IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-01  Robin Morisset  <rmorisset@apple.com>

        IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
        https://bugs.webkit.org/show_bug.cgi?id=185162

        Reviewed by Filip Pizlo.

        * runtime/IntlObject.cpp:
        (JSC::removeUnicodeLocaleExtension):

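The edge case named in the entry above, as an added example that is not JavaScriptCore's own code: a BCP 47 Unicode locale extension begins at a "u" singleton subtag and runs until the next singleton or the end of the tag, so a tag whose last subtag is "u" (for example "en-u") contains no extension sequence and must come back unchanged. The function name mirrors the entry; the private-use handling for "x" is an assumption about reasonable behaviour, not something the entry states.

```javascript
// Added example, not JavaScriptCore's own code: strip the BCP 47 Unicode
// locale extension ("-u-" plus its keyword subtags) from a language tag.
//
// The extension starts at a "u" singleton subtag and runs until the next
// singleton (a one-character subtag such as "t" or "x") or the end of the
// tag. Everything from an "x" singleton on is private use and is copied
// verbatim (assumed behaviour). A "u" that is the *last* subtag (e.g. "en-u")
// introduces no extension sequence, so such a tag is returned unchanged.
function removeUnicodeLocaleExtension(locale) {
  const subtags = locale.split('-');
  const out = [];
  let i = 0;
  while (i < subtags.length) {
    const tag = subtags[i];
    const lower = tag.toLowerCase();
    if (lower === 'x') {
      // Private-use section: keep it and everything after it untouched.
      out.push(...subtags.slice(i));
      break;
    }
    if (lower === 'u' && i + 1 < subtags.length) {
      // Skip "u" and the extension subtags up to the next singleton.
      i += 1;
      while (i < subtags.length && subtags[i].length !== 1) i += 1;
      continue; // the singleton that stopped us is handled by the outer loop
    }
    // Ordinary subtag, another extension's singleton, or a trailing "u".
    out.push(tag);
    i += 1;
  }
  return out.join('-');
}
```

The trailing-"u" branch is the point of the entry: the inner loop must only be entered when a subtag actually follows the singleton, otherwise the tag would lose its last subtag.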
2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>

        Add SetCallee as DFG-Operation
        https://bugs.webkit.org/show_bug.cgi?id=184582

        Reviewed by Filip Pizlo.

        For recursive tail calls not only the argument count but also the
        callee can change. Add SetCallee to DFG that sets the callee slot in the current call frame.
        Also update the callee when optimizing a recursive tail call.
        Enable recursive tail call optimization also for closures.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::handleCallVariant):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetCallee):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):

2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>

        WebAssembly: add support for stream APIs - JavaScript API
        https://bugs.webkit.org/show_bug.cgi?id=183442

        Reviewed by Yusuke Suzuki and JF Bastien.

        Add WebAssembly stream API. The current patch only adds the functions
        WebAssembly.compileStreaming and WebAssembly.instantiateStreaming, but
        does not add a streaming implementation. So in the current version it
        only waits for the whole module to load, then starts to parse.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.h:
        * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
        (compileStreaming):
        (instantiateStreaming):
        * jsc.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::hasPendingPromise):
        (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
        * runtime/PromiseDeferredTimer.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyModuleValidateAsyncInternal):
        (JSC::webAssemblyCompileFunc):
        (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
        (JSC::webAssemblyModuleInstantinateAsyncInternal):
        (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
        (JSC::webAssemblyCompileStreamingInternal):
        (JSC::webAssemblyInstantiateStreamingInternal):
        (JSC::WebAssemblyPrototype::create):
        (JSC::WebAssemblyPrototype::finishCreation):
        * wasm/js/WebAssemblyPrototype.h:

2018-04-30  Saam Barati  <sbarati@apple.com>

        ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=185149
        <rdar://problem/39455917>

        Reviewed by Filip Pizlo.

        The bug was that we were deleting checks that we shouldn't have deleted.
        This patch makes a helper inside strength reduction that converts to
        a LazyJSConstant while maintaining checks, and switches users of the
        node API inside strength reduction to instead call the helper function.

        This patch also fixes a potential bug where StringReplace and
        StringReplaceRegExp may not preserve all their checks.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        LICM shouldn't hoist nodes if hoisted nodes exited in that code block
        https://bugs.webkit.org/show_bug.cgi?id=185126

        Reviewed by Saam Barati.

        This change is just restoring functionality that we've already had for a while. It had been
        accidentally broken due to an unrelated CodeBlock refactoring.

        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):

2018-04-30  Mark Lam  <mark.lam@apple.com>

        Apply PtrTags to the MetaAllocator and friends.
        https://bugs.webkit.org/show_bug.cgi?id=185110
        <rdar://problem/39533895>

        Reviewed by Saam Barati.

        1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
        2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
           and add a sanity check to verify that allocated code buffers are within those
           bounds.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::debugAddress):
        (JSC::LinkBuffer::code):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::findPC):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        (JSC::isJITPC):
        (JSC::performJITMemcpy):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * runtime/JSCPtrTag.h:
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move the MayBePrototype JSCell header bit to InlineTypeFlags
        https://bugs.webkit.org/show_bug.cgi?id=185143

        Reviewed by Mark Lam.

        * runtime/IndexingType.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        (JSC::JSCell::mayBePrototype const):
        (JSC::JSCell::didBecomePrototype):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::mayBePrototype):
        (JSC::TypeInfo::mergeInlineTypeFlags):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Remove unneeded exception check from String.fromCharCode
        https://bugs.webkit.org/show_bug.cgi?id=185083

        Reviewed by Mark Lam.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move StructureIsImmortal to out of line flags.
        https://bugs.webkit.org/show_bug.cgi?id=185101

        Reviewed by Saam Barati.

        This will free up a bit in the inline flags where we can move the
        isPrototype bit to. This will, in turn, free a bit for use in
        implementing copy on write butterflies.

        Also, this patch removes an assertion from Structure::typeInfo()
        that inadvertently makes the function invalid to call while
        cleaning up the vm.

        * heap/HeapCellType.cpp:
        (JSC::DefaultDestroyFunc::operator() const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::callDestructor): Deleted.
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasStaticPropertyTable):
        (JSC::TypeInfo::structureIsImmortal const):
        * runtime/Structure.h:

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove arity fixup check if the number of parameters is 1
        https://bugs.webkit.org/show_bug.cgi?id=183984

        Reviewed by Mark Lam.

        If the number of parameters is one (|this|), we never hit the arity fixup check.
        We do not need to emit arity fixup check code.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use WordLock instead of std::mutex for Threading
        https://bugs.webkit.org/show_bug.cgi?id=185121

        Reviewed by Geoffrey Garen.

        ThreadGroup starts using WordLock.

        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::getLock):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        B3 should run tail duplication at the bitter end
        https://bugs.webkit.org/show_bug.cgi?id=185123

        Reviewed by Geoffrey Garen.

        Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
        everywhere else.

        The goal of this change is to allow us to run path specialization after switch lowering but
        before tail duplication.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * runtime/Options.h:

2018-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231137.
        https://bugs.webkit.org/show_bug.cgi?id=185118

        It is breaking Test262
        language/expressions/multiplication/order-of-evaluation.js
        (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231137

2018-04-28  Saam Barati  <sbarati@apple.com>

        We don't model regexp effects properly
        https://bugs.webkit.org/show_bug.cgi?id=185059
        <rdar://problem/39736150>

        Reviewed by Filip Pizlo.

        RegExp exec/test can have arbitrary effects when converting the lastIndex
        with ToNumber if the regexp is global.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

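The effect the entry above is about, shown as an added example that is not JavaScriptCore code: for a global regexp, exec/test read lastIndex and run it through ToNumber before matching, so a lastIndex object with a user-defined valueOf executes arbitrary JavaScript, and can mutate unrelated state, in the middle of what a compiler might otherwise treat as a pure match. The helper names and the sample input are constructed for this example; the observation about non-global regexps is deliberately left out because the entry only speaks about the global case.

```javascript
// Added example, not JavaScriptCore code: a *global* regexp's exec/test
// read lastIndex and convert it with ToNumber/ToLength before matching, so
// a lastIndex value with a user-defined valueOf runs arbitrary JavaScript,
// with arbitrary side effects, inside what looks like a pure match call.
function matchWithEffectfulLastIndex(re, input) {
  const events = [];
  const shared = [1, 2, 3]; // unrelated state that the effect clobbers
  re.lastIndex = {
    valueOf() {
      events.push(`valueOf (global=${re.global}) before the match`);
      shared.length = 0;      // an arbitrary effect on unrelated state
      return 0;               // begin the search at offset 0
    },
  };
  const matched = re.test(input);
  events.push(`test returned ${matched}`);
  return {
    matched,
    events,
    sharedLengthAfter: shared.length, // 0: the effect really happened
    lastIndexAfter: re.lastIndex,     // a number now, written by the match
  };
}

// Constructed input: a global regexp and a string that matches at offset 1.
function demo() {
  return matchWithEffectfulLastIndex(/a/g, 'xa');
}
```

The ordering in `events` is what a DFG model of these nodes has to respect: the user code runs before the match and after the read of lastIndex, and anything it touches (here the array) cannot be assumed unchanged across the call.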
2018-04-28  Rick Waldron  <waldron.rick@gmail.com>

        Token misspelled "tocken" in error message string
        https://bugs.webkit.org/show_bug.cgi?id=185030

        Reviewed by Saam Barati.

        * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
        (JSC::Parser<LexerType>::parseObjectRestElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseBreakStatement):
        (JSC::Parser<LexerType>::parseContinueStatement):
        (JSC::Parser<LexerType>::parseThrowStatement):
        (JSC::Parser<LexerType>::parseWithStatement):
        (JSC::Parser<LexerType>::parseSwitchStatement):
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseTryStatement):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseExpressionStatement):
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseConditionalExpression):
        (JSC::Parser<LexerType>::parseBinaryExpression):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseArrayLiteral):
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::operatorString):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):

2018-04-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in the
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned where there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231131.
        https://bugs.webkit.org/show_bug.cgi?id=185112

        It is breaking Debug build due to unchecked exception
        (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231131

2018-04-27  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in the
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned where there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-27  JF Bastien  <jfbastien@apple.com>

        Make the first 64 bits of JSString look like a double JSValue
        https://bugs.webkit.org/show_bug.cgi?id=185081

        Reviewed by Filip Pizlo.

        We can be clever about how we lay out JSString so that, were it
        reinterpreted as a JSValue, it would look like a double.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and16):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andw_mr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        * runtime/JSString.h:
        (JSC::JSString::JSString):

2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
        https://bugs.webkit.org/show_bug.cgi?id=185055

        Reviewed by JF Bastien.

        This patch is paving the way to emitting the jscvt instruction if possible.
        To do that, we need to determine whether the jscvt instruction is supported
        on the given CPU.

        We add a function collectCPUFeatures, which is responsible for collecting
        CPU features if necessary. On Linux, we can use the auxiliary vector to get
        the information without parsing /proc/cpuinfo.

        Currently, nobody calls this function. It will be called later when we emit
        the jscvt instruction. To make that possible, we also need to add disassembler
        support.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerX86Common.h:

2018-04-26  Filip Pizlo  <fpizlo@apple.com>

        Also run foldPathConstants before mussing up SSA
        https://bugs.webkit.org/show_bug.cgi?id=185069

        Reviewed by Saam Barati.

        This isn't needed now, but will be once I implement the phase in bug 185060.

        This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
        Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
        be landed separately and measured separately from that phase.

        It's probably nice for sanity to have this and reduceStrength run before tail duplication and
        another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
        it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
        neutral. It all depends on what programs typically look like.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):

2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231086.

        Caused JSC test failures due to an unchecked exception.

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231086

2018-04-26  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in the
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned where there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Speculative build fix for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Not reviewed.

        * runtime/JSCPtrTag.h:

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Windows build fix.

        Not reviewed.

        * runtime/Options.cpp:

2018-04-26  Jer Noble  <jer.noble@apple.com>

        WK_COCOA_TOUCH all the things.
        https://bugs.webkit.org/show_bug.cgi?id=185006
        <rdar://problem/39736025>

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:

2018-04-26  Per Arne Vollan  <pvollan@apple.com>

        Disable content filtering in minimal simulator mode
        https://bugs.webkit.org/show_bug.cgi?id=185027
        <rdar://problem/39736091>

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Intl.PluralRules
        https://bugs.webkit.org/show_bug.cgi?id=184312

        Reviewed by JF Bastien.

        Use UNumberFormat to enforce formatting, and then UPluralRules to find
        the correct plural rule for the given number. Relies on ICU v59+ for
        resolvedOptions().pluralCategories and trailing 0 detection.
        Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.h:
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
        * runtime/BigIntObject.h:
        * runtime/CommonIdentifiers.h:
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp: Added.
        (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
        (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
        (JSC::UEnumerationDeleter::operator() const):
        (JSC::IntlPluralRules::create):
        (JSC::IntlPluralRules::createStructure):
        (JSC::IntlPluralRules::IntlPluralRules):
        (JSC::IntlPluralRules::finishCreation):
        (JSC::IntlPluralRules::destroy):
        (JSC::IntlPluralRules::visitChildren):
        (JSC::IntlPRInternal::localeData):
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h: Added.
        * runtime/IntlPluralRulesConstructor.cpp: Added.
        (JSC::IntlPluralRulesConstructor::create):
        (JSC::IntlPluralRulesConstructor::createStructure):
        (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
        (JSC::IntlPluralRulesConstructor::finishCreation):
        (JSC::constructIntlPluralRules):
        (JSC::callIntlPluralRules):
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        (JSC::IntlPluralRulesConstructor::visitChildren):
        * runtime/IntlPluralRulesConstructor.h: Added.
        * runtime/IntlPluralRulesPrototype.cpp: Added.
        (JSC::IntlPluralRulesPrototype::create):
        (JSC::IntlPluralRulesPrototype::createStructure):
        (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
        (JSC::IntlPluralRulesPrototype::finishCreation):
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/IntlPluralRulesPrototype.h: Added.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/RegExpPrototype.cpp: Added inlines header.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

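The API the entry above introduces, exercised from script as an added example that is not the JSC implementation: select() maps a number to a CLDR plural category for cardinal or ordinal use, and resolvedOptions().pluralCategories lists the categories a locale can produce. The helper names are constructed for this example; the sample strings are constructed too. The fraction-digit helper illustrates the "trailing 0 detection" the entry mentions (formatting 1 as "1.0" changes the category in English, where the "one" rule requires no visible fraction digits), and its result depends on the ICU the engine is built against.

```javascript
// Added example, not the JSC implementation: selecting plural categories
// with Intl.PluralRules for cardinal and ordinal forms.
function pluralCategory(locale, n, options = {}) {
  return new Intl.PluralRules(locale, options).select(n);
}

// forms maps CLDR categories (zero/one/two/few/many/other) to strings;
// 'other' must always be present because every locale can return it.
function formatCount(locale, n, forms) {
  const category = pluralCategory(locale, n);
  return `${n} ${forms[category] || forms.other}`;
}

// English ordinal suffixes: the ordinal rules give one/two/few/other for
// 1st/2nd/3rd/4th, and "other" again for 11th, 12th and 13th.
function ordinalSuffix(n) {
  const suffix = { one: 'st', two: 'nd', few: 'rd', other: 'th' };
  return `${n}${suffix[pluralCategory('en', n, { type: 'ordinal' })]}`;
}

// The categories a locale can return, from resolvedOptions().
function pluralCategories(locale) {
  return new Intl.PluralRules(locale).resolvedOptions().pluralCategories;
}

// Trailing-zero detection: the number is formatted first, so with one forced
// fraction digit 1 becomes "1.0"; English's "one" rule needs zero visible
// fraction digits, so the category differs from plain select(1).
function categoryWithFractionDigits(locale, n, digits) {
  return pluralCategory(locale, n, { minimumFractionDigits: digits });
}
```

A caller that concatenates "file"/"files" by testing `n === 1` is the bug this API exists to avoid: many locales have more than two categories, and the category for a given number depends on how the number is formatted, not just on its value.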
670 2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>
671
672         [MIPS] Fix branch offsets in branchNeg32
673         https://bugs.webkit.org/show_bug.cgi?id=185025
674
675         Reviewed by Yusuke Suzuki.
676
677         Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.
678
679         * assembler/MacroAssemblerMIPS.h:
680         (JSC::MacroAssemblerMIPS::branchNeg32):
681
682 2018-04-25  Robin Morisset  <rmorisset@apple.com>
683
684         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
685         https://bugs.webkit.org/show_bug.cgi?id=184773
686         <rdar://problem/37773612>
687
688         Reviewed by Filip Pizlo.
689
690         We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
691         arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
692         This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
693         We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
694         This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
695
696         * ftl/FTLLowerDFGToB3.cpp:
697         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
698
699 2018-04-25  Mark Lam  <mark.lam@apple.com>
700
701         Push the definition of PtrTag down to the WTF layer.
702         https://bugs.webkit.org/show_bug.cgi?id=184976
703         <rdar://problem/39723901>
704
705         Reviewed by Saam Barati.
706
707         * CMakeLists.txt:
708         * JavaScriptCore.xcodeproj/project.pbxproj:
709         * assembler/ARM64Assembler.h:
710         * assembler/AbstractMacroAssembler.h:
711         * assembler/MacroAssemblerCodeRef.cpp:
712         * assembler/MacroAssemblerCodeRef.h:
713         * b3/B3MathExtras.cpp:
714         * bytecode/LLIntCallLinkInfo.h:
715         * disassembler/Disassembler.h:
716         * ftl/FTLJITCode.cpp:
717         * interpreter/InterpreterInlines.h:
718         * jit/ExecutableAllocator.h:
719         * jit/JITOperations.cpp:
720         * jit/ThunkGenerator.h:
721         * jit/ThunkGenerators.h:
722         * llint/LLIntOffsetsExtractor.cpp:
723         * llint/LLIntPCRanges.h:
724         * runtime/JSCPtrTag.h: Added.
725         * runtime/NativeFunction.h:
726         * runtime/PtrTag.h: Removed.
727         * runtime/VMTraps.cpp:
728
729 2018-04-25  Keith Miller  <keith_miller@apple.com>
730
731         getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
732         https://bugs.webkit.org/show_bug.cgi?id=184998
733
734         Reviewed by Saam Barati.
735
736         * runtime/CodeCache.cpp:
737         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
738
739 2018-04-25  Keith Miller  <keith_miller@apple.com>
740
741         Add missing scope release to functionProtoFuncToString
742         https://bugs.webkit.org/show_bug.cgi?id=184995
743
744         Reviewed by Saam Barati.
745
746         * runtime/FunctionPrototype.cpp:
747         (JSC::functionProtoFuncToString):
748
749 2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
750
751         REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
752         https://bugs.webkit.org/show_bug.cgi?id=184730
753
754         Reviewed by Mark Lam.
755
756         Add a swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM).
757         We now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.
758
759         We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with the
760         ARMv7 implementation.
761
762         * assembler/ARMAssembler.h:
763         * assembler/MacroAssemblerARM.h:
764         (JSC::MacroAssemblerARM::add32):
765         (JSC::MacroAssemblerARM::and32):
766         (JSC::MacroAssemblerARM::lshift32):
767         (JSC::MacroAssemblerARM::mul32):
768         (JSC::MacroAssemblerARM::or32):
769         (JSC::MacroAssemblerARM::rshift32):
770         (JSC::MacroAssemblerARM::urshift32):
771         (JSC::MacroAssemblerARM::sub32):
772         (JSC::MacroAssemblerARM::xor32):
773         (JSC::MacroAssemblerARM::load8):
774         (JSC::MacroAssemblerARM::abortWithReason):
775         (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
776         (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
777         (JSC::MacroAssemblerARM::store8):
778         (JSC::MacroAssemblerARM::store32):
779         (JSC::MacroAssemblerARM::push):
780         (JSC::MacroAssemblerARM::swap):
781         (JSC::MacroAssemblerARM::branch8):
782         (JSC::MacroAssemblerARM::branchPtr):
783         (JSC::MacroAssemblerARM::branch32):
784         (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
785         (JSC::MacroAssemblerARM::branchTest8):
786         (JSC::MacroAssemblerARM::branchTest32):
787         (JSC::MacroAssemblerARM::jump):
788         (JSC::MacroAssemblerARM::branchAdd32):
789         (JSC::MacroAssemblerARM::mull32):
790         (JSC::MacroAssemblerARM::branchMul32):
791         (JSC::MacroAssemblerARM::patchableBranch32):
792         (JSC::MacroAssemblerARM::nearCall):
793         (JSC::MacroAssemblerARM::compare32):
794         (JSC::MacroAssemblerARM::compare8):
795         (JSC::MacroAssemblerARM::test32):
796         (JSC::MacroAssemblerARM::test8):
797         (JSC::MacroAssemblerARM::add64):
798         (JSC::MacroAssemblerARM::load32):
799         (JSC::MacroAssemblerARM::call):
800         (JSC::MacroAssemblerARM::branchPtrWithPatch):
801         (JSC::MacroAssemblerARM::branch32WithPatch):
802         (JSC::MacroAssemblerARM::storePtrWithPatch):
803         (JSC::MacroAssemblerARM::loadDouble):
804         (JSC::MacroAssemblerARM::storeDouble):
805         (JSC::MacroAssemblerARM::addDouble):
806         (JSC::MacroAssemblerARM::divDouble):
807         (JSC::MacroAssemblerARM::subDouble):
808         (JSC::MacroAssemblerARM::mulDouble):
809         (JSC::MacroAssemblerARM::convertInt32ToDouble):
810         (JSC::MacroAssemblerARM::branchDouble):
811         (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
812         (JSC::MacroAssemblerARM::truncateDoubleToInt32):
813         (JSC::MacroAssemblerARM::truncateDoubleToUint32):
814         (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
815         (JSC::MacroAssemblerARM::branchDoubleNonZero):
816         (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
817         (JSC::MacroAssemblerARM::call32):
818         (JSC::MacroAssemblerARM::internalCompare32):
819
820 2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>
821
822         [WinCairo] Fix js/regexp-unicode.html crash.
823         https://bugs.webkit.org/show_bug.cgi?id=184891
824
825         Reviewed by Yusuke Suzuki.
826
827         On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
828         RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.
829
830         * yarr/YarrJIT.cpp:
831         (JSC::Yarr::YarrGenerator::generateEnter):
832         (JSC::Yarr::YarrGenerator::generateReturn):
833         Unconditionally save and restore RDI on 64-bit Windows.
834
835 2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>
836
837         [GTK] Miscellaneous build cleanups
838         https://bugs.webkit.org/show_bug.cgi?id=184399
839
840         Reviewed by Žan Doberšek.
841
842         * PlatformGTK.cmake:
843
844 2018-04-24  Keith Miller  <keith_miller@apple.com>
845
846         fromCharCode is missing some exception checks
847         https://bugs.webkit.org/show_bug.cgi?id=184952
848
849         Reviewed by Saam Barati.
850
851         I also removed the pointless slow path function and moved it into the
852         main function.
853
854         * runtime/StringConstructor.cpp:
855         (JSC::stringFromCharCode):
856         (JSC::stringFromCharCodeSlowCase): Deleted.
857
858 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
859
860         MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
861         https://bugs.webkit.org/show_bug.cgi?id=184923
862
863         Reviewed by Saam Barati.
864         
865         If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
866         (i.e. we know that the object has one of those structures), then previously we would still emit a
867         switch with a case per structure along with a default case. That would mean one extra redundant
868         branch to check that whatever structure we wound up with belongs to the set. In that case, we
869         were already making the default case be an Oops.
870         
871         One possible solution would be to say that the default case being Oops means that B3 doesn't need
872         to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
873         be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
874         seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
875         trap.
876         
877         So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
878         extra branch.
879         
880         This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
881         it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
882         read.
883
884         * ftl/FTLLowerDFGToB3.cpp:
885         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
886         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
887         (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):
888
889 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
890
891         DFG CSE should know how to decay a MultiGetByOffset
892         https://bugs.webkit.org/show_bug.cgi?id=159859
893
894         Reviewed by Keith Miller.
895         
896         This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
897         clobberize() can report a def() for MultiGetByOffset.
898         
899         This is a slight improvement to codegen in splay because splay is a heavy user of
900         MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
901         "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
902         removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
903         splay's time.
904
905         * dfg/DFGClobberize.h:
906         (JSC::DFG::clobberize):
907         * dfg/DFGNode.cpp:
908         (JSC::DFG::Node::remove):
909         (JSC::DFG::Node::removeWithoutChecks):
910         (JSC::DFG::Node::replaceWith):
911         (JSC::DFG::Node::replaceWithWithoutChecks):
912         * dfg/DFGNode.h:
913         (JSC::DFG::Node::convertToMultiGetByOffset):
914         (JSC::DFG::Node::replaceWith): Deleted.
915         * dfg/DFGNodeType.h:
916         * dfg/DFGObjectAllocationSinkingPhase.cpp:
917
918 2018-04-24  Keith Miller  <keith_miller@apple.com>
919
920         Update API docs with information on which run loop the VM will use
921         https://bugs.webkit.org/show_bug.cgi?id=184900
922         <rdar://problem/39166054>
923
924         Reviewed by Mark Lam.
925
926         * API/JSContextRef.h:
927         * API/JSVirtualMachine.h:
928
929 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
930
931         $vm.totalGCTime() should be a thing
932         https://bugs.webkit.org/show_bug.cgi?id=184916
933
934         Reviewed by Sam Weinig.
935         
936         When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
937         time spent in GC to determine if the regression is because the GC got slower.
938         
939         This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
940
941         * heap/Heap.cpp:
942         (JSC::Heap::runEndPhase):
943         * heap/Heap.h:
944         (JSC::Heap::totalGCTime const):
945         * tools/JSDollarVM.cpp:
946         (JSC::functionTotalGCTime):
947         (JSC::JSDollarVM::finishCreation):
948
949 2018-04-23  Zalan Bujtas  <zalan@apple.com>
950
951         [LayoutFormattingContext] Initial commit.
952         https://bugs.webkit.org/show_bug.cgi?id=184896
953
954         Reviewed by Antti Koivisto.
955
956         * Configurations/FeatureDefines.xcconfig:
957
958 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
959
960         Unreviewed, revert accidental change to verbose flag.
961
962         * dfg/DFGByteCodeParser.cpp:
963
964 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
965
966         Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
967
968         Rubber stamped by Saam Barati.
969         
970         This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
971         anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
972         Seems sensible to just roll it out.
973
974         * dfg/DFGByteCodeParser.cpp:
975         (JSC::DFG::ByteCodeParser::addToGraph):
976         (JSC::DFG::ByteCodeParser::parse):
977
978 2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
979
980         [JSC] Remove ModuleLoaderPrototype
981         https://bugs.webkit.org/show_bug.cgi?id=184784
982
983         Reviewed by Mark Lam.
984
985         When we introduced ModuleLoaderPrototype, ModuleLoader could be created by users and exposed to users.
986         However, the loader spec has been abandoned, so we do not need to have ModuleLoaderPrototype and JSModuleLoader.
987         This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
988
989         * CMakeLists.txt:
990         * DerivedSources.make:
991         * JavaScriptCore.xcodeproj/project.pbxproj:
992         * Sources.txt:
993         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
994         * runtime/JSGlobalObject.cpp:
995         (JSC::JSGlobalObject::init):
996         (JSC::JSGlobalObject::visitChildren):
997         * runtime/JSGlobalObject.h:
998         (JSC::JSGlobalObject::proxyRevokeStructure const):
999         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
1000         * runtime/JSModuleLoader.cpp:
1001         (JSC::moduleLoaderParseModule):
1002         (JSC::moduleLoaderRequestedModules):
1003         (JSC::moduleLoaderModuleDeclarationInstantiation):
1004         (JSC::moduleLoaderResolve):
1005         (JSC::moduleLoaderResolveSync):
1006         (JSC::moduleLoaderFetch):
1007         (JSC::moduleLoaderGetModuleNamespaceObject):
1008         (JSC::moduleLoaderEvaluate):
1009         * runtime/JSModuleLoader.h:
1010         * runtime/ModuleLoaderPrototype.cpp: Removed.
1011         * runtime/ModuleLoaderPrototype.h: Removed.
1012
1013 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
1014
1015         [GLIB] All API tests fail in debug builds
1016         https://bugs.webkit.org/show_bug.cgi?id=184813
1017
1018         Reviewed by Mark Lam.
1019
1020         This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
1021         JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.
1022
1023         * API/glib/JSCContext.cpp:
1024         (JSCContextExceptionHandler::JSCContextExceptionHandler):
1025         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
1026         (jscContextConstructed):
1027         (ExceptionHandler::ExceptionHandler): Deleted.
1028         (ExceptionHandler::~ExceptionHandler): Deleted.
1029
1030 2018-04-20  Tim Horton  <timothy_horton@apple.com>
1031
1032         Adjust geolocation feature flag
1033         https://bugs.webkit.org/show_bug.cgi?id=184856
1034
1035         Reviewed by Wenson Hsieh.
1036
1037         * Configurations/FeatureDefines.xcconfig:
1038
1039 2018-04-20  Brian Burg  <bburg@apple.com>
1040
1041         Web Inspector: remove some dead code in IdentifiersFactory
1042         https://bugs.webkit.org/show_bug.cgi?id=184839
1043
1044         Reviewed by Timothy Hatcher.
1045
1046         This was never used on non-Chrome ports, so the identifier always has a
1047         prefix of '0.'. We may change this in the future, but for now remove this.
1048         Using a PID for this purpose is problematic anyway.
1049
1050         * inspector/IdentifiersFactory.cpp:
1051         (Inspector::addPrefixToIdentifier):
1052         (Inspector::IdentifiersFactory::createIdentifier):
1053         (Inspector::IdentifiersFactory::requestId):
1054         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
1055         * inspector/IdentifiersFactory.h:
1056
1057 2018-04-20  Mark Lam  <mark.lam@apple.com>
1058
1059         Add the ability to use a hash for setting PtrTag enum values.
1060         https://bugs.webkit.org/show_bug.cgi?id=184852
1061         <rdar://problem/39613891>
1062
1063         Reviewed by Saam Barati.
1064
1065         * runtime/PtrTag.h:
1066
1067 2018-04-20  Mark Lam  <mark.lam@apple.com>
1068
1069         Some JSEntryPtrTags should actually be JSInternalPtrTags.
1070         https://bugs.webkit.org/show_bug.cgi?id=184712
1071         <rdar://problem/39507381>
1072
1073         Reviewed by Michael Saboff.
1074
1075         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
1076         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
1077            only when needed.
1078
1079         * bytecode/AccessCase.cpp:
1080         (JSC::AccessCase::generateImpl):
1081         * bytecode/ByValInfo.h:
1082         (JSC::ByValInfo::ByValInfo):
1083         * bytecode/CallLinkInfo.cpp:
1084         (JSC::CallLinkInfo::callReturnLocation):
1085         (JSC::CallLinkInfo::patchableJump):
1086         (JSC::CallLinkInfo::hotPathBegin):
1087         (JSC::CallLinkInfo::slowPathStart):
1088         * bytecode/CallLinkInfo.h:
1089         (JSC::CallLinkInfo::setCallLocations):
1090         (JSC::CallLinkInfo::hotPathOther):
1091         * bytecode/PolymorphicAccess.cpp:
1092         (JSC::PolymorphicAccess::regenerate):
1093         * bytecode/StructureStubInfo.h:
1094         (JSC::StructureStubInfo::doneLocation):
1095         * dfg/DFGJITCompiler.cpp:
1096         (JSC::DFG::JITCompiler::link):
1097         * dfg/DFGOSRExit.cpp:
1098         (JSC::DFG::reifyInlinedCallFrames):
1099         * ftl/FTLLazySlowPath.cpp:
1100         (JSC::FTL::LazySlowPath::initialize):
1101         * ftl/FTLLazySlowPath.h:
1102         (JSC::FTL::LazySlowPath::done const):
1103         * ftl/FTLLowerDFGToB3.cpp:
1104         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1105         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1106         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1107         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1108         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1109         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1110         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1111         * jit/JIT.cpp:
1112         (JSC::JIT::link):
1113         * jit/JITExceptions.cpp:
1114         (JSC::genericUnwind):
1115         * jit/JITMathIC.h:
1116         (JSC::isProfileEmpty):
1117         * llint/LLIntData.cpp:
1118         (JSC::LLInt::initialize):
1119         * llint/LLIntData.h:
1120         (JSC::LLInt::getCodePtr):
1121         (JSC::LLInt::getExecutableAddress): Deleted.
1122         * llint/LLIntExceptions.cpp:
1123         (JSC::LLInt::callToThrow):
1124         * llint/LLIntSlowPaths.cpp:
1125         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1126         * wasm/js/WasmToJS.cpp:
1127         (JSC::Wasm::wasmToJS):
1128
1129 2018-04-18  Jer Noble  <jer.noble@apple.com>
1130
1131         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
1132         https://bugs.webkit.org/show_bug.cgi?id=184762
1133
1134         Reviewed by Dan Bernstein.
1135
1136         * Configurations/Base.xcconfig:
1137         * JavaScriptCore.xcodeproj/project.pbxproj:
1138
1139 2018-04-20  Daniel Bates  <dabates@apple.com>
1140
1141         Remove code for compilers that did not support NSDMI for aggregates
1142         https://bugs.webkit.org/show_bug.cgi?id=184599
1143
1144         Reviewed by Per Arne Vollan.
1145
1146         Remove workaround for earlier Visual Studio versions that did not support non-static data
1147         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
1148         and EWS bots to a newer version that supports this feature.
1149
1150         * domjit/DOMJITEffect.h:
1151         (JSC::DOMJIT::Effect::Effect): Deleted.
1152         * runtime/HasOwnPropertyCache.h:
1153         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
1154         * wasm/WasmFormat.h:
1155         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
1156
1157 2018-04-20  Mark Lam  <mark.lam@apple.com>
1158
1159         Build fix for internal builds after r230826.
1160         https://bugs.webkit.org/show_bug.cgi?id=184790
1161         <rdar://problem/39301369>
1162
1163         Not reviewed.
1164
1165         * runtime/Options.cpp:
1166         (JSC::overrideDefaults):
1167         * tools/SigillCrashAnalyzer.cpp:
1168         (JSC::SignalContext::dump):
1169
1170 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
1171
1172         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
1173         https://bugs.webkit.org/show_bug.cgi?id=184254
1174         <rdar://problem/39140200>
1175
1176         Reviewed by Daniel Bates.
1177
1178         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
1179
1180         * runtime/ArrayBuffer.h:
1181         (JSC::ArrayBufferContents::ArrayBufferContents):
1182
1183 2018-04-19  Mark Lam  <mark.lam@apple.com>
1184
1185         Apply pointer profiling to Signal pointers.
1186         https://bugs.webkit.org/show_bug.cgi?id=184790
1187         <rdar://problem/39301369>
1188
1189         Reviewed by Michael Saboff.
1190
1191         1. Change stackPointer, framePointer, and instructionPointer accessors to
1192            be a pair of getter/setter functions.
1193         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
1194            pointer profiling variants of these accessors.
1195         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
1196
1197         * JavaScriptCorePrefix.h:
1198         * runtime/MachineContext.h:
1199         (JSC::MachineContext::stackPointerImpl):
1200         (JSC::MachineContext::stackPointer):
1201         (JSC::MachineContext::setStackPointer):
1202         (JSC::MachineContext::framePointerImpl):
1203         (JSC::MachineContext::framePointer):
1204         (JSC::MachineContext::setFramePointer):
1205         (JSC::MachineContext::instructionPointerImpl):
1206         (JSC::MachineContext::instructionPointer):
1207         (JSC::MachineContext::setInstructionPointer):
1208         (JSC::MachineContext::linkRegisterImpl):
1209         (JSC::MachineContext::linkRegister):
1210         (JSC::MachineContext::setLinkRegister):
1211         * runtime/SamplingProfiler.cpp:
1212         (JSC::SamplingProfiler::takeSample):
1213         * runtime/VMTraps.cpp:
1214         (JSC::SignalContext::SignalContext):
1215         (JSC::VMTraps::tryInstallTrapBreakpoints):
1216         * tools/CodeProfiling.cpp:
1217         (JSC::profilingTimer):
1218         * tools/SigillCrashAnalyzer.cpp:
1219         (JSC::SignalContext::dump):
1220         (JSC::installCrashHandler):
1221         (JSC::SigillCrashAnalyzer::analyze):
1222         * wasm/WasmFaultSignalHandler.cpp:
1223         (JSC::Wasm::trapHandler):
1224
1225 2018-04-19  David Kilzer  <ddkilzer@apple.com>
1226
1227         Enable Objective-C weak references
1228         <https://webkit.org/b/184789>
1229         <rdar://problem/39571716>
1230
1231         Reviewed by Dan Bernstein.
1232
1233         * Configurations/Base.xcconfig:
1234         (CLANG_ENABLE_OBJC_WEAK): Enable.
1235         * Configurations/ToolExecutable.xcconfig:
1236         (CLANG_ENABLE_OBJC_ARC): Simplify.
1237
1238 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
1239
1240         The InternalFunction hierarchy should be in IsoSubspaces
1241         https://bugs.webkit.org/show_bug.cgi?id=184721
1242
1243         Reviewed by Saam Barati.
1244         
1245         This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
1246         but subclasses that are the same size as InternalFunction share its subspace. I did this
1247         because the subclasses appear to just override methods, which are called dynamically via the
1248         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
1249         allocate one kind of InternalFunction over another.
1250
1251         * API/JSBase.h:
1252         * API/JSCallbackFunction.h:
1253         * API/ObjCCallbackFunction.h:
1254         (JSC::ObjCCallbackFunction::subspaceFor):
1255         * CMakeLists.txt:
1256         * JavaScriptCore.xcodeproj/project.pbxproj:
1257         * Sources.txt:
1258         * heap/IsoSubspacePerVM.cpp: Added.
1259         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
1260         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
1261         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
1262         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
1263         (JSC::IsoSubspacePerVM::forVM):
1264         * heap/IsoSubspacePerVM.h: Added.
1265         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
1266         * runtime/Error.h:
1267         * runtime/ErrorConstructor.h:
1268         * runtime/InternalFunction.h:
1269         (JSC::InternalFunction::subspaceFor):
1270         * runtime/IntlCollatorConstructor.h:
1271         * runtime/IntlDateTimeFormatConstructor.h:
1272         * runtime/IntlNumberFormatConstructor.h:
1273         * runtime/JSArrayBufferConstructor.h:
1274         * runtime/NativeErrorConstructor.h:
1275         * runtime/ProxyRevoke.h:
1276         * runtime/RegExpConstructor.h:
1277         * runtime/VM.cpp:
1278         (JSC::VM::VM):
1279         * runtime/VM.h:
1280
1281 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1282
1283         Unreviewed, Fix jsc shell
1284         https://bugs.webkit.org/show_bug.cgi?id=184600
1285
1286         WebAssembly module loading does not finish with drainMicrotasks(),
1287         so JSNativeStdFunction's captured variables become invalid.
1288         This patch fixes this issue.
1289
1290         * jsc.cpp:
1291         (functionDollarAgentStart):
1292         (runWithOptions):
1293         (runJSC):
1294         (jscmain):
1295
1296 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
1297
1298         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
1299         https://bugs.webkit.org/show_bug.cgi?id=184725
1300
1301         Reviewed by Mark Lam.
1302
1303         * jit/JIT.h:
1304
1305 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1306
1307         [WebAssembly][Modules] Import tables in wasm modules
1308         https://bugs.webkit.org/show_bug.cgi?id=184738
1309
1310         Reviewed by JF Bastien.
1311
1312         This patch simply allows wasm modules to import tables from wasm modules / JS re-exporting.
1313         Basically, moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
1314         just works.
1315
1316         * wasm/js/JSWebAssemblyInstance.cpp:
1317         (JSC::JSWebAssemblyInstance::create):
1318         * wasm/js/WebAssemblyModuleRecord.cpp:
1319         (JSC::WebAssemblyModuleRecord::link):
1320
1321 2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>
1322
1323         [ARM] Fix build error and crash after PtrTag change
1324         https://bugs.webkit.org/show_bug.cgi?id=184732
1325
1326         Reviewed by Mark Lam.
1327
1328         Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
1329         MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
1330         twice with ARM-Thumb2.
1331
1332         * assembler/MacroAssemblerCodeRef.h:
1333         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1334         * jit/JITPropertyAccess32_64.cpp:
1335         (JSC::JIT::emitSlow_op_put_by_val):
1336         * jit/Repatch.cpp:
1337         (JSC::linkPolymorphicCall):
1338
1339 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1340
1341         [WebAssembly][Modules] Import globals from wasm modules
1342         https://bugs.webkit.org/show_bug.cgi?id=184736
1343
1344         Reviewed by JF Bastien.
1345
1346         This patch implements a feature importing globals to/from wasm modules.
1347         Since we are not supporting mutable globals now, we can just copy the
1348         global data when importing. Currently we do not support importing/exporting
1349         i64 globals. This will be supported once (1) mutable global bindings are
1350         specified and (2) BigInt based i64 importing/exporting is specified.
1351
1352         * wasm/js/JSWebAssemblyInstance.cpp:
1353         (JSC::JSWebAssemblyInstance::create):
1354         * wasm/js/WebAssemblyModuleRecord.cpp:
1355         (JSC::WebAssemblyModuleRecord::link):
1356
1357 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1358
1359         Unreviewed, fix build on ARM
1360
1361         * assembler/MacroAssemblerARM.h:
1362         (JSC::MacroAssemblerARM::readCallTarget):
1363
1364 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1365
1366         Unreviewed, fix build with GCC
1367
1368         * assembler/LinkBuffer.h:
1369         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1370
1371 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1372
1373         Unreviewed, reland r230697, r230720, and r230724.
1374         https://bugs.webkit.org/show_bug.cgi?id=184600
1375
1376         With CatchScope check.
1377
1378         * JavaScriptCore.xcodeproj/project.pbxproj:
1379         * builtins/ModuleLoaderPrototype.js:
1380         (globalPrivate.newRegistryEntry):
1381         (requestInstantiate):
1382         (link):
1383         * jsc.cpp:
1384         (convertShebangToJSComment):
1385         (fillBufferWithContentsOfFile):
1386         (fetchModuleFromLocalFileSystem):
1387         (GlobalObject::moduleLoaderFetch):
1388         (functionDollarAgentStart):
1389         (checkException):
1390         (runWithOptions):
1391         * parser/NodesAnalyzeModule.cpp:
1392         (JSC::ImportDeclarationNode::analyzeModule):
1393         * parser/SourceProvider.h:
1394         (JSC::WebAssemblySourceProvider::create):
1395         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1396         * runtime/AbstractModuleRecord.cpp:
1397         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1398         (JSC::AbstractModuleRecord::resolveImport):
1399         (JSC::AbstractModuleRecord::link):
1400         (JSC::AbstractModuleRecord::evaluate):
1401         (JSC::identifierToJSValue): Deleted.
1402         * runtime/AbstractModuleRecord.h:
1403         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
1404         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
1405         * runtime/JSModuleEnvironment.cpp:
1406         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1407         * runtime/JSModuleLoader.cpp:
1408         (JSC::JSModuleLoader::evaluate):
1409         * runtime/JSModuleRecord.cpp:
1410         (JSC::JSModuleRecord::link):
1411         (JSC::JSModuleRecord::instantiateDeclarations):
1412         * runtime/JSModuleRecord.h:
1413         * runtime/ModuleLoaderPrototype.cpp:
1414         (JSC::moduleLoaderPrototypeParseModule):
1415         (JSC::moduleLoaderPrototypeRequestedModules):
1416         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1417         * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
1418         * wasm/js/JSWebAssemblyHelpers.h:
1419         (JSC::getWasmBufferFromValue):
1420         (JSC::createSourceBufferFromValue):
1421         * wasm/js/JSWebAssemblyInstance.cpp:
1422         (JSC::JSWebAssemblyInstance::finalizeCreation):
1423         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
1424         (JSC::JSWebAssemblyInstance::create):
1425         * wasm/js/JSWebAssemblyInstance.h:
1426         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1427         (JSC::constructJSWebAssemblyInstance):
1428         * wasm/js/WebAssemblyModuleRecord.cpp:
1429         (JSC::WebAssemblyModuleRecord::prepareLink):
1430         (JSC::WebAssemblyModuleRecord::link):
1431         * wasm/js/WebAssemblyModuleRecord.h:
1432         * wasm/js/WebAssemblyPrototype.cpp:
1433         (JSC::resolve):
1434         (JSC::instantiate):
1435         (JSC::compileAndInstantiate):
1436         (JSC::WebAssemblyPrototype::instantiate):
1437         (JSC::webAssemblyInstantiateFunc):
1438         (JSC::webAssemblyValidateFunc):
1439         * wasm/js/WebAssemblyPrototype.h:
1440
1441 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
1442
1443         [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
1444         https://bugs.webkit.org/show_bug.cgi?id=184687
1445
1446         Reviewed by Michael Catanzaro.
1447
1448         Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
1449         JSClassDefinition. This is required to implement dynamic properties that can't be added with
1450         jsc_class_add_property(), for example to implement something like the imports object in seed/gjs.
1451
1452         * API/glib/JSCClass.cpp:
1453         (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
1454         can throw exceptions.
1455         (VTableExceptionHandler::~VTableExceptionHandler):
1456         (getProperty): Iterate the class chain to call get_property function.
1457         (setProperty): Iterate the class chain to call set_property function.
1458         (hasProperty): Iterate the class chain to call has_property function.
1459         (deleteProperty): Iterate the class chain to call delete_property function.
1460         (getPropertyNames): Iterate the class chain to call enumerate_properties function.
1461         (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
1462         jscClassCreate now.
1463         (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
1464         * API/glib/JSCClass.h:
1465         * API/glib/JSCClassPrivate.h:
1466         * API/glib/JSCContext.cpp:
1467         (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
1468         (jsc_context_register_class): Add JSCClassVTable parameter.
1469         * API/glib/JSCContext.h:
1470         * API/glib/JSCContextPrivate.h:
1471         * API/glib/JSCWrapperMap.cpp:
1472         (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
1473         * API/glib/JSCWrapperMap.h:
1474         * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
1475
1476 2018-04-17  Mark Lam  <mark.lam@apple.com>
1477
1478         Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
1479         https://bugs.webkit.org/show_bug.cgi?id=184702
1480         <rdar://problem/35391681>
1481
1482         Reviewed by Filip Pizlo and Saam Barati.
1483
1484         1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
1485            to take a PtrTag template argument.
1486         2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
1487
1488         * assembler/AbstractMacroAssembler.h:
1489         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
1490         (JSC::AbstractMacroAssembler::linkJump):
1491         (JSC::AbstractMacroAssembler::linkPointer):
1492         (JSC::AbstractMacroAssembler::getLinkerAddress):
1493         (JSC::AbstractMacroAssembler::repatchJump):
1494         (JSC::AbstractMacroAssembler::repatchJumpToNop):
1495         (JSC::AbstractMacroAssembler::repatchNearCall):
1496         (JSC::AbstractMacroAssembler::repatchCompact):
1497         (JSC::AbstractMacroAssembler::repatchInt32):
1498         (JSC::AbstractMacroAssembler::repatchPointer):
1499         (JSC::AbstractMacroAssembler::readPointer):
1500         (JSC::AbstractMacroAssembler::replaceWithLoad):
1501         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
1502         * assembler/CodeLocation.h:
1503         (JSC::CodeLocationCommon:: const):
1504         (JSC::CodeLocationCommon::CodeLocationCommon):
1505         (JSC::CodeLocationInstruction::CodeLocationInstruction):
1506         (JSC::CodeLocationLabel::CodeLocationLabel):
1507         (JSC::CodeLocationLabel::retagged):
1508         (JSC::CodeLocationLabel:: const):
1509         (JSC::CodeLocationJump::CodeLocationJump):
1510         (JSC::CodeLocationJump::retagged):
1511         (JSC::CodeLocationCall::CodeLocationCall):
1512         (JSC::CodeLocationCall::retagged):
1513         (JSC::CodeLocationNearCall::CodeLocationNearCall):
1514         (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
1515         (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
1516         (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
1517         (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
1518         (JSC::CodeLocationCommon<tag>::instructionAtOffset):
1519         (JSC::CodeLocationCommon<tag>::labelAtOffset):
1520         (JSC::CodeLocationCommon<tag>::jumpAtOffset):
1521         (JSC::CodeLocationCommon<tag>::callAtOffset):
1522         (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
1523         (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
1524         (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
1525         (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
1526         (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
1527         (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
1528         (JSC::CodeLocationCommon::labelAtOffset): Deleted.
1529         (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
1530         (JSC::CodeLocationCommon::callAtOffset): Deleted.
1531         (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
1532         (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
1533         (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
1534         (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
1535         (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
1536         * assembler/LinkBuffer.cpp:
1537         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
1538         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
1539         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
1540         (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
1541         * assembler/LinkBuffer.h:
1542         (JSC::LinkBuffer::link):
1543         (JSC::LinkBuffer::patch):
1544         (JSC::LinkBuffer::entrypoint):
1545         (JSC::LinkBuffer::locationOf):
1546         (JSC::LinkBuffer::locationOfNearCall):
1547         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1548         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1549         (JSC::LinkBuffer::trampolineAt):
1550         * assembler/MacroAssemblerARM.h:
1551         (JSC::MacroAssemblerARM::readCallTarget):
1552         (JSC::MacroAssemblerARM::replaceWithJump):
1553         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
1554         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
1555         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
1556         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
1557         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
1558         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
1559         (JSC::MacroAssemblerARM::repatchCall):
1560         (JSC::MacroAssemblerARM::linkCall):
1561         * assembler/MacroAssemblerARM64.h:
1562         (JSC::MacroAssemblerARM64::readCallTarget):
1563         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
1564         (JSC::MacroAssemblerARM64::replaceWithJump):
1565         (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
1566         (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
1567         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
1568         (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
1569         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1570         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
1571         (JSC::MacroAssemblerARM64::repatchCall):
1572         (JSC::MacroAssemblerARM64::linkCall):
1573         * assembler/MacroAssemblerARMv7.h:
1574         (JSC::MacroAssemblerARMv7::replaceWithJump):
1575         (JSC::MacroAssemblerARMv7::readCallTarget):
1576         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
1577         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
1578         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
1579         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
1580         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
1581         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
1582         (JSC::MacroAssemblerARMv7::repatchCall):
1583         (JSC::MacroAssemblerARMv7::linkCall):
1584         * assembler/MacroAssemblerCodeRef.cpp:
1585         (JSC::MacroAssemblerCodePtrBase::dumpWithName):
1586         (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
1587         (JSC::MacroAssemblerCodeRefBase::disassembly):
1588         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
1589         (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
1590         (JSC::MacroAssemblerCodePtr::dump const): Deleted.
1591         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
1592         (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
1593         (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
1594         (JSC::MacroAssemblerCodeRef::dump const): Deleted.
1595         * assembler/MacroAssemblerCodeRef.h:
1596         (JSC::FunctionPtr::FunctionPtr):
1597         (JSC::FunctionPtr::retagged const):
1598         (JSC::FunctionPtr::retaggedExecutableAddress const):
1599         (JSC::FunctionPtr::operator== const):
1600         (JSC::FunctionPtr::operator!= const):
1601         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1602         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1603         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1604         (JSC::MacroAssemblerCodePtr::retagged const):
1605         (JSC::MacroAssemblerCodePtr:: const):
1606         (JSC::MacroAssemblerCodePtr::dumpWithName const):
1607         (JSC::MacroAssemblerCodePtr::dump const):
1608         (JSC::MacroAssemblerCodePtrHash::hash):
1609         (JSC::MacroAssemblerCodePtrHash::equal):
1610         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1611         (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
1612         (JSC::MacroAssemblerCodeRef::code const):
1613         (JSC::MacroAssemblerCodeRef::retaggedCode const):
1614         (JSC::MacroAssemblerCodeRef::retagged const):
1615         (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
1616         (JSC::MacroAssemblerCodeRef::disassembly const):
1617         (JSC::MacroAssemblerCodeRef::dump const):
1618         (JSC::FunctionPtr<tag>::FunctionPtr):
1619         * assembler/MacroAssemblerMIPS.h:
1620         (JSC::MacroAssemblerMIPS::readCallTarget):
1621         (JSC::MacroAssemblerMIPS::replaceWithJump):
1622         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
1623         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
1624         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
1625         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
1626         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
1627         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
1628         (JSC::MacroAssemblerMIPS::repatchCall):
1629         (JSC::MacroAssemblerMIPS::linkCall):
1630         * assembler/MacroAssemblerX86.h:
1631         (JSC::MacroAssemblerX86::readCallTarget):
1632         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
1633         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
1634         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
1635         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
1636         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
1637         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
1638         (JSC::MacroAssemblerX86::repatchCall):
1639         (JSC::MacroAssemblerX86::linkCall):
1640         * assembler/MacroAssemblerX86Common.h:
1641         (JSC::MacroAssemblerX86Common::repatchCompact):
1642         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
1643         (JSC::MacroAssemblerX86Common::replaceWithJump):
1644         * assembler/MacroAssemblerX86_64.h:
1645         (JSC::MacroAssemblerX86_64::readCallTarget):
1646         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
1647         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
1648         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
1649         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
1650         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1651         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
1652         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
1653         (JSC::MacroAssemblerX86_64::repatchCall):
1654         (JSC::MacroAssemblerX86_64::linkCall):
1655         * assembler/testmasm.cpp:
1656         (JSC::compile):
1657         (JSC::invoke):
1658         (JSC::testProbeModifiesProgramCounter):
1659         * b3/B3Compilation.cpp:
1660         (JSC::B3::Compilation::Compilation):
1661         * b3/B3Compilation.h:
1662         (JSC::B3::Compilation::code const):
1663         (JSC::B3::Compilation::codeRef const):
1664         * b3/B3Compile.cpp:
1665         (JSC::B3::compile):
1666         * b3/B3LowerMacros.cpp:
1667         * b3/air/AirDisassembler.cpp:
1668         (JSC::B3::Air::Disassembler::dump):
1669         * b3/air/testair.cpp:
1670         * b3/testb3.cpp:
1671         (JSC::B3::invoke):
1672         (JSC::B3::testInterpreter):
1673         (JSC::B3::testEntrySwitchSimple):
1674         (JSC::B3::testEntrySwitchNoEntrySwitch):
1675         (JSC::B3::testEntrySwitchWithCommonPaths):
1676         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
1677         (JSC::B3::testEntrySwitchLoop):
1678         * bytecode/AccessCase.cpp:
1679         (JSC::AccessCase::generateImpl):
1680         * bytecode/AccessCaseSnippetParams.cpp:
1681         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1682         * bytecode/ByValInfo.h:
1683         (JSC::ByValInfo::ByValInfo):
1684         * bytecode/CallLinkInfo.cpp:
1685         (JSC::CallLinkInfo::callReturnLocation):
1686         (JSC::CallLinkInfo::patchableJump):
1687         (JSC::CallLinkInfo::hotPathBegin):
1688         (JSC::CallLinkInfo::slowPathStart):
1689         * bytecode/CallLinkInfo.h:
1690         (JSC::CallLinkInfo::setCallLocations):
1691         (JSC::CallLinkInfo::hotPathOther):
1692         * bytecode/CodeBlock.cpp:
1693         (JSC::CodeBlock::finishCreation):
1694         * bytecode/GetByIdStatus.cpp:
1695         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1696         * bytecode/GetByIdVariant.cpp:
1697         (JSC::GetByIdVariant::GetByIdVariant):
1698         (JSC::GetByIdVariant::dumpInContext const):
1699         * bytecode/GetByIdVariant.h:
1700         (JSC::GetByIdVariant::customAccessorGetter const):
1701         * bytecode/GetterSetterAccessCase.cpp:
1702         (JSC::GetterSetterAccessCase::create):
1703         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1704         (JSC::GetterSetterAccessCase::dumpImpl const):
1705         * bytecode/GetterSetterAccessCase.h:
1706         (JSC::GetterSetterAccessCase::customAccessor const):
1707         (): Deleted.
1708         * bytecode/HandlerInfo.h:
1709         (JSC::HandlerInfo::initialize):
1710         * bytecode/InlineAccess.cpp:
1711         (JSC::linkCodeInline):
1712         (JSC::InlineAccess::rewireStubAsJump):
1713         * bytecode/InlineAccess.h:
1714         * bytecode/JumpTable.h:
1715         (JSC::StringJumpTable::ctiForValue):
1716         (JSC::SimpleJumpTable::ctiForValue):
1717         * bytecode/LLIntCallLinkInfo.h:
1718         (JSC::LLIntCallLinkInfo::unlink):
1719         * bytecode/PolymorphicAccess.cpp:
1720         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1721         (JSC::PolymorphicAccess::regenerate):
1722         * bytecode/PolymorphicAccess.h:
1723         (JSC::AccessGenerationResult::AccessGenerationResult):
1724         (JSC::AccessGenerationResult::code const):
1725         * bytecode/StructureStubInfo.h:
1726         (JSC::StructureStubInfo::slowPathCallLocation):
1727         (JSC::StructureStubInfo::doneLocation):
1728         (JSC::StructureStubInfo::slowPathStartLocation):
1729         (JSC::StructureStubInfo::patchableJumpForIn):
1730         * dfg/DFGCommonData.h:
1731         (JSC::DFG::CommonData::appendCatchEntrypoint):
1732         * dfg/DFGDisassembler.cpp:
1733         (JSC::DFG::Disassembler::dumpDisassembly):
1734         * dfg/DFGDriver.h:
1735         * dfg/DFGJITCompiler.cpp:
1736         (JSC::DFG::JITCompiler::linkOSRExits):
1737         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1738         (JSC::DFG::JITCompiler::link):
1739         (JSC::DFG::JITCompiler::compileFunction):
1740         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1741         * dfg/DFGJITCompiler.h:
1742         (JSC::DFG::CallLinkRecord::CallLinkRecord):
1743         (JSC::DFG::JITCompiler::appendCall):
1744         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
1745         (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
1746         (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
1747         * dfg/DFGJITFinalizer.cpp:
1748         (JSC::DFG::JITFinalizer::JITFinalizer):
1749         (JSC::DFG::JITFinalizer::finalize):
1750         (JSC::DFG::JITFinalizer::finalizeFunction):
1751         * dfg/DFGJITFinalizer.h:
1752         * dfg/DFGJumpReplacement.h:
1753         (JSC::DFG::JumpReplacement::JumpReplacement):
1754         * dfg/DFGNode.h:
1755         * dfg/DFGOSREntry.cpp:
1756         (JSC::DFG::prepareOSREntry):
1757         (JSC::DFG::prepareCatchOSREntry):
1758         * dfg/DFGOSREntry.h:
1759         (JSC::DFG::prepareOSREntry):
1760         * dfg/DFGOSRExit.cpp:
1761         (JSC::DFG::OSRExit::executeOSRExit):
1762         (JSC::DFG::reifyInlinedCallFrames):
1763         (JSC::DFG::adjustAndJumpToTarget):
1764         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1765         (JSC::DFG::OSRExit::emitRestoreArguments):
1766         (JSC::DFG::OSRExit::compileOSRExit):
1767         * dfg/DFGOSRExit.h:
1768         * dfg/DFGOSRExitCompilerCommon.cpp:
1769         (JSC::DFG::handleExitCounts):
1770         (JSC::DFG::reifyInlinedCallFrames):
1771         (JSC::DFG::osrWriteBarrier):
1772         (JSC::DFG::adjustAndJumpToTarget):
1773         * dfg/DFGOperations.cpp:
1774         * dfg/DFGSlowPathGenerator.h:
1775         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
1776         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
1777         (JSC::DFG::slowPathCall):
1778         * dfg/DFGSpeculativeJIT.cpp:
1779         (JSC::DFG::SpeculativeJIT::compileMathIC):
1780         (JSC::DFG::SpeculativeJIT::compileCallDOM):
1781         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1782         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1783         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1784         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1785         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1786         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1787         (JSC::DFG::SpeculativeJIT::cachedPutById):
1788         * dfg/DFGSpeculativeJIT.h:
1789         (JSC::DFG::SpeculativeJIT::callOperation):
1790         (JSC::DFG::SpeculativeJIT::appendCall):
1791         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1792         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1793         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1794         * dfg/DFGSpeculativeJIT64.cpp:
1795         (JSC::DFG::SpeculativeJIT::cachedGetById):
1796         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1797         (JSC::DFG::SpeculativeJIT::compile):
1798         * dfg/DFGThunks.cpp:
1799         (JSC::DFG::osrExitThunkGenerator):
1800         (JSC::DFG::osrExitGenerationThunkGenerator):
1801         (JSC::DFG::osrEntryThunkGenerator):
1802         * dfg/DFGThunks.h:
1803         * disassembler/ARM64Disassembler.cpp:
1804         (JSC::tryToDisassemble):
1805         * disassembler/ARMv7Disassembler.cpp:
1806         (JSC::tryToDisassemble):
1807         * disassembler/Disassembler.cpp:
1808         (JSC::disassemble):
1809         (JSC::disassembleAsynchronously):
1810         * disassembler/Disassembler.h:
1811         (JSC::tryToDisassemble):
1812         * disassembler/UDis86Disassembler.cpp:
1813         (JSC::tryToDisassembleWithUDis86):
1814         * disassembler/UDis86Disassembler.h:
1815         (JSC::tryToDisassembleWithUDis86):
1816         * disassembler/X86Disassembler.cpp:
1817         (JSC::tryToDisassemble):
1818         * ftl/FTLCompile.cpp:
1819         (JSC::FTL::compile):
1820         * ftl/FTLExceptionTarget.cpp:
1821         (JSC::FTL::ExceptionTarget::label):
1822         (JSC::FTL::ExceptionTarget::jumps):
1823         * ftl/FTLExceptionTarget.h:
1824         * ftl/FTLGeneratedFunction.h:
1825         * ftl/FTLJITCode.cpp:
1826         (JSC::FTL::JITCode::initializeB3Code):
1827         (JSC::FTL::JITCode::initializeAddressForCall):
1828         (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
1829         (JSC::FTL::JITCode::addressForCall):
1830         (JSC::FTL::JITCode::executableAddressAtOffset):
1831         * ftl/FTLJITCode.h:
1832         (JSC::FTL::JITCode::b3Code const):
1833         * ftl/FTLJITFinalizer.cpp:
1834         (JSC::FTL::JITFinalizer::finalizeCommon):
1835         * ftl/FTLLazySlowPath.cpp:
1836         (JSC::FTL::LazySlowPath::initialize):
1837         (JSC::FTL::LazySlowPath::generate):
1838         * ftl/FTLLazySlowPath.h:
1839         (JSC::FTL::LazySlowPath::patchableJump const):
1840         (JSC::FTL::LazySlowPath::done const):
1841         (JSC::FTL::LazySlowPath::stub const):
1842         * ftl/FTLLazySlowPathCall.h:
1843         (JSC::FTL::createLazyCallGenerator):
1844         * ftl/FTLLink.cpp:
1845         (JSC::FTL::link):
1846         * ftl/FTLLowerDFGToB3.cpp:
1847         (JSC::FTL::DFG::LowerDFGToB3::lower):
1848         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1849         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1850         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1851         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1852         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1853         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1854         (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
1855         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1856         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1857         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
1858         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1859         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1860         * ftl/FTLOSRExit.cpp:
1861         (JSC::FTL::OSRExit::codeLocationForRepatch const):
1862         * ftl/FTLOSRExit.h:
1863         * ftl/FTLOSRExitCompiler.cpp:
1864         (JSC::FTL::compileStub):
1865         (JSC::FTL::compileFTLOSRExit):
1866         * ftl/FTLOSRExitHandle.cpp:
1867         (JSC::FTL::OSRExitHandle::emitExitThunk):
1868         * ftl/FTLOperations.cpp:
1869         (JSC::FTL::compileFTLLazySlowPath):
1870         * ftl/FTLPatchpointExceptionHandle.cpp:
1871         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
1872         * ftl/FTLSlowPathCall.cpp:
1873         (JSC::FTL::SlowPathCallContext::keyWithTarget const):
1874         (JSC::FTL::SlowPathCallContext::makeCall):
1875         * ftl/FTLSlowPathCall.h:
1876         (JSC::FTL::callOperation):
1877         * ftl/FTLSlowPathCallKey.cpp:
1878         (JSC::FTL::SlowPathCallKey::dump const):
1879         * ftl/FTLSlowPathCallKey.h:
1880         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1881         (JSC::FTL::SlowPathCallKey::callTarget const):
1882         (JSC::FTL::SlowPathCallKey::withCallTarget):
1883         (JSC::FTL::SlowPathCallKey::hash const):
1884         (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
1885         * ftl/FTLState.cpp:
1886         (JSC::FTL::State::State):
1887         * ftl/FTLThunks.cpp:
1888         (JSC::FTL::genericGenerationThunkGenerator):
1889         (JSC::FTL::osrExitGenerationThunkGenerator):
1890         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1891         (JSC::FTL::slowPathCallThunkGenerator):
1892         * ftl/FTLThunks.h:
1893         (JSC::FTL::generateIfNecessary):
1894         (JSC::FTL::keyForThunk):
1895         (JSC::FTL::Thunks::getSlowPathCallThunk):
1896         (JSC::FTL::Thunks::keyForSlowPathCallThunk):
1897         * interpreter/InterpreterInlines.h:
1898         (JSC::Interpreter::getOpcodeID):
1899         * jit/AssemblyHelpers.cpp:
1900         (JSC::AssemblyHelpers::callExceptionFuzz):
1901         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1902         (JSC::AssemblyHelpers::debugCall):
1903         * jit/CCallHelpers.cpp:
1904         (JSC::CCallHelpers::ensureShadowChickenPacket):
1905         * jit/ExecutableAllocator.cpp:
1906         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1907         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1908         * jit/ExecutableAllocator.h:
1909         (JSC::performJITMemcpy):
1910         * jit/GCAwareJITStubRoutine.cpp:
1911         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
1912         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
1913         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
1914         (JSC::createJITStubRoutine):
1915         * jit/GCAwareJITStubRoutine.h:
1916         (JSC::createJITStubRoutine):
1917         * jit/JIT.cpp:
1918         (JSC::ctiPatchCallByReturnAddress):
1919         (JSC::JIT::compileWithoutLinking):
1920         (JSC::JIT::link):
1921         (JSC::JIT::privateCompileExceptionHandlers):
1922         * jit/JIT.h:
1923         (JSC::CallRecord::CallRecord):
1924         * jit/JITArithmetic.cpp:
1925         (JSC::JIT::emitMathICFast):
1926         (JSC::JIT::emitMathICSlow):
1927         * jit/JITCall.cpp:
1928         (JSC::JIT::compileOpCallSlowCase):
1929         * jit/JITCall32_64.cpp:
1930         (JSC::JIT::compileOpCallSlowCase):
1931         * jit/JITCode.cpp:
1932         (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
1933         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1934         (JSC::DirectJITCode::DirectJITCode):
1935         (JSC::DirectJITCode::initializeCodeRef):
1936         (JSC::DirectJITCode::addressForCall):
1937         (JSC::NativeJITCode::NativeJITCode):
1938         (JSC::NativeJITCode::initializeCodeRef):
1939         (JSC::NativeJITCode::addressForCall):
1940         * jit/JITCode.h:
1941         * jit/JITCodeMap.h:
1942         (JSC::JITCodeMap::Entry::Entry):
1943         (JSC::JITCodeMap::Entry::codeLocation):
1944         (JSC::JITCodeMap::append):
1945         (JSC::JITCodeMap::find const):
1946         * jit/JITDisassembler.cpp:
1947         (JSC::JITDisassembler::dumpDisassembly):
1948         * jit/JITExceptions.cpp:
1949         (JSC::genericUnwind):
1950         * jit/JITInlineCacheGenerator.cpp:
1951         (JSC::JITByIdGenerator::finalize):
1952         * jit/JITInlines.h:
1953         (JSC::JIT::emitNakedCall):
1954         (JSC::JIT::emitNakedTailCall):
1955         (JSC::JIT::appendCallWithExceptionCheck):
1956         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
1957         (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1958         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1959         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1960         * jit/JITMathIC.h:
1961         (JSC::isProfileEmpty):
1962         * jit/JITOpcodes.cpp:
1963         (JSC::JIT::emit_op_catch):
1964         (JSC::JIT::emit_op_switch_imm):
1965         (JSC::JIT::emit_op_switch_char):
1966         (JSC::JIT::emit_op_switch_string):
1967         (JSC::JIT::privateCompileHasIndexedProperty):
1968         (JSC::JIT::emitSlow_op_has_indexed_property):
1969         * jit/JITOpcodes32_64.cpp:
1970         (JSC::JIT::privateCompileHasIndexedProperty):
1971         * jit/JITOperations.cpp:
1972         (JSC::getByVal):
1973         * jit/JITPropertyAccess.cpp:
1974         (JSC::JIT::stringGetByValStubGenerator):
1975         (JSC::JIT::emitGetByValWithCachedId):
1976         (JSC::JIT::emitSlow_op_get_by_val):
1977         (JSC::JIT::emitPutByValWithCachedId):
1978         (JSC::JIT::emitSlow_op_put_by_val):
1979         (JSC::JIT::emitSlow_op_try_get_by_id):
1980         (JSC::JIT::emitSlow_op_get_by_id_direct):
1981         (JSC::JIT::emitSlow_op_get_by_id):
1982         (JSC::JIT::emitSlow_op_get_by_id_with_this):
1983         (JSC::JIT::emitSlow_op_put_by_id):
1984         (JSC::JIT::privateCompileGetByVal):
1985         (JSC::JIT::privateCompileGetByValWithCachedId):
1986         (JSC::JIT::privateCompilePutByVal):
1987         (JSC::JIT::privateCompilePutByValWithCachedId):
1988         * jit/JITPropertyAccess32_64.cpp:
1989         (JSC::JIT::stringGetByValStubGenerator):
1990         (JSC::JIT::emitSlow_op_get_by_val):
1991         (JSC::JIT::emitSlow_op_put_by_val):
1992         * jit/JITStubRoutine.h:
1993         (JSC::JITStubRoutine::JITStubRoutine):
1994         (JSC::JITStubRoutine::createSelfManagedRoutine):
1995         (JSC::JITStubRoutine::code const):
1996         (JSC::JITStubRoutine::asCodePtr):
1997         * jit/JITThunks.cpp:
1998         (JSC::JITThunks::ctiNativeCall):
1999         (JSC::JITThunks::ctiNativeConstruct):
2000         (JSC::JITThunks::ctiNativeTailCall):
2001         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
2002         (JSC::JITThunks::ctiInternalFunctionCall):
2003         (JSC::JITThunks::ctiInternalFunctionConstruct):
2004         (JSC::JITThunks::ctiStub):
2005         (JSC::JITThunks::existingCTIStub):
2006         (JSC::JITThunks::hostFunctionStub):
2007         * jit/JITThunks.h:
2008         * jit/PCToCodeOriginMap.cpp:
2009         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
2010         * jit/PCToCodeOriginMap.h:
2011         * jit/PolymorphicCallStubRoutine.cpp:
2012         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2013         * jit/PolymorphicCallStubRoutine.h:
2014         * jit/Repatch.cpp:
2015         (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryCacheIn):
        (JSC::repatchIn):
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::linkDirectFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/Repatch.h:
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::nativeCallGenerator):
        (JSC::nativeTailCallGenerator):
        (JSC::nativeTailCallWithoutSavedTagsGenerator):
        (JSC::nativeConstructGenerator):
        (JSC::internalFunctionCallGenerator):
        (JSC::internalFunctionConstructGenerator):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::clz32ThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::truncThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::imulThunkGenerator):
        (JSC::randomThunkGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * jit/ThunkGenerators.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getExecutableAddress):
        (JSC::LLInt::getCodePtr):
        (JSC::LLInt::getCodeRef):
        (JSC::LLInt::getCodeFunctionPtr):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * llint/LLIntThunks.cpp:
        (JSC::vmEntryToWasm):
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        (JSC::LLInt::moduleProgramEntryThunkGenerator):
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::addOSRExitSite):
        * profiler/ProfilerCompilation.h:
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS const):
        * profiler/ProfilerOSRExitSite.h:
        (JSC::Profiler::OSRExitSite::OSRExitSite):
        (JSC::Profiler::OSRExitSite::codeAddress const):
        (JSC::Profiler::OSRExitSite:: const): Deleted.
        * runtime/ExecutableBase.cpp:
        (JSC::ExecutableBase::clearCode):
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::entrypointFor):
        * runtime/NativeExecutable.cpp:
        (JSC::NativeExecutable::finishCreation):
        * runtime/NativeFunction.h:
        (JSC::TaggedNativeFunction::TaggedNativeFunction):
        (JSC::TaggedNativeFunction::operator NativeFunction):
        * runtime/PtrTag.h:
        (JSC::tagCodePtr):
        (JSC::untagCodePtr):
        (JSC::retagCodePtr):
        (JSC::tagCFunctionPtr):
        (JSC::untagCFunctionPtr):
        (JSC::nextPtrTagID): Deleted.
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setCustomValue):
        (JSC::PutPropertySlot::setCustomAccessor):
        (JSC::PutPropertySlot::customSetter const):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/VM.cpp:
        (JSC::VM::getHostFunction):
        (JSC::VM::getCTIInternalFunctionTrampolineFor):
        * runtime/VM.h:
        (JSC::VM::getCTIStub):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
        (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlan.h:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmBinding.h:
        * wasm/WasmCallee.h:
        (JSC::Wasm::Callee::entrypoint const):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
        * wasm/WasmCodeBlock.h:
        (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        * wasm/WasmFormat.h:
        * wasm/WasmInstance.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        (JSC::Wasm::Thunks::stub):
        (JSC::Wasm::Thunks::existingStub):
        * wasm/WasmThunks.h:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * wasm/js/WasmToJS.h:
        * wasm/js/WebAssemblyFunction.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
        (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::set8BitCode):
        (JSC::Yarr::YarrCodeBlock::set16BitCode):
        (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::execute):
        (JSC::Yarr::YarrCodeBlock::clear):

2018-04-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r230697, r230720, and r230724.
        https://bugs.webkit.org/show_bug.cgi?id=184717

        These caused multiple failures on the Test262 testers.
        (Requested by mlewis13 on #webkit).

        Reverted changesets:

        "[WebAssembly][Modules] Prototype wasm import"
        https://bugs.webkit.org/show_bug.cgi?id=184600
        https://trac.webkit.org/changeset/230697

        "[WebAssembly][Modules] Implement function import from wasm
        modules"
        https://bugs.webkit.org/show_bug.cgi?id=184689
        https://trac.webkit.org/changeset/230720

        "[JSC] Rename runWebAssembly to runWebAssemblySuite"
        https://bugs.webkit.org/show_bug.cgi?id=184703
        https://trac.webkit.org/changeset/230724

2018-04-17  JF Bastien  <jfbastien@apple.com>

        A put is not an ExistingProperty put when we transition a structure because of an attributes change
        https://bugs.webkit.org/show_bug.cgi?id=184706
        <rdar://problem/38871451>

        Reviewed by Saam Barati.

        When putting a property on a structure and the slot is a different
        type, the slot can't be said to have already been existing.

        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):

2018-04-17  Filip Pizlo  <fpizlo@apple.com>

        JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
        https://bugs.webkit.org/show_bug.cgi?id=184705

        Reviewed by Michael Saboff.

        My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
        while testing an unrelated patch, a concurrent GC thread crashed inside
        JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
        because a typed array became wasteful concurrently with the GC. So, visitChildren() read one
        mode and another vector.

        The fix is to lock inside visitChildren and anyone who changes those fields.

        I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
        this.

        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::neuter):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):

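The torn read described in the entry above can be reproduced without a multisocket machine by enumerating interleavings. What follows is an added example (JavaScript, not JSC code): a hypothetical model of the m_mode/m_vector pair in which a GC visitor reads both fields while a mutator switches the array from fast (inline storage) to wasteful (external buffer), counting the schedules in which the visitor observes a mode that does not match the vector it read. The field names, the 'fast'/'wasteful' and 'inline'/'external' values, and the way the lock is modelled (an indivisible step) are assumptions of this model, not JSC's implementation.

```javascript
// Added example, not JSC code: a hypothetical model of a typed array's
// (mode, vector) pair, standing in for m_mode / m_vector. A GC visitor reads
// both fields; a mutator flips the array from fast (inline storage) to
// wasteful (external buffer). Every interleaving of the two is enumerated and
// the ones where the visitor's snapshot is inconsistent are counted.

// All merges of sequences a and b that preserve each sequence's own order.
function interleavings(a, b) {
  if (a.length === 0) return [b];
  if (b.length === 0) return [a];
  return [
    ...interleavings(a.slice(1), b).map((rest) => [a[0], ...rest]),
    ...interleavings(a, b.slice(1)).map((rest) => [b[0], ...rest]),
  ];
}

// The invariant visitChildren relies on: the mode says where the vector points.
function consistent(mode, vector) {
  return (mode === 'fast' && vector === 'inline') ||
         (mode === 'wasteful' && vector === 'external');
}

// lockReader / lockWriter: hold the lock around both accesses on that side,
// which turns that side's two steps into one indivisible step in the schedule.
function countTornSchedules({ lockReader = false, lockWriter = false, writeModeFirst = true } = {}) {
  const readMode = (s) => { s.seenMode = s.mode; };
  const readVector = (s) => { s.seenVector = s.vector; };
  const writeMode = (s) => { s.mode = 'wasteful'; };
  const writeVector = (s) => { s.vector = 'external'; };

  const reads = [readMode, readVector];
  const writes = writeModeFirst ? [writeMode, writeVector] : [writeVector, writeMode];
  const visitor = lockReader ? [(s) => reads.forEach((op) => op(s))] : reads;
  const mutator = lockWriter ? [(s) => writes.forEach((op) => op(s))] : writes;

  const schedules = interleavings(visitor, mutator);
  let torn = 0;
  for (const schedule of schedules) {
    // Fresh state per schedule: array starts fast, visitor has seen nothing yet.
    const s = { mode: 'fast', vector: 'inline', seenMode: null, seenVector: null };
    schedule.forEach((op) => op(s));
    if (!consistent(s.seenMode, s.seenVector)) torn += 1;
  }
  return { schedules: schedules.length, torn };
}

// Stand-alone run: compare the unlocked, half-locked and fully locked variants.
for (const cfg of [
  { lockReader: false, lockWriter: false, writeModeFirst: true },
  { lockReader: false, lockWriter: false, writeModeFirst: false },
  { lockReader: true, lockWriter: false },
  { lockReader: false, lockWriter: true },
  { lockReader: true, lockWriter: true },
]) {
  console.log(JSON.stringify(cfg), countTornSchedules(cfg));
}
```

Unlocked, 2 of the 6 schedules are torn when the mutator writes the mode first and 4 of 6 when it writes the vector first, so write ordering alone does not help. Locking only the visitor or only the writer still leaves a torn schedule (the writer slips between the two reads, or the reads between the two writes); only taking the lock on both sides, as the entry says, removes every inconsistent snapshot.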
2018-04-16  Filip Pizlo  <fpizlo@apple.com>

        PutStackSinkingPhase should know that KillStack means ConflictingFlush
        https://bugs.webkit.org/show_bug.cgi?id=184672

        Reviewed by Michael Saboff.

        We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
        KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
        archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
        intentional - I don't know.

        Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
        doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
        the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
        KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
        that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
        specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
        could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
        KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
        inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
        have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
        values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
        value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.

        This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
        them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
        its stack slot for the purpose of clobberize.

        * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
        * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
        * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
        (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):

2018-04-17  Filip Pizlo  <fpizlo@apple.com>

        JSWebAssemblyCodeBlock should be in an IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=184704

        Reviewed by Mark Lam.

        Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
        CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
        shortcircuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
        protection.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/js/JSWebAssemblyCodeBlock.h:

2018-04-17  Jer Noble  <jer.noble@apple.com>

        Only enable useSeparatedWXHeap on ARM64.
        https://bugs.webkit.org/show_bug.cgi?id=184697

        Reviewed by Saam Barati.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Implement function import from wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184689

        Reviewed by JF Bastien.

        This patch implements function import from wasm modules. We move the function importing part
        from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
        is because linking these functions requires that all the dependent modules are created.
        While we want to move all the linking functionality from JSWebAssemblyInstance to
        WebAssemblyModuleRecord::link, we do not do that in this patch. In this patch, we move only
        the function importing part because efficient compilation of WebAssembly needs to know
        the type of WebAssemblyMemory (signaling or bounds checking). This needs to know the imported
        or attached WebAssembly memory object. So we cannot defer this linking to
        WebAssemblyModuleRecord::link now.

        The largest difference from JS module linking is that WebAssembly module linking links
        functions from the module by snapshotting. When you have a cyclic module graph like this,

        -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
            ^                                                   |
            +---------------------------------------------------+

        we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
        is described in [1], and tested in this patch.

        [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (functionDollarAgentStart):
        (checkException):
        (runWithOptions):
        Small fixes for wasm module loading.

        * parser/NodesAnalyzeModule.cpp:
        (JSC::ImportDeclarationNode::analyzeModule):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::resolveImport):
        (JSC::AbstractModuleRecord::link):
        * runtime/AbstractModuleRecord.h:
        (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
        (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
        Now, wasm modules can have an import which is named "*". So this function does not work.
        Since wasm modules never have namespace importing, we check this in JS's module analyzer.

        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::instantiateDeclarations):
        * wasm/WasmCreationMode.h: Added.
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::WebAssemblyPrototype::instantiate):
        (JSC::webAssemblyInstantiateFunc):

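Snapshot linking, as described in the entry above, is also visible from the plain WebAssembly JS API, independently of the module pipeline. What follows is an added example (JavaScript for Node.js, not JSC or WebKit code): a hand-assembled module, constructed inline for this example, that imports env.fun : () -> i32 and exports call : () -> i32 returning fun(). It shows that the function binding is copied out of the import object once at instantiation (a later change to the import object's property is not observed, while the copied function itself stays live), and that instantiating while the import is not yet a function fails with a LinkError, which is the same failure the cyclic JS1 -> Wasm1 graph above runs into. The module bytes and the env/fun/call names are assumptions of this example.

```javascript
// Added example, not JSC/WebKit code. Hand-assembled module (constructed for this
// example): imports env.fun : () -> i32, exports call : () -> i32 which returns fun().
function buildModuleBytes() {
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic, version 1
    0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,                   // type 0: () -> i32
    0x02, 0x0b, 0x01, 0x03, 0x65, 0x6e, 0x76,                   // import module "env"
    0x03, 0x66, 0x75, 0x6e, 0x00, 0x00,                         //   field "fun", func, type 0
    0x03, 0x02, 0x01, 0x00,                                     // one defined func, type 0
    0x07, 0x08, 0x01, 0x04, 0x63, 0x61, 0x6c, 0x6c, 0x00, 0x01, // export "call" = func 1
    0x0a, 0x06, 0x01, 0x04, 0x00, 0x10, 0x00, 0x0b,             // body: call 0; end
  ]);
}

// Instantiate against a mutable import object and probe what the instance sees.
function linkSnapshotDemo() {
  const bytes = buildModuleBytes();
  if (!WebAssembly.validate(bytes)) throw new Error('constructed module failed validation');
  const module = new WebAssembly.Module(bytes);

  let state = 1;
  const imports = { env: { fun: () => state } };
  const instance = new WebAssembly.Instance(module, imports);

  const beforeSwap = instance.exports.call();   // 1
  state = 2;
  const liveClosure = instance.exports.call();  // 2: the copied function is still live
  imports.env.fun = () => 999;                  // rebinding the import object's property...
  const afterSwap = instance.exports.call();    // ...is not seen: still 2, binding was snapshotted
  return { beforeSwap, liveClosure, afterSwap };
}

// Linking while the imported function is not available yet fails outright,
// rather than deferring to a later binding the way live ES module bindings would.
function linkWithoutFunction() {
  const module = new WebAssembly.Module(buildModuleBytes());
  try {
    new WebAssembly.Instance(module, { env: {} });
    return 'linked';
  } catch (e) {
    return e instanceof WebAssembly.LinkError ? 'LinkError' : e.constructor.name;
  }
}

// Stand-alone run.
console.log(linkSnapshotDemo(), linkWithoutFunction());
```

The same two observations carry over to the module pipeline: an import that is resolved after the wasm module has been linked is never picked up, and an import that is not yet a callable when linking happens is a link failure, not a pending binding.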
2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>

        Implement setupArgumentsImpl for ARM and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=183786

        Reviewed by Yusuke Suzuki.

        Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling conventions. Added
        numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
        registers used for 64-bit values on 32-bit architectures. numCrossSources
        keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::moveDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::moveDouble):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupStubCrossArgs):
        (JSC::CCallHelpers::ArgCollection::ArgCollection):
        (JSC::CCallHelpers::ArgCollection::pushRegArg):
        (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
        (JSC::CCallHelpers::ArgCollection::addGPRArg):
        (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
        (JSC::CCallHelpers::ArgCollection::addStackArg):
        (JSC::CCallHelpers::ArgCollection::addPoke):
        (JSC::CCallHelpers::ArgCollection::argCount):
        (JSC::CCallHelpers::calculatePokeOffset):
        (JSC::CCallHelpers::pokeForArgument):
        (JSC::CCallHelpers::stackAligned):
        (JSC::CCallHelpers::marshallArgumentRegister):
        (JSC::CCallHelpers::setupArgumentsImpl):
        (JSC::CCallHelpers::pokeArgumentsAligned):
        (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
        (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
        (JSC::CCallHelpers::setupArguments):
        * jit/FPRInfo.h:
        (JSC::FPRInfo::toArgumentRegister):

2018-04-17  Saam Barati  <sbarati@apple.com>

        Add system trace points for process launch and for initializeWebProcess
        https://bugs.webkit.org/show_bug.cgi?id=184669

        Reviewed by Simon Fraser.

        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):

2018-04-17  Jer Noble  <jer.noble@apple.com>

        Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
        https://bugs.webkit.org/show_bug.cgi?id=184602

        Reviewed by Beth Dakin.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to clear JSCContext uncaught exception
        https://bugs.webkit.org/show_bug.cgi?id=184685

        Reviewed by Žan Doberšek.

        Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.

        * API/glib/JSCContext.cpp:
        (jsc_context_clear_exception):
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to query, delete and enumerate properties
        https://bugs.webkit.org/show_bug.cgi?id=184647

        Reviewed by Michael Catanzaro.

        Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().

        * API/glib/JSCValue.cpp:
        (jsc_value_object_has_property):
        (jsc_value_object_delete_property):
        (jsc_value_object_enumerate_properties):
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Prototype wasm import
        https://bugs.webkit.org/show_bug.cgi?id=184600

        Reviewed by JF Bastien.

        This patch is an initial attempt to implement Wasm loading in the module pipeline.
        Currently,

        1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
           in WHATWG HTML, we should integrate this into WebCore.

        2. We only support exporting values from Wasm. A Wasm module cannot import anything from
           other modules now.

        When loading a file, the JSC shell checks for the wasm magic. If the wasm magic is found, the JSC shell
        loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
        module loader pipeline just handles it the same as JS. When parsing a module, we
        check the type of JSSourceCode. If the source code is Wasm source code, we create a
        WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
        AbstractModuleRecord and the Wasm module is instantiated, linked, and evaluated.

        * builtins/ModuleLoaderPrototype.js:
        (globalPrivate.newRegistryEntry):
        (requestInstantiate):
        (link):
        * jsc.cpp:
        (convertShebangToJSComment):
        (fillBufferWithContentsOfFile):
        (fetchModuleFromLocalFileSystem):
        (GlobalObject::moduleLoaderFetch):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        (JSC::AbstractModuleRecord::link):
        (JSC::AbstractModuleRecord::evaluate):
        (JSC::identifierToJSValue): Deleted.
        * runtime/AbstractModuleRecord.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::evaluate):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSModuleRecord.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        (JSC::createSourceBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::prepareLink):
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::WebAssemblyPrototype::instantiate):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        * wasm/js/WebAssemblyPrototype.h:

2018-04-14  Filip Pizlo  <fpizlo@apple.com>

        Function.prototype.caller shouldn't return generator bodies
        https://bugs.webkit.org/show_bug.cgi?id=184630

        Reviewed by Yusuke Suzuki.

        Function.prototype.caller no longer returns generator bodies. Those are meant to be
        private.

        Also added some builtin debugging tools so that it's easier to do the investigation that I
        did.

        * builtins/BuiltinNames.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::callerGetter):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncBuiltinDescribe):
        * runtime/JSGlobalObjectFunctions.h:

2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove duplicate 32bit ProfileType implementation
        https://bugs.webkit.org/show_bug.cgi?id=184536

        Reviewed by Saam Barati.

        This patch removes the duplicate 32bit ProfileType implementation by unifying the 32/64 implementations.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileProfileType):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfUndefined):
        (JSC::AssemblyHelpers::branchIfNull):

2018-04-12  Mark Lam  <mark.lam@apple.com>

        Consolidate some PtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184552
        <rdar://problem/39389404>

        Reviewed by Filip Pizlo.

        Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
        Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::repatchNearCall):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::readCallTarget):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::readCallTarget):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::readCallTarget):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::readCallTarget):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitDumbVirtualCall):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCode.cpp:
        (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
        (JSC::NativeJITCode::addressForCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitNakedCall):
        (JSC::JIT::emitNakedTailCall):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::linkPolymorphicCall):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        (JSC::LLInt::moduleProgramEntryThunkGenerator):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/NativeExecutable.cpp:
        (JSC::NativeExecutable::finishCreation):
        * runtime/NativeFunction.h:
        (JSC::TaggedNativeFunction::TaggedNativeFunction):
        (JSC::TaggedNativeFunction::operator NativeFunction):
        * runtime/PtrTag.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunction.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2727 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2728
2729         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
2730         https://bugs.webkit.org/show_bug.cgi?id=184379
2731
2732         Reviewed by Žan Doberšek.
2733
2734         Load the module from the new location.
2735
2736         * PlatformWPE.cmake:
2737         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2738         (Inspector::backendCommands):
2739
2740 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2741
2742         [DFG] Remove compileBigIntEquality in DFG 32bit
2743         https://bugs.webkit.org/show_bug.cgi?id=184535
2744
2745         Reviewed by Saam Barati.
2746
2747         We can have the unified implementation for compileBigIntEquality.
2748
2749         * dfg/DFGSpeculativeJIT.cpp:
2750         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2751         * dfg/DFGSpeculativeJIT32_64.cpp:
2752         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2753         * dfg/DFGSpeculativeJIT64.cpp:
2754         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2755
2756 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2757
2758         [WPE] Improve include hierarchy
2759         https://bugs.webkit.org/show_bug.cgi?id=184376
2760
2761         Reviewed by Žan Doberšek.
2762
2763         Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
2764         /usr/include/wpe-0.1/WPE/jsc.
2765
2766         * PlatformWPE.cmake:
2767
2768 2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2769
2770         [GLIB] Handle strings containing null characters
2771         https://bugs.webkit.org/show_bug.cgi?id=184450
2772
2773         Reviewed by Michael Catanzaro.
2774
2775         We should be able to evaluate scripts containing null characters and to handle strings that contain them
2776         too. In JavaScript, strings are not null-terminated; they can contain null characters. This patch adds a length
2777         parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null-terminated), and new functions
2778         jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
2779         contain null characters.
2780
2781         * API/OpaqueJSString.cpp:
2782         (OpaqueJSString::create): Add a create constructor that takes the String.
2783         * API/OpaqueJSString.h:
2784         (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
2785         * API/glib/JSCContext.cpp:
2786         (jsc_context_evaluate): Add length parameter.
2787         (jsc_context_evaluate_with_source_uri): Ditto.
2788         * API/glib/JSCContext.h:
2789         * API/glib/JSCValue.cpp:
2790         (jsc_value_new_string_from_bytes):
2791         (jsc_value_to_string):
2792         (jsc_value_to_string_as_bytes):
2793         (jsc_value_object_is_instance_of): Pass length to evaluate.
2794         * API/glib/JSCValue.h:
2795         * API/glib/docs/jsc-glib-4.0-sections.txt:
2796
2797 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2798
2799         [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
2800         https://bugs.webkit.org/show_bug.cgi?id=184500
2801
2802         Reviewed by Mark Lam.
2803
2804         Instead of passing JSValue::JSCellTag to callOperation meta-program to convert
2805         JSCell GPR to EncodedJSValue in 32bit code, we add CCallHelpers::CellValue.
2806         It is a wrapper for GPRReg, like TrustedImmPtr for pointer value. When poking
2807         CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
2808         poke held GPR. The benefit from this CellValue is that we can use the same code
2809         for 32bit and 64bit. This patch removes several ifdefs.
2810
2811         * bytecode/AccessCase.cpp:
2812         (JSC::AccessCase::generateImpl):
2813         * dfg/DFGSpeculativeJIT.cpp:
2814         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2815         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2816         (JSC::DFG::SpeculativeJIT::cachedPutById):
2817         * dfg/DFGSpeculativeJIT32_64.cpp:
2818         (JSC::DFG::SpeculativeJIT::cachedGetById):
2819         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2820         * jit/CCallHelpers.h:
2821         (JSC::CCallHelpers::CellValue::CellValue):
2822         (JSC::CCallHelpers::CellValue::gpr const):
2823         (JSC::CCallHelpers::setupArgumentsImpl):
2824
2825 2018-04-11  Mark Lam  <mark.lam@apple.com>
2826
2827         [Build fix] Replace CompactJITCodeMap with JITCodeMap.
2828         https://bugs.webkit.org/show_bug.cgi?id=184512
2829         <rdar://problem/35391728>
2830
2831         Not reviewed.
2832
2833         * bytecode/CodeBlock.h:
2834         * jit/JITCodeMap.h:
2835
2836 2018-04-11  Mark Lam  <mark.lam@apple.com>
2837
2838         Replace CompactJITCodeMap with JITCodeMap.
2839         https://bugs.webkit.org/show_bug.cgi?id=184512
2840         <rdar://problem/35391728>
2841
2842         Reviewed by Filip Pizlo.
2843
2844         * CMakeLists.txt:
2845         * JavaScriptCore.xcodeproj/project.pbxproj:
2846         * bytecode/CodeBlock.h:
2847         (JSC::CodeBlock::setJITCodeMap):
2848         (JSC::CodeBlock::jitCodeMap const):
2849         (JSC::CodeBlock::jitCodeMap): Deleted.
2850         * dfg/DFGOSRExit.cpp:
2851         (JSC::DFG::OSRExit::executeOSRExit):
2852         * dfg/DFGOSRExitCompilerCommon.cpp:
2853         (JSC::DFG::adjustAndJumpToTarget):
2854         * jit/AssemblyHelpers.cpp:
2855         (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
2856         * jit/AssemblyHelpers.h:
2857         * jit/CompactJITCodeMap.h: Removed.
2858         * jit/JIT.cpp:
2859         (JSC::JIT::link):
2860         * jit/JITCodeMap.h: Added.
2861         (JSC::JITCodeMap::Entry::Entry):
2862         (JSC::JITCodeMap::Entry::bytecodeIndex const):
2863         (JSC::JITCodeMap::Entry::codeLocation):
2864         (JSC::JITCodeMap::append):
2865         (JSC::JITCodeMap::finish):
2866         (JSC::JITCodeMap::find const):
2867         (JSC::JITCodeMap::operator bool const):
2868         * llint/LLIntSlowPaths.cpp:
2869         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2870
2871 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2872
2873         [DFG] Remove CompareSlowPathGenerator
2874         https://bugs.webkit.org/show_bug.cgi?id=184492
2875
2876         Reviewed by Mark Lam.
2877
2878         Now CompareSlowPathGenerator is just calling a specified function.
2879         This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.
2880
2881         We also remove some of the unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
2882         introducing a new constructor for GPRTemporary.
2883
2884         * JavaScriptCore.xcodeproj/project.pbxproj:
2885         * dfg/DFGCompareSlowPathGenerator.h: Removed.
2886         * dfg/DFGSpeculativeJIT.cpp:
2887         (JSC::DFG::GPRTemporary::GPRTemporary):
2888         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
2889         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
2890         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2891         (JSC::DFG::SpeculativeJIT::compileIsObject):
2892         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2893         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2894         * dfg/DFGSpeculativeJIT.h:
2895         (JSC::DFG::GPRTemporary::GPRTemporary):
2896         * dfg/DFGSpeculativeJIT64.cpp:
2897         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2898
2899 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2900
2901         Unreviewed, build fix for 32bit
2902         https://bugs.webkit.org/show_bug.cgi?id=184236
2903
2904         * dfg/DFGSpeculativeJIT.cpp:
2905         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2906
2907 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2908
2909         [DFG] Remove duplicate 32bit code more
2910         https://bugs.webkit.org/show_bug.cgi?id=184236
2911
2912         Reviewed by Mark Lam.
2913
2914         Remove duplicate 32bit code more aggressively part 2.
2915
2916         * JavaScriptCore.xcodeproj/project.pbxproj:
2917         * dfg/DFGCompareSlowPathGenerator.h: Added.
2918         (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
2919         Drop boxing part. Use unblessedBooleanResult in DFGSpeculativeJIT side instead.
2920
2921         * dfg/DFGOperations.cpp:
2922         * dfg/DFGOperations.h:
2923         * dfg/DFGSpeculativeJIT.cpp:
2924         (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
2925         (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
2926         (JSC::DFG::SpeculativeJIT::compileIsObject):
2927         (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
2928         (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
2929         (JSC::DFG::SpeculativeJIT::compilePutById):
2930         (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
2931         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
2932         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2933         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
2934         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2935         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2936         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2937         (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
2938         (JSC::DFG::SpeculativeJIT::cachedPutById):
2939         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2940         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2941         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
2942         * dfg/DFGSpeculativeJIT.h:
2943         (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
2944         * dfg/DFGSpeculativeJIT32_64.cpp:
2945         (JSC::DFG::SpeculativeJIT::compile):
2946         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2947         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2948         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2949         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
2950         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2951         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2952         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2953         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2954         * dfg/DFGSpeculativeJIT64.cpp:
2955         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2956         (JSC::DFG::SpeculativeJIT::compile):
2957         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2958         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2959         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2960         (): Deleted.
2961         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2962         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2963         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2964         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2965         * ftl/FTLLowerDFGToB3.cpp:
2966         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2967         operationHasIndexedPropertyByInt starts returning an unblessed boolean as a size_t.
2968
2969         * jit/AssemblyHelpers.h:
2970         (JSC::AssemblyHelpers::loadValue):
2971         (JSC::AssemblyHelpers::selectScratchGPR):
2972         (JSC::AssemblyHelpers::constructRegisterSet):
2973         * jit/RegisterSet.h:
2974         (JSC::RegisterSet::setAny):
2975         Clean up selectScratchGPR code to pass JSValueRegs.
2976
2977 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
2978
2979         [ESNext][BigInt] Add support for BigInt in SpeculatedType
2980         https://bugs.webkit.org/show_bug.cgi?id=182470
2981
2982         Reviewed by Saam Barati.
2983
2984         This patch introduces the SpecBigInt type to DFG to enable BigInt
2985         speculation into DFG and FTL.
2986
2987         With SpecBigInt introduction, we can then specialize "===" operations
2988         to BigInts. As we are doing for some cells, we first check if operands
2989         are pointing to the same JSCell, and if it is false, we
2990         fall back to "operationCompareStrictEqCell". The idea in further
2991         patches is to implement BigInt equality check directly in
2992         assembly.
2993
2994         We are also adding support for BigInt constant folding into
2995         TypeOf operation.
2996
2997         * bytecode/SpeculatedType.cpp:
2998         (JSC::dumpSpeculation):
2999         (JSC::speculationFromClassInfo):
3000         (JSC::speculationFromStructure):
3001         (JSC::speculationFromJSType):
3002         (JSC::speculationFromString):
3003         * bytecode/SpeculatedType.h:
3004         (JSC::isBigIntSpeculation):
3005         * dfg/DFGAbstractInterpreterInlines.h:
3006         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3007         * dfg/DFGAbstractValue.cpp:
3008         (JSC::DFG::AbstractValue::set):
3009         * dfg/DFGConstantFoldingPhase.cpp:
3010         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3011         * dfg/DFGFixupPhase.cpp:
3012         (JSC::DFG::FixupPhase::fixupNode):
3013         (JSC::DFG::FixupPhase::fixupToThis):
3014         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3015         * dfg/DFGInferredTypeCheck.cpp:
3016         (JSC::DFG::insertInferredTypeCheck):
3017         * dfg/DFGNode.h:
3018         (JSC::DFG::Node::shouldSpeculateBigInt):
3019         * dfg/DFGPredictionPropagationPhase.cpp:
3020         * dfg/DFGSafeToExecute.h:
3021         (JSC::DFG::SafeToExecuteEdge::operator()):
3022         * dfg/DFGSpeculativeJIT.cpp:
3023         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3024         (JSC::DFG::SpeculativeJIT::speculateBigInt):
3025         (JSC::DFG::SpeculativeJIT::speculate):
3026         * dfg/DFGSpeculativeJIT.h:
3027         * dfg/DFGSpeculativeJIT32_64.cpp:
3028         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
3029         * dfg/DFGSpeculativeJIT64.cpp:
3030         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
3031         * dfg/DFGUseKind.cpp:
3032         (WTF::printInternal):
3033         * dfg/DFGUseKind.h:
3034         (JSC::DFG::typeFilterFor):
3035         (JSC::DFG::isCell):
3036         * ftl/FTLCapabilities.cpp:
3037         (JSC::FTL::canCompile):
3038         * ftl/FTLLowerDFGToB3.cpp:
3039         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
3040         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
3041         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3042         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
3043         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
3044         * jit/AssemblyHelpers.cpp:
3045         (JSC::AssemblyHelpers::branchIfNotType):
3046         * jit/AssemblyHelpers.h:
3047         (JSC::AssemblyHelpers::branchIfBigInt):
3048         (JSC::AssemblyHelpers::branchIfNotBigInt):
3049         * runtime/InferredType.cpp:
3050         (JSC::InferredType::Descriptor::forValue):
3051         (JSC::InferredType::Descriptor::putByIdFlags const):
3052         (JSC::InferredType::Descriptor::merge):
3053         (WTF::printInternal):
3054         * runtime/InferredType.h:
3055         * runtime/JSBigInt.h:
3056
3057 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
3058
3059         Unreviewed, fix cloop build.
3060
3061         * dfg/DFGAbstractInterpreterClobberState.cpp:
3062
3063 2018-04-10  Mark Lam  <mark.lam@apple.com>
3064
3065         Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
3066         https://bugs.webkit.org/show_bug.cgi?id=184464
3067         <rdar://problem/39323947>
3068
3069         Reviewed by Saam Barati.
3070
3071         * heap/MarkedSpace.h:
3072         (JSC::MarkedSpace::sizeClassToIndex):
3073
3074 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
3075
3076         DFG AI and clobberize should agree with each other
3077         https://bugs.webkit.org/show_bug.cgi?id=184440
3078
3079         Reviewed by Saam Barati.
3080         
3081         One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
3082         agree with each other. That's what this patch does: it adds an assertion that AI's structure
3083         state tracking must be equivalent to JSCell_structureID being clobbered.
3084         
3085         One subtlety is that AI sometimes folds away structure clobbering using information that
3086         clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
3087         ObservedTransitions).
3088         
3089         This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
3090         clobberize missing a write(Heap).
3091         
3092         This also makes some cases more precise in order to appease the assertion. Making things more
3093         precise might make things faster, but I didn't measure it because that wasn't the goal.
3094
3095         * JavaScriptCore.xcodeproj/project.pbxproj:
3096         * Sources.txt:
3097         * dfg/DFGAbstractInterpreter.h:
3098         * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
3099         (WTF::printInternal):
3100         * dfg/DFGAbstractInterpreterClobberState.h: Added.
3101         (JSC::DFG::mergeClobberStates):
3102         * dfg/DFGAbstractInterpreterInlines.h:
3103         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
3104         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3105         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
3106         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
3107         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
3108         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
3109         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
3110         (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
3111         * dfg/DFGAtTailAbstractState.h:
3112         (JSC::DFG::AtTailAbstractState::setClobberState):
3113         (JSC::DFG::AtTailAbstractState::mergeClobberState):
3114         (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
3115         * dfg/DFGCFAPhase.cpp:
3116         (JSC::DFG::CFAPhase::performBlockCFA):
3117         * dfg/DFGClobberSet.cpp:
3118         (JSC::DFG::writeSet):
3119         * dfg/DFGClobberSet.h:
3120         * dfg/DFGClobberize.h:
3121         (JSC::DFG::clobberize):
3122         * dfg/DFGConstantFoldingPhase.cpp:
3123         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3124         * dfg/DFGInPlaceAbstractState.h:
3125         (JSC::DFG::InPlaceAbstractState::clobberState const):
3126         (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
3127         (JSC::DFG::InPlaceAbstractState::didClobber const):
3128         (JSC::DFG::InPlaceAbstractState::setClobberState):
3129         (JSC::DFG::InPlaceAbstractState::mergeClobberState):
3130         (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
3131
3132 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
3133
3134         ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
3135         https://bugs.webkit.org/show_bug.cgi?id=184460
3136         <rdar://problem/37610966>
3137
3138         Reviewed by Mark Lam.
3139
3140         * bytecode/ExecutableToCodeBlockEdge.cpp:
3141         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3142
3143 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
3144
3145         REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
3146         https://bugs.webkit.org/show_bug.cgi?id=184455
3147
3148         Reviewed by Michael Saboff.
3149         
3150         LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
3151         says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
3152         (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
3153         the thing being hoisted does have effects, then we get a crash.
3154         
3155         In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
3156         CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
3157         would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
3158         effectful.
3159         
3160         Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
3161         clobberize to also think that CompareEq(Untyped:, _) is effectful.
3162         
3163         This fixes the whole situation by teaching both clobberize and AI that the only effectful form
3164         of CompareEq is CompareEq(Untyped:, Untyped:).
3165
3166         * dfg/DFGAbstractInterpreterInlines.h:
3167         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3168         * dfg/DFGClobberize.h:
3169         (JSC::DFG::clobberize):
3170
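The distinction the entry above draws, that only CompareEq(Untyped:, Untyped:) can run user code while CompareEq(Untyped:, Other:) cannot, is observable from script. The following is an added illustration, not WebKit code; makeObservable() and the two loop functions are constructed for the example. A loose comparison of an object against a number goes through ToPrimitive and so invokes the object's valueOf() on every iteration (an effect a compiler may not hoist out of the loop), whereas a loose comparison against null or undefined (the DFG's "Other" values) is decided by the operand's type alone and never calls into user code.

```javascript
// Added example (not WebKit code): why CompareEq(Untyped, Untyped) is the only
// effectful form of loose equality, while CompareEq(Untyped, Other) is not.
"use strict";

// Constructed object whose conversion to a primitive is observable: every time
// the engine needs a primitive for it, the counter increments.
function makeObservable() {
  let hits = 0;
  const obj = {
    valueOf() { hits++; return 1; },
  };
  return { obj, hits: () => hits };
}

// Object == number: both operands are "Untyped" from the compiler's point of
// view, so == must call ToPrimitive and user code runs. Hoisting this compare
// out of the loop would change how many times valueOf() executes.
function looseEqObjectVsNumber(iterations) {
  const { obj, hits } = makeObservable();
  let trues = 0;
  for (let i = 0; i < iterations; i++) {
    if (obj == 1) trues++;      // calls obj.valueOf() on every iteration
  }
  return { trues, hits: hits() };
}

// Object == null: the right operand is "Other" (null/undefined). Only null and
// undefined are == null, so the result depends on the left operand's type alone;
// no ToPrimitive, no user code, and the compare is safe to hoist.
function looseEqObjectVsNull(iterations) {
  const { obj, hits } = makeObservable();
  let trues = 0;
  for (let i = 0; i < iterations; i++) {
    if (obj == null) trues++;   // never invokes obj.valueOf()
  }
  return { trues, hits: hits() };
}
```

Run under node with a few iterations: the object-vs-number loop reports as many valueOf() hits as iterations, the object-vs-null loop reports none. That asymmetry is exactly why clobberize and AI must agree that the first form writes the heap and the second does not.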
3171 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
3172
3173         Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
3174         https://bugs.webkit.org/show_bug.cgi?id=184372
3175
3176         Reviewed by Saam Barati.
3177         
3178         We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
3179         have already proved, using techniques that are more precise than AI, that the edge has type
3180         Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
3181         because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
3182         other than a check - so we think we can call those just because we should have already
3183         bailed. It's better to think of them as the result of folding a check. Therefore, we should
3184         only do it if there had been a check to begin with.
3185
3186         * dfg/DFGSpeculativeJIT64.cpp:
3187         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3188         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3189         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3190         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3191         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3192         * ftl/FTLLowerDFGToB3.cpp:
3193         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
3194         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
3195         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
3196         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
3197         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
3198         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3199         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
3200         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
3201
3202 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3203
3204         [JSC] Introduce @putByIdDirectPrivate
3205         https://bugs.webkit.org/show_bug.cgi?id=184400
3206
3207         Reviewed by Saam Barati.
3208
3209         This patch adds @putByIdDirectPrivate() to use it for builtin JS.
3210         @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
3211         for accessing ECMAScript internal fields.
3212
3213         This change removes an accidental [[Put]] operation to an object whose [[Prototype]]
3214         has internal fields (not direct properties). By using @getByIdDirectPrivate() and
3215         @putByIdDirectPrivate(), we strictly keep the semantics of ECMAScript internal
3216         fields: accessing the internal fields does not traverse prototype chains.
3217
3218         * builtins/ArrayIteratorPrototype.js:
3219         (globalPrivate.arrayIteratorValueNext):
3220         (globalPrivate.arrayIteratorKeyNext):
3221         (globalPrivate.arrayIteratorKeyValueNext):
3222         * builtins/ArrayPrototype.js:
3223         (globalPrivate.createArrayIterator):
3224         * builtins/AsyncFromSyncIteratorPrototype.js:
3225         (globalPrivate.AsyncFromSyncIteratorConstructor):
3226         * builtins/AsyncFunctionPrototype.js:
3227         (globalPrivate.asyncFunctionResume):
3228         * builtins/AsyncGeneratorPrototype.js:
3229         (globalPrivate.asyncGeneratorQueueEnqueue):
3230         (globalPrivate.asyncGeneratorQueueDequeue):
3231         (asyncGeneratorYieldAwaited):
3232         (globalPrivate.asyncGeneratorYield):
3233         (globalPrivate.doAsyncGeneratorBodyCall):
3234         (globalPrivate.asyncGeneratorResumeNext):
3235         * builtins/GeneratorPrototype.js:
3236         (globalPrivate.generatorResume):
3237         * builtins/MapIteratorPrototype.js:
3238         (globalPrivate.mapIteratorNext):
3239         * builtins/MapPrototype.js:
3240         (globalPrivate.createMapIterator):
3241         * builtins/ModuleLoaderPrototype.js:
3242         (forceFulfillPromise):
3243         * builtins/PromiseOperations.js:
3244         (globalPrivate.newHandledRejectedPromise):
3245         (globalPrivate.rejectPromise):
3246         (globalPrivate.fulfillPromise):
3247         (globalPrivate.initializePromise):
3248         * builtins/PromisePrototype.js:
3249         (then):
3250         * builtins/SetIteratorPrototype.js:
3251         (globalPrivate.setIteratorNext):
3252         * builtins/SetPrototype.js:
3253         (globalPrivate.createSetIterator):
3254         * builtins/StringIteratorPrototype.js:
3255         (next):
3256         * bytecode/BytecodeIntrinsicRegistry.h:
3257         * bytecompiler/NodesCodegen.cpp:
3258         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
3259         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
3260
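The hazard the entry above fixes, an ordinary [[Put]] reaching a prototype instead of the object's own slot, can be reproduced in plain script. The following is an added illustration, not WebKit code: JSC's private names are unreachable from JavaScript, so a Symbol stands in for the internal field, and the Base class, the accessor on its prototype, and the initWithPut/initWithDirect/getDirect helpers are all constructed for the example. initWithPut() mirrors a @putByIdDirect-style [[Put]] (prototype setters are honoured); initWithDirect() mirrors @putByIdDirectPrivate (an own property is defined and the chain is ignored); getDirect() mirrors @getByIdDirectPrivate (only the own slot is read).

```javascript
// Added example (not WebKit code): why an internal-field store must be a
// direct define rather than an ordinary [[Put]] that walks the prototype chain.
"use strict";

// Constructed stand-in for an internal field. Real JSC private names cannot be
// named from script; a Symbol just makes the effect visible here.
const kState = Symbol("state");

// An accessor installed on the prototype under the same key. With [[Put]],
// an assignment on an instance finds this setter and runs it instead of
// creating an own property, so the "internal" value escapes to the prototype's code.
class Base {}
let setterCalls = 0;
Object.defineProperty(Base.prototype, kState, {
  set(v) { setterCalls++; this.leaked = v; },
  get() { return "from-prototype-getter"; },
  configurable: true,
});

// [[Put]] semantics (ordinary assignment): honours prototype setters.
function initWithPut(obj, value) {
  obj[kState] = value;
  return obj;
}

// Direct-define semantics: creates an own data property, ignores the chain.
function initWithDirect(obj, value) {
  Object.defineProperty(obj, kState, {
    value, writable: true, enumerable: false, configurable: true,
  });
  return obj;
}

// Direct-get semantics: read the own slot only, never consult the prototype.
function getDirect(obj) {
  const d = Object.getOwnPropertyDescriptor(obj, kState);
  return d ? d.value : undefined;
}

function demoPut() {
  setterCalls = 0;
  const o = initWithPut(new Base(), "secret");
  return {
    setterCalls,               // 1: the prototype setter intercepted the store
    ownSlot: getDirect(o),     // undefined: no own property was created
    leaked: o.leaked,          // "secret": the setter saw the value
  };
}

function demoDirect() {
  setterCalls = 0;
  const o = initWithDirect(new Base(), "secret");
  return {
    setterCalls,               // 0: prototype setter never ran
    ownSlot: getDirect(o),     // "secret": stored in the object's own slot
    leaked: o.leaked,          // undefined
  };
}
```

Call demoPut() and demoDirect() under node: the [[Put]] path never populates the object's own slot and instead hands the value to the prototype accessor, which is precisely the traversal the builtins must avoid for internal fields.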
3261 2018-04-09  Mark Lam  <mark.lam@apple.com>
3262
3263         Decorate method table entries to support pointer profiling.
3264         https://bugs.webkit.org/show_bug.cgi?id=184430
3265         <rdar://problem/39296190>
3266
3267         Reviewed by Saam Barati.
3268
3269         * runtime/ClassInfo.h:
3270
3271 2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>
3272
3273         [WPE] Don't install JSC C API headers
3274         https://bugs.webkit.org/show_bug.cgi?id=184375
3275
3276         Reviewed by Žan Doberšek.
3277
3278         None of the functions declared in these headers are exported in WPE. Use the new jsc API
3279         instead.
3280
3281         * PlatformWPE.cmake:
3282
3283 2018-04-08  Mark Lam  <mark.lam@apple.com>
3284
3285         Add pointer profiling to the FTL and supporting code.
3286         https://bugs.webkit.org/show_bug.cgi?id=184395
3287         <rdar://problem/39264019>
3288
3289         Reviewed by Michael Saboff and Filip Pizlo.
3290
3291         * assembler/CodeLocation.h:
3292         (JSC::CodeLocationLabel::retagged):
3293         (JSC::CodeLocationJump::retagged):
3294         * assembler/LinkBuffer.h:
3295         (JSC::LinkBuffer::locationOf):
3296         * dfg/DFGJITCompiler.cpp:
3297         (JSC::DFG::JITCompiler::linkOSRExits):
3298         (JSC::DFG::JITCompiler::link):
3299         * ftl/FTLCompile.cpp:
3300         (JSC::FTL::compile):
3301         * ftl/FTLExceptionTarget.cpp:
3302         (JSC::FTL::ExceptionTarget::label):
3303         (JSC::FTL::ExceptionTarget::jumps):
3304         * ftl/FTLExceptionTarget.h:
3305         * ftl/FTLJITCode.cpp:
3306         (JSC::FTL::JITCode::executableAddressAtOffset):
3307         * ftl/FTLLazySlowPath.cpp:
3308         (JSC::FTL::LazySlowPath::~LazySlowPath):
3309         (JSC::FTL::LazySlowPath::initialize):
3310         (JSC::FTL::LazySlowPath::generate):
3311         (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
3312         * ftl/FTLLazySlowPath.h:
3313         * ftl/FTLLink.cpp:
3314         (JSC::FTL::link):
3315         * ftl/FTLLowerDFGToB3.cpp:
3316         (JSC::FTL::DFG::LowerDFGToB3::lower):
3317         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3318         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3319         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3320         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3321         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3322         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3323         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3324         * ftl/FTLOSRExitCompiler.cpp:
3325         (JSC::FTL::compileStub):
3326         (JSC::FTL::compileFTLOSRExit):
3327         * ftl/FTLOSRExitHandle.cpp:
3328         (JSC::FTL::OSRExitHandle::emitExitThunk):
3329         * ftl/FTLOperations.cpp:
3330         (JSC::FTL::compileFTLLazySlowPath):
3331         * ftl/FTLOutput.h:
3332         (JSC::FTL::Output::callWithoutSideEffects):
3333         (JSC::FTL::Output::operation):
3334         * ftl/FTLPatchpointExceptionHandle.cpp:
3335         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3336         * ftl/FTLSlowPathCall.cpp:
3337         (JSC::FTL::SlowPathCallContext::makeCall):
3338         * ftl/FTLSlowPathCallKey.h:
3339         (JSC::FTL::SlowPathCallKey::withCallTarget):
3340         (JSC::FTL::SlowPathCallKey::callPtrTag const):
3341         * ftl/FTLThunks.cpp:
3342         (JSC::FTL::genericGenerationThunkGenerator):
3343         (JSC::FTL::osrExitGenerationThunkGenerator):
3344         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3345         (JSC::FTL::slowPathCallThunkGenerator):
3346         * jit/JITMathIC.h:
3347         (JSC::isProfileEmpty):
3348         * jit/Repatch.cpp:
3349         (JSC::readPutICCallTarget):
3350         (JSC::ftlThunkAwareRepatchCall):
3351         (JSC::tryCacheGetByID):
3352         (JSC::repatchGetByID):
3353         (JSC::tryCachePutByID):
3354         (JSC::repatchPutByID):
3355         (JSC::repatchIn):
3356         (JSC::resetGetByID):
3357         (JSC::resetPutByID):
3358         (JSC::readCallTarget): Deleted.
3359         * jit/Repatch.h:
3360         * runtime/PtrTag.h:
3361
3362 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3363
3364         Unreviewed, attempt to fix Windows build
3365         https://bugs.webkit.org/show_bug.cgi?id=183508
3366
3367         * jit/JIT.h:
3368
3369 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3370
3371         Unreviewed, build fix for Windows by suppressing padding warning for JIT
3372         https://bugs.webkit.org/show_bug.cgi?id=183508
3373
3374         * jit/JIT.h:
3375
3376 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3377
3378         Use alignas instead of compiler-specific attributes
3379         https://bugs.webkit.org/show_bug.cgi?id=183508
3380
3381         Reviewed by Mark Lam.
3382
3383         Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
3384
3385         * heap/RegisterState.h:
3386         * jit/JIT.h:
3387         (JSC::JIT::compile): Deleted.
3388         (JSC::JIT::compileGetByVal): Deleted.
3389         (JSC::JIT::compileGetByValWithCachedId): Deleted.
3390         (JSC::JIT::compilePutByVal): Deleted.
3391         (JSC::JIT::compileDirectPutByVal): Deleted.
3392         (JSC::JIT::compilePutByValWithCachedId): Deleted.
3393         (JSC::JIT::compileHasIndexedProperty): Deleted.
3394         (JSC::JIT::appendCall): Deleted.
3395         (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
3396         (JSC::JIT::exceptionCheck): Deleted.
3397         (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
3398         (JSC::JIT::emitInt32Load): Deleted.
3399         (JSC::JIT::emitInt32GetByVal): Deleted.
3400         (JSC::JIT::emitInt32PutByVal): Deleted.
3401         (JSC::JIT::emitDoublePutByVal): Deleted.