[DFG][FTL] Make ArraySlice(0) code tight
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [DFG][FTL] Make ArraySlice(0) code tight
4         https://bugs.webkit.org/show_bug.cgi?id=183590
5
6         Reviewed by Saam Barati.
7
8         This patch tightens ArraySlice code, in particular the startIndex = 0 case.
9
10         1. We support the array.slice() call. This is a well-used way to clone an array.
11         For example, underscore.js uses this technique.
12
13         2. We remove several checks if the given index value is a proven constant.
14
15         * dfg/DFGBackwardsPropagationPhase.cpp:
16         (JSC::DFG::BackwardsPropagationPhase::propagate):
17         * dfg/DFGByteCodeParser.cpp:
18         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
19         * dfg/DFGFixupPhase.cpp:
20         (JSC::DFG::FixupPhase::fixupNode):
21         * dfg/DFGSpeculativeJIT.cpp:
22         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
23         (JSC::DFG::SpeculativeJIT::compileArraySlice):
24         We can skip some of the checks if the given value is a proven constant.
25
26         * ftl/FTLLowerDFGToB3.cpp:
27         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
28         Change below to belowOrEqual. It does not change the meaning of the code, but it allows us
29         to fold BelowEqual(0, x) to true.
30
31 2018-03-19  Yusuke Suzuki  <utatane.tea@gmail.com>
32
33         Drop s_exceptionInstructions static initializer
34         https://bugs.webkit.org/show_bug.cgi?id=183732
35
36         Reviewed by Darin Adler.
37
38         Make Instruction constructor constexpr to drop the static constructor
39         of LLInt::Data::s_exceptionInstructions.
40
41         * bytecode/Instruction.h:
42         (JSC::Instruction::Instruction):
43
44 2018-03-19  Dan Bernstein  <mitz@apple.com>
45
46         Investigate why __cpu_indicator_init is used
47         https://bugs.webkit.org/show_bug.cgi?id=183736
48
49         Reviewed by Tim Horton.
50
51         __cpu_indicator_init, which is a global initializer, was included in JavaScriptCore because
52         we were passing the -all_load option to the linker, causing it to bring in all members of
53         every static library being linked in, including the compiler runtime library. We only need
54         to load all members of WTF. The linker option for doing that is -force_load, and it requires
55         a path to the library. To support building against libWTF.a built locally as well as against
56         the copy that is in the SDK, we add a script build phase that places a symbolic link to the
57         appropriate libWTF.a under the DerivedSources directory, and pass the path to that symlink
58         to the linker. Also, while cleaning up linker flags, make OTHER_LDFLAGS_HIDE_SYMBOLS less
59         verbose by eliminating every other -Wl, remove redundant -lobjc (libobjc is already listed
60         in the Link Binary With Libraries build phase), remove long-unsupported -Y,3, and stop
61         reexporting libobjc.
62
63         * Configurations/JavaScriptCore.xcconfig:
64         * JavaScriptCore.xcodeproj/project.pbxproj:
65
66 2018-03-19  Jiewen Tan  <jiewen_tan@apple.com>
67
68         Unreviewed, another quick fix for r229699
69
70         Restricts ENABLE_WEB_AUTHN to only macOS and iOS.
71
72         * Configurations/FeatureDefines.xcconfig:
73
74 2018-03-19  Mark Lam  <mark.lam@apple.com>
75
76         FunctionPtr should be passed by value.
77         https://bugs.webkit.org/show_bug.cgi?id=183746
78         <rdar://problem/38625311>
79
80         Reviewed by JF Bastien.
81
82         It's meant to be an encapsulation of a C/C++ function pointer.  There are cases
83         where we use it to pass JIT compiled code (e.g. the VM thunks/stubs), but they are
84         treated as if they are C/C++ functions.
85
86         Regardless, there's no need to pass it by reference.
87
88         * assembler/MacroAssemblerCodeRef.h:
89         * dfg/DFGJITCompiler.h:
90         (JSC::DFG::JITCompiler::appendCall):
91         * dfg/DFGSpeculativeJIT.h:
92         (JSC::DFG::SpeculativeJIT::appendCall):
93         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
94         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
95         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
96         * jit/JIT.h:
97         (JSC::JIT::appendCall):
98         (JSC::JIT::appendCallWithSlowPathReturnType):
99         * jit/JITInlines.h:
100         (JSC::JIT::appendCallWithExceptionCheck):
101         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
102         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
103         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
104         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
105
106 2018-03-15  Ross Kirsling  <ross.kirsling@sony.com>
107
108         Fix MSVC run-time check after r229391. 
109         https://bugs.webkit.org/show_bug.cgi?id=183673
110
111         Reviewed by Keith Miller.
112
113         Replaces attempted fix from r229424/r229432.
114         Apparently MSVC doesn't like it when a zero-length std::array is defined without explicit braces.
115
116         * jit/CCallHelpers.h:
117         (JSC::CCallHelpers::clampArrayToSize):
118
119 2018-03-15  Tim Horton  <timothy_horton@apple.com>
120
121         Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in ANGLE
122         https://bugs.webkit.org/show_bug.cgi?id=183675
123         <rdar://problem/38515281>
124
125         Reviewed by Dan Bernstein.
126
127         * JavaScriptCore.xcodeproj/project.pbxproj:
128         Don't install the JSC alias if we're installing to an alternate location.
129         This should have been a part of r229637.
130
131 2018-03-15  Tim Horton  <timothy_horton@apple.com>
132
133         Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in JavaScriptCore
134         https://bugs.webkit.org/show_bug.cgi?id=183649
135         <rdar://problem/38480526>
136
137         Reviewed by Dan Bernstein.
138
139         * Configurations/Base.xcconfig:
140         * JavaScriptCore.xcodeproj/project.pbxproj:
141
142 2018-03-14  Mark Lam  <mark.lam@apple.com>
143
144         Enhance the MacroAssembler and LinkBuffer to support pointer profiling.
145         https://bugs.webkit.org/show_bug.cgi?id=183623
146         <rdar://problem/38443314>
147
148         Reviewed by Michael Saboff.
149
150         1. Added a PtrTag argument to indirect call() and indirect jump() MacroAssembler
151            emitters to support pointer profiling.
152
153         2. Also added tagPtr(), untagPtr(), and removePtrTag() placeholder methods.
154
155         3. Added a PtrTag to LinkBuffer finalizeCodeWithoutDisassembly() and clients.
156
157         4. Updated clients to pass a PtrTag.  For the most part, I just apply NoPtrTag as
158            a placeholder until we have time to analyze what pointer profile each client
159            site has later.
160     
161         5. Apply PtrTags to the YarrJIT.
162
163         * assembler/ARM64Assembler.h:
164         (JSC::ARM64Assembler::linkJumpOrCall):
165         * assembler/AbstractMacroAssembler.h:
166         (JSC::AbstractMacroAssembler::getLinkerAddress):
167         (JSC::AbstractMacroAssembler::tagPtr):
168         (JSC::AbstractMacroAssembler::untagPtr):
169         (JSC::AbstractMacroAssembler::removePtrTag):
170         * assembler/LinkBuffer.cpp:
171         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
172         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
173         * assembler/LinkBuffer.h:
174         (JSC::LinkBuffer::link):
175         (JSC::LinkBuffer::locationOfNearCall):
176         (JSC::LinkBuffer::locationOf):
177         * assembler/MacroAssemblerARM.h:
178         (JSC::MacroAssemblerARM::jump):
179         (JSC::MacroAssemblerARM::call):
180         (JSC::MacroAssemblerARM::readCallTarget):
181         * assembler/MacroAssemblerARM64.h:
182         (JSC::MacroAssemblerARM64::call):
183         (JSC::MacroAssemblerARM64::jump):
184         (JSC::MacroAssemblerARM64::readCallTarget):
185         (JSC::MacroAssemblerARM64::linkCall):
186         * assembler/MacroAssemblerARMv7.h:
187         (JSC::MacroAssemblerARMv7::jump):
188         (JSC::MacroAssemblerARMv7::relativeTableJump):
189         (JSC::MacroAssemblerARMv7::call):
190         (JSC::MacroAssemblerARMv7::readCallTarget):
191         * assembler/MacroAssemblerCodeRef.cpp:
192         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
193         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
194         * assembler/MacroAssemblerCodeRef.h:
195         (JSC::FunctionPtr::FunctionPtr):
196         (JSC::FunctionPtr::value const):
197         (JSC::MacroAssemblerCodePtr:: const):
198         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
199         (JSC::MacroAssemblerCodeRef::retaggedCode const):
200         * assembler/MacroAssemblerMIPS.h:
201         (JSC::MacroAssemblerMIPS::jump):
202         (JSC::MacroAssemblerMIPS::call):
203         (JSC::MacroAssemblerMIPS::readCallTarget):
204         * assembler/MacroAssemblerX86.h:
205         (JSC::MacroAssemblerX86::call):
206         (JSC::MacroAssemblerX86::jump):
207         (JSC::MacroAssemblerX86::readCallTarget):
208         * assembler/MacroAssemblerX86Common.cpp:
209         (JSC::MacroAssembler::probe):
210         * assembler/MacroAssemblerX86Common.h:
211         (JSC::MacroAssemblerX86Common::jump):
212         (JSC::MacroAssemblerX86Common::call):
213         * assembler/MacroAssemblerX86_64.h:
214         (JSC::MacroAssemblerX86_64::call):
215         (JSC::MacroAssemblerX86_64::jump):
216         (JSC::MacroAssemblerX86_64::readCallTarget):
217         * assembler/testmasm.cpp:
218         (JSC::compile):
219         (JSC::invoke):
220         * b3/B3Compile.cpp:
221         (JSC::B3::compile):
222         * b3/B3LowerMacros.cpp:
223         * b3/air/AirCCallSpecial.cpp:
224         (JSC::B3::Air::CCallSpecial::generate):
225         * b3/air/testair.cpp:
226         * b3/testb3.cpp:
227         (JSC::B3::invoke):
228         (JSC::B3::testInterpreter):
229         (JSC::B3::testEntrySwitchSimple):
230         (JSC::B3::testEntrySwitchNoEntrySwitch):
231         (JSC::B3::testEntrySwitchWithCommonPaths):
232         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
233         (JSC::B3::testEntrySwitchLoop):
234         * bytecode/AccessCase.cpp:
235         (JSC::AccessCase::generateImpl):
236         * bytecode/AccessCaseSnippetParams.cpp:
237         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
238         * bytecode/InlineAccess.cpp:
239         (JSC::linkCodeInline):
240         (JSC::InlineAccess::rewireStubAsJump):
241         * bytecode/PolymorphicAccess.cpp:
242         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
243         (JSC::PolymorphicAccess::regenerate):
244         * dfg/DFGJITCompiler.cpp:
245         (JSC::DFG::JITCompiler::compileExceptionHandlers):
246         (JSC::DFG::JITCompiler::link):
247         (JSC::DFG::JITCompiler::compileFunction):
248         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
249         * dfg/DFGJITCompiler.h:
250         (JSC::DFG::JITCompiler::appendCall):
251         * dfg/DFGJITFinalizer.cpp:
252         (JSC::DFG::JITFinalizer::finalize):
253         (JSC::DFG::JITFinalizer::finalizeFunction):
254         * dfg/DFGOSRExit.cpp:
255         (JSC::DFG::OSRExit::emitRestoreArguments):
256         (JSC::DFG::OSRExit::compileOSRExit):
257         * dfg/DFGOSRExitCompilerCommon.cpp:
258         (JSC::DFG::handleExitCounts):
259         (JSC::DFG::osrWriteBarrier):
260         (JSC::DFG::adjustAndJumpToTarget):
261         * dfg/DFGSpeculativeJIT.cpp:
262         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
263         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
264         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
265         * dfg/DFGSpeculativeJIT64.cpp:
266         (JSC::DFG::SpeculativeJIT::compile):
267         * dfg/DFGThunks.cpp:
268         (JSC::DFG::osrExitThunkGenerator):
269         (JSC::DFG::osrExitGenerationThunkGenerator):
270         (JSC::DFG::osrEntryThunkGenerator):
271         * ftl/FTLCompile.cpp:
272         (JSC::FTL::compile):
273         * ftl/FTLJITFinalizer.cpp:
274         (JSC::FTL::JITFinalizer::finalizeCommon):
275         * ftl/FTLLazySlowPath.cpp:
276         (JSC::FTL::LazySlowPath::generate):
277         * ftl/FTLLink.cpp:
278         (JSC::FTL::link):
279         * ftl/FTLLowerDFGToB3.cpp:
280         (JSC::FTL::DFG::LowerDFGToB3::lower):
281         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
282         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
283         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
284         * ftl/FTLOSRExitCompiler.cpp:
285         (JSC::FTL::compileStub):
286         (JSC::FTL::compileFTLOSRExit):
287         * ftl/FTLSlowPathCall.cpp:
288         (JSC::FTL::SlowPathCallContext::makeCall):
289         * ftl/FTLThunks.cpp:
290         (JSC::FTL::genericGenerationThunkGenerator):
291         (JSC::FTL::osrExitGenerationThunkGenerator):
292         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
293         (JSC::FTL::slowPathCallThunkGenerator):
294         * jit/AssemblyHelpers.cpp:
295         (JSC::AssemblyHelpers::callExceptionFuzz):
296         (JSC::AssemblyHelpers::debugCall):
297         * jit/CCallHelpers.cpp:
298         (JSC::CCallHelpers::ensureShadowChickenPacket):
299         * jit/CCallHelpers.h:
300         (JSC::CCallHelpers::jumpToExceptionHandler):
301         * jit/ExecutableAllocator.cpp:
302         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
303         * jit/JIT.cpp:
304         (JSC::JIT::emitEnterOptimizationCheck):
305         (JSC::JIT::link):
306         (JSC::JIT::privateCompileExceptionHandlers):
307         * jit/JIT.h:
308         (JSC::JIT::appendCall):
309         * jit/JITMathIC.h:
310         (JSC::isProfileEmpty):
311         * jit/JITOpcodes.cpp:
312         (JSC::JIT::emit_op_catch):
313         (JSC::JIT::emit_op_switch_imm):
314         (JSC::JIT::emit_op_switch_char):
315         (JSC::JIT::emit_op_switch_string):
316         (JSC::JIT::emitSlow_op_loop_hint):
317         (JSC::JIT::privateCompileHasIndexedProperty):
318         * jit/JITOpcodes32_64.cpp:
319         (JSC::JIT::emit_op_catch):
320         (JSC::JIT::emit_op_switch_imm):
321         (JSC::JIT::emit_op_switch_char):
322         (JSC::JIT::emit_op_switch_string):
323         (JSC::JIT::privateCompileHasIndexedProperty):
324         * jit/JITPropertyAccess.cpp:
325         (JSC::JIT::stringGetByValStubGenerator):
326         (JSC::JIT::privateCompileGetByVal):
327         (JSC::JIT::privateCompileGetByValWithCachedId):
328         (JSC::JIT::privateCompilePutByVal):
329         (JSC::JIT::privateCompilePutByValWithCachedId):
330         * jit/JITPropertyAccess32_64.cpp:
331         (JSC::JIT::stringGetByValStubGenerator):
332         * jit/JITStubRoutine.h:
333         * jit/Repatch.cpp:
334         (JSC::readCallTarget):
335         (JSC::appropriateOptimizingPutByIdFunction):
336         (JSC::linkPolymorphicCall):
337         (JSC::resetPutByID):
338         * jit/SlowPathCall.h:
339         (JSC::JITSlowPathCall::call):
340         * jit/SpecializedThunkJIT.h:
341         (JSC::SpecializedThunkJIT::finalize):
342         (JSC::SpecializedThunkJIT::callDoubleToDouble):
343         * jit/ThunkGenerators.cpp:
344         (JSC::throwExceptionFromCallSlowPathGenerator):
345         (JSC::slowPathFor):
346         (JSC::linkCallThunkGenerator):
347         (JSC::linkPolymorphicCallThunkGenerator):
348         (JSC::virtualThunkFor):
349         (JSC::nativeForGenerator):
350         (JSC::arityFixupGenerator):
351         (JSC::unreachableGenerator):
352         (JSC::boundThisNoArgsFunctionCallGenerator):
353         * llint/LLIntThunks.cpp:
354         (JSC::LLInt::generateThunkWithJumpTo):
355         (JSC::LLInt::functionForCallEntryThunkGenerator):
356         (JSC::LLInt::functionForConstructEntryThunkGenerator):
357         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
358         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
359         (JSC::LLInt::evalEntryThunkGenerator):
360         (JSC::LLInt::programEntryThunkGenerator):
361         (JSC::LLInt::moduleProgramEntryThunkGenerator):
362         * runtime/PtrTag.h:
363         * wasm/WasmB3IRGenerator.cpp:
364         (JSC::Wasm::B3IRGenerator::addCall):
365         (JSC::Wasm::B3IRGenerator::addCallIndirect):
366         * wasm/WasmBBQPlan.cpp:
367         (JSC::Wasm::BBQPlan::complete):
368         * wasm/WasmBinding.cpp:
369         (JSC::Wasm::wasmToWasm):
370         * wasm/WasmOMGPlan.cpp:
371         (JSC::Wasm::OMGPlan::work):
372         * wasm/WasmThunks.cpp:
373         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
374         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
375         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
376         * wasm/js/WasmToJS.cpp:
377         (JSC::Wasm::handleBadI64Use):
378         (JSC::Wasm::wasmToJS):
379         * yarr/YarrJIT.cpp:
380         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
381         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
382         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
383         (JSC::Yarr::YarrGenerator::generateEnter):
384         (JSC::Yarr::YarrGenerator::YarrGenerator):
385         (JSC::Yarr::YarrGenerator::compile):
386         (JSC::Yarr::jitCompile):
387         * yarr/YarrJIT.h:
388         (JSC::Yarr::YarrCodeBlock::execute):
389
390 2018-03-14  Caitlin Potter  <caitp@igalia.com>
391
392         [JSC] fix order of evaluation for ClassDefinitionEvaluation
393         https://bugs.webkit.org/show_bug.cgi?id=183523
394
395         Reviewed by Keith Miller.
396
397         Computed property names need to be evaluated in source order during class
398         definition evaluation, as it's observable (and specified to work this way).
399
400         This change improves compatibility with Chromium.
401
402         * bytecompiler/BytecodeGenerator.h:
403         (JSC::BytecodeGenerator::emitDefineClassElements):
404         * bytecompiler/NodesCodegen.cpp:
405         (JSC::PropertyListNode::emitBytecode):
406         (JSC::ClassExprNode::emitBytecode):
407         * parser/ASTBuilder.h:
408         (JSC::ASTBuilder::createClassExpr):
409         (JSC::ASTBuilder::createGetterOrSetterProperty):
410         (JSC::ASTBuilder::createProperty):
411         * parser/NodeConstructors.h:
412         (JSC::PropertyNode::PropertyNode):
413         (JSC::ClassExprNode::ClassExprNode):
414         * parser/Nodes.cpp:
415         (JSC::PropertyListNode::hasStaticallyNamedProperty):
416         * parser/Nodes.h:
417         (JSC::PropertyNode::isClassProperty const):
418         (JSC::PropertyNode::isStaticClassProperty const):
419         (JSC::PropertyNode::isInstanceClassProperty const):
420         * parser/Parser.cpp:
421         (JSC::Parser<LexerType>::parseClass):
422         (JSC::Parser<LexerType>::parseProperty):
423         (JSC::Parser<LexerType>::parseGetterSetter):
424         * parser/Parser.h:
425         * parser/SyntaxChecker.h:
426         (JSC::SyntaxChecker::createClassExpr):
427         (JSC::SyntaxChecker::createProperty):
428         (JSC::SyntaxChecker::createGetterOrSetterProperty):
429
430 2018-03-14  Keith Miller  <keith_miller@apple.com>
431
432         Move jsc CLI breakpoint function to $vm
433         https://bugs.webkit.org/show_bug.cgi?id=183512
434
435         Reviewed by Yusuke Suzuki.
436
437         * jsc.cpp:
438         (GlobalObject::finishCreation):
439         (functionBreakpoint): Deleted.
440         * tools/JSDollarVM.cpp:
441         (JSC::functionBreakpoint):
442         (JSC::JSDollarVM::finishCreation):
443
444 2018-03-14  Tim Horton  <timothy_horton@apple.com>
445
446         Fix the build after r229567
447
448         * Configurations/FeatureDefines.xcconfig:
449
450 2018-03-12  Mark Lam  <mark.lam@apple.com>
451
452         Gardening: speculative build fix for WinCairo.
453         https://bugs.webkit.org/show_bug.cgi?id=183573
454
455         Not reviewed.
456
457         * runtime/NativeFunction.h:
458         (JSC::TaggedNativeFunction::TaggedNativeFunction):
459
460 2018-03-12  Yusuke Suzuki  <utatane.tea@gmail.com>
461
462         Unreviewed, fix obsolete ASSERT
463         https://bugs.webkit.org/show_bug.cgi?id=183310
464
465         Now NewObject can be converted from CallObjectConstructor and CreateThis.
466
467         * dfg/DFGNode.h:
468         (JSC::DFG::Node::convertToNewObject):
469
470 2018-03-12  Tim Horton  <timothy_horton@apple.com>
471
472         Stop using SDK conditionals to control feature definitions
473         https://bugs.webkit.org/show_bug.cgi?id=183430
474         <rdar://problem/38251619>
475
476         Reviewed by Dan Bernstein.
477
478         * Configurations/FeatureDefines.xcconfig:
479         * Configurations/WebKitTargetConditionals.xcconfig: Renamed.
480
481 2018-03-12  Yoav Weiss  <yoav@yoav.ws>
482
483         Runtime flag for link prefetch and remove link subresource.
484         https://bugs.webkit.org/show_bug.cgi?id=183540
485
486         Reviewed by Chris Dumez.
487
488         Remove the LINK_PREFETCH build time flag.
489
490         * Configurations/FeatureDefines.xcconfig:
491
492 2018-03-12  Mark Lam  <mark.lam@apple.com>
493
494         Gardening: speculative build fix for Windows.
495         https://bugs.webkit.org/show_bug.cgi?id=183573
496
497         Not reviewed.
498
499         * runtime/NativeFunction.h:
500         (JSC::TaggedNativeFunction::TaggedNativeFunction):
501
502 2018-03-12  Mark Lam  <mark.lam@apple.com>
503
504         Add another PtrTag.
505         https://bugs.webkit.org/show_bug.cgi?id=183580
506         <rdar://problem/38390584>
507
508         Reviewed by Keith Miller.
509
510         * runtime/PtrTag.h:
511
512 2018-03-12  Mark Lam  <mark.lam@apple.com>
513
514         Make a NativeFunction into a class to support pointer profiling.
515         https://bugs.webkit.org/show_bug.cgi?id=183573
516         <rdar://problem/38384697>
517
518         Reviewed by Filip Pizlo.
519
520         1. NativeFunction is now a class, and introducing RawNativeFunction and
521            TaggedNativeFunction.
522
523            RawNativeFunction is the raw pointer type (equivalent
524            to the old definition of NativeFunction).  This is mainly used for underlying
525            storage inside the NativeFunction class, and also for global data tables that
526            cannot embed non-trivially constructed objects.
527
528            NativeFunction's role is mainly to encapsulate a pointer to a C function that
529            we pass into the VM.
530
531            TaggedNativeFunction encapsulates the tagged version of a pointer to a C
532            function that we track in the VM.
533
534         2. Added a convenience constructor for TrustedImmPtr so that we don't have to
535            cast function pointers to void* anymore when constructing a TrustedImmPtr.
536
537         3. Removed the unused CALL_RETURN macro in CommonSlowPaths.cpp.
538
539         4. Added more PtrTag utility functions.
540
541         * CMakeLists.txt:
542         * JavaScriptCore.xcodeproj/project.pbxproj:
543         * assembler/AbstractMacroAssembler.h:
544         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
545         * create_hash_table:
546         * interpreter/Interpreter.cpp:
547         (JSC::Interpreter::executeCall):
548         (JSC::Interpreter::executeConstruct):
549         * interpreter/InterpreterInlines.h:
550         (JSC::Interpreter::getOpcodeID):
551         * jit/JITThunks.cpp:
552         (JSC::JITThunks::hostFunctionStub):
553         * jit/JITThunks.h:
554         * llint/LLIntData.cpp:
555         (JSC::LLInt::initialize):
556         * llint/LLIntSlowPaths.cpp:
557         (JSC::LLInt::setUpCall):
558         * llint/LowLevelInterpreter.asm:
559         * llint/LowLevelInterpreter.cpp:
560         (JSC::CLoop::execute):
561         * llint/LowLevelInterpreter64.asm:
562         * offlineasm/ast.rb:
563         * runtime/CallData.h:
564         * runtime/CommonSlowPaths.cpp:
565         * runtime/ConstructData.h:
566         * runtime/InternalFunction.h:
567         (JSC::InternalFunction::nativeFunctionFor):
568         * runtime/JSCell.cpp:
569         (JSC::JSCell::getCallData):
570         (JSC::JSCell::getConstructData):
571         * runtime/JSFunction.h:
572         * runtime/JSFunctionInlines.h:
573         (JSC::JSFunction::nativeFunction):
574         (JSC::JSFunction::nativeConstructor):
575         (JSC::isHostFunction):
576         * runtime/Lookup.h:
577         (JSC::HashTableValue::function const):
578         (JSC::HashTableValue::accessorGetter const):
579         (JSC::HashTableValue::accessorSetter const):
580         (JSC::nonCachingStaticFunctionGetter):
581         * runtime/NativeExecutable.cpp:
582         (JSC::NativeExecutable::create):
583         (JSC::NativeExecutable::NativeExecutable):
584         * runtime/NativeExecutable.h:
585         * runtime/NativeFunction.h: Added.
586         (JSC::NativeFunction::NativeFunction):
587         (JSC::NativeFunction::operator intptr_t const):
588         (JSC::NativeFunction::operator bool const):
589         (JSC::NativeFunction::operator! const):
590         (JSC::NativeFunction::operator== const):
591         (JSC::NativeFunction::operator!= const):
592         (JSC::NativeFunction::operator()):
593         (JSC::NativeFunction::rawPointer const):
594         (JSC::NativeFunctionHash::hash):
595         (JSC::NativeFunctionHash::equal):
596         (JSC::TaggedNativeFunction::TaggedNativeFunction):
597         (JSC::TaggedNativeFunction::operator bool const):
598         (JSC::TaggedNativeFunction::operator! const):
599         (JSC::TaggedNativeFunction::operator== const):
600         (JSC::TaggedNativeFunction::operator!= const):
601         (JSC::TaggedNativeFunction::operator()):
602         (JSC::TaggedNativeFunction::operator NativeFunction):
603         (JSC::TaggedNativeFunction::rawPointer const):
604         (JSC::TaggedNativeFunctionHash::hash):
605         (JSC::TaggedNativeFunctionHash::equal):
606         * runtime/PtrTag.h:
607         (JSC::tagCFunctionPtr):
608         (JSC::untagCFunctionPtr):
609         * runtime/VM.h:
610         (JSC::VM::targetMachinePCForThrowOffset): Deleted.
611
612 2018-03-12  Filip Pizlo  <fpizlo@apple.com>
613
614         Unreviewed, fix simple goof that was causing 32-bit DFG crashes.
615
616         * dfg/DFGSpeculativeJIT.cpp:
617         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
618
619 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
620
621         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
622         https://bugs.webkit.org/show_bug.cgi?id=183310
623
624         Reviewed by Filip Pizlo.
625
626         This patch implements CreateThis -> NewObject conversion in AI if the given function is constant.
627         This contributes to a 6% win in Octane/raytrace.
628
629                                         baseline                  patched
630
631             raytrace       x2       1.19915+-0.01862    ^     1.13156+-0.01589       ^ definitely 1.0597x faster
632
633         * dfg/DFGAbstractInterpreterInlines.h:
634         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
635         * dfg/DFGConstantFoldingPhase.cpp:
636         (JSC::DFG::ConstantFoldingPhase::foldConstants):
637
638 2018-03-11  Wenson Hsieh  <wenson_hsieh@apple.com>
639
640         Disable Sigill crash analyzer on watchOS
641         https://bugs.webkit.org/show_bug.cgi?id=183548
642         <rdar://problem/38338032>
643
644         Reviewed by Mark Lam.
645
646         Sigill is not supported on watchOS.
647
648         * runtime/Options.cpp:
649         (JSC::overrideDefaults):
650
651 2018-03-09  Filip Pizlo  <fpizlo@apple.com>
652
653         Split DirectArguments into JSValueOOB and JSValueStrict parts
654         https://bugs.webkit.org/show_bug.cgi?id=183458
655
656         Reviewed by Yusuke Suzuki.
657         
658         Our Spectre plan for JSValue objects is to allow inline JSValue stores and loads guarded by
659         unmitigated structure checks. This works because objects reachable from JSValues (i.e. JSValue
660         objects, like String, Symbol, and any descendant of JSObject) will only contain fields that it's OK
661         to read and write within a Spectre mitigation window. Writes are important, because within the
662         window, a write could appear to be made speculatively and rolled out later. This means that:
663         
664         - JSValue objects cannot have lengths, masks, or anything else inline.
665         
666         - JSValue objects cannot have an inline type that is used as part of a Spectre mitigation for a type
667           check, unless that type is in the form of a poison key.
668         
669         This means that the dynamic poisoning that I previously landed for DirectArguments is wrong. It also
670         means that it's wrong for DirectArguments to have an inline length.
671         
672         This changes DirectArguments to use poisoning according to the universal formula:
673         
674         - The random accessed portions are out-of-line, pointed to by a poisoned pointer.
675         
676         - No inline length.
677         
678         Surprisingly, this is perf-neutral. It's probably perf-neutral because our compiler optimizations
679         amortize whatever cost there was.
680
681         * bytecode/AccessCase.cpp:
682         (JSC::AccessCase::generateWithGuard):
683         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
684         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
685         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Added.
686         (JSC::DFG::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator):
687         * dfg/DFGSpeculativeJIT.cpp:
688         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
689         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
690         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
691         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
692         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
693         * ftl/FTLAbstractHeapRepository.h:
694         * ftl/FTLLowerDFGToB3.cpp:
695         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
696         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
697         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
698         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
699         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
700         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
701         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell):
702         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
703         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
704         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
705         * heap/SecurityKind.h:
706         * jit/JITPropertyAccess.cpp:
707         (JSC::JIT::emit_op_get_from_arguments):
708         (JSC::JIT::emit_op_put_to_arguments):
709         (JSC::JIT::emitDirectArgumentsGetByVal):
710         * jit/JITPropertyAccess32_64.cpp:
711         (JSC::JIT::emit_op_get_from_arguments):
712         (JSC::JIT::emit_op_put_to_arguments):
713         * llint/LowLevelInterpreter.asm:
714         * llint/LowLevelInterpreter32_64.asm:
715         * llint/LowLevelInterpreter64.asm:
716         * runtime/DirectArguments.cpp:
717         (JSC::DirectArguments::DirectArguments):
718         (JSC::DirectArguments::createUninitialized):
719         (JSC::DirectArguments::create):
720         (JSC::DirectArguments::createByCopying):
721         (JSC::DirectArguments::estimatedSize):
722         (JSC::DirectArguments::visitChildren):
723         (JSC::DirectArguments::overrideThings):
724         (JSC::DirectArguments::copyToArguments):
725         (JSC::DirectArguments::mappedArgumentsSize):
726         * runtime/DirectArguments.h:
727         * runtime/JSCPoison.h:
728         * runtime/JSLexicalEnvironment.h:
729         * runtime/JSSymbolTableObject.h:
730         * runtime/VM.cpp:
731         (JSC::VM::VM):
732         * runtime/VM.h:
733
734 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
735
736         [B3] Above/Below should be strength-reduced for comparison with 0
737         https://bugs.webkit.org/show_bug.cgi?id=183543
738
739         Reviewed by Filip Pizlo.
740
741         Above(0, x) and BelowEqual(0, x) can be converted to constants false and true respectively.
742         This can be seen in the ArraySlice(0) case: `Select(Above(0, length), length, 0)`; this should
743         be converted to `0`. This patch adds such a folding to comparisons.
744
745         We also fix a B3ReduceStrength issue creating an orphan value. If a flipped value is folded to
746         a constant, we do not insert the flipped value and make it an orphan. This issue causes a JSC test
747         failure with this B3Const32/64Value change. With this patch, we create a flipped value only
748         when we fail to fold it to a constant.
749
750         * b3/B3Const32Value.cpp:
751         (JSC::B3::Const32Value::lessThanConstant const):
752         (JSC::B3::Const32Value::greaterThanConstant const):
753         (JSC::B3::Const32Value::lessEqualConstant const):
754         (JSC::B3::Const32Value::greaterEqualConstant const):
755         (JSC::B3::Const32Value::aboveConstant const):
756         (JSC::B3::Const32Value::belowConstant const):
757         (JSC::B3::Const32Value::aboveEqualConstant const):
758         (JSC::B3::Const32Value::belowEqualConstant const):
759         * b3/B3Const64Value.cpp:
760         (JSC::B3::Const64Value::lessThanConstant const):
761         (JSC::B3::Const64Value::greaterThanConstant const):
762         (JSC::B3::Const64Value::lessEqualConstant const):
763         (JSC::B3::Const64Value::greaterEqualConstant const):
764         (JSC::B3::Const64Value::aboveConstant const):
765         (JSC::B3::Const64Value::belowConstant const):
766         (JSC::B3::Const64Value::aboveEqualConstant const):
767         (JSC::B3::Const64Value::belowEqualConstant const):
768         * b3/B3ReduceStrength.cpp:
769         * b3/testb3.cpp:
770         (JSC::B3::int64Operands):
771         (JSC::B3::int32Operands):
772
773 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
774
775         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
776         https://bugs.webkit.org/show_bug.cgi?id=181848
777
778         Reviewed by Sam Weinig.
779
780         In r181535, we support `string.match(/nonglobal/)` code. However, `string.match(/global/g)` is not
781         optimized since it sets `lastIndex` value before performing RegExp operation.
782
783         This patch optimizes the above "with a global flag" case by emitting `SetRegExpObjectLastIndex` properly.
784         RegExpMatchFast is converted to SetRegExpObjectLastIndex and RegExpMatchFastGlobal. The latter node
785         just holds RegExp (not RegExpObject) cell so that it can offer a chance to make NewRegexp PhantomNewRegexp
786         in object allocation sinking phase.
787
788         Added microbenchmarks show that this patch makes NewRegexp PhantomNewRegexp even if the given RegExp
789         has a global flag, and it improves the performance.
790
791                                       baseline                  patched
792
793         regexp-u-global-es5       44.1298+-4.6128     ^     33.7920+-2.0110        ^ definitely 1.3059x faster
794         regexp-u-global-es6      182.3272+-2.2861     ^    154.3414+-7.6769        ^ definitely 1.1813x faster
795
796         * dfg/DFGAbstractInterpreterInlines.h:
797         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
798         * dfg/DFGClobberize.h:
799         (JSC::DFG::clobberize):
800         * dfg/DFGDoesGC.cpp:
801         (JSC::DFG::doesGC):
802         * dfg/DFGFixupPhase.cpp:
803         (JSC::DFG::FixupPhase::fixupNode):
804         * dfg/DFGMayExit.cpp:
805         * dfg/DFGNode.cpp:
806         (JSC::DFG::Node::convertToRegExpMatchFastGlobal):
807         * dfg/DFGNode.h:
808         (JSC::DFG::Node::hasHeapPrediction):
809         (JSC::DFG::Node::hasCellOperand):
810         * dfg/DFGNodeType.h:
811         * dfg/DFGOperations.cpp:
812         * dfg/DFGOperations.h:
813         * dfg/DFGPredictionPropagationPhase.cpp:
814         * dfg/DFGSafeToExecute.h:
815         (JSC::DFG::safeToExecute):
816         * dfg/DFGSpeculativeJIT.cpp:
817         (JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal):
818         * dfg/DFGSpeculativeJIT.h:
819         * dfg/DFGSpeculativeJIT32_64.cpp:
820         (JSC::DFG::SpeculativeJIT::compile):
821         * dfg/DFGSpeculativeJIT64.cpp:
822         (JSC::DFG::SpeculativeJIT::compile):
823         * dfg/DFGStrengthReductionPhase.cpp:
824         (JSC::DFG::StrengthReductionPhase::handleNode):
825         * ftl/FTLCapabilities.cpp:
826         (JSC::FTL::canCompile):
827         * ftl/FTLLowerDFGToB3.cpp:
828         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
829         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
830         * runtime/RegExpObject.cpp:
831         (JSC::collectMatches): Deleted.
832         * runtime/RegExpObject.h:
833         * runtime/RegExpObjectInlines.h:
834         (JSC::RegExpObject::execInline):
835         (JSC::RegExpObject::matchInline):
836         (JSC::advanceStringUnicode):
837         (JSC::collectMatches):
838         (JSC::RegExpObject::advanceStringUnicode): Deleted.
839         * runtime/RegExpPrototype.cpp:
840         (JSC::advanceStringIndex):
841
842 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
843
844         B3::reduceStrength should canonicalize integer comparisons
845         https://bugs.webkit.org/show_bug.cgi?id=150958
846
847         Reviewed by Filip Pizlo.
848
849         This patch sorts operands of comparisons by flipping the opcode. For example, `Above(0, @2)` is
850         converted to `Below(@2, 0)`. This sorting is the same as the handleCommutativity rule. Since we
851         canonicalize comparisons to have the constant value at least on the right hand side, we can
852         remove the pattern matchings checking leftImm in B3LowerToAir.
853
854         Since this flipping changes the opcode of the value, to achieve this safely, we just create a
855         new value which has the flipped opcode and swapped operands. If we can fold it to a constant,
856         we replace m_value with this constant. If we fail to fold it to a constant, we replace
857         m_value with the flipped one.
858
859         These comparisons are already handled in testb3.
860
861         * b3/B3LowerToAir.cpp:
862         * b3/B3ReduceStrength.cpp:
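Added example, not part of this ChangeLog or of WebKit's code: a miniature C++ model of the comparison canonicalization in this entry together with the Above/Below zero folding and the orphan-value fix from the 2018-03-11 entry above. Value, Procedure, foldComparison and reduceComparison are this example's own names, not JSC's API.

```cpp
// Added example, not WebKit's code: a miniature model of the B3ReduceStrength comparison
// rules in the entries above. Value, Procedure and reduceComparison are this example's own names.
#include <cstdint>
#include <memory>
#include <optional>
#include <vector>

enum class Opcode { Const32, Arg,
    LessThan, GreaterThan, LessEqual, GreaterEqual,   // signed comparisons
    Above, Below, AboveEqual, BelowEqual };           // unsigned comparisons

struct Value {
    Opcode opcode;
    std::vector<Value*> children;
    int32_t constant = 0; // meaningful only when opcode == Const32
    bool isConstant() const { return opcode == Opcode::Const32; }
};

// Owns every value, as B3::Procedure does; the count lets a test detect orphans.
struct Procedure {
    std::vector<std::unique_ptr<Value>> values;
    Value* add(Opcode op, std::vector<Value*> children = {}, int32_t c = 0) {
        values.push_back(std::make_unique<Value>(Value{op, std::move(children), c}));
        return values.back().get();
    }
};

// Swapping the operands means flipping the opcode: Above(a, b) is Below(b, a), and so on.
static Opcode flipped(Opcode op) {
    switch (op) {
    case Opcode::LessThan: return Opcode::GreaterThan;
    case Opcode::GreaterThan: return Opcode::LessThan;
    case Opcode::LessEqual: return Opcode::GreaterEqual;
    case Opcode::GreaterEqual: return Opcode::LessEqual;
    case Opcode::Above: return Opcode::Below;
    case Opcode::Below: return Opcode::Above;
    case Opcode::AboveEqual: return Opcode::BelowEqual;
    case Opcode::BelowEqual: return Opcode::AboveEqual;
    default: return op;
    }
}

// Evaluates a comparison of two constants; the unsigned forms reinterpret the bits.
static bool evaluate(Opcode op, int32_t a, int32_t b) {
    uint32_t ua = static_cast<uint32_t>(a), ub = static_cast<uint32_t>(b);
    switch (op) {
    case Opcode::LessThan: return a < b;
    case Opcode::GreaterThan: return a > b;
    case Opcode::LessEqual: return a <= b;
    case Opcode::GreaterEqual: return a >= b;
    case Opcode::Above: return ua > ub;
    case Opcode::Below: return ua < ub;
    case Opcode::AboveEqual: return ua >= ub;
    case Opcode::BelowEqual: return ua <= ub;
    default: return false;
    }
}

// Folding: two constants are evaluated. With one constant only the zero rules apply: nothing is
// unsigned-below 0, so Above(0, x) is false and BelowEqual(0, x) is true (and the swapped forms).
static std::optional<bool> foldComparison(Opcode op, const Value* left, const Value* right) {
    if (left->isConstant() && right->isConstant())
        return evaluate(op, left->constant, right->constant);
    if (left->isConstant() && left->constant == 0) {
        if (op == Opcode::Above) return false;
        if (op == Opcode::BelowEqual) return true;
    }
    if (right->isConstant() && right->constant == 0) {
        if (op == Opcode::Below) return false;
        if (op == Opcode::AboveEqual) return true;
    }
    return std::nullopt;
}

struct Reduction { Value* result; size_t valuesAdded; }; // what now stands for the comparison
// Reduces one comparison value. insertFlippedFirst = true reproduces the pre-fix ordering:
// the flipped value is created before folding is attempted, so a successful fold leaves it
// owned by the procedure but never inserted or used, which is the orphan the entry describes.
Reduction reduceComparison(Procedure& proc, Value* value, bool insertFlippedFirst = false) {
    size_t before = proc.values.size();
    Value* left = value->children[0]; Value* right = value->children[1];
    // Canonicalize: a constant on the left moves to the right by flipping the opcode.
    if (left->isConstant() && !right->isConstant()) {
        Opcode flippedOp = flipped(value->opcode);
        Value* flippedValue = insertFlippedFirst ? proc.add(flippedOp, {right, left}) : nullptr;
        if (auto folded = foldComparison(flippedOp, right, left)) {
            Value* c = proc.add(Opcode::Const32, {}, *folded ? 1 : 0);
            return {c, proc.values.size() - before};
        }
        if (!flippedValue) flippedValue = proc.add(flippedOp, {right, left}); // fixed: only now
        return {flippedValue, proc.values.size() - before};
    }
    if (auto folded = foldComparison(value->opcode, left, right)) {
        Value* c = proc.add(Opcode::Const32, {}, *folded ? 1 : 0);
        return {c, proc.values.size() - before};
    }
    return {value, 0};
}
```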
863
864 2018-03-09  Mark Lam  <mark.lam@apple.com>
865
866         offlineasm should reset the Assembler's working state before doing another pass for a new target.
867         https://bugs.webkit.org/show_bug.cgi?id=183538
868         <rdar://problem/38325955>
869
870         Reviewed by Michael Saboff.
871
872         * llint/LowLevelInterpreter.cpp:
873         * offlineasm/asm.rb:
874         * offlineasm/cloop.rb:
875
876 2018-03-09  Brian Burg  <bburg@apple.com>
877
878         Web Inspector: there should only be one way for async backend commands to send failure
879         https://bugs.webkit.org/show_bug.cgi?id=183524
880
881         Reviewed by Timothy Hatcher.
882
883         If this is an async command, errors should be reported with BackendDispatcher::CallbackBase::sendFailure.
884         To avoid mixups, don't include the ErrorString out-parameter in generated async command signatures.
885         This change only affects interfaces generated for C++ backend dispatchers.
886
887         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
888         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
889         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
890         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
891         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
892
893 2018-03-09  Mark Lam  <mark.lam@apple.com>
894
895         Build fix after r229476.
896         https://bugs.webkit.org/show_bug.cgi?id=183488
897
898         Not reviewed.
899
900         * runtime/StackAlignment.h:
901
902 2018-03-09  Mark Lam  <mark.lam@apple.com>
903
904         [Re-landing] Add support for ARM64E.
905         https://bugs.webkit.org/show_bug.cgi?id=183398
906         <rdar://problem/38212621>
907
908         Reviewed by Michael Saboff.
909
910         * assembler/MacroAssembler.h:
911         * llint/LLIntOfflineAsmConfig.h:
912         * llint/LowLevelInterpreter.asm:
913         * llint/LowLevelInterpreter64.asm:
914         * offlineasm/backends.rb:
915
916 2018-03-09  Mark Lam  <mark.lam@apple.com>
917
918         [Re-landing] Prepare LLInt code to support pointer profiling.
919         https://bugs.webkit.org/show_bug.cgi?id=183387
920         <rdar://problem/38199678>
921
922         Reviewed by JF Bastien.
923
924         1. Introduced PtrTag enums for supporting pointer profiling later.
925
926         2. Also introduced tagging, untagging, retagging, and tag removal placeholder
927            template functions for the same purpose.
928
929         3. Prepare the offlineasm for supporting pointer profiling later.
930
931         4. Tagged some pointers in LLInt asm code.  Currently, these should have no
932            effect on behavior.
933
934         5. Removed returnToThrowForThrownException() because it is not used anywhere.
935
936         6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
937            easier to view and edit these files in Xcode.
938
939         * CMakeLists.txt:
940         * JavaScriptCore.xcodeproj/project.pbxproj:
941         * bytecode/LLIntCallLinkInfo.h:
942         (JSC::LLIntCallLinkInfo::unlink):
943         * llint/LLIntData.cpp:
944         (JSC::LLInt::initialize):
945         * llint/LLIntData.h:
946         * llint/LLIntExceptions.cpp:
947         (JSC::LLInt::returnToThrowForThrownException): Deleted.
948         * llint/LLIntExceptions.h:
949         * llint/LLIntOfflineAsmConfig.h:
950         * llint/LLIntOffsetsExtractor.cpp:
951         * llint/LLIntPCRanges.h:
952         (JSC::LLInt::isLLIntPC):
953         * llint/LLIntSlowPaths.cpp:
954         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
955         (JSC::LLInt::handleHostCall):
956         (JSC::LLInt::setUpCall):
957         * llint/LowLevelInterpreter.asm:
958         * llint/LowLevelInterpreter32_64.asm:
959         * llint/LowLevelInterpreter64.asm:
960         * offlineasm/ast.rb:
961         * offlineasm/instructions.rb:
962         * offlineasm/risc.rb:
963         * runtime/PtrTag.h: Added.
964         (JSC::uniquePtrTagID):
965         (JSC::ptrTag):
966         (JSC::tagCodePtr):
967         (JSC::untagCodePtr):
968         (JSC::retagCodePtr):
969         (JSC::removeCodePtrTag):
970
971 2018-03-09  Mark Lam  <mark.lam@apple.com>
972
973         Remove unused LLINT_STATS feature.
974         https://bugs.webkit.org/show_bug.cgi?id=183522
975         <rdar://problem/38313139>
976
977         Rubber-stamped by Keith Miller.
978
979         We haven't used this in a while, and it is one more option that makes offlineasm
980         build slower.  We can always re-introduce this later if we need it.
981
982         * jsc.cpp:
983         * llint/LLIntCommon.h:
984         * llint/LLIntData.cpp:
985         (JSC::LLInt::initialize):
986         (JSC::LLInt::Data::finalizeStats): Deleted.
987         (JSC::LLInt::compareStats): Deleted.
988         (JSC::LLInt::Data::dumpStats): Deleted.
989         (JSC::LLInt::Data::ensureStats): Deleted.
990         (JSC::LLInt::Data::loadStats): Deleted.
991         (JSC::LLInt::Data::resetStats): Deleted.
992         (JSC::LLInt::Data::saveStats): Deleted.
993         * llint/LLIntData.h:
994         (): Deleted.
995         (JSC::LLInt::Data::opcodeStats): Deleted.
996         * llint/LLIntOfflineAsmConfig.h:
997         * llint/LLIntSlowPaths.cpp:
998         * llint/LLIntSlowPaths.h:
999         * llint/LowLevelInterpreter.asm:
1000         * llint/LowLevelInterpreter32_64.asm:
1001         * llint/LowLevelInterpreter64.asm:
1002         * runtime/Options.cpp:
1003         (JSC::Options::isAvailable):
1004         (JSC::recomputeDependentOptions):
1005         * runtime/Options.h:
1006         * runtime/TestRunnerUtils.cpp:
1007         (JSC::finalizeStatsAtEndOfTesting):
1008
1009 2018-03-09  Michael Saboff  <msaboff@apple.com>
1010
1011         Relanding "testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64"
1012         https://bugs.webkit.org/show_bug.cgi?id=183488
1013
1014         It applied and built just fine locally.
1015
1016         * assembler/testmasm.cpp:
1017         (JSC::testBranchTruncateDoubleToInt32):
1018
1019 2018-03-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1020
1021         Unreviewed, remove WebAssemblyFunctionType
1022         https://bugs.webkit.org/show_bug.cgi?id=183429
1023
1024         Drop WebAssemblyFunctionType since it is no longer used. This breaks the
1025         JSCast assumption that all the derived classes of JSFunction use
1026         JSFunctionType. We also add an ASSERT for JSFunction::finishCreation.
1027
1028         * runtime/JSFunction.cpp:
1029         (JSC::JSFunction::finishCreation):
1030         * runtime/JSType.h:
1031         * wasm/js/WebAssemblyFunction.cpp:
1032         (JSC::WebAssemblyFunction::createStructure):
1033         * wasm/js/WebAssemblyFunction.h:
1034
1035 2018-03-09  Ryan Haddad  <ryanhaddad@apple.com>
1036
1037         Unreviewed, rolling out r229446.
1038
1039         This change relies on changes that have been rolled out.
1040
1041         Reverted changeset:
1042
1043         "testmasm crashes in testBranchTruncateDoubleToInt32() on
1044         ARM64"
1045         https://bugs.webkit.org/show_bug.cgi?id=183488
1046         https://trac.webkit.org/changeset/229446
1047
1048 2018-03-08  Chris Dumez  <cdumez@apple.com>
1049
1050         Safari not handling undefined global variables with same name as element Id correctly.
1051         https://bugs.webkit.org/show_bug.cgi?id=183087
1052         <rdar://problem/37927596>
1053
1054         Reviewed by Ryosuke Niwa.
1055
1056         Global variables (var foo;) should not be hidden by:
1057         - Named properties
1058         - Properties on the prototype chain
1059
1060         Therefore, we now have JSGlobalObject::addVar() call JSGlobalObject::addGlobalVar()
1061         if !hasOwnProperty() instead of !hasProperty.
1062
1063         This aligns our behavior with Chrome and Firefox.
1064
1065         * runtime/JSGlobalObject.h:
1066         (JSC::JSGlobalObject::addVar):
1067
1068 2018-03-08  Commit Queue  <commit-queue@webkit.org>
1069
1070         Unreviewed, rolling out r229354 and r229364.
1071         https://bugs.webkit.org/show_bug.cgi?id=183492
1072
1073         Breaks internal builds (Requested by ryanhaddad on #webkit).
1074
1075         Reverted changesets:
1076
1077         "Prepare LLInt code to support pointer profiling."
1078         https://bugs.webkit.org/show_bug.cgi?id=183387
1079         https://trac.webkit.org/changeset/229354
1080
1081         "Add support for ARM64E."
1082         https://bugs.webkit.org/show_bug.cgi?id=183398
1083         https://trac.webkit.org/changeset/229364
1084
1085 2018-03-08  Michael Saboff  <msaboff@apple.com>
1086
1087         testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64
1088         https://bugs.webkit.org/show_bug.cgi?id=183488
1089
1090         Reviewed by Mark Lam.
1091
1092         Using stackAlignmentBytes() will keep the stack properly aligned.
1093
1094         * assembler/testmasm.cpp:
1095         (JSC::testBranchTruncateDoubleToInt32):
1096
1097 2018-03-08  Michael Saboff  <msaboff@apple.com>
1098
1099         Emit code to zero the stack frame on function entry
1100         https://bugs.webkit.org/show_bug.cgi?id=183391
1101
1102         Reviewed by Mark Lam.
1103
1104         Added code to zero incoming stack frame behind a new JSC option, zeroStackFrame.
1105         The default setting of the option is off.
1106
1107         Did some minor refactoring of the YarrJIT stack alignment code.
1108
1109         * b3/air/AirCode.cpp:
1110         (JSC::B3::Air::defaultPrologueGenerator):
1111         * dfg/DFGJITCompiler.cpp:
1112         (JSC::DFG::JITCompiler::compile):
1113         (JSC::DFG::JITCompiler::compileFunction):
1114         * dfg/DFGSpeculativeJIT.cpp:
1115         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1116         * dfg/DFGThunks.cpp:
1117         (JSC::DFG::osrEntryThunkGenerator):
1118         * ftl/FTLLowerDFGToB3.cpp:
1119         (JSC::FTL::DFG::LowerDFGToB3::lower):
1120         * jit/AssemblyHelpers.h:
1121         (JSC::AssemblyHelpers::clearStackFrame):
1122         * jit/JIT.cpp:
1123         (JSC::JIT::compileWithoutLinking):
1124         * llint/LowLevelInterpreter.asm:
1125         * runtime/Options.h:
1126         * yarr/YarrJIT.cpp:
1127         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
1128         (JSC::Yarr::YarrGenerator::initCallFrame):
1129         (JSC::Yarr::YarrGenerator::removeCallFrame):
1130
1131 2018-03-08  Keith Miller  <keith_miller@apple.com>
1132
1133         Unreviewed, another attempt at fixing the Windows build.
1134         I guess the pragma must be outside the function...
1135
1136         * jit/CCallHelpers.h:
1137         (JSC::CCallHelpers::clampArrayToSize):
1138
1139 2018-03-08  Keith Miller  <keith_miller@apple.com>
1140
1141         Unreviewed, one last try at fixing the Windows build before rollout.
1142
1143         * jit/CCallHelpers.h:
1144         (JSC::CCallHelpers::clampArrayToSize):
1145
1146 2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1147
1148         [JSC] Optimize inherits<T> if T is final type
1149         https://bugs.webkit.org/show_bug.cgi?id=183435
1150
1151         Reviewed by Mark Lam.
1152
1153         If the type T is a final type (`std::is_final<T>::value == true`), there are no
1154         classes derived from T. It means that `jsDynamicCast<T>` only needs
1155         to check that the given cell's `classInfo(vm)` is `T::info()`.
1156
1157         This patch adds a new specialization of jsDynamicCast<T> / inherits<T> for a
1158         final type. And we also add `final` annotations to JS cell types in JSC. This
1159         offers:
1160
1161         1. Readability. If the given class is annotated with `final`, we do not need to
1162         consider the derived classes of T.
1163
1164         2. Static Checking. If your class is not intended to be used as a base class, attaching
1165         `final` can ensure this invariant.
1166
1167         3. Performance. jsDynamicCast<T> and inherits<T> can be optimized and the code size should
1168         be smaller.
1169
1170         * API/JSCallbackConstructor.h:
1171         (JSC::JSCallbackConstructor::create): Deleted.
1172         (JSC::JSCallbackConstructor::classRef const): Deleted.
1173         (JSC::JSCallbackConstructor::callback const): Deleted.
1174         (JSC::JSCallbackConstructor::createStructure): Deleted.
1175         (JSC::JSCallbackConstructor::constructCallback): Deleted.
1176         * API/JSCallbackFunction.h:
1177         (JSC::JSCallbackFunction::createStructure): Deleted.
1178         (JSC::JSCallbackFunction::functionCallback): Deleted.
1179         * API/JSCallbackObject.h:
1180         (JSC::JSCallbackObject::create): Deleted.
1181         (JSC::JSCallbackObject::destroy): Deleted.
1182         (JSC::JSCallbackObject::classRef const): Deleted.
1183         (JSC::JSCallbackObject::getPrivateProperty const): Deleted.
1184         (JSC::JSCallbackObject::setPrivateProperty): Deleted.
1185         (JSC::JSCallbackObject::deletePrivateProperty): Deleted.
1186         (JSC::JSCallbackObject::visitChildren): Deleted.
1187         * bytecode/CodeBlock.cpp:
1188         (JSC::CodeBlock::setConstantRegisters):
1189         * bytecode/ExecutableToCodeBlockEdge.h:
1190         (JSC::ExecutableToCodeBlockEdge::subspaceFor): Deleted.
1191         (JSC::ExecutableToCodeBlockEdge::codeBlock const): Deleted.
1192         (JSC::ExecutableToCodeBlockEdge::unwrap): Deleted.
1193         * bytecode/FunctionCodeBlock.h:
1194         (JSC::FunctionCodeBlock::subspaceFor): Deleted.
1195         (JSC::FunctionCodeBlock::create): Deleted.
1196         (JSC::FunctionCodeBlock::createStructure): Deleted.
1197         (JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
1198         * debugger/DebuggerScope.h:
1199         (JSC::DebuggerScope::createStructure): Deleted.
1200         (JSC::DebuggerScope::iterator::iterator): Deleted.
1201         (JSC::DebuggerScope::iterator::get): Deleted.
1202         (JSC::DebuggerScope::iterator::operator++): Deleted.
1203         (JSC::DebuggerScope::iterator::operator== const): Deleted.
1204         (JSC::DebuggerScope::iterator::operator!= const): Deleted.
1205         (JSC::DebuggerScope::isValid const): Deleted.
1206         (JSC::DebuggerScope::jsScope const): Deleted.
1207         * inspector/JSInjectedScriptHost.h:
1208         (Inspector::JSInjectedScriptHost::createStructure): Deleted.
1209         (Inspector::JSInjectedScriptHost::create): Deleted.
1210         (Inspector::JSInjectedScriptHost::impl const): Deleted.
1211         * inspector/JSInjectedScriptHostPrototype.h:
1212         (Inspector::JSInjectedScriptHostPrototype::create): Deleted.
1213         (Inspector::JSInjectedScriptHostPrototype::createStructure): Deleted.
1214         (Inspector::JSInjectedScriptHostPrototype::JSInjectedScriptHostPrototype): Deleted.
1215         * inspector/JSJavaScriptCallFrame.h:
1216         (Inspector::JSJavaScriptCallFrame::createStructure): Deleted.
1217         (Inspector::JSJavaScriptCallFrame::create): Deleted.
1218         (Inspector::JSJavaScriptCallFrame::impl const): Deleted.
1219         * inspector/JSJavaScriptCallFramePrototype.h:
1220         (Inspector::JSJavaScriptCallFramePrototype::create): Deleted.
1221         (Inspector::JSJavaScriptCallFramePrototype::createStructure): Deleted.
1222         (Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype): Deleted.
1223         * jit/Repatch.cpp:
1224         (JSC::tryCacheGetByID):
1225         * runtime/ArrayConstructor.h:
1226         (JSC::ArrayConstructor::create): Deleted.
1227         (JSC::ArrayConstructor::createStructure): Deleted.
1228         * runtime/ArrayIteratorPrototype.h:
1229         (JSC::ArrayIteratorPrototype::create): Deleted.
1230         (JSC::ArrayIteratorPrototype::createStructure): Deleted.
1231         (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype): Deleted.
1232         * runtime/ArrayPrototype.h:
1233         (JSC::ArrayPrototype::createStructure): Deleted.
1234         * runtime/AsyncFromSyncIteratorPrototype.h:
1235         (JSC::AsyncFromSyncIteratorPrototype::createStructure): Deleted.
1236         * runtime/AsyncFunctionConstructor.h:
1237         (JSC::AsyncFunctionConstructor::create): Deleted.
1238         (JSC::AsyncFunctionConstructor::createStructure): Deleted.
1239         * runtime/AsyncFunctionPrototype.h:
1240         (JSC::AsyncFunctionPrototype::create): Deleted.
1241         (JSC::AsyncFunctionPrototype::createStructure): Deleted.
1242         * runtime/AsyncGeneratorFunctionConstructor.h:
1243         (JSC::AsyncGeneratorFunctionConstructor::create): Deleted.
1244         (JSC::AsyncGeneratorFunctionConstructor::createStructure): Deleted.
1245         * runtime/AsyncGeneratorFunctionPrototype.h:
1246         (JSC::AsyncGeneratorFunctionPrototype::create): Deleted.
1247         (JSC::AsyncGeneratorFunctionPrototype::createStructure): Deleted.
1248         * runtime/AsyncGeneratorPrototype.h:
1249         (JSC::AsyncGeneratorPrototype::create): Deleted.
1250         (JSC::AsyncGeneratorPrototype::createStructure): Deleted.
1251         (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype): Deleted.
1252         * runtime/AsyncIteratorPrototype.h:
1253         (JSC::AsyncIteratorPrototype::create): Deleted.
1254         (JSC::AsyncIteratorPrototype::createStructure): Deleted.
1255         (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype): Deleted.
1256         * runtime/AtomicsObject.h:
1257         * runtime/BigIntConstructor.h:
1258         (JSC::BigIntConstructor::create): Deleted.
1259         (JSC::BigIntConstructor::createStructure): Deleted.
1260         * runtime/BigIntObject.h:
1261         (JSC::BigIntObject::create): Deleted.
1262         (JSC::BigIntObject::internalValue const): Deleted.
1263         (JSC::BigIntObject::createStructure): Deleted.
1264         * runtime/BigIntPrototype.h:
1265         (JSC::BigIntPrototype::create): Deleted.
1266         (JSC::BigIntPrototype::createStructure): Deleted.
1267         * runtime/BooleanConstructor.h:
1268         (JSC::BooleanConstructor::create): Deleted.
1269         (JSC::BooleanConstructor::createStructure): Deleted.
1270         * runtime/BooleanPrototype.h:
1271         (JSC::BooleanPrototype::create): Deleted.
1272         (JSC::BooleanPrototype::createStructure): Deleted.
1273         * runtime/ConsoleObject.h:
1274         (JSC::ConsoleObject::create): Deleted.
1275         (JSC::ConsoleObject::createStructure): Deleted.
1276         * runtime/DOMAttributeGetterSetter.h:
1277         (JSC::isDOMAttributeGetterSetter): Deleted.
1278         * runtime/DateConstructor.h:
1279         (JSC::DateConstructor::create): Deleted.
1280         (JSC::DateConstructor::createStructure): Deleted.
1281         * runtime/DateInstance.h:
1282         (JSC::DateInstance::create): Deleted.
1283         (JSC::DateInstance::internalNumber const): Deleted.
1284         (JSC::DateInstance::gregorianDateTime const): Deleted.
1285         (JSC::DateInstance::gregorianDateTimeUTC const): Deleted.
1286         (JSC::DateInstance::createStructure): Deleted.
1287         * runtime/DatePrototype.h:
1288         (JSC::DatePrototype::create): Deleted.
1289         (JSC::DatePrototype::createStructure): Deleted.
1290         * runtime/Error.h:
1291         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): Deleted.
1292         (JSC::StrictModeTypeErrorFunction::create): Deleted.
1293         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError): Deleted.
1294         (JSC::StrictModeTypeErrorFunction::callThrowTypeError): Deleted.
1295         (JSC::StrictModeTypeErrorFunction::createStructure): Deleted.
1296         * runtime/ErrorConstructor.h:
1297         (JSC::ErrorConstructor::create): Deleted.
1298         (JSC::ErrorConstructor::createStructure): Deleted.
1299         (JSC::ErrorConstructor::stackTraceLimit const): Deleted.
1300         * runtime/Exception.h:
1301         (JSC::Exception::valueOffset): Deleted.
1302         (JSC::Exception::value const): Deleted.
1303         (JSC::Exception::stack const): Deleted.
1304         (JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
1305         (JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
1306         * runtime/FunctionConstructor.h:
1307         (JSC::FunctionConstructor::create): Deleted.
1308         (JSC::FunctionConstructor::createStructure): Deleted.
1309         * runtime/FunctionPrototype.h:
1310         (JSC::FunctionPrototype::create): Deleted.
1311         (JSC::FunctionPrototype::createStructure): Deleted.
1312         * runtime/FunctionRareData.h:
1313         (JSC::FunctionRareData::offsetOfObjectAllocationProfile): Deleted.
1314         (JSC::FunctionRareData::objectAllocationProfile): Deleted.
1315         (JSC::FunctionRareData::objectAllocationStructure): Deleted.
1316         (JSC::FunctionRareData::allocationProfileWatchpointSet): Deleted.
1317         (JSC::FunctionRareData::isObjectAllocationProfileInitialized): Deleted.
1318         (JSC::FunctionRareData::internalFunctionAllocationStructure): Deleted.
1319         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase): Deleted.
1320         (JSC::FunctionRareData::clearInternalFunctionAllocationProfile): Deleted.
1321         (JSC::FunctionRareData::getBoundFunctionStructure): Deleted.
1322         (JSC::FunctionRareData::setBoundFunctionStructure): Deleted.
1323         (JSC::FunctionRareData::hasReifiedLength const): Deleted.
1324         (JSC::FunctionRareData::setHasReifiedLength): Deleted.
1325         (JSC::FunctionRareData::hasReifiedName const): Deleted.
1326         (JSC::FunctionRareData::setHasReifiedName): Deleted.
1327         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const): Deleted.
1328         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): Deleted.
1329         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint): Deleted.
1330         * runtime/GeneratorFunctionConstructor.h:
1331         (JSC::GeneratorFunctionConstructor::create): Deleted.
1332         (JSC::GeneratorFunctionConstructor::createStructure): Deleted.
1333         * runtime/GeneratorFunctionPrototype.h:
1334         (JSC::GeneratorFunctionPrototype::create): Deleted.
1335         (JSC::GeneratorFunctionPrototype::createStructure): Deleted.
1336         * runtime/GeneratorPrototype.h:
1337         (JSC::GeneratorPrototype::create): Deleted.
1338         (JSC::GeneratorPrototype::createStructure): Deleted.
1339         (JSC::GeneratorPrototype::GeneratorPrototype): Deleted.
1340         * runtime/InferredValue.h:
1341         (JSC::InferredValue::subspaceFor): Deleted.
1342         (JSC::InferredValue::inferredValue): Deleted.
1343         (JSC::InferredValue::state const): Deleted.
1344         (JSC::InferredValue::isStillValid const): Deleted.
1345         (JSC::InferredValue::hasBeenInvalidated const): Deleted.
1346         (JSC::InferredValue::add): Deleted.
1347         (JSC::InferredValue::notifyWrite): Deleted.
1348         (JSC::InferredValue::invalidate): Deleted.
1349         * runtime/InspectorInstrumentationObject.h:
1350         (JSC::InspectorInstrumentationObject::create): Deleted.
1351         (JSC::InspectorInstrumentationObject::createStructure): Deleted.
1352         * runtime/IntlCollator.h:
1353         (JSC::IntlCollator::boundCompare const): Deleted.
1354         * runtime/IntlCollatorConstructor.h:
1355         (JSC::IntlCollatorConstructor::collatorStructure const): Deleted.
1356         * runtime/IntlCollatorPrototype.h:
1357         * runtime/IntlDateTimeFormat.h:
1358         (JSC::IntlDateTimeFormat::boundFormat const): Deleted.
1359         * runtime/IntlDateTimeFormatConstructor.h:
1360         (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure const): Deleted.
1361         * runtime/IntlDateTimeFormatPrototype.h:
1362         * runtime/IntlNumberFormat.h:
1363         (JSC::IntlNumberFormat::boundFormat const): Deleted.
1364         * runtime/IntlNumberFormatConstructor.h:
1365         (JSC::IntlNumberFormatConstructor::numberFormatStructure const): Deleted.
1366         * runtime/IntlNumberFormatPrototype.h:
1367         * runtime/IntlObject.h:
1368         * runtime/IteratorPrototype.h:
1369         (JSC::IteratorPrototype::create): Deleted.
1370         (JSC::IteratorPrototype::createStructure): Deleted.
1371         (JSC::IteratorPrototype::IteratorPrototype): Deleted.
1372         * runtime/JSAPIValueWrapper.h:
1373         (JSC::JSAPIValueWrapper::value const): Deleted.
1374         (JSC::JSAPIValueWrapper::createStructure): Deleted.
1375         (JSC::JSAPIValueWrapper::create): Deleted.
1376         (JSC::JSAPIValueWrapper::finishCreation): Deleted.
1377         (JSC::JSAPIValueWrapper::JSAPIValueWrapper): Deleted.
1378         * runtime/JSArrayBufferConstructor.h:
1379         (JSC::JSArrayBufferConstructor::sharingMode const): Deleted.
1380         * runtime/JSArrayBufferPrototype.h:
1381         * runtime/JSAsyncFunction.h:
1382         (JSC::JSAsyncFunction::subspaceFor): Deleted.
1383         (JSC::JSAsyncFunction::allocationSize): Deleted.
1384         (JSC::JSAsyncFunction::createStructure): Deleted.
1385         * runtime/JSAsyncGeneratorFunction.h:
1386         (JSC::JSAsyncGeneratorFunction::subspaceFor): Deleted.
1387         (JSC::JSAsyncGeneratorFunction::allocationSize): Deleted.
1388         (JSC::JSAsyncGeneratorFunction::createStructure): Deleted.
1389         * runtime/JSBigInt.h:
1390         (JSC::JSBigInt::setSign): Deleted.
1391         (JSC::JSBigInt::sign const): Deleted.
1392         (JSC::JSBigInt::setLength): Deleted.
1393         (JSC::JSBigInt::length const): Deleted.
1394         * runtime/JSBoundFunction.h:
1395         (JSC::JSBoundFunction::subspaceFor): Deleted.
1396         (JSC::JSBoundFunction::targetFunction): Deleted.
1397         (JSC::JSBoundFunction::boundThis): Deleted.
1398         (JSC::JSBoundFunction::boundArgs): Deleted.
1399         (JSC::JSBoundFunction::createStructure): Deleted.
1400         (JSC::JSBoundFunction::offsetOfTargetFunction): Deleted.
1401         (JSC::JSBoundFunction::offsetOfBoundThis): Deleted.
1402         * runtime/JSCast.h:
1403         (JSC::JSCastingHelpers::FinalTypeDispatcher::inheritsGeneric):
1404         (JSC::JSCastingHelpers::inheritsJSTypeImpl):
1405         (JSC::JSCastingHelpers::InheritsTraits::inherits):
1406         (JSC::JSCastingHelpers::inheritsGenericImpl): Deleted.
1407         * runtime/JSCustomGetterSetterFunction.cpp:
1408         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1409         * runtime/JSCustomGetterSetterFunction.h:
1410         (JSC::JSCustomGetterSetterFunction::subspaceFor): Deleted.
1411         (JSC::JSCustomGetterSetterFunction::createStructure): Deleted.
1412         (JSC::JSCustomGetterSetterFunction::customGetterSetter const): Deleted.
1413         (JSC::JSCustomGetterSetterFunction::isSetter const): Deleted.
1414         (JSC::JSCustomGetterSetterFunction::propertyName const): Deleted.
1415         * runtime/JSDataView.h:
1416         (JSC::JSDataView::possiblySharedBuffer const): Deleted.
1417         (JSC::JSDataView::unsharedBuffer const): Deleted.
1418         * runtime/JSDataViewPrototype.h:
1419         * runtime/JSFixedArray.h:
1420         (JSC::JSFixedArray::createStructure): Deleted.
1421         (JSC::JSFixedArray::tryCreate): Deleted.
1422         (JSC::JSFixedArray::create): Deleted.
1423         (JSC::JSFixedArray::createFromArray): Deleted.
1424         (JSC::JSFixedArray::get const): Deleted.
1425         (JSC::JSFixedArray::set): Deleted.
1426         (JSC::JSFixedArray::buffer): Deleted.
1427         (JSC::JSFixedArray::buffer const): Deleted.
1428         (JSC::JSFixedArray::values const): Deleted.
1429         (JSC::JSFixedArray::size const): Deleted.
1430         (JSC::JSFixedArray::length const): Deleted.
1431         (JSC::JSFixedArray::offsetOfSize): Deleted.
1432         (JSC::JSFixedArray::offsetOfData): Deleted.
1433         (JSC::JSFixedArray::JSFixedArray): Deleted.
1434         (JSC::JSFixedArray::allocationSize): Deleted.
1435         * runtime/JSGeneratorFunction.h:
1436         (JSC::JSGeneratorFunction::subspaceFor): Deleted.
1437         (JSC::JSGeneratorFunction::allocationSize): Deleted.
1438         (JSC::JSGeneratorFunction::createStructure): Deleted.
1439         * runtime/JSGenericTypedArrayView.h:
1440         (JSC::JSGenericTypedArrayView::byteLength const): Deleted.
1441         (JSC::JSGenericTypedArrayView::byteSize const): Deleted.
1442         (JSC::JSGenericTypedArrayView::typedVector const): Deleted.
1443         (JSC::JSGenericTypedArrayView::typedVector): Deleted.
1444         (JSC::JSGenericTypedArrayView::canGetIndexQuickly): Deleted.
1445         (JSC::JSGenericTypedArrayView::canSetIndexQuickly): Deleted.
1446         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue): Deleted.
1447         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble): Deleted.
1448         (JSC::JSGenericTypedArrayView::getIndexQuickly): Deleted.
1449         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue): Deleted.
1450         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble): Deleted.
1451         (JSC::JSGenericTypedArrayView::setIndexQuickly): Deleted.
1452         (JSC::JSGenericTypedArrayView::setIndex): Deleted.
1453         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
1454         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion): Deleted.
1455         (JSC::JSGenericTypedArrayView::sort): Deleted.
1456         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly): Deleted.
1457         (JSC::JSGenericTypedArrayView::createStructure): Deleted.
1458         (JSC::JSGenericTypedArrayView::info): Deleted.
1459         (JSC::JSGenericTypedArrayView::purifyArray): Deleted.
1460         (JSC::JSGenericTypedArrayView::sortComparison): Deleted.
1461         (JSC::JSGenericTypedArrayView::sortFloat): Deleted.
1462         * runtime/JSGenericTypedArrayViewConstructor.h:
1463         * runtime/JSGenericTypedArrayViewPrototype.h:
1464         * runtime/JSInternalPromise.h:
1465         * runtime/JSInternalPromiseConstructor.h:
1466         * runtime/JSInternalPromisePrototype.h:
1467         * runtime/JSMapIterator.h:
1468         (JSC::JSMapIterator::createStructure): Deleted.
1469         (JSC::JSMapIterator::create): Deleted.
1470         (JSC::JSMapIterator::advanceIter): Deleted.
1471         (JSC::JSMapIterator::next): Deleted.
1472         (JSC::JSMapIterator::nextKeyValue): Deleted.
1473         (JSC::JSMapIterator::kind const): Deleted.
1474         (JSC::JSMapIterator::iteratedValue const): Deleted.
1475         (JSC::JSMapIterator::JSMapIterator): Deleted.
1476         (JSC::JSMapIterator::setIterator): Deleted.
1477         * runtime/JSModuleLoader.h:
1478         (JSC::JSModuleLoader::create): Deleted.
1479         (JSC::JSModuleLoader::createStructure): Deleted.
1480         * runtime/JSModuleNamespaceObject.h:
1481         (JSC::isJSModuleNamespaceObject): Deleted.
1482         * runtime/JSModuleRecord.h:
1483         (JSC::JSModuleRecord::sourceCode const): Deleted.
1484         (JSC::JSModuleRecord::declaredVariables const): Deleted.
1485         (JSC::JSModuleRecord::lexicalVariables const): Deleted.
1486         * runtime/JSNativeStdFunction.h:
1487         (JSC::JSNativeStdFunction::subspaceFor): Deleted.
1488         (JSC::JSNativeStdFunction::createStructure): Deleted.
1489         (JSC::JSNativeStdFunction::nativeStdFunctionCell): Deleted.
1490         * runtime/JSONObject.h:
1491         (JSC::JSONObject::create): Deleted.
1492         (JSC::JSONObject::createStructure): Deleted.
1493         * runtime/JSObject.h:
1494         (JSC::JSObject::fillCustomGetterPropertySlot):
1495         * runtime/JSScriptFetchParameters.h:
1496         (JSC::JSScriptFetchParameters::createStructure): Deleted.
1497         (JSC::JSScriptFetchParameters::create): Deleted.
1498         (JSC::JSScriptFetchParameters::parameters const): Deleted.
1499         (JSC::JSScriptFetchParameters::JSScriptFetchParameters): Deleted.
1500         * runtime/JSScriptFetcher.h:
1501         (JSC::JSScriptFetcher::createStructure): Deleted.
1502         (JSC::JSScriptFetcher::create): Deleted.
1503         (JSC::JSScriptFetcher::fetcher const): Deleted.
1504         (JSC::JSScriptFetcher::JSScriptFetcher): Deleted.
1505         * runtime/JSSetIterator.h:
1506         (JSC::JSSetIterator::createStructure): Deleted.
1507         (JSC::JSSetIterator::create): Deleted.
1508         (JSC::JSSetIterator::advanceIter): Deleted.
1509         (JSC::JSSetIterator::next): Deleted.
1510         (JSC::JSSetIterator::kind const): Deleted.
1511         (JSC::JSSetIterator::iteratedValue const): Deleted.
1512         (JSC::JSSetIterator::JSSetIterator): Deleted.
1513         (JSC::JSSetIterator::setIterator): Deleted.
1514         * runtime/JSSourceCode.h:
1515         (JSC::JSSourceCode::createStructure): Deleted.
1516         (JSC::JSSourceCode::create): Deleted.
1517         (JSC::JSSourceCode::sourceCode const): Deleted.
1518         (JSC::JSSourceCode::JSSourceCode): Deleted.
1519         * runtime/JSStringIterator.h:
1520         (JSC::JSStringIterator::createStructure): Deleted.
1521         (JSC::JSStringIterator::create): Deleted.
1522         (JSC::JSStringIterator::JSStringIterator): Deleted.
1523         * runtime/JSTemplateObjectDescriptor.h:
1524         (JSC::isTemplateObjectDescriptor): Deleted.
1525         * runtime/JSTypedArrayViewConstructor.h:
1526         (JSC::JSTypedArrayViewConstructor::create): Deleted.
1527         * runtime/JSTypedArrayViewPrototype.h:
1528         * runtime/MapConstructor.h:
1529         (JSC::MapConstructor::create): Deleted.
1530         (JSC::MapConstructor::createStructure): Deleted.
1531         * runtime/MapIteratorPrototype.h:
1532         (JSC::MapIteratorPrototype::create): Deleted.
1533         (JSC::MapIteratorPrototype::createStructure): Deleted.
1534         (JSC::MapIteratorPrototype::MapIteratorPrototype): Deleted.
1535         * runtime/MapPrototype.h:
1536         (JSC::MapPrototype::create): Deleted.
1537         (JSC::MapPrototype::createStructure): Deleted.
1538         (JSC::MapPrototype::MapPrototype): Deleted.
1539         * runtime/MathObject.h:
1540         (JSC::MathObject::create): Deleted.
1541         (JSC::MathObject::createStructure): Deleted.
1542         * runtime/ModuleLoaderPrototype.h:
1543         (JSC::ModuleLoaderPrototype::create): Deleted.
1544         (JSC::ModuleLoaderPrototype::createStructure): Deleted.
1545         * runtime/NativeErrorConstructor.h:
1546         (JSC::NativeErrorConstructor::create): Deleted.
1547         (JSC::NativeErrorConstructor::createStructure): Deleted.
1548         (JSC::NativeErrorConstructor::errorStructure): Deleted.
1549         * runtime/NativeErrorPrototype.h:
1550         (JSC::NativeErrorPrototype::create): Deleted.
1551         * runtime/NativeStdFunctionCell.h:
1552         (JSC::NativeStdFunctionCell::createStructure): Deleted.
1553         (JSC::NativeStdFunctionCell::function const): Deleted.
1554         * runtime/NullGetterFunction.h:
1555         (JSC::NullGetterFunction::create): Deleted.
1556         (JSC::NullGetterFunction::createStructure): Deleted.
1557         * runtime/NullSetterFunction.h:
1558         (JSC::NullSetterFunction::create): Deleted.
1559         (JSC::NullSetterFunction::createStructure): Deleted.
1560         * runtime/NumberConstructor.h:
1561         (JSC::NumberConstructor::create): Deleted.
1562         (JSC::NumberConstructor::createStructure): Deleted.
1563         (JSC::NumberConstructor::isIntegerImpl): Deleted.
1564         * runtime/NumberPrototype.h:
1565         (JSC::NumberPrototype::create): Deleted.
1566         (JSC::NumberPrototype::createStructure): Deleted.
1567         * runtime/ObjectConstructor.h:
1568         (JSC::ObjectConstructor::create): Deleted.
1569         (JSC::ObjectConstructor::createStructure): Deleted.
1570         * runtime/ObjectPrototype.h:
1571         (JSC::ObjectPrototype::createStructure): Deleted.
1572         * runtime/ProxyConstructor.h:
1573         (JSC::ProxyConstructor::createStructure): Deleted.
1574         * runtime/ProxyRevoke.h:
1575         (JSC::ProxyRevoke::createStructure): Deleted.
1576         (JSC::ProxyRevoke::proxy): Deleted.
1577         (JSC::ProxyRevoke::setProxyToNull): Deleted.
1578         * runtime/ReflectObject.h:
1579         (JSC::ReflectObject::create): Deleted.
1580         (JSC::ReflectObject::createStructure): Deleted.
1581         * runtime/RegExpConstructor.cpp:
1582         (JSC::regExpConstructorDollar):
1583         (JSC::regExpConstructorInput):
1584         (JSC::regExpConstructorMultiline):
1585         (JSC::regExpConstructorLastMatch):
1586         (JSC::regExpConstructorLastParen):
1587         (JSC::regExpConstructorLeftContext):
1588         (JSC::regExpConstructorRightContext):
1589         * runtime/RegExpConstructor.h:
1590         (JSC::RegExpConstructor::create): Deleted.
1591         (JSC::RegExpConstructor::createStructure): Deleted.
1592         (JSC::RegExpConstructor::setMultiline): Deleted.
1593         (JSC::RegExpConstructor::multiline const): Deleted.
1594         (JSC::RegExpConstructor::setInput): Deleted.
1595         (JSC::RegExpConstructor::input): Deleted.
1596         (JSC::RegExpConstructor::offsetOfCachedResult): Deleted.
1597         (JSC::asRegExpConstructor): Deleted.
1598         * runtime/RegExpPrototype.h:
1599         (JSC::RegExpPrototype::create): Deleted.
1600         (JSC::RegExpPrototype::createStructure): Deleted.
1601         (JSC::RegExpPrototype::emptyRegExp const): Deleted.
1602         * runtime/SetConstructor.h:
1603         (JSC::SetConstructor::create): Deleted.
1604         (JSC::SetConstructor::createStructure): Deleted.
1605         * runtime/SetIteratorPrototype.h:
1606         (JSC::SetIteratorPrototype::create): Deleted.
1607         (JSC::SetIteratorPrototype::createStructure): Deleted.
1608         (JSC::SetIteratorPrototype::SetIteratorPrototype): Deleted.
1609         * runtime/SetPrototype.h:
1610         (JSC::SetPrototype::create): Deleted.
1611         (JSC::SetPrototype::createStructure): Deleted.
1612         (JSC::SetPrototype::SetPrototype): Deleted.
1613         * runtime/StringConstructor.h:
1614         (JSC::StringConstructor::create): Deleted.
1615         (JSC::StringConstructor::createStructure): Deleted.
1616         * runtime/StringIteratorPrototype.h:
1617         (JSC::StringIteratorPrototype::create): Deleted.
1618         (JSC::StringIteratorPrototype::createStructure): Deleted.
1619         (JSC::StringIteratorPrototype::StringIteratorPrototype): Deleted.
1620         * runtime/StringPrototype.h:
1621         (JSC::StringPrototype::createStructure): Deleted.
1622         * runtime/SymbolConstructor.h:
1623         (JSC::SymbolConstructor::create): Deleted.
1624         (JSC::SymbolConstructor::createStructure): Deleted.
1625         * runtime/SymbolObject.h:
1626         (JSC::SymbolObject::create): Deleted.
1627         (JSC::SymbolObject::internalValue const): Deleted.
1628         (JSC::SymbolObject::createStructure): Deleted.
1629         * runtime/SymbolPrototype.h:
1630         (JSC::SymbolPrototype::create): Deleted.
1631         (JSC::SymbolPrototype::createStructure): Deleted.
1632         * runtime/WeakMapConstructor.h:
1633         (JSC::WeakMapConstructor::create): Deleted.
1634         (JSC::WeakMapConstructor::createStructure): Deleted.
1635         * runtime/WeakMapPrototype.h:
1636         (JSC::WeakMapPrototype::create): Deleted.
1637         (JSC::WeakMapPrototype::createStructure): Deleted.
1638         (JSC::WeakMapPrototype::WeakMapPrototype): Deleted.
1639         * runtime/WeakSetConstructor.h:
1640         (JSC::WeakSetConstructor::create): Deleted.
1641         (JSC::WeakSetConstructor::createStructure): Deleted.
1642         * runtime/WeakSetPrototype.h:
1643         (JSC::WeakSetPrototype::create): Deleted.
1644         (JSC::WeakSetPrototype::createStructure): Deleted.
1645         (JSC::WeakSetPrototype::WeakSetPrototype): Deleted.
1646         * tools/JSDollarVM.h:
1647         (JSC::JSDollarVM::createStructure): Deleted.
1648         (JSC::JSDollarVM::create): Deleted.
1649         (JSC::JSDollarVM::JSDollarVM): Deleted.
1650         * wasm/js/JSWebAssembly.h:
1651         * wasm/js/JSWebAssemblyCompileError.h:
1652         (JSC::JSWebAssemblyCompileError::create): Deleted.
1653         * wasm/js/JSWebAssemblyInstance.h:
1654         (JSC::JSWebAssemblyInstance::instance): Deleted.
1655         (JSC::JSWebAssemblyInstance::moduleNamespaceObject): Deleted.
1656         (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee): Deleted.
1657         (JSC::JSWebAssemblyInstance::memory): Deleted.
1658         (JSC::JSWebAssemblyInstance::setMemory): Deleted.
1659         (JSC::JSWebAssemblyInstance::memoryMode): Deleted.
1660         (JSC::JSWebAssemblyInstance::table): Deleted.
1661         (JSC::JSWebAssemblyInstance::setTable): Deleted.
1662         (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): Deleted.
1663         (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee): Deleted.
1664         (JSC::JSWebAssemblyInstance::module const): Deleted.
1665         * wasm/js/JSWebAssemblyLinkError.h:
1666         (JSC::JSWebAssemblyLinkError::create): Deleted.
1667         * wasm/js/JSWebAssemblyMemory.h:
1668         (JSC::JSWebAssemblyMemory::subspaceFor): Deleted.
1669         (JSC::JSWebAssemblyMemory::memory): Deleted.
1670         * wasm/js/JSWebAssemblyModule.h:
1671         * wasm/js/JSWebAssemblyRuntimeError.h:
1672         (JSC::JSWebAssemblyRuntimeError::create): Deleted.
1673         * wasm/js/JSWebAssemblyTable.h:
1674         (JSC::JSWebAssemblyTable::isValidLength): Deleted.
1675         (JSC::JSWebAssemblyTable::maximum const): Deleted.
1676         (JSC::JSWebAssemblyTable::length const): Deleted.
1677         (JSC::JSWebAssemblyTable::allocatedLength const): Deleted.
1678         (JSC::JSWebAssemblyTable::table): Deleted.
1679         * wasm/js/WebAssemblyCompileErrorConstructor.h:
1680         * wasm/js/WebAssemblyCompileErrorPrototype.h:
1681         * wasm/js/WebAssemblyInstanceConstructor.h:
1682         * wasm/js/WebAssemblyInstancePrototype.h:
1683         * wasm/js/WebAssemblyLinkErrorConstructor.h:
1684         * wasm/js/WebAssemblyLinkErrorPrototype.h:
1685         * wasm/js/WebAssemblyMemoryConstructor.h:
1686         * wasm/js/WebAssemblyMemoryPrototype.h:
1687         * wasm/js/WebAssemblyModuleConstructor.h:
1688         * wasm/js/WebAssemblyModulePrototype.h:
1689         * wasm/js/WebAssemblyModuleRecord.h:
1690         * wasm/js/WebAssemblyPrototype.h:
1691         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
1692         * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
1693         * wasm/js/WebAssemblyTableConstructor.h:
1694         * wasm/js/WebAssemblyTablePrototype.h:
1695
1696 2018-03-07  Filip Pizlo  <fpizlo@apple.com>
1697
1698         Make it possible to randomize register allocation
1699         https://bugs.webkit.org/show_bug.cgi?id=183416
1700
1701         Reviewed by Keith Miller.
1702         
1703         This is disabled by default for now, because it reveals a regalloc bug in wasm.
1704
1705         * b3/air/AirCode.cpp:
1706         (JSC::B3::Air::Code::Code):
1707         * b3/air/AirCode.h:
1708         (JSC::B3::Air::Code::weakRandom):
1709         * runtime/Options.h:
1710
1711 2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1712
1713         [JSC] Add inherits<T>(VM&) leveraging JSCast fast path
1714         https://bugs.webkit.org/show_bug.cgi?id=183429
1715
1716         Reviewed by Mark Lam.
1717
1718         Add new member function, JSCell::inherits<T>(VM&) and JSValue::inherits<T>(VM&).
1719         They depend on the jsDynamicCast<T> implementation and leverage JSType-based fast
1720         paths defined in JSCast.h. We extract the checking part as `JSCastingHelpers::inherit`
1721         and construct jsDynamicCast and JSCell::inherits based on this.
1722
1723         And we remove several unnecessary casting functions (asRegExpObject, asDateInstance etc.).
1724         In addition, we add jsDynamicCast fast path for RegExpObject by using existing RegExpObjectType.
1725
1726         We also fix the implementation of jsDynamicCast for JSObject since it uses LastJSCObjectType.
1727         The embedder can add their extended object types after that.
1728
1729         * API/JSObjectRef.cpp:
1730         (JSObjectGetPrivateProperty):
1731         (JSObjectSetPrivateProperty):
1732         (JSObjectDeletePrivateProperty):
1733         * API/JSValue.mm:
1734         (isDate):
1735         (isArray):
1736         * API/JSValueRef.cpp:
1737         (JSValueIsArray):
1738         (JSValueIsDate):
1739         (JSValueIsObjectOfClass):
1740         * API/JSWeakObjectMapRefPrivate.cpp:
1741         * API/JSWrapperMap.mm:
1742         (tryUnwrapObjcObject):
1743         * API/ObjCCallbackFunction.mm:
1744         (tryUnwrapConstructor):
1745         * dfg/DFGByteCodeParser.cpp:
1746         (JSC::DFG::ByteCodeParser::parseBlock):
1747         * dfg/DFGOperations.cpp:
1748         * ftl/FTLLowerDFGToB3.cpp:
1749         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
1750         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1751         * ftl/FTLOperations.cpp:
1752         (JSC::FTL::operationMaterializeObjectInOSR):
1753         * inspector/JSInjectedScriptHost.cpp:
1754         (Inspector::JSInjectedScriptHost::subtype):
1755         (Inspector::JSInjectedScriptHost::functionDetails):
1756         * inspector/agents/InspectorHeapAgent.cpp:
1757         (Inspector::InspectorHeapAgent::getPreview):
1758         * interpreter/Interpreter.cpp:
1759         (JSC::notifyDebuggerOfUnwinding):
1760         * interpreter/ShadowChicken.cpp:
1761         (JSC::ShadowChicken::update):
1762         * jit/JIT.cpp:
1763         (JSC::JIT::privateCompileMainPass):
1764         * jit/JITOperations.cpp:
1765         (JSC::operationNewFunctionCommon):
1766         * jsc.cpp:
1767         (checkException):
1768         * runtime/BooleanObject.h:
1769         (JSC::asBooleanObject): Deleted.
1770         * runtime/BooleanPrototype.cpp:
1771         (JSC::booleanProtoFuncToString):
1772         (JSC::booleanProtoFuncValueOf):
1773         * runtime/DateConstructor.cpp:
1774         (JSC::constructDate):
1775         * runtime/DateInstance.h:
1776         (JSC::asDateInstance): Deleted.
1777         * runtime/DatePrototype.cpp:
1778         (JSC::formateDateInstance):
1779         (JSC::dateProtoFuncToISOString):
1780         (JSC::dateProtoFuncToLocaleString):
1781         (JSC::dateProtoFuncToLocaleDateString):
1782         (JSC::dateProtoFuncToLocaleTimeString):
1783         (JSC::dateProtoFuncGetTime):
1784         (JSC::dateProtoFuncGetFullYear):
1785         (JSC::dateProtoFuncGetUTCFullYear):
1786         (JSC::dateProtoFuncGetMonth):
1787         (JSC::dateProtoFuncGetUTCMonth):
1788         (JSC::dateProtoFuncGetDate):
1789         (JSC::dateProtoFuncGetUTCDate):
1790         (JSC::dateProtoFuncGetDay):
1791         (JSC::dateProtoFuncGetUTCDay):
1792         (JSC::dateProtoFuncGetHours):
1793         (JSC::dateProtoFuncGetUTCHours):
1794         (JSC::dateProtoFuncGetMinutes):
1795         (JSC::dateProtoFuncGetUTCMinutes):
1796         (JSC::dateProtoFuncGetSeconds):
1797         (JSC::dateProtoFuncGetUTCSeconds):
1798         (JSC::dateProtoFuncGetMilliSeconds):
1799         (JSC::dateProtoFuncGetUTCMilliseconds):
1800         (JSC::dateProtoFuncGetTimezoneOffset):
1801         (JSC::dateProtoFuncSetTime):
1802         (JSC::setNewValueFromTimeArgs):
1803         (JSC::setNewValueFromDateArgs):
1804         (JSC::dateProtoFuncSetYear):
1805         (JSC::dateProtoFuncGetYear):
1806         * runtime/ExceptionHelpers.cpp:
1807         (JSC::isTerminatedExecutionException):
1808         * runtime/FunctionPrototype.cpp:
1809         (JSC::functionProtoFuncToString):
1810         * runtime/InternalFunction.h:
1811         (JSC::asInternalFunction):
1812         * runtime/JSArray.h:
1813         (JSC::asArray):
1814         * runtime/JSCJSValue.cpp:
1815         (JSC::JSValue::dumpForBacktrace const):
1816         * runtime/JSCJSValue.h:
1817         * runtime/JSCJSValueInlines.h:
1818         (JSC::JSValue::inherits const):
1819         * runtime/JSCast.h:
1820         (JSC::JSCastingHelpers::inheritsGenericImpl):
1821         (JSC::JSCastingHelpers::inheritsJSTypeImpl):
1822         (JSC::JSCastingHelpers::InheritsTraits::inherits):
1823         (JSC::JSCastingHelpers::inherits):
1824         (JSC::jsDynamicCast):
1825         (JSC::JSCastingHelpers::jsDynamicCastGenericImpl): Deleted.
1826         (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl): Deleted.
1827         (JSC::JSCastingHelpers::JSDynamicCastTraits::cast): Deleted.
1828         * runtime/JSCell.h:
1829         * runtime/JSCellInlines.h:
1830         (JSC::JSCell::inherits const):
1831         * runtime/JSFunction.cpp:
1832         (JSC::RetrieveCallerFunctionFunctor::operator() const):
1833         (JSC::JSFunction::callerGetter):
1834         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1835         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1836         * runtime/JSGlobalObject.cpp:
1837         (JSC::enqueueJob):
1838         * runtime/JSGlobalObject.h:
1839         (JSC::asGlobalObject): Deleted.
1840         * runtime/JSInternalPromiseDeferred.cpp:
1841         (JSC::JSInternalPromiseDeferred::create):
1842         * runtime/JSLexicalEnvironment.h:
1843         (JSC::asActivation):
1844         * runtime/JSONObject.cpp:
1845         (JSC::unwrapBoxedPrimitive):
1846         (JSC::Stringifier::Stringifier):
1847         (JSC::Walker::walk):
1848         * runtime/JSPromise.cpp:
1849         (JSC::JSPromise::resolve):
1850         * runtime/JSPromiseDeferred.cpp:
1851         (JSC::JSPromiseDeferred::create):
1852         * runtime/JSType.h:
1853         * runtime/ProxyObject.h:
1854         (JSC::ProxyObject::create): Deleted.
1855         (JSC::ProxyObject::createStructure): Deleted.
1856         (JSC::ProxyObject::target const): Deleted.
1857         (JSC::ProxyObject::handler const): Deleted.
1858         * runtime/RegExpConstructor.cpp:
1859         (JSC::constructRegExp):
1860         * runtime/RegExpConstructor.h:
1861         (JSC::asRegExpConstructor):
1862         (JSC::isRegExp):
1863         * runtime/RegExpObject.cpp:
1864         (JSC::RegExpObject::finishCreation):
1865         (JSC::RegExpObject::getOwnPropertySlot):
1866         (JSC::RegExpObject::defineOwnProperty):
1867         (JSC::regExpObjectSetLastIndexStrict):
1868         (JSC::regExpObjectSetLastIndexNonStrict):
1869         (JSC::RegExpObject::put):
1870         * runtime/RegExpObject.h:
1871         (JSC::RegExpObject::create): Deleted.
1872         (JSC::RegExpObject::setRegExp): Deleted.
1873         (JSC::RegExpObject::regExp const): Deleted.
1874         (JSC::RegExpObject::setLastIndex): Deleted.
1875         (JSC::RegExpObject::getLastIndex const): Deleted.
1876         (JSC::RegExpObject::test): Deleted.
1877         (JSC::RegExpObject::testInline): Deleted.
1878         (JSC::RegExpObject::createStructure): Deleted.
1879         (JSC::RegExpObject::offsetOfRegExp): Deleted.
1880         (JSC::RegExpObject::offsetOfLastIndex): Deleted.
1881         (JSC::RegExpObject::offsetOfLastIndexIsWritable): Deleted.
1882         (JSC::RegExpObject::allocationSize): Deleted.
1883         (JSC::asRegExpObject): Deleted.
1884         * runtime/RegExpPrototype.cpp:
1885         (JSC::regExpProtoFuncTestFast):
1886         (JSC::regExpProtoFuncExec):
1887         (JSC::regExpProtoFuncMatchFast):
1888         (JSC::regExpProtoFuncCompile):
1889         (JSC::regExpProtoGetterGlobal):
1890         (JSC::regExpProtoGetterIgnoreCase):
1891         (JSC::regExpProtoGetterMultiline):
1892         (JSC::regExpProtoGetterDotAll):
1893         (JSC::regExpProtoGetterSticky):
1894         (JSC::regExpProtoGetterUnicode):
1895         (JSC::regExpProtoGetterSource):
1896         (JSC::regExpProtoFuncSearchFast):
1897         (JSC::regExpProtoFuncSplitFast):
1898         * runtime/StringObject.h:
1899         (JSC::asStringObject): Deleted.
1900         * runtime/StringPrototype.cpp:
1901         (JSC::replaceUsingRegExpSearch):
1902         (JSC::replace):
1903         (JSC::stringProtoFuncReplaceUsingRegExp):
1904         (JSC::stringProtoFuncToString):
1905         * runtime/SymbolPrototype.cpp:
1906         (JSC::symbolProtoFuncToString):
1907         (JSC::symbolProtoFuncValueOf):
1908         * tools/JSDollarVM.cpp:
1909         (WTF::customGetValue):
1910         (WTF::customSetValue):
1911         * wasm/js/JSWebAssemblyHelpers.h:
1912         (JSC::isWebAssemblyHostFunction):
1913         * wasm/js/WebAssemblyWrapperFunction.cpp:
1914         (JSC::WebAssemblyWrapperFunction::create):
1915
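The JSType fast path and the JSObject range fix described in the entry above, as an added illustration (not JavaScriptCore's own code, and not part of this ChangeLog): a dynamic cast compares a one-byte type tag when the target class carries a fixed JSType, walks a ClassInfo parent chain otherwise, and treats every tag at or beyond ObjectType as a JSObject so that object types an embedder appends after LastJSCObjectType still pass. The enum values, the ClassInfo layout, the class names, the `typeValue` detection and the VM&-less signatures are assumptions made for the example.

```cpp
// Added illustration, not JavaScriptCore's code: a JSType-tag fast path for dynamic
// casts, a ClassInfo walk as the generic fallback, and the open-ended JSObject check.
#include <cstdint>
#include <type_traits>

// Assumed tags. Everything from ObjectType onward denotes an object; an embedder
// may append its own object tags after LastJSCObjectType.
enum JSType : uint8_t {
    CellType,
    ObjectType,
    RegExpObjectType,
    LastJSCObjectType = RegExpObjectType,
    EmbedderObjectType, // added by an embedder, beyond LastJSCObjectType
};

struct ClassInfo { // stand-in for JSC's ClassInfo: the chain the generic check walks
    const char* className;
    const ClassInfo* parentClass;
    bool isSubClassOf(const ClassInfo* other) const {
        for (const ClassInfo* ci = this; ci; ci = ci->parentClass)
            if (ci == other) return true;
        return false;
    }
};

inline const ClassInfo s_cellInfo     { "JSCell",         nullptr };
inline const ClassInfo s_objectInfo   { "JSObject",       &s_cellInfo };
inline const ClassInfo s_regExpInfo   { "RegExpObject",   &s_objectInfo };
inline const ClassInfo s_embedderInfo { "EmbedderObject", &s_objectInfo };

struct JSCell {
    JSCell(JSType t, const ClassInfo* ci) : type(t), classInfo(ci) {}
    JSType type;
    const ClassInfo* classInfo;
};

// A class exposing a compile-time typeValue gets the one-byte tag compare;
// JSObject gets the open-ended tag range; anything else walks ClassInfo.
struct JSObject : JSCell {
    JSObject(JSType t, const ClassInfo* ci) : JSCell(t, ci) {}
    static const ClassInfo* info() { return &s_objectInfo; }
};
struct RegExpObject : JSObject {
    RegExpObject() : JSObject(RegExpObjectType, &s_regExpInfo) {}
    static constexpr JSType typeValue = RegExpObjectType;
    static const ClassInfo* info() { return &s_regExpInfo; }
};
struct EmbedderObject : JSObject { // no typeValue, so no tag fast path
    EmbedderObject() : JSObject(EmbedderObjectType, &s_embedderInfo) {}
    static const ClassInfo* info() { return &s_embedderInfo; }
};

template<typename T, typename = void>
struct HasTypeValue : std::false_type {};
template<typename T>
struct HasTypeValue<T, std::void_t<decltype(T::typeValue)>> : std::true_type {};

// The shared check behind jsDynamicCast<T> and JSCell::inherits<T>.
template<typename T>
bool inherits(const JSCell* cell) {
    if constexpr (std::is_same_v<T, JSObject>)
        return cell->type >= ObjectType; // open-ended: embedder tags included
    else if constexpr (HasTypeValue<T>::value)
        return cell->type == T::typeValue; // tag compare, no chain walk
    else
        return cell->classInfo->isSubClassOf(T::info()); // generic path
}

// The closed range the entry calls out as wrong: it rejects embedder object tags.
bool inheritsJSObjectClosedRange(const JSCell* cell) {
    return cell->type >= ObjectType && cell->type <= LastJSCObjectType;
}

template<typename T>
T* jsDynamicCast(JSCell* cell) { return inherits<T>(cell) ? static_cast<T*>(cell) : nullptr; }

struct CastResults {
    bool regExpIsRegExp;              // tag compare, hit
    bool plainCellIsObject;           // open-ended range, miss
    bool embedderIsObject;            // open-ended range, hit (fixed check)
    bool embedderIsObjectClosedRange; // same cell through the pre-fix range
    bool embedderIsEmbedder;          // ClassInfo walk, hit
    bool regExpIsEmbedder;            // ClassInfo walk, miss
};

CastResults runScenarios() { // constructed cells, one per path
    JSCell plain(CellType, &s_cellInfo);
    RegExpObject regexp;
    EmbedderObject embedder;
    return CastResults {
        jsDynamicCast<RegExpObject>(&regexp) != nullptr,
        inherits<JSObject>(&plain),
        inherits<JSObject>(&embedder),
        inheritsJSObjectClosedRange(&embedder),
        inherits<EmbedderObject>(&embedder),
        inherits<EmbedderObject>(&regexp),
    };
}
```

The closed-range form is kept next to the fixed one so both can be run on the same cell: with the closed range, an embedder object is reported as not a JSObject, and a caller that trusts the cast then handles an object as if it were some other kind of cell. That is the practical reason a cast helper's tag comparison has to follow the tag layout rather than a constant the layout can outgrow.
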
1916 2018-03-07  Tim Horton  <timothy_horton@apple.com>
1917
1918         Sort and separate FeatureDefines.xcconfig
1919         https://bugs.webkit.org/show_bug.cgi?id=183427
1920
1921         Reviewed by Dan Bernstein.
1922
1923         * Configurations/FeatureDefines.xcconfig:
1924         Sort and split FeatureDefines into paragraphs
1925         (to make it easier to sort later).
1926
1927 2018-03-07  Keith Miller  <keith_miller@apple.com>
1928
1929         Unreviewed, fix 32-bit build.
1930
1931         * dfg/DFGSpeculativeJIT.cpp:
1932         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1933
1934 2018-03-07  Keith Miller  <keith_miller@apple.com>
1935
1936         Meta-program setupArguments and callOperation
1937         https://bugs.webkit.org/show_bug.cgi?id=183263
1938
1939         Rubber-stamped by Filip Pizlo.
1940
1941         This patch removes all the custom overrides of callOperation and setupArguments
1942         throughout the JITs. In their place there is a new setupArguments that marshals
1943         the arguments into place based on the type of the operation's function pointer.
1944         There were a couple of design choices in the implementation of setupArguments:
1945
1946         1) We assume that no TrustedImm floating point values are passed.
1947         2) If ExecState* is the first argument the callFrameRegister should be marshalled implicitly.
1948         3) Types should not be implicitly converted (with the exception of DFG::RegisteredStructure -> Structure*)
1949
1950         The new callOperation/setupArguments do their best to make sure
1951         it's hard to call a function with the wrong parameters. They will
1952         only try to pattern match if the types match up with the next
1953         passed argument. Additionally, the base case should static_assert
1954         if the number of inferred arguments does not match the arity of
1955         the operation's function pointer.
1956
1957         * assembler/AbstractMacroAssembler.h:
1958         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
1959         (JSC::AbstractMacroAssembler::TrustedImmPtr::asPtr):
1960         * assembler/MacroAssembler.h:
1961         (JSC::MacroAssembler::poke):
1962         (JSC::MacroAssembler::move):
1963         * assembler/MacroAssemblerARM64.h:
1964         (JSC::MacroAssemblerARM64::swap):
1965         * assembler/MacroAssemblerX86.h:
1966         (JSC::MacroAssemblerX86::storeDouble):
1967         * assembler/MacroAssemblerX86Common.h:
1968         (JSC::MacroAssemblerX86Common::loadDouble):
1969         (JSC::MacroAssemblerX86Common::swap):
1970         (JSC::MacroAssemblerX86Common::move):
1971         * bytecode/AccessCase.cpp:
1972         (JSC::AccessCase::generateImpl):
1973         * bytecode/AccessCaseSnippetParams.cpp:
1974         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1975         * bytecode/PolymorphicAccess.cpp:
1976         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1977         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1978         * dfg/DFGNode.h:
1979         * dfg/DFGOSRExit.cpp:
1980         (JSC::DFG::OSRExit::emitRestoreArguments):
1981         * dfg/DFGOSRExitCompilerCommon.cpp:
1982         (JSC::DFG::osrWriteBarrier):
1983         * dfg/DFGOperations.cpp:
1984         * dfg/DFGOperations.h:
1985         * dfg/DFGSlowPathGenerator.h:
1986         * dfg/DFGSpeculativeJIT.cpp:
1987         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
1988         (JSC::DFG::SpeculativeJIT::compileArithMod):
1989         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1990         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
1991         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1992         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1993         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1994         * dfg/DFGSpeculativeJIT.h:
1995         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
1996         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::operator MacroAssembler::TrustedImm const):
1997         (JSC::DFG::SpeculativeJIT::initConstantInfo):
1998         (JSC::DFG::SpeculativeJIT::callOperation):
1999         (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
2000         (JSC::DFG::SpeculativeJIT::callCustomGetter): Deleted.
2001         * dfg/DFGSpeculativeJIT32_64.cpp:
2002         (JSC::DFG::SpeculativeJIT::cachedGetById):
2003         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2004         (JSC::DFG::SpeculativeJIT::cachedPutById):
2005         (JSC::DFG::SpeculativeJIT::emitCall):
2006         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2007         (JSC::DFG::SpeculativeJIT::compile):
2008         * dfg/DFGSpeculativeJIT64.cpp:
2009         (JSC::DFG::SpeculativeJIT::emitCall):
2010         (JSC::DFG::SpeculativeJIT::compile):
2011         * ftl/FTLLowerDFGToB3.cpp:
2012         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2013         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2014         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2015         * ftl/FTLOSRExitCompiler.cpp:
2016         (JSC::FTL::compileStub):
2017         * ftl/FTLSlowPathCall.h:
2018         (JSC::FTL::callOperation):
2019         * jit/AssemblyHelpers.cpp:
2020         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2021         * jit/CCallHelpers.cpp:
2022         (JSC::CCallHelpers::ensureShadowChickenPacket):
2023         * jit/CCallHelpers.h:
2024         (JSC::CCallHelpers::setupArgument):
2025         (JSC::CCallHelpers::setupStubArgs):
2026         (JSC::CCallHelpers::ArgCollection::ArgCollection):
2027         (JSC::CCallHelpers::ArgCollection::pushRegArg):
2028         (JSC::CCallHelpers::ArgCollection::addGPRArg):
2029         (JSC::CCallHelpers::ArgCollection::addStackArg):
2030         (JSC::CCallHelpers::ArgCollection::addPoke):
2031         (JSC::CCallHelpers::ArgCollection::argCount):
2032         (JSC::CCallHelpers::clampArrayToSize):
2033         (JSC::CCallHelpers::pokeForArgument):
2034         (JSC::CCallHelpers::marshallArgumentRegister):
2035         (JSC::CCallHelpers::setupArgumentsImpl):
2036         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
2037         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
2038         (JSC::CCallHelpers::setupArguments):
2039         (JSC::CCallHelpers::prepareForTailCallSlow):
2040         (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
2041         (JSC::CCallHelpers::resetCallArguments): Deleted.
2042         (JSC::CCallHelpers::addCallArgument): Deleted.
2043         (JSC::CCallHelpers::setupArgumentsExecState): Deleted.
2044         (JSC::CCallHelpers::setupTwoStubArgsGPR): Deleted.
2045         (JSC::CCallHelpers::setupThreeStubArgsGPR): Deleted.
2046         (JSC::CCallHelpers::setupFourStubArgsGPR): Deleted.
2047         (JSC::CCallHelpers::setupFiveStubArgsGPR): Deleted.
2048         (JSC::CCallHelpers::setupTwoStubArgsFPR): Deleted.
2049         (JSC::CCallHelpers::setupStubArguments): Deleted.
2050         (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Deleted.
2051         (JSC::CCallHelpers::setupStubArguments134): Deleted.
2052         (JSC::CCallHelpers::setupStubArgsGPR): Deleted.
2053         * jit/FPRInfo.h:
2054         (JSC::toInfoFromReg):
2055         * jit/GPRInfo.h:
2056         (JSC::JSValueRegs::JSValueRegs):
2057         (JSC::toInfoFromReg):
2058         * jit/JIT.h:
2059         (JSC::JIT::callOperation):
2060         (JSC::JIT::callOperationWithProfile):
2061         (JSC::JIT::callOperationWithResult):
2062         (JSC::JIT::callOperationNoExceptionCheck):
2063         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
2064         * jit/JITArithmetic.cpp:
2065         (JSC::JIT::emitMathICFast):
2066         (JSC::JIT::emitMathICSlow):
2067         * jit/JITArithmetic32_64.cpp:
2068         (JSC::JIT::emit_compareAndJumpSlow):
2069         * jit/JITCall32_64.cpp:
2070         (JSC::JIT::compileSetupVarargsFrame):
2071         * jit/JITInlines.h:
2072         (JSC::JIT::callOperation): Deleted.
2073         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
2074         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
2075         * jit/JITOpcodes.cpp:
2076         (JSC::JIT::emit_op_new_array_with_size):
2077         * jit/JITOpcodes32_64.cpp:
2078         (JSC::JIT::emitSlow_op_instanceof):
2079         (JSC::JIT::emitSlow_op_instanceof_custom):
2080         (JSC::JIT::emit_op_set_function_name):
2081         (JSC::JIT::emitSlow_op_eq):
2082         (JSC::JIT::emitSlow_op_neq):
2083         (JSC::JIT::emit_op_throw):
2084         (JSC::JIT::emit_op_switch_imm):
2085         (JSC::JIT::emit_op_switch_char):
2086         (JSC::JIT::emit_op_switch_string):
2087         (JSC::JIT::emitSlow_op_has_indexed_property):
2088         * jit/JITOperations.cpp:
2089         * jit/JITOperations.h:
2090         * jit/JITPropertyAccess.cpp:
2091         (JSC::JIT::emitGetByValWithCachedId):
2092         (JSC::JIT::emitSlow_op_get_by_id):
2093         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2094         (JSC::JIT::emitSlow_op_get_from_scope):
2095         * jit/JITPropertyAccess32_64.cpp:
2096         (JSC::JIT::emit_op_put_by_index):
2097         (JSC::JIT::emit_op_put_setter_by_id):
2098         (JSC::JIT::emit_op_put_getter_setter_by_id):
2099         (JSC::JIT::emit_op_put_getter_by_val):
2100         (JSC::JIT::emit_op_put_setter_by_val):
2101         (JSC::JIT::emit_op_del_by_id):
2102         (JSC::JIT::emit_op_del_by_val):
2103         (JSC::JIT::emitGetByValWithCachedId):
2104         (JSC::JIT::emitSlow_op_get_by_val):
2105         (JSC::JIT::emitPutByValWithCachedId):
2106         (JSC::JIT::emitSlow_op_put_by_val):
2107         (JSC::JIT::emitSlow_op_try_get_by_id):
2108         (JSC::JIT::emitSlow_op_get_by_id):
2109         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2110         (JSC::JIT::emitSlow_op_put_by_id):
2111         (JSC::JIT::emitSlow_op_get_from_scope):
2112         * jit/RegisterSet.h:
2113         (JSC::RegisterSet::RegisterSet):
2114         * jit/ThunkGenerators.cpp:
2115         (JSC::throwExceptionFromCallSlowPathGenerator):
2116         (JSC::slowPathFor):
2117         * jsc.cpp:
2118         (GlobalObject::finishCreation):
2119         (functionBreakpoint):
2120         * runtime/JSCJSValue.h:
2121         * wasm/js/WasmToJS.cpp:
2122         (JSC::Wasm::wasmToJS):
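
        The three design choices above, as an added example that is not the patch's code: a reduced
        setupArguments over stand-in types (ExecState, Structure, RegisteredStructure, GPRReg,
        TrustedImm32, TrustedImmPtr and TrustedImmDouble are simplified here, and OperationPutStructure
        and OperationHashBytes are hypothetical operation signatures). Each passed argument is matched
        against the corresponding parameter type of the operation's function pointer, an ExecState*
        first parameter is filled from the call-frame register without being passed, only
        RegisteredStructure -> Structure* converts implicitly, floating-point immediates are rejected,
        and the base case static_asserts that the slot count equals the arity.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <tuple>
#include <type_traits>
#include <vector>

// Stand-ins for the JIT types named in the entry (simplified, not JSC's definitions).
struct ExecState;                                   // opaque call frame
struct Structure;                                   // opaque runtime structure
struct RegisteredStructure { Structure* ptr; };     // the one permitted implicit conversion
struct GPRReg { int index; };                       // general-purpose register
struct TrustedImm32 { std::int32_t value; };        // integer immediate
struct TrustedImmPtr { const void* value; };        // pointer immediate
struct TrustedImmDouble { double value; };          // must be rejected (design choice 1)

using Moves = std::vector<std::string>;             // the assembler's moves, recorded as text

template <typename... Params> struct FirstIsExecState : std::false_type {};
template <typename... Rest> struct FirstIsExecState<ExecState*, Rest...> : std::true_type {};

// Parameter list and arity pulled out of the operation's function pointer type.
template <typename Op> struct OpTraits;
template <typename R, typename... Params> struct OpTraits<R (*)(Params...)> {
    static constexpr std::size_t arity = sizeof...(Params);
    static constexpr bool takesExecState = FirstIsExecState<Params...>::value;
    template <std::size_t I> using Param = typename std::tuple_element<I, std::tuple<Params...>>::type;
};

// Which passed values may populate a parameter of type Expected. Nothing converts
// implicitly except RegisteredStructure -> Structure* (design choice 3).
template <typename Expected, typename Passed> struct Accepts : std::false_type {};
template <typename Expected> struct Accepts<Expected, GPRReg>
    : std::integral_constant<bool, std::is_integral<Expected>::value || std::is_pointer<Expected>::value> {};
template <typename Expected> struct Accepts<Expected, TrustedImm32> : std::is_integral<Expected> {};
template <typename Expected> struct Accepts<Expected, TrustedImmPtr> : std::is_pointer<Expected> {};
template <> struct Accepts<Structure*, RegisteredStructure> : std::true_type {};

inline std::string describe(GPRReg r) { return "gpr" + std::to_string(r.index); }
inline std::string describe(TrustedImm32 i) { return "imm32(" + std::to_string(i.value) + ")"; }
inline std::string describe(TrustedImmPtr) { return "immPtr"; }
inline std::string describe(RegisteredStructure) { return "registeredStructure"; }
inline void emitMove(Moves& moves, std::size_t slot, const std::string& source)
{
    moves.push_back(source + " -> arg" + std::to_string(slot));
}

// Base case: all passed arguments consumed; the slot count must equal the arity.
template <typename Op, std::size_t Slot> void setupArgumentsImpl(Moves&)
{
    static_assert(Slot == OpTraits<Op>::arity, "argument count does not match the operation's arity");
}

// Recursive case: pattern-match the next passed argument against parameter Slot.
template <typename Op, std::size_t Slot, typename Arg, typename... Rest>
void setupArgumentsImpl(Moves& moves, Arg arg, Rest... rest)
{
    static_assert(Slot < OpTraits<Op>::arity, "more arguments than the operation accepts");
    using Expected = typename OpTraits<Op>::template Param<Slot>;
    static_assert(!std::is_same<Arg, TrustedImmDouble>::value, "floating-point immediates are not supported");
    static_assert(Accepts<Expected, Arg>::value, "argument does not match the parameter type");
    emitMove(moves, Slot, describe(arg));
    setupArgumentsImpl<Op, Slot + 1>(moves, rest...);
}

// Design choice 2: an ExecState* first parameter is filled from the call-frame register
// and is never passed by the caller.
template <typename Op, typename... Args> Moves setupArgumentsDispatch(std::true_type, Args... args)
{
    Moves moves;
    emitMove(moves, 0, "callFrameRegister");
    setupArgumentsImpl<Op, 1>(moves, args...);
    return moves;
}
template <typename Op, typename... Args> Moves setupArgumentsDispatch(std::false_type, Args... args)
{
    Moves moves;
    setupArgumentsImpl<Op, 0>(moves, args...);
    return moves;
}
template <typename Op, typename... Args> Moves setupArguments(Args... args)
{
    return setupArgumentsDispatch<Op>(std::integral_constant<bool, OpTraits<Op>::takesExecState>(), args...);
}

// Hypothetical operation signatures for the demonstration.
using OperationPutStructure = void (*)(ExecState*, Structure*, std::int32_t);
using OperationHashBytes = std::uint64_t (*)(const void*, std::int32_t);

Moves examplePutStructure()
{
    RegisteredStructure structure { nullptr };
    return setupArguments<OperationPutStructure>(structure, TrustedImm32 { 7 });
}
Moves exampleHashBytes()
{
    return setupArguments<OperationHashBytes>(TrustedImmPtr { nullptr }, GPRReg { 4 });
}
// These do not compile, which is the point:
//   setupArguments<OperationPutStructure>(TrustedImm32 { 1 }, TrustedImm32 { 7 });   // int32 -> Structure*
//   setupArguments<OperationPutStructure>(RegisteredStructure { nullptr });           // arity mismatch
//   setupArguments<OperationHashBytes>(TrustedImmPtr { nullptr }, TrustedImmDouble { 1.0 });
```

        The property worth checking is that a call site with the wrong argument kinds or count
        fails to compile rather than producing a silently mis-marshalled slow-path call; the
        commented lines at the end show the three failure classes.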
2123
2124 2018-03-07  Mark Lam  <mark.lam@apple.com>
2125
2126         Rename ProtoCallFrame::arityMissMatch to hasArityMismatch.
2127         https://bugs.webkit.org/show_bug.cgi?id=183414
2128         <rdar://problem/38231678>
2129
2130         Reviewed by Michael Saboff.
2131
2132         * interpreter/ProtoCallFrame.cpp:
2133         (JSC::ProtoCallFrame::init):
2134         * interpreter/ProtoCallFrame.h:
2135
2136 2018-03-07  Mark Lam  <mark.lam@apple.com>
2137
2138         Simplify the variants of FunctionPtr constructors.
2139         https://bugs.webkit.org/show_bug.cgi?id=183399
2140         <rdar://problem/38212980>
2141
2142         Reviewed by Yusuke Suzuki.
2143
2144         * assembler/MacroAssemblerCodeRef.h:
2145         (JSC::FunctionPtr::FunctionPtr):
2146
2147 2018-03-06  Filip Pizlo  <fpizlo@apple.com>
2148
2149         MarkedArgumentsBuffer should allocate from the JSValue Gigacage
2150         https://bugs.webkit.org/show_bug.cgi?id=183377
2151
2152         Reviewed by Michael Saboff.
2153         
2154         That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.
2155
2156         * runtime/ArgList.cpp:
2157         (JSC::MarkedArgumentBuffer::expandCapacity):
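
        To show why allocating the buffer inside a cage stops that pivot, an added example that is
        not WebKit's Gigacage: a simplified Cage class with bump allocation and pointer masking, and a
        VictimObject constructed for the scenario. A slot pointer that has been corrupted to point at
        an object outside the cage is folded back inside the region before the store lands, so the
        object outside the cage stays intact.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>

// Simplified cage for this example, not WebKit's Gigacage. One contiguous region whose
// size is a power of two; caged objects are bump-allocated from it, and every pointer
// that is supposed to refer into it is re-based through cagedPointer() before use.
class Cage {
public:
    explicit Cage(std::size_t sizeLog2)
        : m_size(std::size_t(1) << sizeLog2)
        , m_mask(m_size - 1)
        , m_storage(new std::uint8_t[m_size]())
        , m_bump(0)
    {
    }

    // Bump allocation with 8-byte alignment; nullptr when the cage is exhausted.
    void* allocate(std::size_t bytes)
    {
        std::size_t aligned = (bytes + 7) & ~std::size_t(7);
        if (aligned > m_size - m_bump)
            return nullptr;
        void* result = m_storage.get() + m_bump;
        m_bump += aligned;
        return result;
    }

    // Fold any address back into the region: take its offset from the cage base and
    // mask it to the cage size. A pointer already inside is returned unchanged; a
    // corrupted one that points elsewhere lands somewhere inside the cage instead.
    void* cagedPointer(const void* p) const
    {
        std::uintptr_t base = reinterpret_cast<std::uintptr_t>(m_storage.get());
        std::uintptr_t offset = reinterpret_cast<std::uintptr_t>(p) - base;
        return m_storage.get() + (offset & m_mask);
    }

    bool contains(const void* p) const
    {
        const std::uint8_t* q = static_cast<const std::uint8_t*>(p);
        return q >= m_storage.get() && q < m_storage.get() + m_size;
    }

private:
    std::size_t m_size;
    std::size_t m_mask;
    std::unique_ptr<std::uint8_t[]> m_storage;
    std::size_t m_bump;
};

// Stand-in for an object in a different heap that the attacker wants to corrupt
// (constructed for this scenario).
struct VictimObject {
    std::uint64_t header = 0x1234;
    std::uint64_t payload = 0x5678;
};

// Scenario: an argument buffer of JSValue-sized slots lives in the cage, but its slot
// pointer has been overwritten (the UAF-on-malloc-memory step) to point at `victim`,
// which is outside the cage. Because the slot pointer is caged before the store, the
// store cannot leave the region. Returns true when the victim survives untouched.
bool cagedWriteCannotReachVictim()
{
    Cage cage(16);                                                          // 64 KiB cage
    std::uint64_t* slots = static_cast<std::uint64_t*>(cage.allocate(4 * sizeof(std::uint64_t)));
    if (!slots)
        return false;
    slots[0] = 1;                                                           // legitimate use

    VictimObject victim;
    std::uint64_t* corrupted = &victim.payload;                             // attacker-controlled slot pointer
    std::uint64_t* target = static_cast<std::uint64_t*>(cage.cagedPointer(corrupted));
    *target = 0xdeadbeefULL;                                                // the write meant to hit victim

    return cage.contains(target) && !cage.contains(corrupted) && victim.payload == 0x5678;
}

// Sanity checks on the cage itself: in-cage pointers survive caging unchanged and
// allocation fails cleanly instead of running past the region.
bool cageSelfCheck()
{
    Cage cage(12);                                                          // 4 KiB cage
    void* p = cage.allocate(100);
    if (!p || !cage.contains(p) || cage.cagedPointer(p) != p)
        return false;
    return cage.allocate(5000) == nullptr;
}
```

        The masking step is what makes the separation hold: a corrupted pointer still causes a wrong
        write, but only to memory of the same kind, so it cannot be turned into corruption of cells
        that live outside the cage.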
2158
2159 2018-03-07  Mark Lam  <mark.lam@apple.com>
2160
2161         Add support for ARM64E.
2162         https://bugs.webkit.org/show_bug.cgi?id=183398
2163         <rdar://problem/38212621>
2164
2165         Reviewed by Michael Saboff.
2166
2167         * assembler/MacroAssembler.h:
2168         * llint/LLIntOfflineAsmConfig.h:
2169         * llint/LowLevelInterpreter.asm:
2170         * llint/LowLevelInterpreter64.asm:
2171         * offlineasm/backends.rb:
2172
2173 2018-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2174
2175         HTML `pattern` attribute should set `u` flag for regular expressions
2176         https://bugs.webkit.org/show_bug.cgi?id=151598
2177
2178         Reviewed by Chris Dumez.
2179
2180         Add UnicodeMode for JSC::Yarr::RegularExpression.
2181
2182         * yarr/RegularExpression.cpp:
2183         (JSC::Yarr::RegularExpression::Private::create):
2184         (JSC::Yarr::RegularExpression::Private::Private):
2185         (JSC::Yarr::RegularExpression::Private::compile):
2186         (JSC::Yarr::RegularExpression::RegularExpression):
2187         * yarr/RegularExpression.h:
2188
2189 2018-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2190
2191         [JSC] Add more JSType based fast path for jsDynamicCast
2192         https://bugs.webkit.org/show_bug.cgi?id=183403
2193
2194         Reviewed by Mark Lam.
2195
2196         We add more JSType-based fast paths for jsDynamicCast. Basically, we add miscellaneous JSTypes which
2197         are used for jsDynamicCast in JSC, arguments types, and scope types.
2198
2199         We also add ClassInfo to JSScope and JSSegmentedVariableObject since they are used with jsDynamicCast.
2200
2201         * jit/JITOperations.cpp:
2202         * llint/LLIntSlowPaths.cpp:
2203         (JSC::LLInt::setUpCall):
2204         * runtime/ClonedArguments.h:
2205         (JSC::ClonedArguments::specialsMaterialized const): Deleted.
2206         * runtime/DirectArguments.h:
2207         (JSC::DirectArguments::subspaceFor): Deleted.
2208         (JSC::DirectArguments::internalLength const): Deleted.
2209         (JSC::DirectArguments::length const): Deleted.
2210         (JSC::DirectArguments::isMappedArgument const): Deleted.
2211         (JSC::DirectArguments::isMappedArgumentInDFG const): Deleted.
2212         (JSC::DirectArguments::getIndexQuickly const): Deleted.
2213         (JSC::DirectArguments::setIndexQuickly): Deleted.
2214         (JSC::DirectArguments::callee): Deleted.
2215         (JSC::DirectArguments::argument): Deleted.
2216         (JSC::DirectArguments::overrodeThings const): Deleted.
2217         (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
2218         (JSC::DirectArguments::setModifiedArgumentDescriptor): Deleted.
2219         (JSC::DirectArguments::isModifiedArgumentDescriptor): Deleted.
2220         (JSC::DirectArguments::offsetOfCallee): Deleted.
2221         (JSC::DirectArguments::offsetOfLength): Deleted.
2222         (JSC::DirectArguments::offsetOfMinCapacity): Deleted.
2223         (JSC::DirectArguments::offsetOfMappedArguments): Deleted.
2224         (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor): Deleted.
2225         (JSC::DirectArguments::storageOffset): Deleted.
2226         (JSC::DirectArguments::offsetOfSlot): Deleted.
2227         (JSC::DirectArguments::allocationSize): Deleted.
2228         (JSC::DirectArguments::storage): Deleted.
2229         * runtime/JSCast.h:
2230         * runtime/JSGlobalLexicalEnvironment.h:
2231         (JSC::JSGlobalLexicalEnvironment::create): Deleted.
2232         (JSC::JSGlobalLexicalEnvironment::isEmpty const): Deleted.
2233         (JSC::JSGlobalLexicalEnvironment::createStructure): Deleted.
2234         (JSC::JSGlobalLexicalEnvironment::JSGlobalLexicalEnvironment): Deleted.
2235         * runtime/JSGlobalObject.cpp:
2236         (JSC::JSGlobalObject::finishCreation):
2237         * runtime/JSMap.h:
2238         (JSC::isJSMap): Deleted.
2239         * runtime/JSModuleEnvironment.h:
2240         (JSC::JSModuleEnvironment::create): Deleted.
2241         (JSC::JSModuleEnvironment::createStructure): Deleted.
2242         (JSC::JSModuleEnvironment::offsetOfModuleRecord): Deleted.
2243         (JSC::JSModuleEnvironment::allocationSize): Deleted.
2244         (JSC::JSModuleEnvironment::moduleRecord): Deleted.
2245         (JSC::JSModuleEnvironment::moduleRecordSlot): Deleted.
2246         * runtime/JSObject.cpp:
2247         (JSC::canDoFastPutDirectIndex):
2248         (JSC::JSObject::defineOwnIndexedProperty):
2249         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2250         * runtime/JSObject.h:
2251         (JSC::JSFinalObject::allocationSize): Deleted.
2252         (JSC::JSFinalObject::typeInfo): Deleted.
2253         (JSC::JSFinalObject::defaultInlineCapacity): Deleted.
2254         (JSC::JSFinalObject::maxInlineCapacity): Deleted.
2255         (JSC::JSFinalObject::createStructure): Deleted.
2256         (JSC::JSFinalObject::finishCreation): Deleted.
2257         (JSC::JSFinalObject::JSFinalObject): Deleted.
2258         (JSC::isJSFinalObject): Deleted.
2259         * runtime/JSScope.cpp:
2260         * runtime/JSScope.h:
2261         * runtime/JSSegmentedVariableObject.cpp:
2262         * runtime/JSSegmentedVariableObject.h:
2263         * runtime/JSSet.h:
2264         (JSC::isJSSet): Deleted.
2265         * runtime/JSType.h:
2266         * runtime/JSWeakMap.h:
2267         (JSC::isJSWeakMap): Deleted.
2268         * runtime/JSWeakSet.h:
2269         (JSC::isJSWeakSet): Deleted.
2270         * runtime/JSWithScope.h:
2271         (JSC::JSWithScope::object): Deleted.
2272         * runtime/MapConstructor.cpp:
2273         (JSC::constructMap):
2274         (JSC::mapPrivateFuncMapBucketHead):
2275         * runtime/MapPrototype.cpp:
2276         (JSC::getMap):
2277         * runtime/NumberObject.cpp:
2278         (JSC::NumberObject::finishCreation):
2279         * runtime/NumberPrototype.cpp:
2280         (JSC::toThisNumber):
2281         (JSC::numberProtoFuncToExponential):
2282         (JSC::numberProtoFuncToFixed):
2283         (JSC::numberProtoFuncToPrecision):
2284         (JSC::numberProtoFuncToString):
2285         (JSC::numberProtoFuncToLocaleString):
2286         (JSC::numberProtoFuncValueOf):
2287         * runtime/ObjectConstructor.cpp:
2288         (JSC::objectConstructorSeal):
2289         (JSC::objectConstructorFreeze):
2290         (JSC::objectConstructorIsSealed):
2291         (JSC::objectConstructorIsFrozen):
2292         * runtime/ProxyObject.cpp:
2293         (JSC::ProxyObject::finishCreation):
2294         * runtime/ScopedArguments.h:
2295         (JSC::ScopedArguments::subspaceFor): Deleted.
2296         (JSC::ScopedArguments::internalLength const): Deleted.
2297         (JSC::ScopedArguments::length const): Deleted.
2298         (JSC::ScopedArguments::isMappedArgument const): Deleted.
2299         (JSC::ScopedArguments::isMappedArgumentInDFG const): Deleted.
2300         (JSC::ScopedArguments::getIndexQuickly const): Deleted.
2301         (JSC::ScopedArguments::setIndexQuickly): Deleted.
2302         (JSC::ScopedArguments::callee): Deleted.
2303         (JSC::ScopedArguments::overrodeThings const): Deleted.
2304         (JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
2305         (JSC::ScopedArguments::setModifiedArgumentDescriptor): Deleted.
2306         (JSC::ScopedArguments::isModifiedArgumentDescriptor): Deleted.
2307         (JSC::ScopedArguments::offsetOfOverrodeThings): Deleted.
2308         (JSC::ScopedArguments::offsetOfTotalLength): Deleted.
2309         (JSC::ScopedArguments::offsetOfTable): Deleted.
2310         (JSC::ScopedArguments::offsetOfScope): Deleted.
2311         (JSC::ScopedArguments::overflowStorageOffset): Deleted.
2312         (JSC::ScopedArguments::allocationSize): Deleted.
2313         (JSC::ScopedArguments::overflowStorage const): Deleted.
2314         * runtime/SetConstructor.cpp:
2315         (JSC::constructSet):
2316         (JSC::setPrivateFuncSetBucketHead):
2317         * runtime/SetPrototype.cpp:
2318         (JSC::getSet):
2319         * runtime/StrictEvalActivation.h:
2320         (JSC::StrictEvalActivation::create): Deleted.
2321         (JSC::StrictEvalActivation::createStructure): Deleted.
2322         * runtime/WeakMapPrototype.cpp:
2323         (JSC::getWeakMap):
2324         * runtime/WeakSetPrototype.cpp:
2325         (JSC::getWeakSet):
2326
2327 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
2328
2329         [ARM] offlineasm: fix indentation in armOpcodeReversedOperands
2330         https://bugs.webkit.org/show_bug.cgi?id=183400
2331
2332         Reviewed by Mark Lam.
2333
2334         * offlineasm/arm.rb:
2335
2336 2018-03-06  Mark Lam  <mark.lam@apple.com>
2337
2338         Prepare LLInt code to support pointer profiling.
2339         https://bugs.webkit.org/show_bug.cgi?id=183387
2340         <rdar://problem/38199678>
2341
2342         Reviewed by JF Bastien.
2343
2344         1. Introduced PtrTag enums for supporting pointer profiling later.
2345
2346         2. Also introduced tagging, untagging, retagging, and tag removal placeholder
2347            template functions for the same purpose.
2348
2349         3. Prepare the offlineasm for supporting pointer profiling later.
2350
2351         4. Tagged some pointers in LLInt asm code.  Currently, these should have no
2352            effect on behavior.
2353
2354         5. Removed returnToThrowForThrownException() because it is not used anywhere.
2355
2356         6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
2357            easier to view and edit these files in Xcode.
2358
2359         * CMakeLists.txt:
2360         * JavaScriptCore.xcodeproj/project.pbxproj:
2361         * bytecode/LLIntCallLinkInfo.h:
2362         (JSC::LLIntCallLinkInfo::unlink):
2363         * llint/LLIntData.cpp:
2364         (JSC::LLInt::initialize):
2365         * llint/LLIntData.h:
2366         * llint/LLIntExceptions.cpp:
2367         (JSC::LLInt::returnToThrowForThrownException): Deleted.
2368         * llint/LLIntExceptions.h:
2369         * llint/LLIntOfflineAsmConfig.h:
2370         * llint/LLIntOffsetsExtractor.cpp:
2371         * llint/LLIntPCRanges.h:
2372         (JSC::LLInt::isLLIntPC):
2373         * llint/LLIntSlowPaths.cpp:
2374         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2375         (JSC::LLInt::handleHostCall):
2376         (JSC::LLInt::setUpCall):
2377         * llint/LowLevelInterpreter.asm:
2378         * llint/LowLevelInterpreter32_64.asm:
2379         * llint/LowLevelInterpreter64.asm:
2380         * offlineasm/ast.rb:
2381         * offlineasm/instructions.rb:
2382         * offlineasm/risc.rb:
2383         * runtime/PtrTag.h: Added.
2384         (JSC::uniquePtrTagID):
2385         (JSC::ptrTag):
2386         (JSC::tagCodePtr):
2387         (JSC::untagCodePtr):
2388         (JSC::retagCodePtr):
2389         (JSC::removeCodePtrTag):
2390
2391 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
2392
2393         [ARM] Assembler warnings: "use of r13 is deprecated"
2394         https://bugs.webkit.org/show_bug.cgi?id=183286
2395
2396         Reviewed by Mark Lam.
2397
2398         Usage of sp/r13 as operand Rm is deprecated on ARM. offlineasm
2399         sometimes generates assembly code that triggers this warning. Prevent
2400         this by simply switching operands.
2401
2402         * offlineasm/arm.rb:
2403
2404 2018-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2405
2406         Unreviewed, fix incorrect assertion after r229309
2407         https://bugs.webkit.org/show_bug.cgi?id=182975
2408
2409         * runtime/TypeProfilerLog.cpp:
2410         (JSC::TypeProfilerLog::TypeProfilerLog):
2411
2412 2018-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2413
2414         Fix std::make_unique / new[] using system malloc
2415         https://bugs.webkit.org/show_bug.cgi?id=182975
2416
2417         Reviewed by JF Bastien.
2418
2419         Use Vector, FAST_ALLOCATED, or UniqueArray instead.
2420
2421         * API/JSStringRefCF.cpp:
2422         (JSStringCreateWithCFString):
2423         * bytecode/BytecodeKills.h:
2424         * bytecode/BytecodeLivenessAnalysis.cpp:
2425         (JSC::BytecodeLivenessAnalysis::computeKills):
2426         * dfg/DFGDisassembler.cpp:
2427         (JSC::DFG::Disassembler::dumpDisassembly):
2428         * jit/PolymorphicCallStubRoutine.cpp:
2429         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2430         * jit/PolymorphicCallStubRoutine.h:
2431         * jit/Repatch.cpp:
2432         (JSC::linkPolymorphicCall):
2433         * jsc.cpp:
2434         (currentWorkingDirectory):
2435         * llint/LLIntData.cpp:
2436         (JSC::LLInt::initialize):
2437         * llint/LLIntData.h:
2438         * runtime/ArgList.h:
2439         * runtime/StructureChain.h:
2440         * runtime/StructureIDTable.cpp:
2441         (JSC::StructureIDTable::StructureIDTable):
2442         (JSC::StructureIDTable::resize):
2443         * runtime/StructureIDTable.h:
2444         * runtime/TypeProfilerLog.cpp:
2445         (JSC::TypeProfilerLog::TypeProfilerLog):
2446         (JSC::TypeProfilerLog::initializeLog): Deleted.
2447         * runtime/TypeProfilerLog.h:
2448         (JSC::TypeProfilerLog::TypeProfilerLog): Deleted.
2449         * runtime/VM.cpp:
2450         (JSC::VM::~VM):
2451         (JSC::VM::acquireRegExpPatternContexBuffer):
2452         * runtime/VM.h:
2453         * testRegExp.cpp:
2454         (runFromFiles):
2455         * tools/HeapVerifier.cpp:
2456         (JSC::HeapVerifier::HeapVerifier):
2457         * tools/HeapVerifier.h:
2458
2459 2018-03-05  Mark Lam  <mark.lam@apple.com>
2460
2461         JITThunk functions should only be called when the JIT is enabled.
2462         https://bugs.webkit.org/show_bug.cgi?id=183351
2463         <rdar://problem/38160091>
2464
2465         Reviewed by Keith Miller.
2466
2467         * jit/JITThunks.cpp:
2468         (JSC::JITThunks::ctiNativeCall):
2469         (JSC::JITThunks::ctiNativeConstruct):
2470         (JSC::JITThunks::ctiInternalFunctionCall):
2471         (JSC::JITThunks::ctiInternalFunctionConstruct):
2472         * runtime/VM.cpp:
2473         (JSC::VM::VM):
2474         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2475
2476 2018-03-05  Mark Lam  <mark.lam@apple.com>
2477
2478         Gardening: build fix.
2479
2480         Not reviewed.
2481
2482         * interpreter/AbstractPC.h:
2483         (JSC::AbstractPC::AbstractPC):
2484
2485 2018-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2486
2487         [JSC] Use WTF::ArithmeticOperations for CLoop overflow operations
2488         https://bugs.webkit.org/show_bug.cgi?id=183324
2489
2490         Reviewed by JF Bastien.
2491
2492         We have WTF::ArithmeticOperations which has operations with overflow checking.
2493         This is suitable for CLoop's overflow checking operations. This patch emits
2494         WTF::ArithmeticOperations for CLoop's overflow checking operations. And it is
2495         lowered to optimized code using the CPU's overflow flag.
2496
2497         * offlineasm/cloop.rb:
2498
2499 2018-03-05  Don Olmstead  <don.olmstead@sony.com>
2500
2501         [CMake] Split JSC header copying into public and private targets
2502         https://bugs.webkit.org/show_bug.cgi?id=183251
2503
2504         Reviewed by Konstantin Tokarev.
2505
2506         * CMakeLists.txt:
2507
2508 2018-03-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2509
2510         [WTF] Move currentCPUTime and sleep(Seconds) to CPUTime.h and Seconds.h respectively
2511         https://bugs.webkit.org/show_bug.cgi?id=183312
2512
2513         Reviewed by Mark Lam.
2514
2515         Remove wtf/CurrentTime.h include pragma.
2516
2517         * API/tests/ExecutionTimeLimitTest.cpp:
2518         (currentCPUTimeAsJSFunctionCallback):
2519         (testExecutionTimeLimit):
2520         * bytecode/SuperSampler.cpp:
2521         * dfg/DFGPlan.cpp:
2522         * heap/BlockDirectory.cpp:
2523         * heap/Heap.cpp:
2524         * heap/IncrementalSweeper.cpp:
2525         * inspector/agents/InspectorConsoleAgent.cpp:
2526         * inspector/agents/InspectorRuntimeAgent.cpp:
2527         * profiler/ProfilerDatabase.cpp:
2528         * runtime/CodeCache.h:
2529         * runtime/JSDateMath.cpp:
2530         * runtime/TypeProfilerLog.cpp:
2531         * runtime/VM.cpp:
2532         * runtime/Watchdog.cpp:
2533         (JSC::Watchdog::shouldTerminate):
2534         (JSC::Watchdog::startTimer):
2535         * testRegExp.cpp:
2536         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2537
2538 2018-03-04  Tim Horton  <timothy_horton@apple.com>
2539
2540         Make !ENABLE(DATA_DETECTION) iOS build actually succeed
2541         https://bugs.webkit.org/show_bug.cgi?id=183283
2542         <rdar://problem/38062148>
2543
2544         Reviewed by Sam Weinig.
2545
2546         * Configurations/FeatureDefines.xcconfig:
2547
2548 2018-03-02  Mark Lam  <mark.lam@apple.com>
2549
2550         Make the LLInt probe work for ARM64.
2551         https://bugs.webkit.org/show_bug.cgi?id=183298
2552         <rdar://problem/38077413>
2553
2554         Reviewed by Filip Pizlo.
2555
2556         * llint/LowLevelInterpreter.asm:
2557
2558 2018-03-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2559
2560         [JSC] Annotate more classes with WTF_MAKE_FAST_ALLOCATED
2561         https://bugs.webkit.org/show_bug.cgi?id=183279
2562
2563         Reviewed by JF Bastien.
2564
2565         * bytecode/BytecodeIntrinsicRegistry.h:
2566         * ftl/FTLThunks.h:
2567         * heap/CodeBlockSet.h:
2568         * heap/GCSegmentedArray.h:
2569         * heap/MachineStackMarker.h:
2570         * heap/MarkingConstraintSet.h:
2571
2572 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2573
2574         Remove monotonicallyIncreasingTime
2575         https://bugs.webkit.org/show_bug.cgi?id=182911
2576
2577         Reviewed by Michael Catanzaro.
2578
2579         * debugger/Debugger.cpp:
2580         (JSC::Debugger::willEvaluateScript):
2581         (JSC::Debugger::didEvaluateScript):
2582         * debugger/Debugger.h:
2583         * debugger/ScriptProfilingScope.h:
2584         * inspector/agents/InspectorDebuggerAgent.cpp:
2585         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2586         * inspector/agents/InspectorHeapAgent.cpp:
2587         (Inspector::InspectorHeapAgent::snapshot):
2588         (Inspector::InspectorHeapAgent::didGarbageCollect):
2589         (Inspector::InspectorHeapAgent::dispatchGarbageCollectedEvent):
2590         * inspector/agents/InspectorHeapAgent.h:
2591         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2592         (Inspector::InspectorScriptProfilerAgent::startTracking):
2593         (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
2594         (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
2595         (Inspector::InspectorScriptProfilerAgent::addEvent):
2596         (Inspector::buildSamples):
2597         * inspector/agents/InspectorScriptProfilerAgent.h:
2598         * runtime/SamplingProfiler.cpp:
2599         (JSC::SamplingProfiler::takeSample):
2600         * runtime/SamplingProfiler.h:
2601
2602 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2603
2604         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
2605         https://bugs.webkit.org/show_bug.cgi?id=183173
2606
2607         Reviewed by Saam Barati.
2608
2609         Classifier could propagate an error which does not occur at the first token
2610         of the given expression. We should check whether the given token is "async"
2611         instead of asserting it.
2612
2613         * parser/Parser.cpp:
2614         (JSC::Parser<LexerType>::parseAssignmentExpression):
2615
2616 2018-03-01  Saam Barati  <sbarati@apple.com>
2617
2618         We need to clear cached structures when having a bad time
2619         https://bugs.webkit.org/show_bug.cgi?id=183256
2620         <rdar://problem/36245022>
2621
2622         Reviewed by Mark Lam.
2623
2624         This patch makes both InternalFunctionAllocationProfile and the VM's
2625         structure cache having-a-bad-time aware. For InternalFunctionAllocationProfile,
2626         we clear them when they'd produce an object with a bad indexing type.
2627         For the VM's Structure cache, we conservatively clear the entire cache 
2628         since it may be housing Structures with bad indexing types.
2629
2630         * runtime/FunctionRareData.h:
2631         (JSC::FunctionRareData::clearInternalFunctionAllocationProfile):
2632         * runtime/JSGlobalObject.cpp:
2633         (JSC::JSGlobalObject::haveABadTime):
2634         * runtime/StructureCache.h:
2635         (JSC::StructureCache::clear):
2636
2637 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2638
2639         Unreviewed, fix exception check for ExceptionScope
2640         https://bugs.webkit.org/show_bug.cgi?id=183175
2641
2642         * jsc.cpp:
2643         (GlobalObject::moduleLoaderFetch):
2644
2645 2018-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
2646
2647         [ARM] Fix compile error in debug builds by invoking unpoisoned().
2648
2649         Reviewed by Mark Lam.
2650
2651         * assembler/MacroAssemblerCodeRef.h:
2652         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): Fix compile error.
2653         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress()): Ditto.
2654         (JSC::MacroAssemblerCodePtr::dataLocation()): Ditto.
2655         * yarr/YarrInterpreter.cpp:
2656         (JSC::Yarr::ByteCompiler::dumpDisjunction): use %zu for printf'ing size_t.
2657
2658 2018-02-28  JF Bastien  <jfbastien@apple.com>
2659
2660         GC should sweep code block before deleting
2661         https://bugs.webkit.org/show_bug.cgi?id=183229
2662         <rdar://problem/32767615>
2663
2664         Reviewed by Saam Barati, Fil Pizlo.
2665
2666         Stub routines shouldn't get deleted before codeblocks have been
2667         swept, otherwise there's a small race window where the codeblock
2668         thinks it's still reachable.
2669
2670         * heap/Heap.cpp:
2671         (JSC::Heap::deleteUnmarkedCompiledCode):
2672         (JSC::Heap::sweepInFinalize):
2673
2674 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2675
2676         JSC crash with `import("")`
2677         https://bugs.webkit.org/show_bug.cgi?id=183175
2678
2679         Reviewed by Saam Barati.
2680
2681         Add file existence and file type check for module loader implementation in jsc.cpp.
2682         This is not safe for TOCTOU, but it is OK since this functionality is used for the
2683         JSC shell (jsc.cpp): testing purpose.
2684
2685         * jsc.cpp:
2686         (fillBufferWithContentsOfFile):
2687         (fetchModuleFromLocalFileSystem):
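
        The check described above is path-based and, as the entry says, not TOCTOU-safe. As an added
        example that is not jsc.cpp's implementation: the same existence and file-type check done on the
        opened descriptor with fstat, so the file that is validated is the file that is read.
        fetchModuleFromLocalFileSystem here is a hypothetical stand-in with its own signature, and the
        temporary-file round trip under /tmp is constructed input for the self-check.

```cpp
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cerrno>
#include <cstddef>
#include <cstdlib>
#include <string>
#include <vector>

// Added example, not jsc.cpp's implementation. The existence and type checks run on the
// descriptor that is subsequently read (fstat after open), so no path swap between check
// and use can substitute a directory, device or missing file for the module. Returns false
// for the empty specifier that `import("")` yields, for anything that is not a regular
// file, and on any I/O error.
bool fetchModuleFromLocalFileSystem(const std::string& path, std::string& contents)
{
    if (path.empty())
        return false;

    int fd = ::open(path.c_str(), O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return false;

    struct stat st;
    bool ok = ::fstat(fd, &st) == 0 && S_ISREG(st.st_mode);
    if (ok) {
        contents.clear();
        std::vector<char> buffer(4096);
        for (;;) {
            ssize_t n = ::read(fd, buffer.data(), buffer.size());
            if (n < 0) {
                if (errno == EINTR)
                    continue;
                ok = false;
                break;
            }
            if (n == 0)
                break;
            contents.append(buffer.data(), static_cast<std::size_t>(n));
        }
    }
    ::close(fd);
    return ok;
}

// True when the loader refuses `path` (empty, missing, or not a regular file).
bool rejectsPath(const char* path)
{
    std::string contents;
    return !fetchModuleFromLocalFileSystem(path, contents);
}

// Round trip through a temporary file created with mkstemp (constructed input).
bool roundTripsTemporaryModule()
{
    char name[] = "/tmp/module-XXXXXX";
    int fd = ::mkstemp(name);
    if (fd < 0)
        return false;
    const std::string source = "export default 42;\n";
    bool written = ::write(fd, source.data(), source.size()) == static_cast<ssize_t>(source.size());
    ::close(fd);

    std::string contents;
    bool fetched = written && fetchModuleFromLocalFileSystem(name, contents);
    ::unlink(name);
    return fetched && contents == source;
}
```

        Checking the descriptor rather than the path costs nothing extra and removes the window
        entirely, which matters as soon as the same loader is reused anywhere other than a test shell.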
2688
2689 2018-02-27  Keith Miller  <keith_miller@apple.com>
2690
2691         Replace TrustedImmPtr(0) with TrustedImmPtr(nullptr)
2692         https://bugs.webkit.org/show_bug.cgi?id=183195
2693
2694         Reviewed by Mark Lam.
2695
2696         * assembler/AbstractMacroAssembler.h:
2697         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
2698         * assembler/MacroAssembler.h:
2699         (JSC::MacroAssembler::patchableBranchPtr):
2700         (JSC::MacroAssembler::patchableBranchPtrWithPatch):
2701         * assembler/MacroAssemblerARM.h:
2702         (JSC::MacroAssemblerARM::branchPtrWithPatch):
2703         (JSC::MacroAssemblerARM::storePtrWithPatch):
2704         * assembler/MacroAssemblerARM64.h:
2705         (JSC::MacroAssemblerARM64::call):
2706         (JSC::MacroAssemblerARM64::tailRecursiveCall):
2707         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
2708         (JSC::MacroAssemblerARM64::patchableBranchPtrWithPatch):
2709         (JSC::MacroAssemblerARM64::storePtrWithPatch):
2710         * assembler/MacroAssemblerARMv7.h:
2711         (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
2712         (JSC::MacroAssemblerARMv7::patchableBranchPtr):
2713         (JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch):
2714         (JSC::MacroAssemblerARMv7::storePtrWithPatch):
2715         * assembler/MacroAssemblerMIPS.h:
2716         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
2717         (JSC::MacroAssemblerMIPS::storePtrWithPatch):
2718         * assembler/MacroAssemblerX86.h:
2719         (JSC::MacroAssemblerX86::branchPtrWithPatch):
2720         * assembler/MacroAssemblerX86_64.h:
2721         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
2722         (JSC::MacroAssemblerX86_64::call):
2723         (JSC::MacroAssemblerX86_64::tailRecursiveCall):
2724         (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
2725         (JSC::MacroAssemblerX86_64::branchPtrWithPatch):
2726         * bytecode/AccessCase.cpp:
2727         (JSC::AccessCase::generateImpl):
2728         * dfg/DFGSpeculativeJIT.cpp:
2729         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2730         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
2731         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2732         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2733         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2734         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2735         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2736         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2737         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2738         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2739         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
2740         * dfg/DFGSpeculativeJIT.h:
2741         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
2742         * dfg/DFGSpeculativeJIT32_64.cpp:
2743         (JSC::DFG::SpeculativeJIT::compile):
2744         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2745         * dfg/DFGSpeculativeJIT64.cpp:
2746         (JSC::DFG::SpeculativeJIT::emitCall):
2747         (JSC::DFG::SpeculativeJIT::compile):
2748         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2749         * dfg/DFGThunks.cpp:
2750         (JSC::DFG::osrExitGenerationThunkGenerator):
2751         * ftl/FTLLowerDFGToB3.cpp:
2752         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2753         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2754         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2755         * ftl/FTLThunks.cpp:
2756         (JSC::FTL::genericGenerationThunkGenerator):
2757         * jit/AssemblyHelpers.cpp:
2758         (JSC::AssemblyHelpers::debugCall):
2759         (JSC::AssemblyHelpers::sanitizeStackInline):
2760         * jit/IntrinsicEmitter.cpp:
2761         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
2762         * jit/JITCall.cpp:
2763         (JSC::JIT::compileOpCall):
2764         * jit/JITCall32_64.cpp:
2765         (JSC::JIT::compileOpCall):
2766         * jit/ScratchRegisterAllocator.cpp:
2767         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2768         * wasm/js/WasmToJS.cpp:
2769         (JSC::Wasm::wasmToJS):
2770         * yarr/YarrJIT.cpp:
2771         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
2772         (JSC::Yarr::YarrGenerator::storeToFrameWithPatch):
2773         (JSC::Yarr::YarrGenerator::generate):
2774
2775 2018-02-26  Mark Lam  <mark.lam@apple.com>
2776
2777         Modernize FINALIZE_CODE and peer macros to use __VA_ARGS__ arguments.
2778         https://bugs.webkit.org/show_bug.cgi?id=183159
2779         <rdar://problem/37930837>
2780
2781         Reviewed by Keith Miller.
2782
2783         * assembler/LinkBuffer.h:
2784         * assembler/testmasm.cpp:
2785         (JSC::compile):
2786         * b3/B3Compile.cpp:
2787         (JSC::B3::compile):
2788         * b3/air/testair.cpp:
2789         * b3/testb3.cpp:
2790         (JSC::B3::testEntrySwitchSimple):
2791         (JSC::B3::testEntrySwitchNoEntrySwitch):
2792         (JSC::B3::testEntrySwitchWithCommonPaths):
2793         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
2794         (JSC::B3::testEntrySwitchLoop):
2795         * bytecode/InlineAccess.cpp:
2796         (JSC::linkCodeInline):
2797         (JSC::InlineAccess::rewireStubAsJump):
2798         * bytecode/PolymorphicAccess.cpp:
2799         (JSC::PolymorphicAccess::regenerate):
2800         * dfg/DFGJITFinalizer.cpp:
2801         (JSC::DFG::JITFinalizer::finalize):
2802         (JSC::DFG::JITFinalizer::finalizeFunction):
2803         * dfg/DFGOSRExit.cpp:
2804         (JSC::DFG::OSRExit::compileOSRExit):
2805         * dfg/DFGThunks.cpp:
2806         (JSC::DFG::osrExitThunkGenerator):
2807         (JSC::DFG::osrExitGenerationThunkGenerator):
2808         (JSC::DFG::osrEntryThunkGenerator):
2809         * ftl/FTLJITFinalizer.cpp:
2810         (JSC::FTL::JITFinalizer::finalizeCommon):
2811         * ftl/FTLLazySlowPath.cpp:
2812         (JSC::FTL::LazySlowPath::generate):
2813         * ftl/FTLOSRExitCompiler.cpp:
2814         (JSC::FTL::compileStub):
2815         * ftl/FTLThunks.cpp:
2816         (JSC::FTL::genericGenerationThunkGenerator):
2817         (JSC::FTL::slowPathCallThunkGenerator):
2818         * jit/ExecutableAllocator.cpp:
2819         * jit/JIT.cpp:
2820         (JSC::JIT::link):
2821         * jit/JITMathIC.h:
2822         (JSC::isProfileEmpty):
2823         * jit/JITOpcodes.cpp:
2824         (JSC::JIT::privateCompileHasIndexedProperty):
2825         * jit/JITOpcodes32_64.cpp:
2826         (JSC::JIT::privateCompileHasIndexedProperty):
2827         * jit/JITPropertyAccess.cpp:
2828         (JSC::JIT::stringGetByValStubGenerator):
2829         (JSC::JIT::privateCompileGetByVal):
2830         (JSC::JIT::privateCompileGetByValWithCachedId):
2831         (JSC::JIT::privateCompilePutByVal):
2832         (JSC::JIT::privateCompilePutByValWithCachedId):
2833         * jit/JITPropertyAccess32_64.cpp:
2834         (JSC::JIT::stringGetByValStubGenerator):
2835         * jit/JITStubRoutine.h:
2836         * jit/Repatch.cpp:
2837         (JSC::linkPolymorphicCall):
2838         * jit/SpecializedThunkJIT.h:
2839         (JSC::SpecializedThunkJIT::finalize):
2840         * jit/ThunkGenerators.cpp:
2841         (JSC::throwExceptionFromCallSlowPathGenerator):
2842         (JSC::linkCallThunkGenerator):
2843         (JSC::linkPolymorphicCallThunkGenerator):
2844         (JSC::virtualThunkFor):
2845         (JSC::nativeForGenerator):
2846         (JSC::arityFixupGenerator):
2847         (JSC::unreachableGenerator):
2848         (JSC::boundThisNoArgsFunctionCallGenerator):
2849         * llint/LLIntThunks.cpp:
2850         (JSC::LLInt::generateThunkWithJumpTo):
2851         * wasm/WasmBBQPlan.cpp:
2852         (JSC::Wasm::BBQPlan::complete):
2853         * wasm/WasmBinding.cpp:
2854         (JSC::Wasm::wasmToWasm):
2855         * wasm/WasmOMGPlan.cpp:
2856         (JSC::Wasm::OMGPlan::work):
2857         * wasm/WasmThunks.cpp:
2858         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2859         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2860         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2861         * wasm/js/WasmToJS.cpp:
2862         (JSC::Wasm::handleBadI64Use):
2863         (JSC::Wasm::wasmToJS):
2864         * yarr/YarrJIT.cpp:
2865         (JSC::Yarr::YarrGenerator::compile):
2866
2867 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2868
2869         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
2870         https://bugs.webkit.org/show_bug.cgi?id=182965
2871
2872         Reviewed by Saam Barati.
2873
2874         This patch extends FTL coverage for PutByVal by adding ArrayStorage and SlowPutArrayStorage support.
2875         Basically, a large part of the patch is ported from DFG code. Since PutByVal already emits CheckInBounds
2876         for the InBounds case, we do not have an OutOfBounds check for that case.
2877         This is the last change for FTL to support all the types of DFG nodes except for CreateThis.
2878
2879         * dfg/DFGOperations.cpp:
2880         * dfg/DFGOperations.h:
2881         * dfg/DFGSpeculativeJIT.cpp:
2882         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2883         * dfg/DFGSpeculativeJIT64.cpp:
2884         (JSC::DFG::SpeculativeJIT::compile):
2885         * ftl/FTLCapabilities.cpp:
2886         (JSC::FTL::canCompile):
2887         * ftl/FTLLowerDFGToB3.cpp:
2888         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2889         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
2890         For consistency, we use operationPutByValXXX and operationPutByValDirectXXX.
2891         But except for the SlowPutArrayStorage case, it is basically meaningless since
2892         we do not have indexed accessors.
2893
2894 2018-02-26  Saam Barati  <sbarati@apple.com>
2895
2896         validateStackAccess should not validate if the offset is within the stack bounds
2897         https://bugs.webkit.org/show_bug.cgi?id=183067
2898         <rdar://problem/37749988>
2899
2900         Reviewed by Mark Lam.
2901
2902         The validation rule was saying that any load from the stack must be
2903         within the stack bounds of the frame. However, it's natural for a user
2904         of B3 to emit code that may be outside of B3's stack bounds, but guard
2905         such a load with a branch. The FTL does exactly this with GetMyArgumentByVal.
2906         B3 is wrong to assert that this is a static property about all stack loads.
2907
2908         * b3/B3Validate.cpp:
2909
2910 2018-02-23  Saam Barati  <sbarati@apple.com>
2911
2912         Make Number.isInteger an intrinsic
2913         https://bugs.webkit.org/show_bug.cgi?id=183088
2914
2915         Reviewed by JF Bastien.
2916
2917         When profiling the ML subtest in ARES, I noticed it was spending some
2918         time in Number.isInteger. This patch makes that operation an intrinsic
2919         in the DFG/FTL. It might be a speedup by 1% or so on that subtest, but
2920         it's likely not an aggregate speedup on ARES. However, it is definitely
2921         faster than calling into a builtin function, so we might as well have
2922         it as an intrinsic.
2923
2924         * dfg/DFGAbstractInterpreterInlines.h:
2925         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2926         * dfg/DFGByteCodeParser.cpp:
2927         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2928         * dfg/DFGClobberize.h:
2929         (JSC::DFG::clobberize):
2930         * dfg/DFGDoesGC.cpp:
2931         (JSC::DFG::doesGC):
2932         * dfg/DFGFixupPhase.cpp:
2933         (JSC::DFG::FixupPhase::fixupNode):
2934         * dfg/DFGNodeType.h:
2935         * dfg/DFGOperations.cpp:
2936         * dfg/DFGOperations.h:
2937         * dfg/DFGPredictionPropagationPhase.cpp:
2938         * dfg/DFGSafeToExecute.h:
2939         (JSC::DFG::safeToExecute):
2940         * dfg/DFGSpeculativeJIT32_64.cpp:
2941         (JSC::DFG::SpeculativeJIT::compile):
2942         * dfg/DFGSpeculativeJIT64.cpp:
2943         (JSC::DFG::SpeculativeJIT::compile):
2944         * ftl/FTLCapabilities.cpp:
2945         (JSC::FTL::canCompile):
2946         * ftl/FTLLowerDFGToB3.cpp:
2947         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2948         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
2949         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
2950         * runtime/Intrinsic.cpp:
2951         (JSC::intrinsicName):
2952         * runtime/Intrinsic.h:
2953         * runtime/NumberConstructor.cpp:
2954         (JSC::NumberConstructor::finishCreation):
2955         (JSC::numberConstructorFuncIsInteger):
2956         * runtime/NumberConstructor.h:
2957         (JSC::NumberConstructor::isIntegerImpl):
2958
2959 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
2960
2961         WebAssembly: cache memory address / size on instance
2962         https://bugs.webkit.org/show_bug.cgi?id=177305
2963
2964         Reviewed by JF Bastien.
2965
2966         Cache the memory address/size in Wasm::Instance to avoid loading the Wasm::Memory
2967         object during accesses to memory and the memory size property in the JIT.
2968
2969         * wasm/WasmB3IRGenerator.cpp:
2970         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2971         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
2972         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2973         * wasm/WasmBinding.cpp:
2974         (JSC::Wasm::wasmToWasm):
2975         * wasm/WasmInstance.h:
2976         (JSC::Wasm::Instance::cachedMemory const):
2977         (JSC::Wasm::Instance::cachedMemorySize const):
2978         (JSC::Wasm::Instance::createWeakPtr):
2979         (JSC::Wasm::Instance::setMemory):
2980         (JSC::Wasm::Instance::updateCachedMemory):
2981         (JSC::Wasm::Instance::offsetOfCachedMemory):
2982         (JSC::Wasm::Instance::offsetOfCachedMemorySize):
2983         (JSC::Wasm::Instance::offsetOfCachedIndexingMask):
2984         (JSC::Wasm::Instance::allocationSize):
2985         * wasm/WasmMemory.cpp:
2986         (JSC::Wasm::Memory::grow):
2987         (JSC::Wasm::Memory::registerInstance):
2988         * wasm/WasmMemory.h:
2989         (JSC::Wasm::Memory::indexingMask):
2990         * wasm/js/JSToWasm.cpp:
2991         (JSC::Wasm::createJSToWasmWrapper):
2992         * wasm/js/WebAssemblyModuleRecord.cpp:
2993         (JSC::WebAssemblyModuleRecord::evaluate):
2994
2995 2018-02-23  Saam Barati  <sbarati@apple.com>
2996
2997         ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert
2998         https://bugs.webkit.org/show_bug.cgi?id=182982
2999
3000         Reviewed by Yusuke Suzuki.
3001
3002         I don't know why this check was not always an assert. When we see
3003         a GetByOffset on an eliminated allocation, that allocation *must*
3004         be a PhantomClonedArguments. If it weren't, the GetByOffset would
3005         have escaped it. Because this transformation happens by visiting
3006         blocks in pre-order, and by visiting nodes in a block starting from
3007         index zero to index block->size() - 1, we're guaranteed that eliminated
3008         allocations get transformed before users of it, since we visit nodes
3009         in dominator order.
3010
3011         * dfg/DFGArgumentsEliminationPhase.cpp:
3012
3013 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3014
3015         [JSC] Implement $vm.ftlTrue function for FTL testing
3016         https://bugs.webkit.org/show_bug.cgi?id=183071
3017
3018         Reviewed by Mark Lam.
3019
3020         Add $vm.ftlTrue, which becomes true if the caller is compiled in FTL.
3021         This is useful for testing whether the caller function is compiled in FTL.
3022
3023         We also remove the duplicate DFGTrue function in jsc.cpp. We have $vm.dfgTrue.
3024
3025         * dfg/DFGByteCodeParser.cpp:
3026         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3027         * jsc.cpp:
3028         (GlobalObject::finishCreation):
3029         (functionFalse1):
3030         (functionFalse2): Deleted.
3031         * runtime/Intrinsic.cpp:
3032         (JSC::intrinsicName):
3033         * runtime/Intrinsic.h:
3034         * tools/JSDollarVM.cpp:
3035         (JSC::functionFTLTrue):
3036         (JSC::JSDollarVM::finishCreation):
3037
3038 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3039
3040         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
3041         https://bugs.webkit.org/show_bug.cgi?id=182792
3042
3043         Reviewed by Mark Lam.
3044
3045         This patch adds HasIndexedProperty for ArrayStorage and SlowPutArrayStorage in FTL.
3046         HasIndexedProperty with ArrayStorage frequently causes FTL compilation failures
3047         in web-tooling-benchmarks.
3048
3049         * ftl/FTLCapabilities.cpp:
3050         (JSC::FTL::canCompile):
3051         * ftl/FTLLowerDFGToB3.cpp:
3052         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
3053
3054 2018-02-22  Mark Lam  <mark.lam@apple.com>
3055
3056         Refactor MacroAssembler code to improve reuse and extensibility.
3057         https://bugs.webkit.org/show_bug.cgi?id=183054
3058         <rdar://problem/37797337>
3059
3060         Reviewed by Saam Barati.
3061
3062         * assembler/ARM64Assembler.h:
3063         * assembler/MacroAssembler.cpp:
3064         * assembler/MacroAssembler.h:
3065         * assembler/MacroAssemblerARM.h:
3066         * assembler/MacroAssemblerARM64.h:
3067         (JSC::MacroAssemblerARM64::canCompact):
3068         (JSC::MacroAssemblerARM64::computeJumpType):
3069         (JSC::MacroAssemblerARM64::jumpSizeDelta):
3070         (JSC::MacroAssemblerARM64::link):
3071         (JSC::MacroAssemblerARM64::load64):
3072         (JSC::MacroAssemblerARM64::load64WithAddressOffsetPatch):
3073         (JSC::MacroAssemblerARM64::load32):
3074         (JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
3075         (JSC::MacroAssemblerARM64::load16):
3076         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
3077         (JSC::MacroAssemblerARM64::load8):
3078         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
3079         (JSC::MacroAssemblerARM64::store64):
3080         (JSC::MacroAssemblerARM64::store64WithAddressOffsetPatch):
3081         (JSC::MacroAssemblerARM64::store32):
3082         (JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
3083         (JSC::MacroAssemblerARM64::store16):
3084         (JSC::MacroAssemblerARM64::store8):
3085         (JSC::MacroAssemblerARM64::getEffectiveAddress):
3086         (JSC::MacroAssemblerARM64::branchDoubleNonZero):
3087         (JSC::MacroAssemblerARM64::branchDoubleZeroOrNaN):
3088         (JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
3089         (JSC::MacroAssemblerARM64::loadDouble):
3090         (JSC::MacroAssemblerARM64::loadFloat):
3091         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
3092         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
3093         (JSC::MacroAssemblerARM64::storeDouble):
3094         (JSC::MacroAssemblerARM64::storeFloat):
3095         (JSC::MacroAssemblerARM64::call):
3096         (JSC::MacroAssemblerARM64::jump):
3097         (JSC::MacroAssemblerARM64::tailRecursiveCall):
3098         (JSC::MacroAssemblerARM64::setCarry):
3099         (JSC::MacroAssemblerARM64::reemitInitialMoveWithPatch):
3100         (JSC::MacroAssemblerARM64::isBreakpoint):
3101         (JSC::MacroAssemblerARM64::invert):
3102         (JSC::MacroAssemblerARM64::readCallTarget):
3103         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
3104         (JSC::MacroAssemblerARM64::replaceWithJump):
3105         (JSC::MacroAssemblerARM64::maxJumpReplacementSize):
3106         (JSC::MacroAssemblerARM64::patchableJumpSize):
3107         (JSC::MacroAssemblerARM64::repatchCall):
3108         (JSC::MacroAssemblerARM64::makeBranch):
3109         (JSC::MacroAssemblerARM64::makeCompareAndBranch):
3110         (JSC::MacroAssemblerARM64::makeTestBitAndBranch):
3111         (JSC::MacroAssemblerARM64::ARM64Condition):
3112         (JSC::MacroAssemblerARM64::moveWithFixedWidth):
3113         (JSC::MacroAssemblerARM64::load):
3114         (JSC::MacroAssemblerARM64::store):
3115         (JSC::MacroAssemblerARM64::tryLoadWithOffset):
3116         (JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
3117         (JSC::MacroAssemblerARM64::tryStoreWithOffset):
3118         (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
3119         (JSC::MacroAssemblerARM64::linkCall):
3120         * assembler/MacroAssemblerARMv7.h:
3121         * assembler/MacroAssemblerMIPS.h:
3122         * assembler/MacroAssemblerX86Common.h:
3123         * assembler/ProbeStack.h:
3124         - Removed a forward declaration of an obsolete class.
3125
3126 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3127
3128         Remove sleep(double) and sleepMS(double) interfaces
3129         https://bugs.webkit.org/show_bug.cgi?id=183038
3130
3131         Reviewed by Mark Lam.
3132
3133         * bytecode/SuperSampler.cpp:
3134         (JSC::initializeSuperSampler):
3135
3136 2018-02-21  Don Olmstead  <don.olmstead@sony.com>
3137
3138         [CMake] Split declaration of JSC headers into public and private
3139         https://bugs.webkit.org/show_bug.cgi?id=182980
3140
3141         Reviewed by Michael Catanzaro.
3142
3143         * CMakeLists.txt:
3144         * PlatformGTK.cmake:
3145         * PlatformMac.cmake:
3146         * PlatformWPE.cmake:
3147         * PlatformWin.cmake:
3148
3149 2018-02-20  Saam Barati  <sbarati@apple.com>
3150
3151         DFG::VarargsForwardingPhase should eliminate getting argument length
3152         https://bugs.webkit.org/show_bug.cgi?id=182959
3153
3154         Reviewed by Keith Miller.
3155
3156         This patch teaches the DFG VarargsForwardingPhase to not treat
3157         length accesses on Cloned/Direct Arguments objects as escapes.
3158         It teaches this phase to materialize the length in the same
3159         way the ArgumentsEliminationPhase does.
3160
3161         This is around a 0.5-1% speedup on ARES6 on my iMac. It speeds
3162         up the ML subtest by 2-4%.
3163
3164         This patch also extends compileGetArgumentCountIncludingThis to take
3165         a parameter that is the inline call frame to load from (in the case
3166         where the inline call frame is a varargs frame). This allows the
3167         emitCodeToGetArgumentsArrayLength helper function to just emit
3168         a GetArgumentCountIncludingThis node instead of a GetLocal. If we
3169         emitted a GetLocal, we'd need to rerun CPS rethreading.
3170
3171         * dfg/DFGArgumentsEliminationPhase.cpp:
3172         * dfg/DFGArgumentsUtilities.cpp:
3173         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3174         * dfg/DFGByteCodeParser.cpp:
3175         (JSC::DFG::ByteCodeParser::getArgumentCount):
3176         * dfg/DFGClobberize.h:
3177         (JSC::DFG::clobberize):
3178         * dfg/DFGNode.h:
3179         (JSC::DFG::Node::argumentsInlineCallFrame):
3180         * dfg/DFGSpeculativeJIT.cpp:
3181         (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
3182         * dfg/DFGVarargsForwardingPhase.cpp:
3183         * ftl/FTLLowerDFGToB3.cpp:
3184         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis):
3185
3186 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3187
3188         [FTL] Support ArrayPush for ArrayStorage
3189         https://bugs.webkit.org/show_bug.cgi?id=182782
3190
3191         Reviewed by Saam Barati.
3192
3193         This patch adds support for ArrayPush(ArrayStorage). We just port ArrayPush(ArrayStorage) in DFG to FTL.
3194
3195         * ftl/FTLAbstractHeapRepository.h:
3196         * ftl/FTLCapabilities.cpp:
3197         (JSC::FTL::canCompile):
3198         * ftl/FTLLowerDFGToB3.cpp:
3199         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
3200
3201 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3202
3203         [FTL] Support ArrayPop for ArrayStorage
3204         https://bugs.webkit.org/show_bug.cgi?id=182783
3205
3206         Reviewed by Saam Barati.
3207
3208         This patch adds ArrayPop(ArrayStorage) support to FTL. We port the implementation in DFG to FTL.
3209
3210         * ftl/FTLAbstractHeapRepository.h:
3211         * ftl/FTLCapabilities.cpp:
3212         (JSC::FTL::canCompile):
3213         * ftl/FTLLowerDFGToB3.cpp:
3214         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
3215
3216 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3217
3218         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
3219         https://bugs.webkit.org/show_bug.cgi?id=182731
3220
3221         Reviewed by Saam Barati.
3222
3223         This patch adds support for Arrayify(ArrayStorage/SlowPutArrayStorage) to FTL.
3224         Due to the ArrayifyToStructure and CheckArray changes, the necessary changes for
3225         supporting Arrayify in FTL are already done. Just allowing it in FTLCapabilities.cpp
3226         is enough.
3227
3228         We fix FTL's CheckArray logic. Previously, CheckArray(SlowPutArrayStorage) did not pass
3229         ArrayStorage in FTL. Now it passes it, as the DFG does. Moreover, we fix the DFG's CheckArray
3230         where CheckArray(ArrayStorage+NonArray) could pass ArrayStorage+Array.
3231
3232         * dfg/DFGSpeculativeJIT.cpp:
3233         (JSC::DFG::SpeculativeJIT::silentFill):
3234         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
3235         * dfg/DFGSpeculativeJIT.h:
3236         * ftl/FTLCapabilities.cpp:
3237         (JSC::FTL::canCompile):
3238         * ftl/FTLLowerDFGToB3.cpp:
3239         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
3240
3241 2018-02-19  Saam Barati  <sbarati@apple.com>
3242
3243         Don't use JSFunction's allocation profile when getting the prototype can be effectful
3244         https://bugs.webkit.org/show_bug.cgi?id=182942
3245         <rdar://problem/37584764>
3246
3247         Reviewed by Mark Lam.
3248
3249         Prior to this patch, the create_this implementation assumed that anything
3250         that is a JSFunction can use the object allocation profile and go down the
3251         fast path to allocate the |this| object. Implied by this approach is that
3252         accessing the 'prototype' property of the incoming function is not an
3253         effectful operation. This is inherent to the ObjectAllocationProfile
3254         data structure: it caches the prototype field. However, getting the
3255         'prototype' property might be an effectful operation, e.g., it could
3256         be a getter. Many variants of functions in JS have the 'prototype' property
3257         as non-configurable. However, some functions, like bound functions, do not
3258         have the 'prototype' field with these attributes.
3259
3260         This patch adds the notion of 'canUseAllocationProfile' to JSFunction
3261         and threads it through so that we only go down the fast path and use
3262         the allocation profile when the prototype property is non-configurable.
3263
3264         * bytecompiler/NodesCodegen.cpp:
3265         (JSC::ClassExprNode::emitBytecode):
3266         * dfg/DFGOperations.cpp:
3267         * runtime/CommonSlowPaths.cpp:
3268         (JSC::SLOW_PATH_DECL):
3269         * runtime/JSFunction.cpp:
3270         (JSC::JSFunction::prototypeForConstruction):
3271         (JSC::JSFunction::allocateAndInitializeRareData):
3272         (JSC::JSFunction::initializeRareData):
3273         (JSC::JSFunction::getOwnPropertySlot):
3274         (JSC::JSFunction::canUseAllocationProfileNonInline):
3275         * runtime/JSFunction.h:
3276         (JSC::JSFunction::ensureRareDataAndAllocationProfile):
3277         * runtime/JSFunctionInlines.h:
3278         (JSC::JSFunction::canUseAllocationProfile):
3279
3280 2018-02-19  Saam Barati  <sbarati@apple.com>
3281
3282         Don't mark an array profile out of bounds for the cases where the DFG will convert the access to SaneChain
3283         https://bugs.webkit.org/show_bug.cgi?id=182912
3284         <rdar://problem/37685083>
3285
3286         Reviewed by Keith Miller.
3287
3288         In the baseline JIT and LLInt, when we load a hole from an original array
3289         whose prototype chain is normal, we end up marking the ArrayProfile
3290         for that GetByVal as out of bounds. However, the DFG knows exactly how to
3291         optimize this case by returning undefined when loading from a hole. Currently,
3292         it only does this for Contiguous arrays (and sometimes Double arrays).
3293         This patch just makes sure to not mark the ArrayProfile as out of bounds
3294         in this scenario for Contiguous arrays, since the DFG will always optimize
3295         this case.
3296
3297         However, we should extend this by profiling when a GetByVal loads a hole. By
3298         doing so, we can optimize this for Int32, ArrayStorage, and maybe even Double
3299         arrays. That work will happen in:
3300         https://bugs.webkit.org/show_bug.cgi?id=182940
3301
3302         This patch is a 30-50% speedup on JetStream's hash-map test. This patch
3303         speeds up JetStream by 1% when testing on my iMac.
3304
3305         * dfg/DFGArrayMode.cpp:
3306         (JSC::DFG::ArrayMode::refine const):
3307         * dfg/DFGFixupPhase.cpp:
3308         (JSC::DFG::FixupPhase::fixupNode):
3309         * jit/JITOperations.cpp:
3310         (JSC::getByVal):
3311         (JSC::canAccessArgumentIndexQuickly): Deleted.
3312         * llint/LLIntSlowPaths.cpp:
3313         (JSC::LLInt::getByVal):
3314         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3315         * llint/LowLevelInterpreter32_64.asm:
3316         * llint/LowLevelInterpreter64.asm:
3317         * runtime/CommonSlowPaths.h:
3318         (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
3319
3320 2018-02-17  Filip Pizlo  <fpizlo@apple.com>
3321
3322         GetArrayMask should support constant folding
3323         https://bugs.webkit.org/show_bug.cgi?id=182907
3324
3325         Reviewed by Saam Barati.
3326
3327         Implement constant folding for GetArrayMask. This revealed a bug in tryGetFoldableView, where it was
3328         ignoring the result of a jsDynamicCast<>(). This wasn't a bug before because it would have been
3329         impossible for that function to get called with a non-null value if the value was not an array view,
3330         due to type filtering in CheckArray, the fact that CheckArray had to dominate GetArrayLength, and
3331         the fact that the other tryGetFoldableView overload made sure that the array mode was some typed
3332         array.
3333
3334         This isn't a measurable progression, but it does save a register in the codegen for typed array
3335         accesses. Hopefully these improvements add up.
3336
3337         * assembler/AssemblerBuffer.h:
3338         * dfg/DFGAbstractInterpreterInlines.h:
3339         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3340         * dfg/DFGGraph.cpp:
3341         (JSC::DFG::Graph::tryGetFoldableView):
3342
3343 2018-02-18  Dominik Inführ  <dominik.infuehr@gmail.com>
3344
3345         Offlineasm/MIPS: immediates need to be within 16-bit signed values
3346         https://bugs.webkit.org/show_bug.cgi?id=182890
3347
3348         Reviewed by Michael Catanzaro.
3349
3350         In Sequence.getModifiedListMIPS(), we allow immediate values within
3351         the range -0xffff..0xffff for immediates (addresses and other
3352         immediates), but then in Immediate.mipsOperand() and
3353         Address.mipsOperand() we raise if immediate values are not within
3354         -0x7fff..0x7fff. This is inconsistent, and broke compilation on MIPS
3355         since r228552 made the VM structure bigger, meaning we address values
3356         with bigger offsets in LLInt. This change restricts the allowed range,
3357         so that a separate load of the value is done for values outside of
3358         that range.
3359
3360         * offlineasm/mips.rb:
3361
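The entry above is about two passes disagreeing on which immediates are encodable: one pass accepted -0xffff..0xffff, the encoder only -0x7fff..0x7fff, and offsets in between reached the encoder and raised. The following is an added C++ model, not WebKit's offlineasm (which is Ruby): it uses the two ranges quoted in the entry, exposes the inconsistent gap as a predicate, and lowers a base+offset load so that offsets outside the direct range are first materialised in a scratch register, which is the "separate load" the fix introduces. The register names, the scratch choice and the lowering function are assumptions of this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Ranges quoted in the entry: what Sequence.getModifiedListMIPS() used to
// accept versus what mipsOperand() would encode without raising.
constexpr int64_t kOldSequenceLimit = 0xffff;
constexpr int64_t kDirectImmediateLimit = 0x7fff;

bool oldSequenceAccepted(int64_t value)
{
    return value >= -kOldSequenceLimit && value <= kOldSequenceLimit;
}

bool fitsDirectImmediate(int64_t value)
{
    return value >= -kDirectImmediateLimit && value <= kDirectImmediateLimit;
}

// The gap the entry describes: immediates the sequence pass let through but
// the operand encoder refused, such as a VM field offset just above 0x7fff.
bool fallsInInconsistentGap(int64_t value)
{
    return oldSequenceAccepted(value) && !fitsDirectImmediate(value);
}

// Lower "load word from base + offset" to MIPS32 assembly text. Offsets in
// the direct range use the 16-bit displacement field; anything else is built
// in a scratch register with lui/ori and added to the base first.
std::vector<std::string> lowerLoadWord(const std::string& dst, const std::string& base,
                                       int64_t offset, const std::string& scratch = "$t9")
{
    std::vector<std::string> out;
    if (fitsDirectImmediate(offset)) {
        out.push_back("lw " + dst + ", " + std::to_string(offset) + "(" + base + ")");
        return out;
    }
    if (offset < INT32_MIN || offset > INT32_MAX)
        throw std::out_of_range("offset does not fit a 32-bit MIPS register");
    // Two's-complement bit pattern of the 32-bit offset, split into halves.
    uint32_t bits = static_cast<uint32_t>(static_cast<int32_t>(offset));
    uint32_t hi = bits >> 16;
    uint32_t lo = bits & 0xffffu;
    out.push_back("lui " + scratch + ", " + std::to_string(hi));
    if (lo)
        out.push_back("ori " + scratch + ", " + scratch + ", " + std::to_string(lo));
    out.push_back("addu " + scratch + ", " + base + ", " + scratch);
    out.push_back("lw " + dst + ", 0(" + scratch + ")");
    return out;
}

int main()
{
    // Constructed sample: a small offset and one from the inconsistent gap.
    for (int64_t offset : {int64_t(16), int64_t(0x9000)}) {
        std::printf("offset 0x%llx (gap: %d):\n", static_cast<long long>(offset),
                    fallsInInconsistentGap(offset));
        for (const std::string& line : lowerLoadWord("$v0", "$a0", offset))
            std::printf("    %s\n", line.c_str());
    }
    return 0;
}
```

The predicate makes the bug visible as data: any offset for which fallsInInconsistentGap is true compiled fine before the VM structure grew and started raising afterwards; the fix is to make the first pass use the encoder's range so those offsets take the scratch-register path instead.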
2018-02-17  Darin Adler  <darin@apple.com>

        Web Inspector: get rid of remaining uses of OptOutput<T>
        https://bugs.webkit.org/show_bug.cgi?id=180607

        Reviewed by Brian Burg.

        * inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
        is inside the Inspector namespace already. Also use auto a bit.
        * inspector/AsyncStackTrace.h: Ditto.
        * inspector/ConsoleMessage.cpp: Ditto.

        * inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
        (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
        Vector instead of a unique_ptr<Vector>.
        (Inspector::ContentSearchUtilities::lineEndings): Ditto.
        (Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
        (Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
        a Vector for a fixed size array; also got rid of reinterpret_cast.
        (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
        expression here since it's the only place it was used.

        * inspector/ContentSearchUtilities.h: Cut down on unneeded includes.

        * inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
        is inside the Inspector namespace already. Also use auto a bit.

        * inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
        Removed base template for BindingTraits; we only need the specializations.
