WebKit-https.git: Source/JavaScriptCore/ChangeLog
2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Prototype wasm import
        https://bugs.webkit.org/show_bug.cgi?id=184600

        Reviewed by JF Bastien.

        This patch is an initial attempt to implement Wasm loading in the module pipeline.
        Currently,

        1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
           in WHATWG HTML, we should integrate this into WebCore.

        2. We only support exporting values from Wasm. A Wasm module cannot import anything from
           other modules for now.

        When loading a file, the JSC shell checks for the wasm magic. If the wasm magic is found, the
        JSC shell loads the file with WebAssemblySourceProvider. It is wrapped in a JSSourceCode and the
        module loader pipeline handles it just as it does JS. When parsing a module, we
        check the type of the JSSourceCode. If the source code is Wasm source code, we create a
        WebAssemblyModuleRecord instead of a JSModuleRecord. Our module pipeline handles
        AbstractModuleRecord, and the Wasm module is instantiated, linked, and evaluated.

        * builtins/ModuleLoaderPrototype.js:
        (globalPrivate.newRegistryEntry):
        (requestInstantiate):
        (link):
        * jsc.cpp:
        (convertShebangToJSComment):
        (fillBufferWithContentsOfFile):
        (fetchModuleFromLocalFileSystem):
        (GlobalObject::moduleLoaderFetch):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        (JSC::AbstractModuleRecord::link):
        (JSC::AbstractModuleRecord::evaluate):
        (JSC::identifierToJSValue): Deleted.
        * runtime/AbstractModuleRecord.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::evaluate):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSModuleRecord.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        (JSC::createSourceBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::prepareLink):
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::WebAssemblyPrototype::instantiate):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        * wasm/js/WebAssemblyPrototype.h:
74
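The content-based dispatch the entry above describes (check the wasm magic, then hand the file to a Wasm provider or treat it as JS), as an added example that is not JSC's code: a small classifier over the first bytes of a fetched module file. The function names and the version check are assumptions of this example; the `\0asm` magic and version 1 are the WebAssembly binary format's own preamble.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// How the loader should wrap a fetched file. The decision is made from the
// file's bytes, never from its extension, mirroring the magic check the
// ChangeLog entry describes for the JSC shell.
enum class SourceKind { JavaScript, WebAssembly, Rejected };

// WebAssembly binary preamble: magic "\0asm" followed by a little-endian
// u32 version field. Version 1 is the only version the MVP format defines.
constexpr uint8_t kWasmMagic[4] = { 0x00, 0x61, 0x73, 0x6d };
constexpr uint32_t kWasmVersion = 1;
constexpr size_t kWasmPreambleSize = 8;

// True when the buffer starts with the 4-byte wasm magic.
bool hasWasmMagic(const std::vector<uint8_t>& bytes)
{
    if (bytes.size() < sizeof(kWasmMagic))
        return false;
    for (size_t i = 0; i < sizeof(kWasmMagic); ++i) {
        if (bytes[i] != kWasmMagic[i])
            return false;
    }
    return true;
}

// Reads the little-endian version field that follows the magic.
// The caller guarantees at least kWasmPreambleSize bytes are present.
uint32_t wasmVersion(const std::vector<uint8_t>& bytes)
{
    return uint32_t(bytes[4]) | (uint32_t(bytes[5]) << 8)
        | (uint32_t(bytes[6]) << 16) | (uint32_t(bytes[7]) << 24);
}

// Classify a file. Anything without the magic is handed to the JS pipeline.
// A file that carries the magic but is truncated before its version field, or
// declares a version this loader does not understand, is rejected outright
// rather than silently fed to the JS parser, so the failure is explicit.
SourceKind classifyModuleSource(const std::vector<uint8_t>& bytes)
{
    if (!hasWasmMagic(bytes))
        return SourceKind::JavaScript;
    if (bytes.size() < kWasmPreambleSize || wasmVersion(bytes) != kWasmVersion)
        return SourceKind::Rejected;
    return SourceKind::WebAssembly;
}

// Convenience for callers that already hold the file contents as text.
SourceKind classifyModuleText(const std::string& text)
{
    return classifyModuleSource(std::vector<uint8_t>(text.begin(), text.end()));
}

int main()
{
    // Constructed inputs: a minimal empty wasm module (preamble only), a JS
    // module, a wasm file cut off inside its version field, and a wasm file
    // that declares version 2.
    std::vector<uint8_t> emptyWasm = { 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00 };
    std::string js = "export const answer = 42;\n";
    std::vector<uint8_t> truncated = { 0x00, 0x61, 0x73, 0x6d, 0x01 };
    std::vector<uint8_t> badVersion = { 0x00, 0x61, 0x73, 0x6d, 0x02, 0x00, 0x00, 0x00 };

    bool ok = classifyModuleSource(emptyWasm) == SourceKind::WebAssembly
        && classifyModuleText(js) == SourceKind::JavaScript
        && classifyModuleSource(truncated) == SourceKind::Rejected
        && classifyModuleSource(badVersion) == SourceKind::Rejected;
    return ok ? 0 : 1;
}
```

Because the decision rests on the bytes, renaming a file from `.wasm` to `.js` (or the reverse) does not change which pipeline receives it.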
75 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
76
77         Function.prototype.caller shouldn't return generator bodies
78         https://bugs.webkit.org/show_bug.cgi?id=184630
79
80         Reviewed by Yusuke Suzuki.
81         
82         Function.prototype.caller no longer returns generator bodies. Those are meant to be
83         private.
84         
85         Also added some builtin debugging tools so that it's easier to do the investigation that I
86         did.
87
88         * builtins/BuiltinNames.h:
89         * runtime/JSFunction.cpp:
90         (JSC::JSFunction::callerGetter):
91         * runtime/JSGlobalObject.cpp:
92         (JSC::JSGlobalObject::init):
93         * runtime/JSGlobalObjectFunctions.cpp:
94         (JSC::globalFuncBuiltinDescribe):
95         * runtime/JSGlobalObjectFunctions.h:
96
97 2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
98
99         [DFG] Remove duplicate 32bit ProfileType implementation
100         https://bugs.webkit.org/show_bug.cgi?id=184536
101
102         Reviewed by Saam Barati.
103
104         This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.
105
106         * dfg/DFGSpeculativeJIT.cpp:
107         (JSC::DFG::SpeculativeJIT::compileProfileType):
108         * dfg/DFGSpeculativeJIT.h:
109         * dfg/DFGSpeculativeJIT32_64.cpp:
110         (JSC::DFG::SpeculativeJIT::compile):
111         * dfg/DFGSpeculativeJIT64.cpp:
112         (JSC::DFG::SpeculativeJIT::compile):
113         * jit/AssemblyHelpers.h:
114         (JSC::AssemblyHelpers::branchIfUndefined):
115         (JSC::AssemblyHelpers::branchIfNull):
116
117 2018-04-12  Mark Lam  <mark.lam@apple.com>
118
119         Consolidate some PtrTags.
120         https://bugs.webkit.org/show_bug.cgi?id=184552
121         <rdar://problem/39389404>
122
123         Reviewed by Filip Pizlo.
124
125         Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
126         Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
127
128         * assembler/AbstractMacroAssembler.h:
129         (JSC::AbstractMacroAssembler::repatchNearCall):
130         * assembler/MacroAssemblerARM.h:
131         (JSC::MacroAssemblerARM::readCallTarget):
132         * assembler/MacroAssemblerARMv7.h:
133         (JSC::MacroAssemblerARMv7::readCallTarget):
134         * assembler/MacroAssemblerMIPS.h:
135         (JSC::MacroAssemblerMIPS::readCallTarget):
136         * assembler/MacroAssemblerX86.h:
137         (JSC::MacroAssemblerX86::readCallTarget):
138         * assembler/MacroAssemblerX86_64.h:
139         (JSC::MacroAssemblerX86_64::readCallTarget):
140         * bytecode/AccessCase.cpp:
141         (JSC::AccessCase::generateImpl):
142         * bytecode/InlineAccess.cpp:
143         (JSC::InlineAccess::rewireStubAsJump):
144         * bytecode/PolymorphicAccess.cpp:
145         (JSC::PolymorphicAccess::regenerate):
146         * dfg/DFGJITCompiler.cpp:
147         (JSC::DFG::JITCompiler::linkOSRExits):
148         (JSC::DFG::JITCompiler::link):
149         (JSC::DFG::JITCompiler::compileFunction):
150         * dfg/DFGJITFinalizer.cpp:
151         (JSC::DFG::JITFinalizer::finalize):
152         (JSC::DFG::JITFinalizer::finalizeFunction):
153         * dfg/DFGOSREntry.cpp:
154         (JSC::DFG::prepareOSREntry):
155         * dfg/DFGOSRExit.cpp:
156         (JSC::DFG::OSRExit::executeOSRExit):
157         (JSC::DFG::adjustAndJumpToTarget):
158         (JSC::DFG::OSRExit::compileOSRExit):
159         * dfg/DFGOSRExitCompilerCommon.cpp:
160         (JSC::DFG::adjustAndJumpToTarget):
161         * dfg/DFGOperations.cpp:
162         * ftl/FTLJITCode.cpp:
163         (JSC::FTL::JITCode::executableAddressAtOffset):
164         * ftl/FTLJITFinalizer.cpp:
165         (JSC::FTL::JITFinalizer::finalizeCommon):
166         * ftl/FTLLazySlowPath.cpp:
167         (JSC::FTL::LazySlowPath::generate):
168         * ftl/FTLLink.cpp:
169         (JSC::FTL::link):
170         * ftl/FTLLowerDFGToB3.cpp:
171         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
172         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
173         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
174         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
175         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
176         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
177         * ftl/FTLOSRExitCompiler.cpp:
178         (JSC::FTL::compileFTLOSRExit):
179         * ftl/FTLOSRExitHandle.cpp:
180         (JSC::FTL::OSRExitHandle::emitExitThunk):
181         * jit/AssemblyHelpers.cpp:
182         (JSC::AssemblyHelpers::emitDumbVirtualCall):
183         * jit/JIT.cpp:
184         (JSC::JIT::compileWithoutLinking):
185         (JSC::JIT::link):
186         * jit/JITCall.cpp:
187         (JSC::JIT::compileOpCallSlowCase):
188         * jit/JITCode.cpp:
189         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
190         (JSC::NativeJITCode::addressForCall):
191         * jit/JITInlines.h:
192         (JSC::JIT::emitNakedCall):
193         (JSC::JIT::emitNakedTailCall):
194         * jit/JITMathIC.h:
195         (JSC::isProfileEmpty):
196         * jit/JITOpcodes.cpp:
197         (JSC::JIT::privateCompileHasIndexedProperty):
198         * jit/JITOperations.cpp:
199         * jit/JITPropertyAccess.cpp:
200         (JSC::JIT::stringGetByValStubGenerator):
201         (JSC::JIT::privateCompileGetByVal):
202         (JSC::JIT::privateCompileGetByValWithCachedId):
203         (JSC::JIT::privateCompilePutByVal):
204         (JSC::JIT::privateCompilePutByValWithCachedId):
205         * jit/JITThunks.cpp:
206         (JSC::JITThunks::hostFunctionStub):
207         * jit/Repatch.cpp:
208         (JSC::linkSlowFor):
209         (JSC::linkFor):
210         (JSC::linkPolymorphicCall):
211         * jit/SpecializedThunkJIT.h:
212         (JSC::SpecializedThunkJIT::finalize):
213         * jit/ThunkGenerators.cpp:
214         (JSC::virtualThunkFor):
215         (JSC::nativeForGenerator):
216         (JSC::boundThisNoArgsFunctionCallGenerator):
217         * llint/LLIntData.cpp:
218         (JSC::LLInt::initialize):
219         * llint/LLIntEntrypoint.cpp:
220         (JSC::LLInt::setEvalEntrypoint):
221         (JSC::LLInt::setProgramEntrypoint):
222         (JSC::LLInt::setModuleProgramEntrypoint):
223         * llint/LLIntSlowPaths.cpp:
224         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
225         (JSC::LLInt::setUpCall):
226         * llint/LLIntThunks.cpp:
227         (JSC::LLInt::generateThunkWithJumpTo):
228         (JSC::LLInt::functionForCallEntryThunkGenerator):
229         (JSC::LLInt::functionForConstructEntryThunkGenerator):
230         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
231         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
232         (JSC::LLInt::evalEntryThunkGenerator):
233         (JSC::LLInt::programEntryThunkGenerator):
234         (JSC::LLInt::moduleProgramEntryThunkGenerator):
235         * llint/LowLevelInterpreter.asm:
236         * llint/LowLevelInterpreter64.asm:
237         * runtime/NativeExecutable.cpp:
238         (JSC::NativeExecutable::finishCreation):
239         * runtime/NativeFunction.h:
240         (JSC::TaggedNativeFunction::TaggedNativeFunction):
241         (JSC::TaggedNativeFunction::operator NativeFunction):
242         * runtime/PtrTag.h:
243         * wasm/WasmBBQPlan.cpp:
244         (JSC::Wasm::BBQPlan::complete):
245         * wasm/WasmOMGPlan.cpp:
246         (JSC::Wasm::OMGPlan::work):
247         * wasm/WasmThunks.cpp:
248         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
249         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
250         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
251         * wasm/js/WasmToJS.cpp:
252         (JSC::Wasm::wasmToJS):
253         * wasm/js/WebAssemblyFunction.h:
254         * yarr/YarrJIT.cpp:
255         (JSC::Yarr::YarrGenerator::compile):
256
257 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
258
259         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
260         https://bugs.webkit.org/show_bug.cgi?id=184379
261
262         Reviewed by Žan Doberšek.
263
264         Load the module from the new location.
265
266         * PlatformWPE.cmake:
267         * inspector/remote/glib/RemoteInspectorUtils.cpp:
268         (Inspector::backendCommands):
269
270 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
271
272         [DFG] Remove compileBigIntEquality in DFG 32bit
273         https://bugs.webkit.org/show_bug.cgi?id=184535
274
275         Reviewed by Saam Barati.
276
277         We can have the unified implementation for compileBigIntEquality.
278
279         * dfg/DFGSpeculativeJIT.cpp:
280         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
281         * dfg/DFGSpeculativeJIT32_64.cpp:
282         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
283         * dfg/DFGSpeculativeJIT64.cpp:
284         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
285
286 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
287
288         [WPE] Improve include hierarchy
289         https://bugs.webkit.org/show_bug.cgi?id=184376
290
291         Reviewed by Žan Doberšek.
292
293         Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
294         /usr/include/wpe-0.1/WPE/jsc.
295
296         * PlatformWPE.cmake:
297
298 2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>
299
300         [GLIB] Handle strings containing null characters
301         https://bugs.webkit.org/show_bug.cgi?id=184450
302
303         Reviewed by Michael Catanzaro.
304
305         We should be able to evaluate scripts containing null characters and to handle strings that contains them
306         too. In JavaScript strings are not null-terminated, they can contain null characters. This patch adds a length
307         parameter to jsc_context_valuate() to pass the script length (or -1 if it's null terminated), and new functions
308         jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
309         contain null characters.
310
311         * API/OpaqueJSString.cpp:
312         (OpaqueJSString::create): Add a create constructor that takes the String.
313         * API/OpaqueJSString.h:
314         (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
315         * API/glib/JSCContext.cpp:
316         (jsc_context_evaluate): Add length parameter.
317         (jsc_context_evaluate_with_source_uri): Ditto.
318         * API/glib/JSCContext.h:
319         * API/glib/JSCValue.cpp:
320         (jsc_value_new_string_from_bytes):
321         (jsc_value_to_string):
322         (jsc_value_to_string_as_bytes):
323         (jsc_value_object_is_instance_of): Pass length to evaluate.
324         * API/glib/JSCValue.h:
325         * API/glib/docs/jsc-glib-4.0-sections.txt:
326
327 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
328
329         [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
330         https://bugs.webkit.org/show_bug.cgi?id=184500
331
332         Reviewed by Mark Lam.
333
334         Instead of passing JSValue::JSCellTag to callOperation meta-program to convert
335         JSCell GPR to EncodedJSValue in 32bit code, we add CallHelpers::CellValue.
336         It is a wrapper for GPRReg, like TrustedImmPtr for pointer value. When poking
337         CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
338         poke held GPR. The benefit from this CellValue is that we can use the same code
339         for 32bit and 64bit. This patch removes several ifdefs.
340
341         * bytecode/AccessCase.cpp:
342         (JSC::AccessCase::generateImpl):
343         * dfg/DFGSpeculativeJIT.cpp:
344         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
345         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
346         (JSC::DFG::SpeculativeJIT::cachedPutById):
347         * dfg/DFGSpeculativeJIT32_64.cpp:
348         (JSC::DFG::SpeculativeJIT::cachedGetById):
349         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
350         * jit/CCallHelpers.h:
351         (JSC::CCallHelpers::CellValue::CellValue):
352         (JSC::CCallHelpers::CellValue::gpr const):
353         (JSC::CCallHelpers::setupArgumentsImpl):
354
355 2018-04-11  Mark Lam  <mark.lam@apple.com>
356
357         [Build fix] Replace CompactJITCodeMap with JITCodeMap.
358         https://bugs.webkit.org/show_bug.cgi?id=184512
359         <rdar://problem/35391728>
360
361         Not reviewed.
362
363         * bytecode/CodeBlock.h:
364         * jit/JITCodeMap.h:
365
366 2018-04-11  Mark Lam  <mark.lam@apple.com>
367
368         Replace CompactJITCodeMap with JITCodeMap.
369         https://bugs.webkit.org/show_bug.cgi?id=184512
370         <rdar://problem/35391728>
371
372         Reviewed by Filip Pizlo.
373
374         * CMakeLists.txt:
375         * JavaScriptCore.xcodeproj/project.pbxproj:
376         * bytecode/CodeBlock.h:
377         (JSC::CodeBlock::setJITCodeMap):
378         (JSC::CodeBlock::jitCodeMap const):
379         (JSC::CodeBlock::jitCodeMap): Deleted.
380         * dfg/DFGOSRExit.cpp:
381         (JSC::DFG::OSRExit::executeOSRExit):
382         * dfg/DFGOSRExitCompilerCommon.cpp:
383         (JSC::DFG::adjustAndJumpToTarget):
384         * jit/AssemblyHelpers.cpp:
385         (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
386         * jit/AssemblyHelpers.h:
387         * jit/CompactJITCodeMap.h: Removed.
388         * jit/JIT.cpp:
389         (JSC::JIT::link):
390         * jit/JITCodeMap.h: Added.
391         (JSC::JITCodeMap::Entry::Entry):
392         (JSC::JITCodeMap::Entry::bytecodeIndex const):
393         (JSC::JITCodeMap::Entry::codeLocation):
394         (JSC::JITCodeMap::append):
395         (JSC::JITCodeMap::finish):
396         (JSC::JITCodeMap::find const):
397         (JSC::JITCodeMap::operator bool const):
398         * llint/LLIntSlowPaths.cpp:
399         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
400
401 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
402
403         [DFG] Remove CompareSlowPathGenerator
404         https://bugs.webkit.org/show_bug.cgi?id=184492
405
406         Reviewed by Mark Lam.
407
408         Now CompareSlowPathGenerator is just calling a specified function.
409         This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.
410
411         We also remove some of unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
412         introducing a new constructor for GPRTemporary.
413
414         * JavaScriptCore.xcodeproj/project.pbxproj:
415         * dfg/DFGCompareSlowPathGenerator.h: Removed.
416         * dfg/DFGSpeculativeJIT.cpp:
417         (JSC::DFG::GPRTemporary::GPRTemporary):
418         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
419         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
420         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
421         (JSC::DFG::SpeculativeJIT::compileIsObject):
422         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
423         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
424         * dfg/DFGSpeculativeJIT.h:
425         (JSC::DFG::GPRTemporary::GPRTemporary):
426         * dfg/DFGSpeculativeJIT64.cpp:
427         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
428
429 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
430
431         Unreviewed, build fix for 32bit
432         https://bugs.webkit.org/show_bug.cgi?id=184236
433
434         * dfg/DFGSpeculativeJIT.cpp:
435         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
436
437 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
438
439         [DFG] Remove duplicate 32bit code more
440         https://bugs.webkit.org/show_bug.cgi?id=184236
441
442         Reviewed by Mark Lam.
443
444         Remove duplicate 32bit code more aggressively part 2.
445
446         * JavaScriptCore.xcodeproj/project.pbxproj:
447         * dfg/DFGCompareSlowPathGenerator.h: Added.
448         (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
449         Drop boxing part. Use unblessedBooleanResult in DFGSpeculativeJIT side instead.
450
451         * dfg/DFGOperations.cpp:
452         * dfg/DFGOperations.h:
453         * dfg/DFGSpeculativeJIT.cpp:
454         (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
455         (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
456         (JSC::DFG::SpeculativeJIT::compileIsObject):
457         (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
458         (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
459         (JSC::DFG::SpeculativeJIT::compilePutById):
460         (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
461         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
462         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
463         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
464         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
465         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
466         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
467         (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
468         (JSC::DFG::SpeculativeJIT::cachedPutById):
469         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
470         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
471         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
472         * dfg/DFGSpeculativeJIT.h:
473         (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
474         * dfg/DFGSpeculativeJIT32_64.cpp:
475         (JSC::DFG::SpeculativeJIT::compile):
476         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
477         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
478         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
479         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
480         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
481         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
482         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
483         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
484         * dfg/DFGSpeculativeJIT64.cpp:
485         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
486         (JSC::DFG::SpeculativeJIT::compile):
487         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
488         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
489         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
490         (): Deleted.
491         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
492         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
493         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
494         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
495         * ftl/FTLLowerDFGToB3.cpp:
496         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
497         operationHasIndexedPropertyByInt starts returning unblessed boolean with size_t.
498
499         * jit/AssemblyHelpers.h:
500         (JSC::AssemblyHelpers::loadValue):
501         (JSC::AssemblyHelpers::selectScratchGPR):
502         (JSC::AssemblyHelpers::constructRegisterSet):
503         * jit/RegisterSet.h:
504         (JSC::RegisterSet::setAny):
505         Clean up selectScratchGPR code to pass JSValueRegs.
506
507 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
508
509         [ESNext][BigInt] Add support for BigInt in SpeculatedType
510         https://bugs.webkit.org/show_bug.cgi?id=182470
511
512         Reviewed by Saam Barati.
513
514         This patch introduces the SpecBigInt type to DFG to enable BigInt
515         speculation into DFG and FTL.
516
517         With SpecBigInt introduction, we can then specialize "===" operations
518         to BigInts. As we are doing for some cells, we first check if operands
519         are pointing to the same JSCell, and if it is false, we
520         fallback to "operationCompareStrictEqCell". The idea in further
521         patches is to implement BigInt equality check directly in
522         assembly.
523
524         We are also adding support for BigInt constant folding into
525         TypeOf operation.
526
527         * bytecode/SpeculatedType.cpp:
528         (JSC::dumpSpeculation):
529         (JSC::speculationFromClassInfo):
530         (JSC::speculationFromStructure):
531         (JSC::speculationFromJSType):
532         (JSC::speculationFromString):
533         * bytecode/SpeculatedType.h:
534         (JSC::isBigIntSpeculation):
535         * dfg/DFGAbstractInterpreterInlines.h:
536         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
537         * dfg/DFGAbstractValue.cpp:
538         (JSC::DFG::AbstractValue::set):
539         * dfg/DFGConstantFoldingPhase.cpp:
540         (JSC::DFG::ConstantFoldingPhase::foldConstants):
541         * dfg/DFGFixupPhase.cpp:
542         (JSC::DFG::FixupPhase::fixupNode):
543         (JSC::DFG::FixupPhase::fixupToThis):
544         (JSC::DFG::FixupPhase::observeUseKindOnNode):
545         * dfg/DFGInferredTypeCheck.cpp:
546         (JSC::DFG::insertInferredTypeCheck):
547         * dfg/DFGNode.h:
548         (JSC::DFG::Node::shouldSpeculateBigInt):
549         * dfg/DFGPredictionPropagationPhase.cpp:
550         * dfg/DFGSafeToExecute.h:
551         (JSC::DFG::SafeToExecuteEdge::operator()):
552         * dfg/DFGSpeculativeJIT.cpp:
553         (JSC::DFG::SpeculativeJIT::compileStrictEq):
554         (JSC::DFG::SpeculativeJIT::speculateBigInt):
555         (JSC::DFG::SpeculativeJIT::speculate):
556         * dfg/DFGSpeculativeJIT.h:
557         * dfg/DFGSpeculativeJIT32_64.cpp:
558         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
559         * dfg/DFGSpeculativeJIT64.cpp:
560         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
561         * dfg/DFGUseKind.cpp:
562         (WTF::printInternal):
563         * dfg/DFGUseKind.h:
564         (JSC::DFG::typeFilterFor):
565         (JSC::DFG::isCell):
566         * ftl/FTLCapabilities.cpp:
567         (JSC::FTL::canCompile):
568         * ftl/FTLLowerDFGToB3.cpp:
569         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
570         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
571         (JSC::FTL::DFG::LowerDFGToB3::speculate):
572         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
573         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
574         * jit/AssemblyHelpers.cpp:
575         (JSC::AssemblyHelpers::branchIfNotType):
576         * jit/AssemblyHelpers.h:
577         (JSC::AssemblyHelpers::branchIfBigInt):
578         (JSC::AssemblyHelpers::branchIfNotBigInt):
579         * runtime/InferredType.cpp:
580         (JSC::InferredType::Descriptor::forValue):
581         (JSC::InferredType::Descriptor::putByIdFlags const):
582         (JSC::InferredType::Descriptor::merge):
583         (WTF::printInternal):
584         * runtime/InferredType.h:
585         * runtime/JSBigInt.h:
586
587 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
588
589         Unreviewed, fix cloop build.
590
591         * dfg/DFGAbstractInterpreterClobberState.cpp:
592
593 2018-04-10  Mark Lam  <mark.lam@apple.com>
594
595         Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
596         https://bugs.webkit.org/show_bug.cgi?id=184464
597         <rdar://problem/39323947>
598
599         Reviewed by Saam Barati.
600
601         * heap/MarkedSpace.h:
602         (JSC::MarkedSpace::sizeClassToIndex):
603
604 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
605
606         DFG AI and clobberize should agree with each other
607         https://bugs.webkit.org/show_bug.cgi?id=184440
608
609         Reviewed by Saam Barati.
610         
611         One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
612         agree with each other. That's what this patch does: it adds an assertion that AI's structure
613         state tracking must be equivalent to JSCell_structureID being clobbered.
614         
615         One subtlety is that AI sometimes folds away structure clobbering using information that
616         clobberize doesn't have. So, we track this wuth special kinds of AI states (FoldedClobber and
617         ObservedTransitions).
618         
619         This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
620         clobberize missing a write(Heap).
621         
622         This also makes some cases more precise in order to appease the assertion. Making things more
623         precise might make things faster, but I didn't measure it because that wasn't the goal.
624
625         * JavaScriptCore.xcodeproj/project.pbxproj:
626         * Sources.txt:
627         * dfg/DFGAbstractInterpreter.h:
628         * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
629         (WTF::printInternal):
630         * dfg/DFGAbstractInterpreterClobberState.h: Added.
631         (JSC::DFG::mergeClobberStates):
632         * dfg/DFGAbstractInterpreterInlines.h:
633         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
634         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
635         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
636         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
637         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
638         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
639         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
640         (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
641         * dfg/DFGAtTailAbstractState.h:
642         (JSC::DFG::AtTailAbstractState::setClobberState):
643         (JSC::DFG::AtTailAbstractState::mergeClobberState):
644         (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
645         * dfg/DFGCFAPhase.cpp:
646         (JSC::DFG::CFAPhase::performBlockCFA):
647         * dfg/DFGClobberSet.cpp:
648         (JSC::DFG::writeSet):
649         * dfg/DFGClobberSet.h:
650         * dfg/DFGClobberize.h:
651         (JSC::DFG::clobberize):
652         * dfg/DFGConstantFoldingPhase.cpp:
653         (JSC::DFG::ConstantFoldingPhase::foldConstants):
654         * dfg/DFGInPlaceAbstractState.h:
655         (JSC::DFG::InPlaceAbstractState::clobberState const):
656         (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
657         (JSC::DFG::InPlaceAbstractState::didClobber const):
658         (JSC::DFG::InPlaceAbstractState::setClobberState):
659         (JSC::DFG::InPlaceAbstractState::mergeClobberState):
660         (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
661
662 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
663
664         ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
665         https://bugs.webkit.org/show_bug.cgi?id=184460
666         <rdar://problem/37610966>
667
668         Reviewed by Mark Lam.
669
670         * bytecode/ExecutableToCodeBlockEdge.cpp:
671         (JSC::ExecutableToCodeBlockEdge::visitChildren):
672
673 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
674
675         REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
676         https://bugs.webkit.org/show_bug.cgi?id=184455
677
678         Reviewed by Michael Saboff.
679         
680         LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
681         says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
682         (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
683         the thing being hoisted does have effects, then we get a crash.
684         
685         In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
686         CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
687         would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
688         effectful.
689         
690         Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
691         clobberize to also think that CompareEq(Untyped:, _) is effectful.
692         
693         This fixes the whole situation by teaching both clobberize and AI that the only effectful form
694         of CompareEq is CompareEq(Untyped:, Untyped:).
695
696         * dfg/DFGAbstractInterpreterInlines.h:
697         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
698         * dfg/DFGClobberize.h:
699         (JSC::DFG::clobberize):
700
701 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
702
703         Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
704         https://bugs.webkit.org/show_bug.cgi?id=184372
705
706         Reviewed by Saam Barati.
707         
708         We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
709         have already proved, using techniques that are more precise than AI, that the edge has type
710         Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
711         because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
712         other than a check - so we think we can call those just because we should have already
713         bailed. It's better to think of them as the result of folding a check. Therefore, we should
714         only do it if there had been a check to begin with.
715
716         * dfg/DFGSpeculativeJIT64.cpp:
717         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
718         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
719         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
720         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
721         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
722         * ftl/FTLLowerDFGToB3.cpp:
723         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
724         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
725         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
726         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
727         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
728         (JSC::FTL::DFG::LowerDFGToB3::speculate):
729         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
730         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
731
732 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
733
734         [JSC] Introduce @putByIdDirectPrivate
735         https://bugs.webkit.org/show_bug.cgi?id=184400
736
737         Reviewed by Saam Barati.
738
739         This patch adds @putByIdDirectPrivate() for use in builtin JS.
740         @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
741         for accessing ECMAScript internal fields.
742
743         This change removes an accidental [[Put]] operation on an object whose [[Prototype]]
744         has internal fields (rather than direct properties). By using @getByIdDirectPrivate() and
745         @putByIdDirectPrivate(), we strictly preserve the semantics of ECMAScript internal
746         fields: accessing an internal field does not traverse prototype chains.
747
748         * builtins/ArrayIteratorPrototype.js:
749         (globalPrivate.arrayIteratorValueNext):
750         (globalPrivate.arrayIteratorKeyNext):
751         (globalPrivate.arrayIteratorKeyValueNext):
752         * builtins/ArrayPrototype.js:
753         (globalPrivate.createArrayIterator):
754         * builtins/AsyncFromSyncIteratorPrototype.js:
755         (globalPrivate.AsyncFromSyncIteratorConstructor):
756         * builtins/AsyncFunctionPrototype.js:
757         (globalPrivate.asyncFunctionResume):
758         * builtins/AsyncGeneratorPrototype.js:
759         (globalPrivate.asyncGeneratorQueueEnqueue):
760         (globalPrivate.asyncGeneratorQueueDequeue):
761         (asyncGeneratorYieldAwaited):
762         (globalPrivate.asyncGeneratorYield):
763         (globalPrivate.doAsyncGeneratorBodyCall):
764         (globalPrivate.asyncGeneratorResumeNext):
765         * builtins/GeneratorPrototype.js:
766         (globalPrivate.generatorResume):
767         * builtins/MapIteratorPrototype.js:
768         (globalPrivate.mapIteratorNext):
769         * builtins/MapPrototype.js:
770         (globalPrivate.createMapIterator):
771         * builtins/ModuleLoaderPrototype.js:
772         (forceFulfillPromise):
773         * builtins/PromiseOperations.js:
774         (globalPrivate.newHandledRejectedPromise):
775         (globalPrivate.rejectPromise):
776         (globalPrivate.fulfillPromise):
777         (globalPrivate.initializePromise):
778         * builtins/PromisePrototype.js:
779         (then):
780         * builtins/SetIteratorPrototype.js:
781         (globalPrivate.setIteratorNext):
782         * builtins/SetPrototype.js:
783         (globalPrivate.createSetIterator):
784         * builtins/StringIteratorPrototype.js:
785         (next):
786         * bytecode/BytecodeIntrinsicRegistry.h:
787         * bytecompiler/NodesCodegen.cpp:
788         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
789         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
790
791 2018-04-09  Mark Lam  <mark.lam@apple.com>
792
793         Decorate method table entries to support pointer profiling.
794         https://bugs.webkit.org/show_bug.cgi?id=184430
795         <rdar://problem/39296190>
796
797         Reviewed by Saam Barati.
798
799         * runtime/ClassInfo.h:
800
801 2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>
802
803         [WPE] Don't install JSC C API headers
804         https://bugs.webkit.org/show_bug.cgi?id=184375
805
806         Reviewed by Žan Doberšek.
807
808         None of the functions declared in these headers are exported in WPE. Use the new jsc API
809         instead.
810
811         * PlatformWPE.cmake:
812
813 2018-04-08  Mark Lam  <mark.lam@apple.com>
814
815         Add pointer profiling to the FTL and supporting code.
816         https://bugs.webkit.org/show_bug.cgi?id=184395
817         <rdar://problem/39264019>
818
819         Reviewed by Michael Saboff and Filip Pizlo.
820
821         * assembler/CodeLocation.h:
822         (JSC::CodeLocationLabel::retagged):
823         (JSC::CodeLocationJump::retagged):
824         * assembler/LinkBuffer.h:
825         (JSC::LinkBuffer::locationOf):
826         * dfg/DFGJITCompiler.cpp:
827         (JSC::DFG::JITCompiler::linkOSRExits):
828         (JSC::DFG::JITCompiler::link):
829         * ftl/FTLCompile.cpp:
830         (JSC::FTL::compile):
831         * ftl/FTLExceptionTarget.cpp:
832         (JSC::FTL::ExceptionTarget::label):
833         (JSC::FTL::ExceptionTarget::jumps):
834         * ftl/FTLExceptionTarget.h:
835         * ftl/FTLJITCode.cpp:
836         (JSC::FTL::JITCode::executableAddressAtOffset):
837         * ftl/FTLLazySlowPath.cpp:
838         (JSC::FTL::LazySlowPath::~LazySlowPath):
839         (JSC::FTL::LazySlowPath::initialize):
840         (JSC::FTL::LazySlowPath::generate):
841         (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
842         * ftl/FTLLazySlowPath.h:
843         * ftl/FTLLink.cpp:
844         (JSC::FTL::link):
845         * ftl/FTLLowerDFGToB3.cpp:
846         (JSC::FTL::DFG::LowerDFGToB3::lower):
847         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
848         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
849         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
850         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
851         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
852         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
853         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
854         * ftl/FTLOSRExitCompiler.cpp:
855         (JSC::FTL::compileStub):
856         (JSC::FTL::compileFTLOSRExit):
857         * ftl/FTLOSRExitHandle.cpp:
858         (JSC::FTL::OSRExitHandle::emitExitThunk):
859         * ftl/FTLOperations.cpp:
860         (JSC::FTL::compileFTLLazySlowPath):
861         * ftl/FTLOutput.h:
862         (JSC::FTL::Output::callWithoutSideEffects):
863         (JSC::FTL::Output::operation):
864         * ftl/FTLPatchpointExceptionHandle.cpp:
865         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
866         * ftl/FTLSlowPathCall.cpp:
867         (JSC::FTL::SlowPathCallContext::makeCall):
868         * ftl/FTLSlowPathCallKey.h:
869         (JSC::FTL::SlowPathCallKey::withCallTarget):
870         (JSC::FTL::SlowPathCallKey::callPtrTag const):
871         * ftl/FTLThunks.cpp:
872         (JSC::FTL::genericGenerationThunkGenerator):
873         (JSC::FTL::osrExitGenerationThunkGenerator):
874         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
875         (JSC::FTL::slowPathCallThunkGenerator):
876         * jit/JITMathIC.h:
877         (JSC::isProfileEmpty):
878         * jit/Repatch.cpp:
879         (JSC::readPutICCallTarget):
880         (JSC::ftlThunkAwareRepatchCall):
881         (JSC::tryCacheGetByID):
882         (JSC::repatchGetByID):
883         (JSC::tryCachePutByID):
884         (JSC::repatchPutByID):
885         (JSC::repatchIn):
886         (JSC::resetGetByID):
887         (JSC::resetPutByID):
888         (JSC::readCallTarget): Deleted.
889         * jit/Repatch.h:
890         * runtime/PtrTag.h:
891
892 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
893
894         Unreviewed, attempt to fix Windows build
895         https://bugs.webkit.org/show_bug.cgi?id=183508
896
897         * jit/JIT.h:
898
899 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
900
901         Unreviewed, build fix for Windows by suppressing padding warning for JIT
902         https://bugs.webkit.org/show_bug.cgi?id=183508
903
904         * jit/JIT.h:
905
906 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
907
908         Use alignas instead of compiler-specific attributes
909         https://bugs.webkit.org/show_bug.cgi?id=183508
910
911         Reviewed by Mark Lam.
912
913         Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
914
915         * heap/RegisterState.h:
916         * jit/JIT.h:
917         (JSC::JIT::compile): Deleted.
918         (JSC::JIT::compileGetByVal): Deleted.
919         (JSC::JIT::compileGetByValWithCachedId): Deleted.
920         (JSC::JIT::compilePutByVal): Deleted.
921         (JSC::JIT::compileDirectPutByVal): Deleted.
922         (JSC::JIT::compilePutByValWithCachedId): Deleted.
923         (JSC::JIT::compileHasIndexedProperty): Deleted.
924         (JSC::JIT::appendCall): Deleted.
925         (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
926         (JSC::JIT::exceptionCheck): Deleted.
927         (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
928         (JSC::JIT::emitInt32Load): Deleted.
929         (JSC::JIT::emitInt32GetByVal): Deleted.
930         (JSC::JIT::emitInt32PutByVal): Deleted.
931         (JSC::JIT::emitDoublePutByVal): Deleted.
932         (JSC::JIT::emitContiguousPutByVal): Deleted.
933         (JSC::JIT::emitStoreCell): Deleted.
934         (JSC::JIT::getSlowCase): Deleted.
935         (JSC::JIT::linkSlowCase): Deleted.
936         (JSC::JIT::linkDummySlowCase): Deleted.
937         (JSC::JIT::linkAllSlowCases): Deleted.
938         (JSC::JIT::callOperation): Deleted.
939         (JSC::JIT::callOperationWithProfile): Deleted.
940         (JSC::JIT::callOperationWithResult): Deleted.
941         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
942         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
943         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
944         (JSC::JIT::sampleCodeBlock): Deleted.
945         (JSC::JIT::canBeOptimized): Deleted.
946         (JSC::JIT::canBeOptimizedOrInlined): Deleted.
947         (JSC::JIT::shouldEmitProfiling): Deleted.
948         * runtime/VM.h:
949
950 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
951
952         Unreviewed, follow-up patch for DFG 32bit
953         https://bugs.webkit.org/show_bug.cgi?id=183970
954
955         * dfg/DFGSpeculativeJIT32_64.cpp:
956         (JSC::DFG::SpeculativeJIT::cachedGetById):
957
958 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
959
960         [JSC] Fix incorrect assertion for VM's regexp buffer lock
961         https://bugs.webkit.org/show_bug.cgi?id=184398
962
963         Reviewed by Mark Lam.
964
965         The isLocked check before taking a lock is incorrect.
966
967         * runtime/VM.cpp:
968         (JSC::VM::acquireRegExpPatternContexBuffer):
969
970 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
971
972         [JSC] Introduce op_get_by_id_direct
973         https://bugs.webkit.org/show_bug.cgi?id=183970
974
975         Reviewed by Filip Pizlo.
976
977         This patch introduces the op_get_by_id_direct bytecode. This is super similar to op_get_by_id,
978         but it just performs the [[GetOwnProperty]] operation instead of [[Get]]. We support this
979         in all the tiers, so using this opcode does not lead to inefficiency.
980
981         The main purpose of op_get_by_id_direct is to use it for private properties. We are using
982         properties indexed with private symbols to implement ECMAScript internal fields. Before this
983         patch, we just used get and put operations. However, that is not the correct semantics: accessing
984         the internal fields should not traverse the prototype chain, as specified in the spec.
985         We use op_get_by_id_direct to access properties that are used as internal fields, so that
986         prototype chains are not traversed.
987
988         To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
989         When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
990         bytecode `op_get_by_id_direct, object, @name`.
991
992         * builtins/ArrayIteratorPrototype.js:
993         (next):
994         (globalPrivate.arrayIteratorValueNext):
995         (globalPrivate.arrayIteratorKeyNext):
996         (globalPrivate.arrayIteratorKeyValueNext):
997         * builtins/AsyncFromSyncIteratorPrototype.js:
998         * builtins/AsyncFunctionPrototype.js:
999         (globalPrivate.asyncFunctionResume):
1000         * builtins/AsyncGeneratorPrototype.js:
1001         (globalPrivate.asyncGeneratorQueueIsEmpty):
1002         (globalPrivate.asyncGeneratorQueueEnqueue):
1003         (globalPrivate.asyncGeneratorQueueDequeue):
1004         (globalPrivate.asyncGeneratorDequeue):
1005         (globalPrivate.isExecutionState):
1006         (globalPrivate.isSuspendYieldState):
1007         (globalPrivate.asyncGeneratorReject):
1008         (globalPrivate.asyncGeneratorResolve):
1009         (globalPrivate.doAsyncGeneratorBodyCall):
1010         (globalPrivate.asyncGeneratorEnqueue):
1011         * builtins/GeneratorPrototype.js:
1012         (globalPrivate.generatorResume):
1013         (next):
1014         (return):
1015         (throw):
1016         * builtins/MapIteratorPrototype.js:
1017         (next):
1018         * builtins/PromiseOperations.js:
1019         (globalPrivate.isPromise):
1020         (globalPrivate.rejectPromise):
1021         (globalPrivate.fulfillPromise):
1022         * builtins/PromisePrototype.js:
1023         (then):
1024         * builtins/SetIteratorPrototype.js:
1025         (next):
1026         * builtins/StringIteratorPrototype.js:
1027         (next):
1028         * builtins/TypedArrayConstructor.js:
1029         (of):
1030         (from):
1031         * bytecode/BytecodeDumper.cpp:
1032         (JSC::BytecodeDumper<Block>::dumpBytecode):
1033         * bytecode/BytecodeIntrinsicRegistry.h:
1034         * bytecode/BytecodeList.json:
1035         * bytecode/BytecodeUseDef.h:
1036         (JSC::computeUsesForBytecodeOffset):
1037         (JSC::computeDefsForBytecodeOffset):
1038         * bytecode/CodeBlock.cpp:
1039         (JSC::CodeBlock::finishCreation):
1040         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1041         * bytecode/GetByIdStatus.cpp:
1042         (JSC::GetByIdStatus::computeFromLLInt):
1043         (JSC::GetByIdStatus::computeFor):
1044         * bytecode/StructureStubInfo.cpp:
1045         (JSC::StructureStubInfo::reset):
1046         * bytecode/StructureStubInfo.h:
1047         (JSC::appropriateOptimizingGetByIdFunction):
1048         (JSC::appropriateGenericGetByIdFunction):
1049         * bytecompiler/BytecodeGenerator.cpp:
1050         (JSC::BytecodeGenerator::emitDirectGetById):
1051         * bytecompiler/BytecodeGenerator.h:
1052         * bytecompiler/NodesCodegen.cpp:
1053         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
1054         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1055         * dfg/DFGAbstractInterpreterInlines.h:
1056         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1057         * dfg/DFGByteCodeParser.cpp:
1058         (JSC::DFG::ByteCodeParser::handleGetById):
1059         (JSC::DFG::ByteCodeParser::parseBlock):
1060         * dfg/DFGCapabilities.cpp:
1061         (JSC::DFG::capabilityLevel):
1062         * dfg/DFGClobberize.h:
1063         (JSC::DFG::clobberize):
1064         * dfg/DFGConstantFoldingPhase.cpp:
1065         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1066         * dfg/DFGDoesGC.cpp:
1067         (JSC::DFG::doesGC):
1068         * dfg/DFGFixupPhase.cpp:
1069         (JSC::DFG::FixupPhase::fixupNode):
1070         * dfg/DFGNode.h:
1071         (JSC::DFG::Node::convertToGetByOffset):
1072         (JSC::DFG::Node::convertToMultiGetByOffset):
1073         (JSC::DFG::Node::hasIdentifier):
1074         (JSC::DFG::Node::hasHeapPrediction):
1075         * dfg/DFGNodeType.h:
1076         * dfg/DFGOperations.cpp:
1077         * dfg/DFGOperations.h:
1078         * dfg/DFGPredictionPropagationPhase.cpp:
1079         * dfg/DFGSafeToExecute.h:
1080         (JSC::DFG::safeToExecute):
1081         * dfg/DFGSpeculativeJIT.cpp:
1082         (JSC::DFG::SpeculativeJIT::compileGetById):
1083         (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
1084         (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
1085         * dfg/DFGSpeculativeJIT.h:
1086         * dfg/DFGSpeculativeJIT32_64.cpp:
1087         (JSC::DFG::SpeculativeJIT::cachedGetById):
1088         (JSC::DFG::SpeculativeJIT::compile):
1089         * dfg/DFGSpeculativeJIT64.cpp:
1090         (JSC::DFG::SpeculativeJIT::cachedGetById):
1091         (JSC::DFG::SpeculativeJIT::compile):
1092         * ftl/FTLCapabilities.cpp:
1093         (JSC::FTL::canCompile):
1094         * ftl/FTLLowerDFGToB3.cpp:
1095         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1096         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
1097         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
1098         (JSC::FTL::DFG::LowerDFGToB3::getById):
1099         * jit/JIT.cpp:
1100         (JSC::JIT::privateCompileMainPass):
1101         (JSC::JIT::privateCompileSlowCases):
1102         * jit/JIT.h:
1103         * jit/JITOperations.cpp:
1104         * jit/JITOperations.h:
1105         * jit/JITPropertyAccess.cpp:
1106         (JSC::JIT::emit_op_get_by_id_direct):
1107         (JSC::JIT::emitSlow_op_get_by_id_direct):
1108         * jit/JITPropertyAccess32_64.cpp:
1109         (JSC::JIT::emit_op_get_by_id_direct):
1110         (JSC::JIT::emitSlow_op_get_by_id_direct):
1111         * jit/Repatch.cpp:
1112         (JSC::appropriateOptimizingGetByIdFunction):
1113         (JSC::appropriateGetByIdFunction):
1114         (JSC::tryCacheGetByID):
1115         (JSC::repatchGetByID):
1116         (JSC::appropriateGenericGetByIdFunction): Deleted.
1117         * jit/Repatch.h:
1118         * llint/LLIntSlowPaths.cpp:
1119         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1120         * llint/LLIntSlowPaths.h:
1121         * llint/LowLevelInterpreter32_64.asm:
1122         * llint/LowLevelInterpreter64.asm:
1123         * runtime/JSCJSValue.h:
1124         * runtime/JSCJSValueInlines.h:
1125         (JSC::JSValue::getOwnPropertySlot const):
1126         * runtime/JSObject.h:
1127         * runtime/JSObjectInlines.h:
1128         (JSC::JSObject::getOwnPropertySlotInline):
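
The prototype-chain hazard that the @putByIdDirectPrivate entry (2018-04-08) and the op_get_by_id_direct entry above both describe, shown in plain JavaScript. This is an added illustration, not JavaScriptCore code or a test from the project: a public Symbol named kState stands in for JSC's private symbol, Object.getOwnPropertyDescriptor plays the role of [[GetOwnProperty]] (op_get_by_id_direct), Object.defineProperty plays the role of [[DefineOwnProperty]] (@putByIdDirectPrivate), and every object and value below is constructed for the demo.

```javascript
// Added illustration (not JavaScriptCore code): why internal-field access must
// not walk the prototype chain. A plain Symbol stands in for JSC's private symbol.
const kState = Symbol('internal-state'); // constructed stand-in for a private symbol

// [[Get]] semantics: what a plain get_by_id does. Walks the prototype chain.
function readViaGet(obj) {
  return obj[kState];
}

// [[GetOwnProperty]] semantics: what op_get_by_id_direct / @getByIdDirectPrivate does.
// Looks only at the object itself; an inherited field is invisible.
function readOwnOnly(obj) {
  const desc = Object.getOwnPropertyDescriptor(obj, kState);
  return desc === undefined ? undefined : desc.value;
}

// [[Put]] semantics: consults the prototype chain for setters and read-only slots.
function writeViaPut(obj, value) {
  'use strict'; // strict so that a rejected [[Put]] throws instead of being dropped silently
  obj[kState] = value;
}

// [[DefineOwnProperty]] semantics: what @putByIdDirectPrivate does.
// Stores on the receiver itself, regardless of what the prototype holds.
function writeOwnOnly(obj, value) {
  Object.defineProperty(obj, kState, {
    value, writable: true, configurable: true, enumerable: false,
  });
}

function runDemo() {
  const results = {};

  // Part 1: an "initialized" object carrying an internal field, and a second
  // object whose [[Prototype]] is that object but which was never initialized.
  const initialized = {};
  writeOwnOnly(initialized, 'initialized');
  const derived = Object.create(initialized);

  // [[Get]] finds the inherited field, so `derived` wrongly looks initialized.
  results.getSeesInherited = readViaGet(derived);  // 'initialized'
  // [[GetOwnProperty]] reports the truth: `derived` has no such field.
  results.directSeesOwn = readOwnOnly(derived);    // undefined

  // Part 2: a read-only field on the prototype. [[Put]] on the child is
  // rejected (TypeError in strict code), so the child's state is never stored.
  const frozenProto = {};
  Object.defineProperty(frozenProto, kState, { value: 'proto', writable: false });
  const child = Object.create(frozenProto);
  try {
    writeViaPut(child, 'child');
    results.putThrew = false;
  } catch (e) {
    results.putThrew = e instanceof TypeError;
  }
  results.afterPut = readOwnOnly(child);           // undefined: nothing landed on child

  // [[DefineOwnProperty]] succeeds on the child and leaves the prototype alone.
  writeOwnOnly(child, 'child');
  results.afterDefine = readOwnOnly(child);        // 'child'
  results.protoUntouched = readOwnOnly(frozenProto); // 'proto'

  return results;
}

console.log(runDemo());
```

Run it with node. The first half shows why a plain [[Get]] is the wrong primitive for internal fields: an object that merely inherits from an initialized object appears initialized itself. The second half shows the [[Put]] side of the same problem: a read-only field on the prototype makes the write on the derived object fail (a TypeError in strict code, silently dropped otherwise), whereas defining the own property succeeds and does not touch the prototype.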
1129
1130 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1131
1132         [JSC] Remove several asXXX functions
1133         https://bugs.webkit.org/show_bug.cgi?id=184355
1134
1135         Reviewed by JF Bastien.
1136
1137         Remove asActivation, asInternalFunction, and asGetterSetter.
1138         Use jsCast<> / jsDynamicCast<> consistently.
1139
1140         * runtime/ArrayConstructor.cpp:
1141         (JSC::constructArrayWithSizeQuirk):
1142         * runtime/AsyncFunctionConstructor.cpp:
1143         (JSC::callAsyncFunctionConstructor):
1144         (JSC::constructAsyncFunctionConstructor):
1145         * runtime/AsyncGeneratorFunctionConstructor.cpp:
1146         (JSC::callAsyncGeneratorFunctionConstructor):
1147         (JSC::constructAsyncGeneratorFunctionConstructor):
1148         * runtime/BooleanConstructor.cpp:
1149         (JSC::constructWithBooleanConstructor):
1150         * runtime/DateConstructor.cpp:
1151         (JSC::constructWithDateConstructor):
1152         * runtime/ErrorConstructor.cpp:
1153         (JSC::Interpreter::constructWithErrorConstructor):
1154         (JSC::Interpreter::callErrorConstructor):
1155         * runtime/FunctionConstructor.cpp:
1156         (JSC::constructWithFunctionConstructor):
1157         (JSC::callFunctionConstructor):
1158         * runtime/FunctionPrototype.cpp:
1159         (JSC::functionProtoFuncToString):
1160         * runtime/GeneratorFunctionConstructor.cpp:
1161         (JSC::callGeneratorFunctionConstructor):
1162         (JSC::constructGeneratorFunctionConstructor):
1163         * runtime/GetterSetter.h:
1164         (JSC::asGetterSetter): Deleted.
1165         * runtime/InternalFunction.h:
1166         (JSC::asInternalFunction): Deleted.
1167         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1168         (JSC::constructGenericTypedArrayView):
1169         * runtime/JSLexicalEnvironment.h:
1170         (JSC::asActivation): Deleted.
1171         * runtime/JSObject.cpp:
1172         (JSC::validateAndApplyPropertyDescriptor):
1173         * runtime/MapConstructor.cpp:
1174         (JSC::constructMap):
1175         * runtime/PropertyDescriptor.cpp:
1176         (JSC::PropertyDescriptor::setDescriptor):
1177         * runtime/RegExpConstructor.cpp:
1178         (JSC::constructWithRegExpConstructor):
1179         (JSC::callRegExpConstructor):
1180         * runtime/SetConstructor.cpp:
1181         (JSC::constructSet):
1182         * runtime/StringConstructor.cpp:
1183         (JSC::constructWithStringConstructor):
1184         * runtime/WeakMapConstructor.cpp:
1185         (JSC::constructWeakMap):
1186         * runtime/WeakSetConstructor.cpp:
1187         (JSC::constructWeakSet):
1188         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1189         (JSC::constructJSWebAssemblyCompileError):
1190         (JSC::callJSWebAssemblyCompileError):
1191         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1192         (JSC::constructJSWebAssemblyLinkError):
1193         (JSC::callJSWebAssemblyLinkError):
1194         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1195         (JSC::constructJSWebAssemblyRuntimeError):
1196         (JSC::callJSWebAssemblyRuntimeError):
1197
1198 2018-04-05  Mark Lam  <mark.lam@apple.com>
1199
1200         MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
1201         https://bugs.webkit.org/show_bug.cgi?id=184347
1202         <rdar://problem/39183165>
1203
1204         Reviewed by Michael Saboff.
1205
1206         * assembler/MacroAssemblerCodeRef.h:
1207         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1208         (JSC::MacroAssemblerCodePtr::retagged const):
1209
1210 2018-04-05  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1211
1212         [MIPS] Optimize generated JIT code for branches
1213         https://bugs.webkit.org/show_bug.cgi?id=183130
1214
1215         Reviewed by Yusuke Suzuki.
1216
1217         The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
1218         branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
1219         to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
1220         However, this adds a significant overhead for all other types of branches. Since these nop's
1221         protect the code that is generated by branchPtrWithPatch, this function seems like a better
1222         place to add them.
1223
1224         * assembler/MIPSAssembler.h:
1225         (JSC::MIPSAssembler::repatchInt32):
1226         (JSC::MIPSAssembler::revertJumpToMove):
1227         * assembler/MacroAssemblerMIPS.h:
1228         (JSC::MacroAssemblerMIPS::branchAdd32):
1229         (JSC::MacroAssemblerMIPS::branchMul32):
1230         (JSC::MacroAssemblerMIPS::branchSub32):
1231         (JSC::MacroAssemblerMIPS::branchNeg32):
1232         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
1233         (JSC::MacroAssemblerMIPS::branchEqual):
1234         (JSC::MacroAssemblerMIPS::branchNotEqual):
1235
1236 2018-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1237
1238         [WTF] Remove StaticLock
1239         https://bugs.webkit.org/show_bug.cgi?id=184332
1240
1241         Reviewed by Mark Lam.
1242
1243         * API/JSValue.mm:
1244         (handerForStructTag):
1245         * API/JSVirtualMachine.mm:
1246         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
1247         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
1248         * API/glib/JSCVirtualMachine.cpp:
1249         (addWrapper):
1250         (removeWrapper):
1251         * assembler/testmasm.cpp:
1252         * b3/air/testair.cpp:
1253         * b3/testb3.cpp:
1254         * bytecode/SuperSampler.cpp:
1255         * dfg/DFGCommon.cpp:
1256         * dfg/DFGCommonData.cpp:
1257         * dynbench.cpp:
1258         * heap/MachineStackMarker.cpp:
1259         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1260         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
1261         (Inspector::RemoteTargetHandleRunSourceGlobal):
1262         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
1263         * interpreter/CLoopStack.cpp:
1264         * parser/SourceProvider.cpp:
1265         * profiler/ProfilerDatabase.cpp:
1266         * profiler/ProfilerUID.cpp:
1267         (JSC::Profiler::UID::create):
1268         * runtime/IntlObject.cpp:
1269         (JSC::numberingSystemsForLocale):
1270         * runtime/JSLock.cpp:
1271         * runtime/JSLock.h:
1272         * runtime/SamplingProfiler.cpp:
1273         (JSC::SamplingProfiler::registerForReportAtExit):
1274         * runtime/VM.cpp:
1275         * wasm/WasmFaultSignalHandler.cpp:
1276
1277 2018-04-04  Mark Lam  <mark.lam@apple.com>
1278
1279         Add pointer profiling support to the DFG and supporting files.
1280         https://bugs.webkit.org/show_bug.cgi?id=184316
1281         <rdar://problem/39188524>
1282
1283         Reviewed by Filip Pizlo.
1284
1285         1. Profile lots of pointers with PtrTags.
1286
1287         2. Remove PtrTag.cpp and make ptrTagName() into an inline function.  It's only
1288            used for debugging anyway, and not normally called in the code.  Making it
1289            an inline function prevents it from taking up code space in builds when not in
1290            use.
1291
1292         3. Change the call to the arityFixupThunk in DFG code to be a near call.
1293            It doesn't need to be a far call.
1294
1295         * CMakeLists.txt:
1296         * JavaScriptCore.xcodeproj/project.pbxproj:
1297         * Sources.txt:
1298         * assembler/testmasm.cpp:
1299         (JSC::testProbeModifiesProgramCounter):
1300         * b3/B3LowerMacros.cpp:
1301         * b3/air/AirCCallSpecial.cpp:
1302         (JSC::B3::Air::CCallSpecial::generate):
1303         * b3/air/AirCCallSpecial.h:
1304         * b3/testb3.cpp:
1305         (JSC::B3::testInterpreter):
1306         * bytecode/AccessCase.cpp:
1307         (JSC::AccessCase::generateImpl):
1308         * bytecode/HandlerInfo.h:
1309         (JSC::HandlerInfo::initialize):
1310         * bytecode/PolymorphicAccess.cpp:
1311         (JSC::PolymorphicAccess::regenerate):
1312         * dfg/DFGJITCompiler.cpp:
1313         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1314         (JSC::DFG::JITCompiler::link):
1315         (JSC::DFG::JITCompiler::compileFunction):
1316         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1317         * dfg/DFGJITCompiler.h:
1318         (JSC::DFG::JITCompiler::appendCall):
1319         * dfg/DFGOSREntry.cpp:
1320         (JSC::DFG::prepareOSREntry):
1321         * dfg/DFGOSRExit.cpp:
1322         (JSC::DFG::reifyInlinedCallFrames):
1323         (JSC::DFG::adjustAndJumpToTarget):
1324         (JSC::DFG::OSRExit::emitRestoreArguments):
1325         (JSC::DFG::OSRExit::compileOSRExit):
1326         * dfg/DFGOSRExitCompilerCommon.cpp:
1327         (JSC::DFG::handleExitCounts):
1328         (JSC::DFG::reifyInlinedCallFrames):
1329         (JSC::DFG::osrWriteBarrier):
1330         (JSC::DFG::adjustAndJumpToTarget):
1331         * dfg/DFGOperations.cpp:
1332         * dfg/DFGSlowPathGenerator.h:
1333         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
1334         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
1335         (JSC::DFG::slowPathCall):
1336         * dfg/DFGSpeculativeJIT.cpp:
1337         (JSC::DFG::SpeculativeJIT::compileMathIC):
1338         * dfg/DFGSpeculativeJIT.h:
1339         (JSC::DFG::SpeculativeJIT::callOperation):
1340         (JSC::DFG::SpeculativeJIT::appendCall):
1341         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1342         * dfg/DFGSpeculativeJIT64.cpp:
1343         (JSC::DFG::SpeculativeJIT::cachedGetById):
1344         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1345         (JSC::DFG::SpeculativeJIT::cachedPutById):
1346         (JSC::DFG::SpeculativeJIT::compile):
1347         * dfg/DFGThunks.cpp:
1348         (JSC::DFG::osrExitThunkGenerator):
1349         (JSC::DFG::osrExitGenerationThunkGenerator):
1350         (JSC::DFG::osrEntryThunkGenerator):
1351         * jit/AssemblyHelpers.cpp:
1352         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1353         * jit/JIT.cpp:
1354         (JSC::JIT::emitEnterOptimizationCheck):
1355         (JSC::JIT::compileWithoutLinking):
1356         * jit/JITCall.cpp:
1357         (JSC::JIT::compileOpCallSlowCase):
1358         * jit/JITMathIC.h:
1359         (JSC::isProfileEmpty):
1360         * jit/JITOpcodes.cpp:
1361         (JSC::JIT::emit_op_catch):
1362         (JSC::JIT::emitSlow_op_loop_hint):
1363         * jit/JITOperations.cpp:
1364         * jit/Repatch.cpp:
1365         (JSC::linkSlowFor):
1366         (JSC::linkFor):
1367         (JSC::revertCall):
1368         (JSC::unlinkFor):
1369         (JSC::linkVirtualFor):
1370         (JSC::linkPolymorphicCall):
1371         * jit/ThunkGenerators.cpp:
1372         (JSC::throwExceptionFromCallSlowPathGenerator):
1373         (JSC::linkCallThunkGenerator):
1374         (JSC::linkPolymorphicCallThunkGenerator):
1375         (JSC::virtualThunkFor):
1376         (JSC::arityFixupGenerator):
1377         (JSC::unreachableGenerator):
1378         * runtime/PtrTag.cpp: Removed.
1379         * runtime/PtrTag.h:
1380         (JSC::ptrTagName):
1381         * runtime/VMEntryScope.cpp:
1382         * wasm/js/WasmToJS.cpp:
1383         (JSC::Wasm::wasmToJS):
1384
1385 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
1386
1387         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
1388         https://bugs.webkit.org/show_bug.cgi?id=184319
1389
1390         Reviewed by Saam Barati.
1391
1392         In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
1393         assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
1394         the ArrayPush.
1395
1396         But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
1397         GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
1398         eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
1399         with a GetByVal(SaneChain), then we will hit the assertion.
1400
1401         This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
1402         tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
1403         than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
1404
1405         * dfg/DFGCSEPhase.cpp:
1406         * dfg/DFGClobberize.h:
1407         (JSC::DFG::clobberize):
1408         * dfg/DFGHeapLocation.cpp:
1409         (WTF::printInternal):
1410         * dfg/DFGHeapLocation.h:
1411         * dfg/DFGSpeculativeJIT.cpp:
1412         (JSC::DFG::SpeculativeJIT::compileArrayPush):
1413
1414 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
1415
1416         Remove poisoning of typed array vector
1417         https://bugs.webkit.org/show_bug.cgi?id=184313
1418
1419         Reviewed by Saam Barati.
1420
1421         * dfg/DFGFixupPhase.cpp:
1422         (JSC::DFG::FixupPhase::checkArray):
1423         * dfg/DFGSpeculativeJIT.cpp:
1424         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
1425         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1426         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1427         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1428         * ftl/FTLAbstractHeapRepository.h:
1429         * ftl/FTLLowerDFGToB3.cpp:
1430         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1431         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1432         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1433         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
1434         * jit/IntrinsicEmitter.cpp:
1435         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
1436         * jit/JITPropertyAccess.cpp:
1437         (JSC::JIT::emitIntTypedArrayGetByVal):
1438         (JSC::JIT::emitFloatTypedArrayGetByVal):
1439         (JSC::JIT::emitIntTypedArrayPutByVal):
1440         (JSC::JIT::emitFloatTypedArrayPutByVal):
1441         * llint/LowLevelInterpreter.asm:
1442         * llint/LowLevelInterpreter64.asm:
1443         * offlineasm/arm64.rb:
1444         * offlineasm/x86.rb:
1445         * runtime/CagedBarrierPtr.h:
1446         * runtime/JSArrayBufferView.cpp:
1447         (JSC::JSArrayBufferView::JSArrayBufferView):
1448         (JSC::JSArrayBufferView::finalize):
1449         (JSC::JSArrayBufferView::neuter):
1450         * runtime/JSArrayBufferView.h:
1451         (JSC::JSArrayBufferView::vector const):
1452         (JSC::JSArrayBufferView::offsetOfVector):
1453         (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
1454         (JSC::JSArrayBufferView::poisonFor): Deleted.
1455         (JSC::JSArrayBufferView::Poison::key): Deleted.
1456         * runtime/JSCPoison.cpp:
1457         (JSC::initializePoison):
1458         * runtime/JSCPoison.h:
1459         * runtime/JSGenericTypedArrayViewInlines.h:
1460         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
1461         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1462         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1463         * runtime/JSObject.h:
1464
1465 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
1466
1467         Don't do index masking or poisoning for DirectArguments
1468         https://bugs.webkit.org/show_bug.cgi?id=184280
1469
1470         Reviewed by Saam Barati.
1471
1472         * JavaScriptCore.xcodeproj/project.pbxproj:
1473         * bytecode/AccessCase.cpp:
1474         (JSC::AccessCase::generateWithGuard):
1475         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1476         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
1477         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
1478         * dfg/DFGSpeculativeJIT.cpp:
1479         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1480         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1481         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1482         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
1483         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
1484         * ftl/FTLAbstractHeapRepository.h:
1485         * ftl/FTLLowerDFGToB3.cpp:
1486         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
1487         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1488         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1489         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
1490         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
1491         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1492         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
1493         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
1494         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
1495         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
1496         * heap/SecurityKind.h:
1497         * jit/JITPropertyAccess.cpp:
1498         (JSC::JIT::emit_op_get_from_arguments):
1499         (JSC::JIT::emit_op_put_to_arguments):
1500         (JSC::JIT::emitDirectArgumentsGetByVal):
1501         * jit/JITPropertyAccess32_64.cpp:
1502         (JSC::JIT::emit_op_get_from_arguments):
1503         (JSC::JIT::emit_op_put_to_arguments):
1504         * llint/LowLevelInterpreter.asm:
1505         * llint/LowLevelInterpreter32_64.asm:
1506         * llint/LowLevelInterpreter64.asm:
1507         * runtime/DirectArguments.cpp:
1508         (JSC::DirectArguments::DirectArguments):
1509         (JSC::DirectArguments::createUninitialized):
1510         (JSC::DirectArguments::create):
1511         (JSC::DirectArguments::createByCopying):
1512         (JSC::DirectArguments::estimatedSize):
1513         (JSC::DirectArguments::visitChildren):
1514         (JSC::DirectArguments::overrideThings):
1515         (JSC::DirectArguments::copyToArguments):
1516         (JSC::DirectArguments::mappedArgumentsSize):
1517         * runtime/DirectArguments.h:
1518         * runtime/JSCPoison.h:
1519         * runtime/JSLexicalEnvironment.h:
1520         * runtime/JSSymbolTableObject.h:
1521
1522 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
1523
1524         JSArray::appendMemcpy seems to be missing a barrier
1525         https://bugs.webkit.org/show_bug.cgi?id=184290
1526
1527         Reviewed by Mark Lam.
1528         
1529         If you write to an array that may contain pointers and you didn't just allocate it, then you need to
1530         barrier right after.
1531         
1532         I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
1533         obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
1534
1535         * runtime/JSArray.cpp:
1536         (JSC::JSArray::appendMemcpy):
1537
1538 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
1539
1540         GC shouldn't do object distancing
1541         https://bugs.webkit.org/show_bug.cgi?id=184195
1542
1543         Reviewed by Saam Barati.
1544         
1545         This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
1546         to be a small speed-up.
1547
1548         * CMakeLists.txt:
1549         * JavaScriptCore.xcodeproj/project.pbxproj:
1550         * Sources.txt:
1551         * heap/BlockDirectory.cpp:
1552         (JSC::BlockDirectory::findBlockForAllocation):
1553         (JSC::BlockDirectory::addBlock):
1554         * heap/BlockDirectory.h:
1555         * heap/CellAttributes.cpp:
1556         (JSC::CellAttributes::dump const):
1557         * heap/CellAttributes.h:
1558         (JSC::CellAttributes::CellAttributes):
1559         * heap/LocalAllocator.cpp:
1560         (JSC::LocalAllocator::allocateSlowCase):
1561         (JSC::LocalAllocator::tryAllocateWithoutCollecting):
1562         * heap/MarkedBlock.cpp:
1563         (JSC::MarkedBlock::Handle::didAddToDirectory):
1564         * heap/MarkedBlock.h:
1565         (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
1566         * heap/SecurityKind.cpp: Removed.
1567         * heap/SecurityKind.h: Removed.
1568         * heap/SecurityOriginToken.cpp: Removed.
1569         * heap/SecurityOriginToken.h: Removed.
1570         * heap/ThreadLocalCache.cpp:
1571         (JSC::ThreadLocalCache::create):
1572         (JSC::ThreadLocalCache::ThreadLocalCache):
1573         * heap/ThreadLocalCache.h:
1574         (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
1575         * runtime/JSDestructibleObjectHeapCellType.cpp:
1576         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
1577         * runtime/JSGlobalObject.cpp:
1578         (JSC::JSGlobalObject::JSGlobalObject):
1579         * runtime/JSGlobalObject.h:
1580         (JSC::JSGlobalObject::threadLocalCache const): Deleted.
1581         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
1582         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
1583         * runtime/JSStringHeapCellType.cpp:
1584         (JSC::JSStringHeapCellType::JSStringHeapCellType):
1585         * runtime/VM.cpp:
1586         (JSC::VM::VM):
1587         * runtime/VM.h:
1588         * runtime/VMEntryScope.cpp:
1589         (JSC::VMEntryScope::VMEntryScope):
1590         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
1591         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
1592
1593 2018-04-02  Saam Barati  <sbarati@apple.com>
1594
1595         bmalloc should compute its own estimate of its footprint
1596         https://bugs.webkit.org/show_bug.cgi?id=184121
1597
1598         Reviewed by Filip Pizlo.
1599
1600         * heap/IsoAlignedMemoryAllocator.cpp:
1601         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1602         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
1603         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
1604
1605 2018-04-02  Mark Lam  <mark.lam@apple.com>
1606
1607         We should not trash the stack pointer on OSR entry.
1608         https://bugs.webkit.org/show_bug.cgi?id=184243
1609         <rdar://problem/39114319>
1610
1611         Reviewed by Filip Pizlo.
1612
1613         In the DFG OSR entry path, we momentarily overwrite the stack pointer with
1614         returnValueGPR2.  returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
1615         Hence, this assignment is wrong, and it turns out to be unnecessary as well.
1616         The stack pointer does get corrected later in the thunk (generated by
1617         osrEntryThunkGenerator()) that we jump to.  This is why we don't see ill effects
1618         so far.
1619
1620         This bug only poses an issue if interrupts use the user stack for their stack
1621         frame (e.g. Linux), and when we do stack alignment tests during debugging.
1622
1623         The fix is simply to remove the assignment.
1624
1625         * dfg/DFGThunks.cpp:
1626         (JSC::DFG::osrEntryThunkGenerator):
1627         * jit/JIT.cpp:
1628         (JSC::JIT::emitEnterOptimizationCheck):
1629
1630 2018-04-02  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1631
1632         [MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
1633         https://bugs.webkit.org/show_bug.cgi?id=183740
1634
1635         Reviewed by Yusuke Suzuki.
1636
1637         In many macro assembler methods with TrustedImm32 operand a move imm, immTemp (pseudo)instruction is
1638         first generated and a register operand variant of the same method is called to generate the rest
1639         of the code. If the immediate value can fit in 16 bits then we can skip the move instruction and
1640         generate more efficient code using MIPS instructions with immediate operand.
1641
1642         * assembler/MIPSAssembler.h:
1643         (JSC::MIPSAssembler::slti):
1644         * assembler/MacroAssemblerMIPS.h:
1645         (JSC::MacroAssemblerMIPS::lshift32):
1646         (JSC::MacroAssemblerMIPS::xor32):
1647         (JSC::MacroAssemblerMIPS::branch8):
1648         (JSC::MacroAssemblerMIPS::compare8):
1649         (JSC::MacroAssemblerMIPS::branch32):
1650         (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
1651         (JSC::MacroAssemblerMIPS::branchTest32):
1652         (JSC::MacroAssemblerMIPS::mask8OnTest):
1653         (JSC::MacroAssemblerMIPS::branchTest8):
1654         (JSC::MacroAssemblerMIPS::branchAdd32):
1655         (JSC::MacroAssemblerMIPS::branchNeg32):
1656         (JSC::MacroAssemblerMIPS::compare32):
1657         (JSC::MacroAssemblerMIPS::test8):
1658
1659 2018-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1660
1661         [DFG] More aggressive removal of duplicate 32bit DFG code
1662         https://bugs.webkit.org/show_bug.cgi?id=184089
1663
1664         Reviewed by Saam Barati.
1665
1666         This patch more aggressively removes duplicate 32bit DFG code
1667         by leveraging JSValueRegs and meta-programmed callOperation.
1668
1669         * dfg/DFGSpeculativeJIT.cpp:
1670         (JSC::DFG::SpeculativeJIT::compileGetByValWithThis):
1671         (JSC::DFG::SpeculativeJIT::compileArithMinMax):
1672         (JSC::DFG::SpeculativeJIT::compileNewArray):
1673         (JSC::DFG::SpeculativeJIT::compileCheckCell):
1674         (JSC::DFG::SpeculativeJIT::compileGetGlobalVariable):
1675         (JSC::DFG::SpeculativeJIT::compilePutGlobalVariable):
1676         (JSC::DFG::SpeculativeJIT::compileGetClosureVar):
1677         (JSC::DFG::SpeculativeJIT::compilePutClosureVar):
1678         (JSC::DFG::SpeculativeJIT::compileGetByOffset):
1679         (JSC::DFG::SpeculativeJIT::compilePutByOffset):
1680         (JSC::DFG::SpeculativeJIT::compileGetExecutable):
1681         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
1682         (JSC::DFG::SpeculativeJIT::compileToThis):
1683         (JSC::DFG::SpeculativeJIT::compileIdentity):
1684         * dfg/DFGSpeculativeJIT.h:
1685         * dfg/DFGSpeculativeJIT32_64.cpp:
1686         (JSC::DFG::SpeculativeJIT::compile):
1687         * dfg/DFGSpeculativeJIT64.cpp:
1688         (JSC::DFG::SpeculativeJIT::compile):
1689
1690 2018-04-01  Filip Pizlo  <fpizlo@apple.com>
1691
1692         Raise the for-call inlining threshold to 190 to fix JetStream/richards regression
1693         https://bugs.webkit.org/show_bug.cgi?id=184228
1694
1695         Reviewed by Yusuke Suzuki.
1696
1697         * runtime/Options.h:
1698
1699 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
1700
1701         JSObject shouldn't do index masking
1702         https://bugs.webkit.org/show_bug.cgi?id=184194
1703
1704         Reviewed by Yusuke Suzuki.
1705         
1706         Remove index masking, because it's not the way we'll mitigate Spectre.
1707
1708         * API/tests/JSObjectGetProxyTargetTest.cpp:
1709         (testJSObjectGetProxyTarget):
1710         * b3/B3LowerToAir.cpp:
1711         * b3/B3Validate.cpp:
1712         * b3/B3WasmBoundsCheckValue.cpp:
1713         (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
1714         (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
1715         * b3/B3WasmBoundsCheckValue.h:
1716         (JSC::B3::WasmBoundsCheckValue::bounds const):
1717         (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): Deleted.
1718         * b3/testb3.cpp:
1719         (JSC::B3::testWasmBoundsCheck):
1720         (JSC::B3::run):
1721         * dfg/DFGAbstractInterpreterInlines.h:
1722         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1723         * dfg/DFGArgumentsEliminationPhase.cpp:
1724         * dfg/DFGByteCodeParser.cpp:
1725         (JSC::DFG::ByteCodeParser::parseBlock):
1726         * dfg/DFGClobberize.h:
1727         (JSC::DFG::clobberize):
1728         * dfg/DFGDoesGC.cpp:
1729         (JSC::DFG::doesGC):
1730         * dfg/DFGFixupPhase.cpp:
1731         (JSC::DFG::FixupPhase::fixupNode):
1732         * dfg/DFGNodeType.h:
1733         * dfg/DFGPredictionPropagationPhase.cpp:
1734         * dfg/DFGSSALoweringPhase.cpp:
1735         (JSC::DFG::SSALoweringPhase::handleNode):
1736         * dfg/DFGSafeToExecute.h:
1737         (JSC::DFG::safeToExecute):
1738         * dfg/DFGSpeculativeJIT.cpp:
1739         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1740         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1741         (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
1742         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1743         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1744         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1745         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1746         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1747         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1748         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1749         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
1750         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
1751         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1752         (JSC::DFG::SpeculativeJIT::compileNewObject):
1753         * dfg/DFGSpeculativeJIT.h:
1754         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1755         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1756         * dfg/DFGSpeculativeJIT32_64.cpp:
1757         (JSC::DFG::SpeculativeJIT::compile):
1758         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1759         * dfg/DFGSpeculativeJIT64.cpp:
1760         (JSC::DFG::SpeculativeJIT::compile):
1761         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1762         * ftl/FTLAbstractHeapRepository.h:
1763         * ftl/FTLCapabilities.cpp:
1764         (JSC::FTL::canCompile):
1765         * ftl/FTLLowerDFGToB3.cpp:
1766         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1767         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
1768         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1769         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1770         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1771         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1772         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1773         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1774         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1775         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1776         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1777         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1778         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1779         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1780         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
1781         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): Deleted.
1782         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): Deleted.
1783         (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask): Deleted.
1784         * jit/AssemblyHelpers.h:
1785         (JSC::AssemblyHelpers::emitAllocateJSObject):
1786         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1787         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
1788         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1789         * jit/JITOpcodes.cpp:
1790         (JSC::JIT::emit_op_new_object):
1791         (JSC::JIT::emit_op_create_this):
1792         * jit/JITOperations.cpp:
1793         * jit/JITPropertyAccess.cpp:
1794         (JSC::JIT::emitDoubleLoad):
1795         (JSC::JIT::emitContiguousLoad):
1796         (JSC::JIT::emitArrayStorageLoad):
1797         * llint/LowLevelInterpreter32_64.asm:
1798         * llint/LowLevelInterpreter64.asm:
1799         * runtime/Butterfly.h:
1800         (JSC::ContiguousData::at const):
1801         (JSC::ContiguousData::at):
1802         (JSC::Butterfly::computeIndexingMask const): Deleted.
1803         * runtime/ButterflyInlines.h:
1804         (JSC::ContiguousData<T>::at const): Deleted.
1805         (JSC::ContiguousData<T>::at): Deleted.
1806         * runtime/ClonedArguments.cpp:
1807         (JSC::ClonedArguments::createEmpty):
1808         * runtime/JSArray.cpp:
1809         (JSC::JSArray::tryCreateUninitializedRestricted):
1810         (JSC::JSArray::appendMemcpy):
1811         (JSC::JSArray::setLength):
1812         (JSC::JSArray::pop):
1813         (JSC::JSArray::shiftCountWithAnyIndexingType):
1814         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1815         (JSC::JSArray::fillArgList):
1816         (JSC::JSArray::copyToArguments):
1817         * runtime/JSArrayBufferView.cpp:
1818         (JSC::JSArrayBufferView::JSArrayBufferView):
1819         * runtime/JSArrayInlines.h:
1820         (JSC::JSArray::pushInline):
1821         * runtime/JSFixedArray.h:
1822         * runtime/JSGenericTypedArrayViewInlines.h:
1823         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1824         * runtime/JSObject.cpp:
1825         (JSC::JSObject::getOwnPropertySlotByIndex):
1826         (JSC::JSObject::putByIndex):
1827         (JSC::JSObject::createInitialUndecided):
1828         (JSC::JSObject::createInitialInt32):
1829         (JSC::JSObject::createInitialDouble):
1830         (JSC::JSObject::createInitialContiguous):
1831         (JSC::JSObject::createArrayStorage):
1832         (JSC::JSObject::convertUndecidedToInt32):
1833         (JSC::JSObject::convertUndecidedToDouble):
1834         (JSC::JSObject::convertUndecidedToContiguous):
1835         (JSC::JSObject::convertUndecidedToArrayStorage):
1836         (JSC::JSObject::convertInt32ToDouble):
1837         (JSC::JSObject::convertInt32ToArrayStorage):
1838         (JSC::JSObject::convertDoubleToContiguous):
1839         (JSC::JSObject::convertDoubleToArrayStorage):
1840         (JSC::JSObject::convertContiguousToArrayStorage):
1841         (JSC::JSObject::createInitialForValueAndSet):
1842         (JSC::JSObject::deletePropertyByIndex):
1843         (JSC::JSObject::getOwnPropertyNames):
1844         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1845         (JSC::JSObject::countElements):
1846         (JSC::JSObject::increaseVectorLength):
1847         (JSC::JSObject::ensureLengthSlow):
1848         (JSC::JSObject::reallocateAndShrinkButterfly):
1849         (JSC::JSObject::getEnumerableLength):
1850         * runtime/JSObject.h:
1851         (JSC::JSObject::canGetIndexQuickly):
1852         (JSC::JSObject::getIndexQuickly):
1853         (JSC::JSObject::tryGetIndexQuickly const):
1854         (JSC::JSObject::setIndexQuickly):
1855         (JSC::JSObject::initializeIndex):
1856         (JSC::JSObject::initializeIndexWithoutBarrier):
1857         (JSC::JSObject::butterflyOffset):
1858         (JSC::JSObject::setButterfly):
1859         (JSC::JSObject::nukeStructureAndSetButterfly):
1860         (JSC::JSObject::JSObject):
1861         (JSC::JSObject::butterflyIndexingMaskOffset): Deleted.
1862         (JSC::JSObject::butterflyIndexingMask const): Deleted.
1863         (JSC::JSObject::setButterflyWithIndexingMask): Deleted.
1864         * runtime/JSObjectInlines.h:
1865         (JSC::JSObject::prepareToPutDirectWithoutTransition):
1866         (JSC::JSObject::putDirectInternal):
1867         * runtime/RegExpMatchesArray.h:
1868         (JSC::tryCreateUninitializedRegExpMatchesArray):
1869         * runtime/Structure.cpp:
1870         (JSC::Structure::flattenDictionaryStructure):
1871         * wasm/WasmB3IRGenerator.cpp:
1872         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1873         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1874         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1875         (JSC::Wasm::B3IRGenerator::load):
1876         (JSC::Wasm::B3IRGenerator::store):
1877         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1878         * wasm/WasmBinding.cpp:
1879         (JSC::Wasm::wasmToWasm):
1880         * wasm/WasmInstance.h:
1881         (JSC::Wasm::Instance::updateCachedMemory):
1882         (JSC::Wasm::Instance::offsetOfCachedMemorySize):
1883         (JSC::Wasm::Instance::offsetOfCachedIndexingMask): Deleted.
1884         * wasm/WasmMemory.cpp:
1885         (JSC::Wasm::Memory::Memory):
1886         (JSC::Wasm::Memory::grow):
1887         * wasm/WasmMemory.h:
1888         (JSC::Wasm::Memory::size const):
1889         (JSC::Wasm::Memory::offsetOfSize):
1890         (JSC::Wasm::Memory::indexingMask): Deleted.
1891         (JSC::Wasm::Memory::offsetOfIndexingMask): Deleted.
1892         * wasm/WasmMemoryInformation.cpp:
1893         (JSC::Wasm::PinnedRegisterInfo::get):
1894         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
1895         * wasm/WasmMemoryInformation.h:
1896         (JSC::Wasm::PinnedRegisterInfo::toSave const):
1897         * wasm/js/JSToWasm.cpp:
1898         (JSC::Wasm::createJSToWasmWrapper):
1899
1900 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
1901
1902         JSC crash in JIT code with for-of loop and Array/Set iterators
1903         https://bugs.webkit.org/show_bug.cgi?id=183174
1904
1905         Reviewed by Saam Barati.
1906
1907         * dfg/DFGSafeToExecute.h:
1908         (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.
1909
1910 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
1911
1912         Strings and Vectors shouldn't do index masking
1913         https://bugs.webkit.org/show_bug.cgi?id=184193
1914
1915         Reviewed by Mark Lam.
1916
1917         * dfg/DFGSpeculativeJIT.cpp:
1918         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
1919         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1920         * ftl/FTLAbstractHeapRepository.h:
1921         * ftl/FTLLowerDFGToB3.cpp:
1922         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1923         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1924         * jit/ThunkGenerators.cpp:
1925         (JSC::stringCharLoad):
1926
1927 2018-03-30  Mark Lam  <mark.lam@apple.com>
1928
1929         Add pointer profiling support in baseline JIT and supporting files.
1930         https://bugs.webkit.org/show_bug.cgi?id=184200
1931         <rdar://problem/39057300>
1932
1933         Reviewed by Filip Pizlo.
1934
1935         1. To simplify pointer profiling support, vmEntryToJavaScript() now always enters
1936            the code via the arity check entry.
1937         2. To accommodate (1), all JITCode must now populate their arity check entry code
1938            pointers as well.  For native code, programs, evals, and modules that don't
1939            do arity check, we set the normal entry as the arity check entry (though with
1940            the CodeEntryWithArityCheckPtrTag profile instead).
1941
1942         * assembler/AbstractMacroAssembler.h:
1943         * assembler/LinkBuffer.h:
1944         (JSC::LinkBuffer::locationOfNearCall):
1945         * assembler/MacroAssemblerARM64.h:
1946         (JSC::MacroAssemblerARM64::readCallTarget):
1947         (JSC::MacroAssemblerARM64::linkCall):
1948         * bytecode/AccessCase.cpp:
1949         (JSC::AccessCase::generateImpl):
1950         * bytecode/AccessCaseSnippetParams.cpp:
1951         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1952         * bytecode/CodeBlock.cpp:
1953         (JSC::CodeBlock::addJITAddIC):
1954         (JSC::CodeBlock::addJITMulIC):
1955         (JSC::CodeBlock::addJITSubIC):
1956         (JSC::CodeBlock::addJITNegIC):
1957         * bytecode/CodeBlock.h:
1958         (JSC::CodeBlock::addMathIC):
1959         * bytecode/InlineAccess.cpp:
1960         (JSC::InlineAccess::rewireStubAsJump):
1961         * bytecode/LLIntCallLinkInfo.h:
1962         (JSC::LLIntCallLinkInfo::unlink):
1963         (): Deleted.
1964         * bytecode/PolymorphicAccess.cpp:
1965         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1966         (JSC::PolymorphicAccess::regenerate):
1967         * dfg/DFGJITFinalizer.cpp:
1968         (JSC::DFG::JITFinalizer::finalize):
1969         (JSC::DFG::JITFinalizer::finalizeFunction):
1970         * dfg/DFGSpeculativeJIT.cpp:
1971         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1972         (JSC::DFG::SpeculativeJIT::compileArithSub):
1973         (JSC::DFG::SpeculativeJIT::compileArithNegate):
1974         (JSC::DFG::SpeculativeJIT::compileArithMul):
1975         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1976         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1977         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1978         * disassembler/ARM64Disassembler.cpp:
1979         (JSC::tryToDisassemble):
1980         * ftl/FTLJITFinalizer.cpp:
1981         (JSC::FTL::JITFinalizer::finalizeCommon):
1982         * ftl/FTLLowerDFGToB3.cpp:
1983         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
1984         (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
1985         (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
1986         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
1987         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
1988         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
1989         * heap/JITStubRoutineSet.h:
1990         (JSC::JITStubRoutineSet::mark):
1991         * jit/AssemblyHelpers.cpp:
1992         (JSC::AssemblyHelpers::callExceptionFuzz):
1993         (JSC::AssemblyHelpers::debugCall):
1994         * jit/AssemblyHelpers.h:
1995         (JSC::AssemblyHelpers::emitFunctionPrologue):
1996         * jit/CCallHelpers.cpp:
1997         (JSC::CCallHelpers::ensureShadowChickenPacket):
1998         * jit/CCallHelpers.h:
1999         (JSC::CCallHelpers::prepareForTailCallSlow):
2000         * jit/CallFrameShuffler.cpp:
2001         (JSC::CallFrameShuffler::prepareForTailCall):
2002         * jit/ExecutableAllocator.cpp:
2003         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2004         * jit/ExecutableAllocator.h:
2005         (JSC::performJITMemcpy):
2006         * jit/JIT.cpp:
2007         (JSC::JIT::compileWithoutLinking):
2008         (JSC::JIT::link):
2009         * jit/JITArithmetic.cpp:
2010         (JSC::JIT::emit_op_negate):
2011         (JSC::JIT::emit_op_add):
2012         (JSC::JIT::emitMathICFast):
2013         (JSC::JIT::emitMathICSlow):
2014         (JSC::JIT::emit_op_mul):
2015         (JSC::JIT::emit_op_sub):
2016         * jit/JITCode.cpp:
2017         (JSC::JITCode::execute):
2018         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2019         (JSC::DirectJITCode::DirectJITCode):
2020         (JSC::DirectJITCode::initializeCodeRef):
2021         (JSC::NativeJITCode::addressForCall):
2022         * jit/JITExceptions.cpp:
2023         (JSC::genericUnwind):
2024         * jit/JITMathIC.h:
2025         (JSC::isProfileEmpty):
2026         (JSC::JITBinaryMathIC::JITBinaryMathIC):
2027         (JSC::JITUnaryMathIC::JITUnaryMathIC):
2028         * jit/JITOpcodes.cpp:
2029         (JSC::JIT::emit_op_switch_imm):
2030         (JSC::JIT::emit_op_switch_char):
2031         (JSC::JIT::emit_op_switch_string):
2032         (JSC::JIT::privateCompileHasIndexedProperty):
2033         (JSC::JIT::emitSlow_op_has_indexed_property):
2034         * jit/JITOpcodes32_64.cpp:
2035         (JSC::JIT::privateCompileHasIndexedProperty):
2036         * jit/JITOperations.cpp:
2037         (JSC::getByVal):
2038         (JSC::tryGetByValOptimize):
2039         * jit/JITPropertyAccess.cpp:
2040         (JSC::JIT::stringGetByValStubGenerator):
2041         (JSC::JIT::emitGetByValWithCachedId):
2042         (JSC::JIT::emitSlow_op_get_by_val):
2043         (JSC::JIT::emitPutByValWithCachedId):
2044         (JSC::JIT::emitSlow_op_put_by_val):
2045         (JSC::JIT::emitSlow_op_try_get_by_id):
2046         (JSC::JIT::emitSlow_op_get_by_id):
2047         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2048         (JSC::JIT::emitSlow_op_put_by_id):
2049         (JSC::JIT::privateCompileGetByVal):
2050         (JSC::JIT::privateCompileGetByValWithCachedId):
2051         (JSC::JIT::privateCompilePutByVal):
2052         (JSC::JIT::privateCompilePutByValWithCachedId):
2053         * jit/JITThunks.cpp:
2054         (JSC::JITThunks::hostFunctionStub):
2055         * jit/Repatch.cpp:
2056         (JSC::tryCacheGetByID):
2057         (JSC::repatchGetByID):
2058         (JSC::appropriateOptimizingPutByIdFunction):
2059         (JSC::tryCachePutByID):
2060         (JSC::repatchPutByID):
2061         (JSC::linkFor):
2062         (JSC::revertCall):
2063         (JSC::linkPolymorphicCall):
2064         (JSC::resetGetByID):
2065         (JSC::resetPutByID):
2066         * jit/Repatch.h:
2067         * jit/SpecializedThunkJIT.h:
2068         (JSC::SpecializedThunkJIT::finalize):
2069         (JSC::SpecializedThunkJIT::callDoubleToDouble):
2070         * jit/ThunkGenerators.cpp:
2071         (JSC::emitPointerValidation):
2072         (JSC::throwExceptionFromCallSlowPathGenerator):
2073         (JSC::slowPathFor):
2074         (JSC::linkCallThunkGenerator): Deleted.
2075         (JSC::linkPolymorphicCallThunkGenerator): Deleted.
2076         (JSC::virtualThunkFor): Deleted.
2077         (JSC::nativeForGenerator): Deleted.
2078         (JSC::nativeCallGenerator): Deleted.
2079         (JSC::nativeTailCallGenerator): Deleted.
2080         (JSC::nativeTailCallWithoutSavedTagsGenerator): Deleted.
2081         (JSC::nativeConstructGenerator): Deleted.
2082         (JSC::internalFunctionCallGenerator): Deleted.
2083         (JSC::internalFunctionConstructGenerator): Deleted.
2084         (JSC::arityFixupGenerator): Deleted.
2085         (JSC::unreachableGenerator): Deleted.
2086         (JSC::stringCharLoad): Deleted.
2087         (JSC::charToString): Deleted.
2088         (JSC::charCodeAtThunkGenerator): Deleted.
2089         (JSC::charAtThunkGenerator): Deleted.
2090         (JSC::fromCharCodeThunkGenerator): Deleted.
2091         (JSC::clz32ThunkGenerator): Deleted.
2092         (JSC::sqrtThunkGenerator): Deleted.
2093         (JSC::floorThunkGenerator): Deleted.
2094         (JSC::ceilThunkGenerator): Deleted.
2095         (JSC::truncThunkGenerator): Deleted.
2096         (JSC::roundThunkGenerator): Deleted.
2097         (JSC::expThunkGenerator): Deleted.
2098         (JSC::logThunkGenerator): Deleted.
2099         (JSC::absThunkGenerator): Deleted.
2100         (JSC::imulThunkGenerator): Deleted.
2101         (JSC::randomThunkGenerator): Deleted.
2102         (JSC::boundThisNoArgsFunctionCallGenerator): Deleted.
2103         * llint/LLIntData.cpp:
2104         (JSC::LLInt::initialize):
2105         * llint/LLIntData.h:
2106         (JSC::LLInt::getCodePtr):
2107         * llint/LLIntEntrypoint.cpp:
2108         (JSC::LLInt::setEvalEntrypoint):
2109         (JSC::LLInt::setProgramEntrypoint):
2110         (JSC::LLInt::setModuleProgramEntrypoint):
2111         * llint/LLIntSlowPaths.cpp:
2112         (JSC::LLInt::setUpCall):
2113         * llint/LLIntThunks.cpp:
2114         (JSC::LLInt::generateThunkWithJumpTo):
2115         * llint/LowLevelInterpreter.asm:
2116         * llint/LowLevelInterpreter32_64.asm:
2117         * llint/LowLevelInterpreter64.asm:
2118         * runtime/ExecutableBase.h:
2119         * runtime/NativeExecutable.cpp:
2120         (JSC::NativeExecutable::finishCreation):
2121         * runtime/NativeFunction.h:
2122         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2123         (JSC::TaggedNativeFunction::operator NativeFunction):
2124         * runtime/PropertySlot.h:
2125         (JSC::PropertySlot::setCustom):
2126         (JSC::PropertySlot::setCacheableCustom):
2127         * runtime/PtrTag.h:
2128         * runtime/PutPropertySlot.h:
2129         (JSC::PutPropertySlot::setCustomValue):
2130         (JSC::PutPropertySlot::setCustomAccessor):
2131         * runtime/SamplingProfiler.cpp:
2132         (JSC::SamplingProfiler::takeSample):
2133         * runtime/VMTraps.cpp:
2134         (JSC::SignalContext::SignalContext):
2135         (JSC::VMTraps::tryInstallTrapBreakpoints):
2136         * tools/SigillCrashAnalyzer.cpp:
2137         (JSC::installCrashHandler):
2138         * yarr/YarrJIT.cpp:
2139         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
2140         (JSC::Yarr::YarrGenerator::generateEnter):
2141
2142 2018-03-30  Devin Rousso  <webkit@devinrousso.com>
2143
2144         Web Inspector: tint all pixels drawn by shader program when hovering ShaderProgramTreeElement
2145         https://bugs.webkit.org/show_bug.cgi?id=175223
2146
2147         Reviewed by Matt Baker.
2148
2149         * inspector/protocol/Canvas.json:
2150         Add `setShaderProgramHighlighted` command that will cause a blend to be applied to the
2151         canvas if the given shader program is active immediately before `drawArrays` or `drawElements`
2152         is called. The blend is removed and the previous value is applied once the draw is complete.
2153
2154 2018-03-30  JF Bastien  <jfbastien@apple.com>
2155
2156         WebAssembly: support DataView compilation
2157         https://bugs.webkit.org/show_bug.cgi?id=183342
2158
2159         Reviewed by Mark Lam.
2160
2161         Compiling a module from a DataView was incorrectly dealing with
2162         DataView's offset.
2163
2164         * wasm/WasmModuleParser.cpp:
2165         (JSC::Wasm::ModuleParser::parse):
2166         * wasm/js/JSWebAssemblyHelpers.h:
2167         (JSC::getWasmBufferFromValue):
2168         (JSC::createSourceBufferFromValue):
2169         * wasm/js/WebAssemblyPrototype.cpp:
2170         (JSC::webAssemblyValidateFunc):
2171
2172 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
2173
2174         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
2175         https://bugs.webkit.org/show_bug.cgi?id=184189
2176
2177         Reviewed by JF Bastien.
2178
2179         * bytecompiler/NodesCodegen.cpp:
2180         (JSC::ResolveNode::emitBytecode):
2181
2182 2018-03-30  Mark Lam  <mark.lam@apple.com>
2183
2184         Add pointer profiling support to Wasm.
2185         https://bugs.webkit.org/show_bug.cgi?id=184175
2186         <rdar://problem/39027923>
2187
2188         Reviewed by JF Bastien.
2189
2190         * runtime/PtrTag.h:
2191         * wasm/WasmB3IRGenerator.cpp:
2192         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2193         (JSC::Wasm::B3IRGenerator::addCall):
2194         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2195         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
2196         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
2197         * wasm/WasmBBQPlan.cpp:
2198         (JSC::Wasm::BBQPlan::prepare):
2199         (JSC::Wasm::BBQPlan::complete):
2200         * wasm/WasmBinding.cpp:
2201         (JSC::Wasm::wasmToWasm):
2202         * wasm/WasmBinding.h:
2203         * wasm/WasmFaultSignalHandler.cpp:
2204         (JSC::Wasm::trapHandler):
2205         * wasm/WasmOMGPlan.cpp:
2206         (JSC::Wasm::OMGPlan::work):
2207         * wasm/WasmThunks.cpp:
2208         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2209         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2210         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2211         * wasm/js/WasmToJS.cpp:
2212         (JSC::Wasm::handleBadI64Use):
2213         (JSC::Wasm::wasmToJS):
2214         * wasm/js/WebAssemblyFunction.cpp:
2215         (JSC::callWebAssemblyFunction):
2216         * wasm/js/WebAssemblyFunction.h:
2217
2218 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
2219
2220         Unreviewed, rolling out r230102.
2221
2222         Caused assertion failures on JSC bots.
2223
2224         Reverted changeset:
2225
2226         "A stack overflow in the parsing of a builtin (called by
2227         createExecutable) causes a crash instead of a catchable js
2228         exception"
2229         https://bugs.webkit.org/show_bug.cgi?id=184074
2230         https://trac.webkit.org/changeset/230102
2231
2232 2018-03-30  Robin Morisset  <rmorisset@apple.com>
2233
2234         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
2235         https://bugs.webkit.org/show_bug.cgi?id=183812
2236
2237         Reviewed by Keith Miller.
2238
2239         The fix I landed for https://bugs.webkit.org/show_bug.cgi?id=181027 was flawed: I tried setting the bytecodeIndex for the new block on line 1679 (at the end of inlineCall), but it is going to be reset on line 6612 (in parseCodeBlock).
2240         The fix is simply to make the block untargetable by default, and let parseCodeBlock make it targetable afterwards if it is a jump target.
2241
2242         * dfg/DFGByteCodeParser.cpp:
2243         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
2244         (JSC::DFG::ByteCodeParser::inlineCall):
2245
2246 2018-03-30  Robin Morisset  <rmorisset@apple.com>
2247
2248         A stack overflow in the parsing of a builtin (called by createExecutable) causes a crash instead of a catchable js exception
2249         https://bugs.webkit.org/show_bug.cgi?id=184074
2250         <rdar://problem/37165897>
2251
2252         Reviewed by Keith Miller.
2253
2254         Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place.
2255         It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError.
2256         Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts.
2257         As a result, this patch is grotesquely large, while all it does is adding enough plumbing to throw a proper exception in this specific case.
2258
2259         There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow.
2260         If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too.
2261
2262         Two other minor changes:
2263         - I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead.
2264         - I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places.
2265
2266         * JavaScriptCore.xcodeproj/project.pbxproj:
2267         * Scripts/builtins/builtins_generate_combined_header.py:
2268         (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
2269         (ParserError):
2270         (generate_section_for_object): Deleted.
2271         (generate_externs_for_object): Deleted.
2272         (generate_macros_for_object): Deleted.
2273         (generate_section_for_code_table_macro): Deleted.
2274         (generate_section_for_code_name_macro): Deleted.
2275         (generate_section_for_global_private_code_name_macro): Deleted.
2276         * Scripts/builtins/builtins_generate_separate_header.py:
2277         (generate_secondary_header_includes):
2278         * Scripts/builtins/builtins_templates.py:
2279         * Sources.txt:
2280         * builtins/BuiltinExecutableCreator.cpp: Removed.
2281         * builtins/BuiltinExecutableCreator.h: Removed.
2282         * builtins/BuiltinExecutables.cpp:
2283         (JSC::BuiltinExecutables::createDefaultConstructor):
2284         (JSC::BuiltinExecutables::createBuiltinExecutable):
2285         (JSC::createBuiltinExecutable):
2286         (JSC::BuiltinExecutables::createExecutableOrCrash):
2287         (JSC::BuiltinExecutables::createExecutable):
2288         * builtins/BuiltinExecutables.h:
2289         * bytecompiler/BytecodeGenerator.h:
2290         * parser/ParserError.cpp: Added.
2291         (JSC::ParserError::toErrorObject):
2292         (JSC::ParserError::throwStackOverflowOrOutOfMemory):
2293         (WTF::printInternal):
2294         * parser/ParserError.h:
2295         (JSC::ParserError::toErrorObject): Deleted.
2296         (WTF::printInternal): Deleted.
2297         * runtime/AsyncIteratorPrototype.cpp:
2298         (JSC::AsyncIteratorPrototype::finishCreation):
2299         * runtime/FunctionPrototype.cpp:
2300         (JSC::FunctionPrototype::addFunctionProperties):
2301         * runtime/JSGlobalObject.cpp:
2302         (JSC::JSGlobalObject::init):
2303         * runtime/JSObject.cpp:
2304         (JSC::JSObject::getOwnStaticPropertySlot):
2305         (JSC::JSObject::reifyAllStaticProperties):
2306         * runtime/JSObject.h:
2307         (JSC::JSObject::getOwnNonIndexPropertySlot):
2308         (JSC::JSObject::getOwnPropertySlot):
2309         (JSC::JSObject::getPropertySlot):
2310         * runtime/JSObjectInlines.h:
2311         (JSC::JSObject::getNonIndexPropertySlot):
2312         * runtime/JSTypedArrayViewPrototype.cpp:
2313         (JSC::JSTypedArrayViewPrototype::finishCreation):
2314         * runtime/Lookup.cpp:
2315         (JSC::reifyStaticAccessor):
2316         (JSC::setUpStaticFunctionSlot):
2317         * runtime/Lookup.h:
2318         (JSC::getStaticPropertySlotFromTable):
2319         (JSC::reifyStaticProperty):
2320         * runtime/MapPrototype.cpp:
2321         (JSC::MapPrototype::finishCreation):
2322         * runtime/SetPrototype.cpp:
2323         (JSC::SetPrototype::finishCreation):
2324         * tools/JSDollarVM.cpp:
2325         (JSC::functionCreateBuiltin):
2326
2327 2018-03-30  Robin Morisset  <rmorisset@apple.com>
2328
2329         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
2330         https://bugs.webkit.org/show_bug.cgi?id=183657
2331         <rdar://problem/38464399>
2332
2333         Reviewed by Keith Miller.
2334
2335         There was just a missing check in unshiftCountForIndexingType.
2336         I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path',
2337         and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp).
2338         Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk.
2339
2340         * runtime/ArrayPrototype.cpp:
2341         (JSC::unshift):
2342         * runtime/JSArray.cpp:
2343         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2344         * runtime/JSObject.h:
2345         (JSC::JSObject::ensureLength):
2346
2347 2018-03-29  Mark Lam  <mark.lam@apple.com>
2348
2349         Add some pointer profiling support to B3 and Air.
2350         https://bugs.webkit.org/show_bug.cgi?id=184165
2351         <rdar://problem/39022125>
2352
2353         Reviewed by JF Bastien.
2354
2355         * b3/B3LowerMacros.cpp:
2356         * b3/B3LowerMacrosAfterOptimizations.cpp:
2357         * b3/B3MathExtras.cpp:
2358         * b3/B3ReduceStrength.cpp:
2359         * b3/air/AirCCallSpecial.cpp:
2360         (JSC::B3::Air::CCallSpecial::generate):
2361         * b3/air/AirCCallSpecial.h:
2362         * b3/testb3.cpp:
2363         (JSC::B3::testCallSimple):
2364         (JSC::B3::testCallRare):
2365         (JSC::B3::testCallRareLive):
2366         (JSC::B3::testCallSimplePure):
2367         (JSC::B3::testCallFunctionWithHellaArguments):
2368         (JSC::B3::testCallFunctionWithHellaArguments2):
2369         (JSC::B3::testCallFunctionWithHellaArguments3):
2370         (JSC::B3::testCallSimpleDouble):
2371         (JSC::B3::testCallSimpleFloat):
2372         (JSC::B3::testCallFunctionWithHellaDoubleArguments):
2373         (JSC::B3::testCallFunctionWithHellaFloatArguments):
2374         (JSC::B3::testLinearScanWithCalleeOnStack):
2375         (JSC::B3::testInterpreter):
2376         (JSC::B3::testLICMPure):
2377         (JSC::B3::testLICMPureSideExits):
2378         (JSC::B3::testLICMPureWritesPinned):
2379         (JSC::B3::testLICMPureWrites):
2380         (JSC::B3::testLICMReadsLocalState):
2381         (JSC::B3::testLICMReadsPinned):
2382         (JSC::B3::testLICMReads):
2383         (JSC::B3::testLICMPureNotBackwardsDominant):
2384         (JSC::B3::testLICMPureFoiledByChild):
2385         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
2386         (JSC::B3::testLICMExitsSideways):
2387         (JSC::B3::testLICMWritesLocalState):
2388         (JSC::B3::testLICMWrites):
2389         (JSC::B3::testLICMFence):
2390         (JSC::B3::testLICMWritesPinned):
2391         (JSC::B3::testLICMControlDependent):
2392         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
2393         (JSC::B3::testLICMControlDependentSideExits):
2394         (JSC::B3::testLICMReadsPinnedWritesPinned):
2395         (JSC::B3::testLICMReadsWritesDifferentHeaps):
2396         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
2397         (JSC::B3::testLICMDefaultCall):
2398         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
2399         * ftl/FTLLowerDFGToB3.cpp:
2400         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2401         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2402         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2403         * jit/GPRInfo.h:
2404         * runtime/PtrTag.h:
2405         * wasm/WasmBinding.cpp:
2406         (JSC::Wasm::wasmToWasm):
2407
2408 2018-03-29  JF Bastien  <jfbastien@apple.com>
2409
2410         Use Forward.h instead of forward-declaring WTF::String
2411         https://bugs.webkit.org/show_bug.cgi?id=184172
2412         <rdar://problem/39026146>
2413
2414         Reviewed by Yusuke Suzuki.
2415
2416         As part of #184164 I'm changing WTF::String, and the forward
2417         declarations are just wrong because I'm making it templated. We
2418         should use Forward.h anyway, so do that instead.
2419
2420         * runtime/DateConversion.h:
2421
2422 2018-03-29  Mark Lam  <mark.lam@apple.com>
2423
2424         Use MacroAssemblerCodePtr in Wasm code for code pointers instead of void*.
2425         https://bugs.webkit.org/show_bug.cgi?id=184163
2426         <rdar://problem/39020397>
2427
2428         Reviewed by JF Bastien.
2429
2430         With the use of MacroAssemblerCodePtr, we now get poisoning for Wasm code pointers.
2431
2432         Also renamed some structs, methods, and variable names to be more accurate.
2433         Previously, there was some confusion between a code pointer and the address of a
2434         code pointer (sometimes referred to in the code as a "LoadLocation").  We now name
2435         the LoadLocation variables appropriately to distinguish them from code pointers.
2436
2437         * wasm/WasmB3IRGenerator.cpp:
2438         (JSC::Wasm::B3IRGenerator::addCall):
2439         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2440         * wasm/WasmBinding.cpp:
2441         (JSC::Wasm::wasmToWasm):
2442         * wasm/WasmCodeBlock.cpp:
2443         (JSC::Wasm::CodeBlock::CodeBlock):
2444         * wasm/WasmCodeBlock.h:
2445         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
2446         (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
2447         * wasm/WasmFormat.h:
2448         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction):
2449         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation):
2450         (JSC::Wasm::CallableFunction::CallableFunction): Deleted.
2451         (JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
2452         * wasm/WasmInstance.h:
2453         (JSC::Wasm::Instance::offsetOfWasmEntrypointLoadLocation):
2454         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStub):
2455         (JSC::Wasm::Instance::offsetOfWasmEntrypoint): Deleted.
2456         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
2457         * wasm/WasmOMGPlan.cpp:
2458         (JSC::Wasm::OMGPlan::work):
2459         * wasm/WasmTable.cpp:
2460         (JSC::Wasm::Table::Table):
2461         (JSC::Wasm::Table::grow):
2462         (JSC::Wasm::Table::clearFunction):
2463         (JSC::Wasm::Table::setFunction):
2464         * wasm/WasmTable.h:
2465         (JSC::Wasm::Table::offsetOfFunctions):
2466         * wasm/js/JSWebAssemblyCodeBlock.h:
2467         * wasm/js/JSWebAssemblyInstance.cpp:
2468         (JSC::JSWebAssemblyInstance::finalizeCreation):
2469         (JSC::JSWebAssemblyInstance::create):
2470         * wasm/js/JSWebAssemblyTable.cpp:
2471         (JSC::JSWebAssemblyTable::setFunction):
2472         * wasm/js/WebAssemblyFunction.cpp:
2473         (JSC::WebAssemblyFunction::create):
2474         (JSC::WebAssemblyFunction::WebAssemblyFunction):
2475         * wasm/js/WebAssemblyFunction.h:
2476         * wasm/js/WebAssemblyModuleRecord.cpp:
2477         (JSC::WebAssemblyModuleRecord::link):
2478         (JSC::WebAssemblyModuleRecord::evaluate):
2479         * wasm/js/WebAssemblyWrapperFunction.cpp:
2480         (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
2481         (JSC::WebAssemblyWrapperFunction::create):
2482         * wasm/js/WebAssemblyWrapperFunction.h:
2483
2484 2018-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2485
2486         Remove WTF_EXPORTDATA and JS_EXPORTDATA
2487         https://bugs.webkit.org/show_bug.cgi?id=184170
2488
2489         Reviewed by JF Bastien.
2490
2491         Replace WTF_EXPORTDATA and JS_EXPORTDATA with
2492         WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE respectively.
2493
2494         * heap/WriteBarrierSupport.h:
2495         * jit/ExecutableAllocator.cpp:
2496         * jit/ExecutableAllocator.h:
2497         * runtime/JSCPoison.h:
2498         * runtime/JSCell.h:
2499         * runtime/JSExportMacros.h:
2500         * runtime/JSGlobalObject.h:
2501         * runtime/JSObject.h:
2502         * runtime/Options.h:
2503         * runtime/PropertyDescriptor.h:
2504         * runtime/PropertyMapHashTable.h:
2505         * runtime/SamplingCounter.h:
2506
2507 2018-03-29  Ross Kirsling  <ross.kirsling@sony.com>
2508
2509         MSVC __forceinline slows down JSC release build fivefold after r229391
2510         https://bugs.webkit.org/show_bug.cgi?id=184062
2511
2512         Reviewed by Alex Christensen.
2513
2514         * jit/CCallHelpers.h:
2515         (JSC::CCallHelpers::marshallArgumentRegister):
2516         Exempt MSVC from a single forced inline used within recursive templates.
2517
2518 2018-03-29  Keith Miller  <keith_miller@apple.com>
2519
2520         ArrayMode should not try to get the DFG to think it can convert TypedArrays
2521         https://bugs.webkit.org/show_bug.cgi?id=184137
2522
2523         Reviewed by Saam Barati.
2524
2525         * dfg/DFGArrayMode.cpp:
2526         (JSC::DFG::ArrayMode::fromObserved):
2527
2528 2018-03-29  Commit Queue  <commit-queue@webkit.org>
2529
2530         Unreviewed, rolling out r230062.
2531         https://bugs.webkit.org/show_bug.cgi?id=184128
2532
2533         Broke mac port. web content process crashes while loading any
2534         web page (Requested by rniwa on #webkit).
2535
2536         Reverted changeset:
2537
2538         "MSVC __forceinline slows down JSC release build fivefold
2539         after r229391"
2540         https://bugs.webkit.org/show_bug.cgi?id=184062
2541         https://trac.webkit.org/changeset/230062
2542
2543 2018-03-28  Ross Kirsling  <ross.kirsling@sony.com>
2544
2545         MSVC __forceinline slows down JSC release build fivefold after r229391
2546         https://bugs.webkit.org/show_bug.cgi?id=184062
2547
2548         Reviewed by Alex Christensen.
2549
2550         * jit/CCallHelpers.h:
2551         (JSC::CCallHelpers::marshallArgumentRegister):
2552         Exempt MSVC from a single forced inline used within recursive templates.
2553
2554 2018-03-28  Mark Lam  <mark.lam@apple.com>
2555
2556         Enhance ARM64 probe to support pointer profiling.
2557         https://bugs.webkit.org/show_bug.cgi?id=184069
2558         <rdar://problem/38939879>
2559
2560         Reviewed by JF Bastien.
2561
2562         * assembler/MacroAssemblerARM64.cpp:
2563         (JSC::MacroAssembler::probe):
2564         * assembler/MacroAssemblerX86Common.h:
2565         (JSC::MacroAssemblerX86Common::popPair):
2566         (JSC::MacroAssemblerX86Common::pushPair):
2567         * assembler/testmasm.cpp:
2568         (JSC::testProbeReadsArgumentRegisters):
2569         (JSC::testProbeWritesArgumentRegisters):
2570         * runtime/PtrTag.h:
2571         (JSC::tagForPtr):
2572
2573 2018-03-28  Robin Morisset  <rmorisset@apple.com>
2574
2575         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
2576         https://bugs.webkit.org/show_bug.cgi?id=183894
2577
2578         Reviewed by Saam Barati.
2579
2580         Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
2581
2582         * runtime/JSONObject.cpp:
2583         (JSC::Stringifier::appendStringifiedValue):
2584
2585 2018-03-28  Carlos Garcia Campos  <cgarcia@igalia.com>
2586
2587         [JSC] Move WeakValueRef class to its own file and use it from Objc and GLib
2588         https://bugs.webkit.org/show_bug.cgi?id=184073
2589
2590         Reviewed by Yusuke Suzuki.
2591
2592         We currently have duplicated code in the ObjC and GLib implementations.
2593
2594         * API/JSManagedValue.mm:
2595         (managedValueHandleOwner):
2596         (-[JSManagedValue initWithValue:]):
2597         * API/JSWeakValue.cpp: Added.
2598         (JSC::JSWeakValue::~JSWeakValue):
2599         (JSC::JSWeakValue::clear):
2600         (JSC::JSWeakValue::isClear const):
2601         (JSC::JSWeakValue::setPrimitive):
2602         (JSC::JSWeakValue::setObject):
2603         (JSC::JSWeakValue::setString):
2604         * API/JSWeakValue.h: Added.
2605         (JSC::JSWeakValue::isSet const):
2606         (JSC::JSWeakValue::isPrimitive const):
2607         (JSC::JSWeakValue::isObject const):
2608         (JSC::JSWeakValue::isString const):
2609         (JSC::JSWeakValue::object const):
2610         (JSC::JSWeakValue::primitive const):
2611         (JSC::JSWeakValue::string const):
2612         * API/glib/JSCWeakValue.cpp:
2613         * JavaScriptCore.xcodeproj/project.pbxproj:
2614         * Sources.txt:
2615
2616 2018-03-27  Carlos Garcia Campos  <cgarcia@igalia.com>
2617
2618         [GLIB] Add JSCWeakValue to JavaScriptCore GLib API
2619         https://bugs.webkit.org/show_bug.cgi?id=184041
2620
2621         Reviewed by Michael Catanzaro.
2622
2623         This allows keeping a reference to a JavaScript value without protecting it, and without holding a strong
2624         reference to the context. When the value is cleared the JSCWeakValue::cleared signal is emitted and
2625         jsc_weak_value_get_value() will always return nullptr.
2626
2627         * API/glib/JSCWeakValue.cpp: Added.
2628         (WeakValueRef::~WeakValueRef):
2629         (WeakValueRef::clear):
2630         (WeakValueRef::isClear const):
2631         (WeakValueRef::isSet const):
2632         (WeakValueRef::isPrimitive const):
2633         (WeakValueRef::isObject const):
2634         (WeakValueRef::isString const):
2635         (WeakValueRef::setPrimitive):
2636         (WeakValueRef::setObject):
2637         (WeakValueRef::setString):
2638         (WeakValueRef::object const):
2639         (WeakValueRef::primitive const):
2640         (WeakValueRef::string const):
2641         (weakValueHandleOwner):
2642         (jscWeakValueInitialize):
2643         (jscWeakValueSetProperty):
2644         (jscWeakValueDispose):
2645         (jsc_weak_value_class_init):
2646         (jsc_weak_value_new):
2647         (jsc_weak_value_get_value):
2648         * API/glib/JSCWeakValue.h: Added.
2649         * API/glib/docs/jsc-glib-4.0-sections.txt:
2650         * API/glib/docs/jsc-glib-docs.sgml:
2651         * API/glib/jsc.h:
2652         * GLib.cmake:
2653
2654 2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2655
2656         [DFG] Remove unnecessary USE(JSVALUE32_64) / USE(JSVALUE64)
2657         https://bugs.webkit.org/show_bug.cgi?id=181292
2658
2659         Reviewed by Saam Barati.
2660
2661         By using the JSValueRegs abstraction, we can simplify the DFGSpeculativeJIT.cpp code.
2662
2663         * dfg/DFGSpeculativeJIT.cpp:
2664         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2665         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2666         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2667         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2668         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2669         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
2670         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
2671
2672 2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2673
2674         Add Load16Z for B3 and use it in WebAssembly
2675         https://bugs.webkit.org/show_bug.cgi?id=165884
2676
2677         Reviewed by JF Bastien.
2678
2679         We already support Load16Z in B3. Use it for i32.load16_u / i64.load16_u in WebAssembly.
2680         spec-tests/memory.wast.js already covers this change.
2681
2682         * wasm/WasmB3IRGenerator.cpp:
2683         (JSC::Wasm::B3IRGenerator::emitLoadOp):
2684
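The two WebAssembly entries above (JF Bastien's DataView-offset fix, bug 183342, and Yusuke Suzuki's Load16Z change, bug 165884) can both be checked from JavaScript with one hand-assembled module. This is an added example, not code from WebKit or from either patch: the module bytes, the junk padding, the export names `mem`/`u`/`s` and the helpers `validateAtOffset` and `load16FromOffsetView` are this example's own construction, and the expected values follow the WebAssembly binary format and numeric semantics rather than anything the ChangeLog states.

```javascript
// Added example, not WebKit code: a hand-assembled WebAssembly module used to
// regression-test the two behaviours described in the ChangeLog entries above.
// Exports: memory "mem", "u" = (addr) -> i32.load16_u, "s" = (addr) -> i32.load16_s.
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,                         // magic "\0asm"
  0x01, 0x00, 0x00, 0x00,                         // binary format version 1
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f, // type section: (i32) -> i32
  0x03, 0x03, 0x02, 0x00, 0x00,                   // function section: 2 funcs of type 0
  0x05, 0x03, 0x01, 0x00, 0x01,                   // memory section: 1 memory, min 1 page
  0x07, 0x0f, 0x03,                               // export section: 3 exports
  0x03, 0x6d, 0x65, 0x6d, 0x02, 0x00,             //   "mem" -> memory 0
  0x01, 0x75, 0x00, 0x00,                         //   "u"   -> func 0
  0x01, 0x73, 0x00, 0x01,                         //   "s"   -> func 1
  0x0a, 0x11, 0x02,                               // code section: 2 bodies
  0x07, 0x00, 0x20, 0x00, 0x2f, 0x01, 0x00, 0x0b, //   local.get 0; i32.load16_u align=1 off=0; end
  0x07, 0x00, 0x20, 0x00, 0x2e, 0x01, 0x00, 0x0b, //   local.get 0; i32.load16_s align=1 off=0; end
]);

// Place the module `padding` bytes into a larger buffer surrounded by
// constructed junk, then validate through views that start at that offset.
// A correct engine reads from the view's byteOffset; the whole buffer must be
// rejected because its first bytes are not the wasm magic.
function validateAtOffset(padding) {
  const buf = new ArrayBuffer(padding + MODULE_BYTES.length + 3);
  const all = new Uint8Array(buf);
  all.fill(0xaa);                                 // junk before and after the module
  all.set(MODULE_BYTES, padding);
  const typed = new Uint8Array(buf, padding, MODULE_BYTES.length);
  let dataView;
  try {
    dataView = WebAssembly.validate(new DataView(buf, padding, MODULE_BYTES.length));
  } catch (e) {
    // Some engines do not accept a DataView as a BufferSource at all; report
    // that separately instead of confusing it with an offset bug.
    dataView = e instanceof TypeError ? 'unsupported' : 'error';
  }
  return {
    typedArray: WebAssembly.validate(typed),
    dataView,
    wholeBuffer: WebAssembly.validate(buf),
  };
}

// Instantiate from an offset view, store a 16-bit value into linear memory and
// load it back through both the zero-extending and the sign-extending opcode.
function load16FromOffsetView(padding, addr, halfword) {
  const buf = new ArrayBuffer(padding + MODULE_BYTES.length);
  new Uint8Array(buf).set(MODULE_BYTES, padding);
  const view = new Uint8Array(buf, padding, MODULE_BYTES.length);
  const instance = new WebAssembly.Instance(new WebAssembly.Module(view), {});
  const { mem, u, s } = instance.exports;
  new DataView(mem.buffer).setUint16(addr, halfword, true); // wasm memory is little-endian
  return { unsigned: u(addr), signed: s(addr) };
}

console.log(validateAtOffset(5), load16FromOffsetView(5, 0, 0xffff));
```

Run it with `node`. An engine with the offset bug the DataView entry describes would parse from the start of the underlying ArrayBuffer instead of from `byteOffset`, so it is the non-zero `padding` cases that catch it; `'unsupported'` only means the engine refuses a DataView as a BufferSource, which is a different condition. For the Load16Z entry, `0xffff` in memory must come back as `65535` through `i32.load16_u` and as `-1` through `i32.load16_s`; a zero-extending load that accidentally sign-extended would fail the first check.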
2685 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2686
2687         [JSC] Remove repeated iteration of ElementNode
2688         https://bugs.webkit.org/show_bug.cgi?id=183987
2689
2690         Reviewed by Keith Miller.
2691
2692         BytecodeGenerator repeatedly iterates ElementNode to emit efficient code.
2693         While this is OK for small arrays, the repeated iteration takes a lot of time
2694         if the array is very large. For example, Kraken's initialization code includes
2695         a very large array of numeric literals. This makes bytecode compilation very slow.
2696
2697         This patch carefully removes unnecessary iteration when emitting arrays.
2698         This reduces one of Kraken/imaging-darkroom's bytecode compilation times from 13.169856 ms
2699         to 9.988050 ms.
2700
2701         * bytecompiler/BytecodeGenerator.cpp:
2702         (JSC::BytecodeGenerator::emitNewArrayBuffer):
2703         (JSC::BytecodeGenerator::emitNewArray):
2704         * bytecompiler/BytecodeGenerator.h:
2705         * bytecompiler/NodesCodegen.cpp:
2706         (JSC::ArrayNode::emitBytecode):
2707         (JSC::ArrayPatternNode::bindValue const):
2708         (JSC::ArrayPatternNode::emitDirectBinding):
2709
2710 2018-03-26  Ross Kirsling  <ross.kirsling@sony.com>
2711
2712         JIT callOperation() needs to support operations that return SlowPathReturnType differently on Windows.
2713         https://bugs.webkit.org/show_bug.cgi?id=183655
2714
2715         Reviewed by Keith Miller.
2716
2717         * jit/CCallHelpers.h:
2718         (JSC::CCallHelpers::ArgCollection::argCount):
2719         (JSC::CCallHelpers::marshallArgumentRegister):
2720         (JSC::CCallHelpers::setupArgumentsImpl):
2721         On Win64, ensure that argCount always includes GPRs and FPRs and that counting starts from 1 for SlowPathReturnType.
2722
2723         * jit/JIT.h:
2724         (JSC::JIT::callOperation):
2725         (JSC::JIT::is64BitType):
2726         (JSC::JIT::is64BitType<void>):
2727         On Win64, ensure special call is used for SlowPathReturnType.
2728
2729         * jit/JITOperations.h:
2730         Update changed type.
2731
2732 2018-03-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2733
2734         We should have SSE4 detection in the X86 MacroAssembler.
2735         https://bugs.webkit.org/show_bug.cgi?id=165363
2736
2737         Reviewed by JF Bastien.
2738
2739         This patch adds popcnt support to WASM in x86_64 environment.
2740         To use it, we refactor our CPUID feature detection in MacroAssemblerX86Common.
2741         Our spec-tests already cover popcnt.
2742
2743         * assembler/MacroAssemblerARM64.h:
2744         (JSC::MacroAssemblerARM64::supportsCountPopulation):
2745         * assembler/MacroAssemblerX86Common.cpp:
2746         (JSC::MacroAssemblerX86Common::getCPUID):
2747         (JSC::MacroAssemblerX86Common::getCPUIDEx):
2748         (JSC::MacroAssemblerX86Common::collectCPUFeatures):
2749         * assembler/MacroAssemblerX86Common.h:
2750         (JSC::MacroAssemblerX86Common::countPopulation32):
2751         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
2752         (JSC::MacroAssemblerX86Common::supportsCountPopulation):
2753         (JSC::MacroAssemblerX86Common::supportsAVX):
2754         (JSC::MacroAssemblerX86Common::supportsLZCNT):
2755         (JSC::MacroAssemblerX86Common::supportsBMI1):
2756         (JSC::MacroAssemblerX86Common::isSSE2Present):
2757         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags): Deleted.
2758         * assembler/MacroAssemblerX86_64.h:
2759         (JSC::MacroAssemblerX86_64::countPopulation64):
2760         * assembler/X86Assembler.h:
2761         (JSC::X86Assembler::popcnt_rr):
2762         (JSC::X86Assembler::popcnt_mr):
2763         (JSC::X86Assembler::popcntq_rr):
2764         (JSC::X86Assembler::popcntq_mr):
2765         * wasm/WasmB3IRGenerator.cpp:
2766         (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
2767         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
2768
2769 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
2770
2771         DFG should know that CreateThis can be effectful
2772         https://bugs.webkit.org/show_bug.cgi?id=184013
2773
2774         Reviewed by Saam Barati.
2775
2776         As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this
2777         is a proxy.
2778
2779         * dfg/DFGAbstractInterpreterInlines.h:
2780         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2781         * dfg/DFGClobberize.h:
2782         (JSC::DFG::clobberize):
2783
2784 2018-03-25  Saam Barati  <sbarati@apple.com>
2785
2786         Fix typo in JSC option name
2787         https://bugs.webkit.org/show_bug.cgi?id=184001
2788
2789         Reviewed by Mark Lam.
2790
2791         enableJITDebugAssetions => enableJITDebugAssertions.
2792
2793         * assembler/MacroAssembler.cpp:
2794         (JSC::MacroAssembler::jitAssert):
2795         * runtime/Options.h:
2796
2797 2018-03-25  Saam Barati  <sbarati@apple.com>
2798
2799         r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
2800         https://bugs.webkit.org/show_bug.cgi?id=183995
2801
2802         Reviewed by Filip Pizlo.
2803
2804         The removal of this line of code was unintended and happened during some
2805         refactoring Fil was doing. The consequence of removing this line of code
2806         is that the m_emptyCursor became a monotonically increasing integer, leading
2807         the cursor to usually be out of bounds of the block range (depending on
2808         what the program is doing). This made the functionality of finding an empty
2809         block to steal almost always fail.
2810
2811         * heap/BlockDirectory.cpp:
2812         (JSC::BlockDirectory::prepareForAllocation):
2813
2814 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2815
2816         [DFG] Introduces fused compare and jump
2817         https://bugs.webkit.org/show_bug.cgi?id=177100
2818
2819         Reviewed by Mark Lam.
2820
2821         This patch introduces op_jeq, op_jneq, op_jstricteq, and op_jnstricteq.
2822         It offers 3 benefits.
2823
2824         1. They are introduced due to the similar purpose to op_jless etc. It aligns
2825         op_eq families to op_jless families.
2826
2827         2. It reduces the size of bytecode to represent the typical code sequence.
2828
2829         3. It offers the way to fuse check and jump in DFG code generation. Since
2830         we have MovHint between Branch and CompareEq/CompareStrictEq previously,
2831         we cannot do this optimization. It reduces the machine code size in DFG too.
2832
2833         It slightly improves Octane/boyer.
2834
2835             boyer  6.18038+-0.05002    ^     6.06990+-0.04176       ^ definitely 1.0182x faster
2836
2837         * bytecode/BytecodeDumper.cpp:
2838         (JSC::BytecodeDumper<Block>::dumpBytecode):
2839         * bytecode/BytecodeList.json:
2840         * bytecode/BytecodeUseDef.h:
2841         (JSC::computeUsesForBytecodeOffset):
2842         (JSC::computeDefsForBytecodeOffset):
2843         * bytecode/Opcode.h:
2844         (JSC::isBranch):
2845         * bytecode/PreciseJumpTargetsInlines.h:
2846         (JSC::extractStoredJumpTargetsForBytecodeOffset):
2847         * bytecompiler/BytecodeGenerator.cpp:
2848         (JSC::BytecodeGenerator::emitJumpIfTrue):
2849         (JSC::BytecodeGenerator::emitJumpIfFalse):
2850         * dfg/DFGByteCodeParser.cpp:
2851         (JSC::DFG::ByteCodeParser::parseBlock):
2852         * dfg/DFGCapabilities.cpp:
2853         (JSC::DFG::capabilityLevel):
2854         * dfg/DFGOperations.cpp:
2855         * dfg/DFGOperations.h:
2856         * dfg/DFGSpeculativeJIT.cpp:
2857         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2858         * jit/JIT.cpp:
2859         (JSC::JIT::privateCompileMainPass):
2860         (JSC::JIT::privateCompileSlowCases):
2861         * jit/JIT.h:
2862         * jit/JITOpcodes.cpp:
2863         (JSC::JIT::emit_op_jeq):
2864         (JSC::JIT::emit_op_neq):
2865         (JSC::JIT::emit_op_jneq):
2866         (JSC::JIT::compileOpStrictEq):
2867         (JSC::JIT::emit_op_stricteq):
2868         (JSC::JIT::emit_op_nstricteq):
2869         (JSC::JIT::compileOpStrictEqJump):
2870         (JSC::JIT::emit_op_jstricteq):
2871         (JSC::JIT::emit_op_jnstricteq):
2872         (JSC::JIT::emitSlow_op_jstricteq):
2873         (JSC::JIT::emitSlow_op_jnstricteq):
2874         (JSC::JIT::emitSlow_op_jeq):
2875         (JSC::JIT::emitSlow_op_jneq):
2876         * jit/JITOpcodes32_64.cpp:
2877         (JSC::JIT::emitSlow_op_eq):
2878         (JSC::JIT::emit_op_jeq):
2879         (JSC::JIT::compileOpEqJumpSlow):
2880         (JSC::JIT::emitSlow_op_jeq):
2881         (JSC::JIT::emit_op_jneq):
2882         (JSC::JIT::emitSlow_op_jneq):
2883         (JSC::JIT::compileOpStrictEq):
2884         (JSC::JIT::emit_op_stricteq):
2885         (JSC::JIT::emit_op_nstricteq):
2886         (JSC::JIT::compileOpStrictEqJump):
2887         (JSC::JIT::emit_op_jstricteq):
2888         (JSC::JIT::emit_op_jnstricteq):
2889         (JSC::JIT::emitSlow_op_jstricteq):
2890         (JSC::JIT::emitSlow_op_jnstricteq):
2891         * jit/JITOperations.cpp:
2892         * jit/JITOperations.h:
2893         * llint/LLIntSlowPaths.cpp:
2894         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2895         * llint/LLIntSlowPaths.h:
2896         * llint/LowLevelInterpreter.asm:
2897         * llint/LowLevelInterpreter32_64.asm:
2898         * llint/LowLevelInterpreter64.asm:
2899
2900 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2901
2902         [JSC] Improve constants and add comments for CodeBlockHash
2903         https://bugs.webkit.org/show_bug.cgi?id=183982
2904
2905         Rubber-stamped by Mark Lam.
2906
2907         * bytecode/CodeBlockHash.cpp:
2908         (JSC::CodeBlockHash::CodeBlockHash):
2909         * bytecode/ParseHash.cpp:
2910         (JSC::ParseHash::ParseHash):
2911
2912 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2913
2914         [JSC] Add options to report parsing and bytecode compiling times
2915         https://bugs.webkit.org/show_bug.cgi?id=183982
2916
2917         Reviewed by Mark Lam.
2918
2919         This patch adds reportParseTimes and reportBytecodeCompileTimes options.
2920         When they are enabled, JSC reports times consumed for parsing and bytecode
2921         compiling.
2922
2923         * JavaScriptCore.xcodeproj/project.pbxproj:
2924         * Sources.txt:
2925         * bytecode/ParseHash.cpp: Added.
2926         (JSC::ParseHash::ParseHash):
2927         * bytecode/ParseHash.h: Added.
2928         (JSC::ParseHash::hashForCall const):
2929         (JSC::ParseHash::hashForConstruct const):
2930         * bytecode/UnlinkedFunctionExecutable.cpp:
2931         (JSC::generateUnlinkedFunctionCodeBlock):
2932         * bytecompiler/BytecodeGenerator.h:
2933         (JSC::BytecodeGenerator::generate):
2934         * parser/Parser.h:
2935         (JSC::parse):
2936         * runtime/CodeCache.h:
2937         (JSC::generateUnlinkedCodeBlock):
2938         * runtime/Options.h:
2939
2940 2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2941
2942         [JIT] Drop ENABLE_JIT_VERBOSE flag
2943         https://bugs.webkit.org/show_bug.cgi?id=183983
2944
2945         Reviewed by Mark Lam.
2946
2947         Just use JITInternal::verbose value.
2948
2949         * jit/JIT.cpp:
2950         (JSC::JIT::privateCompileMainPass):
2951         (JSC::JIT::privateCompileSlowCases):
2952         (JSC::JIT::link):
2953
2954 2018-03-23  Tim Horton  <timothy_horton@apple.com>
2955
2956         Fix the build with no pasteboard
2957         https://bugs.webkit.org/show_bug.cgi?id=183973
2958
2959         Reviewed by Dan Bernstein.
2960
2961         * Configurations/FeatureDefines.xcconfig:
2962
2963 2018-03-23  Mark Lam  <mark.lam@apple.com>
2964
2965         LLInt TypeArray pointer poisoning should not pick its poison dynamically.
2966         https://bugs.webkit.org/show_bug.cgi?id=183942
2967         <rdar://problem/38798018>
2968
2969         Reviewed by JF Bastien.
2970
2971         1. Move the LLInt TypedArray unpoisoning to just before the array access after
2972            all the branches.
2973         2. Renamed FirstArrayType to FirstTypedArrayType to match the symbol in C++ code.
2974         3. Remove a useless instruction in the implementation of emitX86Lea for a global
2975            label.
2976
2977         * llint/LowLevelInterpreter.asm:
2978         * llint/LowLevelInterpreter64.asm:
2979         * offlineasm/x86.rb:
2980
2981 2018-03-23  Mark Lam  <mark.lam@apple.com>
2982
2983         Add more support for pointer profiling.
2984         https://bugs.webkit.org/show_bug.cgi?id=183943
2985         <rdar://problem/38799068>
2986
2987         Reviewed by JF Bastien.
2988
2989         * assembler/ARM64Assembler.h:
2990         (JSC::ARM64Assembler::linkJumpOrCall):
2991         * assembler/AbstractMacroAssembler.h:
2992         (JSC::AbstractMacroAssembler::repatchNearCall):
2993         (JSC::AbstractMacroAssembler::tagReturnAddress):
2994         (JSC::AbstractMacroAssembler::untagReturnAddress):
2995
2996 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2997
2998         [WTF] Add standard containers with FastAllocator specialization
2999         https://bugs.webkit.org/show_bug.cgi?id=183789
3000
3001         Reviewed by Darin Adler.
3002
3003         * b3/air/testair.cpp:
3004         * b3/testb3.cpp:
3005         (JSC::B3::testDoubleLiteralComparison):
3006         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
3007         * dfg/DFGGraph.h:
3008         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3009         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3010         * ftl/FTLLowerDFGToB3.cpp:
3011         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
3012         * runtime/FunctionHasExecutedCache.h:
3013         * runtime/TypeLocationCache.h:
3014
3015 2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3016
3017         [FTL] Fix ArrayPush(ArrayStorage)'s abstract heap
3018         https://bugs.webkit.org/show_bug.cgi?id=182960
3019
3020         Reviewed by Saam Barati.
3021
3022         This patch fixes ArrayPush(ArrayStorage)'s abstract heap.
3023         It should always touch ArrayStorage_vector. To unify
3024         vector setting code for the real ArrayStorage_vector and
3025         ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to
3026         annotate this.
3027
3028         * ftl/FTLLowerDFGToB3.cpp:
3029         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
3030
3031 2018-03-23  Zan Dobersek  <zdobersek@igalia.com>
3032
3033         Unreviewed build fix for GCC 4.9 builds.
3034
3035         * assembler/MacroAssemblerCodeRef.h: std::is_trivially_copyable<> isn't
3036         supported in 4.9 libstdc++, so wrap the static assert using it in a
3037         COMPILER_SUPPORTS() macro, and use __is_trivially_copyable() builtin,
3038         as is done in bitwise_cast() in StdLibExtras.h.
3039
3040 2018-03-22  Tim Horton  <timothy_horton@apple.com>
3041
3042         Adopt WK_ALTERNATE_FRAMEWORKS_DIR in WebCore
3043         https://bugs.webkit.org/show_bug.cgi?id=183930
3044         <rdar://problem/38782249>
3045
3046         Reviewed by Dan Bernstein.
3047
3048         * JavaScriptCore.xcodeproj/project.pbxproj:
3049
3050 2018-03-22  Mark Lam  <mark.lam@apple.com>
3051
3052         Add placeholder call and jump MacroAssembler emitters that take PtrTag in a register.
3053         https://bugs.webkit.org/show_bug.cgi?id=183914
3054         <rdar://problem/38763536>
3055
3056         Reviewed by Saam Barati and JF Bastien.
3057
3058         This is in preparation for supporting pointer profiling work.
3059
3060         * assembler/MacroAssemblerARM.h:
3061         (JSC::MacroAssemblerARM::jump):
3062         (JSC::MacroAssemblerARM::call):
3063         * assembler/MacroAssemblerARM64.h:
3064         (JSC::MacroAssemblerARM64::call):
3065         (JSC::MacroAssemblerARM64::jump):
3066         * assembler/MacroAssemblerARMv7.h:
3067         (JSC::MacroAssemblerARMv7::jump):
3068         (JSC::MacroAssemblerARMv7::call):
3069         * assembler/MacroAssemblerMIPS.h:
3070         (JSC::MacroAssemblerMIPS::jump):
3071         (JSC::MacroAssemblerMIPS::call):
3072         * assembler/MacroAssemblerX86.h:
3073         (JSC::MacroAssemblerX86::call):
3074         (JSC::MacroAssemblerX86::jump):
3075         * assembler/MacroAssemblerX86Common.h:
3076         (JSC::MacroAssemblerX86Common::jump):
3077         (JSC::MacroAssemblerX86Common::call):
3078         * assembler/MacroAssemblerX86_64.h:
3079         (JSC::MacroAssemblerX86_64::call):
3080         (JSC::MacroAssemblerX86_64::jump):
3081
3082 2018-03-22  Tim Horton  <timothy_horton@apple.com>
3083
3084         Improve readability of WebCore's OTHER_LDFLAGS
3085         https://bugs.webkit.org/show_bug.cgi?id=183909
3086         <rdar://problem/38760992>
3087
3088         Reviewed by Dan Bernstein.
3089
3090         * Configurations/Base.xcconfig:
3091         * Configurations/FeatureDefines.xcconfig:
3092
3093 2018-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
3094
3095         [ARM] Thumb: Do not decorate bottom bit twice
3096         https://bugs.webkit.org/show_bug.cgi?id=183906
3097
3098         Reviewed by Mark Lam.
3099
3100         Use MacroAssemblerCodePtr::createFromExecutableAddress instead of
3101         MacroAssemblerCodePtr(void*) to avoid decorating the pointer twice as
3102         a thumb pointer.
3103
3104         * jit/Repatch.cpp:
3105         (JSC::linkPolymorphicCall):
3106
3107 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3108
3109         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
3110         https://bugs.webkit.org/show_bug.cgi?id=183559
3111
3112         Reviewed by Mark Lam.
3113
3114         When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forget
3115         to clear NodeMustGenerate for this ToString. It should be since it does not have
3116         any user-observable side effect. This patch clears NodeMustGenerate.
3117
3118         * dfg/DFGConstantFoldingPhase.cpp:
3119         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3120
3121 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3122
3123         [JSC] List up all candidates in DFGCapabilities and FTLCapabilities
3124         https://bugs.webkit.org/show_bug.cgi?id=183897
3125
3126         Reviewed by Mark Lam.
3127
3128         We should not use `default:` clause here since it accidentally catches
3129         the opcode and DFG nodes which should be optimized. For example,
3130         op_super_sampler_begin and op_super_sampler_end are not listed while
3131         they have DFG and FTL backend.
3132
3133         This patch lists up all candidates in DFGCapabilities and FTLCapabilities.
3134         And we also clean up unnecessary checks in FTLCapabilities. Since we
3135         already handle all the possible array types for these nodes (which can
3136         be checked in DFG's code), we do not need to check array types.
3137
3138         We also fix FTLLowerDFGToB3's PutByVal code to use modeForPut.
3139
3140         * dfg/DFGCapabilities.cpp:
3141         (JSC::DFG::capabilityLevel):
3142         * ftl/FTLCapabilities.cpp:
3143         (JSC::FTL::canCompile):
3144         * ftl/FTLLowerDFGToB3.cpp:
3145         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
3146
3147 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3148
3149         [JSC] Drop op_put_by_index
3150         https://bugs.webkit.org/show_bug.cgi?id=183899
3151
3152         Reviewed by Mark Lam.
3153
3154         This patch drops op_put_by_index.
3155
3156         1. This functionality can be just covered by direct put_by_val.
3157         2. put_by_index is not well optimized. It is just calling a C
3158         function. And it does not have DFG handling.
3159
3160         * bytecode/BytecodeDumper.cpp:
3161         (JSC::BytecodeDumper<Block>::dumpBytecode):
3162         * bytecode/BytecodeList.json:
3163         * bytecode/BytecodeUseDef.h:
3164         (JSC::computeUsesForBytecodeOffset):
3165         (JSC::computeDefsForBytecodeOffset):
3166         * bytecompiler/BytecodeGenerator.cpp:
3167         (JSC::BytecodeGenerator::emitPutByIndex): Deleted.
3168         * bytecompiler/BytecodeGenerator.h:
3169         * bytecompiler/NodesCodegen.cpp:
3170         (JSC::ArrayNode::emitBytecode):
3171         (JSC::ArrayPatternNode::emitDirectBinding):
3172         * jit/JIT.cpp:
3173         (JSC::JIT::privateCompileMainPass):
3174         * jit/JIT.h:
3175         * jit/JITPropertyAccess.cpp:
3176         (JSC::JIT::emit_op_put_by_index): Deleted.
3177         * jit/JITPropertyAccess32_64.cpp:
3178         (JSC::JIT::emit_op_put_by_index): Deleted.
3179         * llint/LLIntSlowPaths.cpp:
3180         * llint/LLIntSlowPaths.h:
3181         * llint/LowLevelInterpreter.asm:
3182
3183 2018-03-22  Michael Saboff  <msaboff@apple.com>
3184
3185         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
3186         https://bugs.webkit.org/show_bug.cgi?id=183901
3187
3188         Reviewed by Keith Miller.
3189
3190         Added write barriers to ensure the reversed contents are properly marked.
3191
3192         * runtime/ArrayPrototype.cpp:
3193         (JSC::arrayProtoFuncReverse):
3194
3195 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
3196
3197         ScopedArguments should do poisoning and index masking
3198         https://bugs.webkit.org/show_bug.cgi?id=183863
3199
3200         Reviewed by Mark Lam.
3201         
3202         This outlines the ScopedArguments overflow storage and adds poisoning.
3203
3204         * bytecode/AccessCase.cpp:
3205         (JSC::AccessCase::generateWithGuard):
3206         * dfg/DFGSpeculativeJIT.cpp:
3207         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3208         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3209         * ftl/FTLAbstractHeapRepository.h:
3210         * ftl/FTLLowerDFGToB3.cpp:
3211         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
3212         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3213         * jit/JITPropertyAccess.cpp:
3214         (JSC::JIT::emitScopedArgumentsGetByVal):
3215         * runtime/JSCPoison.h:
3216         * runtime/ScopedArguments.cpp:
3217         (JSC::ScopedArguments::ScopedArguments):
3218         (JSC::ScopedArguments::createUninitialized):
3219         (JSC::ScopedArguments::visitChildren):
3220         * runtime/ScopedArguments.h:
3221
3222 2018-03-21  Mark Lam  <mark.lam@apple.com>
3223
3224         Refactor the PtrTag list as a macro so that we can auto-generate code that enumerates each PtrTag.
3225         https://bugs.webkit.org/show_bug.cgi?id=183861
3226         <rdar://problem/38716822>
3227
3228         Reviewed by Filip Pizlo.
3229
3230         Also added ptrTagName() to aid debugging.  ptrTagName() is implemented using this
3231         new PtrTag macro list.
3232
3233         * CMakeLists.txt:
3234         * JavaScriptCore.xcodeproj/project.pbxproj:
3235         * Sources.txt:
3236         * runtime/PtrTag.cpp: Added.
3237         (JSC::ptrTagName):
3238         * runtime/PtrTag.h:
3239
3240 2018-03-21  Mark Lam  <mark.lam@apple.com>
3241
3242         Use CodeBlock::instructions()[] and CodeBlock::bytecodeOffset() instead of doing own pointer math.
3243         https://bugs.webkit.org/show_bug.cgi?id=183857
3244         <rdar://problem/38712184>
3245
3246         Reviewed by JF Bastien.
3247
3248         We should avoid doing pointer math with CodeBlock::instructions().begin().
3249         Instead, we should use the operator[] that comes with CodeBlock::instructions()
3250         for computing an Instruction*, and use CodeBlock::bytecodeOffset() for computing
3251         the bytecode offset of a given Instruction*.  These methods will do assertions
3252         which helps catch bugs sooner, plus they are more descriptive of the operation
3253         we're trying to do.
3254
3255         * bytecode/BytecodeKills.h:
3256         (JSC::BytecodeKills::operandIsKilled const):
3257         (JSC::BytecodeKills::forEachOperandKilledAt const):
3258         * bytecode/CallLinkStatus.cpp:
3259         (JSC::CallLinkStatus::computeFromLLInt):
3260         * bytecode/CodeBlock.cpp:
3261         (JSC::CodeBlock::dumpBytecode):
3262         (JSC::CodeBlock::arithProfileForBytecodeOffset):
3263         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
3264         * bytecode/GetByIdStatus.cpp:
3265         (JSC::GetByIdStatus::computeFromLLInt):
3266         * bytecode/PutByIdStatus.cpp:
3267         (JSC::PutByIdStatus::computeFromLLInt):
3268         * dfg/DFGByteCodeParser.cpp:
3269         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3270         * dfg/DFGOSRExit.cpp:
3271         (JSC::DFG::reifyInlinedCallFrames):
3272         * dfg/DFGOSRExitCompilerCommon.cpp:
3273         (JSC::DFG::reifyInlinedCallFrames):
3274         * interpreter/CallFrame.cpp:
3275         (JSC::CallFrame::callSiteBitsAsBytecodeOffset const):
3276         (JSC::CallFrame::currentVPC const):
3277         (JSC::CallFrame::setCurrentVPC):
3278         * jit/JITCall.cpp:
3279         (JSC::JIT::compileOpCall):
3280         * jit/JITInlines.h:
3281         (JSC::JIT::updateTopCallFrame):
3282         (JSC::JIT::copiedInstruction):
3283         * jit/JITOpcodes.cpp:
3284         (JSC::JIT::privateCompileHasIndexedProperty):
3285         * jit/JITOpcodes32_64.cpp:
3286         (JSC::JIT::privateCompileHasIndexedProperty):
3287         * jit/JITPropertyAccess.cpp:
3288         (JSC::JIT::privateCompileGetByVal):
3289         (JSC::JIT::privateCompileGetByValWithCachedId):
3290         (JSC::JIT::privateCompilePutByVal):
3291         (JSC::JIT::privateCompilePutByValWithCachedId):
3292         * jit/SlowPathCall.h:
3293         (JSC::JITSlowPathCall::call):
3294         * llint/LLIntSlowPaths.cpp:
3295         (JSC::LLInt::llint_trace_operand):
3296         (JSC::LLInt::llint_trace_value):
3297         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3298         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
3299         (JSC::LLInt::getByVal): Deleted.
3300         (JSC::LLInt::handleHostCall): Deleted.
3301         (JSC::LLInt::setUpCall): Deleted.
3302         (JSC::LLInt::genericCall): Deleted.
3303         (JSC::LLInt::varargsSetup): Deleted.
3304         (JSC::LLInt::llint_throw_stack_overflow_error): Deleted.
3305         (JSC::LLInt::llint_stack_check_at_vm_entry): Deleted.
3306         (JSC::LLInt::llint_write_barrier_slow): Deleted.
3307         (JSC::LLInt::llint_crash): Deleted.
3308         * runtime/SamplingProfiler.cpp:
3309         (JSC::tryGetBytecodeIndex):
3310
3311 2018-03-21  Keith Miller  <keith_miller@apple.com>
3312
3313         btjs should print the bytecode offset in the stack trace for JS frames
3314         https://bugs.webkit.org/show_bug.cgi?id=183856
3315
3316         Reviewed by Filip Pizlo.
3317
3318         * interpreter/CallFrame.cpp:
3319         (JSC::CallFrame::bytecodeOffset):
3320         (JSC::CallFrame::dump):
3321
3322 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3323
3324         Unreviewed. Fix GTK and WPE debug build after r229798.
3325
3326         Fix a typo in an ASSERT. Also convert several RELEASE_ASSERT to ASSERT that I forgot to do before landing.
3327
3328         * API/glib/JSCCallbackFunction.cpp:
3329         (JSC::JSCCallbackFunction::JSCCallbackFunction):
3330         * API/glib/JSCContext.cpp:
3331         (jscContextSetVirtualMachine):
3332         (jscContextGetJSContext):
3333         (wrapperMap):
3334         (jscContextHandleExceptionIfNeeded):
3335         * API/glib/JSCValue.cpp:
3336         (jscValueCallFunction):
3337         * API/glib/JSCVirtualMachine.cpp:
3338         (addWrapper):
3339         (removeWrapper):
3340         (jscVirtualMachineSetContextGroup):
3341         (jscVirtualMachineAddContext):
3342         (jscVirtualMachineRemoveContext):
3343         * API/glib/JSCWrapperMap.cpp:
3344         (JSC::WrapperMap::gobjectWrapper):
3345         (JSC::WrapperMap::unwrap):
3346         (JSC::WrapperMap::registerClass):
3347         (JSC::WrapperMap::createJSWrappper):
3348         (JSC::WrapperMap::wrappedObject const):
3349
3350 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3351
3352         [GTK][WPE] JSC bindings not introspectable
3353         https://bugs.webkit.org/show_bug.cgi?id=136989
3354
3355         Reviewed by Michael Catanzaro.
3356
3357         Make it possible to include individual headers when building WebKit layer.
3358
3359         * API/glib/JSCAutocleanups.h:
3360         * API/glib/JSCClass.h:
3361         * API/glib/JSCContext.h:
3362         * API/glib/JSCException.h:
3363         * API/glib/JSCValue.h:
3364         * API/glib/JSCVersion.h.in:
3365         * API/glib/JSCVirtualMachine.h:
3366
3367 2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>
3368
3369         [GTK][WPE] Initial implementation of JavaScriptCore glib bindings
3370         https://bugs.webkit.org/show_bug.cgi?id=164061
3371
3372         Reviewed by Michael Catanzaro.
3373
3374         Add initial GLib API for JavaScriptCore.
3375
3376         * API/JSAPIWrapperObject.h:
3377         * API/glib/JSAPIWrapperObjectGLib.cpp: Added.
3378         (jsAPIWrapperObjectHandleOwner):
3379         (JSAPIWrapperObjectHandleOwner::finalize):
3380         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
3381         (JSC::JSCallbackObject<JSAPIWrapperObject>::createStructure):
3382         (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
3383         (JSC::JSAPIWrapperObject::finishCreation):
3384         (JSC::JSAPIWrapperObject::setWrappedObject):
3385         (JSC::JSAPIWrapperObject::visitChildren):
3386         * API/glib/JSCAutocleanups.h: Added.
3387         * API/glib/JSCCallbackFunction.cpp: Added.
3388         (JSC::callAsFunction):
3389         (JSC::callAsConstructor):
3390         (JSC::JSCCallbackFunction::create):
3391         (JSC::JSCCallbackFunction::JSCCallbackFunction):
3392         (JSC::JSCCallbackFunction::call):
3393         (JSC::JSCCallbackFunction::construct):
3394         (JSC::JSCCallbackFunction::destroy):
3395         * API/glib/JSCCallbackFunction.h: Added.
3396         (JSC::JSCCallbackFunction::createStructure):
3397         (JSC::JSCCallbackFunction::functionCallback):
3398         (JSC::JSCCallbackFunction::constructCallback):
3399         * API/glib/JSCClass.cpp: Added.
3400         (jscClassGetProperty):
3401         (jscClassSetProperty):
3402         (jscClassDispose):
3403         (jscClassConstructed):
3404         (jsc_class_class_init):
3405         (jscClassCreate):
3406         (jscClassGetJSClass):
3407         (jscClassGetOrCreateJSWrapper):
3408         (jscClassInvalidate):
3409         (jsc_class_get_name):
3410         (jsc_class_get_parent):
3411         (jsc_class_add_constructor):
3412         (jsc_class_add_method):
3413         (jsc_class_add_property):
3414         * API/glib/JSCClass.h: Added.
3415         * API/glib/JSCClassPrivate.h: Added.
3416         * API/glib/JSCContext.cpp: Added.
3417     &