55e305b4702056dbc5bbe997f9ee94364d5d0faa
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Do not check isValid() in op_new_regexp
        https://bugs.webkit.org/show_bug.cgi?id=180970

        Reviewed by Saam Barati.

        We should not check `isValid()` inside op_new_regexp.
        This simplifies the semantics of the NewRegexp node in DFG.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewRegexp):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2017-12-20  Saam Barati  <sbarati@apple.com>

        GetPropertyEnumerator in DFG/FTL should not unconditionally speculate cell
        https://bugs.webkit.org/show_bug.cgi?id=181054

        Reviewed by Mark Lam.

        Speedometer's react subtest has a function that is in an OSR exit loop because
        we used to unconditionally speculate cell for the operand to GetPropertyEnumerator.
        This fix doesn't seem to speed up Speedometer at all, but it's good hygiene
        for our compiler to not have this pathology. This patch adds a generic
        GetPropertyEnumerator to prevent the exit loop.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2017-12-20  Daniel Bates  <dabates@apple.com>

        Remove Alternative Presentation Button
        https://bugs.webkit.org/show_bug.cgi?id=180500
        <rdar://problem/35891047>

        Reviewed by Simon Fraser.

        We no longer need the alternative presentation button.

        * Configurations/FeatureDefines.xcconfig:

2017-12-19  Saam Barati  <sbarati@apple.com>

        We forgot to do index masking for in bounds int32 arrays in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=180987

        Reviewed by Keith Miller.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):

2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] NewRegexp should be fast
        https://bugs.webkit.org/show_bug.cgi?id=180960

        Reviewed by Michael Saboff.

        When we encounter a RegExp literal like /AAA/g, we need to create a RegExp object.
        A typical idiom like `string.match(/regexp/)` requires RegExp object creation
        every time.

        As a first step, this patch accelerates RegExp object creation by handling it
        in DFG and FTL. In a subsequent patch, we would like to introduce PhantomNewRegexp
        to remove unnecessary RegExp object creations.

        This patch improves SixSpeed/regex-u.{es5,es6}.

                                     baseline                  patched

            regex-u.es5          69.6759+-3.1951     ^     53.1425+-2.0292        ^ definitely 1.3111x faster
            regex-u.es6         129.5413+-5.4437     ^    107.2105+-7.7775        ^ definitely 1.2083x faster

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewRegexp):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_regexp):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::offsetOfRegExp):
        (JSC::RegExpObject::allocationSize):

2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, include YarrErrorCode.h in Yarr.h
        https://bugs.webkit.org/show_bug.cgi?id=180966

        * yarr/Yarr.h:

2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [YARR] Yarr should return ErrorCode instead of error messages (const char*)
        https://bugs.webkit.org/show_bug.cgi?id=180966

        Reviewed by Mark Lam.

        Currently, Yarr returns `const char*` for an error message when needed.
        But it is easier to handle error status if Yarr returns an error code
        instead of `const char*`.

        In this patch, we introduce Yarr::ErrorCode. Yarr returns it instead of
        `const char*`. `std::expected<void, Yarr::ErrorCode>` would be appropriate
        for the Yarr API interface. But it requires substantial changes removing
        ErrorCode::NoError, so this patch just uses the current Yarr::ErrorCode as
        a first step.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createRegExp):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createRegExp):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::byteCodeCompileIfNecessary):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExp.h:
        * yarr/RegularExpression.cpp:
        (JSC::Yarr::RegularExpression::Private::Private):
        (JSC::Yarr::RegularExpression::Private::compile):
        * yarr/YarrErrorCode.cpp: Added.
        (JSC::Yarr::errorMessage):
        * yarr/YarrErrorCode.h: Copied from Source/JavaScriptCore/yarr/YarrSyntaxChecker.h.
        (JSC::Yarr::hasError):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
        (JSC::Yarr::Parser::Parser):
        (JSC::Yarr::Parser::isIdentityEscapeAnError):
        (JSC::Yarr::Parser::parseEscape):
        (JSC::Yarr::Parser::parseCharacterClass):
        (JSC::Yarr::Parser::parseParenthesesBegin):
        (JSC::Yarr::Parser::parseParenthesesEnd):
        (JSC::Yarr::Parser::parseQuantifier):
        (JSC::Yarr::Parser::parseTokens):
        (JSC::Yarr::Parser::parse):
        (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
        (JSC::Yarr::Parser::tryConsumeUnicodePropertyExpression):
        (JSC::Yarr::parse):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
        (JSC::Yarr::YarrPatternConstructor::setupOffsets):
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::YarrPattern::YarrPattern):
        (JSC::Yarr::YarrPattern::errorMessage): Deleted.
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        * yarr/YarrSyntaxChecker.cpp:
        (JSC::Yarr::checkSyntax):
        * yarr/YarrSyntaxChecker.h:

2017-12-18  Saam Barati  <sbarati@apple.com>

        Follow up to bug#179762. Fix PreciseLocalClobberize to handle Spread/PhantomSpread(PhantomNewArrayBuffer)

        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):

2017-12-16  Filip Pizlo  <fpizlo@apple.com>

        Vector index masking
        https://bugs.webkit.org/show_bug.cgi?id=180909

        Reviewed by Keith Miller.

        Adopt index masking for strings.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
        * jit/ThunkGenerators.cpp:
        (JSC::stringCharLoad):

2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] NewArrayBuffer should be sinked if it is only used for spreading
        https://bugs.webkit.org/show_bug.cgi?id=179762

        Reviewed by Saam Barati.

        This patch extends arguments elimination phase to accept NewArrayBuffer.
        We can convert NewArrayBuffer to PhantomNewArrayBuffer if it is only
        used by spreading nodes.

        This improves SixSpeed spread.es6 by 3.5x.

            spread.es6           79.1496+-3.5665     ^     23.6204+-1.8526        ^ definitely 3.3509x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasNewArrayBufferData):
        (JSC::DFG::Node::hasVectorLengthHint):
        (JSC::DFG::Node::hasIndexingType):
        (JSC::DFG::Node::indexingType):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::isPhantomAllocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        (JSC::FTL::operationMaterializeObjectInOSR):

2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use IsoSpace for JSWeakMap and JSWeakSet to use finalizeUnconditionally
        https://bugs.webkit.org/show_bug.cgi?id=180916

        Reviewed by Darin Adler.

        This patch drops UnconditionalFinalizer for JSWeakMap and JSWeakSet by using IsoSpace.
        Since these cells always require calling finalizeUnconditionally, we do not need to
        track cells by using IsoCellSet.

        Currently we still have WeakReferenceHarvester in JSWeakMap and JSWeakSet. We should
        avoid using a global linked-list for this in the future.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * heap/Heap.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WeakMapImpl.cpp:
        (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
        (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally): Deleted.
        * runtime/WeakMapImpl.h:
        (JSC::WeakMapImpl::isWeakMap):
        (JSC::WeakMapImpl::isWeakSet):
        (JSC::WeakMapImpl::subspaceFor):
        * runtime/WeakMapImplInlines.h: Added.
        (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):

2017-12-17  Mark Lam  <mark.lam@apple.com>

        Hollow out stub implementation of InspectorBackendDispatcher::sendResponse().
        https://bugs.webkit.org/show_bug.cgi?id=180901
        <rdar://problem/36087649>

        Reviewed by Darin Adler.

        We only need to keep a deprecated implementation of InspectorValues,
        InspectorObjects, and InspectorBackendDispatcher::sendResponse() around so that
        older versions of Safari can link against and run with a build of the latest code
        in WebKit trunk. Older versions of System Safari used InspectorValues (via
        WebInspector.framework) for two things:

        1. Augmented JSContexts SPIs (via WebInspector.framework).
        2. maybe WebDriver.

        Neither of these is used when running SafariForWebKitDevelopment.  Since neither
        is used, we can stub out the symbols (InspectorValues, InspectorObjects,
        InspectorBackendDispatcher::sendResponse) to do nothing, and
        SafariForWebKitDevelopment will still continue to launch with trunk WebKit, and
        run without any observable bad behavior.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * SourcesCocoa.txt:
        * inspector/InspectorBackendDispatcher.cpp:
        * inspector/InspectorBackendDispatcher.h:
        * inspector/cocoa/DeprecatedInspectorValues.cpp:
        (Inspector::InspectorValue::null):
        (Inspector::InspectorValue::create):
        (Inspector::InspectorValue::asValue):
        (Inspector::InspectorValue::asObject):
        (Inspector::InspectorValue::asArray):
        (Inspector::InspectorValue::parseJSON):
        (Inspector::InspectorValue::toJSONString const):
        (Inspector::InspectorValue::asBoolean const):
        (Inspector::InspectorValue::asDouble const):
        (Inspector::InspectorValue::asInteger const):
        (Inspector::InspectorValue::asString const):
        (Inspector::InspectorValue::writeJSON const):
        (Inspector::InspectorValue::memoryCost const):
        (Inspector::InspectorObjectBase::openAccessors):
        (Inspector::InspectorObjectBase::memoryCost const):
        (Inspector::InspectorObjectBase::getBoolean const):
        (Inspector::InspectorObjectBase::getString const):
        (Inspector::InspectorObjectBase::getObject const):
        (Inspector::InspectorObjectBase::getArray const):
        (Inspector::InspectorObjectBase::getValue const):
        (Inspector::InspectorObjectBase::remove):
        (Inspector::InspectorObject::create):
        (Inspector::InspectorArrayBase::get const):
        (Inspector::InspectorArrayBase::memoryCost const):
        (Inspector::InspectorArray::create):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::InspectorObjectBase::~InspectorObjectBase): Deleted.
        (Inspector::InspectorObjectBase::asObject): Deleted.
        (Inspector::InspectorObjectBase::writeJSON const): Deleted.
        (Inspector::InspectorObjectBase::InspectorObjectBase): Deleted.
        (Inspector::InspectorArrayBase::~InspectorArrayBase): Deleted.
        (Inspector::InspectorArrayBase::asArray): Deleted.
        (Inspector::InspectorArrayBase::writeJSON const): Deleted.
        (Inspector::InspectorArrayBase::InspectorArrayBase): Deleted.
        * inspector/cocoa/DeprecatedInspectorValues.h: Removed.

2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][WebCore][CSSJIT] Remove VM reference in CSSJIT
        https://bugs.webkit.org/show_bug.cgi?id=180917

        Reviewed by Sam Weinig.

        We do not need to hold JIT flags in VM. We add
        static VM::{canUseJIT,canUseAssembler,canUseRegExpJIT} functions.

        * interpreter/AbstractPC.cpp:
        (JSC::AbstractPC::AbstractPC):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        (JSC::JITThunks::ctiNativeTailCall):
        (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
        (JSC::JITThunks::ctiInternalFunctionCall):
        (JSC::JITThunks::ctiInternalFunctionConstruct):
        (JSC::JITThunks::hostFunctionStub):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::shouldJIT):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/VM.cpp:
        (JSC::VM::canUseAssembler):
        (JSC::VM::canUseJIT):
        (JSC::VM::canUseRegExpJIT):
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::canUseJIT): Deleted.
        (JSC::VM::canUseRegExpJIT): Deleted.

2017-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Number of SlotVisitors can increase after setting up m_visitCounters
        https://bugs.webkit.org/show_bug.cgi?id=180906

        Reviewed by Filip Pizlo.

        The number of SlotVisitors can increase after setting up m_visitCounters.
        If it happens, our m_visitCounters misses the visit count of newly added
        SlotVisitors. It accidentally decides that constraints are converged.
        This leads to random assertion hits in Linux environments.

        In this patch, we compare the number of SlotVisitors in didVisitSomething().
        If the number of SlotVisitors is changed, we conservatively say we did
        visit something.

        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::numberOfSlotVisitors):
        * heap/MarkingConstraintSet.h:
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::didVisitSomething const):

2017-12-16  Keith Miller  <keith_miller@apple.com>

        Indexing should only be computed when the new structure has an indexing header.
        https://bugs.webkit.org/show_bug.cgi?id=180895

        Reviewed by Saam Barati.

        If we don't have an indexing header then we point the butterfly
        sizeof(IndexingHeader) past the end of the butterfly. This makes
        the computation of the offset simpler since it doesn't depend on
        the indexing headeriness of the butterfly.

        * jit/JITOperations.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):

2017-12-15  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r225941.

        This change introduced LayoutTest crashes and assertion
        failures.

        Reverted changeset:

        "Web Inspector: replace HTMLCanvasElement with
        CanvasRenderingContext for instrumentation logic"
        https://bugs.webkit.org/show_bug.cgi?id=180770
        https://trac.webkit.org/changeset/225941

2017-12-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, 32bit JSEmpty is not nullptr + CellTag
        https://bugs.webkit.org/show_bug.cgi?id=180804

        Add 32bit path for WeakMapGet.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):

2017-12-14  Saam Barati  <sbarati@apple.com>

        The CleanUp after LICM is erroneously removing a Check
        https://bugs.webkit.org/show_bug.cgi?id=180852
        <rdar://problem/36063494>

        Reviewed by Filip Pizlo.

        There was a bug where CleanUp phase relied on isProved() bits and LICM
        changed them in an invalid way. The bug is as follows:

        We have two loops, L1 and L2, and two preheaders, P1 and P2. L2 is nested
        inside of L1. We have a Check inside a node inside L1, say in basic block BB,
        and that Check dominates all of L2. This is also a hoisting candidate, so we
        hoist it outside of L1 and put it inside P1. Then, when we run AI, we look at
        the preheader for each loop inside L1, so P1 and P2. When considering P2,
        we execute the Check. Inside P2, before any hoisting is done, this Check
        is dead code, because BB dominates P2. When we use AI to "execute" the
        Check, it'll set its proof status to proved. This is because inside P2,
        in the program before LICM runs, the Check is indeed proven at P2. But
        it is not proven inside P1. This "execute" call will set our proof status
        for the node inside *P1*, hence, we crash.

        The fix here is to make LICM precise when updating the ProofStatus of an edge.
        It can trust the AI state at the preheader it hoists the node to, but it can't
        trust the state when executing effects inside inner loops' preheaders.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2017-12-14  David Kilzer  <ddkilzer@apple.com>

        Enable -Wstrict-prototypes for WebKit
        <https://webkit.org/b/180757>
        <rdar://problem/36024132>

        Rubber-stamped by Joseph Pecoraro.

        * API/tests/CompareAndSwapTest.h:
        (testCompareAndSwap): Add 'void' to C function declaration.
        * API/tests/ExecutionTimeLimitTest.h:
        (testExecutionTimeLimit): Ditto.
        * API/tests/FunctionOverridesTest.h:
        (testFunctionOverrides): Ditto.
        * API/tests/GlobalContextWithFinalizerTest.h:
        (testGlobalContextWithFinalizer): Ditto.
        * API/tests/JSONParseTest.h:
        (testJSONParse): Ditto.
        * API/tests/MultithreadedMultiVMExecutionTest.h:
        (startMultithreadedMultiVMExecutionTest): Ditto.
        (finalizeMultithreadedMultiVMExecutionTest): Ditto.
        * API/tests/PingPongStackOverflowTest.h:
        (testPingPongStackOverflow): Ditto.
        * Configurations/Base.xcconfig:
        (CLANG_WARN_STRICT_PROTOTYPES): Add. Set to YES.

2017-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Reduce register pressure of WeakMapGet to be used for 32bit
        https://bugs.webkit.org/show_bug.cgi?id=180804

        Reviewed by Saam Barati.

        This fixes 32bit failures of JSC by reducing register pressure of WeakMapGet.

        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::lockedCount const):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):

2017-12-14  Keith Miller  <keith_miller@apple.com>

        Unreviewed, forgot to add { }

        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):

2017-12-14  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
        https://bugs.webkit.org/show_bug.cgi?id=180770

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:

2017-12-14  Keith Miller  <keith_miller@apple.com>

        Fix assertion in JSObject's structure setting methods
        https://bugs.webkit.org/show_bug.cgi?id=180840

        Reviewed by Mark Lam.

        I forgot that when Typed Arrays have non-indexed properties
        added to them, they call the generic code. The generic code
        in turn calls the regular structure setting methods. Thus,
        these assertions were invalid and we should just avoid setting
        the indexing mask if we have a Typed Array.

        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):

2017-12-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r225695): Repro crash on yahoo login page
        https://bugs.webkit.org/show_bug.cgi?id=180761

        Reviewed by JF Bastien.

        Relanding r225695 with a fix.

        The fix is that we need to save the return address for a parentheses in
        the ParenContext because it is actually used by any immediately contained
        alternatives.

        Also did a little refactoring, changing occurrences of PatternContext to
        ParenContext since that is the name of the structure.

        * runtime/RegExp.cpp:
        (JSC::byteCodeCompilePattern):
        (JSC::RegExp::byteCodeCompileIfNecessary):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExp.h:
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * testRegExp.cpp:
        (parseRegExpLine):
        (runFromFiles):
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::dumpDisjunction):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
        (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
        (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
        (JSC::Yarr::YarrGenerator::initParenContextFreeList):
        (JSC::Yarr::YarrGenerator::allocateParenContext):
        (JSC::Yarr::YarrGenerator::freeParenContext):
        (JSC::Yarr::YarrGenerator::saveParenContext):
        (JSC::Yarr::YarrGenerator::restoreParenContext):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::storeToFrame):
        (JSC::Yarr::YarrGenerator::generateJITFailReturn):
        (JSC::Yarr::YarrGenerator::clearMatches):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::indentForNestingLevel):
        (JSC::Yarr::dumpUChar32):
        (JSC::Yarr::dumpCharacterClass):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::YarrPattern::dumpPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternTerm::containsAnyCaptures):
        (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
        (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
        (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
        (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
        (JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex):
        (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.

2017-12-13  Keith Miller  <keith_miller@apple.com>

        JSObjects should have a mask for loading indexed properties
        https://bugs.webkit.org/show_bug.cgi?id=180768

        Reviewed by Mark Lam.

        This patch adds a new member to JSObject that holds an indexing
        mask.  The indexing mask is bitwise ANDed with the index used to
        load a property.  If for whatever reason an attacker is able to
        clobber the vectorLength of our butterfly they still won't be able
        to read substantially past the end of the butterfly. For
        performance reasons we don't use the indexing masking for
        TypedArrays. Since TypedArrays are already gigacaged the risk of
        wild reads is still restricted.

        This patch is a <1% regression on Speedometer and ~3% regression
        on JetStream in my testing.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::urshiftPtr):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::baseIndex):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
        (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
735         (JSC::AssemblyHelpers::emitAllocateJSObject):
736         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
737         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
738         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
739         (JSC::AssemblyHelpers::storeButterfly): Deleted.
740         * jit/JITOpcodes.cpp:
741         (JSC::JIT::emit_op_new_object):
742         (JSC::JIT::emit_op_create_this):
743         * jit/JITOpcodes32_64.cpp:
744         (JSC::JIT::emit_op_new_object):
745         (JSC::JIT::emit_op_create_this):
746         * jit/JITPropertyAccess.cpp:
747         (JSC::JIT::emitDoubleLoad):
748         (JSC::JIT::emitContiguousLoad):
749         (JSC::JIT::emitArrayStorageLoad):
750         * llint/LowLevelInterpreter32_64.asm:
751         * llint/LowLevelInterpreter64.asm:
752         * runtime/ArrayStorage.h:
753         (JSC::ArrayStorage::availableVectorLength):
754         * runtime/Butterfly.h:
755         (JSC::ContiguousData::ContiguousData):
756         (JSC::ContiguousData::at const):
757         (JSC::ContiguousData::at):
758         (JSC::Butterfly::publicLength const):
759         (JSC::Butterfly::vectorLength const):
760         (JSC::Butterfly::computeIndexingMaskForVectorLength):
761         (JSC::Butterfly::computeIndexingMask):
762         (JSC::Butterfly::contiguousInt32):
763         (JSC::ContiguousData::operator[] const): Deleted.
764         (JSC::ContiguousData::operator[]): Deleted.
765         (JSC::Butterfly::publicLength): Deleted.
766         (JSC::Butterfly::vectorLength): Deleted.
767         * runtime/ButterflyInlines.h:
768         (JSC::ContiguousData<T>::at const):
769         (JSC::ContiguousData<T>::at):
770         * runtime/ClonedArguments.cpp:
771         (JSC::ClonedArguments::createEmpty):
772         * runtime/JSArray.cpp:
773         (JSC::JSArray::tryCreateUninitializedRestricted):
774         (JSC::JSArray::appendMemcpy):
775         (JSC::JSArray::setLength):
776         (JSC::JSArray::pop):
777         (JSC::JSArray::fastSlice):
778         (JSC::JSArray::shiftCountWithArrayStorage):
779         (JSC::JSArray::shiftCountWithAnyIndexingType):
780         (JSC::JSArray::unshiftCountWithAnyIndexingType):
781         (JSC::JSArray::fillArgList):
782         (JSC::JSArray::copyToArguments):
783         * runtime/JSArrayBufferView.cpp:
784         (JSC::JSArrayBufferView::JSArrayBufferView):
785         * runtime/JSArrayInlines.h:
786         (JSC::JSArray::pushInline):
787         * runtime/JSFixedArray.h:
788         (JSC::JSFixedArray::createFromArray):
789         * runtime/JSGenericTypedArrayViewInlines.h:
790         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
791         * runtime/JSObject.cpp:
792         (JSC::JSObject::getOwnPropertySlotByIndex):
793         (JSC::JSObject::putByIndex):
794         (JSC::JSObject::createInitialInt32):
795         (JSC::JSObject::createInitialDouble):
796         (JSC::JSObject::createInitialContiguous):
797         (JSC::JSObject::convertUndecidedToInt32):
798         (JSC::JSObject::convertUndecidedToDouble):
799         (JSC::JSObject::convertUndecidedToContiguous):
800         (JSC::JSObject::convertInt32ToDouble):
801         (JSC::JSObject::convertInt32ToArrayStorage):
802         (JSC::JSObject::convertDoubleToContiguous):
803         (JSC::JSObject::convertDoubleToArrayStorage):
804         (JSC::JSObject::convertContiguousToArrayStorage):
805         (JSC::JSObject::createInitialForValueAndSet):
806         (JSC::JSObject::deletePropertyByIndex):
807         (JSC::JSObject::getOwnPropertyNames):
808         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
809         (JSC::JSObject::countElements):
810         (JSC::JSObject::ensureLengthSlow):
811         (JSC::JSObject::reallocateAndShrinkButterfly):
812         (JSC::JSObject::getEnumerableLength):
813         * runtime/JSObject.h:
814         (JSC::JSObject::canGetIndexQuickly):
815         (JSC::JSObject::getIndexQuickly):
816         (JSC::JSObject::tryGetIndexQuickly const):
817         (JSC::JSObject::setIndexQuickly):
818         (JSC::JSObject::initializeIndex):
819         (JSC::JSObject::initializeIndexWithoutBarrier):
820         (JSC::JSObject::butterflyIndexingMaskOffset):
821         (JSC::JSObject::butterflyIndexingMask const):
822         (JSC::JSObject::setButterflyWithIndexingMask):
823         (JSC::JSObject::setButterfly):
824         (JSC::JSObject::nukeStructureAndSetButterfly):
825         (JSC::JSObject::JSObject):
826         * runtime/RegExpMatchesArray.h:
827         (JSC::tryCreateUninitializedRegExpMatchesArray):
828         * runtime/Structure.cpp:
829         (JSC::Structure::flattenDictionaryStructure):
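
The masking scheme this entry describes, as an added illustration that is not JSC's code: a toy indexed storage whose load path ANDs the index with a mask cached at allocation, so a clobbered vectorLength can no longer steer a load far past the allocation. The mask shape (all ones up to the highest set bit of vectorLength) and the names toyIndexingMask, ToyIndexedStorage, maskedLoad and worstCaseOverreadSlots are assumptions for this illustration; the ChangeLog does not give the exact formula JSC uses.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for the mask described in the entry (not JSC's own
// Butterfly::computeIndexingMaskForVectorLength): all ones up to and including
// the highest set bit of vectorLength. Every index below vectorLength passes
// through unchanged, and any index at all is clamped below 2 * vectorLength.
uint32_t toyIndexingMask(uint32_t vectorLength)
{
    if (!vectorLength)
        return 0;
    uint32_t mask = vectorLength;
    mask |= mask >> 1;
    mask |= mask >> 2;
    mask |= mask >> 4;
    mask |= mask >> 8;
    mask |= mask >> 16;
    return mask;
}

// Toy model of an object's indexed storage. In JSC the mask lives in the
// JSObject and the length in the butterfly; here both sit together.
struct ToyIndexedStorage {
    uint32_t vectorLength;        // the field the entry assumes could be clobbered
    uint32_t indexingMask;        // computed once at allocation, before any clobber
    std::vector<int32_t> slots;   // the actual allocation, vectorLength entries
};

ToyIndexedStorage allocateStorage(uint32_t vectorLength)
{
    ToyIndexedStorage s;
    s.vectorLength = vectorLength;
    s.indexingMask = toyIndexingMask(vectorLength);
    s.slots.assign(vectorLength, 0);
    for (uint32_t i = 0; i < vectorLength; ++i)
        s.slots[i] = static_cast<int32_t>(i * 10); // constructed sample contents
    return s;
}

struct LoadOutcome {
    bool passedLengthCheck;   // index < vectorLength, the check a clobber defeats
    uint32_t effectiveIndex;  // index & indexingMask, what actually addresses memory
    bool withinAllocation;    // effectiveIndex < slots.size()
    int32_t value;            // slot contents when withinAllocation, else 0
};

// The load path the entry describes: the usual length check, then the index is
// masked before it is used to address the storage.
LoadOutcome maskedLoad(const ToyIndexedStorage& s, uint32_t index)
{
    LoadOutcome out{};
    out.passedLengthCheck = index < s.vectorLength;
    if (!out.passedLengthCheck)
        return out;
    out.effectiveIndex = index & s.indexingMask;
    out.withinAllocation = out.effectiveIndex < s.slots.size();
    out.value = out.withinAllocation ? s.slots[out.effectiveIndex] : 0;
    return out;
}

// Upper bound on how many slots past the allocation a masked load can reach
// once vectorLength is no longer trustworthy: (mask + 1) - vectorLength.
uint32_t worstCaseOverreadSlots(uint32_t vectorLength)
{
    uint64_t reach = static_cast<uint64_t>(toyIndexingMask(vectorLength)) + 1;
    return static_cast<uint32_t>(reach - vectorLength);
}

int main()
{
    ToyIndexedStorage s = allocateStorage(5);      // mask 0b111
    LoadOutcome ok = maskedLoad(s, 3);             // in bounds: reads slot 3
    s.vectorLength = 0xFFFFFFFFu;                  // simulate the clobber the entry guards against
    LoadOutcome far = maskedLoad(s, 1000000);      // length check now passes, but 1000000 & 7 == 0
    std::printf("in-bounds load -> slot %u value %d\n", ok.effectiveIndex, ok.value);
    std::printf("clobbered load of 1000000 -> slot %u, worst-case overread %u slots\n",
                far.effectiveIndex, worstCaseOverreadSlots(5));
    return 0;
}
```

With a 5-slot allocation the mask is 7, so even with vectorLength clobbered the furthest reachable slot is index 7: three slots past the end rather than the whole address space.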
830
831 2017-12-14  David Kilzer  <ddkilzer@apple.com>
832
833         REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project
834
835         Fixes the following warning during builds:
836
837             Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h
838
839         * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate
840         entries for JSCPoisonedPtr.h.
841
842 2017-12-14  David Kilzer  <ddkilzer@apple.com>
843
844         REGRESSION (r225887): Build broke due to missing includes in InferredValue.h
845         <https://bugs.webkit.org/show_bug.cgi?id=180738>
846
847         * runtime/InferredValue.h: Attempt to fix build by adding
848         missing #include statements.
849
850 2017-12-13  Filip Pizlo  <fpizlo@apple.com>
851
852         Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement
853         https://bugs.webkit.org/show_bug.cgi?id=180783
854
855         Reviewed by Saam Barati.
856         
857         This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case:
858         
859             BB#1:
860                 a: Load(@x)
861                 b: Load(@x)
862                 c: Load(@b)
863             BB#2:
864                 d: Load(@b)
865             BB#3:
866                 e: Load(@b)
867         
868         Let's assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant
869         with both @c and @e. The problem is that by the time we get to @d, the CSE state will look like
870         this:
871
872             BB#1:
873                 a: Load(@x)
874                 b: Load(@x)
875                 c: Load(@a)
876                 memoryAtTail: {@x=>@a, @a=>@c}
877             BB#2:
878                 d: Load(@a) [sic]
879                 memoryAtTail: {@b=>@d}
880             BB#3:
881                 e: Load(@b)
882                 memoryAtTail: {@b=>@e} [sic]
883         
884         Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a.
885         But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail
886         map, we don't find it and leave the redundancy.
887         
888         I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford
889         this. It fixes the richards regression, since richards is super dependent on B3 CSE.
890
891         * b3/B3EliminateCommonSubexpressions.cpp: Logging.
892         * b3/B3Generate.cpp:
893         (JSC::B3::generateToAir): Fix the bug.
894         * b3/air/AirReportUsedRegisters.cpp:
895         (JSC::B3::Air::reportUsedRegisters): Logging.
896         * dfg/DFGByteCodeParser.cpp:
897         * dfg/DFGSSAConversionPhase.cpp:
898         (JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
899         * ftl/FTLLowerDFGToB3.cpp:
900         (JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
901
902 2017-12-13  Joseph Pecoraro  <pecoraro@apple.com>
903
904         REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources
905         https://bugs.webkit.org/show_bug.cgi?id=180787
906         <rdar://problem/35934838>
907
908         Reviewed by Brian Burg.
909
910         * inspector/ContentSearchUtilities.cpp:
911         (Inspector::ContentSearchUtilities::findMagicComment):
912         For empty / null strings just return. There is no use
913         trying to search them for a long common syntax.
914
915 2017-12-13  Saam Barati  <sbarati@apple.com>
916
917         Arrow functions need their own structure because they have different properties than sloppy functions
918         https://bugs.webkit.org/show_bug.cgi?id=180779
919         <rdar://problem/35814591>
920
921         Reviewed by Mark Lam.
922
923         We were using the same structure for sloppy functions and
924         arrow functions. This broke our IC caching machinery because
925         these two types of functions actually have different properties.
926         This patch gives them different structures.
927
928         * dfg/DFGAbstractInterpreterInlines.h:
929         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
930         * dfg/DFGSpeculativeJIT.cpp:
931         (JSC::DFG::SpeculativeJIT::compileNewFunction):
932         * ftl/FTLLowerDFGToB3.cpp:
933         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
934         * runtime/FunctionConstructor.cpp:
935         (JSC::constructFunctionSkippingEvalEnabledCheck):
936         * runtime/JSFunction.cpp:
937         (JSC::JSFunction::selectStructureForNewFuncExp):
938         (JSC::JSFunction::create):
939         * runtime/JSFunction.h:
940         * runtime/JSFunctionInlines.h:
941         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
942         * runtime/JSGlobalObject.cpp:
943         (JSC::JSGlobalObject::init):
944         (JSC::JSGlobalObject::visitChildren):
945         * runtime/JSGlobalObject.h:
946         (JSC::JSGlobalObject::arrowFunctionStructure const):
947
948 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
949
950         InferredValue should use IsoSubspace
951         https://bugs.webkit.org/show_bug.cgi?id=180738
952
953         Reviewed by Keith Miller.
954         
955         This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of
956         its UnconditionalFinalizer.
957
958         * JavaScriptCore.xcodeproj/project.pbxproj:
959         * heap/Heap.cpp:
960         (JSC::Heap::finalizeUnconditionalFinalizers):
961         * runtime/InferredValue.cpp:
962         (JSC::InferredValue::visitChildren):
963         (JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted.
964         (JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted.
965         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted.
966         * runtime/InferredValue.h:
967         (JSC::InferredValue::subspaceFor):
968         * runtime/InferredValueInlines.h: Added.
969         (JSC::InferredValue::finalizeUnconditionally):
970         * runtime/VM.cpp:
971         (JSC::VM::VM):
972         * runtime/VM.h:
973
974 2017-12-13  Devin Rousso  <webkit@devinrousso.com>
975
976         Web Inspector: add instrumentation for ImageBitmapRenderingContext
977         https://bugs.webkit.org/show_bug.cgi?id=180736
978
979         Reviewed by Joseph Pecoraro.
980
981         * inspector/protocol/Canvas.json:
982         * inspector/scripts/codegen/generator.py:
983
984 2017-12-13  Saam Barati  <sbarati@apple.com>
985
986         Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards
987         https://bugs.webkit.org/show_bug.cgi?id=180771
988
989         Reviewed by JF Bastien.
990
991         * dfg/DFGTypeCheckHoistingPhase.cpp:
992         (JSC::DFG::TypeCheckHoistingPhase::run):
993
994 2017-12-13  Saam Barati  <sbarati@apple.com>
995
996         REGRESSION(r225844): Around 850 new JSC failures on 32-bit
997         https://bugs.webkit.org/show_bug.cgi?id=180764
998
999         Unreviewed. We should only emit CheckStructureOrEmpty on 64-bit platforms.
1000
1001         * dfg/DFGTypeCheckHoistingPhase.cpp:
1002         (JSC::DFG::TypeCheckHoistingPhase::run):
1003
1004 2017-12-13  Michael Saboff  <msaboff@apple.com>
1005
1006         Unreviewed rollout of r225695. Caused a crash on the Yahoo login page.
1007
1008         That bug is tracked in https://bugs.webkit.org/show_bug.cgi?id=180761.
1009
1010         * runtime/RegExp.cpp:
1011         (JSC::RegExp::compile):
1012         (JSC::RegExp::compileMatchOnly):
1013         (JSC::byteCodeCompilePattern): Deleted.
1014         (JSC::RegExp::byteCodeCompileIfNecessary): Deleted.
1015         * runtime/RegExp.h:
1016         * runtime/RegExpInlines.h:
1017         (JSC::RegExp::matchInline):
1018         * testRegExp.cpp:
1019         (parseRegExpLine):
1020         (runFromFiles):
1021         * yarr/Yarr.h:
1022         * yarr/YarrInterpreter.cpp:
1023         (JSC::Yarr::ByteCompiler::compile):
1024         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1025         (JSC::Yarr::ByteCompiler::emitDisjunction):
1026         * yarr/YarrJIT.cpp:
1027         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1028         (JSC::Yarr::YarrGenerator::generate):
1029         (JSC::Yarr::YarrGenerator::backtrack):
1030         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1031         (JSC::Yarr::YarrGenerator::generateEnter):
1032         (JSC::Yarr::YarrGenerator::generateReturn):
1033         (JSC::Yarr::YarrGenerator::YarrGenerator):
1034         (JSC::Yarr::YarrGenerator::compile):
1035         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted.
1036         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted.
1037         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted.
1038         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
1039         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
1040         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
1041         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
1042         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
1043         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
1044         (JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
1045         (JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
1046         (JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
1047         (JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
1048         (JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
1049         (JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
1050         (JSC::Yarr::YarrGenerator::clearMatches): Deleted.
1051         * yarr/YarrJIT.h:
1052         (JSC::Yarr::YarrCodeBlock::execute):
1053         * yarr/YarrPattern.cpp:
1054         (JSC::Yarr::indentForNestingLevel):
1055         (JSC::Yarr::dumpUChar32):
1056         (JSC::Yarr::PatternTerm::dump):
1057         (JSC::Yarr::YarrPattern::dumpPattern):
1058         (JSC::Yarr::dumpCharacterClass): Deleted.
1059         * yarr/YarrPattern.h:
1060         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
1061         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
1062         (JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
1063         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
1064         (JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
1065         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
1066         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
1067         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.
1068
1069 2017-12-13  Mark Lam  <mark.lam@apple.com>
1070
1071         Fill out some Poisoned APIs, fix some bugs, and add some tests.
1072         https://bugs.webkit.org/show_bug.cgi?id=180724
1073         <rdar://problem/36006884>
1074
1075         Reviewed by JF Bastien.
1076
1077         * runtime/StructureTransitionTable.h:
1078
1079 2017-12-13  Caio Lima  <ticaiolima@gmail.com>
1080
1081         [ESNext][BigInt] Breaking tests on Debug build and 32-bit due to missing Exception check
1082         https://bugs.webkit.org/show_bug.cgi?id=180746
1083
1084         Reviewed by Saam Barati.
1085
1086         We have some uncaught exceptions that could happen due to OOM in
1087         JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patch
1088         catches such exceptions properly.
1089
1090         * runtime/JSBigInt.cpp:
1091         (JSC::JSBigInt::allocateFor):
1092         (JSC::JSBigInt::parseInt):
1093         * runtime/JSCJSValue.cpp:
1094         (JSC::JSValue::toStringSlowCase const):
1095
1096 2017-12-13  Saam Barati  <sbarati@apple.com>
1097
1098         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1099         https://bugs.webkit.org/show_bug.cgi?id=163579
1100         <rdar://problem/35455798>
1101
1102         Reviewed by Mark Lam.
1103
1104         Some functions in JavaScript do not have the "caller" and "arguments" properties.
1105         For example, strict functions do not. When reading our code that dealt with these
1106         types of functions, it was simply all wrong. We were doing weird things depending
1107         on the method table hook. This patch fixes this by doing what we should've been
1108         doing all along: when the JSFunction does not own the "caller"/"arguments" property,
1109         it should defer to its base class implementation for the various method table hooks.
1110
1111         * runtime/JSFunction.cpp:
1112         (JSC::JSFunction::put):
1113         (JSC::JSFunction::deleteProperty):
1114         (JSC::JSFunction::defineOwnProperty):
1115
1116 2017-12-13  Saam Barati  <sbarati@apple.com>
1117
1118         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1119         https://bugs.webkit.org/show_bug.cgi?id=180734
1120         <rdar://problem/35640547>
1121
1122         Reviewed by Yusuke Suzuki.
1123
1124         The |this| value may be TDZ. If type check hoisting phase
1125         hoists a CheckStructure to it, it will crash. This patch
1126         makes it so we emit CheckStructureOrEmpty for |this|.
1127
1128         * dfg/DFGTypeCheckHoistingPhase.cpp:
1129         (JSC::DFG::TypeCheckHoistingPhase::run):
1130
1131 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1132
1133         [JSC] Optimize Object.assign by single transition acceleration
1134         https://bugs.webkit.org/show_bug.cgi?id=180644
1135
1136         Reviewed by Saam Barati.
1137
1138         Handling the single transition is critical. Since this get() function is only used
1139         in two functions in Structure.cpp and is quite small, we can annotate it `inline`
1140         to accelerate it.
1141
1142         This improves SixSpeed/object-assign.es6 by 2.8%.
1143
1144                                     baseline                  patched
1145
1146         object-assign.es6      382.3548+-8.0461          371.6496+-5.7439          might be 1.0288x faster
1147
1148         * runtime/Structure.cpp:
1149         (JSC::StructureTransitionTable::get const):
1150
1151 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
1152
1153         Structure, StructureRareData, and PropertyTable should be in IsoSubspaces
1154         https://bugs.webkit.org/show_bug.cgi?id=180732
1155
1156         Rubber stamped by Mark Lam.
1157         
1158         We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are
1159         scalable enough to support that, so we should do it carefully.
1160
1161         * heap/MarkedSpace.cpp:
1162         * runtime/PropertyMapHashTable.h:
1163         * runtime/Structure.h:
1164         * runtime/StructureRareData.h:
1165         * runtime/VM.cpp:
1166         (JSC::VM::VM):
1167         * runtime/VM.h:
1168
1169 2017-12-12  Saam Barati  <sbarati@apple.com>
1170
1171         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1172         https://bugs.webkit.org/show_bug.cgi?id=180725
1173         <rdar://problem/35970511>
1174
1175         Reviewed by Michael Saboff.
1176
1177         * dfg/DFGClobberize.h:
1178         (JSC::DFG::clobberize):
1179         * dfg/DFGPreciseLocalClobberize.h:
1180         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1181
1182 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1183
1184         [JSC] Implement optimized WeakMap and WeakSet
1185         https://bugs.webkit.org/show_bug.cgi?id=179929
1186
1187         Reviewed by Saam Barati.
1188
1189         This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
1190         This is similar to HashMapImpl. But,
1191
1192         1. WeakMapImpl's buckets are not allocated in the GC heap since WeakMaps
1193         do not need to have iterators.
1194
1195         2. WeakMapImpl's buffer is allocated in the JSValue Gigacage instead
1196         of an auxiliary buffer. This is because we would like to allocate the buffer
1197         when finalizing GC. At that time, WeakMapImpl prunes dead entries and
1198         shrinks it if necessary. However, allocating from the GC heap during
1199         finalization is not allowed.
1200
1201         In particular, (2) is important since it ensures any WeakMap operations
1202         do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
1203         and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
1204         do not cause GC makes our implementation simple. To ensure this, we place
1205         DisallowGC for each WeakMap's interface.
1206
1207         In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
1208         WeakMapGet looks up the entry in WeakMapImpl and returns its value: the
1209         value for a WeakMap, and the key for a WeakSet. If it does not find a
1210         corresponding entry, it returns JSEmpty.
1211         ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.
1212
1213         This patch improves WeakMap and WeakSet operations.
1214
1215                                      baseline                  patched
1216
1217             weak-set-key        240.6932+-10.4923    ^    148.7606+-6.1784        ^ definitely 1.6180x faster
1218             weak-map-key        174.3176+-8.2680     ^    151.7053+-6.8723        ^ definitely 1.1491x faster
1219
1220         * JavaScriptCore.xcodeproj/project.pbxproj:
1221         * Sources.txt:
1222         * dfg/DFGAbstractHeap.h:
1223         * dfg/DFGAbstractInterpreterInlines.h:
1224         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1225         * dfg/DFGByteCodeParser.cpp:
1226         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1227         * dfg/DFGClobberize.h:
1228         (JSC::DFG::clobberize):
1229         * dfg/DFGDoesGC.cpp:
1230         (JSC::DFG::doesGC):
1231         * dfg/DFGFixupPhase.cpp:
1232         (JSC::DFG::FixupPhase::fixupNode):
1233         * dfg/DFGNode.h:
1234         (JSC::DFG::Node::hasHeapPrediction):
1235         * dfg/DFGNodeType.h:
1236         * dfg/DFGOperations.cpp:
1237         * dfg/DFGOperations.h:
1238         * dfg/DFGPredictionPropagationPhase.cpp:
1239         * dfg/DFGSafeToExecute.h:
1240         (JSC::DFG::safeToExecute):
1241         * dfg/DFGSpeculativeJIT.cpp:
1242         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
1243         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1244         * dfg/DFGSpeculativeJIT.h:
1245         * dfg/DFGSpeculativeJIT32_64.cpp:
1246         (JSC::DFG::SpeculativeJIT::compile):
1247         * dfg/DFGSpeculativeJIT64.cpp:
1248         (JSC::DFG::SpeculativeJIT::compile):
1249         * ftl/FTLAbstractHeapRepository.h:
1250         * ftl/FTLCapabilities.cpp:
1251         (JSC::FTL::canCompile):
1252         * ftl/FTLLowerDFGToB3.cpp:
1253         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1254         (JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
1255         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1256         * inspector/JSInjectedScriptHost.cpp:
1257         (Inspector::JSInjectedScriptHost::weakMapEntries):
1258         (Inspector::JSInjectedScriptHost::weakSetEntries):
1259         The existing code is incorrect: it can run GC and break WeakMap's iterator.
1260         We introduce a takeSnapshot function to WeakMapImpl, which retrieves live
1261         entries without causing any GC.
1262
1263         * runtime/HashMapImpl.h:
1264         (JSC::shouldShrink):
1265         (JSC::shouldRehashAfterAdd):
1266         (JSC::nextCapacity):
1267         (JSC::HashMapImpl::shouldRehashAfterAdd const):
1268         (JSC::HashMapImpl::shouldShrink const):
1269         (JSC::HashMapImpl::rehash):
1270         (JSC::WeakMapHash::hash): Deleted.
1271         (JSC::WeakMapHash::equal): Deleted.
1272         * runtime/Intrinsic.cpp:
1273         (JSC::intrinsicName):
1274         * runtime/Intrinsic.h:
1275         * runtime/JSWeakMap.cpp:
1276         * runtime/JSWeakMap.h:
1277         * runtime/JSWeakSet.cpp:
1278         * runtime/JSWeakSet.h:
1279         * runtime/VM.cpp:
1280         * runtime/WeakGCMap.h:
1281         (JSC::WeakGCMap::forEach): Deleted.
1282         * runtime/WeakMapBase.cpp: Removed.
1283         * runtime/WeakMapBase.h: Removed.
1284         * runtime/WeakMapConstructor.cpp:
1285         (JSC::constructWeakMap):
1286         * runtime/WeakMapImpl.cpp: Added.
1287         (JSC::WeakMapImpl<WeakMapBucket>::destroy):
1288         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
1289         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
1290         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
1291         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
1292         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
1293         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
1294         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
1295         * runtime/WeakMapImpl.h: Added.
1296         (JSC::jsWeakMapHash):
1297         (JSC::nextCapacityAfterRemoveBatching):
1298         (JSC::WeakMapBucket::setKey):
1299         (JSC::WeakMapBucket::setValue):
1300         (JSC::WeakMapBucket::key const):
1301         (JSC::WeakMapBucket::value const):
1302         (JSC::WeakMapBucket::copyFrom):
1303         (JSC::WeakMapBucket::offsetOfKey):
1304         (JSC::WeakMapBucket::offsetOfValue):
1305         (JSC::WeakMapBucket::extractValue):
1306         (JSC::WeakMapBucket::isEmpty):
1307         (JSC::WeakMapBucket::deletedKey):
1308         (JSC::WeakMapBucket::isDeleted):
1309         (JSC::WeakMapBucket::makeDeleted):
1310         (JSC::WeakMapBucket::visitAggregate):
1311         (JSC::WeakMapBucket::clearValue):
1312         (JSC::WeakMapBuffer::allocationSize):
1313         (JSC::WeakMapBuffer::buffer const):
1314         (JSC::WeakMapBuffer::create):
1315         (JSC::WeakMapBuffer::reset):
1316         (JSC::WeakMapImpl::WeakMapImpl):
1317         (JSC::WeakMapImpl::finishCreation):
1318         (JSC::WeakMapImpl::get):
1319         (JSC::WeakMapImpl::has):
1320         (JSC::WeakMapImpl::add):
1321         (JSC::WeakMapImpl::remove):
1322         (JSC::WeakMapImpl::size const):
1323         (JSC::WeakMapImpl::offsetOfBuffer):
1324         (JSC::WeakMapImpl::offsetOfCapacity):
1325         (JSC::WeakMapImpl::findBucket):
1326         (JSC::WeakMapImpl::buffer const):
1327         (JSC::WeakMapImpl::forEach):
1328         (JSC::WeakMapImpl::shouldRehashAfterAdd const):
1329         (JSC::WeakMapImpl::shouldShrink const):
1330         (JSC::WeakMapImpl::canUseBucket):
1331         (JSC::WeakMapImpl::addInternal):
1332         (JSC::WeakMapImpl::findBucketAlreadyHashed):
1333         (JSC::WeakMapImpl::rehash):
1334         (JSC::WeakMapImpl::checkConsistency const):
1335         (JSC::WeakMapImpl::makeAndSetNewBuffer):
1336         (JSC::WeakMapImpl::assertBufferIsEmpty const):
1337         (JSC::WeakMapImpl::DeadKeyCleaner::target):
1338         * runtime/WeakMapPrototype.cpp:
1339         (JSC::WeakMapPrototype::finishCreation):
1340         (JSC::protoFuncWeakMapGet):
1341         (JSC::protoFuncWeakMapHas):
1342         * runtime/WeakSetConstructor.cpp:
1343         (JSC::constructWeakSet):
1344         * runtime/WeakSetPrototype.cpp:
1345         (JSC::WeakSetPrototype::finishCreation):
1346         (JSC::protoFuncWeakSetHas):
1347         (JSC::protoFuncWeakSetAdd):
1348
1349 2017-12-11  Filip Pizlo  <fpizlo@apple.com>
1350
1351         It should be possible to flag a cell for unconditional finalization
1352         https://bugs.webkit.org/show_bug.cgi?id=180636
1353
1354         Reviewed by Saam Barati.
1355         
1356         UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
1357         global linked list - but they had some nice properties:
1358         
1359         - You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
1360           survived and needed it.
1361             -> Just needing it wasn't enough.
1362             -> Just surviving wasn't enough.
1363         
1364         The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
1365         finalizer logic to be invoked. I think that's not great. InferredType got around this by
1366         making InferredStructure a cell, but this was a gross hack. For one, it meant that
1367         InferredStructure would survive during the GC in which its finalizer obviated the need for its
1368         existence. It's not really an idiom I want us to repeat because it sounds like the sort of
1369         thing that turns out to be subtly broken.
1370         
1371         We really need to have a way of indicating when you have entered into the state that requires
1372         your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
1373         objects that need unconditional finalizers. Only the subset of that set that overlaps with the
1374         set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
1375         bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
1376         another level to say which atoms within a MarkedBlock have unconditional finalizers.
1377         
1378         This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
1379         IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
1380         auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
1381         add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
1382         you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
1383         about 0.8% increase in size to every object in the subspace that the set is attached to. So,
1384         it makes sense to have a handful per subspace max. This change only needs one per subspace,
1385         but you could imagine more if we do this for WeakReferenceHarvester.
1386         
1387         To absolutely minimize the possibility that this incurs costs, the add/remove/contains
1388         functions can be used from any thread so long as forEachMarkedCell isn't running. This means
1389         that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
1390         both survive and need it for the hardest work to take place. The work of adding does involve
1391         a gnarly load chain that ends in a CAS: load block handle from block, load index, load
1392         segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
1393         However, it's perfect for running in parallel since the only write operations are to widely
1394         dispersed cache lines that contain the bits underlying the set.
1395         
1396         The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
1397         that need unconditional finalizers, and only touches the memory of marked objects that have
1398         the unconditional finalizer bit set. It will walk those objects in roughly address order. I
1399         previously found that this speeds up walking over a lot of objects when I made similar changes
1400         for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a
1401         HashSet).
1402         
1403         This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.
1404         
1405         My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
1406         forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
1407         IsoSubspace in more places.
1408
1409         * JavaScriptCore.xcodeproj/project.pbxproj:
1410         * Sources.txt:
1411         * heap/AtomIndices.h: Added.
1412         (JSC::AtomIndices::AtomIndices):
1413         * heap/Heap.cpp:
1414         (JSC::Heap::finalizeUnconditionalFinalizers):
1415         * heap/Heap.h:
1416         * heap/IsoCellSet.cpp: Added.
1417         (JSC::IsoCellSet::IsoCellSet):
1418         (JSC::IsoCellSet::~IsoCellSet):
1419         (JSC::IsoCellSet::addSlow):
1420         (JSC::IsoCellSet::didResizeBits):
1421         (JSC::IsoCellSet::didRemoveBlock):
1422         (JSC::IsoCellSet::sweepToFreeList):
1423         * heap/IsoCellSet.h: Added.
1424         * heap/IsoCellSetInlines.h: Added.
1425         (JSC::IsoCellSet::add):
1426         (JSC::IsoCellSet::remove):
1427         (JSC::IsoCellSet::contains const):
1428         (JSC::IsoCellSet::forEachMarkedCell):
1429         * heap/IsoSubspace.cpp:
1430         (JSC::IsoSubspace::didResizeBits):
1431         (JSC::IsoSubspace::didRemoveBlock):
1432         (JSC::IsoSubspace::didBeginSweepingToFreeList):
1433         * heap/IsoSubspace.h:
1434         * heap/MarkedAllocator.cpp:
1435         (JSC::MarkedAllocator::addBlock):
1436         (JSC::MarkedAllocator::removeBlock):
1437         * heap/MarkedAllocator.h:
1438         * heap/MarkedAllocatorInlines.h:
1439         * heap/MarkedBlock.cpp:
1440         (JSC::MarkedBlock::Handle::sweep):
1441         (JSC::MarkedBlock::Handle::isEmpty): Deleted.
1442         * heap/MarkedBlock.h:
1443         (JSC::MarkedBlock::marks const):
1444         (JSC::MarkedBlock::Handle::newlyAllocated const):
1445         * heap/MarkedBlockInlines.h:
1446         (JSC::MarkedBlock::Handle::isAllocated):
1447         (JSC::MarkedBlock::Handle::isEmpty):
1448         (JSC::MarkedBlock::Handle::emptyMode):
1449         (JSC::MarkedBlock::Handle::forEachMarkedCell):
1450         * heap/Subspace.cpp:
1451         (JSC::Subspace::didResizeBits):
1452         (JSC::Subspace::didRemoveBlock):
1453         (JSC::Subspace::didBeginSweepingToFreeList):
1454         * heap/Subspace.h:
1455         * heap/SubspaceInlines.h:
1456         (JSC::Subspace::forEachMarkedCell):
1457         * runtime/InferredStructure.cpp:
1458         (JSC::InferredStructure::InferredStructure):
1459         (JSC::InferredStructure::create): Deleted.
1460         (JSC::InferredStructure::destroy): Deleted.
1461         (JSC::InferredStructure::createStructure): Deleted.
1462         (JSC::InferredStructure::visitChildren): Deleted.
1463         (JSC::InferredStructure::finalizeUnconditionally): Deleted.
1464         (JSC::InferredStructure::finishCreation): Deleted.
1465         * runtime/InferredStructure.h:
1466         * runtime/InferredStructureWatchpoint.cpp:
1467         (JSC::InferredStructureWatchpoint::fireInternal):
1468         * runtime/InferredType.cpp:
1469         (JSC::InferredType::visitChildren):
1470         (JSC::InferredType::willStoreValueSlow):
1471         (JSC::InferredType::makeTopSlow):
1472         (JSC::InferredType::set):
1473         (JSC::InferredType::removeStructure):
1474         (JSC::InferredType::finalizeUnconditionally):
1475         * runtime/InferredType.h:
1476         * runtime/VM.cpp:
1477         (JSC::VM::VM):
1478         * runtime/VM.h:
1479
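The two-level bitvector that the entry above describes (a bit per block saying whether any cell in it is a member, plus a bit per atom within the block) can be modelled in a few dozen lines. The block below is an added illustration written for this page, not JavaScriptCore's IsoCellSet; the block size, the way a cell address splits into block and atom indices, the mark bits and every name in it are assumptions of the model. It shows the property the entry relies on: the walk over marked members skips blocks with no members entirely, touches only atoms whose member bit and mark bit are both set, and visits them in address order, while sweeping only has to keep the marked subset accurate.

```python
"""Two-level cell set over a block-structured heap (toy model of the IsoCellSet
idea described above; added illustration, not JavaScriptCore code).  Cell
addresses, block size, mark bits and names are simplified assumptions."""

ATOMS_PER_BLOCK = 8  # assumption: cells per block (real MarkedBlocks hold far more)


class Block:
    """One block of equally sized cells with one mark bit per cell."""

    def __init__(self, index):
        self.index = index
        self.marks = 0  # bit i set <=> cell i survived the current GC

    def mark(self, atom):
        self.marks |= 1 << atom


def lowest_set_bit(bits):
    return (bits & -bits).bit_length() - 1


class IsoCellSet:
    """Level one: which blocks hold any member.  Level two: which atoms in each."""

    def __init__(self):
        self.block_bits = 0
        self.atom_bits = {}      # block index -> bitvector of member atoms
        self.blocks_visited = 0  # instrumentation for for_each_marked_cell

    @staticmethod
    def split(cell):
        """Cell address -> (block index, atom index); a model assumption."""
        return divmod(cell, ATOMS_PER_BLOCK)

    def add(self, cell):
        block, atom = self.split(cell)
        bits = self.atom_bits.get(block, 0)
        if bits >> atom & 1:
            return False  # already a member: the fast path performs no write
        self.atom_bits[block] = bits | 1 << atom
        if not self.block_bits >> block & 1:
            self.block_bits |= 1 << block  # slow path: first member in this block
        return True

    def remove(self, cell):
        block, atom = self.split(cell)
        self._set_block_bits(block, self.atom_bits.get(block, 0) & ~(1 << atom))

    def contains(self, cell):
        block, atom = self.split(cell)
        return bool(self.atom_bits.get(block, 0) >> atom & 1)

    def for_each_marked_cell(self, blocks):
        """Yield marked members in address order; blocks without members are skipped."""
        self.blocks_visited = 0
        remaining = self.block_bits
        while remaining:
            block = lowest_set_bit(remaining)
            remaining &= remaining - 1
            self.blocks_visited += 1
            live = self.atom_bits[block] & blocks[block].marks
            while live:
                atom = lowest_set_bit(live)
                live &= live - 1
                yield block * ATOMS_PER_BLOCK + atom

    def sweep(self, block):
        """Forget members that died: only the marked subset must stay accurate."""
        self._set_block_bits(block.index, self.atom_bits.get(block.index, 0) & block.marks)

    def _set_block_bits(self, block, bits):
        self.atom_bits[block] = bits
        if not bits:
            self.block_bits &= ~(1 << block)


def demo():
    """Constructed scenario: five members across blocks 0, 2 and 3; one GC cycle."""
    blocks = [Block(i) for i in range(4)]
    cell_set = IsoCellSet()
    for cell in (1, 3, 16, 21, 31):  # blocks 0, 0, 2, 2, 3
        cell_set.add(cell)
    blocks[0].mark(1)  # cell 1 survives; cell 3 dies
    blocks[1].mark(2)  # marked but never a member: block 1 is skipped entirely
    blocks[2].mark(0)
    blocks[2].mark(5)  # nothing in block 3 is marked, so cell 31 dies
    marked_members = list(cell_set.for_each_marked_cell(blocks))
    visited = cell_set.blocks_visited
    for block in blocks:
        cell_set.sweep(block)
    return {
        "marked_members": marked_members,
        "blocks_visited": visited,
        "dead_cell_still_member": cell_set.contains(31),
        "block_bits_after_sweep": cell_set.block_bits,
    }
```

In the model, `add` on an existing member performs no write at all, which is the property the entry leans on to make the set cheap to update from parallel marking threads: only the first insertion into a block touches the block-level bit. Real code would use a compare-and-swap on the word holding the bit rather than a plain store.
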
1480 2017-12-12  Saam Barati  <sbarati@apple.com>
1481
1482         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1483         https://bugs.webkit.org/show_bug.cgi?id=180723
1484         <rdar://problem/35859726>
1485
1486         Reviewed by JF Bastien.
1487
1488         * dfg/DFGConstantFoldingPhase.cpp:
1489         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1490
1491 2017-12-04  Brian Burg  <bburg@apple.com>
1492
1493         Web Inspector: modernize InjectedScript a bit
1494         https://bugs.webkit.org/show_bug.cgi?id=180367
1495
1496         Reviewed by Timothy Hatcher.
1497
1498         Stop using out parameters passed by pointer, use references instead.
1499         Stop using OptOutput<T> in favor of std::optional where possible.
1500         If there is only one out-parameter and a void return type, then return the value.
1501
1502         * inspector/InjectedScript.h:
1503         * inspector/InjectedScript.cpp:
1504         (Inspector::InjectedScript::evaluate):
1505         (Inspector::InjectedScript::callFunctionOn):
1506         (Inspector::InjectedScript::evaluateOnCallFrame):
1507         (Inspector::InjectedScript::getFunctionDetails):
1508         (Inspector::InjectedScript::functionDetails):
1509         (Inspector::InjectedScript::getPreview):
1510         (Inspector::InjectedScript::getProperties):
1511         (Inspector::InjectedScript::getDisplayableProperties):
1512         (Inspector::InjectedScript::getInternalProperties):
1513         (Inspector::InjectedScript::getCollectionEntries):
1514         (Inspector::InjectedScript::saveResult):
1515         (Inspector::InjectedScript::setExceptionValue):
1516         (Inspector::InjectedScript::clearExceptionValue):
1517         (Inspector::InjectedScript::inspectObject):
1518         (Inspector::InjectedScript::releaseObject):
1519
1520         * inspector/InjectedScriptBase.h:
1521         * inspector/InjectedScriptBase.cpp:
1522         (Inspector::InjectedScriptBase::InjectedScriptBase):
1523         Declare m_environment with a default initializer.
1524
1525         (Inspector::InjectedScriptBase::makeCall):
1526         (Inspector::InjectedScriptBase::makeEvalCall):
1527         Just return the result, no need for an out-parameter.
1528         Rearrange some code paths now that we can just return a result.
1529         Return a Ref<JSON::Value> since it is either a result value or error value.
1530         Use out_ prefixes in a few places to improve readability.
1531
1532         * inspector/agents/InspectorDebuggerAgent.cpp:
1533         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1534         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1535         * inspector/agents/InspectorHeapAgent.cpp:
1536         (Inspector::InspectorHeapAgent::getPreview):
1537         * inspector/agents/InspectorRuntimeAgent.cpp:
1538         (Inspector::InspectorRuntimeAgent::evaluate):
1539         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1540         (Inspector::InspectorRuntimeAgent::getPreview):
1541         (Inspector::InspectorRuntimeAgent::getProperties):
1542         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1543         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1544         (Inspector::InspectorRuntimeAgent::saveResult):
1545         Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
1546         and std::optional until the former is removed from generated method signatures.
1547
1548 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1549
1550         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1551         https://bugs.webkit.org/show_bug.cgi?id=179000
1552
1553         Reviewed by Darin Adler and Yusuke Suzuki.
1554
1555         This patch starts the implementation of BigInt primitive on
1556         JavaScriptCore. We are introducing BigInt primitive and
1557         implementing it on JSBigInt as a subclass of JSCell with [[BigIntData]]
1558         field implemented contiguously in memory as inline storage of JSBigInt to
1559         take advantage of the performance benefits of cache locality. The
1560         implementation allows 64 or 32 bitwise arithmetic operations.
1561         JSBigInt also has m_sign to store the sign of [[BigIntData]] and
1562         m_length that keeps track of BigInt length.
1563         The implementation is following the V8 one. [[BigIntData]] is manipulated
1564         by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
1565         We also have some operations to support arithmetics over digits.
1566
1567         It is important to notice that on our representation,
1568         JSBigInt::dataStorage()[0] represents the least significant digit and
1569         JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.
1570
1571         We are also introducing into this Patch the BigInt literals lexer and
1572         syntax parsing support. The operation Strict Equals on BigInts is also being
1573         implemented to enable tests.
1574         These features are being implemented behind a runtime flag "--useBigInt" and
1575         are disabled by default.
1576
1577         * JavaScriptCore.xcodeproj/project.pbxproj:
1578         * Sources.txt:
1579         * bytecode/CodeBlock.cpp:
1580         * bytecompiler/BytecodeGenerator.cpp:
1581         (JSC::BytecodeGenerator::emitEqualityOp):
1582         (JSC::BytecodeGenerator::addBigIntConstant):
1583         * bytecompiler/BytecodeGenerator.h:
1584         (JSC::BytecodeGenerator::BigIntEntryHash::hash):
1585         (JSC::BytecodeGenerator::BigIntEntryHash::equal):
1586         * bytecompiler/NodesCodegen.cpp:
1587         (JSC::BigIntNode::jsValue const):
1588         * dfg/DFGAbstractInterpreterInlines.h:
1589         (JSC::DFG::isToThisAnIdentity):
1590         * interpreter/Interpreter.cpp:
1591         (JSC::sizeOfVarargs):
1592         * llint/LLIntData.cpp:
1593         (JSC::LLInt::Data::performAssertions):
1594         * llint/LowLevelInterpreter.asm:
1595         * parser/ASTBuilder.h:
1596         (JSC::ASTBuilder::createBigInt):
1597         * parser/Lexer.cpp:
1598         (JSC::Lexer<T>::parseBinary):
1599         (JSC::Lexer<T>::parseOctal):
1600         (JSC::Lexer<T>::parseDecimal):
1601         (JSC::Lexer<T>::lex):
1602         (JSC::Lexer<T>::parseHex): Deleted.
1603         * parser/Lexer.h:
1604         * parser/NodeConstructors.h:
1605         (JSC::BigIntNode::BigIntNode):
1606         * parser/Nodes.h:
1607         (JSC::ExpressionNode::isBigInt const):
1608         (JSC::BigIntNode::value):
1609         * parser/Parser.cpp:
1610         (JSC::Parser<LexerType>::parsePrimaryExpression):
1611         * parser/ParserTokens.h:
1612         * parser/ResultType.h:
1613         (JSC::ResultType::definitelyIsBigInt const):
1614         (JSC::ResultType::mightBeBigInt const):
1615         (JSC::ResultType::isNotBigInt const):
1616         (JSC::ResultType::addResultType):
1617         (JSC::ResultType::bigIntType):
1618         (JSC::ResultType::forAdd):
1619         (JSC::ResultType::forLogicalOp):
1620         * parser/SyntaxChecker.h:
1621         (JSC::SyntaxChecker::createBigInt):
1622         * runtime/CommonIdentifiers.h:
1623         * runtime/JSBigInt.cpp: Added.
1624         (JSC::JSBigInt::visitChildren):
1625         (JSC::JSBigInt::JSBigInt):
1626         (JSC::JSBigInt::initialize):
1627         (JSC::JSBigInt::createStructure):
1628         (JSC::JSBigInt::createZero):
1629         (JSC::JSBigInt::allocationSize):
1630         (JSC::JSBigInt::createWithLength):
1631         (JSC::JSBigInt::finishCreation):
1632         (JSC::JSBigInt::toPrimitive const):
1633         (JSC::JSBigInt::singleDigitValueForString):
1634         (JSC::JSBigInt::parseInt):
1635         (JSC::JSBigInt::toString):
1636         (JSC::JSBigInt::isZero):
1637         (JSC::JSBigInt::inplaceMultiplyAdd):
1638         (JSC::JSBigInt::digitAdd):
1639         (JSC::JSBigInt::digitSub):
1640         (JSC::JSBigInt::digitMul):
1641         (JSC::JSBigInt::digitPow):
1642         (JSC::JSBigInt::digitDiv):
1643         (JSC::JSBigInt::internalMultiplyAdd):
1644         (JSC::JSBigInt::equalToBigInt):
1645         (JSC::JSBigInt::absoluteDivSmall):
1646         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1647         (JSC::JSBigInt::toStringGeneric):
1648         (JSC::JSBigInt::rightTrim):
1649         (JSC::JSBigInt::allocateFor):
1650         (JSC::JSBigInt::estimatedSize):
1651         (JSC::JSBigInt::toNumber const):
1652         (JSC::JSBigInt::getPrimitiveNumber const):
1653         * runtime/JSBigInt.h: Added.
1654         (JSC::JSBigInt::setSign):
1655         (JSC::JSBigInt::sign const):
1656         (JSC::JSBigInt::setLength):
1657         (JSC::JSBigInt::length const):
1658         (JSC::JSBigInt::parseInt):
1659         (JSC::JSBigInt::offsetOfData):
1660         (JSC::JSBigInt::dataStorage):
1661         (JSC::JSBigInt::digit):
1662         (JSC::JSBigInt::setDigit):
1663         (JSC::asBigInt):
1664         * runtime/JSCJSValue.cpp:
1665         (JSC::JSValue::synthesizePrototype const):
1666         (JSC::JSValue::toStringSlowCase const):
1667         * runtime/JSCJSValue.h:
1668         * runtime/JSCJSValueInlines.h:
1669         (JSC::JSValue::isBigInt const):
1670         (JSC::JSValue::strictEqualSlowCaseInline):
1671         * runtime/JSCell.cpp:
1672         (JSC::JSCell::put):
1673         (JSC::JSCell::putByIndex):
1674         (JSC::JSCell::toPrimitive const):
1675         (JSC::JSCell::getPrimitiveNumber const):
1676         (JSC::JSCell::toNumber const):
1677         (JSC::JSCell::toObjectSlow const):
1678         * runtime/JSCell.h:
1679         * runtime/JSCellInlines.h:
1680         (JSC::JSCell::isBigInt const):
1681         * runtime/JSType.h:
1682         * runtime/MathCommon.h:
1683         (JSC::clz64):
1684         * runtime/NumberPrototype.cpp:
1685         * runtime/Operations.cpp:
1686         (JSC::jsTypeStringForValue):
1687         (JSC::jsIsObjectTypeOrNull):
1688         * runtime/Options.h:
1689         * runtime/ParseInt.h:
1690         * runtime/SmallStrings.h:
1691         (JSC::SmallStrings::typeString const):
1692         * runtime/StructureInlines.h:
1693         (JSC::prototypeForLookupPrimitiveImpl):
1694         * runtime/TypeofType.cpp:
1695         (WTF::printInternal):
1696         * runtime/TypeofType.h:
1697         * runtime/VM.cpp:
1698         (JSC::VM::VM):
1699         * runtime/VM.h:
1700
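The digit layout the entry describes, with index 0 holding the least significant digit and `setDigit`/`digit` style accessors plus small per-digit helpers, is enough to build the two operations the entry names: parsing a literal (multiply-add per character) and `toString` (repeated division by the radix). The block below is an added example written for this page and not the JSBigInt source; it assumes 32-bit digits, its own helper names, and literal syntax of the form `123n`, `0x1fn`, `0o17n` and `0b101n` with an optional leading minus.

```python
"""Sign-magnitude big integer with little-endian digits: digits[0] is the least
significant digit, digits[-1] the most significant.  Added illustration of the
representation described above, not the JSBigInt source; 32-bit digits, the
helper names and the literal syntax accepted here are assumptions."""

DIGIT_BITS = 32
DIGIT_MASK = (1 << DIGIT_BITS) - 1
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def digit_add(a, b):
    """Return (sum digit, carry) for two digits."""
    s = a + b
    return s & DIGIT_MASK, s >> DIGIT_BITS


def digit_mul(a, b):
    """Return (high digit, low digit) of a single-digit product."""
    p = a * b
    return p >> DIGIT_BITS, p & DIGIT_MASK


def digit_div(high, low, divisor):
    """Divide the two-digit value (high:low) by divisor; requires high < divisor
    so that the quotient fits in one digit.  Returns (quotient, remainder)."""
    numerator = (high << DIGIT_BITS) | low
    return numerator // divisor, numerator % divisor


class BigInt:
    def __init__(self, digits=(), negative=False):
        self.digits = list(digits)
        self.negative = negative
        self.right_trim()

    def right_trim(self):
        """Drop most-significant zero digits; zero is canonically non-negative."""
        while self.digits and self.digits[-1] == 0:
            self.digits.pop()
        if not self.digits:
            self.negative = False

    def is_zero(self):
        return not self.digits

    def inplace_multiply_add(self, factor, summand):
        """|self| = |self| * factor + summand for single-digit factor and summand."""
        carry = summand
        for i, d in enumerate(self.digits):
            high, low = digit_mul(d, factor)
            low, c = digit_add(low, carry)
            self.digits[i] = low
            carry = high + c  # fits one digit: high <= DIGIT_MASK - 1 and c <= 1
        if carry:
            self.digits.append(carry)

    def absolute_div_small(self, divisor):
        """Return (|self| // divisor as a BigInt, remainder) for a one-digit divisor."""
        quotient = [0] * len(self.digits)
        remainder = 0
        for i in range(len(self.digits) - 1, -1, -1):  # most significant digit first
            quotient[i], remainder = digit_div(remainder, self.digits[i], divisor)
        return BigInt(quotient), remainder

    def to_string(self, radix=10):
        if self.is_zero():
            return "0"
        chars, value = [], BigInt(self.digits)
        while not value.is_zero():
            value, rem = value.absolute_div_small(radix)
            chars.append(ALPHABET[rem])
        return ("-" if self.negative else "") + "".join(reversed(chars))

    def strict_equals(self, other):
        """Same sign and the same trimmed digit sequence."""
        return self.negative == other.negative and self.digits == other.digits


def parse_int(text, radix=10, negative=False):
    result = BigInt()
    for ch in text:
        value = ALPHABET.find(ch.lower())
        if value < 0 or value >= radix:
            raise ValueError(f"invalid digit {ch!r} for radix {radix}")
        result.inplace_multiply_add(radix, value)
    result.negative = negative and not result.is_zero()
    return result


def parse_literal(source):
    """Parse a BigInt literal such as 123n, 0x1fn, 0o17n, 0b101n or -5n."""
    negative = source.startswith("-")
    body = source[1:] if negative else source
    if not body.endswith("n") or len(body) < 2:
        raise ValueError("BigInt literal must end in 'n'")
    body = body[:-1]
    radix = {"0x": 16, "0o": 8, "0b": 2}.get(body[:2].lower(), 10)
    if radix != 10:
        body = body[2:]
    return parse_int(body, radix, negative)
```

`parse_literal("4294967296n").digits` comes out as `[0, 1]`, which is the point the entry makes about the layout: the low digit sits at index 0 and the value's magnitude grows toward the end of the array.
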
1701 2017-12-12  Guillaume Emont  <guijemont@igalia.com>
1702
1703         LLInt: reserve 16 bytes of stack on MIPS for native calls
1704         https://bugs.webkit.org/show_bug.cgi?id=180653
1705
1706         Reviewed by Carlos Alberto Lopez Perez.
1707
1708         * llint/LowLevelInterpreter32_64.asm:
1709         On MIPS, subtract 24 from the stack pointer (16 for calling
1710         convention + 8 to be 16-aligned) instead of the 8 on other platforms
1711         (for alignment).
1712
1713 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1714
1715         [WTF] Thread::create should have Thread::tryCreate
1716         https://bugs.webkit.org/show_bug.cgi?id=180333
1717
1718         Reviewed by Darin Adler.
1719
1720         * assembler/testmasm.cpp:
1721         (JSC::run):
1722         * b3/air/testair.cpp:
1723         * b3/testb3.cpp:
1724         (JSC::B3::run):
1725         * jsc.cpp:
1726         (functionDollarAgentStart):
1727
1728 2017-12-11  Michael Saboff  <msaboff@apple.com>
1729
1730         REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
1731         https://bugs.webkit.org/show_bug.cgi?id=180685
1732
1733         Reviewed by Saam Barati.
1734
1735         The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
1736         the character class check to return true without reading the character.  Given that
1737         the character could be a surrogate pair, we need to read the character even if we
1738         don't have to check it.
1739
1740         * yarr/YarrInterpreter.cpp:
1741         (JSC::Yarr::Interpreter::testCharacterClass):
1742         (JSC::Yarr::Interpreter::checkCharacterClass):
1743
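The failure mode in the entry above (a character class that matches anything answering before the character is read, so a surrogate pair is only half consumed) is easy to reproduce on a model of UTF-16 input. The block below is an added example written for this page, not Yarr code; the term format, the tiny anchored matcher and the function names are assumptions of the model. The `read_first` flag switches between the regressed order of operations and the fixed one, and the BMP case shows why only the unicode test noticed.

```python
"""Reading a character before testing an "any character" class (added
illustration of the Yarr interpreter bug described above; not WebKit code).
The matcher, term format and function names are this model's assumptions."""


def utf16_units(text):
    """JS strings are UTF-16: astral characters occupy two code units."""
    data = text.encode("utf-16-le")
    return [int.from_bytes(data[i:i + 2], "little") for i in range(0, len(data), 2)]


def read_code_point(units, pos):
    """Return (code point, next position), joining a valid surrogate pair."""
    unit = units[pos]
    if (0xD800 <= unit <= 0xDBFF and pos + 1 < len(units)
            and 0xDC00 <= units[pos + 1] <= 0xDFFF):
        return 0x10000 + ((unit - 0xD800) << 10) + (units[pos + 1] - 0xDC00), pos + 2
    return unit, pos + 1


class CharacterClass:
    def __init__(self, ranges=(), any_character=False):
        self.ranges = list(ranges)          # inclusive (lo, hi) code point ranges
        self.any_character = any_character  # matches every code point, e.g. [^] or /./s

    def matches(self, code_point):
        return self.any_character or any(lo <= code_point <= hi for lo, hi in self.ranges)


def check_character_class(term, units, pos, read_first):
    """Return (matched, next position).  With read_first=False this reproduces
    the regression: the any-character shortcut answers before reading the
    character, so a surrogate pair is advanced over by only one code unit."""
    if not read_first and term.any_character:
        return True, pos + 1
    code_point, next_pos = read_code_point(units, pos)
    return term.matches(code_point), next_pos


def match_terms(terms, text, read_first=True):
    """Match a sequence of character-class terms against the whole string."""
    units = utf16_units(text)
    pos = 0
    for term in terms:
        if pos >= len(units):
            return False
        matched, pos = check_character_class(term, units, pos, read_first)
        if not matched:
            return False
    return pos == len(units)


ANY = CharacterClass(any_character=True)
Q = CharacterClass(ranges=[(ord("q"), ord("q"))])
SMILEY = "\U0001F600"  # constructed input: one code point, two UTF-16 code units
```

With the pattern `[ANY, Q]` (the model's equivalent of `/^.q$/su`) and the input `SMILEY + "q"`, the regressed order leaves the cursor on the low surrogate, which then fails to match `q`; the fixed order advances past both code units and matches. On `"aq"` both orders agree, which is why a BMP-only test suite does not catch this.
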
1744 2017-12-11  Saam Barati  <sbarati@apple.com>
1745
1746         We need to disableCaching() in ErrorInstance when we materialize properties
1747         https://bugs.webkit.org/show_bug.cgi?id=180343
1748         <rdar://problem/35833002>
1749
1750         Reviewed by Mark Lam.
1751
1752         This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
1753         on puts() to a property that we lazily materialized. Forgetting to do this goes against the
1754         PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
1755         from a Structure A to a Structure B. However, we were telling the IC that we were caching an
1756         existing property only found on Structure B. This is obviously wrong as it would lead to an
1757         OOB store if we didn't already crash when generating the IC.
1758
1759         * jit/Repatch.cpp:
1760         (JSC::tryCachePutByID):
1761         * runtime/ErrorInstance.cpp:
1762         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1763         (JSC::ErrorInstance::put):
1764         * runtime/ErrorInstance.h:
1765         * runtime/Structure.cpp:
1766         (JSC::Structure::didCachePropertyReplacement):
1767
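The entry above explains why forgetting `disableCaching()` is memory-unsafe rather than merely slow: the inline cache records "replace at offset N" against the structure it saw before the put, but the lazy materialization has moved the object to a different structure, so a later object that still has the original structure gets written at an offset its storage does not have. The block below is an added model written for this page, not JavaScriptCore code; structures are tuples of property names, storage is a Python list, and the cache, the class names and the materialized properties are assumptions. `demo(False)` reproduces the out-of-bounds write and `demo(True)` applies the fix the entry describes.

```python
"""Why a put that lazily materializes properties must disable IC caching
(toy model of the ErrorInstance bug described above; added illustration, not
JavaScriptCore code).  Structures are property-name tuples, storage is a
Python list, and the cache and class names are this model's assumptions."""


class OutOfBoundsWrite(Exception):
    """Where the real engine would store past the end of the object's storage."""


class Structure:
    """Property layout: the offset of a name is its index in names."""

    def __init__(self, names=()):
        self.names = tuple(names)

    def offset_of(self, name):
        return self.names.index(name) if name in self.names else -1

    def with_property(self, name):
        return Structure(self.names + (name,))


class PutPropertySlot:
    def __init__(self):
        self.kind = None  # "existing" (replace) or "new" (transition)
        self.offset = -1
        self.caching_disabled = False

    def set_existing(self, offset):
        self.kind, self.offset = "existing", offset

    def set_new(self, offset):
        self.kind, self.offset = "new", offset

    def disable_caching(self):
        self.caching_disabled = True

    def is_cacheable_replace(self):
        return self.kind == "existing" and not self.caching_disabled


class JSObject:
    def __init__(self, structure):
        self.structure = structure
        self.storage = [None] * len(structure.names)

    def put(self, name, value, slot):
        offset = self.structure.offset_of(name)
        if offset >= 0:
            self.storage[offset] = value
            slot.set_existing(offset)
        else:
            self.structure = self.structure.with_property(name)
            self.storage.append(value)
            slot.set_new(len(self.storage) - 1)


class ErrorInstance(JSObject):
    """Error object whose line/column are materialized on first property access."""

    def __init__(self, structure, fixed):
        super().__init__(structure)
        self.materialized = False
        self.fixed = fixed  # True: call slot.disable_caching(), as the fix does

    def materialize_error_info_if_needed(self, slot):
        if self.materialized:
            return
        self.materialized = True
        for name, value in (("line", 1), ("column", 1)):
            JSObject.put(self, name, value, PutPropertySlot())  # transitions A -> B
        if self.fixed:
            slot.disable_caching()

    def put(self, name, value, slot):
        self.materialize_error_info_if_needed(slot)
        super().put(name, value, slot)


class PutByIdIC:
    """Caches 'replace at offset' keyed on the structure seen before the put."""

    def __init__(self):
        self.cache = {}

    def put(self, obj, name, value):
        key = (obj.structure.names, name)
        if key in self.cache:  # fast path: trusts the cached layout
            offset = self.cache[key]
            if offset >= len(obj.storage):
                raise OutOfBoundsWrite(f"offset {offset} into {len(obj.storage)} slots")
            obj.storage[offset] = value
            return
        structure_before = obj.structure.names
        slot = PutPropertySlot()
        obj.put(name, value, slot)
        if slot.is_cacheable_replace():  # slot claims the layout did not change
            self.cache[(structure_before, name)] = slot.offset


def demo(fixed):
    """Two fresh errors share structure ('message',); return e2's storage or the failure."""
    base = Structure(("message",))
    ic = PutByIdIC()
    ic.put(ErrorInstance(base, fixed), "column", 7)  # materializes, then replaces
    e2 = ErrorInstance(base, fixed)
    try:
        ic.put(e2, "column", 9)
    except OutOfBoundsWrite:
        return "OutOfBoundsWrite"
    return e2.storage
```

The first put in `demo` is the one the entry describes: the object starts in structure A (`message` only), materialization moves it to B (`message`, `line`, `column`), and the put then replaces `column` at offset 2. Without the fix the cache keeps "A: replace column at offset 2"; the next error object in A has one storage slot, and the cached fast path writes past it. With `disable_caching()` the slot is not cacheable, so every such put takes the slow path until a stable structure is observed.
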
1768 2017-12-11  Fujii Hironori  <Hironori.Fujii@sony.com>
1769
1770         [WinCairo] DLLLauncherMain should use SetDllDirectory
1771         https://bugs.webkit.org/show_bug.cgi?id=180642
1772
1773         Reviewed by Alex Christensen.
1774
1775         Windows has icuuc.dll in the system directory. WebKit should find
1776         one in WebKitLibraries directory, not one in the system directory.
1777
1778         * shell/DLLLauncherMain.cpp:
1779         (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
1780
1781 2017-12-11  Eric Carlson  <eric.carlson@apple.com>
1782
1783         Web Inspector: Optionally log WebKit log parameters as JSON
1784         https://bugs.webkit.org/show_bug.cgi?id=180529
1785         <rdar://problem/35909462>
1786
1787         Reviewed by Joseph Pecoraro.
1788
1789         * inspector/ConsoleMessage.cpp:
1790         (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
1791         values. Concatenate all adjacent strings to make logging cleaner.
1792         (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
1793         (Inspector::ConsoleMessage::scriptState const):
1794         * inspector/ConsoleMessage.h:
1795
1796         * inspector/InjectedScript.cpp:
1797         (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
1798         * inspector/InjectedScript.h:
1799         * inspector/InjectedScriptSource.js:
1800         (let.InjectedScript.prototype.wrapJSONString):
1801
1802 2017-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1803
1804         Remove unused builtin names
1805         https://bugs.webkit.org/show_bug.cgi?id=180673
1806
1807         Reviewed by Keith Miller.
1808
1809         * builtins/BuiltinNames.h:
1810
1811 2017-12-11  David Quesada  <david_quesada@apple.com>
1812
1813         Turn on ENABLE_APPLICATION_MANIFEST
1814         https://bugs.webkit.org/show_bug.cgi?id=180562
1815         rdar://problem/35924737
1816
1817         Reviewed by Geoffrey Garen.
1818
1819         * Configurations/FeatureDefines.xcconfig:
1820
1821 2017-12-10  Filip Pizlo  <fpizlo@apple.com>
1822
1823         Harden a few assertions in GC sweep
1824         https://bugs.webkit.org/show_bug.cgi?id=180634
1825
1826         Reviewed by Saam Barati.
1827         
1828         This turns one dynamic check into a release assertion and upgrades another assertion to a release
1829         assertion.
1830
1831         * heap/MarkedBlock.cpp:
1832         (JSC::MarkedBlock::Handle::sweep):
1833
1834 2017-12-10  Konstantin Tokarev  <annulen@yandex.ru>
1835
1836         [python] Modernize "except" usage for python3 compatibility
1837         https://bugs.webkit.org/show_bug.cgi?id=180612
1838
1839         Reviewed by Michael Catanzaro.
1840
1841         * inspector/scripts/generate-inspector-protocol-bindings.py:
1842
1843 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
1844
1845         InferredType should not use UnconditionalFinalizer
1846         https://bugs.webkit.org/show_bug.cgi?id=180456
1847
1848         Reviewed by Saam Barati.
1849         
1850         This turns InferredStructure into a cell so that we can unconditionally finalize them without
1851         having to add things to the UnconditionalFinalizer list. I'm removing all uses of
1852         UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
1853         them are a top cause of lock contention in the parallel GC. Also, we don't need those data
1854         structures if we use IsoSubspaces, subspace iteration, and marking constraints.
1855
1856         * JavaScriptCore.xcodeproj/project.pbxproj:
1857         * Sources.txt:
1858         * heap/Heap.cpp:
1859         (JSC::Heap::finalizeUnconditionalFinalizers):
1860         * heap/Heap.h:
1861         * runtime/InferredStructure.cpp: Added.
1862         (JSC::InferredStructure::create):
1863         (JSC::InferredStructure::destroy):
1864         (JSC::InferredStructure::createStructure):
1865         (JSC::InferredStructure::visitChildren):
1866         (JSC::InferredStructure::finalizeUnconditionally):
1867         (JSC::InferredStructure::InferredStructure):
1868         (JSC::InferredStructure::finishCreation):
1869         * runtime/InferredStructure.h: Added.
1870         * runtime/InferredStructureWatchpoint.cpp: Added.
1871         (JSC::InferredStructureWatchpoint::fireInternal):
1872         * runtime/InferredStructureWatchpoint.h: Added.
1873         * runtime/InferredType.cpp:
1874         (JSC::InferredType::visitChildren):
1875         (JSC::InferredType::willStoreValueSlow):
1876         (JSC::InferredType::makeTopSlow):
1877         (JSC::InferredType::set):
1878         (JSC::InferredType::removeStructure):
1879         (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
1880         (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
1881         (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
1882         * runtime/InferredType.h:
1883         * runtime/VM.cpp:
1884         (JSC::VM::VM):
1885         * runtime/VM.h:
1886
1887 2017-12-09  Konstantin Tokarev  <annulen@yandex.ru>
1888
1889         [python] Replace print >> operator with print() function for python3 compatibility
1890         https://bugs.webkit.org/show_bug.cgi?id=180611
1891
1892         Reviewed by Michael Catanzaro.
1893
1894         * Scripts/make-js-file-arrays.py:
1895         (main):
1896
1897 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
1898
1899         ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
1900         https://bugs.webkit.org/show_bug.cgi?id=180520
1901         <rdar://problem/35900764>
1902
1903         Reviewed by Brian Burg.
1904
1905         * inspector/protocol/ServiceWorker.json:
1906         Include content script content in the initialization info.
1907
1908 2017-12-08  Konstantin Tokarev  <annulen@yandex.ru>
1909
1910         [python] Replace print operator with print() function for python3 compatibility
1911         https://bugs.webkit.org/show_bug.cgi?id=180592
1912
1913         Reviewed by Michael Catanzaro.
1914
1915         * Scripts/generateYarrUnicodePropertyTables.py:
1916         (openOrExit):
1917         (verifyUCDFilesExist):
1918         (Aliases.parsePropertyAliasesFile):
1919         (Aliases.parsePropertyValueAliasesFile):
1920         * Scripts/make-js-file-arrays.py:
1921         (main):
1922         * generate-bytecode-files:
1923
1924 2017-12-08  Mark Lam  <mark.lam@apple.com>
1925
1926         Need to unpoison native function pointers for CLoop.
1927         https://bugs.webkit.org/show_bug.cgi?id=180601
1928         <rdar://problem/35942028>
1929
1930         Reviewed by JF Bastien.
1931
1932         * llint/LowLevelInterpreter64.asm:
1933
1934 2017-12-08  Michael Saboff  <msaboff@apple.com>
1935
1936         YARR: JIT RegExps with greedy parenthesized sub patterns
1937         https://bugs.webkit.org/show_bug.cgi?id=180538
1938
1939         Reviewed by JF Bastien.
1940
1941         This patch adds JIT support for regular expressions containing greedy counted
1942         parentheses.  An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
1943
1944         Just like in the interpreter, expressions with nested parenthetical subpatterns
1945         require saving the results of previous matches of the parentheses contents along
1946         with any associated state.  This saved state is needed in the case that we need
1947         to backtrack.  This state is called ParenContext within the code.  Space allocated
1948         for this ParenContext is managed using a simple block allocator within the JIT'ed
1949         code.  The raw space managed by this allocator is passed into the JIT'ed function.
1950
1951         Since this fixed sized space may be exceeded, this patch adds a fallback mechanism.
1952         If the JIT'ed code exhausts all its ParenContext space, it returns a new error
1953         JSRegExpJITCodeFailure.  The caller will then bytecompile and interpret the
1954         expression.
1955
1956         Due to increased register usage by the parenthesis handling code, the use of
1957         registers by the JIT engine was restructured, with registers used for Unicode
1958         pattern matching replaced with constants.
1959
1960         Reworked some of the context structures that are used across the interpreter
1961         and JIT implementations to make them a little more uniform and to handle the
1962         needs of JIT'ing the new parentheses forms.
1963
1964         To help with development and debugging of this code, compiled patterns dumping
1965         code was enhanced.  Also added the ability to dump interpreter ByteCodes.
1966
1967         * runtime/RegExp.cpp:
1968         (JSC::byteCodeCompilePattern):
1969         (JSC::RegExp::byteCodeCompileIfNecessary):
1970         (JSC::RegExp::compile):
1971         (JSC::RegExp::compileMatchOnly):
1972         * runtime/RegExp.h:
1973         * runtime/RegExpInlines.h:
1974         (JSC::RegExp::matchInline):
1975         * testRegExp.cpp:
1976         (parseRegExpLine):
1977         (runFromFiles):
1978         * yarr/Yarr.h:
1979         * yarr/YarrInterpreter.cpp:
1980         (JSC::Yarr::ByteCompiler::compile):
1981         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1982         * yarr/YarrJIT.cpp:
1983         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
1984         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
1985         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
1986         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
1987         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
1988         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
1989         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
1990         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
1991         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
1992         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
1993         (JSC::Yarr::YarrGenerator::allocatePatternContext):
1994         (JSC::Yarr::YarrGenerator::freePatternContext):
1995         (JSC::Yarr::YarrGenerator::savePatternContext):
1996         (JSC::Yarr::YarrGenerator::restorePatternContext):
1997         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1998         (JSC::Yarr::YarrGenerator::storeToFrame):
1999         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
2000         (JSC::Yarr::YarrGenerator::clearMatches):
2001         (JSC::Yarr::YarrGenerator::generate):
2002         (JSC::Yarr::YarrGenerator::backtrack):
2003         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2004         (JSC::Yarr::YarrGenerator::generateEnter):
2005         (JSC::Yarr::YarrGenerator::generateReturn):
2006         (JSC::Yarr::YarrGenerator::YarrGenerator):
2007         (JSC::Yarr::YarrGenerator::compile):
2008         * yarr/YarrJIT.h:
2009         (JSC::Yarr::YarrCodeBlock::execute):
2010         * yarr/YarrPattern.cpp:
2011         (JSC::Yarr::indentForNestingLevel):
2012         (JSC::Yarr::dumpUChar32):
2013         (JSC::Yarr::dumpCharacterClass):
2014         (JSC::Yarr::PatternTerm::dump):
2015         (JSC::Yarr::YarrPattern::dumpPattern):
2016         * yarr/YarrPattern.h:
2017         (JSC::Yarr::PatternTerm::containsAnyCaptures):
2018         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
2019         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
2020         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
2021         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
2022         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
2023         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
2024
2025 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
2026
2027         Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
2028         https://bugs.webkit.org/show_bug.cgi?id=180590
2029         <rdar://problem/35882767>
2030
2031         Reviewed by Mark Lam.
2032
2033         * inspector/agents/InspectorConsoleAgent.cpp:
2034         (Inspector::InspectorConsoleAgent::enable):
2035         Swap the messages to a Vector that won't change during iteration.
2036
2037 2017-12-08  Michael Saboff  <msaboff@apple.com>
2038
2039         YARR: Coalesce constructed character classes
2040         https://bugs.webkit.org/show_bug.cgi?id=180537
2041
2042         Reviewed by JF Bastien.
2043
2044         When adding characters or character ranges to a character class being constructed,
2045         we now coalesce adjacent characters and character ranges.  When we create a
2046         character class after construction is complete, we do a final coalescing pass
2047         across the character list and ranges to catch any remaining coalescing
2048         opportunities.
2049
2050         Added an optimization for character classes that will match any character.
2051         This is somewhat common in code created before the /s (dotAll) flag was added
2052         to the engine.
2053
2054         * yarr/YarrInterpreter.cpp:
2055         (JSC::Yarr::Interpreter::checkCharacterClass):
2056         * yarr/YarrJIT.cpp:
2057         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2058         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2059         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2060         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2061         * yarr/YarrPattern.cpp:
2062         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2063         (JSC::Yarr::CharacterClassConstructor::reset):
2064         (JSC::Yarr::CharacterClassConstructor::charClass):
2065         (JSC::Yarr::CharacterClassConstructor::addSorted):
2066         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2067         (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
2068         (JSC::Yarr::CharacterClassConstructor::coalesceTables):
2069         (JSC::Yarr::CharacterClassConstructor::anyCharacter):
2070         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
2071         (JSC::Yarr::PatternTerm::dump):
2072         (JSC::Yarr::anycharCreate):
2073         * yarr/YarrPattern.h:
2074         (JSC::Yarr::CharacterClass::CharacterClass):
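
        The coalescing described in this entry, as an added C++ illustration rather than YARR's own CharacterClassConstructor: characters and ranges merge with their neighbours as they are added, a table copied in bulk is only merged by the final pass, and the result is checked for the any-character case. Every name in it (CharacterClassBuilder, kMaxCodePoint, the helper functions) is hypothetical.

```cpp
// Added example, not YARR's own code: a character-class constructor with a sorted table
// of single characters and a sorted, disjoint table of ranges. Neighbours coalesce as they
// are added; a final pass catches what the incremental path missed. Names are hypothetical.
#include <algorithm>
#include <cstdint>
#include <vector>
using UChar32 = int32_t;
struct CharRange { UChar32 lo; UChar32 hi; };
static const UChar32 kMaxCodePoint = 0x10FFFF; // assumed top of the code point space
class CharacterClassBuilder {
public:
    // Add one character; if it touches an existing character or range, promote it to a one-character range so addSortedRange() absorbs the neighbours.
    void addSorted(UChar32 ch)
    {
        if (hasMatch(ch))
            return;
        bool touches = hasMatch(ch - 1) || hasMatch(ch + 1);
        for (const CharRange& r : m_ranges) {
            if (r.lo <= ch && ch <= r.hi)
                return; // already covered by a range
            touches = touches || r.hi + 1 == ch || r.lo - 1 == ch;
        }
        if (touches)
            addSortedRange(ch, ch);
        else
            m_matches.insert(std::upper_bound(m_matches.begin(), m_matches.end(), ch), ch);
    }
    // Add [lo, hi] (lo <= hi), swallowing every character and range that overlaps or is adjacent to it, so both tables stay sorted and free of redundant entries.
    void addSortedRange(UChar32 lo, UChar32 hi)
    {
        auto mFirst = std::lower_bound(m_matches.begin(), m_matches.end(), lo - 1);
        auto mLast = std::upper_bound(m_matches.begin(), m_matches.end(), hi + 1);
        if (mFirst != mLast) {
            lo = std::min(lo, *mFirst);
            hi = std::max(hi, *(mLast - 1));
            m_matches.erase(mFirst, mLast);
        }
        auto rFirst = std::lower_bound(m_ranges.begin(), m_ranges.end(), lo,
            [](const CharRange& r, UChar32 v) { return r.hi + 1 < v; });
        auto rLast = rFirst;
        for (; rLast != m_ranges.end() && rLast->lo <= hi + 1; ++rLast) {
            lo = std::min(lo, rLast->lo);
            hi = std::max(hi, rLast->hi);
        }
        m_ranges.insert(m_ranges.erase(rFirst, rLast), CharRange { lo, hi });
    }
    // Bulk path (e.g. copying a precomputed table): appended without coalescing.
    void mergeRangesFrom(const std::vector<CharRange>& table) { m_ranges.insert(m_ranges.end(), table.begin(), table.end()); }
    // Final pass once construction is complete: merge the sorted union of both tables, then hand one-character ranges back to the character table.
    void coalesceTables()
    {
        std::vector<CharRange> all(m_ranges), merged;
        for (UChar32 ch : m_matches)
            all.push_back(CharRange { ch, ch });
        std::sort(all.begin(), all.end(), [](const CharRange& a, const CharRange& b) { return a.lo < b.lo; });
        for (const CharRange& r : all) {
            if (!merged.empty() && r.lo <= merged.back().hi + 1)
                merged.back().hi = std::max(merged.back().hi, r.hi);
            else
                merged.push_back(r);
        }
        m_matches.clear(); m_ranges.clear();
        for (const CharRange& r : merged) {
            if (r.lo == r.hi)
                m_matches.push_back(r.lo);
            else
                m_ranges.push_back(r);
        }
    }
    // The whole code point space as one range: the matcher can skip the table lookup.
    bool anyCharacter() const { return m_matches.empty() && m_ranges.size() == 1 && m_ranges[0].lo == 0 && m_ranges[0].hi == kMaxCodePoint; }
    const std::vector<UChar32>& matches() const { return m_matches; }
    const std::vector<CharRange>& ranges() const { return m_ranges; }
private:
    bool hasMatch(UChar32 ch) const { return std::binary_search(m_matches.begin(), m_matches.end(), ch); }
    std::vector<UChar32> m_matches; // sorted; no entry adjacent to another entry or to a range
    std::vector<CharRange> m_ranges; // sorted, disjoint, non-adjacent
};

// Constructed input: 'a', 'c', 'b', 'e', 'd' added one at a time collapse into the range [a-e].
static CharacterClassBuilder buildIncrementally()
{
    CharacterClassBuilder b;
    for (UChar32 ch : { 'a', 'c', 'b', 'e', 'd' })
        b.addSorted(ch);
    return b;
}

// Constructed table split at 0x80: only the final pass recognises it as "any character".
static bool tableBecomesAnyCharacter()
{
    CharacterClassBuilder b;
    b.mergeRangesFrom({ { 0x80, kMaxCodePoint }, { 0, 0x7F } });
    bool before = b.anyCharacter();
    b.coalesceTables();
    return !before && b.anyCharacter();
}
```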
2075
2076 2017-12-07  Saam Barati  <sbarati@apple.com>
2077
2078         Modify our dollar VM clflush intrinsic to aid in some perf testing
2079         https://bugs.webkit.org/show_bug.cgi?id=180559
2080
2081         Reviewed by Mark Lam.
2082
2083         * tools/JSDollarVM.cpp:
2084         (JSC::functionCpuClflush):
2085         (JSC::functionDeltaBetweenButterflies):
2086         (JSC::JSDollarVM::finishCreation):
2087
2088 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
2089
2090         Simplify log channel configuration UI
2091         https://bugs.webkit.org/show_bug.cgi?id=180527
2092         <rdar://problem/35908382>
2093
2094         Reviewed by Joseph Pecoraro.
2095
2096         * inspector/protocol/Console.json:
2097
2098 2017-12-07  Mark Lam  <mark.lam@apple.com>
2099
2100         Apply poisoning to some native code pointers.
2101         https://bugs.webkit.org/show_bug.cgi?id=180541
2102         <rdar://problem/35916875>
2103
2104         Reviewed by Filip Pizlo.
2105
2106         Renamed g_classInfoPoison to g_globalDataPoison.
2107         Renamed g_masmPoison to g_jitCodePoison.
2108         Introduced g_nativeCodePoison.
2109         Applied g_nativeCodePoison to poisoning some native code pointers.
2110
2111         Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
2112         to malloc allocated data structures (where needed).
2113
2114         * API/JSCallbackFunction.h:
2115         (JSC::JSCallbackFunction::functionCallback):
2116         * JavaScriptCore.xcodeproj/project.pbxproj:
2117         * jit/ThunkGenerators.cpp:
2118         (JSC::nativeForGenerator):
2119         * llint/LowLevelInterpreter64.asm:
2120         * runtime/CustomGetterSetter.h:
2121         (JSC::CustomGetterSetter::getter const):
2122         (JSC::CustomGetterSetter::setter const):
2123         * runtime/InternalFunction.cpp:
2124         (JSC::InternalFunction::getCallData):
2125         (JSC::InternalFunction::getConstructData):
2126         * runtime/InternalFunction.h:
2127         (JSC::InternalFunction::nativeFunctionFor):
2128         * runtime/JSCPoison.h: Added.
2129         * runtime/JSCPoisonedPtr.cpp:
2130         (JSC::initializePoison):
2131         * runtime/JSCPoisonedPtr.h:
2132         * runtime/Lookup.h:
2133         * runtime/NativeExecutable.cpp:
2134         (JSC::NativeExecutable::hashFor const):
2135         * runtime/NativeExecutable.h:
2136         * runtime/Structure.cpp:
2137         (JSC::StructureTransitionTable::setSingleTransition):
2138         * runtime/StructureTransitionTable.h:
2139         (JSC::StructureTransitionTable::StructureTransitionTable):
2140         (JSC::StructureTransitionTable::isUsingSingleSlot const):
2141         (JSC::StructureTransitionTable::map const):
2142         (JSC::StructureTransitionTable::weakImpl const):
2143         (JSC::StructureTransitionTable::setMap):
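
        An added illustration, not WebKit's Poisoned/PoisonedPtr implementation, of what separate poison values for global-data, JIT-code and native-code pointers buy: a stored pointer is unusable without the key of its own class. The XOR scheme, the key generation and all names (PoisonKeys, Poisoned, hostDouble) are assumptions.

```cpp
// Added example, not WebKit's Poisoned code: one way to give each class of pointer its own
// poison, as the g_globalDataPoison / g_jitCodePoison / g_nativeCodePoison split in this
// entry does. The XOR scheme, key derivation and every name below are assumptions.
#include <cstdint>
#include <random>

struct PoisonKeys {
    uintptr_t globalData; // pointers to global data structures
    uintptr_t jitCode;    // pointers into JIT-generated code
    uintptr_t nativeCode; // pointers to native (host) functions
};

// Keys would come from the process's random source at startup; a seeded generator keeps
// this example deterministic. Bit 0 is forced on so a key is never zero (a zero key would
// make poisoning the identity).
static PoisonKeys makePoisonKeys(uint64_t seed)
{
    std::mt19937_64 rng(seed);
    PoisonKeys keys;
    keys.globalData = static_cast<uintptr_t>(rng()) | 1;
    keys.jitCode = static_cast<uintptr_t>(rng()) | 1;
    keys.nativeCode = static_cast<uintptr_t>(rng()) | 1;
    return keys;
}

// A pointer stored as (address XOR key). Memory only ever holds the poisoned form; a
// reader has to know which key the field uses to recover a usable pointer.
template<typename T>
class Poisoned {
public:
    Poisoned(uintptr_t key, T* ptr)
        : m_bits(ptr ? reinterpret_cast<uintptr_t>(ptr) ^ key : 0) { }

    T* unpoisoned(uintptr_t key) const { return m_bits ? reinterpret_cast<T*>(m_bits ^ key) : nullptr; }
    uintptr_t bits() const { return m_bits; } // the in-memory representation

private:
    uintptr_t m_bits; // null is kept as 0 so null checks need no key
};

// Stand-in for a host function reached through a poisoned pointer, like the function
// field of a NativeExecutable.
static int hostDouble(int x) { return 2 * x; }
using NativeFunction = int(int);

// The field is stored poisoned with the native-code key and unpoisoned only at the call.
static int callThroughPoisonedPointer(const PoisonKeys& keys, int arg)
{
    Poisoned<NativeFunction> field(keys.nativeCode, &hostDouble);
    NativeFunction* fn = field.unpoisoned(keys.nativeCode);
    return fn(arg);
}

// A memory disclosure of the field reveals neither the function's address nor the key.
static bool storedBitsHideAddress(const PoisonKeys& keys)
{
    Poisoned<NativeFunction> field(keys.nativeCode, &hostDouble);
    uintptr_t raw = reinterpret_cast<uintptr_t>(&hostDouble);
    return field.bits() != raw && (field.bits() ^ keys.nativeCode) == raw;
}

// Each pointer class has its own key, so a native-code field does not unpoison into the
// real address under the JIT-code or global-data key: a value confused or copied across
// classes is not usable as-is.
static bool wrongKeyDoesNotRecover(const PoisonKeys& keys)
{
    Poisoned<NativeFunction> field(keys.nativeCode, &hostDouble);
    return field.unpoisoned(keys.jitCode) != &hostDouble
        && field.unpoisoned(keys.globalData) != &hostDouble
        && field.unpoisoned(keys.nativeCode) == &hostDouble;
}

static bool nullStaysNull(const PoisonKeys& keys)
{
    Poisoned<int> empty(keys.globalData, nullptr);
    return empty.bits() == 0 && empty.unpoisoned(keys.globalData) == nullptr;
}
```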
2144
2145 2017-12-07  Joseph Pecoraro  <pecoraro@apple.com>
2146
2147         Web Inspector: Fix style in remote inspector classes
2148         https://bugs.webkit.org/show_bug.cgi?id=180545
2149
2150         Reviewed by Youenn Fablet.
2151
2152         * inspector/remote/RemoteControllableTarget.h:
2153         * inspector/remote/RemoteInspectionTarget.h:
2154         * runtime/JSGlobalObjectDebuggable.h:
2155
2156 2017-12-07  Per Arne Vollan  <pvollan@apple.com>
2157
2158         Use fastAlignedFree to free aligned memory.
2159         https://bugs.webkit.org/show_bug.cgi?id=180540
2160
2161         Reviewed by Saam Barati.
2162
2163         * heap/IsoAlignedMemoryAllocator.cpp:
2164         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2165
2166 2017-12-07  Matt Lewis  <jlewis3@apple.com>
2167
2168         Unreviewed, rolling out r225634.
2169
2170         This caused layout tests to time out.
2171
2172         Reverted changeset:
2173
2174         "Simplify log channel configuration UI"
2175         https://bugs.webkit.org/show_bug.cgi?id=180527
2176         https://trac.webkit.org/changeset/225634
2177
2178 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
2179
2180         Simplify log channel configuration UI
2181         https://bugs.webkit.org/show_bug.cgi?id=180527
2182         <rdar://problem/35908382>
2183
2184         Reviewed by Joseph Pecoraro.
2185
2186         * inspector/protocol/Console.json:
2187
2188 2017-12-07  Mark Lam  <mark.lam@apple.com>
2189
2190         [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
2191         https://bugs.webkit.org/show_bug.cgi?id=180514
2192
2193         Reviewed by Saam Barati and JF Bastien.
2194
2195         Re-landing r225620 with speculative build fix for GCC 7.
2196
2197         * API/JSCallbackObject.h:
2198         * API/JSObjectRef.cpp:
2199         (classInfoPrivate):
2200         * JavaScriptCore.xcodeproj/project.pbxproj:
2201         * Sources.txt:
2202         * assembler/MacroAssemblerCodeRef.h:
2203         (JSC::FunctionPtr::FunctionPtr):
2204         (JSC::FunctionPtr::value const):
2205         (JSC::FunctionPtr::executableAddress const):
2206         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2207         (JSC::ReturnAddressPtr::value const):
2208         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2209         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2210         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
2211         (JSC::MacroAssemblerCodePtr:: const):
2212         (JSC::MacroAssemblerCodePtr::operator! const):
2213         (JSC::MacroAssemblerCodePtr::operator== const):
2214         (JSC::MacroAssemblerCodePtr::emptyValue):
2215         (JSC::MacroAssemblerCodePtr::deletedValue):
2216         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
2217         * b3/B3LowerMacros.cpp:
2218         * b3/testb3.cpp:
2219         (JSC::B3::testInterpreter):
2220         * dfg/DFGSpeculativeJIT.cpp:
2221         (JSC::DFG::SpeculativeJIT::checkArray):
2222         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2223         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2224         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2225         * ftl/FTLLowerDFGToB3.cpp:
2226         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2227         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2228         * jit/AssemblyHelpers.h:
2229         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2230         * jit/SpecializedThunkJIT.h:
2231         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2232         * jit/ThunkGenerators.cpp:
2233         (JSC::virtualThunkFor):
2234         (JSC::boundThisNoArgsFunctionCallGenerator):
2235         * llint/LLIntSlowPaths.cpp:
2236         (JSC::LLInt::handleHostCall):
2237         (JSC::LLInt::setUpCall):
2238         * llint/LowLevelInterpreter64.asm:
2239         * runtime/InitializeThreading.cpp:
2240         (JSC::initializeThreading):
2241         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
2242         (JSC::initializePoison):
2243         (JSC::initializeScrambledPtrKeys): Deleted.
2244         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
2245         * runtime/JSCScrambledPtr.cpp: Removed.
2246         * runtime/JSCScrambledPtr.h: Removed.
2247         * runtime/JSDestructibleObject.h:
2248         (JSC::JSDestructibleObject::classInfo const):
2249         * runtime/JSSegmentedVariableObject.h:
2250         (JSC::JSSegmentedVariableObject::classInfo const):
2251         * runtime/Structure.h:
2252         * runtime/VM.h:
2253
2254 2017-12-07  Michael Catanzaro  <mcatanzaro@igalia.com>
2255
2256         Unreviewed, rolling out r225620
2257         https://bugs.webkit.org/show_bug.cgi?id=180514
2258         <rdar://problem/35901694>
2259
2260         It broke the build with GCC 7, and I don't know how to fix it.
2261
2262         * API/JSCallbackObject.h:
2263         * API/JSObjectRef.cpp:
2264         (classInfoPrivate):
2265         * JavaScriptCore.xcodeproj/project.pbxproj:
2266         * Sources.txt:
2267         * assembler/MacroAssemblerCodeRef.h:
2268         (JSC::FunctionPtr::FunctionPtr):
2269         (JSC::FunctionPtr::value const):
2270         (JSC::FunctionPtr::executableAddress const):
2271         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2272         (JSC::ReturnAddressPtr::value const):
2273         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2274         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2275         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2276         (JSC::MacroAssemblerCodePtr:: const):
2277         (JSC::MacroAssemblerCodePtr::operator! const):
2278         (JSC::MacroAssemblerCodePtr::operator== const):
2279         (JSC::MacroAssemblerCodePtr::emptyValue):
2280         (JSC::MacroAssemblerCodePtr::deletedValue):
2281         (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
2282         * b3/B3LowerMacros.cpp:
2283         * b3/testb3.cpp:
2284         (JSC::B3::testInterpreter):
2285         * dfg/DFGSpeculativeJIT.cpp:
2286         (JSC::DFG::SpeculativeJIT::checkArray):
2287         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2288         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2289         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2290         * ftl/FTLLowerDFGToB3.cpp:
2291         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2292         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2293         * jit/AssemblyHelpers.h:
2294         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2295         * jit/SpecializedThunkJIT.h:
2296         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2297         * jit/ThunkGenerators.cpp:
2298         (JSC::virtualThunkFor):
2299         (JSC::boundThisNoArgsFunctionCallGenerator):
2300         * llint/LLIntSlowPaths.cpp:
2301         (JSC::LLInt::handleHostCall):
2302         (JSC::LLInt::setUpCall):
2303         * llint/LowLevelInterpreter64.asm:
2304         * runtime/InitializeThreading.cpp:
2305         (JSC::initializeThreading):
2306         * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
2307         (JSC::initializeScrambledPtrKeys):
2308         * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
2309         * runtime/JSDestructibleObject.h:
2310         (JSC::JSDestructibleObject::classInfo const):
2311         * runtime/JSSegmentedVariableObject.h:
2312         (JSC::JSSegmentedVariableObject::classInfo const):
2313         * runtime/Structure.h:
2314         * runtime/VM.h:
2315
2316 2017-12-06  Mark Lam  <mark.lam@apple.com>
2317
2318         Refactoring: Rename ScrambledPtr to Poisoned.
2319         https://bugs.webkit.org/show_bug.cgi?id=180514
2320
2321         Reviewed by Saam Barati.
2322
2323         * API/JSCallbackObject.h:
2324         * API/JSObjectRef.cpp:
2325         (classInfoPrivate):
2326         * JavaScriptCore.xcodeproj/project.pbxproj:
2327         * Sources.txt:
2328         * assembler/MacroAssemblerCodeRef.h:
2329         (JSC::FunctionPtr::FunctionPtr):
2330         (JSC::FunctionPtr::value const):
2331         (JSC::FunctionPtr::executableAddress const):
2332         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2333         (JSC::ReturnAddressPtr::value const):
2334         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2335         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2336         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
2337         (JSC::MacroAssemblerCodePtr:: const):
2338         (JSC::MacroAssemblerCodePtr::operator! const):
2339         (JSC::MacroAssemblerCodePtr::operator== const):
2340         (JSC::MacroAssemblerCodePtr::emptyValue):
2341         (JSC::MacroAssemblerCodePtr::deletedValue):
2342         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
2343         * b3/B3LowerMacros.cpp:
2344         * b3/testb3.cpp:
2345         (JSC::B3::testInterpreter):
2346         * dfg/DFGSpeculativeJIT.cpp:
2347         (JSC::DFG::SpeculativeJIT::checkArray):
2348         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2349         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2350         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2351         * ftl/FTLLowerDFGToB3.cpp:
2352         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2353         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2354         * jit/AssemblyHelpers.h:
2355         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2356         * jit/SpecializedThunkJIT.h:
2357         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2358         * jit/ThunkGenerators.cpp:
2359         (JSC::virtualThunkFor):
2360         (JSC::boundThisNoArgsFunctionCallGenerator):
2361         * llint/LLIntSlowPaths.cpp:
2362         (JSC::LLInt::handleHostCall):
2363         (JSC::LLInt::setUpCall):
2364         * llint/LowLevelInterpreter64.asm:
2365         * runtime/InitializeThreading.cpp:
2366         (JSC::initializeThreading):
2367         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
2368         (JSC::initializePoison):
2369         (JSC::initializeScrambledPtrKeys): Deleted.
2370         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
2371         * runtime/JSCScrambledPtr.cpp: Removed.
2372         * runtime/JSCScrambledPtr.h: Removed.
2373         * runtime/JSDestructibleObject.h:
2374         (JSC::JSDestructibleObject::classInfo const):
2375         * runtime/JSSegmentedVariableObject.h:
2376         (JSC::JSSegmentedVariableObject::classInfo const):
2377         * runtime/Structure.h:
2378         * runtime/VM.h:
2379
2380 2017-12-02  Darin Adler  <darin@apple.com>
2381
2382         Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
2383         https://bugs.webkit.org/show_bug.cgi?id=180009
2384
2385         Reviewed by Alex Christensen.
2386
2387         * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
2388         * bytecode/CodeBlock.cpp: Ditto.
2389         * bytecode/ExecutionCounter.cpp: Ditto.
2390         * runtime/ConfigFile.cpp: Ditto.
2391         * runtime/DatePrototype.cpp: Ditto.
2392         * runtime/IndexingType.cpp: Ditto.
2393         * runtime/JSCJSValue.cpp: Ditto.
2394         * runtime/JSDateMath.cpp: Ditto.
2395         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
2396         * runtime/Options.cpp: Ditto.
2397         (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
2398
2399 2017-12-06  Saam Barati  <sbarati@apple.com>
2400
2401         ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
2402         https://bugs.webkit.org/show_bug.cgi?id=180438
2403         <rdar://problem/35862342>
2404
2405         Reviewed by Yusuke Suzuki.
2406
2407         A couple inspector methods that take stacktraces need
2408         to grab the JSLock.
2409
2410         * inspector/ScriptCallStackFactory.cpp:
2411         (Inspector::createScriptCallStack):
2412         (Inspector::createScriptCallStackForConsole):
2413
2414 2017-12-05  Stephan Szabo  <stephan.szabo@sony.com>
2415
2416         Switch windows build to Visual Studio 2017
2417         https://bugs.webkit.org/show_bug.cgi?id=172412
2418
2419         Reviewed by Per Arne Vollan.
2420
2421         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2422
2423 2017-12-05  JF Bastien  <jfbastien@apple.com>
2424
2425         WebAssembly: don't eagerly checksum
2426         https://bugs.webkit.org/show_bug.cgi?id=180441
2427         <rdar://problem/35156628>
2428
2429         Reviewed by Saam Barati.
2430
2431         Make checksumming of module optional for now. The bots think the
2432         checksum hurt compile-time. I'd measured it and couldn't see a
2433         difference, and still can't at this point in time, but we'll see
2434         if disabling it fixes the bots. If so then I can make it lazy upon
2435         first backtrace construction, or I can try out MD5 instead of
2436         SHA1.
2437
2438         * runtime/Options.h:
2439         * wasm/WasmModuleInformation.cpp:
2440         (JSC::Wasm::ModuleInformation::ModuleInformation):
2441         * wasm/WasmModuleInformation.h:
2442         * wasm/WasmNameSection.h:
2443         (JSC::Wasm::NameSection::NameSection):
2444
2445 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
2446
2447         IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
2448         https://bugs.webkit.org/show_bug.cgi?id=180425
2449
2450         Reviewed by Saam Barati.
2451         
2452         Failure to do so causes leaks after starting workers.
2453
2454         * heap/IsoAlignedMemoryAllocator.cpp:
2455         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2456         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
2457
2458 2017-12-05  Per Arne Vollan  <pvollan@apple.com>
2459
2460         [Win64] Compile error in testmasm.cpp.
2461         https://bugs.webkit.org/show_bug.cgi?id=180436
2462
2463         Reviewed by Mark Lam.
2464
2465         Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
2466         
2467         * assembler/testmasm.cpp:
2468         (JSC::testGetEffectiveAddress):
2469
2470 2017-12-01  Filip Pizlo  <fpizlo@apple.com>
2471
2472         GC constraint solving should be parallel
2473         https://bugs.webkit.org/show_bug.cgi?id=179934
2474
2475         Reviewed by JF Bastien.
2476         
2477         This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
2478         speed-up. It's more than 1% on trunk-Speedometer.
2479         
2480         The constraint solver supports running constraints in parallel in two different ways:
2481         
2482         - Run multiple constraints in parallel to each other. This only works for constraints that can
2483           tolerate other constraints running concurrently to them (constraint.concurrency() ==
2484           ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
2485           constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
2486           could probably make them concurrent, but I'm playing it safe for now.
2487         
2488         - A constraint can create parallel work for itself, which the constraint solver will interleave
2489           with other stuff. A constraint can report that it has parallel work by returning
2490           ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
2491           constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
2492           for as long as that function wants to run.
2493         
2494         It's not possible to have a non-concurrent constraint that creates parallel work.
2495         
2496         The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
2497         most natural for two reasons:
2498         
2499         - No need to start any other threads.
2500         
2501         - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
2502           access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
2503           create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
2504           thread, that thread will have work it can start doing immediately. Before this change, we had to
2505           contribute the work found by the constraint solver to the global worklist so that it could be
2506           distributed to the marker threads by load balancing. This change probably helps to avoid that
2507           load balancing step.
2508         
2509         A lot of this change is about making it easy to iterate GC data structures in parallel. This
2510         change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
2511         the parallel work API. That constraint iterates the marked cells in two subspaces. This change
2512         makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
2513         The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
2514         iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
2515         RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
2516         when it returns a falsish version of ... (in the current code, that's always a pointer type, so
2517         done is indicated by null).
2518         
2519         * API/JSMarkingConstraintPrivate.cpp:
2520         (JSContextGroupAddMarkingConstraint):
2521         * API/JSVirtualMachine.mm:
2522         (scanExternalObjectGraph):
2523         (scanExternalRememberedSet):
2524         * JavaScriptCore.xcodeproj/project.pbxproj:
2525         * Sources.txt:
2526         * bytecode/AccessCase.cpp:
2527         (JSC::AccessCase::propagateTransitions const):
2528         * bytecode/CodeBlock.cpp:
2529         (JSC::CodeBlock::visitWeakly):
2530         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2531         (JSC::shouldMarkTransition):
2532         (JSC::CodeBlock::propagateTransitions):
2533         (JSC::CodeBlock::determineLiveness):
2534         * dfg/DFGWorklist.cpp:
2535         * ftl/FTLCompile.cpp:
2536         (JSC::FTL::compile):
2537         * heap/ConstraintParallelism.h: Added.
2538         (WTF::printInternal):
2539         * heap/Heap.cpp:
2540         (JSC::Heap::Heap):
2541         (JSC::Heap::addToRememberedSet):
2542         (JSC::Heap::runFixpointPhase):
2543         (JSC::Heap::stopThePeriphery):
2544         (JSC::Heap::resumeThePeriphery):
2545         (JSC::Heap::addCoreConstraints):
2546         (JSC::Heap::setBonusVisitorTask):
2547         (JSC::Heap::runTaskInParallel):
2548         (JSC::Heap::forEachSlotVisitor): Deleted.
2549         * heap/Heap.h:
2550         (JSC::Heap::worldIsRunning const):
2551         (JSC::Heap::runFunctionInParallel):
2552         * heap/HeapInlines.h:
2553         (JSC::Heap::worldIsStopped const):
2554         (JSC::Heap::isMarked):
2555         (JSC::Heap::incrementDeferralDepth):
2556         (JSC::Heap::decrementDeferralDepth):
2557         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2558         (JSC::Heap::forEachSlotVisitor):
2559         (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
2560         (JSC::Heap::isMarkedConcurrently): Deleted.
2561         * heap/HeapSnapshotBuilder.cpp:
2562         (JSC::HeapSnapshotBuilder::appendNode):
2563         * heap/LargeAllocation.h:
2564         (JSC::LargeAllocation::isMarked):
2565         (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
2566         * heap/LockDuringMarking.h:
2567         (JSC::lockDuringMarking):
2568         * heap/MarkedAllocator.cpp:
2569         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
2570         * heap/MarkedAllocator.h:
2571         * heap/MarkedBlock.h:
2572         (JSC::MarkedBlock::aboutToMark):
2573         (JSC::MarkedBlock::isMarked):
2574         (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
2575         (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
2576         * heap/MarkedSpace.h:
2577         (JSC::MarkedSpace::activeWeakSetsBegin):
2578         (JSC::MarkedSpace::activeWeakSetsEnd):
2579         (JSC::MarkedSpace::newActiveWeakSetsBegin):
2580         (JSC::MarkedSpace::newActiveWeakSetsEnd):
2581         * heap/MarkingConstraint.cpp:
2582         (JSC::MarkingConstraint::MarkingConstraint):
2583         (JSC::MarkingConstraint::execute):
2584         (JSC::MarkingConstraint::quickWorkEstimate):
2585         (JSC::MarkingConstraint::workEstimate):
2586         (JSC::MarkingConstraint::doParallelWork):
2587         (JSC::MarkingConstraint::finishParallelWork):
2588         (JSC::MarkingConstraint::doParallelWorkImpl):
2589         (JSC::MarkingConstraint::finishParallelWorkImpl):
2590         * heap/MarkingConstraint.h:
2591         (JSC::MarkingConstraint::lastExecuteParallelism const):
2592         (JSC::MarkingConstraint::parallelism const):
2593         (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
2594         (JSC::MarkingConstraint::workEstimate): Deleted.
2595         * heap/MarkingConstraintSet.cpp:
2596         (JSC::MarkingConstraintSet::MarkingConstraintSet):
2597         (JSC::MarkingConstraintSet::add):
2598         (JSC::MarkingConstraintSet::executeConvergence):
2599         (JSC::MarkingConstraintSet::executeConvergenceImpl):
2600         (JSC::MarkingConstraintSet::executeAll):
2601         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
2602         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
2603         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
2604         (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
2605         (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
2606         (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
2607         (): Deleted.
2608         * heap/MarkingConstraintSet.h:
2609         * heap/MarkingConstraintSolver.cpp: Added.
2610         (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
2611         (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
2612         (JSC::MarkingConstraintSolver::didVisitSomething const):
2613         (JSC::MarkingConstraintSolver::execute):
2614         (JSC::MarkingConstraintSolver::drain):
2615         (JSC::MarkingConstraintSolver::converge):
2616         (JSC::MarkingConstraintSolver::runExecutionThread):
2617         (JSC::MarkingConstraintSolver::didExecute):
2618         * heap/MarkingConstraintSolver.h: Added.
2619         * heap/OpaqueRootSet.h: Removed.
2620         * heap/ParallelSourceAdapter.h: Added.
2621         (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
2622         (JSC::createParallelSourceAdapter):
2623         * heap/SimpleMarkingConstraint.cpp: Added.
2624         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
2625         (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
2626         (JSC::SimpleMarkingConstraint::quickWorkEstimate):
2627         (JSC::SimpleMarkingConstraint::executeImpl):
2628         * heap/SimpleMarkingConstraint.h: Added.
2629         * heap/SlotVisitor.cpp:
2630         (JSC::SlotVisitor::didStartMarking):
2631         (JSC::SlotVisitor::reset):
2632         (JSC::SlotVisitor::appendToMarkStack):
2633         (JSC::SlotVisitor::visitChildren):
2634         (JSC::SlotVisitor::updateMutatorIsStopped):
2635         (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
2636         (JSC::SlotVisitor::drain):
2637         (JSC::SlotVisitor::performIncrementOfDraining):
2638         (JSC::SlotVisitor::didReachTermination):
2639         (JSC::SlotVisitor::hasWork):
2640         (JSC::SlotVisitor::drainFromShared):
2641         (JSC::SlotVisitor::drainInParallelPassively):
2642         (JSC::SlotVisitor::waitForTermination):
2643         (JSC::SlotVisitor::addOpaqueRoot): Deleted.
2644         (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
2645         (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
2646         (JSC::SlotVisitor::mergeIfNecessary): Deleted.
2647         (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
2648         (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
2649         * heap/SlotVisitor.h:
2650         * heap/SlotVisitorInlines.h:
2651         (JSC::SlotVisitor::addOpaqueRoot):
2652         (JSC::SlotVisitor::containsOpaqueRoot const):
2653         (JSC::SlotVisitor::vm):
2654         (JSC::SlotVisitor::vm const):
2655         * heap/Subspace.cpp:
2656         (JSC::Subspace::parallelAllocatorSource):
2657         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
2658         * heap/Subspace.h:
2659         * heap/SubspaceInlines.h:
2660         (JSC::Subspace::forEachMarkedCellInParallel):
2661         * heap/VisitCounter.h: Added.
2662         (JSC::VisitCounter::VisitCounter):
2663         (JSC::VisitCounter::visitCount const):
2664         * heap/VisitingTimeout.h: Removed.
2665         * heap/WeakBlock.cpp:
2666         (JSC::WeakBlock::specializedVisit):
2667         * runtime/Structure.cpp:
2668         (JSC::Structure::isCheapDuringGC):
2669         (JSC::Structure::markIfCheap):
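
        The parallel-iterator idea from this entry, as an added C++ model that is not JSC's own ParallelSourceAdapter or SharedTask code: an atomic next() that returns null when done, composed over subspace, block and cell stand-ins and drained from several threads at once. std::shared_ptr<std::function> replaces RefPtr<SharedTask<...>>, and the heap types and their contents are constructed for the example.

```cpp
// Added example, not JSC's ParallelSourceAdapter or SharedTask: a source is a shared
// callable whose next() may run on any marker thread and returns nullptr once exhausted;
// sources compose (subspace -> block -> cell) so every thread pulls from one iterator.
#include <atomic>
#include <cstddef>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

template<typename T>
using ParallelSource = std::shared_ptr<std::function<T*()>>;
// Leaf source: an atomic cursor over a vector, so next() is a single fetch_add.
template<typename T>
static ParallelSource<T> vectorSource(std::vector<T>& items)
{
    auto cursor = std::make_shared<std::atomic<size_t>>(0);
    return std::make_shared<std::function<T*()>>([&items, cursor]() -> T* {
        size_t i = cursor->fetch_add(1, std::memory_order_relaxed);
        return i < items.size() ? &items[i] : nullptr;
    });
}
// Composed source: for each outer item open an inner source and drain it. Only the
// hand-off from one inner source to the next takes the lock; the hot path is the inner next().
template<typename Outer, typename Inner>
static ParallelSource<Inner> composeSources(ParallelSource<Outer> outer,
    std::function<ParallelSource<Inner>(Outer&)> innerFor)
{
    struct State { std::mutex lock; ParallelSource<Inner> current; bool outerDone = false; };
    auto state = std::make_shared<State>();
    return std::make_shared<std::function<Inner*()>>([outer, innerFor, state]() -> Inner* {
        for (;;) {
            ParallelSource<Inner> inner;
            {
                std::lock_guard<std::mutex> guard(state->lock);
                if (!state->current && !state->outerDone) {
                    if (Outer* next = (*outer)())
                        state->current = innerFor(*next);
                    else
                        state->outerDone = true;
                }
                inner = state->current;
            }
            if (!inner)
                return nullptr; // every outer item has been drained: done
            if (Inner* item = (*inner)())
                return item;
            // This inner source is exhausted: retire it unless another thread already did.
            std::lock_guard<std::mutex> guard(state->lock);
            if (state->current == inner)
                state->current.reset();
        }
    });
}

// Constructed stand-ins for the GC's subspace / marked block / cell nesting.
struct Cell { bool marked; };
struct MarkedBlock { std::vector<Cell> cells; };
struct Subspace { std::vector<MarkedBlock> blocks; };
// The cell source is composed out of the block source, itself composed out of the subspace source.
static ParallelSource<Cell> cellSource(std::vector<Subspace>& heap)
{
    ParallelSource<MarkedBlock> blocks = composeSources<Subspace, MarkedBlock>(
        vectorSource(heap), [](Subspace& s) { return vectorSource(s.blocks); });
    return composeSources<MarkedBlock, Cell>(
        blocks, [](MarkedBlock& b) { return vectorSource(b.cells); });
}
// The solver hands one source to every marker thread; each pulls cells until the source
// is exhausted and counts the marked ones it saw.
static size_t countMarkedInParallel(std::vector<Subspace>& heap, unsigned threadCount)
{
    ParallelSource<Cell> source = cellSource(heap);
    std::atomic<size_t> marked { 0 };
    std::vector<std::thread> threads;
    for (unsigned i = 0; i < threadCount; ++i)
        threads.emplace_back([&] {
            while (Cell* cell = (*source)())
                if (cell->marked)
                    marked.fetch_add(1, std::memory_order_relaxed);
        });
    for (std::thread& t : threads)
        t.join();
    return marked.load();
}
// Constructed heap of 4 subspaces x 5 blocks x 100 cells with every third cell marked,
// so the expected count is known: 667 of the 2000 cells.
static size_t countMarkedInConstructedHeap(unsigned threadCount)
{
    std::vector<Subspace> heap(4);
    size_t n = 0;
    for (Subspace& s : heap) {
        s.blocks.resize(5);
        for (MarkedBlock& b : s.blocks)
            for (size_t i = 0; i < 100; ++i, ++n)
                b.cells.push_back(Cell { n % 3 == 0 });
    }
    return countMarkedInParallel(heap, threadCount);
}
```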
2670
2671 2017-12-04  JF Bastien  <jfbastien@apple.com>
2672
2673         Math: don't redundantly check for exceptions, just release scope
2674         https://bugs.webkit.org/show_bug.cgi?id=180395
2675
2676         Rubber stamped by Mark Lam.
2677
2678         Two of the exceptions checks could just have been exception scope
2679         releases before the return, which is ever-so-slightly more
2680         efficient. The same technically applies where we have loops over
2681         parameters, but doing the scope release there isn't really more
2682         efficient and is way harder to read.
2683
2684         * runtime/MathObject.cpp:
2685         (JSC::mathProtoFuncATan2):
2686         (JSC::mathProtoFuncPow):
2687
2688 2017-12-04  David Quesada  <david_quesada@apple.com>
2689
2690         Add a class for parsing application manifests
2691         https://bugs.webkit.org/show_bug.cgi?id=177973
2692         rdar://problem/34747949
2693
2694         Reviewed by Geoffrey Garen.
2695
2696         * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
2697
2698 2017-12-04  JF Bastien  <jfbastien@apple.com>
2699
2700         Update std::expected to match libc++ coding style
2701         https://bugs.webkit.org/show_bug.cgi?id=180264
2702
2703         Reviewed by Alex Christensen.
2704
2705         Update various uses of Expected.
2706
2707         * wasm/WasmModule.h:
2708         * wasm/WasmModuleParser.cpp:
2709         (JSC::Wasm::ModuleParser::parseImport):
2710         (JSC::Wasm::ModuleParser::parseTableHelper):
2711         (JSC::Wasm::ModuleParser::parseTable):
2712         (JSC::Wasm::ModuleParser::parseMemoryHelper):
2713         * wasm/WasmParser.h:
2714         * wasm/generateWasmValidateInlinesHeader.py:
2715         (loadMacro):
2716         (storeMacro):
2717         * wasm/js/JSWebAssemblyModule.cpp:
2718         (JSC::JSWebAssemblyModule::createStub):
2719         * wasm/js/JSWebAssemblyModule.h:
2720
2721 2017-12-04  Saam Barati  <sbarati@apple.com>
2722
2723         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2724         https://bugs.webkit.org/show_bug.cgi?id=180366
2725         <rdar://problem/35685877>
2726
2727         Reviewed by Michael Saboff.
2728
2729         On the TailCall slow path, the CallFrameShuffler will build the frame with
2730         respect to SP instead of FP. However, this may overwrite slots on the stack
2731         that are needed if the slow path C call does a stack walk. The slow path
2732         C call does a stack walk when it throws an exception. This patch fixes
2733         this bug by ensuring that the top of the stack in the FTL always has enough
2734         space to allow CallFrameShuffler to build a frame without overwriting any
2735         items on the stack that are needed when doing a stack walk.
2736
2737         * ftl/FTLLowerDFGToB3.cpp:
2738         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2739
2740 2017-12-04  Devin Rousso  <webkit@devinrousso.com>
2741
2742         Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
2743         https://bugs.webkit.org/show_bug.cgi?id=175166
2744         <rdar://problem/34040740>
2745
2746         Reviewed by Joseph Pecoraro.
2747
2748         * inspector/protocol/Recording.json:
2749         Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
2750
2751         * inspector/JSGlobalObjectConsoleClient.h:
2752         * inspector/JSGlobalObjectConsoleClient.cpp:
2753         (Inspector::JSGlobalObjectConsoleClient::record):
2754         (Inspector::JSGlobalObjectConsoleClient::recordEnd):
2755
2756         * runtime/ConsoleClient.h:
2757         * runtime/ConsoleObject.cpp:
2758         (JSC::ConsoleObject::finishCreation):
2759         (JSC::consoleProtoFuncRecord):
2760         (JSC::consoleProtoFuncRecordEnd):
2761
2762 2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2763
2764         WTF shouldn't have both Thread and ThreadIdentifier
2765         https://bugs.webkit.org/show_bug.cgi?id=180308
2766
2767         Reviewed by Darin Adler.
2768
2769         * heap/MachineStackMarker.cpp:
2770         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2771         * llint/LLIntSlowPaths.cpp:
2772         (JSC::LLInt::llint_trace_operand):
2773         (JSC::LLInt::llint_trace_value):
2774         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2775         (JSC::LLInt::traceFunctionPrologue):
2776         * runtime/ExceptionScope.cpp:
2777         (JSC::ExceptionScope::unexpectedExceptionMessage):
2778         * runtime/JSLock.h:
2779         (JSC::JSLock::currentThreadIsHoldingLock):
2780         * runtime/VM.cpp:
2781         (JSC::VM::throwException):
2782         * runtime/VM.h:
2783         (JSC::VM::throwingThread const):
2784         (JSC::VM::clearException):
2785         * tools/HeapVerifier.cpp:
2786         (JSC::HeapVerifier::printVerificationHeader):
2787
2788 2017-12-03  Caio Lima  <ticaiolima@gmail.com>
2789
2790         Rename DestroyFunc to avoid redefinition on unified build
2791         https://bugs.webkit.org/show_bug.cgi?id=180335
2792
2793         Reviewed by Filip Pizlo.
2794
2795         Changing DestroyFunc structures to more specific names to avoid
2796         conflicts on unified builds.
2797
2798         * heap/HeapCellType.cpp:
2799         (JSC::HeapCellType::finishSweep):
2800         (JSC::HeapCellType::destroy):
2801         * runtime/JSDestructibleObjectHeapCellType.cpp:
2802         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
2803         (JSC::JSDestructibleObjectHeapCellType::destroy):
2804         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
2805         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
2806         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
2807         * runtime/JSStringHeapCellType.cpp:
2808         (JSC::JSStringHeapCellType::finishSweep):
2809         (JSC::JSStringHeapCellType::destroy):
2810         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
2811         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
2812         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
2813
2814 2017-12-01  JF Bastien  <jfbastien@apple.com>
2815
2816         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2817         https://bugs.webkit.org/show_bug.cgi?id=180297
2818         <rdar://problem/35745556>
2819
2820         Reviewed by Mark Lam.
2821
2822         * runtime/MathObject.cpp:
2823         (JSC::mathProtoFuncATan2):
2824         (JSC::mathProtoFuncMax):
2825         (JSC::mathProtoFuncMin):
2826         (JSC::mathProtoFuncPow):
2827
2828 2017-12-01  Mark Lam  <mark.lam@apple.com>
2829
2830         Let's scramble ClassInfo pointers in cells.
2831         https://bugs.webkit.org/show_bug.cgi?id=180291
2832         <rdar://problem/35807620>
2833
2834         Reviewed by JF Bastien.
2835
2836         * API/JSCallbackObject.h:
2837         * API/JSObjectRef.cpp:
2838         (classInfoPrivate):
2839         * JavaScriptCore.xcodeproj/project.pbxproj:
2840         * Sources.txt:
2841         * assembler/MacroAssemblerCodeRef.cpp:
2842         (JSC::MacroAssemblerCodePtr::initialize): Deleted.
2843         * assembler/MacroAssemblerCodeRef.h:
2844         (JSC::MacroAssemblerCodePtr:: const):
2845         (JSC::MacroAssemblerCodePtr::hash const):
2846         * dfg/DFGSpeculativeJIT.cpp:
2847         (JSC::DFG::SpeculativeJIT::checkArray):
2848         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2849         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2850         * ftl/FTLLowerDFGToB3.cpp:
2851         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2852         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2853         * jit/AssemblyHelpers.h:
2854         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2855         * jit/SpecializedThunkJIT.h:
2856         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2857         * runtime/InitializeThreading.cpp:
2858         (JSC::initializeThreading):
2859         * runtime/JSCScrambledPtr.cpp: Added.
2860         (JSC::initializeScrambledPtrKeys):
2861         * runtime/JSCScrambledPtr.h: Added.
2862         * runtime/JSDestructibleObject.h:
2863         (JSC::JSDestructibleObject::classInfo const):
2864         * runtime/JSSegmentedVariableObject.h:
2865         (JSC::JSSegmentedVariableObject::classInfo const):
2866         * runtime/Structure.h:
2867         * runtime/VM.h:
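
        An added illustrative model of the pointer-scrambling idea behind this entry and the
        MacroAssemblerCodePtr entry of 2017-11-30 below: a stored pointer is XORed with a
        process-wide secret key and descrambled only at the point of use, so a slot that is
        overwritten with a raw attacker-chosen address no longer descrambles to anything usable.
        This is example code, not JSC's ScrambledPtr; the namespace, class names, key layout
        (top and low bits set), the null encoding, the looksScrambled() check and the use of
        std::random_device as the entropy source are all assumptions made for the example, and
        the top-bit check presumes a 64-bit canonical user-space address space.

```cpp
#include <cassert>
#include <cstdint>
#include <cstring>
#include <random>

// Illustrative model of pointer scrambling (example code, not JSC's ScrambledPtr).
namespace ScrambledPtrModel {

// Key layout chosen for this example (assumption):
//   - top bit set: XOR with a canonical user-space address yields a value that is
//     not a canonical address, so dereferencing scrambled bits by mistake faults
//     instead of silently working;
//   - low bit set: scrambled bits are never an aligned pointer.
constexpr uintptr_t kTopBit = uintptr_t(1) << (sizeof(uintptr_t) * 8 - 1);

inline uintptr_t makeScrambledPtrKey(uintptr_t entropy)
{
    return entropy | kTopBit | uintptr_t(1);
}

// One process-wide key, created on first use. std::random_device stands in for
// the secure entropy source a real implementation would use (assumption).
inline uintptr_t scrambledPtrKey()
{
    static const uintptr_t key = [] {
        std::random_device rd;
        uint64_t entropy = (uint64_t(rd()) << 32) | rd();
        return makeScrambledPtrKey(uintptr_t(entropy));
    }();
    return key;
}

template<typename T>
class ScrambledPtr {
public:
    ScrambledPtr() = default;
    explicit ScrambledPtr(T* ptr) : m_scrambledBits(scramble(ptr)) { }

    // Descramble only at the point of use; the raw pointer is never kept in the cell.
    T* descrambled() const
    {
        if (!m_scrambledBits)
            return nullptr;
        return reinterpret_cast<T*>(m_scrambledBits ^ scrambledPtrKey());
    }

    // What is actually stored in memory.
    uintptr_t scrambledBits() const { return m_scrambledBits; }

    // Paranoid check (assumption): a non-null stored value must carry the key's
    // top bit. A raw pointer written over the slot without the key would not.
    bool looksScrambled() const { return !m_scrambledBits || (m_scrambledBits & kTopBit); }

    explicit operator bool() const { return m_scrambledBits != 0; }

private:
    static uintptr_t scramble(T* ptr)
    {
        if (!ptr)
            return 0; // null is stored as 0 in this model
        return reinterpret_cast<uintptr_t>(ptr) ^ scrambledPtrKey();
    }

    uintptr_t m_scrambledBits { 0 };
};

// Minimal stand-ins for a ClassInfo and a cell whose ClassInfo pointer is stored
// scrambled, mirroring the classInfo() accessors named in this entry.
struct ClassInfo {
    const char* className;
};

struct DestructibleCell {
    explicit DestructibleCell(const ClassInfo* info) : m_classInfo(info) { }
    const ClassInfo* classInfo() const { return m_classInfo.descrambled(); }
    const ScrambledPtr<const ClassInfo>& storedClassInfo() const { return m_classInfo; }

private:
    ScrambledPtr<const ClassInfo> m_classInfo;
};

// Round trip through a cell and check the invariants this scheme relies on.
inline bool selfCheck()
{
    static const ClassInfo objectInfo { "JSObject" };
    DestructibleCell cell(&objectInfo);
    const uintptr_t raw = reinterpret_cast<uintptr_t>(&objectInfo);

    bool roundTrips = cell.classInfo() == &objectInfo
        && std::strcmp(cell.classInfo()->className, "JSObject") == 0;
    bool notRaw = cell.storedClassInfo().scrambledBits() != raw;
    bool tagged = cell.storedClassInfo().looksScrambled();
    bool nullIsNull = ScrambledPtr<const ClassInfo>().descrambled() == nullptr
        && !ScrambledPtr<const ClassInfo>(nullptr);
    return roundTrips && notRaw && tagged && nullIsNull;
}

} // namespace ScrambledPtrModel
```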
2868
2869 2017-12-01  Brian Burg  <bburg@apple.com>
2870
2871         Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
2872         https://bugs.webkit.org/show_bug.cgi?id=173662
2873
2874         Reviewed by Joseph Pecoraro.
2875
2876         Adopt new type names. Fix protocol generator to use correct type names.
2877
2878         * inspector/ConsoleMessage.cpp:
2879         (Inspector::ConsoleMessage::addToFrontend):
2880         Improve namings and use 'auto' when the type is obvious and repeated.
2881
2882         * inspector/ContentSearchUtilities.cpp:
2883         (Inspector::ContentSearchUtilities::searchInTextByLines):
2884         * inspector/ContentSearchUtilities.h:
2885         * inspector/InjectedScript.cpp:
2886         (Inspector::InjectedScript::getProperties):
2887         (Inspector::InjectedScript::getDisplayableProperties):
2888         (Inspector::InjectedScript::getInternalProperties):
2889         (Inspector::InjectedScript::getCollectionEntries):
2890         (Inspector::InjectedScript::wrapCallFrames const):
2891         * inspector/InjectedScript.h:
2892         * inspector/InspectorProtocolTypes.h:
2893         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
2894         (Inspector::Protocol::Array::Array): Deleted.
2895         (Inspector::Protocol::Array::openAccessors): Deleted.
2896         (Inspector::Protocol::Array::addItem): Deleted.
2897         (Inspector::Protocol::Array::create): Deleted.
2898         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
2899         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
2900         Move the implementation out of this file.
2901
2902         * inspector/ScriptCallStack.cpp:
2903         (Inspector::ScriptCallStack::buildInspectorArray const):
2904         * inspector/ScriptCallStack.h:
2905         * inspector/agents/InspectorAgent.cpp:
2906         (Inspector::InspectorAgent::activateExtraDomain):
2907         (Inspector::InspectorAgent::activateExtraDomains):
2908         * inspector/agents/InspectorAgent.h:
2909         * inspector/agents/InspectorConsoleAgent.cpp:
2910         (Inspector::InspectorConsoleAgent::getLoggingChannels):
2911         * inspector/agents/InspectorConsoleAgent.h:
2912         * inspector/agents/InspectorDebuggerAgent.cpp:
2913         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2914         (Inspector::InspectorDebuggerAgent::searchInContent):
2915         (Inspector::InspectorDebuggerAgent::currentCallFrames):
2916         * inspector/agents/InspectorDebuggerAgent.h:
2917         * inspector/agents/InspectorRuntimeAgent.cpp:
2918         (Inspector::InspectorRuntimeAgent::getProperties):
2919         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2920         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2921         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2922         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
2923         * inspector/agents/InspectorRuntimeAgent.h:
2924         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2925         (Inspector::buildSamples):
2926         Use more 'auto' and rename a variable.
2927
2928         * inspector/scripts/codegen/cpp_generator.py:
2929         (CppGenerator.cpp_protocol_type_for_type):
2930         Adopt new type names. This exposed a latent bug where we should have been
2931         unwrapping an AliasedType prior to generating a C++ type for it. The aliased
2932         type may be an array, in which case we would have generated the wrong type.
2933
2934         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2935         (_generate_typedefs_for_domain.JSON):
2936         (_generate_typedefs_for_domain.Inspector): Deleted.
2937         * inspector/scripts/codegen/objc_generator.py:
2938         (ObjCGenerator.protocol_type_for_type):
2939         (ObjCGenerator.objc_protocol_export_expression_for_variable):
2940         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2941         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2942         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2943         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2944         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2945         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2946         Rebaseline.
2947
2948         * runtime/TypeSet.cpp:
2949         (JSC::TypeSet::allStructureRepresentations const):
2950         (JSC::StructureShape::inspectorRepresentation):
2951         * runtime/TypeSet.h:
2952
2953 2017-12-01  Saam Barati  <sbarati@apple.com>
2954
2955         Having a bad time needs to handle ArrayClass indexing type as well
2956         https://bugs.webkit.org/show_bug.cgi?id=180274
2957         <rdar://problem/35667869>
2958
2959         Reviewed by Keith Miller and Mark Lam.
2960
2961         We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
2962         Otherwise, we'll end up with the wrong Structure, which will lead us to not
2963         adhere to the spec. The bug was that we were not considering ArrayClass inside 
2964         hasBrokenIndexing. This patch rewrites that function to automatically opt
2965         in non-empty indexing types as broken, instead of having to opt out all
2966         non-empty indexing types besides SlowPutArrayStorage.
2967
2968         * runtime/IndexingType.h:
2969         (JSC::hasSlowPutArrayStorage):
2970         (JSC::shouldUseSlowPut):
2971         * runtime/JSGlobalObject.cpp:
2972         * runtime/JSObject.cpp:
2973         (JSC::JSObject::switchToSlowPutArrayStorage):
2974
2975 2017-12-01  JF Bastien  <jfbastien@apple.com>
2976
2977         WebAssembly: stack trace improvement follow-ups
2978         https://bugs.webkit.org/show_bug.cgi?id=180273
2979
2980         Reviewed by Saam Barati.
2981
2982         * wasm/WasmIndexOrName.cpp:
2983         (JSC::Wasm::makeString):
2984         * wasm/WasmIndexOrName.h:
2985         (JSC::Wasm::IndexOrName::nameSection const):
2986         * wasm/WasmNameSection.h:
2987         (JSC::Wasm::NameSection::NameSection):
2988         (JSC::Wasm::NameSection::get):
2989
2990 2017-12-01  JF Bastien  <jfbastien@apple.com>
2991
2992         WebAssembly: restore cached stack limit after out-call
2993         https://bugs.webkit.org/show_bug.cgi?id=179106
2994         <rdar://problem/35337525>
2995
2996         Reviewed by Saam Barati.
2997
2998         We cache the stack limit on the Instance so that we can do fast
2999         stack checks where required. In regular usage the stack limit
3000         never changes because we always run on the same thread, but in
3001         rare cases an API user can totally migrate which thread (and
3002         therefore stack) is used for execution between WebAssembly
3003         traces. For that reason we set the cached stack limit to
3004         UINTPTR_MAX on the outgoing Instance when transitioning back into
3005         a different Instance. We usually restore the cached stack limit in
3006         Context::store, but this wasn't called on all code paths. We had a
3007         bug where an Instance calling into itself indirectly would
3008         therefore fail to restore its cached stack limit properly.
3009
3010         This patch therefore restores the cached stack limit after direct
3011         calls which could be to imports (both wasm->wasm and
3012         wasm->embedder). We have to do all of them because we have no way
3013         of knowing what imports will do (they're known at instantiation
3014         time, not compilation time, and different instances can have
3015         different imports). To make this efficient we also add a pointer
3016         to the canonical location of the stack limit (i.e. the extra
3017         indirection we're trying to save by caching the stack limit on the
3018         Instance in the first place). This is potentially a small perf hit
3019         on imported direct calls.
3020
3021         It's hard to say what the performance cost will be because we
3022         haven't seen much code in the wild which does this. We're adding
3023         two dependent loads and a store of the loaded value, which is
3024         unlikely to get used soon after. It's more code, but on an
3025         out-of-order processor it doesn't contribute to the critical path.
3026
3027         * wasm/WasmB3IRGenerator.cpp:
3028         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
3029         (JSC::Wasm::B3IRGenerator::addGrowMemory):
3030         (JSC::Wasm::B3IRGenerator::addCall):
3031         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3032         * wasm/WasmInstance.cpp:
3033         (JSC::Wasm::Instance::Instance):
3034         (JSC::Wasm::Instance::create):
3035         * wasm/WasmInstance.h:
3036         (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
3037         (JSC::Wasm::Instance::cachedStackLimit const):
3038         (JSC::Wasm::Instance::setCachedStackLimit):
3039         * wasm/js/JSWebAssemblyInstance.cpp:
3040         (JSC::JSWebAssemblyInstance::create):
3041         * wasm/js/WebAssemblyFunction.cpp:
3042         (JSC::callWebAssemblyFunction):
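
        An added model of the cached-stack-limit mechanism this entry describes: the Instance
        keeps a copy of the stack limit for cheap checks, the copy is set to UINTPTR_MAX when
        execution transfers out of the Instance, and the fix reloads the copy from a pointer to
        the canonical limit after any call that may have gone through an import. This is
        example code, not JSC's Wasm::Instance or B3IRGenerator; VMStackBounds, the method
        names and callImportThenFastCheck() are assumptions made for the example, and the
        import body is elided.

```cpp
#include <cassert>
#include <cstdint>

// Illustrative model only (example code, not JSC's implementation).
namespace StackLimitModel {

// The canonical stack limit lives with the VM/thread, not with the Instance.
struct VMStackBounds {
    uintptr_t softStackLimit;
};

struct Instance {
    explicit Instance(const VMStackBounds* bounds)
        : m_pointerToActualStackLimit(&bounds->softStackLimit)
        , m_cachedStackLimit(bounds->softStackLimit) { }

    // The fast check emitted into generated code: compare SP with the cached copy.
    bool fastStackCheckPasses(uintptr_t sp) const { return sp >= m_cachedStackLimit; }

    // Done when control transfers to a different Instance: the thread, and hence
    // the stack, may have changed by the time we come back, so the copy is poisoned.
    void invalidateCachedStackLimit() { m_cachedStackLimit = UINTPTR_MAX; }

    // The fix: reload the copy through the pointer to the canonical location after
    // any call that might have been to an import.
    void restoreCachedStackLimit() { m_cachedStackLimit = *m_pointerToActualStackLimit; }

    uintptr_t cachedStackLimit() const { return m_cachedStackLimit; }

private:
    const uintptr_t* m_pointerToActualStackLimit;
    uintptr_t m_cachedStackLimit;
};

// A direct call from `caller` that turns out to be an import and later returns.
// `restoreAfterCall` selects whether the call sequence reloads the cached limit
// (the behaviour after this fix) or relies on Context::store, which the entry says
// was not reached on every path (the behaviour before it). Returns the result of
// the next fast stack check at `spAfterReturn`.
inline bool callImportThenFastCheck(Instance& caller, uintptr_t spAfterReturn, bool restoreAfterCall)
{
    caller.invalidateCachedStackLimit(); // transition out of `caller`
    // ... the import body runs here; it may run on a different thread's stack ...
    if (restoreAfterCall)
        caller.restoreCachedStackLimit();
    return caller.fastStackCheckPasses(spAfterReturn);
}

} // namespace StackLimitModel
```

A stale UINTPTR_MAX copy makes every fast check fail even with plenty of stack, while a reloaded copy also picks up a limit that changed while the import ran.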
3043
3044 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3045
3046         [JSC] Use JSFixedArray for op_new_array_buffer
3047         https://bugs.webkit.org/show_bug.cgi?id=180084
3048
3049         Reviewed by Saam Barati.
3050
3051         For op_new_array_buffer, we have a special constant buffer in CodeBlock.
3052         But using JSFixedArray is better because:
3053
3054         1. In DFG, we have a special hashing mechanism to avoid duplicating constant buffers from the same CodeBlock.
3055            If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as a JS constant.
3056
3057         2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
3058            has JSFixedArray, we can just emit a held JSFixedArray.
3059
3060         3. We can reduce the length of op_new_array_buffer since JSFixedArray holds this.
3061
3062         4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
3063
3064         5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
3065            DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
3066            will be introduced in [1].
3067
3068         [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
3069
3070         * bytecode/BytecodeDumper.cpp:
3071         (JSC::BytecodeDumper<Block>::dumpBytecode):
3072         * bytecode/BytecodeList.json:
3073         * bytecode/BytecodeUseDef.h:
3074         (JSC::computeUsesForBytecodeOffset):
3075         * bytecode/CodeBlock.cpp:
3076         (JSC::CodeBlock::finishCreation):
3077         * bytecode/CodeBlock.h:
3078         (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
3079         (JSC::CodeBlock::addConstantBuffer): Deleted.
3080         (JSC::CodeBlock::constantBufferAsVector): Deleted.
3081         (JSC::CodeBlock::constantBuffer): Deleted.
3082         * bytecode/UnlinkedCodeBlock.cpp:
3083         (JSC::UnlinkedCodeBlock::shrinkToFit):
3084         * bytecode/UnlinkedCodeBlock.h:
3085         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
3086         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
3087         (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
3088         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
3089         * bytecompiler/BytecodeGenerator.cpp:
3090         (JSC::BytecodeGenerator::emitNewArray):
3091         (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
3092         * bytecompiler/BytecodeGenerator.h:
3093         * dfg/DFGByteCodeParser.cpp:
3094         (JSC::DFG::ByteCodeParser::parseBlock):
3095         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3096         (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
3097         (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
3098         (JSC::DFG::ConstantBufferKey::hash const): Deleted.
3099         (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
3100         (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
3101         (JSC::DFG::ConstantBufferKey::index const): Deleted.
3102         (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
3103         (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
3104         * dfg/DFGClobberize.h:
3105         (JSC::DFG::clobberize):
3106         * dfg/DFGGraph.cpp:
3107         (JSC::DFG::Graph::dump):
3108         * dfg/DFGGraph.h:
3109         * dfg/DFGNode.h:
3110         (JSC::DFG::Node::hasNewArrayBufferData):
3111         (JSC::DFG::Node::newArrayBufferData):
3112         (JSC::DFG::Node::hasVectorLengthHint):
3113         (JSC::DFG::Node::vectorLengthHint):
3114         (JSC::DFG::Node::indexingType):
3115         (JSC::DFG::Node::hasCellOperand):
3116         (JSC::DFG::Node::OpInfoWrapper::operator=):
3117         (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
3118         (JSC::DFG::Node::hasConstantBuffer): Deleted.
3119         (JSC::DFG::Node::startConstant): Deleted.
3120         (JSC::DFG::Node::numConstants): Deleted.
3121         * dfg/DFGOperations.cpp:
3122         * dfg/DFGOperations.h:
3123         * dfg/DFGSpeculativeJIT.h:
3124         (JSC::DFG::SpeculativeJIT::callOperation):
3125         * dfg/DFGSpeculativeJIT32_64.cpp:
3126         (JSC::DFG::SpeculativeJIT::compile):
3127         * dfg/DFGSpeculativeJIT64.cpp:
3128         (JSC::DFG::SpeculativeJIT::compile):
3129         * ftl/FTLLowerDFGToB3.cpp:
3130         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
3131         * jit/JIT.cpp:
3132         (JSC::JIT::privateCompileMainPass):
3133         * jit/JIT.h:
3134         * jit/JITOpcodes.cpp:
3135         (JSC::JIT::emit_op_new_array_buffer): Deleted.
3136         * jit/JITOperations.cpp:
3137         * jit/JITOperations.h:
3138         * llint/LLIntSlowPaths.cpp:
3139         * llint/LLIntSlowPaths.h:
3140         * llint/LowLevelInterpreter.asm:
3141         * runtime/CommonSlowPaths.cpp:
3142         (JSC::SLOW_PATH_DECL):
3143         * runtime/CommonSlowPaths.h:
3144         * runtime/JSFixedArray.cpp:
3145         (JSC::JSFixedArray::dumpToStream):
3146         * runtime/JSFixedArray.h:
3147         (JSC::JSFixedArray::create):
3148         (JSC::JSFixedArray::get const):
3149         (JSC::JSFixedArray::set):
3150         (JSC::JSFixedArray::buffer const):
3151         (JSC::JSFixedArray::values const):
3152         (JSC::JSFixedArray::length const):
3153         (JSC::JSFixedArray::get): Deleted.
3154
3155 2017-11-30  JF Bastien  <jfbastien@apple.com>
3156
3157         WebAssembly: improve stack trace
3158         https://bugs.webkit.org/show_bug.cgi?id=179343
3159
3160         Reviewed by Saam Barati.
3161
3162         Stack traces now include:
3163
3164           - Module name, if provided by the name section.
3165           - Module SHA1 hash if no name was provided
3166           - Stub identification, to differentiate from user code
3167           - Slightly different naming to match design from:
3168               https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
3169
3170         * interpreter/StackVisitor.cpp:
3171         (JSC::StackVisitor::Frame::functionName const):
3172         * runtime/StackFrame.cpp:
3173         (JSC::StackFrame::functionName const):
3174         (JSC::StackFrame::visitChildren):
3175         * wasm/WasmIndexOrName.cpp:
3176         (JSC::Wasm::IndexOrName::IndexOrName):
3177         (JSC::Wasm::makeString):
3178         * wasm/WasmIndexOrName.h:
3179         (JSC::Wasm::IndexOrName::nameSection const):
3180         * wasm/WasmModuleInformation.cpp:
3181         (JSC::Wasm::ModuleInformation::ModuleInformation):
3182         * wasm/WasmModuleInformation.h:
3183         * wasm/WasmNameSection.h:
3184         (JSC::Wasm::NameSection::NameSection):
3185         (JSC::Wasm::NameSection::get):
3186         * wasm/WasmNameSectionParser.cpp:
3187         (JSC::Wasm::NameSectionParser::parse):
3188
3189 2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>
3190
3191         Make LegacyCustomProtocolManager optional for network process
3192         https://bugs.webkit.org/show_bug.cgi?id=176230
3193
3194         Reviewed by Alex Christensen.
3195
3196         * Configurations/FeatureDefines.xcconfig:
3197
3198 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3199
3200         [JSC] Remove easy toRemove & map.remove() use in OAS phase
3201         https://bugs.webkit.org/show_bug.cgi?id=180208
3202
3203         Reviewed by Mark Lam.
3204
3205         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
3206         to optimize this common pattern. This patch only modifies the apparent ones.
3207         But we can apply this refactoring further to the OAS phase in the future.
3208
3209         One thing we should be careful about is that the predicate of removeIf should not
3210         touch the set being removed from. In this patch, we apply this change to (1) the
3211         apparently correct ones and (2) things in the DFG OAS phase since it is very slow.
3212
3213         * b3/B3MoveConstants.cpp:
3214         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3215
3216 2017-11-30  Commit Queue  <commit-queue@webkit.org>
3217
3218         Unreviewed, rolling out r225362.
3219         https://bugs.webkit.org/show_bug.cgi?id=180225
3220
3221         removeIf predicate function can touch remove target set
3222         (Requested by yusukesuzuki on #webkit).
3223
3224         Reverted changeset:
3225
3226         "[JSC] Remove easy toRemove & map.remove() use"
3227         https://bugs.webkit.org/show_bug.cgi?id=180208
3228         https://trac.webkit.org/changeset/225362
3229
3230 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3231
3232         [JSC] Use AllocatorIfExists for MaterializeNewObject
3233         https://bugs.webkit.org/show_bug.cgi?id=180189
3234
3235         Reviewed by Filip Pizlo.
3236
3237         I don't think anyone guarantees this allocator exists at this phase.
3238         And a nullptr allocator just works here. We change AllocatorForMode
3239         to AllocatorIfExists to accept nullptr for the allocator.
3240
3241         * ftl/FTLLowerDFGToB3.cpp:
3242         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3243
3244 2017-11-30  Mark Lam  <mark.lam@apple.com>
3245
3246         Let's scramble MacroAssemblerCodePtr values.
3247         https://bugs.webkit.org/show_bug.cgi?id=180169
3248         <rdar://problem/35758340>
3249
3250         Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
3251
3252         1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
3253
3254         2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
3255            template argument type that will be used to cast the result.  This makes the
3256            client code that uses these functions a little less verbose.
3257
3258         3. Change the code base in general to minimize passing void* code pointers around.
3259            We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
3260            at the last moment when we need the underlying code pointer.
3261
3262         4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
3263            default.  I'm leaving them in because they are instrumental in finding bugs
3264            where not all MacroAssemblerCodePtr values were scrambled as expected.
3265            I expect them to be useful in the near future as we add more scrambling.
3266
3267         5. Also disable the casting operator on MacroAssemblerCodePtr (except for
3268            explicit casts to a boolean).  This ensures that clients will always explicitly
3269            use scrambledBits() or executableAddress() to get a value based on which value
3270            they actually need.
3271
3272         6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
3273            This was helpful when debugging tests that ran multiple VMs concurrently on
3274            different threads.
3275
3276         MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
3277         CLoop).  It is not yet supported in 32-bit and Windows because we don't
3278         currently have a way to read a global variable from their LLInt code.
3279
3280         * assembler/AbstractMacroAssembler.h:
3281         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
3282         (JSC::AbstractMacroAssembler::linkPointer):
3283         * assembler/CodeLocation.h:
3284         (JSC::CodeLocationCommon::instructionAtOffset):
3285         (JSC::CodeLocationCommon::labelAtOffset):
3286         (JSC::CodeLocationCommon::jumpAtOffset):
3287         (JSC::CodeLocationCommon::callAtOffset):
3288         (JSC::CodeLocationCommon::nearCallAtOffset):
3289         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
3290         (JSC::CodeLocationCommon::dataLabel32AtOffset):
3291         (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
3292         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
3293         * assembler/LinkBuffer.cpp:
3294         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3295         * assembler/LinkBuffer.h:
3296         (JSC::LinkBuffer::link):
3297         (JSC::LinkBuffer::patch):
3298         * assembler/MacroAssemblerCodeRef.cpp:
3299         (JSC::MacroAssemblerCodePtr::initialize):
3300         * assembler/MacroAssemblerCodeRef.h:
3301         (JSC::FunctionPtr::FunctionPtr):
3302         (JSC::FunctionPtr::value const):
3303         (JSC::FunctionPtr::executableAddress const):
3304         (JSC::ReturnAddressPtr::ReturnAddressPtr):
3305         (JSC::ReturnAddressPtr::value const):
3306         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3307         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
3308         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
3309         (JSC::MacroAssemblerCodePtr:: const):
3310         (JSC::MacroAssemblerCodePtr::operator! const):
3311         (JSC::MacroAssemblerCodePtr::operator bool const):
3312         (JSC::MacroAssemblerCodePtr::operator== const):
3313         (JSC::MacroAssemblerCodePtr::hash const):
3314         (JSC::MacroAssemblerCodePtr::emptyValue):
3315         (JSC::MacroAssemblerCodePtr::deletedValue):
3316         (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
3317         (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
3318         * b3/B3LowerMacros.cpp:
3319         * b3/testb3.cpp:
3320         (JSC::B3::testInterpreter):
3321         * dfg/DFGDisassembler.cpp:
3322         (JSC::DFG::Disassembler::dumpDisassembly):
3323         * dfg/DFGJITCompiler.cpp:
3324         (JSC::DFG::JITCompiler::link):
3325         (JSC::DFG::JITCompiler::compileFunction):
3326         * dfg/DFGOperations.cpp:
3327         * dfg/DFGSpeculativeJIT.cpp:
3328         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
3329         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3330         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
3331         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
3332         * dfg/DFGSpeculativeJIT.h:
3333         * disassembler/Disassembler.cpp:
3334         (JSC::disassemble):
3335         * disassembler/UDis86Disassembler.cpp:
3336         (JSC::tryToDisassembleWithUDis86):
3337         * ftl/FTLCompile.cpp:
3338         (JSC::FTL::compile):
3339         * ftl/FTLJITCode.cpp:
3340         (JSC::FTL::JITCode::executableAddressAtOffset):
3341         * ftl/FTLLink.cpp:
3342         (JSC::FTL::link):
3343         * ftl/FTLLowerDFGToB3.cpp:
3344         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
3345         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3346         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3347         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3348         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3349         * interpreter/InterpreterInlines.h:
3350         (JSC::Interpreter::getOpcodeID):
3351         * jit/JITArithmetic.cpp:
3352         (JSC::JIT::emitMathICFast):
3353         (JSC::JIT::emitMathICSlow):
3354         * jit/JITCode.cpp:
3355         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
3356         (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
3357         (JSC::JITCodeWithCodeRef::offsetOf):
3358         * jit/JITDisassembler.cpp:
3359         (JSC::JITDisassembler::dumpDisassembly):
3360         * jit/PCToCodeOriginMap.cpp:
3361         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
3362         * jit/Repatch.cpp:
3363         (JSC::ftlThunkAwareRepatchCall):
3364         * jit/ThunkGenerators.cpp:
3365         (JSC::virtualThunkFor):
3366         (JSC::boundThisNoArgsFunctionCallGenerator):
3367         * llint/LLIntSlowPaths.cpp:
3368         (JSC::LLInt::llint_trace_operand):
3369         (JSC::LLInt::llint_trace_value):
3370         (JSC::LLInt::handleHostCall):
3371         (JSC::LLInt::setUpCall):
3372         * llint/LowLevelInterpreter64.asm:
3373         * offlineasm/cloop.rb:
3374         * runtime/InitializeThreading.cpp:
3375         (JSC::initializeThreading):
3376         * wasm/WasmBBQPlan.cpp:
3377         (JSC::Wasm::BBQPlan::complete):
3378         * wasm/WasmCallee.h:
3379         (JSC::Wasm::Callee::entrypoint const):
3380         * wasm/WasmCodeBlock.cpp:
3381         (JSC::Wasm::CodeBlock::CodeBlock):
3382         * wasm/WasmOMGPlan.cpp:
3383         (JSC::Wasm::OMGPlan::work):
3384         * wasm/js/WasmToJS.cpp:
3385         (JSC::Wasm::wasmToJS):
3386         * wasm/js/WebAssemblyFunction.cpp:
3387         (JSC::callWebAssemblyFunction):
3388         * wasm/js/WebAssemblyFunction.h:
3389         * wasm/js/WebAssemblyWrapperFunction.cpp:
3390         (JSC::WebAssemblyWrapperFunction::create):
3391
3392 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3393
3394         [JSC] Remove easy toRemove & map.remove() use
3395         https://bugs.webkit.org/show_bug.cgi?id=180208
3396
3397         Reviewed by Mark Lam.
3398
3399         In this patch, we replace the Vector<> toRemove & map.remove() loop with removeIf,
3400         to optimize this common pattern. This patch only modifies the apparent ones,
3401         but we can apply this refactoring further to the OAS phase in the future.
3402
3403         * b3/B3MoveConstants.cpp:
3404         * dfg/DFGArgumentsEliminationPhase.cpp:
3405         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3406         * wasm/WasmSignature.cpp:
3407         (JSC::Wasm::SignatureInformation::tryCleanup):
3408
3409 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3410
3411         [JSC] Use getEffectiveAddress more in JSC
3412         https://bugs.webkit.org/show_bug.cgi?id=180154
3413
3414         Reviewed by Mark Lam.
3415
3416         We can use MacroAssembler::getEffectiveAddress for the stack height calculation,
3417         and we also add a MacroAssembler::negPtr(src, dest) variant.
3418
3419         * assembler/MacroAssembler.h:
3420         (JSC::MacroAssembler::negPtr):
3421         * assembler/MacroAssemblerARM.h:
3422         (JSC::MacroAssemblerARM::neg32):
3423         * assembler/MacroAssemblerARM64.h:
3424         (JSC::MacroAssemblerARM64::neg32):
3425         (JSC::MacroAssemblerARM64::neg64):
3426         * assembler/MacroAssemblerARMv7.h:
3427         (JSC::MacroAssemblerARMv7::neg32):
3428         * assembler/MacroAssemblerMIPS.h:
3429         (JSC::MacroAssemblerMIPS::neg32):
3430         * assembler/MacroAssemblerX86Common.h:
3431         (JSC::MacroAssemblerX86Common::neg32):
3432         * assembler/MacroAssemblerX86_64.h:
3433         (JSC::MacroAssemblerX86_64::neg64):
3434         * dfg/DFGThunks.cpp:
3435         (JSC::DFG::osrEntryThunkGenerator):
3436         * ftl/FTLLowerDFGToB3.cpp:
3437         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3438         * jit/SetupVarargsFrame.cpp:
3439         (JSC::emitSetVarargsFrame):
3440
3441 2017-11-30  Mark Lam  <mark.lam@apple.com>
3442
3443         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
3444         https://bugs.webkit.org/show_bug.cgi?id=180219
3445         <rdar://problem/35696536>
3446
3447         Reviewed by Filip Pizlo.
3448
3449         * jsc.cpp:
3450         (functionFlashHeapAccess):
3451
3452 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3453
3454         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
3455         https://bugs.webkit.org/show_bug.cgi?id=180190
3456
3457         Reviewed by Mark Lam.
3458
3459         If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
3460         path by calling operationHasIndexedProperty. The problem is that
3461         operationHasIndexedProperty does not account for a negative index. The negative index
3462         was used as a uint32 array index.
3463
3464         In this patch we add a path for the negative index in operationHasIndexedProperty,
3465         and rename it to operationHasIndexedPropertyByInt to make the intention clear.
3466         We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
3467         since it is only used in DFG and FTL.
3468
3469         While fixing this bug, we found that our op_in does not record OutOfBound feedback.
3470         This causes repeated OSR exits and significantly regresses performance. We opened
3471         a bug to track this issue [1].
3472
3473         [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
3474
3475         * dfg/DFGOperations.cpp:
3476         * dfg/DFGOperations.h:
3477         * dfg/DFGSpeculativeJIT32_64.cpp:
3478         (JSC::DFG::SpeculativeJIT::compile):
3479         * dfg/DFGSpeculativeJIT64.cpp:
3480         (JSC::DFG::SpeculativeJIT::compile):
3481         * ftl/FTLLowerDFGToB3.cpp:
3482         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
3483         * jit/JITOperations.cpp:
3484         * jit/JITOperations.h:
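
        The signed-to-unsigned mix-up described above, as an added C++ example that is not WebKit's code: `Object`, `hasIndexedPropertyBuggy` and `hasIndexedPropertyByInt` are a constructed stand-in for JSC's object model and for the before/after shape of the slow-path helper, and the negative-index fallback (generic name lookup through the prototype chain) is an assumption about the fix, not a copy of it.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for a JSObject (not JSC's real object model): dense
// indexed storage, a map of named properties, and an optional prototype.
struct Object {
    std::vector<bool> indexedPresent;           // false marks a hole
    std::map<std::string, int> namedProperties; // keys such as "-1", "foo"
    const Object* prototype = nullptr;

    // Fast path the JIT wants: a pure array-index probe on this object.
    bool hasIndexedProperty(uint32_t index) const {
        return index < indexedPresent.size() && indexedPresent[index];
    }

    // Generic path: name lookup on this object, then up the prototype chain.
    bool hasProperty(const std::string& name) const {
        for (const Object* o = this; o; o = o->prototype) {
            if (o->namedProperties.count(name))
                return true;
        }
        return false;
    }
};

// "Before" (the defect the ChangeLog describes): the int32_t the DFG hands the
// slow path is widened to uint32_t, so -1 becomes 4294967295 and is probed as
// an array index. A property literally named "-1" is never considered, so the
// query silently answers false.
bool hasIndexedPropertyBuggy(const Object& object, int32_t index) {
    return object.hasIndexedProperty(static_cast<uint32_t>(index));
}

// "After": the shape of the fix, with a dedicated path for negative indices.
// Negative values can never be array indices, so they take the generic lookup
// using the canonical string form of the number, prototype chain included.
// (Assumed fallback; JSC's exact generic path is not shown on this page.)
bool hasIndexedPropertyByInt(const Object& object, int32_t index) {
    if (index < 0)
        return object.hasProperty(std::to_string(index));
    return object.hasIndexedProperty(static_cast<uint32_t>(index));
}

// Self-check on constructed input: an array-like object with two elements and
// a named property "-1" living on its prototype. Returns true when both
// versions agree on non-negative indices and only the fixed one finds "-1".
bool demonstrate() {
    Object proto;
    proto.namedProperties["-1"] = 42;
    Object array;
    array.indexedPresent = {true, true};
    array.prototype = &proto;
    bool sameOnNonNegative =
        hasIndexedPropertyBuggy(array, 1) == hasIndexedPropertyByInt(array, 1)
        && hasIndexedPropertyBuggy(array, 7) == hasIndexedPropertyByInt(array, 7);
    return sameOnNonNegative
        && !hasIndexedPropertyBuggy(array, -1)
        && hasIndexedPropertyByInt(array, -1);
}
```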
3485
3486 2017-11-30  Michael Saboff  <msaboff@apple.com>
3487
3488         Allow JSC command line tool to accept UTF8
3489         https://bugs.webkit.org/show_bug.cgi?id=180205
3490
3491         Reviewed by Keith Miller.
3492
3493         This unifies the UTF8 handling of interactive mode with that of source files.
3494
3495         * jsc.cpp:
3496         (runInteractive):
3497
3498 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3499
3500         REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
3501         https://bugs.webkit.org/show_bug.cgi?id=180185
3502
3503         Reviewed by Carlos Garcia Campos.
3504
3505         After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
3506         But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
3507         can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
3508         And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated yet. But the MakeRope
3509         DFG node can be emitted if we see that an untaken path includes String + String code.
3510
3511         This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
3512         As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
3513         I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
3514         original code used before r225314.
3515
3516         * dfg/DFGSpeculativeJIT.cpp:
3517         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3518         * ftl/FTLLowerDFGToB3.cpp:
3519         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3520
3521 2017-11-28  Filip Pizlo  <fpizlo@apple.com>
3522
3523         CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
3524         https://bugs.webkit.org/show_bug.cgi?id=180108
3525
3526         Reviewed by Saam Barati.
3527         
3528         This was creating a vector of things to remove and then removing them. I think I remember writing
3529         this code, and I did that because at the time we did not have removeAllMatching, which is
3530         definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
3531         obvious improvement before I did more fundamental things to this code.
3532
3533         * heap/CodeBlockSet.cpp:
3534         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
3535
3536 2017-11-29  Filip Pizlo  <fpizlo@apple.com>
3537
3538         GC should support isoheaps
3539         https://bugs.webkit.org/show_bug.cgi?id=179288
3540
3541         Reviewed by Saam Barati.
3542         
3543         This expands the power of the Subspace API in JSC:
3544         
3545         - Everything associated with describing the types of objects is now part of the HeapCellType class.
3546           We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
3547           HeapCellType; these are orthogonal things.
3548         
3549         - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
3550           any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
3551           special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
3552           pages but releases the physical pages as part of the respective allocator's scavenging policy
3553           (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
3554           IsoSubspace).
3555         
3556         So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
3557         for more things.
3558         
3559         This does not have any effect on JetStream (0.18% faster with p = 0.69).
3560
3561         * JavaScriptCore.xcodeproj/project.pbxproj:
3562         * Sources.txt:
3563         * bytecode/AccessCase.cpp:
3564         (JSC::AccessCase::generateImpl):
3565         * bytecode/ObjectAllocationProfileInlines.h:
3566         (JSC::ObjectAllocationProfile::initializeProfile):
3567         * dfg/DFGSpeculativeJIT.cpp:
3568         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3569         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3570         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3571         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3572         * dfg/DFGSpeculativeJIT64.cpp:
3573         (JSC::DFG::SpeculativeJIT::compile):
3574         * ftl/FTLAbstractHeapRepository.h:
3575         * ftl/FTLLowerDFGToB3.cpp:
3576         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3577         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3578         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3579         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3580         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3581         * heap/AlignedMemoryAllocator.cpp:
3582         (JSC::AlignedMemoryAllocator::registerAllocator):
3583         (JSC::AlignedMemoryAllocator::registerSubspace):
3584         * heap/AlignedMemoryAllocator.h:
3585         (JSC::AlignedMemoryAllocator::firstAllocator const):
3586         * heap/AllocationFailureMode.h: Added.
3587         * heap/CompleteSubspace.cpp: Added.
3588         (JSC::CompleteSubspace::CompleteSubspace):
3589         (JSC::CompleteSubspace::~CompleteSubspace):
3590         (JSC::CompleteSubspace::allocatorFor):
3591         (JSC::CompleteSubspace::allocate):
3592         (JSC::CompleteSubspace::allocateNonVirtual):
3593         (JSC::CompleteSubspace::allocatorForSlow):
3594         (JSC::CompleteSubspace::allocateSlow):
3595         (JSC::CompleteSubspace::tryAllocateSlow):
3596         * heap/CompleteSubspace.h: Added.
3597         (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
3598         (JSC::CompleteSubspace::allocatorForSizeStep):
3599         (JSC::CompleteSubspace::allocatorForNonVirtual):
3600         * heap/HeapCellType.cpp: Added.
3601         (JSC::HeapCellType::HeapCellType):
3602         (JSC::HeapCellType::~HeapCellType):
3603         (JSC::HeapCellType::finishSweep):
3604         (JSC::HeapCellType::destroy):
3605         * heap/HeapCellType.h: Added.
3606         (JSC::HeapCellType::attributes const):
3607         * heap/IsoAlignedMemoryAllocator.cpp: Added.
3608         (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
3609         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3610         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3611         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3612         (JSC::IsoAlignedMemoryAllocator::dump const):
3613         * heap/IsoAlignedMemoryAllocator.h: Added.
3614         * heap/IsoSubspace.cpp: Added.
3615         (JSC::IsoSubspace::IsoSubspace):
3616         (JSC::IsoSubspace::~IsoSubspace):
3617         (JSC::IsoSubspace::allocatorFor):
3618         (JSC::IsoSubspace::allocatorForNonVirtual):
3619         (JSC::IsoSubspace::allocate):
3620         (JSC::IsoSubspace::allocateNonVirtual):
3621         * heap/IsoSubspace.h: Added.
3622         (JSC::IsoSubspace::size const):
3623         * heap/MarkedAllocator.cpp:
3624         (JSC::MarkedAllocator::MarkedAllocator):
3625         (JSC::MarkedAllocator::setSubspace):
3626         (JSC::MarkedAllocator::allocateSlowCase):
3627         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
3628         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
3629         * heap/MarkedAllocator.h:
3630         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
3631         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
3632         * heap/MarkedAllocatorInlines.h:
3633         (JSC::MarkedAllocator::allocate):
3634         (JSC::MarkedAllocator::tryAllocate): Deleted.
3635         * heap/MarkedBlock.h:
3636         * heap/MarkedBlockInlines.h:
3637         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
3638         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
3639         * heap/MarkedSpace.cpp:
3640         (JSC::MarkedSpace::addMarkedAllocator):
3641         * heap/MarkedSpace.h:
3642         * heap/Subspace.cpp:
3643         (JSC::Subspace::Subspace):
3644         (JSC::Subspace::initialize):
3645         (JSC::Subspace::finishSweep):
3646         (JSC::Subspace::destroy):
3647         (JSC::Subspace::prepareForAllocation):
3648         (JSC::Subspace::findEmptyBlockToSteal):
3649         (): Deleted.
3650         (JSC::Subspace::allocate): Deleted.
3651         (JSC::Subspace::tryAllocate): Deleted.
3652         (JSC::Subspace::allocatorForSlow): Deleted.
3653         (JSC::Subspace::allocateSlow): Deleted.
3654         (JSC::Subspace::tryAllocateSlow): Deleted.
3655         (JSC::Subspace::didAllocate): Deleted.
3656         * heap/Subspace.h:
3657         (JSC::Subspace::heapCellType const):
3658         (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
3659         (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
3660         (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
3661         (JSC::Subspace::allocatorForSizeStep): Deleted.
3662         (JSC::Subspace::tryAllocatorFor): Deleted.
3663         (JSC::Subspace::allocatorFor): Deleted.
3664         * jit/AssemblyHelpers.h:
3665         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3666         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3667         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
3668         * jit/JITOpcodes.cpp:
3669         (JSC::JIT::emit_op_new_object):
3670         * runtime/ButterflyInlines.h:
3671         (JSC::Butterfly::createUninitialized):
3672         (JSC::Butterfly::tryCreate):
3673         (JSC::Butterfly::growArrayRight):
3674         * runtime/DirectArguments.cpp:
3675         (JSC::DirectArguments::overrideThings):
3676         * runtime/DirectArguments.h:
3677         (JSC::DirectArguments::subspaceFor):
3678         * runtime/DirectEvalExecutable.h:
3679         * runtime/EvalExecutable.h:
3680         * runtime/ExecutableBase.h:
3681         (JSC::ExecutableBase::subspaceFor):
3682         * runtime/FunctionExecutable.h:
3683         * runtime/GenericArgumentsInlines.h:
3684         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
3685         * runtime/HashMapImpl.h:
3686         (JSC::HashMapBuffer::create):
3687         * runtime/IndirectEvalExecutable.h:
3688         * runtime/JSArray.cpp:
3689         (JSC::JSArray::tryCreateUninitializedRestricted):
3690         (JSC::JSArray::unshiftCountSlowCase):
3691         * runtime/JSArray.h:
3692         (JSC::JSArray::tryCreate):
3693         * runtime/JSArrayBufferView.cpp:
3694         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3695         * runtime/JSCell.h:
3696         (JSC::subspaceFor):
3697         * runtime/JSCellInlines.h:
3698         (JSC::JSCell::subspaceFor):
3699         (JSC::tryAllocateCellHelper):
3700         (JSC::allocateCell):
3701         (JSC::tryAllocateCell):
3702         * runtime/JSDestructibleObject.h:
3703         (JSC::JSDestructibleObject::subspaceFor):
3704         * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
3705         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3706         (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
3707         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
3708         (JSC::JSDestructibleObjectHeapCellType::destroy):
3709         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
3710         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
3711         (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
3712         (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
3713         * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
3714         * runtime/JSDestructibleObjectSubspace.cpp: Removed.
3715         * runtime/JSDestructibleObjectSubspace.h: Removed.
3716         * runtime/JSLexicalEnvironment.h:
3717         (JSC::JSLexicalEnvironment::subspaceFor):
3718         * runtime/JSSegmentedVariableObject.h:
3719         (JSC::JSSegmentedVariableObject::subspaceFor):
3720         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
3721         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3722         (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
3723         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
3724         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
3725         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
3726         (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
3727         (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
3728         (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
3729         * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
3730         * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
3731         * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
3732         * runtime/JSString.h:
3733         (JSC::JSString::subspaceFor):
3734         * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
3735         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3736         (JSC::JSStringHeapCellType::~JSStringHeapCellType):
3737         (JSC::JSStringHeapCellType::finishSweep):
3738         (JSC::JSStringHeapCellType::destroy):
3739         (JSC::JSStringSubspace::JSStringSubspace): Deleted.
3740         (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
3741         (JSC::JSStringSubspace::finishSweep): Deleted.
3742         (JSC::JSStringSubspace::destroy): Deleted.
3743         * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
3744         * runtime/JSStringSubspace.cpp: Removed.
3745         * runtime/JSStringSubspace.h: Removed.
3746         * runtime/ModuleProgramExecutable.h:
3747         * runtime/NativeExecutable.h:
3748         * runtime/ProgramExecutable.h:
3749         * runtime/RegExpMatchesArray.h:
3750         (JSC::tryCreateUninitializedRegExpMatchesArray):
3751         * runtime/ScopedArguments.h:
3752         (JSC::ScopedArguments::subspaceFor):
3753         * runtime/VM.cpp:
3754         (JSC::VM::VM):
3755         * runtime/VM.h:
3756         (JSC::VM::gigacageAuxiliarySpace):
3757         * wasm/js/JSWebAssemblyCodeBlock.h:
3758         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
3759         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3760         (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
3761         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
3762         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
3763         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
3764         (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
3765         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
3766         (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
3767         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
3768         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
3769         * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
3770         * wasm/js/JSWebAssemblyMemory.h:
3771         (JSC::JSWebAssemblyMemory::subspaceFor):
3772
3773 2017-11-29  Saam Barati  <sbarati@apple.com>
3774
3775         Remove pointer caging for double arrays
3776         https://bugs.webkit.org/show_bug.cgi?id=180163
3777
3778         Reviewed by Mark Lam.
3779
3780         This patch removes pointer caging from double arrays. Like
3781         my previous removals of pointer caging, this is a security vs
3782         performance tradeoff. We believe that butterflies being allocated
3783         in the cage and with a 32GB runway gives us enough security that
3784         pointer caging the butterfly just for double arrays does not add
3785         enough security benefit for the performance hit it incurs.
3786         
3787         This patch also removes the GetButterflyWithoutCaging node and
3788         the FixedButterflyAccessUncaging phase. The node is no longer needed
3789         because now all GetButterfly nodes are not caged. The phase is removed
3790         since we no longer have two nodes.
3791
3792         * dfg/DFGAbstractInterpreterInlines.h:
3793         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3794         * dfg/DFGArgumentsEliminationPhase.cpp:
3795         * dfg/DFGClobberize.h:
3796         (JSC::DFG::clobberize):
3797         * dfg/DFGDoesGC.cpp:
3798         (JSC::DFG::doesGC):
3799         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
3800         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
3801         * dfg/DFGFixupPhase.cpp:
3802         (JSC::DFG::FixupPhase::fixupNode):
3803         * dfg/DFGHeapLocation.cpp:
3804         (WTF::printInternal):
3805         * dfg/DFGHeapLocation.h:
3806         * dfg/DFGNodeType.h:
3807         * dfg/DFGPlan.cpp:
3808         (JSC::DFG::Plan::compileInThreadImpl):
3809         * dfg/DFGPredictionPropagationPhase.cpp:
3810         * dfg/DFGSafeToExecute.h:
3811         (JSC::DFG::safeToExecute):
3812         * dfg/DFGSpeculativeJIT.cpp:
3813         (JSC::DFG::SpeculativeJIT::compileSpread):
3814         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3815         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
3816         * dfg/DFGSpeculativeJIT32_64.cpp:
3817         (JSC::DFG::SpeculativeJIT::compile):
3818         * dfg/DFGSpeculativeJIT64.cpp:
3819         (JSC::DFG::SpeculativeJIT::compile):
3820         * dfg/DFGTypeCheckHoistingPhase.cpp:
3821         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3822         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3823         * ftl/FTLCapabilities.cpp:
3824         (JSC::FTL::canCompile):
3825         * ftl/FTLLowerDFGToB3.cpp:
3826         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3827         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
3828         * jit/JITPropertyAccess.cpp:
3829         (JSC::JIT::emitDoubleLoad):
3830         (JSC::JIT::emitGenericContiguousPutByVal):
3831         * runtime/Butterfly.h:
3832         (JSC::Butterfly::pointer):
3833         (JSC::Butterfly::contiguousDouble):
3834         (JSC::Butterfly::caged): Deleted.
3835         * runtime/ButterflyInlines.h:
3836         (JSC::Butterfly::createOrGrowPropertyStorage):
3837         * runtime/JSObject.cpp:
3838         (JSC::JSObject::ensureLengthSlow):
3839         (JSC::JSObject::reallocateAndShrinkButterfly):
3840
3841 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3842
3843         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
3844         https://bugs.webkit.org/show_bug.cgi?id=175447
3845
3846         Reviewed by Carlos Alberto Lopez Perez.
3847
3848         This patch allows DFG JIT to be enabled on MIPS platforms.
3849
3850         * Sources.txt:
3851         * assembler/MIPSAssembler.h:
3852         (JSC::MIPSAssembler::lastSPRegister):
3853         (JSC::MIPSAssembler::numberOfSPRegisters):
3854         (JSC::MIPSAssembler::sprName):
3855         * assembler/MacroAssemblerMIPS.cpp: Added.
3856         (JSC::MacroAssembler::probe):
3857         * assembler/ProbeContext.cpp:
3858         (JSC::Probe::executeProbe):
3859         * assembler/ProbeContext.h:
3860         (JSC::Probe::CPUState::pc):
3861         * assembler/testmasm.cpp:
3862         (JSC::isSpecialGPR):
3863         (JSC::testProbePreservesGPRS):
3864         (JSC::testProbeModifiesStackPointer):
3865         (JSC::testProbeModifiesStackValues):
3866
3867 2017-11-29  Matt Lewis  <jlewis3@apple.com>
3868
3869         Unreviewed, rolling out r225286.
3870
3871         The source files within this patch have been marked as
3872         executable.
3873
3874         Reverted changeset:
3875
3876         "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
3877         https://bugs.webkit.org/show_bug.cgi?id=175447
3878         https://trac.webkit.org/changeset/225286
3879
3880 2017-11-29  Alex Christensen  <achristensen@webkit.org>
3881
3882         Fix Mac CMake build.
3883
3884         * PlatformMac.cmake:
3885
3886 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3887
3888         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
3889         https://bugs.webkit.org/show_bug.cgi?id=175447
3890
3891         Reviewed by Carlos Alberto Lopez Perez.
3892
3893         This patch allows DFG JIT to be enabled on MIPS platforms.
3894
3895         * Sources.txt:
3896         * assembler/MIPSAssembler.h:
3897         (JSC::MIPSAssembler::lastSPRegister):
3898         (JSC::MIPSAssembler::numberOfSPRegisters):
3899         (JSC::MIPSAssembler::sprName):
3900         * assembler/MacroAssemblerMIPS.cpp: Added.
3901         (JSC::MacroAssembler::probe):
3902         * assembler/ProbeContext.cpp:
3903         (JSC::Probe::executeProbe):
3904         * assembler/ProbeContext.h:
3905         (JSC::Probe::CPUState::pc):
3906         * assembler/testmasm.cpp:
3907         (JSC::isSpecialGPR):
3908         (JSC::testProbePreservesGPRS):
3909         (JSC::testProbeModifiesStackPointer):
3910         (JSC::testProbeModifiesStackValues):
3911
3912 2017-11-28  JF Bastien  <jfbastien@apple.com>
3913
3914         Strict and sloppy functions shouldn't share structure
3915         https://bugs.webkit.org/show_bug.cgi?id=180103
3916         <rdar://problem/35667847>
3917
3918         Reviewed by Saam Barati.
3919
3920         Sloppy and strict functions don't act the same when it comes to
3921         arguments, caller, and callee. Sharing a structure means that
3922         any