2018-05-31 Kocsen Chung Cherry-pick r232313. rdar://problem/40050814 LLInt get_by_id prototype caching doesn't properly handle changes https://bugs.webkit.org/show_bug.cgi?id=186112 Reviewed by Filip Pizlo. JSTests: * stress/llint-proto-get-by-id-cache-change-prototype.js: Added. (foo): * stress/llint-proto-get-by-id-cache-intercept-value.js: Added. (foo): Source/JavaScriptCore: The caching would sometimes fail to track that a prototype had changed and wouldn't update its set of watchpoints. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finalizeLLIntInlineCaches): * bytecode/CodeBlock.h: * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): * bytecode/ObjectPropertyConditionSet.h: (JSC::ObjectPropertyConditionSet::size const): * bytecode/Watchpoint.h: (JSC::Watchpoint::Watchpoint): Deleted. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::setupGetByIdPrototypeCache): Source/WTF: Mark some methods const. * wtf/Bag.h: (WTF::Bag::begin const): (WTF::Bag::end const): (WTF::Bag::unwrappedHead const): (WTF::Bag::end): Deleted. (WTF::Bag::unwrappedHead): Deleted. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232313 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-05-30 Keith Miller LLInt get_by_id prototype caching doesn't properly handle changes https://bugs.webkit.org/show_bug.cgi?id=186112 Reviewed by Filip Pizlo. The caching would sometimes fail to track that a prototype had changed and wouldn't update its set of watchpoints. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finalizeLLIntInlineCaches): * bytecode/CodeBlock.h: * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): * bytecode/ObjectPropertyConditionSet.h: (JSC::ObjectPropertyConditionSet::size const): * bytecode/Watchpoint.h: (JSC::Watchpoint::Watchpoint): Deleted. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::setupGetByIdPrototypeCache): 2018-05-31 Kocsen Chung Revert r231595. rdar://problem/40050814 2018-05-31 Kocsen Chung Revert r231540. rdar://problem/40050814 2018-05-31 Kocsen Chung Cherry-pick r232219. rdar://problem/40641075 for-in loops should preserve and restore the TDZ stack for each of its internal loops. https://bugs.webkit.org/show_bug.cgi?id=185995 Reviewed by Saam Barati. JSTests: * stress/regress-185995.js: Added. Source/JavaScriptCore: This is because there's no guarantee that any of the loop bodies will be executed. Hence, there's no guarantee that the TDZ variables will have been initialized after each loop body. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::preserveTDZStack): (JSC::BytecodeGenerator::restoreTDZStack): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::ForInNode::emitBytecode): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232219 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-05-25 Mark Lam for-in loops should preserve and restore the TDZ stack for each of its internal loops. https://bugs.webkit.org/show_bug.cgi?id=185995 Reviewed by Saam Barati. This is because there's no guarantee that any of the loop bodies will be executed. Hence, there's no guarantee that the TDZ variables will have been initialized after each loop body. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::preserveTDZStack): (JSC::BytecodeGenerator::restoreTDZStack): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::ForInNode::emitBytecode): 2018-05-17 Kocsen Chung Cherry-pick r231871. rdar://problem/40346090 DFG models InstanceOf incorrectly https://bugs.webkit.org/show_bug.cgi?id=185694 Reviewed by Keith Miller. JSTests: * stress/instanceof-proxy-check-structure.js: Added. (Foo): (Bar): (doBadThings): (getPrototypeOf): (foo): (i.new.Bar): (new.Bar): * stress/instanceof-proxy-loop.js: Added. (Foo): (Bar): (doBadThings): (getPrototypeOf): (foo): * stress/instanceof-proxy.js: Added. (Foo): (Bar): (doBadThings): (getPrototypeOf): (foo): Source/JavaScriptCore: Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or hoist it. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGHeapLocation.cpp: (WTF::printInternal): * dfg/DFGHeapLocation.h: * dfg/DFGNodeType.h: git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231871 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-05-16 Filip Pizlo DFG models InstanceOf incorrectly https://bugs.webkit.org/show_bug.cgi?id=185694 Reviewed by Keith Miller. Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or hoist it. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGHeapLocation.cpp: (WTF::printInternal): * dfg/DFGHeapLocation.h: * dfg/DFGNodeType.h: 2018-05-15 Kocsen Chung Cherry-pick r230485. rdar://problem/39988105 REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq https://bugs.webkit.org/show_bug.cgi?id=184455 Reviewed by Michael Saboff. LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that the thing being hoisted does have effects, then we get a crash. In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only ComapreEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't effectful. Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking clobberize to also think that CompareEq(Untyped:, _) is effectful. This fixes the whole situation by teaching both clobberize and AI that the only effectful form of CompareEq is ComapreEq(Untyped:, Untyped:). * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230485 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-04-10 Filip Pizlo REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq https://bugs.webkit.org/show_bug.cgi?id=184455 Reviewed by Michael Saboff. LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that the thing being hoisted does have effects, then we get a crash. In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only ComapreEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't effectful. Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking clobberize to also think that CompareEq(Untyped:, _) is effectful. This fixes the whole situation by teaching both clobberize and AI that the only effectful form of CompareEq is ComapreEq(Untyped:, Untyped:). * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): 2018-05-15 Kocsen Chung Cherry-pick r231317. rdar://problem/39988108 WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript https://bugs.webkit.org/show_bug.cgi?id=185231 Reviewed by Saam Barati. We weren't clearing the scratch register cache when switching back and forth between allowing scratch register usage. We disallow scratch register usage when we are in code that will freely allocate and use any register. Such usage can change the contents of scratch registers. For ARM64, where we cache the contents of scratch registers to reuse some or all of the contained values, we need to invalidate these caches. We do this when re-enabling scratch register usage, that is when we transition from disallow to allow scratch register usage. Added a new Air regression test. * assembler/AllowMacroScratchRegisterUsage.h: (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage): * assembler/AllowMacroScratchRegisterUsageIf.h: (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf): * assembler/DisallowMacroScratchRegisterUsage.h: (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage): * b3/air/testair.cpp: git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231317 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-05-03 Michael Saboff WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript https://bugs.webkit.org/show_bug.cgi?id=185231 Reviewed by Saam Barati. We weren't clearing the scratch register cache when switching back and forth between allowing scratch register usage. We disallow scratch register usage when we are in code that will freely allocate and use any register. Such usage can change the contents of scratch registers. For ARM64, where we cache the contents of scratch registers to reuse some or all of the contained values, we need to invalidate these caches. We do this when re-enabling scratch register usage, that is when we transition from disallow to allow scratch register usage. Added a new Air regression test. * assembler/AllowMacroScratchRegisterUsage.h: (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage): * assembler/AllowMacroScratchRegisterUsageIf.h: (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf): * assembler/DisallowMacroScratchRegisterUsage.h: (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage): * b3/air/testair.cpp: 2018-05-15 Kocsen Chung Cherry-pick r230486. rdar://problem/39988121 ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally() https://bugs.webkit.org/show_bug.cgi?id=184460 Reviewed by Mark Lam. * bytecode/ExecutableToCodeBlockEdge.cpp: (JSC::ExecutableToCodeBlockEdge::visitChildren): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230486 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-04-10 Filip Pizlo ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally() https://bugs.webkit.org/show_bug.cgi?id=184460 Reviewed by Mark Lam. * bytecode/ExecutableToCodeBlockEdge.cpp: (JSC::ExecutableToCodeBlockEdge::visitChildren): 2018-05-15 Kocsen Chung Cherry-pick r230465. rdar://problem/39988131 Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit https://bugs.webkit.org/show_bug.cgi?id=184372 Reviewed by Saam Barati. We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we have already proved, using techniques that are more precise than AI, that the edge has type Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom, because we have a bad habit of treating terminate/terminateSpeculativeExecution as something other than a check - so we think we can call those just because we should have already bailed. It's better to think of them as the result of folding a check. Therefore, we should only do it if there had been a check to begin with. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::lowInt32): (JSC::FTL::DFG::LowerDFGToB3::lowInt52): (JSC::FTL::DFG::LowerDFGToB3::lowCell): (JSC::FTL::DFG::LowerDFGToB3::lowBoolean): (JSC::FTL::DFG::LowerDFGToB3::lowDouble): (JSC::FTL::DFG::LowerDFGToB3::speculate): (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther): (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230465 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-04-09 Filip Pizlo Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit https://bugs.webkit.org/show_bug.cgi?id=184372 Reviewed by Saam Barati. We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we have already proved, using techniques that are more precise than AI, that the edge has type Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom, because we have a bad habit of treating terminate/terminateSpeculativeExecution as something other than a check - so we think we can call those just because we should have already bailed. It's better to think of them as the result of folding a check. Therefore, we should only do it if there had been a check to begin with. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::lowInt32): (JSC::FTL::DFG::LowerDFGToB3::lowInt52): (JSC::FTL::DFG::LowerDFGToB3::lowCell): (JSC::FTL::DFG::LowerDFGToB3::lowBoolean): (JSC::FTL::DFG::LowerDFGToB3::lowDouble): (JSC::FTL::DFG::LowerDFGToB3::speculate): (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther): (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther): 2018-05-09 Keith Miller Cherry-pick r231316. rdar://problem/40050814 Remove the prototype caching for get_by_id in the LLInt https://bugs.webkit.org/show_bug.cgi?id=185226 Reviewed by Michael Saboff. There is no evidence that this is actually a speedup and we keep getting bugs with it. At this point it seems like we should just remove this code. * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * bytecode/BytecodeDumper.cpp: (JSC::BytecodeDumper::printGetByIdOp): (JSC::BytecodeDumper::printGetByIdCacheStatus): (JSC::BytecodeDumper::dumpBytecode): * bytecode/BytecodeList.json: * bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): (JSC::computeDefsForBytecodeOffset): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finalizeLLIntInlineCaches): * bytecode/CodeBlock.h: (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted. * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFromLLInt): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitGetById): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::setupGetByIdPrototypeCache): Deleted. * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/Options.h: 2018-05-09 Jason Marcell Cherry-pick r231518. rdar://problem/40096743 Deferred firing of structure transition watchpoints is racy https://bugs.webkit.org/show_bug.cgi?id=185438 Reviewed by Saam Barati. Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire and fire them in the destructor. When the watchpoints are taken from the original WatchpointSet, that WatchpointSet if marked invalid. * bytecode/Watchpoint.cpp: (JSC::WatchpointSet::fireAllSlow): (JSC::WatchpointSet::take): (JSC::DeferredWatchpointFire::DeferredWatchpointFire): (JSC::DeferredWatchpointFire::~DeferredWatchpointFire): (JSC::DeferredWatchpointFire::fireAll): (JSC::DeferredWatchpointFire::takeWatchpointsToFire): * bytecode/Watchpoint.h: (JSC::WatchpointSet::fireAll): (JSC::InlineWatchpointSet::fireAll): * runtime/JSObject.cpp: (JSC::JSObject::setPrototypeDirect): (JSC::JSObject::convertToDictionary): * runtime/JSObjectInlines.h: (JSC::JSObject::putDirectInternal): * runtime/Structure.cpp: (JSC::Structure::Structure): (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire): (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire): (JSC::DeferredStructureTransitionWatchpointFire::dump const): (JSC::Structure::didTransitionFromThisStructure const): (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted. * runtime/Structure.h: (JSC::DeferredStructureTransitionWatchpointFire::structure const): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231518 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-05-08 Michael Saboff Deferred firing of structure transition watchpoints is racy https://bugs.webkit.org/show_bug.cgi?id=185438 Reviewed by Saam Barati. Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire and fire them in the destructor. When the watchpoints are taken from the original WatchpointSet, that WatchpointSet if marked invalid. * bytecode/Watchpoint.cpp: (JSC::WatchpointSet::fireAllSlow): (JSC::WatchpointSet::take): (JSC::DeferredWatchpointFire::DeferredWatchpointFire): (JSC::DeferredWatchpointFire::~DeferredWatchpointFire): (JSC::DeferredWatchpointFire::fireAll): (JSC::DeferredWatchpointFire::takeWatchpointsToFire): * bytecode/Watchpoint.h: (JSC::WatchpointSet::fireAll): (JSC::InlineWatchpointSet::fireAll): * runtime/JSObject.cpp: (JSC::JSObject::setPrototypeDirect): (JSC::JSObject::convertToDictionary): * runtime/JSObjectInlines.h: (JSC::JSObject::putDirectInternal): * runtime/Structure.cpp: (JSC::Structure::Structure): (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire): (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire): (JSC::DeferredStructureTransitionWatchpointFire::dump const): (JSC::Structure::didTransitionFromThisStructure const): (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted. * runtime/Structure.h: (JSC::DeferredStructureTransitionWatchpointFire::structure const): 2018-05-08 Jason Marcell Cherry-pick r231332. rdar://problem/40050814 Unreviewed, fix 32-bit profile offset for change in bytecode length of the get_by_id and get_array_length opcodes. * llint/LowLevelInterpreter32_64.asm: git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231332 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-05-03 Keith Miller Unreviewed, fix 32-bit profile offset for change in bytecode length of the get_by_id and get_array_length opcodes. * llint/LowLevelInterpreter32_64.asm: 2018-05-08 Jason Marcell Cherry-pick r230980. rdar://problem/40050820 fromCharCode is missing some exception checks https://bugs.webkit.org/show_bug.cgi?id=184952 Reviewed by Saam Barati. JSTests: * stress/fromCharCode-exception-check.js: Added. (get catch): Source/JavaScriptCore: I also removed the pointless slow path function and moved it into the main function. * runtime/StringConstructor.cpp: (JSC::stringFromCharCode): (JSC::stringFromCharCodeSlowCase): Deleted. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230980 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-04-24 Keith Miller fromCharCode is missing some exception checks https://bugs.webkit.org/show_bug.cgi?id=184952 Reviewed by Saam Barati. I also removed the pointless slow path function and moved it into the main function. * runtime/StringConstructor.cpp: (JSC::stringFromCharCode): (JSC::stringFromCharCodeSlowCase): Deleted. 2018-05-08 Jason Marcell Cherry-pick r231196. rdar://problem/40050709 IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u' https://bugs.webkit.org/show_bug.cgi?id=185162 Reviewed by Filip Pizlo. JSTests: * stress/incomplete-unicode-locale.js: Added. (catch): Source/JavaScriptCore: * runtime/IntlObject.cpp: (JSC::removeUnicodeLocaleExtension): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231196 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-05-01 Robin Morisset IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u' https://bugs.webkit.org/show_bug.cgi?id=185162 Reviewed by Filip Pizlo. * runtime/IntlObject.cpp: (JSC::removeUnicodeLocaleExtension): 2018-05-08 Jason Marcell Cherry-pick r231034. rdar://problem/40050717 In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint https://bugs.webkit.org/show_bug.cgi?id=184773 Reviewed by Filip Pizlo. JSTests: This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine so I decided to add it to the stress tests nonetheless. * stress/create-rest-while-having-a-bad-time.js: Added. (f): (g): (h): Source/JavaScriptCore: We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous). arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'. This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32). We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time. This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231034 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-04-25 Robin Morisset In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint https://bugs.webkit.org/show_bug.cgi?id=184773 Reviewed by Filip Pizlo. We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous). arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'. This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32). We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time. This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest): 2018-05-08 Jason Marcell Cherry-pick r230740. rdar://problem/40050731 A put is not an ExistingProperty put when we transition a structure because of an attributes change https://bugs.webkit.org/show_bug.cgi?id=184706 Reviewed by Saam Barati. JSTests: * stress/put-by-id-direct-strict-transition.js: Added. (const.foo): (j.const.obj.set hello): * stress/put-by-id-direct-transition.js: Added. (const.foo): (j.const.obj.set hello): * stress/put-getter-setter-by-id-strict-transition.js: Added. (const.foo): (j.const.obj.set hello): * stress/put-getter-setter-by-id-transition.js: Added. (const.foo): (j.const.obj.set hello): Source/JavaScriptCore: When putting a property on a structure and the slot is a different type, the slot can't be said to have already been existing. * runtime/JSObjectInlines.h: (JSC::JSObject::putDirectInternal): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230740 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-04-17 JF Bastien A put is not an ExistingProperty put when we transition a structure because of an attributes change https://bugs.webkit.org/show_bug.cgi?id=184706 Reviewed by Saam Barati. When putting a property on a structure and the slot is a different type, the slot can't be said to have already been existing. * runtime/JSObjectInlines.h: (JSC::JSObject::putDirectInternal): 2018-04-26 Jason Marcell Cherry-pick r230459. rdar://problem/39766214 [JSC] Introduce @putByIdDirectPrivate https://bugs.webkit.org/show_bug.cgi?id=184400 Reviewed by Saam Barati. This patch adds @putByIdDirectPrivate() to use it for builtin JS. @getByIdDirectPrivate and @putByIdDirectPrivate are pair of intrinsics accessing to ECMAScript internal fields. This change removes accidental [[Put]] operation to an object whose [[Prototype]] has internal fields (not direct properties). By using @getByIdDirectPrivate() and @putByIdDirectPrivate(), we strongly keep the semantics of the ECMAScript internal fields that accessing to the internal fields does not traverse prototype chains. * builtins/ArrayIteratorPrototype.js: (globalPrivate.arrayIteratorValueNext): (globalPrivate.arrayIteratorKeyNext): (globalPrivate.arrayIteratorKeyValueNext): * builtins/ArrayPrototype.js: (globalPrivate.createArrayIterator): * builtins/AsyncFromSyncIteratorPrototype.js: (globalPrivate.AsyncFromSyncIteratorConstructor): * builtins/AsyncFunctionPrototype.js: (globalPrivate.asyncFunctionResume): * builtins/AsyncGeneratorPrototype.js: (globalPrivate.asyncGeneratorQueueEnqueue): (globalPrivate.asyncGeneratorQueueDequeue): (asyncGeneratorYieldAwaited): (globalPrivate.asyncGeneratorYield): (globalPrivate.doAsyncGeneratorBodyCall): (globalPrivate.asyncGeneratorResumeNext): * builtins/GeneratorPrototype.js: (globalPrivate.generatorResume): * builtins/MapIteratorPrototype.js: (globalPrivate.mapIteratorNext): * builtins/MapPrototype.js: (globalPrivate.createMapIterator): * builtins/ModuleLoaderPrototype.js: (forceFulfillPromise): * builtins/PromiseOperations.js: (globalPrivate.newHandledRejectedPromise): (globalPrivate.rejectPromise): (globalPrivate.fulfillPromise): (globalPrivate.initializePromise): * builtins/PromisePrototype.js: (then): * builtins/SetIteratorPrototype.js: (globalPrivate.setIteratorNext): * builtins/SetPrototype.js: (globalPrivate.createSetIterator): * builtins/StringIteratorPrototype.js: (next): * bytecode/BytecodeIntrinsicRegistry.h: * bytecompiler/NodesCodegen.cpp: (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect): (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230459 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-04-08 Yusuke Suzuki [JSC] Introduce @putByIdDirectPrivate https://bugs.webkit.org/show_bug.cgi?id=184400 Reviewed by Saam Barati. This patch adds @putByIdDirectPrivate() to use it for builtin JS. @getByIdDirectPrivate and @putByIdDirectPrivate are pair of intrinsics accessing to ECMAScript internal fields. This change removes accidental [[Put]] operation to an object whose [[Prototype]] has internal fields (not direct properties). By using @getByIdDirectPrivate() and @putByIdDirectPrivate(), we strongly keep the semantics of the ECMAScript internal fields that accessing to the internal fields does not traverse prototype chains. * builtins/ArrayIteratorPrototype.js: (globalPrivate.arrayIteratorValueNext): (globalPrivate.arrayIteratorKeyNext): (globalPrivate.arrayIteratorKeyValueNext): * builtins/ArrayPrototype.js: (globalPrivate.createArrayIterator): * builtins/AsyncFromSyncIteratorPrototype.js: (globalPrivate.AsyncFromSyncIteratorConstructor): * builtins/AsyncFunctionPrototype.js: (globalPrivate.asyncFunctionResume): * builtins/AsyncGeneratorPrototype.js: (globalPrivate.asyncGeneratorQueueEnqueue): (globalPrivate.asyncGeneratorQueueDequeue): (asyncGeneratorYieldAwaited): (globalPrivate.asyncGeneratorYield): (globalPrivate.doAsyncGeneratorBodyCall): (globalPrivate.asyncGeneratorResumeNext): * builtins/GeneratorPrototype.js: (globalPrivate.generatorResume): * builtins/MapIteratorPrototype.js: (globalPrivate.mapIteratorNext): * builtins/MapPrototype.js: (globalPrivate.createMapIterator): * builtins/ModuleLoaderPrototype.js: (forceFulfillPromise): * builtins/PromiseOperations.js: (globalPrivate.newHandledRejectedPromise): (globalPrivate.rejectPromise): (globalPrivate.fulfillPromise): (globalPrivate.initializePromise): * builtins/PromisePrototype.js: (then): * builtins/SetIteratorPrototype.js: (globalPrivate.setIteratorNext): * builtins/SetPrototype.js: (globalPrivate.createSetIterator): * builtins/StringIteratorPrototype.js: (next): * bytecode/BytecodeIntrinsicRegistry.h: * bytecompiler/NodesCodegen.cpp: (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect): (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate): 2018-04-17 Kocsen Chung Cherry-pick r230662. rdar://problem/39496355 Function.prototype.caller shouldn't return generator bodies https://bugs.webkit.org/show_bug.cgi?id=184630 Reviewed by Yusuke Suzuki. JSTests: * stress/function-caller-async-arrow-function-body.js: Added. * stress/function-caller-async-function-body.js: Added. * stress/function-caller-async-generator-body.js: Added. * stress/function-caller-generator-body.js: Added. * stress/function-caller-generator-method-body.js: Added. Source/JavaScriptCore: Function.prototype.caller no longer returns generator bodies. Those are meant to be private. Also added some builtin debugging tools so that it's easier to do the investigation that I did. * builtins/BuiltinNames.h: * runtime/JSFunction.cpp: (JSC::JSFunction::callerGetter): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncBuiltinDescribe): * runtime/JSGlobalObjectFunctions.h: git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230662 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-04-14 Filip Pizlo Function.prototype.caller shouldn't return generator bodies https://bugs.webkit.org/show_bug.cgi?id=184630 Reviewed by Yusuke Suzuki. Function.prototype.caller no longer returns generator bodies. Those are meant to be private. Also added some builtin debugging tools so that it's easier to do the investigation that I did. * builtins/BuiltinNames.h: * runtime/JSFunction.cpp: (JSC::JSFunction::callerGetter): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncBuiltinDescribe): * runtime/JSGlobalObjectFunctions.h: 2018-04-11 Kocsen Chung Cherry-pick r230494. rdar://problem/39337455 Unreviewed, fix cloop build. * dfg/DFGAbstractInterpreterClobberState.cpp: git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230494 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-04-10 Filip Pizlo Unreviewed, fix cloop build. * dfg/DFGAbstractInterpreterClobberState.cpp: 2018-04-11 Kocsen Chung Cherry-pick r227692. rdar://problem/39337417 We should only append ParserArenaDeletable pointers to ParserArena::m_deletableObjects. https://bugs.webkit.org/show_bug.cgi?id=182180 Reviewed by Michael Saboff. Some parser Node subclasses extend ParserArenaDeletable via multiple inheritance, but not as the Node's first base class. ParserArena::m_deletableObjects is expecting pointers to objects of the shape of ParserArenaDeletable. We ensure this by allocating the Node subclass, and casting it to ParserArenaDeletable to get the correct pointer to append to ParserArena::m_deletableObjects. To simplify things, we introduce a JSC_MAKE_PARSER_ARENA_DELETABLE_ALLOCATED (analogous to WTF_MAKE_FAST_ALLOCATED) for use in Node subclasses that extends ParserArenaDeletable. * parser/NodeConstructors.h: (JSC::ParserArenaDeletable::operator new): * parser/Nodes.h: * parser/ParserArena.h: (JSC::ParserArena::allocateDeletable): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@227692 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-01-26 Mark Lam We should only append ParserArenaDeletable pointers to ParserArena::m_deletableObjects. https://bugs.webkit.org/show_bug.cgi?id=182180 Reviewed by Michael Saboff. Some parser Node subclasses extend ParserArenaDeletable via multiple inheritance, but not as the Node's first base class. ParserArena::m_deletableObjects is expecting pointers to objects of the shape of ParserArenaDeletable. We ensure this by allocating the Node subclass, and casting it to ParserArenaDeletable to get the correct pointer to append to ParserArena::m_deletableObjects. To simplify things, we introduce a JSC_MAKE_PARSER_ARENA_DELETABLE_ALLOCATED (analogous to WTF_MAKE_FAST_ALLOCATED) for use in Node subclasses that extends ParserArenaDeletable. * parser/NodeConstructors.h: (JSC::ParserArenaDeletable::operator new): * parser/Nodes.h: * parser/ParserArena.h: (JSC::ParserArena::allocateDeletable): 2018-04-10 Kocsen Chung Cherry-pick r230379. rdar://problem/39317885 Unreviewed, follow-up patch for DFG 32bit https://bugs.webkit.org/show_bug.cgi?id=183970 * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::cachedGetById): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230379 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-04-08 Yusuke Suzuki Unreviewed, follow-up patch for DFG 32bit https://bugs.webkit.org/show_bug.cgi?id=183970 * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::cachedGetById): 2018-04-10 Kocsen Chung Cherry-pick r230376. rdar://problem/39317885 [JSC] Introduce op_get_by_id_direct https://bugs.webkit.org/show_bug.cgi?id=183970 Reviewed by Filip Pizlo. JSTests: * stress/generator-prototype-copy.js: Added. (gen): (catch): Adopted JF's tests. * stress/generator-type-check.js: Added. (shouldThrow): (foo2): (i.shouldThrow): * stress/get-by-id-direct-getter.js: Added. (shouldBe): (shouldThrow): (obj.get hello): (builtin.createBuiltin): (obj2.get length): * stress/get-by-id-direct.js: Added. (shouldBe): (shouldThrow): (builtin.createBuiltin): * test262.yaml: We fixed long-standing spec compatibility issue. As a result, this patch makes several test262 tests passed! Source/JavaScriptCore: This patch introduces op_get_by_id_direct bytecode. This is super similar to op_get_by_id. But it just performs [[GetOwnProperty]] operation instead of [[Get]]. We support this in all the tiers, so using this opcode does not lead to inefficiency. Main purpose of this op_get_by_id_direct is using it for private properties. We are using properties indexed with private symbols to implement ECMAScript internal fields. Before this patch, we just use get and put operations. However, it is not the correct semantics: accessing to the internal fields should not traverse prototype chain, which is specified in the spec. We use op_get_by_id_direct to access to properties which are used internal fields, so that prototype chains are not traversed. To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate(). When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the bytecode `op_get_by_id_direct, object, @name`. * builtins/ArrayIteratorPrototype.js: (next): (globalPrivate.arrayIteratorValueNext): (globalPrivate.arrayIteratorKeyNext): (globalPrivate.arrayIteratorKeyValueNext): * builtins/AsyncFromSyncIteratorPrototype.js: * builtins/AsyncFunctionPrototype.js: (globalPrivate.asyncFunctionResume): * builtins/AsyncGeneratorPrototype.js: (globalPrivate.asyncGeneratorQueueIsEmpty): (globalPrivate.asyncGeneratorQueueEnqueue): (globalPrivate.asyncGeneratorQueueDequeue): (globalPrivate.asyncGeneratorDequeue): (globalPrivate.isExecutionState): (globalPrivate.isSuspendYieldState): (globalPrivate.asyncGeneratorReject): (globalPrivate.asyncGeneratorResolve): (globalPrivate.doAsyncGeneratorBodyCall): (globalPrivate.asyncGeneratorEnqueue): * builtins/GeneratorPrototype.js: (globalPrivate.generatorResume): (next): (return): (throw): * builtins/MapIteratorPrototype.js: (next): * builtins/PromiseOperations.js: (globalPrivate.isPromise): (globalPrivate.rejectPromise): (globalPrivate.fulfillPromise): * builtins/PromisePrototype.js: (then): * builtins/SetIteratorPrototype.js: (next): * builtins/StringIteratorPrototype.js: (next): * builtins/TypedArrayConstructor.js: (of): (from): * bytecode/BytecodeDumper.cpp: (JSC::BytecodeDumper::dumpBytecode): * bytecode/BytecodeIntrinsicRegistry.h: * bytecode/BytecodeList.json: * bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): (JSC::computeDefsForBytecodeOffset): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): (JSC::CodeBlock::finalizeLLIntInlineCaches): * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFromLLInt): (JSC::GetByIdStatus::computeFor): * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::reset): * bytecode/StructureStubInfo.h: (JSC::appropriateOptimizingGetByIdFunction): (JSC::appropriateGenericGetByIdFunction): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitDirectGetById): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect): (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::convertToGetByOffset): (JSC::DFG::Node::convertToMultiGetByOffset): (JSC::DFG::Node::hasIdentifier): (JSC::DFG::Node::hasHeapPrediction): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetById): (JSC::DFG::SpeculativeJIT::compileGetByIdFlush): (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileGetById): (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis): (JSC::FTL::DFG::LowerDFGToB3::getById): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: * jit/JITOperations.cpp: * jit/JITOperations.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_get_by_id_direct): (JSC::JIT::emitSlow_op_get_by_id_direct): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_get_by_id_direct): (JSC::JIT::emitSlow_op_get_by_id_direct): * jit/Repatch.cpp: (JSC::appropriateOptimizingGetByIdFunction): (JSC::appropriateGetByIdFunction): (JSC::tryCacheGetByID): (JSC::repatchGetByID): (JSC::appropriateGenericGetByIdFunction): Deleted. * jit/Repatch.h: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LLIntSlowPaths.h: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/JSCJSValue.h: * runtime/JSCJSValueInlines.h: (JSC::JSValue::getOwnPropertySlot const): * runtime/JSObject.h: * runtime/JSObjectInlines.h: (JSC::JSObject::getOwnPropertySlotInline): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230376 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-04-08 Yusuke Suzuki [JSC] Introduce op_get_by_id_direct https://bugs.webkit.org/show_bug.cgi?id=183970 Reviewed by Filip Pizlo. This patch introduces op_get_by_id_direct bytecode. This is super similar to op_get_by_id. But it just performs [[GetOwnProperty]] operation instead of [[Get]]. We support this in all the tiers, so using this opcode does not lead to inefficiency. Main purpose of this op_get_by_id_direct is using it for private properties. We are using properties indexed with private symbols to implement ECMAScript internal fields. Before this patch, we just use get and put operations. However, it is not the correct semantics: accessing to the internal fields should not traverse prototype chain, which is specified in the spec. We use op_get_by_id_direct to access to properties which are used internal fields, so that prototype chains are not traversed. To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate(). When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the bytecode `op_get_by_id_direct, object, @name`. * builtins/ArrayIteratorPrototype.js: (next): (globalPrivate.arrayIteratorValueNext): (globalPrivate.arrayIteratorKeyNext): (globalPrivate.arrayIteratorKeyValueNext): * builtins/AsyncFromSyncIteratorPrototype.js: * builtins/AsyncFunctionPrototype.js: (globalPrivate.asyncFunctionResume): * builtins/AsyncGeneratorPrototype.js: (globalPrivate.asyncGeneratorQueueIsEmpty): (globalPrivate.asyncGeneratorQueueEnqueue): (globalPrivate.asyncGeneratorQueueDequeue): (globalPrivate.asyncGeneratorDequeue): (globalPrivate.isExecutionState): (globalPrivate.isSuspendYieldState): (globalPrivate.asyncGeneratorReject): (globalPrivate.asyncGeneratorResolve): (globalPrivate.doAsyncGeneratorBodyCall): (globalPrivate.asyncGeneratorEnqueue): * builtins/GeneratorPrototype.js: (globalPrivate.generatorResume): (next): (return): (throw): * builtins/MapIteratorPrototype.js: (next): * builtins/PromiseOperations.js: (globalPrivate.isPromise): (globalPrivate.rejectPromise): (globalPrivate.fulfillPromise): * builtins/PromisePrototype.js: (then): * builtins/SetIteratorPrototype.js: (next): * builtins/StringIteratorPrototype.js: (next): * builtins/TypedArrayConstructor.js: (of): (from): * bytecode/BytecodeDumper.cpp: (JSC::BytecodeDumper::dumpBytecode): * bytecode/BytecodeIntrinsicRegistry.h: * bytecode/BytecodeList.json: * bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): (JSC::computeDefsForBytecodeOffset): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): (JSC::CodeBlock::finalizeLLIntInlineCaches): * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFromLLInt): (JSC::GetByIdStatus::computeFor): * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::reset): * bytecode/StructureStubInfo.h: (JSC::appropriateOptimizingGetByIdFunction): (JSC::appropriateGenericGetByIdFunction): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitDirectGetById): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect): (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::convertToGetByOffset): (JSC::DFG::Node::convertToMultiGetByOffset): (JSC::DFG::Node::hasIdentifier): (JSC::DFG::Node::hasHeapPrediction): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetById): (JSC::DFG::SpeculativeJIT::compileGetByIdFlush): (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileGetById): (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis): (JSC::FTL::DFG::LowerDFGToB3::getById): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: * jit/JITOperations.cpp: * jit/JITOperations.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_get_by_id_direct): (JSC::JIT::emitSlow_op_get_by_id_direct): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_get_by_id_direct): (JSC::JIT::emitSlow_op_get_by_id_direct): * jit/Repatch.cpp: (JSC::appropriateOptimizingGetByIdFunction): (JSC::appropriateGetByIdFunction): (JSC::tryCacheGetByID): (JSC::repatchGetByID): (JSC::appropriateGenericGetByIdFunction): Deleted. * jit/Repatch.h: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LLIntSlowPaths.h: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/JSCJSValue.h: * runtime/JSCJSValueInlines.h: (JSC::JSValue::getOwnPropertySlot const): * runtime/JSObject.h: * runtime/JSObjectInlines.h: (JSC::JSObject::getOwnPropertySlotInline): 2018-04-05 Jason Marcell Cherry-pick r230287. rdar://problem/39208588 REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain https://bugs.webkit.org/show_bug.cgi?id=184319 Reviewed by Saam Barati. JSTests: * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added. (foo): (bar): * stress/array-push-nan-to-double-array.js: Added. (foo): (bar): Source/JavaScriptCore: In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before the ArrayPush. But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with a InBounds GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that with a GetByVal(SaneChain), then we will hit the assertion. This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain. * dfg/DFGCSEPhase.cpp: * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGHeapLocation.cpp: (WTF::printInternal): * dfg/DFGHeapLocation.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileArrayPush): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230287 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-04-04 Filip Pizlo REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain https://bugs.webkit.org/show_bug.cgi?id=184319 Reviewed by Saam Barati. In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before the ArrayPush. But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with a InBounds GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that with a GetByVal(SaneChain), then we will hit the assertion. This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain. * dfg/DFGCSEPhase.cpp: * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGHeapLocation.cpp: (WTF::printInternal): * dfg/DFGHeapLocation.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileArrayPush): 2018-04-03 Jason Marcell Cherry-pick r229987. rdar://problem/39155464 DFG should know that CreateThis can be effectful https://bugs.webkit.org/show_bug.cgi?id=184013 Reviewed by Saam Barati. JSTests: * stress/create-this-property-change.js: Added. (Foo): (RealBar): (get if): * stress/create-this-structure-change-without-cse.js: Added. (Foo): (RealBar): (get if): * stress/create-this-structure-change.js: Added. (Foo): (RealBar): (get if): Source/JavaScriptCore: As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this is a proxy. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229987 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-03-26 Filip Pizlo DFG should know that CreateThis can be effectful https://bugs.webkit.org/show_bug.cgi?id=184013 Reviewed by Saam Barati. As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this is a proxy. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): 2018-04-03 Jason Marcell Cherry-pick r230143. rdar://problem/39155381 JSC crash in JIT code with for-of loop and Array/Set iterators https://bugs.webkit.org/show_bug.cgi?id=183174 Reviewed by Saam Barati. JSTests: * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x. (foo): * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed. (f): Source/JavaScriptCore: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230143 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-03-31 Filip Pizlo JSC crash in JIT code with for-of loop and Array/Set iterators https://bugs.webkit.org/show_bug.cgi?id=183174 Reviewed by Saam Barati. * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site. 2018-04-03 Jason Marcell Cherry-pick r230119. rdar://problem/39155070 WebAssembly compilation from DataView git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230119 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-03-30 JF Bastien WebAssembly: support DataView compilation https://bugs.webkit.org/show_bug.cgi?id=183342 Reviewed by Mark Lam. Compiling a module from a DataView was incorrectly dealing with DataView's offset. * wasm/WasmModuleParser.cpp: (JSC::Wasm::ModuleParser::parse): * wasm/js/JSWebAssemblyHelpers.h: (JSC::getWasmBufferFromValue): (JSC::createSourceBufferFromValue): * wasm/js/WebAssemblyPrototype.cpp: (JSC::webAssemblyValidateFunc): 2018-04-03 Jason Marcell Cherry-pick r230102. rdar://problem/38154594 A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception https://bugs.webkit.org/show_bug.cgi?id=184074 Reviewed by Keith Miller. JSTests: * stress/stack-overflow-while-parsing-builtin.js: Added. (f): Source/JavaScriptCore: Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place. It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError. Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts. As a result, this patch is grotesquely large, while all it does is adding enough plumbing to throw a proper exception in this specific case. There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow. If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too. Two other minor changes: - I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead. - I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places. * JavaScriptCore.xcodeproj/project.pbxproj: * Scripts/builtins/builtins_generate_combined_header.py: (BuiltinsCombinedHeaderGenerator.generate_forward_declarations): (ParserError): (generate_section_for_object): Deleted. (generate_externs_for_object): Deleted. (generate_macros_for_object): Deleted. (generate_section_for_code_table_macro): Deleted. (generate_section_for_code_name_macro): Deleted. (generate_section_for_global_private_code_name_macro): Deleted. * Scripts/builtins/builtins_generate_separate_header.py: (generate_secondary_header_includes): * Scripts/builtins/builtins_templates.py: * Sources.txt: * builtins/BuiltinExecutableCreator.cpp: Removed. * builtins/BuiltinExecutableCreator.h: Removed. * builtins/BuiltinExecutables.cpp: (JSC::BuiltinExecutables::createDefaultConstructor): (JSC::BuiltinExecutables::createBuiltinExecutable): (JSC::createBuiltinExecutable): (JSC::BuiltinExecutables::createExecutableOrCrash): (JSC::BuiltinExecutables::createExecutable): * builtins/BuiltinExecutables.h: * bytecompiler/BytecodeGenerator.h: * parser/ParserError.cpp: Added. (JSC::ParserError::toErrorObject): (JSC::ParserError::throwStackOverflowOrOutOfMemory): (WTF::printInternal): * parser/ParserError.h: (JSC::ParserError::toErrorObject): Deleted. (WTF::printInternal): Deleted. * runtime/AsyncIteratorPrototype.cpp: (JSC::AsyncIteratorPrototype::finishCreation): * runtime/FunctionPrototype.cpp: (JSC::FunctionPrototype::addFunctionProperties): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSObject.cpp: (JSC::JSObject::getOwnStaticPropertySlot): (JSC::JSObject::reifyAllStaticProperties): * runtime/JSObject.h: (JSC::JSObject::getOwnNonIndexPropertySlot): (JSC::JSObject::getOwnPropertySlot): (JSC::JSObject::getPropertySlot): * runtime/JSObjectInlines.h: (JSC::JSObject::getNonIndexPropertySlot): * runtime/JSTypedArrayViewPrototype.cpp: (JSC::JSTypedArrayViewPrototype::finishCreation): * runtime/Lookup.cpp: (JSC::reifyStaticAccessor): (JSC::setUpStaticFunctionSlot): * runtime/Lookup.h: (JSC::getStaticPropertySlotFromTable): (JSC::reifyStaticProperty): * runtime/MapPrototype.cpp: (JSC::MapPrototype::finishCreation): * runtime/SetPrototype.cpp: (JSC::SetPrototype::finishCreation): * tools/JSDollarVM.cpp: (JSC::functionCreateBuiltin): Source/WebCore: I had to slightly change the type of some bindings between JSC and WebCore. No functional change intended on the WebCore side. * bindings/js/JSReadableStreamPrivateConstructors.cpp: (WebCore::JSBuiltinReadableStreamDefaultReaderPrivateConstructor::initializeExecutable): (WebCore::JSBuiltinReadableStreamDefaultControllerPrivateConstructor::initializeExecutable): (WebCore::JSBuiltinReadableByteStreamControllerPrivateConstructor::initializeExecutable): (WebCore::JSBuiltinReadableStreamBYOBReaderPrivateConstructor::initializeExecutable): (WebCore::JSBuiltinReadableStreamBYOBRequestPrivateConstructor::initializeExecutable): * bindings/scripts/CodeGeneratorJS.pm: (GenerateConstructorHelperMethods): * bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp: (WebCore::JSTestClassWithJSBuiltinConstructorConstructor::initializeExecutable): * bindings/scripts/test/JS/JSTestJSBuiltinConstructor.cpp: (WebCore::JSTestJSBuiltinConstructorConstructor::initializeExecutable): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230102 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-03-30 Robin Morisset A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception https://bugs.webkit.org/show_bug.cgi?id=184074 Reviewed by Keith Miller. Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place. It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError. Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts. As a result, this patch is grotesquely large, while all it does is adding enough plumbing to throw a proper exception in this specific case. There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow. If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too. Two other minor changes: - I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead. - I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places. * JavaScriptCore.xcodeproj/project.pbxproj: * Scripts/builtins/builtins_generate_combined_header.py: (BuiltinsCombinedHeaderGenerator.generate_forward_declarations): (ParserError): (generate_section_for_object): Deleted. (generate_externs_for_object): Deleted. (generate_macros_for_object): Deleted. (generate_section_for_code_table_macro): Deleted. (generate_section_for_code_name_macro): Deleted. (generate_section_for_global_private_code_name_macro): Deleted. * Scripts/builtins/builtins_generate_separate_header.py: (generate_secondary_header_includes): * Scripts/builtins/builtins_templates.py: * Sources.txt: * builtins/BuiltinExecutableCreator.cpp: Removed. * builtins/BuiltinExecutableCreator.h: Removed. * builtins/BuiltinExecutables.cpp: (JSC::BuiltinExecutables::createDefaultConstructor): (JSC::BuiltinExecutables::createBuiltinExecutable): (JSC::createBuiltinExecutable): (JSC::BuiltinExecutables::createExecutableOrCrash): (JSC::BuiltinExecutables::createExecutable): * builtins/BuiltinExecutables.h: * bytecompiler/BytecodeGenerator.h: * parser/ParserError.cpp: Added. (JSC::ParserError::toErrorObject): (JSC::ParserError::throwStackOverflowOrOutOfMemory): (WTF::printInternal): * parser/ParserError.h: (JSC::ParserError::toErrorObject): Deleted. (WTF::printInternal): Deleted. * runtime/AsyncIteratorPrototype.cpp: (JSC::AsyncIteratorPrototype::finishCreation): * runtime/FunctionPrototype.cpp: (JSC::FunctionPrototype::addFunctionProperties): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSObject.cpp: (JSC::JSObject::getOwnStaticPropertySlot): (JSC::JSObject::reifyAllStaticProperties): * runtime/JSObject.h: (JSC::JSObject::getOwnNonIndexPropertySlot): (JSC::JSObject::getOwnPropertySlot): (JSC::JSObject::getPropertySlot): * runtime/JSObjectInlines.h: (JSC::JSObject::getNonIndexPropertySlot): * runtime/JSTypedArrayViewPrototype.cpp: (JSC::JSTypedArrayViewPrototype::finishCreation): * runtime/Lookup.cpp: (JSC::reifyStaticAccessor): (JSC::setUpStaticFunctionSlot): * runtime/Lookup.h: (JSC::getStaticPropertySlotFromTable): (JSC::reifyStaticProperty): * runtime/MapPrototype.cpp: (JSC::MapPrototype::finishCreation): * runtime/SetPrototype.cpp: (JSC::SetPrototype::finishCreation): * tools/JSDollarVM.cpp: (JSC::functionCreateBuiltin): 2018-04-03 Jason Marcell Cherry-pick r230101. rdar://problem/39155394 Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType https://bugs.webkit.org/show_bug.cgi?id=183657 JSTests: Reviewed by Keith Miller. * stress/large-unshift-splice.js: Added. (make_contig_arr): Source/JavaScriptCore: Reviewed by Keith Miller. There was just a missing check in unshiftCountForIndexingType. I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path', and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp). Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk. * runtime/ArrayPrototype.cpp: (JSC::unshift): * runtime/JSArray.cpp: (JSC::JSArray::unshiftCountWithAnyIndexingType): * runtime/JSObject.h: (JSC::JSObject::ensureLength): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230101 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-03-30 Robin Morisset Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType https://bugs.webkit.org/show_bug.cgi?id=183657 Reviewed by Keith Miller. There was just a missing check in unshiftCountForIndexingType. I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path', and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp). Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk. * runtime/ArrayPrototype.cpp: (JSC::unshift): * runtime/JSArray.cpp: (JSC::JSArray::unshiftCountWithAnyIndexingType): * runtime/JSObject.h: (JSC::JSObject::ensureLength): 2018-04-03 Jason Marcell Cherry-pick r230026. rdar://problem/39155085 appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards https://bugs.webkit.org/show_bug.cgi?id=183894 Reviewed by Saam Barati. JSTests: * stress/json-stringified-overflow.js: Added. (catch): Source/JavaScriptCore: Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle. * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue): Source/WTF: appendQuotedJSONString now returns a bool indicating whether it succeeded, instead of silently failing when given a string too large to fit in 4GB. * wtf/text/StringBuilder.h: * wtf/text/StringBuilderJSON.cpp: (WTF::StringBuilder::appendQuotedJSONString): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230026 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-03-28 Robin Morisset appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards https://bugs.webkit.org/show_bug.cgi?id=183894 Reviewed by Saam Barati. Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle. * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue): 2018-04-03 Jason Marcell Cherry-pick r229962. rdar://problem/39122091 r228149 accidentally removed code that resets m_emptyCursor at the end of a GC https://bugs.webkit.org/show_bug.cgi?id=183995 Reviewed by Filip Pizlo. The removal of this line of code was unintended and happened during some refactoring Fil was doing. The consequence of removing this line of code is that the m_emptyCursor became a monotonically increasing integer, leading the cursor to usually being out of bounds of the block range (depending on what the program is doing). This made the functionality of finding an empty block to steal almost always fail. * heap/BlockDirectory.cpp: (JSC::BlockDirectory::prepareForAllocation): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229962 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-03-25 Saam Barati r228149 accidentally removed code that resets m_emptyCursor at the end of a GC https://bugs.webkit.org/show_bug.cgi?id=183995 Reviewed by Filip Pizlo. The removal of this line of code was unintended and happened during some refactoring Fil was doing. The consequence of removing this line of code is that the m_emptyCursor became a monotonically increasing integer, leading the cursor to usually being out of bounds of the block range (depending on what the program is doing). This made the functionality of finding an empty block to steal almost always fail. * heap/BlockDirectory.cpp: (JSC::BlockDirectory::prepareForAllocation): 2018-04-03 Jason Marcell Cherry-pick r229850. rdar://problem/39155286 Race Condition in arrayProtoFuncReverse() causes wrong results or crash https://bugs.webkit.org/show_bug.cgi?id=183901 Reviewed by Keith Miller. JSTests: New test. * stress/array-reverse-doesnt-clobber.js: Added. (testArrayReverse): (createArrayOfArrays): (createArrayStorage): Source/JavaScriptCore: Added write barriers to ensure the reversed contents are properly marked. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncReverse): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229850 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2018-03-22 Michael Saboff Race Condition in arrayProtoFuncReverse() causes wrong results or crash https://bugs.webkit.org/show_bug.cgi?id=183901 Reviewed by Keith Miller. Added write barriers to ensure the reversed contents are properly marked. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncReverse): 2018-03-20 Jason Marcell Cherry-pick r229366. rdar://problem/38651632 2018-03-06 Filip Pizlo MarkedArgumentsBuffer should allocate from the JSValue Gigacage https://bugs.webkit.org/show_bug.cgi?id=183377 Reviewed by Michael Saboff. That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap. * runtime/ArgList.cpp: (JSC::MarkedArgumentBuffer::expandCapacity): 2018-03-20 Jason Marcell Cherry-pick r229109. rdar://problem/38651610 2018-02-28 JF Bastien GC should sweep code block before deleting https://bugs.webkit.org/show_bug.cgi?id=183229 Reviewed by Saam Barati, Fil Pizlo. Stub routines shouldn't get deleted before codeblocks have been swept, otherwise there's a small race window where the codeblock thinks it's still reachable. * heap/Heap.cpp: (JSC::Heap::deleteUnmarkedCompiledCode): (JSC::Heap::sweepInFinalize): 2018-02-21 Jason Marcell Cherry-pick r228860. rdar://problem/37751729 2018-02-20 Saam Barati DFG::VarargsForwardingPhase should eliminate getting argument length https://bugs.webkit.org/show_bug.cgi?id=182959 Reviewed by Keith Miller. This patch teaches the DFG VarargsForwardingPhase to not treat length accesses on Cloned/Direct Arguments objects as escapes. It teaches this phase to materialize the length in the same way the ArgumentsEliminationPhase does. This is around a 0.5-1% speedup on ARES6 on my iMac. It speeds up the ML subtest by 2-4%. This patch also extends compileGetArgumentCountIncludingThis to take a parameter that is the inline call frame to load from (in the case where the inline call frame is a varargs frame). This allows the the emitCodeToGetArgumentsArrayLength helper function to just emit a GetArgumentCountIncludingThis node instead of a GetLocal. If we emitted a GetLocal, we'd need to rerun CPS rethreading. * dfg/DFGArgumentsEliminationPhase.cpp: * dfg/DFGArgumentsUtilities.cpp: (JSC::DFG::emitCodeToGetArgumentsArrayLength): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::getArgumentCount): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGNode.h: (JSC::DFG::Node::argumentsInlineCallFrame): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis): * dfg/DFGVarargsForwardingPhase.cpp: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis): 2018-02-20 Jason Marcell Cherry-pick r228725. rdar://problem/37714027 2018-02-19 Saam Barati Don't use JSFunction's allocation profile when getting the prototype can be effectful https://bugs.webkit.org/show_bug.cgi?id=182942 Reviewed by Mark Lam. Prior to this patch, the create_this implementation assumed that anything that is a JSFunction can use the object allocation profile and go down the fast path to allocate the |this| object. Implied by this approach is that accessing the 'prototype' property of the incoming function is not an effectful operation. This is inherent to the ObjectAllocationProfile data structure: it caches the prototype field. However, getting the 'prototype' property might be an effectful operation, e.g, it could be a getter. Many variants of functions in JS have the 'prototype' property as non-configurable. However, some functions, like bound functions, do not have the 'prototype' field with these attributes. This patch adds the notion of 'canUseAllocationProfile' to JSFunction and threads it through so that we only go down the fast path and use the allocation profile when the prototype property is non-configurable. * bytecompiler/NodesCodegen.cpp: (JSC::ClassExprNode::emitBytecode): * dfg/DFGOperations.cpp: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/JSFunction.cpp: (JSC::JSFunction::prototypeForConstruction): (JSC::JSFunction::allocateAndInitializeRareData): (JSC::JSFunction::initializeRareData): (JSC::JSFunction::getOwnPropertySlot): (JSC::JSFunction::canUseAllocationProfileNonInline): * runtime/JSFunction.h: (JSC::JSFunction::ensureRareDataAndAllocationProfile): * runtime/JSFunctionInlines.h: (JSC::JSFunction::canUseAllocationProfile): 2018-02-20 Jason Marcell Cherry-pick r228720. rdar://problem/37714022 2018-02-19 Saam Barati Don't mark an array profile out of bounds for the cases where the DFG will convert the access to SaneChain https://bugs.webkit.org/show_bug.cgi?id=182912 Reviewed by Keith Miller. In the baseline JIT and LLInt, when we loading a hole from an original array, with the array prototype chain being normal, we end up marking the ArrayProfile for that GetByVal as out of bounds. However, the DFG knows exactly how to optimize this case by returning undefined when loading from a hole. Currently, it only does this for Contiguous arrays (and sometimes Double arrays). This patch just makes sure to not mark the ArrayProfile as out of bounds in this scenario for Contiguous arrays, since the DFG will always optimize this case. However, we should extend this by profiling when a GetByVal loads a hole. By doing so, we can optimize this for Int32, ArrayStorage, and maybe even Double arrays. That work will happen in: https://bugs.webkit.org/show_bug.cgi?id=182940 This patch is a 30-50% speedup on JetStream's hash-map test. This patch speeds up JetStream by 1% when testing on my iMac. * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::refine const): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * jit/JITOperations.cpp: (JSC::getByVal): (JSC::canAccessArgumentIndexQuickly): Deleted. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::getByVal): (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly): 2018-02-20 Jason Marcell Cherry-pick r228693. rdar://problem/37697679 2018-02-17 Filip Pizlo GetArrayMask should support constant folding https://bugs.webkit.org/show_bug.cgi?id=182907 Reviewed by Saam Barati. Implement constant folding for GetArrayMask. This revealed a bug in tryGetFoldableView, where it was ignoring the result of a jsDynamicCast<>(). This wasn't a bug before because it would have been impossible for that function to get called with a non-null value if the value was not an array view, due to type filtering in CheckArray, the fact that CheckArray had to dominate GetArrayLength, and the fact that the other tryGetFoldableView overload made sure that the array mode was some typed array. This isn't a measurable progression, but it does save a register in the codegen for typed array accesses. Hopefully these improvements add up. * assembler/AssemblerBuffer.h: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::tryGetFoldableView): 2018-02-20 Jason Marcell Cherry-pick r228565. rdar://problem/37697682 2018-02-16 Saam Barati Fix bugs from r228411 https://bugs.webkit.org/show_bug.cgi?id=182851 Reviewed by JF Bastien. There was a bug from r228411 where inside the constant folding phase, we used an insertCheck method that didn't handle varargs. This would lead to a crash. When thinking about the fix for that function, I realized a made a couple of mistakes in r228411. One is probably a security bug, and the other is a performance bug because it'll prevent CSE for certain flavors of GetByVal nodes. Both blunders are similar in nature. In r228411, I added code in LICM that inserted a CheckVarargs node with children of another varargs node. However, to construct this new node's children, I just copied the AdjacencyList. This does a shallow copy. What we needed was a deep copy. We needed to create a new vararg AdjacencyList that points to edges that are deep copies of the original varargs children. This patch fixes this goof in LICM. r228411 made it so that PureValue over a varargs node would just compare actual AdjacencyLists structs. So, if you had two GetByVals that had equal santized children, their actual AdjacencyList structs are *not* bitwise equal, since they'll have different firstChild values. Instead, we need to do a deep compare of their adjacency lists. This patch teaches PureValue how to do that. * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGGraph.h: (JSC::DFG::Graph::copyVarargChildren): * dfg/DFGInsertionSet.h: (JSC::DFG::InsertionSet::insertCheck): * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::attemptHoist): * dfg/DFGPureValue.cpp: (JSC::DFG::PureValue::dump const): * dfg/DFGPureValue.h: (JSC::DFG::PureValue::PureValue): (JSC::DFG::PureValue::op const): (JSC::DFG::PureValue::hash const): (JSC::DFG::PureValue::operator== const): (JSC::DFG::PureValue::isVarargs const): (JSC::DFG::PureValue::children const): Deleted. * dfg/DFGStrengthReductionPhase.cpp: (JSC::DFG::StrengthReductionPhase::handleNode): (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild): 2018-02-16 Jason Marcell Cherry-pick r228454. rdar://problem/37615380 2018-02-13 Saam Barati putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present https://bugs.webkit.org/show_bug.cgi?id=182755 Reviewed by Keith Miller. putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted the object in question to a dictionary indexing mode when the index is less than the vector length. This makes no sense. If we're defining a getter, setter, or read only property, we must always enter the dictionary indexing mode irrespective of the index in relation to the vector length. * runtime/JSObject.cpp: (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength): 2018-02-15 Jason Marcell Cherry-pick r228481. rdar://problem/37570863 2018-02-14 Michael Saboff REGRESSION(225695) : com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::RegExp::match + 630 :: stack overflow https://bugs.webkit.org/show_bug.cgi?id=182705 Reviewed by Mark Lam. Moved the pattern context buffer used by YARR JIT'ed code from a stack local to a lazily allocated buffer on the VM. Exposed when the buffer is needed to reduce likelihood that we'd allocated it. Guarded use of the buffer with a lock since the DFG compiler may call into YARR JIT'ed code on a compilation thread. * runtime/RegExpInlines.h: (JSC::RegExp::matchInline): * runtime/VM.cpp: (JSC::VM::~VM): (JSC::VM::acquireRegExpPatternContexBuffer): (JSC::VM::releaseRegExpPatternContexBuffer): * runtime/VM.h: * yarr/YarrJIT.cpp: (JSC::Yarr::YarrGenerator::generate): (JSC::Yarr::YarrGenerator::backtrack): (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern): (JSC::Yarr::YarrGenerator::generateEnter): (JSC::Yarr::YarrGenerator::generateReturn): (JSC::Yarr::YarrGenerator::YarrGenerator): (JSC::Yarr::YarrGenerator::compile): * yarr/YarrJIT.h: (JSC::Yarr::YarrCodeBlock::usesPatternContextBuffer): (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): 2018-02-15 Jason Marcell Cherry-pick r228488. rdar://problem/37570860 2018-02-14 Saam Barati Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock https://bugs.webkit.org/show_bug.cgi?id=182801 Reviewed by Keith Miller. VMTraps would sometimes install traps when it paused the JS thread when it was in C code. This is wrong, as installing traps mallocs, and the JS thread may have been holding the malloc lock while in C code. This could lead to a deadlock when C code was holding the malloc lock. This patch makes it so that we only install traps when we've proven the PC is in JIT or LLInt code. If we're in JIT/LLInt code, we are guaranteed that we're not holding the malloc lock. * jsc.cpp: (GlobalObject::finishCreation): (functionMallocInALoop): * runtime/VMTraps.cpp: (JSC::VMTraps::tryInstallTrapBreakpoints): 2018-02-13 Jason Marcell Cherry-pick r228420. rdar://problem/37521084 2018-02-10 Filip Pizlo Lock down JSFunction https://bugs.webkit.org/show_bug.cgi?id=182652 Reviewed by Saam Barati. This poisons pointers in JSFunction and puts all of the types in the JSFunction hierarchy in isospaces. This is so neutral on JetStream: 0.01% slower with p = 0.969211. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): (JSC::DFG::SpeculativeJIT::compileNewFunction): (JSC::DFG::SpeculativeJIT::compileCreateThis): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr): (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer): (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable): (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): (JSC::FTL::DFG::LowerDFGToB3::weakPointer): (JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer): * ftl/FTLOutput.h: (JSC::FTL::Output::weakPointer): (JSC::FTL::Output::weakPoisonedPointer): * heap/MarkedSpace.cpp: * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_create_this): * jit/ThunkGenerators.cpp: (JSC::virtualThunkFor): (JSC::nativeForGenerator): (JSC::boundThisNoArgsFunctionCallGenerator): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter64.asm: * runtime/JSAsyncFunction.h: (JSC::JSAsyncFunction::subspaceFor): * runtime/JSAsyncGeneratorFunction.h: (JSC::JSAsyncGeneratorFunction::subspaceFor): * runtime/JSBoundFunction.h: (JSC::JSBoundFunction::subspaceFor): * runtime/JSCPoison.h: * runtime/JSCustomGetterSetterFunction.h: (JSC::JSCustomGetterSetterFunction::subspaceFor): * runtime/JSFunction.h: (JSC::JSFunction::subspaceFor): * runtime/JSGeneratorFunction.h: (JSC::JSGeneratorFunction::subspaceFor): * runtime/JSNativeStdFunction.h: (JSC::JSNativeStdFunction::subspaceFor): * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: * wasm/js/WebAssemblyFunction.h: * wasm/js/WebAssemblyWrapperFunction.h: 2018-02-13 Jason Marcell Cherry-pick r228438. rdar://problem/37521089 2018-02-13 Saam Barati Follup fix to r228411 for 32-bit builds. I missed a place where we used non vararg getter for child2(). * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2018-02-13 Jason Marcell Cherry-pick r228411. rdar://problem/37521089 2018-02-12 Saam Barati Add a GetIndexMask node and make it an input to GetByVal for array and typed array accesses in DFG SSA https://bugs.webkit.org/show_bug.cgi?id=182633 Reviewed by Keith Miller. This patch introduces a GetIndexMask node to DFG SSA. This is an input to GetByVal for the GetByVal variants that do conservative index masking. The reason I'm adding this node is I realized there were loads of the butterfly index mask inside loops that B3 couldn't reason about because B3 can't arbitrarily hoist loads out of loops if those loops have side exits (because the side exit might be protecting the safety of the load). However, for these loops I analyzed, the DFG would be able to hoist these loads out of loops because it knows about JS semantics to correctly reason about the safety of hoisting the load. This is a 1% speedup on JetStream on Mac and iOS in my testing. This patch also adds some infrastructure for eliminating and doing CSE on varargs nodes. Because this patch makes GetByVal a varargs node, I ran into issues we never had before. We never had a varargs node that could be CSEd or be hoisted out of a loop until I made GetByVal varargs. To make it all work, I added a CheckVarargs node. This is just like Check, but it's varargs. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGAdjacencyList.h: (JSC::DFG::AdjacencyList::AdjacencyList): * dfg/DFGArgumentsEliminationPhase.cpp: * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::propagate): * dfg/DFGBasicBlock.cpp: (JSC::DFG::BasicBlock::replaceTerminal): * dfg/DFGBasicBlock.h: (JSC::DFG::BasicBlock::findTerminal const): * dfg/DFGBasicBlockInlines.h: (JSC::DFG::BasicBlock::replaceTerminal): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::mergeBlocks): * dfg/DFGCPSRethreadingPhase.cpp: (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor): * dfg/DFGCSEPhase.cpp: * dfg/DFGCleanUpPhase.cpp: (JSC::DFG::CleanUpPhase::run): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::fixUpsilons): * dfg/DFGDCEPhase.cpp: (JSC::DFG::DCEPhase::run): (JSC::DFG::DCEPhase::fixupBlock): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixupChecksInBlock): * dfg/DFGHeapLocation.cpp: (WTF::printInternal): * dfg/DFGHeapLocation.h: * dfg/DFGIntegerCheckCombiningPhase.cpp: (JSC::DFG::IntegerCheckCombiningPhase::handleBlock): * dfg/DFGIntegerRangeOptimizationPhase.cpp: * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::attemptHoist): * dfg/DFGMayExit.cpp: * dfg/DFGNode.cpp: (JSC::DFG::Node::remove): (JSC::DFG::Node::convertToIdentityOn): * dfg/DFGNode.h: (JSC::DFG::Node::replaceWith): * dfg/DFGNodeType.h: * dfg/DFGObjectAllocationSinkingPhase.cpp: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGPureValue.cpp: (JSC::DFG::PureValue::dump const): * dfg/DFGPureValue.h: (JSC::DFG::PureValue::PureValue): * dfg/DFGPutStackSinkingPhase.cpp: * dfg/DFGSSAConversionPhase.cpp: (JSC::DFG::SSAConversionPhase::run): * dfg/DFGSSALoweringPhase.cpp: (JSC::DFG::SSALoweringPhase::handleNode): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::SpeculativeJIT): (JSC::DFG::SpeculativeJIT::compileGetByValOnString): (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString): (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol): (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments): (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStoreBarrierClusteringPhase.cpp: * dfg/DFGValidate.cpp: * dfg/DFGVarargsForwardingPhase.cpp: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray): 2018-02-13 Jason Marcell Cherry-pick r228401. rdar://problem/37521078 2018-02-12 Saam Barati DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer https://bugs.webkit.org/show_bug.cgi?id=182706 Reviewed by Filip Pizlo. When we added support for PhantomNewArrayBuffer, we forgot to update the emitCodeToGetArgumentsArrayLength function to handle PhantomNewArrayBuffer. This patch adds that support. It's trivial to generate the length for a PhantomNewArrayBuffer node since it's a constant buffer, with a constant length. * dfg/DFGArgumentsUtilities.cpp: (JSC::DFG::emitCodeToGetArgumentsArrayLength): 2018-02-06 Jason Marcell Cherry-pick r228193. rdar://problem/37292950 2018-02-06 Keith Miller put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object https://bugs.webkit.org/show_bug.cgi?id=182549 Reviewed by Saam Barati. Previously, the llint/baseline caching for put_to_scope and get_from_scope would cache lexical environments when the varInjectionWatchpoint had been fired for global properties. Code in the DFG does not follow this same assumption so we could potentially return the wrong result. Additionally, the baseline would write barrier the global object rather than the lexical enviroment object. This patch makes it so that we do not cache anything other than the global object for when the resolve type is GlobalPropertyWithVarInjectionChecks or GlobalProperty. * assembler/MacroAssembler.cpp: (JSC::MacroAssembler::jitAssert): * assembler/MacroAssembler.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_get_from_scope): (JSC::JIT::emit_op_put_to_scope): * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::tryCachePutToScopeGlobal): (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal): * runtime/Options.h: 2018-02-06 Jason Marcell Cherry-pick r228149. rdar://problem/37264543 2018-01-28 Filip Pizlo Global objects should be able to use TLCs to allocate from different blocks from each other https://bugs.webkit.org/show_bug.cgi?id=182227 Reviewed by JF Bastien. This uses TLCs to create at least `minimumDistanceBetweenCellsFromDifferenOrigins` bytes of distance between objects from different origins, using the following combination of things. For short lets refer to that constant as K. - Since r227721, LargeAllocation puts K bytes padding at the end of each allocation. - Since r227718, MarkedBlock puts at least K bytes in its footer. - Since r227617, global objects can have their own TLCs, which make them allocate from a different set of blocks than other global objects. The TLC of a global object comes into effect when you enter the VM via that global object. - With this change, TLCs and blocks both have security origins. A TLC will only use blocks that share the same security origin or empty blocks (in which case we zero the block and change its security origin). WebCore determines the TLC-GlobalObject mapping. By default, global objects would simply use the VM's default TLC. WebCore makes it so that DOM windows (but not worker global objects) get a TLC based on their document's SecurityOrigin. * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * heap/BlockDirectory.cpp: (JSC::BlockDirectory::findBlockForAllocation): (JSC::BlockDirectory::prepareForAllocation): * heap/BlockDirectory.h: * heap/LocalAllocator.cpp: (JSC::LocalAllocator::LocalAllocator): (JSC::LocalAllocator::reset): (JSC::LocalAllocator::~LocalAllocator): (JSC::LocalAllocator::allocateSlowCase): (JSC::LocalAllocator::tryAllocateWithoutCollecting): * heap/LocalAllocator.h: (JSC::LocalAllocator::tlc const): * heap/MarkStackMergingConstraint.cpp: * heap/MarkStackMergingConstraint.h: * heap/MarkedBlock.cpp: (JSC::MarkedBlock::Handle::associateWithOrigin): * heap/MarkedBlock.h: (JSC::MarkedBlock::Handle::securityOriginToken const): * heap/SecurityOriginToken.cpp: Added. (JSC::uniqueSecurityOriginToken): * heap/SecurityOriginToken.h: Added. * heap/ThreadLocalCache.cpp: (JSC::ThreadLocalCache::create): (JSC::ThreadLocalCache::ThreadLocalCache): (JSC::ThreadLocalCache::allocateData): (JSC::ThreadLocalCache::installSlow): * heap/ThreadLocalCache.h: (JSC::ThreadLocalCache::securityOriginToken const): * heap/ThreadLocalCacheInlines.h: (JSC::ThreadLocalCache::install): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::JSGlobalObject): (JSC::JSGlobalObject::createThreadLocalCache): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::threadLocalCache): (JSC::JSGlobalObject::threadLocalCache const): Deleted. * runtime/VMEntryScope.cpp: (JSC::VMEntryScope::VMEntryScope): (JSC::VMEntryScope::~VMEntryScope): * runtime/VMEntryScope.h: 2018-02-04 Jason Marcell Cherry-pick r228035. rdar://problem/37220146 2018-02-02 Saam Barati Make various DFG_ASSERTs provide more data to WTFCrashWithInfo https://bugs.webkit.org/show_bug.cgi?id=182453 Reviewed by JF Bastien and Mark Lam. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGArgumentsEliminationPhase.cpp: * dfg/DFGArgumentsUtilities.cpp: (JSC::DFG::emitCodeToGetArgumentsArrayLength): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupChecksInBlock): * dfg/DFGFlowIndexing.h: (JSC::DFG::FlowIndexing::shadowIndex const): * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::run): (JSC::DFG::LICMPhase::attemptHoist): * dfg/DFGLoopPreHeaderCreationPhase.cpp: (JSC::DFG::LoopPreHeaderCreationPhase::run): * dfg/DFGPutStackSinkingPhase.cpp: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileArithAbs): (JSC::DFG::SpeculativeJIT::compileArithRounding): (JSC::DFG::SpeculativeJIT::compileToPrimitive): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict): (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStoreBarrierClusteringPhase.cpp: * dfg/DFGStoreBarrierInsertionPhase.cpp: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetStack): (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32): (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs): (JSC::FTL::DFG::LowerDFGToB3::compileArithRound): (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor): (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil): (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc): (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate): (JSC::FTL::DFG::LowerDFGToB3::compilePutById): (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode): (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset): (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq): (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): (JSC::FTL::DFG::LowerDFGToB3::compileIn): (JSC::FTL::DFG::LowerDFGToB3::compare): (JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse): (JSC::FTL::DFG::LowerDFGToB3::lowInt32): (JSC::FTL::DFG::LowerDFGToB3::lowInt52): (JSC::FTL::DFG::LowerDFGToB3::lowCell): (JSC::FTL::DFG::LowerDFGToB3::lowBoolean): (JSC::FTL::DFG::LowerDFGToB3::lowDouble): (JSC::FTL::DFG::LowerDFGToB3::lowJSValue): 2018-02-04 Jason Marcell Cherry-pick r228031. rdar://problem/37220129 2018-02-02 Saam Barati When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts https://bugs.webkit.org/show_bug.cgi?id=182368 Reviewed by Mark Lam. When preserving liveness when inserting Unreachable nodes after ForceOSRExit, we must add the VariableAccessData to the given argument position. Otherwise, we may end up with a VariableAccessData that doesn't respect the shouldNeverUnbox bit. If we end up with such a situation, it can lead to invalid IR after the arguments elimination phase optimizes a GetByVal to a GetStack. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::flushImpl): (JSC::DFG::ByteCodeParser::flushForTerminalImpl): (JSC::DFG::ByteCodeParser::flush): (JSC::DFG::ByteCodeParser::flushForTerminal): (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): (JSC::DFG::ByteCodeParser::parse): 2018-02-04 Jason Marcell Cherry-pick r227998. rdar://problem/37220126 2018-02-01 Mark Lam Fix broken bounds check in FTL's compileGetMyArgumentByVal(). https://bugs.webkit.org/show_bug.cgi?id=182419 Reviewed by Saam Barati. In compileGetMyArgumentByVal(), it computes: limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip())); ... LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit); where the original "limit" is the number of arguments passed in by the caller. If the original limit is less than numberOfArgumentsToSkip, the resultant limit will be a large unsigned number. As a result, this will defeat the bounds check that follows it. Note: later on in compileGetMyArgumentByVal(), we have to adjust adjust the index value by adding numberOfArgumentsToSkip to it, in order to determine the actual entry in the arguments array to get. The fix is to just add numberOfArgumentsToSkip to index upfront (instead of subtracting it from limit), and doing an overflow speculation check on that addition before doing the bounds check. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal): 2018-02-04 Jason Marcell Cherry-pick r227994. rdar://problem/37145542 2018-02-01 Keith Miller Fix crashes due to mishandling custom sections. https://bugs.webkit.org/show_bug.cgi?id=182404 Reviewed by Saam Barati. This also cleans up some of our validation code. We also mistakenly, allowed unknown (different from custom sections with id: 0) section ids. * wasm/WasmModuleParser.cpp: (JSC::Wasm::ModuleParser::parse): * wasm/WasmModuleParser.h: * wasm/WasmSections.h: (JSC::Wasm::isKnownSection): (JSC::Wasm::decodeSection): (JSC::Wasm::validateOrder): (JSC::Wasm::makeString): (JSC::Wasm::isValidSection): Deleted. 2018-02-04 Jason Marcell Cherry-pick r227959. rdar://problem/37145559 2018-02-01 Chris Dumez Queue a microtask when a waitUntil() promise is settled https://bugs.webkit.org/show_bug.cgi?id=182372 Reviewed by Mark Lam. Export a symbol so it can be used in WebCore. * runtime/JSGlobalObject.h: 2018-02-04 Jason Marcell Cherry-pick r227951. rdar://problem/37145493 2018-01-31 Saam Barati Replace tryLargeMemalignVirtual with tryLargeZeroedMemalignVirtual and use it to allocate large zeroed memory in Wasm https://bugs.webkit.org/show_bug.cgi?id=182064 Reviewed by Geoffrey Garen. This patch switches WebAssembly Memory to always use bmalloc's zeroed virtual allocation API. This makes it so that we don't dirty the memory to zero it. It's a huge compile time speedup on WasmBench on iOS. * wasm/WasmMemory.cpp: (JSC::Wasm::Memory::create): (JSC::Wasm::Memory::~Memory): (JSC::Wasm::Memory::addressIsInActiveFastMemory): (JSC::Wasm::Memory::grow): (JSC::Wasm::commitZeroPages): Deleted. 2018-01-31 Jason Marcell Cherry-pick r227898. rdar://problem/37079009 2018-01-31 Saam Barati JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path) https://bugs.webkit.org/show_bug.cgi?id=182074 Reviewed by Mark Lam. This patch teaches the JSONP evaluator about the global lexical environment. Before, it was using the global object as the global scope, but that's wrong. The global lexical environment is the first node in the global scope chain. * interpreter/Interpreter.cpp: (JSC::Interpreter::executeProgram): * jsc.cpp: (GlobalObject::finishCreation): (shellSupportsRichSourceInfo): (functionDisableRichSourceInfo): * runtime/LiteralParser.cpp: (JSC::LiteralParser::tryJSONPParse): * runtime/LiteralParser.h: 2018-01-31 Jason Marcell Cherry-pick r227721. rdar://problem/37019345 2018-01-28 Filip Pizlo LargeAllocation should do the same distancing as MarkedBlock https://bugs.webkit.org/show_bug.cgi?id=182226 Reviewed by Saam Barati. This makes LargeAllocation do the same exact distancing that MarkedBlock promises to do. To make that possible, this patch first makes MarkedBlock know exactly how much distancing it is doing: - I've rationalized the payloadSize calculation. In particular, I made MarkedSpace use the calculation done in MarkedBlock. MarkedSpace used to do the math a different way. This keeps the old way just for a static_assert. - The promised amount of distancing is now codified in HeapCell.h as minimumDistanceBetweenCellsFromDifferentOrigins. We assert that the footer size is at least as big as this. I didn't want to just use footer size for this constant because then, if you increased the size of the footer, you'd also add padding to every large allocation. Then this patch just adds minimumDistanceBetweenCellsFromDifferentOrigins to each large allocation. It also zeroes that slice of memory to prevent any information leaks that way. This is perf neutral. Large allocations start out at ~8000 bytes. The amount of padding is ~300 bytes. That's 3.75% space overhead for objects that are ~8000 bytes, zero overhead for smaller objects, and diminishing overhead for larger objects. We allocate very few large objects, so we shouldn't have any real space overhead from this. * heap/HeapCell.h: * heap/LargeAllocation.cpp: (JSC::LargeAllocation::tryCreate): * heap/MarkedBlock.h: * heap/MarkedSpace.h: 2018-01-31 Jason Marcell Cherry-pick r227718. rdar://problem/37019341 2018-01-27 Filip Pizlo Make MarkedBlock::Footer bigger https://bugs.webkit.org/show_bug.cgi?id=182220 Reviewed by JF Bastien. This makes the block footer larger by moving the newlyAllocated bits from the handle into the footer. It used to be profitable to put anything we could into the handle because that would free up payload space inside the block. But now that we want to use the footer for padding, it's profitable to put GC state information - especially data that is used by the GC itself and so is not useful for a Spectre attack - into the footer to increase object distancing. * heap/CellContainer.cpp: (JSC::CellContainer::isNewlyAllocated const): * heap/IsoCellSet.cpp: (JSC::IsoCellSet::sweepToFreeList): * heap/MarkedBlock.cpp: (JSC::MarkedBlock::Handle::Handle): (JSC::MarkedBlock::Footer::Footer): (JSC::MarkedBlock::Handle::stopAllocating): (JSC::MarkedBlock::Handle::lastChanceToFinalize): (JSC::MarkedBlock::Handle::resumeAllocating): (JSC::MarkedBlock::aboutToMarkSlow): (JSC::MarkedBlock::resetAllocated): (JSC::MarkedBlock::Handle::resetAllocated): Deleted. * heap/MarkedBlock.h: (JSC::MarkedBlock::newlyAllocatedVersion const): (JSC::MarkedBlock::isNewlyAllocated): (JSC::MarkedBlock::setNewlyAllocated): (JSC::MarkedBlock::clearNewlyAllocated): (JSC::MarkedBlock::newlyAllocated const): (JSC::MarkedBlock::Handle::newlyAllocatedVersion const): Deleted. (JSC::MarkedBlock::Handle::isNewlyAllocated): Deleted. (JSC::MarkedBlock::Handle::setNewlyAllocated): Deleted. (JSC::MarkedBlock::Handle::clearNewlyAllocated): Deleted. (JSC::MarkedBlock::Handle::newlyAllocated const): Deleted. * heap/MarkedBlockInlines.h: (JSC::MarkedBlock::isNewlyAllocatedStale const): (JSC::MarkedBlock::hasAnyNewlyAllocated): (JSC::MarkedBlock::Handle::isLive): (JSC::MarkedBlock::Handle::specializedSweep): (JSC::MarkedBlock::Handle::newlyAllocatedMode): (JSC::MarkedBlock::Handle::isNewlyAllocatedStale const): Deleted. (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated): Deleted. * heap/MarkedSpace.cpp: (JSC::MarkedSpace::endMarking): * heap/SlotVisitor.cpp: (JSC::SlotVisitor::appendJSCellOrAuxiliary): 2018-01-31 Jason Marcell Cherry-pick r227717. rdar://problem/37019339 2018-01-27 Filip Pizlo MarkedBlock should have a footer instead of a header https://bugs.webkit.org/show_bug.cgi?id=182217 Reviewed by JF Bastien. This moves the MarkedBlock's meta-data from the header to the footer. This doesn't really change anything except for some compile-time constants, so it should not affect performance. This change is to help protect against Spectre attacks on structure checks, which allow for small-offset out-of-bounds access. By putting the meta-data at the end of the block, small OOBs will only get to other objects in the same block or the block footer. The block footer is not super interesting. So, if we combine this with the TLC change (r227617), this means we can use blocks as the mechanism of achieving distance between objects from different origins. We just need to avoid ever putting objects from different origins in the same block. That's what bug 181636 is about. * heap/BlockDirectory.cpp: (JSC::blockHeaderSize): Deleted. (JSC::BlockDirectory::blockSizeForBytes): Deleted. * heap/BlockDirectory.h: * heap/HeapUtil.h: (JSC::HeapUtil::findGCObjectPointersForMarking): * heap/MarkedBlock.cpp: (JSC::MarkedBlock::MarkedBlock): (JSC::MarkedBlock::~MarkedBlock): (JSC::MarkedBlock::Footer::Footer): (JSC::MarkedBlock::Footer::~Footer): (JSC::MarkedBlock::Handle::stopAllocating): (JSC::MarkedBlock::Handle::lastChanceToFinalize): (JSC::MarkedBlock::Handle::resumeAllocating): (JSC::MarkedBlock::aboutToMarkSlow): (JSC::MarkedBlock::resetMarks): (JSC::MarkedBlock::assertMarksNotStale): (JSC::MarkedBlock::Handle::didConsumeFreeList): (JSC::MarkedBlock::markCount): (JSC::MarkedBlock::clearHasAnyMarked): (JSC::MarkedBlock::Handle::didAddToDirectory): (JSC::MarkedBlock::Handle::didRemoveFromDirectory): (JSC::MarkedBlock::Handle::sweep): * heap/MarkedBlock.h: (JSC::MarkedBlock::markingVersion const): (JSC::MarkedBlock::lock): (JSC::MarkedBlock::subspace const): (JSC::MarkedBlock::footer): (JSC::MarkedBlock::footer const): (JSC::MarkedBlock::handle): (JSC::MarkedBlock::handle const): (JSC::MarkedBlock::Handle::blockFooter): (JSC::MarkedBlock::isAtomAligned): (JSC::MarkedBlock::Handle::cellAlign): (JSC::MarkedBlock::blockFor): (JSC::MarkedBlock::vm const): (JSC::MarkedBlock::weakSet): (JSC::MarkedBlock::cellSize): (JSC::MarkedBlock::attributes const): (JSC::MarkedBlock::atomNumber): (JSC::MarkedBlock::areMarksStale): (JSC::MarkedBlock::aboutToMark): (JSC::MarkedBlock::isMarkedRaw): (JSC::MarkedBlock::isMarked): (JSC::MarkedBlock::testAndSetMarked): (JSC::MarkedBlock::marks const): (JSC::MarkedBlock::isAtom): (JSC::MarkedBlock::Handle::forEachCell): (JSC::MarkedBlock::hasAnyMarked const): (JSC::MarkedBlock::noteMarked): (WTF::MarkedBlockHash::hash): (JSC::MarkedBlock::firstAtom): Deleted. * heap/MarkedBlockInlines.h: (JSC::MarkedBlock::marksConveyLivenessDuringMarking): (JSC::MarkedBlock::Handle::isLive): (JSC::MarkedBlock::Handle::specializedSweep): (JSC::MarkedBlock::Handle::forEachLiveCell): (JSC::MarkedBlock::Handle::forEachDeadCell): (JSC::MarkedBlock::Handle::forEachMarkedCell): * heap/MarkedSpace.cpp: * heap/MarkedSpace.h: * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: 2018-01-31 Jason Marcell Cherry-pick r227700. rdar://problem/37019364 2018-01-26 Saam Barati Fix emitAllocateWithNonNullAllocator to work on arm https://bugs.webkit.org/show_bug.cgi?id=182187 Reviewed by Filip Pizlo. This patch unifies the x86 and ARM paths in emitAllocateWithNonNullAllocator and makes it so that emitAllocateWithNonNullAllocator uses the macro scratch register on ARM. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): 2018-01-31 Jason Marcell Cherry-pick r227683. rdar://problem/37019334 2018-01-26 Filip Pizlo Disable TLS-based TLCs https://bugs.webkit.org/show_bug.cgi?id=182175 Reviewed by Saam Barati. Check for the new USE(FAST_TLS_FOR_TLC) flag instead of just ENABLE(FAST_TLS_JIT). * heap/BlockDirectory.cpp: (JSC::BlockDirectory::~BlockDirectory): * heap/BlockDirectory.h: * heap/ThreadLocalCache.cpp: (JSC::ThreadLocalCache::installSlow): (JSC::ThreadLocalCache::installData): * heap/ThreadLocalCache.h: * heap/ThreadLocalCacheInlines.h: (JSC::ThreadLocalCache::getImpl): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): * runtime/VM.cpp: (JSC::VM::~VM): * runtime/VM.h: 2018-01-30 Jason Marcell Cherry-pick r227617. rdar://problem/37019352 2018-01-25 Filip Pizlo JSC GC should support TLCs (thread local caches) https://bugs.webkit.org/show_bug.cgi?id=181559 Reviewed by Mark Lam and Saam Barati. This is a big step towards object distancing by site origin. This patch implements TLCs, or thread-local caches, which allow each thread to allocate from its own free lists. It also means that any given thread can context-switch TLCs. This will allow us to do separate allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this will allow us to have a hard distancing constraint between objects from different origins. In this new design, every "size class" is represented as a BlockDirectory (formerly known as MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some aligned memory allocator (which roughly represents which cage you came out of), and anyone using the same allocator can share those blocks - but so long as they are in that BlockDirectory, they will have the size and type of that directory. Previously, each BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of LocalAllocators, each of which has a FreeList. To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation starts by figuring out what Allocator it wants (often we have this information at JIT time). Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use offsets as opposed to indices to make it easy to do the math on each allocation (if LocalAllocator had a weird size then every allocation would have to do an imul). This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is something there, but it's not significant according to our threshold). Relanding after fixing ARM64 bug in AssemblyHelpers::emitAllocateWithNonNullAllocator(). That function needs to be careful to avoid using the scratch register because the FTL will call it in disallow-scratch-register mode. * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * b3/B3LowerToAir.cpp: * b3/B3PatchpointSpecial.cpp: (JSC::B3::PatchpointSpecial::admitsStack): * b3/B3StackmapSpecial.cpp: (JSC::B3::StackmapSpecial::forEachArgImpl): (JSC::B3::StackmapSpecial::isArgValidForRep): * b3/B3StackmapValue.cpp: (JSC::B3::StackmapValue::appendSomeRegisterWithClobber): * b3/B3StackmapValue.h: * b3/B3Validate.cpp: * b3/B3ValueRep.cpp: (JSC::B3::ValueRep::addUsedRegistersTo const): (JSC::B3::ValueRep::dump const): (WTF::printInternal): * b3/B3ValueRep.h: (JSC::B3::ValueRep::ValueRep): * bytecode/AccessCase.cpp: (JSC::AccessCase::generateImpl): * bytecode/ObjectAllocationProfile.h: (JSC::ObjectAllocationProfile::ObjectAllocationProfile): (JSC::ObjectAllocationProfile::clear): * bytecode/ObjectAllocationProfileInlines.h: (JSC::ObjectAllocationProfile::initializeProfile): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): (JSC::DFG::SpeculativeJIT::compileMakeRope): (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): (JSC::DFG::SpeculativeJIT::compileCreateThis): (JSC::DFG::SpeculativeJIT::compileNewObject): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::emitAllocateJSCell): (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): * ftl/FTLAbstractHeapRepository.h: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject): (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl): (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): (JSC::FTL::DFG::LowerDFGToB3::allocateObject): (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize): (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject): (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell): * heap/Allocator.cpp: Added. (JSC::Allocator::cellSize const): * heap/Allocator.h: Added. (JSC::Allocator::Allocator): (JSC::Allocator::offset const): (JSC::Allocator::operator== const): (JSC::Allocator::operator!= const): (JSC::Allocator::operator bool const): * heap/AllocatorInlines.h: Added. (JSC::Allocator::allocate const): (JSC::Allocator::tryAllocate const): * heap/BlockDirectory.cpp: (JSC::BlockDirectory::BlockDirectory): (JSC::BlockDirectory::findBlockForAllocation): (JSC::BlockDirectory::stopAllocating): (JSC::BlockDirectory::prepareForAllocation): (JSC::BlockDirectory::stopAllocatingForGood): (JSC::BlockDirectory::resumeAllocating): (JSC::BlockDirectory::endMarking): (JSC::BlockDirectory::isFreeListedCell): (JSC::BlockDirectory::didConsumeFreeList): Deleted. (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted. (JSC::BlockDirectory::allocateIn): Deleted. (JSC::BlockDirectory::tryAllocateIn): Deleted. (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted. (JSC::BlockDirectory::allocateSlowCase): Deleted. * heap/BlockDirectory.h: (JSC::BlockDirectory::cellKind const): (JSC::BlockDirectory::allocator const): (JSC::BlockDirectory::freeList const): Deleted. (JSC::BlockDirectory::offsetOfFreeList): Deleted. (JSC::BlockDirectory::offsetOfCellSize): Deleted. * heap/BlockDirectoryInlines.h: (JSC::BlockDirectory::isFreeListedCell const): Deleted. (JSC::BlockDirectory::allocate): Deleted. * heap/CompleteSubspace.cpp: (JSC::CompleteSubspace::CompleteSubspace): (JSC::CompleteSubspace::allocatorFor): (JSC::CompleteSubspace::allocate): (JSC::CompleteSubspace::allocateNonVirtual): (JSC::CompleteSubspace::allocatorForSlow): (JSC::CompleteSubspace::allocateSlow): (JSC::CompleteSubspace::tryAllocateSlow): * heap/CompleteSubspace.h: (JSC::CompleteSubspace::allocatorForSizeStep): (JSC::CompleteSubspace::allocatorForNonVirtual): * heap/FreeList.h: * heap/GCDeferralContext.h: * heap/Heap.cpp: (JSC::Heap::Heap): (JSC::Heap::lastChanceToFinalize): * heap/Heap.h: (JSC::Heap::threadLocalCacheLayout): * heap/IsoCellSet.h: * heap/IsoSubspace.cpp: (JSC::IsoSubspace::IsoSubspace): (JSC::IsoSubspace::allocatorFor): (JSC::IsoSubspace::allocate): (JSC::IsoSubspace::allocateNonVirtual): * heap/IsoSubspace.h: (JSC::IsoSubspace::allocatorForNonVirtual): * heap/LocalAllocator.cpp: Added. (JSC::LocalAllocator::LocalAllocator): (JSC::LocalAllocator::reset): (JSC::LocalAllocator::~LocalAllocator): (JSC::LocalAllocator::stopAllocating): (JSC::LocalAllocator::resumeAllocating): (JSC::LocalAllocator::prepareForAllocation): (JSC::LocalAllocator::stopAllocatingForGood): (JSC::LocalAllocator::allocateSlowCase): (JSC::LocalAllocator::didConsumeFreeList): (JSC::LocalAllocator::tryAllocateWithoutCollecting): (JSC::LocalAllocator::allocateIn): (JSC::LocalAllocator::tryAllocateIn): (JSC::LocalAllocator::doTestCollectionsIfNeeded): (JSC::LocalAllocator::isFreeListedCell const): * heap/LocalAllocator.h: Added. (JSC::LocalAllocator::offsetOfFreeList): (JSC::LocalAllocator::offsetOfCellSize): * heap/LocalAllocatorInlines.h: Added. (JSC::LocalAllocator::allocate): * heap/MarkedSpace.cpp: (JSC::MarkedSpace::stopAllocatingForGood): * heap/MarkedSpace.h: * heap/SlotVisitor.cpp: * heap/SlotVisitor.h: * heap/Subspace.h: * heap/ThreadLocalCache.cpp: Added. (JSC::ThreadLocalCache::create): (JSC::ThreadLocalCache::ThreadLocalCache): (JSC::ThreadLocalCache::~ThreadLocalCache): (JSC::ThreadLocalCache::allocateData): (JSC::ThreadLocalCache::destroyData): (JSC::ThreadLocalCache::installSlow): (JSC::ThreadLocalCache::installData): (JSC::ThreadLocalCache::allocatorSlow): (JSC::ThreadLocalCache::destructor): * heap/ThreadLocalCache.h: Added. (JSC::ThreadLocalCache::offsetOfSize): (JSC::ThreadLocalCache::offsetOfFirstAllocator): * heap/ThreadLocalCacheInlines.h: Added. (JSC::ThreadLocalCache::getImpl): (JSC::ThreadLocalCache::get): (JSC::ThreadLocalCache::install): (JSC::ThreadLocalCache::allocator): (JSC::ThreadLocalCache::tryGetAllocator): * heap/ThreadLocalCacheLayout.cpp: Added. (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout): (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout): (JSC::ThreadLocalCacheLayout::allocateOffset): (JSC::ThreadLocalCacheLayout::snapshot): (JSC::ThreadLocalCacheLayout::directory): * heap/ThreadLocalCacheLayout.h: Added. * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): (JSC::AssemblyHelpers::emitAllocate): (JSC::AssemblyHelpers::emitAllocateVariableSized): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::vm): (JSC::AssemblyHelpers::emitAllocateJSCell): (JSC::AssemblyHelpers::emitAllocateJSObject): (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize): (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted. (JSC::AssemblyHelpers::emitAllocate): Deleted. (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted. * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_new_object): (JSC::JIT::emit_op_create_this): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_new_object): (JSC::JIT::emit_op_create_this): * runtime/ButterflyInlines.h: (JSC::Butterfly::createUninitialized): (JSC::Butterfly::tryCreate): (JSC::Butterfly::growArrayRight): * runtime/DirectArguments.cpp: (JSC::DirectArguments::overrideThings): * runtime/GenericArgumentsInlines.h: (JSC::GenericArguments::initModifiedArgumentsDescriptor): * runtime/HashMapImpl.h: (JSC::HashMapBuffer::create): * runtime/JSArray.cpp: (JSC::JSArray::tryCreateUninitializedRestricted): (JSC::JSArray::unshiftCountSlowCase): * runtime/JSArray.h: (JSC::JSArray::tryCreate): * runtime/JSArrayBufferView.cpp: (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): * runtime/JSCellInlines.h: (JSC::tryAllocateCellHelper): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::JSGlobalObject): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::threadLocalCache const): * runtime/JSLock.cpp: (JSC::JSLock::didAcquireLock): * runtime/Options.h: * runtime/RegExpMatchesArray.h: (JSC::tryCreateUninitializedRegExpMatchesArray): * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: * runtime/VMEntryScope.cpp: (JSC::VMEntryScope::VMEntryScope): 2018-01-30 Jason Marcell Cherry-pick r226783. rdar://problem/37077980 2018-01-04 Filip Pizlo CodeBlocks should be in IsoSubspaces https://bugs.webkit.org/show_bug.cgi?id=180884 Reviewed by Saam Barati. This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use WeakReferenceHarvester or UnconditionalFinalizer. Instead: - Code block sweeping is now just eager sweeping. This means that it automatically takes advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use its eden set for. - Those idea of Executable "weakly visiting" the CodeBlock is replaced by Executable marking a ExecutableToCodeBlockEdge object. That object being marked corresponds to what we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no longer has to clear the set of weakly visited code blocks. This also means that determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it has IsoCellSets to tell us which edges have output constraints (what we used to call CodeBlock's weak reference harvester) and which have unconditional finalizers. - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer. - CodeBlockSet still exists! It has one unified HashSet of CodeBlocks that we use to handle requests from the sampler, debugger, and other facilities. They may want to ask if some pointer corresponds to a CodeBlock during stages of execution during which the GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread. There is no way that the GC's isLive could tell us of a CodeBlock that had already been allocated has now been full constructed. Rolling this back in because it was rolled out by mistake. There was a flaky crash that was happening before and after this change, but we misread the revision numbers at first and thought that this was the cause. * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::finishCreation): (JSC::CodeBlock::finishCreationCommon): (JSC::CodeBlock::~CodeBlock): (JSC::CodeBlock::visitChildren): (JSC::CodeBlock::propagateTransitions): (JSC::CodeBlock::determineLiveness): (JSC::CodeBlock::finalizeUnconditionally): (JSC::CodeBlock::stronglyVisitStrongReferences): (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const): (JSC::CodeBlock::installVMTrapBreakpoints): (JSC::CodeBlock::dumpMathICStats): (JSC::CodeBlock::visitWeakly): Deleted. (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted. (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted. * bytecode/CodeBlock.h: (JSC::CodeBlock::subspaceFor): (JSC::CodeBlock::ownerEdge const): (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted. * bytecode/EvalCodeBlock.h: (JSC::EvalCodeBlock::create): Deleted. (JSC::EvalCodeBlock::createStructure): Deleted. (JSC::EvalCodeBlock::variable): Deleted. (JSC::EvalCodeBlock::numVariables): Deleted. (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted. (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted. (JSC::EvalCodeBlock::EvalCodeBlock): Deleted. (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted. * bytecode/ExecutableToCodeBlockEdge.cpp: Added. (JSC::ExecutableToCodeBlockEdge::createStructure): (JSC::ExecutableToCodeBlockEdge::create): (JSC::ExecutableToCodeBlockEdge::visitChildren): (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints): (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally): (JSC::ExecutableToCodeBlockEdge::activate): (JSC::ExecutableToCodeBlockEdge::deactivate): (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap): (JSC::ExecutableToCodeBlockEdge::wrap): (JSC::ExecutableToCodeBlockEdge::wrapAndActivate): (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge): (JSC::ExecutableToCodeBlockEdge::runConstraint): * bytecode/ExecutableToCodeBlockEdge.h: Added. (JSC::ExecutableToCodeBlockEdge::subspaceFor): (JSC::ExecutableToCodeBlockEdge::codeBlock const): (JSC::ExecutableToCodeBlockEdge::unwrap): * bytecode/FunctionCodeBlock.h: (JSC::FunctionCodeBlock::subspaceFor): (JSC::FunctionCodeBlock::createStructure): * bytecode/ModuleProgramCodeBlock.h: (JSC::ModuleProgramCodeBlock::create): Deleted. (JSC::ModuleProgramCodeBlock::createStructure): Deleted. (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted. * bytecode/ProgramCodeBlock.h: (JSC::ProgramCodeBlock::create): Deleted. (JSC::ProgramCodeBlock::createStructure): Deleted. (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted. * debugger/Debugger.cpp: (JSC::Debugger::SetSteppingModeFunctor::operator() const): (JSC::Debugger::ToggleBreakpointFunctor::operator() const): (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const): (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const): * heap/CodeBlockSet.cpp: (JSC::CodeBlockSet::contains): (JSC::CodeBlockSet::dump const): (JSC::CodeBlockSet::add): (JSC::CodeBlockSet::remove): (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted. (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted. (JSC::CodeBlockSet::lastChanceToFinalize): Deleted. (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted. * heap/CodeBlockSet.h: * heap/CodeBlockSetInlines.h: (JSC::CodeBlockSet::iterate): (JSC::CodeBlockSet::iterateViaSubspaces): * heap/ConservativeRoots.cpp: (JSC::ConservativeRoots::genericAddPointer): (JSC::DummyMarkHook::markKnownJSCell): (JSC::CompositeMarkHook::mark): (JSC::CompositeMarkHook::markKnownJSCell): * heap/ConservativeRoots.h: * heap/Heap.cpp: (JSC::Heap::lastChanceToFinalize): (JSC::Heap::finalizeMarkedUnconditionalFinalizers): (JSC::Heap::finalizeUnconditionalFinalizers): (JSC::Heap::beginMarking): (JSC::Heap::deleteUnmarkedCompiledCode): (JSC::Heap::sweepInFinalize): (JSC::Heap::forEachCodeBlockImpl): (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl): (JSC::Heap::addCoreConstraints): (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted. * heap/Heap.h: * heap/HeapCell.h: * heap/HeapCellInlines.h: (JSC::HeapCell::subspace const): * heap/HeapInlines.h: (JSC::Heap::forEachCodeBlock): (JSC::Heap::forEachCodeBlockIgnoringJITPlans): * heap/HeapUtil.h: (JSC::HeapUtil::findGCObjectPointersForMarking): * heap/IsoCellSet.cpp: (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource): * heap/IsoCellSet.h: * heap/IsoCellSetInlines.h: (JSC::IsoCellSet::forEachMarkedCellInParallel): (JSC::IsoCellSet::forEachLiveCell): * heap/LargeAllocation.h: (JSC::LargeAllocation::subspace const): * heap/MarkStackMergingConstraint.cpp: (JSC::MarkStackMergingConstraint::executeImpl): * heap/MarkStackMergingConstraint.h: * heap/MarkedAllocator.cpp: (JSC::MarkedAllocator::parallelNotEmptyBlockSource): * heap/MarkedBlock.cpp: (JSC::MarkedBlock::Handle::didAddToAllocator): (JSC::MarkedBlock::Handle::didRemoveFromAllocator): * heap/MarkedBlock.h: (JSC::MarkedBlock::subspace const): * heap/MarkedBlockInlines.h: (JSC::MarkedBlock::Handle::forEachLiveCell): * heap/MarkedSpaceInlines.h: (JSC::MarkedSpace::forEachLiveCell): * heap/MarkingConstraint.cpp: (JSC::MarkingConstraint::execute): (JSC::MarkingConstraint::doParallelWork): (JSC::MarkingConstraint::finishParallelWork): Deleted. (JSC::MarkingConstraint::doParallelWorkImpl): Deleted. (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted. * heap/MarkingConstraint.h: * heap/MarkingConstraintSet.cpp: (JSC::MarkingConstraintSet::add): * heap/MarkingConstraintSet.h: (JSC::MarkingConstraintSet::add): * heap/MarkingConstraintSolver.cpp: (JSC::MarkingConstraintSolver::execute): (JSC::MarkingConstraintSolver::addParallelTask): (JSC::MarkingConstraintSolver::runExecutionThread): (JSC::MarkingConstraintSolver::didExecute): Deleted. * heap/MarkingConstraintSolver.h: (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint): (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const): * heap/SimpleMarkingConstraint.cpp: (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint): (JSC::SimpleMarkingConstraint::executeImpl): * heap/SimpleMarkingConstraint.h: (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint): * heap/SlotVisitor.cpp: (JSC::SlotVisitor::addParallelConstraintTask): * heap/SlotVisitor.h: * heap/Subspace.cpp: (JSC::Subspace::sweep): * heap/Subspace.h: * heap/SubspaceInlines.h: (JSC::Subspace::forEachLiveCell): * llint/LowLevelInterpreter.asm: * runtime/EvalExecutable.cpp: (JSC::EvalExecutable::visitChildren): * runtime/EvalExecutable.h: (JSC::EvalExecutable::codeBlock): * runtime/FunctionExecutable.cpp: (JSC::FunctionExecutable::baselineCodeBlockFor): (JSC::FunctionExecutable::visitChildren): * runtime/FunctionExecutable.h: * runtime/JSType.h: * runtime/ModuleProgramExecutable.cpp: (JSC::ModuleProgramExecutable::visitChildren): * runtime/ModuleProgramExecutable.h: * runtime/ProgramExecutable.cpp: (JSC::ProgramExecutable::visitChildren): * runtime/ProgramExecutable.h: * runtime/ScriptExecutable.cpp: (JSC::ScriptExecutable::installCode): (JSC::ScriptExecutable::newReplacementCodeBlockFor): * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): (JSC::VM::forEachCodeBlockSpace): * runtime/VMTraps.cpp: (JSC::VMTraps::handleTraps): * tools/VMInspector.cpp: (JSC::VMInspector::codeBlockForMachinePC): (JSC::VMInspector::isValidCodeBlock): 2018-01-31 Jason Marcell Cherry-pick r227874. rdar://problem/37059537 2018-01-30 Mark Lam Apply poisoning to TypedArray vector pointers. https://bugs.webkit.org/show_bug.cgi?id=182155 Reviewed by JF Bastien. The TypeArray's vector pointer is now poisoned. The poison value is chosen based on a TypeArray's jsType. The JSType must be between FirstTypedArrayType and LastTypedArrayType. At runtime, we enforce that the index is well-behaved by masking it against TypedArrayPoisonIndexMask. TypedArrayPoisonIndexMask (16) is the number of TypedArray types (10) rounded up to the next power of 2. Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that we can use index masking on the index, and be guaranteed that the masked index will be within bounds of the poisons array. 1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not do any unnecessary work if the TypedArray vector is null. FTL's cagedMayBeNull() is no longer needed because it is only used by compileGetTypedArrayByteOffset(), and we need to enhance it to handle unpoisoning in a TypedArray specific way. So, might as well do the work inline in compileGetTypedArrayByteOffset() instead. 2. Removed an unnecessary null-check in DFGSpeculativeJIT's compileNewTypedArrayWithSize() because there's already a null check above it that ensures that sizeGPR is never null. 3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before the loading of the vector for unpoisoning and uncaging. We don't need the vector if the length is 0. Implementation notes on the need to null check the TypeArray vector: 1. DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not need a m_poisonedVector null check because the function is a null check. 2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a m_poisonedVector null check because it is followed by a call to cageTypedArrayStorage() which assumes that storageReg cannot be null. 3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a m_poisonedVector null check. 4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector null check because the poisoning code is preceded by a sizeGPR null check, which ensures that the storageGPR (vector to be poisoned) is not null. 5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector null check because it is followed by a call to caged() which assumes that the vector cannot be null. 6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null check. 7. FTL's compileNewTypedArray() does not need a vector null check because the poisoning code is preceded by a size null check, which ensures that the storage (vector to be poisoned) is not null. 8. FTL's speculateTypedArrayIsNotNeutered() does not need a m_poisonedVector null check because the function is a null check. 9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s TypedArrayByteOffsetIntrinsic case needs a null check so that it does not try to unpoison a null vector. 10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because we already do a length check even before loading the vector. 11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check because we already do a length check even before loading the vector. 12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because we already do a length check even before loading the vector. 13. JIT::emitFloatTypedArrayPutByVal() does not need a vector null check because we already do a length check even before loading the vector. 14. LLInt's loadTypedArrayCaged() does not need a vector null check because its client will do a TypedArray length check before calling it. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::checkArray): * dfg/DFGNode.h: (JSC::DFG::Node::hasArrayMode): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): * ftl/FTLAbstractHeapRepository.h: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered): (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted. * jit/IntrinsicEmitter.cpp: (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): * jit/JITPropertyAccess.cpp: (JSC::JIT::emitIntTypedArrayGetByVal): (JSC::JIT::emitFloatTypedArrayGetByVal): (JSC::JIT::emitIntTypedArrayPutByVal): (JSC::JIT::emitFloatTypedArrayPutByVal): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter64.asm: * offlineasm/arm64.rb: * offlineasm/x86.rb: * runtime/CagedBarrierPtr.h: * runtime/JSArrayBufferView.cpp: (JSC::JSArrayBufferView::JSArrayBufferView): (JSC::JSArrayBufferView::finalize): (JSC::JSArrayBufferView::neuter): * runtime/JSArrayBufferView.h: (JSC::JSArrayBufferView::vector const): (JSC::JSArrayBufferView::offsetOfPoisonedVector): (JSC::JSArrayBufferView::poisonFor): (JSC::JSArrayBufferView::Poison::key): (JSC::JSArrayBufferView::offsetOfVector): Deleted. * runtime/JSCPoison.cpp: (JSC::initializePoison): * runtime/JSCPoison.h: * runtime/JSGenericTypedArrayViewInlines.h: (JSC::JSGenericTypedArrayView::estimatedSize): (JSC::JSGenericTypedArrayView::visitChildren): (JSC::JSGenericTypedArrayView::slowDownAndWasteMemory): * runtime/JSObject.h: 2018-01-30 Jason Marcell Cherry-pick r227649. rdar://problem/37019344 2018-01-25 Yusuke Suzuki imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/errorhandling.html crashes https://bugs.webkit.org/show_bug.cgi?id=181980 Reviewed by Ryosuke Niwa. We accidentally failed to propagate errored promise in instantiate and satify phase if entry.{instantiate,satisfy} promises are set. Since we just returned `entry`, it becomes succeeded promise even if the dependent fetch, instantiate, and satisfy promises are failed. This patch fixes error propagation by returning `entry.instantiate` and `entry.satisfy` correctly. * builtins/ModuleLoaderPrototype.js: (requestInstantiate): (requestSatisfy): 2018-01-30 Jason Marcell Cherry-pick r227742. rdar://problem/37019360 2018-01-29 Michael Saboff REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode() https://bugs.webkit.org/show_bug.cgi?id=182249 Reviewed by Keith Miller. Changed clobberize() handling of CompareEq, et al to properly handle comparisons between Untyped and Object values when compared against built in types. Such comparisons can invoke toNumber() or other methods. * dfg/DFGClobberize.h: (JSC::DFG::clobberize): 2018-01-30 Jason Marcell Cherry-pick r227716. rdar://problem/37019460 2018-01-27 Yusuke Suzuki DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0' https://bugs.webkit.org/show_bug.cgi?id=182213 Reviewed by Mark Lam. toStringWithRadixInternal is originally used for the slow path if the given value is larger than radix or negative. As a result, it does not accept 0 correctly, and produces an empty string. Since DFGStrengthReductionPhase uses this function, it accidentally converts NumberToStringWithValidRadixConstant(0, radix) to an empty string. This patch fixes toStringWithRadixInternal to accept 0. This change fixes twitch.tv's issue. We also add a careful cast to avoid `-INT32_MIN`. It does not produce incorrect value in x86 in practice, but it is UB, and a compiler may assume that the given value is never INT32_MIN and could do an incorrect optimization. * runtime/NumberPrototype.cpp: (JSC::toStringWithRadixInternal): 2018-01-30 Jason Marcell Cherry-pick r227644. rdar://problem/37019367 2018-01-25 Mark Lam Gardening: fix 32-bit build after r227643. https://bugs.webkit.org/show_bug.cgi?id=182086 Not reviewed. * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType): 2018-01-30 Jason Marcell Cherry-pick r227643. rdar://problem/37019367 2018-01-24 Filip Pizlo DirectArguments should protect itself using dynamic poisoning and precise index masking https://bugs.webkit.org/show_bug.cgi?id=182086 Reviewed by Saam Barati. This implements dynamic poisoning and precise index masking in DirectArguments, using the helpers from and helpers in AssemblyHelpers and FTL::LowerDFGToB3. We use dynamic poisoning for DirectArguments since this object did not have any additional indirection inside it that could have been poisoned. So, we use the xor of the expected type and the actual type as an additional input into the pointer. We use precise index masking for bounds checks, because it's not worth doing index masking unless we know that precise index masking is too slow. * assembler/MacroAssembler.h: (JSC::MacroAssembler::lshiftPtr): (JSC::MacroAssembler::rshiftPtr): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal): (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask64): (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask32): (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitPreciseIndexMask32): (JSC::AssemblyHelpers::emitDynamicPoison): (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType): (JSC::AssemblyHelpers::emitDynamicPoisonOnType): * jit/AssemblyHelpers.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emitDirectArgumentsGetByVal): * runtime/DirectArguments.h: (JSC::DirectArguments::getIndexQuickly const): (JSC::DirectArguments::setIndexQuickly): (JSC::DirectArguments::argument): * runtime/GenericArgumentsInlines.h: 2018-01-30 Jason Marcell Cherry-pick r227636. rdar://problem/37019363 2018-01-25 Mark Lam Rename some local vars from type to typedArrayType for greater clarity. https://bugs.webkit.org/show_bug.cgi?id=182148 Reviewed by Saam Barati. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): 2018-01-25 Jason Marcell Cherry-pick r227435. rdar://problem/36873349 2018-01-23 Robin Morisset Rollout r219636 https://bugs.webkit.org/show_bug.cgi?id=181997 Unreviewed, as it is a rollout. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): * runtime/JSArray.cpp: (JSC::JSArray::tryCreateUninitializedRestricted): * runtime/JSArray.h: (JSC::JSArray::tryCreate): * runtime/JSObject.cpp: (JSC::JSObject::ensureLengthSlow): 2018-01-25 Jason Marcell Cherry-pick r227410. rdar://problem/36873404 2018-01-23 Robin Morisset Update the argument count in DFGByteCodeParser::handleRecursiveCall https://bugs.webkit.org/show_bug.cgi?id=181739 Reviewed by Saam Barati. When calling a function, its number of arguments is set on the stack. When we turn a recursive tail call into a jump, we should update that stack slot as there is no guarantee that the function was originally called with the same number of arguments. Forgetting to do this is observable through 'arguments.length'. It required adding a new DFG node: 'SetArgumentCountIncludingThis', that takes an unsigned int as its first OpInfo field, and stores it to the stack at the right place. We must be a bit careful in where we put this new node, as it ClobbersExit. We must also fix DFGArgumentsEliminationPhase and DFGPutStackSinkingPhase as they assumed that any node that writes to the stack must write to either an argument or a local. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGArgumentsEliminationPhase.cpp: * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGMayExit.cpp: * dfg/DFGNode.h: (JSC::DFG::Node::argumentCountIncludingThis): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGPutStackSinkingPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis): 2018-01-24 Jason Marcell Cherry-pick r227527. rdar://problem/36830339 2018-01-23 Mark Lam Update Poisoned pointers to take a Poison class instead of a uintptr_t&. https://bugs.webkit.org/show_bug.cgi?id=182017 Reviewed by Filip Pizlo and JF Bastien. Removed the POISON() macro. Now that we have Poison types, we can just use the the Poison type instead and make the code a bit nicer to read. * API/JSAPIWrapperObject.h: * API/JSCallbackFunction.h: * API/JSCallbackObject.h: * b3/B3LowerMacros.cpp: * b3/testb3.cpp: (JSC::B3::testInterpreter): * bytecode/CodeBlock.h: (JSC::CodeBlock::instructions): (JSC::CodeBlock::instructions const): * dfg/DFGOSRExitCompilerCommon.h: (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCheckSubClass): (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): * jit/JIT.h: * jit/ThunkGenerators.cpp: (JSC::virtualThunkFor): (JSC::nativeForGenerator): (JSC::boundThisNoArgsFunctionCallGenerator): * parser/UnlinkedSourceCode.h: * runtime/ArrayPrototype.h: * runtime/CustomGetterSetter.h: * runtime/DateInstance.h: * runtime/InternalFunction.h: * runtime/JSArrayBuffer.h: * runtime/JSCPoison.cpp: (JSC::initializePoison): * runtime/JSCPoison.h: * runtime/JSGlobalObject.h: * runtime/JSScriptFetchParameters.h: * runtime/JSScriptFetcher.h: * runtime/NativeExecutable.h: * runtime/StructureTransitionTable.h: * runtime/WriteBarrier.h: (JSC::WriteBarrier::poison): Deleted. * wasm/js/JSToWasm.cpp: (JSC::Wasm::createJSToWasmWrapper): * wasm/js/JSWebAssemblyCodeBlock.cpp: (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): * wasm/js/JSWebAssemblyCodeBlock.h: * wasm/js/JSWebAssemblyInstance.h: (JSC::JSWebAssemblyInstance::poison): * wasm/js/JSWebAssemblyMemory.h: * wasm/js/JSWebAssemblyModule.h: * wasm/js/JSWebAssemblyTable.h: * wasm/js/WasmToJS.cpp: (JSC::Wasm::handleBadI64Use): (JSC::Wasm::wasmToJS): * wasm/js/WebAssemblyFunctionBase.h: * wasm/js/WebAssemblyModuleRecord.h: * wasm/js/WebAssemblyToJSCallee.h: * wasm/js/WebAssemblyWrapperFunction.h: 2018-01-23 Jason Marcell Cherry-pick r227462. rdar://problem/36807140 2018-01-23 Filip Pizlo Use precise index masking for FTL GetByArgumentByVal https://bugs.webkit.org/show_bug.cgi?id=182006 Reviewed by Keith Miller. This protects speculative out-of-bounds on arguments[index]. Making this work right involved fixing a possible overflow situation with numberOfArgumentsToSkip. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGNode.h: (JSC::DFG::Node::hasNumberOfArgumentsToSkip): (JSC::DFG::Node::numberOfArgumentsToSkip): * dfg/DFGStackLayoutPhase.cpp: (JSC::DFG::StackLayoutPhase::run): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal): 2018-01-23 Jason Marcell Cherry-pick r227434. rdar://problem/36791632 2018-01-23 Mark Lam Re-arrange TypedArray JSTypes to match the order of the TypedArrayType enum list. https://bugs.webkit.org/show_bug.cgi?id=181976 Reviewed by Filip Pizlo. 1. The order of TypedArray JSTypes now matches the order the TypedArrayType enum list. I also added static asserts in TypedArrayType.h to enforce this. Also redefined FOR_EACH_TYPED_ARRAY_TYPE() in terms of 2. Define 4 new values: a. FirstTypedArrayType b. LastTypedArrayType c. NumberOfTypedArrayTypesExcludingDataView d. NumberOfTypedArrayTypes Use these everywhere where we iterate or bisect the TypedArray JSTypes. 3. Removed NUMBER_OF_TYPED_ARRAY_TYPES, and use NumberOfTypedArrayTypes instead. 4. Simplify the code that converts between TypedArrayType and JSType. Changed typedArrayTypeForType() to be the mirror image of typeForTypedArrayType(). Previously, typedArrayTypeForType() converts DataViewType to NotTypedArray instead of TypeDataView. Now, it converts to TypeDataView. This does not result in any change of behavior because typedArrayTypeForType() is only called in Structure::hasIndexingHeader(), and its result is passed to isTypedView(), which handles TypeDataView correctly. 5. Also fixed a bug in SpeculativeJIT::compileGetTypedArrayByteOffset(). If the vector is null, we can skip the rest of the checks. While the current code does not result in incorrect behavior, it is inefficient, and communicates wrong information to the reader i.e. implying that there's something in the dataGPR when there's not. The dataGPR should also be null in this case. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView): (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView): * ftl/FTLOSRExit.cpp: * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter64.asm: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::visitChildren): * runtime/JSType.h: * runtime/TypedArrayType.cpp: (JSC::typeForTypedArrayType): Deleted. * runtime/TypedArrayType.h: (JSC::typedArrayTypeForType): (JSC::typeForTypedArrayType): 2018-01-23 Jason Marcell Cherry-pick r227431. rdar://problem/36791656 2018-01-23 Filip Pizlo DFG should always flush `this` https://bugs.webkit.org/show_bug.cgi?id=181999 Reviewed by Saam Barati and Mark Lam. This is going to make it possible to use precise index masking for arguments-on-the-stack accesses with an index adjusted so that 0 is this. Without this change, we would have no way of masking when the argument count is 0, unless we padded the argument area so that there was always an argument slot after `this` and it was always initialized. This is neutral on all benchmarks. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::flushImpl): (JSC::DFG::ByteCodeParser::flushForTerminalImpl): (JSC::DFG::ByteCodeParser::flush): (JSC::DFG::ByteCodeParser::flushForTerminal): (JSC::DFG::ByteCodeParser::parse): (JSC::DFG::flushImpl): Deleted. (JSC::DFG::flushForTerminalImpl): Deleted. * dfg/DFGPreciseLocalClobberize.h: (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): 2018-01-23 Jason Marcell Cherry-pick r227424. rdar://problem/36791625 2018-01-23 Filip Pizlo JSC should use a speculation fence on VM entry/exit https://bugs.webkit.org/show_bug.cgi?id=181991 Reviewed by JF Bastien and Mark Lam. This adds a WTF::speculationFence on VM entry and exit. For a microbenchmark that just calls a native function (supplied via an Objective-C block) in a tight loop from JS is a 0% regression on x86 and a 11% regression on ARM64. * runtime/JSLock.cpp: (JSC::JSLock::didAcquireLock): (JSC::JSLock::willReleaseLock): 2018-01-22 Jason Marcell Cherry-pick r227341. rdar://problem/36746038 2018-01-22 Michael Saboff DFG abstract interpreter needs to properly model effects of some Math ops https://bugs.webkit.org/show_bug.cgi?id=181886 Reviewed by Saam Barati. Reviewed the processing of the various ArithXXX and CompareXXX and found that several nodes don't handle UntypedUse. Added clobberWorld() for those cases. * dfg/DFGAbstractInterpreter.h: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): (JSC::DFG::AbstractInterpreter::executeDoubleUnaryOpEffects): 2018-01-22 Jason Marcell Cherry-pick r227236. rdar://problem/36722544 2018-01-19 Saam Barati Kill ArithNegate's ArithProfile assert inside BytecodeParser https://bugs.webkit.org/show_bug.cgi?id=181877 Reviewed by Mark Lam. Before this patch, we used to assert that op_negate's result ArithProfile only produces number. It's logically true that negate only produces a number. However, the DFG may incorrectly pick this ArithProfile when doing OSR exit profiling. So we'll end up profiling something that's likely the input to negate. This patch removes the assert. We cede to the fact that Graph::methodOfGettingAValueProfileFor is entirely heuristic based, potentially leading to profiling results being imprecise. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::makeSafe): 2018-01-22 Jason Marcell Cherry-pick r227229. rdar://problem/36722641 2018-01-19 Saam Barati Spread's effects are modeled incorrectly both in AI and in Clobberize https://bugs.webkit.org/show_bug.cgi?id=181867 Reviewed by Michael Saboff. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): 2018-01-22 Jason Marcell Cherry-pick r227168. rdar://problem/36722591 2018-01-18 JF Bastien Set the minimum executable allocator size properly https://bugs.webkit.org/show_bug.cgi?id=181816 Reviewed by Saam Barati. Executable allocator expects at least two page size's worth of allocation in certain conditions, and that causes some tests to now fail because they ask for less. Set that minimum correctly. We were already rounding up to a page size, so having a minimum of 2 page sizes is fine. * jit/ExecutableAllocator.cpp: (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): 2018-01-22 Jason Marcell Cherry-pick r227159. rdar://problem/36722618 2018-01-18 Mark Lam Poisons should be initialized after Options are initialized. https://bugs.webkit.org/show_bug.cgi?id=181807 Reviewed by Keith Miller. This is because poison initialization may depend on options. * runtime/InitializeThreading.cpp: (JSC::initializeThreading): 2018-01-22 Jason Marcell Cherry-pick r227136. rdar://problem/36722486 2018-01-18 Commit Queue Unreviewed, rolling out r227096. https://bugs.webkit.org/show_bug.cgi?id=181788 "it caused a 15% octane regression" (Requested by saamyjoon on #webkit). Reverted changeset: "Support MultiGetByOffset in the DFG" https://bugs.webkit.org/show_bug.cgi?id=181466 https://trac.webkit.org/changeset/227096 2018-01-18 Jason Marcell Cherry-pick r226956. rdar://problem/36598688 2018-01-15 JF Bastien Remove makePoisonedUnique https://bugs.webkit.org/show_bug.cgi?id=181630 Reviewed by Mark Lam. I added a conversion from std::unique_ptr, so we can just use std::make_unique and it'll auto-poison when converted. * bytecode/CodeBlock.h: (JSC::CodeBlock::makePoisonedUnique): Deleted. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::makePoisonedUnique): Deleted. 2018-01-18 Jason Marcell Cherry-pick r227165. rdar://problem/36628552 2018-01-18 Michael Saboff Unreviewed build fix for Windows * interpreter/FrameTracers.h: (JSC::assertStackPointerIsAligned): Can't use gcc style inlined assembly on Windows. 2018-01-18 Jason Marcell Cherry-pick r227152. rdar://problem/36628552 2018-01-18 Michael Saboff REGRESSION (r226068): [X86] Crash in JavaScriptCore ShadowChicken when handling exceptions https://bugs.webkit.org/show_bug.cgi?id=181802 Reviewed by Filip Pizlo. There where a few places where the stack isn't properly aligned for X86 when we call into C++ code. Two places are where we call into exception handling code, the LLInt and from nativeForGenerator. The other place was when we call into the operationOSRWriteBarrier(). Added an assert check that the stack is aligned on X86 platforms in the native call tracing code. This helped find the other cases beyond the original problem. * dfg/DFGOSRExitCompilerCommon.cpp: (JSC::DFG::osrWriteBarrier): * interpreter/FrameTracers.h: (JSC::assertStackPointerIsAligned): (JSC::NativeCallFrameTracer::NativeCallFrameTracer): (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): * jit/ThunkGenerators.cpp: (JSC::nativeForGenerator): * llint/LowLevelInterpreter32_64.asm: 2018-01-17 Jason Marcell Cherry-pick r227104. rdar://problem/36609536 2018-01-17 Saam Barati Disable Atomics when SharedArrayBuffer isn’t enabled https://bugs.webkit.org/show_bug.cgi?id=181572 Reviewed by Michael Saboff. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::createAtomicsProperty): Deleted. 2018-01-17 Jason Marcell Cherry-pick r227096. rdar://problem/36609546 2018-01-17 Saam Barati Support MultiGetByOffset in the DFG https://bugs.webkit.org/show_bug.cgi?id=181466 Reviewed by Keith Miller. This seems to benefit Speedometer in my local testing. It seems like this might be around a 0.5% improvement. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleGetById): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGGraph.h: (JSC::DFG::Graph::supportsMultiGetByOffset): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2018-01-17 Jason Marcell Cherry-pick r227053. rdar://problem/36587231 2018-01-17 Saam Barati DFG::Node::convertToConstant needs to clear the varargs flags https://bugs.webkit.org/show_bug.cgi?id=181697 Reviewed by Yusuke Suzuki. * dfg/DFGNode.h: (JSC::DFG::Node::convertToConstant): 2018-01-17 Jason Marcell Cherry-pick r227047. rdar://problem/36587246 2018-01-16 JF Bastien Allow dangerous disabling of poison https://bugs.webkit.org/show_bug.cgi?id=181685 Reviewed by Keith Miller. Some tools such as leak detectors and such like to look at real pointers, and poisoned ones confuse them. Add a JSC option to disable poisoning, but log to the console when this is done. * runtime/JSCPoison.cpp: (JSC::initializePoison): * runtime/Options.h: 2018-01-17 Jason Marcell Cherry-pick r226940. rdar://problem/36598019 2018-01-13 Mark Lam Replace all use of ConstExprPoisoned with Poisoned. https://bugs.webkit.org/show_bug.cgi?id=181542 Reviewed by JF Bastien. 1. All JSC poisons are now defined in JSCPoison.h. 2. Change all clients to use the new poison values via the POISON() macro. 3. The LLInt code has been updated to handle CodeBlock poison. Some of this code uses the t5 temp register, which is not available on the Windows port. Fortunately, we don't currently do poisoning on the Windows port yet. So, it will just work for now. When poisoning is enabled for the Windows port, this LLInt code will need a Windows specific implementation to workaround its lack of a t5 register. * API/JSAPIWrapperObject.h: * API/JSCallbackFunction.h: * API/JSCallbackObject.h: * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * assembler/MacroAssemblerCodeRef.h: (JSC::MacroAssemblerCodePtr::emptyValue): (JSC::MacroAssemblerCodePtr::deletedValue): * b3/B3LowerMacros.cpp: * b3/testb3.cpp: (JSC::B3::testInterpreter): * bytecode/CodeBlock.h: (JSC::CodeBlock::instructions): (JSC::CodeBlock::instructions const): (JSC::CodeBlock::makePoisonedUnique): * dfg/DFGOSRExitCompilerCommon.h: (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCheckSubClass): (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): * jit/JIT.h: * jit/ThunkGenerators.cpp: (JSC::virtualThunkFor): (JSC::nativeForGenerator): (JSC::boundThisNoArgsFunctionCallGenerator): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * parser/UnlinkedSourceCode.h: * runtime/ArrayPrototype.h: * runtime/CustomGetterSetter.h: * runtime/DateInstance.h: * runtime/InternalFunction.h: * runtime/JSArrayBuffer.h: * runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp. (JSC::initializePoison): * runtime/JSCPoison.h: (): Deleted. * runtime/JSCPoisonedPtr.cpp: Removed. * runtime/JSCPoisonedPtr.h: Removed. * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::makePoisonedUnique): * runtime/JSScriptFetchParameters.h: * runtime/JSScriptFetcher.h: * runtime/NativeExecutable.h: * runtime/StructureTransitionTable.h: (JSC::StructureTransitionTable::map const): (JSC::StructureTransitionTable::weakImpl const): * runtime/WriteBarrier.h: (JSC::WriteBarrier::poison): * wasm/js/JSToWasm.cpp: (JSC::Wasm::createJSToWasmWrapper): * wasm/js/JSWebAssemblyCodeBlock.cpp: (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): * wasm/js/JSWebAssemblyCodeBlock.h: * wasm/js/JSWebAssemblyInstance.h: * wasm/js/JSWebAssemblyMemory.h: * wasm/js/JSWebAssemblyModule.h: * wasm/js/JSWebAssemblyTable.h: * wasm/js/WasmToJS.cpp: (JSC::Wasm::handleBadI64Use): (JSC::Wasm::wasmToJS): * wasm/js/WebAssemblyFunctionBase.h: * wasm/js/WebAssemblyModuleRecord.h: * wasm/js/WebAssemblyToJSCallee.h: * wasm/js/WebAssemblyWrapperFunction.h: 2018-01-17 Jason Marcell Cherry-pick r226752. rdar://problem/36601128 2018-01-10 JF Bastien Poison small JSObject derivatives which only contain pointers https://bugs.webkit.org/show_bug.cgi?id=181483 Reviewed by Mark Lam. I wrote a script that finds interesting things to poison or generally harden. These stood out because they derive from JSObject and only contain a few pointer or pointer-like fields, and could therefore just be poisoned. This also requires some template "improvements" to our poisoning machinery. Worth noting is that I'm making PoisonedUniquePtr move-assignable and move-constructible from unique_ptr, which makes it a better drop-in replacement because we don't need to use makePoisonedUniquePtr. This means function-locals can be unique_ptr and get the nice RAII pattern, and once the function is done you can just move to the class' PoisonedUniquePtr without worrying. * API/JSAPIWrapperObject.h: (JSC::JSAPIWrapperObject::wrappedObject): * API/JSAPIWrapperObject.mm: (JSC::JSAPIWrapperObject::JSAPIWrapperObject): * API/JSCallbackObject.h: * runtime/ArrayPrototype.h: * runtime/DateInstance.h: * runtime/JSArrayBuffer.cpp: (JSC::JSArrayBuffer::finishCreation): (JSC::JSArrayBuffer::isShared const): (JSC::JSArrayBuffer::sharingMode const): * runtime/JSArrayBuffer.h: * runtime/JSCPoison.h: 2018-01-16 Jason Marcell Cherry-pick r226942. rdar://problem/36567945 2018-01-14 Saam Barati Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build. * bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeFromLLInt): (JSC::CallLinkStatus::computeExitSiteData): 2018-01-16 Jason Marcell Cherry-pick r226928. rdar://problem/36567945 2018-01-12 Saam Barati Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock https://bugs.webkit.org/show_bug.cgi?id=181545 Reviewed by Michael Saboff. This patch follows the theme of putting optimization profiling information on UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data. This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock pulled from the code cache, making better compilation decisions, usually resulting in fewer exits, and fewer recompilations. This is a 1% Speedometer progression in my testing. * bytecode/BytecodeDumper.cpp: (JSC::BytecodeDumper::dumpProfilesForBytecodeOffset): * bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeFromLLInt): (JSC::CallLinkStatus::computeFor): (JSC::CallLinkStatus::computeExitSiteData): (JSC::CallLinkStatus::computeDFGStatuses): * bytecode/CallLinkStatus.h: * bytecode/CodeBlock.h: (JSC::CodeBlock::addFrequentExitSite): Deleted. (JSC::CodeBlock::hasExitSite const): Deleted. (JSC::CodeBlock::exitProfile): Deleted. * bytecode/DFGExitProfile.cpp: (JSC::DFG::ExitProfile::add): (JSC::DFG::QueryableExitProfile::initialize): * bytecode/DFGExitProfile.h: (JSC::DFG::ExitProfile::hasExitSite const): * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::hasExitSite): (JSC::GetByIdStatus::computeFor): (JSC::GetByIdStatus::computeForStubInfo): * bytecode/GetByIdStatus.h: * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::hasExitSite): (JSC::PutByIdStatus::computeFor): (JSC::PutByIdStatus::computeForStubInfo): * bytecode/PutByIdStatus.h: * bytecode/UnlinkedCodeBlock.cpp: (JSC::UnlinkedCodeBlock::livenessAnalysisSlow): * bytecode/UnlinkedCodeBlock.h: (JSC::UnlinkedCodeBlock::hasExitSite const): (JSC::UnlinkedCodeBlock::hasExitSite): (JSC::UnlinkedCodeBlock::exitProfile): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): * dfg/DFGGraph.h: (JSC::DFG::Graph::hasGlobalExitSite): (JSC::DFG::Graph::hasExitSite): * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::attemptHoist): * dfg/DFGOSRExitBase.cpp: (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow): 2018-01-16 Jason Marcell Cherry-pick r226920. rdar://problem/36567951 2018-01-12 JF Bastien PoisonedWriteBarrier https://bugs.webkit.org/show_bug.cgi?id=181599 Reviewed by Mark Lam. Allow poisoning of WriteBarrier objects, and use this for WebAssembly because it is perf-neutral, at least on WasmBench on my MBP. If it indeed is perf-neutral according to the bots, start using it in more performance-sensitive places. * heap/HandleTypes.h: * heap/SlotVisitor.h: * heap/SlotVisitorInlines.h: (JSC::SlotVisitor::append): (JSC::SlotVisitor::appendHidden): * runtime/JSCJSValue.h: * runtime/JSCPoison.h: * runtime/Structure.h: * runtime/StructureInlines.h: (JSC::Structure::setPrototypeWithoutTransition): (JSC::Structure::setGlobalObject): (JSC::Structure::setPreviousID): * runtime/WriteBarrier.h: (JSC::WriteBarrierBase::copyFrom): (JSC::WriteBarrierBase::get const): (JSC::WriteBarrierBase::operator* const): (JSC::WriteBarrierBase::operator-> const): (JSC::WriteBarrierBase::clear): (JSC::WriteBarrierBase::slot): (JSC::WriteBarrierBase::operator bool const): (JSC::WriteBarrierBase::setWithoutWriteBarrier): (JSC::WriteBarrierBase::unvalidatedGet const): (JSC::operator==): * runtime/WriteBarrierInlines.h: (JSC::Traits>::set): (JSC::Traits>::setMayBeNull): (JSC::Traits>::setEarlyValue): (JSC::DumbValueTraits>::set): * wasm/WasmInstance.h: * wasm/js/JSWebAssemblyInstance.cpp: (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): (JSC::JSWebAssemblyInstance::finishCreation): (JSC::JSWebAssemblyInstance::visitChildren): (JSC::JSWebAssemblyInstance::create): * wasm/js/JSWebAssemblyInstance.h: (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee): * wasm/js/JSWebAssemblyMemory.h: * wasm/js/JSWebAssemblyModule.h: * wasm/js/JSWebAssemblyTable.cpp: (JSC::JSWebAssemblyTable::JSWebAssemblyTable): (JSC::JSWebAssemblyTable::grow): (JSC::JSWebAssemblyTable::clearFunction): * wasm/js/JSWebAssemblyTable.h: * wasm/js/WasmToJS.cpp: (JSC::Wasm::materializeImportJSCell): (JSC::Wasm::handleBadI64Use): (JSC::Wasm::wasmToJS): * wasm/js/WebAssemblyFunctionBase.h: * wasm/js/WebAssemblyModuleRecord.cpp: (JSC::WebAssemblyModuleRecord::link): (JSC::WebAssemblyModuleRecord::evaluate): * wasm/js/WebAssemblyModuleRecord.h: * wasm/js/WebAssemblyToJSCallee.h: * wasm/js/WebAssemblyWrapperFunction.h: 2018-01-16 Jason Marcell Cherry-pick r226907. rdar://problem/36567949 2018-01-12 Saam Barati CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty https://bugs.webkit.org/show_bug.cgi?id=181177 Reviewed by Yusuke Suzuki. The semantics of CheckStructure are such that it does not allow the empty value to flow through it. However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't have semantic consequences when validation is turned off. However, with validation on, this trips up our OSR exit machinery that says when an exit is allowed to happen. Consider the following IR: a: GetClosureVar // Or any other node that produces BytecodeTop ... c: CheckStructure(Cell:@a, {s2}) d: PutByOffset(KnownCell:@a, KnownCell:@a, @value) In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this: a: GetClosureVar e: CheckStructureOrEmpty(@a, {s1}) ... f: CheckStructureOrEmpty(@a, {s2}) c: CheckStructure(Cell:@a, {s2}) d: PutByOffset(KnownCell:@a, KnownCell:@a, @value) This will cause constant folding to change the IR to: a: GetClosureVar e: CheckStructureOrEmpty(@a, {s1}) ... f: CheckStructureOrEmpty(@a, {s2}) d: PutByOffset(KnownCell:@a, KnownCell:@a, @value) Our mayExit analysis determines that the PutByOffset should not exit. Note that AI will determine the only value the PutByOffset can see in @a is the empty value. Because KnownCell filters SpecCell and not SpecCellCheck, when lowering the PutByOffset, we reach a contradiction in AI and emit an OSR exit. However, because mayExit said we couldn't exit, we assert. Note that if we did not run the TypeCheckHoistingPhase on this IR, AI would have determined we would OSR exit at the second CheckStructure. This patch makes it so constant folding produces the following IR: a: GetClosureVar e: CheckStructureOrEmpty(@a, {s1}) g: AssertNotEmpty(@a) ... f: CheckStructureOrEmpty(@a, {s2}) h: AssertNotEmpty(@a) d: PutByOffset(KnownCell:@a, KnownCell:@a, @value) This modification will cause AI to know we will OSR exit before even reaching the PutByOffset. Note that in the original IR, the GetClosureVar won't actually produce the TDZ value. If it did, bytecode would have caused us to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's why this bug is about IR bookkeeping and not an actual error in IR analysis. This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be more congruous with CheckStructure's semantics of crashing on the empty value as input (on 64 bit platforms). * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty): 2018-01-16 Jason Marcell Cherry-pick r226895. rdar://problem/36568085 2018-01-12 Joseph Pecoraro Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent https://bugs.webkit.org/show_bug.cgi?id=181579 Reviewed by Brian Burg. * inspector/agents/InspectorConsoleAgent.h: * inspector/agents/InspectorConsoleAgent.cpp: (Inspector::InspectorConsoleAgent::clearMessages): (Inspector::InspectorConsoleAgent::addConsoleMessage): Switch from a raw pointer to m_consoleMessages.last(). Also move the expiration check into the if block since it can only happen inside here when the number of console messages changes. (Inspector::InspectorConsoleAgent::discardValues): Also clear the expired message count when messages are cleared. 2018-01-16 Jason Marcell Cherry-pick r226881. rdar://problem/36567948 2018-01-12 Saam Barati Each variant of a polymorphic inlined call should be exitOK at the top of the block https://bugs.webkit.org/show_bug.cgi?id=181562 Reviewed by Yusuke Suzuki. Before this patch, the very first block in the switch for polymorphic call inlining will have exitOK at the top. The others are not guaranteed to. That was just a bug. They're all exitOK at the top. This will lead to crashes in FixupPhase because we won't have a node in a block that has ExitOK, so when we fixup various type checks, we assert out. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleInlining): 2018-01-16 Jason Marcell Cherry-pick r226806. rdar://problem/36567946 2018-01-11 Saam Barati JITMathIC code in the FTL is wrong when code gets duplicated https://bugs.webkit.org/show_bug.cgi?id=181525 Reviewed by Michael Saboff and Keith Miller. B3/Air may duplicate code for various reasons. Patchpoint generators inside FTLLower must be aware that they can be called multiple times because of this. The patchpoint for math ICs was not aware of this, and shared state amongst all invocations of the patchpoint's generator. This patch fixes this bug so that each invocation of the patchpoint's generator gets a unique math IC. * bytecode/CodeBlock.h: (JSC::CodeBlock::addMathIC): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC): (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub): (JSC::FTL::DFG::LowerDFGToB3::compileArithMul): (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate): (JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted. * jit/JITMathIC.h: (JSC::isProfileEmpty): 2018-01-12 Jason Marcell Apply patch. rdar://problem/36303061 Disable WebKit features we don't want to ship after branching 2018-01-12 Maciej Stachowiak Disable WebKit features we don't want to ship after branching Reviewed by Maciej Stachowiak. * Configurations/FeatureDefines.xcconfig: 2018-01-12 Jason Marcell Cherry-pick r226840. rdar://problem/36479468 2018-01-11 Michael Saboff REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters https://bugs.webkit.org/show_bug.cgi?id=181570 Reviewed by Keith Miller. * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::abortWithReason): Reverting these functions to use dataTempRegister and memoryTempRegister as they are JIT release asserts that will crash the program. (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters): Changed this so that it invalidates any cached dataTmpRegister contents if temp register caching is enabled. 2018-01-12 Jason Marcell Cherry-pick r226822. rdar://problem/36458924 2018-01-11 Filip Pizlo Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes https://bugs.webkit.org/show_bug.cgi?id=181543 Rubber stamped by Michael Saboff. In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't really have anything to do with allocation anymore. The allocation will be done by something in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a place to find blocks (a "block directory"). Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the attributes of the HeapCellType. So let's call them CellAttributes. * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * bytecode/AccessCase.cpp: (JSC::AccessCase::generateImpl): * bytecode/ObjectAllocationProfile.h: * bytecode/ObjectAllocationProfileInlines.h: (JSC::ObjectAllocationProfile::initializeProfile): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): (JSC::DFG::SpeculativeJIT::compileMakeRope): (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): (JSC::DFG::SpeculativeJIT::compileNewObject): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::emitAllocateJSCell): (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): * ftl/FTLAbstractHeapRepository.h: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject): (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl): (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): (JSC::FTL::DFG::LowerDFGToB3::allocateObject): (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize): * heap/AlignedMemoryAllocator.cpp: (JSC::AlignedMemoryAllocator::registerDirectory): (JSC::AlignedMemoryAllocator::registerAllocator): Deleted. * heap/AlignedMemoryAllocator.h: (JSC::AlignedMemoryAllocator::firstDirectory const): (JSC::AlignedMemoryAllocator::firstAllocator const): Deleted. * heap/AllocatorAttributes.cpp: Removed. * heap/AllocatorAttributes.h: Removed. * heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp. (JSC::BlockDirectory::BlockDirectory): (JSC::BlockDirectory::setSubspace): (JSC::BlockDirectory::isPagedOut): (JSC::BlockDirectory::findEmptyBlockToSteal): (JSC::BlockDirectory::didConsumeFreeList): (JSC::BlockDirectory::tryAllocateWithoutCollecting): (JSC::BlockDirectory::allocateIn): (JSC::BlockDirectory::tryAllocateIn): (JSC::BlockDirectory::doTestCollectionsIfNeeded): (JSC::BlockDirectory::allocateSlowCase): (JSC::BlockDirectory::blockSizeForBytes): (JSC::BlockDirectory::tryAllocateBlock): (JSC::BlockDirectory::addBlock): (JSC::BlockDirectory::removeBlock): (JSC::BlockDirectory::stopAllocating): (JSC::BlockDirectory::prepareForAllocation): (JSC::BlockDirectory::lastChanceToFinalize): (JSC::BlockDirectory::resumeAllocating): (JSC::BlockDirectory::beginMarkingForFullCollection): (JSC::BlockDirectory::endMarking): (JSC::BlockDirectory::snapshotUnsweptForEdenCollection): (JSC::BlockDirectory::snapshotUnsweptForFullCollection): (JSC::BlockDirectory::findBlockToSweep): (JSC::BlockDirectory::sweep): (JSC::BlockDirectory::shrink): (JSC::BlockDirectory::assertNoUnswept): (JSC::BlockDirectory::parallelNotEmptyBlockSource): (JSC::BlockDirectory::dump const): (JSC::BlockDirectory::dumpBits): (JSC::BlockDirectory::markedSpace const): (JSC::MarkedAllocator::MarkedAllocator): Deleted. (JSC::MarkedAllocator::setSubspace): Deleted. (JSC::MarkedAllocator::isPagedOut): Deleted. (JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted. (JSC::MarkedAllocator::didConsumeFreeList): Deleted. (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted. (JSC::MarkedAllocator::allocateIn): Deleted. (JSC::MarkedAllocator::tryAllocateIn): Deleted. (JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted. (JSC::MarkedAllocator::allocateSlowCase): Deleted. (JSC::MarkedAllocator::blockSizeForBytes): Deleted. (JSC::MarkedAllocator::tryAllocateBlock): Deleted. (JSC::MarkedAllocator::addBlock): Deleted. (JSC::MarkedAllocator::removeBlock): Deleted. (JSC::MarkedAllocator::stopAllocating): Deleted. (JSC::MarkedAllocator::prepareForAllocation): Deleted. (JSC::MarkedAllocator::lastChanceToFinalize): Deleted. (JSC::MarkedAllocator::resumeAllocating): Deleted. (JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted. (JSC::MarkedAllocator::endMarking): Deleted. (JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted. (JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted. (JSC::MarkedAllocator::findBlockToSweep): Deleted. (JSC::MarkedAllocator::sweep): Deleted. (JSC::MarkedAllocator::shrink): Deleted. (JSC::MarkedAllocator::assertNoUnswept): Deleted. (JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted. (JSC::MarkedAllocator::dump const): Deleted. (JSC::MarkedAllocator::dumpBits): Deleted. (JSC::MarkedAllocator::markedSpace const): Deleted. * heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h. (JSC::BlockDirectory::attributes const): (JSC::BlockDirectory::forEachBitVector): (JSC::BlockDirectory::forEachBitVectorWithName): (JSC::BlockDirectory::nextDirectory const): (JSC::BlockDirectory::nextDirectoryInSubspace const): (JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const): (JSC::BlockDirectory::setNextDirectory): (JSC::BlockDirectory::setNextDirectoryInSubspace): (JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator): (JSC::BlockDirectory::offsetOfFreeList): (JSC::BlockDirectory::offsetOfCellSize): (JSC::MarkedAllocator::cellSize const): Deleted. (JSC::MarkedAllocator::attributes const): Deleted. (JSC::MarkedAllocator::needsDestruction const): Deleted. (JSC::MarkedAllocator::destruction const): Deleted. (JSC::MarkedAllocator::cellKind const): Deleted. (JSC::MarkedAllocator::heap): Deleted. (JSC::MarkedAllocator::bitvectorLock): Deleted. (JSC::MarkedAllocator::forEachBitVector): Deleted. (JSC::MarkedAllocator::forEachBitVectorWithName): Deleted. (JSC::MarkedAllocator::nextAllocator const): Deleted. (JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted. (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted. (JSC::MarkedAllocator::setNextAllocator): Deleted. (JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted. (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted. (JSC::MarkedAllocator::subspace const): Deleted. (JSC::MarkedAllocator::freeList const): Deleted. (JSC::MarkedAllocator::offsetOfFreeList): Deleted. (JSC::MarkedAllocator::offsetOfCellSize): Deleted. * heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h. (JSC::BlockDirectory::isFreeListedCell const): (JSC::BlockDirectory::allocate): (JSC::BlockDirectory::forEachBlock): (JSC::BlockDirectory::forEachNotEmptyBlock): (JSC::MarkedAllocator::isFreeListedCell const): Deleted. (JSC::MarkedAllocator::allocate): Deleted. (JSC::MarkedAllocator::forEachBlock): Deleted. (JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted. * heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp. (JSC::CellAttributes::dump const): (JSC::AllocatorAttributes::dump const): Deleted. * heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h. (JSC::CellAttributes::CellAttributes): (JSC::AllocatorAttributes::AllocatorAttributes): Deleted. * heap/CompleteSubspace.cpp: (JSC::CompleteSubspace::allocatorFor): (JSC::CompleteSubspace::allocateNonVirtual): (JSC::CompleteSubspace::allocatorForSlow): (JSC::CompleteSubspace::tryAllocateSlow): * heap/CompleteSubspace.h: (JSC::CompleteSubspace::allocatorForSizeStep): (JSC::CompleteSubspace::allocatorForNonVirtual): * heap/GCDeferralContext.h: * heap/Heap.cpp: (JSC::Heap::updateAllocationLimits): * heap/Heap.h: * heap/HeapCell.h: * heap/HeapCellInlines.h: (JSC::HeapCell::cellAttributes const): (JSC::HeapCell::destructionMode const): (JSC::HeapCell::cellKind const): (JSC::HeapCell::allocatorAttributes const): Deleted. * heap/HeapCellType.cpp: (JSC::HeapCellType::HeapCellType): * heap/HeapCellType.h: (JSC::HeapCellType::attributes const): * heap/IncrementalSweeper.cpp: (JSC::IncrementalSweeper::IncrementalSweeper): (JSC::IncrementalSweeper::sweepNextBlock): (JSC::IncrementalSweeper::startSweeping): (JSC::IncrementalSweeper::stopSweeping): * heap/IncrementalSweeper.h: * heap/IsoCellSet.cpp: (JSC::IsoCellSet::IsoCellSet): (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource): (JSC::IsoCellSet::addSlow): (JSC::IsoCellSet::didRemoveBlock): (JSC::IsoCellSet::sweepToFreeList): * heap/IsoCellSetInlines.h: (JSC::IsoCellSet::forEachMarkedCell): (JSC::IsoCellSet::forEachLiveCell): * heap/IsoSubspace.cpp: (JSC::IsoSubspace::IsoSubspace): (JSC::IsoSubspace::allocatorFor): (JSC::IsoSubspace::allocateNonVirtual): * heap/IsoSubspace.h: (JSC::IsoSubspace::allocatorForNonVirtual): * heap/LargeAllocation.h: (JSC::LargeAllocation::attributes const): * heap/MarkedAllocator.cpp: Removed. * heap/MarkedAllocator.h: Removed. * heap/MarkedAllocatorInlines.h: Removed. * heap/MarkedBlock.cpp: (JSC::MarkedBlock::Handle::~Handle): (JSC::MarkedBlock::Handle::setIsFreeListed): (JSC::MarkedBlock::Handle::stopAllocating): (JSC::MarkedBlock::Handle::lastChanceToFinalize): (JSC::MarkedBlock::Handle::resumeAllocating): (JSC::MarkedBlock::aboutToMarkSlow): (JSC::MarkedBlock::Handle::didConsumeFreeList): (JSC::MarkedBlock::noteMarkedSlow): (JSC::MarkedBlock::Handle::removeFromDirectory): (JSC::MarkedBlock::Handle::didAddToDirectory): (JSC::MarkedBlock::Handle::didRemoveFromDirectory): (JSC::MarkedBlock::Handle::dumpState): (JSC::MarkedBlock::Handle::subspace const): (JSC::MarkedBlock::Handle::sweep): (JSC::MarkedBlock::Handle::isFreeListedCell const): (JSC::MarkedBlock::Handle::removeFromAllocator): Deleted. (JSC::MarkedBlock::Handle::didAddToAllocator): Deleted. (JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted. * heap/MarkedBlock.h: (JSC::MarkedBlock::Handle::directory const): (JSC::MarkedBlock::Handle::attributes const): (JSC::MarkedBlock::attributes const): (JSC::MarkedBlock::Handle::allocator const): Deleted. * heap/MarkedBlockInlines.h: (JSC::MarkedBlock::Handle::isAllocated): (JSC::MarkedBlock::Handle::isLive): (JSC::MarkedBlock::Handle::specializedSweep): (JSC::MarkedBlock::Handle::isEmpty): * heap/MarkedSpace.cpp: (JSC::MarkedSpace::lastChanceToFinalize): (JSC::MarkedSpace::sweep): (JSC::MarkedSpace::stopAllocating): (JSC::MarkedSpace::resumeAllocating): (JSC::MarkedSpace::isPagedOut): (JSC::MarkedSpace::freeBlock): (JSC::MarkedSpace::shrink): (JSC::MarkedSpace::beginMarking): (JSC::MarkedSpace::endMarking): (JSC::MarkedSpace::snapshotUnswept): (JSC::MarkedSpace::assertNoUnswept): (JSC::MarkedSpace::dumpBits): (JSC::MarkedSpace::addBlockDirectory): (JSC::MarkedSpace::addMarkedAllocator): Deleted. * heap/MarkedSpace.h: (JSC::MarkedSpace::firstDirectory const): (JSC::MarkedSpace::directoryLock): (JSC::MarkedSpace::forEachBlock): (JSC::MarkedSpace::forEachDirectory): (JSC::MarkedSpace::firstAllocator const): Deleted. (JSC::MarkedSpace::allocatorLock): Deleted. (JSC::MarkedSpace::forEachAllocator): Deleted. * heap/MarkedSpaceInlines.h: * heap/Subspace.cpp: (JSC::Subspace::initialize): (JSC::Subspace::prepareForAllocation): (JSC::Subspace::findEmptyBlockToSteal): (JSC::Subspace::parallelDirectorySource): (JSC::Subspace::parallelNotEmptyMarkedBlockSource): (JSC::Subspace::sweep): (JSC::Subspace::parallelAllocatorSource): Deleted. * heap/Subspace.h: (JSC::Subspace::attributes const): (JSC::Subspace::didCreateFirstDirectory): (JSC::Subspace::didCreateFirstAllocator): Deleted. * heap/SubspaceInlines.h: (JSC::Subspace::forEachDirectory): (JSC::Subspace::forEachMarkedBlock): (JSC::Subspace::forEachNotEmptyMarkedBlock): (JSC::Subspace::forEachAllocator): Deleted. * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): (JSC::AssemblyHelpers::emitAllocate): (JSC::AssemblyHelpers::emitAllocateJSCell): (JSC::AssemblyHelpers::emitAllocateJSObject): (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize): * jit/JIT.h: * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_new_object): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_new_object): * runtime/JSDestructibleObjectHeapCellType.cpp: (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType): * runtime/JSSegmentedVariableObjectHeapCellType.cpp: (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType): * runtime/JSStringHeapCellType.cpp: (JSC::JSStringHeapCellType::JSStringHeapCellType): * runtime/VM.cpp: (JSC::VM::VM): * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType): 2018-01-11 Jason Marcell Cherry-pick r226811. rdar://problem/36458907 2018-01-11 Saam Barati When inserting Unreachable in byte code parser we need to flush all the right things https://bugs.webkit.org/show_bug.cgi?id=181509 Reviewed by Mark Lam. I added code in r226655 that had its own mechanism for preserving liveness when inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack. I got some of these values wrong, which was leading to a crash when recovering the callee value from an inlined frame. Instead of making the same mistake and repeating similar code again, this patch refactors this logic to be shared with the other liveness preservation code in the DFG bytecode parser. This is what I should have done in my initial patch. * bytecode/InlineCallFrame.h: (JSC::remapOperand): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::flushImpl): (JSC::DFG::flushForTerminalImpl): (JSC::DFG::ByteCodeParser::flush): (JSC::DFG::ByteCodeParser::flushForTerminal): (JSC::DFG::ByteCodeParser::parse): 2018-01-11 Jason Marcell Cherry-pick r226788. rdar://problem/36450828 2018-01-11 Michael Saboff Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister https://bugs.webkit.org/show_bug.cgi?id=181512 Reviewed by Saam Barati. * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::abortWithReason): (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters): All current uses of dataTempRegister in these functions are safe, but it makes sense to fix them in case they might be used elsewhere. 2018-01-11 Jason Marcell Cherry-pick r226778. rdar://problem/36450800 2018-01-11 Michael Saboff Add a DOM gadget for Spectre testing https://bugs.webkit.org/show_bug.cgi?id=181351 Reviewed by Ryosuke Niwa. * runtime/Options.h: 2018-01-11 Jason Marcell Cherry-pick r226767. rdar://problem/36450818 2018-01-11 Saam Barati Our for-in caching is wrong when we add indexed properties on things in the prototype chain https://bugs.webkit.org/show_bug.cgi?id=181508 Reviewed by Yusuke Suzuki. Our for-in caching would cache structure chains that had prototypes with indexed properties. Clearly this is wrong. This caching breaks when a prototype adds new indexed properties. We would continue to enumerate the old cached state of properties, and not include the new indexed properties. The old code used to prevent caching only if the base structure had indexed properties. This patch extends it to prevent caching if the base, or any structure in the prototype chain, has indexed properties. * runtime/Structure.cpp: (JSC::Structure::canCachePropertyNameEnumerator const): 2018-01-11 Jason Marcell Cherry-pick r226655. rdar://problem/36450822 2018-01-09 Saam Barati Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable https://bugs.webkit.org/show_bug.cgi?id=181409 Reviewed by Keith Miller. When I was looking at profiler data for Speedometer, I noticed that one of the hottest functions in Speedometer is around 1100 bytecode operations long. Only about 100 of those bytecode ops ever execute. However, we ended up spending a lot of time compiling basic blocks that never executed. We often plant ForceOSRExit nodes when we parse bytecodes that have a null value profile. This is the case when such a node never executes. This patch makes it so that anytime a block has a ForceOSRExit, we replace its terminal node with an Unreachable node (and remove all nodes after the ForceOSRExit). This will cut down on graph size when such a block dominates other blocks in the CFG. This allows us to get rid of huge chunks of the CFG in certain programs. When doing this transformation, we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode live-in to the ForceOSRExit. Using ForceOSRExit as the signal for this is a bit of a hack. It definitely does not get rid of all the CFG that it could. If we decide it's worth it, we could use additional inputs into this mechanism. For example, we could profile if a basic block ever executes inside the LLInt/Baseline, and remove parts of the CFG based on that. When running Speedometer with the concurrent JIT turned off, this patch improves DFG/FTL compile times by around 5%. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::addToGraph): (JSC::DFG::ByteCodeParser::parse): 2018-01-11 Jason Marcell Cherry-pick r226650. rdar://problem/36429150 2018-01-09 Mark Lam ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter https://bugs.webkit.org/show_bug.cgi?id=181388 Reviewed by Saam Barati. When there are duplicate setters or getters, we may end up overwriting a getter with a setter, or vice versa. This patch adds tracking for getters/setters that have been overwritten with duplicates and ignore them. * bytecompiler/NodesCodegen.cpp: (JSC::PropertyListNode::emitBytecode): * parser/NodeConstructors.h: (JSC::PropertyNode::PropertyNode): * parser/Nodes.h: (JSC::PropertyNode::isOverriddenByDuplicate const): (JSC::PropertyNode::setIsOverriddenByDuplicate): 2018-01-09 Jason Marcell Cherry-pick r226672. rdar://problem/36397330 2018-01-09 Keith Miller and32 with an Address source on ARM64 did not invalidate dataTempRegister https://bugs.webkit.org/show_bug.cgi?id=181467 Reviewed by Michael Saboff. * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::and32): 2018-01-09 Jason Marcell Cherry-pick r226615. rdar://problem/36392328 2018-01-08 JF Bastien WebAssembly: mask indexed accesses to Table https://bugs.webkit.org/show_bug.cgi?id=181412 Reviewed by Saam Barati. WebAssembly Table indexed accesses are user-controlled and bounds-checked. Force allocations of Table data to be a power-of-two, and explicitly mask accesses after bounds-check branches. Rename misleading usage of "size" when "length" of a Table was intended. Rename the Spectre option from "disable" to "enable". * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::SpeculativeJIT): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3): * jit/JIT.cpp: (JSC::JIT::JIT): * runtime/Options.h: * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): (JSC::Wasm::B3IRGenerator::addCallIndirect): * wasm/WasmTable.cpp: (JSC::Wasm::Table::allocatedLength): (JSC::Wasm::Table::setLength): (JSC::Wasm::Table::create): (JSC::Wasm::Table::Table): (JSC::Wasm::Table::grow): (JSC::Wasm::Table::clearFunction): (JSC::Wasm::Table::setFunction): * wasm/WasmTable.h: (JSC::Wasm::Table::length const): (JSC::Wasm::Table::offsetOfLength): (JSC::Wasm::Table::offsetOfMask): (JSC::Wasm::Table::mask const): (JSC::Wasm::Table::isValidLength): * wasm/js/JSWebAssemblyInstance.cpp: (JSC::JSWebAssemblyInstance::create): * wasm/js/JSWebAssemblyTable.cpp: (JSC::JSWebAssemblyTable::JSWebAssemblyTable): (JSC::JSWebAssemblyTable::visitChildren): (JSC::JSWebAssemblyTable::grow): (JSC::JSWebAssemblyTable::getFunction): (JSC::JSWebAssemblyTable::clearFunction): (JSC::JSWebAssemblyTable::setFunction): * wasm/js/JSWebAssemblyTable.h: (JSC::JSWebAssemblyTable::isValidLength): (JSC::JSWebAssemblyTable::length const): (JSC::JSWebAssemblyTable::allocatedLength const): * wasm/js/WebAssemblyModuleRecord.cpp: (JSC::WebAssemblyModuleRecord::evaluate): * wasm/js/WebAssemblyTablePrototype.cpp: (JSC::webAssemblyTableProtoFuncLength): (JSC::webAssemblyTableProtoFuncGrow): (JSC::webAssemblyTableProtoFuncGet): (JSC::webAssemblyTableProtoFuncSet): 2018-01-09 Jason Marcell Cherry-pick r226556. rdar://problem/36392331 2018-01-08 Mark Lam Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM. https://bugs.webkit.org/show_bug.cgi?id=181403 Rubber-stamped by JF Bastien. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::~CodeBlock): (JSC::CodeBlock::setConstantRegisters): (JSC::CodeBlock::propagateTransitions): (JSC::CodeBlock::finalizeLLIntInlineCaches): (JSC::CodeBlock::jettison): (JSC::CodeBlock::predictedMachineCodeSize): * bytecode/CodeBlock.h: (JSC::CodeBlock::vm const): (JSC::CodeBlock::addConstant): (JSC::CodeBlock::heap const): (JSC::CodeBlock::replaceConstant): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: 2018-01-09 Jason Marcell Cherry-pick r226530. rdar://problem/36392325 2018-01-07 Mark Lam Apply poisoning to more pointers in JSC. https://bugs.webkit.org/show_bug.cgi?id=181096 Reviewed by JF Bastien. * assembler/MacroAssembler.h: (JSC::MacroAssembler::xorPtr): * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::xor64): * assembler/MacroAssemblerX86_64.h: (JSC::MacroAssemblerX86_64::xor64): - Add xorPtr implementation. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::inferredName const): (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::finishCreation): (JSC::CodeBlock::~CodeBlock): (JSC::CodeBlock::setConstantRegisters): (JSC::CodeBlock::visitWeakly): (JSC::CodeBlock::visitChildren): (JSC::CodeBlock::propagateTransitions): (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): (JSC::CodeBlock::finalizeLLIntInlineCaches): (JSC::CodeBlock::finalizeBaselineJITInlineCaches): (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): (JSC::CodeBlock::jettison): (JSC::CodeBlock::predictedMachineCodeSize): (JSC::CodeBlock::findPC): * bytecode/CodeBlock.h: (JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer): (JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester): (JSC::CodeBlock::stubInfoBegin): (JSC::CodeBlock::stubInfoEnd): (JSC::CodeBlock::callLinkInfosBegin): (JSC::CodeBlock::callLinkInfosEnd): (JSC::CodeBlock::instructions): (JSC::CodeBlock::instructions const): (JSC::CodeBlock::vm const): * dfg/DFGOSRExitCompilerCommon.h: (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk): * jit/JIT.h: * llint/LLIntOfflineAsmConfig.h: * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter64.asm: * parser/UnlinkedSourceCode.h: * runtime/JSCPoison.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSGlobalObject.h: * runtime/JSScriptFetchParameters.h: * runtime/JSScriptFetcher.h: * runtime/StructureTransitionTable.h: * wasm/js/JSWebAssemblyCodeBlock.cpp: (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): (JSC::JSWebAssemblyCodeBlock::visitChildren): (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): * wasm/js/JSWebAssemblyCodeBlock.h: 2018-01-06 Yusuke Suzuki Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions https://bugs.webkit.org/show_bug.cgi?id=181321 Reviewed by Saam Barati. According to ECMA262 16.2[1], functions created using the bind method must not have "caller" and "arguments" own properties. [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions * runtime/JSBoundFunction.cpp: (JSC::JSBoundFunction::finishCreation): 2018-01-05 JF Bastien WebAssembly: poison JS object's secrets https://bugs.webkit.org/show_bug.cgi?id=181339 Reviewed by Mark Lam. Separating WebAssembly's JS objects from their non-JS implementation means that all interesting information lives outside of the JS object itself. This patch poisons each JS object's pointer to non-JS implementation using the poisoning mechanism and a unique key per JS object type origin. * runtime/JSCPoison.h: * wasm/js/JSToWasm.cpp: (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS object in a stack slot when fast TLS is disabled. This requires that we unpoison the Wasm::Instance. * wasm/js/JSWebAssemblyCodeBlock.h: * wasm/js/JSWebAssemblyInstance.h: (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to be explicit that the pointer is poisoned. * wasm/js/JSWebAssemblyMemory.h: * wasm/js/JSWebAssemblyModule.h: * wasm/js/JSWebAssemblyTable.h: 2018-01-05 Michael Saboff Add ability to disable indexed property masking for testing https://bugs.webkit.org/show_bug.cgi?id=181350 Reviewed by Keith Miller. Made the masking of indexed properties runtime controllable via a new JSC::Option named disableSpectreMitigations. This is done to test the efficacy of that mitigation. The new option has a generic name as it will probably be used to disable future mitigations. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::SpeculativeJIT): (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray): (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3): (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray): * jit/JIT.cpp: (JSC::JIT::JIT): * jit/JIT.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emitDoubleLoad): (JSC::JIT::emitContiguousLoad): (JSC::JIT::emitArrayStorageLoad): * runtime/Options.h: * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): 2018-01-05 Michael Saboff Allow JSC Config Files to set Restricted Options https://bugs.webkit.org/show_bug.cgi?id=181352 Reviewed by Mark Lam. * runtime/ConfigFile.cpp: (JSC::ConfigFile::parse): 2018-01-04 Keith Miller TypedArrays and Wasm should use index masking. https://bugs.webkit.org/show_bug.cgi?id=181313 Reviewed by Michael Saboff. We should have index masking for our TypedArray code in the DFG/FTL and for Wasm when doing bounds checking. Index masking for Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any WasmBoundsCheckValues we don't need to worry about combining a bounds check for a load and a store. I went with fusing the pointer masking in the WasmBoundsCheckValue since it should reduce additional compiler overhead. * b3/B3LowerToAir.cpp: * b3/B3Validate.cpp: * b3/B3WasmBoundsCheckValue.cpp: (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue): (JSC::B3::WasmBoundsCheckValue::dumpMeta const): * b3/B3WasmBoundsCheckValue.h: (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): * b3/air/AirCustom.h: (JSC::B3::Air::WasmBoundsCheckCustom::generate): * b3/testb3.cpp: (JSC::B3::testWasmBoundsCheck): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray): (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray): * jit/JITPropertyAccess.cpp: (JSC::JIT::emitIntTypedArrayGetByVal): * runtime/Butterfly.h: (JSC::Butterfly::computeIndexingMask const): (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted. * runtime/JSArrayBufferView.cpp: (JSC::JSArrayBufferView::JSArrayBufferView): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::B3IRGenerator): (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): (JSC::Wasm::B3IRGenerator::load): (JSC::Wasm::B3IRGenerator::store): (JSC::Wasm::B3IRGenerator::addCallIndirect): * wasm/WasmBinding.cpp: (JSC::Wasm::wasmToWasm): * wasm/WasmMemory.cpp: (JSC::Wasm::Memory::Memory): (JSC::Wasm::Memory::grow): * wasm/WasmMemory.h: (JSC::Wasm::Memory::offsetOfIndexingMask): * wasm/WasmMemoryInformation.cpp: (JSC::Wasm::PinnedRegisterInfo::get): (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo): * wasm/WasmMemoryInformation.h: (JSC::Wasm::PinnedRegisterInfo::toSave const): * wasm/js/JSToWasm.cpp: (JSC::Wasm::createJSToWasmWrapper): 2018-01-05 Commit Queue Unreviewed, rolling out r226434. https://bugs.webkit.org/show_bug.cgi?id=181322 32bit JSC failure in x86 (Requested by yusukesuzuki on #webkit). Reverted changeset: "[DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag" https://bugs.webkit.org/show_bug.cgi?id=181134 https://trac.webkit.org/changeset/226434 2018-01-04 Devin Rousso Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic https://bugs.webkit.org/show_bug.cgi?id=180770 Reviewed by Joseph Pecoraro. * inspector/protocol/Canvas.json: 2018-01-04 Commit Queue Unreviewed, rolling out r226405. https://bugs.webkit.org/show_bug.cgi?id=181318 Speculative rollout due to Octane/SplayLatency,Octane/Splay regressions (Requested by yusukesuzuki on #webkit). Reverted changeset: "[JSC] Create parallel SlotVisitors apriori" https://bugs.webkit.org/show_bug.cgi?id=180907 https://trac.webkit.org/changeset/226405 2018-01-04 Saam Barati Do value profiling in to_this https://bugs.webkit.org/show_bug.cgi?id=181299 Reviewed by Filip Pizlo. This patch adds value profiling to to_this. We use the result of the value profiling only for strict mode code when we don't predict that the input is of a specific type. This helps when the input is SpecCellOther. Such cells might implement a custom ToThis, which can produce an arbitrary result. Before this patch, in prediction propagation, we were saying that a ToThis with a SpecCellOther input also produced SpecCellOther. However, this is incorrect, given that the input may implement ToThis that produces an arbitrary result. This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer. Interestingly, this patch only does value profiling on the slow path. The fast path of to_this in the LLInt/baseline just perform a structure check. If it passes, the result is the same as the input. Therefore, doing value profiling from the fast path wouldn't actually produce new information for the ValueProfile. * bytecode/BytecodeDumper.cpp: (JSC::BytecodeDumper::dumpBytecode): * bytecode/BytecodeList.json: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::emitToThis): * bytecompiler/BytecodeGenerator.h: * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGNode.h: (JSC::DFG::Node::hasHeapPrediction): * dfg/DFGPredictionPropagationPhase.cpp: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): 2018-01-04 Yusuke Suzuki [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag https://bugs.webkit.org/show_bug.cgi?id=181134 Reviewed by Mark Lam. We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires an additional scratch register. We do not want to allocate an unnecessary register in 64bit implementation. This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking `<= LowestTag(Int32Tag)`. We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`. We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileValueToInt32): (JSC::DFG::SpeculativeJIT::compileDoubleRep): (JSC::DFG::SpeculativeJIT::speculateNumber): (JSC::DFG::SpeculativeJIT::speculateMisc): (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): (JSC::DFG::SpeculativeJIT::compileToNumber): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::branchIfNotType): (JSC::AssemblyHelpers::jitAssertIsJSNumber): (JSC::AssemblyHelpers::emitConvertValueToBoolean): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::branchIfMisc): (JSC::AssemblyHelpers::branchIfNotMisc): (JSC::AssemblyHelpers::branchIfNumber): (JSC::AssemblyHelpers::branchIfNotNumber): (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32): (JSC::AssemblyHelpers::emitTypeOf): * jit/JITAddGenerator.cpp: (JSC::JITAddGenerator::generateFastPath): * jit/JITArithmetic32_64.cpp: (JSC::JIT::emitBinaryDoubleOp): * jit/JITDivGenerator.cpp: (JSC::JITDivGenerator::loadOperand): * jit/JITMulGenerator.cpp: (JSC::JITMulGenerator::generateInline): (JSC::JITMulGenerator::generateFastPath): * jit/JITNegGenerator.cpp: (JSC::JITNegGenerator::generateInline): (JSC::JITNegGenerator::generateFastPath): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_is_number): (JSC::JIT::emit_op_jeq_null): (JSC::JIT::emit_op_jneq_null): (JSC::JIT::emit_op_to_number): (JSC::JIT::emit_op_profile_type): * jit/JITRightShiftGenerator.cpp: (JSC::JITRightShiftGenerator::generateFastPath): * jit/JITSubGenerator.cpp: (JSC::JITSubGenerator::generateInline): (JSC::JITSubGenerator::generateFastPath): * llint/LLIntData.cpp: (JSC::LLInt::Data::performAssertions): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * runtime/JSCJSValue.h: 2018-01-04 JF Bastien Add assembler support for x86 lfence and sfence https://bugs.webkit.org/show_bug.cgi?id=181311 Reviewed by Michael Saboff. Useful for testing performance of serializing instructions (hint: it's not good). * assembler/MacroAssemblerX86Common.h: (JSC::MacroAssemblerX86Common::lfence): (JSC::MacroAssemblerX86Common::sfence): * assembler/X86Assembler.h: (JSC::X86Assembler::lfence): (JSC::X86Assembler::sfence): 2018-01-04 Saam Barati Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction) https://bugs.webkit.org/show_bug.cgi?id=181296 Reviewed by Filip Pizlo. Inside Speedometer's Ember test, there is a recompile loop like: a: GetByVal(..., semanticOriginX) b: SetLocal(Cell:@a, semanticOriginX) where the cell check always fails. For reasons I didn't investigate, the baseline JIT's value profiling doesn't accurately capture the GetByVal's result. However, when compiling this cell speculation check in the DFG, we get a null MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for this IR pattern because both @a and @b have the same semantic origin. We should not follow the same semantic origin heuristic when dealing with SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern. For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction). For this IR pattern, we will update the value profile for the semantic origin for @nodeWithHeapPrediction. So, for the Speedometer example above, we will correctly update the GetByVal's value profile, which will prevent an OSR exit loop. * dfg/DFGGraph.cpp: (JSC::DFG::Graph::methodOfGettingAValueProfileFor): 2018-01-04 Keith Miller Array Storage operations sometimes did not update the indexing mask correctly. https://bugs.webkit.org/show_bug.cgi?id=181301 Reviewed by Mark Lam. I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303 * runtime/JSArray.cpp: (JSC::JSArray::shiftCountWithArrayStorage): * runtime/JSObject.cpp: (JSC::JSObject::increaseVectorLength): 2018-01-04 Yusuke Suzuki [DFG] Define defs for MapSet/SetAdd to participate in CSE https://bugs.webkit.org/show_bug.cgi?id=179911 Reviewed by Saam Barati. With this patch, our MapSet and SetAdd DFG nodes participate in CSE. To handle a bit tricky DFG Map operation nodes, MapSet and SetAdd produce added bucket as its result. Subsequent GetMapBucket will be removed by CSE. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileSetAdd): (JSC::DFG::SpeculativeJIT::compileMapSet): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd): (JSC::FTL::DFG::LowerDFGToB3::compileMapSet): * jit/JITOperations.h: * runtime/HashMapImpl.h: (JSC::HashMapImpl::addNormalized): (JSC::HashMapImpl::addNormalizedInternal): 2018-01-04 Yusuke Suzuki [JSC] Remove LocalScope https://bugs.webkit.org/show_bug.cgi?id=181206 Reviewed by Geoffrey Garen. The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use. This patch changes JSON parsing and stringifying to using MarkedArgumentBuffer. And remove HandleStack and LocalScope. We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold JSObject* directly in their fields. * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * heap/HandleStack.cpp: Removed. * heap/HandleStack.h: Removed. * heap/Heap.cpp: (JSC::Heap::addCoreConstraints): * heap/Heap.h: (JSC::Heap::handleSet): (JSC::Heap::handleStack): Deleted. * heap/Local.h: Removed. * heap/LocalScope.h: Removed. * runtime/JSONObject.cpp: (JSC::Stringifier::Holder::object const): (JSC::gap): (JSC::Stringifier::Stringifier): (JSC::Stringifier::stringify): (JSC::Stringifier::appendStringifiedValue): (JSC::Stringifier::Holder::Holder): (JSC::Stringifier::Holder::appendNextProperty): (JSC::Walker::Walker): (JSC::Walker::callReviver): (JSC::Walker::walk): (JSC::JSONProtoFuncParse): (JSC::JSONProtoFuncStringify): (JSC::JSONParse): (JSC::JSONStringify): 2018-01-04 Yusuke Suzuki [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf https://bugs.webkit.org/show_bug.cgi?id=180238 Reviewed by Saam Barati. We can optimize ObjectAllocationSinking a bit by using removeIf. * dfg/DFGObjectAllocationSinkingPhase.cpp: 2018-01-04 Yusuke Suzuki [JSC] Create parallel SlotVisitors apriori https://bugs.webkit.org/show_bug.cgi?id=180907 Reviewed by Saam Barati. The number of SlotVisitors are capped with the number of HeapHelperPool's threads + 2. If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically. Then we do not need to grab locks while iterating all the SlotVisitors. In addition, we do not need to consider the case that the number of SlotVisitors increases after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors does not increase any more. * heap/Heap.cpp: (JSC::Heap::Heap): (JSC::Heap::runBeginPhase): * heap/Heap.h: * heap/HeapInlines.h: (JSC::Heap::forEachSlotVisitor): (JSC::Heap::numberOfSlotVisitors): Deleted. * heap/MarkingConstraintSolver.cpp: (JSC::MarkingConstraintSolver::didVisitSomething const): 2018-01-03 Ting-Wei Lan Replace hard-coded paths in shebangs with #!/usr/bin/env https://bugs.webkit.org/show_bug.cgi?id=181040 Reviewed by Alex Christensen. * Scripts/UpdateContents.py: * Scripts/cssmin.py: * Scripts/generate-combined-inspector-json.py: * Scripts/xxd.pl: * create_hash_table: * generate-bytecode-files: * wasm/generateWasm.py: * wasm/generateWasmOpsHeader.py: * yarr/generateYarrCanonicalizeUnicode: 2018-01-03 Michael Saboff Disable SharedArrayBuffers from Web API https://bugs.webkit.org/show_bug.cgi?id=181266 Reviewed by Saam Barati. Removed SharedArrayBuffer prototype and structure from GlobalObject creation to disable. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::arrayBufferPrototype const): (JSC::JSGlobalObject::arrayBufferStructure const): 2018-01-03 Michael Saboff Add "noInline" to $vm https://bugs.webkit.org/show_bug.cgi?id=181265 Reviewed by Mark Lam. This would be useful for web based tests. * tools/JSDollarVM.cpp: (JSC::getExecutableForFunction): (JSC::functionNoInline): (JSC::JSDollarVM::finishCreation): 2018-01-03 Michael Saboff Remove unnecessary flushing of Butterfly pointer in functionCpuClflush() https://bugs.webkit.org/show_bug.cgi?id=181263 Reviewed by Mark Lam. Flushing the butterfly pointer provides no benefit and slows this function. * tools/JSDollarVM.cpp: (JSC::functionCpuClflush): 2018-01-03 Saam Barati Fix BytecodeParser op_catch assert to work with useProfiler=1 https://bugs.webkit.org/show_bug.cgi?id=181260 Reviewed by Keith Miller. op_catch was asserting that the current block was empty. This is only true if the profiler isn't enabled. When the profiler is enabled, we will insert a CountExecution node before each bytecode. This patch fixes the assert to work with the profiler. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): 2018-01-03 Per Arne Vollan [Win][Debug] testapi link error. https://bugs.webkit.org/show_bug.cgi?id=181247 Reviewed by Brent Fulgham. Do not set the runtime library compile flag for C files, it is already set to the correct value. * shell/PlatformWin.cmake: 2018-01-03 Robin Morisset Inlining of a function that ends in op_unreachable crashes https://bugs.webkit.org/show_bug.cgi?id=181027 Reviewed by Filip Pizlo. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::allocateTargetableBlock): (JSC::DFG::ByteCodeParser::inlineCall): 2018-01-02 Saam Barati Incorrect assertion inside AccessCase https://bugs.webkit.org/show_bug.cgi?id=181200 Reviewed by Yusuke Suzuki. Consider a PutById compiled to a setter in a function like so: ``` function foo(o) { o.f = o; } ``` The DFG will often assign the same registers to the baseGPR (o in o.f) and the valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned to the same register. However, we're asserting that they're not the same register. This patch just removes this invalid assertion. * bytecode/AccessCase.cpp: (JSC::AccessCase::generateImpl): 2018-01-02 Caio Lima [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype https://bugs.webkit.org/show_bug.cgi?id=175359 Reviewed by Yusuke Suzuki. This patch is implementing BigIntConstructor and BigIntPrototype following spec[1, 2]. As addition, we are also implementing BigIntObject warapper to handle ToObject(v) abstract operation when "v" is a BigInt primitive. With these classes, now it's possible to syntetize BigInt.prototype and then call "toString", "valueOf" and "toLocaleString" when the primitive is a BigInt. BigIntConstructor exposes an API to parse other primitives such as Number, Boolean and String to BigInt. We decided to skip parseInt implementation, since it was removed from spec. [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object * CMakeLists.txt: * DerivedSources.make: * JavaScriptCore.xcodeproj/project.pbxproj: * Sources.txt: * jsc.cpp: * runtime/BigIntConstructor.cpp: Added. (JSC::BigIntConstructor::BigIntConstructor): (JSC::BigIntConstructor::finishCreation): (JSC::isSafeInteger): (JSC::toBigInt): (JSC::callBigIntConstructor): (JSC::bigIntConstructorFuncAsUintN): (JSC::bigIntConstructorFuncAsIntN): * runtime/BigIntConstructor.h: Added. (JSC::BigIntConstructor::create): (JSC::BigIntConstructor::createStructure): * runtime/BigIntObject.cpp: Added. (JSC::BigIntObject::BigIntObject): (JSC::BigIntObject::finishCreation): (JSC::BigIntObject::toStringName): (JSC::BigIntObject::defaultValue): * runtime/BigIntObject.h: Added. (JSC::BigIntObject::create): (JSC::BigIntObject::internalValue const): (JSC::BigIntObject::createStructure): * runtime/BigIntPrototype.cpp: Added. (JSC::BigIntPrototype::BigIntPrototype): (JSC::BigIntPrototype::finishCreation): (JSC::toThisBigIntValue): (JSC::bigIntProtoFuncToString): (JSC::bigIntProtoFuncToLocaleString): (JSC::bigIntProtoFuncValueOf): * runtime/BigIntPrototype.h: Added. (JSC::BigIntPrototype::create): (JSC::BigIntPrototype::createStructure): * runtime/IntlCollator.cpp: (JSC::IntlCollator::initializeCollator): * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::initializeNumberFormat): * runtime/JSBigInt.cpp: (JSC::JSBigInt::createFrom): (JSC::JSBigInt::parseInt): (JSC::JSBigInt::toObject const): * runtime/JSBigInt.h: * runtime/JSCJSValue.cpp: (JSC::JSValue::synthesizePrototype const): * runtime/JSCPoisonedPtr.cpp: * runtime/JSCell.cpp: (JSC::JSCell::toObjectSlow const): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::bigIntPrototype const): (JSC::JSGlobalObject::bigIntObjectStructure const): * runtime/StructureCache.h: * runtime/StructureInlines.h: (JSC::prototypeForLookupPrimitiveImpl): 2018-01-02 Tim Horton Fix the MathCommon build with a recent compiler https://bugs.webkit.org/show_bug.cgi?id=181216 Reviewed by Sam Weinig. * runtime/MathCommon.cpp: (JSC::fdlibmPow): This cast drops the 'const' qualifier from the pointer to 'one', but it doesn't have to, and it makes the compiler sad. == Rolled over to ChangeLog-2018-01-01 ==