4ea039915c5e76869d8408198194d265d281a813
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-04-30  Mark Lam  <mark.lam@apple.com>

        Apply PtrTags to the MetaAllocator and friends.
        https://bugs.webkit.org/show_bug.cgi?id=185110
        <rdar://problem/39533895>

        Reviewed by Saam Barati.

        1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
        2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
           and add a sanity check to verify that allocated code buffers are within those
           bounds.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::debugAddress):
        (JSC::LinkBuffer::code):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::findPC):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        (JSC::isJITPC):
        (JSC::performJITMemcpy):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * runtime/JSCPtrTag.h:
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move the MayBePrototype JSCell header bit to InlineTypeFlags
        https://bugs.webkit.org/show_bug.cgi?id=185143

        Reviewed by Mark Lam.

        * runtime/IndexingType.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        (JSC::JSCell::mayBePrototype const):
        (JSC::JSCell::didBecomePrototype):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::mayBePrototype):
        (JSC::TypeInfo::mergeInlineTypeFlags):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Remove unneeded exception check from String.fromCharCode
        https://bugs.webkit.org/show_bug.cgi?id=185083

        Reviewed by Mark Lam.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move StructureIsImmortal to out-of-line flags.
        https://bugs.webkit.org/show_bug.cgi?id=185101

        Reviewed by Saam Barati.

        This will free up a bit in the inline flags that we can move the
        isPrototype bit into. This will, in turn, free a bit for use in
        implementing copy-on-write butterflies.

        Also, this patch removes an assertion from Structure::typeInfo()
        that inadvertently makes the function invalid to call while
        cleaning up the VM.

        * heap/HeapCellType.cpp:
        (JSC::DefaultDestroyFunc::operator() const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::callDestructor): Deleted.
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasStaticPropertyTable):
        (JSC::TypeInfo::structureIsImmortal const):
        * runtime/Structure.h:

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove arity fixup check if the number of parameters is 1
        https://bugs.webkit.org/show_bug.cgi?id=183984

        Reviewed by Mark Lam.

        If the number of parameters is one (|this|), we never hit the arity fixup check.
        We do not need to emit the arity fixup check code.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use WordLock instead of std::mutex for Threading
        https://bugs.webkit.org/show_bug.cgi?id=185121

        Reviewed by Geoffrey Garen.

        ThreadGroup starts using WordLock.

        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::getLock):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        B3 should run tail duplication at the bitter end
        https://bugs.webkit.org/show_bug.cgi?id=185123

        Reviewed by Geoffrey Garen.

        Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
        everywhere else.

        The goal of this change is to allow us to run path specialization after switch lowering but
        before tail duplication.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * runtime/Options.h:

2018-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231137.
        https://bugs.webkit.org/show_bug.cgi?id=185118

        It is breaking Test262 language/expressions/multiplication
        /order-of-evaluation.js (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231137

2018-04-28  Saam Barati  <sbarati@apple.com>

        We don't model regexp effects properly
        https://bugs.webkit.org/show_bug.cgi?id=185059
        <rdar://problem/39736150>

        Reviewed by Filip Pizlo.

        RegExp exec/test can have arbitrary effects when toNumbering the lastIndex if
        the regexp is global.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-04-28  Rick Waldron  <waldron.rick@gmail.com>

        Token misspelled "tocken" in error message string
        https://bugs.webkit.org/show_bug.cgi?id=185030

        Reviewed by Saam Barati.

        * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
        (JSC::Parser<LexerType>::parseObjectRestElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseBreakStatement):
        (JSC::Parser<LexerType>::parseContinueStatement):
        (JSC::Parser<LexerType>::parseThrowStatement):
        (JSC::Parser<LexerType>::parseWithStatement):
        (JSC::Parser<LexerType>::parseSwitchStatement):
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseTryStatement):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseExpressionStatement):
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseConditionalExpression):
        (JSC::Parser<LexerType>::parseBinaryExpression):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseArrayLiteral):
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::operatorString):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):

2018-04-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in the
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231131.
        https://bugs.webkit.org/show_bug.cgi?id=185112

        It is breaking Debug build due to unchecked exception
        (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231131

2018-04-27  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in the
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-27  JF Bastien  <jfbastien@apple.com>

        Make the first 64 bits of JSString look like a double JSValue
        https://bugs.webkit.org/show_bug.cgi?id=185081

        Reviewed by Filip Pizlo.

        We can be clever about how we lay out JSString so that, were it
        reinterpreted as a JSValue, it would look like a double.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and16):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andw_mr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        * runtime/JSString.h:
        (JSC::JSString::JSString):

2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
        https://bugs.webkit.org/show_bug.cgi?id=185055

        Reviewed by JF Bastien.

        This patch is paving the way to emitting the jscvt instruction if possible.
        To do that, we need to determine whether the jscvt instruction is supported
        on the given CPU.

        We add a function collectCPUFeatures, which is responsible for collecting
        CPU features if necessary. On Linux, we can use the auxiliary vector to get
        the information without parsing /proc/cpuinfo.

        Currently, nobody calls this function. It will be called later when we emit
        the jscvt instruction. To make that possible, we also need to add
        disassembler support.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerX86Common.h:

2018-04-26  Filip Pizlo  <fpizlo@apple.com>

        Also run foldPathConstants before mussing up SSA
        https://bugs.webkit.org/show_bug.cgi?id=185069

        Reviewed by Saam Barati.

        This isn't needed now, but will be once I implement the phase in bug 185060.

        This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
        Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
        be landed separately and measured separately from that phase.

        It's probably nice for sanity to have this and reduceStrength run before tail duplication and
        another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
        it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
        neutral. It all depends on what programs typically look like.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):

2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231086.

        Caused JSC test failures due to an unchecked exception.

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231086

2018-04-26  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in the
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Speculative build fix for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Not reviewed.

        * runtime/JSCPtrTag.h:

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Windows build fix.

        Not reviewed.

        * runtime/Options.cpp:

2018-04-26  Jer Noble  <jer.noble@apple.com>

        WK_COCOA_TOUCH all the things.
        https://bugs.webkit.org/show_bug.cgi?id=185006
        <rdar://problem/39736025>

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:

2018-04-26  Per Arne Vollan  <pvollan@apple.com>

        Disable content filtering in minimal simulator mode
        https://bugs.webkit.org/show_bug.cgi?id=185027
        <rdar://problem/39736091>

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Intl.PluralRules
        https://bugs.webkit.org/show_bug.cgi?id=184312

        Reviewed by JF Bastien.

        Use UNumberFormat to enforce formatting, and then UPluralRules to find
        the correct plural rule for the given number. Relies on ICU v59+ for
        resolvedOptions().pluralCategories and trailing 0 detection.
        Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.h:
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
        * runtime/BigIntObject.h:
        * runtime/CommonIdentifiers.h:
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp: Added.
        (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
        (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
        (JSC::UEnumerationDeleter::operator() const):
        (JSC::IntlPluralRules::create):
        (JSC::IntlPluralRules::createStructure):
        (JSC::IntlPluralRules::IntlPluralRules):
        (JSC::IntlPluralRules::finishCreation):
        (JSC::IntlPluralRules::destroy):
        (JSC::IntlPluralRules::visitChildren):
        (JSC::IntlPRInternal::localeData):
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h: Added.
        * runtime/IntlPluralRulesConstructor.cpp: Added.
        (JSC::IntlPluralRulesConstructor::create):
        (JSC::IntlPluralRulesConstructor::createStructure):
        (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
        (JSC::IntlPluralRulesConstructor::finishCreation):
        (JSC::constructIntlPluralRules):
        (JSC::callIntlPluralRules):
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        (JSC::IntlPluralRulesConstructor::visitChildren):
        * runtime/IntlPluralRulesConstructor.h: Added.
        * runtime/IntlPluralRulesPrototype.cpp: Added.
        (JSC::IntlPluralRulesPrototype::create):
        (JSC::IntlPluralRulesPrototype::createStructure):
        (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
        (JSC::IntlPluralRulesPrototype::finishCreation):
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/IntlPluralRulesPrototype.h: Added.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/RegExpPrototype.cpp: Added inlines header.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Fix branch offsets in branchNeg32
        https://bugs.webkit.org/show_bug.cgi?id=185025

        Reviewed by Yusuke Suzuki.

        Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchNeg32):

2018-04-25  Robin Morisset  <rmorisset@apple.com>

        In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
        https://bugs.webkit.org/show_bug.cgi?id=184773
        <rdar://problem/37773612>

        Reviewed by Filip Pizlo.

        We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
        arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
        This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
        We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
        This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):

2018-04-25  Mark Lam  <mark.lam@apple.com>

        Push the definition of PtrTag down to the WTF layer.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerCodeRef.cpp:
        * assembler/MacroAssemblerCodeRef.h:
        * b3/B3MathExtras.cpp:
        * bytecode/LLIntCallLinkInfo.h:
        * disassembler/Disassembler.h:
        * ftl/FTLJITCode.cpp:
        * interpreter/InterpreterInlines.h:
        * jit/ExecutableAllocator.h:
        * jit/JITOperations.cpp:
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntPCRanges.h:
        * runtime/JSCPtrTag.h: Added.
        * runtime/NativeFunction.h:
        * runtime/PtrTag.h: Removed.
        * runtime/VMTraps.cpp:

2018-04-25  Keith Miller  <keith_miller@apple.com>

        getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
        https://bugs.webkit.org/show_bug.cgi?id=184998

        Reviewed by Saam Barati.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-04-25  Keith Miller  <keith_miller@apple.com>

        Add missing scope release to functionProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=184995

        Reviewed by Saam Barati.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
        https://bugs.webkit.org/show_bug.cgi?id=184730

        Reviewed by Mark Lam.

        Add a swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (the temporary register in MacroAssemblerARM).
        We now also use dataTempRegister, addressTempRegister, and fpTempRegister instead of S0, S1, and SD0.

        We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with the
        ARMv7 implementation.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (JSC::MacroAssemblerARM::and32):
        (JSC::MacroAssemblerARM::lshift32):
        (JSC::MacroAssemblerARM::mul32):
        (JSC::MacroAssemblerARM::or32):
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::xor32):
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::abortWithReason):
        (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::push):
        (JSC::MacroAssemblerARM::swap):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branchPtr):
        (JSC::MacroAssemblerARM::branch32):
        (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARM::branchTest8):
        (JSC::MacroAssemblerARM::branchTest32):
        (JSC::MacroAssemblerARM::jump):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::mull32):
        (JSC::MacroAssemblerARM::branchMul32):
        (JSC::MacroAssemblerARM::patchableBranch32):
        (JSC::MacroAssemblerARM::nearCall):
        (JSC::MacroAssemblerARM::compare32):
        (JSC::MacroAssemblerARM::compare8):
        (JSC::MacroAssemblerARM::test32):
        (JSC::MacroAssemblerARM::test8):
        (JSC::MacroAssemblerARM::add64):
        (JSC::MacroAssemblerARM::load32):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::branch32WithPatch):
        (JSC::MacroAssemblerARM::storePtrWithPatch):
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        (JSC::MacroAssemblerARM::addDouble):
        (JSC::MacroAssemblerARM::divDouble):
        (JSC::MacroAssemblerARM::subDouble):
        (JSC::MacroAssemblerARM::mulDouble):
        (JSC::MacroAssemblerARM::convertInt32ToDouble):
        (JSC::MacroAssemblerARM::branchDouble):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToUint32):
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM::branchDoubleNonZero):
        (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARM::call32):
        (JSC::MacroAssemblerARM::internalCompare32):

2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>

        [WinCairo] Fix js/regexp-unicode.html crash.
        https://bugs.webkit.org/show_bug.cgi?id=184891

        Reviewed by Yusuke Suzuki.

        On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
        RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        Unconditionally save and restore RDI on 64-bit Windows.

2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>

        [GTK] Miscellaneous build cleanups
        https://bugs.webkit.org/show_bug.cgi?id=184399

        Reviewed by Žan Doberšek.

        * PlatformGTK.cmake:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        fromCharCode is missing some exception checks
        https://bugs.webkit.org/show_bug.cgi?id=184952

        Reviewed by Saam Barati.

        I also removed the pointless slow path function and moved it into the
        main function.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromCharCodeSlowCase): Deleted.

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
        https://bugs.webkit.org/show_bug.cgi?id=184923

        Reviewed by Saam Barati.

        If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
        (i.e. we know that the object has one of those structures), then previously we would still emit a
        switch with a case per structure along with a default case. That would mean one extra redundant
        branch to check that whatever structure we wound up with belongs to the set. In that case, we
        were already making the default case be an Oops.

        One possible solution would be to say that the default case being Oops means that B3 doesn't need
        to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
        be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
        seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
        trap.

        So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
        extra branch.

        This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
        it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
        read.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):

763 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
764
765         DFG CSE should know how to decay a MultiGetByOffset
766         https://bugs.webkit.org/show_bug.cgi?id=159859
767
768         Reviewed by Keith Miller.
769         
770         This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
771         clobberize() can report a def() for MultiGetByOffset.
772         
773         This is a slight improvement to codegen in splay because splay is a heavy user of
774         MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
775         "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
776         removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
777         splay's time.
778
779         * dfg/DFGClobberize.h:
780         (JSC::DFG::clobberize):
781         * dfg/DFGNode.cpp:
782         (JSC::DFG::Node::remove):
783         (JSC::DFG::Node::removeWithoutChecks):
784         (JSC::DFG::Node::replaceWith):
785         (JSC::DFG::Node::replaceWithWithoutChecks):
786         * dfg/DFGNode.h:
787         (JSC::DFG::Node::convertToMultiGetByOffset):
788         (JSC::DFG::Node::replaceWith): Deleted.
789         * dfg/DFGNodeType.h:
790         * dfg/DFGObjectAllocationSinkingPhase.cpp:
791
792 2018-04-24  Keith Miller  <keith_miller@apple.com>
793
794         Update API docs with information on which run loop the VM will use
795         https://bugs.webkit.org/show_bug.cgi?id=184900
796         <rdar://problem/39166054>
797
798         Reviewed by Mark Lam.
799
800         * API/JSContextRef.h:
801         * API/JSVirtualMachine.h:
802
803 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
804
805         $vm.totalGCTime() should be a thing
806         https://bugs.webkit.org/show_bug.cgi?id=184916
807
808         Reviewed by Sam Weinig.
809         
810         When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
811         time spent in GC to determine if the regression is because the GC got slower.
812         
813         This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
814
815         * heap/Heap.cpp:
816         (JSC::Heap::runEndPhase):
817         * heap/Heap.h:
818         (JSC::Heap::totalGCTime const):
819         * tools/JSDollarVM.cpp:
820         (JSC::functionTotalGCTime):
821         (JSC::JSDollarVM::finishCreation):
822
823 2018-04-23  Zalan Bujtas  <zalan@apple.com>
824
825         [LayoutFormattingContext] Initial commit.
826         https://bugs.webkit.org/show_bug.cgi?id=184896
827
828         Reviewed by Antti Koivisto.
829
830         * Configurations/FeatureDefines.xcconfig:
831
832 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
833
834         Unreviewed, revert accidental change to verbose flag.
835
836         * dfg/DFGByteCodeParser.cpp:
837
838 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
839
840         Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
841
842         Rubber stamped by Saam Barati.
843         
844         This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
845         anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
846         Seems sensible to just roll it out.
847
848         * dfg/DFGByteCodeParser.cpp:
849         (JSC::DFG::ByteCodeParser::addToGraph):
850         (JSC::DFG::ByteCodeParser::parse):
851
852 2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
853
854         [JSC] Remove ModuleLoaderPrototype
855         https://bugs.webkit.org/show_bug.cgi?id=184784
856
857         Reviewed by Mark Lam.
858
859         When we introduced ModuleLoaderPrototype, ModuleLoader could be created by users and exposed to users.
860         However, the loader spec has been abandoned, so we do not need to have ModuleLoaderPrototype and JSModuleLoader.
861         This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
862
863         * CMakeLists.txt:
864         * DerivedSources.make:
865         * JavaScriptCore.xcodeproj/project.pbxproj:
866         * Sources.txt:
867         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
868         * runtime/JSGlobalObject.cpp:
869         (JSC::JSGlobalObject::init):
870         (JSC::JSGlobalObject::visitChildren):
871         * runtime/JSGlobalObject.h:
872         (JSC::JSGlobalObject::proxyRevokeStructure const):
873         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
874         * runtime/JSModuleLoader.cpp:
875         (JSC::moduleLoaderParseModule):
876         (JSC::moduleLoaderRequestedModules):
877         (JSC::moduleLoaderModuleDeclarationInstantiation):
878         (JSC::moduleLoaderResolve):
879         (JSC::moduleLoaderResolveSync):
880         (JSC::moduleLoaderFetch):
881         (JSC::moduleLoaderGetModuleNamespaceObject):
882         (JSC::moduleLoaderEvaluate):
883         * runtime/JSModuleLoader.h:
884         * runtime/ModuleLoaderPrototype.cpp: Removed.
885         * runtime/ModuleLoaderPrototype.h: Removed.
886
887 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
888
889         [GLIB] All API tests fail in debug builds
890         https://bugs.webkit.org/show_bug.cgi?id=184813
891
892         Reviewed by Mark Lam.
893
894         This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
895         JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.
896
897         * API/glib/JSCContext.cpp:
898         (JSCContextExceptionHandler::JSCContextExceptionHandler):
899         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
900         (jscContextConstructed):
901         (ExceptionHandler::ExceptionHandler): Deleted.
902         (ExceptionHandler::~ExceptionHandler): Deleted.
903
904 2018-04-20  Tim Horton  <timothy_horton@apple.com>
905
906         Adjust geolocation feature flag
907         https://bugs.webkit.org/show_bug.cgi?id=184856
908
909         Reviewed by Wenson Hsieh.
910
911         * Configurations/FeatureDefines.xcconfig:
912
913 2018-04-20  Brian Burg  <bburg@apple.com>
914
915         Web Inspector: remove some dead code in IdentifiersFactory
916         https://bugs.webkit.org/show_bug.cgi?id=184839
917
918         Reviewed by Timothy Hatcher.
919
920         This was never used on non-Chrome ports, so the identifier always has a
921         prefix of '0.'. We may change this in the future, but for now remove this.
922         Using a PID for this purpose is problematic anyway.
923
924         * inspector/IdentifiersFactory.cpp:
925         (Inspector::addPrefixToIdentifier):
926         (Inspector::IdentifiersFactory::createIdentifier):
927         (Inspector::IdentifiersFactory::requestId):
928         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
929         * inspector/IdentifiersFactory.h:
930
931 2018-04-20  Mark Lam  <mark.lam@apple.com>
932
933         Add the ability to use a hash for setting PtrTag enum values.
934         https://bugs.webkit.org/show_bug.cgi?id=184852
935         <rdar://problem/39613891>
936
937         Reviewed by Saam Barati.
938
939         * runtime/PtrTag.h:
940
941 2018-04-20  Mark Lam  <mark.lam@apple.com>
942
943         Some JSEntryPtrTags should actually be JSInternalPtrTags.
944         https://bugs.webkit.org/show_bug.cgi?id=184712
945         <rdar://problem/39507381>
946
947         Reviewed by Michael Saboff.
948
949         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
950         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
951            only when needed.
952
953         * bytecode/AccessCase.cpp:
954         (JSC::AccessCase::generateImpl):
955         * bytecode/ByValInfo.h:
956         (JSC::ByValInfo::ByValInfo):
957         * bytecode/CallLinkInfo.cpp:
958         (JSC::CallLinkInfo::callReturnLocation):
959         (JSC::CallLinkInfo::patchableJump):
960         (JSC::CallLinkInfo::hotPathBegin):
961         (JSC::CallLinkInfo::slowPathStart):
962         * bytecode/CallLinkInfo.h:
963         (JSC::CallLinkInfo::setCallLocations):
964         (JSC::CallLinkInfo::hotPathOther):
965         * bytecode/PolymorphicAccess.cpp:
966         (JSC::PolymorphicAccess::regenerate):
967         * bytecode/StructureStubInfo.h:
968         (JSC::StructureStubInfo::doneLocation):
969         * dfg/DFGJITCompiler.cpp:
970         (JSC::DFG::JITCompiler::link):
971         * dfg/DFGOSRExit.cpp:
972         (JSC::DFG::reifyInlinedCallFrames):
973         * ftl/FTLLazySlowPath.cpp:
974         (JSC::FTL::LazySlowPath::initialize):
975         * ftl/FTLLazySlowPath.h:
976         (JSC::FTL::LazySlowPath::done const):
977         * ftl/FTLLowerDFGToB3.cpp:
978         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
979         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
980         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
981         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
982         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
983         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
984         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
985         * jit/JIT.cpp:
986         (JSC::JIT::link):
987         * jit/JITExceptions.cpp:
988         (JSC::genericUnwind):
989         * jit/JITMathIC.h:
990         (JSC::isProfileEmpty):
991         * llint/LLIntData.cpp:
992         (JSC::LLInt::initialize):
993         * llint/LLIntData.h:
994         (JSC::LLInt::getCodePtr):
995         (JSC::LLInt::getExecutableAddress): Deleted.
996         * llint/LLIntExceptions.cpp:
997         (JSC::LLInt::callToThrow):
998         * llint/LLIntSlowPaths.cpp:
999         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1000         * wasm/js/WasmToJS.cpp:
1001         (JSC::Wasm::wasmToJS):
1002
1003 2018-04-18  Jer Noble  <jer.noble@apple.com>
1004
1005         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
1006         https://bugs.webkit.org/show_bug.cgi?id=184762
1007
1008         Reviewed by Dan Bernstein.
1009
1010         * Configurations/Base.xcconfig:
1011         * JavaScriptCore.xcodeproj/project.pbxproj:
1012
1013 2018-04-20  Daniel Bates  <dabates@apple.com>
1014
1015         Remove code for compilers that did not support NSDMI for aggregates
1016         https://bugs.webkit.org/show_bug.cgi?id=184599
1017
1018         Reviewed by Per Arne Vollan.
1019
1020         Remove workaround for earlier Visual Studio versions that did not support non-static data
1021         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
1022         and EWS bots to a newer version that supports this feature.
1023
1024         * domjit/DOMJITEffect.h:
1025         (JSC::DOMJIT::Effect::Effect): Deleted.
1026         * runtime/HasOwnPropertyCache.h:
1027         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
1028         * wasm/WasmFormat.h:
1029         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
1030
1031 2018-04-20  Mark Lam  <mark.lam@apple.com>
1032
1033         Build fix for internal builds after r230826.
1034         https://bugs.webkit.org/show_bug.cgi?id=184790
1035         <rdar://problem/39301369>
1036
1037         Not reviewed.
1038
1039         * runtime/Options.cpp:
1040         (JSC::overrideDefaults):
1041         * tools/SigillCrashAnalyzer.cpp:
1042         (JSC::SignalContext::dump):
1043
1044 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
1045
1046         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
1047         https://bugs.webkit.org/show_bug.cgi?id=184254
1048         <rdar://problem/39140200>
1049
1050         Reviewed by Daniel Bates.
1051
1052         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
1053
1054         * runtime/ArrayBuffer.h:
1055         (JSC::ArrayBufferContents::ArrayBufferContents):
1056
1057 2018-04-19  Mark Lam  <mark.lam@apple.com>
1058
1059         Apply pointer profiling to Signal pointers.
1060         https://bugs.webkit.org/show_bug.cgi?id=184790
1061         <rdar://problem/39301369>
1062
1063         Reviewed by Michael Saboff.
1064
1065         1. Change stackPointer, framePointer, and instructionPointer accessors to
1066            be a pair of getter/setter functions.
1067         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
1068            pointer profiling variants of these accessors.
1069         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
1070
1071         * JavaScriptCorePrefix.h:
1072         * runtime/MachineContext.h:
1073         (JSC::MachineContext::stackPointerImpl):
1074         (JSC::MachineContext::stackPointer):
1075         (JSC::MachineContext::setStackPointer):
1076         (JSC::MachineContext::framePointerImpl):
1077         (JSC::MachineContext::framePointer):
1078         (JSC::MachineContext::setFramePointer):
1079         (JSC::MachineContext::instructionPointerImpl):
1080         (JSC::MachineContext::instructionPointer):
1081         (JSC::MachineContext::setInstructionPointer):
1082         (JSC::MachineContext::linkRegisterImpl):
1083         (JSC::MachineContext::linkRegister):
1084         (JSC::MachineContext::setLinkRegister):
1085         * runtime/SamplingProfiler.cpp:
1086         (JSC::SamplingProfiler::takeSample):
1087         * runtime/VMTraps.cpp:
1088         (JSC::SignalContext::SignalContext):
1089         (JSC::VMTraps::tryInstallTrapBreakpoints):
1090         * tools/CodeProfiling.cpp:
1091         (JSC::profilingTimer):
1092         * tools/SigillCrashAnalyzer.cpp:
1093         (JSC::SignalContext::dump):
1094         (JSC::installCrashHandler):
1095         (JSC::SigillCrashAnalyzer::analyze):
1096         * wasm/WasmFaultSignalHandler.cpp:
1097         (JSC::Wasm::trapHandler):
1098
1099 2018-04-19  David Kilzer  <ddkilzer@apple.com>
1100
1101         Enable Objective-C weak references
1102         <https://webkit.org/b/184789>
1103         <rdar://problem/39571716>
1104
1105         Reviewed by Dan Bernstein.
1106
1107         * Configurations/Base.xcconfig:
1108         (CLANG_ENABLE_OBJC_WEAK): Enable.
1109         * Configurations/ToolExecutable.xcconfig:
1110         (CLANG_ENABLE_OBJC_ARC): Simplify.
1111
1112 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
1113
1114         The InternalFunction hierarchy should be in IsoSubspaces
1115         https://bugs.webkit.org/show_bug.cgi?id=184721
1116
1117         Reviewed by Saam Barati.
1118         
1119         This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
1120         but subclasses that are the same size as InternalFunction share its subspace. I did this
1121         because the subclasses appear to just override methods, which are called dynamically via the
1122         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
1123         allocate one kind of InternalFunction over another.
1124
1125         * API/JSBase.h:
1126         * API/JSCallbackFunction.h:
1127         * API/ObjCCallbackFunction.h:
1128         (JSC::ObjCCallbackFunction::subspaceFor):
1129         * CMakeLists.txt:
1130         * JavaScriptCore.xcodeproj/project.pbxproj:
1131         * Sources.txt:
1132         * heap/IsoSubspacePerVM.cpp: Added.
1133         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
1134         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
1135         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
1136         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
1137         (JSC::IsoSubspacePerVM::forVM):
1138         * heap/IsoSubspacePerVM.h: Added.
1139         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
1140         * runtime/Error.h:
1141         * runtime/ErrorConstructor.h:
1142         * runtime/InternalFunction.h:
1143         (JSC::InternalFunction::subspaceFor):
1144         * runtime/IntlCollatorConstructor.h:
1145         * runtime/IntlDateTimeFormatConstructor.h:
1146         * runtime/IntlNumberFormatConstructor.h:
1147         * runtime/JSArrayBufferConstructor.h:
1148         * runtime/NativeErrorConstructor.h:
1149         * runtime/ProxyRevoke.h:
1150         * runtime/RegExpConstructor.h:
1151         * runtime/VM.cpp:
1152         (JSC::VM::VM):
1153         * runtime/VM.h:
1154
1155 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1156
1157         Unreviewed, Fix jsc shell
1158         https://bugs.webkit.org/show_bug.cgi?id=184600
1159
1160         WebAssembly module loading does not finish with drainMicrotasks().
1161         So JSNativeStdFunction's capturing variables become invalid.
1162         This patch fixes this issue.
1163
1164         * jsc.cpp:
1165         (functionDollarAgentStart):
1166         (runWithOptions):
1167         (runJSC):
1168         (jscmain):
1169
1170 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
1171
1172         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
1173         https://bugs.webkit.org/show_bug.cgi?id=184725
1174
1175         Reviewed by Mark Lam.
1176
1177         * jit/JIT.h:
1178
1179 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1180
1181         [WebAssembly][Modules] Import tables in wasm modules
1182         https://bugs.webkit.org/show_bug.cgi?id=184738
1183
1184         Reviewed by JF Bastien.
1185
1186         This patch simply allows wasm modules to import tables from wasm modules / js re-exporting.
1187         Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
1188         just works.
1189
1190         * wasm/js/JSWebAssemblyInstance.cpp:
1191         (JSC::JSWebAssemblyInstance::create):
1192         * wasm/js/WebAssemblyModuleRecord.cpp:
1193         (JSC::WebAssemblyModuleRecord::link):
1194
1195 2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>
1196
1197         [ARM] Fix build error and crash after PtrTag change
1198         https://bugs.webkit.org/show_bug.cgi?id=184732
1199
1200         Reviewed by Mark Lam.
1201
1202         Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
1203         MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
1204         twice with ARM-Thumb2.
1205
1206         * assembler/MacroAssemblerCodeRef.h:
1207         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1208         * jit/JITPropertyAccess32_64.cpp:
1209         (JSC::JIT::emitSlow_op_put_by_val):
1210         * jit/Repatch.cpp:
1211         (JSC::linkPolymorphicCall):
1212
1213 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1214
1215         [WebAssembly][Modules] Import globals from wasm modules
1216         https://bugs.webkit.org/show_bug.cgi?id=184736
1217
1218         Reviewed by JF Bastien.
1219
1220         This patch implements a feature importing globals to/from wasm modules.
1221         Since we are not supporting mutable globals now, we can just copy the
1222         global data when importing. Currently we do not support importing/exporting
1223         i64 globals. This will be supported once (1) mutable global bindings are
1224         specified and (2) BigInt based i64 importing/exporting is specified.
1225
1226         * wasm/js/JSWebAssemblyInstance.cpp:
1227         (JSC::JSWebAssemblyInstance::create):
1228         * wasm/js/WebAssemblyModuleRecord.cpp:
1229         (JSC::WebAssemblyModuleRecord::link):
1230
1231 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1232
1233         Unreviewed, fix build on ARM
1234
1235         * assembler/MacroAssemblerARM.h:
1236         (JSC::MacroAssemblerARM::readCallTarget):
1237
1238 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1239
1240         Unreviewed, fix build with GCC
1241
1242         * assembler/LinkBuffer.h:
1243         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1244
1245 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1246
1247         Unreviewed, reland r230697, r230720, and r230724.
1248         https://bugs.webkit.org/show_bug.cgi?id=184600
1249
1250         With CatchScope check.
1251
1252         * JavaScriptCore.xcodeproj/project.pbxproj:
1253         * builtins/ModuleLoaderPrototype.js:
1254         (globalPrivate.newRegistryEntry):
1255         (requestInstantiate):
1256         (link):
1257         * jsc.cpp:
1258         (convertShebangToJSComment):
1259         (fillBufferWithContentsOfFile):
1260         (fetchModuleFromLocalFileSystem):
1261         (GlobalObject::moduleLoaderFetch):
1262         (functionDollarAgentStart):
1263         (checkException):
1264         (runWithOptions):
1265         * parser/NodesAnalyzeModule.cpp:
1266         (JSC::ImportDeclarationNode::analyzeModule):
1267         * parser/SourceProvider.h:
1268         (JSC::WebAssemblySourceProvider::create):
1269         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1270         * runtime/AbstractModuleRecord.cpp:
1271         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1272         (JSC::AbstractModuleRecord::resolveImport):
1273         (JSC::AbstractModuleRecord::link):
1274         (JSC::AbstractModuleRecord::evaluate):
1275         (JSC::identifierToJSValue): Deleted.
1276         * runtime/AbstractModuleRecord.h:
1277         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
1278         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
1279         * runtime/JSModuleEnvironment.cpp:
1280         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1281         * runtime/JSModuleLoader.cpp:
1282         (JSC::JSModuleLoader::evaluate):
1283         * runtime/JSModuleRecord.cpp:
1284         (JSC::JSModuleRecord::link):
1285         (JSC::JSModuleRecord::instantiateDeclarations):
1286         * runtime/JSModuleRecord.h:
1287         * runtime/ModuleLoaderPrototype.cpp:
1288         (JSC::moduleLoaderPrototypeParseModule):
1289         (JSC::moduleLoaderPrototypeRequestedModules):
1290         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1291         * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
1292         * wasm/js/JSWebAssemblyHelpers.h:
1293         (JSC::getWasmBufferFromValue):
1294         (JSC::createSourceBufferFromValue):
1295         * wasm/js/JSWebAssemblyInstance.cpp:
1296         (JSC::JSWebAssemblyInstance::finalizeCreation):
1297         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
1298         (JSC::JSWebAssemblyInstance::create):
1299         * wasm/js/JSWebAssemblyInstance.h:
1300         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1301         (JSC::constructJSWebAssemblyInstance):
1302         * wasm/js/WebAssemblyModuleRecord.cpp:
1303         (JSC::WebAssemblyModuleRecord::prepareLink):
1304         (JSC::WebAssemblyModuleRecord::link):
1305         * wasm/js/WebAssemblyModuleRecord.h:
1306         * wasm/js/WebAssemblyPrototype.cpp:
1307         (JSC::resolve):
1308         (JSC::instantiate):
1309         (JSC::compileAndInstantiate):
1310         (JSC::WebAssemblyPrototype::instantiate):
1311         (JSC::webAssemblyInstantiateFunc):
1312         (JSC::webAssemblyValidateFunc):
1313         * wasm/js/WebAssemblyPrototype.h:
1314
1315 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
1316
1317         [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
1318         https://bugs.webkit.org/show_bug.cgi?id=184687
1319
1320         Reviewed by Michael Catanzaro.
1321
1322         Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
1323         JSClassDefinition. This is required to implement dynamic properties that can't be added with
1324         jsc_class_add_property() for example to implement something like imports object in seed/gjs.
1325
1326         * API/glib/JSCClass.cpp:
1327         (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
1328         can throw exceptions.
1329         (VTableExceptionHandler::~VTableExceptionHandler):
1330         (getProperty): Iterate the class chain to call get_property function.
1331         (setProperty): Iterate the class chain to call set_property function.
1332         (hasProperty): Iterate the class chain to call has_property function.
1333         (deleteProperty): Iterate the class chain to call delete_property function.
1334         (getPropertyNames): Iterate the class chain to call enumerate_properties function.
1335         (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
1336         jscClassCreate now.
1337         (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
1338         * API/glib/JSCClass.h:
1339         * API/glib/JSCClassPrivate.h:
1340         * API/glib/JSCContext.cpp:
1341         (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
1342         (jsc_context_register_class): Add JSCClassVTable parameter.
1343         * API/glib/JSCContext.h:
1344         * API/glib/JSCContextPrivate.h:
1345         * API/glib/JSCWrapperMap.cpp:
1346         (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
1347         * API/glib/JSCWrapperMap.h:
1348         * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
1349
1350 2018-04-17  Mark Lam  <mark.lam@apple.com>
1351
1352         Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
1353         https://bugs.webkit.org/show_bug.cgi?id=184702
1354         <rdar://problem/35391681>
1355
1356         Reviewed by Filip Pizlo and Saam Barati.
1357
1358         1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
1359            to take a PtrTag template argument.
1360         2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
1361
1362         * assembler/AbstractMacroAssembler.h:
1363         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
1364         (JSC::AbstractMacroAssembler::linkJump):
1365         (JSC::AbstractMacroAssembler::linkPointer):
1366         (JSC::AbstractMacroAssembler::getLinkerAddress):
1367         (JSC::AbstractMacroAssembler::repatchJump):
1368         (JSC::AbstractMacroAssembler::repatchJumpToNop):
1369         (JSC::AbstractMacroAssembler::repatchNearCall):
1370         (JSC::AbstractMacroAssembler::repatchCompact):
1371         (JSC::AbstractMacroAssembler::repatchInt32):
1372         (JSC::AbstractMacroAssembler::repatchPointer):
1373         (JSC::AbstractMacroAssembler::readPointer):
1374         (JSC::AbstractMacroAssembler::replaceWithLoad):
1375         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
1376         * assembler/CodeLocation.h:
1377         (JSC::CodeLocationCommon:: const):
1378         (JSC::CodeLocationCommon::CodeLocationCommon):
1379         (JSC::CodeLocationInstruction::CodeLocationInstruction):
1380         (JSC::CodeLocationLabel::CodeLocationLabel):
1381         (JSC::CodeLocationLabel::retagged):
1382         (JSC::CodeLocationLabel:: const):
1383         (JSC::CodeLocationJump::CodeLocationJump):
1384         (JSC::CodeLocationJump::retagged):
1385         (JSC::CodeLocationCall::CodeLocationCall):
1386         (JSC::CodeLocationCall::retagged):
1387         (JSC::CodeLocationNearCall::CodeLocationNearCall):
1388         (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
1389         (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
1390         (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
1391         (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
1392         (JSC::CodeLocationCommon<tag>::instructionAtOffset):
1393         (JSC::CodeLocationCommon<tag>::labelAtOffset):
1394         (JSC::CodeLocationCommon<tag>::jumpAtOffset):
1395         (JSC::CodeLocationCommon<tag>::callAtOffset):
1396         (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
1397         (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
1398         (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
1399         (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
1400         (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
1401         (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
1402         (JSC::CodeLocationCommon::labelAtOffset): Deleted.
1403         (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
1404         (JSC::CodeLocationCommon::callAtOffset): Deleted.
1405         (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
1406         (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
1407         (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
1408         (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
1409         (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
1410         * assembler/LinkBuffer.cpp:
1411         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
1412         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
1413         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
1414         (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
1415         * assembler/LinkBuffer.h:
1416         (JSC::LinkBuffer::link):
1417         (JSC::LinkBuffer::patch):
1418         (JSC::LinkBuffer::entrypoint):
1419         (JSC::LinkBuffer::locationOf):
1420         (JSC::LinkBuffer::locationOfNearCall):
1421         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1422         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1423         (JSC::LinkBuffer::trampolineAt):
1424         * assembler/MacroAssemblerARM.h:
1425         (JSC::MacroAssemblerARM::readCallTarget):
1426         (JSC::MacroAssemblerARM::replaceWithJump):
1427         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
1428         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
1429         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
1430         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
1431         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
1432         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
1433         (JSC::MacroAssemblerARM::repatchCall):
1434         (JSC::MacroAssemblerARM::linkCall):
1435         * assembler/MacroAssemblerARM64.h:
1436         (JSC::MacroAssemblerARM64::readCallTarget):
1437         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
1438         (JSC::MacroAssemblerARM64::replaceWithJump):
1439         (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
1440         (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
1441         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
1442         (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
1443         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1444         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
1445         (JSC::MacroAssemblerARM64::repatchCall):
1446         (JSC::MacroAssemblerARM64::linkCall):
1447         * assembler/MacroAssemblerARMv7.h:
1448         (JSC::MacroAssemblerARMv7::replaceWithJump):
1449         (JSC::MacroAssemblerARMv7::readCallTarget):
1450         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
1451         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
1452         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
1453         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
1454         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
1455         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
1456         (JSC::MacroAssemblerARMv7::repatchCall):
1457         (JSC::MacroAssemblerARMv7::linkCall):
1458         * assembler/MacroAssemblerCodeRef.cpp:
1459         (JSC::MacroAssemblerCodePtrBase::dumpWithName):
1460         (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
1461         (JSC::MacroAssemblerCodeRefBase::disassembly):
1462         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
1463         (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
1464         (JSC::MacroAssemblerCodePtr::dump const): Deleted.
1465         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
1466         (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
1467         (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
1468         (JSC::MacroAssemblerCodeRef::dump const): Deleted.
1469         * assembler/MacroAssemblerCodeRef.h:
1470         (JSC::FunctionPtr::FunctionPtr):
1471         (JSC::FunctionPtr::retagged const):
1472         (JSC::FunctionPtr::retaggedExecutableAddress const):
1473         (JSC::FunctionPtr::operator== const):
1474         (JSC::FunctionPtr::operator!= const):
1475         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1476         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1477         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1478         (JSC::MacroAssemblerCodePtr::retagged const):
1479         (JSC::MacroAssemblerCodePtr:: const):
1480         (JSC::MacroAssemblerCodePtr::dumpWithName const):
1481         (JSC::MacroAssemblerCodePtr::dump const):
1482         (JSC::MacroAssemblerCodePtrHash::hash):
1483         (JSC::MacroAssemblerCodePtrHash::equal):
1484         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1485         (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
1486         (JSC::MacroAssemblerCodeRef::code const):
1487         (JSC::MacroAssemblerCodeRef::retaggedCode const):
1488         (JSC::MacroAssemblerCodeRef::retagged const):
1489         (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
1490         (JSC::MacroAssemblerCodeRef::disassembly const):
1491         (JSC::MacroAssemblerCodeRef::dump const):
1492         (JSC::FunctionPtr<tag>::FunctionPtr):
1493         * assembler/MacroAssemblerMIPS.h:
1494         (JSC::MacroAssemblerMIPS::readCallTarget):
1495         (JSC::MacroAssemblerMIPS::replaceWithJump):
1496         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
1497         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
1498         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
1499         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
1500         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
1501         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
1502         (JSC::MacroAssemblerMIPS::repatchCall):
1503         (JSC::MacroAssemblerMIPS::linkCall):
1504         * assembler/MacroAssemblerX86.h:
1505         (JSC::MacroAssemblerX86::readCallTarget):
1506         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
1507         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
1508         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
1509         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
1510         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
1511         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
1512         (JSC::MacroAssemblerX86::repatchCall):
1513         (JSC::MacroAssemblerX86::linkCall):
1514         * assembler/MacroAssemblerX86Common.h:
1515         (JSC::MacroAssemblerX86Common::repatchCompact):
1516         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
1517         (JSC::MacroAssemblerX86Common::replaceWithJump):
1518         * assembler/MacroAssemblerX86_64.h:
1519         (JSC::MacroAssemblerX86_64::readCallTarget):
1520         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
1521         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
1522         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
1523         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
1524         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1525         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
1526         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
1527         (JSC::MacroAssemblerX86_64::repatchCall):
1528         (JSC::MacroAssemblerX86_64::linkCall):
1529         * assembler/testmasm.cpp:
1530         (JSC::compile):
1531         (JSC::invoke):
1532         (JSC::testProbeModifiesProgramCounter):
1533         * b3/B3Compilation.cpp:
1534         (JSC::B3::Compilation::Compilation):
1535         * b3/B3Compilation.h:
1536         (JSC::B3::Compilation::code const):
1537         (JSC::B3::Compilation::codeRef const):
1538         * b3/B3Compile.cpp:
1539         (JSC::B3::compile):
1540         * b3/B3LowerMacros.cpp:
1541         * b3/air/AirDisassembler.cpp:
1542         (JSC::B3::Air::Disassembler::dump):
1543         * b3/air/testair.cpp:
1544         * b3/testb3.cpp:
1545         (JSC::B3::invoke):
1546         (JSC::B3::testInterpreter):
1547         (JSC::B3::testEntrySwitchSimple):
1548         (JSC::B3::testEntrySwitchNoEntrySwitch):
1549         (JSC::B3::testEntrySwitchWithCommonPaths):
1550         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
1551         (JSC::B3::testEntrySwitchLoop):
1552         * bytecode/AccessCase.cpp:
1553         (JSC::AccessCase::generateImpl):
1554         * bytecode/AccessCaseSnippetParams.cpp:
1555         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1556         * bytecode/ByValInfo.h:
1557         (JSC::ByValInfo::ByValInfo):
1558         * bytecode/CallLinkInfo.cpp:
1559         (JSC::CallLinkInfo::callReturnLocation):
1560         (JSC::CallLinkInfo::patchableJump):
1561         (JSC::CallLinkInfo::hotPathBegin):
1562         (JSC::CallLinkInfo::slowPathStart):
1563         * bytecode/CallLinkInfo.h:
1564         (JSC::CallLinkInfo::setCallLocations):
1565         (JSC::CallLinkInfo::hotPathOther):
1566         * bytecode/CodeBlock.cpp:
1567         (JSC::CodeBlock::finishCreation):
1568         * bytecode/GetByIdStatus.cpp:
1569         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1570         * bytecode/GetByIdVariant.cpp:
1571         (JSC::GetByIdVariant::GetByIdVariant):
1572         (JSC::GetByIdVariant::dumpInContext const):
1573         * bytecode/GetByIdVariant.h:
1574         (JSC::GetByIdVariant::customAccessorGetter const):
1575         * bytecode/GetterSetterAccessCase.cpp:
1576         (JSC::GetterSetterAccessCase::create):
1577         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1578         (JSC::GetterSetterAccessCase::dumpImpl const):
1579         * bytecode/GetterSetterAccessCase.h:
1580         (JSC::GetterSetterAccessCase::customAccessor const):
1581         (): Deleted.
1582         * bytecode/HandlerInfo.h:
1583         (JSC::HandlerInfo::initialize):
1584         * bytecode/InlineAccess.cpp:
1585         (JSC::linkCodeInline):
1586         (JSC::InlineAccess::rewireStubAsJump):
1587         * bytecode/InlineAccess.h:
1588         * bytecode/JumpTable.h:
1589         (JSC::StringJumpTable::ctiForValue):
1590         (JSC::SimpleJumpTable::ctiForValue):
1591         * bytecode/LLIntCallLinkInfo.h:
1592         (JSC::LLIntCallLinkInfo::unlink):
1593         * bytecode/PolymorphicAccess.cpp:
1594         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1595         (JSC::PolymorphicAccess::regenerate):
1596         * bytecode/PolymorphicAccess.h:
1597         (JSC::AccessGenerationResult::AccessGenerationResult):
1598         (JSC::AccessGenerationResult::code const):
1599         * bytecode/StructureStubInfo.h:
1600         (JSC::StructureStubInfo::slowPathCallLocation):
1601         (JSC::StructureStubInfo::doneLocation):
1602         (JSC::StructureStubInfo::slowPathStartLocation):
1603         (JSC::StructureStubInfo::patchableJumpForIn):
1604         * dfg/DFGCommonData.h:
1605         (JSC::DFG::CommonData::appendCatchEntrypoint):
1606         * dfg/DFGDisassembler.cpp:
1607         (JSC::DFG::Disassembler::dumpDisassembly):
1608         * dfg/DFGDriver.h:
1609         * dfg/DFGJITCompiler.cpp:
1610         (JSC::DFG::JITCompiler::linkOSRExits):
1611         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1612         (JSC::DFG::JITCompiler::link):
1613         (JSC::DFG::JITCompiler::compileFunction):
1614         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1615         * dfg/DFGJITCompiler.h:
1616         (JSC::DFG::CallLinkRecord::CallLinkRecord):
1617         (JSC::DFG::JITCompiler::appendCall):
1618         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
1619         (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
1620         (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
1621         * dfg/DFGJITFinalizer.cpp:
1622         (JSC::DFG::JITFinalizer::JITFinalizer):
1623         (JSC::DFG::JITFinalizer::finalize):
1624         (JSC::DFG::JITFinalizer::finalizeFunction):
1625         * dfg/DFGJITFinalizer.h:
1626         * dfg/DFGJumpReplacement.h:
1627         (JSC::DFG::JumpReplacement::JumpReplacement):
1628         * dfg/DFGNode.h:
1629         * dfg/DFGOSREntry.cpp:
1630         (JSC::DFG::prepareOSREntry):
1631         (JSC::DFG::prepareCatchOSREntry):
1632         * dfg/DFGOSREntry.h:
1633         (JSC::DFG::prepareOSREntry):
1634         * dfg/DFGOSRExit.cpp:
1635         (JSC::DFG::OSRExit::executeOSRExit):
1636         (JSC::DFG::reifyInlinedCallFrames):
1637         (JSC::DFG::adjustAndJumpToTarget):
1638         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1639         (JSC::DFG::OSRExit::emitRestoreArguments):
1640         (JSC::DFG::OSRExit::compileOSRExit):
1641         * dfg/DFGOSRExit.h:
1642         * dfg/DFGOSRExitCompilerCommon.cpp:
1643         (JSC::DFG::handleExitCounts):
1644         (JSC::DFG::reifyInlinedCallFrames):
1645         (JSC::DFG::osrWriteBarrier):
1646         (JSC::DFG::adjustAndJumpToTarget):
1647         * dfg/DFGOperations.cpp:
1648         * dfg/DFGSlowPathGenerator.h:
1649         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
1650         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
1651         (JSC::DFG::slowPathCall):
1652         * dfg/DFGSpeculativeJIT.cpp:
1653         (JSC::DFG::SpeculativeJIT::compileMathIC):
1654         (JSC::DFG::SpeculativeJIT::compileCallDOM):
1655         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1656         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1657         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1658         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1659         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1660         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1661         (JSC::DFG::SpeculativeJIT::cachedPutById):
1662         * dfg/DFGSpeculativeJIT.h:
1663         (JSC::DFG::SpeculativeJIT::callOperation):
1664         (JSC::DFG::SpeculativeJIT::appendCall):
1665         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1666         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1667         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1668         * dfg/DFGSpeculativeJIT64.cpp:
1669         (JSC::DFG::SpeculativeJIT::cachedGetById):
1670         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1671         (JSC::DFG::SpeculativeJIT::compile):
1672         * dfg/DFGThunks.cpp:
1673         (JSC::DFG::osrExitThunkGenerator):
1674         (JSC::DFG::osrExitGenerationThunkGenerator):
1675         (JSC::DFG::osrEntryThunkGenerator):
1676         * dfg/DFGThunks.h:
1677         * disassembler/ARM64Disassembler.cpp:
1678         (JSC::tryToDisassemble):
1679         * disassembler/ARMv7Disassembler.cpp:
1680         (JSC::tryToDisassemble):
1681         * disassembler/Disassembler.cpp:
1682         (JSC::disassemble):
1683         (JSC::disassembleAsynchronously):
1684         * disassembler/Disassembler.h:
1685         (JSC::tryToDisassemble):
1686         * disassembler/UDis86Disassembler.cpp:
1687         (JSC::tryToDisassembleWithUDis86):
1688         * disassembler/UDis86Disassembler.h:
1689         (JSC::tryToDisassembleWithUDis86):
1690         * disassembler/X86Disassembler.cpp:
1691         (JSC::tryToDisassemble):
1692         * ftl/FTLCompile.cpp:
1693         (JSC::FTL::compile):
1694         * ftl/FTLExceptionTarget.cpp:
1695         (JSC::FTL::ExceptionTarget::label):
1696         (JSC::FTL::ExceptionTarget::jumps):
1697         * ftl/FTLExceptionTarget.h:
1698         * ftl/FTLGeneratedFunction.h:
1699         * ftl/FTLJITCode.cpp:
1700         (JSC::FTL::JITCode::initializeB3Code):
1701         (JSC::FTL::JITCode::initializeAddressForCall):
1702         (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
1703         (JSC::FTL::JITCode::addressForCall):
1704         (JSC::FTL::JITCode::executableAddressAtOffset):
1705         * ftl/FTLJITCode.h:
1706         (JSC::FTL::JITCode::b3Code const):
1707         * ftl/FTLJITFinalizer.cpp:
1708         (JSC::FTL::JITFinalizer::finalizeCommon):
1709         * ftl/FTLLazySlowPath.cpp:
1710         (JSC::FTL::LazySlowPath::initialize):
1711         (JSC::FTL::LazySlowPath::generate):
1712         * ftl/FTLLazySlowPath.h:
1713         (JSC::FTL::LazySlowPath::patchableJump const):
1714         (JSC::FTL::LazySlowPath::done const):
1715         (JSC::FTL::LazySlowPath::stub const):
1716         * ftl/FTLLazySlowPathCall.h:
1717         (JSC::FTL::createLazyCallGenerator):
1718         * ftl/FTLLink.cpp:
1719         (JSC::FTL::link):
1720         * ftl/FTLLowerDFGToB3.cpp:
1721         (JSC::FTL::DFG::LowerDFGToB3::lower):
1722         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1723         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1724         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1725         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1726         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1727         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1728         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
1729         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1730         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1731         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
1732         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1733         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1734         * ftl/FTLOSRExit.cpp:
1735         (JSC::FTL::OSRExit::codeLocationForRepatch const):
1736         * ftl/FTLOSRExit.h:
1737         * ftl/FTLOSRExitCompiler.cpp:
1738         (JSC::FTL::compileStub):
1739         (JSC::FTL::compileFTLOSRExit):
1740         * ftl/FTLOSRExitHandle.cpp:
1741         (JSC::FTL::OSRExitHandle::emitExitThunk):
1742         * ftl/FTLOperations.cpp:
1743         (JSC::FTL::compileFTLLazySlowPath):
1744         * ftl/FTLPatchpointExceptionHandle.cpp:
1745         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
1746         * ftl/FTLSlowPathCall.cpp:
1747         (JSC::FTL::SlowPathCallContext::keyWithTarget const):
1748         (JSC::FTL::SlowPathCallContext::makeCall):
1749         * ftl/FTLSlowPathCall.h:
1750         (JSC::FTL::callOperation):
1751         * ftl/FTLSlowPathCallKey.cpp:
1752         (JSC::FTL::SlowPathCallKey::dump const):
1753         * ftl/FTLSlowPathCallKey.h:
1754         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1755         (JSC::FTL::SlowPathCallKey::callTarget const):
1756         (JSC::FTL::SlowPathCallKey::withCallTarget):
1757         (JSC::FTL::SlowPathCallKey::hash const):
1758         (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
1759         * ftl/FTLState.cpp:
1760         (JSC::FTL::State::State):
1761         * ftl/FTLThunks.cpp:
1762         (JSC::FTL::genericGenerationThunkGenerator):
1763         (JSC::FTL::osrExitGenerationThunkGenerator):
1764         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1765         (JSC::FTL::slowPathCallThunkGenerator):
1766         * ftl/FTLThunks.h:
1767         (JSC::FTL::generateIfNecessary):
1768         (JSC::FTL::keyForThunk):
1769         (JSC::FTL::Thunks::getSlowPathCallThunk):
1770         (JSC::FTL::Thunks::keyForSlowPathCallThunk):
1771         * interpreter/InterpreterInlines.h:
1772         (JSC::Interpreter::getOpcodeID):
1773         * jit/AssemblyHelpers.cpp:
1774         (JSC::AssemblyHelpers::callExceptionFuzz):
1775         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1776         (JSC::AssemblyHelpers::debugCall):
1777         * jit/CCallHelpers.cpp:
1778         (JSC::CCallHelpers::ensureShadowChickenPacket):
1779         * jit/ExecutableAllocator.cpp:
1780         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1781         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1782         * jit/ExecutableAllocator.h:
1783         (JSC::performJITMemcpy):
1784         * jit/GCAwareJITStubRoutine.cpp:
1785         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
1786         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
1787         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
1788         (JSC::createJITStubRoutine):
1789         * jit/GCAwareJITStubRoutine.h:
1790         (JSC::createJITStubRoutine):
1791         * jit/JIT.cpp:
1792         (JSC::ctiPatchCallByReturnAddress):
1793         (JSC::JIT::compileWithoutLinking):
1794         (JSC::JIT::link):
1795         (JSC::JIT::privateCompileExceptionHandlers):
1796         * jit/JIT.h:
1797         (JSC::CallRecord::CallRecord):
1798         * jit/JITArithmetic.cpp:
1799         (JSC::JIT::emitMathICFast):
1800         (JSC::JIT::emitMathICSlow):
1801         * jit/JITCall.cpp:
1802         (JSC::JIT::compileOpCallSlowCase):
1803         * jit/JITCall32_64.cpp:
1804         (JSC::JIT::compileOpCallSlowCase):
1805         * jit/JITCode.cpp:
1806         (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
1807         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1808         (JSC::DirectJITCode::DirectJITCode):
1809         (JSC::DirectJITCode::initializeCodeRef):
1810         (JSC::DirectJITCode::addressForCall):
1811         (JSC::NativeJITCode::NativeJITCode):
1812         (JSC::NativeJITCode::initializeCodeRef):
1813         (JSC::NativeJITCode::addressForCall):
1814         * jit/JITCode.h:
1815         * jit/JITCodeMap.h:
1816         (JSC::JITCodeMap::Entry::Entry):
1817         (JSC::JITCodeMap::Entry::codeLocation):
1818         (JSC::JITCodeMap::append):
1819         (JSC::JITCodeMap::find const):
1820         * jit/JITDisassembler.cpp:
1821         (JSC::JITDisassembler::dumpDisassembly):
1822         * jit/JITExceptions.cpp:
1823         (JSC::genericUnwind):
1824         * jit/JITInlineCacheGenerator.cpp:
1825         (JSC::JITByIdGenerator::finalize):
1826         * jit/JITInlines.h:
1827         (JSC::JIT::emitNakedCall):
1828         (JSC::JIT::emitNakedTailCall):
1829         (JSC::JIT::appendCallWithExceptionCheck):
1830         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
1831         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1832         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1833         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1834         * jit/JITMathIC.h:
1835         (JSC::isProfileEmpty):
1836         * jit/JITOpcodes.cpp:
1837         (JSC::JIT::emit_op_catch):
1838         (JSC::JIT::emit_op_switch_imm):
1839         (JSC::JIT::emit_op_switch_char):
1840         (JSC::JIT::emit_op_switch_string):
1841         (JSC::JIT::privateCompileHasIndexedProperty):
1842         (JSC::JIT::emitSlow_op_has_indexed_property):
1843         * jit/JITOpcodes32_64.cpp:
1844         (JSC::JIT::privateCompileHasIndexedProperty):
1845         * jit/JITOperations.cpp:
1846         (JSC::getByVal):
1847         * jit/JITPropertyAccess.cpp:
1848         (JSC::JIT::stringGetByValStubGenerator):
1849         (JSC::JIT::emitGetByValWithCachedId):
1850         (JSC::JIT::emitSlow_op_get_by_val):
1851         (JSC::JIT::emitPutByValWithCachedId):
1852         (JSC::JIT::emitSlow_op_put_by_val):
1853         (JSC::JIT::emitSlow_op_try_get_by_id):
1854         (JSC::JIT::emitSlow_op_get_by_id_direct):
1855         (JSC::JIT::emitSlow_op_get_by_id):
1856         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1857         (JSC::JIT::emitSlow_op_put_by_id):
1858         (JSC::JIT::privateCompileGetByVal):
1859         (JSC::JIT::privateCompileGetByValWithCachedId):
1860         (JSC::JIT::privateCompilePutByVal):
1861         (JSC::JIT::privateCompilePutByValWithCachedId):
1862         * jit/JITPropertyAccess32_64.cpp:
1863         (JSC::JIT::stringGetByValStubGenerator):
1864         (JSC::JIT::emitSlow_op_get_by_val):
1865         (JSC::JIT::emitSlow_op_put_by_val):
1866         * jit/JITStubRoutine.h:
1867         (JSC::JITStubRoutine::JITStubRoutine):
1868         (JSC::JITStubRoutine::createSelfManagedRoutine):
1869         (JSC::JITStubRoutine::code const):
1870         (JSC::JITStubRoutine::asCodePtr):
1871         * jit/JITThunks.cpp:
1872         (JSC::JITThunks::ctiNativeCall):
1873         (JSC::JITThunks::ctiNativeConstruct):
1874         (JSC::JITThunks::ctiNativeTailCall):
1875         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
1876         (JSC::JITThunks::ctiInternalFunctionCall):
1877         (JSC::JITThunks::ctiInternalFunctionConstruct):
1878         (JSC::JITThunks::ctiStub):
1879         (JSC::JITThunks::existingCTIStub):
1880         (JSC::JITThunks::hostFunctionStub):
1881         * jit/JITThunks.h:
1882         * jit/PCToCodeOriginMap.cpp:
1883         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
1884         * jit/PCToCodeOriginMap.h:
1885         * jit/PolymorphicCallStubRoutine.cpp:
1886         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1887         * jit/PolymorphicCallStubRoutine.h:
1888         * jit/Repatch.cpp:
1889         (JSC::readPutICCallTarget):
1890         (JSC::ftlThunkAwareRepatchCall):
1891         (JSC::appropriateOptimizingGetByIdFunction):
1892         (JSC::appropriateGetByIdFunction):
1893         (JSC::tryCacheGetByID):
1894         (JSC::repatchGetByID):
1895         (JSC::tryCachePutByID):
1896         (JSC::repatchPutByID):
1897         (JSC::tryCacheIn):
1898         (JSC::repatchIn):
1899         (JSC::linkSlowFor):
1900         (JSC::linkFor):
1901         (JSC::linkDirectFor):
1902         (JSC::revertCall):
1903         (JSC::unlinkFor):
1904         (JSC::linkVirtualFor):
1905         (JSC::linkPolymorphicCall):
1906         (JSC::resetGetByID):
1907         (JSC::resetPutByID):
1908         * jit/Repatch.h:
1909         * jit/SlowPathCall.h:
1910         (JSC::JITSlowPathCall::call):
1911         * jit/SpecializedThunkJIT.h:
1912         (JSC::SpecializedThunkJIT::finalize):
1913         (JSC::SpecializedThunkJIT::callDoubleToDouble):
1914         (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
1915         * jit/ThunkGenerator.h:
1916         * jit/ThunkGenerators.cpp:
1917         (JSC::throwExceptionFromCallSlowPathGenerator):
1918         (JSC::slowPathFor):
1919         (JSC::linkCallThunkGenerator):
1920         (JSC::linkPolymorphicCallThunkGenerator):
1921         (JSC::virtualThunkFor):
1922         (JSC::nativeForGenerator):
1923         (JSC::nativeCallGenerator):
1924         (JSC::nativeTailCallGenerator):
1925         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1926         (JSC::nativeConstructGenerator):
1927         (JSC::internalFunctionCallGenerator):
1928         (JSC::internalFunctionConstructGenerator):
1929         (JSC::arityFixupGenerator):
1930         (JSC::unreachableGenerator):
1931         (JSC::charCodeAtThunkGenerator):
1932         (JSC::charAtThunkGenerator):
1933         (JSC::fromCharCodeThunkGenerator):
1934         (JSC::clz32ThunkGenerator):
1935         (JSC::sqrtThunkGenerator):
1936         (JSC::floorThunkGenerator):
1937         (JSC::ceilThunkGenerator):
1938         (JSC::truncThunkGenerator):
1939         (JSC::roundThunkGenerator):
1940         (JSC::expThunkGenerator):
1941         (JSC::logThunkGenerator):
1942         (JSC::absThunkGenerator):
1943         (JSC::imulThunkGenerator):
1944         (JSC::randomThunkGenerator):
1945         (JSC::boundThisNoArgsFunctionCallGenerator):
1946         * jit/ThunkGenerators.h:
1947         * llint/LLIntData.cpp:
1948         (JSC::LLInt::initialize):
1949         * llint/LLIntData.h:
1950         (JSC::LLInt::getExecutableAddress):
1951         (JSC::LLInt::getCodePtr):
1952         (JSC::LLInt::getCodeRef):
1953         (JSC::LLInt::getCodeFunctionPtr):
1954         * llint/LLIntEntrypoint.cpp:
1955         (JSC::LLInt::setFunctionEntrypoint):
1956         (JSC::LLInt::setEvalEntrypoint):
1957         (JSC::LLInt::setProgramEntrypoint):
1958         (JSC::LLInt::setModuleProgramEntrypoint):
1959         * llint/LLIntExceptions.cpp:
1960         (JSC::LLInt::callToThrow):
1961         * llint/LLIntSlowPaths.cpp:
1962         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1963         (JSC::LLInt::setUpCall):
1964         * llint/LLIntThunks.cpp:
1965         (JSC::vmEntryToWasm):
1966         (JSC::LLInt::generateThunkWithJumpTo):
1967         (JSC::LLInt::functionForCallEntryThunkGenerator):
1968         (JSC::LLInt::functionForConstructEntryThunkGenerator):
1969         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
1970         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
1971         (JSC::LLInt::evalEntryThunkGenerator):
1972         (JSC::LLInt::programEntryThunkGenerator):
1973         (JSC::LLInt::moduleProgramEntryThunkGenerator):
1974         * llint/LLIntThunks.h:
1975         * llint/LowLevelInterpreter.asm:
1976         * llint/LowLevelInterpreter32_64.asm:
1977         * llint/LowLevelInterpreter64.asm:
1978         * profiler/ProfilerCompilation.cpp:
1979         (JSC::Profiler::Compilation::addOSRExitSite):
1980         * profiler/ProfilerCompilation.h:
1981         * profiler/ProfilerOSRExitSite.cpp:
1982         (JSC::Profiler::OSRExitSite::toJS const):
1983         * profiler/ProfilerOSRExitSite.h:
1984         (JSC::Profiler::OSRExitSite::OSRExitSite):
1985         (JSC::Profiler::OSRExitSite::codeAddress const):
1986         (JSC::Profiler::OSRExitSite:: const): Deleted.
1987         * runtime/ExecutableBase.cpp:
1988         (JSC::ExecutableBase::clearCode):
1989         * runtime/ExecutableBase.h:
1990         (JSC::ExecutableBase::entrypointFor):
1991         * runtime/NativeExecutable.cpp:
1992         (JSC::NativeExecutable::finishCreation):
1993         * runtime/NativeFunction.h:
1994         (JSC::TaggedNativeFunction::TaggedNativeFunction):
1995         (JSC::TaggedNativeFunction::operator NativeFunction):
1996         * runtime/PtrTag.h:
1997         (JSC::tagCodePtr):
1998         (JSC::untagCodePtr):
1999         (JSC::retagCodePtr):
2000         (JSC::tagCFunctionPtr):
2001         (JSC::untagCFunctionPtr):
2002         (JSC::nextPtrTagID): Deleted.
2003         * runtime/PutPropertySlot.h:
2004         (JSC::PutPropertySlot::PutPropertySlot):
2005         (JSC::PutPropertySlot::setCustomValue):
2006         (JSC::PutPropertySlot::setCustomAccessor):
2007         (JSC::PutPropertySlot::customSetter const):
2008         * runtime/ScriptExecutable.cpp:
2009         (JSC::ScriptExecutable::installCode):
2010         * runtime/VM.cpp:
2011         (JSC::VM::getHostFunction):
2012         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2013         * runtime/VM.h:
2014         (JSC::VM::getCTIStub):
2015         * wasm/WasmB3IRGenerator.cpp:
2016         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2017         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
2018         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2019         (JSC::Wasm::B3IRGenerator::addCall):
2020         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2021         * wasm/WasmBBQPlan.cpp:
2022         (JSC::Wasm::BBQPlan::prepare):
2023         (JSC::Wasm::BBQPlan::complete):
2024         * wasm/WasmBBQPlan.h:
2025         * wasm/WasmBinding.cpp:
2026         (JSC::Wasm::wasmToWasm):
2027         * wasm/WasmBinding.h:
2028         * wasm/WasmCallee.h:
2029         (JSC::Wasm::Callee::entrypoint const):
2030         * wasm/WasmCallingConvention.h:
2031         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
2032         * wasm/WasmCodeBlock.h:
2033         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
2034         * wasm/WasmFaultSignalHandler.cpp:
2035         (JSC::Wasm::trapHandler):
2036         * wasm/WasmFormat.h:
2037         * wasm/WasmInstance.h:
2038         * wasm/WasmOMGPlan.cpp:
2039         (JSC::Wasm::OMGPlan::work):
2040         * wasm/WasmThunks.cpp:
2041         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2042         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2043         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2044         (JSC::Wasm::Thunks::stub):
2045         (JSC::Wasm::Thunks::existingStub):
2046         * wasm/WasmThunks.h:
2047         * wasm/js/JSToWasm.cpp:
2048         (JSC::Wasm::createJSToWasmWrapper):
2049         * wasm/js/JSWebAssemblyCodeBlock.h:
2050         * wasm/js/WasmToJS.cpp:
2051         (JSC::Wasm::handleBadI64Use):
2052         (JSC::Wasm::wasmToJS):
2053         * wasm/js/WasmToJS.h:
2054         * wasm/js/WebAssemblyFunction.h:
2055         * yarr/YarrJIT.cpp:
2056         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
2057         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
2058         (JSC::Yarr::YarrGenerator::compile):
2059         * yarr/YarrJIT.h:
2060         (JSC::Yarr::YarrCodeBlock::set8BitCode):
2061         (JSC::Yarr::YarrCodeBlock::set16BitCode):
2062         (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
2063         (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
2064         (JSC::Yarr::YarrCodeBlock::execute):
2065         (JSC::Yarr::YarrCodeBlock::clear):
2066
2067 2018-04-17  Commit Queue  <commit-queue@webkit.org>
2068
2069         Unreviewed, rolling out r230697, r230720, and r230724.
2070         https://bugs.webkit.org/show_bug.cgi?id=184717
2071
2072         These caused multiple failures on the Test262 testers.
2073         (Requested by mlewis13 on #webkit).
2074
2075         Reverted changesets:
2076
2077         "[WebAssembly][Modules] Prototype wasm import"
2078         https://bugs.webkit.org/show_bug.cgi?id=184600
2079         https://trac.webkit.org/changeset/230697
2080
2081         "[WebAssembly][Modules] Implement function import from wasm
2082         modules"
2083         https://bugs.webkit.org/show_bug.cgi?id=184689
2084         https://trac.webkit.org/changeset/230720
2085
2086         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
2087         https://bugs.webkit.org/show_bug.cgi?id=184703
2088         https://trac.webkit.org/changeset/230724
2089
2090 2018-04-17  JF Bastien  <jfbastien@apple.com>
2091
2092         A put is not an ExistingProperty put when we transition a structure because of an attributes change
2093         https://bugs.webkit.org/show_bug.cgi?id=184706
2094         <rdar://problem/38871451>
2095
2096         Reviewed by Saam Barati.
2097
2098         When putting a property on a structure and the slot is a different
2099         type, the slot can't be said to have already existed.
2100
2101         * runtime/JSObjectInlines.h:
2102         (JSC::JSObject::putDirectInternal):
2103
2104 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2105
2106         JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
2107         https://bugs.webkit.org/show_bug.cgi?id=184705
2108
2109         Reviewed by Michael Saboff.
2110         
2111         My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
2112         while testing an unrelated patch, a concurrent GC thread crashed inside
2113         JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
2114         because a typed array became wasteful concurrently with the GC. So, visitChildren() read one
2115         mode and another vector.
2116         
2117         The fix is to lock inside visitChildren and anyone who changes those fields.
2118         
2119         I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
2120         this.
2121
2122         * runtime/JSArrayBufferView.cpp:
2123         (JSC::JSArrayBufferView::neuter):
2124         * runtime/JSGenericTypedArrayViewInlines.h:
2125         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2126         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2127
2128 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
2129
2130         PutStackSinkingPhase should know that KillStack means ConflictingFlush
2131         https://bugs.webkit.org/show_bug.cgi?id=184672
2132
2133         Reviewed by Michael Saboff.
2134
2135         We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
2136         KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
2137         archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
2138         intentional - I don't know.
2139
2140         Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
2141         doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
2142         the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
2143         KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
2144         that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
2145         specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
2146         could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
2147         KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
2148         inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
2149         have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
2150         values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
2151         value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
2152
2153         This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
2154         them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
2155         its stack slot for the purpose of clobberize.
2156
2157         * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
2158         * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
2159         * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
2160         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
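
The lattice argument in the entry above, as an added toy model (this is not DFG's PutStackSinkingPhase or any other JavaScriptCore code): a stack slot's forward-flow state is DeadFlush, ConflictingFlush, or a specific flush format, joins merge those states as the entry describes, and KillStack is handled under each of the three policies the entry discusses. The Int32/Double format labels and the op names are the example's own illustrative choices.

```cpp
#include <iostream>
#include <vector>

// Flush state of one stack slot, following the entry's three-way lattice.
enum class FlushKind { DeadFlush, ConflictingFlush, Specific };
enum class Format { Int32, Double };   // illustrative flush formats

struct FlushState {
    FlushKind kind;
    Format format;   // meaningful only when kind == Specific
};

FlushState deadFlush() { return {FlushKind::DeadFlush, Format::Int32}; }
FlushState conflictingFlush() { return {FlushKind::ConflictingFlush, Format::Int32}; }
FlushState specificFlush(Format f) { return {FlushKind::Specific, f}; }

// Merge at a control-flow join: DeadFlush is the identity, ConflictingFlush absorbs
// everything, and two specific formats either agree or collapse to ConflictingFlush.
FlushState merge(FlushState a, FlushState b) {
    if (a.kind == FlushKind::DeadFlush) return b;
    if (b.kind == FlushKind::DeadFlush) return a;
    if (a.kind == FlushKind::ConflictingFlush || b.kind == FlushKind::ConflictingFlush)
        return conflictingFlush();
    return a.format == b.format ? a : conflictingFlush();
}

// The three treatments of KillStack that the entry weighs against each other.
enum class KillStackPolicy { Ignore, TreatAsDeadFlush, TreatAsConflictingFlush };

enum class Op { PutStackInt32, PutStackDouble, KillStack };

// Forward-flow state of the slot after executing one straight-line path.
FlushState runPath(const std::vector<Op>& path, KillStackPolicy policy) {
    FlushState state = deadFlush();
    for (Op op : path) {
        switch (op) {
        case Op::PutStackInt32:  state = specificFlush(Format::Int32); break;
        case Op::PutStackDouble: state = specificFlush(Format::Double); break;
        case Op::KillStack:
            if (policy == KillStackPolicy::TreatAsDeadFlush)
                state = deadFlush();
            else if (policy == KillStackPolicy::TreatAsConflictingFlush)
                state = conflictingFlush();
            // Ignore: the state is left untouched, which is the pre-fix behaviour.
            break;
        }
    }
    return state;
}

// Sinking a PutStack below a join is only considered when the merged state is one
// specific format. One predecessor flushes an Int32; the other flushes and then kills
// the slot. Only the ConflictingFlush policy refuses to sink past the KillStack.
bool sinkingAllowedAtJoin(KillStackPolicy policy) {
    FlushState left = runPath({Op::PutStackInt32}, policy);
    FlushState right = runPath({Op::PutStackInt32, Op::KillStack}, policy);
    return merge(left, right).kind == FlushKind::Specific;
}

int main() {
    std::cout << "ignore KillStack:            sink=" << sinkingAllowedAtJoin(KillStackPolicy::Ignore) << '\n';
    std::cout << "KillStack as DeadFlush:      sink=" << sinkingAllowedAtJoin(KillStackPolicy::TreatAsDeadFlush) << '\n';
    std::cout << "KillStack as ConflictingFlush: sink=" << sinkingAllowedAtJoin(KillStackPolicy::TreatAsConflictingFlush) << '\n';
    return 0;
}
```

Both the "ignore" and the "DeadFlush" policies let the merged state stay Specific, so the PutStack would be sunk below the join and end up after the KillStack along the right-hand path; treating KillStack as ConflictingFlush is the only policy under which the join refuses.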
2161
2162 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2163
2164         JSWebAssemblyCodeBlock should be in an IsoSubspace
2165         https://bugs.webkit.org/show_bug.cgi?id=184704
2166
2167         Reviewed by Mark Lam.
2168         
2169         Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
2170         CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
2171         short-circuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
2172         protection.
2173
2174         * runtime/VM.cpp:
2175         (JSC::VM::VM):
2176         * runtime/VM.h:
2177         * wasm/js/JSWebAssemblyCodeBlock.h:
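
The UAF-protection property the entry attributes to the iso allocator, shown with an added toy model (this is not JavaScriptCore's IsoSubspace or its iso allocator; the class and type names are the example's own). Both allocators carve fixed-size cells out of one arena and recycle freed cells through free lists; the only difference is whether a freed cell may be handed out again for a different type.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <vector>

using TypeId = int;
constexpr std::size_t kCellSize = 32;   // a single size class, chosen for the demo

// Bump arena shared by both allocator models: hands out fresh cells until it runs dry.
class Arena {
public:
    explicit Arena(std::size_t cellCount) : storage_(cellCount * kCellSize) {}

    void* bump() {
        if (next_ + kCellSize > storage_.size())
            return nullptr;                       // exhausted; callers must check
        void* cell = storage_.data() + next_;
        next_ += kCellSize;
        return cell;
    }

private:
    std::vector<unsigned char> storage_;
    std::size_t next_ = 0;
};

// Size-class allocator that mixes types: any freed cell of the right size is reused
// for the next allocation, whatever type it held before.
class SharedAllocator {
public:
    explicit SharedAllocator(std::size_t cellCount) : arena_(cellCount) {}

    void* allocate(TypeId) {
        if (!freeList_.empty()) {
            void* cell = freeList_.back();
            freeList_.pop_back();
            return cell;
        }
        return arena_.bump();
    }

    void deallocate(void* cell, TypeId) { freeList_.push_back(cell); }

private:
    Arena arena_;
    std::vector<void*> freeList_;
};

// Iso allocator: one free list per type, so a cell that once held a T is only ever
// handed out again for another T. A dangling T* may alias a newer T, never an object
// of a different type, which is what limits type confusion after a use-after-free.
class IsoAllocator {
public:
    explicit IsoAllocator(std::size_t cellCount) : arena_(cellCount) {}

    void* allocate(TypeId type) {
        std::vector<void*>& freeList = freeLists_[type];
        if (!freeList.empty()) {
            void* cell = freeList.back();
            freeList.pop_back();
            return cell;
        }
        return arena_.bump();
    }

    void deallocate(void* cell, TypeId type) { freeLists_[type].push_back(cell); }

private:
    Arena arena_;
    std::map<TypeId, std::vector<void*>> freeLists_;
};

constexpr TypeId kTypeA = 1;   // e.g. a code block
constexpr TypeId kTypeB = 2;   // an unrelated object of the same size

// Free an A, keep the stale pointer, then allocate a B from the same size class.
// Returns true when the stale A pointer now points at the B.
template <typename Allocator>
bool stalePointerAliasesOtherType(Allocator& allocator) {
    void* a = allocator.allocate(kTypeA);
    allocator.deallocate(a, kTypeA);        // 'a' is now dangling
    void* b = allocator.allocate(kTypeB);
    return a == b;
}

// Same sequence, but the second allocation is another A: the iso allocator does
// recycle the cell here, so memory is not wasted by the segregation.
template <typename Allocator>
bool stalePointerReusedForSameType(Allocator& allocator) {
    void* a = allocator.allocate(kTypeA);
    allocator.deallocate(a, kTypeA);
    return a == allocator.allocate(kTypeA);
}

int main() {
    SharedAllocator shared(8);
    IsoAllocator iso(8);
    std::cout << "shared allocator: stale A* aliases a B: " << stalePointerAliasesOtherType(shared) << '\n';
    std::cout << "iso allocator:    stale A* aliases a B: " << stalePointerAliasesOtherType(iso) << '\n';
    return 0;
}
```

The model deliberately never returns cells to the system, matching the observation that segregation only helps while the address stays bound to its original type; the cost is the per-type free list, which is the bookkeeping trade-off the entry is weighing.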
2178
2179 2018-04-17  Jer Noble  <jer.noble@apple.com>
2180
2181         Only enable useSeparatedWXHeap on ARM64.
2182         https://bugs.webkit.org/show_bug.cgi?id=184697
2183
2184         Reviewed by Saam Barati.
2185
2186         * runtime/Options.cpp:
2187         (JSC::recomputeDependentOptions):
2188
2189 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2190
2191         [WebAssembly][Modules] Implement function import from wasm modules
2192         https://bugs.webkit.org/show_bug.cgi?id=184689
2193
2194         Reviewed by JF Bastien.
2195
2196         This patch implements function import from wasm modules. We move the function importing part
2197         from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
2198         is because linking these functions requires that all the dependent modules are created.
2199         While we want to move all the linking functionality from JSWebAssemblyInstance to
2200         WebAssemblyModuleRecord::link, we do not do that in this patch. In this patch, we move only
2201         the function importing part because efficient compilation of WebAssembly needs to know
2202         the type of WebAssemblyMemory (signaling or bounds checking). This needs to know the imported
2203         or attached WebAssembly memory object. So we cannot defer this linking to
2204         WebAssemblyModuleRecord::link now.
2205
2206         The largest difference from JS module linking is that WebAssembly module linking links
2207         functions from the module by snapshotting. When you have a cyclic module graph like this,
2208
2209         -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
2210             ^                                                   |
2211             +---------------------------------------------------+
2212
2213         we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
2214         is described in [1], and tested in this patch.
2215
2216         [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
2217
2218         * JavaScriptCore.xcodeproj/project.pbxproj:
2219         * jsc.cpp:
2220         (functionDollarAgentStart):
2221         (checkException):
2222         (runWithOptions):
2223         Small fixes for wasm module loading.
2224
2225         * parser/NodesAnalyzeModule.cpp:
2226         (JSC::ImportDeclarationNode::analyzeModule):
2227         * runtime/AbstractModuleRecord.cpp:
2228         (JSC::AbstractModuleRecord::resolveImport):
2229         (JSC::AbstractModuleRecord::link):
2230         * runtime/AbstractModuleRecord.h:
2231         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
2232         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
2233         Now, wasm modules can have an import which is named "*", so this function does not work.
2234         Since wasm modules never have namespace importing, we check this in JS's module analyzer.
2235
2236         * runtime/JSModuleEnvironment.cpp:
2237         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2238         * runtime/JSModuleRecord.cpp:
2239         (JSC::JSModuleRecord::instantiateDeclarations):
2240         * wasm/WasmCreationMode.h: Added.
2241         * wasm/js/JSWebAssemblyInstance.cpp:
2242         (JSC::JSWebAssemblyInstance::finalizeCreation):
2243         (JSC::JSWebAssemblyInstance::create):
2244         * wasm/js/JSWebAssemblyInstance.h:
2245         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2246         (JSC::constructJSWebAssemblyInstance):
2247         * wasm/js/WebAssemblyModuleRecord.cpp:
2248         (JSC::WebAssemblyModuleRecord::link):
2249         * wasm/js/WebAssemblyModuleRecord.h:
2250         * wasm/js/WebAssemblyPrototype.cpp:
2251         (JSC::resolve):
2252         (JSC::instantiate):
2253         (JSC::compileAndInstantiate):
2254         (JSC::WebAssemblyPrototype::instantiate):
2255         (JSC::webAssemblyInstantiateFunc):
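
The cyclic-graph failure described above, as an added toy linker (this is not JavaScriptCore's module loader or any code from the patch; the Linker, Module and Import names and the post-order traversal are the example's own). JS modules resolve imports through live bindings, so a not-yet-instantiated dependency is tolerated, whereas a Wasm module snapshots each imported function at the moment it is instantiated. The same two modules link or fail depending only on which one is higher in the graph.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

enum class Kind { JS, Wasm };

struct Import {
    std::string module;    // module the function is imported from
    std::string function;  // export name in that module
};

struct Module {
    std::string name;
    Kind kind;
    std::vector<Import> imports;
    std::set<std::string> exports;   // function names this module exports
};

struct LinkResult {
    std::vector<std::string> order;  // modules in instantiation order
    std::string error;               // empty when linking succeeded
};

class Linker {
public:
    void add(Module m) {
        std::string key = m.name;
        modules_[key] = std::move(m);
    }

    LinkResult linkFrom(const std::string& root) {
        LinkResult result;
        std::set<std::string> visiting, done;
        visit(root, visiting, done, result);
        return result;
    }

private:
    // Post-order traversal: dependencies are instantiated before the module that
    // imports them, except for the edge that closes a cycle (already "visiting").
    void visit(const std::string& name, std::set<std::string>& visiting,
               std::set<std::string>& done, LinkResult& result) {
        if (!result.error.empty() || done.count(name) || visiting.count(name))
            return;
        visiting.insert(name);
        const Module& m = modules_.at(name);
        for (const Import& imp : m.imports)
            visit(imp.module, visiting, done, result);
        if (result.error.empty())
            instantiate(m, result);
        visiting.erase(name);
        done.insert(name);
    }

    void instantiate(const Module& m, LinkResult& result) {
        for (const Import& imp : m.imports) {
            const Module& provider = modules_.at(imp.module);
            if (!provider.exports.count(imp.function)) {
                result.error = m.name + ": " + imp.module + " has no export '" + imp.function + "'";
                return;
            }
            // Snapshot semantics apply only to Wasm: the exporter must already be
            // instantiated, or there is no function value to copy into the table.
            if (m.kind == Kind::Wasm && !instantiated_.count(imp.module)) {
                result.error = m.name + ": import '" + imp.function + "' from " + imp.module
                    + " is not instantiated yet";
                return;
            }
        }
        instantiated_.insert(m.name);
        result.order.push_back(m.name);
    }

    std::map<std::string, Module> modules_;
    std::set<std::string> instantiated_;
};

// The graph drawn in the entry: JS1 exports "fun", Wasm1 imports it, and JS1 in turn
// imports "run" from Wasm1. Entering the graph at JS1 reaches Wasm1 first, so the
// snapshot of "fun" fails.
LinkResult linkCycleWithJsHigher() {
    Linker linker;
    linker.add({"JS1", Kind::JS, {{"Wasm1", "run"}}, {"fun"}});
    linker.add({"Wasm1", Kind::Wasm, {{"JS1", "fun"}}, {"run"}});
    return linker.linkFrom("JS1");
}

// Same modules entered at Wasm1: JS1 is instantiated first (its live binding to "run"
// resolves later), so when Wasm1 snapshots "fun" the value already exists.
LinkResult linkCycleWithWasmHigher() {
    Linker linker;
    linker.add({"JS1", Kind::JS, {{"Wasm1", "run"}}, {"fun"}});
    linker.add({"Wasm1", Kind::Wasm, {{"JS1", "fun"}}, {"run"}});
    return linker.linkFrom("Wasm1");
}

int main() {
    for (LinkResult r : {linkCycleWithJsHigher(), linkCycleWithWasmHigher()}) {
        std::string status = r.error.empty() ? std::string("linked:") : "failed: " + r.error;
        std::cout << status;
        for (const std::string& name : r.order) std::cout << ' ' << name;
        std::cout << '\n';
    }
    return 0;
}
```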
2256
2257 2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>
2258
2259         Implement setupArgumentsImpl for ARM and MIPS
2260         https://bugs.webkit.org/show_bug.cgi?id=183786
2261
2262         Reviewed by Yusuke Suzuki.
2263
2264         Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling conventions. Added
2265         numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
2266         registers used for 64-bit values on 32-bit architectures. numCrossSources
2267         keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
2268
2269         * assembler/MacroAssemblerARMv7.h:
2270         (JSC::MacroAssemblerARMv7::moveDouble):
2271         * assembler/MacroAssemblerMIPS.h:
2272         (JSC::MacroAssemblerMIPS::moveDouble):
2273         * jit/CCallHelpers.h:
2274         (JSC::CCallHelpers::setupStubCrossArgs):
2275         (JSC::CCallHelpers::ArgCollection::ArgCollection):
2276         (JSC::CCallHelpers::ArgCollection::pushRegArg):
2277         (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
2278         (JSC::CCallHelpers::ArgCollection::addGPRArg):
2279         (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
2280         (JSC::CCallHelpers::ArgCollection::addStackArg):
2281         (JSC::CCallHelpers::ArgCollection::addPoke):
2282         (JSC::CCallHelpers::ArgCollection::argCount):
2283         (JSC::CCallHelpers::calculatePokeOffset):
2284         (JSC::CCallHelpers::pokeForArgument):
2285         (JSC::CCallHelpers::stackAligned):
2286         (JSC::CCallHelpers::marshallArgumentRegister):
2287         (JSC::CCallHelpers::setupArgumentsImpl):
2288         (JSC::CCallHelpers::pokeArgumentsAligned):
2289         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
2290         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
2291         (JSC::CCallHelpers::setupArguments):
2292         * jit/FPRInfo.h:
2293         (JSC::FPRInfo::toArgumentRegister):
2294
2295 2018-04-17  Saam Barati  <sbarati@apple.com>
2296
2297         Add system trace points for process launch and for initializeWebProcess
2298         https://bugs.webkit.org/show_bug.cgi?id=184669
2299
2300         Reviewed by Simon Fraser.
2301
2302         * runtime/VMEntryScope.cpp:
2303         (JSC::VMEntryScope::VMEntryScope):
2304         (JSC::VMEntryScope::~VMEntryScope):
2305
2306 2018-04-17  Jer Noble  <jer.noble@apple.com>
2307
2308         Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
2309         https://bugs.webkit.org/show_bug.cgi?id=184602
2310
2311         Reviewed by Beth Dakin.
2312
2313         * JavaScriptCore.xcodeproj/project.pbxproj:
2314
2315 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2316
2317         [GLIB] Add API to clear JSCContext uncaught exception
2318         https://bugs.webkit.org/show_bug.cgi?id=184685
2319
2320         Reviewed by Žan Doberšek.
2321
2322         Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
2323
2324         * API/glib/JSCContext.cpp:
2325         (jsc_context_clear_exception):
2326         * API/glib/JSCContext.h:
2327         * API/glib/docs/jsc-glib-4.0-sections.txt:
2328
2329 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2330
2331         [GLIB] Add API to query, delete and enumerate properties
2332         https://bugs.webkit.org/show_bug.cgi?id=184647
2333
2334         Reviewed by Michael Catanzaro.
2335
2336         Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
2337
2338         * API/glib/JSCValue.cpp:
2339         (jsc_value_object_has_property):
2340         (jsc_value_object_delete_property):
2341         (jsc_value_object_enumerate_properties):
2342         * API/glib/JSCValue.h:
2343         * API/glib/docs/jsc-glib-4.0-sections.txt:
2344
2345 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2346
2347         [WebAssembly][Modules] Prototype wasm import
2348         https://bugs.webkit.org/show_bug.cgi?id=184600
2349
2350         Reviewed by JF Bastien.
2351
2352         This patch is an initial attempt to implement Wasm loading in the module pipeline.
2353         Currently,
2354
2355         1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
2356            in whatwg HTML, we should integrate this into WebCore.
2357
2358         2. We only support exporting values from Wasm. A Wasm module cannot import anything from
2359            the other modules now.
2360
2361         When loading a file, the JSC shell checks the wasm magic. If the wasm magic is found, the JSC shell
2362         loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
2363         module loader pipeline just handles it the same as JS. When parsing a module, we
2364         check the type of the JSSourceCode. If the source code is Wasm source code, we create a
2365         WebAssemblyModuleRecord instead of a JSModuleRecord. Our module pipeline handles
2366         AbstractModuleRecord and the Wasm module is instantiated, linked, and evaluated.
2367
2368         * builtins/ModuleLoaderPrototype.js:
2369         (globalPrivate.newRegistryEntry):
2370         (requestInstantiate):
2371         (link):
2372         * jsc.cpp:
2373         (convertShebangToJSComment):
2374         (fillBufferWithContentsOfFile):
2375         (fetchModuleFromLocalFileSystem):
2376         (GlobalObject::moduleLoaderFetch):
2377         * parser/SourceProvider.h:
2378         (JSC::WebAssemblySourceProvider::create):
2379         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
2380         * runtime/AbstractModuleRecord.cpp:
2381         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2382         (JSC::AbstractModuleRecord::link):
2383         (JSC::AbstractModuleRecord::evaluate):
2384         (JSC::identifierToJSValue): Deleted.
2385         * runtime/AbstractModuleRecord.h:
2386         * runtime/JSModuleLoader.cpp:
2387         (JSC::JSModuleLoader::evaluate):
2388         * runtime/JSModuleRecord.cpp:
2389         (JSC::JSModuleRecord::link):
2390         (JSC::JSModuleRecord::instantiateDeclarations):
2391         * runtime/JSModuleRecord.h:
2392         * runtime/ModuleLoaderPrototype.cpp:
2393         (JSC::moduleLoaderPrototypeParseModule):
2394         (JSC::moduleLoaderPrototypeRequestedModules):
2395         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
2396         * wasm/js/JSWebAssemblyHelpers.h:
2397         (JSC::getWasmBufferFromValue):
2398         (JSC::createSourceBufferFromValue):
2399         * wasm/js/JSWebAssemblyInstance.cpp:
2400         (JSC::JSWebAssemblyInstance::finalizeCreation):
2401         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
2402         (JSC::JSWebAssemblyInstance::create):
2403         * wasm/js/JSWebAssemblyInstance.h:
2404         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2405         (JSC::constructJSWebAssemblyInstance):
2406         * wasm/js/WebAssemblyModuleRecord.cpp:
2407         (JSC::WebAssemblyModuleRecord::prepareLink):
2408         (JSC::WebAssemblyModuleRecord::link):
2409         * wasm/js/WebAssemblyModuleRecord.h:
2410         * wasm/js/WebAssemblyPrototype.cpp:
2411         (JSC::resolve):
2412         (JSC::instantiate):
2413         (JSC::compileAndInstantiate):
2414         (JSC::WebAssemblyPrototype::instantiate):
2415         (JSC::webAssemblyInstantiateFunc):
2416         (JSC::webAssemblyValidateFunc):
2417         * wasm/js/WebAssemblyPrototype.h:
2418
2419 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
2420
2421         Function.prototype.caller shouldn't return generator bodies
2422         https://bugs.webkit.org/show_bug.cgi?id=184630
2423
2424         Reviewed by Yusuke Suzuki.
2425         
2426         Function.prototype.caller no longer returns generator bodies. Those are meant to be
2427         private.
2428         
2429         Also added some builtin debugging tools so that it's easier to do the investigation that I
2430         did.
2431
2432         * builtins/BuiltinNames.h:
2433         * runtime/JSFunction.cpp:
2434         (JSC::JSFunction::callerGetter):
2435         * runtime/JSGlobalObject.cpp:
2436         (JSC::JSGlobalObject::init):
2437         * runtime/JSGlobalObjectFunctions.cpp:
2438         (JSC::globalFuncBuiltinDescribe):
2439         * runtime/JSGlobalObjectFunctions.h:
2440
2441 2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2442
2443         [DFG] Remove duplicate 32bit ProfileType implementation
2444         https://bugs.webkit.org/show_bug.cgi?id=184536
2445
2446         Reviewed by Saam Barati.
2447
2448         This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.
2449
2450         * dfg/DFGSpeculativeJIT.cpp:
2451         (JSC::DFG::SpeculativeJIT::compileProfileType):
2452         * dfg/DFGSpeculativeJIT.h:
2453         * dfg/DFGSpeculativeJIT32_64.cpp:
2454         (JSC::DFG::SpeculativeJIT::compile):
2455         * dfg/DFGSpeculativeJIT64.cpp:
2456         (JSC::DFG::SpeculativeJIT::compile):
2457         * jit/AssemblyHelpers.h:
2458         (JSC::AssemblyHelpers::branchIfUndefined):
2459         (JSC::AssemblyHelpers::branchIfNull):
2460
2461 2018-04-12  Mark Lam  <mark.lam@apple.com>
2462
2463         Consolidate some PtrTags.
2464         https://bugs.webkit.org/show_bug.cgi?id=184552
2465         <rdar://problem/39389404>
2466
2467         Reviewed by Filip Pizlo.
2468
2469         Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
2470         Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
2471
2472         * assembler/AbstractMacroAssembler.h:
2473         (JSC::AbstractMacroAssembler::repatchNearCall):
2474         * assembler/MacroAssemblerARM.h:
2475         (JSC::MacroAssemblerARM::readCallTarget):
2476         * assembler/MacroAssemblerARMv7.h:
2477         (JSC::MacroAssemblerARMv7::readCallTarget):
2478         * assembler/MacroAssemblerMIPS.h:
2479         (JSC::MacroAssemblerMIPS::readCallTarget):
2480         * assembler/MacroAssemblerX86.h:
2481         (JSC::MacroAssemblerX86::readCallTarget):
2482         * assembler/MacroAssemblerX86_64.h:
2483         (JSC::MacroAssemblerX86_64::readCallTarget):
2484         * bytecode/AccessCase.cpp:
2485         (JSC::AccessCase::generateImpl):
2486         * bytecode/InlineAccess.cpp:
2487         (JSC::InlineAccess::rewireStubAsJump):
2488         * bytecode/PolymorphicAccess.cpp:
2489         (JSC::PolymorphicAccess::regenerate):
2490         * dfg/DFGJITCompiler.cpp:
2491         (JSC::DFG::JITCompiler::linkOSRExits):
2492         (JSC::DFG::JITCompiler::link):
2493         (JSC::DFG::JITCompiler::compileFunction):
2494         * dfg/DFGJITFinalizer.cpp:
2495         (JSC::DFG::JITFinalizer::finalize):
2496         (JSC::DFG::JITFinalizer::finalizeFunction):
2497         * dfg/DFGOSREntry.cpp:
2498         (JSC::DFG::prepareOSREntry):
2499         * dfg/DFGOSRExit.cpp:
2500         (JSC::DFG::OSRExit::executeOSRExit):
2501         (JSC::DFG::adjustAndJumpToTarget):
2502         (JSC::DFG::OSRExit::compileOSRExit):
2503         * dfg/DFGOSRExitCompilerCommon.cpp:
2504         (JSC::DFG::adjustAndJumpToTarget):
2505         * dfg/DFGOperations.cpp:
2506         * ftl/FTLJITCode.cpp:
2507         (JSC::FTL::JITCode::executableAddressAtOffset):
2508         * ftl/FTLJITFinalizer.cpp:
2509         (JSC::FTL::JITFinalizer::finalizeCommon):
2510         * ftl/FTLLazySlowPath.cpp:
2511         (JSC::FTL::LazySlowPath::generate):
2512         * ftl/FTLLink.cpp:
2513         (JSC::FTL::link):
2514         * ftl/FTLLowerDFGToB3.cpp:
2515         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2516         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2517         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2518         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2519         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2520         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
2521         * ftl/FTLOSRExitCompiler.cpp:
2522         (JSC::FTL::compileFTLOSRExit):
2523         * ftl/FTLOSRExitHandle.cpp:
2524         (JSC::FTL::OSRExitHandle::emitExitThunk):
2525         * jit/AssemblyHelpers.cpp:
2526         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2527         * jit/JIT.cpp:
2528         (JSC::JIT::compileWithoutLinking):
2529         (JSC::JIT::link):
2530         * jit/JITCall.cpp:
2531         (JSC::JIT::compileOpCallSlowCase):
2532         * jit/JITCode.cpp:
2533         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2534         (JSC::NativeJITCode::addressForCall):
2535         * jit/JITInlines.h:
2536         (JSC::JIT::emitNakedCall):
2537         (JSC::JIT::emitNakedTailCall):
2538         * jit/JITMathIC.h:
2539         (JSC::isProfileEmpty):
2540         * jit/JITOpcodes.cpp:
2541         (JSC::JIT::privateCompileHasIndexedProperty):
2542         * jit/JITOperations.cpp:
2543         * jit/JITPropertyAccess.cpp:
2544         (JSC::JIT::stringGetByValStubGenerator):
2545         (JSC::JIT::privateCompileGetByVal):
2546         (JSC::JIT::privateCompileGetByValWithCachedId):
2547         (JSC::JIT::privateCompilePutByVal):
2548         (JSC::JIT::privateCompilePutByValWithCachedId):
2549         * jit/JITThunks.cpp:
2550         (JSC::JITThunks::hostFunctionStub):
2551         * jit/Repatch.cpp:
2552         (JSC::linkSlowFor):
2553         (JSC::linkFor):
2554         (JSC::linkPolymorphicCall):
2555         * jit/SpecializedThunkJIT.h:
2556         (JSC::SpecializedThunkJIT::finalize):
2557         * jit/ThunkGenerators.cpp:
2558         (JSC::virtualThunkFor):
2559         (JSC::nativeForGenerator):
2560         (JSC::boundThisNoArgsFunctionCallGenerator):
2561         * llint/LLIntData.cpp:
2562         (JSC::LLInt::initialize):
2563         * llint/LLIntEntrypoint.cpp:
2564         (JSC::LLInt::setEvalEntrypoint):
2565         (JSC::LLInt::setProgramEntrypoint):
2566         (JSC::LLInt::setModuleProgramEntrypoint):
2567         * llint/LLIntSlowPaths.cpp:
2568         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2569         (JSC::LLInt::setUpCall):
2570         * llint/LLIntThunks.cpp:
2571         (JSC::LLInt::generateThunkWithJumpTo):
2572         (JSC::LLInt::functionForCallEntryThunkGenerator):
2573         (JSC::LLInt::functionForConstructEntryThunkGenerator):
2574         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
2575         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
2576         (JSC::LLInt::evalEntryThunkGenerator):
2577         (JSC::LLInt::programEntryThunkGenerator):
2578         (JSC::LLInt::moduleProgramEntryThunkGenerator):
2579         * llint/LowLevelInterpreter.asm:
2580         * llint/LowLevelInterpreter64.asm:
2581         * runtime/NativeExecutable.cpp:
2582         (JSC::NativeExecutable::finishCreation):
2583         * runtime/NativeFunction.h:
2584         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2585         (JSC::TaggedNativeFunction::operator NativeFunction):
2586         * runtime/PtrTag.h:
2587         * wasm/WasmBBQPlan.cpp:
2588         (JSC::Wasm::BBQPlan::complete):
2589         * wasm/WasmOMGPlan.cpp:
2590         (JSC::Wasm::OMGPlan::work):
2591         * wasm/WasmThunks.cpp:
2592         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2593         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2594         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2595         * wasm/js/WasmToJS.cpp:
2596         (JSC::Wasm::wasmToJS):
2597         * wasm/js/WebAssemblyFunction.h:
2598         * yarr/YarrJIT.cpp:
2599         (JSC::Yarr::YarrGenerator::compile):
2600
2601 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2602
2603         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
2604         https://bugs.webkit.org/show_bug.cgi?id=184379
2605
2606         Reviewed by Žan Doberšek.
2607
2608         Load the module from the new location.
2609
2610         * PlatformWPE.cmake:
2611         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2612         (Inspector::backendCommands):
2613
2614 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2615
2616         [DFG] Remove compileBigIntEquality in DFG 32bit
2617         https://bugs.webkit.org/show_bug.cgi?id=184535
2618
2619         Reviewed by Saam Barati.
2620
2621         We can have the unified implementation for compileBigIntEquality.
2622
2623         * dfg/DFGSpeculativeJIT.cpp:
2624         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2625         * dfg/DFGSpeculativeJIT32_64.cpp:
2626         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2627         * dfg/DFGSpeculativeJIT64.cpp:
2628         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2629
2630 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2631
2632         [WPE] Improve include hierarchy
2633         https://bugs.webkit.org/show_bug.cgi?id=184376
2634
2635         Reviewed by Žan Doberšek.
2636
2637         Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
2638         /usr/include/wpe-0.1/WPE/jsc.
2639
2640         * PlatformWPE.cmake:
2641
2642 2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2643
2644         [GLIB] Handle strings containing null characters
2645         https://bugs.webkit.org/show_bug.cgi?id=184450
2646
2647         Reviewed by Michael Catanzaro.
2648
2649         We should be able to evaluate scripts containing null characters and to handle strings that contain them
2650         too. In JavaScript strings are not null-terminated; they can contain null characters. This patch adds a length
2651         parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null terminated), and new functions
2652         jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
2653         contain null characters.
2654
2655         * API/OpaqueJSString.cpp:
2656         (OpaqueJSString::create): Add a create constructor that takes the String.
2657         * API/OpaqueJSString.h:
2658         (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
2659         * API/glib/JSCContext.cpp:
2660         (jsc_context_evaluate): Add length parameter.
2661         (jsc_context_evaluate_with_source_uri): Ditto.
2662         * API/glib/JSCContext.h:
2663         * API/glib/JSCValue.cpp:
2664         (jsc_value_new_string_from_bytes):
2665         (jsc_value_to_string):
2666         (jsc_value_to_string_as_bytes):
2667         (jsc_value_object_is_instance_of): Pass length to evaluate.
2668         * API/glib/JSCValue.h:
2669         * API/glib/docs/jsc-glib-4.0-sections.txt:
2670
2671 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2672
2673         [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
2674         https://bugs.webkit.org/show_bug.cgi?id=184500
2675
2676         Reviewed by Mark Lam.
2677
2678         Instead of passing JSValue::JSCellTag to the callOperation meta-program to convert a
2679         JSCell GPR to EncodedJSValue in 32bit code, we add CCallHelpers::CellValue.
2680         It is a wrapper for GPRReg, like TrustedImmPtr for a pointer value. When poking a
2681         CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
2682         poke the held GPR. The benefit of this CellValue is that we can use the same code
2683         for 32bit and 64bit. This patch removes several ifdefs.
2684
2685         * bytecode/AccessCase.cpp:
2686         (JSC::AccessCase::generateImpl):
2687         * dfg/DFGSpeculativeJIT.cpp:
2688         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2689         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2690         (JSC::DFG::SpeculativeJIT::cachedPutById):
2691         * dfg/DFGSpeculativeJIT32_64.cpp:
2692         (JSC::DFG::SpeculativeJIT::cachedGetById):
2693         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2694         * jit/CCallHelpers.h:
2695         (JSC::CCallHelpers::CellValue::CellValue):
2696         (JSC::CCallHelpers::CellValue::gpr const):
2697         (JSC::CCallHelpers::setupArgumentsImpl):
2698
2699 2018-04-11  Mark Lam  <mark.lam@apple.com>
2700
2701         [Build fix] Replace CompactJITCodeMap with JITCodeMap.
2702         https://bugs.webkit.org/show_bug.cgi?id=184512
2703         <rdar://problem/35391728>
2704
2705         Not reviewed.
2706
2707         * bytecode/CodeBlock.h:
2708         * jit/JITCodeMap.h:
2709
2710 2018-04-11  Mark Lam  <mark.lam@apple.com>
2711
2712         Replace CompactJITCodeMap with JITCodeMap.
2713         https://bugs.webkit.org/show_bug.cgi?id=184512
2714         <rdar://problem/35391728>
2715
2716         Reviewed by Filip Pizlo.
2717
2718         * CMakeLists.txt:
2719         * JavaScriptCore.xcodeproj/project.pbxproj:
2720         * bytecode/CodeBlock.h:
2721         (JSC::CodeBlock::setJITCodeMap):
2722         (JSC::CodeBlock::jitCodeMap const):
2723         (JSC::CodeBlock::jitCodeMap): Deleted.
2724         * dfg/DFGOSRExit.cpp:
2725         (JSC::DFG::OSRExit::executeOSRExit):
2726         * dfg/DFGOSRExitCompilerCommon.cpp:
2727         (JSC::DFG::adjustAndJumpToTarget):
2728         * jit/AssemblyHelpers.cpp:
2729         (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
2730         * jit/AssemblyHelpers.h:
2731         * jit/CompactJITCodeMap.h: Removed.
2732         * jit/JIT.cpp:
2733         (JSC::JIT::link):
2734         * jit/JITCodeMap.h: Added.
2735         (JSC::JITCodeMap::Entry::Entry):
2736         (JSC::JITCodeMap::Entry::bytecodeIndex const):
2737         (JSC::JITCodeMap::Entry::codeLocation):
2738         (JSC::JITCodeMap::append):
2739         (JSC::JITCodeMap::finish):
2740         (JSC::JITCodeMap::find const):
2741         (JSC::JITCodeMap::operator bool const):
2742         * llint/LLIntSlowPaths.cpp:
2743         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2744
2745 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2746
2747         [DFG] Remove CompareSlowPathGenerator
2748         https://bugs.webkit.org/show_bug.cgi?id=184492
2749
2750         Reviewed by Mark Lam.
2751
2752         Now CompareSlowPathGenerator just calls a specified function.
2753         This can be replaced with slowPathCall. This patch removes CompareSlowPathGenerator.
2754
2755         We also remove some unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
2756         introducing a new constructor for GPRTemporary.
2757
2758         * JavaScriptCore.xcodeproj/project.pbxproj:
2759         * dfg/DFGCompareSlowPathGenerator.h: Removed.
2760         * dfg/DFGSpeculativeJIT.cpp:
2761         (JSC::DFG::GPRTemporary::GPRTemporary):
2762         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
2763         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
2764         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2765         (JSC::DFG::SpeculativeJIT::compileIsObject):
2766         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2767         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2768         * dfg/DFGSpeculativeJIT.h:
2769         (JSC::DFG::GPRTemporary::GPRTemporary):
2770         * dfg/DFGSpeculativeJIT64.cpp:
2771         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2772
2773 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2774
2775         Unreviewed, build fix for 32bit
2776         https://bugs.webkit.org/show_bug.cgi?id=184236
2777
2778         * dfg/DFGSpeculativeJIT.cpp:
2779         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2780
2781 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2782
2783         [DFG] Remove duplicate 32bit code more
2784         https://bugs.webkit.org/show_bug.cgi?id=184236
2785
2786         Reviewed by Mark Lam.
2787
2788         Remove duplicate 32bit code more aggressively part 2.
2789
2790         * JavaScriptCore.xcodeproj/project.pbxproj:
2791         * dfg/DFGCompareSlowPathGenerator.h: Added.
2792         (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
2793         Drop the boxing part. Use unblessedBooleanResult on the DFGSpeculativeJIT side instead.
2794
2795         * dfg/DFGOperations.cpp:
2796         * dfg/DFGOperations.h:
2797         * dfg/DFGSpeculativeJIT.cpp:
2798         (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
2799         (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
2800         (JSC::DFG::SpeculativeJIT::compileIsObject):
2801         (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
2802         (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
2803         (JSC::DFG::SpeculativeJIT::compilePutById):
2804         (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
2805         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
2806         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2807         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
2808         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2809         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2810         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2811         (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
2812         (JSC::DFG::SpeculativeJIT::cachedPutById):
2813         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2814         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2815         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
2816         * dfg/DFGSpeculativeJIT.h:
2817         (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
2818         * dfg/DFGSpeculativeJIT32_64.cpp:
2819         (JSC::DFG::SpeculativeJIT::compile):
2820         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2821         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2822         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2823         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
2824         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2825         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2826         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2827         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2828         * dfg/DFGSpeculativeJIT64.cpp:
2829         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2830         (JSC::DFG::SpeculativeJIT::compile):
2831         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2832         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2833         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2834         (): Deleted.
2835         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2836         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2837         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2838         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2839         * ftl/FTLLowerDFGToB3.cpp:
2840         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2841         operationHasIndexedPropertyByInt starts returning an unblessed boolean as a size_t.
2842
2843         * jit/AssemblyHelpers.h:
2844         (JSC::AssemblyHelpers::loadValue):
2845         (JSC::AssemblyHelpers::selectScratchGPR):
2846         (JSC::AssemblyHelpers::constructRegisterSet):
2847         * jit/RegisterSet.h:
2848         (JSC::RegisterSet::setAny):
2849         Clean up selectScratchGPR code to pass JSValueRegs.
2850
2851 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
2852
2853         [ESNext][BigInt] Add support for BigInt in SpeculatedType
2854         https://bugs.webkit.org/show_bug.cgi?id=182470
2855
2856         Reviewed by Saam Barati.
2857
2858         This patch introduces the SpecBigInt type to DFG to enable BigInt
2859         speculation into DFG and FTL.
2860
2861         With the introduction of SpecBigInt, we can then specialize "===" operations
2862         for BigInts. As we do for some cells, we first check if the operands
2863         point to the same JSCell, and if not, we
2864         fall back to "operationCompareStrictEqCell". The idea in further
2865         patches is to implement the BigInt equality check directly in
2866         assembly.
2867
2868         We are also adding support for BigInt constant folding into
2869         TypeOf operation.
2870
2871         * bytecode/SpeculatedType.cpp:
2872         (JSC::dumpSpeculation):
2873         (JSC::speculationFromClassInfo):
2874         (JSC::speculationFromStructure):
2875         (JSC::speculationFromJSType):
2876         (JSC::speculationFromString):
2877         * bytecode/SpeculatedType.h:
2878         (JSC::isBigIntSpeculation):
2879         * dfg/DFGAbstractInterpreterInlines.h:
2880         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2881         * dfg/DFGAbstractValue.cpp:
2882         (JSC::DFG::AbstractValue::set):
2883         * dfg/DFGConstantFoldingPhase.cpp:
2884         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2885         * dfg/DFGFixupPhase.cpp:
2886         (JSC::DFG::FixupPhase::fixupNode):
2887         (JSC::DFG::FixupPhase::fixupToThis):
2888         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2889         * dfg/DFGInferredTypeCheck.cpp:
2890         (JSC::DFG::insertInferredTypeCheck):
2891         * dfg/DFGNode.h:
2892         (JSC::DFG::Node::shouldSpeculateBigInt):
2893         * dfg/DFGPredictionPropagationPhase.cpp:
2894         * dfg/DFGSafeToExecute.h:
2895         (JSC::DFG::SafeToExecuteEdge::operator()):
2896         * dfg/DFGSpeculativeJIT.cpp:
2897         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2898         (JSC::DFG::SpeculativeJIT::speculateBigInt):
2899         (JSC::DFG::SpeculativeJIT::speculate):
2900         * dfg/DFGSpeculativeJIT.h:
2901         * dfg/DFGSpeculativeJIT32_64.cpp:
2902         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2903         * dfg/DFGSpeculativeJIT64.cpp:
2904         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2905         * dfg/DFGUseKind.cpp:
2906         (WTF::printInternal):
2907         * dfg/DFGUseKind.h:
2908         (JSC::DFG::typeFilterFor):
2909         (JSC::DFG::isCell):
2910         * ftl/FTLCapabilities.cpp:
2911         (JSC::FTL::canCompile):
2912         * ftl/FTLLowerDFGToB3.cpp:
2913         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2914         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
2915         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2916         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
2917         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
2918         * jit/AssemblyHelpers.cpp:
2919         (JSC::AssemblyHelpers::branchIfNotType):
2920         * jit/AssemblyHelpers.h:
2921         (JSC::AssemblyHelpers::branchIfBigInt):
2922         (JSC::AssemblyHelpers::branchIfNotBigInt):
2923         * runtime/InferredType.cpp:
2924         (JSC::InferredType::Descriptor::forValue):
2925         (JSC::InferredType::Descriptor::putByIdFlags const):
2926         (JSC::InferredType::Descriptor::merge):
2927         (WTF::printInternal):
2928         * runtime/InferredType.h:
2929         * runtime/JSBigInt.h:
2930
2931 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2932
2933         Unreviewed, fix cloop build.
2934
2935         * dfg/DFGAbstractInterpreterClobberState.cpp:
2936
2937 2018-04-10  Mark Lam  <mark.lam@apple.com>
2938
2939         Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
2940         https://bugs.webkit.org/show_bug.cgi?id=184464
2941         <rdar://problem/39323947>
2942
2943         Reviewed by Saam Barati.
2944
2945         * heap/MarkedSpace.h:
2946         (JSC::MarkedSpace::sizeClassToIndex):
2947
2948 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
2949
2950         DFG AI and clobberize should agree with each other
2951         https://bugs.webkit.org/show_bug.cgi?id=184440
2952
2953         Reviewed by Saam Barati.
2954         
2955         One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
2956         agree with each other. That's what this patch does: it adds an assertion that AI's structure
2957         state tracking must be equivalent to JSCell_structureID being clobbered.
2958         
2959         One subtlety is that AI sometimes folds away structure clobbering using information that
2960         clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
2961         ObservedTransitions).
2962         
2963         This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
2964         clobberize missing a write(Heap).
2965         
2966         This also makes some cases more precise in order to appease the assertion. Making things more
2967         precise might make things faster, but I didn't measure it because that wasn't the goal.
2968
2969         * JavaScriptCore.xcodeproj/project.pbxproj:
2970         * Sources.txt:
2971         * dfg/DFGAbstractInterpreter.h:
2972         * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
2973         (WTF::printInternal):
2974         * dfg/DFGAbstractInterpreterClobberState.h: Added.
2975         (JSC::DFG::mergeClobberStates):
2976         * dfg/DFGAbstractInterpreterInlines.h:
2977         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
2978         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2979         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
2980         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
2981         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
2982         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
2983         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
2984         (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
2985         * dfg/DFGAtTailAbstractState.h:
2986         (JSC::DFG::AtTailAbstractState::setClobberState):
2987         (JSC::DFG::AtTailAbstractState::mergeClobberState):
2988         (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
2989         * dfg/DFGCFAPhase.cpp:
2990         (JSC::DFG::CFAPhase::performBlockCFA):
2991         * dfg/DFGClobberSet.cpp:
2992         (JSC::DFG::writeSet):
2993         * dfg/DFGClobberSet.h:
2994         * dfg/DFGClobberize.h:
2995         (JSC::DFG::clobberize):
2996         * dfg/DFGConstantFoldingPhase.cpp:
2997         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2998         * dfg/DFGInPlaceAbstractState.h:
2999         (JSC::DFG::InPlaceAbstractState::clobberState const):
3000         (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
3001         (JSC::DFG::InPlaceAbstractState::didClobber const):
3002         (JSC::DFG::InPlaceAbstractState::setClobberState):
3003         (JSC::DFG::InPlaceAbstractState::mergeClobberState):
3004         (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
3005
3006 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
3007
3008         ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
3009         https://bugs.webkit.org/show_bug.cgi?id=184460
3010         <rdar://problem/37610966>
3011
3012         Reviewed by Mark Lam.
3013
3014         * bytecode/ExecutableToCodeBlockEdge.cpp:
3015         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3016
3017 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
3018
3019         REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
3020         https://bugs.webkit.org/show_bug.cgi?id=184455
3021
3022         Reviewed by Michael Saboff.
3023         
3024         LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
3025         says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
3026         (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
3027         the thing being hoisted does have effects, then we get a crash.
3028         
3029         In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
3030         CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
3031         would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
3032         effectful.
3033         
3034         Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
3035         clobberize to also think that CompareEq(Untyped:, _) is effectful.
3036         
3037         This fixes the whole situation by teaching both clobberize and AI that the only effectful form
3038         of CompareEq is CompareEq(Untyped:, Untyped:).
3039
3040         * dfg/DFGAbstractInterpreterInlines.h:
3041         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3042         * dfg/DFGClobberize.h:
3043         (JSC::DFG::clobberize):
3044
3045 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
3046
3047         Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
3048         https://bugs.webkit.org/show_bug.cgi?id=184372
3049
3050         Reviewed by Saam Barati.
3051         
3052         We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
3053         have already proved, using techniques that are more precise than AI, that the edge has type
3054         Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
3055         because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
3056         other than a check - so we think we can call those just because we should have already
3057         bailed. It's better to think of them as the result of folding a check. Therefore, we should
3058         only do it if there had been a check to begin with.
3059
3060         * dfg/DFGSpeculativeJIT64.cpp:
3061         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3062         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3063         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3064         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3065         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3066         * ftl/FTLLowerDFGToB3.cpp:
3067         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
3068         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
3069         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
3070         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
3071         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
3072         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3073         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
3074         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
3075
3076 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3077
3078         [JSC] Introduce @putByIdDirectPrivate
3079         https://bugs.webkit.org/show_bug.cgi?id=184400
3080
3081         Reviewed by Saam Barati.
3082
3083         This patch adds @putByIdDirectPrivate() for use in builtin JS.
3084         @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
3085         for accessing ECMAScript internal fields.
3086
3087         This change removes an accidental [[Put]] operation on an object whose [[Prototype]]
3088         has internal fields (not direct properties). By using @getByIdDirectPrivate() and
3089         @putByIdDirectPrivate(), we strongly keep the semantics of ECMAScript internal
3090         fields: accessing the internal fields does not traverse prototype chains.
3091
3092         * builtins/ArrayIteratorPrototype.js:
3093         (globalPrivate.arrayIteratorValueNext):
3094         (globalPrivate.arrayIteratorKeyNext):
3095         (globalPrivate.arrayIteratorKeyValueNext):
3096         * builtins/ArrayPrototype.js:
3097         (globalPrivate.createArrayIterator):
3098         * builtins/AsyncFromSyncIteratorPrototype.js:
3099         (globalPrivate.AsyncFromSyncIteratorConstructor):
3100         * builtins/AsyncFunctionPrototype.js:
3101         (globalPrivate.asyncFunctionResume):
3102         * builtins/AsyncGeneratorPrototype.js:
3103         (globalPrivate.asyncGeneratorQueueEnqueue):
3104         (globalPrivate.asyncGeneratorQueueDequeue):
3105         (asyncGeneratorYieldAwaited):
3106         (globalPrivate.asyncGeneratorYield):
3107         (globalPrivate.doAsyncGeneratorBodyCall):
3108         (globalPrivate.asyncGeneratorResumeNext):
3109         * builtins/GeneratorPrototype.js:
3110         (globalPrivate.generatorResume):
3111         * builtins/MapIteratorPrototype.js:
3112         (globalPrivate.mapIteratorNext):
3113         * builtins/MapPrototype.js:
3114         (globalPrivate.createMapIterator):
3115         * builtins/ModuleLoaderPrototype.js:
3116         (forceFulfillPromise):
3117         * builtins/PromiseOperations.js:
3118         (globalPrivate.newHandledRejectedPromise):
3119         (globalPrivate.rejectPromise):
3120         (globalPrivate.fulfillPromise):
3121         (globalPrivate.initializePromise):
3122         * builtins/PromisePrototype.js:
3123         (then):
3124         * builtins/SetIteratorPrototype.js:
3125         (globalPrivate.setIteratorNext):
3126         * builtins/SetPrototype.js:
3127         (globalPrivate.createSetIterator):
3128         * builtins/StringIteratorPrototype.js:
3129         (next):
3130         * bytecode/BytecodeIntrinsicRegistry.h:
3131         * bytecompiler/NodesCodegen.cpp:
3132         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
3133         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
3134
3135 2018-04-09  Mark Lam  <mark.lam@apple.com>
3136
3137         Decorate method table entries to support pointer profiling.
3138         https://bugs.webkit.org/show_bug.cgi?id=184430
3139         <rdar://problem/39296190>
3140
3141         Reviewed by Saam Barati.
3142
3143         * runtime/ClassInfo.h:
3144
3145 2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>
3146
3147         [WPE] Don't install JSC C API headers
3148         https://bugs.webkit.org/show_bug.cgi?id=184375
3149
3150         Reviewed by Žan Doberšek.
3151
3152         None of the functions declared in these headers are exported in WPE. Use the new jsc API
3153         instead.
3154
3155         * PlatformWPE.cmake:
3156
3157 2018-04-08  Mark Lam  <mark.lam@apple.com>
3158
3159         Add pointer profiling to the FTL and supporting code.
3160         https://bugs.webkit.org/show_bug.cgi?id=184395
3161         <rdar://problem/39264019>
3162
3163         Reviewed by Michael Saboff and Filip Pizlo.
3164
3165         * assembler/CodeLocation.h:
3166         (JSC::CodeLocationLabel::retagged):
3167         (JSC::CodeLocationJump::retagged):
3168         * assembler/LinkBuffer.h:
3169         (JSC::LinkBuffer::locationOf):
3170         * dfg/DFGJITCompiler.cpp:
3171         (JSC::DFG::JITCompiler::linkOSRExits):
3172         (JSC::DFG::JITCompiler::link):
3173         * ftl/FTLCompile.cpp:
3174         (JSC::FTL::compile):
3175         * ftl/FTLExceptionTarget.cpp:
3176         (JSC::FTL::ExceptionTarget::label):
3177         (JSC::FTL::ExceptionTarget::jumps):
3178         * ftl/FTLExceptionTarget.h:
3179         * ftl/FTLJITCode.cpp:
3180         (JSC::FTL::JITCode::executableAddressAtOffset):
3181         * ftl/FTLLazySlowPath.cpp:
3182         (JSC::FTL::LazySlowPath::~LazySlowPath):
3183         (JSC::FTL::LazySlowPath::initialize):
3184         (JSC::FTL::LazySlowPath::generate):
3185         (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
3186         * ftl/FTLLazySlowPath.h:
3187         * ftl/FTLLink.cpp:
3188         (JSC::FTL::link):
3189         * ftl/FTLLowerDFGToB3.cpp:
3190         (JSC::FTL::DFG::LowerDFGToB3::lower):
3191         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3192         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3193         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3194         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3195         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3196         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3197         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3198         * ftl/FTLOSRExitCompiler.cpp:
3199         (JSC::FTL::compileStub):
3200         (JSC::FTL::compileFTLOSRExit):
3201         * ftl/FTLOSRExitHandle.cpp:
3202         (JSC::FTL::OSRExitHandle::emitExitThunk):
3203         * ftl/FTLOperations.cpp:
3204         (JSC::FTL::compileFTLLazySlowPath):
3205         * ftl/FTLOutput.h:
3206         (JSC::FTL::Output::callWithoutSideEffects):
3207         (JSC::FTL::Output::operation):
3208         * ftl/FTLPatchpointExceptionHandle.cpp:
3209         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3210         * ftl/FTLSlowPathCall.cpp:
3211         (JSC::FTL::SlowPathCallContext::makeCall):
3212         * ftl/FTLSlowPathCallKey.h:
3213         (JSC::FTL::SlowPathCallKey::withCallTarget):
3214         (JSC::FTL::SlowPathCallKey::callPtrTag const):
3215         * ftl/FTLThunks.cpp:
3216         (JSC::FTL::genericGenerationThunkGenerator):
3217         (JSC::FTL::osrExitGenerationThunkGenerator):
3218         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3219         (JSC::FTL::slowPathCallThunkGenerator):
3220         * jit/JITMathIC.h:
3221         (JSC::isProfileEmpty):
3222         * jit/Repatch.cpp:
3223         (JSC::readPutICCallTarget):
3224         (JSC::ftlThunkAwareRepatchCall):
3225         (JSC::tryCacheGetByID):
3226         (JSC::repatchGetByID):
3227         (JSC::tryCachePutByID):
3228         (JSC::repatchPutByID):
3229         (JSC::repatchIn):
3230         (JSC::resetGetByID):
3231         (JSC::resetPutByID):
3232         (JSC::readCallTarget): Deleted.
3233         * jit/Repatch.h:
3234         * runtime/PtrTag.h:
3235
3236 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3237
3238         Unreviewed, attempt to fix Windows build
3239         https://bugs.webkit.org/show_bug.cgi?id=183508
3240
3241         * jit/JIT.h:
3242
3243 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3244
3245         Unreviewed, build fix for Windows by suppressing padding warning for JIT
3246         https://bugs.webkit.org/show_bug.cgi?id=183508
3247
3248         * jit/JIT.h:
3249
3250 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3251
3252         Use alignas instead of compiler-specific attributes
3253         https://bugs.webkit.org/show_bug.cgi?id=183508
3254
3255         Reviewed by Mark Lam.
3256
3257         Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
3258
3259         * heap/RegisterState.h:
3260         * jit/JIT.h:
3261         (JSC::JIT::compile): Deleted.
3262         (JSC::JIT::compileGetByVal): Deleted.
3263         (JSC::JIT::compileGetByValWithCachedId): Deleted.
3264         (JSC::JIT::compilePutByVal): Deleted.
3265         (JSC::JIT::compileDirectPutByVal): Deleted.
3266         (JSC::JIT::compilePutByValWithCachedId): Deleted.
3267         (JSC::JIT::compileHasIndexedProperty): Deleted.
3268         (JSC::JIT::appendCall): Deleted.
3269         (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
3270         (JSC::JIT::exceptionCheck): Deleted.
3271         (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
3272         (JSC::JIT::emitInt32Load): Deleted.
3273         (JSC::JIT::emitInt32GetByVal): Deleted.
3274         (JSC::JIT::emitInt32PutByVal): Deleted.
3275         (JSC::JIT::emitDoublePutByVal): Deleted.
3276         (JSC::JIT::emitContiguousPutByVal): Deleted.
3277         (JSC::JIT::emitStoreCell): Deleted.
3278         (JSC::JIT::getSlowCase): Deleted.
3279         (JSC::JIT::linkSlowCase): Deleted.
3280         (JSC::JIT::linkDummySlowCase): Deleted.
3281         (JSC::JIT::linkAllSlowCases): Deleted.
3282         (JSC::JIT::callOperation): Deleted.
3283         (JSC::JIT::callOperationWithProfile): Deleted.
3284         (JSC::JIT::callOperationWithResult): Deleted.
3285         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
3286         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
3287         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
3288         (JSC::JIT::sampleCodeBlock): Deleted.
3289         (JSC::JIT::canBeOptimized): Deleted.
3290         (JSC::JIT::canBeOptimizedOrInlined): Deleted.
3291         (JSC::JIT::shouldEmitProfiling): Deleted.
3292         * runtime/VM.h:
3293
3294 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3295
3296         Unreviewed, follow-up patch for DFG 32bit
3297         https://bugs.webkit.org/show_bug.cgi?id=183970
3298
3299         * dfg/DFGSpeculativeJIT32_64.cpp:
3300         (JSC::DFG::SpeculativeJIT::cachedGetById):
3301
3302 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3303
3304         [JSC] Fix incorrect assertion for VM's regexp buffer lock
3305         https://bugs.webkit.org/show_bug.cgi?id=184398
3306
3307         Reviewed by Mark Lam.
3308
3309         The isLocked check before taking a lock is incorrect.
3310
3311         * runtime/VM.cpp:
3312         (JSC::VM::acquireRegExpPatternContexBuffer):
3313
3314 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3315
3316         [JSC] Introduce op_get_by_id_direct
3317         https://bugs.webkit.org/show_bug.cgi?id=183970
3318
3319         Reviewed by Filip Pizlo.
3320
3321         This patch introduces the op_get_by_id_direct bytecode. This is super similar to op_get_by_id,
3322         but it just performs the [[GetOwnProperty]] operation instead of [[Get]]. We support this
3323         in all the tiers, so using this opcode does not lead to inefficiency.
3324
3325         The main purpose of op_get_by_id_direct is to use it for private properties. We are using
3326         properties indexed with private symbols to implement ECMAScript internal fields. Before this
3327         patch, we just used get and put operations. However, that is not the correct semantics: accessing
3328         the internal fields should not traverse the prototype chain, as specified in the spec.
3329         We use op_get_by_id_direct to access properties which are used as internal fields, so that
3330         prototype chains are not traversed.
3331
3332         To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
3333         When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
3334         bytecode `op_get_by_id_direct, object, @name`.
3335
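The [[Get]]-versus-[[GetOwnProperty]] distinction that this entry and the @putByIdDirectPrivate entry above rely on, modelled in plain JavaScript as an added example (not WebKit code): a Symbol stands in for JSC's private symbols, and `getField`/`getOwnField`/`putField`/`putOwnField` are hypothetical helper names chosen here to mirror [[Get]], [[GetOwnProperty]], [[Put]] and a direct own-property define.

```javascript
// Added example, not WebKit code. A Symbol stands in for a JSC private symbol
// used as an "internal field" key.
const kState = Symbol('generatorState');

// Models [[Get]]: walks the prototype chain, so a field that is missing on
// `obj` can be satisfied by a value found on its [[Prototype]].
function getField(obj, key) {
  return obj[key];
}

// Models [[GetOwnProperty]]: consults only `obj` itself; undefined when the
// field is not an own property, whatever the prototype chain contains.
function getOwnField(obj, key) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  return desc === undefined ? undefined : desc.value;
}

// Models [[Put]]: an accessor found anywhere on the prototype chain is invoked,
// so a plain assignment may run prototype code and create no own property.
function putField(obj, key, value) {
  obj[key] = value;
}

// Models a direct own-property define: always creates/overwrites an own data
// property on `obj`, ignoring anything on the prototype chain.
function putOwnField(obj, key, value) {
  Object.defineProperty(obj, key, {
    value, writable: true, configurable: true, enumerable: false,
  });
}

// Constructed scenario: one prototype carries the "internal field" as a data
// property, another carries it as an accessor pair.
function scenario() {
  const protoWithData = { [kState]: 'inherited-state' };
  const obj = Object.create(protoWithData);

  const viaGet = getField(obj, kState);     // the prototype's value leaks through
  const viaOwn = getOwnField(obj, kState);  // no own field: undefined

  const setterCalls = [];
  const protoWithAccessor = {
    set [kState](v) { setterCalls.push(v); },
    get [kState]() { return 'from-getter'; },
  };
  const obj2 = Object.create(protoWithAccessor);

  putField(obj2, kState, 'A');  // runs the inherited setter instead of storing
  const ownAfterPlainPut = Object.prototype.hasOwnProperty.call(obj2, kState);

  putOwnField(obj2, kState, 'B');  // creates the own property regardless
  const ownAfterDirectPut = Object.prototype.hasOwnProperty.call(obj2, kState);

  return {
    viaGet,
    viaOwn,
    setterCalls,
    ownAfterPlainPut,
    ownAfterDirectPut,
    ownValue: getOwnField(obj2, kState),
  };
}
```
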
3336         * builtins/ArrayIteratorPrototype.js:
3337         (next):
3338         (globalPrivate.arrayIteratorValueNext):
3339         (globalPrivate.arrayIteratorKeyNext):
3340         (globalPrivate.arrayIteratorKeyValueNext):
3341         * builtins/AsyncFromSyncIteratorPrototype.js:
3342         * builtins/AsyncFunctionPrototype.js:
3343         (globalPrivate.asyncFunctionResume):
3344         * builtins/AsyncGeneratorPrototype.js:
3345         (globalPrivate.asyncGeneratorQueueIsEmpty):
3346         (globalPrivate.asyncGeneratorQueueEnqueue):
3347         (globalPrivate.asyncGeneratorQueueDequeue):
3348         (globalPrivate.asyncGeneratorDequeue):
3349         (globalPrivate.isExecutionState):
3350         (globalPrivate.isSuspendYieldState):
3351         (globalPrivate.asyncGeneratorReject):
3352         (globalPrivate.asyncGeneratorResolve):
3353         (globalPrivate.doAsyncGeneratorBodyCall):
3354         (globalPrivate.asyncGeneratorEnqueue):
3355         * builtins/GeneratorPrototype.js:
3356         (globalPrivate.generatorResume):
3357         (next):
3358         (return):
3359         (throw):
3360         * builtins/MapIteratorPrototype.js:
3361         (next):
3362         * builtins/PromiseOperations.js:
3363         (globalPrivate.isPromise):
3364         (globalPrivate.rejectPromise):
3365         (globalPrivate.fulfillPromise):
3366         * builtins/PromisePrototype.js:
3367         (then):
3368         * builtins/SetIteratorPrototype.js:
3369         (next):
3370         * builtins/StringIteratorPrototype.js:
3371         (next):
3372         * builtins/TypedArrayConstructor.js:
3373         (of):
3374         (from):
3375         * bytecode/BytecodeDumper.cpp:
3376         (JSC::BytecodeDumper<Block>::dumpBytecode):
3377         * bytecode/BytecodeIntrinsicRegistry.h:
3378         * bytecode/BytecodeList.json:
3379         * bytecode/BytecodeUseDef.h:
3380         (JSC::computeUsesForBytecodeOffset):
3381         (JSC::computeDefsForBytecodeOffset):
3382         * bytecode/CodeBlock.cpp:
3383         (JSC::CodeBlock::finishCreation):
3384         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3385         * bytecode/GetByIdStatus.cpp:
3386         (JSC::GetByIdStatus::computeFromLLInt):
3387         (JSC::GetByIdStatus::computeFor):
3388         * bytecode/StructureStubInfo.cpp:
3389         (JSC::StructureStubInfo::reset):
3390         * bytecode/StructureStubInfo.h:
3391         (JSC::appropriateOptimizingGetByIdFunction):
3392         (JSC::appropriateGenericGetByIdFunction):
3393         * bytecompiler/BytecodeGenerator.cpp:
3394         (JSC::BytecodeGenerator::emitDirectGetById):
3395         * bytecompiler/BytecodeGenerator.h:
3396         * bytecompiler/NodesCodegen.cpp:
3397         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
3398         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
3399         * dfg/DFGAbstractInterpreterInlines.h:
3400         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3401         * dfg/DFGByteCodeParser.cpp:
3402         (JSC::DFG::ByteCodeParser::handleGetById):
3403         (JSC::DFG::ByteCodeParser::parseBlock):
3404         * dfg/DFGCapabilities.cpp:
3405         (JSC::DFG::capabilityLevel):
3406         * dfg/DFGClobberize.h:
3407         (JSC::DFG::clobberize):
3408         * dfg/DFGConstantFoldingPhase.cpp:
3409         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3410         * dfg/DFGDoesGC.cpp:
3411         (JSC::DFG::doesGC):
3412         * dfg/DFGFixupPhase.cpp:
3413         (JSC::DFG::FixupPhase::fixupNode):
3414         * dfg/DFGNode.h:
3415         (JSC::DFG::Node::convertToGetByOffset):
3416         (JSC::DFG::Node::convertToMultiGetByOffset):
3417         (JSC::DFG::Node::hasIdentifier):
3418         (JSC::DFG::Node::hasHeapPrediction):
3419         * dfg/DFGNodeType.h:
3420         * dfg/DFGOperations.cpp:
3421         * dfg/DFGOperations.h:
3422         * dfg/DFGPredictionPropagationPhase.cpp:
3423         * dfg/DFGSafeToExecute.h:
3424         (JSC::DFG::safeToExecute):
3425         * dfg/DFGSpeculativeJIT.cpp:
3426         (JSC::DFG::SpeculativeJIT::compileGetById):
3427         (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
3428         (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
3429         * dfg/DFGSpeculativeJIT.h:
3430         * dfg/DFGSpeculativeJIT32_64.cpp:
3431         (JSC::DFG::SpeculativeJIT::cachedGetById):
3432         (JSC::DFG::SpeculativeJIT::compile):
3433         * dfg/DFGSpeculativeJIT64.cpp:
3434         (JSC::DFG::SpeculativeJIT::cachedGetById):
3435         (JSC::DFG::SpeculativeJIT::compile):
3436         * ftl/FTLCapabilities.cpp:
3437         (JSC::FTL::canCompile):
3438         * ftl/FTLLowerDFGToB3.cpp:
3439         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3440         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
3441         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
3442         (JSC::FTL::DFG::LowerDFGToB3::getById):
3443         * jit/JIT.cpp:
3444         (JSC::JIT::privateCompileMainPass):
3445         (JSC::JIT::privateCompileSlowCases):
3446         * jit/JIT.h:
3447         * jit/JITOperations.cpp:
3448         * jit/JITOperations.h:
3449         * jit/JITPropertyAccess.cpp:
3450         (JSC::JIT::emit_op_get_by_id_direct):
3451         (JSC::JIT::emitSlow_op_get_by_id_direct):
3452         * jit/JITPropertyAccess32_64.cpp:
3453         (JSC::JIT::emit_op_get_by_id_direct):
3454         (JSC::JIT::emitSlow_op_get_by_id_direct):
3455         * jit/Repatch.cpp:
3456         (JSC::appropriateOptimizingGetByIdFunction):
3457         (JSC::appropriateGetByIdFunction):
3458         (JSC::tryCacheGetByID):
3459         (JSC::repatchGetByID):
3460         (JSC::appropriateGenericGetByIdFunction): Deleted.
3461         * jit/Repatch.h:
3462         * llint/LLIntSlowPaths.cpp:
3463         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3464         * llint/LLIntSlowPaths.h:
3465         * llint/LowLevelInterpreter32_64.asm:
3466         * llint/LowLevelInterpreter64.asm:
3467         * runtime/JSCJSValue.h:
3468         * runtime/JSCJSValueInlines.h:
3469         (JSC::JSValue::getOwnPropertySlot const):
3470         * runtime/JSObject.h:
3471         * runtime/JSObjectInlines.h:
3472         (JSC::JSObject::getOwnPropertySlotInline):
3473
3474 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3475
3476         [JSC] Remove several asXXX functions
3477         https://bugs.webkit.org/show_bug.cgi?id=184355
3478
3479         Reviewed by JF Bastien.
3480
3481         Remove asActivation, asInternalFunction, and asGetterSetter.
3482         Use jsCast<> / jsDynamicCast<> consistently.
3483
3484         * runtime/ArrayConstructor.cpp:
3485         (JSC::constructArrayWithSizeQuirk):
3486         * runtime/AsyncFunctionConstructor.cpp:
3487         (JSC::callAsyncFunctionConstructor):
3488         (JSC::constructAsyncFunctionConstructor):
3489         * runtime/AsyncGeneratorFunctionConstructor.cpp:
3490         (JSC::callAsyncGeneratorFunctionConstructor):
3491         (JSC::constructAsyncGeneratorFunctionConstructor):
3492         * runtime/BooleanConstructor.cpp:
3493         (JSC::constructWithBooleanConstructor):
3494         * runtime/DateConstructor.cpp:
3495         (JSC::constructWithDateConstructor):
3496         * runtime/ErrorConstructor.cpp:
3497         (JSC::Interpreter::constructWithErrorConstructor):
3498         (JSC::Interpreter::callErrorConstructor):
3499         * runtime/FunctionConstructor.cpp:
3500         (JSC::constructWithFunctionConstructor):
3501         (JSC::callFunctionConstructor):
3502         * runtime/FunctionPrototype.cpp:
3503         (JSC::functionProtoFuncToString):
3504         * runtime/GeneratorFunctionConstructor.cpp:
3505         (JSC::callGeneratorFunctionConstructor):
3506         (JSC::constructGeneratorFunctionConstructor):
3507         * runtime/GetterSetter.h:
3508         (JSC::asGetterSetter): Deleted.
3509         * runtime/InternalFunction.h:
3510         (JSC::asInternalFunction): Deleted.
3511         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3512         (JSC::constructGenericTypedArrayView):
3513         * runtime/JSLexicalEnvironment.h:
3514         (JSC::asActivation): Deleted.
3515         * runtime/JSObject.cpp:
3516         (JSC::validateAndApplyPropertyDescriptor):
3517         * runtime/MapConstructor.cpp:
3518         (JSC::constructMap):
3519         * runtime/PropertyDescriptor.cpp:
3520         (JSC::PropertyDescriptor::setDescriptor):
3521         * runtime/RegExpConstructor.cpp:
3522         (JSC::constructWithRegExpConstructor):
3523         (JSC::callRegExpConstructor):
3524         * runtime/SetConstructor.cpp:
3525         (JSC::constructSet):
3526         * runtime/StringConstructor.cpp:
3527         (JSC::constructWithStringConstructor):
3528         * runtime/WeakMapConstructor.cpp:
3529         (JSC::constructWeakMap):
3530         * runtime/WeakSetConstructor.cpp:
3531         (JSC::constructWeakSet):
3532         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3533         (JSC::constructJSWebAssemblyCompileError):
3534         (JSC::callJSWebAssemblyCompileError):
3535         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3536         (JSC::constructJSWebAssemblyLinkError):
3537         (JSC::callJSWebAssemblyLinkError):
3538         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3539         (JSC::constructJSWebAssemblyRuntimeError):
3540         (JSC::callJSWebAssemblyRuntimeError):
3541
3542 2018-04-05  Mark Lam  <mark.lam@apple.com>
3543
3544         MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
3545         https://bugs.webkit.org/show_bug.cgi?id=184347
3546         <rdar://problem/39183165>
3547
3548         Reviewed by Michael Saboff.
3549
3550         * assembler/MacroAssemblerCodeRef.h:
3551         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3552         (JSC::MacroAssemblerCodePtr::retagged const):
3553
3554 2018-04-05  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3555
3556         [MIPS] Optimize generated JIT code for branches
3557         https://bugs.webkit.org/show_bug.cgi?id=183130
3558
3559         Reviewed by Yusuke Suzuki.
3560
3561         The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
3562         branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
3563         to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
3564         However, this adds a significant overhead for all other types of branches. Since these nops
3565         protect the code that is generated by branchPtrWithPatch, this function seems like a better
3566         place to add them.
3567
3568         * assembler/MIPSAssembler.h:
3569         (JSC::MIPSAssembler::repatchInt32):
3570         (JSC::MIPSAssembler::revertJumpToMove):
3571         * assembler/MacroAssemblerMIPS.h:
3572         (JSC::MacroAssemblerMIPS::branchAdd32):
3573         (JSC::MacroAssemblerMIPS::branchMul32):
3574         (JSC::MacroAssemblerMIPS::branchSub32):
3575         (JSC::MacroAssemblerMIPS::branchNeg32):
3576         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
3577         (JSC::MacroAssemblerMIPS::branchEqual):
3578         (JSC::MacroAssemblerMIPS::branchNotEqual):
3579
3580 2018-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3581
3582         [WTF] Remove StaticLock
3583         https://bugs.webkit.org/show_bug.cgi?id=184332
3584
3585         Reviewed by Mark Lam.
3586
3587         * API/JSValue.mm:
3588         (handerForStructTag):
3589         * API/JSVirtualMachine.mm:
3590         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
3591         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
3592         * API/glib/JSCVirtualMachine.cpp:
3593         (addWrapper):
3594         (removeWrapper):
3595         * assembler/testmasm.cpp:
3596         * b3/air/testair.cpp:
3597         * b3/testb3.cpp:
3598         * bytecode/SuperSampler.cpp:
3599         * dfg/DFGCommon.cpp:
3600         * dfg/DFGCommonData.cpp:
3601         * dynbench.cpp:
3602         * heap/MachineStackMarker.cpp:
3603         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3604         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
3605         (Inspector::RemoteTargetHandleRunSourceGlobal):
3606         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
3607         * interpreter/CLoopStack.cpp:
3608         * parser/SourceProvider.cpp:
3609         * profiler/ProfilerDatabase.cpp:
3610         * profiler/ProfilerUID.cpp:
3611         (JSC::Profiler::UID::create):
3612         * runtime/IntlObject.cpp:
3613         (JSC::numberingSystemsForLocale):
3614         * runtime/JSLock.cpp:
3615         * runtime/JSLock.h:
3616         * runtime/SamplingProfiler.cpp:
3617         (JSC::SamplingProfiler::registerForReportAtExit):
3618         * runtime/VM.cpp:
3619         * wasm/WasmFaultSignalHandler.cpp:
3620
3621 2018-04-04  Mark Lam  <mark.lam@apple.com>
3622
3623         Add pointer profiling support to the DFG and supporting files.
3624         https://bugs.webkit.org/show_bug.cgi?id=184316
3625         <rdar://problem/39188524>
3626
3627         Reviewed by Filip Pizlo.
3628
3629         1. Profile lots of pointers with PtrTags.
3630
3631         2. Remove PtrTag.cpp and make ptrTagName() into an inline function.  It's only
3632            used for debugging anyway, and not normally called in the code.  Making it
3633            an inline function prevents it from taking up code space in builds when not in
3634            use.
3635
3636         3. Change the call to the arityFixupThunk in DFG code to be a near call.
3637            It doesn't need to be a far call.
3638
3639         * CMakeLists.txt:
3640         * JavaScriptCore.xcodeproj/project.pbxproj:
3641         * Sources.txt:
3642         * assembler/testmasm.cpp:
3643         (JSC::testProbeModifiesProgramCounter):
3644         * b3/B3LowerMacros.cpp:
3645         * b3/air/AirCCallSpecial.cpp:
3646         (JSC::B3::Air::CCallSpecial::generate):
3647         * b3/air/AirCCallSpecial.h:
3648         * b3/testb3.cpp:
3649         (JSC::B3::testInterpreter):
3650         * bytecode/AccessCase.cpp:
3651         (JSC::AccessCase::generateImpl):
3652         * bytecode/HandlerInfo.h:
3653         (JSC::HandlerInfo::initialize):
3654         * bytecode/PolymorphicAccess.cpp:
3655         (JSC::PolymorphicAccess::regenerate):
3656         * dfg/DFGJITCompiler.cpp:
3657         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3658         (JSC::DFG::JITCompiler::link):
3659         (JSC::DFG::JITCompiler::compileFunction):
3660         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3661         * dfg/DFGJITCompiler.h:
3662         (JSC::DFG::JITCompiler::appendCall):
3663         * dfg/DFGOSREntry.cpp:
3664         (JSC::DFG::prepareOSREntry):
3665         * dfg/DFGOSRExit.cpp:
3666         (JSC::DFG::reifyInlinedCallFrames):
3667         (JSC::DFG::adjustAndJumpToTarget):
3668         (JSC::DFG::OSRExit::emitRestoreArguments):
3669         (JSC::DFG::OSRExit::compileOSRExit):
3670         * dfg/DFGOSRExitCompilerCommon.cpp:
3671         (JSC::DFG::handleExitCounts):
3672         (JSC::DFG::reifyInlinedCallFrames):
3673         (JSC::DFG::osrWriteBarrier):
3674         (JSC::DFG::adjustAndJumpToTarget):
3675         * dfg/DFGOperations.cpp:
3676         * dfg/DFGSlowPathGenerator.h:
3677         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
3678         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
3679         (JSC::DFG::slowPathCall):
3680         * dfg/DFGSpeculativeJIT.cpp:
3681         (JSC::DFG::SpeculativeJIT::compileMathIC):
3682         * dfg/DFGSpeculativeJIT.h:
3683         (JSC::DFG::SpeculativeJIT::callOperation):
3684         (JSC::DFG::SpeculativeJIT::appendCall):
3685         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3686         * dfg/DFGSpeculativeJIT64.cpp:
3687         (JSC::DFG::SpeculativeJIT::cachedGetById):
3688         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3689         (JSC::DFG::SpeculativeJIT::cachedPutById):
3690         (JSC::DFG::SpeculativeJIT::compile):
3691         * dfg/DFGThunks.cpp:
3692         (JSC::DFG::osrExitThunkGenerator):
3693         (JSC::DFG::osrExitGenerationThunkGenerator):
3694         (JSC::DFG::osrEntryThunkGenerator):
3695         * jit/AssemblyHelpers.cpp:
3696         (JSC::AssemblyHelpers::emitDumbVirtualCall):
3697         * jit/JIT.cpp:
3698         (JSC::JIT::emitEnterOptimizationCheck):
3699         (JSC::JIT::compileWithoutLinking):
3700         * jit/JITCall.cpp:
3701         (JSC::JIT::compileOpCallSlowCase):
3702         * jit/JITMathIC.h:
3703         (JSC::isProfileEmpty):
3704         * jit/JITOpcodes.cpp:
3705         (JSC::JIT::emit_op_catch):
3706         (JSC::JIT::emitSlow_op_loop_hint):
3707         * jit/JITOperations.cpp:
3708         * jit/Repatch.cpp:
3709         (JSC::linkSlowFor):
3710         (JSC::linkFor):
3711         (JSC::revertCall):
3712         (JSC::unlinkFor):
3713         (JSC::linkVirtualFor):
3714         (JSC::linkPolymorphicCall):
3715         * jit/ThunkGenerators.cpp:
3716         (JSC::throwExceptionFromCallSlowPathGenerator):
3717         (JSC::linkCallThunkGenerator):
3718         (JSC::linkPolymorphicCallThunkGenerator):
3719         (JSC::virtualThunkFor):
3720         (JSC::arityFixupGenerator):
3721         (JSC::unreachableGenerator):
3722         * runtime/PtrTag.cpp: Removed.
3723         * runtime/PtrTag.h:
3724         (JSC::ptrTagName):
3725         * runtime/VMEntryScope.cpp:
3726         * wasm/js/WasmToJS.cpp:
3727         (JSC::Wasm::wasmToJS):
3728
3729 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
3730
3731         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
3732         https://bugs.webkit.org/show_bug.cgi?id=184319
3733
3734         Reviewed by Saam Barati.
3735
3736         In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
3737         assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
3738         the ArrayPush.
3739
3740         But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
3741         GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
3742         eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
3743         with a GetByVal(SaneChain), then we will hit the assertion.
3744
3745         This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
3746         tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
3747         than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
3748
3749         * dfg/DFGCSEPhase.cpp:
3750         * dfg/DFGClobberize.h:
3751         (JSC::DFG::clobberize):
3752         * dfg/DFGHeapLocation.cpp:
3753         (WTF::printInternal):
3754         * dfg/DFGHeapLocation.h:
3755         * dfg/DFGSpeculativeJIT.cpp:
3756         (JSC::DFG::SpeculativeJIT::compileArrayPush):
3757
3758 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
3759
3760         Remove poisoning of typed array vector
3761         https://bugs.webkit.org/show_bug.cgi?id=184313
3762
3763         Reviewed by Saam Barati.
3764
3765         * dfg/DFGFixupPhase.cpp:
3766         (JSC::DFG::FixupPhase::checkArray):
3767         * dfg/DFGSpeculativeJIT.cpp:
3768         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
3769         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3770         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3771         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
3772         * ftl/FTLAbstractHeapRepository.h:
3773         * ftl/FTLLowerDFGToB3.cpp:
3774         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3775         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
3776         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3777         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
3778         * jit/IntrinsicEmitter.cpp:
3779         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
3780         * jit/JITPropertyAccess.cpp:
3781         (JSC::JIT::emitIntTypedArrayGetByVal):
3782         (JSC::JIT::emitFloatTypedArrayGetByVal):
3783         (JSC::JIT::emitIntTypedArrayPutByVal):
3784         (JSC::JIT::emitFloatTypedArrayPutByVal):
3785         * llint/LowLevelInterpreter.asm:
3786         * llint/LowLevelInterpreter64.asm:
3787         * offlineasm/arm64.rb:
3788         * offlineasm/x86.rb:
3789         * runtime/CagedBarrierPtr.h:
3790         * runtime/JSArrayBufferView.cpp:
3791         (JSC::JSArrayBufferView::JSArrayBufferView):
3792         (JSC::JSArrayBufferView::finalize):
3793         (JSC::JSArrayBufferView::neuter):
3794         * runtime/JSArrayBufferView.h:
3795         (JSC::JSArrayBufferView::vector const):
3796         (JSC::JSArrayBufferView::offsetOfVector):
3797         (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
3798         (JSC::JSArrayBufferView::poisonFor): Deleted.
3799         (JSC::JSArrayBufferView::Poison::key): Deleted.
3800         * runtime/JSCPoison.cpp:
3801         (JSC::initializePoison):
3802         * runtime/JSCPoison.h:
3803         * runtime/JSGenericTypedArrayViewInlines.h:
3804         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
3805         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
3806         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3807         * runtime/JSObject.h:
3808
3809 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3810
3811         Don't do index masking or poisoning for DirectArguments
3812         https://bugs.webkit.org/show_bug.cgi?id=184280
3813
3814         Reviewed by Saam Barati.
3815
3816         * JavaScriptCore.xcodeproj/project.pbxproj:
3817         * bytecode/AccessCase.cpp:
3818         (JSC::AccessCase::generateWithGuard):
3819         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3820         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
3821         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
3822         * dfg/DFGSpeculativeJIT.cpp:
3823         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3824         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3825         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3826         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
3827         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
3828         * ftl/FTLAbstractHeapRepository.h:
3829         * ftl/FTLLowerDFGToB3.cpp:
3830         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
3831         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3832         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3833         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
3834         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
3835         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3836         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
3837         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
3838         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
3839         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
3840         * heap/SecurityKind.h:
3841         * jit/JITPropertyAccess.cpp:
3842         (JSC::JIT::emit_op_get_from_arguments):
3843         (JSC::JIT::emit_op_put_to_arguments):
3844         (JSC::JIT::emitDirectArgumentsGetByVal):
3845         * jit/JITPropertyAccess32_64.cpp:
3846         (JSC::JIT::emit_op_get_from_arguments):
3847         (JSC::JIT::emit_op_put_to_arguments):
3848         * llint/LowLevelInterpreter.asm:
3849         * llint/LowLevelInterpreter32_64.asm:
3850         * llint/LowLevelInterpreter64.asm:
3851         * runtime/DirectArguments.cpp:
3852         (JSC::DirectArguments::DirectArguments):
3853         (JSC::DirectArguments::createUninitialized):
3854         (JSC::DirectArguments::create):
3855         (JSC::DirectArguments::createByCopying):
3856         (JSC::DirectArguments::estimatedSize):
3857         (JSC::DirectArguments::visitChildren):
3858         (JSC::DirectArguments::overrideThings):
3859         (JSC::DirectArguments::copyToArguments):
3860         (JSC::DirectArguments::mappedArgumentsSize):
3861         * runtime/DirectArguments.h:
3862         * runtime/JSCPoison.h:
3863         * runtime/JSLexicalEnvironment.h:
3864         * runtime/JSSymbolTableObject.h:
3865
3866 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3867
3868         JSArray::appendMemcpy seems to be missing a barrier
3869         https://bugs.webkit.org/show_bug.cgi?id=184290
3870
3871         Reviewed by Mark Lam.
3872         
3873         If you write to an array that may contain pointers and you didn't just allocate it, then you need to
3874         barrier right after.
3875         
3876         I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
3877         obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
3878
3879         * runtime/JSArray.cpp:
3880         (JSC::JSArray::appendMemcpy):
3881
3882 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3883
3884         GC shouldn't do object distancing
3885         https://bugs.webkit.org/show_bug.cgi?id=184195
3886
3887         Reviewed by Saam Barati.
3888         
3889         This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
3890         to be a small speed-up.
3891
3892         * CMakeLists.txt:
3893         * JavaScriptCore.xcodeproj/project.pbxproj:
3894         * Sources.txt:
3895         * heap/BlockDirectory.cpp:
3896         (JSC::BlockDirectory::findBlockForAllocation):
3897         (JSC::BlockDirectory::addBlock):
3898         * heap/BlockDirectory.h:
3899         * heap/CellAttributes.cpp:
3900         (JSC::CellAttributes::dump const):
3901         * heap/CellAttributes.h:
3902         (JSC::CellAttributes::CellAttributes):
3903         * heap/LocalAllocator.cpp:
3904         (JSC::LocalAllocator::allocateSlowCase):
3905         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
3906         * heap/MarkedBlock.cpp:
3907         (JSC::MarkedBlock::Handle::didAddToDirectory):
3908         * heap/MarkedBlock.h:
3909         (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
3910         * heap/SecurityKind.cpp: Removed.
3911         * heap/SecurityKind.h: Removed.
3912         * heap/SecurityOriginToken.cpp: Removed.
3913         * heap/SecurityOriginToken.h: Removed.
3914         * heap/ThreadLocalCache.cpp:
3915         (JSC::ThreadLocalCache::create):
3916         (JSC::ThreadLocalCache::ThreadLocalCache):
3917         * heap/ThreadLocalCache.h:
3918         (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
3919         * runtime/JSDestructibleObjectHeapCellType.cpp:
3920         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3921         * runtime/JSGlobalObject.cpp:
3922         (JSC::JSGlobalObject::JSGlobalObject):
3923         * runtime/JSGlobalObject.h:
3924         (JSC::JSGlobalObject::threadLocalCache const): Deleted.
3925         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
3926         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3927         * runtime/JSStringHeapCellType.cpp:
3928         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3929         * runtime/VM.cpp:
3930         (JSC::VM::VM):
3931         * runtime/VM.h:
3932         * runtime/VMEntryScope.cpp:
3933         (JSC::VMEntryScope::VMEntryScope):
3934         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
3935         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3936
3937 2018-04-02  Saam Barati  <sbarati@apple.com>
3938
3939         bmalloc should compute its own estimate of its footprint
3940         https://bugs.webkit.org/show_bug.cgi?id=184121
3941
3942         Reviewed by Filip Pizlo.
3943
3944         * heap/IsoAlignedMemoryAllocator.cpp:
3945         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3946         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3947         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3948
3949 2018-04-02  Mark Lam  <mark.lam@apple.com>
3950
3951         We should not trash the stack pointer on OSR entry.
3952         https://bugs.webkit.org/show_bug.cgi?id=184243
3953         <rdar://problem/39114319>
3954
3955         Reviewed by Filip Pizlo.
3956
3957         In the DFG OSR entry path, we momentarily over-write the stack pointer with
3958         returnValueGPR2.  returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
3959         Hence, this assignment is wrong, and it turns out to be unnecessary as well.
3960         The stack pointer does get corrected later in the thunk (generated by
3961         osrEntryThunkGenerator()) that we jump to.  This is why we don't see ill-effects
3962         so far.
3963
3964         This bug only poses an issue if interrupts use the user stack for their stack
3965         frame (e.g. linux), and when we do stack alignment tests during debugging.
3966
3967         The fix is simply to remove the assignment.
3968
3969         * dfg/DFGThunks.cpp:
3970         (JSC::DFG::osrEntryThunkGenerator):
3971         * jit/JIT.cpp:
397