e4a3635e46a46fde6e927fe0fad154c94447d988
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>

        Add SetCallee as DFG-Operation
        https://bugs.webkit.org/show_bug.cgi?id=184582

        Reviewed by Filip Pizlo.

        For recursive tail calls not only the argument count can change but also the
        callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
        Also update the callee when optimizing a recursive tail call.
        Enable recursive tail call optimization also for closures.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::handleCallVariant):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetCallee):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):

2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>

        WebAssembly: add support for stream APIs - JavaScript API
        https://bugs.webkit.org/show_bug.cgi?id=183442

        Reviewed by Yusuke Suzuki and JF Bastien.

        Add the WebAssembly stream API. The current patch only adds the functions
        WebAssembly.compileStreaming and WebAssembly.instantiateStreaming, but
        does not add a streaming implementation. So in the current version it
        only waits for the whole module to load, then starts to parse.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.h:
        * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
        (compileStreaming):
        (instantiateStreaming):
        * jsc.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::hasPendingPromise):
        (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
        * runtime/PromiseDeferredTimer.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyModuleValidateAsyncInternal):
        (JSC::webAssemblyCompileFunc):
        (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
        (JSC::webAssemblyModuleInstantinateAsyncInternal):
        (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
        (JSC::webAssemblyCompileStreamingInternal):
        (JSC::webAssemblyInstantiateStreamingInternal):
        (JSC::WebAssemblyPrototype::create):
        (JSC::WebAssemblyPrototype::finishCreation):
        * wasm/js/WebAssemblyPrototype.h:

2018-04-30  Saam Barati  <sbarati@apple.com>

        ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=185149
        <rdar://problem/39455917>

        Reviewed by Filip Pizlo.

        The bug was that we were deleting checks that we shouldn't have deleted.
        This patch makes a helper inside strength reduction that converts to
        a LazyJSConstant while maintaining checks, and switches users of the
        node API inside strength reduction to instead call the helper function.

        This patch also fixes a potential bug where StringReplace and
        StringReplaceRegExp may not preserve all their checks.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        LICM shouldn't hoist nodes if hoisted nodes exited in that code block
        https://bugs.webkit.org/show_bug.cgi?id=185126

        Reviewed by Saam Barati.

        This change is just restoring functionality that we've already had for a while. It had been
        accidentally broken due to an unrelated CodeBlock refactoring.

        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):

2018-04-30  Mark Lam  <mark.lam@apple.com>

        Apply PtrTags to the MetaAllocator and friends.
        https://bugs.webkit.org/show_bug.cgi?id=185110
        <rdar://problem/39533895>

        Reviewed by Saam Barati.

        1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
        2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
           and add a sanity check to verify that allocated code buffers are within those
           bounds.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::debugAddress):
        (JSC::LinkBuffer::code):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::findPC):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        (JSC::isJITPC):
        (JSC::performJITMemcpy):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * runtime/JSCPtrTag.h:
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move the MayBePrototype JSCell header bit to InlineTypeFlags
        https://bugs.webkit.org/show_bug.cgi?id=185143

        Reviewed by Mark Lam.

        * runtime/IndexingType.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        (JSC::JSCell::mayBePrototype const):
        (JSC::JSCell::didBecomePrototype):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::mayBePrototype):
        (JSC::TypeInfo::mergeInlineTypeFlags):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Remove unneeded exception check from String.fromCharCode
        https://bugs.webkit.org/show_bug.cgi?id=185083

        Reviewed by Mark Lam.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move StructureIsImmortal to out of line flags.
        https://bugs.webkit.org/show_bug.cgi?id=185101

        Reviewed by Saam Barati.

        This will free up a bit in the inline flags where we can move the
        isPrototype bit to. This will, in turn, free a bit for use in
        implementing copy on write butterflies.

        Also, this patch removes an assertion from Structure::typeInfo()
        that inadvertently makes the function invalid to call while
        cleaning up the vm.

        * heap/HeapCellType.cpp:
        (JSC::DefaultDestroyFunc::operator() const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::callDestructor): Deleted.
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasStaticPropertyTable):
        (JSC::TypeInfo::structureIsImmortal const):
        * runtime/Structure.h:

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove arity fixup check if the number of parameters is 1
        https://bugs.webkit.org/show_bug.cgi?id=183984

        Reviewed by Mark Lam.

        If the number of parameters is one (|this|), we never hit the arity fixup check.
        We do not need to emit arity fixup check code.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use WordLock instead of std::mutex for Threading
        https://bugs.webkit.org/show_bug.cgi?id=185121

        Reviewed by Geoffrey Garen.

        ThreadGroup starts using WordLock.

        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::getLock):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        B3 should run tail duplication at the bitter end
        https://bugs.webkit.org/show_bug.cgi?id=185123

        Reviewed by Geoffrey Garen.

        Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
        everywhere else.

        The goal of this change is to allow us to run path specialization after switch lowering but
        before tail duplication.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * runtime/Options.h:

2018-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231137.
        https://bugs.webkit.org/show_bug.cgi?id=185118

        It is breaking Test262 language/expressions/multiplication
        /order-of-evaluation.js (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231137

2018-04-28  Saam Barati  <sbarati@apple.com>

        We don't model regexp effects properly
        https://bugs.webkit.org/show_bug.cgi?id=185059
        <rdar://problem/39736150>

        Reviewed by Filip Pizlo.

        RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
        the regexp is global.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-04-28  Rick Waldron  <waldron.rick@gmail.com>

        Token misspelled "tocken" in error message string
        https://bugs.webkit.org/show_bug.cgi?id=185030

        Reviewed by Saam Barati.

        * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
        (JSC::Parser<LexerType>::parseObjectRestElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseBreakStatement):
        (JSC::Parser<LexerType>::parseContinueStatement):
        (JSC::Parser<LexerType>::parseThrowStatement):
        (JSC::Parser<LexerType>::parseWithStatement):
        (JSC::Parser<LexerType>::parseSwitchStatement):
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseTryStatement):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseExpressionStatement):
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseConditionalExpression):
        (JSC::Parser<LexerType>::parseBinaryExpression):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseArrayLiteral):
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::operatorString):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):

2018-04-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in the
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned where there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231131.
        https://bugs.webkit.org/show_bug.cgi?id=185112

        It is breaking Debug build due to unchecked exception
        (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231131

2018-04-27  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in the
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned where there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-27  JF Bastien  <jfbastien@apple.com>

        Make the first 64 bits of JSString look like a double JSValue
        https://bugs.webkit.org/show_bug.cgi?id=185081

        Reviewed by Filip Pizlo.

        We can be clever about how we lay out JSString so that, were it
        reinterpreted as a JSValue, it would look like a double.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and16):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andw_mr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        * runtime/JSString.h:
        (JSC::JSString::JSString):

2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
        https://bugs.webkit.org/show_bug.cgi?id=185055

        Reviewed by JF Bastien.

        This patch is paving the way to emitting the jscvt instruction if possible.
        To do that, we need to determine whether the jscvt instruction is supported by the
        given CPU.

        We add a function collectCPUFeatures, which is responsible for collecting
        CPU features if necessary. On Linux, we can use the auxiliary vector to get
        the information without parsing /proc/cpuinfo.

        Currently, nobody calls this function. It will be called later when we emit
        the jscvt instruction. To make that possible, we also need to add disassembler
        support.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerX86Common.h:

2018-04-26  Filip Pizlo  <fpizlo@apple.com>

        Also run foldPathConstants before mussing up SSA
        https://bugs.webkit.org/show_bug.cgi?id=185069

        Reviewed by Saam Barati.

        This isn't needed now, but will be once I implement the phase in bug 185060.

        This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
        Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
        be landed separately and measured separately from that phase.

        It's probably nice for sanity to have this and reduceStrength run before tail duplication and
        another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
        it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
        neutral. It all depends on what programs typically look like.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):

2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231086.

        Caused JSC test failures due to an unchecked exception.

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231086

2018-04-26  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in the
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned where there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Speculative build fix for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Not reviewed.

        * runtime/JSCPtrTag.h:

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Windows build fix.

        Not reviewed.

        * runtime/Options.cpp:

2018-04-26  Jer Noble  <jer.noble@apple.com>

        WK_COCOA_TOUCH all the things.
        https://bugs.webkit.org/show_bug.cgi?id=185006
        <rdar://problem/39736025>

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:

2018-04-26  Per Arne Vollan  <pvollan@apple.com>

        Disable content filtering in minimal simulator mode
        https://bugs.webkit.org/show_bug.cgi?id=185027
        <rdar://problem/39736091>

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Intl.PluralRules
        https://bugs.webkit.org/show_bug.cgi?id=184312

        Reviewed by JF Bastien.

        Use UNumberFormat to enforce formatting, and then UPluralRules to find
        the correct plural rule for the given number. Relies on ICU v59+ for
        resolvedOptions().pluralCategories and trailing 0 detection.
        Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.h:
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
        * runtime/BigIntObject.h:
        * runtime/CommonIdentifiers.h:
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp: Added.
        (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
        (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
        (JSC::UEnumerationDeleter::operator() const):
        (JSC::IntlPluralRules::create):
        (JSC::IntlPluralRules::createStructure):
        (JSC::IntlPluralRules::IntlPluralRules):
        (JSC::IntlPluralRules::finishCreation):
        (JSC::IntlPluralRules::destroy):
        (JSC::IntlPluralRules::visitChildren):
        (JSC::IntlPRInternal::localeData):
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h: Added.
        * runtime/IntlPluralRulesConstructor.cpp: Added.
        (JSC::IntlPluralRulesConstructor::create):
        (JSC::IntlPluralRulesConstructor::createStructure):
        (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
        (JSC::IntlPluralRulesConstructor::finishCreation):
        (JSC::constructIntlPluralRules):
        (JSC::callIntlPluralRules):
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        (JSC::IntlPluralRulesConstructor::visitChildren):
        * runtime/IntlPluralRulesConstructor.h: Added.
        * runtime/IntlPluralRulesPrototype.cpp: Added.
        (JSC::IntlPluralRulesPrototype::create):
        (JSC::IntlPluralRulesPrototype::createStructure):
        (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
        (JSC::IntlPluralRulesPrototype::finishCreation):
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/IntlPluralRulesPrototype.h: Added.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/RegExpPrototype.cpp: Added inlines header.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Fix branch offsets in branchNeg32
        https://bugs.webkit.org/show_bug.cgi?id=185025

        Reviewed by Yusuke Suzuki.

        Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchNeg32):

2018-04-25  Robin Morisset  <rmorisset@apple.com>

        In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
        https://bugs.webkit.org/show_bug.cgi?id=184773
        <rdar://problem/37773612>

        Reviewed by Filip Pizlo.

        We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
        arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
        This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
        We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
        This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):

2018-04-25  Mark Lam  <mark.lam@apple.com>

        Push the definition of PtrTag down to the WTF layer.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerCodeRef.cpp:
        * assembler/MacroAssemblerCodeRef.h:
        * b3/B3MathExtras.cpp:
        * bytecode/LLIntCallLinkInfo.h:
        * disassembler/Disassembler.h:
        * ftl/FTLJITCode.cpp:
        * interpreter/InterpreterInlines.h:
        * jit/ExecutableAllocator.h:
        * jit/JITOperations.cpp:
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntPCRanges.h:
        * runtime/JSCPtrTag.h: Added.
        * runtime/NativeFunction.h:
        * runtime/PtrTag.h: Removed.
        * runtime/VMTraps.cpp:

2018-04-25  Keith Miller  <keith_miller@apple.com>

        getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
        https://bugs.webkit.org/show_bug.cgi?id=184998

        Reviewed by Saam Barati.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-04-25  Keith Miller  <keith_miller@apple.com>

        Add missing scope release to functionProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=184995

        Reviewed by Saam Barati.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

739 2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
740
741         REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
742         https://bugs.webkit.org/show_bug.cgi?id=184730
743
744         Reviewed by Mark Lam.
745
746         Add a swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (a temporary register in MacroAssemblerARM).
747         We now also use dataTempRegister, addressTempRegister, and fpTempRegister instead of S0, S1, and SD0.
748
749         We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with
750         the ARMv7 implementation.
751
752         * assembler/ARMAssembler.h:
753         * assembler/MacroAssemblerARM.h:
754         (JSC::MacroAssemblerARM::add32):
755         (JSC::MacroAssemblerARM::and32):
756         (JSC::MacroAssemblerARM::lshift32):
757         (JSC::MacroAssemblerARM::mul32):
758         (JSC::MacroAssemblerARM::or32):
759         (JSC::MacroAssemblerARM::rshift32):
760         (JSC::MacroAssemblerARM::urshift32):
761         (JSC::MacroAssemblerARM::sub32):
762         (JSC::MacroAssemblerARM::xor32):
763         (JSC::MacroAssemblerARM::load8):
764         (JSC::MacroAssemblerARM::abortWithReason):
765         (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
766         (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
767         (JSC::MacroAssemblerARM::store8):
768         (JSC::MacroAssemblerARM::store32):
769         (JSC::MacroAssemblerARM::push):
770         (JSC::MacroAssemblerARM::swap):
771         (JSC::MacroAssemblerARM::branch8):
772         (JSC::MacroAssemblerARM::branchPtr):
773         (JSC::MacroAssemblerARM::branch32):
774         (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
775         (JSC::MacroAssemblerARM::branchTest8):
776         (JSC::MacroAssemblerARM::branchTest32):
777         (JSC::MacroAssemblerARM::jump):
778         (JSC::MacroAssemblerARM::branchAdd32):
779         (JSC::MacroAssemblerARM::mull32):
780         (JSC::MacroAssemblerARM::branchMul32):
781         (JSC::MacroAssemblerARM::patchableBranch32):
782         (JSC::MacroAssemblerARM::nearCall):
783         (JSC::MacroAssemblerARM::compare32):
784         (JSC::MacroAssemblerARM::compare8):
785         (JSC::MacroAssemblerARM::test32):
786         (JSC::MacroAssemblerARM::test8):
787         (JSC::MacroAssemblerARM::add64):
788         (JSC::MacroAssemblerARM::load32):
789         (JSC::MacroAssemblerARM::call):
790         (JSC::MacroAssemblerARM::branchPtrWithPatch):
791         (JSC::MacroAssemblerARM::branch32WithPatch):
792         (JSC::MacroAssemblerARM::storePtrWithPatch):
793         (JSC::MacroAssemblerARM::loadDouble):
794         (JSC::MacroAssemblerARM::storeDouble):
795         (JSC::MacroAssemblerARM::addDouble):
796         (JSC::MacroAssemblerARM::divDouble):
797         (JSC::MacroAssemblerARM::subDouble):
798         (JSC::MacroAssemblerARM::mulDouble):
799         (JSC::MacroAssemblerARM::convertInt32ToDouble):
800         (JSC::MacroAssemblerARM::branchDouble):
801         (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
802         (JSC::MacroAssemblerARM::truncateDoubleToInt32):
803         (JSC::MacroAssemblerARM::truncateDoubleToUint32):
804         (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
805         (JSC::MacroAssemblerARM::branchDoubleNonZero):
806         (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
807         (JSC::MacroAssemblerARM::call32):
808         (JSC::MacroAssemblerARM::internalCompare32):
809
810 2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>
811
812         [WinCairo] Fix js/regexp-unicode.html crash.
813         https://bugs.webkit.org/show_bug.cgi?id=184891
814
815         Reviewed by Yusuke Suzuki.
816
817         On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
818         RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.
819
820         * yarr/YarrJIT.cpp:
821         (JSC::Yarr::YarrGenerator::generateEnter):
822         (JSC::Yarr::YarrGenerator::generateReturn):
823         Unconditionally save and restore RDI on 64-bit Windows.
824
825 2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>
826
827         [GTK] Miscellaneous build cleanups
828         https://bugs.webkit.org/show_bug.cgi?id=184399
829
830         Reviewed by Žan Doberšek.
831
832         * PlatformGTK.cmake:
833
834 2018-04-24  Keith Miller  <keith_miller@apple.com>
835
836         fromCharCode is missing some exception checks
837         https://bugs.webkit.org/show_bug.cgi?id=184952
838
839         Reviewed by Saam Barati.
840
841         I also removed the pointless slow path function and moved it into the
842         main function.
843
844         * runtime/StringConstructor.cpp:
845         (JSC::stringFromCharCode):
846         (JSC::stringFromCharCodeSlowCase): Deleted.
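
        The entry above is about checking for a pending exception after each argument conversion. The following is an
        added example written for this page (it is not JSC's code) that models the contract in plain C++: a VM with one
        pending-exception slot, a ToNumber that runs user-supplied valueOf, and String.fromCharCode written once without
        the per-argument check and once with it. The VM, JSValue and Outcome types and all helper names are toy stand-ins
        chosen for the model, not JSC's.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// Model of the engine-side contract: the VM owns a single pending-exception
// slot, every operation that can run user code may fill it, and the caller
// must check the slot after each such call before using the result (JSC
// spells that check RETURN_IF_EXCEPTION). Toy types written for this page.
struct VM {
    bool hasException = false;
    std::string exceptionMessage;
    void throwException(const std::string& message)
    {
        hasException = true;
        exceptionMessage = message;
    }
};

// A value is either a plain number or an object whose valueOf() the engine
// must call during ToNumber. valueOf() is user code: it may throw and it may
// have side effects, so running it after an earlier throw is observable.
struct JSValue {
    double number = 0;
    std::function<double(VM&)> valueOf; // empty for plain numbers
};

static double toNumber(VM& vm, const JSValue& value)
{
    if (!value.valueOf)
        return value.number;
    return value.valueOf(vm); // may set vm.hasException; the result is then meaningless
}

// ECMAScript ToUint16: NaN and infinities map to 0, everything else is
// truncated and reduced modulo 2^16 into [0, 65535].
static char16_t toUint16(double d)
{
    if (!std::isfinite(d))
        return 0;
    double m = std::fmod(std::trunc(d), 65536.0);
    if (m < 0)
        m += 65536.0;
    return static_cast<char16_t>(m);
}

// The shape of the bug: ToNumber runs on every argument but the pending
// exception is never consulted, so later arguments still run user code and
// a result string is produced even though an exception is pending.
static std::u16string fromCharCodeMissingChecks(VM& vm, const std::vector<JSValue>& args)
{
    std::u16string result;
    for (const JSValue& arg : args)
        result.push_back(toUint16(toNumber(vm, arg)));
    return result;
}

// Hardened form: check the slot after each call that can throw and unwind
// at once, returning nothing so the caller sees only the pending exception.
static std::u16string fromCharCodeChecked(VM& vm, const std::vector<JSValue>& args)
{
    std::u16string result;
    for (const JSValue& arg : args) {
        double d = toNumber(vm, arg);
        if (vm.hasException)
            return std::u16string();
        result.push_back(toUint16(d));
    }
    return result;
}

// Drive both versions over a constructed argument list: a plain number, an
// object whose valueOf throws, and an object whose valueOf counts its calls.
struct Outcome {
    std::size_t resultLength;
    int laterValueOfCalls; // how often the third argument's valueOf ran
    bool exceptionPending;
};

static Outcome runFromCharCode(bool checked)
{
    VM vm;
    int laterCalls = 0;
    std::vector<JSValue> args(3);
    args[0].number = 65; // 'A'
    args[1].valueOf = [](VM& v) { v.throwException("valueOf threw"); return 0.0; };
    args[2].valueOf = [&laterCalls](VM&) { ++laterCalls; return 66.0; };
    std::u16string result = checked ? fromCharCodeChecked(vm, args) : fromCharCodeMissingChecks(vm, args);
    return Outcome { result.size(), laterCalls, vm.hasException };
}

int main()
{
    Outcome buggy = runFromCharCode(false), fixed = runFromCharCode(true);
    std::printf("missing checks: %zu chars, later valueOf ran %d time(s)\n", buggy.resultLength, buggy.laterValueOfCalls);
    std::printf("with checks:    %zu chars, later valueOf ran %d time(s)\n", fixed.resultLength, fixed.laterValueOfCalls);
    return 0;
}
```

        Without the check the third argument's valueOf still runs and a three-character string is handed back while an
        exception is pending; with the check the loop unwinds on the second argument and the caller sees only the
        exception.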
847
848 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
849
850         MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
851         https://bugs.webkit.org/show_bug.cgi?id=184923
852
853         Reviewed by Saam Barati.
854         
855         If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
856         (i.e. we know that the object has one of those structures), then previously we would still emit a
857         switch with a case per structure along with a default case. That would mean one extra redundant
858         branch to check that whatever structure we wound up with belongs to the set. In that case, we
859         were already making the default case be an Oops.
860         
861         One possible solution would be to say that the default case being Oops means that B3 doesn't need
862         to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
863         be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
864         seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
865         trap.
866         
867         So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
868         extra branch.
869         
870         This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
871         it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
872         read.
873
874         * ftl/FTLLowerDFGToB3.cpp:
875         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
876         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
877         (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):
878
879 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
880
881         DFG CSE should know how to decay a MultiGetByOffset
882         https://bugs.webkit.org/show_bug.cgi?id=159859
883
884         Reviewed by Keith Miller.
885         
886         This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
887         clobberize() can report a def() for MultiGetByOffset.
888         
889         This is a slight improvement to codegen in splay because splay is a heavy user of
890         MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
891         "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
892         removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
893         splay's time.
894
895         * dfg/DFGClobberize.h:
896         (JSC::DFG::clobberize):
897         * dfg/DFGNode.cpp:
898         (JSC::DFG::Node::remove):
899         (JSC::DFG::Node::removeWithoutChecks):
900         (JSC::DFG::Node::replaceWith):
901         (JSC::DFG::Node::replaceWithWithoutChecks):
902         * dfg/DFGNode.h:
903         (JSC::DFG::Node::convertToMultiGetByOffset):
904         (JSC::DFG::Node::replaceWith): Deleted.
905         * dfg/DFGNodeType.h:
906         * dfg/DFGObjectAllocationSinkingPhase.cpp:
907
908 2018-04-24  Keith Miller  <keith_miller@apple.com>
909
910         Update API docs with information on which run loop the VM will use
911         https://bugs.webkit.org/show_bug.cgi?id=184900
912         <rdar://problem/39166054>
913
914         Reviewed by Mark Lam.
915
916         * API/JSContextRef.h:
917         * API/JSVirtualMachine.h:
918
919 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
920
921         $vm.totalGCTime() should be a thing
922         https://bugs.webkit.org/show_bug.cgi?id=184916
923
924         Reviewed by Sam Weinig.
925         
926         When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
927         time spent in GC to determine if the regression is because the GC got slower.
928         
929         This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
930
931         * heap/Heap.cpp:
932         (JSC::Heap::runEndPhase):
933         * heap/Heap.h:
934         (JSC::Heap::totalGCTime const):
935         * tools/JSDollarVM.cpp:
936         (JSC::functionTotalGCTime):
937         (JSC::JSDollarVM::finishCreation):
938
939 2018-04-23  Zalan Bujtas  <zalan@apple.com>
940
941         [LayoutFormattingContext] Initial commit.
942         https://bugs.webkit.org/show_bug.cgi?id=184896
943
944         Reviewed by Antti Koivisto.
945
946         * Configurations/FeatureDefines.xcconfig:
947
948 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
949
950         Unreviewed, revert accidental change to verbose flag.
951
952         * dfg/DFGByteCodeParser.cpp:
953
954 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
955
956         Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
957
958         Rubber stamped by Saam Barati.
959         
960         This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
961         anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
962         Seems sensible to just roll it out.
963
964         * dfg/DFGByteCodeParser.cpp:
965         (JSC::DFG::ByteCodeParser::addToGraph):
966         (JSC::DFG::ByteCodeParser::parse):
967
968 2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
969
970         [JSC] Remove ModuleLoaderPrototype
971         https://bugs.webkit.org/show_bug.cgi?id=184784
972
973         Reviewed by Mark Lam.
974
975         When we introduced ModuleLoaderPrototype, ModuleLoader could be created by users and exposed to users.
976         However, the loader spec has been abandoned, so we do not need to have ModuleLoaderPrototype and JSModuleLoader.
977         This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
978
979         * CMakeLists.txt:
980         * DerivedSources.make:
981         * JavaScriptCore.xcodeproj/project.pbxproj:
982         * Sources.txt:
983         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
984         * runtime/JSGlobalObject.cpp:
985         (JSC::JSGlobalObject::init):
986         (JSC::JSGlobalObject::visitChildren):
987         * runtime/JSGlobalObject.h:
988         (JSC::JSGlobalObject::proxyRevokeStructure const):
989         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
990         * runtime/JSModuleLoader.cpp:
991         (JSC::moduleLoaderParseModule):
992         (JSC::moduleLoaderRequestedModules):
993         (JSC::moduleLoaderModuleDeclarationInstantiation):
994         (JSC::moduleLoaderResolve):
995         (JSC::moduleLoaderResolveSync):
996         (JSC::moduleLoaderFetch):
997         (JSC::moduleLoaderGetModuleNamespaceObject):
998         (JSC::moduleLoaderEvaluate):
999         * runtime/JSModuleLoader.h:
1000         * runtime/ModuleLoaderPrototype.cpp: Removed.
1001         * runtime/ModuleLoaderPrototype.h: Removed.
1002
1003 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
1004
1005         [GLIB] All API tests fail in debug builds
1006         https://bugs.webkit.org/show_bug.cgi?id=184813
1007
1008         Reviewed by Mark Lam.
1009
1010         This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
1011         JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.
1012
1013         * API/glib/JSCContext.cpp:
1014         (JSCContextExceptionHandler::JSCContextExceptionHandler):
1015         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
1016         (jscContextConstructed):
1017         (ExceptionHandler::ExceptionHandler): Deleted.
1018         (ExceptionHandler::~ExceptionHandler): Deleted.
1019
1020 2018-04-20  Tim Horton  <timothy_horton@apple.com>
1021
1022         Adjust geolocation feature flag
1023         https://bugs.webkit.org/show_bug.cgi?id=184856
1024
1025         Reviewed by Wenson Hsieh.
1026
1027         * Configurations/FeatureDefines.xcconfig:
1028
1029 2018-04-20  Brian Burg  <bburg@apple.com>
1030
1031         Web Inspector: remove some dead code in IdentifiersFactory
1032         https://bugs.webkit.org/show_bug.cgi?id=184839
1033
1034         Reviewed by Timothy Hatcher.
1035
1036         This was never used on non-Chrome ports, so the identifier always has a
1037         prefix of '0.'. We may change this in the future, but for now remove this.
1038         Using a PID for this purpose is problematic anyway.
1039
1040         * inspector/IdentifiersFactory.cpp:
1041         (Inspector::addPrefixToIdentifier):
1042         (Inspector::IdentifiersFactory::createIdentifier):
1043         (Inspector::IdentifiersFactory::requestId):
1044         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
1045         * inspector/IdentifiersFactory.h:
1046
1047 2018-04-20  Mark Lam  <mark.lam@apple.com>
1048
1049         Add the ability to use a hash for setting PtrTag enum values.
1050         https://bugs.webkit.org/show_bug.cgi?id=184852
1051         <rdar://problem/39613891>
1052
1053         Reviewed by Saam Barati.
1054
1055         * runtime/PtrTag.h:
1056
1057 2018-04-20  Mark Lam  <mark.lam@apple.com>
1058
1059         Some JSEntryPtrTags should actually be JSInternalPtrTags.
1060         https://bugs.webkit.org/show_bug.cgi?id=184712
1061         <rdar://problem/39507381>
1062
1063         Reviewed by Michael Saboff.
1064
1065         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
1066         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
1067            only when needed.
1068
1069         * bytecode/AccessCase.cpp:
1070         (JSC::AccessCase::generateImpl):
1071         * bytecode/ByValInfo.h:
1072         (JSC::ByValInfo::ByValInfo):
1073         * bytecode/CallLinkInfo.cpp:
1074         (JSC::CallLinkInfo::callReturnLocation):
1075         (JSC::CallLinkInfo::patchableJump):
1076         (JSC::CallLinkInfo::hotPathBegin):
1077         (JSC::CallLinkInfo::slowPathStart):
1078         * bytecode/CallLinkInfo.h:
1079         (JSC::CallLinkInfo::setCallLocations):
1080         (JSC::CallLinkInfo::hotPathOther):
1081         * bytecode/PolymorphicAccess.cpp:
1082         (JSC::PolymorphicAccess::regenerate):
1083         * bytecode/StructureStubInfo.h:
1084         (JSC::StructureStubInfo::doneLocation):
1085         * dfg/DFGJITCompiler.cpp:
1086         (JSC::DFG::JITCompiler::link):
1087         * dfg/DFGOSRExit.cpp:
1088         (JSC::DFG::reifyInlinedCallFrames):
1089         * ftl/FTLLazySlowPath.cpp:
1090         (JSC::FTL::LazySlowPath::initialize):
1091         * ftl/FTLLazySlowPath.h:
1092         (JSC::FTL::LazySlowPath::done const):
1093         * ftl/FTLLowerDFGToB3.cpp:
1094         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1095         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1096         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1097         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1098         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1099         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1100         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1101         * jit/JIT.cpp:
1102         (JSC::JIT::link):
1103         * jit/JITExceptions.cpp:
1104         (JSC::genericUnwind):
1105         * jit/JITMathIC.h:
1106         (JSC::isProfileEmpty):
1107         * llint/LLIntData.cpp:
1108         (JSC::LLInt::initialize):
1109         * llint/LLIntData.h:
1110         (JSC::LLInt::getCodePtr):
1111         (JSC::LLInt::getExecutableAddress): Deleted.
1112         * llint/LLIntExceptions.cpp:
1113         (JSC::LLInt::callToThrow):
1114         * llint/LLIntSlowPaths.cpp:
1115         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1116         * wasm/js/WasmToJS.cpp:
1117         (JSC::Wasm::wasmToJS):
1118
1119 2018-04-18  Jer Noble  <jer.noble@apple.com>
1120
1121         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
1122         https://bugs.webkit.org/show_bug.cgi?id=184762
1123
1124         Reviewed by Dan Bernstein.
1125
1126         * Configurations/Base.xcconfig:
1127         * JavaScriptCore.xcodeproj/project.pbxproj:
1128
1129 2018-04-20  Daniel Bates  <dabates@apple.com>
1130
1131         Remove code for compilers that did not support NSDMI for aggregates
1132         https://bugs.webkit.org/show_bug.cgi?id=184599
1133
1134         Reviewed by Per Arne Vollan.
1135
1136         Remove workaround for earlier Visual Studio versions that did not support non-static data
1137         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
1138         and EWS bots to a newer version that supports this feature.
1139
1140         * domjit/DOMJITEffect.h:
1141         (JSC::DOMJIT::Effect::Effect): Deleted.
1142         * runtime/HasOwnPropertyCache.h:
1143         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
1144         * wasm/WasmFormat.h:
1145         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
1146
1147 2018-04-20  Mark Lam  <mark.lam@apple.com>
1148
1149         Build fix for internal builds after r230826.
1150         https://bugs.webkit.org/show_bug.cgi?id=184790
1151         <rdar://problem/39301369>
1152
1153         Not reviewed.
1154
1155         * runtime/Options.cpp:
1156         (JSC::overrideDefaults):
1157         * tools/SigillCrashAnalyzer.cpp:
1158         (JSC::SignalContext::dump):
1159
1160 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
1161
1162         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
1163         https://bugs.webkit.org/show_bug.cgi?id=184254
1164         <rdar://problem/39140200>
1165
1166         Reviewed by Daniel Bates.
1167
1168         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
1169
1170         * runtime/ArrayBuffer.h:
1171         (JSC::ArrayBufferContents::ArrayBufferContents):
1172
1173 2018-04-19  Mark Lam  <mark.lam@apple.com>
1174
1175         Apply pointer profiling to Signal pointers.
1176         https://bugs.webkit.org/show_bug.cgi?id=184790
1177         <rdar://problem/39301369>
1178
1179         Reviewed by Michael Saboff.
1180
1181         1. Change stackPointer, framePointer, and instructionPointer accessors to
1182            be a pair of getter/setter functions.
1183         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
1184            pointer profiling variants of these accessors.
1185         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
1186
1187         * JavaScriptCorePrefix.h:
1188         * runtime/MachineContext.h:
1189         (JSC::MachineContext::stackPointerImpl):
1190         (JSC::MachineContext::stackPointer):
1191         (JSC::MachineContext::setStackPointer):
1192         (JSC::MachineContext::framePointerImpl):
1193         (JSC::MachineContext::framePointer):
1194         (JSC::MachineContext::setFramePointer):
1195         (JSC::MachineContext::instructionPointerImpl):
1196         (JSC::MachineContext::instructionPointer):
1197         (JSC::MachineContext::setInstructionPointer):
1198         (JSC::MachineContext::linkRegisterImpl):
1199         (JSC::MachineContext::linkRegister):
1200         (JSC::MachineContext::setLinkRegister):
1201         * runtime/SamplingProfiler.cpp:
1202         (JSC::SamplingProfiler::takeSample):
1203         * runtime/VMTraps.cpp:
1204         (JSC::SignalContext::SignalContext):
1205         (JSC::VMTraps::tryInstallTrapBreakpoints):
1206         * tools/CodeProfiling.cpp:
1207         (JSC::profilingTimer):
1208         * tools/SigillCrashAnalyzer.cpp:
1209         (JSC::SignalContext::dump):
1210         (JSC::installCrashHandler):
1211         (JSC::SigillCrashAnalyzer::analyze):
1212         * wasm/WasmFaultSignalHandler.cpp:
1213         (JSC::Wasm::trapHandler):
1214
1215 2018-04-19  David Kilzer  <ddkilzer@apple.com>
1216
1217         Enable Objective-C weak references
1218         <https://webkit.org/b/184789>
1219         <rdar://problem/39571716>
1220
1221         Reviewed by Dan Bernstein.
1222
1223         * Configurations/Base.xcconfig:
1224         (CLANG_ENABLE_OBJC_WEAK): Enable.
1225         * Configurations/ToolExecutable.xcconfig:
1226         (CLANG_ENABLE_OBJC_ARC): Simplify.
1227
1228 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
1229
1230         The InternalFunction hierarchy should be in IsoSubspaces
1231         https://bugs.webkit.org/show_bug.cgi?id=184721
1232
1233         Reviewed by Saam Barati.
1234         
1235         This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
1236         but subclasses that are the same size as InternalFunction share its subspace. I did this
1237         because the subclasses appear to just override methods, which are called dynamically via the
1238         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
1239         allocate one kind of InternalFunction over another.
1240
1241         * API/JSBase.h:
1242         * API/JSCallbackFunction.h:
1243         * API/ObjCCallbackFunction.h:
1244         (JSC::ObjCCallbackFunction::subspaceFor):
1245         * CMakeLists.txt:
1246         * JavaScriptCore.xcodeproj/project.pbxproj:
1247         * Sources.txt:
1248         * heap/IsoSubspacePerVM.cpp: Added.
1249         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
1250         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
1251         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
1252         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
1253         (JSC::IsoSubspacePerVM::forVM):
1254         * heap/IsoSubspacePerVM.h: Added.
1255         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
1256         * runtime/Error.h:
1257         * runtime/ErrorConstructor.h:
1258         * runtime/InternalFunction.h:
1259         (JSC::InternalFunction::subspaceFor):
1260         * runtime/IntlCollatorConstructor.h:
1261         * runtime/IntlDateTimeFormatConstructor.h:
1262         * runtime/IntlNumberFormatConstructor.h:
1263         * runtime/JSArrayBufferConstructor.h:
1264         * runtime/NativeErrorConstructor.h:
1265         * runtime/ProxyRevoke.h:
1266         * runtime/RegExpConstructor.h:
1267         * runtime/VM.cpp:
1268         (JSC::VM::VM):
1269         * runtime/VM.h:
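
        The reasoning in the entry above (same-size subclasses may share a subspace because behaviour is selected via
        the structure or class, so a use-after-free that lands one of them over another confuses no fields) is easiest
        to see with a small allocator. The following is an added example written for this page, not JSC's IsoSubspace:
        a pool with its own free list, two same-size InternalFunction-like layouts, and a third same-size type with a
        different layout. The layouts, sizes and type names are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Toy model of an isolated subspace: equal-sized cells with their own free
// list. A cell freed here is only ever handed back to an allocation made
// through this same subspace, so a dangling pointer into it can only alias
// another object of the type(s) the subspace is reserved for.
// (Example code written for this page, not JSC's IsoSubspace.)
class IsoSubspace {
public:
    IsoSubspace(std::size_t cellSize, std::size_t cellCount)
        : m_storage(cellSize * cellCount)
    {
        // Thread every cell onto the free list; the lowest address goes out first.
        for (std::size_t i = cellCount; i-- > 0;)
            m_freeList.push_back(m_storage.data() + i * cellSize);
    }

    void* allocate()
    {
        if (m_freeList.empty())
            return nullptr;
        void* cell = m_freeList.back();
        m_freeList.pop_back();
        return cell;
    }

    // LIFO reuse, like a real free list: the next allocation gets this cell back.
    void deallocate(void* cell) { m_freeList.push_back(cell); }

private:
    std::vector<std::uint8_t> m_storage;
    std::vector<void*> m_freeList;
};

// Two InternalFunction-like layouts of the same size. Per the entry above they
// may share one subspace: the layout is identical and behaviour is chosen via
// the structure/class, so aliasing one over the other confuses no fields.
struct CalleeA { std::uintptr_t structureID; void (*nativeFunction)(); };
struct CalleeB { std::uintptr_t structureID; void (*nativeFunction)(); };
// A third type of the same size but a different layout: must not share.
struct Bucket { std::uintptr_t structureID; void* butterfly; };
static_assert(sizeof(CalleeA) == sizeof(Bucket), "same size class");

// A conventional size-class heap: every object of this size, whatever its
// type, comes from one free list. Free a CalleeA, allocate a Bucket, and the
// stale CalleeA* now points at a live Bucket: the use-after-free has become a
// type confusion (reading nativeFunction yields Bucket::butterfly).
bool sizeClassHeapAliasesAcrossTypes()
{
    IsoSubspace sizeClass(sizeof(CalleeA), 4);
    void* stale = sizeClass.allocate();
    sizeClass.deallocate(stale);
    void* bucket = sizeClass.allocate();
    return stale == bucket; // true
}

// Per-type subspaces: the freed CalleeA cell can only come back as a CalleeA
// or CalleeB; a Bucket is carved from its own pool.
bool isoSubspacesAliasAcrossTypes()
{
    IsoSubspace calleeSpace(sizeof(CalleeA), 4);
    IsoSubspace bucketSpace(sizeof(Bucket), 4);
    void* stale = calleeSpace.allocate();
    calleeSpace.deallocate(stale);
    void* bucket = bucketSpace.allocate();
    return stale == bucket; // false
}

// Memory is still reused, just never across layouts.
bool isoSubspaceStillReusesWithinType()
{
    IsoSubspace calleeSpace(sizeof(CalleeA), 4);
    void* stale = calleeSpace.allocate();
    calleeSpace.deallocate(stale);
    void* fresh = calleeSpace.allocate(); // a CalleeA or CalleeB, same layout either way
    return stale == fresh; // true
}

int main()
{
    std::printf("size-class heap aliases across types: %d, iso subspaces alias: %d, iso reuse within type: %d\n",
        sizeClassHeapAliasesAcrossTypes(), isoSubspacesAliasAcrossTypes(), isoSubspaceStillReusesWithinType());
    return 0;
}
```

        The first function is the property an attacker wants (stale pointer, fresh object of a different layout at the
        same address); the other two show that isolating by type removes it without giving up reuse inside a type.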
1270
1271 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1272
1273         Unreviewed, Fix jsc shell
1274         https://bugs.webkit.org/show_bug.cgi?id=184600
1275
1276         WebAssembly module loading does not finish with drainMicrotasks().
1277         So JSNativeStdFunction's capturing variables become invalid.
1278         This patch fixes this issue.
1279
1280         * jsc.cpp:
1281         (functionDollarAgentStart):
1282         (runWithOptions):
1283         (runJSC):
1284         (jscmain):
1285
1286 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
1287
1288         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
1289         https://bugs.webkit.org/show_bug.cgi?id=184725
1290
1291         Reviewed by Mark Lam.
1292
1293         * jit/JIT.h:
1294
1295 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1296
1297         [WebAssembly][Modules] Import tables in wasm modules
1298         https://bugs.webkit.org/show_bug.cgi?id=184738
1299
1300         Reviewed by JF Bastien.
1301
1302         This patch simply allows wasm modules to import tables from wasm modules / JS re-exporting.
1303         Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
1304         just works.
1305
1306         * wasm/js/JSWebAssemblyInstance.cpp:
1307         (JSC::JSWebAssemblyInstance::create):
1308         * wasm/js/WebAssemblyModuleRecord.cpp:
1309         (JSC::WebAssemblyModuleRecord::link):
1310
1311 2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>
1312
1313         [ARM] Fix build error and crash after PtrTag change
1314         https://bugs.webkit.org/show_bug.cgi?id=184732
1315
1316         Reviewed by Mark Lam.
1317
1318         Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
1319         MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
1320         twice with ARM-Thumb2.
1321
1322         * assembler/MacroAssemblerCodeRef.h:
1323         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1324         * jit/JITPropertyAccess32_64.cpp:
1325         (JSC::JIT::emitSlow_op_put_by_val):
1326         * jit/Repatch.cpp:
1327         (JSC::linkPolymorphicCall):
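
        Several entries in this section rest on the same pointer-tagging idea: "Add the ability to use a hash for
        setting PtrTag enum values", "Some JSEntryPtrTags should actually be JSInternalPtrTags" (tag LLInt bytecodes
        with BytecodePtrTag and retag only when needed), "Apply pointer profiling to Signal pointers", and the ARM fix
        above that avoids tagging a pointer twice. The following is an added example written for this page, not JSC's
        PtrTag code: a software model in which a keyed hash stands in for the hardware pointer-authentication signature,
        kept in the top 16 bits of the pointer. The FNV-1a tag hash, the process key constant, the assumption that
        user-space code addresses leave those bits clear, and the helper names tagCodePtr/untagCodePtr/retagCodePtr are
        all choices made for the model.

```cpp
#include <cstdint>
#include <cstdio>

// Software model of pointer tagging, written for this page; not JSC's code.
// On ARM64E hardware pointer authentication computes the signature; here a
// keyed hash does, and the 16-bit signature lives in the top bits of the
// pointer, which user-space addresses leave clear (assumption of the model).

// Tag values hashed from the tag's name (FNV-1a; JSC's own hash is not reproduced).
constexpr std::uint16_t hashTagName(const char* name)
{
    std::uint32_t h = 2166136261u;
    for (; *name; ++name)
        h = (h ^ static_cast<std::uint8_t>(*name)) * 16777619u;
    return static_cast<std::uint16_t>((h >> 16) ^ h) | 1; // never 0: 0 is NoPtrTag
}

enum PtrTag : std::uint16_t {
    NoPtrTag = 0,
    BytecodePtrTag = hashTagName("BytecodePtrTag"),
    JSEntryPtrTag = hashTagName("JSEntryPtrTag"),
    JSInternalPtrTag = hashTagName("JSInternalPtrTag"),
};
static_assert(BytecodePtrTag != JSEntryPtrTag && JSEntryPtrTag != JSInternalPtrTag
    && BytecodePtrTag != JSInternalPtrTag, "tag hash collision");

static const std::uint64_t kProcessKey = 0x9E3779B97F4A7C15ull; // a real implementation draws this per process
static const std::uint64_t kAddressMask = 0x0000FFFFFFFFFFFFull;

static std::uint64_t mix64(std::uint64_t x)
{
    x ^= x >> 33; x *= 0xff51afd7ed558ccdull;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ull;
    return x ^ (x >> 33);
}

// 16-bit signature over (address, tag, key); any change to an input changes it.
static std::uint16_t signature(std::uintptr_t address, PtrTag tag)
{
    return static_cast<std::uint16_t>(mix64(address ^ (std::uint64_t(tag) << 48) ^ kProcessKey) >> 48) | 1;
}

// Sign a raw executable address. Refuses an address whose top bits are already
// in use: that is the "tagged twice" case the ARM fix above avoids.
template <PtrTag tag>
std::uint64_t tagCodePtr(std::uintptr_t address)
{
    if (address & ~kAddressMask)
        return 0;
    return address | (std::uint64_t(signature(address, tag)) << 48);
}

// Verify and strip. A wrong tag, or any flipped address bit, yields 0 instead
// of a usable pointer (hardware hands back a poisoned pointer that faults).
template <PtrTag tag>
std::uintptr_t untagCodePtr(std::uint64_t tagged)
{
    std::uintptr_t address = tagged & kAddressMask;
    if (static_cast<std::uint16_t>(tagged >> 48) != signature(address, tag))
        return 0;
    return address;
}

// Retag only where a pointer really crosses a tag boundary: verify under the
// old tag, then sign under the new one.
template <PtrTag from, PtrTag to>
std::uint64_t retagCodePtr(std::uint64_t tagged)
{
    std::uintptr_t address = untagCodePtr<from>(tagged);
    return address ? tagCodePtr<to>(address) : 0;
}

// Stand-in for an LLInt bytecode handler or JIT entry point.
static int sampleEntryPoint(int x) { return x + 1; }
static std::uintptr_t entryAddress() { return reinterpret_cast<std::uintptr_t>(&sampleEntryPoint); }

bool matchingTagRoundTrips()
{
    std::uintptr_t address = untagCodePtr<BytecodePtrTag>(tagCodePtr<BytecodePtrTag>(entryAddress()));
    return address && reinterpret_cast<int (*)(int)>(address)(41) == 42;
}

// A JSEntryPtrTag consumer must not accept a BytecodePtrTag pointer. With the
// tag as a template parameter the mix-up is a compile error; this is the backstop.
bool wrongTagIsRejected() { return untagCodePtr<JSEntryPtrTag>(tagCodePtr<BytecodePtrTag>(entryAddress())) == 0; }

bool retagThenUntagWorks()
{
    std::uint64_t asEntry = retagCodePtr<BytecodePtrTag, JSEntryPtrTag>(tagCodePtr<BytecodePtrTag>(entryAddress()));
    return untagCodePtr<JSEntryPtrTag>(asEntry) == entryAddress();
}

bool taggingTwiceIsRejected()
{
    std::uint64_t once = tagCodePtr<BytecodePtrTag>(entryAddress());
    return tagCodePtr<BytecodePtrTag>(static_cast<std::uintptr_t>(once)) == 0;
}

// An attacker who nudges the signed pointer by 16 bytes invalidates the signature.
bool tamperedAddressIsRejected() { return untagCodePtr<BytecodePtrTag>(tagCodePtr<BytecodePtrTag>(entryAddress()) ^ 0x10) == 0; }

int main()
{
    std::printf("round trip %d, wrong tag rejected %d, retag %d, tagged twice rejected %d, tampered rejected %d\n",
        matchingTagRoundTrips(), wrongTagIsRejected(), retagThenUntagWorks(), taggingTwiceIsRejected(), tamperedAddressIsRejected());
    return 0;
}
```

        The model makes the three failure modes named in the entries observable: a pointer signed under one tag is
        refused by a consumer expecting another, a pointer that already carries a signature cannot be signed again, and
        a signed pointer whose address bits are altered no longer verifies.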
1328
1329 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1330
1331         [WebAssembly][Modules] Import globals from wasm modules
1332         https://bugs.webkit.org/show_bug.cgi?id=184736
1333
1334         Reviewed by JF Bastien.
1335
1336         This patch implements a feature importing globals to/from wasm modules.
1337         Since we are not supporting mutable globals now, we can just copy the
1338         global data when importing. Currently we do not support importing/exporting
1339         i64 globals. This will be supported once (1) mutable global bindings are
1340         specified and (2) BigInt based i64 importing/exporting is specified.
1341
1342         * wasm/js/JSWebAssemblyInstance.cpp:
1343         (JSC::JSWebAssemblyInstance::create):
1344         * wasm/js/WebAssemblyModuleRecord.cpp:
1345         (JSC::WebAssemblyModuleRecord::link):
1346
1347 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1348
1349         Unreviewed, fix build on ARM
1350
1351         * assembler/MacroAssemblerARM.h:
1352         (JSC::MacroAssemblerARM::readCallTarget):
1353
1354 2018-04-18  Tomas Popela  <tpopela@redhat.com>
1355
1356         Unreviewed, fix build with GCC
1357
1358         * assembler/LinkBuffer.h:
1359         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1360
1361 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1362
1363         Unreviewed, reland r230697, r230720, and r230724.
1364         https://bugs.webkit.org/show_bug.cgi?id=184600
1365
1366         With CatchScope check.
1367
1368         * JavaScriptCore.xcodeproj/project.pbxproj:
1369         * builtins/ModuleLoaderPrototype.js:
1370         (globalPrivate.newRegistryEntry):
1371         (requestInstantiate):
1372         (link):
1373         * jsc.cpp:
1374         (convertShebangToJSComment):
1375         (fillBufferWithContentsOfFile):
1376         (fetchModuleFromLocalFileSystem):
1377         (GlobalObject::moduleLoaderFetch):
1378         (functionDollarAgentStart):
1379         (checkException):
1380         (runWithOptions):
1381         * parser/NodesAnalyzeModule.cpp:
1382         (JSC::ImportDeclarationNode::analyzeModule):
1383         * parser/SourceProvider.h:
1384         (JSC::WebAssemblySourceProvider::create):
1385         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1386         * runtime/AbstractModuleRecord.cpp:
1387         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1388         (JSC::AbstractModuleRecord::resolveImport):
1389         (JSC::AbstractModuleRecord::link):
1390         (JSC::AbstractModuleRecord::evaluate):
1391         (JSC::identifierToJSValue): Deleted.
1392         * runtime/AbstractModuleRecord.h:
1393         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
1394         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
1395         * runtime/JSModuleEnvironment.cpp:
1396         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1397         * runtime/JSModuleLoader.cpp:
1398         (JSC::JSModuleLoader::evaluate):
1399         * runtime/JSModuleRecord.cpp:
1400         (JSC::JSModuleRecord::link):
1401         (JSC::JSModuleRecord::instantiateDeclarations):
1402         * runtime/JSModuleRecord.h:
1403         * runtime/ModuleLoaderPrototype.cpp:
1404         (JSC::moduleLoaderPrototypeParseModule):
1405         (JSC::moduleLoaderPrototypeRequestedModules):
1406         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1407         * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
1408         * wasm/js/JSWebAssemblyHelpers.h:
1409         (JSC::getWasmBufferFromValue):
1410         (JSC::createSourceBufferFromValue):
1411         * wasm/js/JSWebAssemblyInstance.cpp:
1412         (JSC::JSWebAssemblyInstance::finalizeCreation):
1413         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
1414         (JSC::JSWebAssemblyInstance::create):
1415         * wasm/js/JSWebAssemblyInstance.h:
1416         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1417         (JSC::constructJSWebAssemblyInstance):
1418         * wasm/js/WebAssemblyModuleRecord.cpp:
1419         (JSC::WebAssemblyModuleRecord::prepareLink):
1420         (JSC::WebAssemblyModuleRecord::link):
1421         * wasm/js/WebAssemblyModuleRecord.h:
1422         * wasm/js/WebAssemblyPrototype.cpp:
1423         (JSC::resolve):
1424         (JSC::instantiate):
1425         (JSC::compileAndInstantiate):
1426         (JSC::WebAssemblyPrototype::instantiate):
1427         (JSC::webAssemblyInstantiateFunc):
1428         (JSC::webAssemblyValidateFunc):
1429         * wasm/js/WebAssemblyPrototype.h:
1430
1431 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
1432
1433         [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
1434         https://bugs.webkit.org/show_bug.cgi?id=184687
1435
1436         Reviewed by Michael Catanzaro.
1437
1438         Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
1439         JSClassDefinition. This is required to implement dynamic properties that can't be added with
1440         jsc_class_add_property() for example to implement something like imports object in seed/gjs.
1441
1442         * API/glib/JSCClass.cpp:
1443         (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
1444         can throw exceptions.
1445         (VTableExceptionHandler::~VTableExceptionHandler):
1446         (getProperty): Iterate the class chain to call get_property function.
1447         (setProperty): Iterate the class chain to call set_property function.
1448         (hasProperty): Iterate the class chain to call has_property function.
1449         (deleteProperty): Iterate the class chain to call delete_property function.
1450         (getPropertyNames): Iterate the class chain to call enumerate_properties function.
1451         (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
1452         jscClassCreate now.
1453         (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
1454         * API/glib/JSCClass.h:
1455         * API/glib/JSCClassPrivate.h:
1456         * API/glib/JSCContext.cpp:
1457         (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
1458         (jsc_context_register_class): Add JSCClassVTable parameter.
1459         * API/glib/JSCContext.h:
1460         * API/glib/JSCContextPrivate.h:
1461         * API/glib/JSCWrapperMap.cpp:
1462         (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
1463         * API/glib/JSCWrapperMap.h:
1464         * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
1465
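Editor's added example (not JSC's code, and not using the real jsc_* API): a self-contained model of the class-chain dispatch the entry above describes, where getProperty/setProperty/hasProperty/deleteProperty/getPropertyNames walk from the instance's class up through its parents and call whichever of the five vtable hooks (get_property, set_property, has_property, delete_property, enumerate_properties) each class implements. Everything below is an assumption made for the illustration: the hooks take a string name and return plain C++ values instead of being C callbacks over engine values, the "Imports" and "Store" classes and the constructed module table stand in for a gjs/seed-style imports object, the rule that the first class whose hook answers wins is the model's choice, and exceptions raised by hooks (the VTableExceptionHandler in the real change) are not modelled.

```cpp
#include <map>
#include <string>
#include <vector>

// Result of a get_property hook; found == false means "not mine, ask the parent class".
struct Lookup {
    bool found;
    std::string value;
};

struct Instance;

// Assumed vtable shape: the five hooks named in the ChangeLog, as plain function
// pointers so that a class can leave a hook it does not implement as nullptr.
struct VTable {
    Lookup (*get_property)(Instance&, const std::string&);
    bool (*set_property)(Instance&, const std::string&, const std::string&);
    bool (*has_property)(Instance&, const std::string&);
    bool (*delete_property)(Instance&, const std::string&);
    std::vector<std::string> (*enumerate_properties)(Instance&);
};

// A registered class: the parent pointer forms the chain, the vtable is optional.
struct Class {
    const char* name;
    const Class* parent;
    const VTable* vtable;
};

struct Instance {
    const Class* klass;
    std::map<std::string, std::string> ownProperties; // backing store for the Store hooks
};

// Hypothetical read-only "Imports" class: resolves names from a constructed module table.
static const std::map<std::string, std::string>& moduleTable()
{
    static const std::map<std::string, std::string> table = { { "gi", "module:gi" }, { "system", "module:system" } };
    return table;
}
static Lookup importsGet(Instance&, const std::string& name)
{
    auto it = moduleTable().find(name);
    return it == moduleTable().end() ? Lookup { false, std::string() } : Lookup { true, it->second };
}
static bool importsHas(Instance&, const std::string& name) { return moduleTable().count(name) != 0; }
static std::vector<std::string> importsEnumerate(Instance&)
{
    std::vector<std::string> names;
    for (const auto& entry : moduleTable())
        names.push_back(entry.first);
    return names;
}

// Hypothetical "Store" parent class: ordinary per-instance dynamic properties.
static Lookup storeGet(Instance& inst, const std::string& name)
{
    auto it = inst.ownProperties.find(name);
    return it == inst.ownProperties.end() ? Lookup { false, std::string() } : Lookup { true, it->second };
}
static bool storeSet(Instance& inst, const std::string& name, const std::string& value) { inst.ownProperties[name] = value; return true; }
static bool storeHas(Instance& inst, const std::string& name) { return inst.ownProperties.count(name) != 0; }
static bool storeDelete(Instance& inst, const std::string& name) { return inst.ownProperties.erase(name) != 0; }
static std::vector<std::string> storeEnumerate(Instance& inst)
{
    std::vector<std::string> names;
    for (const auto& entry : inst.ownProperties)
        names.push_back(entry.first);
    return names;
}

static const VTable importsVTable = { importsGet, nullptr, importsHas, nullptr, importsEnumerate }; // no set/delete: read-only
static const VTable storeVTable = { storeGet, storeSet, storeHas, storeDelete, storeEnumerate };

static const Class objectClass = { "Object", nullptr, nullptr };            // registered without a vtable
static const Class storeClass = { "Store", &objectClass, &storeVTable };
static const Class importsClass = { "Imports", &storeClass, &importsVTable };

// The chain walks: child class first, then parents; a class with no vtable or with
// that hook left null is skipped. The first class whose hook answers wins.
Lookup getProperty(Instance& inst, const std::string& name)
{
    for (const Class* c = inst.klass; c; c = c->parent) {
        if (!c->vtable || !c->vtable->get_property)
            continue;
        Lookup r = c->vtable->get_property(inst, name);
        if (r.found)
            return r;
    }
    return Lookup { false, std::string() }; // assumed: the engine then does its normal prototype lookup
}
bool setProperty(Instance& inst, const std::string& name, const std::string& value)
{
    for (const Class* c = inst.klass; c; c = c->parent)
        if (c->vtable && c->vtable->set_property && c->vtable->set_property(inst, name, value))
            return true;
    return false;
}
bool hasProperty(Instance& inst, const std::string& name)
{
    for (const Class* c = inst.klass; c; c = c->parent)
        if (c->vtable && c->vtable->has_property && c->vtable->has_property(inst, name))
            return true;
    return false;
}
bool deleteProperty(Instance& inst, const std::string& name)
{
    for (const Class* c = inst.klass; c; c = c->parent)
        if (c->vtable && c->vtable->delete_property && c->vtable->delete_property(inst, name))
            return true;
    return false;
}
// Enumeration is the one walk that collects from every class rather than stopping at the first.
std::vector<std::string> enumerateProperties(Instance& inst)
{
    std::vector<std::string> all;
    for (const Class* c = inst.klass; c; c = c->parent) {
        if (!c->vtable || !c->vtable->enumerate_properties)
            continue;
        std::vector<std::string> names = c->vtable->enumerate_properties(inst);
        all.insert(all.end(), names.begin(), names.end());
    }
    return all;
}

Instance makeImportsInstance() { return Instance { &importsClass, {} }; }
```

With this layering, a read of `gi` is answered by the Imports hook, a write to `cfg` falls through to the Store hook because Imports has no set_property, and deleting `gi` fails because no class in the chain will delete it; a class registered with no vtable at all, as every class was before this change, answers nothing. Note the trust boundary: once a class carries a vtable, every property access on its instances reaches native code with an attacker-chosen name string, so hooks must treat the name as untrusted input.
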
2018-04-17  Mark Lam  <mark.lam@apple.com>

        Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184702
        <rdar://problem/35391681>

        Reviewed by Filip Pizlo and Saam Barati.

        1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
           to take a PtrTag template argument.
        2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.

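Editor's added example (not JSC's code): why carrying the PtrTag in the type, as this entry does for CodePtr/CodeRef/FunctionPtr/CodeLocation, is a security property rather than a refactor. A code pointer signed for one purpose must never be consumed by code expecting another tag; with raw pointers that mistake is silent until the wrong address is jumped to, while with the tag as a template argument it is a compile error, and every place that deliberately crosses tags has to say so with an explicit retag (the entry's `retagged` members). The tag enum, the `TaggedCodePtr` class and the XOR stand-in for signing are assumptions made for the illustration; the real PtrTag machinery lives in PtrTag.h and on ARM64e uses pointer-authentication instructions with a secret key.

```cpp
#include <cstdint>
#include <type_traits>

// Hypothetical tag set; JSC's real PtrTag list is larger.
enum class PtrTag : uint64_t {
    NoPtrTag = 0,
    JITCodePtrTag = 0x11,
    OSRExitPtrTag = 0x22,
    SlowPathPtrTag = 0x33
};

// Stand-in for PAC sign/authenticate: fold the tag into the top bits. Real pointer
// authentication uses a per-process key and traps on a bad signature; this XOR only
// makes a tag mismatch observable in a test.
constexpr uint64_t signWithTag(uint64_t untagged, PtrTag tag)
{
    return untagged ^ (static_cast<uint64_t>(tag) << 48);
}
constexpr uint64_t authenticateWithTag(uint64_t signedValue, PtrTag tag)
{
    return signedValue ^ (static_cast<uint64_t>(tag) << 48);
}

// The tag is a template parameter, so TaggedCodePtr<A> and TaggedCodePtr<B> are
// unrelated types: no implicit conversion, no accidental mixing.
template <PtrTag tag>
class TaggedCodePtr {
public:
    constexpr TaggedCodePtr() : m_signed(0) { }

    // Build from a plain address; signs it under `tag`.
    static constexpr TaggedCodePtr fromUntagged(uint64_t untagged)
    {
        return TaggedCodePtr(signWithTag(untagged, tag));
    }

    // The bit pattern that would actually be stored or jumped through.
    constexpr uint64_t signedAddress() const { return m_signed; }

    // Authenticate under this pointer's own tag to recover the raw address.
    constexpr uint64_t untaggedAddress() const { return authenticateWithTag(m_signed, tag); }

    // Crossing tags is explicit: authenticate with the old tag, re-sign with the new one.
    template <PtrTag newTag>
    constexpr TaggedCodePtr<newTag> retagged() const
    {
        return TaggedCodePtr<newTag>::fromUntagged(untaggedAddress());
    }

private:
    constexpr explicit TaggedCodePtr(uint64_t signedValue) : m_signed(signedValue) { }
    uint64_t m_signed;
};

// A consumer states the tag it expects in its signature; any other tag fails to compile.
uint64_t jumpTarget(TaggedCodePtr<PtrTag::JITCodePtrTag> target)
{
    return target.untaggedAddress();
}

static_assert(!std::is_convertible<TaggedCodePtr<PtrTag::OSRExitPtrTag>,
                                    TaggedCodePtr<PtrTag::JITCodePtrTag>>::value,
              "pointers carrying different tags must not convert implicitly");

// Handing an OSR-exit pointer to a JIT-code consumer has to be a deliberate retag.
uint64_t handOffOSRExitToJIT(uint64_t rawAddress)
{
    TaggedCodePtr<PtrTag::OSRExitPtrTag> exitPtr = TaggedCodePtr<PtrTag::OSRExitPtrTag>::fromUntagged(rawAddress);
    // jumpTarget(exitPtr);  // does not compile: wrong tag
    return jumpTarget(exitPtr.retagged<PtrTag::JITCodePtrTag>());
}

// What raw uint64_t/void* plumbing permitted: authenticate under the wrong tag and get a
// bogus address with no diagnostic (under real PAC, a crash far away from the actual bug).
uint64_t mixTagsWithRawPointers(uint64_t rawAddress)
{
    uint64_t signedForOSRExit = signWithTag(rawAddress, PtrTag::OSRExitPtrTag);
    return authenticateWithTag(signedForOSRExit, PtrTag::JITCodePtrTag);
}
```

The practical payoff for review is that every tag crossing is now greppable: a search for `retagged<` lists exactly the sites where a pointer signed for one use is re-signed for another, which is where a mistaken or attacker-reachable retag would have to live.
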
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
        (JSC::AbstractMacroAssembler::linkJump):
        (JSC::AbstractMacroAssembler::linkPointer):
        (JSC::AbstractMacroAssembler::getLinkerAddress):
        (JSC::AbstractMacroAssembler::repatchJump):
        (JSC::AbstractMacroAssembler::repatchJumpToNop):
        (JSC::AbstractMacroAssembler::repatchNearCall):
        (JSC::AbstractMacroAssembler::repatchCompact):
        (JSC::AbstractMacroAssembler::repatchInt32):
        (JSC::AbstractMacroAssembler::repatchPointer):
        (JSC::AbstractMacroAssembler::readPointer):
        (JSC::AbstractMacroAssembler::replaceWithLoad):
        (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
        * assembler/CodeLocation.h:
        (JSC::CodeLocationCommon:: const):
        (JSC::CodeLocationCommon::CodeLocationCommon):
        (JSC::CodeLocationInstruction::CodeLocationInstruction):
        (JSC::CodeLocationLabel::CodeLocationLabel):
        (JSC::CodeLocationLabel::retagged):
        (JSC::CodeLocationLabel:: const):
        (JSC::CodeLocationJump::CodeLocationJump):
        (JSC::CodeLocationJump::retagged):
        (JSC::CodeLocationCall::CodeLocationCall):
        (JSC::CodeLocationCall::retagged):
        (JSC::CodeLocationNearCall::CodeLocationNearCall):
        (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
        (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
        (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
        (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
        (JSC::CodeLocationCommon<tag>::instructionAtOffset):
        (JSC::CodeLocationCommon<tag>::labelAtOffset):
        (JSC::CodeLocationCommon<tag>::jumpAtOffset):
        (JSC::CodeLocationCommon<tag>::callAtOffset):
        (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
        (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
        (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
        (JSC::CodeLocationCommon::labelAtOffset): Deleted.
        (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
        (JSC::CodeLocationCommon::callAtOffset): Deleted.
        (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
        (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
        (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        (JSC::LinkBuffer::patch):
        (JSC::LinkBuffer::entrypoint):
        (JSC::LinkBuffer::locationOf):
        (JSC::LinkBuffer::locationOfNearCall):
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        (JSC::LinkBuffer::trampolineAt):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):
        (JSC::MacroAssemblerARM::replaceWithJump):
        (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM::repatchCall):
        (JSC::MacroAssemblerARM::linkCall):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::readCallTarget):
        (JSC::MacroAssemblerARM64::replaceWithVMHalt):
        (JSC::MacroAssemblerARM64::replaceWithJump):
        (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::repatchCall):
        (JSC::MacroAssemblerARM64::linkCall):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::replaceWithJump):
        (JSC::MacroAssemblerARMv7::readCallTarget):
        (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::repatchCall):
        (JSC::MacroAssemblerARMv7::linkCall):
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtrBase::dumpWithName):
        (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
        (JSC::MacroAssemblerCodeRefBase::disassembly):
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
        (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
        (JSC::MacroAssemblerCodePtr::dump const): Deleted.
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
        (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
        (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
        (JSC::MacroAssemblerCodeRef::dump const): Deleted.
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
        (JSC::FunctionPtr::retagged const):
        (JSC::FunctionPtr::retaggedExecutableAddress const):
        (JSC::FunctionPtr::operator== const):
        (JSC::FunctionPtr::operator!= const):
        (JSC::ReturnAddressPtr::ReturnAddressPtr):
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
        (JSC::MacroAssemblerCodePtr::retagged const):
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodePtr::dumpWithName const):
        (JSC::MacroAssemblerCodePtr::dump const):
        (JSC::MacroAssemblerCodePtrHash::hash):
        (JSC::MacroAssemblerCodePtrHash::equal):
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
        (JSC::MacroAssemblerCodeRef::code const):
        (JSC::MacroAssemblerCodeRef::retaggedCode const):
        (JSC::MacroAssemblerCodeRef::retagged const):
        (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
        (JSC::MacroAssemblerCodeRef::disassembly const):
        (JSC::MacroAssemblerCodeRef::dump const):
        (JSC::FunctionPtr<tag>::FunctionPtr):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::readCallTarget):
        (JSC::MacroAssemblerMIPS::replaceWithJump):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::repatchCall):
        (JSC::MacroAssemblerMIPS::linkCall):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::readCallTarget):
        (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86::repatchCall):
        (JSC::MacroAssemblerX86::linkCall):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::repatchCompact):
        (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
        (JSC::MacroAssemblerX86Common::replaceWithJump):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::readCallTarget):
        (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::repatchCall):
        (JSC::MacroAssemblerX86_64::linkCall):
        * assembler/testmasm.cpp:
        (JSC::compile):
        (JSC::invoke):
        (JSC::testProbeModifiesProgramCounter):
        * b3/B3Compilation.cpp:
        (JSC::B3::Compilation::Compilation):
        * b3/B3Compilation.h:
        (JSC::B3::Compilation::code const):
        (JSC::B3::Compilation::codeRef const):
        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/B3LowerMacros.cpp:
        * b3/air/AirDisassembler.cpp:
        (JSC::B3::Air::Disassembler::dump):
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::invoke):
        (JSC::B3::testInterpreter):
        (JSC::B3::testEntrySwitchSimple):
        (JSC::B3::testEntrySwitchNoEntrySwitch):
        (JSC::B3::testEntrySwitchWithCommonPaths):
        (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
        (JSC::B3::testEntrySwitchLoop):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCaseSnippetParams.cpp:
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callReturnLocation):
        (JSC::CallLinkInfo::patchableJump):
        (JSC::CallLinkInfo::hotPathBegin):
        (JSC::CallLinkInfo::slowPathStart):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setCallLocations):
        (JSC::CallLinkInfo::hotPathOther):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::dumpInContext const):
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::customAccessorGetter const):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::create):
        (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
        (JSC::GetterSetterAccessCase::dumpImpl const):
        * bytecode/GetterSetterAccessCase.h:
        (JSC::GetterSetterAccessCase::customAccessor const):
        (): Deleted.
        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfo::initialize):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/InlineAccess.h:
        * bytecode/JumpTable.h:
        (JSC::StringJumpTable::ctiForValue):
        (JSC::SimpleJumpTable::ctiForValue):
        * bytecode/LLIntCallLinkInfo.h:
        (JSC::LLIntCallLinkInfo::unlink):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationResult::AccessGenerationResult):
        (JSC::AccessGenerationResult::code const):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::slowPathCallLocation):
        (JSC::StructureStubInfo::doneLocation):
        (JSC::StructureStubInfo::slowPathStartLocation):
        (JSC::StructureStubInfo::patchableJumpForIn):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::appendCatchEntrypoint):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpDisassembly):
        * dfg/DFGDriver.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::CallLinkRecord::CallLinkRecord):
        (JSC::DFG::JITCompiler::appendCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
        (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::JITFinalizer):
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGJumpReplacement.h:
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGOSREntry.h:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::OSRExit::codeLocationForRepatch const):
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
        (JSC::DFG::slowPathCall):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::appendCall):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * dfg/DFGThunks.h:
        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/ARMv7Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/Disassembler.cpp:
        (JSC::disassemble):
        (JSC::disassembleAsynchronously):
        * disassembler/Disassembler.h:
        (JSC::tryToDisassemble):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/UDis86Disassembler.h:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/X86Disassembler.cpp:
        (JSC::tryToDisassemble):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLExceptionTarget.cpp:
        (JSC::FTL::ExceptionTarget::label):
        (JSC::FTL::ExceptionTarget::jumps):
        * ftl/FTLExceptionTarget.h:
        * ftl/FTLGeneratedFunction.h:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::initializeB3Code):
        (JSC::FTL::JITCode::initializeAddressForCall):
        (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
        (JSC::FTL::JITCode::addressForCall):
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLJITCode.h:
        (JSC::FTL::JITCode::b3Code const):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::initialize):
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::patchableJump const):
        (JSC::FTL::LazySlowPath::done const):
        (JSC::FTL::LazySlowPath::stub const):
        * ftl/FTLLazySlowPathCall.h:
        (JSC::FTL::createLazyCallGenerator):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::codeLocationForRepatch const):
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::compileFTLLazySlowPath):
        * ftl/FTLPatchpointExceptionHandle.cpp:
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::SlowPathCallContext::keyWithTarget const):
        (JSC::FTL::SlowPathCallContext::makeCall):
        * ftl/FTLSlowPathCall.h:
        (JSC::FTL::callOperation):
        * ftl/FTLSlowPathCallKey.cpp:
        (JSC::FTL::SlowPathCallKey::dump const):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
        (JSC::FTL::SlowPathCallKey::callTarget const):
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        (JSC::FTL::SlowPathCallKey::hash const):
        (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::lazySlowPathGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::generateIfNecessary):
        (JSC::FTL::keyForThunk):
        (JSC::FTL::Thunks::getSlowPathCallThunk):
        (JSC::FTL::Thunks::keyForSlowPathCallThunk):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::getOpcodeID):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::callExceptionFuzz):
        (JSC::AssemblyHelpers::emitDumbVirtualCall):
        (JSC::AssemblyHelpers::debugCall):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h:
        (JSC::createJITStubRoutine):
        * jit/JIT.cpp:
        (JSC::ctiPatchCallByReturnAddress):
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        (JSC::CallRecord::CallRecord):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitMathICFast):
        (JSC::JIT::emitMathICSlow):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCode.cpp:
        (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
        (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
        (JSC::DirectJITCode::DirectJITCode):
        (JSC::DirectJITCode::initializeCodeRef):
        (JSC::DirectJITCode::addressForCall):
        (JSC::NativeJITCode::NativeJITCode):
        (JSC::NativeJITCode::initializeCodeRef):
        (JSC::NativeJITCode::addressForCall):
        * jit/JITCode.h:
        * jit/JITCodeMap.h:
        (JSC::JITCodeMap::Entry::Entry):
        (JSC::JITCodeMap::Entry::codeLocation):
        (JSC::JITCodeMap::append):
        (JSC::JITCodeMap::find const):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpDisassembly):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::finalize):
        * jit/JITInlines.h:
        (JSC::JIT::emitNakedCall):
        (JSC::JIT::emitNakedTailCall):
        (JSC::JIT::appendCallWithExceptionCheck):
        (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
        (JSC::JIT::appendCallWithCallFrameRollbackOnException):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::privateCompileHasIndexedProperty):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::JITStubRoutine):
        (JSC::JITStubRoutine::createSelfManagedRoutine):
        (JSC::JITStubRoutine::code const):
        (JSC::JITStubRoutine::asCodePtr):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        (JSC::JITThunks::ctiNativeTailCall):
        (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
        (JSC::JITThunks::ctiInternalFunctionCall):
        (JSC::JITThunks::ctiInternalFunctionConstruct):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::existingCTIStub):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        * jit/PCToCodeOriginMap.cpp:
        (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
        * jit/PCToCodeOriginMap.h:
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        * jit/PolymorphicCallStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryCacheIn):
        (JSC::repatchIn):
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::linkDirectFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/Repatch.h:
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::nativeCallGenerator):
        (JSC::nativeTailCallGenerator):
        (JSC::nativeTailCallWithoutSavedTagsGenerator):
        (JSC::nativeConstructGenerator):
        (JSC::internalFunctionCallGenerator):
        (JSC::internalFunctionConstructGenerator):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::clz32ThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::truncThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::imulThunkGenerator):
        (JSC::randomThunkGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * jit/ThunkGenerators.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getExecutableAddress):
        (JSC::LLInt::getCodePtr):
        (JSC::LLInt::getCodeRef):
        (JSC::LLInt::getCodeFunctionPtr):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * llint/LLIntThunks.cpp:
        (JSC::vmEntryToWasm):
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        (JSC::LLInt::moduleProgramEntryThunkGenerator):
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::addOSRExitSite):
        * profiler/ProfilerCompilation.h:
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS const):
        * profiler/ProfilerOSRExitSite.h:
        (JSC::Profiler::OSRExitSite::OSRExitSite):
        (JSC::Profiler::OSRExitSite::codeAddress const):
        (JSC::Profiler::OSRExitSite:: const): Deleted.
2103         * runtime/ExecutableBase.cpp:
2104         (JSC::ExecutableBase::clearCode):
2105         * runtime/ExecutableBase.h:
2106         (JSC::ExecutableBase::entrypointFor):
2107         * runtime/NativeExecutable.cpp:
2108         (JSC::NativeExecutable::finishCreation):
2109         * runtime/NativeFunction.h:
2110         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2111         (JSC::TaggedNativeFunction::operator NativeFunction):
2112         * runtime/PtrTag.h:
2113         (JSC::tagCodePtr):
2114         (JSC::untagCodePtr):
2115         (JSC::retagCodePtr):
2116         (JSC::tagCFunctionPtr):
2117         (JSC::untagCFunctionPtr):
2118         (JSC::nextPtrTagID): Deleted.
2119         * runtime/PutPropertySlot.h:
2120         (JSC::PutPropertySlot::PutPropertySlot):
2121         (JSC::PutPropertySlot::setCustomValue):
2122         (JSC::PutPropertySlot::setCustomAccessor):
2123         (JSC::PutPropertySlot::customSetter const):
2124         * runtime/ScriptExecutable.cpp:
2125         (JSC::ScriptExecutable::installCode):
2126         * runtime/VM.cpp:
2127         (JSC::VM::getHostFunction):
2128         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2129         * runtime/VM.h:
2130         (JSC::VM::getCTIStub):
2131         * wasm/WasmB3IRGenerator.cpp:
2132         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2133         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
2134         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2135         (JSC::Wasm::B3IRGenerator::addCall):
2136         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2137         * wasm/WasmBBQPlan.cpp:
2138         (JSC::Wasm::BBQPlan::prepare):
2139         (JSC::Wasm::BBQPlan::complete):
2140         * wasm/WasmBBQPlan.h:
2141         * wasm/WasmBinding.cpp:
2142         (JSC::Wasm::wasmToWasm):
2143         * wasm/WasmBinding.h:
2144         * wasm/WasmCallee.h:
2145         (JSC::Wasm::Callee::entrypoint const):
2146         * wasm/WasmCallingConvention.h:
2147         (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
2148         * wasm/WasmCodeBlock.h:
2149         (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
2150         * wasm/WasmFaultSignalHandler.cpp:
2151         (JSC::Wasm::trapHandler):
2152         * wasm/WasmFormat.h:
2153         * wasm/WasmInstance.h:
2154         * wasm/WasmOMGPlan.cpp:
2155         (JSC::Wasm::OMGPlan::work):
2156         * wasm/WasmThunks.cpp:
2157         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2158         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2159         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2160         (JSC::Wasm::Thunks::stub):
2161         (JSC::Wasm::Thunks::existingStub):
2162         * wasm/WasmThunks.h:
2163         * wasm/js/JSToWasm.cpp:
2164         (JSC::Wasm::createJSToWasmWrapper):
2165         * wasm/js/JSWebAssemblyCodeBlock.h:
2166         * wasm/js/WasmToJS.cpp:
2167         (JSC::Wasm::handleBadI64Use):
2168         (JSC::Wasm::wasmToJS):
2169         * wasm/js/WasmToJS.h:
2170         * wasm/js/WebAssemblyFunction.h:
2171         * yarr/YarrJIT.cpp:
2172         (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
2173         (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
2174         (JSC::Yarr::YarrGenerator::compile):
2175         * yarr/YarrJIT.h:
2176         (JSC::Yarr::YarrCodeBlock::set8BitCode):
2177         (JSC::Yarr::YarrCodeBlock::set16BitCode):
2178         (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
2179         (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
2180         (JSC::Yarr::YarrCodeBlock::execute):
2181         (JSC::Yarr::YarrCodeBlock::clear):
2182
2183 2018-04-17  Commit Queue  <commit-queue@webkit.org>
2184
2185         Unreviewed, rolling out r230697, r230720, and r230724.
2186         https://bugs.webkit.org/show_bug.cgi?id=184717
2187
2188         These caused multiple failures on the Test262 testers.
2189         (Requested by mlewis13 on #webkit).
2190
2191         Reverted changesets:
2192
2193         "[WebAssembly][Modules] Prototype wasm import"
2194         https://bugs.webkit.org/show_bug.cgi?id=184600
2195         https://trac.webkit.org/changeset/230697
2196
2197         "[WebAssembly][Modules] Implement function import from wasm
2198         modules"
2199         https://bugs.webkit.org/show_bug.cgi?id=184689
2200         https://trac.webkit.org/changeset/230720
2201
2202         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
2203         https://bugs.webkit.org/show_bug.cgi?id=184703
2204         https://trac.webkit.org/changeset/230724
2205
2206 2018-04-17  JF Bastien  <jfbastien@apple.com>
2207
2208         A put is not an ExistingProperty put when we transition a structure because of an attributes change
2209         https://bugs.webkit.org/show_bug.cgi?id=184706
2210         <rdar://problem/38871451>
2211
2212         Reviewed by Saam Barati.
2213
2214         When putting a property on a structure and the slot is a different
2215         type, the slot can't be said to have already existed.
2216
2217         * runtime/JSObjectInlines.h:
2218         (JSC::JSObject::putDirectInternal):
2219
2220 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2221
2222         JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
2223         https://bugs.webkit.org/show_bug.cgi?id=184705
2224
2225         Reviewed by Michael Saboff.
2226         
2227         My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
2228         while testing an unrelated patch, a concurrent GC thread crashed inside
2229         JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
2230         because a typed array became wasteful concurrently with the GC. So, visitChildren() read one
2231         mode and another vector.
2232         
2233         The fix is to lock inside visitChildren and anyone who changes those fields.
2234         
2235         I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
2236         this.
2237
2238         * runtime/JSArrayBufferView.cpp:
2239         (JSC::JSArrayBufferView::neuter):
2240         * runtime/JSGenericTypedArrayViewInlines.h:
2241         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2242         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2243
2244 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
2245
2246         PutStackSinkingPhase should know that KillStack means ConflictingFlush
2247         https://bugs.webkit.org/show_bug.cgi?id=184672
2248
2249         Reviewed by Michael Saboff.
2250
2251         We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
2252         KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
2253         archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
2254         intentional - I don't know.
2255
2256         Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
2257         doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
2258         the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
2259         KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
2260         that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
2261         specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
2262         could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
2263         KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
2264         inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
2265         have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
2266         values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
2267         value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
2268
2269         This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
2270         them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
2271         its stack slot for the purpose of clobberize.
2272
2273         * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
2274         * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
2275         * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
2276         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2277
2278 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
2279
2280         JSWebAssemblyCodeBlock should be in an IsoSubspace
2281         https://bugs.webkit.org/show_bug.cgi?id=184704
2282
2283         Reviewed by Mark Lam.
2284         
2285         Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
2286         CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
2287         short-circuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
2288         protection.
2289
2290         * runtime/VM.cpp:
2291         (JSC::VM::VM):
2292         * runtime/VM.h:
2293         * wasm/js/JSWebAssemblyCodeBlock.h:
2294
2295 2018-04-17  Jer Noble  <jer.noble@apple.com>
2296
2297         Only enable useSeparatedWXHeap on ARM64.
2298         https://bugs.webkit.org/show_bug.cgi?id=184697
2299
2300         Reviewed by Saam Barati.
2301
2302         * runtime/Options.cpp:
2303         (JSC::recomputeDependentOptions):
2304
2305 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2306
2307         [WebAssembly][Modules] Implement function import from wasm modules
2308         https://bugs.webkit.org/show_bug.cgi?id=184689
2309
2310         Reviewed by JF Bastien.
2311
2312         This patch implements function import from wasm modules. We move the function importing part
2313         from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
2314         is because linking these functions requires that all the dependent modules are created.
2315         While we want to move all the linking functionality from JSWebAssemblyInstance to
2316         WebAssemblyModuleRecord::link, we do not do that in this patch.  In this patch, we move only
2317         the function importing part because efficient compilation of WebAssembly needs to know
2318         the type of WebAssemblyMemory (signaling or bounds checking). This needs to know the imported
2319         or attached WebAssembly memory object. So we cannot defer this linking to
2320         WebAssemblyModuleRecord::link now.
2321
2322         The largest difference from JS module linking is that WebAssembly module linking links
2323         functions from the module by snapshotting. When you have a cyclic module graph like this,
2324
2325         -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
2326             ^                                                   |
2327             +---------------------------------------------------+
2328
2329         we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
2330         is described in [1], and tested in this patch.
2331
2332         [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
2333
2334         * JavaScriptCore.xcodeproj/project.pbxproj:
2335         * jsc.cpp:
2336         (functionDollarAgentStart):
2337         (checkException):
2338         (runWithOptions):
2339         Small fixes for wasm module loading.
2340
2341         * parser/NodesAnalyzeModule.cpp:
2342         (JSC::ImportDeclarationNode::analyzeModule):
2343         * runtime/AbstractModuleRecord.cpp:
2344         (JSC::AbstractModuleRecord::resolveImport):
2345         (JSC::AbstractModuleRecord::link):
2346         * runtime/AbstractModuleRecord.h:
2347         (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
2348         (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
2349         Now, wasm modules can have an import which is named "*". So this function does not work.
2350         Since wasm modules never have namespace importing, we check this in JS's module analyzer.
2351
2352         * runtime/JSModuleEnvironment.cpp:
2353         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2354         * runtime/JSModuleRecord.cpp:
2355         (JSC::JSModuleRecord::instantiateDeclarations):
2356         * wasm/WasmCreationMode.h: Added.
2357         * wasm/js/JSWebAssemblyInstance.cpp:
2358         (JSC::JSWebAssemblyInstance::finalizeCreation):
2359         (JSC::JSWebAssemblyInstance::create):
2360         * wasm/js/JSWebAssemblyInstance.h:
2361         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2362         (JSC::constructJSWebAssemblyInstance):
2363         * wasm/js/WebAssemblyModuleRecord.cpp:
2364         (JSC::WebAssemblyModuleRecord::link):
2365         * wasm/js/WebAssemblyModuleRecord.h:
2366         * wasm/js/WebAssemblyPrototype.cpp:
2367         (JSC::resolve):
2368         (JSC::instantiate):
2369         (JSC::compileAndInstantiate):
2370         (JSC::WebAssemblyPrototype::instantiate):
2371         (JSC::webAssemblyInstantiateFunc):
2372
2373 2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>
2374
2375         Implement setupArgumentsImpl for ARM and MIPS
2376         https://bugs.webkit.org/show_bug.cgi?id=183786
2377
2378         Reviewed by Yusuke Suzuki.
2379
2380         Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling conventions. Added
2381         numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
2382         registers used for 64-bit values on 32-bit architectures. numCrossSources
2383         keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
2384
2385         * assembler/MacroAssemblerARMv7.h:
2386         (JSC::MacroAssemblerARMv7::moveDouble):
2387         * assembler/MacroAssemblerMIPS.h:
2388         (JSC::MacroAssemblerMIPS::moveDouble):
2389         * jit/CCallHelpers.h:
2390         (JSC::CCallHelpers::setupStubCrossArgs):
2391         (JSC::CCallHelpers::ArgCollection::ArgCollection):
2392         (JSC::CCallHelpers::ArgCollection::pushRegArg):
2393         (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
2394         (JSC::CCallHelpers::ArgCollection::addGPRArg):
2395         (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
2396         (JSC::CCallHelpers::ArgCollection::addStackArg):
2397         (JSC::CCallHelpers::ArgCollection::addPoke):
2398         (JSC::CCallHelpers::ArgCollection::argCount):
2399         (JSC::CCallHelpers::calculatePokeOffset):
2400         (JSC::CCallHelpers::pokeForArgument):
2401         (JSC::CCallHelpers::stackAligned):
2402         (JSC::CCallHelpers::marshallArgumentRegister):
2403         (JSC::CCallHelpers::setupArgumentsImpl):
2404         (JSC::CCallHelpers::pokeArgumentsAligned):
2405         (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
2406         (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
2407         (JSC::CCallHelpers::setupArguments):
2408         * jit/FPRInfo.h:
2409         (JSC::FPRInfo::toArgumentRegister):
2410
2411 2018-04-17  Saam Barati  <sbarati@apple.com>
2412
2413         Add system trace points for process launch and for initializeWebProcess
2414         https://bugs.webkit.org/show_bug.cgi?id=184669
2415
2416         Reviewed by Simon Fraser.
2417
2418         * runtime/VMEntryScope.cpp:
2419         (JSC::VMEntryScope::VMEntryScope):
2420         (JSC::VMEntryScope::~VMEntryScope):
2421
2422 2018-04-17  Jer Noble  <jer.noble@apple.com>
2423
2424         Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
2425         https://bugs.webkit.org/show_bug.cgi?id=184602
2426
2427         Reviewed by Beth Dakin.
2428
2429         * JavaScriptCore.xcodeproj/project.pbxproj:
2430
2431 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2432
2433         [GLIB] Add API to clear JSCContext uncaught exception
2434         https://bugs.webkit.org/show_bug.cgi?id=184685
2435
2436         Reviewed by Žan Doberšek.
2437
2438         Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
2439
2440         * API/glib/JSCContext.cpp:
2441         (jsc_context_clear_exception):
2442         * API/glib/JSCContext.h:
2443         * API/glib/docs/jsc-glib-4.0-sections.txt:
2444
2445 2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>
2446
2447         [GLIB] Add API to query, delete and enumerate properties
2448         https://bugs.webkit.org/show_bug.cgi?id=184647
2449
2450         Reviewed by Michael Catanzaro.
2451
2452         Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
2453
2454         * API/glib/JSCValue.cpp:
2455         (jsc_value_object_has_property):
2456         (jsc_value_object_delete_property):
2457         (jsc_value_object_enumerate_properties):
2458         * API/glib/JSCValue.h:
2459         * API/glib/docs/jsc-glib-4.0-sections.txt:
2460
2461 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2462
2463         [WebAssembly][Modules] Prototype wasm import
2464         https://bugs.webkit.org/show_bug.cgi?id=184600
2465
2466         Reviewed by JF Bastien.
2467
2468         This patch is an initial attempt to implement Wasm loading in the module pipeline.
2469         Currently,
2470
2471         1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
2472            in whatwg HTML, we should integrate this into WebCore.
2473
2474         2. We only support exporting values from Wasm. A Wasm module cannot import anything from
2475            the other modules now.
2476
2477         When loading a file, the JSC shell checks the wasm magic. If the wasm magic is found, the JSC shell
2478         loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and
2479         the module loader pipeline just handles it the same as JS. When parsing a module, we
2480         check the type of JSSourceCode. If the source code is Wasm source code, we create a
2481         WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
2482         AbstractModuleRecord and the Wasm module is instantiated, linked, and evaluated.
2483
2484         * builtins/ModuleLoaderPrototype.js:
2485         (globalPrivate.newRegistryEntry):
2486         (requestInstantiate):
2487         (link):
2488         * jsc.cpp:
2489         (convertShebangToJSComment):
2490         (fillBufferWithContentsOfFile):
2491         (fetchModuleFromLocalFileSystem):
2492         (GlobalObject::moduleLoaderFetch):
2493         * parser/SourceProvider.h:
2494         (JSC::WebAssemblySourceProvider::create):
2495         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
2496         * runtime/AbstractModuleRecord.cpp:
2497         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2498         (JSC::AbstractModuleRecord::link):
2499         (JSC::AbstractModuleRecord::evaluate):
2500         (JSC::identifierToJSValue): Deleted.
2501         * runtime/AbstractModuleRecord.h:
2502         * runtime/JSModuleLoader.cpp:
2503         (JSC::JSModuleLoader::evaluate):
2504         * runtime/JSModuleRecord.cpp:
2505         (JSC::JSModuleRecord::link):
2506         (JSC::JSModuleRecord::instantiateDeclarations):
2507         * runtime/JSModuleRecord.h:
2508         * runtime/ModuleLoaderPrototype.cpp:
2509         (JSC::moduleLoaderPrototypeParseModule):
2510         (JSC::moduleLoaderPrototypeRequestedModules):
2511         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
2512         * wasm/js/JSWebAssemblyHelpers.h:
2513         (JSC::getWasmBufferFromValue):
2514         (JSC::createSourceBufferFromValue):
2515         * wasm/js/JSWebAssemblyInstance.cpp:
2516         (JSC::JSWebAssemblyInstance::finalizeCreation):
2517         (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
2518         (JSC::JSWebAssemblyInstance::create):
2519         * wasm/js/JSWebAssemblyInstance.h:
2520         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2521         (JSC::constructJSWebAssemblyInstance):
2522         * wasm/js/WebAssemblyModuleRecord.cpp:
2523         (JSC::WebAssemblyModuleRecord::prepareLink):
2524         (JSC::WebAssemblyModuleRecord::link):
2525         * wasm/js/WebAssemblyModuleRecord.h:
2526         * wasm/js/WebAssemblyPrototype.cpp:
2527         (JSC::resolve):
2528         (JSC::instantiate):
2529         (JSC::compileAndInstantiate):
2530         (JSC::WebAssemblyPrototype::instantiate):
2531         (JSC::webAssemblyInstantiateFunc):
2532         (JSC::webAssemblyValidateFunc):
2533         * wasm/js/WebAssemblyPrototype.h:
2534
2535 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
2536
2537         Function.prototype.caller shouldn't return generator bodies
2538         https://bugs.webkit.org/show_bug.cgi?id=184630
2539
2540         Reviewed by Yusuke Suzuki.
2541         
2542         Function.prototype.caller no longer returns generator bodies. Those are meant to be
2543         private.
2544         
2545         Also added some builtin debugging tools so that it's easier to do the investigation that I
2546         did.
2547
2548         * builtins/BuiltinNames.h:
2549         * runtime/JSFunction.cpp:
2550         (JSC::JSFunction::callerGetter):
2551         * runtime/JSGlobalObject.cpp:
2552         (JSC::JSGlobalObject::init):
2553         * runtime/JSGlobalObjectFunctions.cpp:
2554         (JSC::globalFuncBuiltinDescribe):
2555         * runtime/JSGlobalObjectFunctions.h:
2556
2557 2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2558
2559         [DFG] Remove duplicate 32bit ProfileType implementation
2560         https://bugs.webkit.org/show_bug.cgi?id=184536
2561
2562         Reviewed by Saam Barati.
2563
2564         This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.
2565
2566         * dfg/DFGSpeculativeJIT.cpp:
2567         (JSC::DFG::SpeculativeJIT::compileProfileType):
2568         * dfg/DFGSpeculativeJIT.h:
2569         * dfg/DFGSpeculativeJIT32_64.cpp:
2570         (JSC::DFG::SpeculativeJIT::compile):
2571         * dfg/DFGSpeculativeJIT64.cpp:
2572         (JSC::DFG::SpeculativeJIT::compile):
2573         * jit/AssemblyHelpers.h:
2574         (JSC::AssemblyHelpers::branchIfUndefined):
2575         (JSC::AssemblyHelpers::branchIfNull):
2576
2577 2018-04-12  Mark Lam  <mark.lam@apple.com>
2578
2579         Consolidate some PtrTags.
2580         https://bugs.webkit.org/show_bug.cgi?id=184552
2581         <rdar://problem/39389404>
2582
2583         Reviewed by Filip Pizlo.
2584
2585         Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
2586         Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
2587
2588         * assembler/AbstractMacroAssembler.h:
2589         (JSC::AbstractMacroAssembler::repatchNearCall):
2590         * assembler/MacroAssemblerARM.h:
2591         (JSC::MacroAssemblerARM::readCallTarget):
2592         * assembler/MacroAssemblerARMv7.h:
2593         (JSC::MacroAssemblerARMv7::readCallTarget):
2594         * assembler/MacroAssemblerMIPS.h:
2595         (JSC::MacroAssemblerMIPS::readCallTarget):
2596         * assembler/MacroAssemblerX86.h:
2597         (JSC::MacroAssemblerX86::readCallTarget):
2598         * assembler/MacroAssemblerX86_64.h:
2599         (JSC::MacroAssemblerX86_64::readCallTarget):
2600         * bytecode/AccessCase.cpp:
2601         (JSC::AccessCase::generateImpl):
2602         * bytecode/InlineAccess.cpp:
2603         (JSC::InlineAccess::rewireStubAsJump):
2604         * bytecode/PolymorphicAccess.cpp:
2605         (JSC::PolymorphicAccess::regenerate):
2606         * dfg/DFGJITCompiler.cpp:
2607         (JSC::DFG::JITCompiler::linkOSRExits):
2608         (JSC::DFG::JITCompiler::link):
2609         (JSC::DFG::JITCompiler::compileFunction):
2610         * dfg/DFGJITFinalizer.cpp:
2611         (JSC::DFG::JITFinalizer::finalize):
2612         (JSC::DFG::JITFinalizer::finalizeFunction):
2613         * dfg/DFGOSREntry.cpp:
2614         (JSC::DFG::prepareOSREntry):
2615         * dfg/DFGOSRExit.cpp:
2616         (JSC::DFG::OSRExit::executeOSRExit):
2617         (JSC::DFG::adjustAndJumpToTarget):
2618         (JSC::DFG::OSRExit::compileOSRExit):
2619         * dfg/DFGOSRExitCompilerCommon.cpp:
2620         (JSC::DFG::adjustAndJumpToTarget):
2621         * dfg/DFGOperations.cpp:
2622         * ftl/FTLJITCode.cpp:
2623         (JSC::FTL::JITCode::executableAddressAtOffset):
2624         * ftl/FTLJITFinalizer.cpp:
2625         (JSC::FTL::JITFinalizer::finalizeCommon):
2626         * ftl/FTLLazySlowPath.cpp:
2627         (JSC::FTL::LazySlowPath::generate):
2628         * ftl/FTLLink.cpp:
2629         (JSC::FTL::link):
2630         * ftl/FTLLowerDFGToB3.cpp:
2631         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2632         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
2633         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2634         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2635         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2636         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
2637         * ftl/FTLOSRExitCompiler.cpp:
2638         (JSC::FTL::compileFTLOSRExit):
2639         * ftl/FTLOSRExitHandle.cpp:
2640         (JSC::FTL::OSRExitHandle::emitExitThunk):
2641         * jit/AssemblyHelpers.cpp:
2642         (JSC::AssemblyHelpers::emitDumbVirtualCall):
2643         * jit/JIT.cpp:
2644         (JSC::JIT::compileWithoutLinking):
2645         (JSC::JIT::link):
2646         * jit/JITCall.cpp:
2647         (JSC::JIT::compileOpCallSlowCase):
2648         * jit/JITCode.cpp:
2649         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2650         (JSC::NativeJITCode::addressForCall):
2651         * jit/JITInlines.h:
2652         (JSC::JIT::emitNakedCall):
2653         (JSC::JIT::emitNakedTailCall):
2654         * jit/JITMathIC.h:
2655         (JSC::isProfileEmpty):
2656         * jit/JITOpcodes.cpp:
2657         (JSC::JIT::privateCompileHasIndexedProperty):
2658         * jit/JITOperations.cpp:
2659         * jit/JITPropertyAccess.cpp:
2660         (JSC::JIT::stringGetByValStubGenerator):
2661         (JSC::JIT::privateCompileGetByVal):
2662         (JSC::JIT::privateCompileGetByValWithCachedId):
2663         (JSC::JIT::privateCompilePutByVal):
2664         (JSC::JIT::privateCompilePutByValWithCachedId):
2665         * jit/JITThunks.cpp:
2666         (JSC::JITThunks::hostFunctionStub):
2667         * jit/Repatch.cpp:
2668         (JSC::linkSlowFor):
2669         (JSC::linkFor):
2670         (JSC::linkPolymorphicCall):
2671         * jit/SpecializedThunkJIT.h:
2672         (JSC::SpecializedThunkJIT::finalize):
2673         * jit/ThunkGenerators.cpp:
2674         (JSC::virtualThunkFor):
2675         (JSC::nativeForGenerator):
2676         (JSC::boundThisNoArgsFunctionCallGenerator):
2677         * llint/LLIntData.cpp:
2678         (JSC::LLInt::initialize):
2679         * llint/LLIntEntrypoint.cpp:
2680         (JSC::LLInt::setEvalEntrypoint):
2681         (JSC::LLInt::setProgramEntrypoint):
2682         (JSC::LLInt::setModuleProgramEntrypoint):
2683         * llint/LLIntSlowPaths.cpp:
2684         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2685         (JSC::LLInt::setUpCall):
2686         * llint/LLIntThunks.cpp:
2687         (JSC::LLInt::generateThunkWithJumpTo):
2688         (JSC::LLInt::functionForCallEntryThunkGenerator):
2689         (JSC::LLInt::functionForConstructEntryThunkGenerator):
2690         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
2691         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
2692         (JSC::LLInt::evalEntryThunkGenerator):
2693         (JSC::LLInt::programEntryThunkGenerator):
2694         (JSC::LLInt::moduleProgramEntryThunkGenerator):
2695         * llint/LowLevelInterpreter.asm:
2696         * llint/LowLevelInterpreter64.asm:
2697         * runtime/NativeExecutable.cpp:
2698         (JSC::NativeExecutable::finishCreation):
2699         * runtime/NativeFunction.h:
2700         (JSC::TaggedNativeFunction::TaggedNativeFunction):
2701         (JSC::TaggedNativeFunction::operator NativeFunction):
2702         * runtime/PtrTag.h:
2703         * wasm/WasmBBQPlan.cpp:
2704         (JSC::Wasm::BBQPlan::complete):
2705         * wasm/WasmOMGPlan.cpp:
2706         (JSC::Wasm::OMGPlan::work):
2707         * wasm/WasmThunks.cpp:
2708         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2709         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2710         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2711         * wasm/js/WasmToJS.cpp:
2712         (JSC::Wasm::wasmToJS):
2713         * wasm/js/WebAssemblyFunction.h:
2714         * yarr/YarrJIT.cpp:
2715         (JSC::Yarr::YarrGenerator::compile):
2716
2717 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2718
2719         [WPE] Move libWPEWebInspectorResources.so to pkglibdir
2720         https://bugs.webkit.org/show_bug.cgi?id=184379
2721
2722         Reviewed by Žan Doberšek.
2723
2724         Load the module from the new location.
2725
2726         * PlatformWPE.cmake:
2727         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2728         (Inspector::backendCommands):
2729
2730 2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2731
2732         [DFG] Remove compileBigIntEquality in DFG 32bit
2733         https://bugs.webkit.org/show_bug.cgi?id=184535
2734
2735         Reviewed by Saam Barati.
2736
2737         We can have the unified implementation for compileBigIntEquality.
2738
2739         * dfg/DFGSpeculativeJIT.cpp:
2740         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
2741         * dfg/DFGSpeculativeJIT32_64.cpp:
2742         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2743         * dfg/DFGSpeculativeJIT64.cpp:
2744         (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2745
2746 2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>
2747
2748         [WPE] Improve include hierarchy
2749         https://bugs.webkit.org/show_bug.cgi?id=184376
2750
2751         Reviewed by Žan Doberšek.
2752
2753         Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
2754         /usr/include/wpe-0.1/WPE/jsc.
2755
2756         * PlatformWPE.cmake:
2757
2758 2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2759
2760         [GLIB] Handle strings containing null characters
2761         https://bugs.webkit.org/show_bug.cgi?id=184450
2762
2763         Reviewed by Michael Catanzaro.
2764
2765         We should be able to evaluate scripts containing null characters and to handle strings that contain them
2766         too. In JavaScript, strings are not null-terminated; they can contain null characters. This patch adds a length
2767         parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null-terminated), and new functions
2768         jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
2769         contain null characters.
2770
2771         * API/OpaqueJSString.cpp:
2772         (OpaqueJSString::create): Add a create constructor that takes the String.
2773         * API/OpaqueJSString.h:
2774         (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
2775         * API/glib/JSCContext.cpp:
2776         (jsc_context_evaluate): Add length parameter.
2777         (jsc_context_evaluate_with_source_uri): Ditto.
2778         * API/glib/JSCContext.h:
2779         * API/glib/JSCValue.cpp:
2780         (jsc_value_new_string_from_bytes):
2781         (jsc_value_to_string):
2782         (jsc_value_to_string_as_bytes):
2783         (jsc_value_object_is_instance_of): Pass length to evaluate.
2784         * API/glib/JSCValue.h:
2785         * API/glib/docs/jsc-glib-4.0-sections.txt:
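
        The distinction this entry draws, as an added example that is not JavaScriptCore or GLib API code: a length of -1 means "null-terminated" and stops at the first NUL, while an explicit length (or a GBytes-style byte buffer) keeps embedded NULs intact. The function names, the sample script and the use of TextEncoder/TextDecoder (available in Node.js 11+ and browsers) are assumptions of this example.

```javascript
// Added example, not JavaScriptCore or GLib API code: models the two string
// contracts the entry distinguishes. Names (scriptFromBytes, toCString, toBytes)
// and the sample script are constructed; TextEncoder/TextDecoder are assumed
// to be available (Node.js 11+ and browsers).

const encoder = new TextEncoder();
const decoder = new TextDecoder();

// Constructed script: two statements separated by an embedded NUL character.
// A JavaScript string holds it without trouble; a C string would end there.
const SCRIPT = 'a = 1;\u0000b = 2;';

// Bytes as a C caller would hand them to the API.
function scriptToBytes(script) {
  return encoder.encode(script);
}

// Models the (script, length) parameter pair: length -1 means "null-terminated",
// so the script ends at the first 0 byte and everything after it is silently
// lost; any other length is honoured as given and embedded NULs survive.
function scriptFromBytes(bytes, length) {
  let end;
  if (length === -1) {
    const nul = bytes.indexOf(0);
    end = nul === -1 ? bytes.length : nul;
  } else {
    if (!Number.isInteger(length) || length < 0 || length > bytes.length) {
      throw new RangeError(`length ${length} outside 0..${bytes.length}`);
    }
    end = length;
  }
  return decoder.decode(bytes.subarray(0, end));
}

// Models jsc_value_to_string(): a NUL-terminated copy keeps only the prefix
// before the first NUL, which is how data disappears when a length-carrying
// value is pushed through a C-string interface.
function toCString(value) {
  const nul = value.indexOf('\u0000');
  return nul === -1 ? value : value.slice(0, nul);
}

// Models jsc_value_to_string_as_bytes(): the full byte sequence, NUL included,
// together with its length, so nothing is truncated.
function toBytes(value) {
  const bytes = encoder.encode(value);
  return { bytes, length: bytes.length };
}
```

        The practical check for a caller is the one the last two functions make visible: whenever a value crosses from a length-delimited representation to a NUL-terminated one, compare the lengths on both sides; a shorter result means part of the script or string was dropped.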
2786
2787 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2788
2789         [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
2790         https://bugs.webkit.org/show_bug.cgi?id=184500
2791
2792         Reviewed by Mark Lam.
2793
2794         Instead of passing JSValue::JSCellTag to the callOperation meta-program to convert a
2795         JSCell GPR to EncodedJSValue in 32bit code, we add CCallHelpers::CellValue.
2796         It is a wrapper for GPRReg, like TrustedImmPtr for pointer values. When poking a
2797         CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
2798         poke the held GPR. The benefit of this CellValue is that we can use the same code
2799         for 32bit and 64bit. This patch removes several ifdefs.
2800
2801         * bytecode/AccessCase.cpp:
2802         (JSC::AccessCase::generateImpl):
2803         * dfg/DFGSpeculativeJIT.cpp:
2804         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2805         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2806         (JSC::DFG::SpeculativeJIT::cachedPutById):
2807         * dfg/DFGSpeculativeJIT32_64.cpp:
2808         (JSC::DFG::SpeculativeJIT::cachedGetById):
2809         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2810         * jit/CCallHelpers.h:
2811         (JSC::CCallHelpers::CellValue::CellValue):
2812         (JSC::CCallHelpers::CellValue::gpr const):
2813         (JSC::CCallHelpers::setupArgumentsImpl):
2814
2815 2018-04-11  Mark Lam  <mark.lam@apple.com>
2816
2817         [Build fix] Replace CompactJITCodeMap with JITCodeMap.
2818         https://bugs.webkit.org/show_bug.cgi?id=184512
2819         <rdar://problem/35391728>
2820
2821         Not reviewed.
2822
2823         * bytecode/CodeBlock.h:
2824         * jit/JITCodeMap.h:
2825
2826 2018-04-11  Mark Lam  <mark.lam@apple.com>
2827
2828         Replace CompactJITCodeMap with JITCodeMap.
2829         https://bugs.webkit.org/show_bug.cgi?id=184512
2830         <rdar://problem/35391728>
2831
2832         Reviewed by Filip Pizlo.
2833
2834         * CMakeLists.txt:
2835         * JavaScriptCore.xcodeproj/project.pbxproj:
2836         * bytecode/CodeBlock.h:
2837         (JSC::CodeBlock::setJITCodeMap):
2838         (JSC::CodeBlock::jitCodeMap const):
2839         (JSC::CodeBlock::jitCodeMap): Deleted.
2840         * dfg/DFGOSRExit.cpp:
2841         (JSC::DFG::OSRExit::executeOSRExit):
2842         * dfg/DFGOSRExitCompilerCommon.cpp:
2843         (JSC::DFG::adjustAndJumpToTarget):
2844         * jit/AssemblyHelpers.cpp:
2845         (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
2846         * jit/AssemblyHelpers.h:
2847         * jit/CompactJITCodeMap.h: Removed.
2848         * jit/JIT.cpp:
2849         (JSC::JIT::link):
2850         * jit/JITCodeMap.h: Added.
2851         (JSC::JITCodeMap::Entry::Entry):
2852         (JSC::JITCodeMap::Entry::bytecodeIndex const):
2853         (JSC::JITCodeMap::Entry::codeLocation):
2854         (JSC::JITCodeMap::append):
2855         (JSC::JITCodeMap::finish):
2856         (JSC::JITCodeMap::find const):
2857         (JSC::JITCodeMap::operator bool const):
2858         * llint/LLIntSlowPaths.cpp:
2859         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2860
2861 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2862
2863         [DFG] Remove CompareSlowPathGenerator
2864         https://bugs.webkit.org/show_bug.cgi?id=184492
2865
2866         Reviewed by Mark Lam.
2867
2868         Now CompareSlowPathGenerator is just calling a specified function.
2869         This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.
2870
2871         We also remove some of the unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
2872         introducing a new constructor for GPRTemporary.
2873
2874         * JavaScriptCore.xcodeproj/project.pbxproj:
2875         * dfg/DFGCompareSlowPathGenerator.h: Removed.
2876         * dfg/DFGSpeculativeJIT.cpp:
2877         (JSC::DFG::GPRTemporary::GPRTemporary):
2878         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
2879         (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
2880         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2881         (JSC::DFG::SpeculativeJIT::compileIsObject):
2882         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2883         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2884         * dfg/DFGSpeculativeJIT.h:
2885         (JSC::DFG::GPRTemporary::GPRTemporary):
2886         * dfg/DFGSpeculativeJIT64.cpp:
2887         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2888
2889 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2890
2891         Unreviewed, build fix for 32bit
2892         https://bugs.webkit.org/show_bug.cgi?id=184236
2893
2894         * dfg/DFGSpeculativeJIT.cpp:
2895         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2896
2897 2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2898
2899         [DFG] Remove duplicate 32bit code more
2900         https://bugs.webkit.org/show_bug.cgi?id=184236
2901
2902         Reviewed by Mark Lam.
2903
2904         Remove duplicate 32bit code more aggressively part 2.
2905
2906         * JavaScriptCore.xcodeproj/project.pbxproj:
2907         * dfg/DFGCompareSlowPathGenerator.h: Added.
2908         (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
2909         Drop the boxing part. Use unblessedBooleanResult on the DFGSpeculativeJIT side instead.
2910
2911         * dfg/DFGOperations.cpp:
2912         * dfg/DFGOperations.h:
2913         * dfg/DFGSpeculativeJIT.cpp:
2914         (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
2915         (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
2916         (JSC::DFG::SpeculativeJIT::compileIsObject):
2917         (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
2918         (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
2919         (JSC::DFG::SpeculativeJIT::compilePutById):
2920         (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
2921         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
2922         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2923         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
2924         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2925         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2926         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2927         (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
2928         (JSC::DFG::SpeculativeJIT::cachedPutById):
2929         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2930         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2931         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
2932         * dfg/DFGSpeculativeJIT.h:
2933         (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
2934         * dfg/DFGSpeculativeJIT32_64.cpp:
2935         (JSC::DFG::SpeculativeJIT::compile):
2936         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2937         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2938         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2939         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
2940         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2941         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2942         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2943         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2944         * dfg/DFGSpeculativeJIT64.cpp:
2945         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2946         (JSC::DFG::SpeculativeJIT::compile):
2947         (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
2948         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
2949         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
2950         (): Deleted.
2951         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
2952         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
2953         (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
2954         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
2955         * ftl/FTLLowerDFGToB3.cpp:
2956         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2957         operationHasIndexedPropertyByInt starts returning unblessed boolean with size_t.
2958
2959         * jit/AssemblyHelpers.h:
2960         (JSC::AssemblyHelpers::loadValue):
2961         (JSC::AssemblyHelpers::selectScratchGPR):
2962         (JSC::AssemblyHelpers::constructRegisterSet):
2963         * jit/RegisterSet.h:
2964         (JSC::RegisterSet::setAny):
2965         Clean up selectScratchGPR code to pass JSValueRegs.
2966
2967 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
2968
2969         [ESNext][BigInt] Add support for BigInt in SpeculatedType
2970         https://bugs.webkit.org/show_bug.cgi?id=182470
2971
2972         Reviewed by Saam Barati.
2973
2974         This patch introduces the SpecBigInt type to DFG to enable BigInt
2975         speculation into DFG and FTL.
2976
2977         With SpecBigInt introduction, we can then specialize "===" operations
2978         to BigInts. As we are doing for some cells, we first check if operands
2979         are pointing to the same JSCell, and if it is false, we
2980         fall back to "operationCompareStrictEqCell". The idea in further
2981         patches is to implement BigInt equality check directly in
2982         assembly.
2983
2984         We are also adding support for BigInt constant folding into
2985         TypeOf operation.
2986
2987         * bytecode/SpeculatedType.cpp:
2988         (JSC::dumpSpeculation):
2989         (JSC::speculationFromClassInfo):
2990         (JSC::speculationFromStructure):
2991         (JSC::speculationFromJSType):
2992         (JSC::speculationFromString):
2993         * bytecode/SpeculatedType.h:
2994         (JSC::isBigIntSpeculation):
2995         * dfg/DFGAbstractInterpreterInlines.h:
2996         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2997         * dfg/DFGAbstractValue.cpp:
2998         (JSC::DFG::AbstractValue::set):
2999         * dfg/DFGConstantFoldingPhase.cpp:
3000         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3001         * dfg/DFGFixupPhase.cpp:
3002         (JSC::DFG::FixupPhase::fixupNode):
3003         (JSC::DFG::FixupPhase::fixupToThis):
3004         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3005         * dfg/DFGInferredTypeCheck.cpp:
3006         (JSC::DFG::insertInferredTypeCheck):
3007         * dfg/DFGNode.h:
3008         (JSC::DFG::Node::shouldSpeculateBigInt):
3009         * dfg/DFGPredictionPropagationPhase.cpp:
3010         * dfg/DFGSafeToExecute.h:
3011         (JSC::DFG::SafeToExecuteEdge::operator()):
3012         * dfg/DFGSpeculativeJIT.cpp:
3013         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3014         (JSC::DFG::SpeculativeJIT::speculateBigInt):
3015         (JSC::DFG::SpeculativeJIT::speculate):
3016         * dfg/DFGSpeculativeJIT.h:
3017         * dfg/DFGSpeculativeJIT32_64.cpp:
3018         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
3019         * dfg/DFGSpeculativeJIT64.cpp:
3020         (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
3021         * dfg/DFGUseKind.cpp:
3022         (WTF::printInternal):
3023         * dfg/DFGUseKind.h:
3024         (JSC::DFG::typeFilterFor):
3025         (JSC::DFG::isCell):
3026         * ftl/FTLCapabilities.cpp:
3027         (JSC::FTL::canCompile):
3028         * ftl/FTLLowerDFGToB3.cpp:
3029         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
3030         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
3031         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3032         (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
3033         (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
3034         * jit/AssemblyHelpers.cpp:
3035         (JSC::AssemblyHelpers::branchIfNotType):
3036         * jit/AssemblyHelpers.h:
3037         (JSC::AssemblyHelpers::branchIfBigInt):
3038         (JSC::AssemblyHelpers::branchIfNotBigInt):
3039         * runtime/InferredType.cpp:
3040         (JSC::InferredType::Descriptor::forValue):
3041         (JSC::InferredType::Descriptor::putByIdFlags const):
3042         (JSC::InferredType::Descriptor::merge):
3043         (WTF::printInternal):
3044         * runtime/InferredType.h:
3045         * runtime/JSBigInt.h:
3046
3047 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
3048
3049         Unreviewed, fix cloop build.
3050
3051         * dfg/DFGAbstractInterpreterClobberState.cpp:
3052
3053 2018-04-10  Mark Lam  <mark.lam@apple.com>
3054
3055         Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
3056         https://bugs.webkit.org/show_bug.cgi?id=184464
3057         <rdar://problem/39323947>
3058
3059         Reviewed by Saam Barati.
3060
3061         * heap/MarkedSpace.h:
3062         (JSC::MarkedSpace::sizeClassToIndex):
3063
3064 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
3065
3066         DFG AI and clobberize should agree with each other
3067         https://bugs.webkit.org/show_bug.cgi?id=184440
3068
3069         Reviewed by Saam Barati.
3070         
3071         One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
3072         agree with each other. That's what this patch does: it adds an assertion that AI's structure
3073         state tracking must be equivalent to JSCell_structureID being clobbered.
3074         
3075         One subtlety is that AI sometimes folds away structure clobbering using information that
3076         clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
3077         ObservedTransitions).
3078         
3079         This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
3080         clobberize missing a write(Heap).
3081         
3082         This also makes some cases more precise in order to appease the assertion. Making things more
3083         precise might make things faster, but I didn't measure it because that wasn't the goal.
3084
3085         * JavaScriptCore.xcodeproj/project.pbxproj:
3086         * Sources.txt:
3087         * dfg/DFGAbstractInterpreter.h:
3088         * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
3089         (WTF::printInternal):
3090         * dfg/DFGAbstractInterpreterClobberState.h: Added.
3091         (JSC::DFG::mergeClobberStates):
3092         * dfg/DFGAbstractInterpreterInlines.h:
3093         (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
3094         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3095         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
3096         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
3097         (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
3098         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
3099         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
3100         (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
3101         * dfg/DFGAtTailAbstractState.h:
3102         (JSC::DFG::AtTailAbstractState::setClobberState):
3103         (JSC::DFG::AtTailAbstractState::mergeClobberState):
3104         (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
3105         * dfg/DFGCFAPhase.cpp:
3106         (JSC::DFG::CFAPhase::performBlockCFA):
3107         * dfg/DFGClobberSet.cpp:
3108         (JSC::DFG::writeSet):
3109         * dfg/DFGClobberSet.h:
3110         * dfg/DFGClobberize.h:
3111         (JSC::DFG::clobberize):
3112         * dfg/DFGConstantFoldingPhase.cpp:
3113         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3114         * dfg/DFGInPlaceAbstractState.h:
3115         (JSC::DFG::InPlaceAbstractState::clobberState const):
3116         (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
3117         (JSC::DFG::InPlaceAbstractState::didClobber const):
3118         (JSC::DFG::InPlaceAbstractState::setClobberState):
3119         (JSC::DFG::InPlaceAbstractState::mergeClobberState):
3120         (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
3121
3122 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
3123
3124         ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
3125         https://bugs.webkit.org/show_bug.cgi?id=184460
3126         <rdar://problem/37610966>
3127
3128         Reviewed by Mark Lam.
3129
3130         * bytecode/ExecutableToCodeBlockEdge.cpp:
3131         (JSC::ExecutableToCodeBlockEdge::visitChildren):
3132
3133 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
3134
3135         REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
3136         https://bugs.webkit.org/show_bug.cgi?id=184455
3137
3138         Reviewed by Michael Saboff.
3139         
3140         LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
3141         says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
3142         (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
3143         the thing being hoisted does have effects, then we get a crash.
3144         
3145         In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
3146         CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
3147         would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
3148         effectful.
3149         
3150         Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
3151         clobberize to also think that CompareEq(Untyped:, _) is effectful.
3152         
3153         This fixes the whole situation by teaching both clobberize and AI that the only effectful form
3154         of CompareEq is CompareEq(Untyped:, Untyped:).
3155
3156         * dfg/DFGAbstractInterpreterInlines.h:
3157         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3158         * dfg/DFGClobberize.h:
3159         (JSC::DFG::clobberize):
3160
3161 2018-04-09  Filip Pizlo  <fpizlo@apple.com>
3162
3163         Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
3164         https://bugs.webkit.org/show_bug.cgi?id=184372
3165
3166         Reviewed by Saam Barati.
3167         
3168         We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
3169         have already proved, using techniques that are more precise than AI, that the edge has type
3170         Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
3171         because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
3172         other than a check - so we think we can call those just because we should have already
3173         bailed. It's better to think of them as the result of folding a check. Therefore, we should
3174         only do it if there had been a check to begin with.
3175
3176         * dfg/DFGSpeculativeJIT64.cpp:
3177         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3178         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3179         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3180         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3181         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3182         * ftl/FTLLowerDFGToB3.cpp:
3183         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
3184         (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
3185         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
3186         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
3187         (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
3188         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3189         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
3190         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
3191
3192 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3193
3194         [JSC] Introduce @putByIdDirectPrivate
3195         https://bugs.webkit.org/show_bug.cgi?id=184400
3196
3197         Reviewed by Saam Barati.
3198
3199         This patch adds @putByIdDirectPrivate() to use it for builtin JS.
3200         @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
3201         for accessing ECMAScript internal fields.
3202
3203         This change removes an accidental [[Put]] operation on an object whose [[Prototype]]
3204         has internal fields (not direct properties). By using @getByIdDirectPrivate() and
3205         @putByIdDirectPrivate(), we strongly keep the semantics of the ECMAScript internal
3206         fields: accessing the internal fields does not traverse prototype chains.
3207
3208         * builtins/ArrayIteratorPrototype.js:
3209         (globalPrivate.arrayIteratorValueNext):
3210         (globalPrivate.arrayIteratorKeyNext):
3211         (globalPrivate.arrayIteratorKeyValueNext):
3212         * builtins/ArrayPrototype.js:
3213         (globalPrivate.createArrayIterator):
3214         * builtins/AsyncFromSyncIteratorPrototype.js:
3215         (globalPrivate.AsyncFromSyncIteratorConstructor):
3216         * builtins/AsyncFunctionPrototype.js:
3217         (globalPrivate.asyncFunctionResume):
3218         * builtins/AsyncGeneratorPrototype.js:
3219         (globalPrivate.asyncGeneratorQueueEnqueue):
3220         (globalPrivate.asyncGeneratorQueueDequeue):
3221         (asyncGeneratorYieldAwaited):
3222         (globalPrivate.asyncGeneratorYield):
3223         (globalPrivate.doAsyncGeneratorBodyCall):
3224         (globalPrivate.asyncGeneratorResumeNext):
3225         * builtins/GeneratorPrototype.js:
3226         (globalPrivate.generatorResume):
3227         * builtins/MapIteratorPrototype.js:
3228         (globalPrivate.mapIteratorNext):
3229         * builtins/MapPrototype.js:
3230         (globalPrivate.createMapIterator):
3231         * builtins/ModuleLoaderPrototype.js:
3232         (forceFulfillPromise):
3233         * builtins/PromiseOperations.js:
3234         (globalPrivate.newHandledRejectedPromise):
3235         (globalPrivate.rejectPromise):
3236         (globalPrivate.fulfillPromise):
3237         (globalPrivate.initializePromise):
3238         * builtins/PromisePrototype.js:
3239         (then):
3240         * builtins/SetIteratorPrototype.js:
3241         (globalPrivate.setIteratorNext):
3242         * builtins/SetPrototype.js:
3243         (globalPrivate.createSetIterator):
3244         * builtins/StringIteratorPrototype.js:
3245         (next):
3246         * bytecode/BytecodeIntrinsicRegistry.h:
3247         * bytecompiler/NodesCodegen.cpp:
3248         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
3249         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
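
        The semantic difference this entry relies on, shown in plain JavaScript as an added example (not JavaScriptCore builtin code and not the intrinsics themselves): an ordinary [[Put]] walks the prototype chain and can be intercepted by an inherited setter, whereas a direct own-property definition never consults the prototype. The prototype, instance shape and function names are constructed for the example; Object.defineProperty and Object.getOwnPropertyDescriptor stand in for the "direct" put and get.

```javascript
// Added example, not JavaScriptCore code: contrasts an ordinary [[Put]]
// (assignment), which walks the prototype chain and can hit an inherited
// setter, with a direct own-property definition, which is the observable
// behaviour "put by id direct" gives internal fields.

// Constructed prototype carrying an accessor named "state". Anything that
// reaches "state" through [[Put]] runs this setter instead of storing a value.
const proto = {
  get state() { return 'value-from-prototype-getter'; },
  set state(v) { this.trace.push(`setter intercepted ${String(v)}`); },
};

// Constructed instance: its [[Prototype]] is proto; "trace" records setter hits.
function makeInstance() {
  const o = Object.create(proto);
  o.trace = [];
  return o;
}

// Report what the object looks like after a write to "state".
function describe(o) {
  return {
    ownProperty: Object.prototype.hasOwnProperty.call(o, 'state'),
    readBack: o.state,
    trace: o.trace.slice(),
  };
}

// Ordinary assignment performs [[Put]]: the lookup traverses the prototype
// chain, finds the inherited setter and calls it; no own property is created,
// and a later read goes to the inherited getter, not to the value written.
function writeViaPut(o, v) {
  o.state = v;
  return describe(o);
}

// Direct definition (the semantics of "put by id direct"): an own data property
// is created on the receiver itself and the prototype chain is never consulted.
function writeDirect(o, v) {
  Object.defineProperty(o, 'state', {
    value: v, writable: true, configurable: true, enumerable: false,
  });
  return describe(o);
}

// Counterpart of "get by id direct": read only the receiver's own slot, so an
// inherited accessor can neither answer nor observe the read.
function readDirect(o) {
  const d = Object.getOwnPropertyDescriptor(o, 'state');
  return d ? d.value : undefined;
}
```

        Running writeViaPut on a fresh instance leaves no own property and records one setter hit; running writeDirect creates the own property, leaves the trace empty, and readDirect returns the stored value. The same pattern is the reason builtins that keep state in internal fields must not reach them through ordinary property assignment: user code that installs an accessor on a shared prototype would otherwise observe or redirect the write.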
3250
3251 2018-04-09  Mark Lam  <mark.lam@apple.com>
3252
3253         Decorate method table entries to support pointer profiling.
3254         https://bugs.webkit.org/show_bug.cgi?id=184430
3255         <rdar://problem/39296190>
3256
3257         Reviewed by Saam Barati.
3258
3259         * runtime/ClassInfo.h:
3260
3261 2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>
3262
3263         [WPE] Don't install JSC C API headers
3264         https://bugs.webkit.org/show_bug.cgi?id=184375
3265
3266         Reviewed by Žan Doberšek.
3267
3268         None of the functions declared in these headers are exported in WPE. Use the new jsc API
3269         instead.
3270
3271         * PlatformWPE.cmake:
3272
3273 2018-04-08  Mark Lam  <mark.lam@apple.com>
3274
3275         Add pointer profiling to the FTL and supporting code.
3276         https://bugs.webkit.org/show_bug.cgi?id=184395
3277         <rdar://problem/39264019>
3278
3279         Reviewed by Michael Saboff and Filip Pizlo.
3280
3281         * assembler/CodeLocation.h:
3282         (JSC::CodeLocationLabel::retagged):
3283         (JSC::CodeLocationJump::retagged):
3284         * assembler/LinkBuffer.h:
3285         (JSC::LinkBuffer::locationOf):
3286         * dfg/DFGJITCompiler.cpp:
3287         (JSC::DFG::JITCompiler::linkOSRExits):
3288         (JSC::DFG::JITCompiler::link):
3289         * ftl/FTLCompile.cpp:
3290         (JSC::FTL::compile):
3291         * ftl/FTLExceptionTarget.cpp:
3292         (JSC::FTL::ExceptionTarget::label):
3293         (JSC::FTL::ExceptionTarget::jumps):
3294         * ftl/FTLExceptionTarget.h:
3295         * ftl/FTLJITCode.cpp:
3296         (JSC::FTL::JITCode::executableAddressAtOffset):
3297         * ftl/FTLLazySlowPath.cpp:
3298         (JSC::FTL::LazySlowPath::~LazySlowPath):
3299         (JSC::FTL::LazySlowPath::initialize):
3300         (JSC::FTL::LazySlowPath::generate):
3301         (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
3302         * ftl/FTLLazySlowPath.h:
3303         * ftl/FTLLink.cpp:
3304         (JSC::FTL::link):
3305         * ftl/FTLLowerDFGToB3.cpp:
3306         (JSC::FTL::DFG::LowerDFGToB3::lower):
3307         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3308         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3309         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3310         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3311         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3312         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3313         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3314         * ftl/FTLOSRExitCompiler.cpp:
3315         (JSC::FTL::compileStub):
3316         (JSC::FTL::compileFTLOSRExit):
3317         * ftl/FTLOSRExitHandle.cpp:
3318         (JSC::FTL::OSRExitHandle::emitExitThunk):
3319         * ftl/FTLOperations.cpp:
3320         (JSC::FTL::compileFTLLazySlowPath):
3321         * ftl/FTLOutput.h:
3322         (JSC::FTL::Output::callWithoutSideEffects):
3323         (JSC::FTL::Output::operation):
3324         * ftl/FTLPatchpointExceptionHandle.cpp:
3325         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3326         * ftl/FTLSlowPathCall.cpp:
3327         (JSC::FTL::SlowPathCallContext::makeCall):
3328         * ftl/FTLSlowPathCallKey.h:
3329         (JSC::FTL::SlowPathCallKey::withCallTarget):
3330         (JSC::FTL::SlowPathCallKey::callPtrTag const):
3331         * ftl/FTLThunks.cpp:
3332         (JSC::FTL::genericGenerationThunkGenerator):
3333         (JSC::FTL::osrExitGenerationThunkGenerator):
3334         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3335         (JSC::FTL::slowPathCallThunkGenerator):
3336         * jit/JITMathIC.h:
3337         (JSC::isProfileEmpty):
3338         * jit/Repatch.cpp:
3339         (JSC::readPutICCallTarget):
3340         (JSC::ftlThunkAwareRepatchCall):
3341         (JSC::tryCacheGetByID):
3342         (JSC::repatchGetByID):
3343         (JSC::tryCachePutByID):
3344         (JSC::repatchPutByID):
3345         (JSC::repatchIn):
3346         (JSC::resetGetByID):
3347         (JSC::resetPutByID):
3348         (JSC::readCallTarget): Deleted.
3349         * jit/Repatch.h:
3350         * runtime/PtrTag.h:
3351
3352 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3353
3354         Unreviewed, attempt to fix Windows build
3355         https://bugs.webkit.org/show_bug.cgi?id=183508
3356
3357         * jit/JIT.h:
3358
3359 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3360
3361         Unreviewed, build fix for Windows by suppressing padding warning for JIT
3362         https://bugs.webkit.org/show_bug.cgi?id=183508
3363
3364         * jit/JIT.h:
3365
3366 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3367
3368         Use alignas instead of compiler-specific attributes
3369         https://bugs.webkit.org/show_bug.cgi?id=183508
3370
3371         Reviewed by Mark Lam.
3372
3373         Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
3374
3375         * heap/RegisterState.h:
3376         * jit/JIT.h:
3377         (JSC::JIT::compile): Deleted.
3378         (JSC::JIT::compileGetByVal): Deleted.
3379         (JSC::JIT::compileGetByValWithCachedId): Deleted.
3380         (JSC::JIT::compilePutByVal): Deleted.
3381         (JSC::JIT::compileDirectPutByVal): Deleted.
3382         (JSC::JIT::compilePutByValWithCachedId): Deleted.
3383         (JSC::JIT::compileHasIndexedProperty): Deleted.
3384         (JSC::JIT::appendCall): Deleted.
3385         (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
3386         (JSC::JIT::exceptionCheck): Deleted.
3387         (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
3388         (JSC::JIT::emitInt32Load): Deleted.
3389         (JSC::JIT::emitInt32GetByVal): Deleted.
3390         (JSC::JIT::emitInt32PutByVal): Deleted.
3391         (JSC::JIT::emitDoublePutByVal): Deleted.
3392         (JSC::JIT::emitContiguousPutByVal): Deleted.
3393         (JSC::JIT::emitStoreCell): Deleted.
3394         (JSC::JIT::getSlowCase): Deleted.
3395         (JSC::JIT::linkSlowCase): Deleted.
3396         (JSC::JIT::linkDummySlowCase): Deleted.
3397         (JSC::JIT::linkAllSlowCases): Deleted.
3398         (JSC::JIT::callOperation): Deleted.
3399         (JSC::JIT::callOperationWithProfile): Deleted.
3400         (JSC::JIT::callOperationWithResult): Deleted.
3401         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
3402         (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
3403         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
3404         (JSC::JIT::sampleCodeBlock): Deleted.
3405         (JSC::JIT::canBeOptimized): Deleted.
3406         (JSC::JIT::canBeOptimizedOrInlined): Deleted.
3407         (JSC::JIT::shouldEmitProfiling): Deleted.
3408         * runtime/VM.h:
3409
3410 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3411
3412         Unreviewed, follow-up patch for DFG 32bit
3413         https://bugs.webkit.org/show_bug.cgi?id=183970
3414
3415         * dfg/DFGSpeculativeJIT32_64.cpp:
3416         (JSC::DFG::SpeculativeJIT::cachedGetById):
3417
3418 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3419
3420         [JSC] Fix incorrect assertion for VM's regexp buffer lock
3421         https://bugs.webkit.org/show_bug.cgi?id=184398
3422
3423         Reviewed by Mark Lam.
3424
3425         isLocked check before taking a lock is incorrect.
3426
3427         * runtime/VM.cpp:
3428         (JSC::VM::acquireRegExpPatternContexBuffer):
3429
3430 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3431
3432         [JSC] Introduce op_get_by_id_direct
3433         https://bugs.webkit.org/show_bug.cgi?id=183970
3434
3435         Reviewed by Filip Pizlo.
3436
3437         This patch introduces the op_get_by_id_direct bytecode. This is super similar to op_get_by_id,
3438         but it just performs the [[GetOwnProperty]] operation instead of [[Get]]. We support this
3439         in all the tiers, so using this opcode does not lead to inefficiency.
3440
3441         The main purpose of op_get_by_id_direct is using it for private properties. We are using
3442         properties indexed with private symbols to implement ECMAScript internal fields. Before this
3443         patch, we just used get and put operations. However, that is not the correct semantics: accessing
3444         the internal fields should not traverse the prototype chain, as specified in the spec.
3445         We use op_get_by_id_direct to access properties which are used as internal fields, so that
3446         prototype chains are not traversed.
3447
3448         To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
3449         When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
3450         bytecode `op_get_by_id_direct, object, @name`.
3451
3452         * builtins/ArrayIteratorPrototype.js:
3453         (next):
3454         (globalPrivate.arrayIteratorValueNext):
3455         (globalPrivate.arrayIteratorKeyNext):
3456         (globalPrivate.arrayIteratorKeyValueNext):
3457         * builtins/AsyncFromSyncIteratorPrototype.js:
3458         * builtins/AsyncFunctionPrototype.js:
3459         (globalPrivate.asyncFunctionResume):
3460         * builtins/AsyncGeneratorPrototype.js:
3461         (globalPrivate.asyncGeneratorQueueIsEmpty):
3462         (globalPrivate.asyncGeneratorQueueEnqueue):
3463         (globalPrivate.asyncGeneratorQueueDequeue):
3464         (globalPrivate.asyncGeneratorDequeue):
3465         (globalPrivate.isExecutionState):
3466         (globalPrivate.isSuspendYieldState):
3467         (globalPrivate.asyncGeneratorReject):
3468         (globalPrivate.asyncGeneratorResolve):
3469         (globalPrivate.doAsyncGeneratorBodyCall):
3470         (globalPrivate.asyncGeneratorEnqueue):
3471         * builtins/GeneratorPrototype.js:
3472         (globalPrivate.generatorResume):
3473         (next):
3474         (return):
3475         (throw):
3476         * builtins/MapIteratorPrototype.js:
3477         (next):
3478         * builtins/PromiseOperations.js:
3479         (globalPrivate.isPromise):
3480         (globalPrivate.rejectPromise):
3481         (globalPrivate.fulfillPromise):
3482         * builtins/PromisePrototype.js:
3483         (then):
3484         * builtins/SetIteratorPrototype.js:
3485         (next):
3486         * builtins/StringIteratorPrototype.js:
3487         (next):
3488         * builtins/TypedArrayConstructor.js:
3489         (of):
3490         (from):
3491         * bytecode/BytecodeDumper.cpp:
3492         (JSC::BytecodeDumper<Block>::dumpBytecode):
3493         * bytecode/BytecodeIntrinsicRegistry.h:
3494         * bytecode/BytecodeList.json:
3495         * bytecode/BytecodeUseDef.h:
3496         (JSC::computeUsesForBytecodeOffset):
3497         (JSC::computeDefsForBytecodeOffset):
3498         * bytecode/CodeBlock.cpp:
3499         (JSC::CodeBlock::finishCreation):
3500         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3501         * bytecode/GetByIdStatus.cpp:
3502         (JSC::GetByIdStatus::computeFromLLInt):
3503         (JSC::GetByIdStatus::computeFor):
3504         * bytecode/StructureStubInfo.cpp:
3505         (JSC::StructureStubInfo::reset):
3506         * bytecode/StructureStubInfo.h:
3507         (JSC::appropriateOptimizingGetByIdFunction):
3508         (JSC::appropriateGenericGetByIdFunction):
3509         * bytecompiler/BytecodeGenerator.cpp:
3510         (JSC::BytecodeGenerator::emitDirectGetById):
3511         * bytecompiler/BytecodeGenerator.h:
3512         * bytecompiler/NodesCodegen.cpp:
3513         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
3514         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
3515         * dfg/DFGAbstractInterpreterInlines.h:
3516         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3517         * dfg/DFGByteCodeParser.cpp:
3518         (JSC::DFG::ByteCodeParser::handleGetById):
3519         (JSC::DFG::ByteCodeParser::parseBlock):
3520         * dfg/DFGCapabilities.cpp:
3521         (JSC::DFG::capabilityLevel):
3522         * dfg/DFGClobberize.h:
3523         (JSC::DFG::clobberize):
3524         * dfg/DFGConstantFoldingPhase.cpp:
3525         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3526         * dfg/DFGDoesGC.cpp:
3527         (JSC::DFG::doesGC):
3528         * dfg/DFGFixupPhase.cpp:
3529         (JSC::DFG::FixupPhase::fixupNode):
3530         * dfg/DFGNode.h:
3531         (JSC::DFG::Node::convertToGetByOffset):
3532         (JSC::DFG::Node::convertToMultiGetByOffset):
3533         (JSC::DFG::Node::hasIdentifier):
3534         (JSC::DFG::Node::hasHeapPrediction):
3535         * dfg/DFGNodeType.h:
3536         * dfg/DFGOperations.cpp:
3537         * dfg/DFGOperations.h:
3538         * dfg/DFGPredictionPropagationPhase.cpp:
3539         * dfg/DFGSafeToExecute.h:
3540         (JSC::DFG::safeToExecute):
3541         * dfg/DFGSpeculativeJIT.cpp:
3542         (JSC::DFG::SpeculativeJIT::compileGetById):
3543         (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
3544         (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
3545         * dfg/DFGSpeculativeJIT.h:
3546         * dfg/DFGSpeculativeJIT32_64.cpp:
3547         (JSC::DFG::SpeculativeJIT::cachedGetById):
3548         (JSC::DFG::SpeculativeJIT::compile):
3549         * dfg/DFGSpeculativeJIT64.cpp:
3550         (JSC::DFG::SpeculativeJIT::cachedGetById):
3551         (JSC::DFG::SpeculativeJIT::compile):
3552         * ftl/FTLCapabilities.cpp:
3553         (JSC::FTL::canCompile):
3554         * ftl/FTLLowerDFGToB3.cpp:
3555         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3556         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
3557         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
3558         (JSC::FTL::DFG::LowerDFGToB3::getById):
3559         * jit/JIT.cpp:
3560         (JSC::JIT::privateCompileMainPass):
3561         (JSC::JIT::privateCompileSlowCases):
3562         * jit/JIT.h:
3563         * jit/JITOperations.cpp:
3564         * jit/JITOperations.h:
3565         * jit/JITPropertyAccess.cpp:
3566         (JSC::JIT::emit_op_get_by_id_direct):
3567         (JSC::JIT::emitSlow_op_get_by_id_direct):
3568         * jit/JITPropertyAccess32_64.cpp:
3569         (JSC::JIT::emit_op_get_by_id_direct):
3570         (JSC::JIT::emitSlow_op_get_by_id_direct):
3571         * jit/Repatch.cpp:
3572         (JSC::appropriateOptimizingGetByIdFunction):
3573         (JSC::appropriateGetByIdFunction):
3574         (JSC::tryCacheGetByID):
3575         (JSC::repatchGetByID):
3576         (JSC::appropriateGenericGetByIdFunction): Deleted.
3577         * jit/Repatch.h:
3578         * llint/LLIntSlowPaths.cpp:
3579         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3580         * llint/LLIntSlowPaths.h:
3581         * llint/LowLevelInterpreter32_64.asm:
3582         * llint/LowLevelInterpreter64.asm:
3583         * runtime/JSCJSValue.h:
3584         * runtime/JSCJSValueInlines.h:
3585         (JSC::JSValue::getOwnPropertySlot const):
3586         * runtime/JSObject.h:
3587         * runtime/JSObjectInlines.h:
3588         (JSC::JSObject::getOwnPropertySlotInline):
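The following is an added example, not JavaScriptCore code: it models the two lookups this entry contrasts, [[Get]] (what op_get_by_id does, walking the prototype chain) and [[GetOwnProperty]] (what op_get_by_id_direct does, stopping at the receiver), and shows why a builtin's internal-field check must use the latter. The private symbol is modelled with an ordinary Symbol, and the generator/brand-check names are constructed for illustration.

```javascript
// Added example (not WebKit code). Assumption: user code cannot mint the real
// private symbol, so the prototype chain is the only route by which a genuine
// instance's internal field can show up on an object that never had it.
const kGeneratorState = Symbol("constructed: @generatorState private symbol");

// [[Get]] semantics, as op_get_by_id: receiver first, then each prototype.
function getById(object, key) {
  return object[key];
}

// [[GetOwnProperty]] semantics, as op_get_by_id_direct: the receiver only.
function getByIdDirect(object, key) {
  const desc = Object.getOwnPropertyDescriptor(object, key);
  if (desc === undefined) return undefined;
  if ("get" in desc) return desc.get ? desc.get.call(object) : undefined;
  return desc.value;
}

// A minimal "generator instance": the builtin stamps the internal field onto
// the object it creates, the way generatorResume/next rely on @generatorState.
const GeneratorPrototype = {};
function createGenerator() {
  const gen = Object.create(GeneratorPrototype);
  Object.defineProperty(gen, kGeneratorState, { value: "suspendedStart", writable: true });
  return gen;
}

// Models the brand check a builtin performs before touching internal state.
// `lookup` is getById or getByIdDirect; the spec requires a TypeError when the
// receiver itself lacks the internal slot.
function resumeWith(lookup, receiver) {
  const state = lookup(receiver, kGeneratorState);
  if (state === undefined)
    throw new TypeError("receiver is not a generator");
  return state;
}

function classify(lookup, receiver) {
  try {
    return { ok: true, state: resumeWith(lookup, receiver) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// The case the entry cares about: an ordinary object that merely inherits from
// a real generator instance. With [[Get]] the inherited field is found and the
// impostor is treated as a generator; with [[GetOwnProperty]] it is rejected.
function demo() {
  const real = createGenerator();
  const impostor = Object.create(real);
  return {
    realGet: classify(getById, real),
    realDirect: classify(getByIdDirect, real),
    impostorGet: classify(getById, impostor),
    impostorDirect: classify(getByIdDirect, impostor),
  };
}
```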
3589
3590 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3591
3592         [JSC] Remove several asXXX functions
3593         https://bugs.webkit.org/show_bug.cgi?id=184355
3594
3595         Reviewed by JF Bastien.
3596
3597         Remove asActivation, asInternalFunction, and asGetterSetter.
3598         Use jsCast<> / jsDynamicCast<> consistently.
3599
3600         * runtime/ArrayConstructor.cpp:
3601         (JSC::constructArrayWithSizeQuirk):
3602         * runtime/AsyncFunctionConstructor.cpp:
3603         (JSC::callAsyncFunctionConstructor):
3604         (JSC::constructAsyncFunctionConstructor):
3605         * runtime/AsyncGeneratorFunctionConstructor.cpp:
3606         (JSC::callAsyncGeneratorFunctionConstructor):
3607         (JSC::constructAsyncGeneratorFunctionConstructor):
3608         * runtime/BooleanConstructor.cpp:
3609         (JSC::constructWithBooleanConstructor):
3610         * runtime/DateConstructor.cpp:
3611         (JSC::constructWithDateConstructor):
3612         * runtime/ErrorConstructor.cpp:
3613         (JSC::Interpreter::constructWithErrorConstructor):
3614         (JSC::Interpreter::callErrorConstructor):
3615         * runtime/FunctionConstructor.cpp:
3616         (JSC::constructWithFunctionConstructor):
3617         (JSC::callFunctionConstructor):
3618         * runtime/FunctionPrototype.cpp:
3619         (JSC::functionProtoFuncToString):
3620         * runtime/GeneratorFunctionConstructor.cpp:
3621         (JSC::callGeneratorFunctionConstructor):
3622         (JSC::constructGeneratorFunctionConstructor):
3623         * runtime/GetterSetter.h:
3624         (JSC::asGetterSetter): Deleted.
3625         * runtime/InternalFunction.h:
3626         (JSC::asInternalFunction): Deleted.
3627         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3628         (JSC::constructGenericTypedArrayView):
3629         * runtime/JSLexicalEnvironment.h:
3630         (JSC::asActivation): Deleted.
3631         * runtime/JSObject.cpp:
3632         (JSC::validateAndApplyPropertyDescriptor):
3633         * runtime/MapConstructor.cpp:
3634         (JSC::constructMap):
3635         * runtime/PropertyDescriptor.cpp:
3636         (JSC::PropertyDescriptor::setDescriptor):
3637         * runtime/RegExpConstructor.cpp:
3638         (JSC::constructWithRegExpConstructor):
3639         (JSC::callRegExpConstructor):
3640         * runtime/SetConstructor.cpp:
3641         (JSC::constructSet):
3642         * runtime/StringConstructor.cpp:
3643         (JSC::constructWithStringConstructor):
3644         * runtime/WeakMapConstructor.cpp:
3645         (JSC::constructWeakMap):
3646         * runtime/WeakSetConstructor.cpp:
3647         (JSC::constructWeakSet):
3648         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3649         (JSC::constructJSWebAssemblyCompileError):
3650         (JSC::callJSWebAssemblyCompileError):
3651         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3652         (JSC::constructJSWebAssemblyLinkError):
3653         (JSC::callJSWebAssemblyLinkError):
3654         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3655         (JSC::constructJSWebAssemblyRuntimeError):
3656         (JSC::callJSWebAssemblyRuntimeError):
3657
3658 2018-04-05  Mark Lam  <mark.lam@apple.com>
3659
3660         MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
3661         https://bugs.webkit.org/show_bug.cgi?id=184347
3662         <rdar://problem/39183165>
3663
3664         Reviewed by Michael Saboff.
3665
3666         * assembler/MacroAssemblerCodeRef.h:
3667         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3668         (JSC::MacroAssemblerCodePtr::retagged const):
3669
3670 2018-04-05  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3671
3672         [MIPS] Optimize generated JIT code for branches
3673         https://bugs.webkit.org/show_bug.cgi?id=183130
3674
3675         Reviewed by Yusuke Suzuki.
3676
3677         The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
3678         branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
3679         to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
3680         However, this adds a significant overhead for all other types of branches. Since these nops
3681         protect the code that is generated by branchPtrWithPatch, this function seems like a better
3682         place to add them.
3683
3684         * assembler/MIPSAssembler.h:
3685         (JSC::MIPSAssembler::repatchInt32):
3686         (JSC::MIPSAssembler::revertJumpToMove):
3687         * assembler/MacroAssemblerMIPS.h:
3688         (JSC::MacroAssemblerMIPS::branchAdd32):
3689         (JSC::MacroAssemblerMIPS::branchMul32):
3690         (JSC::MacroAssemblerMIPS::branchSub32):
3691         (JSC::MacroAssemblerMIPS::branchNeg32):
3692         (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
3693         (JSC::MacroAssemblerMIPS::branchEqual):
3694         (JSC::MacroAssemblerMIPS::branchNotEqual):
3695
3696 2018-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3697
3698         [WTF] Remove StaticLock
3699         https://bugs.webkit.org/show_bug.cgi?id=184332
3700
3701         Reviewed by Mark Lam.
3702
3703         * API/JSValue.mm:
3704         (handerForStructTag):
3705         * API/JSVirtualMachine.mm:
3706         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
3707         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
3708         * API/glib/JSCVirtualMachine.cpp:
3709         (addWrapper):
3710         (removeWrapper):
3711         * assembler/testmasm.cpp:
3712         * b3/air/testair.cpp:
3713         * b3/testb3.cpp:
3714         * bytecode/SuperSampler.cpp:
3715         * dfg/DFGCommon.cpp:
3716         * dfg/DFGCommonData.cpp:
3717         * dynbench.cpp:
3718         * heap/MachineStackMarker.cpp:
3719         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3720         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
3721         (Inspector::RemoteTargetHandleRunSourceGlobal):
3722         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
3723         * interpreter/CLoopStack.cpp:
3724         * parser/SourceProvider.cpp:
3725         * profiler/ProfilerDatabase.cpp:
3726         * profiler/ProfilerUID.cpp:
3727         (JSC::Profiler::UID::create):
3728         * runtime/IntlObject.cpp:
3729         (JSC::numberingSystemsForLocale):
3730         * runtime/JSLock.cpp:
3731         * runtime/JSLock.h:
3732         * runtime/SamplingProfiler.cpp:
3733         (JSC::SamplingProfiler::registerForReportAtExit):
3734         * runtime/VM.cpp:
3735         * wasm/WasmFaultSignalHandler.cpp:
3736
3737 2018-04-04  Mark Lam  <mark.lam@apple.com>
3738
3739         Add pointer profiling support to the DFG and supporting files.
3740         https://bugs.webkit.org/show_bug.cgi?id=184316
3741         <rdar://problem/39188524>
3742
3743         Reviewed by Filip Pizlo.
3744
3745         1. Profile lots of pointers with PtrTags.
3746
3747         2. Remove PtrTag.cpp and make ptrTagName() into an inline function.  It's only
3748            used for debugging anyway, and not normally called in the code.  Making it
3749            an inline function prevents it from taking up code space in builds when not in
3750            use.
3751
3752         3. Change the call to the arityFixupThunk in DFG code to be a near call.
3753            It doesn't need to be a far call.
3754
3755         * CMakeLists.txt:
3756         * JavaScriptCore.xcodeproj/project.pbxproj:
3757         * Sources.txt:
3758         * assembler/testmasm.cpp:
3759         (JSC::testProbeModifiesProgramCounter):
3760         * b3/B3LowerMacros.cpp:
3761         * b3/air/AirCCallSpecial.cpp:
3762         (JSC::B3::Air::CCallSpecial::generate):
3763         * b3/air/AirCCallSpecial.h:
3764         * b3/testb3.cpp:
3765         (JSC::B3::testInterpreter):
3766         * bytecode/AccessCase.cpp:
3767         (JSC::AccessCase::generateImpl):
3768         * bytecode/HandlerInfo.h:
3769         (JSC::HandlerInfo::initialize):
3770         * bytecode/PolymorphicAccess.cpp:
3771         (JSC::PolymorphicAccess::regenerate):
3772         * dfg/DFGJITCompiler.cpp:
3773         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3774         (JSC::DFG::JITCompiler::link):
3775         (JSC::DFG::JITCompiler::compileFunction):
3776         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3777         * dfg/DFGJITCompiler.h:
3778         (JSC::DFG::JITCompiler::appendCall):
3779         * dfg/DFGOSREntry.cpp:
3780         (JSC::DFG::prepareOSREntry):
3781         * dfg/DFGOSRExit.cpp:
3782         (JSC::DFG::reifyInlinedCallFrames):
3783         (JSC::DFG::adjustAndJumpToTarget):
3784         (JSC::DFG::OSRExit::emitRestoreArguments):
3785         (JSC::DFG::OSRExit::compileOSRExit):
3786         * dfg/DFGOSRExitCompilerCommon.cpp:
3787         (JSC::DFG::handleExitCounts):
3788         (JSC::DFG::reifyInlinedCallFrames):
3789         (JSC::DFG::osrWriteBarrier):
3790         (JSC::DFG::adjustAndJumpToTarget):
3791         * dfg/DFGOperations.cpp:
3792         * dfg/DFGSlowPathGenerator.h:
3793         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
3794         (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
3795         (JSC::DFG::slowPathCall):
3796         * dfg/DFGSpeculativeJIT.cpp:
3797         (JSC::DFG::SpeculativeJIT::compileMathIC):
3798         * dfg/DFGSpeculativeJIT.h:
3799         (JSC::DFG::SpeculativeJIT::callOperation):
3800         (JSC::DFG::SpeculativeJIT::appendCall):
3801         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3802         * dfg/DFGSpeculativeJIT64.cpp:
3803         (JSC::DFG::SpeculativeJIT::cachedGetById):
3804         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3805         (JSC::DFG::SpeculativeJIT::cachedPutById):
3806         (JSC::DFG::SpeculativeJIT::compile):
3807         * dfg/DFGThunks.cpp:
3808         (JSC::DFG::osrExitThunkGenerator):
3809         (JSC::DFG::osrExitGenerationThunkGenerator):
3810         (JSC::DFG::osrEntryThunkGenerator):
3811         * jit/AssemblyHelpers.cpp:
3812         (JSC::AssemblyHelpers::emitDumbVirtualCall):
3813         * jit/JIT.cpp:
3814         (JSC::JIT::emitEnterOptimizationCheck):
3815         (JSC::JIT::compileWithoutLinking):
3816         * jit/JITCall.cpp:
3817         (JSC::JIT::compileOpCallSlowCase):
3818         * jit/JITMathIC.h:
3819         (JSC::isProfileEmpty):
3820         * jit/JITOpcodes.cpp:
3821         (JSC::JIT::emit_op_catch):
3822         (JSC::JIT::emitSlow_op_loop_hint):
3823         * jit/JITOperations.cpp:
3824         * jit/Repatch.cpp:
3825         (JSC::linkSlowFor):
3826         (JSC::linkFor):
3827         (JSC::revertCall):
3828         (JSC::unlinkFor):
3829         (JSC::linkVirtualFor):
3830         (JSC::linkPolymorphicCall):
3831         * jit/ThunkGenerators.cpp:
3832         (JSC::throwExceptionFromCallSlowPathGenerator):
3833         (JSC::linkCallThunkGenerator):
3834         (JSC::linkPolymorphicCallThunkGenerator):
3835         (JSC::virtualThunkFor):
3836         (JSC::arityFixupGenerator):
3837         (JSC::unreachableGenerator):
3838         * runtime/PtrTag.cpp: Removed.
3839         * runtime/PtrTag.h:
3840         (JSC::ptrTagName):
3841         * runtime/VMEntryScope.cpp:
3842         * wasm/js/WasmToJS.cpp:
3843         (JSC::Wasm::wasmToJS):
3844
3845 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
3846
3847         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
3848         https://bugs.webkit.org/show_bug.cgi?id=184319
3849
3850         Reviewed by Saam Barati.
3851
3852         In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
3853         assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
3854         the ArrayPush.
3855
3856         But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
3857         GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
3858         eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
3859         with a GetByVal(SaneChain), then we will hit the assertion.
3860
3861         This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
3862         tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
3863         than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
3864
3865         * dfg/DFGCSEPhase.cpp:
3866         * dfg/DFGClobberize.h:
3867         (JSC::DFG::clobberize):
3868         * dfg/DFGHeapLocation.cpp:
3869         (WTF::printInternal):
3870         * dfg/DFGHeapLocation.h:
3871         * dfg/DFGSpeculativeJIT.cpp:
3872         (JSC::DFG::SpeculativeJIT::compileArrayPush):
3873
3874 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
3875
3876         Remove poisoning of typed array vector
3877         https://bugs.webkit.org/show_bug.cgi?id=184313
3878
3879         Reviewed by Saam Barati.
3880
3881         * dfg/DFGFixupPhase.cpp:
3882         (JSC::DFG::FixupPhase::checkArray):
3883         * dfg/DFGSpeculativeJIT.cpp:
3884         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
3885         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3886         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3887         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
3888         * ftl/FTLAbstractHeapRepository.h:
3889         * ftl/FTLLowerDFGToB3.cpp:
3890         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3891         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
3892         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3893         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
3894         * jit/IntrinsicEmitter.cpp:
3895         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
3896         * jit/JITPropertyAccess.cpp:
3897         (JSC::JIT::emitIntTypedArrayGetByVal):
3898         (JSC::JIT::emitFloatTypedArrayGetByVal):
3899         (JSC::JIT::emitIntTypedArrayPutByVal):
3900         (JSC::JIT::emitFloatTypedArrayPutByVal):
3901         * llint/LowLevelInterpreter.asm:
3902         * llint/LowLevelInterpreter64.asm:
3903         * offlineasm/arm64.rb:
3904         * offlineasm/x86.rb:
3905         * runtime/CagedBarrierPtr.h:
3906         * runtime/JSArrayBufferView.cpp:
3907         (JSC::JSArrayBufferView::JSArrayBufferView):
3908         (JSC::JSArrayBufferView::finalize):
3909         (JSC::JSArrayBufferView::neuter):
3910         * runtime/JSArrayBufferView.h:
3911         (JSC::JSArrayBufferView::vector const):
3912         (JSC::JSArrayBufferView::offsetOfVector):
3913         (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
3914         (JSC::JSArrayBufferView::poisonFor): Deleted.
3915         (JSC::JSArrayBufferView::Poison::key): Deleted.
3916         * runtime/JSCPoison.cpp:
3917         (JSC::initializePoison):
3918         * runtime/JSCPoison.h:
3919         * runtime/JSGenericTypedArrayViewInlines.h:
3920         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
3921         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
3922         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3923         * runtime/JSObject.h:
3924
3925 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
3926
3927         Don't do index masking or poisoning for DirectArguments
3928         https://bugs.webkit.org/show_bug.cgi?id=184280
3929
3930         Reviewed by Saam Barati.
3931
3932         * JavaScriptCore.xcodeproj/project.pbxproj:
3933         * bytecode/AccessCase.cpp:
3934         (JSC::AccessCase::generateWithGuard):
3935         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3936         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
3937         * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
3938         * dfg/DFGSpeculativeJIT.cpp:
3939         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3940         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3941         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3942         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
3943         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
3944         * ftl/FTLAbstractHeapRepository.h:
3945         * ftl/FTLLowerDFGToB3.cpp:
3946         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
3947         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3948         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3949         (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
3950         (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
3951         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3952         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
3953         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
3954         (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
3955         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
3956         * heap/SecurityKind.h:
3957         * jit/JITPropertyAccess.cpp:
3958         (JSC::JIT::emit_op_get_from_arguments):
3959         (JSC::JIT::emit_op_put_to_arguments):
3960         (JSC::JIT::emitDirectArgumentsGetByVal):
3961         * jit/JITPropertyAccess32_64.cpp:
3962         (JSC::JIT::emit_op_get_from_arguments):
3963         (JSC::JIT::emit_op_put_to_arguments):
3964         * llint/LowLevelInterpreter.asm:
3965         * llint/LowLevelInterpreter32_64.asm:
3966         * llint/LowLevelInterpreter64.asm:
3967         * runtime/DirectArguments.cpp:
3968         (JSC::DirectArguments::DirectArguments):
3969         (JSC::DirectArguments::createUninitialized):
3970         (JSC::DirectArguments::create):
3971         (JSC::DirectArguments::createByCopying):