Update FULLSCREEN_API feature defines.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-12-21  Jeremy Jones  <jeremyj@apple.com>

        Update FULLSCREEN_API feature defines.
        https://bugs.webkit.org/show_bug.cgi?id=181015

        Reviewed by Tim Horton.

        Change enabled iPhone SDK for FULLSCREEN_API.

        * Configurations/FeatureDefines.xcconfig:

2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Do not check isValid() in op_new_regexp
        https://bugs.webkit.org/show_bug.cgi?id=180970

        Reviewed by Saam Barati.

        We should not check `isValid()` inside op_new_regexp.
        This simplifies the semantics of NewRegexp node in DFG.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewRegexp):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2017-12-20  Saam Barati  <sbarati@apple.com>

        GetPropertyEnumerator in DFG/FTL should not unconditionally speculate cell
        https://bugs.webkit.org/show_bug.cgi?id=181054

        Reviewed by Mark Lam.

        Speedometer's react subtest has a function that is in an OSR exit loop because
        we used to unconditionally speculate cell for the operand to GetPropertyEnumerator.
        This fix doesn't seem to speed up Speedometer at all, but it's good hygiene
        for our compiler to not have this pathology. This patch adds a generic
        GetPropertyEnumerator to prevent the exit loop.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2017-12-20  Daniel Bates  <dabates@apple.com>

        Remove Alternative Presentation Button
        https://bugs.webkit.org/show_bug.cgi?id=180500
        <rdar://problem/35891047>

        Reviewed by Simon Fraser.

        We no longer need the alternative presentation button.

        * Configurations/FeatureDefines.xcconfig:

2017-12-19  Saam Barati  <sbarati@apple.com>

        We forgot to do index masking for in bounds int32 arrays in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=180987

        Reviewed by Keith Miller.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):

2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] NewRegexp should be fast
        https://bugs.webkit.org/show_bug.cgi?id=180960

        Reviewed by Michael Saboff.

        When we encounter a RegExp literal like /AAA/g, we need to create a RegExp object.
        A typical idiom like `string.match(/regexp/)` requires RegExp object creation
        every time.

        As a first step, this patch accelerates RegExp object creation by handling it
        in DFG and FTL. In a subsequent patch, we would like to introduce PhantomNewRegexp
        to remove unnecessary RegExp object creations.

        This patch improves SixSpeed/regex-u.{es5,es6}.

                                     baseline                  patched

            regex-u.es5          69.6759+-3.1951     ^     53.1425+-2.0292        ^ definitely 1.3111x faster
            regex-u.es6         129.5413+-5.4437     ^    107.2105+-7.7775        ^ definitely 1.2083x faster

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewRegexp):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_regexp):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::offsetOfRegExp):
        (JSC::RegExpObject::allocationSize):

2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, include YarrErrorCode.h in Yarr.h
        https://bugs.webkit.org/show_bug.cgi?id=180966

        * yarr/Yarr.h:

2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [YARR] Yarr should return ErrorCode instead of error messages (const char*)
        https://bugs.webkit.org/show_bug.cgi?id=180966

        Reviewed by Mark Lam.

        Currently, Yarr returns `const char*` for an error message when needed.
        But it is easier to handle error status if Yarr returns an error code
        instead of `const char*`.

        In this patch, we introduce Yarr::ErrorCode. Yarr returns it instead of
        `const char*`. `std::expected<void, Yarr::ErrorCode>` would be appropriate
        for the Yarr API interface. But it requires substantial changes removing
        ErrorCode::NoError, so this patch just uses the current Yarr::ErrorCode as
        a first step.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createRegExp):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createRegExp):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::byteCodeCompileIfNecessary):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExp.h:
        * yarr/RegularExpression.cpp:
        (JSC::Yarr::RegularExpression::Private::Private):
        (JSC::Yarr::RegularExpression::Private::compile):
        * yarr/YarrErrorCode.cpp: Added.
        (JSC::Yarr::errorMessage):
        * yarr/YarrErrorCode.h: Copied from Source/JavaScriptCore/yarr/YarrSyntaxChecker.h.
        (JSC::Yarr::hasError):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
        (JSC::Yarr::Parser::Parser):
        (JSC::Yarr::Parser::isIdentityEscapeAnError):
        (JSC::Yarr::Parser::parseEscape):
        (JSC::Yarr::Parser::parseCharacterClass):
        (JSC::Yarr::Parser::parseParenthesesBegin):
        (JSC::Yarr::Parser::parseParenthesesEnd):
        (JSC::Yarr::Parser::parseQuantifier):
        (JSC::Yarr::Parser::parseTokens):
        (JSC::Yarr::Parser::parse):
        (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
        (JSC::Yarr::Parser::tryConsumeUnicodePropertyExpression):
        (JSC::Yarr::parse):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
        (JSC::Yarr::YarrPatternConstructor::setupOffsets):
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::YarrPattern::YarrPattern):
        (JSC::Yarr::YarrPattern::errorMessage): Deleted.
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        * yarr/YarrSyntaxChecker.cpp:
        (JSC::Yarr::checkSyntax):
        * yarr/YarrSyntaxChecker.h:

2017-12-18  Saam Barati  <sbarati@apple.com>

        Follow up to bug#179762. Fix PreciseLocalClobberize to handle Spread/PhantomSpread(PhantomNewArrayBuffer)

        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):

2017-12-16  Filip Pizlo  <fpizlo@apple.com>

        Vector index masking
        https://bugs.webkit.org/show_bug.cgi?id=180909

        Reviewed by Keith Miller.

        Adopt index masking for strings.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
        * jit/ThunkGenerators.cpp:
        (JSC::stringCharLoad):

2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] NewArrayBuffer should be sunk if it is only used for spreading
        https://bugs.webkit.org/show_bug.cgi?id=179762

        Reviewed by Saam Barati.

        This patch extends arguments elimination phase to accept NewArrayBuffer.
        We can convert NewArrayBuffer to PhantomNewArrayBuffer if it is only
        used by spreading nodes.

        This improves SixSpeed spread.es6 by 3.5x.

            spread.es6           79.1496+-3.5665     ^     23.6204+-1.8526        ^ definitely 3.3509x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasNewArrayBufferData):
        (JSC::DFG::Node::hasVectorLengthHint):
        (JSC::DFG::Node::hasIndexingType):
        (JSC::DFG::Node::indexingType):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::isPhantomAllocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        (JSC::FTL::operationMaterializeObjectInOSR):

2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use IsoSpace for JSWeakMap and JSWeakSet to use finalizeUnconditionally
        https://bugs.webkit.org/show_bug.cgi?id=180916

        Reviewed by Darin Adler.

        This patch drops UnconditionalFinalizer for JSWeakMap and JSWeakSet by using IsoSpace.
        Since these cells always require calling finalizeUnconditionally, we do not need to
        track cells by using IsoCellSet.

        Currently we still have WeakReferenceHarvester in JSWeakMap and JSWeakSet. We should
        avoid using a global linked-list for this in the future.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * heap/Heap.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WeakMapImpl.cpp:
        (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
        (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally): Deleted.
        * runtime/WeakMapImpl.h:
        (JSC::WeakMapImpl::isWeakMap):
        (JSC::WeakMapImpl::isWeakSet):
        (JSC::WeakMapImpl::subspaceFor):
        * runtime/WeakMapImplInlines.h: Added.
        (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):

2017-12-17  Mark Lam  <mark.lam@apple.com>

        Hollow out stub implementation of InspectorBackendDispatcher::sendResponse().
        https://bugs.webkit.org/show_bug.cgi?id=180901
        <rdar://problem/36087649>

        Reviewed by Darin Adler.

        We only need to keep a deprecated implementation of InspectorValues,
        InspectorObjects, and InspectorBackendDispatcher::sendResponse() around so that
        older versions of Safari can link against and run with a build of the latest code
        in WebKit trunk. Older versions of System Safari used InspectorValues (via
        WebInspector.framework) for two things:

        1. Augmented JSContexts SPIs (via WebInspector.framework).
        2. maybe WebDriver.

        Neither of these is used when running SafariForWebKitDevelopment.  Since neither
        is used, we can stub out the symbols (InspectorValues, InspectorObjects,
        InspectorBackendDispatcher::sendResponse) to do nothing, and
        SafariForWebKitDevelopment will still continue to launch with trunk WebKit, and
        run without any observable bad behavior.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * SourcesCocoa.txt:
        * inspector/InspectorBackendDispatcher.cpp:
        * inspector/InspectorBackendDispatcher.h:
        * inspector/cocoa/DeprecatedInspectorValues.cpp:
        (Inspector::InspectorValue::null):
        (Inspector::InspectorValue::create):
        (Inspector::InspectorValue::asValue):
        (Inspector::InspectorValue::asObject):
        (Inspector::InspectorValue::asArray):
        (Inspector::InspectorValue::parseJSON):
        (Inspector::InspectorValue::toJSONString const):
        (Inspector::InspectorValue::asBoolean const):
        (Inspector::InspectorValue::asDouble const):
        (Inspector::InspectorValue::asInteger const):
        (Inspector::InspectorValue::asString const):
        (Inspector::InspectorValue::writeJSON const):
        (Inspector::InspectorValue::memoryCost const):
        (Inspector::InspectorObjectBase::openAccessors):
        (Inspector::InspectorObjectBase::memoryCost const):
        (Inspector::InspectorObjectBase::getBoolean const):
        (Inspector::InspectorObjectBase::getString const):
        (Inspector::InspectorObjectBase::getObject const):
        (Inspector::InspectorObjectBase::getArray const):
        (Inspector::InspectorObjectBase::getValue const):
        (Inspector::InspectorObjectBase::remove):
        (Inspector::InspectorObject::create):
        (Inspector::InspectorArrayBase::get const):
        (Inspector::InspectorArrayBase::memoryCost const):
        (Inspector::InspectorArray::create):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::InspectorObjectBase::~InspectorObjectBase): Deleted.
        (Inspector::InspectorObjectBase::asObject): Deleted.
        (Inspector::InspectorObjectBase::writeJSON const): Deleted.
        (Inspector::InspectorObjectBase::InspectorObjectBase): Deleted.
        (Inspector::InspectorArrayBase::~InspectorArrayBase): Deleted.
        (Inspector::InspectorArrayBase::asArray): Deleted.
        (Inspector::InspectorArrayBase::writeJSON const): Deleted.
        (Inspector::InspectorArrayBase::InspectorArrayBase): Deleted.
        * inspector/cocoa/DeprecatedInspectorValues.h: Removed.

2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][WebCore][CSSJIT] Remove VM reference in CSSJIT
        https://bugs.webkit.org/show_bug.cgi?id=180917

        Reviewed by Sam Weinig.

        We do not need to hold JIT flags in VM. We add
        static VM::{canUseJIT,canUseAssembler,canUseRegExpJIT} functions.

        * interpreter/AbstractPC.cpp:
        (JSC::AbstractPC::AbstractPC):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        (JSC::JITThunks::ctiNativeTailCall):
        (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
        (JSC::JITThunks::ctiInternalFunctionCall):
        (JSC::JITThunks::ctiInternalFunctionConstruct):
        (JSC::JITThunks::hostFunctionStub):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::shouldJIT):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/VM.cpp:
        (JSC::VM::canUseAssembler):
        (JSC::VM::canUseJIT):
        (JSC::VM::canUseRegExpJIT):
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::canUseJIT): Deleted.
        (JSC::VM::canUseRegExpJIT): Deleted.

2017-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Number of SlotVisitors can increase after setting up m_visitCounters
        https://bugs.webkit.org/show_bug.cgi?id=180906

        Reviewed by Filip Pizlo.

        The number of SlotVisitors can increase after setting up m_visitCounters.
        If it happens, our m_visitCounters misses the visit count of newly added
        SlotVisitors. It accidentally decides that constraints are converged.
        This leads to random assertion hits in the Linux environment.

        In this patch, we compare the number of SlotVisitors in didVisitSomething().
        If the number of SlotVisitors is changed, we conservatively say we did
        visit something.

        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::numberOfSlotVisitors):
        * heap/MarkingConstraintSet.h:
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::didVisitSomething const):

2017-12-16  Keith Miller  <keith_miller@apple.com>

        Indexing should only be computed when the new structure has an indexing header.
        https://bugs.webkit.org/show_bug.cgi?id=180895

        Reviewed by Saam Barati.

        If we don't have an indexing header then we point the butterfly
        sizeof(IndexingHeader) past the end of the butterfly. This makes
        the computation of the offset simpler since it doesn't depend on
        the indexing headeriness of the butterfly.

        * jit/JITOperations.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):

2017-12-15  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r225941.

        This change introduced LayoutTest crashes and assertion
        failures.

        Reverted changeset:

        "Web Inspector: replace HTMLCanvasElement with
        CanvasRenderingContext for instrumentation logic"
        https://bugs.webkit.org/show_bug.cgi?id=180770
        https://trac.webkit.org/changeset/225941

2017-12-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, 32bit JSEmpty is not nullptr + CellTag
        https://bugs.webkit.org/show_bug.cgi?id=180804

        Add 32bit path for WeakMapGet.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):

2017-12-14  Saam Barati  <sbarati@apple.com>

        The CleanUp after LICM is erroneously removing a Check
        https://bugs.webkit.org/show_bug.cgi?id=180852
        <rdar://problem/36063494>

        Reviewed by Filip Pizlo.

        There was a bug where CleanUp phase relied on isProved() bits and LICM
        changed them in an invalid way. The bug is as follows:

        We have two loops, L1 and L2, and two preheaders, P1 and P2. L2 is nested
        inside of L1. We have a Check inside a node inside L1, say in basic block BB,
        and that Check dominates all of L2. This is also a hoisting candidate, so we
        hoist it outside of L1 and put it inside P1. Then, when we run AI, we look at
        the preheader for each loop inside L1, so P1 and P2. When considering P2,
        we execute the Check. Inside P2, before any hoisting is done, this Check
        is dead code, because BB dominates P2. When we use AI to "execute" the
        Check, it'll set its proof status to proved. This is because inside P2,
        in the program before LICM runs, the Check is indeed proven at P2. But
        it is not proven inside P1. This "execute" call will set our proof status
        for the node inside *P1*, hence, we crash.

        The fix here is to make LICM precise when updating the ProofStatus of an edge.
        It can trust the AI state at the preheader it hoists the node to, but it can't
        trust the state when executing effects inside inner loops' preheaders.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2017-12-14  David Kilzer  <ddkilzer@apple.com>

        Enable -Wstrict-prototypes for WebKit
        <https://webkit.org/b/180757>
        <rdar://problem/36024132>

        Rubber-stamped by Joseph Pecoraro.

        * API/tests/CompareAndSwapTest.h:
        (testCompareAndSwap): Add 'void' to C function declaration.
        * API/tests/ExecutionTimeLimitTest.h:
        (testExecutionTimeLimit): Ditto.
        * API/tests/FunctionOverridesTest.h:
        (testFunctionOverrides): Ditto.
        * API/tests/GlobalContextWithFinalizerTest.h:
        (testGlobalContextWithFinalizer): Ditto.
        * API/tests/JSONParseTest.h:
        (testJSONParse): Ditto.
        * API/tests/MultithreadedMultiVMExecutionTest.h:
        (startMultithreadedMultiVMExecutionTest): Ditto.
        (finalizeMultithreadedMultiVMExecutionTest): Ditto.
        * API/tests/PingPongStackOverflowTest.h:
        (testPingPongStackOverflow): Ditto.
        * Configurations/Base.xcconfig:
        (CLANG_WARN_STRICT_PROTOTYPES): Add. Set to YES.

2017-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Reduce register pressure of WeakMapGet to be used for 32bit
        https://bugs.webkit.org/show_bug.cgi?id=180804

        Reviewed by Saam Barati.

        This fixes 32bit failures of JSC by reducing register pressure of WeakMapGet.

        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::lockedCount const):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):

2017-12-14  Keith Miller  <keith_miller@apple.com>

        Unreviewed, forgot to add { }

        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):

2017-12-14  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
        https://bugs.webkit.org/show_bug.cgi?id=180770

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:

2017-12-14  Keith Miller  <keith_miller@apple.com>

        Fix assertion in JSObject's structure setting methods
        https://bugs.webkit.org/show_bug.cgi?id=180840

        Reviewed by Mark Lam.

        I forgot that when Typed Arrays have non-indexed properties
        added to them, they call the generic code. The generic code
        in turn calls the regular structure setting methods. Thus,
        these assertions were invalid and we should just avoid setting
        the indexing mask if we have a Typed Array.

        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):

2017-12-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r225695): Repro crash on yahoo login page
        https://bugs.webkit.org/show_bug.cgi?id=180761

        Reviewed by JF Bastien.

        Relanding r225695 with a fix.

        The fix is that we need to save the return address for a parentheses in
        the ParenContext because it is actually used by any immediately contained
        alternatives.

        Also did a little refactoring, changing occurrences of PatternContext to
        ParenContext since that is the name of the structure.

        * runtime/RegExp.cpp:
        (JSC::byteCodeCompilePattern):
        (JSC::RegExp::byteCodeCompileIfNecessary):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExp.h:
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * testRegExp.cpp:
        (parseRegExpLine):
        (runFromFiles):
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::dumpDisjunction):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
        (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
        (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
        (JSC::Yarr::YarrGenerator::initParenContextFreeList):
        (JSC::Yarr::YarrGenerator::allocateParenContext):
        (JSC::Yarr::YarrGenerator::freeParenContext):
        (JSC::Yarr::YarrGenerator::saveParenContext):
        (JSC::Yarr::YarrGenerator::restoreParenContext):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::storeToFrame):
        (JSC::Yarr::YarrGenerator::generateJITFailReturn):
        (JSC::Yarr::YarrGenerator::clearMatches):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::indentForNestingLevel):
        (JSC::Yarr::dumpUChar32):
        (JSC::Yarr::dumpCharacterClass):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::YarrPattern::dumpPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternTerm::containsAnyCaptures):
        (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
        (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
        (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
        (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
        (JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex):
        (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.

2017-12-13  Keith Miller  <keith_miller@apple.com>

        JSObjects should have a mask for loading indexed properties
        https://bugs.webkit.org/show_bug.cgi?id=180768

        Reviewed by Mark Lam.

        This patch adds a new member to JSObject that holds an indexing
        mask.  The indexing mask is bitwise ANDed with the index used to
        load a property.  If for whatever reason an attacker is able to
        clobber the vectorLength of our butterfly they still won't be able
        to read substantially past the end of the butterfly. For
        performance reasons we don't use the indexing masking for
        TypedArrays. Since TypedArrays are already gigacaged the risk of
        wild reads is still restricted.

        This patch is a <1% regression on Speedometer and ~3% regression
        on JetStream in my testing.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::urshiftPtr):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
739         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
740         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
741         * ftl/FTLOutput.h:
742         (JSC::FTL::Output::baseIndex):
743         * jit/AssemblyHelpers.h:
744         (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
745         (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
746         (JSC::AssemblyHelpers::emitAllocateJSObject):
747         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
748         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
749         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
750         (JSC::AssemblyHelpers::storeButterfly): Deleted.
751         * jit/JITOpcodes.cpp:
752         (JSC::JIT::emit_op_new_object):
753         (JSC::JIT::emit_op_create_this):
754         * jit/JITOpcodes32_64.cpp:
755         (JSC::JIT::emit_op_new_object):
756         (JSC::JIT::emit_op_create_this):
757         * jit/JITPropertyAccess.cpp:
758         (JSC::JIT::emitDoubleLoad):
759         (JSC::JIT::emitContiguousLoad):
760         (JSC::JIT::emitArrayStorageLoad):
761         * llint/LowLevelInterpreter32_64.asm:
762         * llint/LowLevelInterpreter64.asm:
763         * runtime/ArrayStorage.h:
764         (JSC::ArrayStorage::availableVectorLength):
765         * runtime/Butterfly.h:
766         (JSC::ContiguousData::ContiguousData):
767         (JSC::ContiguousData::at const):
768         (JSC::ContiguousData::at):
769         (JSC::Butterfly::publicLength const):
770         (JSC::Butterfly::vectorLength const):
771         (JSC::Butterfly::computeIndexingMaskForVectorLength):
772         (JSC::Butterfly::computeIndexingMask):
773         (JSC::Butterfly::contiguousInt32):
774         (JSC::ContiguousData::operator[] const): Deleted.
775         (JSC::ContiguousData::operator[]): Deleted.
776         (JSC::Butterfly::publicLength): Deleted.
777         (JSC::Butterfly::vectorLength): Deleted.
778         * runtime/ButterflyInlines.h:
779         (JSC::ContiguousData<T>::at const):
780         (JSC::ContiguousData<T>::at):
781         * runtime/ClonedArguments.cpp:
782         (JSC::ClonedArguments::createEmpty):
783         * runtime/JSArray.cpp:
784         (JSC::JSArray::tryCreateUninitializedRestricted):
785         (JSC::JSArray::appendMemcpy):
786         (JSC::JSArray::setLength):
787         (JSC::JSArray::pop):
788         (JSC::JSArray::fastSlice):
789         (JSC::JSArray::shiftCountWithArrayStorage):
790         (JSC::JSArray::shiftCountWithAnyIndexingType):
791         (JSC::JSArray::unshiftCountWithAnyIndexingType):
792         (JSC::JSArray::fillArgList):
793         (JSC::JSArray::copyToArguments):
794         * runtime/JSArrayBufferView.cpp:
795         (JSC::JSArrayBufferView::JSArrayBufferView):
796         * runtime/JSArrayInlines.h:
797         (JSC::JSArray::pushInline):
798         * runtime/JSFixedArray.h:
799         (JSC::JSFixedArray::createFromArray):
800         * runtime/JSGenericTypedArrayViewInlines.h:
801         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
802         * runtime/JSObject.cpp:
803         (JSC::JSObject::getOwnPropertySlotByIndex):
804         (JSC::JSObject::putByIndex):
805         (JSC::JSObject::createInitialInt32):
806         (JSC::JSObject::createInitialDouble):
807         (JSC::JSObject::createInitialContiguous):
808         (JSC::JSObject::convertUndecidedToInt32):
809         (JSC::JSObject::convertUndecidedToDouble):
810         (JSC::JSObject::convertUndecidedToContiguous):
811         (JSC::JSObject::convertInt32ToDouble):
812         (JSC::JSObject::convertInt32ToArrayStorage):
813         (JSC::JSObject::convertDoubleToContiguous):
814         (JSC::JSObject::convertDoubleToArrayStorage):
815         (JSC::JSObject::convertContiguousToArrayStorage):
816         (JSC::JSObject::createInitialForValueAndSet):
817         (JSC::JSObject::deletePropertyByIndex):
818         (JSC::JSObject::getOwnPropertyNames):
819         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
820         (JSC::JSObject::countElements):
821         (JSC::JSObject::ensureLengthSlow):
822         (JSC::JSObject::reallocateAndShrinkButterfly):
823         (JSC::JSObject::getEnumerableLength):
824         * runtime/JSObject.h:
825         (JSC::JSObject::canGetIndexQuickly):
826         (JSC::JSObject::getIndexQuickly):
827         (JSC::JSObject::tryGetIndexQuickly const):
828         (JSC::JSObject::setIndexQuickly):
829         (JSC::JSObject::initializeIndex):
830         (JSC::JSObject::initializeIndexWithoutBarrier):
831         (JSC::JSObject::butterflyIndexingMaskOffset):
832         (JSC::JSObject::butterflyIndexingMask const):
833         (JSC::JSObject::setButterflyWithIndexingMask):
834         (JSC::JSObject::setButterfly):
835         (JSC::JSObject::nukeStructureAndSetButterfly):
836         (JSC::JSObject::JSObject):
837         * runtime/RegExpMatchesArray.h:
838         (JSC::tryCreateUninitializedRegExpMatchesArray):
839         * runtime/Structure.cpp:
840         (JSC::Structure::flattenDictionaryStructure):
841
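Added example, not code from WebKit or from the patch above: a toy C++ model of the indexing-mask idea the entry describes. Assumptions, since the entry gives no formula: the mask is taken as the next power of two at or above vectorLength, minus one (JSC's own rounding may differ by one bit); the struct and function names (Butterfly, ToyObject, computeIndexingMask, effectiveIndex, maskedLoad, maxOverreadSlots, makeClobberedObject) are invented for illustration, and the clobbered-vectorLength scenario is constructed. The mask lives on the object, not in the butterfly header, so corrupting the header does not change it.

```cpp
// Toy model of butterfly indexing masks (added example, not JSC code).
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Assumed formula: smallest all-ones mask covering every valid index in
// [0, vectorLength). 5 -> 0b111, 8 -> 0b111, 9 -> 0b1111, 0 -> 0.
uint32_t computeIndexingMask(uint32_t vectorLength)
{
    if (vectorLength == 0)
        return 0;
    uint32_t m = vectorLength - 1;
    m |= m >> 1;
    m |= m >> 2;
    m |= m >> 4;
    m |= m >> 8;
    m |= m >> 16;
    return m;
}

// Out-of-line storage modelled after the butterfly: the length the bounds
// check trusts sits next to the slots, so a header corruption can lie about it.
struct Butterfly {
    uint32_t vectorLength;         // what the bounds check trusts
    std::vector<uint32_t> slots;   // the real allocation
};

// The mask is a member of the object, computed once at allocation time.
struct ToyObject {
    Butterfly butterfly;
    uint32_t indexingMask;
};

ToyObject allocateObject(std::vector<uint32_t> initial)
{
    uint32_t length = static_cast<uint32_t>(initial.size());
    return ToyObject { Butterfly { length, std::move(initial) }, computeIndexingMask(length) };
}

// Constructed scenario: an attacker clobbered vectorLength to UINT32_MAX,
// so the bounds check now accepts any index.
ToyObject makeClobberedObject()
{
    ToyObject object = allocateObject({ 10, 20, 30, 40, 50 });
    object.butterfly.vectorLength = UINT32_MAX;
    return object;
}

// Index actually used after the vectorLength check, with or without masking.
// nullopt means the bounds check rejected the access.
std::optional<uint32_t> effectiveIndex(const ToyObject& object, uint32_t index, bool useMask)
{
    if (index >= object.butterfly.vectorLength)
        return std::nullopt;
    return useMask ? (index & object.indexingMask) : index;
}

// Masked load. nullopt means the masked index still falls outside the real
// allocation; that overshoot is bounded by the mask, i.e. below the next power
// of two, so the read can never land "substantially past" the end.
std::optional<uint32_t> maskedLoad(const ToyObject& object, uint32_t index)
{
    std::optional<uint32_t> slot = effectiveIndex(object, index, true);
    if (!slot || *slot >= object.butterfly.slots.size())
        return std::nullopt;
    return object.butterfly.slots[*slot];
}

// Upper bound on how many slots past the allocation a masked read can reach.
uint32_t maxOverreadSlots(const ToyObject& object)
{
    uint32_t reachable = object.indexingMask + 1; // slots 0..mask
    uint32_t allocated = static_cast<uint32_t>(object.butterfly.slots.size());
    return reachable > allocated ? reachable - allocated : 0;
}

int main()
{
    ToyObject object = makeClobberedObject();
    uint32_t wild = 0x10000000u;
    std::printf("unmasked index: %u\n", effectiveIndex(object, wild, false).value()); // 268435456
    std::printf("masked index:   %u\n", effectiveIndex(object, wild, true).value());  // 0
    std::printf("max overread:   %u slots\n", maxOverreadSlots(object));              // 3
    return 0;
}
```

The point to take from the run: with the header corrupted, the unmasked path would dereference slot 268435456 of a five-slot allocation, while the masked path is confined to slots 0 through 7, at most three slots past the end. The mask does not replace the bounds check; it limits the damage when the value the check relies on has been corrupted.
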
842 2017-12-14  David Kilzer  <ddkilzer@apple.com>
843
844         REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project
845
846         Fixes the following warning during builds:
847
848             Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h
849
850         * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate
851         entries for JSCPoisonedPtr.h.
852
853 2017-12-14  David Kilzer  <ddkilzer@apple.com>
854
855         REGRESSION (r225887): Build broke due to missing includes in InferredValue.h
856         <https://bugs.webkit.org/show_bug.cgi?id=180738>
857
858         * runtime/InferredValue.h: Attempt to fix build by adding
859         missing #include statements.
860
861 2017-12-13  Filip Pizlo  <fpizlo@apple.com>
862
863         Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement
864         https://bugs.webkit.org/show_bug.cgi?id=180783
865
866         Reviewed by Saam Barati.
867         
868         This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case:
869         
870             BB#1:
871                 a: Load(@x)
872                 b: Load(@x)
873                 c: Load(@b)
874             BB#2:
875                 d: Load(@b)
876             BB#3:
877                 e: Load(@b)
878         
879         Let's assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant
880         with both @c and @e. The problem is that by the time we get to @d, the CSE state will look like
881         this:
882
883             BB#1:
884                 a: Load(@x)
885                 b: Load(@x)
886                 c: Load(@a)
887                 memoryAtTail: {@x=>@a, @a=>@c}
888             BB#2:
889                 d: Load(@a) [sic]
890                 memoryAtTail: {@b=>@d}
891             BB#3:
892                 e: Load(@b)
893                 memoryAtTail: {@b=>@e} [sic]
894         
895         Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a.
896         But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail
897         map, we don't find it and leave the redundancy.
898         
899         I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford
900         this. It fixes the richards regression, since richards is super dependent on B3 CSE.
901
902         * b3/B3EliminateCommonSubexpressions.cpp: Logging.
903         * b3/B3Generate.cpp:
904         (JSC::B3::generateToAir): Fix the bug.
905         * b3/air/AirReportUsedRegisters.cpp:
906         (JSC::B3::Air::reportUsedRegisters): Logging.
907         * dfg/DFGByteCodeParser.cpp:
908         * dfg/DFGSSAConversionPhase.cpp:
909         (JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
910         * ftl/FTLLowerDFGToB3.cpp:
911         (JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
912
913 2017-12-13  Joseph Pecoraro  <pecoraro@apple.com>
914
915         REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources
916         https://bugs.webkit.org/show_bug.cgi?id=180787
917         <rdar://problem/35934838>
918
919         Reviewed by Brian Burg.
920
921         * inspector/ContentSearchUtilities.cpp:
922         (Inspector::ContentSearchUtilities::findMagicComment):
923         For empty / null strings just return. There is no use
924         trying to search them for a long common syntax.
925
926 2017-12-13  Saam Barati  <sbarati@apple.com>
927
928         Arrow functions need their own structure because they have different properties than sloppy functions
929         https://bugs.webkit.org/show_bug.cgi?id=180779
930         <rdar://problem/35814591>
931
932         Reviewed by Mark Lam.
933
934         We were using the same structure for sloppy functions and
935         arrow functions. This broke our IC caching machinery because
936         these two types of functions actually have different properties.
937         This patch gives them different structures.
938
939         * dfg/DFGAbstractInterpreterInlines.h:
940         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
941         * dfg/DFGSpeculativeJIT.cpp:
942         (JSC::DFG::SpeculativeJIT::compileNewFunction):
943         * ftl/FTLLowerDFGToB3.cpp:
944         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
945         * runtime/FunctionConstructor.cpp:
946         (JSC::constructFunctionSkippingEvalEnabledCheck):
947         * runtime/JSFunction.cpp:
948         (JSC::JSFunction::selectStructureForNewFuncExp):
949         (JSC::JSFunction::create):
950         * runtime/JSFunction.h:
951         * runtime/JSFunctionInlines.h:
952         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
953         * runtime/JSGlobalObject.cpp:
954         (JSC::JSGlobalObject::init):
955         (JSC::JSGlobalObject::visitChildren):
956         * runtime/JSGlobalObject.h:
957         (JSC::JSGlobalObject::arrowFunctionStructure const):
958
959 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
960
961         InferredValue should use IsoSubspace
962         https://bugs.webkit.org/show_bug.cgi?id=180738
963
964         Reviewed by Keith Miller.
965         
966         This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of
967         its UnconditionalFinalizer.
968
969         * JavaScriptCore.xcodeproj/project.pbxproj:
970         * heap/Heap.cpp:
971         (JSC::Heap::finalizeUnconditionalFinalizers):
972         * runtime/InferredValue.cpp:
973         (JSC::InferredValue::visitChildren):
974         (JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted.
975         (JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted.
976         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted.
977         * runtime/InferredValue.h:
978         (JSC::InferredValue::subspaceFor):
979         * runtime/InferredValueInlines.h: Added.
980         (JSC::InferredValue::finalizeUnconditionally):
981         * runtime/VM.cpp:
982         (JSC::VM::VM):
983         * runtime/VM.h:
984
985 2017-12-13  Devin Rousso  <webkit@devinrousso.com>
986
987         Web Inspector: add instrumentation for ImageBitmapRenderingContext
988         https://bugs.webkit.org/show_bug.cgi?id=180736
989
990         Reviewed by Joseph Pecoraro.
991
992         * inspector/protocol/Canvas.json:
993         * inspector/scripts/codegen/generator.py:
994
995 2017-12-13  Saam Barati  <sbarati@apple.com>
996
997         Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards
998         https://bugs.webkit.org/show_bug.cgi?id=180771
999
1000         Reviewed by JF Bastien.
1001
1002         * dfg/DFGTypeCheckHoistingPhase.cpp:
1003         (JSC::DFG::TypeCheckHoistingPhase::run):
1004
1005 2017-12-13  Saam Barati  <sbarati@apple.com>
1006
1007         REGRESSION(r225844): Around 850 new JSC failures on 32-bit
1008         https://bugs.webkit.org/show_bug.cgi?id=180764
1009
1010         Unreviewed. We should only emit CheckStructureOrEmpty on 64 bit platforms.
1011
1012         * dfg/DFGTypeCheckHoistingPhase.cpp:
1013         (JSC::DFG::TypeCheckHoistingPhase::run):
1014
1015 2017-12-13  Michael Saboff  <msaboff@apple.com>
1016
1017         Unreviewed rollout of r225695. Caused a crash on yahoo login page.
1018
1019         That bug tracked in https://bugs.webkit.org/show_bug.cgi?id=180761.
1020
1021         * runtime/RegExp.cpp:
1022         (JSC::RegExp::compile):
1023         (JSC::RegExp::compileMatchOnly):
1024         (JSC::byteCodeCompilePattern): Deleted.
1025         (JSC::RegExp::byteCodeCompileIfNecessary): Deleted.
1026         * runtime/RegExp.h:
1027         * runtime/RegExpInlines.h:
1028         (JSC::RegExp::matchInline):
1029         * testRegExp.cpp:
1030         (parseRegExpLine):
1031         (runFromFiles):
1032         * yarr/Yarr.h:
1033         * yarr/YarrInterpreter.cpp:
1034         (JSC::Yarr::ByteCompiler::compile):
1035         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1036         (JSC::Yarr::ByteCompiler::emitDisjunction):
1037         * yarr/YarrJIT.cpp:
1038         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1039         (JSC::Yarr::YarrGenerator::generate):
1040         (JSC::Yarr::YarrGenerator::backtrack):
1041         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1042         (JSC::Yarr::YarrGenerator::generateEnter):
1043         (JSC::Yarr::YarrGenerator::generateReturn):
1044         (JSC::Yarr::YarrGenerator::YarrGenerator):
1045         (JSC::Yarr::YarrGenerator::compile):
1046         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted.
1047         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted.
1048         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted.
1049         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
1050         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
1051         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
1052         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
1053         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
1054         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
1055         (JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
1056         (JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
1057         (JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
1058         (JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
1059         (JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
1060         (JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
1061         (JSC::Yarr::YarrGenerator::clearMatches): Deleted.
1062         * yarr/YarrJIT.h:
1063         (JSC::Yarr::YarrCodeBlock::execute):
1064         * yarr/YarrPattern.cpp:
1065         (JSC::Yarr::indentForNestingLevel):
1066         (JSC::Yarr::dumpUChar32):
1067         (JSC::Yarr::PatternTerm::dump):
1068         (JSC::Yarr::YarrPattern::dumpPattern):
1069         (JSC::Yarr::dumpCharacterClass): Deleted.
1070         * yarr/YarrPattern.h:
1071         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
1072         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
1073         (JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
1074         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
1075         (JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
1076         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
1077         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
1078         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.
1079
1080 2017-12-13  Mark Lam  <mark.lam@apple.com>
1081
1082         Fill out some Poisoned APIs, fix some bugs, and add some tests.
1083         https://bugs.webkit.org/show_bug.cgi?id=180724
1084         <rdar://problem/36006884>
1085
1086         Reviewed by JF Bastien.
1087
1088         * runtime/StructureTransitionTable.h:
1089
1090 2017-12-13  Caio Lima  <ticaiolima@gmail.com>
1091
1092         [ESNext][BigInt] Breaking tests on Debug build and 32-bit due to missing Exception check
1093         https://bugs.webkit.org/show_bug.cgi?id=180746
1094
1095         Reviewed by Saam Barati.
1096
1097         We have some uncaught exceptions that could happen due to OOM in
1098         JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patch
1099         catches such exceptions properly.
1100
1101         * runtime/JSBigInt.cpp:
1102         (JSC::JSBigInt::allocateFor):
1103         (JSC::JSBigInt::parseInt):
1104         * runtime/JSCJSValue.cpp:
1105         (JSC::JSValue::toStringSlowCase const):
1106
1107 2017-12-13  Saam Barati  <sbarati@apple.com>
1108
1109         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1110         https://bugs.webkit.org/show_bug.cgi?id=163579
1111         <rdar://problem/35455798>
1112
1113         Reviewed by Mark Lam.
1114
1115         Some functions in JavaScript do not have the "caller" and "arguments" properties.
1116         For example, strict functions do not. When reading our code that dealt with these
1117         types of functions, it was simply all wrong. We were doing weird things depending
1118         on the method table hook. This patch fixes this by doing what we should've been
1119         doing all along: when the JSFunction does not own the "caller"/"arguments" property,
1120         it should defer to its base class implementation for the various method table hooks.
1121
1122         * runtime/JSFunction.cpp:
1123         (JSC::JSFunction::put):
1124         (JSC::JSFunction::deleteProperty):
1125         (JSC::JSFunction::defineOwnProperty):
1126
1127 2017-12-13  Saam Barati  <sbarati@apple.com>
1128
1129         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1130         https://bugs.webkit.org/show_bug.cgi?id=180734
1131         <rdar://problem/35640547>
1132
1133         Reviewed by Yusuke Suzuki.
1134
1135         The |this| value may be TDZ. If type check hoisting phase
1136         hoists a CheckStructure to it, it will crash. This patch
1137         makes it so we emit CheckStructureOrEmpty for |this|.
1138
1139         * dfg/DFGTypeCheckHoistingPhase.cpp:
1140         (JSC::DFG::TypeCheckHoistingPhase::run):
1141
1142 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1143
1144         [JSC] Optimize Object.assign by single transition acceleration
1145         https://bugs.webkit.org/show_bug.cgi?id=180644
1146
1147         Reviewed by Saam Barati.
1148
1149         Handling the single transition case is critical. Since this get() function is only used
1150         in two functions in Structure.cpp and it is quite small, we can annotate it `inline`
1151         to accelerate it.
1152
1153         This improves SixSpeed/object-assign.es6 by 2.8%.
1154
1155                                     baseline                  patched
1156
1157         object-assign.es6      382.3548+-8.0461          371.6496+-5.7439          might be 1.0288x faster
1158
1159         * runtime/Structure.cpp:
1160         (JSC::StructureTransitionTable::get const):
1161
1162 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
1163
1164         Structure, StructureRareData, and PropertyTable should be in IsoSubspaces
1165         https://bugs.webkit.org/show_bug.cgi?id=180732
1166
1167         Rubber stamped by Mark Lam.
1168         
1169         We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are
1170         scalable enough to support that, so we should do it carefully.
1171
1172         * heap/MarkedSpace.cpp:
1173         * runtime/PropertyMapHashTable.h:
1174         * runtime/Structure.h:
1175         * runtime/StructureRareData.h:
1176         * runtime/VM.cpp:
1177         (JSC::VM::VM):
1178         * runtime/VM.h:
1179
1180 2017-12-12  Saam Barati  <sbarati@apple.com>
1181
1182         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1183         https://bugs.webkit.org/show_bug.cgi?id=180725
1184         <rdar://problem/35970511>
1185
1186         Reviewed by Michael Saboff.
1187
1188         * dfg/DFGClobberize.h:
1189         (JSC::DFG::clobberize):
1190         * dfg/DFGPreciseLocalClobberize.h:
1191         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1192
1193 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1194
1195         [JSC] Implement optimized WeakMap and WeakSet
1196         https://bugs.webkit.org/show_bug.cgi?id=179929
1197
1198         Reviewed by Saam Barati.
1199
1200         This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
1201         This is similar to HashMapImpl. But,
1202
1203         1. WeakMapImpl's bucket is not allocated in the GC heap since WeakMap
1204         does not need to have iterators.
1205
1206         2. WeakMapImpl's buffer is allocated in JSValue Gigacage instead
1207         of auxiliary buffer. This is because we would like to allocate buffer
1208         when finalizing GC. At that time, WeakMapImpl prunes dead entries and
1209         shrinks it if necessary. However, allocating from the GC heap during
1210         finalization is not allowed.
1211
1212         In particular, (2) is important since it ensures any WeakMap operations
1213         do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
1214         and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
1215         do not cause GC makes our implementation simple. To ensure this, we place
1216         DisallowGC for each WeakMap's interface.
1217
1218         In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
1219         WeakMapGet looks up an entry in WeakMapImpl and returns its value. If it is
1220         a WeakMap, it returns the value, and it returns the key if it is a WeakSet. If it
1221         does not find a corresponding entry, it returns JSEmpty.
1222         ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.
1223
1224         This patch improves WeakMap and WeakSet operations.
1225
1226                                      baseline                  patched
1227
1228             weak-set-key        240.6932+-10.4923    ^    148.7606+-6.1784        ^ definitely 1.6180x faster
1229             weak-map-key        174.3176+-8.2680     ^    151.7053+-6.8723        ^ definitely 1.1491x faster
1230
1231         * JavaScriptCore.xcodeproj/project.pbxproj:
1232         * Sources.txt:
1233         * dfg/DFGAbstractHeap.h:
1234         * dfg/DFGAbstractInterpreterInlines.h:
1235         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1236         * dfg/DFGByteCodeParser.cpp:
1237         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1238         * dfg/DFGClobberize.h:
1239         (JSC::DFG::clobberize):
1240         * dfg/DFGDoesGC.cpp:
1241         (JSC::DFG::doesGC):
1242         * dfg/DFGFixupPhase.cpp:
1243         (JSC::DFG::FixupPhase::fixupNode):
1244         * dfg/DFGNode.h:
1245         (JSC::DFG::Node::hasHeapPrediction):
1246         * dfg/DFGNodeType.h:
1247         * dfg/DFGOperations.cpp:
1248         * dfg/DFGOperations.h:
1249         * dfg/DFGPredictionPropagationPhase.cpp:
1250         * dfg/DFGSafeToExecute.h:
1251         (JSC::DFG::safeToExecute):
1252         * dfg/DFGSpeculativeJIT.cpp:
1253         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
1254         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1255         * dfg/DFGSpeculativeJIT.h:
1256         * dfg/DFGSpeculativeJIT32_64.cpp:
1257         (JSC::DFG::SpeculativeJIT::compile):
1258         * dfg/DFGSpeculativeJIT64.cpp:
1259         (JSC::DFG::SpeculativeJIT::compile):
1260         * ftl/FTLAbstractHeapRepository.h:
1261         * ftl/FTLCapabilities.cpp:
1262         (JSC::FTL::canCompile):
1263         * ftl/FTLLowerDFGToB3.cpp:
1264         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1265         (JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
1266         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1267         * inspector/JSInjectedScriptHost.cpp:
1268         (Inspector::JSInjectedScriptHost::weakMapEntries):
1269         (Inspector::JSInjectedScriptHost::weakSetEntries):
1270         The existing code is incorrect. It can run GC and break WeakMap's iterator.
1271         We introduce takeSnapshot function to WeakMapImpl, which retrieves live
1272         entries without causing any GC.
1273
1274         * runtime/HashMapImpl.h:
1275         (JSC::shouldShrink):
1276         (JSC::shouldRehashAfterAdd):
1277         (JSC::nextCapacity):
1278         (JSC::HashMapImpl::shouldRehashAfterAdd const):
1279         (JSC::HashMapImpl::shouldShrink const):
1280         (JSC::HashMapImpl::rehash):
1281         (JSC::WeakMapHash::hash): Deleted.
1282         (JSC::WeakMapHash::equal): Deleted.
1283         * runtime/Intrinsic.cpp:
1284         (JSC::intrinsicName):
1285         * runtime/Intrinsic.h:
1286         * runtime/JSWeakMap.cpp:
1287         * runtime/JSWeakMap.h:
1288         * runtime/JSWeakSet.cpp:
1289         * runtime/JSWeakSet.h:
1290         * runtime/VM.cpp:
1291         * runtime/WeakGCMap.h:
1292         (JSC::WeakGCMap::forEach): Deleted.
1293         * runtime/WeakMapBase.cpp: Removed.
1294         * runtime/WeakMapBase.h: Removed.
1295         * runtime/WeakMapConstructor.cpp:
1296         (JSC::constructWeakMap):
1297         * runtime/WeakMapImpl.cpp: Added.
1298         (JSC::WeakMapImpl<WeakMapBucket>::destroy):
1299         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
1300         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
1301         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
1302         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
1303         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
1304         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
1305         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
1306         * runtime/WeakMapImpl.h: Added.
1307         (JSC::jsWeakMapHash):
1308         (JSC::nextCapacityAfterRemoveBatching):
1309         (JSC::WeakMapBucket::setKey):
1310         (JSC::WeakMapBucket::setValue):
1311         (JSC::WeakMapBucket::key const):
1312         (JSC::WeakMapBucket::value const):
1313         (JSC::WeakMapBucket::copyFrom):
1314         (JSC::WeakMapBucket::offsetOfKey):
1315         (JSC::WeakMapBucket::offsetOfValue):
1316         (JSC::WeakMapBucket::extractValue):
1317         (JSC::WeakMapBucket::isEmpty):
1318         (JSC::WeakMapBucket::deletedKey):
1319         (JSC::WeakMapBucket::isDeleted):
1320         (JSC::WeakMapBucket::makeDeleted):
1321         (JSC::WeakMapBucket::visitAggregate):
1322         (JSC::WeakMapBucket::clearValue):
1323         (JSC::WeakMapBuffer::allocationSize):
1324         (JSC::WeakMapBuffer::buffer const):
1325         (JSC::WeakMapBuffer::create):
1326         (JSC::WeakMapBuffer::reset):
1327         (JSC::WeakMapImpl::WeakMapImpl):
1328         (JSC::WeakMapImpl::finishCreation):
1329         (JSC::WeakMapImpl::get):
1330         (JSC::WeakMapImpl::has):
1331         (JSC::WeakMapImpl::add):
1332         (JSC::WeakMapImpl::remove):
1333         (JSC::WeakMapImpl::size const):
1334         (JSC::WeakMapImpl::offsetOfBuffer):
1335         (JSC::WeakMapImpl::offsetOfCapacity):
1336         (JSC::WeakMapImpl::findBucket):
1337         (JSC::WeakMapImpl::buffer const):
1338         (JSC::WeakMapImpl::forEach):
1339         (JSC::WeakMapImpl::shouldRehashAfterAdd const):
1340         (JSC::WeakMapImpl::shouldShrink const):
1341         (JSC::WeakMapImpl::canUseBucket):
1342         (JSC::WeakMapImpl::addInternal):
1343         (JSC::WeakMapImpl::findBucketAlreadyHashed):
1344         (JSC::WeakMapImpl::rehash):
1345         (JSC::WeakMapImpl::checkConsistency const):
1346         (JSC::WeakMapImpl::makeAndSetNewBuffer):
1347         (JSC::WeakMapImpl::assertBufferIsEmpty const):
1348         (JSC::WeakMapImpl::DeadKeyCleaner::target):
1349         * runtime/WeakMapPrototype.cpp:
1350         (JSC::WeakMapPrototype::finishCreation):
1351         (JSC::protoFuncWeakMapGet):
1352         (JSC::protoFuncWeakMapHas):
1353         * runtime/WeakSetConstructor.cpp:
1354         (JSC::constructWeakSet):
1355         * runtime/WeakSetPrototype.cpp:
1356         (JSC::WeakSetPrototype::finishCreation):
1357         (JSC::protoFuncWeakSetHas):
1358         (JSC::protoFuncWeakSetAdd):
1359
1360 2017-12-11  Filip Pizlo  <fpizlo@apple.com>
1361
1362         It should be possible to flag a cell for unconditional finalization
1363         https://bugs.webkit.org/show_bug.cgi?id=180636
1364
1365         Reviewed by Saam Barati.
1366         
1367         UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
1368         global linked list - but they had some nice properties:
1369         
1370         - You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
1371           survived and needed it.
1372             -> Just needing it wasn't enough.
1373             -> Just surviving wasn't enough.
1374         
1375         The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
1376         finalizer logic to be invoked. I think that's not great. InferredType got around this by
1377         making InferredStructure a cell, but this was a gross hack. For one, it meant that
1378         InferredStructure would survive during the GC in which its finalizer obviated the need for its
1379         existence. It's not really an idiom I want us to repeat because it sounds like the sort of
1380         thing that turns out to be subtly broken.
1381         
1382         We really need to have a way of indicating when you have entered into the state that requires
1383         your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
1384         objects that need unconditional finalizers. Only the subset of that set that overlaps with the
1385         set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
1386         bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
1387         another level to say which atoms within a MarkedBlock have unconditional finalizers.
1388         
1389         This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
1390         IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
1391         auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
1392         add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
1393         you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
1394         about 0.8% increase in size to every object in the subspace that the set is attached to. So,
1395         it makes sense to have a handful per subspace max. This change only needs one per subspace,
1396         but you could imagine more if we do this for WeakReferenceHarvester.
1397         
1398         To absolutely minimize the possibility that this incurs costs, the add/remove/contains
1399         functions can be used from any thread so long as forEachMarkedCell isn't running. This means
1400         that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
1401         both survive and need it for the hardest work to take place. The work of adding does involve
1402         a gnarly load chain that ends in a CAS: load block handle from block, load index, load
1403         segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
1404         However, it's perfect for running in parallel since the only write operations are to widely
1405         dispersed cache lines that contain the bits underlying the set.
1406         
1407         The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
1408         that need unconditional finalizers, and only touches the memory of marked objects that have
1409         the unconditional finalizer bit set. It will walk those objects in roughly address order. I
1410         previously found that this speeds up walking over a lot of objects when I made similar changes
1411         for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a
1412         HashSet).
1413         
1414         This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.
1415         
1416         My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
1417         forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
1418         IsoSubspace in more places.
1419
1420         * JavaScriptCore.xcodeproj/project.pbxproj:
1421         * Sources.txt:
1422         * heap/AtomIndices.h: Added.
1423         (JSC::AtomIndices::AtomIndices):
1424         * heap/Heap.cpp:
1425         (JSC::Heap::finalizeUnconditionalFinalizers):
1426         * heap/Heap.h:
1427         * heap/IsoCellSet.cpp: Added.
1428         (JSC::IsoCellSet::IsoCellSet):
1429         (JSC::IsoCellSet::~IsoCellSet):
1430         (JSC::IsoCellSet::addSlow):
1431         (JSC::IsoCellSet::didResizeBits):
1432         (JSC::IsoCellSet::didRemoveBlock):
1433         (JSC::IsoCellSet::sweepToFreeList):
1434         * heap/IsoCellSet.h: Added.
1435         * heap/IsoCellSetInlines.h: Added.
1436         (JSC::IsoCellSet::add):
1437         (JSC::IsoCellSet::remove):
1438         (JSC::IsoCellSet::contains const):
1439         (JSC::IsoCellSet::forEachMarkedCell):
1440         * heap/IsoSubspace.cpp:
1441         (JSC::IsoSubspace::didResizeBits):
1442         (JSC::IsoSubspace::didRemoveBlock):
1443         (JSC::IsoSubspace::didBeginSweepingToFreeList):
1444         * heap/IsoSubspace.h:
1445         * heap/MarkedAllocator.cpp:
1446         (JSC::MarkedAllocator::addBlock):
1447         (JSC::MarkedAllocator::removeBlock):
1448         * heap/MarkedAllocator.h:
1449         * heap/MarkedAllocatorInlines.h:
1450         * heap/MarkedBlock.cpp:
1451         (JSC::MarkedBlock::Handle::sweep):
1452         (JSC::MarkedBlock::Handle::isEmpty): Deleted.
1453         * heap/MarkedBlock.h:
1454         (JSC::MarkedBlock::marks const):
1455         (JSC::MarkedBlock::Handle::newlyAllocated const):
1456         * heap/MarkedBlockInlines.h:
1457         (JSC::MarkedBlock::Handle::isAllocated):
1458         (JSC::MarkedBlock::Handle::isEmpty):
1459         (JSC::MarkedBlock::Handle::emptyMode):
1460         (JSC::MarkedBlock::Handle::forEachMarkedCell):
1461         * heap/Subspace.cpp:
1462         (JSC::Subspace::didResizeBits):
1463         (JSC::Subspace::didRemoveBlock):
1464         (JSC::Subspace::didBeginSweepingToFreeList):
1465         * heap/Subspace.h:
1466         * heap/SubspaceInlines.h:
1467         (JSC::Subspace::forEachMarkedCell):
1468         * runtime/InferredStructure.cpp:
1469         (JSC::InferredStructure::InferredStructure):
1470         (JSC::InferredStructure::create): Deleted.
1471         (JSC::InferredStructure::destroy): Deleted.
1472         (JSC::InferredStructure::createStructure): Deleted.
1473         (JSC::InferredStructure::visitChildren): Deleted.
1474         (JSC::InferredStructure::finalizeUnconditionally): Deleted.
1475         (JSC::InferredStructure::finishCreation): Deleted.
1476         * runtime/InferredStructure.h:
1477         * runtime/InferredStructureWatchpoint.cpp:
1478         (JSC::InferredStructureWatchpoint::fireInternal):
1479         * runtime/InferredType.cpp:
1480         (JSC::InferredType::visitChildren):
1481         (JSC::InferredType::willStoreValueSlow):
1482         (JSC::InferredType::makeTopSlow):
1483         (JSC::InferredType::set):
1484         (JSC::InferredType::removeStructure):
1485         (JSC::InferredType::finalizeUnconditionally):
1486         * runtime/InferredType.h:
1487         * runtime/VM.cpp:
1488         (JSC::VM::VM):
1489         * runtime/VM.h:
1490
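The two-level bitvector scheme described in the entry above, as an added, stand-alone illustration written for this page; it is not JavaScriptCore's IsoCellSet. The geometry is an assumption: every block holds exactly 64 atoms, so one 64-bit word per block covers its atoms, and a second vector of words carries one bit per block. Cells are named by (block index, atom index) in the spirit of AtomIndices; the mark bits are constructed by hand in demoScenario() to stand in for what marking would produce.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

constexpr size_t kAtomsPerBlock = 64; // assumption: one 64-bit word covers a block

struct Block {
    std::atomic<uint64_t> marks{0};   // GC mark bits, one per atom (set by marking)
    std::atomic<uint64_t> setBits{0}; // membership bits for the cell set
};

// A cell is identified by where it lives rather than by a pointer.
struct AtomIndices {
    size_t blockIndex;
    size_t atomIndex;
};

class CellSet {
public:
    explicit CellSet(std::vector<Block>& blocks)
        : m_blocks(blocks), m_blocksWithMembers((blocks.size() + 63) / 64) {}

    // Usable from any thread as long as forEachMarkedCell is not running: the only
    // writes are read-modify-write operations on widely dispersed bit words.
    void add(AtomIndices cell) {
        uint64_t bit = uint64_t(1) << cell.atomIndex;
        Block& block = m_blocks[cell.blockIndex];
        if (block.setBits.load(std::memory_order_relaxed) & bit)
            return; // fast path: already a member, no store at all
        block.setBits.fetch_or(bit, std::memory_order_relaxed);
        // Slow path: record at block level that this block has at least one member.
        m_blocksWithMembers[cell.blockIndex / 64].fetch_or(
            uint64_t(1) << (cell.blockIndex % 64), std::memory_order_relaxed);
    }

    void remove(AtomIndices cell) {
        // The block-level bit stays set: it is only a conservative "may have members" hint.
        m_blocks[cell.blockIndex].setBits.fetch_and(
            ~(uint64_t(1) << cell.atomIndex), std::memory_order_relaxed);
    }

    bool contains(AtomIndices cell) const {
        return (m_blocks[cell.blockIndex].setBits.load(std::memory_order_relaxed) >> cell.atomIndex) & 1;
    }

    // Visit only cells that are both marked and in the set, in block/atom (address)
    // order. Blocks whose block-level bit is clear are skipped without touching them.
    template<typename Callback>
    size_t forEachMarkedCell(Callback&& callback) const {
        size_t visited = 0;
        for (size_t word = 0; word < m_blocksWithMembers.size(); ++word) {
            uint64_t blockBits = m_blocksWithMembers[word].load(std::memory_order_relaxed);
            while (blockBits) {
                size_t blockIndex = word * 64 + __builtin_ctzll(blockBits);
                blockBits &= blockBits - 1;
                const Block& block = m_blocks[blockIndex];
                uint64_t live = block.setBits.load(std::memory_order_relaxed)
                    & block.marks.load(std::memory_order_relaxed);
                while (live) {
                    callback(AtomIndices{blockIndex, size_t(__builtin_ctzll(live))});
                    live &= live - 1;
                    ++visited;
                }
            }
        }
        return visited;
    }

private:
    std::vector<Block>& m_blocks;
    std::vector<std::atomic<uint64_t>> m_blocksWithMembers;
};

// Constructed scenario: returns the (block, atom) pairs the sweep would visit, in order.
std::vector<std::pair<size_t, size_t>> demoScenario() {
    std::vector<Block> blocks(130);   // 130 blocks -> three 64-bit words of block bits
    CellSet needsFinalizer(blocks);
    needsFinalizer.add({3, 7});       // survives and needs finalizing: visited
    needsFinalizer.add({3, 9});       // needs finalizing but dies this GC: skipped
    needsFinalizer.add({70, 1});      // added, then removed before the sweep: skipped
    needsFinalizer.remove({70, 1});
    needsFinalizer.add({129, 5});     // lives in the last word of block bits: visited
    // Constructed mark bits standing in for the marking phase; atom 20 of block 3 is
    // marked but never joined the set, so it is not visited either.
    blocks[3].marks = (uint64_t(1) << 7) | (uint64_t(1) << 20);
    blocks[70].marks = uint64_t(1) << 1;
    blocks[129].marks = uint64_t(1) << 5;
    std::vector<std::pair<size_t, size_t>> visited;
    needsFinalizer.forEachMarkedCell([&](AtomIndices cell) {
        visited.emplace_back(cell.blockIndex, cell.atomIndex);
    });
    return visited;
}
```

The per-object cost of such a set is one bit per atom plus one bit per block, which is where the "about 0.8%" figure in the entry comes from for small objects; the sweep cost is proportional to the number of blocks that ever had members, not to the heap size.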
1491 2017-12-12  Saam Barati  <sbarati@apple.com>
1492
1493         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1494         https://bugs.webkit.org/show_bug.cgi?id=180723
1495         <rdar://problem/35859726>
1496
1497         Reviewed by JF Bastien.
1498
1499         * dfg/DFGConstantFoldingPhase.cpp:
1500         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1501
1502 2017-12-04  Brian Burg  <bburg@apple.com>
1503
1504         Web Inspector: modernize InjectedScript a bit
1505         https://bugs.webkit.org/show_bug.cgi?id=180367
1506
1507         Reviewed by Timothy Hatcher.
1508
1509         Stop using out parameters passed by pointer, use references instead.
1510         Stop using OptOutput<T> in favor of std::optional where possible.
1511         If there is only one out-parameter and a void return type, then return the value.
1512
1513         * inspector/InjectedScript.h:
1514         * inspector/InjectedScript.cpp:
1515         (Inspector::InjectedScript::evaluate):
1516         (Inspector::InjectedScript::callFunctionOn):
1517         (Inspector::InjectedScript::evaluateOnCallFrame):
1518         (Inspector::InjectedScript::getFunctionDetails):
1519         (Inspector::InjectedScript::functionDetails):
1520         (Inspector::InjectedScript::getPreview):
1521         (Inspector::InjectedScript::getProperties):
1522         (Inspector::InjectedScript::getDisplayableProperties):
1523         (Inspector::InjectedScript::getInternalProperties):
1524         (Inspector::InjectedScript::getCollectionEntries):
1525         (Inspector::InjectedScript::saveResult):
1526         (Inspector::InjectedScript::setExceptionValue):
1527         (Inspector::InjectedScript::clearExceptionValue):
1528         (Inspector::InjectedScript::inspectObject):
1529         (Inspector::InjectedScript::releaseObject):
1530
1531         * inspector/InjectedScriptBase.h:
1532         * inspector/InjectedScriptBase.cpp:
1533         (Inspector::InjectedScriptBase::InjectedScriptBase):
1534         Declare m_environment with a default initializer.
1535
1536         (Inspector::InjectedScriptBase::makeCall):
1537         (Inspector::InjectedScriptBase::makeEvalCall):
1538         Just return the result, no need for an out-parameter.
1539         Rearrange some code paths now that we can just return a result.
1540         Return a Ref<JSON::Value> since it is either a result value or error value.
1541         Use out_ prefixes in a few places to improve readability.
1542
1543         * inspector/agents/InspectorDebuggerAgent.cpp:
1544         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1545         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1546         * inspector/agents/InspectorHeapAgent.cpp:
1547         (Inspector::InspectorHeapAgent::getPreview):
1548         * inspector/agents/InspectorRuntimeAgent.cpp:
1549         (Inspector::InspectorRuntimeAgent::evaluate):
1550         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1551         (Inspector::InspectorRuntimeAgent::getPreview):
1552         (Inspector::InspectorRuntimeAgent::getProperties):
1553         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1554         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1555         (Inspector::InspectorRuntimeAgent::saveResult):
1556         Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
1557         and std::optional until the former is removed from generated method signatures.
1558
1559 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1560
1561         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1562         https://bugs.webkit.org/show_bug.cgi?id=179000
1563
1564         Reviewed by Darin Adler and Yusuke Suzuki.
1565
1566         This patch starts the implementation of BigInt primitive on
1567         JavaScriptCore. We are introducing BigInt primitive and
1568         implementing it on JSBigInt as a subclass of JSCell with [[BigIntData]]
1569         field implemented contiguously in memory as inline storage of JSBigInt to
1570         take advantage of cache locality for performance. The
1571         implementation allows 64 or 32 bitwise arithmetic operations.
1572         JSBigInt also has m_sign to store the sign of [[BigIntData]] and
1573         m_length that keeps track of BigInt length.
1574         The implementation is following the V8 one. [[BigIntData]] is manipulated
1575         by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
1576         We also have some operations to support arithmetics over digits.
1577
1578         It is important to notice that on our representation,
1579         JSBigInt::dataStorage()[0] represents the least significant digit and
1580         JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.
1581
1582         We are also introducing into this Patch the BigInt literals lexer and
1583         syntax parsing support. The operation Strict Equals on BigInts is also being
1584         implemented to enable tests.
1585         These features are being implemented behind a runtime flag "--useBigInt" and
1586         are disabled by default.
1587
1588         * JavaScriptCore.xcodeproj/project.pbxproj:
1589         * Sources.txt:
1590         * bytecode/CodeBlock.cpp:
1591         * bytecompiler/BytecodeGenerator.cpp:
1592         (JSC::BytecodeGenerator::emitEqualityOp):
1593         (JSC::BytecodeGenerator::addBigIntConstant):
1594         * bytecompiler/BytecodeGenerator.h:
1595         (JSC::BytecodeGenerator::BigIntEntryHash::hash):
1596         (JSC::BytecodeGenerator::BigIntEntryHash::equal):
1597         * bytecompiler/NodesCodegen.cpp:
1598         (JSC::BigIntNode::jsValue const):
1599         * dfg/DFGAbstractInterpreterInlines.h:
1600         (JSC::DFG::isToThisAnIdentity):
1601         * interpreter/Interpreter.cpp:
1602         (JSC::sizeOfVarargs):
1603         * llint/LLIntData.cpp:
1604         (JSC::LLInt::Data::performAssertions):
1605         * llint/LowLevelInterpreter.asm:
1606         * parser/ASTBuilder.h:
1607         (JSC::ASTBuilder::createBigInt):
1608         * parser/Lexer.cpp:
1609         (JSC::Lexer<T>::parseBinary):
1610         (JSC::Lexer<T>::parseOctal):
1611         (JSC::Lexer<T>::parseDecimal):
1612         (JSC::Lexer<T>::lex):
1613         (JSC::Lexer<T>::parseHex): Deleted.
1614         * parser/Lexer.h:
1615         * parser/NodeConstructors.h:
1616         (JSC::BigIntNode::BigIntNode):
1617         * parser/Nodes.h:
1618         (JSC::ExpressionNode::isBigInt const):
1619         (JSC::BigIntNode::value):
1620         * parser/Parser.cpp:
1621         (JSC::Parser<LexerType>::parsePrimaryExpression):
1622         * parser/ParserTokens.h:
1623         * parser/ResultType.h:
1624         (JSC::ResultType::definitelyIsBigInt const):
1625         (JSC::ResultType::mightBeBigInt const):
1626         (JSC::ResultType::isNotBigInt const):
1627         (JSC::ResultType::addResultType):
1628         (JSC::ResultType::bigIntType):
1629         (JSC::ResultType::forAdd):
1630         (JSC::ResultType::forLogicalOp):
1631         * parser/SyntaxChecker.h:
1632         (JSC::SyntaxChecker::createBigInt):
1633         * runtime/CommonIdentifiers.h:
1634         * runtime/JSBigInt.cpp: Added.
1635         (JSC::JSBigInt::visitChildren):
1636         (JSC::JSBigInt::JSBigInt):
1637         (JSC::JSBigInt::initialize):
1638         (JSC::JSBigInt::createStructure):
1639         (JSC::JSBigInt::createZero):
1640         (JSC::JSBigInt::allocationSize):
1641         (JSC::JSBigInt::createWithLength):
1642         (JSC::JSBigInt::finishCreation):
1643         (JSC::JSBigInt::toPrimitive const):
1644         (JSC::JSBigInt::singleDigitValueForString):
1645         (JSC::JSBigInt::parseInt):
1646         (JSC::JSBigInt::toString):
1647         (JSC::JSBigInt::isZero):
1648         (JSC::JSBigInt::inplaceMultiplyAdd):
1649         (JSC::JSBigInt::digitAdd):
1650         (JSC::JSBigInt::digitSub):
1651         (JSC::JSBigInt::digitMul):
1652         (JSC::JSBigInt::digitPow):
1653         (JSC::JSBigInt::digitDiv):
1654         (JSC::JSBigInt::internalMultiplyAdd):
1655         (JSC::JSBigInt::equalToBigInt):
1656         (JSC::JSBigInt::absoluteDivSmall):
1657         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1658         (JSC::JSBigInt::toStringGeneric):
1659         (JSC::JSBigInt::rightTrim):
1660         (JSC::JSBigInt::allocateFor):
1661         (JSC::JSBigInt::estimatedSize):
1662         (JSC::JSBigInt::toNumber const):
1663         (JSC::JSBigInt::getPrimitiveNumber const):
1664         * runtime/JSBigInt.h: Added.
1665         (JSC::JSBigInt::setSign):
1666         (JSC::JSBigInt::sign const):
1667         (JSC::JSBigInt::setLength):
1668         (JSC::JSBigInt::length const):
1669         (JSC::JSBigInt::parseInt):
1670         (JSC::JSBigInt::offsetOfData):
1671         (JSC::JSBigInt::dataStorage):
1672         (JSC::JSBigInt::digit):
1673         (JSC::JSBigInt::setDigit):
1674         (JSC::asBigInt):
1675         * runtime/JSCJSValue.cpp:
1676         (JSC::JSValue::synthesizePrototype const):
1677         (JSC::JSValue::toStringSlowCase const):
1678         * runtime/JSCJSValue.h:
1679         * runtime/JSCJSValueInlines.h:
1680         (JSC::JSValue::isBigInt const):
1681         (JSC::JSValue::strictEqualSlowCaseInline):
1682         * runtime/JSCell.cpp:
1683         (JSC::JSCell::put):
1684         (JSC::JSCell::putByIndex):
1685         (JSC::JSCell::toPrimitive const):
1686         (JSC::JSCell::getPrimitiveNumber const):
1687         (JSC::JSCell::toNumber const):
1688         (JSC::JSCell::toObjectSlow const):
1689         * runtime/JSCell.h:
1690         * runtime/JSCellInlines.h:
1691         (JSC::JSCell::isBigInt const):
1692         * runtime/JSType.h:
1693         * runtime/MathCommon.h:
1694         (JSC::clz64):
1695         * runtime/NumberPrototype.cpp:
1696         * runtime/Operations.cpp:
1697         (JSC::jsTypeStringForValue):
1698         (JSC::jsIsObjectTypeOrNull):
1699         * runtime/Options.h:
1700         * runtime/ParseInt.h:
1701         * runtime/SmallStrings.h:
1702         (JSC::SmallStrings::typeString const):
1703         * runtime/StructureInlines.h:
1704         (JSC::prototypeForLookupPrimitiveImpl):
1705         * runtime/TypeofType.cpp:
1706         (WTF::printInternal):
1707         * runtime/TypeofType.h:
1708         * runtime/VM.cpp:
1709         (JSC::VM::VM):
1710         * runtime/VM.h:
1711
1712 2017-12-12  Guillaume Emont  <guijemont@igalia.com>
1713
1714         LLInt: reserve 16 bytes of stack on MIPS for native calls
1715         https://bugs.webkit.org/show_bug.cgi?id=180653
1716
1717         Reviewed by Carlos Alberto Lopez Perez.
1718
1719         * llint/LowLevelInterpreter32_64.asm:
1720         On MIPS, subtract 24 from the stack pointer (16 for calling
1721         convention + 8 to be 16-aligned) instead of the 8 on other platforms
1722         (for alignment).
1723
1724 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1725
1726         [WTF] Thread::create should have Thread::tryCreate
1727         https://bugs.webkit.org/show_bug.cgi?id=180333
1728
1729         Reviewed by Darin Adler.
1730
1731         * assembler/testmasm.cpp:
1732         (JSC::run):
1733         * b3/air/testair.cpp:
1734         * b3/testb3.cpp:
1735         (JSC::B3::run):
1736         * jsc.cpp:
1737         (functionDollarAgentStart):
1738
1739 2017-12-11  Michael Saboff  <msaboff@apple.com>
1740
1741         REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
1742         https://bugs.webkit.org/show_bug.cgi?id=180685
1743
1744         Reviewed by Saam Barati.
1745
1746         The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
1747         the character class check to return true without reading the character.  Given that
1748         the character could be a surrogate pair, we need to read the character even if we
1749         don't have to check it.
1750
1751         * yarr/YarrInterpreter.cpp:
1752         (JSC::Yarr::Interpreter::testCharacterClass):
1753         (JSC::Yarr::Interpreter::checkCharacterClass):
1754
1755 2017-12-11  Saam Barati  <sbarati@apple.com>
1756
1757         We need to disableCaching() in ErrorInstance when we materialize properties
1758         https://bugs.webkit.org/show_bug.cgi?id=180343
1759         <rdar://problem/35833002>
1760
1761         Reviewed by Mark Lam.
1762
1763         This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
1764         on puts() to a property that we lazily materialized. Forgetting to do this goes against the
1765         PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
1766         from a Structure A to a Structure B. However, we were telling the IC that we were caching an
1767         existing property only found on Structure B. This is obviously wrong as it would lead to an
1768         OOB store if we didn't already crash when generating the IC.
1769
1770         * jit/Repatch.cpp:
1771         (JSC::tryCachePutByID):
1772         * runtime/ErrorInstance.cpp:
1773         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1774         (JSC::ErrorInstance::put):
1775         * runtime/ErrorInstance.h:
1776         * runtime/Structure.cpp:
1777         (JSC::Structure::didCachePropertyReplacement):
1778
1779 2017-12-11  Fujii Hironori  <Hironori.Fujii@sony.com>
1780
1781         [WinCairo] DLLLauncherMain should use SetDllDirectory
1782         https://bugs.webkit.org/show_bug.cgi?id=180642
1783
1784         Reviewed by Alex Christensen.
1785
1786         Windows has icuuc.dll in the system directory. WebKit should find
1787         one in WebKitLibraries directory, not one in the system directory.
1788
1789         * shell/DLLLauncherMain.cpp:
1790         (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
1791
1792 2017-12-11  Eric Carlson  <eric.carlson@apple.com>
1793
1794         Web Inspector: Optionally log WebKit log parameters as JSON
1795         https://bugs.webkit.org/show_bug.cgi?id=180529
1796         <rdar://problem/35909462>
1797
1798         Reviewed by Joseph Pecoraro.
1799
1800         * inspector/ConsoleMessage.cpp:
1801         (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
1802         values. Concatenate all adjacent strings to make logging cleaner.
1803         (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
1804         (Inspector::ConsoleMessage::scriptState const):
1805         * inspector/ConsoleMessage.h:
1806
1807         * inspector/InjectedScript.cpp:
1808         (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
1809         * inspector/InjectedScript.h:
1810         * inspector/InjectedScriptSource.js:
1811         (let.InjectedScript.prototype.wrapJSONString):
1812
1813 2017-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1814
1815         Remove unused builtin names
1816         https://bugs.webkit.org/show_bug.cgi?id=180673
1817
1818         Reviewed by Keith Miller.
1819
1820         * builtins/BuiltinNames.h:
1821
1822 2017-12-11  David Quesada  <david_quesada@apple.com>
1823
1824         Turn on ENABLE_APPLICATION_MANIFEST
1825         https://bugs.webkit.org/show_bug.cgi?id=180562
1826         rdar://problem/35924737
1827
1828         Reviewed by Geoffrey Garen.
1829
1830         * Configurations/FeatureDefines.xcconfig:
1831
1832 2017-12-10  Filip Pizlo  <fpizlo@apple.com>
1833
1834         Harden a few assertions in GC sweep
1835         https://bugs.webkit.org/show_bug.cgi?id=180634
1836
1837         Reviewed by Saam Barati.
1838         
1839         This turns one dynamic check into a release assertion and upgrades another assertion to a release
1840         assertion.
1841
1842         * heap/MarkedBlock.cpp:
1843         (JSC::MarkedBlock::Handle::sweep):
1844
1845 2017-12-10  Konstantin Tokarev  <annulen@yandex.ru>
1846
1847         [python] Modernize "except" usage for python3 compatibility
1848         https://bugs.webkit.org/show_bug.cgi?id=180612
1849
1850         Reviewed by Michael Catanzaro.
1851
1852         * inspector/scripts/generate-inspector-protocol-bindings.py:
1853
1854 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
1855
1856         InferredType should not use UnconditionalFinalizer
1857         https://bugs.webkit.org/show_bug.cgi?id=180456
1858
1859         Reviewed by Saam Barati.
1860         
1861         This turns InferredStructure into a cell so that we can unconditionally finalize them without
1862         having to add things to the UnconditionalFinalizer list. I'm removing all uses of
1863         UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
1864         them are a top cause of lock contention in the parallel GC. Also, we don't need those data
1865         structures if we use IsoSubspaces, subspace iteration, and marking constraints.
1866
1867         * JavaScriptCore.xcodeproj/project.pbxproj:
1868         * Sources.txt:
1869         * heap/Heap.cpp:
1870         (JSC::Heap::finalizeUnconditionalFinalizers):
1871         * heap/Heap.h:
1872         * runtime/InferredStructure.cpp: Added.
1873         (JSC::InferredStructure::create):
1874         (JSC::InferredStructure::destroy):
1875         (JSC::InferredStructure::createStructure):
1876         (JSC::InferredStructure::visitChildren):
1877         (JSC::InferredStructure::finalizeUnconditionally):
1878         (JSC::InferredStructure::InferredStructure):
1879         (JSC::InferredStructure::finishCreation):
1880         * runtime/InferredStructure.h: Added.
1881         * runtime/InferredStructureWatchpoint.cpp: Added.
1882         (JSC::InferredStructureWatchpoint::fireInternal):
1883         * runtime/InferredStructureWatchpoint.h: Added.
1884         * runtime/InferredType.cpp:
1885         (JSC::InferredType::visitChildren):
1886         (JSC::InferredType::willStoreValueSlow):
1887         (JSC::InferredType::makeTopSlow):
1888         (JSC::InferredType::set):
1889         (JSC::InferredType::removeStructure):
1890         (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
1891         (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
1892         (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
1893         * runtime/InferredType.h:
1894         * runtime/VM.cpp:
1895         (JSC::VM::VM):
1896         * runtime/VM.h:
1897
1898 2017-12-09  Konstantin Tokarev  <annulen@yandex.ru>
1899
1900         [python] Replace print >> operator with print() function for python3 compatibility
1901         https://bugs.webkit.org/show_bug.cgi?id=180611
1902
1903         Reviewed by Michael Catanzaro.
1904
1905         * Scripts/make-js-file-arrays.py:
1906         (main):
1907
1908 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
1909
1910         ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
1911         https://bugs.webkit.org/show_bug.cgi?id=180520
1912         <rdar://problem/35900764>
1913
1914         Reviewed by Brian Burg.
1915
1916         * inspector/protocol/ServiceWorker.json:
1917         Include content script content in the initialization info.
1918
1919 2017-12-08  Konstantin Tokarev  <annulen@yandex.ru>
1920
1921         [python] Replace print operator with print() function for python3 compatibility
1922         https://bugs.webkit.org/show_bug.cgi?id=180592
1923
1924         Reviewed by Michael Catanzaro.
1925
1926         * Scripts/generateYarrUnicodePropertyTables.py:
1927         (openOrExit):
1928         (verifyUCDFilesExist):
1929         (Aliases.parsePropertyAliasesFile):
1930         (Aliases.parsePropertyValueAliasesFile):
1931         * Scripts/make-js-file-arrays.py:
1932         (main):
1933         * generate-bytecode-files:
1934
1935 2017-12-08  Mark Lam  <mark.lam@apple.com>
1936
1937         Need to unpoison native function pointers for CLoop.
1938         https://bugs.webkit.org/show_bug.cgi?id=180601
1939         <rdar://problem/35942028>
1940
1941         Reviewed by JF Bastien.
1942
1943         * llint/LowLevelInterpreter64.asm:
1944
1945 2017-12-08  Michael Saboff  <msaboff@apple.com>
1946
1947         YARR: JIT RegExps with greedy parenthesized sub patterns
1948         https://bugs.webkit.org/show_bug.cgi?id=180538
1949
1950         Reviewed by JF Bastien.
1951
1952         This patch adds JIT support for regular expressions containing greedy counted
1953         parentheses.  An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
1954
1955         Just like in the interpreter, expressions with nested parenthetical subpatterns
1956         require saving the results of previous matches of the parentheses contents along
1957         with any associated state.  This saved state is needed in the case that we need
1958         to backtrack.  This state is called ParenContext within the code.  Space allocated
1959         for this ParenContext is managed using a simple block allocator within the JIT'ed
1960         code.  The raw space managed by this allocator is passed into the JIT'ed function.
1961
1962         Since this fixed sized space may be exceeded, this patch adds a fallback mechanism.
1963         If the JIT'ed code exhausts all its ParenContext space, it returns a new error
1964         JSRegExpJITCodeFailure.  The caller will then bytecompile and interpret the
1965         expression.
1966
1967         Due to increased register usage by the parenthesis handling code, the use of
1968         registers by the JIT engine was restructured, with registers used for Unicode
1969         pattern matching replaced with constants.
1970
1971         Reworked some of the context structures that are used across the interpreter
1972         and JIT implementations to make them a little more uniform and to handle the
1973         needs of JIT'ing the new parentheses forms.
1974
1975         To help with development and debugging of this code, compiled patterns dumping
1976         code was enhanced.  Also added the ability to dump interpreter ByteCodes.
1977
1978         * runtime/RegExp.cpp:
1979         (JSC::byteCodeCompilePattern):
1980         (JSC::RegExp::byteCodeCompileIfNecessary):
1981         (JSC::RegExp::compile):
1982         (JSC::RegExp::compileMatchOnly):
1983         * runtime/RegExp.h:
1984         * runtime/RegExpInlines.h:
1985         (JSC::RegExp::matchInline):
1986         * testRegExp.cpp:
1987         (parseRegExpLine):
1988         (runFromFiles):
1989         * yarr/Yarr.h:
1990         * yarr/YarrInterpreter.cpp:
1991         (JSC::Yarr::ByteCompiler::compile):
1992         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1993         * yarr/YarrJIT.cpp:
1994         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
1995         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
1996         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
1997         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
1998         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
1999         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
2000         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
2001         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
2002         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
2003         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
2004         (JSC::Yarr::YarrGenerator::allocatePatternContext):
2005         (JSC::Yarr::YarrGenerator::freePatternContext):
2006         (JSC::Yarr::YarrGenerator::savePatternContext):
2007         (JSC::Yarr::YarrGenerator::restorePatternContext):
2008         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
2009         (JSC::Yarr::YarrGenerator::storeToFrame):
2010         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
2011         (JSC::Yarr::YarrGenerator::clearMatches):
2012         (JSC::Yarr::YarrGenerator::generate):
2013         (JSC::Yarr::YarrGenerator::backtrack):
2014         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2015         (JSC::Yarr::YarrGenerator::generateEnter):
2016         (JSC::Yarr::YarrGenerator::generateReturn):
2017         (JSC::Yarr::YarrGenerator::YarrGenerator):
2018         (JSC::Yarr::YarrGenerator::compile):
2019         * yarr/YarrJIT.h:
2020         (JSC::Yarr::YarrCodeBlock::execute):
2021         * yarr/YarrPattern.cpp:
2022         (JSC::Yarr::indentForNestingLevel):
2023         (JSC::Yarr::dumpUChar32):
2024         (JSC::Yarr::dumpCharacterClass):
2025         (JSC::Yarr::PatternTerm::dump):
2026         (JSC::Yarr::YarrPattern::dumpPattern):
2027         * yarr/YarrPattern.h:
2028         (JSC::Yarr::PatternTerm::containsAnyCaptures):
2029         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
2030         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
2031         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
2032         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
2033         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
2034         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
2035
2036 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
2037
2038         Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
2039         https://bugs.webkit.org/show_bug.cgi?id=180590
2040         <rdar://problem/35882767>
2041
2042         Reviewed by Mark Lam.
2043
2044         * inspector/agents/InspectorConsoleAgent.cpp:
2045         (Inspector::InspectorConsoleAgent::enable):
2046         Swap the messages to a Vector that won't change during iteration.
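
        The entry above names the bug and the fix in one line each. The following
        is an added example, not WebKit code: ConsoleAgent, ConsoleMessage and
        enableWithReentrantFrontend are hypothetical stand-ins for
        InspectorConsoleAgent, its buffered messages and a frontend callback. It
        shows the crashing shape (a container mutated by a callback while a
        range-for walks it) next to the swap-to-a-local fix the entry describes.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Added illustration of the crash pattern and its fix; ConsoleAgent and ConsoleMessage are
// hypothetical stand-ins for InspectorConsoleAgent and its buffered messages, and the
// "frontend" is whatever callback the agent hands each message to.
struct ConsoleMessage { std::string text; };

class ConsoleAgent {
public:
    // Messages logged while no frontend is attached are buffered here.
    void addMessage(std::string text) { m_buffered.push_back({ std::move(text) }); }

    // The crashing shape, kept for comparison and never called: the callback may re-enter
    // addMessage() while the range-for walks m_buffered. A push_back that reallocates frees
    // the buffer the loop is still reading, a use-after-free.
    void enableUnsafe(const std::function<void(const ConsoleMessage&)>& sendToFrontend)
    {
        for (const ConsoleMessage& message : m_buffered)
            sendToFrontend(message);
        m_buffered.clear();
    }

    // The fix: swap the buffered list into a local first. The callback can still append to
    // m_buffered, but the vector being iterated no longer changes under the loop.
    void enable(const std::function<void(const ConsoleMessage&)>& sendToFrontend)
    {
        std::vector<ConsoleMessage> messages;
        messages.swap(m_buffered);
        for (const ConsoleMessage& message : messages)
            sendToFrontend(message);
    }

    std::size_t bufferedCount() const { return m_buffered.size(); }

private:
    std::vector<ConsoleMessage> m_buffered;
};

// Scenario: a frontend that logs once more for every delivered message, re-entering
// addMessage() mid-delivery. Returns {messages delivered, messages now buffered}.
inline std::pair<std::size_t, std::size_t> enableWithReentrantFrontend(std::size_t initialMessages)
{
    ConsoleAgent agent;
    for (std::size_t i = 0; i < initialMessages; ++i)
        agent.addMessage("buffered " + std::to_string(i));
    std::size_t delivered = 0;
    agent.enable([&](const ConsoleMessage& message) {
        ++delivered;
        agent.addMessage("echo of " + message.text);
    });
    // Everything buffered before enable() went out exactly once; the echoes are queued
    // for the next enable() instead of being read from a freed buffer.
    return { delivered, agent.bufferedCount() };
}
```

        The swap costs nothing beyond the container's pointer exchange, and it
        turns a re-entrancy crash that only an unusual message ordering could
        trigger into behaviour that is correct for any callback.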
2047
2048 2017-12-08  Michael Saboff  <msaboff@apple.com>
2049
2050         YARR: Coalesce constructed character classes
2051         https://bugs.webkit.org/show_bug.cgi?id=180537
2052
2053         Reviewed by JF Bastien.
2054
2055         When adding characters or character ranges to a character class being constructed,
2056         we now coalesce adjacent characters and character ranges.  When we create a
2057         character class after construction is complete, we do a final coalescing pass
2058         across the character list and ranges to catch any remaining coalescing
2059         opportunities.
2060
2061         Added an optimization for character classes that will match any character.
2062         This is somewhat common in code created before the /s (dotAll) flag was added
2063         to the engine.
2064
2065         * yarr/YarrInterpreter.cpp:
2066         (JSC::Yarr::Interpreter::checkCharacterClass):
2067         * yarr/YarrJIT.cpp:
2068         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2069         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2070         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2071         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2072         * yarr/YarrPattern.cpp:
2073         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2074         (JSC::Yarr::CharacterClassConstructor::reset):
2075         (JSC::Yarr::CharacterClassConstructor::charClass):
2076         (JSC::Yarr::CharacterClassConstructor::addSorted):
2077         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2078         (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
2079         (JSC::Yarr::CharacterClassConstructor::coalesceTables):
2080         (JSC::Yarr::CharacterClassConstructor::anyCharacter):
2081         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
2082         (JSC::Yarr::PatternTerm::dump):
2083         (JSC::Yarr::anycharCreate):
2084         * yarr/YarrPattern.h:
2085         (JSC::Yarr::CharacterClass::CharacterClass):
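
        As an added example of the coalescing the entry above describes (it is
        not JSC's CharacterClassConstructor; CharRange, CharacterClassBuilder
        and buildClass are hypothetical names): singles and inclusive ranges are
        kept in two sorted tables, merged with their neighbours as they are
        added, and merged across the two tables in a final pass. The example
        also shows the "matches any character" detection for a class such as
        [\s\S], with \s reduced to \t\n\v\f\r and space for brevity.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <vector>

// Added illustration, not JSC's CharacterClassConstructor: singles and inclusive ranges
// live in two sorted tables, are coalesced on insertion, and are merged across tables
// by finalize() (the role of JSC's coalesceTables).
struct CharRange { std::uint32_t lo, hi; };

class CharacterClassBuilder {
public:
    static constexpr std::uint32_t kMaxCodePoint = 0x10FFFF;

    // Insert one character in sorted order; a neighbour one code point away is promoted
    // together with it into a range.
    void addSorted(std::uint32_t ch)
    {
        auto it = std::lower_bound(m_matches.begin(), m_matches.end(), ch);
        if (it != m_matches.end() && *it == ch)
            return;                                         // duplicate
        if (it != m_matches.end() && *it == ch + 1) {
            std::uint32_t hi = *it;
            m_matches.erase(it);
            addSortedRange(ch, hi);
        } else if (it != m_matches.begin() && *(it - 1) + 1 == ch) {
            std::uint32_t lo = *(it - 1);
            m_matches.erase(it - 1);
            addSortedRange(lo, ch);
        } else
            m_matches.insert(it, ch);
    }

    // Insert [lo, hi] in sorted order, absorbing every range it overlaps or touches.
    void addSortedRange(std::uint32_t lo, std::uint32_t hi)
    {
        std::vector<CharRange> out;
        CharRange merged { lo, hi };
        bool placed = false;
        for (const CharRange& r : m_ranges) {
            if (r.hi + 1 < merged.lo)
                out.push_back(r);                           // entirely before
            else if (r.lo > merged.hi + 1) {                // entirely after
                if (!placed)
                    out.push_back(merged);
                placed = true;
                out.push_back(r);
            } else {                                        // overlaps or adjacent: absorb
                merged.lo = std::min(merged.lo, r.lo);
                merged.hi = std::max(merged.hi, r.hi);
            }
        }
        if (!placed)
            out.push_back(merged);
        m_ranges.swap(out);
    }

    // Final pass across both tables: a single that touches a range joins it, singles next
    // to each other become a range. Repeats until stable, because one merge can leave a
    // previously isolated single adjacent to the grown range.
    void finalize()
    {
        std::size_t before;
        do {
            before = pieceCount();
            std::vector<std::uint32_t> singles;
            singles.swap(m_matches);
            for (std::uint32_t ch : singles) {
                bool touchesRange = false;
                for (const CharRange& r : m_ranges)
                    touchesRange = touchesRange || (ch + 1 >= r.lo && ch <= r.hi + 1);
                if (touchesRange)
                    addSortedRange(ch, ch);
                else
                    addSorted(ch);
            }
        } while (pieceCount() != before);
    }

    // The fast path for classes matching every character: one range over all code points.
    bool matchesAnyCharacter() const
    {
        return m_matches.empty() && m_ranges.size() == 1
            && m_ranges[0].lo == 0 && m_ranges[0].hi == kMaxCodePoint;
    }

    std::size_t pieceCount() const { return m_matches.size() + m_ranges.size(); }
private:
    std::vector<std::uint32_t> m_matches;   // sorted single characters
    std::vector<CharRange> m_ranges;        // sorted, non-overlapping, non-adjacent
};

// Build and finalize a class from singles and a flat lo,hi,lo,hi list of ranges.
inline CharacterClassBuilder buildClass(std::initializer_list<std::uint32_t> singles,
                                        std::initializer_list<std::uint32_t> rangeBounds)
{
    CharacterClassBuilder b;
    for (std::uint32_t ch : singles)
        b.addSorted(ch);
    for (auto it = rangeBounds.begin(); it + 1 < rangeBounds.end(); it += 2)
        b.addSortedRange(*it, *(it + 1));
    b.finalize();
    return b;
}
```

        The final pass is what catches a single such as 3 that was isolated when
        added but becomes adjacent once 4 is merged into a range starting at 5;
        the insertion-time checks alone would leave it as a separate comparison
        in the matcher.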
2086
2087 2017-12-07  Saam Barati  <sbarati@apple.com>
2088
2089         Modify our dollar VM clflush intrinsic to aid in some perf testing
2090         https://bugs.webkit.org/show_bug.cgi?id=180559
2091
2092         Reviewed by Mark Lam.
2093
2094         * tools/JSDollarVM.cpp:
2095         (JSC::functionCpuClflush):
2096         (JSC::functionDeltaBetweenButterflies):
2097         (JSC::JSDollarVM::finishCreation):
2098
2099 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
2100
2101         Simplify log channel configuration UI
2102         https://bugs.webkit.org/show_bug.cgi?id=180527
2103         <rdar://problem/35908382>
2104
2105         Reviewed by Joseph Pecoraro.
2106
2107         * inspector/protocol/Console.json:
2108
2109 2017-12-07  Mark Lam  <mark.lam@apple.com>
2110
2111         Apply poisoning to some native code pointers.
2112         https://bugs.webkit.org/show_bug.cgi?id=180541
2113         <rdar://problem/35916875>
2114
2115         Reviewed by Filip Pizlo.
2116
2117         Renamed g_classInfoPoison to g_globalDataPoison.
2118         Renamed g_masmPoison to g_jitCodePoison.
2119         Introduced g_nativeCodePoison.
2120         Applied g_nativeCodePoison to poisoning some native code pointers.
2121
2122         Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
2123         to malloc allocated data structures (where needed).
2124
2125         * API/JSCallbackFunction.h:
2126         (JSC::JSCallbackFunction::functionCallback):
2127         * JavaScriptCore.xcodeproj/project.pbxproj:
2128         * jit/ThunkGenerators.cpp:
2129         (JSC::nativeForGenerator):
2130         * llint/LowLevelInterpreter64.asm:
2131         * runtime/CustomGetterSetter.h:
2132         (JSC::CustomGetterSetter::getter const):
2133         (JSC::CustomGetterSetter::setter const):
2134         * runtime/InternalFunction.cpp:
2135         (JSC::InternalFunction::getCallData):
2136         (JSC::InternalFunction::getConstructData):
2137         * runtime/InternalFunction.h:
2138         (JSC::InternalFunction::nativeFunctionFor):
2139         * runtime/JSCPoison.h: Added.
2140         * runtime/JSCPoisonedPtr.cpp:
2141         (JSC::initializePoison):
2142         * runtime/JSCPoisonedPtr.h:
2143         * runtime/Lookup.h:
2144         * runtime/NativeExecutable.cpp:
2145         (JSC::NativeExecutable::hashFor const):
2146         * runtime/NativeExecutable.h:
2147         * runtime/Structure.cpp:
2148         (JSC::StructureTransitionTable::setSingleTransition):
2149         * runtime/StructureTransitionTable.h:
2150         (JSC::StructureTransitionTable::StructureTransitionTable):
2151         (JSC::StructureTransitionTable::isUsingSingleSlot const):
2152         (JSC::StructureTransitionTable::map const):
2153         (JSC::StructureTransitionTable::weakImpl const):
2154         (JSC::StructureTransitionTable::setMap):
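
        Pointer poisoning, as applied above to native code pointers, stores a
        pointer XORed with a per-process secret so that a heap read does not
        reveal the real address and a forged raw pointer written into an object
        by an attacker decodes to an unusable value. The following is an added
        example, not JSC's Poisoned<> template: PoisonKey, makePoisonKey,
        poison, unpoison and PoisonedNativeFunction are hypothetical names, and
        the key is passed in explicitly where JSC keeps it in a global such as
        g_nativeCodePoison.

```cpp
#include <cstdint>
#include <random>

// Added illustration of pointer poisoning; not JSC's Poisoned<> template. PoisonKey,
// makePoisonKey, poison/unpoison and PoisonedNativeFunction are hypothetical names.
// JSC keeps its keys in globals such as g_nativeCodePoison; here the key is passed in.
using PoisonKey = std::uintptr_t;

// Per-process secret. Bit 0 is forced on so that the stored word is never a correctly
// aligned pointer: code that uses it without unpoisoning faults instead of working.
inline PoisonKey makePoisonKey()
{
    std::random_device rd;
    std::uint64_t bits = (static_cast<std::uint64_t>(rd()) << 32) ^ rd();
    return static_cast<PoisonKey>(bits) | 1u;
}

// XOR poisoning is cheap and invertible; the stored word reveals nothing about the
// pointer, and a forged raw pointer decodes to garbage, unless the attacker has the key.
inline std::uintptr_t poison(PoisonKey key, std::uintptr_t raw) { return raw ^ key; }
inline std::uintptr_t unpoison(PoisonKey key, std::uintptr_t stored) { return stored ^ key; }

using NativeFunction = int (*)(int);

// A holder for a native code pointer, in the role a NativeExecutable or
// CustomGetterSetter plays in JSC: only the poisoned form ever sits in memory.
class PoisonedNativeFunction {
public:
    PoisonedNativeFunction(PoisonKey key, NativeFunction fn)
        : m_stored(poison(key, reinterpret_cast<std::uintptr_t>(fn))) { }

    std::uintptr_t storedBits() const { return m_stored; }   // what a heap read would see

    NativeFunction get(PoisonKey key) const
    {
        return reinterpret_cast<NativeFunction>(unpoison(key, m_stored));
    }

    int call(PoisonKey key, int argument) const { return get(key)(argument); }

private:
    std::uintptr_t m_stored;
};

static int doubleIt(int x) { return 2 * x; }

// Checks the three properties that matter: the stored word is not the real address, the
// right key recovers the pointer, and a wrong key does not.
inline bool poisonRoundTripWorks(PoisonKey key)
{
    PoisonedNativeFunction holder(key, doubleIt);
    std::uintptr_t real = reinterpret_cast<std::uintptr_t>(doubleIt);
    bool hidden = holder.storedBits() != real;
    bool recovered = holder.get(key) == doubleIt && holder.call(key, 21) == 42;
    bool wrongKeyFails = holder.get(key ^ 0x10u) != doubleIt;
    return hidden && recovered && wrongKeyFails;
}
```

        The caveat: XOR poisoning defends against partial primitives (a fake
        object, a single corrupted field, a leaked word) and not against an
        attacker who can already read the key. Using separate keys for separate
        pointer classes, as the entry does with g_globalDataPoison,
        g_jitCodePoison and g_nativeCodePoison, limits what one recovered key
        unlocks.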
2155
2156 2017-12-07  Joseph Pecoraro  <pecoraro@apple.com>
2157
2158         Web Inspector: Fix style in remote inspector classes
2159         https://bugs.webkit.org/show_bug.cgi?id=180545
2160
2161         Reviewed by Youenn Fablet.
2162
2163         * inspector/remote/RemoteControllableTarget.h:
2164         * inspector/remote/RemoteInspectionTarget.h:
2165         * runtime/JSGlobalObjectDebuggable.h:
2166
2167 2017-12-07  Per Arne Vollan  <pvollan@apple.com>
2168
2169         Use fastAlignedFree to free aligned memory.
2170         https://bugs.webkit.org/show_bug.cgi?id=180540
2171
2172         Reviewed by Saam Barati.
2173
2174         * heap/IsoAlignedMemoryAllocator.cpp:
2175         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2176
2177 2017-12-07  Matt Lewis  <jlewis3@apple.com>
2178
2179         Unreviewed, rolling out r225634.
2180
2181         This caused layout tests to time out.
2182
2183         Reverted changeset:
2184
2185         "Simplify log channel configuration UI"
2186         https://bugs.webkit.org/show_bug.cgi?id=180527
2187         https://trac.webkit.org/changeset/225634
2188
2189 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
2190
2191         Simplify log channel configuration UI
2192         https://bugs.webkit.org/show_bug.cgi?id=180527
2193         <rdar://problem/35908382>
2194
2195         Reviewed by Joseph Pecoraro.
2196
2197         * inspector/protocol/Console.json:
2198
2199 2017-12-07  Mark Lam  <mark.lam@apple.com>
2200
2201         [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
2202         https://bugs.webkit.org/show_bug.cgi?id=180514
2203
2204         Reviewed by Saam Barati and JF Bastien.
2205
2206         Re-landing r225620 with speculative build fix for GCC 7.
2207
2208         * API/JSCallbackObject.h:
2209         * API/JSObjectRef.cpp:
2210         (classInfoPrivate):
2211         * JavaScriptCore.xcodeproj/project.pbxproj:
2212         * Sources.txt:
2213         * assembler/MacroAssemblerCodeRef.h:
2214         (JSC::FunctionPtr::FunctionPtr):
2215         (JSC::FunctionPtr::value const):
2216         (JSC::FunctionPtr::executableAddress const):
2217         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2218         (JSC::ReturnAddressPtr::value const):
2219         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2220         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2221         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
2222         (JSC::MacroAssemblerCodePtr:: const):
2223         (JSC::MacroAssemblerCodePtr::operator! const):
2224         (JSC::MacroAssemblerCodePtr::operator== const):
2225         (JSC::MacroAssemblerCodePtr::emptyValue):
2226         (JSC::MacroAssemblerCodePtr::deletedValue):
2227         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
2228         * b3/B3LowerMacros.cpp:
2229         * b3/testb3.cpp:
2230         (JSC::B3::testInterpreter):
2231         * dfg/DFGSpeculativeJIT.cpp:
2232         (JSC::DFG::SpeculativeJIT::checkArray):
2233         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2234         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2235         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2236         * ftl/FTLLowerDFGToB3.cpp:
2237         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2238         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2239         * jit/AssemblyHelpers.h:
2240         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2241         * jit/SpecializedThunkJIT.h:
2242         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2243         * jit/ThunkGenerators.cpp:
2244         (JSC::virtualThunkFor):
2245         (JSC::boundThisNoArgsFunctionCallGenerator):
2246         * llint/LLIntSlowPaths.cpp:
2247         (JSC::LLInt::handleHostCall):
2248         (JSC::LLInt::setUpCall):
2249         * llint/LowLevelInterpreter64.asm:
2250         * runtime/InitializeThreading.cpp:
2251         (JSC::initializeThreading):
2252         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
2253         (JSC::initializePoison):
2254         (JSC::initializeScrambledPtrKeys): Deleted.
2255         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
2256         * runtime/JSCScrambledPtr.cpp: Removed.
2257         * runtime/JSCScrambledPtr.h: Removed.
2258         * runtime/JSDestructibleObject.h:
2259         (JSC::JSDestructibleObject::classInfo const):
2260         * runtime/JSSegmentedVariableObject.h:
2261         (JSC::JSSegmentedVariableObject::classInfo const):
2262         * runtime/Structure.h:
2263         * runtime/VM.h:
2264
2265 2017-12-07  Michael Catanzaro  <mcatanzaro@igalia.com>
2266
2267         Unreviewed, rolling out r225620
2268         https://bugs.webkit.org/show_bug.cgi?id=180514
2269         <rdar://problem/35901694>
2270
2271         It broke the build with GCC 7, and I don't know how to fix it.
2272
2273         * API/JSCallbackObject.h:
2274         * API/JSObjectRef.cpp:
2275         (classInfoPrivate):
2276         * JavaScriptCore.xcodeproj/project.pbxproj:
2277         * Sources.txt:
2278         * assembler/MacroAssemblerCodeRef.h:
2279         (JSC::FunctionPtr::FunctionPtr):
2280         (JSC::FunctionPtr::value const):
2281         (JSC::FunctionPtr::executableAddress const):
2282         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2283         (JSC::ReturnAddressPtr::value const):
2284         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2285         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2286         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2287         (JSC::MacroAssemblerCodePtr:: const):
2288         (JSC::MacroAssemblerCodePtr::operator! const):
2289         (JSC::MacroAssemblerCodePtr::operator== const):
2290         (JSC::MacroAssemblerCodePtr::emptyValue):
2291         (JSC::MacroAssemblerCodePtr::deletedValue):
2292         (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
2293         * b3/B3LowerMacros.cpp:
2294         * b3/testb3.cpp:
2295         (JSC::B3::testInterpreter):
2296         * dfg/DFGSpeculativeJIT.cpp:
2297         (JSC::DFG::SpeculativeJIT::checkArray):
2298         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2299         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2300         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2301         * ftl/FTLLowerDFGToB3.cpp:
2302         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2303         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2304         * jit/AssemblyHelpers.h:
2305         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2306         * jit/SpecializedThunkJIT.h:
2307         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2308         * jit/ThunkGenerators.cpp:
2309         (JSC::virtualThunkFor):
2310         (JSC::boundThisNoArgsFunctionCallGenerator):
2311         * llint/LLIntSlowPaths.cpp:
2312         (JSC::LLInt::handleHostCall):
2313         (JSC::LLInt::setUpCall):
2314         * llint/LowLevelInterpreter64.asm:
2315         * runtime/InitializeThreading.cpp:
2316         (JSC::initializeThreading):
2317         * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
2318         (JSC::initializeScrambledPtrKeys):
2319         * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
2320         * runtime/JSDestructibleObject.h:
2321         (JSC::JSDestructibleObject::classInfo const):
2322         * runtime/JSSegmentedVariableObject.h:
2323         (JSC::JSSegmentedVariableObject::classInfo const):
2324         * runtime/Structure.h:
2325         * runtime/VM.h:
2326
2327 2017-12-06  Mark Lam  <mark.lam@apple.com>
2328
2329         Refactoring: Rename ScrambledPtr to Poisoned.
2330         https://bugs.webkit.org/show_bug.cgi?id=180514
2331
2332         Reviewed by Saam Barati.
2333
2334         * API/JSCallbackObject.h:
2335         * API/JSObjectRef.cpp:
2336         (classInfoPrivate):
2337         * JavaScriptCore.xcodeproj/project.pbxproj:
2338         * Sources.txt:
2339         * assembler/MacroAssemblerCodeRef.h:
2340         (JSC::FunctionPtr::FunctionPtr):
2341         (JSC::FunctionPtr::value const):
2342         (JSC::FunctionPtr::executableAddress const):
2343         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2344         (JSC::ReturnAddressPtr::value const):
2345         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2346         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2347         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
2348         (JSC::MacroAssemblerCodePtr:: const):
2349         (JSC::MacroAssemblerCodePtr::operator! const):
2350         (JSC::MacroAssemblerCodePtr::operator== const):
2351         (JSC::MacroAssemblerCodePtr::emptyValue):
2352         (JSC::MacroAssemblerCodePtr::deletedValue):
2353         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
2354         * b3/B3LowerMacros.cpp:
2355         * b3/testb3.cpp:
2356         (JSC::B3::testInterpreter):
2357         * dfg/DFGSpeculativeJIT.cpp:
2358         (JSC::DFG::SpeculativeJIT::checkArray):
2359         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2360         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2361         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2362         * ftl/FTLLowerDFGToB3.cpp:
2363         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2364         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2365         * jit/AssemblyHelpers.h:
2366         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2367         * jit/SpecializedThunkJIT.h:
2368         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2369         * jit/ThunkGenerators.cpp:
2370         (JSC::virtualThunkFor):
2371         (JSC::boundThisNoArgsFunctionCallGenerator):
2372         * llint/LLIntSlowPaths.cpp:
2373         (JSC::LLInt::handleHostCall):
2374         (JSC::LLInt::setUpCall):
2375         * llint/LowLevelInterpreter64.asm:
2376         * runtime/InitializeThreading.cpp:
2377         (JSC::initializeThreading):
2378         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
2379         (JSC::initializePoison):
2380         (JSC::initializeScrambledPtrKeys): Deleted.
2381         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
2382         * runtime/JSCScrambledPtr.cpp: Removed.
2383         * runtime/JSCScrambledPtr.h: Removed.
2384         * runtime/JSDestructibleObject.h:
2385         (JSC::JSDestructibleObject::classInfo const):
2386         * runtime/JSSegmentedVariableObject.h:
2387         (JSC::JSSegmentedVariableObject::classInfo const):
2388         * runtime/Structure.h:
2389         * runtime/VM.h:
2390
2391 2017-12-02  Darin Adler  <darin@apple.com>
2392
2393         Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
2394         https://bugs.webkit.org/show_bug.cgi?id=180009
2395
2396         Reviewed by Alex Christensen.
2397
2398         * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
2399         * bytecode/CodeBlock.cpp: Ditto.
2400         * bytecode/ExecutionCounter.cpp: Ditto.
2401         * runtime/ConfigFile.cpp: Ditto.
2402         * runtime/DatePrototype.cpp: Ditto.
2403         * runtime/IndexingType.cpp: Ditto.
2404         * runtime/JSCJSValue.cpp: Ditto.
2405         * runtime/JSDateMath.cpp: Ditto.
2406         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
2407         * runtime/Options.cpp: Ditto.
2408         (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
2409
2410 2017-12-06  Saam Barati  <sbarati@apple.com>
2411
2412         ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
2413         https://bugs.webkit.org/show_bug.cgi?id=180438
2414         <rdar://problem/35862342>
2415
2416         Reviewed by Yusuke Suzuki.
2417
        A couple of inspector methods that take stack traces need
        to grab the JSLock.
2420
2421         * inspector/ScriptCallStackFactory.cpp:
2422         (Inspector::createScriptCallStack):
2423         (Inspector::createScriptCallStackForConsole):
2424
2425 2017-12-05  Stephan Szabo  <stephan.szabo@sony.com>
2426
2427         Switch windows build to Visual Studio 2017
2428         https://bugs.webkit.org/show_bug.cgi?id=172412
2429
2430         Reviewed by Per Arne Vollan.
2431
2432         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2433
2434 2017-12-05  JF Bastien  <jfbastien@apple.com>
2435
2436         WebAssembly: don't eagerly checksum
2437         https://bugs.webkit.org/show_bug.cgi?id=180441
2438         <rdar://problem/35156628>
2439
2440         Reviewed by Saam Barati.
2441
2442         Make checksumming of module optional for now. The bots think the
2443         checksum hurt compile-time. I'd measured it and couldn't see a
2444         difference, and still can't at this point in time, but we'll see
2445         if disabling it fixes the bots. If so then I can make it lazy upon
2446         first backtrace construction, or I can try out MD5 instead of
2447         SHA1.
2448
2449         * runtime/Options.h:
2450         * wasm/WasmModuleInformation.cpp:
2451         (JSC::Wasm::ModuleInformation::ModuleInformation):
2452         * wasm/WasmModuleInformation.h:
2453         * wasm/WasmNameSection.h:
2454         (JSC::Wasm::NameSection::NameSection):
2455
2456 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
2457
2458         IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
2459         https://bugs.webkit.org/show_bug.cgi?id=180425
2460
2461         Reviewed by Saam Barati.
2462         
2463         Failure to do so causes leaks after starting workers.
2464
2465         * heap/IsoAlignedMemoryAllocator.cpp:
2466         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2467         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
2468
2469 2017-12-05  Per Arne Vollan  <pvollan@apple.com>
2470
2471         [Win64] Compile error in testmasm.cpp.
2472         https://bugs.webkit.org/show_bug.cgi?id=180436
2473
2474         Reviewed by Mark Lam.
2475
2476         Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
2477         
2478         * assembler/testmasm.cpp:
2479         (JSC::testGetEffectiveAddress):
2480
2481 2017-12-01  Filip Pizlo  <fpizlo@apple.com>
2482
2483         GC constraint solving should be parallel
2484         https://bugs.webkit.org/show_bug.cgi?id=179934
2485
2486         Reviewed by JF Bastien.
2487         
2488         This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
2489         speed-up. It's more than 1% on trunk-Speedometer.
2490         
2491         The constraint solver supports running constraints in parallel in two different ways:
2492         
2493         - Run multiple constraints in parallel to each other. This only works for constraints that can
2494           tolerate other constraints running concurrently to them (constraint.concurrency() ==
2495           ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
2496           constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
2497           could probably make them concurrent, but I'm playing it safe for now.
2498         
2499         - A constraint can create parallel work for itself, which the constraint solver will interleave
2500           with other stuff. A constraint can report that it has parallel work by returning
2501           ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
2502           constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
2503           for as long as that function wants to run.
2504         
2505         It's not possible to have a non-concurrent constraint that creates parallel work.
2506         
2507         The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
2508         most natural for two reasons:
2509         
2510         - No need to start any other threads.
2511         
2512         - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
2513           access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
2514           create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
2515           thread, that thread will have work it can start doing immediately. Before this change, we had to
2516           contribute the work found by the constraint solver to the global worklist so that it could be
2517           distributed to the marker threads by load balancing. This change probably helps to avoid that
2518           load balancing step.
2519         
2520         A lot of this change is about making it easy to iterate GC data structures in parallel. This
2521         change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
2522         the parallel work API. That constraint iterates the marked cells in two subspaces. This change
2523         makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
2524         The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
2525         iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
2526         RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
2527         when it returns a falsish version of ... (in the current code, that's always a pointer type, so
2528         done is indicated by null).
2529         
2530         * API/JSMarkingConstraintPrivate.cpp:
2531         (JSContextGroupAddMarkingConstraint):
2532         * API/JSVirtualMachine.mm:
2533         (scanExternalObjectGraph):
2534         (scanExternalRememberedSet):
2535         * JavaScriptCore.xcodeproj/project.pbxproj:
2536         * Sources.txt:
2537         * bytecode/AccessCase.cpp:
2538         (JSC::AccessCase::propagateTransitions const):
2539         * bytecode/CodeBlock.cpp:
2540         (JSC::CodeBlock::visitWeakly):
2541         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2542         (JSC::shouldMarkTransition):
2543         (JSC::CodeBlock::propagateTransitions):
2544         (JSC::CodeBlock::determineLiveness):
2545         * dfg/DFGWorklist.cpp:
2546         * ftl/FTLCompile.cpp:
2547         (JSC::FTL::compile):
2548         * heap/ConstraintParallelism.h: Added.
2549         (WTF::printInternal):
2550         * heap/Heap.cpp:
2551         (JSC::Heap::Heap):
2552         (JSC::Heap::addToRememberedSet):
2553         (JSC::Heap::runFixpointPhase):
2554         (JSC::Heap::stopThePeriphery):
2555         (JSC::Heap::resumeThePeriphery):
2556         (JSC::Heap::addCoreConstraints):
2557         (JSC::Heap::setBonusVisitorTask):
2558         (JSC::Heap::runTaskInParallel):
2559         (JSC::Heap::forEachSlotVisitor): Deleted.
2560         * heap/Heap.h:
2561         (JSC::Heap::worldIsRunning const):
2562         (JSC::Heap::runFunctionInParallel):
2563         * heap/HeapInlines.h:
2564         (JSC::Heap::worldIsStopped const):
2565         (JSC::Heap::isMarked):
2566         (JSC::Heap::incrementDeferralDepth):
2567         (JSC::Heap::decrementDeferralDepth):
2568         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2569         (JSC::Heap::forEachSlotVisitor):
2570         (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
2571         (JSC::Heap::isMarkedConcurrently): Deleted.
2572         * heap/HeapSnapshotBuilder.cpp:
2573         (JSC::HeapSnapshotBuilder::appendNode):
2574         * heap/LargeAllocation.h:
2575         (JSC::LargeAllocation::isMarked):
2576         (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
2577         * heap/LockDuringMarking.h:
2578         (JSC::lockDuringMarking):
2579         * heap/MarkedAllocator.cpp:
2580         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
2581         * heap/MarkedAllocator.h:
2582         * heap/MarkedBlock.h:
2583         (JSC::MarkedBlock::aboutToMark):
2584         (JSC::MarkedBlock::isMarked):
2585         (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
2586         (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
2587         * heap/MarkedSpace.h:
2588         (JSC::MarkedSpace::activeWeakSetsBegin):
2589         (JSC::MarkedSpace::activeWeakSetsEnd):
2590         (JSC::MarkedSpace::newActiveWeakSetsBegin):
2591         (JSC::MarkedSpace::newActiveWeakSetsEnd):
2592         * heap/MarkingConstraint.cpp:
2593         (JSC::MarkingConstraint::MarkingConstraint):
2594         (JSC::MarkingConstraint::execute):
2595         (JSC::MarkingConstraint::quickWorkEstimate):
2596         (JSC::MarkingConstraint::workEstimate):
2597         (JSC::MarkingConstraint::doParallelWork):
2598         (JSC::MarkingConstraint::finishParallelWork):
2599         (JSC::MarkingConstraint::doParallelWorkImpl):
2600         (JSC::MarkingConstraint::finishParallelWorkImpl):
2601         * heap/MarkingConstraint.h:
2602         (JSC::MarkingConstraint::lastExecuteParallelism const):
2603         (JSC::MarkingConstraint::parallelism const):
2604         (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
2605         (JSC::MarkingConstraint::workEstimate): Deleted.
2606         * heap/MarkingConstraintSet.cpp:
2607         (JSC::MarkingConstraintSet::MarkingConstraintSet):
2608         (JSC::MarkingConstraintSet::add):
2609         (JSC::MarkingConstraintSet::executeConvergence):
2610         (JSC::MarkingConstraintSet::executeConvergenceImpl):
2611         (JSC::MarkingConstraintSet::executeAll):
2612         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
2613         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
2614         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
2615         (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
2616         (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
2617         (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
2618         (): Deleted.
2619         * heap/MarkingConstraintSet.h:
2620         * heap/MarkingConstraintSolver.cpp: Added.
2621         (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
2622         (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
2623         (JSC::MarkingConstraintSolver::didVisitSomething const):
2624         (JSC::MarkingConstraintSolver::execute):
2625         (JSC::MarkingConstraintSolver::drain):
2626         (JSC::MarkingConstraintSolver::converge):
2627         (JSC::MarkingConstraintSolver::runExecutionThread):
2628         (JSC::MarkingConstraintSolver::didExecute):
2629         * heap/MarkingConstraintSolver.h: Added.
2630         * heap/OpaqueRootSet.h: Removed.
2631         * heap/ParallelSourceAdapter.h: Added.
2632         (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
2633         (JSC::createParallelSourceAdapter):
2634         * heap/SimpleMarkingConstraint.cpp: Added.
2635         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
2636         (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
2637         (JSC::SimpleMarkingConstraint::quickWorkEstimate):
2638         (JSC::SimpleMarkingConstraint::executeImpl):
2639         * heap/SimpleMarkingConstraint.h: Added.
2640         * heap/SlotVisitor.cpp:
2641         (JSC::SlotVisitor::didStartMarking):
2642         (JSC::SlotVisitor::reset):
2643         (JSC::SlotVisitor::appendToMarkStack):
2644         (JSC::SlotVisitor::visitChildren):
2645         (JSC::SlotVisitor::updateMutatorIsStopped):
2646         (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
2647         (JSC::SlotVisitor::drain):
2648         (JSC::SlotVisitor::performIncrementOfDraining):
2649         (JSC::SlotVisitor::didReachTermination):
2650         (JSC::SlotVisitor::hasWork):
2651         (JSC::SlotVisitor::drainFromShared):
2652         (JSC::SlotVisitor::drainInParallelPassively):
2653         (JSC::SlotVisitor::waitForTermination):
2654         (JSC::SlotVisitor::addOpaqueRoot): Deleted.
2655         (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
2656         (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
2657         (JSC::SlotVisitor::mergeIfNecessary): Deleted.
2658         (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
2659         (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
2660         * heap/SlotVisitor.h:
2661         * heap/SlotVisitorInlines.h:
2662         (JSC::SlotVisitor::addOpaqueRoot):
2663         (JSC::SlotVisitor::containsOpaqueRoot const):
2664         (JSC::SlotVisitor::vm):
2665         (JSC::SlotVisitor::vm const):
2666         * heap/Subspace.cpp:
2667         (JSC::Subspace::parallelAllocatorSource):
2668         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
2669         * heap/Subspace.h:
2670         * heap/SubspaceInlines.h:
2671         (JSC::Subspace::forEachMarkedCellInParallel):
2672         * heap/VisitCounter.h: Added.
2673         (JSC::VisitCounter::VisitCounter):
2674         (JSC::VisitCounter::visitCount const):
2675         * heap/VisitingTimeout.h: Removed.
2676         * heap/WeakBlock.cpp:
2677         (JSC::WeakBlock::specializedVisit):
2678         * runtime/Structure.cpp:
2679         (JSC::Structure::isCheapDuringGC):
2680         (JSC::Structure::markIfCheap):
2681
2682 2017-12-04  JF Bastien  <jfbastien@apple.com>
2683
2684         Math: don't redundantly check for exceptions, just release scope
2685         https://bugs.webkit.org/show_bug.cgi?id=180395
2686
2687         Rubber stamped by Mark Lam.
2688
2689         Two of the exceptions checks could just have been exception scope
2690         releases before the return, which is ever-so-slightly more
2691         efficient. The same technically applies where we have loops over
2692         parameters, but doing the scope release there isn't really more
2693         efficient and is way harder to read.
2694
2695         * runtime/MathObject.cpp:
2696         (JSC::mathProtoFuncATan2):
2697         (JSC::mathProtoFuncPow):
2698
2699 2017-12-04  David Quesada  <david_quesada@apple.com>
2700
2701         Add a class for parsing application manifests
2702         https://bugs.webkit.org/show_bug.cgi?id=177973
2703         rdar://problem/34747949
2704
2705         Reviewed by Geoffrey Garen.
2706
2707         * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
2708
2709 2017-12-04  JF Bastien  <jfbastien@apple.com>
2710
2711         Update std::expected to match libc++ coding style
2712         https://bugs.webkit.org/show_bug.cgi?id=180264
2713
2714         Reviewed by Alex Christensen.
2715
2716         Update various uses of Expected.
2717
2718         * wasm/WasmModule.h:
2719         * wasm/WasmModuleParser.cpp:
2720         (JSC::Wasm::ModuleParser::parseImport):
2721         (JSC::Wasm::ModuleParser::parseTableHelper):
2722         (JSC::Wasm::ModuleParser::parseTable):
2723         (JSC::Wasm::ModuleParser::parseMemoryHelper):
2724         * wasm/WasmParser.h:
2725         * wasm/generateWasmValidateInlinesHeader.py:
2726         (loadMacro):
2727         (storeMacro):
2728         * wasm/js/JSWebAssemblyModule.cpp:
2729         (JSC::JSWebAssemblyModule::createStub):
2730         * wasm/js/JSWebAssemblyModule.h:
2731
2732 2017-12-04  Saam Barati  <sbarati@apple.com>
2733
2734         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2735         https://bugs.webkit.org/show_bug.cgi?id=180366
2736         <rdar://problem/35685877>
2737
2738         Reviewed by Michael Saboff.
2739
2740         On the TailCall slow path, the CallFrameShuffler will build the frame with
2741         respect to SP instead of FP. However, this may overwrite slots on the stack
2742         that are needed if the slow path C call does a stack walk. The slow path
2743         C call does a stack walk when it throws an exception. This patch fixes
2744         this bug by ensuring that the top of the stack in the FTL always has enough
2745         space to allow CallFrameShuffler to build a frame without overwriting any
2746         items on the stack that are needed when doing a stack walk.
2747
2748         * ftl/FTLLowerDFGToB3.cpp:
2749         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2750
2751 2017-12-04  Devin Rousso  <webkit@devinrousso.com>
2752
2753         Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
2754         https://bugs.webkit.org/show_bug.cgi?id=175166
2755         <rdar://problem/34040740>
2756
2757         Reviewed by Joseph Pecoraro.
2758
2759         * inspector/protocol/Recording.json:
2760         Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
2761
2762         * inspector/JSGlobalObjectConsoleClient.h:
2763         * inspector/JSGlobalObjectConsoleClient.cpp:
2764         (Inspector::JSGlobalObjectConsoleClient::record):
2765         (Inspector::JSGlobalObjectConsoleClient::recordEnd):
2766
2767         * runtime/ConsoleClient.h:
2768         * runtime/ConsoleObject.cpp:
2769         (JSC::ConsoleObject::finishCreation):
2770         (JSC::consoleProtoFuncRecord):
2771         (JSC::consoleProtoFuncRecordEnd):
2772
2773 2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2774
2775         WTF shouldn't have both Thread and ThreadIdentifier
2776         https://bugs.webkit.org/show_bug.cgi?id=180308
2777
2778         Reviewed by Darin Adler.
2779
2780         * heap/MachineStackMarker.cpp:
2781         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2782         * llint/LLIntSlowPaths.cpp:
2783         (JSC::LLInt::llint_trace_operand):
2784         (JSC::LLInt::llint_trace_value):
2785         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2786         (JSC::LLInt::traceFunctionPrologue):
2787         * runtime/ExceptionScope.cpp:
2788         (JSC::ExceptionScope::unexpectedExceptionMessage):
2789         * runtime/JSLock.h:
2790         (JSC::JSLock::currentThreadIsHoldingLock):
2791         * runtime/VM.cpp:
2792         (JSC::VM::throwException):
2793         * runtime/VM.h:
2794         (JSC::VM::throwingThread const):
2795         (JSC::VM::clearException):
2796         * tools/HeapVerifier.cpp:
2797         (JSC::HeapVerifier::printVerificationHeader):
2798
2799 2017-12-03  Caio Lima  <ticaiolima@gmail.com>
2800
2801         Rename DestroyFunc to avoid redefinition on unified build
2802         https://bugs.webkit.org/show_bug.cgi?id=180335
2803
2804         Reviewed by Filip Pizlo.
2805
2806         Changing DestroyFunc structures to more specific names to avoid
2807         conflicts on unified builds.
2808
2809         * heap/HeapCellType.cpp:
2810         (JSC::HeapCellType::finishSweep):
2811         (JSC::HeapCellType::destroy):
2812         * runtime/JSDestructibleObjectHeapCellType.cpp:
2813         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
2814         (JSC::JSDestructibleObjectHeapCellType::destroy):
2815         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
2816         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
2817         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
2818         * runtime/JSStringHeapCellType.cpp:
2819         (JSC::JSStringHeapCellType::finishSweep):
2820         (JSC::JSStringHeapCellType::destroy):
2821         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
2822         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
2823         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
2824
2825 2017-12-01  JF Bastien  <jfbastien@apple.com>
2826
2827         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2828         https://bugs.webkit.org/show_bug.cgi?id=180297
2829         <rdar://problem/35745556>
2830
2831         Reviewed by Mark Lam.
2832
2833         * runtime/MathObject.cpp:
2834         (JSC::mathProtoFuncATan2):
2835         (JSC::mathProtoFuncMax):
2836         (JSC::mathProtoFuncMin):
2837         (JSC::mathProtoFuncPow):
2838
2839 2017-12-01  Mark Lam  <mark.lam@apple.com>
2840
2841         Let's scramble ClassInfo pointers in cells.
2842         https://bugs.webkit.org/show_bug.cgi?id=180291
2843         <rdar://problem/35807620>
2844
2845         Reviewed by JF Bastien.
2846
2847         * API/JSCallbackObject.h:
2848         * API/JSObjectRef.cpp:
2849         (classInfoPrivate):
2850         * JavaScriptCore.xcodeproj/project.pbxproj:
2851         * Sources.txt:
2852         * assembler/MacroAssemblerCodeRef.cpp:
2853         (JSC::MacroAssemblerCodePtr::initialize): Deleted.
2854         * assembler/MacroAssemblerCodeRef.h:
2855         (JSC::MacroAssemblerCodePtr:: const):
2856         (JSC::MacroAssemblerCodePtr::hash const):
2857         * dfg/DFGSpeculativeJIT.cpp:
2858         (JSC::DFG::SpeculativeJIT::checkArray):
2859         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2860         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2861         * ftl/FTLLowerDFGToB3.cpp:
2862         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2863         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2864         * jit/AssemblyHelpers.h:
2865         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2866         * jit/SpecializedThunkJIT.h:
2867         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2868         * runtime/InitializeThreading.cpp:
2869         (JSC::initializeThreading):
2870         * runtime/JSCScrambledPtr.cpp: Added.
2871         (JSC::initializeScrambledPtrKeys):
2872         * runtime/JSCScrambledPtr.h: Added.
2873         * runtime/JSDestructibleObject.h:
2874         (JSC::JSDestructibleObject::classInfo const):
2875         * runtime/JSSegmentedVariableObject.h:
2876         (JSC::JSSegmentedVariableObject::classInfo const):
2877         * runtime/Structure.h:
2878         * runtime/VM.h:
2879
2880 2017-12-01  Brian Burg  <bburg@apple.com>
2881
2882         Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
2883         https://bugs.webkit.org/show_bug.cgi?id=173662
2884
2885         Reviewed by Joseph Pecoraro.
2886
2887         Adopt new type names. Fix protocol generator to use correct type names.
2888
2889         * inspector/ConsoleMessage.cpp:
2890         (Inspector::ConsoleMessage::addToFrontend):
2891         Improve namings and use 'auto' when the type is obvious and repeated.
2892
2893         * inspector/ContentSearchUtilities.cpp:
2894         (Inspector::ContentSearchUtilities::searchInTextByLines):
2895         * inspector/ContentSearchUtilities.h:
2896         * inspector/InjectedScript.cpp:
2897         (Inspector::InjectedScript::getProperties):
2898         (Inspector::InjectedScript::getDisplayableProperties):
2899         (Inspector::InjectedScript::getInternalProperties):
2900         (Inspector::InjectedScript::getCollectionEntries):
2901         (Inspector::InjectedScript::wrapCallFrames const):
2902         * inspector/InjectedScript.h:
2903         * inspector/InspectorProtocolTypes.h:
2904         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
2905         (Inspector::Protocol::Array::Array): Deleted.
2906         (Inspector::Protocol::Array::openAccessors): Deleted.
2907         (Inspector::Protocol::Array::addItem): Deleted.
2908         (Inspector::Protocol::Array::create): Deleted.
2909         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
2910         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
2911         Move the implementation out of this file.
2912
2913         * inspector/ScriptCallStack.cpp:
2914         (Inspector::ScriptCallStack::buildInspectorArray const):
2915         * inspector/ScriptCallStack.h:
2916         * inspector/agents/InspectorAgent.cpp:
2917         (Inspector::InspectorAgent::activateExtraDomain):
2918         (Inspector::InspectorAgent::activateExtraDomains):
2919         * inspector/agents/InspectorAgent.h:
2920         * inspector/agents/InspectorConsoleAgent.cpp:
2921         (Inspector::InspectorConsoleAgent::getLoggingChannels):
2922         * inspector/agents/InspectorConsoleAgent.h:
2923         * inspector/agents/InspectorDebuggerAgent.cpp:
2924         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2925         (Inspector::InspectorDebuggerAgent::searchInContent):
2926         (Inspector::InspectorDebuggerAgent::currentCallFrames):
2927         * inspector/agents/InspectorDebuggerAgent.h:
2928         * inspector/agents/InspectorRuntimeAgent.cpp:
2929         (Inspector::InspectorRuntimeAgent::getProperties):
2930         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2931         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2932         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2933         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
2934         * inspector/agents/InspectorRuntimeAgent.h:
2935         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2936         (Inspector::buildSamples):
2937         Use more 'auto' and rename a variable.
2938
2939         * inspector/scripts/codegen/cpp_generator.py:
2940         (CppGenerator.cpp_protocol_type_for_type):
2941         Adopt new type names. This exposed a latent bug where we should have been
2942         unwrapping an AliasedType prior to generating a C++ type for it. The aliased
2943         type may be an array, in which case we would have generated the wrong type.
2944
2945         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2946         (_generate_typedefs_for_domain.JSON):
2947         (_generate_typedefs_for_domain.Inspector): Deleted.
2948         * inspector/scripts/codegen/objc_generator.py:
2949         (ObjCGenerator.protocol_type_for_type):
2950         (ObjCGenerator.objc_protocol_export_expression_for_variable):
2951         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2952         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2953         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2954         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2955         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2956         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2957         Rebaseline.
2958
2959         * runtime/TypeSet.cpp:
2960         (JSC::TypeSet::allStructureRepresentations const):
2961         (JSC::StructureShape::inspectorRepresentation):
2962         * runtime/TypeSet.h:
2963
2964 2017-12-01  Saam Barati  <sbarati@apple.com>
2965
2966         Having a bad time needs to handle ArrayClass indexing type as well
2967         https://bugs.webkit.org/show_bug.cgi?id=180274
2968         <rdar://problem/35667869>
2969
2970         Reviewed by Keith Miller and Mark Lam.
2971
2972         We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
2973         Otherwise, we'll end up with the wrong Structure, which will lead us to not
2974         adhere to the spec. The bug was that we were not considering ArrayClass inside 
2975         hasBrokenIndexing. This patch rewrites that function to automatically opt
2976         in non-empty indexing types as broken, instead of having to opt out all
2977         non-empty indexing types besides SlowPutArrayStorage.
2978
2979         * runtime/IndexingType.h:
2980         (JSC::hasSlowPutArrayStorage):
2981         (JSC::shouldUseSlowPut):
2982         * runtime/JSGlobalObject.cpp:
2983         * runtime/JSObject.cpp:
2984         (JSC::JSObject::switchToSlowPutArrayStorage):
2985
2986 2017-12-01  JF Bastien  <jfbastien@apple.com>
2987
2988         WebAssembly: stack trace improvement follow-ups
2989         https://bugs.webkit.org/show_bug.cgi?id=180273
2990
2991         Reviewed by Saam Barati.
2992
2993         * wasm/WasmIndexOrName.cpp:
2994         (JSC::Wasm::makeString):
2995         * wasm/WasmIndexOrName.h:
2996         (JSC::Wasm::IndexOrName::nameSection const):
2997         * wasm/WasmNameSection.h:
2998         (JSC::Wasm::NameSection::NameSection):
2999         (JSC::Wasm::NameSection::get):
3000
3001 2017-12-01  JF Bastien  <jfbastien@apple.com>
3002
3003         WebAssembly: restore cached stack limit after out-call
3004         https://bugs.webkit.org/show_bug.cgi?id=179106
3005         <rdar://problem/35337525>
3006
3007         Reviewed by Saam Barati.
3008
3009         We cache the stack limit on the Instance so that we can do fast
3010         stack checks where required. In regular usage the stack limit
3011         never changes because we always run on the same thread, but in
3012         rare cases an API user can totally migrate which thread (and
3013         therefore stack) is used for execution between WebAssembly
3014         traces. For that reason we set the cached stack limit to
3015         UINTPTR_MAX on the outgoing Instance when transitioning back into
3016         a different Instance. We usually restore the cached stack limit in
3017         Context::store, but this wasn't called on all code paths. We had a
3018         bug where an Instance calling into itself indirectly would
3019         therefore fail to restore its cached stack limit properly.
3020
3021         This patch therefore restores the cached stack limit after direct
3022         calls which could be to imports (both wasm->wasm and
3023         wasm->embedder). We have to do all of them because we have no way
3024         of knowing what imports will do (they're known at instantiation
3025         time, not compilation time, and different instances can have
3026         different imports). To make this efficient we also add a pointer
3027         to the canonical location of the stack limit (i.e. the extra
3028         indirection we're trying to save by caching the stack limit on the
3029         Instance in the first place). This is potentially a small perf hit
3030         on imported direct calls.
3031
3032         It's hard to say what the performance cost will be because we
3033         haven't seen much code in the wild which does this. We're adding
3034         two dependent loads and a store of the loaded value, which is
3035         unlikely to get used soon after. It's more code, but on an
3036         out-of-order processor it doesn't contribute to the critical path.
3037
3038         * wasm/WasmB3IRGenerator.cpp:
3039         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
3040         (JSC::Wasm::B3IRGenerator::addGrowMemory):
3041         (JSC::Wasm::B3IRGenerator::addCall):
3042         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3043         * wasm/WasmInstance.cpp:
3044         (JSC::Wasm::Instance::Instance):
3045         (JSC::Wasm::Instance::create):
3046         * wasm/WasmInstance.h:
3047         (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
3048         (JSC::Wasm::Instance::cachedStackLimit const):
3049         (JSC::Wasm::Instance::setCachedStackLimit):
3050         * wasm/js/JSWebAssemblyInstance.cpp:
3051         (JSC::JSWebAssemblyInstance::create):
3052         * wasm/js/WebAssemblyFunction.cpp:
3053         (JSC::callWebAssemblyFunction):
3054
3055 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3056
3057         [JSC] Use JSFixedArray for op_new_array_buffer
3058         https://bugs.webkit.org/show_bug.cgi?id=180084
3059
3060         Reviewed by Saam Barati.
3061
3062         For op_new_array_buffer, we have a special constant buffer in CodeBlock.
3063         But using JSFixedArray is better because,
3064
3065         1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
3066            If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as a JS constant.
3067
3068         2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
3069            has JSFixedArray, we can just emit a held JSFixedArray.
3070
3071         3. We can reduce length of op_new_array_buffer since JSFixedArray holds this.
3072
3073         4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
3074
3075         5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
3076            DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
3077            will be introduced in [1].
3078
3079         [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
3080
3081         * bytecode/BytecodeDumper.cpp:
3082         (JSC::BytecodeDumper<Block>::dumpBytecode):
3083         * bytecode/BytecodeList.json:
3084         * bytecode/BytecodeUseDef.h:
3085         (JSC::computeUsesForBytecodeOffset):
3086         * bytecode/CodeBlock.cpp:
3087         (JSC::CodeBlock::finishCreation):
3088         * bytecode/CodeBlock.h:
3089         (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
3090         (JSC::CodeBlock::addConstantBuffer): Deleted.
3091         (JSC::CodeBlock::constantBufferAsVector): Deleted.
3092         (JSC::CodeBlock::constantBuffer): Deleted.
3093         * bytecode/UnlinkedCodeBlock.cpp:
3094         (JSC::UnlinkedCodeBlock::shrinkToFit):
3095         * bytecode/UnlinkedCodeBlock.h:
3096         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
3097         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
3098         (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
3099         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
3100         * bytecompiler/BytecodeGenerator.cpp:
3101         (JSC::BytecodeGenerator::emitNewArray):
3102         (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
3103         * bytecompiler/BytecodeGenerator.h:
3104         * dfg/DFGByteCodeParser.cpp:
3105         (JSC::DFG::ByteCodeParser::parseBlock):
3106         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3107         (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
3108         (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
3109         (JSC::DFG::ConstantBufferKey::hash const): Deleted.
3110         (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
3111         (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
3112         (JSC::DFG::ConstantBufferKey::index const): Deleted.
3113         (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
3114         (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
3115         * dfg/DFGClobberize.h:
3116         (JSC::DFG::clobberize):
3117         * dfg/DFGGraph.cpp:
3118         (JSC::DFG::Graph::dump):
3119         * dfg/DFGGraph.h:
3120         * dfg/DFGNode.h:
3121         (JSC::DFG::Node::hasNewArrayBufferData):
3122         (JSC::DFG::Node::newArrayBufferData):
3123         (JSC::DFG::Node::hasVectorLengthHint):
3124         (JSC::DFG::Node::vectorLengthHint):
3125         (JSC::DFG::Node::indexingType):
3126         (JSC::DFG::Node::hasCellOperand):
3127         (JSC::DFG::Node::OpInfoWrapper::operator=):
3128         (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
3129         (JSC::DFG::Node::hasConstantBuffer): Deleted.
3130         (JSC::DFG::Node::startConstant): Deleted.
3131         (JSC::DFG::Node::numConstants): Deleted.
3132         * dfg/DFGOperations.cpp:
3133         * dfg/DFGOperations.h:
3134         * dfg/DFGSpeculativeJIT.h:
3135         (JSC::DFG::SpeculativeJIT::callOperation):
3136         * dfg/DFGSpeculativeJIT32_64.cpp:
3137         (JSC::DFG::SpeculativeJIT::compile):
3138         * dfg/DFGSpeculativeJIT64.cpp:
3139         (JSC::DFG::SpeculativeJIT::compile):
3140         * ftl/FTLLowerDFGToB3.cpp:
3141         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
3142         * jit/JIT.cpp:
3143         (JSC::JIT::privateCompileMainPass):
3144         * jit/JIT.h:
3145         * jit/JITOpcodes.cpp:
3146         (JSC::JIT::emit_op_new_array_buffer): Deleted.
3147         * jit/JITOperations.cpp:
3148         * jit/JITOperations.h:
3149         * llint/LLIntSlowPaths.cpp:
3150         * llint/LLIntSlowPaths.h:
3151         * llint/LowLevelInterpreter.asm:
3152         * runtime/CommonSlowPaths.cpp:
3153         (JSC::SLOW_PATH_DECL):
3154         * runtime/CommonSlowPaths.h:
3155         * runtime/JSFixedArray.cpp:
3156         (JSC::JSFixedArray::dumpToStream):
3157         * runtime/JSFixedArray.h:
3158         (JSC::JSFixedArray::create):
3159         (JSC::JSFixedArray::get const):
3160         (JSC::JSFixedArray::set):
3161         (JSC::JSFixedArray::buffer const):
3162         (JSC::JSFixedArray::values const):
3163         (JSC::JSFixedArray::length const):
3164         (JSC::JSFixedArray::get): Deleted.
3165
3166 2017-11-30  JF Bastien  <jfbastien@apple.com>
3167
3168         WebAssembly: improve stack trace
3169         https://bugs.webkit.org/show_bug.cgi?id=179343
3170
3171         Reviewed by Saam Barati.
3172
3173         Stack traces now include:
3174
3175           - Module name, if provided by the name section.
3176           - Module SHA1 hash if no name was provided.
3177           - Stub identification, to differentiate from user code.
3178           - Slightly different naming to match design from:
3179               https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
3180
3181         * interpreter/StackVisitor.cpp:
3182         (JSC::StackVisitor::Frame::functionName const):
3183         * runtime/StackFrame.cpp:
3184         (JSC::StackFrame::functionName const):
3185         (JSC::StackFrame::visitChildren):
3186         * wasm/WasmIndexOrName.cpp:
3187         (JSC::Wasm::IndexOrName::IndexOrName):
3188         (JSC::Wasm::makeString):
3189         * wasm/WasmIndexOrName.h:
3190         (JSC::Wasm::IndexOrName::nameSection const):
3191         * wasm/WasmModuleInformation.cpp:
3192         (JSC::Wasm::ModuleInformation::ModuleInformation):
3193         * wasm/WasmModuleInformation.h:
3194         * wasm/WasmNameSection.h:
3195         (JSC::Wasm::NameSection::NameSection):
3196         (JSC::Wasm::NameSection::get):
3197         * wasm/WasmNameSectionParser.cpp:
3198         (JSC::Wasm::NameSectionParser::parse):
3199
3200 2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>
3201
3202         Make LegacyCustomProtocolManager optional for network process
3203         https://bugs.webkit.org/show_bug.cgi?id=176230
3204
3205         Reviewed by Alex Christensen.
3206
3207         * Configurations/FeatureDefines.xcconfig:
3208
3209 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3210
3211         [JSC] Remove easy toRemove & map.remove() use in OAS phase
3212         https://bugs.webkit.org/show_bug.cgi?id=180208
3213
3214         Reviewed by Mark Lam.
3215
3216         In this patch, we replace Vector<> toRemove & map.remove loop with removeIf,
3217         to optimize this common pattern. This patch only modifies apparent ones.
3218         But we can apply this refactoring further to OAS phase in the future.
3219
3220         One thing we should take care of is that the predicate of removeIf should not touch the
3221         set it is removing from. In this patch, we apply this change to (1) apparently
3222         correct ones and (2) things in the DFG OAS phase since it is very slow.
3223
3224         * b3/B3MoveConstants.cpp:
3225         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3226
3227 2017-11-30  Commit Queue  <commit-queue@webkit.org>
3228
3229         Unreviewed, rolling out r225362.
3230         https://bugs.webkit.org/show_bug.cgi?id=180225
3231
3232         removeIf predicate function can touch remove target set
3233         (Requested by yusukesuzuki on #webkit).
3234
3235         Reverted changeset:
3236
3237         "[JSC] Remove easy toRemove & map.remove() use"
3238         https://bugs.webkit.org/show_bug.cgi?id=180208
3239         https://trac.webkit.org/changeset/225362
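
Added example, not WebKit code, of the hazard behind this rollback and the caveat in the relanded "[JSC] Remove easy toRemove & map.remove() use in OAS phase" entry above: a removeIf predicate that consults the container being shrunk sees different contents than the two-pass toRemove form did. Standard containers stand in for the WTF ones, and the predicate is constructed for illustration.

```cpp
#include <cassert>
#include <cstdio>
#include <set>
#include <vector>

// Added illustration, not WebKit code. The two-pass "collect into toRemove,
// then remove" shape evaluates every predicate against the original contents;
// an in-place removeIf evaluates later predicates against a container that
// earlier removals have already shrunk. The two agree only when the predicate
// does not read the container.

// Constructed predicate that touches the set: drop x when x - 1 is (still) present.
static bool hasPredecessor(const std::set<int>& s, int x)
{
    return s.count(x - 1) != 0;
}

// The two-pass shape the relanded entry replaces.
inline std::set<int> removeViaToRemoveVector(std::set<int> s)
{
    std::vector<int> toRemove;
    for (int x : s) {
        if (hasPredecessor(s, x))
            toRemove.push_back(x);
    }
    for (int x : toRemove)
        s.erase(x);
    return s;
}

// Removal during a single traversal, modelling what a removeIf does. With a
// hash set the traversal order also depends on table layout, so the outcome
// of a container-reading predicate would vary from run to run.
template<typename Pred>
void removeIfInPlace(std::set<int>& s, Pred pred)
{
    for (auto it = s.begin(); it != s.end();) {
        if (pred(*it))
            it = s.erase(it);
        else
            ++it;
    }
}

// The hazardous form: the predicate reads s while removeIfInPlace shrinks it.
inline std::set<int> removeViaRemoveIf(std::set<int> s)
{
    removeIfInPlace(s, [&s](int x) { return hasPredecessor(s, x); });
    return s;
}

// A predicate that depends only on the element is safe in either shape.
inline std::set<int> removeEvensViaRemoveIf(std::set<int> s)
{
    removeIfInPlace(s, [](int x) { return x % 2 == 0; });
    return s;
}

int main()
{
    std::set<int> input = {1, 2, 3, 4};
    std::set<int> twoPass = removeViaToRemoveVector(input); // leaves {1}
    std::set<int> inPlace = removeViaRemoveIf(input);       // leaves {1, 3}
    std::printf("two-pass kept %zu element(s), in-place kept %zu element(s)\n",
        twoPass.size(), inPlace.size());
    return 0;
}
```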
3240
3241 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3242
3243         [JSC] Use AllocatorIfExists for MaterializeNewObject
3244         https://bugs.webkit.org/show_bug.cgi?id=180189
3245
3246         Reviewed by Filip Pizlo.
3247
3248         I don't think anyone guarantees this allocator exists at this phase.
3249         And nullptr allocator just works here. We change AllocatorForMode
3250         to AllocatorIfExists to accept nullptr for allocator.
3251
3252         * ftl/FTLLowerDFGToB3.cpp:
3253         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3254
3255 2017-11-30  Mark Lam  <mark.lam@apple.com>
3256
3257         Let's scramble MacroAssemblerCodePtr values.
3258         https://bugs.webkit.org/show_bug.cgi?id=180169
3259         <rdar://problem/35758340>
3260
3261         Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
3262
3263         1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
3264
3265         2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
3266            template argument type that will be used to cast the result.  This makes the
3267            client code that uses these functions a little less verbose.
3268
3269         3. Change the code base in general to minimize passing void* code pointers around.
3270            We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
3271            at the last moment when we need the underlying code pointer.
3272
3273         4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
3274            default.  I'm leaving them in because they are instrumental in finding bugs
3275            where not all MacroAssemblerCodePtr values were scrambled as expected.
3276            I expect them to be useful in the near future as we add more scrambling.
3277
3278         5. Also disable the casting operator on MacroAssemblerCodePtr (except for
3279            explicit casts to a boolean).  This ensures that clients will always explicitly
3280            use scrambledBits() or executableAddress() to get a value based on which value
3281            they actually need.
3282
3283         6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
3284            This was helpful when debugging tests that ran multiple VMs concurrently on
3285            different threads.
3286
3287         MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
3288         CLoop).  It is not yet supported on 32-bit and Windows because we don't
3289         currently have a way to read a global variable from their LLInt code.
3290
3291         * assembler/AbstractMacroAssembler.h:
3292         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
3293         (JSC::AbstractMacroAssembler::linkPointer):
3294         * assembler/CodeLocation.h:
3295         (JSC::CodeLocationCommon::instructionAtOffset):
3296         (JSC::CodeLocationCommon::labelAtOffset):
3297         (JSC::CodeLocationCommon::jumpAtOffset):
3298         (JSC::CodeLocationCommon::callAtOffset):
3299         (JSC::CodeLocationCommon::nearCallAtOffset):
3300         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
3301         (JSC::CodeLocationCommon::dataLabel32AtOffset):
3302         (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
3303         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
3304         * assembler/LinkBuffer.cpp:
3305         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3306         * assembler/LinkBuffer.h:
3307         (JSC::LinkBuffer::link):
3308         (JSC::LinkBuffer::patch):
3309         * assembler/MacroAssemblerCodeRef.cpp:
3310         (JSC::MacroAssemblerCodePtr::initialize):
3311         * assembler/MacroAssemblerCodeRef.h:
3312         (JSC::FunctionPtr::FunctionPtr):
3313         (JSC::FunctionPtr::value const):
3314         (JSC::FunctionPtr::executableAddress const):
3315         (JSC::ReturnAddressPtr::ReturnAddressPtr):
3316         (JSC::ReturnAddressPtr::value const):
3317         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3318         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
3319         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
3320         (JSC::MacroAssemblerCodePtr:: const):
3321         (JSC::MacroAssemblerCodePtr::operator! const):
3322         (JSC::MacroAssemblerCodePtr::operator bool const):
3323         (JSC::MacroAssemblerCodePtr::operator== const):
3324         (JSC::MacroAssemblerCodePtr::hash const):
3325         (JSC::MacroAssemblerCodePtr::emptyValue):
3326         (JSC::MacroAssemblerCodePtr::deletedValue):
3327         (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
3328         (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
3329         * b3/B3LowerMacros.cpp:
3330         * b3/testb3.cpp:
3331         (JSC::B3::testInterpreter):
3332         * dfg/DFGDisassembler.cpp:
3333         (JSC::DFG::Disassembler::dumpDisassembly):
3334         * dfg/DFGJITCompiler.cpp:
3335         (JSC::DFG::JITCompiler::link):
3336         (JSC::DFG::JITCompiler::compileFunction):
3337         * dfg/DFGOperations.cpp:
3338         * dfg/DFGSpeculativeJIT.cpp:
3339         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
3340         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3341         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
3342         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
3343         * dfg/DFGSpeculativeJIT.h:
3344         * disassembler/Disassembler.cpp:
3345         (JSC::disassemble):
3346         * disassembler/UDis86Disassembler.cpp:
3347         (JSC::tryToDisassembleWithUDis86):
3348         * ftl/FTLCompile.cpp:
3349         (JSC::FTL::compile):
3350         * ftl/FTLJITCode.cpp:
3351         (JSC::FTL::JITCode::executableAddressAtOffset):
3352         * ftl/FTLLink.cpp:
3353         (JSC::FTL::link):
3354         * ftl/FTLLowerDFGToB3.cpp:
3355         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
3356         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3357         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3358         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3359         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3360         * interpreter/InterpreterInlines.h:
3361         (JSC::Interpreter::getOpcodeID):
3362         * jit/JITArithmetic.cpp:
3363         (JSC::JIT::emitMathICFast):
3364         (JSC::JIT::emitMathICSlow):
3365         * jit/JITCode.cpp:
3366         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):