c54a9bd9b2b088f576c8dfc591837e6f0d3c086a
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-12-16  Keith Miller  <keith_miller@apple.com>

        Indexing should only be computed when the new structure has an indexing header.
        https://bugs.webkit.org/show_bug.cgi?id=180895

        Reviewed by Saam Barati.

        If we don't have an indexing header then we point the butterfly
        sizeof(IndexingHeader) past the end of the butterfly. This makes
        the computation of the offset simpler since it doesn't depend on
        the indexing headeriness of the butterfly.

        * jit/JITOperations.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):

2017-12-15  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r225941.

        This change introduced LayoutTest crashes and assertion
        failures.

        Reverted changeset:

        "Web Inspector: replace HTMLCanvasElement with
        CanvasRenderingContext for instrumentation logic"
        https://bugs.webkit.org/show_bug.cgi?id=180770
        https://trac.webkit.org/changeset/225941

2017-12-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, 32bit JSEmpty is not nullptr + CellTag
        https://bugs.webkit.org/show_bug.cgi?id=180804

        Add 32bit path for WeakMapGet.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):

2017-12-14  Saam Barati  <sbarati@apple.com>

        The CleanUp after LICM is erroneously removing a Check
        https://bugs.webkit.org/show_bug.cgi?id=180852
        <rdar://problem/36063494>

        Reviewed by Filip Pizlo.

        There was a bug where CleanUp phase relied on isProved() bits and LICM
        changed them in an invalid way. The bug is as follows:

        We have two loops, L1 and L2, and two preheaders, P1 and P2. L2 is nested
        inside of L1. We have a Check inside a node inside L1, say in basic block BB,
        and that Check dominates all of L2. This is also a hoisting candidate, so we
        hoist it outside of L1 and put it inside P1. Then, when we run AI, we look at
        the preheader for each loop inside L1, so P1 and P2. When considering P2,
        we execute the Check. Inside P2, before any hoisting is done, this Check
        is dead code, because BB dominates P2. When we use AI to "execute" the
        Check, it'll set its proof status to proved. This is because inside P2,
        in the program before LICM runs, the Check is indeed proven at P2. But
        it is not proven inside P1. This "execute" call will set our proof status
        for the node inside *P1*, hence, we crash.

        The fix here is to make LICM precise when updating the ProofStatus of an edge.
        It can trust the AI state at the preheader it hoists the node to, but it can't
        trust the state when executing effects inside inner loops' preheaders.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2017-12-14  David Kilzer  <ddkilzer@apple.com>

        Enable -Wstrict-prototypes for WebKit
        <https://webkit.org/b/180757>
        <rdar://problem/36024132>

        Rubber-stamped by Joseph Pecoraro.

        * API/tests/CompareAndSwapTest.h:
        (testCompareAndSwap): Add 'void' to C function declaration.
        * API/tests/ExecutionTimeLimitTest.h:
        (testExecutionTimeLimit): Ditto.
        * API/tests/FunctionOverridesTest.h:
        (testFunctionOverrides): Ditto.
        * API/tests/GlobalContextWithFinalizerTest.h:
        (testGlobalContextWithFinalizer): Ditto.
        * API/tests/JSONParseTest.h:
        (testJSONParse): Ditto.
        * API/tests/MultithreadedMultiVMExecutionTest.h:
        (startMultithreadedMultiVMExecutionTest): Ditto.
        (finalizeMultithreadedMultiVMExecutionTest): Ditto.
        * API/tests/PingPongStackOverflowTest.h:
        (testPingPongStackOverflow): Ditto.
        * Configurations/Base.xcconfig:
        (CLANG_WARN_STRICT_PROTOTYPES): Add. Set to YES.

2017-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Reduce register pressure of WeakMapGet to be used for 32bit
        https://bugs.webkit.org/show_bug.cgi?id=180804

        Reviewed by Saam Barati.

        This fixes 32bit failures of JSC by reducing register pressure of WeakMapGet.

        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::lockedCount const):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):

2017-12-14  Keith Miller  <keith_miller@apple.com>

        Unreviewed, forgot to add { }

        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):

2017-12-14  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
        https://bugs.webkit.org/show_bug.cgi?id=180770

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:

2017-12-14  Keith Miller  <keith_miller@apple.com>

        Fix assertion in JSObject's structure setting methods
        https://bugs.webkit.org/show_bug.cgi?id=180840

        Reviewed by Mark Lam.

        I forgot that when Typed Arrays have non-indexed properties
        added to them, they call the generic code. The generic code
        in turn calls the regular structure setting methods. Thus,
        these assertions were invalid and we should just avoid setting
        the indexing mask if we have a Typed Array.

        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):

2017-12-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r225695): Repro crash on yahoo login page
        https://bugs.webkit.org/show_bug.cgi?id=180761

        Reviewed by JF Bastien.

        Relanding r225695 with a fix.

        The fix is that we need to save the return address for a parentheses in
        the ParenContext because it is actually used by any immediately contained
        alternatives.

        Also did a little refactoring, changing occurrences of PatternContext to
        ParenContext since that is the name of the structure.

        * runtime/RegExp.cpp:
        (JSC::byteCodeCompilePattern):
        (JSC::RegExp::byteCodeCompileIfNecessary):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExp.h:
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * testRegExp.cpp:
        (parseRegExpLine):
        (runFromFiles):
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::dumpDisjunction):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
        (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
        (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
        (JSC::Yarr::YarrGenerator::initParenContextFreeList):
        (JSC::Yarr::YarrGenerator::allocateParenContext):
        (JSC::Yarr::YarrGenerator::freeParenContext):
        (JSC::Yarr::YarrGenerator::saveParenContext):
        (JSC::Yarr::YarrGenerator::restoreParenContext):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::storeToFrame):
        (JSC::Yarr::YarrGenerator::generateJITFailReturn):
        (JSC::Yarr::YarrGenerator::clearMatches):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::indentForNestingLevel):
        (JSC::Yarr::dumpUChar32):
        (JSC::Yarr::dumpCharacterClass):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::YarrPattern::dumpPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternTerm::containsAnyCaptures):
        (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
        (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
        (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
        (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
        (JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex):
        (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.

2017-12-13  Keith Miller  <keith_miller@apple.com>

        JSObjects should have a mask for loading indexed properties
        https://bugs.webkit.org/show_bug.cgi?id=180768

        Reviewed by Mark Lam.

        This patch adds a new member to JSObject that holds an indexing
        mask.  The indexing mask is bitwise anded with the index used to
        load a property.  If for whatever reason an attacker is able to
        clobber the vectorLength of our butterfly they still won't be able
        to read substantially past the end of the butterfly. For
        performance reasons we don't use the indexing masking for
        TypedArrays. Since TypedArrays are already gigacaged the risk of
        wild reads is still restricted.

        This patch is a <1% regression on Speedometer and ~3% regression
        on JetStream in my testing.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::urshiftPtr):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::baseIndex):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
        (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        (JSC::AssemblyHelpers::storeButterfly): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::availableVectorLength):
        * runtime/Butterfly.h:
        (JSC::ContiguousData::ContiguousData):
        (JSC::ContiguousData::at const):
        (JSC::ContiguousData::at):
        (JSC::Butterfly::publicLength const):
        (JSC::Butterfly::vectorLength const):
        (JSC::Butterfly::computeIndexingMaskForVectorLength):
        (JSC::Butterfly::computeIndexingMask):
        (JSC::Butterfly::contiguousInt32):
        (JSC::ContiguousData::operator[] const): Deleted.
        (JSC::ContiguousData::operator[]): Deleted.
        (JSC::Butterfly::publicLength): Deleted.
        (JSC::Butterfly::vectorLength): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::ContiguousData<T>::at const):
        (JSC::ContiguousData<T>::at):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::fastSlice):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSFixedArray.h:
        (JSC::JSFixedArray::createFromArray):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::createInitialForValueAndSet):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::countElements):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::getEnumerableLength):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::butterflyIndexingMaskOffset):
        (JSC::JSObject::butterflyIndexingMask const):
        (JSC::JSObject::setButterflyWithIndexingMask):
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):
        (JSC::JSObject::JSObject):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

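An added, constructed illustration of the mitigation the entry above describes (example code, not JSC's own): a toy object model in which the indexing mask is derived from vectorLength when the butterfly is installed and every fast-path index is ANDed with it. The mask formula, the Butterfly/JSObjectModel structs and the slot helpers are assumptions made for this demonstration; the real computation is in Butterfly::computeIndexingMaskForVectorLength.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumption for this example: the mask is the smallest all-ones value
// (2^k - 1) that is >= vectorLength. Not a copy of JSC's implementation.
static uint32_t computeIndexingMaskForVectorLength(uint32_t vectorLength)
{
    uint32_t mask = 0;
    while (mask < vectorLength)
        mask = (mask << 1) | 1;
    return mask;
}

// Simplified IndexingHeader plus element slots (constructed, not JSC's layout).
struct Butterfly {
    uint32_t publicLength;       // elements visible to script
    uint32_t vectorLength;       // allocated element slots
    std::vector<uint64_t> slots; // sized to vectorLength at allocation
};

struct JSObjectModel {
    Butterfly butterfly;
    uint32_t butterflyIndexingMask; // stored in the object, not in the butterfly
};

// Stand-in for setButterflyWithIndexingMask: the mask is fixed when the
// butterfly is installed, so a later overwrite of vectorLength cannot widen it.
static JSObjectModel makeObject(uint32_t vectorLength)
{
    JSObjectModel o;
    o.butterfly.publicLength = vectorLength;
    o.butterfly.vectorLength = vectorLength;
    o.butterfly.slots.assign(vectorLength, 0);
    o.butterflyIndexingMask = computeIndexingMaskForVectorLength(vectorLength);
    return o;
}

// Pre-patch fast path: the only guard is the vectorLength comparison.
// Returns the slot the load would touch, or -1 when the guard takes the slow path.
static int64_t unmaskedSlot(const JSObjectModel& o, uint32_t index)
{
    if (index >= o.butterfly.vectorLength)
        return -1;
    return index;
}

// Patched fast path: same guard, but the index is ANDed with the mask before
// it reaches memory, so the reachable slot range is bounded by the mask.
static int64_t maskedSlot(const JSObjectModel& o, uint32_t index)
{
    if (index >= o.butterfly.vectorLength)
        return -1;
    return static_cast<int64_t>(index & o.butterflyIndexingMask);
}

// Worst case a masked load can still reach beyond the last legitimate slot:
// mask - (vectorLength - 1) slots, which is always less than vectorLength.
static uint32_t maxMaskedOverread(uint32_t vectorLength)
{
    if (!vectorLength)
        return 0;
    return computeIndexingMaskForVectorLength(vectorLength) - (vectorLength - 1);
}

// Builds an object, simulates a corrupted header (vectorLength overwritten with
// the maximum value) and reports which slot each fast path would touch.
static int64_t slotAfterCorruption(uint32_t vectorLength, uint32_t index, bool masked)
{
    JSObjectModel o = makeObject(vectorLength);
    o.butterfly.vectorLength = 0xFFFFFFFFu; // simulated corruption
    return masked ? maskedSlot(o, index) : unmaskedSlot(o, index);
}

int main()
{
    const uint32_t wildIndex = 0x100008u;
    std::printf("mask=0x%x unmasked=%lld masked=%lld maxOverread=%u\n",
        computeIndexingMaskForVectorLength(8),
        static_cast<long long>(slotAfterCorruption(8, wildIndex, false)),
        static_cast<long long>(slotAfterCorruption(8, wildIndex, true)),
        maxMaskedOverread(8));
    return 0;
}
```

With eight allocated slots the mask is 0xF, so even after the header is corrupted a load at index 0x100008 lands on slot 8 instead of slot 1048584.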
399 2017-12-14  David Kilzer  <ddkilzer@apple.com>
400
401         REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project
402
403         Fixes the following warning during builds:
404
405             Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h
406
407         * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate
408         entries for JSCPoisonedPtr.h.
409
410 2017-12-14  David Kilzer  <ddkilzer@apple.com>
411
412         REGRESSION (r225887): Build broke due to missing includes in InferredValue.h
413         <https://bugs.webkit.org/show_bug.cgi?id=180738>
414
415         * runtime/InferredValue.h: Attempt to fix build by adding
416         missing #include statements.
417
418 2017-12-13  Filip Pizlo  <fpizlo@apple.com>
419
420         Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement
421         https://bugs.webkit.org/show_bug.cgi?id=180783
422
423         Reviewed by Saam Barati.
424         
425         This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case:
426         
427             BB#1:
428                 a: Load(@x)
429                 b: Load(@x)
430                 c: Load(@b)
431             BB#2:
432                 d: Load(@b)
433             BB#3:
434                 e: Load(@b)
435         
436         Lets assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant
437         with both @c and @e. The problem is that by the time we get to @d, the CSE state will look like
438         this:
439
440             BB#1:
441                 a: Load(@x)
442                 b: Load(@x)
443                 c: Load(@a)
444                 memoryAtTail: {@x=>@a, @a=>@c}
445             BB#2:
446                 d: Load(@a) [sic]
447                 memoryAtTail: {@b=>@d}
448             BB#3:
449                 e: Load(@b)
450                 memoryAtTail: {@b=>@e} [sic]
451         
452         Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a.
453         But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail
454         map, we don't find it and leave the redundancy.
455         
456         I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford
457         this. It fixes the richards regression, since richards is super dependent on B3 CSE.
458
459         * b3/B3EliminateCommonSubexpressions.cpp: Logging.
460         * b3/B3Generate.cpp:
461         (JSC::B3::generateToAir): Fix the bug.
462         * b3/air/AirReportUsedRegisters.cpp:
463         (JSC::B3::Air::reportUsedRegisters): Logging.
464         * dfg/DFGByteCodeParser.cpp:
465         * dfg/DFGSSAConversionPhase.cpp:
466         (JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
467         * ftl/FTLLowerDFGToB3.cpp:
468         (JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
469
470 2017-12-13  Joseph Pecoraro  <pecoraro@apple.com>
471
472         REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources
473         https://bugs.webkit.org/show_bug.cgi?id=180787
474         <rdar://problem/35934838>
475
476         Reviewed by Brian Burg.
477
478         * inspector/ContentSearchUtilities.cpp:
479         (Inspector::ContentSearchUtilities::findMagicComment):
480         For empty / null strings just return. There is no use
481         trying to search them for a long common syntax.
482
483 2017-12-13  Saam Barati  <sbarati@apple.com>
484
485         Arrow functions need their own structure because they have different properties than sloppy functions
486         https://bugs.webkit.org/show_bug.cgi?id=180779
487         <rdar://problem/35814591>
488
489         Reviewed by Mark Lam.
490
491         We were using the same structure for sloppy functions and
492         arrow functions. This broke our IC caching machinery because
493         these two types of functions actually have different properties.
494         This patch gives them different structures.
495
496         * dfg/DFGAbstractInterpreterInlines.h:
497         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
498         * dfg/DFGSpeculativeJIT.cpp:
499         (JSC::DFG::SpeculativeJIT::compileNewFunction):
500         * ftl/FTLLowerDFGToB3.cpp:
501         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
502         * runtime/FunctionConstructor.cpp:
503         (JSC::constructFunctionSkippingEvalEnabledCheck):
504         * runtime/JSFunction.cpp:
505         (JSC::JSFunction::selectStructureForNewFuncExp):
506         (JSC::JSFunction::create):
507         * runtime/JSFunction.h:
508         * runtime/JSFunctionInlines.h:
509         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
510         * runtime/JSGlobalObject.cpp:
511         (JSC::JSGlobalObject::init):
512         (JSC::JSGlobalObject::visitChildren):
513         * runtime/JSGlobalObject.h:
514         (JSC::JSGlobalObject::arrowFunctionStructure const):
515
516 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
517
518         InferredValue should use IsoSubspace
519         https://bugs.webkit.org/show_bug.cgi?id=180738
520
521         Reviewed by Keith Miller.
522         
523         This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of
524         its UnconditionalFinalizer.
525
526         * JavaScriptCore.xcodeproj/project.pbxproj:
527         * heap/Heap.cpp:
528         (JSC::Heap::finalizeUnconditionalFinalizers):
529         * runtime/InferredValue.cpp:
530         (JSC::InferredValue::visitChildren):
531         (JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted.
532         (JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted.
533         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted.
534         * runtime/InferredValue.h:
535         (JSC::InferredValue::subspaceFor):
536         * runtime/InferredValueInlines.h: Added.
537         (JSC::InferredValue::finalizeUnconditionally):
538         * runtime/VM.cpp:
539         (JSC::VM::VM):
540         * runtime/VM.h:
541
542 2017-12-13  Devin Rousso  <webkit@devinrousso.com>
543
544         Web Inspector: add instrumentation for ImageBitmapRenderingContext
545         https://bugs.webkit.org/show_bug.cgi?id=180736
546
547         Reviewed by Joseph Pecoraro.
548
549         * inspector/protocol/Canvas.json:
550         * inspector/scripts/codegen/generator.py:
551
552 2017-12-13  Saam Barati  <sbarati@apple.com>
553
554         Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards
555         https://bugs.webkit.org/show_bug.cgi?id=180771
556
557         Reviewed by JF Bastien.
558
559         * dfg/DFGTypeCheckHoistingPhase.cpp:
560         (JSC::DFG::TypeCheckHoistingPhase::run):
561
562 2017-12-13  Saam Barati  <sbarati@apple.com>
563
564         REGRESSION(r225844): Around 850 new JSC failures on 32-bit
565         https://bugs.webkit.org/show_bug.cgi?id=180764
566
567         Unreviewed. We should only emit CheckStructureOrEmpty on 64 bit platforms.
568
569         * dfg/DFGTypeCheckHoistingPhase.cpp:
570         (JSC::DFG::TypeCheckHoistingPhase::run):
571
572 2017-12-13  Michael Saboff  <msaboff@apple.com>
573
574         Unreviewed rollout of r225695. Caused a crash on yahoo login page.
575
576         That bug tracked in https://bugs.webkit.org/show_bug.cgi?id=180761.
577
578         * runtime/RegExp.cpp:
579         (JSC::RegExp::compile):
580         (JSC::RegExp::compileMatchOnly):
581         (JSC::byteCodeCompilePattern): Deleted.
582         (JSC::RegExp::byteCodeCompileIfNecessary): Deleted.
583         * runtime/RegExp.h:
584         * runtime/RegExpInlines.h:
585         (JSC::RegExp::matchInline):
586         * testRegExp.cpp:
587         (parseRegExpLine):
588         (runFromFiles):
589         * yarr/Yarr.h:
590         * yarr/YarrInterpreter.cpp:
591         (JSC::Yarr::ByteCompiler::compile):
592         (JSC::Yarr::ByteCompiler::dumpDisjunction):
593         (JSC::Yarr::ByteCompiler::emitDisjunction):
594         * yarr/YarrJIT.cpp:
595         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
596         (JSC::Yarr::YarrGenerator::generate):
597         (JSC::Yarr::YarrGenerator::backtrack):
598         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
599         (JSC::Yarr::YarrGenerator::generateEnter):
600         (JSC::Yarr::YarrGenerator::generateReturn):
601         (JSC::Yarr::YarrGenerator::YarrGenerator):
602         (JSC::Yarr::YarrGenerator::compile):
603         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted.
604         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted.
605         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted.
606         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
607         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
608         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
609         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
610         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
611         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
612         (JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
613         (JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
614         (JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
615         (JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
616         (JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
617         (JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
618         (JSC::Yarr::YarrGenerator::clearMatches): Deleted.
619         * yarr/YarrJIT.h:
620         (JSC::Yarr::YarrCodeBlock::execute):
621         * yarr/YarrPattern.cpp:
622         (JSC::Yarr::indentForNestingLevel):
623         (JSC::Yarr::dumpUChar32):
624         (JSC::Yarr::PatternTerm::dump):
625         (JSC::Yarr::YarrPattern::dumpPattern):
626         (JSC::Yarr::dumpCharacterClass): Deleted.
627         * yarr/YarrPattern.h:
628         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
629         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
630         (JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
631         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
632         (JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
633         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
634         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
635         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.
636
637 2017-12-13  Mark Lam  <mark.lam@apple.com>
638
639         Fill out some Poisoned APIs, fix some bugs, and add some tests.
640         https://bugs.webkit.org/show_bug.cgi?id=180724
641         <rdar://problem/36006884>
642
643         Reviewed by JF Bastien.
644
645         * runtime/StructureTransitionTable.h:
646
647 2017-12-13  Caio Lima  <ticaiolima@gmail.com>
648
649         [ESNext][BigInt] Breking tests on Debug build and 32-bits due to missing Exception check
650         https://bugs.webkit.org/show_bug.cgi?id=180746
651
652         Reviewed by Saam Barati.
653
654         We have some uncatched exceptions that could happen due to OOM into
655         JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patching is
656         catching such exceptions properly.
657
658         * runtime/JSBigInt.cpp:
659         (JSC::JSBigInt::allocateFor):
660         (JSC::JSBigInt::parseInt):
661         * runtime/JSCJSValue.cpp:
662         (JSC::JSValue::toStringSlowCase const):
663
664 2017-12-13  Saam Barati  <sbarati@apple.com>
665
666         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
667         https://bugs.webkit.org/show_bug.cgi?id=163579
668         <rdar://problem/35455798>
669
670         Reviewed by Mark Lam.
671
672         Some functions in JavaScript do not have the "caller" and "arguments" properties.
673         For example, strict functions do not. When reading our code that dealt with these
674         types of functions, it was simply all wrong. We were doing weird things depending
675         on the method table hook. This patch fixes this by doing what we should've been
676         doing all along: when the JSFunction does not own the "caller"/"arguments" property,
677         it should defer to its base class implementation for the various method table hooks.
678
679         * runtime/JSFunction.cpp:
680         (JSC::JSFunction::put):
681         (JSC::JSFunction::deleteProperty):
682         (JSC::JSFunction::defineOwnProperty):
683
684 2017-12-13  Saam Barati  <sbarati@apple.com>
685
686         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
687         https://bugs.webkit.org/show_bug.cgi?id=180734
688         <rdar://problem/35640547>
689
690         Reviewed by Yusuke Suzuki.
691
692         The |this| value may be TDZ. If type check hoisting phase
693         hoists a CheckStructure to it, it will crash. This patch
694         makes it so we emit CheckStructureOrEmpty for |this|.
695
696         * dfg/DFGTypeCheckHoistingPhase.cpp:
697         (JSC::DFG::TypeCheckHoistingPhase::run):
698
699 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
700
701         [JSC] Optimize Object.assign by single transition acceleration
702         https://bugs.webkit.org/show_bug.cgi?id=180644
703
704         Reviewed by Saam Barati.
705
706         Handling a single transition is critical. Since this get() function is only used
707         in Structure.cpp's 2 functions and it is quite small, we can annotate it `inline`
708         to accelerate it.
709
710         This improves SixSpeed/object-assign.es6 by 2.8%.
711
712                                     baseline                  patched
713
714         object-assign.es6      382.3548+-8.0461          371.6496+-5.7439          might be 1.0288x faster
715
716         * runtime/Structure.cpp:
717         (JSC::StructureTransitionTable::get const):
718
719 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
720
721         Structure, StructureRareData, and PropertyTable should be in IsoSubspaces
722         https://bugs.webkit.org/show_bug.cgi?id=180732
723
724         Rubber stamped by Mark Lam.
725         
726         We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are
727         scalable enough to support that, so we should do it carefully.
728
729         * heap/MarkedSpace.cpp:
730         * runtime/PropertyMapHashTable.h:
731         * runtime/Structure.h:
732         * runtime/StructureRareData.h:
733         * runtime/VM.cpp:
734         (JSC::VM::VM):
735         * runtime/VM.h:
736
737 2017-12-12  Saam Barati  <sbarati@apple.com>
738
739         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
740         https://bugs.webkit.org/show_bug.cgi?id=180725
741         <rdar://problem/35970511>
742
743         Reviewed by Michael Saboff.
744
745         * dfg/DFGClobberize.h:
746         (JSC::DFG::clobberize):
747         * dfg/DFGPreciseLocalClobberize.h:
748         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
749
750 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
751
752         [JSC] Implement optimized WeakMap and WeakSet
753         https://bugs.webkit.org/show_bug.cgi?id=179929
754
755         Reviewed by Saam Barati.
756
757         This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
758         This is similar to HashMapImpl. But,
759
760         1. WeakMapImpl's bucket is not allocated in the GC heap since WeakMaps
761         do not need to have iterators.
762
763         2. WeakMapImpl's buffer is allocated in the JSValue Gigacage instead
764         of the auxiliary buffer. This is because we would like to allocate the buffer
765         when finalizing GC. At that time, WeakMapImpl prunes dead entries and
766         shrinks it if necessary. However, allocating from the GC heap during
767         finalization is not allowed.
768
769         In particular, (2) is important since it ensures any WeakMap operations
770         do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
771         and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
772         do not cause GC makes our implementation simple. To ensure this, we place
773         DisallowGC for each WeakMap's interface.
774
775         In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
776         WeakMapGet looks up the entry in WeakMapImpl and returns the value. If it is
777         a WeakMap, it returns the value, and it returns the key if it is a WeakSet. If it
778         does not find a corresponding entry, it returns JSEmpty.
779         ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.
780
781         This patch improves WeakMap and WeakSet operations.
782
783                                      baseline                  patched
784
785             weak-set-key        240.6932+-10.4923    ^    148.7606+-6.1784        ^ definitely 1.6180x faster
786             weak-map-key        174.3176+-8.2680     ^    151.7053+-6.8723        ^ definitely 1.1491x faster
787
788         * JavaScriptCore.xcodeproj/project.pbxproj:
789         * Sources.txt:
790         * dfg/DFGAbstractHeap.h:
791         * dfg/DFGAbstractInterpreterInlines.h:
792         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
793         * dfg/DFGByteCodeParser.cpp:
794         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
795         * dfg/DFGClobberize.h:
796         (JSC::DFG::clobberize):
797         * dfg/DFGDoesGC.cpp:
798         (JSC::DFG::doesGC):
799         * dfg/DFGFixupPhase.cpp:
800         (JSC::DFG::FixupPhase::fixupNode):
801         * dfg/DFGNode.h:
802         (JSC::DFG::Node::hasHeapPrediction):
803         * dfg/DFGNodeType.h:
804         * dfg/DFGOperations.cpp:
805         * dfg/DFGOperations.h:
806         * dfg/DFGPredictionPropagationPhase.cpp:
807         * dfg/DFGSafeToExecute.h:
808         (JSC::DFG::safeToExecute):
809         * dfg/DFGSpeculativeJIT.cpp:
810         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
811         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
812         * dfg/DFGSpeculativeJIT.h:
813         * dfg/DFGSpeculativeJIT32_64.cpp:
814         (JSC::DFG::SpeculativeJIT::compile):
815         * dfg/DFGSpeculativeJIT64.cpp:
816         (JSC::DFG::SpeculativeJIT::compile):
817         * ftl/FTLAbstractHeapRepository.h:
818         * ftl/FTLCapabilities.cpp:
819         (JSC::FTL::canCompile):
820         * ftl/FTLLowerDFGToB3.cpp:
821         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
822         (JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
823         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
824         * inspector/JSInjectedScriptHost.cpp:
825         (Inspector::JSInjectedScriptHost::weakMapEntries):
826         (Inspector::JSInjectedScriptHost::weakSetEntries):
827         The existing code is incorrect. It can run GC and break WeakMap's iterator.
828         We introduce a takeSnapshot function in WeakMapImpl, which retrieves live
829         entries without causing any GC.
830
831         * runtime/HashMapImpl.h:
832         (JSC::shouldShrink):
833         (JSC::shouldRehashAfterAdd):
834         (JSC::nextCapacity):
835         (JSC::HashMapImpl::shouldRehashAfterAdd const):
836         (JSC::HashMapImpl::shouldShrink const):
837         (JSC::HashMapImpl::rehash):
838         (JSC::WeakMapHash::hash): Deleted.
839         (JSC::WeakMapHash::equal): Deleted.
840         * runtime/Intrinsic.cpp:
841         (JSC::intrinsicName):
842         * runtime/Intrinsic.h:
843         * runtime/JSWeakMap.cpp:
844         * runtime/JSWeakMap.h:
845         * runtime/JSWeakSet.cpp:
846         * runtime/JSWeakSet.h:
847         * runtime/VM.cpp:
848         * runtime/WeakGCMap.h:
849         (JSC::WeakGCMap::forEach): Deleted.
850         * runtime/WeakMapBase.cpp: Removed.
851         * runtime/WeakMapBase.h: Removed.
852         * runtime/WeakMapConstructor.cpp:
853         (JSC::constructWeakMap):
854         * runtime/WeakMapImpl.cpp: Added.
855         (JSC::WeakMapImpl<WeakMapBucket>::destroy):
856         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
857         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
858         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
859         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
860         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
861         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
862         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
863         * runtime/WeakMapImpl.h: Added.
864         (JSC::jsWeakMapHash):
865         (JSC::nextCapacityAfterRemoveBatching):
866         (JSC::WeakMapBucket::setKey):
867         (JSC::WeakMapBucket::setValue):
868         (JSC::WeakMapBucket::key const):
869         (JSC::WeakMapBucket::value const):
870         (JSC::WeakMapBucket::copyFrom):
871         (JSC::WeakMapBucket::offsetOfKey):
872         (JSC::WeakMapBucket::offsetOfValue):
873         (JSC::WeakMapBucket::extractValue):
874         (JSC::WeakMapBucket::isEmpty):
875         (JSC::WeakMapBucket::deletedKey):
876         (JSC::WeakMapBucket::isDeleted):
877         (JSC::WeakMapBucket::makeDeleted):
878         (JSC::WeakMapBucket::visitAggregate):
879         (JSC::WeakMapBucket::clearValue):
880         (JSC::WeakMapBuffer::allocationSize):
881         (JSC::WeakMapBuffer::buffer const):
882         (JSC::WeakMapBuffer::create):
883         (JSC::WeakMapBuffer::reset):
884         (JSC::WeakMapImpl::WeakMapImpl):
885         (JSC::WeakMapImpl::finishCreation):
886         (JSC::WeakMapImpl::get):
887         (JSC::WeakMapImpl::has):
888         (JSC::WeakMapImpl::add):
889         (JSC::WeakMapImpl::remove):
890         (JSC::WeakMapImpl::size const):
891         (JSC::WeakMapImpl::offsetOfBuffer):
892         (JSC::WeakMapImpl::offsetOfCapacity):
893         (JSC::WeakMapImpl::findBucket):
894         (JSC::WeakMapImpl::buffer const):
895         (JSC::WeakMapImpl::forEach):
896         (JSC::WeakMapImpl::shouldRehashAfterAdd const):
897         (JSC::WeakMapImpl::shouldShrink const):
898         (JSC::WeakMapImpl::canUseBucket):
899         (JSC::WeakMapImpl::addInternal):
900         (JSC::WeakMapImpl::findBucketAlreadyHashed):
901         (JSC::WeakMapImpl::rehash):
902         (JSC::WeakMapImpl::checkConsistency const):
903         (JSC::WeakMapImpl::makeAndSetNewBuffer):
904         (JSC::WeakMapImpl::assertBufferIsEmpty const):
905         (JSC::WeakMapImpl::DeadKeyCleaner::target):
906         * runtime/WeakMapPrototype.cpp:
907         (JSC::WeakMapPrototype::finishCreation):
908         (JSC::protoFuncWeakMapGet):
909         (JSC::protoFuncWeakMapHas):
910         * runtime/WeakSetConstructor.cpp:
911         (JSC::constructWeakSet):
912         * runtime/WeakSetPrototype.cpp:
913         (JSC::WeakSetPrototype::finishCreation):
914         (JSC::protoFuncWeakSetHas):
915         (JSC::protoFuncWeakSetAdd):
916
917 2017-12-11  Filip Pizlo  <fpizlo@apple.com>
918
919         It should be possible to flag a cell for unconditional finalization
920         https://bugs.webkit.org/show_bug.cgi?id=180636
921
922         Reviewed by Saam Barati.
923         
924         UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
925         global linked list - but they had some nice properties:
926         
927         - You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
928           survived and needed it.
929             -> Just needing it wasn't enough.
930             -> Just surviving wasn't enough.
931         
932         The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
933         finalizer logic to be invoked. I think that's not great. InferredType got around this by
934         making InferredStructure a cell, but this was a gross hack. For one, it meant that
935         InferredStructure would survive during the GC in which its finalizer obviated the need for its
936         existence. It's not really an idiom I want us to repeat because it sounds like the sort of
937         thing that turns out to be subtly broken.
938         
939         We really need to have a way of indicating when you have entered into the state that requires
940         your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
941         objects that need unconditional finalizers. Only the subset of that set that overlaps with the
942         set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
943         bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
944         another level to say which atoms within a MarkedBlock have unconditional finalizers.
945         
946         This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
947         IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
948         auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
949         add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
950         you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
951         about 0.8% increase in size to every object in the subspace that the set is attached to. So,
952         it makes sense to have a handful per subspace max. This change only needs one per subspace,
953         but you could imagine more if we do this for WeakReferenceHarvester.
954         
955         To absolutely minimize the possibility that this incurs costs, the add/remove/contains
956         functions can be used from any thread so long as forEachMarkedCell isn't running. This means
957         that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
958         both survive and need it for the hardest work to take place. The work of adding does involve
959         a gnarly load chain that ends in a CAS: load block handle from block, load index, load
960         segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
961         However, it's perfect for running in parallel since the only write operations are to widely
962         dispersed cache lines that contain the bits underlying the set.
963         
964         The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
965         that need unconditional finalizers, and only touches the memory of marked objects that have
966         the unconditional finalizer bit set. It will walk those objects in roughly address order. I
967         previously found that this speeds up walking over a lot of objects when I made similar changes
968         for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a
969         HashSet).
970         
971         This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.
972         
973         My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
974         forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
975         IsoSubspace in more places.
976
977         * JavaScriptCore.xcodeproj/project.pbxproj:
978         * Sources.txt:
979         * heap/AtomIndices.h: Added.
980         (JSC::AtomIndices::AtomIndices):
981         * heap/Heap.cpp:
982         (JSC::Heap::finalizeUnconditionalFinalizers):
983         * heap/Heap.h:
984         * heap/IsoCellSet.cpp: Added.
985         (JSC::IsoCellSet::IsoCellSet):
986         (JSC::IsoCellSet::~IsoCellSet):
987         (JSC::IsoCellSet::addSlow):
988         (JSC::IsoCellSet::didResizeBits):
989         (JSC::IsoCellSet::didRemoveBlock):
990         (JSC::IsoCellSet::sweepToFreeList):
991         * heap/IsoCellSet.h: Added.
992         * heap/IsoCellSetInlines.h: Added.
993         (JSC::IsoCellSet::add):
994         (JSC::IsoCellSet::remove):
995         (JSC::IsoCellSet::contains const):
996         (JSC::IsoCellSet::forEachMarkedCell):
997         * heap/IsoSubspace.cpp:
998         (JSC::IsoSubspace::didResizeBits):
999         (JSC::IsoSubspace::didRemoveBlock):
1000         (JSC::IsoSubspace::didBeginSweepingToFreeList):
1001         * heap/IsoSubspace.h:
1002         * heap/MarkedAllocator.cpp:
1003         (JSC::MarkedAllocator::addBlock):
1004         (JSC::MarkedAllocator::removeBlock):
1005         * heap/MarkedAllocator.h:
1006         * heap/MarkedAllocatorInlines.h:
1007         * heap/MarkedBlock.cpp:
1008         (JSC::MarkedBlock::Handle::sweep):
1009         (JSC::MarkedBlock::Handle::isEmpty): Deleted.
1010         * heap/MarkedBlock.h:
1011         (JSC::MarkedBlock::marks const):
1012         (JSC::MarkedBlock::Handle::newlyAllocated const):
1013         * heap/MarkedBlockInlines.h:
1014         (JSC::MarkedBlock::Handle::isAllocated):
1015         (JSC::MarkedBlock::Handle::isEmpty):
1016         (JSC::MarkedBlock::Handle::emptyMode):
1017         (JSC::MarkedBlock::Handle::forEachMarkedCell):
1018         * heap/Subspace.cpp:
1019         (JSC::Subspace::didResizeBits):
1020         (JSC::Subspace::didRemoveBlock):
1021         (JSC::Subspace::didBeginSweepingToFreeList):
1022         * heap/Subspace.h:
1023         * heap/SubspaceInlines.h:
1024         (JSC::Subspace::forEachMarkedCell):
1025         * runtime/InferredStructure.cpp:
1026         (JSC::InferredStructure::InferredStructure):
1027         (JSC::InferredStructure::create): Deleted.
1028         (JSC::InferredStructure::destroy): Deleted.
1029         (JSC::InferredStructure::createStructure): Deleted.
1030         (JSC::InferredStructure::visitChildren): Deleted.
1031         (JSC::InferredStructure::finalizeUnconditionally): Deleted.
1032         (JSC::InferredStructure::finishCreation): Deleted.
1033         * runtime/InferredStructure.h:
1034         * runtime/InferredStructureWatchpoint.cpp:
1035         (JSC::InferredStructureWatchpoint::fireInternal):
1036         * runtime/InferredType.cpp:
1037         (JSC::InferredType::visitChildren):
1038         (JSC::InferredType::willStoreValueSlow):
1039         (JSC::InferredType::makeTopSlow):
1040         (JSC::InferredType::set):
1041         (JSC::InferredType::removeStructure):
1042         (JSC::InferredType::finalizeUnconditionally):
1043         * runtime/InferredType.h:
1044         * runtime/VM.cpp:
1045         (JSC::VM::VM):
1046         * runtime/VM.h:
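
The two-level bit set the entry describes, as an added illustration that is not WebKit's IsoCellSet code: a block-level vector of "has members" bits over a per-block vector of atom bits, a compare-and-swap on add so that only the bit's own word is written, and a marked-cell walk that skips blocks with no members and visits the rest in address order. The block count (4), atoms per block (64), the CellIndex type and the function names are assumptions; the real set derives block and atom from the cell's address rather than taking them as a pair.

```cpp
// Added example, not WebKit's IsoCellSet: a two-level bit set over a fixed
// arena of equally sized cells, modelled on the structure the entry describes.
// The top level records which blocks contain any flagged cell, the second level
// which atoms within a block are flagged. add() writes only the bit's own word,
// with a compare-and-swap, so concurrent adders cannot lose each other's bits.
// Block count, atoms per block and the CellIndex type are assumptions.
#include <array>
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <vector>

class TwoLevelCellSet {
public:
    static constexpr size_t blockCount = 4;
    static constexpr size_t atomsPerBlock = 64;   // one 64-bit word of atom bits per block

    struct CellIndex { size_t block; size_t atom; };

    // Flags a cell. Returns false, without writing anything, if already flagged.
    bool add(CellIndex cell)
    {
        uint64_t bit = uint64_t(1) << cell.atom;
        std::atomic<uint64_t>& word = m_atomBits[cell.block];
        uint64_t old = word.load(std::memory_order_relaxed);
        do {
            if (old & bit)
                return false;
        } while (!word.compare_exchange_weak(old, old | bit));
        m_blockHasMembers[cell.block].store(true, std::memory_order_release);
        return true;
    }

    // Unflags a cell. The block-level bit stays set: it only means "may contain
    // members", so a stale true costs one extra word read in the walk, never correctness.
    bool remove(CellIndex cell)
    {
        uint64_t bit = uint64_t(1) << cell.atom;
        return m_atomBits[cell.block].fetch_and(~bit) & bit;
    }

    bool contains(CellIndex cell) const
    {
        return m_atomBits[cell.block].load(std::memory_order_acquire) & (uint64_t(1) << cell.atom);
    }

    // Visits every cell that is both marked (per the caller's mark bits) and
    // flagged, block by block and atom by atom, i.e. in address order. Blocks
    // with no flagged cells are skipped without reading their atom bits. Must
    // not run concurrently with add()/remove(). Returns the number visited.
    size_t forEachMarkedCell(const std::array<uint64_t, blockCount>& marks,
                             const std::function<void(CellIndex)>& func) const
    {
        size_t visited = 0;
        for (size_t block = 0; block < blockCount; ++block) {
            if (!m_blockHasMembers[block].load(std::memory_order_acquire))
                continue;
            uint64_t bits = m_atomBits[block].load(std::memory_order_acquire) & marks[block];
            for (; bits; bits &= bits - 1, ++visited)   // clear the lowest set bit each round
                func({block, bitIndex(bits & (~bits + 1))});
        }
        return visited;
    }

private:
    static size_t bitIndex(uint64_t singleBit)   // position of the only set bit
    {
        size_t index = 0;
        while (singleBit >>= 1)
            ++index;
        return index;
    }

    std::array<std::atomic<bool>, blockCount> m_blockHasMembers{};
    std::array<std::atomic<uint64_t>, blockCount> m_atomBits{};
};

// Scenario: flag three cells, mark every atom of block 1 and nothing else, and
// report which atoms the walk visits. Block 3's cell is flagged but unmarked;
// blocks 0 and 2 hold no members and are skipped at the top level.
std::vector<size_t> visitedAtomsWhenOnlyBlock1IsMarked()
{
    TwoLevelCellSet set;
    set.add({1, 3});
    set.add({1, 40});
    set.add({3, 0});
    std::array<uint64_t, TwoLevelCellSet::blockCount> marks{};
    marks[1] = ~uint64_t(0);
    std::vector<size_t> seen;
    set.forEachMarkedCell(marks, [&](TwoLevelCellSet::CellIndex cell) { seen.push_back(cell.atom); });
    return seen;
}

// Membership round trip: add reports new, re-add reports existing, remove clears.
bool addRemoveRoundTrip()
{
    TwoLevelCellSet set;
    TwoLevelCellSet::CellIndex cell{2, 17};
    return set.add(cell) && !set.add(cell) && set.contains(cell) && set.remove(cell) && !set.contains(cell);
}

int main()
{
    for (size_t atom : visitedAtomsWhenOnlyBlock1IsMarked())
        std::printf("visited block 1 atom %zu\n", atom);
    return addRemoveRoundTrip() ? 0 : 1;
}
```

The walk reads one word per non-empty block and then only the atoms whose bits survive the AND with the mark bits, which is the property the entry relies on: the cost scales with the number of flagged, surviving cells rather than with the heap.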
1047
1048 2017-12-12  Saam Barati  <sbarati@apple.com>
1049
1050         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1051         https://bugs.webkit.org/show_bug.cgi?id=180723
1052         <rdar://problem/35859726>
1053
1054         Reviewed by JF Bastien.
1055
1056         * dfg/DFGConstantFoldingPhase.cpp:
1057         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1058
1059 2017-12-04  Brian Burg  <bburg@apple.com>
1060
1061         Web Inspector: modernize InjectedScript a bit
1062         https://bugs.webkit.org/show_bug.cgi?id=180367
1063
1064         Reviewed by Timothy Hatcher.
1065
1066         Stop using out parameters passed by pointer, use references instead.
1067         Stop using OptOutput<T> in favor of std::optional where possible.
1068         If there is only one out-parameter and a void return type, then return the value.
1069
1070         * inspector/InjectedScript.h:
1071         * inspector/InjectedScript.cpp:
1072         (Inspector::InjectedScript::evaluate):
1073         (Inspector::InjectedScript::callFunctionOn):
1074         (Inspector::InjectedScript::evaluateOnCallFrame):
1075         (Inspector::InjectedScript::getFunctionDetails):
1076         (Inspector::InjectedScript::functionDetails):
1077         (Inspector::InjectedScript::getPreview):
1078         (Inspector::InjectedScript::getProperties):
1079         (Inspector::InjectedScript::getDisplayableProperties):
1080         (Inspector::InjectedScript::getInternalProperties):
1081         (Inspector::InjectedScript::getCollectionEntries):
1082         (Inspector::InjectedScript::saveResult):
1083         (Inspector::InjectedScript::setExceptionValue):
1084         (Inspector::InjectedScript::clearExceptionValue):
1085         (Inspector::InjectedScript::inspectObject):
1086         (Inspector::InjectedScript::releaseObject):
1087
1088         * inspector/InjectedScriptBase.h:
1089         * inspector/InjectedScriptBase.cpp:
1090         (Inspector::InjectedScriptBase::InjectedScriptBase):
1091         Declare m_environment with a default initializer.
1092
1093         (Inspector::InjectedScriptBase::makeCall):
1094         (Inspector::InjectedScriptBase::makeEvalCall):
1095         Just return the result, no need for an out-parameter.
1096         Rearrange some code paths now that we can just return a result.
1097         Return a Ref<JSON::Value> since it is either a result value or error value.
1098         Use out_ prefixes in a few places to improve readability.
1099
1100         * inspector/agents/InspectorDebuggerAgent.cpp:
1101         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1102         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1103         * inspector/agents/InspectorHeapAgent.cpp:
1104         (Inspector::InspectorHeapAgent::getPreview):
1105         * inspector/agents/InspectorRuntimeAgent.cpp:
1106         (Inspector::InspectorRuntimeAgent::evaluate):
1107         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1108         (Inspector::InspectorRuntimeAgent::getPreview):
1109         (Inspector::InspectorRuntimeAgent::getProperties):
1110         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1111         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1112         (Inspector::InspectorRuntimeAgent::saveResult):
1113         Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
1114         and std::optional until the former is removed from generated method signatures.
1115
1116 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1117
1118         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1119         https://bugs.webkit.org/show_bug.cgi?id=179000
1120
1121         Reviewed by Darin Adler and Yusuke Suzuki.
1122
1123         This patch starts the implementation of the BigInt primitive in
1124         JavaScriptCore. We are introducing the BigInt primitive and
1125         implementing it in JSBigInt as a subclass of JSCell, with the [[BigIntData]]
1126         field laid out contiguously in memory as inline storage of JSBigInt to
1127         take advantage of cache locality for performance. The
1128         implementation allows 64-bit or 32-bit arithmetic operations.
1129         JSBigInt also has m_sign to store the sign of [[BigIntData]] and
1130         m_length that keeps track of the BigInt length.
1131         The implementation follows the V8 one. [[BigIntData]] is manipulated
1132         by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
1133         We also have some operations to support arithmetic over digits.
1134
1135         It is important to notice that in our representation,
1136         JSBigInt::dataStorage()[0] represents the least significant digit and
1137         JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.
1138
1139         We are also introducing in this patch the lexer and syntax parsing support
1140         for BigInt literals. The Strict Equals operation on BigInts is also being
1141         implemented to enable tests.
1142         These features are being implemented behind a runtime flag "--useBigInt" and
1143         are disabled by default.
1144
1145         * JavaScriptCore.xcodeproj/project.pbxproj:
1146         * Sources.txt:
1147         * bytecode/CodeBlock.cpp:
1148         * bytecompiler/BytecodeGenerator.cpp:
1149         (JSC::BytecodeGenerator::emitEqualityOp):
1150         (JSC::BytecodeGenerator::addBigIntConstant):
1151         * bytecompiler/BytecodeGenerator.h:
1152         (JSC::BytecodeGenerator::BigIntEntryHash::hash):
1153         (JSC::BytecodeGenerator::BigIntEntryHash::equal):
1154         * bytecompiler/NodesCodegen.cpp:
1155         (JSC::BigIntNode::jsValue const):
1156         * dfg/DFGAbstractInterpreterInlines.h:
1157         (JSC::DFG::isToThisAnIdentity):
1158         * interpreter/Interpreter.cpp:
1159         (JSC::sizeOfVarargs):
1160         * llint/LLIntData.cpp:
1161         (JSC::LLInt::Data::performAssertions):
1162         * llint/LowLevelInterpreter.asm:
1163         * parser/ASTBuilder.h:
1164         (JSC::ASTBuilder::createBigInt):
1165         * parser/Lexer.cpp:
1166         (JSC::Lexer<T>::parseBinary):
1167         (JSC::Lexer<T>::parseOctal):
1168         (JSC::Lexer<T>::parseDecimal):
1169         (JSC::Lexer<T>::lex):
1170         (JSC::Lexer<T>::parseHex): Deleted.
1171         * parser/Lexer.h:
1172         * parser/NodeConstructors.h:
1173         (JSC::BigIntNode::BigIntNode):
1174         * parser/Nodes.h:
1175         (JSC::ExpressionNode::isBigInt const):
1176         (JSC::BigIntNode::value):
1177         * parser/Parser.cpp:
1178         (JSC::Parser<LexerType>::parsePrimaryExpression):
1179         * parser/ParserTokens.h:
1180         * parser/ResultType.h:
1181         (JSC::ResultType::definitelyIsBigInt const):
1182         (JSC::ResultType::mightBeBigInt const):
1183         (JSC::ResultType::isNotBigInt const):
1184         (JSC::ResultType::addResultType):
1185         (JSC::ResultType::bigIntType):
1186         (JSC::ResultType::forAdd):
1187         (JSC::ResultType::forLogicalOp):
1188         * parser/SyntaxChecker.h:
1189         (JSC::SyntaxChecker::createBigInt):
1190         * runtime/CommonIdentifiers.h:
1191         * runtime/JSBigInt.cpp: Added.
1192         (JSC::JSBigInt::visitChildren):
1193         (JSC::JSBigInt::JSBigInt):
1194         (JSC::JSBigInt::initialize):
1195         (JSC::JSBigInt::createStructure):
1196         (JSC::JSBigInt::createZero):
1197         (JSC::JSBigInt::allocationSize):
1198         (JSC::JSBigInt::createWithLength):
1199         (JSC::JSBigInt::finishCreation):
1200         (JSC::JSBigInt::toPrimitive const):
1201         (JSC::JSBigInt::singleDigitValueForString):
1202         (JSC::JSBigInt::parseInt):
1203         (JSC::JSBigInt::toString):
1204         (JSC::JSBigInt::isZero):
1205         (JSC::JSBigInt::inplaceMultiplyAdd):
1206         (JSC::JSBigInt::digitAdd):
1207         (JSC::JSBigInt::digitSub):
1208         (JSC::JSBigInt::digitMul):
1209         (JSC::JSBigInt::digitPow):
1210         (JSC::JSBigInt::digitDiv):
1211         (JSC::JSBigInt::internalMultiplyAdd):
1212         (JSC::JSBigInt::equalToBigInt):
1213         (JSC::JSBigInt::absoluteDivSmall):
1214         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1215         (JSC::JSBigInt::toStringGeneric):
1216         (JSC::JSBigInt::rightTrim):
1217         (JSC::JSBigInt::allocateFor):
1218         (JSC::JSBigInt::estimatedSize):
1219         (JSC::JSBigInt::toNumber const):
1220         (JSC::JSBigInt::getPrimitiveNumber const):
1221         * runtime/JSBigInt.h: Added.
1222         (JSC::JSBigInt::setSign):
1223         (JSC::JSBigInt::sign const):
1224         (JSC::JSBigInt::setLength):
1225         (JSC::JSBigInt::length const):
1226         (JSC::JSBigInt::parseInt):
1227         (JSC::JSBigInt::offsetOfData):
1228         (JSC::JSBigInt::dataStorage):
1229         (JSC::JSBigInt::digit):
1230         (JSC::JSBigInt::setDigit):
1231         (JSC::asBigInt):
1232         * runtime/JSCJSValue.cpp:
1233         (JSC::JSValue::synthesizePrototype const):
1234         (JSC::JSValue::toStringSlowCase const):
1235         * runtime/JSCJSValue.h:
1236         * runtime/JSCJSValueInlines.h:
1237         (JSC::JSValue::isBigInt const):
1238         (JSC::JSValue::strictEqualSlowCaseInline):
1239         * runtime/JSCell.cpp:
1240         (JSC::JSCell::put):
1241         (JSC::JSCell::putByIndex):
1242         (JSC::JSCell::toPrimitive const):
1243         (JSC::JSCell::getPrimitiveNumber const):
1244         (JSC::JSCell::toNumber const):
1245         (JSC::JSCell::toObjectSlow const):
1246         * runtime/JSCell.h:
1247         * runtime/JSCellInlines.h:
1248         (JSC::JSCell::isBigInt const):
1249         * runtime/JSType.h:
1250         * runtime/MathCommon.h:
1251         (JSC::clz64):
1252         * runtime/NumberPrototype.cpp:
1253         * runtime/Operations.cpp:
1254         (JSC::jsTypeStringForValue):
1255         (JSC::jsIsObjectTypeOrNull):
1256         * runtime/Options.h:
1257         * runtime/ParseInt.h:
1258         * runtime/SmallStrings.h:
1259         (JSC::SmallStrings::typeString const):
1260         * runtime/StructureInlines.h:
1261         (JSC::prototypeForLookupPrimitiveImpl):
1262         * runtime/TypeofType.cpp:
1263         (WTF::printInternal):
1264         * runtime/TypeofType.h:
1265         * runtime/VM.cpp:
1266         (JSC::VM::VM):
1267         * runtime/VM.h:
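
The digit layout the entry describes (least significant digit at index 0, arithmetic built from per-digit primitives), as an added example that is not JSBigInt code: a magnitude-only bigint with 32-bit digits (an assumption chosen so that a digit multiply-add fits in a 64-bit intermediate; the entry allows 64- or 32-bit digits) whose inplaceMultiplyAdd and absoluteDivSmall are the two primitives a decimal parseInt and toString are built from. The class and method names are assumptions, and the real implementation additionally tracks a sign.

```cpp
// Added example, not JavaScriptCore code: a minimal magnitude-only big integer
// using the layout convention the entry describes, digits stored least
// significant first so digit(0) is the lowest-order limb. 32-bit digits are an
// assumption made so a digit multiply-add fits in a 64-bit intermediate; the
// two primitives below are the ones a decimal parser and toString need.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

class SimpleBigInt {
public:
    using Digit = uint32_t;
    using DoubleDigit = uint64_t;
    static constexpr unsigned digitBits = 32;

    size_t length() const { return m_digits.size(); }
    Digit digit(size_t index) const { return m_digits.at(index); }
    void setDigit(size_t index, Digit value) { m_digits.at(index) = value; }
    bool isZero() const { return m_digits.empty(); }   // canonical zero has no digits

    // this = this * multiplier + summand, carrying upward from the least
    // significant digit. A decimal parser calls this once per input character.
    void inplaceMultiplyAdd(Digit multiplier, Digit summand)
    {
        DoubleDigit carry = summand;
        for (size_t i = 0; i < m_digits.size(); ++i) {
            DoubleDigit product = static_cast<DoubleDigit>(m_digits[i]) * multiplier + carry;
            m_digits[i] = static_cast<Digit>(product);   // low half stays in place
            carry = product >> digitBits;                // high half moves up
        }
        if (carry)
            m_digits.push_back(static_cast<Digit>(carry));
    }

    // this /= divisor (a single digit), walking from the most significant digit
    // down, and returns the remainder. toString calls this repeatedly.
    Digit absoluteDivSmall(Digit divisor)
    {
        if (!divisor)
            throw std::invalid_argument("division by zero");
        DoubleDigit remainder = 0;
        for (size_t i = m_digits.size(); i-- > 0;) {
            DoubleDigit current = (remainder << digitBits) | m_digits[i];
            m_digits[i] = static_cast<Digit>(current / divisor);
            remainder = current % divisor;
        }
        rightTrim();
        return static_cast<Digit>(remainder);
    }

    // Drops high zero digits so length() always counts significant digits only.
    void rightTrim()
    {
        while (!m_digits.empty() && !m_digits.back())
            m_digits.pop_back();
    }

    static SimpleBigInt parseDecimal(const std::string& text)
    {
        if (text.empty())
            throw std::invalid_argument("empty literal");
        SimpleBigInt result;
        for (char c : text) {
            if (c < '0' || c > '9')
                throw std::invalid_argument("non-decimal character in literal");
            result.inplaceMultiplyAdd(10, static_cast<Digit>(c - '0'));
        }
        result.rightTrim();
        return result;
    }

    std::string toDecimalString() const
    {
        if (isZero())
            return "0";
        SimpleBigInt scratch = *this;
        std::string reversed;
        while (!scratch.isZero())
            reversed.push_back(static_cast<char>('0' + scratch.absoluteDivSmall(10)));
        return std::string(reversed.rbegin(), reversed.rend());
    }

private:
    std::vector<Digit> m_digits;
};

int main()
{
    // 2^128 needs five 32-bit digits: four zero limbs and a top limb of 1.
    SimpleBigInt value = SimpleBigInt::parseDecimal("340282366920938463463374607431768211456");
    std::printf("%zu digits, digit(0)=%u, digit(%zu)=%u, %s\n", value.length(), value.digit(0),
                value.length() - 1, value.digit(value.length() - 1), value.toDecimalString().c_str());
    return 0;
}
```

Keeping zero as an empty digit vector and trimming after every shrinking operation is what makes length() a reliable "most significant digit index + 1", which is the invariant the entry's dataStorage()[m_length - 1] description depends on.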
1268
1269 2017-12-12  Guillaume Emont  <guijemont@igalia.com>
1270
1271         LLInt: reserve 16 bytes of stack on MIPS for native calls
1272         https://bugs.webkit.org/show_bug.cgi?id=180653
1273
1274         Reviewed by Carlos Alberto Lopez Perez.
1275
1276         * llint/LowLevelInterpreter32_64.asm:
1277         On MIPS, subtract 24 from the stack pointer (16 for the calling
1278         convention + 8 to be 16-aligned) instead of the 8 on other platforms
1279         (for alignment).
1280
1281 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1282
1283         [WTF] Thread::create should have Thread::tryCreate
1284         https://bugs.webkit.org/show_bug.cgi?id=180333
1285
1286         Reviewed by Darin Adler.
1287
1288         * assembler/testmasm.cpp:
1289         (JSC::run):
1290         * b3/air/testair.cpp:
1291         * b3/testb3.cpp:
1292         (JSC::B3::run):
1293         * jsc.cpp:
1294         (functionDollarAgentStart):
1295
1296 2017-12-11  Michael Saboff  <msaboff@apple.com>
1297
1298         REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
1299         https://bugs.webkit.org/show_bug.cgi?id=180685
1300
1301         Reviewed by Saam Barati.
1302
1303         The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
1304         the character class check to return true without reading the character.  Given that
1305         the character could be a surrogate pair, we need to read the character even if we
1306         don't have to check it.
1307
1308         * yarr/YarrInterpreter.cpp:
1309         (JSC::Yarr::Interpreter::testCharacterClass):
1310         (JSC::Yarr::Interpreter::checkCharacterClass):
1311
1312 2017-12-11  Saam Barati  <sbarati@apple.com>
1313
1314         We need to disableCaching() in ErrorInstance when we materialize properties
1315         https://bugs.webkit.org/show_bug.cgi?id=180343
1316         <rdar://problem/35833002>
1317
1318         Reviewed by Mark Lam.
1319
1320         This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
1321         on put() to a property that we lazily materialized. Forgetting to do this goes against the
1322         PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
1323         from a Structure A to a Structure B. However, we were telling the IC that we were caching an
1324         existing property only found on Structure B. This is obviously wrong as it would lead to an
1325         OOB store if we didn't already crash when generating the IC.
1326
1327         * jit/Repatch.cpp:
1328         (JSC::tryCachePutByID):
1329         * runtime/ErrorInstance.cpp:
1330         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1331         (JSC::ErrorInstance::put):
1332         * runtime/ErrorInstance.h:
1333         * runtime/Structure.cpp:
1334         (JSC::Structure::didCachePropertyReplacement):
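
The caching hazard the entry describes, as an added example built on a toy object model (not JSC's Structure, PutPropertySlot or Repatch code; every name here is constructed for the illustration). A lazily materialized property transitions the object from Structure A to B, and the put that follows finds the property on B. Unless caching was disabled on the slot, the cache built from that put is keyed on A but carries B's slot index, which lies past the storage of any object still in A.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Constructed model: a Structure maps property names to storage slots, and adding
// a property transitions to a new Structure.
struct Structure {
    std::map<std::string, size_t> slots;
    std::shared_ptr<Structure> addingProperty(const std::string& name) const
    {
        auto next = std::make_shared<Structure>(*this);
        next->slots[name] = slots.size();
        return next;
    }
};

struct Object {
    std::shared_ptr<Structure> structure;
    std::vector<int> storage;              // one slot per property in 'structure'
    bool errorInfoMaterialized = false;    // models ErrorInstance's deferred info
};

// What a put reports so the caller can decide whether to build an inline cache.
struct PutPropertySlot {
    enum Type { Uncached, ExistingProperty, NewProperty } type = Uncached;
    size_t slot = 0;
    bool cacheable = true;
    void disableCaching() { cacheable = false; }
};

// A put inline cache: "an object whose Structure is S keeps property P at slot N".
struct PutIC {
    std::shared_ptr<Structure> expectedStructure;
    size_t slot = 0;
};

static void putDirect(Object& o, const std::string& name, int value, PutPropertySlot& slot)
{
    auto it = o.structure->slots.find(name);
    if (it != o.structure->slots.end()) {
        o.storage[it->second] = value;     // replace: no structure change
        slot.type = PutPropertySlot::ExistingProperty;
        slot.slot = it->second;
        return;
    }
    o.structure = o.structure->addingProperty(name);   // transition
    o.storage.push_back(value);
    slot.type = PutPropertySlot::NewProperty;
    slot.slot = o.storage.size() - 1;
}

// Lazily adds the error-info property, transitioning Structure A -> B. With the
// fix, it also tells the slot that nothing about this put may be cached.
static void materializeErrorInfoIfNeeded(Object& o, PutPropertySlot& slot, bool fixed)
{
    if (o.errorInfoMaterialized)
        return;
    o.errorInfoMaterialized = true;
    PutPropertySlot ignored;
    putDirect(o, "line", 0, ignored);
    if (fixed)
        slot.disableCaching();
}

static void errorInstancePut(Object& o, const std::string& name, int value, PutPropertySlot& slot, bool fixed)
{
    materializeErrorInfoIfNeeded(o, slot, fixed);
    putDirect(o, name, value, slot);
}

// The IC generator keys the cache on the Structure the object had before the put.
static bool tryCachePut(const std::shared_ptr<Structure>& structureBefore, const PutPropertySlot& slot, PutIC& out)
{
    if (!slot.cacheable || slot.type != PutPropertySlot::ExistingProperty)
        return false;
    out = PutIC{structureBefore, slot.slot};
    return true;
}

// Performs one put of "line" on a fresh error object and returns true when an IC
// was installed whose slot lies outside the storage of an object still in A.
static bool installsOutOfBoundsIC(bool fixed)
{
    Object error{std::make_shared<Structure>(), {}, false};
    std::shared_ptr<Structure> before = error.structure;       // Structure A
    PutPropertySlot slot;
    errorInstancePut(error, "line", 7, slot, fixed);           // A -> B, then replace on B
    PutIC ic;
    if (!tryCachePut(before, slot, ic))
        return false;
    Object another{before, {}, false};                         // still in A: no slots at all
    return ic.slot >= another.storage.size();                  // the OOB store the IC would do
}
```

installsOutOfBoundsIC(false) models the original behaviour and returns true because the cache entry would write slot 0 into an object that has no storage; with disableCaching() on the materializing path (fixed = true) no cache entry is made at all.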
1335
1336 2017-12-11  Fujii Hironori  <Hironori.Fujii@sony.com>
1337
1338         [WinCairo] DLLLauncherMain should use SetDllDirectory
1339         https://bugs.webkit.org/show_bug.cgi?id=180642
1340
1341         Reviewed by Alex Christensen.
1342
1343         Windows has icuuc.dll in the system directory. WebKit should find
1344         the one in the WebKitLibraries directory, not the one in the system directory.
1345
1346         * shell/DLLLauncherMain.cpp:
1347         (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
1348
1349 2017-12-11  Eric Carlson  <eric.carlson@apple.com>
1350
1351         Web Inspector: Optionally log WebKit log parameters as JSON
1352         https://bugs.webkit.org/show_bug.cgi?id=180529
1353         <rdar://problem/35909462>
1354
1355         Reviewed by Joseph Pecoraro.
1356
1357         * inspector/ConsoleMessage.cpp:
1358         (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
1359         values. Concatenate all adjacent strings to make logging cleaner.
1360         (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
1361         (Inspector::ConsoleMessage::scriptState const):
1362         * inspector/ConsoleMessage.h:
1363
1364         * inspector/InjectedScript.cpp:
1365         (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
1366         * inspector/InjectedScript.h:
1367         * inspector/InjectedScriptSource.js:
1368         (let.InjectedScript.prototype.wrapJSONString):
1369
1370 2017-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1371
1372         Remove unused builtin names
1373         https://bugs.webkit.org/show_bug.cgi?id=180673
1374
1375         Reviewed by Keith Miller.
1376
1377         * builtins/BuiltinNames.h:
1378
1379 2017-12-11  David Quesada  <david_quesada@apple.com>
1380
1381         Turn on ENABLE_APPLICATION_MANIFEST
1382         https://bugs.webkit.org/show_bug.cgi?id=180562
1383         rdar://problem/35924737
1384
1385         Reviewed by Geoffrey Garen.
1386
1387         * Configurations/FeatureDefines.xcconfig:
1388
1389 2017-12-10  Filip Pizlo  <fpizlo@apple.com>
1390
1391         Harden a few assertions in GC sweep
1392         https://bugs.webkit.org/show_bug.cgi?id=180634
1393
1394         Reviewed by Saam Barati.
1395         
1396         This turns one dynamic check into a release assertion and upgrades another assertion to a release
1397         assertion.
1398
1399         * heap/MarkedBlock.cpp:
1400         (JSC::MarkedBlock::Handle::sweep):
1401
1402 2017-12-10  Konstantin Tokarev  <annulen@yandex.ru>
1403
1404         [python] Modernize "except" usage for python3 compatibility
1405         https://bugs.webkit.org/show_bug.cgi?id=180612
1406
1407         Reviewed by Michael Catanzaro.
1408
1409         * inspector/scripts/generate-inspector-protocol-bindings.py:
1410
1411 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
1412
1413         InferredType should not use UnconditionalFinalizer
1414         https://bugs.webkit.org/show_bug.cgi?id=180456
1415
1416         Reviewed by Saam Barati.
1417         
1418         This turns InferredStructure into a cell so that we can unconditionally finalize them without
1419         having to add things to the UnconditionalFinalizer list. I'm removing all uses of
1420         UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
1421         them are a top cause of lock contention in the parallel GC. Also, we don't need those data
1422         structures if we use IsoSubspaces, subspace iteration, and marking constraints.
1423
1424         * JavaScriptCore.xcodeproj/project.pbxproj:
1425         * Sources.txt:
1426         * heap/Heap.cpp:
1427         (JSC::Heap::finalizeUnconditionalFinalizers):
1428         * heap/Heap.h:
1429         * runtime/InferredStructure.cpp: Added.
1430         (JSC::InferredStructure::create):
1431         (JSC::InferredStructure::destroy):
1432         (JSC::InferredStructure::createStructure):
1433         (JSC::InferredStructure::visitChildren):
1434         (JSC::InferredStructure::finalizeUnconditionally):
1435         (JSC::InferredStructure::InferredStructure):
1436         (JSC::InferredStructure::finishCreation):
1437         * runtime/InferredStructure.h: Added.
1438         * runtime/InferredStructureWatchpoint.cpp: Added.
1439         (JSC::InferredStructureWatchpoint::fireInternal):
1440         * runtime/InferredStructureWatchpoint.h: Added.
1441         * runtime/InferredType.cpp:
1442         (JSC::InferredType::visitChildren):
1443         (JSC::InferredType::willStoreValueSlow):
1444         (JSC::InferredType::makeTopSlow):
1445         (JSC::InferredType::set):
1446         (JSC::InferredType::removeStructure):
1447         (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
1448         (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
1449         (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
1450         * runtime/InferredType.h:
1451         * runtime/VM.cpp:
1452         (JSC::VM::VM):
1453         * runtime/VM.h:
1454
1455 2017-12-09  Konstantin Tokarev  <annulen@yandex.ru>
1456
1457         [python] Replace print >> operator with print() function for python3 compatibility
1458         https://bugs.webkit.org/show_bug.cgi?id=180611
1459
1460         Reviewed by Michael Catanzaro.
1461
1462         * Scripts/make-js-file-arrays.py:
1463         (main):
1464
1465 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
1466
1467         ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
1468         https://bugs.webkit.org/show_bug.cgi?id=180520
1469         <rdar://problem/35900764>
1470
1471         Reviewed by Brian Burg.
1472
1473         * inspector/protocol/ServiceWorker.json:
1474         Include content script content in the initialization info.
1475
1476 2017-12-08  Konstantin Tokarev  <annulen@yandex.ru>
1477
1478         [python] Replace print operator with print() function for python3 compatibility
1479         https://bugs.webkit.org/show_bug.cgi?id=180592
1480
1481         Reviewed by Michael Catanzaro.
1482
1483         * Scripts/generateYarrUnicodePropertyTables.py:
1484         (openOrExit):
1485         (verifyUCDFilesExist):
1486         (Aliases.parsePropertyAliasesFile):
1487         (Aliases.parsePropertyValueAliasesFile):
1488         * Scripts/make-js-file-arrays.py:
1489         (main):
1490         * generate-bytecode-files:
1491
1492 2017-12-08  Mark Lam  <mark.lam@apple.com>
1493
1494         Need to unpoison native function pointers for CLoop.
1495         https://bugs.webkit.org/show_bug.cgi?id=180601
1496         <rdar://problem/35942028>
1497
1498         Reviewed by JF Bastien.
1499
1500         * llint/LowLevelInterpreter64.asm:
1501
1502 2017-12-08  Michael Saboff  <msaboff@apple.com>
1503
1504         YARR: JIT RegExps with greedy parenthesized sub patterns
1505         https://bugs.webkit.org/show_bug.cgi?id=180538
1506
1507         Reviewed by JF Bastien.
1508
1509         This patch adds JIT support for regular expressions containing greedy counted
1510         parenthesis.  An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
1511
1512         Just like in the interpreter, expressions with nested parenthetical subpatterns
1513         require saving the results of previous matches of the parentheses contents along
1514         with any associated state.  This saved state is needed in the case that we need
1515         to backtrack.  This state is called ParenContext within the code.  Space allocated
1516         for this ParenContext is managed using a simple block allocator within the JIT'ed
1517         code.  The raw space managed by this allocator is passed into the JIT'ed function.
1518
1519         Since this fixed sized space may be exceeded, this patch adds a fallback mechanism.
1520         If the JIT'ed code exhausts all its ParenContext space, it returns a new error
1521         JSRegExpJITCodeFailure.  The caller will then bytecompile and interpret the
1522         expression.
1523
1524         Due to increased register usage by the parenthesis handling code, the use of
1525         registers by the JIT engine was restructured, with registers used for Unicode
1526         pattern matching replaced with constants.
1527
1528         Reworked some of the context structures that are used across the interpreter
1529         and JIT implementations to make them a little more uniform and to handle the
1530         needs of JIT'ing the new parentheses forms.
1531
1532         To help with development and debugging of this code, compiled patterns dumping
1533         code was enhanced.  Also added the ability to dump interpreter ByteCodes.
1534
1535         * runtime/RegExp.cpp:
1536         (JSC::byteCodeCompilePattern):
1537         (JSC::RegExp::byteCodeCompileIfNecessary):
1538         (JSC::RegExp::compile):
1539         (JSC::RegExp::compileMatchOnly):
1540         * runtime/RegExp.h:
1541         * runtime/RegExpInlines.h:
1542         (JSC::RegExp::matchInline):
1543         * testRegExp.cpp:
1544         (parseRegExpLine):
1545         (runFromFiles):
1546         * yarr/Yarr.h:
1547         * yarr/YarrInterpreter.cpp:
1548         (JSC::Yarr::ByteCompiler::compile):
1549         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1550         * yarr/YarrJIT.cpp:
1551         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
1552         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
1553         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
1554         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
1555         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
1556         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
1557         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
1558         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
1559         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
1560         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
1561         (JSC::Yarr::YarrGenerator::allocatePatternContext):
1562         (JSC::Yarr::YarrGenerator::freePatternContext):
1563         (JSC::Yarr::YarrGenerator::savePatternContext):
1564         (JSC::Yarr::YarrGenerator::restorePatternContext):
1565         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1566         (JSC::Yarr::YarrGenerator::storeToFrame):
1567         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
1568         (JSC::Yarr::YarrGenerator::clearMatches):
1569         (JSC::Yarr::YarrGenerator::generate):
1570         (JSC::Yarr::YarrGenerator::backtrack):
1571         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1572         (JSC::Yarr::YarrGenerator::generateEnter):
1573         (JSC::Yarr::YarrGenerator::generateReturn):
1574         (JSC::Yarr::YarrGenerator::YarrGenerator):
1575         (JSC::Yarr::YarrGenerator::compile):
1576         * yarr/YarrJIT.h:
1577         (JSC::Yarr::YarrCodeBlock::execute):
1578         * yarr/YarrPattern.cpp:
1579         (JSC::Yarr::indentForNestingLevel):
1580         (JSC::Yarr::dumpUChar32):
1581         (JSC::Yarr::dumpCharacterClass):
1582         (JSC::Yarr::PatternTerm::dump):
1583         (JSC::Yarr::YarrPattern::dumpPattern):
1584         * yarr/YarrPattern.h:
1585         (JSC::Yarr::PatternTerm::containsAnyCaptures):
1586         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
1587         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
1588         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
1589         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
1590         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
1591         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
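
The ParenContext block allocator and the JSRegExpJITCodeFailure fallback from the entry above, as an added example that is not YarrJIT.cpp's code: a free list threaded through caller-supplied raw memory, a stand-in for the JIT'ed matcher that takes one context per iteration, and a caller that bytecode-interprets when the JIT path reports exhaustion. ParenContext's fields, the enums and the function names are constructed for the illustration.

```cpp
#include <cstddef>
#include <vector>

// Constructed model: the per-iteration state a greedy parenthesized subpattern
// keeps so that it can backtrack later.
struct ParenContext {
    ParenContext* next;      // free-list link while free; chain link while in use
    size_t begin;            // input position where this iteration began
    size_t matchAmount;      // iterations matched so far
};

// Block allocator over raw memory handed in by the caller: fixed capacity, no heap.
class ParenContextAllocator {
public:
    ParenContextAllocator(void* raw, size_t rawSize)
    {
        // Thread the raw space into a singly linked free list (cf. initParenContextFreeList).
        size_t count = rawSize / sizeof(ParenContext);
        ParenContext* blocks = static_cast<ParenContext*>(raw);
        for (size_t i = 0; i + 1 < count; ++i)
            blocks[i].next = &blocks[i + 1];
        if (count)
            blocks[count - 1].next = nullptr;
        m_freeList = count ? blocks : nullptr;
    }

    ParenContext* allocate()
    {
        ParenContext* ctx = m_freeList;
        if (ctx)
            m_freeList = ctx->next;
        return ctx;                 // nullptr: the arena is exhausted
    }

    void release(ParenContext* ctx)
    {
        ctx->next = m_freeList;
        m_freeList = ctx;
    }

private:
    ParenContext* m_freeList;
};

enum class MatchResult { NoMatch, Match, JITCodeFailure };
enum class Path { JIT, Interpreter, NoMatch };

// Stand-in for the JIT'ed matcher: one saved context per iteration it may have
// to backtrack over. Running out of contexts is reported, never written past.
static MatchResult jitMatch(size_t iterations, void* raw, size_t rawSize)
{
    ParenContextAllocator allocator(raw, rawSize);
    ParenContext* head = nullptr;
    for (size_t i = 0; i < iterations; ++i) {
        ParenContext* ctx = allocator.allocate();
        if (!ctx)
            return MatchResult::JITCodeFailure;
        ctx->begin = i;
        ctx->matchAmount = i + 1;
        ctx->next = head;           // push onto the chain of saved contexts
        head = ctx;
    }
    while (head) {                  // backtrack: pop and release in reverse order
        ParenContext* previous = head->next;
        allocator.release(head);
        head = previous;
    }
    return MatchResult::Match;
}

// Stand-in for the bytecode interpreter, which is not bound by the arena.
static MatchResult interpreterMatch(size_t) { return MatchResult::Match; }

// The caller's policy: try the JIT'ed code, and on JITCodeFailure bytecode-compile
// and interpret instead. Returns which engine produced the answer.
static Path matchWithFallback(size_t iterations, size_t arenaBytes)
{
    std::vector<ParenContext> arena(arenaBytes / sizeof(ParenContext));
    MatchResult r = jitMatch(iterations, arena.data(), arena.size() * sizeof(ParenContext));
    if (r == MatchResult::JITCodeFailure)
        return interpreterMatch(iterations) == MatchResult::Match ? Path::Interpreter : Path::NoMatch;
    return r == MatchResult::Match ? Path::JIT : Path::NoMatch;
}
```

The property the fallback protects is that exhausting the arena is a recoverable condition carried in the return value, not an out-of-bounds write into the raw buffer: allocate() hands back nullptr, jitMatch() returns JITCodeFailure, and the caller picks the interpreter.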
1592
1593 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
1594
1595         Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
1596         https://bugs.webkit.org/show_bug.cgi?id=180590
1597         <rdar://problem/35882767>
1598
1599         Reviewed by Mark Lam.
1600
1601         * inspector/agents/InspectorConsoleAgent.cpp:
1602         (Inspector::InspectorConsoleAgent::enable):
1603         Swap the messages to a Vector that won't change during iteration.
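
The fix in this entry, as an added example that is not InspectorConsoleAgent's code: a constructed agent whose frontend callback may log a message while buffered messages are being replayed. Iterating the member vector while the callback appends to it can reallocate the storage under the loop; swapping the buffered messages into a local first removes the hazard. The names, the callback and the sample messages are constructed.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// Constructed model: the agent retains every console message and, once enabled,
// also hands it to a frontend callback that may itself log.
struct ConsoleAgent {
    std::vector<std::string> messages;
    bool enabled = false;
    std::function<void(ConsoleAgent&, const std::string&)> frontend;

    void addMessage(const std::string& m)
    {
        messages.push_back(m);          // may reallocate the vector's storage
        if (enabled)
            frontend(*this, m);
    }

    // The crashing shape: walks 'messages' while frontend() can push into it.
    // Rather than dereference a stale element (undefined behaviour), this version
    // watches for the reallocation and returns false as soon as it happens.
    bool enableIteratingMember()
    {
        enabled = true;
        const std::string* storageBefore = messages.data();
        for (size_t i = 0; i < messages.size(); ++i) {
            frontend(*this, messages[i]);
            if (messages.data() != storageBefore)
                return false;   // a range-for over 'messages' would now read freed memory
        }
        return true;
    }

    // The fix ("swap the messages to a Vector that won't change during iteration"):
    // move the retained messages into a local no callback can reach, then replay it.
    bool enableReplayingSnapshot()
    {
        enabled = true;
        std::vector<std::string> snapshot;
        snapshot.swap(messages);
        for (const std::string& m : snapshot)
            frontend(*this, m);
        return true;
    }
};

// Constructed sample: two buffered messages in a vector with no spare capacity, and
// a frontend that logs one follow-up message for anything it has not seen before.
static ConsoleAgent sampleAgent()
{
    ConsoleAgent agent;
    agent.messages = std::vector<std::string>{"first", "second"};   // capacity exactly 2
    agent.frontend = [](ConsoleAgent& a, const std::string& m) {
        if (m.rfind("echo:", 0) != 0)
            a.addMessage("echo:" + m);   // re-enters addMessage during replay
    };
    return agent;
}

static std::vector<std::string> messagesAfterSafeEnable()
{
    ConsoleAgent agent = sampleAgent();
    agent.enableReplayingSnapshot();
    return agent.messages;
}
```

enableIteratingMember() watches the vector's storage address instead of dereferencing a stale element, so it reports the hazard (returns false) rather than reproducing the crash; enableReplayingSnapshot() is the shape the fix uses, and afterwards the member holds only the messages logged during replay.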
1604
1605 2017-12-08  Michael Saboff  <msaboff@apple.com>
1606
1607         YARR: Coalesce constructed character classes
1608         https://bugs.webkit.org/show_bug.cgi?id=180537
1609
1610         Reviewed by JF Bastien.
1611
1612         When adding characters or character ranges to a character class being constructed,
1613         we now coalesce adjacent characters and character ranges.  When we create a
1614         character class after construction is complete, we do a final coalescing pass
1615         across the character list and ranges to catch any remaining coalescing
1616         opportunities.
1617
1618         Added an optimization for character classes that will match any character.
1619         This is somewhat common in code created before the /s (dotAll) flag was added
1620         to the engine.
1621
1622         * yarr/YarrInterpreter.cpp:
1623         (JSC::Yarr::Interpreter::checkCharacterClass):
1624         * yarr/YarrJIT.cpp:
1625         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1626         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1627         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1628         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1629         * yarr/YarrPattern.cpp:
1630         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1631         (JSC::Yarr::CharacterClassConstructor::reset):
1632         (JSC::Yarr::CharacterClassConstructor::charClass):
1633         (JSC::Yarr::CharacterClassConstructor::addSorted):
1634         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1635         (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
1636         (JSC::Yarr::CharacterClassConstructor::coalesceTables):
1637         (JSC::Yarr::CharacterClassConstructor::anyCharacter):
1638         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
1639         (JSC::Yarr::PatternTerm::dump):
1640         (JSC::Yarr::anycharCreate):
1641         * yarr/YarrPattern.h:
1642         (JSC::Yarr::CharacterClass::CharacterClass):
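
The coalescing described in this entry, as an added example that is not YarrPattern.cpp's CharacterClassConstructor: a builder that keeps the same two tables (sorted single characters and sorted ranges), merges touching or overlapping entries on every add and once more when the class is finished, and marks a class that covers every code point as any-character. CharRange, CharacterClassBuilder, finish() and the two sample classes are constructed for the illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

struct CharRange { uint32_t begin, end; };   // inclusive

// The finished class: sorted singles, sorted disjoint ranges, and the any-character
// flag the matcher can test instead of searching the tables.
struct CharacterClass {
    std::vector<uint32_t> matches;
    std::vector<CharRange> ranges;
    bool anyCharacter;

    bool contains(uint32_t ch) const
    {
        if (anyCharacter)
            return true;
        if (std::binary_search(matches.begin(), matches.end(), ch))
            return true;
        for (const CharRange& r : ranges)
            if (ch >= r.begin && ch <= r.end)
                return true;
        return false;
    }
};

class CharacterClassBuilder {
public:
    explicit CharacterClassBuilder(uint32_t maxCharacter) : m_maxCharacter(maxCharacter) {}

    void addSorted(uint32_t ch)
    {
        m_matches.insert(std::lower_bound(m_matches.begin(), m_matches.end(), ch), ch);
        coalesce();
    }

    void addSortedRange(uint32_t lo, uint32_t hi)
    {
        auto byBegin = [](const CharRange& r, uint32_t v) { return r.begin < v; };
        m_ranges.insert(std::lower_bound(m_ranges.begin(), m_ranges.end(), lo, byBegin), CharRange{lo, hi});
        coalesce();
    }

    CharacterClass finish()
    {
        coalesce();   // final pass over both tables
        bool any = m_matches.empty() && m_ranges.size() == 1
            && m_ranges[0].begin == 0 && m_ranges[0].end == m_maxCharacter;
        return CharacterClass{m_matches, m_ranges, any};
    }

private:
    // Merge everything that touches or overlaps, then split singles back out, so
    // 'a','b','c' become a-c and a-c next to d-z becomes a-z.
    void coalesce()
    {
        std::vector<CharRange> all;
        for (uint32_t c : m_matches)
            all.push_back(CharRange{c, c});
        all.insert(all.end(), m_ranges.begin(), m_ranges.end());
        std::sort(all.begin(), all.end(), [](const CharRange& a, const CharRange& b) { return a.begin < b.begin; });

        std::vector<CharRange> merged;
        for (const CharRange& r : all) {
            if (!merged.empty() && r.begin <= merged.back().end + 1)
                merged.back().end = std::max(merged.back().end, r.end);
            else
                merged.push_back(r);
        }
        m_matches.clear();
        m_ranges.clear();
        for (const CharRange& r : merged) {
            if (r.begin == r.end)
                m_matches.push_back(r.begin);
            else
                m_ranges.push_back(r);
        }
    }

    std::vector<uint32_t> m_matches;
    std::vector<CharRange> m_ranges;
    uint32_t m_maxCharacter;
};

// Constructed sample: singles a, c, b, then the range d-z, then the single A.
static CharacterClass buildLettersClass()
{
    CharacterClassBuilder b(0x10FFFF);
    b.addSorted('a'); b.addSorted('c'); b.addSorted('b');
    b.addSortedRange('d', 'z');
    b.addSorted('A');
    return b.finish();
}

// Constructed sample: two ranges that together cover every code point, the shape
// of the pre-dotAll idiom the entry refers to.
static CharacterClass buildEverythingClass()
{
    CharacterClassBuilder b(0x10FFFF);
    b.addSortedRange(0, 0x20);
    b.addSortedRange(0x21, 0x10FFFF);
    return b.finish();
}
```

buildLettersClass() ends with one range a-z and the single A: the three singles collapse into a-c, which then absorbs d-z. buildEverythingClass() finishes as anyCharacter, so a matcher can answer without touching either table, which is the optimization the entry adds.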
1643
1644 2017-12-07  Saam Barati  <sbarati@apple.com>
1645
1646         Modify our dollar VM clflush intrinsic to aid in some perf testing
1647         https://bugs.webkit.org/show_bug.cgi?id=180559
1648
1649         Reviewed by Mark Lam.
1650
1651         * tools/JSDollarVM.cpp:
1652         (JSC::functionCpuClflush):
1653         (JSC::functionDeltaBetweenButterflies):
1654         (JSC::JSDollarVM::finishCreation):
1655
1656 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
1657
1658         Simplify log channel configuration UI
1659         https://bugs.webkit.org/show_bug.cgi?id=180527
1660         <rdar://problem/35908382>
1661
1662         Reviewed by Joseph Pecoraro.
1663
1664         * inspector/protocol/Console.json:
1665
1666 2017-12-07  Mark Lam  <mark.lam@apple.com>
1667
1668         Apply poisoning to some native code pointers.
1669         https://bugs.webkit.org/show_bug.cgi?id=180541
1670         <rdar://problem/35916875>
1671
1672         Reviewed by Filip Pizlo.
1673
1674         Renamed g_classInfoPoison to g_globalDataPoison.
1675         Renamed g_masmPoison to g_jitCodePoison.
1676         Introduced g_nativeCodePoison.
1677         Applied g_nativeCodePoison to poisoning some native code pointers.
1678
1679         Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
1680         to malloc allocated data structures (where needed).
1681
1682         * API/JSCallbackFunction.h:
1683         (JSC::JSCallbackFunction::functionCallback):
1684         * JavaScriptCore.xcodeproj/project.pbxproj:
1685         * jit/ThunkGenerators.cpp:
1686         (JSC::nativeForGenerator):
1687         * llint/LowLevelInterpreter64.asm:
1688         * runtime/CustomGetterSetter.h:
1689         (JSC::CustomGetterSetter::getter const):
1690         (JSC::CustomGetterSetter::setter const):
1691         * runtime/InternalFunction.cpp:
1692         (JSC::InternalFunction::getCallData):
1693         (JSC::InternalFunction::getConstructData):
1694         * runtime/InternalFunction.h:
1695         (JSC::InternalFunction::nativeFunctionFor):
1696         * runtime/JSCPoison.h: Added.
1697         * runtime/JSCPoisonedPtr.cpp:
1698         (JSC::initializePoison):
1699         * runtime/JSCPoisonedPtr.h:
1700         * runtime/Lookup.h:
1701         * runtime/NativeExecutable.cpp:
1702         (JSC::NativeExecutable::hashFor const):
1703         * runtime/NativeExecutable.h:
1704         * runtime/Structure.cpp:
1705         (JSC::StructureTransitionTable::setSingleTransition):
1706         * runtime/StructureTransitionTable.h:
1707         (JSC::StructureTransitionTable::StructureTransitionTable):
1708         (JSC::StructureTransitionTable::isUsingSingleSlot const):
1709         (JSC::StructureTransitionTable::map const):
1710         (JSC::StructureTransitionTable::weakImpl const):
1711         (JSC::StructureTransitionTable::setMap):
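
Pointer poisoning as the entry applies it, shown as an added example that is not JSC's Poisoned<> template or JSCPoison.h: a field that stores the pointer XORed with a key and unpoisons on every read, one key initialized at startup and one non-random 32-bit constant. NativeCodePoison, MallocStructurePoison, the placeholder constant, the entropy value and NativeExecutableRecord are all constructed for the illustration.

```cpp
#include <cstdint>

// Constructed illustration: the field holds (pointer XOR key); every read applies
// the key again. A field obtained through a memory disclosure, or overwritten by
// a memory corruption, does not resolve to a pointer without the key.
template<typename Key, typename T>
class Poisoned {
public:
    Poisoned() : m_bits(0) {}
    explicit Poisoned(T* ptr) : m_bits(poison(ptr)) {}
    T* unpoisoned() const { return m_bits ? reinterpret_cast<T*>(m_bits ^ Key::value()) : nullptr; }
    T* operator->() const { return unpoisoned(); }
    uintptr_t bits() const { return m_bits; }    // the word that actually sits in memory
private:
    static uintptr_t poison(T* ptr)
    {
        uintptr_t raw = reinterpret_cast<uintptr_t>(ptr);
        return raw ? raw ^ Key::value() : 0;     // null stays null
    }
    uintptr_t m_bits;
};

// A process-wide random key, set once at startup (cf. initializePoison()).
struct NativeCodePoison {
    static uintptr_t& slot() { static uintptr_t key = 0; return key; }
    static uintptr_t value() { return slot(); }
};

// A non-random 32-bit poison of the kind the entry introduces for pointers to
// malloc'd structures; the constant is a placeholder, not JSCPoison.h's value.
struct MallocStructurePoison {
    static uintptr_t value() { return 0x5A5A1234u; }
};

// Real code draws the key from the system CSPRNG; the caller supplies the entropy
// here so the example is deterministic. The top 16 bits are forced on so that, on
// x86-64, a raw dereference of a still-poisoned user-space pointer is a
// non-canonical address and faults instead of reading something valid.
static void initializePoison(uint64_t entropy)
{
    const unsigned topBits = sizeof(uintptr_t) * 8 - 16;
    NativeCodePoison::slot() = static_cast<uintptr_t>(entropy) | (uintptr_t(0xFFFF) << topBits);
}

// The kind of record the entry poisons: something that owns a native code pointer.
struct NativeExecutableRecord {
    int (*function)(int);
};

static int twice(int x) { return x * 2; }

struct PoisonDemo {
    bool roundTrips;        // unpoisoned() gives the original pointer back
    bool hiddenInMemory;    // the stored word is not the pointer
    bool wrongKeyFails;     // the same word under another key is not the pointer
    int callResult;         // calling through the field still works
};

static PoisonDemo runPoisonDemo()
{
    initializePoison(0x1122334455667788ull);
    NativeExecutableRecord record{twice};
    Poisoned<NativeCodePoison, NativeExecutableRecord> field(&record);
    uintptr_t raw = reinterpret_cast<uintptr_t>(&record);

    PoisonDemo d;
    d.roundTrips = field.unpoisoned() == &record;
    d.hiddenInMemory = field.bits() != raw;
    // A type-confused reader applying the malloc-structure key gets garbage.
    d.wrongKeyFails = (field.bits() ^ MallocStructurePoison::value()) != raw;
    d.callResult = field->function(21);
    return d;
}

static bool nullStaysNull()
{
    Poisoned<NativeCodePoison, NativeExecutableRecord> empty(nullptr);
    return empty.bits() == 0 && empty.unpoisoned() == nullptr;
}
```

runPoisonDemo() checks the three properties a defender wants from the scheme: the stored word is not the pointer, the pointer comes back only through the matching key, and calls through the field keep working. Giving each kind of pointer its own key, as the entry does with g_nativeCodePoison and g_jitCodePoison, is what makes the wrong-key case fail.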
1712
1713 2017-12-07  Joseph Pecoraro  <pecoraro@apple.com>
1714
1715         Web Inspector: Fix style in remote inspector classes
1716         https://bugs.webkit.org/show_bug.cgi?id=180545
1717
1718         Reviewed by Youenn Fablet.
1719
1720         * inspector/remote/RemoteControllableTarget.h:
1721         * inspector/remote/RemoteInspectionTarget.h:
1722         * runtime/JSGlobalObjectDebuggable.h:
1723
1724 2017-12-07  Per Arne Vollan  <pvollan@apple.com>
1725
1726         Use fastAlignedFree to free aligned memory.
1727         https://bugs.webkit.org/show_bug.cgi?id=180540
1728
1729         Reviewed by Saam Barati.
1730
1731         * heap/IsoAlignedMemoryAllocator.cpp:
1732         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1733
1734 2017-12-07  Matt Lewis  <jlewis3@apple.com>
1735
1736         Unreviewed, rolling out r225634.
1737
1738         This caused layout tests to time out.
1739
1740         Reverted changeset:
1741
1742         "Simplify log channel configuration UI"
1743         https://bugs.webkit.org/show_bug.cgi?id=180527
1744         https://trac.webkit.org/changeset/225634
1745
1746 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
1747
1748         Simplify log channel configuration UI
1749         https://bugs.webkit.org/show_bug.cgi?id=180527
1750         <rdar://problem/35908382>
1751
1752         Reviewed by Joseph Pecoraro.
1753
1754         * inspector/protocol/Console.json:
1755
1756 2017-12-07  Mark Lam  <mark.lam@apple.com>
1757
1758         [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
1759         https://bugs.webkit.org/show_bug.cgi?id=180514
1760
1761         Reviewed by Saam Barati and JF Bastien.
1762
1763         Re-landing r225620 with speculative build fix for GCC 7.
1764
1765         * API/JSCallbackObject.h:
1766         * API/JSObjectRef.cpp:
1767         (classInfoPrivate):
1768         * JavaScriptCore.xcodeproj/project.pbxproj:
1769         * Sources.txt:
1770         * assembler/MacroAssemblerCodeRef.h:
1771         (JSC::FunctionPtr::FunctionPtr):
1772         (JSC::FunctionPtr::value const):
1773         (JSC::FunctionPtr::executableAddress const):
1774         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1775         (JSC::ReturnAddressPtr::value const):
1776         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1777         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1778         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1779         (JSC::MacroAssemblerCodePtr:: const):
1780         (JSC::MacroAssemblerCodePtr::operator! const):
1781         (JSC::MacroAssemblerCodePtr::operator== const):
1782         (JSC::MacroAssemblerCodePtr::emptyValue):
1783         (JSC::MacroAssemblerCodePtr::deletedValue):
1784         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1785         * b3/B3LowerMacros.cpp:
1786         * b3/testb3.cpp:
1787         (JSC::B3::testInterpreter):
1788         * dfg/DFGSpeculativeJIT.cpp:
1789         (JSC::DFG::SpeculativeJIT::checkArray):
1790         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1791         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1792         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1793         * ftl/FTLLowerDFGToB3.cpp:
1794         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1795         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1796         * jit/AssemblyHelpers.h:
1797         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1798         * jit/SpecializedThunkJIT.h:
1799         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1800         * jit/ThunkGenerators.cpp:
1801         (JSC::virtualThunkFor):
1802         (JSC::boundThisNoArgsFunctionCallGenerator):
1803         * llint/LLIntSlowPaths.cpp:
1804         (JSC::LLInt::handleHostCall):
1805         (JSC::LLInt::setUpCall):
1806         * llint/LowLevelInterpreter64.asm:
1807         * runtime/InitializeThreading.cpp:
1808         (JSC::initializeThreading):
1809         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1810         (JSC::initializePoison):
1811         (JSC::initializeScrambledPtrKeys): Deleted.
1812         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1813         * runtime/JSCScrambledPtr.cpp: Removed.
1814         * runtime/JSCScrambledPtr.h: Removed.
1815         * runtime/JSDestructibleObject.h:
1816         (JSC::JSDestructibleObject::classInfo const):
1817         * runtime/JSSegmentedVariableObject.h:
1818         (JSC::JSSegmentedVariableObject::classInfo const):
1819         * runtime/Structure.h:
1820         * runtime/VM.h:
1821
1822 2017-12-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1823
1824         Unreviewed, rolling out r225620
1825         https://bugs.webkit.org/show_bug.cgi?id=180514
1826         <rdar://problem/35901694>
1827
1828         It broke the build with GCC 7, and I don't know how to fix it.
1829
1830         * API/JSCallbackObject.h:
1831         * API/JSObjectRef.cpp:
1832         (classInfoPrivate):
1833         * JavaScriptCore.xcodeproj/project.pbxproj:
1834         * Sources.txt:
1835         * assembler/MacroAssemblerCodeRef.h:
1836         (JSC::FunctionPtr::FunctionPtr):
1837         (JSC::FunctionPtr::value const):
1838         (JSC::FunctionPtr::executableAddress const):
1839         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1840         (JSC::ReturnAddressPtr::value const):
1841         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1842         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1843         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
1844         (JSC::MacroAssemblerCodePtr:: const):
1845         (JSC::MacroAssemblerCodePtr::operator! const):
1846         (JSC::MacroAssemblerCodePtr::operator== const):
1847         (JSC::MacroAssemblerCodePtr::emptyValue):
1848         (JSC::MacroAssemblerCodePtr::deletedValue):
1849         (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
1850         * b3/B3LowerMacros.cpp:
1851         * b3/testb3.cpp:
1852         (JSC::B3::testInterpreter):
1853         * dfg/DFGSpeculativeJIT.cpp:
1854         (JSC::DFG::SpeculativeJIT::checkArray):
1855         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1856         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1857         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1858         * ftl/FTLLowerDFGToB3.cpp:
1859         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1860         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1861         * jit/AssemblyHelpers.h:
1862         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1863         * jit/SpecializedThunkJIT.h:
1864         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1865         * jit/ThunkGenerators.cpp:
1866         (JSC::virtualThunkFor):
1867         (JSC::boundThisNoArgsFunctionCallGenerator):
1868         * llint/LLIntSlowPaths.cpp:
1869         (JSC::LLInt::handleHostCall):
1870         (JSC::LLInt::setUpCall):
1871         * llint/LowLevelInterpreter64.asm:
1872         * runtime/InitializeThreading.cpp:
1873         (JSC::initializeThreading):
1874         * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
1875         (JSC::initializeScrambledPtrKeys):
1876         * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
1877         * runtime/JSDestructibleObject.h:
1878         (JSC::JSDestructibleObject::classInfo const):
1879         * runtime/JSSegmentedVariableObject.h:
1880         (JSC::JSSegmentedVariableObject::classInfo const):
1881         * runtime/Structure.h:
1882         * runtime/VM.h:
1883
1884 2017-12-06  Mark Lam  <mark.lam@apple.com>
1885
1886         Refactoring: Rename ScrambledPtr to Poisoned.
1887         https://bugs.webkit.org/show_bug.cgi?id=180514
1888
1889         Reviewed by Saam Barati.
1890
1891         * API/JSCallbackObject.h:
1892         * API/JSObjectRef.cpp:
1893         (classInfoPrivate):
1894         * JavaScriptCore.xcodeproj/project.pbxproj:
1895         * Sources.txt:
1896         * assembler/MacroAssemblerCodeRef.h:
1897         (JSC::FunctionPtr::FunctionPtr):
1898         (JSC::FunctionPtr::value const):
1899         (JSC::FunctionPtr::executableAddress const):
1900         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1901         (JSC::ReturnAddressPtr::value const):
1902         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1903         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1904         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1905         (JSC::MacroAssemblerCodePtr:: const):
1906         (JSC::MacroAssemblerCodePtr::operator! const):
1907         (JSC::MacroAssemblerCodePtr::operator== const):
1908         (JSC::MacroAssemblerCodePtr::emptyValue):
1909         (JSC::MacroAssemblerCodePtr::deletedValue):
1910         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1911         * b3/B3LowerMacros.cpp:
1912         * b3/testb3.cpp:
1913         (JSC::B3::testInterpreter):
1914         * dfg/DFGSpeculativeJIT.cpp:
1915         (JSC::DFG::SpeculativeJIT::checkArray):
1916         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1917         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1918         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1919         * ftl/FTLLowerDFGToB3.cpp:
1920         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1921         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1922         * jit/AssemblyHelpers.h:
1923         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1924         * jit/SpecializedThunkJIT.h:
1925         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1926         * jit/ThunkGenerators.cpp:
1927         (JSC::virtualThunkFor):
1928         (JSC::boundThisNoArgsFunctionCallGenerator):
1929         * llint/LLIntSlowPaths.cpp:
1930         (JSC::LLInt::handleHostCall):
1931         (JSC::LLInt::setUpCall):
1932         * llint/LowLevelInterpreter64.asm:
1933         * runtime/InitializeThreading.cpp:
1934         (JSC::initializeThreading):
1935         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1936         (JSC::initializePoison):
1937         (JSC::initializeScrambledPtrKeys): Deleted.
1938         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1939         * runtime/JSCScrambledPtr.cpp: Removed.
1940         * runtime/JSCScrambledPtr.h: Removed.
1941         * runtime/JSDestructibleObject.h:
1942         (JSC::JSDestructibleObject::classInfo const):
1943         * runtime/JSSegmentedVariableObject.h:
1944         (JSC::JSSegmentedVariableObject::classInfo const):
1945         * runtime/Structure.h:
1946         * runtime/VM.h:
1947
1948 2017-12-02  Darin Adler  <darin@apple.com>
1949
1950         Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
1951         https://bugs.webkit.org/show_bug.cgi?id=180009
1952
1953         Reviewed by Alex Christensen.
1954
1955         * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
1956         * bytecode/CodeBlock.cpp: Ditto.
1957         * bytecode/ExecutionCounter.cpp: Ditto.
1958         * runtime/ConfigFile.cpp: Ditto.
1959         * runtime/DatePrototype.cpp: Ditto.
1960         * runtime/IndexingType.cpp: Ditto.
1961         * runtime/JSCJSValue.cpp: Ditto.
1962         * runtime/JSDateMath.cpp: Ditto.
1963         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
1964         * runtime/Options.cpp: Ditto.
1965         (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
1966
1967 2017-12-06  Saam Barati  <sbarati@apple.com>
1968
1969         ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
1970         https://bugs.webkit.org/show_bug.cgi?id=180438
1971         <rdar://problem/35862342>
1972
1973         Reviewed by Yusuke Suzuki.
1974
1975         A couple of inspector methods that take stack traces need
1976         to grab the JSLock.
1977
1978         * inspector/ScriptCallStackFactory.cpp:
1979         (Inspector::createScriptCallStack):
1980         (Inspector::createScriptCallStackForConsole):
1981
1982 2017-12-05  Stephan Szabo  <stephan.szabo@sony.com>
1983
1984         Switch windows build to Visual Studio 2017
1985         https://bugs.webkit.org/show_bug.cgi?id=172412
1986
1987         Reviewed by Per Arne Vollan.
1988
1989         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1990
1991 2017-12-05  JF Bastien  <jfbastien@apple.com>
1992
1993         WebAssembly: don't eagerly checksum
1994         https://bugs.webkit.org/show_bug.cgi?id=180441
1995         <rdar://problem/35156628>
1996
1997         Reviewed by Saam Barati.
1998
1999         Make checksumming of module optional for now. The bots think the
2000         checksum hurt compile-time. I'd measured it and couldn't see a
2001         difference, and still can't at this point in time, but we'll see
2002         if disabling it fixes the bots. If so then I can make it lazy upon
2003         first backtrace construction, or I can try out MD5 instead of
2004         SHA1.
2005
2006         * runtime/Options.h:
2007         * wasm/WasmModuleInformation.cpp:
2008         (JSC::Wasm::ModuleInformation::ModuleInformation):
2009         * wasm/WasmModuleInformation.h:
2010         * wasm/WasmNameSection.h:
2011         (JSC::Wasm::NameSection::NameSection):
2012
2013 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
2014
2015         IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
2016         https://bugs.webkit.org/show_bug.cgi?id=180425
2017
2018         Reviewed by Saam Barati.
2019         
2020         Failure to do so causes leaks after starting workers.
2021
2022         * heap/IsoAlignedMemoryAllocator.cpp:
2023         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2024         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
2025
2026 2017-12-05  Per Arne Vollan  <pvollan@apple.com>
2027
2028         [Win64] Compile error in testmasm.cpp.
2029         https://bugs.webkit.org/show_bug.cgi?id=180436
2030
2031         Reviewed by Mark Lam.
2032
2033         Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
2034         
2035         * assembler/testmasm.cpp:
2036         (JSC::testGetEffectiveAddress):
2037
2038 2017-12-01  Filip Pizlo  <fpizlo@apple.com>
2039
2040         GC constraint solving should be parallel
2041         https://bugs.webkit.org/show_bug.cgi?id=179934
2042
2043         Reviewed by JF Bastien.
2044         
2045         This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
2046         speed-up. It's more than 1% on trunk-Speedometer.
2047         
2048         The constraint solver supports running constraints in parallel in two different ways:
2049         
2050         - Run multiple constraints in parallel to each other. This only works for constraints that can
2051           tolerate other constraints running concurrently to them (constraint.concurrency() ==
2052           ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
2053           constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
2054           could probably make them concurrent, but I'm playing it safe for now.
2055         
2056         - A constraint can create parallel work for itself, which the constraint solver will interleave
2057           with other stuff. A constraint can report that it has parallel work by returning
2058           ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
2059           constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
2060           for as long as that function wants to run.
2061         
2062         It's not possible to have a non-concurrent constraint that creates parallel work.
2063         
2064         The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
2065         most natural for two reasons:
2066         
2067         - No need to start any other threads.
2068         
2069         - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
2070           access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
2071           create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
2072           thread, that thread will have work it can start doing immediately. Before this change, we had to
2073           contribute the work found by the constraint solver to the global worklist so that it could be
2074           distributed to the marker threads by load balancing. This change probably helps to avoid that
2075           load balancing step.
2076         
2077         A lot of this change is about making it easy to iterate GC data structures in parallel. This
2078         change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
2079         the parallel work API. That constraint iterates the marked cells in two subspaces. This change
2080         makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
2081         The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
2082         iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
2083         RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
2084         when it returns a falsish version of ... (in the current code, that's always a pointer type, so
2085         done is indicated by null).
2086         
2087         * API/JSMarkingConstraintPrivate.cpp:
2088         (JSContextGroupAddMarkingConstraint):
2089         * API/JSVirtualMachine.mm:
2090         (scanExternalObjectGraph):
2091         (scanExternalRememberedSet):
2092         * JavaScriptCore.xcodeproj/project.pbxproj:
2093         * Sources.txt:
2094         * bytecode/AccessCase.cpp:
2095         (JSC::AccessCase::propagateTransitions const):
2096         * bytecode/CodeBlock.cpp:
2097         (JSC::CodeBlock::visitWeakly):
2098         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2099         (JSC::shouldMarkTransition):
2100         (JSC::CodeBlock::propagateTransitions):
2101         (JSC::CodeBlock::determineLiveness):
2102         * dfg/DFGWorklist.cpp:
2103         * ftl/FTLCompile.cpp:
2104         (JSC::FTL::compile):
2105         * heap/ConstraintParallelism.h: Added.
2106         (WTF::printInternal):
2107         * heap/Heap.cpp:
2108         (JSC::Heap::Heap):
2109         (JSC::Heap::addToRememberedSet):
2110         (JSC::Heap::runFixpointPhase):
2111         (JSC::Heap::stopThePeriphery):
2112         (JSC::Heap::resumeThePeriphery):
2113         (JSC::Heap::addCoreConstraints):
2114         (JSC::Heap::setBonusVisitorTask):
2115         (JSC::Heap::runTaskInParallel):
2116         (JSC::Heap::forEachSlotVisitor): Deleted.
2117         * heap/Heap.h:
2118         (JSC::Heap::worldIsRunning const):
2119         (JSC::Heap::runFunctionInParallel):
2120         * heap/HeapInlines.h:
2121         (JSC::Heap::worldIsStopped const):
2122         (JSC::Heap::isMarked):
2123         (JSC::Heap::incrementDeferralDepth):
2124         (JSC::Heap::decrementDeferralDepth):
2125         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2126         (JSC::Heap::forEachSlotVisitor):
2127         (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
2128         (JSC::Heap::isMarkedConcurrently): Deleted.
2129         * heap/HeapSnapshotBuilder.cpp:
2130         (JSC::HeapSnapshotBuilder::appendNode):
2131         * heap/LargeAllocation.h:
2132         (JSC::LargeAllocation::isMarked):
2133         (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
2134         * heap/LockDuringMarking.h:
2135         (JSC::lockDuringMarking):
2136         * heap/MarkedAllocator.cpp:
2137         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
2138         * heap/MarkedAllocator.h:
2139         * heap/MarkedBlock.h:
2140         (JSC::MarkedBlock::aboutToMark):
2141         (JSC::MarkedBlock::isMarked):
2142         (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
2143         (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
2144         * heap/MarkedSpace.h:
2145         (JSC::MarkedSpace::activeWeakSetsBegin):
2146         (JSC::MarkedSpace::activeWeakSetsEnd):
2147         (JSC::MarkedSpace::newActiveWeakSetsBegin):
2148         (JSC::MarkedSpace::newActiveWeakSetsEnd):
2149         * heap/MarkingConstraint.cpp:
2150         (JSC::MarkingConstraint::MarkingConstraint):
2151         (JSC::MarkingConstraint::execute):
2152         (JSC::MarkingConstraint::quickWorkEstimate):
2153         (JSC::MarkingConstraint::workEstimate):
2154         (JSC::MarkingConstraint::doParallelWork):
2155         (JSC::MarkingConstraint::finishParallelWork):
2156         (JSC::MarkingConstraint::doParallelWorkImpl):
2157         (JSC::MarkingConstraint::finishParallelWorkImpl):
2158         * heap/MarkingConstraint.h:
2159         (JSC::MarkingConstraint::lastExecuteParallelism const):
2160         (JSC::MarkingConstraint::parallelism const):
2161         (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
2162         (JSC::MarkingConstraint::workEstimate): Deleted.
2163         * heap/MarkingConstraintSet.cpp:
2164         (JSC::MarkingConstraintSet::MarkingConstraintSet):
2165         (JSC::MarkingConstraintSet::add):
2166         (JSC::MarkingConstraintSet::executeConvergence):
2167         (JSC::MarkingConstraintSet::executeConvergenceImpl):
2168         (JSC::MarkingConstraintSet::executeAll):
2169         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
2170         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
2171         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
2172         (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
2173         (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
2174         (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
2175         (): Deleted.
2176         * heap/MarkingConstraintSet.h:
2177         * heap/MarkingConstraintSolver.cpp: Added.
2178         (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
2179         (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
2180         (JSC::MarkingConstraintSolver::didVisitSomething const):
2181         (JSC::MarkingConstraintSolver::execute):
2182         (JSC::MarkingConstraintSolver::drain):
2183         (JSC::MarkingConstraintSolver::converge):
2184         (JSC::MarkingConstraintSolver::runExecutionThread):
2185         (JSC::MarkingConstraintSolver::didExecute):
2186         * heap/MarkingConstraintSolver.h: Added.
2187         * heap/OpaqueRootSet.h: Removed.
2188         * heap/ParallelSourceAdapter.h: Added.
2189         (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
2190         (JSC::createParallelSourceAdapter):
2191         * heap/SimpleMarkingConstraint.cpp: Added.
2192         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
2193         (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
2194         (JSC::SimpleMarkingConstraint::quickWorkEstimate):
2195         (JSC::SimpleMarkingConstraint::executeImpl):
2196         * heap/SimpleMarkingConstraint.h: Added.
2197         * heap/SlotVisitor.cpp:
2198         (JSC::SlotVisitor::didStartMarking):
2199         (JSC::SlotVisitor::reset):
2200         (JSC::SlotVisitor::appendToMarkStack):
2201         (JSC::SlotVisitor::visitChildren):
2202         (JSC::SlotVisitor::updateMutatorIsStopped):
2203         (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
2204         (JSC::SlotVisitor::drain):
2205         (JSC::SlotVisitor::performIncrementOfDraining):
2206         (JSC::SlotVisitor::didReachTermination):
2207         (JSC::SlotVisitor::hasWork):
2208         (JSC::SlotVisitor::drainFromShared):
2209         (JSC::SlotVisitor::drainInParallelPassively):
2210         (JSC::SlotVisitor::waitForTermination):
2211         (JSC::SlotVisitor::addOpaqueRoot): Deleted.
2212         (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
2213         (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
2214         (JSC::SlotVisitor::mergeIfNecessary): Deleted.
2215         (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
2216         (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
2217         * heap/SlotVisitor.h:
2218         * heap/SlotVisitorInlines.h:
2219         (JSC::SlotVisitor::addOpaqueRoot):
2220         (JSC::SlotVisitor::containsOpaqueRoot const):
2221         (JSC::SlotVisitor::vm):
2222         (JSC::SlotVisitor::vm const):
2223         * heap/Subspace.cpp:
2224         (JSC::Subspace::parallelAllocatorSource):
2225         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
2226         * heap/Subspace.h:
2227         * heap/SubspaceInlines.h:
2228         (JSC::Subspace::forEachMarkedCellInParallel):
2229         * heap/VisitCounter.h: Added.
2230         (JSC::VisitCounter::VisitCounter):
2231         (JSC::VisitCounter::visitCount const):
2232         * heap/VisitingTimeout.h: Removed.
2233         * heap/WeakBlock.cpp:
2234         (JSC::WeakBlock::specializedVisit):
2235         * runtime/Structure.cpp:
2236         (JSC::Structure::isCheapDuringGC):
2237         (JSC::Structure::markIfCheap):
2238
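A constructed model, not WebKit's code, of the parallel-iterator composition this entry describes: sources whose next() is atomic and answers null when drained, composed from blocks down to their marked cells and drained from several worker threads in place of the GC marker threads. All type and function names below are mine and only echo the entry's ParallelSourceAdapter and forEachMarkedCellInParallel; the heap layout and mark bits are sample data built inline.

```cpp
#include <atomic>
#include <deque>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>
// Parallel source as in the entry: a callable with an atomic next() that returns null once drained.
template<typename T> using ParallelSource = std::function<T*()>;

// Hand out the elements of a fixed list with one atomic fetch_add per next().
template<typename T> ParallelSource<T> parallelSourceFromList(std::vector<T*> items)
{
    auto list = std::make_shared<std::vector<T*>>(std::move(items));
    auto cursor = std::make_shared<std::atomic<unsigned>>(0);
    return [list, cursor]() -> T* {
        unsigned i = cursor->fetch_add(1, std::memory_order_relaxed);
        return i < list->size() ? (*list)[i] : nullptr;
    };
}

// Compose an outer source with a function giving an inner source per outer item (the analogue of
// ParallelSourceAdapter). A lock serialises next(); each call does little work, and the marker
// threads spend their time in the visitor rather than here.
template<typename Outer, typename Inner>
ParallelSource<Inner> composeParallelSources(ParallelSource<Outer> outer,
    std::function<ParallelSource<Inner>(Outer*)> innerSourceFor)
{
    auto lock = std::make_shared<std::mutex>();
    auto inner = std::make_shared<ParallelSource<Inner>>(); // empty until the first outer item
    return [=]() -> Inner* {
        std::lock_guard<std::mutex> guard(*lock);
        for (;;) {
            if (*inner) {
                if (Inner* item = (*inner)()) return item;
                *inner = nullptr; // this inner source is drained; advance the outer one
            }
            Outer* next = outer();
            if (!next) return nullptr; // a drained outer source keeps answering null
            *inner = innerSourceFor(next);
        }
    };
}

// Constructed stand-in for the heap: blocks own cells with a mark bit; `visits` counts hand-outs.
struct Cell { bool marked; std::atomic<int> visits { 0 }; explicit Cell(bool m) : marked(m) { } };
struct MarkedBlock { std::deque<Cell> cells; };      // deque: stable addresses, no moves of Cell
struct Subspace { std::deque<MarkedBlock> blocks; };

// 4 blocks of 8 cells; cell number n (0..31) is marked when n % 3 == 0, so 11 cells are marked.
Subspace buildSampleSubspace()
{
    Subspace space;
    for (int b = 0; b < 4; ++b) {
        space.blocks.emplace_back(); MarkedBlock& block = space.blocks.back();
        for (int c = 0; c < 8; ++c)
            block.cells.emplace_back((b * 8 + c) % 3 == 0);
    }
    return space;
}

// The composed iterator over a subspace's marked cells (cf. forEachMarkedCellInParallel).
ParallelSource<Cell> markedCellSource(Subspace& space)
{
    std::vector<MarkedBlock*> blocks;
    for (auto& block : space.blocks) blocks.push_back(&block);
    auto markedCellsOf = [](MarkedBlock* block) {
        std::vector<Cell*> cells;
        for (auto& cell : block->cells) if (cell.marked) cells.push_back(&cell);
        return parallelSourceFromList(std::move(cells));
    };
    return composeParallelSources<MarkedBlock, Cell>(parallelSourceFromList(std::move(blocks)), markedCellsOf);
}

// Drain the iterator from threadCount workers (standing in for the GC marker threads); returns the total handed out.
int visitMarkedCellsInParallel(Subspace& space, unsigned threadCount)
{
    ParallelSource<Cell> source = markedCellSource(space);
    std::atomic<int> handedOut { 0 };
    std::vector<std::thread> workers;
    for (unsigned i = 0; i < threadCount; ++i)
        workers.emplace_back([&] {
            while (Cell* cell = source()) {
                cell->visits.fetch_add(1);
                handedOut.fetch_add(1);
            }
        });
    for (auto& worker : workers) worker.join();
    return handedOut.load();
}

// Every marked cell must have been handed out exactly once, unmarked cells never.
bool everyMarkedCellVisitedOnce(const Subspace& space)
{
    for (auto& block : space.blocks)
        for (auto& cell : block.cells)
            if (cell.visits.load() != (cell.marked ? 1 : 0)) return false;
    return true;
}
```
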
2239 2017-12-04  JF Bastien  <jfbastien@apple.com>
2240
2241         Math: don't redundantly check for exceptions, just release scope
2242         https://bugs.webkit.org/show_bug.cgi?id=180395
2243
2244         Rubber stamped by Mark Lam.
2245
2246         Two of the exception checks could just have been exception scope
2247         releases before the return, which is ever-so-slightly more
2248         efficient. The same technically applies where we have loops over
2249         parameters, but doing the scope release there isn't really more
2250         efficient and is way harder to read.
2251
2252         * runtime/MathObject.cpp:
2253         (JSC::mathProtoFuncATan2):
2254         (JSC::mathProtoFuncPow):
2255
2256 2017-12-04  David Quesada  <david_quesada@apple.com>
2257
2258         Add a class for parsing application manifests
2259         https://bugs.webkit.org/show_bug.cgi?id=177973
2260         rdar://problem/34747949
2261
2262         Reviewed by Geoffrey Garen.
2263
2264         * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
2265
2266 2017-12-04  JF Bastien  <jfbastien@apple.com>
2267
2268         Update std::expected to match libc++ coding style
2269         https://bugs.webkit.org/show_bug.cgi?id=180264
2270
2271         Reviewed by Alex Christensen.
2272
2273         Update various uses of Expected.
2274
2275         * wasm/WasmModule.h:
2276         * wasm/WasmModuleParser.cpp:
2277         (JSC::Wasm::ModuleParser::parseImport):
2278         (JSC::Wasm::ModuleParser::parseTableHelper):
2279         (JSC::Wasm::ModuleParser::parseTable):
2280         (JSC::Wasm::ModuleParser::parseMemoryHelper):
2281         * wasm/WasmParser.h:
2282         * wasm/generateWasmValidateInlinesHeader.py:
2283         (loadMacro):
2284         (storeMacro):
2285         * wasm/js/JSWebAssemblyModule.cpp:
2286         (JSC::JSWebAssemblyModule::createStub):
2287         * wasm/js/JSWebAssemblyModule.h:
2288
2289 2017-12-04  Saam Barati  <sbarati@apple.com>
2290
2291         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2292         https://bugs.webkit.org/show_bug.cgi?id=180366
2293         <rdar://problem/35685877>
2294
2295         Reviewed by Michael Saboff.
2296
2297         On the TailCall slow path, the CallFrameShuffler will build the frame with
2298         respect to SP instead of FP. However, this may overwrite slots on the stack
2299         that are needed if the slow path C call does a stack walk. The slow path
2300         C call does a stack walk when it throws an exception. This patch fixes
2301         this bug by ensuring that the top of the stack in the FTL always has enough
2302         space to allow CallFrameShuffler to build a frame without overwriting any
2303         items on the stack that are needed when doing a stack walk.
2304
2305         * ftl/FTLLowerDFGToB3.cpp:
2306         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2307
2308 2017-12-04  Devin Rousso  <webkit@devinrousso.com>
2309
2310         Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
2311         https://bugs.webkit.org/show_bug.cgi?id=175166
2312         <rdar://problem/34040740>
2313
2314         Reviewed by Joseph Pecoraro.
2315
2316         * inspector/protocol/Recording.json:
2317         Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
2318
2319         * inspector/JSGlobalObjectConsoleClient.h:
2320         * inspector/JSGlobalObjectConsoleClient.cpp:
2321         (Inspector::JSGlobalObjectConsoleClient::record):
2322         (Inspector::JSGlobalObjectConsoleClient::recordEnd):
2323
2324         * runtime/ConsoleClient.h:
2325         * runtime/ConsoleObject.cpp:
2326         (JSC::ConsoleObject::finishCreation):
2327         (JSC::consoleProtoFuncRecord):
2328         (JSC::consoleProtoFuncRecordEnd):
2329
2330 2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2331
2332         WTF shouldn't have both Thread and ThreadIdentifier
2333         https://bugs.webkit.org/show_bug.cgi?id=180308
2334
2335         Reviewed by Darin Adler.
2336
2337         * heap/MachineStackMarker.cpp:
2338         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2339         * llint/LLIntSlowPaths.cpp:
2340         (JSC::LLInt::llint_trace_operand):
2341         (JSC::LLInt::llint_trace_value):
2342         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2343         (JSC::LLInt::traceFunctionPrologue):
2344         * runtime/ExceptionScope.cpp:
2345         (JSC::ExceptionScope::unexpectedExceptionMessage):
2346         * runtime/JSLock.h:
2347         (JSC::JSLock::currentThreadIsHoldingLock):
2348         * runtime/VM.cpp:
2349         (JSC::VM::throwException):
2350         * runtime/VM.h:
2351         (JSC::VM::throwingThread const):
2352         (JSC::VM::clearException):
2353         * tools/HeapVerifier.cpp:
2354         (JSC::HeapVerifier::printVerificationHeader):
2355
2356 2017-12-03  Caio Lima  <ticaiolima@gmail.com>
2357
2358         Rename DestroyFunc to avoid redefinition on unified build
2359         https://bugs.webkit.org/show_bug.cgi?id=180335
2360
2361         Reviewed by Filip Pizlo.
2362
2363         Changing DestroyFunc structures to more specific names to avoid
2364         conflicts on unified builds.
2365
2366         * heap/HeapCellType.cpp:
2367         (JSC::HeapCellType::finishSweep):
2368         (JSC::HeapCellType::destroy):
2369         * runtime/JSDestructibleObjectHeapCellType.cpp:
2370         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
2371         (JSC::JSDestructibleObjectHeapCellType::destroy):
2372         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
2373         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
2374         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
2375         * runtime/JSStringHeapCellType.cpp:
2376         (JSC::JSStringHeapCellType::finishSweep):
2377         (JSC::JSStringHeapCellType::destroy):
2378         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
2379         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
2380         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
2381
2382 2017-12-01  JF Bastien  <jfbastien@apple.com>
2383
2384         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2385         https://bugs.webkit.org/show_bug.cgi?id=180297
2386         <rdar://problem/35745556>
2387
2388         Reviewed by Mark Lam.
2389
2390         * runtime/MathObject.cpp:
2391         (JSC::mathProtoFuncATan2):
2392         (JSC::mathProtoFuncMax):
2393         (JSC::mathProtoFuncMin):
2394         (JSC::mathProtoFuncPow):
2395
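An added illustration, not JSC's code, of the exception-check discipline behind this entry and the earlier "Math: don't redundantly check for exceptions" entry: a constructed VM/ThrowScope model in which every ToNumber conversion may throw, showing the per-argument check in a Math.max-style loop, the scope release before the return in a Math.atan2-style pair, and the missing-check anti-pattern beside them. The VM, ThrowScope and Value types and the exception message are mine.

```cpp
#include <cmath>
#include <string>
#include <vector>

// Model of JSC's VM/ThrowScope exception-check discipline (constructed for this example,
// not JSC's code). A throw site records the exception and that the caller owes a check;
// the scope's destructor notices when that check never came.
struct VM {
    bool hasException = false;
    std::string exceptionMessage;
    bool needExceptionCheck = false;  // set at a throw site, cleared by a check or release()
    int unverifiedScopeExits = 0;     // scopes that ended with an unchecked throw site
};

struct ThrowScope {
    VM& vm;
    explicit ThrowScope(VM& v) : vm(v) { }
    ~ThrowScope() { if (vm.needExceptionCheck) vm.unverifiedScopeExits++; }
    // The check behind RETURN_IF_EXCEPTION: consumes the obligation and reports a throw.
    bool exception() { vm.needExceptionCheck = false; return vm.hasException; }
    // scope.release(): we return immediately, so the caller inherits the obligation.
    void release() { vm.needExceptionCheck = false; }
};

// A JS argument whose ToNumber conversion can run user code and therefore throw.
struct Value {
    double number;
    bool throwsOnConvert;
};

double toNumber(VM& vm, const Value& v)
{
    if (v.throwsOnConvert) {
        vm.hasException = true;
        vm.exceptionMessage = "TypeError (constructed)";
        vm.needExceptionCheck = true;
        return NAN;
    }
    return v.number;
}

// Math.max-style loop (the shape of the 180297 fix): every conversion may throw, so check
// after each one before touching the next argument.
double mathMax(VM& vm, const std::vector<Value>& args)
{
    ThrowScope scope(vm);
    double result = -INFINITY;
    for (const Value& arg : args) {
        double n = toNumber(vm, arg);
        if (scope.exception())
            return NAN;
        if (std::isnan(n) || std::isnan(result))
            result = NAN;
        else if (n > result)
            result = n;
    }
    return result;
}

// Math.atan2-style pair (the shape of the 180395 change): check after the first conversion;
// after the last throw site before the return, releasing the scope is enough.
double mathATan2(VM& vm, const Value& y, const Value& x)
{
    ThrowScope scope(vm);
    double yValue = toNumber(vm, y);
    if (scope.exception())
        return NAN;
    double xValue = toNumber(vm, x);
    scope.release();
    return std::atan2(yValue, xValue);
}

// The anti-pattern: the second conversion runs user code while the first one's exception
// may still be pending, and the scope ends without any check.
double mathATan2MissingCheck(VM& vm, const Value& y, const Value& x)
{
    ThrowScope scope(vm);
    double yValue = toNumber(vm, y);
    double xValue = toNumber(vm, x);
    return std::atan2(yValue, xValue);
}
```
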
2396 2017-12-01  Mark Lam  <mark.lam@apple.com>
2397
2398         Let's scramble ClassInfo pointers in cells.
2399         https://bugs.webkit.org/show_bug.cgi?id=180291
2400         <rdar://problem/35807620>
2401
2402         Reviewed by JF Bastien.
2403
2404         * API/JSCallbackObject.h:
2405         * API/JSObjectRef.cpp:
2406         (classInfoPrivate):
2407         * JavaScriptCore.xcodeproj/project.pbxproj:
2408         * Sources.txt:
2409         * assembler/MacroAssemblerCodeRef.cpp:
2410         (JSC::MacroAssemblerCodePtr::initialize): Deleted.
2411         * assembler/MacroAssemblerCodeRef.h:
2412         (JSC::MacroAssemblerCodePtr:: const):
2413         (JSC::MacroAssemblerCodePtr::hash const):
2414         * dfg/DFGSpeculativeJIT.cpp:
2415         (JSC::DFG::SpeculativeJIT::checkArray):
2416         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2417         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2418         * ftl/FTLLowerDFGToB3.cpp:
2419         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2420         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2421         * jit/AssemblyHelpers.h:
2422         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2423         * jit/SpecializedThunkJIT.h:
2424         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2425         * runtime/InitializeThreading.cpp:
2426         (JSC::initializeThreading):
2427         * runtime/JSCScrambledPtr.cpp: Added.
2428         (JSC::initializeScrambledPtrKeys):
2429         * runtime/JSCScrambledPtr.h: Added.
2430         * runtime/JSDestructibleObject.h:
2431         (JSC::JSDestructibleObject::classInfo const):
2432         * runtime/JSSegmentedVariableObject.h:
2433         (JSC::JSSegmentedVariableObject::classInfo const):
2434         * runtime/Structure.h:
2435         * runtime/VM.h:
2436
2437 2017-12-01  Brian Burg  <bburg@apple.com>
2438
2439         Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
2440         https://bugs.webkit.org/show_bug.cgi?id=173662
2441
2442         Reviewed by Joseph Pecoraro.
2443
2444         Adopt new type names. Fix protocol generator to use correct type names.
2445
2446         * inspector/ConsoleMessage.cpp:
2447         (Inspector::ConsoleMessage::addToFrontend):
2448         Improve namings and use 'auto' when the type is obvious and repeated.
2449
2450         * inspector/ContentSearchUtilities.cpp:
2451         (Inspector::ContentSearchUtilities::searchInTextByLines):
2452         * inspector/ContentSearchUtilities.h:
2453         * inspector/InjectedScript.cpp:
2454         (Inspector::InjectedScript::getProperties):
2455         (Inspector::InjectedScript::getDisplayableProperties):
2456         (Inspector::InjectedScript::getInternalProperties):
2457         (Inspector::InjectedScript::getCollectionEntries):
2458         (Inspector::InjectedScript::wrapCallFrames const):
2459         * inspector/InjectedScript.h:
2460         * inspector/InspectorProtocolTypes.h:
2461         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
2462         (Inspector::Protocol::Array::Array): Deleted.
2463         (Inspector::Protocol::Array::openAccessors): Deleted.
2464         (Inspector::Protocol::Array::addItem): Deleted.
2465         (Inspector::Protocol::Array::create): Deleted.
2466         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
2467         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
2468         Move the implementation out of this file.
2469
2470         * inspector/ScriptCallStack.cpp:
2471         (Inspector::ScriptCallStack::buildInspectorArray const):
2472         * inspector/ScriptCallStack.h:
2473         * inspector/agents/InspectorAgent.cpp:
2474         (Inspector::InspectorAgent::activateExtraDomain):
2475         (Inspector::InspectorAgent::activateExtraDomains):
2476         * inspector/agents/InspectorAgent.h:
2477         * inspector/agents/InspectorConsoleAgent.cpp:
2478         (Inspector::InspectorConsoleAgent::getLoggingChannels):
2479         * inspector/agents/InspectorConsoleAgent.h:
2480         * inspector/agents/InspectorDebuggerAgent.cpp:
2481         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2482         (Inspector::InspectorDebuggerAgent::searchInContent):
2483         (Inspector::InspectorDebuggerAgent::currentCallFrames):
2484         * inspector/agents/InspectorDebuggerAgent.h:
2485         * inspector/agents/InspectorRuntimeAgent.cpp:
2486         (Inspector::InspectorRuntimeAgent::getProperties):
2487         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2488         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2489         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2490         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
2491         * inspector/agents/InspectorRuntimeAgent.h:
2492         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2493         (Inspector::buildSamples):
2494         Use more 'auto' and rename a variable.
2495
2496         * inspector/scripts/codegen/cpp_generator.py:
2497         (CppGenerator.cpp_protocol_type_for_type):
2498         Adopt new type names. This exposed a latent bug where we should have been
2499         unwrapping an AliasedType prior to generating a C++ type for it. The aliased
2500         type may be an array, in which case we would have generated the wrong type.
2501
2502         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2503         (_generate_typedefs_for_domain.JSON):
2504         (_generate_typedefs_for_domain.Inspector): Deleted.
2505         * inspector/scripts/codegen/objc_generator.py:
2506         (ObjCGenerator.protocol_type_for_type):
2507         (ObjCGenerator.objc_protocol_export_expression_for_variable):
2508         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2509         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2510         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2511         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2512         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2513         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2514         Rebaseline.
2515
2516         * runtime/TypeSet.cpp:
2517         (JSC::TypeSet::allStructureRepresentations const):
2518         (JSC::StructureShape::inspectorRepresentation):
2519         * runtime/TypeSet.h:
2520
2521 2017-12-01  Saam Barati  <sbarati@apple.com>
2522
2523         Having a bad time needs to handle ArrayClass indexing type as well
2524         https://bugs.webkit.org/show_bug.cgi?id=180274
2525         <rdar://problem/35667869>
2526
2527         Reviewed by Keith Miller and Mark Lam.
2528
2529         We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
2530         Otherwise, we'll end up with the wrong Structure, which will lead us to not
2531         adhere to the spec. The bug was that we were not considering ArrayClass inside 
2532         hasBrokenIndexing. This patch rewrites that function to automatically opt
2533         in non-empty indexing types as broken, instead of having to opt out all
2534         non-empty indexing types besides SlowPutArrayStorage.
2535
2536         * runtime/IndexingType.h:
2537         (JSC::hasSlowPutArrayStorage):
2538         (JSC::shouldUseSlowPut):
2539         * runtime/JSGlobalObject.cpp:
2540         * runtime/JSObject.cpp:
2541         (JSC::JSObject::switchToSlowPutArrayStorage):
2542
2543 2017-12-01  JF Bastien  <jfbastien@apple.com>
2544
2545         WebAssembly: stack trace improvement follow-ups
2546         https://bugs.webkit.org/show_bug.cgi?id=180273
2547
2548         Reviewed by Saam Barati.
2549
2550         * wasm/WasmIndexOrName.cpp:
2551         (JSC::Wasm::makeString):
2552         * wasm/WasmIndexOrName.h:
2553         (JSC::Wasm::IndexOrName::nameSection const):
2554         * wasm/WasmNameSection.h:
2555         (JSC::Wasm::NameSection::NameSection):
2556         (JSC::Wasm::NameSection::get):
2557
2558 2017-12-01  JF Bastien  <jfbastien@apple.com>
2559
2560         WebAssembly: restore cached stack limit after out-call
2561         https://bugs.webkit.org/show_bug.cgi?id=179106
2562         <rdar://problem/35337525>
2563
2564         Reviewed by Saam Barati.
2565
2566         We cache the stack limit on the Instance so that we can do fast
2567         stack checks where required. In regular usage the stack limit
2568         never changes because we always run on the same thread, but in
2569         rare cases an API user can totally migrate which thread (and
2570         therefore stack) is used for execution between WebAssembly
2571         traces. For that reason we set the cached stack limit to
2572         UINTPTR_MAX on the outgoing Instance when transitioning back into
2573         a different Instance. We usually restore the cached stack limit in
2574         Context::store, but this wasn't called on all code paths. We had a
2575         bug where an Instance calling into itself indirectly would
2576         therefore fail to restore its cached stack limit properly.
2577
2578         This patch therefore restores the cached stack limit after direct
2579         calls which could be to imports (both wasm->wasm and
2580         wasm->embedder). We have to do all of them because we have no way
2581         of knowing what imports will do (they're known at instantiation
2582         time, not compilation time, and different instances can have
2583         different imports). To make this efficient we also add a pointer
2584         to the canonical location of the stack limit (i.e. the extra
2585         indirection we're trying to save by caching the stack limit on the
2586         Instance in the first place). This is potentially a small perf hit
2587         on imported direct calls.
2588
2589         It's hard to say what the performance cost will be because we
2590         haven't seen much code in the wild which does this. We're adding
2591         two dependent loads and a store of the loaded value, which is
2592         unlikely to get used soon after. It's more code, but on an
2593         out-of-order processor it doesn't contribute to the critical path.
2594
2595         * wasm/WasmB3IRGenerator.cpp:
2596         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2597         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2598         (JSC::Wasm::B3IRGenerator::addCall):
2599         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2600         * wasm/WasmInstance.cpp:
2601         (JSC::Wasm::Instance::Instance):
2602         (JSC::Wasm::Instance::create):
2603         * wasm/WasmInstance.h:
2604         (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
2605         (JSC::Wasm::Instance::cachedStackLimit const):
2606         (JSC::Wasm::Instance::setCachedStackLimit):
2607         * wasm/js/JSWebAssemblyInstance.cpp:
2608         (JSC::JSWebAssemblyInstance::create):
2609         * wasm/js/WebAssemblyFunction.cpp:
2610         (JSC::callWebAssemblyFunction):
2611
2612 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2613
2614         [JSC] Use JSFixedArray for op_new_array_buffer
2615         https://bugs.webkit.org/show_bug.cgi?id=180084
2616
2617         Reviewed by Saam Barati.
2618
2619         For op_new_array_buffer, we have a special constant buffer in CodeBlock.
2620         But using JSFixedArray is better because,
2621
2622         1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
2623            If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as a JS constant.
2624
2625         2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
2626            has JSFixedArray, we can just emit a held JSFixedArray.
2627
2628         3. We can reduce the length of op_new_array_buffer since JSFixedArray holds this.
2629
2630         4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
2631
2632         5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
2633            DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
2634            will be introduced in [1].
2635
2636         [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
2637
2638         * bytecode/BytecodeDumper.cpp:
2639         (JSC::BytecodeDumper<Block>::dumpBytecode):
2640         * bytecode/BytecodeList.json:
2641         * bytecode/BytecodeUseDef.h:
2642         (JSC::computeUsesForBytecodeOffset):
2643         * bytecode/CodeBlock.cpp:
2644         (JSC::CodeBlock::finishCreation):
2645         * bytecode/CodeBlock.h:
2646         (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
2647         (JSC::CodeBlock::addConstantBuffer): Deleted.
2648         (JSC::CodeBlock::constantBufferAsVector): Deleted.
2649         (JSC::CodeBlock::constantBuffer): Deleted.
2650         * bytecode/UnlinkedCodeBlock.cpp:
2651         (JSC::UnlinkedCodeBlock::shrinkToFit):
2652         * bytecode/UnlinkedCodeBlock.h:
2653         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
2654         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
2655         (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
2656         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
2657         * bytecompiler/BytecodeGenerator.cpp:
2658         (JSC::BytecodeGenerator::emitNewArray):
2659         (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
2660         * bytecompiler/BytecodeGenerator.h:
2661         * dfg/DFGByteCodeParser.cpp:
2662         (JSC::DFG::ByteCodeParser::parseBlock):
2663         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2664         (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
2665         (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
2666         (JSC::DFG::ConstantBufferKey::hash const): Deleted.
2667         (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
2668         (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
2669         (JSC::DFG::ConstantBufferKey::index const): Deleted.
2670         (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
2671         (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
2672         * dfg/DFGClobberize.h:
2673         (JSC::DFG::clobberize):
2674         * dfg/DFGGraph.cpp:
2675         (JSC::DFG::Graph::dump):
2676         * dfg/DFGGraph.h:
2677         * dfg/DFGNode.h:
2678         (JSC::DFG::Node::hasNewArrayBufferData):
2679         (JSC::DFG::Node::newArrayBufferData):
2680         (JSC::DFG::Node::hasVectorLengthHint):
2681         (JSC::DFG::Node::vectorLengthHint):
2682         (JSC::DFG::Node::indexingType):
2683         (JSC::DFG::Node::hasCellOperand):
2684         (JSC::DFG::Node::OpInfoWrapper::operator=):
2685         (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
2686         (JSC::DFG::Node::hasConstantBuffer): Deleted.
2687         (JSC::DFG::Node::startConstant): Deleted.
2688         (JSC::DFG::Node::numConstants): Deleted.
2689         * dfg/DFGOperations.cpp:
2690         * dfg/DFGOperations.h:
2691         * dfg/DFGSpeculativeJIT.h:
2692         (JSC::DFG::SpeculativeJIT::callOperation):
2693         * dfg/DFGSpeculativeJIT32_64.cpp:
2694         (JSC::DFG::SpeculativeJIT::compile):
2695         * dfg/DFGSpeculativeJIT64.cpp:
2696         (JSC::DFG::SpeculativeJIT::compile):
2697         * ftl/FTLLowerDFGToB3.cpp:
2698         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2699         * jit/JIT.cpp:
2700         (JSC::JIT::privateCompileMainPass):
2701         * jit/JIT.h:
2702         * jit/JITOpcodes.cpp:
2703         (JSC::JIT::emit_op_new_array_buffer): Deleted.
2704         * jit/JITOperations.cpp:
2705         * jit/JITOperations.h:
2706         * llint/LLIntSlowPaths.cpp:
2707         * llint/LLIntSlowPaths.h:
2708         * llint/LowLevelInterpreter.asm:
2709         * runtime/CommonSlowPaths.cpp:
2710         (JSC::SLOW_PATH_DECL):
2711         * runtime/CommonSlowPaths.h:
2712         * runtime/JSFixedArray.cpp:
2713         (JSC::JSFixedArray::dumpToStream):
2714         * runtime/JSFixedArray.h:
2715         (JSC::JSFixedArray::create):
2716         (JSC::JSFixedArray::get const):
2717         (JSC::JSFixedArray::set):
2718         (JSC::JSFixedArray::buffer const):
2719         (JSC::JSFixedArray::values const):
2720         (JSC::JSFixedArray::length const):
2721         (JSC::JSFixedArray::get): Deleted.
2722
2723 2017-11-30  JF Bastien  <jfbastien@apple.com>
2724
2725         WebAssembly: improve stack trace
2726         https://bugs.webkit.org/show_bug.cgi?id=179343
2727
2728         Reviewed by Saam Barati.
2729
2730         Stack traces now include:
2731
2732           - Module name, if provided by the name section.
2733           - Module SHA1 hash if no name was provided.
2734           - Stub identification, to differentiate from user code.
2735           - Slightly different naming to match the design from:
2736               https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
2737
2738         * interpreter/StackVisitor.cpp:
2739         (JSC::StackVisitor::Frame::functionName const):
2740         * runtime/StackFrame.cpp:
2741         (JSC::StackFrame::functionName const):
2742         (JSC::StackFrame::visitChildren):
2743         * wasm/WasmIndexOrName.cpp:
2744         (JSC::Wasm::IndexOrName::IndexOrName):
2745         (JSC::Wasm::makeString):
2746         * wasm/WasmIndexOrName.h:
2747         (JSC::Wasm::IndexOrName::nameSection const):
2748         * wasm/WasmModuleInformation.cpp:
2749         (JSC::Wasm::ModuleInformation::ModuleInformation):
2750         * wasm/WasmModuleInformation.h:
2751         * wasm/WasmNameSection.h:
2752         (JSC::Wasm::NameSection::NameSection):
2753         (JSC::Wasm::NameSection::get):
2754         * wasm/WasmNameSectionParser.cpp:
2755         (JSC::Wasm::NameSectionParser::parse):
2756
2757 2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>
2758
2759         Make LegacyCustomProtocolManager optional for network process
2760         https://bugs.webkit.org/show_bug.cgi?id=176230
2761
2762         Reviewed by Alex Christensen.
2763
2764         * Configurations/FeatureDefines.xcconfig:
2765
2766 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2767
2768         [JSC] Remove easy toRemove & map.remove() use in OAS phase
2769         https://bugs.webkit.org/show_bug.cgi?id=180208
2770
2771         Reviewed by Mark Lam.
2772
2773         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf
2774         to optimize this common pattern. This patch only modifies the apparent ones.
2775         But we can apply this refactoring further to the OAS phase in the future.
2776
2777         One thing we should take care of is that the predicate of removeIf should not touch
2778         the set being removed from. In this patch, we apply this change to (1) apparently
2779         correct ones and (2) things in the DFG OAS phase since it is very slow.
2780
2781         * b3/B3MoveConstants.cpp:
2782         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2783
2784 2017-11-30  Commit Queue  <commit-queue@webkit.org>
2785
2786         Unreviewed, rolling out r225362.
2787         https://bugs.webkit.org/show_bug.cgi?id=180225
2788
2789         removeIf predicate function can touch remove target set
2790         (Requested by yusukesuzuki on #webkit).
2791
2792         Reverted changeset:
2793
2794         "[JSC] Remove easy toRemove & map.remove() use"
2795         https://bugs.webkit.org/show_bug.cgi?id=180208
2796         https://trac.webkit.org/changeset/225362
2797
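Added example (editor's illustration, not WebKit code) for the constraint named in the rollout entry just above and in the OAS-phase entry before it: the predicate passed to a remove-while-iterating helper must not read the set it is removing from. It uses std::unordered_map instead of WTF::HashMap so it runs stand-alone; the table contents, the "partner" rule and the function names are constructed for the illustration. The single-pass version is not undefined behaviour on std::unordered_map, but it shows why the answer changes: the predicate observes a table that is already half-removed, so the outcome no longer depends only on the original contents.

```cpp
#include <cstddef>
#include <string>
#include <unordered_map>
#include <vector>

// Constructed sample table. Not WTF::HashMap; std::unordered_map is used
// so the example runs stand-alone.
using Table = std::unordered_map<std::string, int>;

// Each key has a partner: "a" <-> "b". The removal rule is "remove an
// entry if its partner is present", so the predicate has to read the
// table it is removing from. This is exactly what removeIf's predicate
// must not do.
static std::string partnerOf(const std::string& key)
{
    return key == "a" ? "b" : "a";
}

static bool partnerPresent(const Table& table, const std::string& key)
{
    return table.count(partnerOf(key)) != 0;
}

static Table makeSample()
{
    return Table { { "a", 1 }, { "b", 2 } };
}

// Two-phase pattern (the toRemove vector + remove loop the patch replaced):
// every decision is made against the unmodified table, then the removals
// happen. Both "a" and "b" see their partner and both are removed.
std::size_t remainingAfterTwoPhase()
{
    Table table = makeSample();
    std::vector<std::string> toRemove;
    for (const auto& entry : table) {
        if (partnerPresent(table, entry.first))
            toRemove.push_back(entry.first);
    }
    for (const auto& key : toRemove)
        table.erase(key);
    return table.size();
}

// Single-pass removeIf-style pattern: the predicate runs while the table is
// being mutated. Whichever entry is visited first is removed; the second one
// then finds its partner already gone and survives. The result depends on
// what the predicate observed mid-removal, not on the original contents.
std::size_t remainingAfterSinglePass()
{
    Table table = makeSample();
    for (auto it = table.begin(); it != table.end();) {
        if (partnerPresent(table, it->first))
            it = table.erase(it);
        else
            ++it;
    }
    return table.size();
}
```

Both functions start from the same two-entry table; the two-phase version ends with an empty table, the single-pass version keeps one entry, whichever the hash order visited second. A predicate that only looks at the entry it is handed (key and value) is safe with either pattern; one that looks up other entries is only safe with the two-phase pattern.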
2798 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2799
2800         [JSC] Use AllocatorIfExists for MaterializeNewObject
2801         https://bugs.webkit.org/show_bug.cgi?id=180189
2802
2803         Reviewed by Filip Pizlo.
2804
2805         I don't think anyone guarantees this allocator exists at this phase.
2806         And a nullptr allocator just works here. We change AllocatorForMode
2807         to AllocatorIfExists to accept nullptr for the allocator.
2808
2809         * ftl/FTLLowerDFGToB3.cpp:
2810         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2811
2812 2017-11-30  Mark Lam  <mark.lam@apple.com>
2813
2814         Let's scramble MacroAssemblerCodePtr values.
2815         https://bugs.webkit.org/show_bug.cgi?id=180169
2816         <rdar://problem/35758340>
2817
2818         Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
2819
2820         1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
2821
2822         2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
2823            template argument type that will be used to cast the result.  This makes the
2824            client code that uses these functions a little less verbose.
2825
2826         3. Change the code base in general to minimize passing void* code pointers around.
2827            We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
2828            at the last moment when we need the underlying code pointer.
2829
2830         4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
2831            default.  I'm leaving them in because they are instrumental in finding bugs
2832         where not all MacroAssemblerCodePtr values were scrambled as expected.
2833            I expect them to be useful in the near future as we add more scrambling.
2834
2835         5. Also disable the casting operator on MacroAssemblerCodePtr (except for
2836            explicit casts to a boolean).  This ensures that clients will always explicitly
2837            use scrambledBits() or executableAddress() to get a value based on which value
2838            they actually need.
2839
2840         6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
2841            This was helpful when debugging tests that ran multiple VMs concurrently on
2842            different threads.
2843
2844         MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
2845         CLoop).  It is not yet supported in 32-bit and Windows because we don't
2846         currently have a way to read a global variable from their LLInt code.
2847
2848         * assembler/AbstractMacroAssembler.h:
2849         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
2850         (JSC::AbstractMacroAssembler::linkPointer):
2851         * assembler/CodeLocation.h:
2852         (JSC::CodeLocationCommon::instructionAtOffset):
2853         (JSC::CodeLocationCommon::labelAtOffset):
2854         (JSC::CodeLocationCommon::jumpAtOffset):
2855         (JSC::CodeLocationCommon::callAtOffset):
2856         (JSC::CodeLocationCommon::nearCallAtOffset):
2857         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
2858         (JSC::CodeLocationCommon::dataLabel32AtOffset):
2859         (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
2860         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
2861         * assembler/LinkBuffer.cpp:
2862         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2863         * assembler/LinkBuffer.h:
2864         (JSC::LinkBuffer::link):
2865         (JSC::LinkBuffer::patch):
2866         * assembler/MacroAssemblerCodeRef.cpp:
2867         (JSC::MacroAssemblerCodePtr::initialize):
2868         * assembler/MacroAssemblerCodeRef.h:
2869         (JSC::FunctionPtr::FunctionPtr):
2870         (JSC::FunctionPtr::value const):
2871         (JSC::FunctionPtr::executableAddress const):
2872         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2873         (JSC::ReturnAddressPtr::value const):
2874         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2875         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2876         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2877         (JSC::MacroAssemblerCodePtr:: const):
2878         (JSC::MacroAssemblerCodePtr::operator! const):
2879         (JSC::MacroAssemblerCodePtr::operator bool const):
2880         (JSC::MacroAssemblerCodePtr::operator== const):
2881         (JSC::MacroAssemblerCodePtr::hash const):
2882         (JSC::MacroAssemblerCodePtr::emptyValue):
2883         (JSC::MacroAssemblerCodePtr::deletedValue):
2884         (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
2885         (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
2886         * b3/B3LowerMacros.cpp:
2887         * b3/testb3.cpp:
2888         (JSC::B3::testInterpreter):
2889         * dfg/DFGDisassembler.cpp:
2890         (JSC::DFG::Disassembler::dumpDisassembly):
2891         * dfg/DFGJITCompiler.cpp:
2892         (JSC::DFG::JITCompiler::link):
2893         (JSC::DFG::JITCompiler::compileFunction):
2894         * dfg/DFGOperations.cpp:
2895         * dfg/DFGSpeculativeJIT.cpp:
2896         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2897         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2898         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
2899         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2900         * dfg/DFGSpeculativeJIT.h:
2901         * disassembler/Disassembler.cpp:
2902         (JSC::disassemble):
2903         * disassembler/UDis86Disassembler.cpp:
2904         (JSC::tryToDisassembleWithUDis86):
2905         * ftl/FTLCompile.cpp:
2906         (JSC::FTL::compile):
2907         * ftl/FTLJITCode.cpp:
2908         (JSC::FTL::JITCode::executableAddressAtOffset):
2909         * ftl/FTLLink.cpp:
2910         (JSC::FTL::link):
2911         * ftl/FTLLowerDFGToB3.cpp:
2912         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
2913         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2914         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2915         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2916         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2917         * interpreter/InterpreterInlines.h:
2918         (JSC::Interpreter::getOpcodeID):
2919         * jit/JITArithmetic.cpp:
2920         (JSC::JIT::emitMathICFast):
2921         (JSC::JIT::emitMathICSlow):
2922         * jit/JITCode.cpp:
2923         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2924         (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
2925         (JSC::JITCodeWithCodeRef::offsetOf):
2926         * jit/JITDisassembler.cpp:
2927         (JSC::JITDisassembler::dumpDisassembly):
2928         * jit/PCToCodeOriginMap.cpp:
2929         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
2930         * jit/Repatch.cpp:
2931         (JSC::ftlThunkAwareRepatchCall):
2932         * jit/ThunkGenerators.cpp:
2933         (JSC::virtualThunkFor):
2934         (JSC::boundThisNoArgsFunctionCallGenerator):
2935         * llint/LLIntSlowPaths.cpp:
2936         (JSC::LLInt::llint_trace_operand):
2937         (JSC::LLInt::llint_trace_value):
2938         (JSC::LLInt::handleHostCall):
2939         (JSC::LLInt::setUpCall):
2940         * llint/LowLevelInterpreter64.asm:
2941         * offlineasm/cloop.rb:
2942         * runtime/InitializeThreading.cpp:
2943         (JSC::initializeThreading):
2944         * wasm/WasmBBQPlan.cpp:
2945         (JSC::Wasm::BBQPlan::complete):
2946         * wasm/WasmCallee.h:
2947         (JSC::Wasm::Callee::entrypoint const):
2948         * wasm/WasmCodeBlock.cpp:
2949         (JSC::Wasm::CodeBlock::CodeBlock):
2950         * wasm/WasmOMGPlan.cpp:
2951         (JSC::Wasm::OMGPlan::work):
2952         * wasm/js/WasmToJS.cpp:
2953         (JSC::Wasm::wasmToJS):
2954         * wasm/js/WebAssemblyFunction.cpp:
2955         (JSC::callWebAssemblyFunction):
2956         * wasm/js/WebAssemblyFunction.h:
2957         * wasm/js/WebAssemblyWrapperFunction.cpp:
2958         (JSC::WebAssemblyWrapperFunction::create):
2959
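Added example (editor's illustration, not JavaScriptCore's ScrambledPtr or MacroAssemblerCodePtr) of the scrambling scheme the entry above describes: the stored value is the code address XORed with a process-wide secret, there is no implicit conversion to a raw pointer or integer, and the real address is recovered only at the point of use. The key derivation (std::random_device), the class and function names, and the use of a plain C++ function as the stand-in for generated code are assumptions made for the illustration.

```cpp
#include <cstdint>
#include <random>

// Process-wide scrambling key, fixed for the life of the process. A real
// implementation would take it from a CSPRNG at startup; std::random_device
// stands in here. Forced odd so it is never zero (XOR with zero would leave
// the pointer unscrambled).
static std::uintptr_t scramblingKey()
{
    static const std::uintptr_t key = [] {
        std::random_device rd;
        std::uint64_t bits = (static_cast<std::uint64_t>(rd()) << 32) | rd();
        return static_cast<std::uintptr_t>(bits) | 1;
    }();
    return key;
}

// Illustrative model of a scrambled code pointer: the raw address is never
// stored, only address XOR key.
template <typename T>
class ScrambledPtr {
public:
    ScrambledPtr() = default;
    explicit ScrambledPtr(T* ptr)
        : m_scrambledBits(ptr ? reinterpret_cast<std::uintptr_t>(ptr) ^ scramblingKey() : 0)
    {
    }

    // The only way back to a usable pointer: descramble at the point of use.
    T* descramble() const
    {
        if (!m_scrambledBits)
            return nullptr;
        return reinterpret_cast<T*>(m_scrambledBits ^ scramblingKey());
    }

    // What actually sits in memory, for hashing and equality checks.
    std::uintptr_t scrambledBits() const { return m_scrambledBits; }

    // No implicit conversion to T* or to an integer: clients must choose
    // scrambledBits() or descramble(). Only the bool conversion exists,
    // and it is explicit.
    explicit operator bool() const { return m_scrambledBits != 0; }
    bool operator!() const { return !m_scrambledBits; }
    bool operator==(const ScrambledPtr& other) const { return m_scrambledBits == other.m_scrambledBits; }
    bool operator!=(const ScrambledPtr& other) const { return !(*this == other); }

private:
    std::uintptr_t m_scrambledBits { 0 };
};

// Stand-in for generated code: a plain function whose address we scramble.
static int addOne(int x) { return x + 1; }

using Entrypoint = int(int);

// Calls through the scrambled pointer, descrambling only at the call site.
int callThroughScrambledPointer(int x)
{
    ScrambledPtr<Entrypoint> entry(&addOne);
    return entry.descramble()(x);
}

// The stored bits never equal the raw address (the key is non-zero), so a
// leaked or corrupted stored value is not directly usable as a code pointer.
bool storedBitsDifferFromRawAddress()
{
    ScrambledPtr<Entrypoint> entry(&addOne);
    return entry.scrambledBits() != reinterpret_cast<std::uintptr_t>(&addOne);
}

// Null stays null and compares equal to a default-constructed value.
bool nullRoundTrips()
{
    ScrambledPtr<Entrypoint> empty(nullptr);
    return !empty && empty.descramble() == nullptr && empty == ScrambledPtr<Entrypoint>();
}
```

The security value is in the combination: the key is unknown to an attacker who only has a memory read or write, and the deleted conversions make it a compile error to accidentally hand the raw bits to something that would jump to them.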
2960 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2961
2962         [JSC] Remove easy toRemove & map.remove() use
2963         https://bugs.webkit.org/show_bug.cgi?id=180208
2964
2965         Reviewed by Mark Lam.
2966
2967         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf
2968         to optimize this common pattern. This patch only modifies the apparent ones.
2969         But we can apply this refactoring further to the OAS phase in the future.
2970
2971         * b3/B3MoveConstants.cpp:
2972         * dfg/DFGArgumentsEliminationPhase.cpp:
2973         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2974         * wasm/WasmSignature.cpp:
2975         (JSC::Wasm::SignatureInformation::tryCleanup):
2976
2977 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2978
2979         [JSC] Use getEffectiveAddress more in JSC
2980         https://bugs.webkit.org/show_bug.cgi?id=180154
2981
2982         Reviewed by Mark Lam.
2983
2984         We can use MacroAssembler::getEffectiveAddress for stack height calculation.
2985         And we also add MacroAssembler::negPtr(src, dest) variation.
2986
2987         * assembler/MacroAssembler.h:
2988         (JSC::MacroAssembler::negPtr):
2989         * assembler/MacroAssemblerARM.h:
2990         (JSC::MacroAssemblerARM::neg32):
2991         * assembler/MacroAssemblerARM64.h:
2992         (JSC::MacroAssemblerARM64::neg32):
2993         (JSC::MacroAssemblerARM64::neg64):
2994         * assembler/MacroAssemblerARMv7.h:
2995         (JSC::MacroAssemblerARMv7::neg32):
2996         * assembler/MacroAssemblerMIPS.h:
2997         (JSC::MacroAssemblerMIPS::neg32):
2998         * assembler/MacroAssemblerX86Common.h:
2999         (JSC::MacroAssemblerX86Common::neg32):
3000         * assembler/MacroAssemblerX86_64.h:
3001         (JSC::MacroAssemblerX86_64::neg64):
3002         * dfg/DFGThunks.cpp:
3003         (JSC::DFG::osrEntryThunkGenerator):
3004         * ftl/FTLLowerDFGToB3.cpp:
3005         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3006         * jit/SetupVarargsFrame.cpp:
3007         (JSC::emitSetVarargsFrame):
3008
3009 2017-11-30  Mark Lam  <mark.lam@apple.com>
3010
3011         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
3012         https://bugs.webkit.org/show_bug.cgi?id=180219
3013         <rdar://problem/35696536>
3014
3015         Reviewed by Filip Pizlo.
3016
3017         * jsc.cpp:
3018         (functionFlashHeapAccess):
3019
3020 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3021
3022         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
3023         https://bugs.webkit.org/show_bug.cgi?id=180190
3024
3025         Reviewed by Mark Lam.
3026
3027         If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
3028         path by calling operationHasIndexedProperty. The problem is that
3029         operationHasIndexedProperty does not account for negative indices. The negative
3030         index was used as a uint32 array index.
3031
3032         In this patch we add a path for negative indices in operationHasIndexedProperty,
3033         and rename it to operationHasIndexedPropertyByInt to make the intention clear.
3034         We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
3035         since it is only used in DFG and FTL.
3036
3037         While fixing this bug, we found that our op_in does not record OutOfBound feedback.
3038         This causes repeated OSR exits and significantly regresses performance. We opened
3039         a bug to track this issue [1].
3040
3041         [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
3042
3043         * dfg/DFGOperations.cpp:
3044         * dfg/DFGOperations.h:
3045         * dfg/DFGSpeculativeJIT32_64.cpp:
3046         (JSC::DFG::SpeculativeJIT::compile):
3047         * dfg/DFGSpeculativeJIT64.cpp:
3048         (JSC::DFG::SpeculativeJIT::compile):
3049         * ftl/FTLLowerDFGToB3.cpp:
3050         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
3051         * jit/JITOperations.cpp:
3052         * jit/JITOperations.h:
3053
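Added example (editor's illustration, not JSC code) of the signed/unsigned index confusion this entry fixes, on a stand-in object. SampleObject, the two has* functions and the sample contents are assumptions; what is faithful to the entry is the shape of the bug and of the fix. Passing an int32_t index through a uint32_t parameter turns -1 into 4294967295, so the query is answered as an out-of-range array lookup and a property literally named "-1" is never found. The fix keeps the index signed, routes negative values to the string-keyed path, and only treats non-negative values as array indices.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for a JS object: dense indexed elements plus
// string-keyed named properties. Not JSC's JSObject.
struct SampleObject {
    std::vector<int> indexed;
    std::map<std::string, int> named;
};

// Shape of the bug: the slow path takes the index as uint32_t. A negative
// int32_t converts to a huge unsigned value (-1 becomes 4294967295), so the
// query is answered as an out-of-range array lookup and the named property
// "-1" is never consulted.
bool hasIndexedPropertyUnsigned(const SampleObject& obj, std::uint32_t index)
{
    return index < obj.indexed.size();
}

// Shape of the fix: keep the index signed, send negative values to the
// string-keyed lookup, and only treat non-negative values as array indices.
bool hasIndexedPropertyByInt(const SampleObject& obj, std::int32_t index)
{
    if (index < 0)
        return obj.named.count(std::to_string(index)) != 0;
    return static_cast<std::uint32_t>(index) < obj.indexed.size();
}

// Builds the constructed sample: obj = [10, 20, 30]; obj["-1"] = 42.
SampleObject makeSample()
{
    SampleObject obj;
    obj.indexed = { 10, 20, 30 };
    obj.named["-1"] = 42;
    return obj;
}

// True when the two paths disagree for this index. The implicit
// int32_t -> uint32_t conversion at the first call is exactly the bug:
// it compiles silently and only the semantics change.
bool pathsDisagree(std::int32_t index)
{
    SampleObject obj = makeSample();
    return hasIndexedPropertyUnsigned(obj, index) != hasIndexedPropertyByInt(obj, index);
}
```

Only the index -1 makes the two paths disagree on this sample (the property "-1" exists); other negative indices and all in-range or out-of-range non-negative indices agree. The same implicit conversion would also hide a negative index behind a bounds check written in unsigned arithmetic, which is why the parameter type itself, not just a check inside the function, had to change.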
3054 2017-11-30  Michael Saboff  <msaboff@apple.com>
3055
3056         Allow JSC command line tool to accept UTF8
3057         https://bugs.webkit.org/show_bug.cgi?id=180205
3058
3059         Reviewed by Keith Miller.
3060
3061         This unifies the UTF8 handling of interactive mode with that of source files.
3062
3063         * jsc.cpp:
3064         (runInteractive):
3065
3066 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3067
3068         REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
3069         https://bugs.webkit.org/show_bug.cgi?id=180185
3070
3071         Reviewed by Carlos Garcia Campos.
3072
3073         After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
3074         But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
3075         can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
3076         And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated yet. But a MakeRope
3077         DFG node can be emitted if we see that an untaken path includes String + String code.
3078
3079         This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
3080         As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in the FTL.
3081         I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
3082         original code used before r225314.
3083
3084         * dfg/DFGSpeculativeJIT.cpp:
3085         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3086         * ftl/FTLLowerDFGToB3.cpp:
3087         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3088
3089 2017-11-28  Filip Pizlo  <fpizlo@apple.com>
3090
3091         CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
3092         https://bugs.webkit.org/show_bug.cgi?id=180108
3093
3094         Reviewed by Saam Barati.
3095         
3096         This was creating a vector of things to remove and then removing them. I think I remember writing
3097         this code, and I did that because at the time we did not have removeAllMatching, which is
3098         definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
3099         obvious improvement before I did more fundamental things to this code.
3100
3101         * heap/CodeBlockSet.cpp:
3102         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
3103
3104 2017-11-29  Filip Pizlo  <fpizlo@apple.com>
3105
3106         GC should support isoheaps
3107         https://bugs.webkit.org/show_bug.cgi?id=179288
3108
3109         Reviewed by Saam Barati.
3110         
3111         This expands the power of the Subspace API in JSC:
3112         
3113         - Everything associated with describing the types of objects is now part of the HeapCellType class.
3114           We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
3115           HeapCellType; these are orthogonal things.
3116         
3117         - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
3118           any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
3119           special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
3120           pages but releases the physical pages as part of the respective allocator's scavenging policy
3121           (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
3122           IsoSubspace).
3123         
3124         So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
3125         for more things.
3126         
3127         This does not have any effect on JetStream (0.18% faster with p = 0.69).
3128
3129         * JavaScriptCore.xcodeproj/project.pbxproj:
3130         * Sources.txt:
3131         * bytecode/AccessCase.cpp:
3132         (JSC::AccessCase::generateImpl):
3133         * bytecode/ObjectAllocationProfileInlines.h:
3134         (JSC::ObjectAllocationProfile::initializeProfile):
3135         * dfg/DFGSpeculativeJIT.cpp:
3136         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3137         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3138         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3139         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3140         * dfg/DFGSpeculativeJIT64.cpp:
3141         (JSC::DFG::SpeculativeJIT::compile):
3142         * ftl/FTLAbstractHeapRepository.h:
3143         * ftl/FTLLowerDFGToB3.cpp:
3144         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3145         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3146         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3147         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3148         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3149         * heap/AlignedMemoryAllocator.cpp:
3150         (JSC::AlignedMemoryAllocator::registerAllocator):
3151         (JSC::AlignedMemoryAllocator::registerSubspace):
3152         * heap/AlignedMemoryAllocator.h:
3153         (JSC::AlignedMemoryAllocator::firstAllocator const):
3154         * heap/AllocationFailureMode.h: Added.
3155         * heap/CompleteSubspace.cpp: Added.
3156         (JSC::CompleteSubspace::CompleteSubspace):
3157         (JSC::CompleteSubspace::~CompleteSubspace):
3158         (JSC::CompleteSubspace::allocatorFor):
3159         (JSC::CompleteSubspace::allocate):
3160         (JSC::CompleteSubspace::allocateNonVirtual):
3161         (JSC::CompleteSubspace::allocatorForSlow):
3162         (JSC::CompleteSubspace::allocateSlow):
3163         (JSC::CompleteSubspace::tryAllocateSlow):
3164         * heap/CompleteSubspace.h: Added.
3165         (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
3166         (JSC::CompleteSubspace::allocatorForSizeStep):
3167         (JSC::CompleteSubspace::allocatorForNonVirtual):
3168         * heap/HeapCellType.cpp: Added.
3169         (JSC::HeapCellType::HeapCellType):
3170         (JSC::HeapCellType::~HeapCellType):
3171         (JSC::HeapCellType::finishSweep):
3172         (JSC::HeapCellType::destroy):
3173         * heap/HeapCellType.h: Added.
3174         (JSC::HeapCellType::attributes const):
3175         * heap/IsoAlignedMemoryAllocator.cpp: Added.
3176         (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
3177         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3178         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3179         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3180         (JSC::IsoAlignedMemoryAllocator::dump const):
3181         * heap/IsoAlignedMemoryAllocator.h: Added.
3182         * heap/IsoSubspace.cpp: Added.
3183         (JSC::IsoSubspace::IsoSubspace):
3184         (JSC::IsoSubspace::~IsoSubspace):
3185         (JSC::IsoSubspace::allocatorFor):
3186         (JSC::IsoSubspace::allocatorForNonVirtual):
3187         (JSC::IsoSubspace::allocate):
3188         (JSC::IsoSubspace::allocateNonVirtual):
3189         * heap/IsoSubspace.h: Added.
3190         (JSC::IsoSubspace::size const):
3191         * heap/MarkedAllocator.cpp:
3192         (JSC::MarkedAllocator::MarkedAllocator):
3193         (JSC::MarkedAllocator::setSubspace):
3194         (JSC::MarkedAllocator::allocateSlowCase):
3195         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
3196         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
3197         * heap/MarkedAllocator.h:
3198         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
3199         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
3200         * heap/MarkedAllocatorInlines.h:
3201         (JSC::MarkedAllocator::allocate):
3202         (JSC::MarkedAllocator::tryAllocate): Deleted.
3203         * heap/MarkedBlock.h:
3204         * heap/MarkedBlockInlines.h:
3205         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
3206         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
3207         * heap/MarkedSpace.cpp:
3208         (JSC::MarkedSpace::addMarkedAllocator):
3209         * heap/MarkedSpace.h:
3210         * heap/Subspace.cpp:
3211         (JSC::Subspace::Subspace):
3212         (JSC::Subspace::initialize):
3213         (JSC::Subspace::finishSweep):
3214         (JSC::Subspace::destroy):
3215         (JSC::Subspace::prepareForAllocation):
3216         (JSC::Subspace::findEmptyBlockToSteal):
3217         (): Deleted.
3218         (JSC::Subspace::allocate): Deleted.
3219         (JSC::Subspace::tryAllocate): Deleted.
3220         (JSC::Subspace::allocatorForSlow): Deleted.
3221         (JSC::Subspace::allocateSlow): Deleted.
3222         (JSC::Subspace::tryAllocateSlow): Deleted.
3223         (JSC::Subspace::didAllocate): Deleted.
3224         * heap/Subspace.h:
3225         (JSC::Subspace::heapCellType const):
3226         (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
3227         (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
3228         (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
3229         (JSC::Subspace::allocatorForSizeStep): Deleted.
3230         (JSC::Subspace::tryAllocatorFor): Deleted.
3231         (JSC::Subspace::allocatorFor): Deleted.
3232         * jit/AssemblyHelpers.h:
3233         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3234         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3235         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
3236         * jit/JITOpcodes.cpp:
3237         (JSC::JIT::emit_op_new_object):
3238         * runtime/ButterflyInlines.h:
3239         (JSC::Butterfly::createUninitialized):
3240         (JSC::Butterfly::tryCreate):
3241         (JSC::Butterfly::growArrayRight):
3242         * runtime/DirectArguments.cpp:
3243         (JSC::DirectArguments::overrideThings):
3244         * runtime/DirectArguments.h:
3245         (JSC::DirectArguments::subspaceFor):
3246         * runtime/DirectEvalExecutable.h:
3247         * runtime/EvalExecutable.h:
3248         * runtime/ExecutableBase.h:
3249         (JSC::ExecutableBase::subspaceFor):
3250         * runtime/FunctionExecutable.h:
3251         * runtime/GenericArgumentsInlines.h:
3252         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
3253         * runtime/HashMapImpl.h:
3254         (JSC::HashMapBuffer::create):
3255         * runtime/IndirectEvalExecutable.h:
3256         * runtime/JSArray.cpp:
3257         (JSC::JSArray::tryCreateUninitializedRestricted):
3258         (JSC::JSArray::unshiftCountSlowCase):
3259         * runtime/JSArray.h:
3260         (JSC::JSArray::tryCreate):
3261         * runtime/JSArrayBufferView.cpp:
3262         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3263         * runtime/JSCell.h:
3264         (JSC::subspaceFor):
3265         * runtime/JSCellInlines.h:
3266         (JSC::JSCell::subspaceFor):
3267         (JSC::tryAllocateCellHelper):
3268         (JSC::allocateCell):
3269         (JSC::tryAllocateCell):
3270         * runtime/JSDestructibleObject.h:
3271         (JSC::JSDestructibleObject::subspaceFor):
3272         * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
3273         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3274         (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
3275         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
3276         (JSC::JSDestructibleObjectHeapCellType::destroy):
3277         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
3278         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
3279         (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
3280         (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
3281         * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
3282         * runtime/JSDestructibleObjectSubspace.cpp: Removed.
3283         * runtime/JSDestructibleObjectSubspace.h: Removed.
3284         * runtime/JSLexicalEnvironment.h:
3285         (JSC::JSLexicalEnvironment::subspaceFor):
3286         * runtime/JSSegmentedVariableObject.h:
3287         (JSC::JSSegmentedVariableObject::subspaceFor):
3288         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
3289         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3290         (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
3291         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
3292         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
3293         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
3294         (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
3295         (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
3296         (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
3297         * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
3298         * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
3299         * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
3300         * runtime/JSString.h:
3301         (JSC::JSString::subspaceFor):
3302         * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
3303         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3304         (JSC::JSStringHeapCellType::~JSStringHeapCellType):
3305         (JSC::JSStringHeapCellType::finishSweep):
3306         (JSC::JSStringHeapCellType::destroy):
3307         (JSC::JSStringSubspace::JSStringSubspace): Deleted.
3308         (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
3309         (JSC::JSStringSubspace::finishSweep): Deleted.
3310         (JSC::JSStringSubspace::destroy): Deleted.
3311         * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
3312         * runtime/JSStringSubspace.cpp: Removed.
3313         * runtime/JSStringSubspace.h: Removed.
3314         * runtime/ModuleProgramExecutable.h:
3315         * runtime/NativeExecutable.h:
3316         * runtime/ProgramExecutable.h:
3317         * runtime/RegExpMatchesArray.h:
3318         (JSC::tryCreateUninitializedRegExpMatchesArray):
3319         * runtime/ScopedArguments.h:
3320         (JSC::ScopedArguments::subspaceFor):
3321         * runtime/VM.cpp:
3322         (JSC::VM::VM):
3323         * runtime/VM.h:
3324         (JSC::VM::gigacageAuxiliarySpace):
3325         * wasm/js/JSWebAssemblyCodeBlock.h:
3326         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
3327         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3328         (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
3329         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
3330         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
3331         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
3332         (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
3333         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
3334         (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
3335         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
3336         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
3337         * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
3338         * wasm/js/JSWebAssemblyMemory.h:
3339         (JSC::JSWebAssemblyMemory::subspaceFor):
3340
3341 2017-11-29  Saam Barati  <sbarati@apple.com>
3342
3343         Remove pointer caging for double arrays
3344         https://bugs.webkit.org/show_bug.cgi?id=180163
3345
3346         Reviewed by Mark Lam.
3347
3348         This patch removes pointer caging from double arrays. Like
3349         my previous removals of pointer caging, this is a security vs
3350         performance tradeoff. We believe that butterflies being allocated
3351         in the cage and with a 32GB runway gives us enough security that
3352         pointer caging the butterfly just for double arrays does not add
3353         enough security benefit for the performance hit it incurs.
3354         
3355         This patch also removes the GetButterflyWithoutCaging node and
3356         the FixedButterflyAccessUncaging phase. The node i