PutStackSinkingPhase should know that KillStack means ConflictingFlush
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
2
3         PutStackSinkingPhase should know that KillStack means ConflictingFlush
4         https://bugs.webkit.org/show_bug.cgi?id=184672
5
6         Reviewed by Michael Saboff.
7
8         We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
9         KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
10         archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
11         intentional - I don't know.
12
13         Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
14         doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
15         the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
16         KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
17         that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
18         specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
19         could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
20         KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
21         inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
22         have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
23         values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
24         value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
25
26         This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
27         them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
28         its stack slot for the purpose of clobberize.
29
30         * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
31         * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
32         * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
33         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
34
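The DeadFlush/ConflictingFlush argument in the entry above, as an added illustration that is not part of the ChangeLog or of JavaScriptCore's own code: a small C++ model of the per-stack-slot flush state with the merge rules the entry describes (DeadFlush is the identity for merge, any disagreement yields ConflictingFlush), and a check of whether a PutStack could be sunk past a join. The enum and function names, the two-arm CFG, and the Int32 format are assumptions made for the model; only the lattice behaviour follows the entry.

```cpp
#include <cstdio>
#include <vector>

// Added model, not JavaScriptCore code: the per-stack-slot state tracked by a
// PutStack sinking analysis, following the lattice described in the ChangeLog.
enum class FlushKind { DeadFlush, ConflictingFlush, Flushed };
enum class FlushFormat { Int32, Double, JSValue };

struct FlushState {
    FlushKind kind;
    FlushFormat format; // only meaningful when kind == FlushKind::Flushed
};

// Merge at a control-flow join. DeadFlush is the identity ("no PutStack seen on
// this path, nothing to disagree with"); two flushes with the same format agree;
// everything else becomes ConflictingFlush, which no later merge can undo.
FlushState merge(FlushState a, FlushState b)
{
    if (a.kind == FlushKind::DeadFlush)
        return b;
    if (b.kind == FlushKind::DeadFlush)
        return a;
    if (a.kind == FlushKind::Flushed && b.kind == FlushKind::Flushed && a.format == b.format)
        return a;
    return { FlushKind::ConflictingFlush, FlushFormat::JSValue };
}

// Sinking a PutStack to (or below) the join is only sound if the merged state
// still names one specific format that every incoming path stored.
bool canSinkPutStackTo(FlushState merged)
{
    return merged.kind == FlushKind::Flushed;
}

// Nodes that touch the slot. Both overwrite whatever state came before them.
enum class Node { PutStackInt32, KillStack };

// Forward-flow state at the end of one straight-line path, starting from
// DeadFlush. The flag selects how KillStack is modelled: as DeadFlush (the
// behaviour the ChangeLog calls wrong) or as ConflictingFlush (the fix).
FlushState stateAfterPath(const std::vector<Node>& path, bool killStackIsConflicting)
{
    FlushState state = { FlushKind::DeadFlush, FlushFormat::JSValue };
    for (Node node : path) {
        switch (node) {
        case Node::PutStackInt32:
            state = { FlushKind::Flushed, FlushFormat::Int32 };
            break;
        case Node::KillStack:
            state = { killStackIsConflicting ? FlushKind::ConflictingFlush : FlushKind::DeadFlush,
                      FlushFormat::JSValue };
            break;
        }
    }
    return state;
}

// The diamond from the bug report, reduced to its two arms: one path does
// PutStack(Int32) on the slot, the other does KillStack, then they join.
// Returns whether the analysis would believe the PutStack can be sunk past the join.
bool wouldSinkPastKillStack(bool killStackIsConflicting)
{
    FlushState left = stateAfterPath({ Node::PutStackInt32 }, killStackIsConflicting);
    FlushState right = stateAfterPath({ Node::KillStack }, killStackIsConflicting);
    return canSinkPutStackTo(merge(left, right));
}

int main()
{
    std::printf("KillStack as DeadFlush:        sink = %s (PutStack would land after the KillStack on one path)\n",
        wouldSinkPastKillStack(false) ? "yes" : "no");
    std::printf("KillStack as ConflictingFlush: sink = %s\n",
        wouldSinkPastKillStack(true) ? "yes" : "no");
    return 0;
}
```

With KillStack modelled as DeadFlush the join sees only the Int32 flush from the other arm and reports the PutStack as sinkable, which is exactly the OSR-exit hazard the entry describes; modelled as ConflictingFlush the join is poisoned and sinking is refused.
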
35 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
36
37         JSWebAssemblyCodeBlock should be in an IsoSubspace
38         https://bugs.webkit.org/show_bug.cgi?id=184704
39
40         Reviewed by Mark Lam.
41         
42         Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
43         CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
44         short-circuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
45         protection.
46
47         * runtime/VM.cpp:
48         (JSC::VM::VM):
49         * runtime/VM.h:
50         * wasm/js/JSWebAssemblyCodeBlock.h:
51
52 2018-04-17  Jer Noble  <jer.noble@apple.com>
53
54         Only enable useSeparatedWXHeap on ARM64.
55         https://bugs.webkit.org/show_bug.cgi?id=184697
56
57         Reviewed by Saam Barati.
58
59         * runtime/Options.cpp:
60         (JSC::recomputeDependentOptions):
61
62 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
63
64         [WebAssembly][Modules] Implement function import from wasm modules
65         https://bugs.webkit.org/show_bug.cgi?id=184689
66
67         Reviewed by JF Bastien.
68
69         This patch implements function import from wasm modules. We move function importing part
70         from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
71         is because linking these functions requires that all the dependent modules are created.
72         While we want to move all the linking functionality from JSWebAssemblyInstance to
73         WebAssemblyModuleRecord::link, we do not do that in this patch. In this patch, we move only the
74         function importing part because efficient compilation of WebAssembly needs to know
75         the type of WebAssemblyMemory (signaling or bounds checking). This needs to know the imported
76         or attached WebAssembly memory object. So we cannot defer this linking to
77         WebAssemblyModuleRecord::link now.
78
79         The largest difference from JS module linking is that WebAssembly module linking links
80         function from the module by snapshotting. When you have a cyclic module graph like this,
81
82         -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
83             ^                                                  |
84             +--------------------------------------------------+
85
86         we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
87         is described in [1], and tested in this patch.
88
89         [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
90
91         * JavaScriptCore.xcodeproj/project.pbxproj:
92         * jsc.cpp:
93         (functionDollarAgentStart):
94         (checkException):
95         (runWithOptions):
96         Small fixes for wasm module loading.
97
98         * parser/NodesAnalyzeModule.cpp:
99         (JSC::ImportDeclarationNode::analyzeModule):
100         * runtime/AbstractModuleRecord.cpp:
101         (JSC::AbstractModuleRecord::resolveImport):
102         (JSC::AbstractModuleRecord::link):
103         * runtime/AbstractModuleRecord.h:
104         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
105         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
106         Now, wasm modules can have an import which is named "*". So this function does not work.
107         Since wasm modules never have namespace importing, we check this in JS's module analyzer.
108
109         * runtime/JSModuleEnvironment.cpp:
110         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
111         * runtime/JSModuleRecord.cpp:
112         (JSC::JSModuleRecord::instantiateDeclarations):
113         * wasm/WasmCreationMode.h: Added.
114         * wasm/js/JSWebAssemblyInstance.cpp:
115         (JSC::JSWebAssemblyInstance::finalizeCreation):
116         (JSC::JSWebAssemblyInstance::create):
117         * wasm/js/JSWebAssemblyInstance.h:
118         * wasm/js/WebAssemblyInstanceConstructor.cpp:
119         (JSC::constructJSWebAssemblyInstance):
120         * wasm/js/WebAssemblyModuleRecord.cpp:
121         (JSC::WebAssemblyModuleRecord::link):
122         * wasm/js/WebAssemblyModuleRecord.h:
123         * wasm/js/WebAssemblyPrototype.cpp:
124         (JSC::resolve):
125         (JSC::instantiate):
126         (JSC::compileAndInstantiate):
127         (JSC::WebAssemblyPrototype::instantiate):
128         (JSC::webAssemblyInstantiateFunc):
129
130 2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>
131
132         Implement setupArgumentsImpl for ARM and MIPS
133         https://bugs.webkit.org/show_bug.cgi?id=183786
134
135         Reviewed by Yusuke Suzuki.
136
137         Implement setupArgumentsImpl for the ARM (hardfp and softfp) and MIPS calling conventions. Added
138         numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
139         registers used for 64-bit values on 32-bit architectures. numCrossSources
140         keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
141
142         * assembler/MacroAssemblerARMv7.h:
143         (JSC::MacroAssemblerARMv7::moveDouble):
144         * assembler/MacroAssemblerMIPS.h:
145         (JSC::MacroAssemblerMIPS::moveDouble):
146         * jit/CCallHelpers.h:
147         (JSC::CCallHelpers::setupStubCrossArgs):
148         (JSC::CCallHelpers::ArgCollection::ArgCollection):
149         (JSC::CCallHelpers::ArgCollection::pushRegArg):
150         (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
151         (JSC::CCallHelpers::ArgCollection::addGPRArg):
152         (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
153         (JSC::CCallHelpers::ArgCollection::addStackArg):
154         (JSC::CCallHelpers::ArgCollection::addPoke):
155         (JSC::CCallHelpers::ArgCollection::argCount):
156         (JSC::CCallHelpers::calculatePokeOffset):
157         (JSC::CCallHelpers::pokeForArgument):
158         (JSC::CCallHelpers::stackAligned):
159         (JSC::CCallHelpers::marshallArgumentRegister):
160         (JSC::CCallHelpers::setupArgumentsImpl):
161         (JSC::CCallHelpers::pokeArgumentsAligned):
162         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
163         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
164         (JSC::CCallHelpers::setupArguments):
165         * jit/FPRInfo.h:
166         (JSC::FPRInfo::toArgumentRegister):
167
168 2018-04-17  Saam Barati  <sbarati@apple.com>
169
170         Add system trace points for process launch and for initializeWebProcess
171         https://bugs.webkit.org/show_bug.cgi?id=184669
172
173         Reviewed by Simon Fraser.
174
175         * runtime/VMEntryScope.cpp:
176         (JSC::VMEntryScope::VMEntryScope):
177         (JSC::VMEntryScope::~VMEntryScope):
178
179 2018-04-17  Jer Noble  <jer.noble@apple.com>
180
181         Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
182         https://bugs.webkit.org/show_bug.cgi?id=184602
183
184         Reviewed by Beth Dakin.
185
186         * JavaScriptCore.xcodeproj/project.pbxproj:
187
188 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
189
190         [GLIB] Add API to clear JSCContext uncaught exception
191         https://bugs.webkit.org/show_bug.cgi?id=184685
192
193         Reviewed by Žan Doberšek.
194
195         Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
196
197         * API/glib/JSCContext.cpp:
198         (jsc_context_clear_exception):
199         * API/glib/JSCContext.h:
200         * API/glib/docs/jsc-glib-4.0-sections.txt:
201
202 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
203
204         [GLIB] Add API to query, delete and enumerate properties
205         https://bugs.webkit.org/show_bug.cgi?id=184647
206
207         Reviewed by Michael Catanzaro.
208
209         Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
210
211         * API/glib/JSCValue.cpp:
212         (jsc_value_object_has_property):
213         (jsc_value_object_delete_property):
214         (jsc_value_object_enumerate_properties):
215         * API/glib/JSCValue.h:
216         * API/glib/docs/jsc-glib-4.0-sections.txt:
217
218 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
219
220         [WebAssembly][Modules] Prototype wasm import
221         https://bugs.webkit.org/show_bug.cgi?id=184600
222
223         Reviewed by JF Bastien.
224
225         This patch is an initial attempt to implement Wasm loading in the module pipeline.
226         Currently,
227
228         1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
229            in whatwg HTML, we should integrate this into WebCore.
230
231         2. We only support exporting values from Wasm. A Wasm module cannot import anything from
232            the other modules now.
233
234         When loading a file, the JSC shell checks for the wasm magic. If the wasm magic is found, the JSC shell
235         loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
236         module loader pipeline just handles it the same as JS. When parsing a module, we
237         check the type of the JSSourceCode. If the source code is Wasm source code, we create a
238         WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
239         AbstractModuleRecord, and the Wasm module is instantiated, linked, and evaluated.
240
241         * builtins/ModuleLoaderPrototype.js:
242         (globalPrivate.newRegistryEntry):
243         (requestInstantiate):
244         (link):
245         * jsc.cpp:
246         (convertShebangToJSComment):
247         (fillBufferWithContentsOfFile):
248         (fetchModuleFromLocalFileSystem):
249         (GlobalObject::moduleLoaderFetch):
250         * parser/SourceProvider.h:
251         (JSC::WebAssemblySourceProvider::create):
252         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
253         * runtime/AbstractModuleRecord.cpp:
254         (JSC::AbstractModuleRecord::hostResolveImportedModule):
255         (JSC::AbstractModuleRecord::link):
256         (JSC::AbstractModuleRecord::evaluate):
257         (JSC::identifierToJSValue): Deleted.
258         * runtime/AbstractModuleRecord.h:
259         * runtime/JSModuleLoader.cpp:
260         (JSC::JSModuleLoader::evaluate):
261         * runtime/JSModuleRecord.cpp:
262         (JSC::JSModuleRecord::link):
263         (JSC::JSModuleRecord::instantiateDeclarations):
264         * runtime/JSModuleRecord.h:
265         * runtime/ModuleLoaderPrototype.cpp:
266         (JSC::moduleLoaderPrototypeParseModule):
267         (JSC::moduleLoaderPrototypeRequestedModules):
268         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
269         * wasm/js/JSWebAssemblyHelpers.h:
270         (JSC::getWasmBufferFromValue):
271         (JSC::createSourceBufferFromValue):
272         * wasm/js/JSWebAssemblyInstance.cpp:
273         (JSC::JSWebAssemblyInstance::finalizeCreation):
274         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
275         (JSC::JSWebAssemblyInstance::create):
276         * wasm/js/JSWebAssemblyInstance.h:
277         * wasm/js/WebAssemblyInstanceConstructor.cpp:
278         (JSC::constructJSWebAssemblyInstance):
279         * wasm/js/WebAssemblyModuleRecord.cpp:
280         (JSC::WebAssemblyModuleRecord::prepareLink):
281         (JSC::WebAssemblyModuleRecord::link):
282         * wasm/js/WebAssemblyModuleRecord.h:
283         * wasm/js/WebAssemblyPrototype.cpp:
284         (JSC::resolve):
285         (JSC::instantiate):
286         (JSC::compileAndInstantiate):
287         (JSC::WebAssemblyPrototype::instantiate):
288         (JSC::webAssemblyInstantiateFunc):
289         (JSC::webAssemblyValidateFunc):
290         * wasm/js/WebAssemblyPrototype.h:
291
292 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
293
294         Function.prototype.caller shouldn't return generator bodies
295         https://bugs.webkit.org/show_bug.cgi?id=184630
296
297         Reviewed by Yusuke Suzuki.
298         
299         Function.prototype.caller no longer returns generator bodies. Those are meant to be
300         private.
301         
302         Also added some builtin debugging tools so that it's easier to do the investigation that I
303         did.
304
305         * builtins/BuiltinNames.h:
306         * runtime/JSFunction.cpp:
307         (JSC::JSFunction::callerGetter):
308         * runtime/JSGlobalObject.cpp:
309         (JSC::JSGlobalObject::init):
310         * runtime/JSGlobalObjectFunctions.cpp:
311         (JSC::globalFuncBuiltinDescribe):
312         * runtime/JSGlobalObjectFunctions.h:
313
314 2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
315
316         [DFG] Remove duplicate 32bit ProfileType implementation
317         https://bugs.webkit.org/show_bug.cgi?id=184536
318
319         Reviewed by Saam Barati.
320
321         This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.
322
323         * dfg/DFGSpeculativeJIT.cpp:
324         (JSC::DFG::SpeculativeJIT::compileProfileType):
325         * dfg/DFGSpeculativeJIT.h:
326         * dfg/DFGSpeculativeJIT32_64.cpp:
327         (JSC::DFG::SpeculativeJIT::compile):
328         * dfg/DFGSpeculativeJIT64.cpp:
329         (JSC::DFG::SpeculativeJIT::compile):
330         * jit/AssemblyHelpers.h:
331         (JSC::AssemblyHelpers::branchIfUndefined):
332         (JSC::AssemblyHelpers::branchIfNull):
333
334 2018-04-12  Mark Lam  <mark.lam@apple.com>
335
336         Consolidate some PtrTags.
337         https://bugs.webkit.org/show_bug.cgi?id=184552
338         <rdar://problem/39389404>
339
340         Reviewed by Filip Pizlo.
341
342         Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
343         Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
344
345         * assembler/AbstractMacroAssembler.h:
346         (JSC::AbstractMacroAssembler::repatchNearCall):
347         * assembler/MacroAssemblerARM.h:
348         (JSC::MacroAssemblerARM::readCallTarget):
349         * assembler/MacroAssemblerARMv7.h:
350         (JSC::MacroAssemblerARMv7::readCallTarget):
351         * assembler/MacroAssemblerMIPS.h:
352         (JSC::MacroAssemblerMIPS::readCallTarget):
353         * assembler/MacroAssemblerX86.h:
354         (JSC::MacroAssemblerX86::readCallTarget):
355         * assembler/MacroAssemblerX86_64.h:
356         (JSC::MacroAssemblerX86_64::readCallTarget):
357         * bytecode/AccessCase.cpp:
358         (JSC::AccessCase::generateImpl):
359         * bytecode/InlineAccess.cpp:
360         (JSC::InlineAccess::rewireStubAsJump):
361         * bytecode/PolymorphicAccess.cpp:
362         (JSC::PolymorphicAccess::regenerate):
363         * dfg/DFGJITCompiler.cpp:
364         (JSC::DFG::JITCompiler::linkOSRExits):
365         (JSC::DFG::JITCompiler::link):
366         (JSC::DFG::JITCompiler::compileFunction):
367         * dfg/DFGJITFinalizer.cpp:
368         (JSC::DFG::JITFinalizer::finalize):
369         (JSC::DFG::JITFinalizer::finalizeFunction):
370         * dfg/DFGOSREntry.cpp:
371         (JSC::DFG::prepareOSREntry):
372         * dfg/DFGOSRExit.cpp:
373         (JSC::DFG::OSRExit::executeOSRExit):
374         (JSC::DFG::adjustAndJumpToTarget):
375         (JSC::DFG::OSRExit::compileOSRExit):
376         * dfg/DFGOSRExitCompilerCommon.cpp:
377         (JSC::DFG::adjustAndJumpToTarget):
378         * dfg/DFGOperations.cpp:
379         * ftl/FTLJITCode.cpp:
380         (JSC::FTL::JITCode::executableAddressAtOffset):
381         * ftl/FTLJITFinalizer.cpp:
382         (JSC::FTL::JITFinalizer::finalizeCommon):
383         * ftl/FTLLazySlowPath.cpp:
384         (JSC::FTL::LazySlowPath::generate):
385         * ftl/FTLLink.cpp:
386         (JSC::FTL::link):
387         * ftl/FTLLowerDFGToB3.cpp:
388         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
389         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
390         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
391         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
392         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
393         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
394         * ftl/FTLOSRExitCompiler.cpp:
395         (JSC::FTL::compileFTLOSRExit):
396         * ftl/FTLOSRExitHandle.cpp:
397         (JSC::FTL::OSRExitHandle::emitExitThunk):
398         * jit/AssemblyHelpers.cpp:
399         (JSC::AssemblyHelpers::emitDumbVirtualCall):
400         * jit/JIT.cpp:
401         (JSC::JIT::compileWithoutLinking):
402         (JSC::JIT::link):
403         * jit/JITCall.cpp:
404         (JSC::JIT::compileOpCallSlowCase):
405         * jit/JITCode.cpp:
406         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
407         (JSC::NativeJITCode::addressForCall):
408         * jit/JITInlines.h:
409         (JSC::JIT::emitNakedCall):
410         (JSC::JIT::emitNakedTailCall):
411         * jit/JITMathIC.h:
412         (JSC::isProfileEmpty):
413         * jit/JITOpcodes.cpp:
414         (JSC::JIT::privateCompileHasIndexedProperty):
415         * jit/JITOperations.cpp:
416         * jit/JITPropertyAccess.cpp:
417         (JSC::JIT::stringGetByValStubGenerator):
418         (JSC::JIT::privateCompileGetByVal):
419         (JSC::JIT::privateCompileGetByValWithCachedId):
420         (JSC::JIT::privateCompilePutByVal):
421         (JSC::JIT::privateCompilePutByValWithCachedId):
422         * jit/JITThunks.cpp:
423         (JSC::JITThunks::hostFunctionStub):
424         * jit/Repatch.cpp:
425         (JSC::linkSlowFor):
426         (JSC::linkFor):
427         (JSC::linkPolymorphicCall):
428         * jit/SpecializedThunkJIT.h:
429         (JSC::SpecializedThunkJIT::finalize):
430         * jit/ThunkGenerators.cpp:
431         (JSC::virtualThunkFor):
432         (JSC::nativeForGenerator):
433         (JSC::boundThisNoArgsFunctionCallGenerator):
434         * llint/LLIntData.cpp:
435         (JSC::LLInt::initialize):
436         * llint/LLIntEntrypoint.cpp:
437         (JSC::LLInt::setEvalEntrypoint):
438         (JSC::LLInt::setProgramEntrypoint):
439         (JSC::LLInt::setModuleProgramEntrypoint):
440         * llint/LLIntSlowPaths.cpp:
441         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
442         (JSC::LLInt::setUpCall):
443         * llint/LLIntThunks.cpp:
444         (JSC::LLInt::generateThunkWithJumpTo):
445         (JSC::LLInt::functionForCallEntryThunkGenerator):
446         (JSC::LLInt::functionForConstructEntryThunkGenerator):
447         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
448         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
449         (JSC::LLInt::evalEntryThunkGenerator):
450         (JSC::LLInt::programEntryThunkGenerator):
451         (JSC::LLInt::moduleProgramEntryThunkGenerator):
452         * llint/LowLevelInterpreter.asm:
453         * llint/LowLevelInterpreter64.asm:
454         * runtime/NativeExecutable.cpp:
455         (JSC::NativeExecutable::finishCreation):
456         * runtime/NativeFunction.h:
457         (JSC::TaggedNativeFunction::TaggedNativeFunction):
458         (JSC::TaggedNativeFunction::operator NativeFunction):
459         * runtime/PtrTag.h:
460         * wasm/WasmBBQPlan.cpp:
461         (JSC::Wasm::BBQPlan::complete):
462         * wasm/WasmOMGPlan.cpp:
463         (JSC::Wasm::OMGPlan::work):
464         * wasm/WasmThunks.cpp:
465         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
466         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
467         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
468         * wasm/js/WasmToJS.cpp:
469         (JSC::Wasm::wasmToJS):
470         * wasm/js/WebAssemblyFunction.h:
471         * yarr/YarrJIT.cpp:
472         (JSC::Yarr::YarrGenerator::compile):
473
474 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
475
476         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
477         https://bugs.webkit.org/show_bug.cgi?id=184379
478
479         Reviewed by Žan Doberšek.
480
481         Load the module from the new location.
482
483         * PlatformWPE.cmake:
484         * inspector/remote/glib/RemoteInspectorUtils.cpp:
485         (Inspector::backendCommands):
486
487 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
488
489         [DFG] Remove compileBigIntEquality in DFG 32bit
490         https://bugs.webkit.org/show_bug.cgi?id=184535
491
492         Reviewed by Saam Barati.
493
494         We can have the unified implementation for compileBigIntEquality.
495
496         * dfg/DFGSpeculativeJIT.cpp:
497         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
498         * dfg/DFGSpeculativeJIT32_64.cpp:
499         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
500         * dfg/DFGSpeculativeJIT64.cpp:
501         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
502
503 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
504
505         [WPE] Improve include hierarchy
506         https://bugs.webkit.org/show_bug.cgi?id=184376
507
508         Reviewed by Žan Doberšek.
509
510         Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
511         /usr/include/wpe-0.1/WPE/jsc.
512
513         * PlatformWPE.cmake:
514
515 2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>
516
517         [GLIB] Handle strings containing null characters
518         https://bugs.webkit.org/show_bug.cgi?id=184450
519
520         Reviewed by Michael Catanzaro.
521
522         We should be able to evaluate scripts containing null characters and to handle strings that contain them
523         too. In JavaScript strings are not null-terminated, they can contain null characters. This patch adds a length
524         parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null-terminated), and new functions
525         jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
526         contain null characters.
527
528         * API/OpaqueJSString.cpp:
529         (OpaqueJSString::create): Add a create constructor that takes the String.
530         * API/OpaqueJSString.h:
531         (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
532         * API/glib/JSCContext.cpp:
533         (jsc_context_evaluate): Add length parameter.
534         (jsc_context_evaluate_with_source_uri): Ditto.
535         * API/glib/JSCContext.h:
536         * API/glib/JSCValue.cpp:
537         (jsc_value_new_string_from_bytes):
538         (jsc_value_to_string):
539         (jsc_value_to_string_as_bytes):
540         (jsc_value_object_is_instance_of): Pass length to evaluate.
541         * API/glib/JSCValue.h:
542         * API/glib/docs/jsc-glib-4.0-sections.txt:
543
544 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
545
546         [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
547         https://bugs.webkit.org/show_bug.cgi?id=184500
548
549         Reviewed by Mark Lam.
550
551         Instead of passing JSValue::JSCellTag to callOperation meta-program to convert
552         JSCell GPR to EncodedJSValue in 32bit code, we add CCallHelpers::CellValue.
553         It is a wrapper for GPRReg, like TrustedImmPtr for pointer value. When poking
554         CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
555         poke the held GPR. The benefit from this CellValue is that we can use the same code
556         for 32bit and 64bit. This patch removes several ifdefs.
557
558         * bytecode/AccessCase.cpp:
559         (JSC::AccessCase::generateImpl):
560         * dfg/DFGSpeculativeJIT.cpp:
561         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
562         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
563         (JSC::DFG::SpeculativeJIT::cachedPutById):
564         * dfg/DFGSpeculativeJIT32_64.cpp:
565         (JSC::DFG::SpeculativeJIT::cachedGetById):
566         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
567         * jit/CCallHelpers.h:
568         (JSC::CCallHelpers::CellValue::CellValue):
569         (JSC::CCallHelpers::CellValue::gpr const):
570         (JSC::CCallHelpers::setupArgumentsImpl):
571
572 2018-04-11  Mark Lam  <mark.lam@apple.com>
573
574         [Build fix] Replace CompactJITCodeMap with JITCodeMap.
575         https://bugs.webkit.org/show_bug.cgi?id=184512
576         <rdar://problem/35391728>
577
578         Not reviewed.
579
580         * bytecode/CodeBlock.h:
581         * jit/JITCodeMap.h:
582
583 2018-04-11  Mark Lam  <mark.lam@apple.com>
584
585         Replace CompactJITCodeMap with JITCodeMap.
586         https://bugs.webkit.org/show_bug.cgi?id=184512
587         <rdar://problem/35391728>
588
589         Reviewed by Filip Pizlo.
590
591         * CMakeLists.txt:
592         * JavaScriptCore.xcodeproj/project.pbxproj:
593         * bytecode/CodeBlock.h:
594         (JSC::CodeBlock::setJITCodeMap):
595         (JSC::CodeBlock::jitCodeMap const):
596         (JSC::CodeBlock::jitCodeMap): Deleted.
597         * dfg/DFGOSRExit.cpp:
598         (JSC::DFG::OSRExit::executeOSRExit):
599         * dfg/DFGOSRExitCompilerCommon.cpp:
600         (JSC::DFG::adjustAndJumpToTarget):
601         * jit/AssemblyHelpers.cpp:
602         (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
603         * jit/AssemblyHelpers.h:
604         * jit/CompactJITCodeMap.h: Removed.
605         * jit/JIT.cpp:
606         (JSC::JIT::link):
607         * jit/JITCodeMap.h: Added.
608         (JSC::JITCodeMap::Entry::Entry):
609         (JSC::JITCodeMap::Entry::bytecodeIndex const):
610         (JSC::JITCodeMap::Entry::codeLocation):
611         (JSC::JITCodeMap::append):
612         (JSC::JITCodeMap::finish):
613         (JSC::JITCodeMap::find const):
614         (JSC::JITCodeMap::operator bool const):
615         * llint/LLIntSlowPaths.cpp:
616         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
617
618 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
619
620         [DFG] Remove CompareSlowPathGenerator
621         https://bugs.webkit.org/show_bug.cgi?id=184492
622
623         Reviewed by Mark Lam.
624
625         Now CompareSlowPathGenerator is just calling a specified function.
626         This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.
627
628         We also remove some unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
629         introducing a new constructor for GPRTemporary.
630
631         * JavaScriptCore.xcodeproj/project.pbxproj:
632         * dfg/DFGCompareSlowPathGenerator.h: Removed.
633         * dfg/DFGSpeculativeJIT.cpp:
634         (JSC::DFG::GPRTemporary::GPRTemporary):
635         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
636         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
637         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
638         (JSC::DFG::SpeculativeJIT::compileIsObject):
639         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
640         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
641         * dfg/DFGSpeculativeJIT.h:
642         (JSC::DFG::GPRTemporary::GPRTemporary):
643         * dfg/DFGSpeculativeJIT64.cpp:
644         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
645
646 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
647
648         Unreviewed, build fix for 32bit
649         https://bugs.webkit.org/show_bug.cgi?id=184236
650
651         * dfg/DFGSpeculativeJIT.cpp:
652         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
653
2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove duplicate 32bit code more
        https://bugs.webkit.org/show_bug.cgi?id=184236

        Reviewed by Mark Lam.

        Remove duplicate 32bit code more aggressively, part 2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCompareSlowPathGenerator.h: Added.
        (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
        Drop the boxing part. Use unblessedBooleanResult on the DFGSpeculativeJIT side instead.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
        (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
        (JSC::DFG::SpeculativeJIT::compileIsObject):
        (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
        (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
        (JSC::DFG::SpeculativeJIT::compilePutById):
        (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
        (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
        (): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        operationHasIndexedPropertyByInt starts returning an unblessed boolean as a size_t.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::loadValue):
        (JSC::AssemblyHelpers::selectScratchGPR):
        (JSC::AssemblyHelpers::constructRegisterSet):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::setAny):
        Clean up the selectScratchGPR code to pass JSValueRegs.

2018-04-10  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Add support for BigInt in SpeculatedType
        https://bugs.webkit.org/show_bug.cgi?id=182470

        Reviewed by Saam Barati.

        This patch introduces the SpecBigInt type to DFG to enable BigInt
        speculation in DFG and FTL.

        With the SpecBigInt introduction, we can then specialize "===" operations
        for BigInts. As we are doing for some cells, we first check if the operands
        are pointing to the same JSCell, and if that is false, we
        fall back to "operationCompareStrictEqCell". The idea in further
        patches is to implement the BigInt equality check directly in
        assembly.

        We are also adding support for BigInt constant folding in the
        TypeOf operation.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromStructure):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        (JSC::isBigIntSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToThis):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        * dfg/DFGInferredTypeCheck.cpp:
        (JSC::DFG::insertInferredTypeCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBigInt):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateBigInt):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
        (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::branchIfNotType):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfBigInt):
        (JSC::AssemblyHelpers::branchIfNotBigInt):
        * runtime/InferredType.cpp:
        (JSC::InferredType::Descriptor::forValue):
        (JSC::InferredType::Descriptor::putByIdFlags const):
        (JSC::InferredType::Descriptor::merge):
        (WTF::printInternal):
        * runtime/InferredType.h:
        * runtime/JSBigInt.h:

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop build.

        * dfg/DFGAbstractInterpreterClobberState.cpp:

2018-04-10  Mark Lam  <mark.lam@apple.com>

        Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
        https://bugs.webkit.org/show_bug.cgi?id=184464
        <rdar://problem/39323947>

        Reviewed by Saam Barati.

        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassToIndex):

2018-04-09  Filip Pizlo  <fpizlo@apple.com>

        DFG AI and clobberize should agree with each other
        https://bugs.webkit.org/show_bug.cgi?id=184440

        Reviewed by Saam Barati.

        One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
        agree with each other. That's what this patch does: it adds an assertion that AI's structure
        state tracking must be equivalent to JSCell_structureID being clobbered.

        One subtlety is that AI sometimes folds away structure clobbering using information that
        clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
        ObservedTransitions).

        This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
        clobberize missing a write(Heap).

        This also makes some cases more precise in order to appease the assertion. Making things more
        precise might make things faster, but I didn't measure it because that wasn't the goal.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGAbstractInterpreterClobberState.h: Added.
        (JSC::DFG::mergeClobberStates):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::setClobberState):
        (JSC::DFG::AtTailAbstractState::mergeClobberState):
        (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGClobberSet.cpp:
        (JSC::DFG::writeSet):
        * dfg/DFGClobberSet.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::clobberState const):
        (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
        (JSC::DFG::InPlaceAbstractState::didClobber const):
        (JSC::DFG::InPlaceAbstractState::setClobberState):
        (JSC::DFG::InPlaceAbstractState::mergeClobberState):
        (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
        https://bugs.webkit.org/show_bug.cgi?id=184460
        <rdar://problem/37610966>

        Reviewed by Mark Lam.

        * bytecode/ExecutableToCodeBlockEdge.cpp:
        (JSC::ExecutableToCodeBlockEdge::visitChildren):

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
        https://bugs.webkit.org/show_bug.cgi?id=184455

        Reviewed by Michael Saboff.

        LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
        says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
        (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
        the thing being hoisted does have effects, then we get a crash.

        In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
        CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
        would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
        effectful.

        Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
        clobberize to also think that CompareEq(Untyped:, _) is effectful.

        This fixes the whole situation by teaching both clobberize and AI that the only effectful form
        of CompareEq is CompareEq(Untyped:, Untyped:).

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-04-09  Filip Pizlo  <fpizlo@apple.com>

        Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
        https://bugs.webkit.org/show_bug.cgi?id=184372

        Reviewed by Saam Barati.

        We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
        have already proved, using techniques that are more precise than AI, that the edge has type
        Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
        because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
        other than a check - so we think we can call those just because we should have already
        bailed. It's better to think of them as the result of folding a check. Therefore, we should
        only do it if there had been a check to begin with.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce @putByIdDirectPrivate
        https://bugs.webkit.org/show_bug.cgi?id=184400

        Reviewed by Saam Barati.

        This patch adds @putByIdDirectPrivate() for use in builtin JS.
        @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
        for accessing ECMAScript internal fields.

        This change removes an accidental [[Put]] operation on an object whose [[Prototype]]
        has internal fields (not direct properties). By using @getByIdDirectPrivate() and
        @putByIdDirectPrivate(), we strictly keep the semantics of ECMAScript internal
        fields: accessing the internal fields does not traverse prototype chains.

        * builtins/ArrayIteratorPrototype.js:
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/ArrayPrototype.js:
        (globalPrivate.createArrayIterator):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (asyncGeneratorYieldAwaited):
        (globalPrivate.asyncGeneratorYield):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorResumeNext):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        * builtins/MapIteratorPrototype.js:
        (globalPrivate.mapIteratorNext):
        * builtins/MapPrototype.js:
        (globalPrivate.createMapIterator):
        * builtins/ModuleLoaderPrototype.js:
        (forceFulfillPromise):
        * builtins/PromiseOperations.js:
        (globalPrivate.newHandledRejectedPromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        (globalPrivate.initializePromise):
        * builtins/PromisePrototype.js:
        (then):
        * builtins/SetIteratorPrototype.js:
        (globalPrivate.setIteratorNext):
        * builtins/SetPrototype.js:
        (globalPrivate.createSetIterator):
        * builtins/StringIteratorPrototype.js:
        (next):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):

2018-04-09  Mark Lam  <mark.lam@apple.com>

        Decorate method table entries to support pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=184430
        <rdar://problem/39296190>

        Reviewed by Saam Barati.

        * runtime/ClassInfo.h:

2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE] Don't install JSC C API headers
        https://bugs.webkit.org/show_bug.cgi?id=184375

        Reviewed by Žan Doberšek.

        None of the functions declared in these headers are exported in WPE. Use the new jsc API
        instead.

        * PlatformWPE.cmake:

2018-04-08  Mark Lam  <mark.lam@apple.com>

        Add pointer profiling to the FTL and supporting code.
        https://bugs.webkit.org/show_bug.cgi?id=184395
        <rdar://problem/39264019>

        Reviewed by Michael Saboff and Filip Pizlo.

        * assembler/CodeLocation.h:
        (JSC::CodeLocationLabel::retagged):
        (JSC::CodeLocationJump::retagged):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::locationOf):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLExceptionTarget.cpp:
        (JSC::FTL::ExceptionTarget::label):
        (JSC::FTL::ExceptionTarget::jumps):
        * ftl/FTLExceptionTarget.h:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::~LazySlowPath):
        (JSC::FTL::LazySlowPath::initialize):
        (JSC::FTL::LazySlowPath::generate):
        (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
        * ftl/FTLLazySlowPath.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::compileFTLLazySlowPath):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::callWithoutSideEffects):
        (JSC::FTL::Output::operation):
        * ftl/FTLPatchpointExceptionHandle.cpp:
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::SlowPathCallContext::makeCall):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        (JSC::FTL::SlowPathCallKey::callPtrTag const):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::lazySlowPathGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/Repatch.cpp:
        (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::repatchIn):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::readCallTarget): Deleted.
        * jit/Repatch.h:
        * runtime/PtrTag.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, attempt to fix Windows build
        https://bugs.webkit.org/show_bug.cgi?id=183508

        * jit/JIT.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for Windows by suppressing padding warning for JIT
        https://bugs.webkit.org/show_bug.cgi?id=183508

        * jit/JIT.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use alignas instead of compiler-specific attributes
        https://bugs.webkit.org/show_bug.cgi?id=183508

        Reviewed by Mark Lam.

        Use the C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.

        * heap/RegisterState.h:
        * jit/JIT.h:
        (JSC::JIT::compile): Deleted.
        (JSC::JIT::compileGetByVal): Deleted.
        (JSC::JIT::compileGetByValWithCachedId): Deleted.
        (JSC::JIT::compilePutByVal): Deleted.
        (JSC::JIT::compileDirectPutByVal): Deleted.
        (JSC::JIT::compilePutByValWithCachedId): Deleted.
        (JSC::JIT::compileHasIndexedProperty): Deleted.
        (JSC::JIT::appendCall): Deleted.
        (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
        (JSC::JIT::exceptionCheck): Deleted.
        (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
        (JSC::JIT::emitInt32Load): Deleted.
        (JSC::JIT::emitInt32GetByVal): Deleted.
        (JSC::JIT::emitInt32PutByVal): Deleted.
        (JSC::JIT::emitDoublePutByVal): Deleted.
        (JSC::JIT::emitContiguousPutByVal): Deleted.
        (JSC::JIT::emitStoreCell): Deleted.
        (JSC::JIT::getSlowCase): Deleted.
        (JSC::JIT::linkSlowCase): Deleted.
        (JSC::JIT::linkDummySlowCase): Deleted.
        (JSC::JIT::linkAllSlowCases): Deleted.
        (JSC::JIT::callOperation): Deleted.
        (JSC::JIT::callOperationWithProfile): Deleted.
        (JSC::JIT::callOperationWithResult): Deleted.
        (JSC::JIT::callOperationNoExceptionCheck): Deleted.
        (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
        (JSC::JIT::emitEnterOptimizationCheck): Deleted.
        (JSC::JIT::sampleCodeBlock): Deleted.
        (JSC::JIT::canBeOptimized): Deleted.
        (JSC::JIT::canBeOptimizedOrInlined): Deleted.
        (JSC::JIT::shouldEmitProfiling): Deleted.
        * runtime/VM.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, follow-up patch for DFG 32bit
        https://bugs.webkit.org/show_bug.cgi?id=183970

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix incorrect assertion for VM's regexp buffer lock
        https://bugs.webkit.org/show_bug.cgi?id=184398

        Reviewed by Mark Lam.

        The isLocked check before taking a lock is incorrect.

        * runtime/VM.cpp:
        (JSC::VM::acquireRegExpPatternContexBuffer):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce op_get_by_id_direct
        https://bugs.webkit.org/show_bug.cgi?id=183970

        Reviewed by Filip Pizlo.

        This patch introduces the op_get_by_id_direct bytecode. It is very similar to op_get_by_id,
        but it performs the [[GetOwnProperty]] operation instead of [[Get]]. We support this
        in all the tiers, so using this opcode does not lead to inefficiency.

        The main purpose of op_get_by_id_direct is to use it for private properties. We are using
        properties indexed with private symbols to implement ECMAScript internal fields. Before this
        patch, we just used get and put operations. However, that is not the correct semantics: accessing
        the internal fields should not traverse the prototype chain, as specified in the spec.
        We use op_get_by_id_direct to access the properties which are used as internal fields, so that
        prototype chains are not traversed.

        To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
        When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
        bytecode `op_get_by_id_direct, object, @name`.

        * builtins/ArrayIteratorPrototype.js:
        (next):
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueIsEmpty):
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (globalPrivate.asyncGeneratorDequeue):
        (globalPrivate.isExecutionState):
        (globalPrivate.isSuspendYieldState):
        (globalPrivate.asyncGeneratorReject):
        (globalPrivate.asyncGeneratorResolve):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorEnqueue):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        (next):
        (return):
        (throw):
        * builtins/MapIteratorPrototype.js:
        (next):
        * builtins/PromiseOperations.js:
        (globalPrivate.isPromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        * builtins/PromisePrototype.js:
        (then):
        * builtins/SetIteratorPrototype.js:
        (next):
        * builtins/StringIteratorPrototype.js:
        (next):
        * builtins/TypedArrayConstructor.js:
        (of):
        (from):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGenericGetByIdFunction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectGetById):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetById):
        (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
        (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        * jit/Repatch.cpp:
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::appropriateGenericGetByIdFunction): Deleted.
        * jit/Repatch.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::getOwnPropertySlot const):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getOwnPropertySlotInline):

2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove several asXXX functions
        https://bugs.webkit.org/show_bug.cgi?id=184355

        Reviewed by JF Bastien.

        Remove asActivation, asInternalFunction, and asGetterSetter.
        Use jsCast<> / jsDynamicCast<> consistently.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::callAsyncFunctionConstructor):
        (JSC::constructAsyncFunctionConstructor):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::callAsyncGeneratorFunctionConstructor):
        (JSC::constructAsyncGeneratorFunctionConstructor):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/DateConstructor.cpp:
        (JSC::constructWithDateConstructor):
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructWithFunctionConstructor):
        (JSC::callFunctionConstructor):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::callGeneratorFunctionConstructor):
        (JSC::constructGeneratorFunctionConstructor):
        * runtime/GetterSetter.h:
        (JSC::asGetterSetter): Deleted.
        * runtime/InternalFunction.h:
        (JSC::asInternalFunction): Deleted.
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSLexicalEnvironment.h:
        (JSC::asActivation): Deleted.
        * runtime/JSObject.cpp:
        (JSC::validateAndApplyPropertyDescriptor):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructWithRegExpConstructor):
        (JSC::callRegExpConstructor):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        (JSC::callJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyLinkError):
        (JSC::callJSWebAssemblyLinkError):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):
        (JSC::callJSWebAssemblyRuntimeError):

2018-04-05  Mark Lam  <mark.lam@apple.com>

        MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
        https://bugs.webkit.org/show_bug.cgi?id=184347
        <rdar://problem/39183165>

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::retagged const):

2018-04-05  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS] Optimize generated JIT code for branches
        https://bugs.webkit.org/show_bug.cgi?id=183130

        Reviewed by Yusuke Suzuki.

        The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
        branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
        to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
        However, this adds a significant overhead for all other types of branches. Since these nop's
        protect the code that is generated by branchPtrWithPatch, this function seems like a better
        place to add them.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::repatchInt32):
        (JSC::MIPSAssembler::revertJumpToMove):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchMul32):
        (JSC::MacroAssemblerMIPS::branchSub32):
        (JSC::MacroAssemblerMIPS::branchNeg32):
        (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::branchEqual):
        (JSC::MacroAssemblerMIPS::branchNotEqual):

2018-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Remove StaticLock
        https://bugs.webkit.org/show_bug.cgi?id=184332

        Reviewed by Mark Lam.

        * API/JSValue.mm:
        (handerForStructTag):
        * API/JSVirtualMachine.mm:
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        * API/glib/JSCVirtualMachine.cpp:
        (addWrapper):
        (removeWrapper):
        * assembler/testmasm.cpp:
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        * bytecode/SuperSampler.cpp:
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommonData.cpp:
        * dynbench.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
        (Inspector::RemoteTargetHandleRunSourceGlobal):
        (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
        * interpreter/CLoopStack.cpp:
        * parser/SourceProvider.cpp:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerUID.cpp:
        (JSC::Profiler::UID::create):
        * runtime/IntlObject.cpp:
        (JSC::numberingSystemsForLocale):
        * runtime/JSLock.cpp:
        * runtime/JSLock.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::registerForReportAtExit):
        * runtime/VM.cpp:
        * wasm/WasmFaultSignalHandler.cpp:

2018-04-04  Mark Lam  <mark.lam@apple.com>

        Add pointer profiling support to the DFG and supporting files.
        https://bugs.webkit.org/show_bug.cgi?id=184316
        <rdar://problem/39188524>

        Reviewed by Filip Pizlo.

        1. Profile lots of pointers with PtrTags.

        2. Remove PtrTag.cpp and make ptrTagName() into an inline function.  It's only
           used for debugging anyway, and not normally called in the code.  Making it
           an inline function prevents it from taking up code space in builds when not in
           use.

        3. Change the call to the arityFixupThunk in DFG code to be a near call.
           It doesn't need to be a far call.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/testmasm.cpp:
        (JSC::testProbeModifiesProgramCounter):
        * b3/B3LowerMacros.cpp:
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::generate):
        * b3/air/AirCCallSpecial.h:
        * b3/testb3.cpp:
        (JSC::B3::testInterpreter):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfo::initialize):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendCall):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
        (JSC::DFG::slowPathCall):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::appendCall):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitDumbVirtualCall):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::compileWithoutLinking):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        * runtime/PtrTag.cpp: Removed.
        * runtime/PtrTag.h:
        (JSC::ptrTagName):
        * runtime/VMEntryScope.cpp:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2018-04-04  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
        https://bugs.webkit.org/show_bug.cgi?id=184319

        Reviewed by Saam Barati.

        In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
        assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
        the ArrayPush.

        But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
        GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
        eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
        with a GetByVal(SaneChain), then we will hit the assertion.

        This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
        tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
        than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.

        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayPush):

2018-04-04  Filip Pizlo  <fpizlo@apple.com>

        Remove poisoning of typed array vector
        https://bugs.webkit.org/show_bug.cgi?id=184313

        Reviewed by Saam Barati.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/x86.rb:
        * runtime/CagedBarrierPtr.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        (JSC::JSArrayBufferView::finalize):
        (JSC::JSArrayBufferView::neuter):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::vector const):
        (JSC::JSArrayBufferView::offsetOfVector):
        (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
        (JSC::JSArrayBufferView::poisonFor): Deleted.
        (JSC::JSArrayBufferView::Poison::key): Deleted.
        * runtime/JSCPoison.cpp:
        (JSC::initializePoison):
        * runtime/JSCPoison.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.h:

2018-04-03  Filip Pizlo  <fpizlo@apple.com>

        Don't do index masking or poisoning for DirectArguments
        https://bugs.webkit.org/show_bug.cgi?id=184280

        Reviewed by Saam Barati.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
        (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
        * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
        (JSC::DFG::SpeculativeJIT::compilePutToArguments):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
        * heap/SecurityKind.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emitDirectArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::DirectArguments):
        (JSC::DirectArguments::createUninitialized):
        (JSC::DirectArguments::create):
        (JSC::DirectArguments::createByCopying):
        (JSC::DirectArguments::estimatedSize):
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::copyToArguments):
        (JSC::DirectArguments::mappedArgumentsSize):
        * runtime/DirectArguments.h:
        * runtime/JSCPoison.h:
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSSymbolTableObject.h:

2018-04-03  Filip Pizlo  <fpizlo@apple.com>

        JSArray::appendMemcpy seems to be missing a barrier
        https://bugs.webkit.org/show_bug.cgi?id=184290

        Reviewed by Mark Lam.

        If you write to an array that may contain pointers and you didn't just allocate it, then you need to
        barrier right after.

        I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
        obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.

        * runtime/JSArray.cpp:
        (JSC::JSArray::appendMemcpy):

2018-04-03  Filip Pizlo  <fpizlo@apple.com>

        GC shouldn't do object distancing
        https://bugs.webkit.org/show_bug.cgi?id=184195

        Reviewed by Saam Barati.

        This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
        to be a small speed-up.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::findBlockForAllocation):
        (JSC::BlockDirectory::addBlock):
        * heap/BlockDirectory.h:
        * heap/CellAttributes.cpp:
        (JSC::CellAttributes::dump const):
        * heap/CellAttributes.h:
        (JSC::CellAttributes::CellAttributes):
        * heap/LocalAllocator.cpp:
        (JSC::LocalAllocator::allocateSlowCase):
        (JSC::LocalAllocator::tryAllocateWithoutCollecting):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
        * heap/SecurityKind.cpp: Removed.
        * heap/SecurityKind.h: Removed.
        * heap/SecurityOriginToken.cpp: Removed.
        * heap/SecurityOriginToken.h: Removed.
        * heap/ThreadLocalCache.cpp:
        (JSC::ThreadLocalCache::create):
        (JSC::ThreadLocalCache::ThreadLocalCache):
        * heap/ThreadLocalCache.h:
        (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
        * runtime/JSDestructibleObjectHeapCellType.cpp:
        (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::threadLocalCache const): Deleted.
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
        (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
        * runtime/JSStringHeapCellType.cpp:
        (JSC::JSStringHeapCellType::JSStringHeapCellType):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
        (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):

2018-04-02  Saam Barati  <sbarati@apple.com>

        bmalloc should compute its own estimate of its footprint
        https://bugs.webkit.org/show_bug.cgi?id=184121

        Reviewed by Filip Pizlo.

        * heap/IsoAlignedMemoryAllocator.cpp:
        (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):

2018-04-02  Mark Lam  <mark.lam@apple.com>

        We should not trash the stack pointer on OSR entry.
        https://bugs.webkit.org/show_bug.cgi?id=184243
        <rdar://problem/39114319>

        Reviewed by Filip Pizlo.

        In the DFG OSR entry path, we momentarily overwrite the stack pointer with
        returnValueGPR2.  returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
        Hence, this assignment is wrong, and it turns out to be unnecessary as well.
        The stack pointer does get corrected later in the thunk (generated by
        osrEntryThunkGenerator()) that we jump to.  This is why we don't see ill-effects
        so far.

        This bug only poses an issue if interrupts use the user stack for their stack
        frame (e.g. Linux), and when we do stack alignment tests during debugging.

        The fix is simply to remove the assignment.

        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):

2018-04-02  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
        https://bugs.webkit.org/show_bug.cgi?id=183740

        Reviewed by Yusuke Suzuki.

        In many macro assembler methods with TrustedImm32 operand, a move imm, immTemp (pseudo)instruction is
        first generated and a register operand variant of the same method is called to generate the rest
        of the code. If the immediate value can fit in 16 bits then we can skip the move instruction and
        generate more efficient code using MIPS instructions with immediate operand.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::slti):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::lshift32):
        (JSC::MacroAssemblerMIPS::xor32):
        (JSC::MacroAssemblerMIPS::branch8):
        (JSC::MacroAssemblerMIPS::compare8):
        (JSC::MacroAssemblerMIPS::branch32):
        (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerMIPS::branchTest32):
        (JSC::MacroAssemblerMIPS::mask8OnTest):
        (JSC::MacroAssemblerMIPS::branchTest8):
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchNeg32):
        (JSC::MacroAssemblerMIPS::compare32):
        (JSC::MacroAssemblerMIPS::test8):

2018-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] More aggressive removal of duplicate 32bit DFG code
        https://bugs.webkit.org/show_bug.cgi?id=184089

        Reviewed by Saam Barati.

        This patch more aggressively removes duplicate 32bit DFG code
        by leveraging JSValueRegs and meta-programmed callOperation.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValWithThis):
        (JSC::DFG::SpeculativeJIT::compileArithMinMax):
        (JSC::DFG::SpeculativeJIT::compileNewArray):
        (JSC::DFG::SpeculativeJIT::compileCheckCell):
        (JSC::DFG::SpeculativeJIT::compileGetGlobalVariable):
        (JSC::DFG::SpeculativeJIT::compilePutGlobalVariable):
        (JSC::DFG::SpeculativeJIT::compileGetClosureVar):
        (JSC::DFG::SpeculativeJIT::compilePutClosureVar):
        (JSC::DFG::SpeculativeJIT::compileGetByOffset):
        (JSC::DFG::SpeculativeJIT::compilePutByOffset):
        (JSC::DFG::SpeculativeJIT::compileGetExecutable):
        (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
        (JSC::DFG::SpeculativeJIT::compileToThis):
        (JSC::DFG::SpeculativeJIT::compileIdentity):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2018-04-01  Filip Pizlo  <fpizlo@apple.com>

        Raise the for-call inlining threshold to 190 to fix JetStream/richards regression
        https://bugs.webkit.org/show_bug.cgi?id=184228

        Reviewed by Yusuke Suzuki.

        * runtime/Options.h:

2018-03-31  Filip Pizlo  <fpizlo@apple.com>

        JSObject shouldn't do index masking
        https://bugs.webkit.org/show_bug.cgi?id=184194

        Reviewed by Yusuke Suzuki.

        Remove index masking, because it's not the way we'll mitigate Spectre.

        * API/tests/JSObjectGetProxyTargetTest.cpp:
        (testJSObjectGetProxyTarget):
        * b3/B3LowerToAir.cpp:
        * b3/B3Validate.cpp:
        * b3/B3WasmBoundsCheckValue.cpp:
        (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
        (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
        * b3/B3WasmBoundsCheckValue.h:
        (JSC::B3::WasmBoundsCheckValue::bounds const):
        (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): Deleted.
        * b3/testb3.cpp:
        (JSC::B3::testWasmBoundsCheck):
        (JSC::B3::run):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::handleNode):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileNewRegexp):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        (JSC::DFG::SpeculativeJIT::compileNewObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Butterfly.h:
        (JSC::ContiguousData::at const):
        (JSC::ContiguousData::at):
        (JSC::Butterfly::computeIndexingMask const): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::ContiguousData<T>::at const): Deleted.
        (JSC::ContiguousData<T>::at): Deleted.
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSFixedArray.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
2046         (JSC::JSObject::createInitialDouble):
2047         (JSC::JSObject::createInitialContiguous):
2048         (JSC::JSObject::createArrayStorage):
2049         (JSC::JSObject::convertUndecidedToInt32):
2050         (JSC::JSObject::convertUndecidedToDouble):
2051         (JSC::JSObject::convertUndecidedToContiguous):
2052         (JSC::JSObject::convertUndecidedToArrayStorage):
2053         (JSC::JSObject::convertInt32ToDouble):
2054         (JSC::JSObject::convertInt32ToArrayStorage):
2055         (JSC::JSObject::convertDoubleToContiguous):
2056         (JSC::JSObject::convertDoubleToArrayStorage):
2057         (JSC::JSObject::convertContiguousToArrayStorage):
2058         (JSC::JSObject::createInitialForValueAndSet):
2059         (JSC::JSObject::deletePropertyByIndex):
2060         (JSC::JSObject::getOwnPropertyNames):
2061         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2062         (JSC::JSObject::countElements):
2063         (JSC::JSObject::increaseVectorLength):
2064         (JSC::JSObject::ensureLengthSlow):
2065         (JSC::JSObject::reallocateAndShrinkButterfly):
2066         (JSC::JSObject::getEnumerableLength):
2067         * runtime/JSObject.h:
2068         (JSC::JSObject::canGetIndexQuickly):
2069         (JSC::JSObject::getIndexQuickly):
2070         (JSC::JSObject::tryGetIndexQuickly const):
2071         (JSC::JSObject::setIndexQuickly):
2072         (JSC::JSObject::initializeIndex):
2073         (JSC::JSObject::initializeIndexWithoutBarrier):
2074         (JSC::JSObject::butterflyOffset):
2075         (JSC::JSObject::setButterfly):
2076         (JSC::JSObject::nukeStructureAndSetButterfly):
2077         (JSC::JSObject::JSObject):
2078         (JSC::JSObject::butterflyIndexingMaskOffset): Deleted.
2079         (JSC::JSObject::butterflyIndexingMask const): Deleted.
2080         (JSC::JSObject::setButterflyWithIndexingMask): Deleted.
2081         * runtime/JSObjectInlines.h:
2082         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2083         (JSC::JSObject::putDirectInternal):
2084         * runtime/RegExpMatchesArray.h:
2085         (JSC::tryCreateUninitializedRegExpMatchesArray):
2086         * runtime/Structure.cpp:
2087         (JSC::Structure::flattenDictionaryStructure):
2088         * wasm/WasmB3IRGenerator.cpp:
2089         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2090         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2091         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2092         (JSC::Wasm::B3IRGenerator::load):
2093         (JSC::Wasm::B3IRGenerator::store):
2094         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2095         * wasm/WasmBinding.cpp:
2096         (JSC::Wasm::wasmToWasm):
2097         * wasm/WasmInstance.h:
2098         (JSC::Wasm::Instance::updateCachedMemory):
2099         (JSC::Wasm::Instance::offsetOfCachedMemorySize):
2100         (JSC::Wasm::Instance::offsetOfCachedIndexingMask): Deleted.
2101         * wasm/WasmMemory.cpp:
2102         (JSC::Wasm::Memory::Memory):
2103         (JSC::Wasm::Memory::grow):
2104         * wasm/WasmMemory.h:
2105         (JSC::Wasm::Memory::size const):
2106         (JSC::Wasm::Memory::offsetOfSize):
2107         (JSC::Wasm::Memory::indexingMask): Deleted.
2108         (JSC::Wasm::Memory::offsetOfIndexingMask): Deleted.
2109         * wasm/WasmMemoryInformation.cpp:
2110         (JSC::Wasm::PinnedRegisterInfo::get):
2111         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
2112         * wasm/WasmMemoryInformation.h:
2113         (JSC::Wasm::PinnedRegisterInfo::toSave const):
2114         * wasm/js/JSToWasm.cpp:
2115         (JSC::Wasm::createJSToWasmWrapper):
2116
2117 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
2118
2119         JSC crash in JIT code with for-of loop and Array/Set iterators
2120         https://bugs.webkit.org/show_bug.cgi?id=183174
2121
2122         Reviewed by Saam Barati.
2123
2124         * dfg/DFGSafeToExecute.h:
2125         (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.
2126
2127 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
2128
2129         Strings and Vectors shouldn't do index masking
2130         https://bugs.webkit.org/show_bug.cgi?id=184193
2131
2132         Reviewed by Mark Lam.
2133
2134         * dfg/DFGSpeculativeJIT.cpp:
2135         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
2136         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2137         * ftl/FTLAbstractHeapRepository.h:
2138         * ftl/FTLLowerDFGToB3.cpp:
2139         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2140         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2141         * jit/ThunkGenerators.cpp:
2142         (JSC::stringCharLoad):
2143
2144 2018-03-30  Mark Lam  <mark.lam@apple.com>
2145
2146         Add pointer profiling support in baseline JIT and supporting files.
2147         https://bugs.webkit.org/show_bug.cgi?id=184200
2148         <rdar://problem/39057300>
2149
2150         Reviewed by Filip Pizlo.
2151
2152         1. To simplify pointer profiling support, vmEntryToJavaScript() now always enters
2153            the code via the arity check entry.
2154         2. To accommodate (1), all JITCode must now populate their arity check entry code
2155            pointers as well.  For native code, programs, evals, and modules that don't
2156            do arity check, we set the normal entry as the arity check entry (though with
2157            the CodeEntryWithArityCheckPtrTag profile instead).
2158
2159         * assembler/AbstractMacroAssembler.h:
2160         * assembler/LinkBuffer.h:
2161         (JSC::LinkBuffer::locationOfNearCall):
2162         * assembler/MacroAssemblerARM64.h:
2163         (JSC::MacroAssemblerARM64::readCallTarget):
2164         (JSC::MacroAssemblerARM64::linkCall):
2165         * bytecode/AccessCase.cpp:
2166         (JSC::AccessCase::generateImpl):
2167         * bytecode/AccessCaseSnippetParams.cpp:
2168         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
2169         * bytecode/CodeBlock.cpp:
2170         (JSC::CodeBlock::addJITAddIC):
2171         (JSC::CodeBlock::addJITMulIC):
2172         (JSC::CodeBlock::addJITSubIC):
2173         (JSC::CodeBlock::addJITNegIC):
2174         * bytecode/CodeBlock.h:
2175         (JSC::CodeBlock::addMathIC):
2176         * bytecode/InlineAccess.cpp:
2177         (JSC::InlineAccess::rewireStubAsJump):
2178         * bytecode/LLIntCallLinkInfo.h:
2179         (JSC::LLIntCallLinkInfo::unlink):
2180         (): Deleted.
2181         * bytecode/PolymorphicAccess.cpp:
2182         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2183         (JSC::PolymorphicAccess::regenerate):
2184         * dfg/DFGJITFinalizer.cpp:
2185         (JSC::DFG::JITFinalizer::finalize):
2186         (JSC::DFG::JITFinalizer::finalizeFunction):
2187         * dfg/DFGSpeculativeJIT.cpp:
2188         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2189         (JSC::DFG::SpeculativeJIT::compileArithSub):
2190         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2191         (JSC::DFG::SpeculativeJIT::compileArithMul):
2192         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2193         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2194         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
2195         * disassembler/ARM64Disassembler.cpp:
2196         (JSC::tryToDisassemble):
2197         * ftl/FTLJITFinalizer.cpp:
2198         (JSC::FTL::JITFinalizer::finalizeCommon):
2199         * ftl/FTLLowerDFGToB3.cpp:
2200         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2201         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
2202         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
2203         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2204         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
2205         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2206         * heap/JITStubRoutineSet.h:
2207         (JSC::JITStubRoutineSet::mark):
2208         * jit/AssemblyHelpers.cpp:
2209         (JSC::AssemblyHelpers::callExceptionFuzz):
2210         (JSC::AssemblyHelpers::debugCall):
2211         * jit/AssemblyHelpers.h:
2212         (JSC::AssemblyHelpers::emitFunctionPrologue):
2213         * jit/CCallHelpers.cpp:
2214         (JSC::CCallHelpers::ensureShadowChickenPacket):
2215         * jit/CCallHelpers.h:
2216         (JSC::CCallHelpers::prepareForTailCallSlow):
2217         * jit/CallFrameShuffler.cpp:
2218         (JSC::CallFrameShuffler::prepareForTailCall):
2219         * jit/ExecutableAllocator.cpp:
2220         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2221         * jit/ExecutableAllocator.h:
2222         (JSC::performJITMemcpy):
2223         * jit/JIT.cpp:
2224         (JSC::JIT::compileWithoutLinking):
2225         (JSC::JIT::link):
2226         * jit/JITArithmetic.cpp:
2227         (JSC::JIT::emit_op_negate):
2228         (JSC::JIT::emit_op_add):
2229         (JSC::JIT::emitMathICFast):
2230         (JSC::JIT::emitMathICSlow):
2231         (JSC::JIT::emit_op_mul):
2232         (JSC::JIT::emit_op_sub):
2233         * jit/JITCode.cpp:
2234         (JSC::JITCode::execute):
2235         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2236         (JSC::DirectJITCode::DirectJITCode):
2237         (JSC::DirectJITCode::initializeCodeRef):
2238         (JSC::NativeJITCode::addressForCall):
2239         * jit/JITExceptions.cpp:
2240         (JSC::genericUnwind):
2241         * jit/JITMathIC.h:
2242         (JSC::isProfileEmpty):
2243         (JSC::JITBinaryMathIC::JITBinaryMathIC):
2244         (JSC::JITUnaryMathIC::JITUnaryMathIC):
2245         * jit/JITOpcodes.cpp:
2246         (JSC::JIT::emit_op_switch_imm):
2247         (JSC::JIT::emit_op_switch_char):
2248         (JSC::JIT::emit_op_switch_string):
2249         (JSC::JIT::privateCompileHasIndexedProperty):
2250         (JSC::JIT::emitSlow_op_has_indexed_property):
2251         * jit/JITOpcodes32_64.cpp:
2252         (JSC::JIT::privateCompileHasIndexedProperty):
2253         * jit/JITOperations.cpp:
2254         (JSC::getByVal):
2255         (JSC::tryGetByValOptimize):
2256         * jit/JITPropertyAccess.cpp:
2257         (JSC::JIT::stringGetByValStubGenerator):
2258         (JSC::JIT::emitGetByValWithCachedId):
2259         (JSC::JIT::emitSlow_op_get_by_val):
2260         (JSC::JIT::emitPutByValWithCachedId):
2261         (JSC::JIT::emitSlow_op_put_by_val):
2262         (JSC::JIT::emitSlow_op_try_get_by_id):
2263         (JSC::JIT::emitSlow_op_get_by_id):
2264         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2265         (JSC::JIT::emitSlow_op_put_by_id):
2266         (JSC::JIT::privateCompileGetByVal):
2267         (JSC::JIT::privateCompileGetByValWithCachedId):
2268         (JSC::JIT::privateCompilePutByVal):
2269         (JSC::JIT::privateCompilePutByValWithCachedId):
2270         * jit/JITThunks.cpp:
2271         (JSC::JITThunks::hostFunctionStub):
2272         * jit/Repatch.cpp:
2273         (JSC::tryCacheGetByID):
2274         (JSC::repatchGetByID):
2275         (JSC::appropriateOptimizingPutByIdFunction):
2276         (JSC::tryCachePutByID):
2277         (JSC::repatchPutByID):
2278         (JSC::linkFor):
2279         (JSC::revertCall):
2280         (JSC::linkPolymorphicCall):
2281         (JSC::resetGetByID):
2282         (JSC::resetPutByID):
2283         * jit/Repatch.h:
2284         * jit/SpecializedThunkJIT.h:
2285         (JSC::SpecializedThunkJIT::finalize):
2286         (JSC::SpecializedThunkJIT::callDoubleToDouble):
2287         * jit/ThunkGenerators.cpp:
2288         (JSC::emitPointerValidation):
2289         (JSC::throwExceptionFromCallSlowPathGenerator):
2290         (JSC::slowPathFor):
2291         (JSC::linkCallThunkGenerator): Deleted.
2292         (JSC::linkPolymorphicCallThunkGenerator): Deleted.
2293         (JSC::virtualThunkFor): Deleted.
2294         (JSC::nativeForGenerator): Deleted.
2295         (JSC::nativeCallGenerator): Deleted.
2296         (JSC::nativeTailCallGenerator): Deleted.
2297         (JSC::nativeTailCallWithoutSavedTagsGenerator): Deleted.
2298         (JSC::nativeConstructGenerator): Deleted.
2299         (JSC::internalFunctionCallGenerator): Deleted.
2300         (JSC::internalFunctionConstructGenerator): Deleted.
2301         (JSC::arityFixupGenerator): Deleted.
2302         (JSC::unreachableGenerator): Deleted.
2303         (JSC::stringCharLoad): Deleted.
2304         (JSC::charToString): Deleted.
2305         (JSC::charCodeAtThunkGenerator): Deleted.
2306         (JSC::charAtThunkGenerator): Deleted.
2307         (JSC::fromCharCodeThunkGenerator): Deleted.
2308         (JSC::clz32ThunkGenerator): Deleted.
2309         (JSC::sqrtThunkGenerator): Deleted.
2310         (JSC::floorThunkGenerator): Deleted.
2311         (JSC::ceilThunkGenerator): Deleted.
2312         (JSC::truncThunkGenerator): Deleted.
2313         (JSC::roundThunkGenerator): Deleted.
2314         (JSC::expThunkGenerator): Deleted.
2315         (JSC::logThunkGenerator): Deleted.
2316         (JSC::absThunkGenerator): Deleted.
2317         (JSC::imulThunkGenerator): Deleted.
2318         (JSC::randomThunkGenerator): Deleted.
2319         (JSC::boundThisNoArgsFunctionCallGenerator): Deleted.
2320         * llint/LLIntData.cpp:
2321         (JSC::LLInt::initialize):
2322         * llint/LLIntData.h:
2323         (JSC::LLInt::getCodePtr):
2324         * llint/LLIntEntrypoint.cpp:
2325         (JSC::LLInt::setEvalEntrypoint):
2326         (JSC::LLInt::setProgramEntrypoint):
2327         (JSC::LLInt::setModuleProgramEntrypoint):
2328         * llint/LLIntSlowPaths.cpp:
2329         (JSC::LLInt::setUpCall):
2330         * llint/LLIntThunks.cpp:
2331         (JSC::LLInt::generateThunkWithJumpTo):
2332         * llint/LowLevelInterpreter.asm:
2333         * llint/LowLevelInterpreter32_64.asm:
2334         * llint/LowLevelInterpreter64.asm:
2335         * runtime/ExecutableBase.h:
2336         * runtime/NativeExecutable.cpp:
2337         (JSC::NativeExecutable::finishCreation):
2338         * runtime/NativeFunction.h:
2339         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2340         (JSC::TaggedNativeFunction::operator NativeFunction):
2341         * runtime/PropertySlot.h:
2342         (JSC::PropertySlot::setCustom):
2343         (JSC::PropertySlot::setCacheableCustom):
2344         * runtime/PtrTag.h:
2345         * runtime/PutPropertySlot.h:
2346         (JSC::PutPropertySlot::setCustomValue):
2347         (JSC::PutPropertySlot::setCustomAccessor):
2348         * runtime/SamplingProfiler.cpp:
2349         (JSC::SamplingProfiler::takeSample):
2350         * runtime/VMTraps.cpp:
2351         (JSC::SignalContext::SignalContext):
2352         (JSC::VMTraps::tryInstallTrapBreakpoints):
2353         * tools/SigillCrashAnalyzer.cpp:
2354         (JSC::installCrashHandler):
2355         * yarr/YarrJIT.cpp:
2356         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
2357         (JSC::Yarr::YarrGenerator::generateEnter):
2358
2359 2018-03-30  Devin Rousso  <webkit@devinrousso.com>
2360
2361         Web Inspector: tint all pixels drawn by shader program when hovering ShaderProgramTreeElement
2362         https://bugs.webkit.org/show_bug.cgi?id=175223
2363
2364         Reviewed by Matt Baker.
2365
2366         * inspector/protocol/Canvas.json:
2367         Add `setShaderProgramHighlighted` command that will cause a blend to be applied to the
2368         canvas if the given shader program is active immediately before `drawArrays` or `drawElements`
2369         is called. The blend is removed and the previous value is applied once the draw is complete.
2370
2371 2018-03-30  JF Bastien  <jfbastien@apple.com>
2372
2373         WebAssembly: support DataView compilation
2374         https://bugs.webkit.org/show_bug.cgi?id=183342
2375
2376         Reviewed by Mark Lam.
2377
2378         Compiling a module from a DataView was incorrectly dealing with
2379         DataView's offset.
2380
2381         * wasm/WasmModuleParser.cpp:
2382         (JSC::Wasm::ModuleParser::parse):
2383         * wasm/js/JSWebAssemblyHelpers.h:
2384         (JSC::getWasmBufferFromValue):
2385         (JSC::createSourceBufferFromValue):
2386         * wasm/js/WebAssemblyPrototype.cpp:
2387         (JSC::webAssemblyValidateFunc):
2388
2389 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
2390
2391         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
2392         https://bugs.webkit.org/show_bug.cgi?id=184189
2393
2394         Reviewed by JF Bastien.
2395
2396         * bytecompiler/NodesCodegen.cpp:
2397         (JSC::ResolveNode::emitBytecode):
2398
2399 2018-03-30  Mark Lam  <mark.lam@apple.com>
2400
2401         Add pointer profiling support to Wasm.
2402         https://bugs.webkit.org/show_bug.cgi?id=184175
2403         <rdar://problem/39027923>
2404
2405         Reviewed by JF Bastien.
2406
2407         * runtime/PtrTag.h:
2408         * wasm/WasmB3IRGenerator.cpp:
2409         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2410         (JSC::Wasm::B3IRGenerator::addCall):
2411         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2412         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
2413         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
2414         * wasm/WasmBBQPlan.cpp:
2415         (JSC::Wasm::BBQPlan::prepare):
2416         (JSC::Wasm::BBQPlan::complete):
2417         * wasm/WasmBinding.cpp:
2418         (JSC::Wasm::wasmToWasm):
2419         * wasm/WasmBinding.h:
2420         * wasm/WasmFaultSignalHandler.cpp:
2421         (JSC::Wasm::trapHandler):
2422         * wasm/WasmOMGPlan.cpp:
2423         (JSC::Wasm::OMGPlan::work):
2424         * wasm/WasmThunks.cpp:
2425         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2426         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2427         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2428         * wasm/js/WasmToJS.cpp:
2429         (JSC::Wasm::handleBadI64Use):
2430         (JSC::Wasm::wasmToJS):
2431         * wasm/js/WebAssemblyFunction.cpp:
2432         (JSC::callWebAssemblyFunction):
2433         * wasm/js/WebAssemblyFunction.h:
2434
2435 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
2436
2437         Unreviewed, rolling out r230102.
2438
2439         Caused assertion failures on JSC bots.
2440
2441         Reverted changeset:
2442
2443         "A stack overflow in the parsing of a builtin (called by
2444         createExecutable) causes a crash instead of a catchable js
2445         exception"
2446         https://bugs.webkit.org/show_bug.cgi?id=184074
2447         https://trac.webkit.org/changeset/230102
2448
2449 2018-03-30  Robin Morisset  <rmorisset@apple.com>
2450
2451         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
2452         https://bugs.webkit.org/show_bug.cgi?id=183812
2453
2454         Reviewed by Keith Miller.
2455
2456         The fix I landed for https://bugs.webkit.org/show_bug.cgi?id=181027 was flawed: I tried setting the bytecodeIndex for the new block on line 1679 (at the end of inlineCall), but it is going to be reset on line 6612 (in parseCodeBlock).
2457         The fix is simply to make the block untargetable by default, and let parseCodeBlock make it targetable afterwards if it is a jump target.
2458
2459         * dfg/DFGByteCodeParser.cpp:
2460         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
2461         (JSC::DFG::ByteCodeParser::inlineCall):
2462
2463 2018-03-30  Robin Morisset  <rmorisset@apple.com>
2464
2465         A stack overflow in the parsing of a builtin (called by createExecutable) causes a crash instead of a catchable js exception
2466         https://bugs.webkit.org/show_bug.cgi?id=184074
2467         <rdar://problem/37165897>
2468
2469         Reviewed by Keith Miller.
2470
2471         Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place.
2472         It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError.
2473         Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts.
2474         As a result, this patch is grotesquely large, while all it does is add enough plumbing to throw a proper exception in this specific case.
2475
2476         There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow.
2477         If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too.
2478
2479         Two other minor changes:
2480         - I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead.
2481         - I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places.
2482
2483         * JavaScriptCore.xcodeproj/project.pbxproj:
2484         * Scripts/builtins/builtins_generate_combined_header.py:
2485         (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
2486         (ParserError):
2487         (generate_section_for_object): Deleted.
2488         (generate_externs_for_object): Deleted.
2489         (generate_macros_for_object): Deleted.
2490         (generate_section_for_code_table_macro): Deleted.
2491         (generate_section_for_code_name_macro): Deleted.
2492         (generate_section_for_global_private_code_name_macro): Deleted.
2493         * Scripts/builtins/builtins_generate_separate_header.py:
2494         (generate_secondary_header_includes):
2495         * Scripts/builtins/builtins_templates.py:
2496         * Sources.txt:
2497         * builtins/BuiltinExecutableCreator.cpp: Removed.
2498         * builtins/BuiltinExecutableCreator.h: Removed.
2499         * builtins/BuiltinExecutables.cpp:
2500         (JSC::BuiltinExecutables::createDefaultConstructor):
2501         (JSC::BuiltinExecutables::createBuiltinExecutable):
2502         (JSC::createBuiltinExecutable):
2503         (JSC::BuiltinExecutables::createExecutableOrCrash):
2504         (JSC::BuiltinExecutables::createExecutable):
2505         * builtins/BuiltinExecutables.h:
2506         * bytecompiler/BytecodeGenerator.h:
2507         * parser/ParserError.cpp: Added.
2508         (JSC::ParserError::toErrorObject):
2509         (JSC::ParserError::throwStackOverflowOrOutOfMemory):
2510         (WTF::printInternal):
2511         * parser/ParserError.h:
2512         (JSC::ParserError::toErrorObject): Deleted.
2513         (WTF::printInternal): Deleted.
2514         * runtime/AsyncIteratorPrototype.cpp:
2515         (JSC::AsyncIteratorPrototype::finishCreation):
2516         * runtime/FunctionPrototype.cpp:
2517         (JSC::FunctionPrototype::addFunctionProperties):
2518         * runtime/JSGlobalObject.cpp:
2519         (JSC::JSGlobalObject::init):
2520         * runtime/JSObject.cpp:
2521         (JSC::JSObject::getOwnStaticPropertySlot):
2522         (JSC::JSObject::reifyAllStaticProperties):
2523         * runtime/JSObject.h:
2524         (JSC::JSObject::getOwnNonIndexPropertySlot):
2525         (JSC::JSObject::getOwnPropertySlot):
2526         (JSC::JSObject::getPropertySlot):
2527         * runtime/JSObjectInlines.h:
2528         (JSC::JSObject::getNonIndexPropertySlot):
2529         * runtime/JSTypedArrayViewPrototype.cpp:
2530         (JSC::JSTypedArrayViewPrototype::finishCreation):
2531         * runtime/Lookup.cpp:
2532         (JSC::reifyStaticAccessor):
2533         (JSC::setUpStaticFunctionSlot):
2534         * runtime/Lookup.h:
2535         (JSC::getStaticPropertySlotFromTable):
2536         (JSC::reifyStaticProperty):
2537         * runtime/MapPrototype.cpp:
2538         (JSC::MapPrototype::finishCreation):
2539         * runtime/SetPrototype.cpp:
2540         (JSC::SetPrototype::finishCreation):
2541         * tools/JSDollarVM.cpp:
2542         (JSC::functionCreateBuiltin):
2543
2544 2018-03-30  Robin Morisset  <rmorisset@apple.com>
2545
2546         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
2547         https://bugs.webkit.org/show_bug.cgi?id=183657
2548         <rdar://problem/38464399>
2549
2550         Reviewed by Keith Miller.
2551
2552         There was just a missing check in unshiftCountForIndexingType.
2553         I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path',
2554         and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp).
2555         Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk.
2556
2557         * runtime/ArrayPrototype.cpp:
2558         (JSC::unshift):
2559         * runtime/JSArray.cpp:
2560         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2561         * runtime/JSObject.h:
2562         (JSC::JSObject::ensureLength):
2563
2564 2018-03-29  Mark Lam  <mark.lam@apple.com>
2565
2566         Add some pointer profiling support to B3 and Air.
2567         https://bugs.webkit.org/show_bug.cgi?id=184165
2568         <rdar://problem/39022125>
2569
2570         Reviewed by JF Bastien.
2571
2572         * b3/B3LowerMacros.cpp:
2573         * b3/B3LowerMacrosAfterOptimizations.cpp:
2574         * b3/B3MathExtras.cpp:
2575         * b3/B3ReduceStrength.cpp:
2576         * b3/air/AirCCallSpecial.cpp:
2577         (JSC::B3::Air::CCallSpecial::generate):
2578         * b3/air/AirCCallSpecial.h:
2579         * b3/testb3.cpp:
2580         (JSC::B3::testCallSimple):
2581         (JSC::B3::testCallRare):
2582         (JSC::B3::testCallRareLive):
2583         (JSC::B3::testCallSimplePure):
2584         (JSC::B3::testCallFunctionWithHellaArguments):
2585         (JSC::B3::testCallFunctionWithHellaArguments2):
2586         (JSC::B3::testCallFunctionWithHellaArguments3):
2587         (JSC::B3::testCallSimpleDouble):
2588         (JSC::B3::testCallSimpleFloat):
2589         (JSC::B3::testCallFunctionWithHellaDoubleArguments):
2590         (JSC::B3::testCallFunctionWithHellaFloatArguments):
2591         (JSC::B3::testLinearScanWithCalleeOnStack):
2592         (JSC::B3::testInterpreter):
2593         (JSC::B3::testLICMPure):
2594         (JSC::B3::testLICMPureSideExits):
2595         (JSC::B3::testLICMPureWritesPinned):
2596         (JSC::B3::testLICMPureWrites):
2597         (JSC::B3::testLICMReadsLocalState):
2598         (JSC::B3::testLICMReadsPinned):
2599         (JSC::B3::testLICMReads):
2600         (JSC::B3::testLICMPureNotBackwardsDominant):
2601         (JSC::B3::testLICMPureFoiledByChild):
2602         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
2603         (JSC::B3::testLICMExitsSideways):
2604         (JSC::B3::testLICMWritesLocalState):
2605         (JSC::B3::testLICMWrites):
2606         (JSC::B3::testLICMFence):
2607         (JSC::B3::testLICMWritesPinned):
2608         (JSC::B3::testLICMControlDependent):
2609         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
2610         (JSC::B3::testLICMControlDependentSideExits):
2611         (JSC::B3::testLICMReadsPinnedWritesPinned):
2612         (JSC::B3::testLICMReadsWritesDifferentHeaps):
2613         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
2614         (JSC::B3::testLICMDefaultCall):
2615         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
2616         * ftl/FTLLowerDFGToB3.cpp:
2617         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2618         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2619         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2620         * jit/GPRInfo.h:
2621         * runtime/PtrTag.h:
2622         * wasm/WasmBinding.cpp:
2623         (JSC::Wasm::wasmToWasm):
2624
2625 2018-03-29  JF Bastien  <jfbastien@apple.com>
2626
2627         Use Forward.h instead of forward-declaring WTF::String
2628         https://bugs.webkit.org/show_bug.cgi?id=184172
2629         <rdar://problem/39026146>
2630
2631         Reviewed by Yusuke Suzuki.
2632
2633         As part of #184164 I'm changing WTF::String, and the forward
2634         declarations are just wrong because I'm making it templated. We
2635         should use Forward.h anyways, so do that instead.
2636
2637         * runtime/DateConversion.h:
2638
2639 2018-03-29  Mark Lam  <mark.lam@apple.com>
2640
2641         Use MacroAssemblerCodePtr in Wasm code for code pointers instead of void*.
2642         https://bugs.webkit.org/show_bug.cgi?id=184163
2643         <rdar://problem/39020397>
2644
2645         Reviewed by JF Bastien.
2646
2647         With the use of MacroAssemblerCodePtr, we now get poisoning for Wasm code pointers.
2648
2649         Also renamed some structs, methods, and variable names to be more accurate.
2650         Previously, there was some confusion between a code pointer and the address of a
2651         code pointer (sometimes referred to in the code as a "LoadLocation").  We now name
2652         the LoadLocation variables appropriately to distinguish them from code pointers.
2653
2654         * wasm/WasmB3IRGenerator.cpp:
2655         (JSC::Wasm::B3IRGenerator::addCall):
2656         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2657         * wasm/WasmBinding.cpp:
2658         (JSC::Wasm::wasmToWasm):
2659         * wasm/WasmCodeBlock.cpp:
2660         (JSC::Wasm::CodeBlock::CodeBlock):
2661         * wasm/WasmCodeBlock.h:
2662         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
2663         (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
2664         * wasm/WasmFormat.h:
2665         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction):
2666         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation):
2667         (JSC::Wasm::CallableFunction::CallableFunction): Deleted.
2668         (JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
2669         * wasm/WasmInstance.h:
2670         (JSC::Wasm::Instance::offsetOfWasmEntrypointLoadLocation):
2671         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStub):
2672         (JSC::Wasm::Instance::offsetOfWasmEntrypoint): Deleted.
2673         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
2674         * wasm/WasmOMGPlan.cpp:
2675         (JSC::Wasm::OMGPlan::work):
2676         * wasm/WasmTable.cpp:
2677         (JSC::Wasm::Table::Table):
2678         (JSC::Wasm::Table::grow):
2679         (JSC::Wasm::Table::clearFunction):
2680         (JSC::Wasm::Table::setFunction):
2681         * wasm/WasmTable.h:
2682         (JSC::Wasm::Table::offsetOfFunctions):
2683         * wasm/js/JSWebAssemblyCodeBlock.h:
2684         * wasm/js/JSWebAssemblyInstance.cpp:
2685         (JSC::JSWebAssemblyInstance::finalizeCreation):
2686         (JSC::JSWebAssemblyInstance::create):
2687         * wasm/js/JSWebAssemblyTable.cpp:
2688         (JSC::JSWebAssemblyTable::setFunction):
2689         * wasm/js/WebAssemblyFunction.cpp:
2690         (JSC::WebAssemblyFunction::create):
2691         (JSC::WebAssemblyFunction::WebAssemblyFunction):
2692         * wasm/js/WebAssemblyFunction.h:
2693         * wasm/js/WebAssemblyModuleRecord.cpp:
2694         (JSC::WebAssemblyModuleRecord::link):
2695         (JSC::WebAssemblyModuleRecord::evaluate):
2696         * wasm/js/WebAssemblyWrapperFunction.cpp:
2697         (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
2698         (JSC::WebAssemblyWrapperFunction::create):
2699         * wasm/js/WebAssemblyWrapperFunction.h:
2700
2701 2018-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2702
2703         Remove WTF_EXPORTDATA and JS_EXPORTDATA
2704         https://bugs.webkit.org/show_bug.cgi?id=184170
2705
2706         Reviewed by JF Bastien.
2707
2708         Replace WTF_EXPORTDATA and JS_EXPORTDATA with
2709         WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE respectively.
2710
2711         * heap/WriteBarrierSupport.h:
2712         * jit/ExecutableAllocator.cpp:
2713         * jit/ExecutableAllocator.h:
2714         * runtime/JSCPoison.h:
2715         * runtime/JSCell.h:
2716         * runtime/JSExportMacros.h:
2717         * runtime/JSGlobalObject.h:
2718         * runtime/JSObject.h:
2719         * runtime/Options.h:
2720         * runtime/PropertyDescriptor.h:
2721         * runtime/PropertyMapHashTable.h:
2722         * runtime/SamplingCounter.h:
2723
2724 2018-03-29  Ross Kirsling  <ross.kirsling@sony.com>
2725
2726         MSVC __forceinline slows down JSC release build fivefold after r229391
2727         https://bugs.webkit.org/show_bug.cgi?id=184062
2728
2729         Reviewed by Alex Christensen.
2730
2731         * jit/CCallHelpers.h:
2732         (JSC::CCallHelpers::marshallArgumentRegister):
2733         Exempt MSVC from a single forced inline used within recursive templates.
2734
2735 2018-03-29  Keith Miller  <keith_miller@apple.com>
2736
2737         ArrayMode should not try to get the DFG to think it can convert TypedArrays
2738         https://bugs.webkit.org/show_bug.cgi?id=184137
2739
2740         Reviewed by Saam Barati.
2741
2742         * dfg/DFGArrayMode.cpp:
2743         (JSC::DFG::ArrayMode::fromObserved):
2744
2745 2018-03-29  Commit Queue  <commit-queue@webkit.org>
2746
2747         Unreviewed, rolling out r230062.
2748         https://bugs.webkit.org/show_bug.cgi?id=184128
2749
2750         Broke mac port. web content process crashes while loading any
2751         web page (Requested by rniwa on #webkit).
2752
2753         Reverted changeset:
2754
2755         "MSVC __forceinline slows down JSC release build fivefold
2756         after r229391"
2757         https://bugs.webkit.org/show_bug.cgi?id=184062
2758         https://trac.webkit.org/changeset/230062
2759
2760 2018-03-28  Ross Kirsling  <ross.kirsling@sony.com>
2761
2762         MSVC __forceinline slows down JSC release build fivefold after r229391
2763         https://bugs.webkit.org/show_bug.cgi?id=184062
2764
2765         Reviewed by Alex Christensen.
2766
2767         * jit/CCallHelpers.h:
2768         (JSC::CCallHelpers::marshallArgumentRegister):
2769         Exempt MSVC from a single forced inline used within recursive templates.
2770
2771 2018-03-28  Mark Lam  <mark.lam@apple.com>
2772
2773         Enhance ARM64 probe to support pointer profiling.
2774         https://bugs.webkit.org/show_bug.cgi?id=184069
2775         <rdar://problem/38939879>
2776
2777         Reviewed by JF Bastien.
2778
2779         * assembler/MacroAssemblerARM64.cpp:
2780         (JSC::MacroAssembler::probe):
2781         * assembler/MacroAssemblerX86Common.h:
2782         (JSC::MacroAssemblerX86Common::popPair):
2783         (JSC::MacroAssemblerX86Common::pushPair):
2784         * assembler/testmasm.cpp:
2785         (JSC::testProbeReadsArgumentRegisters):
2786         (JSC::testProbeWritesArgumentRegisters):
2787         * runtime/PtrTag.h:
2788         (JSC::tagForPtr):
2789
2790 2018-03-28  Robin Morisset  <rmorisset@apple.com>
2791
2792         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
2793         https://bugs.webkit.org/show_bug.cgi?id=183894
2794
2795         Reviewed by Saam Barati.
2796
2797         Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
2798
2799         * runtime/JSONObject.cpp:
2800         (JSC::Stringifier::appendStringifiedValue):
2801
2802 2018-03-28  Carlos Garcia Campos  <cgarcia@igalia.com>
2803
2804         [JSC] Move WeakValueRef class to its own file and use it from Objc and GLib
2805         https://bugs.webkit.org/show_bug.cgi?id=184073
2806
2807         Reviewed by Yusuke Suzuki.
2808
2809         We currently have duplicated code in the ObjC and GLib implementations.
2810
2811         * API/JSManagedValue.mm:
2812         (managedValueHandleOwner):
2813         (-[JSManagedValue initWithValue:]):
2814         * API/JSWeakValue.cpp: Added.
2815         (JSC::JSWeakValue::~JSWeakValue):
2816         (JSC::JSWeakValue::clear):
2817         (JSC::JSWeakValue::isClear const):
2818         (JSC::JSWeakValue::setPrimitive):
2819         (JSC::JSWeakValue::setObject):
2820         (JSC::JSWeakValue::setString):
2821         * API/JSWeakValue.h: Added.
2822         (JSC::JSWeakValue::isSet const):
2823         (JSC::JSWeakValue::isPrimitive const):
2824         (JSC::JSWeakValue::isObject const):
2825         (JSC::JSWeakValue::isString const):
2826         (JSC::JSWeakValue::object const):
2827         (JSC::JSWeakValue::primitive const):
2828         (JSC::JSWeakValue::string const):
2829         * API/glib/JSCWeakValue.cpp:
2830         * JavaScriptCore.xcodeproj/project.pbxproj:
2831         * Sources.txt:
2832
2833 2018-03-27  Carlos Garcia Campos  <cgarcia@igalia.com>
2834
2835         [GLIB] Add JSCWeakValue to JavaScriptCore GLib API
2836         https://bugs.webkit.org/show_bug.cgi?id=184041
2837
2838         Reviewed by Michael Catanzaro.
2839
2840         This allows keeping a reference to a JavaScript value without protecting it, and without holding a strong
2841         reference to the context. When the value is cleared, the JSCWeakValue::cleared signal is emitted and
2842         jsc_weak_value_get_value() will always return nullptr.
2843
2844         * API/glib/JSCWeakValue.cpp: Added.
2845         (WeakValueRef::~WeakValueRef):
2846         (WeakValueRef::clear):
2847         (WeakValueRef::isClear const):
2848         (WeakValueRef::isSet const):
2849         (WeakValueRef::isPrimitive const):
2850         (WeakValueRef::isObject const):
2851         (WeakValueRef::isString const):
2852         (WeakValueRef::setPrimitive):
2853         (WeakValueRef::setObject):
2854         (WeakValueRef::setString):
2855         (WeakValueRef::object const):
2856         (WeakValueRef::primitive const):
2857         (WeakValueRef::string const):
2858         (weakValueHandleOwner):
2859         (jscWeakValueInitialize):
2860         (jscWeakValueSetProperty):
2861         (jscWeakValueDispose):
2862         (jsc_weak_value_class_init):
2863         (jsc_weak_value_new):
2864         (jsc_weak_value_get_value):
2865         * API/glib/JSCWeakValue.h: Added.
2866         * API/glib/docs/jsc-glib-4.0-sections.txt:
2867         * API/glib/docs/jsc-glib-docs.sgml:
2868         * API/glib/jsc.h:
2869         * GLib.cmake:
2870
2871 2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2872
2873         [DFG] Remove unnecessary USE(JSVALUE32_64) / USE(JSVALUE64)
2874         https://bugs.webkit.org/show_bug.cgi?id=181292
2875
2876         Reviewed by Saam Barati.
2877
2878         By using JSValueRegs abstraction, we can simplify DFGSpeculativeJIT.cpp code.
2879
2880         * dfg/DFGSpeculativeJIT.cpp:
2881         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2882         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2883         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2884         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2885         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2886         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
2887         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
2888
2889 2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2890
2891         Add Load16Z for B3 and use it in WebAssembly
2892         https://bugs.webkit.org/show_bug.cgi?id=165884
2893
2894         Reviewed by JF Bastien.
2895
2896         We already support Load16Z in B3. Use it for i32.load16_u / i64.load16_u in WebAssembly.
2897         spec-tests/memory.wast.js already covered this change.
2898
2899         * wasm/WasmB3IRGenerator.cpp:
2900         (JSC::Wasm::B3IRGenerator::emitLoadOp):
2901
2902 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2903
2904         [JSC] Remove repeated iteration of ElementNode
2905         https://bugs.webkit.org/show_bug.cgi?id=183987
2906
2907         Reviewed by Keith Miller.
2908
2909         BytecodeGenerator repeatedly iterates ElementNode to emit efficient code.
2910         While it is OK for small arrays, this repeated iteration takes a lot of time
2911         if the array is very large. For example, Kraken's initialization code includes a
2912         very large array of numeric literals. This makes bytecode compiling take very long.
2913
2914         This patch carefully removes unnecessary iteration when emitting arrays.
2915         This reduces one of Kraken/imaging-darkroom's bytecode compiling from 13.169856 ms
2916         to 9.988050 ms.
2917
2918         * bytecompiler/BytecodeGenerator.cpp:
2919         (JSC::BytecodeGenerator::emitNewArrayBuffer):
2920         (JSC::BytecodeGenerator::emitNewArray):
2921         * bytecompiler/BytecodeGenerator.h:
2922         * bytecompiler/NodesCodegen.cpp:
2923         (JSC::ArrayNode::emitBytecode):
2924         (JSC::ArrayPatternNode::bindValue const):
2925         (JSC::ArrayPatternNode::emitDirectBinding):
2926
2927 2018-03-26  Ross Kirsling  <ross.kirsling@sony.com>
2928
2929         JIT callOperation() needs to support operations that return SlowPathReturnType differently on Windows.
2930         https://bugs.webkit.org/show_bug.cgi?id=183655
2931
2932         Reviewed by Keith Miller.
2933
2934         * jit/CCallHelpers.h:
2935         (JSC::CCallHelpers::ArgCollection::argCount):
2936         (JSC::CCallHelpers::marshallArgumentRegister):
2937         (JSC::CCallHelpers::setupArgumentsImpl):
2938         On Win64, ensure that argCount always includes GPRs and FPRs and that counting starts from 1 for SlowPathReturnType.
2939
2940         * jit/JIT.h:
2941         (JSC::JIT::callOperation):
2942         (JSC::JIT::is64BitType):
2943         (JSC::JIT::is64BitType<void>):
2944         On Win64, ensure special call is used for SlowPathReturnType.
2945
2946         * jit/JITOperations.h:
2947         Update changed type.
2948
2949 2018-03-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2950
2951         We should have SSE4 detection in the X86 MacroAssembler.
2952         https://bugs.webkit.org/show_bug.cgi?id=165363
2953
2954         Reviewed by JF Bastien.
2955
2956         This patch adds popcnt support to WASM in the x86_64 environment.
2957         To use it, we refactor our CPUID feature detection in MacroAssemblerX86Common.
2958         Our spec-tests already cover popcnt.
2959
2960         * assembler/MacroAssemblerARM64.h:
2961         (JSC::MacroAssemblerARM64::supportsCountPopulation):
2962         * assembler/MacroAssemblerX86Common.cpp:
2963         (JSC::MacroAssemblerX86Common::getCPUID):
2964         (JSC::MacroAssemblerX86Common::getCPUIDEx):
2965         (JSC::MacroAssemblerX86Common::collectCPUFeatures):
2966         * assembler/MacroAssemblerX86Common.h:
2967         (JSC::MacroAssemblerX86Common::countPopulation32):
2968         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
2969         (JSC::MacroAssemblerX86Common::supportsCountPopulation):
2970         (JSC::MacroAssemblerX86Common::supportsAVX):
2971         (JSC::MacroAssemblerX86Common::supportsLZCNT):
2972         (JSC::MacroAssemblerX86Common::supportsBMI1):
2973         (JSC::MacroAssemblerX86Common::isSSE2Present):
2974         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags): Deleted.
2975         * assembler/MacroAssemblerX86_64.h:
2976         (JSC::MacroAssemblerX86_64::countPopulation64):
2977         * assembler/X86Assembler.h:
2978         (JSC::X86Assembler::popcnt_rr):
2979         (JSC::X86Assembler::popcnt_mr):
2980         (JSC::X86Assembler::popcntq_rr):
2981         (JSC::X86Assembler::popcntq_mr):
2982         * wasm/WasmB3IRGenerator.cpp:
2983         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
2984         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
2985
2986 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
2987
2988         DFG should know that CreateThis can be effectful
2989         https://bugs.webkit.org/show_bug.cgi?id=184013
2990
2991         Reviewed by Saam Barati.
2992
2993         As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this
2994         is a proxy.
2995
2996         * dfg/DFGAbstractInterpreterInlines.h:
2997         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2998         * dfg/DFGClobberize.h:
2999         (JSC::DFG::clobberize):
3000
3001 2018-03-25  Saam Barati  <sbarati@apple.com>
3002
3003         Fix typo in JSC option name
3004         https://bugs.webkit.org/show_bug.cgi?id=184001
3005
3006         Reviewed by Mark Lam.
3007
3008         enableJITDebugAssetions => enableJITDebugAssertions.
3009
3010         * assembler/MacroAssembler.cpp:
3011         (JSC::MacroAssembler::jitAssert):
3012         * runtime/Options.h:
3013
3014 2018-03-25  Saam Barati  <sbarati@apple.com>
3015
3016         r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
3017         https://bugs.webkit.org/show_bug.cgi?id=183995
3018
3019         Reviewed by Filip Pizlo.
3020
3021         The removal of this line of code was unintended and happened during some
3022         refactoring Fil was doing. The consequence of removing this line of code
3023         is that m_emptyCursor became a monotonically increasing integer, leading
3024         the cursor to usually be out of bounds of the block range (depending on
3025         what the program is doing). This made the functionality of finding an empty
3026         block to steal almost always fail.
3027
3028         * heap/BlockDirectory.cpp:
3029         (JSC::BlockDirectory::prepareForAllocation):
3030
3031 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3032
3033         [DFG] Introduces fused compare and jump
3034         https://bugs.webkit.org/show_bug.cgi?id=177100
3035
3036         Reviewed by Mark Lam.
3037
3038         This patch introduces op_jeq, op_jneq, op_jstricteq, and op_jnstricteq.
3039         It offers 3 benefits.
3040
3041         1. They are introduced for the same purpose as op_jless etc. It aligns the
3042         op_eq family with the op_jless family.
3043
3044         2. It reduces the size of the bytecode needed to represent the typical code sequence.
3045
3046         3. It offers a way to fuse the check and jump in DFG code generation. Since
3047         we previously had a MovHint between Branch and CompareEq/CompareStrictEq,
3048         we could not do this optimization. It reduces the machine code size in DFG too.
3049
3050         It slightly improves Octane/boyer.
3051
3052             boyer  6.18038+-0.05002    ^     6.06990+-0.04176       ^ definitely 1.0182x faster
3053
3054         * bytecode/BytecodeDumper.cpp:
3055         (JSC::BytecodeDumper<Block>::dumpBytecode):
3056         * bytecode/BytecodeList.json:
3057         * bytecode/BytecodeUseDef.h:
3058         (JSC::computeUsesForBytecodeOffset):
3059         (JSC::computeDefsForBytecodeOffset):
3060         * bytecode/Opcode.h:
3061         (JSC::isBranch):
3062         * bytecode/PreciseJumpTargetsInlines.h:
3063         (JSC::extractStoredJumpTargetsForBytecodeOffset):
3064         * bytecompiler/BytecodeGenerator.cpp:
3065         (JSC::BytecodeGenerator::emitJumpIfTrue):
3066         (JSC::BytecodeGenerator::emitJumpIfFalse):
3067         * dfg/DFGByteCodeParser.cpp:
3068         (JSC::DFG::ByteCodeParser::parseBlock):
3069         * dfg/DFGCapabilities.cpp:
3070         (JSC::DFG::capabilityLevel):
3071         * dfg/DFGOperations.cpp:
3072         * dfg/DFGOperations.h:
3073         * dfg/DFGSpeculativeJIT.cpp:
3074         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3075         * jit/JIT.cpp:
3076         (JSC::JIT::privateCompileMainPass):
3077         (JSC::JIT::privateCompileSlowCases):
3078         * jit/JIT.h:
3079         * jit/JITOpcodes.cpp:
3080         (JSC::JIT::emit_op_jeq):
3081         (JSC::JIT::emit_op_neq):
3082         (JSC::JIT::emit_op_jneq):
3083         (JSC::JIT::compileOpStrictEq):
3084         (JSC::JIT::emit_op_stricteq):
3085         (JSC::JIT::emit_op_nstricteq):
3086         (JSC::JIT::compileOpStrictEqJump):
3087         (JSC::JIT::emit_op_jstricteq):
3088         (JSC::JIT::emit_op_jnstricteq):
3089         (JSC::JIT::emitSlow_op_jstricteq):
3090         (JSC::JIT::emitSlow_op_jnstricteq):
3091         (JSC::JIT::emitSlow_op_jeq):
3092         (JSC::JIT::emitSlow_op_jneq):
3093         * jit/JITOpcodes32_64.cpp:
3094         (JSC::JIT::emitSlow_op_eq):
3095         (JSC::JIT::emit_op_jeq):
3096         (JSC::JIT::compileOpEqJumpSlow):
3097         (JSC::JIT::emitSlow_op_jeq):
3098         (JSC::JIT::emit_op_jneq):
3099         (JSC::JIT::emitSlow_op_jneq):
3100         (JSC::JIT::compileOpStrictEq):
3101         (JSC::JIT::emit_op_stricteq):
3102         (JSC::JIT::emit_op_nstricteq):
3103         (JSC::JIT::compileOpStrictEqJump):
3104         (JSC::JIT::emit_op_jstricteq):
3105         (JSC::JIT::emit_op_jnstricteq):
3106         (JSC::JIT::emitSlow_op_jstricteq):
3107         (JSC::JIT::emitSlow_op_jnstricteq):
3108         * jit/JITOperations.cpp:
3109         * jit/JITOperations.h:
3110         * llint/LLIntSlowPaths.cpp:
3111         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3112         * llint/LLIntSlowPaths.h:
3113         * llint/LowLevelInterpreter.asm:
3114         * llint/LowLevelInterpreter32_64.asm:
3115         * llint/LowLevelInterpreter64.asm:
3116
3117 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3118
3119         [JSC] Improve constants and add comments for CodeBlockHash
3120         https://bugs.webkit.org/show_bug.cgi?id=183982
3121
3122         Rubber-stamped by Mark Lam.
3123
3124         * bytecode/CodeBlockHash.cpp:
3125         (JSC::CodeBlockHash::CodeBlockHash):
3126         * bytecode/ParseHash.cpp:
3127         (JSC::ParseHash::ParseHash):
3128
3129 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3130
3131         [JSC] Add options to report parsing and bytecode compiling times
3132         https://bugs.webkit.org/show_bug.cgi?id=183982
3133
3134         Reviewed by Mark Lam.
3135
3136         This patch adds reportParseTimes and reportBytecodeCompileTimes options.
3137         When they are enabled, JSC reports times consumed for parsing and bytecode
3138         compiling.
3139
3140         * JavaScriptCore.xcodeproj/project.pbxproj:
3141         * Sources.txt:
3142         * bytecode/ParseHash.cpp: Added.
3143         (JSC::ParseHash::ParseHash):
3144         * bytecode/ParseHash.h: Added.
3145         (JSC::ParseHash::hashForCall const):
3146         (JSC::ParseHash::hashForConstruct const):
3147         * bytecode/UnlinkedFunctionExecutable.cpp:
3148         (JSC::generateUnlinkedFunctionCodeBlock):
3149         * bytecompiler/BytecodeGenerator.h:
3150         (JSC::BytecodeGenerator::generate):
3151         * parser/Parser.h:
3152         (JSC::parse):
3153         * runtime/CodeCache.h:
3154         (JSC::generateUnlinkedCodeBlock):
3155         * runtime/Options.h:
3156
3157 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3158
3159         [JIT] Drop ENABLE_JIT_VERBOSE flag
3160         https://bugs.webkit.org/show_bug.cgi?id=183983
3161
3162         Reviewed by Mark Lam.
3163
3164         Just use the JITInternal::verbose value.
3165
3166         * jit/JIT.cpp:
3167         (JSC::JIT::privateCompileMainPass):
3168         (JSC::JIT::privateCompileSlowCases):
3169         (JSC::JIT::link):
3170
3171 2018-03-23  Tim Horton  <timothy_horton@apple.com>
3172
3173         Fix the build with no pasteboard
3174         https://bugs.webkit.org/show_bug.cgi?id=183973
3175
3176         Reviewed by Dan Bernstein.
3177
3178         * Configurations/FeatureDefines.xcconfig:
3179
3180 2018-03-23  Mark Lam  <mark.lam@apple.com>
3181
3182         LLInt TypeArray pointer poisoning should not pick its poison dynamically.
3183         https://bugs.webkit.org/show_bug.cgi?id=183942
3184         <rdar://problem/38798018>
3185
3186         Reviewed by JF Bastien.
3187
3188         1. Moved the LLInt TypedArray unpoisoning to just before the array access after
3189            all the branches.
3190         2. Renamed FirstArrayType to FirstTypedArrayType to match the symbol in C++ code.
3191         3. Removed a useless instruction in the implementation of emitX86Lea for a global
3192            label.
3193
3194         * llint/LowLevelInterpreter.asm:
3195         * llint/LowLevelInterpreter64.asm:
3196         * offlineasm/x86.rb:
3197
3198 2018-03-23  Mark Lam  <mark.lam@apple.com>
3199
3200         Add more support for pointer profiling.
3201         https://bugs.webkit.org/show_bug.cgi?id=183943
3202         <rdar://problem/38799068>
3203
3204         Reviewed by JF Bastien.
3205
3206         * assembler/ARM64Assembler.h:
3207         (JSC::ARM64Assembler::linkJumpOrCall):
3208         * assembler/AbstractMacroAssembler.h:
3209         (JSC::AbstractMacroAssembler::repatchNearCall):
3210         (JSC::AbstractMacroAssembler::tagReturnAddress):
3211         (JSC::AbstractMacroAssembler::untagReturnAddress):
3212
3213 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3214
3215         [WTF] Add standard containers with FastAllocator specialization
3216         https://bugs.webkit.org/show_bug.cgi?id=183789
3217
3218         Reviewed by Darin Adler.
3219
3220         * b3/air/testair.cpp:
3221         * b3/testb3.cpp:
3222         (JSC::B3::testDoubleLiteralComparison):
3223         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
3224         * dfg/DFGGraph.h:
3225         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3226         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3227         * ftl/FTLLowerDFGToB3.cpp:
3228         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
3229         * runtime/FunctionHasExecutedCache.h:
3230         * runtime/TypeLocationCache.h:
3231
3232 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3233
3234         [FTL] Fix ArrayPush(ArrayStorage)'s abstract heap
3235         https://bugs.webkit.org/show_bug.cgi?id=182960
3236
3237         Reviewed by Saam Barati.
3238
3239         This patch fixes ArrayPush(ArrayStorage)'s abstract heap.
3240         It should always touch ArrayStorage_vector. To unify
3241         vector setting code for the real ArrayStorage_vector and
3242         ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to
3243         annotate this.
3244
3245         * ftl/FTLLowerDFGToB3.cpp:
3246         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
3247
3248 2018-03-23  Zan Dobersek  <zdobersek@igalia.com>
3249
3250         Unreviewed build fix for GCC 4.9 builds.
3251
3252         * assembler/MacroAssemblerCodeRef.h: std::is_trivially_copyable<> isn't
3253         supported in 4.9 libstdc++, so wrap the static assert using it in a
3254         COMPILER_SUPPORTS() macro, and use __is_trivially_copyable() builtin,
3255         as is done in bitwise_cast() in StdLibExtras.h.
3256
3257 2018-03-22  Tim Horton  <timothy_horton@apple.com>
3258
3259         Adopt WK_ALTERNATE_FRAMEWORKS_DIR in WebCore
3260         https://bugs.webkit.org/show_bug.cgi?id=183930
3261         <rdar://problem/38782249>
3262
3263         Reviewed by Dan Bernstein.
3264
3265         * JavaScriptCore.xcodeproj/project.pbxproj:
3266
3267 2018-03-22  Mark Lam  <mark.lam@apple.com>
3268
3269         Add placeholder call and jump MacroAssembler emitters that take PtrTag in a register.
3270         https://bugs.webkit.org/show_bug.cgi?id=183914
3271         <rdar://problem/38763536>
3272
3273         Reviewed by Saam Barati and JF Bastien.
3274
3275         This is in preparation for supporting pointer profiling work.
3276
3277         * assembler/MacroAssemblerARM.h:
3278         (JSC::MacroAssemblerARM::jump):
3279         (JSC::MacroAssemblerARM::call):
3280         * assembler/MacroAssemblerARM64.h:
3281         (JSC::MacroAssemblerARM64::call):
3282         (JSC::MacroAssemblerARM64::jump):
3283         * assembler/MacroAssemblerARMv7.h:
3284         (JSC::MacroAssemblerARMv7::jump):
3285         (JSC::MacroAssemblerARMv7::call):
3286         * assembler/MacroAssemblerMIPS.h:
3287         (JSC::MacroAssemblerMIPS::jump):
3288         (JSC::MacroAssemblerMIPS::call):
3289         * assembler/MacroAssemblerX86.h:
3290         (JSC::MacroAssemblerX86::call):
3291         (JSC::MacroAssemblerX86::jump):
3292         * assembler/MacroAssemblerX86Common.h:
3293         (JSC::MacroAssemblerX86Common::jump):
3294         (JSC::MacroAssemblerX86Common::call):
3295         * assembler/MacroAssemblerX86_64.h:
3296         (JSC::MacroAssemblerX86_64::call):
3297         (JSC::MacroAssemblerX86_64::jump):
3298
3299 2018-03-22  Tim Horton  <timothy_horton@apple.com>
3300
3301         Improve readability of WebCore's OTHER_LDFLAGS
3302         https://bugs.webkit.org/show_bug.cgi?id=183909
3303         <rdar://problem/38760992>
3304
3305         Reviewed by Dan Bernstein.
3306
3307         * Configurations/Base.xcconfig:
3308         * Configurations/FeatureDefines.xcconfig:
3309
3310 2018-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
3311
3312         [ARM] Thumb: Do not decorate bottom bit twice
3313         https://bugs.webkit.org/show_bug.cgi?id=183906
3314
3315         Reviewed by Mark Lam.
3316
3317         Use MacroAssemblerCodePtr::createFromExecutableAddress instead of
3318         MacroAssemblerCodePtr(void*) to avoid decorating the pointer twice as
3319         a thumb pointer.
3320
3321         * jit/Repatch.cpp:
3322         (JSC::linkPolymorphicCall):
3323
3324 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3325
3326         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
3327         https://bugs.webkit.org/show_bug.cgi?id=183559
3328
3329         Reviewed by Mark Lam.
3330
3331         When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forget
3332         to clear NodeMustGenerate for this ToString. It should be cleared, since it does not have
3333         any user-observable side effect. This patch clears NodeMustGenerate.
3334
3335         * dfg/DFGConstantFoldingPhase.cpp:
3336         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3337
3338 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3339
3340         [JSC] List up all candidates in DFGCapabilities and FTLCapabilities
3341         https://bugs.webkit.org/show_bug.cgi?id=183897
3342
3343         Reviewed by Mark Lam.
3344
3345         We should not use a `default:` clause here, since it accidentally catches
3346         opcodes and DFG nodes which should be optimized. For example,
3347         op_super_sampler_begin and op_super_sampler_end are not listed while
3348         they have DFG and FTL backends.
3349
3350         This patch lists all candidates in DFGCapabilities and FTLCapabilities.
3351         We also clean up unnecessary checks in FTLCapabilities. Since we
3352         already handle all the possible array types for these nodes (which can
3353         be checked in DFG's code), we do not need to check array types.
3354
3355         We also fix FTLLowerDFGToB3's PutByVal code to use modeForPut.
3356
3357         * dfg/DFGCapabilities.cpp:
3358         (JSC::DFG::capabilityLevel):
3359         * ftl/FTLCapabilities.cpp:
3360         (JSC::FTL::canCompile):
3361         * ftl/FTLLowerDFGToB3.cpp:
3362         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
3363
3364 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3365
3366         [JSC] Drop op_put_by_index
3367         https://bugs.webkit.org/show_bug.cgi?id=183899
3368
3369         Reviewed by Mark Lam.
3370
3371         This patch drops op_put_by_index.
3372
3373         1. This functionality can be covered by direct put_by_val.
3374         2. put_by_index is not well optimized: it just calls a C
3375         function, and it does not have DFG handling.
3376
3377         * bytecode/BytecodeDumper.cpp:
3378         (JSC::BytecodeDumper<Block>::dumpBytecode):
3379         * bytecode/BytecodeList.json:
3380         * bytecode/BytecodeUseDef.h:
3381         (JSC::computeUsesForBytecodeOffset):
3382         (JSC::computeDefsForBytecodeOffset):
3383         * bytecompiler/BytecodeGenerator.cpp:
3384         (JSC::BytecodeGenerator::emitPutByIndex): Deleted.
3385         * bytecompiler/BytecodeGenerator.h:
3386         * bytecompiler/NodesCodegen.cpp:
3387         (JSC::ArrayNode::emitBytecode):
3388         (JSC::ArrayPatternNode::emitDirectBinding):
3389         * jit/JIT.cpp:
3390         (JSC::JIT::privateCompileMainPass):
3391         * jit/JIT.h:
3392         * jit/JITPropertyAccess.cpp:
3393         (JSC::JIT::emit_op_put_by_index): Deleted.
3394         * jit/JITPropertyAccess32_64.cpp:
3395         (JSC::JIT::emit_op_put_by_index): Deleted.
3396         * llint/LLIntSlowPaths.cpp:
3397         * llint/LLIntSlowPaths.h:
3398         * llint/LowLevelInterpreter.asm:
3399
3400 2018-03-22  Michael Saboff  <msaboff@apple.com>
3401
3402         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
3403         https://bugs.webkit.org/show_bug.cgi?id=183901