:
1119         (JSValueIsArray):
1120         (JSValueIsDate):
1121         (JSValueIsObjectOfClass):
1122         * API/JSWeakObjectMapRefPrivate.cpp:
1123         * API/JSWrapperMap.mm:
1124         (tryUnwrapObjcObject):
1125         * API/ObjCCallbackFunction.mm:
1126         (tryUnwrapConstructor):
1127         * dfg/DFGByteCodeParser.cpp:
1128         (JSC::DFG::ByteCodeParser::parseBlock):
1129         * dfg/DFGOperations.cpp:
1130         * ftl/FTLLowerDFGToB3.cpp:
1131         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
1132         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1133         * ftl/FTLOperations.cpp:
1134         (JSC::FTL::operationMaterializeObjectInOSR):
1135         * inspector/JSInjectedScriptHost.cpp:
1136         (Inspector::JSInjectedScriptHost::subtype):
1137         (Inspector::JSInjectedScriptHost::functionDetails):
1138         * inspector/agents/InspectorHeapAgent.cpp:
1139         (Inspector::InspectorHeapAgent::getPreview):
1140         * interpreter/Interpreter.cpp:
1141         (JSC::notifyDebuggerOfUnwinding):
1142         * interpreter/ShadowChicken.cpp:
1143         (JSC::ShadowChicken::update):
1144         * jit/JIT.cpp:
1145         (JSC::JIT::privateCompileMainPass):
1146         * jit/JITOperations.cpp:
1147         (JSC::operationNewFunctionCommon):
1148         * jsc.cpp:
1149         (checkException):
1150         * runtime/BooleanObject.h:
1151         (JSC::asBooleanObject): Deleted.
1152         * runtime/BooleanPrototype.cpp:
1153         (JSC::booleanProtoFuncToString):
1154         (JSC::booleanProtoFuncValueOf):
1155         * runtime/DateConstructor.cpp:
1156         (JSC::constructDate):
1157         * runtime/DateInstance.h:
1158         (JSC::asDateInstance): Deleted.
1159         * runtime/DatePrototype.cpp:
1160         (JSC::formateDateInstance):
1161         (JSC::dateProtoFuncToISOString):
1162         (JSC::dateProtoFuncToLocaleString):
1163         (JSC::dateProtoFuncToLocaleDateString):
1164         (JSC::dateProtoFuncToLocaleTimeString):
1165         (JSC::dateProtoFuncGetTime):
1166         (JSC::dateProtoFuncGetFullYear):
1167         (JSC::dateProtoFuncGetUTCFullYear):
1168         (JSC::dateProtoFuncGetMonth):
1169         (JSC::dateProtoFuncGetUTCMonth):
1170         (JSC::dateProtoFuncGetDate):
1171         (JSC::dateProtoFuncGetUTCDate):
1172         (JSC::dateProtoFuncGetDay):
1173         (JSC::dateProtoFuncGetUTCDay):
1174         (JSC::dateProtoFuncGetHours):
1175         (JSC::dateProtoFuncGetUTCHours):
1176         (JSC::dateProtoFuncGetMinutes):
1177         (JSC::dateProtoFuncGetUTCMinutes):
1178         (JSC::dateProtoFuncGetSeconds):
1179         (JSC::dateProtoFuncGetUTCSeconds):
1180         (JSC::dateProtoFuncGetMilliSeconds):
1181         (JSC::dateProtoFuncGetUTCMilliseconds):
1182         (JSC::dateProtoFuncGetTimezoneOffset):
1183         (JSC::dateProtoFuncSetTime):
1184         (JSC::setNewValueFromTimeArgs):
1185         (JSC::setNewValueFromDateArgs):
1186         (JSC::dateProtoFuncSetYear):
1187         (JSC::dateProtoFuncGetYear):
1188         * runtime/ExceptionHelpers.cpp:
1189         (JSC::isTerminatedExecutionException):
1190         * runtime/FunctionPrototype.cpp:
1191         (JSC::functionProtoFuncToString):
1192         * runtime/InternalFunction.h:
1193         (JSC::asInternalFunction):
1194         * runtime/JSArray.h:
1195         (JSC::asArray):
1196         * runtime/JSCJSValue.cpp:
1197         (JSC::JSValue::dumpForBacktrace const):
1198         * runtime/JSCJSValue.h:
1199         * runtime/JSCJSValueInlines.h:
1200         (JSC::JSValue::inherits const):
1201         * runtime/JSCast.h:
1202         (JSC::JSCastingHelpers::inheritsGenericImpl):
1203         (JSC::JSCastingHelpers::inheritsJSTypeImpl):
1204         (JSC::JSCastingHelpers::InheritsTraits::inherits):
1205         (JSC::JSCastingHelpers::inherits):
1206         (JSC::jsDynamicCast):
1207         (JSC::JSCastingHelpers::jsDynamicCastGenericImpl): Deleted.
1208         (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl): Deleted.
1209         (JSC::JSCastingHelpers::JSDynamicCastTraits::cast): Deleted.
1210         * runtime/JSCell.h:
1211         * runtime/JSCellInlines.h:
1212         (JSC::JSCell::inherits const):
1213         * runtime/JSFunction.cpp:
1214         (JSC::RetrieveCallerFunctionFunctor::operator() const):
1215         (JSC::JSFunction::callerGetter):
1216         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1217         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1218         * runtime/JSGlobalObject.cpp:
1219         (JSC::enqueueJob):
1220         * runtime/JSGlobalObject.h:
1221         (JSC::asGlobalObject): Deleted.
1222         * runtime/JSInternalPromiseDeferred.cpp:
1223         (JSC::JSInternalPromiseDeferred::create):
1224         * runtime/JSLexicalEnvironment.h:
1225         (JSC::asActivation):
1226         * runtime/JSONObject.cpp:
1227         (JSC::unwrapBoxedPrimitive):
1228         (JSC::Stringifier::Stringifier):
1229         (JSC::Walker::walk):
1230         * runtime/JSPromise.cpp:
1231         (JSC::JSPromise::resolve):
1232         * runtime/JSPromiseDeferred.cpp:
1233         (JSC::JSPromiseDeferred::create):
1234         * runtime/JSType.h:
1235         * runtime/ProxyObject.h:
1236         (JSC::ProxyObject::create): Deleted.
1237         (JSC::ProxyObject::createStructure): Deleted.
1238         (JSC::ProxyObject::target const): Deleted.
1239         (JSC::ProxyObject::handler const): Deleted.
1240         * runtime/RegExpConstructor.cpp:
1241         (JSC::constructRegExp):
1242         * runtime/RegExpConstructor.h:
1243         (JSC::asRegExpConstructor):
1244         (JSC::isRegExp):
1245         * runtime/RegExpObject.cpp:
1246         (JSC::RegExpObject::finishCreation):
1247         (JSC::RegExpObject::getOwnPropertySlot):
1248         (JSC::RegExpObject::defineOwnProperty):
1249         (JSC::regExpObjectSetLastIndexStrict):
1250         (JSC::regExpObjectSetLastIndexNonStrict):
1251         (JSC::RegExpObject::put):
1252         * runtime/RegExpObject.h:
1253         (JSC::RegExpObject::create): Deleted.
1254         (JSC::RegExpObject::setRegExp): Deleted.
1255         (JSC::RegExpObject::regExp const): Deleted.
1256         (JSC::RegExpObject::setLastIndex): Deleted.
1257         (JSC::RegExpObject::getLastIndex const): Deleted.
1258         (JSC::RegExpObject::test): Deleted.
1259         (JSC::RegExpObject::testInline): Deleted.
1260         (JSC::RegExpObject::createStructure): Deleted.
1261         (JSC::RegExpObject::offsetOfRegExp): Deleted.
1262         (JSC::RegExpObject::offsetOfLastIndex): Deleted.
1263         (JSC::RegExpObject::offsetOfLastIndexIsWritable): Deleted.
1264         (JSC::RegExpObject::allocationSize): Deleted.
1265         (JSC::asRegExpObject): Deleted.
1266         * runtime/RegExpPrototype.cpp:
1267         (JSC::regExpProtoFuncTestFast):
1268         (JSC::regExpProtoFuncExec):
1269         (JSC::regExpProtoFuncMatchFast):
1270         (JSC::regExpProtoFuncCompile):
1271         (JSC::regExpProtoGetterGlobal):
1272         (JSC::regExpProtoGetterIgnoreCase):
1273         (JSC::regExpProtoGetterMultiline):
1274         (JSC::regExpProtoGetterDotAll):
1275         (JSC::regExpProtoGetterSticky):
1276         (JSC::regExpProtoGetterUnicode):
1277         (JSC::regExpProtoGetterSource):
1278         (JSC::regExpProtoFuncSearchFast):
1279         (JSC::regExpProtoFuncSplitFast):
1280         * runtime/StringObject.h:
1281         (JSC::asStringObject): Deleted.
1282         * runtime/StringPrototype.cpp:
1283         (JSC::replaceUsingRegExpSearch):
1284         (JSC::replace):
1285         (JSC::stringProtoFuncReplaceUsingRegExp):
1286         (JSC::stringProtoFuncToString):
1287         * runtime/SymbolPrototype.cpp:
1288         (JSC::symbolProtoFuncToString):
1289         (JSC::symbolProtoFuncValueOf):
1290         * tools/JSDollarVM.cpp:
1291         (WTF::customGetValue):
1292         (WTF::customSetValue):
1293         * wasm/js/JSWebAssemblyHelpers.h:
1294         (JSC::isWebAssemblyHostFunction):
1295         * wasm/js/WebAssemblyWrapperFunction.cpp:
1296         (JSC::WebAssemblyWrapperFunction::create):
1297
1298 2018-03-07  Tim Horton  <timothy_horton@apple.com>
1299
1300         Sort and separate FeatureDefines.xcconfig
1301         https://bugs.webkit.org/show_bug.cgi?id=183427
1302
1303         Reviewed by Dan Bernstein.
1304
1305         * Configurations/FeatureDefines.xcconfig:
1306         Sort and split FeatureDefines into paragraphs
1307         (to make it easier to sort later).
1308
1309 2018-03-07  Keith Miller  <keith_miller@apple.com>
1310
1311         Unreviewed, fix 32-bit build.
1312
1313         * dfg/DFGSpeculativeJIT.cpp:
1314         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1315
1316 2018-03-07  Keith Miller  <keith_miller@apple.com>
1317
1318         Meta-program setupArguments and callOperation
1319         https://bugs.webkit.org/show_bug.cgi?id=183263
1320
1321         Rubber-stamped by Filip Pizlo.
1322
1323         This patch removes all the custom overrides of callOperation and setupArguments
1324         throughout the JITs. In their place there is a new setupArguments that marshalls
1325         the arguments into place based on the type of the operation's function pointer.
1326         There were a couple of design choices in the implementation of setupArguments:
1327
1328         1) We assume that no TrustedImm floating point values are passed.
1329         2) If ExecState* is the first argument the callFrameRegister should be marshalled implicitly.
1330         3) Types should not be implicitly converted (with the exception of DFG::RegisteredStructure -> Structure*)
1331
1332         The new callOperation/setupArguments do their best to make sure
1333         it's hard to call a function with the wrong parameters. They will
1334         only try to pattern match if the types match up with the next
1335         passed argument. Additionally, the base case should static_assert
1336         if the number of inferred arguments does not match the arity of
1337         the operation's function pointer.
1338
1339         * assembler/AbstractMacroAssembler.h:
1340         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
1341         (JSC::AbstractMacroAssembler::TrustedImmPtr::asPtr):
1342         * assembler/MacroAssembler.h:
1343         (JSC::MacroAssembler::poke):
1344         (JSC::MacroAssembler::move):
1345         * assembler/MacroAssemblerARM64.h:
1346         (JSC::MacroAssemblerARM64::swap):
1347         * assembler/MacroAssemblerX86.h:
1348         (JSC::MacroAssemblerX86::storeDouble):
1349         * assembler/MacroAssemblerX86Common.h:
1350         (JSC::MacroAssemblerX86Common::loadDouble):
1351         (JSC::MacroAssemblerX86Common::swap):
1352         (JSC::MacroAssemblerX86Common::move):
1353         * bytecode/AccessCase.cpp:
1354         (JSC::AccessCase::generateImpl):
1355         * bytecode/AccessCaseSnippetParams.cpp:
1356         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1357         * bytecode/PolymorphicAccess.cpp:
1358         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1359         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1360         * dfg/DFGNode.h:
1361         * dfg/DFGOSRExit.cpp:
1362         (JSC::DFG::OSRExit::emitRestoreArguments):
1363         * dfg/DFGOSRExitCompilerCommon.cpp:
1364         (JSC::DFG::osrWriteBarrier):
1365         * dfg/DFGOperations.cpp:
1366         * dfg/DFGOperations.h:
1367         * dfg/DFGSlowPathGenerator.h:
1368         * dfg/DFGSpeculativeJIT.cpp:
1369         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
1370         (JSC::DFG::SpeculativeJIT::compileArithMod):
1371         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1372         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
1373         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1374         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1375         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1376         * dfg/DFGSpeculativeJIT.h:
1377         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
1378         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::operator MacroAssembler::TrustedImm const):
1379         (JSC::DFG::SpeculativeJIT::initConstantInfo):
1380         (JSC::DFG::SpeculativeJIT::callOperation):
1381         (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
1382         (JSC::DFG::SpeculativeJIT::callCustomGetter): Deleted.
1383         * dfg/DFGSpeculativeJIT32_64.cpp:
1384         (JSC::DFG::SpeculativeJIT::cachedGetById):
1385         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1386         (JSC::DFG::SpeculativeJIT::cachedPutById):
1387         (JSC::DFG::SpeculativeJIT::emitCall):
1388         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
1389         (JSC::DFG::SpeculativeJIT::compile):
1390         * dfg/DFGSpeculativeJIT64.cpp:
1391         (JSC::DFG::SpeculativeJIT::emitCall):
1392         (JSC::DFG::SpeculativeJIT::compile):
1393         * ftl/FTLLowerDFGToB3.cpp:
1394         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1395         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1396         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1397         * ftl/FTLOSRExitCompiler.cpp:
1398         (JSC::FTL::compileStub):
1399         * ftl/FTLSlowPathCall.h:
1400         (JSC::FTL::callOperation):
1401         * jit/AssemblyHelpers.cpp:
1402         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1403         * jit/CCallHelpers.cpp:
1404         (JSC::CCallHelpers::ensureShadowChickenPacket):
1405         * jit/CCallHelpers.h:
1406         (JSC::CCallHelpers::setupArgument):
1407         (JSC::CCallHelpers::setupStubArgs):
1408         (JSC::CCallHelpers::ArgCollection::ArgCollection):
1409         (JSC::CCallHelpers::ArgCollection::pushRegArg):
1410         (JSC::CCallHelpers::ArgCollection::addGPRArg):
1411         (JSC::CCallHelpers::ArgCollection::addStackArg):
1412         (JSC::CCallHelpers::ArgCollection::addPoke):
1413         (JSC::CCallHelpers::ArgCollection::argCount):
1414         (JSC::CCallHelpers::clampArrayToSize):
1415         (JSC::CCallHelpers::pokeForArgument):
1416         (JSC::CCallHelpers::marshallArgumentRegister):
1417         (JSC::CCallHelpers::setupArgumentsImpl):
1418         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
1419         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
1420         (JSC::CCallHelpers::setupArguments):
1421         (JSC::CCallHelpers::prepareForTailCallSlow):
1422         (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
1423         (JSC::CCallHelpers::resetCallArguments): Deleted.
1424         (JSC::CCallHelpers::addCallArgument): Deleted.
1425         (JSC::CCallHelpers::setupArgumentsExecState): Deleted.
1426         (JSC::CCallHelpers::setupTwoStubArgsGPR): Deleted.
1427         (JSC::CCallHelpers::setupThreeStubArgsGPR): Deleted.
1428         (JSC::CCallHelpers::setupFourStubArgsGPR): Deleted.
1429         (JSC::CCallHelpers::setupFiveStubArgsGPR): Deleted.
1430         (JSC::CCallHelpers::setupTwoStubArgsFPR): Deleted.
1431         (JSC::CCallHelpers::setupStubArguments): Deleted.
1432         (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Deleted.
1433         (JSC::CCallHelpers::setupStubArguments134): Deleted.
1434         (JSC::CCallHelpers::setupStubArgsGPR): Deleted.
1435         * jit/FPRInfo.h:
1436         (JSC::toInfoFromReg):
1437         * jit/GPRInfo.h:
1438         (JSC::JSValueRegs::JSValueRegs):
1439         (JSC::toInfoFromReg):
1440         * jit/JIT.h:
1441         (JSC::JIT::callOperation):
1442         (JSC::JIT::callOperationWithProfile):
1443         (JSC::JIT::callOperationWithResult):
1444         (JSC::JIT::callOperationNoExceptionCheck):
1445         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
1446         * jit/JITArithmetic.cpp:
1447         (JSC::JIT::emitMathICFast):
1448         (JSC::JIT::emitMathICSlow):
1449         * jit/JITArithmetic32_64.cpp:
1450         (JSC::JIT::emit_compareAndJumpSlow):
1451         * jit/JITCall32_64.cpp:
1452         (JSC::JIT::compileSetupVarargsFrame):
1453         * jit/JITInlines.h:
1454         (JSC::JIT::callOperation): Deleted.
1455         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
1456         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
1457         * jit/JITOpcodes.cpp:
1458         (JSC::JIT::emit_op_new_array_with_size):
1459         * jit/JITOpcodes32_64.cpp:
1460         (JSC::JIT::emitSlow_op_instanceof):
1461         (JSC::JIT::emitSlow_op_instanceof_custom):
1462         (JSC::JIT::emit_op_set_function_name):
1463         (JSC::JIT::emitSlow_op_eq):
1464         (JSC::JIT::emitSlow_op_neq):
1465         (JSC::JIT::emit_op_throw):
1466         (JSC::JIT::emit_op_switch_imm):
1467         (JSC::JIT::emit_op_switch_char):
1468         (JSC::JIT::emit_op_switch_string):
1469         (JSC::JIT::emitSlow_op_has_indexed_property):
1470         * jit/JITOperations.cpp:
1471         * jit/JITOperations.h:
1472         * jit/JITPropertyAccess.cpp:
1473         (JSC::JIT::emitGetByValWithCachedId):
1474         (JSC::JIT::emitSlow_op_get_by_id):
1475         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1476         (JSC::JIT::emitSlow_op_get_from_scope):
1477         * jit/JITPropertyAccess32_64.cpp:
1478         (JSC::JIT::emit_op_put_by_index):
1479         (JSC::JIT::emit_op_put_setter_by_id):
1480         (JSC::JIT::emit_op_put_getter_setter_by_id):
1481         (JSC::JIT::emit_op_put_getter_by_val):
1482         (JSC::JIT::emit_op_put_setter_by_val):
1483         (JSC::JIT::emit_op_del_by_id):
1484         (JSC::JIT::emit_op_del_by_val):
1485         (JSC::JIT::emitGetByValWithCachedId):
1486         (JSC::JIT::emitSlow_op_get_by_val):
1487         (JSC::JIT::emitPutByValWithCachedId):
1488         (JSC::JIT::emitSlow_op_put_by_val):
1489         (JSC::JIT::emitSlow_op_try_get_by_id):
1490         (JSC::JIT::emitSlow_op_get_by_id):
1491         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1492         (JSC::JIT::emitSlow_op_put_by_id):
1493         (JSC::JIT::emitSlow_op_get_from_scope):
1494         * jit/RegisterSet.h:
1495         (JSC::RegisterSet::RegisterSet):
1496         * jit/ThunkGenerators.cpp:
1497         (JSC::throwExceptionFromCallSlowPathGenerator):
1498         (JSC::slowPathFor):
1499         * jsc.cpp:
1500         (GlobalObject::finishCreation):
1501         (functionBreakpoint):
1502         * runtime/JSCJSValue.h:
1503         * wasm/js/WasmToJS.cpp:
1504         (JSC::Wasm::wasmToJS):
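
The type-driven marshalling this entry describes, as an added toy example in C++ that is not WebKit's code: the parameter list is deduced from the operation's function-pointer type, a leading ExecState* is filled implicitly from the call-frame register, the only implicit conversion is RegisteredStructure -> Structure*, and an arity or type mismatch is a static_assert rather than a miscompiled call. Every name below (GPRReg, FPRReg, TrustedImm32, TrustedImmPtr, Plan, setupArguments, the two Operation aliases) is a constructed stand-in, not JSC's definition.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <type_traits>
#include <utility>
#include <vector>

// Opaque stand-ins for the JSC types named in the entry above (constructed, not JSC's).
struct ExecState; struct Structure; struct JSCell;
struct RegisteredStructure { Structure* structure; };

// Operand kinds a JIT passes: registers and trusted immediates (no floating-point immediates).
struct GPRReg { int index; };
struct FPRReg { int index; };
struct TrustedImm32 { int32_t value; };
template <typename T> struct TrustedImmPtr { T* value; };
// The toy records one line per argument slot instead of emitting machine code.
using Plan = std::vector<std::string>;
inline std::string slotName(std::size_t slot) { return "arg" + std::to_string(slot) + " <- "; }
inline void marshall(Plan& plan, std::size_t slot, GPRReg reg) { plan.push_back(slotName(slot) + "gpr" + std::to_string(reg.index)); }
inline void marshall(Plan& plan, std::size_t slot, FPRReg reg) { plan.push_back(slotName(slot) + "fpr" + std::to_string(reg.index)); }
inline void marshall(Plan& plan, std::size_t slot, TrustedImm32 imm) { plan.push_back(slotName(slot) + "imm32 " + std::to_string(imm.value)); }
template <typename T> void marshall(Plan& plan, std::size_t slot, TrustedImmPtr<T>) { plan.push_back(slotName(slot) + "immptr"); }
inline void marshall(Plan& plan, std::size_t slot, RegisteredStructure) { plan.push_back(slotName(slot) + "Structure* of RegisteredStructure"); }
// Which argument kinds may fill a parameter of type Param. Anything not listed needs an exact
// type match, so no silent int/pointer/double conversions (design choice 3).
template <typename Param, typename Arg> struct CanMarshall : std::is_same<Param, Arg> {};
template <typename Param> struct CanMarshall<Param, GPRReg>
    : std::integral_constant<bool, std::is_integral<Param>::value || std::is_pointer<Param>::value> {};
template <typename Param> struct CanMarshall<Param, FPRReg> : std::is_floating_point<Param> {};
template <typename Param> struct CanMarshall<Param, TrustedImm32> : std::is_integral<Param> {};
template <typename Param, typename T> struct CanMarshall<Param, TrustedImmPtr<T>> : std::is_same<Param, T*> {};
template <> struct CanMarshall<Structure*, RegisteredStructure> : std::true_type {}; // the one allowed conversion

// Deduce the parameter list from the operation's function-pointer type (used in decltype only).
template <typename... Params> struct ParamList {};
template <typename R, typename... Params> ParamList<Params...> paramsOf(R (*)(Params...));

// Design choice 2: a leading ExecState* is filled from the call-frame register, not passed.
template <typename Params> struct ExecStateSplitter { using Remaining = Params; static constexpr bool implicit = false; };
template <typename... Rest> struct ExecStateSplitter<ParamList<ExecState*, Rest...>> {
    using Remaining = ParamList<Rest...>; static constexpr bool implicit = true;
};
template <typename T> struct DependentFalse : std::false_type {};
template <typename Params, typename... Args> struct Marshaller;
// Parameters and arguments run out together: arity matched.
template <> struct Marshaller<ParamList<>> { static void run(Plan&, std::size_t) {} };
// Arguments or parameters left over: an arity mismatch is a compile error, never a bad call.
template <typename Arg, typename... Args> struct Marshaller<ParamList<>, Arg, Args...> {
    static_assert(DependentFalse<Arg>::value, "more arguments than the operation's arity");
    static void run(Plan&, std::size_t, Arg, Args...) {}
};
template <typename Param, typename... Params> struct Marshaller<ParamList<Param, Params...>> {
    static_assert(DependentFalse<Param>::value, "fewer arguments than the operation's arity");
    static void run(Plan&, std::size_t) {}
};
// General step: the next parameter type must accept the next passed argument.
template <typename Param, typename... Params, typename Arg, typename... Args>
struct Marshaller<ParamList<Param, Params...>, Arg, Args...> {
    static_assert(CanMarshall<Param, Arg>::value, "argument does not match the operation's parameter type");
    static void run(Plan& plan, std::size_t slot, Arg arg, Args... args)
    {
        marshall(plan, slot, arg);
        Marshaller<ParamList<Params...>, Args...>::run(plan, slot + 1, args...);
    }
};

template <typename OperationType, typename... Args>
Plan setupArguments(Args... args)
{
    using Split = ExecStateSplitter<decltype(paramsOf(std::declval<OperationType>()))>;
    Plan plan;
    std::size_t slot = 0;
    if (Split::implicit) {
        plan.push_back(slotName(0) + "callFrameRegister");
        slot = 1;
    }
    Marshaller<typename Split::Remaining, Args...>::run(plan, slot, args...);
    return plan;
}
// Constructed operation signatures in the style of JIT operations.
using OperationWithExecState = JSCell* (*)(ExecState*, int32_t, Structure*);
using OperationWithoutExecState = void (*)(const char*, double);
static const char kLabel[] = "constructed";

Plan planWithExecState()
{   // ExecState* is not passed by the caller; slot 0 comes from the call-frame register.
    return setupArguments<OperationWithExecState>(TrustedImm32 { 42 }, RegisteredStructure { nullptr });
}

Plan planWithoutExecState()
{
    return setupArguments<OperationWithoutExecState>(TrustedImmPtr<const char> { kLabel }, FPRReg { 1 });
}
// Each of these is rejected by a static_assert instead of being miscompiled:
//   setupArguments<OperationWithExecState>(TrustedImm32 { 42 });                       // too few arguments
//   setupArguments<OperationWithExecState>(GPRReg { 0 }, GPRReg { 1 }, GPRReg { 2 });  // too many
//   setupArguments<OperationWithoutExecState>(GPRReg { 0 }, TrustedImm32 { 1 });       // int immediate for a double
```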
1505
1506 2018-03-07  Mark Lam  <mark.lam@apple.com>
1507
1508         Rename ProtoCallFrame::arityMissMatch to hasArityMismatch.
1509         https://bugs.webkit.org/show_bug.cgi?id=183414
1510         <rdar://problem/38231678>
1511
1512         Reviewed by Michael Saboff.
1513
1514         * interpreter/ProtoCallFrame.cpp:
1515         (JSC::ProtoCallFrame::init):
1516         * interpreter/ProtoCallFrame.h:
1517
1518 2018-03-07  Mark Lam  <mark.lam@apple.com>
1519
1520         Simplify the variants of FunctionPtr constructors.
1521         https://bugs.webkit.org/show_bug.cgi?id=183399
1522         <rdar://problem/38212980>
1523
1524         Reviewed by Yusuke Suzuki.
1525
1526         * assembler/MacroAssemblerCodeRef.h:
1527         (JSC::FunctionPtr::FunctionPtr):
1528
1529 2018-03-06  Filip Pizlo  <fpizlo@apple.com>
1530
1531         MarkedArgumentsBuffer should allocate from the JSValue Gigacage
1532         https://bugs.webkit.org/show_bug.cgi?id=183377
1533
1534         Reviewed by Michael Saboff.
1535         
1536         That prevents it from being used to pivot a UAF on malloc memory into corruption in the JS heap.
1537
1538         * runtime/ArgList.cpp:
1539         (JSC::MarkedArgumentBuffer::expandCapacity):
1540
1541 2018-03-07  Mark Lam  <mark.lam@apple.com>
1542
1543         Add support for ARM64E.
1544         https://bugs.webkit.org/show_bug.cgi?id=183398
1545         <rdar://problem/38212621>
1546
1547         Reviewed by Michael Saboff.
1548
1549         * assembler/MacroAssembler.h:
1550         * llint/LLIntOfflineAsmConfig.h:
1551         * llint/LowLevelInterpreter.asm:
1552         * llint/LowLevelInterpreter64.asm:
1553         * offlineasm/backends.rb:
1554
1555 2018-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1556
1557         HTML `pattern` attribute should set `u` flag for regular expressions
1558         https://bugs.webkit.org/show_bug.cgi?id=151598
1559
1560         Reviewed by Chris Dumez.
1561
1562         Add UnicodeMode for JSC::Yarr::RegularExpression.
1563
1564         * yarr/RegularExpression.cpp:
1565         (JSC::Yarr::RegularExpression::Private::create):
1566         (JSC::Yarr::RegularExpression::Private::Private):
1567         (JSC::Yarr::RegularExpression::Private::compile):
1568         (JSC::Yarr::RegularExpression::RegularExpression):
1569         * yarr/RegularExpression.h:
1570
1571 2018-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1572
1573         [JSC] Add more JSType based fast path for jsDynamicCast
1574         https://bugs.webkit.org/show_bug.cgi?id=183403
1575
1576         Reviewed by Mark Lam.
1577
1578         We add more JSType based fast paths for jsDynamicCast. Basically, we add miscellaneous JSTypes which
1579         are used for jsDynamicCast in JSC, arguments types, and scope types.
1580
1581         We also add ClassInfo to JSScope and JSSegmentedVariableObject since they are used with jsDynamicCast.
1582
1583         * jit/JITOperations.cpp:
1584         * llint/LLIntSlowPaths.cpp:
1585         (JSC::LLInt::setUpCall):
1586         * runtime/ClonedArguments.h:
1587         (JSC::ClonedArguments::specialsMaterialized const): Deleted.
1588         * runtime/DirectArguments.h:
1589         (JSC::DirectArguments::subspaceFor): Deleted.
1590         (JSC::DirectArguments::internalLength const): Deleted.
1591         (JSC::DirectArguments::length const): Deleted.
1592         (JSC::DirectArguments::isMappedArgument const): Deleted.
1593         (JSC::DirectArguments::isMappedArgumentInDFG const): Deleted.
1594         (JSC::DirectArguments::getIndexQuickly const): Deleted.
1595         (JSC::DirectArguments::setIndexQuickly): Deleted.
1596         (JSC::DirectArguments::callee): Deleted.
1597         (JSC::DirectArguments::argument): Deleted.
1598         (JSC::DirectArguments::overrodeThings const): Deleted.
1599         (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
1600         (JSC::DirectArguments::setModifiedArgumentDescriptor): Deleted.
1601         (JSC::DirectArguments::isModifiedArgumentDescriptor): Deleted.
1602         (JSC::DirectArguments::offsetOfCallee): Deleted.
1603         (JSC::DirectArguments::offsetOfLength): Deleted.
1604         (JSC::DirectArguments::offsetOfMinCapacity): Deleted.
1605         (JSC::DirectArguments::offsetOfMappedArguments): Deleted.
1606         (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor): Deleted.
1607         (JSC::DirectArguments::storageOffset): Deleted.
1608         (JSC::DirectArguments::offsetOfSlot): Deleted.
1609         (JSC::DirectArguments::allocationSize): Deleted.
1610         (JSC::DirectArguments::storage): Deleted.
1611         * runtime/JSCast.h:
1612         * runtime/JSGlobalLexicalEnvironment.h:
1613         (JSC::JSGlobalLexicalEnvironment::create): Deleted.
1614         (JSC::JSGlobalLexicalEnvironment::isEmpty const): Deleted.
1615         (JSC::JSGlobalLexicalEnvironment::createStructure): Deleted.
1616         (JSC::JSGlobalLexicalEnvironment::JSGlobalLexicalEnvironment): Deleted.
1617         * runtime/JSGlobalObject.cpp:
1618         (JSC::JSGlobalObject::finishCreation):
1619         * runtime/JSMap.h:
1620         (JSC::isJSMap): Deleted.
1621         * runtime/JSModuleEnvironment.h:
1622         (JSC::JSModuleEnvironment::create): Deleted.
1623         (JSC::JSModuleEnvironment::createStructure): Deleted.
1624         (JSC::JSModuleEnvironment::offsetOfModuleRecord): Deleted.
1625         (JSC::JSModuleEnvironment::allocationSize): Deleted.
1626         (JSC::JSModuleEnvironment::moduleRecord): Deleted.
1627         (JSC::JSModuleEnvironment::moduleRecordSlot): Deleted.
1628         * runtime/JSObject.cpp:
1629         (JSC::canDoFastPutDirectIndex):
1630         (JSC::JSObject::defineOwnIndexedProperty):
1631         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1632         * runtime/JSObject.h:
1633         (JSC::JSFinalObject::allocationSize): Deleted.
1634         (JSC::JSFinalObject::typeInfo): Deleted.
1635         (JSC::JSFinalObject::defaultInlineCapacity): Deleted.
1636         (JSC::JSFinalObject::maxInlineCapacity): Deleted.
1637         (JSC::JSFinalObject::createStructure): Deleted.
1638         (JSC::JSFinalObject::finishCreation): Deleted.
1639         (JSC::JSFinalObject::JSFinalObject): Deleted.
1640         (JSC::isJSFinalObject): Deleted.
1641         * runtime/JSScope.cpp:
1642         * runtime/JSScope.h:
1643         * runtime/JSSegmentedVariableObject.cpp:
1644         * runtime/JSSegmentedVariableObject.h:
1645         * runtime/JSSet.h:
1646         (JSC::isJSSet): Deleted.
1647         * runtime/JSType.h:
1648         * runtime/JSWeakMap.h:
1649         (JSC::isJSWeakMap): Deleted.
1650         * runtime/JSWeakSet.h:
1651         (JSC::isJSWeakSet): Deleted.
1652         * runtime/JSWithScope.h:
1653         (JSC::JSWithScope::object): Deleted.
1654         * runtime/MapConstructor.cpp:
1655         (JSC::constructMap):
1656         (JSC::mapPrivateFuncMapBucketHead):
1657         * runtime/MapPrototype.cpp:
1658         (JSC::getMap):
1659         * runtime/NumberObject.cpp:
1660         (JSC::NumberObject::finishCreation):
1661         * runtime/NumberPrototype.cpp:
1662         (JSC::toThisNumber):
1663         (JSC::numberProtoFuncToExponential):
1664         (JSC::numberProtoFuncToFixed):
1665         (JSC::numberProtoFuncToPrecision):
1666         (JSC::numberProtoFuncToString):
1667         (JSC::numberProtoFuncToLocaleString):
1668         (JSC::numberProtoFuncValueOf):
1669         * runtime/ObjectConstructor.cpp:
1670         (JSC::objectConstructorSeal):
1671         (JSC::objectConstructorFreeze):
1672         (JSC::objectConstructorIsSealed):
1673         (JSC::objectConstructorIsFrozen):
1674         * runtime/ProxyObject.cpp:
1675         (JSC::ProxyObject::finishCreation):
1676         * runtime/ScopedArguments.h:
1677         (JSC::ScopedArguments::subspaceFor): Deleted.
1678         (JSC::ScopedArguments::internalLength const): Deleted.
1679         (JSC::ScopedArguments::length const): Deleted.
1680         (JSC::ScopedArguments::isMappedArgument const): Deleted.
1681         (JSC::ScopedArguments::isMappedArgumentInDFG const): Deleted.
1682         (JSC::ScopedArguments::getIndexQuickly const): Deleted.
1683         (JSC::ScopedArguments::setIndexQuickly): Deleted.
1684         (JSC::ScopedArguments::callee): Deleted.
1685         (JSC::ScopedArguments::overrodeThings const): Deleted.
1686         (JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
1687         (JSC::ScopedArguments::setModifiedArgumentDescriptor): Deleted.
1688         (JSC::ScopedArguments::isModifiedArgumentDescriptor): Deleted.
1689         (JSC::ScopedArguments::offsetOfOverrodeThings): Deleted.
1690         (JSC::ScopedArguments::offsetOfTotalLength): Deleted.
1691         (JSC::ScopedArguments::offsetOfTable): Deleted.
1692         (JSC::ScopedArguments::offsetOfScope): Deleted.
1693         (JSC::ScopedArguments::overflowStorageOffset): Deleted.
1694         (JSC::ScopedArguments::allocationSize): Deleted.
1695         (JSC::ScopedArguments::overflowStorage const): Deleted.
1696         * runtime/SetConstructor.cpp:
1697         (JSC::constructSet):
1698         (JSC::setPrivateFuncSetBucketHead):
1699         * runtime/SetPrototype.cpp:
1700         (JSC::getSet):
1701         * runtime/StrictEvalActivation.h:
1702         (JSC::StrictEvalActivation::create): Deleted.
1703         (JSC::StrictEvalActivation::createStructure): Deleted.
1704         * runtime/WeakMapPrototype.cpp:
1705         (JSC::getWeakMap):
1706         * runtime/WeakSetPrototype.cpp:
1707         (JSC::getWeakSet):
1708
1709 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
1710
1711         [ARM] offlineasm: fix indentation in armOpcodeReversedOperands
1712         https://bugs.webkit.org/show_bug.cgi?id=183400
1713
1714         Reviewed by Mark Lam.
1715
1716         * offlineasm/arm.rb:
1717
1718 2018-03-06  Mark Lam  <mark.lam@apple.com>
1719
1720         Prepare LLInt code to support pointer profiling.
1721         https://bugs.webkit.org/show_bug.cgi?id=183387
1722         <rdar://problem/38199678>
1723
1724         Reviewed by JF Bastien.
1725
1726         1. Introduced PtrTag enums for supporting pointer profiling later.
1727
1728         2. Also introduced tagging, untagging, retagging, and tag removal placeholder
1729            template functions for the same purpose.
1730
1731         3. Prepare the offlineasm for supporting pointer profiling later.
1732
1733         4. Tagged some pointers in LLInt asm code.  Currently, these should have no
1734            effect on behavior.
1735
1736         5. Removed returnToThrowForThrownException() because it is not used anywhere.
1737
1738         6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
1739            easier to view and edit these files in Xcode.
1740
1741         * CMakeLists.txt:
1742         * JavaScriptCore.xcodeproj/project.pbxproj:
1743         * bytecode/LLIntCallLinkInfo.h:
1744         (JSC::LLIntCallLinkInfo::unlink):
1745         * llint/LLIntData.cpp:
1746         (JSC::LLInt::initialize):
1747         * llint/LLIntData.h:
1748         * llint/LLIntExceptions.cpp:
1749         (JSC::LLInt::returnToThrowForThrownException): Deleted.
1750         * llint/LLIntExceptions.h:
1751         * llint/LLIntOfflineAsmConfig.h:
1752         * llint/LLIntOffsetsExtractor.cpp:
1753         * llint/LLIntPCRanges.h:
1754         (JSC::LLInt::isLLIntPC):
1755         * llint/LLIntSlowPaths.cpp:
1756         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1757         (JSC::LLInt::handleHostCall):
1758         (JSC::LLInt::setUpCall):
1759         * llint/LowLevelInterpreter.asm:
1760         * llint/LowLevelInterpreter32_64.asm:
1761         * llint/LowLevelInterpreter64.asm:
1762         * offlineasm/ast.rb:
1763         * offlineasm/instructions.rb:
1764         * offlineasm/risc.rb:
1765         * runtime/PtrTag.h: Added.
1766         (JSC::uniquePtrTagID):
1767         (JSC::ptrTag):
1768         (JSC::tagCodePtr):
1769         (JSC::untagCodePtr):
1770         (JSC::retagCodePtr):
1771         (JSC::removeCodePtrTag):
1772
1773 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
1774
1775         [ARM] Assembler warnings: "use of r13 is deprecated"
1776         https://bugs.webkit.org/show_bug.cgi?id=183286
1777
1778         Reviewed by Mark Lam.
1779
1780         Usage of sp/r13 as operand Rm is deprecated on ARM. offlineasm
1781         sometimes generates assembly code that triggers this warning. Prevent
1782         this by simply switching operands.
1783
1784         * offlineasm/arm.rb:
1785
1786 2018-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1787
1788         Unreviewed, fix incorrect assertion after r229309
1789         https://bugs.webkit.org/show_bug.cgi?id=182975
1790
1791         * runtime/TypeProfilerLog.cpp:
1792         (JSC::TypeProfilerLog::TypeProfilerLog):
1793
1794 2018-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1795
1796         Fix std::make_unique / new[] using system malloc
1797         https://bugs.webkit.org/show_bug.cgi?id=182975
1798
1799         Reviewed by JF Bastien.
1800
1801         Use Vector, FAST_ALLOCATED, or UniqueArray instead.
1802
1803         * API/JSStringRefCF.cpp:
1804         (JSStringCreateWithCFString):
1805         * bytecode/BytecodeKills.h:
1806         * bytecode/BytecodeLivenessAnalysis.cpp:
1807         (JSC::BytecodeLivenessAnalysis::computeKills):
1808         * dfg/DFGDisassembler.cpp:
1809         (JSC::DFG::Disassembler::dumpDisassembly):
1810         * jit/PolymorphicCallStubRoutine.cpp:
1811         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1812         * jit/PolymorphicCallStubRoutine.h:
1813         * jit/Repatch.cpp:
1814         (JSC::linkPolymorphicCall):
1815         * jsc.cpp:
1816         (currentWorkingDirectory):
1817         * llint/LLIntData.cpp:
1818         (JSC::LLInt::initialize):
1819         * llint/LLIntData.h:
1820         * runtime/ArgList.h:
1821         * runtime/StructureChain.h:
1822         * runtime/StructureIDTable.cpp:
1823         (JSC::StructureIDTable::StructureIDTable):
1824         (JSC::StructureIDTable::resize):
1825         * runtime/StructureIDTable.h:
1826         * runtime/TypeProfilerLog.cpp:
1827         (JSC::TypeProfilerLog::TypeProfilerLog):
1828         (JSC::TypeProfilerLog::initializeLog): Deleted.
1829         * runtime/TypeProfilerLog.h:
1830         (JSC::TypeProfilerLog::TypeProfilerLog): Deleted.
1831         * runtime/VM.cpp:
1832         (JSC::VM::~VM):
1833         (JSC::VM::acquireRegExpPatternContexBuffer):
1834         * runtime/VM.h:
1835         * testRegExp.cpp:
1836         (runFromFiles):
1837         * tools/HeapVerifier.cpp:
1838         (JSC::HeapVerifier::HeapVerifier):
1839         * tools/HeapVerifier.h:
1840
1841 2018-03-05  Mark Lam  <mark.lam@apple.com>
1842
1843         JITThunk functions should only be called when the JIT is enabled.
1844         https://bugs.webkit.org/show_bug.cgi?id=183351
1845         <rdar://problem/38160091>
1846
1847         Reviewed by Keith Miller.
1848
1849         * jit/JITThunks.cpp:
1850         (JSC::JITThunks::ctiNativeCall):
1851         (JSC::JITThunks::ctiNativeConstruct):
1852         (JSC::JITThunks::ctiInternalFunctionCall):
1853         (JSC::JITThunks::ctiInternalFunctionConstruct):
1854         * runtime/VM.cpp:
1855         (JSC::VM::VM):
1856         (JSC::VM::getCTIInternalFunctionTrampolineFor):
1857
1858 2018-03-05  Mark Lam  <mark.lam@apple.com>
1859
1860         Gardening: build fix.
1861
1862         Not reviewed.
1863
1864         * interpreter/AbstractPC.h:
1865         (JSC::AbstractPC::AbstractPC):
1866
1867 2018-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1868
1869         [JSC] Use WTF::ArithmeticOperations for CLoop overflow operations
1870         https://bugs.webkit.org/show_bug.cgi?id=183324
1871
1872         Reviewed by JF Bastien.
1873
1874         We have WTF::ArithmeticOperations which has operations with overflow checking.
1875         This is suitable for CLoop's overflow checking operations. This patch emits
1876         WTF::ArithmeticOperations for CLoop's overflow checking operations, and it is
1877         lowered to optimized code using the CPU's overflow flag.
1878
1879         * offlineasm/cloop.rb:
1880
1881 2018-03-05  Don Olmstead  <don.olmstead@sony.com>
1882
1883         [CMake] Split JSC header copying into public and private targets
1884         https://bugs.webkit.org/show_bug.cgi?id=183251
1885
1886         Reviewed by Konstantin Tokarev.
1887
1888         * CMakeLists.txt:
1889
1890 2018-03-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1891
1892         [WTF] Move currentCPUTime and sleep(Seconds) to CPUTime.h and Seconds.h respectively
1893         https://bugs.webkit.org/show_bug.cgi?id=183312
1894
1895         Reviewed by Mark Lam.
1896
1897         Remove wtf/CurrentTime.h include pragma.
1898
1899         * API/tests/ExecutionTimeLimitTest.cpp:
1900         (currentCPUTimeAsJSFunctionCallback):
1901         (testExecutionTimeLimit):
1902         * bytecode/SuperSampler.cpp:
1903         * dfg/DFGPlan.cpp:
1904         * heap/BlockDirectory.cpp:
1905         * heap/Heap.cpp:
1906         * heap/IncrementalSweeper.cpp:
1907         * inspector/agents/InspectorConsoleAgent.cpp:
1908         * inspector/agents/InspectorRuntimeAgent.cpp:
1909         * profiler/ProfilerDatabase.cpp:
1910         * runtime/CodeCache.h:
1911         * runtime/JSDateMath.cpp:
1912         * runtime/TypeProfilerLog.cpp:
1913         * runtime/VM.cpp:
1914         * runtime/Watchdog.cpp:
1915         (JSC::Watchdog::shouldTerminate):
1916         (JSC::Watchdog::startTimer):
1917         * testRegExp.cpp:
1918         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1919
1920 2018-03-04  Tim Horton  <timothy_horton@apple.com>
1921
1922         Make !ENABLE(DATA_DETECTION) iOS build actually succeed
1923         https://bugs.webkit.org/show_bug.cgi?id=183283
1924         <rdar://problem/38062148>
1925
1926         Reviewed by Sam Weinig.
1927
1928         * Configurations/FeatureDefines.xcconfig:
1929
1930 2018-03-02  Mark Lam  <mark.lam@apple.com>
1931
1932         Make the LLInt probe work for ARM64.
1933         https://bugs.webkit.org/show_bug.cgi?id=183298
1934         <rdar://problem/38077413>
1935
1936         Reviewed by Filip Pizlo.
1937
1938         * llint/LowLevelInterpreter.asm:
1939
1940 2018-03-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1941
1942         [JSC] Annotate more classes with WTF_MAKE_FAST_ALLOCATED
1943         https://bugs.webkit.org/show_bug.cgi?id=183279
1944
1945         Reviewed by JF Bastien.
1946
1947         * bytecode/BytecodeIntrinsicRegistry.h:
1948         * ftl/FTLThunks.h:
1949         * heap/CodeBlockSet.h:
1950         * heap/GCSegmentedArray.h:
1951         * heap/MachineStackMarker.h:
1952         * heap/MarkingConstraintSet.h:
1953
1954 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1955
1956         Remove monotonicallyIncreasingTime
1957         https://bugs.webkit.org/show_bug.cgi?id=182911
1958
1959         Reviewed by Michael Catanzaro.
1960
1961         * debugger/Debugger.cpp:
1962         (JSC::Debugger::willEvaluateScript):
1963         (JSC::Debugger::didEvaluateScript):
1964         * debugger/Debugger.h:
1965         * debugger/ScriptProfilingScope.h:
1966         * inspector/agents/InspectorDebuggerAgent.cpp:
1967         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
1968         * inspector/agents/InspectorHeapAgent.cpp:
1969         (Inspector::InspectorHeapAgent::snapshot):
1970         (Inspector::InspectorHeapAgent::didGarbageCollect):
1971         (Inspector::InspectorHeapAgent::dispatchGarbageCollectedEvent):
1972         * inspector/agents/InspectorHeapAgent.h:
1973         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1974         (Inspector::InspectorScriptProfilerAgent::startTracking):
1975         (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
1976         (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
1977         (Inspector::InspectorScriptProfilerAgent::addEvent):
1978         (Inspector::buildSamples):
1979         * inspector/agents/InspectorScriptProfilerAgent.h:
1980         * runtime/SamplingProfiler.cpp:
1981         (JSC::SamplingProfiler::takeSample):
1982         * runtime/SamplingProfiler.h:
1983
1984 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1985
1986         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
1987         https://bugs.webkit.org/show_bug.cgi?id=183173
1988
1989         Reviewed by Saam Barati.
1990
1991         Classifier could propagate an error which does not occur at the first token
1992         of the given expression. We should check whether the given token is "async"
1993         instead of asserting it.
1994
1995         * parser/Parser.cpp:
1996         (JSC::Parser<LexerType>::parseAssignmentExpression):
1997
1998 2018-03-01  Saam Barati  <sbarati@apple.com>
1999
2000         We need to clear cached structures when having a bad time
2001         https://bugs.webkit.org/show_bug.cgi?id=183256
2002         <rdar://problem/36245022>
2003
2004         Reviewed by Mark Lam.
2005
2006         This patch makes both InternalFunctionAllocationProfile and the VM's
2007         structure cache having-a-bad-time aware. For InternalFunctionAllocationProfile,
2008         we clear them when they'd produce an object with a bad indexing type.
2009         For the VM's Structure cache, we conservatively clear the entire cache 
2010         since it may be housing Structures with bad indexing types.
2011
2012         * runtime/FunctionRareData.h:
2013         (JSC::FunctionRareData::clearInternalFunctionAllocationProfile):
2014         * runtime/JSGlobalObject.cpp:
2015         (JSC::JSGlobalObject::haveABadTime):
2016         * runtime/StructureCache.h:
2017         (JSC::StructureCache::clear):
2018
2019 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2020
2021         Unreviewed, fix exception check for ExceptionScope
2022         https://bugs.webkit.org/show_bug.cgi?id=183175
2023
2024         * jsc.cpp:
2025         (GlobalObject::moduleLoaderFetch):
2026
2027 2018-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
2028
2029         [ARM] Fix compile error in debug builds by invoking unpoisoned().
2030
2031         Reviewed by Mark Lam.
2032
2033         * assembler/MacroAssemblerCodeRef.h:
2034         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): Fix compile error.
2035         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress()): Ditto.
2036         (JSC::MacroAssemblerCodePtr::dataLocation()): Ditto.
2037         * yarr/YarrInterpreter.cpp:
2038         (JSC::Yarr::ByteCompiler::dumpDisjunction): use %zu for printf'ing size_t.
2039
2040 2018-02-28  JF Bastien  <jfbastien@apple.com>
2041
2042         GC should sweep code block before deleting
2043         https://bugs.webkit.org/show_bug.cgi?id=183229
2044         <rdar://problem/32767615>
2045
2046         Reviewed by Saam Barati, Fil Pizlo.
2047
2048         Stub routines shouldn't get deleted before codeblocks have been
2049         swept, otherwise there's a small race window where the codeblock
2050         thinks it's still reachable.
2051
2052         * heap/Heap.cpp:
2053         (JSC::Heap::deleteUnmarkedCompiledCode):
2054         (JSC::Heap::sweepInFinalize):
2055
2056 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2057
2058         JSC crash with `import("")`
2059         https://bugs.webkit.org/show_bug.cgi?id=183175
2060
2061         Reviewed by Saam Barati.
2062
2063         Add a file existence and file type check to the module loader implementation in jsc.cpp.
2064         This is not TOCTOU-safe, but it is OK since this functionality is used by the
2065         JSC shell (jsc.cpp) for testing purposes.
2066
2067         * jsc.cpp:
2068         (fillBufferWithContentsOfFile):
2069         (fetchModuleFromLocalFileSystem):
2070
2071 2018-02-27  Keith Miller  <keith_miller@apple.com>
2072
2073         Replace TrustedImmPtr(0) with TrustedImmPtr(nullptr)
2074         https://bugs.webkit.org/show_bug.cgi?id=183195
2075
2076         Reviewed by Mark Lam.
2077
2078         * assembler/AbstractMacroAssembler.h:
2079         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
2080         * assembler/MacroAssembler.h:
2081         (JSC::MacroAssembler::patchableBranchPtr):
2082         (JSC::MacroAssembler::patchableBranchPtrWithPatch):
2083         * assembler/MacroAssemblerARM.h:
2084         (JSC::MacroAssemblerARM::branchPtrWithPatch):
2085         (JSC::MacroAssemblerARM::storePtrWithPatch):
2086         * assembler/MacroAssemblerARM64.h:
2087         (JSC::MacroAssemblerARM64::call):
2088         (JSC::MacroAssemblerARM64::tailRecursiveCall):
2089         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
2090         (JSC::MacroAssemblerARM64::patchableBranchPtrWithPatch):
2091         (JSC::MacroAssemblerARM64::storePtrWithPatch):
2092         * assembler/MacroAssemblerARMv7.h:
2093         (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
2094         (JSC::MacroAssemblerARMv7::patchableBranchPtr):
2095         (JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch):
2096         (JSC::MacroAssemblerARMv7::storePtrWithPatch):
2097         * assembler/MacroAssemblerMIPS.h:
2098         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
2099         (JSC::MacroAssemblerMIPS::storePtrWithPatch):
2100         * assembler/MacroAssemblerX86.h:
2101         (JSC::MacroAssemblerX86::branchPtrWithPatch):
2102         * assembler/MacroAssemblerX86_64.h:
2103         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
2104         (JSC::MacroAssemblerX86_64::call):
2105         (JSC::MacroAssemblerX86_64::tailRecursiveCall):
2106         (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
2107         (JSC::MacroAssemblerX86_64::branchPtrWithPatch):
2108         * bytecode/AccessCase.cpp:
2109         (JSC::AccessCase::generateImpl):
2110         * dfg/DFGSpeculativeJIT.cpp:
2111         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2112         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
2113         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2114         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2115         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2116         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2117         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2118         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2119         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2120         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2121         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
2122         * dfg/DFGSpeculativeJIT.h:
2123         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
2124         * dfg/DFGSpeculativeJIT32_64.cpp:
2125         (JSC::DFG::SpeculativeJIT::compile):
2126         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2127         * dfg/DFGSpeculativeJIT64.cpp:
2128         (JSC::DFG::SpeculativeJIT::emitCall):
2129         (JSC::DFG::SpeculativeJIT::compile):
2130         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2131         * dfg/DFGThunks.cpp:
2132         (JSC::DFG::osrExitGenerationThunkGenerator):
2133         * ftl/FTLLowerDFGToB3.cpp:
2134         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2135         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2136         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2137         * ftl/FTLThunks.cpp:
2138         (JSC::FTL::genericGenerationThunkGenerator):
2139         * jit/AssemblyHelpers.cpp:
2140         (JSC::AssemblyHelpers::debugCall):
2141         (JSC::AssemblyHelpers::sanitizeStackInline):
2142         * jit/IntrinsicEmitter.cpp:
2143         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
2144         * jit/JITCall.cpp:
2145         (JSC::JIT::compileOpCall):
2146         * jit/JITCall32_64.cpp:
2147         (JSC::JIT::compileOpCall):
2148         * jit/ScratchRegisterAllocator.cpp:
2149         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2150         * wasm/js/WasmToJS.cpp:
2151         (JSC::Wasm::wasmToJS):
2152         * yarr/YarrJIT.cpp:
2153         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
2154         (JSC::Yarr::YarrGenerator::storeToFrameWithPatch):
2155         (JSC::Yarr::YarrGenerator::generate):
2156
2157 2018-02-26  Mark Lam  <mark.lam@apple.com>
2158
2159         Modernize FINALIZE_CODE and peer macros to use __VA_ARGS__ arguments.
2160         https://bugs.webkit.org/show_bug.cgi?id=183159
2161         <rdar://problem/37930837>
2162
2163         Reviewed by Keith Miller.
2164
2165         * assembler/LinkBuffer.h:
2166         * assembler/testmasm.cpp:
2167         (JSC::compile):
2168         * b3/B3Compile.cpp:
2169         (JSC::B3::compile):
2170         * b3/air/testair.cpp:
2171         * b3/testb3.cpp:
2172         (JSC::B3::testEntrySwitchSimple):
2173         (JSC::B3::testEntrySwitchNoEntrySwitch):
2174         (JSC::B3::testEntrySwitchWithCommonPaths):
2175         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
2176         (JSC::B3::testEntrySwitchLoop):
2177         * bytecode/InlineAccess.cpp:
2178         (JSC::linkCodeInline):
2179         (JSC::InlineAccess::rewireStubAsJump):
2180         * bytecode/PolymorphicAccess.cpp:
2181         (JSC::PolymorphicAccess::regenerate):
2182         * dfg/DFGJITFinalizer.cpp:
2183         (JSC::DFG::JITFinalizer::finalize):
2184         (JSC::DFG::JITFinalizer::finalizeFunction):
2185         * dfg/DFGOSRExit.cpp:
2186         (JSC::DFG::OSRExit::compileOSRExit):
2187         * dfg/DFGThunks.cpp:
2188         (JSC::DFG::osrExitThunkGenerator):
2189         (JSC::DFG::osrExitGenerationThunkGenerator):
2190         (JSC::DFG::osrEntryThunkGenerator):
2191         * ftl/FTLJITFinalizer.cpp:
2192         (JSC::FTL::JITFinalizer::finalizeCommon):
2193         * ftl/FTLLazySlowPath.cpp:
2194         (JSC::FTL::LazySlowPath::generate):
2195         * ftl/FTLOSRExitCompiler.cpp:
2196         (JSC::FTL::compileStub):
2197         * ftl/FTLThunks.cpp:
2198         (JSC::FTL::genericGenerationThunkGenerator):
2199         (JSC::FTL::slowPathCallThunkGenerator):
2200         * jit/ExecutableAllocator.cpp:
2201         * jit/JIT.cpp:
2202         (JSC::JIT::link):
2203         * jit/JITMathIC.h:
2204         (JSC::isProfileEmpty):
2205         * jit/JITOpcodes.cpp:
2206         (JSC::JIT::privateCompileHasIndexedProperty):
2207         * jit/JITOpcodes32_64.cpp:
2208         (JSC::JIT::privateCompileHasIndexedProperty):
2209         * jit/JITPropertyAccess.cpp:
2210         (JSC::JIT::stringGetByValStubGenerator):
2211         (JSC::JIT::privateCompileGetByVal):
2212         (JSC::JIT::privateCompileGetByValWithCachedId):
2213         (JSC::JIT::privateCompilePutByVal):
2214         (JSC::JIT::privateCompilePutByValWithCachedId):
2215         * jit/JITPropertyAccess32_64.cpp:
2216         (JSC::JIT::stringGetByValStubGenerator):
2217         * jit/JITStubRoutine.h:
2218         * jit/Repatch.cpp:
2219         (JSC::linkPolymorphicCall):
2220         * jit/SpecializedThunkJIT.h:
2221         (JSC::SpecializedThunkJIT::finalize):
2222         * jit/ThunkGenerators.cpp:
2223         (JSC::throwExceptionFromCallSlowPathGenerator):
2224         (JSC::linkCallThunkGenerator):
2225         (JSC::linkPolymorphicCallThunkGenerator):
2226         (JSC::virtualThunkFor):
2227         (JSC::nativeForGenerator):
2228         (JSC::arityFixupGenerator):
2229         (JSC::unreachableGenerator):
2230         (JSC::boundThisNoArgsFunctionCallGenerator):
2231         * llint/LLIntThunks.cpp:
2232         (JSC::LLInt::generateThunkWithJumpTo):
2233         * wasm/WasmBBQPlan.cpp:
2234         (JSC::Wasm::BBQPlan::complete):
2235         * wasm/WasmBinding.cpp:
2236         (JSC::Wasm::wasmToWasm):
2237         * wasm/WasmOMGPlan.cpp:
2238         (JSC::Wasm::OMGPlan::work):
2239         * wasm/WasmThunks.cpp:
2240         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2241         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2242         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2243         * wasm/js/WasmToJS.cpp:
2244         (JSC::Wasm::handleBadI64Use):
2245         (JSC::Wasm::wasmToJS):
2246         * yarr/YarrJIT.cpp:
2247         (JSC::Yarr::YarrGenerator::compile):
2248
2249 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2250
2251         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
2252         https://bugs.webkit.org/show_bug.cgi?id=182965
2253
2254         Reviewed by Saam Barati.
2255
2256         This patch extends FTL coverage for PutByVal by adding ArrayStorage and SlowPutArrayStorage support.
2257         Basically, a large part of the patch is ported from DFG code. Since PutByVal already emits CheckInBounds
2258         for the InBounds case, we do not have an OutOfBounds check for that case.
2259         This is the last change for FTL to support all the types of DFG nodes except for CreateThis.
2260
2261         * dfg/DFGOperations.cpp:
2262         * dfg/DFGOperations.h:
2263         * dfg/DFGSpeculativeJIT.cpp:
2264         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2265         * dfg/DFGSpeculativeJIT64.cpp:
2266         (JSC::DFG::SpeculativeJIT::compile):
2267         * ftl/FTLCapabilities.cpp:
2268         (JSC::FTL::canCompile):
2269         * ftl/FTLLowerDFGToB3.cpp:
2270         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2271         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
2272         For consistency, we use operationPutByValXXX and operationPutByValDirectXXX.
2273         But except for the SlowPutArrayStorage case, it is basically meaningless since
2274         we do not have indexed accessors.
2275
2276 2018-02-26  Saam Barati  <sbarati@apple.com>
2277
2278         validateStackAccess should not validate if the offset is within the stack bounds
2279         https://bugs.webkit.org/show_bug.cgi?id=183067
2280         <rdar://problem/37749988>
2281
2282         Reviewed by Mark Lam.
2283
2284         The validation rule was saying that any load from the stack must be
2285         within the stack bounds of the frame. However, it's natural for a user
2286         of B3 to emit code that may be outside of B3's stack bounds, but guard
2287         such a load with a branch. The FTL does exactly this with GetMyArgumentByVal.
2288         B3 is wrong to assert that this is a static property about all stack loads.
2289
2290         * b3/B3Validate.cpp:
2291
2292 2018-02-23  Saam Barati  <sbarati@apple.com>
2293
2294         Make Number.isInteger an intrinsic
2295         https://bugs.webkit.org/show_bug.cgi?id=183088
2296
2297         Reviewed by JF Bastien.
2298
2299         When profiling the ML subtest in ARES, I noticed it was spending some
2300         time in Number.isInteger. This patch makes that operation an intrinsic
2301         in the DFG/FTL. It might be a speedup by 1% or so on that subtest, but
2302         it's likely not an aggregate speedup on ARES. However, it is definitely
2303         faster than calling into a builtin function, so we might as well have
2304         it as an intrinsic.
2305
2306         * dfg/DFGAbstractInterpreterInlines.h:
2307         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2308         * dfg/DFGByteCodeParser.cpp:
2309         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2310         * dfg/DFGClobberize.h:
2311         (JSC::DFG::clobberize):
2312         * dfg/DFGDoesGC.cpp:
2313         (JSC::DFG::doesGC):
2314         * dfg/DFGFixupPhase.cpp:
2315         (JSC::DFG::FixupPhase::fixupNode):
2316         * dfg/DFGNodeType.h:
2317         * dfg/DFGOperations.cpp:
2318         * dfg/DFGOperations.h:
2319         * dfg/DFGPredictionPropagationPhase.cpp:
2320         * dfg/DFGSafeToExecute.h:
2321         (JSC::DFG::safeToExecute):
2322         * dfg/DFGSpeculativeJIT32_64.cpp:
2323         (JSC::DFG::SpeculativeJIT::compile):
2324         * dfg/DFGSpeculativeJIT64.cpp:
2325         (JSC::DFG::SpeculativeJIT::compile):
2326         * ftl/FTLCapabilities.cpp:
2327         (JSC::FTL::canCompile):
2328         * ftl/FTLLowerDFGToB3.cpp:
2329         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2330         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
2331         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
2332         * runtime/Intrinsic.cpp:
2333         (JSC::intrinsicName):
2334         * runtime/Intrinsic.h:
2335         * runtime/NumberConstructor.cpp:
2336         (JSC::NumberConstructor::finishCreation):
2337         (JSC::numberConstructorFuncIsInteger):
2338         * runtime/NumberConstructor.h:
2339         (JSC::NumberConstructor::isIntegerImpl):
2340
2341 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
2342
2343         WebAssembly: cache memory address / size on instance
2344         https://bugs.webkit.org/show_bug.cgi?id=177305
2345
2346         Reviewed by JF Bastien.
2347
2348         Cache memory address/size in Wasm::Instance to avoid loading the Wasm::Memory
2349         object during access to memory and the memory size property in JIT.
2350
2351         * wasm/WasmB3IRGenerator.cpp:
2352         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2353         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
2354         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2355         * wasm/WasmBinding.cpp:
2356         (JSC::Wasm::wasmToWasm):
2357         * wasm/WasmInstance.h:
2358         (JSC::Wasm::Instance::cachedMemory const):
2359         (JSC::Wasm::Instance::cachedMemorySize const):
2360         (JSC::Wasm::Instance::createWeakPtr):
2361         (JSC::Wasm::Instance::setMemory):
2362         (JSC::Wasm::Instance::updateCachedMemory):
2363         (JSC::Wasm::Instance::offsetOfCachedMemory):
2364         (JSC::Wasm::Instance::offsetOfCachedMemorySize):
2365         (JSC::Wasm::Instance::offsetOfCachedIndexingMask):
2366         (JSC::Wasm::Instance::allocationSize):
2367         * wasm/WasmMemory.cpp:
2368         (JSC::Wasm::Memory::grow):
2369         (JSC::Wasm::Memory::registerInstance):
2370         * wasm/WasmMemory.h:
2371         (JSC::Wasm::Memory::indexingMask):
2372         * wasm/js/JSToWasm.cpp:
2373         (JSC::Wasm::createJSToWasmWrapper):
2374         * wasm/js/WebAssemblyModuleRecord.cpp:
2375         (JSC::WebAssemblyModuleRecord::evaluate):
2376
2377 2018-02-23  Saam Barati  <sbarati@apple.com>
2378
2379         ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert
2380         https://bugs.webkit.org/show_bug.cgi?id=182982
2381
2382         Reviewed by Yusuke Suzuki.
2383
2384         I don't know why this check was not always an assert. When we see
2385         a GetByOffset on an eliminated allocation, that allocation *must*
2386         be a PhantomClonedArguments. If it weren't, the GetByOffset would
2387         have escaped it. Because this transformation happens by visiting
2388         blocks in pre-order, and by visiting nodes in a block starting from
2389         index zero to index block->size() - 1, we're guaranteed that eliminated
2390         allocations get transformed before users of it, since we visit nodes
2391         in dominator order.
2392
2393         * dfg/DFGArgumentsEliminationPhase.cpp:
2394
2395 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2396
2397         [JSC] Implement $vm.ftlTrue function for FTL testing
2398         https://bugs.webkit.org/show_bug.cgi?id=183071
2399
2400         Reviewed by Mark Lam.
2401
2402         Add $vm.ftlTrue, which becomes true if the caller is compiled in FTL.
2403         This is useful for testing whether the caller function is compiled in FTL.
2404
2405         We also remove the duplicate DFGTrue function in jsc.cpp, since we have $vm.dfgTrue.
2406
2407         * dfg/DFGByteCodeParser.cpp:
2408         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2409         * jsc.cpp:
2410         (GlobalObject::finishCreation):
2411         (functionFalse1):
2412         (functionFalse2): Deleted.
2413         * runtime/Intrinsic.cpp:
2414         (JSC::intrinsicName):
2415         * runtime/Intrinsic.h:
2416         * tools/JSDollarVM.cpp:
2417         (JSC::functionFTLTrue):
2418         (JSC::JSDollarVM::finishCreation):
2419
2420 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2421
2422         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
2423         https://bugs.webkit.org/show_bug.cgi?id=182792
2424
2425         Reviewed by Mark Lam.
2426
2427         This patch adds HasIndexedProperty for ArrayStorage and SlowPutArrayStorage in FTL.
2428         HasIndexedProperty with ArrayStorage frequently causes FTL compilation failures
2429         in web-tooling-benchmarks.
2430
2431         * ftl/FTLCapabilities.cpp:
2432         (JSC::FTL::canCompile):
2433         * ftl/FTLLowerDFGToB3.cpp:
2434         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2435
2436 2018-02-22  Mark Lam  <mark.lam@apple.com>
2437
2438         Refactor MacroAssembler code to improve reuse and extensibility.
2439         https://bugs.webkit.org/show_bug.cgi?id=183054
2440         <rdar://problem/37797337>
2441
2442         Reviewed by Saam Barati.
2443
2444         * assembler/ARM64Assembler.h:
2445         * assembler/MacroAssembler.cpp:
2446         * assembler/MacroAssembler.h:
2447         * assembler/MacroAssemblerARM.h:
2448         * assembler/MacroAssemblerARM64.h:
2449         (JSC::MacroAssemblerARM64::canCompact):
2450         (JSC::MacroAssemblerARM64::computeJumpType):
2451         (JSC::MacroAssemblerARM64::jumpSizeDelta):
2452         (JSC::MacroAssemblerARM64::link):
2453         (JSC::MacroAssemblerARM64::load64):
2454         (JSC::MacroAssemblerARM64::load64WithAddressOffsetPatch):
2455         (JSC::MacroAssemblerARM64::load32):
2456         (JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
2457         (JSC::MacroAssemblerARM64::load16):
2458         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
2459         (JSC::MacroAssemblerARM64::load8):
2460         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
2461         (JSC::MacroAssemblerARM64::store64):
2462         (JSC::MacroAssemblerARM64::store64WithAddressOffsetPatch):
2463         (JSC::MacroAssemblerARM64::store32):
2464         (JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
2465         (JSC::MacroAssemblerARM64::store16):
2466         (JSC::MacroAssemblerARM64::store8):
2467         (JSC::MacroAssemblerARM64::getEffectiveAddress):
2468         (JSC::MacroAssemblerARM64::branchDoubleNonZero):
2469         (JSC::MacroAssemblerARM64::branchDoubleZeroOrNaN):
2470         (JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
2471         (JSC::MacroAssemblerARM64::loadDouble):
2472         (JSC::MacroAssemblerARM64::loadFloat):
2473         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
2474         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
2475         (JSC::MacroAssemblerARM64::storeDouble):
2476         (JSC::MacroAssemblerARM64::storeFloat):
2477         (JSC::MacroAssemblerARM64::call):
2478         (JSC::MacroAssemblerARM64::jump):
2479         (JSC::MacroAssemblerARM64::tailRecursiveCall):
2480         (JSC::MacroAssemblerARM64::setCarry):
2481         (JSC::MacroAssemblerARM64::reemitInitialMoveWithPatch):
2482         (JSC::MacroAssemblerARM64::isBreakpoint):
2483         (JSC::MacroAssemblerARM64::invert):
2484         (JSC::MacroAssemblerARM64::readCallTarget):
2485         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
2486         (JSC::MacroAssemblerARM64::replaceWithJump):
2487         (JSC::MacroAssemblerARM64::maxJumpReplacementSize):
2488         (JSC::MacroAssemblerARM64::patchableJumpSize):
2489         (JSC::MacroAssemblerARM64::repatchCall):
2490         (JSC::MacroAssemblerARM64::makeBranch):
2491         (JSC::MacroAssemblerARM64::makeCompareAndBranch):
2492         (JSC::MacroAssemblerARM64::makeTestBitAndBranch):
2493         (JSC::MacroAssemblerARM64::ARM64Condition):
2494         (JSC::MacroAssemblerARM64::moveWithFixedWidth):
2495         (JSC::MacroAssemblerARM64::load):
2496         (JSC::MacroAssemblerARM64::store):
2497         (JSC::MacroAssemblerARM64::tryLoadWithOffset):
2498         (JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
2499         (JSC::MacroAssemblerARM64::tryStoreWithOffset):
2500         (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
2501         (JSC::MacroAssemblerARM64::linkCall):
2502         * assembler/MacroAssemblerARMv7.h:
2503         * assembler/MacroAssemblerMIPS.h:
2504         * assembler/MacroAssemblerX86Common.h:
2505         * assembler/ProbeStack.h:
2506         - Removed a forward declaration of an obsolete class.
2507
2508 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2509
2510         Remove sleep(double) and sleepMS(double) interfaces
2511         https://bugs.webkit.org/show_bug.cgi?id=183038
2512
2513         Reviewed by Mark Lam.
2514
2515         * bytecode/SuperSampler.cpp:
2516         (JSC::initializeSuperSampler):
2517
2518 2018-02-21  Don Olmstead  <don.olmstead@sony.com>
2519
2520         [CMake] Split declaration of JSC headers into public and private
2521         https://bugs.webkit.org/show_bug.cgi?id=182980
2522
2523         Reviewed by Michael Catanzaro.
2524
2525         * CMakeLists.txt:
2526         * PlatformGTK.cmake:
2527         * PlatformMac.cmake:
2528         * PlatformWPE.cmake:
2529         * PlatformWin.cmake:
2530
2531 2018-02-20  Saam Barati  <sbarati@apple.com>
2532
2533         DFG::VarargsForwardingPhase should eliminate getting argument length
2534         https://bugs.webkit.org/show_bug.cgi?id=182959
2535
2536         Reviewed by Keith Miller.
2537
2538         This patch teaches the DFG VarargsForwardingPhase to not treat
2539         length accesses on Cloned/Direct Arguments objects as escapes.
2540         It teaches this phase to materialize the length in the same
2541         way the ArgumentsEliminationPhase does.
2542         
2543         This is around a 0.5-1% speedup on ARES6 on my iMac. It speeds
2544         up the ML subtest by 2-4%.
2545         
2546         This patch also extends compileGetArgumentCountIncludingThis to take
2547         a parameter that is the inline call frame to load from (in the case
2548         where the inline call frame is a varargs frame). This allows the
2549         emitCodeToGetArgumentsArrayLength helper function to just emit
2550         a GetArgumentCountIncludingThis node instead of a GetLocal. If we
2551         emitted a GetLocal, we'd need to rerun CPS rethreading.
2552
2553         * dfg/DFGArgumentsEliminationPhase.cpp:
2554         * dfg/DFGArgumentsUtilities.cpp:
2555         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2556         * dfg/DFGByteCodeParser.cpp:
2557         (JSC::DFG::ByteCodeParser::getArgumentCount):
2558         * dfg/DFGClobberize.h:
2559         (JSC::DFG::clobberize):
2560         * dfg/DFGNode.h:
2561         (JSC::DFG::Node::argumentsInlineCallFrame):
2562         * dfg/DFGSpeculativeJIT.cpp:
2563         (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
2564         * dfg/DFGVarargsForwardingPhase.cpp:
2565         * ftl/FTLLowerDFGToB3.cpp:
2566         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis):
2567
2568 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2569
2570         [FTL] Support ArrayPush for ArrayStorage
2571         https://bugs.webkit.org/show_bug.cgi?id=182782
2572
2573         Reviewed by Saam Barati.
2574
2575         This patch adds support for ArrayPush(ArrayStorage). We just port ArrayPush(ArrayStorage) in DFG to FTL.
2576
2577         * ftl/FTLAbstractHeapRepository.h:
2578         * ftl/FTLCapabilities.cpp:
2579         (JSC::FTL::canCompile):
2580         * ftl/FTLLowerDFGToB3.cpp:
2581         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
2582
2583 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2584
2585         [FTL] Support ArrayPop for ArrayStorage
2586         https://bugs.webkit.org/show_bug.cgi?id=182783
2587
2588         Reviewed by Saam Barati.
2589
2590         This patch adds ArrayPop(ArrayStorage) support to FTL. We port the implementation in DFG to FTL.
2591
2592         * ftl/FTLAbstractHeapRepository.h:
2593         * ftl/FTLCapabilities.cpp:
2594         (JSC::FTL::canCompile):
2595         * ftl/FTLLowerDFGToB3.cpp:
2596         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
2597
2598 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2599
2600         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
2601         https://bugs.webkit.org/show_bug.cgi?id=182731
2602
2603         Reviewed by Saam Barati.
2604
2605         This patch adds support for Arrayify(ArrayStorage/SlowPutArrayStorage) to FTL.
2606         Due to the ArrayifyToStructure and CheckArray changes, the changes necessary for
2607         supporting Arrayify in FTL are already done. Just allowing it in FTLCapabilities.cpp
2608         is enough.
2609
2610         We fix FTL's CheckArray logic. Previously, CheckArray(SlowPutArrayStorage) did not pass
2611         ArrayStorage in FTL. But now it passes this as DFG does. Moreover, we fix DFG's CheckArray
2612         where CheckArray(ArrayStorage+NonArray) could pass ArrayStorage+Array.
2613
2614         * dfg/DFGSpeculativeJIT.cpp:
2615         (JSC::DFG::SpeculativeJIT::silentFill):
2616         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2617         * dfg/DFGSpeculativeJIT.h:
2618         * ftl/FTLCapabilities.cpp:
2619         (JSC::FTL::canCompile):
2620         * ftl/FTLLowerDFGToB3.cpp:
2621         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
2622
2623 2018-02-19  Saam Barati  <sbarati@apple.com>
2624
2625         Don't use JSFunction's allocation profile when getting the prototype can be effectful
2626         https://bugs.webkit.org/show_bug.cgi?id=182942
2627         <rdar://problem/37584764>
2628
2629         Reviewed by Mark Lam.
2630
2631         Prior to this patch, the create_this implementation assumed that anything
2632         that is a JSFunction can use the object allocation profile and go down the
2633         fast path to allocate the |this| object. Implied by this approach is that
2634         accessing the 'prototype' property of the incoming function is not an
2635         effectful operation. This is inherent to the ObjectAllocationProfile 
2636         data structure: it caches the prototype field. However, getting the
2637         'prototype' property might be an effectful operation, e.g., it could
2638         be a getter. Many variants of functions in JS have the 'prototype' property
2639         as non-configurable. However, some functions, like bound functions, do not
2640         have the 'prototype' field with these attributes.
2641         
2642         This patch adds the notion of 'canUseAllocationProfile' to JSFunction
2643         and threads it through so that we only go down the fast path and use
2644         the allocation profile when the prototype property is non-configurable.
2645
2646         * bytecompiler/NodesCodegen.cpp:
2647         (JSC::ClassExprNode::emitBytecode):
2648         * dfg/DFGOperations.cpp:
2649         * runtime/CommonSlowPaths.cpp:
2650         (JSC::SLOW_PATH_DECL):
2651         * runtime/JSFunction.cpp:
2652         (JSC::JSFunction::prototypeForConstruction):
2653         (JSC::JSFunction::allocateAndInitializeRareData):
2654         (JSC::JSFunction::initializeRareData):
2655         (JSC::JSFunction::getOwnPropertySlot):
2656         (JSC::JSFunction::canUseAllocationProfileNonInline):
2657         * runtime/JSFunction.h:
2658         (JSC::JSFunction::ensureRareDataAndAllocationProfile):
2659         * runtime/JSFunctionInlines.h:
2660         (JSC::JSFunction::canUseAllocationProfile):
2661
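The following is an added example, not JSC's code, modeling the rule this entry describes: the create_this fast path may reuse a cached 'prototype' only when that property cannot be redefined or intercepted. All types and names in it (PrototypeProperty, FunctionObject, the counters) are hypothetical stand-ins.

```cpp
// Added example, not JSC's code: models why the create_this fast path may only
// reuse a cached 'prototype' when that property is non-configurable. All
// types and names are hypothetical stand-ins.
#include <functional>
#include <optional>

using ObjectId = int; // stands in for a JSObject* prototype

// A simplified own-property descriptor for the 'prototype' slot.
struct PrototypeProperty {
    bool configurable;
    std::optional<ObjectId> value;     // data property
    std::function<ObjectId()> getter;  // accessor property; may run arbitrary code
};

struct FunctionObject {
    std::optional<PrototypeProperty> prototype;  // absent for e.g. bound functions
    std::optional<ObjectId> allocationProfile;   // cached prototype for the fast path
    int effectfulGets = 0;                       // counts observable [[Get]] calls
};

// The entry's rule, modeled here: the profile is only trustworthy when nothing
// can redefine or intercept 'prototype' later, i.e. a non-configurable data property.
bool canUseAllocationProfile(const FunctionObject& fn)
{
    return fn.prototype && !fn.prototype->configurable && fn.prototype->value.has_value();
}

// The slow path: perform the real [[Get]], invoking a getter if present.
ObjectId getPrototypeForConstruction(FunctionObject& fn)
{
    if (!fn.prototype)
        return 0; // hypothetical: fall back to a default prototype
    if (fn.prototype->getter) {
        ++fn.effectfulGets;
        return fn.prototype->getter();
    }
    return *fn.prototype->value;
}

// create_this: populate and reuse the profile only when the predicate holds.
ObjectId prototypeForCreateThis(FunctionObject& fn)
{
    if (canUseAllocationProfile(fn)) {
        if (!fn.allocationProfile)
            fn.allocationProfile = *fn.prototype->value;
        return *fn.allocationProfile;
    }
    return getPrototypeForConstruction(fn);
}

// Constructed scenario: a function whose 'prototype' has been defined as a
// configurable accessor. Returns the number of getter invocations across two
// constructions; each construction must observe the getter, so the answer is 2.
int getterCallsForTwoConstructions()
{
    FunctionObject fn;
    fn.prototype = PrototypeProperty { true, std::nullopt, [] { return 42; } };
    prototypeForCreateThis(fn);
    prototypeForCreateThis(fn);
    return fn.effectfulGets;
}

// Constructed scenario: an ordinary function with a non-configurable data
// 'prototype'; the profile is populated and reused, and no getter can intervene.
bool ordinaryFunctionUsesProfile()
{
    FunctionObject ordinary;
    ordinary.prototype = PrototypeProperty { false, 7, nullptr };
    ObjectId first = prototypeForCreateThis(ordinary);
    ObjectId second = prototypeForCreateThis(ordinary);
    return first == 7 && second == 7 && ordinary.allocationProfile.has_value()
        && ordinary.effectfulGets == 0;
}
```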
2662 2018-02-19  Saam Barati  <sbarati@apple.com>
2663
2664         Don't mark an array profile out of bounds for the cases where the DFG will convert the access to SaneChain
2665         https://bugs.webkit.org/show_bug.cgi?id=182912
2666         <rdar://problem/37685083>
2667
2668         Reviewed by Keith Miller.
2669
2670         In the baseline JIT and LLInt, when we load a hole from an original array,
2671         with the array prototype chain being normal, we end up marking the ArrayProfile
2672         for that GetByVal as out of bounds. However, the DFG knows exactly how to
2673         optimize this case by returning undefined when loading from a hole. Currently,
2674         it only does this for Contiguous arrays (and sometimes Double arrays).
2675         This patch just makes sure to not mark the ArrayProfile as out of bounds
2676         in this scenario for Contiguous arrays, since the DFG will always optimize
2677         this case.
2678         
2679         However, we should extend this by profiling when a GetByVal loads a hole. By
2680         doing so, we can optimize this for Int32, ArrayStorage, and maybe even Double
2681         arrays. That work will happen in:
2682         https://bugs.webkit.org/show_bug.cgi?id=182940
2683         
2684         This patch is a 30-50% speedup on JetStream's hash-map test. This patch
2685         speeds up JetStream by 1% when testing on my iMac.
2686
2687         * dfg/DFGArrayMode.cpp:
2688         (JSC::DFG::ArrayMode::refine const):
2689         * dfg/DFGFixupPhase.cpp:
2690         (JSC::DFG::FixupPhase::fixupNode):
2691         * jit/JITOperations.cpp:
2692         (JSC::getByVal):
2693         (JSC::canAccessArgumentIndexQuickly): Deleted.
2694         * llint/LLIntSlowPaths.cpp:
2695         (JSC::LLInt::getByVal):
2696         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2697         * llint/LowLevelInterpreter32_64.asm:
2698         * llint/LowLevelInterpreter64.asm:
2699         * runtime/CommonSlowPaths.h:
2700         (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
2701
2702 2018-02-17  Filip Pizlo  <fpizlo@apple.com>
2703
2704         GetArrayMask should support constant folding
2705         https://bugs.webkit.org/show_bug.cgi?id=182907
2706
2707         Reviewed by Saam Barati.
2708         
2709         Implement constant folding for GetArrayMask. This revealed a bug in tryGetFoldableView, where it was
2710         ignoring the result of a jsDynamicCast<>(). This wasn't a bug before because it would have been
2711         impossible for that function to get called with a non-null value if the value was not an array view,
2712         due to type filtering in CheckArray, the fact that CheckArray had to dominate GetArrayLength, and
2713         the fact that the other tryGetFoldableView overload made sure that the array mode was some typed
2714         array.
2715         
2716         This isn't a measurable progression, but it does save a register in the codegen for typed array
2717         accesses. Hopefully these improvements add up.
2718
2719         * assembler/AssemblerBuffer.h:
2720         * dfg/DFGAbstractInterpreterInlines.h:
2721         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2722         * dfg/DFGGraph.cpp:
2723         (JSC::DFG::Graph::tryGetFoldableView):
2724
2725 2018-02-18  Dominik Inführ  <dominik.infuehr@gmail.com>
2726
2727         Offlineasm/MIPS: immediates need to be within 16-bit signed values
2728         https://bugs.webkit.org/show_bug.cgi?id=182890
2729
2730         Reviewed by Michael Catanzaro.
2731
2732         In Sequence.getModifiedListMIPS(), we allow immediate values within
2733         the range -0xffff..0xffff for immediates (addresses and other
2734         immediates), but then in Immediate.mipsOperand() and
2735         Address.mipsOperand() we raise if immediate values are not within
2736         -0x7fff..0x7fff. This is inconsistent, and broke compilation on MIPS
2737         since r228552 made the VM structure bigger, meaning we address values
2738         with bigger offsets in llint. This change restricts the allowed range,
2739         so that a separate load of the value is done for values outside of
2740         that range.
2741
2742         * offlineasm/mips.rb:
2743
2744 2018-02-17  Darin Adler  <darin@apple.com>
2745
2746         Web Inspector: get rid of remaining uses of OptOutput<T>
2747         https://bugs.webkit.org/show_bug.cgi?id=180607
2748
2749         Reviewed by Brian Burg.
2750
2751         * inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
2752         is inside the Inspector namespace already. Also use auto a bit.
2753         * inspector/AsyncStackTrace.h: Ditto.
2754         * inspector/ConsoleMessage.cpp: Ditto.
2755
2756         * inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
2757         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
2758         Vector instead of a unique_ptr<Vector>.
2759         (Inspector::ContentSearchUtilities::lineEndings): Ditto.
2760         (Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
2761         (Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
2762         a Vector for a fixed size array; also got rid of reinterpret_cast.
2763         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
2764         expression here since it's the only place it was used.
2765
2766         * inspector/ContentSearchUtilities.h: Cut down on unneeded includes.
2767
2768         * inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
2769         is inside the Inspector namespace already. Also use auto a bit.
2770
2771         * inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
2772         Removed base template for BindingTraits; we only need the specializations.
2773
2774         * inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
2775         is inside the Inspector namespace already. Also use auto a bit.
2776         * inspector/ScriptCallFrame.h: Ditto.
2777         * inspector/ScriptCallStack.cpp: Ditto.
2778         * inspector/ScriptCallStack.h: Ditto.
2779         * inspector/agents/InspectorConsoleAgent.cpp: Ditto.
2780         * inspector/agents/InspectorConsoleAgent.h: Ditto.
2781
2782         * inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
2783         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& instead of
2784         OptOutput* for out arguments.
2785         * inspector/agents/InspectorDebuggerAgent.h: Ditto.
2786
2787         * inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
2788         (Inspector::InspectorHeapAgent::getPreview): Use std::optional& instead of OptOutput*
2789         for out arguments.
2790         * inspector/agents/InspectorHeapAgent.h: Ditto.
2791
2792         * inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
2793         (Inspector::InspectorRuntimeAgent::parse): Use std::optional& instead of OptOutput*
2794         for out arguments.
2795         (Inspector::InspectorRuntimeAgent::evaluate): Ditto.
2796         (Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
2797         (Inspector::InspectorRuntimeAgent::saveResult): Ditto.
2798         * inspector/agents/InspectorRuntimeAgent.h: Ditto.
2799
2800         * inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
2801         and removed some bogus const.
2802         * inspector/agents/InspectorScriptProfilerAgent.h: Ditto.
2803
2804         * inspector/scripts/codegen/cpp_generator.py:
2805         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
2806         (CppGenerator.cpp_type_for_type_with_name): Ditto.
2807         (CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
2808         Inspector::Protocol::OptOutput*.
2809         (CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
2810         (CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
2811         (CppGenerator.cpp_type_for_stack_out_parameter): Ditto.
2812
2813         * inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
2814         conditional around assertion code which will now compile to nothing if ASSERT is disabled.
2815         Build strings more simply in a few cases.
2816
2817         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2818         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
2819         Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
2820         replaces OptOutput here.
2821         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2822         Pass by reference instead of pointer now.
2823
2824         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2825         Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
2826         if ASSERT is disabled.
2827
2828         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2829         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
2830         the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
2831         (CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.
2832
2833         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2834         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
2835         more simply.
2836
2837         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2838         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2839         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2840         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2841         Rebaselined.
2842
2843 2018-02-16  Matt Lewis  <jlewis3@apple.com>
2844
2845         Unreviewed, rolling out r228318.
2846
2847         The patch that this attempted to fix was rolled out already.
2848
2849         Reverted changeset:
2850
2851         "Fix build on ARMv7 traditional JSCOnly bot after r228306"
2852         https://bugs.webkit.org/show_bug.cgi?id=182563
2853         https://trac.webkit.org/changeset/228318
2854
2855 2018-02-16  Filip Pizlo  <fpizlo@apple.com>
2856
2857         Unreviewed, roll out r228306 (custom memcpy/memset) because the bots say that it was not a
2858         progression.
2859
2860         * assembler/AssemblerBuffer.h:
2861         (JSC::AssemblerBuffer::append):
2862         * heap/LargeAllocation.cpp:
2863         (JSC::LargeAllocation::tryCreate):
2864         * heap/MarkedBlock.cpp:
2865         (JSC::MarkedBlock::Handle::didAddToDirectory):
2866         * runtime/ArrayBuffer.cpp:
2867         (JSC::ArrayBufferContents::tryAllocate):
2868         (JSC::ArrayBufferContents::copyTo):
2869         (JSC::ArrayBuffer::createInternal):
2870         * runtime/ArrayBufferView.h:
2871         (JSC::ArrayBufferView::zeroRangeImpl):
2872         * runtime/ArrayConventions.cpp:
2873         (JSC::clearArrayMemset):
2874         * runtime/ArrayConventions.h:
2875         (JSC::clearArray):
2876         * runtime/ArrayPrototype.cpp:
2877         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2878         * runtime/ButterflyInlines.h:
2879         (JSC::Butterfly::tryCreate):
2880         (JSC::Butterfly::createOrGrowPropertyStorage):
2881         (JSC::Butterfly::growArrayRight):
2882         (JSC::Butterfly::resizeArray):
2883         * runtime/GenericTypedArrayViewInlines.h:
2884         (JSC::GenericTypedArrayView<Adaptor>::create):
2885         * runtime/JSArray.cpp:
2886         (JSC::JSArray::appendMemcpy):
2887         (JSC::JSArray::fastSlice):
2888         * runtime/JSArrayBufferView.cpp:
2889         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2890         * runtime/JSGenericTypedArrayViewInlines.h:
2891         (JSC::JSGenericTypedArrayView<Adaptor>::set):
2892         * runtime/JSObject.cpp:
2893         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2894         (JSC::JSObject::shiftButterflyAfterFlattening):
2895         * runtime/PropertyTable.cpp:
2896         (JSC::PropertyTable::PropertyTable):
2897
2898 2018-02-16  Saam Barati  <sbarati@apple.com>
2899
2900         Fix bugs from r228411
2901         https://bugs.webkit.org/show_bug.cgi?id=182851
2902         <rdar://problem/37577732>
2903
2904         Reviewed by JF Bastien.
2905
2906         There was a bug from r228411 where inside the constant folding phase,
2907         we used an insertCheck method that didn't handle varargs. This would
2908         lead to a crash. When thinking about the fix for that function, I realized
2909         I made a couple of mistakes in r228411. One is probably a security bug, and
2910         the other is a performance bug because it'll prevent CSE for certain flavors
2911         of GetByVal nodes. Both blunders are similar in nature.
2912         
2913         In r228411, I added code in LICM that inserted a CheckVarargs node with children
2914         of another varargs node. However, to construct this new node's children,
2915         I just copied the AdjacencyList. This does a shallow copy. What we needed
2916         was a deep copy. We needed to create a new vararg AdjacencyList that points
2917         to edges that are deep copies of the original varargs children. This patch
2918         fixes this goof in LICM.
2919         
2920         r228411 made it so that PureValue over a varargs node would just compare actual
2921         AdjacencyLists structs. So, if you had two GetByVals that had equal sanitized
2922         children, their actual AdjacencyList structs are *not* bitwise equal, since they'll
2923         have different firstChild values. Instead, we need to do a deep compare of their
2924         adjacency lists. This patch teaches PureValue how to do that.
2925
2926         * dfg/DFGClobberize.h:
2927         (JSC::DFG::clobberize):
2928         * dfg/DFGConstantFoldingPhase.cpp:
2929         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2930         * dfg/DFGGraph.h:
2931         (JSC::DFG::Graph::copyVarargChildren):
2932         * dfg/DFGInsertionSet.h:
2933         (JSC::DFG::InsertionSet::insertCheck):
2934         * dfg/DFGLICMPhase.cpp:
2935         (JSC::DFG::LICMPhase::attemptHoist):
2936         * dfg/DFGPureValue.cpp:
2937         (JSC::DFG::PureValue::dump const):
2938         * dfg/DFGPureValue.h:
2939         (JSC::DFG::PureValue::PureValue):
2940         (JSC::DFG::PureValue::op const):
2941         (JSC::DFG::PureValue::hash const):
2942         (JSC::DFG::PureValue::operator== const):
2943         (JSC::DFG::PureValue::isVarargs const):
2944         (JSC::DFG::PureValue::children const): Deleted.
2945         * dfg/DFGStrengthReductionPhase.cpp:
2946         (JSC::DFG::StrengthReductionPhase::handleNode):
2947         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
2948
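The following is an added example, not JSC's code, modeling in plain C++ the two mistakes this entry describes: a shallow copy of a varargs adjacency list that aliases the original edges, and a struct-identity compare that can never match two nodes with equal children. Edge, AdjacencyList and VarArgPool are hypothetical stand-ins for JSC's own types.

```cpp
// Added example, not JSC's code: models the two r228411 blunders on a varargs
// adjacency list. All names here are hypothetical stand-ins for JSC's own.
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <vector>

// An edge references a child node and carries a use kind (simplified).
struct Edge {
    uint32_t nodeIndex;
    uint32_t useKind;
    bool operator==(const Edge& o) const { return nodeIndex == o.nodeIndex && useKind == o.useKind; }
};

// Varargs nodes keep their children in a shared pool and store only an offset
// and a count, so two nodes with identical children never have equal structs.
struct AdjacencyList {
    uint32_t firstChild;
    uint32_t numChildren;
};
using VarArgPool = std::vector<Edge>;

// Appends a new node's children to the pool and returns its list.
AdjacencyList appendChildren(VarArgPool& pool, std::initializer_list<Edge> edges)
{
    AdjacencyList list { static_cast<uint32_t>(pool.size()), static_cast<uint32_t>(edges.size()) };
    pool.insert(pool.end(), edges.begin(), edges.end());
    return list;
}

// The LICM goof: copying the struct only aliases the original node's edges.
AdjacencyList shallowCopyChildren(const AdjacencyList& list)
{
    return list;
}

// The fix (Graph::copyVarargChildren in JSC): allocate fresh edges so the
// hoisted CheckVarargs owns its own children.
AdjacencyList deepCopyChildren(VarArgPool& pool, const AdjacencyList& list)
{
    AdjacencyList result { static_cast<uint32_t>(pool.size()), list.numChildren };
    for (uint32_t i = 0; i < list.numChildren; ++i)
        pool.push_back(Edge(pool[list.firstChild + i]));
    return result;
}

// The PureValue goof: comparing the structs themselves.
bool structEqual(const AdjacencyList& a, const AdjacencyList& b)
{
    return a.firstChild == b.firstChild && a.numChildren == b.numChildren;
}

// The fix: compare the referenced edges element by element ...
bool deepEqual(const VarArgPool& pool, const AdjacencyList& a, const AdjacencyList& b)
{
    if (a.numChildren != b.numChildren)
        return false;
    for (uint32_t i = 0; i < a.numChildren; ++i)
        if (!(pool[a.firstChild + i] == pool[b.firstChild + i]))
            return false;
    return true;
}

// ... and hash the same content, so a CSE table keyed on PureValue can hit.
std::size_t deepHash(const VarArgPool& pool, const AdjacencyList& list)
{
    std::size_t h = list.numChildren;
    for (uint32_t i = 0; i < list.numChildren; ++i) {
        const Edge& edge = pool[list.firstChild + i];
        h = (h * 31 + edge.nodeIndex) * 31 + edge.useKind;
    }
    return h;
}

// Constructed scenario: two GetByVal-like nodes with equal sanitized children.
// True when the struct compare misses the match but the deep compare finds it.
bool demonstrateCseMiss()
{
    VarArgPool pool;
    AdjacencyList a = appendChildren(pool, { {1, 0}, {2, 0}, {3, 1} });
    AdjacencyList b = appendChildren(pool, { {1, 0}, {2, 0}, {3, 1} });
    bool missedByStructCompare = !structEqual(a, b);
    bool foundByDeepCompare = deepEqual(pool, a, b) && deepHash(pool, a) == deepHash(pool, b);
    return missedByStructCompare && foundByDeepCompare;
}

// Constructed scenario: after a shallow copy, editing the hoisted node's first
// child also rewrites the original node's child; the deep copy is isolated.
bool demonstrateAliasing()
{
    VarArgPool pool;
    AdjacencyList original = appendChildren(pool, { {1, 0}, {2, 0} });
    AdjacencyList shallow = shallowCopyChildren(original);
    AdjacencyList deep = deepCopyChildren(pool, original);
    pool[shallow.firstChild].useKind = 7; // mutate through the shallow copy
    bool originalChanged = pool[original.firstChild].useKind == 7;
    bool deepUnaffected = pool[deep.firstChild].useKind == 0;
    return originalChanged && deepUnaffected;
}
```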
2949 2018-02-16  Matt Lewis  <jlewis3@apple.com>
2950
2951         Unreviewed, rolling out r228546.
2952
2953         This caused a consistent crash on all macOS WK2 platforms.
2954
2955         Reverted changeset:
2956
2957         "Web Inspector: get rid of remaining uses of OptOutput<T>"
2958         https://bugs.webkit.org/show_bug.cgi?id=180607
2959         https://trac.webkit.org/changeset/228546
2960
2961 2018-02-16  Fujii Hironori  <Hironori.Fujii@sony.com>
2962
2963         fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
2964         https://bugs.webkit.org/show_bug.cgi?id=172952
2965
2966         Reviewed by Michael Catanzaro.
2967
2968         Null dereference of VM::topCallFrame happens in
2969         Inspector::createScriptCallStackForConsole if the ExecState has no
2970         call frames.
2971
2972         * inspector/ScriptCallStackFactory.cpp:
2973         (Inspector::createScriptCallStack): Do null check of topCallFrame.
2974         (Inspector::createScriptCallStackForConsole): Ditto.
2975
2976 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
2977
2978         Objects that contain dangerous things should be allocated far away from objects that can do OOB
2979         https://bugs.webkit.org/show_bug.cgi?id=182843
2980
2981         Reviewed by Saam Barati.
2982         
2983         To complete our object distancing plan, we need to put objects that can contain unpoisoned data
2984         far away from objects that cannot. Objects referenceable from JSValues cannot contain
2985         unpoisoned data, but auxiliary data can. This further divides auxiliary data that is meant for
2986         storing mostly JSValues from data that is meant for storing anything.
2987         
2988         This is achieved by having three SecurityKinds that are used for MarkedBlock selection and
2989         zeroing sort of the same way SecurityOriginToken already was.
2990         
2991         This change shouldn't make anything slower. If anything, it will be a small speed-up because it
2992         removes some cases of MarkedBlock zeroing since we don't need to zero blocks used for two of
2993         the SecurityKinds.
2994
2995         * Sources.txt:
2996         * bytecode/ObjectAllocationProfileInlines.h:
2997         (JSC::ObjectAllocationProfile::initializeProfile):
2998         * heap/BlockDirectory.cpp:
2999         (JSC::BlockDirectory::addBlock):
3000         * heap/BlockDirectory.h:
3001         * heap/CellAttributes.cpp:
3002         (JSC::CellAttributes::dump const):
3003         * heap/CellAttributes.h:
3004         (JSC::CellAttributes::CellAttributes):
3005         * heap/LocalAllocator.cpp:
3006         (JSC::LocalAllocator::allocateSlowCase):
3007         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
3008         * heap/MarkedBlock.cpp:
3009         (JSC::MarkedBlock::Handle::didAddToDirectory):
3010         (JSC::MarkedBlock::Handle::associateWithOrigin): Deleted.
3011         * heap/MarkedBlock.h:
3012         * heap/SecurityKind.cpp: Added.
3013         (WTF::printInternal):
3014         * heap/SecurityKind.h: Added.
3015         * runtime/JSCellInlines.h:
3016         (JSC::JSCell::subspaceFor):
3017         * runtime/JSDestructibleObjectHeapCellType.cpp:
3018         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3019         * runtime/JSObject.h:
3020         (JSC::JSObject::subspaceFor):
3021         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
3022         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3023         * runtime/JSStringHeapCellType.cpp:
3024         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3025         * runtime/Symbol.h:
3026         (JSC::Symbol::subspaceFor):
3027         * runtime/VM.cpp:
3028         (JSC::VM::VM):
3029         * runtime/VM.h:
3030         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
3031         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3032
3033 2018-02-15  Darin Adler  <darin@apple.com>
3034
3035         Web Inspector: get rid of remaining uses of OptOutput<T>
3036         https://bugs.webkit.org/show_bug.cgi?id=180607
3037
3038         Reviewed by Brian Burg.
3039
3040         * inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
3041         is inside the Inspector namespace already. Also use auto a bit.
3042         * inspector/AsyncStackTrace.h: Ditto.
3043         * inspector/ConsoleMessage.cpp: Ditto.
3044
3045         * inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
3046         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
3047         Vector instead of a unique_ptr<Vector>.
3048         (Inspector::ContentSearchUtilities::lineEndings): Ditto.
3049         (Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
3050         (Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
3051         a Vector for a fixed size array; also got rid of reinterpret_cast.
3052         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
3053         expression here since it's the only place it was used.
3054
3055         * inspector/ContentSearchUtilities.h: Cut down on unneeded includes.
3056
3057         * inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
3058         is inside the Inspector namespace already. Also use auto a bit.
3059
3060         * inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
3061         Removed base template for BindingTraits; we only need the specializations.
3062
3063         * inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
3064         is inside the Inspector namespace already. Also use auto a bit.
3065         * inspector/ScriptCallFrame.h: Ditto.
3066         * inspector/ScriptCallStack.cpp: Ditto.
3067         * inspector/ScriptCallStack.h: Ditto.
3068         * inspector/agents/InspectorConsoleAgent.cpp: Ditto.
3069         * inspector/agents/InspectorConsoleAgent.h: Ditto.
3070
3071         * inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
3072         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& instead of
3073         OptOutput* for out arguments.
3074         * inspector/agents/InspectorDebuggerAgent.h: Ditto.
3075
3076         * inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
3077         (Inspector::InspectorHeapAgent::getPreview): Use std::optional& instead of OptOutput*
3078         for out arguments.
3079         * inspector/agents/InspectorHeapAgent.h: Ditto.
3080
3081         * inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
3082         (Inspector::InspectorRuntimeAgent::parse): Use std::optional& instead of OptOutput*
3083         for out arguments.
3084         (Inspector::InspectorRuntimeAgent::evaluate): Ditto.
3085         (Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
3086         (Inspector::InspectorRuntimeAgent::saveResult): Ditto.
3087         * inspector/agents/InspectorRuntimeAgent.h: Ditto.
3088
3089         * inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
3090         and removed some bogus const.
3091         * inspector/agents/InspectorScriptProfilerAgent.h: Ditto.
3092
3093         * inspector/scripts/codegen/cpp_generator.py:
3094         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
3095         (CppGenerator.cpp_type_for_type_with_name): Ditto.
3096         (CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
3097         Inspector::Protocol::OptOutput*.
3098         (CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
3099         (CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
3100         (CppGenerator.cpp_type_for_stack_out_parameter): Ditto.
3101
3102         * inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
3103         conditional around assertion code which will now compile to nothing if ASSERT is disabled.
3104         Build strings more simply in a few cases.
3105
3106         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3107         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
3108         Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
3109         replaces OptOutput here.
3110         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3111         Pass by reference instead of pointer now.
3112
3113         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3114         Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
3115         if ASSERT is disabled.
3116
3117         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3118         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
3119         the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
3120         (CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.
3121
3122         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3123         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
3124         more simply.
3125
3126         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3127         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3128         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3129         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3130         Rebaselined.
3131
3132 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
3133
3134         Unreviewed, roll out r228366 since it did not progress anything.
3135
3136         * heap/Heap.cpp:
3137         (JSC::Heap::finalizeUnconditionalFinalizers):
3138         * runtime/ErrorInstance.cpp:
3139         (JSC::ErrorInstance::visitChildren):
3140         (JSC::ErrorInstance::finalizeUnconditionally): Deleted.
3141         * runtime/ErrorInstance.h:
3142         (JSC::ErrorInstance::stackTrace):
3143         (JSC::ErrorInstance::subspaceFor): Deleted.
3144         * runtime/Exception.cpp:
3145         (JSC::Exception::visitChildren):
3146         (JSC::Exception::finalizeUnconditionally): Deleted.
3147         * runtime/Exception.h:
3148         * runtime/StackFrame.cpp:
3149         (JSC::StackFrame::visitChildren):
3150         (JSC::StackFrame::isFinalizationCandidate): Deleted.
3151         (JSC::StackFrame::finalizeUnconditionally): Deleted.
3152         * runtime/StackFrame.h:
3153         * runtime/VM.cpp:
3154         (JSC::VM::VM):
3155         * runtime/VM.h:
3156
3157 2018-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3158
3159         [JSC] Remove monotonicallyIncreasingTime and currentTime
3160         https://bugs.webkit.org/show_bug.cgi?id=182793
3161
3162         Reviewed by Saam Barati.
3163
3164         We would like to drop monotonicallyIncreasingTime and currentTime from our tree by
3165         replacing them with MonotonicTime and WallTime, which are well-typed alternatives,
3166         compared to double.
3167         This patch removes monotonicallyIncreasingTime and currentTime in JSC.
3168
3169         * b3/testb3.cpp:
3170         (JSC::B3::testComplex):
3171         * dfg/DFGPhase.h:
3172         (JSC::DFG::runAndLog):
3173         * dfg/DFGPlan.cpp:
3174         (JSC::DFG::Plan::compileInThread):
3175         (JSC::DFG::Plan::compileInThreadImpl):
3176         * dfg/DFGPlan.h:
3177         * dynbench.cpp:
3178         (JSC::benchmarkImpl):
3179         * heap/BlockDirectory.cpp:
3180         (JSC::BlockDirectory::isPagedOut):
3181         * heap/BlockDirectory.h:
3182         * heap/FullGCActivityCallback.cpp:
3183         (JSC::FullGCActivityCallback::doCollection):
3184         * heap/Heap.cpp:
3185         (JSC::Heap::isPagedOut):
3186         (JSC::Heap::sweepSynchronously):
3187         * heap/Heap.h:
3188         * heap/MarkedSpace.cpp:
3189         (JSC::MarkedSpace::isPagedOut):
3190         * heap/MarkedSpace.h:
3191         * inspector/agents/InspectorConsoleAgent.cpp:
3192         (Inspector::InspectorConsoleAgent::startTiming):
3193         (Inspector::InspectorConsoleAgent::stopTiming):
3194         * inspector/agents/InspectorConsoleAgent.h:
3195         * inspector/agents/InspectorRuntimeAgent.cpp:
3196         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3197         * jit/JIT.cpp:
3198         (JSC::JIT::compileWithoutLinking):
3199         (JSC::JIT::compileTimeStats):
3200         * jit/JIT.h:
3201         * jsc.cpp:
3202         (StopWatch::start):
3203         (StopWatch::stop):
3204         (StopWatch::getElapsedMS):
3205         (functionPreciseTime):
3206         (runJSC):
3207         * profiler/ProfilerDatabase.cpp:
3208         (JSC::Profiler::Database::logEvent):
3209         * profiler/ProfilerEvent.cpp:
3210         (JSC::Profiler::Event::toJS const):
3211         * profiler/ProfilerEvent.h:
3212         (JSC::Profiler::Event::Event):
3213         (JSC::Profiler::Event::time const):
3214         * runtime/CodeCache.cpp:
3215         (JSC::CodeCacheMap::pruneSlowCase):
3216         * runtime/CodeCache.h:
3217         (JSC::CodeCacheMap::CodeCacheMap):
3218         (JSC::CodeCacheMap::prune):
3219         * runtime/DateConstructor.cpp:
3220         (JSC::callDate):
3221         * runtime/TypeProfilerLog.cpp:
3222         (JSC::TypeProfilerLog::processLogEntries):
3223         * testRegExp.cpp:
3224         (StopWatch::start):
3225         (StopWatch::stop):
3226         (StopWatch::getElapsedMS):
3227
3228 2018-02-14  Keith Miller  <keith_miller@apple.com>
3229
3230         We should be able to jsDynamicCast from JSType when possible
3231         https://bugs.webkit.org/show_bug.cgi?id=182804
3232
3233         Reviewed by Filip Pizlo and Mark Lam.
3234
3235         This patch beefs up jsDynamicCast in some of the cases where we
3236         can use the JSType to quickly determine if a cell is a subclass of
3237         the desired type. Since all JSCells have a range of JSTypes they support,
3238         if there is a range exclusive to a class and all subclasses we can use
3239         that range to quickly determine if the cast should be successful.
3240
3241         Additionally, the JSValue versions of jsCast and jsDynamicCast now
3242         call the JSCell version after checking the value is a cell.
3243
3244         Finally, the casting functions have been moved to a new header,
3245         JSCast.h.
3246
3247         * JavaScriptCore.xcodeproj/project.pbxproj:
3248         * bytecode/CallVariant.h:
3249         * bytecode/CodeBlock.h:
3250         * bytecode/ExecutableToCodeBlockEdge.h:
3251         * bytecode/TrackedReferences.h:
3252         * bytecode/UnlinkedCodeBlock.h:
3253         * bytecode/UnlinkedFunctionExecutable.h:
3254         * dfg/DFGAbstractValue.h:
3255         * dfg/DFGCommonData.h:
3256         * dfg/DFGFrozenValue.h:
3257         * dfg/DFGStructureAbstractValue.h:
3258         * heap/CellContainerInlines.h:
3259         * heap/ConservativeRoots.cpp:
3260         * heap/GCLogging.cpp:
3261         * heap/HeapInlines.h:
3262         * heap/HeapSnapshotBuilder.cpp:
3263         * heap/MarkedBlock.cpp:
3264         * heap/MarkedBlockInlines.h:
3265         * heap/SubspaceInlines.h:
3266         * heap/WeakInlines.h:
3267         * jit/JITOpcodes.cpp:
3268         * jit/JITOpcodes32_64.cpp:
3269         * llint/LLIntOffsetsExtractor.cpp:
3270         * runtime/ArrayBufferNeuteringWatchpoint.h:
3271         * runtime/BigIntPrototype.cpp:
3272         * runtime/ClassInfo.h:
3273         * runtime/CustomGetterSetter.h:
3274         * runtime/FunctionRareData.h:
3275         * runtime/GetterSetter.h:
3276         * runtime/InferredType.h:
3277         * runtime/InferredTypeTable.h:
3278         * runtime/InferredValue.h:
3279         * runtime/InternalFunction.cpp:
3280         (JSC::InternalFunction::finishCreation):
3281         * runtime/JSAPIValueWrapper.h:
3282         * runtime/JSArray.h:
3283         (JSC::JSArray::finishCreation):
3284         * runtime/JSArrayBufferView.cpp:
3285         (JSC::JSArrayBufferView::finishCreation):
3286         * runtime/JSCast.h: Added.
3287         (JSC::jsCast):
3288         (JSC::JSCastingHelpers::jsDynamicCastGenericImpl):
3289         (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl):
3290         (JSC::JSCastingHelpers::JSDynamicCastTraits::cast):
3291         (JSC::jsDynamicCast):
3292         * runtime/JSCell.cpp:
3293         * runtime/JSCell.h:
3294         (JSC::jsCast): Deleted.
3295         (JSC::jsDynamicCast): Deleted.
3296         * runtime/JSCellInlines.h:
3297         * runtime/JSFunction.cpp:
3298         (JSC::JSFunction::finishCreation):
3299         * runtime/JSJob.h:
3300         * runtime/JSObject.h:
3301         (JSC::JSObject::finishCreation):
3302         * runtime/JSPromiseDeferred.h:
3303         * runtime/JSPropertyNameEnumerator.h:
3304         * runtime/NativeStdFunctionCell.h:
3305         * runtime/ScopedArgumentsTable.h:
3306         * runtime/SparseArrayValueMap.h:
3307         * runtime/Structure.h:
3308         * runtime/StructureChain.h:
3309         * runtime/StructureRareData.h:
3310         * tools/CellProfile.h:
3311         * wasm/js/JSWebAssemblyCodeBlock.h:
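
        Added sketch (not WebKit's JSCast.h) of the JSType-range fast path this entry describes: JSObject and all of its subclasses occupy one contiguous block of JSTypes, so the cast is two compares, while a class without an exclusive range falls back to walking the ClassInfo parent chain. The enum layout, ClassInfo shape and class names are assumptions.

```cpp
#include <cstdint>

// Assumed layout: JSObject and every subclass form one contiguous block.
enum JSType : uint8_t {
    CellType, StringType, SymbolType,
    ObjectType, FinalObjectType, ArrayType, FunctionType,
    LastObjectType = FunctionType,   // closes the range exclusive to JSObject
};

struct ClassInfo { const ClassInfo* parent; };

struct JSCell {
    JSType type;
    const ClassInfo* classInfo;
    JSCell(JSType t, const ClassInfo* ci) : type(t), classInfo(ci) {}
    // Generic path: walk the ClassInfo parent chain (the old jsDynamicCast check).
    bool inherits(const ClassInfo* target) const {
        for (const ClassInfo* c = classInfo; c; c = c->parent)
            if (c == target) return true;
        return false;
    }
};
struct JSString : JSCell { JSString(JSType t, const ClassInfo* ci) : JSCell(t, ci) {} static const ClassInfo s_info; };
struct JSObject : JSCell { JSObject(JSType t, const ClassInfo* ci) : JSCell(t, ci) {} static const ClassInfo s_info; };
struct JSArray : JSObject { JSArray(JSType t, const ClassInfo* ci) : JSObject(t, ci) {} static const ClassInfo s_info; };
const ClassInfo JSString::s_info = { nullptr };
const ClassInfo JSObject::s_info = { nullptr };
const ClassInfo JSArray::s_info = { &JSObject::s_info };

// Default: no exclusive JSType range known for To, so use the parent-chain walk.
template<typename To> struct JSDynamicCastTraits {
    static bool check(const JSCell* cell) { return cell->inherits(&To::s_info); }
};
// JSObject owns [ObjectType, LastObjectType], so a range test decides the cast.
template<> struct JSDynamicCastTraits<JSObject> {
    static bool check(const JSCell* cell) {
        return cell->type >= ObjectType && cell->type <= LastObjectType;
    }
};
template<typename To> To* jsDynamicCast(JSCell* cell) {
    return JSDynamicCastTraits<To>::check(cell) ? static_cast<To*>(cell) : nullptr;
}

// Constructed sample cells exercising both the range path and the generic path.
bool arrayCastsToObject()  { JSArray a(ArrayType, &JSArray::s_info);    return jsDynamicCast<JSObject>(&a) != nullptr; }
bool stringCastsToObject() { JSString s(StringType, &JSString::s_info); return jsDynamicCast<JSObject>(&s) != nullptr; }
bool arrayCastsToArray()   { JSArray a(ArrayType, &JSArray::s_info);    return jsDynamicCast<JSArray>(&a) != nullptr; }
bool objectCastsToArray()  { JSObject o(ObjectType, &JSObject::s_info); return jsDynamicCast<JSArray>(&o) != nullptr; }
```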
3312
3313 2018-02-14  Michael Saboff  <msaboff@apple.com>
3314
3315         Crash: triggerOMGTierUpThunkGenerator() doesn't align the stack pointer before calling C++ code
3316         https://bugs.webkit.org/show_bug.cgi?id=182808
3317
3318         Reviewed by Keith Miller.
3319
3320         Set up a proper frame with a prologue and epilogue to align the stack pointer for the rest of the
3321         thunk.
3322
3323         * wasm/WasmThunks.cpp:
3324         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3325
3326 2018-02-14  Saam Barati  <sbarati@apple.com>
3327
3328         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
3329         https://bugs.webkit.org/show_bug.cgi?id=182801
3330
3331         Reviewed by Keith Miller.
3332
3333         VMTraps would sometimes install traps when it paused the JS thread when it
3334         was in C code. This is wrong, as installing traps mallocs, and the JS thread
3335         may have been holding the malloc lock while in C code. This could lead to a
3336         deadlock when C code was holding the malloc lock.
3337         
3338         This patch makes it so that we only install traps when we've proven the PC
3339         is in JIT or LLInt code. If we're in JIT/LLInt code, we are guaranteed that
3340         we're not holding the malloc lock.
3341
3342         * jsc.cpp:
3343         (GlobalObject::finishCreation):
3344         (functionMallocInALoop):
3345         * runtime/VMTraps.cpp:
3346         (JSC::VMTraps::tryInstallTrapBreakpoints):
3347
3348 2018-02-14  Michael Saboff  <msaboff@apple.com>
3349
3350         REGRESSION(225695) : com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::RegExp::match + 630 :: stack overflow
3351         https://bugs.webkit.org/show_bug.cgi?id=182705
3352
3353         Reviewed by Mark Lam.
3354
3355         Moved the pattern context buffer used by YARR JIT'ed code from a stack local to a lazily allocated
3356         buffer on the VM.  Exposed when the buffer is needed to reduce the likelihood that we'd allocate it.
3357         Guarded use of the buffer with a lock since the DFG compiler may call into YARR JIT'ed code on a
3358         compilation thread.
3359
3360         * runtime/RegExpInlines.h:
3361         (JSC::RegExp::matchInline):
3362         * runtime/VM.cpp:
3363         (JSC::VM::~VM):
3364         (JSC::VM::acquireRegExpPatternContexBuffer):
3365         (JSC::VM::releaseRegExpPatternContexBuffer):
3366         * runtime/VM.h:
3367         * yarr/YarrJIT.cpp: