[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-11-30  Mark Lam  <mark.lam@apple.com>

        jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
        https://bugs.webkit.org/show_bug.cgi?id=180219
        <rdar://problem/35696536>

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (functionFlashHeapAccess):

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
        https://bugs.webkit.org/show_bug.cgi?id=180190

        Reviewed by Mark Lam.

        If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
        path by calling operationHasIndexedProperty. The problem is that
        operationHasIndexedProperty does not account for a negative index: the negative
        index was used as a uint32 array index.

        In this patch we add a path for negative indices in operationHasIndexedProperty,
        and rename it to operationHasIndexedPropertyByInt to make the intention clear.
        We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
        since it is only used in the DFG and FTL.

        While fixing this bug, we found that our op_in does not record OutOfBound feedback.
        This causes repeated OSR exits and significantly regresses performance. We opened
        a bug to track this issue [1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=180192

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
45
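The entry above describes a negative int32 key reaching the slow path and being used as a uint32 array index. The following is an added example, not WebKit code and not a test from the WebKit tree: it is a regression-test-shaped check of the semantics the fix restores. `key in array` with a negative number must look up the named property "-1", never the element at the uint32 alias 4294967295. The warm-up loop exists only so that a tiering JIT (JSC's DFG/FTL) compiles the `in` and exercises the HasIndexedProperty path with a negative, non-constant index; on any spec-conformant engine, including Node, all five results come out as expected.

```javascript
// Added example (not WebKit code): `key in array` with a negative int32 key
// must hit the named property "-1", not the uint32 alias 0xFFFFFFFF.

// Build an array with real elements and a *named* property "-1".
function makeTarget() {
  const a = [10, 20, 30];
  a[-1] = "named";      // ToPropertyKey(-1) is the string "-1", not an element
  return a;
}

// Repeat `index in target` so a tiering JIT compiles the loop and reaches its
// HasIndexedProperty fast/slow paths with a variable, possibly negative index.
function hasIndexedProperty(target, index, iterations = 100000) {
  let last = false;
  for (let i = 0; i < iterations; i++) {
    last = index in target;
  }
  return last;
}

function runChecks() {
  const a = makeTarget();
  const ALIAS = 0xFFFFFFFF;   // what int32 -1 becomes if reinterpreted as uint32
  return {
    negativeKey: hasIndexedProperty(a, -1),         // true: named key "-1" exists
    aliasedIndex: hasIndexedProperty(a, ALIAS),     // false: no such element
    realIndex: hasIndexedProperty(a, 0),            // true: element 0 exists
    outOfBounds: hasIndexedProperty(a, 3),          // false: length is 3
    negativeMissing: hasIndexedProperty([1], -2),   // false: no "-2" key
  };
}
```

Under the behaviour the entry describes (a negative index treated as a uint32 array index), `negativeKey` would be answered like `aliasedIndex` once the compiled path was reached; checking both in one run is what makes the test discriminating.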
2017-11-30  Michael Saboff  <msaboff@apple.com>

        Allow JSC command line tool to accept UTF8
        https://bugs.webkit.org/show_bug.cgi?id=180205

        Reviewed by Keith Miller.

        This unifies the UTF8 handling of interactive mode with that of source files.

        * jsc.cpp:
        (runInteractive):

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
        https://bugs.webkit.org/show_bug.cgi?id=180185

        Reviewed by Carlos Garcia Campos.

        After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
        But this is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
        can accept a nullptr allocator, the behavior of the original code was AllocatorForMode::AllocatorIfExists.
        And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated yet. But a MakeRope
        DFG node can be emitted if we see that an untaken path includes String + String code.

        This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
        As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
        I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
        original code used before r225314.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):

2017-11-28  Filip Pizlo  <fpizlo@apple.com>

        CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
        https://bugs.webkit.org/show_bug.cgi?id=180108

        Reviewed by Saam Barati.

        This was creating a vector of things to remove and then removing them. I think I remember writing
        this code, and I did that because at the time we did not have removeAllMatching, which is
        definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
        obvious improvement before I did more fundamental things to this code.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):

2017-11-29  Filip Pizlo  <fpizlo@apple.com>

        GC should support isoheaps
        https://bugs.webkit.org/show_bug.cgi?id=179288

        Reviewed by Saam Barati.

        This expands the power of the Subspace API in JSC:

        - Everything associated with describing the types of objects is now part of the HeapCellType class.
          We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
          HeapCellType; these are orthogonal things.

        - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
          any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
          special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
          pages but releases the physical pages as part of the respective allocator's scavenging policy
          (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
          IsoSubspace).

        So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
        for more things.

        This does not have any effect on JetStream (0.18% faster with p = 0.69).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        * heap/AlignedMemoryAllocator.cpp:
        (JSC::AlignedMemoryAllocator::registerAllocator):
        (JSC::AlignedMemoryAllocator::registerSubspace):
        * heap/AlignedMemoryAllocator.h:
        (JSC::AlignedMemoryAllocator::firstAllocator const):
        * heap/AllocationFailureMode.h: Added.
        * heap/CompleteSubspace.cpp: Added.
        (JSC::CompleteSubspace::CompleteSubspace):
        (JSC::CompleteSubspace::~CompleteSubspace):
        (JSC::CompleteSubspace::allocatorFor):
        (JSC::CompleteSubspace::allocate):
        (JSC::CompleteSubspace::allocateNonVirtual):
        (JSC::CompleteSubspace::allocatorForSlow):
        (JSC::CompleteSubspace::allocateSlow):
        (JSC::CompleteSubspace::tryAllocateSlow):
        * heap/CompleteSubspace.h: Added.
        (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForNonVirtual):
        * heap/HeapCellType.cpp: Added.
        (JSC::HeapCellType::HeapCellType):
        (JSC::HeapCellType::~HeapCellType):
        (JSC::HeapCellType::finishSweep):
        (JSC::HeapCellType::destroy):
        * heap/HeapCellType.h: Added.
        (JSC::HeapCellType::attributes const):
        * heap/IsoAlignedMemoryAllocator.cpp: Added.
        (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::dump const):
        * heap/IsoAlignedMemoryAllocator.h: Added.
        * heap/IsoSubspace.cpp: Added.
        (JSC::IsoSubspace::IsoSubspace):
        (JSC::IsoSubspace::~IsoSubspace):
        (JSC::IsoSubspace::allocatorFor):
        (JSC::IsoSubspace::allocatorForNonVirtual):
        (JSC::IsoSubspace::allocate):
        (JSC::IsoSubspace::allocateNonVirtual):
        * heap/IsoSubspace.h: Added.
        (JSC::IsoSubspace::size const):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::setSubspace):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
        (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
        (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
        * heap/MarkedAllocatorInlines.h:
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::tryAllocate): Deleted.
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
        (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addMarkedAllocator):
        * heap/MarkedSpace.h:
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::initialize):
        (JSC::Subspace::finishSweep):
        (JSC::Subspace::destroy):
        (JSC::Subspace::prepareForAllocation):
        (JSC::Subspace::findEmptyBlockToSteal):
        (): Deleted.
        (JSC::Subspace::allocate): Deleted.
        (JSC::Subspace::tryAllocate): Deleted.
        (JSC::Subspace::allocatorForSlow): Deleted.
        (JSC::Subspace::allocateSlow): Deleted.
        (JSC::Subspace::tryAllocateSlow): Deleted.
        (JSC::Subspace::didAllocate): Deleted.
        * heap/Subspace.h:
        (JSC::Subspace::heapCellType const):
        (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
        (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
        (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
        (JSC::Subspace::allocatorForSizeStep): Deleted.
        (JSC::Subspace::tryAllocatorFor): Deleted.
        (JSC::Subspace::allocatorFor): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::growArrayRight):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::subspaceFor):
        * runtime/DirectEvalExecutable.h:
        * runtime/EvalExecutable.h:
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::subspaceFor):
        * runtime/FunctionExecutable.h:
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBuffer::create):
        * runtime/IndirectEvalExecutable.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSCell.h:
        (JSC::subspaceFor):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::subspaceFor):
        (JSC::tryAllocateCellHelper):
        (JSC::allocateCell):
        (JSC::tryAllocateCell):
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::subspaceFor):
        * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
        (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
        (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
        (JSC::JSDestructibleObjectHeapCellType::finishSweep):
        (JSC::JSDestructibleObjectHeapCellType::destroy):
        (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
        (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
        (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
        (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
        * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
        * runtime/JSDestructibleObjectSubspace.cpp: Removed.
        * runtime/JSDestructibleObjectSubspace.h: Removed.
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::subspaceFor):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
        (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
        (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
        (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
        (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
        * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
        * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
        * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
        * runtime/JSString.h:
        (JSC::JSString::subspaceFor):
        * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
        (JSC::JSStringHeapCellType::JSStringHeapCellType):
        (JSC::JSStringHeapCellType::~JSStringHeapCellType):
        (JSC::JSStringHeapCellType::finishSweep):
        (JSC::JSStringHeapCellType::destroy):
        (JSC::JSStringSubspace::JSStringSubspace): Deleted.
        (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
        (JSC::JSStringSubspace::finishSweep): Deleted.
        (JSC::JSStringSubspace::destroy): Deleted.
        * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
        * runtime/JSStringSubspace.cpp: Removed.
        * runtime/JSStringSubspace.h: Removed.
        * runtime/ModuleProgramExecutable.h:
        * runtime/NativeExecutable.h:
        * runtime/ProgramExecutable.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::subspaceFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
        (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
        (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
        * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::subspaceFor):

2017-11-29  Saam Barati  <sbarati@apple.com>

        Remove pointer caging for double arrays
        https://bugs.webkit.org/show_bug.cgi?id=180163

        Reviewed by Mark Lam.

        This patch removes pointer caging from double arrays. Like
        my previous removals of pointer caging, this is a security vs
        performance tradeoff. We believe that butterflies being allocated
        in the cage and with a 32GB runway gives us enough security that
        pointer caging the butterfly just for double arrays does not add
        enough security benefit for the performance hit it incurs.

        This patch also removes the GetButterflyWithoutCaging node and
        the FixedButterflyAccessUncaging phase. The node is no longer needed
        because now all GetButterfly nodes are not caged. The phase is removed
        since we no longer have two nodes.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
        * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        * runtime/Butterfly.h:
        (JSC::Butterfly::pointer):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::caged): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):

2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=175447

        Reviewed by Carlos Alberto Lopez Perez.

        This patch allows DFG JIT to be enabled on MIPS platforms.

        * Sources.txt:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::sprName):
        * assembler/MacroAssemblerMIPS.cpp: Added.
        (JSC::MacroAssembler::probe):
        * assembler/ProbeContext.cpp:
        (JSC::Probe::executeProbe):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::pc):
        * assembler/testmasm.cpp:
        (JSC::isSpecialGPR):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackValues):

2017-11-29  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r225286.

        The source files within this patch have been marked as
        executable.

        Reverted changeset:

        "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
        https://bugs.webkit.org/show_bug.cgi?id=175447
        https://trac.webkit.org/changeset/225286

2017-11-29  Alex Christensen  <achristensen@webkit.org>

        Fix Mac CMake build.

        * PlatformMac.cmake:

2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=175447

        Reviewed by Carlos Alberto Lopez Perez.

        This patch allows DFG JIT to be enabled on MIPS platforms.

        * Sources.txt:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::sprName):
        * assembler/MacroAssemblerMIPS.cpp: Added.
        (JSC::MacroAssembler::probe):
        * assembler/ProbeContext.cpp:
        (JSC::Probe::executeProbe):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::pc):
        * assembler/testmasm.cpp:
        (JSC::isSpecialGPR):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackValues):

2017-11-28  JF Bastien  <jfbastien@apple.com>

        Strict and sloppy functions shouldn't share structure
        https://bugs.webkit.org/show_bug.cgi?id=180103
        <rdar://problem/35667847>

        Reviewed by Saam Barati.

        Sloppy and strict functions don't act the same when it comes to
        arguments, caller, and callee. Sharing a structure means that
        anything that is cached gets shared, and that's incorrect.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create): the second ::create is always strict
        because it applies to native functions.
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::strictFunctionStructure const):
        (JSC::JSGlobalObject::sloppyFunctionStructure const):
        (JSC::JSGlobalObject::nativeStdFunctionStructure const):
        (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
        (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.
506
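The entry above says sloppy and strict functions differ in how `arguments`, `caller` and `callee` behave, so a property cache keyed on a shared Structure would hand one kind's cached answer to the other. The following is an added example, not WebKit code, that makes those differences observable on any spec-conformant engine (Node included): the sloppy function is built with the `Function` constructor so that it stays sloppy even when the file itself is loaded as a strict ES module; that construction choice is the example's own, not something the entry describes.

```javascript
// Added example (not WebKit code): observable differences between a sloppy
// and a strict function that make caching across a shared Structure wrong.

// Sloppy-mode function. Function-constructed functions are sloppy unless their
// body opts in, so this stays sloppy even inside a strict module.
const sloppyFn = new Function("a", `
  arguments[0] = "changed";   // sloppy: arguments[0] aliases the parameter a
  return { a: a, calleeIsFunction: typeof arguments.callee === "function" };
`);

function strictFn(a) {
  "use strict";
  arguments[0] = "changed";   // strict: arguments is unmapped, a is untouched
  let calleeThrows = false;
  try {
    void arguments.callee;    // strict: accessor throws TypeError
  } catch (e) {
    calleeThrows = e instanceof TypeError;
  }
  return { a, calleeThrows };
}

// Reading fn.caller is allowed on a sloppy function (null when not executing)
// and throws TypeError on a strict one.
function callerAccessThrows(fn) {
  try {
    void fn.caller;
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

function compare() {
  return {
    sloppy: { ...sloppyFn("original"), callerThrows: callerAccessThrows(sloppyFn) },
    strict: { ...strictFn("original"), callerThrows: callerAccessThrows(strictFn) },
  };
}
```

If both kinds of function shared one Structure, a cached lookup of `caller` learned from a sloppy function (a plain read) could be replayed on a strict one, where the same access must throw; keeping separate Structures is what lets the caches stay correct.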
2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
        https://bugs.webkit.org/show_bug.cgi?id=180070

        Reviewed by Saam Barati.

        This patch adds getEffectiveAddress in all JIT platforms.
        This is an abstracted version of x86 lea.

        We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::getEffectiveAddress):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::getEffectiveAddress):
        (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::getEffectiveAddress):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::getEffectiveAddress):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::getEffectiveAddress):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::getEffectiveAddress):
        (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
        * assembler/testmasm.cpp:
        (JSC::testGetEffectiveAddress):
        (JSC::run):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayPush):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):

2017-11-29  Robin Morisset  <rmorisset@apple.com>

        The recursive tail call optimisation is wrong on closures
        https://bugs.webkit.org/show_bug.cgi?id=179835

        Reviewed by Saam Barati.

        The problem is that we only check the executable of the callee, not whatever variables might have been captured.
        As a stopgap measure this patch just does not do the optimisation for closures.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):

2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup Inspector classes be more consistent about using fast malloc / noncopyable
        https://bugs.webkit.org/show_bug.cgi?id=180119

        Reviewed by Devin Rousso.

        * inspector/InjectedScriptManager.h:
        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:

2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>

        ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
        https://bugs.webkit.org/show_bug.cgi?id=179642
        <rdar://problem/35517704>

        Reviewed by Brian Burg.

        * inspector/protocol/Network.json:
        Expose the NetworkAgent for a Service Worker inspector.

2017-11-28  Brian Burg  <bburg@apple.com>

        [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
        https://bugs.webkit.org/show_bug.cgi?id=179696

        Reviewed by Timothy Hatcher.

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._generate_type_interface):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_type_for_raw_name):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
        (ObjCGenerator.objc_protocol_import_expression_for_variable):
        (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
        (ObjCGenerator.objc_to_protocol_expression_for_member.is):
        (ObjCGenerator.objc_to_protocol_expression_for_member):
        (ObjCGenerator.protocol_to_objc_expression_for_member.is):
        (ObjCGenerator.protocol_to_objc_expression_for_member):
        (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
        (ObjCGenerator.objc_setter_method_for_member_internal):
        (ObjCGenerator.objc_getter_method_for_member_internal):
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

617 2017-11-27  JF Bastien  <jfbastien@apple.com>
618
619         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
620         https://bugs.webkit.org/show_bug.cgi?id=180051
621         <rdar://problem/35614371>
622
623         Reviewed by Saam Barati.
624
625         Checking for int32 isn't sufficient when uint32 is expected
626         afterwards. While we're here, also use Checked<>.
627
628         * dfg/DFGAbstractInterpreterInlines.h:
629         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
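
The int32-then-uint32 hazard this entry names, as an added model (constructed code, not WebKit's abstract interpreter): `RestParameterModel`, `restElementBuggy`, `restElementFixed` and the `CheckedUint32` stand-in for WTF::Checked<> are all hypothetical names; the buggy variant only knows the index is an int32, the fixed one rejects negatives before the unsigned conversion and uses checked arithmetic for the offset.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model of the hazard named in the entry above: a value that
// passes an "is int32" check is later consumed as a uint32 index, so a
// negative int32 silently becomes a huge unsigned value. Not WebKit code.

// Hypothetical model of a rest parameter: the rest array is the slice of the
// argument list after the first numParametersToSkip named parameters.
struct RestParameterModel {
    std::vector<int> arguments;     // constructed argument values
    uint32_t numParametersToSkip;   // named parameters before the rest array
};

struct RestLookup {
    bool inBounds;   // did the access land inside the argument list?
    int value;       // the value read when inBounds is true
};

// Buggy variant: the index is known to be an int32 but is used as a uint32
// without checking its sign. static_cast<uint32_t>(-1) is 4294967295, and
// the unsigned addition then wraps around modulo 2^32, so a "rest" access
// can land on a named parameter instead of being rejected.
inline RestLookup restElementBuggy(const RestParameterModel& m, int32_t index)
{
    uint32_t restIndex = static_cast<uint32_t>(index);
    uint32_t absoluteIndex = m.numParametersToSkip + restIndex;   // may wrap
    if (absoluteIndex < m.arguments.size())
        return { true, m.arguments[absoluteIndex] };
    return { false, 0 };
}

// Minimal stand-in for WTF::Checked<uint32_t> (hypothetical): addition
// records overflow instead of wrapping silently.
struct CheckedUint32 {
    uint32_t value;
    bool overflowed;

    explicit CheckedUint32(uint32_t v) : value(v), overflowed(false) { }

    CheckedUint32 operator+(uint32_t rhs) const
    {
        CheckedUint32 result(value + rhs);
        result.overflowed = overflowed || rhs > UINT32_MAX - value;
        return result;
    }
};

// Fixed variant: reject negative indices before the int32 -> uint32
// conversion, and use checked arithmetic for the offset computation.
inline RestLookup restElementFixed(const RestParameterModel& m, int32_t index)
{
    if (index < 0)   // an int32, but not a valid uint32 array index
        return { false, 0 };
    CheckedUint32 absoluteIndex = CheckedUint32(m.numParametersToSkip) + static_cast<uint32_t>(index);
    if (absoluteIndex.overflowed || absoluteIndex.value >= m.arguments.size())
        return { false, 0 };
    return { true, m.arguments[absoluteIndex.value] };
}

// Constructed call: f(10, 20, ...rest) where rest = [30, 40].
inline RestParameterModel sampleModel()
{
    return { { 10, 20, 30, 40 }, 2 };
}

int main()
{
    RestLookup buggy = restElementBuggy(sampleModel(), -1);
    RestLookup fixed = restElementFixed(sampleModel(), -1);
    std::printf("buggy: inBounds=%d value=%d\n", buggy.inBounds, buggy.value);   // 1, 20: a named parameter leaks
    std::printf("fixed: inBounds=%d\n", fixed.inBounds);                          // 0
    return 0;
}
```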
630
631 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
632
633         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
634         https://bugs.webkit.org/show_bug.cgi?id=173793
635
636         Reviewed by Joseph Pecoraro.
637
638         Based on patch by Brian Burg.
639
640         * JavaScriptCore.xcodeproj/project.pbxproj:
641         * Sources.txt:
642         * bindings/ScriptValue.cpp:
643         (Inspector::jsToInspectorValue):
644         (Inspector::toInspectorValue):
645         (Deprecated::ScriptValue::toInspectorValue const):
646         * bindings/ScriptValue.h:
647         * inspector/AsyncStackTrace.cpp:
648         * inspector/ConsoleMessage.cpp:
649         * inspector/ContentSearchUtilities.cpp:
650         * inspector/DeprecatedInspectorValues.cpp: Added.
651         * inspector/DeprecatedInspectorValues.h: Added.
652         Keep the old symbols around in JavaScriptCore so that builds with the
653         public iOS SDK continue to work. These older SDKs include a version of
654         WebInspector.framework that expects to find InspectorArray and other
655         symbols in JavaScriptCore.framework.
656
657         * inspector/InjectedScript.cpp:
658         (Inspector::InjectedScript::getFunctionDetails):
659         (Inspector::InjectedScript::functionDetails):
660         (Inspector::InjectedScript::getPreview):
661         (Inspector::InjectedScript::getProperties):
662         (Inspector::InjectedScript::getDisplayableProperties):
663         (Inspector::InjectedScript::getInternalProperties):
664         (Inspector::InjectedScript::getCollectionEntries):
665         (Inspector::InjectedScript::saveResult):
666         (Inspector::InjectedScript::wrapCallFrames const):
667         (Inspector::InjectedScript::wrapObject const):
668         (Inspector::InjectedScript::wrapTable const):
669         (Inspector::InjectedScript::previewValue const):
670         (Inspector::InjectedScript::setExceptionValue):
671         (Inspector::InjectedScript::clearExceptionValue):
672         (Inspector::InjectedScript::inspectObject):
673         (Inspector::InjectedScript::releaseObject):
674         * inspector/InjectedScriptBase.cpp:
675         (Inspector::InjectedScriptBase::makeCall):
676         (Inspector::InjectedScriptBase::makeEvalCall):
677         * inspector/InjectedScriptBase.h:
678         * inspector/InjectedScriptManager.cpp:
679         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
680         * inspector/InspectorBackendDispatcher.cpp:
681         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
682         (Inspector::BackendDispatcher::dispatch):
683         (Inspector::BackendDispatcher::sendResponse):
684         (Inspector::BackendDispatcher::sendPendingErrors):
685         (Inspector::BackendDispatcher::getPropertyValue):
686         (Inspector::castToInteger):
687         (Inspector::castToNumber):
688         (Inspector::BackendDispatcher::getInteger):
689         (Inspector::BackendDispatcher::getDouble):
690         (Inspector::BackendDispatcher::getString):
691         (Inspector::BackendDispatcher::getBoolean):
692         (Inspector::BackendDispatcher::getObject):
693         (Inspector::BackendDispatcher::getArray):
694         (Inspector::BackendDispatcher::getValue):
695         * inspector/InspectorBackendDispatcher.h:
696         We need to keep around the sendResponse() variant with a parameter that
697         has the InspectorObject type, as older WebInspector.framework versions
698         expect this symbol to exist. Introduce a variant with arity 3 that can
699         be used in TOT so as to avoid having two methods with the same name, arity, and
700         different parameter types.
701
702         When system WebInspector.framework is updated, we can remove the legacy
703         method variant that uses the InspectorObject type. At that point, we can
704         transition TOT to use the 2-arity variant, and delete the 3-arity variant
705         when system WebInspector.framework is updated once more to use the 2-arity one.
706
707         * inspector/InspectorProtocolTypes.h:
708         (Inspector::Protocol::Array::openAccessors):
709         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
710         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
711         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
712         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
713         * inspector/ScriptCallFrame.cpp:
714         * inspector/ScriptCallStack.cpp:
715         * inspector/agents/InspectorAgent.cpp:
716         (Inspector::InspectorAgent::inspect):
717         * inspector/agents/InspectorAgent.h:
718         * inspector/agents/InspectorDebuggerAgent.cpp:
719         (Inspector::buildAssertPauseReason):
720         (Inspector::buildCSPViolationPauseReason):
721         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
722         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
723         (Inspector::buildObjectForBreakpointCookie):
724         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
725         (Inspector::parseLocation):
726         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
727         (Inspector::InspectorDebuggerAgent::setBreakpoint):
728         (Inspector::InspectorDebuggerAgent::continueToLocation):
729         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
730         (Inspector::InspectorDebuggerAgent::didParseSource):
731         (Inspector::InspectorDebuggerAgent::breakProgram):
732         * inspector/agents/InspectorDebuggerAgent.h:
733         * inspector/agents/InspectorRuntimeAgent.cpp:
734         (Inspector::InspectorRuntimeAgent::callFunctionOn):
735         (Inspector::InspectorRuntimeAgent::saveResult):
736         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
737         * inspector/agents/InspectorRuntimeAgent.h:
738         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
739         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
740         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
741         (CppBackendDispatcherImplementationGenerator.generate_output):
742         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
743         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
744         (CppFrontendDispatcherHeaderGenerator.generate_output):
745         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
746         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
747         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
748         (_generate_unchecked_setter_for_member):
749         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
750         (CppProtocolTypesImplementationGenerator):
751         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
752         (ObjCBackendDispatcherImplementationGenerator.generate_output):
753         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
754         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
755         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
756         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
757         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
758         * inspector/scripts/codegen/generate_objc_internal_header.py:
759         (ObjCInternalHeaderGenerator.generate_output):
760         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
761         (ObjCProtocolTypesImplementationGenerator.generate_output):
762         * inspector/scripts/codegen/generator.py:
763         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
764         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
765         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
766         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
767         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
768         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
769         * inspector/scripts/tests/generic/expected/enum-values.json-result:
770         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
771         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
772         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
773         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
774         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
775         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
776         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
777         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
778         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
779         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
780         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
781         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
782         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
783
784 2017-11-28  Robin Morisset  <rmorisset@apple.com>
785
786         Support recursive tail call optimization for polymorphic calls
787         https://bugs.webkit.org/show_bug.cgi?id=178390
788
789         Reviewed by Saam Barati.
790
791         Comes with a large but fairly simple refactoring: the inlining path for varargs and non-varargs calls now converge a lot later,
792         eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
793
794         Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
795
796         * dfg/DFGByteCodeParser.cpp:
797         (JSC::DFG::ByteCodeParser::handleCall):
798         (JSC::DFG::ByteCodeParser::handleVarargsCall):
799         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
800         (JSC::DFG::ByteCodeParser::inlineCall):
801         (JSC::DFG::ByteCodeParser::handleCallVariant):
802         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
803         (JSC::DFG::ByteCodeParser::getInliningBalance):
804         (JSC::DFG::ByteCodeParser::handleInlining):
805         (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
806
807 2017-11-27  Saam Barati  <sbarati@apple.com>
808
809         Spread can escape when CreateRest does not
810         https://bugs.webkit.org/show_bug.cgi?id=180057
811         <rdar://problem/35676119>
812
813         Reviewed by JF Bastien.
814
815         We previously did not handle Spread(PhantomCreateRest) only because I did not
816         think it was possible to generate this IR. I was wrong. We can generate
817         such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
818         This IR is rare to generate since we normally don't PutStack(Spread) because
819         the SetLocal almost always gets eliminated because of how our bytecode generates
820         op_spread. However, there exists a test case showing it is possible. Supporting
821         this IR pattern in FTLLower is trivial. This patch implements it and rewrites
822         the Validation rule for Spread.
823
824         * dfg/DFGOperations.cpp:
825         * dfg/DFGOperations.h:
826         * dfg/DFGValidate.cpp:
827         * ftl/FTLLowerDFGToB3.cpp:
828         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
829         * runtime/JSFixedArray.h:
830         (JSC::JSFixedArray::tryCreate):
831
832 2017-11-27  Don Olmstead  <don.olmstead@sony.com>
833
834         [CMake][Win] Conditionally select DLL CRT or static CRT
835         https://bugs.webkit.org/show_bug.cgi?id=170594
836
837         Reviewed by Alex Christensen.
838
839         * shell/PlatformWin.cmake:
840
841 2017-11-27  Saam Barati  <sbarati@apple.com>
842
843         Having a bad time watchpoint firing during compilation revealed a racy assertion
844         https://bugs.webkit.org/show_bug.cgi?id=180048
845         <rdar://problem/35700009>
846
847         Reviewed by Mark Lam.
848
849         While a DFG compilation is watching the having a bad time watchpoint, it was
850         asserting that the rest parameter structure has indexing type ArrayWithContiguous.
851         However, if the having a bad time watchpoint fires during the compilation,
852         this particular structure will no longer have ArrayWithContiguous indexing type.
853         This patch fixes this racy assertion to be aware that the watchpoint may fire
854         during compilation.
855
856         * dfg/DFGSpeculativeJIT.cpp:
857         (JSC::DFG::SpeculativeJIT::compileCreateRest):
858         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
859
860 2017-11-27  Tim Horton  <timothy_horton@apple.com>
861
862         One too many zeroes in macOS version number in FeatureDefines
863         https://bugs.webkit.org/show_bug.cgi?id=180011
864
865         Reviewed by Dan Bernstein.
866
867         * Configurations/FeatureDefines.xcconfig:
868
869 2017-11-27  Robin Morisset  <rmorisset@apple.com>
870
871         Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
872         https://bugs.webkit.org/show_bug.cgi?id=179821
873
874         Reviewed by Saam Barati.
875
876         * dfg/DFGSafeToExecute.h:
877         (JSC::DFG::safeToExecute):
878
879 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
880
881         [DFG] Add NormalizeMapKey DFG IR
882         https://bugs.webkit.org/show_bug.cgi?id=179912
883
884         Reviewed by Saam Barati.
885
886         This patch introduces the NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
887         By separating this from MapHash and Map/Set related operations, we can perform CSE on it, and we
888         do not need to call normalizeMapKey conservatively in DFG operations.
889         This can reduce slow path cases in Untyped GetMapBucket since we can normalize keys in DFG/FTL.
890
891         * dfg/DFGAbstractInterpreterInlines.h:
892         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
893         * dfg/DFGByteCodeParser.cpp:
894         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
895         * dfg/DFGClobberize.h:
896         (JSC::DFG::clobberize):
897         * dfg/DFGDoesGC.cpp:
898         (JSC::DFG::doesGC):
899         * dfg/DFGFixupPhase.cpp:
900         (JSC::DFG::FixupPhase::fixupNode):
901         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
902         * dfg/DFGNodeType.h:
903         * dfg/DFGOperations.cpp:
904         * dfg/DFGPredictionPropagationPhase.cpp:
905         * dfg/DFGSafeToExecute.h:
906         (JSC::DFG::safeToExecute):
907         * dfg/DFGSpeculativeJIT.cpp:
908         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
909         * dfg/DFGSpeculativeJIT.h:
910         * dfg/DFGSpeculativeJIT32_64.cpp:
911         (JSC::DFG::SpeculativeJIT::compile):
912         * dfg/DFGSpeculativeJIT64.cpp:
913         (JSC::DFG::SpeculativeJIT::compile):
914         * ftl/FTLCapabilities.cpp:
915         (JSC::FTL::canCompile):
916         * ftl/FTLLowerDFGToB3.cpp:
917         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
918         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
919         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
920         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
921         * runtime/HashMapImpl.h:
922
923 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
924
925         [FTL] Support DeleteById and DeleteByVal
926         https://bugs.webkit.org/show_bug.cgi?id=180022
927
928         Reviewed by Saam Barati.
929
930         We should increase the coverage of FTL. Even if the code includes DeleteById,
931         it does not mean that the remaining part of the code should not be optimized in FTL.
932         Right now, even CallEval and `with` scope are handled in FTL.
933
934         This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
935         code including them.
936
937         * ftl/FTLCapabilities.cpp:
938         (JSC::FTL::canCompile):
939         * ftl/FTLLowerDFGToB3.cpp:
940         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
941         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
942         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
943
944 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
945
946         [DFG] Introduce {Set,Map,WeakMap}Fields
947         https://bugs.webkit.org/show_bug.cgi?id=179925
948
949         Reviewed by Saam Barati.
950
951         SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
952         writes readonly MiscFields, which is used by various nodes, and makes optimization
953         conservative.
954
955         We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
956
957         * dfg/DFGAbstractHeap.h:
958         * dfg/DFGByteCodeParser.cpp:
959         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
960         * dfg/DFGClobberize.h:
961         (JSC::DFG::clobberize):
962         * dfg/DFGHeapLocation.cpp:
963         (WTF::printInternal):
964         * dfg/DFGHeapLocation.h:
965         * dfg/DFGNode.h:
966         (JSC::DFG::Node::hasBucketOwnerType):
967
968 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
969
970         [JSC] Remove JSStringBuilder
971         https://bugs.webkit.org/show_bug.cgi?id=180016
972
973         Reviewed by Saam Barati.
974
975         JSStringBuilder is replaced with WTF::StringBuilder.
976         This patch removes the remaining uses and drops JSStringBuilder.
977
978         * JavaScriptCore.xcodeproj/project.pbxproj:
979         * runtime/ArrayPrototype.cpp:
980         * runtime/AsyncFunctionPrototype.cpp:
981         * runtime/AsyncGeneratorFunctionPrototype.cpp:
982         * runtime/ErrorPrototype.cpp:
983         * runtime/FunctionPrototype.cpp:
984         * runtime/GeneratorFunctionPrototype.cpp:
985         * runtime/JSGlobalObjectFunctions.cpp:
986         (JSC::decode):
987         (JSC::globalFuncEscape):
988         * runtime/JSStringBuilder.h: Removed.
989         * runtime/JSStringInlines.h:
990         (JSC::jsMakeNontrivialString):
991         * runtime/RegExpPrototype.cpp:
992         * runtime/StringPrototype.cpp:
993
994 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
995
996         [DFG] Remove GetLocalUnlinked
997         https://bugs.webkit.org/show_bug.cgi?id=180017
998
999         Reviewed by Saam Barati.
1000
1001         Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
1002         This patch just removes it.
1003
1004         * dfg/DFGAbstractInterpreterInlines.h:
1005         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1006         * dfg/DFGClobberize.h:
1007         (JSC::DFG::clobberize):
1008         * dfg/DFGCommon.h:
1009         * dfg/DFGDoesGC.cpp:
1010         (JSC::DFG::doesGC):
1011         * dfg/DFGFixupPhase.cpp:
1012         (JSC::DFG::FixupPhase::fixupNode):
1013         * dfg/DFGGraph.cpp:
1014         (JSC::DFG::Graph::dump):
1015         * dfg/DFGNode.h:
1016         (JSC::DFG::Node::hasUnlinkedLocal):
1017         (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
1018         (JSC::DFG::Node::convertToGetLocal): Deleted.
1019         (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
1020         (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
1021         (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
1022         * dfg/DFGNodeType.h:
1023         * dfg/DFGPredictionPropagationPhase.cpp:
1024         * dfg/DFGSafeToExecute.h:
1025         (JSC::DFG::safeToExecute):
1026         * dfg/DFGSpeculativeJIT32_64.cpp:
1027         (JSC::DFG::SpeculativeJIT::compile):
1028         * dfg/DFGSpeculativeJIT64.cpp:
1029         (JSC::DFG::SpeculativeJIT::compile):
1030         * dfg/DFGStackLayoutPhase.cpp:
1031         (JSC::DFG::StackLayoutPhase::run):
1032         * dfg/DFGValidate.cpp:
1033
1034 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1035
1036         Make ArgList::data() private again when we can remove callWasmFunction().
1037         https://bugs.webkit.org/show_bug.cgi?id=168582
1038
1039         Reviewed by JF Bastien.
1040
1041         Make ArgList::data() private since we already removed callWasmFunction.
1042
1043         * runtime/ArgList.h:
1044
1045 2016-08-05  Darin Adler  <darin@apple.com>
1046
1047         Fix some minor problems in the StringImpl header
1048         https://bugs.webkit.org/show_bug.cgi?id=160630
1049
1050         Reviewed by Brent Fulgham.
1051
1052         * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
1053         Yarr namespacing since we use "using namespace" in this file.
1054
1055 2017-11-24  Mark Lam  <mark.lam@apple.com>
1056
1057         Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
1058         https://bugs.webkit.org/show_bug.cgi?id=179936
1059         <rdar://problem/35623998>
1060
1061         Reviewed by Saam Barati.
1062
1063         This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
1064         See https://bugs.webkit.org/show_bug.cgi?id=179684.
1065
1066         Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
1067         was allocating stack space to stash arguments (to be forwarded) and new frame
1068         info.  The location of this new stash space happens to lie beyond the top of frame
1069         of the tail call caller frame.  After stashing the arguments, the code proceeded
1070         to load the callee codeBlock.  This triggered an allocation, which in turn,
1071         triggered stack sanitization.  The CLoop stack sanitizer was relying on
1072         frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
1073         that turned out to be inadequate.  As a result, part of the stashed data was
1074         zeroed out, and subsequently led to a crash.
1075
1076         This bug does not affect JIT builds (i.e. the ASM LLint) for 2 reasons:
1077         1. JIT builds do stack sanitization in the LLInt code itself (different from the
1078            CLoop implementation), and the sanitizer there is aware of the true top of
1079            stack value (i.e. the stack pointer).
1080         2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
1081            parallel stack is one condition necessary for reproducing this issue.
1082
1083         The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
1084         every time before it calls out to native C++ code.  This also brings the CLoop's
1085         behavior closer to hardware behavior where we can know where the stack pointer
1086         is after calling from JS back into native C++ code, which makes it easier to
1087         reason about correctness.
1088
1089         Also simplified the various stack boundary calculations (removed the +1 and -1
1090         adjustments).  The CLoopStack bounds are now:
1091
1092             reservationTop(): the lowest reserved address that can be within stack bounds.
1093             m_commitTop: the lowest address within stack bounds that has been committed.
1094             lowAddress() aka m_end: the lowest stack address that JS code can use.
1095             m_lastStackPointer: cache of the last m_currentStackPointer value.
1096             m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
1097             highAddress(): the highest address just beyond the bounds of the stack.
1098
1099         Also deleted some unneeded code.
1100
1101         * interpreter/CLoopStack.cpp:
1102         (JSC::CLoopStack::CLoopStack):
1103         (JSC::CLoopStack::gatherConservativeRoots):
1104         (JSC::CLoopStack::sanitizeStack):
1105         (JSC::CLoopStack::setSoftReservedZoneSize):
1106         * interpreter/CLoopStack.h:
1107         (JSC::CLoopStack::setCurrentStackPointer):
1108         (JSC::CLoopStack::lowAddress const):
1109
1110         (JSC::CLoopStack::baseOfStack const): Deleted.
1111         - Not needed after we simplified the code and removed all the +1/-1 adjustments.
1112           Now, it has the exact same value as highAddress() and can be removed.
1113
1114         * interpreter/CLoopStackInlines.h:
1115         (JSC::CLoopStack::ensureCapacityFor):
1116         (JSC::CLoopStack::currentStackPointer):
1117         (JSC::CLoopStack::setCLoopStackLimit):
1118
1119         (JSC::CLoopStack::topOfFrameFor): Deleted.
1120         - Not needed.
1121
1122         (JSC::CLoopStack::topOfStack): Deleted.
1123         - Supplanted by currentStackPointer().
1124
1125         (JSC::CLoopStack::shrink): Deleted.
1126         - This is unused.
1127
1128         * llint/LowLevelInterpreter.cpp:
1129         (JSC::CLoop::execute):
1130         - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
1131           upon exiting the interpreter loop.
1132
1133         * offlineasm/cloop.rb:
1134         - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
1135           call from JS into C++ code.
1136
1137         * tools/VMInspector.h:
1138         - Added some default argument values. These were being used while debugging this
1139           issue.
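
The stack sanitization race this entry describes, as an added model (constructed code, not WebKit's CLoopStack): `ModelStack`, `sanitizeUsingTopOfFrame`, `sanitizeUsingStackPointer`, `stashArguments` and `runScenario` are hypothetical names, and the stack is a plain array whose indices stand in for addresses.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model of the CLoopStack bug described in the entry above; not
// WebKit code. The interpreter stack grows downward through a plain array, so
// "addresses" are indices into it and index 0 plays the role of lowAddress().
struct ModelStack {
    std::vector<uint32_t> words;       // the parallel stack
    size_t topOfFrame;                 // lowest index owned by the current frame
    size_t currentStackPointer;        // model of CLoopStack::m_currentStackPointer

    explicit ModelStack(size_t size)
        : words(size, 0xAAAAAAAAu)     // garbage pattern, so zeroing is visible
        , topOfFrame(size)             // empty stack: frame top == highAddress()
        , currentStackPointer(size)
    { }

    size_t highAddress() const { return words.size(); }
};

// Old sanitizer behaviour as described: trust frame->topOfFrame() as the
// boundary of the used stack and zero everything below it.
inline void sanitizeUsingTopOfFrame(ModelStack& s)
{
    for (size_t i = 0; i < s.topOfFrame; ++i)
        s.words[i] = 0;
}

// Fixed behaviour: zero only below the stack pointer that was recorded
// before calling out of the interpreter into C++.
inline void sanitizeUsingStackPointer(ModelStack& s)
{
    for (size_t i = 0; i < s.currentStackPointer; ++i)
        s.words[i] = 0;
}

// Models op_tail_call_forward_arguments stashing forwarded arguments just
// beyond (below) the caller's top of frame. Returns the stash base index.
inline size_t stashArguments(ModelStack& s, const std::vector<uint32_t>& args)
{
    size_t base = s.topOfFrame - args.size();
    for (size_t i = 0; i < args.size(); ++i)
        s.words[base + i] = args[i];
    return base;
}

inline bool stashIntact(const ModelStack& s, size_t base, const std::vector<uint32_t>& args)
{
    for (size_t i = 0; i < args.size(); ++i) {
        if (s.words[base + i] != args[i])
            return false;
    }
    return true;
}

// Scenario from the entry: a caller frame is live, arguments are stashed
// below it, then the interpreter "calls into C++" (loading the callee
// CodeBlock), which allocates and therefore may sanitize the stack.
// Returns whether the stashed arguments survived.
inline bool runScenario(bool recordStackPointerBeforeCallingOut)
{
    ModelStack stack(64);
    stack.topOfFrame = stack.highAddress() - 8;   // constructed 8-word caller frame
    const std::vector<uint32_t> args { 0x11u, 0x22u, 0x33u };
    size_t base = stashArguments(stack, args);

    if (recordStackPointerBeforeCallingOut) {
        stack.currentStackPointer = base;         // the fix: record SP at the boundary
        sanitizeUsingStackPointer(stack);
    } else {
        sanitizeUsingTopOfFrame(stack);           // the bug: the stash lies below topOfFrame
    }
    return stashIntact(stack, base, args);
}

int main()
{
    std::printf("sanitize via topOfFrame:  stash intact = %d\n", runScenario(false));   // 0
    std::printf("sanitize via recorded SP: stash intact = %d\n", runScenario(true));    // 1
    return 0;
}
```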
1140
1141 2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1142
1143         [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
1144         https://bugs.webkit.org/show_bug.cgi?id=179923
1145
1146         Reviewed by Darin Adler.
1147
1148         We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
1149         So we can use it as a marker of a deleted bucket.
1150
1151         This patch uses the empty key as a deleted flag and drops the m_deleted field of HashMapBucket.
1152         It shrinks the size of HashMapBucket considerably.
1153
1154         * dfg/DFGSpeculativeJIT.cpp:
1155         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1156         * ftl/FTLAbstractHeapRepository.h:
1157         * ftl/FTLLowerDFGToB3.cpp:
1158         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1159         * runtime/HashMapImpl.h:
1160         (JSC::HashMapBucket::createSentinel):
1161         We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
1162         Although the sentinel's deleted flag becomes false since its key is set, it is not a problem since the deleted
1163         flag of the sentinel bucket is not used.
1164
1165         (JSC::HashMapBucket::HashMapBucket):
1166         (JSC::HashMapBucket::deleted const):
1167         (JSC::HashMapBucket::makeDeleted):
1168         (JSC::HashMapImpl::remove):
1169         (JSC::HashMapImpl::clear):
1170         (JSC::HashMapImpl::setUpHeadAndTail):
1171         (JSC::HashMapImpl::addNormalizedInternal):
1172         (JSC::HashMapBucket::setDeleted): Deleted.
1173         (JSC::HashMapBucket::offsetOfDeleted): Deleted.
1174         (): Deleted.
1175
1176 2017-11-24  Mark Lam  <mark.lam@apple.com>
1177
1178         Move unsafe jsc shell test functions to the $vm object.
1179         https://bugs.webkit.org/show_bug.cgi?id=179980
1180
1181         Reviewed by Yusuke Suzuki.
1182
1183         Also removed setElementRoot() which was not used.
1184
1185         * jsc.cpp:
1186         (GlobalObject::finishCreation):
1187         (WTF::Element::Element): Deleted.
1188         (WTF::Element::root const): Deleted.
1189         (WTF::Element::setRoot): Deleted.
1190         (WTF::Element::create): Deleted.
1191         (WTF::Element::visitChildren): Deleted.
1192         (WTF::Element::createStructure): Deleted.
1193         (WTF::Root::Root): Deleted.
1194         (WTF::Root::element): Deleted.
1195         (WTF::Root::setElement): Deleted.
1196         (WTF::Root::create): Deleted.
1197         (WTF::Root::createStructure): Deleted.
1198         (WTF::Root::visitChildren): Deleted.
1199         (WTF::ImpureGetter::ImpureGetter): Deleted.
1200         (WTF::ImpureGetter::createStructure): Deleted.
1201         (WTF::ImpureGetter::create): Deleted.
1202         (WTF::ImpureGetter::finishCreation): Deleted.
1203         (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
1204         (WTF::ImpureGetter::visitChildren): Deleted.
1205         (WTF::ImpureGetter::setDelegate): Deleted.
1206         (WTF::CustomGetter::CustomGetter): Deleted.
1207         (WTF::CustomGetter::createStructure): Deleted.
1208         (WTF::CustomGetter::create): Deleted.
1209         (WTF::CustomGetter::getOwnPropertySlot): Deleted.
1210         (WTF::CustomGetter::customGetter): Deleted.
1211         (WTF::CustomGetter::customGetterAcessor): Deleted.
1212         (WTF::RuntimeArray::create): Deleted.
1213         (WTF::RuntimeArray::~RuntimeArray): Deleted.
1214         (WTF::RuntimeArray::destroy): Deleted.
1215         (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
1216         (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
1217         (WTF::RuntimeArray::put): Deleted.
1218         (WTF::RuntimeArray::deleteProperty): Deleted.
1219         (WTF::RuntimeArray::getLength const): Deleted.
1220         (WTF::RuntimeArray::createPrototype): Deleted.
1221         (WTF::RuntimeArray::createStructure): Deleted.
1222         (WTF::RuntimeArray::finishCreation): Deleted.
1223         (WTF::RuntimeArray::RuntimeArray): Deleted.
1224         (WTF::RuntimeArray::lengthGetter): Deleted.
1225         (WTF::SimpleObject::SimpleObject): Deleted.
1226         (WTF::SimpleObject::create): Deleted.
1227         (WTF::SimpleObject::visitChildren): Deleted.
1228         (WTF::SimpleObject::createStructure): Deleted.
1229         (WTF::SimpleObject::hiddenValue): Deleted.
1230         (WTF::SimpleObject::setHiddenValue): Deleted.
1231         (WTF::DOMJITNode::DOMJITNode): Deleted.
1232         (WTF::DOMJITNode::createStructure): Deleted.
1233         (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
1234         (WTF::DOMJITNode::create): Deleted.
1235         (WTF::DOMJITNode::value const): Deleted.
1236         (WTF::DOMJITNode::offsetOfValue): Deleted.
1237         (WTF::DOMJITGetter::DOMJITGetter): Deleted.
1238         (WTF::DOMJITGetter::createStructure): Deleted.
1239         (WTF::DOMJITGetter::create): Deleted.
1240         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
1241         (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
1242         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
1243         (WTF::DOMJITGetter::customGetter): Deleted.
1244         (WTF::DOMJITGetter::finishCreation): Deleted.
1245         (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
1246         (WTF::DOMJITGetterComplex::createStructure): Deleted.
1247         (WTF::DOMJITGetterComplex::create): Deleted.
1248         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
1249         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
1250         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
1251         (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
1252         (WTF::DOMJITGetterComplex::customGetter): Deleted.
1253         (WTF::DOMJITGetterComplex::finishCreation): Deleted.
1254         (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
1255         (WTF::DOMJITFunctionObject::createStructure): Deleted.
1256         (WTF::DOMJITFunctionObject::create): Deleted.
1257         (WTF::DOMJITFunctionObject::safeFunction): Deleted.
1258         (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
1259         (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
1260         (WTF::DOMJITFunctionObject::finishCreation): Deleted.
1261         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
1262         (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
1263         (WTF::DOMJITCheckSubClassObject::create): Deleted.
1264         (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
1265         (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
1266         (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
1267         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
1268         (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
1269         (WTF::DOMJITGetterBaseJSObject::create): Deleted.
1270         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
1271         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
1272         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
1273         (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
1274         (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
1275         (WTF::Element::handleOwner): Deleted.
1276         (WTF::Element::finishCreation): Deleted.
1277         (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
1278         (JSTestCustomGetterSetter::create): Deleted.
1279         (JSTestCustomGetterSetter::createStructure): Deleted.
1280         (customGetAccessor): Deleted.
1281         (customGetValue): Deleted.
1282         (customSetAccessor): Deleted.
1283         (customSetValue): Deleted.
1284         (JSTestCustomGetterSetter::finishCreation): Deleted.
1285         (GlobalObject::addConstructableFunction): Deleted.
1286         (functionCreateRoot): Deleted.
1287         (functionCreateElement): Deleted.
1288         (functionGetElement): Deleted.
1289         (functionSetElementRoot): Deleted.
1290         (functionCreateSimpleObject): Deleted.
1291         (functionGetHiddenValue): Deleted.
1292         (functionSetHiddenValue): Deleted.
1293         (functionCreateProxy): Deleted.
1294         (functionCreateRuntimeArray): Deleted.
1295         (functionCreateImpureGetter): Deleted.
1296         (functionCreateCustomGetterObject): Deleted.
1297         (functionCreateDOMJITNodeObject): Deleted.
1298         (functionCreateDOMJITGetterObject): Deleted.
1299         (functionCreateDOMJITGetterComplexObject): Deleted.
1300         (functionCreateDOMJITFunctionObject): Deleted.
1301         (functionCreateDOMJITCheckSubClassObject): Deleted.
1302         (functionCreateDOMJITGetterBaseJSObject): Deleted.
1303         (functionSetImpureGetterDelegate): Deleted.
1304         (functionGetGetterSetter): Deleted.
1305         (functionShadowChickenFunctionsOnStack): Deleted.
1306         (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
1307         (functionGlobalObjectForObject): Deleted.
1308         (functionLoadGetterFromGetterSetter): Deleted.
1309         (functionCreateCustomTestGetterSetter): Deleted.
1310         (functionAbort): Deleted.
1311         (functionFindTypeForExpression): Deleted.
1312         (functionReturnTypeFor): Deleted.
1313         (functionDumpBasicBlockExecutionRanges): Deleted.
1314         (functionHasBasicBlockExecuted): Deleted.
1315         (functionBasicBlockExecutionCount): Deleted.
1316         (functionEnableExceptionFuzz): Deleted.
1317         (functionCreateBuiltin): Deleted.
1318         * runtime/JSGlobalObject.cpp:
1319         (JSC::JSGlobalObject::init):
1320         * tools/JSDollarVM.cpp:
1321         (WTF::Element::Element):
1322         (WTF::Element::root const):
1323         (WTF::Element::setRoot):
1324         (WTF::Element::create):
1325         (WTF::Element::visitChildren):
1326         (WTF::Element::createStructure):
1327         (WTF::Root::Root):
1328         (WTF::Root::element):
1329         (WTF::Root::setElement):
1330         (WTF::Root::create):
1331         (WTF::Root::createStructure):
1332         (WTF::Root::visitChildren):
1333         (WTF::SimpleObject::SimpleObject):
1334         (WTF::SimpleObject::create):
1335         (WTF::SimpleObject::visitChildren):
1336         (WTF::SimpleObject::createStructure):
1337         (WTF::SimpleObject::hiddenValue):
1338         (WTF::SimpleObject::setHiddenValue):
1339         (WTF::ImpureGetter::ImpureGetter):
1340         (WTF::ImpureGetter::createStructure):
1341         (WTF::ImpureGetter::create):
1342         (WTF::ImpureGetter::finishCreation):
1343         (WTF::ImpureGetter::getOwnPropertySlot):
1344         (WTF::ImpureGetter::visitChildren):
1345         (WTF::ImpureGetter::setDelegate):
1346         (WTF::CustomGetter::CustomGetter):
1347         (WTF::CustomGetter::createStructure):
1348         (WTF::CustomGetter::create):
1349         (WTF::CustomGetter::getOwnPropertySlot):
1350         (WTF::CustomGetter::customGetter):
1351         (WTF::CustomGetter::customGetterAcessor):
1352         (WTF::RuntimeArray::create):
1353         (WTF::RuntimeArray::~RuntimeArray):
1354         (WTF::RuntimeArray::destroy):
1355         (WTF::RuntimeArray::getOwnPropertySlot):
1356         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
1357         (WTF::RuntimeArray::put):
1358         (WTF::RuntimeArray::deleteProperty):
1359         (WTF::RuntimeArray::getLength const):
1360         (WTF::RuntimeArray::createPrototype):
1361         (WTF::RuntimeArray::createStructure):
1362         (WTF::RuntimeArray::finishCreation):
1363         (WTF::RuntimeArray::RuntimeArray):
1364         (WTF::RuntimeArray::lengthGetter):
1365         (WTF::DOMJITNode::DOMJITNode):
1366         (WTF::DOMJITNode::createStructure):
1367         (WTF::DOMJITNode::checkSubClassSnippet):
1368         (WTF::DOMJITNode::create):
1369         (WTF::DOMJITNode::value const):
1370         (WTF::DOMJITNode::offsetOfValue):
1371         (WTF::DOMJITGetter::DOMJITGetter):
1372         (WTF::DOMJITGetter::createStructure):
1373         (WTF::DOMJITGetter::create):
1374         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1375         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
1376         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1377         (WTF::DOMJITGetter::customGetter):
1378         (WTF::DOMJITGetter::finishCreation):
1379         (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
1380         (WTF::DOMJITGetterComplex::createStructure):
1381         (WTF::DOMJITGetterComplex::create):
1382         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1383         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
1384         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1385         (WTF::DOMJITGetterComplex::functionEnableException):
1386         (WTF::DOMJITGetterComplex::customGetter):
1387         (WTF::DOMJITGetterComplex::finishCreation):
1388         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
1389         (WTF::DOMJITFunctionObject::createStructure):
1390         (WTF::DOMJITFunctionObject::create):
1391         (WTF::DOMJITFunctionObject::safeFunction):
1392         (WTF::DOMJITFunctionObject::unsafeFunction):
1393         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
1394         (WTF::DOMJITFunctionObject::finishCreation):
1395         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
1396         (WTF::DOMJITCheckSubClassObject::createStructure):
1397         (WTF::DOMJITCheckSubClassObject::create):
1398         (WTF::DOMJITCheckSubClassObject::safeFunction):
1399         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
1400         (WTF::DOMJITCheckSubClassObject::finishCreation):
1401         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
1402         (WTF::DOMJITGetterBaseJSObject::createStructure):
1403         (WTF::DOMJITGetterBaseJSObject::create):
1404         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
1405         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
1406         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
1407         (WTF::DOMJITGetterBaseJSObject::customGetter):
1408         (WTF::DOMJITGetterBaseJSObject::finishCreation):
1409         (WTF::Message::releaseContents):
1410         (WTF::Message::index const):
1411         (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
1412         (WTF::JSTestCustomGetterSetter::create):
1413         (WTF::JSTestCustomGetterSetter::createStructure):
1414         (WTF::customGetAccessor):
1415         (WTF::customGetValue):
1416         (WTF::customSetAccessor):
1417         (WTF::customSetValue):
1418         (WTF::JSTestCustomGetterSetter::finishCreation):
1419         (WTF::Element::handleOwner):
1420         (WTF::Element::finishCreation):
1421         (JSC::functionCrash):
1422         (JSC::functionCreateProxy):
1423         (JSC::functionCreateRuntimeArray):
1424         (JSC::functionCreateImpureGetter):
1425         (JSC::functionCreateCustomGetterObject):
1426         (JSC::functionCreateDOMJITNodeObject):
1427         (JSC::functionCreateDOMJITGetterObject):
1428         (JSC::functionCreateDOMJITGetterComplexObject):
1429         (JSC::functionCreateDOMJITFunctionObject):
1430         (JSC::functionCreateDOMJITCheckSubClassObject):
1431         (JSC::functionCreateDOMJITGetterBaseJSObject):
1432         (JSC::functionSetImpureGetterDelegate):
1433         (JSC::functionCreateBuiltin):
1434         (JSC::functionCreateRoot):
1435         (JSC::functionCreateElement):
1436         (JSC::functionGetElement):
1437         (JSC::functionCreateSimpleObject):
1438         (JSC::functionGetHiddenValue):
1439         (JSC::functionSetHiddenValue):
1440         (JSC::functionShadowChickenFunctionsOnStack):
1441         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
1442         (JSC::functionFindTypeForExpression):
1443         (JSC::functionReturnTypeFor):
1444         (JSC::functionDumpBasicBlockExecutionRanges):
1445         (JSC::functionHasBasicBlockExecuted):
1446         (JSC::functionBasicBlockExecutionCount):
1447         (JSC::functionEnableExceptionFuzz):
1448         (JSC::functionGlobalObjectForObject):
1449         (JSC::functionGetGetterSetter):
1450         (JSC::functionLoadGetterFromGetterSetter):
1451         (JSC::functionCreateCustomTestGetterSetter):
1452         (JSC::JSDollarVM::finishCreation):
1453         (JSC::JSDollarVM::addFunction):
1454         (JSC::JSDollarVM::addConstructibleFunction):
1455         * tools/JSDollarVM.h:
1456         (JSC::JSDollarVM::create):
1457
1458 2017-11-23  Simon Fraser  <simon.fraser@apple.com>
1459
1460         Minor ArrayBufferView cleanup
1461         https://bugs.webkit.org/show_bug.cgi?id=179966
1462
1463         Reviewed by Darin Adler.
1464         
1465         Use void* for data pointers when we don't need to do offset math. Use const for
1466         source pointers.
1467         
1468         Prefer uint8_t* to char*.
1469         
1470         Add comments noting that the assertions should not be made release assertions
1471         as recommended by the style checker, since the point is to avoid the virtual byteLength()
1472         call in release.
1473
1474         * runtime/ArrayBufferView.h:
1475         (JSC::ArrayBufferView::setImpl):
1476         (JSC::ArrayBufferView::setRangeImpl):
1477         (JSC::ArrayBufferView::getRangeImpl):
1478         (JSC::ArrayBufferView::zeroRangeImpl):
1479
1480 2017-11-23  Darin Adler  <darin@apple.com>
1481
1482         Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
1483         https://bugs.webkit.org/show_bug.cgi?id=179907
1484
1485         Reviewed by Sam Weinig.
1486
1487         * inspector/agents/InspectorDebuggerAgent.cpp:
1488         (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
1489         defaults to that.
1490
1491         * runtime/StringPrototype.cpp:
1492         (JSC::stringIncludesImpl): Use String::find since there is no overload of
1493         String::contains that takes a start offset now that we removed the one that took a
1494         caseSensitive boolean. We can add one later if we like, but this should do for now.
1495
1496         * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
1497         the StringImpl.h header because it is only used here.
1498
1499 2017-11-22  Simon Fraser  <simon.fraser@apple.com>
1500
1501         Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
1502         because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
1503         
1504         Also name the argument to zeroRange() to 'count' since it's an item count.
1505
1506         * runtime/GenericTypedArrayView.h:
1507         (JSC::GenericTypedArrayView::zeroRange):
1508         (JSC::GenericTypedArrayView::getRange):
1509
1510 2017-11-21  Simon Fraser  <simon.fraser@apple.com>
1511
1512         Allow for more efficient use of GenericTypedArrayView
1513         https://bugs.webkit.org/show_bug.cgi?id=179899
1514
1515         Reviewed by Sam Weinig.
1516         
1517         Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
1518         under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
1519         in a length.
1520
1521         Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
1522         byteLength() calls.
1523         
1524         Renamed 'dataLength' to 'count' in setRange() to be clearer.
1525         
1526         Added setNative() for callers who don't need clamping of doubles.
1527
1528         * runtime/ArrayBufferView.h:
1529         (JSC::ArrayBufferView::setRangeImpl):
1530         (JSC::ArrayBufferView::getRangeImpl):
1531         * runtime/GenericTypedArrayView.h:
1532         (JSC::GenericTypedArrayView::setRange):
1533         (JSC::GenericTypedArrayView::setNative const):
1534         (JSC::GenericTypedArrayView::getRange):
1535         (JSC::GenericTypedArrayView::checkInboundData const):
1536         (JSC::GenericTypedArrayView::internalByteLength const):
1537
1538 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1539
1540         [DFG][FTL] Support MapSet / SetAdd intrinsics
1541         https://bugs.webkit.org/show_bug.cgi?id=179858
1542
1543         Reviewed by Saam Barati.
1544
1545         Map.prototype.set and Set.prototype.add use the MapHash value anyway.
1546         By handling them as MapSet and SetAdd DFG nodes and decoupling
1547         MapSet and SetAdd nodes from the MapHash DFG node, we have a chance to
1548         remove duplicate MapHash calculation for the same key.
1549
1550         One story is *set-if-not-exists*.
1551
1552             if (!map.has(key))
1553                 map.set(key, value);
1554
1555         In the above code, both `has` and `set` require the hash value for `key`.
1556         If we can change `set` to the series of DFG nodes:
1557
1558             1: MapHash(key)
1559             2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)
1560
1561         we can remove the duplicate @1 produced by the `has` operation.
1562
1563         This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively.
1564
1565                                          baseline                  patched
1566
1567             map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
1568             map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster
1569
1570         Microbenchmarks
1571
1572             map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster
1573
1574         * dfg/DFGAbstractInterpreterInlines.h:
1575         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1576         * dfg/DFGByteCodeParser.cpp:
1577         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1578         * dfg/DFGClobberize.h:
1579         (JSC::DFG::clobberize):
1580         * dfg/DFGDoesGC.cpp:
1581         (JSC::DFG::doesGC):
1582         * dfg/DFGFixupPhase.cpp:
1583         (JSC::DFG::FixupPhase::fixupNode):
1584         * dfg/DFGNodeType.h:
1585         * dfg/DFGOperations.cpp:
1586         * dfg/DFGOperations.h:
1587         * dfg/DFGPredictionPropagationPhase.cpp:
1588         * dfg/DFGSafeToExecute.h:
1589         (JSC::DFG::safeToExecute):
1590         * dfg/DFGSpeculativeJIT.cpp:
1591         (JSC::DFG::SpeculativeJIT::compileSetAdd):
1592         (JSC::DFG::SpeculativeJIT::compileMapSet):
1593         * dfg/DFGSpeculativeJIT.h:
1594         (JSC::DFG::SpeculativeJIT::callOperation):
1595         * dfg/DFGSpeculativeJIT32_64.cpp:
1596         (JSC::DFG::SpeculativeJIT::compile):
1597         * dfg/DFGSpeculativeJIT64.cpp:
1598         (JSC::DFG::SpeculativeJIT::compile):
1599         * ftl/FTLCapabilities.cpp:
1600         (JSC::FTL::canCompile):
1601         * ftl/FTLLowerDFGToB3.cpp:
1602         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1603         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
1604         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
1605         * jit/JITOperations.h:
1606         * runtime/HashMapImpl.h:
1607         (JSC::HashMapImpl::addNormalized):
1608         (JSC::HashMapImpl::addNormalizedInternal):
1609         * runtime/Intrinsic.cpp:
1610         (JSC::intrinsicName):
1611         * runtime/Intrinsic.h:
1612         * runtime/MapPrototype.cpp:
1613         (JSC::MapPrototype::finishCreation):
1614         * runtime/SetPrototype.cpp:
1615         (JSC::SetPrototype::finishCreation):
1616
1617 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1618
1619         [JSC] Allow poly proto for intrinsic getters
1620         https://bugs.webkit.org/show_bug.cgi?id=179550
1621
1622         Reviewed by Saam Barati.
1623
1624         This patch allows intrinsic getters to accept poly proto.
1625         We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
1626         poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
1627         code for poly proto case.
1628
1629         * bytecode/IntrinsicGetterAccessCase.cpp:
1630         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
1631         (JSC::IntrinsicGetterAccessCase::create):
1632         * bytecode/IntrinsicGetterAccessCase.h:
1633         * jit/IntrinsicEmitter.cpp:
1634         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
1635         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
1636         * jit/Repatch.cpp:
1637         (JSC::tryCacheGetByID):
1638
1639 2017-11-20  Don Olmstead  <don.olmstead@sony.com>
1640
1641         Detect __declspec within JSBase.h
1642         https://bugs.webkit.org/show_bug.cgi?id=179892
1643
1644         Reviewed by Darin Adler.
1645
1646         * API/JSBase.h:
1647
1648 2017-11-19  Tim Horton  <timothy_horton@apple.com>
1649
1650         Remove unused TOUCH_ICON_LOADING feature flag
1651         https://bugs.webkit.org/show_bug.cgi?id=179873
1652
1653         Reviewed by Simon Fraser.
1654
1655         * Configurations/FeatureDefines.xcconfig:
1656
1657 2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1658
1659         Add CPU(UNKNOWN) to cover all the unknown CPU types
1660         https://bugs.webkit.org/show_bug.cgi?id=179243
1661
1662         Reviewed by JF Bastien.
1663
1664         * CMakeLists.txt:
1665
1666 2017-11-19  Tim Horton  <timothy_horton@apple.com>
1667
1668         Remove unused LEGACY_VENDOR_PREFIXES feature flag
1669         https://bugs.webkit.org/show_bug.cgi?id=179872
1670
1671         Reviewed by Darin Adler.
1672
1673         * Configurations/FeatureDefines.xcconfig:
1674
1675 2017-11-18  Tim Horton  <timothy_horton@apple.com>
1676
1677         Fix typos in closing ENABLE() comments
1678         https://bugs.webkit.org/show_bug.cgi?id=179869
1679
1680         Unreviewed.
1681
1682         * wasm/WasmMemory.h:
1683         * wasm/WasmMemoryMode.h:
1684
1685 2017-11-17  JF Bastien  <jfbastien@apple.com>
1686
1687         NFC update ClassInfo to C++14
1688         https://bugs.webkit.org/show_bug.cgi?id=179783
1689
1690         Reviewed by Mark Lam.
1691
1692         Forked from #179734, use `using` instead of `typedef`. It's easier
1693         to read.
1694
1695         * runtime/ClassInfo.h:
1696
1697 2017-11-17  JF Bastien  <jfbastien@apple.com>
1698
1699         WebAssembly JS API: throw when a promise can't be created
1700         https://bugs.webkit.org/show_bug.cgi?id=179826
1701         <rdar://problem/35455813>
1702
1703         Reviewed by Mark Lam.
1704
1705         Failure *in* a promise causes rejection, but failure to create a
1706         promise (because of stack overflow) isn't really spec'd (as with all
1707         stack-related things in JS). This applies to WebAssembly.compile and
1708         WebAssembly.instantiate.
1709
1710         Dan's current proposal says:
1711
1712             https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
1713
1714             Whenever a stack overflow occurs in WebAssembly code, the same
1715             class of exception is thrown as for a stack overflow in
1716             JavaScript. The particular exception here is
1717             implementation-defined in both cases.
1718
1719             Note: ECMAScript doesn’t specify any sort of behavior on stack
1720             overflow; implementations have been observed to throw RangeError,
1721             InternalError or Error. Any is valid here.
1722
1723         This is for general stack overflow within WebAssembly, not
1724         specifically for promise creation within JavaScript, but it seems
1725         like a stack overflow in promise creation should follow the same
1726         rule instead of, say, swallowing the overflow and returning
1727         undefined.
1728
1729         * wasm/js/WebAssemblyPrototype.cpp:
1730         (JSC::webAssemblyCompileFunc):
1731         (JSC::webAssemblyInstantiateFunc):
1732
1733 2017-11-16  Daniel Bates  <dabates@apple.com>
1734
1735         Add feature define for alternative presentation button element
1736         https://bugs.webkit.org/show_bug.cgi?id=179692
1737         Part of <rdar://problem/34917108>
1738
1739         Reviewed by Andy Estes.
1740
1741         Only enabled on Cocoa platforms by default.
1742
1743         * Configurations/FeatureDefines.xcconfig:
1744
1745 2017-11-16  Saam Barati  <sbarati@apple.com>
1746
1747         Fix a bug with cpuid in the FTL.
1748
1749         Rubber stamped by Mark Lam.
1750
1751         Before uploading the previous patch, I tried to condense the code. I
1752         accidentally removed a crucial line saying that CPUID clobbers various
1753         registers.
1754
1755         * ftl/FTLLowerDFGToB3.cpp:
1756         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
1757
1758 2017-11-16  Saam Barati  <sbarati@apple.com>
1759
1760         Add some X86 intrinsics to $vm to help with some perf testing
1761         https://bugs.webkit.org/show_bug.cgi?id=179693
1762
1763         Reviewed by Mark Lam.
1764
1765         I've been doing some local perf testing of various ideas and have
1766         had these come in handy. I'm going to land them in dollarVM to prevent
1767         having to add them to my local build every time I do perf testing.
1768
1769         * assembler/MacroAssemblerX86Common.h:
1770         (JSC::MacroAssemblerX86Common::mfence):
1771         (JSC::MacroAssemblerX86Common::rdtsc):
1772         (JSC::MacroAssemblerX86Common::pause):
1773         (JSC::MacroAssemblerX86Common::cpuid):
1774         * assembler/X86Assembler.h:
1775         (JSC::X86Assembler::rdtsc):
1776         (JSC::X86Assembler::pause):
1777         (JSC::X86Assembler::cpuid):
1778         * dfg/DFGAbstractInterpreterInlines.h:
1779         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1780         * dfg/DFGByteCodeParser.cpp:
1781         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1782         * dfg/DFGClobberize.h:
1783         (JSC::DFG::clobberize):
1784         * dfg/DFGDoesGC.cpp:
1785         (JSC::DFG::doesGC):
1786         * dfg/DFGFixupPhase.cpp:
1787         (JSC::DFG::FixupPhase::fixupNode):
1788         * dfg/DFGGraph.cpp:
1789         (JSC::DFG::Graph::dump):
1790         * dfg/DFGNode.h:
1791         (JSC::DFG::Node::intrinsic):
1792         * dfg/DFGNodeType.h:
1793         * dfg/DFGPredictionPropagationPhase.cpp:
1794         * dfg/DFGSafeToExecute.h:
1795         (JSC::DFG::safeToExecute):
1796         * dfg/DFGSpeculativeJIT32_64.cpp:
1797         (JSC::DFG::SpeculativeJIT::compile):
1798         * dfg/DFGSpeculativeJIT64.cpp:
1799         (JSC::DFG::SpeculativeJIT::compile):
1800         * dfg/DFGValidate.cpp:
1801         * ftl/FTLCapabilities.cpp:
1802         (JSC::FTL::canCompile):
1803         * ftl/FTLLowerDFGToB3.cpp:
1804         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1805         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
1806         * runtime/Intrinsic.cpp:
1807         (JSC::intrinsicName):
1808         * runtime/Intrinsic.h:
1809         * tools/JSDollarVM.cpp:
1810         (JSC::functionCpuMfence):
1811         (JSC::functionCpuRdtsc):
1812         (JSC::functionCpuCpuid):
1813         (JSC::functionCpuPause):
1814         (JSC::functionCpuClflush):
1815         (JSC::JSDollarVM::finishCreation):
1816
1817 2017-11-16  JF Bastien  <jfbastien@apple.com>
1818
1819         It should be easier to reify lazy property names
1820         https://bugs.webkit.org/show_bug.cgi?id=179734
1821         <rdar://problem/35492521>
1822
1823         Reviewed by Keith Miller.
1824
1825         We reify lazy property names in a few different ways, each
1826         specific to the JSCell implementation, in put() instead of having
1827         a special function to do reification. Let's make that simpler.
1828
1829         This patch makes it easier to reify property names in a uniform
1830         manner, and does so in JSFunction. As a follow up I'll use the
1831         same mechanics for:
1832
1833         ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
1834         ErrorConstructor  stackTraceLimit
1835         ErrorInstance     line, column, sourceURL, stack
1836         GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
1837         GetterSetter      RELEASE_ASSERT_NOT_REACHED()
1838         JSArray           length
1839         RegExpObject      lastIndex
1840         StringObject      length
1841
1842         * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
1843         * runtime/JSCell.cpp:
1844         (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
1845         * runtime/JSCell.h:
1846         * runtime/JSFunction.cpp: `name` and `length` can be reified.
1847         (JSC::JSFunction::reifyPropertyNameIfNeeded):
1848         (JSC::JSFunction::put):
1849         (JSC::JSFunction::reifyLength):
1850         (JSC::JSFunction::reifyName):
1851         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1852         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
1853         (JSC::JSFunction::reifyLazyLengthIfNeeded):
1854         (JSC::JSFunction::reifyLazyNameIfNeeded):
1855         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1856         * runtime/JSFunction.h:
1857         (JSC::JSFunction::isLazy):
1858         (JSC::JSFunction::isReified):
1859         * runtime/JSObjectInlines.h:
1860         (JSC::JSObject::putDirectInternal): do the reification here.
1861
1862 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1863
1864         Provide a runtime option for disabling the optimization of recursive tail calls
1865         https://bugs.webkit.org/show_bug.cgi?id=179765
1866
1867         Reviewed by Mark Lam.
1868
1869         * bytecode/PreciseJumpTargets.cpp:
1870         (JSC::getJumpTargetsForBytecodeOffset):
1871         * bytecompiler/BytecodeGenerator.cpp:
1872         (JSC::BytecodeGenerator::emitEnter):
1873         * dfg/DFGByteCodeParser.cpp:
1874         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1875         * runtime/Options.h:
1876
1877 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1878
1879         Fix null pointer dereference in bytecodeDumper
1880         https://bugs.webkit.org/show_bug.cgi?id=179764
1881
1882         Reviewed by Mark Lam.
1883
1884         The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
1885
1886         * bytecode/BytecodeDumper.cpp:
1887         (JSC::BytecodeDumper<Block>::printCallOp):
1888
1889 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1890
1891         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1892         https://bugs.webkit.org/show_bug.cgi?id=179763
1893         <rdar://problem/35550513>
1894
1895         Reviewed by Keith Miller.
1896
1897         Fix null pointer dereference caused by an eliminated tdz_check
1898
1899         The problem was when doing an OSR entry in DFG while |this| was null
1900         (because super() had not yet been called in the constructor of this
1901         subclass), it would be marked as non-null, and the tdz_check eliminated.
1902
1903         * dfg/DFGInPlaceAbstractState.cpp:
1904         (JSC::DFG::InPlaceAbstractState::initialize):
1905
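The conditions described in the entry above (a derived-class constructor that gets hot before super() is called, so an optimizing tier may be entered while |this| is still in its temporal dead zone), as an added JavaScript test case. This is not code from the ChangeLog or from the JavaScriptCore sources; the class names, iteration counts and helper functions are assumed for illustration. Reading |this| before super() must throw a ReferenceError at every tier; an engine that has wrongly eliminated the tdz_check would instead dereference a null cell.

```javascript
// Added example, not code from the WebKit ChangeLog or the JSC sources: a
// JavaScript test case in the shape the r224592 regression describes.
// A derived-class constructor spins a hot loop before calling super(), which
// invites a tiering engine to OSR-enter an optimizing tier while |this| is
// still in its temporal dead zone (TDZ). Touching |this| there must throw a
// ReferenceError at every tier; an engine that has wrongly eliminated the
// tdz_check would instead dereference the null |this| cell.

class Base {
    constructor() {
        this.base = true;
    }
}

// Builds a Derived class whose constructor runs `iterations` loop trips before
// super() and, if `touchThis` is set, reads |this| before super() returns.
// (Names and counts are assumptions for this example.)
function makeDerived(iterations, touchThis) {
    return class Derived extends Base {
        constructor() {
            let acc = 0;
            for (let i = 0; i < iterations; i++) // hot loop: OSR-entry bait
                acc += i & 1;
            if (touchThis)
                this.acc = acc; // |this| is uninitialized here: must throw
            super();
            this.acc = acc;
        }
    };
}

// Returns "ReferenceError" when the TDZ check fires as the spec requires,
// "no-throw" if the engine let the access through, or the unexpected error name.
function probeThisBeforeSuper(iterations) {
    const Derived = makeDerived(iterations, true);
    try {
        new Derived();
        return "no-throw";
    } catch (e) {
        return e instanceof ReferenceError ? "ReferenceError" : "other:" + e.name;
    }
}

// Control: the same constructor with the early access removed must succeed and
// observe both the Base field and the loop result.
function constructAfterSuper(iterations) {
    const Derived = makeDerived(iterations, false);
    const obj = new Derived();
    return { base: obj.base, acc: obj.acc };
}

// Run the probe several times so the constructor gets hot across tiers; the
// set of distinct outcomes should collapse to the single correct one.
function runProbe(rounds, iterations) {
    const results = new Set();
    for (let r = 0; r < rounds; r++)
        results.add(probeThisBeforeSuper(iterations));
    return Array.from(results);
}

console.log(runProbe(20, 50000));          // expected: [ 'ReferenceError' ]
console.log(constructAfterSuper(50000));   // expected: { base: true, acc: 25000 }
```

Running the probe repeatedly matters: the bug only shows once the constructor has been compiled by the DFG and entered mid-loop, so a single cold run through the interpreter would pass even on the regressed build.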
1906 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
1907
1908         Unreviewed, rolling out r224863.
1909
1910         Introduced LayoutTest crashes on iOS Simulator.
1911
1912         Reverted changeset:
1913
1914         "Move JSONValues to WTF and convert uses of InspectorValues.h
1915         to JSONValues.h"
1916         https://bugs.webkit.org/show_bug.cgi?id=173793
1917         https://trac.webkit.org/changeset/224863
1918
1919 2017-11-14  Mark Lam  <mark.lam@apple.com>
1920
1921         Gardening: CLoop build fix after r224862.
1922         https://bugs.webkit.org/show_bug.cgi?id=179699
1923
1924         Not reviewed.
1925
1926         * bytecode/CodeBlock.h:
1927         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1928
1929 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
1930
1931         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
1932         https://bugs.webkit.org/show_bug.cgi?id=173793
1933
1934         Reviewed by Brian Burg.
1935
1936         Based on patch by Brian Burg.
1937
1938         * JavaScriptCore.xcodeproj/project.pbxproj:
1939         * Sources.txt:
1940         * bindings/ScriptValue.cpp:
1941         (Inspector::jsToInspectorValue):
1942         (Inspector::toInspectorValue):
1943         (Deprecated::ScriptValue::toInspectorValue const):
1944         * bindings/ScriptValue.h:
1945         * inspector/AsyncStackTrace.cpp:
1946         * inspector/ConsoleMessage.cpp:
1947         * inspector/ContentSearchUtilities.cpp:
1948         * inspector/InjectedScript.cpp:
1949         (Inspector::InjectedScript::getFunctionDetails):
1950         (Inspector::InjectedScript::functionDetails):
1951         (Inspector::InjectedScript::getPreview):
1952         (Inspector::InjectedScript::getProperties):
1953         (Inspector::InjectedScript::getDisplayableProperties):
1954         (Inspector::InjectedScript::getInternalProperties):
1955         (Inspector::InjectedScript::getCollectionEntries):
1956         (Inspector::InjectedScript::saveResult):
1957         (Inspector::InjectedScript::wrapCallFrames const):
1958         (Inspector::InjectedScript::wrapObject const):
1959         (Inspector::InjectedScript::wrapTable const):
1960         (Inspector::InjectedScript::previewValue const):
1961         (Inspector::InjectedScript::setExceptionValue):
1962         (Inspector::InjectedScript::clearExceptionValue):
1963         (Inspector::InjectedScript::inspectObject):
1964         (Inspector::InjectedScript::releaseObject):
1965         * inspector/InjectedScriptBase.cpp:
1966         (Inspector::InjectedScriptBase::makeCall):
1967         (Inspector::InjectedScriptBase::makeEvalCall):
1968         * inspector/InjectedScriptBase.h:
1969         * inspector/InjectedScriptManager.cpp:
1970         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1971         * inspector/InspectorBackendDispatcher.cpp:
1972         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1973         (Inspector::BackendDispatcher::dispatch):
1974         (Inspector::BackendDispatcher::sendResponse):
1975         (Inspector::BackendDispatcher::sendPendingErrors):
1976         (Inspector::BackendDispatcher::getPropertyValue):
1977         (Inspector::castToInteger):
1978         (Inspector::castToNumber):
1979         (Inspector::BackendDispatcher::getInteger):
1980         (Inspector::BackendDispatcher::getDouble):
1981         (Inspector::BackendDispatcher::getString):
1982         (Inspector::BackendDispatcher::getBoolean):
1983         (Inspector::BackendDispatcher::getObject):
1984         (Inspector::BackendDispatcher::getArray):
1985         (Inspector::BackendDispatcher::getValue):
1986         * inspector/InspectorBackendDispatcher.h:
1987         * inspector/InspectorProtocolTypes.h:
1988         (Inspector::Protocol::Array::openAccessors):
1989         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
1990         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1991         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1992         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
1993         * inspector/ScriptCallFrame.cpp:
1994         * inspector/ScriptCallStack.cpp:
1995         * inspector/agents/InspectorAgent.cpp:
1996         (Inspector::InspectorAgent::inspect):
1997         * inspector/agents/InspectorAgent.h:
1998         * inspector/agents/InspectorDebuggerAgent.cpp:
1999         (Inspector::buildAssertPauseReason):
2000         (Inspector::buildCSPViolationPauseReason):
2001         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
2002         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
2003         (Inspector::buildObjectForBreakpointCookie):
2004         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
2005         (Inspector::parseLocation):
2006         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2007         (Inspector::InspectorDebuggerAgent::setBreakpoint):
2008         (Inspector::InspectorDebuggerAgent::continueToLocation):
2009         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2010         (Inspector::InspectorDebuggerAgent::didParseSource):
2011         (Inspector::InspectorDebuggerAgent::breakProgram):
2012         * inspector/agents/InspectorDebuggerAgent.h:
2013         * inspector/agents/InspectorRuntimeAgent.cpp:
2014         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2015         (Inspector::InspectorRuntimeAgent::saveResult):
2016         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2017         * inspector/agents/InspectorRuntimeAgent.h:
2018         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2019         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2020         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2021         (CppBackendDispatcherImplementationGenerator.generate_output):
2022         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2023         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2024         (CppFrontendDispatcherHeaderGenerator.generate_output):
2025         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2026         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2027         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2028         (_generate_unchecked_setter_for_member):
2029         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2030         (CppProtocolTypesImplementationGenerator):
2031         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2032         (ObjCBackendDispatcherImplementationGenerator.generate_output):
2033         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2034         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2035         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2036         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2037         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
2038         * inspector/scripts/codegen/generate_objc_internal_header.py:
2039         (ObjCInternalHeaderGenerator.generate_output):
2040         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2041         (ObjCProtocolTypesImplementationGenerator.generate_output):
2042         * inspector/scripts/codegen/generator.py:
2043         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2044         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2045         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2046         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2047         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2048         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2049         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2050         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2051         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2052         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2053         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2054         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2055         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2056         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2057         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2058         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2059         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2060         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2061         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2062         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2063
2064 2017-11-14  Mark Lam  <mark.lam@apple.com>
2065
2066         Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
2067         https://bugs.webkit.org/show_bug.cgi?id=179699
2068         <rdar://problem/35462346>
2069
2070         Reviewed by Michael Saboff.
2071
2072         * interpreter/Interpreter.cpp:
2073         (JSC::Interpreter::dumpRegisters):
2074         - Need to skip the callee saved registers
2075
2076 2017-11-14  Guillaume Emont  <guijemont@igalia.com>
2077
2078         REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
2079         https://bugs.webkit.org/show_bug.cgi?id=179563
2080
2081         Reviewed by Carlos Alberto Lopez Perez.
2082
2083         When run with BranchIfTruncateSuccessful,
2084         branchTruncateDoubleToInt32() should set the destination register
2085         before branching.
2086         This change also removes branchTruncateDoubleToUInt32() as it is
2087         deprecated (see r160205), merges branchOnTruncateResult() into
2088         branchTruncateDoubleToInt32() and adds test cases in testmasm.
2089
2090         * assembler/MacroAssemblerMIPS.h:
2091         (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
2092         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
2093         Properly set dest before branching.
2094         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
2095         * assembler/testmasm.cpp:
2096         (JSC::testBranchTruncateDoubleToInt32):
2097         (JSC::run):
2098         Add tests for branchTruncateDoubleToInt32().
2099
2100 2017-11-14  Daniel Bates  <dabates@apple.com>
2101
2102         Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
2103         for feature defines
2104
2105         Following r195498 and r201917 the Visual Studio property files for feature defines have
2106         moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
2107         Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
2108         files.
2109
2110         * Configurations/FeatureDefines.xcconfig:
2111
2112 2017-11-14  Mark Lam  <mark.lam@apple.com>
2113
2114         Remove JSDollarVMPrototype.
2115         https://bugs.webkit.org/show_bug.cgi?id=179685
2116
2117         Reviewed by Saam Barati.
2118
2119         1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
2120
2121            This allows us to call these functions during lldb debugging sessions using
2122            VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
2123            VMInspector provides VM debugging utility methods.  It doesn't make sense to
2124            have a JSDollarVMPrototype object provide these methods.
2125
2126            Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
2127
2128         2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
2129
2130            JSDollarVM is a special object used only for debugging purposes.  There's no
2131            gain in requiring its methods to be stored in a prototype object other than to
2132            conform to typical JS convention.  We can remove this complexity.
2133
2134         * JavaScriptCore.xcodeproj/project.pbxproj:
2135         * Sources.txt:
2136         * runtime/JSGlobalObject.cpp:
2137         (JSC::JSGlobalObject::init):
2138         * tools/JSDollarVM.cpp:
2139         (JSC::JSDollarVM::addFunction):
2140         (JSC::functionCrash):
2141         (JSC::functionDFGTrue):
2142         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2143         (JSC::CallerFrameJITTypeFunctor::operator() const):
2144         (JSC::CallerFrameJITTypeFunctor::jitType):
2145         (JSC::functionLLintTrue):
2146         (JSC::functionJITTrue):
2147         (JSC::functionGC):
2148         (JSC::functionEdenGC):
2149         (JSC::functionCodeBlockForFrame):
2150         (JSC::codeBlockFromArg):
2151         (JSC::functionCodeBlockFor):
2152         (JSC::functionPrintSourceFor):
2153         (JSC::functionPrintBytecodeFor):
2154         (JSC::functionPrint):
2155         (JSC::functionPrintCallFrame):
2156         (JSC::functionPrintStack):
2157         (JSC::functionValue):
2158         (JSC::functionGetPID):
2159         (JSC::JSDollarVM::finishCreation):
2160         * tools/JSDollarVM.h:
2161         (JSC::JSDollarVM::create):
2162         * tools/JSDollarVMPrototype.cpp: Removed.
2163         * tools/JSDollarVMPrototype.h: Removed.
2164         * tools/VMInspector.cpp:
2165         (JSC::VMInspector::currentThreadOwnsJSLock):
2166         (JSC::ensureCurrentThreadOwnsJSLock):
2167         (JSC::VMInspector::gc):
2168         (JSC::VMInspector::edenGC):
2169         (JSC::VMInspector::isInHeap):
2170         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
2171         (JSC::CellAddressCheckFunctor::operator() const):
2172         (JSC::VMInspector::isValidCell):
2173         (JSC::VMInspector::isValidCodeBlock):
2174         (JSC::VMInspector::codeBlockForFrame):
2175         (JSC::PrintFrameFunctor::PrintFrameFunctor):
2176         (JSC::PrintFrameFunctor::operator() const):
2177         (JSC::VMInspector::printCallFrame):
2178         (JSC::VMInspector::printStack):
2179         (JSC::VMInspector::printValue):
2180         * tools/VMInspector.h:
2181
2182 2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>
2183
2184         Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
2185         https://bugs.webkit.org/show_bug.cgi?id=179640
2186         <rdar://problem/35517361>
2187
2188         Reviewed by Devin Rousso.
2189
2190         * CMakeLists.txt:
2191         * DerivedSources.make:
2192         Gate the ServiceWorker domain on the ENABLE feature flag.
2193
2194         * inspector/protocol/ServiceWorker.json: Added.
2195         New domain to be made available inside of a ServiceWorker target.
2196
2197 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2198
2199         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2200         https://bugs.webkit.org/show_bug.cgi?id=179594
2201
2202         Reviewed by Saam Barati.
2203
2204         Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
2205         If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
2206         `arguments[i]` accesses if i is in bounds, and (2) encourage the arguments elimination phase
2207         to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
2208         PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
2209
2210         This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
2211         accept this type and emit optimized code compared to the Array::Generic case.
2212
2213         We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) an OutOfBounds
2214         exit instead of an ExoticObjectMode exit.
2215
2216         This change significantly improves SixSpeed rest.es5 since it uses OOB access.
2217         Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
2218
2219             rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster
2220
2221         * dfg/DFGArgumentsEliminationPhase.cpp:
2222         * dfg/DFGArrayMode.cpp:
2223         (JSC::DFG::ArrayMode::refine const):
2224         * dfg/DFGClobberize.h:
2225         (JSC::DFG::clobberize):
2226         * dfg/DFGSpeculativeJIT.cpp:
2227         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2228         * ftl/FTLLowerDFGToB3.cpp:
2229         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2230         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
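
Added example (not WebKit's own code) of the behaviour an optimized GetByVal(Array::DirectArguments+OutOfBounds) path has to preserve: an out-of-bounds `arguments[i]` read is not simply `undefined`, it falls through to the prototype chain of the arguments object, so an entry added to Object.prototype at that index becomes visible, while in-bounds reads keep returning the own element. The helper names, the ES5 rest-emulation loop and the polluted prototype value are constructed for this demo.

```javascript
// Added example, not WebKit code. A sloppy-mode function with a simple
// parameter list: in JSC its `arguments` object is a DirectArguments.
function argAt(i) {
  return arguments[i];
}

// ES5-style rest emulation, the access pattern behind the rest.es5
// benchmark. The loop bound is arguments.length, so every read is in
// bounds; a `skip` past the end simply yields an empty array.
function restEs5(skip) {
  var rest = [];
  for (var i = skip; i < arguments.length; i++) {
    rest.push(arguments[i]);
  }
  return rest;
}

// Reads arguments[index] of a call that passes three values
// (arguments = [index, "a", "b"]) while Object.prototype temporarily
// carries `prototypeValue` at that index. The pollution is constructed
// to show where an out-of-bounds read must resolve: an in-bounds index
// returns the own element, an out-of-bounds one the prototype entry.
function readArgWithPrototypeEntry(index, prototypeValue) {
  Object.defineProperty(Object.prototype, index, {
    value: prototypeValue,
    configurable: true,
    writable: true,
  });
  try {
    return argAt(index, "a", "b");
  } finally {
    delete Object.prototype[index];
  }
}
```

The `readArgWithPrototypeEntry(7, ...)` case is the one a fast path can get wrong: if the OOB branch returned `undefined` directly instead of exiting to a generic lookup, the prototype entry would be silently skipped.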
2231
2232 2017-11-14  Saam Barati  <sbarati@apple.com>
2233
2234         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2235         https://bugs.webkit.org/show_bug.cgi?id=179639
2236         <rdar://problem/35513018>
2237
2238         Reviewed by JF Bastien.
2239
2240         Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
2241         walk the stack for ShadowChicken (and maybe other things). We weren't updating
2242         topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
2243         use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
2244         this bug by giving Wasm::Instance a lambda that is called when we need to store
2245         the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
2246         Currently, JSWebAssemblyInstance passes in a lambda that stores to
2247         VM.topCallFrame.
2248
2249         * wasm/WasmB3IRGenerator.cpp:
2250         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2251         * wasm/WasmInstance.cpp:
2252         (JSC::Wasm::Instance::Instance):
2253         (JSC::Wasm::Instance::create):
2254         * wasm/WasmInstance.h:
2255         (JSC::Wasm::Instance::storeTopCallFrame):
2256         * wasm/js/JSWebAssemblyInstance.cpp:
2257         (JSC::JSWebAssemblyInstance::create):
2258         * wasm/js/JSWebAssemblyInstance.h:
2259         * wasm/js/WasmToJS.cpp:
2260         (JSC::Wasm::wasmToJSException):
2261         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2262         (JSC::constructJSWebAssemblyInstance):
2263         * wasm/js/WebAssemblyPrototype.cpp:
2264         (JSC::instantiate):
2265
2266 2017-11-13  Saam Barati  <sbarati@apple.com>
2267
2268         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
2269         https://bugs.webkit.org/show_bug.cgi?id=179203
2270
2271         Reviewed by Yusuke Suzuki.
2272
2273         This patch only removes the pointer caging for the described types in the title.
2274         These types still allocate out of the gigacage. This is just a cost vs. benefit
2275         tradeoff of performance vs security.
2276
2277         * dfg/DFGSpeculativeJIT.cpp:
2278         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2279         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2280         * ftl/FTLLowerDFGToB3.cpp:
2281         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2282         * jit/JITPropertyAccess.cpp:
2283         (JSC::JIT::emitDirectArgumentsGetByVal):
2284         (JSC::JIT::emitScopedArgumentsGetByVal):
2285         * runtime/DirectArguments.h:
2286         (JSC::DirectArguments::storage):
2287         * runtime/HashMapImpl.cpp:
2288         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2289         * runtime/HashMapImpl.h:
2290         * runtime/JSLexicalEnvironment.h:
2291         (JSC::JSLexicalEnvironment::variables):
2292         * runtime/ScopedArguments.h:
2293         (JSC::ScopedArguments::overflowStorage const):
2294
2295 2017-11-08  Keith Miller  <keith_miller@apple.com>
2296
2297         Async iteration should only fetch the next method once and add feature flag
2298         https://bugs.webkit.org/show_bug.cgi?id=179451
2299
2300         Reviewed by Geoffrey Garen.
2301
2302         Add feature flag for Async iteration. Also, change async iteration to match
2303         the expected behavior of the proposal.
2304
2305         * Configurations/FeatureDefines.xcconfig:
2306         * builtins/AsyncFromSyncIteratorPrototype.js:
2307         (globalPrivate.createAsyncFromSyncIterator):
2308         (globalPrivate.AsyncFromSyncIteratorConstructor):
2309         * builtins/BuiltinNames.h:
2310         * bytecompiler/BytecodeGenerator.cpp:
2311         (JSC::BytecodeGenerator::emitGetAsyncIterator):
2312         * runtime/Options.h:
2313
2314 2017-11-13  Mark Lam  <mark.lam@apple.com>
2315
2316         Add more overflow check book-keeping for MarkedArgumentBuffer.
2317         https://bugs.webkit.org/show_bug.cgi?id=179634
2318         <rdar://problem/35492517>
2319
2320         Reviewed by Saam Barati.
2321
2322         * runtime/ArgList.h:
2323         (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
2324         * runtime/JSJob.cpp:
2325         (JSC::JSJobMicrotask::run):
2326         * runtime/ObjectConstructor.cpp:
2327         (JSC::defineProperties):
2328         * runtime/ReflectObject.cpp:
2329         (JSC::reflectObjectConstruct):
2330
2331 2017-11-13  Guillaume Emont  <guijemont@igalia.com>
2332
2333         [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
2334         https://bugs.webkit.org/show_bug.cgi?id=179542
2335
2336         Reviewed by Alex Christensen.
2337
2338         * assembler/MacroAssemblerARM.h:
2339         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
2340
2341 2017-11-13  Mark Lam  <mark.lam@apple.com>
2342
2343         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2344         https://bugs.webkit.org/show_bug.cgi?id=179619
2345         <rdar://problem/35492518>
2346
2347         Reviewed by Saam Barati.
2348
2349         * jsc.cpp:
2350         (functionLoadGetterFromGetterSetter):
2351
2352 2017-11-12  Darin Adler  <darin@apple.com>
2353
2354         More is<> and downcast<>, less static_cast<>
2355         https://bugs.webkit.org/show_bug.cgi?id=179600
2356
2357         Reviewed by Chris Dumez.
2358
2359         * runtime/JSString.h:
2360         (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
2361         (JSC::jsSubstringOfResolved): Ditto.
2362
2363 2017-11-12  Mark Lam  <mark.lam@apple.com>
2364
2365         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2366         https://bugs.webkit.org/show_bug.cgi?id=179562
2367         <rdar://problem/35467022>
2368
2369         Reviewed by Saam Barati.
2370
2371         * dfg/DFGFixupPhase.cpp:
2372         (JSC::DFG::FixupPhase::fixupNode):
2373         * dfg/DFGOperations.cpp:
2374         * dfg/DFGSafeToExecute.h:
2375         (JSC::DFG::SafeToExecuteEdge::operator()):
2376         * dfg/DFGSpeculativeJIT.cpp:
2377         (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
2378         (JSC::DFG::SpeculativeJIT::speculate):
2379         * dfg/DFGSpeculativeJIT.h:
2380         * dfg/DFGUseKind.cpp:
2381         (WTF::printInternal):
2382         * dfg/DFGUseKind.h:
2383         (JSC::DFG::typeFilterFor):
2384         * ftl/FTLCapabilities.cpp:
2385         (JSC::FTL::canCompile):
2386         * ftl/FTLLowerDFGToB3.cpp:
2387         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2388         (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
2389
2390 2017-11-11  Devin Rousso  <webkit@devinrousso.com>
2391
2392         Web Inspector: Canvas tab: show detailed status during canvas recording
2393         https://bugs.webkit.org/show_bug.cgi?id=178185
2394         <rdar://problem/34939862>
2395
2396         Reviewed by Brian Burg.
2397
2398         * inspector/protocol/Canvas.json:
2399         Add a `recordingProgress` event that is sent to the frontend that contains all the frame
2400         payloads since the last Canvas.recordingProgress event and the current buffer usage.
2401
2402         * inspector/protocol/Recording.json:
2403         Remove the required `frames` parameter from the Recording protocol object, as they will be
2404         sent in batches via the Canvas.recordingProgress event.
2405
2406 2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>
2407
2408         Web Inspector: Make http status codes be "integer" instead of "number" in protocol
2409         https://bugs.webkit.org/show_bug.cgi?id=179543
2410
2411         Reviewed by Antoine Quint.
2412
2413         * inspector/protocol/Network.json:
2414         Use a better type for the status code.
2415
2416 2017-11-10  Robin Morisset  <rmorisset@apple.com>
2417
2418         The memory consumption of DFG::BasicBlock can be easily reduced a bit
2419         https://bugs.webkit.org/show_bug.cgi?id=179528
2420
2421         Reviewed by Saam Barati.
2422
2423         A few changes here:
2424         - Reordering some fields of DFG::BasicBlock to reduce padding
2425         - Making the enum fields that are glorified booleans fit into a u8
2426         - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
2427           This change works because we never increase the number of arguments after allocating an Operands object.
2428           It lets us avoid one extra capacity field and one extra pointer field per Operands,
2429           and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
2430           Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
2431           we have a chance to avoid an allocation.
2432         - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
2433
2434         * bytecode/Operands.h:
2435         (JSC::Operands::Operands):
2436         (JSC::Operands::numberOfArguments const):
2437         (JSC::Operands::numberOfLocals const):
2438         (JSC::Operands::argument):
2439         (JSC::Operands::argument const):
2440         (JSC::Operands::local):
2441         (JSC::Operands::local const):
2442         (JSC::Operands::ensureLocals):
2443         (JSC::Operands::setLocal):
2444         (JSC::Operands::getLocal):
2445         (JSC::Operands::setArgumentFirstTime):
2446         (JSC::Operands::setLocalFirstTime):
2447         (JSC::Operands::operand):
2448         (JSC::Operands::setOperand):
2449         (JSC::Operands::size const):
2450         (JSC::Operands::at const):
2451         (JSC::Operands::at):
2452         (JSC::Operands::isArgument const):
2453         (JSC::Operands::isVariable const):
2454         (JSC::Operands::virtualRegisterForIndex const):
2455         (JSC::Operands::fill):
2456         (JSC::Operands::operator== const):
2457         (JSC::Operands::argumentForIndex const): Deleted.
2458         (JSC::Operands::variableForIndex const): Deleted.
2459         (JSC::Operands::indexForOperand const): Deleted.
2460         * dfg/DFGBasicBlock.cpp:
2461         (JSC::DFG::BasicBlock::BasicBlock):
2462         * dfg/DFGBasicBlock.h:
2463         * dfg/DFGBranchDirection.h:
2464         * dfg/DFGStructureClobberState.h:
2465
2466 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2467
2468         [JSC] Retry module fetching if previous request fails
2469         https://bugs.webkit.org/show_bug.cgi?id=178168
2470
2471         Reviewed by Saam Barati.
2472
2473         According to the latest spec, the failed fetching operation can be retried if it is requested again.
2474         For example,
2475
2476             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
2477             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
2478
2479         When performing the first module fetching, the integrity check fails, and the load of this module fails.
2480         But when loading the second module, we do not use the cached failure result in the first module loading.
2481         We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
2482         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
2483
2484         Interestingly, fetching result and instantiation result will be cached if they succeed. This is because we would
2485         like to cache modules based on their URLs. As a result,
2486
2487             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
2488             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
2489
2490         In the above case, the first loading succeeds. And the second loading also succeeds since the successful fetching and
2491         instantiation are cached in the module pipeline.
2492
2493         This patch implements the above semantics. Previously, our module pipeline always caches the result. If the fetching
2494         failed, all the subsequent fetching for the same URL fails even if we have different integrity values. We retry fetching
2495         if the previous one fails. As an overview of our change,
2496
2497         1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
2498            be unified. But if the currently executing one fails, other attempts should retry fetching.
2499
2500         2. Instantiation should be cached if fetching succeeds.
2501
2502         3. Satisfying should be cached if it succeeds.
2503
2504         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
2505
2506         * builtins/ModuleLoaderPrototype.js:
2507         (requestFetch):
2508         (requestInstantiate):
2509         (requestSatisfy):
2510         (link):
2511         (loadModule):
2512         * runtime/JSGlobalObject.cpp:
2513         (JSC::JSGlobalObject::init):
2514
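
The retry semantics above, modelled as an added toy module-pipeline cache in JavaScript (not WebKit's ModuleLoaderPrototype.js): concurrent requests for one URL share the in-flight fetch, a failed fetch is dropped from the cache so the next request retries, and a successful fetch stays cached by URL so a later request with a bad integrity value still succeeds. The `fetcher(url, integrity)` callback, the fake source table, the `ModulePipeline` name and the integrity strings are constructed stand-ins.

```javascript
// Added toy model, not WebKit code. `fetcher(url, integrity)` is an
// assumed callback that returns a Promise of the module source.
class ModulePipeline {
  constructor(fetcher) {
    this.fetcher = fetcher;
    this.fetchCache = new Map(); // url -> Promise (in flight or fulfilled)
  }

  // Unify concurrent requests, cache success, forget failure.
  requestFetch(url, integrity) {
    const cached = this.fetchCache.get(url);
    if (cached) return cached;
    const promise = this.fetcher(url, integrity).then(
      (source) => source,
      (err) => {
        // Only successful fetches stay cached: drop this entry so the
        // next request for the same URL retries (possibly with another
        // integrity value) instead of replaying the failure.
        if (this.fetchCache.get(url) === promise) this.fetchCache.delete(url);
        throw err;
      }
    );
    this.fetchCache.set(url, promise);
    return promise;
  }
}

// Constructed stand-in for the network plus the integrity check. Every
// real fetch is appended to `log` so callers can count retries.
function makeFakeFetcher(sources) {
  const log = [];
  const fetcher = (url, integrity) =>
    new Promise((resolve, reject) => {
      log.push(url);
      const entry = sources[url];
      if (!entry) return reject(new Error("not found: " + url));
      if (integrity !== entry.hash) return reject(new Error("integrity mismatch: " + url));
      resolve(entry.body);
    });
  return { fetcher, log };
}

// Constructed source table: one module, one correct digest.
const SOURCES = { "./A.js": { body: "export default 1;", hash: "shaXXX-correct" } };

// Maps a fetch outcome to "ok" / "failed" without throwing.
function outcome(promise) {
  return promise.then(() => "ok", () => "failed");
}

// Bad integrity first, correct second: the failure is not cached, so the
// second request refetches and succeeds.
async function badThenGood() {
  const { fetcher, log } = makeFakeFetcher(SOURCES);
  const pipeline = new ModulePipeline(fetcher);
  const first = await outcome(pipeline.requestFetch("./A.js", "shaXXX-bad"));
  const second = await outcome(pipeline.requestFetch("./A.js", "shaXXX-correct"));
  return { first, second, fetches: log.length }; // { first: "failed", second: "ok", fetches: 2 }
}

// Correct first, bad second: the successful fetch is cached by URL, so the
// second request never reaches the fetcher and also succeeds.
async function goodThenBad() {
  const { fetcher, log } = makeFakeFetcher(SOURCES);
  const pipeline = new ModulePipeline(fetcher);
  const first = await outcome(pipeline.requestFetch("./A.js", "shaXXX-correct"));
  const second = await outcome(pipeline.requestFetch("./A.js", "shaXXX-bad"));
  return { first, second, fetches: log.length }; // { first: "ok", second: "ok", fetches: 1 }
}

// Two on-the-fly requests for the same URL share a single fetch.
async function concurrentRequests() {
  const { fetcher, log } = makeFakeFetcher(SOURCES);
  const pipeline = new ModulePipeline(fetcher);
  const [a, b] = await Promise.all([
    pipeline.requestFetch("./A.js", "shaXXX-correct"),
    pipeline.requestFetch("./A.js", "shaXXX-correct"),
  ]);
  return { same: a === b, fetches: log.length }; // { same: true, fetches: 1 }
}
```

The identity check in the rejection handler matters: by the time a failed promise is being evicted, a later request may already have installed a fresh entry for the same URL, and that one must not be deleted.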
2515 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
2516
2517         Web Inspector: support undo/redo of insertAdjacentHTML
2518         https://bugs.webkit.org/show_bug.cgi?id=179283
2519
2520         Reviewed by Joseph Pecoraro.
2521
2522         * inspector/protocol/DOM.json:
2523         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
2524         on the given node.
2525
2526 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
2527
2528         Web Inspector: Make domain availability a list of types instead of a single type
2529         https://bugs.webkit.org/show_bug.cgi?id=179457
2530
2531         Reviewed by Brian Burg.
2532
2533         * inspector/scripts/codegen/generate_js_backend_commands.py:
2534         (JSBackendCommandsGenerator.generate_domain):
2535         Update output of `InspectorBackend.activateDomain` to include the list.
2536
2537         * inspector/scripts/codegen/models.py:
2538         (Protocol.parse_domain):
2539         Parse `availability` as a list and include a new supported value of "service-worker".
2540
2541         * inspector/protocol/ApplicationCache.json:
2542         * inspector/protocol/CSS.json:
2543         * inspector/protocol/Canvas.json:
2544         * inspector/protocol/DOM.json:
2545         * inspector/protocol/DOMDebugger.json:
2546         * inspector/protocol/DOMStorage.json:
2547         * inspector/protocol/Database.json:
2548         * inspector/protocol/IndexedDB.json:
2549         * inspector/protocol/LayerTree.json:
2550         * inspector/protocol/Memory.json:
2551         * inspector/protocol/Network.json:
2552         * inspector/protocol/Page.json:
2553         * inspector/protocol/Timeline.json:
2554         * inspector/protocol/Worker.json:
2555         Update `availability` to be a list.
2556
2557         * inspector/scripts/tests/generic/domain-availability.json:
2558         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2559         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
2560         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
2561         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
2562         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
2563         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
2564         Update tests to include a test for the type and an invalid value.
2565
2566 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2567
2568         [JSC][JIT] Clean up SlowPathCall stubs
2569         https://bugs.webkit.org/show_bug.cgi?id=179247
2570
2571         Reviewed by Saam Barati.
2572
2573         We have a bunch of duplicate functions that just call a slow path function.
2574         This patch cleans up the above duplication.
2575
2576         * jit/JIT.cpp:
2577         (JSC::JIT::emitSlowCaseCall):
2578         (JSC::JIT::privateCompileSlowCases):
2579         * jit/JIT.h:
2580         * jit/JITArithmetic.cpp:
2581         (JSC::JIT::emitSlow_op_unsigned): Deleted.
2582         (JSC::JIT::emitSlow_op_inc): Deleted.
2583         (JSC::JIT::emitSlow_op_dec): Deleted.
2584         (JSC::JIT::emitSlow_op_bitand): Deleted.
2585         (JSC::JIT::emitSlow_op_bitor): Deleted.
2586         (JSC::JIT::emitSlow_op_bitxor): Deleted.
2587         (JSC::JIT::emitSlow_op_lshift): Deleted.
2588         (JSC::JIT::emitSlow_op_rshift): Deleted.
2589         (JSC::JIT::emitSlow_op_urshift): Deleted.
2590         (JSC::JIT::emitSlow_op_div): Deleted.
2591         * jit/JITArithmetic32_64.cpp:
2592         (JSC::JIT::emitSlow_op_unsigned): Deleted.
2593         (JSC::JIT::emitSlow_op_inc): Deleted.
2594         (JSC::JIT::emitSlow_op_dec): Deleted.
2595         * jit/JITOpcodes.cpp:
2596         (JSC::JIT::emitSlow_op_create_this): Deleted.
2597         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
2598         (JSC::JIT::emitSlow_op_to_this): Deleted.
2599         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
2600         (JSC::JIT::emitSlow_op_not): Deleted.
2601         (JSC::JIT::emitSlow_op_stricteq): Deleted.
2602         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
2603         (JSC::JIT::emitSlow_op_to_number): Deleted.
2604         (JSC::JIT::emitSlow_op_to_string): Deleted.
2605         (JSC::JIT::emitSlow_op_to_object): Deleted.
2606         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
2607         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
2608         * jit/JITOpcodes32_64.cpp:
2609         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
2610         (JSC::JIT::emitSlow_op_not): Deleted.
2611         (JSC::JIT::emitSlow_op_stricteq): Deleted.
2612         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
2613         (JSC::JIT::emitSlow_op_to_number): Deleted.
2614         (JSC::JIT::emitSlow_op_to_string): Deleted.
2615         (JSC::JIT::emitSlow_op_to_object): Deleted.
2616         (JSC::JIT::emitSlow_op_create_this): Deleted.
2617         (JSC::JIT::emitSlow_op_to_this): Deleted.
2618         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
2619         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
2620         * jit/JITPropertyAccess.cpp:
2621         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
2622         * jit/JITPropertyAccess32_64.cpp:
2623         (JSC::JIT::emit_op_resolve_scope):
2624         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
2625         * jit/SlowPathCall.h:
2626         (JSC::JITSlowPathCall::JITSlowPathCall):
2627         * runtime/CommonSlowPaths.cpp:
2628         (JSC::SLOW_PATH_DECL):
2629         * runtime/CommonSlowPaths.h:
2630
2631 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
2632
2633         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
2634         https://bugs.webkit.org/show_bug.cgi?id=179446
2635
2636         Reviewed by Žan Doberšek.
2637
2638         The trunc.w.d mips instruction should give a 0x7fffffff result when
2639         the source value is Infinity, NaN, or rounds to an integer outside the
2640         range -2^31 to 2^31 -1. This is what branchTruncateDoubleToInt32() and
2641         branchTruncateDoubleToUInt32() have been relying on. It turns out that
2642         this assumption is not true on some CPUs, including on the ci20 on
2643         which we run the testbot (we get 0x80000000 instead). We should use the
2644         invalid operation cause bit instead to check whether the source value
2645         could be properly truncated. This requires the addition of the cfc1
2646         instruction, as well as the special registers that can be used with it
2647         (control registers of CP1).
2648
2649         * assembler/MIPSAssembler.h:
2650         (JSC::MIPSAssembler::firstSPRegister):
2651         (JSC::MIPSAssembler::lastSPRegister):
2652         (JSC::MIPSAssembler::numberOfSPRegisters):
2653         (JSC::MIPSAssembler::sprName):
2654         Added control registers of CP1.
2655         (JSC::MIPSAssembler::cfc1):
2656         Added.
2657         * assembler/MacroAssemblerMIPS.h:
2658         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
2659         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
2660         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
2661         Use fcsr to check if the value could be properly truncated.
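
The two validation strategies from the entry above, as an added C model (not WebKit code): model_trunc_w_d, truncate_checking_result and truncate_checking_flag are hypothetical names, the `sentinel` parameter stands in for the CPU-dependent result, and `*invalid` stands in for the FCSR invalid-operation cause bit that cfc1 reads on real hardware.

```c
#include <math.h>      /* NAN, INFINITY, isnan */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of trunc.w.d, not a hardware access. `sentinel` is what the
 * CPU returns when the input cannot be represented: 0x7fffffff (INT32_MAX) on
 * the CPUs the old code assumed, 0x80000000 (INT32_MIN) on the ci20.
 * `*invalid` models the FCSR invalid-operation cause bit. */
static int32_t model_trunc_w_d(double d, int32_t sentinel, bool *invalid)
{
    /* NaN fails both comparisons and +/-Infinity fails one of them. The range
     * check also keeps the cast below well-defined: anything strictly inside
     * (-2^31 - 1, 2^31) truncates toward zero into [INT32_MIN, INT32_MAX]. */
    if (isnan(d) || !(d > -2147483649.0 && d < 2147483648.0)) {
        *invalid = true;
        return sentinel;
    }
    *invalid = false;
    return (int32_t)d; /* double -> int conversion truncates toward zero */
}

/* Old check (what branchTruncateDoubleToInt32 relied on): a 0x7fffffff
 * result is taken to mean "could not truncate". */
static bool truncate_checking_result(double d, int32_t sentinel, int32_t *out)
{
    bool invalid;
    int32_t r = model_trunc_w_d(d, sentinel, &invalid);
    if (r == INT32_MAX)
        return false;
    *out = r;
    return true;
}

/* New check: consult the cause bit instead of guessing from the value. */
static bool truncate_checking_flag(double d, int32_t sentinel, int32_t *out)
{
    bool invalid;
    int32_t r = model_trunc_w_d(d, sentinel, &invalid);
    if (invalid)
        return false;
    *out = r;
    return true;
}

int main(void)
{
    /* Constructed inputs covering in-range, boundary, out-of-range and non-finite values. */
    const double inputs[] = { 42.9, -2147483648.0, 2147483647.5, 3e9, -3e9, NAN, INFINITY };
    const int32_t sentinels[] = { INT32_MAX, INT32_MIN };
    for (size_t s = 0; s < 2; s++) {
        printf("sentinel 0x%08x:\n", (unsigned)sentinels[s]);
        for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
            int32_t a = 0, b = 0;
            bool okResult = truncate_checking_result(inputs[i], sentinels[s], &a);
            bool okFlag = truncate_checking_flag(inputs[i], sentinels[s], &b);
            printf("  %14g  result-check: %s (%d)  flag-check: %s (%d)\n",
                   inputs[i], okResult ? "ok  " : "fail", a, okFlag ? "ok  " : "fail", b);
        }
    }
    return 0;
}
```

With the 0x80000000 sentinel the result-based check accepts NaN and 3e9 as INT32_MIN, while the flag-based check rejects them and still accepts the legitimate INT32_MIN and INT32_MAX results.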
2662
2663 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
2664
2665         HTMLMediaElement should not use element fullscreen on iOS
2666         https://bugs.webkit.org/show_bug.cgi?id=179418
2667         rdar://problem/35409277
2668
2669         Reviewed by Eric Carlson.
2670
2671         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
2672
2673         * Configurations/FeatureDefines.xcconfig:
2674
2675 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
2676
2677         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
2678         https://bugs.webkit.org/show_bug.cgi?id=179276
2679
2680         Reviewed by Andy Estes.
2681
2682         * inspector/InjectedScriptHost.h:
2683         * inspector/JSInjectedScriptHost.cpp:
2684         (Inspector::JSInjectedScriptHost::getInternalProperties):
2685         Call through to virtual implementation so that WebCore can provide custom
2686         internal properties for Web / DOM objects.
2687
2688 2017-11-08  Saam Barati  <sbarati@apple.com>
2689
2690         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2691         https://bugs.webkit.org/show_bug.cgi?id=177792
2692
2693         Reviewed by Yusuke Suzuki.
2694
2695         Before this patch, if a JSFunction's rare data initialized its allocation profile
2696         before its backing Executable's poly proto watchpoint was invalidated, that
2697         JSFunction would continue to allocate non-poly proto objects until its allocation
2698         profile was cleared (which essentially never happens in practice). This patch
2699         improves on this pathology. A JSFunction's rare data will now watch the poly
2700         proto watchpoint if it's still valid and clear its allocation profile when we
2701         detect that we should go poly proto.
2702
2703         * bytecode/ObjectAllocationProfile.h:
2704         * bytecode/ObjectAllocationProfileInlines.h:
2705         (JSC::ObjectAllocationProfile::initializeProfile):
2706         * runtime/FunctionRareData.cpp:
2707         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2708         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
2709         * runtime/FunctionRareData.h:
2710         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
2711         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
2712         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
2713
2714 2017-11-08  Keith Miller  <keith_miller@apple.com>
2715
2716         Add super sampler begin and end bytecodes.
2717         https://bugs.webkit.org/show_bug.cgi?id=179376
2718
2719         Reviewed by Filip Pizlo.
2720
2721         This patch adds a way to measure a narrow range of bytecodes for
2722         performance. This is done using the same infrastructure as the
2723         super sampler. I also added a class that helps do the bytecode
2724         checking with RAII. One problem with the current way this is done
2725         is that we don't handle decrementing early exits, either from
2726         branches or exceptions. So, when using this API users need to
2727         ensure that there are no early exits or that those exits don't
2728         occur on the measured code.
2729
2730         * JavaScriptCore.xcodeproj/project.pbxproj:
2731         * bytecode/BytecodeDumper.cpp:
2732         (JSC::BytecodeDumper<Block>::dumpBytecode):
2733         * bytecode/BytecodeList.json:
2734         * bytecode/BytecodeUseDef.h:
2735         (JSC::computeUsesForBytecodeOffset):
2736         (JSC::computeDefsForBytecodeOffset):
2737         * bytecompiler/BytecodeGenerator.cpp:
2738         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
2739         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
2740         * bytecompiler/BytecodeGenerator.h:
2741         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
2742         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
2743         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
2744         * dfg/DFGAbstractInterpreterInlines.h:
2745         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2746         * dfg/DFGByteCodeParser.cpp:
2747         (JSC::DFG::ByteCodeParser::parseBlock):
2748         * dfg/DFGClobberize.h:
2749         (JSC::DFG::clobberize):
2750         * dfg/DFGClobbersExitState.cpp:
2751         (JSC::DFG::clobbersExitState):
2752         * dfg/DFGDoesGC.cpp:
2753         (JSC::DFG::doesGC):
2754         * dfg/DFGFixupPhase.cpp:
2755         (JSC::DFG::FixupPhase::fixupNode):
2756         * dfg/DFGMayExit.cpp:
2757         * dfg/DFGNodeType.h:
2758         * dfg/DFGPredictionPropagationPhase.cpp:
2759         * dfg/DFGSafeToExecute.h:
2760         (JSC::DFG::safeToExecute):
2761         * dfg/DFGSpeculativeJIT.cpp:
2762         * dfg/DFGSpeculativeJIT32_64.cpp:
2763         (JSC::DFG::SpeculativeJIT::compile):
2764         * dfg/DFGSpeculativeJIT64.cpp:
2765         (JSC::DFG::SpeculativeJIT::compile):
2766         * ftl/FTLCapabilities.cpp:
2767         (JSC::FTL::canCompile):
2768         * ftl/FTLLowerDFGToB3.cpp:
2769         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2770         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
2771         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
2772         * jit/JIT.cpp:
2773         (JSC::JIT::privateCompileMainPass):
2774         * jit/JIT.h:
2775         * jit/JITOpcodes.cpp:
2776         (JSC::JIT::emit_op_super_sampler_begin):
2777         (JSC::JIT::emit_op_super_sampler_end):
2778         * llint/LLIntSlowPaths.cpp:
2779         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2780         * llint/LLIntSlowPaths.h:
2781         * llint/LowLevelInterpreter.asm:
2782
2783 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2784
2785         Turn recursive tail calls into loops
2786         https://bugs.webkit.org/show_bug.cgi?id=176601
2787
2788         Reviewed by Saam Barati.
2789
2790         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2791
2792         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
2793         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
2794         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
2795         We do this part through modifying the computation of the jump targets.
2796         Importantly, we only do this splitting for functions that have tail calls.
2797         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
2798
2799         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
2800         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
2801
2802         * bytecode/CodeBlock.h:
2803         (JSC::CodeBlock::hasTailCalls const):
2804         * bytecode/PreciseJumpTargets.cpp:
2805         (JSC::getJumpTargetsForBytecodeOffset):
2806         (JSC::computePreciseJumpTargetsInternal):
2807         * bytecode/UnlinkedCodeBlock.cpp:
2808         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2809         * bytecode/UnlinkedCodeBlock.h:
2810         (JSC::UnlinkedCodeBlock::hasTailCalls const):
2811         (JSC::UnlinkedCodeBlock::setHasTailCalls):
2812         * bytecompiler/BytecodeGenerator.cpp:
2813         (JSC::BytecodeGenerator::emitEnter):
2814         (JSC::BytecodeGenerator::emitCallInTailPosition):
2815         * dfg/DFGByteCodeParser.cpp:
2816         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
2817         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
2818         (JSC::DFG::ByteCodeParser::handleCall):
2819         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2820         (JSC::DFG::ByteCodeParser::parseBlock):
2821         (JSC::DFG::ByteCodeParser::parse):
2822
2823 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
2824
2825         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
2826         https://bugs.webkit.org/show_bug.cgi?id=179407
2827
2828         Reviewed by Matt Baker.
2829
2830         * inspector/protocol/Page.json:
2831         Remove unused protocol type.
2832
2833 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
2834
2835         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
2836         https://bugs.webkit.org/show_bug.cgi?id=173619
2837
2838         Reviewed by Alex Christensen and Brian Burg.
2839
2840         Eventually all classes used for our JSON-RPC message passing should be outside
2841         of the Inspector namespace since the protocol is used outside of Inspector code.
2842         This will also allow us to unify the primitive JSON types with parametric types
2843         like Inspector::Protocol::Array<T> and other protocol-related types which don't
2844         need to be in the Inspector namespace.
2845
2846         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
2847         patches, other clients will move to use JSON::Value and friends. When all uses are
2848         changed, the actual implementation will be renamed. This patch just focuses on the typedef
2849         and making changes in generated protocol code.
2850
2851         Original patch by Brian Burg, rebased and updated by me.
2852
2853         * inspector/InspectorValues.cpp:
2854         * inspector/InspectorValues.h:
2855         * inspector/scripts/codegen/cpp_generator.py:
2856         (CppGenerator.cpp_protocol_type_for_type):
2857         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
2858         (CppGenerator.cpp_type_for_type_with_name):
2859         (CppGenerator.cpp_type_for_stack_in_parameter):
2860         * inspector/scripts/codegen/cpp_generator_templates.py:
2861         (void):
2862         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2863         (_generate_class_for_object_declaration):
2864         (_generate_forward_declarations_for_binding_traits):
2865         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2866         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
2867         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
2868         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2869         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2870         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2871         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2872         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2873         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2874         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2875         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2876         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2877         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2878         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2879         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2880         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2881         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2882
2883 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
2884
2885         Get rid of unsightly hex numbers from unified build object files
2886         https://bugs.webkit.org/show_bug.cgi?id=179410
2887
2888         Reviewed by Saam Barati.
2889
2890         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
2891
2892 2017-11-07  Saam Barati  <sbarati@apple.com>
2893
2894         Only cage double butterfly accesses
2895         https://bugs.webkit.org/show_bug.cgi?id=179202
2896
2897         Reviewed by Mark Lam.
2898
2899         This patch removes caging from all butterfly accesses except double loads/stores.
2900         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
2901         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
2902         by caging. The other load/stores we are no longer caging to get back performance on
2903         various benchmarks.
2904
2905         * bytecode/AccessCase.cpp:
2906         (JSC::AccessCase::generateImpl):
2907         * bytecode/InlineAccess.cpp:
2908         (JSC::InlineAccess::dumpCacheSizesAndCrash):
2909         (JSC::InlineAccess::generateSelfPropertyAccess):
2910         (JSC::InlineAccess::generateSelfPropertyReplace):
2911         (JSC::InlineAccess::generateArrayLength):
2912         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
2913         * dfg/DFGSpeculativeJIT.cpp:
2914         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2915         (JSC::DFG::SpeculativeJIT::compileSpread):
2916         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2917         * dfg/DFGSpeculativeJIT64.cpp:
2918         (JSC::DFG::SpeculativeJIT::compile):
2919         * ftl/FTLLowerDFGToB3.cpp:
2920         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2921         * jit/JITPropertyAccess.cpp:
2922         (JSC::JIT::emitContiguousLoad):
2923         (JSC::JIT::emitArrayStorageLoad):
2924         (JSC::JIT::emitGenericContiguousPutByVal):
2925         (JSC::JIT::emitArrayStoragePutByVal):
2926         (JSC::JIT::emit_op_get_from_scope):
2927         (JSC::JIT::emit_op_put_to_scope):
2928         * llint/LowLevelInterpreter64.asm:
2929         * runtime/AuxiliaryBarrier.h:
2930         (JSC::AuxiliaryBarrier::operator-> const):
2931         * runtime/Butterfly.h:
2932         (JSC::Butterfly::caged):
2933         (JSC::Butterfly::contiguousDouble):
2934         * runtime/JSArray.cpp:
2935         (JSC::JSArray::setLength):
2936         (JSC::JSArray::pop):
2937         (JSC::JSArray::shiftCountWithAnyIndexingType):
2938         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2939         (JSC::JSArray::fillArgList):
2940         (JSC::JSArray::copyToArguments):
2941         * runtime/JSArrayInlines.h:
2942         (JSC::JSArray::pushInline):
2943         * runtime/JSObject.cpp:
2944         (JSC::JSObject::heapSnapshot):
2945         (JSC::JSObject::createInitialIndexedStorage):
2946         (JSC::JSObject::createArrayStorage):
2947         (JSC::JSObject::convertUndecidedToInt32):
2948         (JSC::JSObject::ensureLengthSlow):
2949         (JSC::JSObject::reallocateAndShrinkButterfly):
2950         (JSC::JSObject::allocateMoreOutOfLineStorage):
2951         * runtime/JSObject.h:
2952         (JSC::JSObject::canGetIndexQuickly):
2953         (JSC::JSObject::getIndexQuickly):
2954         (JSC::JSObject::tryGetIndexQuickly const):
2955         (JSC::JSObject::canSetIndexQuickly):
2956         (JSC::JSObject::butterfly const):
2957         (JSC::JSObject::butterfly):
2958
2959 2017-11-07  Mark Lam  <mark.lam@apple.com>
2960
2961         Introduce a default RegisterSet constructor so that we can use { } notation.
2962         https://bugs.webkit.org/show_bug.cgi?id=179389
2963
2964         Reviewed by Saam Barati.
2965
2966         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
2967         does not add any code documentation value.
2968
2969         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2970         * b3/air/AirCode.cpp:
2971         (JSC::B3::Air::Code::setRegsInPriorityOrder):
2972         * b3/air/AirPrintSpecial.cpp:
2973         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
2974         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
2975         * b3/air/testair.cpp:
2976         * bytecode/PolymorphicAccess.h:
2977         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
2978         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
2979         * dfg/DFGJITCode.cpp:
2980         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2981         * ftl/FTLJITCode.cpp:
2982         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2983         * jit/JITCode.cpp:
2984         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2985         * jit/RegisterSet.cpp:
2986         (JSC::RegisterSet::reservedHardwareRegisters):
2987         (JSC::RegisterSet::runtimeRegisters):
2988         (JSC::RegisterSet::macroScratchRegisters):
2989         * jit/RegisterSet.h:
2990         (JSC::RegisterSet::RegisterSet):
2991         * wasm/WasmB3IRGenerator.cpp:
2992         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2993
2994 2017-11-07  Mark Lam  <mark.lam@apple.com>
2995
2996         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2997         https://bugs.webkit.org/show_bug.cgi?id=179355
2998         <rdar://problem/35263053>
2999
3000         Reviewed by Saam Barati.
3001
3002         In the Transition case in AccessCase::generateImpl(), we were restoring registers
3003         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
3004         where we previously stashed the reallocated butterfly.  If the generated code is
3005         under heavy register pressure, scratchGPR could have been from the set of preserved
3006         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
3007         As a result, the restoration would trash the butterfly result we stored there.
3008         This patch fixes the issue by excluding the scratchGPR in the restoration.
3009
3010         * bytecode/AccessCase.cpp:
3011         (JSC::AccessCase::generateImpl):
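
The register-restoration hazard described in the entry above, as an added C toy model (not JSC's RegisterSet or AccessGenerationState): preserve_live_registers_to_stack, restore_live_registers_from_stack, transition_case and the NEW_BUTTERFLY value are constructed for illustration, and the eight-register machine and the choice of GPR 3 as scratch are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model: eight general-purpose registers and a bitmask register set. */
enum { NUM_GPRS = 8 };
typedef uint32_t RegisterSet;            /* bit i set => GPR i is a member */

typedef struct { uint64_t gpr[NUM_GPRS]; } MachineState;
typedef struct { RegisterSet set; uint64_t slot[NUM_GPRS]; } SpillArea;

/* Stand-in for preserveLiveRegistersToStackForCall: spill every live register. */
static void preserve_live_registers_to_stack(const MachineState *m, RegisterSet live, SpillArea *spill)
{
    spill->set = live;
    for (int i = 0; i < NUM_GPRS; i++)
        if (live & (1u << i))
            spill->slot[i] = m->gpr[i];
}

/* Stand-in for restoreLiveRegistersFromStackForCall with an exclusion set:
 * registers in `exclude` keep whatever the call left in them. */
static void restore_live_registers_from_stack(MachineState *m, const SpillArea *spill, RegisterSet exclude)
{
    for (int i = 0; i < NUM_GPRS; i++)
        if ((spill->set & ~exclude) & (1u << i))
            m->gpr[i] = spill->slot[i];
}

#define NEW_BUTTERFLY 0x2000u  /* constructed value standing in for the reallocated butterfly */

/* The Transition case under heavy register pressure: every GPR is live, so the
 * scratch register is necessarily one of the preserved ones. Returns what the
 * scratch register holds after restoration. */
static uint64_t transition_case(bool exclude_scratch)
{
    MachineState m;
    for (int i = 0; i < NUM_GPRS; i++)
        m.gpr[i] = 0x1000u + (uint64_t)i;   /* constructed pre-call contents */
    const RegisterSet live = 0xFFu;
    const int scratchGPR = 3;

    SpillArea spill;
    preserve_live_registers_to_stack(&m, live, &spill);

    /* Simulated runtime call that reallocates the butterfly: it clobbers the
     * registers and the new pointer is stashed in scratchGPR afterwards. */
    for (int i = 0; i < NUM_GPRS; i++)
        m.gpr[i] = 0;
    m.gpr[scratchGPR] = NEW_BUTTERFLY;

    restore_live_registers_from_stack(&m, &spill, exclude_scratch ? (1u << scratchGPR) : 0u);
    return m.gpr[scratchGPR];
}

int main(void)
{
    printf("without exclusion, scratchGPR holds 0x%llx (stale pre-call value)\n",
           (unsigned long long)transition_case(false));
    printf("with exclusion,    scratchGPR holds 0x%llx (reallocated butterfly)\n",
           (unsigned long long)transition_case(true));
    return 0;
}
```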
3012
3013 2017-11-06  Robin Morisset  <rmorisset@apple.com>
3014
3015         CodeBlock::usesOpcode() is dead code
3016         https://bugs.webkit.org/show_bug.cgi?id=179316
3017
3018         Reviewed by Yusuke Suzuki.
3019
3020         Remove CodeBlock::usesOpcode which is dead code
3021
3022         * bytecode/CodeBlock.cpp:
3023         * bytecode/CodeBlock.h:
3024
3025 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3026
3027         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3028         https://bugs.webkit.org/show_bug.cgi?id=144458
3029
3030         Reviewed by Saam Barati.
3031
3032         Previously only JSFunction is handled by CallLinkInfo's caching mechanism. This means that
3033         InternalFunction calls are not cached and they always go to the slow path. This is not good because
3034
3035         1. We need to query getCallData/getConstructData every time in the slow path.
3036         2. CallLinkInfo tells nothing in the higher tier JITs.
3037
3038         This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
3039         to hold pointers to the functions for call and construct. We have new stubs that can call/construct
3040         InternalFunction. And we return this code pointer as a result of setup call to use CallLinkInfo mechanism.
3041
3042         This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
3043         for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
3044         case that DFGByteCodeParser figures out InternalFunction constant, we cannot attempt to emit DFG
3045         nodes for these InternalFunctions since CallLinkInfo tells us nothing.
3046
3047         Attached microbenchmarks show performance improvement.
3048
3049                                                            baseline                  patched
3050
3051         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
3052         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
3053         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
3054         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
3055
3056         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
3057
3058         * API/JSCallbackFunction.cpp:
3059         (JSC::JSCallbackFunction::JSCallbackFunction):
3060         (JSC::JSCallbackFunction::getCallData): Deleted.
3061         * API/JSCallbackFunction.h:
3062         (JSC::JSCallbackFunction::createStructure):
3063         * API/ObjCCallbackFunction.h:
3064         (JSC::ObjCCallbackFunction::createStructure):
3065         * API/ObjCCallbackFunction.mm:
3066         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
3067         (JSC::ObjCCallbackFunction::getCallData): Deleted.
3068         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
3069         * bytecode/BytecodeDumper.cpp:
3070         (JSC::BytecodeDumper<Block>::printCallOp):
3071         * bytecode/BytecodeList.json:
3072         * bytecode/CallLinkInfo.cpp:
3073         (JSC::CallLinkInfo::setCallee):
3074         (JSC::CallLinkInfo::callee):
3075         (JSC::CallLinkInfo::setLastSeenCallee):
3076         (JSC::CallLinkInfo::lastSeenCallee):
3077         (JSC::CallLinkInfo::visitWeak):
3078         * bytecode/CallLinkInfo.h:
3079         * bytecode/CallLinkStatus.cpp:
3080         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3081         * bytecode/LLIntCallLinkInfo.h:
3082         * jit/JITOperations.cpp:
3083         * jit/JITThunks.cpp:
3084         (JSC::JITThunks::ctiInternalFunctionCall):
3085         (JSC::JITThunks::ctiInternalFunctionConstruct):
3086         * jit/JITThunks.h:
3087         * jit/Repatch.cpp:
3088         (JSC::linkFor):
3089         (JSC::linkPolymorphicCall):
3090         * jit/Repatch.h:
3091         * jit/ThunkGenerators.cpp:
3092         (JSC::virtualThunkFor):
3093         (JSC::nativeForGenerator):
3094         (JSC::nativeCallGenerator):
3095         (JSC::nativeTailCallGenerator):
3096         (JSC::nativeTailCallWithoutSavedTagsGenerator):
3097         (JSC::nativeConstructGenerator):
3098         (JSC::internalFunctionCallGenerator):
3099         (JSC::internalFunctionConstructGenerator):
3100         * jit/ThunkGenerators.h:
3101         * llint/LLIntSlowPaths.cpp:
3102         (JSC::LLInt::setUpCall):
3103         * llint/LowLevelInterpreter.asm:
3104         * llint/LowLevelInterpreter32_64.asm:
3105         * llint/LowLevelInterpreter64.asm:
3106         * runtime/ArrayConstructor.cpp:
3107         (JSC::ArrayConstructor::ArrayConstructor):
3108         (JSC::ArrayConstructor::getConstructData): Deleted.
3109         (JSC::ArrayConstructor::getCallData): Deleted.
3110         * runtime/ArrayConstructor.h:
3111         (JSC::ArrayConstructor::createStructure):
3112         * runtime/AsyncFunctionConstructor.cpp:
3113         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
3114         (JSC::AsyncFunctionConstructor::finishCreation):
3115         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
3116         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
3117         * runtime/AsyncFunctionConstructor.h:
3118         (JSC::AsyncFunctionConstructor::createStructure):
3119         * runtime/AsyncGeneratorFunctionConstructor.cpp:
3120         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
3121         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
3122         (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
3123         (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
3124         * runtime/AsyncGeneratorFunctionConstructor.h:
3125         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
3126         * runtime/BooleanConstructor.cpp:
3127         (JSC::callBooleanConstructor):
3128         (JSC::BooleanConstructor::BooleanConstructor):
3129         (JSC::BooleanConstructor::finishCreation):
3130         (JSC::BooleanConstructor::getConstructData): Deleted.
3131         (JSC::BooleanConstructor::getCallData): Deleted.
3132         * runtime/BooleanConstructor.h:
3133         (JSC::BooleanConstructor::createStructure):
3134         * runtime/DateConstructor.cpp:
3135         (JSC::DateConstructor::DateConstructor):
3136         (JSC::DateConstructor::getConstructData): Deleted.
3137         (JSC::DateConstructor::getCallData): Deleted.
3138         * runtime/DateConstructor.h:
3139         (JSC::DateConstructor::createStructure):
3140         * runtime/Error.h:
3141         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
3142         (JSC::StrictModeTypeErrorFunction::createStructure):
3143         (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
3144         (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
3145         * runtime/ErrorConstructor.cpp:
3146         (JSC::ErrorConstructor::ErrorConstructor):
3147         (JSC::ErrorConstructor::getConstructData): Deleted.
3148         (JSC::ErrorConstructor::getCallData): Deleted.
3149         * runtime/ErrorConstructor.h:
3150         (JSC::ErrorConstructor::createStructure):
3151         * runtime/FunctionConstructor.cpp:
3152         (JSC::FunctionConstructor::FunctionConstructor):
3153         (JSC::FunctionConstructor::finishCreation):
3154         (JSC::FunctionConstructor::getConstructData): Deleted.
3155         (JSC::FunctionConstructor::getCallData): Deleted.
3156         * runtime/FunctionConstructor.h:
3157         (JSC::FunctionConstructor::createStructure):
3158         * runtime/FunctionPrototype.cpp:
3159         (JSC::callFunctionPrototype):
3160         (JSC::FunctionPrototype::FunctionPrototype):
3161         (JSC::FunctionPrototype::getCallData): Deleted.
3162         * runtime/FunctionPrototype.h:
3163         (JSC::FunctionPrototype::createStructure):
3164         * runtime/GeneratorFunctionConstructor.cpp:
3165         (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
3166         (JSC::GeneratorFunctionConstructor::finishCreation):
3167         (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
3168         (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
3169         * runtime/GeneratorFunctionConstructor.h:
3170         (JSC::GeneratorFunctionConstructor::createStructure):
3171         * runtime/InternalFunction.cpp:
3172         (JSC::InternalFunction::InternalFunction):
3173         (JSC::InternalFunction::finishCreation):
3174         (JSC::InternalFunction::getCallData):
3175         (JSC::InternalFunction::getConstructData):
3176         * runtime/InternalFunction.h:
3177         (JSC::InternalFunction::createStructure):
3178         (JSC::InternalFunction::nativeFunctionFor):
3179         (JSC::InternalFunction::offsetOfNativeFunctionFor):
3180         * runtime/IntlCollatorConstructor.cpp:
3181         (JSC::IntlCollatorConstructor::createStructure):
3182         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
3183         (JSC::IntlCollatorConstructor::getConstructData): Deleted.
3184         (JSC::IntlCollatorConstructor::getCallData): Deleted.
3185         * runtime/IntlCollatorConstructor.h:
3186         * runtime/IntlDateTimeFormatConstructor.cpp:
3187         (JSC::IntlDateTimeFormatConstructor::createStructure):
3188         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
3189         (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
3190         (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
3191         * runtime/IntlDateTimeFormatConstructor.h:
3192         * runtime/IntlNumberFormatConstructor.cpp:
3193         (JSC::IntlNumberFormatConstructor::createStructure):
3194         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
3195         (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
3196         (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
3197         * runtime/IntlNumberFormatConstructor.h:
3198         * runtime/JSArrayBufferConstructor.cpp:
3199         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
3200         (JSC::JSArrayBufferConstructor::createStructure):
3201         (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
3202         (JSC::JSArrayBufferConstructor::getCallData): Deleted.
3203         * runtime/JSArrayBufferConstructor.h:
3204         * runtime/JSGenericTypedArrayViewConstructor.h:
3205         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3206         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
3207         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
3208         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
3209         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
3210         * runtime/JSInternalPromiseConstructor.cpp:
3211         (JSC::JSInternalPromiseConstructor::createStructure):
3212         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
3213         (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
3214         (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
3215         * runtime/JSInternalPromiseConstructor.h:
3216         * runtime/JSPromiseConstructor.cpp:
3217         (JSC::JSPromiseConstructor::createStructure):
3218         (JSC::JSPromiseConstructor::JSPromiseConstructor):
3219         (JSC::JSPromiseConstructor::getConstructData): Deleted.
3220         (JSC::JSPromiseConstructor::getCallData): Deleted.
3221         * runtime/JSPromiseConstructor.h:
3222         * runtime/JSType.h:
3223         * runtime/JSTypedArrayViewConstructor.cpp:
3224         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
3225         (JSC::JSTypedArrayViewConstructor::createStructure):
3226         (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
3227         (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
3228         * runtime/JSTypedArrayViewConstructor.h:
3229         * runtime/MapConstructor.cpp:
3230         (JSC::MapConstructor::MapConstructor):
3231         (JSC::MapConstructor::getConstructData): Deleted.
3232         (JSC::MapConstructor::getCallData): Deleted.
3233         * runtime/MapConstructor.h:
3234         (JSC::MapConstructor::createStructure):
3235         (JSC::MapConstructor::MapConstructor): Deleted.
3236         * runtime/NativeErrorConstructor.cpp:
3237         (JSC::NativeErrorConstructor::NativeErrorConstructor):
3238         (JSC::NativeErrorConstructor::getConstructData): Deleted.
3239         (JSC::NativeErrorConstructor::getCallData): Deleted.
3240         * runtime/NativeErrorConstructor.h:
3241         (JSC::NativeErrorConstructor::createStructure):
3242         * runtime/NullGetterFunction.cpp:
3243         (JSC::NullGetterFunction::NullGetterFunction):
3244         (JSC::NullGetterFunction::getCallData): Deleted.
3245         (JSC::NullGetterFunction::getConstructData): Deleted.
3246         * runtime/NullGetterFunction.h:
3247         (JSC::NullGetterFunction::createStructure):
3248         (JSC::NullGetterFunction::NullGetterFunction): Deleted.
3249         * runtime/NullSetterFunction.cpp:
3250         (JSC::NullSetterFunction::NullSetterFunction):
3251         (JSC::NullSetterFunction::getCallData): Deleted.
3252         (JSC::NullSetterFunction::getConstructData): Deleted.
3253         * runtime/NullSetterFunction.h:
3254         (JSC::NullSetterFunction::createStructure):
3255         (JSC::NullSetterFunction::NullSetterFunction): Deleted.
3256         * runtime/NumberConstructor.cpp:
3257         (JSC::NumberConstructor::NumberConstructor):
3258         (JSC::constructNumberConstructor):
3259         (JSC::constructWithNumberConstructor): Deleted.
3260         (JSC::NumberConstructor::getConstructData): Deleted.
3261         (JSC::NumberConstructor::getCallData): Deleted.
3262         * runtime/NumberConstructor.h:
3263         (JSC::NumberConstructor::createStructure):
3264         * runtime/ObjectConstructor.cpp:
3265         (JSC::ObjectConstructor::ObjectConstructor):
3266         (JSC::ObjectConstructor::getConstructData): Deleted.
3267         (JSC::ObjectConstructor::getCallData): Deleted.
3268         * runtime/ObjectConstructor.h:
3269         (JSC::ObjectConstructor::createStructure):
3270         * runtime/ProxyConstructor.cpp:
3271         (JSC::ProxyConstructor::ProxyConstructor):
3272         (JSC::ProxyConstructor::getConstructData): Deleted.
3273         (JSC::ProxyConstructor::getCallData): Deleted.
3274         * runtime/ProxyConstructor.h:
3275         (JSC::ProxyConstructor::createStructure):
3276         * runtime/ProxyRevoke.cpp:
3277         (JSC::ProxyRevoke::ProxyRevoke):
3278         (JSC::ProxyRevoke::getCallData): Deleted.
3279         * runtime/ProxyRevoke.h:
3280         (JSC::ProxyRevoke::createStructure):
3281         * runtime/RegExpConstructor.cpp:
3282         (JSC::RegExpConstructor::RegExpConstructor):
3283         (JSC::RegExpConstructor::getConstructData): Deleted.
3284         (JSC::RegExpConstructor::getCallData): Deleted.
3285         * runtime/RegExpConstructor.h:
3286         (JSC::RegExpConstructor::createStructure):
3287         * runtime/SetConstructor.cpp:
3288         (JSC::SetConstructor::SetConstructor):
3289         (JSC::SetConstructor::getConstructData): Deleted.
3290         (JSC::SetConstructor::getCallData): Deleted.
3291         * runtime/SetConstructor.h:
3292         (JSC::SetConstructor::createStructure):
3293         (JSC::SetConstructor::SetConstructor): Deleted.
3294         * runtime/StringConstructor.cpp:
3295         (JSC::StringConstructor::StringConstructor):
3296         (JSC::StringConstructor::getConstructData): Deleted.
3297         (JSC::StringConstructor::getCallData): Deleted.
3298         * runtime/StringConstructor.h:
3299         (JSC::StringConstructor::createStructure):
3300         * runtime/SymbolConstructor.cpp:
3301         (JSC::SymbolConstructor::SymbolConstructor):
3302         (JSC::SymbolConstructor::getConstructData): Deleted.
3303         (JSC::SymbolConstructor::getCallData): Deleted.
3304         * runtime/SymbolConstructor.h:
3305         (JSC::SymbolConstructor::createStructure):
3306         * runtime/VM.cpp:
3307         (JSC::VM::VM):
3308         (JSC::VM::getCTIInternalFunctionTrampolineFor):
3309         * runtime/VM.h:
3310         * runtime/WeakMapConstructor.cpp:
3311         (JSC::WeakMapConstructor::WeakMapConstructor):
3312         (JSC::WeakMapConstructor::getConstructData): Deleted.
3313         (JSC::WeakMapConstructor::getCallData): Deleted.
3314         * runtime/WeakMapConstructor.h:
3315         (JSC::WeakMapConstructor::createStructure):
3316         (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
3317         * runtime/WeakSetConstructor.cpp:
3318         (JSC::WeakSetConstructor::WeakSetConstructor):
3319         (JSC::WeakSetConstructor::getConstructData): Deleted.
3320         (JSC::WeakSetConstructor::getCallData): Deleted.
3321         * runtime/WeakSetConstructor.h:
3322         (JSC::WeakSetConstructor::createStructure):
3323         (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
3324         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3325         (JSC::WebAssemblyCompileErrorConstructor::createStructure):
3326         (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
3327         (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
3328         (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
3329         * wasm/js/WebAssemblyCompileErrorConstructor.h:
3330         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3331         (JSC::WebAssemblyInstanceConstructor::createStructure):
3332         (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
3333         (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
3334         (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
3335         * wasm/js/WebAssemblyInstanceConstructor.h:
3336         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3337         (JS