d57a57e92c9eabf4b5e415362c5633d6f6d78e61
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-01-05  JF Bastien  <jfbastien@apple.com>

        WebAssembly: poison JS object's secrets
        https://bugs.webkit.org/show_bug.cgi?id=181339
        <rdar://problem/36325001>

        Reviewed by Mark Lam.

        Separating WebAssembly's JS objects from their non-JS
        implementation means that all interesting information lives
        outside of the JS object itself. This patch poisons each JS
        object's pointer to its non-JS implementation using the poisoning
        mechanism and a unique key per JS object type origin.

        * runtime/JSCPoison.h:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
        object in a stack slot when fast TLS is disabled. This requires
        that we unpoison the Wasm::Instance.
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
        be explicit that the pointer is poisoned.
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTable.h:

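        The following is an added illustration of the per-type pointer-poisoning idea the entry
        above describes. It is example code written for this page, not JavaScriptCore's
        Poisoned<> template or its key generation; the key values, the wrapper structs, the
        stand-in Wasm::Instance/Wasm::Memory types and all helper names are assumptions. The
        security argument it demonstrates: a type-confused or out-of-bounds read of the wrapper
        field sees a non-canonical value, and unpoisoning that value with another type's key
        yields a pointer the attacker cannot predict.

```cpp
#include <cstdint>
#include <random>

// Each wrapper type gets its own poison key, generated once per process.
// Assumption: std::random_device is backed by a CSPRNG on the target platform.
static uint64_t makePoisonKey()
{
    std::random_device rd;
    uint64_t key = (static_cast<uint64_t>(rd()) << 32) | rd();
    // Keep the top 16 bits set: XOR-ing a canonical user-space x86-64 pointer with
    // such a key gives a non-canonical address, so a poisoned value that is
    // dereferenced by mistake faults instead of reading attacker-chosen memory.
    return key | 0xffff000000000000ull;
}

static const uint64_t g_instancePoison = makePoisonKey();
static const uint64_t g_memoryPoison = makePoisonKey();

// The pointer is stored XOR-ed with the key selected by the template parameter;
// only code compiled against the same key can recover it.
template<const uint64_t& key, typename T>
class Poisoned {
public:
    Poisoned() = default;
    explicit Poisoned(T* ptr) : m_bits(reinterpret_cast<uint64_t>(ptr) ^ key) { }
    T* unpoisoned() const { return reinterpret_cast<T*>(m_bits ^ key); }
    uint64_t bits() const { return m_bits; }   // what a raw memory read of the field sees
private:
    uint64_t m_bits { 0 };
};

// Stand-ins for the non-JS implementation objects (hypothetical).
struct WasmInstance { uint32_t memorySize; };
struct WasmMemory { uint8_t* base; };

// JS wrapper objects: the only pointer to the interesting data is poisoned, each with
// its own key, mirroring the "unique key per JS object type origin" in the entry.
struct JSWebAssemblyInstance { Poisoned<g_instancePoison, WasmInstance> m_poisonedInstance; };
struct JSWebAssemblyMemory { Poisoned<g_memoryPoison, WasmMemory> m_poisonedMemory; };

static bool isCanonicalUserPointer(uint64_t bits) { return (bits >> 47) == 0; }

// Constructed sample implementation object.
WasmInstance* sampleInstance()
{
    static WasmInstance instance { 64 };
    return &instance;
}

// Legitimate use: the owning type unpoisons with its own key and gets the pointer back.
bool roundTrips(WasmInstance* instance)
{
    JSWebAssemblyInstance js { Poisoned<g_instancePoison, WasmInstance>(instance) };
    return js.m_poisonedInstance.unpoisoned() == instance;
}

// The value sitting in the object is not a usable pointer on its own.
bool storedBitsAreNonCanonical(WasmInstance* instance)
{
    JSWebAssemblyInstance js { Poisoned<g_instancePoison, WasmInstance>(instance) };
    return !isCanonicalUserPointer(js.m_poisonedInstance.bits());
}

// Type confusion: code that believes this object is a JSWebAssemblyMemory unpoisons the
// same field with the Memory key and obtains ptr ^ instanceKey ^ memoryKey, which differs
// from the real pointer by a random 48-bit value the attacker does not know.
uint64_t unpoisonWithWrongKey(WasmInstance* instance)
{
    JSWebAssemblyInstance js { Poisoned<g_instancePoison, WasmInstance>(instance) };
    return js.m_poisonedInstance.bits() ^ g_memoryPoison;
}
```

        Note that poisoning only protects the pointer while it is at rest in the JS object; the
        entry's remark about the JS -> wasm wrapper storing the JS object in a stack slot is the
        reason the key material must be applied again (unpoisoned) wherever the raw pointer is
        needed, which is exactly where the template above does the XOR.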
2018-01-05  Michael Saboff  <msaboff@apple.com>

        Add ability to disable indexed property masking for testing
        https://bugs.webkit.org/show_bug.cgi?id=181350

        Reviewed by Keith Miller.

        Made the masking of indexed properties runtime controllable via a new JSC::Option
        named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.

        The new option has a generic name as it will probably be used to disable future mitigations.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        * runtime/Options.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):

2018-01-05  Michael Saboff  <msaboff@apple.com>

        Allow JSC Config Files to set Restricted Options
        https://bugs.webkit.org/show_bug.cgi?id=181352

        Reviewed by Mark Lam.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):

2018-01-04  Keith Miller  <keith_miller@apple.com>

        TypedArrays and Wasm should use index masking.
        https://bugs.webkit.org/show_bug.cgi?id=181313

        Reviewed by Michael Saboff.

        We should have index masking for our TypedArray code in the
        DFG/FTL and for Wasm when doing bounds checking. Index masking for
        Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
        WasmBoundsCheckValues we don't need to worry about combining a
        bounds check for a load and a store. I went with fusing the
        pointer masking in the WasmBoundsCheckValue since it should reduce
        additional compiler overhead.

        * b3/B3LowerToAir.cpp:
        * b3/B3Validate.cpp:
        * b3/B3WasmBoundsCheckValue.cpp:
        (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
        (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
        * b3/B3WasmBoundsCheckValue.h:
        (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::WasmBoundsCheckCustom::generate):
        * b3/testb3.cpp:
        (JSC::B3::testWasmBoundsCheck):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        * runtime/Butterfly.h:
        (JSC::Butterfly::computeIndexingMask const):
        (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::load):
        (JSC::Wasm::B3IRGenerator::store):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::grow):
        * wasm/WasmMemory.h:
        (JSC::Wasm::Memory::offsetOfIndexingMask):
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::PinnedRegisterInfo::get):
        (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::PinnedRegisterInfo::toSave const):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):

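        The following is an added software model of the index-masking mitigation described in
        the entry above and of the runtime switch described in the "disable indexed property
        masking" entry earlier on this page. It is example code written for this page, not the
        JIT code in the listed files; the mask computation, the TypedArrayView stand-in (which
        also serves as a model for a Wasm memory and its stored indexing mask), the boolean
        parameter standing in for the disableSpectreMitigations option and the use of the
        GCC/Clang __builtin_clz intrinsic are all assumptions. What it shows: the architectural
        bounds check is unchanged, but a load issued under a mispredicted bounds-check branch
        can reach at most the next power of two above the length, i.e. less than twice the
        buffer, instead of an attacker-chosen offset.

```cpp
#include <cstdint>
#include <utility>
#include <vector>

// Mask covering every index below the next power of two above `length`:
// length 5 -> 0b111, length 8 -> 0b1111, length 0 -> 0 (no index is in bounds).
// Assumption: GCC/Clang-compatible compiler for __builtin_clz.
uint32_t computeIndexingMask(uint32_t length)
{
    if (!length)
        return 0;
    return UINT32_MAX >> __builtin_clz(length);
}

// Stand-in for a typed array view (or a Wasm memory): the mask is computed when the
// buffer is created or resized and stored next to the length, so generated code can
// load it with one extra instruction instead of recomputing it.
struct TypedArrayView {
    std::vector<int32_t> storage;
    uint32_t length;
    uint32_t indexingMask;

    explicit TypedArrayView(std::vector<int32_t> data)
        : storage(std::move(data))
        , length(static_cast<uint32_t>(storage.size()))
        , indexingMask(computeIndexingMask(length))
    { }
};

// Model of a JIT-emitted Int32 typed-array GetByVal. `spectreMitigations` plays the
// role of the runtime option: when false, the index is used unmasked.
// Returns false and leaves `out` untouched when the architectural bounds check fails.
bool getByVal(const TypedArrayView& array, uint32_t index, bool spectreMitigations, int32_t& out)
{
    if (index >= array.length)
        return false;                          // the branch a predictor may speculate past
    uint32_t effective = spectreMitigations ? (index & array.indexingMask) : index;
    out = array.storage[effective];            // effective <= indexingMask < 2 * length
    return true;
}

// The index the load would use if the bounds-check branch were mispredicted, i.e. the
// reach of a Spectre v1 gadget. Masking confines it; without masking it is attacker-chosen.
uint32_t speculativeIndex(const TypedArrayView& array, uint32_t attackerIndex, bool spectreMitigations)
{
    return spectreMitigations ? (attackerIndex & array.indexingMask) : attackerIndex;
}

// Property the mask guarantees: (mask + 1) is the next power of two above length,
// which is at most 2 * length for every non-zero length.
bool maskConfinesToTwiceLength(uint32_t length)
{
    uint32_t mask = computeIndexingMask(length);
    if (!length)
        return mask == 0;
    return static_cast<uint64_t>(mask) + 1 <= 2ull * length;
}

// Constructed sample buffer used by the checks below.
TypedArrayView sampleArray()
{
    return TypedArrayView({ 10, 20, 30, 40, 50 });  // length 5, mask 0b111
}

// Architectural result of `sampleArray()[index]`, or -1 when out of bounds.
int32_t loadFromSample(uint32_t index, bool spectreMitigations)
{
    int32_t value = 0;
    TypedArrayView array = sampleArray();
    return getByVal(array, index, spectreMitigations, value) ? value : -1;
}
```

        The caveat a reviewer should keep in mind: masking narrows the speculative reach to the
        neighbourhood of the buffer rather than eliminating it, so it is a mitigation that
        reduces what a Spectre gadget can disclose, not a proof that nothing out of bounds is
        ever touched. That is also why a runtime switch to turn it off is valuable for measuring
        both its cost and its effect.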
2018-01-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r226434.
        https://bugs.webkit.org/show_bug.cgi?id=181322

        32bit JSC failure in x86 (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "[DFG] Unify ToNumber implementation in 32bit and 64bit by
        changing 32bit Int32Tag and LowestTag"
        https://bugs.webkit.org/show_bug.cgi?id=181134
        https://trac.webkit.org/changeset/226434

2018-01-04  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
        https://bugs.webkit.org/show_bug.cgi?id=180770

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:

2018-01-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r226405.
        https://bugs.webkit.org/show_bug.cgi?id=181318

        Speculative rollout due to Octane/SplayLatency,Octane/Splay
        regressions (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Create parallel SlotVisitors apriori"
        https://bugs.webkit.org/show_bug.cgi?id=180907
        https://trac.webkit.org/changeset/226405

2018-01-04  Saam Barati  <sbarati@apple.com>

        Do value profiling in to_this
        https://bugs.webkit.org/show_bug.cgi?id=181299

        Reviewed by Filip Pizlo.

        This patch adds value profiling to to_this. We use the result of the value
        profiling only for strict mode code when we don't predict that the input is
        of a specific type. This helps when the input is SpecCellOther. Such cells
        might implement a custom ToThis, which can produce an arbitrary result. Before
        this patch, in prediction propagation, we were saying that a ToThis with a
        SpecCellOther input also produced SpecCellOther. However, this is incorrect,
        given that the input may implement ToThis that produces an arbitrary result.
        This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.

        Interestingly, this patch only does value profiling on the slow path. The fast
        path of to_this in the LLInt/baseline just performs a structure check. If it
        passes, the result is the same as the input. Therefore, doing value profiling
        from the fast path wouldn't actually produce new information for the ValueProfile.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitToThis):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
        https://bugs.webkit.org/show_bug.cgi?id=181134

        Reviewed by Mark Lam.

        We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
        branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
        an additional scratch register. We do not want to allocate an unnecessary register in 64bit
        implementation.

        This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
        and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
        setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
        `<= LowestTag(Int32Tag)`.

        We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.

        We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        (JSC::DFG::SpeculativeJIT::compileToNumber):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::branchIfNotType):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfMisc):
        (JSC::AssemblyHelpers::branchIfNotMisc):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
        (JSC::AssemblyHelpers::emitTypeOf):
        * jit/JITAddGenerator.cpp:
        (JSC::JITAddGenerator::generateFastPath):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::loadOperand):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITNegGenerator.cpp:
        (JSC::JITNegGenerator::generateInline):
        (JSC::JITNegGenerator::generateFastPath):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        * jit/JITSubGenerator.cpp:
        (JSC::JITSubGenerator::generateInline):
        (JSC::JITSubGenerator::generateFastPath):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * runtime/JSCJSValue.h:

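        The following is an added worked model of the tag-ordering trick the entry above
        describes (the patch itself was rolled out as r226434, see the Commit Queue entry earlier
        on this page). It is example code written for this page, not the contents of
        runtime/JSCJSValue.h; the concrete tag values, the JSValue32 struct and its method names
        are illustrative assumptions chosen so that Int32Tag is the lowest real tag, undefined and
        null differ only in bit 0, and undefined/null/boolean are contiguous. Doubles are stored
        as raw IEEE bits, so the double's high word plays the role of the tag; NaNs are
        canonicalised so that no double ever has a high word at or above LowestTag.

```cpp
#include <cstdint>
#include <cstring>
#include <cmath>
#include <limits>

// Illustrative 32-bit tag layout (assumed values, not JSC's). The tag is the high word of
// the 64-bit value; the payload is the low word.
namespace tags {
constexpr uint32_t CellTag         = 0xffffffff;
constexpr uint32_t BooleanTag      = 0xfffffffe;
constexpr uint32_t NullTag         = 0xfffffffd;
constexpr uint32_t UndefinedTag    = 0xfffffffc;   // (UndefinedTag | 1) == NullTag
constexpr uint32_t EmptyValueTag   = 0xfffffffb;
constexpr uint32_t DeletedValueTag = 0xfffffffa;
constexpr uint32_t Int32Tag        = 0xfffffff9;   // deliberately the lowest real tag
constexpr uint32_t LowestTag       = Int32Tag;
static_assert((UndefinedTag | 1) == NullTag, "null and undefined must differ only in bit 0");
static_assert(BooleanTag - UndefinedTag == 2, "undefined, null, boolean must be contiguous");
}

struct JSValue32 {
    uint32_t tag;
    uint32_t payload;

    static JSValue32 fromInt32(int32_t i) { return { tags::Int32Tag, static_cast<uint32_t>(i) }; }
    static JSValue32 fromBool(bool b) { return { tags::BooleanTag, b ? 1u : 0u }; }
    static JSValue32 null() { return { tags::NullTag, 0 }; }
    static JSValue32 undefined() { return { tags::UndefinedTag, 0 }; }
    static JSValue32 cell(uint32_t ptr) { return { tags::CellTag, ptr }; }

    static JSValue32 fromDouble(double d)
    {
        // Canonicalise NaN: an arbitrary NaN could carry a high word that collides with a
        // tag (every value 0xfffffff9..0xffffffff is a NaN bit pattern).
        if (std::isnan(d))
            d = std::numeric_limits<double>::quiet_NaN();   // 0x7ff8000000000000
        uint64_t bits;
        std::memcpy(&bits, &d, sizeof bits);
        return { static_cast<uint32_t>(bits >> 32), static_cast<uint32_t>(bits) };
    }

    // The point of the reordering: one unsigned compare replaces
    // (tag == Int32Tag || tag < LowestTag), which on 32-bit needed a scratch register.
    bool isNumber() const { return tag <= tags::LowestTag; }
    bool isInt32() const { return tag == tags::Int32Tag; }
    bool isDouble() const { return tag < tags::LowestTag; }
    bool isCell() const { return tag == tags::CellTag; }

    // The parity trick the entry preserves: null and undefined collapse to NullTag.
    bool isNullOrUndefined() const { return (tag | 1) == tags::NullTag; }

    // Undefined, null and boolean are contiguous, so "misc" is a single range check
    // (unsigned subtraction wraps for every tag below UndefinedTag).
    bool isMisc() const { return tag - tags::UndefinedTag <= tags::BooleanTag - tags::UndefinedTag; }
};
```

        Because the entry's own rollout note cites a 32-bit x86 failure, any real change of this
        kind has to be checked against every consumer of the tag constants (the LLInt assembly
        files listed above as well as the JITs), not only the C++ predicates modelled here.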
2018-01-04  JF Bastien  <jfbastien@apple.com>

        Add assembler support for x86 lfence and sfence
        https://bugs.webkit.org/show_bug.cgi?id=181311
        <rdar://problem/36301780>

        Reviewed by Michael Saboff.

        Useful for testing performance of serializing instructions (hint:
        it's not good).

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::lfence):
        (JSC::MacroAssemblerX86Common::sfence):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::lfence):
        (JSC::X86Assembler::sfence):

2018-01-04  Saam Barati  <sbarati@apple.com>

        Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
        https://bugs.webkit.org/show_bug.cgi?id=181296

        Reviewed by Filip Pizlo.

        Inside Speedometer's Ember test, there is a recompile loop like:
        a: GetByVal(..., semanticOriginX)
        b: SetLocal(Cell:@a, semanticOriginX)

        where the cell check always fails. For reasons I didn't investigate, the
        baseline JIT's value profiling doesn't accurately capture the GetByVal's
        result.

        However, when compiling this cell speculation check in the DFG, we get a null
        MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
        this IR pattern because both @a and @b have the same semantic origin. We
        should not follow the same semantic origin heuristic when dealing with
        SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
        For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
        For this IR pattern, we will update the value profile for the semantic origin
        for @nodeWithHeapPrediction. So, for the Speedometer example above, we
        will correctly update the GetByVal's value profile, which will prevent
        an OSR exit loop.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):

2018-01-04  Keith Miller  <keith_miller@apple.com>

        Array Storage operations sometimes did not update the indexing mask correctly.
        https://bugs.webkit.org/show_bug.cgi?id=181301

        Reviewed by Mark Lam.

        I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::increaseVectorLength):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Define defs for MapSet/SetAdd to participate in CSE
        https://bugs.webkit.org/show_bug.cgi?id=179911

        Reviewed by Saam Barati.

        With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
        To handle the somewhat tricky DFG Map operation nodes, MapSet and SetAdd
        produce the added bucket as their result. Subsequent GetMapBucket will
        be removed by CSE.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetAdd):
        (JSC::DFG::SpeculativeJIT::compileMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::addNormalized):
        (JSC::HashMapImpl::addNormalizedInternal):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove LocalScope
        https://bugs.webkit.org/show_bug.cgi?id=181206

        Reviewed by Geoffrey Garen.

        The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use.
        This patch changes JSON parsing and stringifying to use MarkedArgumentBuffer, and removes HandleStack
        and LocalScope.

        We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold
        JSObject* directly in their fields.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/HandleStack.cpp: Removed.
        * heap/HandleStack.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack): Deleted.
        * heap/Local.h: Removed.
        * heap/LocalScope.h: Removed.
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::object const):
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::Walker):
        (JSC::Walker::callReviver):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONParse):
        (JSC::JSONStringify):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
        https://bugs.webkit.org/show_bug.cgi?id=180238

        Reviewed by Saam Barati.

        We can optimize ObjectAllocationSinking a bit by using removeIf.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Create parallel SlotVisitors apriori
        https://bugs.webkit.org/show_bug.cgi?id=180907

        Reviewed by Saam Barati.

        The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
        If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
        Then we do not need to grab locks while iterating all the SlotVisitors.

        In addition, we do not need to consider the case that the number of SlotVisitors increases
        after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
        does not increase any more.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::runBeginPhase):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::numberOfSlotVisitors): Deleted.
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::didVisitSomething const):

2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>

        Replace hard-coded paths in shebangs with #!/usr/bin/env
        https://bugs.webkit.org/show_bug.cgi?id=181040

        Reviewed by Alex Christensen.

        * Scripts/UpdateContents.py:
        * Scripts/cssmin.py:
        * Scripts/generate-combined-inspector-json.py:
        * Scripts/xxd.pl:
        * create_hash_table:
        * generate-bytecode-files:
        * wasm/generateWasm.py:
        * wasm/generateWasmOpsHeader.py:
        * yarr/generateYarrCanonicalizeUnicode:

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Disable SharedArrayBuffers from Web API
        https://bugs.webkit.org/show_bug.cgi?id=181266

        Reviewed by Saam Barati.

        Removed SharedArrayBuffer prototype and structure from GlobalObject creation
        to disable.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype const):
        (JSC::JSGlobalObject::arrayBufferStructure const):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Add "noInline" to $vm
        https://bugs.webkit.org/show_bug.cgi?id=181265

        Reviewed by Mark Lam.

        This would be useful for web based tests.

        * tools/JSDollarVM.cpp:
        (JSC::getExecutableForFunction):
        (JSC::functionNoInline):
        (JSC::JSDollarVM::finishCreation):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
        https://bugs.webkit.org/show_bug.cgi?id=181263

        Reviewed by Mark Lam.

        Flushing the butterfly pointer provides no benefit and slows this function.

        * tools/JSDollarVM.cpp:
        (JSC::functionCpuClflush):

2018-01-03  Saam Barati  <sbarati@apple.com>

        Fix BytecodeParser op_catch assert to work with useProfiler=1
        https://bugs.webkit.org/show_bug.cgi?id=181260

        Reviewed by Keith Miller.

        op_catch was asserting that the current block was empty. This is only true
        if the profiler isn't enabled. When the profiler is enabled, we will
        insert a CountExecution node before each bytecode. This patch fixes the
        assert to work with the profiler.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2018-01-03  Per Arne Vollan  <pvollan@apple.com>

        [Win][Debug] testapi link error.
        https://bugs.webkit.org/show_bug.cgi?id=181247
        <rdar://problem/36166729>

        Reviewed by Brent Fulgham.

        Do not set the runtime library compile flag for C files; it is already set to the correct value.

        * shell/PlatformWin.cmake:

2018-01-03  Robin Morisset  <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable crashes
        https://bugs.webkit.org/show_bug.cgi?id=181027

        Reviewed by Filip Pizlo.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
        (JSC::DFG::ByteCodeParser::inlineCall):

2018-01-02  Saam Barati  <sbarati@apple.com>

        Incorrect assertion inside AccessCase
        https://bugs.webkit.org/show_bug.cgi?id=181200
        <rdar://problem/35494754>

        Reviewed by Yusuke Suzuki.

        Consider a PutById compiled to a setter in a function like so:

        ```
        function foo(o) { o.f = o; }
        ```

        The DFG will often assign the same registers to the baseGPR (o in o.f) and the
        valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
        to the same register. However, we're asserting that they're not the same register.
        This patch just removes this invalid assertion.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):

2018-01-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
        https://bugs.webkit.org/show_bug.cgi?id=175359

        Reviewed by Yusuke Suzuki.

        This patch is implementing BigIntConstructor and BigIntPrototype
        following the spec [1, 2]. In addition, we are also implementing the BigIntObject
        wrapper to handle the ToObject(v) abstract operation when "v" is a BigInt
        primitive. With these classes, now it's possible to synthesize
        BigInt.prototype and then call "toString", "valueOf" and
        "toLocaleString" when the primitive is a BigInt.
        BigIntConstructor exposes an API to parse other primitives such as
        Number, Boolean and String to BigInt.
        We decided to skip the parseInt implementation, since it was removed from
        the spec.

        [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
        [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * jsc.cpp:
        * runtime/BigIntConstructor.cpp: Added.
        (JSC::BigIntConstructor::BigIntConstructor):
        (JSC::BigIntConstructor::finishCreation):
        (JSC::isSafeInteger):
        (JSC::toBigInt):
        (JSC::callBigIntConstructor):
        (JSC::bigIntConstructorFuncAsUintN):
        (JSC::bigIntConstructorFuncAsIntN):
        * runtime/BigIntConstructor.h: Added.
        (JSC::BigIntConstructor::create):
        (JSC::BigIntConstructor::createStructure):
        * runtime/BigIntObject.cpp: Added.
        (JSC::BigIntObject::BigIntObject):
        (JSC::BigIntObject::finishCreation):
        (JSC::BigIntObject::toStringName):
        (JSC::BigIntObject::defaultValue):
        * runtime/BigIntObject.h: Added.
        (JSC::BigIntObject::create):
        (JSC::BigIntObject::internalValue const):
        (JSC::BigIntObject::createStructure):
        * runtime/BigIntPrototype.cpp: Added.
        (JSC::BigIntPrototype::BigIntPrototype):
        (JSC::BigIntPrototype::finishCreation):
        (JSC::toThisBigIntValue):
        (JSC::bigIntProtoFuncToString):
        (JSC::bigIntProtoFuncToLocaleString):
        (JSC::bigIntProtoFuncValueOf):
        * runtime/BigIntPrototype.h: Added.
        (JSC::BigIntPrototype::create):
        (JSC::BigIntPrototype::createStructure):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFrom):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::toObject const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype const):
        * runtime/JSCPoisonedPtr.cpp:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObjectSlow const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::bigIntPrototype const):
        (JSC::JSGlobalObject::bigIntObjectStructure const):
        * runtime/StructureCache.h:
        * runtime/StructureInlines.h:
        (JSC::prototypeForLookupPrimitiveImpl):

2018-01-02  Tim Horton  <timothy_horton@apple.com>

        Fix the MathCommon build with a recent compiler
        https://bugs.webkit.org/show_bug.cgi?id=181216

        Reviewed by Sam Weinig.

        * runtime/MathCommon.cpp:
        (JSC::fdlibmPow):
        This cast drops the 'const' qualifier from the pointer to 'one',
        but it doesn't have to, and it makes the compiler sad.

== Rolled over to ChangeLog-2018-01-01 ==