ada68775615ca216ed99e14c48e84ba47a1f9e50
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-12-27  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2
3         Build fix after r226299 (3)
4         https://bugs.webkit.org/show_bug.cgi?id=181160
5
6         Unreviewed build fix.
7
8         * API/tests/TypedArrayCTest.cpp: fix typo in header name.
9
10 2017-12-27  Carlos Alberto Lopez Perez  <clopez@igalia.com>
11
12         Build fix after r226299 (2)
13         https://bugs.webkit.org/show_bug.cgi?id=181160
14
15         Unreviewed build fix.
16
17         * API/tests/TypedArrayCTest.cpp: Add missing header include.
18
19 2017-12-27  Carlos Alberto Lopez Perez  <clopez@igalia.com>
20
21         Build fix after r226299
22         https://bugs.webkit.org/show_bug.cgi?id=181160
23
24         Unreviewed build fix.
25
26         * API/tests/TypedArrayCTest.cpp:
27         (assertEqualsAsNumber): Disambiguate usage of isnan.
28
29 2017-12-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
30
31         REGRESSION(r225769): Build error with constexpr std::max // std::min in libstdc++4
32         https://bugs.webkit.org/show_bug.cgi?id=181160
33
34         Reviewed by Myles C. Maxfield.
35
36         Disambiguate usage of min and max (Use the version from stdlib).
37
38         * runtime/JSArray.cpp:
39         (JSC::JSArray::unshiftCountSlowCase):
40         (JSC::JSArray::setLengthWithArrayStorage):
41         (JSC::JSArray::shiftCountWithArrayStorage):
42         (JSC::JSArray::fillArgList):
43         (JSC::JSArray::copyToArguments):
44
45 2017-12-27  Zan Dobersek  <zdobersek@igalia.com>
46
47         REGRESSION(r225913): about 30 JSC test failures on ARMv7
48         https://bugs.webkit.org/show_bug.cgi?id=181162
49
50         Reviewed by Michael Catanzaro.
51
52         Fast case in DFG::SpeculativeJIT::compileArraySlice() was enabled in
53         r225913 on all but 32-bit x86 platform. Other 32-bit platforms have the
54         same lack of GP registers, so the conditional is changed here to only
55         enable this optimization explicitly on ARM64 and x86-64.
56
57         * dfg/DFGSpeculativeJIT.cpp:
58         (JSC::DFG::SpeculativeJIT::compileArraySlice):
59
60 2017-12-26  Yusuke Suzuki  <utatane.tea@gmail.com>
61
62         [JSC] Remove std::chrono completely
63         https://bugs.webkit.org/show_bug.cgi?id=181165
64
65         Reviewed by Konstantin Tokarev.
66
67         This patch removes std::chrono use completely from JSC.
68
69         * API/JSContextRef.cpp:
70         (JSContextGroupSetExecutionTimeLimit):
71         * API/tests/ExecutionTimeLimitTest.cpp:
72         (currentCPUTimeAsJSFunctionCallback):
73         (testExecutionTimeLimit):
74         * bytecode/CodeBlock.cpp:
75         (JSC::CodeBlock::CodeBlock):
76         (JSC::timeToLive):
77         * bytecode/CodeBlock.h:
78         (JSC::CodeBlock::timeSinceCreation):
79         * runtime/SamplingProfiler.cpp:
80         (JSC::SamplingProfiler::SamplingProfiler):
81         (JSC::SamplingProfiler::timerLoop):
82         (JSC::SamplingProfiler::takeSample):
83         (JSC::SamplingProfiler::reportTopFunctions):
84         (JSC::SamplingProfiler::reportTopBytecodes):
85         * runtime/SamplingProfiler.h:
86         (JSC::SamplingProfiler::setTimingInterval):
87         * runtime/VM.cpp:
88         (JSC::VM::VM):
89         * runtime/Watchdog.cpp:
90         (JSC::Watchdog::Watchdog):
91         (JSC::Watchdog::setTimeLimit):
92         (JSC::Watchdog::shouldTerminate):
93         (JSC::Watchdog::startTimer):
94         (JSC::currentWallClockTime): Deleted.
95         * runtime/Watchdog.h:
96
97 2017-12-26  Zan Dobersek  <zdobersek@igalia.com>
98
99         REGRESSION(r226269): 60 JSC test failures on ARMv7
100         https://bugs.webkit.org/show_bug.cgi?id=181163
101
102         Reviewed by Yusuke Suzuki.
103
104         In r226269, DFG::SpeculativeJIT::compile() changed behavior for the
105         GetDirectPname operation on non-x86 platforms, switching to using
106         GPRFlushedCallResult registers for the payload and tag pair of the
107         return value (through the JSValueRegsFlushedCallResult struct). This
108         tripped about 60 test cases on ARMv7.
109
110         As before this change, GPRTemporary registers should be used, but this
111         can now be done through a JSValueRegsTemporary object.
112
113         * dfg/DFGSpeculativeJIT32_64.cpp:
114         (JSC::DFG::SpeculativeJIT::compile):
115
116 2017-12-22  Caio Lima  <ticaiolima@gmail.com>
117
118         [JSC] IntlCollator and IntlNumberFormat have static fields with the same name
119         https://bugs.webkit.org/show_bug.cgi?id=181128
120
121         Reviewed by Yusuke Suzuki.
122
123         Minor fixes to IntlNumberFormat::initializeNumberFormat and
124         IntlCollator::initializeCollator that make JSC unified sources
125         compile. These files were generating a compilation error when placed in
126         the same UnifiedSource.cpp, because they had static variables with the same name.
127
128         * runtime/IntlCollator.cpp:
129         (JSC::IntlCollator::initializeCollator):
130         * runtime/IntlNumberFormat.cpp:
131         (JSC::IntlNumberFormat::initializeNumberFormat):
132
133 2017-12-22  Michael Catanzaro  <mcatanzaro@igalia.com>
134
135         generate_offset_extractor.rb should not print to stderr by default
136         https://bugs.webkit.org/show_bug.cgi?id=181133
137
138         Reviewed by Mark Lam.
139
140         Remove unneeded print output.
141
142         * offlineasm/generate_offset_extractor.rb:
143
144 2017-12-22  Yusuke Suzuki  <utatane.tea@gmail.com>
145
146         [DFG] Cleaning up and unifying 32bit code more
147         https://bugs.webkit.org/show_bug.cgi?id=181124
148
149         Reviewed by Mark Lam.
150
151         This patch unifies DFG 32bit code into 64bit code more. In this patch, we move RegExp DFG nodes
152         from 32bit / 64bit code to the common code. We change some RegExp operations to return JSCell*
153         instead of EncodedJSValue. This simplifies DFG implementation.
154
155         And we also move HasGenericProperty since we now have JSValueRegsFlushedCallResult. ToPrimitive,
156         LogShadowChickenPrologue, and LogShadowChickenTail are almost the same in 32bit and 64bit.
157         Thus, they are unified easily.
158
159         And we also move some GPRFlushedCallResult from the original places to the places just after
160         `flushRegisters()` so as not to spill unnecessary registers.
161
162         * dfg/DFGOperations.cpp:
163         * dfg/DFGOperations.h:
164         * dfg/DFGSpeculativeJIT.cpp:
165         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
166         (JSC::DFG::SpeculativeJIT::compileRegExpTest):
167         (JSC::DFG::SpeculativeJIT::compileStringReplace):
168         (JSC::DFG::SpeculativeJIT::compileHasGenericProperty):
169         (JSC::DFG::SpeculativeJIT::compileToPrimitive):
170         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
171         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
172         * dfg/DFGSpeculativeJIT.h:
173         (JSC::DFG::SpeculativeJIT::callOperation):
174         * dfg/DFGSpeculativeJIT32_64.cpp:
175         (JSC::DFG::SpeculativeJIT::emitCall):
176         (JSC::DFG::SpeculativeJIT::compile):
177         * dfg/DFGSpeculativeJIT64.cpp:
178         (JSC::DFG::SpeculativeJIT::compile):
179         (JSC::DFG::SpeculativeJIT::speculateDoubleRepAnyInt):
180         * ftl/FTLLowerDFGToB3.cpp:
181         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
182         * jit/JITOperations.cpp:
183         * jit/JITOperations.h:
184         * runtime/StringPrototype.cpp:
185         (JSC::jsSpliceSubstrings):
186         (JSC::jsSpliceSubstringsWithSeparators):
187         (JSC::removeUsingRegExpSearch):
188         (JSC::replaceUsingRegExpSearch):
189         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
190         (JSC::operationStringProtoFuncReplaceRegExpString):
191         (JSC::replaceUsingStringSearch):
192         (JSC::replace):
193         (JSC::stringProtoFuncReplaceUsingRegExp):
194         (JSC::stringProtoFuncReplaceUsingStringSearch):
195         (JSC::operationStringProtoFuncReplaceGeneric):
196         * runtime/StringPrototype.h:
197
198 2017-12-22  Michael Catanzaro  <mcatanzaro@igalia.com>
199
200         [GTK] Duplicated symbols in libjavascriptcoregtk and libwebkit2gtk can cause crashes in production builds
201         https://bugs.webkit.org/show_bug.cgi?id=179914
202         <rdar://problem/36196039>
203
204         Unreviewed.
205
206         * PlatformGTK.cmake:
207
208 2017-12-22  Michael Catanzaro  <mcatanzaro@igalia.com>
209
210         [GTK] Duplicated symbols in libjavascriptcoregtk and libwebkit2gtk can cause crashes in production builds
211         https://bugs.webkit.org/show_bug.cgi?id=179914
212
213         Reviewed by Carlos Garcia Campos.
214
215         Add a new JavaScriptCoreGTK build target, to build JSC as a shared library. Link the
216         original JavaScriptCore build target, which is now a static library, to it. Use
217         --whole-archive to prevent all the JavaScriptCore symbols from being dropped, since none are
218         used directly by JavaScriptCoreGTK.
219
220         The installed libjavascriptcoregtk-4.0 now corresponds to the JavaScriptCoreGTK target,
221         instead of the JavaScriptCore target. There is almost no difference on the installed system,
222         except that we now use a version script when linking, to hide private symbols, since they're
223         no longer needed by libwebkit2gtk-4.0.so.
224
225         Also, move the symbols map here.
226
227         * PlatformGTK.cmake:
228         * javascriptcoregtk-symbols.map: Added.
229
230 2017-12-22  Yusuke Suzuki  <utatane.tea@gmail.com>
231
232         [DFG] Unify bunch of DFG 32bit code into 64bit code
233         https://bugs.webkit.org/show_bug.cgi?id=181083
234
235         Reviewed by Mark Lam.
236
237         There is a bunch of completely identical code in 32bit and 64bit DFG.
238         This is largely because of the old DFG code. At that time, we did not
239         have enough abstraction to describe them in one place. But now, we have
240         JSValueRegs, JSValueRegsTemporary etc. They allow DFG to write 32bit and
241         64bit handling in one place.
242
243         This patch unifies easy ones. This is nice since basically 32bit code is
244         a bit old and not maintained so much compared to 64bit. If we can drop
245         32bit specific code as much as possible, it would be nice. Furthermore,
246         we can find various mistakes in 32bit: for example, NewObject does not have
247         mutatorFence in 32bit while 64bit has it. This unification is a chance
248         to fix miscellaneous bugs in 32bit while reducing maintenance burden.
249
250         * dfg/DFGSpeculativeJIT.cpp:
251         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
252         (JSC::DFG::SpeculativeJIT::compileGetEnumerableLength):
253         (JSC::DFG::SpeculativeJIT::compileToIndexString):
254         (JSC::DFG::SpeculativeJIT::compilePutByIdWithThis):
255         (JSC::DFG::SpeculativeJIT::compileHasStructureProperty):
256         (JSC::DFG::SpeculativeJIT::compileGetPropertyEnumerator):
257         (JSC::DFG::SpeculativeJIT::compileGetEnumeratorPname):
258         (JSC::DFG::SpeculativeJIT::compileGetGetter):
259         (JSC::DFG::SpeculativeJIT::compileGetSetter):
260         (JSC::DFG::SpeculativeJIT::compileGetCallee):
261         (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
262         (JSC::DFG::SpeculativeJIT::compileStrCat):
263         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
264         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
265         (JSC::DFG::SpeculativeJIT::compileCreateThis):
266         (JSC::DFG::SpeculativeJIT::compileNewObject):
267         * dfg/DFGSpeculativeJIT.h:
268         (JSC::DFG::SpeculativeJIT::callOperation):
269         * dfg/DFGSpeculativeJIT32_64.cpp:
270         (JSC::DFG::SpeculativeJIT::compile):
271         * dfg/DFGSpeculativeJIT64.cpp:
272         (JSC::DFG::SpeculativeJIT::compile):
273
274 2017-12-22  Yusuke Suzuki  <utatane.tea@gmail.com>
275
276         [DFG] Add JSValueRegsFlushedCallResult
277         https://bugs.webkit.org/show_bug.cgi?id=181075
278
279         Reviewed by Mark Lam.
280
281         Add JSValueRegsFlushedCallResult, which is appropriate for the JSValueRegs result
282         of the function call after flushing. We can remove a bunch of `#if USE(JSVALUE32_64)`
283         code and simplify them.
284
285         * dfg/DFGSpeculativeJIT.cpp:
286         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
287         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
288         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
289         (JSC::DFG::SpeculativeJIT::compileParseInt):
290         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
291         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
292         (JSC::DFG::SpeculativeJIT::compileValueAdd):
293         (JSC::DFG::SpeculativeJIT::compileArithMul):
294         (JSC::DFG::SpeculativeJIT::compileArithDiv):
295         (JSC::DFG::SpeculativeJIT::compileArithRounding):
296         (JSC::DFG::SpeculativeJIT::compileResolveScopeForHoistingFuncDeclInEval):
297         (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
298         * dfg/DFGSpeculativeJIT.h:
299         (JSC::DFG::SpeculativeJIT::callOperation):
300         (JSC::DFG::JSValueRegsFlushedCallResult::JSValueRegsFlushedCallResult):
301         (JSC::DFG::JSValueRegsFlushedCallResult::regs):
302
303 2017-12-21  Saam Barati  <sbarati@apple.com>
304
305         lowering get_by_val to GetById inside bytecode parser should check for BadType exit kind
306         https://bugs.webkit.org/show_bug.cgi?id=181112
307
308         Reviewed by Mark Lam.
309
310         The React subtest in Speedometer has a get_by_val it always converts
311         into a GetById in the DFG. This GetById always exits because the incoming
312         identifier is a rope. This patch fixes this infinite exit loop
313         by only doing this transformation if we haven't exited due to BadType.
314
315         * dfg/DFGByteCodeParser.cpp:
316         (JSC::DFG::ByteCodeParser::parseBlock):
317
318 2017-12-21  Mark Lam  <mark.lam@apple.com>
319
320         Add WTF::PoisonedUniquePtr to replace std::unique_ptr when poisoning is desired.
321         https://bugs.webkit.org/show_bug.cgi?id=181062
322         <rdar://problem/36167040>
323
324         Reviewed by Chris Dumez.
325
326         * runtime/JSCPoisonedPtr.cpp:
327         - Added a needed #include.
328
329 2017-12-21  Jeremy Jones  <jeremyj@apple.com>
330
331         Update FULLSCREEN_API feature defines.
332         https://bugs.webkit.org/show_bug.cgi?id=181015
333
334         Reviewed by Tim Horton.
335
336         Change enabled iphone sdk for FULLSCREEN_API.
337
338         * Configurations/FeatureDefines.xcconfig:
339
340 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
341
342         [JSC] Do not check isValid() in op_new_regexp
343         https://bugs.webkit.org/show_bug.cgi?id=180970
344
345         Reviewed by Saam Barati.
346
347         We should not check `isValid()` inside op_new_regexp.
348         This simplifies the semantics of NewRegexp node in DFG.
349
350         * bytecompiler/NodesCodegen.cpp:
351         (JSC::RegExpNode::emitBytecode):
352         * dfg/DFGMayExit.cpp:
353         * dfg/DFGSpeculativeJIT.cpp:
354         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
355         * ftl/FTLLowerDFGToB3.cpp:
356         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
357         * jit/JITOperations.cpp:
358         * llint/LLIntSlowPaths.cpp:
359         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
360
361 2017-12-20  Saam Barati  <sbarati@apple.com>
362
363         GetPropertyEnumerator in DFG/FTL should not unconditionally speculate cell
364         https://bugs.webkit.org/show_bug.cgi?id=181054
365
366         Reviewed by Mark Lam.
367
368         Speedometer's react subtest has a function that is in an OSR exit loop because
369         we used to unconditionally speculate cell for the operand to GetPropertyEnumerator.
370         This fix doesn't seem to speed up Speedometer at all, but it's good hygiene 
371         for our compiler to not have this pathology. This patch adds a generic
372         GetPropertyEnumerator to prevent the exit loop.
373
374         * dfg/DFGFixupPhase.cpp:
375         (JSC::DFG::FixupPhase::fixupNode):
376         * dfg/DFGSpeculativeJIT32_64.cpp:
377         (JSC::DFG::SpeculativeJIT::compile):
378         * dfg/DFGSpeculativeJIT64.cpp:
379         (JSC::DFG::SpeculativeJIT::compile):
380         * ftl/FTLLowerDFGToB3.cpp:
381         (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
382         * jit/JITOperations.cpp:
383         * jit/JITOperations.h:
384
385 2017-12-20  Daniel Bates  <dabates@apple.com>
386
387         Remove Alternative Presentation Button
388         https://bugs.webkit.org/show_bug.cgi?id=180500
389         <rdar://problem/35891047>
390
391         Reviewed by Simon Fraser.
392
393         We no longer need the alternative presentation button.
394
395         * Configurations/FeatureDefines.xcconfig:
396
397 2017-12-19  Saam Barati  <sbarati@apple.com>
398
399         We forgot to do index masking for in bounds int32 arrays in the FTL
400         https://bugs.webkit.org/show_bug.cgi?id=180987
401
402         Reviewed by Keith Miller.
403
404         * ftl/FTLLowerDFGToB3.cpp:
405         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
406
407 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
408
409         [DFG][FTL] NewRegexp should be fast
410         https://bugs.webkit.org/show_bug.cgi?id=180960
411
412         Reviewed by Michael Saboff.
413
414         When we encounter a RegExp literal like /AAA/g, we need to create a RegExp object.
415         A typical idiom like `string.match(/regexp/)` requires RegExp object creation
416         every time.
417
418         As a first step, this patch accelerates RegExp object creation by handling it
419         in DFG and FTL. In a subsequent patch, we would like to introduce PhantomNewRegexp
420         to remove unnecessary RegExp object creations.
421
422         This patch improves SixSpeed/regex-u.{es5,es6}.
423
424                                      baseline                  patched
425
426             regex-u.es5          69.6759+-3.1951     ^     53.1425+-2.0292        ^ definitely 1.3111x faster
427             regex-u.es6         129.5413+-5.4437     ^    107.2105+-7.7775        ^ definitely 1.2083x faster
428
429         * dfg/DFGSpeculativeJIT.cpp:
430         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
431         * dfg/DFGSpeculativeJIT.h:
432         * dfg/DFGSpeculativeJIT32_64.cpp:
433         (JSC::DFG::SpeculativeJIT::compile):
434         * dfg/DFGSpeculativeJIT64.cpp:
435         (JSC::DFG::SpeculativeJIT::compile):
436         * ftl/FTLAbstractHeapRepository.h:
437         * ftl/FTLLowerDFGToB3.cpp:
438         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
439         * jit/JIT.h:
440         * jit/JITInlines.h:
441         (JSC::JIT::callOperation):
442         * jit/JITOpcodes.cpp:
443         (JSC::JIT::emit_op_new_regexp):
444         * jit/JITOperations.cpp:
445         * jit/JITOperations.h:
446         * llint/LLIntSlowPaths.cpp:
447         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
448         * runtime/RegExpObject.h:
449         (JSC::RegExpObject::offsetOfRegExp):
450         (JSC::RegExpObject::allocationSize):
451
452 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
453
454         Unreviewed, include YarrErrorCode.h in Yarr.h
455         https://bugs.webkit.org/show_bug.cgi?id=180966
456
457         * yarr/Yarr.h:
458
459 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
460
461         [YARR] Yarr should return ErrorCode instead of error messages (const char*)
462         https://bugs.webkit.org/show_bug.cgi?id=180966
463
464         Reviewed by Mark Lam.
465
466         Currently, Yarr returns `const char*` for an error message when needed.
467         But it is easier to handle error status if Yarr returns an error code
468         instead of `const char*`.
469
470         In this patch, we introduce Yarr::ErrorCode. Yarr returns it instead of
471         `const char*`. `std::expected<void, Yarr::ErrorCode>` would be appropriate
472         for the Yarr API interface. But it requires substantial changes removing
473         ErrorCode::NoError, so this patch just uses the current Yarr::ErrorCode as
474         a first step.
475
476         * JavaScriptCore.xcodeproj/project.pbxproj:
477         * Sources.txt:
478         * inspector/ContentSearchUtilities.cpp:
479         (Inspector::ContentSearchUtilities::findMagicComment):
480         * parser/ASTBuilder.h:
481         (JSC::ASTBuilder::createRegExp):
482         * parser/Parser.cpp:
483         (JSC::Parser<LexerType>::parsePrimaryExpression):
484         * parser/SyntaxChecker.h:
485         (JSC::SyntaxChecker::createRegExp):
486         * runtime/RegExp.cpp:
487         (JSC::RegExp::RegExp):
488         (JSC::RegExp::byteCodeCompileIfNecessary):
489         (JSC::RegExp::compile):
490         (JSC::RegExp::compileMatchOnly):
491         * runtime/RegExp.h:
492         * yarr/RegularExpression.cpp:
493         (JSC::Yarr::RegularExpression::Private::Private):
494         (JSC::Yarr::RegularExpression::Private::compile):
495         * yarr/YarrErrorCode.cpp: Added.
496         (JSC::Yarr::errorMessage):
497         * yarr/YarrErrorCode.h: Copied from Source/JavaScriptCore/yarr/YarrSyntaxChecker.h.
498         (JSC::Yarr::hasError):
499         * yarr/YarrParser.h:
500         (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):
501         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
502         (JSC::Yarr::Parser::Parser):
503         (JSC::Yarr::Parser::isIdentityEscapeAnError):
504         (JSC::Yarr::Parser::parseEscape):
505         (JSC::Yarr::Parser::parseCharacterClass):
506         (JSC::Yarr::Parser::parseParenthesesBegin):
507         (JSC::Yarr::Parser::parseParenthesesEnd):
508         (JSC::Yarr::Parser::parseQuantifier):
509         (JSC::Yarr::Parser::parseTokens):
510         (JSC::Yarr::Parser::parse):
511         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
512         (JSC::Yarr::Parser::tryConsumeUnicodePropertyExpression):
513         (JSC::Yarr::parse):
514         * yarr/YarrPattern.cpp:
515         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
516         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
517         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
518         (JSC::Yarr::YarrPattern::compile):
519         (JSC::Yarr::YarrPattern::YarrPattern):
520         (JSC::Yarr::YarrPattern::errorMessage): Deleted.
521         * yarr/YarrPattern.h:
522         (JSC::Yarr::YarrPattern::reset):
523         * yarr/YarrSyntaxChecker.cpp:
524         (JSC::Yarr::checkSyntax):
525         * yarr/YarrSyntaxChecker.h:
526
527 2017-12-18  Saam Barati  <sbarati@apple.com>
528
529         Follow up to bug#179762. Fix PreciseLocalClobberize to handle Spread/PhantomSpread(PhantomNewArrayBuffer)
530
531         * dfg/DFGPreciseLocalClobberize.h:
532         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
533
534 2017-12-16  Filip Pizlo  <fpizlo@apple.com>
535
536         Vector index masking
537         https://bugs.webkit.org/show_bug.cgi?id=180909
538
539         Reviewed by Keith Miller.
540         
541         Adopt index masking for strings.
542
543         * dfg/DFGSpeculativeJIT.cpp:
544         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
545         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
546         * ftl/FTLAbstractHeapRepository.h:
547         * ftl/FTLLowerDFGToB3.cpp:
548         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
549         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
550         * jit/ThunkGenerators.cpp:
551         (JSC::stringCharLoad):
552
553 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
554
555         [FTL] NewArrayBuffer should be sunk if it is only used for spreading
556         https://bugs.webkit.org/show_bug.cgi?id=179762
557
558         Reviewed by Saam Barati.
559
560         This patch extends arguments elimination phase to accept NewArrayBuffer.
561         We can convert NewArrayBuffer to PhantomNewArrayBuffer if it is only
562         used by spreading nodes.
563
564         This improves SixSpeed spread.es6 by 3.5x.
565
566             spread.es6           79.1496+-3.5665     ^     23.6204+-1.8526        ^ definitely 3.3509x faster
567
568         * dfg/DFGAbstractInterpreterInlines.h:
569         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
570         * dfg/DFGArgumentsEliminationPhase.cpp:
571         * dfg/DFGClobberize.h:
572         (JSC::DFG::clobberize):
573         * dfg/DFGDoesGC.cpp:
574         (JSC::DFG::doesGC):
575         * dfg/DFGFixupPhase.cpp:
576         (JSC::DFG::FixupPhase::fixupNode):
577         * dfg/DFGNode.h:
578         (JSC::DFG::Node::hasNewArrayBufferData):
579         (JSC::DFG::Node::hasVectorLengthHint):
580         (JSC::DFG::Node::hasIndexingType):
581         (JSC::DFG::Node::indexingType):
582         (JSC::DFG::Node::hasCellOperand):
583         (JSC::DFG::Node::isPhantomAllocation):
584         * dfg/DFGNodeType.h:
585         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
586         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
587         * dfg/DFGPredictionPropagationPhase.cpp:
588         * dfg/DFGPromotedHeapLocation.cpp:
589         (WTF::printInternal):
590         * dfg/DFGPromotedHeapLocation.h:
591         * dfg/DFGSafeToExecute.h:
592         (JSC::DFG::safeToExecute):
593         * dfg/DFGSpeculativeJIT32_64.cpp:
594         (JSC::DFG::SpeculativeJIT::compile):
595         * dfg/DFGSpeculativeJIT64.cpp:
596         (JSC::DFG::SpeculativeJIT::compile):
597         * dfg/DFGValidate.cpp:
598         * ftl/FTLCapabilities.cpp:
599         (JSC::FTL::canCompile):
600         * ftl/FTLLowerDFGToB3.cpp:
601         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
602         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
603         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
604         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
605         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
606         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
607         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
608         * ftl/FTLOperations.cpp:
609         (JSC::FTL::operationPopulateObjectInOSR):
610         (JSC::FTL::operationMaterializeObjectInOSR):
611
612 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
613
614         [JSC] Use IsoSpace for JSWeakMap and JSWeakSet to use finalizeUnconditionally
615         https://bugs.webkit.org/show_bug.cgi?id=180916
616
617         Reviewed by Darin Adler.
618
619         This patch drops UnconditionalFinalizer for JSWeakMap and JSWeakSet by using IsoSpace.
620         Since these cells always require calling finalizeUnconditionally, we do not need to
621         track cells by using IsoCellSet.
622
623         Currently we still have WeakReferenceHarvester in JSWeakMap and JSWeakSet. We should
624         avoid using a global linked-list for this in the future.
625
626         * JavaScriptCore.xcodeproj/project.pbxproj:
627         * heap/Heap.cpp:
628         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace):
629         (JSC::Heap::finalizeUnconditionalFinalizers):
630         * heap/Heap.h:
631         * runtime/VM.cpp:
632         (JSC::VM::VM):
633         * runtime/VM.h:
634         * runtime/WeakMapImpl.cpp:
635         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
636         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally): Deleted.
637         * runtime/WeakMapImpl.h:
638         (JSC::WeakMapImpl::isWeakMap):
639         (JSC::WeakMapImpl::isWeakSet):
640         (JSC::WeakMapImpl::subspaceFor):
641         * runtime/WeakMapImplInlines.h: Added.
642         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
643
644 2017-12-17  Mark Lam  <mark.lam@apple.com>
645
646         Hollow out stub implementation of InspectorBackendDispatcher::sendResponse().
647         https://bugs.webkit.org/show_bug.cgi?id=180901
648         <rdar://problem/36087649>
649
650         Reviewed by Darin Adler.
651
652         We only need to keep a deprecated implementation of InspectorValues,
653         InspectorObjects, and InspectorBackendDispatcher::sendResponse() around so that
654         older versions of Safari can link against and run with a build of the latest code
655         in WebKit trunk. Older versions of System Safari used InspectorValues (via
656         WebInspector.framework) for two things:
657
658         1. Augmented JSContexts SPIs (via WebInspector.framework).
659         2. maybe WebDriver.
660
661         Neither of these are used when running SafariForWebKitDevelopment.  Since neither
662         are used, we can stub out the symbols (InspectorValues, InspectorObjects,
663         InspectorBackendDispatcher::sendResponse) to do nothing, and
664         SafariForWebKitDevelopment will still continue to launch with trunk WebKit, and
665         run without any observable bad behavior.
666
667         * JavaScriptCore.xcodeproj/project.pbxproj:
668         * SourcesCocoa.txt:
669         * inspector/InspectorBackendDispatcher.cpp:
670         * inspector/InspectorBackendDispatcher.h:
671         * inspector/cocoa/DeprecatedInspectorValues.cpp:
672         (Inspector::InspectorValue::null):
673         (Inspector::InspectorValue::create):
674         (Inspector::InspectorValue::asValue):
675         (Inspector::InspectorValue::asObject):
676         (Inspector::InspectorValue::asArray):
677         (Inspector::InspectorValue::parseJSON):
678         (Inspector::InspectorValue::toJSONString const):
679         (Inspector::InspectorValue::asBoolean const):
680         (Inspector::InspectorValue::asDouble const):
681         (Inspector::InspectorValue::asInteger const):
682         (Inspector::InspectorValue::asString const):
683         (Inspector::InspectorValue::writeJSON const):
684         (Inspector::InspectorValue::memoryCost const):
685         (Inspector::InspectorObjectBase::openAccessors):
686         (Inspector::InspectorObjectBase::memoryCost const):
687         (Inspector::InspectorObjectBase::getBoolean const):
688         (Inspector::InspectorObjectBase::getString const):
689         (Inspector::InspectorObjectBase::getObject const):
690         (Inspector::InspectorObjectBase::getArray const):
691         (Inspector::InspectorObjectBase::getValue const):
692         (Inspector::InspectorObjectBase::remove):
693         (Inspector::InspectorObject::create):
694         (Inspector::InspectorArrayBase::get const):
695         (Inspector::InspectorArrayBase::memoryCost const):
696         (Inspector::InspectorArray::create):
697         (Inspector::BackendDispatcher::sendResponse):
698         (Inspector::InspectorObjectBase::~InspectorObjectBase): Deleted.
699         (Inspector::InspectorObjectBase::asObject): Deleted.
700         (Inspector::InspectorObjectBase::writeJSON const): Deleted.
701         (Inspector::InspectorObjectBase::InspectorObjectBase): Deleted.
702         (Inspector::InspectorArrayBase::~InspectorArrayBase): Deleted.
703         (Inspector::InspectorArrayBase::asArray): Deleted.
704         (Inspector::InspectorArrayBase::writeJSON const): Deleted.
705         (Inspector::InspectorArrayBase::InspectorArrayBase): Deleted.
706         * inspector/cocoa/DeprecatedInspectorValues.h: Removed.
707
708 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
709
710         [JSC][WebCore][CSSJIT] Remove VM reference in CSSJIT
711         https://bugs.webkit.org/show_bug.cgi?id=180917
712
713         Reviewed by Sam Weinig.
714
715         We do not need to hold JIT flags in VM. We add
716         static VM::{canUseJIT,canUseAssembler,canUseRegExpJIT} functions.
717
718         * interpreter/AbstractPC.cpp:
719         (JSC::AbstractPC::AbstractPC):
720         * jit/JITThunks.cpp:
721         (JSC::JITThunks::ctiNativeCall):
722         (JSC::JITThunks::ctiNativeConstruct):
723         (JSC::JITThunks::ctiNativeTailCall):
724         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
725         (JSC::JITThunks::ctiInternalFunctionCall):
726         (JSC::JITThunks::ctiInternalFunctionConstruct):
727         (JSC::JITThunks::hostFunctionStub):
728         * llint/LLIntEntrypoint.cpp:
729         (JSC::LLInt::setFunctionEntrypoint):
730         (JSC::LLInt::setEvalEntrypoint):
731         (JSC::LLInt::setProgramEntrypoint):
732         (JSC::LLInt::setModuleProgramEntrypoint):
733         * llint/LLIntSlowPaths.cpp:
734         (JSC::LLInt::shouldJIT):
735         (JSC::LLInt::entryOSR):
736         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
737         * runtime/RegExp.cpp:
738         (JSC::RegExp::compile):
739         (JSC::RegExp::compileMatchOnly):
740         * runtime/VM.cpp:
741         (JSC::VM::canUseAssembler):
742         (JSC::VM::canUseJIT):
743         (JSC::VM::canUseRegExpJIT):
744         (JSC::VM::VM):
745         * runtime/VM.h:
746         (JSC::VM::canUseJIT): Deleted.
747         (JSC::VM::canUseRegExpJIT): Deleted.
748
749 2017-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>
750
751         [JSC] Number of SlotVisitors can increase after setting up m_visitCounters
752         https://bugs.webkit.org/show_bug.cgi?id=180906
753
754         Reviewed by Filip Pizlo.
755
756         The number of SlotVisitors can increase after setting up m_visitCounters.
757         If it happens, our m_visitCounters misses the visit count of newly added
758         SlotVisitors. It accidentally decides that constraints are converged.
759         This leads to random assertion hits in Linux environment.
760
761         In this patch, we compare the number of SlotVisitors in didVisitSomething().
762         If the number of SlotVisitors is changed, we conservatively say we did
763         visit something.
764
765         * heap/Heap.h:
766         * heap/HeapInlines.h:
767         (JSC::Heap::numberOfSlotVisitors):
768         * heap/MarkingConstraintSet.h:
769         * heap/MarkingConstraintSolver.cpp:
770         (JSC::MarkingConstraintSolver::didVisitSomething const):
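
The snapshot problem this entry describes, as an added illustration that is not JSC's code: Heap, SlotVisitor and MarkingConstraintSolver below are constructed stand-ins whose names mirror the changelog, with the pre-fix convergence check kept next to the fixed didVisitSomething() that also compares the visitor count.

```cpp
// Added illustration (not JSC code): a convergence check built from a snapshot of
// per-visitor visit counts must also notice visitors added after the snapshot,
// otherwise work done by a late visitor is invisible and the solver wrongly
// concludes that the constraints have converged.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

struct SlotVisitor {
    uint64_t visitCount = 0;
    void visit(uint64_t cells) { visitCount += cells; }
};

struct Heap {
    // unique_ptr keeps each visitor's address stable when the vector grows.
    std::vector<std::unique_ptr<SlotVisitor>> visitors;
    size_t numberOfSlotVisitors() const { return visitors.size(); }
    SlotVisitor& addSlotVisitor()
    {
        visitors.push_back(std::make_unique<SlotVisitor>());
        return *visitors.back();
    }
};

class MarkingConstraintSolver {
public:
    explicit MarkingConstraintSolver(Heap& heap)
        : m_heap(heap)
        , m_numberOfSlotVisitors(heap.numberOfSlotVisitors())
    {
        // The "setting up m_visitCounters" step: snapshot every visitor that exists now.
        for (auto& visitor : heap.visitors)
            m_visitCounters.push_back(visitor->visitCount);
    }

    // Pre-fix check: only visitors present at snapshot time are compared, so a
    // visitor created afterwards can do arbitrary work without being noticed.
    bool didVisitSomethingBeforeFix() const
    {
        for (size_t i = 0; i < m_visitCounters.size(); ++i) {
            if (m_heap.visitors[i]->visitCount != m_visitCounters[i])
                return true;
        }
        return false;
    }

    // Fixed check: a changed visitor count is conservatively reported as progress.
    bool didVisitSomething() const
    {
        if (m_heap.numberOfSlotVisitors() != m_numberOfSlotVisitors)
            return true;
        return didVisitSomethingBeforeFix();
    }

private:
    Heap& m_heap;
    size_t m_numberOfSlotVisitors;
    std::vector<uint64_t> m_visitCounters;
};

// The scenario from the changelog: a visitor added after the snapshot does all
// the marking. Returns {pre-fix answer, fixed answer} to "did we visit something?".
std::pair<bool, bool> lateVisitorScenario()
{
    Heap heap;
    heap.addSlotVisitor();                  // exists when the solver snapshots
    MarkingConstraintSolver solver(heap);
    SlotVisitor& late = heap.addSlotVisitor(); // appears after the snapshot
    late.visit(42);
    return { solver.didVisitSomethingBeforeFix(), solver.didVisitSomething() };
}

int main()
{
    auto result = lateVisitorScenario();
    std::printf("pre-fix: %s, fixed: %s\n", result.first ? "visited" : "converged",
                result.second ? "visited" : "converged");
    return 0;
}
```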
771
772 2017-12-16  Keith Miller  <keith_miller@apple.com>
773
774         Indexing should only be computed when the new structure has an indexing header.
775         https://bugs.webkit.org/show_bug.cgi?id=180895
776
777         Reviewed by Saam Barati.
778
779         If we don't have an indexing header then we point the butterfly
780         sizeof(IndexingHeader) past the end of the butterfly. This makes
781         the computation of the offset simpler since it doesn't depend on
782         the indexing headeriness of the butterfly.
783
784         * jit/JITOperations.cpp:
785         * runtime/JSObject.cpp:
786         (JSC::JSObject::createInitialUndecided):
787         (JSC::JSObject::createInitialInt32):
788         (JSC::JSObject::createInitialDouble):
789         (JSC::JSObject::createInitialContiguous):
790         (JSC::JSObject::createArrayStorage):
791         (JSC::JSObject::convertUndecidedToArrayStorage):
792         (JSC::JSObject::convertInt32ToArrayStorage):
793         (JSC::JSObject::convertDoubleToArrayStorage):
794         * runtime/JSObject.h:
795         (JSC::JSObject::setButterfly):
796         (JSC::JSObject::nukeStructureAndSetButterfly):
797         * runtime/JSObjectInlines.h:
798         (JSC::JSObject::prepareToPutDirectWithoutTransition):
799         (JSC::JSObject::putDirectInternal):
800
801 2017-12-15  Ryan Haddad  <ryanhaddad@apple.com>
802
803         Unreviewed, rolling out r225941.
804
805         This change introduced LayoutTest crashes and assertion
806         failures.
807
808         Reverted changeset:
809
810         "Web Inspector: replace HTMLCanvasElement with
811         CanvasRenderingContext for instrumentation logic"
812         https://bugs.webkit.org/show_bug.cgi?id=180770
813         https://trac.webkit.org/changeset/225941
814
815 2017-12-15  Yusuke Suzuki  <utatane.tea@gmail.com>
816
817         Unreviewed, 32bit JSEmpty is not nullptr + CellTag
818         https://bugs.webkit.org/show_bug.cgi?id=180804
819
820         Add 32bit path for WeakMapGet.
821
822         * dfg/DFGSpeculativeJIT.cpp:
823         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
824
825 2017-12-14  Saam Barati  <sbarati@apple.com>
826
827         The CleanUp after LICM is erroneously removing a Check
828         https://bugs.webkit.org/show_bug.cgi?id=180852
829         <rdar://problem/36063494>
830
831         Reviewed by Filip Pizlo.
832
833         There was a bug where CleanUp phase relied on isProved() bits and LICM
834         changed them in an invalid way. The bug is as follows:
835         
836         We have two loops, L1 and L2, and two preheaders, P1 and P2. L2 is nested
837         inside of L1. We have a Check inside a node inside L1, say in basic block BB,
838         and that Check dominates all of L2. This is also a hoisting candidate, so we
839         hoist it outside of L1 and put it inside P1. Then, when we run AI, we look at
840         the preheader for each loop inside L1, so P1 and P2. When considering P2,
841         we execute the Check. Inside P2, before any hoisting is done, this Check
842         is dead code, because BB dominates P2. When we use AI to "execute" the
843         Check, it'll set its proof status to proved. This is because inside P2,
844         in the program before LICM runs, the Check is indeed proven at P2. But
845         it is not proven inside P1. This "execute" call will set our proof status
846         for the node inside *P1*, hence, we crash.
847         
848         The fix here is to make LICM precise when updating the ProofStatus of an edge.
849         It can trust the AI state at the preheader it hoists the node to, but it can't
850         trust the state when executing effects inside inner loops' preheaders.
851
852         * dfg/DFGPlan.cpp:
853         (JSC::DFG::Plan::compileInThreadImpl):
854
855 2017-12-14  David Kilzer  <ddkilzer@apple.com>
856
857         Enable -Wstrict-prototypes for WebKit
858         <https://webkit.org/b/180757>
859         <rdar://problem/36024132>
860
861         Rubber-stamped by Joseph Pecoraro.
862
863         * API/tests/CompareAndSwapTest.h:
864         (testCompareAndSwap): Add 'void' to C function declaration.
865         * API/tests/ExecutionTimeLimitTest.h:
866         (testExecutionTimeLimit): Ditto.
867         * API/tests/FunctionOverridesTest.h:
868         (testFunctionOverrides): Ditto.
869         * API/tests/GlobalContextWithFinalizerTest.h:
870         (testGlobalContextWithFinalizer): Ditto.
871         * API/tests/JSONParseTest.h:
872         (testJSONParse): Ditto.
873         * API/tests/MultithreadedMultiVMExecutionTest.h:
874         (startMultithreadedMultiVMExecutionTest): Ditto.
875         (finalizeMultithreadedMultiVMExecutionTest): Ditto.
876         * API/tests/PingPongStackOverflowTest.h:
877         (testPingPongStackOverflow): Ditto.
878         * Configurations/Base.xcconfig:
879         (CLANG_WARN_STRICT_PROTOTYPES): Add. Set to YES.
880
881 2017-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>
882
883         [DFG] Reduce register pressure of WeakMapGet to be used for 32bit
884         https://bugs.webkit.org/show_bug.cgi?id=180804
885
886         Reviewed by Saam Barati.
887
888         This fixes 32bit failures of JSC by reducing register pressure of WeakMapGet.
889
890         * dfg/DFGRegisterBank.h:
891         (JSC::DFG::RegisterBank::lockedCount const):
892         * dfg/DFGSpeculativeJIT.cpp:
893         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
894
895 2017-12-14  Keith Miller  <keith_miller@apple.com>
896
897         Unreviewed, forgot to add { }
898
899         * runtime/JSObject.h:
900         (JSC::JSObject::setButterfly):
901         (JSC::JSObject::nukeStructureAndSetButterfly):
902
903 2017-12-14  Devin Rousso  <webkit@devinrousso.com>
904
905         Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
906         https://bugs.webkit.org/show_bug.cgi?id=180770
907
908         Reviewed by Joseph Pecoraro.
909
910         * inspector/protocol/Canvas.json:
911
912 2017-12-14  Keith Miller  <keith_miller@apple.com>
913
914         Fix assertion in JSObject's structure setting methods
915         https://bugs.webkit.org/show_bug.cgi?id=180840
916
917         Reviewed by Mark Lam.
918
919         I forgot that when Typed Arrays have non-indexed properties
920         added to them, they call the generic code. The generic code
921         in turn calls the regular structure setting methods. Thus,
922         these assertions were invalid and we should just avoid setting
923         the indexing mask if we have a Typed Array.
924
925         * runtime/JSObject.h:
926         (JSC::JSObject::setButterfly):
927         (JSC::JSObject::nukeStructureAndSetButterfly):
928
929 2017-12-14  Michael Saboff  <msaboff@apple.com>
930
931         REGRESSION (r225695): Repro crash on yahoo login page
932         https://bugs.webkit.org/show_bug.cgi?id=180761
933
934         Reviewed by JF Bastien.
935
936         Relanding r225695 with a fix.
937
938         The fix is that we need to save the return address for a parentheses in
939         the ParenContext because it is actually used by any immediately contained
940         alternatives.
941
942         Also did a little refactoring, changing occurrences of PatternContext to
943         ParenContext since that is the name of the structure.
944
945         * runtime/RegExp.cpp:
946         (JSC::byteCodeCompilePattern):
947         (JSC::RegExp::byteCodeCompileIfNecessary):
948         (JSC::RegExp::compile):
949         (JSC::RegExp::compileMatchOnly):
950         * runtime/RegExp.h:
951         * runtime/RegExpInlines.h:
952         (JSC::RegExp::matchInline):
953         * testRegExp.cpp:
954         (parseRegExpLine):
955         (runFromFiles):
956         * yarr/Yarr.h:
957         * yarr/YarrInterpreter.cpp:
958         (JSC::Yarr::ByteCompiler::compile):
959         (JSC::Yarr::ByteCompiler::dumpDisjunction):
960         * yarr/YarrJIT.cpp:
961         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
962         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
963         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
964         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
965         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
966         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
967         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
968         (JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
969         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
970         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
971         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
972         (JSC::Yarr::YarrGenerator::allocateParenContext):
973         (JSC::Yarr::YarrGenerator::freeParenContext):
974         (JSC::Yarr::YarrGenerator::saveParenContext):
975         (JSC::Yarr::YarrGenerator::restoreParenContext):
976         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
977         (JSC::Yarr::YarrGenerator::storeToFrame):
978         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
979         (JSC::Yarr::YarrGenerator::clearMatches):
980         (JSC::Yarr::YarrGenerator::generate):
981         (JSC::Yarr::YarrGenerator::backtrack):
982         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
983         (JSC::Yarr::YarrGenerator::generateEnter):
984         (JSC::Yarr::YarrGenerator::generateReturn):
985         (JSC::Yarr::YarrGenerator::YarrGenerator):
986         (JSC::Yarr::YarrGenerator::compile):
987         * yarr/YarrJIT.h:
988         (JSC::Yarr::YarrCodeBlock::execute):
989         * yarr/YarrPattern.cpp:
990         (JSC::Yarr::indentForNestingLevel):
991         (JSC::Yarr::dumpUChar32):
992         (JSC::Yarr::dumpCharacterClass):
993         (JSC::Yarr::PatternTerm::dump):
994         (JSC::Yarr::YarrPattern::dumpPattern):
995         * yarr/YarrPattern.h:
996         (JSC::Yarr::PatternTerm::containsAnyCaptures):
997         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
998         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
999         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
1000         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
1001         (JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex):
1002         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
1003
1004 2017-12-13  Keith Miller  <keith_miller@apple.com>
1005
1006         JSObjects should have a mask for loading indexed properties
1007         https://bugs.webkit.org/show_bug.cgi?id=180768
1008
1009         Reviewed by Mark Lam.
1010
1011         This patch adds a new member to JSObject that holds an indexing
1012         mask.  The indexing mask is bitwise anded with the index used to
1013         load a property.  If for whatever reason an attacker is able to
1014         clobber the vectorLength of our butterfly they still won't be able
1015         to read substantially past the end of the butterfly. For
1016         performance reasons we don't use the indexing masking for
1017         TypedArrays. Since TypedArrays are already gigacaged the risk of
1018         wild reads is still restricted.
1019
1020         This patch is a <1% regression on Speedometer and ~3% regression
1021         on JetStream in my testing.
1022
1023         * assembler/MacroAssembler.h:
1024         (JSC::MacroAssembler::urshiftPtr):
1025         * bytecode/AccessCase.cpp:
1026         (JSC::AccessCase::generateImpl):
1027         * dfg/DFGAbstractHeap.h:
1028         * dfg/DFGClobberize.h:
1029         (JSC::DFG::clobberize):
1030         * dfg/DFGSpeculativeJIT.cpp:
1031         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1032         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1033         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1034         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1035         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1036         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1037         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
1038         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1039         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1040         * dfg/DFGSpeculativeJIT.h:
1041         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1042         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1043         * dfg/DFGSpeculativeJIT32_64.cpp:
1044         (JSC::DFG::SpeculativeJIT::compile):
1045         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1046         * dfg/DFGSpeculativeJIT64.cpp:
1047         (JSC::DFG::SpeculativeJIT::compile):
1048         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1049         * ftl/FTLAbstractHeap.cpp:
1050         (JSC::FTL::IndexedAbstractHeap::baseIndex):
1051         * ftl/FTLAbstractHeap.h:
1052         * ftl/FTLAbstractHeapRepository.h:
1053         * ftl/FTLLowerDFGToB3.cpp:
1054         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
1055         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1056         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1057         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1058         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1059         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1060         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1061         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1062         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1063         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
1064         (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
1065         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1066         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1067         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1068         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
1069         * ftl/FTLOutput.h:
1070         (JSC::FTL::Output::baseIndex):
1071         * jit/AssemblyHelpers.h:
1072         (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
1073         (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
1074         (JSC::AssemblyHelpers::emitAllocateJSObject):
1075         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1076         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
1077         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1078         (JSC::AssemblyHelpers::storeButterfly): Deleted.
1079         * jit/JITOpcodes.cpp:
1080         (JSC::JIT::emit_op_new_object):
1081         (JSC::JIT::emit_op_create_this):
1082         * jit/JITOpcodes32_64.cpp:
1083         (JSC::JIT::emit_op_new_object):
1084         (JSC::JIT::emit_op_create_this):
1085         * jit/JITPropertyAccess.cpp:
1086         (JSC::JIT::emitDoubleLoad):
1087         (JSC::JIT::emitContiguousLoad):
1088         (JSC::JIT::emitArrayStorageLoad):
1089         * llint/LowLevelInterpreter32_64.asm:
1090         * llint/LowLevelInterpreter64.asm:
1091         * runtime/ArrayStorage.h:
1092         (JSC::ArrayStorage::availableVectorLength):
1093         * runtime/Butterfly.h:
1094         (JSC::ContiguousData::ContiguousData):
1095         (JSC::ContiguousData::at const):
1096         (JSC::ContiguousData::at):
1097         (JSC::Butterfly::publicLength const):
1098         (JSC::Butterfly::vectorLength const):
1099         (JSC::Butterfly::computeIndexingMaskForVectorLength):
1100         (JSC::Butterfly::computeIndexingMask):
1101         (JSC::Butterfly::contiguousInt32):
1102         (JSC::ContiguousData::operator[] const): Deleted.
1103         (JSC::ContiguousData::operator[]): Deleted.
1104         (JSC::Butterfly::publicLength): Deleted.
1105         (JSC::Butterfly::vectorLength): Deleted.
1106         * runtime/ButterflyInlines.h:
1107         (JSC::ContiguousData<T>::at const):
1108         (JSC::ContiguousData<T>::at):
1109         * runtime/ClonedArguments.cpp:
1110         (JSC::ClonedArguments::createEmpty):
1111         * runtime/JSArray.cpp:
1112         (JSC::JSArray::tryCreateUninitializedRestricted):
1113         (JSC::JSArray::appendMemcpy):
1114         (JSC::JSArray::setLength):
1115         (JSC::JSArray::pop):
1116         (JSC::JSArray::fastSlice):
1117         (JSC::JSArray::shiftCountWithArrayStorage):
1118         (JSC::JSArray::shiftCountWithAnyIndexingType):
1119         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1120         (JSC::JSArray::fillArgList):
1121         (JSC::JSArray::copyToArguments):
1122         * runtime/JSArrayBufferView.cpp:
1123         (JSC::JSArrayBufferView::JSArrayBufferView):
1124         * runtime/JSArrayInlines.h:
1125         (JSC::JSArray::pushInline):
1126         * runtime/JSFixedArray.h:
1127         (JSC::JSFixedArray::createFromArray):
1128         * runtime/JSGenericTypedArrayViewInlines.h:
1129         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1130         * runtime/JSObject.cpp:
1131         (JSC::JSObject::getOwnPropertySlotByIndex):
1132         (JSC::JSObject::putByIndex):
1133         (JSC::JSObject::createInitialInt32):
1134         (JSC::JSObject::createInitialDouble):
1135         (JSC::JSObject::createInitialContiguous):
1136         (JSC::JSObject::convertUndecidedToInt32):
1137         (JSC::JSObject::convertUndecidedToDouble):
1138         (JSC::JSObject::convertUndecidedToContiguous):
1139         (JSC::JSObject::convertInt32ToDouble):
1140         (JSC::JSObject::convertInt32ToArrayStorage):
1141         (JSC::JSObject::convertDoubleToContiguous):
1142         (JSC::JSObject::convertDoubleToArrayStorage):
1143         (JSC::JSObject::convertContiguousToArrayStorage):
1144         (JSC::JSObject::createInitialForValueAndSet):
1145         (JSC::JSObject::deletePropertyByIndex):
1146         (JSC::JSObject::getOwnPropertyNames):
1147         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1148         (JSC::JSObject::countElements):
1149         (JSC::JSObject::ensureLengthSlow):
1150         (JSC::JSObject::reallocateAndShrinkButterfly):
1151         (JSC::JSObject::getEnumerableLength):
1152         * runtime/JSObject.h:
1153         (JSC::JSObject::canGetIndexQuickly):
1154         (JSC::JSObject::getIndexQuickly):
1155         (JSC::JSObject::tryGetIndexQuickly const):
1156         (JSC::JSObject::setIndexQuickly):
1157         (JSC::JSObject::initializeIndex):
1158         (JSC::JSObject::initializeIndexWithoutBarrier):
1159         (JSC::JSObject::butterflyIndexingMaskOffset):
1160         (JSC::JSObject::butterflyIndexingMask const):
1161         (JSC::JSObject::setButterflyWithIndexingMask):
1162         (JSC::JSObject::setButterfly):
1163         (JSC::JSObject::nukeStructureAndSetButterfly):
1164         (JSC::JSObject::JSObject):
1165         * runtime/RegExpMatchesArray.h:
1166         (JSC::tryCreateUninitializedRegExpMatchesArray):
1167         * runtime/Structure.cpp:
1168         (JSC::Structure::flattenDictionaryStructure):
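
The indexing mask this entry describes, as an added illustration rather than JSC's own code: Butterfly and Object below are constructed stand-ins, and the mask formula (smallest 2^k - 1 that covers vectorLength) is an assumption about what computeIndexingMaskForVectorLength computes. It shows that a header length corrupted to 0xFFFFFFFF still cannot move a masked load outside the power-of-two region around the real vector, because the mask lives in the object cell rather than in the butterfly.

```cpp
// Added illustration (not JSC code): a simplified JSObject/butterfly layout showing
// why masking the index with a value stored on the object bounds fast-path loads
// even when the butterfly's length fields have been overwritten.
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed formula: the smallest all-ones mask covering every valid slot index in
// [0, vectorLength). Then (index & mask) < 2 * vectorLength for any index, so a
// masked load can never reach far past the real vector.
uint32_t computeIndexingMaskForVectorLength(uint32_t vectorLength)
{
    uint32_t mask = 0;
    while (mask < vectorLength)
        mask = (mask << 1) | 1;   // saturates at 0xFFFFFFFF, no overflow
    return mask;
}

// Constructed stand-in for the butterfly: its header sits in memory that an
// out-of-bounds write could reach, so its fields are not trustworthy.
struct Butterfly {
    uint32_t publicLength;
    uint32_t vectorLength;
    std::vector<int64_t> slots;   // sized to mask + 1 so every masked slot is real memory
};

// Constructed stand-in for JSObject: the mask is kept here, in the cell, not in the
// butterfly, so clobbering the butterfly header does not change it.
struct Object {
    Butterfly butterfly;
    uint32_t indexingMask;
};

Object makeObject(uint32_t vectorLength)
{
    Object o;
    o.indexingMask = computeIndexingMaskForVectorLength(vectorLength);
    o.butterfly.publicLength = vectorLength;
    o.butterfly.vectorLength = vectorLength;
    o.butterfly.slots.assign(static_cast<size_t>(o.indexingMask) + 1, int64_t(0));
    for (uint32_t i = 0; i < vectorLength; ++i)
        o.butterfly.slots[i] = 100 + i;   // constructed contents: slot i holds 100 + i
    return o;
}

// Fast-path load as the entry describes it: bounds check against the (possibly
// clobbered) header, then the index is masked before it touches memory.
// Returns the slot actually read, or -1 when the fast path is not taken.
int64_t fastSlotFor(const Object& o, uint32_t index)
{
    if (index >= o.butterfly.vectorLength)
        return -1;   // the real engine falls back to the slow path here
    return static_cast<int64_t>(index & o.indexingMask);
}

// Value produced by the fast path; 0 stands in for the slow-path result.
int64_t getIndexQuickly(const Object& o, uint32_t index)
{
    int64_t slot = fastSlotFor(o, index);
    return slot < 0 ? 0 : o.butterfly.slots[static_cast<size_t>(slot)];
}

int main()
{
    Object o = makeObject(8);
    std::printf("mask for 8 slots = 0x%x\n", o.indexingMask);
    std::printf("index 1000 with intact header: slot %lld\n", (long long)fastSlotFor(o, 1000));
    o.butterfly.vectorLength = 0xFFFFFFFFu;   // simulated header corruption
    std::printf("index 1000 with clobbered header: slot %lld (bounded by the mask)\n",
                (long long)fastSlotFor(o, 1000));
    return 0;
}
```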
1169
1170 2017-12-14  David Kilzer  <ddkilzer@apple.com>
1171
1172         REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project
1173
1174         Fixes the following warning during builds:
1175
1176             Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h
1177
1178         * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate
1179         entries for JSCPoisonedPtr.h.
1180
1181 2017-12-14  David Kilzer  <ddkilzer@apple.com>
1182
1183         REGRESSION (r225887): Build broke due to missing includes in InferredValue.h
1184         <https://bugs.webkit.org/show_bug.cgi?id=180738>
1185
1186         * runtime/InferredValue.h: Attempt to fix build by adding
1187         missing #include statements.
1188
1189 2017-12-13  Filip Pizlo  <fpizlo@apple.com>
1190
1191         Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement
1192         https://bugs.webkit.org/show_bug.cgi?id=180783
1193
1194         Reviewed by Saam Barati.
1195         
1196         This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case:
1197         
1198             BB#1:
1199                 a: Load(@x)
1200                 b: Load(@x)
1201                 c: Load(@b)
1202             BB#2:
1203                 d: Load(@b)
1204             BB#3:
1205                 e: Load(@b)
1206         
1207         Let's assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant
1208         with both @c and @e. The problem is that by the time we get to @d, the CSE state will look like
1209         this:
1210
1211             BB#1:
1212                 a: Load(@x)
1213                 b: Load(@x)
1214                 c: Load(@a)
1215                 memoryAtTail: {@x=>@a, @a=>@c}
1216             BB#2:
1217                 d: Load(@a) [sic]
1218                 memoryAtTail: {@b=>@d}
1219             BB#3:
1220                 e: Load(@b)
1221                 memoryAtTail: {@b=>@e} [sic]
1222         
1223         Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a.
1224         But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail
1225         map, we don't find it and leave the redundancy.
1226         
1227         I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford
1228         this. It fixes the richards regression, since richards is super dependent on B3 CSE.
1229
1230         * b3/B3EliminateCommonSubexpressions.cpp: Logging.
1231         * b3/B3Generate.cpp:
1232         (JSC::B3::generateToAir): Fix the bug.
1233         * b3/air/AirReportUsedRegisters.cpp:
1234         (JSC::B3::Air::reportUsedRegisters): Logging.
1235         * dfg/DFGByteCodeParser.cpp:
1236         * dfg/DFGSSAConversionPhase.cpp:
1237         (JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
1238         * ftl/FTLLowerDFGToB3.cpp:
1239         (JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
1240
1241 2017-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1242
1243         REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources
1244         https://bugs.webkit.org/show_bug.cgi?id=180787
1245         <rdar://problem/35934838>
1246
1247         Reviewed by Brian Burg.
1248
1249         * inspector/ContentSearchUtilities.cpp:
1250         (Inspector::ContentSearchUtilities::findMagicComment):
1251         For empty / null strings just return. There is no use
1252         trying to search them for a long common syntax.
1253
1254 2017-12-13  Saam Barati  <sbarati@apple.com>
1255
1256         Arrow functions need their own structure because they have different properties than sloppy functions
1257         https://bugs.webkit.org/show_bug.cgi?id=180779
1258         <rdar://problem/35814591>
1259
1260         Reviewed by Mark Lam.
1261
1262         We were using the same structure for sloppy functions and
1263         arrow functions. This broke our IC caching machinery because
1264         these two types of functions actually have different properties.
1265         This patch gives them different structures.
1266
1267         * dfg/DFGAbstractInterpreterInlines.h:
1268         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1269         * dfg/DFGSpeculativeJIT.cpp:
1270         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1271         * ftl/FTLLowerDFGToB3.cpp:
1272         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1273         * runtime/FunctionConstructor.cpp:
1274         (JSC::constructFunctionSkippingEvalEnabledCheck):
1275         * runtime/JSFunction.cpp:
1276         (JSC::JSFunction::selectStructureForNewFuncExp):
1277         (JSC::JSFunction::create):
1278         * runtime/JSFunction.h:
1279         * runtime/JSFunctionInlines.h:
1280         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1281         * runtime/JSGlobalObject.cpp:
1282         (JSC::JSGlobalObject::init):
1283         (JSC::JSGlobalObject::visitChildren):
1284         * runtime/JSGlobalObject.h:
1285         (JSC::JSGlobalObject::arrowFunctionStructure const):
1286
1287 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
1288
1289         InferredValue should use IsoSubspace
1290         https://bugs.webkit.org/show_bug.cgi?id=180738
1291
1292         Reviewed by Keith Miller.
1293         
1294         This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of
1295         its UnconditionalFinalizer.
1296
1297         * JavaScriptCore.xcodeproj/project.pbxproj:
1298         * heap/Heap.cpp:
1299         (JSC::Heap::finalizeUnconditionalFinalizers):
1300         * runtime/InferredValue.cpp:
1301         (JSC::InferredValue::visitChildren):
1302         (JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted.
1303         (JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted.
1304         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted.
1305         * runtime/InferredValue.h:
1306         (JSC::InferredValue::subspaceFor):
1307         * runtime/InferredValueInlines.h: Added.
1308         (JSC::InferredValue::finalizeUnconditionally):
1309         * runtime/VM.cpp:
1310         (JSC::VM::VM):
1311         * runtime/VM.h:
1312
1313 2017-12-13  Devin Rousso  <webkit@devinrousso.com>
1314
1315         Web Inspector: add instrumentation for ImageBitmapRenderingContext
1316         https://bugs.webkit.org/show_bug.cgi?id=180736
1317
1318         Reviewed by Joseph Pecoraro.
1319
1320         * inspector/protocol/Canvas.json:
1321         * inspector/scripts/codegen/generator.py:
1322
1323 2017-12-13  Saam Barati  <sbarati@apple.com>
1324
1325         Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards
1326         https://bugs.webkit.org/show_bug.cgi?id=180771
1327
1328         Reviewed by JF Bastien.
1329
1330         * dfg/DFGTypeCheckHoistingPhase.cpp:
1331         (JSC::DFG::TypeCheckHoistingPhase::run):
1332
1333 2017-12-13  Saam Barati  <sbarati@apple.com>
1334
1335         REGRESSION(r225844): Around 850 new JSC failures on 32-bit
1336         https://bugs.webkit.org/show_bug.cgi?id=180764
1337
1338         Unreviewed. We should only emit CheckStructureOrEmpty on 64 bit platforms.
1339
1340         * dfg/DFGTypeCheckHoistingPhase.cpp:
1341         (JSC::DFG::TypeCheckHoistingPhase::run):
1342
1343 2017-12-13  Michael Saboff  <msaboff@apple.com>
1344
1345         Unreviewed rollout of r225695. Caused a crash on yahoo login page.
1346
1347         That bug is tracked in https://bugs.webkit.org/show_bug.cgi?id=180761.
1348
1349         * runtime/RegExp.cpp:
1350         (JSC::RegExp::compile):
1351         (JSC::RegExp::compileMatchOnly):
1352         (JSC::byteCodeCompilePattern): Deleted.
1353         (JSC::RegExp::byteCodeCompileIfNecessary): Deleted.
1354         * runtime/RegExp.h:
1355         * runtime/RegExpInlines.h:
1356         (JSC::RegExp::matchInline):
1357         * testRegExp.cpp:
1358         (parseRegExpLine):
1359         (runFromFiles):
1360         * yarr/Yarr.h:
1361         * yarr/YarrInterpreter.cpp:
1362         (JSC::Yarr::ByteCompiler::compile):
1363         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1364         (JSC::Yarr::ByteCompiler::emitDisjunction):
1365         * yarr/YarrJIT.cpp:
1366         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1367         (JSC::Yarr::YarrGenerator::generate):
1368         (JSC::Yarr::YarrGenerator::backtrack):
1369         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1370         (JSC::Yarr::YarrGenerator::generateEnter):
1371         (JSC::Yarr::YarrGenerator::generateReturn):
1372         (JSC::Yarr::YarrGenerator::YarrGenerator):
1373         (JSC::Yarr::YarrGenerator::compile):
1374         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted.
1375         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted.
1376         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted.
1377         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
1378         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
1379         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
1380         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
1381         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
1382         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
1383         (JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
1384         (JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
1385         (JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
1386         (JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
1387         (JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
1388         (JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
1389         (JSC::Yarr::YarrGenerator::clearMatches): Deleted.
1390         * yarr/YarrJIT.h:
1391         (JSC::Yarr::YarrCodeBlock::execute):
1392         * yarr/YarrPattern.cpp:
1393         (JSC::Yarr::indentForNestingLevel):
1394         (JSC::Yarr::dumpUChar32):
1395         (JSC::Yarr::PatternTerm::dump):
1396         (JSC::Yarr::YarrPattern::dumpPattern):
1397         (JSC::Yarr::dumpCharacterClass): Deleted.
1398         * yarr/YarrPattern.h:
1399         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
1400         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
1401         (JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
1402         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
1403         (JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
1404         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
1405         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
1406         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.
1407
1408 2017-12-13  Mark Lam  <mark.lam@apple.com>
1409
1410         Fill out some Poisoned APIs, fix some bugs, and add some tests.
1411         https://bugs.webkit.org/show_bug.cgi?id=180724
1412         <rdar://problem/36006884>
1413
1414         Reviewed by JF Bastien.
1415
1416         * runtime/StructureTransitionTable.h:
1417
1418 2017-12-13  Caio Lima  <ticaiolima@gmail.com>
1419
1420         [ESNext][BigInt] Breaking tests on Debug build and 32-bits due to missing Exception check
1421         https://bugs.webkit.org/show_bug.cgi?id=180746
1422
1423         Reviewed by Saam Barati.
1424
1425         We have some uncaught exceptions that could happen due to OOM in
1426         JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patch is
1427         catching such exceptions properly.
1428
1429         * runtime/JSBigInt.cpp:
1430         (JSC::JSBigInt::allocateFor):
1431         (JSC::JSBigInt::parseInt):
1432         * runtime/JSCJSValue.cpp:
1433         (JSC::JSValue::toStringSlowCase const):
1434
1435 2017-12-13  Saam Barati  <sbarati@apple.com>
1436
1437         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1438         https://bugs.webkit.org/show_bug.cgi?id=163579
1439         <rdar://problem/35455798>
1440
1441         Reviewed by Mark Lam.
1442
1443         Some functions in JavaScript do not have the "caller" and "arguments" properties.
1444         For example, strict functions do not. When reading our code that dealt with these
1445         types of functions, it was simply all wrong. We were doing weird things depending
1446         on the method table hook. This patch fixes this by doing what we should've been
1447         doing all along: when the JSFunction does not own the "caller"/"arguments" property,
1448         it should defer to its base class implementation for the various method table hooks.
1449
1450         * runtime/JSFunction.cpp:
1451         (JSC::JSFunction::put):
1452         (JSC::JSFunction::deleteProperty):
1453         (JSC::JSFunction::defineOwnProperty):
1454
1455 2017-12-13  Saam Barati  <sbarati@apple.com>
1456
1457         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1458         https://bugs.webkit.org/show_bug.cgi?id=180734
1459         <rdar://problem/35640547>
1460
1461         Reviewed by Yusuke Suzuki.
1462
1463         The |this| value may be TDZ. If type check hoisting phase
1464         hoists a CheckStructure to it, it will crash. This patch
1465         makes it so we emit CheckStructureOrEmpty for |this|.
1466
1467         * dfg/DFGTypeCheckHoistingPhase.cpp:
1468         (JSC::DFG::TypeCheckHoistingPhase::run):
1469
1470 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1471
1472         [JSC] Optimize Object.assign by single transition acceleration
1473         https://bugs.webkit.org/show_bug.cgi?id=180644
1474
1475         Reviewed by Saam Barati.
1476
1477         Handling single transition is critical. Since this get() function is only used
1478         in Structure.cpp's 2 functions and it is quite small, we can annotate `inline`
1479         to accelerate it.
1480
1481         This improves SixSpeed/object-assign.es6 by 2.8%.
1482
1483                                     baseline                  patched
1484
1485         object-assign.es6      382.3548+-8.0461          371.6496+-5.7439          might be 1.0288x faster
1486
1487         * runtime/Structure.cpp:
1488         (JSC::StructureTransitionTable::get const):
1489
1490 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
1491
1492         Structure, StructureRareData, and PropertyTable should be in IsoSubspaces
1493         https://bugs.webkit.org/show_bug.cgi?id=180732
1494
1495         Rubber stamped by Mark Lam.
1496         
1497         We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are
1498         scalable enough to support that, so we should do it carefully.
1499
1500         * heap/MarkedSpace.cpp:
1501         * runtime/PropertyMapHashTable.h:
1502         * runtime/Structure.h:
1503         * runtime/StructureRareData.h:
1504         * runtime/VM.cpp:
1505         (JSC::VM::VM):
1506         * runtime/VM.h:
1507
1508 2017-12-12  Saam Barati  <sbarati@apple.com>
1509
1510         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1511         https://bugs.webkit.org/show_bug.cgi?id=180725
1512         <rdar://problem/35970511>
1513
1514         Reviewed by Michael Saboff.
1515
1516         * dfg/DFGClobberize.h:
1517         (JSC::DFG::clobberize):
1518         * dfg/DFGPreciseLocalClobberize.h:
1519         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1520
1521 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1522
1523         [JSC] Implement optimized WeakMap and WeakSet
1524         https://bugs.webkit.org/show_bug.cgi?id=179929
1525
1526         Reviewed by Saam Barati.
1527
1528         This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
1529         This is similar to HashMapImpl. But,
1530
1531         1. WeakMapImpl's bucket is not allocated in the GC heap since WeakMap
1532         does not need to have iterators.
1533
1534         2. WeakMapImpl's buffer is allocated in the JSValue Gigacage instead
1535         of the auxiliary buffer. This is because we would like to allocate the buffer
1536         when finalizing GC. At that time, WeakMapImpl prunes dead entries and
1537         shrinks it if necessary. However, allocating from the GC heap during
1538         finalization is not allowed.
1539
1540         In particular, (2) is important since it ensures any WeakMap operations
1541         do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
1542         and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
1543         do not cause GC makes our implementation simple. To ensure this, we place
1544         DisallowGC for each WeakMap's interface.
1545
1546         In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
1547         WeakMapGet looks up an entry in WeakMapImpl and returns its value. If it is
1548         a WeakMap, it returns the value, and it returns the key if it is a WeakSet. If it
1549         does not find a corresponding entry, it returns JSEmpty.
1550         ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.
1551
1552         This patch improves WeakMap and WeakSet operations.
1553
1554                                      baseline                  patched
1555
1556             weak-set-key        240.6932+-10.4923    ^    148.7606+-6.1784        ^ definitely 1.6180x faster
1557             weak-map-key        174.3176+-8.2680     ^    151.7053+-6.8723        ^ definitely 1.1491x faster
1558
1559         * JavaScriptCore.xcodeproj/project.pbxproj:
1560         * Sources.txt:
1561         * dfg/DFGAbstractHeap.h:
1562         * dfg/DFGAbstractInterpreterInlines.h:
1563         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1564         * dfg/DFGByteCodeParser.cpp:
1565         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1566         * dfg/DFGClobberize.h:
1567         (JSC::DFG::clobberize):
1568         * dfg/DFGDoesGC.cpp:
1569         (JSC::DFG::doesGC):
1570         * dfg/DFGFixupPhase.cpp:
1571         (JSC::DFG::FixupPhase::fixupNode):
1572         * dfg/DFGNode.h:
1573         (JSC::DFG::Node::hasHeapPrediction):
1574         * dfg/DFGNodeType.h:
1575         * dfg/DFGOperations.cpp:
1576         * dfg/DFGOperations.h:
1577         * dfg/DFGPredictionPropagationPhase.cpp:
1578         * dfg/DFGSafeToExecute.h:
1579         (JSC::DFG::safeToExecute):
1580         * dfg/DFGSpeculativeJIT.cpp:
1581         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
1582         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1583         * dfg/DFGSpeculativeJIT.h:
1584         * dfg/DFGSpeculativeJIT32_64.cpp:
1585         (JSC::DFG::SpeculativeJIT::compile):
1586         * dfg/DFGSpeculativeJIT64.cpp:
1587         (JSC::DFG::SpeculativeJIT::compile):
1588         * ftl/FTLAbstractHeapRepository.h:
1589         * ftl/FTLCapabilities.cpp:
1590         (JSC::FTL::canCompile):
1591         * ftl/FTLLowerDFGToB3.cpp:
1592         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1593         (JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
1594         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1595         * inspector/JSInjectedScriptHost.cpp:
1596         (Inspector::JSInjectedScriptHost::weakMapEntries):
1597         (Inspector::JSInjectedScriptHost::weakSetEntries):
1598         The existing code is incorrect. It can run GC and break WeakMap's iterator.
1599         We introduce takeSnapshot function to WeakMapImpl, which retrieves live
1600         entries without causing any GC.
1601
1602         * runtime/HashMapImpl.h:
1603         (JSC::shouldShrink):
1604         (JSC::shouldRehashAfterAdd):
1605         (JSC::nextCapacity):
1606         (JSC::HashMapImpl::shouldRehashAfterAdd const):
1607         (JSC::HashMapImpl::shouldShrink const):
1608         (JSC::HashMapImpl::rehash):
1609         (JSC::WeakMapHash::hash): Deleted.
1610         (JSC::WeakMapHash::equal): Deleted.
1611         * runtime/Intrinsic.cpp:
1612         (JSC::intrinsicName):
1613         * runtime/Intrinsic.h:
1614         * runtime/JSWeakMap.cpp:
1615         * runtime/JSWeakMap.h:
1616         * runtime/JSWeakSet.cpp:
1617         * runtime/JSWeakSet.h:
1618         * runtime/VM.cpp:
1619         * runtime/WeakGCMap.h:
1620         (JSC::WeakGCMap::forEach): Deleted.
1621         * runtime/WeakMapBase.cpp: Removed.
1622         * runtime/WeakMapBase.h: Removed.
1623         * runtime/WeakMapConstructor.cpp:
1624         (JSC::constructWeakMap):
1625         * runtime/WeakMapImpl.cpp: Added.
1626         (JSC::WeakMapImpl<WeakMapBucket>::destroy):
1627         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
1628         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
1629         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
1630         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
1631         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
1632         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
1633         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
1634         * runtime/WeakMapImpl.h: Added.
1635         (JSC::jsWeakMapHash):
1636         (JSC::nextCapacityAfterRemoveBatching):
1637         (JSC::WeakMapBucket::setKey):
1638         (JSC::WeakMapBucket::setValue):
1639         (JSC::WeakMapBucket::key const):
1640         (JSC::WeakMapBucket::value const):
1641         (JSC::WeakMapBucket::copyFrom):
1642         (JSC::WeakMapBucket::offsetOfKey):
1643         (JSC::WeakMapBucket::offsetOfValue):
1644         (JSC::WeakMapBucket::extractValue):
1645         (JSC::WeakMapBucket::isEmpty):
1646         (JSC::WeakMapBucket::deletedKey):
1647         (JSC::WeakMapBucket::isDeleted):
1648         (JSC::WeakMapBucket::makeDeleted):
1649         (JSC::WeakMapBucket::visitAggregate):
1650         (JSC::WeakMapBucket::clearValue):
1651         (JSC::WeakMapBuffer::allocationSize):
1652         (JSC::WeakMapBuffer::buffer const):
1653         (JSC::WeakMapBuffer::create):
1654         (JSC::WeakMapBuffer::reset):
1655         (JSC::WeakMapImpl::WeakMapImpl):
1656         (JSC::WeakMapImpl::finishCreation):
1657         (JSC::WeakMapImpl::get):
1658         (JSC::WeakMapImpl::has):
1659         (JSC::WeakMapImpl::add):
1660         (JSC::WeakMapImpl::remove):
1661         (JSC::WeakMapImpl::size const):
1662         (JSC::WeakMapImpl::offsetOfBuffer):
1663         (JSC::WeakMapImpl::offsetOfCapacity):
1664         (JSC::WeakMapImpl::findBucket):
1665         (JSC::WeakMapImpl::buffer const):
1666         (JSC::WeakMapImpl::forEach):
1667         (JSC::WeakMapImpl::shouldRehashAfterAdd const):
1668         (JSC::WeakMapImpl::shouldShrink const):
1669         (JSC::WeakMapImpl::canUseBucket):
1670         (JSC::WeakMapImpl::addInternal):
1671         (JSC::WeakMapImpl::findBucketAlreadyHashed):
1672         (JSC::WeakMapImpl::rehash):
1673         (JSC::WeakMapImpl::checkConsistency const):
1674         (JSC::WeakMapImpl::makeAndSetNewBuffer):
1675         (JSC::WeakMapImpl::assertBufferIsEmpty const):
1676         (JSC::WeakMapImpl::DeadKeyCleaner::target):
1677         * runtime/WeakMapPrototype.cpp:
1678         (JSC::WeakMapPrototype::finishCreation):
1679         (JSC::protoFuncWeakMapGet):
1680         (JSC::protoFuncWeakMapHas):
1681         * runtime/WeakSetConstructor.cpp:
1682         (JSC::constructWeakSet):
1683         * runtime/WeakSetPrototype.cpp:
1684         (JSC::WeakSetPrototype::finishCreation):
1685         (JSC::protoFuncWeakSetHas):
1686         (JSC::protoFuncWeakSetAdd):
1687
1688 2017-12-11  Filip Pizlo  <fpizlo@apple.com>
1689
1690         It should be possible to flag a cell for unconditional finalization
1691         https://bugs.webkit.org/show_bug.cgi?id=180636
1692
1693         Reviewed by Saam Barati.
1694         
1695         UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
1696         global linked list - but they had some nice properties:
1697         
1698         - You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
1699           survived and needed it.
1700             -> Just needing it wasn't enough.
1701             -> Just surviving wasn't enough.
1702         
1703         The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
1704         finalizer logic to be invoked. I think that's not great. InferredType got around this by
1705         making InferredStructure a cell, but this was a gross hack. For one, it meant that
1706         InferredStructure would survive during the GC in which its finalizer obviated the need for its
1707         existence. It's not really an idiom I want us to repeat because it sounds like the sort of
1708         thing that turns out to be subtly broken.
1709         
1710         We really need to have a way of indicating when you have entered into the state that requires
1711         your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
1712         objects that need unconditional finalizers. Only the subset of that set that overlaps with the
1713         set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
1714         bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
1715         another level to say which atoms within a MarkedBlock have unconditional finalizers.
1716         
1717         This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
1718         IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
1719         auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
1720         add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
1721         you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
1722         about 0.8% increase in size to every object in the subspace that the set is attached to. So,
1723         it makes sense to have a handful per subspace max. This change only needs one per subspace,
1724         but you could imagine more if we do this for WeakReferenceHarvester.
1725         
1726         To absolutely minimize the possibility that this incurs costs, the add/remove/contains
1727         functions can be used from any thread so long as forEachMarkedCell isn't running. This means
1728         that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
1729         both survive and need it for the hardest work to take place. The work of adding does involve
1730         a gnarly load chain that ends in a CAS: load block handle from block, load index, load
1731         segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
1732         However, it's perfect for running in parallel since the only write operations are to widely
1733         dispersed cache lines that contain the bits underlying the set.
1734         
1735         The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
1736         that need unconditional finalizers, and only touches the memory of marked objects that have
1737         the unconditional finalizer bit set. It will walk those objects in roughly address order. I
1738         previously found that this speeds up walking over a lot of objects when I made similar changes
1739         for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a
1740         HashSet).
1741         
1742         This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.
1743         
1744         My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
1745         forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
1746         IsoSubspace in more places.
1747
1748         * JavaScriptCore.xcodeproj/project.pbxproj:
1749         * Sources.txt:
1750         * heap/AtomIndices.h: Added.
1751         (JSC::AtomIndices::AtomIndices):
1752         * heap/Heap.cpp:
1753         (JSC::Heap::finalizeUnconditionalFinalizers):
1754         * heap/Heap.h:
1755         * heap/IsoCellSet.cpp: Added.
1756         (JSC::IsoCellSet::IsoCellSet):
1757         (JSC::IsoCellSet::~IsoCellSet):
1758         (JSC::IsoCellSet::addSlow):
1759         (JSC::IsoCellSet::didResizeBits):
1760         (JSC::IsoCellSet::didRemoveBlock):
1761         (JSC::IsoCellSet::sweepToFreeList):
1762         * heap/IsoCellSet.h: Added.
1763         * heap/IsoCellSetInlines.h: Added.
1764         (JSC::IsoCellSet::add):
1765         (JSC::IsoCellSet::remove):
1766         (JSC::IsoCellSet::contains const):
1767         (JSC::IsoCellSet::forEachMarkedCell):
1768         * heap/IsoSubspace.cpp:
1769         (JSC::IsoSubspace::didResizeBits):
1770         (JSC::IsoSubspace::didRemoveBlock):
1771         (JSC::IsoSubspace::didBeginSweepingToFreeList):
1772         * heap/IsoSubspace.h:
1773         * heap/MarkedAllocator.cpp:
1774         (JSC::MarkedAllocator::addBlock):
1775         (JSC::MarkedAllocator::removeBlock):
1776         * heap/MarkedAllocator.h:
1777         * heap/MarkedAllocatorInlines.h:
1778         * heap/MarkedBlock.cpp:
1779         (JSC::MarkedBlock::Handle::sweep):
1780         (JSC::MarkedBlock::Handle::isEmpty): Deleted.
1781         * heap/MarkedBlock.h:
1782         (JSC::MarkedBlock::marks const):
1783         (JSC::MarkedBlock::Handle::newlyAllocated const):
1784         * heap/MarkedBlockInlines.h:
1785         (JSC::MarkedBlock::Handle::isAllocated):
1786         (JSC::MarkedBlock::Handle::isEmpty):
1787         (JSC::MarkedBlock::Handle::emptyMode):
1788         (JSC::MarkedBlock::Handle::forEachMarkedCell):
1789         * heap/Subspace.cpp:
1790         (JSC::Subspace::didResizeBits):
1791         (JSC::Subspace::didRemoveBlock):
1792         (JSC::Subspace::didBeginSweepingToFreeList):
1793         * heap/Subspace.h:
1794         * heap/SubspaceInlines.h:
1795         (JSC::Subspace::forEachMarkedCell):
1796         * runtime/InferredStructure.cpp:
1797         (JSC::InferredStructure::InferredStructure):
1798         (JSC::InferredStructure::create): Deleted.
1799         (JSC::InferredStructure::destroy): Deleted.
1800         (JSC::InferredStructure::createStructure): Deleted.
1801         (JSC::InferredStructure::visitChildren): Deleted.
1802         (JSC::InferredStructure::finalizeUnconditionally): Deleted.
1803         (JSC::InferredStructure::finishCreation): Deleted.
1804         * runtime/InferredStructure.h:
1805         * runtime/InferredStructureWatchpoint.cpp:
1806         (JSC::InferredStructureWatchpoint::fireInternal):
1807         * runtime/InferredType.cpp:
1808         (JSC::InferredType::visitChildren):
1809         (JSC::InferredType::willStoreValueSlow):
1810         (JSC::InferredType::makeTopSlow):
1811         (JSC::InferredType::set):
1812         (JSC::InferredType::removeStructure):
1813         (JSC::InferredType::finalizeUnconditionally):
1814         * runtime/InferredType.h:
1815         * runtime/VM.cpp:
1816         (JSC::VM::VM):
1817         * runtime/VM.h:
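
        Added example (not JavaScriptCore's IsoCellSet, and not part of this
        entry): a single-threaded two-level bit set over cells addressed as
        (block, atom), in the shape the description above gives. Level 1 records
        which blocks hold any member; level 2 holds one bit per atom of a block;
        forEachMarked() skips blocks whose level-1 bit is clear and visits only
        members whose GC mark bit is also set, lowest address first. The 64-atom
        block size, the class and function names, the std::vector-based mark
        bits and the constructed scenario are this example's assumptions; the
        real set is concurrent (CAS on the bits) and tied to a MarkedAllocator,
        which this omits.

```cpp
// Added example, not JavaScriptCore code: a two-level bit set for cells
// addressed as (block, atom). Level 1 = one bit per block ("has members"),
// level 2 = one bit per atom within the block. Assumptions: 64 atoms per
// block, single-threaded use, mark bits supplied as one uint64_t per block.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

class TwoLevelCellSet {
public:
    static constexpr size_t atomsPerBlock = 64; // one uint64_t of level-2 bits per block

    explicit TwoLevelCellSet(size_t blockCount)
        : m_blockHasMembers(blockCount, false)
        , m_atomBits(blockCount, 0)
    {
    }

    // Returns true if the cell was newly added. Setting the level-1 bit is the
    // slow path, taken at most once per block until the block empties out.
    bool add(size_t block, size_t atom)
    {
        uint64_t bit = mask(atom);
        if (m_atomBits.at(block) & bit)
            return false;
        m_atomBits[block] |= bit;
        m_blockHasMembers[block] = true;
        return true;
    }

    // Returns true if the cell was a member. Clears the level-1 bit when the
    // block's last member goes away so forEachMarked() can skip it again.
    bool remove(size_t block, size_t atom)
    {
        uint64_t bit = mask(atom);
        if (!(m_atomBits.at(block) & bit))
            return false;
        m_atomBits[block] &= ~bit;
        if (!m_atomBits[block])
            m_blockHasMembers[block] = false;
        return true;
    }

    bool contains(size_t block, size_t atom) const { return m_atomBits.at(block) & mask(atom); }

    // marks[block] is that block's mark bitvector in the same 64-atom layout.
    // Only cells that are both members and marked are visited; returns the count.
    size_t forEachMarked(const std::vector<uint64_t>& marks,
        const std::function<void(size_t, size_t)>& visit) const
    {
        assert(marks.size() == m_atomBits.size());
        size_t visited = 0;
        for (size_t block = 0; block < m_atomBits.size(); ++block) {
            if (!m_blockHasMembers[block])
                continue; // level 1: nothing in this block needs finalizing
            uint64_t live = m_atomBits[block] & marks[block]; // members that survived
            while (live) {
                size_t atom = static_cast<size_t>(__builtin_ctzll(live)); // lowest address first
                visit(block, atom);
                ++visited;
                live &= live - 1; // clear the bit just visited
            }
        }
        return visited;
    }

private:
    static uint64_t mask(size_t atom)
    {
        assert(atom < atomsPerBlock);
        return uint64_t(1) << atom;
    }

    std::vector<bool> m_blockHasMembers; // level 1: one bit per block
    std::vector<uint64_t> m_atomBits; // level 2: one bit per atom
};

// Constructed scenario: cells (0,3), (0,10) and (2,63) register for
// finalization; the GC then marks (0,3), (2,63) and an unrelated (1,5).
// Only the two marked members are visited; block 1 is skipped at level 1.
std::vector<std::pair<size_t, size_t>> demoVisitedCells()
{
    TwoLevelCellSet needsFinalizer(3);
    needsFinalizer.add(0, 3);
    needsFinalizer.add(0, 10);
    needsFinalizer.add(2, 63);
    std::vector<uint64_t> marks = { uint64_t(1) << 3, uint64_t(1) << 5, uint64_t(1) << 63 };
    std::vector<std::pair<size_t, size_t>> visited;
    needsFinalizer.forEachMarked(marks, [&](size_t block, size_t atom) {
        visited.emplace_back(block, atom);
    });
    return visited;
}

int main()
{
    for (const auto& cell : demoVisitedCells())
        std::printf("finalize cell (block %zu, atom %zu)\n", cell.first, cell.second);
    return 0;
}
```

        The point to take from the walk in forEachMarked() is that the cost is
        proportional to blocks that actually have members plus marked members
        within them, never to the whole heap.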
1818
1819 2017-12-12  Saam Barati  <sbarati@apple.com>
1820
1821         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1822         https://bugs.webkit.org/show_bug.cgi?id=180723
1823         <rdar://problem/35859726>
1824
1825         Reviewed by JF Bastien.
1826
1827         * dfg/DFGConstantFoldingPhase.cpp:
1828         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1829
1830 2017-12-04  Brian Burg  <bburg@apple.com>
1831
1832         Web Inspector: modernize InjectedScript a bit
1833         https://bugs.webkit.org/show_bug.cgi?id=180367
1834
1835         Reviewed by Timothy Hatcher.
1836
1837         Stop using out parameters passed by pointer, use references instead.
1838         Stop using OptOutput<T> in favor of std::optional where possible.
1839         If there is only one out-parameter and a void return type, then return the value.
1840
1841         * inspector/InjectedScript.h:
1842         * inspector/InjectedScript.cpp:
1843         (Inspector::InjectedScript::evaluate):
1844         (Inspector::InjectedScript::callFunctionOn):
1845         (Inspector::InjectedScript::evaluateOnCallFrame):
1846         (Inspector::InjectedScript::getFunctionDetails):
1847         (Inspector::InjectedScript::functionDetails):
1848         (Inspector::InjectedScript::getPreview):
1849         (Inspector::InjectedScript::getProperties):
1850         (Inspector::InjectedScript::getDisplayableProperties):
1851         (Inspector::InjectedScript::getInternalProperties):
1852         (Inspector::InjectedScript::getCollectionEntries):
1853         (Inspector::InjectedScript::saveResult):
1854         (Inspector::InjectedScript::setExceptionValue):
1855         (Inspector::InjectedScript::clearExceptionValue):
1856         (Inspector::InjectedScript::inspectObject):
1857         (Inspector::InjectedScript::releaseObject):
1858
1859         * inspector/InjectedScriptBase.h:
1860         * inspector/InjectedScriptBase.cpp:
1861         (Inspector::InjectedScriptBase::InjectedScriptBase):
1862         Declare m_environment with a default initializer.
1863
1864         (Inspector::InjectedScriptBase::makeCall):
1865         (Inspector::InjectedScriptBase::makeEvalCall):
1866         Just return the result, no need for an out-parameter.
1867         Rearrange some code paths now that we can just return a result.
1868         Return a Ref<JSON::Value> since it is either a result value or error value.
1869         Use out_ prefixes in a few places to improve readability.
1870
1871         * inspector/agents/InspectorDebuggerAgent.cpp:
1872         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1873         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1874         * inspector/agents/InspectorHeapAgent.cpp:
1875         (Inspector::InspectorHeapAgent::getPreview):
1876         * inspector/agents/InspectorRuntimeAgent.cpp:
1877         (Inspector::InspectorRuntimeAgent::evaluate):
1878         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1879         (Inspector::InspectorRuntimeAgent::getPreview):
1880         (Inspector::InspectorRuntimeAgent::getProperties):
1881         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1882         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1883         (Inspector::InspectorRuntimeAgent::saveResult):
1884         Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
1885         and std::optional until the former is removed from generated method signatures.
1886
1887 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1888
1889         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1890         https://bugs.webkit.org/show_bug.cgi?id=179000
1891
1892         Reviewed by Darin Adler and Yusuke Suzuki.
1893
1894         This patch starts the implementation of the BigInt primitive in
1895         JavaScriptCore. We are introducing the BigInt primitive and
1896         implementing it in JSBigInt as a subclass of JSCell, with the [[BigIntData]]
1897         field stored contiguously in memory as inline storage of JSBigInt to
1898         take advantage of cache locality for performance. The
1899         implementation allows 64- or 32-bit arithmetic operations.
1900         JSBigInt also has m_sign to store the sign of [[BigIntData]] and
1901         m_length that keeps track of the BigInt length.
1902         The implementation follows the V8 one. [[BigIntData]] is manipulated
1903         by the JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
1904         We also have some operations to support arithmetic over digits.
1905
1906         It is important to notice that in our representation,
1907         JSBigInt::dataStorage()[0] represents the least significant digit and
1908         JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.
1909
1910         We are also introducing in this patch the BigInt literal lexer and
1911         syntax parsing support. The Strict Equals operation on BigInts is also being
1912         implemented to enable tests.
1913         These features are implemented behind a runtime flag "--useBigInt" and
1914         are disabled by default.
1915
1916         * JavaScriptCore.xcodeproj/project.pbxproj:
1917         * Sources.txt:
1918         * bytecode/CodeBlock.cpp:
1919         * bytecompiler/BytecodeGenerator.cpp:
1920         (JSC::BytecodeGenerator::emitEqualityOp):
1921         (JSC::BytecodeGenerator::addBigIntConstant):
1922         * bytecompiler/BytecodeGenerator.h:
1923         (JSC::BytecodeGenerator::BigIntEntryHash::hash):
1924         (JSC::BytecodeGenerator::BigIntEntryHash::equal):
1925         * bytecompiler/NodesCodegen.cpp:
1926         (JSC::BigIntNode::jsValue const):
1927         * dfg/DFGAbstractInterpreterInlines.h:
1928         (JSC::DFG::isToThisAnIdentity):
1929         * interpreter/Interpreter.cpp:
1930         (JSC::sizeOfVarargs):
1931         * llint/LLIntData.cpp:
1932         (JSC::LLInt::Data::performAssertions):
1933         * llint/LowLevelInterpreter.asm:
1934         * parser/ASTBuilder.h:
1935         (JSC::ASTBuilder::createBigInt):
1936         * parser/Lexer.cpp:
1937         (JSC::Lexer<T>::parseBinary):
1938         (JSC::Lexer<T>::parseOctal):
1939         (JSC::Lexer<T>::parseDecimal):
1940         (JSC::Lexer<T>::lex):
1941         (JSC::Lexer<T>::parseHex): Deleted.
1942         * parser/Lexer.h:
1943         * parser/NodeConstructors.h:
1944         (JSC::BigIntNode::BigIntNode):
1945         * parser/Nodes.h:
1946         (JSC::ExpressionNode::isBigInt const):
1947         (JSC::BigIntNode::value):
1948         * parser/Parser.cpp:
1949         (JSC::Parser<LexerType>::parsePrimaryExpression):
1950         * parser/ParserTokens.h:
1951         * parser/ResultType.h:
1952         (JSC::ResultType::definitelyIsBigInt const):
1953         (JSC::ResultType::mightBeBigInt const):
1954         (JSC::ResultType::isNotBigInt const):
1955         (JSC::ResultType::addResultType):
1956         (JSC::ResultType::bigIntType):
1957         (JSC::ResultType::forAdd):
1958         (JSC::ResultType::forLogicalOp):
1959         * parser/SyntaxChecker.h:
1960         (JSC::SyntaxChecker::createBigInt):
1961         * runtime/CommonIdentifiers.h:
1962         * runtime/JSBigInt.cpp: Added.
1963         (JSC::JSBigInt::visitChildren):
1964         (JSC::JSBigInt::JSBigInt):
1965         (JSC::JSBigInt::initialize):
1966         (JSC::JSBigInt::createStructure):
1967         (JSC::JSBigInt::createZero):
1968         (JSC::JSBigInt::allocationSize):
1969         (JSC::JSBigInt::createWithLength):
1970         (JSC::JSBigInt::finishCreation):
1971         (JSC::JSBigInt::toPrimitive const):
1972         (JSC::JSBigInt::singleDigitValueForString):
1973         (JSC::JSBigInt::parseInt):
1974         (JSC::JSBigInt::toString):
1975         (JSC::JSBigInt::isZero):
1976         (JSC::JSBigInt::inplaceMultiplyAdd):
1977         (JSC::JSBigInt::digitAdd):
1978         (JSC::JSBigInt::digitSub):
1979         (JSC::JSBigInt::digitMul):
1980         (JSC::JSBigInt::digitPow):
1981         (JSC::JSBigInt::digitDiv):
1982         (JSC::JSBigInt::internalMultiplyAdd):
1983         (JSC::JSBigInt::equalToBigInt):
1984         (JSC::JSBigInt::absoluteDivSmall):
1985         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1986         (JSC::JSBigInt::toStringGeneric):
1987         (JSC::JSBigInt::rightTrim):
1988         (JSC::JSBigInt::allocateFor):
1989         (JSC::JSBigInt::estimatedSize):
1990         (JSC::JSBigInt::toNumber const):
1991         (JSC::JSBigInt::getPrimitiveNumber const):
1992         * runtime/JSBigInt.h: Added.
1993         (JSC::JSBigInt::setSign):
1994         (JSC::JSBigInt::sign const):
1995         (JSC::JSBigInt::setLength):
1996         (JSC::JSBigInt::length const):
1997         (JSC::JSBigInt::parseInt):
1998         (JSC::JSBigInt::offsetOfData):
1999         (JSC::JSBigInt::dataStorage):
2000         (JSC::JSBigInt::digit):
2001         (JSC::JSBigInt::setDigit):
2002         (JSC::asBigInt):
2003         * runtime/JSCJSValue.cpp:
2004         (JSC::JSValue::synthesizePrototype const):
2005         (JSC::JSValue::toStringSlowCase const):
2006         * runtime/JSCJSValue.h:
2007         * runtime/JSCJSValueInlines.h:
2008         (JSC::JSValue::isBigInt const):
2009         (JSC::JSValue::strictEqualSlowCaseInline):
2010         * runtime/JSCell.cpp:
2011         (JSC::JSCell::put):
2012         (JSC::JSCell::putByIndex):
2013         (JSC::JSCell::toPrimitive const):
2014         (JSC::JSCell::getPrimitiveNumber const):
2015         (JSC::JSCell::toNumber const):
2016         (JSC::JSCell::toObjectSlow const):
2017         * runtime/JSCell.h:
2018         * runtime/JSCellInlines.h:
2019         (JSC::JSCell::isBigInt const):
2020         * runtime/JSType.h:
2021         * runtime/MathCommon.h:
2022         (JSC::clz64):
2023         * runtime/NumberPrototype.cpp:
2024         * runtime/Operations.cpp:
2025         (JSC::jsTypeStringForValue):
2026         (JSC::jsIsObjectTypeOrNull):
2027         * runtime/Options.h:
2028         * runtime/ParseInt.h:
2029         * runtime/SmallStrings.h:
2030         (JSC::SmallStrings::typeString const):
2031         * runtime/StructureInlines.h:
2032         (JSC::prototypeForLookupPrimitiveImpl):
2033         * runtime/TypeofType.cpp:
2034         (WTF::printInternal):
2035         * runtime/TypeofType.h:
2036         * runtime/VM.cpp:
2037         (JSC::VM::VM):
2038         * runtime/VM.h:
2039
2040 2017-12-12  Guillaume Emont  <guijemont@igalia.com>
2041
2042         LLInt: reserve 16 bytes of stack on MIPS for native calls
2043         https://bugs.webkit.org/show_bug.cgi?id=180653
2044
2045         Reviewed by Carlos Alberto Lopez Perez.
2046
2047         * llint/LowLevelInterpreter32_64.asm:
2048         On MIPS, subtract 24 from the stack pointer (16 for calling
2049         convention + 8 to be 16-aligned) instead of the 8 on other platforms
2050         (for alignment).
2051
2052 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2053
2054         [WTF] Thread::create should have Thread::tryCreate
2055         https://bugs.webkit.org/show_bug.cgi?id=180333
2056
2057         Reviewed by Darin Adler.
2058
2059         * assembler/testmasm.cpp:
2060         (JSC::run):
2061         * b3/air/testair.cpp:
2062         * b3/testb3.cpp:
2063         (JSC::B3::run):
2064         * jsc.cpp:
2065         (functionDollarAgentStart):
2066
2067 2017-12-11  Michael Saboff  <msaboff@apple.com>
2068
2069         REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
2070         https://bugs.webkit.org/show_bug.cgi?id=180685
2071
2072         Reviewed by Saam Barati.
2073
2074         The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
2075         the character class check to return true without reading the character.  Given that
2076         the character could be a surrogate pair, we need to read the character even if we
2077         don't have to check it.
2078
2079         * yarr/YarrInterpreter.cpp:
2080         (JSC::Yarr::Interpreter::testCharacterClass):
2081         (JSC::Yarr::Interpreter::checkCharacterClass):
2082
2083 2017-12-11  Saam Barati  <sbarati@apple.com>
2084
2085         We need to disableCaching() in ErrorInstance when we materialize properties
2086         https://bugs.webkit.org/show_bug.cgi?id=180343
2087         <rdar://problem/35833002>
2088
2089         Reviewed by Mark Lam.
2090
2091         This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
2092         on puts() to a property that we lazily materialized. Forgetting to do this goes against the
2093         PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
2094         from a Structure A to a Structure B. However, we were telling the IC that we were caching an
2095         existing property only found on Structure B. This is obviously wrong as it would lead to an
2096         OOB store if we didn't already crash when generating the IC.
2097
2098         * jit/Repatch.cpp:
2099         (JSC::tryCachePutByID):
2100         * runtime/ErrorInstance.cpp:
2101         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2102         (JSC::ErrorInstance::put):
2103         * runtime/ErrorInstance.h:
2104         * runtime/Structure.cpp:
2105         (JSC::Structure::didCachePropertyReplacement):
2106
2107 2017-12-11  Fujii Hironori  <Hironori.Fujii@sony.com>
2108
2109         [WinCairo] DLLLauncherMain should use SetDllDirectory
2110         https://bugs.webkit.org/show_bug.cgi?id=180642
2111
2112         Reviewed by Alex Christensen.
2113
2114         Windows has icuuc.dll in the system directory. WebKit should find
2115         the one in the WebKitLibraries directory, not the one in the system directory.
2116
2117         * shell/DLLLauncherMain.cpp:
2118         (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
2119
2120 2017-12-11  Eric Carlson  <eric.carlson@apple.com>
2121
2122         Web Inspector: Optionally log WebKit log parameters as JSON
2123         https://bugs.webkit.org/show_bug.cgi?id=180529
2124         <rdar://problem/35909462>
2125
2126         Reviewed by Joseph Pecoraro.
2127
2128         * inspector/ConsoleMessage.cpp:
2129         (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
2130         values. Concatenate all adjacent strings to make logging cleaner.
2131         (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
2132         (Inspector::ConsoleMessage::scriptState const):
2133         * inspector/ConsoleMessage.h:
2134
2135         * inspector/InjectedScript.cpp:
2136         (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
2137         * inspector/InjectedScript.h:
2138         * inspector/InjectedScriptSource.js:
2139         (let.InjectedScript.prototype.wrapJSONString):
2140
2141 2017-12-11  Joseph Pecoraro  <pecoraro@apple.com>
2142
2143         Remove unused builtin names
2144         https://bugs.webkit.org/show_bug.cgi?id=180673
2145
2146         Reviewed by Keith Miller.
2147
2148         * builtins/BuiltinNames.h:
2149
2150 2017-12-11  David Quesada  <david_quesada@apple.com>
2151
2152         Turn on ENABLE_APPLICATION_MANIFEST
2153         https://bugs.webkit.org/show_bug.cgi?id=180562
2154         rdar://problem/35924737
2155
2156         Reviewed by Geoffrey Garen.
2157
2158         * Configurations/FeatureDefines.xcconfig:
2159
2160 2017-12-10  Filip Pizlo  <fpizlo@apple.com>
2161
2162         Harden a few assertions in GC sweep
2163         https://bugs.webkit.org/show_bug.cgi?id=180634
2164
2165         Reviewed by Saam Barati.
2166         
2167         This turns one dynamic check into a release assertion and upgrades another assertion to a release
2168         assertion.
2169
2170         * heap/MarkedBlock.cpp:
2171         (JSC::MarkedBlock::Handle::sweep):
2172
2173 2017-12-10  Konstantin Tokarev  <annulen@yandex.ru>
2174
2175         [python] Modernize "except" usage for python3 compatibility
2176         https://bugs.webkit.org/show_bug.cgi?id=180612
2177
2178         Reviewed by Michael Catanzaro.
2179
2180         * inspector/scripts/generate-inspector-protocol-bindings.py:
2181
2182 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
2183
2184         InferredType should not use UnconditionalFinalizer
2185         https://bugs.webkit.org/show_bug.cgi?id=180456
2186
2187         Reviewed by Saam Barati.
2188         
2189         This turns InferredStructure into a cell so that we can unconditionally finalize them without
2190         having to add things to the UnconditionalFinalizer list. I'm removing all uses of
2191         UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
2192         them are a top cause of lock contention in the parallel GC. Also, we don't need those data
2193         structures if we use IsoSubspaces, subspace iteration, and marking constraints.
2194
2195         * JavaScriptCore.xcodeproj/project.pbxproj:
2196         * Sources.txt:
2197         * heap/Heap.cpp:
2198         (JSC::Heap::finalizeUnconditionalFinalizers):
2199         * heap/Heap.h:
2200         * runtime/InferredStructure.cpp: Added.
2201         (JSC::InferredStructure::create):
2202         (JSC::InferredStructure::destroy):
2203         (JSC::InferredStructure::createStructure):
2204         (JSC::InferredStructure::visitChildren):
2205         (JSC::InferredStructure::finalizeUnconditionally):
2206         (JSC::InferredStructure::InferredStructure):
2207         (JSC::InferredStructure::finishCreation):
2208         * runtime/InferredStructure.h: Added.
2209         * runtime/InferredStructureWatchpoint.cpp: Added.
2210         (JSC::InferredStructureWatchpoint::fireInternal):
2211         * runtime/InferredStructureWatchpoint.h: Added.
2212         * runtime/InferredType.cpp:
2213         (JSC::InferredType::visitChildren):
2214         (JSC::InferredType::willStoreValueSlow):
2215         (JSC::InferredType::makeTopSlow):
2216         (JSC::InferredType::set):
2217         (JSC::InferredType::removeStructure):
2218         (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
2219         (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
2220         (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
2221         * runtime/InferredType.h:
2222         * runtime/VM.cpp:
2223         (JSC::VM::VM):
2224         * runtime/VM.h:
2225
2226 2017-12-09  Konstantin Tokarev  <annulen@yandex.ru>
2227
2228         [python] Replace print >> operator with print() function for python3 compatibility
2229         https://bugs.webkit.org/show_bug.cgi?id=180611
2230
2231         Reviewed by Michael Catanzaro.
2232
2233         * Scripts/make-js-file-arrays.py:
2234         (main):
2235
2236 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
2237
2238         ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
2239         https://bugs.webkit.org/show_bug.cgi?id=180520
2240         <rdar://problem/35900764>
2241
2242         Reviewed by Brian Burg.
2243
2244         * inspector/protocol/ServiceWorker.json:
2245         Include content script content in the initialization info.
2246
2247 2017-12-08  Konstantin Tokarev  <annulen@yandex.ru>
2248
2249         [python] Replace print operator with print() function for python3 compatibility
2250         https://bugs.webkit.org/show_bug.cgi?id=180592
2251
2252         Reviewed by Michael Catanzaro.
2253
2254         * Scripts/generateYarrUnicodePropertyTables.py:
2255         (openOrExit):
2256         (verifyUCDFilesExist):
2257         (Aliases.parsePropertyAliasesFile):
2258         (Aliases.parsePropertyValueAliasesFile):
2259         * Scripts/make-js-file-arrays.py:
2260         (main):
2261         * generate-bytecode-files:
2262
2263 2017-12-08  Mark Lam  <mark.lam@apple.com>
2264
2265         Need to unpoison native function pointers for CLoop.
2266         https://bugs.webkit.org/show_bug.cgi?id=180601
2267         <rdar://problem/35942028>
2268
2269         Reviewed by JF Bastien.
2270
2271         * llint/LowLevelInterpreter64.asm:
2272
2273 2017-12-08  Michael Saboff  <msaboff@apple.com>
2274
2275         YARR: JIT RegExps with greedy parenthesized sub patterns
2276         https://bugs.webkit.org/show_bug.cgi?id=180538
2277
2278         Reviewed by JF Bastien.
2279
2280         This patch adds JIT support for regular expressions containing greedy counted
2281         parentheses.  An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
2282
2283         Just like in the interpreter, expressions with nested parenthetical subpatterns
2284         require saving the results of previous matches of the parentheses contents along
2285         with any associated state.  This saved state is needed in the case that we need
2286         to backtrack.  This state is called ParenContext within the code.  Space allocated
2287         for this ParenContext is managed using a simple block allocator within the JIT'ed
2288         code.  The raw space managed by this allocator is passed into the JIT'ed function.
2289
2290         Since this fixed sized space may be exceeded, this patch adds a fallback mechanism.
2291         If the JIT'ed code exhausts all its ParenContext space, it returns a new error
2292         JSRegExpJITCodeFailure.  The caller will then bytecompile and interpret the
2293         expression.
2294
2295         Due to increased register usage by the parenthesis handling code, the use of
2296         registers by the JIT engine was restructured, with registers used for Unicode
2297         pattern matching replaced with constants.
2298
2299         Reworked some of the context structures that are used across the interpreter
2300         and JIT implementations to make them a little more uniform and to handle the
2301         needs of JIT'ing the new parentheses forms.
2302
2303         To help with development and debugging of this code, compiled patterns dumping
2304         code was enhanced.  Also added the ability to dump interpreter ByteCodes.
2305
2306         * runtime/RegExp.cpp:
2307         (JSC::byteCodeCompilePattern):
2308         (JSC::RegExp::byteCodeCompileIfNecessary):
2309         (JSC::RegExp::compile):
2310         (JSC::RegExp::compileMatchOnly):
2311         * runtime/RegExp.h:
2312         * runtime/RegExpInlines.h:
2313         (JSC::RegExp::matchInline):
2314         * testRegExp.cpp:
2315         (parseRegExpLine):
2316         (runFromFiles):
2317         * yarr/Yarr.h:
2318         * yarr/YarrInterpreter.cpp:
2319         (JSC::Yarr::ByteCompiler::compile):
2320         (JSC::Yarr::ByteCompiler::dumpDisjunction):
2321         * yarr/YarrJIT.cpp:
2322         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
2323         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
2324         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
2325         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
2326         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
2327         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
2328         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
2329         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
2330         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
2331         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
2332         (JSC::Yarr::YarrGenerator::allocatePatternContext):
2333         (JSC::Yarr::YarrGenerator::freePatternContext):
2334         (JSC::Yarr::YarrGenerator::savePatternContext):
2335         (JSC::Yarr::YarrGenerator::restorePatternContext):
2336         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
2337         (JSC::Yarr::YarrGenerator::storeToFrame):
2338         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
2339         (JSC::Yarr::YarrGenerator::clearMatches):
2340         (JSC::Yarr::YarrGenerator::generate):
2341         (JSC::Yarr::YarrGenerator::backtrack):
2342         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2343         (JSC::Yarr::YarrGenerator::generateEnter):
2344         (JSC::Yarr::YarrGenerator::generateReturn):
2345         (JSC::Yarr::YarrGenerator::YarrGenerator):
2346         (JSC::Yarr::YarrGenerator::compile):
2347         * yarr/YarrJIT.h:
2348         (JSC::Yarr::YarrCodeBlock::execute):
2349         * yarr/YarrPattern.cpp:
2350         (JSC::Yarr::indentForNestingLevel):
2351         (JSC::Yarr::dumpUChar32):
2352         (JSC::Yarr::dumpCharacterClass):
2353         (JSC::Yarr::PatternTerm::dump):
2354         (JSC::Yarr::YarrPattern::dumpPattern):
2355         * yarr/YarrPattern.h:
2356         (JSC::Yarr::PatternTerm::containsAnyCaptures):
2357         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
2358         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
2359         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
2360         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
2361         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
2362         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
2363
2364 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
2365
2366         Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
2367         https://bugs.webkit.org/show_bug.cgi?id=180590
2368         <rdar://problem/35882767>
2369
2370         Reviewed by Mark Lam.
2371
2372         * inspector/agents/InspectorConsoleAgent.cpp:
2373         (Inspector::InspectorConsoleAgent::enable):
2374         Swap the messages to a Vector that won't change during iteration.
2375
2376 2017-12-08  Michael Saboff  <msaboff@apple.com>
2377
2378         YARR: Coalesce constructed character classes
2379         https://bugs.webkit.org/show_bug.cgi?id=180537
2380
2381         Reviewed by JF Bastien.
2382
2383         When adding characters or character ranges to a character class being constructed,
2384         we now coalesce adjacent characters and character ranges.  When we create a
2385         character class after construction is complete, we do a final coalescing pass
2386         across the character list and ranges to catch any remaining coalescing
2387         opportunities.
2388
2389         Added an optimization for character classes that will match any character.
2390         This is somewhat common in code created before the /s (dotAll) flag was added
2391         to the engine.
2392
2393         * yarr/YarrInterpreter.cpp:
2394         (JSC::Yarr::Interpreter::checkCharacterClass):
2395         * yarr/YarrJIT.cpp:
2396         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2397         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2398         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2399         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2400         * yarr/YarrPattern.cpp:
2401         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2402         (JSC::Yarr::CharacterClassConstructor::reset):
2403         (JSC::Yarr::CharacterClassConstructor::charClass):
2404         (JSC::Yarr::CharacterClassConstructor::addSorted):
2405         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2406         (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
2407         (JSC::Yarr::CharacterClassConstructor::coalesceTables):
2408         (JSC::Yarr::CharacterClassConstructor::anyCharacter):
2409         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
2410         (JSC::Yarr::PatternTerm::dump):
2411         (JSC::Yarr::anycharCreate):
2412         * yarr/YarrPattern.h:
2413         (JSC::Yarr::CharacterClass::CharacterClass):
2414
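The two YARR character-class entries above (coalescing adjacent characters and ranges, the any-character fast path, and the r225683 regression where that fast path returned before reading a surrogate pair) can be illustrated with the following toy matcher. It is an added example, not WebKit/JSC code; CharacterClassBuilder, readCodePoint, checkCharacterClass and countAnyMatches are names chosen here, and the sample string is constructed.

```cpp
// Added example, not WebKit/JSC code: a toy character-class matcher that
// mirrors the two YARR entries. All names here are this example's own.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct Range { uint32_t lo; uint32_t hi; };

class CharacterClassBuilder {
public:
    void addChar(uint32_t c) { addRange(c, c); }
    void addRange(uint32_t lo, uint32_t hi) { ranges_.push_back({lo, hi}); }

    // Final coalescing pass: sort, then merge ranges that overlap or touch
    // (e.g. [a-c], d, [b-e] become the single range [a-e]).
    std::vector<Range> build() const {
        std::vector<Range> sorted = ranges_;
        std::sort(sorted.begin(), sorted.end(),
                  [](const Range& a, const Range& b) { return a.lo < b.lo; });
        std::vector<Range> merged;
        for (const Range& r : sorted) {
            if (!merged.empty() && r.lo <= merged.back().hi + 1)
                merged.back().hi = std::max(merged.back().hi, r.hi);
            else
                merged.push_back(r);
        }
        return merged;
    }

    // After coalescing, a class such as [\s\S] or [^] collapses to one range
    // spanning all of Unicode; that is the "matches any character" case.
    static bool isAnyCharacter(const std::vector<Range>& ranges) {
        return ranges.size() == 1 && ranges[0].lo == 0 && ranges[0].hi == 0x10FFFF;
    }

private:
    std::vector<Range> ranges_;
};

// Read one code point from UTF-16 input at `index`, combining a valid
// surrogate pair, and advance `index` by one or two code units.
uint32_t readCodePoint(const std::u16string& input, size_t& index) {
    uint32_t c = input[index++];
    if (c >= 0xD800 && c <= 0xDBFF && index < input.size()) {
        uint32_t low = input[index];
        if (low >= 0xDC00 && low <= 0xDFFF) {
            ++index;
            c = 0x10000 + ((c - 0xD800) << 10) + (low - 0xDC00);
        }
    }
    return c;
}

bool inClass(const std::vector<Range>& ranges, uint32_t c) {
    for (const Range& r : ranges)
        if (c >= r.lo && c <= r.hi)
            return true;
    return false;
}

// The any-character shortcut may skip the range test, but the character is
// read first so that `index` always moves past a whole surrogate pair.
// Testing the class before reading (the regression described above) would
// leave the low surrogate to be consumed as a separate "character".
bool checkCharacterClass(const std::vector<Range>& ranges,
                         const std::u16string& input, size_t& index) {
    if (index >= input.size())
        return false;
    uint32_t c = readCodePoint(input, index);
    if (CharacterClassBuilder::isAnyCharacter(ranges))
        return true;
    return inClass(ranges, c);
}

// Analogue of matching /[^]/gu over the whole string: one match per code
// point, so a surrogate pair counts once, not twice.
size_t countAnyMatches(const std::u16string& input) {
    CharacterClassBuilder builder;
    builder.addRange(0, 0x10FFFF);
    std::vector<Range> any = builder.build();
    size_t index = 0, matches = 0;
    while (checkCharacterClass(any, input, index))
        ++matches;
    return matches;
}

// Constructed sample: 'a', U+1F600 (a surrogate pair in UTF-16), 'b'.
const std::u16string kSample = u"a\U0001F600b";

int main() {
    std::printf("code units: %zu, any-character matches: %zu\n",
                kSample.size(), countAnyMatches(kSample));
    return 0;
}
```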
2415 2017-12-07  Saam Barati  <sbarati@apple.com>
2416
2417         Modify our dollar VM clflush intrinsic to aid in some perf testing
2418         https://bugs.webkit.org/show_bug.cgi?id=180559
2419
2420         Reviewed by Mark Lam.
2421
2422         * tools/JSDollarVM.cpp:
2423         (JSC::functionCpuClflush):
2424         (JSC::functionDeltaBetweenButterflies):
2425         (JSC::JSDollarVM::finishCreation):
2426
2427 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
2428
2429         Simplify log channel configuration UI
2430         https://bugs.webkit.org/show_bug.cgi?id=180527
2431         <rdar://problem/35908382>
2432
2433         Reviewed by Joseph Pecoraro.
2434
2435         * inspector/protocol/Console.json:
2436
2437 2017-12-07  Mark Lam  <mark.lam@apple.com>
2438
2439         Apply poisoning to some native code pointers.
2440         https://bugs.webkit.org/show_bug.cgi?id=180541
2441         <rdar://problem/35916875>
2442
2443         Reviewed by Filip Pizlo.
2444
2445         Renamed g_classInfoPoison to g_globalDataPoison.
2446         Renamed g_masmPoison to g_jitCodePoison.
2447         Introduced g_nativeCodePoison.
2448         Applied g_nativeCodePoison to poisoning some native code pointers.
2449
2450         Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
2451         to malloc allocated data structures (where needed).
2452
2453         * API/JSCallbackFunction.h:
2454         (JSC::JSCallbackFunction::functionCallback):
2455         * JavaScriptCore.xcodeproj/project.pbxproj:
2456         * jit/ThunkGenerators.cpp:
2457         (JSC::nativeForGenerator):
2458         * llint/LowLevelInterpreter64.asm:
2459         * runtime/CustomGetterSetter.h:
2460         (JSC::CustomGetterSetter::getter const):
2461         (JSC::CustomGetterSetter::setter const):
2462         * runtime/InternalFunction.cpp:
2463         (JSC::InternalFunction::getCallData):
2464         (JSC::InternalFunction::getConstructData):
2465         * runtime/InternalFunction.h:
2466         (JSC::InternalFunction::nativeFunctionFor):
2467         * runtime/JSCPoison.h: Added.
2468         * runtime/JSCPoisonedPtr.cpp:
2469         (JSC::initializePoison):
2470         * runtime/JSCPoisonedPtr.h:
2471         * runtime/Lookup.h:
2472         * runtime/NativeExecutable.cpp:
2473         (JSC::NativeExecutable::hashFor const):
2474         * runtime/NativeExecutable.h:
2475         * runtime/Structure.cpp:
2476         (JSC::StructureTransitionTable::setSingleTransition):
2477         * runtime/StructureTransitionTable.h:
2478         (JSC::StructureTransitionTable::StructureTransitionTable):
2479         (JSC::StructureTransitionTable::isUsingSingleSlot const):
2480         (JSC::StructureTransitionTable::map const):
2481         (JSC::StructureTransitionTable::weakImpl const):
2482         (JSC::StructureTransitionTable::setMap):
2483
2484 2017-12-07  Joseph Pecoraro  <pecoraro@apple.com>
2485
2486         Web Inspector: Fix style in remote inspector classes
2487         https://bugs.webkit.org/show_bug.cgi?id=180545
2488
2489         Reviewed by Youenn Fablet.
2490
2491         * inspector/remote/RemoteControllableTarget.h:
2492         * inspector/remote/RemoteInspectionTarget.h:
2493         * runtime/JSGlobalObjectDebuggable.h:
2494
2495 2017-12-07  Per Arne Vollan  <pvollan@apple.com>
2496
2497         Use fastAlignedFree to free aligned memory.
2498         https://bugs.webkit.org/show_bug.cgi?id=180540
2499
2500         Reviewed by Saam Barati.
2501
2502         * heap/IsoAlignedMemoryAllocator.cpp:
2503         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2504
2505 2017-12-07  Matt Lewis  <jlewis3@apple.com>
2506
2507         Unreviewed, rolling out r225634.
2508
2509         This caused layout tests to time out.
2510
2511         Reverted changeset:
2512
2513         "Simplify log channel configuration UI"
2514         https://bugs.webkit.org/show_bug.cgi?id=180527
2515         https://trac.webkit.org/changeset/225634
2516
2517 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
2518
2519         Simplify log channel configuration UI
2520         https://bugs.webkit.org/show_bug.cgi?id=180527
2521         <rdar://problem/35908382>
2522
2523         Reviewed by Joseph Pecoraro.
2524
2525         * inspector/protocol/Console.json:
2526
2527 2017-12-07  Mark Lam  <mark.lam@apple.com>
2528
2529         [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
2530         https://bugs.webkit.org/show_bug.cgi?id=180514
2531
2532         Reviewed by Saam Barati and JF Bastien.
2533
2534         Re-landing r225620 with speculative build fix for GCC 7.
2535
2536         * API/JSCallbackObject.h:
2537         * API/JSObjectRef.cpp:
2538         (classInfoPrivate):
2539         * JavaScriptCore.xcodeproj/project.pbxproj:
2540         * Sources.txt:
2541         * assembler/MacroAssemblerCodeRef.h:
2542         (JSC::FunctionPtr::FunctionPtr):
2543         (JSC::FunctionPtr::value const):
2544         (JSC::FunctionPtr::executableAddress const):
2545         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2546         (JSC::ReturnAddressPtr::value const):
2547         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2548         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2549         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
2550         (JSC::MacroAssemblerCodePtr:: const):
2551         (JSC::MacroAssemblerCodePtr::operator! const):
2552         (JSC::MacroAssemblerCodePtr::operator== const):
2553         (JSC::MacroAssemblerCodePtr::emptyValue):
2554         (JSC::MacroAssemblerCodePtr::deletedValue):
2555         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
2556         * b3/B3LowerMacros.cpp:
2557         * b3/testb3.cpp:
2558         (JSC::B3::testInterpreter):
2559         * dfg/DFGSpeculativeJIT.cpp:
2560         (JSC::DFG::SpeculativeJIT::checkArray):
2561         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2562         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2563         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2564         * ftl/FTLLowerDFGToB3.cpp:
2565         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2566         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2567         * jit/AssemblyHelpers.h:
2568         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2569         * jit/SpecializedThunkJIT.h:
2570         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2571         * jit/ThunkGenerators.cpp:
2572         (JSC::virtualThunkFor):
2573         (JSC::boundThisNoArgsFunctionCallGenerator):
2574         * llint/LLIntSlowPaths.cpp:
2575         (JSC::LLInt::handleHostCall):
2576         (JSC::LLInt::setUpCall):
2577         * llint/LowLevelInterpreter64.asm:
2578         * runtime/InitializeThreading.cpp:
2579         (JSC::initializeThreading):
2580         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
2581         (JSC::initializePoison):
2582         (JSC::initializeScrambledPtrKeys): Deleted.
2583         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
2584         * runtime/JSCScrambledPtr.cpp: Removed.
2585         * runtime/JSCScrambledPtr.h: Removed.
2586         * runtime/JSDestructibleObject.h:
2587         (JSC::JSDestructibleObject::classInfo const):
2588         * runtime/JSSegmentedVariableObject.h:
2589         (JSC::JSSegmentedVariableObject::classInfo const):
2590         * runtime/Structure.h:
2591         * runtime/VM.h:
2592
2593 2017-12-07  Michael Catanzaro  <mcatanzaro@igalia.com>
2594
2595         Unreviewed, rolling out r225620
2596         https://bugs.webkit.org/show_bug.cgi?id=180514
2597         <rdar://problem/35901694>
2598
2599         It broke the build with GCC 7, and I don't know how to fix it.
2600
2601         * API/JSCallbackObject.h:
2602         * API/JSObjectRef.cpp:
2603         (classInfoPrivate):
2604         * JavaScriptCore.xcodeproj/project.pbxproj:
2605         * Sources.txt:
2606         * assembler/MacroAssemblerCodeRef.h:
2607         (JSC::FunctionPtr::FunctionPtr):
2608         (JSC::FunctionPtr::value const):
2609         (JSC::FunctionPtr::executableAddress const):
2610         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2611         (JSC::ReturnAddressPtr::value const):
2612         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2613         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2614         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2615         (JSC::MacroAssemblerCodePtr:: const):
2616         (JSC::MacroAssemblerCodePtr::operator! const):
2617         (JSC::MacroAssemblerCodePtr::operator== const):
2618         (JSC::MacroAssemblerCodePtr::emptyValue):
2619         (JSC::MacroAssemblerCodePtr::deletedValue):
2620         (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
2621         * b3/B3LowerMacros.cpp:
2622         * b3/testb3.cpp:
2623         (JSC::B3::testInterpreter):
2624         * dfg/DFGSpeculativeJIT.cpp:
2625         (JSC::DFG::SpeculativeJIT::checkArray):
2626         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2627         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2628         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2629         * ftl/FTLLowerDFGToB3.cpp:
2630         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2631         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2632         * jit/AssemblyHelpers.h:
2633         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2634         * jit/SpecializedThunkJIT.h:
2635         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2636         * jit/ThunkGenerators.cpp:
2637         (JSC::virtualThunkFor):
2638         (JSC::boundThisNoArgsFunctionCallGenerator):
2639         * llint/LLIntSlowPaths.cpp:
2640         (JSC::LLInt::handleHostCall):
2641         (JSC::LLInt::setUpCall):
2642         * llint/LowLevelInterpreter64.asm:
2643         * runtime/InitializeThreading.cpp:
2644         (JSC::initializeThreading):
2645         * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
2646         (JSC::initializeScrambledPtrKeys):
2647         * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
2648         * runtime/JSDestructibleObject.h:
2649         (JSC::JSDestructibleObject::classInfo const):
2650         * runtime/JSSegmentedVariableObject.h:
2651         (JSC::JSSegmentedVariableObject::classInfo const):
2652         * runtime/Structure.h:
2653         * runtime/VM.h:
2654
2655 2017-12-06  Mark Lam  <mark.lam@apple.com>
2656
2657         Refactoring: Rename ScrambledPtr to Poisoned.
2658         https://bugs.webkit.org/show_bug.cgi?id=180514
2659
2660         Reviewed by Saam Barati.
2661
2662         * API/JSCallbackObject.h:
2663         * API/JSObjectRef.cpp:
2664         (classInfoPrivate):
2665         * JavaScriptCore.xcodeproj/project.pbxproj:
2666         * Sources.txt:
2667         * assembler/MacroAssemblerCodeRef.h:
2668         (JSC::FunctionPtr::FunctionPtr):
2669         (JSC::FunctionPtr::value const):
2670         (JSC::FunctionPtr::executableAddress const):
2671         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2672         (JSC::ReturnAddressPtr::value const):
2673         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2674         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2675         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
2676         (JSC::MacroAssemblerCodePtr:: const):
2677         (JSC::MacroAssemblerCodePtr::operator! const):
2678         (JSC::MacroAssemblerCodePtr::operator== const):
2679         (JSC::MacroAssemblerCodePtr::emptyValue):
2680         (JSC::MacroAssemblerCodePtr::deletedValue):
2681         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
2682         * b3/B3LowerMacros.cpp:
2683         * b3/testb3.cpp:
2684         (JSC::B3::testInterpreter):
2685         * dfg/DFGSpeculativeJIT.cpp:
2686         (JSC::DFG::SpeculativeJIT::checkArray):
2687         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2688         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2689         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2690         * ftl/FTLLowerDFGToB3.cpp:
2691         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2692         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2693         * jit/AssemblyHelpers.h:
2694         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2695         * jit/SpecializedThunkJIT.h:
2696         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2697         * jit/ThunkGenerators.cpp:
2698         (JSC::virtualThunkFor):
2699         (JSC::boundThisNoArgsFunctionCallGenerator):
2700         * llint/LLIntSlowPaths.cpp:
2701         (JSC::LLInt::handleHostCall):
2702         (JSC::LLInt::setUpCall):
2703         * llint/LowLevelInterpreter64.asm:
2704         * runtime/InitializeThreading.cpp:
2705         (JSC::initializeThreading):
2706         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
2707         (JSC::initializePoison):
2708         (JSC::initializeScrambledPtrKeys): Deleted.
2709         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
2710         * runtime/JSCScrambledPtr.cpp: Removed.
2711         * runtime/JSCScrambledPtr.h: Removed.
2712         * runtime/JSDestructibleObject.h:
2713         (JSC::JSDestructibleObject::classInfo const):
2714         * runtime/JSSegmentedVariableObject.h:
2715         (JSC::JSSegmentedVariableObject::classInfo const):
2716         * runtime/Structure.h:
2717         * runtime/VM.h:
2718
2719 2017-12-02  Darin Adler  <darin@apple.com>
2720
2721         Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
2722         https://bugs.webkit.org/show_bug.cgi?id=180009
2723
2724         Reviewed by Alex Christensen.
2725
2726         * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
2727         * bytecode/CodeBlock.cpp: Ditto.
2728         * bytecode/ExecutionCounter.cpp: Ditto.
2729         * runtime/ConfigFile.cpp: Ditto.
2730         * runtime/DatePrototype.cpp: Ditto.
2731         * runtime/IndexingType.cpp: Ditto.
2732         * runtime/JSCJSValue.cpp: Ditto.
2733         * runtime/JSDateMath.cpp: Ditto.
2734         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
2735         * runtime/Options.cpp: Ditto.
2736         (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
2737
2738 2017-12-06  Saam Barati  <sbarati@apple.com>
2739
2740         ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
2741         https://bugs.webkit.org/show_bug.cgi?id=180438
2742         <rdar://problem/35862342>
2743
2744         Reviewed by Yusuke Suzuki.
2745
2746         A couple of inspector methods that take stack traces need
2747         to grab the JSLock.
2748
2749         * inspector/ScriptCallStackFactory.cpp:
2750         (Inspector::createScriptCallStack):
2751         (Inspector::createScriptCallStackForConsole):
2752
2753 2017-12-05  Stephan Szabo  <stephan.szabo@sony.com>
2754
2755         Switch windows build to Visual Studio 2017
2756         https://bugs.webkit.org/show_bug.cgi?id=172412
2757
2758         Reviewed by Per Arne Vollan.
2759
2760         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2761
2762 2017-12-05  JF Bastien  <jfbastien@apple.com>
2763
2764         WebAssembly: don't eagerly checksum
2765         https://bugs.webkit.org/show_bug.cgi?id=180441
2766         <rdar://problem/35156628>
2767
2768         Reviewed by Saam Barati.
2769
2770         Make checksumming of module optional for now. The bots think the
2771         checksum hurt compile-time. I'd measured it and couldn't see a
2772         difference, and still can't at this point in time, but we'll see
2773         if disabling it fixes the bots. If so then I can make it lazy upon
2774         first backtrace construction, or I can try out MD5 instead of
2775         SHA1.
2776
2777         * runtime/Options.h:
2778         * wasm/WasmModuleInformation.cpp:
2779         (JSC::Wasm::ModuleInformation::ModuleInformation):
2780         * wasm/WasmModuleInformation.h:
2781         * wasm/WasmNameSection.h:
2782         (JSC::Wasm::NameSection::NameSection):
2783
2784 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
2785
2786         IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
2787         https://bugs.webkit.org/show_bug.cgi?id=180425
2788
2789         Reviewed by Saam Barati.
2790         
2791         Failure to do so causes leaks after starting workers.
2792
2793         * heap/IsoAlignedMemoryAllocator.cpp:
2794         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2795         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
2796
2797 2017-12-05  Per Arne Vollan  <pvollan@apple.com>
2798
2799         [Win64] Compile error in testmasm.cpp.
2800         https://bugs.webkit.org/show_bug.cgi?id=180436
2801
2802         Reviewed by Mark Lam.
2803
2804         Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
2805         
2806         * assembler/testmasm.cpp:
2807         (JSC::testGetEffectiveAddress):
2808
2809 2017-12-01  Filip Pizlo  <fpizlo@apple.com>
2810
2811         GC constraint solving should be parallel
2812         https://bugs.webkit.org/show_bug.cgi?id=179934
2813
2814         Reviewed by JF Bastien.
2815         
2816         This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
2817         speed-up. It's more than 1% on trunk-Speedometer.
2818         
2819         The constraint solver supports running constraints in parallel in two different ways:
2820         
2821         - Run multiple constraints in parallel to each other. This only works for constraints that can
2822           tolerate other constraints running concurrently to them (constraint.concurrency() ==
2823           ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
2824           constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
2825           could probably make them concurrent, but I'm playing it safe for now.
2826         
2827         - A constraint can create parallel work for itself, which the constraint solver will interleave
2828           with other stuff. A constraint can report that it has parallel work by returning
2829           ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
2830           constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
2831           for as long as that function wants to run.
2832         
2833         It's not possible to have a non-concurrent constraint that creates parallel work.
2834         
2835         The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
2836         most natural for two reasons:
2837         
2838         - No need to start any other threads.
2839         
2840         - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
2841           access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
2842           create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
2843           thread, that thread will have work it can start doing immediately. Before this change, we had to
2844           contribute the work found by the constraint solver to the global worklist so that it could be
2845           distributed to the marker threads by load balancing. This change probably helps to avoid that
2846           load balancing step.
2847         
2848         A lot of this change is about making it easy to iterate GC data structures in parallel. This
2849         change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
2850         the parallel work API. That constraint iterates the marked cells in two subspaces. This change
2851         makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
2852         The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
2853         iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
2854         RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
2855         when it returns a falsish version of ... (in the current code, that's always a pointer type, so
2856         done is indicated by null).
2857         
2858         * API/JSMarkingConstraintPrivate.cpp:
2859         (JSContextGroupAddMarkingConstraint):
2860         * API/JSVirtualMachine.mm:
2861         (scanExternalObjectGraph):
2862         (scanExternalRememberedSet):
2863         * JavaScriptCore.xcodeproj/project.pbxproj:
2864         * Sources.txt:
2865         * bytecode/AccessCase.cpp:
2866         (JSC::AccessCase::propagateTransitions const):
2867         * bytecode/CodeBlock.cpp:
2868         (JSC::CodeBlock::visitWeakly):
2869         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2870         (JSC::shouldMarkTransition):
2871         (JSC::CodeBlock::propagateTransitions):
2872         (JSC::CodeBlock::determineLiveness):
2873         * dfg/DFGWorklist.cpp:
2874         * ftl/FTLCompile.cpp:
2875         (JSC::FTL::compile):
2876         * heap/ConstraintParallelism.h: Added.
2877         (WTF::printInternal):
2878         * heap/Heap.cpp:
2879         (JSC::Heap::Heap):
2880         (JSC::Heap::addToRememberedSet):
2881         (JSC::Heap::runFixpointPhase):
2882         (JSC::Heap::stopThePeriphery):
2883         (JSC::Heap::resumeThePeriphery):
2884         (JSC::Heap::addCoreConstraints):
2885         (JSC::Heap::setBonusVisitorTask):
2886         (JSC::Heap::runTaskInParallel):
2887         (JSC::Heap::forEachSlotVisitor): Deleted.
2888         * heap/Heap.h:
2889         (JSC::Heap::worldIsRunning const):
2890         (JSC::Heap::runFunctionInParallel):
2891         * heap/HeapInlines.h:
2892         (JSC::Heap::worldIsStopped const):
2893         (JSC::Heap::isMarked):
2894         (JSC::Heap::incrementDeferralDepth):
2895         (JSC::Heap::decrementDeferralDepth):
2896         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2897         (JSC::Heap::forEachSlotVisitor):
2898         (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
2899         (JSC::Heap::isMarkedConcurrently): Deleted.
2900         * heap/HeapSnapshotBuilder.cpp:
2901         (JSC::HeapSnapshotBuilder::appendNode):
2902         * heap/LargeAllocation.h:
2903         (JSC::LargeAllocation::isMarked):
2904         (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
2905         * heap/LockDuringMarking.h:
2906         (JSC::lockDuringMarking):
2907         * heap/MarkedAllocator.cpp:
2908         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
2909         * heap/MarkedAllocator.h:
2910         * heap/MarkedBlock.h:
2911         (JSC::MarkedBlock::aboutToMark):
2912         (JSC::MarkedBlock::isMarked):
2913         (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
2914         (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
2915         * heap/MarkedSpace.h:
2916         (JSC::MarkedSpace::activeWeakSetsBegin):
2917         (JSC::MarkedSpace::activeWeakSetsEnd):
2918         (JSC::MarkedSpace::newActiveWeakSetsBegin):
2919         (JSC::MarkedSpace::newActiveWeakSetsEnd):
2920         * heap/MarkingConstraint.cpp:
2921         (JSC::MarkingConstraint::MarkingConstraint):
2922         (JSC::MarkingConstraint::execute):
2923         (JSC::MarkingConstraint::quickWorkEstimate):
2924         (JSC::MarkingConstraint::workEstimate):
2925         (JSC::MarkingConstraint::doParallelWork):
2926         (JSC::MarkingConstraint::finishParallelWork):
2927         (JSC::MarkingConstraint::doParallelWorkImpl):
2928         (JSC::MarkingConstraint::finishParallelWorkImpl):
2929         * heap/MarkingConstraint.h:
2930         (JSC::MarkingConstraint::lastExecuteParallelism const):
2931         (JSC::MarkingConstraint::parallelism const):
2932         (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
2933         (JSC::MarkingConstraint::workEstimate): Deleted.
2934         * heap/MarkingConstraintSet.cpp:
2935         (JSC::MarkingConstraintSet::MarkingConstraintSet):
2936         (JSC::MarkingConstraintSet::add):
2937         (JSC::MarkingConstraintSet::executeConvergence):
2938         (JSC::MarkingConstraintSet::executeConvergenceImpl):
2939         (JSC::MarkingConstraintSet::executeAll):
2940         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
2941         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
2942         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
2943         (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
2944         (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
2945         (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
2946         (): Deleted.
2947         * heap/MarkingConstraintSet.h:
2948         * heap/MarkingConstraintSolver.cpp: Added.
2949         (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
2950         (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
2951         (JSC::MarkingConstraintSolver::didVisitSomething const):
2952         (JSC::MarkingConstraintSolver::execute):
2953         (JSC::MarkingConstraintSolver::drain):
2954         (JSC::MarkingConstraintSolver::converge):
2955         (JSC::MarkingConstraintSolver::runExecutionThread):
2956         (JSC::MarkingConstraintSolver::didExecute):
2957         * heap/MarkingConstraintSolver.h: Added.
2958         * heap/OpaqueRootSet.h: Removed.
2959         * heap/ParallelSourceAdapter.h: Added.
2960         (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
2961         (JSC::createParallelSourceAdapter):
2962         * heap/SimpleMarkingConstraint.cpp: Added.
2963         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
2964         (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
2965         (JSC::SimpleMarkingConstraint::quickWorkEstimate):
2966         (JSC::SimpleMarkingConstraint::executeImpl):
2967         * heap/SimpleMarkingConstraint.h: Added.
2968         * heap/SlotVisitor.cpp:
2969         (JSC::SlotVisitor::didStartMarking):
2970         (JSC::SlotVisitor::reset):
2971         (JSC::SlotVisitor::appendToMarkStack):
2972         (JSC::SlotVisitor::visitChildren):
2973         (JSC::SlotVisitor::updateMutatorIsStopped):
2974         (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
2975         (JSC::SlotVisitor::drain):
2976         (JSC::SlotVisitor::performIncrementOfDraining):
2977         (JSC::SlotVisitor::didReachTermination):
2978         (JSC::SlotVisitor::hasWork):
2979         (JSC::SlotVisitor::drainFromShared):
2980         (JSC::SlotVisitor::drainInParallelPassively):
2981         (JSC::SlotVisitor::waitForTermination):
2982         (JSC::SlotVisitor::addOpaqueRoot): Deleted.
2983         (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
2984         (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
2985         (JSC::SlotVisitor::mergeIfNecessary): Deleted.
2986         (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
2987         (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
2988         * heap/SlotVisitor.h:
2989         * heap/SlotVisitorInlines.h:
2990         (JSC::SlotVisitor::addOpaqueRoot):
2991         (JSC::SlotVisitor::containsOpaqueRoot const):
2992         (JSC::SlotVisitor::vm):
2993         (JSC::SlotVisitor::vm const):
2994         * heap/Subspace.cpp:
2995         (JSC::Subspace::parallelAllocatorSource):
2996         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
2997         * heap/Subspace.h:
2998         * heap/SubspaceInlines.h:
2999         (JSC::Subspace::forEachMarkedCellInParallel):
3000         * heap/VisitCounter.h: Added.
3001         (JSC::VisitCounter::VisitCounter):
3002         (JSC::VisitCounter::visitCount const):
3003         * heap/VisitingTimeout.h: Removed.
3004         * heap/WeakBlock.cpp:
3005         (JSC::WeakBlock::specializedVisit):
3006         * runtime/Structure.cpp:
3007         (JSC::Structure::isCheapDuringGC):
3008         (JSC::Structure::markIfCheap):
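
        The following is an added illustration of the parallel-iterator composition this entry
        describes; it is not JavaScriptCore's code. A shared source hands out blocks with one
        atomic next() that returns null when exhausted, and a per-worker marked-cell cursor is
        composed on top of it, so any number of marker threads can drain the same source. The
        names Block, makeParallelBlockSource, MarkedCellCursor and visitMarkedCellsInParallel
        are assumptions made for the example, and std::shared_ptr<std::function<T*()>> stands in
        for the RefPtr<SharedTask<T*()>> abstraction named above.

```cpp
// Added example (not JavaScriptCore's code): parallel iterators composed the way
// the ChangeLog entry describes. Names and the toy Block layout are assumptions.
#include <algorithm>
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <utility>
#include <vector>

namespace ParallelIterDemo {

// Toy heap block: a fixed number of cells plus one mark bit per cell.
struct Block {
    static constexpr size_t cellsPerBlock = 8;
    uint32_t cells[cellsPerBlock];
    bool marked[cellsPerBlock];
};

// A parallel source is a callable whose next() is atomic and returns null once
// exhausted. This one hands out blocks with a single fetch_add.
template<typename T>
using ParallelSource = std::shared_ptr<std::function<T*()>>;

inline ParallelSource<Block> makeParallelBlockSource(std::vector<Block>& blocks)
{
    auto cursor = std::make_shared<std::atomic<size_t>>(0);
    return std::make_shared<std::function<Block*()>>([cursor, &blocks]() -> Block* {
        size_t index = cursor->fetch_add(1, std::memory_order_relaxed);
        return index < blocks.size() ? &blocks[index] : nullptr;
    });
}

// Composition: a marked-cell iterator on top of the block source. Each worker
// owns one cursor and pulls whole blocks from the shared source, so the only
// contended operation is the block source's fetch_add.
class MarkedCellCursor {
public:
    explicit MarkedCellCursor(ParallelSource<Block> blocks) : m_blocks(std::move(blocks)) { }

    // Next marked cell for this worker, or null when the shared source is done.
    uint32_t* next()
    {
        for (;;) {
            if (!m_current) {
                m_current = (*m_blocks)();
                if (!m_current)
                    return nullptr;
                m_index = 0;
            }
            while (m_index < Block::cellsPerBlock) {
                size_t i = m_index++;
                if (m_current->marked[i])
                    return &m_current->cells[i];
            }
            m_current = nullptr; // block drained; go back to the shared source
        }
    }

private:
    ParallelSource<Block> m_blocks;
    Block* m_current { nullptr };
    size_t m_index { 0 };
};

// Visits every marked cell with workerCount threads (the caller counts as one,
// like the main marker thread) and returns the cell values in unspecified order.
inline std::vector<uint32_t> visitMarkedCellsInParallel(std::vector<Block>& blocks, unsigned workerCount)
{
    ParallelSource<Block> source = makeParallelBlockSource(blocks);
    std::mutex resultLock;
    std::vector<uint32_t> result;
    auto work = [&] {
        MarkedCellCursor cursor(source);
        std::vector<uint32_t> local;
        while (uint32_t* cell = cursor.next())
            local.push_back(*cell);
        std::lock_guard<std::mutex> guard(resultLock);
        result.insert(result.end(), local.begin(), local.end());
    };
    std::vector<std::thread> helpers;
    for (unsigned i = 1; i < workerCount; ++i)
        helpers.emplace_back(work);
    work();
    for (auto& helper : helpers)
        helper.join();
    return result;
}

// Constructed sample heap: 4 blocks, cell value = block * 100 + slot, even slots marked.
inline std::vector<Block> makeSampleHeap()
{
    std::vector<Block> blocks(4);
    for (size_t b = 0; b < blocks.size(); ++b) {
        for (size_t i = 0; i < Block::cellsPerBlock; ++i) {
            blocks[b].cells[i] = static_cast<uint32_t>(b * 100 + i);
            blocks[b].marked[i] = (i % 2 == 0);
        }
    }
    return blocks;
}

} // namespace ParallelIterDemo
```

        Because each cursor keeps its own block and slot index, a worker that takes a block
        finishes it without touching the shared source again; only exhaustion of the whole
        heap is signalled by the null return, which is the "falsish means done" convention
        the entry describes.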
3009
3010 2017-12-04  JF Bastien  <jfbastien@apple.com>
3011
3012         Math: don't redundantly check for exceptions, just release scope
3013         https://bugs.webkit.org/show_bug.cgi?id=180395
3014
3015         Rubber stamped by Mark Lam.
3016
3017         Two of the exception checks could just have been exception scope
3018         releases before the return, which is ever-so-slightly more
3019         efficient. The same technically applies where we have loops over
3020         parameters, but doing the scope release there isn't really more
3021         efficient and is way harder to read.
3022
3023         * runtime/MathObject.cpp:
3024         (JSC::mathProtoFuncATan2):
3025         (JSC::mathProtoFuncPow):
3026
3027 2017-12-04  David Quesada  <david_quesada@apple.com>
3028
3029         Add a class for parsing application manifests
3030         https://bugs.webkit.org/show_bug.cgi?id=177973
3031         rdar://problem/34747949
3032
3033         Reviewed by Geoffrey Garen.
3034
3035         * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
3036
3037 2017-12-04  JF Bastien  <jfbastien@apple.com>
3038
3039         Update std::expected to match libc++ coding style
3040         https://bugs.webkit.org/show_bug.cgi?id=180264
3041
3042         Reviewed by Alex Christensen.
3043
3044         Update various uses of Expected.
3045
3046         * wasm/WasmModule.h:
3047         * wasm/WasmModuleParser.cpp:
3048         (JSC::Wasm::ModuleParser::parseImport):
3049         (JSC::Wasm::ModuleParser::parseTableHelper):
3050         (JSC::Wasm::ModuleParser::parseTable):
3051         (JSC::Wasm::ModuleParser::parseMemoryHelper):
3052         * wasm/WasmParser.h:
3053         * wasm/generateWasmValidateInlinesHeader.py:
3054         (loadMacro):
3055         (storeMacro):
3056         * wasm/js/JSWebAssemblyModule.cpp:
3057         (JSC::JSWebAssemblyModule::createStub):
3058         * wasm/js/JSWebAssemblyModule.h:
3059
3060 2017-12-04  Saam Barati  <sbarati@apple.com>
3061
3062         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
3063         https://bugs.webkit.org/show_bug.cgi?id=180366
3064         <rdar://problem/35685877>
3065
3066         Reviewed by Michael Saboff.
3067
3068         On the TailCall slow path, the CallFrameShuffler will build the frame with
3069         respect to SP instead of FP. However, this may overwrite slots on the stack
3070         that are needed if the slow path C call does a stack walk. The slow path
3071         C call does a stack walk when it throws an exception. This patch fixes
3072         this bug by ensuring that the top of the stack in the FTL always has enough
3073         space to allow CallFrameShuffler to build a frame without overwriting any
3074         items on the stack that are needed when doing a stack walk.
3075
3076         * ftl/FTLLowerDFGToB3.cpp:
3077         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3078
3079 2017-12-04  Devin Rousso  <webkit@devinrousso.com>
3080
3081         Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
3082         https://bugs.webkit.org/show_bug.cgi?id=175166
3083         <rdar://problem/34040740>
3084
3085         Reviewed by Joseph Pecoraro.
3086
3087         * inspector/protocol/Recording.json:
3088         Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
3089
3090         * inspector/JSGlobalObjectConsoleClient.h:
3091         * inspector/JSGlobalObjectConsoleClient.cpp:
3092         (Inspector::JSGlobalObjectConsoleClient::record):
3093         (Inspector::JSGlobalObjectConsoleClient::recordEnd):
3094
3095         * runtime/ConsoleClient.h:
3096         * runtime/ConsoleObject.cpp:
3097         (JSC::ConsoleObject::finishCreation):
3098         (JSC::consoleProtoFuncRecord):
3099         (JSC::consoleProtoFuncRecordEnd):
3100
3101 2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3102
3103         WTF shouldn't have both Thread and ThreadIdentifier
3104         https://bugs.webkit.org/show_bug.cgi?id=180308
3105
3106         Reviewed by Darin Adler.
3107
3108         * heap/MachineStackMarker.cpp:
3109         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3110         * llint/LLIntSlowPaths.cpp:
3111         (JSC::LLInt::llint_trace_operand):
3112         (JSC::LLInt::llint_trace_value):
3113         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3114         (JSC::LLInt::traceFunctionPrologue):
3115         * runtime/ExceptionScope.cpp:
3116         (JSC::ExceptionScope::unexpectedExceptionMessage):
3117         * runtime/JSLock.h:
3118         (JSC::JSLock::currentThreadIsHoldingLock):
3119         * runtime/VM.cpp:
3120         (JSC::VM::throwException):
3121         * runtime/VM.h:
3122         (JSC::VM::throwingThread const):
3123         (JSC::VM::clearException):
3124         * tools/HeapVerifier.cpp:
3125         (JSC::HeapVerifier::printVerificationHeader):
3126
3127 2017-12-03  Caio Lima  <ticaiolima@gmail.com>
3128
3129         Rename DestroyFunc to avoid redefinition on unified build
3130         https://bugs.webkit.org/show_bug.cgi?id=180335
3131
3132         Reviewed by Filip Pizlo.
3133
3134         Changing DestroyFunc structures to more specific names to avoid
3135         conflicts on unified builds.
3136
3137         * heap/HeapCellType.cpp:
3138         (JSC::HeapCellType::finishSweep):
3139         (JSC::HeapCellType::destroy):
3140         * runtime/JSDestructibleObjectHeapCellType.cpp:
3141         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
3142         (JSC::JSDestructibleObjectHeapCellType::destroy):
3143         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
3144         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
3145         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
3146         * runtime/JSStringHeapCellType.cpp:
3147         (JSC::JSStringHeapCellType::finishSweep):
3148         (JSC::JSStringHeapCellType::destroy):
3149         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
3150         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
3151         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
3152
3153 2017-12-01  JF Bastien  <jfbastien@apple.com>
3154
3155         JavaScriptCore: missing exception checks in Math functions that take more than one argument
3156         https://bugs.webkit.org/show_bug.cgi?id=180297
3157         <rdar://problem/35745556>
3158
3159         Reviewed by Mark Lam.
3160
3161         * runtime/MathObject.cpp:
3162         (JSC::mathProtoFuncATan2):
3163         (JSC::mathProtoFuncMax):
3164         (JSC::mathProtoFuncMin):
3165         (JSC::mathProtoFuncPow):
3166
3167 2017-12-01  Mark Lam  <mark.lam@apple.com>
3168
3169         Let's scramble ClassInfo pointers in cells.
3170         https://bugs.webkit.org/show_bug.cgi?id=180291
3171         <rdar://problem/35807620>
3172
3173         Reviewed by JF Bastien.
3174
3175         * API/JSCallbackObject.h:
3176         * API/JSObjectRef.cpp:
3177         (classInfoPrivate):
3178         * JavaScriptCore.xcodeproj/project.pbxproj:
3179         * Sources.txt:
3180         * assembler/MacroAssemblerCodeRef.cpp:
3181         (JSC::MacroAssemblerCodePtr::initialize): Deleted.
3182         * assembler/MacroAssemblerCodeRef.h:
3183         (JSC::MacroAssemblerCodePtr:: const):
3184         (JSC::MacroAssemblerCodePtr::hash const):
3185         * dfg/DFGSpeculativeJIT.cpp:
3186         (JSC::DFG::SpeculativeJIT::checkArray):
3187         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
3188         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3189         * ftl/FTLLowerDFGToB3.cpp:
3190         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
3191         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3192         * jit/AssemblyHelpers.h:
3193         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
3194         * jit/SpecializedThunkJIT.h:
3195         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
3196         * runtime/InitializeThreading.cpp:
3197         (JSC::initializeThreading):
3198         * runtime/JSCScrambledPtr.cpp: Added.
3199         (JSC::initializeScrambledPtrKeys):
3200         * runtime/JSCScrambledPtr.h: Added.
3201         * runtime/JSDestructibleObject.h:
3202         (JSC::JSDestructibleObject::classInfo const):
3203         * runtime/JSSegmentedVariableObject.h:
3204         (JSC::JSSegmentedVariableObject::classInfo const):
3205         * runtime/Structure.h:
3206         * runtime/VM.h:
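
        The following is an added illustration of the idea behind this entry (and behind the
        JSCScrambledPtr to JSCPoisonedPtr rename whose file list opens this section); it is not
        JavaScriptCore's PoisonedPtr. A pointer field is stored XORed with a process-wide secret
        key and decoded on read, so an attacker who overwrites the field with a raw pointer to a
        fake ClassInfo gets an unpredictable address back instead of the one they chose. The
        ClassInfo and Cell layouts, poisonKey(), PoisonedPtr and the two check functions are
        assumptions made for the example; the key is assumed to play the role of the value set up
        by initializeScrambledPtrKeys()/initializePoison(), judging only by those names.

```cpp
// Added example, not JavaScriptCore's code: a minimal XOR-poisoned pointer.
// Every name here is an assumption made for illustration.
#include <cstdint>
#include <cstring>
#include <random>

namespace PoisonDemo {

struct ClassInfo {
    const char* className;
    unsigned sizeInBytes;
};

// Process-wide secret chosen once at startup and never derived from the
// pointers it hides. The top bit is forced on (a design choice of this example)
// so a value that is dereferenced while still poisoned is not a plausible
// user-space address.
inline uintptr_t poisonKey()
{
    static const uintptr_t key = [] {
        std::random_device rd;
        uint64_t k = (static_cast<uint64_t>(rd()) << 32) | rd();
        uintptr_t result = static_cast<uintptr_t>(k);
        result |= uintptr_t(1) << (sizeof(uintptr_t) * 8 - 1);
        return result;
    }();
    return key;
}

template<typename T>
class PoisonedPtr {
public:
    PoisonedPtr() = default;
    explicit PoisonedPtr(T* ptr) { set(ptr); }

    void set(T* ptr) { m_bits = ptr ? reinterpret_cast<uintptr_t>(ptr) ^ poisonKey() : 0; }
    T* unpoisoned() const { return m_bits ? reinterpret_cast<T*>(m_bits ^ poisonKey()) : nullptr; }
    uintptr_t bits() const { return m_bits; }

private:
    uintptr_t m_bits { 0 };
};

// A cell header that stores its ClassInfo pointer poisoned, in the spirit of
// the classInfo() accessors listed in the entry.
struct Cell {
    PoisonedPtr<const ClassInfo> classInfo;
    uint32_t payload;
};

// Legitimate path: the engine stores through set() and reads back the real
// pointer, while the bits in memory differ from the real address.
inline bool legitimateClassInfoRoundTrips(Cell& cell, const ClassInfo* real)
{
    cell.classInfo.set(real);
    return cell.classInfo.unpoisoned() == real
        && cell.classInfo.bits() != reinterpret_cast<uintptr_t>(real);
}

// Attacker path: a memory-corruption primitive writes a raw pointer to a fake
// ClassInfo over the field, bypassing set(). Without poisoning the forged
// pointer would be returned as-is; with it, the decoded value is garbage the
// attacker could not have chosen without knowing the key.
inline bool forgedClassInfoSurvives(Cell& cell, const ClassInfo* fake)
{
    std::memcpy(&cell.classInfo, &fake, sizeof(fake));
    return cell.classInfo.unpoisoned() == fake;
}

} // namespace PoisonDemo
```

        The protection is only as good as the secrecy of the key: it must not sit next to the
        poisoned fields, and any read primitive that discloses it (or one poisoned/raw pair)
        lets the attacker poison their own pointer. That is a property of the scheme in general,
        not a claim about how JavaScriptCore stores its key.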
3207
3208 2017-12-01  Brian Burg  <bburg@apple.com>
3209
3210         Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
3211         https://bugs.webkit.org/show_bug.cgi?id=173662
3212
3213         Reviewed by Joseph Pecoraro.
3214
3215         Adopt new type names. Fix protocol generator to use correct type names.
3216
3217         * inspector/ConsoleMessage.cpp:
3218         (Inspector::ConsoleMessage::addToFrontend):
3219         Improve naming and use 'auto' when the type is obvious and repeated.
3220
3221         * inspector/ContentSearchUtilities.cpp:
3222         (Inspector::ContentSearchUtilities::searchInTextByLines):
3223         * inspector/ContentSearchUtilities.h:
3224         * inspector/InjectedScript.cpp:
3225         (Inspector::InjectedScript::getProperties):
3226         (Inspector::InjectedScript::getDisplayableProperties):
3227         (Inspector::InjectedScript::getInternalProperties):
3228         (Inspector::InjectedScript::getCollectionEntries):
3229         (Inspector::InjectedScript::wrapCallFrames const):
3230         * inspector/InjectedScript.h:
3231         * inspector/InspectorProtocolTypes.h:
3232         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
3233         (Inspector::Protocol::Array::Array): Deleted.
3234         (Inspector::Protocol::Array::openAccessors): Deleted.
3235         (Inspector::Protocol::Array::addItem): Deleted.
3236         (Inspector::Protocol::Array::create): Deleted.
3237         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
3238         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
3239         Move the implementation out of this file.
3240
3241         * inspector/ScriptCallStack.cpp:
3242         (Inspector::ScriptCallStack::buildInspectorArray const):
3243         * inspector/ScriptCallStack.h:
3244         * inspector/agents/InspectorAgent.cpp:
3245         (Inspector::InspectorAgent::activateExtraDomain):
3246         (Inspector::InspectorAgent::activateExtraDomains):
3247         * inspector/agents/InspectorAgent.h:
3248         * inspector/agents/InspectorConsoleAgent.cpp:
3249         (Inspector::InspectorConsoleAgent::getLoggingChannels):
3250         * inspector/agents/InspectorConsoleAgent.h:
3251         * inspector/agents/InspectorDebuggerAgent.cpp:
3252         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3253         (Inspector::InspectorDebuggerAgent::searchInContent):
3254         (Inspector::InspectorDebuggerAgent::currentCallFrames):
3255         * inspector/agents/InspectorDebuggerAgent.h:
3256         * inspector/agents/InspectorRuntimeAgent.cpp:
3257         (Inspector::InspectorRuntimeAgent::getProperties):
3258         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
3259         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
3260         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3261         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3262         * inspector/agents/InspectorRuntimeAgent.h:
3263         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3264         (Inspector::buildSamples):
3265         Use more 'auto' and rename a variable.
3266
3267         * inspector/scripts/codegen/cpp_generator.py:
3268         (CppGenerator.cpp_protocol_type_for_type):
3269         Adopt new type names. This exposed a latent bug where we should have been
3270         unwrapping an AliasedType prior to generating a C++ type for it. The aliased
3271         type may be an array, in which case we would have generated the wrong type.
3272
3273         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3274         (_generate_typedefs_for_domain.JSON):
3275         (_generate_typedefs_for_domain.Inspector): Deleted.
3276         * inspector/scripts/codegen/objc_generator.py:
3277         (ObjCGenerator.protocol_type_for_type):
3278         (ObjCGenerator.objc_protocol_export_expression_for_variable):
3279         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3280         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3281         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3282         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3283         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3284         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3285         Rebaseline.
3286
3287         * runtime/TypeSet.cpp:
3288         (JSC::TypeSet::allStructureRepresentations const):
3289         (JSC::StructureShape::inspectorRepresentation):
3290         * runtime/TypeSet.h:
3291
3292 2017-12-01  Saam Barati  <sbarati@apple.com>
3293
3294         Having a bad time needs to handle ArrayClass indexing type as well
3295         https://bugs.webkit.org/show_bug.cgi?id=180274
3296         <rdar://problem/35667869>
3297
3298         Reviewed by Keith Miller and Mark Lam.
3299
3300         We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
3301         Otherwise, we'll end up with the wrong Structure, which will lead us to not
3302         adhere to the spec. The bug was that we were not considering ArrayClass inside 
3303         hasBrokenIndexing. This patch rewrites that function to automatically opt
3304         in non-empty indexing types as broken, instead of having to opt out all
3305         non-empty indexing types besides SlowPutArrayStorage.
3306
3307         * runtime/IndexingType.h:
3308         (JSC::hasSlowPutArrayStorage):
3309         (JSC::shouldUseSlowPut):
3310         * runtime/JSGlobalObject.cpp:
3311         * runtime/JSObject.cpp:
3312         (JSC::JSObject::switchToSlowPutArrayStorage):
3313
3314 2017-12-01  JF Bastien  <jfbastien@apple.com>
3315
3316         WebAssembly: stack trace improvement follow-ups
3317         https://bugs.webkit.org/show_bug.cgi?id=180273
3318
3319         Reviewed by Saam Barati.
3320
3321         * wasm/WasmIndexOrName.cpp:
3322         (JSC::Wasm::makeString):
3323         * wasm/WasmIndexOrName.h:
3324         (JSC::Wasm::IndexOrName::nameSection const):
3325         * wasm/WasmNameSection.h:
3326         (JSC::Wasm::NameSection::NameSection):
3327         (JSC::Wasm::NameSection::get):
3328
3329 2017-12-01  JF Bastien  <jfbastien@apple.com>
3330
3331         WebAssembly: restore cached stack limit after out-call
3332         https://bugs.webkit.org/show_bug.cgi?id=179106
3333         <rdar://problem/35337525>
3334
3335         Reviewed by Saam Barati.
3336
3337         We cache the stack limit on the Instance so that we can do fast
3338         stack checks where required. In regular usage the stack limit
3339         never changes because we always run on the same thread, but in
3340         rare cases an API user can totally migrate which thread (and
3341         therefore stack) is used for execution between WebAssembly
3342         traces. For that reason we set the cached stack limit to
3343         UINTPTR_MAX on the outgoing Instance when transitioning back into
3344         a different Instance. We usually restore the cached stack limit in
3345         Context::store, but this wasn't called on all code paths. We had a
3346         bug where an Instance calling into itself indirectly would
3347         therefore fail to restore its cached stack limit properly.
3348
3349         This patch therefore restores the cached stack limit after direct
3350         calls which could be to imports (both wasm->wasm and
3351         wasm->embedder). We have to do all of them because we have no way
3352         of knowing what imports will do (they're known at instantiation
3353         time, not compilation time, and different instances can have
3354         different imports). To make this efficient we also add a pointer
3355         to the canonical location of the stack limit (i.e. the extra
3356         indirection we're trying to save by caching the stack limit on the
3357         Instance in the first place). This is potentially a small perf hit
3358         on imported direct calls.
3359
3360         It's hard to say what the performance cost will be because we
3361         haven't seen much code in the wild which does this. We're adding
3362         two dependent loads and a store of the loaded value, which is
3363         unlikely to get used soon after. It's more code, but on an
3364         out-of-order processor it doesn't contribute to the critical path.
3365
3366         * wasm/WasmB3IRGenerator.cpp:
3367         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
3368         (JSC::Wasm::B3IRGenerator::addGrowMemory):
3369         (JSC::Wasm::B3IRGenerator::addCall):
3370         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3371         * wasm/WasmInstance.cpp:
3372         (JSC::Wasm::Instance::Instance):
3373         (JSC::Wasm::Instance::create):
3374         * wasm/WasmInstance.h:
3375         (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
3376         (JSC::Wasm::Instance::cachedStackLimit const):
3377         (JSC::Wasm::Instance::setCachedStackLimit):
3378         * wasm/js/JSWebAssemblyInstance.cpp:
3379         (JSC::JSWebAssemblyInstance::create):
3380         * wasm/js/WebAssemblyFunction.cpp:
3381         (JSC::callWebAssemblyFunction):
3382
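The following is an added illustration, not code from this ChangeLog or from WebKit: a constructed C++ simulation of the cached-stack-limit scheme described in the entry above. The type and function names (`StackLimitContext`, `WasmInstanceSim`, `transitionOut`, and the two call helpers) are hypothetical and do not correspond to JSC's real classes; the simulation shows what the UINTPTR_MAX sentinel does to the fast check, and why the cache must be refreshed from the canonical location after a call that may be an import.

```cpp
#include <cstdint>

// Constructed simulation (hypothetical names): canonical stack limit of the thread
// that is currently executing. In a real engine this lives on the per-thread context.
struct StackLimitContext {
    uintptr_t actualStackLimit;
};

// Constructed stand-in for an Instance that caches the stack limit for fast checks.
struct WasmInstanceSim {
    // Extra indirection to the canonical value; consulted only when refreshing the cache.
    uintptr_t* pointerToActualStackLimit;
    // The copy the fast stack check actually reads.
    uintptr_t cachedStackLimit;

    explicit WasmInstanceSim(StackLimitContext& context)
        : pointerToActualStackLimit(&context.actualStackLimit)
        , cachedStackLimit(context.actualStackLimit) { }

    // Fast check: the frame is acceptable only if the stack pointer is above the limit.
    bool stackCheck(uintptr_t stackPointer) const { return stackPointer > cachedStackLimit; }

    // Two dependent loads and a store: the cost the entry above accepts on imported calls.
    void restoreCachedStackLimit() { cachedStackLimit = *pointerToActualStackLimit; }
};

// Leaving `from`: the cache is poisoned with UINTPTR_MAX because the callee may switch
// the executing thread (and so the real limit) before control returns.
static void transitionOut(WasmInstanceSim& from) { from.cachedStackLimit = UINTPTR_MAX; }

// Pre-fix shape: an instance that re-enters itself through an import returns with the
// sentinel still in place, so every subsequent fast check reports overflow.
static bool callImportWithoutRestore(WasmInstanceSim& self, uintptr_t stackPointerAfterReturn) {
    transitionOut(self);
    // ... the import runs, re-enters `self` indirectly, and returns ...
    return self.stackCheck(stackPointerAfterReturn);
}

// Fixed shape: refresh the cache from the canonical location after the call, whatever
// the import did, because which import runs is only known at instantiation time.
static bool callImportWithRestore(WasmInstanceSim& self, uintptr_t stackPointerAfterReturn) {
    transitionOut(self);
    // ... the import runs and returns ...
    self.restoreCachedStackLimit();
    return self.stackCheck(stackPointerAfterReturn);
}
```

Note the direction in which the sentinel fails: with the cache stuck at UINTPTR_MAX, no stack pointer passes the fast check, so a missed restore surfaces as a spurious overflow rather than as an unchecked stack, which is the safer failure of the two.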
3383 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3384
3385         [JSC] Use JSFixedArray for op_new_array_buffer
3386         https://bugs.webkit.org/show_bug.cgi?id=180084
3387
3388         Reviewed by Saam Barati.
3389
3390         For op_new_array_buffer, we have a special constant buffer in CodeBlock.
3391         But using JSFixedArray is better because,
3392
3393         1. In DFG, we have a special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
3394            If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as a JS constant.
3395
3396         2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
3397            has JSFixedArray, we can just emit a held JSFixedArray.
3398
3399         3. We can reduce the length of op_new_array_buffer since JSFixedArray holds this.
3400
3401         4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
3402
3403         5. We do not need to look up the constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
3404            DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
3405            will be introduced in [1].
3406
3407         [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
3408
3409         * bytecode/BytecodeDumper.cpp:
3410         (JSC::BytecodeDumper<Block>::dumpBytecode):
3411         * bytecode/BytecodeList.json:
3412         * bytecode/BytecodeUseDef.h:
3413         (JSC::computeUsesForBytecodeOffset):
3414         * bytecode/CodeBlock.cpp:
3415         (JSC::CodeBlock::finishCreation):
3416         * bytecode/CodeBlock.h:
3417         (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
3418         (JSC::CodeBlock::addConstantBuffer): Deleted.
3419         (JSC::CodeBlock::constantBufferAsVector): Deleted.
3420         (JSC::CodeBlock::constantBuffer): Deleted.
3421         * bytecode/UnlinkedCodeBlock.cpp:
3422         (JSC::UnlinkedCodeBlock::shrinkToFit):
3423         * bytecode/UnlinkedCodeBlock.h:
3424         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
3425         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
3426         (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
3427         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
3428         * bytecompiler/BytecodeGenerator.cpp:
3429         (JSC::BytecodeGenerator::emitNewArray):
3430         (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
3431         * bytecompiler/BytecodeGenerator.h:
3432         * dfg/DFGByteCodeParser.cpp:
3433         (JSC::DFG::ByteCodeParser::parseBlock):
3434         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3435         (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
3436         (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
3437         (JSC::DFG::ConstantBufferKey::hash const): Deleted.
3438         (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
3439         (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
3440         (JSC::DFG::ConstantBufferKey::index const): Deleted.
3441         (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
3442         (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
3443         * dfg/DFGClobberize.h:
3444         (JSC::DFG::clobberize):
3445         * dfg/DFGGraph.cpp:
3446         (JSC::DFG::Graph::dump):
3447         * dfg/DFGGraph.h:
3448         * dfg/DFGNode.h:
3449         (JSC::DFG::Node::hasNewArrayBufferData):
3450         (JSC::DFG::Node::newArrayBufferData):
3451         (JSC::DFG::Node::hasVectorLengthHint):
3452         (JSC::DFG::Node::vectorLengthHint):
3453         (JSC::DFG::Node::indexingType):
3454         (JSC::DFG::Node::hasCellOperand):
3455         (JSC::DFG::Node::OpInfoWrapper::operator=):
3456         (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
3457         (JSC::DFG::Node::hasConstantBuffer): Deleted.
3458         (JSC::DFG::Node::startConstant): Deleted.
3459         (JSC::DFG::Node::numConstants): Deleted.
3460         * dfg/DFGOperations.cpp:
3461         * dfg/DFGOperations.h:
3462         * dfg/DFGSpeculativeJIT.h:
3463         (JSC::DFG::SpeculativeJIT::callOperation):
3464         * dfg/DFGSpeculativeJIT32_64.cpp:
3465         (JSC::DFG::SpeculativeJIT::compile):
3466         * dfg/DFGSpeculativeJIT64.cpp:
3467         (JSC::DFG::SpeculativeJIT::compile):
3468         * ftl/FTLLowerDFGToB3.cpp:
3469         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
3470         * jit/JIT.cpp:
3471         (JSC::JIT::privateCompileMainPass):
3472         * jit/JIT.h:
3473         * jit/JITOpcodes.cpp:
3474         (JSC::JIT::emit_op_new_array_buffer): Deleted.
3475         * jit/JITOperations.cpp:
3476         * jit/JITOperations.h:
3477         * llint/LLIntSlowPaths.cpp:
3478         * llint/LLIntSlowPaths.h:
3479         * llint/LowLevelInterpreter.asm:
3480         * runtime/CommonSlowPaths.cpp:
3481         (JSC::SLOW_PATH_DECL):
3482         * runtime/CommonSlowPaths.h:
3483         * runtime/JSFixedArray.cpp:
3484         (JSC::JSFixedArray::dumpToStream):
3485         * runtime/JSFixedArray.h:
3486         (JSC::JSFixedArray::create):
3487         (JSC::JSFixedArray::get const):
3488         (JSC::JSFixedArray::set):
3489         (JSC::JSFixedArray::buffer const):
3490         (JSC::JSFixedArray::values const):
3491         (JSC::JSFixedArray::length const):
3492         (JSC::JSFixedArray::get): Deleted.
3493
3494 2017-11-30  JF Bastien  <jfbastien@apple.com>
3495
3496         WebAssembly: improve stack trace
3497         https://bugs.webkit.org/show_bug.cgi?id=179343
3498
3499         Reviewed by Saam Barati.
3500
3501         Stack traces now include:
3502
3503           - Module name, if provided by the name section.
3504           - Module SHA1 hash if no name was provided
3505           - Stub identification, to differentiate from user code
3506           - Slightly different naming to match design from:
3507               https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
3508
3509         * interpreter/StackVisitor.cpp:
3510         (JSC::StackVisitor::Frame::functionName const):
3511         * runtime/StackFrame.cpp:
3512         (JSC::StackFrame::functionName const):
3513         (JSC::StackFrame::visitChildren):
3514         * wasm/WasmIndexOrName.cpp:
3515         (JSC::Wasm::IndexOrName::IndexOrName):
3516         (JSC::Wasm::makeString):
3517         * wasm/WasmIndexOrName.h:
3518         (JSC::Wasm::IndexOrName::nameSection const):
3519         * wasm/WasmModuleInformation.cpp:
3520         (JSC::Wasm::ModuleInformation::ModuleInformation):
3521         * wasm/WasmModuleInformation.h:
3522         * wasm/WasmNameSection.h:
3523         (JSC::Wasm::NameSection::NameSection):
3524         (JSC::Wasm::NameSection::get):
3525         * wasm/WasmNameSectionParser.cpp:
3526         (JSC::Wasm::NameSectionParser::parse):
3527
3528 2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>
3529
3530         Make LegacyCustomProtocolManager optional for network process
3531         https://bugs.webkit.org/show_bug.cgi?id=176230
3532
3533         Reviewed by Alex Christensen.
3534
3535         * Configurations/FeatureDefines.xcconfig:
3536
3537 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3538
3539         [JSC] Remove easy toRemove & map.remove() use in OAS phase
3540         https://bugs.webkit.org/show_bug.cgi?id=180208
3541
3542         Reviewed by Mark Lam.
3543
3544         In this patch, we replace Vector<> toRemove & map.remove loop with removeIf,
3545         to optimize this common pattern. This patch only modifies apparent ones.
3546         But we can apply this refactoring further to OAS phase in the future.
3547
3548         One thing we should be careful about is that the predicate of removeIf should not touch the
3549         removing set itself. In this patch, we apply this change to (1) apparently
3550         correct ones and (2) things in the DFG OAS phase, since it is very slow.
3551
3552         * b3/B3MoveConstants.cpp:
3553         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3554
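As an added example that is not part of this ChangeLog or of WebKit's code, the following C++ shows the refactoring the two entries above describe (a `toRemove` vector plus an erase loop, replaced by a single-pass `removeIf`) and the caveat they name: the predicate must not consult the container being mutated. The `removeIf` helper here is a constructed stand-in shaped like WTF's, and the dependency-map data model and all function names are hypothetical.

```cpp
#include <cstddef>
#include <unordered_map>
#include <unordered_set>
#include <vector>

// Constructed data model: node id -> id of the node it depends on (0 = no dependency).
using DependencyMap = std::unordered_map<int, int>;

// Old pattern: collect keys into a temporary vector, then erase each one (two passes).
static std::size_t removeUnrootedTwoPass(DependencyMap& nodes, const std::unordered_set<int>& roots) {
    std::vector<int> toRemove;
    for (const auto& entry : nodes) {
        if (!roots.count(entry.first))
            toRemove.push_back(entry.first);
    }
    for (int key : toRemove)
        nodes.erase(key);
    return toRemove.size();
}

// Single-pass removal in the shape of WTF's removeIf (constructed stand-in); returns the
// number of entries removed. The predicate sees each entry once and must not read or
// write `map` itself, because the container is mid-mutation while it runs.
template<typename Map, typename Predicate>
static std::size_t removeIf(Map& map, Predicate predicate) {
    std::size_t removed = 0;
    for (auto it = map.begin(); it != map.end();) {
        if (predicate(*it)) {
            it = map.erase(it);  // erase returns the next valid iterator
            ++removed;
        } else
            ++it;
    }
    return removed;
}

// New pattern: same result as the two-pass version, no temporary vector. The predicate
// only reads `roots`, never `nodes`.
static std::size_t removeUnrootedSinglePass(DependencyMap& nodes, const std::unordered_set<int>& roots) {
    return removeIf(nodes, [&](const DependencyMap::value_type& entry) { return !roots.count(entry.first); });
}

// A predicate that needs facts about the map being pruned (here: "is my dependency
// still present?") must read them from a snapshot taken before the pass. Querying
// `nodes` inside the predicate would make the answer depend on iteration order.
static std::size_t removeDanglingDependencies(DependencyMap& nodes) {
    std::unordered_set<int> presentAtStart;
    for (const auto& entry : nodes)
        presentAtStart.insert(entry.first);
    return removeIf(nodes, [&](const DependencyMap::value_type& entry) {
        return entry.second != 0 && !presentAtStart.count(entry.second);
    });
}
```

The snapshot in `removeDanglingDependencies` is the general form of the caveat: whatever the predicate needs to know about the set is decided before removal starts, so the pass is deterministic regardless of bucket order.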
3555 2017-11-30  Commit Queue  <commit-queue@webkit.org>
3556
3557         Unreviewed, rolling out r225362.
3558         https://bugs.webkit.org/show_bug.cgi?id=180225
3559
3560         removeIf predicate function can touch remove target set
3561         (Requested by yusukesuzuki on #webkit).
3562
3563         Reverted changeset:
3564
3565         "[JSC] Remove easy toRemove & map.remove() use"
3566         https://bugs.webkit.org/show_bug.cgi?id=180208
3567         https://trac.webkit.org/changeset/225362
3568
3569 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3570
3571         [JSC] Use AllocatorIfExists for MaterializeNewObject
3572         https://bugs.webkit.org/show_bug.cgi?id=180189
3573
3574         Reviewed by Filip Pizlo.
3575
3576         I don't think anyone guarantees this allocator exists at this phase.
3577         And a nullptr allocator just works here. We change AllocatorForMode
3578         to AllocatorIfExists to accept nullptr for allocator.
3579
3580         * ftl/FTLLowerDFGToB3.cpp:
3581         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3582
3583 2017-11-30  Mark Lam  <mark.lam@apple.com>
3584
3585         Let's scramble MacroAssemblerCodePtr values.
3586         https://bugs.webkit.org/show_bug.cgi?id=180169
3587         <rdar://problem/35758340>
3588
3589         Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
3590
3591         1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
3592
3593         2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
3594            template argument type that will be used to cast the result.  This makes the
3595            client code that uses these functions a little less verbose.
3596
3597         3. Change the code base in general to minimize passing void* code pointers around.
3598            We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
3599            at the last moment when we need the underlying code pointer.
3600
3601         4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
3602            default.  I'm leaving them in because they are instrumental in finding bugs
3603            where not all MacroAssemblerCodePtr values were scrambled as expected.
3604            I expect them to be useful in the near future as we add more scrambling.
3605
3606         5. Also disable the casting operator on MacroAssemblerCodePtr (except for
3607            explicit casts to a boolean).  This ensures that clients will always explicitly
3608            use scrambledBits() or executableAddress() to get a value based on which value
3609            they actually need.
3610
3611         6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
3612            This was helpful when debugging tests that ran multiple VMs concurrently on
3613            different threads.
3614
3615         MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
3616         CLoop).  It is not yet supported in 32-bit and Windows because we don't
3617         currently have a way to read a global variable from their LLInt code.
3618
3619         * assembler/AbstractMacroAssembler.h:
3620         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
3621         (JSC::AbstractMacroAssembler::linkPointer):
3622         * assembler/CodeLocation.h:
3623         (JSC::CodeLocationCommon::instructionAtOffset):
3624         (JSC::CodeLocationCommon::labelAtOffset):
3625         (JSC::CodeLocationCommon::jumpAtOffset):
3626         (JSC::CodeLocationCommon::callAtOffset):
3627         (JSC::CodeLocationCommon::nearCallAtOffset):
3628         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
3629         (JSC::CodeLocationCommon::dataLabel32AtOffset):
3630         (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
3631         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
3632         * assembler/LinkBuffer.cpp:
3633         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3634         * assembler/LinkBuffer.h:
3635         (JSC::LinkBuffer::link):
3636         (JSC::LinkBuffer::patch):
3637         * assembler/MacroAssemblerCodeRef.cpp:
3638         (JSC::MacroAssemblerCodePtr::initialize):
3639         * assembler/MacroAssemblerCodeRef.h:
3640         (JSC::FunctionPtr::FunctionPtr):
3641         (JSC::FunctionPtr::value const):
3642         (JSC::FunctionPtr::executableAddress const):
3643         (JSC::ReturnAddressPtr::ReturnAddressPtr):
3644         (JSC::ReturnAddressPtr::value const):
3645         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3646         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
3647         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
3648         (JSC::MacroAssemblerCodePtr:: const):
3649         (JSC::MacroAssemblerCodePtr::operator! const):
3650         (JSC::MacroAssemblerCodePtr::operator bool const):
3651         (JSC::MacroAssemblerCodePtr::operator== const):
3652         (JSC::MacroAssemblerCodePtr::hash const):
3653         (JSC::MacroAssemblerCodePtr::emptyValue):
3654         (JSC::MacroAssemblerCodePtr::deletedValue):
3655         (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
3656         (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
3657         * b3/B3LowerMacros.cpp:
3658         * b3/testb3.cpp:
3659         (JSC::B3::testInterpreter):
3660         * dfg/DFGDisassembler.cpp:
3661         (JSC::DFG::Disassembler::dumpDisassembly):
3662         * dfg/DFGJITCompiler.cpp:
3663         (JSC::DFG::JITCompiler::link):
3664         (JSC::DFG::JITCompiler::compileFunction):
3665         * dfg/DFGOperations.cpp:
3666         * dfg/DFGSpeculativeJIT.cpp:
3667         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
3668         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3669         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
3670         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
3671         * dfg/DFGSpeculativeJIT.h:
3672         * disassembler/Disassembler.cpp:
3673         (JSC::disassemble):
3674         * disassembler/UDis86Disassembler.cpp:
3675         (JSC::tryToDisassembleWithUDis86):
3676         * ftl/FTLCompile.cpp:
3677         (JSC::FTL::compile):
3678         * ftl/FTLJITCode.cpp:
3679         (JSC::FTL::JITCode::executableAddressAtOffset):
3680         * ftl/FTLLink.cpp:
3681         (JSC::FTL::link):
3682         * ftl/FTLLowerDFGToB3.cpp:
3683         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
3684         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3685         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3686         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3687         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3688         * interpreter/InterpreterInlines.h:
3689         (JSC::Interpreter::getOpcodeID):
3690         * jit/JITArithmetic.cpp:
3691         (JSC::JIT::emitMathICFast):
3692         (JSC::JIT::emitMathICSlow):
3693         * jit/JITCode.cpp:
3694         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
3695         (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
3696         (JSC::JITCodeWithCodeRef::offsetOf):
3697         * jit/JITDisassembler.cpp:
3698         (JSC::JITDisassembler::dumpDisassembly):
3699         * jit/PCToCodeOriginMap.cpp:
3700         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
3701         * jit/Repatch.cpp:
3702         (JSC::ftlThunkAwareRepatchCall):
3703         * jit/ThunkGenerators.cpp:
3704         (JSC::virtualThunkFor):
3705         (JSC::boundThisNoArgsFunctionCallGenerator):
3706         * llint/LLIntSlowPaths.cpp:
3707         (JSC::LLInt::llint_trace_operand):
3708         (JSC::LLInt::llint_trace_value):
3709         (JSC::LLInt::handleHostCall):
3710         (JSC::LLInt::setUpCall):
3711         * llint/LowLevelInterpreter64.asm:
3712         * offlineasm/cloop.rb:
3713         * runtime/InitializeThreading.cpp:
3714         (JSC::initializeThreading):
3715         * wasm/WasmBBQPlan.cpp:
3716         (JSC::Wasm::BBQPlan::complete):
3717         * wasm/WasmCallee.h:
3718         (JSC::Wasm::Callee::entrypoint const):
3719         * wasm/WasmCodeBlock.cpp:
3720         (JSC::Wasm::CodeBlock::CodeBlock):
3721         * wasm/WasmOMGPlan.cpp:
3722         (JSC::Wasm::OMGPlan::work):
3723         * wasm/js/WasmToJS.cpp:
3724         (JSC::Wasm::wasmToJS):
3725         * wasm/js/WebAssemblyFunction.cpp:
3726         (JSC::callWebAssemblyFunction):
3727         * wasm/js/WebAssemblyFunction.h:
3728         * wasm/js/WebAssemblyWrapperFunction.cpp:
3729         (JSC::WebAssemblyWrapperFunction::create):
3730
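To make the scrambling idea in the entry above concrete, here is an added C++ sketch that is not JSC's ScrambledPtr or MacroAssemblerCodePtr and not code from this ChangeLog. It keeps the properties the entry lists: the stored value is a scrambled bit pattern rather than a raw address, the implicit conversions are disabled except for an explicit bool, and callers must ask for `scrambledBits()` or `executableAddress()` by name. `ScrambleKey` and `ScrambledCodePtr` are hypothetical names; the key derivation (a per-process random value) is an assumption of this sketch.

```cpp
#include <cstdint>
#include <random>

// Constructed per-process secret (hypothetical name). Every stored code pointer is mixed
// with it, so the raw bit pattern in memory is not a usable address on its own.
class ScrambleKey {
public:
    static uintptr_t get() {
        static const uintptr_t key = generate();
        return key;
    }

private:
    static uintptr_t generate() {
        std::random_device seed;
        std::mt19937_64 generator(seed());
        uintptr_t key;
        do {
            key = static_cast<uintptr_t>(generator());
        } while (!key);  // a zero key would store pointers in the clear
        return key;
    }
};

// Constructed analogue of a scrambled code pointer (hypothetical name).
template<typename T>
class ScrambledCodePtr {
public:
    ScrambledCodePtr() : m_scrambledBits(0) { }
    explicit ScrambledCodePtr(T* ptr)
        : m_scrambledBits(ptr ? reinterpret_cast<uintptr_t>(ptr) ^ ScrambleKey::get() : 0) { }

    // Descramble only at the last moment, where the real address is needed.
    T* executableAddress() const {
        return m_scrambledBits ? reinterpret_cast<T*>(m_scrambledBits ^ ScrambleKey::get()) : nullptr;
    }

    // What is actually held in memory; useful for hashing and for paranoid checks.
    uintptr_t scrambledBits() const { return m_scrambledBits; }

    // No implicit conversion to the raw pointer: clients must choose one of the above.
    explicit operator bool() const { return m_scrambledBits != 0; }
    bool operator!() const { return !m_scrambledBits; }
    bool operator==(const ScrambledCodePtr& other) const { return m_scrambledBits == other.m_scrambledBits; }

private:
    uintptr_t m_scrambledBits;
};

// Paranoid check in the spirit of the asserts the entry mentions: the stored bits of a
// non-null pointer must never equal the raw address.
template<typename T>
static bool isActuallyScrambled(const ScrambledCodePtr<T>& scrambled, T* raw) {
    return !raw || scrambled.scrambledBits() != reinterpret_cast<uintptr_t>(raw);
}
```

XOR with a secret hides the value but carries no integrity: a corrupted scrambled word still descrambles to some address. The benefit is that a value read or written without the key is not directly a code pointer, which is the mitigation property the entry is after.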
3731 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3732
3733         [JSC] Remove easy toRemove & map.remove() use
3734         https://bugs.webkit.org/show_bug.cgi?id=180208
3735
3736         Reviewed by Mark Lam.
3737
3738         In this patch, we replace Vector<> toRemove & map.remove loop with removeIf,
3739         to optimize this common pattern. This patch only modifies apparent ones.
3740         But we can apply this refactoring further to OAS phase in the future.
3741
3742         * b3/B3MoveConstants.cpp:
3743         * dfg/DFGArgumentsEliminationPhase.cpp:
3744         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3745         * wasm/WasmSignature.cpp:
3746         (JSC::Wasm::SignatureInformation::tryCleanup):
3747
3748 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3749
3750         [JSC] Use getEffectiveAddress more in JSC
3751         https://bugs.webkit.org/show_bug.cgi?id=180154
3752
3753         Reviewed by Mark Lam.
3754
3755         We can use MacroAssembler::getEffectiveAddress for stack height calculation.
3756         And we also add MacroAssembler::negPtr(src, dest) variation.
3757
3758         * assembler/MacroAssembler.h:
3759         (JSC::MacroAssembler::negPtr):
3760         * assembler/MacroAssemblerARM.h:
3761         (JSC::MacroAssemblerARM::neg32):
3762         * assembler/MacroAssemblerARM64.h:
3763         (JSC::MacroAssemblerARM64::neg32):
3764         (JSC::MacroAssemblerARM64::neg64):
3765         * assembler/MacroAssemblerARMv7.h:
3766         (JSC::MacroAssemblerARMv7::neg32):
3767         * assembler/MacroAssemblerMIPS.h:
3768         (JSC::MacroAssemblerMIPS::neg32):
3769         * assembler/MacroAssemblerX86Common.h:
3770         (JSC::MacroAssemblerX86Common::neg32):
3771         * assembler/MacroAssemblerX86_64.h:
3772         (JSC::MacroAssemblerX86_64::neg64):
3773         * dfg/DFGThunks.cpp:
3774         (JSC::DFG::osrEntryThunkGenerator):
3775         * ftl/FTLLowerDFGToB3.cpp:
3776         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3777         * jit/SetupVarargsFrame.cpp:
3778         (JSC::emitSetVarargsFrame):
3779
3780 2017-11-30  Mark Lam  <mark.lam@apple.com>
3781
3782         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
3783         https://bugs.webkit.org/show_bug.cgi?id=180219
3784         <rdar://problem/35696536>
3785
3786         Reviewed by Filip Pizlo.
3787
3788         * jsc.cpp:
3789         (functionFlashHeapAccess):
3790
3791 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3792
3793         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
3794         https://bugs.webkit.org/show_bug.cgi?id=180190
3795
3796         Reviewed by Mark Lam.
3797
3798         If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
3799         path by calling operationHasIndexedProperty. The problem is that
3800         operationHasIndexedProperty does not account for a negative index. The negative index
3801         was used as a uint32 array index.
3802
3803         In this patch we add a path for a negative index in operationHasIndexedProperty.
3804         And rename it to operationHasIndexedPropertyByInt to make the intention clear.
3805         We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
3806         since it is only used in DFG and FTL.
3807
3808         While fixing this bug, we found that our op_in does not record OutOfBound feedback.
3809         This causes repeated OSR exit and significantly regresses the performance. We opened
3810         a bug to track this issue[1].
3811
3812         [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
3813
3814         * dfg/DFGOperations.cpp:
3815         * dfg/DFGOperations.h:
3816         * dfg/DFGSpeculativeJIT32_64.cpp:
3817         (JSC::DFG::SpeculativeJIT::compile):
3818         * dfg/DFGSpeculativeJIT64.cpp:
3819         (JSC::DFG::SpeculativeJIT::compile):
3820         * ftl/FTLLowerDFGToB3.cpp:
3821         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
3822         * jit/JITOperations.cpp:
3823         * jit/JITOperations.h:
3824
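The bug class in the entry above (a signed index silently reinterpreted as unsigned) generalises beyond that one operation, so here is an added C++ example that is not WebKit's code and not from this ChangeLog. `IndexedObject` is a constructed model of an object with dense element storage plus string-keyed properties; the two `hasIndexedProperty*` functions are hypothetical names for the before and after shapes of the check.

```cpp
#include <cstdint>
#include <string>
#include <unordered_map>
#include <vector>

// Constructed model (hypothetical): dense elements plus string-keyed properties.
struct IndexedObject {
    std::vector<int> indexedStorage;               // elements 0 .. n-1
    std::unordered_map<std::string, int> named;    // everything else, keyed by string

    void putNamed(const std::string& key, int value) { named[key] = value; }
};

// Before the fix: the int32 is reinterpreted as uint32, so -1 becomes 4294967295.
// That is never a valid element index, and the string-keyed property "-1" is
// never consulted, so the answer is wrong for every negative input.
static bool hasIndexedPropertyBuggy(const IndexedObject& object, int32_t index) {
    uint32_t unsignedIndex = static_cast<uint32_t>(index);
    return unsignedIndex < object.indexedStorage.size();
}

// After the fix: a negative value cannot be an array index, so it takes the
// string-property path instead of being folded into the unsigned range.
static bool hasIndexedPropertyByInt(const IndexedObject& object, int32_t index) {
    if (index < 0)
        return object.named.count(std::to_string(index)) > 0;
    return static_cast<uint32_t>(index) < object.indexedStorage.size();
}
```

The sign check must come before any cast: once the value is unsigned, the information that it was negative is gone, and a bounds comparison against the storage size looks correct while answering the wrong question.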
3825 2017-11-30  Michael Saboff  <msaboff@apple.com>
3826
3827         Allow JSC command line tool to accept UTF8
3828         https://bugs.webkit.org/show_bug.cgi?id=180205
3829
3830         Reviewed by Keith Miller.
3831
3832         This unifies the UTF8 handling of interactive mode with that of source files.
3833
3834         * jsc.cpp:
3835         (runInteractive):
3836
3837 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3838
3839         REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
3840         https://bugs.webkit.org/show_bug.cgi?id=180185
3841
3842         Reviewed by Carlos Garcia Campos.
3843
3844         After r225314, we start using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
3845         But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
3846         can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
3847         And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated. But a MakeRope
3848         DFG node can be emitted if we see an untaken path that includes String + String code.
3849
3850         This patch fixes Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
3851         As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
3852         I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
3853         original code used before r225314.
3854
3855         * dfg/DFGSpeculativeJIT.cpp:
3856         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3857         * ftl/FTLLowerDFGToB3.cpp:
3858         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3859
3860 2017-11-28  Filip Pizlo  <fpizlo@apple.com>
3861
3862         CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
3863         https://bugs.webkit.org/show_bug.cgi?id=180108
3864
3865         Reviewed by Saam Barati.
3866         
3867         This was creating a vector of things to remove and then removing them. I think I remember writing
3868         this code, and I did that because at the time we did not have removeAllMatching, which is
3869         definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
3870         obvious improvement before I did more fundamental things to this code.
3871
3872         * heap/CodeBlockSet.cpp:
3873         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
3874
3875 2017-11-29  Filip Pizlo  <fpizlo@apple.com>
3876
3877         GC should support isoheaps
3878         https://bugs.webkit.org/show_bug.cgi?id=179288
3879
3880         Reviewed by Saam Barati.
3881         
3882         This expands the power of the Subspace API in JSC:
3883         
3884         - Everything associated with describing the types of objects is now part of the HeapCellType class.
3885           We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
3886           HeapCellType; these are orthogonal things.
3887         
3888         - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
3889           any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
3890           special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
3891           pages but releases the physical pages as part of the respective allocator's scavenging policy
3892           (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
3893           IsoSubspace).
3894         
3895         So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
3896         for more things.
3897         
3898         This does not have any effect on JetStream (0.18% faster with p = 0.69).
3899
3900         * JavaScriptCore.xcodeproj/project.pbxproj:
3901         * Sources.txt:
3902         * bytecode/AccessCase.cpp:
3903         (JSC::AccessCase::generateImpl):
3904         * bytecode/ObjectAllocationProfileInlines.h:
3905         (JSC::ObjectAllocationProfile::initializeProfile):
3906         * dfg/DFGSpeculativeJIT.cpp:
3907         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3908         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3909         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3910         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3911         * dfg/DFGSpeculativeJIT64.cpp:
3912         (JSC::DFG::SpeculativeJIT::compile):
3913         * ftl/FTLAbstractHeapRepository.h:
3914         * ftl/FTLLowerDFGToB3.cpp:
3915         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3916         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3917         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3918         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3919         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3920         * heap/AlignedMemoryAllocator.cpp:
3921         (JSC::AlignedMemoryAllocator::registerAllocator):
3922         (JSC::AlignedMemoryAllocator::registerSubspace):
3923         * heap/AlignedMemoryAllocator.h:
3924         (JSC::AlignedMemoryAllocator::firstAllocator const):
3925         * heap/AllocationFailureMode.h: Added.
3926         * heap/CompleteSubspace.cpp: Added.
3927         (JSC::CompleteSubspace::CompleteSubspace):
3928         (JSC::CompleteSubspace::~CompleteSubspace):
3929         (JSC::CompleteSubspace::allocatorFor):
3930         (JSC::CompleteSubspace::allocate):
3931         (JSC::CompleteSubspace::allocateNonVirtual):
3932         (JSC::CompleteSubspa